CHARLES B. FLEDDERMANN University of New Mexico
Prentice Hall Upper Saddle River • Boston • Columbus • San Francisco • New York • Indianapolis
London • Toronto • Sydney • Singapore • Tokyo • Montreal • Dubai • Madrid Hong Kong • Mexico City • Munich • Paris • Amsterdam • Cape Town
Vice President and Editorial Director, ECS: Marcia J. Horton
Executive Editor: Holly Stark
Editorial Assistant: William Opaluch
Marketing Manager: Tim Galligan
Production Manager: Pat Brown
Art Director: Jayne Conte
Cover Designer: Black Horse Designs and Bruce Kenselaar
Full-Service Project Management/Composition: Vijayakumar Sekar, TexTech International Pvt Ltd
Printer/Binder: Edwards Brothers
Cover Printer: Lehigh-Phoenix
Credits and acknowledgments borrowed from other sources and reproduced, with permission, in this textbook appear on appropriate page within text.
Copyright © 2012, 2008 Pearson Education, Inc., publishing as Prentice Hall, 1 Lake Street, Upper Saddle River, NJ 07458.
Library of Congress Cataloging-in-Publication Data
Fleddermann, Charles B. (Charles Byrns), 1956– Engineering ethics / Charles B. Fleddermann. — 4th ed. p. cm. Includes bibliographical references and index. ISBN-13: 978-0-13-214521-3 (alk. paper) ISBN-10: 0-13-214521-9 (alk. paper) 1. Engineering ethics. I. Title. TA157.F525 2012 174′.962—dc23 2011023371
ABOUT THIS BOOK
1 Introduction
1.1 Background Ideas
1.2 Why Study Engineering Ethics?
1.3 Engineering Is Managing the Unknown
1.4 Personal vs. Professional Ethics
1.5 The Origins of Ethical Thought
1.6 Ethics and the Law
1.7 Ethics Problems Are Like Design Problems
1.8 Case Studies
Summary
References
Problems
2 Professionalism and Codes of Ethics
2.1 Introduction
2.2 Is Engineering a Profession?
2.3 Codes of Ethics
Key Terms
References
Problems
3 Understanding Ethical Problems
3.1 Introduction
3.2 A Brief History of Ethical Thought
3.3 Ethical Theories
3.4 Non-Western Ethical Thinking
Key Terms
References
Problems
4 Ethical Problem-Solving Techniques
4.1 Introduction
4.2 Analysis of Issues in Ethical Problems
4.3 Line Drawing
4.4 Flow Charting
4.5 Conflict Problems
4.6 An Application of Problem-Solving Methods: Bribery/Acceptance of Gifts
Key Terms
References
Problems
5 Risk, Safety, and Accidents
5.1 Introduction
5.2 Safety and Risk
5.3 Accidents
Key Terms
References
Problems
6 The Rights and Responsibilities of Engineers
6.1 Introduction
6.2 Professional Responsibilities
6.3 Professional Rights
6.4 Whistle-Blowing
Key Terms
References
Problems
7 Ethical Issues in Engineering Practice
7.1 Introduction
7.2 Environmental Ethics
7.3 Computer Ethics
7.4 Ethics and Research
Key Terms
References
Problems
8 Doing the Right Thing
References
Problems
APPENDIX A Codes of Ethics of Professional Engineering Societies
The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
National Society of Professional Engineers (NSPE)
American Society of Mechanical Engineers (ASME)
American Society of Civil Engineers (ASCE)
American Institute of Chemical Engineers (AICHE)
Japan Society of Civil Engineers
APPENDIX B Bibliography
General Books on Engineering Ethics
Journals with Articles on Engineering Ethics and Cases
Websites
About This Book
Engineering Ethics is an introductory textbook that explores many of the ethical issues that a practicing engineer might encounter in the course of his or her professional engineering practice. The book contains a discussion of ethical theories, develops several ethical problem-solving methods, and contains case studies based on real events that illustrate the problems faced by engineers. The case studies also show the effects that engineering decisions have on society.
WHAT’S NEW IN THIS EDITION
• A new section showing how ethical issues are viewed in non-Western societies including China, India, and the Middle East.
• A Code of Ethics from a professional engineering society outside the United States has been added.
• The issues brought up by competitive bidding by engineers are discussed.
• Case studies have been updated.
• Several new case studies including ones on the I-35W bridge collapse in Minneapolis, issues related to the recall of Toyota passenger cars, and the earthquake damage in Haiti have been added.
