of the Presidential Commission on the Space Shuttle Challenger Accident


[35] PART 1


Recommendation III


[36] Presidential Commission Recommendation III


Criticality Review and Hazard Analysis. NASA and the primary Shuttle contractors should review all Criticality 1, 1R, 2, and 2R items and hazard analyses. This review should identify those items that must be improved prior to flight to ensure mission success and flight safety. An Audit Panel, appointed by the National Research Council, should verify the adequacy of the effort and report directly to the Administrator of NASA.





NASA is reviewing all NSTS components to determine that all critical items which must be improved prior to flight have been identified and that corrective actions are under way.

A failure modes and effects analysis (FMEA) is performed on each component of the Shuttle system to identify hardware items that are critical to the performance and safety of the vehicle and mission. This analysis begins with an identification of the functional components of each system and a determination of the potential modes of failure for that component. Postulated component failure modes are then analyzed to determine the resulting performance of the system and to ascertain the worst-case effect that could result from a failure in this mode. Items are categorized according to the worst-case effect of the failure on the vehicle, crew, and mission.

The Critical Items List (CIL) is a listing of components and their failure modes which, if they fail in one of the potential modes identified in the FMEA, could result in loss of vehicle, life, or mission. The CIL also includes items that could fail in one mode and result in loss of redundant systems capability, items whose failure mode is not readily detectable in flight, and redundant systems in which a single failure may result in loss of the total system capability.

Critical items with these failure modes must be subjected to design improvements or to corrective action to meet the program redundancy requirements, or a waiver must be submitted to document the rationale for retaining an item that does not meet the requirements. Data elements included in the rationale include design, test, and inspection data, failure history, and operational experience. An approved waiver must support the decision to accept the risk represented by the critical item and ensure that maintenance, test, or inspection procedures will minimize the potential occurrence of the failure.

The hazard analysis (HA) is another analytical tool used to assess the risk resulting from hazardous conditions that could develop while operating and maintaining the system hardware and software. In addition to evaluating the risk resulting from the failures identified in the FMEA process, these analyses identify the presence of other potential risks caused by the environment, crew-machine interfaces, and mission activities.

These hazards and their causes are reviewed to identify areas where hazard [38] elimination or control methods may be achieved by additional design, procedural changes, or operational constraints. Any hazards remaining after all feasible design or procedural corrective efforts are implemented are termed accepted risks and require review and approval by the Director, NSTS.

Each NSTS project and its prime contractor is conducting a review to verify the completeness and accuracy of the FMEA/CIL for the current design. A similar evaluation of all element and integrated system-level hazard analyses has been initiated. All waivers required for items whose failure modes would result in loss of vehicle, life, or mission have been rescinded and must be resubmitted to the Director, NSTS, for approval.

The NSTS has standardized the procedures for preparation of the FMEA/CIL and for documenting the waiver-retention rationale. These procedures, documented in NSTS 22206, Instructions for Preparation of Failure Modes and Effects Analyses and Critical Items List, provide detailed instructions, data elements, and ground rules emphasizing standardization and commonality throughout the program.

Figure 18 describes the evaluation process for the FMEA/CIL. Items subjected to FMEA review are reflected in one of five major criticality classifications commensurate with the failure mode. These classifications are defined in Table 2.

Independent contractors are conducting parallel reviews of the FMEA/CIL for each element and reporting the results of their assessments to the respective element project manager and to the Director, NSTS. These reviews emphasize any analysis results that differ from those identified by NASA or the element prime contractors. These independent contractors are listed in Table 3.

The FMEA/CIL review requires three actions to be taken for each hardware element: (1) the failure modes, causes, and related effects must be identified and documented, (2) the criticality of each mode must be developed, and (3) the retention rationale for each waiver must be established. Special effort is directed to identifying design enhancements, operational/procedural checkout changes, or software additions that reduce the criticality and/or minimize the risk of the potential failure mode.

Figure 18. FMEA/CIL Evaluation Process. (Flow chart not reproduced here.)


[39] Table 2. FMEA/CIL Criticality Classification.

Criticality Level    Effect of Failure
1                    Loss of life or vehicle
1R                   Failure of all redundant hardware items could cause loss of life or vehicle
2                    Loss of mission
2R                   Failure of all redundant hardware items could cause loss of mission
3                    All others


NASA and the contractor jointly review the results of the FMEA/CIL evaluation and identify significant items for review by the element project offices. Items such as newly identified critical items, changes in criticality, changes in the redundancy verification requirements, or changes in the flight documentation require management approval prior to program acceptance.
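As an added illustration, not code from NASA, the report, or any Shuttle contractor, the following Python sketches the FMEA/CIL screen described above: the Table 2 classification by worst-case effect and redundancy, CIL membership, the data elements a waiver-retention rationale must carry, the management-approval triggers listed in the preceding paragraph, and the change-request linkage the NRC committee asked for. Level labels 1, 1R, 2 and 2R come from the text; the label 3 for the "all others" class follows the standard NSTS FMEA criticality definitions. Every hardware item, field name and sample record is constructed for the example.

```python
# Added illustration, not code from NASA, the report, or any Shuttle
# contractor. Levels 1, 1R, 2 and 2R are from the text; "3" for the
# "all others" class follows the standard NSTS FMEA definitions.
# Every item, field name and sample record below is constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Effect(Enum):
    """Worst-case effect of a failure mode, as used in Table 2."""
    LOSS_OF_LIFE_OR_VEHICLE = "loss of life or vehicle"
    LOSS_OF_MISSION = "loss of mission"
    OTHER = "all others"


# Data elements the text requires in a waiver-retention rationale.
REQUIRED_RATIONALE = ("design", "test", "inspection",
                      "failure_history", "operational_experience")
CRITICAL_LEVELS = ("1", "1R", "2", "2R")


@dataclass
class FailureMode:
    item: str
    mode: str
    worst_case: Effect
    redundant: bool = False                   # redundant hardware covers this mode
    detectable_in_flight: bool = True
    prior_criticality: Optional[str] = None   # level on the previous CIL, if any
    corrected_by_design: bool = False         # a design change removes the mode
    rationale: dict = field(default_factory=dict)  # constructed rationale data


def classify(fm: FailureMode) -> str:
    """Table 2: worst-case effect and redundancy select the criticality level."""
    if fm.worst_case is Effect.LOSS_OF_LIFE_OR_VEHICLE:
        return "1R" if fm.redundant else "1"
    if fm.worst_case is Effect.LOSS_OF_MISSION:
        return "2R" if fm.redundant else "2"
    return "3"


def on_cil(fm: FailureMode) -> bool:
    """Criticality 1, 1R, 2 and 2R modes form the CIL population under review."""
    return classify(fm) in CRITICAL_LEVELS


def missing_rationale(fm: FailureMode) -> list:
    return [k for k in REQUIRED_RATIONALE if not fm.rationale.get(k)]


def disposition(fm: FailureMode) -> str:
    """Third review action: corrective action, or a waiver with complete rationale."""
    if not on_cil(fm):
        return "not a critical item"
    if fm.corrected_by_design:
        return "design improvement / corrective action"
    missing = missing_rationale(fm)
    if missing:
        return "waiver incomplete: missing " + ", ".join(missing)
    return "waiver: retention rationale complete, submit to Director, NSTS"


def approval_flags(fm: FailureMode) -> list:
    """Conditions that require management approval before program acceptance."""
    flags = []
    level = classify(fm)
    if on_cil(fm) and fm.prior_criticality is None:
        flags.append("newly identified critical item")
    elif fm.prior_criticality is not None and fm.prior_criticality != level:
        flags.append(f"criticality changed {fm.prior_criticality} -> {level}")
    if level.endswith("R") and not fm.detectable_in_flight:
        flags.append("redundant-path failure not detectable in flight")
    return flags


def change_request_linkage(changed_items, fmea) -> list:
    """Response (4): the critical items a change request touches must be tied to the CIL."""
    touched = set(changed_items)
    return sorted({fm.item for fm in fmea if fm.item in touched and on_cil(fm)})


FULL = {k: "recorded" for k in REQUIRED_RATIONALE}

# Constructed sample FMEA records (not real Shuttle CIL entries).
SAMPLE_FMEA = [
    FailureMode("hydraulic isolation valve", "fails closed",
                Effect.LOSS_OF_LIFE_OR_VEHICLE, prior_criticality="1", rationale=FULL),
    FailureMode("avionics cooling fan", "fails to start", Effect.LOSS_OF_MISSION,
                redundant=True, detectable_in_flight=False,
                rationale={k: v for k, v in FULL.items() if k != "failure_history"}),
    FailureMode("propellant line heater", "open circuit",
                Effect.LOSS_OF_LIFE_OR_VEHICLE, redundant=True,
                prior_criticality="2R", corrected_by_design=True),
    FailureMode("cabin lamp", "burnout", Effect.OTHER),
]


def review(fmea) -> list:
    """Run the screen over a list of failure modes and return one record each."""
    return [{"item": fm.item, "mode": fm.mode, "criticality": classify(fm),
             "on_cil": on_cil(fm), "disposition": disposition(fm),
             "approval_flags": approval_flags(fm)} for fm in fmea]


if __name__ == "__main__":
    for row in review(SAMPLE_FMEA):
        print(row)
    print(change_request_linkage(["avionics cooling fan", "cabin lamp"], SAMPLE_FMEA))
```

The point of the sketch is that the criticality level is a pure function of worst-case effect and redundancy, while the disposition depends on whether a design fix exists or whether every required rationale element is present; an item that is redundant but whose failure is not detectable in flight is surfaced separately, since the text treats such modes as CIL candidates even when redundancy exists.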

As each element project completes its FMEA/CIL evaluation, the results are submitted to the Program Requirements Control Board (PRCB) for approval. The presentation includes significant issues resolved during the project reviews, new CIL items or those with changed criticality classifications, critical item waiver-retention rationale, and assessments from the independent contractor reviews.

The PRCB is co-chaired by the Director, NSTS, and the Deputy Director, NSTS Program. After the board presentation, a directive is issued that documents items for which waivers have been granted and lists actions assigned by the PRCB. Each critical item, along with its approved waiver, is maintained by the NSTS Program, and any subsequent changes affecting the CIL must be approved by the Director, NSTS.

An NSTS Oversight Group, consisting of safety, reliability, and quality assurance personnel from each center, ensures that prime contractor reviews are consistent and conform to the evaluation plan. This review group has visited the orbiter, external tank (ET), and Space Shuttle main engine (SSME) prime contractor facilities, the Kennedy Space Center (KSC) vehicle processing organizations, and the Marshall Space Flight Center (MSFC) Spacelab Project Office. The solid rocket motor (SRM) prime contractor's facility will be visited before the critical design review of the redesigned hardware. SR&QA representatives from the NSTS Program Office are supporting the ongoing FMEA/CIL activities at each center to ensure that reviews are performed in accordance with program guidelines and requirements.


Table 3. Critical Item Review Teams.

Orbiter
  Prime contractor: Rockwell International, Space Transportation Systems Division
  Independent review contractor: McDonnell Douglas Astronautics Company, Houston Division

External tank
  Prime contractor: Martin Marietta, Michoud Aerospace Division
  Independent review contractor: Rockwell International, Space Transportation Systems Division

Solid rocket motor
  Prime contractor: Morton Thiokol Inc., Wasatch Operations
  Independent review contractor: Martin Marietta, Denver Aerospace Division

Solid rocket booster
  Prime contractor: United Technologies Corp., United Space Boosters Inc.
  Independent review contractor: Martin Marietta, Denver Aerospace Division

Space Shuttle main engine
  Prime contractor: Rockwell International, Rocketdyne Division
  Independent review contractor: Martin Marietta, Denver Aerospace Division


Each project office, its prime contractor, and the independent contractors are evaluating all hazard analyses and reports to verify the completeness and accuracy of the safety analysis for the NSTS design and operational use. Hazards are categorized as controlled (by design, procedure, etc.) or as an accepted risk. Figure 19 describes the evaluation process for the hazard analyses.

Each hazard analysis assessment is being conducted in accordance with the guidance provided in NSTS 22254, Methodology for Conduct of NSTS Hazard Analyses, which defines the policy and procedures required for preparing hazard analyses, reports, and mission safety assessments.

The HA reviews are being conducted in a manner similar to that used in the FMEA/CIL review process. NASA and the element prime contractors are assessing the systems hazards, and the integration contractor is assessing potential hazards that cross element interfaces. The independent contractors are performing similar reviews and reporting directly to the projects and to the NSTS Program Office.

The HA assessment consists of a technical safety evaluation of the source material used for all analyses, studies, and investigations conducted from the beginning of NSTS flights. Each subsystem assessment ensures that all hazards have been identified, that dispositions are accurate, and that identified risks are acceptable. Final results of the evaluation will be submitted to the responsible project for review.

At the conclusion of the hazard analysis reviews, all open hazards, accepted risk candidates, or controlled hazards whose cause or effect crosses element interfaces, and the substantiating data and closure rationale, will be forwarded to a Senior Safety Review Board. This board will evaluate all submitted hazards and forward accepted risk candidates to the PRCB for approval by the Director, NSTS.



In addition to the FMEA/CIL/HA reviews, the NSTS is reviewing and updating the element interface functional analyses (EIFA's) for all flight elements. EIFA's are analyses of various functional failure modes that can occur at element-to-element interfaces as a result of a hardware failure in either element. The purpose of these analyses is to correlate element hardware failures with failure modes at the element interface to determine the effect on the mission, vehicle, or crew safety. This activity ensures that the hardware FMEA/CIL's have the correct criticality classification.


Figure 19. Hazard Analysis Evaluation Process. (Flow chart not reproduced here.)


[41] EIFA's have been conducted on ET/orbiter, SSME/orbiter, and SRB/ET/orbiter interfaces. These analyses have been reviewed by NASA and the systems integration contractor, and the results are under evaluation by the element project offices and the NSTS Engineering Integration Office. When this review is completed, the finalized EIFA's will be presented to the PRCB for formal approval.



The Shuttle Criticality Review and Hazard Analysis Audit Committee of the National Research Council (NRC), chaired by retired USAF General Alton Slay, reports directly to the NASA Administrator and is responsible for verifying the adequacy of the proposed actions for returning the Space Shuttle to flight status (see Appendix F for panel membership and a summary of responsibilities).

The committee has discussed the FMEA/CIL/HA reevaluation process with representatives from NASA Headquarters, JSC, KSC, and MSFC. Meetings have been held at the centers and at Rockwell International's Space Transportation Systems and Rocketdyne divisions; Morton Thiokol; United Space Boosters, Inc.; Sundstrand Corporation; and NRC Headquarters. The committee is evaluating the adequacy of the review process, checking for continuity across all elements of the program, and reviewing changes that NASA and its contractors have made since the accident.

A preliminary report was submitted to the NASA Administrator on January 13, 1987, indicating that the committee has been favorably impressed with the results obtained from the FMEA/CIL and hazard analysis processes. While the committee's general impressions were favorable, it did make some suggestions for improvements. In summary, these suggestions are: (1) Criticality 1 and 1R items should be assigned priorities based on the probability of occurrence; (2) since many of the Criticality 1 and 1R items differ substantially in terms of the probability of failure, NASA should consider modifying the definition of critical items to account for these differences; (3) NASA should incorporate its present system review procedures into an integrated system assessment process coupled closely with the FMEA/CIL reevaluation now being undertaken; (4) linkage between the STS engineering change activities and the FMEA/CIL/HA processes should be provided. NASA has responded to these suggestions in the following manner:

1. Several candidate systems for prioritizing critical items have been evaluated by each of the projects. A hybrid system has been developed that incorporates the positive features of the candidate systems and specifically addresses probability of occurrence. The approach can be overlaid on the existing FMEA activity with minimum perturbation, providing an effective measure of relative risk.

In parallel with the development of prioritization techniques, an effort is under way to determine the applicability of probability risk assessment to the FMEA/CIL process. This technique is used in the nuclear power industry to provide relative-risk assessments. Two firms with expertise in probability analysis have been selected to perform detailed assessments of the orbiter auxiliary power unit and the main propulsion engine pressurization system. A decision to apply probability analysis techniques to other systems of the program will depend on the results of these assessments.

2. The FMEA/CIL prioritization process will provide the program focus and the more precise definitions of critical items that the committee's second suggestion calls for.

3. Since the accident, NASA has reemphasized its risk management effort. An important feature of the revised effort is a "systems engineering" approach that integrates the various elements of hardware and software failure analysis. Further discussion of risk management is included in the response to Recommendation IV.

4. Engineering changes are processed through the same project and program control boards that conduct and approve the reviews of the FMEA/CIL. Each [42] change request will be assessed to determine if it affects any Criticality 1 or 2 hardware to ensure that the required linkage is provided.

The NRC audit committee is reviewing additional areas to identify potential methods of reducing risk. These include the design qualification and flight certification processes, launch commit criteria and waiver policy, and the generation, review, and approval of retention rationale for waivers to critical items.

Also being reviewed are the overall safety, reliability, maintainability, and quality assurance program, the definition of structural analysis requirements, the establishment and verification of analyses for margins of safety, the risk management processes for software, and the processes for analyzing payload safety.

Interim findings and recommendations from these reviews will be submitted to the NASA Administrator through letter reports, as required. The final report, anticipated in 1987, will include an assessment of the procedures reviewed and recommendations for improving the Shuttle risk management system. As reports are received, any recommendations included will be reviewed by NASA and responses will be provided to NRC.
