CASE STUDY 01

CHALLENGER DISASTER
 Challenger Disaster

The explosion of the space shuttle Challenger is perhaps the most widely written
about case in engineering ethics

The case illustrates many important ethical issues that engineers face:

1. What is the proper role of the engineer when safety issues are a concern?
2. Who should have the ultimate decision making authority to order a launch?
3. Should the ordering of a launch be an engineering or a managerial decision?
 Challenger Disaster

The space shuttle was designed to be a reusable launch vehicle. The vehicle consists of an
orbiter, which looks much like a medium-sized airliner (minus the engines!), two solid-
propellant boosters, and a single liquid-propellant booster.

At takeoff, all of the boosters are ignited and lift the orbiter out of the earths atmosphere. The
solid rocket boosters are only used early in the flight and are jettisoned soon after takeoff,
parachute back to earth, and are recovered from the ocean. They are subsequently repacked
with fuel and are reused.

The liquid-propellant booster is used to finish lifting the shuttle into orbit, at which point the
booster is jettisoned and burns up during reentry. The liquid booster is the only part of the
shuttle vehicle that is not reusable. After completion of the mission, the orbiter uses its limited
thrust capabilities to reenter the atmosphere and glides to a landing.
 Challenger Disaster

The accident on January 28, 1986, was blamed on a failure of

one of the solid rocket boosters. Solid rocket boosters have
the advantage that they deliver far more thrust per pound of
fuel than do their liquid-fueled counterparts, but have the
disadvantage that once the fuel is lit, there is no way to turn
the booster off or even to control the amount of thrust
produced. In contrast, a liquid-fuel rocket can be controlled
by throttling the supply of fuel to the combustion chamber or
can be shut off by stopping the flow of fuel entirely.
 Challenger Disaster

In 1974, NASA awarded the contract to design and build the solid rocket
boosters for the shuttle to Morton Thiokol.
The design that was submitted by Thiokol was a scaled-up version of the
Titan missile, which had been used successfully for many years to launch
satellites.
This design was accepted by NASA in 1976. The solid rocket consists of
several cylindrical pieces that are filled with solid propellant and stacked
one on top of the other to form the completed booster.
The assembly of the propellant-filled cylinders was performed at Thiokols
plant in Utah. The cylinders were then shipped to the Kennedy Space
Center in Florida for assembly into a completed booster.
 Challenger Disaster

A key aspect of the booster design are the joints where the individual
cylinders come together, known as the fi eld joints, illustrated schematically in
Figure 1.1a . These are tang and clevis joints, fastened with 177 clevis pins.
The joints are sealed by two O-rings, a primary and a secondary. The O-rings
are designed to prevent hot gases from the combustion of the solid propellant
from escaping. The O-rings are made from a type of synthetic rubber and so
are not particularly heat resistant. To prevent the hot gases from damaging
the O-rings, a heat-resistant putty is placed in the joint. The Titan booster had
only one O-ring in the fi eld joint. The second O-ring was added to the booster
for the shuttle to provide an extra margin of safety since, unlike the Titan, this
booster would be used for a manned space craft.
 Challenger Disaster

Early Problems with the Solid Rocket Boosters

Problems with the field-joint design had been recognized long before the
launch of the Challenger. When the rocket is ignited, the internal pressure
causes the booster wall to expand outward, putting pressure on the field
joint. This pressure causes the joint to open slightly, a process called joint
rotation, illustrated in Figure 1.1b . The joint was designed so that the
internal pressure pushes on the putty, displacing the primary O-ring into this
gap, helping to seal it. During testing of the boosters in 1977, Thiokol
became aware that this joint-rotation problem was more severe than on the
Titan and discussed it with NASA. Design changes were made, including an
increase in the thickness of the O-ring, to try to control this problem.
Challenger Disaster
 Challenger Disaster

A key aspect of the booster design are the joints where the individual
cylinders come together, known as the field joints, illustrated schematically
in Figure 1.1a .
These are tang and clevis joints, fastened with 177 clevis pins. The joints
are sealed by two O-rings, a primary and a secondary. The O-rings are
designed to prevent hot gases from the combustion of the solid propellant
from escaping. The O-rings are made from a type of synthetic rubber and
so are not particularly heat resistant. To prevent the hot gases from
damaging the O-rings, a heat-resistant putty is placed in the joint. The Titan
booster had only one O-ring in the field joint. The second O-ring was added
to the booster for the shuttle to provide an extra margin of safety since,
unlike the Titan, this booster would be used for a manned space craft.
 Challenger Disaster
Early Problems with the Solid Rocket Boosters

