ENGINEERING ETHICS
The Space Shuttle Challenger Disaster
Department of Philosophy and Department of Mechanical
Engineering
Texas A&M University
NSF Grant Number
DIR-9012252
Instructor's Guide
Introduction To The Case
On January 28, 1986, seven astronauts were killed when the
space shuttle they were piloting, the Challenger,
exploded just over a minute into the flight. The failure of the
solid rocket booster O-rings to seat properly
allowed hot combustion gases to leak from the side of the
booster and burn through the external fuel tank. The
failure of the O-ring was attributed to several factors, including
faulty design of the solid rocket boosters,
insufficient low-temperature testing of the O-ring material and
the joints that the O-ring sealed, and lack of
proper communication between different levels of NASA
management.
Instructor Guidelines
Prior to class discussion, ask the students to read the student
handout outside of class. In class the details of the
case can be reviewed with the aid of the overheads. Reserve
about half of the class period for an open
discussion of the issues. The issues covered in the student
handout include the importance of an engineer's
responsibility to public welfare, the need for this responsibility
to hold precedence over any other responsibilities
the engineer might have and the responsibilities of a
manager/engineer. A final point is the fact that no matter how
far removed from the public an engineer may think she is, all of
her actions have potential impact. Essay #6,
"Loyalty and Professional Rights" appended at the end of the
case listings in this report will be found relevant for
instructors preparing to lead class discussion on this case. In
addition, essays #1 through #4 appended at the end
of the cases in this report will have relevant background
information for the instructor preparing to lead
classroom discussion. Their titles are, respectively: "Ethics and
Professionalism in Engineering: Why the Interest in
Engineering Ethics?;" "Basic Concepts and Methods in Ethics,"
"Moral Concepts and Theories," and
"Engineering Design: Literature on Social Responsibility
Versus Legal Liability."
Questions for Class Discussion
1. What could NASA management have done differently?
2. What, if anything, could their subordinates have done
differently?
3. What should Roger Boisjoly have done differently (if
anything)? In answering this question, keep in mind
that at his age, the prospect of finding a new job if he was fired
was slim. He also had a family to support.
4. What do you (the students) see as your future engineering
professional responsibilities in relation to both
being loyal to management and protecting the public welfare?
The Challenger Disaster Overheads
1. Organizations/People Involved
2. Key Dates
3. Space Shuttle Solid Rocket Boosters (SRB) Joints
4. Detail of SRB Field Joints
5. Ballooning Effect of Motor Casing
6. Key Issues
ORGANIZATIONS/PEOPLE INVOLVED
Marshall Space Flight Center - in charge of booster rocket
development
Larry Mulloy - challenged the engineers' decision not to launch
Morton Thiokol - Contracted by NASA to build the Solid
Rocket Booster
Alan McDonald - Director of the Solid Rocket Motors Project
Bob Lund - Engineering Vice President
Robert Ebeling - Engineer who worked under McDonald
Roger Boisjoly - Engineer who worked under McDonald
Joe Kilminster - Engineer in a management position
Jerald Mason - Senior executive who encouraged Lund to
reassess his decision not to launch.
KEY DATES
1974 - Morton-Thiokol awarded contract to build solid rocket
boosters.
1976 - NASA accepts Morton-Thiokol's booster design.
1977 - Morton-Thiokol discovers joint rotation problem.
November 1981 - O-ring erosion
discovered after second shuttle flight.
January 24, 1985 - shuttle flight that exhibited the worst O-ring
blow-by.
July 1985 - Thiokol orders new steel billets for new field joint
design.
August 19, 1985 - NASA Level I management briefed on
booster problem.
January 27, 1986 - night teleconference to discuss effects of
cold temperature on booster
performance.
January 28, 1986 - Challenger explodes 72 seconds after liftoff.
KEY ISSUES
HOW DOES THE IMPLIED SOCIAL CONTRACT OF
PROFESSIONALS APPLY TO
THIS CASE?
WHAT PROFESSIONAL RESPONSIBILITIES WERE
NEGLECTED, IF ANY?
SHOULD NASA HAVE DONE ANYTHING DIFFERENTLY IN
THEIR LAUNCH
DECISION PROCEDURE?
Student Handout - Synopsis
On January 28, 1986, seven astronauts were killed when the
space shuttle they were piloting, the Challenger,
exploded just over a minute into flight. The failure of the solid
rocket booster O-rings to seat properly allowed
hot combustion gases to leak from the side of the booster and
burn through the external fuel tank. The failure of
the O-ring was attributed to several factors, including faulty
design of the solid rocket boosters, insufficient low
temperature testing of the O-ring material and the joints that the
O-ring sealed, and lack of communication
between different levels of NASA management.
Organization and People Involved
Marshall Space Flight Center - in charge of booster rocket
development
Larry Mulloy - challenged the engineers' decision not to launch
Morton Thiokol - Contracted by NASA to build the Solid
Rocket Booster
Alan McDonald - Director of the Solid Rocket Motors Project
Bob Lund - Engineering Vice President
Robert Ebeling - Engineer who worked under McDonald
Roger Boisjoly - Engineer who worked under McDonald
Joe Kilminster - Engineer in a management position
Jerald Mason - Senior Executive who encouraged Lund to
reassess his decision not to launch.
Key Dates
1974 - Morton-Thiokol awarded contract to build solid rocket
boosters.
1976 - NASA accepts Morton-Thiokol's booster design.
1977 - Morton-Thiokol discovers joint rotation problem.
November 1981 - O-ring erosion discovered after second shuttle flight.
January 24, 1985 - shuttle flight that exhibited the worst O-ring blow-by.
July 1985 - Thiokol orders new steel billets for new field joint design.
August 19, 1985 - NASA Level I management briefed on
booster problem.
January 27, 1986 - night teleconference to discuss effects of
cold temperature on booster
performance.
January 28, 1986 - Challenger explodes 72 seconds after liftoff.
Background
NASA managers were anxious to launch the Challenger for
several reasons, including economic considerations,
political pressures, and scheduling backlogs. Unforeseen
competition from the European Space Agency put
NASA in a position where it would have to fly the shuttle
dependably on a very ambitious schedule in order to
prove the Space Transportation System's cost effectiveness and
potential for commercialization. This prompted
NASA to schedule a record number of missions in 1986 to make
a case for its budget requests. The shuttle
mission just prior to the Challenger had been delayed a record
number of times due to inclement weather and
mechanical factors. NASA wanted to launch the Challenger
without any delays so the launch pad could be
refurbished in time for the next mission, which would be
carrying a probe that would examine Halley's Comet. If
launched on time, this probe would have collected data a few
days before a similar Russian probe would be
launched. There was probably also pressure to launch
Challenger so it could be in space when President
Reagan gave his State of the Union address. Reagan's main
topic was to be education, and he was expected to
mention the shuttle and the first teacher in space, Christa
McAuliffe. The shuttle solid rocket boosters (or SRBs),
are key elements in the operation of the shuttle. Without the
boosters, the shuttle cannot produce enough thrust
to overcome the earth's gravitational pull and achieve orbit.
There is an SRB attached to each side of the external
fuel tank. Each booster is 149 feet long and 12 feet in diameter.
Before ignition, each booster weighs 2 million
pounds. Solid rockets in general produce much more thrust per
pound than their liquid fuel counterparts. The
drawback is that once the solid rocket fuel has been ignited, it
cannot be turned off or even controlled. So it was
extremely important that the shuttle SRBs were properly
designed. Morton Thiokol was awarded the contract to
design and build the SRBs in 1974. Thiokol's design is a scaled-
up version of a Titan missile which had been
used successfully for years. NASA accepted the design in 1976.
The booster is comprised of seven hollow
metal cylinders. The solid rocket fuel is cast into the cylinders
at the Thiokol plant in Utah, and the cylinders are
assembled into pairs for transport to Kennedy Space Center in
Florida. At KSC, the four booster segments are
assembled into a completed booster rocket. The joints where the
segments are joined together at KSC are
known as field joints (See Figure 1). These field joints consist
of a tang and clevis joint. The tang and clevis are
held together by 177 clevis pins. Each joint is sealed by two
O-rings, the bottom ring known as the primary O-ring,
and the top known as the secondary O-ring. (The Titan
booster had only one O-ring. The second ring was
added as a measure of redundancy since the boosters would be
lifting humans into orbit. Except for the
increased scale of the rocket's diameter, this was the only major
difference between the shuttle booster and the
Titan booster.) The purpose of the O-rings is to prevent hot
combustion gasses from escaping from the inside of
the motor. To provide a barrier between the rubber O-rings and
the combustion gasses, a heat resistant putty is
applied to the inner section of the joint prior to assembly. The
gap between the tang and the clevis determines the
amount of compression on the O-ring. To minimize the gap and
increase the squeeze on the O-ring, shims are
inserted between the tang and the outside leg of the clevis.
Launch Delays
The first delay of the Challenger mission was because of a
weather front expected to move into the area,
bringing rain and cold temperatures. Usually a mission wasn't
postponed until inclement weather actually entered
the area, but the Vice President was expected to be present for
the launch and NASA officials wanted to avoid
the necessity of the Vice President's having to make an
unnecessary trip to Florida; so they postponed the launch
early. The Vice President was a key spokesperson for the
President on the space program, and NASA coveted
his good will. The weather front stalled, and the launch window
had perfect weather conditions; but the launch
had already been postponed to keep the Vice President from
unnecessarily traveling to the launch site. The
second launch delay was caused by a defective micro switch in
the hatch locking mechanism and by problems in
removing the hatch handle. By the time these problems had been
sorted out, winds had become too high. The
weather front had started moving again, and appeared to be
bringing record-setting low temperatures to the
Florida area. NASA wanted to check with all of its contractors
to determine if there would be any problems with
launching in the cold temperatures. Alan McDonald, director of
the Solid Rocket Motor Project at Morton-
Thiokol, was convinced that there were cold weather problems
with the solid rocket motors and contacted two
of the engineers working on the project, Robert Ebeling and
Roger Boisjoly. Thiokol knew there was a problem
with the boosters as early as 1977, and had initiated a redesign
effort in 1985. NASA Level I management had
been briefed on the problem on August 19, 1985. Almost half of
the shuttle flights had experienced O-ring
erosion in the booster field joints. Ebeling and Boisjoly had
complained to Thiokol that management was not
supporting the redesign task force.
Engineering Design
The size of the gap is controlled by several factors, including
the dimensional tolerances of the metal cylinders
and their corresponding tang or clevis, the ambient temperature,
the diameter of the O-ring, the thickness of the
shims, the loads on the segment, and quality control during
assembly. When the booster is ignited, the putty is
displaced, compressing the air between the putty and the
primary O-ring. The air pressure forces the O-ring into
the gap between the tang and clevis. Pressure loads are also
applied to the walls of the cylinder, causing the
cylinder to balloon slightly. This ballooning of the cylinder
walls causes the gap between the tang and clevis
to open. This effect has come to be known as joint rotation.
Morton-Thiokol discovered this joint rotation as
part of its testing program in 1977. Thiokol discussed the
problem with NASA and started analyzing and testing
to determine how to increase the O-ring compression, thereby
decreasing the effect of joint rotation. Three
design changes were implemented:
1. Dimensional tolerances of the metal joint were tightened.
2. The O-ring diameter was increased, and its dimensional
tolerances were tightened.
3. The use of the shims mentioned above was introduced.
Further testing by Thiokol revealed that the
second seal, in some cases, might not seal at all. Additional
changes in the shim thickness and O-ring
diameter were made to correct the problem.
A new problem was discovered during November 1981, after the
flight of the second shuttle mission.
Examination of the booster field joints revealed that the O-rings
were eroding during flight. The joints were still
sealing effectively, but the O-ring material was being eaten
away by hot gasses that escaped past the putty.
Thiokol studied different types of putty and methods of applying it to
determine their effect on O-ring erosion. The
shuttle flight 51-C of January 24, 1985, was launched during
some of the coldest weather in Florida history.
Upon examination of the booster joints, engineers at Thiokol
noticed black soot and grease on the outside of the
booster casing, caused by actual gas blow-by. This prompted
Thiokol to study the effects of O-ring resiliency at
low temperatures. They conducted laboratory tests of O-ring
compression and resiliency between 50°F and
100°F. In July 1985, Morton Thiokol ordered new steel billets
which would be used for a redesigned case field
joint. At the time of the accident, these new billets were not
ready for Thiokol, because they take many months
to manufacture.
The Night Before the Launch
Temperatures for the next launch date were predicted to be in
the low 20°s. This prompted Alan McDonald to
ask his engineers at Thiokol to prepare a presentation on the
effects of cold temperature on booster
performance. A teleconference was scheduled the evening
before the re-scheduled launch in order to discuss the
low temperature performance of the boosters. This
teleconference was held between engineers and management
from Kennedy Space Center, Marshall Space Flight Center in
Alabama, and Morton-Thiokol in Utah. Boisjoly
and another engineer, Arnie Thompson, knew this would be
another opportunity to express their concerns about
the boosters, but they had only a short time to prepare their data
for the presentation.1 Thiokol's engineers gave
an hour-long presentation, presenting a convincing argument
that the cold weather would exaggerate the
problems of joint rotation and delayed O-ring seating. The
lowest temperature experienced by the O-rings in any
previous mission was 53°F, the January 24, 1985 flight. With a
predicted ambient temperature of 26°F at
launch, the O-rings were estimated to be at 29°F. After the
technical presentation, Thiokol's Engineering Vice
President Bob Lund presented the conclusions and
recommendations. His main conclusion was that 53°F was
the only low temperature data Thiokol had for the effects of
cold on the operational boosters. The boosters had
experienced O-ring erosion at this temperature. Since his
engineers had no low temperature data below 53°F,
they could not prove that it was unsafe to launch at lower
temperatures. He read his recommendations and
commented that the predicted temperatures for the morning's
launch were outside the data base and NASA
should delay the launch, so the ambient temperature could rise
until the O-ring temperature was at least 53°F.
This confused NASA managers because the booster design
specifications called for booster operation as low as
31°F. (It later came out in the investigation that Thiokol
understood that the 31°F limit temperature was for
storage of the booster, and that the launch temperature limit was
40°F. Because of this, dynamic tests of the
boosters had never been performed below 40°F.) Marshall's
Solid Rocket Booster Project Manager, Larry
Mulloy, commented that the data was inconclusive and
challenged the engineers' logic. A heated debate went on
for several minutes before Mulloy bypassed Lund and asked Joe
Kilminster for his opinion. Kilminster was in
management, although he had an extensive engineering
background. By bypassing the engineers, Mulloy was
calling for a middle-management decision, but Kilminster stood
by his engineers. Several other managers at
Marshall expressed their doubts about the recommendations,
and finally Kilminster asked for a meeting off of the
net, so Thiokol could review its data. Boisjoly and Thompson
tried to convince their senior managers to stay with
their original decision not to launch. A senior executive at
Thiokol, Jerald Mason, commented that a management
decision was required. The managers seemed to believe the O-
rings could be eroded up to one third of their
diameter and still seat properly, regardless of the temperature.
The data presented to them showed no
correlation between temperature and the blow-by gasses which
eroded the O-rings in previous missions.
According to testimony by Kilminster and Boisjoly, Mason
finally turned to Bob Lund and said, "Take off your
engineering hat and put on your management hat." Joe
Kilminster wrote out the new recommendation and went
back on line with the teleconference. The new recommendation
stated that the cold was still a safety concern, but
their people had found that the original data was indeed
inconclusive and their "engineering assessment" was that
launch was recommended, even though the engineers had no
part in writing the new recommendation and
refused to sign it. Alan McDonald, who was present with NASA
management in Florida, was surprised to see
the recommendation to launch and appealed to NASA
management not to launch. NASA managers decided to
approve the boosters for launch despite the fact that the
predicted launch temperature was outside of their
operational specifications.
The Launch
During the night, temperatures dropped to as low as 8°F, much
lower than had been anticipated. In order to
keep the water pipes in the launch platform from freezing,
safety showers and fire hoses had been turned on.
Some of this water had accumulated, and ice had formed all
over the platform. There was some concern that the
ice would fall off of the platform during launch and might
damage the heat resistant tiles on the shuttle. The ice
inspection team thought the situation was of great concern, but
the launch director decided to go ahead with the
countdown. Note that safety limitations on low temperature
launching had to be waived and authorized by key
personnel several times during the final countdown. These key
personnel were not aware of the teleconference
about the solid rocket boosters that had taken place the night
before. At launch, the impact of ignition broke
loose a shower of ice from the launch platform. Some of the ice
struck the left-hand booster, and some ice was
actually sucked into the booster nozzle itself by an aspiration
effect. Although there was no evidence of any ice
damage to the Orbiter itself, NASA analysis of the ice problem
was wrong. The booster ignition transient started
six hundredths of a second after the igniter fired. The aft field
joint on the right-hand booster was the coldest spot
on the booster: about 28°F. The booster's segmented steel
casing ballooned and the joint rotated, expanding
inward as it had on all other shuttle flights. The primary O-ring
was too cold to seat properly, the cold-stiffened
heat resistant putty that protected the rubber O-rings from the
fuel collapsed, and gases at over 5000°F burned
past both O-rings across seventy degrees of arc. Eight
hundredths of a second after ignition, the shuttle lifted off.
Engineering cameras focused on the right-hand booster showed
about nine smoke puffs coming from the booster
aft field joint. Before the shuttle cleared the tower, oxides from
the burnt propellant temporarily sealed the field
joint before flames could escape. Fifty-nine seconds into the
flight, Challenger experienced the most violent
wind shear ever encountered on a shuttle mission. The glassy
oxides that sealed the field joint were shattered by
the stresses of the wind shear, and within seconds flames from
the field joint burned through the external fuel
tank. Hundreds of tons of propellant ignited, tearing apart the
shuttle. One hundred seconds into the flight, the
last bit of telemetry data was transmitted from the Challenger.
Issues For Discussion
The Challenger disaster has several issues which are relevant to
engineers. These issues raise many questions
which may not have any definite answers, but can serve to
heighten the awareness of engineers when faced with
a similar situation. One of the most important issues deals with
engineers who are placed in management
positions. It is important that these managers not ignore their
own engineering experience, or the expertise of their
subordinate engineers. Often a manager, even if she has
engineering experience, is not as up to date on current
engineering practices as are the actual practicing engineers. She
should keep this in mind when making any sort
of decision that involves an understanding of technical matters.
Another issue is that managers
encouraged launching because there was insufficient
low temperature data. Since there was not
enough data available to make an informed decision, this was
not, in their opinion, grounds for stopping a launch.
This was a reversal in the thinking that went on in the early
years of the space program, which discouraged
launching until all the facts were known about a particular
problem. This same reasoning can be traced back to
an earlier phase in the shuttle program, when upper-level NASA
management was alerted to problems in the
booster design, yet did not halt the program until the problem
was solved. To better understand the responsibility
of the engineer, some key elements of the professional
responsibilities of an engineer should be examined. This
will be done from two perspectives: the implicit social contract
between engineers and society, and the guidance
of the codes of ethics of professional societies. As engineers
test designs for ever-increasing speeds, loads,
capacities and the like, they must always be aware of their
obligation to society to protect the public welfare.
After all, the public has provided engineers, through the tax
base, with the means for obtaining an education and,
through legislation, the means to license and regulate
themselves. In return, engineers have a responsibility to
protect the safety and well-being of the public in all of their
professional efforts. This is part of the implicit social
contract all engineers have agreed to when they accepted
admission to an engineering college. The first canon in
the ASME Code of Ethics urges engineers to "hold paramount
the safety, health and welfare of the public in the
performance of their professional duties." Every major
engineering code of ethics reminds engineers of the
importance of their responsibility to keep the safety and well-being
of the public at the top of their list of priorities.
Although company loyalty is important, it must not be allowed
to override the engineer's obligation to the public.
Marcia Baron, in an excellent monograph on loyalty, states: "It
is a sad fact about loyalty that it invites...single-
mindedness. Single-minded pursuit of a goal is sometimes
delightfully romantic, even a real inspiration. But it is
hardly something to advocate to engineers, whose impact on the
safety of the public is so very significant.
