[HN Gopher] The Seal Failure in the SRB That Doomed Challenger (...
___________________________________________________________________
The Seal Failure in the SRB That Doomed Challenger (2021)
Author : phendrenad2
Score : 120 points
Date : 2024-07-10 01:11 UTC (21 hours ago)
(HTM) web link (exrocketman.blogspot.com)
(TXT) w3m dump (exrocketman.blogspot.com)
| dboreham wrote:
| Interesting reading. Did not glean from multiple books and
| documentaries that they "added another layer of turtles" to the
| O-ring design.
| mihaaly wrote:
| The overuse of emphasization (heavy phrases, all caps, underline,
| bold, italic, exclamations, COMBINED!! :) ) for the sometimes
| later coming clear statement of facts (not needing emphasis
| because speak for themselves) is an irritating read. Aggravated
| by tangential updates in prime location of the start (instead of
| end) derailing attention right before started. Educationally the
| style is very obstructive. But pretty useful writing still after
| pushing ourselves through, even after decades of thousand
| articles into this topic.
| romwell wrote:
| >The overuse of emphasization (heavy phrases, all caps,
| underline, bold, italic, exclamations, COMBINED!! :) ) for the
| sometimes later coming clear statement of facts (not needing
| emphasis because speak for themselves) is an irritating read
|
| Some of us are neurodivergent, and this flow _both_ makes it
| easier to follow, _as well as_ more closely reflects the way we
| think (and write).
|
| _You_ can enable your browser's reader mode to remove
| formatting.
|
| _We_ can't hit a button to add emphasis in relevant places.
|
| Consider this next time you're tempted to comment on formatting
| (including that of _this_ comment).
| lupusreal wrote:
| Good explanation. Too many people think the cold launch day and
| NASA culture that allowed a launch on such a day was the only
| issue. It's less widely known that the design was fucked from the
| start and wasn't working properly for _any_ of the Shuttle
| launches.
| pdonis wrote:
| Also, there was another very poor decision by NASA that the
| article does not mention. The summer before the Challenger
| launch, Thiokol, at the urgent request of its engineers, sent
| NASA a memo stating that the SRB O-rings were not sealing
| properly and recommending that all Shuttle flights be stopped
| until the issue was understood and fixed. NASA's response was
| to reclassify the SRB O-rings as a Criticality 1 flight risk
| instead of Criticality 1R--1R means the issue could cause loss
| of vehicle and loss of crew if it happens, but there is a
| redundant backup, whereas 1 means _no_ redundant backup, which
| means the Shuttle should indeed have been grounded--and then
| _waived_ the risk so the Shuttle could continue flying. So NASA
| not only put a very poor design into use, they _kept on_ using
| it even after their own flight risk procedure told them they
| should stop.
| kjkjadksj wrote:
| Has anything changed with the structure of NASA today to
| prevent these same perverse incentives from emerging on
| future missions?
| QuadmasterXLII wrote:
| Absolutely not - see the decision to put astronauts on the
| latest Starliner flight
| KennyBlanken wrote:
| You're mixing up events. The reclassification happened in
| 1980 (correction: 1982, I can't math), ~4 years prior:
|
| "A second major event regarding the joint seal occurred in
| the summer of 1982. As noted before, in 1977-78, Leon Ray had
| concluded that joint rotation caused the loss of the
| secondary O-ring as a backup seal. Because of May 1982 high
| pressure O-ring tests and tests of the new lightweight motor
| case, Marshall management [126] finally accepted the
| conclusion that the secondary O-ring was no longer functional
| after the joints rotated when the Solid Rocket Motor reached
| 40 percent of its maximum expected operating pressure. It
| obviously followed that the dual O-rings were not a
| completely redundant system, so the Criticality 1R had to be
| changed to Criticality 1.53 This was done at Marshall on
| December 17, 1982. The revised Critical Items List read (See
| pages 157 and 158)"
|
| https://www.nasa.gov/history/rogersrep/v1ch6.htm
|
| Also, the issues with the o-rings not sealing properly were
| known from the very beginning. Thiokol's seal design was
| extremely unorthodox, NASA engineers objected before the
| contract selection, testing showed substantial leakage during
| both static pressure testing and actual firings. NASA
| management ignored all this, and Thiokol insisted it wasn't a
| problem and re-wrote the pass/fail standards in terms of
| leakage.
|
| There were numerous problems; the o-rings were glued instead
| of molded as they had been on the Titan, the boosters were
| assembled horizontally (something that had never been done
| before - certainly not on the largest solid rocket motor ever
| built), the o-ring assemblies were not inspected for
| voids...the list of incompetence just goes on and on.
|
| Really, people: _read the report_.
| pdonis wrote:
| _> The reclassification happened in 1980_
|
| Actually, the _reclassification_ happened in December 1982,
| according to the Rogers Commission report that you
| reference. (The original classification as 1R happened in
| 1980; the reclassification that removed the "R" happened
| in 1982.) Which I agree is not the summer prior to the
| Challenger launch; I was misremembering that part. But the
| rest of what I said--Thiokol recommending to NASA that the
| Shuttle be grounded until the O-ring issue was fixed, and
| NASA refusing-- _did_ happen the summer prior to the
| Challenger launch (summer 1985).
