Notes on Challenger Disaster

1
Notes on Challenger Disaster

• Stephen Scott
• March 12, 2003

2
Background

• Shuttle propelled by two types of engines
• Two Solid Rocket Boosters (SRBs) generate 3.3M
  lbs. thrust at launch using solid fuel
• Used during launch and up to 220000 feet then
  detach and parachute to Earth for reuse
• Once started, cannot be shut off
• SRB failure caused the Challenger explosion
• Liquid Fuel Engine (SSME) used to establish and
  maintain orbit
• Most liquid fuel in external fuel tank
• This engine had its own problems (see Feynman)

3
What Went Wrong?

• SRB consists of segments that join together
• Zinc chromate putty seals hot (5800º F) gases
  inside
• Backed up by two O-rings
• Designed to deform as pressure increases to seal
  openings
• About a year before Challenger, Boisjoly
  discovered that primary O-ring was letting gas
  escape
• Later, the secondary O-ring showed problems as
  well

4
What Went Wrong? (contd)

• O-ring problems exacerbated by cold weather
• Boisjoly and other engineers brought this up
  were mostly ignored by MTI and NASA management
• Launch had already been significantly delayed
• Generally, NASA wanted to increase launch rate
• Historically problematic due to frequent late
  payload changes and long astronaut training times
• So NASA and MTI management significantly
  downplayed risk 1 in 100,000 vs 1 in 100
• January 28, 1986 was a particularly cold morning
  at the launch site (18º F) . . .

5
What Happened Next

• Investigation by a Presidential Commission
• NASA tried to downplay the cold weather problems
  (blame it on assembly problems)
• MTI distorted the facts of the telecon
• Boisjoly and Al McDonald greatly suffered at work
  as a result of their honest testimony that
  contradicted NASA and MTI
• Boisjoly later left MTI
• Commission found serious safety flaws in SRB,
  SSME, and (most importantly) management
• MTI and managers went essentially unpunished

6
Epilogue
Engineers have a responsibility that goes far
beyond the building of machines and systems. We
cannot leave it to the technical illiterates, or
even to literate and overloaded technical
administrators to decide what is safe and for the
public good. We must tell what we know, first
through normal administrative channels, but when
these fail, through whatever avenues we can find.
Many claim that it is disloyal to protest.
Sometimes the penalty disapproval, loss of
status, even vilification--can be severe. Today
we need more critical pronouncements and
published declarations by engineers in high
professional responsibilities. In some instances,
such criticism must be severe if we are properly
to serve mankind and preserve our freedom. Hence
it is of the utmost importance that we maintain
our freedom of communication in the engineering
profession and to the public. The decades ahead
are bound to be a critical and difficult period
and there will be occasions for sharp dissent and
strong words if we are to meet our
responsibilities. Adolph J. Ackerman,
"Engineering Ethics and the Challenger Accident,"
1986
7
Epilogue (contd)
For a successful technology, reality must take
precedence over public relations, for nature
cannot be fooled. Dr. Richard P. Feynman
More than 20 years ago I received some superb
advice from a QA manager that I have applied
throughout my career. He told me to ask myself
the following question when faced with a tough
question of whether a product was acceptable
"Would you allow your wife or children to use
this product without any reservations?" If I
could not answer that question with an
unqualified, "Yes," he said, I should not sign
off on the product for others to use. That is
what ethical analysis of acceptable risk should
be. Roger Boisjoly