• Many new and updated problems have been added.
Chapter 1 Introduction
On August 10, 1978, a Ford Pinto was hit from behind on a highway in Indiana. The impact of the collision caused the Pinto’s fuel tank to rupture and burst into flames, leading to the deaths of three teenage girls riding in the car. This was not the first time that a Pinto had caught on fire as a result of a rear-end collision. In the seven years following the introduction of the Pinto, there had been some 50 lawsuits related to rear-end collisions. However, this time Ford was charged in a criminal court for the deaths of the passengers.
This case was a significant departure from the norm and had important implications for the Ford engineers and managers. A civil lawsuit could only result in Ford being required to pay damages to the victims’ estates. A criminal proceeding, on the other hand, would indicate that Ford was grossly negligent in the deaths of the passengers and could result in jail terms for the Ford engineers or managers who worked on the Pinto.
The case against Ford hinged on charges that it was known that the gas-tank design was flawed and was not in line with accepted engineering standards, even though it did meet applicable federal safety standards at the time. During the trial, it was determined that Ford engineers were aware of the dangers of this design, but management, concerned with getting the Pinto to market rapidly at a price competitive with subcompact cars already introduced or planned by other manufacturers, had constrained the engineers to use this design.
After reading this chapter, you will be able to
• Know why it is important to study engineering ethics
• Understand the distinction between professional and personal ethics
• See how ethical problem solving and engineering design are similar.
The dilemma faced by the design engineers who worked on the Pinto was to balance the safety of the people who would be riding in the car against the need to produce the Pinto at a price that would be competitive in the market. They had to attempt to balance their duty to the public against their duty to their employer. Ultimately, the attempt by Ford to save a few dollars in manufacturing costs led to the expenditure of millions of dollars in defending lawsuits and payments to victims. Of course, there were also uncountable costs in lost sales due to bad publicity and a public perception that Ford did not engineer its products to be safe.
1.1 BACKGROUND IDEAS
The Pinto case is just one example of the ethical problems faced by engineers in the course of their professional practice. Ethical cases can go far beyond issues of public safety and may involve bribery, fraud, environmental protection, fairness, honesty in research and testing, and conflicts of interest. During their undergraduate education, engineers receive training in basic and engineering sciences, problem-solving methodology, and engineering design, but generally receive little training in business practices, safety, and ethics.
This problem has been partially corrected, as many engineering education programs now have courses in what is called engineering ethics. Indeed, the Accreditation Board for Engineering and Technology (ABET), the body responsible for accrediting undergraduate engineering programs in the United States, has mandated that ethics topics be incorporated into undergraduate engineering curricula. The purpose of this book is to provide a text and a resource for the study of engineering ethics and to help future engineers be prepared for confronting and resolving ethical dilemmas, such as the design of an unsafe product like the Pinto, that they might encounter during their professional careers.
A good place to start a discussion of ethics in engineering is with definitions of ethics and engineering ethics. Ethics is the study of the characteristics of morals. Ethics also deals with the moral choices that are made by each person in his or her relationship with other persons. As engineers, we are concerned with ethics because these definitions apply to all of the choices an individual makes in life, including those made while practicing engineering.
For our purposes, the definition of ethics can be narrowed a little. Engineering ethics is the rules and standards governing the conduct of engineers in their role as professionals. Engineering ethics encompasses the more general definition of ethics, but applies it more specifically to situations involving engineers in their professional lives. Thus, engineering ethics is a body of philosophy indicating the ways that engineers should conduct themselves in their professional capacity.
1.2 WHY STUDY ENGINEERING ETHICS?
Why is it important for engineering students to study engineering ethics? Several notorious cases that have received a great deal of media attention in the past few years have led engineers to gain an increased sense of their professional responsibilities. These cases have led to an awareness of the importance of ethics within the engineering profession as engineers realize how their technical work has far-reaching impacts on society. The work of engineers can affect public health and safety and can influence business practices and even politics.
One result of this increase in awareness is that nearly every major corporation now has an ethics office that has the responsibility to ensure that employees have the ability to express their concerns about issues such as safety and corporate business practices in a way that will yield results and won’t result in retaliation against the employees. Ethics offices also try to foster an ethical culture that will help to head off ethical problems in a corporation before they start.
The goal of this book and courses in engineering ethics is to sensitize you to important ethical issues before you have to confront them. You will study important cases from the past so that you will know what situations other engineers have faced and will know what to do when similar situations arise in your professional career. Finally, you will learn techniques for analyzing and resolving ethical problems when they arise.
