Shuttle Columbia inquiry offers sobering grist for aviation safety at large

The investigation into the Shuttle Columbia tragedy may have dealt with a space ship, but the findings in the final report of the February 1, 2002, disintegration during re-entry provide relevant insights and even object lessons for the aviation industry.

The accident was the result of a willingness to tolerate incidents the Shuttle was not designed to experience – notably damage to the foam insulation tiles covering most of the Shuttle and to the reinforced carbon-carbon (RCC) panels comprising the leading edges that protected the aluminum wings from the searing heat of re-entry. During the history of Shuttle launches, both tiles and RCC panels were struck repeatedly by foam insulation applied to the external fuel tank, and shed during launch due to some combination of pre-existing moisture penetration, vibration, aerodynamic loading – the cause is not yet understood fully.

What lesson does the Columbia’s tragedy have for aviation safety? This thought occurs: the approach taken for the Shuttle is akin to designing airliners on the assumption that neither structure nor engines would ever experience the impact of bird strikes. Yet bird strikes have inflicted serious damage and have occasionally brought down even large transport-category aircraft.

The adage that the absence of accidents is not proof that the operation is safe applies to the history of the Space Shuttle, although with two fatal accidents in 113 flights the absence of accidents was punctuated by fatal accidents an average of every 62.5 flights – a rate that would be wholly unacceptable for even a single hour’s worth of earth-bound flights.

What emerges from the Columbia Accident Investigation Board’s (CAIB) final report is a pattern of complacency. The board, headed by retired Admiral Harold Gehman, charged that the prevailing culture at the National Aeronautics and Space Administration (NASA) was complicit. But cultures are comprised of people, and in congressional hearings last week, some legislators groused that more heads at NASA should have rolled.

The complacency is illustrated in the little things, both in the air and on the ground, which may not be so little in terms of consequences. Three of the doomed astronauts were not wearing the protective gloves for their pressure suits and one was not wearing a helmet. To be sure, had they been wearing the full suit, they would not have survived the forces of blunt trauma and hypoxia that killed them, but had the stricken vehicle survived to 40,000 feet, where they would have been low enough to bail out, the astronauts would have needed the protection of the full suit. On the ground, mission managers were not holding daily status meetings, as required by policy. Five meetings were held over the course of the 16-day mission.

In this case, the absence of accidents since the 1986 loss of Shuttle Challenger did not mean the operation was being safely managed.

A few large themes emerge. For one thing, the temptation to substitute analysis for testing should be resisted – particularly when evaluating a threat to safety and survival (the growing pressure to substitute computer simulations for actual emergency evacuation trials comes to mind as an example for aircraft). In NASA’s case, a computer model called Crater used to assess the damage caused by small pieces of foam – averaging 1-by-3 inches in size – coming off the external tank and striking the Orbiter was stretched to assess strikes on the Shuttle from pieces of foam about the size of a small beer cooler – 400 times bigger.

When a block of foam this size was hurled at an RCC panel, the impact of the so-called “lightweight” foam blew a large hole in the composite panel’s face – enough to completely compromise its protective insulating function – and in fact opened a pathway for the superhot plasma of re-entry to blowtorch its way into the wing’s innards.

The plain inference in the report is that one or more untoward precursor events should precipitate some energized testing. By this standard, the Federal Aviation Administration (FAA) falls short dismally and regularly – as evidenced by the failure to test metalized Mylar thermal acoustic blanketing even after warnings were received of its flammability from the Civil Aviation Administration of China (CAAC). It took the 1998 crash of a Swissair MD-11 to stimulate the FAA to undertake testing to produce a more demanding flammability test for insulation blankets.

The CAIB report laments the absence of data-driven safety, a fundamental article of faith in the FAA: “The Space Shuttle Program has a wealth of data tucked away in multiple databases without a convenient way to integrate and use the data for management, engineering or safety decisions.” Substitute FAA for Space Shuttle Program and this sentence has a familiar ring.

Perhaps one solution is legislation compelling regulators to maintain integrated databases in a usable fashion, and have them undergo an inspector general (IG) audit periodically. Accidents are not always preceded by a wake-up call, but frequently this is the case.

