The Space Shuttle Challenger Disaster

A failure in decision support system and human factors management

by Jeff Forrest Metropolitan State College

INTRODUCTION
This article discusses the environmental and human decision making factors that were associated with the launching of the Space Shuttle Challenger on January 28, 1986. Shortly after launch, the Shuttle exploded destroying the vehicle and all crew members. The cause and contributing factors that lead to the Challenger tragedy are explored in detail. Focus is placed on NASA's use of a group decision support system (GDSS) meeting to make the decision to launch. Examples are included that show how contributing factors such as multiple priorities and demands influenced NASA from operating in a responsible and ethical manner. Proof that NASA used a flawed database in its GDSS and how it mismanaged the GDSS meeting is also offered. Finally, the inability of each GDSS member to vote anonymously on the decision to launch is discussed as a critical factor that, had it been allowed, probably would have prevented the Challenger tragedy.

THE SHUTTLE 51-L MISSION

Environmental Factors- Societal Impacts The Space Shuttle Challenger 51-L was the 25th mission in NASA's STS program. On Jan. 28, 1986, STS 51-L exploded shortly after liftoff, destroying the vehicle and all of its seven crew members.

The STS 51-L mission was to deploy the second Tracking and Data Relay Satellite and the Spartan Halley's Comet observer. Paramount to this mission was crew member S. Christa McAuliffe - the first Space Shuttle passenger/observer participating in the NASA Teacher in Space Program (cf. [1]). Ms. McAuliffe would have conducted live educational broadcasts from the Shuttle and transmitted them to classrooms throughout the world. The loss of life and the unique position that symbolized Christa McAuliffe as the first civilian working as a teacher in space had a profound impact on society and its attitude toward NASA and the U.S. Space programs. As this article will explore, the tragic decision to launch STS 51-L was based on long term contributing factors and the use of a flawed group decision support system that was further aggravated by its related mismanagement. The outcome of this action created costs to society in terms of life, resources and public mistrust. NASA subsequently experienced years of setback for its related scientific research and operations.

BACKGROUND
Human Factors - Contributing to a Tragedy Although the destruction of the Shuttle Challenger was caused by the hardware failure of a solid rocket booster (SRB) "O" ring, the human decision to launch was, in itself, flawed. The resolution to launch was based upon faulty group decision support information and further aggravated by the related mismanagement of that information. However, as in most transportation accidents, there are usually other contributing factors that help to create an environment leading to mistakes and failures. Therefore, a brief review of the contributing factors leading to the Challenger destruction is in order. Environmental Factors - Demands on the Space Shuttle The process of "selling" the American public and its political system the need for a reusable space transportation system began in the late 1960's. Conceptually, the Space Shuttle was introduced during the crest of the successful Apollo mission. Unlike the Apollo mission, the Space Shuttle was approved as a method for operating in space, without a firm definition of what its operational goals would be ([2] pg. 3). Here is the first contributing factor. The Shuttle was developed as a utility without a firm application. Therefore, support for such a project, both politically and economically, was not very strong. To gain political support it was sold as a project with a "quick payoff" (cf., [2]). Additional support was gained by offering the Shuttle program to the military as a means to increase national security and to industry as a tool to open new commercial opportunity. Scientists argued to the American people that the Shuttle would be an "American Voyage" ([2] pg. 10) with great scientific gain. Globally, the Shuttle was sold as a partnership with the European Space Agency (ESA) and as a means to improve national and social relations by combining peoples of different nationalities, races and sexes who would serve as crew members.

The process used to develop economic, political and social support for the shuttle introduced the second contributing factor called heterogeneous engineering. That is, the Shuttle engineering and management decisions were made to meet the needs of organizational, political, and economic factors as opposed to a single entity mission profile with specific goals ([2] pg. 9). Once functional, the Shuttle became exposed to operational demands from a multitude of users. The Shuttle now had to live up to NASA's promises. Coordinating the needs of political, commercial, military, international and scientific communities placed immense pressures on the Shuttle management team. First, political pressure to provide a reliable, reusable space vehicle with rapid turn around time and deployment seriously hindered the ability for effective systems integration and development. Secondly, it was not feasible to construct any complete management support systems (MSS) that could consider all of the factors associated with such a diverse group of environmental variables. Third, additional uncertainty and low NASA employee moral was created when the Reagan Administration pushed for the Shuttle to be declared "operational" before the "developmental" stage had been completed [2]. After spending billions of dollars to go to the moon, Congress expected the Shuttle program to be financially self-supportive ([2] pg. 15). This forced NASA to operate as a pseudo commercial business. Therefore, the environment within NASA preceding the Challenger launch was one of conflict, stress, and short cuts [2].

