NASA Office of Logic Design

A scientific study of the problems of digital engineering for space flight systems,
with a view to their practical solution.


Columbia/STS-107 Mishap

Columbia Memorial

Columbia Accident Investigation Board (CAIB) Mishap Report

NASA History Office Columbia Home Page


From Columbia to Discovery: Understanding the Impact Threat to the Space Shuttle

James D. Walker
Southwest Research Institute

22nd International Ballistics Symposium
Vancouver, BC
November 2005

Abstract
The loss of the space shuttle Columbia in 2003 was caused by the impact of foam insulation on the leading edge of the wing. The foam strike created a hole in reinforced carbon-carbon panel 8 that led to excessive heating during re-entry, loss of the integrity of the left wing, and subsequent loss of the vehicle and crew. In the 2½ years following the accident there has been a concerted effort to understand the impact threat to the space shuttle system. The effort was a large one, consisting essentially of five integrated parts: 1) identifying the debris that can be shed by the External Tank and Solid Rocket Boosters; 2) determining the impact speeds and angles at which debris can strike the orbiter; 3) quantifying the amount of damage to the thermal protection system caused by those strikes; 4) estimating the temperature rise in the damaged regions during re-entry; and 5) deciding whether the temperature rise is sufficient to affect structural integrity. This paper overviews the extensive experimental and modeling efforts of the return-to-flight program, with an emphasis on the impact testing and modeling.


Lessons Learned but Forgotten from the Space Shuttle Challenger Accident

Allan J. McDonald, ATK Thiokol Propulsion (Retired)
Space 2004 Conference and Exhibit
September 28-30, 2004, San Diego, California
AIAA 2004-5830

Abstract
At the time of the Challenger accident, I was the Director of the Space Shuttle Solid Rocket Motor Project for Morton Thiokol Inc. The cause of the failure and the controversy surrounding the decision to launch the Challenger in such cold weather is discussed in detail in the Presidential Commission's Report on the Challenger Accident. The Challenger was launched at 16:38:00:010 GMT on January 28th, 1986 from the Kennedy Space Center (KSC). I was in the Launch Control Center (LCC) at the time of the launch. The Mission Management Team's (MMT) decision to launch the Challenger was flawed because of the lack of communication both horizontally and vertically within the NASA organizational structure. The Columbia accident suffered from a similar breakdown in communications along with failure to consider the seriousness of engineers' concerns, much like the Challenger. This paper will discuss the details leading to the failure of the Challenger and the lessons learned from the accident. The paper will also show how the mistakes from the Challenger accident in 1986, the 25th flight of the Space Shuttle, were repeated in the loss of the Columbia in 2003, some 17 years and 88 flights later.


Beyond Normal Accidents and High Reliability Organizations: The Need for an Alternative Approach to Safety in Complex Systems

Karen Marais, Nicolas Dulac, and Nancy Leveson
MIT
Engineering Systems Symposium, March 24, 2004
marais-b.pdf

Introduction
Organizational factors play a role in almost all accidents and are a critical part of understanding and preventing them. Two prominent sociological schools of thought have addressed the organizational aspects of safety: Normal Accident Theory (NAT) and High Reliability Organizations (HRO). In this paper, we argue that the conclusions of HRO researchers (labeled HRO in the rest of this paper) are limited in their applicability and usefulness for complex, high-risk systems. HRO oversimplifies the problems faced by engineers and organizations building safety-critical systems, and following some of its recommendations could lead to accidents. NAT, on the other hand, does recognize the difficulties involved but is unnecessarily pessimistic about the possibility of effectively dealing with them. An alternative systems approach to safety is described, which avoids the limitations of NAT and HRO. While this paper uses the Space Shuttle, particularly the Columbia accident, as the primary example, the conclusions apply to most high-tech, complex systems.


Effectively Addressing NASA's Organizational and Safety Culture: Insights from Systems Safety and Engineering Systems

Nancy Leveson, Joel Cutcher-Gershenfeld, Betty Barrett, Alexander Brown, John Carroll, Nicolas Dulac, Lydia Fraile, Karen Marais, MIT

Engineering Systems Symposium, March 2004
leveson_on_se_safety_and_caib.doc

Introduction (excerpt)
Safety is an emergent system property that can only be approached from a systems perspective. Some aspects of safety can be observed at the level of particular components or operations, and substantial attention and effort are usually devoted to the reliability of these elements, including elaborate degrees of redundancy. However, the overall safety of a system also includes issues at the interfaces between components or operations that are not easily observable when approached in a compartmentalized way. Similarly, system safety requires attention to dynamics such as drift in focus, erosion of authority, desensitization to dangerous circumstances, incomplete diffusion of innovation, cascading failures, and other dynamics that are primarily visible and addressable over time, and at a systems level.


Space Shuttle Independent Assessment Team:
Report to Associate Administrator, Office of Space Flight

October - December 1999

March 7, 2000
siat.pdf

Executive Summary (excerpt, leading section):

The Shuttle program is one of the most complex engineering activities undertaken anywhere in the world at the present time. The Space Shuttle Independent Assessment Team (SIAT) was chartered in September 1999 by NASA to provide an independent review of the Space Shuttle sub-systems and maintenance practices. During the period from October through December 1999, the team, led by Dr. McDonald and composed of NASA, contractor, and DOD experts, reviewed NASA practices and Space Shuttle anomalies, as well as civilian and military aerospace experience.

