Challenger Tragedy: Presidential Report Continued
By Marty McDowell/NASA
An Accident Rooted in History
Early Design
The Space Shuttle's Solid Rocket Booster problem began with the faulty
design of its joint and increased as both NASA and contractor management
first failed to recognize it as a problem, then failed to fix it and
finally treated it as an acceptable flight risk.
Morton Thiokol, Inc., the contractor, did not accept the implication of
tests early in the program that the design had a serious and unanticipated
flaw. NASA did not accept the judgment of its engineers that the design
was unacceptable, and as the joint problems grew in number and severity
NASA minimized them in management briefings and reports. Thiokol's stated
position was that "the condition is not desirable but is
acceptable."
Neither Thiokol nor NASA expected the rubber O-rings sealing the joints
to be touched by hot gases of motor ignition, much less to be partially
burned. However, as tests and then flights confirmed damage to the sealing
rings, the reaction by both NASA and Thiokol was to increase the amount of
damage considered "acceptable." At no time did management either
recommend a redesign of the joint or call for the Shuttle's grounding
until the problem was solved.
Findings
The genesis of the Challenger accident -- the failure of the joint of
the right Solid Rocket Motor -- began with decisions made in the design of
the joint and in the failure by both Thiokol and NASA's Solid Rocket
Booster project office to understand and respond to facts obtained during
testing.
The Commission has concluded that neither Thiokol nor NASA responded
adequately to internal warnings about the faulty seal design. Furthermore,
Thiokol and NASA did not make a timely attempt to develop and verify a new
seal after the initial design was shown to be deficient. Neither
organization developed a solution to the unexpected occurrences of O-ring
erosion and blow-by even though this problem was experienced frequently
during the Shuttle flight history. Instead, Thiokol and NASA management
came to accept erosion and blow-by as unavoidable and an acceptable flight
risk. Specifically, the Commission has found that:
1. The joint test and certification program was inadequate. There was
no requirement to configure the qualification test motor as it would be
in flight, and the motors were static tested in a horizontal position, not
in the vertical flight position.
2. Prior to the accident, neither NASA nor Thiokol fully understood the
mechanism by which the joint sealing action took place.
3. NASA and Thiokol accepted escalating risk apparently because they
"got away with it last time." As Commissioner Feynman observed,
the decision making was:
"a kind of Russian roulette. ... (The Shuttle) flies (with O-ring
erosion) and nothing happens. Then it is suggested, therefore, that the
risk is no longer so high for the next flights. We can lower our standards
a little bit because we got away with it last time. ... You got away with
it, but it shouldn't be done over and over again like that."
4. NASA's system for tracking anomalies for Flight Readiness Reviews
failed in that, despite a history of persistent O-ring erosion and
blow-by, flight was still permitted. It failed again in the strange
sequence of six consecutive launch constraint waivers prior to 51-L,
permitting it to fly without any record of a waiver, or even of an
explicit constraint. Tracking and continuing only anomalies that are
"outside the data base" of prior flight allowed major problems
to be removed from and lost by the reporting system.
5. The O-ring erosion history presented to Level I at NASA Headquarters
in August 1985 was sufficiently detailed to require corrective action
prior to the next flight.
6. A careful analysis of the flight history of O-ring performance would
have revealed the correlation of O-ring damage and low temperature.
Neither NASA nor Thiokol carried out such an analysis; consequently, they
were unprepared to properly evaluate the risks of launching the 51-L
mission in conditions more extreme than they had encountered before.
The Silent Safety Program
The Commission was surprised to realize after many hours of testimony
that NASA's safety staff was never mentioned. No witness related the
approval or disapproval of the reliability engineers, and none expressed
the satisfaction or dissatisfaction of the quality assurance staff. No one
thought to invite a safety representative or a reliability and quality
assurance engineer to the January 27, 1986, teleconference between
Marshall and Thiokol. Similarly, there was no representative of safety on
the Mission Management Team that made key decisions during the countdown
on January 28, 1986. The Commission is concerned about the symptoms that
it sees.
The unrelenting pressure to meet the demands of an accelerating flight
schedule might have been adequately handled by NASA if it had insisted
upon the exactingly thorough procedures that were its hallmark during the
Apollo program. An extensive and redundant safety program comprising
interdependent safety, reliability and quality assurance functions existed
during and after the lunar program to discover any potential safety
problems. Between that period and 1986, however, the program became
ineffective. This loss of effectiveness seriously degraded the checks and
balances essential for maintaining flight safety.