NASA
Decision Support System (DSS) - Environmental Effects The probability for disaster was growing higher as increasing demands were being placed on NASA just prior to the Challenger launch [2]. A false sense of security was felt by NASA officials, with twenty-four successful Shuttle missions to their credit. Just prior to the STS 51-L launch, NASA was an organization filled with internal strife and territorial battles([3], pg. 412). Mangers operated in an environment of "overload and turbulence" [3]. In short, NASA was characterized as having a "disease " ([3] pg.414) of decay and destruction. As incredible as it may seem, it would appear that NASA had no formal DSS program initialized for the Shuttle operations before the Challenger launch. Evidence is strong that decisions were made primarily by "satisficing" and conscious "muddling through." Specific characteristics of decision making at the time consisted of short cuts, compromise and operational heuristics ("operational heuristics; to cannibalize existing parts" as defined by Jarman and Kouzmin [3] pg. 414). In short, NASA was operating in a phase of semi-uncontrolled decision making while trying to serve the military, industry and international research organizations with a space vehicle that had been declared operational before completion of the developmental stage [4]. NASA used decision making by default as its primary DSS. Its organizational boundary was highly political and open for manipulation by any entity that could exert political power. Upon declaring the Shuttle "operational," the Reagan Administration removed the motivation of NASA employees to manage and left them with the impression that decision making would be made by directive from political sources.

The declaration of "operational" status was the critical turning point for NASA and its management of Shuttle operations. Complacency began to grow among employees and safety considerations were traded for time spent on keeping the Shuttle on schedule and "the client of the day" satisfied. This was the environment just before the launch of STS 51-L.

THE DECISION TO LAUNCH

Group Decision Support System (GDSS) - Situational Analysis A group support system did exist between NASA and related developers of the Shuttle. Focus in this discussion will be placed on Thiokol - the subcontractor directly responsible for the development of the SRB "O" rings. The GDSS system between NASA and Thiokol consisted of same-time/different-place conference rooms equipped with a connected and distributed computer interface. Speaker phones with audio only were also available. On the evening of January 27, 1986, Thiokol was providing information to NASA regarding concerns for the next day's planned launch of STS 51-l. Thiokol engineers were very concerned that the abnormally cold temperatures would affect the "O" rings to nonperformance standards. The mission had already been canceled due to weather, and, as far as NASA was concerned, another cancellation due to weather was unthinkable ([4] pg. 23). Both parties were already aware that the seals on the SRB needed upgrading but did not feel that it was critical. Though the information provided by the GDSS (with an associated expert system) showed that the "O" rings would perform under the predicted temperatures, Thiokol engineers questioned their own testing and data that were programmed into the GDSS. Thus on the eve of the Challenger launch, NASA was being informed that their GDSS had a flawed data base. At this point, NASA requested a definitive recommendation from Thiokol on whether to launch. Thiokol representatives recommended not to launch until the outside air temperature reached 53 F. The forecast for Florida did not show temperatures reaching this baseline for several days. NASA responded with pressure on Thiokol to change their decision. NASA's level III manager, Mr. Lawrence Mulloy, responded to Thiokol's decision by asking, "My God, Thiokol, when do you want me to launch, next April?" ([4] pg. 24). After this comment the Thiokol representatives requested five minutes to go off-line from the GDSS. During this period the Thiokol management requested the chief engineer to "take off his engineering hat and put on his management cap," suggesting that organizational goals be placed ahead of safety considerations [4]. Thiokol reentered the GDSS and recommended that NASA launch. NASA asked if there were any other objections from any other GDSS member, and there was not. Group Support System - Critical Analysis There is little doubt that the environment from which NASA and its affiliated developers operated provided an opportunity for significant human error. Nevertheless, NASA and Thiokol had a "golden" opportunity to avoid disaster during their GDSS meeting before the STS 51-L