Irresponsibility, whether caused by selfishness or by
magnificently unselfish loyalty, can have most unfortunate
consequences."
Annotated Bibliography and Suggested References
Feynman, Richard Phillips, What Do You Care What Other
People Think?: Further Adventures of a Curious
Character, Bantam Doubleday Dell Pub, ISBN 0553347845, Dec
1992. Reference added by request of
Sharath Bulusu, as being pertinent and excellent reading - 8-25-00.
Lewis, Richard S., Challenger: the final voyage, Columbia
University Press, New York, 1988.
McConnell, Malcolm, Challenger: a major malfunction,
Doubleday, Garden City, N.Y., 1987.
Trento, Joseph J., Prescription for disaster, Crown, New York,
c1987.
United States. Congress. House. Committee on Science and
Technology, Investigation of the Challenger
accident : hearings before the Committee on Science and
Technology, U.S. House of Representatives,
Ninety-ninth Congress, second session .... U.S.
G.P.O., Washington, 1986.
United States. Congress. House. Committee on Science and
Technology, Investigation of the Challenger
accident : report of the Committee on Science and Technology,
House of Representatives, Ninety-ninth
Congress, second session. U.S. G.P.O., Washington, 1986.
United States. Congress. House. Committee on Science, Space,
and Technology, NASA's response to the
committee's investigation of the "Challenger" accident :
hearing before the Committee on Science,
Space, and Technology, U.S. House of Representatives, One
hundredth Congress, first session, February
26, 1987. U.S. G.P.O., Washington, 1987.
United States. Congress. Senate. Committee on Commerce,
Science, and Transportation. Subcommittee on
Science, Technology, and Space, Space shuttle accident :
hearings before the Subcommittee on Science,
Technology, and Space of the Committee on Commerce,
Science, and Transportation, United States
Senate, Ninety-ninth Congress, second session, on space shuttle
accident and the Rogers Commission
report, February 18, June 10, and 17, 1986. U.S. G.P.O.,
Washington, 1986.
Notes
1. "Challenger: A Major Malfunction." (see above) p. 194.
2. Baron, Marcia. The Moral Status of Loyalty. Illinois Institute
of Technology: Center for the Study of Ethics
in the Professions, 1984, p. 9. One of a series of monographs on
applied ethics that deal specifically with the
engineering profession. Provides arguments both for and against
loyalty. 28 pages with notes and an annotated
bibliography.
Engineering Ethics Case Study:
The Challenger Disaster
Course No: LE3-001
Credit: 3 PDH
Mark Rossow, PhD, PE, Retired
Continuing Education and Development, Inc.
9 Greyridge Farm Court
Stony Point, NY 10980
P: (877) 322-5800
F: (877) 322-4774
Engineering Ethics Case Study: The
Challenger Disaster
Mark P. Rossow, P.E., Ph.D.
© 2012 Mark P. Rossow
All rights reserved. No part of this work may be reproduced in
any manner without the written
permission of the author.
Preface
On January 28, 1986, the Space Shuttle Challenger burst into
flame shortly after liftoff. All
passengers aboard the vehicle were killed. A presidential
commission was formed to investigate
the cause of the accident and found that the O-ring seals had
failed, and, furthermore, that the
seals had been recognized as a potential hazard for several years
prior to the disaster. The
commission’s report, Report to the President by the Presidential
Commission on the Space
Shuttle Challenger Accident, stated that because managers and
engineers had known in advance
of the O-ring danger, the accident was principally caused by a
lack of communication between
engineers and management and by poor management practices.
This became the standard
interpretation of the cause of the Challenger disaster and
routinely appears in popular articles and
books about engineering, management, and ethical issues.
But the interpretation ignores much of the history of how NASA
and the contractor’s engineers
had actually recognized and dealt with the O-ring problems in
advance of the disaster. When
this history is considered in more detail, the conclusions of the
Report to the President become
far less convincing. Two excellent publications that give a
much more complete account of
events leading up to the disaster are The Challenger Launch
Decision by Diane Vaughan, and
Power To Explore -- History of Marshall Space Flight Center
1960-1990 by Andrew Dunar and
Stephen Waring. As Dunar and Waring put it—I would apply
their remarks to Vaughan’s work
as well— “Allowing Marshall engineers and managers to tell
their story, based on pre-accident
documents and on post-accident testimony and interviews, leads
to a more realistic account of
the events leading up to the accident than that found in the
previous studies.” I would strongly
encourage anyone with the time and interest to read both of
these publications, which are
outstanding works of scholarship. For those persons lacking the
time—the Vaughan book is
over 550 pages—I have written the present condensed
description of the Challenger incident. I
have drawn the material for Sections 1-8 and 10 from multiple
sources but primarily from
Vaughan, the Report to the President, and Dunar and Waring.
Of course, any errors introduced
during the process of fitting their descriptions and ideas into my
narrative are mine and not the
fault of these authors. Sections 9, 11, and 12 are original
contributions of my own. All figures
have been taken from Report to the President.
Mark Rossow
Introduction
Course Content
This course provides instruction in engineering ethics through a
case study of the Space Shuttle
Challenger disaster. The course begins by presenting the
minimum technical details needed to
understand the physical cause of the Shuttle failure. The
disaster itself is chronicled through
NASA photographs. Next the decision-making process—
especially the discussions occurring
during the teleconference held on the evening before the
launch—is described. Direct quotations
from engineers interviewed after the disaster are frequently
used to illustrate the ambiguities of
the data and the pressures that the decision-makers faced in the
period preceding the launch. The
course culminates in an extended treatment of six ethical issues
raised by Challenger.
Purpose of Case Studies
Principles of engineering ethics are easy to formulate but
sometimes hard to apply. Suppose, for
example, that an engineering team has made design choice X,
rather than Y, and X leads to a bad
consequence—someone was injured. To determine if the
engineers acted ethically, we have to
answer the question of whether they chose X rather than Y
because 1) X appeared to be the
better technical choice, or 2) X promoted some other end (for
example, financial) in the
organization. Abstract ethics principles alone cannot answer
this question; we must delve into
the technical details surrounding the decision. The purpose of
case studies in general is to
provide us with the context—the technical details—of an
engineering decision in which an
ethical principle may have been violated.
Case Study of Challenger Disaster
On January 28, 1986, the NASA space Shuttle Challenger burst
into a ball of flame 73 seconds
after take-off, leading to the death of the seven people on board.
Some months later, a
commission appointed by the President to investigate the causes
of the disaster determined that
the cause of the disaster was the failure of a seal in one of the
solid rocket boosters (Report to the
President 1986, vol. 1, p. 40). Furthermore, Morton Thiokol, the
contractor responsible for the
seal design, had initiated a teleconference with NASA on the
evening before the launch and had,
at the beginning of the teleconference, recommended against
launching because of concerns
about the performance of the seal. This recommendation was
reversed during the teleconference,
with fatal consequences.
To understand the decisions that led to the Challenger disaster,
you must first understand what
the technical problems were. Accordingly, this course begins
by presenting the minimum
technical details you will need to understand the physical cause
of the seal failure. After laying
this groundwork, we examine what occurred in the
teleconference. You will probably find, as
you learn more and more about the Challenger project, that
issues that had appeared simple
initially are actually far more complex; pinpointing
responsibility and assigning blame are not
nearly as easy as many popular accounts have made them. The
purpose of the present course is
1) to consider some of the issues and show by example how
difficult it can be to distinguish
unethical behavior from technical mistakes (with severe
consequences), and 2) to equip you to
think critically and act appropriately when confronted with
ethical decisions in your own
professional work.
The course is divided into the following topics:
1. Two Common Errors of Interpretation
2. Configuration of Shuttle
3. Function of O-rings
4. History of Problems with Joint Seals
5. Teleconference
6. Accident
7. Ethical issue: Did NASA take extra risks because of pressure
to maintain Congressional
funding?
8. Ethical issue: Did Thiokol take extra risks because of fear of
losing its contract with
NASA?
9. Ethical issue: Was the Principle of Informed Consent
violated?
10. Ethical issue: What role did whistle blowing have in the
Challenger story?
11. Ethical issue: Who had the right to Thiokol documents
relating to the Challenger
disaster?
12. Ethical issue: Why are some engineering disasters
considered ethical issues and others
are not?
13. Summary
1. Two Common Errors of Interpretation
Persons studying the history of an engineering disaster must be
alert to the danger of committing
one of the following common errors: 1) the myth of perfect
engineering practice, and 2) the
retrospective fallacy.
The Myth of Perfect Engineering Practice
The sociologist Diane Vaughan, who has written one of the
most thorough books on Challenger,
has pointed out that the mere act of investigating an accident
can cause us to view, as ominous,
facts and events that we otherwise would consider normal:
“When technical systems fail, …
outside investigators consistently find an engineering world
characterized by ambiguity,
disagreement, deviation from design specifications and
operating standards, and ad hoc rule
making. This messy situation, when revealed to the public,
automatically becomes an
explanation for the failure, for after all, the engineers and
managers did not follow the rules. …
[On the other hand,] the engineering process behind a
‘nonaccident’ is never publicly examined.
If nonaccidents were investigated, the public would discover
that the messy interior of
engineering practice, which after an accident investigation
looks like ‘an accident waiting to
happen,’ is nothing more or less than ‘normal technology.’”
(Vaughan 1996, p. 200) Thus as you
read the description of the Challenger disaster on the pages to
follow, keep in mind that just
because some of the engineering practices described are not
neat and tidy processes in which
consensus is always achieved and decisions are always based on
undisputed and unambiguous
data, that fact alone may not explain the disaster; such practices
may simply be part of normal
technology—that usually results in a nonaccident.
The Retrospective Fallacy
Engineering projects sometimes fail. If the failure involves
enough money or injuries to
innocent people, then investigators may be brought in to
determine the causes of the failure and
identify wrongdoers. The investigators then weave a story
explaining how decision-makers
failed to assess risks properly, failed to heed warning signs,
used out-of-date information,
ignored quality-control, took large risks for personal gain, etc.
But there is a danger here: the
story is constructed by selectively focusing on those events that
are known to be important in
retrospect, that is, after the failure has occurred and observers
look back at them. At the time
that the engineers were working on the project, these events
may not have stood out from dozens
or even hundreds of other events. “Important” events do not
come labeled “PARTICULARLY
IMPORTANT: PAY ATTENTION”; they may appear important
only in retrospect. To the
extent that we retrospectively identify events as particularly
important—even though they may
not have been thought particularly important by diligent and
competent people working at the
time—we are committing the “retrospective fallacy.” (Vaughan
1996, pp. 68-70)
In any discussion of the Challenger disaster, the tendency to
commit the retrospective fallacy
exists, because we all know the horrendous results of the
decisions that were made—and our first
reaction is to say, “How could they have ignored this?” or,
“Why didn’t they study that more
carefully?” But to understand what happened, it is crucial to
put yourself in the place of the
engineers and to focus on what they knew and what they
thought to be important at the time. For
example, NASA classified 745 components on the Shuttle as
“Criticality 1”, meaning failure of
the component would cause the loss of the crew, mission, and
vehicle (NASA’s Response to the
Committee’s Investigation of the “Challenger” Accident 1987).
With the advantage of 20-20
hindsight, we now know that the engineers made a tragic error
in judging the possibility of
failure of a particular one of those 745 components—the seals—
an “acceptable risk.” But at the
time, another issue—problems with the Shuttle main engines—
attracted more concern
(McDonald 2009, pp. 64-65). Similarly, probably most of the
decisions made by the Shuttle
engineers and managers were influenced to some extent by
considerations of cost. As a result,
after the disaster it was a straightforward matter to pick out
specific decisions and claim that the
decision-makers had sacrificed safety for budgetary reasons.
But our 20-20 hindsight was not
available to the people involved in the Challenger project, and
as we read the history we should
continually ask questions such as “What did they know at the
time?,” “Is it reasonable to expect
that they should have seen the significance of this or that fact?,”
and “If I were in their position
and knew only what they knew, what would I have done?” Only
through such questions can we
hope to understand why the Challenger disaster occurred and to
evaluate its ethical dimensions.
2. Configuration of Shuttle
NASA had enjoyed widespread public support and generous
funding for the Apollo program to
put a man on the moon. But as Apollo neared completion and
concerns about the cost of the
Vietnam War arose, continued congressional appropriations for
NASA were in jeopardy. A new
mission for NASA was needed, and so the Space Shuttle
program was proposed. The idea was
to develop an inexpensive (compared to Apollo) system for
placing human beings and
hardware in orbit. The expected users of the system would be
commercial and academic
experimenters, the military, and NASA itself. On January 5,
1972, President Nixon announced
the government’s approval of the Shuttle program.
Fig. 1 Configuration of the Shuttle
Because a prime goal was to keep costs down, reusable space
vehicles were to be developed.
After many design proposals and compromises—for example,
the Air Force agreed not to
develop any launch vehicles of its own, provided that the
Shuttle was designed to accommodate
military needs—NASA came up with the piggyback design
shown in Figure 1. The airplane-like
craft (with the tail fin) shown in side view on the right side of
the figure is the “Orbiter.” The
Orbiter contains the flight crew and a 60-foot-long, 15-foot-wide
payload bay designed to hold
cargo such as communications satellites to be launched into
orbit, an autonomous Spacelab to be
used for experiments in space, or satellites already orbiting that
have been retrieved for repairs.
Before launch, the Orbiter is attached to the large (154 feet long
and 27 1/2 feet in diameter)
External Tank—the middle cylinder with the sharp-pointed end
shown in the figure; the External
Tank contains 143,000 gallons of liquid oxygen and 383,000
gallons of liquid hydrogen for the
Orbiter's engines.
The two smaller cylinders on the sides of the External Tank are
the Solid Rocket Boosters
(SRBs). The SRBs play a key role in the Challenger accident
and accordingly will be described
here in some detail.
The SRBs contain solid fuel, rather than the liquid fuel
contained by the External Tank.
The SRBs provide about 80 percent of the total thrust at liftoff;
the remainder of the thrust is
provided by the Orbiter's three main engines. Morton-Thiokol
Inc. held the contract for the
development of the SRBs.
The SRBs fire for about two minutes after liftoff, and then,
their fuel exhausted, are separated
from the External Tank. A key goal of the Shuttle design was
to save costs by re-using the SRBs
and the Orbiter. The conical ends of the SRBs contain
parachutes that are deployed, after the
SRBs have been separated from the External Tank, and allow
the SRBs to descend slowly to the
ocean below. The SRBs are then picked out of the water by
recovery ships and taken to repair
facilities, where preparations are made for the next flight. After
the SRBs are detached, the
Orbiter’s main engines continue firing until it achieves low
earth orbit. Then the External Tank
is jettisoned towards earth where it burns up in the
atmosphere—the External Tank is not re-used.
Once the crew has completed its mission in orbit, the
Orbiter returns to earth where it
glides (no propulsion is used) to a landing on a conventional
airstrip. The Orbiter can then be
refurbished for its next launch.
More Details about the SRBs
Fig. 2 Solid Rocket Booster with Exploded View Showing
Segments and Joints
Figure 2 shows the subassemblies that make up the SRB.
Because the total length of the SRB
was almost 150 feet, it was too large to ship as a single unit by
rail from Thiokol’s
manufacturing facility in Utah to the Kennedy Space Center
launch site in Florida. Furthermore,
shipping the SRB as a single unit would mean that a large
amount of rocket fuel would be
concentrated in a single container—creating the potential for an
enormous explosion. For these
reasons, Thiokol manufactured the SRB from individual
cylindrical segments each
approximately 12 feet in diameter. At Thiokol’s plant in Utah,
individual segments were welded
together to form four “casting” segments, into which propellant
was poured (cast). The welded
joints within a casting segment were called “factory joints.”
The four casting segments were
then shipped individually by rail to Kennedy, where they were
assembled—by stacking, not
welding—to form the solid rocket motor (SRM) of the SRB.
The joints created by the assembly
process at Kennedy were called “field joints.” The sealing
problem that led to the Challenger’s
destruction occurred in the field joint at the right end of the
AFT MID SEGMENT in Figure 2.
Hot combustion gases from the SRM leaked through the joint
and either weakened or burned a
hole in the External Tank, igniting the contents of the Tank and
producing a catastrophic fireball.
3. Function of O-rings
The cutaway view of the SRB in Figure 3 shows the aft field
joint location in the assembled
SRB.
Fig. 3. Location of the Problematic Aft Field Joint
Fig. 4. Cross Section of Field Joint
Figure 4 shows how the upper SRM segment in a field joint is
connected to the lower segment by
a pin passing through the “tang” (the tongue on the upper
segment) and the “clevis” (the U-shaped
receptacle cut in the lower segment); 177 such steel pins
are inserted around the
circumference of each joint. When the propellant is burning
and generating hot combustion
gases under the enormous pressure necessary to accelerate the
SRB, the joint must be sealed to
prevent the gases from leaking and possibly damaging exterior
parts of the Shuttle. This sealing
is accomplished by a primary O-ring backed up by a secondary
O-ring (O-rings are widely used
in machine design and, when functioning properly, can seal
pressures in the range of thousands
of psi). An SRM O-ring has been compared to “a huge length of
licorice—same color, same
diameter (only 0.28”)—joined at the ends so it forms a circle
12’ across” (Vaughan 1996, p. 40).
SRM O-rings were made of a rubberlike synthetic material
called Viton. To prevent the hot
combustion gases from contacting and thus degrading the Viton
when the propellant was ignited,
zinc chromate putty was applied in the region shown in Figure 4
prior to assembly of the SRM
segments.
Fig. 5. Effect of Compression of the O-ring in Inhibiting
Pressure Actuation
Pressure Actuation of the O-ring Seal
Besides protecting the O-rings from the corrosive effects of the
hot combustion gases, the putty
is intended to be pushed outward from the combustion chamber
during ignition, compress the air
ahead of the primary O-ring, and thus force the O-ring into the
tang-clevis gap, thereby sealing
the gap. This process is referred to as “pressure-actuated
sealing.” Experiments show that
pressure actuation is most effective when the high-pressure air
acts over the largest possible
portion of the high-pressure side of the O-ring. In the leftmost
sketch in Figure 5, for example,
the high-pressure side extends from the “Response Node” at the
top to the point of tangency at
the bottom of the groove. If, however, the O-ring is initially
compressed during assembly, then
the O-ring may deform sufficiently to cause contact with the
left-hand side of the groove, as
shown in the rightmost sketch in Figure 5. In that case, the
high-pressure air acts over only the
surface of the upper left-hand side of the O-ring, and pressure
actuation of the seal is impaired.
This problem is lessened if, upon ignition, the joint gap opens,
and the O-ring is able to spring
back elastically and lose contact with sides of the groove, as in
the middle sketch in Figure 5.
However, when the temperature is low, the O-ring loses much of
its elasticity and as a result may
retain its compressed shape, as in the right-hand sketch of
Figure 5. This retention of the
compressed shape has three unfortunate consequences: 1)
pressure actuation is delayed or
impaired because the high-pressure air cannot get to the lower
left-hand side of the O-ring,
2) pressure actuation is delayed or impaired because the O-ring
does not seal the opened gap, and
the actuation pressure on the O-ring decreases as the fluid is
able to pass by the O-ring, and
3) because of the lack of sealing, compressed air, putty, and
then hot combustion gas may blow
by through the gap, and in the process, damage or even destroy
the O-ring.
In general, pressure actuation was also affected negatively by
several other factors, such as the
behavior of the putty and the increase in gap size caused by re-use
of the SRM. From
consideration of all these factors and from observation of the
explosion, the Presidential
Commission concluded “that the cause of the Challenger
accident was the failure of the pressure
seal in the aft field joint of the right Solid Rocket Motor
[Italics in the original]. The failure was
due to a faulty design unacceptably sensitive to a number of
factors. These factors were the
effects of temperature, physical dimensions, the character of
materials, the effects of reusability,
processing, and the reaction of the joint to dynamic loading.”
