Allan McDonald’s Legacy And The Ethics Of Decision-Making

The Space Shuttle Challenger disaster on January 28, 1986 was a life-altering event for many, ranging from people who had tuned in to watch the launch of a Space Shuttle with America’s first teacher onboard, to the countless people involved in the manufacturing, maintenance and launching of these complex spacecraft. Yet as traumatizing as this experience was, there was one group of people for whom their dire predictions and warnings to NASA became suddenly reality in the worst way possible.

This group consisted of engineers at Morton-Thiokol, responsible for components in the Shuttle’s solid rocket boosters (SRBs). They had warned against launching the Shuttle due to the very cold weather, fearing that the O-ring seals in the SRBs at these low temperatures would not be able to keep the SRB’s hot gases from destroying the SRB and the Shuttle along with it.

Allan McDonald was one of these engineers who did everything they could to stop the launch. Until his death on March 6th of 2021, the experiences surrounding the Challenger disaster led him to become an outspoken voice on the topic of ethical decision-making, as well as a famous example of making the right decision, no matter how difficult the circumstances.

What Should Never Have Been

Allan J. McDonald was born on July 9, 1937, and grew up in Billings, Montana. He grew up the son of a grocer but did not follow in his father’s footsteps. After graduating from Montana State University with a degree in chemical engineering, he began to work for Morton-Thiokol in 1959. This company had made a name for itself in the production of solid rocket boosters (SRBs) and was contracted in the late 1950s for the Minuteman ICBM program.

As the Shuttle program got under way, Morton-Thiokol was contracted to produce the SRBs for the Space Shuttle in August of 1972, which saw McDonald among the engineers in charge of the Shuttle SRB program. By that time SRBs were familiar technology, and had its share of opponents and proponents. Boeing was among those who argued for liquid-fueled boosters, while even SRB proponent McDonnell Douglas stated in a 1971 report that they saw case burn-through, where hot gases escape along the side of the SRB, as a fatal scenario without recovery possible.

Diagram of the Space Shuttle Solid Rocket Booster field joint assembly. From the Rogers Commission report.

When comparing liquid-fueled and solid rockets at the time, it was found that SRBs overall were more reliable, which was a major concern with the manned Space Shuttle program. The issue of burn-through was thought to be sufficiently solved by using two O-ring seals at each joint between SRB segments. Unfortunately it was later found that flexing of the segment casing could occur during ignition, where the pressure inside the SRB would cause a gap to form between a seal and the segment.

This ‘joint rotation’ problem was seen as an issue by NASA engineers, who would write to the manager of the SRB program, George Hardy, to note their concerns. Despite this, the first Space Shuttle missions used this joint design, even after STS-2’s SRBs showed clear signs of the O-rings being eroded from hot gases passing by them. Since these SRBs were reusable, they were inspected after each recovery, with the SRBs used with the 1984 STS-41-D mission showing both the primary and secondary O-ring being degraded. With 1985’s STS-51-B mission (also flown by Challenger), it was found that hot gases had escaped past both O-rings, much like they would a year later.

Despite these joint issues and hot gas blow-by during launches being a well-known issue at NASA and Thiokol, no measures were taken to improve the design, leading to the fateful Challenger launch on that cold January 28 in 1986.

Guilt

The Space Shuttle’s SRBs were rated to launch in temperatures down to 4 °C (40 °F), yet temperatures on the targeted launch day were considerably below that, at a predicted −1 °C (30 °F), with overnight temperatures down to 18 °F (−8 °C) . On January 27, during the launch preparations of Challenger‘s tenth mission (STS-51-L), Thiokol engineers — including Allan McDonald — and managers discussed the weather conditions with NASA and Marshall Space Flight Center.

At this point Thiokol engineers were well-aware that the O-ring joint solution was far from ideal, and they pointed out that they could not guarantee the joints would even seal properly at temperatures below 54 °F (12 °C) as the rubber became less flexible and thus less able to seal the segment joints at those low temperatures. They argued for the launch to be postponed until temperatures increased.

The explosion of Space Shuttle Challenger, seconds after the accident.

What happened next is unfortunately all too well-known. NASA managers continued the launch after Thiokol management relented and overrode the guidance from their engineers. These engineers, including lead engineer Allan McDonald, Bob Ebeling, and Roger Boisjoly thus found themselves watching the Challenger launch the next day, praying that nothing would happen, while dreading the worst.