launch. The following factors are offered as potential explanations for what created the flawed GDSS and the associated mismanagement of its information: First, Thiokol was aware of the "O" ring problem at least several months before the Challenger launch. However, the goal was to stay on schedule. NASA was made aware of the problem but it was "down-played" as a low risk situation. Here is the first element of flawed information that was input into the GDSS. If NASA had been aware of the significance of the "O" ring situation, they probably would have given more credence to the advice of the Thiokol engineers' recommendations. However, the data transmitted during the GDSS meeting from Thiokol did say that it would be safe to launch for the forecasted temperatures. NASA was frustrated over the conflicting advice from the same source. Second, the decision to delay a Shuttle launch had developed into an "unwanted" decision by the members of the Shuttle team [5]. In other words, suggestions made by any group member that would ultimately support a scheduled launch were met with positive support by the group. Any suggestion that would lead to a delay was rejected by the group. Third, all members of the GDSS felt that they should live up to the "norms" of the group. Although the Thiokol engineers were firm on their recommendation to scrub the launch, they soon changed their presentation of objections once threatened with the possibility of being expelled from the program (as suggested by a NASA administrator who was "appalled" at a company that would make such a recommendation based on the data available) [5]. Fourth, Thiokol became highly susceptible to "groupthink" when they requested a break from the GDSS. At this point they became insulated, conducted private conversations under high stress and were afraid of losing potential future revenue should they disagree with NASA. All these factors are considered prime to the formulation of "groupthink" [5]. Fifth, all parties were afraid of public and political response to another launch cancellation (there had already been six cancellations that year). Each party began to rationalize that past success equaled future success [5]. Finally, the GDSS was seriously flawed. As already mentioned, the data base contained erroneous information regarding the "O" rings. Ideas, suggestions and objections were solicited but not anonymously. Individuals who departed from the group norms were signaled out as unwelcome members. An agenda was never defined and NASA was therefore surprised by the Thiokol presentation. Conflict management was avoided by NASA's domination of the entire meeting. NASA, at times, became very assertive and intimidating. Considering NASA's attitude, no group member or individual was willing to be held accountable for any comment or decision [5]. The setting for such an important GDSS meeting was also ineffective. Considering that a speaker phone and CPU modem was used, it was easy for NASA to down-play the personal opinions of the Thiokol engineers. If the meeting could have been held at the same place for all members, the outcome might have been different. At the end of the meeting NASA, very reluctantly, suggested that they would still cancel the launch if Thiokol insisted. No response from Thiokol was made

and the NASA officials could not see the expression of "self-censorship" that was being communicated on the face of each Thiokol engineer [5]. Perhaps the most significant flaw in the GDSS was when Thiokol requested a private five minute meeting with its own members. Up to this point Thiokol had stayed with its recommendation to cancel the launch. Once disconnected, Thiokol became an isolated member and the GDSS failed altogether. Once reconnected, Thiokol had changed its position and offered the go ahead to launch without any objection.

CONCLUSIONS
The Critical Human Factor - Need for Voting Tool Many conclusions may be drawn as to the primary cause and contributing factors associated with the Challenger tragedy. It is the opinion of this author that regarding the GDSS and decision to launch the ability of each member to have voted anonymously was the key factor that would have maintained the integrity of the GDSS and the quality of the decision. It has been shown that just after Thiokol's presentation to NASA, most of the GDSS group members were very concerned with the "O" ring situation and believed that the opinions expressed by Thiokol engineers were cause for serious consideration of launch cancellation [5]. However, only selected senior officials were allowed to vote their "opinion", which they did verbally and at the request of NASA. From the research conducted on this paper, the author believes that had a universal anonymous vote been conducted of the total GDSS membership, a decision to cancel the launch would have been made. The factors which lead to the Challenger incident can be traced back to the inception of the shuttle program. NASA and Thiokol failed to maintain a quality assurance program through MSS, as was initiated on the Apollo program, due to multiple source demands and political pressures. The GDSS used for the launch decision contained inaccurate data. Engineering members of the GDSS did not believe in the testing procedures used to generate the data components in the GDSS. And, the entire meeting was mismanaged. The decision to launch the Challenger Shuttle and its subsequent destruction had a major affect on society and the management of our space program. Challenger's unique mission and the death of Christa McAuliffe opened the door for discussion and research on how managers use DSS to make decisions that will affect public trust.

AFTERMATH
Ethics and MSS/DSS - Human Factors Management A complete discussion of ethical decision making is beyond the scope of this article. However, the question of how NASA and Thiokol managed ethical considerations is central to the decision to launch the Challenger Shuttle and, therefore, deserves a brief overview.

The first area of ethical concern is the area of information accuracy. The fact that both NASA's and Thiokol's managers had little regard to the concerns of Thiokol's engineers is very distressing. All members of the group made a decision knowing that the decision was based on flawed information. A second concern is that the decision made put safety last and operational goals first. Only one member of the GDSS expressed serious concern for the potential loss of life [5]. Additionally, open and free communication before and during the GDSS meeting was discouraged through such group dynamics as mind guarding, direct pressure and self-censorship [5]. Individuals who know of a situation that, unless acted upon with integrity might cause social harm, have a responsibility to contact any authority that will manage and control that situation in the best interest of the public ([4] "Whistleblowing, pg. 34). Human factors analysis and management science have begun to define the incorporation of MSS/DSS as a socially responsive way of conducting business ([6] pg. 826). This is especially true for government agencies and large public projects like the Shuttle program. It could be argued that GDSS technology had not evolved to the level of effectiveness that was needed to support the Challenger project. The success of the DSS used in the prior Apollo mission shows that this was not the case. In the Challenger program social and ethical decision making was discarded for the sake of cost, schedule and outside environmental demands.