|
| _> the issues with the o-rings not sealing properly were
| known from the very beginning_
|
| The fact that the design was unorthodox was known, yes. The
| extent to which that design would lead to actual events in
| actual flights was not. The Thiokol engineers only
| gradually learned what the extent of the actual flight risk
| was as they analyzed flight data. A good account, which
| includes a brief description of how the design was flawed,
| the efforts made by the Thiokol engineers to analyze flight
| data and to obtain test data on the O-rings, the
| information sent by Thiokol to NASA in the summer of 1985,
| and an account of the conference call the night before
| the Challenger launch, is given in this paper co-authored
| by Roger Boisjoly:
|
| https://people.rit.edu/wlrgsh/FINRobison.pdf
|
| To be clear, none of this means the design should have been
| accepted in the first place; clearly it shouldn't have
| been. I am simply pointing out that the article under
| discussion in this thread leaves out further points in the
| process, besides the original design choice and the
| conference call the night before the launch, where NASA was
| given strong indications that they should change their
| minds, and they never did.
| KennyBlanken wrote:
| You're right, I corrected the date while I was drafting
| it and I only changed the date, not the range (note I
| said "4 years", Challenger was in 1986).
|
| I will update.
| toss1 wrote:
| Yes, what I found excellent about this explanation is how the
| system is actually dynamic, but NASA treated it as static.
|
| In the reference good design, the single O-Rings must
| dynamically seat against the outermost surface from the forces
| in the initial leak test, and that seating is reinforced by the
| actual flight pressures. This also relies upon the free path of
| hot gasses from the hot pressurized combustion side to apply
| equal pressure around the ring and compress the now-hot air
| against the ring and steel walls, which act as a heat sink, and
| achieve 1/1-million failure rates.
|
| In contrast, it looks like NASA treated it as a static system,
| just adding more "sealant" and O-Rings to the system, which
| actually forked-up the dynamics, forcing a single-point
| breakthru of the O-ring. And worse yet, they magnified the
| problem in the "fix", and the only reason it didn't happen
| again is they never launched in such cold temps again.
|
| Also particularly sad to see the failure obvious in Pic #4,
| with hot gasses expelling from the SRB side even before it
| leaves the pad. They were already doomed. And even if someone
| somehow saw that failure happening on the pad, could anything
| have been done? A way to separate them from the main structure
| early and abort? Separate the shuttle from the main tank and
| abort?
| jccooper wrote:
| Using a segmented solid was dumb from the start. Not to mention
| using a solid at all on a supposedly-reusable and/or human-
| carrying vehicle.
| vundercind wrote:
| The SLS uses old Shuttle SRBs.
|
| I assume the same ones with the post-Challenger 3-ring
| redesign that doesn't fix the core problem at all.
|
| Jesus. Add it to the list of safety-related reasons I hope
| that nonsense project never makes a crewed flight.
| cryptonector wrote:
| After reading TFA I also have this question: are the SLS
| boosters also using this 3 o-ring design?
| jccooper wrote:
| SLS uses improvements made late in the Shuttle program.
| Lower temp materials and some larger diameters.
| Presumably that exact problem is fixed. Others? Who
| knows.
| incorrecthorse wrote:
| > Those two flight deck pilots had breathed-up all the oxygen in
| their breathing packs by the time they hit the sea, something
| confirmed by the empty breathing packs that were recovered. Which
| means they were alive when they hit the sea!
|
| I don't understand how this follows. The best scenario is that
| they had their last drops of oxygen around hitting the sea; in
| other scenarios they died from lack of oxygen before hitting the
| sea.
| inglor_cz wrote:
| "in other scenarios they died from lack of oxygen before
| hitting the sea."
|
| If they ran out in last 4 km of altitude or so, they would be
| in air dense enough not to even lose consciousness.
| krisoft wrote:
| > they would be in air dense enough not to even lose
| consciousness.
|
| Assuming that they don't need to do any action to change from
| bottle oxygen to external. Or that if action is required
| (like turning a valve or opening their visors), that it was
| performed by them.
|
| I do not know how that subsystem worked. Maybe someone else
| here knows?
| KineticLensman wrote:
| > The best scenario is that they had their last drops of oxygen
| around hitting the sea; in other scenarios they died from lack
| of oxygen before hitting the sea.
|
| See [0] for a summary. It appears that at least one
| unidentified crew member activated the air pack for Smith (the
| pilot) but not Scobee (the commander). Smith operated some
| switches after the break-up so was certainly conscious. The
| crew compartment was tumbling but not so fast as to cause
| blackouts.
|
| [0]
| https://en.wikipedia.org/wiki/Space_Shuttle_Challenger_disas...
| 1659447091 wrote:
| Here is the link to add on the Personal Egress Air Packs, and
| a crew member activating Smith's PEAP
|
| [0]: https://en.wikipedia.org/wiki/Personal_Egress_Air_Pack
| KennyBlanken wrote:
| Note that the Challenger crew were not wearing Launch Entry
| Suits like those shown in the photo.
