The University of Texas at Austin and Texas Space Grant Consortium
Studies in Ethics, Safety, and Liability for Engineers
Kurt Hoover and Wallace T. Fowler
Space Shuttle Challenger
Mission 51-L Launch Decision
On January 28, 1986, the Space Shuttle Challenger was launched for the last time. The decision to launch the Challenger was not simple. Certainly no one dreamed that the Shuttle would explode less than two minutes after lift-off. Much has been said and written about the decision to launch. Was the decision to launch correct? How was the decision made? Could anyone have foreseen the subsequent explosion? Should the decision-making procedure have been modified? These questions are examined in this case study.
The Space Shuttle:
The Space Shuttle is the most complicated vehicle ever constructed. Its complexity dwarfs any previous project ever attempted, including the Apollo project. The Apollo project possessed a very specific goal, to send men to the moon. The Space Shuttle program has a wide variety of goals, some of which conflict. The attempt to satisfy conflicting goals is one of the chief roots of difficulty with the design of the Space Shuttle. Originally, the design was to be only a part of NASA's overall manned space transportation system, but because of politics and budget cuts, it was transformed from an integral component of a system to the sole component of the manned space program.
The Space Shuttle was the first attempt to produce a truly reusable spacecraft. All previous spacecraft were designed to fly only a single mission. In the late 1960's, NASA envisioned a vehicle which could be used repeatedly, thus reducing both the engineering cost and hardware costs. However, resulting vehicle was not as envisioned. It had severe design flaws, one of which caused the loss of the Challenger.
NASA Planning and Politics:
NASA's post-Apollo plans for the continued manned exploration of space rested on a three legged triad. The first leg was a reusable space transportation system, the Space Shuttle, which could transport men and cargo to low earth orbit (LEO) and then land back on Earth to prepare for another mission. The second leg was a manned orbiting space station which would be resupplied by the Shuttle and would serve as both a transfer point for activities further from Earth and as a scientific and manufacturing platform. The final leg was the exploration of Mars, which would start from the Space Station. Unfortunately the politics and inflation of the early 70's forced NASA to retreat from its ambitious program. Both the Space Station and the Journey to Mars were delayed indefinitely and the United States manned space program was left standing on one leg, the space shuttle. Even worse, the Shuttle was constantly under attack by a Democratic congress and poorly defended by a Republican president.
To retain Shuttle funding, NASA was forced to make a series of major concessions. First, facing a highly constrained budget, NASA sacrificed the research and development necessary to produce a truly reusable shuttle, and instead accepted a design which was only partially reusable, eliminating one of the features which made the shuttle attractive in the first place. Solid rocket boosters (SRBs) were used instead of safer liquid fueled boosters because they required a much smaller research and development effort. Numerous other design changes were made to reduce the level of research and development required.
Second, to increase its political clout and to guarantee a steady customer base, NASA enlisted the support of the United States Air Force. The Air Force could provide the considerable political clout of the Defense Department and had many satellites which required launching. However, Air Force support did not come without a price. The Shuttle payload bay was required to meet Air Force size and shape requirements which placed key constraints on the ultimate design. Even more important was the Air Force requirement that the Shuttle be able to launch from Vandenburg Air Force Base in California. This constraint required a larger cross range than the Florida site, which in turn decreased the total allowable vehicle weight. The weight reduction required the elimination of the design's air breathing engines, resulting in a single-pass unpowered landing. This greatly limited the safety and landing versatility of the vehicle.
Factors Affecting the Launch Decision
Pressures to Fly:
As the year 1986 began, there was extreme pressure on NASA to "Fly out the Manifest". From its inception the Space Shuttle program had been plagued by exaggerated expectations, funding inconsistencies, and political pressures. The ultimate design was shaped almost as much by politics as physics. President Kennedy's declaration that the United States would land a man on the the moon before the end of the decade had provided NASA's Apollo program with high visibility, a clear direction, and powerful political backing. The space shuttle program was not as fortunate; it had neither a clear direction nor consistent political backing.
System Status and Competition:
In spite of all its early difficulties, the Shuttle program looked quite good in 1985. A total of 19 flights had been launched and recovered, and although many had experienced minor problems, all but one of the flights could rightfully be categorized as successful. However, delays in the program as a whole had lead the Air Force to request funds to develop an expendable launch vehicle. Worse still, the French launch organization Arianespace, had developed an independent capability to place satellites into orbit at prices the Shuttle could not hope to match without greatly increased federal subsidization (which was not likely to occur as Congress was becoming increasingly dissatisfied with the program). The shuttle was soon going to have to begin showing that it could pay for itself. There was only one way this could be done--increase the number of flights.
