User:Cooperhowieson/sandbox

= NASA's Organizational Failings in the Space Shuttle Disasters = With it's first mission launched in 1981, the Space Shuttle Program began a new phase in NASA's space exploration. Over the course of 30 years the program launched 135 missions, and employed a fleet of five innovative shuttles [1]. The program marked the first application of a reusable space vehicle and was integral in the construction of the International Space Station (ISS). Despite the programs accomplishments, it did not avoid catastrophe, as two of it's missions ended in disaster. On January 28, 1986 Space Shuttle Challenger experienced vehicle breakup shortly after liftoff, resulting in the death of it's seven person crew [2]. This event, witnessed on live TV by thousands of Americans, raised alarming questions about NASA's safety practices. Ultimately the lessons learned from Challenger failed to prevent another disaster. On February 1, 2003 Space Shuttle Columbia disintegrated upon it's descent back to earth, once again losing it's whole crew [3]. This further illustrated the pervasive organizational issues within NASA.

O-rings
As will be discussed later, the main cause of the accident was the failure of seals on the Solid Rocket Boosters (SRB). The Space Shuttle is composed of the orbiter, external fuel tank and two SRBs. The SRBs are used only at takeoff and are discharged from the orbiter once all the fuel has been expended. The SRBs are composed of several parts which are held together at joints with pressure seals. At the time of the accident the joints utilized two flexible O-rings designed to block hot gases from escaping through the joints.

O-ring Development and Concerns
At the beginnings of the design and testing phase, the SRB contractor Morton Thiokol was experiencing troubles with the performance of the joint seals. Testing showed that the seals were not reacting to launch conditions as they had expected. There were various engineers from both Thiokol and NASA who expressed concern with the adequacy of the design. Despite this, production went forward and the design was granted acceptable for use. Internal memos written by alarmed NASA engineers intended to reach Thiokol were blocked by upper NASA management. Given the level of sophistication of the SRBs, there was no existing data or experience that could aid NASA in how much risk they could accept within the design. After earlier flights revealed erosion of the O-rings due to hot gases, the O-rings were classified as a category 1R component. This category was deemed for components in which failure which result in the loss of the vehicle and crew. The R stood for redundancy meaning that there was a redundancy mechanism in place. This classification was soon changed to category 1, as it was determined that the redundant mechanism was not satisfactory. This classification placed constraints on each launch, meaning that the issue would need to be addressed before any launch. However, NASA management decided to waive these constraints for every launch after the classification change. The issues continued, and several missions experienced severe damage to the O-rings, prompting Thiokol to create a task force to handle the situation. It was reported that this task force was given very little resources and was essentially unable to perform any productive work. At this point they had also noticed a correlation between cold temperature and O-ring performance. Internal documents and post-accident testimony reveled that engineers within both Thiokol and NASA were extremely worried with the situation but were helpless within the bureaucracy of their respective organizations.

The Accident
The accident was a result of the failure a pressure seal in the aft field joint of the right solid rocket booster. It was estimated that the temperature at the failed joint was approximately 28 ± 5 degrees Fahrenheit at the time of the launch [2]. Upon ignition the seal failed, and hot gases leaked from the rocket booster. 73 seconds after launch, these hot gases caused a fire on the SRB and external fuel tank, leading to structural failure and the breakup of the vehicle [2]. As a result the seven person crew were lost, in NASA's worst accident since the Apollo 1 fire.

