Comment Of The Day: “Catching Up: Professional Ethics And The Challenger Disaster”

I was very pleased to receive this Comment of the Day by Ryan Harkins on the post “Catching Up: Professional Ethics And The Challenger Disaster,”  because it focuses on the ethics of risk, a great topic that EA hasn’t covered as well as it should. 

I’ll have one brief note at the end.


I was 4 and in preschool when the Challenger exploded. We watched the launch on TV before I went to school that day, and apparently it really disturbed me, because I bit another student and then hid under a table for the rest of the day.

Working at the refinery now, we get to revisit the Challenger explosion frequently (along with the Bhopal Union Carbide gas leak, the Texas City tanker explosion, the Texas City ISOM explosion, and a host of others) when discussing process safety. Michael West is absolutely right in that it isn’t simply a calculation of what the worst consequence is, but also the likelihood of that occurring.

Part of the reason the engineers’ concerns were dismissed was because the problem with the O-rings had been known and discussed for quite some time, and there had been numerous launches prior to this one that had been perfectly successful. In other words, NASA had gotten away with using the faulty O-rings before, so they saw no reason to be overly concerned this time around. Furthermore, the launch had already been delayed multiple times, and they were under intense pressure to launch. Why should they listen to the doom-saying of engineers when empirical evidence said the worst-case scenario was not going happen?

All the pieces that lead up to an incident like the Challenger explosion all seem blatantly obvious in retrospect. I’ve led dozens of investigations on minor incidents here at the refinery, and looking back at the events that led up to an incident, it seems they would inexorably lead to the incident occurring. Yet when you’re actually in the moment, the incident doesn’t seem likely, and when it occurs, it is often surprising. In process safety, we talk a lot about the Swiss-cheese model. We normally have a number of safeguards to prevent an incident from occurring, but every safeguard has its weaknesses, which we liken to the holes in a slice of Swiss cheese. When you stack slices on top of each other, it seems you have an impenetrable wall. And so all the safeguards together are supposed to give reasonable protection against an incident occurring. When an incident does occur, it is because it has managed to slide past all those safeguards, or as we would say, the holes in the cheese all aligned.

Holes in the cheese align when we take shortcuts around procedures, when we use the wrong material, when we get in a hurry, or when we’re not aware of the risks. If we want to work on a piece of machinery, we want to have it offline and unpowered so that the people working on it are not in danger. But simply have the breaker flipped off is not a sufficient safeguard, because some could see it off, think it needs to be on, and switch it on, which could then energize the equipment. So we place a lock on the breaker so that only the person who locked it can unlock it and re-energize the breaker. Not putting the lock on the breaker won’t necessarily cause an incident, but it creates a hole in the cheese.

The Challenger investigation introduced into our vocabulary “Normalization of Deviance”, which is surprisingly common. If we engage in a risky behavior and we don’t suffer any negative consequences, we tend to engage in that behavior again. In this case, the shuttles had launched multiple times without incident, using these exact same O-rings. That’s because there were other slices of cheese providing protection. But leading up to that January morning, those protections were subtly defeated. Ultimately, the last “safeguard”, that the O-ring could have warmed up had the shuttle sat longer in the sun and launched later in the day, provided the last hole through the cheese, allowing the disaster to occur.

There are a number of different investigative methods out there. For a time, we’d used the method called the Latent Cause Analysis (LCA). This method holds to the philosophy that all incidents ultimately have a human cause, and there is a gap between what we expect to have happened, and what actually did happen. That gap is the latent cause. In order to do better going forward, the person who was responsible for that latent cause needs to correct that behavior. Another methodology, a little less robust (I think), but easier to work with is the 5-Why model, in which you ask why the incident occurred, and keep asking “why” to each of those answers. They you identify one of those whys as the most appropriate to address in the aftermath, with the reasoning being that if that why had been addressed, none of the subsequent consequences, including the incident, would have occurred.

I’ll suggest that everyone should take some time working through an incident investigation, even if it seems like it is something silly. Why did this glass bowl shatter? Because it hit the counter after falling three feet. Why did it fall? Because it slipped out of my hand. Why did it slip out of my hand? Because I was carrying too much. Why was I carrying too much? I was in a hurry to get the kitchen cleaned up after dinner. I can’t really help that i was in a hurry, because often time being in a hurry is outside my direct control. But I can make it a rule that I never carry too much, even if it means leaving dirty dishes on the table before running off to my next errand.