(Report to the President 1986, vol.
1, p. 69)
4. History of Problems with Joint Seals
From the very beginning, in 1973, of Thiokol’s contract to
develop the SRM, problems arose
with the joints. The Thiokol design for the SRM was based on
the Air Force’s Titan III, one of
the most reliable solid-fuel rockets produced up to that time.
But Thiokol engineers could not
simply copy the Titan design—the SRM was larger than the
Titan’s motor and had to be
designed for refurbishment and repeated use. One particular
area in which the two motors
differed was the field joints, and Thiokol’s initial design for the
SRM field joints worried
engineers at the Marshall Space Flight Center, who were
responsible for monitoring Thiokol’s
contract. Many modifications and reviews of the design ensued,
and Thiokol and Marshall
finally began various load tests in 1976. Early tests were
successful and gave engineers
confidence. In an important test in 1977, however, the joint
seals surprised the engineers by
exhibiting “joint rotation,” illustrated in Fig. 6. Of particular
concern is the loss of redundancy
in the design because not just the primary but also the
secondary O-ring is rendered ineffective if
the gap opens sufficiently. (It is important to realize the scale
of the events being described: the
gap between the tang and clevis in the unpressurized joint is
tiny: 0.004”; in the pressurized joint
the gap was estimated to lie between 0.042” and 0.06”, caused
by a joint rotation that occurs in
the first 0.6 seconds of ignition.)
Fig. 6 Joint Rotation
Other sealing problems—some but not all related to joint
rotation—such as blow-by, ring
charring, ring erosion, loss of resilience of the O-ring material
at low temperature, and
performance of the putty were observed later in various static
tests and launches. Engineers both
at Thiokol and at Marshall were aware of these problems.
On July 31, 1985, Roger Boisjoly,
a Thiokol engineer specializing in O-rings, wrote a memo to
Thiokol vice president Robert Lund
with the subject line, "O-ring Erosion/Potential Failure
Criticality", after nozzle joint erosion was
detected in an SRB:
“This letter is written to insure that management is fully aware
of the seriousness of the
current O-ring erosion problem in the SRM joints from an
engineering standpoint.”
"The mistakenly accepted position on the joint problem was to
fly without fear of failure
and to run a series of design evaluations which would ultimately
lead to a solution or at
least a significant reduction of the erosion problem. This
position is now changed as a
result of the [51-B] nozzle joint erosion which eroded a
secondary O-ring with the
primary O-ring never sealing. If the same scenario should occur
in a field joint (and it
could), then it is a jump ball as to the success or failure
of the joint because the
secondary O-ring cannot respond to the clevis opening rate and
may not be capable of
pressurization. The result would be a catastrophe of the highest
order-loss of human
life…"
Boisjoly urged that a team be set up to work on the O-ring
problem, and ended by saying
"It is my honest and very real fear that if we do not take
immediate action to dedicate a
team to solve the problem, with the field joint having the
number one priority, then we
stand in jeopardy of losing a flight along with all the launch pad
facilities." [quoted in
Vaughan 1996, p. 447]
Boisjoly later charged that Thiokol management failed to
provide adequate follow-up and
support to correct the problem described in his memo.
Readers tempted to commit the retrospective fallacy after
reading Boisjoly’s memo should note
that the memo does not mention temperature effects on the seal.
The years of concern about the sealing problems eventually led
to a briefing at NASA
Headquarters in Washington on August 19th, 1985, by Marshall and Thiokol, in which they
presented both an engineering evaluation and a redesign plan.
They noted that only 5 of 111
primary O-rings in field joints and 12 of 47 primary O-rings in
nozzle joints had shown erosion
in various tests and flights. Thiokol argued that various
experimental and flight data verified the
safety of the design. They said, however, that the field joint was
the “highest concern” and
presented plans for improving the joints both with short-term
fixes and longer-term fixes that
would take over two years to implement. Data from studies by
Arnie Thompson (Boisjoly’s
boss) of the effect of temperature on ring resiliency were
presented, but imposing a temperature
launch constraint was not mentioned. The review judged that
leak checks and careful assembly
made it “safe to continue flying [the] existing design.”
Nevertheless NASA needed “to continue
at an accelerated pace to eliminate SRM seal erosion.” In the
meantime, the risks were
considered acceptable. [Dunnar and Waring, p. 363].
5. Teleconference
After several delays, the Challenger launch was scheduled for
January 28, 1986, at 9:38 AM
EST. At about 1 PM on the 27th, however, NASA personnel became concerned about the
unusually low temperatures—in the low 20’s—predicted for
early morning of the next day. A
Marshall manager asked Thiokol engineers to review the effect
the low temperatures might have
on the SRM. Accordingly, a meeting was held at Thiokol’s
Utah facility. Engineers there stated
their concern that the extreme cold would greatly reduce O-ring
resiliency and ability to seal the
joints. A teleconference among Thiokol, Marshall, and
Kennedy personnel was set for 5:45 PM
EST to discuss the situation.
At the teleconference, Thiokol engineers made no official
recommendation about delaying the
launch. The discussion centered on their concerns about the
effect of the low temperatures on
the O-rings. However, some of the teleconference participants
were unable to hear well, because
of a poor telephone connection, and some key personnel had not
been located in time to be
included in the teleconference, so the teleconference was ended,
and a second one scheduled for
8:15 PM EST. In the interim, Thiokol engineers had time to
organize their data in charts and fax
them to Marshall and Kennedy.
A total of thirty-four managers and engineers from Thiokol,
Marshall, and Kennedy took part in
the second teleconference. Thiokol engineers began the
teleconference by discussing the charts
that they had faxed to the other teleconference participants.
The Thiokol position was that
because significant O-ring blow-by and damage had been
observed in the coldest previous
launch—53°F—the O-ring material would lose much of its
resilience and the joint could fail,
were the launch to be conducted at a temperature in the 20’s or
low 30’s. When directly asked
by Larry Mulloy, Manager of the SRB project at Marshall,
Thiokol Vice President Joe
Kilminster responded that Thiokol could not recommend launch
if the temperature was below
53°F.
After Kilminster’s statement, Marshall personnel began
challenging the Thiokol position. Of the
several objections raised, two particularly stand out. First, the
data supporting the relation
between temperature and blow-by was ambiguous. Blow-by had
once occurred in a launch at
75°F, indicating a cause independent of temperature. And even
Roger Boisjoly, one of the
Thiokol engineers most knowledgeable about sealing and most
concerned about the danger to the
seal of launching at low temperatures, admitted later, “I was
asked to quantify my concerns, and I
said I couldn’t, I couldn’t quantify it, I had no data to quantify
it, but I did say I knew that it was
away from goodness in the current data base.”
The second objection to the Thiokol position centered on the
53°F limit. For almost three weeks
in December, 1985, and two weeks in January, 1986, Cape
Canaveral temperatures had been
below 53°F, once even reaching 41°F. Launches of the Shuttle
Columbia had been scheduled
(and repeatedly scrubbed) during these times, yet Thiokol had
never voiced concern about the
effect of these temperatures on the capacity of the O-rings to
seal the joint.
In short, as Thiokol’s Larry Sayer later admitted, “[W]e had a
very weak engineering position
when we went into the telecom.” Marshall’s Ben Powers
similarly observed:
“I don’t believe they did a real convincing job of presenting
their data … The Thiokol
guys even had a chart in there that says temperature of the O-ring
is not the only
parameter controlling blow-by. In other words, they’re not
coming in with a real firm
statement. They’re saying there’s other factors. They did have
a lot of conflicting data in
there. I can’t emphasize that enough. Let me quote. On [one]
chart of theirs, they had
data that said they ran some sub-scale tests down at 30 degrees,
and they saw no leakage.
Now they’re talking out of both sides of their mouth, see.
They’re saying, “Hey,
temperature doesn’t have any effect.” Well, I’m sure that that
was an extremely
important piece of data to Mr. Hardy [Deputy Director of
Science and Engineering at
Marshall], and certainly to my boss, Mr. McCarty, and Mr.
Smith.” (Vaughan 1996, p.
307)
Observations like this make it understandable why Marshall’s
Mulloy complained that Thiokol
was, on the eve of a launch, creating a new criterion for launch
safety, since no requirement for
O-ring temperature to exceed some minimum had ever been
previously formulated. Mulloy said,
“My God, Thiokol, when do you want me to launch, next
April?” George Hardy stated that he
was “appalled” at the Thiokol recommendation. Hardy’s
colleague at Marshall, Keith Coates,
later offered a rationale for Hardy’s response:
“George was used to seeing O-rings eroded, and I’m sure that he
recognized that it was
not a perfect condition, and he did not feel that the 20°F
difference between 53°F and
33°F, or somewhere in that range, should make that much
difference on seating an O-ring,
since you’ve got 900 psi cramming that O-ring into that
groove and it should seal
whether it is at 53°F or 33°F. He did say, I do remember a
statement something to this
effect, ‘For God’s sake, don’t let me make a dumb mistake.’
And that was directed to the
personnel in the room there at Marshall. I think he fully
appreciated the seriousness of it,
and so I think that that is on the other side of the coin that he
was amazed or appalled at
the recommendation.” (quoted in Vaughan 1996, p. 314)
Thiokol’s Kilminster was then asked for his view. He asked for
a brief meeting, off-line, with
his colleagues in Utah. When the meeting began, Thiokol
Senior Vice President Jerry Mason
took charge of the discussion. It soon became clear that he was
not persuaded by the argument
against launching. In response, Roger Boisjoly and Arnie
Thompson strongly defended the
recommendation not to launch, pointing out that the
temperatures predicted for the next day at
Cape Canaveral were 20°F below the temperatures at which
anyone had had previous launch
experience with the O-rings. Then Mason said if the engineers
could not come forward with any
new data to decide the issue, “We have to make a management
decision,” indicating that the four
senior Thiokol managers present would make the decision (even
though he referred to a
“management” decision, all managers involved, at both Thiokol
and Marshall, had training and
experience as engineers). The four Thiokol managers spoke
some more and then held a vote
(Boisjoly, Thompson, and the others did not get to vote). Three
voted in favor of launching; the
fourth, Robert Lund, paused. [Recall that Lund had been the
recipient of Boisjoly’s July, 1985,
memo warning of “the seriousness of the current O-ring erosion
problem”]. Mason then asked if
Lund would “take off his engineering hat and put on his
management hat.” [In the posttragedy
investigation, Mason explained that he meant that the
engineering data were not sufficient to
decide the issue—a judgment must be made by the people in
charge.] Lund voted for launching.
When the teleconference resumed, Kilminster stated Thiokol’s
new position—in favor of
launching—and gave a rationale. Shuttle Projects Manager
Stanley Reinartz asked if anybody
participating in the teleconference disagreed or had any other
comments about the Thiokol
recommendation. Nobody spoke. Thus Marshall and Kennedy
participants were unaware that
some Thiokol engineers continued to disagree with the decision
to launch.
Allan McDonald, Thiokol’s Director of the SRM project, was
stationed at Kennedy and had
participated in the teleconference. After the teleconference was
finished, he took a strong stand
against launching. Because he had not participated in Thiokol’s
offline discussion, he did not
know why Thiokol had changed their position to supporting
launching, but he stated clearly that
the motor had been qualified only down to 40°F, and further,
that “I certainly wouldn’t want to
be the one that has to get up in front of a board of inquiry if
anything happens to this thing and
explain why I launched the thing outside of what I thought it
was qualified for.” [quoted in
Vaughan, p. 327]
At launch time the next day, the temperature at the launch pad
was 36°F.
At this point, the reader might want to recall the myth of perfect
engineering practice, discussed
in Section 1. The discussion and decision-making process
occurring in the teleconference were
not unusual. Holding a teleconference before launch was not
out of the ordinary but rather was
the NASA norm. Similarly, disagreement among engineers
working on a large technical project
was also the norm, and NASA management routinely subjected
any engineer making a
recommendation to tough questioning to ensure that the
recommendation was based on sound
data and logical thinking. What was unusual in this
teleconference was that it was the first time
in the life of the project that a contractor had made a
recommendation not to launch. Before, it
had always been NASA that called for a delay.
6. Accident
The Space Shuttle Challenger launch began at 11:38 Eastern
Standard Time on January 28th, 1986. The following photos and captions are reproduced, with
some modification, from Volume
1 of the Report to the President by the Presidential Commission
on the Space Shuttle Challenger
Accident.
Fig. 7. Immediately after solid rocket motor ignition, dark
smoke (arrows) swirled out between
the right hand booster and the External Tank. The smoke's
origin, behavior and duration were
approximated by visual analysis and computer enhancement of
film from five camera locations.
Consensus: smoke was first discernible at .678 seconds Mission
Elapsed Time in the vicinity of
the right booster's aft field joint.
Fig. 8. Multiple smoke puffs are visible in the photo above
(arrows). They began at .836 seconds
and continued through 2.500 seconds, occurring about 4 times a
second. Upward motion of the
vehicle caused the smoke to drift downward and blur into a
single cloud. Smoke source is shown
in the computer generated drawing (far right).
Fig. 9. At 58.788 seconds, the first flicker of flame appeared.
Barely visible above, it grew into a
large plume and began to impinge on the External Tank at about
60 seconds. Flame is pinpointed
in the computer drawing between the right booster and the tank,
as in the case of earlier smoke
puffs. At far right (arrow), vapor is seen escaping from the
apparently breached External Tank.
Fig. 10. Camera views indicate the beginning of rupture of the
liquid hydrogen and liquid
oxygen tanks within the External Tank. A small flash (arrows
above) intensified rapidly, then
diminished.
Fig. 11. A second flash, attributed to rupture of the liquid
oxygen tank, occurred above the
booster/tank forward attachment (left) and grew in milliseconds
to the maximum size indicated
in the computer drawing.
Fig. 12. Structural breakup of the vehicle began at
approximately 73 seconds. Fire spread very
rapidly. Above [right], a bright flash (arrow) is evident near
the nose of the Orbiter, suggesting
spillage and ignition of the spacecraft's reaction control system
propellants. At left, the two Solid
Rocket Boosters thrust away from the fire, crisscrossing to form
a “V.”
Fig. 13. At right, the boosters diverge farther; the External
Tank wreckage is obscured by smoke
and vapor. The Orbiter, its engines still firing, is visible at bottom
center.
Fig. 14. At about 76 seconds, unidentifiable fragments of the
Shuttle vehicle can be seen
tumbling against a background of fire, smoke and vaporized
propellants from the External Tank
(left).
Fig. 15. In the photo at right, the left booster (far right) soars
away, still thrusting. The reddish-
brown cloud envelops the disintegrating Orbiter. The color is
characteristic of the nitrogen
tetroxide oxidizer in the Orbiter Reaction Control System
propellant.
Fig. 16. Hurtling out of the fireball at 78 seconds are the
Orbiter's left wing (top arrow), the
main engines (center arrow) and the forward fuselage (bottom
arrow). In the photo below
[bottom right], it plummets earthward, trailed by smoking
fragments of Challenger.
Fig. 17. At 11:44 a.m. Eastern Standard Time, a GOES
environment-monitoring satellite
operated by the National Oceanic and Atmospheric
Administration acquired this image of the
smoke and vapor cloud from the 51-L accident. The coast of
Florida is outlined.
Fig. 18. Flight crew
Francis R. (Dick) Scobee, Commander
Michael John Smith, Pilot
Ellison S. Onizuka, Mission Specialist One
Judith Arlene Resnik, Mission Specialist Two
Ronald Erwin McNair, Mission Specialist Three
S. Christa McAuliffe, Payload Specialist One
Gregory Bruce Jarvis, Payload Specialist Two
“The consensus of the Commission and participating
investigative agencies is that the loss of the
Space Shuttle Challenger was caused by a failure in the joint
between the two lower segments of
the right Solid Rocket Motor. The specific failure was the
destruction of the seals that are
intended to prevent hot gases from leaking through the joint
during the propellant burn of the
rocket motor. The evidence assembled by the Commission
indicates that no other element of the
Space Shuttle system contributed to this failure.” (Report to the
President 1986, vol. 1, p. 40)
7. Ethical issue: Did NASA knowingly take extra risks because
of pressure to maintain
Congressional funding?
To sell the Space Shuttle program to Congress initially, NASA
had promised that Shuttle flights
would become thoroughly routine and economical. Arguing that
the more flights taken per year
the more routinization and economy would result, NASA
proposed a highly ambitious
schedule—up to 24 launches per year (Report to the President
1986, vol. 1, p. 164). But as work
on the program proceeded, NASA encountered many delays and
difficulties. Concern was
voiced in Congress, and NASA officials were worried about
continued budget support. To show
Congress that progress was being made, NASA planned a record
number of launches for 1986.
The January Challenger launch was to be the first launch of the
year, but unfortunately—and to
NASA’s further embarrassment—the launch of the Shuttle
Columbia scheduled for the previous
December was delayed a record seven times (for various
reasons, including weather and
hardware malfunctions), and finally launched on January 12,
1986, necessitating Challenger’s
launch date be set back. Thus NASA managers were undeniably
under pressure to launch
without further delays; a public-relations success was badly
needed. This pressure led to
managerial wrongdoing, charged John Young, Chief of NASA’s
Astronaut Office, in an internal
NASA memo dated March 4, 1986: “There is only one driving
reason that such a potentially
dangerous system would ever be allowed to fly—launch
schedule pressure.” (Exploring the
Unknown 1999, p. 379). Young’s memo was written more than
a month after the disaster, so
concerns about the retrospective fallacy arise. In any event, the
question is, “Did pressure to
meet an ambitious launch schedule cause NASA to take risks
that otherwise would not have been
taken?”
The question is difficult to answer with certainty, but three
distinct points can be made:
1) Regardless of ethical considerations, risking disaster by
launching under unsafe
conditions simply would have been a bad gamble. Imagine a
NASA manager weighing
the costs and benefits of risking the flight crew’s lives to make
the launch schedule. His
calculation of the costs would include the probability of
detection of his misconduct, if
something went wrong. But this situation was not analogous to
a dishonest
manufacturer’s substituting a lower-quality component in an
automobile with over
20,000 components; the probability of detection might be low.
But if something went
wrong with a launch, the probability of detection was 100%.
The manager’s career
would be finished, and he might face criminal charges. Adding
this cost to the cost—in
moral terms—of the death of the crew and the cost of
suspension of the entire program
for many months or even years would give a total cost so large
that any rational manager
would have judged the risk to far outweigh the reward.
2) The context of Marshall manager Larry Mulloy’s remark,
“My God, Thiokol, when do
you want me to launch, next April?”, must be considered. In
the words of Marshall’s
Larry Wear, “Whether his choice of words was as precise or as
good or as candid as
perhaps he would have liked for them to have been, I don’t
know. But it was certainly a
good, valid point, because the vehicle was designed and
intended to be launched year-
round. There is nothing in the criteria that says this thing is
limited to launching only on
warm days. And that would be a serious change if you made it.
It would have far
reaching effects if that were the criteria, and it would have
serious restriction on the
whole shuttle program. So the question is certainly germane,
you know, what are you
trying to tell us, Thiokol? Are we limited to launching this
thing only on selected days?
… The briefing, per se, was addressing this one launch, 51-L.
But if you accept that
input for 51-L, it has ramifications and implications for the
whole 200 mission model,
and so the question was fair.” (quoted in Vaughan 1996, p. 311)
3) Even though the Presidential Commission’s report described
at great length the
pressure on NASA to maintain an ambitious launch schedule,
the report did not identify
any individual who ranked budgetary reasons above safety
reasons in the decision to
launch. Furthermore, “NASA’s most outspoken critics—
Astronaut John Young, Morton
Thiokol engineers Al McDonald and Roger Boisjoly, NASA
Resource Analyst Richard
Cook, and Presidential Commissioner Richard Feynman, who
frequently aired their
opinions to the media—did not accuse anyone of knowingly
violating safety rules,
risking lives on the night of January 27 and morning of January
28 to meet a schedule
commitment. … Even Roger Boisjoly … had no ready answer on
this point. [When
asked] why Marshall managers would respond to production
pressures by proceeding
with a launch that had the potential to halt production
altogether, he was stymied.
