On January 28, 1986, Challenger exploded and broke apart some 73 seconds after liftoff, taking the lives of its seven crew members. The explosion was traced to the O-rings in the shuttle's right solid-propellant booster, which failed to form the necessary seal and allowed high-temperature gases to escape and burn through the external fuel tank. The destruction of Columbia on February 1, 2003, during reentry into the earth's atmosphere, was the result of a piece of insulating foam that had separated from the left bipod ramp of the external tank and struck Columbia's wing during takeoff, causing damage to its thermal protection system. Upon reentry, superheated air penetrated the damaged wing, weakening the structure and causing it to disintegrate.
What is most striking about the two shuttle disasters from an ethics standpoint is the extent to which the technical issues leading to the failures had been recognized and understood by the engineers involved in the missions. In the case of Challenger, engineers had known of a design flaw in a tang and clevis joint in the solid-propellant boosters from the earliest days of the program. The design featured two O-rings that were intended to seal the joint by compression. However, ignition caused the tang and clevis to move away from each other, lessening rather than increasing pressure on the O-rings. The primary O-ring would shift forward into the gap between the tang and clevis, forming a seal, but hot gas would escape during the time of the shift, causing damage to the O-rings. However, neither the manufacturers nor NASA made an attempt to correct the design flaw, choosing to regard the seal created after the shift as acceptable.
In 1985 Roger Boisjoly (a mechanical engineer employed by Morton Thiokol, the company responsible for producing the solid-propellant boosters) observed significant O-ring damage in a nozzle joint during a postflight inspection of another shuttle. He found that low temperatures had lengthened the time required for the O-ring to move from its groove, thereby allowing more hot gas to escape. He sent a memorandum to his senior manager noting that if a similar event occurred in a field joint, "the result would be a catastrophe of the highest order - loss of human life."
Temperatures on the night before the Challenger liftoff were predicted to be well below the range of current data results, and Boisjoly and other engineers recommended that the launch be postponed. But NASA was operating under a tight window of opportunity for the launch, and its rocket booster project manager contended that the data were inconclusive. Morton Thiokol's senior executives met in closed session to discuss the matter and, over the objections of the company's engineers, voted to recommend that the launch proceed.
With regard to Columbia, NASA's original design specifications for the space shuttles considered damage from foam loss to be a particular safety threat and required that "no debris shall emanate from the critical zone of the tank on the launch pad or during ascent." In practice, however, damage from space debris occurred on every shuttle flight, and nearly every ascent involved some shedding of insulating foam. Foam shedding from the left bipod ramp had been detected on at least six prior missions. Yet because of the success of those missions NASA came to consider the incidents as mere "in-flight anomalies," not as something that could jeopardize the crew.
On reviewing footage of Columbia's January 16, 2003, liftoff, engineers at NASA observed that a significant piece of insulating foam had broken off and struck the shuttle's left wing. Concerned by the size and momentum of the debris, members of the debris assessment team made a series of requests for satellite images in order to assess the extent of the damage. Convinced, however, that the problem was a maintenance and not a safety issue, NASA managers denied the request. Turning the shuttle in such a way as to obtain images could, they reasoned, have interfered with the mission's schedule or hampered scientific experiments. Assessment team members were therefore advised that images would be requested only if there was a "mandatory need." Lacking the appropriate tools or data to substantiate the existence of a safety risk, the assessment team members failed to persuade the mission's decision makers to address their safety concerns.
What ethical lessons can be drawn from these tragedies?
While the circumstances of each event have been greatly simplified here, in both cases the tragedies might have been averted if sound engineering judgment had prevailed. Challenger's launch could have been delayed until temperatures had risen, and rescue or repair options were available if the extent of the damage to Columbia had been detected. In both cases the design problems leading to the failures could have been addressed earlier. The events surrounding the shuttle disasters encapsulate the range of considerations that can compromise an engineer's commitment to safety. Such circumstances include cost and scheduling concerns, pressure from employers or clients to make decisions consistent with their interests, barriers to effective communication, inherent uncertainties in the necessary analyses or data, and an organizational culture that rewards consistency and punishes the voice of dissent.
In the face of such pressures, it is important to remember that canon 1 of ASCE's Code of Ethics requires engineers to "hold paramount the safety, health, and welfare of the public." This provision embodies the engineering profession's commitment to serve the public irrespective of circumstances that may make this duty cumbersome or personally costly. The tragic losses of Challenger and Columbia are a lasting reminder of the importance of this ethical charge.
Those interested in further exploring the ethical and engineering aspects of these tragedies may find the following works helpful:
© ASCE, Civil Engineering, August, 2011