[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
NASA'S ORGANIZATIONAL AND
MANAGEMENT CHALLENGES IN THE
WAKE OF THE COLUMBIA DISASTER
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON SCIENCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
FIRST SESSION
__________
OCTOBER 29, 2003
__________
Serial No. 108-30
__________
Printed for the use of the Committee on Science
Available via the World Wide Web: http://www.house.gov/science
90-160 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092250 Mail: Stop SSOP, Washington, DC 20402�090001
______
COMMITTEE ON SCIENCE
HON. SHERWOOD L. BOEHLERT, New York, Chairman
LAMAR S. SMITH, Texas RALPH M. HALL, Texas
CURT WELDON, Pennsylvania BART GORDON, Tennessee
DANA ROHRABACHER, California JERRY F. COSTELLO, Illinois
JOE BARTON, Texas EDDIE BERNICE JOHNSON, Texas
KEN CALVERT, California LYNN C. WOOLSEY, California
NICK SMITH, Michigan NICK LAMPSON, Texas
ROSCOE G. BARTLETT, Maryland JOHN B. LARSON, Connecticut
VERNON J. EHLERS, Michigan MARK UDALL, Colorado
GIL GUTKNECHT, Minnesota DAVID WU, Oregon
GEORGE R. NETHERCUTT, JR., MICHAEL M. HONDA, California
Washington CHRIS BELL, Texas
FRANK D. LUCAS, Oklahoma BRAD MILLER, North Carolina
JUDY BIGGERT, Illinois LINCOLN DAVIS, Tennessee
WAYNE T. GILCHREST, Maryland SHEILA JACKSON LEE, Texas
W. TODD AKIN, Missouri ZOE LOFGREN, California
TIMOTHY V. JOHNSON, Illinois BRAD SHERMAN, California
MELISSA A. HART, Pennsylvania BRIAN BAIRD, Washington
JOHN SULLIVAN, Oklahoma DENNIS MOORE, Kansas
J. RANDY FORBES, Virginia ANTHONY D. WEINER, New York
PHIL GINGREY, Georgia JIM MATHESON, Utah
ROB BISHOP, Utah DENNIS A. CARDOZA, California
MICHAEL C. BURGESS, Texas VACANCY
JO BONNER, Alabama
TOM FEENEY, Florida
RANDY NEUGEBAUER, Texas
C O N T E N T S
October 29, 2003
Page
Witness List..................................................... 2
Hearing Charter.................................................. 3
Opening Statements
Statement by Representative Sherwood L. Boehlert, Chairman,
Committee on Science, U.S. House of Representatives............ 10
Written Statement............................................ 11
Statement by Representative Ralph M. Hall, Minority Ranking
Member, Committee on Science, U.S. House of Representatives.... 11
Written Statement............................................ 13
Statement by Representative Bart Gordon, Member, Committee on
Science, U.S. House of Representatives......................... 14
Prepared Statement by Representative Dana Rohrabacher, Chairman,
Subcommittee on Space and Aeronautics, Committee on Science,
U.S. House of Representatives.................................. 15
Prepared Statement by Representative Jerry F. Costello, Member,
Committee on Science, U.S. House of Representatives............ 15
Prepared Statement by Representative Eddie Bernice Johnson,
Member, Committee on Science, U.S. House of Representatives.... 15
Prepared Statement by Representative Sheila Jackson Lee, Member,
Committee on Science, U.S. House of Representatives............ 16
Panel I
Admiral F.L. ``Skip'' Bowman, Director, Naval Nuclear Propulsion
Program, U.S. Navy
Oral Statement............................................... 17
Written Statement............................................ 19
Biography.................................................... 24
Rear Admiral Paul E. Sullivan, Deputy Commander, Ship Design,
Integration and Engineering, Naval Sea Systems Command, U.S.
Navy
Oral Statement............................................... 24
Written Statement............................................ 26
Biography.................................................... 33
Mr. Ray F. Johnson, Vice President, Space Launch Operations, The
Aerospace Corporation
Oral Statement............................................... 33
Written Statement............................................ 35
Biography.................................................... 40
Ms. Deborah L. Grubbe, P.E., Corporate Director, Safety and
Health, DuPont
Oral Statement............................................... 40
Written Statement............................................ 42
Biography.................................................... 43
Discussion, Panel I
ITEA Budget Independence....................................... 44
Waivers........................................................ 45
Managing Safety................................................ 46
SUBSAFE........................................................ 48
Crew Escape.................................................... 48
Handling Anomolies............................................. 49
Safety Accountability.......................................... 50
Decision-making in the Naval Reactors Program.................. 52
Culture and Attitude........................................... 52
SUBSAFE's Use of the Challenger Case Study..................... 53
NASA/Navy Benchmarking......................................... 54
CAIB Recommendations........................................... 55
Communicating Risk............................................. 55
Turnover in the Safety Workforce............................... 56
Nanotechnology................................................. 57
NASA/Navy Benchmark............................................ 58
Manned vs. Unmanned Space Flight............................... 58
Safety Organization............................................ 59
Panel II
Admiral Harold Gehman (ret.), Chairman, Columbia Accident
Investigation Board
Oral Statement............................................... 61
Written Statement............................................ 62
Discussion, Panel II
ISS Safety and CAIB Recommendations............................ 63
Safety Program Independence.................................... 64
ISS Safety..................................................... 65
Leadership Confidence.......................................... 66
ISS Safety..................................................... 67
Vision......................................................... 67
Expedition 8 Launch Decision-making Process.................... 68
ITEA and Safety Staff Turnover................................. 69
ISS Review..................................................... 70
Appendix 1: Answers to Post-Hearing Questions
.................................................................
Admiral F.L. ``Skip'' Bowman, Director, Naval Nuclear Propulsion
Program, U.S. Navy 74
Rear Admiral Paul E. Sullivan, Deputy Commander, Ship Design,
Integration and Engineering, Naval Sea Systems Command, U.S.
Navy 82
Mr. Ray F. Johnson, Vice President, Space Launch Operations, The
Aerospace Corporation.......................................... 88
Ms. Deborah L. Grubbe, P.E., Corporate Director, Safety and
Health, DuPont................................................. 92
Appendix 2: Additional Material for the Record
Statement of Admiral H.G. Rickover before the Subcommittee on
Energy Research and Production, Committee on Science and
Technology, U.S. House of Representatives, May 24, 1979........ 96
Report NT-03-1, Environmental Monitoring and Disposal of
Radioactive Wastes From U.S. Naval Nuclear-Powered Ships and
Their Support Facilities, March 2003, Naval Nuclear Propulsion
Program........................................................ 208
Report NT-03-2, Occupational Radiation Exposure From U.S. Naval
Nuclear Plants and Their Support Facilities, March 2003, Naval
Nuclear Propulsion Program..................................... 269
Report NT-03-03, Occupational Radiation Exposure From Naval
Reactors' Department of Energy Facilities, March 2003, Naval
Nuclear Propulsion Program..................................... 322
Report NT-03-4, Occupational Safety, Health, and Occupational
Medicine Report, March 2003, Naval Nuclear Propulsion Program.. 373
NASA'S ORGANIZATIONAL AND MANAGEMENT CHALLENGES IN THE WAKE OF THE
COLUMBIA DISASTER
----------
WEDNESDAY, OCTOBER 29, 2003
House of Representatives,
Committee on Science,
Washington, DC.
The Committee met, pursuant to call, at 10:10 a.m., in Room
2318 of the Rayburn House Office Building, Hon. Sherwood L.
Boehlert [Chairman of the Committee] presiding.
hearing charter
COMMITTEE ON SCIENCE
U.S. HOUSE OF REPRESENTATIVES
NASA's Organizational and
Management Challenges in the
Wake of the Columbia Disaster
wednesday, october 29, 2003
10:00 a.m.-12:00 p.m.
2318 rayburn house office building
1. Purpose
On Wednesday, October 29, 2003 at 10:00 a.m., the House Committee
on Science will hold a hearing to address the organizational and
management issues confronting the National Aeronautics and Space
Administration (NASA) in the aftermath of the Space Shuttle Columbia
accident. According to the Columbia Accident Investigation Board
(CAIB), NASA's ``organizational culture and structure'' had as much to
do with the Columbia's demise as the physical causes of the accident.
During the course of its nearly seven months of investigation into the
causes of the accident, the CAIB encountered an ineffective and
disengaged safety organization within NASA that ``failed to adequately
assess anomalies and frequently accepted critical risks without
qualitative or quantitative support.'' Based on its findings, the CAIB
recommended significant changes to the organizational structure of the
Space Shuttle Program (detailed below).
To give a sense of some of the ways NASA could be restructured to
comply with its recommendations, the CAIB report provided three
examples of organizations with independent safety programs that
successfully operate high-risk technologies. The examples were: the
United States Navy's Submarine Flooding Prevention and Recovery
(SUBSAFE) and Naval Nuclear Propulsion (Naval Reactors) programs and
the Aerospace Corporation's independent launch verification process and
mission assurance program for the U.S. Air Force.
This hearing will provide an opportunity to examine each of these
examples in depth, as well as the safety programs of the Dupont
Corporation (an acknowledged industry leader in safety), to help
determine how NASA should be reorganized.
2. Critical Questions
The CAIB determined that reorganizing NASA is a critical
requirement if the Shuttle is to fly safely over the long term. To
provide adequate oversight of NASA's reorganization plans, the
Committee needs to understand how different organization structures can
contribute to safety. To that end, the following questions were
submitted in advance to each of the witnesses:
a. What does it mean for a safety program to be
``independent''? How can safety organizations be structured to
ensure their independence?
b. How can safety programs be organized to ensure that they
are robust and effective, but do not prevent the larger
organization from carrying out its duties?
c. How do you ensure that the existence of an independent
safety program does not allow the larger organization to
absolve itself of responsibility for safety?
d. How do you ensure that dissenting opinions are offered
without creating a safety review process that can never reach
closure?
3. Background
Recommendations of the CAIB and previous reports
Since the loss of the Space Shuttle Challenger in 1986, numerous
outside experts have reviewed NASA's human space flight safety programs
and found them lacking. For instance, in the immediate aftermath of the
Challenger accident, the Rogers Commission issued recommendations
calling for the creation of an independent safety oversight function.