Our goal is frequently summed up using the term “moral autonomy.” Moral autonomy is the ability to think critically and independently about moral issues and to apply this moral thinking to situations that arise in the course of professional engineering practice. The goal of this book, then, is to foster the moral autonomy of future engineers.
The question asked at the beginning of this section can also be asked in a slightly different way. Why should a future engineer bother studying ethics at all? After all, at this point in your life, you’re already either a good person or a bad person. Good people already know the right thing to do, and bad people aren’t going to do the right thing no matter how much ethical training they receive. The answer to this question lies in the nature of the ethical problems that are often encountered by an engineer. In most situations, the correct response to an ethical problem is very obvious. For example, it is clear that to knowingly equip the Pinto with wheel lugs made from substandard, weak steel that is susceptible to breaking is unethical and wrong. This action could lead to the loss of a wheel while driving and could cause numerous accidents and put many lives at risk. Of course, such a design decision would also be a commercial disaster for Ford.
However, many times, the ethical problems encountered in engineering practice are very complex and involve conflicting ethical principles. For example, the engineers working on the Pinto were presented with a very clear dilemma. Trade-offs were made so that the Pinto could be successfully marketed at a reasonable price. One of these trade-offs involved the placement of the gas tank, which led to the accident in Indiana. So, for the Ford engineers and managers, the question became the following: Where does an engineering team strike the balance between safety and affordability and, simultaneously, between the ability of the company to sell the car and make a profit?
These are the types of situations that we will discuss in this book. The goal, then, is not to train you to do the right thing when the ethical choice is obvious and you already know the right thing to do. Rather, the goal is to train you to analyze complex problems and learn to resolve these problems in the most ethical manner.
1.3 ENGINEERING IS MANAGING THE UNKNOWN
One source of the ethical issues encountered in the course of engineering practice is a lack of knowledge. This is by no means an unusual situation in engineering. Engineers often encounter situations in which they don’t have all of the information that is needed. By its nature, engineering design is about creating new devices and products. When something is new, many questions need to be answered. How well does it work? How will it affect people? What changes will this lead to in society? How well will this work under all of the conditions that it will be exposed to? Is it safe? If there are some safety concerns, how bad are they? What are the effects of doing nothing? The answers to these questions are often only partly known.
So, to a large extent, an engineer’s job is to manage the unknown. How does an engineer accomplish this? Really, as an engineer you can never be absolutely certain that your design will never harm anyone or cause detrimental changes to society. But you must test your design as thoroughly as time and resources permit to ensure that it operates safely and as planned. Also, you must use your creativity to attempt to foresee the possible consequences of your work.
1.4 PERSONAL VS. PROFESSIONAL ETHICS
In discussing engineering ethics, it is important to make a distinction between personal ethics and professional, or business, ethics, although there isn’t always a clear boundary between the two. Personal ethics deals with how we treat others in our day-to-day lives. Many of these principles are applicable to ethical situations that occur in business and engineering. However, professional ethics often involves choices on an organizational level rather than a personal level. Many of the problems will seem different because they involve relationships between two corporations, between a corporation and the government, or between corporations and groups of individuals. Frequently, these types of relationships pose problems that are not encountered in personal ethics.
1.5 THE ORIGINS OF ETHICAL THOUGHT
Before proceeding, it is important to acknowledge in a general way the origins of the ethical philosophies that we will be discussing in this book. The Western ethical thought that is discussed here originated in the philosophy of the ancient Greeks and their predecessors. It has been developed through subsequent centuries by many thinkers in the Judeo–Christian tradition. Interestingly, non-Western cultures have independently developed similar ethical principles.
Although for many individuals, personal ethics are rooted in religious beliefs, this is not true for everyone. Certainly, there are many ethical people who are not religious, and there are numerous examples of people who appear to be religious but who are not ethical. So while the ethical principles that we will discuss come to us filtered through a religious tradition, these principles are now cultural norms in the West, and as such, they are widely accepted regardless of their origin. We won’t need to refer explicitly to religion in order to discuss ethics in the engineering profession.
1.6 ETHICS AND THE LAW
We should also mention the role of law in engineering ethics. The practice of engineering is governed by many laws on the international, federal, state, and local levels. Many of these laws are based on ethical principles, although many are purely of a practical, rather than a philosophical, nature.
