Lessons From the Columbia Disaster Safety and Organizational Culture

8/13/2019 Lessons From the Columbia Disaster Safety and Organizational Culture

1/51

1

Lessons From the

Columbia DisasterSafety & Organizational

Culture

2005 American Institute of Chemical EngineersPresentation Rev_newv4_final as of 11_15_05


2/51

2

FEB 1, 2003 8:59 EST

All 7 astronauts are killed

$4 billion spacecraft isdestroyed

Debris scattered over2000 sq-miles of Texas

NASA grounds shuttlefleet for 2-1/2 years

Space shuttle Columbia,re-entering Earthsatmosphere at 10,000mph, disintegrates


3/51

3

Columbia- The Physical Cause

Insulating foam separatesfrom external tank 81seconds after lift-off

Foam strikes underside of

left wing, breachesthermal protection system(TPS) tiles

Superheated air enterswing during re-entry,

melting aluminum struts Aerodynamic stresses

destroy weakened wing


4/51

4

A Flawed Decision Process

Foam strike detected inlaunch videos on Day 2

Engineers requestedinspection by crew or

remote photo imageryto check for damage

Mission managersdiscounted foam strikesignificance

No actions were taken toconfirm shuttle integrity orprepare contingency plans


5/51

5

Seventeen Years Earlier

January 28, 1986, theshuttle Challengerexplodes 73 secondsinto its launch, killing all

seven crew members

Investigation revealsthat a solid rocketbooster (SRB) joint

failed, allowing flamesto impinge on theexternal fuel tank


6/51

6

Challenger

Liquid hydrogen tank explodes, ruptures liquidoxygen tank

Resulting massive explosion destroys the shuttle


7/517

The Legacy of Challenger

The Rogers Commission, whichinvestigated the incident, determined:

The SRB joint failed when jet flamesburned through both o-rings in the joint

NASA had long known about recurrentdamage to o-rings

Increasing levels of o-ring damage hadbeen tolerated over time

Based upon the rationale thatnothing bad has happened yet


8/518

The Legacy continued

The Commission also determined that:

SRB experts had expressed concerns about thesafety of the Challenger launch

NASAs culture prevented these concerns from

reaching top decision-makers Past successes had created an environment of

over-confidence within NASA

Extreme pressures to maintain launch schedulesmay have prompted flawed decision-making

The Commissions recommendations addressed annumber of organizational, communications, and safetyoversight issues


9/519

Columbia- The Organizational Causes

In our view, the NASA organizational

culturehad as much to do with thisaccident as the foam.

CAI B Report, Vol. 1, p. 97

NASA had received painfullessons about its culture fromthe Challenger incident

CAIB found disturbingparallels remaining at the time

of the Columbia incidentthese are the topic of thispresentation


10/5110

ColumbiaKey Issues

With little corroboration, management had becomeconvinced that a foam strike was not, and could notbe, a concern.

Why were serious concerns about the integrity ofthe shuttle, raised by experts within one day afterthe launch, not acted upon in the two weeks priorto return?

Why had NASA not learned from the lessons ofChallenger?


11/5111

1. Maintain Sense Of Vulnerability2. Combat Normalization Of Deviance3. Establish an Imperative for Safety4. Perform Valid/Timely Hazard/Risk Assessments5. Ensure Open and Frank Communications6. Learn and Advance the Culture

Key Organizational Culture FindingsWhat NASA Did Not Do


12/5112

Maintaining a Sense of Vulnerability

Let me assure you that, as of

yesterday afternoon, the Shuttle was

in excellent shape, there were no

major debris system problems

identified.

NASA off icial on Day 8

The Shuttle has become a matureand reliable system about as safe

as todays technology will provide.

