NASAhistory.nasa.gov/columbia/Troxell/Columbia Web Site/CAIB... · 2003. 12. 4. · Limited First...

Note: Volumes II – VI contain a number of conclusions and recommendations, several of which were adopted by the Board in Volume I. The other conclusions and recommendations drawn in Volumes II – VI do not necessarily reflect the opinion of the Board, but are included for the record. When there is conflict, Volume I takes precedence.

COLUMBIA ACCIDENT INVESTIGATION BOARD
Report Volume V
Appendices G.10 – G.12
October 2003


Limited First Printing, October 2003, by the Columbia Accident Investigation Board

Subsequent Printing and Distribution by the National Aeronautics and Space Administration and the Government Printing Office, Washington, D.C.

On the Front Cover

This was the crew patch for STS-107. The central element of the patch was the microgravity symbol, µg, flowing into the rays of the Astronaut symbol. The orbital inclination was portrayed by the 39-degree angle of the Earthʼs horizon to the Astronaut symbol. The sunrise was representative of the numerous science experiments that were the dawn of a new era for continued microgravity research on the International Space Station and beyond. The breadth of science conducted on this mission had widespread benefits to life on Earth and the continued exploration of space, illustrated by the Earth and stars. The constellation Columba (the dove) was chosen to symbolize peace on Earth and the Space Shuttle Columbia. In addition, the seven stars represent the STS-107 crew members, as well as honoring the original Mercury 7 astronauts who paved the way to make research in space possible. The Israeli flag represented the first person from that country to fly on the Space Shuttle.

On the Back Cover

This emblem memorializes the three U.S. human space flight accidents – Apollo 1, Challenger, and Columbia. The words across the top translate to: “To The Stars, Despite Adversity – Always Explore”

The Board would like to acknowledge the hard work and effort of the following individuals in the production of Volumes II – VI.

Maj. Gen. John L. Barry: Executive Director to the Chairman
Dennis R. Jenkins: Investigator and Liaison to the Board
Lt. Col. Donald J. White: Technical Editor
Lt. Col. Patrick A. Goodman: Technical Editor
Joshua M. Limbaugh: Layout Artist
Joseph A. Reid: Graphic Designer
Christine F. Cole: Administrative Assistant
Jana T. Schultz: Administrative Assistant
Lester A. Reingold: Lead Editor
Christopher M. Kirchhoff: Editor
Ariel H. Simon: Assistant Editor
Jennifer L. Bukvics: Lead Project Manager
Donna J. Fudge: Senior Paralegal, Group II Coordinator
Susan M. Plott: Project Supervisor, Group III Coordinator
Ellen M. Tanner: Project Supervisor
Matthew J. Martin: Government Relations Consultant
Frances C. Fisher: ANSER Liaison

COLUMBIA ACCIDENT INVESTIGATION BOARD

REPORT VOLUME V OCTOBER 2003


VOLUME I

PART ONE THE ACCIDENT
Chapter 1 The Evolution of the Space Shuttle Program
Chapter 2 Columbiaʼs Final Flight
Chapter 3 Accident Analysis
Chapter 4 Other Factors Considered

PART TWO WHY THE ACCIDENT OCCURRED
Chapter 5 From Challenger to Columbia
Chapter 6 Decision Making at NASA
Chapter 7 The Accidentʼs Organizational Causes
Chapter 8 History as Cause: Columbia and Challenger

PART THREE A LOOK AHEAD
Chapter 9 Implications for the Future of Human Space Flight
Chapter 10 Other Significant Observations
Chapter 11 Recommendations

PART FOUR APPENDICES
Appendix A The Investigation
Appendix B Board Member Biographies
Appendix C Board Staff

VOLUME II CAIB TECHNICAL DOCUMENTS CITED IN THE REPORT
Readerʼs Guide to Volume II
Appendix D.a Supplement to the Report
Appendix D.b Corrections to Volume I of the Report
Appendix D.1 STS-107 Training Investigation
Appendix D.2 Payload Operations Checklist 3
Appendix D.3 Fault Tree Closure Summary
Appendix D.4 Fault Tree Elements – Not Closed
Appendix D.5 Space Weather Conditions
Appendix D.6 Payload and Payload Integration
Appendix D.7 Working Scenario
Appendix D.8 Debris Transport Analysis
Appendix D.9 Data Review and Timeline Reconstruction Report
Appendix D.10 Debris Recovery
Appendix D.11 STS-107 Columbia Reconstruction Report
Appendix D.12 Impact Modeling
Appendix D.13 STS-107 In-Flight Options Assessment
Appendix D.14 Orbiter Major Modification (OMM) Review
Appendix D.15 Maintenance, Material, and Management Inputs
Appendix D.16 Public Safety Analysis
Appendix D.17 MER Managerʼs Tiger Team Checklist
Appendix D.18 Past Reports Review
Appendix D.19 Qualification and Interpretation of Sensor Data from STS-107
Appendix D.20 Bolt Catcher Debris Analysis


VOLUME III OTHER TECHNICAL DOCUMENTS
Readerʼs Guide to Volume III
Appendix E.1 CoFR Endorsements
Appendix E.2 STS-107 Image Analysis Team Final Report
Appendix E.3 An Assessment of Potential Material Candidates for the “Flight Day 2” Radar Object Observed during the NASA Mission STS-107
Appendix E.4 Columbia Early Sighting Assessment Team Final Report

VOLUME IV OTHER TECHNICAL DOCUMENTS
Readerʼs Guide to Volume IV
Appendix F.1 Water Absorption by Foam
Appendix F.2 Follow the TPS
Appendix F.3 MADS Sensor Data
Appendix F.4 ET Cryoinsulation
Appendix F.5 Space Shuttle STS-107 Columbia Accident Investigation, External Tank Working Group Final Report – Volume 1

VOLUME V OTHER SIGNIFICANT DOCUMENTS
Readerʼs Guide to Volume V
Appendix G.1 Requirements and Procedures for Certification of Flight Readiness
Appendix G.2 Appendix R, Space Shuttle Program Contingency Action Plan
Appendix G.3 CAIB Charter, with Revisions
Appendix G.4 Group 1 Matrix Brief on Maintenance, Material, and Management
Appendix G.5 Vehicle Data Mapping (VDM) Team Final Report, Jun 13, 2003
Appendix G.6 SRB Working Group Presentation to CAIB
Appendix G.7 Starfire Team Final Report, Jun 3, 2003
Appendix G.8 Using the Data and Observations from Flight STS-107... Exec Summary
Appendix G.9 Contracts, Incentives, and Safety/Technical Excellence
Appendix G.10 Detailed Summaries: Rogers Commission Report, ASAP Report, SIAT Report
Appendix G.11 Foam Application and Production Chart
Appendix G.12 Crew Survivability Report
Appendix G.13 Aero/Aerothermal/Thermal/Structures Team Final Report, Aug 6, 2003

VOLUME VI TRANSCRIPTS OF BOARD PUBLIC HEARINGS
Readerʼs Guide to Volume VI
Appendix H.1 March 6, 2003 Houston, Texas
Appendix H.2 March 17, 2003 Houston, Texas
Appendix H.3 March 18, 2003 Houston, Texas
Appendix H.4 March 25, 2003 Cape Canaveral, Florida
Appendix H.5 March 26, 2003 Cape Canaveral, Florida
Appendix H.6 April 7, 2003 Houston, Texas
Appendix H.7 April 8, 2003 Houston, Texas
Appendix H.8 April 23, 2003 Houston, Texas
Appendix H.9 May 6, 2003 Houston, Texas
Appendix H.10 June 12, 2003 Washington, DC


Readerʼs Guide to Volume V

Volume V of the Report contains appendices that were not cited in Volume I. These consist of documents produced by NASA and other organizations, which were provided to the Columbia Accident Investigation Board in support of its inquiry into the February 1, 2003 destruction of the Space Shuttle Columbia. The documents are compiled in this volume in the interest of establishing a complete record, but they do not necessarily represent the views of the Board. Volume I contains the Boardʼs findings, analysis, and recommendations. The documents in Volume V are also contained in their original color format on the DVD disc in the back of Volume II.


Volume V
Appendix G.10

Detailed Summaries
• Rogers Commission Report
• ASAP Report
• SIAT Report


G.10 Past Reports Review

1.0 Past Reports Overview

The Columbia Accident Investigation Board was very interested in how other independent review boards had evaluated the Space Shuttle Program. A number of previously released reports were reviewed for relevance to the Columbia accident. At the highest level the Board looked at what general areas each of the reports had covered. These were broken up into nine categories, and most reports concentrated in a small subset of these areas. This evaluation provided the Board with insight into how NASA had previously responded to criticisms from independent evaluations, and also assisted the Board in determining how to frame new Findings and Recommendations for the strongest impact. The following table provides a general overview of the content of more than 45 previous reports.


[Table: Past Reports Review, 1 of 3. Categories: Infrastructure, Communication, Contracts, Risk Management, Quality Assurance, Safety Programs, Maintenance, Security, Workforce Issues. Reports: Rogers Report – 1986; STS-29 Prelaunch Assessment – 1989; “Augustine Report” – 1990; Paté-Cornell Report – 1990; “Aldridge Report” – 1992; GAO: NASA Infrastructure – 1996; GAO: NASA Workforce Reductions – 1996; Super Light Weight Tank Independent Assessment – 1997; Process Readiness Review – 1998; S&MA Ground Operations Report – 1998; GAO: NASA Management Challenges – 1999; Independent Assessment JS-9047 – 1999; Independent Assessment JS-9059 – 1999; Independent Assessment JS-9078 – 1999; Independent Assessment JS-9083 – 1999; S&MA Ground Operations Report – 1999.]


[Table: Past Reports Review, 2 of 3. Categories: Infrastructure, Communication, Contracts, Risk Management, Quality Assurance, Safety Programs, Maintenance, Security, Workforce Issues. Reports: Space Shuttle Independent Assessment Team – 1999; Space Shuttle Ground Operations Report – 1999; Space Shuttle Program (SSP) Annual Report – 1999; GAO: Space Shuttle Human Capital & Safety – 2000; Independent Assessment JS-0032 – 2000; Independent Assessment JS-0034 – 2000; Independent Assessment JS-0045 – 2000; IG Audit Report 00-039 – 2000; NASA Independent Assessment Team – 2000; Space Shuttle Program Annual Report – 2000; ASAP Report – 2001; GAO: NASA Critical Areas – 2001; GAO: Space Shuttle Safety – 2001; Independent Assessment JS-1014 – 2001; Independent Assessment JS-1024 – 2001.]


[Table: Past Reports Review, 3 of 3. Categories: Infrastructure, Communication, Contracts, Risk Management, Quality Assurance, Safety Programs, Maintenance, Security, Workforce Issues. Reports: Independent Assessment KS-0003 – 2001; Independent Assessment KS-1001 – 2001; Workforce Survey-KSC – 2001; Space Shuttle Program Annual Report – 2001; SSP Processing Independent Assessment – 2001; ASAP Report – 2002; GAO: Lessons Learned Process – 2002; Independent Assessment KS-1002 – 2002; Selected NASA Lessons Learned – 1992-2002; NASA Navy Benchmarking Exchange – 2002; Space Shuttle Program Annual Report – 2002; ASAP Leading Indicators; NASA Quality Management System – 2003; QAS Tiger Team Report – 2003; Shuttle Business Environment – 2003.]


[Figure: CAIB Review vs. Past Reviews. Axes: CAIB Review Areas (Infrastructure, Communication, Contracts, Risk Management, Quality Assurance, Safety Programs, Maintenance, Security, Workforce Issues) against Past Reviews (scale 0 to 30).]


2.0 Detailed Report Summaries

In addition to the general overview, many previous reports – particularly from the annual Aerospace Safety Advisory Panel (ASAP) evaluation – were analyzed in more detail to determine if there were consistent trends in how NASA dealt with external criticisms. The following table lists the Findings and Recommendations from a long list of advisory panels that have reviewed Space Shuttle operations. The last column details NASA’s response to the Finding or Recommendation, if it was publicly released.

The table does not contain every Finding and Recommendation made in the reports that were analyzed, only those that seemed to have particular relevance to the NASA organization and culture as it affected STS-107. Many detailed technical recommendations that addressed specific hardware issues are not listed (and almost all were corrected by NASA in a timely manner), and recommendations that were not directed at the Space Shuttle Program are also not listed.


Independent Assessment Team (Chartered by) | Date of Report | Finding | Recommendation | NASA Response

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-1: Many problems have not been discovered until late in the prelaunch sequence. In all of these cases, checkout, test, and inspection procedures were properly performed. The potentially hazardous discrepancies were not detected earlier because the test and inspection requirements did not dictate more specific or more stringent screening.

Recommendation 02-1a: Through proactive review, revalidate and revise the criteria for critical ground and flight systems recertification.

Recommendation 02-1b: Based on the findings and technical information garnered from the recertification process, validate and update the maintenance, test, and inspection requirements.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-2: The growing Backlog of Maintenance and Repair (BMAR) and the change to Full Cost Accounting (FCA) may put infrastructure vital to safe operations at risk.

Recommendation 02-2: Reduce the BMAR on critical infrastructure as quickly as possible to ensure that this infrastructure remains safe and capable of supporting NASA’s missions.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-3: NASA has not established a guiding principle for locating safety organizations within its organizational structure. Unlike the DOD and industry, NASA’s safety organizations are integrated into the assurance organization rather than into systems engineering.

Recommendation 02-3: Through appropriate management action, define an Agency-wide safety organizational structure—one that separates system safety engineering from system safety assurance.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-4: NASA’s safety policy direction is well formulated, but the Panel has observed that safety tends to be a comprehensive activity only late in the development cycle after design is complete, and occasionally only after an incident or mishap.

Recommendation 02-4a: Consider integrating safety into systems engineering to support system development and sustaining engineering and supporting system safety assurance through an independent reporting channel from the safety organization to the mission assurance organization.


Recommendation 02-4b: Establish independent funding mechanisms and appropriate authority, responsibility, and accountability for these new safety units.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-5: NASA personnel do not view appointments to safety organizations as a positive career move.

Recommendation 02-5: Require that managers of major NASA programs and projects have experience in safety organizations.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-6: NASA’s application of root cause analysis appears to be inconsistent across the Agency and across programs.

Recommendation 02-6a: Continue the effort that has begun to assess the state of root cause analysis performed by NASA and its contractors. Provide the training and resources necessary to resolve any deficiencies.

Recommendation 02-6b: Explore the causes of cultural or contractual impediments, and devise ways to change the culture from a fixing orientation (identifying and eliminating deviations or symptoms of deeper problems) to a learning orientation in which both cultural and organizational factors are included in the search for the source of problems.

Recommendation 02-6c: Establish an oversight process for reviewing the root cause analyses and the resulting recommendations for all major failures or incidents.


Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-7: The shift to FCA in FY 2004 could negatively impact the ability to sustain safe and reliable operations.

Recommendation 02-7: Identify the impact of the implementation plans for FCA with respect to safe and reliable operations during and after the transition. Ensure that programs (including maintenance and modernization of hardware and software), personnel, infrastructure, and contractor services essential to safety are adequately funded.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-8: The orbiter program is making progress in incorporating Engineering orders (EO) into engineering drawings.

Recommendation 02-8: Identify drawings that are critical to flight safety, update them to include all EOs, and keep them current.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-9: Although progress is being made, there is no commitment to implementing crew escape capabilities for all regions of powered flight.

Recommendation 02-9: Complete the ongoing studies of crew escape design options. Either document the reasons for not implementing the NASA Program Guideline of Human Rating (currently in review) or expedite the deployment of such capabilities.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-10: The Cockpit Avionics Upgrade (CAU) is making excellent progress toward meeting its objectives. The flight crews interviewed by the Panel were enthusiastic and unanimous in support of the effort. The Panel believes that Increment II must be completed in order to realize significant safety improvements in Shuttle operations.

Recommendation 02-10: Provide ongoing funding for the CAU through Increment II so that continuity between the two phases can be maintained.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-11: The Cockpit Avionics Upgrade (CAU) project has not completed a credible hazard analysis. An orbiter hazard analysis including the CAU has not been planned.

Recommendation 02-11: Perform risk assessments and hazard analyses, both internal to the CAU and from the perspective of the entire orbiter, to confirm that there are no input error conditions that could result in flight crew actions detrimental to crew, mission, or vehicle safety.


Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 02-12: Certain failure conditions may lead to conflicting data across display panels [of the CAU].

Recommendation 02-12: Through analysis, assess the probability of conflicting data among display screens. Confirm through simulated flight experiments that flight crew are able to identify information conflicts, that they are able to ascertain correct parameters, and that they can correct these errors without undue impact to flight safety or operations.

Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 01-18: Funding cuts threaten to eliminate all effort on maintaining and updating surveillance and modeling of the orbital debris population as early as October 2002. [Actually in the ISS section, but directly applicable to SSP.]

Recommendation 01-18: Reexamine the decision to eliminate this important function and assure that the core MMOD effort is continued.

NASA Response: Concur 01-18: OSF is seeking to identify all users/stakeholders of the current Orbital Debris Program and identify appropriate program content and long-term Agency funding source(s) to ensure that NASA retains the capability for compliance with the Agency’s Orbital Debris Policy for NASA missions.

Panel Assessment: Recommendation 01-18 is continuing. The content of the Orbital Debris Program was adjusted in response to the budget reduction without increasing the risk to NASA missions. The program is currently funded by the two major users of the output - Space Shuttle and ISS. However, continued program funding is not resolved in the upcoming FY 2004 conversion to FCA.


Aerospace Safety Advisory Panel (NASA Charter) | March 2003

Finding 01-6: The safety of NASA’s human space flight programs will always be dependent on the ability of a skilled, experienced, and motivated workforce.

Recommendation 01-6: Accelerate efforts to ensure the availability of critical skills and to utilize and capture the experience of the current workforce.

Panel Assessment: Recommendation 01-6 is continuing. This issue will require aggressive action for the foreseeable future.

Aerospace Safety Advisory Panel (NASA Charter) | March 2002

Finding 1: The current and proposed budgets are not sufficient to improve or even maintain the safety risk level of operating the Space Shuttle and ISS. Needed restorations and improvements cannot be accomplished under current budgets and spending priorities.

Recommendation 1: Make a comprehensive appraisal of the budget and spending needs for the Space Shuttle and ISS based on, at a minimum, retaining the current level of safety risk. This analysis should include a realistic assessment of workforce, flight systems, logistics, and infrastructure to safely support the Space Shuttle for the full operational life of the ISS.

Response (from 2002 ASAP Appendix): Concur: Both Shuttle and ISS Program Operating Plans (POP) identify the total resource requirements necessary to retain and improve safety risk. The development of these plans involves assessments from all organizations and receives the highest level of NASA management review. NASA management maintains a safety first decision process and will continue to be vigilant in developing as much operating margin as possible. The Office of Space Flight has recently initiated an assessment to address Space Shuttle fleet capability to fly safely until 2020. This assessment includes an analysis of workforce critical skills, flight systems upgrades, logistics and supportability, and any infrastructure upgrades requirements necessary to meet this goal. Any comprehensive assessment to support ISS beyond 2020 would occur in the future.

Aerospace Safety Advisory Panel (NASA Charter) | March 2002

Finding 2: Some upgrades not only reduce risk but also ensure that NASA’s human space flight vehicles have sufficient assets for their entire service lives.

Recommendation 2a: Make every attempt to retain upgrades that improve safety and reliability, and provide sufficient assets to sustain human space flight programs.

Response (from 2002 ASAP Appendix): Concur 2a: NASA and its contractors have continued to maintain and improve on the excellent safety practices and processes and as such, safety has not been compromised. Comprehensive analyses have identified potential upgrades projects that can further reduce risk if fully funded. Examples of needed long-term supportability upgrades that are not currently funded include the Orbiter’s communication and tracking system, components of the Orbiter’s data handling system, and the SRB avionics subsystem. Every attempt is being made to apply available resources to the more promising areas of improvement.

Recommendation 2b: If upgrades are deferred or eliminated, analyze logistics needs for the entire projected life of the Space Shuttle and ISS, and adopt a realistic program for acquiring and supporting sufficient numbers of suitable components.

Response (from 2002 ASAP Appendix): Concur 2b: Long-term supportability analysis continues on a periodic basis between Orbiter, Logistics, and SMA. Most recent orbiter/logistics summit updated the supportability issues list in November 2001. SSP hardware element managers and SSP logistics managers have implemented a continuing supportability assessment analysis which is intended to maintain cognizance of potential supportability issues and to develop mitigation actions.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 3: Much of the Space Shuttle ground infrastructure has deteriorated and will not be capable of supporting the Space Shuttle for its realistic service life.

Recommendation 3: Revitalize safety-critical infrastructure as expeditiously as possible.

Response (from 2002 ASAP Appendix): Concur 3: Human space flight is greatly dependent upon a capable ground infrastructure. The ISS and SSP management have worked closely with Center Directors in identifying the facilities, GSE, training, and test equipment necessary to continue and improve human space flight. As funding becomes available, it is applied to those areas having the greatest risk benefit.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 4: NASA is considering closing or deactivating some training and test facilities in an effort to economize.

Recommendation 4: Perform a detailed full life cycle safety and needs analysis including consideration of critical skills retention before making closure decisions.

Response (from 2002 ASAP Appendix): Concur 4: Any consideration for training or test facility closure will be based upon an appropriate risk assessment that considers their significance to the readiness level of the crews or the vehicle.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 5: Space Shuttle privatization can have safety implications as well as affecting costs.

Recommendation 5: Include in all privatization plans an assessment by safety professionals of the ability of the approach to retain a reasonable level of NASA technical involvement and independent checks and balances.

Response (from 2002 ASAP Appendix): Concur 5: All privatization discussions to date have included direct participation by the NASA Headquarters, Center, and SSP Safety organizations. A fundamental ground rule of any privatization option is that it must include the proper checks and balances as well as healthy tension between design and operations and include a value added independent assessment process. Current plans include numerous independent reviews of privatization concepts that will be structured to include safety professionals.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 6: The safety of NASA’s human space flight programs will always be dependent on the availability of a skilled, experienced, and motivated workforce.

Recommendation 6: Accelerate efforts to ensure the availability of critical skills and to utilize and capture the experience of the current workforce.

Response (from 2002 ASAP Appendix): Concur 6: Capturing the experience of the current workforce by continuing to hire and train young engineers is vital to the long-term safety of the Space Shuttle Program (SSP). NASA, USA, and the State of Florida have developed the Aerospace Technician Certification program, which provides a 2-year curriculum (4-year program in development) towards a space quality standard. Similar certification programs are in work for other aspects of SSP work. A Mentoring Program, focused on further development of technical and managerial skills, is also in place. The Prime Contractors have various hiring, training, and mentoring programs to facilitate skill development and retention.

The International Space Station (ISS) is early in the operational phase and has sufficient NASA civil service personnel to assist in the training and mentoring of new Boeing engineers. Further documentation is readily available on key subsystems and some hardware is still being procured. This will also allow an opportunity for new Boeing engineers to learn ISS systems in detail. In summary, this is an excellent time in the ISS program history to transfer and train new personnel and set in place a lower sustaining cost structure.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 7: Mishaps involving NASA assets are typically classified only by the actual dollar losses or injury severity caused by the event.

Recommendation 7: Consider implementing a system in which all mishaps, regardless of actual loss or injury, are assessed by a standing panel of independent accident investigation specialists. The panel would have the authority to elevate the classification level of any mishap based on its potential for harm.

Response (from 2002 ASAP Appendix): Concur 7: NASA NPD 8621.1G defines a mishap as any unplanned occurrence or event resulting from any NASA operation or NASA equipment anomaly. Current human space flight problem reporting systems require reporting and analysis of all operational or equipment anomalies against criteria that includes addressing the potential for significant loss of life or assets. At this level, the investigative experts are the engineers, managers, and maintainers of the equipment.

If an actual mishap were to occur, the Mishap Investigation Team (MIT) would be the first response. All members of this team have had accident investigation training and the Chairman has completed the NTSB accident investigation school and USC Aviation Safety curriculums.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 8: There is no requirement for Mishap Investigation Boards (MIB) to include individuals specifically trained in accident investigation and human factors.

Recommendation 8: Adopt a requirement for the inclusion of accident investigation and human factors expertise on MIBs.

Response (from 2002 ASAP Appendix): Concur 8: NPD 8621.1G states that it is NASA’s policy to conduct NASA mishap investigations, using NASA MIBs, with properly trained personnel. At the Space Shuttle Program level, this has been implemented through the assignment of the Mishap Investigation Team. All members of this team have had accident investigation training and the Chairman has completed the NTSB accident investigation school and USC Aviation Safety curriculums.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 9: The first increment of the Cockpit Avionics Upgrade (CAU) has significant potential for long-term Space Shuttle risk reduction and provides a platform for still further improvements.

Recommendation 9: Maintain the previously planned funding to expeditiously implement the CAU.

Response (from 2002 ASAP Appendix): Concur 9: CAU is currently adequately funded and authorized through PDR. Due to budget pressures NASA has reduced CAU funding to include only CAU Increment 1, which does provide key safety improvements. Increment 2 will be implemented on a deferred schedule using available sustaining engineering resources.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 10: Orbiter wiring inspections have shown instances where redundant wiring is carried in the same wire bundle.

Recommendation 10: Expedite efforts to route redundant wires in separate wire runs.

Response (from 2002 ASAP Appendix): Concur 10: Orbiter project is currently expediting the separation of redundant wires. All that can be accomplished during a normal flow at KSC are being scheduled and those that cannot will be implemented during the vehicles next modification period.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 11: Little definitive action has been taken to correct and preclude continuing the undesirable situation of excessive unincorporated EOs in the orbiter engineering drawings.

Recommendation 11: Expeditiously reduce the number of the drawing changes currently outstanding.

Response (from 2002 ASAP Appendix): Concur 11: Orbiter project is currently working to reduce the number of outstanding drawing changes. The project is prioritizing the drawing updates based on criticality, complexity, and traffic. The highest priority tile drawings have been completed and other subsystems will follow.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 12: Space Shuttle logistics will face increasing challenges from vendor issues including closures, mergers, relocations, and changes in capability.

Recommendation 12: Continue to emphasize to all suppliers the importance of timely reporting of all significant business and organizational changes that could affect Space Shuttle logistics.

Response (from 2002 ASAP Appendix): Concur 12: The Space Shuttle Process Control Working Group has been instrumental in communicating to the contractors and suppliers the importance of change control and notification. The Logistics departments continue to interact with the suppliers on a daily basis and have had good success with suppliers providing notification of changes. Several supplier conferences have been held at the Project level to reinforce this message. On January 23–24, 2002, the SSP held its first Program-wide supplier conference in which this theme was communicated and reinforced by top management.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 13: Deferring the OMMs intensifies the risk that scheduled safety upgrades will never be completed, thereby further increasing the life cycle safety risk of operating the Space Shuttle.

Recommendation 13: Incorporate deferred safety-related modifications in the affected orbiters expeditiously. This should not be accomplished at the expense of other safety or operational upgrades, or the prudent maintenance of the Space Shuttle system and its infrastructure.

Response (from 2002 ASAP Appendix): Concur 13: Orbiter project is currently incorporating a number of safety-related modifications and has placed priority on many proposed safety and risk reduction modifications.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 14: It is reasonable to utilize the same engineering and technician workforce for routine Space Shuttle processing and OMDP work at KSC, since the work content is similar. Planning and management functions, however, differ significantly between line processing and heavy maintenance activities.

Recommendation 14: Designate separate, appropriately experienced management teams for the regular processing and OMDP work at KSC. These teams must be well coordinated, since they will be drawing on the same workforce.

Response (from 2002 ASAP Appendix): Concur 14: The Orbiter Project has established an OMDP Management Plan, which designates a separate Orbiter management team for OMDP.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 18 [Space Station, but applicable to SSP]: Funding cuts threaten to eliminate all effort on maintaining and updating surveillance and modeling of the orbital debris population as early as October 2002.

Recommendation 18: Reexamine the decision to eliminate this important function and assure that the core MMOD effort is continued.

Response (from 2002 ASAP Appendix): Concur 18: Office of Space Flight is seeking to identify all users/stakeholders of the current Orbital Debris Program and identify appropriate program content and long term Agency funding source(s) to assure NASA retains capability for compliance with Agency Orbital Debris Policy for NASA missions.

Aerospace Safety Advisory Panel (NASA Charter), March 2002

Finding 19: The terrorist attacks on September 11 emphasized the need for increased security of all national assets, including NASA’s computer systems. Since many of these systems safeguard the lives of astronauts and cosmonauts and the safety of valuable international assets, it is crucial that security vulnerabilities be fully understood and closely managed.

Recommendation 19a: Accelerate the schedule of penetration exercises to gain greater insights into computer security vulnerabilities; determine if further threat analysis should be conducted; review all vulnerabilities; and ensure that plans are adequately formulated to mitigate these vulnerabilities and that work is proceeding to prevent critical systems from being compromised.

Response (from 2002 ASAP Appendix): Concur 19a: The Agency and Center IT security program is a risk-based management and acceptance process. The program continues to evolve to incorporate and facilitate tools and metrics for greater insight into security vulnerabilities. Currently the Centers perform quarterly vulnerability scans and metrics that are reported to the Agency. The vulnerabilities found are reviewed and worked through a defined process. Mission Critical systems external interfaces such as those of the JSC Mission Control Center with the JSC Institutional Network are included in these quarterly assessments. We will continue to work to improve this process and capability as new technologies and tools become available.

Recommendation 19b: Accelerate the schedule for the implementation of triple Data Encryption System (DES).

Response (from 2002 ASAP Appendix): Concur 19b: The change to incorporate the triple DES has been negotiated with the contractor; a probabilistic risk assessment associated with losing S-band communications is being conducted prior to Program implementation.

NASA Office of Safety and Mission Assurance (NASA Charter), 31 October 2001

Under the sampling conditions (survey population, four orbiter in-flow, skill mix, staffing levels, experience level, etc.) and recognizing inherent sampling error and questionnaire limitations, the IAT finds that overall workplace induced stress does not appear to be a present safety concern. Based on the results of this assessment and the two previous assessments of USAGO workforce capability, the IAT reaffirms the previous finding that USAGO has established the capability to safely accomplish an evenly spaced flight rate of up to seven flights per year.

Recommendation 1: NASA KSC SSP management should commit to conducting independent workforce surveys on a periodic (e.g., semi-annual) basis. While the current survey represents only a snapshot in time it could serve as the starting point for periodic surveys that track workforce attitudes and perspectives regarding workplace satisfaction and safety. Future survey planning should consider sampling that includes all members of the workforce (including those individuals with zero WTD) as well as a wide range of questions addressing workplace factors that are recognized correlates to occupational safety and stress.

NASA Office of Safety and Mission Assurance (NASA Charter), 31 October 2001

Skill-mix and training/certification imbalance imposes greater demands and stress on fully qualified (Level-1) workforce.

Recommendation 5: USAGO should continue to assess and manage skill mix/training issues to more effectively and safely meet workload demands. The IAT recommends that the NASA/USA refine and implement the Workforce Flexibility Model as a viable means to address skill mix, numbers, and training/certification imbalances.

NASA Office of Safety and Mission Assurance (NASA Charter), 31 October 2001

Reported unsafe activities and/or conditions - a number of the individuals interviewed reported knowledge of unsafe activities or conditions in Space Shuttle ground operations.

Recommendation 8: NASA KSC SSP and USA management must redouble their efforts to improve workforce understanding and acceptance of Structured Surveillance as an important and necessary safety control process. The idea of structured surveillance as a means to maintain stable, capable, and controlled critical processes remains an excellent and essential concept for implementing checks and balances within the scope of a performance based contract.

Aerospace Safety Advisory Panel (NASA Charter), February 2001

Finding 1: The current planning horizon for the Space Shuttle does not afford opportunity for safety improvements that will be needed in the years beyond that horizon.

Recommendation 1: Extend the planning horizon to cover a Space Shuttle life that matches a realistic design, development, and flight qualification schedule for an alternative human-rated launch vehicle.

NASA Response (Goldin, 24 May 2001): Code M - Concur: It is prudent to assume that the Shuttle will continue to support human space flight well beyond the current planning date of 2012, probably at least until 2020. Industry and NASA studies indicate that there will not be a compelling case for funding, developing and certifying a Shuttle replacement system for human space flight until late in the next decade. Therefore, NASA is actively assessing further safety improvements, beyond the current suite of planned and funded upgrades, which may be implemented in the Shuttle within the next 5-7 years and which could significantly reduce the operational risk of the Shuttle for many years of continued operations.

Aerospace Safety Advisory Panel (NASA Charter), February 2001

Finding 2: There is no in-flight crew escape system for the Orbiter other than for abort below 20,000 feet during a controlled glide.

Recommendation 2: Complete the ongoing studies of crew escape design options and implement an improved system as soon as possible.

NASA Response (Goldin, 24 May 2001): Code M - Concur: The Space Shuttle Program (SSP) concurs with the recommendation and is investigating enhanced crew escape capability with the objective of making significant strides in reducing crew risk for vehicle failures, which result in the loss of the orbiter vehicle. A Crew Escape Study has been initiated to reexamine Space Shuttle crew escape options.

Aerospace Safety Advisory Panel (NASA Charter), February 2001

Finding 3: Redundant hydraulic lines for the three orbiter hydraulic systems are not adequately separated to preclude loss of all hydraulic power in the event of a single catastrophic failure of adjacent hardware.

Recommendation 3: Provide the same degree of separation of redundant critical hydraulic lines as is given to redundant critical electrical wiring.

NASA Response (Goldin, 24 May 2001): Code M - Concur: Orbiter hydraulic systems utilize and will continue to implement the same considerations and degree of redundant system separation as is given redundant critical electrical wiring. Primary consideration is system placement such that a single catastrophic failure environment does not exist. Emphasis is placed on precluding events that may propagate from one function to another. Hazards associated with arc tracking can propagate to another wire in close proximity and therefore have influenced electrical wiring physical separation requirements. Hydraulic line hazards such as leakage or rupture cannot propagate to an adjacent hydraulic line. Extensive Failure Modes and Effects Analysis / Critical Items List (FMEA/CIL) and Hazard Analyses of the Orbiter systems and operational environment have not identified any credible single failure modes which would result in the loss of hydraulic power. Neither system is protected against extreme externally induced events such as those that DOD separation requirements address.

Aerospace Safety Advisory Panel (NASA Charter), February 2001

Finding 4: The ongoing effort to improve the work paper used at KSC by incorporating outstanding deviations and clarifying and simplifying the work instructions is proceeding well. Some lesser effort has been focused on improving the vehicle engineering drawings and reducing the engineering orders (EOs) they contain.

Recommendation 4a: Continue vigorous efforts to upgrade the work paper, even as the flight rate increases, in order to maintain the positive momentum that this worthwhile initiative has generated.

NASA Response (Goldin, 24 May 2001): Code M - Concur: Upgrading the paperwork continues to be a primary strategic initiative. The implementation of enhancements aimed at work paper “Deviation” reduction continues to show positive results. The IPP (Intranet Provided Procedures) has enabled the technician to select and work paper that has been pre-approved by engineering, and other initiatives such as MAXIMO are moving processing toward a more paperless work environment. All these initiatives combine to continue vigorous upgrade to the work paper quality while reducing the labor to achieve these gains.

Recommendation 4b: Focus additional effort on updating vehicle engineering drawings with the objectives of incorporating as many EOs as possible and assuring the clarity of all information.

NASA Response (Goldin, 24 May 2001): Code M - Concur: Each SSP project has configuration control to minimize the number of EOs before engineering drawings are updated. Additional focus will be implemented on improving engineering drawings. For example, the tile drawings, which are complex high-use drawings, have been updated to incorporate their EOs and this process will be applied to other highly complex, high-use drawings on the vehicle. Additionally, the Space Shuttle Program is embarking upon a one-year pilot program to convert orbiter vehicle 2D drawings to 3D digital drawings which if implemented would incorporate all of the outstanding EOs.

Aerospace Safety Advisory Panel (NASA Charter), February 2001

Finding 5: The KSC facilities, ground support equipment, and test and checkout gear to support Space Shuttle processing and launch operations continue to age. The status of the potential readiness of these essential assets has been projected, but there is no detailed, funded plan to ensure that this aging infrastructure can safely support the Space Shuttle for its likely operational life.

Recommendation 5: Develop a detailed plan and budget to maintain and upgrade the KSC assets that are essential to the safe operation of the Space Shuttle for its reasonably expected flight life so that an appropriate infrastructure life extension program can be implemented.

NASA Response (Goldin, 24 May 2001): Code M - Concur: Infrastructure support and upgrades requirements for the KSC facilities, ground support equipment, and test and checkout equipment are well defined and are updated yearly. The SSP initiated an Infrastructure Revitalization Team to develop a detailed plan to upgrade the infrastructure at all element sites, in addition to KSC, for identified life through at least 2012. Infrastructure remains a top program initiative and significant investment is needed. Since there were no new initiatives funded from the FY 02 budget process, other programs within Human Space Flight are being considered to support infrastructure requirements.

Aerospace Safety Advisory Panel (NASA Charter), February 2001

Finding 11: The critical skills challenge faced by NASA and its contractors in the Space Shuttle and ISS programs continues despite resumption of active recruiting of experienced and new employees.

Recommendation 11: Provide more effective incentives to retain employees with critical skills in such areas as Information Technology and Electrical/Electronic Engineering. Continue active recruiting of experienced and “fresh-out” employees, using appropriate incentives when necessary.

NASA Response (Goldin, 24 May 2001): Code M - Concur: Both NASA and its contractor management teams have recognized the challenges of competing for critical skills in today’s work environment, and have begun focused development of organizational assessment programs with emphasis on skills maintenance. These programs are targeted to include multiple tools and approaches (such as pay incentives, cross training, mentoring, formal career development planning, etc.) to maintain the appropriate balance of experienced skills as well as a continuous revitalization through the steady introduction of recent graduates. NASA has established fresh out goals at OSF Centers, used recruitment or relocation (signing) bonuses when necessary to attract quality hires at all levels, and authorized the payment of more competitive salaries in critical skill areas.

Aerospace Safety Advisory Panel (NASA Charter), February 2001

Finding 12: NASA’s recent hiring of inexperienced personnel, along with continuing shortages of experienced, highly-skilled workers, has produced the challenge of training and integrating employees into organizations that are highly pressured by the expanded Space Shuttle flight rates associated with the ISS. There is no systematic effort to capture the knowledge of experienced personnel before they leave. Stress levels within the workforce are a continuing concern.

Recommendation 12a: Provide active mentoring and other career development incentives to bring new employees to full productivity as rapidly as can be accomplished with safety remaining paramount. Expand resources and delivery methods available to Agency level training programs to enable greater participation at Center and program levels.

NASA Response (Goldin, 24 May 2001): Code M - Concur: NASA and its contractors have made significant enhancements in the employee training and development arena. NASA civil servants now have individual career development plans tailored to meet their specific needs, including both hands on experience and appropriate training and education. Significant emphasis has also been placed on employee development with an Agency wide Leadership Development Initiative, a more systematized mentoring program, and increased usage of computer based training. The need to monitor stress levels and provide coping strategies has received considerable attention in all organizations, with significant progress made in this area. NASA has also recognized the importance of capturing the corporate knowledge in our aging workforce and transferring it to the next generation.

Code F - General Response: NASA concurs with the recommendation(s). NASA and its contractors have made significant enhancements in the employee training and development arena. Several NASA Centers have implemented individual career development plans for their workforce, or for specific segments and occupational categories. These workplans enable management and employees to plan and implement formal training initiatives, career development assignments, and job rotations which enhance current and future performance. Many Centers have also examined their need for leadership development, and have implemented new training initiatives designed to address these needs and requirements. More systematized mentoring programs and increased usage of computerized training have been implemented within the Agency. The need to monitor stress levels and provide coping strategies has also received increased attention across the Agency, with significant progress being made in this area.

Code F - 12a: NASA concurs with the recommendation. As a result of beginning to hire new employees and fresh-outs, the NASA Centers have instituted, or have begun to revitalize, various orientation and other training programs designed to assimilate new employees into the workforce and provide mentoring and career development guidance. Many programs also include the requirement for specific types of training (e.g., technical or administrative), and include both on-the-job and developmental experiences over a period of time. Components in many Centers’ training programs also provide for guidance to supervisors in designing a training plan or individual development plan, providing mentoring and coaching, and evaluating work products and progress. The goals of these programs are to aid in the smooth and effective integration of new employees into the Center and Agency workforce by: providing a continuing and accelerated learning process; providing employees a way of identifying with the Center by understanding its mission and values; providing interaction with more senior staff and leaders; and providing opportunities to develop relationships with peers. At the Agency level, efforts are being initiated to establish a network of experienced practitioners who can provide mentoring and access to expertise in project management.

At the Agency level, resources have been requested to enable NASA to expand the delivery methods being utilized to develop the workforce. Specific emphasis will be placed on the development of e-learning alternatives that can be accessed at all locations and levels, and increasing the ability to expand participation levels across the Agency. In addition, new capabilities are being developed to facilitate learning within intact teams, delivering tailored content directly to a project team at the point in time specific training is needed. In addition, some Centers have also increased their resources available for training, and are instituting Center specific initiatives based upon Center needs. In addition, learning organization tools and methods being introduced in pilot projects within NASA are increasing organizational understanding, motivation, buy-in, and results. Examples of new initiatives include web-based course delivery and partnerships with universities for academic training.

Recommendation 12b: Continue efforts, in partnership with NASA contractors, where appropriate, to provide hands-on experience.

NASA Response (Goldin, 24 May 2001): Code F - 12b: NASA concurs with the recommendation, and a primary emphasis in developing the workforce will continue to be reliance on valuable on-the-job experience. In addition, the NASA Academy of Program and Project Leadership is in the process of revising its career model to enable an expansion of the identification of experiential development. NASA’s Professional Development Program also provides a combination of formal training, briefings, and developmental assignments within and outside the Agency.

Recommendation 12c: Establish processes that capture the knowledge of experienced personnel before they leave or retire.

NASA Response (Goldin, 24 May 2001): Code F - 12c: NASA concurs with the recommendation. Several efforts are underway to more effectively capture the “lessons learned” from experienced personnel nearing or at retirement. In addition, the NASA Academy of Program and Project Leadership has initiated a series of “Knowledge Sharing” forums and has initiated an area on its website for knowledge sharing and lessons learned. An emphasis is being placed on making maximum use and sharing of the experience of employees and managers both while they are still at NASA and after their retirement. Various avenues are being explored for access to this expertise both within NASA and gaining access to the knowledge base of those who leave the Agency. With regard to sharing knowledge within the Agency, NASA has also revised its Fellowship program to include a planned reentry requirement. The reentry plan requires individuals returning from longer-term University programs to identify with their management how their new learning will be shared within the Agency and how it will be applied strategically.

Recommendation 12e: Implement an evaluation of the processes used to develop new hires into productive members of the workforce.

NASA Response (Goldin, 24 May 2001): Code F - 12e: NASA concurs with the recommendation. Centers will be evaluating systems and processes for developing their new hires, assimilating them into the workforce and sharing best practices.

Aerospace Safety Advisory Panel

(NASA Charter)

February 2001

Finding 13: Recent downsizing and limitations on hiring have produced a workforce with aberrations in normal career development patterns and a potential future shortage of experienced leadership.

Recommendation 13: Develop and implement a long-term workforce plan, focused on retention, recruitment, training, succession, and career development needs, with at least a five-year time horizon that will ensure the availability of competent and experienced leaders. Also provide a strengthened capability in organizational development.

NASA Response (Goldin, 24 May 2001): Code F - Concur: NASA concurs with the recommendation. The recent experience with downsizing, coupled with Agency concerns about an aging workforce, demonstrate the importance of long-term human resources planning. In 1998, under the auspices of the Chief Engineer’s Office, the Agency conducted a core capability assessment that focused on the physical and staffing needs of the Enterprises and Centers of Excellence. This, and other similar activities, while very helpful, resulted in tactically-oriented decisions related to solving near-term human resource issues.


The Agency is now embarking on a follow-on strategic resource planning activity, based on Centers’ future vision and mission, taking into account workforce and facilities needed. This activity, led by the Associate Deputy Administrator, involves the active participation of the Enterprises and Centers and support from the Office of the Chief Financial Officer, the Office of Human Resources and Education, and the Office of the Chief Engineer. The result will provide a plan for each Center that links staffing, funding resources, mission and activities, and core competencies and will enable them to focus on recruitment, retention, training, succession and career development tailored to their individual circumstances.

Once this activity has been completed, the Office of Human Resources and Education will continue to work with the Center Human Resources Directors to assess the impacts of demographic trends. Together the Human Resources community will develop plans that ensure that the Agency has the requisite staffing, training, career development, and recruiting and retention tools and programs necessary to support the Agency mission.


In addition, the Office of Human Resources and Education has been actively engaged, with input and support from the Enterprises and Centers, in a number of activities and initiatives to renew and revitalize the NASA workforce. These range from activities to recruit, retain, and continue development of a highly capable workforce today to endeavors to ensure a future source of highly qualified talent in the science, math, and technology disciplines needed to carry out the Agency mission over the long term.

With respect to recruitment, the Agency is committed to marketing NASA as an “employer of choice.” In order to be competitive with other employers, NASA recognizes that it must have a continuing presence on college and university campuses. The more than 140 on-campus recruitment trips scheduled for this coming fall and spring 2002 are typical of this presence. In addition, the Agency will continue to utilize the Presidential Management Intern Program and student employment programs as sources for entry-level hires. NASA will also continue to promote the Internet as a recruitment tool and to work collaboratively with professional organizations (i.e., National Association of Colleges and Employers and National Academy of Public Administration) in an effort to remain competitive.


Our NASA Centers utilize various hiring authorities that enable them to offer starting salaries above the minimum rate of a grade. The use of recruitment bonuses by the Centers to attract the “best and the brightest” has also increased significantly in the recent past. The number has increased more than 300% from FY 1999 to FY 2000 (from 20 in FY 1999 to 69 in FY 2000 and 14 in just the first quarter of FY 2001) - a trend that we fully expect to continue because of an increasingly competitive job market and high cost of living surrounding some of our Centers.

In addition to these ongoing efforts, NASA will continue to be innovative in its recruitment efforts. We are implementing new automation tools, i.e., a position description management software package and two staffing software packages to improve the effectiveness and timeliness of the hiring process. We are enhancing the Agency’s human resources websites to make them more responsive to applicant information needs. Further, we are developing new qualification requirements for cooperative education students in order to more effectively recruit. Additional non-permanent employment options are being pursued where they are practical and the Agency is working with the Office of Management and Budget (OMB) and the Office of Personnel Management (OPM) to facilitate new employment options. The Agency has a new five-year plan for the employment of people with disabilities and will develop other outreach efforts designed to maintain a diverse workforce.


A new National Recruitment Team, based at Headquarters, is currently being established to develop new Agency-wide recruitment strategies and tools to meet NASA’s current and future hiring challenges in attracting and retaining a world-class, highly technical and diverse workforce. This team will facilitate and complement the Centers’ recruitment efforts; collaborate with the Institutional Program Offices and Functional Offices; enhance relationships with universities; eliminate duplication of efforts; and facilitate targeted diversity and disability recruiting.

The retention of a highly skilled workforce is equally vital. While the use of retention allowances has more than doubled from 5 in FY 1999 to 12 in FY 2000 (and 7 in the first quarter of FY 2001), this rate of usage has been impacted by downsizing and restructuring efforts in recent years and the continuing need to offer targeted buyouts to deal with our skills imbalances. NASA will continue to assess the skills of its workforce and restructure as necessary through buyout and early out retirement incentives to assure that NASA has the necessary skills for present and future mission success. In addition, we continue to emphasize quality of work-life initiatives such as alternative work schedules, family friendly leave programs, part-time employment and job sharing, telecommuting, dependent day care and employee assistance programs. Promoting safety in the workplace, providing effective awards, recognition and stimulating work will enhance job satisfaction and foster retention.

In the arena of developing competent and experienced leaders, in the last 18 months NASA conducted a leadership study and created a model to align development of our leaders to the NASA Strategic Plan and Strategic Management System. The study included benchmarking, working with universities, and the results of interviews of over 500 NASA/JPL employees performing in leadership roles from team lead to executive senior leader. This model provides a roadmap of skills and competencies for effective NASA leadership and is being used to respond to the training and developmental needs of the workforce. As part of NASA's strategy to prepare our next generation of leaders, there are several long-term developmental processes in place at both the Center and Agency level. These include the Senior Executive Service Candidate Development Program, the Professional Development Program, partnerships with academia to provide fellowships in leadership and project management development, and Center-specific development programs. In addition, the curriculum for developing project management leaders is being reviewed to ensure that appropriate skills and competencies are developed.


In the area of organization development, one of the features, which will be enabled by an increase in training resources, is the ability to provide intact team support. By providing developmental intervention to teams, NASA will be able to contribute to improved performance of teams, as well as better prepare individual team members for future opportunities. NASA is also engaged in a strategy to develop employees in the theories, methods and tools of learning organizations. Pilots are showing that these skills enhance motivation, communication, and understanding of complex systems. Several Centers have also increased their organizational development resources and capacity and are offering facilitation services to their organizations.

The Agency is also looking at ways to help assure a future pipeline of talent from which the NASA and others can draw. FY 2001 marks the pilot year of the new NASA Undergraduate Student Research Program. This Agency-wide program was developed to extend and strengthen NASA's commitment to educational excellence and university research, and to highlight the critical need to increase the Nation's undergraduate and graduate science, engineering, mathematics, and technology skill base. The Undergraduate Student Research Program will also build a national program bridge from existing NASA K12 Education Program activities to NASA Higher Education Program options that encourages and facilitates student interest in future professional opportunities with NASA and its partner organizations. Such opportunities might include NASA career employment; temporary assignment; undergraduate and graduate co-op appointment; or contractor positions.

Aerospace Safety Advisory Panel

(NASA Charter)

February 2001

Finding 14: While NASA has made major changes to emphasize the need to utilize IV&V on safety critical projects, the technology is not well understood by program managers and other relevant NASA personnel.

Recommendation 14: Develop an appropriate user-centered course and require software assurance awareness training for all levels of management to help them become more cognizant of the IV&V processes and the value IV&V brings to a final product.

NASA Response (Goldin, 24 May 2001): Code AE - Concur: As the report points out, NASA has indeed made major changes to emphasize the need for IV&V on mission critical software. The software IV&V policy, criteria, and process for evaluation of projects is in place and being followed. The Office of the Chief Engineer has presented pertinent information to all Center Directors, emphasizing the importance of IV&V, and communicating the expectation that IV&V and the IV&V policy be incorporated in Center processes. The Goddard Space Flight Center has been making presentations about the policy, criteria, and process in greater detail to other levels of management including program and project managers whose projects meet the criteria for IV&V or independent assessment by the IV&V facility. In addition, the Office of Human Resources and Development is planning the update of existing training in Verification and Validation, and Test and Evaluation to include IV&V and the appropriate application of the same.


Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Issue 1: NASA must support the SSP with the resources and staffing necessary to prevent the erosion of flight-safety critical processes.

SSP Response (Abbey/Dittemore, 21 June 2000): The Office of Space Flight (OSF) has recently conducted workforce reviews of staff workload and skill deficiencies at its Centers and programs, with particular emphasis on the SSP. Findings of these reviews, coupled with those of external groups such as the SIAT and the Aerospace Safety Advisory Panel (ASAP), led to the decision to terminate downsizing. All four OSF Centers, JSC, KSC, MSFC, and SSC, are in the midst of large-scale efforts to replace skill losses and increase the number of entry-level professionals. NASA has a plan in place to hire over 500 new employees in fiscal year 2000. Although only a portion of these new employees will be dedicated to the SSP, this action will help fill some of the most critical skill shortages, enable us to stabilize our flight safety skills resources, and build our cadre of future leaders. It is imperative that sufficient resources, including new hires, be dedicated in support of the SSP.

Beginning in fiscal year 2001, the plan is to replace future losses on a one-for-one basis. In addition, the recruiting strategy is to emphasize the identification of critical skill shortages and make those the top hiring priorities. The goal is to hire 50 to 70 percent of new personnel at the entry level in an effort to revitalize the workforce with high-caliber, recent graduates. To allow some of the best junior- and mid-level personnel the opportunity to broaden their functional experience, the SSP has created rotational opportunities at several Centers where they can gain experience at the program level. This early exposure to the significant operational and programmatic management challenges will enable them to enhance the flight safety critical process skills in the near term, and will better equip them to serve in leadership roles in the future.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Issue 2: The past success of the Space Shuttle program does not preclude the existence of problems in processes and procedures that could be significantly improved.

SSP Response (Abbey/Dittemore, 21 June 2000): The SIAT noted, "the SSP must rigorously guard against the tendency to accept risk solely because of prior success." The SSP wholeheartedly agrees. Regular senior management meetings are conducted that specifically address the issue of complacency and the inherent risk to the SSP relative to process and procedure change.

A specific focus on process control has been established to increase the awareness throughout the SSP on changes that could increase the level of risk. A Process Control Implementation Plan, developed in cooperation with each of the major prime contractors for the SSP, has been established that addresses the issue of process control at all levels of the NASA, contractor, vendor, and supplier product chain. A process control video has been developed for wide distribution throughout NASA and the contractor/vendor/supplier community to emphasize the importance of process control and to significantly increase the awareness of management and the workforce.

Additionally, the SSP conducted a Program Manager's Review (PMR) in March 2000 where risk management was the sole topic. SSP senior management (NASA and contractors) participated and reviewed the risk management procedures that are utilized by each of the prime contractors. Emphasis was placed on the need for improvement and continued adherence to sound risk management principles.

The SSP recognizes the critical importance of maintaining the rigor in planning, analyses, test, and execution that has been the strength of NASA and the space program. A continual emphasis on the SSP's primary goal, to fly safely, will be maintained to strengthen and increase the awareness of the management team and the workforce.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Issue 3: The SSP's risk management strategy and methods must be commensurate with the "one strike and you are out" environment of Space Shuttle operations.

SSP Response (Abbey/Dittemore, 21 June 2000): The foremost priority of the SSP is safety. This priority has extended to all aspects of the program with emphasis on public, crew, workforce, and asset protection. The program has accepted added cost and provided schedule relief in numerous situations in order to reduce safety risks. Emphasis on safety as the top priority has been implemented across all program elements, prime contractors, subcontractors, and suppliers.

The SSP implements extensive risk management processes as documented in National Space Transportation System (NSTS) 07700. As a result of the SIAT, a section of NSTS 07700 will be dedicated to documenting the program's risk management plan (refer to response to SIAT recommendation #19).

The SSP is a strong supporter of independent review processes such as the ASAP and considers knowledgeable review to be invaluable. The program has chartered several independent reviews utilizing technology expert representation. All findings and recommendations are reviewed and dispositioned by the SSP or appropriate organization.

The SSP has taken many steps to ensure an appropriate risk management strategy, and will continue to strive for improving these processes (refer to response to SIAT recommendation #22). While the current risk management processes provide a focus for the program to succeed in safe and successful missions, the continuous recognition of and sensitivity to the unforgiving environment of the Space Shuttle operational profile must always accompany even these disciplined processes.


Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Issue 4: SSP maintenance and operations must recognize that the Shuttle is not an "operational" vehicle in the usual meaning of the term.

SSP Response (Abbey/Dittemore, 21 June 2000): Safety is the number one priority of the SSP and is regularly reinforced throughout the workforce. Additionally, there is an emphasis on continual improvement of the Space Shuttle system; improvement in safety, improvement in efficiency, improvement in processes, etc.

Ample evidence exists that demonstrates the SSP's commitment to safety as its highest priority goal (i.e., fleet standdown due to vehicle wiring issues, launch delays to allow time to understand and resolve technical issues, etc.). Safety "first" is a culture that exists throughout the SSP.

The SSP agrees that the Space Shuttle is not a typical "operational" vehicle. As evident in the responses to the SIAT recommendations in this document, the SSP realizes the importance of maintaining rigor and conservatism in vehicle maintenance and operations. Refer to responses to SIAT Issue 2, Issue 5, and category 2 recommendations #3, 4, 5, 6, 10, 15, 26, 28, 32, 35, and 38 for additional detail on the conservatism and checks and balances in place for maintenance and operations procedures. These procedures are periodically reviewed. In addition, comprehensive reexamination of maintenance procedures is in work as a result of the SIAT.


