
On January 28, 1986, the space shuttle Challenger lifted off the launch pad at 11:38 A.M., beginning the flight of mission 51-L.1 Approximately seventy-four seconds into the flight, the Challenger was engulfed in an explosive burn and all communication and telemetry ceased. Seven brave crewmembers lost their lives. On board the Challenger were Francis R. (Dick) Scobee (commander), Michael John Smith (pilot), Ellison S. Onizuka (mission specialist one), Judith Arlene Resnik (mission specialist two), Ronald Erwin McNair (mission specialist three), S. Christa McAuliffe (payload specialist one), and Gregory Bruce Jarvis (payload specialist two). A faulty seal, or O-ring, on one of the two solid rocket boosters caused the accident.


Following the accident, significant energy was expended trying to ascertain whether the accident had been predictable. Controversy arose from the desire to assign, or to avoid, blame. Some publications called it a management failure, specifically in risk management, while others called it a technical failure.

Whenever accidents had occurred in the past at the National Aeronautics and Space Administration (NASA), an internal investigation team had been formed.

1 The first digit indicates the fiscal year of the launch (i.e., “5” means 1985). The second number indicates the launch site (i.e., “1” is the Kennedy Space Center in Florida, “2” is Vandenberg Air Force Base in California). The letter represents the mission number (i.e., “C” would be the third mission scheduled). This designation system was implemented after Space Shuttle flights one through nine, which were designated STS-X. STS is the Space Transportation System and X would indicate the flight number.

THE SPACE SHUTTLE CHALLENGER DISASTER

But in this case, perhaps because of the visibility, the White House took the initiative in appointing an independent commission. There did exist significant justification for the commission. NASA was in a state of disarray, especially in the management ranks. The agency had been without a permanent administrator for almost four months. The turnover rate at the upper echelons of management was significantly high, and there seemed to be a lack of direction from the top down.

Another reason for appointing a Presidential Commission was the visibility of this mission. This mission had been known as the Teacher in Space mission, and Christa McAuliffe, a Concord, New Hampshire, schoolteacher, had been selected from a list of over 10,000 applicants. The nation knew the names of all of the crewmembers on board Challenger. The mission had been highly publicized for months, stating that Christa McAuliffe would be teaching students from aboard the Challenger on day four of the mission.

The Presidential Commission consisted of the following members:

William P. Rogers, chairman: Former secretary of state under President Nixon and attorney general under President Eisenhower.

Neil A. Armstrong, vice chairman: Former astronaut and spacecraft commander for Apollo 11.

David C. Acheson: Former senior vice president and general counsel, Communications Satellite Corporation (1967-1974), and a partner in the law firm of Drinker Biddle & Reath.

Dr. Eugene E. Covert: Professor and head, Department of Aeronautics and Astronautics at Massachusetts Institute of Technology.

Dr. Richard P. Feynman: Physicist and professor of theoretical physics at California Institute of Technology; Nobel Prize winner in Physics, 1965.

Robert B. Hotz: Editor-in-chief of Aviation Week & Space Technology magazine (1953-1980).

Major General Donald J. Kutyna, USAF: Director of Space Systems and Command, Control, Communications.

Dr. Sally K. Ride: Astronaut and mission specialist on STS-7, launched on June 18, 1983, making her the first American woman in space. She also flew on mission 41-G, launched October 5, 1984. She holds a Doctorate in Physics from Stanford University (1978) and was still an active astronaut.

Robert W. Rummel: Vice president of Trans World Airlines and president of Robert W. Rummel Associates, Inc., of Mesa, Arizona.

Joseph F. Sutter: Executive vice president of the Boeing Commercial Airplane Company.

Dr. Arthur B. C. Walker, Jr.: Astronomer and professor of Applied Physics; formerly associate dean of the Graduate Division at Stanford University, and consultant to Aerospace Corporation, Rand Corporation, and the National Science Foundation.

Dr. Albert D. Wheelon: Executive vice president, Hughes Aircraft Company.

Brigadier General Charles Yeager, USAF (retired): Former experimental test pilot. He was the first person to break the sound barrier and the first to fly at a speed of more than 1,600 miles an hour.

Dr. Alton G. Keel, Jr., Executive Director: Detailed to the Commission from his position in the Executive Office of the President, Office of Management and Budget, as associate director for National Security and International Affairs; formerly assistant secretary of the Air Force for Research, Development and Logistics, and Senate Staff.

The Commission interviewed more than 160 individuals, and more than thirty-five formal panel investigative sessions were held generating almost 12,000 pages of transcript. Almost 6,300 documents totaling more than 122,000 pages, along with hundreds of photographs, were examined and made a part of the Commission’s permanent database and archives. These sessions and all the data gathered added to the 2,800 pages of hearing transcript generated by the Commission in both closed and open sessions. Unless otherwise stated, all of the quotations and memos in this case study come from the direct testimony cited in the Report by the Presidential Commission (RPC).

BACKGROUND TO THE SPACE TRANSPORTATION SYSTEM

During the early 1960s, NASA’s strategic plans for post-Apollo manned space exploration rested upon a three-legged stool. The first leg was a reusable space transportation system, the space shuttle, which could transport people and equipment to low earth orbits and then return to earth in preparation for the next mission. The second leg was a manned space station that would be resupplied by the space shuttle and serve as a launch platform for space research and planetary exploration. The third leg would be planetary exploration to Mars. But by the late 1960s, the United States was involved in the Vietnam War, which was becoming costly. In addition, confidence in the government was eroding because of civil unrest and assassinations. With limited funding due to budgetary cuts, and with the lunar landing missions coming to an end, prioritization of projects was necessary. With a Democratic Congress continuously attacking the cost of space exploration, and minimal support from President Nixon, the space program was left standing on one leg only, the space shuttle.


President Nixon made it clear that funding all the programs NASA envisioned would be impossible, and that funding for even one program on the order of the Apollo Program was likewise not possible. President Nixon seemed to favor the space station concept, but this required the development of a reusable space shuttle. Thus NASA’s Space Shuttle Program became the near-term priority.

One of the reasons for the high priority given to the Space Shuttle Program was a 1972 study completed by Dr. Oskar Morgenstern and Dr. Klaus Heiss of the Princeton-based Mathematica organization. The study showed that the space shuttle would be able to orbit payloads for as little as $100 per pound based on sixty launches per year with payloads of 65,000 pounds. This provided tremendous promise for military applications such as reconnaissance and weather satellites, as well as for scientific research.

Unfortunately, the pricing data were somewhat tainted. Much of the cost data were provided by companies who hoped to become NASA contractors and who therefore provided unrealistically low cost estimates in hopes of winning future bids. The actual cost per pound would prove to be more than twenty times the original estimate. Furthermore, the main engines never achieved the 109 percent of thrust that NASA desired, thus limiting the payloads to 47,000 pounds instead of the predicted 65,000 pounds. In addition, the European Space Agency began successfully developing the capability to place satellites into orbit and began competing with NASA for the commercial satellite business.

NASA SUCCUMBS TO POLITICS AND PRESSURE

To retain shuttle funding, NASA was forced to make a series of major concessions. First, facing a highly constrained budget, NASA sacrificed the research and development necessary to produce a truly reusable shuttle, and instead accepted a design that was only partially reusable, eliminating one of the features that had made the shuttle attractive in the first place. Solid rocket boosters (SRBs) were used instead of safer liquid-fueled boosters because they required a much smaller research and development effort. Numerous other design changes were made to reduce the level of research and development required.

Second, to increase its political clout and to guarantee a steady customer base, NASA enlisted the support of the United States Air Force. The Air Force could provide the considerable political clout of the Department of Defense and it used many satellites, which required launching. However, Air Force support did not come without a price. The shuttle payload bay was required to meet Air Force size and shape requirements, which placed key constraints on the ultimate design. Even more important was the Air Force requirement that the shuttle be able to launch from Vandenberg Air Force Base in California. This constraint required a larger cross range than the Florida site, which, in turn, decreased the total allowable vehicle weight. The weight reduction required the elimination of the design’s air breathing engines, resulting in a single-pass unpowered landing. This greatly limited the safety and landing versatility of the vehicle.2

As the year 1986 began, there was extreme pressure on NASA to “Fly out the Manifest.” From its inception, the Space Shuttle Program had been plagued by exaggerated expectations, funding inconsistencies, and political pressure. The ultimate vehicle and mission design were shaped almost as much by politics as by physics. President Kennedy’s declaration that the United States would land a man on the moon before the end of the decade (the 1960s) had provided NASA’s Apollo Program with high visibility, a clear direction, and powerful political backing. The Space Shuttle Program was not as fortunate; it had neither a clear direction nor consistent political backing.

Cost containment became a critical issue for NASA. In order to minimize cost, NASA designed a space shuttle system that utilized both liquid and solid propellants. Liquid propellant engines are more easily controllable than solid propellant engines. Flow of liquid propellant from the storage tanks to the engine can be throttled and even shut down in case of an emergency. Unfortunately, an all-liquid-fuel design was prohibitive because a liquid fuel system is significantly more expensive to maintain than a solid fuel system.

Solid fuel systems are less costly to maintain. However, once a solid propellant system is ignited, it cannot be easily throttled or shut down. Solid propellant rocket motors burn until all of the propellant is consumed. This could have a significant impact on safety, especially during launch, at which time the solid rocket boosters are ignited and have maximum propellant loads. Also, solid rocket boosters can be designed for reusability, whereas liquid engines are generally used only once.

The final design that NASA selected was a compromise of both solid and liquid fuel engines. The space shuttle would be a three-element system composed of the orbiter vehicle, an expendable external liquid fuel tank carrying liquid fuel for the orbiter’s engines, and two recoverable solid rocket boosters.3 The orbiter’s engines were liquid fuel because of the necessity for throttle capability. The two solid rocket boosters would provide the added thrust necessary to launch the space shuttle into its orbiting altitude.

In 1972, NASA selected Rockwell as the prime contractor for building the orbiter. Many industry leaders believed that other competitors who had actively participated in the Apollo Program had a competitive advantage. Rockwell, however, was awarded the contract. Rockwell’s proposal did not include an escape system. NASA officials decided against the launch escape system since it would have added too much weight to the shuttle at launch and was very expensive. There was also some concern on how effective an escape system would be if an accident occurred during launch while all of the engines were ignited. Thus, the Space Shuttle Program became the first U.S. manned spacecraft without a launch escape system for the crew.

2 Kurt Hoover and Wallace T. Fowler (The University of Texas at Austin and The Texas Space Grant Consortium), “Studies in Ethics, Safety and Liability for Engineers” (Web site: http://www.tsgc.utexas.edu/archive/general/ethics/shuttle.html page 2).

3 The terms solid rocket booster (SRB) and solid rocket motor (SRM) will be used interchangeably.

In 1973, NASA went out for competitive bidding for the solid rocket boosters. The competitors were Morton-Thiokol, Inc. (MTI) (henceforth called Thiokol), Aerojet General, Lockheed, and United Technologies. The contract was eventually awarded to Thiokol because of its low cost, $100 million lower than the nearest competitor. Some believed that other competitors, who ranked higher in technical design and safety, should have been given the contract. NASA believed that Thiokol-built solid rocket motors would provide the lowest cost per flight.

THE SOLID ROCKET BOOSTERS

Thiokol’s solid rocket boosters had a height of approximately 150 feet and a diameter of 12 feet. The empty weight of each booster was 192,000 pounds and the full weight was 1,300,000 pounds. Once ignited, each booster provided 2.65 million pounds of thrust, which is more than 70 percent of the thrust needed to lift off the launch pad.

Thiokol’s design for the boosters was criticized by some of the competitors, and even by some NASA personnel. The boosters were to be manufactured in four segments and then shipped from Utah to the launch site, where the segments would be assembled into a single unit. The Thiokol design was largely based upon the segmented design of the Titan III solid rocket motor produced by United Technologies in the 1950s for Air Force satellite programs. Satellite programs were unmanned efforts.