During the Shuttle’s ascent, everything appeared nominal, with the Shuttle performing its normal maneuvers. It almost seemed like nothing would go wrong. Then within seconds Challenger disintegrated, with the two SRBs spiraling away from the remnants of the Space Shuttle and the main tank. For those watching on from the ground, there was nothing that could be done to save any of the seven souls onboard.

For the Thiokol engineers who had tried to warn NASA, this was devastating. For Ebeling, who had written a desperate memo about this issue in 1985, the grief and feelings of guilt never went away.

Not a Unique Case

During the subsequent investigation it was found that much like with previous launches, one of the seals had failed, and hot gases made their way outside of the SRB, near the struts holding it to the main tank. Initially a seal made of aluminium oxides from the SRB’s burned propellant sealed the gap, but after a sudden wind shear rattled the SRB, this temporary seal failed and the escaping hot gases were free to finish their destructive work. This is just what Thiokol’s engineers had feared, and something for which they had seen strong warnings on previously recovered SRBs.

President Reagan formed the Rogers Commission in June of 1986 to investigate the incident. The commission’s findings were that the O-ring design flaw lay at the root of the accident, while strongly criticizing the decision to launch. Their report concluded that:

… failures in communication … resulted in a decision to launch 51-L based on incomplete and sometimes misleading information, a conflict between engineering data and management judgments, and a NASA management structure that permitted internal flight safety problems to bypass key Shuttle managers

McDonald and Boisjoly were two of the Thiokol engineers who testified as witnesses for the commission. Their truthfulness led to McDonald being demoted at Thiokol, while Boisjoly resigned from his position at Thiokol. However, members of Congress learned of McDonald being sidelined and threatened Thiokol with exclusion from future NASA contracts. Thiokol management relented, resulting in McDonald being promoted to vice president, and put in charge of the redesign and re-qualification of the SRBs for future Shuttle missions.

None of this explains exactly why NASA was so adamant to launch, even if communication between engineers and upper management was poor, as found by the Rogers Commission. Especially after decades of clear concerns about the joint seals and clear evidence of pending disaster. For a situation where the safety of those involved should be paramount, one could call this decision to launch a callous disregard for human life.

The Price of a Life

The inside of Apollo 1’s capsule after the fire.

Sometimes the price of progress comes at a cost, as with Apollo 1, which saw unfortunate design decisions lead to the death of three people. Such accidents stand in stark contrast with accidents like the Challenger disaster, however. In hindsight, the Apollo 1 design was flawed, but mostly as a result of the rushed development during those days of the Space Race against the Soviet Union, unfortunate shortcuts were taken and painful lessons learned.

In the case of Challenger, there was no rushed development, but a supposedly finished orbiter with active sister spacecraft and many years of mission data that would — and did — reveal the weaknesses in the design. As the Rogers Commission concluded, the Space Shuttle Challenger disaster was ‘rooted in history’, with NASA subsequently trying to cover up having ignored the objections from engineers.

None of this is exclusive to the space industry either. As we have seen recently with the Boeing 737 MAX, and in the past with cases like the Ford Pinto and Therac-25 radiation therapy machine, wilful and unethical decisions. By rushing a product to market, cutting corners to save costs, or by omitting certain testing or design elements, a situation is created in which people are likely to get injured, or even killed.

The Way Forward

Allan J. McDonald’s book on the Challenger disaster.

Both Allan McDonald and Roger Boisjoly would spend a lot of their time after the Challenger disaster telling people about what happened, and especially the circumstances that led up to the disaster. McDonald’s book on the disaster titled ‘Truth, Lies, and O-rings’ from 2009 goes into depth on what happened.

Both of them would speak at seminars and other events, to impress on people the need to do the right thing and make the right decisions, or as McDonald put it: ‘do the right thing for the right reason at the right time with the right people’. Regret for the things which one did are tempered by time, whereas the regret for things we did not do will always remain.

During the decades after the Challenger disaster, McDonald had to deal with the feelings of guilt over those lives that were lost, but came to realize that he had no reason to feel guilty. He, along with his fellow engineers had after all done the right thing, at the right time, with the right people.

Even though their pleas and objections fell on deaf ears, the guilt and responsibility was not theirs to bear. He, along with those who went ahead, now have left the responsibility to do the right thing with the next generations. All so that in the future there shall be no more engineers watching on as the disaster they feared unfolds in front of their very eyes.

