Safety Messages

System safety engineering is embraced at NASA from the beginning of the program/project life cycle to the end. Historically, an assurance model has been the paradigm, expressed at each life cycle stage via oversight or insight into requirements development and compliance.

Assumptions are made to identify critical areas of risk so that advanced analytical tools such as Probabilistic Risk Assessment (PRA) can be reasonably and efficiently applied. This has proven to be a successful technical approach, except when the assumptions themselves miss scenarios driven more by complex social interactions.

We can learn from a sentinel 1988 event in the petroleum industry: the loss of 167 personnel and $3.4 billion damage following fire and explosions on the Piper Alpha offshore oil platform. Design flaws hindering communications, emergency procedures and evacuation conspired with an unfortunate configuration change and deficient work permit process to doom workers. The North Sea oil drilling industry changed dramatically as a result, with new regulations calling for a "safety case"--a compelling set of documents that could prove a drilling system was safe to an acceptable degree. Ever since the safety case concept was developed, the entering assumptions for safe system development and operation could be covered completely and systematically.

The NASA System Safety Handbook, Volume 1 is your source to discover how the NASA safety case, called a Risk-Informed Safety Case (RISC) should be constructed.

This last February 1 (Remembrance Day) is not the only time we can reflect upon any of the three NASA human spaceflight mishaps over the last four decades. Looking at these tragic events, Apollo 1, Challenger and Columbia, through the lens of NASA Safety Culture can inspire us to further examine current programs and projects on any day necessary.

Do we continue to enhance our reporting culture while remaining flexible enough to meet new demands? Are we just in rewarding this reporting or do we "shoot the messenger?" Do we learn enough from our close calls to prevent deadly mishaps from occurring? And finally, are we constantly engaged in positively affecting the agency’s approach to safety?

Read, then try looking around you at your organization with an eye toward Reporting Culture, Flexible Culture, Just Culture, Learning Culture and Engaged Culture. What do you see? What’s being done about it?

A routine training mission came to a tragic end when an F-22A pilot was killed in a crash during a return to base. The frigid night mission, flown out of Joint Base Elmendorf-Richardson near Anchorage, Alaska, demanded the use of night vision goggles and bulky cold weather flight suits and gloves. Although the United States Air Force legal investigation board for this accident deemed the crash to be caused by channelized attention, it also suggested that personal protective equipment (PPE), intended to protect the pilot, may have obstructed movement as he tried to activate an emergency oxygen supply. This tragic loss tells us to consider the usability of our own PPE and the effectiveness of emergency training under real-world off-nominal operations.

When NASA activities are planned, our first priority must remain to protect the public and uphold public trust. This trust is achieved by communication between government and the people it serves — a task not without challenge. Secrecy bred of competition and proprietary technology can threaten communication between industry and government points of contact. This creates a barrier to sharing essential safety information, hidden against some other perceived kind of risk. Such information, known to few but not all of those with the need to know, can be termed as an "unknown known." This is the story of a great disaster, the Halifax Harbour explosion of 1917, where a dangerous munitions cargo entered a busy port, unplanned for, and known to few but unknown to key risk owners. An outbound ship struck the explosives-laden French freighter, sparking the largest man-made detonation yet. The sheer devastation made casualty counts difficult: approximately 2,000 were dead and 9,000 injured. Modern emergency planning and relief efforts sprang from this tragic event, the first disaster given extensive investigative treatment that can help us plan better nearly a century later.

When critical safety requirements for hazardous work are not clearly identified in a project, the risks of prioritizing schedule over safety become invisible to the real risk owners (project managers and operators physically exposed to hazards). If the all-important discussion fails to occur at the risk-owner level, going forward by cutting technical margins can be seen as being efficient from a cost/schedule/quality risk viewpoint. It may also result in a tragedy like the Xcel confined space tunnel fire, where risk owners became blind to latent hazards awaiting nine industrial painters recoating the inside of a hydroelectric station’s penstock tunnel. Failure to mitigate the dangers of flammable thinners in confined spaces resulted in the needless deaths of five of those nine painters.