Despite NASA's compliance efforts, the U.S. General Accounting Office
concluded in 1990 that NASA still ``did not have an independent and
effective safety organization.'' Nine years later, the Shuttle
Independent Assessment Team and NASA Integrated Action Team likewise
issued findings that were critical of NASA's safety programs and echoed
the Roger Commission's call for the creation of an independent safety
oversight function. Finally, in 2002, the Space Shuttle Competitive
Task Force reiterated the call for an independent safety assurance
function at NASA with ``authority to shut down the flight preparation
processes or intervene post-launch when an anomaly occurs.''
In August of 2003, the CAIB released Volume I of its report on the
Columbia accident. Consistent with previous analyses of NASA's safety
programs, the CAIB Report discovered fundamental, structural
deficiencies in NASA's safety programs. For example, the report states,
``the Shuttle Program's complex structure erected barriers to effective
communication and its safety culture no longer asks enough hard
questions about risk.. . .[T]he mistakes that were made on [the
Columbia mission] are not isolated failures, but are indicative of
systemic flaws that existed prior to the accident.. . .[A successful
safety process] demands a more independent status than NASA has ever
been willing to give its safety organizations, despite the
recommendations of numerous outside experts over nearly two
decades[.]''
According to the CAIB Report, NASA's current approach to safety and
mission assurance ``calls for centralized policy and oversight at
Headquarters and decentralized execution of safety programs at the
enterprise, program, and project levels.'' Under the existing
organizational rubric, ``safety is the responsibility of program and
project managers'' who are given flexibility ``to organize safety
efforts as they see fit.''
To remedy the current organization deficiencies, the primary CAIB
recommendation on organization calls on NASA to ``establish an
independent Technical Engineering Authority'' that would be
``responsible for technical requirements and all waivers to them'' and
that would be ``funded directly from NASA Headquarters, and should have
no connection to or responsibility for schedule or program cost.'' The
CAIB's fundamental goal is to separate the responsibility for safety
from the Shuttle program's responsibility for cost and schedule. The
current NASA structure, in which the Shuttle program itself is
ultimately responsible for cost, schedule and safety inevitably leads
to ``blind spots''--serious safety problems that are not properly
analyzed or addressed, the CAIB concluded. The CAIB did not specify
precisely how NASA should be reorganized to implement its
recommendations, leaving that up to the agency.
While the CAIB report does not label the implementation of a new
organizational structure as a ``return to flight'' requirement, the
report does say that NASA must ``prepare a detailed plan for defining,
establishing, transitioning and implementing an independent Technical
Engineering Authority, independent safety program, and a reorganized
Space Shuttle Integration Office'' prior to returning to flight.
NASA is in the process of preparing such a plan. Administrator Sean
O'Keefe has tasked the Associate Administrator for Safety and Mission
Assurance, Bryan O'Connor, with coming up with a proposed
reorganization plan. O'Connor has circulated a ``white paper''
outlining his ideas for reorganization among NASA staff. Before being
implemented, any reorganization plan will be reviewed both by the
Stafford-Covey Task Force (the task force of outside experts set up by
O'Keefe to evaluate return-to-flight activities, which is headed by
former astronauts Tom Stafford and Richard Covey) and by the Space
Flight Leadership Council, which comprises top NASA officials. NASA is
also in the process of setting up a new NASA Engineering and Safety
Center (NESC), which would be able to ``independently'' review aspects
of programs. It is not clear how the NESC would relate to a new
Independent Technical Engineering Authority, but Admiral Harold Gehman,
the chairman of the CAIB, has testified that the NESC does not, by
itself, fulfill the CAIB's recommendations related to organization.
Model safety organizations
The CAIB Report cites three examples of organizations with
successful safety programs and practices that could be models for NASA:
the United States Navy's Naval Reactors and SUBSAFE programs and the
Aerospace Corporation's independent launch verification process and
mission assurance program for the U.S. Air Force.
The Naval Reactors program is a joint Navy/Department of Energy
organization responsible for all aspects of Navy nuclear propulsion,
including research, design, testing, training, operation, and
maintenance of nuclear propulsion plants on-board Navy ships and
submarines. The Naval Reactors program is structurally independent of
the operational program that it serves. Although the naval fleet is
ultimately responsible for day-to-day operations and maintenance, those
operations occur within parameters independently established by the
Naval Reactors program. In addition to its independence, the Naval
Reactors program has certain features that might be emulated by NASA,
including an insistence on airing minority opinions and planning for
worst case scenarios, a requirement that contractor technical
requirements are documented in peer reviewed formal written
correspondence, and a dedication to relentless training and retraining
of its engineering and safety personnel.
SUBSAFE is a program that was initiated by the Navy to identify
critical changes in submarine certification requirements and to verify
the readiness and safety of submarines. The SUBSAFE program was
initiated in the wake of the USS Thresher nuclear submarine accident in
1963. Until SUBSAFE independently verifies that a submarine has
complied with SUBSAFE design and process requirements, its operating
depth and maneuvers are limited. The SUBSAFE requirements are clearly
documented and achievable, and rarely waived. Program mangers are not
permitted to ``tailor'' requirements without approval from SUBSAFE.
Like the Naval Reactors program, the SUBSAFE program is structurally
independent from the operational program that it serves. Likewise,
SUBSAFE stresses training and retraining of its personnel based on
``lessons learned,'' and appears to be relatively immune from budget
pressures.
The Aerospace Corporation operates as a Federally Funded Research
and Development Center that independently verifies safety and readiness
for space launches by the United States Air Force. As a separate entity
altogether from the Air Force, Aerospace conducts system design and
integration, verifies launch readiness, and provides technical
oversight of contractors. Aerospace is indisputably independent and is
not subject to schedule or cost pressures.
According to the CAIB, the Navy and Air Force programs have
``invested in redundant technical authorities and processes to become
reliable.'' Specifically, each of the programs allows technical and
safety engineering organizations (rather than the operational
organizations that actually deploy the ships, submarines and planes) to
``own'' the process of determining, maintaining, and waiving technical
requirements. Moreover, each of the programs is independent enough to
avoid being influenced by cost, schedule, or mission-accomplishment
goals. Finally, each of the programs provides its safety and technical
engineering organizations with a powerful voice in the overall
organization. According to the CAIB, the Navy and Aerospace programs
``yield valuable lessons for [NASA] to consider when redesigning its
organization to increase safety.''
4. Witnesses
First Panel
a. Admiral Frank L. ``Skip'' Bowman, United States Navy (USN),
is the Director of the Naval Nuclear Propulsion (Naval
Reactors) Program. In this capacity, Admiral Bowman is
responsible for the program that oversees the design,
development, procurement, operation, and maintenance of all the
nuclear propulsion plants powering the Navy's fleet of nuclear
warships. Admiral Bowman is a graduate of Duke University and
the Massachusetts Institute of Technology.
b. Rear Admiral Paul Sullivan, USN, is the Deputy Commander
for Ship Design Integration and Engineering for the Naval Sea
Systems Command, which is the authority for the technical
requirements of the SUBSAFE program. Admiral Sullivan is a
graduate of the U.S. Naval Academy and the Massachusetts
Institute of Technology.
c. Mr. Ray F. Johnson is the Vice President for Space Launch
Operations for the Aerospace Corporation, located in El
Segundo, California. Mr. Johnson is responsible for Aerospace's
support for all Air Force space launch programs, including
Aerospace's certification reviews prior to launch. Mr. Johnson
holds a B.S. degree in mechanical engineering from the
University of California at Berkeley and an MBA from the
University of Chicago.
d. Ms. Deborah L. Grubbe is the Corporate Director for Safety
and Health at Dupont. In this capacity, Ms. Grubbe is tasked
with leading new initiatives in global safety and occupational
health for Dupont. Ms. Grubbe and is a past director of DuPont
Nonwovens, where she was accountable for manufacturing,
engineering, and safety. Ms. Grubbe holds a B.S. degree in
chemical engineering from Purdue University and a Certificate
of Post-Graduate Study in chemical engineering from Cambridge
University.
Second Panel
Admiral Harold Gehman, Jr., USN (retired), chaired the Columbia
Accident Investigation Board.
5. Attachment
Excerpt from the Columbia Accident Investigation Board Report,
Volume I (August 2003), Chapter 7, Section 7.3 (pp. 182-184).
Attachment
Chairman Boehlert. We might as well start. We thank you for
being punctual, and I tried very hard to be punctual, too.
I want to welcome everyone to today's hearing, which
concerns one of the most critical recommendations of the
Columbia Accident Investigation Board. The CAIB was clear and
on-target in citing organizational deficiencies as a leading
cause of the Columbia accident. It was also clear and on-target
in calling for the establishment of a new Independent Technical
Engineering Authority and of a truly independent safety
organization. And in both instances, I stress the word
``independent''.
In both its conclusions and its recommendations on
organization, the Columbia Accident Investigation Board was,
unfortunately, able to follow a well-worn path. The Rogers
Commission and the Shuttle Independent Assessment Team, among
others, had made similar recommendations. They all apparently
fell on deaf ears. This must not be allowed to happen again.
NASA Administrator Sean O'Keefe is to be applauded for
deciding that the reorganization of NASA should occur before
return to flight, setting a more ambitious schedule than that
called for by the CAIB. He should also be congratulated for
recognizing NASA's organizational deficiencies before the
Columbia accident, which led him to initiate the so-called
``benchmarking studies'' comparing NASA with the Navy,
something with which he is most familiar.
But, of course, undertaking the right studies and setting
the right schedule is not enough. NASA must actually come up
with the right reorganization plan and make sure that it is
taken to heart.
The CAIB did not dictate exactly how NASA should carry out
its recommendations, so NASA is now in the process of drawing
up its plans, and this committee will have to review those
plans with a fine-tooth comb.
The purpose of today's hearing is to help give us the
background to do just that. We will hear from organizations
that the CAIB cited as possible models for NASA to follow and
from an industrial leader in safety. Obviously, there are
differences among these models, and any one of them would have
to be adapted to apply to NASA, but they all highlight
characteristics of high-reliability organizations that NASA has
been lacking. We will learn from Admiral Gehman precisely why
and how the Navy and Air Force safety programs can be seen as
models for NASA.
I have no doubt that this committee will have ample
opportunity over the next year or so to put to use the
information we gather today. As I noted earlier, NASA is just
in the initial stages of putting together and organizational
plan, and I have complete confidence that Administrator O'Keefe
has taken the CAIB recommendations to heart.