For the shuttle program, 1986 was to be the year of truth. NASA had to prove that it could launch a large number of flights on time to continue to attract customers and retain Congressional support. Unfortunately, 1986 did not started out well for the shuttle program. Columbia, Flight 61-C, had experienced a record four on-pad aborts and had three other schedule slips. Finally, on mission 61-C, Columbia was forced to land at Edwards Air Force Base rather than at Kennedy Space Center as planned. The delays in Columbia's launch and touchdown threatened to upset the launch schedule for the rest of the year.
Not only did Columbia's landing at Edwards require it to be ferried back to the Cape, but several key shuttle parts had to be carried back by T-38 for use on the other vehicles. These parts included a temperature sensor for the propulsion system, the nose-wheel steering box, an air sensor for the crew cabin, and one of the five general purpose computers. At the time of the Challenger explosion, NASA supposedly had four complete shuttles. In reality there were only enough parts for two complete shuttles. Parts were passed around and reinstalled in the orbiters with the earliest launch dates. Each time a part was removed or inserted, the shuttles were exposed to a whole host of possible servicing-induced problems.
In addition to problems caused by the flight 61-C of Columbia, the next Columbia flight, 61-E, scheduled for March also put pressure on NASA to launch the Challenger on schedule. The March flight of Columbia was to carry the ASTRO spacecraft which had a very tight launch window because NASA wanted it to reach Halley's Comet before a Russian probe arrived at the comet. In order to launch Columbia 61-E on time, Challenger had to carry out its mission and return to Kennedy by January 31.
NASA had much to gain from a successful Flight 51-L. The "Teacher in Space" mission had generated much more press interest than other recent shuttle flights. Publicity was and continues to be extremely important to the agency. It is a very important tool which NASA uses to help ensure its funding. The recent success of the Space Shuttle program had left NASA in a Catch 22 type situation. Successful shuttle flights were no longer news because they were almost ordinary. However, launch aborts and delayed landings were more news worthy because they were much less common.
In addition to general publicity gained from flight 51-L, NASA undoubtedly was aware that a successful mission would play well in the White House. President Reagan shared NASA's love of publicity and was about to give a State of the Union speech. The value of an elementary teacher giving a lecture from orbit was obvious and was lost neither on NASA nor on President Reagan.
Sequence of Events
Monday, January 27:
On Monday NASA had attempted to place Challenger in orbit only to be stymied by a stripped bolt and high winds. All preliminary procedures had been completed and the crew had just boarded when the first problem struck. A microsensor on the hatch indicated that it was not shut securely; it turned out that the hatch was shut securely and the sensor was malfunctioning, but valuable time was used determining that the sensor was the problem.
After closing the hatch the external hatch handle could not be removed. The threads on the connecting bolt were stripped and instead of cleanly disengaging when turned the handle simply spun around. Attempts to use a portable drill to remove the handle failed. Technicians on the scene asked Mission Control for permission to saw the bolt off. Fearing some form of structural stress to the hatch, engineers made numerous time consuming calculations before giving the go-ahead to cut off the bolt. The entire process consumed almost two hours before the countdown was resumed.
Misfortunes continued. During the attempts to verify the integrity of the hatch and remove the handle, the wind had been steadily rising. Chief Astronaut John Young flew a series of approaches in the shuttle training aircraft and confirmed the worst fears of Mission Control. The crosswinds at the Cape were in excess of the level allowed for the abort contingency. The opportunity had been missed and the flight would have to wait until the next possible launch window, the following morning. Everyone was quite discouraged especially since extremely cold weather was forecast for Tuesday which could further postpone the launch.
Tuesday, January 28:
After the canceled launch on Monday morning there was a great deal of concern about the possible effects of weather. The predicted low for Tuesday morning was 23o F, far below the nominal operating temperature for many of the Challenger's subsystems. Undoubtedly, as the sun came up and the launch time approached both air temperature and vehicle would warm up, but there was still concern. Would the ambient temperature become high enough to meet launch requirements? NASA's Launch Commit Criteria stated that no launch should occur at temperatures below 31o F. There was also concern over any permanent effects on the shuttle due to the cold overnight temperatures.
All NASA centers and subcontractors involved with the Shuttle were asked to determine the possible effects of cold weather and present any concerns. In the meantime Kennedy Space Center went ahead with its freeze protection plan This included the use of anti-freeze in the huge acoustic damping ponds, and allowing warm water to bleed through pipes, showers, and hoses to prevent freezing.