Boisjoly thought for a while, then responded, ‘I don’t know.’ …
The evidence that
NASA management violated rules, launching the Challenger for
the sake of the Shuttle
Program’s continued economic viability was not very
convincing. Hardy’s statement that
‘No one in their right mind would knowingly accept increased
flight risk for a few hours
of schedule’ rang true.” (Vaughan 1996, pp. 55-56)
After the disaster, other charges appeared in the media. The
President’s State of the Union
address was scheduled for the evening of the 28th, and critics charged that the White House had
intervened to insist that the launch occur before the address so
that the President could refer to
the launch—and perhaps even have a live communication
connection with the astronauts during
the address. Or perhaps the White House had intervened to
ensure that Christa McAuliffe—a
high-school teacher who had been included in the flight crew—
would be able to conduct and
broadcast her Teacher in Space lessons during the week, when
children would be in school. If
true, these charges would have indicated a clear ethical lapse on
the part of NASA management,
because they would have violated their duty to make public
safety their primary concern. But
extensive investigation by the Presidential Commission did not
find evidence to support the
charges.
8. Ethical issue: Did Thiokol knowingly take extra risks because
of fear of losing its
contract with NASA?
Shortly before the Challenger launch, word came out that NASA
was seeking a second source to
supply the SRMs. NASA’s actions were taken not out of
dissatisfaction with Thiokol’s
performance but instead “resulted from lobbying by Thiokol’s
competitors for a piece of
NASA’s solid rocket market and from desires by Congress to
ensure a steady supply of
motors for the Shuttle’s military payloads.” (Dunar and Waring
1999, p. 369) Apparently the
existence of a possible second supplier was interpreted by the
Presidential Commission as a
source of pressure on Thiokol management, with the result, the
Commission concluded, that
“Thiokol Management reversed its position and recommended
the launch of 51-L, at the urging
of Marshall and contrary to the views of its engineers in order
to accommodate a major
customer.” (Report to the President 1986, vol. 1, p. 105) The
major customer was of course
NASA.
On the other hand, however, regardless of the introduction of a
second source, Thiokol was to
supply NASA with hardware for two more purchases, one for a
60-flight program and another
for a separate 90-flight program. Thus the threat posed by a
second source was not immediate.
Furthermore, in postaccident interviews, the people who had
participated in the teleconference
explicitly rejected the idea that Thiokol’s concern about a
possible second-source contractor was
a factor in launch decision-making. As Ben Powers of Marshall
said, “I knew there was talk of a
second source, but I wouldn’t have thought it would have made
any difference, because they
were our only contractor and we need shuttle motors, so, so
what? We’ve got to get them from
somewhere. And to get an alternate source you’d have to have
somebody that has demonstrated
and qualified. There is no one else that can produce that motor
at this time. I don’t think that
had anything to do with this at all. It was strictly dealing with
the technical issues.” (quoted in
Vaughan 1996, pp. 337-338)
Finally, the same argument made in the last section about
NASA’s risking disaster by launching
under unsafe conditions being a bad gamble applies equally well
to Thiokol. Robert Lund of
Thiokol made the point succinctly: “as far as second source on
this flight decision, gadzooks,
you know, the last thing you would want to do is have a
failure.” (quoted in Vaughan 1996, p.
338)
9. Ethical issue: Was the Principle of Informed Consent
Violated?
Scientists conducting an experiment involving human subjects
are expected to obtain the
“informed consent” of the subjects before the experiment
begins. Informed consent refers to the
condition that the subjects 1) agree freely and without coercion
to participate in the experiment,
and 2) have been provided all the information needed and in an
understandable form to allow
them to make a reasonable decision whether or not to
participate in the experiment. Although
not usually viewed that way, a Space Shuttle flight certainly has
elements of an experiment
involving human subjects, and thus the question arises, “Was
the principle of informed consent
followed in the case of the Challenger crew?” The first
requirement, no coercion, was clearly
met—to be a crew member was very prestigious, large numbers
of people eagerly applied for the
positions, and the persons chosen were lauded for their success
in being selected. Crew
members had back-ups (for use in case of illness, for example),
so that had one crew member
decided not to participate, he or she would not have been
responsible for cancelling the launch
for everyone, and so would not have been under pressure for
that reason.
The second requirement—that the crew had enough information
to decide if they wanted to risk
launch—does not appear to have been met. The issue is
complicated by the fact, much discussed
in the news media, that on the morning of the launch, the flight
crew was informed of the ice on
the launch pad but was not informed of the teleconference the
evening before. But even if they
had been told of the teleconference, it is difficult to see how
they could have made a reasonable
decision about launching. No member of the crew was a
specialist in O-rings (Christa
McAuliffe, the “Teacher in Space,” was not even an engineer or
scientist but a high-school social
studies teacher). What information could the crew have been
given on launch day, or after the
teleconference, that they could have possibly digested—in only
a few hours—sufficiently to
make a reasonable decision? Even if they had had the technical
expertise, they also would have
encountered the same ambiguities in the data (for example, seal
failure at 75°F) and the “very
weak engineering position” presented at the teleconference that
led the NASA and Thiokol
managers to dismiss the concern about the effect of low
temperature on the seals. Given that
NASA routinely held teleconferences before launch and these
teleconferences contained
vigorous questioning about whether it was safe to launch, what
reason is there to think that the
crew would have been able to discern that the January 27th teleconference raised an issue much
more serious than had been raised in previous teleconferences?
It simply seems that it was not
possible to supply the “informed” half of the “informed
consent” requirement, and to think
otherwise appears to be a case of committing the retrospective
fallacy.
10. Ethical issue: What role did whistle blowing have in the
Challenger story?
The term “whistle blowing” has been attributed to the practice
of British policemen in the past
who, upon observing someone committing a crime, would blow
their whistles to attract the
attention of other policemen and civilians in the area. Whistle
blowing now has a more specific
meaning, with legal ramifications. For example, the American
Society of Civil Engineers (ASCE
Guidelines for Professional Conduct for Civil Engineers 2008)
states
“‘Whistle blowing’ describes the action taken by an employee
who notifies outside
authorities that the employer is breaking a law, rule, or
regulation or is otherwise posing a
direct threat to the safety, health, or welfare of the public.
Employees who ‘blow the
whistle’ on their employers are afforded certain protections
under U.S. law. If an
employee is fired or otherwise retaliated against for whistle
blowing, an attorney should
be consulted to identify legal protections available to the
employee. If it becomes
necessary to blow the whistle, the employee must advise the
appropriate regulatory
agency or a law enforcement agency of the illegal act. Simply
complaining to someone
inside the company is not whistle blowing and leaves the
employee without protection of
whistle blower laws.”
Note that “complaining to someone inside the company” is not,
by this definition, whistle
blowing. Thus Roger Boisjoly’s attempts before the disaster to
get Thiokol management to take
action on the O-ring problem, though courageous and admirable,
do not constitute whistle
blowing.
If Boisjoly can be said to have been a whistle blower, it was
because of his actions in the
Presidential Commission’s investigation after the disaster. He
repeatedly objected to Thiokol’s
assertions about the cause of the disaster. He believed that
managers at Thiokol and Marshall
were trying to minimize the role that temperature played in the
failure of the joint seals, and he
presented his evidence to the Commission, without first
consulting management, and even after
managers had complained to him that his statements were
harming the company. As time went
on, he felt that management was increasingly ignoring him,
isolating him from any significant
role in the joint redesign work then underway, and generally
creating a hostile work
environment. In July, 1986, he took an extended sick leave
from the company. (His colleagues,
Arnie Thompson and Allan McDonald, who also had
experienced management displeasure as
the result of their testimony to the Commission, both continued
working at Thiokol after the
disaster.) In January, 1987, he sued the company for over $2
billion under the False Claims Act
for selling defective hardware to NASA. He filed a second suit
against the company for $18
million in personal damages—mental suffering and disability
that prevented him from returning
to productive work; he accused Thiokol of “criminal homicide”
in causing the death of the flight
crew. After deliberations lasting more than six months, a U.S.
District judge dismissed both
suits. McDonald commented in his book written many years
later that Boisjoly felt he had been
harmed by his whistle-blower role: “He told me he was
blackballed in the industry by [Thiokol]
management, and, indeed, was unsuccessful in finding an
engineering job for over a year … He
was mentally hurt by the Challenger accident and had a tough
time making a living. [He]
eventually became a relatively successful expert witness before
retiring.” (McDonald 2009, pp.
554-555) It is not clear that Boisjoly’s difficulties in obtaining
a new job were attributable to
blackballing by Thiokol: word of his $2 billion lawsuit against
his previous employer had
appeared in the news media and would have tended to drive
away other prospective employers.
In 1988, Boisjoly received the Scientific Freedom and
Responsibility Award from the American
Association for the Advancement of Science, and the Citation of
Honor Award from The
Institute of Electrical and Electronics Engineers.
11. Who had the right to Thiokol documents relating to the
Challenger disaster?
According to newspaper reports, “When Boisjoly left Morton
Thiokol, he took 14 boxes of every
note and paper he received or sent in seven years.” (“Chapman
receives papers from Challenger
disaster”, 2010) The National Society of Professional
Engineers “Code of Ethics for Engineers”
states that “Engineers' designs, data, records, and notes
referring exclusively to an employer's
work are the employer's property.” (NSPE Code of Ethics for
Engineers 2007) Thus if Boisjoly
did not get permission from Thiokol to take the papers, he
violated the Code of Ethics. The
newspaper reports do not say whether or not he got permission;
thus no conclusions can be
drawn.
12. Why are some engineering disasters considered ethical
issues and others are not?
The Challenger disaster triggered a tremendous outpouring of
activity designed to find the causes
of the disaster and to identify the responsible decision makers.
A Presidential commission was
established. The commission’s report was widely disseminated
and analyzed. Congressional
hearings were held. Dozens of books and thousands of
newspaper, magazine, and scholarly
articles were written about the disaster. Thousands of television
and radio interviews and
discussions took place. Thousands of engineering, business, and
philosophy students studied the
Challenger disaster in ethics courses. All this attention was the
result of a series of engineering
decisions that led to the death of seven people.
Compare the attention given to Challenger to the lack of
attention given to another series of
engineering decisions that led to the death of many people. In
response to the 1973 oil embargo
by OPEC countries, Congress in 1975 passed into law the
Corporate Average Fuel Economy
(CAFE) standards. The purpose of the standards was to force
automobile manufacturers to
improve the average fuel mileage of autos and light trucks sold
in the United States. The
standards did not specify how the improved fuel mileage was to
be achieved; that decision was
left to the manufacturers and, of course, to their engineers. The
engineers saw that the only way
to meet the CAFE standards by the required deadlines was to
reduce the weight of the vehicles.
All other things being equal, however, small cars provide
significantly less protection against
injury in a collision than large cars. As a result, the CAFE
standards led to more consequences
than just an improvement in fuel mileage, as described in the
findings of a report by a National
Research Council panel:
“Finding 2. Past improvements in the overall fuel economy of
the nation’s light-duty
vehicle fleet have entailed very real, albeit indirect, costs. In
particular, all but two
members of the [13-member] committee concluded that the
downweighting and
downsizing that occurred in the late 1970s and early 1980s,
some of which was due to
CAFE standards, probably resulted in an additional 1,300 to
2,600 traffic fatalities in
1993.” (Effectiveness and Impact of Corporate Average Fuel
Economy (CAFE)
Standards 2002)
Assuming that the “1,300 to 2,600” fatalities in 1993 were
representative of the number of
fatalities that have occurred every year since the CAFE standards first
went into effect, we can estimate
that thousands of innocent people have died as a result of a
policy set by the government and
implemented through design changes by engineers in the
automobile industry. Small cars are
now safer than they were in the 1970s and 1980s, thanks to the
work of automotive engineers.
Just how much safer is a matter of some debate, but independent
of that debate, the question
remains why those design improvements weren’t done earlier—
as soon as the increase in deaths
associated with small cars was noted in the late 1970s.
So the question arises, “Why has the Challenger disaster (seven
deaths) been considered by
many people as an example of an ethical violation by
irresponsible engineers and managers
while the CAFE standards disaster (thousands of deaths) has
not?” To answer that question,
consider the contrasting characteristics of the Challenger and
CAFE standards deaths:
The Challenger deaths involved people already known to the
public (through media
coverage before the flight); their deaths occurred
simultaneously, in one specific location,
in front of millions of television viewers and were covered by
many reporters; the cause
of the deaths could be clearly traced to a particular piece of
hardware; and government
officials were able to launch a vigorous public investigation
because they were unlikely
to be blamed for a poor policy decision—that is, the
investigation was unlikely to lead to
blaming the legislation that the government officials had
passed.
The CAFE deaths involved the deaths of people not known to
the public; their deaths
occurred in many different locations and were spread over many
years; no television
coverage was present; the link between the standards (and
resulting light-weight
vulnerable autos) and the deaths was not easily traceable to a
particular piece of hardware
or design decision; and government officials had a strong
interest in not linking the
deaths to the CAFE standards, because then government
officials might receive some of
the blame for the deaths.
These considerations suggest that the public’s perception plays
a role in determining the ethical
status of at least some kinds of engineering decisions. Those
decisions sharing the
characteristics of Challenger described above are subject to
ethical scrutiny; those decisions
sharing the CAFE characteristics are excused from widespread
scrutiny. Many of the Challenger
engineers reported personally agonizing over their role in the
deaths of seven astronauts. On the
other hand, if large numbers of automotive engineers have
agonized over the deaths of thousands
of drivers of small cars, they have not expressed it publicly. In
fact, most automotive engineers
would probably be offended were you to suggest that they bear
any ethical responsibility for
designing cars in which people are more likely to be killed or
injured. Their response would
probably be something such as, “We design the cars according
to government requirements; the
public knowingly assumes the risk of driving them.” To judge
from the limited public
controversy (limited compared to the intense publicity
accompanying the Challenger disaster)
surrounding the CAFE standards deaths, a large majority of the
public appears to agree.
Note: A large body of social-science literature exists that
describes how people’s perception of a
risk is often wildly different than the actual risk. The
discussion above, however, refers to
people’s perception of blame, not risk.
13. Summary
A central message of this course is that ethical judgments have
to wait until the facts have been
examined—and the retrospective fallacy and the myth of perfect
engineering practice have to be
avoided when choosing which facts to examine and how to
interpret them. After describing the
facts in the Challenger story—both hardware issues and
personal behaviors, we then considered
various ethical issues: 1) Did NASA engineers violate their duty
to put public safety above
concerns about maintaining the launch schedule? 2) Did
Thiokol engineers violate their duty to
put public safety above concerns about losing a contract with
NASA? 3) Was the principle of
informed consent violated? 4) What was the role of whistle
blowing and related possible
discriminatory treatment of the whistle blowers? 5) Did a
Thiokol engineer violate his duty to
treat records—referring exclusively to his work—as company
property? 6) What are the
characteristics that determine whether or not the public
perceives an engineering decision to
involve an ethical violation? Answering these questions is
difficult; this course has tried to
show, by means of the Challenger case study, that sometimes
the more you learn about the
background of an engineering disaster, the more difficult it
becomes to accept simple, one-cause
explanations of what happened and to assert that the decision
makers acted unethically.
Glossary
Challenger 51-L
NASA designation for the Challenger Space Shuttle
Presidential Commission
In February, 1986, President Reagan appointed a commission to
investigate the causes of the
disaster. William P. Rogers, a former Attorney General, served
as the Chair, and the commission
is also known as the Rogers Commission.
Kennedy
The Shuttle was launched from the Kennedy Space Center in
Cape Canaveral, Florida.
Thiokol
Morton Thiokol Inc. (MTI) was the contractor for the
development of the Solid Rocket Booster.
Marshall (MSFC)
The Marshall Space Flight Center in Huntsville, Alabama, had
oversight responsibility for
Thiokol’s work on the booster.
SRB
Solid rocket booster
SRM
Solid rocket motor (part of the SRB)
References
“ASCE Guidelines for Professional Conduct for Civil Engineers.” (2008).
<http://www.asce.org/uploadedFiles/Ethics_-_New/ethics_guidelines010308v2.pdf> (Dec. 14, 2010).
Effectiveness and Impact of Corporate Average Fuel Economy
(CAFE) Standards. (2002).
Committee on the Effectiveness and Impact of Corporate
Average Fuel Economy (CAFE)
Standards. National Academy Press, Washington, D.C.
Dunar, Andrew J. and Waring, Stephen P., Power To Explore --
History of Marshall Space
Flight Center 1960-1990. (1999). Washington, D.C.:
Government Printing Office.
Exploring the Unknown. Selected Documents in the History of
the U.S. Civil Space Program.
Vol. IV: Accessing Space. (1999). Edited by John M. Logsdon
with Ray A. Williamson, Roger
D. Launius, Russell J. Acker, Stephen J. Garber, and Jonathan
L. Friedman. NASA SP-4407,
NASA History Division, Office of Policy and Plans,
Washington, D.C.
McDonald, Allan J. (2009). Truth, Lies, and O-Rings.
Gainesville, FL: University Press of
Florida.
NASA’s Response to the Committee’s Investigation of the
“Challenger” Accident. Hearing
conducted by the House of Representatives Committee on
Science, Space, and Technology,
February 26, 1987
“NSPE Code of Ethics for Engineers.” (2007).
<http://www.nspe.org/ethics/codeofethics/index.html> (Dec. 14, 2010).
“Chapman receives papers from Challenger disaster.” (2010).
Orange County Register.
<http://www.ocregister.com/news/boisjoly-248703-boyd-chapman.html?plckFindCommentKey=CommentKey:a00a912b-593e-4236-aa06-d85e9d68d755> (Dec. 14, 2010).
Report to the President by the Presidential Commission on the
Space Shuttle Challenger
Accident (1986). Washington, D.C.: Government Printing
Office.
Vaughan, Diane. (1996). The Challenger Launch Decision.
Chicago: University of Chicago
Press.
Code of Ethics for Engineers
4. Engineers shall act for each employer or client as faithful
agents or
trustees.
a. Engineers shall disclose all known or potential conflicts of
interest
that could influence or appear to influence their judgment or the
quality of their services.
b. Engineers shall not accept compensation, financial or
otherwise,
from more than one party for services on the same project, or
for
services pertaining to the same project, unless the circumstances
are
fully disclosed and agreed to by all interested parties.
c. Engineers shall not solicit or accept financial or other
valuable
consideration, directly or indirectly, from outside agents in
connection with the work for which they are responsible.
d. Engineers in public service as members, advisors, or
employees
of a governmental or quasi-governmental body or department
shall
not participate in decisions with respect to services solicited or
provided by them or their organizations in private or public
engineering practice.
e. Engineers shall not solicit or accept a contract from a
governmental
body on which a principal or officer of their organization serves
as
a member.
5. Engineers shall avoid deceptive acts.
a. Engineers shall not falsify their qualifications or permit
misrepresentation of their or their associates’ qualifications.
They
shall not misrepresent or exaggerate their responsibility in or
for the
subject matter of prior assignments. Brochures or other
presentations incident to the solicitation of employment shall
not
misrepresent pertinent facts concerning employers, employees,
associates, joint venturers, or past accomplishments.
b. Engineers shall not offer, give, solicit, or receive, either
directly or
indirectly, any contribution to influence the award of a contract
by
public authority, or which may be reasonably construed by the
public as having the effect or intent of influencing the awarding
of a
contract. They shall not offer any gift or other valuable
consideration in order to secure work. They shall not pay a
commission, percentage, or brokerage fee in order to secure
work,
except to a bona fide employee or bona fide established
commercial
or marketing agencies retained by them.
III. Professional Obligations
1. Engineers shall be guided in all their relations by the highest standards of honesty and integrity.
a. Engineers shall acknowledge their errors and shall not distort or alter the facts.
b. Engineers shall advise their clients or employers when they believe a project will not be successful.
c. Engineers shall not accept outside employment to the detriment of their regular work or interest. Before accepting any outside engineering employment, they will notify their employers.
d. Engineers shall not attempt to attract an engineer from another employer by false or misleading pretenses.
e. Engineers shall not promote their own interest at the expense of the dignity and integrity of the profession.