On the other hand, if NASA had programs analogous to the FAA’s service difficulty reporting (SDR) program, its air transport oversight system (ATOS), or its continuing analysis and surveillance system (CASS), the circumstances behind the precursor incidents might have been caught and fixed before continuing uncorrected to culminate in two losses of Shuttle and crew.

Above all, in the aftermath of an accident, the potential for a repeat is perhaps best minimized when both sides of a problem are addressed – cause and effect. In the aftermath of the 1996 fuel tank explosion that destroyed TWA Flight 800, a major hunt for ignition sources was launched (cause). More belatedly, it was recognized that inerting was necessary to nullify the vapors for full protection against explosions (effect).

In the case of the Shuttle’s vulnerable RCC leading edge tiles, the CAIB has addressed cause (external tank foam shedding), while breach (effect) remains a vulnerability. The CAIB said more RCC spares should be in hand, swapping them out on the basis of postflight condition, age, tap-tests, tactile tests, and so forth. And, to be sure, the external tank’s propensity to shed foam needs to be fixed. But the failure-proofing of the RCC leading edge tiles was relegated to a desirable future “fix.” Although not suggested in the CAIB report, the RCC tiles might be failure-proofed from impacts during the ascent phase, and from zinc erosion from flakes landing on the Orbiter from exposed primer paint on the launch pad during the pre-launch weeks spent in the open. One source suggested a protective “glove” or fillet on the RCC tiles, covering at a minimum the vulnerable inboard leading edge areas (where the fatal damage occurred on RCC tile 8, located right where the angle of sweepback changes). Because max Q (the aerodynamic force during ascent) is relatively low, hitting just over Mach 2, a glove on the RCC tiles would protect the brittle leading-edge RCC from the locus of impact and foam penetrating the tile as easily as was demonstrated during the CAIB’s impact testing. The glove could be designed to ablate away during the heat of re-entry, providing further protection.

The overarching theme of cause and effect emerges from the Shuttle investigation. Culture contributed to a dilution of proactive safety (cause #1). Foam shedding was tolerated, with resulting damage to the Shuttle’s “flight critical” thermal protective system (cause #2, among others). Columbia’s loss with all hands was the effect.

The manner in which the investigation was conducted met the test of independence in the eyes of NASA’s IG. Others may take a different view, as the parallel case for an aviation accident would have the investigators working on the FAA payroll.

What follows is a compilation of issues from the CAIB report, with a few remarks regarding their relevance to the aviation industry. Page numbers in parentheses refer to those in the CAIB report. The full report can be accessed at http://www.caib.us/news/report/default.html.

Issues And Their Relevance

Issue: Foam loss from external tank. “Foam loss occurred on more than 80 percent of the 79 missions for which imagery is available, and from the left bipod ramp on nearly 10 percent of missions where it was visible.” (P. 53)

Relevance to aviation industry: Importance of seemingly business-as-usual, non-hazardous precursor events, and the need for continuing pattern and trend analysis of incidents. Need for closed circuit television (CCTV) to monitor vehicle exterior.

Issue: Imagery. “A developmental vehicle like the Shuttle should be equipped with high resolution cameras that monitor potential hazard areas. The wing leading edge system, the area around the landing gear doors, and other critical Thermal Protection System elements need to be imaged to check for damage … Such critical images need to be downlinked so the potential problems are identified as soon as possible.” (P. 61)

“Five of seven bipod ramp [foam shedding] events occurred on … Columbia, a seemingly high number … likely due to Columbia having been equipped with umbilical cameras earlier than other Orbiters.” (P. 131)

Relevance to aviation industry: Need for CCTV to cover vehicle exterior. As one industry source observed, “I have always had a ‘tick’ as to why operators of a piece of equipment that can cost $180 million plus do not demand the ability to ‘view’ the hardware at any time they so desire. Even sailing ships from 300 years ago had people ‘watching the hardware’ 24/7.”

Umbilical cameras mentioned later in the report show the utility of CCTV. In the Shuttle’s case, one high resolution camera in the nose could cover all areas of frontal vulnerability for ascent damage.