Although the 1988 PEPCON disaster in Clark County, Nevada, killed two employees and had the potential to kill many hundreds more, time and the remote location have distanced us from its lessons. One of the ammonium perchlorate (AP) explosions that day matched the explosive yield of a one-kiloton nuclear airblast and moved Richter scale instruments in other states. Awaiting NASA’s return to flight following the Challenger mishap, stockpiled AP quietly accumulated in storage containers unsuited for the chemical’s massive energy potential. Hot work maintenance was scheduled and performed without understanding the potential risk; when a spark from hot work ignited material covered in AP residue, the lacking fire response systems and procedure was utterly incapable of intervening. Consider if this case motivates checks for accumulating hazardous material at your center, especially if high-energy systems exist or activities will occur in close proximity to potentially dangerous material.

This month we’ll be discussing in a new way an issue that continues to affect our agency: transportation safety. Motor vehicle accidents accounted for nearly 40 percent of all damage mishaps at NASA locations between 2009 and 2011. Transportation mishaps can result in the unanticipated financial burden of repairs to serious injuries or even death. While the latter examples of that spectrum seldom occur, it is vital that we educate ourselves on the most common situations in which motor vehicle accidents transpire at NASA in order to reduce risk. The entirety of the NASA Safety Center’s informative Transportation Safety campaign is available at https://nsc.nasa.gov/Resources/Studies/TransportationSafety (NASA only). Please take a look, because driving safely is everyone’s mission.

Asked the copilot, as the Airbus A330 that was Air France Flight 447 dropped like a stone toward the dark Atlantic on the night of May 31, 2009. The copilot who was struggling to fly the jet, and the Captain who returned from a rest utterly failed to comprehend the many alerts, tones and instrument cues of an aircraft in a fully stalled state. Erratic airspeed indications from sensors clogged with ice crystals triggered a complex chain of events and conditions that baffled the crew during an agonizing 125-mile per hour free fall from 37,000 feet that lasted over 4 minutes. Others had experienced Airbus airspeed problems and lived; how could this tragedy, costing 228 lives, occur? What can we learn about the design and operator training of our own complex systems? Over three years later, we have the final investigation from the French BEA to examine.

In 2010, a Texas Tech University Chemistry graduate student was seriously injured after an energetic compound he was working with detonated. The student lost three fingers, received burns to his hands and face, and suffered an eye injury. Almost three years prior to this incident, two close calls occurred in the same department-one even in the same research project. Laboratory research by students is ongoing at NASA centers and at college campuses supporting NASA research and education activities. At any given time, hundreds of students participate in NASA on-site activities through education outreach, intern and cooperative education programs. Hundreds of other students and faculty members participate in NASA research grants across the country. These students are often exposed to many of the same potentially hazardous environments as our regular full-time employees. The lessons learned from these events provide NASA with an important opportunity to reflect on and scrutinize our own policies and practices (e.g., Comprehensive Chemical Hygiene Plans, hazard communications and lessons learned programs) and on the barriers to safety that existed at TTU leading up to the incident. Even with the attention that goes with preparing our grant provisions, it is the NASA and contractor veterans working directly with these young, talented employees and faculty members that most influence their safety and health.

The Balloon Program conducts frequent flights globally for NASA's scientific and technology development investigations, while also serving as an important training ground for tomorrow's scientists and engineers. NASA's scientific balloon activities date from the earliest days of the agency, with over 2,500 balloon missions conducted, and have enabled discoveries of our Earth, the Sun and the universe. The aborted launch of the Nuclear Compton Telescope from Alice Springs, Australia, in April of 2010 called into question the methods used for decades in conducting safe balloon launches. The Investigation team concluded the mishap stemmed from the failure of the launch mechanism, combined with insufficient risk planning, training and safety oversight. NASA program and safety leadership conducted an extensive evaluation of balloon safety processes following the mishap, developed a corrective action plan to address the recommendations from the mishap review, and was given approval to resume flights in December 2010. Since then, the Balloon Program has safely and successfully conducted balloon launches from Antarctica, Australia, Sweden and the United States. Many aspects leading to the mishap could have been prevented by better risk analysis, contingency planning, personnel training, government oversight and public safety accommodations. This mishap shows us the impact of safety procedures, training and communications on mission success.