But that said, I must note that I believe the initial
organization ideas being circulated by NASA fall significantly
short of the mark. We look forward to working with NASA as it
continues to rework its plans.
Today's hearing, though, is not on any specific proposal.
Rather, our goal today is to learn what has worked elsewhere
and why and to start thinking how the experience of others
could be put to work to help NASA.
This is one of the most important tasks facing this
committee, and I am eager to hear from our witnesses today. And
I want to thank you all for being resources.
[The prepared statement of Mr. Boehlert follows:]
Prepared Statement of Chairman Sherwood Boehlert
I want to welcome everyone to today's hearing, which concerns one
of the most critical recommendations of the Columbia Accident
Investigation Board (CAIB).
The CAIB was clear and on-target in citing organizational
deficiencies as a leading cause of the Columbia accident. It was also
clear and on-target in calling for the establishment of a new
Independent Technical Engineering Authority and of a truly independent
safety organization.
In both its conclusions and its recommendations on organization,
the CAIB was, unfortunately, able to follow a well-worn path. The
Rogers Commission and the Shuttle Independent Assessment Team, among
others, had made similar recommendations. They all apparently fell on
deaf ears. That must not be allowed to happen again.
NASA Administrator Sean O'Keefe is to be applauded for deciding
that the re-organization of NASA should occur before return-to-flight,
setting a more ambitious schedule than that called for by the CAIB. He
should also be congratulated for recognizing NASA's organizational
deficiencies before the Columbia accident, which led him to initiate
the so-called ``bench-marking studies'' comparing NASA with the Navy.
But, of course, undertaking the right studies and setting the right
schedule is not enough. NASA must actually come up with the right
reorganization plan and make sure that it is taken to heart.
The CAIB did not dictate exactly how NASA should carry out its
recommendations, so NASA is now in the process of drawing up its plans,
and this committee will have to review those plans with a fine-tooth
comb.
The purpose of today's hearing is to help give us the background to
do just that. We will hear from organizations that the CAIB cited as
possible models for NASA to follow and from an industrial leader in
safety. Obviously, there are differences among these models, and any
one of them would have to be adapted to apply to NASA. But they all
highlight characteristics of high-reliability organizations that NASA
has been lacking. We will learn from Admiral Gehman precisely why and
how the Navy and Air Force safety programs can be seen as models for
NASA.
I have no doubt that this committee will have ample opportunity
over the next year or so to put to use the information we gather today.
As I noted earlier, NASA is just in the initial stages of putting
together an organization plan, and I have complete confidence that
Administrator O'Keefe has taken the CAIB recommendations to heart.
But that said, I must note that I believe the initial organization
ideas being circulated by NASA fall significantly short of the mark. We
look forward to working with NASA as it continues to rework its plans.
Today's hearing, though, is not on any specific proposal. Rather,
our goal today is to learn what has worked elsewhere and why, and to
start thinking how the experience of others could be put to work to
help NASA.
This is one of the most important tasks facing this committee, and
I am eager to hear from our witnesses today.
Chairman Boehlert. The gentleman from Texas, Mr. Hall.
Mr. Hall. Thank you, Mr. Chairman. I certainly join you in
welcoming the panel and Admiral Bowman and Admiral Sullivan,
Mr. Johnson, and Ms. Grubbe. And Admiral Gehman is to be here.
I think he has a conflict right now, but he is to join us. We
look forward to his input and his backing up the testimony that
we are going to be hearing here and to thank him again for an
excellent job that he did at a time when we really needed an
excellent job to be done.
As we continue to address the recommendations of the panel,
we now come to absolutely the most important part of it. We
have talked about organizational items, and we were organized
then, but we just weren't organized properly. And we need
organizational changes now. And that has got to be the thrust.
The Columbia Accident Investigation Board, the CAIB, report
devotes an entire chapter to the organizational causes of the
accident. And in it, the CAIB makes three specific
recommendations, and those are based on the CAIB's
investigation of organizations that have had success in setting
up and maintaining highly regarded safety procedures. They have
had some experience and they know what they are doing. They
know what they are recommending.
So three of the organizations represented by our witnesses
here are specifically named by CAIB as examples of
organizations, and I quote, ``highly adept in dealing with
inordinately high risk by designing hardware and management
systems that prevent seemingly inconsequential failure from
leading to major disasters.'' And you almost have to read that
and read it again to really get the full impact of it. But we
want to hear from each of you about the characteristics of your
approaches to safety that you think are important for NASA to
adopt.
However, setting up the right organizational structure is
only part of the job. Ensuring that the organization carries
through on safe practices is equally important. That is where
independent oversight can play a valuable role, and that is why
the Chairman emphasizes independence, independence,
independence. After the Apollo fire in 1968, Congress set up
the Aerospace Safety Advisory Panel, ASAP, to provide that
function for the agency. And in recent years, it has become
apparent that NASA had not followed through on a number of the
ASAP's constructive recommendations. As many of you know, the
entire membership of ASAP resigned last month. And that is
highly irregular. I can't even remember such an action ever
occurring. I think we need to find out why they resigned and
what we need to do to address their concerns.
One of the ASAP's recommendations concerned the need for a
crew escape system for the Shuttle. And I think ASAP was
exactly right on that. I would also note that the appendices to
the CAIB report that were released this week make it clear that
we can and we should be doing more to ensure crew survivability
on the Shuttle. I don't understand why we can't. I am going to
press--continue to press for NASA action on a crew escape
system if the Shuttle is going to be flying for many more
years. If it is going to be flying for another year, I want us
to be underway at doing it. I would hate to have a tragedy at
the end of this year and not have already launched a method for
them to escape whether we are able to get that in place. It is
just like Reagan's star wars. I don't think Russia ever knew if
we had one in place or not, but I think it helped that we were
on our way there. And the fact that we were working toward it
gave us a lot electronically and even nationally defense-wise.
And it was worthwhile. It was worth what we spent for it.
So I--and I have another concern. Admiral Gehman has made
the point in recent months that he is concerned about NASA not
following through on the CAIB recommendations once the Shuttle
returns to flight. I also share his concern. I think an
independent group is needed to monitor NASA's implementation of
the CAIB recommendations. One potential approach is contained
in H.R. 3219, a bill I recently introduced that directs the
NASA Administrator to work with the National Academies of
Science and Engineering to establish such an independent
oversight committee. It would report yearly to Congress for
five years following the launch of the next Shuttle. As I have
said, it is one potential approach. It is not the only one.
There may be others. There may be a better way to go about
ensuring continuing, independent oversight of NASA's Shuttle
program. And I am open to suggestions. But I think we need to
take action. I introduced that to get something kicked off, to
get it going in the right direction. And if anybody can pick a
better direction or a faster direction or a safer direction,
then I am certainly interested in looking at. I--but I don't
want CAIB's recommendations to wind up being ignored.
Well, I won't take any more time, Mr. Chairman, to discuss
these issues. I know we all want to hear from the witnesses,
very valuable witnesses, and people that are givers and not
takers. You have had to prepare yourself to come here. You had
to prepare yourself to know what you know and to do what you
have done and then to share it with us. I appreciate it, and I
know the Chair and this committee does.
And I yield back my time.
[The prepared statement of Mr. Hall follows:]
Prepared Statement of Representative Ralph M. Hall
Good morning. I want to join the Chairman in welcoming Admiral
Bowman, Admiral Sullivan, Mr. Johnson, and Ms. Grubbe to our hearing.
Admiral Gehman, welcome back to our committee. We again look forward to
your comments.
As we continue to address the recommendations of the Gehman Panel,
we now come to one of the most important areas--organizational changes.
The Columbia Accident Investigation Board (CAIB) report devotes an
entire chapter to the organizational causes of the accident. In it, the
CAIB makes three specific recommendations. Those recommendations are
based on the CAIB's investigation of organizations that have had
success in setting up and maintaining highly regarded safety
procedures.
Three of the organizations represented by our witnesses are
specifically named by the CAIB as examples of organizations ``highly
adept in dealing with inordinately high risk by designing hardware and
management systems that prevent seemingly inconsequential failure from
leading to major disasters.'' We want to hear from each of you about
the characteristics of your approaches to safety that you think are
important for NASA to adopt.
However, setting up the right organizational structure is only part
of the job. Ensuring that the organization carries through on safe
practices is equally important. That's where independent oversight can
play a valuable role. After the Apollo fire in 1968, Congress set up
the Aerospace Safety Advisory Panel (ASAP) to provide that function for
the agency. In recent years, it has become apparent that NASA has not
followed through on a number of the ASAP's constructive
recommendations. As many of you know, the entire membership of the ASAP
resigned last month. I can't ever remember such an action occurring,
and I think we need to find out why they resigned and what we need to
do to address their concerns.
One of the ASAP's recommendations concerned the need for a crew
escape system for the Shuttle. I think the ASAP was right. I'd also
note that the appendices to the CAIB report that were released this
week make it clear that we can and should be doing more to ensure crew
survivability on the Shuttle. I'm going to continue to press for NASA
action on a crew escape system if the Shuttle is going to be flying for
many more years.
I have another concern. Admiral Gehman has made the point in recent
months that he is concerned about NASA not following through on the
CAIB recommendations once the Shuttle returns to flight. I share his
concern. I think an independent group is needed to monitor NASA's
implementation of the CAIB recommendations. One potential approach is
contained in H.R. 3219, a bill I recently introduced that directs the
NASA Administrator to work with the National Academies of Sciences and
Engineering to establish such an independent oversight committee. It
would report yearly to Congress for five years following the launch of
the next shuttle. As I said, it is one potential approach. There may be
other ways to go about ensuring continuing, independent oversight of
NASA's Shuttle program, and I am open to suggestions. But I think we
need to take action soon so that the CAIB's recommendations don't wind
up getting ignored.
Well, I will not take any more time to discuss these issues in my
opening statement. I know we all want to hear from the witnesses, and I
will continue this discussion during the question period.
I look forward to your testimony, and I yield back the balance of
my time.
Chairman Boehlert. Thank you very much, Mr. Hall.
The gentleman from Tennessee, Mr. Gordon.
Mr. Gordon. Thank you, Mr. Chairman. I think that you sent
us in a good direction with your earlier remarks, so I will be
brief here. I want to also welcome the witnesses. It is my
understanding that Admiral Gehman is on his way over from the
Senate. And again, I want to thank him for his willingness to
appear before the Committee again.