Issue: False indications. “At EI+897 [EI = entry interface, or about 400,000 feet above the earth, where the Orbiter first encounters the atmosphere; 897 is seconds after EI] the left main landing gear downlock position indicator reported that the gear was down and locked. At the same time, a sensor indicated the landing gear door was still closed … Wire burn-through testing showed that a burn-induced short in the downlock sensor wiring could produce these same contradictions in gear status indication.” (P. 72)

Relevance to aviation industry: Potential for in-flight electrical fires/arcing to create false indications in cockpit instruments.

Issue: Flight recorders. “The Modular Auxiliary Data System instrumentation and sensor suites on each Orbiter should be maintained and updated to include current sensor and data acquisition technologies.” (P. 73) Note: Shuttles are not equipped with hardened flight data recorders (FDRs). Rather, data is telemetered to the ground, and the Modular Auxiliary Data System is a supplemental system, recording sensor readings in the last two hours of a mission.

Relevance to aviation industry: Adequacy of flight recorders to capture relevant data over sufficient time.

Issue: Prescribed procedures. “Videos of the crew during re-entry that have been made public demonstrate that prescribed procedures for use of equipment such as full-pressure suits, gloves and helmets were not strictly followed. This is confirmed by the Working Group’s conclusions that three crew members were not wearing gloves, and one was not wearing a helmet. However, under these circumstances, this did not affect their chances of survival.” (P. 77)

Relevance to aviation industry: Checklist discipline.

Issue: Standard operating procedure (SOP). “Mission Management Team Meetings occurred infrequently (five times during a 16 day mission), not every day, as specified in Shuttle Program management rules.” (P. 171)

“The Shuttle program had become overconfident. Over time, the organization determined it did not need daily meetings during a mission, despite regulations that state otherwise.” (P. 192)

Relevance to aviation industry: SOP discipline. The danger of complacency and “passive safety” cited in the report.

Issue: Adequacy of materials testing. “In its assessment of potential foam damage, NASA continued to rely heavily on the Crater model, which was used during the mission to determine that the foam-shedding event was non-threatening. Crater is a semi-empirical model constructed from Apollo-era data.” (P. 78)

“Recommendation: In order to understand the true material characteristics of Reinforced Carbon-Carbon components, develop a comprehensive database of flown [RCC] material characteristics by destructive testing and evaluation.” (P. 225)

Relevance to aviation industry: Inadequacy of the 60° flame test for electrical wiring, and inadequacy of the vertical flame test for qualifying thermal acoustic insulation materials, and calls by the Transportation Safety Board (TSB) of Canada to employ more demanding and realistic tests (see ASW, April 7).

Composite materials are being used more in aircraft construction, and their strength characteristics over time must be well understood. Recall that Airbus had to replace 80 tailfins on A310 and A300-600 aircraft. The Kevlar used as the bridging layer between the carbon skin and the honeycomb (Nomex) was debonding, prompting replacement with tailfins using glass fiber as the bridging layer. Even though the Kevlar was debonding, water ingress had not occurred, an Airbus official noted. Water penetration was feared as contributing to breakaway foam debris on the Shuttle.

Issue: Adequacy of spare parts inventory. “Recommendation: Obtain sufficient spare Reinforced Carbon-Carbon panel assemblies and associated support components to ensure that decisions related to [RCC] maintenance are made on the basis of component specifications, free of external pressures relating to schedules, costs, or other considerations.” (P. 83)

“[The] Space Shuttle Program was so strapped by schedule pressures and shortages that spare parts had to be cannibalized from one vehicle to launch another.” (P. 199)

Relevance to aviation industry: Depth of spare parts stockages. Recall the absence of a spare jackscrew, which led Alaska Airlines technicians, under pressure to return the airplane to service, to redo the end-play check using an unauthorized tool, leading to its crash two years later (see ASW, Dec. 16, 2002).