There is also a distinction between what is legal and what is ethical. Many things that are legal could be considered unethical. For example, designing a process that releases a known toxic, but unregulated, substance into the environment is probably unethical, although it is legal.
Conversely, just because something is illegal doesn’t mean that it is unethical. For example, there might be substances that were once thought to be harmful, but have now been shown to be safe, that you wish to incorporate into a product. If the law has not caught up with the latest scientific findings, it might be illegal to release these substances into the environment, even though there is no ethical problem in doing so.
As an engineer, you are always minimally safe if you follow the requirements of the applicable laws. But in engineering ethics, we seek to go beyond the dictates of the law. Our interest is in areas where ethical principles conflict and there is no legal guidance for how to resolve the conflict.
1.7 ETHICS PROBLEMS ARE LIKE DESIGN PROBLEMS
At first, many engineering students find the types of problems and discussions that take place in an engineering ethics class a little alien. The problems are more open ended and are not as susceptible to formulaic answers as are problems typically assigned in other engineering classes. Ethics problems rarely have a correct answer that will be arrived at by everyone in the class. Surprisingly, however, the types of problem-solving techniques that we will use in this book and the nature of the answers that result bear a striking resemblance to the most fundamental engineering activity: engineering design.
The essence of engineering practice is the design of products, structures, and processes. The design problem is stated in terms of specifications: A device must be designed that meets criteria for performance, aesthetics, and price. Within the limits of these specifications, there are many correct solutions. There will, of course, be some solutions that are better than others in terms of higher performance or lower cost. Frequently, there will be two (or more) designs that are very different, yet perform identically. For example, competing automobile manufacturers may design a car to meet the same market niche, yet each manufacturer’s solution to the problem will be somewhat different. In fact, we will see later that although the Pinto was susceptible to explosion after rear-end impact, other similar subcompact automobiles were not. In engineering design, there is no unique correct answer!
Ethical problem solving shares these attributes with engineering design. Although there will be no unique correct solution to most of the problems we will examine, there will be a range of solutions that are clearly right, some of which are better than others. There will also be a range of solutions that are clearly wrong. There are other similarities between engineering ethics and engineering design. Both apply a large body of knowledge to the solution of a problem, and both involve the use of analytical skills. So, although the nature of the solutions to the problems in ethics will be different from those in most engineering classes, approaches to the problems and the ultimate solution will be very similar to those in engineering practice.
1.8 CASE STUDIES
Before starting to learn the theoretical ideas regarding engineering ethics and before looking at some interesting real-life cases that will illustrate these ideas, let’s begin by looking at a very well-known engineering ethics case: the space shuttle Challenger accident. This case is presented in depth at the end of this chapter, but at this point we will look at a brief synopsis of the case to further illustrate the types of ethical issues and questions that arise in the course of engineering practice.
Many readers are already familiar with some aspects of this case. The space shuttle Challenger was launched in extremely cold weather. During the launch, an O-ring on one of the solid-propellant boosters, made more brittle by the cold, failed. This failure led to an explosion soon after liftoff. Engineers who had designed this booster had concerns about launching under these cold conditions and recommended that the launch be delayed, but they were overruled by their management (some of whom were trained as engineers), who didn’t feel that there were enough data to support a delay in the launch. The shuttle was launched, resulting in the well-documented accident.
On the surface, there appear to be no engineering ethical issues here to discuss. Rather, it seems to simply be an accident. The engineers properly recommended that there be no launch, but they were overruled by management. In the strictest sense, this can be considered an accident—no one wanted the Challenger to explode—but there are still many interesting questions that should be asked. When there are safety concerns, what is the engineer’s responsibility before the launch decision is made? After the launch decision is made, but before the actual launch, what duty does the engineer have? If the decision doesn’t go the engineer’s way, should she complain to upper management? Or should she bring the problem to the attention of the press? After the accident has occurred, what are the duties and responsibilities of the engineers? If the launch were successful, but the postmortem showed that the O-ring had failed and an accident had very nearly occurred, what would be the engineer’s responsibility? Even if an engineer moves into management, should he separate engineering from management decisions?
These types of questions will be the subject of this book. As an engineer, you will need to be familiar with ideas about the nature of the engineering profession, ethical theories, and the application of these theories to situations that are likely to occur in professional practice. Looking at other real-life cases taken from newspaper accounts and books will help you examine what engineers should do when confronted with ethically troubling situations. Many cases will be postmortem examinations of disasters, while others may involve an analysis of situations in which disaster was averted when many of the individuals involved made ethically sound choices and cooperated to solve a problem.