2. Engineers shall at all times strive to serve the public interest.
a. Engineers are encouraged to participate in civic affairs; career guidance for youths; and work for the advancement of the safety, health, and well-being of their community.
b. Engineers shall not complete, sign, or seal plans and/or specifications that are not in conformity with applicable engineering standards. If the client or employer insists on such unprofessional conduct, they shall notify the proper authorities and withdraw from further service on the project.
c. Engineers are encouraged to extend public knowledge and appreciation of engineering and its achievements.
d. Engineers are encouraged to adhere to the principles of sustainable development¹ in order to protect the environment for future generations.
Preamble
Engineering is an important and learned profession. As members of this profession, engineers are expected to exhibit the highest standards of honesty and integrity. Engineering has a direct and vital impact on the quality of life for all people. Accordingly, the services provided by engineers require honesty, impartiality, fairness, and equity, and must be dedicated to the protection of the public health, safety, and welfare. Engineers must perform under a standard of professional behavior that requires adherence to the highest principles of ethical conduct.
I. Fundamental Canons
Engineers, in the fulfillment of their professional duties, shall:
1. Hold paramount the safety, health, and welfare of the public.
2. Perform services only in areas of their competence.
3. Issue public statements only in an objective and truthful manner.
4. Act for each employer or client as faithful agents or trustees.
5. Avoid deceptive acts.
6. Conduct themselves honorably, responsibly, ethically, and
ENGINEERING ETHICSThe Space Shuttle Challenger Disaster.docx

  • 1. ENGINEERING ETHICS The Space Shuttle Challenger Disaster Department of Philosophy and Department of Mechanical Engineering Texas A&M University NSF Grant Number DIR-9012252 Instructor's Guide Introduction To The Case On January 28, 1986, seven astronauts were killed when the space shuttle they were piloting, the Challenger, exploded just over a minute into the flight. The failure of the solid rocket booster O-rings to seat properly allowed hot combustion gases to leak from the side of the booster and burn through the external fuel tank. The failure of the O-ring was attributed to several factors, including faulty design of the solid rocket boosters, insufficient low- temperature testing of the O-ring material and the joints that the O-ring sealed, and lack of proper communication between different levels of NASA
  • 2. management. Instructor Guidelines Prior to class discussion, ask the students to read the student handout outside of class. In class the details of the case can be reviewed with the aide of the overheads. Reserve about half of the class period for an open discussion of the issues. The issues covered in the student handout include the importance of an engineer's responsibility to public welfare, the need for this responsibility to hold precedence over any other responsibilities the engineer might have and the responsibilities of a manager/engineer. A final point is the fact that no matter how far removed from the public an engineer may think she is, all of her actions have potential impact. Essay #6, "Loyalty and Professional Rights" appended at the end of the case listings in this report will be found relevant for instructors preparing to lead class discussion on this case. In addition, essays #1 through #4 appended at the end of the cases in this report will have relevant background information for the instructor preparing to lead classroom discussion. Their titles are, respectively: "Ethics and Professionalism in Engineering: Why the Interest in Engineering Ethics?;" "Basic Concepts and Methods in Ethics," "Moral Concepts and Theories," and
  • 3. "Engineering Design: Literature on Social Responsibility Versus Legal Liability." Questions for Class Discussion 1. What could NASA management have done differently? 2. What, if anything, could their subordinates have done differently? 3. What should Roger Boisjoly have done differently (if anything)? In answering this question, keep in mind that at his age, the prospect of finding a new job if he was fired was slim. He also had a family to support. 4. What do you (the students) see as your future engineering professional responsibilities in relation to both being loyal to management and protecting the public welfare? The Challenger Disaster Overheads 1. Organizations/People Involved 2. Key Dates 3. Space Shuttle Solid Rocket Boosters (SRB) Joints 4. Detail of SRB Field Joints 5. Ballooning Effect of Motor Casing 6. Key Issues
  • 4. ORGANIZATIONS/PEOPLE INVOLVED Marshall Space Flight Center - in charge of booster rocket development Larry Mulloy - challenged the engineers' decision not to launch Morton Thiokol - Contracted by NASA to build the Solid Rocket Booster Alan McDonald - Director of the Solid Rocket Motors Project Bob Lund - Engineering Vice President Robert Ebeling - Engineer who worked under McDonald Roger Boisjoly - Engineer who worked under McDonald Joe Kilminster - Engineer in a management position Jerald Mason - Senior executive who encouraged Lund to reassess his decision not to launch. KEY DATES 1974 - Morton-Thiokol awarded contract to build solid rocket boosters. 1976 - NASA accepts Morton-Thiokol's booster design. 1977 - Morton-Thiokol discovers joint rotation problem. November 1981 - O-ring erosion discovered after second shuttle flight. January 24, 1985 - shuttle flight that exhibited the worst O-ring blow-by. July 1985 - Thiokol orders new steel billets for new field joint design.
  • 5. August 19, 1985 - NASA Level I management briefed on booster problem. January 27, 1986 - night teleconference to discuss effects of cold temperature on booster performance. January 28, 1986 - Challenger explodes 72 seconds after liftoff. KEY ISSUES HOW DOES THE IMPLIED SOCIAL CONTRACT OF PROFESSIONALS APPLY TO THIS CASE? WHAT PROFESSIONAL RESPONSIBILITIES WERE NEGLECTED, IF ANY? SHOULD NASA HAVE DONE ANYTHING DIFFERENTLY IN THEIR LAUNCH DECISION PROCEDURE? Student Handout - Synopsis On January 28, 1986, seven astronauts were killed when the space shuttle they were piloting, the Challenger, exploded just over a minute into flight. The failure of the solid rocket booster O-rings to seat properly allowed hot combustion gases to leak from the side of the booster and burn through the external fuel tank. The failure of the O-ring was attributed to several factors, including faulty design of the solid rocket boosters, insufficient low temperature testing of the O-ring material and the joints that the O-ring sealed, and lack of communication
  • 6. between different levels of NASA management.
    Organization and People Involved
    Marshall Space Flight Center - in charge of booster rocket development
    Larry Mulloy - challenged the engineers' decision not to launch
    Morton Thiokol - Contracted by NASA to build the Solid Rocket Booster
    Alan McDonald - Director of the Solid Rocket Motors Project
    Bob Lund - Engineering Vice President
    Robert Ebeling - Engineer who worked under McDonald
    Roger Boisjoly - Engineer who worked under McDonald
    Joe Kilminster - Engineer in a management position
    Jerald Mason - Senior Executive who encouraged Lund to reassess his decision not to launch.
    Key Dates
    1974 - Morton-Thiokol awarded contract to build solid rocket boosters.
    1976 - NASA accepts Morton-Thiokol's booster design.
    1977 - Morton-Thiokol discovers joint rotation problem.
    November 1981 - O-ring erosion discovered after second shuttle flight.
    January 24, 1985 - shuttle flight that exhibited the worst O-ring blow-by.
    July 1985 - Thiokol orders new steel billets for new field joint design.
  • 7. August 19, 1985 - NASA Level I management briefed on booster problem. January 27, 1986 - night teleconference to discuss effects of cold temperature on booster performance. January 28, 1986 - Challenger explodes 72 seconds after liftoff. Background NASA managers were anxious to launch the Challenger for several reasons, including economic considerations, political pressures, and scheduling backlogs. Unforeseen competition from the European Space Agency put NASA in a position where it would have to fly the shuttle dependably on a very ambitious schedule in order to prove the Space Transportation System's cost effectiveness and potential for commercialization. This prompted NASA to schedule a record number of missions in 1986 to make a case for its budget requests. The shuttle mission just prior to the Challenger had been delayed a record number of times due to inclement weather and mechanical factors. NASA wanted to launch the Challenger without any delays so the launch pad could be refurbished in time for the next mission, which would be carrying a probe that would examine Halley's Comet. If launched on time, this probe would have collected data a few days before a similar Russian probe would be launched. There was probably also pressure to launch Challenger so it could be in space when President Reagan gave his State of the Union address. Reagan's main
  • 8. topic was to be education, and he was expected to mention the shuttle and the first teacher in space, Christa McAuliffe. The shuttle solid rocket boosters (or SRBs) are key elements in the operation of the shuttle. Without the boosters, the shuttle cannot produce enough thrust to overcome the earth's gravitational pull and achieve orbit. There is an SRB attached to each side of the external fuel tank. Each booster is 149 feet long and 12 feet in diameter. Before ignition, each booster weighs 2 million pounds. Solid rockets in general produce much more thrust per pound than their liquid fuel counterparts. The drawback is that once the solid rocket fuel has been ignited, it cannot be turned off or even controlled. So it was extremely important that the shuttle SRBs were properly designed. Morton Thiokol was awarded the contract to design and build the SRBs in 1974. Thiokol's design is a scaled-up version of a Titan missile which had been used successfully for years. NASA accepted the design in 1976. The booster is comprised of seven hollow metal cylinders. The solid rocket fuel is cast into the cylinders at the Thiokol plant in Utah, and the cylinders are assembled into pairs for transport to Kennedy Space Center in Florida. At KSC, the four booster segments are assembled into a completed booster rocket. The joints where the segments are joined together at KSC are
  • 9. known as field joints (See Figure 1). These field joints consist of a tang and clevis joint. The tang and clevis are held together by 177 clevis pins. Each joint is sealed by two O-rings, the bottom ring known as the primary O-ring, and the top known as the secondary O-ring. (The Titan booster had only one O-ring. The second ring was added as a measure of redundancy since the boosters would be lifting humans into orbit. Except for the increased scale of the rocket's diameter, this was the only major difference between the shuttle booster and the Titan booster.) The purpose of the O-rings is to prevent hot combustion gasses from escaping from the inside of the motor. To provide a barrier between the rubber O-rings and the combustion gasses, a heat resistant putty is applied to the inner section of the joint prior to assembly. The gap between the tang and the clevis determines the amount of compression on the O-ring. To minimize the gap and increase the squeeze on the O-ring, shims are inserted between the tang and the outside leg of the clevis. Launch Delays The first delay of the Challenger mission was because of a weather front expected to move into the area, bringing rain and cold temperatures. Usually a mission wasn't postponed until inclement weather actually entered the area, but the Vice President was expected to be present for the launch and NASA officials wanted to avoid
  • 10. the necessity of the Vice President's having to make an unnecessary trip to Florida; so they postponed the launch early. The Vice President was a key spokesperson for the President on the space program, and NASA coveted his good will. The weather front stalled, and the launch window had perfect weather conditions; but the launch had already been postponed to keep the Vice President from unnecessarily traveling to the launch site. The second launch delay was caused by a defective micro switch in the hatch locking mechanism and by problems in removing the hatch handle. By the time these problems had been sorted out, winds had become too high. The weather front had started moving again, and appeared to be bringing record-setting low temperatures to the Florida area. NASA wanted to check with all of its contractors to determine if there would be any problems with launching in the cold temperatures. Alan McDonald, director of the Solid Rocket Motor Project at Morton-Thiokol, was convinced that there were cold weather problems with the solid rocket motors and contacted two of the engineers working on the project, Robert Ebeling and Roger Boisjoly. Thiokol knew there was a problem with the boosters as early as 1977, and had initiated a redesign effort in 1985. NASA Level I management had been briefed on the problem on August 19, 1985. Almost half of the shuttle flights had experienced O-ring
  • 11. erosion in the booster field joints. Ebeling and Boisjoly had complained to Thiokol that management was not supporting the redesign task force. Engineering Design The size of the gap is controlled by several factors, including the dimensional tolerances of the metal cylinders and their corresponding tang or clevis, the ambient temperature, the diameter of the O-ring, the thickness of the shims, the loads on the segment, and quality control during assembly. When the booster is ignited, the putty is displaced, compressing the air between the putty and the primary O-ring. The air pressure forces the O-ring into the gap between the tang and clevis. Pressure loads are also applied to the walls of the cylinder, causing the cylinder to balloon slightly. This ballooning of the cylinder walls caused the gap between the tang and clevis to open. This effect has come to be known as joint rotation. Morton-Thiokol discovered this joint rotation as part of its testing program in 1977. Thiokol discussed the problem with NASA and started analyzing and testing to determine how to increase the O-ring compression, thereby decreasing the effect of joint rotation. Three design changes were implemented:
  • 12. 1. Dimensional tolerances of the metal joint were tightened. 2. The O-ring diameter was increased, and its dimensional tolerances were tightened. 3. The use of the shims mentioned above was introduced. Further testing by Thiokol revealed that the second seal, in some cases, might not seal at all. Additional changes in the shim thickness and O-ring diameter were made to correct the problem. A new problem was discovered during November 1981, after the flight of the second shuttle mission. Examination of the booster field joints revealed that the O-rings were eroding during flight. The joints were still sealing effectively, but the O-ring material was being eaten away by hot gasses that escaped past the putty. Thiokol studied different types of putty and ways of applying it to determine their effects on reducing O-ring erosion. The shuttle flight 51-C of January 24, 1985, was launched during some of the coldest weather in Florida history. Upon examination of the booster joints, engineers at Thiokol noticed black soot and grease on the outside of the booster casing, caused by actual gas blow-by. This prompted Thiokol to study the effects of O-ring resiliency at low temperatures. They conducted laboratory tests of O-ring compression and resiliency between 50°F and 100°F. In July 1985, Morton Thiokol ordered new steel billets which would be used for a redesigned case field
  • 13. joint. At the time of the accident, these new billets were not ready for Thiokol, because they take many months to manufacture. The Night Before the Launch Temperatures for the next launch date were predicted to be in the low 20°s. This prompted Alan McDonald to ask his engineers at Thiokol to prepare a presentation on the effects of cold temperature on booster performance. A teleconference was scheduled the evening before the re-scheduled launch in order to discuss the low temperature performance of the boosters. This teleconference was held between engineers and management from Kennedy Space Center, Marshall Space Flight Center in Alabama, and Morton-Thiokol in Utah. Boisjoly and another engineer, Arnie Thompson, knew this would be another opportunity to express their concerns about the boosters, but they had only a short time to prepare their data for the presentation.1 Thiokol's engineers gave an hour-long presentation, presenting a convincing argument that the cold weather would exaggerate the problems of joint rotation and delayed O-ring seating. The lowest temperature experienced by the O-rings in any previous mission was 53°F, the January 24, 1985 flight. With a predicted ambient temperature of 26°F at launch, the O-rings were estimated to be at 29°F. After the
  • 14. technical presentation, Thiokol's Engineering Vice President Bob Lund presented the conclusions and recommendations. His main conclusion was that 53°F was the only low temperature data Thiokol had for the effects of cold on the operational boosters. The boosters had experienced O-ring erosion at this temperature. Since his engineers had no low temperature data below 53°F, they could not prove that it was unsafe to launch at lower temperatures. He read his recommendations and commented that the predicted temperatures for the morning's launch were outside the data base and NASA should delay the launch, so the ambient temperature could rise until the O-ring temperature was at least 53°F. This confused NASA managers because the booster design specifications called for booster operation as low as 31°F. (It later came out in the investigation that Thiokol understood that the 31°F limit temperature was for storage of the booster, and that the launch temperature limit was 40°F. Because of this, dynamic tests of the boosters had never been performed below 40°F.) Marshall's Solid Rocket Booster Project Manager, Larry Mulloy, commented that the data was inconclusive and challenged the engineers' logic. A heated debate went on for several minutes before Mulloy bypassed Lund and asked Joe Kilminster for his opinion. Kilminster was in management, although he had an extensive engineering background. By bypassing the engineers, Mulloy was
  • 15. calling for a middle-management decision, but Kilminster stood by his engineers. Several other managers at Marshall expressed their doubts about the recommendations, and finally Kilminster asked for a meeting off of the net, so Thiokol could review its data. Boisjoly and Thompson tried to convince their senior managers to stay with their original decision not to launch. A senior executive at Thiokol, Jerald Mason, commented that a management decision was required. The managers seemed to believe the O-rings could be eroded up to one third of their diameter and still seat properly, regardless of the temperature. The data presented to them showed no correlation between temperature and the blow-by gasses which eroded the O-rings in previous missions. According to testimony by Kilminster and Boisjoly, Mason finally turned to Bob Lund and said, "Take off your engineering hat and put on your management hat." Joe Kilminster wrote out the new recommendation and went back on line with the teleconference. The new recommendation stated that the cold was still a safety concern, but their people had found that the original data was indeed inconclusive and their "engineering assessment" was that launch was recommended, even though the engineers had no part in writing the new recommendation and
  • 16. refused to sign it. Alan McDonald, who was present with NASA management in Florida, was surprised to see the recommendation to launch and appealed to NASA management not to launch. NASA managers decided to approve the boosters for launch despite the fact that the predicted launch temperature was outside of their operational specifications. The Launch During the night, temperatures dropped to as low as 8°F, much lower than had been anticipated. In order to keep the water pipes in the launch platform from freezing, safety showers and fire hoses had been turned on. Some of this water had accumulated, and ice had formed all over the platform. There was some concern that the ice would fall off of the platform during launch and might damage the heat resistant tiles on the shuttle. The ice inspection team thought the situation was of great concern, but the launch director decided to go ahead with the countdown. Note that safety limitations on low temperature launching had to be waived and authorized by key personnel several times during the final countdown. These key personnel were not aware of the teleconference about the solid rocket boosters that had taken place the night before. At launch, the impact of ignition broke loose a shower of ice from the launch platform. Some of the ice struck the left-hand booster, and some ice was
  • 17. actually sucked into the booster nozzle itself by an aspiration effect. Although there was no evidence of any ice damage to the Orbiter itself, NASA analysis of the ice problem was wrong. The booster ignition transient started six hundredths of a second after the igniter fired. The aft field joint on the right-hand booster was the coldest spot on the booster: about 28°F. The booster's segmented steel casing ballooned and the joint rotated, expanding inward as it had on all other shuttle flights. The primary O-ring was too cold to seat properly, the cold-stiffened heat resistant putty that protected the rubber O-rings from the fuel collapsed, and gases at over 5000°F burned past both O-rings across seventy degrees of arc. Eight hundredths of a second after ignition, the shuttle lifted off. Engineering cameras focused on the right-hand booster showed about nine smoke puffs coming from the booster aft field joint. Before the shuttle cleared the tower, oxides from the burnt propellant temporarily sealed the field joint before flames could escape. Fifty-nine seconds into the flight, Challenger experienced the most violent wind shear ever encountered on a shuttle mission. The glassy oxides that sealed the field joint were shattered by the stresses of the wind shear, and within seconds flames from the field joint burned through the external fuel tank. Hundreds of tons of propellant ignited, tearing apart the
  • 18. shuttle. One hundred seconds into the flight, the last bit of telemetry data was transmitted from the Challenger. Issues For Discussion The Challenger disaster has several issues which are relevant to engineers. These issues raise many questions which may not have any definite answers, but can serve to heighten the awareness of engineers when faced with a similar situation. One of the most important issues deals with engineers who are placed in management positions. It is important that these managers not ignore their own engineering experience, or the expertise of their subordinate engineers. Often a manager, even if she has engineering experience, is not as up to date on current engineering practices as are the actual practicing engineers. She should keep this in mind when making any sort of decision that involves an understanding of technical matters. Another issue is the fact that managers encouraged launching due to the fact that there was insufficient low temperature data. Since there was not enough data available to make an informed decision, this was not, in their opinion, grounds for stopping a launch. This was a reversal in the thinking that went on in the early years of the space program, which discouraged
  • 19. launching until all the facts were known about a particular problem. This same reasoning can be traced back to an earlier phase in the shuttle program, when upper-level NASA management was alerted to problems in the booster design, yet did not halt the program until the problem was solved. To better understand the responsibility of the engineer, some key elements of the professional responsibilities of an engineer should be examined. This will be done from two perspectives: the implicit social contract between engineers and society, and the guidance of the codes of ethics of professional societies. As engineers test designs for ever-increasing speeds, loads, capacities and the like, they must always be aware of their obligation to society to protect the public welfare. After all, the public has provided engineers, through the tax base, with the means for obtaining an education and, through legislation, the means to license and regulate themselves. In return, engineers have a responsibility to protect the safety and well-being of the public in all of their professional efforts. This is part of the implicit social contract all engineers have agreed to when they accepted admission to an engineering college. The first canon in the ASME Code of Ethics urges engineers to "hold paramount the safety, health and welfare of the public in the performance of their professional duties." Every major
  • 20. engineering code of ethics reminds engineers of the importance of their responsibility to keep the safety and well being of the public at the top of their list of priorities. Although company loyalty is important, it must not be allowed to override the engineer's obligation to the public. Marcia Baron, in an excellent monograph on loyalty, states: "It is a sad fact about loyalty that it invites...single-mindedness. Single-minded pursuit of a goal is sometimes delightfully romantic, even a real inspiration. But it is hardly something to advocate to engineers, whose impact on the safety of the public is so very significant. Irresponsibility, whether caused by selfishness or by magnificently unselfish loyalty, can have most unfortunate consequences." Annotated Bibliography and Suggested References Feynman, Richard Phillips, What Do You Care What Other People Think?: Further Adventures of a Curious Character, Bantam Doubleday Dell Pub, ISBN 0553347845, Dec 1992. Reference added by request of Sharath Bulusu, as being pertinent and excellent reading - 8-25-00. Lewis, Richard S., Challenger: the final voyage, Columbia University Press, New York, 1988. McConnell, Malcolm, Challenger: a major malfunction,
  • 21. Doubleday, Garden City, N.Y., 1987. Trento, Joseph J., Prescription for disaster, Crown, New York, c1987. United States. Congress. House. Committee on Science and Technology, Investigation of the Challenger accident : hearings before the Committee on Science and Technology, U.S. House of Representatives, Ninety-ninth Congress, second session .... U.S. G.P.O., Washington, 1986. United States. Congress. House. Committee on Science and Technology, Investigation of the Challenger accident : report of the Committee on Science and Technology, House of Representatives, Ninety-ninth Congress, second session. U.S. G.P.O., Washington, 1986. United States. Congress. House. Committee on Science, Space, and Technology, NASA's response to the committee's investigation of the "Challenger" accident : hearing before the Committee on Science, Space, and Technology, U.S. House of Representatives, One hundredth Congress, first session, February 26, 1987. U.S. G.P.O., Washington, 1987. United States. Congress. Senate. Committee on Commerce, Science, and Transportation. Subcommittee on
  • 22. Science, Technology, and Space, Space shuttle accident : hearings before the Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science, and Transportation, United States Senate, Ninety-ninth Congress, second session, on space shuttle accident and the Rogers Commission report, February 18, June 10, and 17, 1986. U.S. G.P.O., Washington, 1986. Notes 1. "Challenger: A Major Malfunction." (see above) p. 194. 2. Baron, Marcia. The Moral Status of Loyalty. Illinois Institute of Technology: Center for the Study of Ethics in the Professions, 1984, p. 9. One of a series of monographs on applied ethics that deal specifically with the engineering profession. Provides arguments both for and against loyalty. 28 pages with notes and an annotated bibliography. Engineering Ethics Case Study:
  • 23. The Challenger Disaster Course No: LE3-001 Credit: 3 PDH Mark Rossow, PhD, PE, Retired Continuing Education and Development, Inc.