Issue: Quality control. The solid rocket boosters are connected by separation bolts, which are separated by pyrotechnic charges when the solid rockets burn out. “Bolt catchers” built into the external tank are designed to capture the upper half of a separated bolt, preventing it from potentially hitting the Orbiter. “Every bolt catcher failed well below the expected load range of 68,000 pounds. In one test, a bolt catcher failed at 44,000 pounds, which was two percent below the 46,000 pounds generated by a fired separation bolt. These results [are] … far below the design requirement of 1.4 (that is, able to withstand 1.4 times the maximum load ever expected in operation).

“Further investigation revealed that a lack of qualified non-destructive inspection technicians and differing interpretations of inspection requirements contributed to this oversight. United Space Alliance, NASA’s agent in procuring bolt catchers, exercises limited process oversight and delegates actual contract compliance verification to the Defense Contract Management Agency.” (P. 87)

Relevance to aviation industry: Similar to documented discrepancies and deficiencies in the FAA’s system of designated engineering representatives (DERs) and designated airworthiness representatives (DARs). (For conflict of interest inherent in the DER/DAR arrangement, see ASW, April 28.)

Issue: Electrical wiring type, maintenance installation separation and degradation in service. “The first extensive scrutiny of Kapton wiring on any of the Orbiters occurred during Columbia’s third Major Modification [i.e., overhaul] period, after … a short circuit five seconds after liftoff caused two of the six main engine controller computers to lose power, which could have caused one or two of the three main engines to shut down.

“The ensuing investigation identified … nearly 4,900 wiring nonconformances (conditions that did not meet specifications) … This examination revealed a strong correlation between wire damage and the Orbiter areas that had experienced the most foot traffic during maintenance and modification.” (P. 88)

“Based on these results, Boeing recommended that NASA separate all critical paths from larger wire bundles and individually protect them for a minimum of six inches beyond their separation points.” (P. 89)

“The Hold Down Post External Tank Vent Arm System is a Criticality 1-R (redundant) system … despite this high-criticality factor, the original cabling for this system was used repeatedly until it was visibly damaged. Replacing these cables after every flight and removing the Kapton will prevent bending and manipulation damage.” (P. 222)

Relevance to aviation industry: Vulnerability of Kapton to chafing and moisture, lack of awareness among maintenance technicians of care to avoid injury to wiring, and need for separation of critical circuits in electrical system design, a point noted by the National Transportation Safety Board in its investigation of the TWA Flight 800 disaster.

Recall irrelevance of wiring type in the minds of FAA officials, who often said, “We have no data.” Neither did NASA seek significant data or conduct testing, and the fleet was subsequently grounded after a Kapton wiring arcing event during launch.

External tank vent arm cabling exposure to the elements is analogous to accelerated degradation of Kapton wiring in severe weather and moisture prone (SWAMP) areas of an aircraft, where selective periodic replacement as practiced by the U.S. Navy paid dividends in the form of a huge reduction in unscheduled maintenance costs and increase in dispatch reliability.

Issue: Biased statistics. “In [2001] Kennedy [Space Center] and [United Space] Alliance redefined the single term ‘Foreign Object Damage’ … into two terms: ‘Processing Debris’ and ‘Foreign Object Debris.’

“The perception among many interviewees is that these novel definitions mitigate the impact of Kennedy Mission Assurance-found Foreign Object Debris on the United Space Alliance award fee. This is because ‘Processing Debris’ statistics do not directly affect the award fee. Simply put, in splitting ‘Foreign Object Damage’ into two categories, many of the violations are tolerated. Indeed, with 18 problem reports generated on ‘lost items’ during the processing of [Columbia] alone [for mission STS-107], the need for an ongoing, thorough and stringent Foreign Object Debris program is indisputable … The assumption that all debris will be found before flight fails to underscore the destructive potential … and creates an incentive to simply accept ‘Processing Debris.’

“Recommendation: Kennedy Space Center Quality Assurance and United Space Alliance must return to the straightforward, industry-standard definition of ‘Foreign Object Debris’ and eliminate any alternate or statistically deceptive definitions like ‘processing debris.’ ” (P. 95)

Relevance to aviation industry: A continuing campaign must be waged to prevent swarf (drill shavings, etc.) from being left in the airplane. Avoid comforting but deceptive statistical stratagems.

