Professionalism/Roger Boisjoly, Morton Thiokol, and NASA

From Wikibooks, open books for an open world
Jump to: navigation, search
The Challenger Explosion

On January 28, 1986, at 11:38 a.m., EST, the space shuttle Challenger lifted off at Kennedy Space Center, Florida. However, it broke apart 73 seconds into its flight, leading to the deaths of its seven crew members.

Many people viewed the launch live because of crew member Christa McAuliffe, the first member of the Teacher in Space Project and the (planned) first female teacher in space. After the Challenger disaster, the U.S government established an investigatory team called Rogers Commission to examine the causes of the disaster. The disaster was due in part to faulty booster designs and partly due to communication and management failures. The Challenger disaster is to this day used as a case study in engineering safety and workplace ethics.

Timeline[edit]

August 1972 - NASA contractor Morton Thiokol is awarded the contract to build shuttle solid rocket boosters at $710 million [1].

1976 - NASA accepts Morton Thiokol's booster design. The booster rocket are to be developed at NASA's Marshall Space Flight Center, a rocketry and spacecraft propulsion research center.

1977 - Morton Thiokol discovers a joint deflection problem.

November 1981 - Morton Thiokol discovers O-ring erosion after a second shuttle flight (STS-2).

April 1983 - On the maiden voyage of the space shuttle, Challenger deploys a NASA communications satellite.

January 1985 - Roger Boisjoly, a Thiokol engineer in the Solid Rocket Booster project, becomes concerned about O-ring erosion after he realizes the field joint almost completely failed during a shuttle flight (STS-51-C) [2].

July 1985 - Thiokol orders new steel billets for new field joint design.

August 19, 1985 - NASA Level I management is informed of the booster problem.

January 27, 1986 - In a nighttime teleconference, Thiokol managers and NASA personnel discuss effects of cold temperature on O-rings. Freezing temperatures are forecasted for the next morning. George Hardy, Deputy Director of the Marshall Space Flight Center, and Lawrence Mulloy, the Shuttle Program Manager, do not believe the problem to be an extraordinary risk and therefore decide not to delay the launch.

January 28, 1986 - The Challenger explodes (STS-51-L).

June 9, 1986 - The Rogers Commission, an investigatory Presidential Commission, releases its report explaining the Challenger's mode of failure. The report urges NASA to improve shuttle safety features and make organizational changes to mission procedures.

The Design Problems and Insufficient Testing[edit]

The Rogers Commission found that the Challenger accident was caused by a failure in O-ring sealing the aft field joint on the right solid rocket booster, which allowed the leakage of hot pressurized gases and eventually caused structural failure of the external fuel tank. The failure was a result of abnormally cold temperatures which weakened the putty that separated the hot gases from the O-rings which sealed the joint. The putty had a blow-by where hot gases bubbled through the putty and reached the O-rings causing further erosion so that the first O-ring could not make a seal. The second O-ring was rendered useless as the solid rocket booster's field joint bent away, preventing a seal. Therefore hot gases burned through onto the external tank, causing it to explode 73 seconds after the launch.

Solid Rocket Boosters (SRBs) Field Joint[edit]

In 1974, Thiokol was selected to receive a NASA contract at $710 million [1] to design and build the solid rocket boosters (SRBs). Costs were the primary concern of NASA’s selection board, and Thiokol’s low cost advantages overrode other technical objections, resulting in a cost plus award fee of approximately $800 million .[3] The Challenger SRB problems began with the design of the joint between sections of the rocket.

Field joint picture from Rogers Commission-Volume 1, p.57

The sections of the SRBs are connected at what is called the "field joint", composed of 177 pins connecting the clevis and tang. The joint included zinc putty to stop the O-rings, which seal the joints together, from being burned by hot gasses from burning fuel. The two solid rocket boosters attached to a space shuttle orbiter provided 80% of the thrust necessary to propel the shuttle into space. [4] About 2 minutes after a normal launch, the solid rocket boosters detach and parachute back to the ground to be reused in subsequent missions.[5]

Tests revealed a flaw in the SRB design. A hydroburst test, which uses pressurized water to simulate the pressure from combustion gases, revealed that the joint tang and clevis bent away instead of toward each other. This made the second O-ring ineffective. [3] Engineers at the Marshall Space Flight Center found the problem and wrote to the project manager, however, the manager and Deputy Director, George Hardy, did not forward these memos to Thiokol's senior decision-making board, and the field joint design was confirmed.[3] By 1985, Marshall and Thiokol both realized that there was a serious problem in the solid rocket booster design and they began the process of redesigning the joint with three inches of additional steel around the tang to grip the inner face to prevent rotation. However, the senior management at NASA did not call for a halt to shuttle flights and kept treating these problems as an acceptable flight risk.[3]

