
Remembering Roger Boisjoly: He Tried to Stop Shuttle Challenger Launch - drewvolpe
https://www.npr.org/sections/thetwo-way/2012/02/06/146490064/remembering-roger-boisjoly-he-tried-to-stop-shuttle-challenger-launch
======
mannykannot
In many ways, this is an update of the Titanic story of technological hubris,
with the twist that the man who was right, who fought hard to prevent what he
foresaw, who was briefly relieved when his dire predictions seemed to be
wrong, was still dogged by the event for the rest of his life.

We don't know how those who were on the wrong side of the issue coped, and
they should not be pressured to make public anything beyond what the inquiry
required, but it seems plausible to me that those who could persuade
themselves that they made the right decision, given the circumstances and
despite the outcome, probably fared best. That is usually the case.

Edward Tufte tried to suggest that Boisjoly could have presented his case more
effectively. Tufte may have been thinking purely pedagogically, but
regardless, the implied criticism was unjustified, as Boisjoly's point should
have been clear to anyone familiar with the issue, and in fact it was clear to
quite a few, though unfortunately not to the few who mattered, and I doubt
that, for them, a different presentation would have made a difference.

We can't always be right, and we can't all be heroes, but I hope we can all
avoid being the person who said to Boisjoly, when it appeared that Boisjoly's
testimony might be fatal to Morton Thiokol, that he would leave his children
for Boisjoly to raise if he lost his job.

~~~
Aloha
What do you consider the primary technological hubris of _Titanic_?

To be clearer - the hubris of _Titanic_ wasn't technological, it was
operational - it was going too fast, in an ice field, with a lack of lookouts
- beyond this, it didn't reduce speed after ice was spotted.

Yes, there were issues, damage to such a small portion of the ship _(less than
1/3)_ shouldn't have caused it to sink (I'll note, many other ships had
similar or worse flaws than _Titanic_ did).

The lifeboats on the other hand (as most commonly cited) are not a real issue
- _Titanic_ started launching boats about 25 min after it struck the iceberg,
which is about how long a damage survey would take. It had not launched all 20
boats by the time the forward list became so great that they were unable to
launch more - this doesn't even touch the multitudes below decks, many of whom
didn't speak English, or were unable to be moved up to the boat deck in a
timely enough fashion.

I'd also like to share something I dug up from the internet[1]:

"As far as I can determine, Titanic is the single example of a passenger ship
that sank with decks level. It was probably the only time in history when
lifeboats could be launched from both sides simultaneously. The Andrea Doria
sinking is a more typical event. In that case, half of the lifeboats were
rendered useless by the cant of the decks. Given the testimony that Titanic
was "lolling" as it foundered (listing from side to side), it is highly
probable that carrying sufficient lifeboats would have raised the center of
gravity sufficiently to have caused a permanent list early in the evening. In
other words, the weight of those extra boats might have created a situation in
which they could not have been used, anyway.

And, it is conveniently overlooked that from the moment when launching boats
became necessary until the moment when it became impossible was not long
enough to launch the 24 boats the ship carried. If it had carried more boats,
they could not have been filled and launched properly. This is not to say that
some people might not have used the un-launched boats to survive--just to
point out that more lifeboats was not the answer to saving everyone aboard
Titanic.

The only way to save everyone on any passenger ship is to not let it sink.
That's the key, not lifeboats.

White Star and the British Board of Trade had an embarrassing situation on
their hands. They had lost the world's largest ship...not to mention some
1,500 irreplaceable souls. They needed an issue to divert public attention
from the real problems behind Titanic's foundering. For instance the lack of
lookout, the speed, and the fact that the ship was already well into the ice
when it struck. Why wasn't the conduct of the voyage changed at 10:00 p.m.
instead of after the accident? Or, what was wrong with the design of the ship
that allowed damage to the bow to ultimately claim the whole ship? These
issues go to the heart of the matter, but public attention was easily diverted
by the lifeboat issue. It was a diversion that worked so well that the lack of
lifeboats has become almost the only safety issue ever discussed."

[1]: [https://www.encyclopedia-titanica.org/community/threads/boar...](https://www.encyclopedia-titanica.org/community/threads/board-of-trade-and-lifeboats.1799/)

~~~
jacobush
They also likely would not want to draw attention to this:
[https://www.snopes.com/news/2017/01/06/coal-fire-sink-the-ti...](https://www.snopes.com/news/2017/01/06/coal-fire-sink-the-titanic/)

~~~
NeedMoreTea
Why? Bunker fires were common on coal fired ships, as was dealing with them by
shovelling coal into the furnace, or venting steam. It's an interesting
snippet, but doesn't seem very compelling that it was a cause. I didn't watch
the actual documentary, so only have the piece you linked to go on.