The Columbia Accident Investigation Board, which he
chaired, raised a number of serious issues about the way NASA
addressed safety in the Shuttle program. The Board came to the
conclusion that should be of concern to all Members, namely,
and I quote, ``We are convinced that the management practices
overseeing the Space Shuttle program were as much a cause of
the accident as the foam that struck the left wing.'' To its
credit, the Board did not simply highlight the problem. It also
tried to offer some suggestions on how NASA might address the
management issue.
Today, we are going to hear from some non-NASA
organizations that the Board thinks may have some lessons
learned for NASA. I look forward to their testimony. In
particular, I hope that we can--or that they can offer the
Committee some benchmarks by which we can judge NASA's
responses to the Board's organizational recommendations.
Beyond that, Mr. Chairman, I hope that this hearing will be
just a starting point for our examination of these issues. I
hope that we will look at additional models of safety and
organizations for insights that they might offer. For example,
I think that we should look at how NASA and DOD handled
experimental flight testing programs at the Dryden Research
Center and Edwards Air Force Base.
I also think that it might be worth taking a look--a closer
look at the Russian human space flight program. As I understand
it, the Russians haven't had a space flight fatality since
1971, or more than 30 years ago. We might also benefit from the
examination of how NASA handled safety in the earlier years,
that is during the Apollo moon-landing program. Apollo was an
extremely challenging program that may have lessons for us to
learn today, also.
And finally, I want to support Mr. Hall's concerns and
comments. I was also very concerned about the mass resignation
of the Aerospace Safety Panel. ASAP members, I think we need to
hear from them and hear more about why they resigned and what
they feel like is necessary for their independence.
So there is a lot to cover today, and once again, thank
you, Mr. Chairman, for bringing us together for this important
meeting and I am glad the witnesses are giving their time
today.
Chairman Boehlert. Thank you very much, Mr. Gordon and Mr.
Hall.
[The prepared statement of Mr. Rohrabacher follows:]
Prepared Statement of Representative Dana Rohrabacher
Mr. Chairman, your leadership has enabled this committee to
carefully deliberate on the root causes that contributed to the
Columbia Space Shuttle accident and critical issues surrounding the
future of our civil space program in the wake of this tragedy.
Admiral Gehman and his colleagues found that overconfidence and an
overly bureaucratic nature dominated NASA's historical decision-making
of Shuttle Program managers. Although NASA claims it has made safety a
high priority within the Space Shuttle Program, ``blind spots''
inherent in its culture impeded its ability to detect risks posed by
something as simple as form.
NASA must get its house in order before it attempts to meet the
challenge of space exploration. Our witnesses will provide us insight
on how their organizations apply best practices for reducing the
likelihood of accidents. Let's hope that what we learn today is useful
for getting NASA on the path of recovery tomorrow.
Thank you Mr. Chairman.
[The prepared statement of Mr. Costello follows:]
Prepared Statement of Representative Jerry F. Costello
Good morning. I want to thank the witnesses for appearing before
our committee to discuss the organizational and management issues
confronting NASA in the aftermath of the Space Shuttle Columbia
accident. Today's hearing serves has an opportunity for Congress to
gain a better understanding of the Columbia Accident Investigation
Board (CAIB) recommendations and the successful safety programs of the
organizations represented at this hearing so as to have an informed
basis for judging whether NASA is in compliance with the CAIB
recommendations.
I have been concerned with the Safety and Health regulation
structure used by the DOE civilian labs. My colleague, Congressman Ken
Calvert, has worked with me to introduce a bill ending DOE's self-
regulation and opening the civilian labs up to regulation by OSHA and
the NRC. The Jet Propulsion Laboratory (JPL) has been drawn into this
discussion inadvertently due to its inclusion in the DOE 2002 Best
Practices Study. That report, coupled with reviews done by the General
Accounting Office, draws attention to the relative efficiency of JPL's
management processes and provides a snapshot for what we would like to
see at the civilian labs.
The same can be said about the Naval Nuclear Propulsion Program,
the SUBSAFE program, and Aerospace Corporation in relation to NASA and
evaluating best safety practices. You each represent organizations that
have been identified as leaders in safety. The CAIB report recommends
that NASA establish an independent Technical Engineering Authority that
is responsible for all technical requirements and waivers to them.
Further, the CAIB's fundamental goal in establishing this independent
body is to separate the responsibility for safety from the Shuttle's
program responsibility for cost and schedule.
I am interested to know if each of your organizations has an
independent technical engineering authority or something similar and
how it is independent from other elements of the organization, funded
and staffed. Further, I am interested to know from Admiral Gehman how
he and CAIB view the role of the Shuttle program manager in light of
the CAIB recommendations.
I welcome our panel of witnesses and look forward to their
testimony.
[The prepared statement of Ms. Johnson follows:]
Prepared Statement of Representative Eddie Bernice Johnson
Thank you, Mr. Chairman. I would like to thank you for calling this
hearing today, and I would also like to thank our witnesses for
agreeing to appear here today to answer our questions.
Today we are here to discuss issues concerning organization and
management at the National Aeronautics and Space Administration (NASA).
At the end of the past summer, the final report of the Columbia
Accident Investigation Board (CAIB) was released. While much of it
focused on the technical causes, there was also a substantial emphasis
on poor decisions and other organizational issues that may have led to
the accident. Included in this report are communications about how
repeated foam strikes on the Shuttle became damaged, as well as
communications and decision-making issues among engineers and managers
while the Shuttle was in orbit. These types of mistakes are entirely
too costly.
We are now seeing the warning signs that show that NASA is an
agency in trouble. The Columbia Accident Investigation Board sharply
criticized NASA's safety and management procedures. With problems
escalating rather than abating, NASA still seems ready to put the
mission ahead of an abundance of caution. What could be the disastrous
affects if the Space Station is not being properly maintained and
supplied, increasing the risk to its crew? In this environment, if
senior safety officials cannot halt the launch of a replacement crew to
a deteriorating Space Station, who at NASA can and would abort a
dangerous mission?
We must put forth a more concerted effort to protect the safety of
our astronauts.
It was over 40 years ago that this nation's leaders in human space
travel were given the foresight to recognize the importance of space
exploration. It is my hope that NASA will continue this exploration,
with the intent of making safety first in all of their endeavors.
[The prepared statement of Ms. Jackson Lee follows:]
Prepared Statement of Representative Sheila Jackson Lee
Mr. Chairman,
Thank you for calling yet another critical hearing in this series
to ensure that we in Congress are doing all we can do to help NASA get
back on track to fulfilling its vital mission in Space. I have been
pleased by the bipartisan spirit here and in the Space Subcommittee
since February, when we lost the Shuttle Columbia and her brave crew.
Fulfilling the call of the Gehman Board and changing the culture at
NASA will take hard work, creativity, and good ideas from both sides of
the aisle.
But we do not need to re-invent the wheel. As was stated in the
Columbia Accident Investigation Board Report, there are several
excellent models of organizations that work in high-risk areas, and
still maintain solid safety records. I thank the representatives from
those groups for joining us today, to enlighten us on the management
practices they use to ensure that safety is not an afterthought, but a
top priority.
Working together, I hope we can draw from their experiences and
craft policies for NASA that will ensure that Shuttles and the Space
Station, as well as the spaceships of the future, are robust and
reliable.
I am especially interested in their opinions on the role of
whistleblower protections and retaliation prevention in promoting open
dialogue and safety. After the Columbia Disaster, it was painful to
hear from the CAIB that there were people at NASA--and not just some
interns with naive notions--but experienced engineers, who had
recognized the dangers, and tried to take prudent steps to get images
that may have averted disaster. Those experts were ignored. That is
truly painful to think about. The report gave great insight into the
broken culture of safety at NASA that impeded the flow of critical
information from engineers up to program managers. I quote: ``Further,
when asked by investigators why they were not more vocal about their
concerns, Debris Assessment Team members opined that by raising
contrary points of view about Shuttle mission safety, they would be
singled out for possible ridicule by their peers.''
That reaffirms to me that strong whistleblower protections do not
just protect workers. They protect lines of communication and dialogue
that prevent waste, fraud, and abuse, and, in this case, might have
saved lives. I have been working with union representatives to develop
a pathway within NASA, through which workers with serious concerns
about the safety of a mission or the survivability of crew can go to
express their opinions. That body will make sure that due attention is
given to their concerns. After that, the same office will be charged
with following the employee that came to them over time, to ensure that
they are not harassed or retaliated against in any way.
Workers that think critically and act responsibly should be
rewarded, not punished. Protecting such workers will send a signal to
all workers that safety must always come before speed. I would like to
hear the panelists' opinions of this approach.
I am also interested in their opinions of what proportion of their
budgets are dedicated to safety and quality assurance. Budgets are
tight these days, and many important programs are being cut. However,
if we are going to continue our mission in space--as I believe we
must--we need to spend the appropriate funds to protect our investments
and our astronauts. How much will that cost?
I am also pleased to see Admiral Gehman here again to share his
expertise and insights with us. I would like to continue the dialogue
we started last month, exploring how we can ensure that the lessons we
learn about how to make the Shuttle safer also carry over to the Space
Station and other NASA programs. Recent revelations that the new Space
Station crew was sent up against the will of senior medical personnel
were disturbing. It was even more disturbing to hear that the internal
debates about hazards to the crew did not percolate up to the
Administrator until a couple of days before flight--and never made it
to us in Congress. I hope it is not business-as-usual at NASA. I would
like to hear the Admiral's ideas on this matter.
I look forward to the discussion. Thank you.
Panel I
Chairman Boehlert. Let us get right to our panel.
The panel consists of: Admiral F.L. ``Skip'' Bowman,
Director, Naval Nuclear Propulsion Program; Rear Admiral Paul
E. Sullivan, Deputy Commander, Ship Design, Integration and
Engineering, Naval Sea Systems Command; Ray F. Johnson, Vice
President, Space Launch Operations, The Aerospace Corporation;
and Ms. Deborah Grubbe, Corporate Director, Safety and Health,
DuPont. Thank you all for your willingness to serve as
resources for this committee. And as you will discover, we are
going to listen in wrapped attention, because what you have to
say is very important to us and--as we go about our very
important work. And I would ask that you try to summarize your
statement. The Chair is not going to be arbitrary. What you
have to say is too darn important to confine it to 300 seconds,
but that would be sort of a benchmark of five minutes or so, so
that we will have ample time for a dialogue and an exchange so
that we can learn. Thank you very much.
