ENGINEERING ETHICS

The Space Shuttle Challenger Disaster

Department of Philosophy and Department of Mechanical Engineering
Texas A&M University
NSF Grant Number
DIR-9012252

Synopsis

On January 28, 1986, seven astronauts were killed when the space shuttle they were piloting, the Challenger, exploded just over a minute into flight. The failure of the solid rocket booster O-rings to seat properly allowed hot combustion gases to leak from the side of the booster and burn through the external fuel tank. The failure of the Oring was attributed to several factors, including faulty design of the solid rocket boosters, insufficient low temperature testing of the O-ring material and the joints that the O-ring sealed, and lack of communication between different levels of NASA management.

Organization and People Involved

Marshall Space Flight Center - in charge of booster rocket development

Morton Thiokol - Contracted by NASA to build the Solid Rocket Booster

Key Dates

Background

NASA managers were anxious to launch the Challenger for several reasons, including economic considerations, political pressures, and scheduling backlogs. Unforeseen competition from the European Space Agency put NASA in a position where it would have to fly the shuttle dependably on a very ambitious schedule in order to prove the Space Transportation System's cost effectiveness and potential for commercialization. This prompted NASA to schedule a record number of missions in 1986 to make a case for its budget requests. The shuttle mission just prior to the Challenger had been delayed a record number of times due to inclement weather and mechanical factors. NASA wanted to launch the Challenger without any delays so the launch pad could be refurbished in time for the next mission, which would be carrying a probe that would examine Halley's Comet. If launched on time, this probe would have collected data a few days before a similar Russian probe would be launched. There was probably also pressure to launch Challenger so it could be in space when President Reagan gave his State of the Union address. Reagan's main topic was to be education, and he was expected to mention the shuttle and the first teacher in space, Christa McAuliffe. 

The shuttle solid rocket boosters (or SRBs), are key elements in the operation of the shuttle. Without the boosters, the shuttle cannot produce enough thrust to overcome the earth's gravitational pull and achieve orbit. There is an SRB attached to each side of the external fuel tank. Each booster is 149 feet long and 12 feet in diameter. Before ignition, each booster weighs 2 million pounds. Solid rockets in general produce much more thrust per pound than their liquid fuel counterparts. The drawback is that once the solid rocket fuel has been ignited, it cannot be turned off or even controlled. So it was extremely important that the shuttle SRBs were properly designed. Morton Thiokol was awarded the contract to design and build the SRBs in 1974. Thiokol's design is a scaled-up version of a Titan missile which had been used successfully for years. NASA accepted the design in 1976. The booster is comprised of seven hollow metal cylinders. The solid rocket fuel is cast into the cylinders at the Thiokol plant in Utah, and the cylinders are assembled into pairs for transport to Kennedy Space Center in Florida. At KSC, the four booster segments are assembled into a completed booster rocket. The joints where the segments are joined together at KSC are known as field joints. These field joints consist of a tang and clevis joint. The tang and clevis are held together by 177 clevis pins. Each joint is sealed by two O rings, the bottom ring known as the primary Oring, and the top known as the secondary Oring. (The Titan booster had only one Oring. The second ring was added as a measure of redundancy since the boosters would be lifting humans into orbit. Except for the increased scale of the rocket's diameter, this was the only major difference between the shuttle booster and the Titan booster.) The purpose of the O-rings is to prevent hot combustion gasses from escaping from the inside of the motor. To provide a barrier between the rubber O-rings and the combustion gasses, a heat resistant putty is applied to the inner section of the joint prior to assembly. The gap between the tang and the clevis determines the amount of compression on the O-ring. To minimize the gap and increase the squeeze on the O-ring, shims are inserted between the tang and the outside leg of the clevis.