NASA off icial in 1995


13/5113

Maintaining a Sense of Vulnerability

NASAs successes (Apollo program, et al) had createda can do attitude that minimized the considerationof failure

Near-misses were regarded as successes of a robustsystem rather than near-failures

No disasters had resulted from prior foam strikes,so strikes were no longer a safety-of-flight issue

Challenger parallel failure of the primary o-ring

demonstrated the adequacy of the secondary o-ringto seal the joint

A weak sense of vulnerability can lead to taking futuresuccess for granted and to taking greater risks


14/5114

Combating Normalization of Deviance

No debris shall emanate

from the critical zone of the

External Tank on the launch

pad or during ascent

Ground System Specif ication Book

Shuttle Design Requirements

After 113 shuttle missions,foam shedding, debrisimpacts, and TPS tiledamage came to beregarded as only a routine

maintenance concern


15/51


16/5116

Establish An Imperative for Safety

When I ask for the budget to be cut,

Im told its going to impact safety on

the Space Shuttle I think thats a

bunch of crap.

Daniel S. Goldin,

NASA Administrator, 1994

The shuttle safety organization, funded by the programs itwas to oversee, was not positioned to provideindependent safety analysis

The technical staff for both Challenger and Columbia wereput in the position of having to prove that managements

intentions were unsafe

This reversed their normal role of having to prove

mission safety


17/5117

Establish An Imperative for Safety

International

Space Station

deadline

19 Feb 04

Desktop screensaver at NASA

As with Challenger, futureNASA funding requiredmeeting an ambitious launchschedule

Conditions/checks, once

critical, were now waived

A significant foam strike on

a recent mission was not

resolved prior toColumbias launch

Priorities conflicted and

production won over safety


18/5118

Perform Valid/TimelyHazard/Risk Assessments

Anymore activity today on the tile damage or are people just relegated tocrossing their fingers and hoping for the best?

Email Exchange at NASA

hazard analysis processes are applied inconsistently across systems,

subsystems, assemblies, and components.

CAIB Report, Vol. 1, p. 188

NASA lacked consistent, structured approaches foridentifying hazards and assessing risks

Many analyses were subjective, and many action itemsfrom studies were not addressed

In lieu of proper risk assessments, many identified

concerns were simply labeled as acceptable Invalid computer modeling of the foam strike was

conducted by green analysts


19/51

19

Ensure Open and Frank Communications

I must emphasize (again) that severe enough

damage could present potentially grave hazardsRemember the NASA safety posters everywhere

around stating, If its not safe, say so? Yes, its that

serious.

Memo that was composed but never sent

Management adopted a uniform mindset that foamstrikes were not a concern and was not open tocontrary opinions.

The organizational culture Did not encourage bad news Encouraged 100% consensus Emphasized only chain of command communications Allowed rank and status to trump expertise


20/51

20

Ensure Open and Frank Communications

Lateral communications between some NASA siteswere also dysfunctional

Technical experts conducted considerableanalysis of the situation, sharing opinions withintheir own groups, but this information was notshared between organizations within NASA

As similar point was addressed by the RogersCommission on the Challenger incident

Management pushback can discourage, evenintimidate, those seeking to share concerns.


21/51

21

Learn and Advance the Culture

CAIB determined that NASA had not learned from thelessons of Challenger

Communications problems still existed

Experts with divergent opinions still had difficulty

getting heard

Normalization of deviance was still occurring

Schedules often still dominated over safety concerns

Hazard/risk assessments were still shallow

Abnormal events were not studied in sufficient detail,

or trended to maximize learnings


22/51

22

An Epilog

Shuttle Discovery was launchedon 7/26/05

NASA had formed anindependent Return To Flight(RTF) panel to monitor its

preparations 7 of the 26 RTF panel members

issued a minority report prior tothe launch

Expressing concerns aboutNASAs efforts

Questioning if Columbiaslessons had been learned


23/51

23

An Epilog

During launch, a large piece of foam separated from theexternal fuel tank, but fortunately did not strike theshuttle, which landed safely 14 days later

The shuttle fleet was once again grounded, pendingresolution of the problem with the external fuel tankinsulating foam


24/51

Turning Inward- Our Industry-


25/51

25

Piper Alpha

On 7/6/1988, a series ofexplosions and firesdestroyed the Piper Alphaoil platform

165 platform workers and2 emergency responderswere killed

61 workers survivedby jumping into theNorth Sea


26/51

26

The Physical Cause

It is believed that a pumphad been returned toservice with its dischargerelief valve removed fortesting

The light hydrocarbon(condensate) that wasreleased formed a vaporcloud and ignited