  • 24. © 2012 Mark P. Rossow All rights reserved. No part of this work may be reproduced in any manner without the written permission of the author.
  • 25. Preface On January 28, 1986, the Space Shuttle Challenger burst into flame shortly after liftoff. All passengers aboard the vehicle were killed. A presidential commission was formed to investigate the cause of the accident and found that the O-ring seals had failed, and, furthermore, that the seals had been recognized as a potential hazard for several years prior to the disaster. The commission’s report, Report to the President by the Presidential Commission on the Space Shuttle Challenger Accident, stated that because managers and engineers had known in advance of the O-ring danger, the accident was principally caused by a lack of communication between engineers and management and by poor management practices. This became the standard interpretation of the cause of the Challenger disaster and routinely appears in popular articles and books about engineering, management, and ethical issues. But the interpretation ignores much of the history of how NASA and the contractor’s engineers
  • 26. had actually recognized and dealt with the O-ring problems in advance of the disaster. When this history is considered in more detail, the conclusions of the Report to the President become far less convincing. Two excellent publications that give a much more complete account of events leading up to the disaster are The Challenger Launch Decision by Diane Vaughan, and Power To Explore -- History of Marshall Space Flight Center 1960-1990 by Andrew Dunar and Stephen Waring. As Dunar and Waring put it—I would apply their remarks to Vaughan’s work as well— “Allowing Marshall engineers and managers to tell their story, based on pre-accident documents and on post-accident testimony and interviews, leads to a more realistic account of the events leading up to the accident than that found in the previous studies.” I would strongly encourage anyone with the time and interest to read both of these publications, which are outstanding works of scholarship. For those persons lacking the time—the Vaughan book is over 550 pages—I have written the present condensed description of the Challenger incident. I have drawn the material for Sections 1-8 and 10 from multiple
  • 27. sources but primarily from Vaughan, the Report to the President, and Dunar and Waring. Of course, any errors introduced during the process of fitting their descriptions and ideas into my narrative are mine and not the fault of these authors. Sections 9, 11, and 12 are original contributions of my own. All figures have been taken from Report to the President. Mark Rossow Introduction Course Content This course provides instruction in engineering ethics through a case study of the Space Shuttle Challenger disaster. The course begins by presenting the minimum technical details needed to
  • 28. understand the physical cause of the Shuttle failure. The disaster itself is chronicled through NASA photographs. Next the decision-making process— especially the discussions occurring during the teleconference held on the evening before the launch—is described. Direct quotations from engineers interviewed after the disaster are frequently used to illustrate the ambiguities of the data and the pressures that the decision-makers faced in the period preceding the launch. The course culminates in an extended treatment of six ethical issues raised by Challenger. Purpose of Case Studies Principles of engineering ethics are easy to formulate but sometimes hard to apply. Suppose, for example, that an engineering team has made design choice X, rather than Y, and X leads to a bad consequence—someone was injured. To determine if the engineers acted ethically, we have to answer the question of whether they chose X rather than Y because 1) X appeared to be the better technical choice, or 2) X promoted some other end (for example, financial) in the
  • 29. organization. Abstract ethics principles alone cannot answer this question; we must delve into the technical details surrounding the decision. The purpose of case studies in general is to provide us with the context—the technical details—of an engineering decision in which an ethical principle may have been violated. Case Study of Challenger Disaster On January 28, 1986, the NASA space Shuttle Challenger burst into a ball of flame 73 seconds after take-off, leading to the death of the seven people on board. Some months later, a commission appointed by the President to investigate the causes of the disaster determined that the cause of the disaster was the failure of a seal in one of the solid rocket boosters (Report to the President 1986, vol. 1, p. 40). Furthermore, Morton Thiokol, the contractor responsible for the seal design, had initiated a teleconference with NASA on the evening before the launch and had, at the beginning of the teleconference, recommended against launching because of concerns about the performance of the seal. This recommendation was
  • 30. reversed during the teleconference, with fatal consequences. To understand the decisions that led to the Challenger disaster, you must first understand what the technical problems were. Accordingly, this course begins by presenting the minimum technical details you will need to understand the physical cause of the seal failure. After laying this groundwork, we examine what occurred in the teleconference. You will probably find, as you learn more and more about the Challenger project, that issues that had appeared simple initially are actually far more complex; pinpointing responsibility and assigning blame are not nearly as easy as many popular accounts have made them. The purpose of the present course is 1) to consider some of the issues and show by example how difficult it can be to distinguish unethical behavior from technical mistakes (with severe consequences), and 2) to equip you to think critically and act appropriately when confronted with ethical decisions in your own professional work.
  • 31. The course is divided into the following topics: 1. Two Common Errors of Interpretation 2. Configuration of Shuttle 3. Function of O-rings 4. History of Problems with Joint Seals 5. Teleconference 6. Accident 7. Ethical issue: Did NASA take extra risks because of pressure to maintain Congressional funding? 8. Ethical issue: Did Thiokol take extra risks because of fear of losing its contract with NASA? 9. Ethical issue: Was the Principle of Informed Consent violated? 10. Ethical issue: What role did whistle blowing have in the Challenger story? 11. Ethical issue: Who had the right to Thiokol documents relating to the Challenger disaster? 12. Ethical issue: Why are some engineering disasters considered ethical issues and others are not?
  • 32. 13. Summary 1. Two Common Errors of Interpretation Persons studying the history of an engineering disaster must be alert to the danger of committing one of the following common errors: 1) the myth of perfect engineering practice, and 2) the retrospective fallacy. The Myth of Perfect Engineering Practice The sociologist, Diane Vaughan, who has written one of the most thorough books on Challenger, has pointed out that the mere act of investigating an accident can cause us to view, as ominous, facts and events that we otherwise would consider normal: “When technical systems fail, … outside investigators consistently find an engineering world characterized by ambiguity, disagreement, deviation from design specifications and operating standards, and ad hoc rule making. This messy situation, when revealed to the public, automatically becomes an explanation for the failure, for after all, the engineers and
  • 33. managers did not follow the rules. … [On the other hand,] the engineering process behind a ‘nonaccident’ is never publicly examined. If nonaccidents were investigated, the public would discover that the messy interior of engineering practice, which after an accident investigation looks like ‘an accident waiting to happen,’ is nothing more or less than ‘normal technology.’” (Vaughan 1996, p. 200) Thus as you read the description of the Challenger disaster on the pages to follow, keep in mind that just because some of the engineering practices described are not neat and tidy processes in which consensus is always achieved and decisions are always based on undisputed and unambiguous data, that fact alone may not explain the disaster; such practices may simply be part of normal technology—that usually results in a nonaccident. The Retrospective Fallacy Engineering projects sometimes fail. If the failure involves enough money or injuries to innocent people, then investigators may be brought in to determine the causes of the failure and
  • 34. identify wrongdoers. The investigators then weave a story explaining how decision-makers failed to assess risks properly, failed to heed warning signs, used out-of-date information, ignored quality-control, took large risks for personal gain, etc. But there is a danger here: the story is constructed by selectively focusing on those events that are known to be important in retrospect, that is, after the failure has occurred and observers look back at them. At the time that the engineers were working on the project, these events may not have stood out from dozens or even hundreds of other events. “Important” events do not come labeled “PARTICULARLY IMPORTANT: PAY ATTENTION”; they may appear important only in retrospect. To the extent that we retrospectively identify events as particularly important—even though they may not have been thought particularly important by diligent and competent people working at the
  • 35. time—we are committing the “retrospective fallacy.” (Vaughan 1996, pp. 68-70) In any discussion of the Challenger disaster, the tendency to commit the retrospective fallacy exists, because we all know the horrendous results of the decisions that were made—and our first reaction is to say, “How could they have ignored this?” or, “Why didn’t they study that more carefully?” But to understand what happened, it is crucial to put yourself in the place of the engineers and to focus on what they knew and what they thought to be important at the time. For example, NASA classified 745 components on the Shuttle as “Criticality 1”, meaning failure of the component would cause the loss of the crew, mission, and vehicle (NASA’s Response to the Committee’s Investigation of the “Challenger” Accident 1987). With the advantage of 20-20 hindsight, we now know that the engineers made a tragic error in judging the possibility of failure of a particular one of those 745 components—the seals—an “acceptable risk.” But at the time, another issue—problems with the Shuttle main engines—attracted more concern
  • 36. (McDonald 2009, pp. 64-65). Similarly, probably most of the decisions made by the Shuttle engineers and managers were influenced to some extent by considerations of cost. As a result, after the disaster it was a straightforward matter to pick out specific decisions and claim that the decision-makers had sacrificed safety for budgetary reasons. But our 20-20 hindsight was not available to the people involved in the Challenger project, and as we read the history we should continually ask questions such as “What did they know at the time?,” “Is it reasonable to expect that they should have seen the significance of this or that fact?,” and “If I were in their position and knew only what they knew, what would I have done?” Only through such questions can we hope to understand why the Challenger disaster occurred and to evaluate its ethical dimensions. 2. Configuration of Shuttle. NASA had enjoyed widespread public support and generous funding for the Apollo program to put a man on the moon. But as Apollo neared completion and concerns about the cost of the
  • 37. Vietnam War arose, continued congressional appropriations for NASA were in jeopardy. A new mission for NASA was needed, and so the Space Shuttle program was proposed. The idea was to develop an inexpensive (compared to Apollo) system for placing human beings and hardware in orbit. The expected users of the system would be commercial and academic experimenters, the military, and NASA itself. On January 5, 1972, President Nixon announced the government’s approval of the Shuttle program. Fig. 1 Configuration of the Shuttle Because a prime goal was to keep costs down, reusable space vehicles were to be developed. After many design proposals and compromises—for example, the Air Force agreed not to develop any launch vehicles of its own, provided that the Shuttle was designed to accommodate
  • 38. military needs—NASA came up with the piggyback design shown in Figure 1. The airplane-like craft (with the tail fin) shown in side view on the right side of the figure is the “Orbiter.” The Orbiter contains the flight crew and a 60 feet long and 15 feet wide payload bay designed to hold cargo such as communications satellites to be launched into orbit, an autonomous Spacelab to be used for experiments in space, or satellites already orbiting that have been retrieved for repairs. Before launch, the Orbiter is attached to the large (154 feet long and 27 1/2 feet in diameter) External Tank—the middle cylinder with the sharp-pointed end shown in the figure; the External Tank contains 143,000 gallons of liquid oxygen and 383,000 gallons of liquid hydrogen for the Orbiter's engines. The two smaller cylinders on the sides of the External Tank are the Solid Rocket Boosters
  • 39. (SRBs). The SRBs play a key role in the Challenger accident and accordingly will be described here in some detail. The SRBs contain solid fuel, rather than the liquid fuel contained by the External Tank. The SRBs provide about 80 percent of the total thrust at liftoff; the remainder of the thrust is provided by the Orbiter's three main engines. Morton-Thiokol Inc. held the contract for the development of the SRBs. The SRBs fire for about two minutes after liftoff, and then, their fuel exhausted, are separated from the External Tank. A key goal of the Shuttle design was to save costs by re-using the SRBs and the Orbiter. The conical ends of the SRBs contain parachutes that are deployed, after the SRBs have been separated from the External Tank, and allow the SRBs to descend slowly to the ocean below. The SRBs are then picked out of the water by recovery ships and taken to repair facilities, where preparations are made for the next flight. After the SRBs are detached, the
  • 40. Orbiter’s main engines continue firing until it achieves low earth orbit. Then the External Tank is jettisoned towards earth where it burns up in the atmosphere—the External Tank is not re-used. Once the crew has completed its mission in orbit, the Orbiter returns to earth where it glides (no propulsion is used) to a landing on a conventional airstrip. The Orbiter can then be refurbished for its next launch. More Details about the SRBs Fig. 2 Solid Rocket Booster with Exploded View Showing Segments and Joints Figure 2 shows the subassemblies that make up the SRB. Because the total length of the SRB was almost 150 feet, it was too large to ship as a single unit by rail from Thiokol’s manufacturing facility in Utah to the Kennedy Space Center
  • 41. launch site in Florida. Furthermore, shipping the SRB as a single unit would mean that a large amount of rocket fuel would be concentrated in a single container—creating the potential for an enormous explosion. For these reasons, Thiokol manufactured the SRB from individual cylindrical segments each approximately 12 feet in diameter. At Thiokol’s plant in Utah, individual segments were welded together to form four “casting” segments, into which propellant was poured (cast). The welded joints within a casting segment were called “factory joints.” The four casting segments were then shipped individually by rail to Kennedy, where they were assembled—by stacking, not welding—to form the solid rocket motor (SRM) of the SRB. The joints created by the assembly process at Kennedy were called “field joints.” The sealing problem that led to the Challenger’s destruction occurred in the field joint at the right end of the AFT MID SEGMENT in Figure 2. Hot combustion gases from the SRM leaked through the joint and either weakened or burned a hole in the External Tank, igniting the contents of the Tank and
  • 42. producing a catastrophic fireball. 3. Function of O-rings The cutaway view of the SRB in Figure 3 shows the aft field joint location in the assembled SRB. Fig. 3. Location of the Problematic Aft Field Joint Fig. 4. Cross Section of Field Joint Figure 4 shows how the upper SRM segment in a field joint is connected to the lower segment by a pin passing through the “tang” (the tongue on the upper segment) and the “clevis” (the U-shaped receptacle cut in the lower segment); 177 such steel pins are inserted around the circumference of each joint. When the propellant is burning and generating hot combustion
  • 43. gases under the enormous pressure necessary to accelerate the SRB, the joint must be sealed to prevent the gases from leaking and possibly damaging exterior parts of the Shuttle. This sealing is accomplished by a primary O-ring backed up by a secondary O-ring (O-rings are widely used in machine design and, when functioning properly, can seal pressures in the range of thousands of psi). An SRM O-ring has been compared to “a huge length of licorice—same color, same diameter (only 0.28”)—joined at the ends so it forms a circle 12’ across” (Vaughan 1996, p. 40). SRM O-rings were made of a rubberlike synthetic material called Viton. To prevent the hot combustion gases from contacting and thus degrading the Viton when the propellant was ignited, zinc chromate putty was applied in the region shown in Figure 4 prior to assembly of the SRM segments.
  • 44. Fig. 5. Effect of Compression of the O-ring in Inhibiting Pressure Actuation Pressure Actuation of the O-ring Seal Besides protecting the O-rings from the corrosive effects of the hot combustion gases, the putty is intended to be pushed outward from the combustion chamber during ignition, compress the air ahead of the primary O-ring, and thus force the O-ring into the tang-clevis gap, thereby sealing the gap. This process is referred to as “pressure-actuated sealing.” Experiments show that pressure actuation is most effective when the high-pressure air acts over the largest possible portion of the high-pressure side of the O-ring. In the leftmost sketch in Figure 5, for example, the high-pressure side extends from the “Response Node” at the top to the point of tangency at the bottom of the groove. If, however, the O-ring is initially compressed during assembly, then the O-ring may deform sufficiently to cause contact with the left-hand side of the groove, as
  • 45. shown in the rightmost sketch in Figure 5. In that case, the high-pressure air acts over only the surface of the upper left-hand side of the O-ring, and pressure actuation of the seal is impaired. This problem is lessened if, upon ignition, the joint gap opens, and the O-ring is able to spring back elastically and lose contact with sides of the groove, as in the middle sketch in Figure 5. However, when the temperature is low, the O-ring loses much of its elasticity and as a result may retain its compressed shape, as in the right-hand sketch of Figure 5. This retention of the compressed shape has three unfortunate consequences: 1) pressure actuation is delayed or impaired because the high-pressure air cannot get to the lower left-hand side of the O-ring, 2) pressure actuation is delayed or impaired because the O-ring does not seal the opened gap, and the actuation pressure on the O-ring decreases as the fluid is able to pass by the O-ring, and 3) because of the lack of sealing, compressed air, putty, and then hot combustion gas may blow by through the gap, and in the process, damage or even destroy the O-ring.