The Decision Making leading up to the Accident
NASA's pre-launch protocol consisted of several levels of Flight Readiness reviews, all of which were responsible for the approval of different components of the Space Shuttle. The Kennedy Space Centre was primarily responsible with the launch of the Shuttle, while the Marshall Space Centre was responsible for the SRBs, external fuel tank and main engines. The decision making process leading up to the launch were centered around these two levels and a breakdown of the major events/decisions is provided below:

January 27, 1986:


 * 1) Approximately 1:00 PM: Kennedy Centre managers ask Thiokol if they have any concerns over launching at such low-temperatures [2].
 * 2) Approximately 2:30 PM: Thiokol engineers raise concerns over O-ring performance at lower temperatures, referencing performance issues on previous missions [2].
 * 3) Approimately 5:30-8:45 PM: Discussions between Kennedy Centre, Johnson Centre and Thiokol personnel. Thiokol presents previous issues experienced on past missions, and provide data illustrating the correlation between cold temperature and poor O-ring performance. Thiokol management recommend not launching unless a temperature of 53 degrees Fahrenheit is reached. Kennedy center managers are reportedly "appalled" by recommendation and raise questions of Thiokol's data. Thiokol management ask for a break to discuss the decision [2].
 * 4) Approximately 10:30 PM: Internal Thiokol meetings. Thiokol managers and engineers discuss launch, engineers voice concerns over launching. Thiokol senior management hold meeting, excluding the engineers. Thiokol management decide there is substantial room for error in the pressure seal design, and launch can be recommended. It was reported that one senior member told another reluctant member to "put your management hat on" [2].
 * 5) Approximately 11:00 PM: Final discussion between Kennedy Centre, Johnson Centre and Thiokol personnel. Thiokol explain reasons for o-ring concerns but provide rationale for recommending a launch. NASA management ask for the recommendation in writing [2].
 * 6) Approximaetly 11:45 PM: Kennedy Centre receives Thiokols launch recommendation [2].

January 28, 1986:


 * 1) Approximately 7:00-9:00 AM: NASA Launch Pad Ice Crew inspections measure temperature of 25 and 8 degrees Fahrenheit on parts of left and right SRBs. Information is never communicated as launch criteria do not include temperature limits [2].
 * 11:38 AM: Space Shuttle Challenger Launches [2].
 * 11:39 AM: 73 seconds after launch, Challenger explodes, killing the whole crew [2].

Cause of Accident
The accident was the result of damage exerted on the orbiters left wing. During launch a piece of insulating foam from the external fuel came loose and struck the leading edge of the orbiter's left wing. This caused damage to the wings heat-resistant tiling, a crucial component of the wing. Upon re entry, the substantial amounts of heat experienced by the orbiter reached the inside of the wings superstructure. The heat melted the structure weakening the wing until failure. The resulting aerodynamic forces exerted on the vehicle lead to complete loss of control and vehicle breakup [6].

A History of Foam Strikes
Since the very beginning of the Space shuttle program, foam from the external fuel tank had been coming lose and striking the orbiter. This at first had caused large concern within NASA, as the potential damage of foam strikes was still unknown. However, as each mission returned safely, NASA personnel became confident that the foam strikes posed no concern and were treated as a maintenance issue opposed to a flight risk. Foam strikes occurred on every space shuttle mission, and small amounts of damage were frequently found on the orbiter. Eventually, NASA began to refer to these instances as "foam shedding" rather than the original "debris strike".

Detection of the Damage and NASA's Decisions
Given NASA's experience with the foam strikes, imaging detection systems were already in place. Initial review did not detect any anomalies, but the day following higher resolution images revealed what appeared to be a large piece of foam striking the bottom of the left wing. The large size of the foam piece caused concern among NASA personnel, and a Debris Strike Assessment team was created to conduct a formal review. Upon analysis of the video it was decided that further imaging was needed to determine the severity of the damage, if any. The Debris team sent a request to the Johnson Space Centre Management to expecting the request to be forwarded to the Space Shuttle Program managers. The Johnson Centre managers declined the request. The debris team than turned to using mathematical models to determine the amount of damage the orbiter could have experienced. Upon determining that the damage was significant enough to cause heat damage, the debris team mad a presentation to the Mission Evaluation Room. Once again the strike was not deemed significant enough to warrant imaging, and the debris team's request was denied any.