The four solid rocket sections made up the case of the booster, which essentially encased the rocket fuel and directed the flow of the exhaust gases. This is shown in Exhibit I. The cylindrical shell of the case is protected from the propellant by a layer of insulation. The mating sections of the field joint are called the tang and the clevis. One hundred and seventy-seven pins spaced around the circumference of each joint hold the tang and the clevis together. The joint is sealed in three ways. First, zinc chromate putty is placed in the gap between the mating segments and their insulation. This putty protects the second and third seals, which are rubber-like rings, called O-rings. The first O-ring is called the primary O-ring and is lodged in the gap between the tang and the clevis. The last seal is called the secondary O-ring, which is identical to the primary O-ring except it is positioned further downstream in the gap. Each O-ring is 0.280 inches in diameter. The placement of each O-ring can be seen in Exhibit II. Another component of the field joint is called the leak check port, which is shown in Exhibit III. The leak check port is designed to allow technicians to check the status of the two O-ring seals. Pressurized air is inserted through the leak check port into the gap between the two O-rings. If the O-rings maintain the pressure, and do not let the pressurized air past the seal, the technicians know the seal is operating properly.4

Exhibit I. Solid rocket booster (SRB) [Figure not reproduced; labels include Forward Assembly, Factory Joint, Solid Propellant, Forward Segment.]

Exhibit II. Location of the O-rings [Figure not reproduced; labels include Secondary O-Ring, Upper Segment of Rocket Motor Casing.]

In the Titan III assembly process, the joints between the segmented sections contained one O-ring. Thiokol’s design had two O-rings instead of one. The second O-ring was initially considered as redundant, but included to improve safety. The purpose of the O-rings was to seal the space in the joints such that the hot exhaust gases could not escape and damage the case of the boosters.

Both the Titan III and Shuttle O-rings were made of Viton rubber, which is an elastomeric material. For comparison, rubber is also an elastomer. The elastomeric material used is a fluoroelastomer, which is an elastomer that contains fluorine. This material was chosen because of its resistance to high temperatures and its compatibility with the surrounding materials. The Titan III O-rings were molded in one piece, whereas the shuttle’s SRB O-rings would be manufactured in five sections and then glued together. Routinely, repairs would be necessary for inclusions and voids in the rubber received from the material suppliers.

Exhibit III. Cross section showing the leak test port [Figure not reproduced; labels include Tang, Gap, Leak Test Port, Grease Bead, Clevis, Propellant, Zinc Chromate Putty, Insulation.]

4 “The Challenger Accident: Mechanical Causes of the Challenger Accident”; University of Texas (web site: http://www.me.utexas.edu/~uer/challenger/cha2.htm pages 1-2).

BLOWHOLES

The primary purpose of the zinc chromate putty was to act as a thermal barrier that protected the O-rings from the hot exhaust. As mentioned before, the O-ring seals were tested using the leak check port to pressurize the gap between the seals. During the test, the secondary seal was pushed down into the same, seated position as it occupied during ignition pressurization. However, because the leak check port was between the two O-ring seals, the primary O-ring was pushed up and seated against the putty. The position of the O-rings during flight and their position during the leak check test is shown in Exhibit III.

During early flights, engineers worried that, because the putty above the primary seal could withstand high pressures, the presence of the putty would prevent the leak test from identifying problems with the primary seal. They contended that the putty would seal the gap during testing regardless of the condition of the primary seal. Since the proper operation of the primary seal was essential, engineers decided to increase the pressure used during the test to above the pressure that the putty could withstand. This would ensure that the primary O-ring was properly sealing the gap without the aid of the putty. Unfortunately, during this new procedure, the high-test pressures blew holes through the putty before the primary O-ring could seal the gap.

Since the putty was on the interior of the assembled solid rocket booster, technicians could not mend the blowholes in the putty. As a result, this procedure left small, tunneled holes in the putty. These holes would allow focused exhaust gases to contact a small segment of the primary O-ring during launch. Engineers realized that this was a problem, but decided to test the seals at the high pressure despite the formation of blowholes, rather than risking a launch with a faulty primary seal.

The purpose of the putty was to prevent the hot exhaust gases from reaching the O-rings. For the first nine successful shuttle launches, NASA and Thiokol used asbestos-bearing putty manufactured by the Fuller-O’Brien Company of San Francisco. However, because of the notoriety of products containing asbestos, and the fear of potential lawsuits, Fuller-O’Brien stopped manufacturing the putty that had served the shuttle so well. This created a problem for NASA and Thiokol.

The new putty selected came from Randolph Products of Carlstadt, New Jersey. Unfortunately, with the new putty, blowholes and O-ring erosion were becoming more common to a point where the shuttle engineers became worried. Yet the new putty was still used on the boosters. Following the Challenger disaster, testing showed that, at low temperatures, the Randolph putty became much stiffer than the Fuller-O’Brien putty and lost much of its stickiness.5

O-RING EROSION

If the hot exhaust gases penetrated the putty and contacted the primary O-ring, the extreme temperatures would break down the O-ring material. Because engineers were aware of the possibility of O-ring erosion, the joints were checked after each flight for evidence of erosion. The amount of O-ring erosion found on flights before the new high-pressure leak check procedure was around 12 percent. After the new high-pressure leak test procedure, the percentage of O-ring erosion was found to increase by 88 percent. High percentages of O-ring erosion in some cases allowed the exhaust gases to pass the primary O-ring and begin eroding the secondary O-ring. Some managers argued that some O-ring erosion was “acceptable” because the O-rings were found to seal the gap even if they were eroded by as much as one-third their original diameter.6 The engineers believed that the design and operation of the joints were an acceptable risk because a safety margin could be identified quantitatively. This numerical boundary would become an important precedent for future risk assessment.

JOINT ROTATION

During ignition, the internal pressure from the burning fuel applies approximately 1000 pounds per square inch on the case wall, causing the walls to expand. Because the joints are generally stiffer than the case walls, each section tends to bulge out. The swelling of the solid rocket sections causes the tang and the clevis to become misaligned; this misalignment is called joint rotation. A diagram showing a field joint before and after joint rotation is seen in Exhibit IV. The problem with joint rotation is that it increases the gap size near the O-rings. This increase in size is extremely fast, which makes it difficult for the O-rings to follow the increasing gap and keep the seal.7

Prior to ignition, the gap between the tang and the clevis is approximately 0.004 inches. At ignition, the gap will enlarge to between 0.042 and 0.060 inches, but for a maximum of 0.60 second, and then return to its original position.

O-RING RESILIENCE

The term O-ring resilience refers to the ability of the O-ring to return to its original shape after it has been deformed. This property is analogous to the ability of a rubber band to return to its original shape after it has been stretched. As with a rubber band, the resiliency of an O-ring is directly related to its temperature. As the temperature of the O-ring gets lower, the O-ring material becomes stiffer. Tests have shown that an O-ring at 75°F is five times more responsive in returning to its original shape than an O-ring at 30°F. This decrease in O-ring resiliency during a cold weather launch would make the O-ring much less likely to follow the increasing gap size during joint rotation. As a result of poor O-ring resiliency, the O-ring would not seal properly.8

Exhibit IV. Field joint rotation [Figure not reproduced; panels: “The Joint Rotation Effect, Somewhat Exaggerated, due to Ignition Pressure of 1000 psig” and “No Joint Rotation and Internal Pressure of 0 psig”; labels include Primary O-Ring, Secondary O-Ring.]

THE EXTERNAL TANK

The solid rockets are each joined forward and aft to the external liquid fuel tank. They are not connected to the orbiter vehicle. The solid rocket motors are mounted first, and the external liquid fuel tank is put between them and connected. Then the orbiter is mounted to the external tank at two places in the back and one place forward, and those connections carry all of the structural loads for the entire system at liftoff and through the ascent phase of flight. Also connected to the orbiter, under the orbiter’s wing, are two large propellant lines 17 inches in diameter. The one on the port side carries liquid hydrogen from the hydrogen tank in the back part of the external tank. The line on the right side carries liquid oxygen from the oxygen tank at the forward end, inside the external tank.9

8 Ibid., pp. 4-5.

The external tank contains about 1.6 million pounds of propellant, or about 526,000 gallons. The orbiter’s three engines burn the liquid hydrogen and liquid oxygen at a ratio of 6:1 and at a rate equivalent to emptying out a family swimming pool every 10 seconds! Once ignited, the exhaust gases leave the orbiter’s three engines at approximately 6,000 miles per hour. After the fuel is consumed, the external tank separates from the orbiter, falls to earth, and disintegrates in the atmosphere on reentry.

THE SPARE PARTS PROBLEM

In March 1985, NASA’s administrator, James Beggs, announced that there would be one shuttle flight per month for all of fiscal year 1985. In actuality, there were only six flights. Repairs became a problem. Continuous repairs were needed on the heat tiles required for reentry, the braking system, and the main engines’ hydraulic pumps. Parts were routinely borrowed from other shuttles. The cost of spare parts was excessively high, and NASA was looking for cost containment.

RISK IDENTIFICATION PROCEDURES

The necessity for risk management was apparent right from the start. Prior to the launch of the first shuttle in April of 1981, hazards were analyzed and subjected to a formalized hazard reduction process as described in NASA Handbook, NHB5300.4. The process required that the credibility and probability of the hazards be determined. A Senior Safety Review Board was established for overseeing the risk assessment process. For the most part, the risk assessment process was qualitative. The conclusion reached was that no single hazard or combination of hazards should prevent the launch of the first shuttle as long as the aggregate risk remained acceptable.

NASA used a rather simplistic Safety (Risk) Classification System. A quantitative method for risk assessment was not in place at NASA because gathering the data needed to generate statistical models would be expensive and labor-intensive. If the risk identification procedures were overly complex, NASA would have been buried in paperwork due to the number of components on the space shuttle. The risk classification system selected by NASA is shown in Exhibit V.

Exhibit V. Risk classification system

Level: Description

Criticality 1 (C1): Loss of life and/or vehicle if the component fails.

Criticality 2 (C2): Loss of mission if the component fails.

Criticality 3 (C3): All others.

Criticality 1R (C1R): Redundant components exist. The failure of both could cause loss of life and/or vehicle.

Criticality 2R (C2R): Redundant components exist. The failure of both could cause loss of mission.

9 RPC, page 50.

From 1982 on, the O-ring seal was labeled Criticality 1. By 1985, there were 700 components identified as Criticality 1.

TELECONFERENCING

The Space Shuttle Program involves a vast number of people at both NASA and the contractors. Because of the geographical separation between NASA and the contractors, it became impractical to have continuous meetings. Travel between Thiokol in Utah and the Cape in Florida took one day each way. Therefore, teleconferencing became the primary method of communication and a way of life. Interface meetings were still held, but the emphasis was on teleconferencing. All locations could be linked together in one teleconference and data could be faxed back and forth as needed.

PAPERWORK CONSTRAINTS

With the rather optimistic flight schedule provided to the news media, NASA was under scrutiny and pressure to deliver. For fiscal 1986, the mission manifest called for sixteen flights. The pressure to meet schedule was about to take its toll. Safety problems had to be resolved quickly.

As the number of flights scheduled began to increase, so did the requirements for additional paperwork. The majority of the paperwork had to be completed prior to NASA’s Flight Readiness Review (FRR) meetings. Approximately one week prior to every flight, flight operations and cargo managers were required to endorse the commitment of flight readiness to the NASA associate administrator for space flight at the FRR meeting. The responsible project/element managers would conduct pre-FRR meetings with their contractors, center managers, and the NASA Level II manager. The content of the FRR meetings included the following:

Determine overall status, as well as establish the baseline in terms of significant changes since the last mission.

Review significant problems resolved since the last review, and significant anomalies from the previous flight.

Review all open items and constraints remaining to be resolved before the mission.

Present all new waivers since the last flight.

NASA personnel were working excessive overtime, including weekends, to fulfill the paperwork requirements and prepare for the required meetings. As the number of space flights increased, so did the paperwork and overtime.