The weather for Tuesday morning was to be clear and cold. Because the overnight low was forecast at 23o F, there was doubt that Challenger would be much above freezing at launch time. The Launch Commit Criteria included very specific temperature limits for most systems on the shuttle. A special wavier would be required to launch if any of these criteria were not met. Although these criteria were supposedly legally binding, Marshall Space Flight Center administrator Larry Mulloy had been routinely writing waivers to cover the problems with the SRBs on the recent shuttle flights.
Engineers at Morton-Thiokol, the SRB manufacturer in Utah, were very concerned about the possible effects of the cold weather. The problems with the SRBs had been long known to engineers Roger Boisjoly and Allan McDonald, but both felt that their concerns were being ignored. They felt that the request by NASA to provide comment on the launch conditions was a golden opportunity to present their concerns. They were sure that Challenger should not be launched in such conditions as those expected for Tuesday morning. Using weather data provided by the Air Force, they calculated that at the 9:00 am launch time the temperature of the O-rings would be only 29o F. Even by 2:00 pm, the O-rings would have warmed only to 38o F.
The design validation tests originally done by Thiokol covered only a very narrow temperature range. The temperature data base did not include any temperatures below 53o F. The O-rings from Flight 51-C which had been launched under cold conditions the previous year showed very significant erosion. This was the only data available on the effects of cold, but all the Thiokol engineers agreed that the cold weather would decrease the elasticity of the synthetic rubber O-rings, which in turn might cause them to seal slowly and allow hot combustion gas to surge through the joint.
Based on the these results, the engineers at Thiokol recommend to NASA Marshall that Challenger not be launched until the O-rings reached a temperature of 53o F. The management of Marshall was flabbergasted, and demanded that Thiokol prove that launching was unsafe. This was a complete reversal of normal procedure. Normally, NASA required its subcontractors to prove that something was safe. Now they were requiring their subcontractors to prove that something was unsafe. Faced with this extreme pressure, Thiokol management asked its engineers to reconsider their position. When the engineers stuck to their original recommendations not to fly, Thiokol management overruled them and gave NASA its approval to launch.
Rockwell, the company which manufactured the Orbiter also had concerns about launching in cold and icy conditions. Their major concern was the possibility of ice from either the shuttle or the launch structure striking and damaging the vehicle. Like Thiokol, they recommended against the launch, and they too were pressed to explain their reasoning. Instead of sticking with their original strong recommendation against launch, the Rockwell team carefully worded their statement to say that they could not fully guarantee the safety of the shuttle.
In its desire to fly out its manifest, NASA was willing to accept this as a recommendation. The final decision to launch, however, belonged to Jesse Moore. He was informed of Rockwell's concerns, but was also told that they had approved the launch. The engineers and management from NASA Marshall chose not to even mention the original concerns of Thiokol. Somehow, as the warnings and concerns were communicated up each step of the latter of responsibility they became diminished.
Late Monday night the decision to push onward with the launch was made. Despite the very real concerns of some of the engineers familiar with the actual vehicle subsystems, the launch was approved. No one at NASA wanted to be responsible for further delaying an already delayed launch. Everyone was aware of the pressure on the agency to fly out the manifest, yet no one would have consciously risked the lives of the seven astronauts. Somehow, the potential rewards had come to outweigh the potential risks. Clearly, there were many reasons for launching Challenger on that cold Tuesday morning; in addition a great deal of frustration from the previous launch attempt remained.
Although the decision to launch on Tuesday had been made late on Monday night, it was still possible that something might force NASA to postpone the launch. However, the decision to launch had been made, and nothing was going to stand in the way; the "press on" mentality was firmly established and even if all of Florida froze over, Challenger would launch.
The prelaunch inspection of Challenger and the launch pad by the ice-team was unusual to say the least. The ice-team's responsibility was to removing any frost or ice on the vehicle or launch structure. What they found during their inspection looked like something out of a science fiction movie. The freeze protection plan implemented by Kennedy personnel had gone very wrong. Hundreds of icicles, some up to 16 inches long, clung the to launch structure. The handrails and walkways near the shuttle entrance were covered in ice, making them extremely dangerous if the crew had to make an emergency evacuation. One solid sheet of ice stretched from the 195 foot level to the 235 foot level on the gantry. However, NASA continued to cling to its calculations that there would be no damage due to flying ice shaken lose during the launch.
