300 N. Washington St.
Suite B-100
Alexandria, VA 22314
info@globalsecurity.org

GlobalSecurity.org In the News




The Washington Post March 2, 2003

NASA's Culture of Certainty

Debate Was Muffled On Risks to Shuttle

By Kathy Sawyer and R. Jeffrey Smith, Washington Post Staff Writers

Sitting in the Houston Mission Control center on the morning of Feb. 1, mechanical systems officer Jeff Kling noticed the first hint of trouble aboard the space shuttle Columbia. "FYI, I've just lost four separate temperature transducers on the left side of the vehicle," he told entry flight director Leroy Cain.

A day earlier, Kling had been in the thick of an e-mail exchange among colleagues at the Johnson Space Center who had conjured up a nightmare scenario that began much the same way. One engineer predicted precisely what might happen if superheated gas were to penetrate the left wing as the shuttle began its plunge into the atmosphere.

"First would be a temperature rise for the tires, brakes, strut actuator and the uplock actuators return," R. Kevin McCluney had written. "Then the data would start dropping out as the electrical wiring is severed."

Now the nightmare was coming true, but Kling said his first response was disbelief.

No one knows for sure yet why the Columbia broke apart, killing its seven-person crew. But since the disaster, the space agency's decision to proceed as if nothing would go amiss is looking increasingly like a metaphor for a broader set of institutional failings, independent experts say.

In particular, a series of e-mails released by NASA in the past week and interviews with several key NASA officials make clear that the agency unquestioningly accepted technical analyses -- done by a contractor with a huge financial stake in the shuttle's success -- that concluded that the shuttle's heat shielding had not been dangerously damaged by debris that struck the left wing during launch. Officials also blocked efforts to search for information, such as photographic images, that might have conflicted with that analysis.

While some engineers in Houston and at NASA's Langley Research Center in Hampton, Va., sounded alarms, no one pushed to bring the issue to the attention of more senior managers or to inform the crew before the landing attempt.

And even though the engineers imagined scenarios that exactly matched how the disaster eventually unfolded, none recommended reexamining the Columbia's long-established landing plan.

Despite the gloomy discussion the day before Columbia's reentry, Kling said he arrived at the space center on Feb. 1 fully expecting a smooth descent to landing.

Neither he nor any other engineers who had pondered the "worst-case scenarios" -- stretching even to the complete loss of the shuttle -- felt a need to inform the crew, prepare contingency plans or convey their concerns to higher management.

Outside experts and sources close to the board NASA appointed to investigate the disaster say they suspect the engineering staff fell victim to a form of "group think," in which they avoided confronting head-on the imminent possibility of the agency's signal failure -- the loss of a shuttle and its crew.

NASA Administrator Sean O'Keefe, who was waiting at the landing strip for the shuttle on Feb. 1, has said he was unaware of any engineers' alarms. He told reporters Friday that the problem was mostly one of poor data, not poor communication. If the agency had any reason to expect what lay ahead, he said, it would have spared no effort to find a solution and save the crew.

But Charles L. Bosk, a sociology professor at the University of Pennsylvania who teaches a class on NASA, is among several academic experts who find the incident disturbingly reminiscent of the shuttle Challenger's explosion because of NASA missteps in 1986. "The lesson here is that [NASA] culture learned nothing from Challenger, or forgot whatever it learned," Bosk said after studying the latest e-mails. "It sure looks like a flawed process."

Bosk pointed to the disparity between the engineers' consideration of possible failure in days before landing and the agency's blithe determination on the last day to believe a good outcome was certain. "Engineers were forced to pass an answer, not confusion and uncertainty, up to the next level," he said, and they appeared to be heavily influenced by the agency's "can-do" atmosphere. "That's really chilling -- the notion that failure, gentlemen, is not an option."