The paperwork constraints were affecting the contractors as well. Additional paperwork requirements existed for problem solving and investigations. On October 1, 1985, an interoffice memo was sent from Scott Stein, space booster project engineer at Thiokol, to Bob Lund, vice president for engineering at Thiokol, and to other selected managers concerning the O-Ring Investigation Task Force:

We are currently being hog-tied by paperwork every time we try to accomplish anything. I understand that for production programs, the paperwork is necessary. However, for a priority, short schedule investigation, it makes accomplishment of our goals in a timely manner extremely difficult, if not impossible. We need the authority to bypass some of the paperwork jungle. As a representative example of problems and time that could easily be eliminated, consider assembly or disassembly of test hardware by manufacturing personnel. . . . I know the established paperwork procedures can be violated if someone with enough authority dictates it. We did that with the DR system when the FWC hardware “Tiger Team” was established. If changes are not made to allow us to accomplish work in a reasonable amount of time, then the O-ring investigation task force will never have the potency necessary to resolve problems in a timely manner.

Both NASA and the contractors were now feeling the pressure caused by the paperwork constraints.


ISSUING WAIVERS

One quick way of reducing paperwork and meetings was to issue a waiver. Historically, a waiver was a formalized process that allowed an exception to either a rule, a specification, a technical criterion, or a risk. Waivers were ways to reduce excessive paperwork requirements. Project managers and contract administrators had the authority to issue waivers, often with the intent of bypassing standard protocols in order to maintain a schedule. The use of waivers had been in place well before the manned space program even began. What is important here was not NASA’s use of the waiver, but the justification for the waiver given the risks.

NASA had issued waivers on both Criticality 1 status designations and launch constraints. In 1982, the solid rocket boosters were designated C1 by the Marshall Space Flight Center because failure of the O-rings could have caused loss of crew and the shuttle. This meant that the secondary O-rings were not considered redundant. The SRB project manager at Marshall, Larry Malloy, issued a waiver just in time for the next shuttle launch to take place as planned. Later, the O-rings designation went from C1 to C1R (i.e., a redundant process), thus partially avoiding the need for a waiver. The waiver was a necessity to keep the shuttle flying according to the original manifest.

Having a risk identification of C1 was not regarded as a sufficient reason to cancel a launch. It simply meant that component failure could be disastrous. It implied that this might be a potential problem that needed attention. If the risks were acceptable, NASA could still launch. A more serious condition was the issuing of launch constraints. Launch constraints were official NASA designations for situations in which mission safety was a serious enough problem to justify a decision not to launch. But once again, a launch constraint did not imply that the launch should be delayed. It meant that this was an important problem and needed to be addressed.

Following the 1985 mission that showed O-ring erosion and exhaust gas blow-by, a launch constraint was imposed. Yet on each of the next five shuttle missions, NASA’s Malloy issued a launch constraint waiver allowing the flights to take place on schedule without any changes to the O-rings.

Were the waivers a violation of serious safety rules just to keep the shuttle flying? The answer is no! NASA had protocols such as policies, procedures, and rules for adherence to safety. Waivers were also protocols but for the purpose of deviating from other existing protocols. Larry Malloy, his colleagues at NASA, and the contractors had no intentions of doing evil. Waivers were simply a way of saying that we believe that the risk is an acceptable risk.

The lifting of launch constraints and the issuance of waivers became the norm: standard operating procedure. Waivers became a way of life. If waivers were issued and the mission was completed successfully, then the same waivers would exist for the next flight and did not have to be brought up for discussion at the Flight Readiness Review meeting. The justification for the waivers seemed to be the similarity between flight launch conditions, temperature, and so on. Launching under similar conditions seemed to be important for the engineers at NASA and Thiokol because it meant that the forces acting on the O-rings were within their region of experience and could be correlated to existing data. The launch temperature effect on the O-rings was considered predictable, and therefore constituted an acceptable risk to both NASA and Thiokol, thus perhaps eliminating costly program delays that would have resulted from having to redesign the O-rings. The completion of each shuttle mission added another data point to the region of experience, thus guaranteeing the same waivers on the next launch. Flying with acceptable risk became the norm in NASA’s culture.

LAUNCH LIFTOFF SEQUENCE PROFILE: POSSIBLE ABORTS

During the countdown to liftoff, the launch team closely monitors weather conditions, not only at the launch site, but also at touchdown sites should the mission need to be prematurely aborted.

Dr. Feynman: “Would you explain why we are so sensitive to the weather?”

Mr. Moore (NASA’s deputy administrator for space flight): “Yes, there are several reasons. I mentioned the return to the landing site. We need to have visibility if we get into a situation where we need to return to the landing site after launch, and the pilots and the commanders need to be able to see the runway and so forth. So, you need a ceiling limitation on it [i.e., weather].

“We also need to maintain specifications on wind velocity so we don’t exceed crosswinds. Landing on a runway and getting too high of a crosswind may cause us to deviate off of the runway and so forth, so we have a crosswind limit. During ascent, assuming a normal flight, a chief concern is damage to tiles due to rain. We have had experiences in seeing what the effects of a brief shower can do in terms of the tiles. The tiles are thermal insulation blocks, very thick. A lot of them are very thick on the bottom of the orbiter. But if you have a raindrop and you are going at a very high velocity, it tends to erode the tiles, pock the tiles, and that causes us a grave concern regarding the thermal protection.

“In addition to that, you are worried about the turnaround time of the orbiters as well, because with the kind of tile damage that one could get in rain, you have an awful lot of work to do to go back and replace tiles back on the system. So, there are a number of concerns that weather enters into, and it is a major factor in our assessment of whether or not we are ready to launch.”10

Approximately six to seven seconds prior to the liftoff, the Shuttle’s main engines (liquid fuel) ignite. These engines consume one-half million gallons of liquid fuel. It takes nine hours prior to launch to fill the liquid fuel tanks. At ignition, the engines are throttled up to 104 percent of rated power. Redundancy checks on the engines’ systems are then made. The launch site ground complex and the orbiter’s onboard computer complex check a large number of details and parameters about the main engines to make sure that everything is proper and that the main engines are performing as planned.

If a malfunction is detected, the system automatically goes into a shutdown sequence, and the mission is scrubbed. The primary concern at this point is to make the vehicle “safe.” The crew remains on board and performs a number of functions to get the vehicle into a safe mode. These functions include making sure that all propellant and electrical systems are properly safed. Ground crews at the launch pad begin servicing the launch pad. Once the launch pad is in a safe condition, the hazard and safety teams begin draining the remaining liquid fuel out of the external tank.

If no malfunction is detected during this six-second period of liquid fuel burn, then a signal is sent to ignite the two solid rocket boosters, and liftoff occurs. For the next two minutes, with all engines ignited, the shuttle goes through a Max Q, or high dynamic pressure phase, that exerts maximum pressure loads on the orbiter vehicle. Based upon the launch profile, the main engines may be throttled down slightly during the Max Q phase to lower the loads.

After 128 seconds into the launch sequence, all of the solid fuel is expended and the solid rocket boosters (SRBs) staging occurs. The SRB parachutes are deployed. The SRBs then fall back to earth 162 miles from the launch site and are recovered for examination, cleaning, and reuse on future missions. The main liquid fuel engines are then throttled up to maximum power. After 523 seconds into the liftoff, the external liquid fuel tanks are essentially expended of fuel. The main engines are shut down. Ten to eighteen seconds later, the external tank is separated from the orbiter and disintegrates on reentry into the atmosphere.

From a safety perspective, the most hazardous period is the first 128 seconds when the SRBs are ignited. Here’s what Arnold Aldrich, manager of NASA’s STS Program, Johnson Space Center, had to say:

Mr. Aldrich: “Once the shuttle system starts off the launch pad, there is no capability in the system to separate these [solid propellant] rockets until they reach burnout. They will burn for two minutes and eight or nine seconds, and the system must stay together. There is not a capability built into the vehicle that would allow these to separate. There is a capability available to the flight crew to separate at this interface the orbiter from the tank, but that is thought to be unacceptable during the first stage when the booster rockets are on and thrusting. So, essentially the first two minutes and a little more of flight, the stack is intended and designed to stay together, and it must stay together to fly successfully.”

Exhibit VI. Abort options for shuttle

Type of Abort | Landing Site
Once-around abort | Edwards Air Force Base
Trans-Atlantic abort | Dakar
Trans-Atlantic abort | Casablanca
Return-to-landing-site (RTLS) | Kennedy Space Center

Mr. Hotz: “Mr. Aldrich, why is it unacceptable to separate the orbiter at that stage?”

Mr. Aldrich: “It is unacceptable because of the separation dynamics and the rupture of the propellant lines. You cannot perform the kind of a clean separation required for safety in the proximity of these vehicles at the velocities and the thrust levels they are undergoing, [and] the atmosphere they are flying through. In that regime, it is the design characteristic of the total system.”11

If an abort is deemed necessary during the first 128 seconds, the actual abort will not begin until after SRB staging has occurred, which is after 128 seconds into the launch sequence. Based on the reason and timing of an abort, options include those listed in Exhibit VI.

Arnold Aldrich commented on different abort profiles:

Chairman Rogers: “During the two-minute period, is it possible to abort through the orbiter?”

Mr. Aldrich: “You can abort for certain conditions. You can start an abort, but the vehicle won’t do anything yet, and the intended aborts are built around failures in the main engine system, the liquid propellant systems and their controls. If you have a failure of a main engine, it is well detected by the crew and by the ground support, and you can call for a return-to-launch-site abort. That would be logged in the computer. The computer would be set up to execute it, but everything waits until the solids take you to altitude. At that time, the solids will separate in the sequence I described, and then the vehicle flies downrange some 400 miles, maybe 10 to 15 additional minutes, while all of the tank propellant is expelled through these engines.

“As a precursor to setting up the conditions for this return-to-launch-site abort to be successful towards the end of that burn downrange, using the propellants and the thrust of the main engines, the vehicle turns and actually points heads up back towards Florida. When the tank is essentially depleted, automatic signals are sent to close off the [liquid] propellant lines and to separate the orbiter, and the orbiter then does a similar approach to the one we are familiar with with orbit back to the Kennedy Space Center for approach and landing.”

Dr. Walker: “So, the propellant is expelled but not burned?”

Mr. Aldrich: “No, it is burned. You burn the system on two engines all the way down-range until it is gone, and then you turn around and come back because you don’t have enough to burn to orbit. That is the return-to-launch-site abort, and it applies during the first 240 seconds of - no, 240 is not right. It is longer than that - the first four minutes, either before or after separation you can set that abort up, but it will occur after the solids separate, and if you have a main engine anomaly after the solids separate, at that time you can start the RTLS, and it will go through that same sequence and come back.”

Dr. Ride: “And you can also only do an RTLS if you have lost just one main engine. So if you lose all three main engines, RTLS isn’t a viable abort mode.”

Mr. Aldrich: “Once you get through the four minutes, there’s a period where you now don’t have the energy conditions right to come back, and you have a forward abort, and Jesse mentioned the sites in Spain and on the coast of Africa. We have what is called a trans-Atlantic abort, and where you can use a very similar sequence to the one I just described. You still separate the solids, you still burn all the propellant out of the tanks, but you fly across and land across the ocean.”

Mr. Hotz: “Mr. Aldrich, could you recapitulate just a bit here? Is what you are telling us that for two minutes of flight, until the solids separate, there is no practical abort mode?”

Mr. Aldrich: “Yes, sir.”

Mr. Hotz: “Thank you.”

Mr. Aldrich: “A trans-Atlantic abort can cover a range of just a few seconds up to about a minute in the middle where the across-the-ocean sites are effective, and then you reach this abort once-around capability where you go all the way around and land in California or back to Kennedy by going around the earth. And finally, you have abort-to-orbit where you have enough propulsion to make orbit but not enough to achieve the exact orbital parameters that you desire. That is the way that the abort profiles are executed.