Because of the nature of vehicle processing that does from flight to flight, it is reasonable to allow a certain level of standard repairs and "fair wear and tear" repair activities to exist. Standard repair, "fair wear and tear" specifications, and preapproved problem dispositions are used only for recurring conditions where the risks are well understood and acceptable. The "fair wear and tear" specification is a released engineering document that addresses cosmetic damage to hardware and allows the reflight of hardware with such damage under specified conditions, approved by engineering. Standard repairs are preapproved by the Program Material Review Board (PMRB) as delegated by the SSP Manager. The PMRB clearly defines the criteria that govern the use of such repair procedures. Adequate training on the use of these procedures and specifications is provided to the workforce.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Issue 5: The SSP should adhere to a "fly what you test/test what you fly" methodology.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP adopted a "fly what you test, test what you fly" verification methodology at the program's inception as the best approach for ensuring safe and successful operations. However, the extreme and complex environments coupled with their synergistic effects, which are experienced by a reusable spacecraft, did not allow for full-scale vehicle or component testing to their operational limits. Therefore, the SSP baselined requirements for certification and verification by test and/or analysis, which are documented in the SSP Master Verification Plan (MVP), NSTS-07700-10-MVP01. The Space Shuttle used flight and ground test data to verify models and analytically predict performance at operational boundaries. For testing, either actual or representative flight hardware components were tested under the most realistic operational conditions achievable. Software was also thoroughly tested in avionics laboratories that contained equivalent or simulators of real flight computers and flight control hardware. Prior to first launch, a rigorous verification process was conducted by the program to assure that the flight vehicle, its components, and the associated analytical or simulation models were properly tested or analyzed to all the defined requirements. The program continues to use this same verification process for any significant redesign.

The SSP originally implemented and continues to use a configuration control process that assures that flight hardware, software, and associated models remain consistent with this test-verified certification. Postflight data acquisition, data review, correlation with analytical simulations, and postflight inspections/systems testing of the hardware help to ensure that the systems maintain this test-verified certification. The SSP used available ground and flight test data to characterize the Space Shuttle system performance and to certify the Space Shuttle for flight. Systems dispersions/uncertainties are used in designing the flight and the commit-to-flight processes to ensure safe margins during all flight phases. This preflight and postflight information is reviewed today prior to each Space Shuttle flight.

It is natural that hardware and software changes have taken place in the 20 years since the original Space Shuttle certification. These can be classified as planned and unplanned changes. Planned changes are proposed, developed, and accomplished by the SSP to improve Space Shuttle safety, performance, or to account for obsolescence. Space Shuttle Main Engine (SSME) Block II, blanket thermal protection system (TPS), super-light-weight external tank (ET), and software operational increments (OI) upgrades are examples of planned Space Shuttle changes. Typically these types of changes go through the same rigorous testing, verification, and certification processes that the original Space Shuttle hardware went through during its development.

Unplanned changes are primarily due to manufacturing defects of new or replaced parts or insufficient performance or failure of existing hardware. These types of changes are typically very minor, and engineering judgments, supported by analyses, are made as to the extent of the required testing, reverification, and recertification requirements. All available information is used in this decision process for the safety of the Space Shuttle and its crew.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Issue 6: The SSP should systematically evaluate and eliminate all potential human single point failures.

SSP Response (Abbey/Dittemore, 21 June 2000): Operation of the Space Shuttle involves an extensive dependency on managers, engineers, technicians, operators, and crew personnel to perform their jobs in an efficient and accurate fashion. Various performance integrity techniques are employed to provide for assurance in executing these activities. The SSP utilizes a high degree of documented procedures and processes which are configuration controlled by the various program and project elements. These requirements flow down into specific maintenance and inspection criteria and are the basis for technician certification requirements and processes. Quality assurance techniques such as inspection, witness, surveys, and audits provide additional checks of performance accuracy.

The SSP has had an extensive effort focused on increasing workforce awareness of process control, stamp warranty, and technician certification. In general, the focus has been to drive out the root cause of human error versus reliance on inspection programs. Forums such as the Incident Error Review Board conduct analysis on maintenance issues and utilize various human factor analysis techniques to drive out contributing factors of human error. The establishment of the Process Control Forum, Chief Engineer Council, and the establishment of the SSP industrial engineering initiative have all been structured to provide for systematic evaluation and elimination of all barriers to error-free performance. Management review processes such as the Preventive/Corrective Action Review (PCAR) have been implemented to provide systematic review and evaluation of performance indicators in a proactive approach.

A Government Mandatory Inspection Point (GMIP) represents a point in the flow process in which the work stops and a Government representative performs an observation or measurement. Often, a series of GMIPs were executed in a single flow process and ultimately led to a final checkout or inspection that verified system performance. In many cases, these intermediate inspections were redundant. This drove the program elements to reconsider the assignment of GMIPs and led to the formation of a specific analysis process to use in the evaluation of GMIPs. The SSP established criteria against which existing GMIPs would be reviewed and redundant GMIPs removed. The resultant reduction of GMIPs was based upon technical justification utilizing established criteria.

Extensive reviews of inspection requirements have been conducted over the years, and the SSP continues to utilize lessons learned to evaluate inspection requirements.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Issue 7: The SSP should work to minimize the turbulence in the work environment and its effect on the workforce.

SSP Response (Abbey/Dittemore, 21 June 2000): The workforce study conducted by SIAT members at KSC was confined to a small sample of workers. Although the survey raised legitimate concerns, the results of the study, particularly the magnitude of the concerns, may not necessarily be representative of the workforce in general. The issues raised by the study were known by NASA, United Space Alliance (USA), and the ASAP, who collectively believe that morale and focus have improved since the impact of the 1998 reduction in force. Nevertheless, NASA and USA took the SIAT concerns seriously, and USA initiated several actions to better understand the status of workforce morale and focus to correct open issues and improve morale and workforce focus. These actions included:

• USA increased the number of face-to-face "skip level" meetings wherein senior managers meet with employees two or more levels below them in the chain of command to get direct input on issues of concern. These meetings are held by the Space Flight Operations Contract (SFOC) Program Manager, the Associate and Deputy Associate Program Manager (APM) of Ground Operations (GO), and by the direct reports to the APM of GO.

• USA commissioned Lord & Hogan, an independent consulting firm with experience in conducting workforce analysis, to administer an operational stress inventory and analysis. Lord & Hogan contacted the SIAT to ensure the research instrument used would be endorsed by SIAT. The Lord & Hogan study included worker response to questionnaires, analysis of the responses, and follow-up focus group meetings to gain additional insight into concerns and issues.

• USA established a management team to review the inputs from the "skip level" meetings and the Lord & Hogan survey. This team has recommended specific actions to resolve issues. USA management will follow through with a corrective action plan that implements the recommendations.

• USA strengthened their communication process with the establishment of a formal Leadership Council communication process. This council identifies information that should be communicated to the workforce, standardizes the messages, provides talking papers to managers, and flows the information through appropriate channels to ensure both "need to know" and "nice to know" information is provided to the workforce. The council has a feedback loop to measure the effectiveness of communication; thereby, continually improving the process.

The issues raised by the SIAT study also were raised in the "skip level" meetings and in the Lord & Hogan survey. The results of the Lord & Hogan survey were very positive and showed that the USA employees in Florida were in the normal range compared to other companies in all categories of stress and coping behaviors. USA currently is conducting a similar study of its workforce in Texas and intends to conduct follow-on studies in both Florida and Texas in approximately 2 years as a comparison to the new baseline.

The Space Shuttle launch schedule is expected to increase to seven flights per year in 2001 and beyond. It is imperative that the SSP have the capability to safely meet that schedule. To assure that the program will continue to safely meet the manifest, USA is taking steps to improve the capability of the workforce in Florida. Actions include:

• Hiring additional workers in GO and logistics to provide a workforce that is equivalent to the workforce that safely processed, launched, and recovered eight flights in 1997. This change from the continuous pressure to downsize since 1992 should have obvious positive morale effects.

• Changing the Florida organization to align with processes in order to conduct work more efficiently and reduce the total workload. Initially, implementation of this "high performance organization" activity could induce stress, as does most change. The reorganization requires continuous communication and leadership from the initial stages throughout implementation of this reorganization to ensure the workforce remains focused on safely processing, launching, and recovering Space Shuttles.

Although not specifically mentioned as part of this issue, the morale and focus of Boeing's Palmdale workforce is an ongoing concern for NASA, USA, and Boeing. This concern comes mostly because the orbiter maintenance down (OMDP) periods are spaced with several months between the end of one and the beginning of another. The spacing leaves Boeing's Palmdale workforce with periods of very little Space Shuttle related work. This has caused and will continue to cause periodic reductions-in-force and rehiring. Boeing has taken several actions to mitigate the effects of this periodic work including:

• Initiatives to increase Palmdale's non-SFOC work to provide additional opportunities for the workers.

• Improvements in Boeing's Palmdale facilities to enhance work spaces, including better lighting, new equipment, refurbished work spaces, and adding a cafeteria.

NASA and USA are extremely sensitive to workforce issues and are taking positive steps to ensure improvement. Continual monitoring of the workforce morale and focus is an SSP and USA priority.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Issue 8: The size and complexity of the shuttle system and the NASA/contractor relationships place extreme importance on understanding, communication, and information handling.

SSP Response (Abbey/Dittemore, 21 June 2000): The SIAT identified a number of recommendations relative to communication and information handling that are being addressed by the SSP as part of the SIAT response activity. The SSP continually emphasizes the importance of communication and has established processes, systems, and forums that facilitate information transfer and open discussion of issues and concerns. Weaknesses identified by the SIAT will be addressed.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Issue 9: Due to the limitations in time and resources, the SIAT could not investigate some Space Shuttle systems and/or processes in depth.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP considers the work associated with knowledgeable independent review processes to be invaluable to the continued success of the SSP. Relative to the SIAT, all SSP elements have thoroughly reviewed the SIAT report and have conducted internal reviews based upon the reported observations. A special PRCB was held to discuss implementation plans in response to the SIAT recommendations. The PRCB included all SSP elements to ensure maximum participation and dissemination of the information. Specific action items, as discussed in this report, were assigned to the SSP or SSP elements, as appropriate.

In addition to the SIAT, USA has formed an independent team comprised of Lockheed, NASA, Boeing, and independent safety and human factors experts to review the maintenance practices related to orbiter processing. Additional reviews to examine other SSP elements will be considered.

The SSP has been a strong promoter of independent review processes and has financially supported and participated in numerous reviews. Numerous review processes, which are independent of the SSP, exist today. These include, but are not limited to, the ASAP, NASA Inspector General (IG), Government Accounting Office (GAO), National Research Council (NRC), Program Management Council (PMC), Center Systems Management Offices, and the (Headquarters/Code Q) Independent Assessment Office. In addition to these, NASA Headquarters, NASA Centers, and the SSP have chartered independent reviews on occasion to investigate specific topics or issues.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Recommendation 1-1: The reliability of the wire visual inspection process should be quantified (success rate in locating wiring defects may be below 70% under ideal conditions).

SSP Response (Abbey/Dittemore, 21 June 2000): Initial qualitative assessments indicated approximately 70-80 percent of the wire defects are found during the first inspection. The remaining 30-20 percent of defects are found during the second inspection. Subsequent to the STS-103 pre-FRR, quantitative analysis at Palmdale indicates 86 percent of the defects are found during the first inspection with the remaining 14 percent found during the second inspection.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Recommendation 1-2: Wiring in OV-102 at Palmdale should be inspected for wiring damage in difficult-to-inspect regions. If any of the wires checked are determined to be especially vulnerable, they should be rerouted, protected, or replaced.

SSP Response (Abbey/Dittemore, 21 June 2000): Stringent inspection criteria were established to determine which vehicle areas must be inspected prior to flight of that vehicle. These criteria were approved at the STS-103 pre-FRR.

In addition, an end-to-end wiring inspection of OV-102 at Palmdale is underway. These inspections include difficult-to-inspect regions. Wiring which is vulnerable to damage will be reported to the Space Shuttle Vehicle Engineering Office (SSVEO) to determine whether rerouting, additional protection, or replacement of the wiring is appropriate. To date, the OV-102 detailed wiring inspections have not identified any conditions which invalidate our basic inspection criteria for the other vehicles in the fleet.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Recommendation 1-3: The 76 CRIT 1 areas should be reviewed to determine the risk of failure and ability to separate systems when considering wiring, connectors, electrical panels, and other electrical nexus points. Each area that violates system redundancy should require a program waiver that outlines risk and an approach for eliminating the condition. The analysis should assume arc propagation can occur and compromise the integrity of all affected circuits. Another concern is that over 20% of this wiring can not be inspected due to limited access; these violation areas should as a minimum, be inspected during heavy maintenance and ideally be corrected.

SSP Response (Abbey/Dittemore, 21 June 2000): The same stringent inspection criteria were used to determine whether inspections of these 76 areas were appropriate prior to flight. Fifty-eight of the seventy-six areas were inspected on OV-103 prior to flight, based on these criteria. The 18 remaining areas were not inspected because the risk of damage during the inspection was greater than the benefit. The 18 remaining areas were inspected on OV-102 at Palmdale prior to the flight of OV-103. These inspections found no exposed conductor and no Kapton damage. In addition, all of the Palmdale inspections completed prior to STS-103 confirmed that the KSC inspection criteria were valid.

The SSVEO presented a plan addressing the criticality 1 circuits located in the 76 criticality 1 areas to the PRCB on May 18, 2000. Preliminary estimates indicate approximately 80 percent of the waivered conditions can be modified to separate system wiring. These modifications are planned to be implemented at the KSC during flow processing operations or during the vehicle orbiter major modifications, whichever is most appropriate. The remaining 20 percent can not be modified due to space limitations. These conditions will continue to be waived.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Recommendation 1-4: The Space Shuttle Program should review all waivers or deferred maintenance to verify that no compromise to safety or mission assurance has occurred.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP completed an extensive review of open waivers in January 2000. Waivers to SSP critical documents were reviewed to determine the quantity and quality of the waivers and the health of the waiver process. Currency of waiver rationale, technical validity, and potential for a requirement change were reviewed. The review concluded that although the waiver process is healthy, a periodic review of the waiver data base is appropriate.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Recommendation 2-1: NASA should expand existing data exchange and teaming efforts with other governmental agencies, especially concerning age effects.

SSP Response (Abbey/Dittemore, 21 June 2000): Several initiatives to expand data exchange and teaming efforts with the Federal Aviation Administration (FAA) and Department of Defense (DOD) are currently underway. The SSP has initiated conversations and planning with the Department of Navy and Wright-Patterson Air Force Base to take advantage of initiatives already in place and to coordinate a list of working groups and forums involving multiple Government aerospace agencies. The SSP will participate in these forums and identify SSP points of contact. The SSP will document assignments and involvement in these forums and identify an appropriate SSP forum for reporting and dissemination of information obtained from the working interfaces.

To address recommendation 31, the SSP will specifically identify wiring related working groups and establish the appropriate level of participation. The Manager, SSP Safety and Mission Assurance (SMA) has been appointed as the NASA representative to the Wire Safety Research Interagency Working Group chartered by the Office of Science and Technology Policy. In addition, the SSP established contact in mid-March with the chairman of the Aircraft Wiring and Inert Gas Generator (AWIGG) Working Group and established communications with the team. Membership rosters were exchanged and both the SSVEO and USA sent representatives to the May 15-19, 2000, meeting to further establish points of contact and exchange information. Formal membership and identification of specific SSP representatives will be documented.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Recommendation 2-2: A formal Aging and Surveillance Program should be instituted.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP currently has a strong System Integrity Assurance Program (SIAP), which includes consideration of all possible failure mechanisms including the effects of aging, maintenance, or exposure. The SIAP requirements of NSTS 07700, Volume XI, were reviewed to ensure that current requirements are structured to incorporate effects of aging and handling on system integrity.

The SIAP addresses requirements and responsibilities to ensure that the flight and critical ground systems retain their design performance, reliability, and safety. One key objective of the SIAP is to develop methods to maintain the quality, integrity, and discipline of the SIAP process over the life of the program. Specifically, SIAP paragraph 1.7.2.1 requires the projects and elements to monitor comprehensive maintenance, inspection, time/age/cycle, and refurbishment requirements to assure that their hardware retains design reliability, safety, and performance. Any effort associated with fair-wear specifications are required to comply with this.

As a result of the SIAT, all program elements and projects are reviewing the SIAP requirements and specific implementation to meet these requirements.

The SIAT makes reference to the "Aging Aircraft Program" in which NASA participates. It is not practical for the SSP to establish a similar program unique to the Space Shuttle, however, it is appropriate for the SSP to ensure results of recent investigations and concerns associated with aerospace systems are incorporated within the SIAP process. The assignment of key points of contact (reference category 2 recommendation #1) will facilitate this dissemination of information from these conferences.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Recommendation 2-3: NASA and USA quality inspection and NASA engineers should review all CRIT 1 system repairs.

SSP Response (Abbey/Dittemore, 21 June 2000): KSC, JSC, and MSFC reviewed the process for review and signature of criticality 1 system repairs. Criticality 1 systems are defined as functional criticality 1 and 1R systems per the applicable failure mode and effects analysis/critical items list (FMEA/CIL) documentation. "Repairs" are material review (MR) items used to repair a design-released part. All MRs, regardless of criticality, are treated as "out-of-family."

For orbiter systems, NASA system engineers (SE), USA GO, and Boeing Launch Support Services must sign all KSC GO MR dispositions regardless of criticality. Items that may be first time occurrences or out of the ordinary are thoroughly discussed within the appropriate Prevention/Resolution Team (PRT). The PRT consists of system experts at KSC, JSC, the design Center, and vendors. The PRT technically reviews the problem and agrees to the resolution. The NASA SE must be completely satisfied that all requirements are met and that the MR was properly processed prior to concurring to the repair. The PMRB must review all orbiter MRs on hardware with failure mode criticality 1, 1R, 1S, 2 or 2R. The GO PMRB membership includes NASA and contractor engineering and quality representatives.

All NASA Shuttle Logistics Depot (NSLD) component MR repairs, regardless of criticality, are reviewed and signed by USA quality, NASA quality, and Boeing NSLD engineers who are authorized MR board members. NASA engineering is involved in the repair of all orbiter flight hardware through the Problem Reporting and Corrective Action (PRACA) Corrective Action Request (CAR)/Sub-CAR process and PRTs. Hardware at the NSLD is dispositioned for the NSLD PMRB approval per NSTS-07700, Volume IV, Section 4.3.2.9 and Appendix Z. PMRB membership includes NASA and contractor engineering and quality representatives.

Requirements for Government quality inspections are documented in the Quality Planning Requirements Document (QPRD). Currently, Government quality inspections are required on final verification of configuration changes but not on MR repairs. As a result of the SIAT, a QPRD review is being performed by NASA quality personnel to ensure the proper level of inspection is documented. USA NSLD quality engineering worked closely with NASA quality personnel to eliminate unnecessary NASA inspection points. Current NSLD metrics by NASA quality personnel show no increase in findings since the reduction.


The SSME Project, Solid Rocket Booster (SRB) Project, Reusable Solid Rocket Motor (RSRM) Project, ET Project, and JSC Space Shuttle Customer and Flight Integration Office also reviewed the MR repair process. The review concluded that the NASA and contractor engineering and quality personnel do review and process MR repairs.

Based on the current process and past activities/data, NASA engineering does review all criticality 1 repairs and is compliant with the current NASA requirements. NASA will be required to approve changes to the QPRD, which specifies contractor and NASA inspection points. NASA KSC quality personnel are currently reviewing the QPRD to determine if any additional NASA quality inspection points are required.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-4: The failure of all CRIT 1 units should be fully investigated and corrected without waivers.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP nonconformance process requires the investigation of safety critical systems failures and also considers the possibility of similar failure modes in other systems. It is the policy of the SSP to return all flight and ground hardware and software to "print" per Section 1D506, Nonconforming Articles and Materials, of NSTS 5300.4(1D-2). Furthermore, the investigative results of the failure and the proposed corrective actions are exposed to a wide scope of technical, project, and program reviews via the PRCB process. A waiver is used only after the design project and SSP management team review of corrective action options has resulted in concurrence that a "return to print" option is not mandatory and safety is not compromised. The nonconformances are recognized by the identification of variances from the SSP design and certification requirements (i.e., NSTS 07700, Volume X, Flight and Ground Specification) or variances to form, fit, or function specifications in project level end item specifications. Finally, the SSP description of the integrated process for elevating and resolving problems is given in NSTS 07700, Volume XI, SIAP.

Per Certification of Flight Readiness (CoFR) requirements, at each FRR all SSP elements are required to have verified that all applicable hardware and software meet all SSP baselined requirements for certification and redundancy. Any deviations, whether through disposition of replacement, repair, or "fly as is," must have had prior approval by the PRCB via the SSP waiver process. These items are also reviewed at the appropriate flight FRR. NSTS 07700, Volume IV, Section 4, directs all SSP elements to submit to the PRCB (for approval prior to implementation) all proposed hardware or software dispositions which impact baselined program risk, redundancy, or certification requirements. Approval by the SSP Manager results in the development of a waiver to the applicable SSP requirements with the attendant documentation providing the technical rationale for flight acceptability and flight effectivity.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-5: All testing of units must be minimized and documented as part of their total useful life. Similarly, maintenance operations must be fully documented.

SSP Response (Abbey/Dittemore, 21 June 2000): Testing of hardware life cycle, repair, and replacement items is controlled at KSC by established documentation and procedures. Efficient processing of the Space Shuttle components is a goal of the contractor and Government employees at KSC. Standard processing time is carefully monitored and appropriate justifications for performing nonstandard tasks on flight hardware, ground support equipment (GSE), and facility items alike must be provided.

Currently, no testing of flight hardware is performed without authorization and documentation. Established Operations and Maintenance Requirements Specifications Document (OMRSD) requirements, PRACA, Test Preparation Sheet, or program level chits authorize testing of flight vehicle hardware and GSE. All of these documents currently have appropriate checks and balances that ensure only required work is performed. OMRSD requirements conform to the MVP and test for failure modes defined by the FMEA/CIL. OMRSD reviews are periodically held with the goal of improving testing techniques. Per design Center recommendations, time and cycle requirements are levied on sensitive flight hardware items to protect their available lifetimes. OMRSD files also contain specific line replaceable unit (LRU) retest sections that guide the KSC engineer when determining the amount of systems retest required. GSE and facility items are tested only as directed by the appropriate group and must also have authorizing documentation.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-6: The SIAT recommends comprehensive re-examination of maintenance and repair actions for adequate verification requirements (e.g., visual, proof test, or green run).

SSP Response (Abbey/Dittemore, 21 June 2000): The SSME Project, SSVEO, ET Project, RSRM Project, SRB Project, KSC GO and SSP Systems Integration have addressed this recommendation. All elements except SSVEO have completed their assessment and implementation of any necessary corrective actions. SSVEO is scheduled to complete a review of NSTS 08151, Intermediate and Depot Maintenance Requirements Document (IDMRD) maintenance and Boeing Reusable Space System standard repairs by July 28, 2000. A schedule for implementation of any corrective action will be established as part of this review. All other elements have reviewed their repair/maintenance testing procedures and determined that processes and appropriate testing are in place to verify adequacy of any repairs. The SSME Project determined, during the course of this review, that one type of nozzle tube repair had inadequate verification testing specified. The specification was revised to require acceptance test hotfire or proof testing prior to flight. All nozzles with this type repair have since been tested.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-7: Human error management and development of safety metrics, e.g., Kennedy Space Center Shuttle Processing Human Factors team, should be supported aggressively and implemented program-wide.

SSP Response (Abbey/Dittemore, 21 June 2000): Human factors principles are being aggressively incorporated into ground processing at KSC. The Shuttle Processing Human Factors Team and the newly formed USA Industrial Engineering and Human Factors Department were staffed to implement human error and process management. Both entities are already working hand in hand to share data, resources, and expertise to develop human factors concepts. With the formation of the USA Industrial Engineering and Human Factors Department, the essential building blocks for this program are now in place. We will continue to improve by increasing the number of trained investigators, improving training, and enhancing data capture and trends analysis capability.

As a supporting tool, the Tap Root analysis software is being investigated for use throughout USA to help implement a program wide root cause analysis process. The tool would not only be used by human factors team investigators but also by trained individuals throughout the Space Shuttle management team (NASA & USA) to add more structure to root cause assessments and help implement better corrective actions.


The joint USA and NASA KSC Shuttle Processing Human Factors Team is currently supporting several initiatives. These initiatives include the Work Instruction Task Team, which provides guidelines and training on effective procedure authoring and the Industrial and Work Space Design Team recently chartered to ensure human factors principles are incorporated into the concurrent engineering and ground system design processes. Both of these initiatives will have program wide effects in operations, maintenance, manufacturing, and design.

A cross-functional team including human factors professionals has been established to review the Incident Prevention Board (IPB) process and make improvements to both the investigative process and identification and defining of effective corrective actions. The corrective action verification and effectiveness (CAVE) program is in place to verify corrective action effectiveness. This program will ensure that the recommendations of the industrial engineering and human factors team and the corrective action engineering group are implemented in a timely manner and that the actions taken were effective in preventing or correcting occurrences. The SSP has established a quarterly PCAR where each program element presents their preventative and corrective actions and metrics.


Some current activities of the Industrial Engineering and Human Factors Department are performance of on-site process analysis during critical tasks and continuation of development and deployment of human factors related training. USA has also begun to conduct training/outreach to the workforce in their monthly "tailgate meetings," and has reinstated the "Time Out" newsletter, which focuses on human factors issues.

The SSP established a specific focus on industrial engineering (IE) and established an IE team that will include human factors in their activities. The focus of the IE team will be to identify specific improvements to the vehicle and/or GSE designs and processing procedures that will result in reduced risk to the workforce, increased maintainability, reduced risk of collateral damage, and an improvement in the overall processing of the hardware and vehicle systems.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-8: Communications between the rank and file work force, supervisors, engineers and management should be improved.

SSP Response (Abbey/Dittemore, 21 June 2000): The USA contractor has taken aggressive actions to improve the communication between the workforce and senior management including biannual briefings from the Chief Executive Officer (CEO), weekly Leadership Council Meetings at the management level, weekly SSP Manager Meetings, and weekly Employee Meetings conducted by directors and supervisors. Additionally, the USA Program Manager has reemphasized the "management by walking around" activity where management has significantly increased the amount of time spent out of the office visiting employees at their respective work sites. This has been especially emphasized at KSC for both the engineering and technician workforce. Meetings between senior management and 20-30 employees, without other management present, are routinely being conducted to get a better understanding of workforce issues and to receive feedback directly from the employees.

Although the SIAT recommendation was more specifically targeted for the KSC workforce, the SSP has reemphasized the importance of communication between senior management and the workforce at all sites, both contractor and NASA. "All hands" meetings are routinely being conducted to communicate the SSP message on goals and objectives, to review "hot topics," to address current issues and concerns, and to obtain employee feedback on specific SSP activities.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-9: NASA should expand on the Human Factors research initially accomplished by the SIAT and the Air Force Safety Center. This work should be accomplished through a cooperative effort including both NASA and AFSC. The data should be controlled to protect the privacy of those taking the questionnaires and participating in interviews. Since major failures are infrequent occurrences, NASA needs to include escapes and diving catches (see Appendix 3) in their human factors assessments.

SSP Response (Abbey/Dittemore, 21 June 2000): As a continuation of the human factors research performed by the AFSC, USA hired an independent consultant, Lord and Hogan, to administer the occupational stress inventory and assess the results. A group of 700 USA GO employees were selected to participate in the survey and 589 were completed. Lord and Hogan also conducted face-to-face interviews of 95 participants in focus groups to validate the data and identify other issues. The survey results clearly indicated USA employees experience about the same amount of stress as employees in other industries. The focus groups indicated that USA employees believe that USA is focused on safety at all levels within the organization but USA needs to address workload, training, and other issues for the increased flight rate. These findings are consistent with the earlier ASAP findings. While the overall results are positive, USA is evaluating the detailed data to determine areas where it can improve and is addressing specific issues raised by the focus groups. A USA Workplace Action Team has been established to review the survey results and recommend proactive measures to help assure that USA can continue to effectively manage the pressures in the workplace as the flight rate increases.

In response to program tasking, KSC NASA/USA GO have developed a system to ensure both hardware and processing/safety "escapes" and "diving catches," as identified in the SIAT report, are identified and a risk assessment is performed to determine the appropriate level of reporting and corrective action. Human factors investigators are assigned to mishaps based upon a USA risk assessment score or at the discretion of USA management. All items are evaluated using the established USA risk assessment process and may be assigned as an IPB item. Additionally, the SSP Manager directed that process escapes be reported and tracked similar to in-flight anomalies. Process escapes are presented to the SSP Manager at the quarterly PCAR.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-10: Maintenance practices should be reviewed to identify and correct those that may lead to collateral damage.

SSP Response (Abbey/Dittemore, 21 June 2000): In January 2000, a team was formed to assess hardware damage, provisions, current protection, and any associated issues with collateral damage in the orbiter aft fuselage. The team included Aft Shop (orbiter processing facility (OPF) and Pad), Palmdale, NASA, USA and Boeing subsystem engineering, Rocketdyne, GSE/tool engineering, and human factors personnel. The initial effort concentrated on the aft fuselage due to the hardware criticality and potential for damage. Standard processing, as well as contingency LRU removals, were examined. General safety and human factor concerns were considered. Operational area and (OASIS) data were also reviewed.


The team findings concentrated on the following areas: access concerns, areas at risk for collateral damage, potential for wire damage, GSE, LRU GSE, portable lighting, and training. To date, seven orbiter modifications are in work as a direct result of this team. A GSE/platform subteam addressed access and GSE concerns. The subteam has reviewed the maintenance procedures and platform installations and identified the areas of poor access for the horizontal and vertical platform sets. In addition to poor access areas, the team is reviewing the size and weight of the piece parts to help reduce the risk of collateral damage during installation and removal. The team has also documented access requirements for the change out of an SSME in the vertical, along with the fall protection concerns in this configuration. Engineering Support Requests (ESR) were approved for improvements to the horizontal and vertical platform sets (ESR K16789 and K16190) and implementation is in work. An auxiliary power unit (APU) access stand was created for general processing and LRU remove and replace (R&R). A Process Improvement Team (PIT) was also chartered to study maintenance procedures, one-time entry issues, additional training, lighting, and communication concerns. PIT findings have revealed the need for an integrated approach to platform installation, hardware inspection, and protective cover installation. The team is also working with vendors to get improved fixed lighting to reduce the need for portable lighting. In addition, use of battery operated lights is under review. Wireless headsets are also being investigated. A main propulsion system (MPS) vacuum jacket line protection effort was kicked off to prevent line damage during processing. The lines are being protected with "elephant-hide" and a visual barrier ("No Step" ID) as immediate protection. In parallel, shop-aid thermo-foam plastic hardcovers are being designed and fabricated (Test Preparation Sheet SA19-1-629). This effort is in work and is being implemented to a prioritized list (by line damage history and high traffic areas).

The methodology used to assess the aft compartment and maintenance procedures to mitigate risk to collateral damage will be employed for the orbiter payload bay and forward fuselage areas. Midbody and forward teams were kicked off and are working in parallel. The teams will continue to be chartered by management and will report back to the IPB for an integrated review and concurrence of recommended change. Based on increased emphasis on minimizing collateral damage, employee awareness was raised through communication and training in areas such as hardware handling and testing, foreign object elimination, contamination protection, and equipment operation. The program will continue to apply these methodologies to other areas of the vehicle and maintain employee sensitivity.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-11: Shuttle actuator soft goods should be adequately wetted to prevent downtime seepage.

SSP Response (Abbey/Dittemore, 21 June 2000): The current orbiter hydraulic system provides the best environment for seal operation to meet tight leakage requirements. The hydraulic system seals are maintained in a wetted environment at all times, including down time, and spare units are maintained on the shelf. The PRACA system data base shows there has not been any component replacement due to seal deterioration related to inadequate wetting. The orbiter currently meets the recommendation.

SRB hydraulic LRUs including the actuators are refurbished after each flight. Following refurbishment, each unit is acceptance tested prior to being returned to stock. Preinstallation and postinstallation leakage tests are conducted on the entire hydraulic system for each SRB. Rigorous system level performance tests, including leakage tests, are done prior to each flight. System seal integrity is further verified at the vehicle level during the Space Shuttle Interface Test. No occurrences have been identified on the SRB program where post installation seal deterioration was related to inadequate wetting of the seal.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-12: Tank time and cycle data must be carefully logged to ensure safe life criteria are not exceeded.

SSP Response (Abbey/Dittemore, 21 June 2000): Time and life cycle life requirements for Space Shuttle flight tanks (ET, hydrogen, oxygen, orbiter maneuvering system (OMS) and reaction control system (RCS) propellant, N2, etc.) are found in OMRSD, File Two, Volume III. This file lists age sensitive items by part number. Information includes age and cycle life limits and required actions when life limits are reached. Items related to this file that have associated telemetry are tracked by a system called Time Age Cycle Control System (TACCS). TACCS is a data base that tracks the number of tank cycles by using software that accesses Launch Processing System (LPS) data for tank pressures whenever the vehicle is powered up. If the tank is at a vendor, cycles placed on the tank are recorded in the data pack. When the tank arrives back at KSC the data pack is reviewed and appropriate entries made into the TACCS data base. Any cycles not covered by telemetry and tank cycles at Palmdale are recorded into appropriate work authorization documents (WAD) or engineering logs. TACCS personnel review the WADs and enter data into the data base. Engineering is responsible for transferring tank cycle data from their logs to the TACCS data base. There have been limited instances when the cycle data was not accurately transferred to the TACCS data base. This disparity in cycle data is very small and does not constitute a problem since the number of cycles accumulated to date on the tanks is only about 20 percent of the maximum allowed by the OMRSD. However, the SSP will correct the process to ensure accurate tank cycle data in the TACCS data base. When tanks reach 90 percent of their maximum life cycles per the OMRSD file, the appropriate system representative is notified for disposition.

The SIAT report addressed exceeding the total number of hours that the tanks can be kept at flight operating pressure and the tracking of these data. The SSVEO has had a fleet leader program in place since 1978 for the Kevlar overwrap pressurant tanks. Data from this program indicate that tanks will not fail at ambient temperature for 100 years or more. Other orbiter tanks are not kept at flight pressures between flights, therefore, the total time spent at maximum pressure is small compared to their overall life. In addition, the design Center stress analysis group determined that there is no limit to the number of hours that the propellant tanks can remain at flight pressure.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-13: Critical operations, especially those involving Self-Contained Atmospheric Protective Ensembles, must be staffed with technicians specifically experienced and properly trained with the operations.

SSP Response (Abbey/Dittemore, 21 June 2000): USA personnel are required to attend specific critical skills certification classes, based upon the requirements of their particular shop area. This is true for all certifications including self-contained atmospheric ensemble (SCAPE). Personnel must attend and satisfactorily complete specific classes taught by certified instructors. Certifications are tracked and updated by the training department and the individual's specific directorate. On-the-job training (OJT) is often used to supplement certification training. Personnel, under the guidance of their management and an experienced certified senior technician, complete OJT packages. These packages are used in the actual work environment so training is hands on.

Each area supervisor verifies that their personnel have the necessary skill and experience level to safely perform specific tasks and assigns them accordingly. Special efforts are made to team an experienced technician with a less experienced technician, until the supervisor feels confident in assigning the less experienced technician to a job without oversight. Cross training at various sites and with various systems is also strongly encouraged. USA and NASA at KSC are confident that only highly trained, certified, and experienced technicians are used in task execution. Standardization of this training for both horizontal and vertical operations is achieved via a "partnered" training plan.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 2-14: Fleet Leader testing must be carefully scrutinized to ensure adequate simulation of operating conditions, applicability to multiple subsystems, and complete documentation of results.

SSP Response (Abbey/Dittemore, 21 June 2000): The Orbiter fleet leader program evaluation is in work and is expected to be complete in June 2000. Results and recommendations will be reviewed at the Vehicle Engineering Control Board (VECB). The current fleet lead testing and status was presented to the VECB in February 2000 along with the recommendation to evaluate additional potential fleet lead testing including fire extinguishers, landing deceleration systems, mechanical actuation hardware, hydraulics, and APUs. Test conditions were examined to ensure the correct test environments are applied to the fleet leader.

Fleet leader testing of payload integration hardware has consisted of teardown inspections of two power harnesses and one data harness. The results were presented to the November 1999 PRCB. There was no indication of stress in the insulation as a result of bending, no degradation attributable to hi-pot testing, and no wiring damage hidden by the overbraid which was not attributable to the overbraid damage itself.

All major SSME components achieved a fleet leader goal of demonstrating life requirements of 60 missions (7.5 hours operating time). After certification, hardware allowable life is based on 50 percent of the fleet leader operating time.

The RSRM Project structured postfire inspection and refurbishment processes to ensure that flight hardware has met, and will continue to meet, all engineering specification requirements. Conditions identified for further review by the postfire inspection activity are dispositioned in a closed loop system, which requires approval for closure by both NASA and contractor senior management. All observations noted during the inspections are entered into a data base for future reference and trending purposes. In addition, the "number of uses" is tracked for each component and compared to the design reuse requirements. This process ensures that requirements are met and identifies when replacement hardware should be procured. Furthermore, these data are presented as part of the CoFR process for review by both NASA and contractor senior management. Subsequent to these inspections, those components intended for reuse are subjected to a rigorous combination of nondestructive evaluation (NDE), proof-test, and inspection to satisfy the safe life requirements. As with the postfire inspection process, the results of these activities are fully documented to provide a clear pedigree of the hardware intended for flight use.

The SRB Project does not utilize a formal fleet leader program because the hardware is disassembled, thoroughly inspected, refurbished, and reassembled after each flight. LRU life is based on qualification of the design (structure LRUs = 40 missions, electronic LRUs = 20 missions, pyrotechnic LRUs = time, etc.). Qualification is based on analysis, test, and/or similarity. LRUs are recertified for each flight by inspection and/or test. Critical functional parameters are trended. Pyrotechnic components are lot certified for a specific length of time by test, and their life is extended by test, if required. A teardown/analysis approach is utilized for evaluation of cables. A small sample of flight cables are withdrawn from inventory and subjected to more extensive testing, including destructive evaluation. The SRB Project continually monitors failures to determine their age/life implications and any associated impact on obsolescence and mission supportability. Fleet leader testing is not utilized in the verification of the ET since the tank is an expendable subsystem of the Space Shuttle.

All SSP elements are exercising a fleet leader program, or a similar program, which meets the recommendation.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 2-15: Vendor supplied training should be evaluated for all critical flight hardware.

SSP Response (Abbey/Dittemore, 21 June 2000): The vast majority of direct vendor training is provided to the NSLD. The NSLD was started in 1986 as a repair depot function to provide timely, cost effective local support to the SSP. The NSLD is currently certified to repair over 3,000 line items. The repair certification requirements are defined in JSC20423, Orbiter Repair Agency Design Activation and Operations Requirement Document. Each time a new piece of hardware was transitioned from the original equipment manufacturer (OEM) to the NSLD, an extremely rigorous certification process was employed. This process included representatives from OEM engineering, NASA JSC systems engineering personnel, Rockwell (now Boeing) systems engineering personnel, NASA quality control personnel, NASA logistics personnel, and NSLD engineering/technicians. The process included transfer of knowledge on the theory of operation/design, detailed teardown/repair hands-on operations, and OEM design and specification documentation. Each piece of hardware, for which the NSLD is the certified repair agency, is considered unique. The requirements for how specific orbiter hardware was/is certified for repair at the NSLD is controlled by NSTS08151, Intermediate and Depot Maintenance Requirements Document (IDMRD), Vol. I, Maintenance Concepts Baseline. Both of these documents are subordinate documents to NSTS 07700. On complex items, training was done at both the OEM's plant as well as the NSLD. Actual certification and demonstration of hardware knowledge, troubleshooting, and repair capability was done at the NSLD. Each one of the individual certifications was video taped for documentation purposes as well as for review (if needed) for complex repairs. OJT training packages were built. These packages mirrored the certification capability demonstration and conform to the requirements of the IDMRD for use in future training of engineers or technicians.


KSC GO is limited to performing R&R of LRUs and is trained, certified, and procedure controlled to perform this task. There are rare exceptions where LRU replacements are allowed on the vehicle. For these cases, the design Center must concur with actions. Options include calling in certified vendor/depot support or certifying GO personnel to perform the repair. The former option presents an opportunity for GO personnel to work directly with vendor representatives, presenting a unique learning atmosphere for both parties. The latter option requires vendor and design Center (contractor and NASA) oversight and direct participation in initial training and procedure development for certification of GO personnel. Recertification curriculum is developed for administration by USA Integrated Logistics Technical Training & Development. Program control of this process is assured by documenting allowed repairs in the OMRSD LRU retest table. Changes to this document require PRCB approval.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 2-16: The true mission impact of a second main engine pin failure (internal engine foreign object debris) during flight, similar to that which took place last July, should be determined.

SSP Response (Abbey/Dittemore, 21 June 2000): The need for such an analysis has been eliminated since there are no engines remaining in the flight fleet with deactivated main injector liquid oxygen (LOX) posts. Engine 2048 was the last such unit in the fleet. This unit was returned to the factory for a powerhead replacement. That work has since been completed and the engine returned to the active flight fleet at KSC. (Reference STS-93 In-Flight Anomaly Closure Report: STS-93-E-01).

The need for LOX post deactivation was eliminated with design and manufacturing process improvements incorporated during the conversion to the Phase II + powerhead configuration. This non-pinned configuration is the only configuration now flying.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 2-17: The SSP should consider more frequent lot sample hot fire testing of the Solid Rocket Booster motor segments at full-scale size to improve reliability and safety and verify continued grain quality.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP requires the RSRM Project to demonstrate all engineering/process changes on a full-scale static test motor prior to incorporation into the Space Shuttle flight program. This is accomplished through the use of a flight support motor (FSM) program conducted at the contractor facility in Utah. This program, presently conducted at approximately 12-month intervals, allows an engineering assessment/confirmation of the numerous analytical models used for nominal motor performance predictions and flight safety considerations of Senior Material Review Board conditions. However, these motors are only intended as substantiation that both the individual and synergistic effects of the proposed changes have no adverse impacts resulting from their incorporation. Studies relative to "Corners-of-the-Box" and/or flaw test parameters have typically been limited to subscale test articles which contain inherent scale-up uncertainties leading to conservative boundary conditions when utilized for analytical calculations. Furthermore, the consideration of flaw testing to verify margins of safety on an FSM static test places some risk to the RSRM Project's qualification/verification resources. Within this context, the SSP concurred with the project's intention to define a full-scale engineering test motor (ETM) that would contain test objectives focused on flaw and margin assessments. The requirements for this test bed are currently being formalized targeting a presentation to the SSP requesting formal authority to proceed. The ETM firing is targeted for September of 2001.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 2-18: An independent review process, utilizing NASA and external domain experts, should be institutionalized.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP currently utilizes numerous review processes, which are independent of the SSP. These reviews are performed repetitively, and essentially represent an institutionalized independent process. These include, but are not limited to, the ASAP, NASA IG, GAO, NRC, PMC, Center systems management Offices, and the (Headquarters/Code Q) Independent Assessment Office. In addition to these, NASA Headquarters, NASA Centers, and the SSP have chartered independent reviews on occasion to investigate specific topics or issues. Many of these reviews were chartered prior to key program decisions being implemented. The SSP established a specific independent review process for the upgrades program including the Space Flight Advisory Committee, NASA Independent Program Assessment Office, and (Headquarters/Code Q) Independent Assessment Office. A sufficient number of independent formalizing a regular independent SSP review process. In addition, the Agency and the SSP periodically charter other specific independent assessments such as the SIAT to supplement the basic review processes utilized by the program.

While there are numerous avenues for the workforce to voice their concerns, as a result of the SIAT, the program determined that value exists in the establishment of an independent process to draw out workforce issues. USA commissioned an independent consulting firm (Lord and Hogan) to conduct employee surveys on a periodic basis (approximately every 2 years) and has established a baseline as of February 2000. Additionally, an external group consisting of Lockheed, NASA, Boeing, and independent safety and human factors experts was established to conduct ongoing policy, procedure, and best practice reviews.


Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 2-19: NASA, USA, and the SSP element contractors should develop a Risk Management Plan and guidance for communicating risk as an integrated effort. This would flow SSP expectations for risk management down to working level engineers and technicians, and provide insight and references to activities conducted to manage risk.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP implements and utilizes extensive risk management processes. The requirements and processes are documented in NSTS 07700 and the various associated documents. This documentation serves as the risk management plan for the SSP and currently defines and integrates risk management activities across all SSP elements.

An SSP PMR was held March 21-22, 2000, which focused on risk management implementation across all program elements. The PMR included participation from all NASA elements and Centers, prime contractors, Defense Contract Management Agency (DCMA), ASAP, and the SIAT risk management evaluators. Presentations included discussions of the various methods utilized by the contractors to involve their workforce and management in risk management processes. It was evident that extensive risk management processes and analytical techniques are implemented across all SSP elements.

In reviewing the complexity and diversity of the risk management processes, it was determined that a section of NSTS 07700, Volume I, would be dedicated to the documentation of the SSP risk management processes and requirements. This documentation will include the program's risk management plan and a "roadmap" to existing documentation. The documentation will provide centralization of the various risk management elements incorporated throughout the program and establish a basis for the flow down of SSP expectations for risk management to the various program elements and contractors. It will provide insight and reference to activities conducted to manage risk. While this section is not intended to incorporate the specific requirements and procedures, it is intended to consolidate references to the various SSP risk management activities specified throughout NSTS 07700 and the associated SSP documents. The change to NSTS 07700 is targeted for implementation this summer.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 2-20: Risk assessment matrix and Failure Modes and Effects Analysis should be updated based on flight failure experience, aging and maintenance history, and new information (e.g., wiring, hydraulics, etc.).

SSP Response (Abbey/Dittemore, 21 June 2000): Currently, the risk assessment matrix, FMEA/CILs, and hazards are updated based on flight failure experience, aging and maintenance history, and new information. For example, FMEA/CILs and hazards are updated when there is a new failure mode that was not considered previously. The new failure mode may cause a change in the risk matrix or cause a change in criticality. All increases in risk for FMEA/CILs or hazards are briefed at the applicable FRR.

Prior to 1991, the SSP had a requirement to include all failure history in the FMEA/CIL. The SSP approved deletion of that requirement on October 3, 1991, to eliminate duplicate information that can be obtained through other sources. This change also reduced the volume of CIL documentation updating and resulted in more efficient use of resources.

Examples of information kept in other locations include:

1. Tests: Turnaround checkout testing is maintained in the OMRSD.

2. Failure History: Test failures, flight failures, unexplained anomalies, and other failures experienced during ground processing can be found in the PRACA data base.

3. Operational Use: Standard crew actions are maintained in flight rules and crew procedures.

A web-based data warehouse with capability to cross reference CILs, hazards, and problem reports/failure history is under development. This capability should be available within 6 months.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 2-21: The SSP should revise the risk matrix for probable and infrequent likelihood for CRIT 1R** and 1R* severity to require a greater level of checkout and validation.

SSP Response (Abbey/Dittemore, 21 June 2000): In the 1995 timeframe, the SSP went through an extensive review of the Space Shuttle MVP with the specific goal of identifying the appropriate level of checkout and verification while not overstressing the systems due to excessive testing. The team was challenged to find the proper balance between the risk of insufficient testing and the risk of overtesting. The team was a multifunctional SSP team and included safety, reliability and quality assurance (SR&QA) personnel. At one time, all criticality 1R1 and 1R2 systems were fully checked out on the ground. Excessive wear was resulting from this philosophy and on-orbit operations were not being considered in the validation approach.

The team determined that on-orbit operating time or the time operating the systems in support of associated systems checkout should be considered in the checkout and validation of performance. This approach has reduced the wear and tear on many of the critical systems and has reduced the amount of system exposure to potentially induced damage. As noted in the wiring investigation, exposure to potential maintenance induced damage needs to be continuously balanced with the degree of ground maintenance and checkout required to verify system performance. To date, no in-flight failures are attributable to lack of ground checkout and validation.

Continuous review of validation and checkout procedures is standard practice and a current requirement associated with the MVP. For example, as a result of the OV-104 speedbrake power drive unit end cap found during ground testing at KSC prior to STS-101, an additional ground checkout procedure was added to each Vehicle flow to verify the end cap is properly seated and will not impede system operation.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 2-22: NASA Safety and Mission Assurance surveillance should be restored to the Shuttle Program as soon as possible.

SSP Response (Abbey/Dittemore, 21 June 2000): NASA and the SSP have maintained an active SMA program and will continue to do so. The execution of these activities has contained two key elements: first, the safety, reliability, maintainability, and quality assurance (SRMQA) engineering; and second, analysis tasks performed in accordance with program requirements and the independent SMA oversight function provided in support of the Office of SMA (Headquarters/Code Q). NASA Center SRMQA organizations have continued to be active participants in all aspects of the program. _1_ elements and supporting organizations have also been very active in executing SMA Program related surveillance. The SSP has taken several steps towards assuring a strong SMA program:

• In 1996, an SSP position, Manager, SMA, was created which provides a senior management authority associated with SSP SMA policy, requirements, and implementation.


• All program elements have undergone training in DuPont Safety, fault tree analysis, root cause analysis, and obtained ISO quality system certification by third party registrar.

• Resources for center SRMQA, which at one time were constantly threatened by Center priorities, are now provided directly under SSP funding. The SSP program operating plan (POP) reflects multiyear planning for SRMQA tasks throughout element and SRQA organizations and is fully supported by SSP management.

• Supplier surveillance has been maintained through use of delegated tasks to the DCMA by the SSP Manager, SMA. This support has not decreased and has even recently been increased through the direct program funding of $4.5 million to support surveillance of contractor activities associated with the SRB.


• NASA implemented Government hiring of SMA personnel at all Centers.

• In response to SSP requirements, the prime contractors implemented numerous safety and risk management initiatives.

• Flight readiness processes include specific review and verification of SRMQA engineering products.

• NASA and contract program elements have maintained an appropriate sustaining engineering function that is continuously involved in evaluation and analysis processes. These efforts are continuously reviewed at program forums such as the SSP Council, PMR, PCAR, and PMC.

The Office of SMA (NASA Headquarters/Code Q) has also maintained a substantial SMA surveillance program. In 1996, the (Headquarters/Code Q) Independent Assurance Office located at JSC expanded its charter to include independent assessments associated with the SSP. In 1996, the Associate Administrator of SMA established the Human Exploration and Development of Space (HEDS) Assurance Board to provide senior NASA management with timely, objective, nonadvocate assessments of program health, status, and relative safety posture. This board meets on a monthly basis with NASA Administrator participation each 6 months and includes participation of the senior Center and program SMA managers. The Pre-Launch Assessment Review is chaired by the Associate Administrator of SMA and provides for independent assessment in support of CoFR. The Office of SMA also conducts process verification audits of the various SRMQA processes as an element of their surveillance activity and participates in numerous program reviews and problem resolution processes.

SSP requirements address the various roles and responsibilities of both the SRMQA organizations and program elements in executing the SMA program. These requirements will be reviewed to ensure clarity between the SRMQA engineering activities which are conducted in direct support of the SSP and the independent assurance (IA) activities which are conducted in direct support of the Office of SMA. Organization charts and functional responsibilities will be revised to reflect clear and specific working relationships and responsibilities of these two functions. Specific assignment of individuals will be reviewed and revised to ensure clear and separate reporting responsibilities. This review will be accomplished by August 1, 2000.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-23: The Safety & Mission Assurance role should include: mandatory participation on Prevention/Resolution Teams and in problem categorization, investigation of escapes and diving catches (see Appendix 3), and dissemination of lessons learned.

SSP Response (Abbey/Dittemore, 21 June 2000): As a result of this SIAT recommendation, verification that SSP requirements define SRMQA engineering's mandatory involvement and product expectations has been accomplished. Program requirements and processes including anomaly disposition, trending analysis, problem reporting, preventive/corrective action, and mishap investigations were reviewed and were confirmed to require mandatory participation by SRMQA engineering. These functions result in specific program products that are integral components of the problem resolution process.

Verification of SMA dissemination of lessons learned was accomplished. Also, Headquarters/Code Q manages the NASA lessons learned data base and provides access to anyone within NASA and the contractor team. This system is active and supported.

Products associated with determining safety and mission success involve a number of program elements and supporting disciplines. Safety reporting systems, IPBs, mishap and close call forums, and in/out of family anomaly reviews involve a diversity of program element and contractor functions.


As a result of the SIAT, the SSP Manager directed that escapes be treated similar to in-flight anomalies. Therefore, all escapes are briefed to SSP management at the quarterly PCAR. This requirement is applicable to all program elements including SRMQA organizations. The PCAR is conducted as a formal PRCB involving the mandatory participation of all elements including SRMQA organizations.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-24: The SIAT believes that software systems (flight, ground, and test) deserve a thorough follow-on evaluation.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP believes that the flight, ground, and test software systems are of world-class quality as evidenced by the metrics for product error rates. The SSP reviews these metrics on a regular basis and conducts reviews of the element processes and metrics. Flight software processes continue to be better than the industry standards for ISO 9001 and the Software Engineering Institute (SEI) Capability Maturity Model for Software (SW-CMM). Flight software personnel continue to exercise an independent verification and validation (IV&V) assessment throughout the general purpose computer (GPC) and SSME development processes. Software processes and performance have been assessed on numerous occasions (ASAP, GAO, NRC, and Rogers Commission), with consistent findings of exemplary performance reported by these reviews. While the SSP fully recognizes the complexity and criticality of software systems, the current control and review processes are considered to be rigorous, disciplined and sufficient. The SSP believes a follow-on SIAT evaluation is not warranted at this time.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-25: Due to time constraints, the SIAT only examined Orbiter wiring; many other systems associated with the Shuttle also have critical wiring. The findings and recommendations in this report are applicable to all Shuttle systems, but unique conditions that may require additional actions.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP held an element wide wiring review at the September 16, 1999, PRCB. This review addressed extravehicular (EVA), cargo integration, Government-furnished equipment (GFE), GSE, RSRM, SRB, ET, and SSME wiring. Subsequent to that meeting, 14 follow-up PRCB Actions pertaining to non-orbiter elements were issued, addressed, and closed. The scope of these actions includes wiring inspection status and protection, test plans and checkout procedures, fleet leader approach, engineering standards and requirements, as well as element unique activities such as bend radius life cycle analysis and teflon wiring utilization. The scope of SSP wiring attention has been and will continue to be inclusive of all program elements.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-25: During the inspection of wiring, several connector issues were also apparent. Loose connector backshells and wire strain relief that can potentially chafe wiring were noted. Under certain conditions loose backshells can compromise electrical bonding between shielding and structure. Movement of the backshell can also cause chafing between the wiring and strain relief. In either case, these are unacceptable conditions and should be eliminated by periodic inspection and connector design.

SSP Response (Abbey/Dittemore, 21 June 2000): The orbiter OMRSD requires a visual inspection of electrical connectors every flow to verify proper mating and backshell attachment. The orbiter ML0303-0014 specification documents the requirements for backshell rework and connector manipulation. A recent investigation of chafing found between wiring and backshell strain relief arms resulted in an update to this specification to provide additional strain relief. This specification is invoked on connectors with detected damage and connectors susceptible to damage due to configuration or frequent flexing. Backshell integrity is physically verified with every connector mate/demate operation and connector reworked.

Payload integration wire harnesses are governed by the same ML0303-0014 specification as orbiter harnesses. A recent update to ML0303-0014, Paragraph 6.3.2.23, addresses added protection at the backshell strain relief tangs, where required, with the use of Mystic 7503 tape.

A strain relief tang is used to secure the wires going into the connector to reduce strain on the contact locking mechanism. The wires entering a connector are spot tied to the tang so that any flexure of wire bundle stops at the tang. This configuration greatly reduces movement of the wires in the connector.

The SSME design precludes wire looseness in backshell strain relief clamps. Silicone tape is used to fill gaps around wiring, and overmolds provide exterior protection. Inspection for loose backshells is included in periodic inspection requirements. There has been no comparable SSME failure history of wire damage due to loose backshells.


The RSRM Project conducted a review and evaluation of RSRM cabling and wiring. All RSRM cables utilizing backshell connectors are new for each flight. All cables undergo extensive electrical testing/checkout and visual inspection before and after installation. All RSRM cables utilizing backshell connectors are criticality 3. No postflight observations/trends were identified for RSRM cable backshell connectors in the history of the program. RSRM cables and connector designs are robust and reside in well protected, low traffic areas on the motor, therefore, greatly reducing the chance of contact damage. There are no postflight concerns/trends for any cable and connector issues. Current cable and connector inspections and tests are necessary and adequate; no additional inspection requirements/corrective actions have been identified.