~~~
afiori
high speed in an ice patch -> disaster

burning more coal than necessary -> high speed

coal fire -> burning more coal

~~~
gambiting
Even on a ship like the Titanic, it's not like the only way to slow down is to
stop burning coal. They could have vented steam instead of using it for
propulsion - that is always an option.

~~~
boudin
From a documentary on channel 4 about this, the risk was more to run out of
coal before arriving as the fire would have been ongoing since the departure
and been quite big.

~~~
chris_wot
It’s not just that. It made the steel brittle. Not a good combo in freezing
water.

------
albntomat0
My main unanswered question here (I admit I haven't looked particularly hard
for the answer) is what the false positive rate was. How many times have
similarly major concerns been raised, about things that were not ultimately an
issue? Were the NASA administrators bombarded with such concerns for every
launch, or were reports a relatively rare occurrence?

Designing processes to appropriately address such concerns seems to hinge on
the answer.

[edit for grammar]

~~~
ncmncm
When the engineers are saying no, and the administrators are saying yes, you
don't need to know much more.

~~~
GuB-42
Engineers will always say no. It's the administrator's job to decide which
kind of "no" is acceptable.

Here, the problem is not the engineers saying no. It is that for some reason,
administrators weren't able to properly discern trivial matters from life
threatening ones.

~~~
kamaal
>>administrators weren't able to properly discern trivial matters from life
threatening ones

That suggests a very serious flaw in the overall capability, seriousness and
knowledge of the project of the person making that decision.

The administrators are not that stupid. Reading the article carefully. These
people were worried about the launch to be delayed by a year. That
subsequently brings up the question about how that would work for their
careers.

Also what is the downside for these people. Say the Shuttle crashes, they are
not going to be billed $2 billion or charged with manslaughter. Heck, all they
get is a job transfer in the worst possible
case ([https://en.wikipedia.org/wiki/Linda_Ham#Columbia_disaster_an...](https://en.wikipedia.org/wiki/Linda_Ham#Columbia_disaster_and_investigation_report)).

If you have literally no repercussions for making wrong decisions. You have
now incentivized the administrators to make whatever decisions work best for
them personally.

No amount and quality of engineering reports are going to work from here.

------
RachelF
Unfortunately the management culture at NASA, something Richard Feynman also
criticized, did not change. This led to managers ignoring engineers' warnings
about the foam strikes on Columbia, and also rejecting requests for high
resolution images.

Linda Ham, the manager who rejected these requests left the space shuttle
program after the Columbia disaster and was moved to other positions at NASA.
[https://en.wikipedia.org/wiki/Linda_Ham#Columbia_disaster_an...](https://en.wikipedia.org/wiki/Linda_Ham#Columbia_disaster_and_investigation_report)

~~~
maxxxxx
"and also rejecting requests for high resolution images."

That's a decision I don't understand. Would taking the pictures have been a
big change in flight plan or something like that?

~~~
NikolaeVarius
Military stuff.

Secondly, there was a strong prevalence of the idea that, even IF they had
found something, nothing could have really been done, which was probably true
according to the post-mortem.

~~~
maxxxxx
"even IF they had found something, nothing could have really been done, which
was probably true according to the post-mortem."

That would be a pretty weak excuse and only applicable in hindsight. I have
read that depending on the size of the damage they could potentially have
changed the descent profile to put more load on the other wing. To decide this
you first need the data.