|
| They were dressed in what amounted to nylon jumpsuits and
| motorcycle helmets.
| hilbert42 wrote:
| _"...the crew did not die in the tank explosion and subsequent
| ripping-apart of the orbiter by air loads. ...The crew was still
| alive in the orbiter cabin until it finally hit the sea, which is
| about a 200-gee stop, since it hit dead broadside."_
|
| Anyone around at the time vividly remembers this horrible
| tragedy. My memory was unexpectedly reinforced only days later
| when I came across a memorial to the crew in the Smithsonian
| museum.
|
| Perhaps those in NASA were aware that the crew were (or would
| have assumed to have been) alive until they hit the water but if
| I recall that knowledge wasn't available to the GP.
|
| I assumed, like I suppose many, the crew were killed outright at
| the time of disintegration and that would have been the most
| merciful outcome. That it wasn't even now fills me with horror
| and I shudder to think about it. The crew's final moments must
| have been sheer terror.
| KineticLensman wrote:
| > I assumed, like I suppose many, the crew were killed outright
| at the time of disintegration and that would have been the most
| merciful outcome
|
| The breakup was certainly slower and less directly destructive
| for the crew than the Columbia. Challenger essentially broke up
| due to aerodynamic stresses as the entire stack tumbled when
| the SRB broke loose (the stack rotated so the orbiter was on
| top, at Mach 1.92). The massive visible 'explosion' was
| actually the fuel from the external tank igniting as a result
| of the tank breaking up mechanically, not the initial cause of
| the orbiter's destruction. The separated but mainly intact crew
| compartment then continued upwards ballistically before
| beginning its long fall back to the ocean.
|
| In contrast, due to earlier launch-time damage to its wing,
| Columbia entered a flat spin while re-entering hypersonically
| at Mach 15. Complete break-up was about 20 seconds after the
| last comms from the crew. By this time the crew were already
| dead, due to physical trauma from being violently buffeted
| around - e.g. their non-conforming 'fishbowl' helmets offered
| no real head-protection in the event of violent movement.
| hilbert42 wrote:
| Thanks for that. I presume on both accounts NASA is much more
| conversant with the details than are publicly available.
| That's how it ought to be out of respect for the families.
| KineticLensman wrote:
| > I presume on both accounts NASA is much more conversant
| with the details than are publicly available. That's how it
| ought to be out of respect for the families.
|
| Yes, and I agree. The Columbia break-up left fragments
| scattered over a massive area and from the fact that parts
| of spacesuits, belts, seats etc are scattered sometimes
| miles apart, it's clear that the breakup was massively
| destructive. But in the otherwise very detailed reports,
| the 'medical' details are (rightly, I think) redacted, as
| you say, out of respect.
| gwd wrote:
| > That it wasn't even now fills me with horror and I shudder to
| think about it. The crew's final moments must have been sheer
| terror.
|
| Having been in a situation where I thought I was about to die
| (head-on collision on an icy country highway), that wasn't my
| experience. When I saw the other car in my lane I was hit with
| a wall of adrenaline; I experienced the "bullet time" that you
| see sometimes in movies, where tiiime slooowwws doooowwwwnnn;
| and I felt like I was processing things calmly and rationally,
| thinking about what they tell you to do in that situation in
| driver's training, and even when it became clear that there was
| nothing I could do to avoid the oncoming car, I simply thought,
| "I wonder what it's like to die?"
|
| (Now having been in a few more accidents, and experiencing
| "crumple zones", I'd probably just be thinking about whether
| the car would be totaled.)
|
| The professional astronauts will have been put through loads of
| training for all kinds of contingencies; there's a very good
| chance they had similar responses, and a decent chance that
| McAuliffe did too.
| MadnessASAP wrote:
| They did, many of the controls in the recovered cabin were
| found in positions that correspond with the crew following
| emergency procedures. Obviously with the rest of the orbiter
| missing those procedures were useless, as would've been
| anything else they attempted.
|
| Which makes it little more than a sad footnote to the whole
| thing, there was nothing the crew could've done, but they
| died knowing they were in big trouble and were trying to
| restore control of a scrap of their former vehicle.
| dghlsakjg wrote:
| The crew were likely alive, but not conscious.
|
| The crew capsule experienced high g force on multiple axes
| pretty quickly after the explosion.
|
| That's enough force to put even the best fighter pilots to
| sleep VERY quickly.
|
| NASA also concluded that the emergency air system wouldn't have
| been sufficient to maintain consciousness with a complete loss
| of cabin pressure at their altitude.
| (https://www.nasa.gov/missions/space-shuttle/sts-51l/challeng...).
|
| The emergency air system was designed for an evacuation on the
| ground, not at altitude.
| librasteve wrote:
| very good explanation. surely there must have been engineers on
| the team that knew the NASA design was unproven - by NOT
| whistleblowing they killed the crew as surely as anyone else -
| chickenshits
| ceejayoz wrote:
| The engineers tried.