O-ring[edit]

Each field joint was sealed by a pair of two O-rings which are protected by zinc-putty. The O-rings were two rubber rings that formed a seal between sections of the solid rocket boosters. By design, pressure from within the booster was to push on the zinc putty which would transfer the pressure to the air in the joint, forcing the O-ring into its seat to form an airtight seal. They were added to stop the field joint from flexing farther outward (the clavis and tang moving away from the booster at launch from the pressure of lift-off) and to stop the hot exhaust gases from leaving the field joint. In November 1981 after the second shuttle launch, Jack Buchanan found that the primary O-ring was slightly eroded. Thiokol investigated and found that the outward flexing of the field joint delayed the O-ring seating. This lead to blow-by, where as hot exhaust gases traveled through the zinc-putty, and burned the O-ring, eroding it [6]. The cause for the blow-by could not be determined at the time but it was deemed as an acceptable flight risk after engineers determined that the O-ring could seal even when significantly eroded at higher than launch pressures [6].

Low-temperature testing[edit]

In 1985, engineers began to suspect that the blow-by which damaged the O-rings was related to ambient temperatures and were beginning to redesign the field joint. To date, no shuttle had been launched at a temperature lower than 53 degrees Fahrenheit. On the night before the launch, ambient temperatures were predicted to be below freezing. Ice had accumulated on the launch pad the night before the launch, raising concerns that ice could damage the shuttle upon liftoff. However, because both Thiokol and NASA did not have sufficient low-temperature testing on the viability of O-ring sealed joints or the zinc putty, they launched the Challenger after their last inspection because the ice appeared to be melting.[5] The insufficient low-temperature testing of the O-ring material failed to show their loss of functionality in a cold environment, resulting in the failure on launch day. Most importantly, these technical and safety problems were identified or at least predicted, but NASA did not accept some engineers' judgment that the design was unacceptable. Thiokol’s stated position was that “the condition is not desirable, but is acceptable.” [3]

Lack of Proper Communication[edit]

The 1986 explosion that destroyed the space shuttle Challenger and killed seven astronauts shocked the nation, but for one rocket engineer the tragedy became a personal burden and created a lifelong quest to challenge the bureaucratic ethics that had caused the tragedy. [7]

Roger Boisjoly (1938-2012) was an Applied Mechanics Engineer at Morton Thiokol and cautioned as early as 1985 that the joints in the boosters could fail in cold weather, leading to a catastrophic failure of the casing. Boisjoly had also noticed that the O-rings eroded as well. NASA and Thiokol, however, decided that, since the O-rings were not completely eroded, there was minimal risk.

In the summer of 1985, six months before the Challenger's fatal launch, Roger Boisjoly sent a memo to the Thiokols's Vice President of Engineering. In it, he urged that action be taken to immediately correct the O-ring issue. The memo begins:

"This letter is written to insure that management is fully aware of the seriousness of the current O-ring erosion problem in the SRM joints from an engineering standpoint. If the same scenario should occur in a field joint (and it could), then it is a jump ball as to the success or failure of the joint...The result would be a catastrophic loss of human life." [8]

Depiction of the Shuttle Flight Readiness Review Process

Despite his efforts, no mention of O-ring issues ever made it to NASA upper management, even with the extensive Shuttle Flight Readiness Review. This process begins at level IV with the contractors certifying in writing that the parts they are responsible for are ready. Then the level III NASA project managers verify the readiness of launch elements. Next, the level II Johnson program manager certifies the completion, testing, and checkout of relevant elements. The process culminates with the Level I Flight Readiness Review, two weeks before a launch. This conference is chaired by the NASA Associate Administrator for Space Flight and attended by the NASA Chief Engineer, the Program Manager, the center directors and project managers from Johnson, Marshall and Kennedy, and senior contractor representatives. This procedure was followed for the Challenger flight but it failed to address objections of Morton Thiokol Engineers about the effects of cold weather on the O-rings, and the concerns of Thiokol and Marshall Engineers about O-ring erosion in previous flights. The O-ring problems in the Solid Rocket Booster joint were not even mentioned in the Certification of Flight Readiness, signed for Thiokol by Joseph Kilminster.

