Professionalism/Roger Boisjoly, Morton Thiokol, and NASA
This book is a class project until May 17, 2013. Editors who are not students in the class are requested to refrain voluntarily from substantive content edits until then. Comments on the talk pages, as well as formatting edits (especially those that help the book adhere to Wikibooks conventions), are invited, welcome and appreciated. Thank you.
- 1 Background
- 2 Factors leading to the Failure
- 3 Key Issues and Ethical Lessons
- 4 References
On January 28, 1986, at 11:38 a.m., EST, the space shuttle Challenger lifted off at Kennedy Space Center, Florida. However, it broke apart 73 seconds into its flight, leading to the deaths of its seven crew members. Many viewed the launch live because of the presence of crew member Christa McAuliffe, the first member of the Teacher in Space Project and the (planned) first female teacher in space. The Challenger disaster has been used as a case study in many discussions of engineering safety and workplace ethics.
People and Organizations Involved
Marshall Space Flight Center - in charge of booster rocket development
Larry Mulloy - challenged the engineers' decision not to launch
Morton Thiokol - Contracted by NASA to build the Solid Rocket Booster
Alan McDonald - Director of the Solid Rocket Motors Project
Bob Lund - Engineering Vice President
Roger Boisjoly - Engineer who worked under McDonald
Jerald Mason - Senior executive who encouraged Lund to reassess his decision not to launch.
Rogers Commission - The investigation team established after Challenger disaster by the U.S government to examine the causes of the disaster.
1974 - Morton Thiokol was awarded contract to build solid rocket boosters.
1977 - Morton Thiokol discovers joint rotation problem. November 1981 - O-ring erosion discovered after second shuttle flight.
July 1985 - Thiokol ordered new steel billets for new field joint design.
August 19, 1985 - NASA Level I management briefed on booster problem.
January 27, 1986 - Night teleconference to discuss effects of cold temperature.
January 28, 1986 - Challenger exploded.
Factors leading to the Failure
After Challenger disaster, the U.S government established an investigation team called Rogers Commission to examine the causes of the disaster that took place 73 seconds after liftoff.
The Design Problems and Insufficient Testing
The Rogers Commission found that the Challenger accident was caused by a failure in O-ring sealing the aft field joint on the right solid rocket booster (SRBs), which allowed the leakage of hot pressurized gases and eventually caused structural failure of the external tank.
Solid Rocket Booster (SRB)
In the early 1970s, Thiokol was selected to receive NASA contract to design and build the solid rocket boosters(SRBs). Costs were the primary concern of NASA’s selection board, and Thiokol’s low cost advantages overrode other technical objections.The Challenger Solid Rocket Booster problems began with the faulty design of its joint and increased as both NASA and contractor management failed to recognize it as a problem and treated it as an acceptable flight risk. The contractor, Morton Thiokol, which is responsible for building the solid rocket boosters, did not accept the implications of some early testing that the design had a serious flaw. For example, the most famous early testing is called hydroburst test, in which they used pressurized water to simulate combustion gases effects, and they found that the joint tang and inside clevis bent away instead of toward each other. Engineers at Marshall Space Flight Center found the problem and wrote to the project manager at that time, however, the manager did not forward these memos to Thiokol senior decision-making board, and the filed joint design was accepted around 1980s. By 1985, Marshall and Thiokol both realized that there was a serious problem in the solid rocket booster design, and they began the process of redesigning the joint with three inches of additional steel around the tang to grip the inner face from rotation. However, the senior management at NASA did not call for a halt to shuttle flights, and they kept treating it as an acceptable flight risk and eliminating flight constraints in the subsequent launches. Therefore, Rogers Commission later concluded that the Challenger disaster was "an accident rooted in history."
The two solid rocket boosters attached to a space shuttle orbiter provided 80% of the thrust necessary to propel the shuttle into space. About 2 minutes after a normal launch, the solid rocket boosters would detach and parachute back to the ground to be reused in subsequent missions. In the case of the Challenger, the O-ring failure caused a breach in the solid rocket booster joint it sealed, therefore allowing pressurized hot gases from within the solid rocket booster to reach the outside and impinge upon the adjacent external fuel tank. This led to the separation of the right-hand solid rocket booster and the structural failure of the external tank. 
The O-Rings must be in perfect condition to prevent hot gases from leaking through the joints of the solid rocket booster. The O-Rings were two rubber rings that formed a seal between sections of the solid rocket boosters. By design, pressure from within the booster was to push a fillet of putty into the joint, forcing the O-Ring into its seat. However, it was found that flight dynamics caused the joints in the solid rocket booster to flex during launch, opening a gap through which rocket exhaust could escape. This is caused by a momentary drop in air pressure, and it made possible for combustion gases to erode the O-Rings, and destroy the booster and shuttle in the end.
In addition to the faulty design of the solid rocket boosters and O-ring sealing, they also had insufficient low temperature testing for O-ring material and joints that O-ring sealed.
Ice had accumulated all over the launch pad the night before launch day, raising concerns that ice could damage the shuttle upon liftoff. However, because both Thiokol and NASA did not have sufficient low-temperature testing on the viability of O-ring sealed joints, they launched the Challenger after their last inspection because the ice appeared to be melting. The insufficient low-temperature testing of the O-ring material failed to show the loss of effectiveness and functionality of O-Ring under cold environment, which became the determining cause of the failure of O-ring on the launch day. Most importantly, all of these technical problems and safety issues had been identified or at least predicated even before the launch day, but NASA did not accept the judgment of some of its engineers that the design was unacceptable. Thiokol’s stated position was that “the condition is not desirable, but is acceptable.”  The lack of proper communication between different levels of NASA management even worsens the problem.
