Failure Analysis

Fracture Mechanics

Failure as a Design Criterion

Structural Failures
:: Unforeseen Loads & Consequences

Human System Interaction Failures
:: Flawed Decision Making
- Challenger Space Shuttle
:: Flawed Safety Culture
- Chernobyl Nuclear Power Station

Failure of Design Management
:: Visionary Management Style
:: Inaccurate Assessment of Market Needs

See the web site for additional information on the relationship between human error and organisational failure and techniques for incident reporting.

Challenger was the second orbiter to become operational at Cape Canaveral, and was named after the British naval research vessel that sailed the Atlantic and Pacific oceans in the 1870s. Challenger joined the fleet of re-usable winged spaceships in July 1982. It flew 9 successful space shuttle missions. On January 28 1986, the Challenger and its 7-member crew were lost 73 seconds after launch when a booster seal failure resulted in break-up of the vehicle.

The launch took place on a cold January morning at 11h38 with a ground temperature of 36° F (2° C). Some 73 s into the flight, whilst travelling at Mach 1.92 at an altitude of 46 000 feet, the Challenger was enveloped in a massive, almost explosive burn of liquid hydrogen and liquid oxygen. The Challenger’s reaction control system ruptured and hypergolic burn of its propellants occurred as the system exited the oxygen-hydrogen flames (giving a reddish-brown tinge at the edge of the main fireball). The orbiter, under severe aerodynamic loads, broke into several large pieces including the main engine/tail section with engines still burning, one wing of the orbiter, and the forward fuselage. These plunged into the sea off Cape Canaveral.

Examination of film footage indicated that a puff of grey smoke spurted from the aft field joint on the right solid fuel rocket booster at 0.678 s into the flight. This area of the booster faced the external fuel tank. The vapourised material streaming from the joint indicates an incomplete seal by the O-ring. Subsequent black puffs of smoke indicated that the O-ring was being eroded by the 5 800° F gases. At 58.788 s a small steady flame was apparent from this joint.

Structural and aerodynamic factors directed the rapidly increasing flame plume onto the surface of the external fuel tank. This was breached at 64.660 s, and at 73.124 s structural failure of the hydrogen tank commenced, which led to the entire aft dome dropping away. This created an upward thrust of 2.8 million lbf, pushing the hydrogen tank into the intertank structure. At the same time, the rotating right solid rocket booster impacted the intertank structure and the lower part of the liquid oxygen tank. These structures failed at 73.137 s and the explosion occurred milliseconds later.

The crew cabin section was located and retrieved with other pieces of wreckage.

A Presidential Commission on the Space Shuttle Accident was created by Executive Order 12 546 of February 3 1986. The Commission was chaired by William P Rogers and produced its report in June 1986.


The causes of the accident fall into two categories: engineering problems related to the design of the joint seal in the solid rocket booster, and flawed decision-making procedures related to the launch of the shuttle.

Engineering Factors:

The 2 re-usable solid rocket boosters are designed to put the shuttle into orbit around the earth. They are each 45.4 m high and 3.7 m in diameter and weigh 589 670 kg. They are manufactured in 4 segments filled with solid propellant (a mixture of aluminium powder, ammonium perchlorate and iron oxide catalyst, held together with a polymer binder). The orbiter is steered in initial stages of its flight by the aft booster nozzles and the main orbiter engines.

At burnout, the boosters are separated from the orbiter by explosive devices and moved away from the shuttle by separator motors. Parachutes and homing devices are contained in the forward booster section. Each booster produces about 3.1 million lbf of thrust in the first few seconds after launch, which gradually declines over the rest of the 2 minute burn. Total thrust on the orbiter is 7.3 million lbf at lift-off.

The solid rocket motor joints are shown in the figure. Pink is the tang, which fits into the clevis, coloured orange. 177 steel pins (yellow) secure the joint. Each joint contains 2 O-ring seals, which are 37 foot circles of special rubber. The loss of the Challenger was due to failure of these O-ring pressure seals in the right booster aft joint. This was a result of faulty design, which was known to be unacceptably sensitive to a number of factors:
  1. Reaction of the joint to load - the gap between tang and clevis opens up by around 0.017-0.029 inches under the pressures generated by ignition and combustion, and associated vehicle motions in flight. This occurs during the first 0.600 s of the flight. If the O-ring cannot follow this opening, gas leakage could occur, causing erosion of the O-ring.
  2. Low temperature – the O-ring deformation response is 5 times quicker at 75° F than at 30° F. This is important, as noted above. The lift-off temperature was 15° F lower than the previous lowest launch temperature. (Of 21 previous launches with ambient temperatures of 61° F or greater, only 4 showed signs of O-ring distress. Each of the launches below 61° F resulted in one or more O-rings showing signs of thermal distress.)
  3. Physical dimensions (out-of-roundness) – certain parts of the O-ring were more tightly compressed than others and a longer time is required to recover the uncompressed dimensions.
  4. Effects of re-usability of the boosters - previous use had grown the segment diameters, resulting in lower tang-to-clevis gaps of between 0.004-0.008 inches, leading to greater compression of the O-rings in their grooves, and contact of the ring on all three walls of the groove. For the O-ring sealing to work effectively, gas pressure is required on the high-pressure side of the O-ring. This requires a gap to exist between the O-ring and the upstream wall of its groove. Additionally, out-of-roundness existed in the segments.
Ideally, motor pressure should be applied to actuate the O-ring seal prior to significant opening of the tang-to-clevis gap (i.e. within 100-200 milliseconds). Experimental evidence indicated that temperature, humidity and other variables in the putty compound used to insulate and seal the joint can delay pressure application by up to 500 milliseconds or more. This delay could be a factor in initial joint failure.