As the SRBs ignited, the cold conditions did not allow the O-rings to properly seat. Within the first 300 milliseconds of ignition, both the primary and secondary O-rings on the lowest section of the right SRB were vaporized across 70o of arc by the hot combustion gases. Puffs of smoke with the same frequency as the vibrating booster are clearly present in pictures of the launch. However, soon after clearing the tower, a temporary seal of glassy aluminum-oxides from the propellent formed in place of the burned O-rings and Challenger continued skyward.
Unfortunately, at the time of greatest dynamic pressure, the shuttle encountered wind shear. As the Challenger's guidance control lurched the Shuttle to compensate for the wind shear, the fragile aluminum-oxide seal shattered. Flame arched out of the joint, struck the external tank and quickly burned through the insulation and the the aluminum structure. Liquid Hydrogen fuel streamed out and was ignited. The Challenger exploded.
When the remains of the cabin were recovered, it became apparent that most of the crew survived the explosion and separation of the Shuttle from the rest of the vehicle. During the 2 minute 45 second fall to the ocean at least four of the personal egress packs were activated and at least three were functioning when the Challenger stuck water. The high speed impact with the water produced a force of 200g and undoubtedly killed all the crew.
Since the crash of Challenger, NASA and external investigators have taken a look at both the shuttle and the sequence of events which allowed it to be launched. The SRBs have gone through significant redesign and now include a capture feature on the field joint. The three Marshall administrators most responsible for allowing the SRB problems to go uncorrected have all left NASA. Following the recommendations of the Rogers commission, NASA has attempted to streamline and clean-up its communication lines. A system for reporting suspected problems anonymously now exists within NASA. In addition, the astronauts themselves are now much more active in many decision making aspects of the program. The current NASA Administrator, Admiral Richard Truly, is a former shuttle astronaut.
Safety and Ethics Issues
There are many questions involving safety and/or ethics which are raised when we examine the decision to launch the Challenger. Obviously, the situation was unsafe. The ethics questions are more complex. If high standards of ethical conduct are to be maintained, then each person must differentiate between right and wrong, and must follow the course which is determined to be the right or ethical course. Frequently, the determination of right or wrong is not simple, and good arguments can be made on both sides of the question. Some of the issues raised by the Challenger launch decision are listed below.
- Are solid rocket boosters inherently too dangerous to use on manned spacecraft? If so, why are they a part of the design?
- Was safety traded for political acceptability in the design of the Space Shuttle?
- Did the pressure to succeed cause too many things to be promised to too many people during the design of the Space Shuttle?
- Did the need to maintain the launch schedule force decision makers to compromise safety in the launch decision?
- Were responsibilities being ignored in the writing of routine launch waivers for Space Shuttle?
- Were managers at Rockwell and Morton Thiokol wise (or justified) in ignoring the recommendations of their engineers?
- Did the engineers at Rockwell and Morton Thiokol do all that they could to convince their own management and NASA of the dangers of launch?
- When NASA pressed its contractors to launch, did it violate its responsibility to ensure crew safety?
- When NASA discounted the effects of the weather, did it violate its responsibility to ensure crew safety?
- ³Actions to Implement the Recommendations of the Presidential Commission of the Space Shuttle Challenger Accident.² National Aeronautics and Space Administration. Washington, D.C. July 14, 1986.
- Challenger: A Major Malfunction. Malcolm McConnell. Doubleday & Company, Inc. Garden City, NY. 1987
- Prescription for Disaster. Joseph J. Trento. Crown Publishers Inc. New York, NY. 1987
- ³Report of the Presidential Commission of the Space Shuttle Challenger Accident.² The Presidential Commission of The Space Shuttle Challenger Accident. Washington, D.C. June 6, 1986.
Challenger Launch Decision Assignments
The problem faced by NASA managers on January 28, 1986, is simply stated - Given the existing weather conditions, the recommendations of the various engineering and operational groups, and the political pressures, should Challenger be launched?
Many conflicting factors were considered in reaching the decision to launch. Those responsible for high risk programs such as Challenger must attempt to identify and evaluate the risks. Specific questions which needed to be answered were: (1) What level of risk was acceptable for launch?, and (2) Did the current conditions meet this standard?
Even properly identifying and evaluating all risks is not sufficient, because the potential benefits of taking each risk must be considered. Greater risks can sometimes be justified given the possibility of greater rewards. In the case of the Challenger, the people with the ultimate authority to launch came to the conclusion that the potential rewards justified what they believed to be relatively minor risks. The belief that the risks were minor, however, was not shared by many of the engineers further down the chain of responsibility.
Read the General Information provided on the Space Shuttle Challenger launch decision. Consider each of the following questions carefully in light of that information and write a complete and grammatically correct paragraph answering each.
