Several significant factors caught the attention of the Board during the investigation. Although it appears that they were not causal in the STS-107 accident, they are presented here for completeness.

Solid Rocket Booster Bolt Catchers

The fault tree review brought to light a significant problem with the Solid Rocket Booster bolt catchers. Each Solid Rocket Booster is connected to the External Tank by four separation bolts: three at the bottom plus a larger one at the top that weighs approximately 65 pounds.These larger upper (or "forward") separation bolts (one on each Solid Rocket Booster) and their associated bolt catchers on the External Tank provoked a great deal of Board scrutiny.

About two minutes after launch, the firing of pyrotechnic charges breaks each forward separation bolt into two pieces, allowing the spent Solid Rocket Boosters to separate from the External Tank (see Figure 4.2-1). Two "bolt catchers" on the External Tank each trap the upper half of a fired separation bolt, while the lower half stays attached to the Solid Rocket Booster.As a result, both halves are kept from flying free of the assembly and potentially hitting the Orbiter. Bolt catchers have a domed aluminum cover containing an aluminum honeycomb matrix that absorbs the fired bolts energy. The two upper bolt halves and their respective catchers subsequently remain connected to the External Tank, which burns up on re-entry, while the lower halves stay with the Solid Rocket Boosters that are recovered from the ocean.

If one of the bolt catchers failed during STS-107, the resulting debris could have damaged Columbias wing leading edge. Concerns that the bolt catchers may have failed, causing metal debris to ricochet toward the Orbiter, arose because the configuration of the bolt catchers used on Shuttle missions differs in important ways from the design used in

initial qualification tests.1 First, the attachments that currently hold bolt catchers in place use bolts threaded into inserts rather than through-bolts. Second, the test design included neither the Super Lightweight Ablative material applied to the bolt catcher apparatus for thermal protection, nor the aluminum honeycomb configuration currently used. Also, during these initial tests, temperature and pressure readings for the bolt firings were not recorded.

Instead of conducting additional tests to correct for these discrepancies, NASA engineers qualified the flight design configuration using a process called "analysis and similarity." The flight configuration was validated using extrapolated test data and redesign specifications rather than direct testing. This means that NASAs rationale for considering bolt catchers to be safe for flight is based on limited data from testing 24 years ago on a model that differs significantly from the current design.

Due to these testing deficiencies, the Board recognized that bolt catchers could have played a role in damaging Columbias left wing. The aluminum dome could have failed catastrophically, ablative coating could have come off in large quantities, or the device could have failed to hold to its mount point on the External Tank. To determine whether bolt catchers should be eliminated as a source of debris, investigators conducted tests to establish a performance baseline for bolt catchers in their current configuration and also reviewed radar data to see whether bolt catcher failure could be observed. The results had serious implications: Every bolt catcher tested failed well below the expected load range of 68,000 pounds. In one test, a bolt catcher failed at 44,000 pounds, which was two percent below the 46,000 pounds generated by a fired separation bolt. This means that the force at which a separation bolt is predicted to come apart during flight could exceed the bolt catchers ability to safely capture the bolt. If these results are consistent with further tests, the factor of safety for the bolt catcher system would be 0.956 ｭ far below the design requirement of 1.4 (that is, able to withstand 1.4 times the maximum load ever expected in operation).

Every bolt catcher must be inspected (via X-ray) as a final step in the manufacturing process to ensure specification compliance. There are specific requirements for film type/ quality to allow sufficient visibility of weld quality (where the dome is mated to the mounting flange) and reveal any flaws.There is also a requirement to archive the film for several years after the hardware has been used. The manufacturer is required to evaluate the film, and a Defense Contract Management Agency representative certifies that requirements have been met. The substandard performance of the Summa bolt catchers tested by NASA at Marshall Space Flight Center and subsequent investigation revealed that the contractors use of film failed to meet quality requirements and, because of this questionable quality, there were "probable" weld defects in most of the archived film. Film of STS-107s bolt catchers (serial numbers 1 and 19, both Summa-manufactured), was also determined to be substandard with "probable" weld defects (cracks, porosity, lack of penetration) on number 1 (left Solid Rocket Booster to External Tank attach point). Number 19 appeared adequate, though the substandard film quality leaves some doubt.

