white arrow on a blue background
(Photo by Nick Fewings on Unsplash)

By Tara Hoke

The July 8 launch of the space shuttle Atlantis, the final flight in this National Aeronautics and Space Administration (NASA) program, presents a timely opportunity to reflect on the 30-year history of shuttle flights. The 135 flights of Atlantis and her sister ships have witnessed enormous scientific success but have not been without tragic and costly failures. The losses of the shuttles Challenger and Columbia and their crews offer poignant examples both of the courage of NASA's astronauts in pursuing the interests of space exploration and of the importance of engineering ethics in ensuring the safety of people dependent upon an engineer's judgment.


On January 28, 1986, Challenger exploded and broke apart some 73 seconds after liftoff, taking the lives of its seven crew members. The explosion was traced to the O-rings in the shuttle's right solid-propellant booster, which failed to form the necessary seal and allowed high-temperature gases to escape and burn through the external fuel tank. The destruction of Columbia, on February 1, 2003, during reentry into the earth's atmosphere, was the result of a piece of insulating foam that had separated from the left bipod ramp of the external tank and struck Columbia' s wing during takeoff, causing damage to its thermal protection system. Upon reentry, superheated air penetrated the damaged wing, weakening the structure and causing it to disintegrate.

What is most striking about the two shuttle disasters from an ethics standpoint is the extent to which the technical issues leading to the failures had been recognized and understood by the engineers involved in the missions. In the case of Challenger , engineers had known of a design flaw in a tang and clevis joint in the solid-propellant boosters from the earliest days of the program. The design featured two O-rings that were intended to seal the joint by compression. However, ignition caused the tang and clevis to move away from each other, lessening rather than increasing pressure on the O-rings. The primary O-ring would shift forward into the gap between the tang and clevis, forming a seal, but hot gas would escape during the time of the shift, causing damage to the O-rings. However, neither the manufacturers nor NASA made an attempt to correct the design flaw, choosing to regard the seal created after the shift as acceptable.

In 1985 Roger Boisjoly-a mechanical engineer employed by Morton Thiokol, the company responsible for producing the solid-propellant boosters-observed significant O-ring damage in a nozzle joint during a postflight inspection of another shuttle. He found that low temperatures had lengthened the time required for the O-ring to move from its groove, thereby allowing more hot gas to escape. He sent a memorandum to his senior manager noting that if a similar event occurred in a field joint, "the result would be a catastrophe of the highest order-loss of human life."

Temperatures on the night before the Challenger liftoff were predicted to be well below the range of current data results, and Boisjoly and other engineers recommended that the launch be postponed. But NASA was operating under a tight window of opportunity for the launch, and its rocket booster project manager contended that the data were inconclusive. Morton Thiokol's senior executives met in closed session to discuss the matter and, over the objections of the company's engineers, voted to recommend that the launch proceed.

With regard to Columbia, NASA's original design specifications for the space shuttles considered damage from foam loss to be a particular safety threat and required that "no debris shall emanate from the critical zone of the tank on the launch pad or during ascent." In practice, however, damage from space debris occurred on every shuttle flight, and nearly every ascent involved some shedding of insulating foam. Foam shedding from the left bipod ramp had been detected on at least six prior missions. Yet because of the success of those missions NASA came to consider the incidents as mere "in-flight anomalies," not as something that could jeopardize the crew.

On reviewing footage of Columbia's January 16, 2003, liftoff, engineers at NASA observed that a significant piece of insulating foam had broken off and struck the shuttle's left wing. Concerned by the size and momentum of the debris, members of the debris assessment team made a series of requests for satellite images in order to assess the extent of the damage. Convinced, however, that the problem was a maintenance and not a safety issue, NASA managers denied the request. Turning the shuttle in such a way as to obtain images could, they reasoned, have interfered with the mission's schedule or hampered scientific experiments. Assessment team members were therefore advised that images would be requested only if there was a "mandatory need." Lacking the appropriate tools or data to substantiate the existence of a safety risk, the assessment team members failed to persuade the mission's decision makers to address their safety concerns.


What ethical lessons can be drawn from these tragedies?


While the circumstances of each event have been greatly simplified here, in both cases the tragedies might have been averted if sound engineering judgment had prevailed. Challenger's launch could have been delayed until temperatures had risen, and rescue or repair options were available if the extent of the damage to Columbia had been detected. In both cases the design problems leading to the failures could have been addressed earlier. The events surrounding the shuttle disasters encapsulate the range of considerations that can compromise an engineer's commitment to safety. Such circumstances include cost and scheduling concerns, pressure from employers or clients to make decisions consistent with their interests, barriers to effective communication, inherent uncertainties in the necessary analyses or data, and an organizational culture that rewards consistency and punishes the voice of dissent.

In the face of such pressures, it is important to remember that canon 1 of ASCE's Code of Ethics requires engineers to "hold paramount the safety, health, and welfare of the public." This provision embodies the engineering profession's commitment to serve the public irrespective of circumstances that may make this duty cumbersome or personally costly. The tragic losses of Challenger and Columbia are a lasting reminder of the importance of this ethical charge.

Those interested in further exploring the ethical and engineering aspects of these tragedies may find the following works helpful:

Tara Hoke is ASCE’s general counsel and a contributing editor to Civil Engineering.

© ASCE, ASCE News, August, 2011