Cause-Consequence Analysis for NASA's Space Transportation System (STS)-Solid Rocket Booster (SRB)

The Challenger Space Shuttle disaster was caused by a faulty O-ring in the field joint of the solid rocket booster. This paper explores the effect a cause-consequence analysis would have had on the decisions related to the faulty O-rings. The ultimate decision to launch the shuttle in a temperature environment with increased O-ring failure risk was a failure of decision makers to link increased probability of failure with potential consequences. This paper outlines how a cause-consequence analysis would have given the decision makers a better depiction of the information necessary for making a better decision. To expand on the cause-consequence analysis, a case is made for setting a specific probability of failure threshold for automatic launch cancelation that would have prevented the launch of the Challenger Space Shuttle at lower temperatures.


Introduction
The Space Shuttle Challenger explosion was the result of an explosion in one of the two solid rocket boosters. The rocket boosters were designed and manufactured by Morton Thiokol (Robison et al., 2002). The solid rocket boosters (SRBs) are the main source of thrust for the space shuttle on launch. The two SRBs provide 80% of the thrust to propel the Space Shuttle from the launch pad to 155,000 ft. The SRBs are designed to separate from the shuttle and fall back to earth assisted by parachutes. They are designed to be re-used up to 20 times (McDonald). Each SRB is shipped in 4 sections (Dalal et al., 1989).

The solid rocket motor (SRM) is the main part of the SRB and consists of two cylindrical shells that are 12 ft. in diameter and 30 ft. long. The solid rocket booster field joint is the male-to-female, pin-connected joint between the sections of the SRM. One side of the joint is referred to as the tang and the other is the clevis. The field joint has two O-rings that provide the pressure seal between the two cylindrical shells (Nemeth, 1990). One O-ring is the primary and the second is a redundant O-ring in case the primary fails. The joint is referred to as the field joint because this section is actually assembled at the launch pad, and therefore in the field (McDonald). The purpose of designing the SRM in different segments was to provide flexibility in handling, transportation, and fabrication (McDonald).

The Space Shuttle Challenger Accident
Following the Challenger explosion, President Reagan created a commission and appointed William Rogers to create a report on the accident. It was determined that the cause of the Space Shuttle Challenger accident was the result of "A combustion gas leak through the right Solid Rocket Motor aft field joint initiated at or shortly after ignition eventually weakened and/or penetrated the External Tank initiating vehicle structural breakup and loss of the Space Shuttle Challenger during mission 51-L" (Dalal et al., 1989). In short, the O-ring at the field joint did not provide the pressure seal it was designed for.

Even prior to the Challenger accident, there was evidence of issues related to the pressure seal at the field joints. At initial ignition a very high amount of pressure is created. The increase in pressure causes the sides of the motor casing to bulge out. This creates a larger gap that the O-ring must fill. Again, the goal of the O-ring is to prevent gases from passing the field joint. As the sides of the casing bulge out, a situation referred to as joint rotation occurs. Joint rotation is the rotation of the tang relative to the clevis. In most cases, even with joint rotation, the primary O-ring would still fill the increased gap. Unfortunately, the joint rotation would cause the secondary O-ring to lose contact with the joint. This created a situation where, if the primary O-ring were to fail, there was no longer any redundancy and gas could pass through the joint and lead to an explosion (Dalal et al., 1989).

The reason that the secondary O-ring loses contact during joint rotation is that the O-rings do not engage until there is pressure. When the primary is engaged, the pressure will not get to the second O-ring. Just as the secondary O-ring does not get pressure because the primary is not engaged, it takes a short time for the primary to engage when pressure first begins. This causes a situation called blow by, where gases pass the O-ring until it engages. This can cause erosion of the O-ring and possible eventual failure.

It was identified over a series of launches prior to the Challenger accident that temperature was a factor in blow by and ultimately erosion of O-rings. A lower temperature correlates to a greater risk of blow by and a possible O-ring failure. At the time of the launch of Space Shuttle Challenger the temperature was 31 degrees. The lowest launch temperature prior to that day was in the 50s (Dalal et al., 1989). In the end, the lower temperature led to increased blow by, which led to erosion and failure of the primary O-ring, while the secondary O-ring failed as a result of the joint rotation. As a result, the field joint seal failed and hot gases passed through. This led to the release of hydrogen in the external tank, which caused a catastrophic explosion to occur (Altabbakh et al., n.d.). It was determined that the probability of O-ring failure at 60 degrees was 2%. The probability of failure increased to at least 13% at 31 degrees (Dalal et al., 1989).

Literature Review
The ultimate failure in the Space Shuttle Challenger accident was that decision makers at both Morton Thiokol and NASA did not make a connection between the O-rings' increased likelihood of failure at lower temperatures and the consequences if the failure were to occur. It is certain that each Space Shuttle launch has some amount of risk, but it is important to present all available information in a way that allows decision makers to make the best decision possible. In this particular case it was shown that Morton Thiokol engineers suspected that there was an increased risk of O-ring failure at lower temperatures. The engineers actually recommended that shuttle launches should not occur at temperatures below 53 degrees. This recommendation was even forwarded to NASA, who basically asked Morton Thiokol to reconsider. Ultimately Morton Thiokol reversed its recommendation despite concern from its engineers (Robison et al., 2002).

The risk was known but, "a scandalous discrepancy between the intellectual tasks at hand and the images created to serve those tasks. As analytical graphics, the displays failed to reveal a risk that was in fact present. As presentation graphics, the displays failed to persuade government officials that a cold-weather launch might be dangerous. In designing those displays, the chart-makers didn't quite know what they were doing, and they were doing a lot of it" (Robison et al., 2002, p. 63). The technical experts knew there was an increased risk but were not able to convey their knowledge in a manner that allowed management to make the connection between the increased risk of O-ring failure in cold weather and a catastrophic failure (Kumar & Chakrabarti, n.d.). One method that could have been utilized to help convey that message is a Cause-Consequence Analysis.

Cause-Consequence Analysis
The data to make the correct decision to cancel the launch was available, but there was a failure to gather the data, analyze it, and then convey that information to management. There is speculation that increased political, agency, and media pressure were a factor as well. Regardless of the reasons for pressing forward with the Challenger launch, it is important to evaluate methods that could have been used to arrive at a decision that would have prevented the explosion. It is understood that much more information is available today than the Morton Thiokol and NASA team had at the time of the accident. The responsible parties may very well have made the same decision based on the information available at the time. The objective of looking at this event and applying a different method is to understand and improve upon techniques that help prevent catastrophe in the future. By looking at how utilizing different methods could have resulted in a different decision, one can view how those tools and techniques can be applied now and in the future to ensure one is developing and operating advanced technologies in the safest and most effective way possible.

One method that could have presented the O-ring information in a manner that would have led to a better understanding of the situation is a Cause-Consequence Analysis. "The cause-consequence diagram method is based on the occurrence of a critical event, which for example may be an event, involving the failure of components or subsystems that is likely to produce hazardous consequences" (Vyzaite et al., 2006, p. 399). "The results of cause-consequence analysis include among other things": "Visual and logical description of the consequence chain evolving from the examined primary event". "Probabilities for the final consequence damages based on the cause-consequence structure".

teacher in space (Vaughan, 1997). In most situations there will be pressure to perform and there must be a tradeoff between risk and reward. In situations that can result in catastrophe, there must be standards set to ensure the pressure does not force decision makers to move into an area of unreasonable risk. In the case of the Space Shuttle Challenger, there should have been a mandatory threshold of risk for critical components whose failure would lead to catastrophe. If a cause-consequence analysis had been conducted and the 13% probability of failure had been identified, the pressure to launch could still have existed. In that case there should have been a set probability of failure threshold that took the decision out of management's hands. In the case of the shuttle program, setting that threshold at 5% would be reasonable. Any time that a critical component is determined to have a probability of failure greater than 5%, the launch should be delayed until that probability is lowered by mitigating or eliminating the risk. In the case of the Space Shuttle Challenger, the probability of failure of the O-rings was 13% at 31 degrees. An automatic launch delay should have been activated. Once the field joint temperature increased to 60 degrees, the probability of failure would have decreased below 5% and the launch could continue. This set threshold would remove the decision from the hands of individuals at risk of making decisions based on political, management, or media pressures.
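The following is an added illustration, not part of the original paper: a small cause-consequence diagram for the field joint, evaluated for the probability of each final consequence and then checked against the 5% automatic launch threshold. The failure probabilities at 31 and 60 degrees are the figures quoted in the text; the diagram layout, the consequence names and the assumption that the secondary O-ring gives no redundancy under joint rotation (`p_secondary_fail=1.0`) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Union

@dataclass
class Consequence:
    name: str
    catastrophic: bool = False

@dataclass
class Decision:
    question: str      # decision box, phrased so that YES means failure
    p_fail: float      # probability of the YES (failure) branch
    on_fail: "Node"
    on_ok: "Node"

Node = Union[Consequence, Decision]

def walk(node, p=1.0):
    """Yield (consequence, path probability) for each path from the critical event."""
    if isinstance(node, Consequence):
        yield node, p
    else:
        yield from walk(node.on_fail, p * node.p_fail)
        yield from walk(node.on_ok, p * (1.0 - node.p_fail))

def consequence_probabilities(root):
    """Sum path probabilities per final consequence."""
    totals = {}
    for cons, p in walk(root):
        totals[cons.name] = totals.get(cons.name, 0.0) + p
    return totals

def launch_decision(root, threshold=0.05):
    """Automatic gate: DELAY when P(catastrophic consequence) exceeds the threshold."""
    p_cat = sum(p for cons, p in walk(root) if cons.catastrophic)
    return ("DELAY" if p_cat > threshold else "GO"), p_cat

def field_joint(p_primary_fail, p_secondary_fail=1.0):
    # Assumption: 1.0 models the text's "no longer any redundancy" under joint rotation.
    leak = Consequence("hot gas passes the field joint", catastrophic=True)
    held = Consequence("secondary O-ring holds the seal")
    sealed = Consequence("primary O-ring seals")
    secondary = Decision("secondary O-ring loses contact?", p_secondary_fail, leak, held)
    return Decision("primary O-ring fails?", p_primary_fail, secondary, sealed)

P_FAIL_BY_TEMP = {31: 0.13, 60: 0.02}  # degrees -> probability, as quoted in the text

if __name__ == "__main__":
    for temp, p in P_FAIL_BY_TEMP.items():
        root = field_joint(p)
        print(temp, launch_decision(root), consequence_probabilities(root))
```

With these inputs the gate returns DELAY at 31 degrees and GO at 60 degrees, matching the threshold argument made above.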

Conclusion
The technical failure in the Space Shuttle Challenger accident was determined to be the seal at the field joint, but the ultimate failure of NASA and Morton Thiokol was their inability to definitively correlate decreasing field joint temperature with O-ring failure leading to a catastrophic explosion. The use of a cause-consequence analysis would have identified the increased probability of failure at lower temperatures, and the cause-consequence diagram in Fig 4 would have presented the information to management in a manner that was clear and definitive. Including all flight data related to O-ring degradation would have been key to understanding the true effects temperature had on O-ring degradation. The inclusion of a probability of failure threshold of 5% for critical components would have eliminated the chance of management making a decision based on outside pressures and not the real risk being presented by technical experts.

Evaluating and utilizing effective quality assurance tools and processes in decision making can help to ensure effective and safe operation of advanced systems. The use of a cause-consequence analysis has many applications throughout varying industries and can provide valuable information for an organization. The use of the cause-consequence method in this manner has significant implications in terms of efficiency of the failure analysis. It has been highlighted, however, that the cause-consequence method has limitations even when it is applied to complex systems. For future work, one can extend the method to failure analysis in systems of systems by means of multi-layer cause-consequence diagrams.

Figure
Figure 4. Sa