The SRB Project connector inspections (including backshell connections) are performed at the vendor prior to shipment, at SRB refurbishment operations for reusable cables, again at hardware issue, and then a final visual inspection is performed prior to hardware shipment to GO. SRB cable wiring is verified each flight by removal, refurbishment, inspection, and a series of tests. Cables are insulation resistance, dielectric withstanding voltage, and continuity tested on the electrical bench. After installation, these tests are repeated. Prior to hardware shipment to GO, a visual inspection is performed. For the ancillary cables, these tests are performed by the SRB Project prior to shipment to GO. After installation by GO, these tests are repeated.


Planned inspections of ET wiring design confirm correct assembly and installation. During assembly at Michoud, inspections verify the torque value of the connector backshells and the correct thread protrusion, spacing, and bend radius. Movement is controlled with tie-wraps, clamps, and lockwire. A final inspection is performed for visual damage and proper configuration. ET harness assemblies are not exposed to high traffic areas due to enclosure in cable trays, tank interiors, and protective covers. The ET is not a reusable component of the Space Shuttle. Therefore, connectors are not routinely mated and demated which reduces the risk of improper installation.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-27: Arc track susceptibility of aged wiring and circuit protection devices that are sensitive to arcing should be evaluated.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSVEO has approved a comprehensive test plan to evaluate the arc track susceptibility of aged wiring and circuit protection devices. Arc tracking tests will be performed to obtain a baseline comparison between flown (OV-102) and new orbiter Kapton wire. These tests will be performed with orbiter circuit protection and source configurations using various initiation methods and conditions to determine susceptibility to arc tracking under vehicle conditions. The testing is scheduled to take a year. Results will be presented to the SSP.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-28: The need to examine wiring in areas that are protected or where damage may be induced by physical wiring inspection should be evaluated. Wiring should be continuously evaluated by conducting extensive electrical verifications on systems. When wiring damage is found in an area previously not examined, the remaining Orbiters should also be inspected.

SSP Response (Abbey/Dittemore, 21 June 2000): OV-102 is undergoing an extensive wire inspection, which includes all accessible wire on the vehicle during OMDP. Any area where wiring is determined to be inaccessible is being photo documented. Wire inspections on OV-102 include all wire harnesses in the environment control and life support system (ECLSS) bay (high traffic area) and the aft compartment. The inspections include wires protected by convoluted tubing in order to develop an approach for inspecting protected wiring. The results of the OV-102 wire inspections will be used to update the OMRSD for future vehicle OMDP requirements. All safety and mission critical system functions are currently tested every flow per the requirements specified in the applicable OMRSD. OMRSD inspection requirements were updated and clarified to ensure adequate inspections are performed during normal vehicle processing. Standard problem resolution dictates that any findings on one vehicle will be assessed for its applicability to other vehicles, and corrective action will be implemented as required.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-29: Wire aging characteristics should be evaluated, including hydrolysis damage, loss of mechanical properties, insulation notch propagation, and electrical degradation. Testing should be performed by an independent laboratory.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSVEO approved a comprehensive test plan to evaluate wire aging characteristics. The evaluation will be performed by two independent laboratories, Barcel and Lectromec, and by Boeing Huntington Beach. Old wire will be obtained from OV-102 and compared to new Kapton insulated wire. Testing will be performed on the flown wire to determine useful life remaining. Testing will be completed in August 2000.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-30: A database that continually evaluates wiring system redundancy for the current design, modifications, repairs, and upgrades should be maintained. System safety should evaluate the overall risk created by wiring failures.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP requirements for routing of redundant systems wiring are documented in NSTS 8080-1. This document specifies that electrical wiring of redundant systems, redundant subsystems, or redundant major elements of subsystems shall not be routed in the same wire bundle or through the same connector with wiring of the other redundant systems, subsystem, or subsystem element. A wire routing assessment was performed in 1994 addressing criticality 1 systems and wire routing violations. This assessment was documented in a report. An update to the report is in work with completion scheduled for October 2000. The report will become an official document baselined by the VECB chaired by the Manager, SSVEO. If a future vehicle modification will result in violation of the criticality 1 redundant wire routing requirements, the VECB will review the proposed wiring and approve or disapprove associated violations.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-31: NASA engineering should specifically participate in industry and government technology development groups related to wiring. The SAE AE-8 committees (specifically A and D) are excellent forums for identifying wiring issues.

SSP Response (Abbey/Dittemore, 21 June 2000): Several initiatives to expand data exchange and teaming efforts with the Federal Aviation Administration (FAA) and Department of Defense (DOD) are currently underway. The SSP has initiated conversations and planning with the Department of Navy and Wright-Patterson Air Force Base to take advantage of initiatives already in place and to coordinate a list of working groups and forums involving multiple Government aerospace agencies. The SSP will participate in these forums and identify SSP points of contact. The SSP will document assignments and involvement in these forums and identify an appropriate SSP forum for reporting and dissemination of information obtained from the working interfaces.

To address recommendation 31, the SSP will specifically identify wiring related working groups and establish the appropriate level of participation. The Manager, SSP Safety and Mission Assurance (SMA) has been appointed as the NASA representative to the Wire Safety Research Interagency Working Group chartered by the Office of Science and Technology Policy. In addition, the SSP established contact in mid-March with the chairman of the Aircraft Wiring and Inert Gas Generator (AWIGG) Working Group and established communications with the team. Membership rosters were exchanged and both the SSVEO and USA sent representatives to the May 15-19, 2000, meeting to further establish points of contact and exchange information. Formal membership and identification of specific SSP representatives will be documented.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-32: Wiring subjected to hypergolic contamination should be replaced since high pH fluids are known to degrade polyimide type wire insulation.

SSP Response (Abbey/Dittemore, 21 June 2000): Orbiter wire is not exposed to hypergolics as part of planned operations. Current inspection procedures would detect this condition. The only credible scenario, which could result in wire exposure to hypergolics, would be in the case of a leak. If exposure occurs, the standard problem resolution process would dictate that the wiring be thoroughly inspected for discoloration and physical damage. If exposure and damage has occurred, the wire is removed and replaced.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-33: The current quality assurance program should be augmented with additional experienced NASA personnel.

SSP Response (Abbey/Dittemore, 21 June 2000): The KSC SMA office is in the process of augmenting the existing workforce. Twenty-five quality specialists were hired to work in the SSP at KSC. Six existing, experienced NASA inspectors will augment the in-line processing effort by transferring from the Assembly and Refurbishment Facility.


In addition, three SMA engineering slots for the SSP (including one for checkout and launch control system (CLCS)) will be filled later this year. SMA will continue to evaluate resource requirements and work with Center management to prioritize their needs for future years.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-34: Technician/inspector certification should be conducted by specially trained instructors, with the appropriate domain expertise.

SSP Response (Abbey/Dittemore, 21 June 2000): All required training, including recurring training, is tracked by USA and the qualification and certification sign-off system (QACSS). The training requirements are specific to the hardware, the processes, and the procedures used at KSC. The instructors, who train the hands-on personnel, represent the most knowledgeable individuals in their field of expertise. The selection process for instructors focuses on their education and training experience. A new instructor is assigned to an experienced, qualified instructor who is certified in the appropriate subject matter. The new instructor is mentored until signed-off by the experienced instructor and the manager. The instructor carries the certifications that he or she teaches. A senior instructor or their manager periodically observes instructors in their presentations. Students evaluate instructors at the end of each course and may evaluate at any time during the course. Course audits are conducted for courses tied to certifications at least every 3 years. However, course audits may be conducted at any time.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-35: The SIAT recommends an evaluation of depot repair documentation be performed to determine if the transition process attained a necessary and sufficient set of vendors for each Line Replaceable Unit, Shop Replaceable Unit, and special test equipment.

SSP Response (Abbey/Dittemore, 21 June 2000): A project team was chartered to perform an evaluation of the certification process for identifying and obtaining documentation for transition of LRUs, shop replacement units (SRUs), and special test equipment (STE) to the NSLD. During certification, the NSLD works with the design Center and the OEM to establish a baseline of required repair documentation.

The number of requests for vendor data and work stoppages due to lack of documentation was evaluated to determine whether sufficient vendor repair data are available. There is an average of 500 requests for documentation each week to the NSLD Technical Documentation Center. NSLD personnel and other SSP elements submit requests. Only a small percentage of these requests are unable to be filled. Evaluations of the NSLD work stoppage metrics indicate well below 1 percent are due to lack of documentation. These factors indicate that sufficient documentation is available from the vendors.

In those rare cases where NSLD repair documentation is not available, there is a process to obtain data by working with the design Center and USA procurement. Reasons for data not being available include increased repair capability after original certification (e.g., nonrepairable hardware must be repaired due to obsolescence), lost or misplaced data, and limited documentation for STE. If the vendor still supports the program for documentation maintenance, USA procurement will contact the vendor and obtain the proper data. If the vendor or documentation is not available, the design Center will develop and release equivalent documentation through established authorization processes.

For those cases where a vendor no longer supports the SSP, an alternate data maintenance agency is designated. All of the OEM's documentation is obtained, indexed, and maintained by the design Center that is designated as the "data maintenance" agency.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-36: Teamwork and team support should be enhanced to mitigate some of the negative effects of downsizing and transition to Shuttle Flight Operations Contract. Most immediately needed is the provision of relief from deficits in core competencies, with appropriate attention to the need for experience along with skill certification. Further development of the use of cross-training and other innovative approaches to providing on-the-job training in a timely way should be investigated.

SSP Response (Abbey/Dittemore, 21 June 2000): Additional hiring is in progress by USA to meet the seven flights per year manifest with particular emphasis on critical skills and core competencies. Over the past 3 months, USA has hired approximately 164 people in the engineer, software, technician, and inspector categories at KSC. Over the same time period, approximately 64 were lost due to attrition. By the end of June 2000, USA expects to have an appropriate number of personnel to support the seven flights per year manifest. The experience level of the new hires is balanced. In addition, cross-training and certification levels are expanding in Florida.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-37: Work teams should be supported through improved employee awareness of stresses and their effect on health and work. Workload and "overtime" pressures should be mitigated by more realistic planning and scheduling; a serious effort to preserve "quality of life" conditions should be made.

SSP Response (Abbey/Dittemore, 21 June 2000): Following the initial concerns voiced by the SIAT about the morale in Florida and possible effects on safety, USA commissioned an independent consultant, Lord and Hogan, to administer the occupational stress inventory. This inventory included an in-depth survey of the Florida workforce on the subject of stress and safety and face-to-face interviews of participants in focus groups. The results were remarkable for two reasons. First, the response rate to the survey was exceptionally high. Second, the responses showed USA to be well within expected norms compared to many other companies. USA is in the process of conducting the same survey for the Texas workforce. Both NASA and USA are sensitive to the "quality of life" environment of employees. Metrics and other management tools will continue to be used to emphasize this factor in management planning.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 2-38: The inspection procedures of the Shuttle main engine high-pressure fuel lines and valves to find cracks should be reviewed. Currently, Columbia is at Palmdale and the vehicle is available for inspections of the main propulsion lines to verify whether this potentially serious problem exists.

SSP Response (Abbey/Dittemore, 21 June 2000): During the design of the orbiter's MPS hardware, materials were selected specifically for their resistance to hydrogen embrittlement. Hydrogen induced damage is not a concern in the low temperature/low pressure MPS. Nearly all high pressure/high temperature components use "A" rated materials. Exceptions have been approved by the materials and process group based on their review of the specific stress environment for that item. To date, there have been no problems in the MPS hardware attributable to hydrogen embrittlement. In 1991 and 1996, the GH2 temperature probe and flow control valve, respectively, were inspected down to the individual piece part level and there was no evidence of hydrogen embrittlement. Since orbiter MPS materials were selected to preclude hydrogen embrittlement and it has been verified in limited inspections that no hydrogen embrittlement has occurred, a detailed, comprehensive, invasive inspection will not be performed (the configuration does not permit 100 percent inspection, even if desired). While hydrogen embrittlement is not a concern for MPS hardware, detailed inspections of all hardware removed for failure analysis will continue to look for signs of hydrogen embrittlement such as cracking and fatigue. These inspections will provide a periodic check for the onset of any potential failure mechanism, including hydrogen-related damage.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-1: Standard repairs on CRIT 1 components should be completely documented and entered in the Problem Resolution and Corrective Action system.

SSP Response (Abbey/Dittemore, 21 June 2000): All repairs (standard and nonstandard) are entered into either the Problem Reporting and Corrective Action (PRACA) system or lower level nonconformance systems per Space Shuttle Program (SSP) requirements; all require resolution, corrective action, recurrence control, and accommodate trending, tracking, and risk mitigation.


Additionally, a requirement is being added program wide to assure that all standard repair (SR) dispositions are uniquely coded in a consistent manner across the existing systems to provide easy access to the SR data base. The PRACA Evaluation Team (PET) will address this issue and recommend PRACA enhancements or structure changes as required.

Additionally, the SSP will review program requirements pertaining to disposition and recording of SRs on criticality 1 components.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-2: The criteria for and the tracking of standard repairs, fair wear and tear issues, and their respective FMEA/CILs should be re-examined.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP criteria for SR's are contained in NSTS 5300.4(1D-2), Safety, Reliability, Maintainability, and Quality Provisions for the SSP, Section ID506. An SR is approved by a Material Review Board (MRB) to repair a nonconformance condition that shows a history of repetition and does not return material/hardware to drawing configuration. Space Shuttle MRBs and Program Material Review Board (PMRB) are authorized by NSTS 07700, Volume IV, Section 4.3.2.9, to disposition repairs per the process identified in NSTS 5300.4(1D-2), Section ID506. Any disposition, including SRs, by the MRB of a nonconformance affecting criticality 1 or 2 failure modes must be submitted to the PMRB with an impact/no impact statement regarding the critical failure modes. If critical items list (CIL) waiver retention rationale for the hardware is affected, the disposition must be approved by the Program Requirements Control Board (PRCB). Fair wear and tear (FW&T) criteria for flight hardware are defined by the design Center and specified in the design drawings. FW&T items are parts or equipment exhibiting minor or cosmetic external defects generally attributed to handling or usage. All dispositions under SR or FW&T criteria are verified by the design project for compatibility with the certified operating environments applicable to the hardware item.

All projects have data systems and procedures in place for documenting approved SR's and FW&T items. Criteria for tracking the occurrence of nonconformances, including those dispositioned as SR's, are defined in NSTS 08126, PRACA System Requirements. Currently no dedicated data field is assigned in PRACA for SR closures, and a text search must be made within the closure field to identify those nonconformances dispositioned as SRs.

The SSP currently has an action in work to readdress the NSTS 08126, PRACA System Requirements, across the program per Shuttle Independent Assessment Team (SIAT) recommendation. In addition, initiatives are in work that will enable electronic and query of SSP PRACA data (established per NSTS 07700, Vol. XI) by all SSP elements via the Shuttle Flight Operations Contract (SFOC) Advanced Data Acquisition and Management (ADAM) Data Warehouse.


This action will be closed by verifying with each SSP element project that: (1) Documented procedures and instructions exist for defining SRs and FW&T items; (2) Procedures and data systems exist for tracking the occurrence of SR's and FW&T items within the project; (3) Procedures and criteria are in place for elevating to the PMRB dispositions involving hardware classified as criticality 1 or 2, and elevating to the PRCB dispositions affecting CIL retention rationale.

This verification effort is expected to be completed by October 2000.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-3: The SIAT recommends comprehensive re-examination of maintenance and repair actions for adequate verification requirements (e.g., visual, proof test, or green run).

SSP Response (Abbey/Dittemore, 21 June 2000): The Space Shuttle Main Engine (SSME) Project, Space Shuttle Vehicle Engineering Office (SSVEO), External Tank (ET) Project, Reusable Solid Rocket Motor (RSRM) Project, Solid Rocket Booster (SRB) Project, KSC Ground Operations (GO), and Space Shuttle Systems Integration Office have addressed this recommendation. All elements except the SSVEO have completed their assessment and implementation of any necessary corrective actions. The SSVEO is conducting a review of NSTS 08151, Intermediate and Depot Maintenance Requirements Document, maintenance and Boeing Reusable Space Systems (BRSS) SRs. Implementation of any corrective actions will be established as part of this review. All other elements have reviewed their repair/maintenance testing procedures and have determined that processes and appropriate testing are in place to verify adequacy of any repairs. The SSME Project determined, during the course of this review, that one type of nozzle tube repair had inadequate verification testing specified. The specification was revised to require acceptance test hotfire or proof testing prior to flight. All nozzles with this type repair have since been tested.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-4: The avionics repair facility should be brought up to industry standards.

SSP Response (Abbey/Dittemore, 21 June 2000): United Space Alliance (USA) is continuously evaluating initiatives in the area of safety, testing, repair, manufacturing, and facility improvements at the NASA Shuttle Logistics Depot (NSLD). The NSLD received the Occupational Safety and Health Administration's Standard of Excellence Star facility certification in 1997.

Test equipment is being upgraded on a continual basis. Automated test stations and commercial off the shelf (COTS) test equipment are utilized where appropriate, and computer systems have been rehosted to newer platforms. Examples of upgraded automated test equipment are for the heads up display electronics and orbiter cabling/crew compartment wiring special test equipment (STE). The STE is currently being evaluated at the NSLD for upgrade potential with priority placed on supportability improvements. Expert systems are a consideration in the equipment upgrade process.

Tracking of equipment failures and causes is documented in logbooks and the data are a consideration in the upgrade process. Troubleshooting and failure analysis plans for in-flight hardware failures are documented on a Corrective Action Report (CAR)/sub-CAR and are thoroughly discussed within the appropriate Problem Resolution Team (PRT). The PRT is a combined effort between system experts at KSC, NSLD, the appropriate design Center (JSC/MSFC), and vendors that allows technically complete, coordinated resolution of problems, including failure trends and causes, at the "hands on" level.

In the area of environmental controls, USA has instituted a strong campaign at the NSLD to help reduce potential electrostatic discharge (ESD) damage to flight and nonflight hardware (ESD safe floor wax, ESD safe binders, smocks, liners, etc.), made electrical grounding improvements throughout the facility, and upgraded the power drops and lighting in the Avionics Lab. Installation of an injected humidifier system in the avionics area has been approved, and implementation is currently in work. Other initiatives under consideration are power shut-off switches in the event of technician distress and use of insulated safety mats at workstations.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-5: Selected areas of staffing need to be increased (e.g., the Aerospace Safety Advisory Panel advised 15 critical functional areas are currently staffed one deep).

SSP Response (Abbey/Dittemore, 21 June 2000): The Office of Space Flight (OSF) has recently conducted workforce reviews of staff workload and skill deficiencies at its Centers and programs, with particular emphasis on the SSP. Findings of these reviews, coupled with those of external groups such as the SIAT and the Aerospace Safety Advisory Panel (ASAP), led to the decision to terminate downsizing. All four OSF Centers, JSC, KSC, MSFC, and SSC, are in the midst of large-scale efforts to replace skill losses and increase the number of entry-level professionals. NASA has a plan in place to hire over 500 new employees in fiscal year 2000. Although only a portion of these new employees will be dedicated to the SSP, this action will help fill some of the most critical skill shortages, enable us to stabilize our flight safety skills resources, and build our cadre of future leaders. It is imperative that sufficient resources, including new hires, be dedicated in support of the SSP.

Beginning in fiscal year 2001, the plan is to replace future losses on a one-for-one basis. In addition, the recruiting strategy is to emphasize the identification of critical skill shortages and make those the top hiring priorities. The goal is to hire 50 to 70 percent of new personnel at the entry level in an effort to revitalize the workforce with high-caliber, recent graduates. To allow some of the best junior- and mid-level personnel the opportunity to broaden their functional experience, the SSP has created rotational opportunities at several Centers where they can gain experience at the program level. This early exposure to the significant operational and programmatic management challenges will enable them to enhance the flight safety critical process skills in the near term, and will better equip them to serve in leadership roles in the future.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-6: The SIAT recommends that the SSP implement the Aerospace Safety Advisory Panel recommendations. Particular attention should be paid to recurring items.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP seriously considers all ASAP recommendations and responds in a timely fashion to those within program authority. The SSP provides to NASA Headquarters management, through an established review/assessment process involving Center review, a thorough and comprehensive input for use in the development of an overall NASA agency response to all ASAP recommendations. These SSP inputs provide the current status of activities implemented to address the specific issue and/or the needed implementation actions and plans to address each ASAP recommendation. It should be noted that specific implementation of ASAP recommendations is not always possible by the SSP, as the issues often deal with Agency-wide issues (such as manpower levels) or integration complexities with external influences that are beyond the immediate control of the SSP. The SSP, while striving to implement appropriate recommendations, must deal with and address solution complexity, implementation time, and the availability of resources all within the framework of successfully carrying on the continued operational responsibilities and development commitments of the SSP. In all cases, the ASAP is well informed and briefed on the circumstances surrounding their recommendations. All recommendations are tracked, and the ASAP readdresses each year those issues/concerns that it considers open from the previous year, thereby, invoking an appropriate new/updated response through established processes.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-7: The SIAT believes that Aerospace Safety Advisory Panel membership should turnover more frequently to ensure an independent perspective.

SSP Response (Abbey/Dittemore, 21 June 2000): The following paragraph is the ASAP response to this recommendation. It is important to note that this text is taken directly from the ASAP’s “Plan for Assessment and Replenishment of the Membership of the Aerospace Safety Advisory Panel.”

“The ASAP is chartered to provide independent safety oversight of NASA's programs and day-to-day activities, particularly those related to human flight. In order to cover adequately the range of activities in which NASA engages, the Panel needs a highly experienced and technically diverse corps of members and consultants. The historical effectiveness of the Panel has stemmed in part from the continuity of its membership. Even for experts in the aerospace industry, it takes a significant amount of time to become familiar with the NASA programs, their management and technical personnel and how the programs are managed and operated. The primary recruitment goal of the ASAP is therefore to identify the best possible members and consultants in each needed discipline who are likely to remain with the Panel for a significant period. The exception to this is for consultants recruited only for a specific, unusual task that is not expected to endure or recur.”

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-8: The root cause(s) for the decline in the number of problems being reported to the Problem Resolution and Corrective Action system should be determined, and corrective action should be taken if the decline is not legitimate.

SSP Response (Abbey/Dittemore, 21 June 2000): All the SSP elements reviewed their PRACA data to determine if their project experienced a decline in problem reports (PRs) and, if so, to determine the root cause. The SRB Project and the ET Project have not experienced declines but have seen steady or increased report activity tracing back through at least 7 years of PRACA history. The RSRM Project, SSME Project, and the SSVEO have experienced declines in PRACA reports over at least the last 5 years.


The RSRM Project, through increased technical understanding, design improvements, and tighter process controls, has experienced a continual decrease in reportable conditions. As the requirements for identifying reportable conditions have remained unchanged and the noted trend understood, no corrective action is under consideration at this time. The RSRM Project is extensively involved in postfire data evaluation and trending. The postfire anomaly data base and trending data bases extend the requirements for documentation to an additional level of detail. Although the problem reporting frequency to PRACA has decreased over time for the RSRM Project, the intensity and detail of the postfire evaluation and potential problem tracking have not diminished.

The SSME Project has seen a decline since 1993 and ascribes this in part to clarifications in 1993, 1998, and 1999 of their PRACA problem reporting criteria (the Unsatisfactory Condition Report (UCR)). The SSME Project attributes most of the downward trend to block engine improvements and effective response to issues and problems. The data on UCR's can be sorted by failure type and by component to a high degree of granularity, substantiating that their decline is attributed to effective implementation of corrective actions.


The SSVEO reviewed the decline in their PR's and attributes this to several legitimate factors. In 1994, KSC GO was authorized to use FW&T specifications, which allows acceptance of "cosmetic nonconformances" without remedial action and the attendant PR. There has also been a series of Memorandums of Understanding (MOUs) implemented for the SSVEO to reduce the number of problems reported to the design Center. These are utilized by the SSVEO technical community to document certain types of recurring hardware problems that are well understood by the design team and for which some type of corrective/remedial action has already been identified and approved. Both FW&T specifications and MOU implementation correlate with a corresponding decline in PR's. The SSVEO also cites that vehicle level testing has been reduced with each revision to the Operations and Maintenance Requirements and Specifications Document (OMRSD). As vehicle design, configuration, and processing techniques have matured, fewer modifications are being performed resulting in fewer overall problems.

The SSVEO has initiated an internal study of the incoming PRs to determine if there is a significant reduction from any one of the reporting sites that would indicate where the reduction is primarily originating. This study will be completed by September 2000. The PET is also investigating this issue across all the elements and will verify these initial assessments and recommend process changes if deemed necessary. It should be noted that with the observed decline in PRACA PRs, there has also been a corresponding reduction of inflight anomalies (IFA), which would indicate to the SSP an overall improvement of the Space Shuttle system.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-9: The root cause(s) for the missing problem reports from the Problem Resolution and Corrective Action system concerning Main Injector Liquid Oxygen Pin ejection, and for inconsistencies of the data contained within the existing problem reports should be determined. Appropriate corrective action necessary to prevent recurrence should be taken.

SSP Response (Abbey/Dittemore, 21 June 2000): A detailed search and review of the PRACA data base revealed 10 of the 12 engines that experienced ejection of liquid oxygen (LOX) post pins were documented in PRACA. The two omissions (engine 0006 in 1980 and 0110 in 1981) occurred before the baseline release of PRACA system requirements in 1982. The limited search capability in PRACA hindered the SIAT's ability to perform a comprehensive search. Criticality categorization differences assigned to SSME PRs (known as UCRs) and differences in interpretation of the event by the report generator contributed to the inconsistency observed in the finding. One interpretation assigned criticality based on the consequences associated with failure of the LOX post that was pinned (criticality 1 or 1R) and not the observed consequences of the LOX post pin ejection (benign or criticality 3). Rocketdyne has a handbook on UCR procedures and conducts training and monthly audits of the system. The UCR form has evolved over time with additional fields created to standardize part identification and failure source. The UCR handbook and the training will be revised to ensure coding consistency and the form will be reviewed to consider if additional fields could further clarify and standardize the information recorded. The PET is also addressing advanced software improvements and data base management techniques that will aid consistent, complete data entry and enhance the search/trending capabilities of PRACA.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-10: A rigorous statistical analysis of the reliability of the problem reporting and tracking system should be performed.

SSP Response (Abbey/Dittemore, 21 June 2000): After discussions with the author of this recommendation, Dr. Tina Panontin, a plan was developed for a rigorous statistical sampling of the problem reporting and tracking system.

A statistically significant sample of PRs (~900 total) spanning the last 5 years for the vehicle, Government furnished equipment, MSFC, and KSC PRACA systems will be analyzed by the JSC, MSFC, and USA quality organizations. A standardized statistical methodology will be developed to assure consistent analysis across the PRACA systems. The corrective actions applied to the sampled reports will be evaluated for effectiveness and any errors found in the review will be categorized and assessed for significance. The plan to accomplish this will be presented to the PRCB in 2 months.


Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-11: Reporting requirements and processing and reporting procedures should be reviewed for ambiguities, conflicts, and omissions, and the audit or review of system implementation should be increased.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP established a PET in February 2000. The team includes members from all SSP elements, projects, the SSP Office, and the Ames Research Center (ARC). The PET addressed this recommendation, as well as the findings from all PRACA audits completed over the past year. A review of program-level requirements has been completed. The revised requirements will be published in September 2000. All SSP project and element offices will follow up with a review of their PRACA requirements and processes to ensure compliance with the revised SSP requirements. The PET provides periodic status to the program at the PRCB. In addition to completing the PRACA requirements review, the PET will determine appropriate changes to improve the software systems for data entry, trending, and analysis. This PET will investigate utilizing state-of-the-art data base designs and techniques. To support this effort, the ARC established a pilot project investigating improved PRACA system automation and state-of-the-art data base design. Software upgrade review and implementation is scheduled for completion in August 2001.


Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-12: The SSP should revise the Problem Resolution and Corrective Action database to include integrated analysis capability and improved problem classification and coding. Also, improve system automation in data entry, trending, flagging of problem recurrence, and identifying similar problems across systems and sub-systems.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP established a PET in February 2000. The team includes members from all SSP elements, projects, the SSP Office, and the Ames Research Center (ARC). The PET addressed this recommendation, as well as the findings from all PRACA audits completed over the past year. A review of program-level requirements has been completed. The revised requirements will be published in September 2000. All SSP project and element offices will follow up with a review of their PRACA requirements and processes to ensure compliance with the revised SSP requirements. The PET provides periodic status to the program at the PRCB. In addition to completing the PRACA requirements review, the PET will determine appropriate changes to improve the software systems for data entry, trending, and analysis. This PET will investigate utilizing state-of-the-art data base designs and techniques. To support this effort, the ARC established a pilot project investigating improved PRACA system automation and state-of-the-art data base design. Software upgrade review and implementation is scheduled for completion in August 2001.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-13: All critical data bases (e.g., waivers) need to be modernized, updated and made more user friendly.

SSP Response (Abbey/Dittemore, 21 June 2000): An activity to convert critical data bases from the mainframe environment to web based user interfaces was initiated in FY98. The SFOC ADAM Data Warehouse is being utilized as the central repository using a web-based interface for searching and retrieving critical data. Currently, the SSP PRACAs, IFAs, critical hardware list, hazard reports, and time/age/cycle applications are completed and data are refreshed at least every 24 hours. The waivers, Space Shuttle integration accounting status system, launch commit criteria (LCC), and CIL will be incorporated into ADAM by December 2000. The completion of this activity will result in the data bases being updated and more user friendly.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-14: There are a number of cryogenic fluid mechanical joints and hot-gas mechanical joints that represent potential risks that should therefore be examined in detail.

SSP Response (Abbey/Dittemore, 21 June 2000): All cryogenic and hot gas joints currently receive extensive and continuing attention. This attention comes in the form of inspections, leak checks, problem trending, statistical process control (SPC) evaluation, and root cause problem resolution. The end result is that all hot gas and cryogenic joints are carefully monitored and controlled to ensure that the configuration flying is identical to that certified. Processes, inspections, and trending are in place to ensure proper installation and proper configuration. Furthermore, the projects have and are enhancing monitoring to identify trends in joint performance and manufacture before the trend becomes a problem.

The Space Shuttle uses a variety of hot gas and cryogenic joints. Many of these joints are not disturbed from flight to flight; a very small number are replaced with each launch. All joints were recertified during return to flight. A rigorous technical review, a review by the program manager, and a structured approval process assure modifications to the certified configuration receive proper engineering and management attention. Final approval for changes is received at the PRCB. There have been no significant changes to these systems from that certified for return to flight. The process for management review is documented in the NSTS 07700 documents.

The SSP PRACA system is used to record and trend problems associated with Space Shuttle hardware including the hot gas and cryogenic joints. For all elements of the vehicle there has been no adverse or unusual problem activity associated with hot gas or cryogenic joints. All problems are reviewed in detail at the project level for trending and root cause solutions.

For each flight, the entire vehicle, including the hot gas and cryogenic joints, undergoes comprehensive checkout and flight preparation as outlined in the OMRSD. The OMRSD and LCC are under program configuration control to assure appropriate and consistent testing of all equipment before launch. Testing and checkout of the joints are different depending on the particular system but include inspections, pressure checks, hot fires, and leak tests as appropriate.


The SSP, as well as the individual elements, employs a system of audits and inspections that ensure new hardware is manufactured in accordance with the requirements. While most of the cryogenic and hot gas joints are not changed on a routine basis, some very critical joints are new for each flight. It is very important that process drift or other inadvertent changes do not result in changes to the certified configuration of the joints. SPC, inspections, and process audits are routinely accomplished and reviewed to identify process changes or out of family occurrences and assure component compliance with engineering requirements.

Each of the elements was asked to review their program for any unique criteria associated with their joints. The SSVEO has undertaken an effort to review all orbiter main propulsion system (MPS) and power reactant storage devices CILs. The intent is to ensure that failure modes are still accurate and that CIL retention rationale is still valid. All problems are documented in PRACA. The only significant PRACA entries concerning MPS leaks were associated with hydrogen leaks resulting in the scrub of STS-35 and STS-38 (1990). These problems resulted in an improvement to the 17" disconnect components and have resulted in significantly reduced instances of "measurable" hydrogen leakage.


The SSME Project uses a fleet leader process so that flown configurations never exceed 50 percent of the fleet leader experience. Engines to be flown are first run in their final configuration. In addition, the engines undergo an extensive array of leak testing to ensure joint integrity. Routine inspections are accomplished to assure manufacturing compliance with engineering specifications. SPC is used in the manufacturing process to identify trends and out of family hardware.

The RSRM Project performs extensive examination of the postflight performance of the joints within the motor. Reused components undergo extensive nondestructive evaluation (NDE), proof testing, and inspection to ensure that the components still satisfy engineering requirements. The entire refurbishment and build process undergoes an annual NASA Engineering Quality Audit (NEQA) to assure process integrity. SPC is one of the tools used to monitor and highlight changes in the build process. Independent review teams are used to review process and out of family occurrences.

The SRB Project has only hot gas joints associated with the hydraulic power unit. These joints undergo visual inspections and pressure decay tests to identify any leakage. Each new configuration is hot fired in its flight configuration to assure joint integrity. Routine management review of trends and problems is used to identify areas for special attention.


The ET Project has a process that reports nonconformances and problems to the management level for review and action. SPC is currently in place at some areas within the assembly process but is being more fully implemented even at the subcontractor level.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-15: All internal Foreign Object Debris (e.g., pins) occurrences during the program should be listed, with pertinent data on date of occurrence, material, and mass. The internal Foreign Object Debris FMEA/CILs and history should be reviewed and the hazard categorized based on the worst possible consequence.

SSP Response (Abbey/Dittemore, 21 June 2000): To address this recommendation, Rocketdyne reviewed SSME design-generated foreign object debris (FOD). The design FOD analysis accounts for some degree of normal wear and tear, postulates internal sources such as breakage or loose pads, and analyzes the ensuing consequences. As stated by SIAT, Rocketdyne has an aggressive FOD-prevention program at their manufacturing and assembly plant that addresses other FOD sources. After reviewing all design-generated FOD in the program history (169 analytical cases), all had the correct failure modes and effects analysis (FMEA)/CIL and hazard assessment. All engine components were reviewed and a data base was created that includes FOD source, failure date, material, mass, disposition, FMEA/CIL or hazard reference, correct criticality assigned (yes/no), and a descriptive comment. All UCRs and material reports were reviewed for design-generated FOD and documented in this data base (over 1,000 entries). Every reported occurrence of FOD in the program requires the original analysis to be expanded and continually adds to the FOD knowledge base.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-16: Any type of engine repair that involves hardware modification - no matter how minor (such as liquid oxygen post pin deactivation) - should be briefed as a technical issue to the program management team at each Flight Readiness Review. The criticality of a standard repair should not be less than basic design criticality, based on worst-case consequences, and all failures of standard repairs should be documented and brought to the attention of the Material Review Board.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP requires all projects to control, report, and review significant modifications, repairs, and process changes. The requirements are contained within the various volumes of NSTS 07700 and referenced documents, namely, Volumes IV and XI; MVP 01; NSTS 08117; and NSTS 5300.4(1D-2) are the primary sources. These requirements can generally be categorized into information required at program reviews, configuration management (CM), and hardware nonconformance.

To address program review requirements, NSTS 08117, Requirements and Procedures for Certification of Flight Readiness, requires that each participating project element identify changes since the last mission at each of the program milestone reviews. There is also a generic requirement for all elements to identify significant changes to the configuration baseline, including vehicle servicing and hardware manufacturing critical processes.


The program requirements for CM are defined in NSTS 07700, Volume IV, Book 1, Revision K, Configuration Management Requirements. This document defines the requirements, responsibilities, and procedures for all SSP elements/projects in the application of CM.

The requirement for acceptance baseline configuration descriptions states that baseline configuration description shall describe and identify the as-designed configuration with exceptions that reflect the as-built and accepted configuration of an end item.

Differences between the as-designed configuration and the as-built configuration must have NASA approved deviations or waivers or PMRB dispositions. Any changes to the acceptance baseline configuration must have the approval of the SSP or delegated program element/project. Configuration control of accepted flight hardware/software, including delegated authority, is defined in Volume IV. After a baseline is established, the process precludes any unauthorized configuration changes to that baseline. A procedure is defined to ensure that each proposed change to the baseline is completely described (including impacts); is thoroughly coordinated, reviewed, and evaluated; and is authorized and implemented in an approved manner. Additional requirements can be found in NSTS 07700, Volume XI, System Integrity Assurance Plan. Generally, hardware repairs that are not returned to print are defined as a baseline nonconformance. Modifications can be defined as baseline configuration changes. The difference between the two is that a modification is a revision to the baseline and a nonconformance is a restricted/limited deviation from the baseline and, based on predetermined screening criteria, may require program approval.

Hardware nonconformances are regulated by two program documents. NSTS 5300.4(1D-2), Section 1D506, provides for repair or disposition of nonconforming hardware prior to Government acceptance. After acceptance by the Government, NSTS 07700, Volume IV, Book 1, Revision K, Configuration Management Requirements, Paragraph 4.3.2.9, Space Shuttle Material Review System, is the controlling document.

Both documents require the establishment of a material review (MR) process. However, the NSTS 5300.4(1D-2) MR process does not require elevation of nonconformances to the program. It does require elevation to the NASA contracting officer based on specific criteria.

For Government-accepted hardware, the Volume IV, Book 1, MR process includes criteria for MR dispositions of nonconformances that must require program approval by the delegated configuration control board which is the PMRB. The SSP also delineates criteria for elevating a nonconformance beyond the PMRB to the PRCB.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-17: The design and the post Solid Rocket Booster recovery inspection and re-certification for flight should be looked at and analyzed in careful detail by follow-on independent reviews.

SSP Response (Abbey/Dittemore, 21 June 2000): The SRB Project has recently accomplished a NEQA. The RSRM Project conducts annual NEQAs at the prime contractor's facility and recently completed an audit in August 2000. These sessions cover a broad range of topics, including the design, recovery, and recertification process. In addition, the RSRM Project has pursued additional independent assessments on this same subject by teams comprised of senior level retired experts from industry and NASA with no significant issues identified. Finally, both projects are presently in the formulation process of establishing independent review teams to accomplish SIAT-type reviews on the individual projects. Team members will again be senior people having extensive knowledge and background experience relative to both Space Shuttle and SIAT-type reviews.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-18: The inspection and proof-test logic to screen for flaws or cracks in the Super-Light-Weight Tank should be reviewed in light of the reversal in fracture-stress-against-flaw-size between room and cryogenic temperatures.

SSP Response (Abbey/Dittemore, 21 June 2000): The super-lightweight tank (SLWT) parent material and welds are made of 2195 aluminum-lithium alloy. The proof test and nondestructive test (NDT) logic used to screen for flaws or cracks in aluminum 2195 was extensively reviewed and accepted by a number of independent review teams. The logic was thoroughly reviewed and approved by the NASA MSFC Fracture Control Board with assistance from experts at other NASA Centers and industry. This topic was also a primary focus of the 1996 ASAP review of the ET Project. An independent verification team, a design certification review board, and the ASAP all concurred that the logic to certify and accept the SLWT was adequate, with full knowledge of the reversal phenomenon. The ET Project discussed the concerns cited in the SIAT report with SIAT member, Dr. James Newman of the NASA Langley Research Center. After this review, and based on the extensive previous reviews, all participants are confident in the NDT and proof test logic used to assure mission success on the SLWT.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-19: The SSP should explore the potential of adopting risk-based analyses and concepts for its critical manufacturing, assembly, and maintenance processes, and statistical and probabilistic analysis tools as part of the program plans and activities. Examples of these analyses and concepts are Process FMEA/CIL, Assembly Hazard Analysis, Reliability Centered Maintenance, and On Condition Maintenance.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP utilizes numerous analytical techniques and processes to determine and manage risk. Program requirements contained within NSTS 07700 specify the use of analytical methods in all aspects of program execution. SPC, process FMEA, hazard analysis, reliability centered analysis, and other techniques are implemented to various degrees across all program elements.

The SSP has continued to explore the potential adaptation of various quantitative risk analysis (QRA) processes. The System Safety Review Panel, with representatives from all program elements and safety, reliability, and quality assurance organizations, will review current probabilistic risk assessment/QRA techniques being utilized and determine an approach which maximizes value to risk management. The development of a QRA program standard and an implementation approach will be provided in the February 2001 timeframe. This will include methods of CM of integrated models, interface responsibilities, technical/managerial review processes, and processes for determining threshold decisions. With this information, a final evaluation of value-added will be conducted and the final recommendation presented to the SSP PRCB by April 2001.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-20: Failure analysis and incident investigation should identify root cause and not be artificially limited to a sub-set of possible causes.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP history demonstrates extensive experience and success in the conduction of failure analysis. These analyses are typically driven to the lowest practical level of potential cause for review. However, the SSP has taken steps to ensure that training syllabuses associated with failure analysis and root cause analysis have had increased emphasis placed on the importance of thorough root cause determination. Within the last year, SSP management level, team lead level, and analyst level personnel have attended root cause analysis training. The majority of contractor employees have also received similar training as part of their ISO certification process. The SSP will verify that program elements have received root cause and failure analysis training by December 2000. Emphasis on accuracy of root cause analysis and clarification of the definition of cause at the lowest level responsible for the problem are being incorporated within the current revision to NSTS 08126 (SSP PRACA requirements) which is planned to be implemented by November 2000.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-21: Software requirements generated by Shuttle system upgrades must be addressed.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP believes it is meeting the intent of this recommendation. For each new Space Shuttle system upgrade, a review of existing software systems will continue to be accomplished to ensure the proper tradeoffs are performed to correctly integrate the new systems into the existing Space Shuttle architecture. All software modifications will utilize the mature, proven processes that have delivered safe, robust flight software in the past. Software changes identified will be scheduled for implementation, verification, and installation in a timeframe consistent with the installation date of the new Space Shuttle system upgrades. Workforce augmentation and training are planned to support upgrade driven software development, minimizing impact on the current operational software efforts. The SSP is assigning the responsibility for management of these internal software requirements to the appropriate upgrade project's organization. The SSP is confident that this approach will address upgrade driven software modifications without adding undue risk to the program or crew.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-22: Enhanced software tools should be considered for potential improvements in reliability and maintainability as systems are upgraded.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSP will continue to implement reliability and maintainability enhancements through the use of new/revised software tools and methods both to existing systems and in new platforms. The Space Shuttle flight operations contractor's standard software maintenance processes continually evaluate process improvements, including enhanced custom tools and COTS tools through formal methods. Recent improvements include conversion of data bases from hierarchical to relational, special risk analysis tools/methods, and reconfiguration data generation enhancements. As part of the cockpit avionics upgrade (CAU), the flight software contractor (USA) is examining current processes, procedures, and tools for potential improvements in productivity while maintaining or improving reliability and maintainability. Specifically, CAU is evaluating COTS real time operating systems, software development environments, and display generation tools for use in, and development of, the new command and display processor flight software. The SSP is confident that the use of these COTS products will improve reliability and maintainability without adding risk to the program.


Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-23: An assessment of using lower fatigue-crack-growth thresholds and their impact on fracture critical parts or components needs to be reviewed to establish life and verify the inspection intervals. Retardation and acceleration model(s) should be used to assess the type of crack-growth history under the Orbiter spectra.

SSP Response (Abbey/Dittemore, 21 June 2000): NASGRO fracture mechanics analysis is the methodology and computerized tool used for all vehicle life predictions and inspection intervals. The crack growth threshold is a test derived quantity that is one of many terms in the NASGRO crack growth equation. The NASGRO crack growth rate equation has a number of empirical coefficients, including the crack growth threshold, which is derived so that the equation matches test data. The current NASGRO equation obtains its threshold values according to the standard American Society for Testing and Materials methods. After incorporating the threshold value into the NASGRO equation, the other empirical parameters are derived to conservatively fit the material test data. If the crack growth threshold was lowered, then the other four parameters would be adjusted accordingly to still conservatively fit the material test data. Comparing the new version versus the current version of NASGRO, both would yield nearly identical results for the exact material test data.

Retardation and acceleration were intentionally omitted from the NASGRO analysis to provide a more conservative prediction for the vehicle application. The two occur together and are interrelated. Retardation (beneficial to life) is the dominant effect in aerospace applications and will be in effect on a larger number of the cycles than will acceleration. Aerospace industry experience has confirmed that ignoring retardation/acceleration is conservative. Aircraft users of NASGRO have stated that their designs could not tolerate the conservatism of the nonretardation version used on the vehicle. The SIAT concurred that for most aircraft spectra, omitting acceleration is conservative. Flight data have verified that the vehicle spectra is similar to other aircraft spectra and, therefore, does not have any extreme ordering of cycles that would make it an exception.

There has been more than 20 years of NASGRO experience in worldwide applications including the U.S. Navy, the U.S. Air Force, Boeing, Lockheed Martin, Grumman, Sikorsky, Raytheon, and United Technologies Corporation, all with no indication of under-conservative predictions. The SSVEO has high confidence in the current approach used to apply NASGRO analysis to vehicle structural life.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-24: Assessments of the impact of any new Orbiter flight loads on structural life should continue as responsibility for the Orbiter structure is transferred to the contractor.

SSP Response (Abbey/Dittemore, 21 June 2000): The JSC Engineering Directorate, Structures and Mechanics Division (SMD) will actively participate, in a leadership role, in any new design loads cycle for the orbiter. An example of this type of activity would be the recently completed performance enhancement program, which significantly changed orbiter loads during ascent. These changes affected loads, stress, and structural life certification. In addition, SMD will routinely monitor and review the annual Structural Life Tracking Report produced by USA/Boeing to ensure that the orbiter continues to be operated within the certified boundaries for mission life certification. The Structural Life Tracking Report, Boeing document RSS99D0510A, tracks key structural parameters from mission to mission for each orbiter and is published for review every year.

Space Shuttle Independent Assessment Team (NASA Charter), 7 March 2000

Recommendation 3I-25: The Orbiter Corrosion Control Review Board should consider incorporating the framework suggested by the Federal Aviation Administration for Corrosion Prevention and Control Plans of commercial airplane operators into their corrosion database to provide focus to the more serious occurrences of corrosion.

SSP Response (Abbey/Dittemore, 21 June 2000): A review of typical corrosion prevention control plans (CPCPs) (DC-9/MD-80/747) revealed that the SSVEO covers the intent of this document by other methods. A CPCP defines corrosion levels as 1, 2, or 3, with the requirement that all level 2 or 3 corrosion be reported to manufacturer:

Level 1: Corrosion can be repaired within allowable limits
SSVEO: Repaired by Standard Repair Procedure (SRP)

Level 2: Corrosion is widespread or repair exceeds design limits
SSVEO: Requires MR activity; Reported to Corrosion Control Review Board (CCRB)

Level 3: Corrosion is a potential airworthiness concern
SSVEO: Elevated to Flight Readiness Review special topic

A CPCP establishes areas tobe inspected, inspectionintervals, methods ofinspection, methods of repair,and methods for reapplicationof corrosion protection.Similarly, the SSVEQ relieson orbiter maintenance andrequirements specifications,orbiter maintenanceinstructions, SRPs, and anyresulting PR/MRdocumentation.

The Federal Aviation Administration (FAA) requires that manufacturers and operators maintain a data base showing location of corrosion (level 2 or 3), the parts affected, and the cause of the corrosion. The SSVEO utilizes the PRACA data base that includes all PR/MR activity for corrosion found on the orbiter fleet. In 1996, KSC representatives of the CCRB built a data base by searching for and pulling the pertinent items from the PRACA data base that covered the time period of 1983 through 1996. The CCRB has initiated another PRACA search to update their data base, and this activity should be completed by September 2000. The CCRB also maintains a corrosion data base on a NASA website that includes all significant issues reviewed by the CCRB. The SSVEO meets the recommendation with their existing mechanisms and procedures in place to satisfy the intent of a CPCP, which is to ensure that inspection and maintenance activities are sufficient to support flight safety.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-26: Hidden corrosion problems require a proactive inspection program with practical and reliable non-destructive evaluation techniques; at this point, this inspection is done on a randomized basis. An assessment of the impact of hidden (or inaccessible) corrosion and the repairs of identified corrosion on the integrity of the Orbiter structure should be made.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSVEO employs a rigorous, systematic, proactive inspection program. The OMRSD specifies areas to be inspected, inspection frequency, and inspection methods. The probability of hidden corrosion under the thermal protection system is considered to be extremely remote. Room temperature vulcanized material has been proven by test and experience to provide an excellent barrier against moisture. However, hidden corrosion in inaccessible areas continues to be a concern. The forward fuselage plenum is a prime example of this difficulty and recent discovery of significant corrosion on OV-102 Xo 582 frame highlights this problem. An assessment of structural risk in the areas of corrosion found generally high tolerance for corrosion damage in the forward fuselage area.

Various new (or improved) NDE techniques are constantly emerging. Promising NDE techniques include enhanced ultrasonic and eddy current techniques, reverse geometry x-ray, and others. However, virtually all techniques require some direct access to the target area. To ensure that the SSVEO is utilizing the full capability of the available NDE technology to address the issue of hidden corrosion, Boeing is establishing a Structures/NDE Task Team to investigate possible methods for inspecting inaccessible areas. The task team will be chartered to identify structural areas currently considered inaccessible, determine which areas warrant further study (based on low margins), investigate possible NDE methods, and attempt to validate the technology at Palmdale during the next orbiter major modification. Where corrosion has been identified, the integrity of the repaired structure is verified via the PR/MR process. SRP or MR documentation defines procedures for removing corrosion using methods that will not damage the material, for verifying the dimensions of the repaired area, and for restoring the required corrosion protection. Stress analysis verifies that the remaining material is sufficient or that further repairs (doublers) are required. If appropriate, design changes implemented as corrective action and corrosion prevention compounds are employed. The SSVEO meets the recommendation with existing processes to address general inspection and repair issues and by initiating a task team to address the inaccessible corrosion issue.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-27: Current wire inspection and repair techniques should be evaluated to ensure that wire integrity is maintained over the life of the Shuttle vehicles. Several new inspection techniques are available that use optical, infrared, or electrical properties to locate insulation and conductor damage, and should be explored for use on the Shuttle.

SSP Response (Abbey/Dittemore, 21 June 2000): BRSS and the orbiter electrical wiring (OEW) PRT have reviewed orbiter wiring inspection and repair techniques. A new course was developed for all avionics personnel to address wiring inspection and repair methodologies. New repair techniques have been developed, and existing repair methodologies were reviewed and upgraded where necessary. BRSS proposed a plan to the SSVEO Vehicle Engineering Control Board to examine existing and emerging test methods and associated equipment for testing wire integrity. BRSS will work with vendors and developers to determine the effectiveness of test equipment in categorizing damage conditions and identifying degraded insulation properties due to aging wiring. Special consideration will be given to the ability of the test equipment to be used in the vehicle with a minimum of intrusiveness. Additionally, the ARC recently completed a Wire Integrity Research (WIRe) Pilot Study that addressed automated verification and validation of vehicle wiring configuration and automated condition assessment for maintenance. SSVEO approval of the BRSS plan is pending the recommendations of the Ames WIRe Pilot Study that are expected at the end of August 2000. These two studies will contribute to the continued effort to ensure wire integrity across all the SSP elements.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-28: All CRIT 2 circuits should be reviewed to determine to what extent redundancy has been compromised in wiring, connectors, electrical panels and other electrical nexus points. The primary concern is that single point failure sources may exist in the original design or have been created by system upgrades or modifications.

SSP Response (Abbey/Dittemore, 21 June 2000): The SSVEO has initiated several actions since the STS-93 wiring problem to address wiring redundancy issues. Design changes are being implemented to eliminate single wire criticality 1/1 functions. A risk ranking of electrical criticality 1R2 items for nominal flight and criticality 1/1 items for aborts is being performed to assess which should be targeted for correction first. Interim design solutions are being developed to protect criticality 1R wires and eliminate critical redundancy routing violations in the fleet. The 1994 Wire Redundancy Separation Study is being updated to include design changes that have occurred since the initial study and assess routing violations for criticality 1/1 conditions. Since criticality 2 circuits do not cause loss of crew or vehicle by definition, they are lower in priority compared to the criticality 1/1 and criticality 1R2 circuits. The SSVEO believes the highest priority is to rectify the compromised redundant criticality 1/1 and criticality 1R2 circuits and will, therefore, continue to focus on the assessment and the implementation of those associated wiring modifications. In the future, when it becomes feasible, the SSVEO will perform an assessment of the criticality 2 and criticality 2R circuits, and based on the results of the assessment, appropriate design changes will be implemented.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-29: The Shuttle program should form a standing wiring team that can monitor wire integrity and take program wide corrective actions. The team should include technicians, inspectors, and engineering with both contractor and government members. The chair of the team should have direct accountability for the integrity of the Shuttle wiring. One area that should be evaluated is the techniques conductor that has not yet developed into an electrical short.

SSP Response (Abbey/Dittemore, 21 June 2000): The OEW PRT has recently been expanded to include additional NASA and contractor representation from the orbiter community. The position of project manager for orbiter wiring has been established and is authorized to direct the PRT tasks. Status is given weekly to the SSVEO. KSC has been tasked by the SSP to expand the scope of the PRT to include all flight elements. A formal charter will be developed with program reporting requirements defined and membership expectations outlined.

The OEW PRT is responsible to monitor all orbiter wire integrity issues and recommend corrective actions. The primary emphasis is on process controls, clarification of specifications, preventative wire protection (vehicle and ground support equipment), repair methodology, and wiring installation/modification concerns. This scope will be expanded to cover the entire SSP wiring community.

To remain proactive, the SSP provides representation at the Aerospace Wiring and Inert Gas Generator Meetings that address issues with wire integrity across the aerospace industry. The orbiter wiring inspection process was presented at the annual joint Department of Defense/FAA/NASA conference on aging aircraft. NASA ARC is conducting a wire study for the SSP, and BRSS is currently conducting tests to evaluate new inspection equipment that will assist in the detection of potential short circuits. The SSP is also planning updates to program wiring specification, inspection, maintenance, and repair documents to ensure recurrence is minimized.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3I-30: The long term use of primarily polyimide wiring should be minimized, and wire insulation constructions that have improved properties should be evaluated and compared to the current wire insulation used on the Shuttle program. Alternate wire constructions should be considered for modifications/repairs/upgrades.

There are several aerospace wire insulation constructions that can provide more balanced properties.

SSP Response (Abbey/Dittemore, 21 June 2000): BRSS performed a study of new wire insulation for potential vehicle uses. Testing was performed over a wide range of criteria comparing vehicle Kapton (polyimide) wiring with six other aerospace wire constructions. After reviewing the test results, the engineering and safety community concluded these alternate wire constructions did not surpass the overall performance of the vehicle's current Kapton wiring. The SSP plans to continue using Kapton insulated wire for vehicle harnesses based on its superior test performance but will continue to evaluate new wiring constructions as they are introduced to the aerospace community.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3L-1: Where redundancy is used to mitigate risk, it should be fully and carefully implemented and verified. If it cannot be fully implemented due to design constraints, other methods of risk mitigation must be utilized.

SSP Response (Abbey/Dittemore, 23 October 2000): The Space Shuttle Program (SSP) reviewed all documentation pertaining to redundancy requirements for flight, payload, and ground support hardware and software. This review verified that the requirements appropriately specify the method for identifying critical functions and hazards, the level of redundancy required to mitigate identified risks, the verification required of the redundancy approach, and the process to address risks that cannot be fully mitigated with redundant design. Every SSP element was involved in this review effort, confirming redundancy awareness and compliance across the program. These program level requirements and associated project level documents are kept current by a formal annual review and audit process.

Once risks have been characterized and redundancy measures implemented into the design, a verification of their functionality is necessary. The process for ensuring proper implementation and certification is defined in the Space Shuttle Master Verification Plan. Redundant functional paths or subsystems are designed so that their operational status can be verified prior to each installation into the vehicle or during ground turn-around without removal of line-replaceable-units. Each element defines their system redundancy verification requirements in the Operations and Maintenance Requirements and Specifications Document, and subsequently verifies that the requirements have been correctly implemented into technical work instructions. Successful execution of these work instructions for each Space Shuttle mission is verified at the Flight Readiness Review (FRR) via the Certificate of Flight Readiness (CoFR) process.

For those situations where resources and design constraints do not permit the full implementation of redundancy requirements, other methods of risk mitigation are utilized per the hazard cause reduction precedence. The risk of hazard is either eliminated by appropriate design measures, prevented by use of safety devices, controlled by use of warning devices, or avoided by using special procedures. Furthermore, critical functions are required to be separated, protected from failure from similar causes, able to be isolated without disrupting redundant functions, and able to be fault-isolated without disconnections.

