Risk Management Analysis

Challenger Space Shuttle
Max of 4 pages of text plus cover page and reference page totaling 6 pages
1.5 line spacing, 11 or 12 point font
Min of 4 sources / no max but be realistic in four pages of text

Answer each of the following from the end of the paper:
Risk Management Plan
Q3
Q4

Risk Identification
Q8
Q10

Risk Quantification
Q16
Q17

Risk Response (Risk Handling)
Q21
Q28

Risk Control
Q35
Q42

Support answers with current logic/events and references/citations
Some answers may need only two or three sentences, while other questions will need more in-depth answers
Simply annotate which question you are answering, without repeating the question, as below:

Q3: The best way to…..

Q4: The office should have…..

Q8: It depends on what…..

THE SPACE SHUTTLE CHALLENGER DISASTER:
A CASE STUDY ON RISK MANAGEMENT
On January 28, 1986, the Space Shuttle Challenger lifted off the launch pad at 11:38 a.m.,
beginning the flight of mission 51-L.1 Approximately 74 seconds into the flight, the Challenger
was engulfed in an explosive burn and all communication and telemetry ceased. Seven brave
crewmembers lost their lives.

On board the Challenger were Francis R. (Dick) Scobee [Commander], Michael John Smith
[Pilot], Ellison S. Onizuka [Mission Specialist One], Judith
Arlene Resnik [Mission Specialist Two], Ronald Erwin McNair [Mission Specialist Three], S.
Christa McAuliffe [Payload Specialist One], and Gregory Bruce Jarvis [Payload Specialist Two].
A faulty seal, or O-ring, on one of the two solid rocket boosters, caused the accident.
Following the accident, significant energy was expended trying to ascertain whether or
not the accident was predictable. Controversy arose from the desire to assign, or to avoid, blame.
Some publications called it a management failure, specifically in risk management, while others
called it a technical failure.
Whenever accidents occurred in the past at NASA, an internal investigation team was
formed. But in this case, perhaps because of the visibility, the White House took the initiative in
appointing an independent commission. There did exist significant
justification for the commission. NASA was in a state of disarray, especially in the
management ranks. The agency had been without a permanent administrator for almost four
months. The turnover rate at the upper echelons of management was significantly high, and
there seemed to be a lack of direction from the top down.

1 The first digit indicates the fiscal year of the launch (i.e., “5” means 1985). The second number
indicates the launch site (i.e., “1” is the Kennedy Space Center in Florida, “2” is Vandenberg Air Force
Base in California). The letter represents the mission number (i.e., “C” would be the third mission
scheduled). This designation system was implemented after Space Shuttle flights one through nine,
which were designated STS-XX. STS is the Space Transportation System and XX would indicate the
flight number.

Copyright © 2001 by Dr. Harold Kerzner

Another reason for appointing a Presidential Commission was the visibility of this
mission. This mission was highly publicized as the Teacher in Space mission with Christa
McAuliffe, a Concord, New Hampshire schoolteacher selected from a list of over 10,000
applicants. The nation knew the names of all of the crewmembers on board Challenger. The
mission was highly publicized for months stating that Christa McAuliffe would be teaching
students from the Challenger on day four of the mission.
The Presidential Commission consisted of the following members:
William P. Rogers, Chairman: Former Secretary of State under President Nixon and
Attorney General under President Eisenhower.
Neil A. Armstrong, Vice Chairman: former astronaut and spacecraft commander for
Apollo 11.
David C. Acheson: former Senior Vice President and General Counsel,
Communications Satellite Corporation (1967-1974), and a partner in the law firm of
Drinker Biddle & Reath
Dr. Eugene E. Covert: Professor and Head, Department of Aeronautics and
Astronautics at Massachusetts Institute of Technology.
Dr. Richard P. Feynman: Physicist and Professor of Theoretical Physics at
California Institute of Technology; Nobel Prize winner in Physics, 1965.
Robert B. Hotz: Editor-in-chief of Aviation Week & Space Technology magazine
(1953-1980).
Major General Donald J. Kutyna, USAF: Director of Space Systems and
Command, Control, Communications.
Dr. Sally K. Ride: Astronaut and mission specialist on STS-7, launched on June 18,
1983, becoming the first American woman in space. She also flew on mission 41-G
launched October 5, 1984. She holds a Doctorate in Physics from Stanford
University (1978) and was still an active astronaut.
Robert W. Rummel: Vice President of Trans World Airlines and President of Robert
W. Rummel Associates, Inc., of Mesa, Arizona.
Joseph F. Sutter: Executive Vice President of the Boeing Commercial Airplane
Company.
Dr. Arthur B. C. Walker, Jr.: Astronomer and Professor of Applied Physics;
formerly Associate Dean of the Graduate Division at Stanford University, and
consultant to Aerospace Corporation, Rand Corporation and the National Science
Foundation.
Dr. Albert D. Wheelon: Executive Vice President, Hughes Aircraft Company.
Brigadier General Charles Yeager, USAF (Retired): Former experimental test
pilot. He was the first person to penetrate the sound barrier and the first to fly at a
speed of more than 1,600 miles an hour.
Dr. Alton G. Keel, Jr., Executive Director: Detailed to the Commission from his
position in the Executive Office of the President, Office of Management and Budget,
as Associate Director for National Security and International Affairs; formerly
Assistant Secretary of the Air Force for Research, Development and Logistics, and
Senate Staff.
The Commission interviewed more than 160 individuals, and more than 35 formal panel
investigative sessions were held generating almost 12,000 pages of transcript. Almost 6,300
documents totaling more than 122,000 pages, along with hundreds of photographs were
examined and made a part of the Commission’s permanent database and archives. These
sessions and all the data gathered added to the 2,800 pages of hearing transcript generated by the
Commission in both closed and open sessions. Unless otherwise stated, all of the quotations and
memos in this case study come from the direct testimony cited in the Report by the Presidential
Commission (RPC).

BACKGROUND TO THE SPACE TRANSPORTATION SYSTEM
During the early 1960s, NASA’s strategic plans for post-Apollo manned space
exploration rested upon a three-legged stool. The first leg was a reusable space transportation
system, the Space Shuttle, which could transport people and equipment to low earth orbits and
then return to earth in preparation for the next mission. The second leg was a manned space
station that would be re-supplied by the Space Shuttle and serve as a launch platform for space
research and planetary exploration. The third leg would be planetary exploration to Mars. But by
the late 1960s, the United States was involved in the Vietnam War. The war was becoming
costly. In addition, confidence in the government was eroding because of civil unrest and
assassinations. With limited funding due to budgetary cuts, and the lunar landing missions
coming to an end, prioritization of projects was necessary. With a Democratic Congress
continuously attacking the cost of space exploration, and minimal support from President Nixon,
the space program was left standing on one leg only, the Space Shuttle.
President Nixon made it clear that funding for all programs would be impossible, and that
funding for any program on the order of the Apollo Program was likewise not possible.
President Nixon seemed to favor the space station concept, but this required the development of
a reusable Space Shuttle. Thus, NASA’s Space Shuttle Program became the near-term priority.
One of the reasons for the high priority given to the Space Shuttle program was a 1972
study completed by Dr. Oskar Morgenstern and Dr. Klaus Heiss of the Princeton-based
Mathematica organization. The study showed that the Space Shuttle could orbit payloads for as
little as $100 per pound based on 60 launches per year with payloads of 65,000 pounds. This
provided tremendous promise for military applications such as reconnaissance and weather
satellites, as well as scientific research.
Unfortunately, the pricing data was somewhat tainted. Much of the cost data was
provided by companies that were hopeful of becoming NASA contractors and therefore provided
unrealistically low cost estimates in hopes of winning future bids. The actual cost per pound was
more than 20 times the original estimate. Furthermore, the main engines never achieved the 109
percent of thrust that NASA desired, thus limiting the payloads to 47,000 pounds instead of the
predicted 65,000 pounds. In addition, the European Space Agency began successfully developing
the capability to place satellites into orbit and began competing with NASA for the commercial
satellite business.

NASA SUCCUMBS TO POLITICS AND PRESSURE
To retain Shuttle funding, NASA was forced to make a series of major concessions. First,
facing a highly constrained budget, NASA sacrificed the research and development necessary to
produce a truly reusable Shuttle, and instead accepted a design that was only partially reusable,
eliminating one of the features that made the Shuttle attractive in the first place. Solid rocket
boosters (SRBs) were used instead of safer liquid fueled boosters because they required a much
smaller research and development effort. Numerous other design changes were made to reduce
the level of research and development required.
Second, to increase its political clout and to guarantee a steady customer base, NASA
enlisted the support of the United States Air Force. The Air Force could provide the
considerable political clout of the Defense Department and had many satellites, which required
launching. However, Air Force support did not come without a price. The Shuttle payload bay
was required to meet Air Force size and shape requirements, which placed key constraints on the
ultimate design. Even more important was the Air Force requirement that the Shuttle be able to
launch from Vandenberg Air Force Base in California. This constraint required a larger cross
range than the Florida site, which in turn decreased the total allowable vehicle weight. The
weight reduction required the elimination of the design’s air breathing engines, resulting in a
single-pass unpowered landing. This greatly limited the safety and landing versatility of the
vehicle.2
As the year 1986 began, there was extreme pressure on NASA to “Fly out the Manifest.”
From its inception, the Space Shuttle Program had been plagued by exaggerated expectations,
funding inconsistencies, and political pressure. The ultimate vehicle and mission design were
shaped almost as much by politics as physics. President Kennedy’s declaration, that the United
States would land a man on the moon before the end of the decade, had provided NASA’s
Apollo Program with high visibility, a clear direction, and powerful political backing. The Space
Shuttle Program was not as fortunate; it had neither a clear direction nor consistent political
backing.
Cost containment became a critical issue for NASA. In order to minimize cost, NASA
designed a Space Shuttle system that utilized both liquid and solid propellants. Liquid propellant
engines are more easily controllable than solid propellant engines. Flow of liquid propellant
from the storage tanks to the engine can be throttled and even shut down in case of an
emergency. Unfortunately, an all-liquid-fuel design was prohibitive because a liquid fuel system
is significantly more expensive to maintain than a solid fuel system.
Solid fuel systems are less costly to maintain. However, once a solid propellant system is
ignited, it cannot be easily throttled or shut down. Solid propellant rocket motors burn until all
of the propellant is consumed. This could have a significant impact on safety, especially during
launch, at which time the solid rocket boosters are ignited and have maximum propellant loads.
Also, solid rocket boosters can be designed for reusability whereas liquid engines are generally a
one-time use.
The final design that NASA selected was a compromise of both solid and liquid fuel
engines. The Space Shuttle would be a three-element system composed of the Orbiter vehicle,
an expendable external liquid fuel tank carrying liquid fuel for the Orbiter’s engines, and two
recoverable solid rocket boosters.3 The Orbiter’s engines were liquid fuel because of the
necessity for throttle capability. The two solid rocket boosters would provide the added thrust
necessary to launch the Space Shuttle into its orbiting altitude.

2 Kurt Hoover and Wallace T. Fowler, (The University of Texas at Austin and The Texas Space Grant
Consortium) “Studies in Ethics, Safety and Liability for Engineers,” (web site:
http://www.tsgc.utexas.edu/archive/general/ethics/shuttle.html page 2.)

In 1972, NASA selected Rockwell as the prime contractor for building the Orbiter. Many
industry leaders believed that other competitors who had actively participated in the Apollo
Program had a competitive advantage. Rockwell, however, was awarded the contract.
Rockwell’s proposal did not include an escape system. NASA officials decided against the
launch escape system since it would have added too much weight to the Shuttle at launch and
was very expensive. There was also some concern on how effective an escape system would be
if an accident occurred during launch while all of the engines were ignited. Thus, the Space
Shuttle Program became the first U.S. manned spacecraft without a launch escape system for the
crew.
In 1973, NASA went out for competitive bidding for the solid rocket boosters. The
competitors were Morton-Thiokol, Inc. (MTI) [henceforth called Thiokol], Aerojet General,
Lockheed, and United Technologies. The contract was eventually awarded to Thiokol because
of its low cost, $100 million lower than the nearest competitor. Some
believed that other competitors who ranked higher in technical design and safety should have
been given the contract. NASA believed that Thiokol-built solid rocket motors would provide
the lowest cost per flight.