“There are many, many nuances of crew procedure and different conditions and combinations of sequences of failures that make it much more complicated than I have described it.”12

THE O-RING PROBLEM

There were two kinds of joints on the shuttle: field joints that were assembled at the launch site connecting together the SRB’s cylindrical cases, and nozzle joints that connected the aft end of the case to the nozzle. During the pressure of ignition, the field joints could become bent such that the secondary O-ring could lose contact within an estimated 0.17 to 0.33 seconds after ignition. If the primary O-ring failed to seal properly before the gap within the joints opened up and the secondary seal failed, the results could be disastrous.

12 Ibid., pp. 51-52.

When the solid propellant boosters are recovered after separation, they are disassembled and checked for damage. The O-rings could show evidence of coming into contact with heat. Hot gases from the ignition sequence could blow by the primary O-ring briefly before sealing. This “blow-by” phenomenon could last for only a few milliseconds before sealing and result in no heat damage to the O-ring. If the actual sealing process takes longer than expected, then charring and erosion of the O-rings can occur. This would be evidenced by gray or black soot and erosion to the O-rings. The terms used are impingement erosion and “bypass” erosion, with the latter identified also as sooted “blow-by.”

Roger Boisjoly of Thiokol describes blow-by erosion and joint rotation as follows:

O-ring material gets removed from the cross section of the O-ring much, much faster than when you have bypass erosion or blow-by, as people have been terming it. We usually use the characteristic blow-by to define gas past it, and we use the other term [bypass erosion] to indicate that we are eroding at the same time. And so you can have blow-by without erosion, [and] you [can] have blow-by with erosion.13

At the beginning of the transient cycle [initial ignition rotation, up to 0.17 seconds] . . . [the primary O-ring] is still being attacked by hot gas, and it is eroding at the same time it is trying to seal, and it is a race between, will it erode more than the time allowed to have it seal.14

On January 24, 1985, STS 51-C [Flight No. 15] was launched at 51°F, which was the lowest temperature of any launch up to that time. Analyses of the joints showed evidence of damage. Black soot appeared between the primary and secondary O-rings. The engineers concluded that the cold weather had caused the O-rings to harden and move more slowly. This allowed the hot gases to blow by and erode the O-rings. This scorching effect indicated that low temperature launches could be disastrous.

On July 31, 1985, Roger Boisjoly of Thiokol sent an interoffice memo to R. K. Lund, vice president for engineering at Thiokol:

This letter is written to insure that management is fully aware of the seriousness of the current O-ring erosion problem in the SRM joints from an engineering standpoint.

13 Ibid., pp. 784-785.

14 Ibid., p. 136.

The mistakenly accepted position on the joint problem was to fly without fear of failure and to run a series of design evaluations which would ultimately lead to a solution or at least a significant reduction of the erosion problem. This position is now drastically changed as a result of the SRM 16A nozzle joint erosion which eroded a secondary O-ring with the primary O-ring never sealing.

If the same scenario should occur in a field joint (and it could), then it is a jump ball as to the success or failure of the joint because the secondary O-ring cannot respond to the clevis opening rate and may not be capable of pressurization. The result would be a catastrophe of the highest order - loss of human life.

An unofficial team (a memo defining the team and its purpose was never published) with [a] leader was formed on 19 July 1985 and was tasked with solving the problem for both the short and long term. This unofficial team is essentially nonexistent at this time. In my opinion, the team must be officially given the responsibility and the authority to execute the work that needs to be done on a non-interference basis (full time assignment until completed).

It is my honest and very real fear that if we do not take immediate action to dedicate a team to solve the problem with the field joint having the number one priority, then we stand in jeopardy of losing a flight along with all the launch pad facilities.15

On August 9, 1985, a letter was sent from Brian Russell, manager of the SRM Ignition System, to James Thomas at the Marshall Space Flight Center. The memo addressed the following:

Per your request, this letter contains the answers to the two questions you asked at the July Problem Review Board telecon.

1. Question: If the field joint secondary seal lifts off the metal mating surfaces during motor pressurization, how soon will it return to a position where contact is re-established?

Answer: Bench test data indicate that the O-ring resiliency (its capability to follow the metal) is a function of temperature and rate of case expansion. MTI [Thiokol] measured the force of the O-ring against Instron plattens, which simulated the nominal squeeze on the O-ring and approximated the case expansion distance and rate.

At 100°F, the O-ring maintained contact. At 75°F, the O-ring lost contact for 2.4 seconds. At 50°F, the O-ring did not re-establish contact in 10 minutes at which time the test was terminated.

The conclusion is that secondary sealing capability in the SRM field joint cannot be guaranteed.

15 Ibid., pp. 691-692.

2. Question: If the primary O-ring does not seal, will the secondary seal seat in sufficient time to prevent joint leakage?

Answer: MTI has no reason to suspect that the primary seal would ever fail after pressure equilibrium is reached; i.e., after the ignition transient. If the primary O-ring were to fail from 0 to 170 milliseconds, there is a very high probability that the secondary O-ring would hold pressure since the case has not expanded appreciably at this point. If the primary seal were to fail from 170 to 330 milliseconds, the probability of the secondary seal holding is reduced. From 330 to 600 milliseconds the chance of the secondary seal holding is small. This is a direct result of the O-ring’s slow response compared to the metal case segments as the joint rotates.16

At NASA, the concern for a solution to the O-ring problem became not only a technical crisis, but also a budgetary crisis. In a July 23, 1985, memorandum from Richard Cook, program analyst, to Michael Mann, chief of the STS Resource Analysis Branch, the impact of the problem was noted:

Earlier this week you asked me to investigate reported problems with the charring of seals between SRB motor segments during flight operations. Discussions with program engineers show this to be a potentially major problem affecting both flight safety and program costs.

Presently three seals between SRB segments use double O-rings sealed with putty. In recent Shuttle flights, charring of these rings has occurred. The O-rings are designed so that if one fails, the other will hold against the pressure of firing. However, at least in the joint between the nozzle and the aft segment, not only has the first O-ring been destroyed, but the second has been partially eaten away.

Engineers have not yet determined the cause of the problem. Candidates include the use of a new type of putty (the putty formerly in use was removed from the market by EPA because it contained asbestos), failure of the second ring to slip into the groove which must engage it for it to work properly, or new, and as yet unidentified, assembly procedures at Thiokol. MSC is trying to identify the cause of the problem, including on-site investigation at Thiokol, and OSF hopes to have some results from their analysis within thirty days. There is little question, however, that flight safety has been and is still being compromised by potential failure of the seals, and it is acknowledged that failure during launch would certainly be catastrophic. There is also indication that staff personnel knew of this problem sometime in advance of management’s becoming apprised of what was going on.

The potential impact of the problem depends on the as yet undiscovered cause. If the cause is minor, there should be little or no impact on budget or flight rate. A worst case scenario, however, would lead to the suspension of Shuttle flights, redesign of the SRB, and scrapping of existing stockpiled hardware. The impact on the FY 1987-8 budget could be immense.

16 Ibid., pp. 1568-1569.

It should be pointed out that Code M management [NASA’s associate administrator for space flight] is viewing the situation with the utmost seriousness. From a budgetary standpoint, I would think that any NASA budget submitted this year for FY 1987 and beyond should certainly be based on a reliable judgment as to the cause of the SRB seal problem and a corresponding decision as to budgetary action needed to provide for its solution.17

On October 30, 1985, NASA launched Flight STS 61-A [Flight no. 22] at 75°F. This flight also showed signs of sooted blow-by, but the color was significantly blacker. Although there was some heat effect, there was no measurable erosion observed on the secondary O-ring. Since blow-by and erosion had now occurred at a higher launch temperature, the original premise that launches under cold temperatures were a problem was now being questioned. Exhibit VII shows the temperature at launch of all the shuttle flights up to this time and the O-ring damage, if any.

Management at both NASA and Thiokol wanted concrete evidence that launch temperature was directly correlated to blow-by and erosion. Other than simply a “gut feel,” engineers were now stymied on how to show the direct correlation. NASA was not ready to cancel a launch simply due to an engineer’s “gut feel.”

William Lucas, director of the Marshall Space Center, made it clear that NASA’s manifest for launches would be adhered to. Managers at NASA were pressured to resolve problems internally rather than to escalate them up the chain of command. Managers became afraid to inform anyone higher up that they had problems, even though they knew that one existed.

Richard Feynman, Nobel laureate and member of the Rogers Commission, concluded that a NASA official altered the safety criteria so that flights could be certified on time under pressure imposed by the leadership of William Lucas. Feynman commented:

. . . They, therefore, fly in a relatively unsafe condition with a chance of failure of the order of one percent. Official management claims to believe that the probability of failure is a thousand times less.

17 Ibid., pp. 391-392.

Exhibit VII. Erosion and blow-by history (temperature in ascending order from coldest to warmest)

[Table columns: Flight; Date; Temperature (°F); Erosion Incidents; Blow-by Incidents; Comments. Only entries from the Comments column survive: Most erosion any flight; blow-by; secondary O-rings heated up. Deep, extensive erosion. O-rings erosion. O-rings heated but no damage. Coolest launch without problems. Extent of erosion unknown. No erosion but soot between O-rings. No data; casing lost at sea.]

Without concrete evidence of the temperature effect on the O-rings, the secondary O-ring was regarded as a redundant safety constraint and the criticality factor was changed from C1 to C1R. Potentially serious problems were treated as anomalies peculiar to a given flight. Under the guise of anomalies, NASA began issuing waivers to maintain the flight schedules. Pressure was placed upon contractors to issue closure reports. On December 24, 1985, L. O. Wear, NASA’s SRM Program Office manager, sent a letter to Joe Kilminster, Thiokol’s vice president for the Space Booster Program:

During a recent review of the SRM Problem Review Board open problem list I found that we have 20 open problems, 11 opened during the past 6 months, 13 open over 6 months, 1 three years old, 2 two years old, and 1 closed during the past six months. As you can see our closure record is very poor. You are requested to initiate the required effort to assure more timely closures and the MTI personnel shall coordinate directly with the S&E personnel the contents of the closure reports.18

PRESSURE, PAPERWORK, AND WAIVERS

To maintain the flight schedule, critical issues such as launch constraints had to be resolved or waived. This would require extensive documentation. During the Rogers Commission investigation, it seemed that there had been a total lack of coordination between NASA’s Marshall Space Center and Thiokol prior to the Challenger disaster. Joe Kilminster, Thiokol’s vice president for the Space Booster Program, testified:

Mr. Kilminster: “Mr. Chairman, if I could, I would like to respond to that. In response to the concern that was expressed - and I had discussions with the team leader, the task force team leader, Mr. Don Kettner, and Mr. Russell and Mr. Ebeling. We held a meeting in my office and that was done in the October time period where we called the people who were in a support role to the task team, as well as the task force members themselves.

“In that discussion, some of the task force members were looking to circumvent some of our established systems. In some cases, that was acceptable; in other cases, it was not. For example, some of the work that they had recommended to be done was involved with full-scale hardware, putting some of these joints together with various putty layup configurations; for instance, taking them apart and finding out what we could from that inspection process.”

Dr. Sutter: “Was that one of these things that was outside of the normal work, or was that accepted as a good idea or a bad idea?”

Mr. Kilminster: “A good idea, but outside the normal work, if you will.”

Dr. Sutter: “Why not do it?”

Mr. Kilminster: “Well, we were doing it. But the question was, can we circumvent the system, the paper system that requires, for instance, the handling constraints on those flight hardware items? And I said no, we can’t do that. We have to maintain our handling system, for instance, so that we don’t stand the possibility of injuring or damaging a piece of flight hardware.

“I asked at that time if adding some more people, for instance, a safety engineer - that was one of the things we discussed in there. The consensus was no, we really didn’t need a safety engineer. We had the manufacturing engineer in attendance who was in support of that role, and I persuaded him that, typical of the way we normally worked, that he should be calling on the resources from his own organization, that is, in Manufacturing, in order to get this work done and get it done in a timely fashion.

“And I also suggested that if they ran across a problem in doing that, they should bubble that up in their management chain to get help in getting the resources to get that done. Now, after that session, it was my impression that there was improvement based on some of the concerns that had been expressed, and we did get quite a bit of work done. For your evaluation, I would like to talk a little bit about the sequence of events for this task force.”