| https://en.wikipedia.org/wiki/Space_Shuttle_Challenger_disas...
|
| > Based upon O-ring erosion that had occurred in warmer
| launches, Morton Thiokol engineers were concerned over the
| effect the record-cold temperatures would have on the seal
| provided by the SRB O-rings for the launch. Cecil Houston, the
| manager of the KSC office of the Marshall Space Flight Center,
| set up a conference call on the evening of January 27 to
| discuss the safety of the launch. Morton Thiokol engineers
| expressed their concerns about the effect of low temperatures
| on the resilience of the rubber O-rings. As the colder
| temperatures lowered the elasticity of the rubber O-rings, the
| engineers feared that the O-rings would not be extruded to form
| a seal at the time of launch. The engineers argued that they
| did not have enough data to determine whether the O-rings would
| seal at temperatures colder than 53 °F (12 °C), the coldest
| launch of the Space Shuttle to date. Morton Thiokol employees
| Robert Lund, the Vice President of Engineering, and Joe
| Kilminster, the Vice President of the Space Booster Programs,
| recommended against launching until the temperature was above
| 53 °F (12 °C).
|
| This article confirms that:
|
| > The decision to fly cold-soaked colder than the SRB's had
| ever been tested, was also a NASA management decision. Both
| NASA and Thiokol engineers objected, but were over-ruled.
| Thiokol upper management also over-ruled their own engineers,
| and told NASA to go ahead and launch. Thus emboldened by
| Thiokol management, NASA launched the thing, thus killing its
| crew.
| librasteve wrote:
| well, yes. Let's agree on the fact that _Robert Lund, the Vice
| President of Engineering, and Joe Kilminster, the Vice
| President of the Space Booster Programs, recommended against
| launching_ ... I am saying that Robert Lund and Joe
| Kilminster are partly responsible for these horrible deaths
| and that instead of some paper recommendation they should
| have immediately given their resignation and made a press
| announcement of the situation (regardless of the consequences
| of breach of NDA or the ending of their careers) or otherwise
| prevented the launch, not least because as the senior
| executives with engineering oversight they would have been
| well aware of the organisation politics / buck passing
| culture
| dogleash wrote:
| Whoever wrote that section on wikipedia didn't do a great
| job. They're mentioned by name when they were against the
| launch, and they're "Morton Thiokol leadership" when they
| change their mind. It's technically true but misleading, I
| was so confused reading it I had to reference the Rogers
| Commission report because I thought (correctly) that
| Kilminster was one that faxed in a signed recommendation to
| launch to overrule the engineer on site.
| whycome wrote:
| There was also a good chance that the flight successfully
| would reach orbit. Then what?
| dogleash wrote:
| Then they keep launching with lower strictness "because
| it worked last time" until something else fails.
| Feynman's section of the investigation report is
| basically the argument that's what was already happening
| at NASA and the O-rings were just the first thing to fail
| catastrophically.
| nordsieck wrote:
| That's exactly what happened with tile damage.
|
| The very first Shuttle flight - STS-1 experienced serious
| tile damage. And others (famously, the antenna mission)
| had similar experiences. But it wasn't until the Columbia
| disaster that anyone suffered for it.
| librasteve wrote:
| as set out in the article there is a 1/1,000,000 O ring
| related failure rate for the normal design and an unknown
| (but now known to be ~1/50) failure rate for the NASA
| specified design - should corporate / military entities
| risk life at 1 million to one ... that seems fair to me
| with the understanding of the crew - but it is definitely
| not good engineering practice (and is likely a criminal
| offence) to take an unknown risk with a human crew
| yodelshady wrote:
| Good article, I've seen this covered from the materials science
| and system engineering perspective before but not the mechanical
| perspective.
|
| Ask any first year materials science graduate how Challenger
| failed and they'll confidently tell you about glass transition
| temperatures in fluoropolymers, but if any chartered engineer
| gave you that answer, fire them. People in the room at the time
| knew about that, but _somehow_ a clear warning became a point of
| uncertainty became a minor interest became a footnote.
|
| What I find more interesting is, ask any first year economist
| about 2008 and they'll tell you about Gaussian risk copulas.
| Somehow in _that_ field sticking with the level one explanation
| as if the PhDs in the room _there_ didn't know is accepted.
| Paul-Craft wrote:
| Challenger did not explode because of a "seal failure." That
| tragedy was entirely preventable. At least one of the engineers
| raised the alarm, saying that because of the recent cold weather,
| they couldn't guarantee that the O-ring would perform properly.
| But, the big wigs disregarded that warning, and seven people paid
| for that mistake with their lives.
|
| No, it most certainly was not a seal that failed. It was an
| organization that failed. Unfortunately, it's harder to fix an
| organization than it is to design an O-ring that won't become
| brittle from sitting out a few hours on a cold night.
| dghlsakjg wrote:
| That's my takeaway after a lot of reading about this.
|
| The seal performed exactly as it was specified to. The spec was
| that below certain temperatures it wasn't guaranteed to perform
| as a seal, and that's exactly how it performed.
