Safety Messages

Detailed inspection throughout the lifetime of a safety-critical part is absolutely essential. The tail mounted engine on the DC-10 aircraft for United Airlines Flight 232 had left the manufacturing foundry with undetected microscopic defects. However, when establishing the safe operational lifetime, it was assumed that all parts were defect free. After 15 years of operations, numerous inspection teams failed to detect the growth of cracks from these defects, and the initial defect-free assumptions were never re-evaluated. On July 19, 1989, that engine exploded well before its set operational lifetime, severing all three hydraulic fluid lines. The pilots of Flight 232 had never trained for a complete loss of hydraulic controls nor were there any operating procedures for handling such a scenario. Still, because they thoroughly understood the DC-10 system, they were able to regain just enough control to crash land the plane using only the remaining engine throttles. While it is impossible to predict and then train for every conceivable situation, even some known scenarios are so complex and dependent on other variables that official documented procedures can be ineffective. Therefore, it is critical that NASA operators have a thorough understanding of our systems and operations, so that they are able to successfully navigate situations for which they were not explicitly trained.

Understanding the limitations and failure modes of the materials that we use is critical in maintaining a safe operating environment. The improper selection of one key component for "The Big Dig" ceiling tiles resulted in 24,000 lbs of concrete crashing down on a passing car below, killing one of the passengers on July 10, 2006. The post-accident inspection was the first in the seven years since the initial installation inspection, and the same epoxy adhesive that had failed on July 10 was found to be in the process of failing on thousands of anchor bolts used to secure other suspended concrete ceiling panels. The particular epoxy chosen was simply too weak for the tunnel application. Reduced margins, forfeited review cycles, and ignored warnings all contributed to this disaster. Given the extreme environments and new technologies employed during NASA space operations, we must ensure that all critical materials are identified and thoroughly understood through robust testing, hazard analysis, and clear documentation.

NASA projects customarily include contractors, subcontractors, third-party vendors, as well as international partners and other government agencies. Delegation of roles, tasks and authorities among team members is common and desired in these teaming arrangements. However, clarity in these delegations, along with a universal understanding of their limits, is crucial in any complex undertaking. This case study addresses a number of key issues associated with managing an engineering project with a high degree of multi-organizational cooperation and dependency. Of the many things that are naturally delegated amongst the parties involved, overall responsibility for safety and performance cannot be one of them.

On Aug. 14, 2003, the United States and Canada experienced the largest electrical power blackout in North American history.  It was a massive power outage that affected parts of the northeastern U.S. and eastern Canada. Approximately 40 million people in eight U.S. states (about one-seventh of the population of the U.S.) and 10 million people in the Canadian province of Ontario (about one-third of the population of Canada) were impacted. The cost of financial losses related to the outage was estimated at $4 to $10 billion. The shutdown was the result of a monitoring and diagnostic systems failure coupled with communications problems between operations and support staffs, and a lack of systems understanding and planning by utility operators.

A seminal event in the history of human spaceflight occurred on the evening of Jan 27, 1967, at Kennedy Space Center (KSC) when a fire ignited inside the Apollo 204 spacecraft during ground test activities. The 100 percent oxygen atmosphere, flammable materials and a suspected electrical short created a fire which quickly became an inferno. Virgil Grissom, Edward White II, and Roger Chaffee (the prime crewmembers for Apollo mission AS-204 — later designated Apollo 1) perished in the flames before the hatch could be opened.

On July 29, 1967, a tragic string of events culminated in disaster on the flight deck of the USS Forrestal resulting in the deaths of 134 sailors. As 27 fully armed combat aircraft were on deck in preparation for a bombing mission over North Vietnam, a wing mounted Zuni rocket was inadvertently launched from an F-4 Phantom. The rocket flew across the flight deck and penetrated an externally mounted fuel tank of an A-4 Skyhawk, flooding the deck with hundreds of gallons of jet fuel which quickly ignited. The fire engulfed the aircraft and spread quickly, fanned by 32 knot winds. One minute and 34 seconds later, one of that same Skyhawk's 1000 pound bombs "cooked off," with an explosion that sent shrapnel, flame, and destruction across the flight deck, wiping out the fire fighting crew, and wreaked havoc below deck. Over the next hour, eight more 1000 pound bombs exploded, each time taking the lives of another valiant team of sailors fighting the blaze. The ship was able to return to Subic Bay, Philippines, but fires continued below deck for over 24 hours.

The Lewis Spacecraft Mission was conceived as a demonstration of NASA’s Faster, Better, Cheaper (FBC) paradigm. Lewis was successfully launched on Aug. 23, 1997, from Vandenberg Air Force Base, California on a Lockheed Martin Launch Vehicle (LMLV-1). Over the next 3 days a series of on-orbit failures occurred including a serious malfunction of the attitude control system (ACS). The ACS issues led to improper vehicle attitude, inability to charge the solar array, discharge of batteries and loss of command and control. Last contact was on Aug. 26, 1997. The spacecraft re-entered the atmosphere and was destroyed 33 days later. This mission may have been faster and cheaper, but in retrospect it was at the expense of better.

In the early years of nuclear power development, the first small-scale boiling water reactor exploded catastrophically, claiming the lives of three engineering technicians. This nuclear accident occurred in January of 1961 at the U.S. National Reactor Testing Station near Idaho Falls, Idaho, and is the only nuclear accident resulting in the loss of life ever to occur in the United States. The accident, called a "prompt criticality," resulted from a variety of factors, including inadequate design, inadequate materials testing, and poor procedures and training.

Fifteen smokejumpers leapt from a C-47 aircraft on a hot, dry August afternoon in 1949 to engage what was believed to be a routine forest fire burning along the south ridge of the Mann Gulch, a steep, narrow, valley, situated directly east of the Missouri River. Over the next 90 minutes a complex, confusing, and heroic struggle ensued as the fire, fanned by high winds and downdrafts spread in unexpected ways, cutting off firefighters from their planned river escape path and roaring up the gulch with a wall of flame, superheated air and black boiling smoke. In the end, 13 of the firefighters lost their lives. This tragic event dealt a devastating blow to the Smokejumper program and drastically changed the way the Forest Service analyzes hazards and how its fire fighters are trained, equipped, led and deployed.

The R101 Airship story is one of political leadership spurring investment in new technology, but at the same time driving that new technology to a premature implementation and subsequent disaster. The maiden voyage of British-built airship R101 in October of 1930 ended in a fiery crash that killed 48 people when bad weather forced the massive airship down over Beauvais, France.