Admiral Bowman, you are first up.
STATEMENT OF ADMIRAL F.L. ``SKIP'' BOWMAN, DIRECTOR, NAVAL
NUCLEAR PROPULSION PROGRAM, U.S. NAVY
Admiral Bowman. Mr. Chairman, Mr. Hall, Members of the
Committee, thank you very much for the opportunity to testify
today on the culture of safety that has allowed Naval Reactors
to be successful for the last 55 years.
First, let me say that I wish the circumstances that
brought me here were different. I am sure it is true with you,
also. Obviously, the underlying reason I am here involves your
oversight of NASA in the aftermath of the Space Shuttle
Columbia tragedy.
I want to begin, then, by extending my sympathy to all of
the families, colleagues, and friends of the Columbia crew. I
must also tell you that although there has been, and continues
to be, much public discussion of the tragedy, why it happened
and what changes NASA should pursue, I do not know firsthand
the details surrounding the accident nor am I an expert on
spacecraft or the NASA organization. I am therefore not
qualified to make judgments about the causes of the tragedy or
to even suggest changes that NASA may implement to prevent our
nation from suffering another terrible loss. However, I have
studied, very carefully, the final report of the Columbia
Accident Investigation Board, and I believe, therefore, that
you might draw some useful thoughts from my testimony today.
I am often asked, Mr. Chairman, how it is that Naval
Reactors has been able to maintain its impeccable safety record
for these 55 years. Just last week, I participated in a
conference that asked these same questions, commemorating the
50th anniversary of President Eisenhower's ``Atoms for Peace''
speech, which partially addressed these very questions that I
will address today. And many of the things that I have said
then are applicable today.
Since Admiral Hyman Rickover began the Naval Reactors
Program in 1948, we have insisted that the only way to operate
our nuclear power plants, the only way to ensure safe operation
generation after generation, is to embrace a system that
ingrains in each operator a total commitment to safety, a
pervasive, enduring devotions to a culture of safety and
environmental stewardship.
To ensure the Program's success, as our record of safety
clearly demonstrates, Admiral Rickover established these core
values, which endure today. First, technical excellence and
technical competence are absolutely required in our work.
Because things do happen, especially at sea, we rely on a
multi-layered defense against off-normal events. Our reactor
designs and operating procedures are uncomplicated and
conservative, and we build in redundancy. Next, we still, and
always will, select the very best people we can find with the
highest integrity and professional competence; then we
rigorously train them and continually challenge them. Third, we
require formality and discipline, and we insist on forceful
backup from the very youngest sailor on board all of the way up
through to the commanding officer. And fourth, every level of
the Program must accept inescapable, cradle-to-grave
responsibility for every aspect of nuclear power operations.
These core values, among others, are what define our
organizational culture. They are visible in everything we do
and have done for the last 55 years.
Today, in my eighth year as Admiral Rickover's successor,
the fourth director of Naval Reactors, I oversee the operation
of 103 naval reactors, equaling the number of commercial
reactors in this country. These reactors, powering U.S. Navy
ships, are welcomed in more than 150 ports and more than 50
countries around the world.
That welcome access is primarily due to our safety record.
Safety is embedded in our organization in every individual at
every level. Put another way, we use the word ``mainstreamed.''
Safety is mainstreamed. It is not a responsibility unique to a
segregated safety department that then attempts to impose its
oversight on the rest of the organization. Each individual is
completely responsible for his or her component, his or her
system, from cradle to grave and this drives two other vital
aspects of the way we do business.
First, when solving a problem, we determine the range of
technically acceptable answers first. Then we find out how to
fit one of those solutions into our other constraints,
specifically cost and schedule, without imposing any undue risk
and without challenging the safety aspects of the technically
acceptable answers. If we need more time or more money, we
simply ask for it. Although we pride ourselves as stewards of
the Government's resources, we don't let funding or schedules
outweigh sound technical judgment.
Second, the decision-making process occasionally brings out
dissenting or minority opinions. When this occurs, my staff
presents the facts from both sides of the issues to me
directly. Before a final decision is made, every opinion is
aired. There is never any fear of reprisal for not agreeing
with the proposed recommendation; rather, if there is not a
minority opinion, I ask why not and solicit that minority
opinion, treat it with the same weight as the consensus view.
If I determine that there is enough information to make a
decision, then I make a decision. If more data are needed, then
we get more data.
In the aftermath of Three Mile Island, the accident in
1979, Admiral Rickover was asked to testify before Congress in
a context very similar to my appearance here today. In his
testimony, he said the following: ``Over the years, many people
have asked me how I run the Naval Reactors Program so that they
might find some benefit for their own work. I am always
chagrined at the tendency of people to expect that I have a
simple, easy gimmick that makes my program function. Any
successful program functions as an integrated whole of many
factors. Trying to select just one aspect as the key one will
not work. Each element depends on all of the others.''
I wholeheartedly agree with what Admiral Rickover said
those years ago. As I said earlier, there is no magic formula.
Safety must be in the mainstream.
Mr. Chairman, with your permission, I will submit a copy of
my written testimony along with Admiral Rickover's 1979
testimony for the record. This testimony is very relevant,
because it describes many of the same attributes and core
values that I have discussed today, demonstrating that in fact
these key elements of Naval Reactors are timeless and enduring.
That testimony also details the continual training program for
the nuclear-trained Fleet operators. I have taken the
opportunity to update the statistics on the first four pages of
Admiral Rickover's testimony to put them in perspective for
today's real numbers. Also, with your permission, I will submit
a copy of the Program's annual environmental, occupational
radiation exposure, and occupational safety and health reports
for the Committee's perusal.
Our basic organization responsibilities, and, most
importantly, our core values have remained largely unchanged
since Admiral Rickover founded Naval Reactors. These core
values that I have discussed today are the foundation that have
allowed our nuclear-powered ships to safely steam more than 128
million miles, equivalent to over 5,000 trips around the Earth,
without a reactor accident, indeed, with no measurable negative
impact on the environment or human health.
Thank you very much for allowing me to testify today.
[The prepared statement of Admiral Bowman follows:]
Prepared Statement of Admiral F.L. ``Skip'' Bowman
Mr. Chairman and Members of this committee, thank you for giving me
the opportunity to testify today on the subject of the culture of
safety that has allowed Naval Reactors to be successful for the last 55
years.
But first, let me say that that I wish the circumstances that
brought me here were different. Obviously, the underlying reason I'm
here involves your oversight of NASA in the aftermath of the Space
Shuttle Columbia tragedy. I want to begin, then, by extending my
sympathy to all the families, colleagues, and friends of the Columbia
crew. I must also tell you that although there has been and continues
to be much public discussion of the tragedy--why it happened, what
changes NASA should pursue, and others--I do not know first-hand the
details surrounding the accident, nor am I an expert on spacecraft or
the NASA organization. I therefore am not qualified to make judgments
about the causes of the tragedy or to suggest changes that NASA may
implement to prevent our nation from suffering another terrible loss.
However, having studied the final report of the Columbia Accident
Investigation Board, I believe you may draw some useful conclusions
from my testimony.
My area of expertise is the Naval Reactors Program (NR), so it's
better for me to talk about that. Admiral Hyman G. Rickover set up NR
in 1948 to develop nuclear propulsion for naval warships. Nuclear
propulsion is vital to the Navy today for the reasons Admiral Rickover
envisioned 55 years ago: it gives our warships high speed, virtually
unlimited endurance, worldwide mobility, and unmatched operational
flexibility. When applied to our submarines, nuclear propulsion also
enables the persistent stealth that allows these warships to operate
undetected for long periods in hostile waters, exercising their full
range of capabilities.
In 1982, after almost 34 years as the Director of Naval Reactors,
Admiral Rickover retired. Recognizing the importance of preserving the
authority and responsibilities Admiral Rickover had established,
President Reagan signed Executive Order 12344. The provisions of the
executive order were later set forth in Public Laws 98-525 [1984] and
106-65 [1999]. The executive order and laws require that the Director,
Naval Reactors, hold positions of decision-making authority within both
the Navy and the Department of Energy (DOE). Because continuity and
stature are vital, the director has the rank of four-star admiral
within the Navy and Deputy Administrator within the Department of
Energy's National Nuclear Security Administration and a tenure of eight
years.
Through the Executive Order and these laws, the director has
responsibility for all aspects of naval nuclear propulsion,
specifically:
Direct supervision of our single-purpose DOE
laboratories, the Expended Core Facility, and our training
reactors.
Research, development, design, acquisition,
procurement, specification, construction, inspection,
installation, certification, testing, overhaul, refueling,
operating practices and procedures, maintenance, supply
support, and ultimate disposition of naval nuclear propulsion
plants and components, plus any related special maintenance and
service facilities.
Training (including that which is conducted at the
DOE training reactors), assistance and concurrence in the
selection, training, qualification, and assignment of personnel
reporting to the director and of personnel who supervise,
operate, or maintain naval nuclear propulsion plants.
Administration of the Naval Nuclear Propulsion
Program, including oversight of Program support in areas such
as security, nuclear safeguards and transportation, public
information, procurement, logistics, and fiscal management.
And finally, perhaps most relevant to this committee,
I am responsible for the safety of the reactors and associated
naval nuclear propulsion plants, and control of radiation and
radioactivity associated with naval nuclear propulsion
activities, including prescribing and enforcing standards and
regulations for these areas as they affect the environment and
the safety and health of workers, operators, and the general
public.
For more than seven years, I have been the director, the third
successor to Admiral Rickover. I am responsible for the safe operation
of 103 nuclear reactors--the same number as there are commercial
nuclear power reactors in the U.S. Roughly 40 percent of the Navy's
major combatants are nuclear powered, including 10 of its 12 aircraft
carriers plus 54 attack submarines, 16 ballistic missile submarines,
and two former ballistic missile submarines being converted to SSGNs
(guided missile submarines). Also included in these 103 reactors are
four training reactors and the NR-1, a deep submersible research
submarine. The contribution these ships and their crews make to the
national defense and, more recently, to the Global War on Terrorism is
remarkable. And the Program's safety record speaks for itself: these
warships have steamed over 128 million miles since 1953 and are
welcomed in over 150 ports of call in over 50 countries around the
world.