3 The terms “solid rocket booster” (SRB) and “solid rocket motor” (SRM) will be used interchangeably.

THE SOLID ROCKET BOOSTERS

Thiokol’s solid rocket boosters had a height of approximately 150 feet and a diameter of
12 feet. The empty weight of each booster was 192,000 lbs. and the full weight was 1,300,000
lbs. Once ignited, each booster provided 2.65 million lbs. of thrust, which is more than 70
percent of the thrust needed to lift off the launch pad.
Thiokol’s design for the boosters was criticized by some of the competitors and even
NASA personnel. The boosters were to be manufactured in four segments and then shipped
from Utah to the launch site where the segments would be assembled into a single unit. The
Thiokol design was largely based upon the segmented design of the Titan III solid rocket motor
produced by United Technologies in the 1950s for Air Force satellite programs. Satellite
programs were unmanned efforts.
The four solid rocket sections made up the case of the booster, which essentially encased
the rocket fuel and directed the flow of the exhaust gases. This is shown in Figure 1. The
cylindrical shell of the case is protected from the propellant by a layer of insulation. The mating
sections of the field joint are called the tang and the clevis. One hundred and seventy-seven pins
spaced around the circumference of each joint hold the tang and the clevis together. The joint is
sealed in three ways. First, zinc chromate putty is placed in the gap between the mating
segments and their insulation. This putty protects the second and third seals that are rubber-like
rings, called O-rings. The first
O-ring is called the primary O-ring and is lodged in the gap between the tang and the clevis. The
last seal is called the secondary O-ring, which is identical to the primary O-ring except it is
positioned further downstream in the gap. Each O-ring is 0.280 inches in diameter. The
placement of each O-ring can be seen in Figure 2. Another component of the field joint is called
the leak check port, which is shown in Figure 3. The leak check port is designed to allow
technicians to check the status of the two O-ring seals. Pressurized air is inserted through the
leak check port into the gap between the two O-rings. If the O-rings maintain the pressure, and
do not let the pressurized air past the seal, the technicians know the seal is operating properly.4

Figure 1. The Solid Rocket Booster

In the Titan III assembly process, the joints between the segmented sections contained
one O-ring. Thiokol’s design had two O-rings instead of one. The second O-ring was initially
considered as redundant, but included to improve safety. The purpose of the O-rings was to seal
the space in the joints such that the hot exhaust gases could not escape and damage the case of
the boosters.
Both the Titan III and Shuttle O-rings were made of Viton rubber, which is an
elastomeric material. For comparison, rubber is also an elastomer. The elastomeric material
used is a fluoroelastomer, which is an elastomer that contains fluorine. This material was
chosen because of its resistance to high temperatures and its compatibility with the surrounding
materials. The Titan III O-rings were molded in one piece whereas the Shuttle’s SRB O-rings
would be manufactured in five sections and then glued together. Routinely, repairs would be
necessary for inclusions and voids in the rubber received from the material suppliers.

4 The Challenger Accident: Mechanical Causes of the Challenger Accident; University of Texas; (web site:
http://www.me.utexas.edu/~uer/challenger/chall2.html pages 1-2.)

Figure 2. Location Of The O-Rings

Figure 3. Cross-Section Showing The Leak Test Port

BLOWHOLES
The primary purpose of the zinc chromate putty was to act as a thermal barrier that
protected the O-rings from the hot exhaust. As mentioned before, the O-ring seals were tested
using the leak check port to pressurize the gap between the seals. During the test, the secondary
seal was pushed down into the same, seated position as it occupied during ignition
pressurization. However, because the leak check port was between the two O-ring seals, the
primary O-ring was pushed up and seated against the putty. The position of the O-rings during
flight and their position during the leak check test is shown in Figure 3.
During early flights, engineers worried that, because the putty above the primary seal
could withstand high pressures, the presence of the putty would prevent the leak test from
identifying problems with the primary seal. They contended that the putty would seal the gap
during testing regardless of the condition of the primary seal. Since the proper operation of the
primary seal was essential, engineers decided to increase the pressure used during the test to
above the pressure that the putty could withstand. This would ensure that the primary O-ring was
properly sealing the gap without the aid of the putty. Unfortunately, during this new procedure,
the high test pressures blew holes through the putty before the primary O-ring could seal the gap.
Since the putty was on the interior of the assembled solid rocket booster, technicians could
not mend the blowholes in the putty. As a result, this procedure left small, tunneled holes in the
putty. These holes would allow focused exhaust gases to contact a small segment of the primary
O-ring during launch. Engineers realized that this was a problem, but decided to test the seals at
the high pressure despite the formation of blowholes, rather than risking a launch with a faulty
primary seal.

The purpose of the putty was to prevent the hot exhaust gases from reaching the O-rings.
For the first nine successful Shuttle launches, NASA and Thiokol used asbestos-bearing putty
manufactured by the Fuller-O’Brien Company of San Francisco. However, because of the
notoriety of products containing asbestos, and the fear of potential lawsuits, Fuller-O’Brien
stopped manufacturing the putty that had served the Shuttle so well. This created a problem for
NASA and Thiokol.
The new putty selected came from Randolph Products of Carlstadt, New Jersey.
Unfortunately, with the new putty, blowholes and O-ring erosion were becoming more common
to a point where the Shuttle engineers became worried. Yet the new putty was still used on the
boosters. Following the Challenger disaster, testing showed that, at low temperatures, the
Randolph putty became much stiffer than the Fuller-O’Brien putty and lost much of its
stickiness.5

O-RING EROSION
If the hot exhaust gases penetrate the putty and contact the primary O-ring, the extreme
temperatures would break down the O-ring material. Because engineers were aware of the
possibility of O-ring erosion, the joints were checked after each flight for evidence of erosion.
The amount of O-ring erosion found on flights before the new high-pressure leak check
procedure was around twelve percent. After the new high pressure leak test procedure the
percentage of O-ring erosion was found to increase by eighty-eight percent. High percentages of
O-ring erosion in some cases allowed the exhaust gases to pass the primary O-ring and begin
eroding the secondary O-ring. Some managers argued that some O-ring erosion was
“acceptable” because the O-rings were found to seal the gap even if they were eroded by as
much as one-third their original diameter.6 The engineers believed that the design and operation
of the joints were an acceptable risk because a safety margin could be identified quantitatively.
This numerical boundary would become an important precedent for future risk assessment.

5 Ibid; page 3.

JOINT ROTATION
During ignition, the internal pressure from the burning fuel applies approximately 1000
pounds per square inch on the case wall, causing the walls to expand. Because the joints are
generally stiffer than the case walls, each section tends to bulge out. The swelling of the solid
rocket sections causes the tang and the clevis to become misaligned; this misalignment is called
joint rotation. A diagram showing a field joint before and after joint rotation is shown in Figure
4. The problem with joint rotation is that it increases the gap size near the O-rings. This
increase in size is extremely fast, which makes it difficult for the O-rings to follow the increasing
gap and keep the seal.7
Prior to ignition, the gap between the tang and the clevis is approximately 0.004 inches. At
ignition, the gap will enlarge to between 0.042 and 0.060 inches, but for a maximum of 0.60
seconds, and then return to its original position.

6 Ibid; page 4.
7 Ibid; page 4.

Figure 4. Field Joint Rotation (panels: unpressurized joint, no rotation, Pint = 0 psig; pressurized joint, rotation effect exaggerated, Pint = 1000 psig, gap opening 0.042 in. – 0.060 in.; labels: tang, clevis, primary O-ring, secondary O-ring)

O-RING RESILIENCE
The term O-ring resilience refers to the ability of the O-ring to return to its original shape
after it has been deformed. This property is analogous to the ability of a rubber band to return to
its original shape after it has been stretched. As with a rubber band, the resiliency of an O-ring is
directly related to its temperature. As the temperature of
the O-ring gets lower, the O-ring material becomes stiffer. Tests have shown that an O-ring at
75°F is five times more responsive in returning to its original shape than an O-ring at 30°F. This
decrease in O-ring resiliency during a cold weather launch would make the O-ring much less
likely to follow the increasing gap size during joint rotation. As a result of poor O-ring
resiliency the O-ring would not seal properly.8

THE EXTERNAL TANK
The solid rockets are each joined forward and aft to the external liquid fuel tank.
They are not connected to the Orbiter vehicle. The solid rocket motors are mounted first, and the
external liquid fuel tank is put between them and connected. Then the Orbiter is mounted to the
external tank at two places in the back and one place forward, and those connections carry all of
the structural loads for the entire system at liftoff and through the ascent phase of flight. Also
connected to the Orbiter, under the Orbiter’s wing, are two large propellant lines 17 inches in
diameter. The one on the port side carries liquid hydrogen from the hydrogen tank in the back
part of the external tank. The line on the right side carries liquid oxygen from the oxygen tank at the
forward end, inside the external tank. (RPC, p. 50)

8 Ibid; pages 4-5.

The external tank contains about 1.6 million lbs. of propellant, or about 526,000 gallons.
The Orbiter’s three engines burn the liquid hydrogen and liquid oxygen at a ratio of 6:1 and at a
rate equivalent to emptying out a family swimming pool every 10 seconds! Once ignited, the
exhaust gases leave the Orbiter’s three engines at approximately 6,000 miles per hour. After the
fuel is consumed, the external tank separates from the Orbiter, falls to earth and disintegrates in
the atmosphere on re-entry.

THE SPARE PARTS PROBLEM
In March 1985, NASA’s Administrator, James Beggs, announced that there would be one
Shuttle flight per month for all of fiscal year 1985. In actuality, there were only six flights.
Repairs became a problem. Continuous repairs were needed on the heat tiles required for re-entry,
the braking system and the main engines’ hydraulic pumps. Parts were routinely borrowed
from other Shuttles. The cost of spare parts was excessively high, and NASA was looking for
cost containment.

RISK IDENTIFICATION PROCEDURES
The necessity for risk management was apparent right from the start. Prior to the launch of
the first Shuttle in April of 1981, hazards were analyzed and subjected to a formalized hazard
reduction process as described in NASA Hand Book, NHB5300.4. The process required that the
credibility and probability of the hazards be determined. A Senior Safety Review Board was
established for overseeing the risk assessment process. For the most part, the risk assessment
process was qualitative. The conclusion reached was that no single hazard or combination of
hazards should prevent the launch of the first Shuttle as long as the aggregate risk remains
acceptable.
NASA used a rather simplistic Safety (Risk) Classification System. A quantitative method
for risk assessment was not in place at NASA because the data needed to generate statistical
models would be expensive and labor-intensive. If the risk identification procedures were overly
complex, NASA would have been buried in paperwork due to the number of components on the
Space Shuttle. The risk classification system selected by NASA is shown below:

Level                   Description
Criticality 1 (C1)      Loss of life and/or vehicle if the component fails.
Criticality 2 (C2)      Loss of mission if the component fails.
Criticality 3 (C3)      All others
Criticality 1R (C1R)    Redundant components exist. The failure of both could cause loss of life and/or vehicle.
Criticality 2R (C2R)    Redundant components exist. The failure of both could cause loss of mission.

From 1982 on, the O-ring seal was labeled Criticality 1. By 1985, there were 700
components identified as Criticality 1.

TELECONFERENCING

The Space Shuttle Program involves a vast number of people at both NASA and the
contractors. Because of the geographical separation between NASA and the contractors, it
became impractical to have continuous meetings. Travel between Thiokol in Utah and the Cape
in Florida was one day’s travel each way. Therefore, teleconferencing became the primary
method of communication and a way of life. Interface meetings were still held, but the emphasis
was on teleconferencing. All locations could be linked together in one teleconference and data
could be faxed back and forth as needed.

THE PAPERWORK CONSTRAINTS
With the rather optimistic flight schedule provided to the news media, NASA was under
scrutiny and pressure to deliver. For fiscal 1986, the mission manifest called for 16 flights.
The pressure to meet schedule was about to take its toll. Safety problems had to be resolved
quickly.
As the number of flights scheduled began to increase, so did the requirements for
additional paperwork. The majority of the paperwork had to be completed prior to NASA’s
Flight Readiness Review meetings (FRR). Prior to every flight (approximately one week), flight
operations and cargo managers were required to endorse the commitment of flight readiness to
the NASA Associate Administrator for Space Flight at the Flight Readiness Review meetings.
The responsible project/element managers would conduct pre-FRR meetings with their
contractors, center managers and the NASA Level II manager. The content of the FRR meetings
included:

Overall status, plus establishing the baseline in terms of significant changes since the last
mission.

Review significant problems resolved since the last review, and significant anomalies
from the previous flight.