REFERENCES
[1] NASA Spacelink Challenger Press Release, http://history.nasa.gov/sts51lpresskit.pdf [2] Launius, Roger D., "Toward an Understanding of the Space Shuttle: A Historiographical Essay". Air Power History, Winter 1992, vil. 39, no. 4. [3] Jarman A. and Kouzmin, A., "Decision pathways from crisis. A contingency-theory simulation heuristic for the Challenger Shuttle disaster", Contemporary Crises, December 01, 1990, vol. 14, no. 4. [4] Kramer, Ronald C. and Jaska, James A., "The Space Shuttle Disaster: Ethical Issues in Organizational Decision Making", Western Michigan University, April 1987, 39 pgs. [5] Groupthink videorecording written by and produced by Kirby Timmons; produced by Melanie Mihal, Carlsbad, Calif., CRM Films, c 1991 25min. [6] Turban, Efraim, Decision Support and Expert Systems, Macmillan Publishing Company, N.Y., N.Y. 1993.

Editor's Note
The NASA history site on the Challenger STS 51-L Accident at http://history.nasa.gov/sts51l.html links to many resources including Jeff Forrest's analysis. Reader's are especially encouraged to read and review the Report of the Presidential Commission on the Space Shuttle Challenger Accident (commonly called the Rogers Commission Report), June 1986 and the Implementations of the Recommendations, June 1987. The GDSS was an

audio teleconference. The slides had been faxed to the NASA meeting site. Mr. Mulloy of NASA testified that Mr. Kilminster of Thiokol requested the 5 minute off-net caucus that ultimately lasted approximately 30 minutes. The opinions in this analysis are those of the author and not necessarily those of the Editor or of DSSResources.com.

Some Questions for Further Analysis and Discussion

1. 2. 3. 4. 5. What is a group decision support system? Did NASA and Thiokol use a GDSS? Did the group decision support system fail or was the problem with the participants? What do you think was the cause of the decision-making failure in this situation? Could improved GDSS technology have avoided this tragedy? If so what was needed? Video, anonymous voting?

The Space Shuttle Challenger Disaster

Department of Philosophy and Department of Mechanical Engineering Texas A&M University NSF Grant Number DIR-9012252 Instructor's Guide Introduction To The Case On January 28, 1986, seven astronauts were killed when the space shuttle they were piloting, the Challenger, exploded just over a minute into the flight. The failure of the solid rocket booster O-rings to seat properly allowed hot combustion gases to leak from the side of the booster and burn through the external fuel tank. The failure of the O-ring was attributed to several factors, including faulty design of the solid rocket boosters, insufficient low- temperature testing of the O-ring material and the joints that the O-ring sealed, and lack of proper communication between different levels of NASA management. Instructor Guidelines Prior to class discussion, ask the students to read the student handout outside of class. In class the details of the case can be reviewed with the aid of the overheads. Reserve about half of the class period for an open discussion of the issues. The issues covered in the student handout include the importance of an engineer's responsibility to public welfare, the need for this responsibility to hold precedence over any other responsibilities the engineer might have and the responsibilities of a manager/engineer. A final point is the fact that no matter how far removed from the public an engineer may think she is, all of her actions have potential impact. Essay #6, "Loyalty and Professional Rights" appended at the end of the case listings in this report will be found relevant for instructors preparing to lead class discussion on this case. In addition, essays #1 through #4 appended at the end of the cases in this report will have relevant background information for the instructor preparing to lead classroom discussion. Their titles are, respectively: "Ethics and Professionalism in Engineering: Why the Interest in Engineering Ethics?;" "Basic Concepts and Methods in Ethics," "Moral Concepts and Theories," and "Engineering Design: Literature on Social Responsibility Versus Legal Liability." Questions for Class Discussion 1. What could NASA management have done differently?

2. What, if anything, could their subordinates have done differently? 3. What should Roger Boisjoly have done differently (if anything)? In answering this question, keep in mind that at his age, the prospect of finding a new job if he was fired was slim. He also had a family to support. 4. What do you (the students) see as your future engineering professional responsibilities in relation to both being loyal to management and protecting the public welfare? The Challenger Disaster Overheads 1. 2. 3. 4. 5. 6. Organizations/People Involved Key Dates Space Shuttle Solid Rocket Boosters (SRB) Joints Detail of SRB Field Joints Ballooning Effect of Motor Casing Key Issues