Problems with the field-joint design had been recognized long before the
launch of the Challenger. When the rocket is ignited, the internal pressure
causes the booster wall to expand outward, putting pressure on the field
joint. This pressure causes the joint to open slightly, a process called joint
rotation, illustrated in Figure 1.1b . The joint was designed so that the
internal pressure pushes on the putty, displacing the primary O-ring into this
gap, helping to seal it. During testing of the boosters in 1977, Thiokol
became aware that this joint-rotation problem was more severe than on the
Titan and discussed it with NASA. Design changes were made, including an
increase in the thickness of the O-ring, to try to control this problem.
 Challenger Disaster

Further testing revealed problems with the secondary seal, and more changes
were initiated to correct that problem. In November of 1981, after the second
shuttle flight, a post launch examination of the booster field joints indicated that
the O-rings were being eroded by hot gases during the launch. Although there
was no failure of the joint, there was some concern about this situation, and
Thiokol looked into the use of different types of putty and alternative methods
for applying it to solve the problem. Despite these efforts, approximately half of
the shuttle flights before the Challenger accident had experienced some degree
of O-ring erosion. Of course, this type of testing and redesign is not unusual in
engineering. Seldom do things work correctly the first time, and modifications to
the original design are often required.
 Challenger Disaster

It should be pointed out that erosion of the O-rings is not necessarily a

bad thing. Since the solid rocket boosters are only used for the first few
minutes of the flight, it might be perfectly acceptable to design a joint in
which O-rings erode in a controlled manner. As long as the O-rings dont
completely burn through before the solid boosters run out of fuel and are
jettisoned, this design should be fine. However, this was not the way the
space shuttle was designed, and O-ring erosion was one of the problems
that the Thiokol engineers were addressing.
 Challenger Disaster

The first documented joint failure came after the launch on January 24,
1985, which occurred during very cold weather. The post flight examination
of the boosters revealed black soot and grease on the outside of the
booster, which indicated that hot gases from the booster had blown by the
O-ring seals. This observation gave rise to concern about the resiliency of
the O-ring materials at reduced temperatures. Thiokol performed tests of
the ability of the O-rings to compress to fill the joints and found that they
were inadequate. In July of 1985, Thiokol engineers redesigned the fi eld
joints without O-rings. Instead, they used steel billets, which should have
been better able to withstand the hot gases. Unfortunately, the new design
was not ready in time for the Challenger flight in early 1986 [ Elliot et al.,
1990 ].
 Challenger Disaster
The Political Climate

NASAs budget was determined by Congress, which was becoming

increasingly unhappy with delays in the shuttle project and shuttle
performance.
NASA had billed the shuttle as a reliable, inexpensive launch vehicle for a
variety of scientific and commercial purposes, including the launching of
commercial and military satellites that capable of frequent flights (several per
year)
NASA was feeling some urgency in the program because the European Space
Agency was developing what seemed to be a cheaper alternative to the
shuttle, which could potentially put the shuttle out of business.
 Challenger Disaster

Launching a mission was especially important in January 1986, since the

previous mission had been delayed numerous times by both weather and
mechanical failures.
NASA also felt pressure to get the Challenger launched on time so that the
next shuttle launch, which was to carry a probe to examine Halleys comet,
would be launched before a Russian probe designed to do the same thing.
There was additional political pressure to launch the Challenger before the
upcoming state-of-the-union address, in which President Reagan hoped to
mention the shuttle and a special astronautthe first teacher in space,
Christa McAuliffein the context of his comments on education
 Challenger Disaster
The Days Before the Launch

The front was expected to bring extremely cold weather to the launch site,
with temperatures predicted to be in the low 20s (F).
NASA checked with all of the shuttle contractors - During teleconference,
Roger Boisjoly and Arnie Thompson, two Thiokol engineers who had
worked on the solid propellant booster design, gave an hour-long
presentation on how the cold weather would increase the problems of joint
rotation and sealing of the joint by the O-rings.
The engineers point was that the lowest temperature at which the shuttle
had previously been launched was 53F, on January 24, 1985, when there
was blow-by of the O-rings. The O-ring temperature at Challengers
expected launch time the following morning was predicted to be 29F.
 Challenger Disaster