Review all open items and constraints remaining to be resolved before the mission.

Present all new waivers since the last flight.

NASA personnel were working excessive overtime, including weekends, to fulfill the
paperwork requirements and prepare for the required meetings. As the number of space flights
increased, so did the paperwork and overtime.
The paperwork constraints were affecting the contractors as well. Additional paperwork
requirements existed for problem solving and investigations. On October 1, 1985 an Interoffice
Memo was sent from Scott Stein, Space Booster Project Engineer at Thiokol to Bob Lund, Vice
President for Engineering at Thiokol, and to other selected managers concerning the O-ring
Investigation Task Force:
We are currently being hog-tied by paperwork every time we try to
accomplish anything. I understand that for production programs, the
paperwork is necessary. However, for a priority, short schedule
investigation, it makes accomplishment of our goals in a timely
manner extremely difficult, if not impossible. We need the authority to
bypass some of the paperwork jungle. As a representative example
of problems and time that could easily be eliminated, consider
assembly or disassembly of test hardware by manufacturing
personnel. …… I know the established paperwork procedures can
be violated if someone with enough authority dictates it. We did that
with the DR system when the FWC hardware “Tiger Team” was
established. If changes are not made to allow us to accomplish work
in a reasonable amount of time, then the O-ring investigation task
force will never have the potency necessary to resolve problems in a
timely manner.
Both NASA and the contractors were now feeling the pressure caused by the paperwork
constraints.

ISSUING WAIVERS
One quick way of reducing paperwork and meetings was to issue a waiver. Historically, a
waiver was a formalized process that allowed an exception either to a rule, specification, technical
criteria or risk. Waivers were ways to reduce excessive paperwork requirements. Project
managers and contract administrators had the authority to issue waivers, often with the intent of
bypassing standard protocols in order to maintain a schedule. The use of waivers had been in
place well before the manned space program even began. What is important here was NOT
NASA’s use of the waiver, but the JUSTIFICATION for the waiver given the risks.
NASA had issued waivers on both Criticality 1 status designations and launch constraints.
In 1982, the solid rocket boosters were designated C1 by the Marshall Space Flight Center
because failure of the O-rings could have caused loss of crew and the Shuttle. This meant that
the secondary O-rings were not considered redundant. The SRB Project Manager at Marshall,
Larry Mulloy, issued a waiver just in time for the next Shuttle launch to take place as planned.
Later, the O-ring designation went from C1 to C1R (i.e., a redundant process), thus partially
avoiding the need for a waiver. The waiver was a necessity to keep the Shuttle flying according
to the original manifest.
Having a risk identification of C1 was not regarded as a sufficient reason to cancel a launch.
It simply meant that component failure could be disastrous. It implied that this might be a
potential problem that needed attention. If the risks were acceptable, NASA could still launch.
A more serious condition was the issuing of launch constraints. Launch constraints were official
NASA designations for situations in which mission safety was a serious enough problem to
justify a decision not to launch. But once again, a launch constraint did not imply that the launch
should be delayed. It meant that this was an important problem and needed to be addressed.
Following the 1985 mission that showed O-ring erosion and exhaust gas blow-by, a launch
constraint was imposed. Yet on each of the next five Shuttle missions, NASA’s Mulloy issued a
launch constraint waiver allowing the flights to take place on schedule without any changes to
the O-rings.
Were the waivers a violation of serious safety rules just to keep the Shuttle flying? The
answer is NO! NASA had protocols such as policies, procedures and rules for adherence to
safety. Waivers were also protocols but for the purpose of deviating from other existing
protocols. Neither Larry Mulloy, his colleagues at NASA, nor the contractors had any intentions
of doing evil. Waivers were simply a way of saying that we believe that the risk is an
ACCEPTABLE RISK.
The lifting of launch constraints and the issuance of waivers became the norm or standard
operating procedure. Waivers became a way of life. If waivers were issued and the mission was
completed successfully, then the same waivers would exist for the next flight and did not have to
be brought up for discussion at the Flight Readiness Review meeting. The justification for the
waivers seemed to be the similarity between flight launch conditions, temperature, etc.
Launching under similar conditions seemed to be important for the engineers at NASA and
Thiokol because it meant that the forces acting on the O-rings were within their region of
experience and could be correlated to existing data. The launch temperature effect on the O-rings
was considered predictable and therefore constituted an acceptable risk to both NASA and
Thiokol, thus perhaps eliminating costly program delays in having to redesign the O-rings. The
completion of each Shuttle mission added another data point to the region of experience thus
guaranteeing the same waivers on the next launch. Flying with acceptable risk became the norm
in NASA’s culture.

LAUNCH LIFTOFF SEQUENCE PROFILE: POSSIBLE ABORTS
During the countdown to liftoff, the launch team closely monitors weather conditions, not
only at the launch site, but also at touchdown sites should the mission need to be prematurely
aborted.
Dr. Feynman: Would you explain why we are so sensitive to the
weather?
Mr. Moore (NASA’s Deputy Administrator for Space Flight):
Yes, there are several reasons. I mentioned the return to the
landing site. We need to have visibility if we get into a situation
where we need to return to the landing site after launch, and the
pilots and the commanders need to be able to see the runway and
so forth. So, you need a ceiling limitation on it [i.e. weather].
We also need to maintain specifications on wind velocity so we
don’t exceed crosswinds. Landing on a runway and getting too
high of a crosswind may cause us to deviate off of the runway and
so forth, so we have a crosswind limit. During ascent, assuming a
nominal flight, a chief concern is damage to tiles due to rain. We
have had experiences in seeing what the effects of a brief shower
can do in terms of the tiles. The tiles are thermal insulation blocks,
very thick. A lot of them are very thick on the bottom of the
Orbiter. But if you have a raindrop and you are going at a very
high velocity, it tends to erode the tiles, pock the tiles, and that
causes us a grave concern regarding the thermal protection.
In addition to that, you are worried about the turnaround time of
the Orbiters as well, because with the kind of tile damage that one
could get in rain, you have an awful lot of work to do to go back
and replace tiles back on the system. So, there are a number of
concerns that weather enters into, and it is a major factor in our
assessment of whether or not we are ready to launch. (RPC, p. 18)
Approximately six to seven seconds prior to the liftoff, the Shuttle’s main engines (liquid
fuel) ignite. These engines consume one half million gallons of liquid fuel. It takes nine hours
prior to launch to fill the liquid fuel tanks. At ignition, the engines are throttled up to 104 percent
of rated power. Redundancy checks on the engines’ systems are then made. The launch site
ground complex and the Orbiter’s onboard computer complex check a large number of details
and parameters about the main engines to make sure that everything is proper and that the main
engines are performing as planned.
If a malfunction is detected, the system automatically goes into a shutdown sequence, and
the mission is scrubbed. The primary concern at this point is to make the vehicle “safe.” The
crew remains on board and performs a number of functions to get the vehicle into a safe mode.
This includes making sure that all propellant and electrical systems are properly safed. Ground
crews at the launch pad begin servicing the launch pad. Once the launch pad is in a safe
condition, the hazard and safety teams begin draining the remaining liquid fuel out of the
external tank.
If no malfunction is detected during this six-second period of liquid fuel burn, then a
signal is sent to ignite the two solid rocket boosters and liftoff occurs. For the next two minutes,
with all engines ignited, the Shuttle goes through a Max Q or high dynamic pressure phase that
exerts maximum pressure loads on the Orbiter vehicle. Based upon the launch profile, the main
engines may be throttled down slightly during the Max Q phase to lower the loads.
After 128 seconds into the launch sequence, all of the solid fuel is expended and solid
rocket booster (SRB) staging occurs. The SRB parachutes are deployed. The SRBs then fall
back to earth 162 miles from the launch site and are recovered for examination, cleaning, and
reuse on future missions. The main liquid fuel engines are then throttled up to maximum power.
After 523 seconds into the liftoff, the external liquid fuel tanks are essentially expended of fuel.
The main engines are shut down. Ten to 18 seconds later, the external tank is separated from the
Orbiter and disintegrates on re-entry into the atmosphere.
From a safety perspective, the most hazardous period is the first 128 seconds when the SRBs
are ignited. According to Arnold Aldrich, Manager, NASA’s STS Program, Johnson Space
Center:
Once the Shuttle System starts off the launch pad, there is no
capability in the system to separate these [solid propellant] rockets
until they reach burnout. They will burn for two minutes and eight
or nine seconds, and the system must stay together. There is not a
capability built into the vehicle that would allow these to separate.
There is a capability available to the flight crew to separate at this
interface the Orbiter from the tank, but that is thought to be
unacceptable during the first stage when the booster rockets are on
and thrusting. So, essentially the first two minutes and a little
more of flight, the stack is intended and designed to stay together,
and it must stay together to fly successfully.
Mr. Hotz: Mr. Aldrich, why is it unacceptable to separate the
Orbiter at that stage?
Mr. Aldrich: It is unacceptable because of the separation
dynamics and the rupture of the propellant lines. You cannot
perform the kind of a clean separation required for safety in the
proximity of these vehicles at the velocities and the thrust levels
they are undergoing, [and] the atmosphere they are flying through.
In that regime, it is the design characteristic of the total system.
(RPC, p. 51)
If an abort is deemed necessary during the first 128 seconds, the actual abort will not
begin until AFTER SRB staging has occurred, which is after 128 seconds into the launch
sequence. Based upon the reason and timing of an abort, options include:
Type of Abort                   Landing Site
Once-Around Abort               Edwards Air Force Base
Transatlantic Abort             Dakar
Transatlantic Abort             Casablanca
Return-to-Landing-Site (RTLS)   Kennedy Space Center

Arnold Aldrich commented on different abort profiles:
Chairman Rogers: During the two-minute period, is it possible to
abort through the Orbiter?
Mr. Aldrich: You can abort for certain conditions. You can start
an abort, but the vehicle won’t do anything yet, and the intended
aborts are built around failures in the main engine system, the
liquid propellant systems and their controls. If you have a failure
of a main engine, it is well detected by the crew and by the ground
support, and you can call for a return-to-launch-site abort. That
would be logged in the computer. The computer would be set up to
execute it, but everything waits until the solids take you to altitude.
At that time, the solids will separate in the sequence I described,
and then the vehicle flies downrange some 400 miles, maybe 10 to
15 additional minutes, while all of the tank propellant is expelled
through these engines.
As a precursor to setting up the conditions for this return-to-launch-site
abort to be successful towards the end of that burn
downrange, using the propellants and the thrust of the main
engines, the vehicle turns and actually points heads up back
towards Florida. When the tank is essentially depleted, automatic
signals are sent to close off the [liquid] propellant lines and to
separate the Orbiter, and the Orbiter then does a similar approach
to the one we are familiar with with orbit back to the Kennedy
Space Center for approach and landing.
Dr. Walker: So, the propellant is expelled but not burned?
Mr. Aldrich: No, it is burned. You burn the system on two
engines all the way down-range until it is gone, and then you turn
around and come back because you don’t have enough to burn to
orbit. That is the return-to-launch-site abort, and it applies during
the first 240 seconds of – no, 240 is not right. It is longer than that
– the first four minutes, either before or after separation you can
set that abort up, but it will occur after the solids separate, and if
you have a main engine anomaly after the solids separate, at that
time you can start the RTLS, and it will go through that same
sequence and come back.
Dr. Ride: And you can also only do an RTLS if you have lost just
one main engine. So if you lose all three main engines, RTLS isn’t
a viable abort mode.
Mr. Aldrich: Once you get through the four minutes, there’s a
period where you now don’t have the energy conditions right to
come back, and you have a forward abort, and Jesse mentioned the
sites in Spain and on the coast of Africa. We have what is called a
trans-Atlantic abort, and where you can use a very similar
sequence to the one I just described. You still separate the solids,
you still burn all the propellant out of the tanks, but you fly across
and land across the ocean.
Mr. Hotz: Mr. Aldrich, could you recapitulate just a bit here? Is
what you are telling us that for two minutes of flight, until the
solids separate, there is no practical abort mode?
Mr. Aldrich: Yes, sir.
Mr. Hotz: Thank you.
Mr. Aldrich: A trans-Atlantic abort can cover a range of just a
few seconds up to about a minute in the middle where the
across-the-ocean sites are effective, and then you reach this abort
once-around capability where you go all the way around and land in
California or back to Kennedy by going around the earth. And
finally, you have abort-to-orbit where you have enough propulsion
to make orbit but not enough to achieve the exact orbital
parameters that you desire. That is the way that the abort profiles
are executed.
There are many, many nuances of crew procedure and different
conditions and combinations of sequences of failures that make it
much more complicated than I have described it. (RPC pp. 51-52)

