Safety Messages

This month we're stepping back from large-scale system failures to look at a pattern of incidents that seem trivial on their own, but taken together, injure many of our employees: slips, trips and falls. In 2010, such incidents accounted for more than 40 percent of NASA's lost time injury mishaps. Of those injuries, 75 percent were falls on the same level, or slips and trips that injured but did not result in a fall. Most injuries took place during normal activities rather than high-risk operations. To tackle this systemic problem, we need to find and mitigate trip hazards when feasible, while keeping ourselves mindful and vigilant of changing conditions, be they our physical limitations or changing environments.

During a missile decommissioning procedure on Aug. 29-30, 2007, airmen at Minot Air Force Base, North Dakota, mistakenly loaded six nuclear warheads onto a B-52 bomber destined for Barksdale Air Force Base, Louisiana. Airmen failed to handle the warheads in accordance with U.S. Air Force nuclear weapons regulations, allowing the warheads to bypass five safety nets and resulting in the unauthorized transfer. This event is considered one of the most serious breaches in the Air Force's positive control of nuclear weapons. After studying this incident, we find that a slow evolution of expedient processes eroded firmly established safety protocols over time. This study reminds us that in applying NASA's broad range of procedures and processes to high-energy systems, it is not enough to comprehend procedural steps — operators and managers alike must understand the rationales behind the procedures to avoid losing sight of safety goals and of the consequences of mission failure.

On Jan. 15, 2009, residents and tourists near midtown Manhattan witnessed history. Close to 3:30 that afternoon, a silent airliner glided onto the frigid Hudson River, coming improbably to rest intact and on the surface. Within minutes, amazed passengers scrambled onto both wings and inflated emergency exit ramps, waving to commuter ferries and boats rushing to rescue them. Across the world, television viewers gaped at the unfolding story: bird strikes to both engines caused them to shut down, turning the U.S. Airways Airbus A320 into an 85-ton glider. Without sufficient altitude or airspeed to land on any nearby runway, the skilled flight crew successfully ditched the plane in the river. All had escaped fatal trauma, hypothermia and drowning. The "Miracle on the Hudson," as the event came to be known, is a testament to how solid leadership, systems knowledge and comprehensive preparation enable correct time-critical decisions to adapt and survive.

North American Aviation developed the X-15 for a program seeking to investigate winged flight and human performance at the edge of space. Pioneering research that would benefit every subsequent U.S. human spaceflight program, three X-15’s made 199 flights. On Nov. 15, 1967, U.S. Air Force Major Mike Adams was scheduled to fly the X-15 on its 191st flight. Major Adams was a skilled and experienced test pilot, and the team expected another successful mission. But when an electrical disturbance coursed through the aircraft, the flight control system was degraded at an unforgiving instant. Major Adams entered history’s first hypersonic spin, followed by an inverted dive. Massive g forces from these events incapacitated him, leaving him unable to eject before the aircraft broke apart high above the desert. A lack of component qualification testing, a degraded flight control system, possible pilot vertigo and misreading a single, deceptive flight instrument all led to departure from controlled flight. This month, we honor Major Adams’ memory by considering this story, especially as designers conceive new commercial vehicles to fly passengers to the edge of space and back again.

When night-shift employees of Imperial Sugar Company’s refinery in Port Wentworth, Georgia reported for work on Feb. 7, 2008, they had no reason to suspect that a disaster was about to occur. Visitors to the plant on that night, or any night prior, would have found its interior encased in sugar and sugar dust. The residue rested on conduits, covered machinery and coated the floor. The white particulate — inches deep in several places — looked innocuous enough, but it posed an insidious hazard of which many employees were unaware: the dust was highly combustible. The refinery had operated for more than eighty years without a major incident, but that night, everything changed when an explosion near a conveyor belt triggered a chain reaction of violent explosions that devastated the facility and took the lives of 14 workers. As is too often the case in events such as this, inadequate training and incomplete emergency preparation were among the factors leading to the tragedy. The Chemical Safety Board, which investigated the accident, also cited the Normalization of Deviance as a direct cause. Analyzing this case emphasizes the importance of guarding against complacency, maintaining strict safety standards, and cultivating a culture of preparedness.