There was a possibility of water in the clevis of the joints due to previous rainfall. If this water froze in the joint, tests showed that it would inhibit secondary seal performance.

The shuttle experienced wind conditions in the period 32 s to 62 s into the flight which were typical of the most severe values experienced on previous missions, and would affect the joint gap during flight, at a stage when it was already leaking.

Human Factors:

Most of the above engineering factors were known to the Morton-Thiokol engineers and to NASA staff, prior to the launch. The decision to launch was based on a flawed ‘decision support system’ which was aggravated by mismanagement of related information. However, there were a number of contributory factors which created an environment leading to the failure:
  1. The process of ‘selling’ the concept of a re-usable space transportation system to the American public and its political system started in the late 1960s, following the successful Apollo mission. The space shuttle was approved as a method for operating in space without a firm definition of what its goals would be (unlike previous NASA programmes). Support for the project, both politically and economically, was not very strong.
  2. To gain support, it was sold as a project with a ‘quick payoff’. Additional support was gained by offering the shuttle programme to the military, and to industry as a tool to open up new commercial opportunity. Magazines displayed the shuttle to the public as an ‘American Voyage’ with great scientific gain. Globally, the shuttle was sold as a partnership with the European Space Agency.
  3. This process of developing economic, political and social support for the shuttle introduced a factor that has been termed ‘heterogeneous engineering’, i.e. shuttle engineering and management decisions were made to meet the needs of organisational, political and economic factors, as opposed to a single mission profile with specific objectives.
  4. Once functional, the shuttle became exposed to operational demands from a multitude of users as NASA endeavoured to live up to its promises. Coordinating the needs of political, commercial, military, international and scientific communities placed immense pressures on the shuttle management team.
    • Political pressure to provide a reliable reusable space vehicle with rapid turn-around time and deployment seriously hindered the ability for effective systems integration and development.
    • It was not feasible to construct any complete management support systems that could integrate all of the factors associated with such a diverse group in the operational environment.
    • The push of the Reagan administration to declare the shuttle ‘operational’ before the ‘developmental’ stage was completed created uncertainty and low NASA employee morale.
  5. Congress expected the shuttle programme to be financially self-supporting. This forced NASA to operate on a pseudo-commercial basis.
These factors created an environment in NASA preceding the Challenger launch which was one of conflict, territorial battles, stress and short cuts. Additionally, the previous 24 successful shuttle missions had created a false sense of security in NASA officials. There was thus no formal ‘decision support system’ for shuttle operations prior to the Challenger launch. Characteristics of decision making were short cuts, compromise, operational expediency, and complacency. This complacency meant that NASA managers looked for evidence to support mission success rather than evidence indicating possible mission failure. The effect of these factors is indicated clearly in the decision to launch.
  • A ‘group decision support system’ (GDSS) did exist between NASA and associated developers like Morton-Thiokol (solid rocket boosters). On the evening of January 27 1986, Thiokol engineers provided information to NASA regarding concerns that the abnormally cold conditions would affect O-ring sealing performance. The mission had already been cancelled due to weather and NASA did not want another such cancellation.
  • Both parties were aware that the seals needed upgrading but did not think this was critical (see reference 7). Information provided by the GDSS showed that the O-rings would perform under the launch conditions, but Thiokol engineers were questioning their own data and testing. Thus NASA was being informed that their GDSS had a flawed database.
  • At this point, NASA requested a definitive recommendation from Thiokol as to whether to launch the shuttle. Thiokol representatives recommended not to launch until the ambient air temperature was 53° F, based on discussion centred around the engineering issue "Would the seals even actuate and seal due to changing of response time characteristics?". This temperature was not expected to be reached in Florida for several days. NASA responded with pressure on Thiokol to change their decision. NASA’s Level III Manager, Lawrence Mulloy, asked ‘My God, Thiokol, when do you want me to launch, next April?’. He asked George Hardy (NASA) for a launch decision. This manager responded that he was ‘appalled at Thiokol’s recommendation but would not launch over the contractor’s objection’. Mulloy spent some time presenting his views that the data presented by Thiokol on the seal problem was ‘inconclusive’.
  • Thiokol representatives requested 5 minutes offline from the GDSS. During this discussion, management representatives had a closed discussion [7], and engineering representatives were excluded from the vote to launch. This unethical decision caucus resulted from intense customer pressure and a management desire to gain kudos for a continuing relationship with NASA.
  • NASA immediately accepted this decision with no probing questions, as it accorded with their desires.
The GDSS decision making had the following failures:
  • The seal ring database was known to be flawed. Ideas, suggestions and objections were solicited, but not anonymously. Individuals who departed from ‘accepted wisdom’ were flagged as unwelcome members of the GDSS.
  • An agenda was never defined, hence NASA were surprised by the Thiokol O-ring presentation and ‘appalled’ by their decision not to launch.
  • Conflict management was avoided by NASA’s domination of the meeting, and hence conflict was not satisfactorily resolved.
  • The GDSS setting was inappropriate for such an important decision. A face-to-face meeting would have allowed visual signals to play a role and the unhappiness of the Thiokol engineering representatives would have been apparent.
  • Thiokol should not have requested a 5 minute disconnection from the GDSS. This allowed other internal pressures to dominate their (undemocratic) decision.
  • The GDSS put safety last and operational goals first. Note that shuttle crew were not represented at the meeting, although they had the most to lose.
Design Failures:
  1. The design of the solid booster joint was insufficiently robust to cope with the effects of re-usability, low temperature O-ring compression response, and movement during acceleration and wing turbulence.
  2. Lack of a safety culture which would put crew safety ahead of operational goals.
  3. A flawed ‘group decision support system’.