ORGANIZATIONS/PEOPLE INVOLVED Marshall Space Flight Center - in charge of booster rocket development Larry Mulloy - challenged the engineers' decision not to launch Morton Thiokol - Contracted by NASA to build the Solid Rocket Booster Alan McDonald - Director of the Solid Rocket Motors Project Bob Lund - Engineering Vice President Robert Ebeling - Engineer who worked under McDonald Roger Boisjoly - Engineer who worked under McDonald Joe Kilminster - Engineer in a management position Jerald Mason - Senior executive who encouraged Lund to reassess his decision not to launch. KEY DATES 1974 - Morton-Thiokol awarded contract to build solid rocket boosters. 1976 - NASA accepts Morton-Thiokol's booster design. 1977 - Morton-Thiokol discovers joint rotation problem. November 1981 - O-ring erosion discovered after second shuttle flight. January 24, 1985 - shuttle flight that exhibited the worst O-ring blow-by. July 1985 - Thiokol orders new steel billets for new field joint design. August 19, 1985 - NASA Level I management briefed on booster problem. January 27, 1986 - night teleconference to discuss effects of cold temperature on booster performance. January 28, 1986 - Challenger explodes 72 seconds after liftoff.

KEY ISSUES HOW DOES THE IMPLIED SOCIAL CONTRACT OF PROFESSIONALS APPLY TO THIS CASE? WHAT PROFESSIONAL RESPONSIBILITIES WERE NEGLECTED, IF ANY? SHOULD NASA HAVE DONE ANYTHING DIFFERENTLY IN THEIR LAUNCH DECISION PROCEDURE? Student Handout - Synopsis On January 28, 1986, seven astronauts were killed when the space shuttle they were piloting, the Challenger, exploded just over a minute into flight. The failure of the solid rocket booster O-rings to seat properly allowed hot combustion gases to leak from the side of the booster and burn through the external fuel tank. The failure of the O-ring was attributed to several factors, including faulty design of the solid rocket boosters, insufficient low temperature testing of the O-ring material and the joints that the O-ring sealed, and lack of communication between different levels of NASA management. Organization and People Involved Marshall Space Flight Center - in charge of booster rocket development Larry Mulloy - challenged the engineers' decision not to launch Morton Thiokol - Contracted by NASA to build the Solid Rocket Booster Alan McDonald - Director of the Solid Rocket Motors Project Bob Lund - Engineering Vice President Robert Ebeling - Engineer who worked under McDonald Roger Boisjoly - Engineer who worked under McDonald Joe Kilminster - Engineer in a management position Jerald Mason - Senior Executive who encouraged Lund to reassess his decision not to launch. Key Dates 1974 - Morton-Thiokol awarded contract to build solid rocket boosters. 1976 - NASA accepts Morton-Thiokol's booster design. 1977 - Morton-Thiokol discovers joint rotation problem. November 1981 - O-ring erosion discovered after second shuttle flight. January 24, 1985 - shuttle flight that exhibited the worst O-ring blow-by. July 1985 - Thiokol orders new steel billets for new field joint design. August 19, 1985 - NASA Level I management briefed on booster problem. January 27, 1986 - night teleconference to discuss effects of cold temperature on

booster performance. January 28, 1986 - Challenger explodes 72 seconds after liftoff. Background NASA managers were anxious to launch the Challenger for several reasons, including economic considerations, political pressures, and scheduling backlogs. Unforeseen competition from the European Space Agency put NASA in a position where it would have to fly the shuttle dependably on a very ambitious schedule in order to prove the Space Transportation System's cost effectiveness and potential for commercialization. This prompted NASA to schedule a record number of missions in 1986 to make a case for its budget requests. The shuttle mission just prior to the Challenger had been delayed a record number of times due to inclement weather and mechanical factors. NASA wanted to launch the Challenger without any delays so the launch pad could be refurbished in time for the next mission, which would be carrying a probe that would examine Halley's Comet. If launched on time, this probe would have collected data a few days before a similar Russian probe would be launched. There was probably also pressure to launch Challenger so it could be in space when President Reagan gave his State of the Union address. Reagan's main topic was to be education, and he was expected to mention the shuttle and the first teacher in space, Christa McAuliffe. The shuttle solid rocket boosters (or SRBs), are key elements in the operation of the shuttle. Without the boosters, the shuttle cannot produce enough thrust to overcome the earth's gravitational pull and achieve orbit. There is an SRB attached to each side of the external fuel tank. Each booster is 149 feet long and 12 feet in diameter. Before ignition, each booster weighs 2 million pounds. Solid rockets in general produce much more thrust per pound than their liquid fuel counterparts. The drawback is that once the solid rocket fuel has been ignited, it cannot be turned off or even controlled. So it was extremely important that the shuttle SRBs were properly designed. Morton Thiokol was awarded the contract to design and build the SRBs in 1974. Thiokol's design is a scaled-up version of a Titan missile which had been used successfully for years. NASA accepted the design in 1976. The booster is comprised of seven hollow metal cylinders. The solid rocket fuel is cast into the cylinders at the Thiokol plant in Utah, and the cylinders are assembled into pairs for transport to Kennedy Space Center in Florida. At KSC, the four booster segments are assembled into a completed booster rocket. The joints where the segments are joined together at KSC are known as field joints (See Figure 1). These field joints consist of a tang and clevis joint. The tang and clevis are held together by 177 clevis pins. Each joint is sealed by two O rings, the bottom ring known as the primary O-ring, and the top known as the secondary O-ring. (The Titan booster had only one O-ring. The second ring was added as a measure of redundancy since the boosters would be lifting humans into orbit. Except for the increased scale of the rocket's diameter, this was the