The resulting vapor cloud

explosion ruptured oilexport lines and ignitedfires on the platform


27/51

27

The Physical Cause

Other interconnectedplatforms continuedproduction, feeding theleaks on Piper Alpha

Ensuing fires breachedhigh pressure naturalgas inlet lines on theplatform

The enormity of the

resulting conflagrationprevented any organizedevacuation


28/51

28

The Organizational Causes

The official investigation report, written by LordCullen, faulted the companys management of safetyon Piper Alpha

The confusion leading to restarting the condensatepump resulted from failures to adhere to the permit towork (PTW) system

Daily monitoring and periodic audits had failed to

identify the continuing dysfunction of the system


29/51

29


Inadequate shift turnovers failed to communicate

the status of the pump to the oncoming shift

Inadequate communications (and PTW systemproblems) had contributed to a fatality, and a

civil conviction for the company, but remedialaction had not been taken

The diesel fire pumps were in manual and, after the

explosion, could not be reached by staff seeking to

start them A prior audit recommendation to stop this

practice had not been implemented


30/51

30


Even if fire water had been available, many delugenozzles were plugged

The company had been trying to resolve thisproblem for at least four years, but repairs were

behind schedule

One year earlier, an engineering study had concludedthat the gas risers were vulnerable and that a massivegas release could prevent successful evacuation of

the platform Management had discounted the study results


31/51

31


Other problems that audits and management reviews hadfailed to identify and/or resolve included:

Emergency response training given to workers new to the

platform was cursory and often omitted. Some workers

had not been shown the location of their life boat.

Platform managers had not been trained on how to

respond to emergencies on other platforms (e.g., when to

stop production)

Evacuation and emergency shutdown drills on Piper Alpha

were not conducted according to schedule


32/51

32

Parallels to NASAand Columbia

Each Piper Alpha

organizational cause can bemapped to one or more ofthe NASA lessons

Maintain Sense OfVulnerability

Combat Normalization OfDeviance

Establish an Imperative forSafety

Perform Valid/Timely

Hazard/Risk Assessments Ensure Open and Frank

Communications

Learn and Advance theCulture


33/51

33

Flixborough

On 6/1/1974, a massivevapor cloud explosion(VCE) destroyed a UKchemical plant

Consequences:

28 employees diedand 36 were injured

Hundreds of off-siteinjuries

Approx. 1800 homesand 170 businessesdamaged


34/51

34

The Physical Cause

22 3344 66

2020--inchinch

bypassbypass 125 psi125 psi

1122 33

44 66

2020--inchinch

bypassbypass 125 psi125 psi

11

Approx. 30 tons of boiling cyclohexane released from

reactor system

Most likely release cause was the failure of atemporary piping modification

Installed between two reactors

Was a bypass for reactor removed for repairs


35/51

35

The Physical Cause

Bellows not designedfor 38-ton thrust

Design standards for

bellows ignored Inadequate pressure

test of installation

Inadequate vertical andlateral support for

jumper


36/51

36


No qualified mechanicalengineer on-site

Inadequate concern withthe cause of the reactorfailure

Jumper connectionconsidered a routineplumbing job

No detailed designfor jumper


37/51

37


Hurry upattitude of management

Overworked staffdid not take time toproperly analyzetheir actions


38/51

38


Each Flixboroughorganizational causecan be mapped to oneor more of the followingNASA lessons

Maintain Sense OfVulnerability

Establish anImperative for Safety

Perform Valid/TimelyHazard/RiskAssessments


39/51

39

Could this happen to us?