The final lapse in communication occurred on January 27, 1986, the night before the launch. A series of conference calls were initiated between Thiokol Engineers (including Roger Boisjoly), Thiokol senior project management personnel, and NASA management to discuss the effects of cold temperatures on the O-rings. In this teleconference, Thiokol engineers recommended that the launch be delayed and that Aldrich, Program Manager at Johnson (Level II), be informed of the O-ring concerns. Thiokol presented the recommendation to only launch within the data set within which they had tested the O-rings: 53 degrees or warmer.[3] NASA management was not pleased by the recommendation. George Hardy, Deputy Director of the Marshall Space Flight Center responded, “I am appalled by your recommendation.” Similarly, Lawrence Mulloy, the Shuttle Program Manager, retorted, “My god, Thiokol. When do you want us to launch – next April?” [3] NASA asked that Thiokol reconsider their recommendation not to launch. This caused an apparent shift in the launch paradigm; rather than needing to prove the launch was safe before proceeding, NASA administrators wanted proof that the launch was not safe before agreeing to a delay. This sidestepped engineering concerns that were grounded on the lack of adequate data to prove the safety of a launch. Gerald Mason, the Senior Vice President of Operations at Thiokol, demanded a management decision, telling engineering manager Bob Lund to “take off your engineering hat and put on your management hat.”[3] This led to a management decision to approve the flight despite the engineers’ recommendation and vehement opposition by Boisjoly and others. NASA upper level management was never informed of the potential hazards and the Challenger was launched.

Key Issues and Ethical Lessons[edit]

NASA’s organizational culture and decision-making processes were the main factors that compromised the project and its safety. There was miscommunication between the levels inside the project, a powerful drive to launch despite possible consequences, and an increased tolerance of risk. Consequently, although NASA managers had known contractor Morton Thiokol's design of the SRBs contained problems with O-rings since 1978, they failed to address these issues properly and the Challenger exploded, killing all seven crew members.

Asymmetry of Power[edit]

The relative sizes of NASA and Morton Thiokol placed pressure on Thiokol to prioritize NASA's goals. The solid rocket booster contract made up $400 million of Thiokol’s $2 billion dollar annual revenue. Losing this contract would have been a significant financial blow to the company. Thiokol received the original contract despite not being the lowest bidder, having bid $710 million to Aerojet’s $655 million.[1] Thiokol therefore may have felt obliged not to protest decisions from NASA, in the hopes of receiving future preferential treatment from NASA. Thiokol may have received the contract due to the influence of Dr. James Fletcher, then NASA Administrator.[1] He had served as president of the University of Utah and owned several companies in the district of Utah in which Thiokol was based. Giving Thiokol the contract was a way to invest in his home district. Having possibly received the contract through favoritism rather than merit no doubt created additional incentive for Thiokol to treat NASA as a customer rather than a client, in the hopes of winning future contracts.

Launch Fever[edit]

NASA faced several external pressures that incentivized hurried launch over safety, which are collectively referred to as “launch fever.” President Reagan was due to give his State of the Union Address the day of the launch and had planned on using Christa McAuliffe, a high school teacher in the Challenger crew, as a talking point to underscore his promotion of education. Halley’s Comet, which passes by the Earth every 75 years, was going to appear later in the year and NASA was launching instruments with which to observe the comet on Challenger. The media had increasingly painted a picture of NASA as an inefficient organization unable to keep its deadlines, which dis-incentivized Congress from budgeting public money to NASA. In fact, Congress had recently cut NASA’s budget. However, NASA could regain funds by launching 24 flights per year by 1991.[9] This highly incentivized NASA to launch quickly rather than safely.

Normalization of Deviance[edit]

Normalization of deviance was a theory proposed by sociologist Diane Vaughan. Vaughan defined normalization of deviance as "people within the organization become so much accustomed to a deviant behavior that they don't consider it as deviant, despite the fact that they far exceed their own rules for the elementary safety".[10]. There were several incremental deviances among Thiokol and NASA. The first was the issue of the flexing of the field joint and blow-by. When Thiokol designed the field joint, they noticed the joint flexed but rather than change the design to strengthen the walls, they added the two O-rings. The O-rings were deemed a criticality 1 component, meaning that if the component failed it would lead to catastrophic failure of the space shuttle. A criticality 1 component could never be backed up by another criticality 1 component. NASA should not have allowed the criticality 1 primary O-ring to be supported by another criticality 1 component, namely the secondary O-ring.[6] In 1978 and in 1979, John Q. Miller and other engineers at Marshall sent memos to their supervisors, Glenn Eudy (1978) and George Hardy (1979), to tell them that the field joint was not safe, that the O-ring was not properly applied, and that the secondary O-ring sealing was not always guaranteed to work as specified in the contract.[3] During testing, NASA engineers even wrote memos to their manager at Marshall Space Center, George Hardy, who did not send on their concerns to Thiokol.