Further investigation revealed that a lack of qualified non-destructive inspection technicians and differing interpretations of inspection requirements contributed to this oversight. United Space Alliance, NASAs agent in procuring bolt catchers, exercises limited process oversight and delegates actual contract compliance verification to the Defense Contract Management Agency. The Defense Contract Management Agency interpreted its responsibility as limited to certifying compliance with the requirement for X-ray inspections. Since neither the Defense Contract Management Agency nor United Space Alliance had a resident non-destructive inspection specialist, they could not read the X-ray film or certify the weld. Consequently, the required inspections of weld quality and end-item certification were not properly performed. Inadequate oversight and confusion over the requirement on the parts of NASA, United Space Alliance, and the Defense Contract ManagementAgency all contributed to this problem.

In addition, STS-107 radar data from the U.S. Air Force Eastern Range tracking system identified an object with a radar cross-section consistent with a bolt catcher departing the Shuttle stack at the time of Solid Rocket Booster separation. The resolution of the radar return was not sufficient to definitively identify the object. However, an object that has about the same radar signature as a bolt catcher was seen on at least five other Shuttle missions. Debris shedding during Solid Rocket Booster separation is not an unusual event. However, the size of this object indicated that it could be a potential threat if it came close to the Orbiter after coming off the stack.

Figure 4.2-1. A cutaway drawing of the forward Solid Rocket Booster bolt catcher and separation bolt assembly.

Although bolt catchers can be neither definitively excluded nor included as a potential cause of left wing damage to Columbia, the impact of such a large object would likely have registered on the Shuttle stacks sensors. The indefinite data at the time of Solid Rocket Booster separation, in tandem with overwhelming evidence related to the foam debris strike, leads the Board to conclude that bolt catchers are unlikely to have been involved in the accident.

Findings:

F4.2-1 The certification of the bolt catchers flown on STS-107 was accomplished by extrapolating analysis done on similar but not identical bolt catchers in original testing. No testing of flight hardware was performed.

F4.2-2 Board-directed testing of a small sample size demonstrated that the "as-flown" bolt catchers do not have the required 1.4 margin of safety.

F4.2-3 Quality assurance processes for bolt catchers (a Criticality 1 subsystem) were not adequate to assure contract compliance or product adequacy.

F4.2-4 An unknown metal object was seen separating from the stack during Solid Rocket Booster separation during six Space Shuttle missions. These objects were not identified, but were characterized as of little to no concern.

Recommendations:

R4.2-1 Test and qualify the flight hardware bolt catchers.

Kapton Wiring

Because of previous problems with its use in the Space Shuttleanditsimplicationinaviationaccidents,Kapton-insulated wiring was targeted as a possible cause of the Columbia accident. Kapton is an aromatic polyimide insulation that the DuPont Corporation developed in the 1960s. Because Kapton is lightweight, nonflammable, has a wide operating temperature range, and resists damage, it has been widely used in aircraft and spacecraft for more than 30 years. Each Orbiter contains 140 to 157 miles of Kapton-insulated wire, approximately 1,700 feet of which is inaccessible.

Despite its positive properties, decades of use have revealed one significant problem that was not apparent during its development and initial use: Kapton insulation can break down, leading to a phenomenon known as arc tracking. When arc tracking occurs, the insulation turns to carbon, or carbonizes, at temperatures of 1,100 to 1,200 degrees Fahrenheit. Carbonization is not the same as combustion. During tests unrelated to Columbia, Kapton wiring placed in an open flame did not continue to burn when the wiring was removed from the flame. Nevertheless, when carbonized, Kapton becomes a conductor, leading to a "soft electrical short" that causes systems to gradually fail or operate in a degraded fashion. Improper installation and mishandling during inspection and maintenance can also cause Kapton insulation to split, crack, flake, or otherwise physically degrade.2 (Arc tracking is pictured in Figure 4.2-2.) Perhaps the greatest concern is the breakdown of the wires insulation when exposed to moisture. Over the years, the Federal Aviation Administration has undertaken extensive studies into wiring-related issues, and has issued Advisory Circulars (25-16 and 43.13-1B) on aircraft wiring that discuss using aromatic polyimide insulation. It was discovered that as long as the wiring is designed, installed, and maintained properly, it is safe and reliable. It was also discovered, however, that the aromatic polyimide insulation does not function well in high-moisture environments, or in installations that require large or frequent flexing. The military had discovered the potentially undesirable aspects of aromatic polyimide insulation much earlier, and had effectively banned its use on new aircraft beginning in 1985. These rules, however, apply only to pure polyimide insulation; various other insulations that contain polyimide are still used in appropriate areas.