THE O-RING PROBLEM
There were two kinds of joints on the Shuttle – field joints that were assembled at the
launch site connecting together the SRB’s cylindrical cases, and nozzle joints that connected the
aft end of the case to the nozzle. During the pressure of ignition, the field joints could become
bent such that the secondary O-ring could lose contact within an estimated 0.17 to 0.33 seconds
after ignition. If the primary O-ring failed to seal properly before the gap within the joints
opened up and the secondary seal failed, the results could be disastrous.
When the solid propellant boosters are recovered after separation, they are disassembled
and checked for damage. The O-rings could show evidence of coming into contact with heat.
Hot gases from the ignition sequence could blow by the primary O-ring briefly before sealing.
This “blow-by” phenomenon could last for only a few milliseconds before sealing and result in
no heat damage to the O-ring. If the actual sealing process takes longer than expected, then
charring and erosion of the O-rings can occur. This would be evidenced by gray or black soot
and erosion to the O-rings. The terms used are impingement erosion and “by-pass” erosion with
the latter identified also as sooted “blow-by.”
Roger Boisjoly of Thiokol describes blow-by erosion and joint rotation as follows:
O-ring material gets removed from the cross section of the O-ring
much, much faster than when you have bypass erosion or blow-by,
as people have been terming it. We usually use the characteristic
blow-by to define gas past it, and we use the other term [bypass
erosion] to indicate that we are eroding at the same time. And so
you can have blow-by without erosion, [and] you [can] have
blow-by with erosion. (RPC, pp. 784-85)
At the beginning of the transient cycle [initial ignition rotation, up
to 0.17 seconds] . . . [the primary O-ring] is still being attacked by
hot gas, and it is eroding at the same time it is trying to seal, and it
is a race between, will it erode more than the time allowed to have
it seal. (RPC, p. 136)
On January 24, 1985, STS 51-C [Flight No. 15] was launched at 51°F, which was the
lowest temperature of any launch up to that time. Analyses of the joints showed evidence of
damage. Black soot appeared between the primary and secondary O-rings. The engineers
concluded that the cold weather had caused the O-rings to harden and move more slowly. This
allowed the hot gases to blow by and erode the O-rings. This scorching effect indicated that low
temperature launches could be disastrous.
On July 31, 1985, Roger Boisjoly of Thiokol sent an interoffice memo to R. K. Lund,
Vice President for Engineering, at Thiokol:
This letter is written to insure that management is fully aware of the
seriousness of the current O-ring erosion problem in the SRM joints
from an engineering standpoint.
The mistakenly accepted position on the joint problem was to fly
without fear of failure and to run a series of design evaluations
which would ultimately lead to a solution or at least a significant
reduction of the erosion problem. This position is now drastically
changed as a result of the SRM 16A nozzle joint erosion which
eroded a secondary O-ring with the primary O-ring never sealing.
If the same scenario should occur in a field joint (and it could), then
it is a jump ball as to the success or failure of the joint because the
secondary O-ring cannot respond to the clevis opening rate and may
not be capable of pressurization. The result would be a catastrophe
of the highest order – loss of human life.
An unofficial team (a memo defining the team and its purpose was
never published) with [a] leader was formed on 19 July 1985 and
was tasked with solving the problem for both the short and long
term. This unofficial team is essentially nonexistent at this time.
In my opinion, the team must be officially given the responsibility
and the authority to execute the work that needs to be done on a
non-interference basis (full time assignment until completed).
It is my honest and very real fear that if we do not take immediate
action to dedicate a team to solve the problem with the field joint
having the number one priority, then we stand in jeopardy of losing
a flight along with all the launch pad facilities. (RPC, p. 691-692)
On August 9, 1985, a letter was sent from Brian Russell, Manager of the SRM Ignition
System, to James Thomas at the Marshall Space Flight Center. The memo addressed the
following:
Per your request, this letter contains the answers to the two
questions you asked at the July Problem Review Board telecon.
1. Question: If the field joint secondary seal lifts off the metal
mating surfaces during motor pressurization, how soon will it
return to a position where contact is re-established?
Answer: Bench test data indicates that the O-ring resiliency
(its capability to follow the metal) is a function of temperature
and rate of case expansion. MTI [Thiokol] measured the force
of the O-ring against Instron platens, which simulated the
nominal squeeze on the O-ring and approximated the case
expansion distance and rate.
At 100°F, the O-ring maintained contact. At 75°F, the O-ring
lost contact for 2.4 seconds. At 50°F, the O-ring did not
re-establish contact in 10 minutes at which time the test was
terminated.
The conclusion is that secondary sealing capability in the SRM
field joint cannot be guaranteed.
2. Question: If the primary O-ring does not seal, will the
secondary seal seat in sufficient time to prevent joint leakage?
Answer: MTI has no reason to suspect that the primary seal
would ever fail after pressure equilibrium is reached; i.e., after
the ignition transient. If the primary O-ring were to fail from 0
to 170 milliseconds, there is a very high probability that the
secondary O-ring would hold pressure since the case has not
expanded appreciably at this point. If the primary seal were to
fail from 170 to 330 milliseconds, the probability of the
secondary seal holding is reduced.
From 330 to 600 milliseconds the chance of the secondary seal
holding is small.
This is a direct result of the O-ring’s slow response compared
to the metal case segments as the joint rotates. (RPC, pp.
1568-1569)
At NASA, the concern for a solution to the O-ring problem became not only a technical
crisis, but also a budgetary crisis. In a July 23, 1985, memorandum from Richard Cook,
Program Analyst, to Michael Mann, Chief of the STS Resource Analysis Branch, the impact of
the problem was noted:
Earlier this week you asked me to investigate reported problems
with the charring of seals between SRB motor segments during
flight operations. Discussions with program engineers show this to
be a potentially major problem affecting both flight safety and
program costs.
Presently three seals between SRB segments use double O-rings
sealed with putty. In recent Shuttle flights, charring of these rings
has occurred. The O-rings are designed so that if one fails, the
other will hold against the pressure of firing. However, at least in
the joint between the nozzle and the aft segment, not only has the
first O-ring been destroyed, but the second has been partially eaten
away.
Engineers have not yet determined the cause of the problem.
Candidates include the use of a new type of putty (the putty
formerly in use was removed from the market by EPA because it
contained asbestos), failure of the second ring to slip into the
groove which must engage it for it to work properly, or new, and
as yet unidentified, assembly procedures at Thiokol. MSC is trying
to identify the cause of the problem, including on-site investigation
at Thiokol, and OSF hopes to have some results from their analysis
within 30 days. There is little question, however, that flight safety
has been and is still being compromised by potential failure of the
seals, and it is acknowledged that failure during launch would
certainly be catastrophic. There is also indication that staff
personnel knew of this problem sometime in advance of
management’s becoming apprised of what was going on.
The potential impact of the problem depends on the as yet
undiscovered cause. If the cause is minor, there should be little or
no impact on budget or flight rate. A worse case scenario,
however, would lead to the suspension of Shuttle flights, redesign
of the SRB, and scrapping of existing stockpiled hardware. The
impact on the FY 1987-8 budget could be immense.
It should be pointed out that Code M management [NASA’s
Associate Administrator for Space Flight] is viewing the situation
with the utmost seriousness. From a budgetary standpoint, I would
think that any NASA budget submitted this year for FY 1987 and
beyond should certainly be based on a reliable judgment as to the
cause of the SRB seal problem and a corresponding decision as to
budgetary action needed to provide for its solution. (RPC, pp.
391-392)
On October 30, 1985, NASA launched Flight STS 61-A [Flight no. 22] at 75°F. This
flight also showed signs of sooted blow-by, but the color was significantly blacker. Although
there was some heat effect, there was no measurable erosion observed on the secondary O-ring.
Since blow-by and erosion now occurred at a higher launch temperature, the original premise
that launches under cold temperatures were a problem was now being questioned. Table 1 shows
the temperature at launch of all the Shuttle flights up to this time and the O-ring damage, if any.
Management at both NASA and Thiokol wanted concrete evidence that launch
temperature was directly correlated to blow-by and erosion. Other than simply a “gut feel”,
engineers were now stymied on how to show the direct correlation. NASA was not ready to
cancel a launch simply due to an engineer’s “gut feel”.
William Lucas, Director of the Marshall Space Center, made it clear that NASA’s
manifest for launches would be adhered to. Managers at NASA were pressured to resolve
problems internally rather than to escalate them up the chain of command. Managers became
afraid to inform anyone higher up that they had problems, even though they knew that one
existed.

Table 1
Erosion and Blow-by History
(Temperature in ascending order from coldest to warmest)

Flight  Date      Temperature  Erosion    Blow-by    Comments
                  (°F)         Incidents  Incidents
______  ________  ___________  _________  _________  ___________________________
51-C    01/24/85  53           3          2          Most erosion any flight; blow-by; secondary O-rings heated up
41-B    02/03/84  57           1                     Deep, extensive erosion
61-C    01/12/86  58           1                     O-rings erosion
41-C    04/06/84  63           1                     O-rings heated but no damage
1       04/12/81  66                                 Coolest launch without problems
6       04/04/83  67
51-A    11/08/84  67
51-D    04/12/85  67
5       11/11/82  68
3       03/22/82  69
2       11/12/81  70           1                     Extent of erosion unknown
9       11/28/83  70
41-D    08/30/84  70           1
51-G    06/17/85  70
7       06/18/83  72
8       08/30/83  73
51-B    04/29/85  75
61-A    10/20/85  75                      2          No erosion but soot between O-rings
51-I    08/27/85  76
61      11/26/85  76
41-G    10/05/84  78
51-J    10/03/85  79
4       06/27/82  80                                 No data; casing lost at sea
51-F    07/29/85  81

Richard Feynman, Nobel laureate and member of the Rogers Commission, concluded that a
NASA official altered the safety criteria so that flights could be certified on time under pressure
imposed by the leadership of William Lucas. Feynman commented:
… They, therefore, fly in a relatively unsafe condition with a
chance of failure of the order of one percent. Official management
claims to believe that the probability of failure is a thousand times
less.
Without concrete evidence of the temperature effect on the O-rings, the secondary O-ring
was regarded as a redundant safety constraint and the criticality factor was changed from C1 to
C1R. Potentially serious problems were treated as anomalies peculiar to a given flight. Under
the guise of anomalies, NASA began issuing waivers to maintain the flight schedules. Pressure
was placed upon contractors to issue closure reports. On December 24, 1985, L. O. Wear
[NASA’s SRM Program Office Manager] sent a letter to Joe Kilminster, Thiokol’s Vice
President for the Space Booster Program:
During a recent review of the SRM Problem Review Board open
problem list I found that we have 20 open problems, 11 opened
during the past 6 months, 13 open over 6 months, 1 three years old,
2 two years old, and 1 closed during the past six months. As you
can see our closure record is very poor. You are requested to
initiate the required effort to assure more timely closures and the
MTI personnel shall coordinate directly with the S&E personnel the
contents of the closure reports. (RPC, p. 1554)