Further deviation came with STS-2, the second manned shuttle flight which observed some erosion to the primary O-ring. Neither Thiokol nor NASA re-evaluated the designs. Rather, Thiokol created a new putty to help prevent O-ring erosion. The engineers tested the limits of the joint with different levels of erosion and, since it still worked when eroded, determined it was an acceptable flight risk.[6] The O-rings were not replaced. In March 1984 on shuttle flight STS 41-B, erosion had become more common and so Thiokol presented its report on the erosion to Lawrence Mulloy of Marshall Space Center for the Level III Flight Readiness Review for STS 41-C. [3] Mulloy forwarded this information onto Level I Flight Readiness Review as a technical issue, and in response, Mulloy was to conduct a more thorough review of sealing in each joint of each case. Mulloy asked Thiokol to find the limits of O-ring sealing and the consequent flight risk.[3] Flight STS 51-B in April of 1985 had the worst blow-by leading to erosion of the secondary O-ring. NASA implemented a mandatory pre-launch O-ring review.[3] Yet Mr. Mulloy and Mr. Lawrence waived the constraint for each flight after July 10, 1985, up to and including Challenger.[3] These deviances were justified by a culture that incentivized avoiding delays and cost increases instead of addressing technical and safety issues. Normalization of deviance continued up to the point where NASA pressured Thiokol and managers pressured engineers in order to maintain launch schedules, despite the evident danger of cold temperatures.

Solutions[edit]

After the disaster NASA announced the NASA Safety Reporting System (NSRS). The NSRS has since supported all flights and has been expanded to cover all NASA operations. In this system the NSRS contractor removes identifying information and forwards only a summary of concerns to the NASA Headquarters Office of Safety and Mission Assurance for immediate analysis and investigation. The NSRS is an anonymous, voluntary, and responsive reporting channel to notify NASA’s upper management of concerns about hazards. Reports are guaranteed to receive prompt attention. If there had been a NSRS system before this disaster, Roger Boisjoly would have been able to report the problems in the project anonymously; thereby avoiding the organizational barriers to his concerns. His position as a NASA contractor would not have mattered in the anonymous submission and thus his concerns would have been heard by upper management and not stifled by NASA level III managers.

References[edit]

  1. a b c d Hoover, Kurt; Fowler, Wallace. "Doomed from the Beginning:The Solid Rocket Boosters for the Space Shuttle". Texas Space Grant Consortium. http://www.tsgc.utexas.edu/archive/general/ethics/boosters.html. Retrieved May 1, 2014. 
  2. Online Ethics Center for Engineering. [www.onlineethics.org/Topics/ProfPractice/Exemplars/BehavingWell/RB-intro.aspx "Roger Boisjoly-The Challenger Disaster"]. National Academy of Engineering. www.onlineethics.org/Topics/ProfPractice/Exemplars/BehavingWell/RB-intro.aspx. Retrieved May 1, 2014. 
  3. a b c d e f g h i j k l m Rogers Commission (June 6, 1986). "Report of the Presidential Commission on the Space Shuttle Challenger Accident, Chapter VI: An Accident Rooted in History". http://history.nasa.gov/rogersrep/v1ch6.htm. 
  4. Rogers Commission (June 6, 1986). "Report of the Presidential Commission on the Space Shuttle Challenger Accident, Chapter IV: The cause of the accident". http://history.nasa.gov/rogersrep/v1ch4.htm. 
  5. a b Department of Philosophy; Department of Mechanical Engineering. "Engineering Ethics: The Space Shuttle Challenger Disaster". Texas A&M. http://ethics.tamu.edu/ethics/shuttle/shuttle1.htm. Retrieved May 1, 2014. 
  6. a b c d Vaughan, Diane (1997). The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA. University Of Chicago Press. ISBN 0226851761. 
  7. Vartabedian, Ralph (February 07, 2012). "Engineer tried to halt shuttle launch". Lost Angeles Times. http://articles.latimes.com/2012/feb/07/local/la-me-roger-boisjoly-20120207. Retrieved 4 May 2014. 
  8. Bos, Carole (October 1999). "Challenger Disaster - Warnings ignored". Awesome Stories. http://www.awesomestories.com/asset/view/Challenger-Disaster. Retrieved May 4, 2014. 
  9. Rogers Commission (June 6, 1986). "Report of the Presidential Commission on the Space Shuttle Challenger Accident, Chapter VIII: Pressures on the System". http://history.nasa.gov/rogersrep/v1ch8.htm. 
  10. Villeret, Bertrand; Vaughan, Diane (May 2008). "Interview : Diane Vaughan". Consultant. http://www.consultingnewsline.com/Info/Vie%20du%20Conseil/Le%20Consultant%20du%20mois/Diane%20Vaughan%20(English).html. Retrieved May 3, 2014.