The first extensive scrutiny of Kapton wiring on any of the Orbiters occurred during Columbias third Orbiter Major Modification period, after a serious system malfunction during the STS-93 launch of Columbia in July 1999.Ashort circuit five seconds after liftoff caused two of the six Main Engine Controller computers to lose power, which could have caused one or two of the three Main Engines to shut down. The ensuing investigation identified damaged Kapton wire as the cause of the malfunction. In order to identify and correct such wiring problems, all Orbiters were grounded for an initial (partial) inspection, with more extensive inspections planned during their next depot-level maintenance. During Columbias subsequent Orbiter Major Modification, wiring was inspected and redundant system wiring in the same bundles was separated to prevent arc tracking damage. Nearly 4,900 wiring nonconformances (conditions that did not meet specifications) were identified and corrected. Kaptonrelated problems accounted for approximately 27 percent of the nonconformances. This examination revealed a strong correlation between wire damage and the Orbiter areas that had experienced the most foot traffic during maintenance and modification.3

Figure 4.2-2. Arc tracking damage in Kapton wiring.

Other aspects of Shuttle operation may degrade Kapton wiring. In orbit, atomic oxygen acts as an oxidizing agent, causing chemical reactions and physical erosion that can lead to mass loss and surface property changes. Fortunately, actual exposure has been relatively limited, and inspections show that degradation is minimal. Laboratory tests on Kapton also confirm that on-orbit ultraviolet radiation can cause delamination, shrinkage, and wrinkling.



A typical wiring bundle is shown in Figure 4.2-3. Wiring nonconformances are corrected by rerouting, reclamping, or installing additional insulation such as convoluted tubing, insulating tape, insulating sheets, heat shrink sleeving, and abrasion pads (see Figure 4.2-4). Testing has shown that wiring bundles usually stop arc tracking when wires are physically separated from one another. Further testing under conditions simulating the Shuttles wiring environment demonstrated that arc tracking does not progress beyond six inches. Based on these results, Boeing recommended that NASA separate all critical paths from larger wire bundles and individually protect them for a minimum of six inches beyond their separation points.4 This recommendation is being adopted through modifications performed during scheduled Orbiter Major Modifications. For example, analysis of telemetered data from 14 of Columbias left wing sensors (hydraulicline/wingskin/wheeltemperatures,tirepressures,and landing gear downlock position indication) provided failure signatures supporting the scenario of left-wing thermal intrusion,as opposed to a catastrophic failure(extensivearctracking) of Kapton wiring. Actual NASA testing in the months following the accident, during which wiring bundles were subjected to intense heat(ovens,blowtorch,andarcjet),verified the failure signature analyses. Finally, extensive testing and analysis in years prior to STS-107 showed that, with the low currents and low voltages associated with the Orbiters instrumentation system (such as those in the left wing), the probability of arc tracking is commensurately low. Finding:

F4.2-5 Based on the extensive wiring inspections, maintenance, and modifications prior to STS-107, analysis of sensor/wiring failure signatures, and the alignment of the signatures with thermal intrusion into the wing, the Board found no evidence that Kapton wiring problems caused or contributed to this accident.

Recommendation:

R4.2-2 As part of the Shuttle Service Life Extension Program and potential 40-year service life, develop a state-of-the-art means to inspect all Orbiter wiring, including that which is inaccessible.

Crushed Foam

Based on the anticipated launch date of STS-107, a set of Solid Rocket Boosters had been stacked in the Vehicle Assembly Building and a Lightweight Tank had been attached to them. A reshuffling of the manifest in July 2002 resulted in a delay to the STS-107 mission.5 It was decided to use the already-stacked Solid Rocket Boosters for the STS-113 mission to the International Space Station. All flights to the International Space Station use Super LightweightTanks, meaning that the ExternalTank already mated wouldneedtoberemovedandstoredpendingtherescheduled STS-107 mission. Since External Tanks are not stored with the bipod struts attached, workers at the Kennedy Space Center removed the bipod strut from the Lightweight Tank before it was lifted into a storage cell.6

Following the de-mating of the bipod strut, an area of crushed PDL-1034 foam was found in the region beneath where the left bipod strut attached to the tanks ｭY bipod fitting. The region measured about 1.5 inches by 1.25 inches by 0.187 inches and was located at roughly the five oclock position. Foam thickness in this region was 2.187 inches.