|
| The issue was that some level of management was alerted that
| they were operating outside of the spec, and they gambled that
| it didn't matter.
| m3kw9 wrote:
| The selection team for the seal failed to account for
| temperature ranges for earth atmospheric conditions. They
| went low and that is what happened
| sjm-lbm wrote:
| To be fair, there were specific temperature ranges in which
| the shuttle was supposed to be capable of launching, and
| the temperature range did not go as low as you might expect
| because the Shuttle was going to launch in Florida (and,
| maybe someday, California) - iirc, the minimum temperature
| was 40 deg F or something like that.
|
| Of course, the Thiokol engineers weren't sure that 40 was
| sufficient (they were worried about anything below 52
| degrees), but in defense of the people that chose the
| o-ring material, Challenger launched outside of the design
| spec for the Space Shuttle.
| KennyBlanken wrote:
| The seal did not "perform exactly as it was designed to."
|
| The seal leaked during initial static pressure testing, it
| leaked during test-firings, etc. Engineers and management at
| both Thiokol and NASA knew about this. NASA engineers
| repeatedly objected to the Thiokol design (both original and
| modified) for different reasons, talked to the o-ring
| supplier who stated that the design was using o-rings in a
| way never used before, etc.
|
| The author of the blog post is wildly wrong, but so are a
| _lot_ of comments.
|
| Everyone, PLEASE read the Rogers Commission report. It spells
| out the _extensive_ problems with the design/manufacture,
| and at both Thiokol and NASA.
|
| https://www.nasa.gov/history/rogersrep/v1ch6.htm
|
| Edit: I can't post a response because my account has a
| posting limit, but "the o-rings were not defective"
| is...misleading.
|
| The o-rings were constructed as an assembly that used
| multiple lengths of o-ring material glued together, instead
| of the entire o-ring being molded at once, which is what had
| been done on prior rockets. Up to five joints were allowed.
| No inspection of the glued joints was performed other than a
| surface inspection.
|
| Second edit: no, the problem is not that the "selection team
| did not account for atmospheric pressure." The joints between
| sections mechanically did not hold together correctly. NASA
| engineers predicted this when examining the revised design
| during the earliest phases, although the assembly was found
| to act in a way different than how they had predicted, but
| still caused the seals to leak. Everyone knew the seals
| leaked, before the first shuttle headed to the launch pad.
|
| Third edit: the blog is "wildly wrong" because it claims NASA
| supplied or modified the revised seal design and outright
| declares them incompetent government bureaucrats who didn't
| know how solid rocket motors worked. In fact, both designs
| came from Thiokol in entirety - and NASA engineers basically
| said in reports something to the effect of "the government
| (ie NASA and the military) has never seen a solid rocket
| motor sealed like this".
|
| When NASA engineers approached the o-ring manufacturing
| company, the company said they'd never seen a design like it
| and felt that it was 'not being used like an o-ring' or
| something to that effect.
|
| From the very beginning NASA engineers were screaming their
| heads off that the design was shit. Testing validated their
| concerns. Upper management at both Thiokol and NASA didn't
| care.
| dghlsakjg wrote:
| I should have been more specific: the o-ring did not fail
| in an unexpected way.
|
| There was no defect in the o-ring. The design of the entire
| joint it was sealing was suspect, and was known to perform
| in a way that was not satisfactory. It did perform just as
| it was expected to (they expected a failure under the
| conditions) by the people that had the technical details.
| procflora wrote:
| True indeed, but it's important to not lose the
| uncertainty they had at the time, and the degree of
| o-ring failure being not so binary.
|
| According to what I recall of Allan McDonald's version of
| things, they had a good amount of data that colder
| temperatures meant worse sealing performance from the
| o-rings (soot making its way past the first o-ring and in
| some cases damaging the second, basically). Like you
| said, it was a well-known issue in some circles. They
| also knew the Challenger launch the next morning would be
| very cold indeed, something wild like at or just above
| freezing, I think.
|
| The engineers at Thiokol raised their concerns and were
| asked what a safe temperature to launch is and said
| something like 53F, basing this on the fact that a
| previous launch at that temp was successful. NASA (and
| Thiokol) management balked at this because the booster's
| certified minimum launch temp was something lower like 30
| or 40F. Then they basically asked them to prove it would
| catastrophically fail at the temperatures expected the
| next morning, which they couldn't conclusively do since
| they didn't have the data to back it up. Management
| reversed the no-go recommendation based on this.
|
| So yes, the o-rings performed as expected insofar as
| colder = worse, but it was a matter of how much worse at
| temperatures lower than any successful previous launch.
| stracer wrote:
| Why is the blog post wildly wrong? He states the seal
| joints were poorly designed, similar to your statement. His
| statements seem reasonable and in agreement with Feynman's
| and others' (Boisjoly) account, which tell a story of
| corrupt NASA and Thiokol management, who pushed for flying
| outside the safe temperature window.
| romwell wrote:
| >The seal performed exactly as it was specified to.
|
| Yeah, _no_.
|
| The seal _never_ performed the way it was designed to.[1] It
| was faulty _by design_. The seal _always_ leaked, but that
| didn't always lead to an explosion.