~~~
dgritsko
A fascinating article was posted a few years ago outlining the possibility of
scrambling the _Atlantis_ orbiter while _Columbia_ was in orbit and performing
a rescue of her crew. It was a fascinating "what-if", well worth your time:

[https://arstechnica.com/science/2016/02/the-audacious-rescue...](https://arstechnica.com/science/2016/02/the-audacious-rescue-plan-that-might-have-saved-space-shuttle-columbia/)

------
Dowwie
There are commenters here who in usual HN form speak as if they would have
acted differently than the team at NASA did if they had been involved. The
reality is that it is unlikely.

Business schools use variations of the Challenger launch as a case study in
group decision making and organizational behavior. I experienced one while at
business school. The crucial parts of Challenger were applied to another
scenario. Risk and safety were brought up in discussion but were outlier
considerations by the group. The group agreed to proceed with the plan.

~~~
sumanthvepa
I took that case study in business school at Cornell. I was one of the 4
people in the class that day (there must have been 30-40 folks in the room)
whose recommendation was to NOT launch. I felt so pleased when the prof
revealed that the case was a disguised version of the Challenger incident.

EDIT: In response to the suggestion below, I've removed the reference to the
actual case study, to allow future students to enjoy it as much as I did.

~~~
Dowwie
Yep. That's the one. The author of the case was my professor. You might want
to omit the details of the case in your comment because folks here might
experience it one day. :)

I was the _only_ dissenter in my class. You and I should connect.

~~~
sumanthvepa
We should definitely connect! :-) Removed the reference to the actual case, as
you suggested.

~~~
umvi
Aw, come on. I'm never going to go to business school. Let me spoil it for
myself if I so choose... Just use a URL shortener so the link doesn't give
away information for those who don't want it spoiled.

~~~
Zimahl
I don't know why you are getting downvotes, I'm not going to be heading to
business school and wouldn't mind reading it either.

------
ncmncm
Not widely known is that it was Sally Ride who clued in Feynman ['s wingman],
secretly. If it had got out, she would never have flown again.

Also not widely known was that she was gay. She had to conceal that, too, from
NASA. She died young of pancreatic cancer.

~~~
justin66
The story people read in Feynman's autobiography was that General Donald
Kutyna came by and made some very knowledgeable suggestions about areas worthy
of investigation. Kutyna revealed after her death that Sally Ride clued _him_
in, and he in turn passed the knowledge on to Feynman.

 _Kutyna: On STS-51C, which flew a year before, it was 53 degrees [at launch,
then the coldest temperature recorded during a shuttle launch] and they
completely burned through the first O-ring and charred the second one. One day
[early in the investigation] Sally Ride and I were walking together. She was
on my right side and was looking straight ahead. She opened up her notebook
and with her left hand, still looking straight ahead, gave me a piece of
paper. Didn't say a single word. I look at the piece of paper. It's a NASA
document. It's got two columns on it. The first column is temperature, the
second column is resiliency of O-rings as a function of temperature. It shows
that they get stiff when it gets cold. Sally and I were really good buddies.
She figured she could trust me to give me that piece of paper and not
implicate her or the people at NASA who gave it to her, because they could all
get fired._

 _Kutyna: I wondered how I could introduce this information Sally had given
me. So I had Feynman at my house for dinner. I have a 1973 Opel GT, a really
cute car. We went out to the garage, and I'm bragging about the car, but he
could care less about cars. I had taken the carburetor out. And Feynman said,
"What's this?" And I said, "Oh, just a carburetor. I'm cleaning it." Then I
said, "Professor, these carburetors have O-rings in them. And when it gets
cold, they leak. Do you suppose that has anything to do with our situation?"
He did not say a word. We finished the night, and the next Tuesday, at the
first public meeting, is when he did his O-ring demonstration.

We were sitting in three rows, and there was a section of the shuttle joint,
about an inch across, that showed the tang and clevis [the two parts of the
joint meant to be sealed by the O-ring]. We passed this section around from
person to person. It hit our row and I gave it to Feynman, expecting him to
pass it on. But he put it down. He pulled out pliers and a screwdriver and
pulled out the section of O-ring from this joint. He put a C-clamp on it and
put it in his glass of ice water. So now I know what he's going to do. It sat
there for a while, and now the discussion had moved on from technical stuff
into financial things. I saw Feynman's arm going out to press the button on
his microphone. I grabbed his arm and said, "Not now." Pretty soon his arm
started going out again, and I said, "Not now!" We got to a point where it was
starting to get technical again, and I said, "Now." He pushed the button and
started the demonstration. He took the C-clamp off and showed the thing does
not bounce back when it's cold. And he said the now-famous words, "I believe
that has some significance for our problem."_