  • 46. In general, pressure actuation was also affected negatively by several other factors, such as the behavior of the putty and the increase in gap size caused by re-use of the SRM. From consideration of all these factors and from observation of the explosion, the Presidential Commission concluded “that the cause of the Challenger accident was the failure of the pressure seal in the aft field joint of the right Solid Rocket Motor [Italics in the original]. The failure was due to a faulty design unacceptably sensitive to a number of factors. These factors were the effects of temperature, physical dimensions, the character of materials, the effects of reusability, processing, and the reaction of the joint to dynamic loading.” (Report to the President 1986, vol. 1, p. 69) 4. History of Problems with Joint Seals From the very beginning, in 1973, of Thiokol’s contract to develop the SRM, problems arose
  • 47. with the joints. The Thiokol design for the SRM was based on the Air Force’s Titan III, one of the most reliable solid-fuel rockets produced up to that time. But Thiokol engineers could not simply copy the Titan design—the SRM was larger than the Titan’s motor and had to be designed for refurbishment and repeated use. One particular area in which the two motors differed was the field joints, and Thiokol’s initial design for the SRM field joints worried engineers at the Marshall Space Flight Center, who were responsible for monitoring Thiokol’s contract. Many modifications and reviews of the design ensued, and Thiokol and Marshall finally began various load tests in 1976. Early tests were successful and gave engineers confidence. In an important test in 1977, however, the joint seals surprised the engineers by exhibiting “joint rotation,” illustrated in Fig. 6. Of particular concern is the loss of redundancy in the design because not just the primary but also the secondary O-ring is rendered ineffective if the gap opens sufficiently. (It is important to realize the scale of the events being described: the
  • 48. gap between the tang and clevis in the unpressurized joint is tiny: 0.004”; in the pressurized joint the gap was estimated to lie between 0.042” and 0.06”—caused by a joint rotation that occurs in the first 0.6 seconds of ignition.) Fig. 6 Joint Rotation Other sealing problems—some but not all related to joint rotation—such as blow-by, ring charring, ring erosion, loss of resilience of the O-ring material at low temperature, and performance of the putty were observed later in various static tests and launches. Engineers both at Thiokol and at Marshall were aware of these problems. On July 31, 1985, Roger Boisjoly, a Thiokol engineer specializing in O-rings, wrote a memo to Thiokol vice president Robert Lund
  • 49. with the subject line, "O-ring Erosion/Potential Failure Criticality", after nozzle joint erosion was detected in an SRB: “This letter is written to insure that management is fully aware of the seriousness of the current O-ring erosion problem in the SRM joints from an engineering standpoint.” “The mistakenly accepted position on the joint problem was to fly without fear of failure and to run a series of design evaluations which would ultimately lead to a solution or at least a significant reduction of the erosion problem. This position is now changed as a result of the [51-B] nozzle joint erosion which eroded a secondary O-ring with the primary O-ring never sealing. If the same scenario should occur in a field joint (and it could), then it is a jump ball whether as to the success or failure of the joint because the secondary O-ring cannot respond to the clevis opening rate and may not be capable of pressurization. The result would be a catastrophe of the highest order-loss of human
  • 50. life…” Boisjoly urged that a team be set up to work on the O-ring problem, and ended by saying "It is my honest and very real fear that if we do not take immediate action to dedicate a team to solve the problem, with the field joint having the number one priority, then we stand in jeopardy of losing a flight along with all the launch pad facilities." [quoted in Vaughan 1996, p. 447] Boisjoly later charged that Thiokol management failed to provide adequate follow-up and support to correct the problem described in his memo. Readers tempted to commit the retrospective fallacy after reading Boisjoly’s memo should note that the memo does not mention temperature effects on the seal.
  • 51. The years of concern about the sealing problems eventually led to a briefing at NASA Headquarters in Washington on August 19th, 1985, by Marshall and Thiokol, in which they presented both an engineering evaluation and a redesign plan. They noted that only 5 of 111 primary O-rings in field joints and 12 of 47 primary O-rings in nozzle joints had shown erosion in various tests and flights. Thiokol argued that various experimental and flight data verified the safety of the design. They said, however, that the field joint was the “highest concern” and presented plans for improving the joints both with short-term fixes and longer-term fixes that would take over two years to implement. Data from studies by Arnie Thompson (Boisjoly’s boss) of the effect of temperature on ring resiliency were presented, but imposing a temperature launch constraint was not mentioned. The review judged that leak checks and careful assembly made it “safe to continue flying [the] existing design.” Nevertheless, NASA needed “to continue
  • 52. at an accelerated pace to eliminate SRM seal erosion.” In the meantime, the risks were considered acceptable [Dunar and Waring, p. 363]. 5. Teleconference After several delays, the Challenger launch was scheduled for January 28, 1986, at 9:38 AM EST. At about 1 PM on the 27th, however, NASA personnel became concerned about the unusually low temperatures—in the low 20’s—predicted for early morning of the next day. A Marshall manager asked Thiokol engineers to review the effect the low temperatures might have on the SRM. Accordingly, a meeting was held at Thiokol’s Utah facility. Engineers there stated their concern that the extreme cold would greatly reduce O-ring resiliency and ability to seal the joints. A teleconference among Thiokol, Marshall, and Kennedy personnel was set for 5:45 PM EST to discuss the situation. At the teleconference, Thiokol engineers made no official recommendation about delaying the
  • 53. launch. The discussion centered on their concerns about the effect of the low temperatures on the O-rings. However, some of the teleconference participants were unable to hear well, because of a poor telephone connection, and some key personnel had not been located in time to be included in the teleconference, so the teleconference was ended, and a second one scheduled for 8:15 PM EST. In the interim, Thiokol engineers had time to organize their data in charts and fax them to Marshall and Kennedy. A total of thirty-four managers and engineers from Thiokol, Marshall, and Kennedy took part in the second teleconference. Thiokol engineers began the teleconference by discussing the charts that they had faxed to the other teleconference participants. The Thiokol position was that because significant O-ring blow-by and damage had been observed in the coldest previous
  • 54. launch—53°F—the O-ring material would lose much of its resilience and the joint could fail, were the launch to be conducted at a temperature in the 20’s or low 30’s. When directly asked by Larry Mulloy, Manager of the SRB project at Marshall, Thiokol Vice President Joe Kilminster responded that Thiokol could not recommend launch if the temperature was below 53°F. After Kilminster’s statement, Marshall personnel began challenging the Thiokol position. Of the several objections raised, two particularly stand out. First, the data supporting the relation between temperature and blow-by was ambiguous. Blow-by had once occurred in a launch at 75°F, indicating a cause independent of temperature. And even Roger Boisjoly, one of the Thiokol engineers most knowledgeable about sealing and most concerned about the danger to the seal of launching at low temperatures admitted later “I was asked to quantify my concerns, and I said I couldn’t, I couldn’t quantify it, I had no data to quantify it, but I did say I knew that it was
  • 55. away from goodness in the current data base.” The second objection to the Thiokol position centered on the 53°F limit. For almost three weeks in December, 1985, and two weeks in January, 1986, Cape Canaveral temperatures had been below 53°F, once even reaching 41°F. Launches of the Shuttle Columbia had been scheduled (and repeatedly scrubbed) during these times, yet Thiokol had never voiced concern about the effect of these temperatures on the capacity of the O-rings to seal the joint. In short, as Thiokol’s Larry Sayer later admitted, “[W]e had a very weak engineering position when we went into the telecom.” Marshall’s Ben Powers similarly observed “I don’t believe they did a real convincing job of presenting their data … The Thiokol guys even had a chart in there that says temperature of the O-ring is not the only parameter controlling blow-by. In other words, they’re not coming in with a real firm
  • 56. statement. They’re saying there’s other factors. They did have a lot of conflicting data in there. I can’t emphasize that enough. Let me quote. On [one] chart of theirs, they had data that said they ran some sub-scale tests down at 30 degrees, and they saw no leakage. Now they’re talking out of both sides of their mouth, see. They’re saying, “Hey, temperature doesn’t have any effect.” Well, I’m sure that that was an extremely important piece of data to Mr. Hardy [Deputy Director of Science and Engineering at Marshall], and certainly to my boss, Mr. McCarty, and Mr. Smith.” (Vaughan 1996, p. 307) Observations like this make it understandable why Marshall’s Mulloy complained that Thiokol was, on the eve of a launch, creating a new criterion for launch safety, since no requirement for O-ring temperature to exceed some minimum had ever been previously formulated. Mulloy said, “My God, Thiokol, when do you want me to launch, next April?” George Hardy stated that he
  • 57. was “appalled” at the Thiokol recommendation. Hardy’s colleague at Marshall, Keith Coates, later offered a rationale for Hardy’s response: “George was used to seeing O-rings eroded, and I’m sure that he recognized that it was not a perfect condition, and he did not feel that the 20°F difference between 53°F and 33°F, or somewhere in that range, should make that much difference on seating an O-ring, since you’ve got 900 psi cramming that O-ring into that groove and it should seal whether it is at 53°F or 33°F. He did say, I do remember a statement something to this effect, ‘For God’s sake, don’t let me make a dumb mistake.’ And that was directed to the personnel in the room there at Marshall. I think he fully appreciated the seriousness of it, and so I think that that is on the other side of the coin that he was amazed or appalled at the recommendation.” (quoted in Vaughan 1996, p. 314)
  • 58. Thiokol’s Kilminster was then asked for his view. He asked for a brief meeting, off-line, with his colleagues in Utah. When the meeting began, Thiokol Senior Vice President Jerry Mason took charge of the discussion. It soon became clear that he was not persuaded by the argument against launching. In response, Roger Boisjoly and Arnie Thompson strongly defended the recommendation not to launch, pointing out that the temperatures predicted for the next day at Cape Canaveral were 20°F below the temperatures at which anyone had had previous launch experience with the O-rings. Then Mason said if the engineers could not come forward with any new data to decide the issue, “We have to make a management decision,” indicating that the four senior Thiokol managers present would make the decision. (Even though he referred to a “management” decision, all managers involved, at both Thiokol and Marshall, had training and experience as engineers.) The four Thiokol managers spoke some more and then held a vote (Boisjoly, Thompson, and the others did not get to vote). Three
  • 59. voted in favor of launching; the fourth, Robert Lund, paused. [Recall that Lund had been the recipient of Boisjoly’s July, 1985, memo warning of “the seriousness of the current O-ring erosion problem”]. Mason then asked if Lund would “take off his engineering hat and put on his management hat.” [In the post-tragedy investigation, Mason explained that he meant that the engineering data were not sufficient to decide the issue—a judgment must be made by the people in charge.] Lund voted for launching. When the teleconference resumed, Kilminster stated Thiokol’s new position—in favor of launching—and gave a rationale. Shuttle Projects Manager Stanley Reinartz asked if anybody participating in the teleconference disagreed or had any other comments about the Thiokol recommendation. Nobody spoke. Thus Marshall and Kennedy participants were unaware that some Thiokol engineers continued to disagree with the decision to launch. Allan McDonald, Thiokol’s Director of the SRM project, was stationed at Kennedy and had
  • 60. participated in the teleconference. After the teleconference was finished, he took a strong stand against launching. Because he had not participated in Thiokol’s offline discussion, he did not know why Thiokol had changed their position to supporting launching, but he stated clearly that the motor had been qualified only down to 40°F, and further, that “I certainly wouldn’t want to be the one that has to get up in front of a board of inquiry if anything happens to this thing and explain why I launched the thing outside of what I thought it was qualified for.” [quoted in Vaughan, p. 327] At launch time the next day, the temperature at the launch pad was 36°F. At this point, the reader might want to recall the myth of perfect engineering practice, discussed in Section 1. The discussion and decision-making process
  • 61. occurring in the teleconference were not unusual. Holding a teleconference before launch was not out of the ordinary but rather was the NASA norm. Similarly, disagreement among engineers working on a large technical project was also the norm, and NASA management routinely subjected any engineer making a recommendation to tough questioning to ensure that the recommendation was based on sound data and logical thinking. What was unusual in this teleconference was that it was the first time in the life of the project that a contractor had made a recommendation not to launch. Before, it had always been NASA that called for a delay. 6. Accident The Space Shuttle Challenger launch began at 11:38 Eastern Standard Time on January 28th, 1986. The following photos and captions are reproduced, with some modification, from Volume 1 of the Report to the President by the Presidential Commission on the Space Shuttle Challenger
  • 62. Accident. Fig. 7. Immediately after solid rocket motor ignition, dark smoke (arrows) swirled out between the right hand booster and the External Tank. The smoke's origin, behavior and duration were approximated by visual analysis and computer enhancement of film from five camera locations. Consensus: smoke was first discernible at .678 seconds Mission Elapsed Time in the vicinity of the right booster's aft field joint. Fig. 8. Multiple smoke puffs are visible in the photo above (arrows). They began at .836 seconds and continued through 2.500 seconds, occurring about 4 times a
  • 63. second. Upward motion of the vehicle caused the smoke to drift downward and blur into a single cloud. Smoke source is shown in the computer generated drawing (far right). Fig. 9. At 58.788 seconds, the first flicker of flame appeared. Barely visible above, it grew into a large plume and began to impinge on the External Tank at about 60 seconds. Flame is pinpointed in the computer drawing between the right booster and the tank, as in the case of earlier smoke puffs. At far right (arrow), vapor is seen escaping from the apparently breached External Tank.
  • 64. Fig. 10. Camera views indicate the beginning of rupture of the liquid hydrogen and liquid oxygen tanks within the External Tank. A small flash (arrows above) intensified rapidly, then diminished. Fig. 11. A second flash, attributed to rupture of the liquid oxygen tank, occurred above the booster/tank forward attachment (left) and grew in milliseconds to the maximum size indicated in the computer drawing. Fig. 12. Structural breakup of the vehicle began at approximately 73 seconds. Fire spread very rapidly. Above [right], a bright flash (arrow) is evident near the nose of the Orbiter, suggesting spillage and ignition of the spacecraft's reaction control system propellants. At left, the two Solid Rocket Boosters thrust away from the fire, crisscrossing to form
  • 65. a “V.” Fig. 13. At right, the boosters diverge farther; the External Tank wreckage is obscured by smoke and vapor. The Orbiter, engines still firing, is visible at bottom center. Fig. 14. At about 76 seconds, unidentifiable fragments of the Shuttle vehicle can be seen tumbling against a background of fire, smoke and vaporized propellants from the External Tank (left).
  • 66. Fig. 15. In the photo at right, the left booster (far right) soars away, still thrusting. The reddish-brown cloud envelops the disintegrating Orbiter. The color is characteristic of the nitrogen tetroxide oxidizer in the Orbiter Reaction Control System propellant. Fig. 16. Hurtling out of the fireball at 78 seconds are the Orbiter's left wing (top arrow), the main engines (center arrow) and the forward fuselage (bottom arrow). In the photo below [bottom right], it plummets earthward, trailed by smoking fragments of Challenger.
  • 67. Fig. 17. At 11:44 a.m. Eastern Standard Time, a GOES environment-monitoring satellite operated by the National Oceanic and Atmospheric Administration acquired this image of the smoke and vapor cloud from the 51-L accident. The coast of Florida is outlined. Fig. 18. Flight crew: Francis R. (Dick) Scobee, Commander; Michael John Smith, Pilot; Ellison S. Onizuka, Mission Specialist One; Judith Arlene Resnik,
  • 68. Mission Specialist Two; Ronald Erwin McNair, Mission Specialist Three; S. Christa McAuliffe, Payload Specialist One; Gregory Bruce Jarvis, Payload Specialist Two. “The consensus of the Commission and participating investigative agencies is that the loss of the Space Shuttle Challenger was caused by a failure in the joint between the two lower segments of the right Solid Rocket Motor. The specific failure was the destruction of the seals that are intended to prevent hot gases from leaking through the joint during the propellant burn of the
  • 69. rocket motor. The evidence assembled by the Commission indicates that no other element of the Space Shuttle system contributed to this failure.” (Report to the President 1986, vol. 1, p. 40) 7. Ethical issue: Did NASA knowingly take extra risks because of pressure to maintain Congressional funding? To sell the Space Shuttle program to Congress initially, NASA had promised that Shuttle flights would become thoroughly routine and economical. Arguing that the more flights taken per year the more routinization and economy would result, NASA proposed a highly ambitious schedule—up to 24 launches per year (Report to the President 1986, vol. 1, p. 164). But as work on the program proceeded, NASA encountered many delays and difficulties. Concern was voiced in Congress, and NASA officials were worried about continued budget support. To show Congress that progress was being made, NASA planned a record number of launches for 1986. The January Challenger launch was to be the first launch of the year, but unfortunately—and to NASA’s further embarrassment—the launch of the Shuttle Columbia scheduled for the previous
  • 70. December was delayed a record seven times (for various reasons, including weather and hardware malfunctions), and finally launched on January 12, 1986, necessitating Challenger’s launch date be set back. Thus NASA managers were undeniably under pressure to launch without further delays; a public-relations success was badly needed. This pressure led to managerial wrongdoing, charged John Young, Chief of NASA’s Astronaut Office, in an internal NASA memo dated March 4, 1986: “There is only one driving reason that such a potentially dangerous system would ever be allowed to fly—launch schedule pressure.” (Exploring the Unknown 1999, p. 379). Young’s memo was written more than a month after the disaster, so concerns about the retrospective fallacy arise. In any event, the question is, “Did pressure to meet an ambitious launch schedule cause NASA to take risks that otherwise would not have been taken?” The question is difficult to answer with certainty, but three distinct points can be made:
  • 71. 1) Regardless of ethical considerations, risking disaster by launching under unsafe conditions simply would have been a bad gamble. Imagine a NASA manager weighing the costs and benefits of risking the flight crew’s lives to make the launch schedule. His calculation of the costs would include the probability of detection of his misconduct, if something went wrong. But this situation was not analogous to a dishonest manufacturer’s substituting a lower-quality component in an automobile with over 20,000 components; the probability of detection might be low. But if something went wrong with a launch, the probability of detection was 100%. The manager’s career would be finished, and he might face criminal charges. Adding this cost to the cost—in moral terms—of the death of the crew and the cost of suspension of the entire program for many months or even years would give a total cost so large that any rational manager would have judged the risk to far outweigh the reward.
  • 72. 2) The context of Marshall manager Larry Mulloy’s remark, “My God, Thiokol, when do you want me to launch, next April?”, must be considered. In the words of Marshall’s Larry Wear, “Whether his choice of words was as precise or as good or as candid as perhaps he would have liked for them to have been, I don’t know. But it was certainly a good, valid point, because the vehicle was designed and intended to be launched year-round. There is nothing in the criteria that says this thing is limited to launching only on warm days. And that would be a serious change if you made it. It would have far reaching effects if that were the criteria, and it would have serious restriction on the whole shuttle program. So the question is certainly germane, you know, what are you trying to tell us, Thiokol? Are we limited to launching this thing only on selected days?
  • 73. … The briefing, per se, was addressing this one launch, 51-L. But if you accept that input for 51-L, it has ramifications and implications for the whole 200 mission model, and so the question was fair.” (quoted in Vaughan 1996, p. 311) 3) Even though the Presidential Commission’s report described at great length the pressure on NASA to maintain an ambitious launch schedule, the report did not identify any individual who ranked budgetary reasons above safety reasons in the decision to launch. Furthermore, “NASA’s most outspoken critics—Astronaut John Young, Morton Thiokol engineers Al McDonald and Roger Boisjoly, NASA Resource Analyst Richard Cook, and Presidential Commissioner Richard Feynman, who frequently aired their opinions to the media—did not accuse anyone of knowingly violating safety rules, risking lives on the night of January 27 and morning of January 28 to meet a schedule commitment. … Even Roger Boisjoly … had no ready answer on this point. [When
  • 74. asked] why Marshall managers would respond to production pressures by proceeding with a launch that had the potential to halt production altogether, he was stymied. Boisjoly thought for a while, then responded, ‘I don’t know.’ … The evidence that NASA management violated rules, launching the Challenger for the sake of the Shuttle Program’s continued economic viability was not very convincing. Hardy’s statement that ‘No one in their right mind would knowingly accept increased flight risk for a few hours of schedule’ rang true.” (Vaughan 1996, pp. 55-56) After the disaster, other charges appeared in the media. The President’s State of the Union address was scheduled for the evening of the 28th, and critics charged that the White House had intervened to insist that the launch occur before the address so that the President could refer to the launch—and perhaps even have a live communication connection with the astronauts during
  • 75. the address. Or perhaps the White House had intervened to ensure that Christa McAuliffe—a high-school teacher who had been included in the flight crew—would be able to conduct and broadcast her Teacher in Space lessons during the week, when children would be in school. If true, these charges would have indicated a clear ethical lapse on the part of NASA management, because they would have violated their duty to make public safety their primary concern. But extensive investigation by the Presidential Commission did not find evidence to support the charges. 8. Ethical issue: Did Thiokol knowingly take extra risks because of fear of losing its contract with NASA? Shortly before the Challenger launch, word came out that NASA was seeking a second source to supply the SRMs. NASA’s actions were taken not out of dissatisfaction with Thiokol’s performance but instead “resulted from lobbying by Thiokol’s competitors for a piece of NASA’s solid rocket market and from desires by Congress to ensure a steady supply of
  • 76. motors for the Shuttle’s military payloads.” (Dunar and Waring 1999, p. 369) Apparently the existence of a possible second supplier was interpreted by the Presidential Commission as a source of pressure on Thiokol management, with the result, the Commission concluded, that “Thiokol Management reversed its position and recommended the launch of 51-L, at the urging of Marshall and contrary to the views of its engineers in order to accommodate a major customer.” (Report to the President 1986, vol. 1, p. 105) The major customer was of course NASA. On the other hand, however, regardless of the introduction of a second source, Thiokol was to supply NASA with hardware for two more purchases, one for a 60-flight program and another for a separate 90-flight program. Thus the threat posed by a second source was not immediate.