To ensure compliance with all these requirements, the SSP formally directs every element to submit proposed hardware/software changes that impact baselined program risk, redundancy, or certification requirements to the Program Requirements Control Board (PRCB) for disposition prior to implementation. Hardware or software configuration or performance that deviates from baselined requirements must be submitted by the design element on a waiver for program consideration. A waiver documents the technical rationale for flight acceptability and effectivity, is dispositioned by the PRCB, and, if approved, is subsequently reviewed at the FRR per CoFR requirements.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3L-2: Serious consideration should be given to replacing the hydrazine power unit with a safer and easier to maintain advanced electric auxiliary power unit for the Thrust Vector Control hydraulic unit.

SSP Response (Abbey/Dittemore, 23 October 2000): NASA, United Space Alliance (USA), and Boeing-Reusable Space Systems (BRSS) are working to develop and implement an electric auxiliary power unit (EAPU) to replace the existing hydrazine auxiliary power unit. The overall objectives of the EAPU are to:

• Reduce auxiliary power unit (APU) contribution to orbiter catastrophic risk from 30 percent to less than 5 percent.

• Reduce APU criticality 1 items and hazards by more than 50 percent.

• Increase APU system reliability by at least two orders of magnitude.

• Reduce planned APU maintenance operations by more than 50 percent.

The phase I feasibility study is complete and the phase II prototype development is in work. The development of phase III preliminary flight hardware is in the process of being authorized.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3L-3: Due to obsolescence, Shuttle Reaction Control System propellant valves and propellant flight-half couplings should be replaced with ones that are more tolerant of the oxidizer environment.

SSP Response (Abbey/Dittemore, 23 October 2000): A BRSS study identified an improved reaction control system (RCS) pilot operated valve (POV) and received approval from the NASA Space Shuttle Vehicle Engineering Office (SSVEO) to begin qualification testing. The improved POV is designed to be more tolerant of oxidizer-derived contamination by reducing the poppet cage contact area and increasing propellant flow through. The pilot poppet, pilot seat, and main seat materials were also changed to a more corrosion resistant stainless steel. The qualification program will be completed in early 2003, and implementation will be on an attrition basis.

The qualification program for the redesigned 1Ainch and _inch orbital maneuvering system and RCS air-half couplings is complete and certification approval was received from the SSVEO. The redesigned flight-half couplings were made more tolerant of oxidizer-derived contamination by reducing the sliding surface area and changing the poppet material from stainless steel to titanium. Oxidizer exposure tests verified the redesign measures. The redesigned parts will be installed on an attrition basis.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3L-4: The Problem Resolution and Corrective Action system should be revised using state-of-the-art database design and information management techniques.

SSP Response (Abbey/Dittemore, 23 October 2000): The SSP established a Problem Reporting and Corrective Action (PRACA) Evaluation Team (PET) in February 2000. The team includes members from all SSP elements, projects, the SSP Office, and the Ames Research Center (ARC). The PET addressed this recommendation, as well as the findings from all PRACA audits completed over the past year. A review of program-level requirements has been completed. The revised requirements will be published in September 2000. All SSP project and element offices will follow up with a review of their PRACA requirements and processes to ensure compliance with the revised SSP requirements. The PET provides periodic status to the program at the PRCB. In addition to completing the PRACA requirements review, the PET will determine appropriate changes to improve the software systems for data entry, trending, and analysis. This PET will investigate utilizing state-of-the-art data base designs and techniques. To support this effort, the ARC established a pilot project investigating improved PRACA system automation and state-of-the-art data base design. Software upgrade review and implementation is scheduled for completion in August 2001.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3L-5: Inspection technique(s) for locating corrosion under the tiles and in inaccessible areas should be developed. Inspection

SSP Response (Abbey/Dittemore, 23 October 2000): BRSS has established a structures/nondestructive evaluation (NDE) task team to investigate possible methods for inspecting inaccessible areas on the orbiter. The task team is chartered to ensure that the SSVEO is utilizing the full capability of the available NDE technology to address the issue of hidden corrosion. The team will identify structural areas currently considered inaccessible, target the low margin areas for further study, investigate possible NDE methods, and attempt to validate the technology at Palmdale during the next orbiter major modification. Various new or improved NDE techniques are constantly emerging. Promising NDE techniques include enhanced ultrasonic and eddy current techniques, reverse geometry x-ray, and others. However, virtually all techniques require some direct access to the target area. The probability of hidden corrosion under the thermal protection system is considered to be extremely remote because room temperature vulcanized material has been proven by test and experience to provide an excellent barrier against moisture.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3L-6: Consideration should be given to modifying the Shuttle internal hydraulic line routing to the mold line to permit efficient facility hydraulic hose connections.

SSP Response (Abbey/Dittemore, 23 October 2000): The SSVEO authorized BRSS to design the relocation of the orbiter hydraulic ground servicing quick disconnects (QD) and landing gear extend/retract QDs to a new panel at the mold line. The modification eliminates the need to carry hydraulic ground servicing equipment into the aft compartment, thereby reducing potential orbiter damage and improving vehicle turnaround time. The design has progressed through a preliminary design review and BRSS will come to the Vehicle Engineering Control Board (VECB) in October 2000 for implementation approval. Implementation will begin in November 2001, and all vehicles will be modified by February 2002.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3L-7: Non-intrusive methods of reliably detecting wiring damage should be developed, including those areas not accessible to visual inspection.

SSP Response (Abbey/Dittemore, 23 October 2000): BRSS has proposed a plan to the VECB to examine existing and emerging test methods and associated equipment for testing wire integrity. BRSS will work with vendors and developers to determine the effectiveness of test equipment in categorizing damage conditions and identifying degraded insulation properties. Special consideration will be given to minimizing orbiter intrusion with these testing techniques. Additionally, ARC recently completed a wire integrity research pilot study that addressed automated verification and validation of orbiter wiring configuration and automated condition assessment for maintenance.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3L-8: Quantitative methods of risk assessment (likelihood of failure) should be developed.

SSP Response (Abbey/Dittemore, 23 October 2000): The SSP agrees with SIAT that quantitative risk assessment is essential to fly the Space Shuttle safely. The SSP currently utilizes many quantitative techniques to determine and manage risk. Program requirements contained within NSTS 07700 specify the use of analytical methods in all aspects of program execution. Statistical process control, process failure modes and effects analysis/critical items list, fault tree and event tree analysis, hazard analysis, reliability-centered analysis, and other techniques are implemented to various degrees across all program elements. These methods assess the probability and severity of failures through all mission phases. The SSP has generated a wealth of statistical and analytical data in the last 19 years of flight history and continues to explore the potential adaptation of various quantitative risk analysis (QRA) methods. The System Safety Review Panel (SSRP), with representatives from all program elements and safety, reliability, and quality assurance organizations, is reviewing current QRA techniques and will determine an approach to quantitative risk assessment for the program. To date, several meetings have been held by the SSRP involving the upgrades program, the safety community, NASA Headquarters, MSFC, and KSC to identify and agree on the requirements and priorities of quantitative software packages to support SSP operations and upgrade trade studies. Four software tools have been identified and three expert consultants have assisted the SSP to narrow the choices with the current favorite being a package called Sapphire. USA is working with the program to develop a probabilistic risk assessment (PRA)/QRA center of excellence to assist in the effort. The development of a PRA/QRA program standard and an implementation approach will be provided in the February 2001 timeframe. The SSRP will then determine if a singular program-wide analytical methodology is the right solution, given the diversity and complexity of the SSP. A final evaluation will be conducted with the recommendation presented by the SSRP to the SSP PRCB in April 2001.

Space Shuttle Independent Assessment Team

(NASA Charter)

7 March 2000

Recommendation 3L-9: Quantitative measures of safety (likelihood of error), including assessment surveying techniques should be developed, e.g., Occupational Stress Inventory and MEDA.

SSP Response (Abbey/Dittemore, 23 October 2000): The Incident Error Review Board at KSC is an example of one mechanism in place to assess maintenance process errors. Like the maintenance error decision aid (MEDA) used by the commercial airlines, this board analyzes all contributing elements to determine root cause and to formulate corrective actions. However, this approach is reactive and, much like MEDA, has limitations in that only significant events initiate board reviews.

To be proactive, the SSP is aggressively incorporating human factor principles into the flight preparation process. The Space Shuttle Processing Human Factors Team and the USA Industrial Engineering and Human Factors Department were staffed to improve the SSP error management process. The two entities work cooperatively to share quantitative data, resources, and expertise to develop human factor concepts and perform on-site process analysis. Several initiatives underway include the Work Instruction Task Team that provides guidelines and training on effective procedure authoring and the Industrial and Work Space Design Team recently chartered to ensure human factors are incorporated in the engineering and ground system design processes. Both programs will have widespread effects in operations, maintenance, manufacturing, and design. A statistical analysis of the PRACA system is also underway to assess problem report entry and classification errors, with corrective actions to be implemented by the PRACA Evaluation Team.

USA commissioned Lord & Hogan, with the endorsement of the Shuttle Independent Assessment Team (SIAT), to administer an operational stress inventory and analysis. The results of the USA workforce surveys in Florida and Texas indicated positive results in the normal range compared to other companies in all categories of stress and coping behaviors. USA intends to conduct follow-on studies in approximately 2 years as a companion to the new baseline.

NASA Centers are in the process of conducting various workforce surveys such as the Employee Stress Survey (ESS) and the Performance Evaluation Profile (PEP). These results are compiled and presented to the SSP as a series of measurements. The ESS specifically deals with occupational stress factors and the ability of the workforce to deal with stress issues. The PEP focuses on both industrial and flight safety and serves to evaluate the performance of the safety program. The SSP will evaluate these results and, if necessary, take corrective actions.

To further these efforts, the human factor teams will be chartered to develop quantitative measures of human performance and propose plans to address improvements within the industrial engineering for safety initiative currently chartered by SSP directive.

Space Shuttle Independent Assessment Team (NASA Charter) | 7 March 2000

Recommendation 3L-10: Quantitative methods of risk assessment and safety (see above) need to be integrated to develop the ability to perform trade-off studies on the effect of new technology, aging, upgrades, process changes, etc., upon vehicle risk.

SSP Response (Abbey/Dittemore, 23 October 2000): The SSP agrees with SIAT that quantitative risk assessment is essential to fly the Space Shuttle safely. The SSP currently utilizes many quantitative techniques to determine and manage risk. Program requirements contained within NSTS 07700 specify the use of analytical methods in all aspects of program execution. Statistical process control, process failure modes and effects analysis/critical items list, fault tree and event tree analysis, hazard analysis, reliability-centered analysis, and other techniques are implemented to various degrees across all program elements. These methods assess the probability and severity of failures through all mission phases. The SSP has generated a wealth of statistical and analytical data in the last 19 years of flight history and continues to explore the potential adaptation of various quantitative risk analysis (QRA) methods. The System Safety Review Panel (SSRP), with representatives from all program elements and safety, reliability, and quality assurance organizations, is reviewing current QRA techniques and will determine an approach to quantitative risk assessment for the program. To date, several meetings have been held by the SSRP involving the upgrades program, the safety community, NASA Headquarters, MSFC, and KSC to identify and agree on the requirements and priorities of quantitative software packages to support SSP operations and upgrade trade studies. Four software tools have been identified and three expert consultants have assisted the SSP to narrow the choices with the current favorite being a package called Sapphire. USA is working with the program to develop a probabilistic risk assessment (PRA)/QRA center of excellence to assist in the effort. The development of a PRA/QRA program standard and an implementation approach will be provided in the February 2001 timeframe. The SSRP will then determine if a singular program-wide analytical methodology is the right solution, given the diversity and complexity of the SSP. A final evaluation will be conducted with the recommendation presented by the SSRP to the SSP PRCB in April 2001.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 1: The continuing downsizing at Office of Space Flight Field Centers, coupled with the effects of the prior hiring freeze and unplanned departures, has produced critical skills deficits in some areas, growing workload pressure and stress levels, and a serious shortfall of younger S&Es.

Recommendation 1: NASA must continue to address workforce problems aggressively and establish program priorities that ensure a workforce capable of achieving long-term safe and effective operations. Emphasis should be placed on eliminating critical skills shortfalls and recruiting younger S&Es who can develop into experienced and skilled future leaders.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 2: The combination of downsizing losses, hiring restrictions, and transition of responsibilities from NASA to contractors, such as USA, continues to limit the opportunities for junior and mid-level NASA managers to gain the operational knowledge and experience required for continued leadership in senior management positions.

Recommendation 2: Innovative arrangements between NASA and its contractors to provide entry-level and mid-level NASA S&Es with operational, “hands-on” experience should be strengthened and expanded. Project management training initiatives, such as the Academy of Program & Project Leadership (APPL), must strive to broaden their outreach to management teams and individuals at the Field Centers.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 3: The Space Shuttle Program Office has instituted a set of Process Control Focus Groups whose goal is to implement “best practice” commonality in change control procedures across all supplier tiers.

Recommendation 3: Focus the active and dedicated support of senior management of the major contractors and all their subcontractors on implementing the process control “best practices” as soon as feasible. NASA must be fully apprised of all process changes even if they result in a product that meets requirements.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 4: Although progress has been made to improve the quality, accuracy, and traceability of the work instructions (“paperwork” used in the processing of Space Shuttle Orbiters) much remains to be done to provide correct and unambiguous procedures. There are still too many unincorporated changes.

Recommendation 4: Efforts to improve the quality, accuracy, and traceability of the work paper as well as the timeliness of incorporation of changes to work instructions must be given higher priority by both NASA and USA in a coordinated, systematic effort.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 5: There is no systematic plan to counter obsolescence and assure the availability of adequate facilities, GSE, and specialized test-and-checkout equipment throughout the expected lifetime of the Space Shuttle.

Recommendation 5: Develop and execute a plan to ensure that all needed support and test-and-checkout facilities and equipment are assured available and protected from obsolescence for the maximum foreseeable life of the Space Shuttle.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 6: Space Shuttle processing workload is sufficiently high that it is unrealistic to depend on the current staff to support higher flight rates and simultaneously develop productivity improvements to compensate for reduced head counts. NASA and USA cannot depend solely on improved productivity to meet increasing launch demands.

Recommendation 6: Hire additional personnel and support them with adequate training.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 7: Due to attrition of experienced personnel, NASA and its contractors are assigning more newly trained personnel to Space Shuttle operations tasks. This has led to concerns in the workforce regarding the qualifications of some newly-assigned personnel.

Recommendation 7: NASA and its contractors must ensure that their training, certification, and task assignment processes are such that only suitably qualified engineering and technical personnel are performing Space Shuttle operations. Any training and licensing program to certify new personnel must include both testing of acquired skills and demonstrated proficiency on the assigned task.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 11: The EVA Project Office has several planned initiatives to ensure the availability of adequate EVA resources to support the ISS and Space Shuttle. These initiatives cover acquisition of materiel, development of procedures, and improved training.

Recommendation 11: Expedite completion of the planned initiatives related to the safety of EVA so that maximum benefit can be realized during the upcoming intensive ISS assembly schedule.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 12: The funding of the EVA R&T program is not adequate to provide the maximum safety benefit in terms of new equipment and procedures that lower the risk of extravehicular activities.

Recommendation 12: Fund a robust EVA R&T program.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 14: NASA has initiated an agency-wide program to deal with general computer security. Significant parts of NASA’s initial plan depend upon the voluntary compliance of system users including contractors.

Recommendation 14: Expand the agency-wide security system development work to include less dependence on human compliance with the system. NASA should also require contractors to participate in its security efforts.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 16: NASA has established an Avionics Upgrade Architecture Team (AUAT) charged with studying Space Shuttle avionics systems and recommending upgrades. The AUAT has conducted a thorough study and developed an excellent Block I upgrade plan that addresses the most serious needs, but as yet it is unfunded.

Recommendation 16: Proceed with full funding for the proposed Block I Space Shuttle avionics upgrades as rapidly as possible.

Aerospace Safety Advisory Panel (NASA Charter) | February 2000

Finding 17: Part of the AUAT’s initial approach is to install three mission computers to augment the existing General Purpose Computers (GPCs). The specific functions to be offloaded from the GPCs to the mission computers have yet to be determined. Eventually, the AUAT plans to consider moving some “Crit 1” functions to the mission computers.

Recommendation 17: Do not move any “Crit 1” functions to the mission computers unless memory requirements in the GPC demand it and then only after an appropriate risk analysis is performed.

NASA Office of Safety and Mission Assurance (NASA Charter) | 16 April 1999

The review team evaluated the assumptions, supporting data, and maturity of selected strategic initiatives (fifteen of the twenty-one Phase 2 initiatives) and arrived at an estimated savings of 224 as opposed to the USA/GO projection of 287. This 78 percent-yield (see Chapter 14, Table 14-1) suggests that USA/GO will achieve roughly three-quarters of their goal to increase flight rate capability from 5 flights-per-year to 8 flights-per-year.

NASA Office of Safety and Mission Assurance (NASA Charter) | 16 April 1999

The review team estimates that effective implementation of the USA/GO Strategic Initiatives will establish the capability to safely accomplish a steady-state flight rate of up to seven per year. Ultimate verification of processing capability can only be determined after analysis of actual steady-state flow performance.

NASA Office of Safety and Mission Assurance (NASA Charter) | 16 April 1999

The team noted that effective implementation has not yet been achieved in the safety-related Structured Surveillance Phase II initiative, where human-factors issues (communication, inspection dynamic, worker acceptance) exist. Increased USA management attention is warranted in this area. The inspection “work review process” must be acknowledged and accepted by the entire USA workforce as a critical element in assuring flight safety.

Aerospace Safety Advisory Panel (NASA Charter) | February 1999

Finding 1: Budget and personnel ceiling constraints on the hiring of engineers, scientists, and technical workers are moving NASA toward a crisis of losing the core competencies needed to conduct the Nation’s space flight and aerospace programs in a safe and effective manner.

Recommendation 1: Provide NASA’s human space flight Field Centers, particularly KSC, JSC, and MSFC, with the budgetary resources and administrative flexibility needed to strengthen their human resource capabilities.

NASA Response (in 1999 ASAP appendix): NASA concurs with the recommendation; and, we fully recognize the near heroic efforts at each of our installations that have brought us within striking distance of our downsizing targets. At the beginning of fiscal year 1993, the NASA employment level was 24,900 FTE. As a result of the March 1993 Executive Order to reduce Federal Civilian FTE by 100,000, the NPR recommendations and additional OMB directed cuts in 1994, NASA received an out-year target of 20,906. Additional budget reductions occurred that required us to initiate the Zero Base Review, which was completed in 1995. The ZBR recommended an FY 2000 FTE level of 17,488. Since that time we have carefully managed an FTE reduction to a planned 18,545 FTE for FY 99 and 17,970 for FY 00. Our final "go to" target is now 17,574 FTE for FY 04. Currently 7 of our 10 Centers are at or below our lowest "go to" numbers. To NASA’s credit, our accomplishments were achieved without resort to the ravages of a reduction-in-force. Voluntary losses to date include in excess of 4,500 buyouts, 1,300 early outs, and more than 800 intercenter transfers.

As a result of the downsizing challenges, we provided relief to the OSF Centers in the FY 00 budget process as follows: FY 99-153 FTE; FY 00-110 FTE; FY 01-103 FTE; FY 02-59 FTE; and, FY 03-68 FTE. This relief has enabled the innovative use of temporary and extended term appointments, as well as increasing the number of permanent hires available to fill critical skill positions. In addition, we are currently reviewing their request for additional relief, as identified in the recent Core Capability Assessment (CCA). OSF management has proposed several augmentation and/or hiring models that address both short and long term needs regarding replacement and enhancement of critical workforce competencies. One objective of the current CCA review is to help chart a strategy that will provide the OSF Centers with the requisite flexibility to attract and retain the core competency talent pool necessary to ensure safe mission and program success.

Aerospace Safety Advisory Panel (NASA Charter) | February 1999

Finding 2: Shortfalls in workforce training within both NASA and USA, caused by downsizing and the related difficulty of hiring new people to fill skill shortages, can jeopardize otherwise safe operations.

Recommendation 2: NASA and USA should review critical skills training and certification requirements and institute programs to ensure the full proficiency of the workforce and the safety of the products being released.

NASA Response (in 1999 ASAP appendix): NASA concurs in the recommendation and, in cooperation with USA, has already reviewed certification requirements for flight controllers, training instructors, and other key operating positions. Training plans and certification requirements for critical positions have been documented and maintained. For example, the management role in launch countdown and landing is supported by a well-defined training and certification plan. NASA and its contractors are continually reviewing critical skills training and certification requirements to ensure controls are in place to validate and ensure employee proficiency. Quality initiatives are being developed to provide improved processes for cross training, automated training tools, inline automated certification validation, and enhancements in the closed loop verification of operators and system operational performance. Meanwhile, training capacity for new employees, both NASA and contractor, has been increased through intensive simulator training at a new USA "training academy." A saturation-type training environment has been designed to improve training at the beginning of the regular certification process and produce employees better qualified for critical process work. In training and orientation programs, NASA emphasizes the priority of safety and the responsibility of employees to voice their concerns about inadequate assurances of safe products.

Aerospace Safety Advisory Panel (NASA Charter) | February 1999

Finding 3: The combined effect of workforce downsizing, the recent hiring freeze, and the SFOC transition, especially at KSC, has raised the possibility that NASA senior managers in the future will lack the necessary hands-on technical knowledge and inline experience to provide effective insight of operations.

Recommendation 3: NASA should develop and promulgate training and career paths, with a special focus on providing hands-on technical knowledge and experience, so that NASA’s future senior managers will possess the range of skills and experience required for effective insight of the SFOC.

NASA Response (in 1999 ASAP appendix): NASA concurs in the recommendation and is intensifying and refocusing its efforts in training and in support of career development at all levels. At the operating level, NASA managers are instructed to plan and to take advantage of all opportunities to obtain operational experience through audit, surveillance, and other interfaces to provide hands-on experience to NASA personnel.

(list with lots of detail omitted)

Additionally, employees are provided cross training and specialized training as needed and strongly encouraged to take advantage of program related training.

The key to developing future generations of senior managers is to provide hands-on experience, with progressively more responsible assignments through one’s career. Both NASA and the contractors continually seek improvements in the succession planning and preparations for the next generation of supervisors and managers.

Special consideration is given to assuring that broad training and hands-on operational/technical job assignments and opportunities are consciously addressed for promising candidates for future senior management positions. NASA’s training philosophy also emphasizes on-the-job work experiences supplemented by classroom instruction, participation in outside academic programs and industry through assignments in such private sector organizations as Boeing, Newport News Shipbuilding, and USA.

At the agency planning level, the training budget has provided for an increase of 20% for the Office of Space Flight from FY1997 through FY2000. Current agency Program Operating Plan (POP) guidelines call for funding training at 2-3.25% of salary levels, an extremely generous ratio for government and rivaling progressive private sector organizations.

The NASA Academy of Program and Project Leadership (APPL) is building on ten years of educational and developmental activities and is striving to facilitate the flow of current knowledge and techniques to the full engineering and science workforce. APPL is making available information and automated tools on-line and seeking to develop expert systems. APPL is also working directly to support intact teams with information and techniques and attempting to better organize case studies and archives into a more effective knowledge base.

The APPL program is also adding an Accelerated Leadership Option to the Project Management Development Process (PMDP) which will enable NASA engineers to obtain a Master’s of Science in Engineering and Management degree from MIT. APPL is continuing and expanding a multifaceted program of classroom work, developmental work assignments, and dissemination of information and guidance.

Finally, NASA is well along in an update of its Leadership Development Model; documenting the technical, managerial, and executive competencies required to direct the work of the agency through the foreseeable future. This model will guide the scope and emphasis of training and development programs, including a new approach to succession planning, to ensure that NASA’s leaders at all levels have the knowledge and skills to meet their responsibilities.

Aerospace Safety Advisory Panel (NASA Charter) | February 1999

Finding 4: It is often difficult to find meaningful metrics that directly show safety risks or unsafe conditions. Safety risks for a mature vehicle, such as the Space Shuttle, are identifiable primarily in specific deviations from established procedures and processes, and they are meaningful only on a case-by-case basis. NASA and USA have a procedure for finding and reporting mishaps and “close calls” that should produce far more significant insight into safety risks than would mere metrics.

Recommendation 4: In addition to standard metrics, NASA should be intimately aware of the mishaps and close calls that are discovered, follow up in a timely manner, and concur on the recommended corrective actions.

NASA Response (in 1999 ASAP appendix): NASA agrees with the recommendation. In addition to standard metrics, NASA is intimately aware of the mishaps and close calls and is directly involved in the investigations and approval of corrective actions. Current requirements contained in various NASA Center and contractor safety plans include procedures for reporting of mishaps and close calls. These reports are investigated and resolved under the leadership of NASA representatives with associated information being recorded and reported to NASA management. NASA is intimately aware of and participates in the causal analysis and designation of corrective action for each mishap. Additionally, NASA performs trend analysis of metrics as part of the required insight activities.

Definitions relating to "close call" have been expanded to include any observation or employee comment related to safety improvement. Close call reporting has been emphasized in contractor and NASA civil servant performance criteria and a robust management information system is being incorporated to monitor and analyze conditions and behavior having the potential to result in a mishap. Various joint NASA/contractor forums exist to review, evaluate, and assign actions associated with reported close calls. As an example, the KSC NASA Human Factors Integration Office leads the NASA/Contractor Human Factors Integrated Product Team (IPT) in the collection, integration, analysis, and dissemination of root cause and contributing cause data across all KSC organizations. The KSC Human Factors IPT is also enhancing the current close call process which includes tracking of mishaps with damage below $1000 and injuries with no lost workdays. The SSP has revised its Preventive/Corrective Action Work Instruction to include mandatory quarterly review of close call reports. Several initiatives are in place to increase awareness of the importance of close call reporting and preventive/corrective action across the SSP and the supporting NASA Centers and contractors.

Under this new approach to close call reporting, a metric indicating an increase in close call reporting and preventive action is considered highly desirable as it indicates an increased involvement by the workforce in identifying and resolving potential hazards. Care is taken in overemphasizing the number of close calls reported as a performance metric to prevent reluctance in reporting. NASA is working hard to shift the paradigm from the negative aspects of reporting close calls under the previous definition to being a positive aspect of employee identification of close calls under the new definition.

Aerospace Safety Advisory Panel (NASA Charter) | February 1999

Finding 5: A principal cause of Space Shuttle processing errors is incorrect documentation (“paperwork”).

Recommendation 5: NASA and USA must place increased priority on determining error sources, causes, and corrective actions for inadequacies in the documentation on which Space Shuttle processing is based and develop a management system that drastically reduces the time that it takes to incorporate paperwork changes.

NASA Response (in 1999 ASAP appendix): NASA concurs with the recommendation. NASA and USA have established metrics to identify the types of errors and error sources in the processing documentation. During daily interface, NASA and USA discuss these metrics and perform causal analysis to identify the need for corrective action. For critical procedures, USA has implemented a check and balance in the work instruction generation process to increase the procedure quality before it is worked. Additionally, NASA and USA have an initiative to reduce the complexity of work procedures, increase the procedure standardization, and reduce the time for paperwork generation for work not requiring engineering disposition. More importantly, USA is developing, as a high priority, a paperless system.

Specifically, the GroundOperations organization atKSC is implementing anintegrated on-line system thatensures total process rigor andmitigates the potential forhuman error in accomplishingspace flight work. Thissystem incorporatesrecognized "best practices"for authoring work documentsincluding on-line review andapproval, and the ability forauthors to automaticallyupdate and incorporate workdocument deviations.Required checks and balancesare inherent in the system tomaintain the integrity, safety

COLUMBIAACCIDENT INVESTIGATION BOARD

REPORT VOLUME V OCTOBER 2003174

Page 175: NASAhistory.nasa.gov/columbia/Troxell/Columbia Web Site/CAIB... · 2003. 12. 4. · Limited First Printing, October 2003, by the Columbia Accident Investigation Board Subsequent Printing

IndependentAssessmentTeam

(Charteredby)

Date ofReport

Finding Recommendation NASA Response

system incorporatesrecognized "best practices"for authoring work documentsincluding on-line review andapproval, and the ability forauthors to automaticallyupdate and incorporate workdocument deviations.Required checks and balancesare inherent in the system tomaintain the integrity, safetyand quality of both flight andground work performed.Work documents will clarifyuser understanding byincorporating enhancedexplanations with in-linegraphics, sound and videowhere required. The goal ofthis activity is to ensure that aproperly certified person,utilizing the right workinstructions, has safelyaccomplished all requiredwork.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1999

Finding 6: While spares support of the Space Shuttle fleet has been generally satisfactory, repair turnaround times (RTAT) have shown indications of rising. Increased flight rates will exacerbate this problem.

Recommendation 6: Refocus on adequate acquisition of spares and logistic system staffing levels to preclude high RTATs, which contribute to poor reliability and could lead to a mishap.

NASA Response (in 1999 ASAP appendix): NASA concurs with the recommendation. During calendar year 1998, RTAT’s for both the NASA Shuttle Logistics Depot and the original equipment manufacturer fluctuated, but at year’s end, the overall trend was downward through concerted NASA and vendor efforts. These efforts are aimed at providing better support at the current flight rate and for higher flight rates in the future. Logistics is working to find innovative ways to extend the lives of aging line replaceable units (LRUs) and their support/test equipment. Logistics has initiated the Space Council (an industry group with 11 other company executives addressing such topics as verification reduction, ISO compliance, and upgrades) to assure the supplier base continues its outstanding support to the SSP. Examples of LRUs being evaluated and enhanced include: Star Trackers, auxiliary power units, inertial measurement units, multifunction electronic display system (MEDS), Ku-band, orbiter tires, and manned maneuvering units. NASA/KSC Logistics and USA Integrated Logistics have made progress on a long-term supportability tool. The tool will provide information, including historical repair trend data for major LRUs, RTATs, and "what if" scenarios based on manipulation of factors (e.g., flight rate, turnaround times, loss of assets, etc.) to determine their effect on the probability of sufficiency. This will be a tool, not a substitute, for human analytical decision making.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1999

Finding 7: NASA aircraft used for both Space Shuttle operations and astronaut training are increasingly out of date and, in several respects, may be approaching the unsafe. This is noticeably so in the case of the Shuttle Training Aircraft (STA) and the T-38 aircraft.

Recommendation 7: Continue to execute and accelerate as much as possible the current plans for the modernization and safety assessment of astronaut training aircraft.

NASA Response (in 1999 ASAP appendix): NASA believes that the current aircraft used as astronaut training aircraft are maintained in a safe condition. NASA remains committed to safe operation of all the training aircraft. Measures to ensure that the NASA T-38s and STAs used for astronaut training are maintained in a safe configuration and in good material and structural condition are in place.

(lots more T-38 detail omitted)

NASA will continue to evaluate new programs and seek new initiatives to meet the requirements as they evolve, such as adding avionics for compatibility with the future free flight concept in the air traffic control system.

STA: NASA has four STAs and one spare Gulfstream II (GII) that will be modified into an STA when it is either required by the Shuttle flight rate or in the event that one of the four STAs becomes unusable.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1999

Finding 8: The use of simulated Space Shuttle launch and flight operations for training and rehearsal has proven to be an effective technique for enhancing safety and efficiency and is especially valuable in the case of special or rarely performed procedures or after a long hiatus of effort.

Recommendation 8: Simulation-based training should be included in difficult or infrequent Space Shuttle operations whenever feasible. This type of training is especially needed after there has been a significant hiatus in performing an operation.

NASA Response (in 1999 ASAP appendix): NASA concurs with the recommendation. NASA and USA have beneficially increased simulation-based training at KSC. The pursuit of a separate simulation training room and simulation team will allow NASA and USA to further increase the number of simulations that can be performed each flow. Additionally, KSC will use the new collaborative engineering environment to enhance simulation capabilities.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1999

Finding 18: The EVA project lacks sufficient operational assets to meet unplanned contingencies. There are no spare Extravehicular Mobility Units (EMU). Only five U.S. Simplified Aid for EVA Rescue (SAFER) flight units will be available to meet a requirement to maintain three units on orbit. In addition, only four Russian SAFER units are planned.

Recommendation 18: To meet contingencies that are almost certain to arise, additional EMU’s and SAFER units or their critical long lead components should be procured as soon as possible.

NASA Response (in 1999 ASAP appendix): NASA concurs with the ASAP recommendation. With respect to the EMU, the inventory of life support system (LSS) hardware will be 14 (13 Class I and 1 Class II) by October 1999. Exceedances to our supply begin in 2000. In order to achieve a 90 percent probability of sufficiency, NASA must increase its inventory by two LSSs. NASA plans on addressing this issue within the Program Operating Plan (POP) 99. We plan to upgrade the current Class II LSS to Class I and upgrade the certification unit to Class II. This will increase our inventory to 15. NASA also plans to go forward with the recommendation to procure an additional LSS to achieve 16 LSSs.

(lots more LSS detail omitted)

With respect to the USA SAFER, NASA concurs with the ASAP recommendation on obtaining critical long lead components. In fact, the majority of the long lead components have already been procured. These components are expected to support the USA SAFER flight units for their 7-year life. NASA can normally support the requirement to maintain three USA SAFER flight units on orbit with five flight units in service. The current rotation plan utilizes two of the flight units to accommodate rotation of back-to-back missions where the turnaround time is approximately 1 month. With one flight unit out of service, four USA SAFER flight units can be rotated to maintain three units on orbit for 92 percent of the flights per the International Space Station (ISS) assembly sequence dated February 22, 1999. The remaining 8 percent of the flights can also be supported with contingent coordination ahead of time to reduce the turnaround time from approximately 1.5 months to approximately 1 month.

(lots more SAFER detail omitted)


Aerospace Safety Advisory Panel

(NASA Charter)

February 1999

Finding 25: The NASA Standard Initiator (NSI) on a SAFER unit tested on STS-86 on October 1, 1997, did not activate because of a marginal design of the activating power supply. As a result, the unit could not function. The certification testing for the firing circuit did not identify the power supply inadequacy. Also, an inadequate NSI emulator was used for most of the original SAFER certification (qualification) and acceptance tests.

Recommendation 25a: The design and implementation of flight systems critical to safety and mission success should, at least, provide redundancy for system startup.

NASA Response (in 1999 ASAP appendix): NASA concurs with the ASAP finding that the NSI drive circuit of the USA SAFER was marginal in its design to the point where the drive circuit failed to activate the NSI during a demonstration on STS-86. The failure was due to lack of margin within the subsystem to drive the NSI and not due to lack of redundancy (a backup subsystem) to the subsystem. Adding redundancy (a backup subsystem) to drive the NSI would not resolve the lack of margin as both the primary and backup subsystems would still fail to drive the NSI without sufficient margin. This condition was addressed by addition of a new NSI circuit with increased margin to fire the NSI on demand. In addition the new NSI contains redundant components where possible.

The USA SAFER is categorized as emergency hardware and is designed for use only after the EVA crewmember had inadvertently separated from structure due to a tether failure or a tether disconnection. The combination of the tether and USA SAFER provide a functional redundancy to each other and a fail-operational system, which can sustain one failure in the tether (functional after one failure) and still retains the capability to continue with the EVA. A subsequent failure of the tether (two failures) and a functional USA SAFER provide a fail-safe system, which still retains the capability to successfully terminate the mission by using the USA SAFER to bring the inadvertently-separated EVA crewmember back to safety. Once the USA SAFER is needed to perform self-rescue in its role as the fail-safe device, its failure to perform due to any reason would result in loss of the EVA crewmember. Because the USA SAFER is to provide the fail-safe capability, as the functional redundancy to the tether, it was designed as a single-string system. As such, redundancy was not required for all subsystems and components. Adding redundancy to the activation subsystem alone would not increase the probability of saving an inadvertently separated crewmember since other critical subsystems (propulsion and mechanism) are still single-string. NASA will evaluate redesigning the next generation be fully redundant in critical functions.

Recommendation 25b: All NASA Centers should review the design requirements for reliable activation of the NSI and assure they are adequate to be communicated to their suppliers, especially those who are responsible for the design of firing circuits. All designs currently using NSI’s should be reviewed to assure that the firing circuits are adequate and have been appropriately tested.

NASA Response (in 1999 ASAP appendix): NASA agrees with the ASAP recommendation. The new USA SAFER NSI circuit employs the capacitive discharge approach which has been well proven by the SSP. Peer reviews were held to evaluate the new circuit design, and a series of tests were performed with the complete flight circuit. Also, the Engineering Directorate’s Pyrotechnic Subsystem Manager performed a comprehensive review of all known uses of the NSI to ensure an acceptable design existed and that appropriate certification/acceptance tests had been accomplished. Lastly, a User’s Guide (JSC-28596) for the NSI was developed to assist developers in selecting the appropriate NSI, designing the appropriate NSI drive circuit, and testing the complete NSI subsystem.

Recommendation 25c: Qualification tests of safety-critical equipment must use flight-quality hardware. Any exceptions must require high-level program approval.

NASA Response (in 1999 ASAP appendix): NASA concurs with ASAP recommendation to use flight-quality hardware to support qualification testing. The new USA SAFER circuit certification was completed with the successful firing of 15 flight NSIs consecutively.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1999

Finding 29: The Space Shuttle General Purpose Computers (GPC) are outmoded and limit the ability to incorporate necessary software changes and hardware upgrades.

Recommendation 29: NASA should begin the process of replacing the Space Shuttle GPC’s. As part of this effort, NASA should also modularize the flight software.

NASA Response (in 1999 ASAP appendix): The Space Shuttle Program is addressing the finding and recommendation identified by the ASAP. A review of the GPC and its flight software was performed in April 1998. Based on current estimates on GPC mean time between failures, the flight hardware and spares are expected to be available through at least 2016 (and likely significantly later). The flight software estimate on memory availability and usage has projected that memory capacity would be expected to reach its limit in the 2005-2006 timeframe.

A software architecture strategy as part of the overall SSP avionics upgrade effort is being developed which will mitigate the memory capacity concern. This strategy will partition the critical software such as flight control and guidance from software that requires periodic change. The result of this partition would allow those stable software functions like flight control to remain within the current GPC’s while allowing those functions that frequently change to be migrated to a newer computer technology. The offloading of the software functions such as display processing and systems management from the current GPCs should permit current GPC memory capacity to remain acceptable through at least 2020. Additionally the software subject to frequent change would be located within a system, which will be designed to be more easily reconfigurable than the existing system. In summary, a supportability concern does not exist for the current GPCs. Continued use of the existing GPCs and their established processes will maintain high levels of safety. Software partitioning involving the offloading of software functions to a more flexible system will provide sufficient memory availability for future GPC software changes. This approach will provide an evolutionary and a migration path to full GPC upgrade if it is later required.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1999

Finding 30: There is no formal requirement that dependent Space Shuttle I-loads be recalculated or checked when an I-load patch is to be uplinked.

Recommendation 30: NASA should create a dependency matrix of all I-loads. Furthermore, it should assess its Space Shuttle and ISS procedures and ensure that they are all fully documented.

NASA Response (in 1999 ASAP appendix): NASA believes that we already meet the intent of the recommendation. Flight Operations processes and documentation ensures proper I-load change implementation for all flight design I-loads, including uplinkable I-loads. These procedures include positive verification that the selected or uplinked values do not violate subsystem, element, or integrated vehicle certification and that the update meets mission requirements. I-load dependencies are verified as part of the certification assessment.

Procedures for verifying I-loads to be uplinked vary. In some instances uplinked I-loads change vehicle response in a way that impacts several of the remaining I-loads; i.e., Day-of-Launch I-load Update (DOLILU). Those verification assessments include an analysis which uses a high fidelity computer model to simulate integrated vehicle response to the new I-loads. These simulations include models of the onboard flight software of sufficient detail to verify that all applicable I-load interactions are assessed. In other cases, specific I-load dependencies are evaluated. A number of flight design uplinks involve an uplink of values that are generated and verified days or sometimes months before launch. These I-loads include vehicle navigation, targeting, and abort parameters. Verification procedures for these I-loads are identical to that used during the normal flight design template. For all cases, procedures clearly specifying verification requirements including specific I-load dependency evaluations, as applicable, are in place and under configuration control.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1999

Finding 31: Present plans depend on human procedures to achieve lockout to prevent inadvertent or unauthorized access to actual hardware when using the new Checkout and Launch Control System (CLCS).

Recommendation 31: NASA should use a computerized authorization to achieve lockout of commands to actual hardware from anyone not authorized to issue such a command in CLCS.

NASA Response (in 1999 ASAP appendix): NASA concurs with the ASAP recommendation. The CLCS Project will undertake a study with the Shuttle engineering community to determine how these lockouts could be implemented. The results will include a preliminary set of requirements for CLCS and other systems, such as the Shuttle Data Center and Simulation Systems, an operational risk assessment for implementing these changes, and a rough order of magnitude cost assessment for implementing these changes. The study will be completed in a timely manner so that implementation can be accomplished in time to avoid extensive revalidation of CLCS application software. Progress reports will be presented to the ASAP during their CLCS review meetings.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1999

Finding 32: NASA does not have a plan in place to deal with the problem of maintaining the many commercial off-the-shelf (COTS) software development tools used in its programs.

Recommendation 32: NASA should develop a general strategy and provide program wide guidelines for addressing the maintenance of COTS tools.

NASA Response (in 1999 ASAP appendix): NASA concurs with the finding that no program-wide plan exists addressing the maintenance of COTS software development tools. A programmatic action has been assigned to develop the usage requirements for COTS/modified off-the-shelf software including the associated development tools. These guidelines will document maintenance and selection guidelines to be used by all of the applicable program elements.

NASA Office of Safety and Mission Assurance

(NASA Charter)

27 October 1998

The review team could not determine whether or not USA-proposed process improvements will achieve efficiencies necessary, in the time required, to support increased manifest demands in mid-to-late 1999.


NASA Office of Safety and Mission Assurance

(NASA Charter)

27 October 1998

The team noted that opportunities exist to achieve efficiencies in administrative and management processes, which support the core work control/review and change control infrastructure. The strength of USA management leadership and commitment will determine the outcome.

NASA Office of Safety and Mission Assurance

(NASA Charter)

27 October 1998

In any event, NASA management must closely monitor implementation of proposed USA process initiatives to assure that a stable infrastructure, capable of handling sustained higher flight rates, is developed. Flight safety will be assured as long as key ground operations processes remain in place. When the ground operations system becomes saturated it will be important to understand how “people in the process” (human factors) respond.

NASA Office of Safety and Mission Assurance

(NASA Charter)

27 October 1998

Although no objective evidence was found to indicate that the work requirements would have any adverse impact on safety or quality, the KSC/SMA planning process is not sufficiently mature to provide evidence that the increased flight rate can be supported within current workforce ceilings.

It is recommended that the KSC/SMA organization notify the Office of Safety and Mission Assurance when it has completed the critical process definition effort and the workforce analysis planning. At that time a delta assessment will be performed to assess the completeness of the activity.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 1: Operations and processing in accordance with the Space Flight Operations Contract (SFOC) have been satisfactory. Nevertheless, lingering concerns include: the danger of not keeping foremost the overarching goal of safety before schedule before cost; the tendency in a success-oriented environment to overlook the need for continued fostering of frank and open discussion; the press of budget inhibiting the maintenance of a well-trained NASA presence on the work floor; and the difficulty of a continued cooperative search for the most meaningful measures of operations and processing effectiveness.

Recommendation 1a: Both NASA and the SFOC contractor, USA, should reaffirm at frequent intervals the dedication to safety before schedule before cost.

NASA Response (in 1998 ASAP appendix): The Space Shuttle Program concurs with the ASAP affirmation that safety is our first priority. The potential for safety impacts as a result of restructuring and downsizing are recognized by NASA at every level. From the Administrator down there is the communication of and the commitment to the policy that safety is the most important factor to be considered in our execution of the program and that restructuring and downsizing efforts are to recognize this policy and solicit and support a zero tolerance position for safety impacts. The restructuring efforts across the Program in pursuit of efficiencies which might allow downsizing of the workforce consistently stress that such efficiencies must be enabled by identification and implementation of better ways to accomplish the necessary work, or the unanimous agreement that the work is no longer necessary, but that in either case that the safety of the operations are preserved. In the case of the restructuring and downsizing enabled by the SFOC transition of some responsibility and tasks to the contractor, the transition plans for these processes and tasks specifically address the safety implications of the transition.

Additionally, the Program has required the NASA Safety and Mission Assurance (S&MA) organizations to review and concur on the transition plans as an added assurance. Other Program downsizing efforts have similar emphasis embedded in the definition and implementation of their restructuring, and the S&MA organizations are similarly committed as a normal function of their institutional and programmatic oversight to assure this focus is not compromised.

Additionally, the Program priorities of 1) fly safely, 2) meet the manifest, 3) improve mission supportability, and 4) reduce cost are incorporated into almost every facet of planning and communication within both the NASA and contractor execution of the Program. Besides the continuous presentation of these priorities in employee awareness media, the Program highlights their relative order in the formal consideration of design and/or process changes being considered by the various Program control boards. Additionally, these priorities are the focus point for most of the Program management forums such as the Program Management Reviews and SFOC Contract Management Reviews (CMRs). They are specified as the basis for the Program Strategic Plan, as well as the SFOC goals and objectives used by the contractor and NASA to manage and monitor the success of the SFOC. Finally, these priorities are embedded in the SFOC award fee process (which provides for four formal reviews each year). Specifically, the award fee criteria provide for both safety and overall performance gates which, if not met by the contractor, would result in loss of any potential cost reduction share by the contractor.

In summary, NASA and all of the contractors supporting the Space Shuttle Program have always been and remain committed to assuring that safety is of the highest priority in every facet of the Program operation. While downsizing does increase the challenge of management to execute a successful Program, process changes, design modifications, employee skills maintenance, and reorganizations are all part of the management challenges to be faced and resolved, and maintenance of the high level of attention to safety in resolving these challenges is recognized by NASA and the contractors alike as not being subject to compromise.

Recommendation 1b: NASA should develop and promulgate training and career paths leading to qualification for senior NASA Space Shuttle management positions.

NASA Response (in 1998 ASAP appendix): While it is true that the roles for NASA management and technical personnel are being reduced in number and reshaped to focus on the critical areas of anomalies and changes, these roles and the ongoing role of assessing the contractor’s performance against the contract and Program requirements should provide a continued source of trained and capable future NASA senior managers. NASA has an active commitment to development of the skills for senior managers for all functional areas of the Agency, and Space Shuttle Program senior managers are generally products of both their in-line experiences as well as these career development programs. It is anticipated at this time that the roles for NASA personnel and the career development programs which have served NASA well to this point will be sufficient to assure a continuation of highly qualified and capable senior managers in the future. Given the nature of the still evolving definition of the NASA and prime contractor roles and responsibilities for the SFOC operational model, it is reasonable to provide special attention to this concern, and the Program will ensure that specific consideration is given to this concern in the transition plans being developed and implemented by the functional and institutional organizations across the Program.

Recommendation 1c: NASA should continue to ensure that a trained and qualified Government personnel presence is maintained on the work floor.

NASA Response (in 1998 ASAP appendix): NASA/KSC has maintained a physical presence on the work floor since the beginning of the Shuttle Processing Contract and will continue this presence for SFOC, Payload Ground Operations Contract, and Base Operations Contract. NASA engineering, operations, safety, and quality personnel maintain a surveillance and audit presence of overall operations for insight purposes and are formally involved for selected tasks being performed. Presence on the floor monitoring hazardous or safety critical operations has been maintained through the transition to performance based contracting and will be maintained in the future. The frequency and depth of the insight and presence may be adjusted as justified by the results of the contractor’s performance, but the value of these checks and balances has long been recognized by NASA and will be maintained. To a lesser degree, this same floor presence is executed at production sites through Resident Office presence and periodic audit and surveillance activities by NASA Center personnel.


While there is a focused initiative to minimize Government mandatory inspection points (GMIPs) across the Program, it is mutually recognized by NASA and USA that the criticality of some checks and balances in critical processes demands that some small percentage (10–15 percent) will be maintained on the production and processing floors. This presence also supports the desired training and qualification needs for NASA to remain a smart customer. Finally, there are functional roles anticipated for continued NASA participation, such as flight controllers, astronauts, and launch directors which will also provide a significant avenue for NASA skills maintenance in the long-term management model.

Recommendation 1d: NASA and USA should continue to search for, develop, test, and establish the most meaningful measures of operations and processing effectiveness possible.

NASA Response (in 1998 ASAP appendix): Both NASA and USA recognize the value of meaningful measures of the operational and processing effectiveness for the Program and continually strive to evolve and improve on the measures currently in place. The SFOC Performance Measurement System (PMS) has been a significant development project since the beginning of the contract, continues to take shape as the primary repository for the performance metrics which provide management insight into the cost, and technical performance across the complete contract. Once the system is complete and populated with viable metrics, NASA will validate the system. The goal is to complete the validation by the fall of 1998. Key metrics are reviewed quarterly at the SFOC CMR, and individual functional areas such as flight operations and ground processing use these on a continual basis for their management execution and insight. Additional measures are continually developed at the Program level and within individual functional areas to enhance the understanding of performance trends, and when proven to be effective management tools, these metrics roll into the PMS and/or other forums and products used to manage the Program.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 2: The Kennedy Space Center (KSC) has been successfully phasing in the structured surveillance process for safety and quality for some time. The development of metrics using structured surveillance information has lagged data collection.

Recommendation 2: KSC should continue to expand the use of structured surveillance and to focus effort on the development of valid and reliable metrics to assess program performance from structured surveillance results.

NASA Response (in 1998 ASAP appendix): We concur. The development of reliable metrics with which to measure performance of the SFOC in all areas including safety and quality is progressing at KSC. There are several examples of this.

At KSC, NASA Safety has developed a data base for the Space Shuttle Program, revised its surveillance approach, and developed a method by which proper measurements can be evaluated and analyzed in determining safety program management effectiveness and contractual statement of work compliance. These new metrics will enable NASA Safety to more effectively measure contractor performance.


The Quality Surveillance Record data base is currently being modified to clarify the method by which deficiencies and observations are counted and to better define failure codes and other data collected. These changes will increase the reliability of the data used to assess program performance and will be implemented in early July. In the interim, the existing data base has been modified and focuses on surveillance data collection for tasks which GMIPs were deleted through the GMIP reduction efforts. KSC has developed an expanded surveillance system that will provide extensive insight into the contractor’s overall operation by process analysis. The process analysis program was initiated in October 1997, and there are presently 11 Quality Process Analysts working the pilot program at KSC. This system will provide added insight into the contractor’s processes, procedures, and policies.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 3: NASA Safety and Mission Assurance (S&MA) auditors at KSC overseeing operations requiring Self-Contained Atmospheric Protective Ensemble (SCAPE) are not certified for SCAPE.

Recommendation #3: In order to be in a position to conduct valid safety and quality audits of SCAPE operations, NASA should ensure that personnel involved are certified so that, when necessary, they can observe the tasks while they are performed.

NASA Response (in 1998 ASAP appendix): The Space Shuttle Program concurs that safety and quality audits of SCAPE operations be performed. However, KSC’s position is that NASA’s safety and quality personnel monitoring SCAPE tasks will not be exposed to the additional risk of SCAPE operations as personnel can accomplish monitoring tasks by observing and communicating through the audio and video capabilities of the Operational Intercommunication System and operational television (OTV). All SCAPE tasks are conducted on recorded communications channels that are monitored in the control room, and the majority of tasks are observable on the OTV system. NASA quality and safety personnel have performed those audits for several years without being SCAPE certified.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 4: To compensate for skills deficiencies related to staff departures from KSC, both NASA and USA are making extensive use of cross training of personnel, both technicians and engineers. Individuals who have been cross-trained also should have recent “hands-on” experience before they undertake a cross-trained task.

Recommendation 4:

NASA and USA should develop and use valid and reliable measures of the readiness of personnel to take on tasks for which they have been trained but on which they have only limited or episodic experience. The cross-training program could include a regularly scheduled rotation of duties so that the multiply trained individual has the opportunity to employ all of the acquired skills and knowledge at appropriate intervals.

NASA Response (in 1998 ASAP appendix): NASA is in full agreement with the Panel’s position that individuals who have been cross-trained also should have recent hands-on experience before performing tasks. The combined NASA/USA training and certification plan identifies those skills that require hands-on training as part of the certification process. Personnel selected for cross-training are required to be certified to perform other jobs in the same family of skills (i.e., mechanical systems, avionics systems, electrical distribution systems).

With this knowledge base, those identified for cross-training will be required to meet the same training and performance requirements established for the given task. Performance is measured to verify that the individual has obtained the stated objectives of the instructional tool being used. In the case of hands-on training, the employee is required to demonstrate 100% command of the task being performed. The certification process is controlled by the KSC Certification Board, which operates under approved certification procedures. The Certification Board, chaired by the USA S&MA Director at KSC, approves and implements certification/recertification requirements.


Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 5: The reduction of Government Mandatory Inspection Points (GMIP) at KSC has significantly lagged the downsizing of NASA quality personnel responsible for processing these GMIPs. This has resulted in an expanded workload among remaining NASA quality inspectors and made it more difficult to conduct analyses needed to identify further GMIP reductions. There has been a similar reduction of NASA safety inspectors and engineers at KSC without a commensurate reduction in oversight requirements while, at the same time, the addition of new safety audit or insight responsibilities has taken place.

Recommendation 5: Any downsizing of personnel by both NASA and USA should be preceded by the reduction of commensurate workload associated with Space Shuttle processing, such as reduction of GMIPs and NASA safety inspections.

NASA Response (in 1998 ASAP appendix): NASA concurs with the recommended approach of reducing the workload in Space Shuttle processing before proceeding with downsizing NASA and USA personnel; however, we have not been as successful in this area as desired. In the downsizing effort implemented in February 1998, USA experienced an unexpectedly high level of voluntary attrition in certain critical functions - an outcome that was predicted by ASAP members and others. Although USA experienced shortages of critical skills and staffing to minimum levels for short periods of time in selected areas, USA and NASA worked together to overcome these deficits and assure that the scheduled missions through STS-91 were safely executed. This was done by a combination of launch schedule relief, back-filling USA shortages with NASA expertise, and re-hiring technical expertise to train and certify USA staff, thus eliminating shortages in critical skills. Evaluation of GMIPs for potential elimination by process engineering and quality engineering staff continues. It is estimated that approximately 6,000 of the original 22,000 GMIPs will remain in place at the end of this effort. This is a level assessed as commensurate with the current NASA quality inspection workforce. NASA Headquarters Office of Safety and Mission Assurance (OSMA) continues to evaluate the situation at KSC regarding NASA and USA workforce reductions by assessing process efficiencies and workload indicators. Indicators of process effectiveness include overtime rates and first-time quality rates. Although the efforts are not yet complete, OSMA anticipates that as GMIPs are reduced overtime rates for NASA quality inspections will drop. Additionally, if the development of process efficiency initiatives by USA are effective, then, when implemented, OSMA anticipates that USA engineering and technician overtime rates will drop and first-time quality rates, based on NASA surveillance sampling, will increase.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 6: The Super Light Weight Tank (SLWT) has completed its design certification review, and proof tests on the first tank have been satisfactorily passed. The only remaining test to complete certification of the SLWT is the cryogenic loading test that will be run on the first production tank on the launch pad. The diligent attention that has been given to quality control, particularly to material inspection and weld integrity, has made this program successful.

Recommendation 6: NASA should ensure that the current manufacturing and quality control procedures continue to be rigidly adhered to and conscientiously followed in production.

NASA Response (in 1998 ASAP appendix): NASA concurs with this recommendation. MSFC and Lockheed Martin Michoud Space Systems (LMMSS), the External Tank prime contractor, periodically perform a NASA Engineering and Quality Audit (NEQA) which focuses on both the processes and the flight hardware. The audit is conducted by experienced MSFC and LMMSS technical and management personnel and the operators and inspectors that actually utilize those processes. LMMSS also performs internal and supplier audits throughout the year. In addition, on-site MSFC Science and Engineering, Safety and Mission Assurance, and DCMC personnel provide continuous insight and guidance through surveillance and limited oversight activities. Finally, adherence to manufacturing and quality control procedures is one of the primary focuses of the on-site government personnel.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 9: Support of the Space Shuttle fleet with operational spares has been maintained by the effective efforts of the logistics function. While spares support has been adequate for the current flight rate, any increase in flight rate might not be supportable.

Recommendation 9: Although NASA has established programs for dealing with suppliers and bringing additional component overhaul “in house,” efforts in these areas need to be continuously reexamined to speed up the restoration and upgrading of line-replaceable units. Such efforts are especially needed to eliminate “dead” time while units are awaiting restoration.