Safety is the responsibility of everyone at every level in the
organization. Safety is embedded across all organizations in the
Program, from equipment suppliers, contractors, laboratories,
shipyards, training facilities, and the Fleet to our Headquarters. Put
another way, safety is mainstreamed. It is not a responsibility unique
to a segregated safety department that then attempts to impose its
oversight on the rest of the organization.
To clarify what I mean by mainstreaming, let me tell you a story
from my days as Chief of Naval Personnel. I was speaking to a large
gathering of Army, Navy, Air Force, and Marine Corps military and
civilian personnel at the Defense Equal Opportunity Management
Institute. I startled the group by beginning with the phrase, ``I'm
here to tell you about plans to put you out of your jobs in a few
years!'' I explained that a worthwhile goal would be to have an
organization that didn't need specialists to monitor, enforce, and
remind line management to do what's right. That's mainstreaming.
Our record of safety is the result of our making safety part of
everything we do, day to day, not a magic formula. To achieve this
organizational culture of safety in the mainstream, Admiral Rickover
established certain core values in Naval Reactors that remain very
visible today. I will discuss four of them: People, Formality and
Discipline, Technical Excellence and Competence, and Responsibility.
PEOPLE
Admiral Rickover has been rightly credited with being an
outstanding engineer and a gifted manager of technical matters. His
other genius lay in finding and developing the right people to do
extremely demanding jobs.
At NR, we still, and we always will, select the best people we can
find, with the highest integrity and the willingness to accept complete
responsibility over every aspect of nuclear-power operations. Admiral
Rickover personally selected every member of his Headquarters staff and
every naval officer accepted into the Program. This practice is still
in place today, and I conduct these interviews and make the final
decision myself.
It doesn't end there. After we hire the best men and women, the
training they need to be successful begins immediately. All members of
my technical staff undergo an indoctrination course that occupies their
first several months at Headquarters. Next, they spend two weeks at one
of our training reactors, learning about the operation of the reactor
and the training our Fleet sailors are undergoing. This is experience
with an actual, operating reactor plant, not a simulation or a
PowerPoint presentation--and it is an important experience. It gives
them an understanding that the work they do affects the lives of the
sailors directly, while they perform the Navy's vital national defense
role. This helps reinforce the tenet that the components and systems we
provide must perform when needed.
Shortly after they return from the training reactor, they spend six
months at one of our DOE laboratories for an intensive, graduate-level
course in nuclear engineering. Once that course is complete, they spend
three weeks at a nuclear-capable shipyard, observing production work
and work controls. Finally, they return to Headquarters and are
assigned to work in one of our various technical jobs. During the next
six months, they attend a series of seminars, covering broad technical
and regulatory matters, led by the most experienced members of my
staff.
At Headquarters, there is a continued emphasis on professional
development as we typically provide training courses that are open to
the entire staff each month on various topics, technical and non-
technical. In particular, we have many training sessions on lessons
we've learned--trying to learn from mistakes that we, or others, have
made in order to prevent similar mistakes from recurring.
Throughout their careers, the members of my staff are continually
exposed to the end product, spending time on the waterfront, at the
shipyards, in the laboratories, at the vendor sites, or interacting
directly with the Fleet. My staff audits nuclear shipyards, vendors,
training facilities, laboratories, and the ships to validate that our
expectations are met. In addition, we receive constant feedback from
the Fleet by several means. When a nuclear-powered ship returns from
deployment, my staff and I are briefed on the missions the ship
performed and any significant issues concerning the propulsion plant.
Additionally, I have a small cadre of Fleet-experienced, nuclear-
trained officers at Headquarters who, like me, bring operational
expertise and perspective to the table.
My Headquarters staff is very small, comprised of about 380 people,
including administrative and support personnel. We are also an
extremely ``flat'' organization. About 50 individuals report directly
to me, including my Headquarters section heads, plus field
representatives at shipyards, major Program vendors, and the
laboratories. Included in this is a small section of people responsible
for Reactor Plant Safety Analysis. In an organization where safety is
truly mainstreamed, one might ask why we have a section for Reactor
Plant Safety Analysis. Here's why: they provide most of the liaison
with other safety organizations (such as the NRC) to help ensure we are
using best practices and to champion the use of those practices within
my staff. They also maintain the documentation of procedures and upkeep
of the modeling codes used in our safety analysis. Last, they provide
one last layer that our mainstreamed safety practices are in fact
working the way they should--an independent verification that we are
not ``normalizing'' threats to safety. Thus, they are full-time safety
experts who provide our corporate memory of what were past problems,
what we have to do to maintain a consistent safety approach across all
projects, and what we need to follow in civilian reactor safety
practices.
Nearly all my Headquarters staff came to Naval Reactors right out
of college. A great many of them spend their entire careers in the
Program. For example, my section heads, the senior managers who report
directly to me, have an average of more than 25 years of Program
experience. It is therefore not uncommon that a junior engineer working
on the design of a component in a new reactor plant system will be
responsible several years later for that same system during its service
life.
Even though the focus of my testimony is on my Headquarters staff,
I should also point out the importance of the Navy crews who operate
our nuclear-powered warships. Again, I personally select the best
people I can find and then train them constantly, giving them
increasing challenges and responsibilities throughout their careers. My
Headquarters staff and I oversee this training directly.
FORMALITY AND DISCIPLINE
Engineering for the long haul demands that decisions be made in a
formal and disciplined manner. By ``the long haul,'' I mean the cradle-
to-grave life of a project, and even an individual reactor plant.
Before a new class of ships (which may be in service for more than 50
years) is even put into service, we typically have already determined
how we will perform maintenance--and refueling, if needed--and have
considered eventual decommissioning and disposal of that ship. In the
long life of a project, all requests and recommendations are received
as formal correspondence. Resolution of issues is documented, as well.
Whether we are approving a minor change to one of our technical manuals
or resolving a major Fleet issue, the resolution will be clearly
documented in formal correspondence.
That correspondence must have the documented concurrence of all
parties within the Headquarters that have a stake in the matter. There
are formal systems in place to track open commitments and agreements or
dissents with proposed actions. I receive a copy of every recommended
action prior to issue, a practice initiated by Admiral Rickover in July
1949; in fact, these recommendations are frequently discussed in detail
and, when necessary, ``cleared'' with me prior to issue.
The 50 individuals who report directly to me inform me regularly
and routinely of issues in their area of responsibility. In addition,
commanding officers of nuclear-powered warships are required to report
to me routinely on matters pertaining to the propulsion plant.
This organizational ``flatness'' streamlines the flow of
information in both directions--allowing me to ensure that the guidance
I provide reaches everyone, while ensuring that my senior leaders and I
receive timely information vital to making the right decisions.
In our ships and at our training reactors, we require formality and
discipline. Detailed written procedures are in place for all aspects of
operation. These procedures are based on over 50 years of ship
operational experience, and they are followed to the letter, with what
we call verbatim--but not blind--compliance. Independent auditing,
coupled with critical self-assessments at all levels and activities, is
virtually continuous to ensure that crews are trained and procedures
are followed properly. We insist on forceful backup, from young sailor
to commanding officer. We also insist that the only way to operate our
nuclear power plants--the only way to ensure safe operation, generation
after generation--is to embrace a system that ingrains in each operator
a total commitment to safety: a pervasive, enduring commitment to a
culture of safety and environmental stewardship.
TECHNICAL EXCELLENCE AND COMPETENCE
Technical excellence and competence are required in our work.
Nearly all of my managers are technical people with either an
engineering or science background. My job requires me to be qualified
by reason of technical background and experience in naval nuclear
propulsion. I am a qualified, nuclear-trained naval officer, having
previously served in many operational billets, including commanding
officer of a submarine and of a submarine tender that maintains nuclear
ships. It is crucial that the people making decisions understand the
technology they are managing and the consequences of their decisions.
It is also important that much of the technical expertise reside within
the Government organization that oversees the contractor work. This
enables the Government to be a highly informed and demanding customer
of contractor technology and services.
An important part of our technical effort is working on small
problems to prevent bigger problems from occurring. The way we do this
is to ask the hard questions on every issue: What are the facts? How do
you know? Who is responsible? Who else knows about the issue and what
are they doing about it? What other ships and places could be affected?
What is the plan? When will it be done? Is this within our design,
test, and operational experience? What are the expected outcomes? What
is the worst that could happen? What are the dissenting opinions? When
dealing with an issue that seems minor, these and other questions like
them not only lead us to solving the current problem before it gets
worse, but also help us prevent future problems.
As we look at the many potential solutions to a given problem, we
determine the range of technically acceptable answers first. Then we
find out how to fit one of those solutions into our other constraints,
specifically cost and schedule, without imposing any undue risk. If we
need more time or more money, we ask for it. Although we pride
ourselves as stewards of the Government's resources, we do not let
funding or schedule concerns outweigh sound technical judgment.
Occasionally, the decision-making process brings out dissenting
opinions. When this occurs, my staff presents the facts from both sides
of the issue to me directly. Before a final decision is made, every
opinion is aired. There is never any fear of reprisal for not agreeing
with the proposed recommendation; rather, we solicit and welcome the
minority opinion and treat it with the same weight as the consensus
view. If I determine there is enough information to make a decision, I
decide. If more data are needed, we get more.
Because things do happen--especially at sea--we rely on a multi-
layered defense against off-normal events. Our reactor designs and
operating procedures are simple and conservative, and we build in
redundancy to compensate for the risks involved and the operational
environment. (For example, the pressurized water reactors are self-
regulating: the reactor is designed to protect itself during normal
operations or casualty situations.) The systems and components are
rugged--they must be to withstand battle shock and still perform. In
certain key systems, there are redundant components so that if one is
unable to function, the other can take over.
RESPONSIBILITY
Admiral Rickover realized the importance of having total
responsibility. He once said:
Responsibility is a unique concept: it can only reside and
inhere in a single individual. You may share it with others,
but your portion is not diminished. You may delegate it, but it
is still with you. You may disclaim it, but you cannot divest
yourself of it. Even if you do not recognize it or admit its
presence, you cannot escape it. If responsibility is rightfully
yours, no evasion, or ignorance, or passing the blame can shift
the burden to someone else. Unless you can point your finger at
the person who is responsible when something goes wrong, then
you have never had anyone really responsible.