Chairman Rogers: “Can I interrupt? Did you know at that time it was a launch constraint, a formal launch constraint?”

Mr. Kilminster: “Not an overall launch constraint as such. Similar to the words that have been said before, each Flight Readiness Review had to address any anomalies or concerns that were identified at previous launches and in that sense, each of those anomalies or concerns were established in my mind as launch constraints unless they were properly reviewed and agreed upon by all parties.”

Chairman Rogers: “You didn’t know there was a difference between the launch constraint and just considering it an anomaly? You thought they were the same thing?”

Mr. Kilminster: “No, sir. I did not think they were the same thing.”

Chairman Rogers: “My question is: Did you know that this launch constraint was placed on the flights in July 1985?”

Mr. Kilminster: “Until we resolved the O-ring problem on that nozzle joint, yes. We had to resolve that in a fashion for the subsequent flight before we would be okay to fly again.”

Chairman Rogers: “So you did know there was a constraint on that?”

Mr. Kilminster: “On a one flight per one flight basis; yes, sir.”

Chairman Rogers: “What else would a constraint mean?”

Mr. Kilminster: “Well, I get the feeling that there’s a perception here that a launch constraint means all launches, whereas we were addressing each launch through the Flight Readiness Review process as we went.”

Chairman Rogers: “No, I don’t think - the testimony that we’ve had is that a launch constraint is put on because it is a very serious problem and the constraint means don’t fly unless it’s fixed or taken care of, but somebody has the authority to waive it for a particular flight. And in this case, Mr. Mulloy was authorized to waive it, which he did, for a number of flights before 51-L. Just prior to 51-L, the papers showed the launch constraint was closed out, which I guess means no longer existed. And that was done on January 23, 1986. Now, did you know that sequence of events?”

Mr. Kilminster: “Again, my understanding of closing out, as the term has been used here, was to close it out on the problem actions list, but not as an overall standard requirement. We had to address these at subsequent Flight Readiness Reviews to ensure that we were all satisfied with the proceeding to launch.”

Chairman Rogers: “Did you understand the waiver process, that once a constraint was placed on this kind of a problem, that a flight could not occur unless there was a formal waiver?”

Mr. Kilminster: “Not in the sense of a formal waiver, no, sir.”

Chairman Rogers: “Did any of you? Didn’t you get the documents saying that?”

Mr. McDonald: “I don’t recall seeing any documents for a formal waiver.”19

MISSION 51-L

On January 25, 1986, questionable weather caused a delay of Mission 51-L to January 27. On January 26, the launch was reconfirmed for 9:37 A.M. on the 27th. However, on the morning of January 27, a malfunction with the hatch, combined with high crosswinds, caused another delay. All preliminary procedures had been completed and the crew had just boarded when the first problem appeared. A microsensor on the hatch indicated that the hatch was not shut securely. It turned out that the hatch was shut securely but the sensor had malfunctioned. Valuable time was lost in determining the problem.

After the hatch was finally closed, the external handle could not be removed. The threads on the connecting bolt were stripped and instead of cleanly disengaging when turned, simply spun around. Attempts to use a portable drill to remove the handle failed. Technicians on the scene asked Mission Control for permission to saw off the bolt. Fearing some form of structural stress to the hatch, engineers made numerous time-consuming calculations before giving the go-ahead to cut off the bolt. The entire process consumed almost two hours before the countdown resumed.

However, the misfortunes continued. During the attempts to verify the integrity of the hatch and remove the handle, the wind had been steadily rising. Chief Astronaut John Young flew a series of approaches in the shuttle training aircraft and confirmed the worst fears of mission control. The crosswinds at the Cape were in excess of the level allowed for the abort contingency. The opportunity had been missed. The mission was then reset to launch the next day, January 28, at 9:38 A.M. Everyone was quite discouraged since extremely cold weather was forecast for Tuesday that could further postpone the launch.20

Weather conditions indicated that the temperature at launch could be as low as 26°F. This would be much colder and well below the temperature range that the O-rings were designed to operate in. The components of the solid rocket motors were qualified only to 40°F at the lower limit. Undoubtedly, when the sun came up and launch time approached, both the air temperature and vehicle would warm up, but there was still concern. Would the ambient temperature be high enough to meet the launch requirements? NASA’s Launch Commit Criteria stated that no launch should occur at temperatures below 31°F. There were also worries over any permanent effects on the shuttle due to the cold overnight temperatures. NASA became concerned and asked Thiokol for their recommendation on whether or not to launch. NASA admitted under testimony that if Thiokol had recommended not launching, then the launch would not have taken place.

19 Ibid., pp. 1577-1578.

20 Hoover and Wallace, pp. 3-4.

At 5:45 P.M. eastern standard time, a teleconference was held between the Kennedy Space Center, Marshall Space Flight Center, and Thiokol. Bob Lund, vice president for engineering, summarized the concerns of the Thiokol engineers: in Thiokol’s opinion, the launch should be delayed until noontime or even later so that a launch temperature of at least 53°F could be achieved. Thiokol’s engineers were concerned that no data were available for launches at this temperature of 26°F. This was the first time in fourteen years that Thiokol had recommended not to launch.

The design validation tests originally done by Thiokol covered only a narrow temperature range. The temperature data did not include any temperatures below 53°F. The O-rings from Flight 51-C, which had been launched under cold conditions the previous year, showed very significant erosion. These were the only data available on the effects of cold, but all of the Thiokol engineers agreed that the cold weather would decrease the elasticity of the synthetic rubber O-rings, which in turn might cause them to seal slowly and allow hot gases to surge through the joint.21

Another teleconference was set up for 8:45 P.M. to invite more parties to be involved in the decision. Meanwhile, Thiokol was asked to fax all relevant and supporting charts to all parties involved in the 8:45 P.M. teleconference.

The following information was included in the pages that were faxed:

Blow-by History:

SRM-15 Worst Blow-by
Two case joints (80°), (110°) Arc
Much worse visually than SRM-22

SRM-22 Blow-by
Two case joints (30-40°)

SRM-13A, 15, 16A, 18, 23A, 24A
Nozzle blow-by

Field Joint Primary Concerns-SRM-25

A temperature lower than the current database results in changing primary O-ring sealing timing function
SRM-15A-80° arc black grease between O-rings
SRM-15B-110° arc black grease between O-rings
Lower O-ring squeeze due to lower temp
Higher O-ring shore hardness
Thicker grease viscosity
Higher O-ring pressure activation time
If actuation time increases, threshold of secondary seal pressurization capability is approached.
If threshold is reached then secondary seal may not be capable of being pressurized.

Conclusions:

Temperature of O-ring is not only parameter controlling blow-by:
SRM-15 with blow-by had an O-ring temp at 53°F.
SRM-22 with blow-by had an O-ring temp at 75°F.
Four development motors with no blow-by were tested at O-ring temp of 47° to 52°F.
Development motors had putty packing which resulted in better performance.
At about 50°F blow-by could be experienced in case joints.
Temp for SRM-25 on 1-28-86 launch will be: 29°F 9 A.M.; 38°F 2 P.M.
Have no data that would indicate SRM-25 is different than SRM-15 other than temp.

Recommendations:

O-ring temp must be ≥ 53°F at launch.
Development motors at 47° to 52°F with putty packing had no blow-by.
SRM-15 (the best simulation) worked at 53°F.
Project ambient conditions (temp & wind) to determine launch time.

From NASA’s perspective, the launch window was from 9:30 A.M. to 12:30 P.M. on January 28. This was based on weather conditions and visibility, not only at the launch site but also at the landing sites should an abort be necessary. An additional consideration was the fact that the temperature might not reach 53°F prior to the launch window closing. Actually, the temperature at the Kennedy Space Center was not expected to reach 50°F until two days later. NASA was hoping that Thiokol would change its mind and recommend launch.

THE SECOND TELECONFERENCE

At the second teleconference, Bob Lund once again asserted Thiokol’s recommendation not to launch below 53°F. NASA’s Mulloy then burst out over the teleconference network:

My God, Morton Thiokol! When do you want me to launch - next April?

NASA challenged Thiokol’s interpretation of the data and argued that Thiokol was inappropriately attempting to establish a new Launch Commit Criterion just prior to launch. NASA asked Thiokol to reevaluate its conclusions. Crediting NASA’s comments with some validity, Thiokol then requested a five-minute off-line caucus. In the room at Thiokol were fourteen engineers, namely:

  1. Jerald Mason, senior vice president, Wasatch Operations
  2. Calvin Wiggins, vice president and general manager, Space Division
  3. Joe C. Kilminster, vice president, Space Booster Programs
  4. Robert K. Lund, vice president, Engineering
  5. Larry H. Sayer, director, Engineering and Design
  6. William Macbeth, manager, Case Projects, Space Booster Project
  7. Donald M. Ketner, supervisor, Gas Dynamics Section and head Seal Task Force
  8. Roger Boisjoly, member, Seal Task Force
  9. Arnold R. Thompson, supervisor, Rocket Motor Cases
  10. Jack R. Kapp, manager, Applied Mechanics Department
  11. Jerry Burn, associate engineer, Applied Mechanics
  12. Joel Maw, associate scientist, Heat Transfer Section
  13. Brian Russell, manager, Special Projects, SRM Project
  14. Robert Ebeling, manager, Ignition System and Final Assembly, SRB Project

There were no safety personnel in the room because nobody thought to invite them. The caucus lasted some thirty minutes. Thiokol (specifically Joe Kilminster) then returned to the teleconference stating that they were unable to sustain a valid argument that temperature affects O-ring blow-by and erosion. Thiokol then reversed its position and was now recommending launch.

NASA stated that the launch of the Challenger would not take place without Thiokol’s approval. But when Thiokol reversed its position following the caucus and agreed to launch, NASA interpreted this as an acceptable risk. The launch would now take place.

Mr. McDonald (Thiokol): “The assessment of the data was that the data was not totally conclusive, that the temperature could affect everything relative to the seal. But there was data that indicated that there were things going in the wrong direction, and this was far from our experience base.

“The conclusion being that Thiokol was directed to reassess all the data because the recommendation was not considered acceptable at that time of [waiting for] the 53 degrees [to occur]. NASA asked us for a reassessment and some more data to show that the temperature in itself can cause this to be a more serious concern than we had said it would be. At that time Thiokol in Utah said that they would like to go off-line and caucus for about five minutes and reassess what data they had there or any other additional data.

“And that caucus lasted for, I think, a half hour before they were ready to go back on. When they came back on they said they had reassessed all the data and had come to the conclusions that the temperature influence, based on the data they had available to them, was inconclusive and therefore they recommended a launch.”22

During the Rogers Commission testimony, NASA’s Mulloy stated his thought process in requesting Thiokol to rethink their position:

General Kutyna: “You said the temperature had little effect?”

Mr. Mulloy: “I didn’t say that. I said I can’t get a correlation between O-ring erosion, blow-by and O-ring, and temperature.”

General Kutyna: “51-C was a pretty cool launch. That was January of last year.”

Mr. Mulloy: “It was cold before then but it was not that much colder than other launches.”

General Kutyna: “So it didn’t approximate this particular one?”

Mr. Mulloy: “Unfortunately, that is one you look at and say, aha, is it related to a temperature gradient and the cold. The temperature of the O-ring on 51-C, I believe, was 53 degrees. We have fired motors at 48 degrees.”23

Mulloy asserted he had not pressured Thiokol into changing their position. Yet, the testimony of Thiokol’s engineers stated they believed they were being pressured.

Roger Boisjoly, one of Thiokol’s experts on O-rings, was present during the caucus and vehemently opposed the launch. During testimony, Boisjoly described his impressions of what occurred during the caucus:

“The caucus was started by Mr. Mason stating that a management decision was necessary. Those of us who were opposed to the launch continued to speak out, and I am specifically speaking of Mr. Thompson and myself because in my recollection, he and I were the only ones who vigorously continued to oppose the launch. And we were attempting to go back and rereview and try to make clear what we were trying to get across, and we couldn’t understand why it was going to be reversed.