only major difference between the shuttle booster and the Titan booster.) The purpose of the O-rings is to prevent hot combustion gasses from escaping from the inside of the motor. To provide a barrier between the rubber O-rings and the combustion gasses, a heat resistant putty is applied to the inner section of the joint prior to assembly. The gap between the tang and the clevis determines the amount of compression on the O-ring. To minimize the gap and increase the squeeze on the Oring, shims are inserted between the tang and the outside leg of the clevis. Launch Delays The first delay of the Challenger mission was because of a weather front expected to move into the area, bringing rain and cold temperatures. Usually a mission wasn't postponed until inclement weather actually entered the area, but the Vice President was expected to be present for the launch and NASA officials wanted to avoid the necessity of the Vice President's having to make an unnecessary trip to Florida; so they postponed the launch early. The Vice President was a key spokesperson for the President on the space program, and NASA coveted his good will. The weather front stalled, and the launch window had perfect weather conditions; but the launch had already been postponed to keep the Vice President from unnecessarily traveling to the launch site. The second launch delay was caused by a defective micro switch in the hatch locking mechanism and by problems in removing the hatch handle. By the time these problems had been sorted out, winds had become too high. The weather front had started moving again, and appeared to be bringing record-setting low temperatures to the Florida area. NASA wanted to check with all of its contractors to determine if there would be any problems with launching in the cold temperatures. Alan McDonald, director of the Solid Rocket Motor Project at Morton-Thiokol, was convinced that there were cold weather problems with the solid rocket motors and contacted two of the engineers working on the project, Robert Ebeling and Roger Boisjoly. Thiokol knew there was a problem with the boosters as early as 1977, and had initiated a redesign effort in 1985. NASA Level I management had been briefed on the problem on August 19, 1985. Almost half of the shuttle flights had experienced O-ring erosion in the booster field joints. Ebeling and Boisjoly had complained to Thiokol that management was not supporting the redesign task force. Engineering Design The size of the gap is controlled by several factors, including the dimensional tolerances of the metal cylinders and their corresponding tang or clevis, the ambient temperature, the diameter of the O-ring, the thickness of the shims, the loads on the segment, and quality control during assembly. When the booster is ignited, the putty is displaced, compressing the air between the putty and the primary O-ring. The air pressure forces the O-ring into the gap between the tang and clevis. Pressure loads are

also applied to the walls of the cylinder, causing the cylinder to balloon slightly. This ballooning of the cylinder walls caused the gap between the tang and clevis gap to open. This effect has come to be known as joint rotation. Morton-Thiokol discovered this joint rotation as part of its testing program in 1977. Thiokol discussed the problem with NASA and started analyzing and testing to determine how to increase the O-ring compression, thereby decreasing the effect of joint rotation. Three design changes were implemented: 1. Dimensional tolerances of the metal joint were tightened. 2. The O-ring diameter was increased, and its dimensional tolerances were tightened. 3. The use of the shims mentioned above was introduced. Further testing by Thiokol revealed that the second seal, in some cases, might not seal at all. Additional changes in the shim thickness and O-ring diameter were made to correct the problem. A new problem was discovered during November 1981, after the flight of the second shuttle mission. Examination of the booster field joints revealed that the O-rings were eroding during flight. The joints were still sealing effectively, but the O-ring material was being eaten away by hot gasses that escaped past the putty. Thiokol studied different types of putty and its application to study their effects on reducing O-ring erosion. The shuttle flight 51-C of January 24, 1985, was launched during some of the coldest weather in Florida history. Upon examination of the booster joints, engineers at Thiokol noticed black soot and grease on the outside of the booster casing, caused by actual gas blow-by. This prompted Thiokol to study the effects of O-ring resiliency at low temperatures. They conducted laboratory tests of O-ring compression and resiliency between 50lF and 100lF. In July 1985, Morton Thiokol ordered new steel billets which would be used for a redesigned case field joint. At the time of the accident, these new billets were not ready for Thiokol, because they take many months to manufacture. The Night Before the Launch Temperatures for the next launch date were predicted to be in the low 20s. This prompted Alan McDonald to ask his engineers at Thiokol to prepare a presentation on the effects of cold temperature on booster performance. A teleconference was scheduled the evening before the re-scheduled launch in order to discuss the low temperature performance of the boosters. This teleconference was held between engineers and management from Kennedy Space Center, Marshall Space Flight Center in Alabama, and Morton-Thiokol in Utah. Boisjoly and another engineer, Arnie Thompson, knew this would be another opportunity to express their concerns about the boosters, but they had only a short time to prepare their data for the