Launch Delays

The first delay of the Challenger mission was because of a weather front expected to move into the area, bringing rain and cold temperatures. Usually a mission wasn't postponed until inclement weather actually entered the area, but the Vice President was expected to be present for the launch and NASA officials wanted to avoid the necessity of the Vice President's having to make an unnecessary trip to Florida; so they postponed the launch early. The Vice President was a key spokesperson for the President on the space program, and NASA coveted his good will. The weather front stalled, and the launch window had perfect weather conditions; but the launch had already been postponed to keep the Vice President from unnecessarily traveling to the launch site. The second launch delay was caused by a defective microswitch in the hatch locking mechanism and by problems in removing the hatch handle. By the time these problems had been sorted out, winds had become too high. The weather front had started moving again, and appeared to be bringing record-setting low temperatures to the Florida area. NASA wanted to check with all of its contractors to determine if there would be any problems with launching in the cold temperatures. Alan McDonald, director of the Solid Rocket Motor Project at Morton-Thiokol, was convinced that there were cold weather problems with the solid rocket motors and contacted two of the engineers working on the project, Robert Ebeling and Roger Boisjoly. Thiokol knew there was a problem with the boosters as early as 1977, and had initiated a redesign effort in 1985. NASA Level I management had been briefed on the problem on August 19, 1985. Almost half of the shuttle flights had experienced O-ring erosion in the booster field joints. Ebeling and Boisjoly had complained to Thiokol that management was not supporting the redesign task force.

Engineering Design

The size of the gap is controlled by several factors, including the dimensional tolerances of the metal cylinders and their corresponding tang or clevis, the ambient temperature, the diameter of the O-ring, the thickness of the shims, the loads on the segment, and quality control during assembly. When the booster is ignited, the putty is displaced, compressing the air between the putty and the primary O-ring. The air pressure forces the O-ring into the gap between the tang and clevis. Pressure loads are also applied to the walls of the cylinder, causing the cylinder to balloon slightly as shown in Figure 3. (The ballooning effect has been greatly exaggerated.) This ballooning of the cylinder walls caused the gap between the tang and clevis gap to open. This effect has come to be known as joint rotation. Morton-Thiokol discovered this joint rotation as part of its testing program in 1977. Thiokol discussed the problem with NASA and started analyzing and testing to determine how to increase the O-ring compression, thereby decreasing the effect of joint rotation. Three design changes were implemented:

(1) Dimensional tolerances of the metal joint were tightened.

(2) The O-ring diameter was increased, and its dimensional tolerances were tightened.

(3) The use of the shims mentioned above was introduced. Further testing by Thiokol revealed that the second seal, in some cases, might not seal at all. Additional changes in the shim thickness and O-ring diameter were made to correct the problem.

A new problem was discovered during November 1981, after the flight of the second shuttle mission. Examination of the booster field joints revealed that the O-rings were eroding during flight. The joints were still sealing effectively, but the O-ring material was being eaten away by hot gasses that escaped past the putty. Thiokol studied different types of putty and its application to study their effects on reducing Oring erosion. The shuttle flight 51-C of January 24, 1985, was launched during some of the coldest weather in Florida history. Upon examination of the booster joints, engineers at Thiokol noticed black soot and grease on the outside of the booster casing, caused by actual gas blowby. This prompted Thiokol to study the effects of O-ring resiliency at low temperatures. They conducted laboratory tests of O-ring compression and resiliency between 50F and 100F. In July 1985, Morton Thiokol ordered new steel billets which would be used for a redesigned case field joint. At the time of the accident, these new billets were not ready for Thiokol, because they take many months to manufacture.

The Night Before the Launch

Temperatures for the next launch date were predicted to be in the low 20s. This prompted Alan McDonald to ask his engineers at Thiokol to prepare a presentation on the effects of cold temperature on booster performance. A teleconference was scheduled the evening before the re-scheduled launch in order to discuss the low temperature performance of the boosters. This teleconference was held between engineers and management from Kennedy Space Center, Marshall Space Flight Center in Alabama, and Morton-Thiokol in Utah. Boisjoly and another engineer, Arnie Thompson, knew this would be another opportunity to express their concerns about the boosters, but they had only a short time to prepare their data for the presentation. Thiokol's engineers gave an hour-long presentation, presenting a convincing argument that the cold weather would exaggerate the problems of joint rotation and delayed O-ring seating. The lowest temperature experienced by the O-rings in any previous mission was 53F, the January 24, 1985 flight. With a predicted ambient temperature of 26F at launch, the O-rings were estimated to be at 29F. 