A word of warning is necessary: The cliché “Hind-sight is 20/20” will seem very true in engineering ethics case studies. When studying a case several years after the fact and knowing the ultimate outcome, it is easy to see what the right decision should have been. Obviously, had the National Aeronautics and Space Administration (NASA) owned a crystal ball and been able to predict the future, the Challenger would never have been launched. Had Ford known the number of people who would be killed as a result of gas-tank failures in the Pinto and the subsequent financial losses in lawsuits and criminal cases, it would have found a better solution to the problem of gas-tank placement. However, we rarely have such clear predictive abilities and must base decisions on our best guess of what the outcome will be. It will be important in studying the cases presented here to try to look at them from the point of view of the individuals who were involved at the time, using their best judgment about how to proceed, and not to judge the cases solely based on the outcome.
THE SPACE SHUTTLE CHALLENGER AND COLUMBIA ACCIDENTS
The NASA Space Shuttle Disasters
The space shuttle is one of the most complex engineered systems ever built. The challenge of lifting a space vehicle from earth into orbit and having it safely return to earth presents many engineering problems. Not surprisingly, there have been several accidents in the U.S. space program since its inception, including two failures of the space shuttle. The disasters involving the space shuttles Challenger and Columbia illustrate many of the issues related to engineering ethics as shown in the following discussion. The space shuttle originally went into service in the early 1980s and is set to be retired sometime in 2011 or 2012.
The Space Shuttle Challenger Disaster
The explosion of the space shuttle Challenger is perhaps the most widely written about case in engineering ethics because of the extensive media coverage at the time of the accident and also because of the many available government reports and transcripts of congressional hearings regarding the explosion. The case illustrates many important ethical issues that engineers face: What is the proper role of the engineer when safety issues are a concern? Who should have the ultimate decision-making authority to order a launch? Should the ordering of a launch be an engineering or a managerial decision? This case has already been presented briefly, and we will now take a more in-depth look.
The space shuttle was designed to be a reusable launch vehicle. The vehicle consists of an orbiter, which looks much like a medium-sized airliner (minus the engines!), two solid-propellant boosters, and a single liquid-propellant booster. At takeoff, all of the boosters are ignited and lift the orbiter out of the earth’s atmosphere. The solid rocket boosters are only used early in the flight and are jettisoned soon after takeoff, parachute back to earth, and are recovered from the ocean. They are subsequently repacked with fuel and are reused. The liquid-propellant booster is used to finish lifting the shuttle into orbit, at which point the booster is jettisoned and burns up during reentry. The liquid booster is the only part of the shuttle vehicle that is not reusable. After completion of the mission, the orbiter uses its limited thrust capabilities to reenter the atmosphere and glides to a landing.
The accident on January 28, 1986, was blamed on a failure of one of the solid rocket boosters. Solid rocket boosters have the advantage that they deliver far more thrust per pound of fuel than do their liquid-fueled counterparts, but have the disadvantage that once the fuel is lit, there is no way to turn the booster off or even to control the amount of thrust produced. In contrast, a liquid-fuel rocket can be controlled by throttling the supply of fuel to the combustion chamber or can be shut off by stopping the flow of fuel entirely.
In 1974, NASA awarded the contract to design and build the solid rocket boosters for the shuttle to Morton Thiokol. The design that was submitted by Thiokol was a scaled-up version of the Titan missile, which had been used successfully for many years to launch satellites. This design was accepted by NASA in 1976. The solid rocket consists of several cylindrical pieces that are filled with solid propellant and stacked one on top of the other to form the completed booster. The assembly of the propellant-filled cylinders was performed at Thiokol’s plant in Utah. The cylinders were then shipped to the Kennedy Space Center in Florida for assembly into a completed booster.
A key aspect of the booster design is the joints where the individual cylinders come together, known as the field joints, illustrated schematically in Figure 1.1a. These are tang and clevis joints, fastened with 177 clevis pins. The joints are sealed by two O-rings, a primary and a secondary. The O-rings are designed to prevent hot gases from the combustion of the solid propellant from escaping. The O-rings are made from a type of synthetic rubber and so are not particularly heat resistant. To prevent the hot gases from damaging the O-rings, a heat-resistant putty is placed in the joint. The Titan booster had only one O-ring in the field joint. The second O-ring was added to the booster for the shuttle to provide an extra margin of safety since, unlike the Titan, this booster would be used for a manned spacecraft.
