The Night Before Challenger
On the evening of January 27, 1986, engineers at Morton Thiokol gathered on a teleconference with NASA managers to discuss a launch scheduled for the next morning. The forecast overnight low at Kennedy Space Center was 18°F, far below the temperature at any previous launch. The engineers were concerned. Very concerned. Roger Boisjoly, a seal expert who had been raising alarms about the solid rocket booster O-rings for months, presented data showing that the rings had performed poorly at cold temperatures on previous launches. His conclusion was direct: do not launch until temperatures warm above 53°F, the coldest O-ring temperature at which a shuttle had flown before.
The meeting lasted nearly three hours. NASA managers pushed back, asking whether the engineers could prove the O-rings would fail — rather than asking whether they could prove they would be safe. Thiokol managers asked for a few minutes to caucus without NASA on the line. They deliberated. Then Jerry Mason, Thiokol's senior vice president, turned to the vice president of engineering and said something that has become one of the most quoted phrases in engineering ethics literature: "Take off your engineering hat and put on your management hat." The engineers' recommendation was overruled. The decision was made to launch. At 11:38 AM the following morning, 73 seconds after liftoff, Challenger broke apart over the Atlantic Ocean. All seven crew members died.
"The question wasn't whether the engineers were right. They were right. The question was why being right wasn't enough."
What Boisjoly actually knew — and when he knew it
The Challenger disaster is often described as a case where safety concerns were "overlooked" or "missed." This is inaccurate. The O-ring problem was not a surprise. It had a documented history going back to 1977, when engineers first identified that the field joint design had potential issues. In 1985, Boisjoly wrote a memo to his supervisor with language that could not have been more explicit: he described "a catastrophe of the highest order — loss of human life" as the potential consequence if the O-ring problem was not corrected before the next flight. The memo was dated July 31, 1985 — six months before the accident.
Over that same period, O-ring erosion had been observed on multiple previous shuttle flights. Each time erosion was found and the flight had not failed, it was added to a data set of "successful" missions โ and the argument was implicitly made that since the shuttle had flown successfully despite the erosion, the erosion was not necessarily catastrophic. This is the pattern sociologist Diane Vaughan later named normalization of deviance: a deviation from standards becomes gradually accepted as normal because the expected failure doesn't materialize, until eventually the deviation becomes so normalized that no one sees it as a deviation at all.
At the Rogers Commission investigation into the Challenger accident, physicist Richard Feynman, a commission member who conducted his own independent investigation, performed a demonstration during a televised public hearing that became famous. He took a piece of O-ring material that had been provided to him, compressed it in a small C-clamp, submerged it in a glass of ice water at the table in front of the cameras, and waited. When he removed it and released the clamp, the material had lost its resiliency: it did not spring back to its original shape. He then said: "I believe that has some significance for our problem." In a demonstration that took less time than a single slide of the Thiokol briefing, he showed on camera what the engineers had been trying to communicate to management for months and had failed to communicate effectively.
The structural failure of risk communication
Boisjoly's data was technically correct. The O-rings did lose resiliency at low temperatures. The correlation between temperature and O-ring performance was real. But the way the data was presented on the teleconference, a stack of charts and tables of erosion incidents from previous flights, discussed verbally, was not persuasive to managers who were looking for a threshold temperature below which failure was certain. There wasn't one in the data. Worse, the charts compared temperature only across the flights on which O-ring distress had been observed; the many warm-weather flights with no damage at all, which is where the temperature signal actually lives, were left out, so the cold-weather pattern looked weaker than it was. The engineers couldn't say "below 40°F, catastrophic failure is certain." They could say "cold temperatures correlate with worse performance, and 18°F is far outside any previous experience."
This is a fundamental problem in communicating engineering risk under uncertainty: engineers often know something is unsafe without being able to prove it will definitely fail. The absence of certainty gets interpreted as absence of evidence. And in organizational settings under schedule pressure, the burden of proof falls on those arguing for caution — not on those arguing for proceeding. The engineers had to prove it was unsafe to launch. The default was to launch. This asymmetry — where "we can't prove it's safe" is insufficient to halt a launch — is not an accident. It's a consequence of organizational incentives, schedule pressure, and the way risk gets managed in large hierarchical institutions.
