“We expected [the shuttle] to blow [while we were] in the tower. It happened 73 seconds later.”
Launched on January 28th, 1986, the 10th mission of the space shuttle Challenger was very much in the public eye. The crew included Christa McAuliffe, a high school teacher who was to be the first non-astronaut launched into space for NASA’s “Teacher in Space” project. In the weeks leading up to the launch, the media reported daily on the mission and made McAuliffe a household name.
Thousands of spectators gathered around Cape Canaveral to watch the launch, including McAuliffe’s husband and family and hundreds of her students, colleagues, and friends. CNN was the only television network to carry the launch live, but other networks had recorded the launch for later broadcast. NASA provided a live feed of the mission to many primary and secondary schools around the world.
Yet only 73 seconds after launch, the Challenger exploded and broke into several flaming pieces before plummeting into the ocean below, killing all seven crew members before the eyes of the watching crowds. News channels later replayed scenes of the explosion and of the horrified expressions of the witnesses. It was the worst disaster in the history of the U.S. Space Program.
Causal Factor of the Disaster
Defective O-Ring seals in the solid rocket boosters (SRBs). The main investigators of the disaster reported “the specific failure was the destruction of the seals that are intended to prevent hot gases from leaking through the joint during the propellant burn of the rocket motor.” Engineers from both the contractor and NASA were aware of concerns regarding erosion and gas blowby (a failure in which a gap allows gas to escape the O-ring seal) at the O-ring seals in cold-weather conditions.
Disregarded safety warnings and acceptance of unsafe design. Both NASA engineers and contractor engineers warned NASA management about the defects in the O-rings for almost 10 years prior to the disaster, but the warnings went unanswered and unheeded. Thiokol engineers and management particularly warned against the Challenger launch on January 28th, 1986 because of the cold weather, but NASA leadership refused to postpone and effectively bullied the contractor into signing a recommendation to launch.
Cold temperature launch conditions. The launchpad, spacecraft, and launch assembly had iced over during the night of January 27th (the night before the launch), and it was only 53 degrees Fahrenheit at the time of launch.
Effects of the Disaster
Only 73 seconds after launch, at 46,000 feet and at a speed of Mach 1.92, the Challenger was engulfed in flames, and the launch assembly broke into several sections. Burning wreckage plummeted down to the ocean below and continued falling for more than an hour, hindering search and rescue efforts. Less than three minutes after it broke up, the Challenger struck the ocean surface at around 200 miles per hour. There was no egress or escape plan for the crew.
In response to the disaster, the U.S. government commissioned an investigation chaired by William P. Rogers, a former secretary of state, which became known as the Rogers Commission. The Commission uncovered a long history of concerns and cover-ups over defects in the SRB nozzle O-rings.
In 1973, NASA selected Thiokol as the primary contractor to develop and build the SRBs for the space shuttle program because “the cost per flight to be expected from a Thiokol-built motor would be the lowest.” This was largely due to an innovative design calling for dual O-rings and test ports between seals, allowing for simpler pressure tests and less test and maintenance activity at the launch site.
Tests conducted in 1977 revealed a high amount of O-ring erosion and instances of gas blowby, which engineers noted could cause a catastrophic premature explosion of the nearly 1.6 million pounds of liquid hydrogen and oxygen on the SRB–the exact cause of the Challenger explosion. Thiokol engineers reported these findings to NASA, whose engineers demanded a redesign of the O-ring seals. Several internal memos from SRB engineers to NASA management condemned the Thiokol O-ring design as “completely unacceptable,” but those memos went unanswered. Although later static motor tests in both 1978 and 1980 also exhibited O-ring problems. NASA headquarters confirmed certification of the SRBs in 1980, believing “the secondary O-ring would pressurize and seal if the primary O-ring did not.”
Thiokol engineers also concluded that the seals were unsafe. In 1985, one engineer wrote a memo to Thiokol management warning that “catastrophe of the highest order–loss of human life” was possible due to O-ring erosion. He continued, “it is my honest and very real fear that if we do not take immediate action to solve the problem [the company could] stand in jeopardy of losing a flight.” Several other Thiokol engineers also advocated a total redesign of the nozzle seals but were ignored by their managers.
Problems with the O-rings continued to occur. A 1981 Shuttle mission experienced erosion of the primary O-ring. The recovered SRMs of the January 1985 launch, during which the temperature was a relatively low 53 degrees Fahrenheit, showed evident seal erosion and gas blowby. In a May 1985 test, months before the Challenger disaster, there was a loss of the primary O-ring seal and erosion of the secondary O-ring.