  • 77. Furthermore, in postaccident interviews, the people who had participated in the teleconference explicitly rejected the idea that Thiokol’s concern about a possible second-source contractor was a factor in launch decision-making. As Ben Powers of Marshall said, “I knew there was talk of a second source, but I wouldn’t have thought it would have made any difference, because they were our only contractor and we need shuttle motors, so, so what? We’ve got to get them from somewhere. And to get an alternate source you’d have to have somebody that has demonstrated and qualified. There is no one else that can produce that motor at this time. I don’t think that had anything to do with this at all. It was strictly dealing with the technical issues.” (quoted in Vaughan 1996, pp. 337-338) Finally, the same argument made in the last section about NASA’s risking disaster by launching under unsafe conditions being a bad gamble applies equally well to Thiokol. Robert Lund of Thiokol made the point succinctly: “as far as second source on this flight decision, gadzooks,
  • 78. you know, the last thing you would want to do is have a failure.” (quoted in Vaughan 1996, p. 338) 9. Ethical issue: Was the Principle of Informed Consent Violated? Scientists conducting an experiment involving human subjects are expected to obtain the “informed consent” of the subjects before the experiment begins. Informed consent refers to the condition that the subjects 1) agree freely and without coercion to participate in the experiment, and 2) have been provided all the information needed and in an understandable form to allow them to make a reasonable decision whether or not to participate in the experiment. Although not usually viewed that way, a Space Shuttle flight certainly has elements of an experiment involving human subjects, and thus the question arises, “Was the principle of informed consent followed in the case of the Challenger crew?” The first requirement, no coercion, was clearly met—to be a crew member was very prestigious, large numbers of people eagerly applied for the
  • 79. positions, and the persons chosen were lauded for their success in being selected. Crew members had back-ups (for use in case of illness, for example), so that had one crew member decided not to participate, he or she would not have been responsible for cancelling the launch for everyone, and so would not have been under pressure for that reason. The second requirement—that the crew had enough information to decide if they wanted to risk launch—does not appear to have been met. The issue is complicated by the fact, much discussed in the news media, that on the morning of the launch, the flight crew was informed of the ice on the launch pad but was not informed of the teleconference the evening before. But even if they had been told of the teleconference, it is difficult to see how they could have made a reasonable decision about launching. No member of the crew was a specialist in O-rings (Christa
  • 80. McAuliffe, the “Teacher in Space,” was not even an engineer or scientist but a high-school social studies teacher). What information could the crew have been given on launch day, or after the teleconference, that they could have possibly digested—in only a few hours—sufficiently to make a reasonable decision? Even if they had had the technical expertise, they also would have encountered the same ambiguities in the data (for example, seal failure at 75°F) and the “very weak engineering position” presented at the teleconference that led the NASA and Thiokol managers to dismiss the concern about the effect of low temperature on the seals. Given that NASA routinely held teleconferences before launch and these teleconferences contained vigorous questioning about whether it was safe to launch, what reason is there to think that the crew would have been able to discern that the January 27th teleconference raised an issue much more serious than had been raised in previous teleconferences? It simply seems that it was not possible to supply the “informed” half of the “informed
  • 81. consent” requirement, and to think otherwise appears to be a case of committing the retrospective fallacy. 10. Ethical issue: What role did whistle blowing have in the Challenger story? The term “whistle blowing” has been attributed to the practice of British policemen in the past who, upon observing someone committing a crime, would blow their whistles to attract the attention of other policemen and civilians in the area. Whistle blowing now has a more specific meaning, with legal ramifications. For example, the American Society of Civil Engineers (ASCE Guidelines for Professional Conduct for Civil Engineers 2008) states “‘Whistle blowing’ describes the action taken by an employee who notifies outside authorities that the employer is breaking a law, rule, or regulation or is otherwise posing a direct threat to the safety, health, or welfare of the public. Employees who ‘blow the whistle’ on their employers are afforded certain protections under U.S. law. If an
  • 82. employee is fired or otherwise retaliated against for whistle blowing, an attorney should be consulted to identify legal protections available to the employee. If it becomes necessary to blow the whistle, the employee must advise the appropriate regulatory agency or a law enforcement agency of the illegal act. Simply complaining to someone inside the company is not whistle blowing and leaves the employee without protection of whistle blower laws.” Note that “complaining to someone inside the company” is not, by this definition, whistle blowing. Thus Roger Boisjoly’s attempts before the disaster to get Thiokol management to take action on the O-ring problem, though courageous and admirable, do not constitute whistle blowing. If Boisjoly can be said to have been a whistle blower, it was because of his actions in the Presidential Commission’s investigation after the disaster. He repeatedly objected to Thiokol’s
  • 83. assertions about the cause of the disaster. He believed that managers at Thiokol and Marshall were trying to minimize the role that temperature played in the failure of the joint seals, and he presented his evidence to the Commission, without first consulting management, and even after managers had complained to him that his statements were harming the company. As time went on, he felt that management was increasingly ignoring him, isolating him from any significant role in the joint redesign work then underway, and generally creating a hostile work environment. In July, 1986, he took an extended sick leave from the company. (His colleagues, Arnie Thompson and Allan McDonald, who also had experienced management displeasure as the result of their testimony to the Commission, both continued working at Thiokol after the disaster.) In January, 1987, he sued the company for over $2 billion under the False Claims Act
  • 84. for selling defective hardware to NASA. He filed a second suit against the company for $18 million in personal damages—mental suffering and disability that prevented him from returning to productive work; he accused Thiokol of “criminal homicide” in causing the death of the flight crew. After deliberations lasting more than six months, a U.S. District judge dismissed both suits. McDonald commented in his book written many years later that Boisjoly felt he had been harmed by his whistle-blower role: “He told me he was blackballed in the industry by [Thiokol] management, and, indeed, was unsuccessful in finding an engineering job for over a year … He was mentally hurt by the Challenger accident and had a tough time making a living. [He] eventually became a relatively successful expert witness before retiring.” (McDonald 2009, pp. 554-555) It is not clear that Boisjoly’s difficulties in obtaining a new job were attributable to blackballing by Thiokol: word of his $2 billion lawsuit against his previous employer had appeared in the news media and would have tended to drive away other prospective employers.
  • 85. In 1988, Boisjoly received the Scientific Freedom and Responsibility Award from the American Association for the Advancement of Science, and the Citation of Honor Award from The Institute of Electrical and Electronics Engineers. 11. Who had the right to Thiokol documents relating to the Challenger disaster? According to newspaper reports, “When Boisjoly left Morton Thiokol, he took 14 boxes of every note and paper he received or sent in seven years.” (“Chapman receives papers from Challenger disaster”, 2010) The National Society of Professional Engineers “Code of Ethics for Engineers” states that “Engineers' designs, data, records, and notes referring exclusively to an employer's work are the employer's property.” (NSPE Code of Ethics for Engineers. 2007) Thus if Boisjoly did not get permission from Thiokol to take the papers, he violated the Code of Ethics. The newspaper reports do not say whether or not he got permission; thus no conclusions can be drawn.
  • 86. 12. Why are some engineering disasters considered ethical issues and others are not? The Challenger disaster triggered a tremendous outpouring of activity designed to find the causes of the disaster and to identify the responsible decision makers. A Presidential commission was established. The commission’s report was widely disseminated and analyzed. Congressional hearings were held. Dozens of books and thousands of newspaper, magazine, and scholarly articles were written about the disaster. Thousands of television and radio interviews and discussions took place. Thousands of engineering, business, and philosophy students studied the Challenger disaster in ethics courses. All this attention was the result of a series of engineering decisions that led to the death of seven people. Compare the attention given to Challenger to the lack of attention given to another series of engineering decisions that led to the death of many people. In response to the 1973 oil embargo by OPEC countries, Congress in 1975 passed into law the Corporate Average Fuel Economy
  • 87. (CAFE) standards. The purpose of the standards was to force automobile manufacturers to improve the average fuel mileage of autos and light trucks sold in the United States. The standards did not specify how the improved fuel mileage was to be achieved; that decision was left to the manufacturers and, of course, to their engineers. The engineers saw that the only way to meet the CAFE standards by the required deadlines was to reduce the weight of the vehicles. All other things being equal, however, small cars provide significantly less protection against injury in a collision than large cars. As a result, the CAFE standards led to more consequences than just an improvement in fuel mileage, as described in the findings of a report by a National Research Council panel: “Finding 2. Past improvements in the overall fuel economy of the nation’s light-duty
  • 88. vehicle fleet have entailed very real, albeit indirect, costs. In particular, all but two members of the [13-member] committee concluded that the downweighting and downsizing that occurred in the late 1970s and early 1980s, some of which was due to CAFE standards, probably resulted in an additional 1,300 to 2,600 traffic fatalities in 1993.” (Effectiveness and Impact of Corporate Average Fuel Economy (CAFE) Standards 2002) Assuming that the “1,300 to 2,600” fatalities in 1993 were representative of the number of fatalities that have occurred every year since the CAFE standards first went into effect, we can estimate that thousands of innocent people have died as a result of a policy set by the government and implemented through design changes by engineers in the automobile industry. Small cars are now safer than they were in the 1970s and 1980s, thanks to the work of automotive engineers. Just how much safer is a matter of some debate, but independent of that debate, the question
  • 89. remains why those design improvements weren’t done earlier—as soon as the increase in deaths associated with small cars was noted in the late 1970s. So the question arises, “Why has the Challenger disaster (seven deaths) been considered by many people as an example of an ethical violation by irresponsible engineers and managers while the CAFE standards disaster (thousands of deaths) has not?” To answer that question, consider the contrasting characteristics of the Challenger and CAFE standards deaths: The Challenger deaths involved people already known to the public (through media coverage before the flight); their deaths occurred simultaneously, in one specific location, in front of millions of television viewers and were covered by many reporters; the cause of the deaths could be clearly traced to a particular piece of hardware; and government officials were able to launch a vigorous public investigation because they were unlikely to be blamed for a poor policy decision—that is, the investigation was unlikely to lead to
  • 90. blaming the legislation that the government officials had passed. The CAFE deaths involved the deaths of people not known to the public; their deaths occurred in many different locations and were spread over many years; no television coverage was present; the link between the standards (and resulting light-weight vulnerable autos) and the deaths was not easily traceable to a particular piece of hardware or design decision; and government officials had a strong interest in not linking the deaths to the CAFE standards, because then government officials might receive some of the blame for the deaths. These considerations suggest that the public’s perception plays a role in determining the ethical status of at least some kinds of engineering decisions. Those decisions sharing the
  • 91. characteristics of Challenger described above are subject to ethical scrutiny; those decisions sharing the CAFE characteristics are excused from widespread scrutiny. Many of the Challenger engineers reported personally agonizing over their role in the deaths of seven astronauts. On the other hand, if large numbers of automotive engineers have agonized over the deaths of thousands of drivers of small cars, they have not expressed it publicly. In fact, most automotive engineers would probably be offended were you to suggest that they bear any ethical responsibility for designing cars in which people are more likely to be killed or injured. Their response would probably be something such as, “We design the cars according to government requirements; the public knowingly assumes the risk of driving them.” To judge from the limited public controversy (limited compared to the intense publicity accompanying the Challenger disaster) surrounding the CAFE standards deaths, a large majority of the public appears to agree. Note: A large body of social-science literature exists that
  • 92. describes how people’s perception of a risk is often wildly different than the actual risk. The discussion above, however, refers to people’s perception of blame, not risk. 13. Summary A central message of this course is that ethical judgments have to wait until the facts have been examined—and the retrospective fallacy and the myth of perfect engineering practice have to be avoided when choosing which facts to examine and how to interpret them. After describing the facts in the Challenger story—both hardware issues and personal behaviors—we then considered various ethical issues: 1) Did NASA engineers violate their duty to put public safety above concerns about maintaining the launch schedule? 2) Did Thiokol engineers violate their duty to put public safety above concerns about losing a contract with NASA? 3) Was the principle of informed consent violated? 4) What was the role of whistle blowing and related possible discriminatory treatment of the whistle blowers? 5) Did a Thiokol engineer violate his duty to
  • 93. treat records—referring exclusively to his work—as company property? 6) What are the characteristics that determine whether or not the public perceives an engineering decision to involve an ethical violation? Answering these questions is difficult; this course has tried to show, by means of the Challenger case study, that sometimes the more you learn about the background of an engineering disaster, the more difficult it becomes to accept simple, one-cause explanations of what happened and to assert that the decision makers acted unethically.
    Glossary
    Challenger 51-L: NASA designation for the Challenger Space Shuttle
    Presidential Commission: In February, 1986, President Reagan appointed a commission to investigate the causes of the disaster. William P. Rogers, a former Attorney General, served as the Chair, and the commission is also known as the Rogers Commission.
  • 94. Kennedy: The Shuttle was launched from the Kennedy Space Center in Cape Canaveral, Florida.
    Thiokol: Morton Thiokol Inc. (MTI) was the contractor for the development of the Solid Rocket Booster.
    Marshall (MSFC): The Marshall Space Flight Center in Huntsville, Alabama, had oversight responsibility for Thiokol’s work on the booster.
    SRB: Solid rocket booster
    SRM: Solid rocket motor (part of the SRB)
  • 95. References
    “ASCE Guidelines for Professional Conduct for Civil Engineers.” (2008). <http://www.asce.org/uploadedFiles/Ethics_-_New/ethics_guidelines010308v2.pdf> (Dec. 14, 2010).
    Effectiveness and Impact of Corporate Average Fuel Economy (CAFE) Standards. (2002). Committee on the Effectiveness and Impact of Corporate Average Fuel Economy (CAFE) Standards. National Academy Press, Washington, D.C.
    Dunar, Andrew J. and Waring, Stephen P., Power To Explore -- History of Marshall Space Flight Center 1960-1990. (1999). Washington, D.C.: Government Printing Office.
    Exploring the Unknown. Selected Documents in the History of the U.S. Civil Space Program. Vol. IV: Accessing Space. (1999). Edited by John M. Logsdon with Ray A. Williamson, Roger D. Launius, Russell J. Acker, Stephen J. Garber, and Jonathan L. Friedman. NASA SP-4407, NASA History Division, Office of Policy and Plans, Washington, D.C.
  • 96. McDonald, Allan J. (2009). Truth, Lies, and O-Rings. Gainesville, FL: University Press of Florida.
    NASA’s Response to the Committee’s Investigation of the “Challenger” Accident. Hearing conducted by the House of Representatives Committee on Science, Space, and Technology, February 26, 1987.
    “NSPE Code of Ethics for Engineers.” (2007). <http://www.nspe.org/ethics/codeofethics/index.html> (Dec. 14, 2010).
    “Chapman receives papers from Challenger disaster.” (2010). Orange County Register. <http://www.ocregister.com/news/boisjoly-248703-boyd-chapman.html?plckFindCommentKey=CommentKey:a00a912b-593e-4236-aa06-d85e9d68d755> (Dec. 14, 2010).
  • 97. Report to the President by the Presidential Commission on the Space Shuttle Challenger Accident (1986). Washington, D.C.: Government Printing Office.
    Vaughan, Diane. (1996). The Challenger Launch Decision. Chicago: University of Chicago Press.
    Code of Ethics for Engineers
    4. Engineers shall act for each employer or client as faithful agents or
  • 98. trustees.
        a. Engineers shall disclose all known or potential conflicts of interest that could influence or appear to influence their judgment or the quality of their services.
        b. Engineers shall not accept compensation, financial or otherwise, from more than one party for services on the same project, or for services pertaining to the same project, unless the circumstances are fully disclosed and agreed to by all interested parties.
        c. Engineers shall not solicit or accept financial or other valuable consideration, directly or indirectly, from outside agents in connection with the work for which they are responsible.
        d. Engineers in public service as members, advisors, or employees of a governmental or quasi-governmental body or department shall not participate in decisions with respect to services solicited or provided by them or their organizations in private or public engineering practice.
        e. Engineers shall not solicit or accept a contract from a governmental body on which a principal or officer of their organization serves as a member.
    5. Engineers shall avoid deceptive acts.
        a. Engineers shall not falsify their qualifications or permit
  • 99. misrepresentation of their or their associates’ qualifications. They shall not misrepresent or exaggerate their responsibility in or for the subject matter of prior assignments. Brochures or other presentations incident to the solicitation of employment shall not misrepresent pertinent facts concerning employers, employees, associates, joint venturers, or past accomplishments.
        b. Engineers shall not offer, give, solicit, or receive, either directly or indirectly, any contribution to influence the award of a contract by public authority, or which may be reasonably construed by the public as having the effect or intent of influencing the awarding of a contract. They shall not offer any gift or other valuable consideration in order to secure work. They shall not pay a commission, percentage, or brokerage fee in order to secure work, except to a bona fide employee or bona fide established commercial or marketing agencies retained by them.
    III. Professional Obligations
    1. Engineers shall be guided in all their relations by the highest standards of honesty and integrity.
        a. Engineers shall acknowledge their errors and shall not distort or alter the facts.
  • 100. b. Engineers shall advise their clients or employers when they believe a project will not be successful.
        c. Engineers shall not accept outside employment to the detriment of their regular work or interest. Before accepting any outside engineering employment, they will notify their employers.
        d. Engineers shall not attempt to attract an engineer from another employer by false or misleading pretenses.
        e. Engineers shall not promote their own interest at the expense of the dignity and integrity of the profession.
    2. Engineers shall at all times strive to serve the public interest.
        a. Engineers are encouraged to participate in civic affairs; career guidance for youths; and work for the advancement of the safety, health, and well-being of their community.
        b. Engineers shall not complete, sign, or seal plans and/or specifications that are not in conformity with applicable engineering standards. If the client or employer insists on such unprofessional conduct, they shall notify the proper authorities and withdraw from further service on the project.
        c. Engineers are encouraged to extend public knowledge and
  • 101. appreciation of engineering and its achievements.
        d. Engineers are encouraged to adhere to the principles of sustainable development in order to protect the environment for future generations.
    Preamble
    Engineering is an important and learned profession. As members of this profession, engineers are expected to exhibit the highest standards of honesty and integrity. Engineering has a direct and vital impact on the quality of life for all people. Accordingly, the services provided by engineers require honesty, impartiality, fairness, and equity, and must be dedicated to the protection of the public health, safety, and welfare. Engineers must perform under a standard of professional behavior that requires adherence to the highest principles of ethical conduct.
    I. Fundamental Canons
    Engineers, in the fulfillment of their professional duties, shall:
    1. Hold paramount the safety, health, and welfare of the public.
    2. Perform services only in areas of their competence.
    3. Issue public statements only in an objective and truthful manner.
    4. Act for each employer or client as faithful agents or trustees.
    5. Avoid deceptive acts.
    6. Conduct themselves honorably, responsibly, ethically, and