Safety Messages

This month we're stepping back from large-scale system failures to look at an emerging issue for NASA and the aerospace industry: counterfeit components. Counterfeit components have created an increasing hazard at NASA, impacting project costs, performance and schedules and increasing the potential for mission failures. The attached view graphs present facts surrounding the counterfeiting of electronic components (i.e., circuit boards and computer chips) and inform us on the proliferation of illegal offshore production and international brokerage of non-compliant parts. As the new era of commercial spaceflight begins, NASA must use all available defenses to prevent acquisition or use of counterfeit components. This requires strict enforcement of compliance standards, verification testing, vigilant reporting and awareness of authorized suppliers. Although a challenging task in a globalized business environment, NASA must endeavor to assure quality while fostering technological innovation and set the example for commercial spaceflight programs that will undoubtedly encounter similar challenges.

According to Charles Perrow, interfaces, whether they be hardware or software, may enable unintentional sequences not immediately visible or comprehensible, presenting complex interactions. Much of the same can be said for tight system coupling where no buffers exist to prevent one input from having an immediate and direct impact on an entire system. Either of these situations present innate hazards; but combined, a catastrophic outcome can become expected, even normal. In the Feb. 25, 2009 crash of Turkish Airlines Flight 1951, complex interactions inherent in outdated automated flight controls were combined with yet another ingredient: social complexity. As Flight TK1951 approached the Polderbaan runway at Amsterdam-Schiphol International Airport that day, shifting interfaces met uncoordinated organizational policy. These effects manifested themselves with disastrous consequences, claiming the lives of nine people and the injuries of countless more aboard Flight 1951.

The Sept. 9, 2010, PG&E pipeline explosion that reduced San Bruno, California, to smoke and rumble will remain vivid in the hearts and minds of the community's residents. The incident left eight dead, 58 injured and affected 108 homes. The earth-scarring explosion that had taken so much from those residents provides a terrible lesson to be learned in identifying latent hazards and making organizational choices. As much as we can point out negligence and the folly of "run-to-failure" attitudes in this tragic accident, we must feed our motivation to discover and act on those latent conditions, known and unknown, that lead to errors and unsafe situations. This is a learning culture that we are trying to further foster within NASA.

Ten stories of loss, from communication with aircraft and spacecraft to catastrophic launch failure to the death of hundreds of passengers when an airliner strikes a hill on final approach. What do these stories have in common? Structured, rigorous validation and verification of software requirements, implementation and change management could have prevented them all. Here we will learn of hard-won lessons about the kinds of software defects and defect-defeating options available to project managers, system and software engineers, software assurance engineers...key players in the complex, unforgiving environment where software is needed to control hardware and human risk decisions are always involved.

In September 2006, 14 members of the Royal Air Force lost their lives during a NATO-led offensive in southern Afghanistan. Though all wartime casualties leave indelible scars on surviving friends and families, the loss of these servicemen bears particular tragedy because they died in a preventable accident. That accident took place because misplaced confidence and false assumptions projected an illusion of safety that care and vigilance might have shattered. This is a story that unfolds in every industry, in every sector. It is the story of an organization that allowed complacency to trump watchfulness and transition to undermine safeguards. NASA faces significant changes now. What steps will we take to sustain a safety culture to carry us through upheaval that transitions can bring?

In 1982, the Ocean Ranger was the largest, most advanced mobile offshore drilling unit in the world. After six years of operation, the massive oil rig proved it could withstand the North Atlantic's most severe storms, and many people described it with one word: unsinkable. All of that would change on Feb. 14, when one overlooked detail — failure to cover a window before a storm — would weaken the oil rig's defenses. The Ocean Ranger's 84 crew members died that night, and the rig itself capsized at around 3 a.m. One of the most tragic details of this disaster is the fact that the crew could have stopped the devastating chain if they had possessed a more comprehensive understanding of system design and intent. We must view the lessons of the Ocean Ranger as a somber reminder that we must strive to exhibit all characteristics of a safety culture no matter how infallible our modern machines may seem.

On Feb. 23, 1997, the six crew members on board Space Station Mir were enjoying a rare moment of relaxation when a fire suddenly erupted from the spacecraft’s supplemental oxygen generator. The fire cut off access to one of two Soyuz escape vehicles and filled the space station with thick black smoke. Swift action and teamwork saved the crew, but the incident brought to light several shortcomings in emergency preparation, communication and safety drills. This story provides a platform from which we can discuss the importance of the fundamental issues related to the Mir crisis, which also apply to NASA and other international or commercial aerospace organizations. While many differences separate these entities, all of them should rely on a common culture of safety that places its emphasis upon mission success.

Communication lapses lie at the root of many mishaps and close calls and can set off complicated event chains that lead to disaster. One such string of mistakes took place in the weeks preceding Space Shuttle Columbia's maiden voyage in March 1981. A countdown demonstration test had just concluded, and controllers opened the pad area for normal work. The controllers did not know that a hazardous condition — an atmosphere of pure nitrogen — still existed in the shuttle's aft compartment. Without warning signals or other indications of the oxygen-deficient space, technicians entered the area and collapsed just seconds later. Over the course of 15 minutes, six technicians were exposed to the nitrogen atmosphere, and three of them eventually died because of it. This was the third successive time that tragedy struck the inaugural mission of a human spaceflight program. This story illustrates the prevalent and far-reaching effects of systemic safety issues and reminds us of the vigilance required to keep those failure modes at bay.

On June 22, 2009, a shocking accident rocked routine rush hour traffic, taking the lives of nine commuters and injuring dozens of others on the Washington Metropolitan Area Transit Authority (WMATA) railway. That day, the automatic train control system, which determines train speed and spacing, failed to detect the presence of inbound Train 214. As a result, Train 214 ground to a halt not far from the Fort Totten station. Meanwhile, the following train — number 112 — coasted across the rails at the maximum speed of 55 mph. A bend in the track eliminated opportunity for Train 112's operator to observe stopped Train 214 in time, and only seconds after what must have been a horrific realization for its operator and passengers, Train 112 barreled into Train 214 at significant speed. In the wake of this disaster, we find a reverberating lesson that must not fade with familiarity: commitment to safety must be demonstrated at the highest levels, and it must impact every facet of an organization to foster a safety culture that is truly effective.

After spending 20 years orbiting Earth, Hubble Space Telescope (HST) has recorded more than 570,000 images of 30,000 celestial objects. This data has changed the face of astronomy by helping scientists around the world gain a deeper understanding of the universe, and Hubble is now regarded as one of the most important observatories ever built. Hubble’s origins, however, were far from auspicious. When the finished project launched in April of 1990, Hubble began transmitting severely blurred images of the cosmos, crushing the general expectation that HST would outperform any earthbound observatory. Investigation teams later discovered that Hubble could only record blurred images because its primary mirror had been polished into the wrong shape. NASA was able to correct this error during a service mission three years later, and since then, HST has surpassed its performance specifications. Many of the events leading to the misshapen mirror could have been prevented by better managerial practices, better risk identification and better enforcement of Quality Assurance procedures. Ultimately, however, the HST optical systems failure resulted because managers disregarded evidence of threats to mission success while facing significant schedule and budget pressures. This month, we discuss the importance of assigning clear responsibility, ensuring rigorous documentation and remembering the mission during times of crisis.