Space Shuttles Challenger and Columbia Accidents
The losses of the space shuttles Challenger in 1986 and Columbia in 2003 dramatically illustrated the risks involved in the human exploration of space, and provide starkly instructive case studies in the ethics of science and technology.
A central mission of the National Aeronautics and Space Administration (NASA) is human exploration of space. Given this legitimate political commitment to human space exploration, the space shuttle program is ethically and politically acceptable insofar as the agency in charge, NASA, promotes careful and honest examination of the human risks and, in reaching the compromises unavoidable in balancing safety against performance, involves those most subject to the risks and those making the political commitment.
The careful, honest examination of risk cannot be done once; it must continue as flight experience accumulates. In balancing safety and performance the shuttle's design both represents NASA's understanding of the system and predicts that the shuttle's flight will safely meet performance requirements. To count as a success, a shuttle flight must perform as the design predicts, not merely return "safely" to Earth. As long as flight does not conform to design, that is, has "anomalies," the design remains provisional; it is not fully understood; and the system is "developmental" not "operational." Both disasters revealed that NASA truncated the examination of risk by deeming the shuttle "operational"; by treating as "successful" flights that did not perform as predicted; and by "accepting" risks inherent in anomalous performance. Continuing instances of anomalies signaled the existence of inexplicable risks, which, accepted, culminated in the disasters.
Shuttle History and Design
After Apollo NASA needed a large program to justify its size and budget. It ambitiously planned a shuttle, a space station, and planetary exploration, but budgetary constraints limited the post-Apollo program to the space shuttle. To secure approval of the shuttle, NASA promised to launch all U.S. payloads. Also the reusable orbiter was presented as a means of long-run cost savings: With regularly scheduled, once-per-week operational launches promised by the mid- to late 1980s, the shuttle was to pay for itself. To develop fifty shuttle payloads every year, however, would have required a space budget ten times as large as NASA's actual budget. There was clearly an unrealistic presentation of feasibility on the part of NASA and uncritical thinking on the part of the U.S. Congress. The promises remain a root cause of pressure to launch the shuttle on schedule.
As Figure 1 shows, the shuttle consists of two solid rocket boosters (SRBs) to provide major thrust at launch, an external tank that carries fuel for the orbiter's main engines, and the orbiter, which carries the crew, payload, and main engines. The burnt-out SRB casings drop into the ocean where they are retrieved and later reused. The orbiter returns to Earth for servicing and reuse. The external tank is taken nearly to orbit before separation from the orbiter, and burns up on reentry. The official investigative reports, cited below, describe the shuttle, normal operations, and each disaster.
Shuttle development presented many design problems. One of the most challenging was a "thermal protection system" to protect the orbiter from the heat of reentry, when temperatures may exceed 5,000 degrees Fahrenheit. Another was providing a reliable seal between SRB segments.
Disasters Compared
The two disasters were very different superficially. The Challenger disaster occurred in the first moments of launch on an unusually cold January 28, 1986. Because of the cold weather, an O-ring seal between SRB segments leaked hot combustion gas, which quickly triggered the explosion that destroyed the vehicle. The dynamics of launch cause the joints between SRB segments to flex, and to prevent leaks the O-rings must be resilient enough to "follow" this flexure and maintain their seal. The cold O-rings were too stiff to follow the joint flexure.
The Columbia disaster culminated during reentry on February 1, 2003, after completion of the mission's on-orbit tasks. During launch the external tank had shed a large piece of foam insulation, which struck the orbiter's left wing, damaging its thermal protection system. Because of this unknown damage to the wing during launch, the heat of reentry destroyed the wing, leading to the breakup of the orbiter.
Similarities between the cases in three areas—no-return decisions, misunderstood anomalies, and overridden concerns from engineers—reveal the common ethical issues.
NO-RETURN DECISIONS. In both cases an explicit no-return decision left no chance to avoid disaster: For Challenger this occurred at launch—specifically, the ignition of the SRBs. For Columbia this came at initiation of reentry—the firing of the retro-rockets. Between the identification of an anomaly and this no-return decision there was time to have averted the disaster.
Regarding Challenger, the danger of a cold launch was suspected from heat damage to SRB seals—anomalies—in previous flights over several years. But the analysis of trends of seal damage as related to temperature omitted flights suffering no seal damage, all of which occurred at warm temperatures. This omission obscured the relationship of damage to temperature. If the many no-damage, warm launches had been considered, the significance of the few high-damage, cold launches would have emerged and convinced engineers that cold launches were unsafe (Vaughan 1996).