NASA Response (in 1998 ASAP appendix): The Space Shuttle Program concurs with the ASAP concerns for the availability of line replaceable units (LRUs). Logistics monitors LRU spares posture through the probability of sufficiency calculations within the LRU data system. This system can be programmed to determine spares requirements for various flight rates. At this time, an appreciable increase in flight rate would be required to jeopardize supporting the Space Shuttle Program with most of the current LRUs.

(Lots of detail omitted)

Additionally, through the use of industrial engineering principles and work teams, Logistics has taken action to reduce the NASA Shuttle Logistics Depot (NSLD) backlog and increase output for fiscal year 1998. To date, backlog has decreased 8 percent since October 1 by increasing output. These efforts are aimed at providing better support at the current flight rate but are also the type of efforts that will allow higher flight rates in the future.


Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 10: Transition and development of the logistics tasks for the orbiter and its ground operations under the SFOC are proceeding efficiently and according to plan.

Recommendation 10: NASA and USA should continue the task of management integration of the formerly separate logistics contracts and retain and expand the roles of the experienced logistics specialists therein.

NASA Response (in 1998 ASAP appendix): The Space Shuttle Program concurs with the ASAP philosophy of logistics integration. Integrated Logistics has been successful in integrating Ground Logistics and more recently, Flight Operations Logistics with Orbiter Logistics insight. As new elements are integrated within USA, the sharing of new techniques and best in class practices is occurring. Logistics is recognized as a key member of both the NASA and contractor teams; their input is actively sought on key decisions, and they are members of key decision-making boards and panels.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 11: As reported last year, long-term projections are still suggesting increasing cannibalization rates, increasing component repair turnaround times, and loss of repair capability for the Space Shuttle logistics programs. If the present trend is not arrested, support difficulties may arise in the next 3 or 4 years.

Recommendation 11: NASA and USA should reexamine and take action to reverse the more worrying trends highlighted by the statistical trend data.

NASA Response (in 1998 ASAP appendix): The Space Shuttle Program has recognized the concerns for long-term supportability and is proactively pursuing improvements. Cannibalizations continue to be closely monitored and are well within limits. There have been several concerns during this past year (seals and cryo heater controllers) that are requiring the adjustment of sparing levels. The Logistics organization is aggressively pursuing a solution to specific problems as well as pursuing innovations to keep the rate below the standard.

As mentioned in the response to Finding #9, the NSLD backlog is now decreasing as a result of USA action. This should ultimately reduce the repair turn around time for hardware although short term increases can be expected. Other initiatives such as the replacement of unserviceable test equipment at vendors are also in progress. Logistics and Engineering are developing common tools to integrate upgrade actions, resolve supportability issues, and mitigate the loss of repair capability. The Problem Resolution Teams have increased the interfaces with Logistics, Engineering, and management to ensure a proactive and integrated effort in identifying problem areas and identifying solutions. Numerous initiatives are under way.

Finally, NASA has funded through Space Shuttle upgrades the prototyping of a new expert logistics system which shows promise in ranking issues according to severity. This data might then be used to assure that limited funding available is used as economically and wisely as possible in order to minimize risk in the most vulnerable areas.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1998

Finding 19: The Checkout and Launch Control System (CLCS) program at KSC has not been provided with funding for Independent Verification and Validation (IV&V) that is safety critical for a software effort of this size.

Recommendation 19: The CLCS should be provided with adequate funding for software IV&V.

NASA Response (in 1998 ASAP appendix): KSC concurs with the ASAP recommendation relative to IV&V funding for the CLCS Project. A Memorandum of Agreement (MOA) was signed on May 5, 1998, between the Software IV&V Facility and KSC, for the performance application of IV&V techniques and methods to the CLCS software. The scope of this memorandum will include performing IV&V on selected catastrophic/critical/high risk CLCS software components. The selected software components will consist of CLCS system software. The specific areas to be analyzed will be system redundancy, command support, data distribution and processing, constraint management, and the safing system related software. The software related to safing includes the Emergency Safing System and those control logic modules associated with safing (some of which may reside within application software). The analysis will consist of requirements, design, code, and test analysis, as applicable for the life cycle of the software being analyzed. The application interfaces with the system software will also be analyzed.

In addition, the IV&V Facility will perform system level analysis of the system test plan and system tests performed along with software engineering and integration analysis of the CLCS system as a whole.

This MOA is effective from May 1, 1998, until September 30, 2000. The work identified in this MOA will require a staffing level of about 16 full time equivalents (FTEs). This staffing level will be comprised of 15 FTEs from the IV&V contractor located at the IV&V Facility and at KSC. The remaining one FTE will be a civil service personnel. Staffing at KSC will be comprised of eight contractor FTEs with the remainder residing at the Fairmont Facility. The Space Shuttle Program has agreed to fund this effort at $4.5M over the life of the MOA.


Aerospace Safety Advisory Panel

(NASA Charter)

February 1997

Finding 1: One consequence of the implementation of the Space Flight Operations Contract (SFOC) is a reduction in opportunities for NASA personnel to maintain detailed, day-to-day work floor interfaces with their contractor counterparts both at space flight centers and major contractor facilities. This could compromise NASA’s ability to carry out its assessment function.

Recommendation 1: In order to carry out its assessment role, NASA must maintain some physical presence on the work floor at the space flight centers and major contractor facilities. NASA must ensure that the people staffing these surveillance positions are and continue to be appropriately skilled, thoroughly knowledgeable about the Space Shuttle, and sufficiently experienced with both the subsystem they oversee and the total Space Shuttle system.

NASA Response (in 1997 ASAP appendix): NASA concurs with the finding and is sensitive to the need to maintain a skilled and capable workforce in both the management and technical functions necessary for Space Shuttle program (SSP) success, and the Agency will work with the contractor in establishing the eventual organizational roles and responsibilities to assure that success. The transition process will be managed at a pace to ensure that necessary skills are maintained within the Government/contractor workforce.

The assessment function that NASA will perform in the future Shuttle operations architecture will require the maintenance of a solid skill base within the Agency. NASA will retain the capability to review all anomalies in operations and system performance, as well as all changes to operations and to systems. NASA’s role in requirements control will also provide continuous exposure to designs and operations within the program. The participation of NASA engineering and management in the development of Shuttle upgrades will provide further opportunity for the maintenance of an inherent skill base. Finally, there will be functional roles for NASA personnel, such as astronauts, flight controllers, and mission directors, that will provide an avenue for skills development and maintenance.


Aerospace Safety Advisory Panel

(NASA Charter)

February 1997

Finding 2: It is not clear how NASA Space Shuttle supervisory personnel will be trained and acquire the experience levels necessary to function effectively in senior management positions when the SFOC is fully implemented and the traditional learning ladder positions are staffed by the contractor.

Recommendation #2: NASA should develop and promulgate training and career paths leading to preparation and qualification as potential senior NASA Space Shuttle management.

NASA Response (in 1997 ASAP appendix): NASA has an active commitment to the development of the skills of senior managers for all functional areas of the Agency. Space Shuttle program senior managers are generally products of both their in-line experiences as well as the NASA career development programs. It is anticipated at this time that the roles for NASA personnel and the career development programs that have served NASA well to this point will be sufficient to assure a continuation of highly qualified and capable senior managers in the future. Given the evolving nature of the NASA and prime contractor roles and responsibilities for the SFOC operational model, it is reasonable to focus special attention on this issue; the program will ensure that specific consideration is given to management development in the transition plans being developed and implemented across the program.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1997

Finding 3: No objective measure has yet been developed, or is likely possible, that can shed significant light on the impact of downsizing on the safety of Space Shuttle operations.

Recommendation 3: In the absence of a valid predictive safety metric, NASA should ensure that all functions affected by downsizing and necessary for safe operations are assigned to people who have the knowledge, skills, and time to carry them out.

NASA Response (in 1997 ASAP appendix): NASA concurs; all of the contractors supporting the Space Shuttle program remain committed to assuring that safety is the highest priority in every facet of the program. The program recognizes the concerns that downsizing may raise, and it will assure that knowledgeable and skilled individuals are assigned to all critical Shuttle functions, including those being downsized. The plans for the transition of processes and tasks under the SFOC specifically address the safety implications of the transition. As an added assurance, the Shuttle program has required that the NASA Safety and Mission Assurance (SMA) organizations review and concur on the transition plans. Other program downsizing efforts have a similar emphasis on safety embedded in them, and both program management and the SMA management are committed to assure that this focus is not compromised.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 4: Post-flight discovery of a wrench and an equipment nameplate in the forward skirt of one STS-79 Solid Rocket Booster (SRB) has heightened concern for the overall integrity of Space Shuttle processing quality assurance procedures.

Recommendation 4: NASA, in concert with the several Space Shuttle contractors, should conduct an in-depth review of Space Shuttle processing quality assurance procedures focused on creating a more formal, documented approach to accounting for tools and other material introduced to and removed from flight hardware work areas.

NASA Response (in 1997 ASAP appendix): The Space Shuttle program element contractors presented their tool control programs to the Space Shuttle System Safety Review Panel (SSRP) meeting in December 1996. The SSRP reviewed the tool control programs of all the contractors and determined that each of the tool programs was effective for the type of work performed. The SSRP recommended that tool accounting audits be maintained or increased, and that metrics be maintained to assure that each tool control program remains effective. In a letter dated March 20, 1997, the Space Shuttle Systems Integration Office confirmed that NSTS 07700, “Space Shuttle Program Definition and Requirements,” requires tool control for only the launch and landing project, and recommended that Volume XI of NSTS 0770 be expanded to include tool control at the manufacturing facilities. A change request to NSTS 07700, Volume XI, adding the program requirement to include tool control at the element manufacturing facilities, was approved by the Program Requirements Control Board (PRCB) on July 10, 1997.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 5: NASA plans to operate the Space Shuttle until at least 2012. This will require safety and operational upgrades to hardware, software, and logistics support.

Recommendation 5: NASA should complete Space Shuttle upgrades as soon as possible to take advantage of opportunities for earliest risk reduction and operational improvement.

NASA Response (in 1997 ASAP appendix): The SSP upgrade strategy is founded on the premise that safety, reliability, and supportability improvements must be made to support human space transportation until a suitable replacement is available. To manage and focus these efforts more effectively, the SSP established the Office of SSP Development on January 16, 1997. The Space Shuttle upgrades program is being implemented from a systems perspective. Upgrades will be integrated and prioritized across all flight and ground systems, ensuring that individual upgrades are compatible and that their impact is assessed across the entire program.

A phased approach to the SSP upgrades is already underway. Phase I, to be completed by the year 2000, emphasizes safety and performance enhancements for the International Space Station (ISS) assembly and utilization. Ongoing efforts within all SSP elements are also under way to identify Phase II candidate and Phase III/IV studies. Primary emphasis remains on safety and risk reduction by improving reliability and maintainability, eliminating obsolescent components, and improving vehicle performance. As those upgrade candidates are identified by the program elements, the SSP is committed to expediting implementation to maximize safety and reduce overall program risk.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 6: The orbiter Reaction Control System (RCS) thruster valves continue to leak in flight. NASA has aggressively attacked this problem with some success. Procedural changes have improved thruster reliability, and the incidence of leakage has been reduced but not eliminated.

Recommendation 6: Continued attention must be focused on the elimination of the root causes of RCS valve leakage/failures.

NASA Response (in 1997 ASAP appendix): Several remedial actions have been and are being implemented as a result of a 1995 tiger team investigation into the causes of RCS valve leakage/failure. This has resulted in many procedural changes and several potential hardware improvement concepts. The procedural changes are reducing the number of in-flight thruster valve failures. Many of the hardware improvements are entering a development testing phase. Examples of procedure and hardware changes include:

(examples omitted)

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 7: A new gas generator valve module for the Improved Auxiliary Power Unit (IAPU) is currently entering the process of certification. When fully certified, the IAPU with this new valve is planned to be qualified for 75 hours of operation between scheduled teardowns and overhauls (in excess of 10 years at projected use rates).

Recommendation 7: Once certification is achieved for 75 hours of IAPU operation, NASA should establish a periodic inspection and test program to assure that IAPUs continue to perform in accordance with requirements throughout their service life.

NASA Response (in 1997 ASAP appendix): An IAPU maintenance plan is being developed by the NASA and contractor technical community. Current activity is focused on developing a maintenance specification, evaluating long-term life of elastomeric components, and organizing a parts tracking/usage database. At the conclusion of this effort in late FY 1997, a long-term maintenance plan will be baselined for implementation. Supplementing this to provide long-term service life information is a fleet leader test program at WSTF. The WSTF program is currently scheduled to conclude in FY 1999 and is to demonstrate 75-hour run time and evaluate 10+ year teardown and overhaul time.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 8: The Space Shuttle is about to receive two major avionics upgrades - a triple redundant Global Positioning System (GPS) installation and the Multi-Function Electronic Display System (MEDS) - both of which require significant changes to the Primary Flight Software (PFS) and Backup Flight Software (BFS) systems.

Recommendation #8: The Space Shuttle program should ensure that both the GPS and MEDS software changes are thoroughly tested in the Shuttle Avionics Integration Laboratory (SAIL) using the normal and enhanced test protocols that have proved to be robust when testing major modifications.

NASA Response (in 1997 ASAP appendix): The SSP concurs that all software and hardware changes need thorough testing, and it recognizes the extremely important role that SAIL testing fulfills in the complement of testing for software certification. All Shuttle software or hardware upgrades are assessed to determine integrated verification test requirements. The SSP and its contractors cooperate to produce integrated hardware and software test implementation plans, test requirements documents, and integrated test schedules to assure that the required resources, including SAIL, are available. All these plans are reviewed and approved by the program. Thorough testing of each new capability is then performed and analyzed. This same rigorous process that is used for flight software Operational Increment (OI) updates will be applied to the MEDS, GPS, other Shuttle upgrades, and future software updates.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 9: The Multi-Function Electronic Display System (MEDS) in the orbiter is being implemented with display functions and formats that mimic the present electro-mechanical and cathode ray tube presentations. There are significant potential safety and operational benefits from enhancing the amount, type, and format of information shown on the MEDS displays.

Recommendation 9: The Space Shuttle program should commit to a significantly enhanced MEDS display as soon as possible. The MEDS advanced display working group or a similar multidisciplinary team should be tasked with identifying specific modifications and an associated timetable so that the opportunities inherent in MEDS can be realized.

NASA Response (in 1997 ASAP appendix): The SSP has established an enhanced MEDS program that includes hardware and software enhancements to take full advantage of MEDS capabilities. This includes hardware expansion as well as utilization of inherent MEDS capabilities to provide better displays and improve crew situational awareness. Additionally, an SSP Cockpit Upgrade Team is being formed to develop advanced display and application concepts for future implementation into MEDS/enhanced MEDS/future avionics upgrades capability. The Cockpit Upgrade Team will also participate in avionics upgrades discussions in order to anticipate future hardware and software changes and develop advanced cockpit applications to further improve crew awareness and reduce crew training requirements. Initial testing of new applications for enhanced MEDS will begin in June 1997.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 10: The Block II SSME development program has proceeded well, except for the Alternate Turbopump Program High Pressure Fuel Turbopump (ATP HPFTP). The HPFTP has suffered significant failures in testing, which were traced to shortcomings in hardware design details. Corrective actions have been implemented on the HPFTP. Block II engine testing has resumed for this major safety improvement.

Recommendation 10: Continue the development and certification test programs as originally planned. Accumulate the specified test operating times for the modified ATP HPFTP, and employ the number of test pumps as per the original test plan.

NASA Response (in 1997 ASAP appendix): The SSME project is committed to meet the original development and certification plan requirements. The schedule for certification has been adjusted to accommodate comprehensive resolution of the development problems. Scheduled completion of certification testing is now February 1998. As originally planned, the total “hot-fire time” for development and certification will exceed 60,000 seconds, utilizing eight HPFTP units. Certification will be based on two units with 22 tests each, and “hot-fire time” of 11,000 seconds per pump or 22,000 seconds total certification time.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 11: The schedule for the first flight of the Block II engine has slipped, from September 1997 to December 1997. This schedule is optimistic and contains no slack for future development problems. The schedule also requires continued availability of three test stands at the Stennis Space Center (SSC).

Recommendation 11: Maintain the full scope of the planned test programs. Assure the availability of test stand A-2 at SSC for as long as it is needed for the Block II engine test programs so that three test stands continue to be available.

NASA Response (in 1997 ASAP appendix): The development and certification test programs will be maintained as originally planned. Test stand availability has been coordinated with other program test requirements to support completion of Block II HPFTP certification testing in February 1998. Three test stands are required only until July 1997 to support this schedule. A mid-May milestone to initiate construction authorization for the July reconfiguration of Test Stand A-1 for X-33 testing will be reassessed based on fuel pump development status at that time. The other two test stands will remain dedicated to SSME testing. After test stand modification, conversion back to SSME test configuration would take approximately 1 month. The first flight of the Block II configuration has been reassigned to STS-91, currently scheduled for May 1998.

Due to the development problems with the ATP HPFTP and the associated schedule slips, the SSP has elected to certify an interim Block II configuration, designated Block IIA. Block IIA will consist of Rocketdyne’s current HPFTP in conjunction with the other Block II components and will provide the safety and reliability benefits of the large throat main combustion chamber at the earliest opportunity. This configuration will be certified to fly nominal missions at 104% to 104.5% rated power level (RPL) and will maintain the current 109% RPL contingency abort capability.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 12: The Block II engine will be certified for operation at 109% power level only for abort situations. Accordingly, the test program provides only limited cumulative test time at this thrust level.

Recommendation 12: After completion of the current planned Block II certification test program, conduct a certification extension test program that will demonstrate the highest thrust level for safe continuous operation achievable by the Block II configuration. This program should attempt to achieve at least the 109% power level.

NASA Response (in 1997 ASAP appendix): The Block II program was developed to “improve the safety, reliability, and robustness of the SSME” by providing lower operating temperatures, pressures, shaft speeds, and other critical parameters. An increase in operating power level from 104% to 104.5% will offset some of the weight gain of Block II. The Block II SSME was never intended to increase Space Shuttle ascent performance or increase payload capability to orbit. However, additional performance has been accepted for a few specific missions at the cost of some of the improved safety margin. There is a commitment that the ISS flights will provide 106% engine power level certification to achieve mandatory critical payloads to orbit. The Block II certification will also provide a 109% intact abort capability, which will allow the vehicle system to better optimize abort scenarios. Implementation recommendations for use of 109% throttle for intact aborts will be made by the Shuttle operations element once certification is complete.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 13: Changes in the Pressure Sensitive Adhesive (PSA) and the cleaning agent for the J-flap of the RSRM were driven by environmental regulations. The certification testing for these changes included a Flight Support Motor (FSM) firing without the application of side loads, a significant condition for RSRM field joints for which the J-flap plays a role.

Recommendation 13: Employ the application of side loads in all future RSRM FSM firings.

NASA Response (in 1997 ASAP appendix): The SSP and RSRM project agree with this recommendation when aft field joint test objectives warrant inclusion on an FSM test motor. During Space Shuttle return-to-flight RSRM redesign, the assessment of strut loading on the solid rocket motors concluded that the only influence was at the aft field joint. The influence on the aft field joint gap openings was predicted to be less than 0.001 inch, roughly an order of magnitude less than the contribution of the internal motor pressures. Side loads were included on two RSRM static test motors (QM-7 and -8) in a comprehensive effort to include every element of flight loading influencing the aft field joint gap openings. Joint gap openings were not measured directly, but the sealing systems performed as expected. Gap openings were measured on the RSRM structural test article-3, where testing showed side loads influence to be less than 0.0005 inch out of a total of 0.0084 inch for aft field joints only.

The consideration to include side loads on all future tests would not come without technical penalty. To accommodate the side load forces, the aft test stand must be locked out, and as such, no thrust measurements are obtained. Also, no thrust vector control (TVC) duty cycling is performed during the side load events, which requires modification to the baseline static test duty cycle; for certain test objectives, this is an important requirement consideration. This baseline TVC duty cycle is utilized to allow direct performance comparisons between static tests, primarily associated with nozzle and aft dome materials or components. Therefore, a generic inclusion of side loads on all future FSM tests would require elimination of other test considerations, which, depending on specific test objectives, might be a qualification necessity.

In conclusion, the RSRM static test policy includes side loads on full-scale static test motors where there are test objectives associated with the aft field joints, which could be influenced by side loads.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 14: There are many material and process changes in work for the RSRM in response to both environmental regulations and obsolescence issues. A vital part of the certification program for these changes is the demonstration of the acceptability of the changes during an FSM firing. At present, FSM firings are scheduled at 2-year intervals instead of the 1-year or 18-month intervals previously used.

Recommendation 14: Considering the large number of changes in RSRM materials and processes and the importance of proper simulation of operating conditions in any certification test program, NASA should re-evaluate its decision to have 2 years between FSM firings.

NASA Response (in 1997 ASAP appendix): The RSRM project presented an assessment of static test motor frequency to the PRCB on February 27, 1997, and recommended static tests at 1-year intervals. The recommendation was accepted by the PRCB. An initiative is under way to ensure that the maximum possible benefit is obtained from each test.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 15: A substantial program effort is underway to eliminate the asbestos used in RSRM manufacture and replace it with more environmentally acceptable (i.e., “asbestos-free”) materials. Although some of the materials tested to date meet specifications, they do not provide as high structural and thermal margins as the asbestos-containing materials.

Recommendation 15: To maintain flight safety, NASA should not eliminate the use of asbestos in RSRM manufacture. An environmental waiver should be obtained to continue its use in RSRM insulation, liners, inhibitors, and other motor parts in the event of future regulatory threat to the asbestos supplier.

NASA Response (in 1997 ASAP appendix): NASA currently has no plan to introduce nonasbestos-based replacements for asbestos-based components in RSRM production. The RSRM production and flight history are baselined with asbestos-based materials, primarily NBR rubber. Asbestos is also a constituent of liner and adhesives. The production, handling, and disposal processes for these materials are performed in compliance with strict state, Federal, and local controls and regulations regarding asbestos material. There are no currently identified regulations to ban production or use of asbestos materials in the RSRM supply chain. Because there is no existing or pending regulation, pursuit of waivers or exemptions is not applicable at this time.

NASA considers it prudent to continue low-level development of possible alternative nonasbestos materials. This reflects NASA’s sensitivity to the environment, worker safety and health issues, and the fact that the shelf life of these materials precludes the option to stockpile. This development effort is being carried out to provide limited contingency development at a routine pace. The recommendations by both the ASAP and the RSRM initiatives to find alternative materials are consistent with program policy documented in SSP letter MS 96-071, dated September 16, 1996. The policy seeks to balance flight safety and environmental protection goals.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 16: The 2195 aluminum-lithium alloy used in the tank walls and domes of the new Super Light Weight Tank (SLWT) has a lower fracture toughness at cryogenic temperatures than was anticipated in the design. To compensate for this potentially critical shortcoming, NASA has limited the pressure used in the full tank proof test and has recognized that acceptance of each SLWT for flight is highly dependent on far more stringent quality control of the materials and processes used to manufacture the SLWT than is required for the current external tanks.

Recommendation 16a: Assure that the acceptance tests of the 2195 material and the quality control procedures used in the manufacture of each SLWT continue to be sufficiently stringent, clearly specified, conscientiously adhered to, and their use unambiguously documented.

NASA Response (in 1997 ASAP appendix): The SSP and Marshall Space Flight Center (MSFC) will continue to ensure that material acceptance testing and the quality control procedures used in the manufacturing of SLWTs are of a sufficient quality to validate that each tank is fully in compliance with all program requirements and is safe to fly.

Recommendation 16b: The criticality of these quality control operations makes it mandatory for NASA to retain buyoff of the results of those fabrication operations and tests that are essential in determining SLWT safety.

NASA Response (in 1997 ASAP appendix): The SSP and MSFC will retain NASA approval of the quality control program and changes to that baseline.

Recommendation 16c: As quality control data on the size of flaws detected in 2195 aluminum-lithium material are collected, they should be used in an updated analysis of the SLWT structure, because it may permit the verifiable spread between flight limit stress and proof stress to be raised above that presently reported.

NASA Response (in 1997 ASAP appendix): The simulated service database has been developed from data collected on fracture specimens with flaws that are 0.175 inch long. The data verify a 2.9% positive spread between the flight and proof-test conditions. Using the demonstrated flaw detectability level for our nondestructive evaluation dye penetrant process (0.086 inch long) would increase the spread to approximately 14%. Because of uncertainties, it is NASA’s standard policy to use a factor of two on our flaw detectability limit. This methodology provides the proper risk allocation between the nondestructive evaluation capability and proof-test levels. The use of a flaw size of 0.175 inch for the simulated service tests is conservative for the SLWT.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 17: Transition of logistics functions under Phase 1 of the Space Flight Operations Contract (SFOC) appears to be taking place smoothly. Key personnel are maintaining continuity in management techniques and processes.

Recommendation 17: Continue adherence to established systems, and make maximum use of the inherent capability of the incumbent personnel in the logistics systems.

NASA Response (in 1997 ASAP appendix): NASA concurs. The established NASA Logistics Operations continues to monitor the established logistics systems and enhance others in order to maintain insight into the logistics activity. Both the SFOC contractor and NASA Logistics Organization have retained incumbent key personnel with critical logistics skills to minimize the transitional risks and continue to support the SSP.

Currently, the SFOC contractor is studying the horizontal consolidation of like functions and processes. NASA Logistics Operations will monitor the contractor’s progress to assure that the logistics systems resulting from this consolidation will be capable, effective, efficient, and, above all, not adversely impacting the safety of operations.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 18: Long-term projections suggest increasing cannibalization rates, component repair turnaround times, and loss of repair capability for the Space Shuttle logistics and support programs.

Recommendation 18: Take early remedial action to control this potential situation, such as maintaining sufficient spares and extending repair and overhaul capability.

NASA Response (in 1997 ASAP appendix): NASA is closely monitoring logistics trends. The areas of emphasis stress long-term logistics support indicators, specifically backlog and repair turnaround. While an increase in repair turnaround time has been noted, vehicle support remains at the same high level. Budget reductions in past years have meant that fewer spares have been produced and less repairs were performed, but NASA and the contractor will continue to manage the process to maintain acceptable levels of support. Presently, logistics performance measurement data do not indicate any adverse trends in cannibalization rates. NASA has directed SFOC management to maintain an emphasis on logistics supportability during the transition of all contract responsibilities. The SFOC contractor has been directed to maintain key personnel with critical logistics skills to minimize transitional risks and provide continuity to Shuttle logistics support. In addition, SFOC is required to develop and submit original equipment manufacturer (OEM) contingency plans for responding to known and potential support issues at affected OEMs. All known supportability threats are tracked and evaluated to determine the associated risk and required actions for resolution. The SFOC has the appropriate processes in place to both monitor and respond to loss of subcontractor capability. The NASA Shuttle Logistics Depot (NSLD) has been certified to make some repairs where there has been a loss of critical supplier capability. The SFOC is also considering consolidating similar work at one vendor so that the NSLD is not the only repair agent.

Finding 19: Obsolescence of components and systems on the Space Shuttle is an increasing problem threatening critical spares availability.

Recommendation 19: Alternative components must be developed and certified, and, where necessary, systems must be redesigned to use available or adaptable units.

NASA Response (in 1997 ASAP appendix): NASA continues to identify and coordinate obsolescence issues concerning hardware, special test equipment, vendor capability, and environmental restrictions with the appropriate design center. Each issue is evaluated for logistics impacts, and this information is communicated to or within the design center so that appropriate action can be taken to initiate any required redesigns, modifications, or enhancements.

A Kennedy Space Center (KSC) logistics priority list is maintained to communicate logistics’ top concerns to design center management. While obsolescence will continue, a team approach to problem identification, prioritization, and resolution appears to be providing effective problem resolution. Additionally, the Shuttle upgrade program is designed to assure that potential problem areas are addressed so as to preclude disruption in meeting manifest requirements.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 27: NASA’s Agency-wide software safety policy allows projects latitude to tailor their software safety plan for safety-critical software. It does not, however, require projects to obtain center Safety and Mission Assurance (S&MA) approval of the tailored software safety plans nor does it require Verification and Validation (V&V) per se. While the software assurance standard does mention V&V, it does not require any independence of V&V for safety-critical software.

Recommendation 27a: NASA should require approval of a project’s tailored software safety plan by both the center S&MA organization and by one administrative level higher than that making the request.

NASA Response (in 1997 ASAP appendix): NASA agrees with the intent of this recommendation but believes the requirements for formal system safety program plans and software management plans exist and, with proper and firm enforcement, fulfill the objective of this recommendation. To be sure that these requirements are perfectly understood, the Office of Safety and Mission Assurance (OSMA) will update NSS 1740.13, “NASA Software Safety Standard,” to explicitly state that the program/project manager for programs/projects perform an assessment to determine, based on the level of criticality and risk, the scope and level of Independent Verification and Validation (IV&V) to be planned.

The results of the assessment will be formally reviewed by Center Safety and Mission Assurance (SMA). The program/project manager, in consultation with SMA, will tailor an approach to ensure that the appropriate V&V requirements are established and implemented. The OSMA will place more emphasis on the implementation and enforcement of these existing requirements. Process verification, recently established in the OSMA, will be used to evaluate and enforce these existing policy and requirements more aggressively.

NASA is committed to assuring that required program management plans and any subordinate plans such as software or safety management plans cover the essential requirements for programs where warranted by cost, size, complexity, lifespan, risk, and consequence of failure. Additional changes are being incorporated into NPG 7120.5, “NASA Program/Project Management Guide” (currently under development), to ensure that necessary and sufficient requirements will be fulfilled for programs having software vulnerabilities. SMA organizations at each level are to be a party to these decisions and are to intervene where necessary to assure that proper and clearly documented decisions are made by the appropriate level of management. The Program Management Councils could play a role in adjudicating any issues with the content of program management plans.

Aerospace Safety Advisory Panel (NASA Charter), February 1997

Finding 28: NASA has put considerable effort into the reorganization of its software activities and has made significant progress. It does not yet, however, have a comprehensive, clear set of roles and responsibilities for various groups within the Agency with respect to software development, safety, V&V, and software process development.

Recommendation 28: NASA should ensure that there is a clear, universally well-understood, widely promulgated, and enforced NASA Policy Directive on the roles and responsibilities of its various organizations vis-a-vis software development and safety. Moreover, that Policy Directive should specify organizational roles and responsibilities solely on the basis of technical and administrative capability.

NASA Response (in 1997 ASAP appendix): NASA agrees with the recommendation. The July 1996 (draft) program plan for the Fairmont (IV&V) Facility is the contract between Code Q and the Facility and will be updated for future funding and delegation of the software assurance program. NASA concurs that the draft plan now contains ambiguities but will be clarified in the next update. The IV&V Facility’s reporting structure will be finalized in the upcoming proposed Ames Research Center reorganization. It is anticipated that the IV&V Facility will be moved from under the direction of Code I at Ames and installed as the equivalent of a Directorate in the new ARC organization.

The IV&V Facility Business Plan currently defines the roles and responsibilities of the IV&V Facility. NASA Headquarters will establish and document at the policy level the roles in the Agency for all software, including embedded and flight system software. The policies document will explain how the roles and responsibilities of the Agency-wide software efforts mentioned in the finding (e.g., CIO, COE-IT, IV&V Facility) fit together in a synergistic manner within the Agency.

The new NPD 2820 will define Agency policy for program/project utilization of the IV&V Facility. The Chief Information Officer, the Chief Engineer’s Office, the Office of Safety and Mission Assurance, and the Software Working Group will be responsible for increasing Agency awareness of all the software-related resources, policies, and existing standards. The newly implemented Code Q process verification activity will validate Agency project managers’ awareness of software assurance policy and procedures for compliance in software development efforts.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 1: Cutbacks in government and contractor personnel and other resources at the Kennedy Space Center (KSC) and the planned transition of tasks from government to contractor workers will create a new mode of Space Shuttle operations. Those involved in day-to-day Shuttle operations and management are in the best position to determine how to maintain the stated program priorities - fly safely, meet the manifest and reduce costs, in that order.

Recommendation 1: Additional reductions in staff and operations functions should be accomplished cautiously and with appropriate inputs from the KSC NASA/contractor team itself.

NASA Response (in 1996 ASAP appendix): KSC operations continue to focus on the program goals of flying safely, meeting the manifest, and reducing costs, with flying safely being paramount. Teamwork between NASA and its contractors has enabled us to meet program challenges in the past, and we will rely on that same teamwork to meet the challenges of the Space Flight Operations Contract (SFOC) transition. Reductions in personnel will be proportional to requirement reductions as opposed to budget reductions. Requirements reductions which will reduce work content should come from the program as well as efficiencies which are originated at KSC. KSC plans to use a phased methodology to control change and risk. In a partnering relationship, NASA and United Space Alliance (USA) will jointly plan change, implement change, then stabilize and assess the results before making further changes. “Partnering” provides NASA visibility and management insight into the transition process and ensures desired levels of safety and quality are maintained. By implementing a disciplined transfer of mature systems, proven procedures, and experienced personnel into SFOC, we feel that we can accomplish a seamless transition without disturbing the infrastructure that has made this program such a success.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 2: Obsolescence of Space Shuttle components is a serious operational problem with the potential to impact safety. Many original equipment manufacturers are discontinuing support of their components. NASA is, therefore, faced with increasing logistics and supply problems.

Recommendation 2: NASA should support augmenting the current comprehensive logistics and supply system so that it is capable of meeting Space Shuttle Program needs in spite of increasing obsolescence.

NASA Response (in 1996 ASAP appendix): NASA concurs with the finding that current tracking and control systems are providing timely information to deal with logistics problems. With regards to the specific need for better visibility into the subject of obsolescence, it was with that concern in mind that the Safety and Obsolescence (S&O) activity was established as a process for identifying and responding to trends indicative of aging and to identify areas where replacement parts may no longer be available.

The S&O process baselined in NSTS 08198 provides a rigorous prioritization approach which factors in the criticality of the systems and nonsafety related risks involved with Shuttle flight and ground processing hardware. This process identifies the most serious problems and generates data used to support requests to program management for correction of the identified concerns.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 3: The Return to Launch Site (RTLS) abort maneuver is one of the highest risk off-nominal Space Shuttle flight procedures. A Space Shuttle Main Engine (SSME) shutdown leading to an intact abort is more likely than a catastrophic engine failure. Exposure of an ascending Space Shuttle to the risk of performing the demanding RTLS maneuver might be significantly minimized by operating the Block II SSME at higher thrust levels at appropriate times. Certification of alternative Space Shuttle landing approaches for use during contingency aborts and installation of Global Positioning System (GPS) could also contribute to the minimization of RTLS risk (see Finding #5).

Recommendation 3: NASA should pursue with vigor efforts to minimize Space Shuttle exposure to the RTLS maneuver through all available means.

NASA Response (in 1996 ASAP appendix): NASA has and will continue to increase the reliability of the hardware to decrease the probability of any abort and to make operational trades to balance the risks between the available abort modes. The RTLS abort mode is fully certified and has been a requirement throughout the design and certification of the vehicle. Options to improve abort capability, such as increased SSME throttling or utilization of GPS to increase operating flexibility, are continually evaluated.

A decision for certifying the Block II SSME intact throttle to 109 percent is scheduled for late 1996. Routinely operating at higher thrust settings may add additional risk, which needs to be evaluated versus RTLS exposure. A review of the GPS implementation schedule is under way. Single-string GPS is in development for three vehicles to gather flight test experience. Software development for three-string GPS is also currently in work. As development and flight testing continues, the GPS contribution to minimizing RTLS risk will be assessed. While the RTLS intact abort mode is certified and is considered to be acceptable, however, improvements to decrease the risks of RTLS will continue to be evaluated. Each flight is designed to meet RTLS constraints, and operational considerations are continually reviewed to ensure that the proper trades are being made to balance risks. While many alternatives have been considered, none can eliminate the requirement for RTLS capability, and, to date, all are predicted to have risk greater than that associated with the current certified abort modes.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 4: The Range Safety System (RSS) destruct charges have been removed from the liquid hydrogen tank of the External Tank (ET). The risk studies, which supported this removal, also suggested that the RSS charges had to be retained on the Liquid Oxygen (LOX) tank of the ET. It is preferable to omit as much ordnance as possible from flight vehicles to reduce the possibility of inadvertent activation.

Recommendation 4: Studies supporting the need for the RSS destruct system on the LOX tank should be updated in light of the current state of knowledge, operating experience and the introduction of the new Super Lightweight Tank (SLWT) to determine if it is now acceptable to remove the ordnance.

NASA Response (in 1996 ASAP appendix): Studies have been completed, and the Space Shuttle program has formally eliminated the requirement for an ET RSS and approved removal of ET RSS hardware.

Deactivation of the system is planned with a phased implementation of hardware removal on tanks that culminates in a total removal by ET-96. RSS hardware removal may begin as early as ET-87. The first SLWT (ET-96) will not have any RSS hardware installed, thus increasing the Shuttle safety by removing the possibility of inadvertent activation of the tank destruct system.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 5: The Orbiter and its landing sites continue to be configured with obsolescent terminal navigation systems. The existing Tactical Air Control and Navigation (TACAN) and Microwave Scanning Beam Landing System (MSBLS) systems are increasingly difficult to maintain, vulnerable and expensive. Continued reliance upon them limits landing options in the event of a contingency abort. Replacement of TACAN and MSBLS with now available precise positioning GPS in a triple redundant configuration would ameliorate and most likely solve these problems.

Recommendation 5: Accelerate the installation of a triple redundant precise positioning service GPS in all Orbiters.

NASA Response (in 1996 ASAP appendix): The Space Shuttle orbiter project is accelerating the first installation of three-string GPS to the orbiter maintenance down period (OMDP) scheduled for OV-104 in 1998. This improves the date for the last TACAN flight by 2 years, from 2002 to 2000. The FY 1998 OMDP is the earliest date that can be accommodated by hardware design, certification, and flight software development. Software development and hardware installation during the OMDP are the pacing items in bringing the three-string system on line. The requirements to install the wiring, antenna, and control panel modifications for the three-string system have been estimated to be approximately 5,000 man-hours of work on each vehicle. Implementing any change of this size during a vehicle flow in the KSC Orbiter Processing Facility would create prohibitive launch flow impacts, thus relegating the change to OMDP.

The single-string system now being implemented for OV-103, -104, and -105 is essential to verifying GPS performance. Plans to thoroughly evaluate and certify the GPS as the primary Shuttle navigational system are being prepared. The additions to GPS flight software necessary to support just the single-string system require the single largest software change since the initial development of the Space Shuttle program. The additional changes to go from single-string to the operational three-string system will be approximately the same size. Production of this software is being given the highest priority.

The backup flight software system (BFS) will support the single-string system on STS-79. Primary flight software for the Shuttle is developed in operational increments. GPS software was originally considered for OI-26 in 1994; however, it was necessary to give priority to software associated with payload performance enhancements that enable construction of the International Space Station. A special OI-26B was created to add single-string GPS capability to the primary flight software. OI-27 will be devoted to the three-string system. Meanwhile, NASA is considering utilizing single-string GPS data for additional risk reduction for contingency aborts and emergency de-orbits. Software and hardware improvements and supporting certification will allow for first flight of the three-string GPS in January 1999 on STS-96. The Space Shuttle program continues to investigate upgrades that will minimize the risks of contingency abort modes.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 6: Orbiter Reaction Control System (RCS) oxidizer thruster valve leaks are occurring with increasing frequency. More recently, RCS fuel thruster valve leaks have also been observed. Because isolation of leaking thrusters can be implemented by manifold shut off and thruster redundancy is provided, leaking thrusters have not been considered a serious safety hazard. RCS leaks in the vicinity of rendezvous targets such as Mir and the International Space Station (ISS) could, indeed be a serious safety hazard.

Recommendation 6: Do what is necessary to eliminate the RCS thruster valve leaks now and in the future.

NASA Response (in 1996 ASAP appendix): A comprehensive program to improve thruster reliability and eliminate RCS thruster leaks has been put in place. The majority of oxidizer valve leaks are attributed to the long-term accumulation of nitrates that form in the presence of moisture. The changes fall into three categories: operations improvements, improved maintenance of valves, and design changes. Changes in the way turnaround operations are performed consist of emphasizing the maintenance of the RCS propellant system in a hard-filled/wetted state, improved thermal conditioning to keep the thrusters always above the minimum temperature, and reduction of moisture intrusion into the system. These principles have been incorporated into written procedures at KSC and are currently in use. In addition, a molecular sieve is being implemented at the launch pad to reduce the residual iron and water in the RCS oxidizer. Periodic flushing of thruster and valve passages to remove accumulations of nitrates has been implemented. The thruster flushing essentially returns the thruster to an as-new condition in terms of nitrate accumulation. Thruster flushing has been performed at each OMDP beginning with OV-103 in July 1995. Subsequent intervals for flushing are planned at every other orbiter maintenance down period (OMDP), subject to change based on evolving failure rates from nitrate accumulation.

Two design approaches to achieve a more reliable valve have been evaluated, and one has been chosen for implementation. The first design solution proposed was to abandon the current pilot operated valve (POV) in favor of a direct acting valve (DAV). In addition to technical problems involving reliability of required bellows, it was determined that removing and replacing all the oxidizer valves in the fleet was cost prohibitive. It was determined that the cost-effective approach could be achieved by replacing certain internal parts of the existing valve with redesigned parts on an attrition basis. The redesigned parts modify the areas of the current valve that have been shown to be sensitive to nitrate contamination. Examples of design changes are reduction of seal surface contact area, adoption of a conical seal geometry, and a stronger spring with more valve closing capability.

In summary, a comprehensive, cost-effective program to improve thruster reliability and minimize leaks has been defined and is in various stages of implementation. The effectivity of various elements of the program will be carefully monitored and the program adjusted according to results.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 7: The use of Alumina Enhanced-Thermal Barrier (AETB) tiles with Toughened Uniplace Fibrous Insulation (TUFI) coating on the Orbiter has the potential to enhance safety and reduce life cycle cost.

Recommendation 7: NASA should make a thorough study of the potential use of the AETB/TUFI tiles in order to determine if it is cost effective to qualify the tiles for flight.

NASA Response (in 1996 ASAP appendix): The use of AETB tiles with the TUFI has been considered extensively in the last year for use on the Shuttle. AETB/TUFI tiles have been flown as technology demonstrations in support of the X-33 program. These tiles were installed on the lower body flap and base heat shield of the orbiter. Tiles with density of 12 pounds/cubic foot were attached to the body flap. Those attached to the base heat shield had a density of 8 pounds/cubic foot. The use of TUFI coating with the FRCI-12 substrate has been identified as a practical option for certain damage prone areas of the orbiter. Certification of this combination for multiple flights will be relatively inexpensive because of similarity between the current coating and TUFI. However, the weight of FRCI-12 with the TUFI coating excludes its use for large area applications. Weight is a critical parameter as the Space Shuttle program strives for performance improvements in support of Space Station assembly flights.

The AETB-12 tile substrate, which is the most mature AETB material, offers few benefits over the current certified FRCI-12. The AETB-8 shows some promise as it would be weight competitive with the LI-900 configuration. Development of AETB-8 technology continues, but it is not in production. Studies will be performed to determine whether it is cost effective to certify and implement this tile configuration. These studies will determine whether the lower maintenance costs would provide an adequate payback.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 8: The SSME has performed well in flight during this year. While some launches were delayed because of problems or anomalies discovered during pre-launch inspections and checkout or development engine test firings at the Stennis Space Center (SSC), such issues were thoroughly and rapidly investigated and resolved.

Recommendation 8: Continue the practice of thorough and disciplined adherence to inspection and checkout of engines prior to commitment to flight as well as prompt and thorough resolution of any anomalies discovered.

NASA Response (in 1996 ASAP appendix): A disciplined adherence to procedures and a commitment to complete resolution of all anomalies will be maintained.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 9: The Block II engine, in near-final configuration, re-entered development testing in mid October 1995. Testing of what had been expected to be the final configuration was begun later that month. The High Pressure Fuel Turbopump (HPFTP) was a principal cause of the late restart of testing primarily because of slips in obtaining some redesigned turbopump components. The remaining time to achieve the scheduled first flight of the Block II configuration is very tight and allows for little, if any, problem correction during development and certification testing. The improved ruggedness and reliability of this version of the SSME is critical to the assembly and operation of the ISS.

Recommendation 9: Do not let schedule pressure curtail the planned development and certification program.

NASA Response (in 1996 ASAP appendix): The Space Shuttle program and the SSME project are committed to completing the development and certification program of the Block II engine. Current planning supports the utilization of the Block II SSME for ISS missions, but the Shuttle has adequate performance with Block I engines for the initial Space Station flights.

Aerospace Safety Advisory Panel (NASA Charter), February 1996

Finding 10: Post flight inspection of recovered RSRMs from STS-71 and STS-70 identified gas paths leading to primary O-ring heat erosion in joint #3 of the RSRM nozzles. Heat erosion in this joint could compromise Space Shuttle mission safety. NASA stopped all launches until the anomaly was resolved and corrective repairs made.

Recommendation 10: NASA should continue to investigate and resolve all potential Space Shuttle flight safety problems in this same forthright manner.

NASA Response (in 1996 ASAP appendix): NASA concurs. Anomalies that could compromise Space Shuttle mission safety will be resolved before subsequent Shuttle launches.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1996

Finding 11: The schedule for firings of Flight Support Motors (FSM) for evaluating changes made to the RSRM has been stretched out. Now, accelerating obsolescence and new environmental regulations have increased the need for the data supplied by FSM firings.

Recommendation 11: Do not further stretch out FSM firings.

NASA Response (in 1996 ASAP appendix): NASA concurs with the finding and, based on current funding profiles, plans to abide by the schedule associated with FSM firings.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1996

Finding 12: The development of the Super Lightweight Tank (SLWT) using Aluminum Lithium (Al-Li) material entails several unresolved technical issues. These include a low fracture toughness ratio and problems in large scale joint welding. There are also critical structural integrity tests, which are behind schedule. Resolution of these issues could impact the delivery of the SLWT.

Recommendation 12: Satisfactory resolution of these issues must be achieved prior to SLWT flight.

NASA Response (in 1996 ASAP appendix): NASA recognizes the concerns expressed in the findings and recommendations for this item. Appropriate efforts and planning have been implemented within the SLWT project to focus the needed resources on development of resolutions to the issues noted and support delivery of ET-96 to meet the International Space Station first element launch in December 1997. Progress/changes that address these issues since the last Aerospace Safety Advisory Panel review follow.


(lots of details omitted)

Aerospace Safety Advisory Panel

(NASA Charter)

February 1996

Finding 29: The Dryden Flight Research Center’s Basic Operations Manual (BOM) describes a pro-active attitude toward safety, which is exemplary and worthy of emulation throughout NASA.

Recommendation 29: Other Centers and NASA contractors could profit from the use of the Dryden BOM as a model.

NASA Response (in 1996 ASAP appendix): NASA agrees that the Dryden Flight Research Center’s Basic Operations Manual (BOM) describes a proactive attitude toward safety that is exemplary and worthy of emulation throughout NASA. The Dryden BOM was installed on the Internet 2 years ago and can be accessed from the Dryden home page. This will ensure its availability to other NASA centers and contractors for use as a model in developing or improving their own operations documentation.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1996

Finding 31: The Senior Managers’ Safety Course conceived and conducted by JSC is an outstanding overview of philosophies, techniques and attitudes essential to a successful safety program.

Recommendation 31: A safety course for senior managers similar to the one conducted at JSC should be established at other NASA centers and Headquarters. Consideration should also be given to exporting the course to major NASA contractors and including its elements in managerial training programs.

NASA Response (in 1996 ASAP appendix): The Senior Managers Safety Course conducted at JSC has become the benchmark at NASA for establishing enhanced safety awareness at the Center Director level.

The Associate Administrator for Safety and Mission Assurance coordinated and promoted the awareness course during presentations on April 9-11, 1996, in Houston, Texas, to NASA Center Directors, senior managers, and senior safety, reliability, maintainability, and quality assurance personnel. Attendees highly praised the course and recommended enhancing senior participation by request of the NASA Deputy Administrator. The Deputy Administrator will invite all Center Directors to a second presentation at JSC in the fall of 1996. The goal will be to transport this course using the “train the trainer” concept to each participating NASA center, with the objective of keeping safety and mission success foremost in every NASA operation.


Aerospace Safety Advisory Panel

(NASA Charter)

February 1996

Finding 32: NASA’s ongoing reorganization and the intention to pass responsibility for Space Shuttle operations to a single Space Flight Operations Contractor (SFOC) have potential safety implications. To this point, other than an effect on morale at the KSC due to uncertainty, no significant problems have surfaced.

Recommendation #32: NASA leadership and top management should continue active and detailed involvement in the safety aspects of planning for and oversight of the NASA reorganization in general and Space Shuttle operations in particular.

NASA Response (in 1996 ASAP appendix): NASA’s top priority throughout the restructuring process and implementation of the SFOC has been, and will continue to be, maintenance of safety. Safety considerations are currently embedded in the program management processes and will remain so. To help assure this, the Associate Administrator for Safety and Mission Assurance (S&MA) at NASA Headquarters has formed a Human Exploration and Development of Space (HEDS) Assurance Board, which includes in its membership the S&MA Directors of JSC, MSFC, KSC, and SSC and the Shuttle S&MA Technical Manager’s Representative (TMR) from the Program Office. The HEDS Assurance Board charter is to monitor program safety implementation and provide guidance through transition to the SFOC. The Lead Center Director (LCD) at JSC has established the position of Associate Director (Technical) with responsibility for overseeing program safety and providing recommendations to the Center Director. (Astronaut John Young currently occupies this position.) The LCD receives weekly SFOC implementation status from the Program Manager as well as monthly program issues reports, which are shared with the Associate Administrator for Space Flight.


Additionally, the Program Manager provides status briefings to the OSF Management Council (the Associate Administrator for Safety and Mission Assurance is a member) quarterly or as requested. The implementation of Space Shuttle program streamlining and the SFOC is, therefore, receiving top-level management visibility and guidance on a routine basis. Even so, NASA is being extremely careful in implementing the SFOC. For example, particular attention is being paid to safety considerations at KSC, where the flight hardware will be processed by the SFOC. There, NASA will be instituting an extensive audit, surveillance, and independent assessment of SFOC processing activities that are required to be compliant with existing NASA-approved processes. The KSC management team will be retained as an integral part of the program management structure and will maintain insight into SFOC launch, landing, logistics, and S&MA activities. This team will continue to play a major role in Flight Readiness Review (FRR) activities with full membership on the FRR Board. Finally, we believe execution with the incumbent operations support contractors for the SFOC provides maximum assurance of continuation of safe operations.


Aerospace Safety Advisory Panel

(NASA Charter)

February 1996

Finding 33: The plan for Space Shuttle restructuring and downsizing provides that NASA personnel will be involved in the resolution of any off-nominal events which are beyond the operating experience base or “out-of-family.” This places extreme importance on the development and implementation of the definition of an out-of-family situation.

Recommendation 33: NASA personnel with direct Space Shuttle operations experience should be involved not only in the derivation of the definition of out-of-family but also in the day-to-day decisions on what constitutes an out-of-family event.

NASA Response (in 1996 ASAP appendix): The Space Shuttle program management plans to maintain full capability for identifying, evaluating, and resolving all anomalous performance of Space Shuttle systems. To support this objective, the program has developed general definitions of “In-Family” and “Out-of-Family” characteristics for all Shuttle systems and processes, which will serve as performance classification criteria. NASA will use its most experienced and skilled personnel to develop detailed definitions and data bases. With the implementation of the Space Flight Operations Contract (SFOC), the program is transferring responsibility for routine operations activities to the contractor, which will be accountable for classifying performance as either “In-Family” or “Out-of-Family” per the definitions and consistent with well-defined systems and processes performance data bases. The SFOC contractor will be required to report and interface with NASA on a daily basis to ensure that appropriate data are exchanged to identify “Out-of-Family” issues. Additionally, NASA will perform audit and surveillance of the operation using NASA technical and operations experts. Metrics will be developed that will support the identification of “Out-of-Family” issues as well as the health of the processes.


For evaluating those issues reported as “Out-of-Family,” the program will retain a core team of NASA experts in each area (e.g., KSC ground operations, JSC flight operations, orbiter, flight software, etc.) that will be capable of performing independent assessment of issues and making recommendations to the Program Manager. In this approach, the Program Manager requires these NASA experts to concur in “Out-of-Family” resolutions.

Aerospace Safety Advisory Panel

(NASA Charter)

February 1996

Finding 35: While hardware typically gets adequate coverage from the Safety and Mission Assurance organizations at the NASA Centers, there is evidence that software does not.

Recommendation 35: The Headquarters Office of Safety and Mission Assurance should examine the depth of the software assurance process at each of the Centers and promulgate NASA-wide standards for adequate coverage.

NASA Response (in 1996 ASAP appendix): NASA agrees with the importance of this recommendation. The NASA Software Assurance Standard (NASA-STD-2201-93) promulgates commonality and provides direction on what activities are to be performed for software assurance across the Agency. The NASA Software Safety Standard (NSS 1740.13) was added to the Safety Standards series in 1996. The addition of the software safety standard and guidebook will assist projects to plan and budget for software safety as software increases in criticality and importance in NASA systems.

(lots of detail on ISS omitted)

One such process to be verified is the software assurance process as it is applied at the center with respect to NASA-STD-2201-93. Process Verification will provide the Agency the confidence that proper skills and personnel exist to adequately perform software assurance for each center. Software assurance has a high priority to be verified within the first year of the PV initiative.


Aerospace Safety Advisory Panel

(NASA Charter)

March 1995

Finding 7: The Russian Androgynous Peripheral Docking System (APDS) for docking the Space Shuttle with the Mir uses 12 active hooks on the Space Shuttle side which mate with an equal number of passive hooks on the Mir. The design currently provides no positive means of determining whether any or all of the hooks are secured. NASA has decided it is an acceptable risk to fly the first docking mission, STS-71, without an indicator. Having to rely on the pyros as presently supplied by the Russian Space Agency poses risk because of lack of knowledge relating to the pyros’ pedigree and certification. A second contingency demate procedure is available involving the Extravehicular Activity (EVA) removal of 96 bolts at a different interface. Implementing either backup method to separate Shuttle from Mir may leave the Mir port unusable for future dockings.

Recommendation 7: NASA should develop an indicator system.

NASA Response (in 1995 ASAP appendix): The second APDS unit, which is being procured from RSC-Energia for the second and subsequent Mir missions, also does not have individual structural hook position indicators. The addition of indicators was discussed with RSC-Energia, however, the APDS manufacturing and delivery schedule precluded installation. Johnson Space Center (JSC) and Rockwell engineers have shown, through test and analysis, that there is no threat to crew and vehicle safety for the remote failure case of two adjacent hooks failing to close properly. Combinations of failures that would result in crew injury or vehicle damage are considered to be of remote probability, the risk therefore being acceptable for the Phase I program. The Shuttle program has reviewed the test and analysis results and approved the APDS baseline without position indicators for the Mir missions.


Aerospace Safety Advisory Panel

(NASA Charter)

March 1995

Finding 8: If the primary system fails, the first backup separation system for the APDS is a set of pyro bolts which disengage the 12 active hooks.

Recommendation 8: NASA should emphasize increasing the reliability of the primary mating/demating mechanisms in order to reduce the likelihood of having to use either of the backups. NASA should also obtain an acceptable certification of the supplied pyro bolts. Failing that, NASA should procure fully certified substitute bolts.

NASA Response (in 1995 ASAP appendix): The APDS mechanism hardware has been demonstrated by test to fully meet its design environments. Additional detail regarding critical mechanical components was jointly developed by RSC-Energia, JSC, and Rockwell engineering, and analysis of those components has been completed. The analysis supports test results which demonstrate design margin for the life of the Mir program. Additionally, the results for this analysis will be used as a guideline in developing maintenance requirements for future Mir and Station missions. The pyrotechnics, installed in the APDS, have completed a confidence test that was developed by Rockwell and NASA engineering in conjunction with RSC-Energia and with the concurrence of NASA S&MA. NASA is pursuing design improvements of the RSC-Energia bolts for Station missions and is also working on the development of an American-built pyrotechnic bolt. RSC-Energia has not been receptive to the idea of installing American bolts in the APDS; however, assembly schedules do not require a decision until late 1995, and discussions with RSC-Energia are continuing.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1995

Finding 9: Significant additional payload mass capability is required to meet the demands of the ISS assembly and supply plans. Much of the needed increase in capacity will be achieved through weight reduction programs on a number of Space Shuttle elements and subsystems. The large number of simultaneous changes creates potential tracking and communication problems among system managers.