“So, we spoke out and tried to explain again the effects of low temperature. Arnie actually got up from his position which was down the table and walked up the table and put a quad pad down in front of the table, in front of the management folks, and tried to sketch out once again what his concern was with the joint, and when he realized he wasn’t getting through, he just stopped.

“I tried one more time with the photos. I grabbed the photos and I went up and discussed the photos once again and tried to make the point that it was my opinion from actual observations that temperature was indeed a discriminator, and we should not ignore the physical evidence that we had observed.

“And again, I brought up the point that SRM-15 had a 110 degree arc of black grease, while SRM-22 had a relatively different amount, which was less and wasn’t quite as black. I also stopped when it was apparent that I could not get anybody to listen.”

Dr. Walker: “At this point did anyone else [i.e., engineers] speak up in favor of the launch?”

Mr. Boisjoly: “No, sir. No one said anything, in my recollection. Nobody said a word. It was then being discussed amongst the management folks. After Arnie and I had our last say, Mr. Mason said we have to make a management decision. He turned to Bob Lund and asked him to take off his engineering hat and put on his management hat. From this point on, management formulated the points to base their decision on. There was never one comment in favor, as I have said, of launching by any engineer or other nonmanagement person in the room before or after the caucus. I was not even asked to participate in giving any input to the final decision charts.

“I went back on the net with the final charts or final chart, which was the rationale for launching, and that was presented by Mr. Kilminster. It was handwritten on a notepad, and he read from that notepad. I did not agree with some of the statements that were being made to support the decision. I was never asked nor polled, and it was clearly a management decision from that point.

“I must emphasize, I had my say, and I never take any management right to take the input of an engineer and then make a decision based upon that input, and I truly believe that. I have worked at a lot of companies, and that has been done from time to time, and I truly believe that, and so there was no point in me doing anything any further [other] than [what] I had already attempted to do.

“I did not see the final version of the chart until the next day. I just heard it read. I left the room feeling badly defeated, but I felt I really did all I could to stop the launch. I felt personally that management was under a lot of pressure to launch, and they made a very tough decision, but I didn’t agree with it.

“One of my colleagues who was in the meeting summed it up best. This was a meeting where the determination was to launch, and it was up to us to prove beyond a shadow of a doubt that it was not safe to do so. This is in total reverse to what the position usually is in a preflight conversation or a Flight Readiness Review. It is usually exactly opposite that.”

Dr. Walker: “Do you know the source of the pressure on management that you alluded to?”

Mr. Boisjoly: “Well, the comments made over the net are what I felt. I can’t speak for them, but I felt it. I felt the tone of the meeting exactly as I summed up, that we were being put in a position to prove that we should not launch rather than being put in the position and prove that we had enough data to launch.”24

General Kutyna: “What was the motivation driving those who were trying to overturn your opposition?”

Mr. Boisjoly: “They felt that we had not demonstrated, or I had not demonstrated, because I was the prime mover in SRM-15. Because of my personal observations and involvement in the Flight Readiness Reviews, they felt that I had not conclusively demonstrated that there was a tie-in between temperature and blow-by.

“My main concern was if the timing function changed and that seal took longer to get there, then you might not have any seal left because it might be eroded before it seats. And then, if that timing function is such that it pushes you from the 170 millisecond region into the 330 second region, you might not have a secondary seal to pick up if the primary is gone. That was my major concern.

“I can’t quantify it. I just don’t know how to quantify that. But I felt that the observations made were telling us that there was a message there telling us that temperature was a discriminator, and I couldn’t get that point across. I basically had no direct input into the final recommendation to launch, and I was not polled.

“I think Astronaut Crippen hit the tone of the meeting exactly right on the head when he said that the opposite was true of the way the meetings were normally conducted. We normally have to absolutely prove beyond a shadow of a doubt that we have the ability to fly, and it seemed like we were trying to prove, have proved that we had data to prove that we couldn’t fly at this time, instead of the reverse. That was the tone of the meeting, in my opinion.”25

Jerald Mason, senior vice president at Thiokol’s Wasatch Division, directed the caucus at Thiokol. Mason continuously asserted that a management decision was needed and instructed Bob Lund, vice president for engineering, to take off his engineering hat and put on his management hat. During testimony, Mason commented on his interpretation of the data:

Dr. Ride [a member of the Commission]: “You know, what we’ve seen in the charts so far is that the data was inconclusive and so you said go ahead.”

Mr. Mason: “. . . I hope I didn’t convey that. But the reason for the discussion was the fact that we didn’t have enough data to quantify the effect of the cold, and that was the heart of our discussion . . . We have had blow-by on earlier flights. We had not had any reason to believe that we couldn’t experience it again at any temperature. . . .”26

24 Ibid., pp. 793-794.

25 Ibid., p. 676.

At the end of the second teleconference, NASA’s Hardy at Marshall Space Flight Center requested that Thiokol put their recommendation to launch in writing and fax it to both Marshall Space Flight Center and Kennedy Space Center. The memo that follows was signed by Joe Kilminster, vice president for Thiokol’s Space Booster Program, and faxed at 11:45 P.M. the night before the launch.

Calculations show that SRM-25 O-rings will be 20° colder than SRM-15 O-rings.
Temperature data not conclusive on predicting primary O-ring blow-by.
Engineering assessment is that:

Colder O-rings will have increased effective durometer (“harder”).
“Harder” O-rings will take longer to “seat.”
More gas may pass primary O-ring before the primary seal seats (relative to SRM-15).
Demonstrated sealing threshold is three times greater than 0.038″ erosion experienced on SRM-15.
If the primary seal does not seat, the secondary seal will seat.
Pressure will get to secondary seal before the metal parts rotate.
O-ring pressure leak check places secondary seal in outboard position, which minimizes sealing time.

MTI recommends STS-51L launch proceed on 28 January 1986.
SRM-25 will not be significantly different from SRM-15.27

THE ICE PROBLEM

At 1:30 A.M. on the day of the launch, NASA’s Gene Thomas, launch director, ordered a complete inspection of the launch site due to cold weather and severe ice conditions. The prelaunch inspection of the Challenger and the launch pad by the ice-team was unusual, to say the least. The ice-team’s responsibility was to remove any frost or ice on the vehicle or launch structure. What they found during their inspection looked like something out of a science fiction movie. The freeze-protection plan implemented by Kennedy personnel had gone very wrong. Hundreds of icicles, some up to 16 inches long, clung to the launch structure. The handrails and walkways near the shuttle entrance were covered in ice, making them extremely dangerous if the crew had to make an emergency evacuation. One solid sheet of ice stretched from the 195 foot level to the 235 foot level on the gantry. However, NASA continued to cling to its calculations that there would be no damage due to flying ice shaken loose during the launch.28 A decision was then made to delay the launch from 9:38 A.M. to 11:30 A.M. so that the ice on the launch pad could melt. The delay was still within the launch window of 9:30 A.M.-12:30 P.M.

26 Ibid., p. 764.

27 Ibid., p. 764.

At 8:30 A.M., a second ice inspection was made. Ice was still significantly present at the launch site. Robert Glaysher, vice president for orbital operations at Rockwell, stated that the launch was unsafe. Rockwell’s concern was that falling ice could damage the heat tiles on the orbiter. This could have a serious impact during reentry.

At 10:30 A.M., a third ice inspection was made. Though some of the ice was beginning to melt, there was still significant ice on the launch pad. The temperature of the left solid rocket booster was measured at 33°F and the right booster was measured at 19°F. Even though the right booster was 34 degrees colder than Thiokol’s original recommendation for a launch temperature (i.e., 53°F), no one seemed alarmed. Rockwell also agreed to launch, even though its earlier statement had been that the launch was unsafe.

Arnold Aldrich, manager of the STS Program at the Johnson Space Center, testified on the concern over the ice problem:

Mr. Aldrich: “Kennedy facility people at that meeting, everyone in that meeting, voted strongly to proceed and said they had no concern, except for Rockwell. The comment to me from Rockwell, which was not written specifically to the exact words, and either recorded or logged, was that they had some concern about the possibility of ice damage to the orbiter. Although it was a minor concern, they felt that we had no experience base launching in this exact configuration before, and therefore they thought we had some additional risk of orbiter damage from ice than we had on previous meetings, or from previous missions.”

Chairman Rogers: “Did they sign off on it or not?”

Mr. Aldrich: “We don’t have a sign-off at that point. It was not - it was not maybe 20 minutes, but it was close to that. It was within the last hour of launch.”

Chairman Rogers: “But they still objected?”

28 Hoover and Wallace, page 5.

Mr. Aldrich: “They issued what I would call a concern, a less than 100 percent concurrence in the launch. They did not say we do not want to launch, and the rest of the team overruled them. They issued a more conservative concern. They did not say don’t launch.”

General Kutyna: “I can’t recall a launch that I have had where there was 100 percent certainty that everything was perfect, and everyone around the table would agree to that. It is the job of the launch director to listen to everyone, and it’s our job around the table to listen and say there is this element of risk, and you characterize this as 90 percent, or 95, and then you get a consensus that that risk is an acceptable risk, and then you launch.

“So I think this gentleman is characterizing the degree of risk, and he’s honest, and he had to say something.”

Dr. Ride: “But one point is that their concern is a specific concern, and they weren’t concerned about the overall temperature or damage to the solid rockets or damage to the external tank. They were worried about pieces of ice coming off and denting the tile.”29

Following the accident, the Rogers Commission identified three major concerns about the ice-on-the-pad issue:

  1. An analysis of all of the testimony and interviews established that Rockwell’s recommendation on launch was ambiguous. The Commission found it difficult, as did Mr. Aldrich, to conclude that there was a no-launch recommendation. Moreover, all parties were asked specifically to contact Aldrich or Moore about launch objections due to weather. Rockwell made no phone calls or further objections to Aldrich or other NASA officials after the 9:00 A.M. Mission Management Team meeting and subsequent to the resumption of the countdown.
  2. The Commission was also concerned about the NASA response to the Rockwell position at the 9:00 A.M. meeting. While it was understood that decisions have to be made in launching a Shuttle, the Commission was not convinced Levels I and II [of NASA’s management] appropriately considered Rockwell’s concern about the ice. However ambiguous Rockwell’s position was, it was clear that they did tell NASA that the ice was an unknown condition. Given the extent of the ice on the pad, the admitted unknown effect of the Solid Rocket Motor and Space Shuttle Main Engines ignition on the ice, as well as the fact that debris striking the orbiter was a potential flight safety hazard, the Commission found the decision to launch questionable under those circumstances. In this situation, NASA appeared to be requiring a contractor to prove that it was not safe to launch, rather than proving it was safe. Nevertheless, the Commission had determined that the ice was not a cause of the 51-L accident and does not conclude that NASA’s decision to launch specifically overrode a no-launch recommendation by an element contractor.
  3. The Commission concluded that the freeze protection plan for launch pad 39B was inadequate. The Commission believed that the severe cold and presence of so much ice on the fixed service structure made it inadvisable to launch on the morning of January 28, and that margins of safety were whittled down too far.

29 Ibid., pp. 237-238.

It became obvious that NASA’s management knew of the ice problem, but did they know of Thiokol’s original recommendation not to launch and then their reversal? Larry Mulloy, the SRB Project manager for NASA, and Stanley Reinartz, NASA’s manager of the Shuttle Office, both admitted that they told Arnold Aldrich, manager of the STS program, Johnson Space Center, about their concern for the ice problem but there was no discussion about the teleconferences with Thiokol over the O-rings. It appeared that Mulloy and Reinartz considered the ice as a potential problem whereas the O-rings constituted an acceptable risk. Therefore, only potential problems went up the chain of command, not the components of the “aggregate acceptable launch risk.” It became common practice in Flight Readiness Review documentation to use the term acceptable risk. This became the norm at NASA and resulted in insulating senior management from certain potential problems. It was the culture that had developed at NASA that created the flawed decision-making process rather than an intent by individuals to withhold information and jeopardize safety.