After much discussion, Jerald Mason, a senior manager with Thiokol, turned
to Lund and said, Take off your engineering hat and put on your
management hat, a phrase that has become famous in engineering ethics
discussions. Lund reversed his previous decision and recommended that the
launch proceed. The new recommendation included an indication that there
was a safety concern due to the cold weather, but that the data were
inconclusive and the launch was recommended. McDonald, who was in
Florida, was surprised by this recommendation and attempted to convince
NASA to delay the launch, but to no avail.
 Challenger Disaster
The Launch

Contrary to the weather predictions, the overnight temperature was 8F,

colder than the shuttle had ever experienced before. In fact, there was a
significant accumulation of ice on the launch pad from safety showers and fi
re hoses that had been left on to prevent the pipes from freezing. It has been
estimated that the aft field joint of the right-hand booster was at 28F
 Challenger Disaster

cameras, looking at the right booster, recorded puffs of smoke coming from the aft
field joint immediately after the boosters were ignited. This smoke is thought to have
been caused by the steel cylinder of this segment of the booster expanding outward
and causing the field joint to rotate. But, due to the extremely cold temperature, the
O-ring didnt seat properly. The heat-resistant putty was also so cold that it didnt
protect the O-rings, and hot gases burned past both O-rings. It was later determined
that this blow-by occurred over 70 of arc around the O-rings.
 Challenger Disaster

Very quickly, the field joint was sealed again by byproducts of the solid rocket
propellant combustion, which formed a glassy oxide on the joint. This oxide
formation might have averted the disaster had it not been for a very strong
wind shear that the shuttle encountered almost one minute into the flight. The
oxides that were temporarily sealing the fi eld joint were shattered by the
stresses caused by the wind shear. The joint was now opened again, and hot
gases escaped from the solid booster. Since the booster was attached to the
large liquid-fuel booster, the flames from the solid-fuel booster blow-by quickly
burned through the external tank. The liquid propellant was ignited and the
shuttle exploded.
 Challenger Disaster
DISCUSSION

The astronauts on the Challenger mission were aware of the

dangerous nature of riding a complex machine such as the space

1
shuttle into space, so they can be thought of as having given
informed consent to participating in a dangerous enterprise. What
role did informed consent play in this case? Do you think that the
astronauts had enough information to give informed consent to
launch the shuttle that day?
 Challenger Disaster
DISCUSSION

2 Can an engineer who has become a manager truly ever

take off her engineers hat? Should she?
 Challenger Disaster
DISCUSSION

3
Some say that the shuttle was really designed by Congress
rather than NASA. What does this statement mean? What are
the ramifications for engineers if this is true?
 Challenger Disaster
DISCUSSION

Aboard the shuttle for this flight was the first teacher in space.
Should civilians be allowed on what is basically an experimental
launch vehicle? At the time, many felt that the placement of a

4 teacher on the shuttle was for purely political purposes. President

Reagan was thought by many to be doing nothing while the
American educational system decayed. Cynics felt that the teacher-
in-space idea was cooked up as a method of diverting attention
from this problem and was to be seen as Reagan doing something
for education while he really wasnt doing anything. What are the
ethical implications if this scenario is true?
 Challenger Disaster
DISCUSSION

Should a launch have been allowed when there were no test

data for the expected conditions? Keep in mind that it is
probably impossible to test for all possible operating conditions.
5 More generally, should a product be released for use even
when it hasnt been tested over all expected operational
conditions? When the data are inconclusive, which way should
the decision go?
 Challenger Disaster
DISCUSSION

During the aftermath of the accident, Thiokol and NASA

investigated possible causes of the explosion. Boisjoly accused
6 Thiokol and NASA of intentionally downplaying the problems with
the O-rings while looking for other causes of the accident. If true,
what are the ethical implications of this type of investigation?
 Challenger Disaster
DISCUSSION

It might be assumed that the management decision to launch was

prompted in part by concerns for the health of the company and the
space program as a whole. Given the political climate at the time of

7 the launch, if problems and delays continued, ultimately Thiokol

might have lost NASA contracts, or NASA budgets might have been
severely reduced. Clearly, this scenario could have led to the loss of
many jobs at Thiokol and NASA. How might these considerations
ethically be factored into the decision?
 Challenger Disaster
DISCUSSION

Engineering codes of ethics require engineers to protect

8 the safety and health of the public in the course of their

duties. Do the astronauts count as the public in this
context? How about test pilots of new airplane designs?
 Challenger Disaster
DISCUSSION

9 What should NASA management have done differently?

What should Thiokol management have done differently?
 Challenger Disaster
DISCUSSION

10 What else could Boisjoly and the other engineers at

Thiokol have done to prevent the launch from occurring?