NASA's Changing Culture
These accidents were largely a result of NASA's organizational structure and culture, but several external pressures cannot be ignored. After the conclusion of the space race, NASA's budget was cut substantially, and the US government's interest in further funding of space exploration was dwindling. This had far-reaching affects on the organizational structure and attitude of NASA. Previously, NASA's main focus was creating the most effective and safe components, with little worry for budget and resources. This was exemplified in the significant engineering achievements and success of the Apollo missions. But this all changed after Apollo. With a slashed budget and increasing questions around the future of the organization, NASA sought to create an efficient means of transporting astronauts to space. This resulted in the idea of a reusable space craft, which eventually culminated in the Space Shuttle. NASA had a vision of conducting Shuttle missions on a weekly basis, a retrospectively ambitious goal. Starting in the 1970s, development of the shuttle was plagued with issues [2]. NASA had to turn to several subcontractors to build various components of the craft, leading to design and production oversight issues. Eventually, the first shuttle was launched in 1981, but NASA's issues continued. It soon became apparent that the amount of logistics needed to conduct once launch was causing major problems for NASA. Each mission required large amounts of resources and NASA struggled to keep up. By the time of the Challenger disaster, the Shuttle was still under research and development, but NASA was treating the Shuttle as operational. The contrasting differences between the organizations goals and operating capacity resulted in a dangerous culture which will be analyzed win the nest section.

Challenger
Many issues can be found within the events leading up to the Challenger launch, but analyzing the development and history of the o-rings and the decision making done on the day before launch can illustrate the underlying problems within NASA's culture. From the very start, many issues were raised about the effectiveness of the o-ring design. These issues were illustrated not only within testing of the o-rings, but from shuttle missions. But NASA decided that these problems could be accepted as 'flight risks', as the cost of designing and developing new pressure seals, was too great. The shuttle program was in full swing and the financial and political pressure being faced by NASA was substantial. Furthermore, NASA was under large pressure to deem the program operational and could not afford any major setbacks. This resulted in the attitude that if the seals didn't fail last time, then they wouldn't the next. This can be referred to as the normalization of deviance and became widespread within the organization [4]. NASA became more and more willing to accept risks within their design, as long as no catastrophic failure was encountered. From an organizational behavior standpoint, motivation and Groupthink can be discussed as causes of this phenomenon. The political and financial pressures experienced by the senior management at NASA, had it's affects on the whole organization and was felt throughout all levels of management. It can be assumed that managers motivated by pushing development along, rather than focusing on safety concerns, became more and more accepting of risk. These underlying pressures would be compounded by the pressure to conform within the organization allowing groupthink to thrive. This ultimately led to issues surrounding the o-rings to be considered acceptable risks. Furthermore, NASA's compartmentalized structure and lack of a strong safety oversight program allowed these issues to stay within isolated areas where engineers and managers were ill equipped to handle the problem. Additionally, this isolation of the problem allowed the managers dealing with it to keep it hidden, and the attitude to do nothing about it prevailed. With a lack of past experience, insufficient resources to conduct more testing and a risk accepting culture, the o-rings were allowed to be deemed acceptable.