Issue: Cost pressures. “The search for cost reductions [in the 1990s] led top NASA leaders … to downsize the Shuttle workforce, outsource various Shuttle Program responsibilities – including safety oversight – and consider eventual privatization of the Space Shuttle Program. The program’s budget was reduced by 40 percent in purchasing power over the past decade and repeatedly raided to make up for Space Station cost overruns.” (P. 99)

“By 2001 … one experienced observer of the space program described the Shuttle workforce as ‘The Few, the Tired’ … The Program was operating too close to too many margins.” (P. 118)

Relevance to aviation industry: The certificate holder ultimately remains responsible for safety and the airworthiness of its aircraft. Hollowing out of core functions can lead to a dilution of safety margins.

Issue: Schedule pressures. Feb. 19, 2004, was described as “a line in the sand.” This was the date by which the space station was to achieve “Core Complete” status. Meeting this date required the preparation and launch of 10 Shuttle Flights in less than 16 months. The decision to modify Columbia to lift some space station payloads after completing STS-107 put it “directly in the path of Core Complete.” (P. 134)

“Conclusion: When a program agrees to spend less money to accelerate a schedule beyond what the engineers and program managers think is reasonable, a small amount of overall risk is added. These little pieces of risk add up until managers are no longer aware of the total program risk and are, in fact, gambling. Little by little, NASA was accepting more and more risk in order to stay on schedule.” (P. 139)

Relevance to aviation industry: Pressure to achieve high on-time departure rates can be a highly misleading indicator of safety.

Issue: Staff shortages. “Multiple job titles disguised the true extent of safety personnel shortages. The Board found cases in which the same person was occupying more than one safety position – and in one instance at least three positions – which compromised any possibility of safety organization independence because the jobs were established with built-in conflicts of interest.” (P. 199)

A long-standing request to add a main engine final review before transporting the engine for installation was repeatedly denied “due to inadequate staffing.” (P. 218)

Relevance to aviation industry: Similar staffing shortages were found at Alaska Airlines in the investigation following the Jan. 31, 2000, crash of Flight 261. FAA officials found the director of operations position vacant; two individuals sharing the director of maintenance position (vacant for two years); the director of safety also the director of quality control and training (see ASW, July 3, 2000).

Issue: Perception of risk. “Over the life of the Space Shuttle Program, Orbiters have returned with an average of 143 divots in the upper and lower surfaces of the Thermal Protection System tiles … NASA and contractor personnel came to view foam strikes not as a safety of flight issue but rather a simple maintenance or ‘turnaround’ issue.” (P. 122)

“After post flight analysis determined that on both flights [STS-56 and STS-58] the foam had come from the intertank and bipod jackpad areas, the rationale for closing the In-Flight Anomalies included notations that the External Tank foam debris was ‘in family,’ or within the experience base.” (P. 129)

Relevance to aviation industry: Defining foam-shedding as not an in-flight anomaly is akin to ignoring a number of in-flight engine shutdowns (IFSDs) or of ETOPS (extended operations) regulations ignoring repeated instances of curtailing power to flight idle.

Characterizing previous foam shedding events as within the experience base – without determining the cause or taking corrective action – is equivalent to characterizing and tolerating in-flight smoke events as “in family” with inadequate engineering justification for doing so. Yes, minor hydraulic leaks can be wiped away with a rag, but …

Issue: Illusory safety margins. “NASA Headquarters Safety Office presented a report that estimated a 99 percent probability of foam not being shed from the same area … The Board’s review after STS-107 [Columbia’s last mission] … concluded that bipod foam loss occurred on approximately 10 percent of all missions.” (P. 126)

Relevance to aviation industry: Consider the safety factors applied to prevent ignition of explosive vapors in fuel tanks. A 0.2 millijoule spark can ignite the vapors at sea level. Therefore, a safety factor of 10 was used, or 0.02 millijoules. However, the minimum ignition energy decreases with increases in altitude and temperature to 0.02 millijoules. As in the case of foam shedding, the fuel tank safety factor was off by a factor of ten (see ASW, Oct. 13, 1997).