Recommendation 9: Emphasis should be placed on the adequate integration of all of the changes into the total system.

NASA Response (in 1995 ASAP appendix): Integration of major changes into the existing Space Shuttle vehicle is receiving emphasis by the Space Shuttle program. The Space Shuttle program has had a system in place for many years to integrate all of the changes into the total system. This system has proven effective.


The system consists of technical panels, integrated product teams, and control boards. A technical panel exists for each major functional area (e.g., Loads and Dynamics, Thermal). These technical panels integrate and review the technical aspects of the analysis and testing. The functional areas are integrated by the integrated product teams (e.g., Propulsion System Integration Group) and at joint panel meetings. The control boards, at the project and program level, provide a final technical review and integration, and management direction for cost and schedule control.

The NASA Element Project Offices and prime contractors are represented on the technical panels, integrated product teams, and control boards, allowing cross communication and input at all levels of the process. There is a System Integration Plan for each of the major performance enhancements that defines the responsibilities of the affected elements, identifies deliverable products and hardware, and defines the system schedule for that enhancement to support the first element launch.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1995

Finding 10: The New Gas Generator Valve Module (NGGVM), when certified and retrofitted to the fleet, should mitigate many of the problems with the current Improved Gas Generator Valve Module in the Improved Auxiliary Power Unit (IAPU). The NGGVM development program is proceeding well.

Recommendation 10: NASA should attempt to introduce the NGGVM into the fleet as soon as possible as a safety and logistics improvement.

NASA Response (in 1995 ASAP appendix): NASA intends to introduce the NGGVM into the fleet on an opportunity basis. The ground rule for this plan is to maintain a minimum Kennedy Space Center (KSC) stock level of five spare IAPUs to support any unplanned line replaceable unit removals. Any other IAPUs not required to support this stock level will be shipped to Sundstrand to undergo the NGGVM modification. By leaving this number of spare IAPUs on the shelf at KSC and modifying any units available beyond that, the NGGVM implementation into the fleet can be completed in late 1998 or early 1999. Upgrade and modification of three Auxiliary Power Units currently not used for flight as an expedient to the NGGVM fleet retrofit is not cost effective.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1995

Finding 11: The decision has been made to install the entire Multi-Function Electronic Display System (MEDS) in each Orbiter during a single Orbiter Maintenance and Down Period (OMDP). An Advanced Orbiter Displays/System Working Group has been formed to plan for the next generation of MEDS formats and display enhancements.

Recommendation 11: NASA should support the Advanced Orbiter Displays/System Working Group and set a timetable for the introduction of enhanced display formats which will improve both safety and operability. It should also maintain its commitment to completing the MEDS installations during a single OMDP.

NASA Response (in 1995 ASAP appendix): NASA established the Advanced Orbiter Displays/System Working Group to define next-generation cockpit displays that will take advantage of MEDS data processing capabilities to improve safety and operability. The Government/industry working group is currently defining requirements for enhanced displays as well as a timetable for both evaluation of candidate displays in MEDS testbeds and introduction of new displays into orbiters. NASA identified several advantages to installing MEDS hardware in orbiters during a single OMDP. Current OMDP planning as well as the schedule for first flight of MEDS on each orbiter reflects the single OMDP installation plan.


Aerospace Safety Advisory Panel

(NASA Charter)

March 1995

Finding 12: The Tactical Air Control and Navigation (TACAN) and Microwave Scanning Beam Landing System (MSBLS) on-board receivers are obsolescent and increasingly difficult to maintain. The MSBLS receivers also have known design problems which can lead to erroneous guidance information if the Orbiter is operating with only two of the three receiver complement. A Global Positioning System (GPS) test is underway on one of the Orbiters using the backup flight software and computer. The use of GPS could replace both the TACAN and MSBLS systems as well as assisting ascent and on-orbit operations.

Recommendation 12: Given the potential of GPS to improve safety and reliability, reduce weight and avoid obsolescence and the many existing and potential problems with the use of TACAN and MSBLS, a full GPS implementation on the Orbiter should be accomplished as soon as possible.

NASA Response (in 1995 ASAP appendix): The Space Shuttle program is currently reviewing a plan to fully implement the GPS capabilities. The GPS hardware/software implementation plan calls for completing the installation of a redundant GPS hardware capability as early as the year 2000. The software implementation will be completed with delivery of the OI-27 operational increment by December 1997 with a first flight effectivity in the summer of 1998. The redundant GPS hardware installation will be accomplished during the OMDP for each orbiter.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1995

Finding 13: Growth in the requirements for on-board data processing will continue as the Space Shuttle is used in support of Shuttle/Mir, ISS and other future missions. The length of time over which the General Purpose Computer and its software will be able to meet these growing needs effectively is likely inadequate.

Recommendation 13: NASA should expedite a long-range strategic hardware and software planning effort to identify ways to supply future computational needs of the Space Shuttle throughout its life-time. Postponing this activity invites a critical situation in the future.

NASA Response (in 1995 ASAP appendix): We concur that continued reliance on the Space Shuttle beyond 2005 will demand some major revisions to the core General Purpose Computer (GPC) hardware and software, if for no other reason than the inability to maintain hardware based on early 1980 technology. Such a revision, given the tightly coupled interdependencies of the present core architecture, would logically be accomplished as a major “block” update rather than gradually evolving to a new architecture.

The block update approach can also serve to reduce future operations costs by stabilizing avionics hardware and software during the Station assembly era. In accord with that concept, the Space Shuttle program is considering an approach that would freeze the GPC software at roughly the turn of the century, following the incorporation of Station-driven enhancements. That freeze would allow for diversion of engineering resources, heretofore devoted to routinely evolving enhancements, to pursue a true significant block update sufficient to sustain the Space Shuttle past 2020.

As the foundation for such a possible architecture, the JSC Engineering Directorate has developed a Reduced Instruction Set Computer (RISC) for high-fidelity emulation of the present GPC. That emulation is capable of real-time bit-level execution of actual object code produced by the HAL/S compiler. It will soon be made available to allow flight software developers a target machine for early development testing. At the present time, such early testing is a premium because of the limited availability of real GPCs. The extension of the emulator concept, as a candidate to replace the actual flight GPCs, is the next logical step. It would preserve critical flight code, thereby minimizing the reverification costs, while still providing a modern platform for growth.

In summary, NASA does have the essential formative elements for a long-range strategic hardware and software upgrade effort in work. Existing limited resources and ongoing program activities obviously preclude any definitive strategic planning until completion of the current program-wide restructuring activities. Once those activities are complete, a more definitive plan and schedule, predicated on critical examination of limited available resources, can be developed.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1995

Finding 14: The STS-64 mission involved a higher than usual level of windshield hazing which could have led to a situation in which the astronauts’ view of the landing runway was obscured. MSBLS and TACAN are obsolescent. There is also the possibility that false indications by MSBLS under certain scenarios could result in an unacceptable risk of a landing mishap. Thus, there is a clear need for early upgrade of Orbiter and support facility autoland equipment and crew flight rules and training improvement.

Recommendation 14: NASA should improve the autoland equipment on the Orbiter; for example, replacing MSBLS and TACAN with GPS. In the interim, NASA should ensure that operations and failure modes of MSBLS are fully examined and understood. NASA should also reexamine the training of crews for executing automatic landings, including autoland system familiarization. Astronaut commanders and pilots should discuss circumstances which might warrant autoland use prior to each mission and be prepared for all reasonable contingencies in its operation.

NASA Response (in 1995 ASAP appendix): Incorporation of GPS is being pursued as aggressively as funding and technical constraints will allow. The program has approved plans and funding to provide a single-string GPS capability that can be flown in the summer of 1997 as a first step toward TACAN/MSBLS replacement. Plans for a full three-string operational system have been approved for OI-27, and detailed costs and schedules are being assessed by the program. The failure modes of the MSBLS have been analyzed and are documented in the program’s Critical Item List.

The finding made by the ASAP regarding the STS-64 mission, involving a higher than usual level of windshield hazing that could have led to a situation in which the astronaut’s view of the landing runway was obscured, is incorrect. The STS-64 orbiter Quick Look Report states: “Orbiter Windows 3 and 4 exhibited light hazing and streaks were seen on 4.” Additionally, the Commander (Richard N. Richards, 4th flight) reports that the window hazing was not unusual at all, typical of what is usually seen, and an excellent view of the runway was obtained at all times during the approach, landing, and rollout phases of the flight. The STS-64 vehicle touchdown parameters were excellent, confirming that the Commander had an excellent view of all visual aids throughout the approach and landing. (These touchdown parameters include touchdown airspeed of 198 knots versus 195 planned, touchdown distance of 2386 feet versus predicted 2505, sink rate at touchdown of 1.0 feet per second, and a threshold crossing height of 20 feet. All parameters are excellent.)

Extensive analysis of the orbiter autoland system has been performed by various organizations in NASA, including exhaustive reviews by NASA Safety and Mission Assurance personnel. Those results have been briefed to all levels of NASA management. The Space Shuttle program has not identified/defined any hardware or software change that is necessary to improve the autoland capability. The operational use of the autoland capability remains at the discretion of the mission commander. To educate pilots and commanders on the use of this emergency system, Mission Operations Directorate (MOD) provides a briefing that covers the capabilities and limitations of the autoland system, as well as the contingency cases for which it is a viable alternative (i.e., both pilots incapacitated, or a highly inaccurate weather forecast for landing). In addition, each crew has a session in the Shuttle Mission Simulator, as well as the Shuttle Training Aircraft where the autoland system is demonstrated and discussed.

Aerospace Safety Advisory Panel (NASA Charter), March 1995

Finding 15: It has become necessary to execute a partial disassembly of both the engines and turbopumps after each flight because of the accumulation of special inspection requirements and service life limits on components of the current (Phase II) SSMEs. These inspections are performed with rigor and appropriate attention to detail.

Recommendation 15: In order to control risk, NASA must maintain the present level of strict discipline and attention to detail in carrying out inspection and assembly processes to ensure the reliability and safety of the SSMEs even after the Block I and Block II upgrades are introduced.

NASA Response (in 1995 ASAP appendix): NASA agrees with this recommendation and will continue to perform the detailed inspections of the Phase II Space Shuttle Main Engines (SSME) that are currently defined. The postflight inspections of both the Block I and Block II SSMEs will be significantly less in frequency than those for today’s Phase II SSME due to the major design changes, especially in the turbopumps. However, the program plans to use the same level of strict discipline and attention to detail in carrying out the new inspection program as it has in the past.

Aerospace Safety Advisory Panel (NASA Charter), March 1995

Finding 16: The re-start of the Advanced Turbopump Program (ATP) High Pressure Fuel Turbopump (HPFTP) and the start of the Large Throat Main Combustion Chamber (LTMCC) developments were authorized in the spring of 1994. Combined with the ongoing component developments of the Block I engine, this will produce a Block II engine which will contain all of the major component improvements that have been recommended over the past decade to enhance the safety and reliability of the SSME. Both the Block I and Block II programs have made excellent progress during the current year and are meeting their technical objectives.

Recommendation 16: Continue the development of the Block II modifications for introduction at the earliest possible time.

NASA Response (in 1995 ASAP appendix): NASA agrees with this recommendation. The first flight of the Block I SSME was on STS-70, which was launched on July 13, 1995. The Block II SSME will be available for flight in September 1997.

Aerospace Safety Advisory Panel (NASA Charter), March 1995

Finding 17: In order to provide an engine health monitoring system that can significantly enhance the safety of the SSME, improvements must be made in the reliability of the engine sensors and the computational capacity of the controller. It is also essential to eliminate the difficulties with the cables and connectors of the Flight Accelerometer Safety Cut-Off System (FASCOS) so that vibration data can be included in the parameters used in the algorithms that determine engine health.

Recommendation 17: Expand and emphasize the program to improve engine health monitoring. Continue the program of sensor improvements.

NASA Response (in 1995 ASAP appendix): The Space Shuttle program is implementing Discharge Temperature Thermocouples as a replacement for the current temperature sensors on the SSMEs. No other health monitoring improvements are funded at this time because the design was not mature enough to make this a cost-effective project.

Aerospace Safety Advisory Panel (NASA Charter), March 1995

Finding 18: The Block II SSME can improve safety if an abort is required because it can be operated more confidently at a higher thrust level. This will permit greater flexibility in the selection among abort modes.

Recommendation 18: NASA should reexamine the relative risks of the various abort types given the projected operating characteristics of the Block II SSMEs. Particular emphasis should be placed on the possibility of eliminating or significantly reducing exposure to a Return to Launch Site abort.

NASA Response (in 1995 ASAP appendix): Operating the Block II SSMEs at a higher power level requires completion of two certification activities: the Block II SSME hardware certification and the integrated vehicle intact abort certification (loads, thermal, guidance, navigation and control). Because the internal environments and stresses are significantly reduced for Block II SSMEs, the Space Shuttle program approved certification testing to include 109-percent power level for intact abort operations. This allows for the future consideration of increasing the power level for intact aborts to 109 percent pending the results of certification testing. If the increase in power level for intact aborts proves feasible, it would reduce, but not eliminate, exposure to the Return-to-Launch Site abort mode.

Performance enhancements vehicle ascent certification environments are currently being developed using 106-percent power level for intact abort operations to improve abort performance and to minimize the risk of design impacts to the Space Shuttle vehicle. A delta certification plan to incorporate 109-percent power level for intact abort operations is currently being developed.

Implementation of the plan is contingent on a successful Block II SSME test program, the results of vehicle thermal and structural loads trade studies, and the delta certification cost and schedule. Further, even if certification is successful, the decision to utilize 109-percent power level for intact aborts will depend on actual flight experience with the Block II SSMEs.

Aerospace Safety Advisory Panel (NASA Charter), March 1995

Finding 19: The liquid oxygen tank aft dome gore panel thickness of the Super Lightweight Tank (SLWT) has been reduced significantly on the basis of analyses. To stiffen the dome, a rib was added. The current plan to verify the strength of the aft dome involves a proof test only to limit load. Buckling phenomena cannot be extrapolated with confidence between limit and ultimate loads.

Recommendation 19: The SLWT aft dome should either be tested to ultimate loads or its strength should be increased to account for the uncertainties in extrapolation.

NASA Response (in 1995 ASAP appendix): NASA agrees with this recommendation. At the joint NASA and Martin Marietta Aluminum Lithium Test Article (ALTA) Design Review on August 19, 1994, an aft LO2 dome test was added to the ALTA test program. Adding this stability test will permit the aft dome to be verified to the ultimate load condition. The as-planned test satisfies the buckling concerns of Finding #19.

Aerospace Safety Advisory Panel (NASA Charter), March 1995

Finding 20: The structural tests of a segment of an SRB aft skirt in the baseline configuration did not duplicate the strains and stresses previously measured in the tests of the full-scale aft skirt Structural Test Article (STA-3). This suggests that segment testing of the proposed bracket modification to improve the aft skirt’s factor of safety may not be valid.

Recommendation 20: NASA should reassess the use of the segment test method and reconsider the use of a full scale test article for qualifying the proposed bracket reinforcement.

NASA Response (in 1995 ASAP appendix): At the time of the NASA response to the March 1994 ASAP Annual Report, two initial test condition baselining test articles (TA) had been tested to 100- and 70-percent load levels. The TA-1 and TA-3 test loads were analytically derived and validated using empirical data from these tests and STA-3. The TA-3 baseline testing showed excellent correlation with strain response curves measured during the STA-3 test. In addition, a second test article was tested to failure. Strain data obtained from these two specimens was compared to the STA-3 strain data (up to 128 percent loads which was the maximum load level achieved prior to failure initiation during the STA-3 test program). Data from second baseline test, the bracket test, and STA-3 are depicted in the figure below. The strain measurements for the critical weld region for the full-load applications (0 to 128 percent loads) exhibit an average correlation within 8.6 percent and, at 128-percent load levels, the average correlation is within 9.6 percent.

(lots of details omitted)

In summary, component test results indicate that the external bracket significantly enhances critical weld factors of safety. In addition to providing substantive quantitative verification of existing analytical techniques, the completed evaluation of the test program results has provided no challenge to or indictment of current flight rationale. The resultant potential benefits from introduction of the bracket are limited. The design change has minimal potential for increasing the Shuttle lift-off wind allowables (and associated probability of launch), as other elements are similarly constraining. The elimination of the Advanced Solid Rocket Motor effort precludes near-term concerns for substantially increased skirt loading. The significant component, subscale and full-scale analysis and test, along with individualized measurements of each aft skirt, provide a level of understanding such that no further concerns exist for a demonstrated 1.28 factor of safety in the critical weld area. Therefore, implementation of the bracket is not planned at this time, and the program plans to change the appropriate specification requirement to reflect this factor of safety to avoid repetitive flight-by-flight waivers.

Aerospace Safety Advisory Panel (NASA Charter), March 1995

Finding 21: The effort by the NASA logistics organization and its principal contractors has resulted in satisfactory performance. There remain a few problems, such as a tendency towards increased cannibalization, which still require attention.

Recommendation 21: Every effort should be made to avoid cannibalizations, particularly on critical components such as the SSME and the IAPU.

NASA Response (in 1995 ASAP appendix): While there were some increases in cannibalizations in mid-1994, continued management attention has maintained an overall decreasing trend in cannibalizations. Close attention to related indicators will continue. There are currently four spare IAPUs on the shelf at KSC. No IAPU cannibalizations have occurred since 1993.

Aerospace Safety Advisory Panel (NASA Charter), March 1995

Finding 23: There is a plan to consolidate all logistics elements at KSC except Spacelab over the next three or four years. This should unify the entire logistics and supply organization. The realignments are intended to eliminate duplication of effort, gain efficiency in support and materially reduce the cost of operation.

Recommendation 23: Proceed as outlined in the NASA plan.

NASA Response (in 1995 ASAP appendix): A single organization consolidating all KSC logistics elements was officially established on April 17, 1995. This new organization integrates logistics functions from the Payload Management and Operations Directorate, the Installation Management and Operations Directorate, the Engineering Development Directorate, and the Shuttle Management and Operations Directorate. This new organization, known as the Logistics Operations Directorate, is now proceeding with internal realignments to eliminate duplication, increase efficiency, and reduce costs while improving customer service.

Aerospace Safety Advisory Panel (NASA Charter), March 1995

Finding 29: The Simplified Aid for EVA Rescue (SAFER) was successfully flight tested on the STS-64 mission. Although designed as a rescue device for an astronaut who becomes untethered, SAFER has demonstrated its potential to assist in other safety-critical situations such as contingency EVAs. Five SAFER flight units have been ordered. Plans are to deploy them on Mir and Space Station as well as to carry them on the Space Shuttle only when an EVA is planned.

Recommendation 29: Once the flight units are available, NASA should consider routinely flying SAFER units on all Space Shuttle missions which do not have severe weight limitations. This will permit them to be used for those contingency EVAs in which safety can be improved by giving crew members the capability to translate to the location of a problem to make an inspection or effect a repair.

NASA Response (in 1995 ASAP appendix): NASA has considered routinely flying SAFER units on all Space Shuttle missions which do not have severe weight limitations and has decided that it is not required.

SAFER was specifically designed to be used to rescue an EVA crewmember who had become inadvertently detached from a structure under the circumstances where the Shuttle could not credibly effect a rescue (for example, during Space Station operations when the Shuttle is either not at the Station or is docked to it). As such, it is classified as an “emergency” device and only needs to be single-string (i.e., zero-fault tolerant). SAFER is not required for other (operational) EVAs. All known, credible, contingency EVAs can be safely accomplished without it. There currently exists an EVA method to get to the External Tank (ET) umbilical doors located on the Orbiter without SAFER, for which each EVA crewmember is briefed prior to flight.

Furthermore, the cost of making SAFER operational on all Shuttle flights would be high. To be used as other than an emergency device, significant redesign would be required to make it at least single-fault tolerant. SAFER cannot be stowed on the Primary Life Support Subsystem in the airlock; therefore, special stowage would be required on each flight. Flying two SAFER units on each flight would require stowage for about 8 cubic feet and 200 pounds. Additional EVA training would also be required each time SAFER is flown, regardless of whether or not it is planned to be used.

Given the above reasons including the fact that all known, credible, contingency EVAs can be safely accomplished without SAFER, NASA believes that implementing this recommendation is not appropriate at this time.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 5: The organization and management of Space Shuttle launch operations at Kennedy Space Center (KSC) continue to benefit from a “continuous improvement process” managed by the Shuttle Processing Contractor (SPC). Greater employee involvement, better communications, strengthened employee training and the use of task teams, process improvement teams, and a management steering committee have been major factors in this improvement.

Recommendation 5: A strong commitment to achieving “continuous improvement,” despite budget cutbacks, should be maintained, at the same time recognizing the paramount priority of safety.

NASA Response (in 1994 ASAP appendix): The SPC continues its deep commitment to Continuous Improvement (CI) with over 550 active process improvement teams and 86 percent of their 6,600-person workforce trained in the principles and precepts of CI. The underlying theme of all SPC initiatives is their pledge for the highest level of performance at the lowest possible cost with absolute dedication to safety and quality.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 6: More than 1,200 positions have been eliminated by the SPC since September 1991 with only about 22 percent being achieved through involuntary separations. Present reductions have been achieved without an apparent adverse effect on the safety of launch processing. A comparable further reduction has been called for by the end of FY 1995. These additional reductions cannot likely be made without a higher probability of impacting safety.

Recommendation 6: KSC and SPC management must be vigilant and vocal in avoiding any unacceptable impacts on safety as a result of cost reductions planned for FY 1995 and beyond.

NASA Response (in 1994 ASAP appendix): KSC and SPC management are firmly committed to the precept that safety will not be compromised as a result of cost reductions. Procedures for processing a safe space vehicle have been established and are strictly followed. These procedures are revised only after a thorough review by technical and safety personnel to ensure that safety will not be compromised. Schedule times are flexible; safety requirements are not. As the cost reductions continue, KSC is committed to processing only the number of vehicles that can be completed safely within available resources.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 7: Several problems at KSC have been attributed to human factors issues. KSC has recently formed a human factors task force to address these problems.

Recommendation 7: KSC should ensure that the human factors task force includes individuals with training and experience in the field. Specific assistance should be sought from appropriate research centers and technology groups within NASA.

NASA Response (in 1994 ASAP appendix): The Management Steering Committee, chaired by the KSC Launch Director, established a CI team to support the Incident Error Review Board (IERB) in assessing human-error factors. This team reviewed the human-factors aspects of the Freon Coolant Loop Number 1 Pump Package incident on OV-105/STS-61 and made nine specific recommendations concerning the incident. A tenth recommendation addressed the need for the team to obtain training in human factors principles.

The CI Human Factors Team has since received training on human factors from the Battelle Memorial Institute in a seminar conducted at KSC. Some team members attended a class on incident investigation taught by The Central Florida Chapter of the National Safety Council. The team has subsequently added a new member with extensive experience in human factors from Analex Space Systems, Inc. The team will continue to pursue additional human factors training.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 8: KSC has developed a Structured Surveillance Program with the objectives of decreasing overall process flow time, increasing “first-time quality,” and reducing cost. The program approach involves reducing the reliance on inspections for assuring quality. Structured Surveillance also is proving valuable as a tool for the effective deployment of quality assurance resources.

Recommendation 8: The Structured Surveillance program should be continued and cautiously expanded.

NASA Response (in 1994 ASAP appendix): KSC has improved structured surveillance data elements, data collection methods, and metrics for the entire program at KSC (both Government and contractor) and has discussed these improvements with the Panel. To ensure effective implementation of the Government application of the structured surveillance program, the leadership of this effort has been moved up to the directors of the two implementing organizations. These directors co-chair a newly formed control board that manages the generation and modification of the policies, procedures, and training necessary for full implementation of structured surveillance.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 9: Thermal damage was noted on the STS-56 (OV-103) elevon tiles. The slumping of the tiles indicated that the tile surface reached a temperature of approximately 1,000 deg F. A temperature of this magnitude suggests that the temper and strength of the underlying aluminum structure could have been affected.

Recommendation 9: NASA should initiate an analysis to determine the temperature profile of the underlying aluminum structure of the elevons and its possible consequences on the strength of the Orbiter structure.

NASA Response (in 1994 ASAP appendix): On STS-56 (OV-103), an alternate forward elevon schedule (part of Center of Gravity Expansion Activities, Detailed Test Objective (DTO) 251) was flown. This was the maximum-up schedule (12 degrees up) ever flown. There was some tile slumping (caused by temperatures exceeding 1500 degrees F) at the center hinge location, but detailed postflight vehicle inspection confirmed that the aluminum structure was neither damaged nor subjected to unacceptable temperatures. Positive Margins-of-Safety have been verified subsequently through thermal design analysis. A redesign has been certified and is currently being installed on all four vehicles. This new design will allow a full-up (16 degrees) elevon without overheating of the underlying structure. Prior to incorporation of this modification, the elevon schedule had been constrained to 7 degrees up.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 10: The Shuttle tiles have provided effective heat protection. However, the surface of the tiles is easily damaged and their shrinkage and distortion properties are not as low as desired. A new tile formulation with superior characteristics and possibly lower density is being explored.

Recommendation 10: NASA is encouraged to support the development of thermal protection tiles with improved mechanical properties and lower density than the current Shuttle tiles.

NASA Response (in 1994 ASAP appendix): NASA is considering several improvements to the Tile Protective System (TPS). On STS-51 (OV-105), a tougher tile coating on Fiber Reinforced Composite Insulation (FRCI-12) tiles was flown as a DTO on a few door tiles on the base heatshield. There were no hits on these tiles. However, the DTO will be flown a number of times to obtain a good evaluation of the improvement expected from this coating. This tougher coating will enhance turnaround activities by minimizing tile replacement due to coating damage.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 11: NASA has made excellent progress on the engineering of the Multipurpose Electronic Display System (MEDS) for retrofitting Orbiter displays. However, there is no formal program to identify and include the safety advantages possible from a fully exploited MEDS.

Recommendation 11: A thorough review of the performance and safety improvements possible from a completely developed MEDS should be conducted based on crew inputs to system designers and researchers. A definitive plan should be developed to determine the schedule/cost implications of such improvements, and, if warranted, implementation should be scheduled as soon as possible.

NASA Response (in 1994 ASAP appendix): The MEDS, when operational, will provide a foundation for potential upgrades and enhancements to the current crew displays that will improve safety. The initial MEDS program must be on line in a timely manner to replace aging electro-mechanical devices. The flight crew, mission operations, engineering, training, and safety, reliability, and quality assurance program personnel have all agreed that the “transparency” achieved by designing enhanced displays similar in function and appearance to the current displays is the optimum solution initially. By designing similar but enhanced displays, the impacts for a mixed fleet while MEDS is being installed are minimized in the areas of training and flight software. There is only one single-motion-base simulator, therefore, crews training for MEDS or non-MEDS equipped vehicles will be able to train on displays that are similar to those they will use in flight. Similar display formats do not require any changes to the existing flight software. Once trainers and laboratories are equipped with MEDS, the test beds will be in place to evaluate display upgrades.

The next phase of the total orbiter displays-and-controls update activities will be to achieve a world-class state-of-the-art system by expanding the total complement to digital electronics replacing current wiring and switches as practical. Planning for this phase is beginning, but the exact implementation schedule will be dependent on funding availability as well as future human-tended spacecraft planning.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 12: The Improved Auxiliary Power Unit (IAPU) has experienced problems that have impacted Space Shuttle processing and logistics.

Recommendation 12: A new focus on increasing the reliability of the total IAPU system should be initiated and supported until the identified problems are solved.

NASA Response (in 1994 ASAP appendix): To improve Auxiliary Power Unit (APU) reliability, a continuous improvement program has been underway since the STS 51-L accident. Results from this program include the completion of an IAPU “upgrade” project (which eliminated injector tube corrosion, exhaust housing cracking, and some Criticality 1 concerns), a new design for the turbine wheel, an improved APU controller and fuel isolation valve, and the more reliable “Path a” Gas Generator Valve Module (GGVM). These changes have resulted in a greatly reduced rate of APU in-flight anomalies and fewer delays to the Shuttle processing and logistics support activities. Elements of the continuous improvement program not yet complete, but now underway include development of an entirely new GGVM, certification of a new material for the fuel pump thermal isolator, and development of more vibration-resistant thermostats. As the new GGVM is incorporated in the fleet, the APU should be totally certified for its planned 75-hour life capability.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 13: In its response to the Panel’s last Annual Report, NASA indicated that “The program is reviewing the operational flight rules pertaining to Autoland, we have budgeted upgrades in software and hardware to improve the Autoland functionality, the life sciences organization is collecting physiological data and developing countermeasures to ensure adequate crew performance as the mission duration increases. We are confident with using Autoland in a contingency mode, but do not plan to demonstrate Autoland until a firm requirement mandates a demonstration.”

Recommendation #13: The focus of Autoland should not be exclusively on long-duration missions. NASA should formulate a complete set of operational procedures needed for emergency use of Autoland, taking into account a full range of operational scenarios and equipment modifications that might be beneficial. These include upgrades to the Microwave Scanning Beam Landing System (MSBLS) receiver group, and installation and certification of Global Positioning System (GPS) capability.

NASA Response (in 1994 ASAP appendix): It is agreed that the Autoland system should not be focused just on long-duration missions. Currently, mission planning requirements do not include missions longer than approximately 18 days, including the Space Station program. The entry systems requirements including piloting techniques are continuously assessed for improvements. Autoland backup capabilities as well as heading alignment cone piloting enhancements are being developed and will be incorporated as we continue to implement the flight program. MSBLS/GPS type systems are being considered and will be brought on line as improvements are practical.

No specific training or procedures are required for the emergency use of Autoland, as the only manual tasks required of the crew in an Autoland scenario (e.g., deploying landing gear, postlanding braking, air data probe deployment, and navigation sensor data incorporation) are identical to those performed in a manual landing. Present flight rules define orbiter and landing-site equipment that must be functioning to perform an Autoland landing. The decision to engage Autoland in a contingency is left to the commander’s discretion to protect the safety of the crew. Exact flight rules to define all Autoland engagement criteria exceed the number of failure cases addressed by the current flight rules. A program to expand these criteria would require large resource commitments to develop and is not currently in the planning.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 14: The SSME has performed well in flight but has been the cause of launch delays and on-pad launch aborts that were primarily attributable to manufacturing control problems.

Recommendation 14: Continue to implement the corrective actions developed by the NASA and Rocketdyne manufacturing process review teams and devise techniques for detecting and/or precluding recurrence of the types of problems identified.

NASA Response (in 1994 ASAP appendix): The process audit teams and the NASA and Rocketdyne incident investigation teams have both identified process improvements which either have been or will be incorporated into all areas of the engine program. These process improvements will improve detection and preclude the recurrence of manufacturing control problems in any of our new or recycled hardware and substantially reduce the likelihood of associated problems leading to launch delays or launch pad aborts.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 15: “Sheetmetal” cracks in the Phase II (current) High Pressure Fuel Turbopump (HPFTP) have become more frequent and are larger than previously experienced. This has led to the imposition of a 4,250-second operating time limit and a reduction of allowable crack size by a factor of four. Congress has delayed the funding for restarting the development of the alternate HPFTP. This new turbopump design should eliminate the cracking problem.

Recommendation 15: Restart the development and certification of the alternate HPFTP immediately.

NASA Response (in 1994 ASAP appendix): NASA fully agrees with the recommendation to restart the alternate HPFTP immediately. Congressional authority to restart the program was received on April 14, 1994. The Space Shuttle program (SSP) is proceeding with the restart. The alternate HPFTP will be incorporated into the Block II SSME configuration with first flight scheduled for September 1997.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 16: The approved parts of the engine component improvement programs, now organized into block changes, are progressing well. The Block I grouping will enter formal certification testing by mid-1994. Progress in the Block II effort is, however, hampered by the delay in restarting the alternate HPFTP development effort.

Recommendation 16: Continue efforts to complete all of the Block II development as soon as possible.

NASA Response (in 1994 ASAP appendix): NASA fully agrees with this recommendation and is firmly committed to developing and implementing all of the SSME safety improvements, including the Alternate HPFTP and the Large Throat Main Combustion Chamber. Upon completion of these modifications, a significant reduction in Shuttle operational risk will be realized. Initiation of full-scale development testing is currently planned for mid-1995, with first-flight capability scheduled for September 1997.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 17: Engine sensor failures have become more frequent and are a source of increased risk of launch delays, on-pad aborts, or potential unwarranted engine shutdown in flight.

Recommendation 17: Undertake a program to secure or develop and certify improved, more reliable engine condition sensors.

NASA Response (in 1994 ASAP appendix): Improved hot gas temperature-sensing instrumentation is undergoing development testing and is planned for the first flight in FY 1995. A two-step improvement process for pressure and flow measuring instrumentation is also under way. As a first step, a new screening selection process has been developed for immediate implementation to improve sensor quality control. The second step, redesigning and improving sensors, is being implemented as these improvements become available.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 18: The SSME health monitoring system comprising the engine controller and its algorithms, software, and sensors is old technology. The controller’s limited computational capacity precludes incorporation of more state-of-the-art algorithms and decision rules. As a result, the probabilities of either shutting down a healthy engine or failing to detect an engine anomaly are higher than necessary.

Recommendation 18: The SSME program should undertake a comprehensive effort to improve the capability and reliability of the SSME health monitoring system. Such a program should include not only improved sensors but also a more capable controller and advanced algorithms.

NASA Response (in 1994 ASAP appendix): NASA agrees that the development and implementation of an advanced health monitoring system for the SSME is potentially worth pursuing. A system currently being considered would incorporate more processing capability in an upgraded controller and allow the utilization of advanced health monitoring software algorithms. With an improved system of this nature, the probability of shutting down a healthy engine would be reduced while the probability of preventing a catastrophic failure would be increased. NASA is reviewing proposals that would certify and implement this new capability into the Block II SSME configuration.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 19: A segment of an aft skirt will be used to test the effectiveness of an external bracket modification in reducing the overall bending stress of the skirt. The validity of using an 11-inch-wide test specimen to determine the effectiveness of the bracket is yet to be demonstrated.

Recommendation 19: NASA should evaluate the first specimen test results to see if the strains in the weld area duplicate the strains found when a full aft skirt was tested in the Static Test Article-3 (STA-3) test. If not, another test approach should be pursued.

NASA Response (in 1994 ASAP appendix): Tests on three of the four aft skirt test specimens have been completed. The baseline test article (TA-1), which represents the current aft skirt configuration, has been subjected to 100 percent of the developed load case. Based on a thorough evaluation of the TA-1 test data and correlation of the data with STA-3 test results, it is clear that the weld area strain field developed in the TA-1 test article correlates well with the strain field in this same area on the STA-3 aft skirt. This correlation confirms the validity of the test approach being used. The second test article (TA-4) was also in the baseline configuration and was subjected to a maximum load of 70 percent of the developed load case. This article utilized the photoelastic method for determining the strain field as opposed to using the typical strain gage method used on all other articles in this test program. This test verified that the STA-3 strain field could be duplicated on two separate articles within acceptable limits and that no high strain areas were overlooked during the analytical study of the test article response. The third test article (TA-2), which has an external bracket for the reduction of strain in critical weld region, was subjected to 205 percent of the developed load case with no structural anomalies occurring. Comparisons of the baseline configuration article (TA-1) and the bracketed configuration article (TA-2) were made at 100 percent loads. This comparison demonstrated that there was approximately a 50 percent reduction in the average weld strain in the critical weld region.

The baseline configuration article (TA-1) was tested to failure during June 1994. This test defined the weld failure strain for the TA-1 article. Test data obtained from this test is being compared to the results of the 205 percent TA-2 test and the STA-3 test to develop a comparative assessment of the benefit gained by the addition of the external bracket modification. If this assessment does not reveal adequate stress reduction, additional testing may be indicated.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 20: A small crack was found in the inner wall of a forward Redesigned Solid Rocket Motor (RSRM) casing used for STS-54. Although slightly above the specified minimum detectable size, it was well within the acceptable limits for safe flight. This was the first time that a crack had been found in a forward segment, although cracks have previously been detected in other segments. The crack occurred during the manufacturing heat treatment process because of an inclusion in the parent material.

Recommendation 20: The X-ray and magnetic particle inspection program criteria should be re-evaluated to assess their ability to detect cracks of the size found.

NASA Response (in 1994 ASAP appendix): A single crack was detected during standard refurbishment of the forward segment flown on STS-54. The subsequent investigation determined that an inclusion introduced into the metal during the manufacturing process caused the crack to form during heat treatment of the cylinder. The segment had been flown four times prior to detection of the crack. Prior to each of these flights, the cylinder was proof tested, which demonstrated safe life (4 mission cycles) in the membrane region where this crack was found.

All areas of the RSRM metal hardware (case, nozzle, igniter) have been reevaluated with respect to critical flaw size and whether proof test, magnetic particle inspection or other nondestructive evaluation methods are required to demonstrate compliance to safe life requirements. As a part of this reevaluation, an RSRM hardware configuration specific magnetic particle inspection probability of detection (POD) study was completed.

Prior to this study, crack detection threshold limits were based on industry standards. This RSRM magnetic particle inspection POD study incorporated RSRM specific geometries, physical access, gauss levels, surface finishes, potential flaw types, inspection times, and multiple operators. The results demonstrated that, in the areas of the RSRM hardware upon which magnetic particle inspection is solely relied, the detectable flaw size is smaller than the critical flaw size. Proof test is the method of choice used to demonstrate safe life in the case membrane region, not magnetic particle inspection. X-ray inspection is not used for crack detection in RSRM metal hardware. Magnetic particle inspection capability has been reevaluated and, as a result of an RSRM hardware configuration specific POD study, detection capability versus location is well characterized. In those areas that rely solely on magnetic particle inspection, the detectable flaw size is smaller than the critical flaw size.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 21: The Advanced Solid Rocket Motor (ASRM) project has been canceled. Some elements from the ASRM development have possible reliability and/or performance benefits if they were applied to the RSRM.

Recommendation 21: Examine the potential applicability and cost-effectiveness of including selected ASRM design features in the RSRM.

NASA Response (in 1994 ASAP appendix): The RSRM project has continued to consider ASRM design attributes, as motivated by RSRM flight results, performance goals, obsolescence issues, and cost enhancements. Examples of these are the RSRM project’s ongoing initiative to replace metal parts vapor degrease cleaning with an aqueous process and the ongoing initiative to remove asbestos from the primary RSRM insulation material. Both of these obsolescence replacement activities have drawn from previous ASRM activity.

There are numerous ASRM design attributes for potential consideration for future adoption in the RSRM. These include, in part, propellant formulation (hydroxyl-terminated polybutadiene), sealing system designs, pressure vessel design and materials, some attributes of the nozzle design and some manufacturing process automation, such as insulation strip winding and Real Time Radiography (RTR) for nozzle and case inspections. At present, the RSRM project is considering incorporation of the previous ASRM RTR system into the RSRM hardware verification process and the use of ASRM manufacturing equipment for nozzle fabrication. Based on collective consideration of the implementation cost impacts and RSRM flight demonstrated hardware performance, no requirements have been established to pursue the ASRM sealing system, pressure vessel, or nozzle design attributes. However, future justifications in these areas are possible based on continuing RSRM flight evaluation or increased Shuttle program performance requirements.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 22: A chamber pressure excursion of 13 psi (equivalent to a thrust perturbation of 54,000 pounds) occurred in one of the RSRMs of STS-54 at 67 seconds of motor operation. A thorough investigation of the phenomenon was initiated and found that the most probable cause was the expulsion of a “slug” of liquid slag (aluminum oxide) generated during normal propellant combustion. Analyses showed that, even under statistical worst-case conditions, the safety of the Shuttle system is not compromised by such perturbations. Some testing and analyses are still scheduled to complete the investigation.

Recommendation 22: Complete and document the investigation, and continue the established practice of monitoring chamber pressures and examining possible remedial actions.

NASA Response (in 1994 ASAP appendix): The RSRM project has concluded its investigation and has determined that the generic cause of chamber pressure excursions is the periodic expulsion of liquid slag (aluminum oxide). Slag is produced during normal propellant combustion and is temporarily accumulated in the aft end of the nozzle prior to being “dumped” through the nozzle. The RSRM project has implemented the recommendations set forth by the Panel and has established a program to continue to evaluate multiple parameters that could affect the pressure perturbations. The results and findings of these studies are being reviewed and changes to the processes or specification will be made if it is concluded that they will be beneficial to the program.

A very detailed study of many process and material parameters that influence slag formation has been conducted to determine if a statistical correlation exists between these parameters and the pressure perturbations. Examples of these parameters include humidity, time in process, ammonium perchlorate (AP) moisture content, mix times, cast times, viscosity, mechanical properties, and many others. No special causes or process deviations related to pressure perturbations have been identified. Analyses have shown that, under the worst case conditions, the safety of the Shuttle system is not compromised by the pressure phenomenon. The results of this extensive study are currently being documented by Thiokol. Chamber pressures are being analyzed or monitored by Statistical Process Control charts.

Eighteen acceptance tests are conducted for each lot of AP. The flight and static test pressure perturbation history is reviewed before every launch. Additionally, several other studies are being conducted to improve the predictability of pressure excursions. Quench bomb tests recorded with high-speed film have been used to identify burn-rate differences in the various propellant mixes. Five-inch diameter spin motor tests are being conducted to evaluate the amount of slag that is generated in a motor. This testing employs a design of experiments to evaluate the effects of ground AP, unground AP, differences in AP vendors, aluminum-particle sizes and vendor differences, particle-size distributions, iron oxide surface area, and several other parameters.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 23: A Super Light Weight External Tank (SLWT) has been proposed as a means of increasing the payload performance of the Space Shuttle. The tank would employ structural changes and be made from an Aluminum-Lithium (Al-Li) alloy. The SLWT appears to involve no safety decrement and low technical risk.

Recommendation 23: The impact of the SLWT on the total system should be carefully examined.

NASA Response (in 1994 ASAP appendix): The External Tank Project and Shuttle program are thoroughly committed to an integrated system approach to the design and development of the SLWT. A systems integration plan to ensure the timely assessment of SLWT effects on the Shuttle system, and to ensure program-wide-managed implementation is currently in development.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 24: The Integrated Logistics Panel (ILP), which meets at 6-month intervals to report and coordinate the activities of the NASA Centers and their contractors, is performing a vital service in helping to control the entire Space Shuttle logistics program.

Recommendation 24: The ILP should continue to be supported as an effective means of maintaining control and coordination of the entire logistics program.

NASA Response (in 1994 ASAP appendix): NASA Centers and contractors continue to support the ILP and related integration activities. All project elements benefit from the exchange of technical data presented at ILP meetings. NSTS 07700, Volume XII, “Integrated Logistics Requirements”, the program’s requirements for integrated logistics, was recently updated, and the ILP provided a focus for this effort. The ILP will continue to serve as the forum for problem solving, technical information exchange, and the appropriate level of control, coordination, and integration of Shuttle logistics support.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 25: The Vision 2000 cost-reduction program promulgated in May 1993 includes some major changes in the logistics and support areas.

Recommendation 25: All changes that might impair logistics and support functions in the name of cost-cutting should be most carefully reviewed before implementation.

NASA Response (in 1994 ASAP appendix): As the program continues to plan for the future, the Vision 2000 approach to the program will remain relevant. The Vision 2000 approach is based on the following two principles: operate within SSP experience and locate decision making near operations. Notwithstanding the advantages these principles offer to the current Shuttle logistics community, the SSP office will remain vigilant and exercise caution when making cost-cutting decisions and changes necessitated by funding reductions.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 26: Introduction of the Just-In-Time (JIT) manufacturing and shelf-stocking concept by NASA logistics at KSC is a potentially effective method of cost control.

Recommendation 26: JIT should be used with caution and with a thorough understanding of how it may impact the availability of Space Shuttle spares and hardware supplies.

NASA Response (in 1994 ASAP appendix): All projects have cautiously considered the JIT method of spares provisioning and are in different stages of planning and implementation. Launch and Landing Project (L&L) has applied the JIT method to manufacturing activity. In addition, L&L is further studying alternative methods of prioritizing repair work which may be applied to JIT repairs at a later date. Operational availability will be uppermost in any JIT implementation decision strategy affecting spares and hardware supplies.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 31: NASA’s past approach to software development has been to incorporate it within the individual programs, allowing them to determine their own requirements and development, verification, and validation procedures. In the future, as the complexity of NASA’s computer systems and the need for interoperability grow, this mode of operation will be increasingly less satisfactory. While NASA has some good software practices, it does not have the overall management policies, procedures, or organizational structure to deal with these complex software issues.

Recommendation 31: NASA should proceed to develop and implement an Agency-wide policy and process for software development, verification, validation, and safety as quickly as possible.

NASA Response (in 1994 ASAP appendix): A software process action team, sanctioned by the Acting Deputy Administrator and the Information Resource Management Council, is working on Agency software issues including roles, responsibilities, standards, and procedures. The Office of Safety and Mission Assurance is leading the Agency in strategic planning for the Agency-wide software program with a NASA working group consisting of members from Centers, industry, and academia.

A Software Safety Standard has been completed. Our present plan is to establish this as an interim standard for 1 year at which time it will become a mandatory requirement for newly developed software. The Software Independent Verification and Validation Facility will focus on the Agency software processes for development, verification, and validation in accordance with the Software Strategic plan currently being developed.

Aerospace Safety Advisory Panel (NASA Charter), March 1994

Finding 32: NASA has consolidated Life and Microgravity Sciences and Applications, including human factors in NASA Headquarters Code U. A space Human Factors & Engineering Program Plan is being prepared to guide future research activities. There remains, however, a clear need for more operational human factors input in both the Space Shuttle and Space Station programs.

Recommendation 32: The Program Plan should be expanded to include support of the operating space flight programs to ensure that sufficient human factors expertise is included.

NASA Response (in 1994 ASAP appendix): The Life and Biomedical Sciences and Applications Division is committed to developing a new, dynamic Space Human Factors Engineering Program that will integrate human factors knowledge and methodologies into the Shuttle and Space Station programs. Leadership of this program resides within the Environmental Systems and Technology Branch of Code U, which is responsible for directing an integrated Space Human Factors Engineering research and development program. New processes and procedures will be developed to enhance crew training, augment the design of complex automated systems, and use extreme and isolated environments to conduct analog studies. Research programs will continue; however, the primary focus of the program will shift from knowledge acquisition to knowledge application. This shift will extend human factors support to operational areas and emphasize the improvement of processes and products.

The Space Human Factors Engineering Program Plan, developed in 1993, is being revised to reflect this shift of emphasis, and an implementation plan will be developed to establish and maintain this new focus. Emphasis will be placed on identifying specific, adequate funding for meaningful results, and promoting the added value of human factors through concurrent engineering throughout the Agency. A Space Human Factors Engineering Customer Team, currently being established at Headquarters with representatives from Codes U, M, R, and Q, is being received in a spirit of cooperation and collaboration. These changes should create a safer and more productive operational environment for all flight and ground activities planned for current and future programs.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 9: The Space Shuttle automatic landing system needs only minimal additional analysis and a few system design changes to extend its performance limits and to support a complete definition of flight rules for its use. Cancellation of the detailed test objective for an automatic landing on the flight of STS-53 has further delayed the specification of these capabilities and the appropriate operational role of the automatic landing system.

Recommendation 9: Define the requirements and demonstrate the capability for an automatic landing system as soon as possible.

NASA Response (in 1993 ASAP appendix): The orbiter currently has a capability for automatic landings, to be used as a contingency when the commander and the pilot are incapacitated or incapable of landing the orbiter using nominal Control Stick Steering (CSS). Certification of contingency Autoland has involved partial flight demonstration; on STS-2, -3, and -4 Autoland (automatic landing) was engaged from 10,000 ft. to as low as 125 ft. Further certification testing of contingency Autoland has not been identified as a requirement. Postflight data from each mission have been reviewed and indicate no instances of unexpected divergence by the nonactive contingency Autoland from the reference trajectory.


The requirements for demonstrating an automatic landing on the Shuttle have been developed as part of a DTO. However, this DTO is not currently scheduled. Reasonable mission rules, placards, microwave landing system calibration, and crew training requirements have been identified. Software changes desirable to enhance redundancy management of navigation sensors have been developed, though not yet implemented. Options for automation of landing gear deployment, air data probe deployment, braking, and nosewheel switching have been developed for incorporation in a long-duration orbiter program.

We currently have no plan to demonstrate the Autoland System. This policy is the same as not demonstrating a Return to Launch Site or Transatlantic Abort (RTLS or TAL). The policy is not to take any additional risk for demonstration purposes without a firm requirement. As you know, the Office of Space Flight (OSF) is reviewing a crew exchange to preclude pilots from landing on long-duration flights to Space Station which extend beyond the crew’s certified capability to land. Additionally, the OSF has developed an on-orbit simulator for practicing landings prior to entry. This will enhance crew performance during landing.


In summary, the program is reviewing the operational flight rules pertaining to Autoland, we have budgeted upgrades in software and hardware to improve the Autoland functionality, the life sciences organization is collecting physiological data and developing countermeasures to ensure adequate crew performance as the mission duration increases. We are confident with using Autoland in a contingency mode, but do not plan to demonstrate Autoland until a firm requirement mandates a demonstration.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 10: NASA has funded the development and installation of a Multi-Purpose Electronic Display System (MEDS) for retrofit into the Orbiter. This system will replace the conventional electro-mechanical instruments with flat panel displays.

Recommendation 10: The inherent operational and potential safety benefits of Multi-Purpose Electronic Display System.

NASA Response (in 1993 ASAP appendix): The magnitude of the modifications to the orbiter vehicles to incorporate the MEDS is quite large. This is known to involve removal and installation of flight deck panels, installation of avionic Line Replaceable Unit (LRU) cooling ducts, and installation of new LRU wiring and the LRUs themselves. The nature of these modifications coupled with the subsystem development schedule, testing schedule, and delivery dates of MEDS hardware, warrant installation of the MEDS during orbiter maintenance/interval inspection down periods. First flight is scheduled in the fourth quarter of FY 1996.


Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 11: The inventory of Auxiliary Power Units is currently being upgraded to an Improved Auxiliary Power Unit configuration to improve reliability and service life. The upgrade program, however, projects a condition of zero spares in the future due to time limits on some parts.

Recommendation 11: NASA should take the steps necessary to preclude a situation of zero Improved Auxiliary Power Unit spares.

NASA Response (in 1993 ASAP appendix): The entire orbiter fleet will be upgraded to fly only IAPUs with the completion of the OV-104 Orbiter Maintenance Down Period (OMDP) 1. The spares posture is improving, but cannibalization will continue to be a possibility until all older APUs are upgraded to IAPUs and are available for installation in the field.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 13: The results of flight tests on the Orbiter Columbia (OV-102) using pressure and strain gage measurements on the wing showed that the calculated ascent loads on the wing are conservative. Additional flight tests to be conducted will measure the pressure distribution and strains on the wing and tail of OV-102. These data are required to substantiate that the predicted applied and internal loads on the wing and tail are conservative.

Recommendation 13: Conduct the planned tests as expeditiously as possible. Particular emphasis should be placed on the loads on the tail.

NASA Response (in 1993 ASAP appendix): The Space Shuttle program has conducted a series of structural DTOs flights to collect the pressure and strain gage data on wing loads. Additional DTOs are planned for STS-55 and STS-58. The collected flight data will be used to verify the orbiter aerodynamic data base which has been used in loads analyses. Vehicle loads analyses are expected to be completed by October 1994.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 14: The Space Shuttle Main Engine program is doing well and has sufficient spares. However, the engines still require meticulous attention to detail in inspections and tests.

Recommendation 14: Continue the vigilant implementation of the inspection and test procedures while design solutions for known weaknesses are being addressed.

NASA Response (in 1993 ASAP appendix): The SSME program will continue vigilant implementation of improved inspection techniques and acceptance test procedures. Design solutions, recurrence controls, limitations, and product improvements are addressed routinely to assure and increase operating margins and safety margins.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 15: The individual major component improvement programs are making progress. However, a total engine upgrade is being delayed because the High Pressure Fuel Turbopump (HPFTP) part of the Advanced Turbopump Program (ATP) is on hold. The highly effective Large Throat Main Combustion Chamber (LTMCC) has finally been made a formal part of the Space Shuttle Main Engine program by NASA but has been denied appropriations by Congress. Schedule disparities among the various component improvements lead to interim certifications of components in engine configurations that will never fly and to unnecessary duplication of certification tests.

Recommendation 15: The identified Space Shuttle Main Engine design improvements are vital to the reduction of Space Shuttle operational risk. Therefore, NASA should reinstate the Advanced Turbopump Program High Pressure Fuel Turbopump development; continue to press for approval of the Large Throat Main Combustion Chamber; and examine carefully the benefits of integrating all the individual modifications into a block change program.

NASA Response (in 1993 ASAP appendix): The identified SSME design improvements are vital to the reduction of Space Shuttle operational risk. Therefore, NASA should reinstate the ATP HPFTP development as well as continue to press for approval of the LTMCC, and examine carefully the benefits of integrating all the individual modifications into a block change program.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 16: Three Flight Support Motors have been used to date to verify quality and qualify design improvements, reproducibility, and replacement materials for the Redesigned Solid Rocket Motor (RSRM). In the near future, new materials will be needed in the RSRM to replace those eliminated for environmental or safety concerns. It will also be necessary to qualify new vendors to replace those who have left the industry or are no longer willing to supply components for the RSRM.

Recommendation 16: To maintain safety and performance, NASA should continue the use of Flight Support Motors for quality control, validation of design improvements, and qualification and verification of new materials, processes, facilities, and equipment.

NASA Response (in 1993 ASAP appendix): It is NASA’s intention to continue to qualify new materials or process changes incorporated into the RSRM via the FSM program. The next FSM is FSM-4, scheduled for November 1993. The timing of these changes and the subsequent qualification efforts are subject to budgetary constraints.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 21: The Kennedy Space Center has begun a pilot Structured Surveillance Program with the objective of increasing the efficiency of the quality control function in order to enhance launch turnaround processing. This program appears to have great potential.

Recommendation 21: Before Structured Surveillance can be fully implemented, it must be carefully evaluated to assure that it is fully supportive of safe flight operations.

NASA Response (in 1993 ASAP appendix): The Structured Surveillance program is in the early stages of development with emphasis on maintaining safe flight operations. Operations and Maintenance Requirements Specifications (OMRSs) derived from Critical Items Lists (CILs) or Hazard Report acceptance rationale will continue to have the previous level of quality assurance inspections. Acceptance and installation of Criticality 1 hardware will also continue to have both contractor and NASA inspections. Evaluation of the results of the pilot program indicates increased efficiency of the processing effort and continued effectiveness of the quality assurance activities. We are moving slowly into this program with close management attention to assure safe flight operations.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 23: A new high bay Orbiter Processing Facility (OPF-3) has been opened at the Kennedy Space Center. In addition to advanced support equipment, OPF-3 has vastly improved lighting, which should decrease accident risk and increase productivity.

Recommendation 23: NASA should upgrade the lighting in the other Orbiter Processing Facilities as soon as possible to avoid differences across the high bays and maximize safety and productivity.

NASA Response (in 1993 ASAP appendix): KSC acknowledges the findings and agrees with the recommendation. Actions are in process to improve the lighting disparities. Because the most significant differences are in platform configurations and light-reflective surfaces, all surfaces that can reflect light on High Bay 1 and 2 platforms are being painted white. The floors in High Bay 1 are also being painted white and those in High Bay 2 are scheduled to be painted white in August 1993.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 24: The NASA Shuttle Logistics Depot has great potential for improving repair turnaround times and enhancing the logistics program. At present, however, repair turnaround times are still significantly longer than desired due largely to protracted failure analysis times.

Recommendation 24: The Space Shuttle Program needs to establish a more effective method of moving units through the repair cycle in order to achieve the full potential of the NASA Shuttle Logistics Depot.

NASA Response (in 1993 ASAP appendix): The protracted failure analysis times, especially those involving original equipment manufacturers (OEMs), are the most prominent contributors to the long repair turnaround times. Such turnaround times involving OEMs have averaged about four times those at the NSLD. The failure analysis capability at the NSLD has been enhanced during the past year. Initiatives are also underway with the Johnson Space Center (JSC) Orbiter and GFE project to improve the overall failure analysis process relative to identification of requirements as well as location where the analysis is performed. The increasing utilization of the KSC NSLD capability for both failure analysis and repair will significantly improve the average repair turnaround time and the overall logistics program in general.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 29: At the request of the NASA Administrator, the Panel examined the organizational structure of the Office of Safety and Mission Quality and the counterpart organizations at NASA Centers. The study concluded that the current organizational arrangement provides an appropriate and effective relationship between NASA Headquarters and the Centers.