The events that preceded the decision to launch challenger, illustrated a faulty organizational structure with a dangerous attitude towards safety. Concerns surrounding the cold temperatures were not brought up until the day before the launch. This is alarming, as it allowed Thiokol engineers very little time to analyze data, come to a conclusion, and successfully present their recommendations. This was shown as Thiokol engineers mistakenly presented slides that had been previously used to support launches on cold days. When Thiokol recommended to not launch unless 53 degrees Fahrenheit was achieved, they were greeted with intense criticism from NASA managers. This pressure had significant affects on Thiokol managers, as immediately after they reversed their previous decision. The discussions between the Thiokol managers and NASA reveal two alarming occurrences: the decision was essentially treated as a negotiation, and safety and engineering decisions were treated as management decisions. Thiokol was aware of NASA's strong intention to launch the next day as the publicity of Christa McAullife on the mission, and the various launch delays added to the urgency to successfully launch. With NASA's clear disappointment with the first recommendation, Thiokol decided to reevaluate their decision. Furthermore, Thiokol was tasked with providing evidence of why to not launch, opposed to proving it was safe to launch. With the lack of data, it was virtually impossible for Thiokol to prove it was not safe to launch. With all of the pressure, it seems as though Thiokol reached an 'agreement' with NASA. Furthermore, Thiokol's internal meetings raise questions as to how the o-ring problem was dealt with. First and foremost the issue should have been treated as an engineering problem. This would have narrowed the issue down to the question of whether they could confirm the o-rings performance under the cold temperatures. Given the lack of resources, the answer to this would have been no, and the decision on a safety basis would have been to not launch. However, this was not the case, as the problem was treated as a management problem. Engineers were excluded from the final Thiokol meeting and the decision was made by senior management opposed to the engineers who specialized in the o-rings. This is exemplified by the infamous "put your management hat on" quote. The effects of groupthink cannot be ignored within Thiokol's decision. With the underlying knowledge that delaying the launch would displease NASA, and a prevailing attitude among the managers that they should launch, Thiokol managers rationalized the decision to recommend launch upon essentially baseless ground.

Columbia
The mistakes made by NASA in the Challenger disaster were repeated for Columbia. The normalization of deviance was once again found in how NASA dealt with the foam debris strikes as the prevailing attitude was once again to accept the risk. Another alarming assumption was once again being made at NASA. With the case of the o-rings and debris strikes, the results were outside of the design parameters, but were still performing without failure. This prompted NASA to increase their assumptions of the resiliency of the systems [5]. The debris strikes had occurred on every mission, but the Columbia strike was of much greater size than NASA had seen ever seen before. It would be assumed that this would warrant more attention, but NASA managers, normalized to the strikes, deemed it of no flight risk. The decision to do nothing until major problem occur was once again made. Unfortunately for the astronauts who lost their lives, when major problems occur in such a high risk task as spaceflight, the results are often catastrophic. The Columbia disaster once again raised the question of how NASA deals with safety and risk. However, an often ignored aspect that should be discussed is that of NASA's ethics. With the complexity and risk involved with NASA's work, there should not be any room for uncertainty, let alone "acceptable risk". As discussed earlier, NASA found themselves basing the safety of components upon the fact that they did not fail the last time. This is inherently a flawed assumption and it is disturbing that it had become so widespread within an organization responsible for people's lives. NASA rationalized putting people's lives at risk, through "acceptable risk".

Columbia also served to show resiliency of organizational culture. Faced with large backlash from the Challenger disaster, NASA had an opportunity to reshape it's organizational structure and culture. The almost absent safety program that had been discovered after Challenger, had not changed. NASA's compulsiveness to prioritize mission objectives and optics rather than safety, still prevailed. It had been reported that NASA managers may have declined the debris team multiple image requests, as a granted image request would initiate emergency protocols. The Department of Defense would need to conduct the imaging and for some at NASA, this was not convenient. Once again, managers resorted to "sticking with the program" rather than raise possible safety concerns. The little change in attitude at NASA after the Challenger disaster, shows the deeply rooted and strong culture within NASA. Manager's appeared to conform to the culture out of both normalization to risks, and the motivation to keep the program running normally.

Conclusion
The space shuttle disasters were both tragic events that led to the loss of 14 lives. The two disasters permanently tainted the space shuttle program, and have had significant impacts of NASA. Despite this they serve as great examples of how demanding circumstances can create dangerous cultures. NASA faced with a substantially reduced budget, began to feel the pressure to constantly prove themselves worthy of government funding. With overly ambitious goals for the space shuttle program, dangerous practices started to emerge. Flight risks were deemed more and more acceptable with every mission that did not end in disaster. Group think and a pressure to perform led NASA manager's into flawed decision making. Furthermore, NASA illustrated the difficulties with changing culture that has been rooted in an organization for decades. NASA's responsibility for the Challenger disaster should have marked a large shift within the organizations safety standards, and attitudes. However, this was not the case as once again, NASA's reluctance to change led the way to the Columbia disaster.