After the technical presentation, Thiokol's Engineering Vice President Bob Lund presented the conclusions and recommendations. His main conclusion was that 53F was the only low temperature data Thiokol had for the effects of cold on the operational boosters. The boosters had experienced O-ring erosion at this temperature. Since his engineers had no low temperature data below 53F, they could not prove that it was unsafe to launch at lower temperatures. He read his recommendations and commented that the predicted temperatures for the morning's launch was outside the data base and NASA should delay the launch, so the ambient temperature could rise until the O-ring temperature was at least 53F. This confused NASA managers because the booster design specifications called for booster operation as low as 31F. (It later came out in the investigation that Thiokol understood that the 31F limit temperature was for storage of the booster, and that the launch temperature limit was 40F. Because of this, dynamic tests of the boosters had never been performed below 40F.) Marshall's Solid Rocket Booster Project Manager, Larry Mulloy, commented that the data was inconclusive and challenged the engineers' logic. A heated debate went on for several minutes before Mulloy bypassed Lund and asked Joe Kilminster for his opinion. Kilminster was in management, although he had an extensive engineering background. By bypassing the engineers, Mulloy was calling for a middle-management decision, but Kilminster stood by his engineers. Several other managers at Marshall expressed their doubts about the recommendations, and finally Kilminster asked for a meeting off of the net, so Thiokol could review its data. Boisjoly and Thompson tried to convince their senior managers to stay with their original decision not to launch. A senior executive at Thiokol, Jerald Mason, commented that a management decision was required. The managers seemed to believe the Orings could be eroded up to one third of their diameter and still seat properly, regardless of the temperature. The data presented to them showed no correlation between temperature and the blowby gasses which eroded the O-rings in previous missions. According to testimony by Kilminster and Boisjoly, Mason finally turned to Bob Lund and said, "Take off your engineering hat and put on your management hat." Joe Kilminster wrote out the new recommendation and went back on line with the teleconference. The new recommendation stated that the cold was still a safety concern, but their people had found that the original data was indeed inconclusive and their "engineering assessment" was that launch was recommended, even though the engineers had no part in writing the new recommendation and refused to sign it. Alan McDonald, who was present with NASA management in Florida, was surprised to see the recommendation to launch and appealed to NASA management not to launch. NASA managers decided to approve the boosters for launch despite the fact that the predicted launch temperature was outside of their operational specifications.

The Launch

During the night, temperatures dropped to as low as 8F, much lower than had been anticipated. In order to keep the water pipes in the launch platform from freezing, safety showers and fire hoses had been turned on. Some of this water had accumulated, and ice had formed all over the platform. There was some concern that the ice would fall off of the platform during launch and might damage the heat resistant tiles on the shuttle. The ice inspection team thought the situation was of great concern, but the launch director decided to go ahead with the countdown. Note that safety limitations on low temperature launching had to be waived and authorized by key personnel several times during the final countdown. These key personnel were not aware of the teleconference about the solid rocket boosters that had taken place the night before. At launch, the impact of ignition broke loose a shower of ice from the launch platform. Some of the ice struck the left-hand booster, and some ice was actually sucked into the booster nozzle itself by an aspiration effect. Although there was no evidence of any ice damage to the Orbiter itself, NASA analysis of the ice problem was wrong. The booster ignition transient started six hundredths of a second after the igniter fired. The aft field joint on the right-hand booster was the coldest spot on the booster: about 28F. The booster's segmented steel casing ballooned and the joint rotated, expanding inward as it had on all other shuttle flights. The primary Oring was too cold to seat properly, the cold-stiffened heat resistant putty that protected the rubber O-rings from the fuel collapsed, and gases at over 5000F burned past both Orings across seventy degrees of arc. Eight hundredths of a second after ignition, the shuttle lifted off. Engineering cameras focused on the right-hand booster showed about nine smoke puffs coming from the booster aft field joint. Before the shuttle cleared the tower, oxides from the burnt propellant temporarily sealed the field joint before flames could escape. Fifty-nine seconds into the flight, Challenger experienced the most violent wind shear ever encountered on a shuttle mission. The glassy oxides that sealed the field joint were shattered by the stresses of the wind shear, and within seconds flames from the field joint burned through the external fuel tank. Hundreds of tons of propellant ignited, tearing apart the shuttle. One hundred seconds into the flight, the last bit of telemetry data was transmitted from the Challenger.

