5 Space Transportation System Risk Assessment and Risk Management: Discussion and Recommendations
Pages 40-78

From page 40...
... reports which would contain analyses and justification of the retention rationale for the critical items and their associated "hazards", as well as a safety-risk assessment of the resulting units, subsystems, and systems. The hazard analysis and Mission Safety Assessment parts of this overall safety and risk assessment process, as it was supposed to be done prior to 1986, are shown in Figure 5-1, obtained from JSC's SR&QA.
From page 42...
... First, there is now a specific new set of NSTS instructions to all contractors and NASA organizations for conducting hazard analyses, and for preparing FMEAs and CILs for the NSTS (these new instructions affect the activities in the boxes in Figure 5-2 marked A). Second, it can be seen that the FMEA/CIL documents are intended to be one of many inputs into the hazard analysis and Hazard Report, which in turn are shown as an input into the Mission Safety Assessment.
From page 43...
... [Figure 5-2: NASA JSC safety analysis, hazard reports, and safety assessment process in 1987, as modified by the Committee (adapted from NASA JSC SR&QA). Inputs shown: change evaluations, failure investigations, waivers/deviations, OMRSDs/OMIs, walkdown inspections, mission planning activities, flight anomalies, ASAP inputs, individual inputs, payload interfaces; review by the Senior Safety Review Board and Level II PRCB baselining; output to the NASA Space Shuttle Hazards Data Base.]
From page 44...
... We are concerned that, for all the reasons discussed above, without professional, detailed evaluation against specific criteria for reducing risk (not just review by panels and boards), the retention rationales can be misleading or even incorrect regarding the true causes and probabilities of the failure modes for which retention waivers are being requested (see discussion of probabilistic risk assessment in Section 5.6).
From page 45...
... This integrated review should include detailed consideration of the results of hazard analyses and all other inputs to the risk assessment process, in addition to the FMEA/CIL retention rationale. Further, the review process should assure that the waivers and supporting analyses fully reflect current data and designs.
From page 46...
... The Committee views this implementation procedure with concern. It does not appear to reflect a serious concern on the part of the NSTS Program for the need to prioritize the CIL by assessing relative risks.
From page 47...
... 5.3. HAZARD ANALYSIS AND MISSION SAFETY ASSESSMENT NASA hazard analyses currently do not address the relative probabilities of a particular hazardous condition arising from failure modes, human errors, or external situations.
From page 50...
... analysis is not used to its fullest advantage and that overall system safety assessments, based on test and flight data and on quantitative analyses, are not a part of the process of accepting critical failure modes and hazards. Since the Hazard Report does not provide a comprehensive risk assessment, or even an independent evaluation of the retention rationale stated in the input CILs, we believe the overall process shown in Figure 5-2, representing NASA's current plans, has serious shortcomings.
From page 51...
... As discussed in Section 5.3, the hazard analyses in actual practice appear to have little or no influence on the waiver decisions to accept Criticality 1 and 1R designs for flight. Also, the original scheduling of the first flight some six months after completion of the FMEA/CIL and hazard analysis reevaluations seemed to presuppose that no substantial design change requirements would result from the process.
From page 52...
... that NASA take steps to ensure a close linking between the STS engineering change activities and the FMEA/CIL/hazard analysis processes.
From page 53...
... [Figure 5-5: The NASA NSTS System Integrity Assurance Program (NASA). Elements shown: reliability; off-line performance; hardware/software problem resolution; the Program Compliance Assurance and Status System (requirements, risk decision, integrated accounting status, problem status assessment, hazard analysis, trend, critical item analysis status and history); FMEA/CIL data management reports.]
From page 54...
... Finally, the Committee ...
[Figure 5-6: Data base elements of the NASA NSTS Program Compliance Assurance and Status System (NASA). Elements shown: hardware maintenance requirements, configuration, flight and material records, program compliance assurance and status system (PCASS) history/data base, inventory, FMEA/CIL status/history, hazard analyses, trend data.]