The e-mails released last week are the third set disclosed since the accident, and still represent just a small portion of the agency's internal communications while the astronauts were in orbit. But significantly, they provide the first glimpse of deliberations at the Johnson Space Center one floor beneath the flight control center -- in an office known as the Mission Evaluation Room where all technical problems during a flight are supposed to be addressed.

That glimpse is sharply at odds with the agency's relentlessly upbeat public reports, which made no mention of possible tile damage from the insulating foam or other debris that struck the orbiter's wing 81 seconds after launch, and the subsequent debate within the agency about what it might mean.

The first tip-off of potential trouble reached the flight control team on the second day, when analysts working for Lockheed Martin Corp., a major NASA contractor, spotted the debris strike on grainy video trained on the shuttle during launch. Their discovery ignited sufficient alarm for the Mission Evaluation Room director, Don L. McCormack, to order a technical probe.

The assignment fell to engineers at Boeing Co., NASA's principal subcontractor for the shuttle program and a company that reaps about $ 2 billion annually from all its contracts with NASA.

In some respects, Boeing was a natural choice. Its technicians were intimately familiar with the Columbia, having overseen all maintenance and modifications to it since 1996. But the decision to put them in charge of assessing the tile damage also placed them in the awkward position of passing judgment, in effect, on whether the company had taken adequate care to prevent such a potentially serious problem. vBoeing has said since the accident that its only consideration was crew safety. But its fee arrangement with NASA includes layers of penalties if a mission is truncated or lost, inescapably giving the teams' conclusions financial implications, as well.

"This was all the more reason for NASA to draw in as many people as possible" in the discussion, said Diane Vaughan, a Boston College sociology professor who has written a book on NASA's decision-making culture. Flight controllers have never turned to outsiders for advice while astronauts were in orbit.

The nine-member team Boeing assembled to analyze the issue -- the debris' size, density, area of impact, speed, angle, and the degree of tile damage -- included engineers in Houston and Huntington Beach, Calif. Seven of them, the company has said, have shuttle-related experience totaling 100 years. But for two others who may have played a critical role, the Columbia mission was the first flight they had supported.

"There were people who were not very highly qualified" involved in the effort, said Brig. Gen. Duane W. Deal, a member of the investigation board, in an interview. "That is something we are looking at."

Boeing produced three written reports on the debris strike on the sixth, eighth and ninth days of the mission. In the first, it concluded that "a large piece of debris" measuring as much as 1,920 cubic inches may have struck the wing at a speed of up to 500 mph. In the second, it assumed the debris consisted solely of lightweight foam, and used a Boeing-written computer program known as Crater to predict that the debris might have gouged "multiple tiles . . . down to densified layer" -- raising the possibility of a safety risk from "large TPS [tile] damage."

But the engineers went on to play down this risk, noting that Crater "was designed to be conservative" and often overestimated the degree of damage in NASA tests. As a result, Boeing said in that report, it did not expect any breach in the heat shielding in any but the most serious cases examined. In its third and final study, Boeing said three pieces of debris -- not just one -- struck the shuttle, but omitted any conclusion about what this meant.

NASA and Boeing say its engineers conveyed only orally their final assurances that nothing serious would happen, adding there is no record of the conversation.

A source close to the accident board said he found these conclusions troubling. The Crater software "has been around since Apollo. But they don't believe it. And it does have assumptions . . . that really limit its usefulness," the source said. The program does not include the possibility that loss of one or two tiles could create a vortex that might strip off neighboring tiles.

The program did not, moreover, model the consequences of a strike against the wing's leading edge, which is covered not by tiles but by a tough carbon fiber coating. Some of Boeing's own work concluded the debris struck in the vicinity of Columbia's leading edge. Moreover, the largest particle strike ever tested in the laboratory by NASA -- either in the original Crater study or a subsequent analysis for the agency by the Southwest Research Institute -- was just three cubic inches, not 1,920.