PRESSURE, PAPERWORK AND WAIVERS
To maintain the flight schedule, critical issues such as launch constraints had to be
resolved or waived. This would require extensive documentation. During the Rogers
Commission investigation, there seemed to be a total lack of coordination between NASA’s
Marshall Space Center and Thiokol. Joe Kilminster, Thiokol’s Vice President for the Space
Booster Program, testified:
Mr. Kilminster: Mr. Chairman, if I could, I would like to respond
to that. In response to the concern that was expressed – and I had
discussions with the team leader, the task force team leader, Mr.
Don Kettner, and Mr. Russell and Mr. Ebeling. We held a meeting
in my office and that was done in the October time period where
we called the people who were in a support role to the task team,
as well as the task force members themselves.
In that discussion, some of the task force members were looking to
circumvent some of our established systems. In some cases, that
was acceptable; in other cases, it was not. For example, some of
the work that they had recommended to be done was involved with
full-scale hardware, putting some of these joints together with
various putty layup configurations; for instance, taking them apart
and finding out what we could from that inspection process.
Dr. Sutter: Was that one of these things that was outside of the
normal work, or was that accepted as a good idea or a bad idea?
Mr. Kilminster: A good idea, but outside the normal work, if you
will.
Dr. Sutter: Why not do it?
Mr. Kilminster: Well, we were doing it. But the question was,
can we circumvent the system, the paper system that requires, for
instance, the handling constraints on those flight hardware items?
And I said no, we can’t do that. We have to maintain our handling
system, for instance, so that we don’t stand the possibility of
injuring or damaging a piece of flight hardware.
I asked at that time if adding some more people, for instance, a
safety engineer – that was one of the things we discussed in there.
The consensus was no, we really didn’t need a safety engineer.
We had the manufacturing engineer in attendance who was in
support of that role, and I persuaded him that, typical of the way
we normally worked, that he should be calling on the resources
from his own organization, that is, in Manufacturing, in order to
get this work done and get it done in a timely fashion.
And I also suggested that if they ran across a problem in doing
that, they should bubble that up in their management chain to get
help in getting the resources to get that done. Now, after that
session, it was my impression that there was improvement based
on some of the concerns that had been expressed, and we did get
quite a bit of work done. For your evaluation, I would like to talk
a little bit about the sequence of events for this task force.
Chairman Rogers: Can I interrupt? Did you know at that time it
was a launch constraint, a formal launch constraint?
Mr. Kilminster: Not an overall launch constraint as such. Similar
to the words that have been said before, each Flight Readiness
Review had to address any anomalies or concerns that were
identified at previous launches and in that sense, each of those
anomalies or concerns were established in my mind as launch
constraints unless they were properly reviewed and agreed upon by
all parties.
Chairman Rogers: You didn’t know there was a difference
between the launch constraint and just considering it an anomaly?
You thought they were the same thing?
Mr. Kilminster: No, sir. I did not think they were the same thing.
Chairman Rogers: My question is: Did you know that this
launch constraint was placed on the flights in July 1985?
Mr. Kilminster: Until we resolved the O-ring problem on that
nozzle joint, yes. We had to resolve that in a fashion for the
subsequent flight before we would be okay to fly again.
Chairman Rogers: So you did know there was a constraint on
that?
Mr. Kilminster: On a one flight per one flight basis; yes, sir.
Chairman Rogers: What else would a constraint mean?
Mr. Kilminster: Well, I get the feeling that there’s a perception
here that a launch constraint means all launches, whereas we were
addressing each launch through the Flight Readiness Review
process as we went.
Chairman Rogers: No, I don’t think–the testimony that we’ve
had is that a launch constraint is put on because it is a very serious
problem and the constraint means don’t fly unless it’s fixed or
taken care of, but somebody has the authority to waive it for a
particular flight. And in this case, Mr. Mulloy was authorized to
waive it, which he did, for a number of flights before 51-L. Just
prior to 51-L, the papers showed the launch constraint was closed
out, which I guess means no longer existed. And that was done on
January 23, 1986. Now, did you know that sequence of events?
Mr. Kilminster: Again, my understanding of closing out, as the
term has been used here, was to close it out on the problem actions
list, but not as an overall standard requirement. We had to address
these at subsequent Flight Readiness Reviews to insure that we
were all satisfied with the proceeding to launch.
Chairman Rogers: Did you understand the waiver process, that
once a constraint was placed on this kind of a problem, that a flight
could not occur unless there was a formal waiver?
Mr. Kilminster: Not in the sense of a formal waiver, no, sir.
Chairman Rogers: Did any of you? Didn’t you get the
documents saying that?

Mr. McDonald: I don’t recall seeing any documents for a formal
waiver. (RPC, pp. 1577-1578)

MISSION 51-L
On January 25, 1986, questionable weather caused a delay of Mission 51-L to January
27. On January 26, the launch was reconfirmed for 9:37 a.m. on the 27th. However, on the
morning of January 27, a malfunction with the hatch, combined with high crosswinds, caused
another delay. All preliminary procedures had been completed and the crew had just boarded
when the first problem appeared. A microsensor on the hatch indicated that the hatch was not
shut securely. It turned out that the hatch was shut securely but the sensor had malfunctioned.
Valuable time was lost in determining the problem.
After the hatch was finally closed, the external handle could not be removed. The threads
on the connecting bolt were stripped and instead of cleanly disengaging when turned, simply
spun around. Attempts to use a portable drill to remove the handle failed. Technicians on the
scene asked Mission Control for permission to saw off the bolt. Fearing some form of structural
stress to the hatch, engineers made numerous time-consuming calculations before giving the
go-ahead to cut off the bolt. The entire process consumed almost two hours before the
countdown resumed.
However, the misfortunes continued. During the attempts to verify the integrity of the
hatch and remove the handle, the wind had been steadily rising. Chief Astronaut John Young
flew a series of approaches in the Shuttle training aircraft and confirmed the worst fears of
mission control. The crosswinds at the Cape were in excess of the level allowed for the abort
contingency. The opportunity had been missed. The mission was then reset to launch the next
day, January 28, at 9:38 a.m. Everyone was quite discouraged since extremely cold weather was
forecast for Tuesday that could further postpone the launch.9
Weather conditions indicated that the temperature at launch could be as low as 26°F.
This would be much colder and well below the temperature range that the O-rings were designed
to operate in. The components of the solid rocket motors were
qualified only to 40°F at the lower limit. Undoubtedly, when the sun would come up and launch
time approached, both the air temperature and vehicle would warm up, but there was still
concern. Would the ambient temperature be high enough to meet the launch requirements?
NASA’s Launch Commit Criteria stated that no launch should occur at temperatures below 31°F.
There were also worries over any permanent effects on the
Shuttle due to the cold overnight temperatures. NASA became concerned and asked Thiokol for
their recommendation on whether or not to launch. NASA admitted under testimony that if
Thiokol had recommended not launching, then the launch would not have taken place.

9 Hoover and Wallace; pages 3-4.

At 5:45 p.m. eastern standard time, a teleconference was held between the Kennedy
Space Center, Marshall Space Flight Center and Thiokol. Bob Lund, Vice President for
Engineering, summarized the concerns of the Thiokol engineers that in Thiokol’s opinion, the
launch should be delayed until noontime or even later such that a launch temperature of at least
53°F could be achieved. Thiokol’s engineers were concerned that no data was available for
launches at this temperature of 26°F. This was the first time in 14 years that Thiokol had
recommended not to launch.
The design validation tests originally done by Thiokol covered only a narrow temperature
range. The temperature data did not include any temperatures below 53°F. The O-rings from
Flight 51-C, which had been launched under cold conditions the previous year, showed very
significant erosion. This was the only data available on the effects of cold, but all of the Thiokol
engineers agreed that the cold weather would decrease the elasticity of the synthetic rubber
O-rings, which in turn might cause them to seal slowly and allow hot gases to surge through the
joint.10

10 Ibid; page 4.

Another teleconference was set up for 8:45 p.m. to invite more parties to be involved in the
decision. Meanwhile, Thiokol was asked to fax all relevant and supporting charts to all parties
involved in the 8:45 p.m. teleconference.
The following information was included in the pages that were faxed:
Blow-by History:
SRM-15 Worst Blow-by
2 case joints (80°), (110°) Arc
Much worse visually than SRM-22
SRM-22 Blow-by
2 case joints (30-40°)
SRM-13A, 15, 16A, 18, 23A, 24A
Nozzle blow-by
Field Joint Primary Concerns – SRM-25
A temperature lower than the current data base results in changing primary O-ring
sealing timing function
SRM-15A – 80° arc black grease between O-rings
SRM-15B – 110° arc black grease between O-rings
Lower O-ring squeeze due to lower temp
Higher O-ring shore hardness
Thicker grease viscosity
Higher O-ring pressure activation time
If actuation time increases, threshold of secondary seal pressurization
capability is approached
If threshold is reached then secondary seal may not be capable of being
pressurized
Conclusions:
Temperature of O-ring is not only parameter controlling blow-by
SRM-15 with blow-by had an O-ring temp at 53°F
SRM-22 with blow-by had an O-ring temp at 75°F
Four development motors with no blow-by were tested at O-ring
temp of 47° to 52°F
Development motors had putty packing which resulted in better
performance
At about 50°F blow-by could be experienced in case joints
Temp for SRM-25 on 1-28-86 launch will be: 29°F 9 a.m.
38°F 2 p.m.
Have no data that would indicate SRM-25 is different than SRM-15 other than
temp
Recommendations:
O-ring temp must be ≥ 53°F at launch
Development motors at 47° to 52°F with putty packing had no
blow-by
SRM-15 (the best simulation) worked at 53°
Project ambient conditions (temp & wind) to determine launch time
From NASA’s perspective, the launch window was from 9:30 a.m. to 12:30 p.m. on
January 28th. This was based upon weather conditions and visibility, not only at the launch site
but also at the landing sites should an abort be necessary. An additional consideration was the
fact that the temperature might not reach 53°F prior to the launch window closing. Actually, the
temperature at the Kennedy Space Center was not expected to reach 50°F until two days later.
NASA was hoping that Thiokol would change their minds and recommend launch.

THE SECOND TELECONFERENCE
At the second teleconference, Bob Lund once again asserted Thiokol’s recommendation
not to launch below 53°F. NASA’s Mulloy then burst out over the teleconference network:
“My God, Morton Thiokol! When do you want me to launch –
next April?”
NASA challenged Thiokol’s interpretation of the data and argued that Thiokol was
inappropriately attempting to establish a new Launch Commit Criterion just prior to launch.
NASA asked Thiokol to re-evaluate their conclusions. Crediting NASA’s comments with some
validity, Thiokol then requested a five-minute off-line caucus. In the room at Thiokol were 14
engineers, namely:
Jerald Mason, Senior Vice President, Wasatch Operations
Calvin Wiggins, Vice President and General Manager, Space Division
Joe C. Kilminster, Vice President, Space Booster Programs
Robert K. Lund, Vice President, Engineering
Larry H. Sayer, Director, Engineering and Design
William Macbeth, Manager, Case Projects, Space Booster Project
Donald M. Ketner, Supervisor, Gas Dynamics Section and Head Seal Task Force
Roger Boisjoly, Member, Seal Task Force
Arnold R. Thompson, Supervisor, Rocket Motor Cases
Jack R. Kapp, Manager, Applied Mechanics Department
Jerry Burn, Associate Engineer, Applied Mechanics
Joel Maw, Associate Scientist, Heat Transfer Section
Brian Russell, Manager, Special Projects, SRM Project
Robert Ebeling, Manager, Ignition System and Final Assembly, SRB Project
There were no safety personnel in the room because nobody thought to invite them. The
caucus lasted some 30 minutes. Thiokol (specifically Joe Kilminster) then returned to the
teleconference stating that they were unable to sustain a valid argument that temperature affects
O-ring blow-by and erosion. Thiokol then reversed its position and was now recommending
launch.
NASA stated that the launch of the Challenger would not take place without Thiokol’s
approval. But when Thiokol reversed its position following the caucus and agreed to launch,
NASA interpreted this as an acceptable risk. The launch would now take place.
Mr. McDonald (Thiokol): The assessment of the data was that the
data was not totally conclusive, that the temperature could affect
everything relative to the seal. But there was data that indicated
that there were things going in the wrong direction, and this was
far from our experience base.
The conclusion being that Thiokol was directed to reassess all the
data because the recommendation was not considered acceptable at
that time of [waiting for] the 53 degrees [to occur]. NASA asked
us for a reassessment and some more data to show that the
temperature in itself can cause this to be a more serious concern
than we had said it would be. At that time Thiokol in Utah said
that they would like to go off-line and caucus for about five
minutes and reassess what data they had there or any other
additional data.
And that caucus lasted for, I think, a half hour before they were
ready to go back on. When they came back on they said they had
reassessed all the data and had come to the conclusions that the
temperature influence, based on the data they had available to
them, was inconclusive and therefore they recommended a launch.
(RPC, p. 300)
During the Rogers Commission testimony, NASA’s Mulloy stated his thought process in
requesting Thiokol to rethink their position:
General Kutyna: You said the temperature had little effect?
Mr. Mulloy: I didn’t say that. I said I can’t get a correlation
between O-ring erosion, blow-by and O-ring, and temperature.
General Kutyna: 51-C was a pretty cool launch. That was
January of last year.
Mr. Mulloy: It was cold before then but it was not that much
colder than other launches.
General Kutyna: So it didn’t approximate this particular one?
Mr. Mulloy: Unfortunately, that is one you look at and say, aha,
is it related to a temperature gradient and the cold. The
temperature of the O-ring on 51-C, I believe, was 53 degrees. We
have fired motors at 48 degrees. (RPC, p. 290)
Mulloy asserted he had not pressured Thiokol into changing their position. Yet, the
testimony of Thiokol’s engineers stated they believed they were being pressured.
Roger Boisjoly, one of Thiokol’s experts on O-rings, was present during the caucus and
vehemently opposed the launch. During testimony, Boisjoly described his impressions of what
occurred during the caucus:
The caucus was started by Mr. Mason stating that a management
decision was necessary. Those of us who opposed the launch
continued to speak out, and I am specifically speaking of Mr.
Thompson and myself because in my recollection, he and I were
the only ones who vigorously continued to oppose the launch. And
we were attempting to go back and rereview and try to make clear
what we were trying to get across, and we couldn’t understand why
it was going to be reversed.
So, we spoke out and tried to explain again the effects of low
temperature. Arnie actually got up from his position which was
down the table and walked up the table and put a quad pad down in
front of the table, in front of the management folks, and tried to
sketch out once again what his concern was with the joint, and
when he realized he wasn’t getting through, he just stopped.
I tried one more time with the photos. I grabbed the photos and I
went up and discussed the photos once again and tried to make the
point that it was my opinion from actual observations that
temperature was indeed a discriminator, and we should not ignore
the physical evidence that we had observed.
And again, I brought up the point that SRM-15 had a 110 degree
arc of black grease while SRM-22 had a relatively different
amount, which was less and wasn’t quite as black. I also stopped
when it was apparent that I could not get anybody to listen.
Dr. Walker: At this point did anyone else [i.e. engineers] speak
up in favor of the launch?
Mr. Boisjoly: No, sir. No one said anything, in my recollection.
Nobody said a word. It was then being discussed amongst the
management folks. After Arnie and I had our last say, Mr. Mason
said we have to make a management decision. He turned to Bob
Lund and asked him to take off his engineering hat and put on his
management hat. From this point on, management formulated the
points to base their decision on. There was never one comment in
favor, as I have said, of launching by any engineer or other
nonmanagement person in the room before or after the caucus. I
was not even asked to participate in giving any input to the final
decision charts.
I went back on the net with the final charts or final chart, which
was the rationale for launching, and that was presented by Mr.
Kilminster. It was handwritten on a notepad, and he read from that
notepad. I did not agree with some of the statements that were
being made to support the decision. I was never asked nor polled,
and it was clearly a management decision from that point.
I must emphasize, I had my say, and I never take any management
right to take the input of an engineer and then make a decision
based upon that input, and I truly believe that. I have worked at a
lot of companies, and that has been done from time to time, and I
truly believe that, and so there was no point in me doing anything
any further [other] than [what] I had already attempted to do.
I did not see the final version of the chart until the next day. I just
heard it read. I left the room feeling badly defeated, but I felt I
really did all I could to stop the launch. I felt personally that
management was under a lot of pressure to launch, and they made
a very tough decision, but I didn’t agree with it.
One of my colleagues who was in the meeting summed it up best.
This was a meeting where the determination was to launch, and it
was up to us to prove beyond a shadow of a doubt that it was not
safe to do so. This is in total reverse to what the position usually is
in a preflight conversation or a Flight Readiness Review. It is
usually exactly opposite that.