Figure 4.2-3. Typical wiring bundle inside Orbiter wing.

Figure 4.2-4. Typical wiring harness protection methods.

The crushed foam was exposed when the bipod strut was removed. This constituted an unacceptable condition and required a Problem Report write-up.7

NASA conducted testing at the Michoud Assembly Facility and at Kennedy Space Center to determine if crushed foam could have caused the loss of the left bipod ramp, and to determine if the limits specified in Problem Report procedures were sufficient for safety.8

Kennedy engineers decided not to take action on the crushed foam because it would be covered after the External Tank was mated to a new set of bipod struts that would connect it to Columbia, and the struts would sufficiently contain and shield the crushed foam.9An inspection after the bipod struts were attached determined that the area of crushed foam was within limits specified in the drawing for this region.10

STS-107 was therefore launched with crushed foam behind the clevis of the left bipod strut. Crushed foam in this region isaroutineoccurrencebecausethefoamispouredandshaved sothatthematingofthebipodstruttothebipodfittingresults in a tight fit between the bipod strut and the foam.

Pre-launch testing showed that the extent of crushed foam did not exceed limits.11 In these tests, red dye was wicked into the crushed (open) foam cells, and the damaged and dyed foam was then cut out and examined. Despite the effects of crushing, the foams thickness around the bipod attach point was not substantially reduced; the foam effectively maintained insulation against ice and frost. The crushed foam was contained by the bipod struts and was subjected to little or no airflow.

Finding:

F4.2-6 Crushed foam does not appear to have contributed to the loss of the bipod foam ramp off the External Tank during the ascent of STS-107.

Recommendations:

ｷ None

Hypergolic Fuel Spill

Concerns that hypergolic (ignites spontaneously when mixed) fuel contamination might have contributed to the accident led the Board to investigate an August 20, 1999, hydrazine spill at Kennedy Space Center that occurred while Columbia was being prepared for shipment to the Boeing facility in Palmdale, California. The spill occurred when a maintenance technician disconnected a hydrazine fuel line without capping it.When the fuel line was placed on a maintenance platform, 2.25 ounces of the volatile, corrosive fuel dripped onto the trailing edge of the Orbiters left inboard elevon. After the spill was cleaned up, two tiles were removed for inspection. No damage to the control surface skin or structure was found, and the tiles were replaced.12

United Space Alliance briefed all employees working with these systems on procedures to prevent another spill, and on November 1, 1999, the Shuttle Operations Advisory Group was briefed on the corrective action that had been taken.

Finding:

F4.2-7 The hypergolic spill was not a factor in this accident.

Recommendations:

ｷ None

Space Weather

Space weather refers to the action of highly energetic particles in the outer layers of Earths atmosphere. Eruptions of particles from the sun are the primary source of space weather events, which fluctuate daily or even more frequently. The most common space weather concern is a potentially harmful radiation dose to astronauts during a mission. Particles can also cause structural damage to a vehicle, harm electronic components, and adversely affect communication links.

After the accident, several researchers contacted the Board and NASA with concerns about unusual space weather just before Columbia started its re-entry. A coronal mass ejection, or solar flare, of high-energy particles from the outer layers of the suns atmosphere occurred on January 31, 2003. The shock wave from the solar flare passed Earth at about the same time that the Orbiter began its de-orbit burn. To examine the possible effects of this solar flare, the Board enlisted the expertise of the Space Environmental Center of the National Oceanic and Atmospheric Administration and the Space Vehicles Directorate of the Air Force Research Laboratory at HanscomAir Force Base in Massachusetts.

Measurements from multiple spaceand ground-based systems indicate that the solar flare occurred near the edge of the sun (as observed from Earth), reducing the impact of the subsequent shock wave to a glancing blow. Most of the effects of the solar flare were not observed on Earth until six or more hours after Columbia broke up. See Appendix D.5 for more on space weather effects.

Finding:

F4.2-8 Space weather was not a factor in this accident.

Recommendations:

ｷ None

Asymmetric Boundary Layer Transition

Columbia had recently been through a complete refurbishment, including detailed inspection and certification of all lower wing surface dimensions. Any grossly protruding gap fillers would have been observed and repaired. Indeed, though investigators found that Columbias reputation for a rough left wing was well deserved prior to STS-75, quantitative measurements show that the measured wing roughness was below the fleet average by the launch of STS-107.13

Finding:

F4.2-9 A"rough wing" was not a factor in this accident.

