Petroski treated the Challenger as the clearest illustration of engineering judgment operating against institutional demand for quantitative proof. Boisjoly's argument was not based on a formula but on accumulated understanding — the sensitivity, developed over a career spent working with materials and seals, to the conditions under which materials behave in ways their specifications do not predict. The argument was correct. It was rejected because the institution could not weigh calibrated judgment against the request for proof that judgment could not, by its nature, supply.
The deeper institutional failure, documented extensively by Diane Vaughan in The Challenger Launch Decision (1996), was what Vaughan called the normalization of deviance — the process by which O-ring erosion, initially unexpected, had become routine at NASA through repeated launches where erosion occurred without catastrophic failure. Each successful launch confirmed, to the institution, that erosion was acceptable. The acceptance narrowed the margin. By January 1986, the margin was zero. When Boisjoly's judgment said the margin was zero and the data did not yet demonstrate that it was zero, the institution chose the absence of demonstration.
The Presidential Commission that investigated the disaster concluded the decision-making process was flawed — that the institution had treated the absence of proof as proof of absence. The recommendations included better communication channels between engineers and decision-makers, clearer protocols for evaluating risk under uncertainty, and greater weight given to engineering judgment. These reforms addressed the institutional problem. Petroski's framework makes visible a deeper issue they did not address: the developmental problem of how to produce engineers whose judgment is worth trusting, and institutions whose practices can recognize judgment when it is offered.
The Challenger's relevance to the AI era is precise. AI systems possess extraordinary capacity for calculation but no capacity for the felt, extrapolative judgment Boisjoly brought to the January 28 teleconference. When an AI system reports that the evidence does not demonstrate a specific failure threshold, its report is technically accurate and structurally identical to the NASA managers' reasoning on the night before the launch. The difference between the AI's accuracy and Boisjoly's judgment is not a matter of calculation quality. It is a matter of what each can do when the evidence is incomplete. The AI can report the incompleteness. Only the engineer can feel what the incompleteness portends.
The disaster occurred on January 28, 1986. The Rogers Commission, established by President Reagan, issued its report in June 1986, identifying the O-ring failure and the flawed decision-making process. Diane Vaughan's The Challenger Launch Decision (1996) provided the most thorough sociological analysis, establishing the normalization-of-deviance framework that has shaped subsequent understanding of institutional failure. Petroski drew on both the Commission's findings and Vaughan's analysis in his treatment of the case, particularly in Design Paradigms (1994) and subsequent work.
The engineers' judgment was correct. Boisjoly and his Thiokol colleagues had, through decades of materials experience, developed the judgment that correctly identified the threshold of catastrophic failure. Their judgment was rejected not because it was wrong but because it could not be expressed in the quantitative form the institution required.
Absence of proof is not proof of absence. The institutional habit of treating the absence of quantitative demonstration as equivalent to the absence of risk is the specific failure mode the Challenger revealed. Under conditions that have not been tested, the absence of failure data is not evidence of safety — it is evidence that the relevant test has not been performed.
The normalization of deviance is a structural process. Margins are consumed incrementally through routine acceptance of small deviations. Each acceptance confirms the next. The process is invisible from inside the institution because each step appears continuous with what preceded it.
AI reports incompleteness; only engineers can feel it. The difference between the AI's accurate report of insufficient data and the engineer's judgment that insufficient data means danger is the difference between processing the map and having walked the territory.