Dr. Walker: Do you know the source of the pressure on
management that you alluded to?
Mr. Boisjoly: Well, the comments made over the net are what I
felt. I can’t speak for them, but I felt it. I felt the tone of the
meeting exactly as I summed up, that we were being put in a
position to prove that we should not launch rather than being put in
the position and prove that we had enough data to launch. (RPC,
p. 793-794)
General Kutyna: What was the motivation driving those who
were trying to overturn your opposition?
Mr. Boisjoly: They felt that we had not demonstrated, or I had not
demonstrated, because I was the prime mover in SRM-15. Because
of my personal observations and involvement in the Flight
Readiness Reviews, they felt that I had not conclusively
demonstrated that there was a tie-in between temperature and
blow-by.
My main concern was if the timing function changed and that seal
took longer to get there, then you might not have any seal left
because it might be eroded before it seats. And then, if that timing
function is such that it pushes you from the 170 millisecond region
into the 330 second region, you might not have a secondary seal to
pick up if the primary is gone. That was my major concern.
I can’t quantify it. I just don’t know how to quantify that. But I
felt that the observations made were telling us that there was a
message there telling us that temperature was a discriminator, and I
couldn’t get that point across. I basically had no direct input into
the final recommendation to launch, and I was not polled.
I think Astronaut Crippen hit the tone of the meeting exactly right
on the head when he said that the opposite was true of the way the
meetings were normally conducted. We normally have to
absolutely prove beyond a shadow of a doubt that we have the
ability to fly, and it seemed like we were trying to prove, have
proved that we had data to prove that we couldn’t fly at this time,
instead of the reverse. That was the tone of the meeting, in my
opinion. (RPC, p. 676)
Jerald Mason, Senior Vice President at Thiokol’s Wasatch Division, directed the caucus at
Thiokol. Mason continuously asserted that a management decision was needed and instructed
Bob Lund, Vice President for Engineering, to take off his engineering hat and put on his
management hat. During testimony, Mason commented on his interpretation of the data:
Dr. Ride [a member of the Commission]: You know, what we’ve
seen in the charts so far is that the data was inconclusive and so
you said go ahead.
Mr. Mason: . . . I hope I didn’t convey that. But the reason for
the discussion was the fact that we didn’t have enough data to
quantify the effect of the cold, and that was the heart of our
discussion . . . We have had blow-by on earlier flights. We had not
had any reason to believe that we couldn’t experience it again at
any temperature . . . (RPC, p. 764)
At the end of the second teleconference, NASA’s Hardy at Marshall Space Flight Center
requested that Thiokol put their recommendation to launch in writing and fax it to both Marshall
Space Flight Center and Kennedy Space Center. The memo (shown below) was signed by Joe
Kilminster, Vice President for Thiokol’s Space Booster Program, and faxed at 11:45 p.m. the
night before the launch.
Calculations show that SRM-25 O-rings will be 20° colder than
SRM-15 O-rings
Temperature data not conclusive on predicting primary O-ring
blow-by
Engineering assessment is that:
Colder O-rings will have increased effective durometer
(“harder”)
“Harder” O-rings will take longer to “seat”
More gas may pass primary O-ring before the primary
seal seats (relative to SRM-15)
Demonstrated sealing threshold is 3 times greater
than 0.038” erosion experienced on SRM-15
If the primary seal does not seat, the secondary seal will
seat
Pressure will get to secondary seal before the metal
parts rotate
O-ring pressure leak check places secondary seal
in outboard position which minimizes sealing
time
MTI recommends STS-51L launch proceed on 28 January
1986
SRM-25 will not be significantly different from SRM-15

THE ICE PROBLEM
At 1:30 a.m. on the day of the launch, NASA’s Gene Thomas, launch director, ordered a
complete inspection of the launch site due to cold weather and severe ice conditions. The prelaunch inspection of the Challenger and the launch pad by the ice-team was unusual to say the
least. The ice-team’s responsibility was to remove any frost or ice on the vehicle or launch
structure. What they found during their inspection looked like something out of a science fiction
movie. The freeze protection plan implemented by Kennedy personnel had gone very wrong.
Hundreds of icicles, some up to 16 inches long, clung to the launch structure. The handrails and
walkways near the Shuttle entrance were covered in ice, making them extremely dangerous if the
crew had to make an emergency evacuation. One solid sheet of ice stretched from the 195 foot
level to the 235 foot level on the gantry. However, NASA continued to cling to its calculations
that there would be no damage due to flying ice shaken loose during the launch.11 A decision
was then made to delay the launch from 9:38 a.m. to 11:30 a.m. so that the ice on the launch pad
could melt. The delay was still within the launch window of 9:30 a.m. – 12:30 p.m.
At 8:30 a.m., a second ice inspection was made. Ice was still significantly present at the
launch site. Robert Glaysher, Vice President for Orbital Operations at Rockwell, stated that the
launch was unsafe. Rockwell’s concern was that falling ice could damage the heat tiles on the
Orbiter. This could have a serious impact during reentry.
At 10:30 a.m., a third ice inspection was made. Though some of the ice was beginning to
melt, there was still significant ice on the launch pad. The temperature of the left solid rocket
booster was measured at 33°F and the right booster was measured at 19°F. Even though the
right booster was 34 degrees colder than Thiokol’s original recommendation for a launch
temperature (i.e., 53°F), no one seemed alarmed. Rockwell also agreed to launch even though
their earlier statement was that the launch was unsafe.
Arnold Aldrich, Manager of the STS Program at the Johnson Space Center, testified on the
concern over the ice problem:
Mr. Aldrich: Kennedy facility people at that meeting, everyone in
that meeting, voted strongly to proceed and said they had no
concern, except for Rockwell. The comment to me from
Rockwell, which was not written specifically to the exact words,
and either recorded or logged, was that they had some concern
about the possibility of ice damage to the Orbiter. Although it was
a minor concern, they felt that we had no experience base
launching in this exact configuration before, and therefore they
thought we had some additional risk of Orbiter damage from ice
than we had on previous meetings, or from previous missions.
Chairman Rogers: Did they sign off on it or not?
Mr. Aldrich: We don’t have a sign-off at that point. It was not—
it was not maybe 20 minutes, but it was close to that. It was within
the last hour of launch.
Chairman Rogers: But they still objected?
Mr. Aldrich: They issued what I would call a concern, a less than
100 percent concurrence in the launch. They did not say we do not
want to launch, and the rest of the team over-ruled them. They
issued a more conservative concern. They did not say don’t
launch.
General Kutyna: I can’t recall a launch that I have had where
there was 100 percent certainty that everything was perfect, and
everyone around the table would agree to that. It is the job of the
launch director to listen to everyone, and it’s our job around the
table to listen and say there is this element of risk, and you
characterize this as 90 percent, or 95, and then you get a consensus
that that risk is an acceptable risk, and then you launch.
So I think this gentleman is characterizing the degree of risk, and
he’s honest, and he had to say something.

11 Ibid; page 5.

Dr. Ride: But one point is that their concern is a specific concern,
and they weren’t concerned about the overall temperature or
damage to the solid rockets or damage to the external tank. They
were worried about pieces of ice coming off and denting the tile.
(RPC, pp. 237-238)
Following the accident, the Rogers Commission identified three major concerns about the
ice-on-the-pad issue:
1. An analysis of all of the testimony and interviews established that Rockwell’s
recommendation on launch was ambiguous. The Commission found it
difficult, as did Mr. Aldrich, to conclude that there was a no-launch
recommendation. Moreover, all parties were asked specifically to contact
Aldrich or Moore about launch objections due to weather. Rockwell made no
phone calls or further objections to Aldrich or other NASA officials after the
9:00 a.m. Mission Management Team meeting and subsequent to the
resumption of the countdown.
2. The Commission was also concerned about the NASA response to the
Rockwell position at the 9:00 a.m. meeting. While it was understood that
decisions have to be made in launching a Shuttle, the Commission was not
convinced Levels I and II [of NASA’s management] appropriately considered
Rockwell’s concern about the ice. However ambiguous Rockwell’s position
was, it was clear that they did tell NASA that the ice was an unknown
condition. Given the extent of the ice on the pad, the admitted unknown effect
of the Solid Rocket Motor and Space Shuttle Main Engines ignition on the ice,
as well as the fact that debris striking the Orbiter was a potential flight safety
hazard, the Commission found the decision to launch questionable under those
circumstances. In this situation, NASA appeared to be requiring a contractor
to prove that it was not safe to launch, rather than proving it was safe.
Nevertheless, the Commission had determined that the ice was not a cause of
the 51-L accident and does not conclude that NASA’s decision to launch
specifically overrode a no-launch recommendation by an element contractor.
3. The Commission concluded that the freeze protection plan for launch pad 39B
was inadequate. The Commission believed that the severe cold and presence
of so much ice on the fixed service structure made it inadvisable to launch on
the morning of January 28, and that margins of safety were whittled down too
far.

It became obvious that NASA’s management knew of the ice problem, but did they
know of Thiokol’s original recommendation not to launch and then their reversal? Larry
Mulloy, the SRB Project Manager for NASA, and Stanley Reinartz, NASA’s Manager of
the Shuttle Office, both admitted that they told Arnold Aldrich, Manager of the STS
program, Johnson Space Center, about their concern for the ice problem but there was no
discussion about the teleconferences with Thiokol over the O-rings. It appeared that
Mulloy and Reinartz considered the ice as a potential problem whereas the O-rings
constituted an acceptable risk. Therefore, only potential problems went up the chain of
command, not the components of the “aggregate acceptable launch risk.” It became
common practice in Flight Readiness Review documentation to use the term “acceptable
risk.” This became the norm at NASA and resulted in insulating senior management
from certain potential problems. It was the culture that had developed at NASA that
created the flawed decision-making process rather than an intent by individuals to
withhold information and jeopardize safety.