presentation.1 Thiokol's engineers gave an hour-long presentation, presenting a convincing argument that the cold weather would exaggerate the problems of joint rotation and delayed O-ring seating. The lowest temperature experienced by the Orings in any previous mission was 53F, the January 24, 1985 flight. With a predicted ambient temperature of 26F at launch, the O-rings were estimated to be at 29F. After the technical presentation, Thiokol's Engineering Vice President Bob Lund presented the conclusions and recommendations. His main conclusion was that 53F was the only low temperature data Thiokol had for the effects of cold on the operational boosters. The boosters had experienced O-ring erosion at this temperature. Since his engineers had no low temperature data below 53F, they could not prove that it was unsafe to launch at lower temperatures. He read his recommendations and commented that the predicted temperatures for the morning's launch was outside the data base and NASA should delay the launch, so the ambient temperature could rise until the O-ring temperature was at least 53F. This confused NASA managers because the booster design specifications called for booster operation as low as 31F. (It later came out in the investigation that Thiokol understood that the 31F limit temperature was for storage of the booster, and that the launch temperature limit was 40F. Because of this, dynamic tests of the boosters had never been performed below 40F.) Marshall's Solid Rocket Booster Project Manager, Larry Mulloy, commented that the data was inconclusive and challenged the engineers' logic. A heated debate went on for several minutes before Mulloy bypassed Lund and asked Joe Kilminster for his opinion. Kilminster was in management, although he had an extensive engineering background. By bypassing the engineers, Mulloy was calling for a middle-management decision, but Kilminster stood by his engineers. Several other managers at Marshall expressed their doubts about the recommendations, and finally Kilminster asked for a meeting off of the net, so Thiokol could review its data. Boisjoly and Thompson tried to convince their senior managers to stay with their original decision not to launch. A senior executive at Thiokol, Jerald Mason, commented that a management decision was required. The managers seemed to believe the O-rings could be eroded up to one third of their diameter and still seat properly, regardless of the temperature. The data presented to them showed no correlation between temperature and the blow-by gasses which eroded the O-rings in previous missions. According to testimony by Kilminster and Boisjoly, Mason finally turned to Bob Lund and said, "Take off your engineering hat and put on your management hat." Joe Kilminster wrote out the new recommendation and went back on line with the teleconference. The new recommendation stated that the cold was still a safety concern, but their people had found that the original data was indeed inconclusive and their "engineering assessment" was that launch was recommended, even though the engineers had no part in writing the new recommendation and refused to sign it. Alan McDonald, who was present with NASA management in Florida, was surprised to see the recommendation to launch and appealed to NASA management

not to launch. NASA managers decided to approve the boosters for launch despite the fact that the predicted launch temperature was outside of their operational specifications. The Launch During the night, temperatures dropped to as low as 8F, much lower than had been anticipated. In order to keep the water pipes in the launch platform from freezing, safety showers and fire hoses had been turned on. Some of this water had accumulated, and ice had formed all over the platform. There was some concern that the ice would fall off of the platform during launch and might damage the heat resistant tiles on the shuttle. The ice inspection team thought the situation was of great concern, but the launch director decided to go ahead with the countdown. Note that safety limitations on low temperature launching had to be waived and authorized by key personnel several times during the final countdown. These key personnel were not aware of the teleconference about the solid rocket boosters that had taken place the night before. At launch, the impact of ignition broke loose a shower of ice from the launch platform. Some of the ice struck the left-hand booster, and some ice was actually sucked into the booster nozzle itself by an aspiration effect. Although there was no evidence of any ice damage to the Orbiter itself, NASA analysis of the ice problem was wrong. The booster ignition transient started six hundredths of a second after the igniter fired. The aft field joint on the right-hand booster was the coldest spot on the booster: about 28F. The booster's segmented steel casing ballooned and the joint rotated, expanding inward as it had on all other shuttle flights. The primary Oring was too cold to seat properly, the cold-stiffened heat resistant putty that protected the rubber O-rings from the fuel collapsed, and gases at over 5000F burned past both O-rings across seventy degrees of arc. Eight hundredths of a second after ignition, the shuttle lifted off. Engineering cameras focused on the right-hand booster showed about nine smoke puffs coming from the booster aft field joint. Before the shuttle cleared the tower, oxides from the burnt propellant temporarily sealed the field joint before flames could escape. Fifty-nine seconds into the flight,Challenger experienced the most violent wind shear ever encountered on a shuttle mission. The glassy oxides that sealed the field joint were shattered by the stresses of the wind shear, and within seconds flames from the field joint burned through the external fuel tank. Hundreds of tons of propellant ignited, tearing apart the shuttle. One hundred seconds into the flight, the last bit of telemetry data was transmitted from the Challenger. Issues For Discussion The Challenger disaster has several issues which are relevant to engineers. These issues raise many questions which may not have any definite answers, but can serve to heighten the awareness of engineers when faced with a similar situation. One of the