His concept of total responsibility and ownership permeates NR at
every level. He also realized that while the Navy designed and operated
the ships, the Atomic Energy Commission (the forerunner of the
Department of Energy) was responsible for the nuclear research and
development--he would need to have authority within both activities.
Hence, he forged a joint Navy/Atomic Energy Commission program having
the requisite authority within each activity to carry out the cradle-
to-grave responsibility for all aspects of naval nuclear propulsion,
including safety.
CONCLUSION
In the aftermath of the Three Mile Island accident in 1979, Admiral
Rickover was asked to testify before Congress in a context similar to
my appearance before you today. In this testimony, he said:
Over the years, many people have asked me how I run the Naval
Reactors Program, so that they might find some benefit for
their own work. I am always chagrined at the tendency of people
to expect that I have a simple, easy gimmick that makes my
program function. Any successful program functions as an
integrated whole of many factors. Trying to select one aspect
as the key one will not work. Each element depends on all the
others.
I wholeheartedly agree. As I said earlier, there is no magic
formula. Safety must be in the mainstream.
Mr. Chairman, with your permission, I will submit a copy of Admiral
Rickover's 1979 testimony for the record. This testimony is relevant
because it describes many of the same key attributes and core values I
have discussed today--demonstrating that in fact, these key elements of
Naval Reactors are timeless and enduring. That testimony also details
the continual training program for the nuclear-trained Fleet operators
I mentioned earlier. I have updated the statistics on the first four
pages to make them current and placed them in parentheses beside the
1979 data. Also, with your permission, I will submit a copy of the
Program's annual environmental, occupational radiation exposure, and
occupational safety and health reports. [Note: These items are located
in Appendix 2: Additional Material for the Record.]
Our basic organization, responsibilities, and, most important, our
core values have remained largely unchanged since Admiral Rickover
founded NR. These core values that I've discussed today are the
foundation that have allowed our nuclear-powered ships to safely steam
more than 128 million miles, equivalent to over 5,000 trips around the
Earth. . .without a reactor accident. . .indeed, with no measurable
negative impact on the environment or human health.
Thank you for allowing me to testify before you today.
Biography for Admiral Frank Lee Bowman
United States Navy, Director, Naval Nuclear Propulsion
Admiral Frank L. ``Skip'' Bowman is a native of Chattanooga, Tenn.
He was commissioned following graduation in 1966 from Duke University.
In 1973 he completed a dual master's program in nuclear engineering and
naval architecture/marine engineering at the Massachusetts Institute of
Technology and was elected to the Society of Sigma Xi. Adm. Bowman has
been awarded the honorary degree of Doctor of Humane Letters from Duke
University. Admiral Bowman serves on two visiting committees at MIT
(Ocean Engineering and Nuclear Engineering), the Engineering Board of
Visitors at Duke University, and the Nuclear Engineering Department
Advisory Committee at the University of Tennessee.
His early assignments included tours in USS Simon Bolivar (SSBN
641), USS Pogy (SSN 647), USS Daniel Boone (SSBN 629), and USS
Bremerton (SSN 698). In 1983, Adm. Bowman took command of USS City Of
Corpus Christi (SSN 705), which completed a seven-month
circumnavigation of the globe and two special classified missions
during his command tour. His crew earned three consecutive Battle
Efficiency ``E'' awards. Adm. Bowman later commanded USS Holland (AS
32) from August 1988 to April 1990. During this period, the Holland
crew was awarded two Battle Efficiency ``E'' awards.
Ashore, Adm. Bowman has served on the staff of Commander, Submarine
Squadron Fifteen, in Guam; twice in the Bureau of Naval Personnel in
the Submarine Policy and Assignment Division; as the SSN 21 Attack
Submarine Program Coordinator on the staff of the Chief of Naval
Operations; on the Chief of Naval Operations' Strategic Studies Group;
and as Executive Assistant to the Deputy Chief of Naval Operations
(Naval Warfare). In December 1991, he was promoted to flag rank and
assigned as Deputy Director of Operations on the Joint Staff (J-3)
until June 1992, and then as Director for Political-Military Affairs
(J-5) until July 1994. Adm. Bowman served as Chief of Naval Personnel
from July 1994 to September 1996.
Admiral Bowman assumed duties as Director, Naval Nuclear
Propulsion, on 27 September 1996, and was promoted to his present rank
on 1 October 1996. In this position, he is also Deputy Administrator
for Naval Reactors in the National Nuclear Security Administration,
Department of Energy.
Under his command, his crews have earned the Meritorious Unit
Commendation (three awards), the Navy Battle Efficiency ``E'' Ribbon
(five awards), the Navy Expeditionary Medal (two awards), the
Humanitarian Service Medal (two awards), the Sea Service Deployment
Ribbon (three awards), and the Navy Arctic Service Ribbon. His personal
awards include the Defense Distinguished Service Medal, the Navy
Distinguished Service Medal, the Legion of Merit (with three gold
stars), and the Officier de l'Ordre National du Merite from the
Government of France.
Chairman Boehlert. Thank you very much for some very fine
testimony. And without objection, your statement, in its
entirety, along with the supplemental material, will be
included in the record. And that will hold true for the
testimony of all of our distinguished witnesses. We want
everything you can give us, because we--that is how we learn.
And thank you, Admiral, and congratulations, once again, for an
outstanding program.
Admiral Sullivan.
STATEMENT OF REAR ADMIRAL PAUL E. SULLIVAN, DEPUTY COMMANDER,
SHIP DESIGN, INTEGRATION AND ENGINEERING, NAVAL SEA SYSTEMS
COMMAND, U.S. NAVY
Rear Admiral Sullivan. Good morning, Mr. Chairman, Mr.
Hall, Members of the Committee. I would like to thank you for
the opportunity to testify about the Submarine Safety Program,
which we call in the Navy, SUBSAFE.
I serve as the Naval Sea Systems Command's Deputy Commander
for Ship Design, Integration and Engineering. My organization
is the authority for the technical requirements that underpin
the SUBSAFE Program.
Mr. Chairman, I have submitted a written statement, which
addresses the questions you raised about the SUBSAFE Program,
and I will summarize that statement for you now.
On April 10, 1963, when engaged in a deep test dive, the
USS Thresher was lost with 129 people on board. The loss of
Thresher and her crew was a devastating event for the submarine
community, the Navy, and the Nation.
Shortly after that tragedy, the SUBSAFE Program was created
in June 1963. It established submarine design requirements,
initial submarine safety certification requirements, and
submarine safety certification continuity requirements.
The purpose of the SUBSAFE Program is to provide maximum
reasonable assurance of watertight integrity and the ability of
our submarines to recover from flooding. It is important to
note that the SUBSAFE Program does not spread or dilute its
focus beyond that purpose.
The heart of the Program is a combination of work
discipline, material control, and documentation.
The SUBSAFE Program has been very successful, however, it
has not been without problems. For example, in 1984 NAVSEA
directed a thorough evaluation of the SUBSAFE Program to ensure
that mandatory discipline had been maintained. As a result, the
following year, in 1985, the Submarine Safety and Quality
Assurance Division was established as an independent
organization within NAVSEA to strengthen compliance with
SUBSAFE requirements.
The SUBSAFE Program continues to adapt to the ever-changing
construction and maintenance environments as well as new and
evolving technologies as they become used on our submarines.
Safety is central to the culture of our entire Navy
submarine community, including designers, builders,
maintainers, and operators. The Navy's submarine safety culture
is instilled through the following: first, clear, concise, non-
negotiable requirements; second, multiple, structured audits;
and third, annual training with strong, emotional lessons
learned from past failures.
SUBSAFE certification is a disciplined process that lead to
formal authorization for unrestricted operations on a
submarine. Once a submarine is certified for unrestricted
operation, we use three elements to maintain that
certification. The first, the Re-entry Control Process, is used
to control work within the SUBSAFE boundary and is the backbone
of this certification continuity. The second, the Unrestricted
Operation/Maintenance Requirement Program, is used to carry out
periodic inspections and tests of critical systems, and that is
the technical basis for continued unrestricted operations.
Third, SUBSAFE audits are used to confirm compliance with
SUBSAFE requirements. We use two primary types of audits. The
first is a certification audit, and that audit examines the
objective quality evidence, or paperwork, for an individual
submarine to ensure that that submarine is satisfactory for
unrestricted operations. Functional audits review the
organizations that perform SUBSAFE work to ensure that the
organization complies with SUBSAFE requirements.
In addition to these formal NAVSEA audits, our field
organizations and the Fleet are required to conduct their own
similar internal audits. In fact, we also have the field
activities audit the headquarters. We have some homework to do,
for instance, from the most recent of those headquarters audits
that was performed this summer.
The SUBSAFE Program has a formal organizational structure,
which has key--three key elements: first, technical authority;
second, program management; and third, the submarine safety and
quality assurance. Each of these elements is organizationally
independent and has the authority to stop the certification
process until an identified issue has been satisfactorily
resolved.
Our nuclear submarines require a highly competent and
experienced technical workforce and constant vigilance to
prevent complacency. Despite our past successes, mandated
downsizing of our workforce has caused us to continually
optimize our processes and to become more efficient while we
maintain that culture of safety.
In conclusion, let me reiterate that since the inception of
the SUBSAFE Program in 1963, the Navy has had a disciplined
process that provides maximum reasonable assurance that our
submarines are safe from flooding and can recover from a
flooding incident. We have taken the lessons learned from the
Thresher to heart, and we have them--made them a part of our
submarine culture.
Thank you.
[The prepared statement of Rear Admiral Sullivan follows:]
Prepared Statement of Rear Admiral Paul E. Sullivan
NAVAL SEA SYSTEMS COMMAND
SUBMARINE SAFETY (SUBSAFE) PROGRAM
Good Morning Chairman Boehlert, Ranking Member Hall and Members of
the Committee.
Thank you for the opportunity to testify before this committee
about the Submarine Safety Program, which the Navy calls SUBSAFE, and
how it operates.
My name is RADM Paul Sullivan, USN. I serve as the Naval Sea System
Command's Deputy Commander for Ship Design, Integration and
Engineering, which is the authority for the technical requirements of
the SUBSAFE Program.
To establish perspective, I will provide a brief history of the
SUBSAFE Program and its development. I will then give you a description
of how the program operates and the organizational relationships that
support it. I am also prepared to discuss our NASA/Navy benchmarking
activities that have occurred over the past year.