In performing the review, much of a very positive nature was observed by the SIAT, not the least of which was the skill and dedication of the workforce. It is in the unfortunate nature of this type of review that the very positive elements are either not mentioned or dwelt upon. This very complex program has undergone a massive change in structure in the last few years with the transition to a slimmed down, contractor-run operation, the Shuttle Flight Operations Contract (SFOC). This has been accomplished with significant cost savings and without a major incident. This report has identified significant problems that must be addressed to maintain an effective program. These problems are described in each of the Issues, Findings or Observations summarized below, and unless noted, appear to be systemic in nature and not confined to any one Shuttle sub-system or element. Specifics are given in the body of the report, along with recommendations to improve the present systems.

Enhancing Mission Success – A Framework for the Future
A Report by the NASA Chief Engineer and the NASA Integrated Action Team
12_21_00_NIAT.pdf

Introduction
In March 2000, NASA released a series of reports that were the product of activities chartered by the Agency in response to failures in the Mars Program, Shuttle wiring problems, and a generic assessment of NASA’s approach to executing "Faster, Better, Cheaper" projects. The subject reports are:

  • Mars Climate Orbiter (MCO) Mishap Investigation, chaired by Mr. Arthur Stephenson, Director, Marshall Space Flight Center (MSFC),
  • Mars Program Independent Assessment (MPIA), chaired by Mr. A. Thomas Young, Lockheed Martin (retired),
  • NASA Faster, Better, Cheaper (FBC) Task, chaired by Mr. Anthony Spear, Jet Propulsion Laboratory Mars Pathfinder Project Manager (retired),
  • Shuttle Independent Assessment (SIA), chaired by Dr. Henry McDonald, Director, Ames Research Center (ARC).

Recommendations contained in the reports not only addressed root and contributing causes of specific failures but also looked beyond those incidents to make broader recommendations to the Agency on ways it might improve its general approach to executing programs and projects.


Photographic Analysis Technique for Assessing External Tank Foam Loss Events

T.J. Rieckhoff (1), M. Covan (2) and J.M. O’Farrell (2)

(1) Marshall Space Flight Center
(2) United Space Alliance

NASA/TM—2001–210880
June 2001

tm210880.pdf

Introduction

The external tank (ET) of the Space Shuttle system is covered with a very low-density, spray-on foam insulation (SOFI) to protect it from the heating experienced during ascent flight. The intertank thrust panels (fig. 1) are ribbed structures that resemble corrugated panels when sprayed with foam.

Postflight inspection of orbiter tiles on mission STS–86 revealed greater damage than observed on previous flights. STS–87/ET–89, launched on November 19, 1997, had even more tile damage and prompted the initiation of in-flight anomaly STS–87–T–01 (IFA87) to identify the cause of the orbiter’s above-average lower-surface tile damage and to suggest corrective action. Foam loss was suspected to be the cause of the damage to the orbiter tiles. Figure 2 shows a photograph of the STS–87 ET after it was jettisoned. Areas of foam loss from the intertank are readily apparent.

A camera was installed on the left solid rocket booster (SRB) of STS–95/ET–98, launched on October 29, 1998, providing video images of the ET intertank thrust panels during ascent. From the video, foam loss was seen to initiate at 92 sec into flight and continue until SRB separation, at which time the view was lost. From simple observation of the STS–95 SRB camera video, foam loss appeared to be most prominent on the tops and sides of the thrust panel ribs. It was also noted that from a visual standpoint, the foam loss closely resembled the phenomenon known as popcorning, which has been observed in thermal vacuum testing at Marshall Space Flight Center (MSFC) test facilities.

Tile damage impact testing was conducted by Southwestern Research Laboratories to assess the susceptibility of the orbiter tiles to damage from the ET foam particles. Test results demonstrated that the particles of the size detected in the STS–95 video could cause the observed orbiter tile damage.

Flight instrumentation and video cameras were installed on both the left and right SRBs for missions STS–96/ET–99 and STS–93/ET–100. Data from the videos were used to identify the times at which foam loss occurred and to record differences in foam loss characteristics.

A method of processing the SRB video images was developed to allow rapid detection of permanent changes indicative of foam loss events on the ET intertank surface. This method was applied to accurately time, count, categorize, and locate changes corresponding to foam loss events.


Risk Management for the Tiles of the Space Shuttle

M.-Elisabeth Pate-Cornell (1) and Paul S. Fishbeck (2)
(1) Stanford University
(2) Carnegie Mellon University

tile_risk_management.pdf

The tiles of the space shuttle orbiter are critical to its safety at reentry, and their maintenance between flights is time-consuming. We performed a probabilistic risk analysis to identify the most risk-critical tiles and to set priorities in the management of the heat shield. The model is based on a multiple partition of the orbiter's surface. For the tiles in each zone, we used the following data: (1) the probability of debonding due either to debris hits or to a poor bond, (2) the probability of losing adjacent tiles once the first one is lost, (3) the probability of burn-through given the final size of the failure patch, and (4) the probability of failure of a critical subsystem under the skin of the orbiter if a burn-through occurs. A risk-criticality scale was designed based on the results of this model. It is currently used (along with temperature charts) to set priorities for the maintenance of the tiles. We found that 15 percent of the tiles account for about 85 percent of the risk and that some of the most critical tiles are not in the hottest areas of the orbiter's surface. We recommended that NASA inspect the bond of the most risk-critical tiles and reinforce the insulation of the external systems (external tank and solid rocket boosters) that could damage the high-risk tiles if it debonds at take-off. We computed that such improvements of the maintenance procedures could reduce the probability of a shuttle accident attributable to tile failure by about 70 percent.

Last Revised: December 05, 2005
Digital Engineering Institute
Web Grunt: Richard Katz