most important issues deals with engineers who are placed in management positions. It is important that these managers not ignore their own engineering experience, or the expertise of their subordinate engineers. Often a manager, even if she has engineering experience, is not as up to date on current engineering practices as are the actual practicing engineers. She should keep this in mind when making any sort of decision that involves an understanding of technical matters. Another issue is the fact that managers encouraged launching due to the fact that there was insufficient low temperature data. Since there was not enough data available to make an informed decision, this was not, in their opinion, grounds for stopping a launch. This was a reversal in the thinking that went on in the early years of the space program, which discouraged launching until all the facts were known about a particular problem. This same reasoning can be traced back to an earlier phase in the shuttle program, when upper-level NASA management was alerted to problems in the booster design, yet did not halt the program until the problem was solved. To better understand the responsibility of the engineer, some key elements of the professional responsibilities of an engineer should be examined. This will be done from two perspectives: the implicit social contract between engineers and society, and the guidance of the codes of ethics of professional societies. As engineers test designs for ever-increasing speeds, loads, capacities and the like, they must always be aware of their obligation to society to protect the public welfare. After all, the public has provided engineers, through the tax base, with the means for obtaining an education and, through legislation, the means to license and regulate themselves. In return, engineers have a responsibility to protect the safety and well-being of the public in all of their professional efforts. This is part of the implicit social contract all engineers have agreed to when they accepted admission to an engineering college. The first canon in the ASME Code of Ethics urges engineers to "hold paramount the safety, health and welfare of the public in the performance of their professional duties." Every major engineering code of ethics reminds engineers of the importance of their responsibility to keep the safety and well being of the public at the top of their list of priorities. Although company loyalty is important, it must not be allowed to override the engineer's obligation to the public. Marcia Baron, in an excellent monograph on loyalty, states: "It is a sad fact about loyalty that it invites...single-mindedness. Singleminded pursuit of a goal is sometimes delightfully romantic, even a real inspiration. But it is hardly something to advocate to engineers, whose impact on the safety of the public is so very significant. Irresponsibility, whether caused by selfishness or by magnificently unselfish loyalty, can have most unfortunate consequences." Annotated Bibliography and Suggested References Feynman, Richard Phillips, What Do You Care What Other People Think,: Further Adventures of a Curious Character, Bantam Doubleday Dell Pub, ISBN 0553347845,

Dec 1992. Reference added by request of Sharath Bulusu, as being pertinent and excellent reading - 8-25-00. Lewis, Richard S., Challenger: the final voyage, Columbia University Press, New York, 1988. McConnell, Malcolm, Challenger: a major malfunction, Doubleday, Garden City, N.Y., 1987. Trento, Joseph J., Prescription for disaster, Crown, New York, c1987. United States. Congress. House. Committee on Science and Technology, Investigation of the Challenger accident : hearings before the Committee on Science and Technology, U.S. House of Representatives, Ninety-ninth Congress, second session .... U.S. G.P.O.,Washington, 1986. United States. Congress. House. Committee on Science and Technology, Investigation of the Challenger accident : report of the Committee on Science and Technology, House of Representatives, Ninety-ninth Congress, second session. U.S. G.P.O., Washington, 1986. United States. Congress. House. Committee on Science, Space, and Technology, NASA's response to the committee's investigation of the "Challenger" accident : hearing before the Committee on Science, Space, and Technology, U.S. House of Representatives, One hundredth Congress, first session, February 26, 1987. U.S. G.P.O., Washington, 1987. United States. Congress. Senate. Committee on Commerce, Science, and Transportation. Subcommittee on Science, Technology, and Space, Space shuttle accident : hearings before the Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science, and Transportation, United States Senate, Ninety-ninth Congress, second session, on space shuttle accident and the Rogers Commission report, February 18, June 10, and 17, 1986. U.S. G.P.O., Washington, 1986. Notes 1. "Challenger: A Major Malfunction." (see above) p. 194. 2. Baron, Marcia. The Moral Status of Loyalty. Illinois Institute of Technology: Center for the Study of Ethics in the Professions, 1984, p. 9. One of a series of monographs on applied ethics that deal specifically with the engineering profession. Provides

arguments both for and against loyalty. 28 pages with notes and an annotated bibliography.