FVB21602

ENGINEERING ETHICS

ASSIGNMENT 1

TOPIC: NASA CHALLENGER DISASTER

STUDENT NAME : NURIN AFIQAH SOLEHAH BADARISKON

ID NUMBERS : 50226223024

CLASS :M

LECTURER’S NAME : ASSOCIATE PROF. TS. DR. AHMAD YASIR MD SAID

1.0 STUDY BACKGROUND OF THE ACCIDENT

NASA‘s Space Shuttle Challenger originally was scheduled for launch at January 22,
1986. A seven-crew member was assigned to this mission., Commander Ricard Scobee, Pilot
Michael Smith, Mission Specialist Ellison Enizuka, Judith Resnik and Ronald McNair were
astronauts, Gregory Jarvis, an aerospace engineer and Christa McAuliffe a teacher from New
Hampshire, were payload specialists. Challenger would be the first launch of 1986.

The first shuttle lift-off scheduled from Pad B, STS-51L was beset by delays. Launch was
originally set for 3:43 p.m. on 23 January 1986, slipped to Jan. 23, then Jan. 24, due to delays
in mission 61-C. The launch was postponed another day when launch processing was unable
to meet the new morning lift-off time. Prediction of unacceptable weather at Kennedy Space
Center (KSC) led to the launch being rescheduled for 9:37 a.m. EST, Jan. 27. The launch was
delayed 24 hours again when the ground servicing equipment hatch closing fixture could not
be removed from the orbiter hatch. The fixture was sawed off and an attaching bolt drilled out
before closeout was completed.

During the delay, cross winds exceeded return-to-launch-site limits at KSC's Shuttle
Landing Facility. The launch on Jan. 28, 1986 was delayed two hours when a hardware
interface module in the launch processing system, which monitors the fire detection system,
failed during liquid hydrogen tanking procedures. The launch date was delayed several times
due to the weather conditions. They cannot launch the Space Shuttle Challengers if the
temperature was below than 53°F. On the day they launched the temperature of Central Florida
was 37°F which is very low.

On January 28, 1986, the Space Shuttle Challenger broke apart 73 seconds into its flight,
killing all seven crew members aboard. The spacecraft disintegrated 46,000 feet (14 km) above
the Atlantic Ocean, off the coast of Cape Canaveral, Florida, at 11:39 a.m. EST (16:39 UTC).
It was the first fatal accident involving an American spacecraft in flight.

The immediate cause of the explosion was a burn through of one of the O-rings on one of
the solid rocket boosters. This caused the solid rocket (steel) wall to fail at the burn through
point. The solid rocket then pivoted into the large external tank causing a release of hydrogen
which underwent a deflagration leading to the Shuttle Challenger being ripped apart at altitude.
2.0THE ROOT OF THE CAUSE

Figure 1: Configuration of the Shuttle

The airplane-like craft (with the tail fin) shown in figure 1 is the “Orbiter.” The Orbiter
contains the flight crew, and it was 60 feet (18.288m) long and 15 feet (4.572m) to hold cargo
such as communications satellites to be launched into orbit, an autonomous Spacelab to be used
for experiments in space, or satellites already orbiting that have been retrieved for repairs.

Before launch, the Orbiter is attached to the large [154 feet (46.9392m) long and 27 1/2
feet (8.382m) in diameter]. The External Tank was at the centre of cylinder with the sharp-
pointed end shown in the figure 1. The tank contains 143,000 gallons (54131.389l) of liquid
oxygen and 383,000 (1449812.71l) gallons of liquid hydrogen for the Orbiter's engines. The
two smaller cylinders on the sides of the External Tank are the Solid Rocket Boosters (SRBs).
The SRBs contain solid fuel, rather than the liquid fuel contained by the External Tank.
 2.1 O-Rings

Figure 2: The cut away view of the SRB

The proximate cause the leakage of two rubber O rings in a segmented solid rocket booster.
The rings have lost their ability to stop hot gas blow by-by because on the day of launch they
were cold (estimated at 20°F, below freezing). The ambient temperature at launch was in the
low 30s.