THE ACCIDENT
Just after liftoff at 0.678 seconds into the flight, photographic data showed a strong puff
of gray smoke spurting from the vicinity of the aft field joint on the right solid rocket booster.
The two pad 39B cameras that would have recorded the precise location of the puff were
inoperative. Computer graphic analysis of film from other cameras indicated the initial smoke
came from the 270 to 310-degree sector of the circumference of the aft field joint of the right
solid rocket booster. This area of the solid booster faced the external tank. The vaporized
material streaming from the joint indicated there was incomplete sealing action within the joint.
Eight more distinctive puffs of increasingly blacker smoke were recorded between 0.836
and 2.500 seconds. The smoke appeared to puff upwards from the joint. While each smoke
puff was being left behind by the upward flight of the Shuttle, the next fresh puff could be seen
near the level of the joint. The multiple smoke puffs in this sequence occurred about four times
per second, approximating the frequency of the structural load dynamics and resultant joint
flexing. Computer graphics applied to NASA photos from a variety of cameras in this sequence
again placed the smoke puffs’ origin in the 270 to 310 degree sector of the original smoke spurt.
As the Shuttle Challenger increased its upward velocity, it flew past the emerging and
expanding smoke puffs. The last smoke was seen above the field joint at 2.733 seconds.
The black color and dense composition of the smoke puffs suggested that the grease, joint
insulation and rubber O-rings in the joint seal were being burned and eroded by the hot
propellant gases.

At approximately 37 seconds, Challenger encountered the first of several high altitude
wind shear conditions that lasted about 64 seconds. The wind shear created forces of relatively
large fluctuations on the vehicle itself. These were immediately sensed and countered by the
guidance, navigation and control systems.
The steering system (thrust vector control) of the solid rocket booster responded to all
commands and wind shear effects. The wind shear caused the steering system to be more active
than on any previous flight.
Both the Challenger’s main engines and the solid rockets operated at reduced thrust
approaching and passing through the area of maximum dynamic pressure of 720 pounds per
square foot. Main engines had been throttled up to 104 percent thrust and the solid rocket
boosters were increasing their thrust when the first flickering flame appeared on the right solid
rocket booster in the area of the aft field joint. This first very small flame was detected on
image-enhanced film at 58.788 seconds into the flight. It appeared to originate at about 305
degrees around the booster circumference at or near the aft field joint.
One film frame later from the same camera, the flame was visible without image
enhancement. It grew into a continuous, well-defined plume at 59.262 seconds. At
approximately the same time (60 seconds), telemetry showed a pressure differential between the
chamber pressures in the right and left boosters. The right booster chamber pressure was lower,
confirming the growing leak in the area of the field joint.
As the flame plume increased in size, it was deflected rearward by the aerodynamic
slipstream and circumferentially by the protruding structure of the upper ring attaching the
booster to the external tank. These deflections directed the flame plume onto the surface of the
external tank. This sequence of flame spreading is confirmed by analysis of the recovered
wreckage. The growing flame also impinged on the strut attaching the solid rocket booster to the
external tank.
The first visual indication that swirling flame from the right solid rocket booster breached
the external tank was at 64.660 seconds when there was an abrupt change in the shape and color
of the plume. This indicated that it was mixing with leaking hydrogen from the external tank.
Telemetered changes in the hydrogen tank pressurization confirmed the leak. Within 45
milliseconds of the breach of the external tank, a bright, sustained glow developed on the black
tiled underside of the Challenger between it and the external tank.
Beginning around 72 seconds, a series of events occurred extremely rapidly that
terminated the flight. Telemetered data indicated a wide variety of flight system actions that
supported the visual evidence of the photos as the Shuttle struggled futilely against the forces
that were destroying it.
At about 72.20 seconds, the lower strut linking the solid rocket booster and the external
tank was severed or pulled away from the weakened hydrogen tank permitting the right solid
rocket booster to rotate around the upper attachment strut. This rotation was indicated by
divergent yaw and pitch rates between the left and right solid rocket boosters.
At 73.124 seconds, a circumferential white vapor pattern was observed blooming from
the side of the external tank bottom dome. This was the beginning of the structural failure of the
hydrogen tank that culminated in the entire aft dome dropping away. This released massive
amounts of liquid hydrogen from the tank and created a sudden forward thrust of about 2.8
million pounds, pushing the hydrogen tank upward into the intertank structure. About the same
time, the rotating right solid rocket booster impacted the intertank structure and the lower part of
the liquid oxygen tank. These structures failed at 73.137 seconds as evidenced by the white
vapors appearing in the intertank region.
Within milliseconds there was massive, almost explosive, burning of the hydrogen
streaming from the failed tank bottom and the liquid oxygen breach in the area of the intertank.
At this point in its trajectory, while traveling at a Mach number of 1.92 at an altitude of
46,000 feet, the Challenger was totally enveloped in the explosive burn. The Challenger’s
reaction control system ruptured, and a hypergolic burn of its propellants occurred producing the
oxygen-hydrogen flames. The reddish brown colors of the hypergolic fuel burn were visible on
the edge of the main fireball. The Orbiter, under severe aerodynamic loads, broke into several
large sections which emerged from the fireball. Separate sections that can be identified on film
include the main engine/tail section with the engines still burning, one wing of the Orbiter, and
the forward fuselage trailing a mass of umbilical lines pulled loose from the payload bay.
The consensus of the Commission and participating investigative agencies was that the
loss of the Space Shuttle Challenger was caused by a failure in the joint between the two lower
segments of the right solid rocket motor. The specific failure was the destruction of the seals that
were intended to prevent hot gases from leaking through the joint during the propellant burn of
the rocket motor. The evidence assembled by the Commission indicates that no other element of
the Space Shuttle system contributed to this failure.
In arriving at this conclusion, the Commission reviewed in detail all available data,
reports and records; directed and supervised numerous tests, analyses, and experiments by
NASA, civilian contractors and various government agencies; and then developed specific
failure scenarios and the range of most probable causative factors.
The failure was due to a faulty design unacceptably sensitive to a number of factors.
These factors were the effects of temperature, physical dimensions, the character of materials,
the effects of reusability, processing, and the reaction of the joint to dynamic loading.

NASA AND THE MEDIA
Following the tragedy, many believed that NASA’s decision to launch was an attempt to
minimize further ridicule by the media. Successful Shuttle flights were no longer news because
they were almost ordinary. However, launch aborts and delayed landings were more newsworthy
because they were less common. The Columbia launch, which immediately preceded the
Challenger mission, was delayed seven times. The Challenger launch had gone through four
delays already. News anchor personnel were criticizing NASA. Some believed that NASA had
to do something quickly to dispel its poor public image.
The Challenger mission had more media coverage and political ramifications than other
missions. This would be the launch of the Teacher in Space Project. The original launch date of
the Challenger was just before President Reagan’s State of the Union message that was
scheduled for the evening of January 28. Some believed that the president would publicly praise
NASA for the Teacher in Space Project and possibly even talk to her live during his address.
This would certainly enhance NASA’s image.
Following the tragedy, there were questions as to whether or not the White House had pressured
NASA into launching the Shuttle because of President Reagan’s (and NASA’s) love of favorable
publicity. The Commission found no evidence of White House intervention in the decision to
launch.

FINDINGS OF THE COMMISSION
Determining the cause of an engineering disaster can take years of investigation. The
Challenger disaster arose from many factors including launch conditions, mechanical failure,
communication and decision-making. In the end, the last-minute decision to launch combined all
of these factors with lethal effect.
The Commission concluded that the accident was rooted in history. The Space Shuttle’s
solid rocket booster problem began with the faulty design of its joint and increased as both
NASA and contractor management first failed to recognize it as a problem, then failed to fix it,
and finally treated it as an acceptable flight risk.
Morton Thiokol, Inc., the contractor, did not accept the implication of tests early in the
program that the design had a serious and unanticipated flaw. NASA did not accept the
judgment of its engineers that the design was unacceptable, and as the joint problems grew in
number and severity, NASA minimized them in management briefings and reports. Thiokol’s
stated position was that “the condition is not desirable but is acceptable.”
Neither Thiokol nor NASA expected the rubber O-rings sealing the joints to be touched
by hot gases of motor ignition, much less to be partially burned. However, as tests and then
flights confirmed damage to the sealing rings, the reaction by both NASA and Thiokol was to
increase the amount of damage considered “acceptable.” At no time did management either
recommend a redesign of the joint or call for the Shuttle’s grounding until the problem was
solved.
The genesis of the Challenger accident – the failure of the joint of the right solid rocket
motor – began with decisions made in the design of the joint and in the failure by both Thiokol
and NASA’s Solid Rocket Booster project office to understand and respond to facts obtained
during testing.
The Commission concluded that neither Thiokol nor NASA responded adequately to
internal warnings about the faulty seal design. Furthermore, Thiokol and NASA did not make a
timely attempt to develop and verify a new seal after the initial design was shown to be deficient.
Neither organization developed a solution to the unexpected occurrences of O-ring erosion and
blow-by, even though this problem was experienced frequently during the Shuttle flight history.
Instead, Thiokol and NASA management came to accept erosion and blow-by as unavoidable
and an acceptable flight risk. Specifically, the Commission found that:
1. The joint test and certification program was inadequate. There was no
requirement to configure the qualifications test motor as it would be in flight,
and the motors were static tested in a horizontal position, not in the vertical
flight position.
2. Prior to the accident, neither NASA nor Thiokol fully understood the
mechanism by which the joint sealing action took place.
3. NASA and Thiokol accepted escalating risk apparently because they “got
away with it last time.” As Commissioner Feynman observed, the decision
making was:
“a kind of Russian roulette. . . . [The Shuttle] flies [with O-ring erosion] and
nothing happens. Then it is suggested, therefore, that the risk is no longer so
high for the next flights. We can lower our standards a little bit because we
got away with it last time. . . . You got away with it, but it
shouldn’t be done over and over again like that.”
4. NASA’s system for tracking anomalies for Flight Readiness Reviews failed in
that, despite a history of persistent O-ring erosion and blow-by, flight was still
permitted. It failed again in the strange sequence of six consecutive launch
constraint waivers prior to 51-L, permitting it to fly without any record of a
waiver, or even of an explicit constraint. Tracking and continuing only
anomalies that are “outside the data base” of prior flight allowed major
problems to be removed from, and lost by, the reporting system.
5. The O-ring erosion history presented to Level I at NASA Headquarters in
August 1985 was sufficiently detailed to require corrective action prior to the
next flight.
6. A careful analysis of the flight history of O-ring performance would have
revealed the correlation of O-ring damage and low temperature. Neither
NASA nor Thiokol carried out such an analysis; consequently, they were
unprepared to properly evaluate the risks of launching the 51-L mission in
conditions more extreme than they had encountered before.
The Commission also identified a concern for the “silent” safety program. The
Commission was surprised to realize after many hours of testimony that NASA’s safety staff was
never mentioned. No witness related the approval or disapproval of the reliability engineers, and
none expressed the satisfaction or dissatisfaction of the quality assurance staff. No one thought
to invite a safety representative or a reliability and quality assurance engineer to the January 27,
1986, teleconference between Marshall and Thiokol. Similarly, there was no safety
representative on the Mission Management Team that made key decisions during the countdown
on January 28, 1986.
The unrelenting pressure to meet the demands of an accelerating flight schedule might
have been adequately handled by NASA if it had insisted upon the exactingly thorough
procedures that were its hallmark during the Apollo program. An extensive and redundant safety
program comprising interdependent safety, reliability and quality assurance functions existed
during the lunar program to discover any potential safety problems. Between that period and
1986, however, the safety program became ineffective. This loss of effectiveness seriously
degraded the checks and balances essential for maintaining flight safety.
On April 3, 1986, Arnold Aldrich, the Space Shuttle program manager, appeared before the
Commission at a public hearing in Washington, D.C. He described five different communication
or organization failures that affected the launch decision on January 28, 1986. Four of those
failures related directly to faults within the safety program. These faults included a lack of
problem reporting requirements, inadequate trend analysis, misrepresentation of criticality and
lack of involvement in critical discussions. A robust safety organization that was properly
staffed and supported might well have avoided these faults and thus eliminated the
communication failures.
NASA had a safety program to ensure that the communication failures to which Mr.
Aldrich referred did not occur. In the case of mission 51-L, that program fell short.
The Commission concluded that there were severe pressures placed on the launch
decision-making system to maintain a flight schedule. These pressures caused rational men to
make irrational decisions.
With the 1982 completion of the orbital flight test series, NASA began a planned
acceleration of the Space Shuttle launch schedule. One early plan contemplated an eventual rate
of a mission a week, but realism forced several downward revisions. In 1985, NASA published
a projection calling for an annual rate of 24 flights by 1990. Long before the Challenger
accident, however, it was becoming obvious that even the modified goal of two flights a month
was overambitious.
In establishing the schedule, NASA had not provided adequate resources. As a result, the
capabilities of the launch decision-making system were strained by the modest nine-mission rate
of 1985, and the evidence suggested that NASA would not have been able to accomplish the 15
flights scheduled for 1986. These were the major conclusions of a Commission examination of
the pressures and problems attendant upon the accelerated launch schedule:
1. The capabilities of the launch decision-making system were stretched to the limit to
support the flight rate in winter 1985/1986. Projections into the spring and summer
of 1986 showed a clear trend; the system, as it existed, would have been unable to
deliver crew training software for scheduled flights by the designated dates. The
result would have been an unacceptable compression of the time available for the
crews to accomplish their required training.
2. Spare parts were in critically short supply. The Shuttle program made a conscious
decision to postpone spare parts procurements in favor of budget items of perceived
higher priority. Lack of spare parts would likely have limited flight operations in
1986.
3. Stated manifesting policies were not enforced. Numerous late manifest changes (after
the cargo integration review) have been made to both major payloads and minor
payloads throughout the Shuttle program.
   - Late changes to major payloads or program requirements required
     extensive resources (money, manpower, facilities) to implement.
   - If many late changes to “minor” payloads occurred, resources were
     quickly absorbed.
   - Payload specialists frequently were added to a flight well after announced
     deadlines.
   - Late changes to a mission adversely affect the training and development of
     procedures for subsequent missions.
4. The scheduled flight rate did not accurately reflect the capabilities and resources.
   - The flight rate was not reduced to accommodate periods of adjustment in
     the capacity of the work force. There was no margin for error in the
     system to accommodate unforeseen hardware problems.
   - Resources were primarily directed toward supporting the flights and thus
     not enough were available to improve and expand facilities needed to
     support a higher flight rate.
5. Training simulators may have been the limiting factor on the flight rate: the two
current simulators could not train crews for more than 12-15 flights per year.
6. When flights came in rapid succession, the requirements then in force did not ensure that
critical anomalies occurring during one flight were identified and addressed
appropriately before the next flight.

