3. The Need for Process Safety
3.3 Process Safety Culture: NASA Space Shuttle Columbia Disaster, 2003
3.3.1 Summary
The NASA Space Shuttle, Columbia, was destroyed during its re-entry into the Earth’s atmosphere at the end of a 16-day voyage, just 16 minutes before scheduled touchdown. During the launch, a large piece of insulation foam became detached from the area where the shuttle had been attached to the external fuel tank and hit the leading edge of the left wing. After the incident, it was discovered that a fragment of the thermal protective panel drifted away from the wing while in space. At the critical part of re-entry when friction with the Earth’s atmosphere is at its greatest, superheated air entered the left wing, destroying the structure and causing the spacecraft to lose aerodynamic control, and break up (Figure 3.6). All seven of the crew were killed. Within two hours of loss of signal from Columbia, the independent Columbia Accident Investigation Board (CAIB) was established following procedures that had been put in place after the Challenger disaster 17 years earlier. (CCPS, 2008)
3.3.2 Detailed Description
Columbia was launched on January 16, 2003 for the 28th time. At 81.7 seconds into the flight, a large piece of insulation foam became detached. The detached piece of foam hit the leading edge of the left wing 0.2 seconds later (Figure 3.7).
This event was not detected by the crew or ground support functions until detailed examination of the launch photographs and videos took place the following day. There was sufficient concern that a Debris Assessment Team was created to determine whether the event had caused critical damage to the shuttle.
No adverse effects were noticed by the crew or support staff as the mission continued. What they did not know was that on the second day of the flight, an object drifted away from the shuttle. The radar signature of this object, discovered after the incident, was consistent with it being a 140 square inch (900 cm²) fragment of the protective panel from the left wing of the shuttle. At the critical part of re-entry when friction with the Earth’s atmosphere is at its greatest, superheated air entered the left wing, destroying the structure and causing the spacecraft to lose aerodynamic control leading to break up.
Figure 3.6. Columbia breaking up, courtesy NASA.
Figure 3.7. A shower of foam debris after the impact on Columbia’s left wing. The event was not observed in real time, courtesy NASA.
The obvious question was asked as to how a piece of lightweight foam material could fatally damage something as apparently strong as a spacecraft designed for one of the most aggressive of operating environments. Calculations showed that, at the time of separation, the foam was traveling at the same speed as Columbia - about 1,568 mph (700 m/s) and the rapid deceleration of the foam combined with continued acceleration of the shuttle explained the severity of the impact. It was also found that insulation foam loss had occurred on all previous Space Shuttle flights, from small “popcorn” sized pieces, to briefcase sized chunks, and that, on 10% of flights, foam loss had occurred at the bipod attachment area. In the original design team there had been extreme concern that foam loss would result in fatal damage to the shuttle. Since the specification for the large external fuel tank contained a requirement that “no debris shall emanate from the critical zone of the external tank on the launch pad or during ascent”, no protection had been provided to the leading edges of the shuttle’s wings. Despite this, there had been a lot of damage to Columbia’s protective tiles during its first mission – more than 300 had to be replaced. One engineer stated that if they had known in advance the extent of the debris shower that occurred, they would have had difficulty in getting the Space Shuttle cleared for flight.
Over the previous decade, NASA was placed under severe pressure to reduce costs, losing about 40% of its budget and workforce. Part of the response was for NASA to hand over much of its operational responsibilities to a single contractor, replacing its direct involvement in safety issues with a more indirect performance monitoring role. NASA managers continued to preach the importance of safety, but their actions sent the opposite signal.
Despite the cutbacks, there was pressure — some self-imposed — to keep the Space Shuttle program on schedule, particularly to complete the International Space Station (ISS). The uncertainty over the long-term future of the program resulted in reduced investment, with safety upgrades delayed or deferred. The CAIB found that the infrastructure had been allowed to deteriorate, and the program was operating too close to too many margins.
3.3.3 Causes
Technical. Technically, the cause was the failure of the foam insulation at the bipod attachment. No non-destructive testing (NDT) of hand applied foam was carried out other than visual inspection at the assembly building and at the space center, even though NDT techniques for foam had been successfully used elsewhere. The CAIB concluded that too little effort had gone into the understanding of foam fabrication and failure modes.
Culture. In spite of cutbacks and deadline pressures, the organization continued to pride itself in its “can do” attitude, which had undoubtedly contributed to former successes. This enabled the phenomenon known as “normalization of deviation”.
The failure of the foam without significant consequences was observed so many times that it became an accepted part of every flight and with each successful landing the original concerns seem to have faded away.
In the words of the CAIB report:
“Cultural traits and organizational practices detrimental to safety were allowed to develop, including: reliance on past success as a substitute for sound engineering practices (such as testing to understand why systems were not performing in accordance with requirements); organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion; lack of integrated management across program elements; and the evolution of an informal chain of command and decision-making processes that stifled professional differences of opinion; and decision-making processes that operated outside the organization’s rules.” (CAIB, 2003).
3.3.4 Key Lessons
Process Safety Culture (Section 2.2). This element was also a key component in the BP Texas City incident (Section 3.1). An important aspect of a good safety culture is maintaining a sense of vulnerability. An example of the poor safety culture at NASA is the denial of requests by the Debris Assessment Team for imaging of the wing while the shuttle was in orbit. The team concluded, based on modeling, that “some localized heating damage would most likely occur during re-entry, but they could not definitively state that structural damage would result.”
The Mission Management Team eventually concluded the debris strike was a “turnaround” issue. As stated in the CAIB report, “Organizations that deal with high-risk operations must always have a healthy fear of failure – operations must be proved safe, rather than the other way around. NASA inverted this burden of proof.”
The following is a finding from the CAIB report:
“NASA’s safety culture has become reactive, complacent, and dominated by unjustified optimism. Over time, slowly and unintentionally, independent checks and balances intended to increase safety have been eroded in favor of detailed processes that produce massive amounts of data and unwarranted consensus, but little effective communication.
Organizations that successfully deal with high-risk technologies create and sustain a disciplined safety system capable of identifying, analyzing, and controlling hazards throughout a technology’s life cycle.”
3.3.5 References and Links to Investigation Reports
The CAIB report is available online. The online report also contains several movie clips, such as the actual foam strike and impact testing.
Columbia Accident Investigation Board, (2003) Volume 1 http://www.nasa.gov/columbia/caib/html/start.html
Columbia Incident Investigation Board, (2003) Volume 1, movie clips http://www.nasa.gov/columbia/caib/html/movies.html
CCPS, “Incidents That Define Process Safety”, Center for Chemical Process Safety, New York, 2008.
CCPS, Process Safety Beacon, Process Safety Culture, June 2007. http://sache.org/beacon/files/2007/06/en/read/2007-06-Beacon-s.pdf