|
| There were multiple times where the erosion/blow-by problem
| was observed; in fact, the O-ring was (unsuccessfully)
| redesigned by Morton Thiokol to address the issue.[2]
|
| The problem was that nobody _really_ understood what was
| going on, and waved their hands about it.
|
| Quote[3]:
|
| _"NASA had developed a peculiar kind of attitude: if one of
| the seals leaks a little and the flight is successful, the
| problem isn't so serious. Try playing Russian roulette that
| way: you pull the trigger and the gun doesn't go off, so it
| must be safe to pull the trigger again."_
|
| Please do some due diligence before simply saying things that
| _feel_ right for the sake of making a point.
|
| Your point still stands (it _was_ an organizational failure),
| but premising it on a false statement (that the O-ring
| performed to spec) isn't a way to make it.
|
| [1] https://www.latimes.com/archives/la-xpm-1986-11-19-mn-4295-s...
|
| [2] https://www.nasa.gov/history/rogersrep/v1ch6.htm
|
| [3] https://lithub.com/how-legendary-physicist-richard-feynman-h...
| dylan604 wrote:
| > "NASA had developed a peculiar kind of attitude: if one
| of the seals leaks a little and the flight is successful,
| the problem isn't so serious.
|
| this quote also feels pertinent to the Starliner
| decision to launch. They knew there was helium, but they
| just decided there was more helium for the mission than was
| leaking. so the acceptable risk bar seems to be pretty low.
| cryptonector wrote:
| TFA explains that the seal design was flawed. The cold helped,
| but the design had already failed in earlier flights, and that
| had been observed. It really was a seal failure.
| vikingerik wrote:
| However, do keep in mind the principle you need to think about
| when designing such an organization, which is warning fatigue.
|
| Anything as complex as the shuttle is going to have any number
| of groups raising any number of warnings about any number of
| components. If you heeded all of them, you'd spend eternity
| investigating everything and nothing would ever fly (welcome to
| the SLS.) How many other warnings of similar perceived severity
| were ever raised but flew anyway and never resulted in anything
| catastrophic? Probably a lot. "Go fever" is a problem, but so
| is its opposite in warning fatigue.
|
| It's easy to condemn the organization, but that has to also
| come with some sense that the organization had a million
| problems to deal with, and we only knew to pick out this one
| after it happened.
| fuzzfactor wrote:
| There had been delays and as a live TV watcher it could be
| seen there was pressure to launch as soon as conditions could
| be considered the least bit acceptable.
|
| IOW almost completely unfavorable, but not quite as bad as it
| was earlier.
|
| The media revealed some skepticism that a launch would be
| advisable that day, but once a lift-off time was set, then it
| became all systems go as usual.
|
| If there's a freezing day on that part of the Florida coast,
| that's an unusual _year_. You question everything that hasn't
| previously survived that kind of year in the past.
|
| I didn't feel optimistic for those reasons alone.
|
| >The "science" is that knowledge which was written down. The
| "art" is the knowledge that was not written down, usually
| because no one wanted to pay for the writing.
|
| That's so true why so much documentation is never made, you
| have to make the most of what you have and fill in the rest
| through experimentation.
|
| But O-rings are so boring, seems like nobody wants to take
| the time to even _read_ the "free" literature. It's not any
| more complex than an average engineering semester.
|
| Now it would take more than a semester to get really deep
| into polymer properties that can be involved under different
| conditions, but engineers themselves are never expected to
| get very far in that direction if they're not even experts in
| the mechanical engineering of the o-ring dimensional
| enclosures.
|
| Once it was revealed that the Challenger was doomed by
| inadequate o-ring engineering, it reminded me of the day one
| blew out when I had my first gas lab, at over 10,000 psi the
| explosive force was easily noticeable. From quite a few doors
| down.
|
| The engineer who designed the cylinders had "copied them from
| XXXX lab" and we were using them no differently than they
| were doing, but it was always an accident waiting to happen
| because the tolerances and material selection were not given
| but a fraction of the attention necessary to avoid a mission-
| critical failure, much less a potentially hazardous
| aftermath. Quintessential technical debt.
|
| Anyway I had to redesign the cylinders and deal with the
| machinists and suppliers myself. I guess maybe it was a bit
| like artistic background that was helpful since I had already
| worked in one of the highest-precision machine shops during
| summer, and then after university full-time (12-hour days) at
| a polymer plant laboratory. What it brought to the table was
| greater than the available documentation which was essential
| too. Before it was over I had then spent time with a life-
| long o-ring expert who had built a company based on o-rings
| for severe service. There is no substitute for a large
| warehouse filled with nothing but millions of o-rings, and
| browsing around with the pro who has helpful advice at every
| turn and truly wants you to never have a blowout as if your
| life depended on it.
|
| So the o-ring blowout had been my initiation into a
| commercial laboratory startup back in 1980, building custom
| engineering laboratories to handle contract research
| projects.
|
| Definitely a single point of failure which is worse than
| others _because_ it is so boring, it is much more likely to
| be overlooked.