Recommendations:

ｷ None

Training and On-Orbit Performance

All mission-specific training requirements for STS-107 launch and flight control operators were completed before launch with no performance problems. However, seven flight controllers assigned to the mission did not have current recertifications at the time of the Flight Readiness Review, nor were they certified by the mission date. (Most flight controllers must recertify for their positions every 18 months.) The Board has determined that this oversight had no bearing on mission performance (see Chapter 6). The Launch Control Team and crew members held a full "dress rehearsal" of the launch day during theTerminal Countdown Demonstration Test. SeeAppendix D.1 for additional details on training for STS-107.

Because the majority of the mission was completed before re-entry, an assessment of the training preparation and flight readiness of the crew, launch controllers, and flight controllers was based on the documented performance of mission duties. All STS-107 personnel performed satisfactorily during the launch countdown, launch, and mission. Crew and mission controller actions were consistent with re-entry procedures.

There were a few incorrect switch movements by the crew during the mission, including the configuration of an inter-communications switch and an accidental bump of a rotational hand controller (which affected the Orbiters attitude) after the de-orbit burn but prior to Entry Interface. The inter-communications switch error was identified and then corrected by the crew; both the crew and Mission Control noticed the bump and took the necessary steps to place the Orbiter in the correct attitude. Neither of these events was a factor in the accident, nor are they considered training or performance issues. Details on STS-107 on-orbit operations are inAppendix D.2.

Finding:

F4.2-10 The Board concludes that training and on-orbit considerations were not factors in this accident.

Recommendations:

ｷ None

Payloads

To ensure that a payload malfunction did not cause or contribute to the Columbia accident, the Board conducted a thorough examination of all payloads and their integration with the Orbiters systems. The Board reviewed all downlinked payload telemetry data during the mission, as well as all payload hardware technical documentation. Investigators assessed every payload readiness review, safety review, and payload integration process used by NASA, and interviewed individuals involved in the payload process at both Johnson and Kennedy Space Centers.

TheBoardsreviewoftheSTS-107FlightReadinessReview, Payload Readiness Review, Payload Safety Review Panel, and Integrated Safety Assessments of experiment payloads on STS-107 found that all payload-associated hazards were adequately identified, accounted for, and appropriately mitigated. Payload integration engineers encountered no unique problemsduringSPACEHABintegration,therewerenopayload constraints on the launch, and there were no guideline violations during the payload preparation process.

The Board evaluated 11 payload anomalies, one of which was significant. A SPACEHAB Water Separator Assembly leak under the aft sub-floor caused an electrical short and subsequent shutdown of both Water Separator Assemblies. Groundandflightcrewresponsessufficientlyaddressedthese anomalies during the mission. Circuit protection and telemetry data further indicate that during re-entry, this leak could not have produced a similar electrical short in SPACEHAB that might have affected the main Orbiter power supply.

The Board determined that the powered payloads aboard STS-107 were performing as expected when the Orbiters signal was lost. In addition, all potential "fault-tree" payload failures that could have contributed to the Orbiter breakup were evaluated using real-time downlinked telemetry, debris analysis, or design specification analysis. These analyses indicate that no such failures occurred.

Several experiments within SPACEHAB were flammable, used flames, or involved combustible materials. All downlinked SPACEHAB telemetry was normal through re-entry, indicating no unexpected rise in temperature within the module and no increases in atmospheric or hull pressures. All fire alarms and indicators within SPACEHAB were operational, and they detected no smoke or fire. Gas percentages within SPACEHAB were also within limits.

Because a major shift in the Orbiters center of gravity could potentially cause flight-control or heat management problems, researchers investigated a possible shifting of equipment in the payload bay. Telemetry during re-entry indicated that all payload cooling loops, electrical wiring, and communications links were functioning as expected, supporting the conclusion that no payload came loose during re-entry. In addition, there are no indications from the Orbiters telemetry that any flight control adjustments were made to compensate for a change in the Orbiters center of gravity, which indicates that the center of gravity in the payload bay did not shift during re-entry.