CHAIN-OF-COMMAND COMMUNICATION FAILURE
The Commission also identified a communication failure within the reporting structure at
both NASA and Thiokol. Part of the problem with the chain of command structure was the idea
of the proper reporting channel. Engineers report only to their immediate managers, while those
managers report only to their direct supervisors. Engineers and managers believed in the chain
of command structure; they felt reluctant to go above their superiors with their concerns.
Boisjoly at Thiokol and Powers at Marshall felt that they had done all that they could as far as
voicing their concerns. Anything more could have cost them their jobs. When questioned at the
Rogers Commission hearing about why he did not voice his concerns to others, Powers replied,
“That would not be my reporting channel.” The chain of command structure dictated the only
path which information could travel at both NASA and Thiokol. If information was modified or
silenced at the bottom of the chain, there was not an alternate path for it to take to reach
high-level officials at NASA. The Rogers Commission concluded that there was a breakdown in
communication between Thiokol engineers and top NASA officials and faulted the management
structure for not allowing important information about the SRBs to flow to the people who
needed to know it. The Commission reported that the “fundamental problem was poor technical
decision-making over a period of several years by top NASA and contractor personnel.”
Bad news does not travel well in organizations like NASA and Thiokol. When the early
signs of problems with the SRBs appeared, Thiokol managers did not believe that the problems
were serious. Thiokol did not want to accept the fact that there could be a problem with their
boosters. When Marshall received news of the problems, they considered it Thiokol’s problem
and did not pass the bad news upward to NASA headquarters. At Thiokol, Boisjoly described
his managers as shutting out the bad news. He claims that he argued about the importance of the
O-ring seal problems until he was convinced that “no one wanted to hear what he had to say.”
When Lund finally decided to recommend delay of the launch to Marshall, managers at Marshall
rejected the bad news and refused to accept the recommendation not to launch. As with any
information going up the chain of command at these two organizations, bad news could often be
modified so that it had less impact, perhaps skewing its importance. [12]

On January 31, 1986, President Ronald Reagan stated:
“The future is not free: the story of all human progress is one of a struggle against all odds.
We learned again that this America, which Abraham Lincoln called the last, best hope of man
on Earth, was built on heroism and noble sacrifice. It was built by men and women like our
seven star voyagers, who answered a call beyond duty, who gave more than was expected or
required and who gave it little thought of worldly reward.”

EPILOGUE
Following the tragic accident, virtually every senior manager that was involved in the
Space Shuttle Challenger decision-making processes, at both NASA and Thiokol, accepted early
retirement. Whether this was the result of media pressure, peer pressure, fatigue or stress we can
only postulate. The only true failures are the ones from which nothing is learned. Lessons on
how to improve the risk management process were learned, unfortunately at the expense of
human life.
On January 27, 1967, Astronauts Gus Grissom, Edward White and Roger Chaffee were
killed during a test on board Apollo-Saturn 204. James Webb, NASA’s Administrator at that time,
was allowed by President Johnson to conduct an internal investigation of the cause. The
investigation was primarily a technical investigation. NASA was fairly open with the media
during the investigation. As a result of the openness, the credibility of the agency was
maintained.

[12] The Challenger Accident: Administrative Causes of the Challenger Accident (web site:
http://www.me.utexas.edu/~uer/challenger/chall3.html), pages 8-9.

With the Challenger accident, confusion arose as to whether it was a technical failure or
management failure. There was no question in anyone’s mind that the decision-making process
was flawed. NASA and Thiokol acted independently in their response to criticism. Critical
information was withheld, at least temporarily, and this undermined people’s confidence in
NASA. The media, as expected, began a vengeful attack on NASA and Thiokol.
Following the Apollo-Saturn 204 fire, there were few changes made in management
positions at NASA. Those changes that did occur were the result of a necessity for improvement
and where change was definitely warranted. Following the Challenger accident, almost every
top management position at NASA underwent a change of personnel.
How an organization fares after an accident is often measured by how well it interfaces
with the media. Situations such as the Tylenol tragedy and the Apollo-Saturn 204 fire bore this
out.
Following the accident, and after critical data was released, papers were published
showing that the O-ring data correlation was indeed possible. In one such paper, Lighthall [13]
showed that not only was a correlation possible, but the real problem may be a professional
weakness shared by many people, but especially engineers, who have been required to analyze
technical data. Lighthall’s argument was that engineering curriculums might not provide
engineers with strong enough statistical education, especially in covariance analysis. The Rogers
Commission also reached this conclusion when they found that there were no engineers at
NASA trained in statistical sciences.
Almost all scientific achievements require the taking of risks. The hard part is deciding
which risk is worth taking and which is not. Every person who has ever flown in space, whether
military or civilian, was a volunteer. They were all risk-takers who understood that safety in
space can never be guaranteed with 100 percent accuracy.

[13] Frederick F. Lighthall, “Launching The Space Shuttle Challenger: Disciplinary Deficiencies in the
Analysis of Engineering Data,” IEEE Transactions on Engineering Management, Vol. 38, No. 1, February
1991, pp. 63-74.

Discussion Questions
Below are a series of questions categorized according to the principles of risk management.
There may not be any single right or wrong answer to these questions.

RISK MANAGEMENT PLAN
1. Does it appear, from the data provided in the case, that a risk management plan was in
existence?
2. If such a plan did exist, then why wasn’t it followed, or was it followed?
3. Is there a difference between a risk management plan, quality assurance plan, and safety
plan, or are they the same?
4. Would there have been a better way to handle risk management planning at NASA
assuming 16 flights per year, 25 flights per year, or as originally planned, 60 flights per
year? Why is the number of flights per year critical in designing a formalized risk
management plan?

RISK IDENTIFICATION
5. What is the difference between a risk and an anomaly? Who determines the difference?
6. Does there appear to be a structured process in place for risk identification at either NASA
or Thiokol?
7. How should problems with risk identification be resolved if there exist differences of
opinion between the customer and the contractors?
8. Should senior management or sponsors be informed about all risks identified or just the
overall “aggregate” risk?
9. How should one identify or classify the risks associated with using solid rocket boosters on
manned spacecraft rather than the conventional liquid fuel boosters?
10. How should one identify or classify tradeoff risks such as trading off safety for political
acceptability?
11. How should one identify or classify the risks associated with pressure resulting from
making promises that may be hard to keep?
12. Suppose that a risk identification plan were established at the beginning of the space
program when the Shuttle was still considered an experimental design. If the Shuttle is now
considered as an operational vehicle rather than as an experimental design, could that affect
the way that risks were identified to the point where the risk identification plan would need
to be changed?

RISK QUANTIFICATION
13. Given the complexity of the Space Shuttle Program, is it feasible and/or practical to
develop a methodology for quantifying risks, or should each situation be addressed
individually? Can we have both a quantitative and qualitative risk evaluation system in
place at the same time?
14. How does one quantify the dangers associated with the ice problem?
15. How should risk quantification problems be resolved if there exist differences of opinion
between the customer and the contractors?
16. If a critical risk is discovered, what is the proper way for the project manager to present to
senior management the impact of the risk? How do you as a project manager make sure
that senior management understand the ramifications?
17. How were the identified risks quantified at NASA? Is the quantification system truly
quantitative or is it a qualitative system?
18. Were probabilities assigned to any of the risks? Why or why not?

RISK RESPONSE (RISK HANDLING)
19. How does an organization decide what is or is not an acceptable risk?
20. Who should have final say in deciding upon the appropriate response mechanism for a risk?
21. What methods of risk response were used at NASA?
22. Did it appear that the risk response method selected was dependent on the risk or on other
factors?
23. How should an organization decide whether or not to accept a risk and launch if the risks
cannot be quantified?
24. What should be the determining factors in deciding which risks are brought upstairs to the
executive levels for review before selecting the appropriate risk response mechanism?
25. Why weren’t the astronauts involved in the launch decision (i.e. the acceptance of the risk)?
Should they have been involved?
26. What risk response mechanism did NASA administrators use when they issued waivers for
the Launch Commit Criteria?
27. Are waivers a type of risk response mechanism?
28. Did the need to maintain a flight schedule compromise the risk response mechanism that
would otherwise have been taken?
29. What risk response mechanism were managers at Thiokol and NASA using when they
ignored the recommendations of their engineers?
30. Did the engineers at Thiokol and NASA do all they could to convince their own
management that the wrong risk response mechanism was about to be taken?
31. When NASA pressed its contractors to recommend a launch, did NASA’s risk response
mechanism violate their responsibility to ensure crew safety?
32. When NASA discounted the effects of the weather, did NASA’s risk response mechanism
violate their responsibility to ensure crew safety?

RISK CONTROL
33. How much documentation should be necessary for the tracking of a risk management plan?
Can this documentation become excessive and create decision-making problems?
34. Risk management includes the documentation of lessons-learned. In the case study, was
there an audit trail of lessons learned or was that audit trail simply protection memos?
35. How might Thiokol engineers have convinced both their own management and NASA to
postpone the launch?
36. Should someone have stopped the Challenger launch and, if so, how could this have been
accomplished without risking one’s job and career?
37. How might an engineer deal with pressure from above to follow a course of action that the
engineer knows to be wrong?
38. How could the chains of communication and responsibility for the Shuttle Program have
been made to function better?
39. Because of the ice problem, Rockwell could not guarantee the Shuttle’s safety, but did
nothing to veto the launch. Is there a better way for situations such as this to be handled in the
future?
40. What level of risk should have been acceptable for launch?
41. How should we handle situations where people in authority believe that the potential
rewards justify what they believe to be relatively minor risks?
42. If you were on a jury attempting to place liability, whom would you say was responsible for
the Challenger disaster?