[https://www.popularmechanics.com/space/a18616/an-oral-histor...](https://www.popularmechanics.com/space/a18616/an-oral-history-of-the-space-shuttle-challenger-disaster/)

~~~
ncmncm
It is a deep indictment of NASA that any of that skulduggery was necessary. I
don't doubt that it was. My guess at the reason is that allowing people to
talk about things that were true would have led to the whole program being
canceled.

The program was such a disaster, by every conceivable reckoning; using the
money wasted on that white elephant, we could have had, thirty years ago, what
Elon Musk is just finally getting around to, and (as a bonus!) without Elon.

~~~
WalterBright
Why would it be better without Elon?

~~~
close04
Perhaps he means that Musk has the tendency to leave his ego in the driver's
seat. One false move, one unlucky moment, and it can cause another tragedy.

Otherwise one person achieving what Musk has is just as good as any other.
Just as long as they are stable enough to not pose a risk to the mission.

------
hodgesrm
It is much easier to prevent disasters like this if you design processes to
surface problems as early in the process as possible. It does not take
anything away from Roger Boisjoly to say that it's really hard to stop the
process once you get far enough toward launch/release/production or whatever
the end result is. The real failing of the NASA managers is that they failed
to create a culture of safety that would encourage problems to be addressed
long before they became catastrophes.

~~~
jaggederest
This is easier to do if it's anonymous, in general. One I've seen is hand out
decks of cards, have people put in a card, and if there isn't consensus on
moving forward, things stop.

[https://retromat.org/en/?id=130](https://retromat.org/en/?id=130) is an
example of this. Trust is the most important thing about teamwork imo.

~~~
kwhitefoot
Anonymous voting is only necessary because people don't trust each other.

If you trust each other there is no need for anonymity.

~~~
skolsuper
Yes but the inverse isn't true either: removing anonymity doesn't cause
everyone to trust each other. If you don't have trust, or you're not sure, an
exercise like this is a good idea.

------
moioci
Also worth remembering Bob Ebeling, another Thiokol engineer who was wracked
with guilt for 30 years, thinking he should've done more to stop the launch.
[https://www.npr.org/sections/thetwo-way/2016/02/25/466555217...](https://www.npr.org/sections/thetwo-way/2016/02/25/466555217/your-letters-helped-challenger-shuttle-engineer-shed-30-years-of-guilt)

------
S_A_P
This got me following the rabbit hole and I found this NYTimes article from
1987 about the subsequent lawsuit against Morton Thiokol by Boisjoly.

[https://www.nytimes.com/1987/01/29/us/engineer-who-opposed-l...](https://www.nytimes.com/1987/01/29/us/engineer-who-opposed-launching-challenger-sues-thiokol-for-1-billion.html)

If you forgot how different things were back then, here are a few highlights:

Thiokol spokesmen "consistently and falsely" portrayed Mr. Boisjoly as "a
disgruntled or malcontented employee whose views should be discounted and
whose professional expertise should be doubted," the suit said. It cited
press interviews in which Thiokol spokesmen labeled Mr. Boisjoly a
"tattletale" and an "impatient" employee who tried to hire subcontractors
in violation of a contract.

Roger stood his ground and paid dearly for it, kudos to him for having some
integrity.

------
matchagaucho
Edward Tufte made a great case that data visualization could have prevented
the launch... and that PowerPoint was to blame.

[https://www.asktog.com/books/challengerExerpt.html](https://www.asktog.com/books/challengerExerpt.html)

~~~
justin66
Roger Boisjoly, and others, have a response to Tufte's analysis that is worth
reading:

[https://people.rit.edu/wlrgsh/FINRobison.pdf](https://people.rit.edu/wlrgsh/FINRobison.pdf)

Tufte made a number of errors, including the sorts of errors Tufte might freak
out about:

 _The other temperatures Tufte lists on Table 1 are of the ambient air at time
of launch. Tufte has mixed apples and oranges. Tufte thus has both coordinates
on the scatterplot wrong. The vertical axis should be “blow-by”, not “O-ring
damage”, and the horizontal axis should be “O-ring temperature”, not a mixture
of O-ring temperature and ambient air temperature._

I don't know if he ever offered a response to this paper.