The Board explored whether the pressurized SPACEHAB module may have ruptured during re-entry. A rupture could breach the fuselage of the Orbiter or force open the payload bay doors, allowing hot gases to enter the Orbiter. All downlinked payload telemetry indicates that there was no decompression of SPACEHAB prior to loss of signal, and

(Above) The SPACEHAB Research Double Module (left) and Hitchhiker Carrier are lowered toward Columbias payload bay on May 23, 2002. The Fast Reaction Experiments Enabling Science, Technology, Applications and Research (FREESTAR) is on the Hitchhiker Carrier.

(Below) Columbias payload bay doors are ready to be closed over the SPACEHAB Research Double Module on June 14, 2002.

no dramatic increase in internal temperature or change in the air composition. This analysis suggests that the pressurized SPACEHAB module did not rupture during re-entry (see Appendix D.6.).

Finding:

F4.2-11 The payloads Columbia carried were not a factor in this accident.

Recommendations:

ｷ None

Willful Damage and Security

During the Boards investigation, suggestions of willful damage, including the possibility of a terrorist act or sabotage by a disgruntled employee, surfaced in the media and on various Web sites. The Board assessed such theories, giving particular attention to the unprecedented security precautions taken during the launch of STS-107 because of prevailing national security concerns and the inclusion of an Israeli crew member.

Speculation that Columbia was shot down by a missile was easily dismissed. The Orbiters altitude and speed prior to breakup was far beyond the reach of any air-to-air or surface-to-air missile, and telemetry and Orbiter support system data demonstrate that events leading to the breakup began at even greater altitudes.

The Boards evaluation of whether sabotage played any role included several factors: security planning and countermeasures, personnel and facility security, maintenance and processing procedures, and debris analysis.

To rule out an act of sabotage by an employee with access to these facilities, maintenance and processing procedures were thoroughly reviewed. The Board also interviewed employees who had access to the Orbiter.

The processes in place to detect anything unusual on the Orbiter, from a planted explosive to a bolt incorrectly torqued, make it likely that anything unusual would be caught during themanychecksthatemployeesperformastheOrbiternears final closeout (closing and sealing panels that have been left open for inspection) prior to launch. In addition, the process of securing various panels before launch and taking closeout photos of hardware (see Figure 4.2-5) almost always requires the presence of more than one person, which means a saboteur would need the complicity of at least one other employee, if not more.

Debris from Columbia was examined for traces of explosives that would indicate a bomb onboard. Federal Bureau of Investigation laboratories provided analysis. Laboratory technicians took multiple samples of debris specimens and compared them with swabs from Atlantis and Discovery. Visual examination and gas chromatography with chemiluminescence detection found no explosive residues on any specimens that could not be traced to the Shuttles pyrotechnic devices. Additionally, telemetry and other data indicate these pyrotechnic devices operated normally.

In its review of willful damage scenarios mentioned in the press or submitted to the investigation, the Board could not find any that were plausible. Most demonstrated a basic lack ofknowledgeofShuttleprocessingandthephysicsofexplosives, altitude, and thermodynamics, as well as the processes of maintenance documentation and employee screening.

NASA and its contractors have a comprehensive security system, outlined in documents like NASA Policy Directive 1600.2A. Rules, procedures, and guidelines address topics ranging from foreign travel to information security, from security education to investigations, and from the use of force to security for public tours.

The Board examined security at NASA and its related facilities through a combination of employee interviews, site visits, briefing reviews, and discussions with security personnel. The Board focused primarily on reviewing the capability of unauthorized access to Shuttle system components. Facilities and programs examined for security and sabotage potential included ATK Thiokol in Utah and its Reusable Solid Rocket Motor production, the Michoud Assembly Facility in Louisiana and its External Tank production, and the Kennedy Space Center in Florida for its Orbiter and overall integration responsibilities.

The Board visited the Boeing facility in Palmdale, California; Edwards Air Force Base in California; Stennis Space Center in Bay St. Louis, Mississippi; Marshall Space Flight Center near Huntsville, Alabama; and Cape Canaveral Air Force Station in Florida. These facilities exhibited a variety of security processes, according to each sites unique demands. At Kennedy, access to secure areas requires a series of identification card exchanges that electronically record each entry. The MichoudAssembly Facility employs similar measures, with additional security limiting access to a completed External Tank. The use of closed-circuit television systems complemented by security patrols is universal.

Employee screening and tracking measures appear solid across NASAand at the contractors examined by the Board. The agency relies on standard background and law enforcement checks to prevent the hiring of applicants with questionable records and the dismissal of those who may accrue such a record.