Issue: Risk evaluation. The Crater model used to evaluate the risk of foam strikes was used for the first time as part of an in-flight assessment when Columbia was in orbit. The Crater model is calibrated to a one-by-three inch piece of foam, but engineers used Crater to estimate damage from a 20-by-6 inch piece of foam, an item roughly 400 times larger. (P. 143)

Relevance to aviation industry: Risk evaluation on a best case basis that ignored operational experience. Recall that for airplanes rudder loads for certification purposes are based on full deflection in one direction, then return to center. The American Airlines Flight 587 accident airplane experienced four rudder reversals in rapid succession before the tailfin snapped off. Other reversals had occurred, also outside the certification regime (see ASW, Nov. 25, 2002).

Issue: Tolerating risk. “The initial Shuttle design predicted neither foam debris nor poor sealing action of the solid rocket booster joints … For both O-rings and foam, the first decision was a turning point. It established a precedent for accepting, rather than eliminating, these technical deviations … managers incorporated worsening anomalies into the engineering experience base, which functioned as an elastic waistband, expanding to hold larger deviations from the original design. Anomalies that did not lead to catastrophic failure were treated as a source of valid engineering data that justified further flights.” (P. 196)

“After a cursory briefing without a full technical review” the attach rings’ minimum required safety factor was reduced from 1.4 times the maximum load ever expected in operations to 1.25. (P. 223)

Relevance to aviation industry: This pattern of activity is akin to flying without fire detection and suppression in cargo holds and other inaccessible spaces, although fires have occurred therein.

The ultimate load in the aviation industry is a factor of 1.5 to the design service load, and there is no known case where this safety factor has been reduced.

Issue: False redundancy. The O-ring joint sealing the segments of the solid rocket boosters was originally classified as a Criticality 1 item. The joint was later demoted to Criticality 1-R (redundant) on the basis that while the outer rings had suffered burn-through, the inner O-rings held. (P. 196)

This concept of reliable redundancy unraveled when Shuttle Challenger was launched in cold temperatures never before experienced, and both rings failed. (P. 197)

Relevance to aviation industry: Jackscrews were assumed to receive periodic lubrication, and even under the higher wear rate caused by inadequate lubrication, grit and such, the two threads in the acme nut would not both be stripped (see ASW, Jan. 20). As it turned out, the failure mechanism affected both threads, analogous to the way cold degraded both O-rings.

Issue: Burden of proof. “The engineers found themselves in the unusual position of having to prove that a situation was unsafe – a reversal of the usual requirement to prove that a situation is safe.” (P. 169, emphasis in original).

Relevance to aviation industry: Following the Nov. 12, 2001, crash of American Airlines Flight 587, there was some discussion about grounding the A300-600 fleet until the cause could be determined. A March 22, 2002, call from a group of A300-600 pilots to “consider the grounding of the A300-600 fleet until such time as its airworthiness can be assured” was rejected by NTSB and FAA officials (see ASW, June 17, 2002). The argument given was that in the absence of hard knowledge about the cause of the crash, grounding was inappropriate. In other words, the airplane would have to be proven unsafe to justify grounding action.

Issue: Oversight and quality assurance. “The contract involved substantial transfers of safety responsibility from the government to the private sector, rollbacks of tens of thousands of government mandated inspection points, and vast reductions in NASA’s in-house safety-related technical expertise.” (P. 179)

“NASA’s quality assurance role at Kennedy Space Center was significantly reduced. In the course of this transition, Kennedy reduced its inspections – called Government Mandatory Inspection Points – by more than 80 percent. Marshall Space Flight Center cut its inspection workload from 49,000 government inspection points … to 13,700.” (P. 218)

“Efforts by Kennedy Quality Assurance management to move its workforce towards a ‘hands-off, eyes-off’ approach are unsettling … management discourages inspectors from rejecting contractor work. Inspectors are told to cooperate with contractors to fix problems rather than rejecting the work and forcing contractors to resubmit it … In this new process, discrepancies are not recorded or tracked. As a result, discrepancies are currently not being tracked in any easily accessible database … Testimony further revealed incidents of quality assurance inspectors being played against each other to accept work that had originally been refused.” (P. 219)

Relevance to aviation industry: Breakdown of independent oversight, erosion of checks and balances, loss of audit trail and inability to establish accountability. The basic problem – self oversight and voluntary regulations.

