Notable Ethics Failures

Shuttle Disasters

The Challenger (1986): The liquid-fueled booster of the space shuttle Challenger disintegrated 73 seconds after liftoff on January 28, 1986. Apparently the shuttle itself remained largely intact during its subsequent descent to the Atlantic Ocean, and it is believed that the seven astronauts on board were killed by that impact. One of them was Sharon Christa McAuliffe, a school teacher from New Hampshire, who had been chosen to be the first private citizen to fly in the shuttle.

The breakup was caused by the failure of an o-ring in one of the solid-fueled boosters. This resulted in hot gases penetrating the external liquid hydrogen fuel tank. The first noticeable abnormal event that led to the tragedy was that one of the solid-fueled boosters pulled away from its attachment to the external tank. One second later the hydrogen tank failed and produced a propulsive force great enough to push the hydrogen tank into the liquid oxygen tank. The disintegration of the tanks and movement of the boosters caused the vehicle to move into an aerodynamically destructive attitude, whereupon the whole vehicle broke apart.

Each solid-fuel booster was an assembly of several small sections. The o-rings were placed between sections to prevent gases from escaping during operation. In early testing of the booster concept it was found that ignition caused the shell of the booster to balloon under pressure, separating the joints and causing hot gases to leak from them. However, it was observed that the o-rings would move to fill the gaps and stop the gases soon afterward. So, the manufacturer changed its design specifications to accommodate this fact.

Unfortunately, the o-rings were damaged during this reseating process. It was known that the damage and the time to failure of the o-rings were a function of several variables, including temperature. Because the morning of the liftoff was an unusually cold January morning, the temperature of the o-rings at liftoff was such that they could not function as seals at all.

The low temperature had prompted concern from contractor engineers. At a teleconference on the evening of January 27, company engineers and managers discussed the weather conditions with NASA managers from Kennedy Space Center and Marshall Space Flight Center. Several engineers expressed their concern about the effect of the temperature on the resilience of the rubber o-rings that sealed the joints of the boosters. They argued that if the o-rings were colder than 53 degrees there was no guarantee the o-rings would seal properly. This was an important consideration, since the o-rings had been designated as a "Criticality 1" component, meaning their failure would destroy the shuttle and its crew. They also argued that the low overnight temperatures would almost certainly result in booster temperatures below their redline of 40 degrees. However, they were overruled by company management, who recommended that the launch proceed as scheduled.

Due to the low temperature, a significant amount of ice built up on the fixed service structure that stood beside the shuttle. The Kennedy Ice Team inadvertently pointed an infrared camera at the aft field joint of the right booster and found the temperature to be only 8 degrees. This was the result of supercooled air blowing on the joint from the liquid oxygen tank vent. It was much lower than the air temperature and far below the design specifications for the o-rings. This information was never communicated to the decision makers.

Although the Ice Team had worked through the night removing ice (without knowing of the supercooled joint), engineers at the shuttle's prime contractor still expressed concern. They warned that during launch ice might be shaken loose and strike the shuttle, possibly due to the aspiration induced by the jet of exhaust from the boosters. Although Rockwell viewed this situation as a launch constraint, Rockwell's managers at the Cape voiced their concerns in a manner that led Aldrich to go ahead with the launch.

A commission led by former secretary of state William P. Rogers and astronaut Neil Armstrong concluded that NASA, its Marshall Space Flight Center, and the contractor Morton Thiokol, the booster's manufacturer, were guilty of faulty management and poor engineering. NASA's ambitious launch schedule, it was found, had outstripped its resources and overridden warnings from safety engineers.

The Columbia (2003): The Columbia broke apart during re-entry into the atmosphere. The cause was damaged thermal tiles on the left wing, which had been hit during launch by foam fragments that came off the external fuel tank. Seven people died, and the space program was on hold for a considerable time after that.

While Columbia was still in orbit, some engineers suspected damage, but NASA managers limited the investigation on the grounds that little could be done even if problems were found.

NASA's Shuttle safety regulations stated that external tank foam shedding and subsequent debris strikes upon the Shuttle itself were safety issues that needed to be resolved before a launch was cleared, but launches were often given the go-ahead as engineers unsuccessfully studied the foam shedding problem.

The majority of Shuttle launches recorded such foam strikes and thermal tile scarring in violation of safety regulations. During re-entry of Columbia the damaged area allowed heat to build up, penetrate, and destroy the internal wing structure, eventually causing the in-flight breakup of the vehicle.

In a risk-management scenario similar to the Challenger disaster, NASA management failed to recognize the relevance of engineering concerns for safety. Two examples were 1) failure to honor engineer requests for imaging to inspect possible damage, and 2) failure to respond to engineer requests about the status of astronaut inspection of the left wing. Engineering made three separate requests for Department of Defense imaging of the shuttle in orbit to more precisely determine damage. While the images were not guaranteed to show the damage, the capability existed for imaging of sufficient resolution to provide meaningful examination. NASA management did not honor the requests and in some cases intervened to stop the DOD from assisting.

NASA managers felt a rescue or repair was impossible, so there was no point in trying to inspect the vehicle for damage while on orbit. However, the accident investigation board determined that either a rescue mission or an on-orbit repair, though risky, might have been possible had NASA verified severe damage within the first five days of the mission.