31 thoughts on “Allan McDonald’s Legacy And The Ethics Of Decision-Making

  1. “During the decades after the Challenger disaster, McDonald had to deal with the feelings of guilt over those lives that were lost, but came to realize that he had no reason to feel guilty. He, along with his fellow engineers had after all done the right thing, at the right time, with the right people.

    Even though their pleas and objections fell on deaf ears, the guilt and responsibility was not theirs to bear.”

    This right here is the key takeaway. They did everything they possibly could to delay the launch. The guilt lies with the Thiokol management that gave NASA the green light regardless

    1. Agreed. And Thiokol gave that green light for fear of being removed as a key vendor for the shuttle program and whatever other business M-T may have been pursuing at NASA.

      NASA management is just as guilty, in my opinion, for flexing that muscle with lives on the line.

        1. SotU certainly has been speculated as some of the pressure, but far from the majority of it from the White House; rather, NASA really wanted the mention because they were losing a PR battle with public perception and if they didn’t get the mention it would be a huge loss. If you check my comment down below, I link to an article that shows that the negative portrayal of NASA in the media regarding delays was a pretty significant factor as well.

        2. Unless the White House was also made aware that launching was unsafe, then I’m not sure the blame can be placed there. Certainly the Thiokol managers were under pressure from NASA, and NASA under pressure from the White House, but that cannot excuse Thiokol from the guilt of lying and ignoring the engineers.

        1. I had never heard the part about McDonald actually being demoted until now. I knew about the shakeup at Thiokol, but not about the retaliation for testifying….

          And I’m sure there are many cases of that today, even with whistleblower “protection.”

  2. Sad to hear about his passing. I had an opportunity to attend one of his talks and speak with him afterwards. I’ve always felt an odd connection to the Challenger disaster being that it happened on my birthday, and it was neat to be able to pick his brain on the incident.

  3. >None of this explains exactly why NASA was so adamant to launch

    The reason NASA was so adamant to launch was because of the Teacher In Space program and a public relations/perception issue as well. The launch had been delayed several times; the first launch was scheduled for July 1985, but that was pushed to November and then to January 1986. When January arrived, the first launch was scheduled for January 22 but that got pushed to January 25, which again got pushed to January 28. The previous launch (Columbia) was delayed seven times. The media made it sound like the technicians working on it were bumbling idiots and that NASA was incompetent. Also, later that day Reagan was going to do the State of the Union Address and there is speculation (though I’ve seen no hard evidence) that being able to mention the Teacher In Space Program was additional pressure. Here is a good opinion piece about it:

    https://www.washingtonpost.com/archive/opinions/1986/03/30/did-the-media-goad-nasa-into-the-challenger-disaster/e0c8669d-a809-4c8d-a4f8-50652b892274/

  4. Not only did this mistake lead to seven deaths, but it set back the shuttle program, and space exploration as a whole. The people connected to the launch were affected, yes, but this event will continue to have ramifications in rocketry and space ex. in the future.
    (Not to say that all future effects were bad. This can serve to humble us and keep us from attempting anything stupid, and will hopefully save lives.)

      1. I glanced at the article you provided, but I can’t grasp exactly what is going on without some diagrams and explanation on why a bolt would affect a door handle. Do you know more about this topic? If so I’d love some more information.

        1. I’ll have to say the above article does a lousy job of explaining. There was an external door handle that would be removed before liftoff. Procedure was that the three bolts holding it would be unscrewed, the handle removed, and a heat-resistant tile put there. Leaving the handle attached would leave a spot unprotected by heat-resistant tiles, and the handle itself would stick out about 5 inches. I’m not enough of a spacecraft engineer to know exactly what issues this could cause, but I Imagine it falling off due to aerodynamic stresses and hitting something important (ref STS-107) or it heating up and damaging the structure it was attached to. This door can still be opened from the inside with the outside handle removed.

          On 1986-01-27 one of the three bolts had been tightened too much to be removed with the regular tools, and NASA technicians spent two hours trying to remove it before the weather got so bad they couldn’t proceed with the launch.

          Ostracus’ article seems to imply that this somehow helped cause the disaster the day after, but I can find absolutely no indication this is true. Perhaps the temperature was higher on the 27th, and the O-rings would have sealed better had they launched then?