|
| Things I won't work with: engineers that are not so great but
| think they are.
|
| Much better off handling things like benzene, methanol, or
| sulfuric acid in shorts and flip-flops which people know not
| to try this at home.
| pixl97 wrote:
| Eh, this is why the space shuttle sucked and was a stupid
| design that was going to kill people. It could never fly
| without people so every possible flight test was a fatal one.
| It was too expensive so no one wanted to 'test' it. It was
| such an incredibly complicated package that critical issues
| that would ground any other project got bypassed because of
| the sunk cost fallacy.
|
| SpaceX generally does the opposite of this for example. Their
| testing is very hardware rich. Then they'll have dozens of
| automated flights on very similar hardware. Then after the
| hardware has been used in a wide range of conditions we see
| it migrate to human ratings.
|
| NASA picked something too complicated, was warned it was too
| complicated, then lost human lives when it was too
| complicated.
| dhc02 wrote:
| Your initial statement is a particularly bad sort of semantic
| mishandling.
|
| The seal absolutely failed, in the way that any reasonable
| person would interpret that phrase. A seal prevents things from
| getting past it, and it did not do that.
|
| Some alternate phrasings that I believe make the (valid) point
| without this semantic flaw:
|
| - The Challenger did not explode because of a simple or
| unexpected seal failure.
|
| - The seal failure was merely a symptom of a larger, harder to
| fix, much more troubling failure.
|
| - The seal failed, but that was not the failure that mattered.
| csours wrote:
| I just finished "The Undoing Project" - about Kahneman and
| Tversky. It covers quite a lot of territory, but the title is
| about mentally 'Undoing' disasters.
|
| Generally speaking, people pick a proximate human action or
| inaction as the keystone for preventing the problem.
|
| In the book, they give the example of going back in time to kill
| Hitler - but people often don't decide to go back in time to buy
| Adolf's art - and then one of them suggests that even something
| as small as another sperm or no sperm 'winning' that particular
| race would disrupt history just as well.
|
| It is much more _satisfying_ to think about killing Hitler than
| it is to think about throwing a rock at his parent's window.
|
| ---
|
| It is much more satisfying to think about NASA administrators
| taking the warnings seriously than it is to think about all the
| ways the culture and incentives were messed up. You can see a
| particular decision that was WRONG.
|
| Finding fault with a person is a shortcut to mental satisfaction,
| but it will only at best fix one problem, and at worst will find
| the person who 'rolled the dice' wrong, or who picked the wrong
| lottery numbers. That is, you can find a person who was standing
| next to the cause of the problem, but any other person in that
| same spot would have the same odds of causing the same problem.
|
| ---
|
| I've also been thinking about learning organizations - any org
| that wants to accomplish really big things has to be able to
| learn.
|
| I'd love to hear of any personal experience of contracts that
| allow for learning. I think it's possible, but usually
| discouraged because contracts are written defensively, and
| learning involves a great deal of trust.
|
| It's very clear in this case that NASA culture was deeply cynical
| and brittle. As a government organization they felt they could
| not show any failure or waste, and this must certainly have
| wormed into their group and personal psychology.
|
| In contrast, SpaceX has demonstrated what a learning organization
| looks like - it looks like public failure. I emphasize IT LOOKS
| LIKE public failure. Learning means not being embarrassed about
| test rockets blowing up spectacularly. It means that you collect
| your data and improve, and try again.
|
| To be sure, this would not work as well (or at all?) with a
| publicly traded company, and it certainly would not work with a
| government organization.
| pixl97 wrote:
| This is a really good point. The shuttle was doomed to be a
| failure before the first part was produced. A whole bunch of
| different organizations wanted a piece of the pie and were
| forcing changes on the design that turned it into a pasted
| together swiss army knife. If you said no to any of those
| organizations, they would have fought against your funding.
|
| Space is an arena that needs a lot of hardware rich testing to
| see what works and what fails and fast turn around times.
| cryptonector wrote:
| This is the best explanation I've seen yet.
|
| The summary is that you want a buffer of air between the hot
| gasses of the running motor and the o-ring seal such that the air
| gets compressed but remains between the hot gasses and the o-ring
| thus insulating the o-ring from the hot gasses. But to avoid a
| pressurization test NASA went with a two-o-ring scheme where the
| space between them is pressurized, which forces the inner o-ring
| to be on the wrong side of where it should be, thus leaving
| little or no air buffer between that o-ring and the hot gasses.
| That in turn can cause point failures in the inner o-ring which
| will result in concentrated jets of hot gasses impinging on the
| outer o-ring which then cannot hold (because the pressure isn't
| uniform across the o-ring's circumference, instead it's
| concentrated on a point). Add the cold o-ring brittleness and
| boom.
|
| Is SLS still using this o-ring design?? I sure hope not.
| KennyBlanken wrote:
| It was revised after the Challenger disaster.
|
| It's not the "best explanation yet" - it's outright historical
| revisionism that directly contravenes _reams_ of documentation,
| test results, and testimony as part of the Rogers Commission.