On April 3, 1986, Arnold Aldrich, the Space Shuttle program manager,
appeared before the Commission at a public hearing in Washington, D.C. He
described five different communication or organization failures that
affected the launch decision on January 28, 1986. Four of those failures
relate directly to faults within the safety program. These faults include
a lack of problem reporting requirements, inadequate trend analysis,
misrepresentation of criticality and lack of involvement in critical
discussions. A properly staffed, supported, and robust safety organization
might well have avoided these faults and thus eliminated the communication
failures.
NASA has a safety program to ensure that the communication failures to
which Mr. Aldrich referred do not occur. In the case of mission 51-L, that
program fell short.
Findings
1. Reductions in the safety, reliability and quality assurance work
force at Marshall and NASA Headquarters have seriously limited capability
in those vital functions.
2. Organizational structures at Kennedy and Marshall have placed
safety, reliability and quality assurance offices under the supervision of
the very organizations and activities whose efforts they are to check.
3. Problem reporting requirements are not concise and fail to get
critical information to the proper levels of management.
4. Little or no trend analysis was performed on O-ring erosion and
blow-by problems.
5. As the flight rate increased, the Marshall safety, reliability and
quality assurance work force was decreasing, which adversely affected
mission safety.
6. Five weeks after the 51-L accident, the criticality of the Solid
Rocket Motor field joint was still not properly documented in the problem
reporting system at Marshall.
Pressures on the System
With the 1982 completion of the orbital flight test series, NASA began
a planned acceleration of the Space Shuttle launch schedule. One early
plan contemplated an eventual rate of a mission a week, but realism forced
several downward revisions. In 1985, NASA published a projection calling
for an annual rate of 24 flights by 1990. Long before the Challenger
accident, however, it was becoming obvious that even the modified goal of
two flights a month was overambitious.
In establishing the schedule, NASA had not provided adequate resources
for its attainment. As a result, the capabilities of the system were
strained by the modest nine-mission rate of 1985, and the evidence
suggests that NASA would not have been able to accomplish the 14 flights
scheduled for 1986. These are the major conclusions of a Commission
examination of the pressures and problems attendant upon the accelerated
launch schedule.
Findings
1. The capabilities of the system were stretched to the limit to
support the flight rate in winter 1985/1986. Projections into the spring
and summer of 1986 showed a clear trend; the system, as it existed, would
have been unable to deliver crew training software for scheduled flights
by the designated dates. The result would have been an unacceptable
compression of the time available for the crews to accomplish their
required training.
2. Spare parts are in critically short supply. The Shuttle program made
a conscious decision to postpone spare parts procurements in favor of
budget items of perceived higher priority. Lack of spare parts would
likely have limited flight operations in 1986.
3. Stated manifesting policies are not enforced. Numerous late manifest
changes (after the cargo integration review) have been made to both major
payloads and minor payloads throughout the Shuttle program.
Late changes to major payloads or program requirements can require
extensive resources (money, manpower, facilities) to implement.
If many late changes to "minor" payloads occur, resources are
quickly absorbed.
Payload specialists frequently were added to a flight well after
announced deadlines.
Late changes to a mission adversely affect the training and development
of procedures for subsequent missions.
4. The scheduled flight rate did not accurately reflect the
capabilities and resources.
The flight rate was not reduced to accommodate periods of adjustment in
the capacity of the work force. There was no margin in the system to
accommodate unforeseen hardware problems.
Resources were primarily directed toward supporting the flights and
thus not enough were available to improve and expand facilities needed to
support a higher flight rate.
5. Training simulators may be the limiting factor on the flight rate:
the two current simulators cannot train crews for more than 12-15 flights
per year.
6. When flights come in rapid succession, current requirements do not
ensure that critical anomalies occurring during one flight are identified
and addressed appropriately before the next flight.
Other Safety Considerations
In the course of its investigation, the Commission became aware of a
number of matters that played no part in the mission 51-L accident but
nonetheless hold a potential for safety problems in the future.
Some of these matters, those involving operational concerns, were
brought directly to the Commission's attention by the NASA astronaut
office. They were the subject of a special hearing.