Early Problems with the Solid Rocket Boosters
Problems with the field-joint design had been recognized long before the launch of the Challenger. When the rocket is ignited, the internal pressure causes the booster wall to expand outward, putting pressure on the field joint. This pressure causes the joint to open slightly, a process called “joint rotation,” illustrated in Figure 1.1b. The joint was designed so that the internal pressure pushes on the putty, displacing the primary O-ring into this gap, helping to seal it. During testing of the boosters in 1977, Thiokol became aware that this joint-rotation problem was more severe than on the Titan and discussed it with NASA. Design changes were made, including an increase in the thickness of the O-ring, to try to control this problem.
Figure 1.1 (a) A schematic drawing of a tang and clevis joint like the one on the Challenger solid rocket boosters. (b) The same joint as in Figure 1.1a, but with the effects of joint rotation exaggerated. Note that the O-rings no longer seal the joint.
Further testing revealed problems with the secondary seal, and more changes were initiated to correct that problem. In November of 1981, after the second shuttle flight, a postlaunch examination of the booster field joints indicated that the O-rings were being eroded by hot gases during the launch. Although there was no failure of the joint, there was some concern about this situation, and Thiokol looked into the use of different types of putty and alternative methods for applying it to solve the problem. Despite these efforts, approximately half of the shuttle flights before the Challenger accident had experienced some degree of O-ring erosion. Of course, this type of testing and redesign is not unusual in engineering. Seldom do things work correctly the first time, and modifications to the original design are often required.
It should be pointed out that erosion of the O-rings is not necessarily a bad thing. Since the solid rocket boosters are only used for the first few minutes of the flight, it might be perfectly acceptable to design a joint in which O-rings erode in a controlled manner. As long as the O-rings don’t completely burn through before the solid boosters run out of fuel and are jettisoned, this design should be fine. However, this was not the way the space shuttle was designed, and O-ring erosion was one of the problems that the Thiokol engineers were addressing.
The first documented joint failure came after the launch on January 24, 1985, which occurred during very cold weather. The postflight examination of the boosters revealed black soot and grease on the outside of the booster, which indicated that hot gases from the booster had blown by the O-ring seals. This observation gave rise to concern about the resiliency of the O-ring materials at reduced temperatures. Thiokol performed tests of the ability of the O-rings to compress to fill the joints and found that they were inadequate. In July of 1985, Thiokol engineers redesigned the field joints without O-rings. Instead, they used steel billets, which should have been better able to withstand the hot gases. Unfortunately, the new design was not ready in time for the Challenger flight in early 1986 [Elliot et al., 1990].
The Political Climate
To fully understand and analyze the decision making that took place leading to the fatal launch, it is important also to discuss the political environment under which NASA was operating at that time. NASA’s budget was determined by Congress, which was becoming increasingly unhappy with delays in the shuttle project and shuttle performance. NASA had billed the shuttle as a reliable, inexpensive launch vehicle for a variety of scientific and commercial purposes, including the launching of commercial and military satellites. It had been promised that the shuttle would be capable of frequent flights (several per year) and quick turnarounds and would be competitively priced with more traditional nonreusable launch vehicles. NASA was feeling some urgency in the program because the European Space Agency was developing what seemed to be a cheaper alternative to the shuttle, which could potentially put the shuttle out of business.
These pressures led NASA to schedule a record number of missions for 1986 to prove to Congress that the program was on track. Launching a mission was especially important in January 1986, since the previous mission had been delayed numerous times by both weather and mechanical failures. NASA also felt pressure to get the Challenger launched on time so that the next shuttle launch, which was to carry a probe to examine Halley’s comet, would be launched before a Russian probe designed to do the same thing. There was additional political pressure to launch the Challenger before the upcoming state-of-the-union address, in which President Reagan hoped to mention the shuttle and a special astronaut—the first teacher in space, Christa McAuliffe—in the context of his comments on education.
The Days Before the Launch
Even before the accident, the Challenger launch didn’t go off without a hitch, as NASA had hoped. The first launch date had to be abandoned due to a cold front expected to move through the area. The front stalled, and the launch could have taken place on schedule. But the launch had already been postponed in deference to Vice President George Bush, who was to attend. NASA didn’t want to antagonize Bush, a strong NASA supporter, by postponing the launch due to inclement weather after he had arrived. The launch of the shuttle was further delayed by a defective microswitch in the hatch-locking mechanism. When this problem was resolved, the front had changed course and was now moving through the area. The front was expected to bring extremely cold weather to the launch site, with temperatures predicted to be in the low 20’s (°F) by the new launch time.