In a well-functioning safety culture, the burden of proof should lie with those asserting that a system is safe enough to operate, not with those raising concerns. This is the principle behind "if in doubt, don't", and engineering codes of ethics make the underlying obligation explicit: hold paramount the safety, health and welfare of the public. In practice, large organizations under schedule and cost pressure tend to invert this: the presumption is that launch (or production, or delivery) proceeds unless someone can prove a specific failure is imminent. Changing this cultural default, making "we're not sure" sufficient grounds to halt, is one of the most difficult organizational engineering challenges, and one that organizations repeatedly fail at, even after disasters that demonstrate the cost of getting it wrong.
What Boisjoly's career became — and what it tells us
After the accident, Boisjoly testified before the Rogers Commission and told the full story of the teleconference, including the management override of the engineers' recommendation. He was accurate, detailed, and honest. His testimony was crucial to the Commission's findings. He was later honored for it by the American Association for the Advancement of Science with its Award for Scientific Freedom and Responsibility. At Morton Thiokol, the response was different: his professional life became increasingly difficult. He was sidelined from the booster redesign and return-to-flight effort, isolated from colleagues, and eventually took a medical leave. He never returned to aerospace engineering. He spent the rest of his career as a lecturer on engineering ethics.
The pattern is not unique to Boisjoly. Whistleblowers — people who report safety concerns through internal or external channels at personal professional risk — consistently face retaliation despite legal protections that are inconsistently enforced. The engineers who raised concerns about the Boeing 737 MAX MCAS system faced similar outcomes. The pattern is so consistent across industries and decades that it suggests a systemic problem, not individual failures of organizational character. The engineering profession's codes of ethics say that engineers have an obligation to public safety above all other loyalties. What they don't provide is reliable protection from the consequences of honoring that obligation.
Was NASA's decision to launch technically illegal — did it violate any formal safety standard?
This is legally complex. The formal launch commit criteria didn't explicitly prohibit launching at low temperatures: the 53°F figure the engineers cited was not in the official documentation, and NASA managers pointed to the booster motor's qualification range of 40°F to 90°F as the binding limit (the ambient temperature at launch, 36°F, was below even that). What existed was a large body of informal engineering knowledge, internal memos, and documented concerns that the formal process had never translated into binding launch constraints. This is part of what the Rogers Commission criticized: the shuttle program had a safety process that was extensive in appearance but had failed to capture and enforce critical technical concerns as formal constraints. The Commission found that the decision-making process was flawed and violated the spirit of NASA's own safety philosophy, but whether it violated the letter of any specific regulation is less clear. Subsequent NASA safety reforms after Challenger, and again after Columbia in 2003, attempted to create more rigorous linkages between documented technical concerns and formal launch constraints. Both disasters involved documented concerns that the formal process hadn't captured.
What specifically makes an O-ring fail at low temperatures — what's the physics?
An O-ring seals by deforming under compression to fill a gap. The rubber's resiliency, its ability to spring back after compression and maintain contact with the sealing surfaces, is critical. At low temperatures, rubber compounds stiffen dramatically: as an elastomer cools toward its glass transition temperature it changes from a flexible, rubbery material to a stiff, glass-like one, and its ability to recover quickly degrades well before that point is reached. Thiokol's own bench tests had shown the booster O-rings recovering far more slowly at 50°F than at 75°F. When warm, the O-ring deforms quickly under compression and seals effectively. When cold, the ring deforms slowly, may not fully conform to the joint geometry, and may leave gaps that allow hot combustion gas to blow by. The joint also had a design issue: when the booster segments flexed apart slightly at ignition under internal pressure (joint rotation), the gap the O-ring had to seal actually increased at the worst possible moment, when the O-ring was already cold-stiffened and least able to conform. Boisjoly had analyzed this joint rotation problem separately from the temperature issue; it was a second, overlapping failure mechanism.
The Decision Chain
The Challenger events above, in chronological order:
- Boisjoly writes the July 1985 memo warning of catastrophic O-ring risk
- Teleconference held the night before launch, January 27, 1986
- NASA managers ask engineers to prove failure, not prove safety
- Thiokol senior vice president says "Take off your engineering hat and put on your management hat"
- Challenger breaks apart 73 seconds after launch