NASA's Organizational and Management Challenges
in the Wake of the Columbia Disaster
Wednesday, October 29, 2003
10:00 a.m. to 12:30 p.m.
2318 Rayburn House Office Building
On Wednesday, October 29, 2003 at 10:00 a.m., the House Committee on Science will hold a hearing to address the organizational and management issues confronting the National Aeronautics and Space Administration (NASA) in the aftermath of the Space Shuttle Columbia accident. According to the Columbia Accident Investigation Board (CAIB), NASA's "organizational culture and structure" had as much to do with the Columbia's demise as the physical causes of the accident. During the course of its nearly seven months of investigation into the causes of the accident, the CAIB encountered an ineffective and disengaged safety organization within NASA that "failed to adequately assess anomalies and frequently accepted critical risks without qualitative or quantitative support." Based on its findings, the CAIB recommended significant changes to the organizational structure of the Space Shuttle Program (detailed below).
To give a sense of some of the ways NASA could be restructured to comply with its recommendations, the CAIB report provided three examples of organizations with independent safety programs that successfully operate high-risk technologies. The examples were: the United States Navy's Submarine Flooding Prevention and Recovery (SUBSAFE) and Naval Nuclear Propulsion (Naval Reactors) programs and the Aerospace Corporation's independent launch verification process and mission assurance program for the U.S. Air Force.
This hearing will provide an opportunity to examine each of these examples in depth, as well as the safety programs of the DuPont Corporation (an acknowledged industry leader in safety), to help determine how NASA should be reorganized.
2. Critical Questions
The CAIB determined that reorganizing NASA is a critical requirement if the Shuttle is to fly safely over the long term. To provide adequate oversight of NASA's reorganization plans, the Committee needs to understand how different organization structures can contribute to safety. To that end, the following questions were submitted in advance to each of the witnesses:
a. What does it mean for a safety program to be "independent?" How can safety organizations be structured to ensure their independence?;
b. How can safety programs be organized to ensure that they are robust and effective, but do not prevent the larger organization from carrying out its duties?;
c. How do you ensure that the existence of an independent safety program does not allow the larger organization to absolve itself of responsibility for safety?; and
d. How do you ensure that dissenting opinions are offered without creating a safety review process that can never reach closure?
Recommendations of the CAIB and previous reports
Since the loss of the Space Shuttle Challenger in 1986, numerous outside experts have reviewed NASA's human space flight safety programs and found them lacking. For instance, in the immediate aftermath of the Challenger accident, the Rogers Commission issued recommendations calling for the creation of an independent safety oversight function. Despite NASA's compliance efforts, the U.S. General Accounting Office concluded in 1990 that NASA still "did not have an independent and effective safety organization." Nine years later, the Shuttle Independent Assessment Team and NASA Integrated Action Team likewise issued findings that were critical of NASA's safety programs and echoed the Rogers Commission's call for the creation of an independent safety oversight function. Finally, in 2002, the Space Shuttle Competitive Task Force reiterated the call for an independent safety assurance function at NASA with "authority to shut down the flight preparation processes or intervene post-launch when an anomaly occurs."
In August of 2003, the CAIB released Volume I of its report on the Columbia accident. Consistent with previous analyses of NASA's safety programs, the CAIB Report discovered fundamental, structural deficiencies in NASA's safety programs. For example, the report states, "the Shuttle Program's complex structure erected barriers to effective communication and its safety culture no longer asks enough hard questions about risk….[T]he mistakes that were made on [the Columbia mission] are not isolated failures, but are indicative of systemic flaws that existed prior to the accident….[A successful safety process] demands a more independent status than NASA has ever been willing to give its safety organizations, despite the recommendations of numerous outside experts over nearly two decades[.]"
According to the CAIB Report, NASA's current approach to safety and mission assurance "calls for centralized policy and oversight at Headquarters and decentralized execution of safety programs at the enterprise, program, and project levels." Under the existing organizational rubric, "safety is the responsibility of program and project managers" who are given flexibility "to organize safety efforts as they see fit."
To remedy the current organizational deficiencies, the primary CAIB recommendation on organization calls on NASA to "establish an independent Technical Engineering Authority" that would be "responsible for technical requirements and all waivers to them" and that would be "funded directly from NASA Headquarters, and should have no connection to or responsibility for schedule or program cost." The CAIB's fundamental goal is to separate the responsibility for safety from the Shuttle program's responsibility for cost and schedule. The current NASA structure, in which the Shuttle program itself is ultimately responsible for cost, schedule and safety, inevitably leads to "blind spots" - serious safety problems that are not properly analyzed or addressed, the CAIB concluded. The CAIB did not specify precisely how NASA should be reorganized to implement its recommendations, leaving that up to the agency.
While the CAIB report does not label the implementation of a new organizational structure as a "return to flight" requirement, the report does say that NASA must "prepare a detailed plan for defining, establishing, transitioning and implementing an independent Technical Engineering Authority, independent safety program, and a reorganized Space Shuttle Integration Office" prior to returning to flight.