~~~
matchagaucho
Tufte's improvement on the NASA chart was _adding_ an X/Y axis to show
correlation between temperature and damage; something the original charts
failed to communicate.

Maybe he didn't offer a response to this paper because the fundamental design
approach is correct, albeit the actual numbers need refinement?

~~~
pdonis
_> Tufte's improvement on the NASA chart was adding an X/Y axis to show
correlation between temperature and damage; something the original charts
failed to communicate._

But, as the response that justin66 linked to shows, Tufte's "improved" chart
is incorrect on both axes: its "temperature" axis wrongly conflates ambient
air temperature with O-ring temperature, and its "damage" axis wrongly
conflates erosion with blow-by. (See comment at end.)

The reason why the charts shown by the Thiokol engineers did not communicate
"correlation between temperature and damage" was, as the Boisjoly response
makes clear, because, at the time (the night before the Challenger launch),
_nobody knew what that correlation was_. The argument the engineers were
making was _not_ "the risk of O-ring failure increases with decreasing
temperature". It was "since we don't understand the root cause of the O-ring
issue, we should not launch at any temperature outside the previous range of
launch temperatures". The lowest previous launch temperature was 53 F; the
temperature on the morning of the Challenger launch was 29 F.

Why did the engineers not know the correlation between temperature and damage?
Because the data they had at the time was inconclusive and incomplete (for
example, they did not even have complete data on the ambient air temperature
and the O-ring temperature for every previous launch--a point Tufte
overlooks), and their attempts to obtain more data had been mostly
unsuccessful.

And why were the engineers reduced to making what is, on the surface, a fairly
weak argument the night before the Challenger launch? Because, as I noted in
another comment upthread, they had already tried, the previous summer, to get
NASA to stop _all_ Shuttle flights until the O-ring issue could be properly
understood and fixed, on the grounds that with it not fixed, _every_ Shuttle
flight had a significant risk of loss of vehicle and loss of life (see further
comment below on this). And NASA _refused_. So the engineers that night
already knew they were dealing with a NASA management that was simply ignoring
a critical flight risk; therefore, arguments of the form "this is a critical
flight risk we don't understand, so we shouldn't launch" were out of bounds,
since they had already been tried and had failed. The engineers were simply
trying to do the best they could to get at least _some_ Shuttle flights
stopped, and making the best arguments they could to do that, against the
background of their much better argument for having _all_ flights stopped
having already failed.

A further comment on what I said above, that _every_ Shuttle flight was a
significant risk with the O-ring issue not understood. Tufte's assumption that
the root issue was in fact a "correlation between temperature and damage" was
_wrong_. It is true that the data from previous launches showed more "witness
events" (evidence of either erosion or blow-by) at lower temperatures. But the
engineers also had test stand data showing that under some conditions, the
O-ring joints were failing to seal at any temperature below 100 F! (And there
was at least one flight that showed blow-by, i.e., evidence of the O-ring
joint failing to seal, at 75 F.) So the problem wasn't "the joint is OK at
higher temperatures but unacceptably risky at lower temperatures". The problem
was "the joint is unacceptably risky at any temperature below 100 F"; the fact
that it was more unacceptably risky at lower temperature than higher was a
relatively minor detail. But NASA had already refused to listen to that
argument.

And a final brief comment on erosion vs. blow-by. Erosion is damage to the
O-ring due to hot gas eroding part of it while the O-ring is sealing the
joint. Blow-by is hot gas going right past the O-ring because it is _not_
sealing the joint. The O-rings were designed to tolerate a certain amount of
erosion, based on the expected temperature of the gas and the duration of the
burn; so erosion, in and of itself, was not evidence of a problem not
anticipated by the design. But the O-rings were _not_ designed to not seal at
all: not sealing was a failure of the design. So blow-by was direct evidence
of a failure of the design. That's why conflating the two is wrong: blow-by is
the problem, not erosion. (It's true that an O-ring that has hot gas blowing
by it because it's not sealing will also have erosion; but blow-by without
erosion is still a problem, while erosion without blow-by is not. So blow-by
is the indicator that should be focused on when assessing the risk level of
the O-ring joint design.)