Recommendation 29: Maintain the current organizational structure, but clarify the functions and duties of the Headquarters Office of Safety and Mission Quality and those of Center Directors and, if necessary, issue revised NASA Management Instructions.

NASA Response (in 1993 ASAP appendix): The role and responsibilities of the Headquarters Office of Safety and Mission Quality (Code Q) have been realigned as the result of the recent internal NASA Headquarters red team/blue team reviews. Based on the teams’ findings, the name of Code Q has been changed to the “Office of Safety and Mission Assurance” to more accurately reflect its function. Other changes have been instituted to streamline the overall activity and realign resources to better support the evolving needs of NASA programs and missions. A NMI incorporating these changes was signed on April 9, 1993.

Although the mandate of the OSMA will continue to emphasize its role as the Agency’s “safety conscience,” the changes ensure an appropriate and harmonious balance between Code Q’s independent program oversight and support functions. The Office will provide an upfront contribution to programs (prevent problems by building in safety, reliability, and quality assurance at the earliest possible stage), focus efforts to manage the quality process for NASA payloads, and increase system engineering/concurrent engineering capabilities, while expanding risk-management capabilities to support program managers in meeting schedule and budget constraints during critical decision making processes.

The strategic thrust of the Office over the next 2 years will be to: (1) Integrate SRM&QA requirements at the appropriate stage of a program; (2) Advocate SRM&QA oversight and assessment functions across the Agency; (3) Develop and promote NASA-wide risk-management practices; (4) Maintain a strong contributing SRM&QA presence in NASA programs and operations; and (5) Develop and advance engineering standards and practices.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 34: NASA research and test facilities are a national asset, key to the United States’ continuing leadership in space and aeronautics. Regrettably, some of the infrastructure is not being adequately maintained, and the development of new, state-of-the-art facilities has been lagging.

Recommendation 34: NASA should develop an integrated long-range infrastructure plan that assures the maintenance of existing assets and develops new facilities to continue American leadership in space and aeronautics research and development.

NASA Response (in 1993 ASAP appendix): NASA has embarked on a comprehensive study to develop a coordinated national plan for world-class aeronautical and space facilities that meets the current and projected need for commercial and Government-sponsored research and development, and for Government space operations. The plan will be coordinated with the Department of Defense, Department of Energy, Department of Commerce, Department of Transportation, and the National Science Foundation. Industry representatives have been contacted to ensure that private-sector interests are considered. The plan will address shortfalls in existing capability, new facility requirements, and consolidation and phaseout of existing facilities. The development of the Facility Plan will be accomplished by three task groups: Aeronautics R&D Facilities, Space R&D Facilities, and Space Operations Facilities; all three of which are of interest to constituencies in the private sector. The results of the study will be an essential component of our internal planning to improve and continue to maintain our facility infrastructure.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1993

Finding 36: NASA has embraced the concept of Total Quality Management (TQM). However, TQM implementation across NASA centers and contractors appears to vary from highly visible and apparently productive efforts to activities that seem to have more form than substance.

Recommendation 36: NASA should review its internal Total Quality Management program to assure that it is properly structured as a support function and includes not only motivation, but also appropriate leadership and training for both TQM instructors and hands-on employees.

NASA Response (in 1993 ASAP appendix): NASA’s Continual Improvement Office (Code T) is currently completing efforts to provide planning for a structured implementation of TQM. Coordination with points-of-contact at each NASA facility and outside industry experts has been conducted, and a NASA-wide Implementation Plan has been written. The plan provides for a phased program to examine established initiatives and approaches at all NASA Centers, benchmark successful activity, coordinate a consensus commitment across NASA, and achieve partnership working arrangement with outside organizations. Contractor/NASA metrics, and an internal/external Supplier Ratings System (SRS) have been developed using the guidelines and selected provisions of the Baldridge Award, President Award, NASA Low Trophy, and other similar criteria. These measures will be used to gauge the performance of NASA’s Continual Improvement activities. Overall, this effort will result in a network of leadership, support, and training that meets the strategic goals and directions of the Agency.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1992

Finding 6: The results of flight tests indicate that the turbulent flow over the body flap creates a spectrum of hinge moments greater than that used in the original structural fatigue analysis. It also has been determined that an additional load path exists from the flap to the supporting structure. Further, the flap actuators were found to be more flexible than originally assumed. Additional tests are to be conducted to evaluate hinge moments and actuator flexibility.

Recommendation 6: NASA should evaluate, as rapidly as possible, the results of the new tests and loads analyses to reestablish the allowable number of flights for the body flap.

NASA Response (in 1992 ASAP appendix): Concur. The Space Shuttle Program has baselined a set of loads to account for the increased buffet environment. Additionally, the Space Shuttle Program has implemented a plan to measure loads during missions. Assessments have shown adequate mission life of the body flap for current missions and overall life still is being evaluated. Additionally, the Shuttle Modal Inspection System (SMIS) is being used to track potential damage of the body flap.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1992

Finding 7: NASA has developed a Shuttle Modal Inspection System (SMIS) for detecting changes in stiffness in structural/mechanical systems due to factors such as wear or cracking. The SMIS has shown good results when used on the Orbiter body flap and elevon systems (including actuators and supporting structures). However, it is not a complete replacement for more conventional nondestructive inspection (NDI) methods. These conventional methods are capable of detecting cracks in primary structures with a “critical crack length” too small to cause a detectable change in stiffness and hence be measurable by SMIS.

Recommendation 7: The SMIS procedure should be used only to augment more conventional NDI methods.

NASA Response (in 1992 ASAP appendix): Concur. Successful tests have indicated that the SMIS is a reliable method to detect changes in stiffness and dynamic behavior of the Orbiter body flap, elevon, and rotor speed brake (control surfaces). The SMIS is not intended to replace current inspection procedures but is to supplement standard inspection procedures to help detect early damage in areas that cannot be inspected. NASA has not deleted any structural inspection requirements documented in the Operational Maintenance Requirements and Specifications Document (OMRSD).

Aerospace Safety Advisory Panel

(NASA Charter)

March 1992

Finding 8: Thermal protection system tiles are inspected for damage after every flight by specially trained and highly experienced inspectors using tactile techniques. These inspectors determine if the tiles are loose and help to identify problems in step and gap. The current procedure is largely qualitative and highly dependent on the skill of the individual inspectors.

Recommendation 8: A program to select and train new inspectors should be instituted to ensure the availability of an adequate cadre of qualified inspectors throughout the life of the Orbiters. In addition, further effort should be applied to the development of a quantitative inspection technique.

NASA Response (in 1992 ASAP appendix): Concur. NASA has a program in place to train and qualify inspectors to inspect TPS tiles. In addition, quantitative techniques are being investigated to reduce the technique-sensitive characteristics of the current, operator-dependent, inspection techniques.

Currently, all new tile inspections require bond verification testing. Any postflight tile suspect bond conditions also are verified along with conducting engineering “deflection” tests. A dozen certified bond inspectors presently are being used to qualitatively evaluate suspect tile bonds. The individuals have been trained on-the-job and consist of contractor and government engineers. The number of trained personnel will remain the same unless unforeseen increases in bond anomalies occur.

The Kennedy Space Center (KSC) is actively pursuing the development and implementation of an alternative nondestructive evaluation (NDE) method for performing tile bond verification. Presently, a math model of the tile system is being formulated that will be used to evaluate the abilities of NDE systems being developed by two independent contractors. These NDE systems use vibration imaging patterns correlated to bond discrepancies to identify bond anomalies.

Aerospace Safety Advisory Panel

(NASA Charter)

March 1992

Finding 9: The Space Shuttle Program requires both turnaround and periodic major Orbiter overhaul functions.

Recommendation 9: Overhaul and major modification efforts should be organizationally and functionally separated from routine turnaround operations because of the different types of planning and management skills and experience required.

NASA Response (in 1992 ASAP appendix): The Space Shuttle Program has dedicated Orbiter Maintenance Down Periods (OMDP) at 3-year intervals for the performance of major modifications, structural inspections and other interval inspections. The decision to retain the same organizational structure at the Kennedy Space Center (KSC) for planning and management of both OMDPs as well as turnaround processing is based on the following:

(list omitted)

Aerospace Safety Advisory Panel

(NASA Charter)

March 1992

Finding 10: The Space Shuttle design presently includes an automatic approach guidance system that requires crew participation and does not control all landing functions through touchdown and rollout to wheel stop. The present system never has been flight tested to touchdown, but a detailed test objective for such a test is in preparation. The availability of a certified automatic landing system would provide risk reduction benefits in situations such as weather problems after de-orbit and Orbiter windshield damage.

Recommendation 10: Future mission plans suggest the potential for significant risk reduction if the present Space Shuttle automatic landing capabilities are fully developed and certified for operational use. System development should include consideration of hardware, software, and human factors issues.

NASA Response (in 1992 ASAP appendix): The current autoland system capability is functionally adequate and verified as a backup entry system with some crew participation required. Beginning with STS-53, a two-flight detailed test objective will evaluate autolanding performance through wheel stop. Further, a program study is under way to define the necessary hardware, software, human factors, and system analyses required to support an upgraded autoland system for extended duration Space Shuttle flights where this autoland system could be the prime mode for entry operations.


Aerospace Safety Advisory Panel (NASA Charter), March 1992

Finding 11: NASA continued its software independent verification and validation (IV&V) activities during the year. This independent review has demonstrated its value by finding failure modes that previously were unknown. The Safety and Mission Quality organization has taken on greater responsibilities for software safety.

Recommendation 11: NASA should continue to support a software IV&V oversight activity. The present process should be reviewed to ascertain whether it can be streamlined. The IV&V oversight activity should include the development of detailed procedures for test generation. NASA should not attempt to duplicate, through IV&V or otherwise, the actual performance of all verification and validation tests.

NASA Response (in 1992 ASAP appendix): Concur. The Space Shuttle Program has formally baselined the embedded V&V process and established the requirements in NSTS 08271, Flight Software Verification and Validation Requirements; formally established a V&V policy requiring program elements to adhere to this process; and assigned the SR&QA organization as the independent overseer assuring adherence to this process. The Space Shuttle V&V process includes maintenance of detailed test procedures on many levels for the existing test facilities available to the program. Although the program feels very strongly that the embedded V&V process is excellent, the NRC has been requested to evaluate the Space Shuttle’s embedded V&V process relative to the need for IV&V. NRC’s evaluation is in process with planned completion targeted for September 1992. Additionally, NASA plans construction of an IV&V facility in Fairmont, WV in 1992. Methods of improving and streamlining the IV&V process will be studied at this facility. Based on criticality and category of the software to be independently validated and verified, the NASA IV&V activity will permit tailoring to specific software project needs.


It is not the intent of these independent activities to duplicate all verification and validation (V&V) tests, but to provide support and consistency to enhance the V&V process.

Aerospace Safety Advisory Panel (NASA Charter), March 1992

Finding 12: The new Space Shuttle general purpose computer (GPC) apparently has performed well. The Single Event Upsets (SEUs) were no more numerous than expected. Based upon NASA’s model of SEUs, the accuracy of the predictions is excellent, and supports NASA’s estimate that the probability of an SEU-induced failure is negligibly small. Nevertheless, there still is concern about the eventual saturation of usable memory on the GPC.

Recommendation 12: NASA should initiate a small study on alternatives for future GPC upgrades and/or replacements. This should involve other NASA organizations that have been studying computer evolution.

NASA Response (in 1992 ASAP appendix): The GPC Error Detection and Correction circuitry cyclically accesses each word in the 256K memory every 1.7 seconds. Because any SEU error is corrected at that rate, there is minimal chance of the memory being “saturated,” regardless of the duration of exposure. The same circuitry also generates a count whenever it encounters and corrects such an error, thereby providing corroborating data to compare with the environmental analyses performed to predict SEU rates. The same EDAC architecture is used in the Space Station onboard 386 processors. That processor family also has been selected for the new Space Shuttle Multifunction Electronic Display System (MEDS). It is anticipated that the MEDS will allow future mission-related software growth without directly impacting the flight-critical code in the GPCs. Available usable memory in the GPC appears to be adequate well into the next decade. It is probable that hardware obsolescence will arrive well before practical memory limits are reached. Considerations for GPC upgrades should be initiated in the next 3 to 4 years through the Assured Shuttle Availability (ASA) process.


Aerospace Safety Advisory Panel (NASA Charter), March 1992

Finding 13: The replacement of some requested software upgrades with crew procedures is a matter of serious concern particularly when the functions addressed could be handled with greater reliability and safety by software. The crew already has to cope with a very large number of procedures.

Recommendation 13: NASA should conduct a thorough review of all crew procedures that might be performed by the computer system to determine whether they are better done manually by the crew or by the software. Human factors specialists and astronauts should participate.

NASA Response (in 1992 ASAP appendix): Concur. As part of the software upgrade process, reviews are held to determine which activities are best shifted from the crew procedures. Astronauts have actively participated in these processes and reviews. Human factors specialists also contribute to this process.

The Space Shuttle Program has and will continue to implement flight software automation of crew procedures that are deemed a significant threat to flight safety or mission success due to the level of difficulty. Tasks for which manual procedures are adequate are judged based on the trade-off of value added/implementation risk against other flight software priorities. During the requirements baselining of the last three Operational Increments (i.e., OI-21, -22, -23), a significant number of software change requests were approved that automated existing crew procedures. Examples include (1) single engine auto contingency abort, which defined the automation of vehicle maneuvers following the failure of two Space Shuttle Main Engines; (2) abort sequencing redesign, which automated some of the crew procedure for aborts; (3) Transatlantic Abort Landing (TAL) droop control, which automated crew procedures to keep the vehicle above a minimum target altitude; and (4) Universal Pointing Future Maneuver-Digital Autopilot (DAP) that significantly reduces the crew procedures for selecting the most appropriate DAP configuration to enter from 14 separate entries to a single entry.


Aerospace Safety Advisory Panel (NASA Charter), March 1992

Finding 14: There are currently a sufficient number of flightworthy engines to provide each Orbiter with a flight set as well as provide an adequate number of spares.

Recommendation 14: Maintain this position. level tests have begun for both

NASA Response (in 1992 ASAP appendix): Thank you. We intend to maintain a good posture on spare engines.

Aerospace Safety Advisory Panel (NASA Charter), March 1992

Finding 25: In spite of significant advances over the past year, there is still a need to improve the effectiveness of launch processing at KSC. It is rare when a vehicle is taken to the pad and launched without delays. Subsystem problems sometimes either require rolling the vehicle back to the Vehicle Assembly Building (VAB) or they cause delays at the pad.

Recommendation 25: Continue efforts to improve the effectiveness of launch processing operations. Each occurrence of a problem at the pad should be reviewed to determine why it was not caught in the VAB or Orbiter Processing Facility.

NASA Response (in 1992 ASAP appendix): Concur. NASA is committed to a series of new initiatives designed to enhance the hands-on accountability of individuals at the task level and improve processing flow. The Space Shuttle Program has requested all Space Shuttle projects to continue striving for efficiencies in the checkout requirements and the implementing procedures at KSC. The Space Shuttle Program recently completed a project-by-project review of the OMRSD requirements. The goal was to eliminate or reduce “vehicle” checkout requirements that were considered redundant testing or over-testing of a system. This is now beginning to appear in the OMIs as efficiencies to operations. A policy that has been put in place by the Space Shuttle Program defers testing of a function until reaching the pad if (1) that function is required to be checked out in an integrated test and (2) the system/component can be reasonably repaired or removed/replaced at the pad. Process reviews and process analyses by the task teams still are being promoted as another technique to improve processing operations.


Aerospace Safety Advisory Panel (NASA Charter), March 1992

Finding 26: Morale among launch processing personnel at KSC improved over the past year. This most likely is the result of a heightened sense of individual responsibility, improved systems training, and a better supervisory/management approach.

Recommendation 26: Continue and expand the approaches that have been successful over the past year.

NASA Response (in 1992 ASAP appendix): Concur.

Aerospace Safety Advisory Panel (NASA Charter), March 1992

Finding 29: Procedures for tracking, analyzing, and providing corrective action for hardware problems arising at KSC are complex and lengthy involving numerous entities. There is no overall coordination effort to ensure that appropriate corrective action is taken.

Recommendation 29: The Space Shuttle Program should establish a coordinating function that is responsible for ensuring that proper and timely action is taken by responsible organizations in correcting problems that occur during launch preparation.

NASA Response (in 1992 ASAP appendix): Concur. A joint KSC/JSC problem process improvement team chartered by the Space Shuttle Program (SSP) has been formed to analyze the Orbiter discrepant hardware/logistic processing flow. The sequence of events presently required to process discrepant hardware is undergoing assessment to determine how best to streamline and make the system more responsive. Recommended changes are scheduled for presentation to the SSP in mid-1992. In addition, the Space Shuttle Critical Process Improvement Team has completed a review of the current NASA management/contractor interface relationships for logistics for all Space Shuttle elements. A report identifying issues and corrective actions has been submitted to the Space Shuttle Program.


Aerospace Safety Advisory Panel (NASA Charter), March 1992

Finding 42: Despite acknowledged examples of contributions to aviation safety analyses through human factors research, NASA has not marshalled its resources in this field to study similar problems in spaceflight orbital and ground operations. Efforts in this arena have been stymied by a lack of appreciation of its potential value and the absence of clear guidelines regarding programmatic responsibilities.

Recommendation 42: In view of the anticipated increase in manned spaceflight activity during the present decade involving joint Space Shuttle and Space Station activities, NASA human factors resources should be marshaled and coordinated effectively to address the problems of risk assessment and accident avoidance.

NASA Response (in 1992 ASAP appendix): Concur. NASA currently sponsors a pilot project at the Kennedy Space Center to determine the value to the safety program of incorporating human factors principles. This project focuses primarily on facility design and acquisition. The Space Station Processing Facility has been selected to serve as a demonstration vehicle. Draft guidelines have been developed and are being tested in the pilot project prior to publication and NASA-wide implementation.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 1: NASA has planned to implement the wing/fuselage modifications indicated by the results of the 6.0 load analysis. Modification work has been scheduled for OV-102, and plans are being developed for the remainder of the fleet.

Recommendation 1: The implementation of these modifications should be accomplished as soon as possible so that the restricted flight envelope (green squatcheloid) parameters can be safely upgraded.

NASA Response (in 1991 ASAP appendix): Concur. Modifications are scheduled for each vehicle’s Orbiter Maintenance Down Period (OMDP). The OMDP has been incorporated into the Space Shuttle Program to provide dedicated times for performing detailed vehicle structural inspections, subsystem inspections and internal functional checks as well as modifications. All vehicle modifications will be complete by mid-1993.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 2: The uncertainties surrounding crew performance after extended stays in space suggest a need for an alternative to manual landings.

Recommendation 2: The Space Shuttle Program should complete the development of a reliable autoland system for the Orbiter as a backup.

NASA Response (in 1991 ASAP appendix): Concur. The existing Shuttle autoland system is certified and is a reliable backup for 16-day Extended Duration Orbiter missions. A significant program to collect crew performance data is being undertaken by the Office of Space Science and Applications during flights involving incremental increases of on-orbit duration. Current plans involve flying four 10-day flights and three 13-day flights prior to the first 16-day flight. Crew performance data will be evaluated and must be judged acceptable prior to commitment to the next increment of extended duration.


Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 3: With plans to extend Orbiter use well into the next century, it will be necessary to upgrade the Orbiter computer systems several times. The present, rather ad hoc, approach of treating each upgrade as an independent action will be unsatisfactory for the long term.

Recommendation 3: NASA should accept the need for an upgrade involving a complete software reverification approximately every 10 years. A study should be undertaken to plan a path of evolution for all future changes in avionics computer hardware and software for the life of the Space Shuttle Program. The study should involve independent assessment to ensure the broadest possible perspective.

NASA Response (in 1991 ASAP appendix): Concur. NASA has just completed integrating the Improved General Purpose Computer (IGPC) into the fleet. This upgrading of the orbiter computers included an extensive reverification of the flight software. Integrated testing of the flight hardware and software was one of the milestones in the certification of the IGPC hardware and flight software. In addition, the Shuttle software is incrementally upgraded and released for flight approximately every eight months. These upgrades are validated, verified, and certified through an extensive and thorough process. Future computing capability beyond recent incorporation of the IGPC is under development in the Assured Shuttle Availability (ASA) Program in the Multifunction Electronics Display Subsystem (MEDS). The plan for the subsequent 10-15 years involves maintaining the existing system. Issues involving obsolescence and enhanced performance will continue to be reviewed.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 4: The Space Shuttle flight software generation process is very complex. It includes numerous carefully designed safeguards intended to ensure that no faulty software is ever loaded. When errors have occurred, or when concerns have been raised about steps in the procedure, new safeguards have been added. The whole process is long, complicated, and involves a plethora of organizations and computers.

Recommendation 4: NASA should conduct an independent review of its entire software generation, verification, validation, object build, and machine loading process for the Space Shuttle. The goals should be to ascertain whether the process can be made less complex and more efficient.

NASA Response (in 1991 ASAP appendix): Concur. An independent review has been completed of NASA’s entire software generation, verification, validation, object code build, and machine loading process. As part of the post-51L activity, NASA contracted with Intermetrics Inc., as the independent verification and validation (IV&V) contractor. NASA is developing a policy to define the scope of our independent oversight activity. To assist in this task, NASA has requested the National Research Council to perform an independent review of the IV&V process to include software generation, object code build, and machine loading.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 14: The external tank project is moving along very well.

Recommendation 14: Keep up the good work.

NASA Response (in 1991 ASAP appendix): Thank you.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 15: This past year, NASA management has postponed Space Shuttle launches when technical uncertainties existed, declared a hiatus during the Christmas season and interrupted launch operations until the cause of hydrogen leaks could be determined and resolved. This is clear evidence of NASA management’s commitment to the principle of “safety first, schedule second.”

Recommendation 15: NASA management should maintain this policy even as Shuttle launches become more frequent.

NASA Response (in 1991 ASAP appendix): Strongly concur.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 16: Reports indicate that launch processing operations at the Kennedy Space Center (KSC) are being carried out with a declining rate of incidents. This is a trend in the right direction since the extreme sensitivity of Shuttle launch processing requires reducing errors to the lowest possible levels.

Recommendation 16: KSC, the Shuttle Processing Contractor, and associate contractors should continue to make all possible efforts to reduce incidents. However, care must be exercised to ensure that any observed decrease in incident reports is not merely an artifact of the reporting system. In particular, if management’s response to incident reporting is perceived as punitive in nature, the net result may be a suppression of reporting with a resultant reduction in the information available to management on which to identify problems and design remedial actions. Total Quality Management (TQM) techniques can be of great assistance. Likewise, the inclusion of human factors professionals on incident investigation teams can be very beneficial. Therefore, KSC should consider both an enhanced TQM program and a broader use of human factors.

NASA Response (in 1991 ASAP appendix): Concur. KSC and the Shuttle Processing Contractor (SPC) are continuing to try to reduce incidents, even beyond the success we have had to date. We are accomplishing this through a network of preplanning, communication, and coordination that encourages everyone to work together and understand that they are an essential part of the task at hand. Management takes no punitive action against any worker for incidents unless it is clearly shown that the worker had a preconceived negative intent or makes the mistake repetitively (more than twice). For repetitive errors, the worker is simply reassigned to other tasks and/or retrained. Any repetitive error is automatically evaluated from the human factors viewpoint. It should be noted that human factors concepts have been used throughout the creation and verification of all Orbiter Maintenance Instructions (OMIs) and the initial performances of all tasks involved in vehicle processing. With quality control checks at all levels from planning, engineering, OMI creation, and progressive steps of task team work, we are practicing TQM and reducing incidents. We will continue to use enhanced TQM and a broader use of human factors, as appropriate.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 17: There is a perception among some workers at KSC that disciplinary actions for errors are overly severe.

Recommendation 17: NASA and its contractors should make every effort to communicate the facts and rationale for disciplinary actions to the work force and involve workers in incident reviews. TQM techniques can be of great assistance. There is simply no substitute for sincere communication between management and labor in dispelling negative perceptions.

NASA Response (in 1991 ASAP appendix): Concur. NASA is very concerned about the potential that such a perception may exist. KSC and SPC have instituted a program of vertical and lateral communications that extends from the highest KSC management levels (both civil service and SPC) down through middle management, engineering, and the task team technical floor workers. Practices include weekly meetings at top management levels, daily reviews at middle management and throughout engineering, and per shift (or more) coordination sessions at the task team level. There are also horizontal channels for coordination from hands-on-workers, logistics/supply elements, and support operations. It is continually stressed throughout these channels that disciplinary action for errors will not be severe or punitive unless the errors or incidents result from clearly proven negative intent. All employees are advised of their obligation to come to work fit and able, and to perform the tasks carefully and successfully. Any error is discussed with the responsible employee and efforts made to help him or her understand how to avoid a repetition.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 18: There are cases in which recurring waivers are sought and issued for the same subsystem or component on successive Space Shuttle flights. For example, waivers have had to be issued to fly with the tumble valve disabled on the external tank.

Recommendation 18: Continuing waivers for the same condition should not be permitted. If it is deemed acceptable to fly repeatedly with a configuration that varies from specifications, the specifications should be altered rather than risk diluting the significance of waivers by making them routine. For example, the underlying specification for the tumble valve could be changed to require its inclusion only on high inclination launches.

NASA Response (in 1991 ASAP appendix): Concur in principle. The ASAP is correct in suggesting that there are continuing waivers where the specification can be changed; a good example is the tumble valve. Based on Flight Data for tanks with an active tumble system, the tumble systems were disabled on selected flights based on analysis of External Tank (ET) Rupture Altitude and the corresponding debris footprint. Flight and tracking data were used to determine the correlation between non-tumble system tank trajectories, ET motion, ET Rupture Altitude and the ET Debris Model. Based on these analyses and flight tests, the applicable specification was changed to preclude the necessity for continuing ET Tumble System Waivers. However, it should be pointed out that waiver disposition is never “routine.” As outlined above, a request for waivers or to change a specification requires rigorous supporting data (many times flight data) presented through a series of at least three change control boards. Specifications have been, and will continue to be, changed where it is proved that the limits should be revised for all flights.


Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 19: The Mission Control computer support system is quite old, relatively slow, and has monochrome displays primarily of tabular data. The advantages of applying current technology to Mission Control are being explored with the Real-Time Data System at the Johnson Space Center (JSC).

Recommendation 19: NASA should embark upon a systematic process to replace the old Mission Control system with one based upon up-to-date computer and human interface system technology.

NASA Response (in 1991 ASAP appendix): Concur. Since 1986, NASA has been in a phased process of upgrading the operational elements of the Mission Control Center (MCC) to incorporate advanced technology. This includes the replacement and upgrade of mainframe computers, and the placement over the last 2 years of current generation workstations in the MCC that are capable of using advanced techniques for analyzing and displaying data. These enhancements are part of a comprehensive multi-year plan developed to introduce new technology into the operating environment.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 24: Out-of-production, aging, and obsolescent parts are a growing problem.

Recommendation 24: Increased emphasis should be given to ensuring the availability of sufficient quantity of up-to-date hardware.

NASA Response (in 1991 ASAP appendix): Concur. NASA recognizes the potential problem posed by obsolete parts. KSC has instituted a three-part program to minimize the impact that obsolescence could have on orbiter logistics supportability. The program includes identification of potentially obsolete parts; evaluation of available prevention options; and tracking of obsolescence data, including actions taken. These actions are taken in conjunction with the Assured Shuttle Availability Program. The increased emphasis on parts obsolescence should ensure the ability of KSC to provide up-to-date hardware for orbiter launch processing.


Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 25: There does not appear to be a comprehensive and realistic plan for scheduling and accomplishing major overhaul of the Orbiter fleet.

Recommendation 25: To help ensure structural integrity of each vehicle, much greater effort must be devoted to these tasks. A comprehensive program should be developed for the orderly overhaul of Orbiters that are expected to operate into the 21st century.

NASA Response (in 1991 ASAP appendix): Concur. The Space Shuttle Program has developed and instituted a plan by which the orbiter vehicles are inspected and modified every 3 years. This plan involves the use of specific orbiter flow periods commonly referred to as Orbiter Maintenance Down Period (OMDP) to perform vehicle structural inspections and modifications. The orbiter structural inspection will verify the integrity of primary structural elements of the vertical tail, flight control surfaces, aft fuselage, mid-fuselage, landing gear, crew module and forward fuselage. Critical elements will be inspected for corrosion, fatigue, deformation and cracks, which would result in reduced structural integrity. Flow periods of 188 days have been allocated for an OMDP. OV-102 is the first vehicle to be scheduled for an OMDP and will begin in FY 91. OV-103 and OV-104 are currently scheduled to begin their modification/inspections periods in FY 92.

The Space Shuttle Program will continue to use OMDPs to inspect and modify each orbiter throughout a vehicle’s operational lifetime to ensure each orbiter’s structural integrity and upgrade the systems as required to ensure operations through 2020.


Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 29: The use of Fault Tree Analysis and Failure Modes and Effects Analysis techniques proved to be valuable in solving the hydrogen leak problems on STS-35 and STS-38. Their use led to the identification of probable sources of the hydrogen leaks, the probable causes of these leaks, and the nature of the corrective actions needed.

Recommendation 29: Use of these techniques for problem resolution should be encouraged throughout NASA. Suitable training programs should be established to ensure proper implementation.

NASA Response (in 1991 ASAP appendix): Concur. Fault-tree analysis (FTA) and Failure Modes and Effects Analysis (FMEA) are techniques fundamental to the NASA systems engineering disciplines. They are used throughout system development to enable early identification of problems, and assign hardware and software criticality. Critical Item Lists (CILs) are tabulated by criticality level and require review, resolution, or waiver before flight is approved. FTA is used by the safety organizations to provide top-down analyses of safety-critical problems, while the FMEA is a bottom-up approach that begins at the parts level. Both formal and informal on-the-job training in these techniques is provided.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 30: NASA has a TQM program intended to improve quality and productivity within NASA and its contractors. The implementation of the TQM (or its equivalent) concept, however, has been quite variable across the NASA Centers and contractors.

Recommendation 30: The principles of TQM have merit when implemented by a dedicated and concerned management. NASA should implement a consistent TQM methodology that ensures adherence to those principles and participation of all levels of the work force.

NASA Response (in 1991 ASAP appendix): Concur. NASA’s ongoing emphasis on quality and productivity improvement (QPI) began in 1982, with an internal and external focus. In 1986, a special emphasis was placed on the external efforts in recognition that the majority of the NASA budget is allocated to contractors. In fact, Martin-Marietta/Michoud (which was referenced in the ASAP report) was evaluated under the NASA Excellence Award Program and won in 1987 for their quality achievements. In 1989-90, a renewed emphasis was placed on internal QPI programs, while still maintaining our external efforts. In February 1990, NASA formally launched an internal TQM initiative, and recently conducted a NASA-wide TQM assessment. We are now planning an internal TQM evaluation initiative patterned after the George M. Low Trophy (NASA’s Quality and Excellence Award program) using TQM criteria contained in the President’s Award for Quality and Productivity Improvement. NASA top-level management is committed to successfully implementing the TQM program and will be directly involved in formulating strategies for achieving NASA TQM program goals. The TQM Steering Committee, consisting of NASA senior management, will report on the status and progress of TQM implementation at their Fall 1991 meeting.

Aerospace Safety Advisory Panel (NASA Charter), March 1991

Finding 31: NASA has a management instruction (NMI 8621.1E) that addresses “Mishap Reporting and Investigation.” This NMI includes a specification of board composition. It does not, however, realistically address the need for human factors input in such investigations. It notes that if human factors are thought to be substantially involved, then human factor input is to be sought from a “NASA or resident NASA contractor physician” rather than a trained human factors expert. Also, this NMI does not require investigation of “close calls.”

Recommendation 31: Inclusion of a member on the incident/accident investigation board with specific human factors expertise should be given much greater consideration. “Close-call” investigations should be more formalized.

NASA Response (in 1991 ASAP appendix): Concur. NASA is investigating the human element in all NASA mishaps. Efforts are currently underway to refine and update NMI 8621.1E. Part of this effort will be the transition of NASA Mishap Investigation Board Membership requirements to the Basic Safety Manual, NHB 1700.1. Consideration will be given to incorporating a requirement to have a Human Factors Engineering professional assigned to a NASA Mishap Investigation Board during this transition. The NASA Headquarters Safety Division is sponsoring a Human Error Avoidance Project at KSC that includes funding for a full-time Human Factors Engineering professional. This individual will be available to participate in future mishap investigations at KSC. Formalization of the NASA close-call investigation process is also a NASA concern. The update to NMI 8621.1E will stipulate investigation of Type A, B, and C mishap-related close-calls as a requirement in the Basic Policy for NASA Mishap Reporting and Investigation. Under the current policy, all close-calls must be reported; close-call reports are evaluated at NASA Headquarters and, when necessary, an investigation board is established.

Aerospace Safety Advisory Panel (NASA Charter), March 1990

Finding 1: Until November 1989, the two principal manned space flight programs - the Space Shuttle and Space Station Freedom - were managed independently, each under the cognizance of a separate Associate Administrator. Since the Challenger accident, Space Shuttle management has exhibited a noteworthy degree of effectiveness and stability. In contrast, Space Station Freedom management has suffered from a lack of continuity in its top-level personnel. Also, the independent status of both programs created some confusion concerning future operational responsibilities. The recent reorganization of the Office of Space Flight places both programs under one Associate Administrator. This change in NASA management is a positive step in seeking stability and cohesiveness in manned space flight activity, especially in flight operations and budgetary planning.

Recommendation 1: NASA, the Administration, and the Congress should support the recent reorganization of the Office of Space Flight and allow that office time to accomplish its objective of achieving a unified and cohesive manned space flight program.

NASA Response (in 1990 ASAP appendix): NASA concurs with the finding regarding the recent reorganization and establishment of the Office of Space Flight under a single Associate Administrator. All necessary actions have been taken within Space Station Freedom Program (SSFP) elements to ensure the smooth transition of the organization involved so that the goal of a “unified and cohesive manned space flight program” can be achieved.


Aerospace Safety Advisory Panel (NASA Charter), March 1990

Finding 3: The return-to-flight of the Space Shuttle has been characterized by extensive preflight reviews. The majority of these, including the roll-out, solid rocket booster/external tank mating, and flight readiness reviews have been conducted face-to-face at the Kennedy Space Center. With the increasing flight rate, the travel and scheduling involved in the multiplicity of meetings are becoming a financial and physical burden. Some of the reviews are being shifted to video or telephone conferences. These techniques conserve travel time and budget, but could reduce the effectiveness of the management review process.

Recommendation 3: The flight readiness, Launch-2 day, and Launch-1 day reviews should continue to be conducted as face-to-face meetings at the Kennedy Space Center. The balance of the prelaunch reviews for each flow may be conducted as either actual meetings or by remote conferencing techniques. This would depend upon interflight schedules and the number/importance of unique problems or issues associated with a particular flight.

NASA Response (in 1990 ASAP appendix): NASA concurs with the recommendation. The Flight Readiness Review, and the Launch-2 Day and Launch-1 Day reviews will continue to be conducted as face-to-face reviews at the Kennedy Space Center. For the L-2/L-1 reviews, some JSC support elements (flight directors, weather, etc.) must remain at JSC to support the terminal count. Therefore, some JSC elements have been supporting, and will continue to support the L-2 and L-1 reviews by telephone. The Level III project reviews, ET/SRB MATE Review, Orbiter OPF Rollout Review, and Launch Site Flow Reviews can be conducted by telephone with proper representation. Detail requirements, formats, and designated face-to-face meetings are contained within the NSTS 7000, Level I, Program Requirements Document, Appendix 8 (NSTS Operations).

Aerospace Safety Advisory Panel (NASA Charter), March 1990

Finding 5: Interruptions in Space Shuttle operations for any reason can have serious consequence to the Space Station Freedom assembly. The Panel, thus far, has seen little evidence of contingency planning by NASA for such eventualities. Contingency planning should extend through all phases of operation. The Panel believes this to be an important area for NASA to emphasize in operational planning.

Recommendation 5: NASA should develop a contingency plan that addresses the issues arising from possible interruptions of Space Shuttle operations during the assembly of Space Station Freedom.

NASA Response (in 1990 ASAP appendix): NASA concurs and has actions presently underway. All of the Space Station Freedom stages prior to permanently manned capability (PMC) have an orbital lifetime of at least 1 year and generally closer to 2 years in the normal operating altitude. In the case of a Space Shuttle standdown, NASA could boost any of these stages to higher orbits with orbital lifetime of approximately 2 to 4 years, depending on solar cycle. After PMC, an Assured Crew Return Vehicle (ACRV) will be present; and in the event of a shuttle standdown, the crew could be returned via the ACRV and the station boosted to a higher orbit. These results will be reviewed during the Space Station Program preliminary design review in December.

Aerospace Safety Advisory Panel (NASA Charter), March 1990

Finding 12: Review of the data from postflight inspections of orbiter windows indicates that frequency of damage to the windows is greater than previously believed.

Recommendation 12: NASA should consider incorporating thicker or improved glass to enhance the safety margin of the windows as well as implementation of operational techniques such as pre-selecting on-orbit attitudes and entry angle of attack to minimize exposure to debris or thermal effects.

NASA Response (in 1990 ASAP appendix): Review of postflight inspections of orbiter window shows that frequency of damage to windows is well within values predicted by Rockwell at the beginning of the program. Thicker windows have been considered in the past as an improvement that would reduce turnaround time for the orbiter. Though improved glass will undoubtedly improve the thermal pane’s ability to withstand impacts by reducing the stress on the pane’s surface, there always will be a hypervelocity particle that can penetrate the pane. A redundant thermal pane window design may be feasible to incorporate within the vehicle to provide another layer of protection against the risk associated with a failed thermal pane. Vehicle on-orbit operational attitudes that could minimize exposure to debris have been reviewed, though more work needs to be done. Uncertainties in the analysis data presented to date are greater than the risk reduction a different attitude would give.


The probability of a particle large enough to penetrate the thermal pane is very small, about 10 to the minus 4 for a 7-day mission. Thus, the risk is small for continuing to operate without attitude restrictions. The effect on the vehicle during entry for the crack and/or loss of a thermal pane is being studied. Entry profiles that could be flown to minimize thermal stresses on a cracked window and surrounding structure will be evaluated once the damaged window study has been completed. Current mission rules require an orbiter entry at a cabin pressure of 10.2 psi for the loss of a thermal pane, thereby minimizing stresses on the remaining panes and window structure.

Aerospace Safety Advisory Panel (NASA Charter), March 1990

Finding 14: NASA faces a significant problem with respect to its Space Shuttle computers that has not been addressed: a third generation of computers to replace the new computers to be installed in 1991. While it may seem premature to consider a third generation computer before the second generation has been installed, the rate at which computer technology is advancing compels such a consideration.

Recommendation 14: NASA should begin planning now for a process of regular upgrades to the Space Shuttle and the Space Station Freedom computers including, perhaps, a transition to the use of a common underlying computer architecture for the two systems.

NASA Response (in 1990 ASAP appendix): NASA concurs with this recommendation for the long term but disagrees that this is a near-term issue. NASA believes that efforts currently underway are sufficient to identify and provide any necessary upgrades to the Space Shuttle and Space Station Freedom computing systems.

The new Space Shuttle General Purpose Computer (GPC) is scheduled for its first flight on STS-41 in October 1990. Design work for the new GPC began in January 1984, and the first new computers will be flown in late 1990 or early 1991. The calendar time required to design, test, and certify such a man-rated system practically assures that system to be technologically obsolete for most of its operational life. The expected life of the new GPCs is 15 years. Subsequent major changes to the computer system architecture would require revision of the complete avionics package. NASA believes that any consideration of possible further improvements to the GPCs or to the computer system should be an integral part of the Assured Shuttle Availability (ASA) Program.

The Space Station Freedom Program (SSFP) is planning for the upgrading of computers and/or software as improved technology permits. This planning, documented in its highest level program document, the Program Requirements Document (PRD), and in its second level requirements document, the Program Definition and Requirements Document (PDRD), is in two areas. First, the SSFP is planning for mainframe computer hardware and support software replacement every 7 years and workstation replacement every 5 years during the program’s operational phase. Second, the program is establishing evolutionary requirements allowing the flexibility to upgrade to advance technology as it becomes available. As a result, requirements for the operational Space Station Information System require a design that isolates applications software (both flight and ground) from the underlying computing system. This promotes the migration of ground hardware and software to the flight systems or from facility to facility, and maximizes flexibility for replacement of flight hardware during the life of the program.


Transition to the use of a common computer architecture in both the Space Shuttle and Space Station is not considered feasible due to the differences in the underlying design philosophy of the two systems. The Space Shuttle, although relying on five computers (four primary and one backup), is essentially a centralized system fully integrated with the avionics package. Migrating the Space Shuttle computer architecture to some other design, such as that employed by the Space Station, would require the complete redesign of the avionics system. The Space Station, on the other hand, employs a decentralized system utilizing microcomputing technology as its driving force. Additionally, these systems employ radically different operating systems, programming languages, and are subject to different weight and volume constraints.

Aerospace Safety Advisory Panel (NASA Charter), March 1990

Finding 20: The desire to eliminate the tumble valve has resulted in carrying a waiver for each flight since STS-27. The tumble valve has been disengaged for a number of flights and this has not resulted in External Tank debris footprints outside acceptable limits.

Recommendation 20: The program should either remove the tumble valves in their entirety and eliminate the specification requirement or conduct a process by which waivers are no longer needed for each flight.

NASA Response (in 1990 ASAP appendix): In all flights where the tumble valve has been activated, the reentry footprint has remained typical of a tumbling tank and outside the geographical limits of 25 nautical miles from United States landmass and 200 nautical miles from foreign land masses. Mission specific analyses are performed to assure that predicted ET reentry footprints are satisfactory and to establish any risk associated with contingency aborts. The tumble valve will be disabled for missions where the footprint is such that the tumble valve is not required. NASA and DOD Range Safety agree the footprint uncertainties pose no risk to adjacent landmarks. When generic certification of ET entries without an active tumble valve is complete, the tumble valve system will be removed. This generic certification is planned to be completed by the end of FY 91 and would enable NASA to eliminate this critical flight hardware from the External Tank.

Aerospace Safety Advisory Panel (NASA Charter), March 1990

Finding 21: There is clear evidence that many of the problems that hampered launch processing prior to the Challenger accident are being addressed such as excessive overtime, lack of clarity in work instructions, shortage of spare parts, and heavy paperwork burden. However, these pre-Challenger problems have not been totally eliminated.

Recommendation 21: NASA and the Shuttle Processing Contractor must work diligently to eliminate deviations and errors that still occur frequently in the processing activities. Communications between the Shuttle Processing Contractor middle management and hands-on technicians must be continually improved.

NASA Response (in 1990 ASAP appendix): NASA and the Shuttle Processing Contractor (SPC) realize that to safely process vehicles in support of the planned flight rate, occurrences of worker error must be further reduced. To decrease the likelihood of worker fatigue contributing to processing mistakes, the KSC continues to strictly adhere to the overtime policy outlined in Kennedy Management Instruction (KMI) 1700.2. Over the past year, less than 1 percent overtime exceeded the 60 hour/week criteria outlined in the KMI. In May 1989, NASA/SPC formed a joint Processing Enhancement Team (PET) to reevaluate overall processing procedures. Efforts have focused on three major areas.

First, the PET is working to assure that the work task preparation is complete, i.e., all documentation, people, and parts are available when required. Second, the team is working to guarantee that the right people and equipment are available to resolve processing problems as they occur. And third, the PET has found that to enhance processing, standardization is required of planning and scheduling procedures. These representative steps are aimed at clarifying instructions that each worker must abide by in safely completing his task. Availability of spare parts has improved markedly since return-to-flight. The Line Replacement Unit (LRU) fill rate is roughly 89 percent compared to an average of 80 percent prior to STS-51L. The transition of logistics management responsibility to KSC has greatly improved the support posture. Steps also have been taken in this area by placing commonly used items in the OPF to assure availability to workers. Reduction in the amount of technician downtime has resulted.

The Shuttle Processing and Data Management System II (SPDMS II) is the descriptive title for a computer hardware, software, documentation, and processing system that will provide technical and management information support to shuttle ground processing activities. The project will significantly improve the work control system at KSC by providing faster, more accurate work scheduling, tracking, and approval to support the projected flight rate. Initial phases of this project are now being implemented, with continued incorporation planned over the next 2 years. NASA/SPC believes the steps summarized above will mitigate the potential for processing errors. A system has been set up by the PET whereby workers can communicate their concerns and ideas about the specific processing tasks to appropriate directorate representatives. Managers continue to emphasize that safety will not be compromised to meet launch schedules. NASA/SPC remains committed to continue improving workmanship and strengthening communication channels between managers and hands-on technicians.

Aerospace Safety Advisory Panel (NASA Charter), March 1990

Finding 40: There is a need to monitor the aging and reliability of components as a function of time in service. Typically, monitoring is accomplished with fleet leader statistics. Unfortunately, as presently employed, fleet leader numbers can be relatively uninformative or even misleading. For example, these data do not permit managers to assess whether the fleet leader is representative of the entire system or simply an outlier.

Recommendation 40: Statistics on single fleet leaders should be augmented by simple data that identify the distribution of the entire fleet. For items that have been procured in relatively large numbers, this might be expressed as percentages. For relatively unique items, information on the three or four of the oldest and youngest items might be provided.

NASA Response (in 1990 ASAP appendix): NASA agrees. Historically, fleet leader statistics were used almost exclusively; however, this is not the case today. The SSME is the only item using a modified fleet leader concept in that it uses multiple fleet leaders to obtain a more representative sample of the fleet distribution. This minimizes the likelihood of a single fleet leader being an outlier. Use of a single fleet leader is atypical rather than typical.

Fleet leader information is supplemented by such techniques and data sources as stress analysis, fracture analysis, qualification test results, life limit tests, and additional inspections of critical hardware. The process is no longer restricted solely to the fleet leader statistics. Initially, the fleet leader is the prime source of data defining the anticipated fleet distribution. However, as additional devices are built, tested and put into operation additional data becomes available to “temper” the initial judgment of the initial fleet distribution. Information is retained at the contractors on each device and these statistics are compared using in-house studies to guide judgment on retention of items and the flight worthiness of them. These data are reviewed prior to each flight and bear heavily on the decisions to retain/reuse items and on the ultimate launch decision.

Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding 1-A: Strengthening the role of NASA Headquarters (Level I) and STS program management (Level II), coupled with tighter management and budgetary controls over NASA’s R&D Centers (Level III), has clarified responsibilities within the total STS program and strengthened authority and accountability at all levels. Of special importance is the position of Deputy Director (NSTS) for Operations as the focal point of the highly complex shuttle processing and launch activities at the Kennedy Space Center.

Recommendation A: It is essential that this more disciplined management structure - characterized by clear lines of authority, responsibility and accountability - continue in place once the launch rate accelerates in order to support NASA’s commitment to the operating principle of “Safety first; schedule second.”

NASA Response (in 1989 ASAP appendix): NASA agrees. The Space Transportation System (STS) management system is reviewed on a continuing basis to ensure that established clear lines of authority, responsibility, and accountability are effectively entrenched to accommodate planned accelerated launch rates. The Management Councils involving the NASA Manned Space Flight Center Directors and the monthly General Management Status Reviews serve to enhance NASA visibility within the STS program and provide assurance of management strengthened authority and accountability at all levels. Primary emphasis continues to be placed on preventing communication breakdown and ensuring that vital information pertinent to the decision-making process is provided to appropriate levels of management in near real-time.

In addition, the DeputyAssociate Administrator forSystems Assurance, CodeQA, is developing anaudit/survey process that willbe used to assess theacceptability andresponsiveness of theSRM&QA efforts in eachNASA program, including theNational Space TransportationSystem (NSTS) program. Oneof the major purposes of thisaudit/survey process will be tofurther ensure that clear,effective, efficient lines ofauthority, responsibility, andaccountability are establishedand remain in place. Efforts todate have concentrated on:analyzing existing policydocuments and their flowthroughout NASA; anddeveloping a generic, modelsurvey plan that will be theblueprint for conducting asurvey of NSTS Level 2 andLevel 3 during the firstquarter of FY 1990. NASAhas no intention of letting thestrengthened Level I, II, andIII roles degrade. Theoperating principle of "SafetyFirst, Schedule Second" willcontinue as NASA policy.

Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding 1-B: The Safety, Reliability, Maintainability and Quality Assurance (SRM&QA) function is now stronger, more visible, better staffed and better funded since establishment of the position of the Office of Associate Administrator for SRM&QA which reports directly to the Administrator. The Panel notes that the incumbent, George Rodney, is a part of the key decision loops and has established the beginnings of an essentially independent “certification” process within NASA. However, there is recent evidence that budgetary pressures within the Shuttle program are causing project directors to propose budget cuts in various SRM&QA activities (e.g., safety documentation associated with the Space Shuttle Main Engine, such as FMEA/CILs and Hazard Analyses, and oversight of major STS projects).

Recommendation B: Across-the-board budget cuts that jeopardize the recently strengthened SRM&QA function must be denied. Funding to maintain essential safety-related documentation of STS systems must be provided.

NASA Response (in 1989 ASAP appendix): NASA agrees that problems such as funding cuts that jeopardize the continuing strengthening of the SRM&QA function must be resolved. Across-the-board budget cuts not only have a debasing effect on Safety, but on all areas of NASA. Management realizes that it is necessary to look at the overall NASA program to evaluate the best and most efficient way to administer resources. In several areas, prior major efforts have reduced the outstanding workload so that available resources can be channeled elsewhere for best overall results relating to Safety. For example, in the area of Failure Modes and Effects Analysis/Critical Items Lists (FMEA/CILs) and hazard analyses, a major rebaselining of all hazards was undertaken during the hiatus after STS-51L.

The rebaselining effort has been completed; hazard and FMEA/CIL evaluations are now needed only when new hazards are discovered or when configuration changes and new development designs are initiated. This is a considerably smaller effort than during the rebaselining effort, where all existing hazards were revisited and reevaluated. While the hazard FMEA/CIL process is and will continue to be proactive, the quantity of analyses will vary based on design changes to the systems, the elements being deployed, and those hazards that are discovered during operation/evaluation periods. Resolution and documentation of problems associated with hazard analyses and FMEA/CIL findings will continue. However, the backlog of problems and, therefore, the effort is decreasing as problems are resolved.

To help identify common funding problems within the Safety community, Headquarters Safety Division, Code QS, convenes a Quarterly Center Safety Directors Meeting. This meeting allows the Safety Community to air safety issues that require additional funding and/or personnel. In addition, the Associate Administrator for SRM&QA periodically meets with the SR&QA Directors from the nine NASA Centers. The agenda at these sessions permits open discussion of problems and issues, such as problems created by funding cuts and reallocation of resources. With the insight acquired through this forum, the problems can be addressed at the Headquarters level, and appropriate action can be initiated with cognizant program managers. This facilitates the resolution of impacts created by funding problems and maintains the vitality of a healthy NASA-wide Safety program.

Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding 1-C: Management communications, a necessary component in achieving a successful STS program, have improved, both horizontally and vertically within NASA. In particular, the reinstatement of the Management Council, an entity that fosters direct and regular communication among all top STS managers and center directors, has brought a higher level of awareness of common problems and coordinated action to resolve them. This, in turn, has resulted in better informed and effective design certification reviews (DCRs) and flight readiness reviews (FRRs).

Recommendation C: As the flight rate increases, greater attention to maintaining these improved communication channels will be required.

NASA Response (in 1989 ASAP appendix): NASA agrees with the need to maintain the improved and strengthened management communications channels. NASA fully intends to maintain the higher level of awareness that now exists in the Space Transportation System (STS) program management structure. NASA also plans to continue the Management Council to foster direct and regular communication, and to ensure better informed and effective assessment of STS program concerns and actions as the flight rate increases.


Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding 1-D: NASA, along with many other Federal agencies, has suffered through more than a decade of hostility directed toward Federal employees and a related failure to maintain salary comparability at the higher management levels. NASA urgently needs greater flexibility and resources in competing for and retaining the skilled personnel who are required to carry forward the Nation’s space and aeronautical programs.

Recommendation D: Although the salary comparability question will be settled by the Administration and Congress, NASA should speak out clearly about the increasing costs of the present situation and the specific steps that are needed to once again make NASA careers among the most desirable and respected.

NASA Response (in 1989 ASAP appendix): NASA agrees that specific steps are needed to make NASA careers among the most desirable and respected. This has been a priority issue within NASA, and various approaches have been implemented to raise and maintain the professional stature of NASA personnel. However, the monetary reward and/or pay structure are legislated external to the Agency. Competing with industry for top talent, especially in high cost of living areas, is a serious problem. Within the Agency, various career development programs that permit career growth have been implemented. Also, job flexibility programs permit personnel to change positions and jobs horizontally within the Agency, as well as vertically, to gain varied background and experiences. This approach provides new and interesting personal challenges and, at the same time, promotes interest and growth. Training and recruitment programs at both professional and nonprofessional levels also continue as a top priority at NASA Headquarters and the Centers.

The NASA Quality and Productivity Improvement Programs Office has as a primary responsibility, the function of finding better ways to stimulate productivity and providing methods and programs for rewarding professional achievement. Recognition for performance is an important factor in retaining the skilled workforce.


In summary, there is a problem in attracting and keeping professional personnel. The salary base commensurate with responsibility, which is legislated external to the Agency, as well as the uncertainty of funding for existing and new space programs have made attracting and keeping top-level managers and engineers a serious problem. This is an Administration and Congressional issue.

Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding 3: NASA’s decision to procure the Advanced Solid Rocket Motor (ASRM) is based on the premise that the new motor will benefit from advanced solid rocket motor technology and new manufacturing methods and thus would evolve into a safer and more reliable motor than the current redesigned solid rocket motor (RSRM). On the basis of safety and reliability alone it is questionable whether the ASRM would be superior to the RSRM which has undergone extensive design changes until the ASRM has a similar background of testing and flight experience. This may take as long as 10 years from go-ahead. In the interim, the current design is expected to have had over 160 additional firings prior to the introduction of the ASRM.

Furthermore, it is not evident why the new manufacturing processes planned for the ASRM cannot be applied to the manufacture and assembly of the RSRM. Consequently, it is not clear to the ASAP why NASA is proceeding with its plan to develop a new and expensive solid rocket motor, especially as there are still many elements of the STS system which, if modified or replaced, would add significantly to the safety of the operation.

Furthermore, NASA has not thoroughly evaluated other alternative choices to the ASRM such as liquid rocket boosters.

Recommendation 3: The ASAP recommends that NASA review its decision to procure the Advanced Solid Rocket Motor and postpone any action until other alternatives, including consideration of long range objectives for future launch requirements have been thoroughly evaluated.

NASA Response (in 1989 ASAP appendix): The NASA decision to procure the ASRM was made after thorough review of the major factors involved, including an assessment of potential alternative courses of action. Several of the more significant considerations that led to the NASA decision to proceed with the ASRM Program are discussed below.

There have been major improvements in the National Space Transportation System (NSTS) as a whole, and in the RSRM in particular, since the STS-51L accident. RSRM joint integrity is much improved, and the degree of field joint and nozzle-to-case joint rotation during motor ignition has been reduced significantly. However, O-ring expansion is still required to preclude hot gas leakage. [The ASAP report (page 4) notes the need to develop a resilient O-ring material for primary and secondary seals to eliminate the required (RSRM) field joint heaters.] The RSRM factory joints do not meet the redundant, verifiable seal design criterion, due to joint rotation. Every feasible precaution, short of complete redesign, has been taken to ensure that all RSRM joints will function as intended, and NASA has high confidence in RSRM joint integrity. However, the RSRM joint designs are not the best concepts now available, and are not optimally tolerant of off-nominal conditions or unanticipated combinations of events. RSRM joint integrity thus remains a concern for the long term.

The Advanced Solid Rocket Motor (ASRM) provides a positive solution to joint integrity by incorporation of welded factory joints and mechanical field joints that close upon motor pressurization. The mechanical joint closure criterion applies to all joints (igniter to case, segment to segment, and nozzle to case). The redesign of joints to use face seals rather than bore seals minimizes assembly damage potential and permits visual seal inspection until the final mating. Joint heaters, and their attendant failure modes, are eliminated. Furthermore, it is anticipated that insulation design improvements will further reduce potential debonds and/or leakage paths.