On a hot July day in 1996, a Boeing 747 carrying 230 people departed New York’s John F. Kennedy International Airport on a flight to Paris, France. The aircraft experienced an uneventful takeoff and initial ascent, but only 12 minutes into the flight, a sudden and catastrophic explosion in the center wing fuel tank tore the fuselage apart, raining debris into the Atlantic. All passengers and crew members lost their lives. National Transportation Safety Board (NTSB) investigators needed four years to retrieve the wreckage, reconstruct the aircraft and determine the probable cause. In its official report, the NTSB concluded that excess energy entered the center fuel tank through a short circuit in external wiring. Then, a latent fault on probes inside the tank most likely caused an electrical arc that ignited the flammable fuel/air mixture, leading to the explosion and structural failure. The 230 passengers and crew on Flight 800 paid the ultimate price when the accident exposed flawed assumptions regarding aircraft design practice. This study details those assumptions and emphasizes the need to continually re-evaluate our projects and equip our systems with additional layers of safety to protect against wrong assumptions and unanticipated failure modes.

1997 marked the third year of a collaborative space project between the United States and Russia known as the Shuttle-Mir partnership. This program sent U.S. astronauts to Space Station Mir where they worked with Russian cosmonauts on life science, microgravity and environmental research. Automated supply vehicles called Progress visited the station every four months to deliver fresh supplies and to collect accumulated rubbish. These spacecraft normally docked with Mir using a Ukrainian docking system called Kurs. However, Russia's financial difficulties and Ukraine's rising prices made the Kurs system unaffordable, and the Russians began implementing an existing manual docking system, called TORU, to dock Progress with Mir. In July of 1997, Russian Mission Control instructed the crew on board Mir to test this docking system on the Progress-M 34 freighter. The test ended in disaster when the Progress vehicle sailed past the docking node, slammed into a solar array and bounced into Mir's Spektr Module. The impact punctured the hull and caused the first ever decompression on an orbiting spacecraft. The lessons portrayed in this incident remind us that communicating and understanding the technicalities behind a system are crucial to making rational, informed decisions when off-nominal situations arise. It also emphasizes the importance of analyzing failure modes introduced by new systems, accounting for such possibilities and formulating backup plans.

Flag-of-Convenience vessels are ships that have been registered in a nation other than the country where its owners reside. Motivating factors for such an arrangement include inexpensive taxes, cheap labor and low maintenance standards. The Motor Vessel (MV) Bright Field was one such freighter: it was operated by a Chinese crew and registered under the Liberian flag. On Dec. 14, 1996, the Bright Field departed the U.S. for Japan while carrying a cargo of American grain. Its voyage ended only hours after it began when an engine trip caused by low oil pressure left the crew powerless to navigate the massive freighter. Within minutes, the Bright Field veered toward the Mississippi riverbank and crashed into the New Orleans Riverwalk. Dozens of passengers on neighboring entertainment vessels and on the Riverwalk itself were injured in their attempts to escape, but remarkably, no one was killed. The impact destroyed many riverside facilities, and the incident points to incomplete risk management by riverfront stakeholders as well as by Bright Field operators. Comprehensive risk assessments are cornerstones to any mission, and this case emphasizes the importance of formulating plans to mitigate high-consequence scenarios.

When a crew of three cosmonauts concluded a pioneering 24-day mission aboard Earth’s first space station, an entire nation waited to welcome them. But joy turned to grief after recovery teams opened the descent capsule and discovered all three cosmonauts dead in their seats. A valve meant to equalize cabin pressure with Earth’s atmosphere moments prior to landing had been forced open prematurely to vacuum when the descent module separated explosively from the rest of Soyuz-11, suffocating the crew. Events leading to the depressurization show how unplanned mechanical shock led to single-point failure of a critical assembly, and how complex systems can defeat attempts to ensure comprehensive human understanding of a project’s design from concept development to operation.

On May 31, 2008, the Space Shuttle Discovery launched from Kennedy Space Center's Pad 39A. Its mission was to deliver "Kibo" (or Hope, the centerpiece of the Japanese Experiment Module) to the International Space Station. After the launch, NASA Safing Teams set out to inspect the launch facility and were surprised to find the entire area littered with debris. Discovery's liftoff had produced dynamic loads strong enough to tear thousands of bricks from their anchors in the flame trench wall. The flying bricks, shown by radar to travel at speeds up to 680 miles per hour, damaged the opposite wall and a nearby security fence. Some bricks travelled distances exceeding 1,800 feet. Although the debris did not impact the Space Shuttle or compromise its mission, damages to the flame trench were estimated to cost $2.5 million. An aging infrastructure, an incomprehensive maintenance plan and oversights in the transition from Apollo to Space Shuttle conspired to weaken the structure of the flame trench until finally, it failed. This incident teaches us that decades-long vigilance over systems and infrastructures is crucial to identifying and rectifying hazards before they become mishaps.