The failure of the solid rocket booster O-rings to seat properly allowed hot combustion
gases to leak from the side of the booster and burn through the external fuel tank. The failure
of the O-ring was attributed to several factors, including faulty design of the solid rocket
boosters, insufficient low-temperature testing of the O-ring material and problem joints at the
O-ring sealed, and lack of communication between different levels of NASA management.

Figure 3: Location of the Problematic Aft Field Joint

 2.1.1 Problems of Joint Seal
In 1973, of Thiokol’s contract to develop the Solid Rocket Motor (SRM), problems arose
with the joints. The Thiokol design for the SRM was based on the Air Force’s Titan III, one of the
most reliable solid-fuel rockets produced up to that time. The SRM was larger than the Titan’s
motor and had to be designed for refurbishment and repeated use. One particular area in which the
two motors differed was the field joints, and Thiokol’s initial design for the SRM field joints
worried engineers at the Marshall Space Flight Centre, who were responsible for monitoring
Thiokol’s contract.

Many modifications and reviews of the design ensued, and Thiokol and Marshall finally
began various load tests in 1976. Early tests were successful and gave engineers confidence. In an
important test in 1977, the joint seals surprised the engineers by exhibiting “joint rotation,”
illustrated in Figure 4 of particular concern is the loss of redundancy in the design because not just
the primary but also the secondary O-ring is rendered ineffective if the gap opens sufficiently.

Figure 4: Cross Section of Field Joint

Solid Rocket Motor cross section shows positions of tang, clevis and O-rings. Putty
lines the joint on the side towards the propellant. Figure 4 showed how the upper SRM segment
in a field joint is connected to the lower segment by a pin passing through the “tang” (the
tongue on the upper segment) and the “clevis” (the U-shaped receptacle cut in the lower
segment). 177 such steel pins are inserted around the circumference of each joint.
 2.1.2.1 Before Launching of Challenger
During the night, temperatures dropped to as low as 8°F, much lower than had been
anticipated. In order to keep the water pipes in the launch platform from freezing, safety
showers and fire hoses had been turned on. Some of this water had accumulated, and ice had
formed all over the platform. There was some concern that the ice would fall off the platform
during launch and might damage the heat resistant tiles on the shuttle.

The ice inspection team thought the situation was of great concern, but the launch
director decided to go ahead with the countdown. Note that safety limitations on low
temperature launching had to be waived and authorized by key personnel several times during
the final countdown. These key personnel were not aware of the teleconference about the solid
rocket boosters that had taken place the night before.

2.1.2.2 During Launching of Challenger

At launch, the impact of ignition broke loose a shower of ice from the launch platform.
Some of the ice struck the left-hand booster, and some ice was sucked into the booster nozzle
itself by an aspiration effect. Although there was no evidence of any ice damage to the Orbiter
itself, NASA’s analysis of the ice problem was wrong.

The booster ignition transient started six hundredths of a second after the igniter fired.
The aft field joint on the right-hand booster was the coldest spot on the booster, it is about 28°F
(-2.2°C). The booster's segmented steel casing ballooned and the joint rotated, expanding
inward as it had on all other shuttle flights.

Immediately after solid rocket motor ignition, dark smoke (arrows) swirled out between
the right hand booster and the External Tank. The smoke's origin, behaviour and duration were
approximated by visual analysis and computer enhancement of film from five camera locations.
Based on Figure 5, the smoke was first discernible at .678 seconds Mission Elapsed Time in
the vicinity of the right booster's aft field joint.
 Figure 5: Black smoke appeared upwards from the joint.

It recorded between .836 and 2.500 seconds the blacker smoke appeared. The smoke
appeared to puff upwards from the joint. While each smoke puff was being left behind by the
upward flight of the Shuttle, the next fresh puff could be seen near the level of the joint. The
multiple smoke puffs on the right-hand booster. Computer graphics applied to NASA photos
from a variety of cameras in this sequence again placed the smoke puffs' origin in the 270- to
310-degree sector of the original smoke spurt.