THE ACCIDENT

Just after liftoff at 0.678 seconds into the flight, photographic data showed a strong puff of gray smoke spurting from the vicinity of the aft field joint on the right solid rocket booster. The two pad 39B cameras that would have recorded the precise location of the puff were inoperative. Computer graphic analysis of film from other cameras indicated the initial smoke came from the 270- to 310-degree sector of the circumference of the aft field joint of the right solid rocket booster. This area of the solid booster faced the external tank. The vaporized material streaming from the joint indicated there was incomplete sealing action within the joint.

Eight more distinctive puffs of increasingly blacker smoke were recorded between 0.836 and 2.500 seconds. The smoke appeared to puff upward from the joint. While each smoke puff was being left behind by the upward flight of the Shuttle, the next fresh puff could be seen near the level of the joint. The multiple smoke puffs in this sequence occurred about four times per second, approximating the frequency of the structural load dynamics and resultant joint flexing. Computer graphics applied to NASA photos from a variety of cameras in this sequence again placed the smoke puffs’ origin in the same 270- to 310-degree sector of the circumference as the original smoke spurt.

As the shuttle Challenger increased its upward velocity, it flew past the emerging and expanding smoke puffs. The last smoke was seen above the field joint at 2.733 seconds.

The black color and dense composition of the smoke puffs suggested that the grease, joint insulation, and rubber O-rings in the joint seal were being burned and eroded by the hot propellant gases.

At approximately 37 seconds, Challenger encountered the first of several high altitude wind shear conditions that lasted about 64 seconds. The wind shear created forces of relatively large fluctuations on the vehicle itself. These were immediately sensed and countered by the guidance, navigation, and control systems.

The steering system (thrust vector control) of the solid rocket booster responded to all commands and wind shear effects. The wind shear caused the steering system to be more active than on any previous flight.

Both the Challenger’s main engines and the solid rockets operated at reduced thrust approaching and passing through the area of maximum dynamic pressure of 720 pounds per square foot. Main engines had been throttled up to 104 percent thrust, and the solid rocket boosters were increasing their thrust when the first flickering flame appeared on the right solid rocket booster in the area of the aft field joint. This first very small flame was detected on image-enhanced film at 58.788 seconds into the flight. It appeared to originate at about 305 degrees around the booster circumference at or near the aft field joint.

One film frame later from the same camera, the flame was visible without image enhancement. It grew into a continuous, well-defined plume at 59.262 seconds. At approximately the same time (60 seconds), telemetry showed a pressure differential between the chamber pressures in the right and left boosters. The right booster chamber pressure was lower, confirming the growing leak in the area of the field joint.

As the flame plume increased in size, it was deflected rearward by the aerodynamic slipstream and circumferentially by the protruding structure of the upper ring attaching the booster to the external tank. These deflections directed the flame plume onto the surface of the external tank. This sequence of flame spreading is confirmed by analysis of the recovered wreckage. The growing flame also impinged on the strut attaching the solid rocket booster to the external tank.

The first visual indication that swirling flame from the right solid rocket booster breached the external tank was at 64.660 seconds, when there was an abrupt change in the shape and color of the plume. This indicated that it was mixing with leaking hydrogen from the external tank. Telemetered changes in the hydrogen tank pressurization confirmed the leak. Within 45 milliseconds of the breach of the external tank, a bright, sustained glow developed on the black tiled underside of the Challenger between it and the external tank.

Beginning around 72 seconds, a series of events occurred extremely rapidly that terminated the flight. Telemetered data indicated a wide variety of flight system actions that supported the visual evidence of the photos as the shuttle struggled futilely against the forces that were destroying it.

At about 72.20 seconds, the lower strut linking the solid rocket booster and the external tank was severed or pulled away from the weakened hydrogen tank, permitting the right solid rocket booster to rotate around the upper attachment strut. This rotation was indicated by divergent yaw and pitch rates between the left and right solid rocket boosters.

At 73.124 seconds, a circumferential white vapor pattern was observed blooming from the side of the external tank bottom dome. This was the beginning of the structural failure of the hydrogen tank that culminated in the entire aft dome dropping away. This released massive amounts of liquid hydrogen from the tank and created a sudden forward thrust of about 2.8 million pounds, pushing the hydrogen tank upward into the intertank structure. About the same time, the ro- tating right solid rocket booster impacted the intertank structure and the lower part of the liquid oxygen tank. These structures failed at 73.137 seconds, as evi- denced by the white vapors appearing in the intertank region.

Within milliseconds there was massive, almost explosive, burning of the hy- drogen streaming from the failed tank bottom and the liquid oxygen breach in the area of the intertank.

At this point in its trajectory, while traveling at a Mach number of 1.92 at an altitude of 46,000 feet, the Challenger was totally enveloped in the explosive bum. The Challenger’s reaction control system ruptured, and a hypergolic bum of its propellants occurred, producing the oxygen-hydrogen flames. The reddish brown colors of the hypergolic fuel burn were visible on the edge of the main fire- ball. The orbiter, under severe aerodynamic loads, broke into several large sec- tions, which emerged from the fireball. Separate sections that can be identified on film include the main engineltail section with the engines still burning, one wing of the orbiter, and the forward fuselage trailing a mass of umbilical lines pulled loose from the payload bay.

The consensus of the Commission and participating investigative agencies was that the loss of the space shuttle Challenger was caused by a failure in the joint between the two lower segments of the right solid rocket motor. The specific failure was the destruction of the seals that were intended to prevent hot gases from leaking through the joint during the propellant burn of the rocket motor. The evidence assembled by the Commission indicates that no other element of the space shuttle system contributed to this failure.


In arriving at this conclusion, the Commission reviewed in detail all available data, reports, and records; directed and supervised numerous tests, analyses, and experiments by NASA, civilian contractors, and various government agencies; and then developed specific failure scenarios and the range of most probably causative factors.

The failure was due to a faulty design unacceptably sensitive to a number of factors. These factors were the effects of temperature, physical dimensions, the character of materials, the effects of reusability, processing, and the reaction of the joint to dynamic loading.

NASA AND THE MEDIA

Following the tragedy, many believed that NASA’s decision to launch had been an attempt to minimize further ridicule by the media. Successful shuttle flights were no longer news because they were almost ordinary. However, launch aborts and delayed landings were more newsworthy because they were less common. The Columbia launch, which had immediately preceded the Challenger mission, had been delayed seven times. The Challenger launch had gone through four delays already. News anchor personnel were criticizing NASA. Some believed that NASA felt it had to do something quickly to dispel its poor public image.

The Challenger mission had had more media coverage and political ramifications than other recent missions. This would be the launch of the Teacher in Space Project. The original launch date of the Challenger had been scheduled just before President Reagan’s State of the Union message, which was to be delivered the evening of January 28. Some believed that the president had intended to publicly praise NASA for the Teacher in Space Project and possibly even talk to Ms. McAuliffe live during his address. This would certainly have enhanced NASA’s image. Following the tragedy, there were questions as to whether the White House had pressured NASA into launching the Shuttle because of President Reagan’s (and NASA’s) love of favorable publicity. The commission, however, found no evidence of White House intervention in the decision to launch.

FINDINGS OF THE COMMISSION

Determining the cause of an engineering disaster can take years of investigation. The Challenger disaster arose from many factors, including launch conditions, mechanical failure, faulty communication, and poor decision making. In the end, the last-minute decision to launch combined all possible factors into a lethal action.


The Commission concluded that the accident was rooted in history. The space shuttle’s solid rocket booster problem began with the faulty design of its joint and increased as both NASA and contractor management first failed to recognize that they had a problem, then failed to fix it, and finally treated it as an acceptable flight risk.

Morton Thiokol, Inc., the contractor, did not accept the implication of tests early in the program that the design had a serious and unanticipated flaw. NASA did not accept the judgment of its engineers that the design was unacceptable, and as the joint problems grew in number and severity, NASA minimized them in management briefings and reports. Thiokol’s stated position was that “the condition is not desirable but is acceptable.”

Neither Thiokol nor NASA expected the rubber O-rings sealing the joints to be touched by hot gases of motor ignition, much less to be partially burned. However, as tests and then flights confirmed damage to the sealing rings, the reaction by both NASA and Thiokol was to increase the amount of damage considered “acceptable.” At no time did management either recommend a redesign of the joint or call for the shuttle’s grounding until the problem was solved.

The genesis of the Challenger accident, the failure of the joint of the right solid rocket motor, lay in decisions made in the design of the joint and in the failure by both Thiokol and NASA’s Solid Rocket Booster project office to understand and respond to facts obtained during testing.

The Commission concluded that neither Thiokol nor NASA had responded adequately to internal warnings about the faulty seal design. Furthermore, Thiokol and NASA did not make a timely attempt to develop and verify a new seal after the initial design was shown to be deficient. Neither organization developed a solution to the unexpected occurrences of O-ring erosion and blow-by, even though this problem was experienced frequently during the shuttle flight history. Instead, Thiokol and NASA management came to accept erosion and blow-by as unavoidable and an acceptable flight risk. Specifically, the Commission found six things:

  1. The joint test and certification program was inadequate. There was no requirement to configure the qualifications test motor as it would be in flight, and the motors were static tested in a horizontal position, not in the vertical flight position.
  2. Prior to the accident, neither NASA nor Thiokol fully understood the mechanism by which the joint sealing action took place.
  3. NASA and Thiokol accepted escalating risk apparently because they “got away with it last time.” As Commissioner Feynman observed, the decision making was:

A kind of Russian roulette. . . . [The Shuttle] flies [with O-ring erosion] and nothing happens. Then it is suggested, therefore, that the risk is no longer so high for the next flights. We can lower our standards a little bit because we got away with it last time. . . . You got away with it, but it shouldn’t be done over and over again like that.

  4. NASA’s system for tracking anomalies for Flight Readiness Reviews failed in that, despite a history of persistent O-ring erosion and blow-by, flight was still permitted. It failed again in the strange sequence of six consecutive launch constraint waivers prior to 51-L, permitting it to fly without any record of a waiver, or even of an explicit constraint. Tracking and continuing only anomalies that are outside the database of prior flight allowed major problems to be removed from, and lost by, the reporting system.
  5. The O-ring erosion history presented to Level I at NASA Headquarters in August 1985 was sufficiently detailed to require corrective action prior to the next flight.
  6. A careful analysis of the flight history of O-ring performance would have revealed the correlation of O-ring damage and low temperature. Neither NASA nor Thiokol carried out such an analysis; consequently, they were unprepared to properly evaluate the risks of launching the 51-L mission in conditions more extreme than they had encountered before.

The Commission also identified a concern for the “silent” safety program. The Commission was surprised to realize after many hours of testimony that NASA’s safety staff was never mentioned. No witness related the approval or disapproval of the reliability engineers, and none expressed the satisfaction or dissatisfaction of the quality assurance staff. No one thought to invite a safety representative or a reliability and quality assurance engineer to the January 27, 1986, teleconference between Marshall and Thiokol. Similarly, there was no safety representative on the Mission Management Team that made key decisions during the countdown on January 28, 1986.

The unrelenting pressure to meet the demands of an accelerating flight schedule might have been adequately handled by NASA if it had insisted on the exactingly thorough procedures that had been its hallmark during the Apollo program. An extensive and redundant safety program comprising interdependent safety, reliability, and quality assurance functions had existed during the lunar program to discover any potential safety problems. Between that period and 1986, however, the safety program had become ineffective. This loss of effectiveness seriously degraded the checks and balances essential for maintaining flight safety.

On April 3, 1986, Arnold Aldrich, the Space Shuttle Program manager, appeared before the Commission at a public hearing in Washington, D.C. He described five different communication or organization failures that affected the launch decision on January 28, 1986. Four of those failures related directly to faults within the safety program. These faults included a lack of problem reporting requirements, inadequate trend analysis, misrepresentation of criticality, and lack of involvement in critical discussions. A robust safety organization that was properly staffed and supported might well have avoided these faults, and thus eliminated the communication failures.