Lack of Proper Communication
The 1986 explosion that destroyed the space shuttle Challenger and killed seven astronauts shocked the nation, but for one rocket engineer the tragedy became a personal burden and created a lifelong quest to challenge the bureaucratic ethics that had caused the tragedy.
Roger Boisjoly, 73, died of cancer three months ago in Utah, was an engineer at solid rocket booster manufacturer Morton Thiokol and had begun warning as early as 1985 that the joints in the boosters could fail in cold weather, leading to a catastrophic failure of the casing. Boisjoly had noticed that the O-rings eroded, to an extent, previously. NASA and Thiokol, however, decided that, since the O-rings were not completely eroded, there was minimal risk.
In the summer of 1985, six months before the Challenger's fatal launch, an Applied Mechanics Engineer at Morton Thiokol, Roger Boisjoly, sent a memo to the company's Vice President of Engineering. In it, he urged that action be taken to immediately correct the well-known O-ring issue. The memo begins:
"This letter is written to insure that management is fully aware of the seriousness of the current O-ring erosion problem in the SRM joints from an engineering standpoint. If the same scenario should occur in a field joint (and it could), then it is a jump ball as to the success or failure of the joint...The result would be a catastrophe of the loss of human life." .
Anticipating the very problem (the aft field joint) that caused the Challenger disaster, Boisjoly addresses field joints: "If the same scenario should occur in a field joint (and it could), then it is a jump ball as to the success or failure of the joint...The result would be a catastrophe of the highest order - loss of human life."
Then the night before the final fatal launch, Boisjoly and four other space shuttle engineers argued late into the night on a telephone conference. Boisjoly and other engineers were alarmed that freezing temperatures were forecasted. Cold weather could cause the joint design problem to worsen . On the chart the engineers used to communicate with management team, we can clearly see that all passed testing results were achieved above 65 F, while the temperature predicted at the Challenger launch would be 32 F.
However, it is sad that the people made final decisions were not those who have knowledge of details. What happened subsequently that evening is the subject of much dispute, but any narrative will contain at least the following:
- The Morton Thiokol management accepted the recommendation of their engineers not to launch Challenger and sent that recommendation on to the National Aeronautic and Space Administration (NASA).
- NASA asked for a reconsideration of the recommendation.
- The burden of proof seemed to shift. The managers at Morton Thiokol caucused among themselves and approved the flight—despite their engineers’ recommendation and sometimes vehement opposition.
Boisjoly was not the only engineer who attempted to stop the launch and suffered for blowing the whistle. Allan J. McDonald was Thiokol's program manager for the solid rocket booster and became the most important critic of the accident afterward. When he was pressed by NASA the night before the liftoff to sign a written recommendation approving the launch, he refused, and later argued late into the night for a launch cancellation. When McDonald later disclosed the secret debate to accident investigators, he was isolated and his career destroyed .
Key Issues and Ethical Lessons
NASA’s organizational culture and decision-making processes were the main factors that affected the project and its safety. These were the key contributing factors to the accident. There was a big miscommunication between the levels inside the project. Although NASA managers had known contractor Morton Thiokol design of the SRBs contained problem in O-rings since 1977, they failed to address it properly. It shows that they did not want to take responsibility in an action that results in a change in the project. Also, failing to address the problems properly in the design of SRBs proves the miscommunication within the project group.
NASA managers also disregarded warnings from engineers about low temperatures of the morning of the launch thinking that it was not an important detail to consider. They pretty much did not listen to the engineers and also failed to adequately report these technical concerns to their superiors. If they reported those technical concerns on time, safety precautions could be taken for the launch.
In this case, organizational barriers prevented effective communication of critical safety information and stifled professional differences of opinion. There is lack of integrated management across program elements and informal chain of command and decision-making processes operated outside the organization’s structure.
As the result, engineers should not be coward and should not hesitate pointing out critical safety information to their managers. They should not be seen by their managers as troublemakers because it is their duty to show failures in the project. Managers should take engineers seriously without thinking that there is professional difference between them and engineers. Program should be managed as a whole; every level of the project should communicate and share information to prevent problems during or after the project. If there was a better communication between members of the project and if managers were more responsible about pointing out and solving problems in the project, launch could be postponed to a later time or could be cancelled because safety is the most important thing in critical projects like this one.
After the disaster NASA announced The NASA Safety Reporting System (NSRS). It was established by the NASA Administrator in 1987 after the Challenger Shuttle , the NSRS has since supported all flights and has been expanded to cover all NASA operations. In this system The NSRS contractor removes identifying information and forwards only a summary concerns to the NASA Headquarters Office of Safety and Mission Assurance for immediate analysis and investigation.
The NSRS is an anonymous, voluntary, and responsive reporting channel to notify NASA’s upper management of concerns about hazards. Reports are guaranteed to receive prompt attention. If there was NSRS system before this disaster, Roger Boisjoly would be able to report the problems in the project anonymously and it would easily take attention by the superiors of the project. Since managers could not leave their ego behind and did not take Boisjoly seriously because of his position in the project, they were not successful in taking precautions for the launch. Also, maintaining status quo was the another reason that caused the disaster. Performing the launch was the only goal and cancelling it would be against the status quo. Therefore managers did not want to pay attention to any warnings that would be against the launch even though they were crucial, such as Boisjoly's warning about the problem in the O-ring of the design.