|
| The author repeatedly claims NASA created the design of the
| inter-section seal, that they were incompetent in solid rocket
| motor design, insisted on the design, etc because Those Silly
| Government Workers blah blah.
|
| In reality, NASA engineers saw Thiokol's initial bore/face seal
| design (which was also a double seal...) and objected to it:
|
| "The initial Thiokol design proposal was changed before the
| production motors were manufactured. Originally, the joint seal
| design incorporated both a face seal and a bore seal.16 (Figure
| 1.) However, the motor that was eventually used had double bore
| O-rings. The original bore seal/face seal design was chosen
| because it was anticipated that it "provides [better]
| redundance over a double bore ring seal since each is
| controlled by different manufacturing tolerances, and each
| responds differently during joint assembly." 17 Because the
| early design incorporated tolerances similar to the Titan and
| it also incorporated a face seal, Thiokol believed it possessed
| "complete, redundant seal capability."
|
| > Nevertheless, as the Solid Rocket Motor program progressed,
| Thiokol-with NASA's concurrence-dropped the face/bore seal
| design for one using a double bore seal (Figure 1). NASA
| engineers at Marshall said the original design would have
| required tapered pins to maintain necessary tolerances and
| assure enough "squeeze" on the face-sealing O-ring.19 However,
| design analysis determined that motor ignition would create
| tension loads on the joint sufficient to cause the tapered pins
| to pop out. Solving that would have meant designing some type
| of pin-retainers. Moreover, the rocket assembly was much easier
| with the dual bore seals. Because inspections and tests had to
| be conducted on the Solid Rocket Motor stack, horizontal
| assembly was required.
|
| The seal design was still not adequate and NASA engineers
| objected more. Testing showed NASA engineers' concerns to be
| valid. During both static pressure testing and actual test-
| firings there was documented leakage, and Thiokol's response
| was to revise what was considered an acceptable amount of
| leaking.
|
| Numerous NASA engineering staff, and even the o-ring suppliers,
| all objected. Thiokol repeatedly ignored those objections, as
| did NASA management.
|
| You can read it right here:
| https://www.nasa.gov/history/rogersrep/v1ch6.htm
|
| The entire premise of the blog post is contravened by early
| tests. Whereas the author claims that the seal was doomed to
| fail because the o-ring would leak until it was forced upward
| to where it would properly seal, the actual problem was:
|
| > Although the test was successful in that it demonstrated the
| case met strength requirements, test measurements showed that,
| contrary to design expectations, the joint [123] tang and
| inside clevis bent away from each other instead of toward each
| other and by doing so reduced-instead of increased-pressure on
| the O-ring in the milliseconds after ignition.26 This
| phenomenon was called "joint rotation." Testifying before the
| Commission, Arnold Thompson, Thiokol's supervisor of
| structures, said,
|
| > "We discovered that the joint was opening rather than closing
| as our original analysis had indicated, and in fact it was
| quite a bit. I think it was up to 52 one-thousandths of an inch
| at that time, to the primary O-ring."27
|
| > Thiokol reported these initial test findings to the NASA
| program office at Marshall. Thiokol engineers did not believe
| the test results really proved that "joint rotation" would
| cause significant problems,28 and scheduled no additional tests
| for the specific purpose of confirming or disproving the joint
| gap behavior.
| csours wrote:
| It seems like their main complaint is with NASA management -
| though it did sound like it bled over onto engineering as
| well. That feels like a very natural human response - to
| paint with a wider brush than is needed.
| Ringz wrote:
| From the Wikipedia Article:
|
| "Modified SR-71 Blackbird ejection seats and full pressure suits
| were used for the two-person crews on the first four Space
| Shuttle orbital test flights, but they were disabled and later
| removed for the operational flights."[1]II-7
|
| But I think this would not have helped the astronauts on the
| middle deck.
|
| [1]: Jenkins, Dennis R. (2016). Space Shuttle: Developing an Icon
| - 1972-2013. Specialty Press. ISBN 978-1-58007-249-6.
| sitharus wrote:
| Indeed it wouldn't, which is why they were removed when they
| started putting astronauts in the middeck seats.
| imemyself wrote:
| Not sure if this was posted because of the book - but a book on
| Challenger was released a month or two ago
| (https://www.amazon.com/Challenger-Story-Heroism-Disaster-
| Spa...).
|
| I just finished reading and would strongly recommend it to anyone
| interested in Challenger or aerospace in general. One of my
| better reads in the last few years.
|
| And also infuriating to read...my previous impression was that
| there was some concern about cold weather + the o-rings, and one
| guy thought they shouldn't launch.
|
| But the management mistakes were far more grievous than I
| realized. There was a repeated pattern of near misses on the
| SRB's over the years before Challenger, and most engineers
| working on the SRB's felt very strongly that they should not
| launch. The previous coldest launch was 15+ degrees warmer than
| Challenger's, and came very very close to failure itself.
|
| (And while it ended up not being what killed them, Rockwell, the
| folks who build the Shuttle itself, _also_ did not want to
| launch, out of concerns about ice).
___________________________________________________________________
(page generated 2024-07-10 23:01 UTC)