The part that was damaged on Columbia during the ascent phase of STS-107 were not the insulation tiles on the bottom and part of the top side (it is common that a few tiles are lost during ascent or reentry) but the reinforced carbon-carbon panels that protected the leading edge of the delta wing structure. This is a crucial distinction because the tiles merely protect against the incident radiation coming off the “bow shock” (and therefore doesn’t experience significant direct contact with the hot plasma during the initial reentry phase), but the RCC panels actually experience direct impingement of the air compressed as the Orbiter reenters. This “ram compression” that occurs at the shock front causes extreme heating that is conducted directly to the leading edges in addition to the aerodynamic loads experienced, and because of the narrow form factor, the heating from radiation is concentrated, making protection of this area critical. The canteloupe-sized hole in the RCC panel allowed hot gas to enter and impinge directly on the aluminum wing structure, causing it to lose structural integrity and fail as soon as aerodynamic loading on the wing became significant. With that kind of damage there is no possibility of surviving reentry with any flight profile. The Orbiter thermal protection systems (TPS) was arguably the second most challenging part of the STS design after the RS-25 Space Shuttle Main Engines.
It is true both that Boisjoly had previously identified failure of the o-ring as a potential catastrophic failure mode based upon examination of data and recovered motors from previous flights, and that he strenuously objected to the launch of STS-41-L due to the cold preflight temperature, which was both below past launch history for the STS and outside of the motor qualification range. However, it is worthwhile to note three additional items before awarding Boisjoly the “Gotcha!” card:
[ol]
[li]Boisjoly correctly identified o-ring blowby and erosion due to joint gapping and lack of low temperature resiliance of the Viton seal as the root cause of a failure. However, the specific failure mode identified by Boisjoly was that loss of o-ring sealing would result in loss of joint integrity and result in catastrophic rupture of the motor case. In fact, while the predicted blowby and o-ring erosion did occur, the SRM itself did not fail in a functional sense, and in fact maintained integrity even after the SRM broke away from the External Tank and tumbled end over end for 37 seconds, right up until the point that the Range Safety Officer issued the flight termination tones and destructed the motors. STS-41-L failed because the hot gas jetted through the joint and cut into the support strut and LH[SUB]2[/SUB] tank, which then caused thrust misalignment and resulting structural failure of the ET and Orbiter due to aerodynamic loads. Boisjoly himself stated that he expected the SRM to explode upon ignition (when both the peak pressure and presumed highest potential for gapping occurred) and was relieved to see the Shuttle take off, only then to observe the failure, albeit not the one he predicted. [/li][li]The concern about the temperature was based upon the variation of blowby and erosion seen during different ambient temperatures. However, one of the worst blowby incidents occurred at a pre-launch temperature of 75 °F, which is well within the qualification range and at the upper range of previous experience. The specific phenomena that caused blowby were not fully understood at that time (even by Boisjoly who performed the original 1985 analysis) and so there was not a conclusive techincal threshold at which the motor was unfit for flight (though, being outside of the qualification range argues that they shouldn’t have flown regardless of the specific concern). This leads to third point, to wit:[/li][li]Although the failure is widely attributed to the cold ambient pre-flight temperature, the reality is that ground wind patterns caused cryogenic oxygen vented from the top of the ET to pool in that specific location as demonstrated by post-accident CFD analysis. In addition, STS-41-L experienced the highest wind shear ever seen during a Shuttle launch, and in fact wind loading was near the GRAM-99 three sigma “statistical maximum” that we would design to today. So, while this failure occurred at the coldest pre-launch temperature, it very possibly could have happened at higher ambient temperatures with other similar conditions. [/li][/ol]The sum total is that while Boisjoly was correct about the root cause and had previously demonstrated that the joint design was flawed, his specific predictions about the failure mode was incorrect, and in fact this failure could have occurred on any flight.
Similarly, the failure on STS-107 wasn’t something particular to that flight profile or aging of Columbia, but just a statistical happenstance or what we call a random failure. The fact that it hadn’t happened was taken as increasing evidence that it couldn’t happen when the reality is that every flight was at the edge of the cliff, i.e. the “normalization of devience” that gnoitall mentions. This is why “flight qualified” or “flight proven” are misnomers; no real flight will hit the coincident extreme conditions with sufficient confidence to envelope all maximum possible loads and environments (MPE), and even if it does it will not provide any margin for variability in build quality or system integrity. This is why unit and subsystem qualification testing, while laborious and expensive, are crucial (but not exhaustive) to assuring launch vehicle reliability, as is post-flight analysis and resolution of issues.
Unfortunately, getting to a test-demonstrated root cause on every anomaly is an Herculean effort, and actually resolving every problem (rather than applying a band-aid fix or monitoring the condition) often requires fundamental redesigns that seem cost-prohibitive as long as you can convince yourself that the vehicle will operate okay. I can pretty much guarantee that every large rocket launch vehicle every flown has experienced anomalies and has multiple design weaknesses that could potentially result in failure. This isn’t to excuse the failure of both NASA and Thiokol management for recognizing and addressing this particular design flaw prior to the loss of Challenger, but as even a cursory look over the history of issues with the STS there are many more inherent failure modes which could have resulted in catastrophic loss of crew and vehicle. Rocket launch vehicles, by design and essential function, are full of single failure points. The STS, by virtue of its particular complexity (parallel stages, large cryogenic tanks, winged orbiter, lack of bail-out capability though SRB operation) is particularly problematic and serves as an object lesson for why you should not make a vehicle more complex than necessary (e.g. require a large wing area for unnecessarily high cross range capability), and also why your first design should not be your production design.
Stranger