Other areas of concern came to light as the Commission pursued various
lines of investigation in its attempt to isolate the cause of the
accident. These inquiries examined such aspects as the development and
operation of each of the elements of the Space Shuttle -- the Orbiter, its
main engines and the External Tank; the procedures employed in the
processing and assembly of 51-L, and launch damage.
This chapter examines potential risks in two general areas. The first
embraces critical aspects of a Shuttle flight; for example, considerations
related to a possible premature mission termination during the ascent
phase and the risk factors connected with the demanding approach and
landing phase. The other focuses on testing, processing and assembling the
various elements of the Shuttle.
Ascent: A Critical Phase
The events of flight 51-L dramatically illustrated the dangers of the
first stage of a Space Shuttle ascent. The accident also focused attention
on the issues of Orbiter abort capabilities and crew escape. Of particular
concern to the Commission are the current abort capabilities, options to
improve those capabilities, options for crew escape and the performance of
the range safety system.
It is not the Commission's intent to second-guess the Space Shuttle
design or try to depict escape provisions that might have saved the 51-L
crew. In fact, the events that led to destruction of the Challenger
progressed very rapidly and without warning. Under those circumstances,
the Commission believes it is highly unlikely that any of the systems
discussed below, or any combination of those systems, would have saved the
flight 51-L crew.
Findings
1. The Space Shuttle System was not designed to survive a failure of
the Solid Rocket Boosters. There are no corrective actions that can be
taken if the boosters do not operate properly after ignition, i.e., there
is no ability to separate an Orbiter safely from thrusting boosters and no
ability for the crew to escape the vehicle during first-stage ascent.
Neither the Mission Control Team nor the 51-L crew had any warning of
impending disaster.
Even if there had been warning, there were no actions available to the
crew or the Mission Control Team to avert the disaster.
Landing: Another Critical Phase
The consequences of faulty performance in any dynamic and demanding
flight environment can be catastrophic. The Commission was concerned that
an insufficient safety margin may have existed in areas other than Shuttle
ascent. Entry and landing of the Shuttle are dynamic and demanding with
all the risks and complications inherent in flying a heavyweight glider
with a very steep glide path. Since the Shuttle crew cannot divert to any
alternate landing site after entry, the landing decision must be both
timely and accurate. In addition, the landing gear, which includes wheels,
tires and brakes, must function properly.
In summary, although there are valid programmatic reasons to land
routinely at Kennedy, there are concerns that suggest that this is not
wise under the present circumstances. While planned landings at Edwards
carry a cost in dollars and days, the realities of weather cannot be
ignored. Shuttle program officials must recognize that Edwards is a
permanent, essential part of the program. The cost associated with regular
scheduled landing and turnaround operations at Edwards is thus a necessary
program cost.
Decisions governing Space Shuttle operations must be consistent with
the philosophy that unnecessary risks have to be eliminated. Such
decisions cannot be made without a clear understanding of margins of
safety in each part of the system.
Unfortunately, margins of safety cannot be assured if performance
characteristics are not thoroughly understood, nor can they be deduced
from a previous flight's "success."
The Shuttle program cannot afford to operate outside its experience in
the areas of tires, brakes and weather, with the capabilities of the
system today. Pending a clear understanding of all landing and
deceleration systems, and a resolution of the problems encountered to date
in Shuttle landings, the most conservative course must be followed in
order to minimize risk during this dynamic phase of flight.
Shuttle Elements
The Space Shuttle Main Engine teams at Marshall and Rocketdyne have
developed engines that have achieved their performance goals and have
performed extremely well. Nevertheless the main engines continue to be
highly complex and critical components of the Shuttle that involve an
element of risk principally because important components of the engines
degrade more rapidly with flight use than anticipated. Both NASA and
Rocketdyne have taken steps to contain that risk. An important aspect of
the main engine program has been the extensive "hot fire" ground
tests. Unfortunately, the vitality of the test program has been reduced
because of budgetary constraints.
The number of engine test firings per month has decreased over the past
two years. Yet this test program has not yet demonstrated the limits of
engine operation parameters or included tests over the full operating
envelope to show full engine capability. In addition, tests have not yet
been deliberately conducted to the point of failure to determine actual
engine operating margins.
Source: NASA.