Elisabeth Pat-Cornell, head of the management science and engineering department at Stanford University, who led a study of the debris threat for NASA in the early 1990s, said these are among the reasons she found the Boeing studies "optimistic. . . . The software seemed to assume, for example, that the tiles were well-bonded, seemed to assume a particular spot in which the foam hit the tiles. And in my opinion, it was not the 'worst case,' contrary to what they said."

Members of the NASA-appointed Columbia Accident Investigation Board have already suggested the Boeing study had other flaws. First, "that foam could have been saturated with ice, which would make it very dense" and much heavier, said retired Adm. Harold W. Gehman Jr., the board's chairman. "And oh, by the way, it's possible that that left bipod ramp is not the only source of foam. . . . There are other places that foam could have come from."

G. Scott Hubbard, a board member who directs NASA's Ames Research Center, said the Boeing team also had not adequately considered the possibility of "cryopumping" -- a phenomenon in which fingers of air, super-cooled by the liquid fuel in the shuttle's external tank, seep through holes in the foam and freeze the atmosphere into ice clumps that might be very hard to spot.

"If the [tank's] surface was open to the air, it would act like a magnet" for ice, Hubbard said in an interview. The heat of the shuttle's launch could force this ice to expand, "burping it out" and onto the heat shielding protecting the shuttle.

"My own interpretation is that whoever wrote this Boeing report really wanted to smooth over the situation," said William H. Starbuck, a social psychologist who teaches at New York University's business school. After the disaster, he noted, engineer Daniel Mazanek at NASA's Langley Research Center used the same information to estimate a very different possibility -- that the debris strike was perhaps comparable to a 500-pound safe hitting the wing at 365 mph.

Despite these shortcomings, the Boeing work was accepted by NASA engineers and formed the basis of all their subsequent decisions, according to a series of interviews with agency officials.

"We had proper teams looking at thermal analyses, and [they] came back with what we thought was a good result," Kling said this week. "We had no reason to doubt the thermal analysis that said there was not going to be any burn-through on the vehicle."

But there was more dissent and debate ahead.

On the day Boeing finished the first of its reports on the debris strike, a group of safety experts at the Johnson Space Center discussed the risks and concluded that NASA should ask the Defense Department to photograph the shuttle as it orbited. Wayne Hale, a veteran flight director currently serving as manager of shuttle launch integration at the Kennedy Space Center in Florida, acknowledged last week he raised the issue with the Air Force.

But others within NASA -- it remains unclear who made the decision -- withdrew the request before it could be carried out. NASA engineer J. Steven Stich, who works in the same group as Kling, told colleagues several days later in an e-mail that he informed the military no pictures were needed of potential tile damage from "ice or insulation," because "it is something that has happened before and is not considered to be a major problem."

Precisely what the military was preparing to do has not been disclosed. But Stich's message blocked NASA's sole opportunity to try to check the accuracy of Boeing's work through direct observation of the shuttle's tiles and the wing's leading edge.

"We truly appreciate the effort and apologize for any inconvenience the cancellation of the request may have caused," said Johnson center official Roger Simpson, in an e-mail to the Strategic Command on Jan. 23. He promised better coordination to ensure future requests do not "slip through the system and spin the community up about potential problems that have not been fully vetted through the proper channels."

Starbuck, at New York University, said he worries about the stifling implications of such a message. What Simpson is saying "is that management is trying to keep control of things. They don't want engineers playing around with ideas or looking at how realistic their assumptions are. In other words, nobody is supposed to think on their own."

According to the e-mails NASA has released so far, the first direct challenge to Boeing's conclusions from other engineers came on the 12th day of the flight, about the time that a team of flight managers overseeing the mission discussed the problem and concluded -- in roughly five minutes of conversation -- there would be no risk to the crew.

A thermal engineer named T. John Kowal sent an e-mail to other members of the engineering directorate at 10:35 a.m., warning that the Mission Evaluation Room report had wrongly concluded the tile damage was insufficient to breach "thermal and gas seals" over the wheel well and that a summary report produced by the group had fostered "a false sense of security."