Optional: PasteCompany logo

here

Complacencydue to our superior safety performance

Normalizingour safety critical requirements

Ineffective Risk Assessmentsof our systems

Reversing the Burden of Proofwhen evaluating safetyof operations

Employees Not Speaking Freelyof their safetyconcerns

Business Pressuresat odds with safety priorities

Failure to Learnand apply learnings to improving ourculture


40/51

40

Title for Relevant Company Event

Use this section to briefly

summarize key aspectsof the event Do not addresses

causes here Add additional slides

if required

Paste photo related toevent in space at right, ifdesired

JPG files at 300 dpi,provide adequate

resolution If photo is not

provided, drag rightborder over toexpand this text box


here


41/51

41

The Physical Cause

Briefly describe thefactors that caused theevent

Do not addressorganizationalfactors here

Add additionalslides if required

Add photo to the right,or expand the text boxas desired/needed


here


42/51

42


Describe the organizational causes of the event

Where feasible, lay a basis for parallels to the 6NASA organizational culture findings

Maintain Sense Of Vulnerability Combat Normalization Of Deviance Establish an Imperative for Safety Perform Appropriate and Timely Hazard/Risk

Assessments Ensure Open and Frank Communications Learn and Advance the Culture


here


43/51

43


If you feel that thiswould add to theemphasis of themessage, include one ormore slides thatemphasize how yourorganizational causesrelate to the underlyingthemes from Columbia

Alternatively, youmay want to leave

this as an individualor group exercisefor the audience


here


44/51

Indicators Of OrganizationalCulture Weaknesses

The following slidesprovideexamples of indicators that

your organization is

NOT Maintaining a


45/51

45

NOTMaintaining aSense of Vulnerability

Safety performance has been good and you do notrecall the last time you asked But what if?

You assume your safety systems are good enough

You treat critical alarms as operating indicators

You allow backlogs in preventative maintenance ofcritical equipment

Actions are not taken when trends of similar

deficiencies are identified.

NOT Preventing


46/51

46

NOTPreventingNormalization of Deviance

You allow operations outside established safeoperating limits without detailed risk assessment

Willful, conscious, violation of an established

procedure is tolerated without investigation, or withoutconsequences for the persons involved

Staff cannot be counted on to strictly adhere to safetypolicies and practices when supervision is not aroundto monitor compliance

You are tolerating practices or conditions that wouldhave been deemed unacceptable a year or two ago

NOT Establishing An


47/51

47

NOTEstablishing AnImperative for Safety

Staff monitoring safety related decisions are nottechnically qualified or sufficiently independent

Key process safety management positions have beendowngraded over time or left vacant

Recommendations for safety improvements areresisted on the grounds of cost or schedule impact

No system is in place to ensure an independent reviewof major safety-related decisions

Audits are weak, not conducted on schedule, or areregarded as negative or punitive and, therefore, areresisted

NOT Performing Valid/Timely


48/51

48

NOTPerforming Valid/TimelyHazard/Risk Assessments

Availability of experienced resources for hazard or riskassessments is limited

Assessments are not conducted according to schedule

Assessments are done in a perfunctory fashion, orseldom find problems

Recommendations are not meaningful and/or are notimplemented in a timely manner

Bases for rejecting risk assessment recommendations are

mostly subjective judgments or are based upon previousexperience and observation.

NOT Ensuring Open and


49/51

49

NOTEnsuring Open andFrank Communications

The bearer of bad news is viewed as not a teamplayer

Safety-related questioning rewarded by requiring thesuggested to prove he / she is correct

Communications get altered, with the messagesoftened, as they move up or down the managementchain

Safety-critical information is not moving laterallybetween work groups

Employees can not speak freely, to anyone else, abouttheir honest safety concerns, without fear of careerreprisals.

NOTLearning and Advancing


50/51

50

g gthe Culture

Recurrent problems are not investigated, trended, andresolved

Investigations reveal the same causes recurring time and

again Staff expresses concerns that standards of performance

are eroding

Concepts, once regarded as organizational values, arenow subject to expedient reconsideration

Engineering By View Graph


51/51

Engineering By View Graph

When engineering analyses and risk assessments are condensed to fit

on a standard form or overhead slide, information is inevitably lost

the priority assigned to information can be easily misrepresented by its

placement on a chart and the language that is used.

The CAIB faulted shuttle project staff for trying tosummarize too much important information on toofew PowerPoint slides

We risk the same criticism here

This presentation introduces the concept oforganizational effectiveness and safety culture, asexemplified by the case studies presented

This is only the beginning

Date post:	04-Jun-2018
Category:	Documents
Upload:	ruano25
View:	220 times
Download:	0 times

Lessons From the Columbia Disaster Safety and Organizational Culture

Documents