Given the expected cold temperatures, NASA checked with all of the shuttle contractors to determine if they foresaw any problems with launching the shuttle in cold temperatures. Alan McDonald, the director of Thiokol’s Solid Rocket Motor Project, was concerned about the cold weather problems that had been experienced with the solid rocket boosters. The evening before the rescheduled launch, a teleconference was arranged between engineers and management from the Kennedy Space Center, NASA’s Marshall Space Flight Center in Huntsville, Alabama, and Thiokol in Utah to discuss the possible effects of cold temperatures on the performance of the solid rocket boosters. During this teleconference, Roger Boisjoly and Arnie Thompson, two Thiokol engineers who had worked on the solid-propellant booster design, gave an hour-long presentation on how the cold weather would increase the problems of joint rotation and sealing of the joint by the O-rings.
The engineers’ point was that the lowest temperature at which the shuttle had previously been launched was 53°F, on January 24, 1985, when there was blow-by of the O-rings. The O-ring temperature at Challenger’s expected launch time the following morning was predicted to be 29°F, far below the temperature at which NASA had previous experience. After the engineers’ presentation, Bob Lund, the vice president for engineering at Morton Thiokol, presented his recommendations. He reasoned that since there had previously been severe O-ring erosion at 53°F and the launch would take place at significantly below this temperature where no data and no experience were available, NASA should delay the launch until the O-ring temperature could be at least 53°F. Interestingly, in the original design, it was specified that the booster should operate properly down to an outside temperature of 31°F.
Larry Mulloy, the Solid Rocket Booster Project manager at Marshall and a NASA employee, correctly pointed out that the data were inconclusive and disagreed with the Thiokol engineers. After some discussion, Mulloy asked Joe Kilminster, an engineering manager working on the project, for his opinion. Kilminster backed up the recommendation of his fellow engineers. Others from Marshall expressed their disagreement with the Thiokol engineers’ recommendation, which prompted Kilminster to ask to take the discussion off line for a few minutes. Boisjoly and other engineers reiterated to their management that the original decision not to launch was the correct one.
A key fact that ultimately swayed the decision was that in the available data, there seemed to be no correlation between temperature and the degree to which blow-by gases had eroded the O-rings in previous launches. Thus, it could be concluded that there was really no trend in the data indicating that a launch at the expected temperature would necessarily be unsafe. After much discussion, Jerald Mason, a senior manager with Thiokol, turned to Lund and said, “Take off your engineering hat and put on your management hat,” a phrase that has become famous in engineering ethics discussions. Lund reversed his previous decision and recommended that the launch proceed. The new recommendation included an indication that there was a safety concern due to the cold weather, but that the data were inconclusive and the launch was recommended. McDonald, who was in Florida, was surprised by this recommendation and attempted to convince NASA to delay the launch, but to no avail.
Contrary to the weather predictions, the overnight temperature was 8°F, colder than the shuttle had ever experienced before. In fact, there was a significant accumulation of ice on the launchpad from safety showers and fire hoses that had been left on to prevent the pipes from freezing. It has been estimated that the aft field joint of the right-hand booster was at 28°F.
NASA routinely documents as many aspects of launches as possible. One part of this monitoring is the extensive use of cameras focused on critical areas of the launch vehicle. One of these cameras, looking at the right booster, recorded puffs of smoke coming from the aft field joint immediately after the boosters were ignited. This smoke is thought to have been caused by the steel cylinder of this segment of the booster expanding outward and causing the field joint to rotate. But, due to the extremely cold temperature, the O-ring didn’t seat properly. The heat-resistant putty was also so cold that it didn’t protect the O-rings, and hot gases burned past both O-rings. It was later determined that this blow-by occurred over 70° of arc around the O-rings.
Very quickly, the field joint was sealed again by byproducts of the solid rocket-propellant combustion, which formed a glassy oxide on the joint. This oxide formation might have averted the disaster had it not been for a very strong wind shear that the shuttle encountered almost one minute into the flight. The oxides that were temporarily sealing the field joint were shattered by the stresses caused by the wind shear. The joint was now opened again, and hot gases escaped from the solid booster. Since the booster was attached to the large liquid-fuel booster, the flames from the solid-fuel booster blow-by quickly burned through the external tank. The liquid propellant was ignited and the shuttle exploded.