Later that day, the debate widened when reentry and landing engineer Carlisle Campbell e-mailed a copy of the debris impact video to a counterpart at Langley Research Center. "Wow! I bet there are a few pucker strings pulled tight around there," responded the recipient, landing dynamics engineer Robert Daugherty.

Daugherty's concern grew steadily over the next two days, as he and Campbell discussed the danger that the excessive heat in the wheel well might deflate two of the shuttle's tires and put its landing at risk. On Jan. 30, two days before the expected shuttle reentry, Daugherty conjured seven disaster scenarios and sent them in an e-mail to David Lechner, a young engineer with United Space Alliance, a Boeing/Lockheed Martin joint venture that manages shuttle operations for NASA. Lechner sent an e-mail at 2:35 a.m. on Jan. 31, the next-to-last day of the flight, to other engineers, saying "we will need to address [his] concerns."

A rich exchange of e-mails ensued, in which at least three engineers suggested that excessive heating as a result of tile damage could endanger the shuttle, its crew or its safe landing. They also described with prescience how a disastrous scenario might unfold, and discussed the comparative merits of crew bailout, ditching in water and belly-landing on the runway.

But none of their "what-if" deliberations were disclosed to the crew or to senior NASA officials before the landing. "On entry day, things are very busy. When we know that we have a good vehicle and we know that we are going to do a good reentry, we do not send these things to cause distractions. It was just within our group," Kling said last week.

Another participant in the engineering debate, Robert Doremus, explained last week that "you really need to be careful bringing up a 'what-if' scenario. . . . You really should have some concrete evidence there is a problem."

Academic experts who have worked with and advised NASA said the engineers' comments show the agency retains a culture that encourages secrecy and a reluctance to share uncertainties based on intuition, stifling wider debate that could bring fresh insights.

"They need to have better mechanisms to determine what needs to be passed along," said Pat-Cornell of Stanford. "The 'what-if' process of NASA is not a good way to reason. . . . It misses the point -- which is probability and chances" that can lead to alternative courses of action.

While the possibility of astronauts being marooned or perishing in space is a classic of science fiction, John Pike, director of GlobalSecurity.org and a space policy analyst, said the agency seems unprepared for it. During this flight, the Columbia's pilot was never told that engineers worried about landing with deflated tires.

In one of the final e-mail exchanges, NASA engineer McCluney warned that if explosives in the wheel well detonated because of excessive heat, the landing gear would deploy automatically during the shuttle's reentry. "This is likely a LOC [loss-of-crew] case, so we'll skip it" in the analysis, he said.

Several independent experts said the message betrayed NASA's debilitating but characteristic reluctance to come face-to-face with the prospect of imminent disaster.

Kling said no special instructions regarding new flight procedures were brought to the control room in case super-heated air burned through the shuttle's skin in a vulnerable spot. "That's essentially an unsurvivable case. We don't practice those sorts of things," he said. "We don't even make cards for them."

So on the morning of Feb. 1, Kling was watching sensors for wheel wells, tire pressures, doors and the other systems for which he and his team were all responsible. The alarming numbers appeared on a grid resembling a spreadsheet and changed at frequent intervals as new telemetry was relayed from the descending shuttle.

"When events started unfolding, there was a little bit of disbelief right at first when we got the first indications, and we just kind of went down that path of, you know, I can't believe this is happening and what did I miss, what did we miss as a team?" Kling said. Then for a while, "I was going through my job, talking to the escape officer, looking for evidence of the crew bailing out or whatever," even though the astronauts had never been warned such action might be needed.

Only after he saw the video of shuttle wreckage flaming across the blue sky did he fully accept what had happened, Kling said. Hours later, shuttle program manager Ron Dittemore told reporters why things unfolded as they did: "We convinced ourselves, as we analyzed it 10 days ago, that it was not going to represent a safety issue."

Staff writer David S. Hilzenrath contributed to this report.


Copyright 2003, The Washington Post