Figure 6: Multiple smoke came out from right handed booster

Multiple smoke puffs are visible in Figure 6. They began at .836 seconds and continued
through 2.500 seconds, occurring about 4 times a second. Upward motion of the vehicle caused the
smoke to drift downward and blur into a single cloud. Smoke source is shown in the computer-
generated drawing (far right).
 2.1.2.3 After Launching of Challenger
The primary O-ring was too cold to seat properly, the cold-stiffened heat resistant putty
that protected the rubber O-rings from the fuel collapsed, and gases at over 5000°F (2760°C)
burned past both O-rings across seventy degrees of arc. Eight hundredths of a second after
ignition, the shuttle lifted off. Engineering cameras focused on the right-hand booster showed
about nine smoke puffs coming from the booster aft field joint. Before the shuttle cleared the
tower, oxides from the burnt propellant temporarily sealed the field joint before flames could
escape.

Figure 7 Figure 8 Figure 9

Figure 7,8 and 9: The First Flicker of Flame Appeared

At 58.788 seconds, the first flicker of flame appeared. Barely visible above, it grew into a
large plume and began to impinge on the External Tank at about 60 seconds. Flame is pinpointed
in the computer drawing between the right booster and the tank, as in the case of earlier smoke
puffs. At far right (arrow), vapor is seen escaping from the apparently breached External Tank.

Figure 10: Rupture of Liquid Hydrogen and Liquid Oxygen Tank

Camera views indicate the beginning of rupture of the liquid hydrogen and liquid oxygen
tanks within the External Tank. A small flash (arrows above) intensified rapidly, then diminished.
 Figure 11: The Challenger Figure 12: The Challenger
Exploded Shattered

Structural breakup of the vehicle began at approximately 73 seconds.

Shattered on theFire spread very
rapidly. Above at right, a bright flash (arrow) is evident near the nose the Orbiter, suggesting
Space
spillage and ignition of the spacecraft's reaction control system propellants. At left, the two Solid
Rocket Boosters thrust away from the fire, crisscrossing to from a “V.”

At Figure 12 about 76 seconds, unidentifiable fragments of the Shuttle vehicle can be seen
tumbling against a background of fire, smoke and vaporized propellants from the External Tank
(left).

Figure 13: The Booster Soars Away

In the photo at right, the left booster (far right) soars away, still thrusting. The reddish-
brown cloud envelops the disintegrating Orbiter. The color is characteristic of the nitrogen
tetroxide oxidizer in the Orbiter Reaction Control System propellant.
 3.0 ETHICAL ISSUES FOR THIS INCIDENT

3.1 Ethical issue: Did Thiokol knowingly take extra risks because of fear of losing
its contract with NASA?
Shortly before the Challenger launch, word came out that NASA was seeking a second
source to supply the SRMs. NASA’s actions were taken not out of dissatisfaction with
Thiokol’s performance but instead “resulted from lobbying by Thiokol’s competitors for a
piece of NASA’s solid rocket market and from desires by Congress to ensure a steady supply
of 31

3.2 Ethical issue: Did NASA knowingly take extra risks because of pressure to
maintain Congressional funding?
To sell the Space Shuttle program to Congress initially, NASA had promised that
Shuttle flights would become thoroughly routine and economical. Arguing that the more flights
taken per year the more routinization and economy would result, NASA proposed a highly
ambitious schedule—up to 24 launches per year (Report to the President 1986, vol. 1, p. 164).
But as work on the program proceeded, NASA encountered many delays and difficulties.

Concern was voiced in Congress, and NASA officials were worried about continued
budget support. To show Congress that progress was being made, NASA planned a record
number of launches for 1986. The January Challenger launch was to be the first launch of the
year, but unfortunately it was a NASA’s further embarrassment. The launch of the Shuttle
Columbia scheduled for the previous December was delayed a record seven times (for various
reasons, including weather and hardware malfunctions), and finally launched on January 12,
1986, necessitating Challenger’s launch date be set back.