Table 1.1 Space Shuttle Challenger Accident: Who’s Who
NASA: The National Aeronautics and Space Administration, responsible for space exploration. The space shuttle is one of NASA’s programs
Marshall Space Flight Center: A NASA facility that was in charge of the solid rocket booster development for the shuttle
Morton Thiokol: A private company that won the contract from NASA for building the solid rocket boosters for the shuttle
People
Larry Mulloy: Solid Rocket Booster Project manager at Marshall
Roger Boisjoly, Arnie Johnson: Engineers who worked on the Solid Rocket Booster Development Program
Joe Kilminster: Engineering manager on the Solid Rocket Booster Development Program
Alan McDonald: Director of the Solid Rocket Booster Project
Bob Lund: Vice president for engineering
Jerald Mason: General manager
As a result of the explosion, the shuttle program was grounded as a thorough review of shuttle safety was conducted. Thiokol formed a failure-investigation team on January 31, 1986, which included Roger Boisjoly. There were also many investigations into the cause of the accident, both by the contractors involved (including Thiokol) and by various government bodies. As part of the governmental investigation, President Reagan appointed a blue-ribbon commission, known as the Rogers Commission, after its chair. The commission consisted of distinguished scientists and engineers who were asked to look into the cause of the accident and to recommend changes in the shuttle program.
One of the commission members was Richard Feynman, a Nobel Prize winner in physics, who ably demonstrated to the country what had gone wrong. In a demonstration that was repeatedly shown on national news programs, he demonstrated the problem with the O-rings by taking a sample of the O-ring material and bending it. The flexibility of the material at room temperature was evident. He then immersed it in ice water. When Feynman again bent the O-ring, it was obvious that the resiliency of the material was severely reduced, a very clear demonstration of what happened to the O-rings on the cold launch date in Florida.
As part of the commission hearings, Boisjoly and other Thiokol engineers were asked to testify. Boisjoly handed over to the commission copies of internal Thiokol memos and reports detailing the design process and the problems that had already been encountered. Naturally, Thiokol was trying to put the best possible spin on the situation, and Boisjoly’s actions hurt this effort. According to Boisjoly, after this action he was isolated within the company, his responsibilities for the redesign of the joint were taken away, and he was subtly harassed by Thiokol management [Boisjoly, 1991, and Boisjoly, Curtis, and Mellicam, 1989].
Eventually, the atmosphere became intolerable for Boisjoly, and he took extended sick leave from his position at Thiokol. The joint was redesigned, and the shuttle has since flown numerous successful missions. However, the ambitious launch schedule originally intended by NASA was never met. It was reported in 2001 that NASA has spent $5 million to study the possibility of installing some type of escape system to protect the shuttle crew in the event of an accident. Possibilities include ejection seats or an escape capsule that would work during the first three minutes of flight. These features were incorporated into earlier manned space vehicles and in fact were in place on the shuttle until 1982. Whether such a system would have saved the astronauts aboard the Challenger is unknown, and ultimately an escape system was never incorporated into the space shuttle.
The Space Shuttle Columbia Failure
During the early morning hours of February 1, 2003, many people across the Southwestern United States awoke to a loud noise, sounding like the boom associated with supersonic aircraft. This was the space shuttle Columbia breaking up during reentry to the earth’s atmosphere. This accident was the second loss of a space shuttle in 113 flights—all seven astronauts aboard the Columbia were killed—and pieces of the shuttle were scattered over a wide area of eastern Texas and western Louisiana. Over 84,000 individual pieces were eventually recovered, comprising only about 38% of the shuttle.
This was the 28th mission flown by the Columbia, a 16-day mission involving many tasks. The first indication of trouble during reentry came when temperature sensors near the left wheel well indicated a rise in temperature. Soon, hydraulic lines on the left side of the craft began to fail, making it difficult to keep control of the vehicle. Finally, it was impossible for the pilots to maintain the proper positioning of the shuttle during reentry—the Columbia went out of control and broke up.
The bottom of the space shuttle is covered with ceramic tiles designed to dissipate the intense heat generated during reentry from space. The destruction of the Columbia was attributed to damage to tiles on the leading edge of the left wing. During liftoff, a piece of insulating foam on the external fuel tank dislodged and
Explosion of the space shuttle Challenger soon after liftoff in January 1986. NASA/Johnson Space Center