From page 55...
... They are sometimes employed in the FMEA to support rationales for retention, and in the hazard analyses to support classification of a hazard. They may come into play in the waiver process and the Flight Readiness Reviews.
From page 56...
... Based on the results of these studies, NASA plans to assess the benefits and applicability of PRA to the STS risk management process.
From page 57...
... NASA's risk management process provides some mechanisms for identifying cross-element interface effects and failure modes, including propagation of failure modes to interfacing or physically adjacent modules or subsystems. One mechanism is the Element Interface Functional Analysis (EIFA)
From page 58...
... bridging two or more STS elements. To the extent that the hazard analysis is a top-down analysis, it is important that its output lead to the generation or modification of the FMEAs.
From page 59...
... back into the FMEA/CIL/retention rationale, hazard analysis, etc., to ensure that they are consistent and complete or that a design change is implemented, with all relevant documents being revised accordingly.
From page 60...
... At MSFC, the Engineering Directorate has the prime responsibility for establishing design requirements and also for reviewing and
From page 62...
... by JSC representatives that, because of limited staff, the JSC SR&QA organization now provides little independent review and oversight of the software activities in the NSTS program. Based on the Committee's review of STS certification-validation-verification processes, it appears that the work is managed and conducted
From page 63...
... However, these organizations should continue to conduct activities supporting certification and ...
5.9 OPERATIONAL ISSUES
Operational aspects of the NSTS program require considerable attention in risk assessment and management.
From page 64...
... operations (testing, certification, maintenance, assembly, etc.). Hazard analyses can consider human error in both types of operations activities; but the Committee has not found that hazard analysis is regularly used to assess this element of risk.
From page 65...
... Cannibalization is not evaluated as a producer of potential failure in either the hazard analysis (where it would be most appropriate)
From page 68...
... Figure 5-11 depicts the review groups associated with the NSTS FMEA/CIL and hazard analysis processes alone. There are also boards to review design requirements and certification, software, the Operations and Maintenance Requirements and
From page 70...
... NASA management should also see to it that each individual involved in the NSTS Program is completely aware of his/her responsibilities and authority for decision making.
5.10.2 Adequacy of Orbiter Structural Safety Margins
The primary structure of the STS has been excluded, by definition, from the FMEA/CIL process, based on the belief that there is an adequate positive margin of safety.
From page 71...
... The Manager of the NSTS Engineering Integration Office chairs this board and signs the flight readiness statement on software; thus he is the focus of configuration control and
From page 72...
... by the main NASA centers involved in the NSTS Program may reflect an imbalance between the authority of the centers and that of the NSTS Program Office. The Committee is concerned
From page 73...
... that the NSTS Program Office "review the FMEA/CIL reevaluation processes as implemented for each STS element to assure itself that any differences will not compromise the quality and completeness of the overall STS FMEA/CIL effort." This more specific concern for procedural differences led, moreover, to a broader concern over the nature of management control within NASA. Differences in procedures used by the NASA centers in this context and others (e.g., with respect to the independence of STS certification, as discussed in Section 5.8)
From page 74...
... with the failure modes and hazards. It is not reasonable to expect that NASA management or its panels and boards can provide their own detailed assessments of the risks associated with failure modes and hazards presented to them for acceptance.
From page 75...
... that they are being controlled to the levels accepted by the appropriate NASA authorities.) Figure 5-12 shows that even in the current post-51-L planning, the final result of the hazard analysis and safety assessment process is a NASA Space Shuttle Hazards Data Base.
From page 77...
... This is appropriate, because overall risk management and total systems safety are dependent on the quality assurance function throughout NASA. The QA function should be performed separately from the systems safety engineering functions (although there is certainly a strong oversight interaction between the two)
From page 78...
... The Committee also recommends that the STS risk management program, based in part on the definition of the potential to reduce the level of risk developed by the system safety risk assessment, include a concerted effort to remove or reduce the risks.