Figure 4.2-5. At left, a wing section open for inspection; at right, wing access closed off after inspection.

It is difficult for anyone to access critical Shuttle hardware alone or unobserved by a responsible NASA or contractor employee. With the exception of two processes when foam is applied to the External Tank at the Michoud Assembly Facility, there are no known final closeouts of any Shuttle component that can be completed with fewer than two people. Most closeouts involve at least five to eight employees before the component is sealed and certified for flight. All payloads also undergo an extensive review to ensure proper processing and to verify that they pose no danger to the crew or the Orbiter.

Security reviews also occur at locations such as the Transoceanic Abort Landing facilities. These sites are assessed prior to launch, and appropriate measures are taken to guarantee they are secure in case an emergency landing is required. NASAalso has contingency plans in place, including dealing with bioterrorism.

Both daily and launch-day security at the Kennedy Space Center has been tightened in recent years. Each Shuttle launch has an extensive security countdown, with a variety of checks to guarantee that signs are posted, beaches are closed, and patrols are deployed. K-9 patrols and helicopters guard the launch area against intrusion.

Because the STS-107 manifest included Israels first astronaut, security measures, developed with National Security Council approval, went beyond the normally stringent precautions, including the development of a Security Support Plan.

Military aircraft patrolled a 40-mile Federal Aviation Administration-restricted area starting nine hours before the launch of STS-107. Eight Coast Guard vessels patrolled a three-nautical-mile security zone around Kennedy Space Center and Cape Canaveral Air Force Station, and Coast Guard and NASA boats patrolled the inland waterways. Security forces were doubled on the day of the launch.

Findings:

F4.2-12 The Board found no evidence that willful damage was a factor in this accident.

F4.2-13 Two close-out processes at the Michoud Assembly Facility are currently able to be performed by a single person.

F4.2-14 Photographs of every close out activity are not routinely taken.

Recommendation:

R4.2-3 Require that at least two employees attend all final closeouts and intertank area hand-spraying procedures.

Micrometeoroids and Orbital Debris Risks

Micrometeoroids and space debris (often called "space junk") are among the most serious risk factors in Shuttle missions. While there is little evidence that micrometeoroids or space debris caused the loss of Columbia, and in fact a review of on-board accelerometer data rules out a major strike, micrometeoroids or space debris cannot be entirely ruled out as a potential or contributing factor.

Micrometeoroids, each usually no larger than a grain of sand, are numerous and particularly dangerous to orbiting spacecraft. Traveling at velocities that can exceed 20,000 miles per hour, they can easily penetrate the Orbiters skin. In contrast to micrometeoroids, orbital debris generally comes from destroyed satellites, payload remnants, exhaust from solid rockets, and other man-made objects, and typically travel at far lower velocities. Pieces of debris four inches or larger are catalogued and tracked by the U.S. Air Force Space Command so they can be avoided during flight.

NASA has developed computer models to predict the risk of impacts. The Orbital Debris Model 2000 (ORDEM2000) database is used to predict the probability of a micrometeoroid or space debris collision with an Orbiter, based on its flight trajectory, altitude, date, and duration. Development of the database was based on radar tracking of debris and satellite experiments, as well as inspections of returned Orbiters. The computer code BUMPER translates expected debris hits from ORDEM2000 into an overall risk probability for each flight. The worst-case scenario during orbital debris strikes is known as the Critical Penetration Risk, which can include the depressurization of the crew module, venting or explosion of pressurized systems, breaching of the Thermal Protection System, and damage to control surfaces.

NASA guidelines require the Critical Penetration Risk to be better than 1 in 200, a number that has been the subject of several reviews. NASA has made changes to reduce the probability. For STS-107, the estimated risk was 1 in 370, though the actual as-flown value turned out to be 1 in 356. The current risk guideline of 1 in 200 makes space debris or micrometeoroid strikes by far the greatest risk factor in the Probabilistic Risk Assessment used for missions. Although 1-in-200 flights may seem to be long odds, and many flights have exceeded the guideline, the cumulative risk for such a strike over the 113-flight history of the Space Shuttle Program is calculated to be 1 in 3. The Board considers this probability of a critical penetration to be unacceptably high. The Space Stations micrometeoroid and space debris protection system reduces its critical penetration risk to five percent or less over 10 years, which translates into a per-mission risk of 1 in 1,200 with 6 flights per year, or 60 flights over 10 years.