NASA is in the process of preparing such a plan. Administrator Sean O'Keefe has tasked the Associate Administrator for Safety and Mission Assurance, Bryan O'Connor, with coming up with a proposed reorganization plan. O'Connor has circulated a "white paper" outlining his ideas for reorganization among NASA staff. Before being implemented, any reorganization plan will be reviewed both by the Stafford-Covey Task Force (the task force of outside experts set up by O'Keefe to evaluate return-to-flight activities, which is headed by former astronauts Tom Stafford and Richard Covey) and by the Space Flight Leadership Council, which comprises top NASA officials. NASA is also in the process of setting up a new NASA Engineering and Safety Center (NESC), which would be able to "independently" review aspects of programs. It is not clear how the NESC would relate to a new Independent Technical Engineering Authority, but Admiral Harold Gehman, the chairman of the CAIB, has testified that the NESC does not, by itself, fulfill the CAIB's recommendations related to organization.
Model safety organizations
The CAIB Report cites three examples of organizations with successful safety programs and practices that could be models for NASA: the United States Navy's Naval Reactors and SUBSAFE programs and the Aerospace Corporation's independent launch verification process and mission assurance program for the U.S. Air Force.
The Naval Reactors program is a joint Navy/Department of Energy organization responsible for all aspects of Navy nuclear propulsion, including research, design, testing, training, operation, and maintenance of nuclear propulsion plants onboard Navy ships and submarines. The Naval Reactors program is structurally independent of the operational program that it serves. Although the naval fleet is ultimately responsible for day-to-day operations and maintenance, those operations occur within parameters independently established by the Naval Reactors program. In addition to its independence, the Naval Reactors program has certain features that might be emulated by NASA, including an insistence on airing minority opinions and planning for worst-case scenarios, a requirement that contractor technical requirements are documented in peer-reviewed formal written correspondence, and a dedication to relentless training and retraining of its engineering and safety personnel.
SUBSAFE is a program that was initiated by the Navy to identify critical changes in submarine certification requirements and to verify the readiness and safety of submarines. The SUBSAFE program was initiated in the wake of the USS Thresher nuclear submarine accident in 1963. Until SUBSAFE independently verifies that a submarine has complied with SUBSAFE design and process requirements, its operating depth and maneuvers are limited. The SUBSAFE requirements are clearly documented and achievable, and rarely waived. Program managers are not permitted to "tailor" requirements without approval from SUBSAFE. Like the Naval Reactors program, the SUBSAFE program is structurally independent from the operational program that it serves. Likewise, SUBSAFE stresses training and retraining of its personnel based on "lessons learned," and appears to be relatively immune from budget pressures.
The Aerospace Corporation operates as a Federally Funded Research and Development Center that independently verifies safety and readiness for space launches by the United States Air Force. As a separate entity altogether from the Air Force, Aerospace conducts system design and integration, verifies launch readiness, and provides technical oversight of contractors. Aerospace is indisputably independent and is not subject to schedule or cost pressures.
According to the CAIB, the Navy and Air Force programs have "invested in redundant technical authorities and processes to become reliable." Specifically, each of the programs allows technical and safety engineering organizations (rather than the operational organizations that actually deploy the ships, submarines and planes) to "own" the process of determining, maintaining, and waiving technical requirements. Moreover, each of the programs is independent enough to avoid being influenced by cost, schedule, or mission-accomplishment goals. Finally, each of the programs provides its safety and technical engineering organizations with a powerful voice in the overall organization. According to the CAIB, the Navy and Aerospace programs "yield valuable lessons for [NASA] to consider when redesigning its organization to increase safety."
a. Admiral Frank L. "Skip" Bowman, United States Navy (USN), is the Director of the Naval Nuclear Propulsion (Naval Reactors) Program. In this capacity, Admiral Bowman is responsible for the program that oversees the design, development, procurement, operation, and maintenance of all the nuclear propulsion plants powering the Navy's fleet of nuclear warships. Admiral Bowman is a graduate of Duke University and the Massachusetts Institute of Technology.
b. Rear Admiral Paul Sullivan, USN, is the Deputy Commander for Ship Design Integration and Engineering for the Naval Sea Systems Command, which is the authority for the technical requirements of the SUBSAFE program. Admiral Sullivan is a graduate of the U.S. Naval Academy and the Massachusetts Institute of Technology.
c. Mr. Ray F. Johnson is the Vice President for Space Launch Operations for the Aerospace Corporation, located in El Segundo, California. Mr. Johnson is responsible for Aerospace's support for all Air Force space launch programs, including Aerospace's certification reviews prior to launch. Mr. Johnson holds a B.S. degree in mechanical engineering from the University of California at Berkeley and an MBA from the University of Chicago.
d. Ms. Deborah L. Grubbe is the Corporate Director for Safety and Health at DuPont. In this capacity, Ms. Grubbe is tasked with leading new initiatives in global safety and occupational health for DuPont. Ms. Grubbe is a past director of DuPont Nonwovens, where she was accountable for manufacturing, engineering, and safety. Ms. Grubbe holds a B.S. degree in chemical engineering from Purdue University and a Certificate of Post-Graduate Study in chemical engineering from Cambridge University.
Admiral Harold Gehman, Jr., USN (retired), chaired the Columbia Accident Investigation Board.
Excerpt from the Columbia Accident Investigation Board Report, Volume I (August 2003), Chapter 7, Section 7.3 (pp. 182-184).