Safety Gaps: Learning from Columbia

STS-107


On February 1, 2003, space shuttle Columbia experienced a loss of control and a catastrophic break-up at about 180,000 feet during re-entry, while travelling at hypersonic speed.

All seven crew members were killed as the crew module rapidly depressurized.

Years after the original investigation, a follow-up NASA study closely examined crew survivability.

The study touches on every aspect of safety, from equipment design and use to system integration and accident investigation methods.

Despite NASA’s commitment to shuttle safety, especially after the Challenger accident, gaps or lapses in safety procedures and programs were common.

We don’t fly in space but we operate in a similar dynamic environment and can profit from their experience.

46 Seconds

The leading edge of Columbia’s left wing was breached during ascent by a strike from insulating foam that had separated from the external tank.

As the orbiter re-entered the earth’s atmosphere, superheated gas entered the left wing, damaging wiring and hydraulic lines.

It is likely that the crew’s first hard evidence of a serious problem was the loss of control that followed failure of the hydraulic lines: the elevons and body flap moved to a “floating” position and the orbiter pitched nose up.

In the ensuing seconds the forward fuselage containing the crew module broke away from the rest of the spacecraft.

At that moment the crew lost on-board oxygen and all electrical power, including voice intercom and lighting.

(All crew members had activated their personal chem-stick lights.)

Moments later both the crew module and what remained of the forward fuselage disintegrated; the crew module probably broke up less than 15 seconds after it separated from the forebody.

The period from loss of the communication signal to the catastrophic event was about 46 seconds, and that window is the focus of the analysis of crew actions.

Normalizing Risk

Challenger Crew Module After Separation From Orbiter


The Columbia crew paid the price for the failure of NASA leadership to keep safety continuously as the primary goal.

Both the 1986 Challenger and the 2003 Columbia accidents are largely attributable to the normalization of risk within NASA.

In both cases leaders were faced with repeated, unsettling events during launch that could have destroyed the orbiter.

With Challenger the problem was the solid rocket booster O-rings; with Columbia it was insulating foam shed from the external tank.

NASA failed to adequately address either problem because launch after launch succeeded despite visible damage to the spacecraft.

This same normalization of risk was an issue within the Columbia crew itself, and it would become apparent during the crew survival study.

Risk Normalization in the Crew Module


Crew behavior contributed to an unsafe and potentially lethal work environment.

Preparing for re-entry required resetting the interior of the shuttle, and many of its systems, to a new configuration.

Seats were re-installed, equipment was stowed and the in-flight evacuation mechanism was set up.

Most of this work was done from checklists, and the process was both laborious and time-consuming.

One crew member was neither seated nor belted when the loss-of-control event began.

Another crew member was not wearing a helmet, and several others did not have their gloves properly donned.

All helmet visors were in the “up” position, denying the crew the use of emergency oxygen.

These lapses were excused as the result of crews being unable to finish routine tasks in the time available, as if work schedules or task responsibilities could not have been shifted so that every crew member was seated, belted and fully ready for re-entry.

Problem-Solving Versus Survival

The Columbia crew was among the best trained ever and was noted for the closeness of its team.

In one example, the crew completed a complicated multi-step procedure without verbal communication, relying solely on hand signals.

During the loss of control the crew would have been swaying side to side while being pulled forward and pushed down into their seats as the orbiter entered a flat, slow spin.

Bracing would have been required, and the report suggests that the team was focused on diagnosing and dealing with the anomalies.

In the first 32 seconds the data show that the flight crew acknowledged a fault message with a keyboard entry and re-engaged the autopilot after bumping and disengaging it. In addition, a recovered switch panel suggests that the pilot was also attempting an auxiliary power unit restart in order to regain hydraulic pressure.

These actions indicate that cabin conditions still allowed deliberate, trained responses.

The study panel concluded that the crew were excellent problem solvers yet unable to transition to a survival mode in the critical seconds available.

It emphasized the need for crews to recognize the onset of lethal conditions early and to transition to survival mode immediately.

In the end, though, crew actions were hampered by a lack of “egress readiness.”

Protective Equipment

Astronauts wore the Advanced Crew Escape Suit (ACES), adopted after the 1986 Challenger accident; at the time of Challenger the crew flew in a “shirt sleeve” environment inside the crew module.

The suits were bulky and the flight deck was not redesigned to account for them, so mishaps such as bumping and disengaging the autopilot were fairly common. Indeed, it occurred at least twice during the Columbia accident.

Oddly, the suits could not be used with the visors down during re-entry because they supplied 100 percent oxygen.