Issue: Overhaul intervals. Orbiter overhaul intervals have averaged between every eight flights or three years. (P. 220)

“The Shuttle Program has explored the possibility of extending Orbital [overhaul] cycles to once every 12 flights or six years. This initiative runs counter to the industry norm of increasing the frequency of inspections as systems age.” (P. 221)

Relevance to aviation industry: Recall arbitrary extension of jackscrew lubrication intervals. Sometimes corrosion problems are found during non-corrosion inspections. Hence, the risk of undetected corrosion may increase as intervals between inspections are extended.

Issue: Design service life and service life extension. “The Board’s discovery of mass loss in RCC panels, the deferral of investigation into signs of metal corrosion, and the deferral of upgrades all strongly suggest that a policy is needed of complete recertification of the Space Shuttle.” (P. 209)

“Aviation industry standards offer ample measurable criteria for gauging specific aging characteristics, such as stress and corrosion … and Aging Aircraft studies.” (P. 209).

“As part of Shuttle Service Life Extension Program and potential 40-year service life, develop a state-of-the-art means to inspect all Orbiter wiring, including that which is inaccessible.” (P. 226)

Relevance to aviation industry: Mandate to inspect all wiring, even in inaccessible spaces, goes considerably beyond inspection protocols for aging aircraft under consideration by the FAA (see ASW, May 5).

Issue: Contingency planning. “Managers failed to develop simple contingency plans for a re-entry emergency. They were convinced … that nothing could be done.” (P. 181)

Relevance to aviation industry: Recall Airbus argument for extended operations (ETOPS) that airplanes could be made sufficiently reliable through design as to preclude the necessity for diversion contingency planning (see ASW, March 24).

Issue: Data-driven safety. “As it is currently structured, the Shuttle Program does not use data-driven safety methodologies to their fullest advantage.” (P. 189)

“The Board found that the information systems that support the Shuttle program are extremely cumbersome and difficult to use in decision-making at any level.” (P. 189)

Relevance to aviation industry: Insufficient capability for pattern analysis and trend tracking. Regarding NASA’s cumbrous oversight system, similar concerns have been expressed about the FAA’s air transport oversight system (ATOS). According to sources, the FAA’s service difficulty reporting (SDR) program is still not functioning in analysis and flagging of impending safety trends.

Issue: Component vs. vehicle safety. “As of 2001, the Shuttle Program no longer requires Boeing to conduct integrated hazard analyses. Instead, Boeing now performs hazard analysis only at the sub-system level. In other words, Boeing analyzes hazards to components and elements but is not required to consider the Shuttle as a whole.” (P. 188)

Relevance to aviation industry: The same misleading focus on system-level safety that stops short of safety assessment at the aircraft level was articulated recently by Lu Zuckerman, a reliability engineer (see ASW, July 28).

Issue: Hardening against catastrophe. “Initiate a program designed to increase the Orbiter’s ability to sustain minor debris damage by measures such as improved impact resistant [RCC] and acreage tiles … To the extent possible, increase the Orbiter’s ability to successfully re-enter Earth’s atmosphere with minor leading edge structural and system damage.” (P. 225).

Relevance to aviation industry: The thermal protection system is vulnerable during both ascent and descent. The Columbia accident investigation relegates the vulnerability of RCC leading edge components to a desirable future “fix.” This approach may be akin to the post-crash improvements to Concorde’s tires, while foregoing the Kevlar armor that also was installed on the thin-skinned wing tanks. Note also the early decision to isolate all airliner fuel tank electrical hazards, followed by the realization that a total safety fix would have to embrace concomitant tank-inerting. In so many cases, half-measures won’t provide a sufficient level of safety and complementary protections are necessary.