I’m baaaack!

The Netflix documentary on the disaster made one point that doesn’t fit with Ryan’s “Normalization of Deviance.” The O-Rings had never been used in the kind of cold temperatures that the launch was scheduled to occur in, and the Morton Thiokol decision-makers were warned that tests had shown that at even higher temperatures (but still cold), the O-rings had cracked. So this was a new risk, a different slice of cheese. The full story about the warning about launching in unprecedented cold was initially withheld from investigators.

14 thoughts on “Comment Of The Day: “Catching Up: Professional Ethics And The Challenger Disaster”

  1. Another factor in both of the shuttle disasters is management by PowerPoint.*
    It is an understandable reluctance to delegate decisions downwards. Managers feel like they’re in charge, so they should be the ones to make decisions. Often they’re not the best qualified, because they are not grasping the full scope and tradeoffs of the decisions. This is most acute when talking about technical matters that are beyond the understanding of upper managers.
    Often PowerPoint is the tool of choice to use to make managers think they grasp the details. PowerPoint was never intended to be the presentation. It was supposed to be a visual aid. Instead it is often used as the entire means of communication. What’s particularly bad about this means of communication is it is turning into what should be a lengthy memo into a select number of bullet points. PowerPoint discourages even complete sentences. Even more insidious is that often the time allotted for presentations goes down as the matter is taken to higher levels of management. Those sentence fragments are shortened and consolidated ever further as the basic understanding on the topic decreases at higher levels of management.
    A blog in relation to the Columbia disaster is here with much more detail:

    *The issue isn’t PowerPoint. This isn’t an indictment of Microsoft in this. It’s only the modern tool. This issue existed in the days of transparencies and overhead projectors. It’s a management training issue.

    • Oooh! Comment of the Day! A sore point with me: I use PPT in my ethics presentations as background and graphic enhancemment, with all the details in the materials participants get. Yet groups always ask for the slides so they can put my PPT online as ‘the presentation.” I don’t let them, because without my commentary and the discussion, the slides are useless.

      • Too many people put everything onto their slides and then just read off the slides, which is one of my pet peeves. At that point, I do want the slides, because if I can just read for myself everything you’re going to say, I’d rather read and save the time.

        Thank you, Jack, for bucking that trend!

      • Amen! I experience the same thing in the law enforcement training community. I only authorize those instructors to whom I have taught my full class curriculum to teach my curriculum. If I give anyone any copies of any PowerPoint slides (which rarely happens), I remove any references to my authorship of the material.

  2. Jack, thank you for the COTD!

    You’re right, I didn’t specifically go into the details of the temperatures at which O-rings had previously been subjected to. That January morning was colder than any other launch day, and an aggravating factor (if I recall correctly from one my trainings) was that the Shuttle was shaded for a good portion of that time as well. It is possible that had the Shuttle been in direct sunlight for a lot longer, the O-ring would have regained its elasticity. Or not. We won’t ever know.

    • Michael,

      Root Cause Analysis (RCA) and 5-Why often go together, the former as the philosophy and the latter as the method. RCA often uses 5-Why because chaining cause and effect is helpful in getting to what the root cause is. But there are other methods. I just haven’t been trained in them.

      Over all, when comparing the different philosophies in incident investigations, I feel that they overlap in many areas, and one philosophy can be morphed into another without a great deal of effort. I like the Latent Cause Analysis (LCA) because it has a definite stopping point. Once you hit the human factor, you’ve landed on what needs corrected. RCA can just as easily do that, but it could also stop short at the physical causes and never address the human causes that contribute to the physical causes. Management that doesn’t like to be held accountable for their poor decisions tend to like RCA over LCA for that very factor.

  3. I normally don’t comment at work any longer, but this requires it. Those were great thoughts, Ryan. Your mention and explanation of the “Normalization of Deviance” was completely eye-opening to me and will change the way I approach aspects of my life. It should give everyone that reads this piece some moments to pause for reflection. What questionable/risky/deviant/illegal things am I doing that haven’t gotten me in trouble…yet?

    We should constantly be thinking beyond the “here and now” to the future and the potential consequences for the things we do and say, even if they’ve never caused us trouble in the present.

    I’m grateful for this piece. It’s a sobering reminder of the kind of person I really am in contrast to the person I want to be. Imagine that?…an event I experienced as a junior in high school helping me 35 years later.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.