To improve crew and vehicle safety over the next 10 to 20 years, the Board believes risk guidelines need to be changed to compel the Shuttle Program to identify and, more to the point, reduce the micrometeoroid and orbital debris threat to missions.

Findings:

F4.2-15 There is little evidence that Columbia encountered either micrometeoroids or orbital debris on this flight.

F4.2-16 The Board found markedly different criteria for margins of micrometeoroid and orbital debris safety between the International Space Station and the Shuttle.

Recommendation:

R4.2-4 Require the Space Shuttle to be operated with the same degree of safety for micrometeoroid and orbital debris as the degree of safety calculated for the International Space Station. Change the micrometeoroid and orbital debris safety criteria from guidelines to requirements.

Orbiter Major Modification

The Board investigated concerns that mistakes, mishaps, or human error during Columbias last Orbiter Major Modification might have contributed to the accident. Orbiters are removed from service for inspection, maintenance, and modification approximately every eight flights or three years. Columbia began its last Orbiter Major Modification in September 1999, completed it in February 2001, and had flown once before STS-107. Several aspects of the Orbiter Major Modification process trouble the Board, and need to be addressed for future flights. These concerns are discussed in Chapter 10.

Findings:

F4.2-17 Basedonathoroughinvestigationofmaintenance records and interviews with maintenance personnel, the Board found no errors during Columbias most recent Orbiter Major Modification that contributed to the accident.

Recommendations:

ｷ None

Foreign Object Damage Prevention

Problems with the Kennedy Space Center and United Space Alliance Foreign Object Damage Prevention Program, which in the Department of Defense and aviation industry typically falls under the auspices of Quality Assurance, are related to changes made in 2001. In that year, Kennedy and Allianceredefinedthesingleterm"ForeignObjectDamage" ｭ an industry-standard blanket term ｭ into two terms: "Processing Debris" and "Foreign Object Debris."

Processing Debris then became:

Any material, product, substance, tool or aid generally used during the processing of flight hardware that remains in the work area when not directly in use, or that is left unattended in the work area for any length of time during the processing of tasks, or that is left remaining or forgotten in the work area after the completion of a task or at the end of a work shift. Also any item, material or substance in the work area that should be found and removed as part of standard housekeeping, Hazard Recognition and Inspection Program (HRIP) walkdowns, or as part of "Clean As You Go" practices.14

Foreign Object Debris then became:

Processing debris becomes FOD when it poses a potential risk to the Shuttle or any of its components, and only occurs when the debris is found during or subsequent to a final/flight Closeout Inspection, or subsequent to OMI S0007 ET Load SAF/FAC walkdown.15

These definitions are inconsistent with those of other NASA centers, Naval Reactor programs, the Department of Defense, commercial aviation, and National Aerospace FOD Prevention Inc. guidelines.16 They are unique to Kennedy Space Center and United SpaceAlliance.

Because debris of any kind has critical safety implications, these definitions are important. The United Space Alliance Foreign Object Program includes daily debris checks by management to ensure that workers comply with United SpaceAlliances "clean as you go" policy, but United Space Alliance statistics reveal that the success rate of daily debris checks is between 70 and 86 percent.17

The perception among many interviewees is that these novel definitions mitigate the impact of Kennedy Mission Assurance-found Foreign Object Debris on the United Space Alliance award fee. This is because "Processing Debris" statistics do not directly affect the award fee. Simply put, in splitting "Foreign Object Damage" into two categories, many of the violations are tolerated. Indeed, with 18 problem reports generated on "lost items" during the processing of STS-107 alone, the need for an ongoing, thorough, and stringent Foreign Object Debris program is indisputable. However, with two definitions of foreign objects ｭ Processing Debris and Foreign Object Debris ｭ the former is portrayed as less significant and dangerous than the latter. The assumption that all debris will be found before flight fails to underscore the destructive potential of Foreign Object Debris, and creates an incentive to simply accept "Processing Debris."

Finding:

F4.2-18 Since 2001, Kennedy Space Center has used a non-standard approach to define foreign object debris. The industry standard term "Foreign Object Damage" has been divided into two categories, one of which is much more permissive.

Recommendation:

R4.2-5 Kennedy Space Center Quality Assurance and United SpaceAlliance must return to the straightforward, industry-standard definition of "Foreign Object Debris," and eliminate any alternate or statistically deceptive definitions like "processing debris."