CASE STUDY

SPACE SHUTTLE CHALLENGER

January 28, 1986
THE ORBITER:
The orbiter of the Challenger had three main
engines fuelled by liquid hydrogen. The fuel was
carried in an external fuel tank which was jettisoned
when empty. During lift-off, the thrust was provided by
the two booster rockets. These booster rockets are of
the solid fuel type, each burning a million pound load
of aluminum, potassium chloride and iron oxide.
THE SOLID ROCKET BOOSTER:
The casing of each booster rocket is about 150 feet
long and 12 feet in diameter. This consists of cylindrical
segments that are assembled at the launch site. There
are four-field joints and they use seals consisting of pairs
of O-rings made of vulcanized rubber. The O-rings work
with a putty barrier made of zinc chromate.
 The engineers were employed with Rockwell
International (manufacturers for the orbiter and main rocket),
Morton-Thiokol (maker of booster rockets), and they worked
for NASA. After many postponements, the launch of Challenger
was set for morning of Jan 28, 1986. Allan J. McDonald was an
engineer from Morton-Thiokol and the director of the Solid
Rocket Booster Project. He was skeptic about the freezing
temperature conditions forecast for that morning, which was
lower than the previous launch conditions.

Arnold Thompson and Roger Boisjoly, the seal

experts at MT explained to the other engineers how the
booster rocket walls would bulge upon launch and combustion
gases can blow past the O-rings of the field joints
THE REASONS FOR FAILURE:
• On many of the previous flights the rings have been found to
have charred and eroded.
• From the past data gathered, at temperature less than 65 °F
the O-rings failure was certain. But these data were not
deliberated at that conference as the launch time was fast
approaching.
• The engineering managers Bob Lund and Joe Kilminster
agreed that there was a safety with temperature less than 53
°F.
• The managers told Bob Lund “to take-off the engineering hat
and put on your management hat”. The judgment of the
engineers was not given weightage.
• The inability of these engineers to substantiate that the
launch would be unsafe was taken by NASA as an approval by
Rockwell to launch.
• At 11.38 a.m. the rockets along with Challenger rose up the
sky. At 76 seconds into the flight, the Challenger at a height of
10 miles was totally engulfed in a fireball.
Moral/Normative Issues:
1. The crew had no escape mechanism. An abort
module to allow the separation of the orbiter,
triggered by a field-joint leak was proposed.
But such a ‘safe exit’ was rejected as too
expensive.
2. The crew were not informed of the problems
existing in the field joints. The principle of
informed consent was not followed.
3. Engineers gave warning signals on safety. But
the management group prevailed over and
ignored the warning.
Conceptual Issues:
1. NASA counted that the probability of failure
of the craft was one in one lakh launches. But
it was expected that only the 100000th launch
will fail.
2. There were 700 criticality-1 items, which
included the field joints. A failure in any one of
them would have caused the tragedy. No
back-up or stand-bye had been provided for
these criticality-1 components.
Factual/Descriptive Issues:
1. Field joints gave way in earlier flights. But the
authorities felt the risk is not high.
2. NASA has disregarded warnings about the bad
weather, at the time of launch, because they
wanted to complete the project, prove their
supremacy, get the funding from Government
continued and get an applaud from the President
of USA.
3. The inability of the Rockwell Engineers
(manufacturer) to prove that the lift-off was
unsafe. This was interpreted by the NASA, as an
approval by Rockwell to launch.
SAFETY LESSONS FROM ‘THE CHALLENGER’:
The safety lessons one can learn in the Challenger case
are as follows:
1. Negligence in design efforts. The booster rocket casing
recovered from earlier flights indicated the failure of
filed-joint seals. No deign changes were incorporated.
Instead of two O-rings, three rings should have been
fixed.
2. Tests on O-rings should have been conducted down to
the expected ambient temperature.
3. NASA was not willing to wait for the weather to
improve. The weather was not favorable on the day of
launch.
4. The final decision making of launch or no-launch
should have been with the engineers and not on the
managers. Engineers insisted on ‘safety’ but the
managers went ahead with the ‘schedule’.
5. Informed consent: The mission was full of dangers. The
astronauts should have been informed of the probable
failure of the O-rings (field joints). No informed
consent was obtained, when the engineers had
expressed that the specific launch was unsafe.
6. Conflict of interest (Risk Vs. Cost): There were 700
criticality-1 items, which included the field joints. A
failure in any one of them would have cause the
tragedy. No back-up or standbye had been provided for
these criticality-1 components.
7. Escape mechanism or ‘safe exit’ should have been
incorporated in the craft. An abort module to allow the
separation of the orbiter, triggered by a field-joint leak
was proposed. But such a ‘safe exit’ was rejected as too
expensive.
8. Engineers who act ethically should be awarded and
encouraged to report to appropriate agency , their
views in the interest of public safety.
Three-Mile Island,Power Plant Unit-2,
U.S.A.
Mar. 1979

The Nuclear Power Plant had a Pressurised Water

Reactor System.
• The Demineraliser(12) cleans the condensate. A failure of
demineraliserled to closure of outlet valve(12) to steam generator.
• The reactor Pressure increased to very high level and opened Pressure
relieve valve(6) and lowered the control rods into the reactor core to stop
the fission process.
• When pump (14) failed, the steam generator (3) went dry. So, heat was
not removed from the reactor.
• Water was pouring out at 220 gallons/min but reactor has not cooled
down. Pump(16) was started to fill the reactor
• pumps were started to refill water reactor core.
• now too much of water in the reactor
• reactor fuel rods began to break into pieces
• chemical reaction between steam and the Zinc
alloy fuel elements produced Hydrogen
• accumulation of Hydrogen caused the explosion
of the structure.
• Radiation levels in the building increased and
sound alarm blew nobody was there to take
actions to quench
• somehow people escaped without any loss of
human lives and after 13 hours, the reactor was
put under control.
 Chernobyl, Near Kiev, Russia
(April 1986)

The RBMK (Acronym for water cooled and graphite

moderated) reactors were graphite moderated and
they use water tubes.
 A test on the turbine generator was planned
to be conducted during a scheduled plant shut-
down maintenance. To conduct the test, the
power plant output was reduced to 700 MW. But
due to a sudden and unexpected demand, the
power output has to be raised.
1. To go ahead with the test, the reactor operators
had already disconnected the emergency core-
cooling system, ignoring the raise in demand
situation.
2. Further, a control device was not properly
reprogrammed to maintain power at 700-100
MW level
3. The test was conducted at 200 MW power out-
put which is very low for the test. They should
have shut down the reactor.
4. The operators blocked all emergency signals and
automatic shut-down controls, thus all safety systems
were disconnected.
5. The operators raised control rods to increase power
output and tried to continue the test. This made the
reactor unsafe. The temperature of RBMK reactor
increased and the fission rate increased.
6. The test should have been postponed but continued.
The reactor core melted and due to the Hydrogen
accumulation, the reactor caught fire and the
radioactive waste began to spread out in USSR and also
Europe.
The people living around were informed after a
few hours and were evacuated 12 hours after the
explosion. More than 30 workers in the complex lost
their lives, while 200 workers sustained burns. About
8000 people lost their lives. The agricultural products
were affected due to contaminated radioactive water,
for several years.
 Safety Lessons From TMI and
Chernobyl
1. The thickness of the containment should be
more, to withstand the possible explosion and
further damage due to radiation and leakage
over the surroundings (Chernobyl).
2. When the test began at low loads, the
demand for increased outpower should have
been declined.