NASA had a safety program to ensure that the communication failures to which Mr. Aldrich referred did not occur. In the case of mission 51-L, however, that program fell short.

The Commission concluded that there were severe pressures placed on the launch decision-making system to maintain a flight schedule. These pressures caused rational men to make irrational decisions.

With the 1982 completion of the orbital flight test series, NASA began a planned acceleration of the space shuttle launch schedule. One early plan contemplated an eventual rate of a mission a week, but realism forced several downward revisions. In 1985, NASA published a projection calling for an annual rate of twenty-four flights by 1990. Long before the Challenger accident, however, it was becoming obvious that even the modified goal of two flights a month was overambitious.

In establishing the schedule, NASA had not provided adequate resources. As a result, the capabilities of the launch decision-making system were strained by the modest nine-mission rate of 1985, and the evidence suggested that NASA would not have been able to accomplish the fifteen flights scheduled for 1986. These were the major conclusions of a Commission examination of the pressures and problems attendant upon the accelerated launch schedule:

  1. The capabilities of the launch decision-making system were stretched to the limit to support the flight rate in winter 1985/1986. Projections into the spring and summer of 1986 showed a clear trend; the system, as it existed, would have been unable to deliver crew training software for scheduled flights by the designated dates. The result would have been an unacceptable compression of the time available for the crews to accomplish their required training.
  2. Spare parts were in critically short supply. The shuttle program made a conscious decision to postpone spare parts procurements in favor of budget items of perceived higher priority. Lack of spare parts would likely have limited flight operations in 1986.
  3. Stated manifesting policies were not enforced. Numerous late manifest changes (after the cargo integration review) had been made to both major payloads and minor payloads throughout the shuttle program.

Late changes to major payloads or program requirements required extensive resources (money, manpower, facilities) to implement. If many late changes to “minor” payloads occurred, resources were quickly absorbed. Payload specialists frequently were added to a flight well after announced deadlines.

Late changes to a mission adversely affected the training and development of procedures for subsequent missions.

  4. The scheduled flight rate did not accurately reflect the capabilities and resources.

The flight rate was not reduced to accommodate periods of adjustment in the capacity of the work force. There was no margin for error in the system to accommodate unforeseen hardware problems. Resources were primarily directed toward supporting the flights and thus not enough were available to improve and expand facilities needed to support a higher flight rate.

  5. Training simulators may have been the limiting factor on the flight rate: the two simulators available at that time could not train crews for more than twelve to fifteen flights per year.
  6. When flights came in rapid succession, the requirements then current did not ensure that critical anomalies occurring during one flight would be identified and addressed appropriately before the next flight.

CHAIN-OF-COMMAND COMMUNICATION FAILURE

The Commission also identified a communication failure within the reporting structure at both NASA and Thiokol. Part of the problem with the chain of command structure was the idea of the proper reporting channel. Engineers report only to their immediate managers, while those managers report only to their direct supervisors. Engineers and managers believed in the chain of command structure; they felt reluctant to go above their superiors with their concerns. Boisjoly at Thiokol and Powers at Marshall felt that they had done all that they could as far as voicing their concerns. Anything more could have cost them their jobs. When questioned at the Rogers Commission hearing about why he did not voice his concerns to others, Powers replied, “That would not be my reporting channel.” The chain of command structure dictated the only path that information could travel at both NASA and Thiokol. If information was modified or silenced at the bottom of the chain, there was not an alternate path for it to take to reach high-level officials at NASA. The Rogers Commission concluded that there was a breakdown in communication between Thiokol engineers and top NASA officials and faulted the management structure for not allowing important information about the SRBs to flow to the people who needed to know it. The Commission reported that the “fundamental problem was poor technical decision-making over a period of several years by top NASA and contractor personnel.”

Bad news does not travel well in organizations like NASA and Thiokol. When the early signs of problems with the SRBs appeared, Thiokol managers did not believe that the problems were serious. Thiokol did not want to accept the fact that there could be a problem with its boosters. When Marshall received news of the problems, it considered it Thiokol’s problem and did not pass the bad news upward to NASA headquarters. At Thiokol, Boisjoly described his managers as shutting out the bad news. He claims that he argued about the importance of the O-ring seal problems until he was convinced that “no one wanted to hear what he had to say.” When Lund finally decided to recommend delay of the launch to Marshall, managers at Marshall rejected the bad news and refused to accept the recommendation not to launch. As with any information going up the chain of command at these two organizations, bad news was often modified so that it had less impact, perhaps skewing its importance.30

On January 31, 1986, President Ronald Reagan stated:

The future is not free: the story of all human progress is one of a struggle against all odds. We learned again that this America, which Abraham Lincoln called the last, best hope of man on Earth, was built on heroism and noble sacrifice. It was built by men and women like our seven star voyagers, who answered a call beyond duty, who gave more than was expected or required and who gave it with little thought of worldly reward.

EPILOGUE

Following the tragic accident, virtually every senior manager that was involved in the space shuttle Challenger decision-making processes, at both NASA and Thiokol, accepted early retirement. Whether this was the result of media pressure, peer pressure, fatigue, or stress we can only postulate. The only true failures are the ones from which nothing is learned. Lessons on how to improve the risk management process were learned, unfortunately at the expense of human life.

On January 27, 1967, Astronauts Gus Grissom, Edward White, and Roger Chaffee were killed on board a test on Apollo-Saturn 204. James Webb, NASA’s Administrator at that time, was allowed by President Johnson to conduct an internal investigation of the cause. The investigation was primarily a technical investigation. NASA was fairly open with the media during the investigation. As a result of the openness, the credibility of the agency was maintained.

With the Challenger accident, confusion arose as to whether it had been a technical failure or a management failure. There was no question in anyone’s mind that the decision-making process was flawed. NASA and Thiokol acted independently in their response to criticism. Critical information was withheld, at least temporarily, and this undermined people’s confidence in NASA. The media, as might have been expected, began vengeful attacks on NASA and Thiokol.

30 “The Challenger Accident: Administrative Causes of the Challenger Accident” (Web site: http://www.me.utexas.edu~-uer/challengerchl3.html pages 8-9).

Following the Apollo-Saturn 204 fire, there were few changes made in management positions at NASA. Those changes that did occur were the result of a necessity for improvement and where change was definitely warranted. Following the Challenger accident, almost every top management position at NASA underwent a change of personnel.

How an organization fares after an accident is often measured by how well it interfaces with the media. Situations such as the Tylenol tragedy (subject of another case study in this volume) and the Apollo-Saturn 204 fire bore this out.

Following the accident, and after critical data were released, papers were published showing that the O-ring data correlation was indeed possible. In one such paper, Lighthall31 showed that not only was a correlation possible, but the real problem may be a professional weakness shared by many people, but especially engineers, who have been required to analyze technical data. Lighthall’s argument was that engineering curriculums might not provide engineers with strong enough statistical education, especially in covariance analysis. The Rogers Commission also identified this conclusion when they found that there were no engineers at NASA trained in statistical sciences.

Almost all scientific achievements require the taking of risks. The hard part is deciding which risk is worth taking and which is not. Every person who has ever flown in space, whether military or civilian, was a volunteer. They were all risk-takers who understood that safety in space can never be guaranteed with 100 percent accuracy.

QUESTIONS

Following are a series of questions categorized according to the principles of risk management. There may not be any single right or wrong answer to these questions.

Risk Management Plan

  1. Does it appear, from the data provided in the case, that a risk management plan was in existence?
  2. If such a plan did exist, then why wasn’t it followed–or was it followed?

31 Frederick F. Lighthall, “Launching The Space Shuttle Challenger: Disciplinary Deficiencies in the Analysis of Engineering Data,” IEEE Transactions on Engineering Management, vol. 38, no. 1 (February 1991), pp. 63-74.

  3. Is there a difference between a risk management plan, a quality assurance plan, and a safety plan, or are they the same?
  4. Would there have been a better way to handle risk management planning at NASA assuming sixteen flights per year, twenty-five flights per year, or as originally planned, sixty flights per year? Why is the number of flights per year critical in designing a formalized risk management plan?

Risk Identification

  5. What is the difference between a risk and an anomaly? Who determines the difference?
  6. Does there appear to have been a structured process in place for risk identification at either NASA or Thiokol?
  7. How should problems with risk identification be resolved if there exist differences of opinion between the customer and the contractors?
  8. Should senior management or sponsors be informed about all risks identified or just the overall “aggregate” risk?
  9. How should one identify or classify the risks associated with using solid rocket boosters on manned spacecraft rather than the conventional liquid fuel boosters?
  10. How should one identify or classify trade-off risks such as trading off safety for political acceptability?
  11. How should one identify or classify the risks associated with pressure resulting from making promises that may be hard to keep?
  12. Suppose that a risk identification plan had been established at the beginning of the space program when the shuttle was still considered an experimental design. If the shuttle is now considered as an operational vehicle rather than as an experimental design, could that affect the way that risks were identified to the point where the risk identification plan would need to be changed?

Risk Quantification

  13. Given the complexity of the Space Shuttle Program, is it feasible and/or practical to develop a methodology for quantifying risks, or should each situation be addressed individually? Can we have both a quantitative and qualitative risk evaluation system in place at the same time?
  14. How does one quantify the dangers associated with the ice problem?
  15. How should risk quantification problems be resolved if there exist differences of opinion between the customer and the contractors?
  16. If a critical risk is discovered, what is the proper way for the project manager to present to senior management the impact of the risk? How do you as a project manager make sure that senior management understand the ramifications?
  17. How were the identified risks quantified at NASA? Is the quantification system truly quantitative or is it a qualitative system?
  18. Were probabilities assigned to any of the risks? Why or why not?

Risk Response (Risk Handling)

  19. How does an organization decide what is or is not an acceptable risk?
  20. Who should have final say in deciding upon the appropriate response mechanism for a risk?
  21. What methods of risk response were used at NASA?
  22. Did it appear that the risk response method selected was dependent on the risk or on other factors?
  23. How should an organization decide whether or not to accept a risk and launch if the risks cannot be quantified?
  24. What should be the determining factors in deciding which risks are brought upstairs to the executive levels for review before selecting the appropriate risk response mechanism?
  25. Why weren’t the astronauts involved in the launch decision (i.e., the acceptance of the risk)? Should they have been involved?
  26. What risk response mechanism did NASA administrators use when they issued waivers for the Launch Commit Criteria?
  27. Are waivers a type of risk response mechanism?
  28. Did the need to maintain a flight schedule compromise the risk response mechanism that would otherwise have been taken?
  29. What risk response mechanism were managers at Thiokol and NASA using when they ignored the recommendations of their engineers?
  30. Did the engineers at Thiokol and NASA do all they could to convince their own management that the wrong risk response mechanism was about to be taken?
  31. When NASA pressed its contractors to recommend a launch, did NASA’s risk response mechanism violate their responsibility to ensure crew safety?
  32. When NASA discounted the effects of the weather, did NASA’s risk response mechanism violate their responsibility to ensure crew safety?

Risk Control

  33. How much documentation should be necessary for the tracking of a risk management plan? Can this documentation become overexcessive and create decision-making problems?
  34. Risk management includes the documentation of lessons-learned. In the case study, was there an audit trail of lessons learned or was that audit trail simply protection memos?
  35. How might Thiokol engineers have convinced both their own management and NASA to postpone the launch?
  36. Should someone have stopped the Challenger launch and, if so, how could this have been accomplished without risking one’s job and career?
  37. How might an engineer deal with pressure from above to follow a course of action that the engineer knows to be wrong?
  38. How could the chains of communication and responsibility for the Space Shuttle Program have been made to function better?
  39. Because of the ice problem, Rockwell could not guarantee the shuttle’s safety, but did nothing to veto the launch. Is there a better way for situations as this to be handled in the future?
  40. What level of risk should have been acceptable for launch?
  41. How should we handle situations where people in authority believe that the potential rewards justify what they believe to be relatively minor risks?
  42. If you were on a jury attempting to place liability, whom would you say was responsible for the Challenger disaster?

SOURCE: WWW.ROYALRESEARCHERS.COM