          More information here: https://archive.nytimes.com/www.nytimes.com/library/national/science/012886sci-nasa-challenger.html

          1. >Perhaps the temperature was higher on the 27th, and the O-rings would have sealed better had they launched then?

            Yes, exactly this.

            Also, thanks a lot for the explanation on how those bolts worked!

  5. Another decision that doomed the Challenger crew was made early in the Shuttle design when they opted to not have an emergency crew cabin separation and recovery system. The crew cabin is mounted to the rest of the structure at a few points. Explosive bolts there, cutters on wires and pipes or breakaway connections, and explosive cord (like is used in some fighter jet canopies) to cut the outer skin would’ve allowed the cabin to break free soon after the explosion then descend under parachutes.

    But even then they might not have made it due to breaches in the crew cabin that caused pressure loss, mercifully making them lose consciousness or perhaps even being dead before impacting the ocean.

    It was flat out stupid to launch without the crew in EV suits. Rocket, not airliner.

  6. Richard Feynman’s participation in the investigation carries a lot of detail to the issue at it’s root cause. He writes about his role in his book “What Do You Care What Other People Think” and I highly recommend reading it. Long story short, the Engineers did everything they could to stop the launch. Thiokol’s Management, the government, and NASA had other agendas, so the Engineers’ concerns were downplayed.

    Another reason the concern was downplayed, is something called “Normalization of Deviance”. NASA and Thiokol management argued that several other launches were successful at temperatures below the levels of what the Engineers had defined as the minimum temperature for O-Ring performance, and thus the range was “expanded” by management against Engineering recommendation. The success of an o-ring below spec was a deviation from expectation, but these deviations were used to create a new “normal”. Also, it must be noted that while the o-rings did not fail in the previous launches below desired temperatures, the o-rings did show damage from outgassing. Obviously, management and NASA felt that damage was acceptable when their agendas were at risk.

    1. Ever hear of the term thermal soak? It took as much as 3days for our booster’s internal temp to recover after a freeze episode on the test stand 1C15 KEDW, and it blew up anyways.

  7. There is an old saying they teach in business: If you want to get the product out of development you must first fire the engineer (that’s the nice version).

    Business managers know that if left to their own devices, engineers will fiddle and tinker with things to squeeze every last bit of performance out of a design. But a product doesn’t need to be perfect. It merely needs to be “good enough.” The problem? Business managers don’t know what “good enough” really means. The notion of risk is abstract. They do not understand it in the way that most engineers do. So they “wing it.”

    The problem in the Space Shuttle case is that it was a research vehicle. It was never going to be perfect in every respect. The concerns of the engineers were ignored because there were plenty of flights before that didn’t have problems. The managers really didn’t know how to evaluate what the engineers were saying.

    From the perspective of the managers, there are always technical reasons not to launch, but there is a risk if they do not launch, too. If the space shuttle was not able to meet the financial goals that everyone thought it would be capable of, then it is not worth having and they’re all out of work. So the managers operated in their own little myopic world, and they made a decision that in retrospect looks inconceivable. Nobody knew a damned thing about O-Rings or burn through or any of that stuff. They didn’t have the time or the mental bandwidth to understand this.

    If anyone here thinks this sort of decision making process is unique, it happens all the time. And thankfully, most of the time, nothing happens. This is decision making in the low probability/high impact region. Most people make poor decisions when faced with this combination.

    I say this as a registered professional engineer. I’ve lived this. We have to spend time to figure out how to speak to managers to convey the difference between tweaking a design and an absolute safety issue.

    By the way, the loss of the Space Shuttle Columbia was also due to this sort of miscommunication. It was the original Death by Powerpoint example.

    These days, hopefully, when an engineer says the word safety, people should sit up and listen. If the engineer provides formal advice against a certain activity or production, and you choose to ignore that advice; then when the accident happens you will probably be sitting on the opposite side of a court room while lawyers feast upon your future livelihood.

  8. And years later, we got the 737Max fiasco leading to hundreds of deaths. Management should never be allowed to overrule engineering if engineering refuses to sign off.

    I have worked as a design authority in aerospace and have had a few “discussions” with management when I refuse to sign off designs. Yes, I have put my job on the line to do the right things. After all, my signature is the final approval on the drawing that the authorities are going to look at if something goes wrong, not the manager’s.

Leave a Reply to evadCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.