~~~
matchagaucho
#ChangeMyView delta awarded :-)

------
mark-r
Needs a (2012) appended to the title. A very powerful story deserving to be
retold.

------
mcv
> "We were talking to the people who had the power to stop that launch."

The problem is that the people who had the power to stop the launch were
managers dealing with other concerns. Engineers should have the power to stop
the launch.

And with principles like Agile and Lean, engineers are fortunately
increasingly getting empowered to stop a launch if they feel it would be
irresponsible. I hope NASA now uses these sort of principles too.

~~~
snarfy
I have to disagree that Agile is any kind of solution to this. I've seen it
fail too many times. If implemented correctly, maybe, but that rarely happens.
And why is that? Why so many Agile horror stories?

There is a real lack of leadership in the world, at all levels of society.
It's not something an ideal like agile can fix. Without good leaders we end up
with broken agile. I'm pretty sure NASA has a good engineering process. It
doesn't matter if nobody listens.

~~~
mcv
Agile is not a thing that fixes things. Agile is a set of principles. People
over process, and that sort of thing. Blindly implementing Agile as a process
ignores that basic principle of Agile.

In this particular case, there was a person, an expert, who saw a very real
danger and was overruled by people who lacked his expertise because his
opinion was inconvenient to them. That's not good. If an expert sounds the
alarm, you listen to him, no matter how inconvenient it may be.

And in Agile and maybe more explicitly in Lean, the people who do the work are
empowered to make decisions regarding their work. Responsibility shouldn't lie
entirely with people who may be distracted by other concerns.

------
alexhutcheson
Serious question: What was the proposed course of action had they decided to
cancel the launch? My (possibly wrong) understanding was that the O-ring
damage only would have been apparent if they disassembled one or both of the
solid rocket boosters. Was anyone seriously proposing to do this prior to the
launch?

The question is relevant because I’ve read conflicting sources about whether
the damage to the O-ring caused by the freezing temperature was permanent. If
the temperature permanently compromised the O-ring material, then a delay
wouldn’t have saved the Challenger, only a disassembly of the boosters would
have. However, if the O-ring performance would have recovered when brought
back to a normal temperature range, then a delay could have prevented the
disaster. Does anyone have any definitive sources on this?

~~~
vilhelm_s
The O-rings were not damaged prior to launch, but they didn't function if they
were too cold. You'd have to wait until a warmer day.

------
bensniffler
The morning before the shuttle blew up I was watching the news on tv before
catching the bus to school. You could tell just looking at the news feed that
the shuttle was covered in ice. Even to my 12 year old self it seemed
insane to launch a space ship into orbit when covered in ice. I was so
confused when told in school that the shuttle blew up. I was like, no way
would anyone think that was a good idea to launch today. I still to this day
don't know if they de-iced it first or just shot it up there and hoped for the
best.

------
billsmithaustin
I wonder how many other times an engineer advised NASA to delay a flight.

------
cladari
If I remember right the roberts report on this said each time they launched at
a low temperature any degradation of the seal became the new normal and
"safe". The launch temperature got lower and lower and each time the normal
was reset.

------
heyjudy
Gotta get better at ringing the right alarms and persisting if you want to be
heard. He could've done lots more things to warn but he didn't: tried to warn
astronauts' families, leak it to the media, and such. But he didn't. Why
lionize him for failing?

------
geggam
This story should be shown to every manager who ignores engineers'
recommendations.

------
camel_gopher
Pretty sure an actor played him in the movie about the Challenger disaster.

[https://imdb.com/title/tt2421662/](https://imdb.com/title/tt2421662/)

------
toolslive
off topic: if I decline the cookie policy, I get the plain text site! That's
an extra free benefit. Love it.

------
moviuro
GDPR-compliant link:
[https://text.npr.org/s.php?sId=146490064](https://text.npr.org/s.php?sId=146490064)

~~~
ahmedalsudani
Oh wow. Better presentation too.

