From Diana Vaughan's book

The Challenger Launch Decision

Risky Technology, Culture, and Deviance at NASA

University of Chicago, 1997

NASA's Verification and Certification Committee was responsible for certifying the flightworthiness of each element of the shuttle system prior to the first scheduled launch in 1981 [The disaster happened on January 28, 1986]. The Committee paid particular attention to the joint design and operation... NASA specialists had reviewed the field joint design, updated with larger O-rings and thicker shims, and found the safety factors adequate for the current design. In the wake of the Challenger tragedy, some analysts interpreted NASA's "certification of flawed design" as one of the early incidents attesting to the priority of schedule over safety... At the time, the working engineers believed they understood SRB [Solid Rocket Booster] joint dynamics and that the boosters were an acceptable risk.

The second action formalizing the construction of risk was the assignment to the component of an official status on NASA's Critical Items List (CIL). Criticality categories were formal labels assigned to each shuttle component, identifying the "failure consequences" should the component fail... Here is the labeling system:

Criticality 1: Loss of life or vehicle if the component fails

Criticality 2: Loss of mission

Criticality 3: All others

Criticality 1R: Redundant components, the failure of both could cause loss of life or vehicle

Criticality 2R: Redundant components, the failure of both could cause loss of mission

The CIL entry for each item told why each component was an acceptable risk. Since all items were risky, the entries described the data and actions taken that the engineers believed precluded catastrophic failure. The "Rationale for Retention" included the "technical rationale", based on evidence from tests and flight experience, that stated why the design should be retained for the critical item. Written by contractor engineers working closely with the S&E [Science and Engineering Directorate] engineers at the NASA center responsible for the element, it presented all the data analysis to date, documenting risk acceptability. Engineering disagreements between the two engineering communities had to be negotiated to get the document written and approved because government, contractor, and Safety engineers had to sign it...

In November 1980, the SRB joint was classified as Criticality 1R (C 1R) on the CIL, the "R" acknowledging the redundancy of the joint... The document accurately depicts the disagreement between Marshall [Program managers for Main Engine, SRB, External Tank] and Thiokol [Contractor for SRB] engineers about the timing of redundancy. In the Rationale for Retention Thiokol engineers report Marshall's concern about the secondary's ability to seal if the primary failed late in the ignition cycle.

(pp. 107, 108)

The third event transforming the construction of risk by working engineers into an official organizational construction of risk was the March 1981 FRR [Flight Readiness Review] for Columbia (STS-1), the first of NASA's four scheduled test flights in the developmental period. The construction of risk negotiated and confirmed by Marshall and Thiokol working engineers was presented for review and approved by Level IV, Level III, Level II, and Level I. Certified at all levels, the SRBs were officially defined as an acceptable risk, as were the Orbiter, Main Engine, and External Tank...

For engineers, a design is a hypothesis to be tested. But tests only approximate reality. The proof is in the performance. For the shuttle, flight was the ultimate test. STS-1 affirmed the official construction of risk of the Space Shuttle but not just because the mission was completed. The affirmation was based on engineering analysis of all components done from in-flight data transmission and inspection after the vehicle landed. Milton Silveira, Chief Engineer, NASA Headquarters, later wrote: "The first flight of the shuttle proved a number of concepts that were under research and development for years... the first flight represented a proof of the design concept".

At Marshall and Thiokol, the postflight analysis of the STS-1 booster joints affirmed the decisions the work group had made before the launch. They had developed a technical rationale, based on many tests, that the SRB joint was an acceptable risk. The determination of acceptable risk had two significant procedural implications: (1) the design was not a threat to flight safety, so flight could proceed, and (2) the appropriate corrective action was to fix, not redesign. STS-1 affirmed these choices and what was to become the dominant ideology of the work group in the years preceding the Challenger tragedy: the belief in redundancy.

(pp. 109, 110)

With the completion of the first shuttle launch, the Level III and IV Marshall and Thiokol managers and engineers had established the beginnings of a normative structure that would characterize the work group culture, guiding future decisions.

(p. 113)

The following pictures are from the Web page


Compilation, emphasis (blue), and explanatory notes in square brackets: Timm Grams, Fulda, 4 November 2001