Exhaled gas would have raised the oxygen content of the cabin to levels deemed unsafe because of the fire risk.

This meant that visors remained up to prevent fogging, and that using the oxygen system in an emergency required first lowering the visor and then activating the system.

Advanced Crew Escape Suit


Communication

The escape suit assembly included, among other things, a parachute, a raft and other survival gear.

If the shuttle escape system was not in use, the parachute required manual deployment.

The suit did not include a battery to power crew communications if the shuttle system failed.

When the fuel cells were lost near or during the catastrophic event, all powered systems, including communication, ceased.

Crew members would have been reduced to shouting to one another or using hand signals to communicate.

Gloves

A number of crew members did not have their gloves connected to the suit, meaning the suit could not have pressurized in an emergency and they would have been unprotected in a bail-out.

Several reasons are given: some crew members preferred to work with their gloves off, and others simply ran behind in completing the tasks needed to prepare the orbiter for re-entry.

In fact, being rushed was a common complaint. It contributed to crews entering a re-entry environment where use of the escape system might be possible but they would not be prepared to use it.

Restraints

Seat harnesses included shoulder, lap and crotch belts.

Most crew members were fully strapped in when the loss of control occurred, but the shoulder harness inertia reels did not lock, leaving the upper body unrestrained and leading to lethal trauma when the crew module failed.

Because the visors were up, the depressurization would have incapacitated the crew in less than 15 seconds.

(It is surmised that the cabin breaches were fairly small, probably two in number, and that they occurred when the crew module contacted the orbiter forebody during the catastrophic event.)

Once unconscious, the crew were unable to brace against the gravitational and rotational forces acting on the orbiter.

Summary

The combined gaps in safety procedures and protective equipment significantly reduced the crew’s survival margin once conditions degraded to the point that emergency action was necessary.

The re-entry procedures placed the crew in a compromised position, since they often could not both complete their assigned duties and be properly restrained and protected.

The ACES oxygen system could not be used during re-entry because of the potential fire hazard in the crew module.

The seat restraint system failed to protect an unconscious crew from rotational forces.

There was no back-up mode for the loss of on-board communications.

These gaps were normalized and accepted by NASA leadership and safety experts over a period of time.

Is your crew creating safety gaps through risk normalization?


Columbia Disintegrates


6 Comments

  • Bill Hand says:

    A great example to use when discussing almost anything that has to do with safety. This “Normalization of Deviance” thing happens every day in the fire service (and other jobs) all over the country. I used to teach a lot out at Johnson Space Center here in Houston, and NASA was without doubt the most safety-conscious organization that I ever worked for, but they occasionally screwed things up.

    • Eric Lamar says:

      Thanks, Bill.

      If the best can let things slip (twice) it shows the challenge of keeping safety “fresh” in our minds.

      Eric

  • cortez lawrence says:

    OK my friend, you have dropped the first shoe here, when will the second fall? You should follow on this now that you have our attention, with operationalizing this for fire service leaders and members, but especially company officers! So what does a “prepared for re-entry” fire company look like, and think like, and train like, and how does their agency create a “normalization of safety situation”? Great start, and with all your leisure time combined with your knowledge this could blossom into a series, mayhap even another career! I look forward to your next efforts, as always, CL

  • Miguel A Lima says:

    Hi Eric.
    I just read your report on the space shuttle disasters, and although it truly is a shame how people have become complacent in their responsibilities, to compare NASA to the Fire Service, or vice versa, is a little far-reaching.
    I do agree that we’ve all become guilty of normalizing risk, but there seems to be a big difference between us and them.
    Unlike NASA, we in the Fire Service have been under attack in many different ways, including financially, where NASA on the other hand had unlimited funding.
    As we all know, we have faced the most severe staffing shortages in history, and although that doesn’t excuse skipping steps, in any form, it does normalize it in the sense that things need to be accomplished at every emergency no matter what. We have sworn to protect life and property, on Earth; shame on us if we let the unprotected down by not doing everything possible to accomplish our mission.
    Granted, our leaders have a responsibility to the members, but we also need to check ourselves and put the blame on who truly is responsible. Just remember that the public we serve see us and not the production managers of fantasy.

    • Eric Lamar says:

      M-

      Thanks for writing.

      Here’s what Bill Hand, a foremost firefighter safety professional had to say about the comparison, not just to firefighting, but worker safety in a universal sense:

      “A great example to use when discussing almost anything that has to do with safety.”

      NASA leadership is ultimately responsible for the procedural and systemic lapses.

      Eric