Another ASRM design criterion leads to obviation of the Space Shuttle Main Engine (SSME) "throttle bucket" during the maximum dynamic pressure regime with the attendant elimination or reduction of about 175 Criticality 1/1R failure modes for the STS. Information gained from actual flight experience has shown that the safety factors for water impact loads, internal insulation, and nozzle erosion on the current motors are lower than the original design criteria; these deficiencies are to be rectified in the ASRM. Due to ASRM design innovations, it is anticipated that, relative to the RSRM, Criticality 1 failure modes will be reduced by approximately 30 percent, failure causes will be reduced by approximately 25 percent, and failure points will be reduced by approximately 30 percent.

Flight reliability is as dependent upon the method of manufacturing as it is upon design. The current motor manufacturing is highly labor intensive, and historical contractor data indicate that 40 to 50 percent of the encountered defects are workmanship faults. Furthermore, workmanship faults are prevalent in the entire family of solid rocket motor (SRM) failures.

These findings led to the conclusion that ASRM should be designed for the prudent automation of manufacturing processes to minimize defects and maximize reproducibility. Short of a major redesign, which would be tantamount to a noncompetitive ASRM procurement, the RSRM will never achieve the aforementioned flight safety and reliability enhancements. Moreover, the ASRM significantly enhances industrial, environmental, and public safety.

The ASRM will eliminate all asbestos-bearing insulation and other material applications in favor of equally effective materials that are noncarcinogenic. The manufacturing automation will minimize the exposure of the work force to hazardous operations; and the new production and test facilities will incorporate features for environmental protection in anticipation of ever increasing stringency in environmental constraints.

(lots more omitted)

Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding 5-E: As the flight schedule picks up in FY 1989, there remains the clear and present danger of slipping back into the operating environment at KSC that helped to contribute to the Challenger accident. At the same time, the need to achieve greater efficiency and cost-effectiveness in turnaround procedures is clear. In this situation, NASA’s commitment to the operating principle of “Safety first; schedule second” must be retained. If experience of the past is a guide to the future, the pressures to maintain or increase flight rate will be intense.

Recommendation 5-E: NASA must resist the schedule pressures that can compromise safety during launch operations. This requires strong enforcement by NASA of the directives governing STS operations.

NASA Response (in 1989 ASAP appendix): NASA and our contractors recognize the complex problem of increasing launch site efficiency while resisting schedule pressures that may compromise safety. Some of the specific actions that Kennedy Space Center has taken include: review of problems caused by human-induced error to ascertain whether additional training, job reassignment, or procedure change is required; and constant review of areas of high overtime/stress for schedule change and reassignment of personnel. In addition, NASA has established formalized training programs designed to reduce the potential for human error.


The schedule and scheduling process are constantly reviewed and updated, as necessary, to ensure that all formal protocols are completed regardless of the effect on ability to launch on a specific date. NASA management from the top level through the first-line supervisor exercises constant vigilance to ensure that satisfactory working schedules and environments are maintained at all times in accordance with the operating principle, "Safety First, Schedule Second."

NASA continues to closely monitor workload imposed by the baselined STS flight rate. Manpower levels currently budgeted to support the STS flight schedule have been sized to assure that the processing workload can continue to be accomplished in a safe manner. Both staffing and overtime data continue to be reviewed by top management on a weekly basis to assure rigorous adherence to the overtime policy in Kennedy Management Instruction (KMI) 1700.2.

Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding D-1: In 1988 NASA issued several NMIs and NHBs that provide policies and direction designed to improve the identification, evaluation and disposition of safety risks. In particular, NMI 8070.4 titled “Risk Management policy for Manned Flight Programs” calls for a risk management process that includes categorization and prioritization of “risks” using qualitative techniques for ratings of the frequency expectation and severity of the potential mishaps. The documents also provide for use of quantitative risk analysis to provide a more definitive ordering of risks for purposes of risk management.

Recommendation D-1: The risk management policies and initial implementing methodologies which have been issued in 1988 need to be evolved further. Practical quantitative risk assessment and other relative risk-level rating techniques should be actually developed. They should then be applied to help define the risk levels of flight and ground systems. enhancing changes, and, if so, define these changes.

NASA Response (in 1989 ASAP appendix): The risk management function is evolving. NASA is vigorously refining the NASA Management Instructions (NMIs) and NASA Handbooks (NHBs) to reflect the latest risk management policy developments. Independent risk assessments are being performed on Galileo and Ulysses payloads utilizing updated risk management methodology. This risk methodology includes the development of credible accident scenarios derived from initiating events that could cause potential mishaps. It incorporates both qualitative and quantitative system response analyses of initiating events induced by hardware or software anomalies malfunction(s), human error, environmental influences, or probable combinations of these factors. Also, the risk assessment methods are being restructured as further development and state-of-the-art knowledge are gained from ongoing risk assessment activities arena. Practical quantitative risk methods and risk-level techniques are being matured by NASA in structured workshop sessions and supporting policies with a view toward incorporation into the risk management efforts in the National Space Transportation System (NSTS), space station, and payload areas.

Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding D-2: The Panel has found strong commitment by each of the Center Director Offices to the rebuilding of the System Safety Functions in NASA. They have provided valuable guidance, encouragement and some level of financial support to the difficult restructuring, staffing and new policy implementation activities at their respective Centers. We are concerned that program resource cuts may be beginning to erode the progress which has been made.

Recommendation D-2: In addition to continuing their good work we believe that additional vigorous assistance is required on the part of each Center Director’s Office to assure the allocation of resources that are necessary so that the promising progress toward a truly effective Systems Safety capability does not falter and wither away after a few successful STS flights. The Center Directors must be seen as major champions of safety engineering within NASA.

NASA Response (in 1989 ASAP appendix): NASA strongly agrees that a key element to the successful implementation of a NASA-wide Safety Program is the committed support of the Center Directors who must continue to be the champions of safety engineering. To ensure that progress made at the Centers is maintained, the Office of the Associate Administrator for SRM&QA, Code Q, has initiated the following efforts:


(list omitted)

Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding D-3: At JSC there is a clear commitment from the Director’s level down to implementing the general policies and requirements of NMI 8070.4, and to improving techniques for risk assessment and risk mitigation. We observed that the SRM&QA organization is still not completely staffed. The organization has assembled hazard information that is used in the decisions of whether or not to fly. Whether this same information can be used to identify safety enhancing changes has yet to be examined.

Recommendation D-3: Examine the collected data to see if it can be used to identify safety enhancing changes, and, if so, define these changes.

NASA Response (in 1989 ASAP appendix): The review process for National Safety Transportation System (NSTS) safety issues and associated hazard reports, conducted by the System Safety Review Panel (SSRP) and the Levels I and II Program Requirements Control Board (PRCB), results in thorough review of the safety problems involved. As part of this process, recommended changes required for hazard mitigation and/or control are actions levied on the responsible NSTS element(s). Detailed responses and presentations are made to the review boards up to the Level I PRCB, which is chaired by the NSTS Program Director. Therefore, identifying and recommending safety-enhancing changes in response to identified hazards are integral parts of the hazard review process at levels up to and including NASA Headquarters. These changes include: revisions/changes/additions (to Flight Rules and Launch Commit Criteria); improvements in manufacturing, inspection, test, and quality control procedures; and design changes to mitigate or reduce the risk involved (subject to budgetary review and approval by the NSTS Program Director).


Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding D-4: At JSC the ASAP was presented a new approach to hazard rebaselining and rating, and a new format for the Mission Safety Assessment report (MSA). The new report is basically a set of evaluated fault trees which identify the potential system mishaps which might result from various hardware or human faults. For STS-26, 25 “significant risk” mishaps were “selected” for evaluation. All items selected had worst-case severity levels of “loss of crew and/or vehicle.” All items were also rated as “unlikely,” which was the lowest probability rating used in the hazard rating matrix. Thus, the MSA did not address even the relative risk-levels of the selected potential mishaps. However, the system safety organization did color-code various faults - red, which designates that Improvement is Highly Desirable (IHD). Because all of the items selected for inclusion in the MSA are rated as unlikely to occur and therefore “safe to fly,” there remain a large number of undifferentiated items designated IHD.

Recommendation D-4: The ambiguity regarding risk levels implied by the red color-coded MSA needs to be removed. NASA needs to provide a much more objective (quantitative) and data-based risk assessment methodology that will differentiate the “unlikely” events for purposes of assessing the principal contributors to risk on STS and Space Station type programs.

NASA Response (in 1989 ASAP appendix): The Mission Safety Assessment (MSA) focuses in more detail on risks considered issues for the current and subsequent launches. Since the ASAP visit, the MSA has been reevaluated and is now considered a program baseline safety assessment to be updated periodically, not mission specific. It is derived from the approved Hazard Report (HR) set, which forms the program baseline safety risk. Renaming of the document is under consideration and the safety community is developing a replacement document that will be mission-specific and unique, the final title of which is not yet determined. It will provide visibility to top management of significant changes or potential significant changes to the baseline safety risk. It will indicate launch constraints and resolved safety risk factors. Basic requirements for the mission-unique safety risk assessment report need to be changed, and changes to the requirements are being pursued. The requirement for the MSA to be published 30 days prior to a launch is unrealistic as some safety risk data probably will not be achieved in time for consideration in the report as happened on STS-26. It is expected that the new requirement for safety risk assessments will be keyed to milestones such as the Flight Readiness Review (FRR) and the L-2 Day Review, and it will have a format that will permit rapid, last-minute updates. All risks in the STS-26 were considered "unlikely," but were also more significant than others that had been received at the time of publication.


Several HRs were subsequently submitted with a probability of occurrence of "likely," and they have been incorporated in subsequent MSA editions. All the events had the potential of being catastrophic events. The fault-tree approach presents these basic and conditional events. From this analysis, the MSA evaluated the hazard controls in the design and procedural area (i.e., redundancy, safety factors, launch commit criteria) for possible improvement to further mitigate the risk. The MSA used a qualitative approach to assessing the relative levels of risk. The NSTS safety community is considering changes to the three-level probability of occurrence to provide greater differentiation. Also, future editions of the MSA will use the results of probabilistic risk assessments, when available, to help define the relative level of risk for prioritization.

NASA's effort to identify and quantify risk contributors has proceeded with several different approaches: probabilistic risk assessment (PRAs), individual statistical analyses, and prioritization of Failure Modes and Effects Analysis/Critical Items List (FMEA/CIL) items (system/component coupled with a Criticality 1 failure mode). Relative to the PRA effort, a risk assessment for the Galileo mission [which uses a radioisotope thermoelectric generator (RTG) power source] was conducted. The assessment focused on events leading to breach of the RTG case. Shuttle element risks and individual risk contributors were developed using fault trees, random failure distribution approximations, and Bayesian techniques. However, none of the above efforts obviate the need for detailed, accurate, and easily accessible data bases containing test and flight failure data. The current Program Compliance Assessment Status System (PCASS) data base contains problem reports on component failures. For analysis purposes, data fields containing the specific FMEA failure mode need to be included to facilitate initial analyses; such an effort is now under consideration.

A space station requirement document for a failure history data base is being developed. Apart from individual assessments and development of data bases, a more quantitative approach for identifying and assessing principal risk contributors has been explored using the current hazard analyses as a foundation. In this approach, detailed causes and scenario paths leading to damage states are developed. Likelihoods ascribed to the scenario nodes and, in turn, probabilities are approximated for each potential path and damage state. Examples using auxiliary power unit hazards have been developed. This approach is being evaluated as a quantitative enhancement for hazard assessment.


Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding D-5: Functional areas such as system-safety engineering at the Centers appear not to have received the resource support necessary to fulfill their responsibilities. The SRM&QA organizations at the centers appear to be relatively loosely coupled to Headquarters.

Recommendation D-5: The various systems safety organizations throughout NASA should get stronger assistance from Headquarters especially regarding financial support.

NASA Response (in 1989 ASAP appendix): NASA agrees that Center SRM&QA organizations should continue to receive strong support from Headquarters. During fiscal year (FY) 1989, 50 percent of the Headquarters SRM&QA budget is being transferred directly to the Centers. In FY 1990, we plan to increase this to 70 percent.

Since January 1986, we have been able to increase the number of civil service and Jet Propulsion Laboratory personnel directly assigned to SRM&QA functions by approximately 39 percent. During that same period, the number of support contractor personnel performing SRM&QA functions has increased by nearly 95 percent. These statistics verify that the Centers have a strong and eloquent voice in Headquarters. As a consequence, NASA feels that within the context of existing Federal Budget constraints, the Center SRM&QA organizations have been well supported.

Center SRM&QA organizations report and are directly responsible to the Center Directors. The Office of SRM&QA functions in a senior staff capacity at Headquarters providing a focal point for NASA-wide SRM&QA activities, programmatic direction, policy formulation, and resources support. The link between Headquarters and field SRM&QA operations is sufficiently strong to provide proactive and vigorous SRM&QA program management.


Aerospace Safety Advisory Panel (NASA Charter), March 1989

Finding D-6: At MSFC the ASAP found an excellent SRM&QA organizational structure and good progress in staffing it with experienced engineering personnel. As other centers have done, they have engaged the services of two contractors to aid in developing the analysis techniques for practical, more quantitative risk assessment.

Recommendation D-6: MSFC is to be commended for their progress in evolving its SR&QA function and these efforts should receive continuing high-level support.

NASA Response (in 1989 ASAP appendix): The achievements of the Safety, Reliability, Maintainability, and Quality Assurance (SRM&QA) organization at Marshall Space Flight Center (MSFC) are recognized and applauded. Also noteworthy is MSFC taking the lead in establishing the management and engineering requirements for Maintainability, which is a relatively new key discipline within the Agency. MSFC and the other Center SRM&QA organizations will continue to receive the high-level support required to ensure their continued viability as effective spokespersons for System Safety, Reliability, Maintainability, and Quality Assurance.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding A-1-a: NASA has responded positively to ASAP’s recommendations and those of the Presidential Commission dealing with reorganization of NASA and the National Space Transportation System, including the reestablishment of an independent safety, reliability, maintainability, and quality assurance function.

Recommendation A-1-a: NASA’s top management should continue to support vigorously the new agency and programmatic organizational structure. The Office of SRM&QA should continue to be provided with the management support and resources it needs to carry out its essential oversight and review function in a fully independent and comprehensive manner.

NASA Response (in 1988 ASAP appendix): The Associate Administrator (AA) for Safety, Reliability, Maintainability, and Quality Assurance (SRM&QA) is on an equal organizational basis with the top program officials within the Agency. The AA also has access, both on an as required and on a regularly scheduled basis, with the other top management officials within the Agency. Additionally, requests for resources, both budgetary and personnel, are given careful and deliberate consideration. NASA is committed to providing a vigorous and independent oversight and review function through the Office of Safety, Reliability, Maintainability and Quality Assurance. This capability has been developed and is in place. NASA’s long-range plans include the maintenance of this established capability and the continual strengthening of the SRM&QA functions within the Agency.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding A-1-b: In the investigation of the Challenger accident, it was revealed that a breakdown developed in the Shuttle management structure over the course of time. Explanations for this abound. Nevertheless, the view persists that if the management breakdown could have been averted, vital information pertinent to the decision-making process could have reached responsible management in a more timely manner.

Recommendation A-1-b: Once a management system for a program has been adopted, especially for long-term projects, it would seem prudent for the NASA Administrator to be apprised periodically of its functioning to ensure that changes in personnel and program direction have not resulted in deterioration of the management structure.

NASA Response (in 1988 ASAP appendix): NASA agrees. How well the management system functions is a key element in the assessment of NASA programs. The management system, much like technical or budgetary elements, is being reviewed periodically, with the results provided to the NASA Administrator. Among the management mechanisms in NASA that enable this to occur are the various Management Councils that involve the appropriate NASA Center Directors, and the monthly General Management Status Reviews (GMSR) where the various NASA Associate Administrators report directly to the Administrator. The direction and discipline applied for these reviews ensures that the intent and content of these reviews cover all aspects of technical as well as programmatic problems facing the Agency, the Centers, and programs. All changes in key personnel, management structure and organizations and the status relative to performance, problems, and concerns are continually reviewed as part of the agendas for these reviews. In addition, the SRM&QA organization, Code Q, is strengthening the Agency’s audit system capability, which includes the periodic survey and assessment of the Centers’ technical and management and reporting systems.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding A-1-c: The STS is a complex system with many R&D-like characteristics. To employ the system so that there is an acceptable level of risk requires much effort and vigilant attention to detail.

Recommendation A-1-c: NASA should adopt the goal of using the STS only in those circumstances where human presence in space is needed for mission success. Otherwise, access to space should be gained by using unmanned expendable rockets. Given the expected long-term requirements of the Space Station and other space projects of national importance, the need to begin development of an unmanned heavy lift vehicle is clear. These initiatives should be part of a long-term comprehensive national space policy that sets clear objectives, determines the best way to accomplish these objectives, and then commits the United States to a realistic schedule and budget.

NASA Response (in 1988 ASAP appendix): NASA agrees and is working toward this goal. However, the Space Shuttle must be utilized to reduce the current payload backlog. The President’s national space policy, which sets forth a long-term balanced and clear cut set of goals, principles, and guidelines, states that the Space Transportation System (STS) will be used to maintain the Nation’s capability in manned space flight and to support critical programs requiring manned presence and other unique STS capabilities. The policy also states that the United States’ national space transportation capability will be based on a mix of vehicles, consisting of the STS, unmanned launch vehicles and in space transportation systems. NASA strongly supports this policy and is intent upon meeting its objectives.

As stated in the response to the 1986 ASAP report, the mixed fleet analysis study has been completed. The resulting plan is currently being implemented for a mixed fleet of launch vehicles. The March 1988 Mixed Fleet Manifest for flights through September 1993 shows 16 NASA and National Oceanic and Atmospheric Administration (NOAA) spacecraft previously planned for the shuttle being reassigned for launching on expendable launch vehicles (ELVs). In addition, some 20 DOD payloads have been off-loaded from the shuttle to ELVs. NASA also agrees with the need for development of an unmanned heavy-lift vehicle. The Agency is a partner with the Air Force in the definition of an Advanced Launch System (ALS) and is also conducting initial studies of an unmanned, cargo version of the Space Shuttle, Shuttle C.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding A-1-d: The reevaluation and recertification of all hardware and software systems on the STS, has produced an extremely heavy work load related to launch processing including more paperwork, many modifications to existing systems, and a greatly expanded test program.

Recommendation A-1-d: NASA, the Shuttle Processing Contractor (SPC), and supporting contractors must exercise the most intensive and unrelenting scrutiny to prevent human error from occurring. In particular, the natural tendency to sign off routinely on complex documents approved at lower levels, shortcut test procedures, or otherwise work around nagging problems must be avoided at all costs.

NASA Response (in 1988 ASAP appendix): Both NASA and contractor management are sensitive to the need to prevent human error from occurring. Increased discipline has been manifested by additions to manpower in the areas of engineering support to the on-line workforce and additional quality control personnel, with clear direction for increased emphasis on planning and control of work. In the SRM&QA area, the ratio of quality control inspector-to-technicians has been increased in all areas from pre-STS 51-L levels.

Certification and recertification training also continues to be provided for the work-force. NASA, the Shuttle Processing Contractor (SPC), and element contractor management periodically review these programs to assure that each critical discipline area is properly supported. Additionally, the currently budgeted Shuttle Processing Data Management System (SPDMS) is being implemented to lessen the paperwork burden. This automated system will improve the work control system by providing for faster, more accurate problem disposition with appropriate management visibility.

In addition to the above, the NASA Headquarters SRM&QA Office, Code Q, has revised the System Safety Handbook whereby a chapter is devoted to Human Factors considerations and requirements. Code Q will also validate the effectivity of organizational functions, systems and staffing through selected staff assistance surveys. Such overview actions will permit insight for determination relative to existence and application of adequate discipline within the system.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding A-2: NASA and the STS contractors have been redoing the FMEAs, CILs and hazard analyses for all elements of the Shuttle system. We found that, although there were great differences in the specific techniques and data management employed by different organizations, the work was thorough and of high quality. Only a limited number of new failure modes were uncovered in the original designs. There were, of course, new modes identified for designs that had changes incorporated or planned. One result of the rework is that the number of Criticality 1I and 2 items increased dramatically. This occurred primarily because of new ground rules as to levels at which components would be addressed.

NASA is considering various techniques for prioritizing the CIL so that the “highest risk” items can receive the highest levels of attention. The ASAP strongly supports this concept. A more definitive prioritization for such risk management purposes would require a more quantitative methodology to establish safety-risk levels.

Recommendation A-2: (1) NASA should take steps to establish uniform methodology for conducting FMEA/CIL/Hazard Analyses for the agency as a whole. (2) In addition to the above, NASA should develop and implement a consistent method of prioritization of items in the CIL so that appropriate attention can be given to the greater risks. (3) Data developed from the FMEA/CIL/Hazard Analysis process should be organized in such a fashion that it provides the deciding authority with information permitting him or her to assess the risk and make informed decisions.

NASA Response (in 1988 ASAP appendix): (1) As part of the revalidation process for the STS “Return to Flight”, the National Space Transportation System (NSTS) Program issued NSTS 22206, “Instructions for Preparation of Failure Modes and Effects Analysis (FMEA) and Critical Items List (CIL)” and NSTS 22254, “Methodology for Conduct of NSTS Hazards Analyses (HA).”

The purpose of these documents is to provide consistent methods for the preparation, maintenance, and publication of the FMEA/CIL/HAs. These documents are being used by the SRM&QA Office to develop NASA handbooks that will provide the Agency-wide guidelines. Drafts of these handbooks have already been prepared, and it is anticipated that the final documents will be issued prior to the end of FY 88.

(2) A procedure (NSTS 22491, “Instructions for Preparation of Critical Items Risk Assessment”) was developed and issued by the NSTS Program to implement a method of categorizing NSTS failure modes by severity of effect and likeliness of occurrence and prioritizing them from most severe effect to least severe effect. In addition, a method (Memorandum NA2/87-L046, “Implementation of Hazard Prioritization Technique”, September 29, 1987) for categorizing Hazards by likelihood of occurrence and severity was also implemented in order to determine a risk index for each hazard. These methodologies are being incorporated into an overall Agency Risk Management Program being developed by the SRM&QA Office.

(3) The NSTS Program has developed a new closed-loop accounting system known as the System Integrity Assurance Program (SIAP). A key feature of SIAP is its Program Compliance Assurance and Status System (PCASS). This is a computer-based information system which functions as a database that integrates a number of information systems. FMEA/CIL and Hazards Analyses data are a part of this data base. PCASS has the potential to provide, in near real-time, an integrated view of a number of risk assessment parameters to NSTS Program decision-makers.


Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding A-3-c: Prior to the STS 51-L accident, there was no cross-reference listing between the operational maintenance requirements specifications document (OMRSD) and the critical items list (CIL). Since the accident, an OMRSD/FMEA/CIL matrix has been generated to help ensure that a focus is kept on all critical items in every step of the processing procedure. One of the shortcomings in the procedures prior to the 51-L accident was the lack of traceability of OMRSD requirements to the operations and maintenance instructions (OMI). An operations and maintenance plan (OMP) is now in use to provide this traceability. A closed-loop requirements accounting system is expected to be in place for STS-26R. This will be a partially manual system for STS-26R but is expected to be fully automated by February 1989.

Recommendation A-3-c: NASA should continue its efforts to establish clear-cut and uniform policies for the Shuttle Processing Procedures and for the flow of all evaluations top-down as well as bottom-up in a consistent and rational manner.

NASA Response (in 1988 ASAP appendix): NASA is continuing its efforts to have clear and uniform policies for shuttle processing procedures and evaluations. NASA and its contractors are expending major efforts to properly identify, document, and cross reference all shuttle critical items in the CIL, OMRSD, OMIs and OMP. These documents have all been thoroughly reviewed, revised, and reformatted for that specific purpose, and matrices allow tracing a CIL item throughout the series. Closed-loop OMP - OMI - OMRSD Accounting has been initiated and is in place supporting STS-26R KSC processing. The complete automation of this system is in process and on schedule to be partially available for STS-26 and completed by February 1989. This system will provide for uniform implementation of policy and create a greater awareness of the critical portions of shuttle processing and facilitate problem identification, resolution, and anomaly evaluations. The PCASS system will also be used to track and provide the status of Criticality 1 & 1R hardware problems.


Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding A-3-d: The content and format of the launch commit criteria document are being improved significantly. The format change will make it easier to use. In addition to these changes, the command chain during the countdown has been modified to include a “Mission Management Team” to whom the Launch Director will report. There is a concern that no clear distinction is being made between a “redline” and other criteria whose values are, advisedly, subject to interpretation or evaluation.

Recommendation A-3-d: Clear, unambiguous distinctions should be made in the Launch Commit Criteria between “redlines” and other parameters monitored during launch operations.

NASA Response (in 1988 ASAP appendix): The Launch Commit Criteria have been thoroughly reviewed by all concerned elements of the shuttle program to remove all ambiguous and unnecessary guidelines and leave only clear and concise criteria. Except for some introductory material about the document and general information on crew restrictions, only true “redlines” remain. These true “redlines” have no built-in margins and are intended for countdown holds, shutdowns, or recycles, depending on the phase of the count. All of the “redlines” that can be automated are being automated. The automation stops the countdown (clock) when any “redline” (limit) is reached prior to T-31 seconds, to allow a considered decision by the appropriate experts and program management on whether to proceed with or terminate the countdown, or take an alternate course. Encountering a “redline” after T-31 seconds leads to a shutdown and/or recycle of the launch countdown.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding B-1-a: The restructured SRM&QA organization and operational mode appears to meet the recommendations made by the Presidential Commission, the Congress and the Aerospace Safety Advisory Panel and the internal NASA working groups. The policies and plans promulgated by the Associate Administrator/SRM&QA are being implemented by the NASA centers. There is a new team spirit evolving throughout the SRM&QA world within NASA and its contractors that bodes well for the future.

Recommendation B-1-a: Official direction, through an appropriate document(s), should be provided to all programs/projects on the decision process for risk decisions. Without such direction for each specific program/project, risk decisions will not be made with a commonly understood and agreed-upon definition of the factors pertinent to the decision. The AA/SRM&QA should ensure that implementation of directed SRM&QA activities are conducted in an orderly, thorough and timely manner to support the various milestones set by program/project offices.

NASA Response (in 1988 ASAP appendix): The risk management NMIs and NHBs, as discussed in Section B.1.c on the next page, provide direction on the risk disposition decision process, which is the central function of risk management. These directives and handbooks will be applicable to all programs. As appropriate, they provide for qualitative analyses with likelihood and severity treated categorically, and uncertainty reflected in the potential variability of the categorizations. They also provide for quantitative analyses with likelihood and severity combined in numerical risk estimates, and uncertainty expressed as numerical distributions of the possible variations in the estimates.


The development of the Risk Management Program Plan for each program is a program management responsibility. Guidance is provided in the NMIs and the NHBs, and the Safety Division (QS) Risk Management Program Manager provides additional assistance in the development of the plan and its implementation, as required. The Risk Management Program Manager in Code QS also supports or participates in program risk management assurance activities designed to provide oversight of the program’s risk management process. Code Q will, through its audit, oversight, and independent assessment charter, provide personnel and resources to ensure that the programs properly implement the risk management program plans.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding B-1-b: NASA has successfully instituted a variety of new procedures and reports to ensure and monitor safety. These are being given much attention in the efforts to resume STS flights. As regular Shuttle flights resume and become more routine, there is a danger of complacency setting in.

Recommendation B-1b: Because there is danger of complacency setting in, it is recommended that NASA review and audit the safety assessment process implementation on a periodic basis. Particular emphasis should be placed on the quality of the information reaching decision-makers. A regular review of the process will help managers discriminate between meaningful changes in system safety and unanticipated alterations in the reporting process.

NASA Response (in 1988 ASAP appendix): The Office of SRM&QA is well aware of the dangers of complacency and its impact on the safety of the various programs. One of the principal functions of the Deputy Associate Administrator for System Assurance is to establish and implement an audit/oversight function that will determine the SRM&QA acceptability and posture of each program. Program trade-offs and engineering decisions, vis-a-vis their effects on safety, are key elements to be reviewed, as well as the safety data that was generated to support these decisions. The expanded audit process and methodology, with plans and schedules, are being developed with the support of the NASA Headquarters Code Q support contractor.

Audits will take place on a regular and/or as needed basis. Audit teams will consist of SRM&QA personnel from Headquarters, the Centers, support contractors, and outside experts in selected disciplines. The reporting systems and decision-making processes will be incorporated into the audit checklists to ensure that alterations to management systems and changes to reporting procedures are recognized with changes being properly assessed. Additionally, the Safety Division, QS, will continue to monitor the degree of implementation of the Agency safety policies by means of its own assistance visits and assessment/reviews. A training course is also being developed for personnel who will participate in audits, reviews, and surveys to assure effectiveness of the audit system. Maintaining the safety awareness and motivation of the workers at the floor level is also critical to the prevention of complacency and maintaining the safety assessment process. In support of this, the Safety Division is developing an Agency level Safety Awards Program that will provide top level recognition to project groups, facility groups, or individuals who have demonstrated superior safety performance.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding B-1-c: New NASA Management Instructions and Notices related to risk assessment and risk management policies are being developed. These instructions provide important new thinking and enabling policies that could lead to a more comprehensive and objective safety-risk management methodology for NASA. As yet, there is no organizational or functional structure for systems safety engineering that could implement effectively such a comprehensive program.

Recommendation B-1c: The ASAP recommends that (1) NASA complete NASA Management Instructions and Notices and their implementing handbooks and promulgate them as soon as possible. (2) NASA develop as rapidly as possible a more integrated systems safety engineering functional structure (possibly within the Headquarters SRM&QA organization with similar organizations at the centers).

NASA Response (in 1988 ASAP appendix): (1) NMI 8070.4, “Risk Management Policy for Manned Flight Programs,” was promulgated on February 3, 1988. NMIs are also in draft and under review on risk management for unmanned programs and for research and technical facilities. These NMIs will identify, in general terms, the roles of qualitative and quantitative risk assessment in support of risk disposition decision-making. The NMIs also reflect recognition of the need to tailor these roles to specific applications, in accordance with appropriateness criteria that are related to the significance of the risks of concern, the information available for risk assessment, and the resources required for assessment and integration of results.

NHBs are also being developed to aid in the implementation of the processes defined in the NMIs. A draft NHB on risk management program tools and techniques is currently under review. An NHB on risk management program roles and responsibilities has been developed, and a draft is currently available. The first NHB is a compendium of advanced qualitative and quantitative risk assessment and risk decision-making methods. The second NHB delineated the functions and interfaces of program and facility management, engineering, system safety, and other Code Q elements. It further delineates the roles and responsibilities in risk management assurance. The primary role of program and facility management is recognized, as is the role of system safety in risk management support. The key role of oversight and special technical assistance in risk management assurance is particularly noted.

In addition, a two-volume Safety Risk Management Program Plan has been published. It serves as a basic information source on risk management program objectives, rationale, and basic methodology.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding B-1-d: The majority of NASA’s safety efforts have focused on hardware reliability and the training and preparation of astronauts and pilots. There are potential safety problems that can arise from human errors at any level of the system because of its inherent complexity.

Recommendation B-1-d: More emphasis should be placed on the study of potential design-induced human errors.

NASA Response (in 1988 ASAP appendix): NASA Code QS is already providing additional emphasis on identifying and, when possible, preventing by design the potential safety problem areas arising from human errors. One chapter of the revised System Safety Handbook is devoted to Human Factors, Considerations, and Requirements. Continued emphasis will be applied towards incorporating these concerns into contract statements of work or as overall applicable contract requirements. Review of appropriate progress will be conducted during design and safety reviews to ensure that design takes into consideration human factors requirements. Additionally, Code QS intends to validate the effectiveness of the multiplicity of discipline products and interfaces generated within the highly-matrixed SRM&QA organizational functions through selected staff assistance surveys.

Aerospace Safety Advisory Panel (NASA Charter), March 1988

Finding 5-a: Work Environment at KSC. The work environment at KSC associated with launch processing can induce human error. NASA, the Shuttle Processing Contractor (SPC), and support contractors have generally recognized this fact through such actions as tightened discipline and accountability, improved worker safety programs, strict guidelines to control overtime, better training programs, and the better availability of spare parts and related equipment. However, there are still occasional reports of schedule pressure and the associated potential for error or acceptance of excessive risk.

Recommendation 5-a: Top management at NASA and the SPC should exercise continuing vigilance to ensure that a satisfactory working environment is achieved and maintained at KSC. The ASAP’s dictum of “Safety first; schedule second” must be observed by each and every person involved in the STS program.

NASA Response (in 1988 ASAP appendix): NASA and its contractors have recognized that the complexity of STS launch processing can induce human error, and that there are risks associated with schedule pressure. The actions cited are intended to mitigate the possibility of such errors. As an example, SRM&QA management has taken a major step to this end by forming a Personnel Initiatives Panel (PIP). The purposes of the PIP are as follows: (1) identify organization problems, recommend corrective action, and provide a means of communication up to all levels of management; (2) establish the SR&QA function as an aggressive contributor for the overall team; (3) promote a workforce that is manned with quality people who are dedicated to superior performance and the pursuit of excellence; and (4) develop a comprehensive program to attract, develop, motivate, and retain the best professional talent available. By adhering to these tenets, NASA feels that the “safety first” belief can best be instilled in every worker.

KSC policy is in place to assure that overtime is carefully monitored and controlled, and that worker fatigue due to excessive overtime does not contribute to errors during processing. Additionally, recently approved manpower increases, along with initiatives to increase operational efficiency, are serving to improve the working environment.

Aerospace Safety Advisory Panel (NASA Charter), February 1987

Finding General-1: The Panel finds the recent reorganization of Space Shuttle management to be a positive step in recapturing or rebuilding a spirit of mutual respect and trust at all levels. The Panel recommends that: a priority objective of the new management team must be to enforce NASA's management instructions and to define clearly the responsibilities and authority of the NASA centers; a willingness of all NASA centers to pull together, to subordinate parochial interests, and to help each other is absolutely crucial if the Space Shuttle program is to succeed.

NASA Response (in 1987 ASAP appendix): We agree. In the Phillips’ study, the Crippen report, and in the reorganization of the shuttle management, we have addressed the roles and responsibilities of all levels of management to specify the relationship between the various program offices and centers. NASA Management Instructions (NMIs), Program Approval Documents (PADS) and supporting policies are being reviewed to clearly define the responsibilities and authority of the centers.

The elevation of direct control of the program to Headquarters establishes a programmatic chain that is independent of the NASA center organizations. However, the center directors are responsible and accountable for the technical excellence and performance of each of the National Space Transportation System (NSTS) project elements at their respective centers. Further, the center directors will ensure that their institution provides the required support to the NSTS program.

In addition, the center directors, along with the Associate Administrator, Office of Space Flight (OSF) are working together as members of the OSF Management Council which meets on a scheduled basis to oversee all OSF responsibilities and provide an independent review and assessment of the NSTS program.

Aerospace Safety Advisory Panel (NASA Charter), February 1987

Finding General-2: The Panel finds that NASA and the Congress need to appreciate that the Space Shuttle is a system which remains primarily developmental with some operational characteristics. It is recommended that NASA needs to emphasize the developmental characteristic or it is likely to miss key elements of the Space Transportation System management challenge.

NASA Response (in 1987 ASAP appendix): In the detailed program assessment conducted after the 51-L accident, it has become evident to the top management within NASA that much of NSTS is still in the developmental stage and significant areas of the system will probably remain essentially developmental throughout the life of the program. We agree with the Panel that there is a need to emphasize the development characteristics in order to provide required management oversight and operational awareness. Also, it will be the duty of NASA to work closely with the Congress to come to a mutual understanding of the developmental stage of the system. This will be a critical task to get budget approval in areas of continued development. We seek assistance from ASAP to emphasize in their interface with the members of Congress and their staff the developmental nature of the shuttle system. NASA has already taken steps to strengthen its development effort on the shuttle program. In the critical main engine program, the single engine test rate has been substantially increased. The new plan calls for an average of 12 tests per month through February 1988, and 10 tests per month through the mid-1990’s. This is an increase over the previous plan of eight tests per month through mid-1990 and six tests per month through the mid-1990s.

In the Solid Rocket Motor (SRM) program, it is planned to continue full scale firings of production motors at the rate of one to two per year following final qualification firings. These firings will be used to verify maintenance of critical processes, establish life of reusable components, and qualify any design changes. Another example is in the flight software area where a Level II Software Change Control Board has been set up. This board, made up of high level experts, reviews each proposed software change, determines impact, and approves or disapproves the change.

Aerospace Safety Advisory Panel (NASA Charter), February 1987

Finding General-8: The Panel recommends that NASA top management should address the growing problem of recruiting and retaining talented engineers and managers due to inadequate Federal salaries. This is not just a Space Shuttle problem.

NASA Response (in 1987 ASAP appendix): We agree with this recommendation. NASA has traditionally relied on its highly visible mission, work environment, and career advancement opportunities to attract high-caliber scientists and engineers. However, in the past several years, 70 percent of all graduating entry-level engineers have declined NASA engineering job offers. The reason most often given for not accepting these job offers is inadequate salaries and/or benefits. Entry level technical salaries continue to be significantly less in the Federal sector than in private industry. NASA’s most recent experiences show that quality scientists and engineers with bachelor’s degrees are accepting entry offers in private industry of $26,000 - $29,000; and some exceptional graduates with master’s degrees, offers of $30,000 - $34,000. Under the Federal system, NASA can only offer $23,866 and $28,347, respectively.

The Personnel Programs Division, Code NP, has been and will continue to document all data reflecting national recruitment trends and situations. Such data, including specific NASA recruitment and turnover data was recently presented to OMB. NASA management will continue to take every opportunity to give testimony to Congress, OMB, and OPM and to support needed changes to the Federal personnel system. Additionally, Code NP in conjunction with field installation personnel offices has initiated and developed a new personnel concept. This concept, centering around a new pay and compensation package, has the NASA Administrator’s support. This new personnel system is needed to strengthen NASA’s recruitment and retention posture with private industry, as well as to improve the overall quality of the NASA working environment.

In expressing its concern regarding the salary structure for technical persons within NASA, the ASAP Report stated that: “It appears that in order to progress in terms of salary, people must move into management ranks, making it difficult to keep experienced, highly qualified people in the technical ranks (p.58-91.” We do not agree with this statement. In fact, the opposite is true. NASA employs approximately 6,500 E-13, 14, and 15 level non-managerial technologists compared to 3,000 management officials at the same grade levels.) It is at these grade levels where the preponderance of technical expertise is found within NASA and where Federal salaries are generally comparable to those in the private sector.

Aerospace Safety Advisory Panel (NASA Charter), February 1987

Finding General-9: The Panel, in an independent review, concurs with the National Research Council (NRC) Panel conclusions on Space Shuttle Flight Rates and Utilization, that is, an upper limit of 8-10 flights per year with a three Orbiter fleet and 11-13 with a four Orbiter fleet. Further, the Panel recommends that the Space Shuttle be used only where manned missions are deemed mandatory, and expendable launch vehicles should be used for all other missions.

NASA Response (in 1987 ASAP appendix): In general, the flight rates projected by NASA are consistent with the conclusions of the NRC Panel. Their four orbiter flight rate of about 12 flights per year was characterized as a reasonable expected sustainable level. The rationale was that four flights per year can be achieved by each orbiter, but that only three of the four orbiters can be relied upon to be available on a continuing basis, due to unexpected problems and related maintenance and inspection requirements. The NRC also concluded that the space shuttle should have the capacity to surge above this sustainable level for short periods of time. NASA’s current planning is based on a gradual buildup to 11 flights per year in the first four years after operations resume, with a later increase to 13 or 14 when the replacement orbiter joins the fleet. The actual flight rates will be adjusted on the basis of operational experience, with appropriate contingency allowances in the shuttle processing schedules to minimize the buildup of launch pressure. For greater assurance of access to space and to reduce the demands on the shuttle for payloads that do not require its unique capabilities, Dr. Fletcher directed Admiral Truly, Associate Administrator for Space Flight, to conduct a NASA-wide study of a mixed fleet strategy, using expendable launch vehicles to augment the shuttle. The study recommended that Delta, Atlas, and Titan class vehicles be utilized for those payloads that could be launched on ELVs (about 25 percent of the NASA payloads). It also recommended that for the period beyond 1992, NASA, with the DOD, should develop a heavy lift launch vehicle capability to meet the needs of this Nation. Implementation plans for both recommendations are being developed as part of the ongoing NASA planning and budgeting process.

Aerospace Safety Advisory Panel (NASA Charter), February 1987

Finding Safety-1: The Panel finds that three fundamental weaknesses appear evident. First, there has been a lack of in-line responsibility and authority in the Headquarters organization for establishing policy for the safety engineering function throughout NASA. Second, the elements of the safety functions that have been accomplished at various locations did not include responsibility for defining and controlling the validation and certification programs. Third, there is a conscious lack of quantitative approaches to determine failure-mode probabilities for the purposes of defining acceptable margins, and the relative likelihood of resulting system interactive hazards.

Recommendation Safety-1: Within the newly established Safety, Reliability, Maintainability and Quality Assurance (SRM&QA) organization, NASA should develop the operating policy for all NASA SRM&QA and have the authority to ensure implementation. At each Center there should be a NASA Safety Engineering function reporting to the Center Director. This function should be matrixed into the various programs/projects and should be responsible for implementation of safety policies established by the Headquarters organization.

NASA should continue to independently review all payload components with regard to their individual inherent safety, and should analyze the safety implications of the potential interactions of payloads in the event of a malfunction of any individual one.

NASA Response (in 1987 ASAP appendix): NASA has significantly strengthened the SRM&QA function both at headquarters and at the field centers. The Associate Administrator for SRM&QA reports directly to the Administrator and is responsible for developing operating policy for the NASA SRM&QA functions throughout NASA. He has the authority to ensure implementation of these policies. Each of the flight centers has a SRM&QA Director who reports directly to the center director.

There is a safety engineering function within the center SRM&QA Director’s organization. It is our intent to matrix SRM&QA personnel to their line organization for overview and oversight purposes. SRM&QA responsibilities within the programs will reside with the line organizations and they will have their own personnel to accomplish the safety engineering functions within the program/project. Additional personnel may be matrixed between program projects for this purpose to assure full compliance with SRM&QA objectives.

Rogers Commission (Presidential Charter), 6 June 1986

Recommendation I – Design: The faulty Solid Rocket Motor joint and seal must be changed. This could be a new design eliminating the joint or a redesign of the current joint and seal. No design options should be prematurely precluded because of schedule, cost or reliance on existing hardware.

Original Response (Fletcher, 14 July 1986): On March 24, 1986, the Marshall Space Flight Center (MSFC) was directed to form a Solid Rocket Motor (SRM) joint redesign team to include participation from MSFC and other NASA centers as well as individuals from outside NASA. The team includes personnel from Johnson Space Center, Kennedy Space Center, Langley Research Center, industry, and the Astronaut Office. To assist the redesign team, an expert advisory panel was appointed which includes 12 people with six coming from outside NASA.

Ultimate Result: The result was the Redesigned Solid Rocket Motor (RSRM), later renamed the Reusable Solid Rocket Motor.

Rogers Commission (Presidential Charter), 6 June 1986

Recommendation I – Independent Oversight: The Administrator of NASA should request the National Research Council to form an independent Solid Rocket Motor design oversight committee to implement the Commission's design recommendations and oversee the design effort.

Original Response (Fletcher, 14 July 1986): In accordance with the Commission’s recommendation, the National Research Council (NRC) has established an Independent Oversight Group chaired by Dr. H. Guyford Stever and reporting to the NASA Administrator. The NRC Oversight Group has been briefed on Shuttle system requirements, implementation, and control; Solid Rocket Motor background; and candidate modifications. The group has established a near-term plan that includes briefings and visits to review in-flight loads; assembly processing; redesign status; and other solid rocket motor designs, including the Titan. Longer term plans are being formulated by the group including participation in the Solid Rocket Motor preliminary design review in September 1986.

Rogers Commission (Presidential Charter), 6 June 1986

Recommendation II – Shuttle Management Structure: The Shuttle Program Structure should be reviewed. The project managers for the various elements of the Shuttle program felt more accountable to their center management than to the Shuttle program organization. Shuttle element funding, work package definition, and vital program information frequently bypass the National STS (Shuttle) Program Manager. A redefinition of the Program Manager's responsibility is essential. This redefinition should give the Program Manager the requisite authority for all ongoing STS operations. Program funding and all Shuttle Program work at the centers should be placed clearly under the Program Manager's authority.

Original Response (Fletcher, 14 July 1986): The Administrator has appointed General Sam Phillips, who served as Apollo Program Director, to study every aspect of how NASA manages its programs, including relationships between various field centers and NASA Headquarters. General Phillips has broad authority from the Administrator to explore every aspect of NASA organization, management and procedures. His activities will include a review of the Space Shuttle Office of Safety, Reliability, and Quality Assurance, and to the existing Aerospace Safety Advisory Panel.

On June 25, 1986, Astronaut Robert Crippen was directed to form a fact-finding group to assess the Space Shuttle management structure. The group will report recommendations to the Associate Administrator for Space Flight by August 15, 1986. Specifically, this group will address the roles and responsibilities of the Space Shuttle Program Manager to assure that the position has the authority commensurate with its responsibilities. In addition, roles and responsibilities at all levels of program management will be reviewed to specify the relationship between the program organization and the field center organizations. The results of this study will be reviewed with General Phillips and the Administrator with a decision on implementation of the recommendations by October 1, 1986.

Rogers Commission (Presidential Charter), 6 June 1986

Recommendation II – Astronauts in Management: The Commission observes that there appears to be a departure from the philosophy of the 1960s and 1970s relating to the use of astronauts in management positions. These individuals brought to their positions flight experience and a keen appreciation of operations and flight safety.

Original Response (Fletcher, 14 July 1986): Rear Admiral Richard Truly, a former astronaut, has been appointed as Associate Administrator for the Office of Space Flight. Several active astronauts are currently serving in management positions in the agency. The Crippen group will address means to stimulate the transition of astronauts into other management positions. It will also determine the appropriate position for the Flight Crew Operations Directorate within the NASA organizational structure.

Rogers Commission (Presidential Charter), 6 June 1986

Recommendation II – Shuttle Safety Panel: NASA should establish an STS Safety Advisory Panel reporting to the STS Program Manager. The Charter of this panel should include Shuttle operational issues, launch commit criteria, flight rules, flight readiness and risk management. The panel should include representation from the safety organization, mission operations, and the astronaut office.

Original Response (Fletcher, 14 July 1986): A Shuttle Safety Panel will be established by the Associate Administrator for Space Flight not later than September 1, 1986, with direct access to the Space Shuttle Program Manager. This date allows time to determine the structure and function of this panel, including an assessment of its relationship to the newly formed Office of Safety, Reliability, and Quality Assurance, and to the existing Aerospace Safety Advisory Panel.

Rogers Commission (Presidential Charter), 6 June 1986

Recommendation III – Criticality Review and Hazard Analysis: NASA and the primary Shuttle contractors should review all Criticality 1, 1R, 2, and 2R items and hazard analyses. This review should identify those items that must be improved prior to flight to ensure mission safety. An Audit Panel, appointed by the National Research Council, should verify the adequacy of the effort and report directly to the Administrator of NASA.

Original Response (Fletcher, 14 July 1986): On March 13, 1986, NASA initiated a complete review of all Space Shuttle program failure modes and effects analyses (FMEAs) and associated critical item lists (CILs). Each Space Shuttle project element and associated prime contractor is conducting separate comprehensive reviews which will culminate in a program-wide review with the Space Shuttle Program Manager at Johnson Space Center later this year. Technical specialists from outside the Space Shuttle program have been assigned as formal members of each of these review teams. All Criticality 1 and 1R critical item waivers have been cancelled. The teams are required to reassess and resubmit waivers in categories recommended for continued program applicability. Items which cannot be revalidated will be redesigned, qualified, and certified for flight. All Criticality 2 and 3 CILs are being reviewed for proper categorization. This activity will culminate in a comprehensive final review with NASA Headquarters beginning in March 1987.


As recommended by the Commission, the National Research Council has agreed to form an Independent Audit Panel, reporting to the NASA Administrator, to verify the adequacy of this effort.

Rogers Commission (Presidential Charter), 6 June 1986

Recommendation IV – Safety Organization: NASA should establish an Office of Safety, Reliability and Quality Assurance to be headed by an Associate administrator, reporting directly to the NASA Administrator. It would have direct authority for safety, reliability, and quality assurance throughout the agency. The office should be assigned the work force to ensure adequate oversight of its functions and should be independent of other NASA functional and program responsibilities.

Original Response (Fletcher, 14 July 1986): The NASA Administrator announced the appointment of Mr. George A. Rodney to the position of Associate Administrator for Safety, Reliability, and Quality Assurance on July 8, 1986. The responsibilities of this office will include the oversight of safety, reliability, and quality assurance functions related to all NASA activities and programs and the implementation of a system for anomaly documentation and resolution to include a trend analysis program. One of the first activities to be undertaken by the new Associate Administrator will be an assessment of the resources including workforce required to ensure adequate execution of the safety organization functions. In addition, the new Associate Administrator will assure appropriate interfaces between the functions of the new safety organization and the Shuttle Safety Panel which will be established.


Rogers Commission (Presidential Charter), 6 June 1986

Recommendation V – Improved Communications: The Commission found that Marshall Space Flight Center project managers, because of a tendency at Marshall to management isolation, failed to provide full and timely information bearing on the safety of flight 51-L to other vital elements of Shuttle program management.

Original Response (Fletcher, 14 July 1986): On June 25, 1986, Astronaut Robert Crippen was directed to form a team to develop plans and recommended policies for the following:

1. Implementation of effective management communications at all levels.

2. Standardization of the imposition and removal of STS launch constraints and other operational constraints.

3. Conduct of Flight Readiness Review and Mission Management Team meetings, including requirements for documentation and flight crew participation.

Since this recommendation is closely linked with the recommendation on Shuttle management structure, the study team will incorporate the plan for improved communications with that for management restructure.

This review of effective communications will consider the activities and information flow at NASA Headquarters and the field centers which support the Shuttle program. The study team will present findings and recommendations to the Associate Administrator for Space Flight by August 15, 1986.


Rogers Commission (Presidential Charter), 6 June 1986

Recommendation VI – Landing Safety: NASA must take actions to improve landing safety.

Original Response (Fletcher, 14 July 1986): A Landing Safety Team has been established to review and implement the Commission’s findings and recommendations on landing safety. All Shuttle hardware and systems are undergoing design reviews to insure compliance with the specifications and safety concerns. The tires, brakes, and nose wheel steering system are included in this activity, and funding for a new carbon brakes system has been approved. Runway surface tests and landing aid requirement reviews had been under way for some time prior to the accident and are continuing. Landing aid implementation will be complete by July 1987. The interim brake system will be delivered by August 1987. Improved methods of local weather forecasting and weather-related support are being developed. Until the Shuttle program has demonstrated satisfactory safety margins through high fidelity testing and during actual landings at Edwards Air Force Base, the Kennedy Space Center landing site will not be used for nominal end-of-mission landings. Dual Orbiter ferry capability has been an issue for some time and will be thoroughly considered during the upcoming months.


Rogers Commission (Presidential Charter), 6 June 1986

Recommendation VII – Launch Abort and Crew Escape: The Shuttle program management considered first-stage abort options and crew escape options several times during the history of the program, but because of limited utility, technical infeasibility, or program cost and schedule, no systems were implemented.

Original Response (Fletcher, 14 July 1986): On April 7, 1986, NASA initiated a Shuttle Crew Egress and Escape review. The scope of this analysis includes egress and escape capabilities from launch through landing and will provide analyses, concepts, feasibility assessments, cost, and schedules for pad abort, bailout, ejection systems, water landings, and powered flight separation. This review will specifically assess options for crew escape during controlled gliding flight and options for extending the intact abort flight envelope to include failure of 2 or 3 main engines during the early ascent phase. In conjunction with this activity, a Launch Abort Reassessment Team was established to review all launch and launch abort rules to ensure that launch commit criteria, flight rules, range safety systems and procedures, landing aids, runway configurations and lengths, performance versus abort exposure, abort and end-of-mission landing weights, runway surfaces, and other landing-related capabilities provide the proper margin of safety to the vehicle and crew. Crew escape and launch abort studies will be complete on October 1, 1986, with an implementation decision in December 1986.

Rogers Commission (Presidential Charter), 6 June 1986

Recommendation VIII – Flight Rate: The nation's reliance on the Shuttle as its principal space launch capability created a relentless pressure on NASA to increase the flight rate. Such reliance on a single launch capability should be avoided in the future. NASA must establish a flight rate that is consistent with its resources. A firm payload assignment policy should be established. The policy should include rigorous controls on cargo manifest changes to limit the pressures such changes exert on schedules and crew training.

Original Response (Fletcher, 14 July 1986): In March 1986 NASA established a Flight Rate Capability Working Group. Two flight rate capability studies are under way: (1) a study of capabilities and constraints which govern the Shuttle processing flows at the Kennedy Space Center and (2) a study by the Johnson Space Center to assess the impact of flight specific crew training and software delivery/certification on flight rates. The working group will present flight rate recommendations to the Office of Space Flight by August 15, 1986. Other collateral studies are still in progress which address Presidential Commission recommendations related to spares provisioning, maintenance, and structural inspection. This effort will also consider the National Research Council independent review of flight rate which is under way as a result of a Congressional Subcommittee request.

NASA strongly supports a mixed fleet to satisfy launch requirements and actions to revitalize the United States expendable launch vehicle capabilities.

Additionally, a new cargo manifest policy is being formulated by NASA Headquarters which will establish manifest ground rules and impose constraints to late changes. Manifest control policy recommendations will be completed in November 1986.

Rogers Commission (Presidential Charter), 6 June 1986

Recommendation IX – Maintenance Safeguards: Installation, test, and maintenance procedures must be especially rigorous for Space Shuttle items designated Criticality 1. NASA should establish a system of analyzing and reporting performance trends of such items. Maintenance procedures for such items should be specified in the Critical Items List, especially for those such as the liquid-fueled main engines, which require unstinting maintenance and overhaul.

Original Response (Fletcher, 14 July 1986): A Maintenance Safeguards Team has been established to develop a comprehensive plan for defining and implementing actions to comply with the Commission recommendations concerning maintenance activities. A Maintenance Plan is being prepared to ensure that uniform maintenance requirements are imposed on all elements of the Space Shuttle program. This plan will define the structure that will be used to document (1) hardware inspections and schedules, (2) planned maintenance activities, (3) maintenance procedures configuration control, and (4) maintenance logistics. The plan will also define organizational responsibilities, reporting, and control requirements for Space Shuttle maintenance activities. The maintenance plan will be completed by September 30, 1986.

A number of other activities are underway which will contribute to a return to safe flight and strengthening the NASA organization. A Space Shuttle Design Requirements Review Team headed by the Space Shuttle Systems Integration Office at Johnson Space Center has been assigned to review all Shuttle design requirements and associated technical verification. The team will focus on each Shuttle project element and on total Space Shuttle system design requirements. This activity will culminate in a Space Shuttle Incremental Design Certification Review approximately 3 months prior to the next Space Shuttle launch.

In consideration of the number, complexity, and interrelationships between the many activities leading to the next flight, the Space Shuttle Program Manager at Johnson Space Center has initiated a series of formal Program Management Reviews for the Space Shuttle program. These reviews are structured to be regular face-to-face discussions involving the managers of all major Space Shuttle program activities. Specific subjects to be discussed at each meeting will focus on progress, schedules, and actions associated with each of the major program review activities and will be tailored directly to current program activity for the time period involved. The first of these meetings was held at Marshall Space Flight Center on May 5-6, 1986, with the second at Kennedy Space Center on June 25, 1986. Follow-on reviews will be held approximately every 6 weeks. Results of these reviews will be reported to the Associate Administrator for Space Flight and to the NASA Administrator.

Only Findings and Recommendations relevant to the Space Shuttle Program have been extracted from each report.

The Organizations making the reports – and their charters - are as follows:

Aerospace Safety Advisory Panel (ASAP): “The Panel shall review safety studies and operations plans referred to it and shall make reports thereon, shall advise the Administrator with respect to the hazards of proposed operations and with respect to the adequacy of proposed or existing safety standards, and shall perform such other duties as the Administrator may request.” NASA Authorization Act of 1968 | Public Law 90-67, 42 U.S.C. 2477


Space Shuttle Independent Assessment Team (SIAT): The Space Shuttle Independent Assessment Team was chartered in September 1999 by the NASA Administrator to provide an independent review of the Space Shuttle subsystems and maintenance practices.