Issues For Discussion

The Challenger disaster has several issues which are relevant to engineers. These issues raise many questions which may not have any definite answers, but can serve to heighten the awareness of engineers when faced with a similar situation. One of the most important issues deals with engineers who are placed in management positions. It is important that these managers not ignore their own engineering experience, or the expertise of their subordinate engineers. Often a manager, even if she has engineering experience, is not as up to date on current engineering practices as are the actual practicing engineers. She should keep this in mind when making any sort of decision that involves an understanding of technical matters. Another issue is the fact that managers encouraged launching due to the fact that there was insufficient low temperature data. Since there was not enough data available to make an informed decision, this was not, in their opinion, grounds for stopping a launch. This was a reversal in the thinking that went on in the early years of the space program, which discouraged launching until all the facts were known about a particular problem. This same reasoning can be traced back to an earlier phase in the shuttle program, when upper-level NASA management was alerted to problems in the booster design, yet did not halt the program until the problem was solved. 

To better understand the responsibility of the engineer, some key elements of the professional responsibilities of an engineer should be examined. This will be done from two perspectives: the implicit social contract between engineers and society, and the guidance of the codes of ethics of professional societies. As engineers test designs for ever-increasing speeds, loads, capacities and the like, they must always be aware of their obligation to society to protect the public welfare. After all, the public has provided engineers, through the tax base, with the means for obtaining an education and, through legislation, the means to license and regulate themselves. In return, engineers have a responsibility to protect the safety and well-being of the public in all of their professional efforts. This is part of the implicit social contract all engineers have agreed to when they accepted admission to an engineering college. The first canon in the ASME Code of Ethics urges engineers to "hold paramount the safety, health and welfare of the public in the performance of their professional duties." Every major engineering code of ethics reminds engineers of the importance of their responsibility to keep the safety and well being of the public at the top of their list of priorities. Although company loyalty is important, it must not be allowed to override the engineer's obligation to the public. Marcia Baron, in an excellent monograph on loyalty, states: "It is a sad fact about loyalty that it invites...single-mindedness. Single-minded pursuit of a goal is sometimes delightfully romantic, even a real inspiration. But it is hardly something to advocate to engineers, whose impact on the safety of the public is so very significant. Irresponsibility, whether caused by selfishness or by magnificently unselfish loyalty, can have most unfortunate consequences."

Annotated Bibliography and Suggested References

Feynman, Richard Phillips, What Do You Care What Other People Think,: Further Adventures of a Curious Character, Bantam Doubleday Dell Pub, ISBN 0553347845, Dec 1992. Reference added by request of Sharath Bulusu, as being pertinant and excellent reading - 8-25-00.

Lewis, Richard S., Challenger: the final voyage, Columbia University Press, New York, 1988.

McConnell, Malcolm, Challenger: a major malfunction, Doubleday, Garden City, N.Y., 1987.

Trento, Joseph J., Prescription for disaster, Crown, New York, c1987.

United States. Congress. House. Committee on Science and Technology, Investigation of the Challenger accident : hearings before the Committee on Science and Technology, U.S. House of Representatives, Ninety-ninth Congress, second session .... U.S. G.P.O.,Washington, 1986.

United States. Congress. House. Committee on Science and Technology, Investigation of the Challenger accident : report of the Committee on Science and Technology, House of Representatives, Ninety-ninth Congress, second session. U.S. G.P.O.,Washington, 1986.

United States. Congress. House. Committee on Science, Space, and Technology, NASA's response to the committee's investigation of the "Challenger" accident : hearing before the Committee on Science, Space, and Technology, U.S. House of Representatives, One hundredth Congress, first session, February 26, 1987. U.S. G.P.O.,Washington, 1987.

United States. Congress. Senate. Committee on Commerce, Science, and Transportation. Subcommittee on Science, Technology, and Space, Space shuttle accident : hearings before the Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science, and Transportation, United States Senate, Ninety-ninth Congress, second session, on space shuttle accident and the Rogers Commission report, February 18, June 10, and 17, 1986. U.S. G.P.O.,Washington, 1986.

Notes

1. "Challenger: A Major Malfunction." (see above) p. 194.

2. Baron, Marcia. The Moral Status of Loyalty. Illinois Institute of Technology: Center for the Study of Ethics in the Professions, 1984, p. 9. One of a series of monographs on applied ethics that deal specifically with the engineering profession. Provides arguments both for and against loyalty. 28 pages with notes and an annotated bibliography.