During any shuttle launch, NASA protocols required that each contractor participating in the mission have a senior manager present at the launch to provide expertise and sign off on the launch decision. On the night prior to the Challenger launch, the Thiokol engineer on site, Allan McDonald, recommended that the launch be postponed due to concern about O-ring performance in the cold weather. NASA’s project manager ignored the recommendation and asked McDonald to sign his agreement to the scheduled launch.
McDonald refused. NASA contacted Thiokol’s headquarters, and the managers at Thiokol initially supported McDonald’s recommendation. NASA leadership then demanded the contractor justify their recommendation on a conference call two hours later and bullied Thiokol on the call itself until Thiokol agreed to fax in a sign-off from their executives. The company’s general manager reportedly told the other signees, “It’s time to take off your engineering hats and put on your management hats,” and the company signed off on the launch. McDonald, the Thiokol engineer on-site at the launch, later told the Commission, “We expected [the shuttle] to blow [while we were] in the tower. It happened 73 seconds later.”
After the Challenger accident, shuttle flights were suspended until after the results and recommendations of the Rogers Commission investigation. At the Commission’s recommendation, NASA pursued a total redesign of the space shuttle’s solid rocket boosters, which was monitored by an independent oversight group as the Commission had required. Thiokol agreed to “voluntarily accept” a $10m monetary penalty in exchange for immunity from legal liability for the disaster. NASA also created a new Office of Safety, Reliability and Quality Assurance to oversee all operations and prevent acceptance of unsafe designs or mission decisions.
The engineers at Thiokol who had advocated a redesign of the O-ring seals, and warned against recommending the Challenger launch in the cold temperature, were ostracized by their co-workers at the company and gradually shunted into lower-status jobs. Eventually dubbed “the five lepers” by their colleagues, all eventually left the company.
As usual, **** managers, only concerned about profits and politics, didn’t care about risk to people. Next time, replace astronauts with those managers. Maybe when it is their own lives on the line, they might deign to care.
Thiokol management and NASA management that bullied the engineers to sign off should have been prosecuted and served time in white-collar prison. Many of the bullied engineers regretted not taking stronger action for the remainder of their lives. The engineer who refused to sign off is a hero of sorts and should receive recognition by his profession for doing the ethical thing. I am a professional engineer and would have never signed off on something I believed was unreasonably unsafe if the risks are too great.
Sounds like the “five lepers” were the real heroes in this story.
Licensed engineers would have lost their right to practice. Manufacturers employ unlicensed individuals to design, oversee and manufacturer cars, boats, airplanes, and unfortunately rocket-ships.
The Challenger had 5 different launch ascent phase abort modes that were feasible and may have saved the Crew. Unfortunately, none of these abort modes could be performed until the SRB burn ended, approximately 2 minutes after launch. When Thiokol’s McDonald told the Rogers Commission that they expected the failure to occur while the vehicle was still in the tower, he essentially stated that the Crew was doomed, but they were going to launch anyway.
Having a failure occur when the failure mode is known and foreseeable under the conditions of the launch is criminal negligence. Thiokol management should have gone to jail. Thiokol’s $10 million cap on liability was the greatest gift ever from the government to a guilty party.
Unfortunately, NASA failed to learn their lesson after the loss if the Challenger. Years later, the Columbia was lost due to damaged heat shield tiles. The NTSB conducted a thorough investigation, including causal factors going back to the Challenger loss, and concluded that NASA had fallen victim to several systemic traits that are common to organizations that have experienced catastrophic, and lesser, incidents. While at Williams, I initialed the development of a “Process Safety Guide,” which was in part based on the findings in the NTSB report on the Columbia loss. One of the NASA findings we a failure to establish an imperative for safety, which sounds obvious at face value, but at its root, is a less obvious meaning. In general terms, NASA had a “prove it’s unsafe” attitude, versus “prove it’s safe” attitude. If you read the NTSB report on the Columbia loss, they referenced the Challenger o-ring issue in detail. While the engineers at Thiokol believed, through design and laboratory testing, that the o-rings would fail at lower ambient temperature, they had no proof that it was a definitive outcome, given the actual historical launch data. This is where NASA’s poor culture of “prove it’s unsafe” prevailed in the hours leading up to the Challenger disaster.
The comments left so far are all “right on”. We would like to think that we would have forcefully intervened as did the “lepers”. But what would you really do, faced with management pressure and a decade of “nothing” happening? …a very expensive system to protect against an unlikely but disastrous failure? Never mind management, I occasionally find myself having to gently educate other engineers. I was recently struck by a quote in an article on the “red crew” and the recent Artemis launch: “It’s creaking, it’s making venting noises, it’s pretty scary.” Ponder… where is your limit, and what would you actually do?
James McAdams, very good commentary. Gives me cause to wonder, did NASA. as an organization learn anything from these prior bad decisions? As I understand the SLS has a lot of Shuttle “technology baggage”.