Thus NASA managers were undeniably under pressure to launch without further
delays, a public-relations success was badly needed. This pressure led to managerial
wrongdoing, charged John Young, Chief of NASA’s Astronaut Office, in an internal NASA
memo dated March 4, 1986: “There is only one driving reason that such a potentially dangerous
system would ever be allowed to fly—launch schedule pressure.” (Exploring the Unknown
1999, p. 379). Young’s memo was written more than a month after the disaster, so concerns
about the retrospective fallacy arise. In any event, the question is, “Did pressure to meet an
ambitious launch schedule cause NASA to take risks that otherwise would not have been
taken?”
The question is difficult to answer with certainty, but three distinct points can be made:

1) Regardless of ethical considerations

Risking disaster by launching under unsafe conditions simply would have been a bad
gamble. Imagine a NASA manager weighing the costs and benefits of risking the flight crew’s
lives to make the launch schedule. His calculation of the costs would include the probability of
detection of his misconduct if something went wrong. But this situation was not analogous to
a dishonest manufacturer’s substituting a lower-quality component in an automobile with over
20,000 components; the probability of detection might be low. But if something went wrong
with a launch, the probability of detection was 100%. The manager’s career would be finished,
and he might face criminal charges. Adding this cost to the cost in moral terms of the death of
the crew and the cost of suspension of the entire program for many months or even years would
give a total cost so large that any rational manager would have judged the risk to far outweigh
the reward.

2) The context of Marshall manager Larry Mulloy’s remark

“My God, Thiokol, when do you want me to launch, next April?”, must be considered.
In the words of Marshall’s Larry Wear, “Whether his choice of words was as precise or as good
or as candid as perhaps he would have liked for them to have been, I don’t know. But it was
certainly a good, valid point, because the vehicle was designed and intended to be launched
year-round.

There is nothing in the criteria that says this thing is limited to launching only on warm
days. And that would be a serious change if you made it. It would have far reaching effects if
that were the criteria, and it would have serious restriction on the whole shuttle program. So
the question is certainly germane, you know, what are you trying to tell us, Thiokol? Are we
limited to launching this thing only on selected days? The briefing, per se, was addressing this
one launch, 51-L. But if you accept that input for 51-L, it has ramifications and implications
for the whole 200 mission model, and so the question was fair. (quoted in Vaughan 1996, p.
311)
 3) Presidential Commission’s report

Even though Presidential Commision report described at great length the pressure on
NASA to maintain an ambitious launch schedule, the report did not identify any individual who
ranked budgetary reasons above safety reasons in the decision to launch. Furthermore,
“NASA’s most outspoken critics Astronaut John Young, Morton Thiokol engineers Al
McDonald and Roger Boisjoly, NASA Resource Analyst Richard Cook, and Presidential
Commissioner Richard Feynman, who frequently aired their opinions to the media did not
accuse anyone of knowingly violating safety rules, risking lives on the night of January 27 and
morning of January 28 to meet a schedule commitment.

Even Roger Boisjoly had no ready answer on this point. “Why Marshall managers
would respond to production pressures by proceeding with a launch that had the potential to
halt production altogether, he was stymied. Boisjoly thought for a while, then responded, ‘I
don’t know.’The evidence that NASA management violated rules, launching the Challenger
for the sake of the Shuttle Program’s continued economic viability was not very convincing.
Hardy’s statement that ‘No one in their right mind would knowingly accept increased flight
risk for a few hours of schedule’ rang true.” (Vaughan 1996, pp. 55-56)

After the disaster, other charges appeared in the media. The President’s State of the
Union address was scheduled for the evening of the 28th, and critics charged that the White
House had intervened to insist that the launch occur before the address so that the President
could refer to the launch and perhaps even have a live communication connection with the
astronauts during the address or perhaps the White House had intervened to ensure that Christa
McAuliffe a high-school teacher who had been included in the flight crew would be able to
conduct and broadcast her Teacher in Space lessons during the week when children would be
in school. If true, these charges would have indicated a clear ethical lapse on the part of NASA
management, because they would have violated their duty to make public safety their primary
concern. But an extensive investigation by the Presidential Commission did not find evidence
to support the charges.
4.0 WHO IS/ARE THE CULPRITS?

4.1 NASA [Larry Mulloy (Manager of Solid Rocket Booster)]

[George Hardy (NASA Deputy Director)]
At some point in the launch process, NASA management made an independent decision
to waive previously established launch constraints designed to assure flight safety. Basic
principles of risk oversight make it imperative that both the establishment of project
compliance checks and balances, and decisions to override them, are subject to review by
higher levels of management.