- Why did NASA decide to launch Challenger?
- How safe is safe enough? How does one determine what is an acceptable risk?
- Is is possible to develop a methodology for quantifying risks, or must each particular situation be addressed individually?
- Were NASA administrators justified in writing Launch Commit Criteria Waivers for Challenger and previous shuttle flights?
- At the time of the Challenger accident there was a general feeling among both NASA and the public that the space shuttle was no longer an experimental vehicle, but was now a fully operational vehicle, in the same sense as a commercial airliner. Was this a correct perception and why was it common?
- Should someone have stopped the Challenger launch? If so how could an individual have accomplished this?
- If you were on a jury attempting to place liability, whom would you say was responsible for the deaths of the astronauts? Are several individuals or groups liable?
- How might the Morton-Thiokol engineers have convinced NASA and their own management to postpone the launch?
- How might an engineer deal with pressure from above to follow a course of action he knows to be wrong?
- How could the chains of communication and responsibility for the shuttle program have been made to function better?
Choose one of the following statements, research the topic, and write a two page paper in which you explore the impact of the topic on the Challenger explosion.
- Following Apollo the manned space program suffered from lack of funding and direction.
- The design for the space shuttle is a series of compromises driven by poorly timed allocations of funds from congress.
- To minimize R & D costs, only part of the shuttle system was made reusable and solid boosters were used instead of the safer liquid boosters.
- NASA was under intense pressure at the time of the Challenger accident to prove that the shuttle was a viable launch vehicle.
- A significant delay in launching Challenger would have upset the launch schedule for the rest of the year.
- Flight 51-L (Challenger) was scrubbed the previous day leaving all involved frustrated and determined to launch as soon as possible.
- No test data on any of the shuttle components existed for the low overnight or launch temperatures.
- Problems with the seals on the SRBs had been known for several flights and waivers had been written for each flight.
- Concerns about the O-rings were never revealed to the NASA administrators who had the final launch authority.
- Morton-Thiokol initially recommended against launch, but when pressured by NASA reversed its decision.
- The anti-freeze plan left large sheets of ice and icicles all over the launch structure. An analysis done at Houston showed no danger at lift-off due to falling ice.
- Rockwell could not guarantee the shuttle¹s safety, but did not veto the launch. Their ice analysis showed some possibility of danger.
- The ice team recommended against launching, but was overruled by Mission Control.
Divide the class into small groups, no more than three to a group. Each group is to choose one of the four roles outlined below and develop a statements outlining the position represented by those in your role on January 28, 1986. Develop two statements: (1) what you think was the position of those in your role, and (2) the position that those in your role should have taken.
- NASA Management: You want to launch the Challenger as soon as possible. The delays are not only embarrassing, but threaten your funding and customer base. Challenger must launch on Tuesday to preserve the schedule. An analysis done by your engineers at Houston shows that the ice on the pad should not strike the Challenger when it lifts-off.
- Thiokol Engineers: You believe it is not safe to launch, but have no hard data to back this up. Limited data from a previous cold weather flight indicates that temperature is important. Basic physics tells you that the O-rings will lose elasticity with decreasing temperature. You feel that both NASA and your own management are trying to solve the problem with a bureaucratic solution, when an engineering solution is called for.
- Thiokol Management: You must listen to your engineers, but at the same time you must please your primary customer. There is talk in Congress of awarding a second source contract. The last thing you want to do is admit that your product is defective. NASA is pressuring you to launch. If would be very damaging for your company if a delay is blamed on your SRBs.
- Rockwell Management: You are concerned about the amount of ice on the pad. Analysis by your engineers does not entirely agree with that done at Houston. Like Thiokol you must satisfy your customer. You would prefer not to launch, but are not sure that your reason to delay is good enough. Your objective is to try to convince NASA to delay without them pointing a finger at you as the cause.
Working in three person groups, develop a realistic procedure for making launch decisions which would have avoided the Challenger accident. Remember that the procedure must create a concensus among individuals and organizations with different objectives, backgrounds, and priorities. Part of your work will require that you develop a methodology to determine potential risks and benefits for launching the shuttle in less than ideal conditions. Remember that in the real world, personalities are often the dominant factor in a decision.
Working in three person groups, consider the problems of Allan McDonald and Roger Boisjoly. Develop a strategy to convince Thiokol management and NASA management that your safety concerns were valid. Consider the points of view of all of those who are pressing to launch. Remember that management often tends to view engineers as extremely competent in a specific area, but lacking a good understanding of the big picture.