With respect to Columbia, occurrences of shedding of foam—anomalies—were known even before the Challenger accident. Foam strikes were "accepted" because efforts to prevent foam shedding were unsuccessful but flights were "successful." If NASA can fix the shedding problem during the halt in shuttle flights that followed the Columbia accident, it could equally have done so during the similar halt after Challenger. This would have caused minimal (if any) delay and would have prevented the second disaster.
MISUNDERSTOOD ANOMALIES. The root cause of both disasters was misunderstanding anomalies. The 2003 Columbia disaster report quotes the 1986 Challenger report to show that the causes were identical. In effect, anomalies in performance—if followed by a successful landing—were considered evidence of safety instead of what they really were, evidence that the shuttle did not perform as designed. Thus safely landing after foam shedding or seal erosion reinforced the conviction of safety. This "normalization of deviance" violates the trust given NASA to accomplish human spaceflight safely (Vaughan 1996).
OVERRIDDEN CONCERNS FROM ENGINEERS. In both cases working-level engineers most familiar with the relevant systems expressed timely concerns that could have averted the disaster, and their concerns were overridden. Regarding Challenger, engineers at the SRB contractor wanted to postpone the launch for a few hours or for a day for warmer weather, and were heard by company management in last-minute "readiness-to-launch" reviews, but management overrode them after NASA officials expressed frustration and desire to launch. They were overridden in part because of the inadequate trend analysis mentioned above. Warmer conditions could have averted the disaster. Desire to launch prevailed. With respect to Columbia, because the impact seemed more significant than the many previous instances of foam striking the orbiter, NASA engineers reviewing launch videos were alarmed. They requested a damage assessment but were overridden by management without a hearing. Had management honored the request, the disaster might have been prevented—the crew rescued but the orbiter lost (CAIB 2003).
The engineers did not push their arguments because of fear for their careers. Deciding to launch a shuttle had changed from a process requiring agreement that the system is safe to launch, per the design, to a process assuming launch and requiring anyone asking for delay to prove it unsafe. As "accepted" risks, damage to seals and strikes by foam were no longer an issue. This acceptance meant that a major foam strike on a launch shortly before Columbia (on October 7, 2002) was not declared an anomaly (CAIB 2003). Consistent with NASA's 1982 declaration of the shuttle as "operational," insulation strikes and seal damage became normal, while raising questions about these issues became deviant. William Langewiesche (2003) shows the depth of NASA managers' belief that insulation striking the orbiter was not a risk; he shows that only seeing an experimental demonstration of damage to a mock wing could destroy their belief, and that the demonstration left them in shock. Raising questions about foam shedding to such managers would damage one's career.
A healthy organization provides an environment and information conducive to decisions that advance the organization's goals within ethical constraints. Clearly, pressure to launch biased decisions by overemphasizing the partial, short-term goal of launching on schedule, reified in a lack of substantive, ethical discussion preceding the fatal no-return decisions. Astronauts, those most at risk, were not represented in the discussions. As the official reports reveal, typical predecision discussions were formal and procedural and laden with acronyms, emphasized the need to launch, and lacked ethical substance.
RADFORD BYERLY, JR.
SEE ALSO Apollo Program; Engineering Ethics; National Aeronautics and Space Administration; Space Exploration.
BIBLIOGRAPHY
Langewiesche, William. (2003). "Columbia's Last Flight." Atlantic Monthly 292(4): 58–87. An accessible but rigorous analysis of the accident and NASA's reaction to it.
U.S. Columbia Accident Investigation Board (CAIB). (2003). Report of the Columbia Accident Investigation Board, Vol. 1. Arlington, VA: Author. The official report on Columbia; comprehensive.
U.S. House. Committee on Science and Technology. (1986). Investigation of the Challenger Accident. 99th Cong., 2nd sess. The congressional report on Challenger, essentially a supplement to the executive branch Challenger report immediately below.
U.S. Presidential Commission on the Space Shuttle Challenger Accident. (1986). Report of the Presidential Commission on the Space Shuttle Challenger Accident. 5 vols. Washington, DC: Author. Official executive branch report on Challenger; comprehensive.
Vaughan, Diane. (1996). The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA. Chicago: University of Chicago Press. How NASA's culture contributed to the accident.
INTERNET RESOURCES
U.S. Columbia Accident Investigation Board (CAIB). "The CAIB Report." Available from http://www.caib.us/news/report/.default.html.
U.S. Presidential Commission on the Space Shuttle Challenger Accident. "Report of the Presidential Commission on the Space Shuttle Challenger Accident." Available from http://history.nasa.gov/rogersrep/51lcover.htm.