4.2 Right Hand, Left Hand Problems

Senior launch officials were unaware of key warnings expressed by others. The most
recent problem with the O-Rings, a contractor’s recommendation not to launch below 53
degrees. The similar warnings of project engineers and the manufacturer’s concerns with
launchpad ice. Project information flow must provide decision-makers with access to the
perspectives of all meaningful project participants.

4.3 Engineer [Morton-Thiokol Inc. (MTI, Company Manufacturing O-ring)]

[Roger Boisjoly (O-ring Specialist)]

[Arnold Thompson (Engineer)]

[Allen McDonald (Project Supervisor of Solid Fuel Rocket)]

[Jerry Mason (Senior VP & GM)]

[Joe Kilminster (VP of Space Booster)]

When the manufacturer didn’t tell NASA not to launch, it warned that the impact of
launchpad ice on the shuttle was an unknown condition and that the risk of ice striking the
shuttle was a potential flight safety hazard. Yet NASA proceeded. Effective risk management
depends on the ability to identify, process and consider signs and indicators that can be critical
to project success.
5.0 OPINION HOW TO AVOID THIS ACCIDENT

One of the possible solutions is to flatten the organizational hierarchy and establish a
network organization, which has proved to be a useful structure. NASA management should
not make important decisions that could put their jobs at risk. They should be more responsible
on the seven-crew life.

Secondly, engineers should be able to get their ideas across to the government and exert
an impact on the decision-making process. Moreover, there should be a way for them to bypass
formal bureaucratic procedures in special cases. What concerns technical advice, the Rogers
Commission proposed NASA to create some escape systems. Such systems could allow
astronauts to jump out of a shuttle before the crash and survive.

Thirdly, NASA management should not take the engineer’s opinion lightly. Life is not
something that we can buy, so that, the management needs to calculate the consequences. If
the space shuttle was not able to launch due to minor risk, it should not launch. So that, they
can take their time to figure out on what the problem was. If this application have been applied,
than the life of seven crew members will be different today.

NASA considered several different options, including ejector seats, tractor rockets and
bailing out through the bottom of the orbiter. The ejector seat is one of the most complex
systems installed in the aircraft. It is the last chance to provide the crew for a save exit out of
the aircraft in case of a severely damaged aircraft or an accident.

If the pilot is not in a correct position before firing it could cause severe injury or even
cause death. So the pilot should attend the training of the procedures, how the pilot should be
positioned before pulling the handle, is essential for survival. Knowing when to eject is just as
important as how to eject.
6.0 LESSON LEARN

One of the most important lessons is the unfortunate loss of human life due to the pursuit
of something never done before. NASA was and is a pioneer at the at the edge of technology.
If we really think about it, NASA is sending vehicles to space and doing something that no one
has ever done before. This amazing feat does come at a price, but the price should be in the
form of cost, resources and manpower but not at the expense of human life.

Furthermore, incident vs accident is another lesson that we should take away from this
case study. There is a big difference between incident and accident. In the review of the case
study it is proposed that the Challenger space shuttle could have been avoided or predicted if
NASA had followed the proper managemental and ethical procedures. Therefore, we can
conclude that the Challenger space shuttle disaster was an incident and not an accident. An
accident would be if the space shuttle would fail due to unforeseen circumstances, but the
shuttle failed to a known critical issue that was not addressed properly.

People, engineers and management became used to having successfully missions and
had positive feeling about future expectations. NASA’s mentality about the space program
went from “prove to me that it is safe” to “prove to me that it is not safe”. This mentality proven
to be deadly and the lesson here is that we cannot take safety for granted. All repetitive actions
and projects must be treated as new ones with emphasis on safety.
7.0REFERENCES

• https://onlineethics.org/cases/engineering-ethics-cases-texas-am/space-shuttle-
challenger-disaster
• https://www.studocu.com/row/document/university-of-south-australia/jazz-
studies-200/case-study-the-space-shuttle-challenger-disaster/9382092
• https://studycorgi.com/the-review-of-the-challenger-disaster/
• https://www.theguardian.com/commentisfree/2020/oct/16/challenger-disaster-
american-netflix-space-shuttle
• https://www.simscale.com/blog/space-shuttle-challenger-disaster/