SUBSAFE PROGRAM HISTORY
On April 10, 1963, while engaged in a deep test dive, approximately
200 miles off the northeastern coast of the United States, the USS
THRESHER (SSN-593) was lost at sea with all persons aboard--112 naval
personnel and 17 civilians. Launched in 1960 and the first ship of her
class, the THRESHER was the leading edge of U.S. submarine technology,
combining nuclear power with a modern hull design. She was fast, quiet
and deep diving. The loss of THRESHER and her crew was a devastating
event for the submarine community, the Navy and the Nation.
The Navy immediately restricted all submarines in depth until an
understanding of the circumstances surrounding the loss of the THRESHER
could be gained.
A Judge Advocate General (JAG) Court of Inquiry was conducted, a
THRESHER Design Appraisal Board was established, and the Navy testified
before the Joint Committee on Atomic Energy of the 88th Congress.
The JAG Court of Inquiry Report contained 166 Findings of Fact, 55
Opinions, and 19 Recommendations. The recommendations were technically
evaluated and incorporated into the Navy's SUBSAFE, design and
operational requirements.
The THRESHER Design Appraisal Board reviewed the THRESHER's design
and provided a number of recommendations for improvements.
Navy testimony before the Joint Committee on Atomic Energy occurred
on June 26, 27, July 23, 1963 and July 1, 1964 and is a part of the
Congressional Record.
While the exact cause of the THRESHER loss is not known, from the
facts gathered during the investigations, we do know that there were
deficient specifications, deficient shipbuilding practices, deficient
maintenance practices, and deficient operational procedures. Here's
what we think happened:
THRESHER had about 3000 silver-brazed piping joints
exposed to full submergence pressure. During her last shipyard
maintenance period 145 of these joints were inspected on a not-
to-delay vessel basis using a new technique called Ultrasonic
Testing. Fourteen percent of the joints tested showed sub-
standard joint integrity. Extrapolating these test results to
the entire population of 3000 silver-brazed joints indicates
that possibly more than 400 joints on THRESHER could have been
sub-standard. One or more of these joints is believed to have
failed, resulting in flooding in the engine room.
The crew was unable to access vital equipment to stop
the flooding.
Saltwater spray on electrical components caused short
circuits, reactor shutdown, and loss of propulsion power.
The main ballast tank blow system failed to operate
properly at test depth. We believe that various restrictions in
the air system coupled with excessive moisture in the system
led to ice formation in the blow system piping. The resulting
blockage caused an inadequate blow rate. Consequently, the
submarine was unable to overcome the increasing weight of water
rushing into the engine room.
The loss of THRESHER was the genesis of the SUBSAFE Program. In
June 1963, not quite two months after THRESHER sank, the SUBSAFE
Program was created. The SUBSAFE Certification Criterion was issued by
BUSHIPS letter Ser 525-0462 of 20 December 1963, formally implementing
the Program.
The Submarine Safety Certification Criterion provided the basic
foundation and structure of the program that is still in place today.
The program established:
Submarine design requirements
Initial SUBSAFE certification requirements with a
supporting process, and
Certification continuity requirements with a
supporting process.
Over the next 11 years the submarine safety criterion underwent 37
changes. In 1974, these requirements and changes were codified in the
Submarine Safety Requirements Manual (NAVSEA 0924-062-0010). This
manual continues to be the set of formal base requirements for our
program today. Over the years, it has been successfully applied to many
classes of nuclear submarines and has been implemented for the
construction of our newest VIRGINIA Class submarine.
The SUBSAFE Program has been very successful. Between 1915 and
1963, sixteen submarines were lost due to non-combat causes, an average
of one every three years. Since the inception of the SUBSAFE Program in
1963, only one submarine has been lost. USS SCORPION (SSN 589) was lost
in May 1968 with 99 officers and men aboard. She was not a SUBSAFE
certified submarine and the evidence indicates that she was lost for
reasons that would not have been mitigated by the SUBSAFE Program. We
have never lost a SUBSAFE certified submarine.
However, SUBSAFE has not been without problems. We must constantly
remind ourselves that it only takes a moment to fail. In 1984 NAVSEA
directed that a thorough evaluation be conducted of the entire SUBSAFE
Program to ensure that the mandatory discipline and attention to detail
had been maintained. In September 1985 the Submarine Safety and Quality
Assurance Office was established as an independent organization within
the NAVSEA Undersea Warfare Directorate (NAVSEA 07) in a move to
strengthen the review of and compliance with SUBSAFE requirements.
Audits conducted by the Submarine Safety and Quality Assurance Office
pointed out discrepancies within the SUBSAFE boundaries. Additionally,
a number of incidents and breakdowns occurred in SUBSAFE components
that raised concerns with the quality of SUBSAFE work. In response to
these trends, the Chief Engineer of the Navy chartered a senior review
group with experience in submarine research, design, fabrication,
construction, testing and maintenance to assess the SUBSAFE program's
implementation. In conjunction with functional audits performed by the
Submarine Safety and Quality Assurance Office, the senior review group
conducted an in depth review of the SUBSAFE Program at submarine
facilities. The loss of the CHALLENGER in January 1986 added impetus to
this effort. The results showed clearly that there was an unacceptable
level of complacency fostered by past success; standards were beginning
to be seen as goals vice hard requirements; and there was a generally
lax attitude toward aspects of submarine configuration.
The lessons learned from those reviews include:
Disciplined compliance with standards and
requirements is mandatory.
An engineering review system must be capable of
highlighting and thoroughly resolving technical problems and
issues.
Well-structured and managed safety and quality
programs are required to ensure all elements of system safety,
quality and readiness are adequate to support operation.
Safety and quality organizations must have sufficient
authority and organizational freedom without external pressure.
The Navy continues to evaluate its SUBSAFE Program to adapt to the
ever-changing construction and maintenance environments as well as new
and evolving technologies being used in our submarines. Since its
creation in 1974 the SUBSAFE Manual has undergone several changes. For
example, the SUBSAFE boundary has been redefined based on improvements
in submarine recovery capability and establishment of a disciplined
material identification and control process. An example of changing
technology is the utilization of fly-by-wire ship control technology on
SEAWOLF and VIRGINIA class submarines. Paramount in this adaptation
process is the premise that the requirements, which keep the SUBSAFE
Program successful, will not be compromised. It is a daily and
difficult task; but our program and the personnel who function within
it are committed to it.
PURPOSE AND FOCUS
The purpose of the SUBSAFE Program is to provide maximum reasonable
assurance of watertight integrity and recovery capability. It is
important to recognize that the SUBSAFE Program does not spread or
dilute its focus beyond this purpose. Mission assurance is not a
concern of the SUBSAFE Program, it is simply a side benefit of the
program. Other safety programs and organizations regulate such things
as fire safety, weapons systems safety, and nuclear reactor systems
safety.
Maximum reasonable assurance is achieved by certifying that each
submarine meets submarine safety requirements upon delivery to the Navy
and by maintaining that certification throughout the life of the
submarine.
We apply SUBSAFE requirements to what we call the SUBSAFE
Certification Boundary--those structures, systems, and components
critical to the watertight integrity and recovery capability of the
submarine. The SUBSAFE boundary is defined in the SUBSAFE Manual and
depicted diagrammatically in what we call SUBSAFE Certification
Boundary Books.
SUBSAFE CULTURE
Safety is central to the culture of our entire Navy submarine
community, including designers, builders, maintainers, and operators.
The SUBSAFE Program infuses the submarine Navy with safety requirements
uniformity, clarity, focus, and accountability.
The Navy's safety culture is embedded in the military, Civil
Service, and contractor community through:
Clear, concise, non-negotiable requirements,
Multiple, structured audits that hold personnel at
all levels accountable for safety, and
Annual training with strong, emotional lessons
learned from past failures.
Together, these processes serve as powerful motivators that
maintain the Navy's safety culture at all levels. In the submarine
Navy, many individuals understand safety on a first-hand and personal
basis. The Navy has had over one hundred thousand individuals that have
been to sea in submarines. In fact, many of the submarine designers and
senior managers at both the contractors and NAVSEA routinely are on-
board each submarine during its sea trials. In addition, the submarine
Navy conducts annual training, revisiting major mishaps and lessons
learned, including THRESHER and CHALLENGER.
NAVSEA uses the THRESHER loss as the basis for annual mandatory
training. During training, personnel watch a video on the THRESHER,
listen to a two-minute long audio tape of a submarine's hull
collapsing, and are reminded that people were dying as this occurred.
These vivid reminders, posters, and other observances throughout the
submarine community help maintain the safety focus, and it continually
renews our safety culture. The Navy has a traditional military
discipline and culture. The NAVSEA organization that deals with
submarine technology also is oriented to compliance with institutional
policy requirements. In the submarine Navy there is a uniformity of
training, qualification requirements, education, etc., which reflects a
single mission or product line, i.e., building and operating nuclear
powered submarines.
SUBSAFE CERTIFICATION PROCESS
SUBSAFE certification is a process, not just a final step. It is a
disciplined process that brings structure to our new construction and
maintenance programs and leads to formal authorization for unrestricted
operations. SUBSAFE certification is applied in four areas:
Design,
Material,
Fabrication, and
Testing.
Certification in these areas applies both to new construction and
to maintenance throughout the life of the submarine.
The heart of the SUBSAFE Program and its certification processes is
a combination of Work Discipline, Material Control, and Documentation:
Work discipline demands knowledge of the requirements
and compliance with those requirements, for everyone who
performs any kind of work associated with submarines.
Individuals have a responsibility to know if SUBSAFE impacts
their work.
Material Control is everything involved in ensuring
that correct material is installed correctly, beginning with
contracts that purchase material, all the way through receipt
inspection, storage, handling, and finally installation in the
submarine.
Documentation important to SUBSAFE certification
falls into two categories:
� Selected Record Drawings and Data: Specific design
products are created when the submarine is designed.
These products consist of documents such as system
diagrams, SUBSAFE Mapping Drawings, Ship Systems
Manuals, SUBSAFE certification Boundary Books, etc.
They must be maintained current throughout the life of
the submarine to enable us to maintain SUBSAFE
certification.
� Objective Quality Evidence (OQE): Specific work
records are created when work is performed and consist
of documents such as weld forms, Non-Destructive
Testing forms, mechanical assembly records, hydrostatic
and operational test forms, technical work documents in
which data is recorded, waivers and deviations, etc.
These records document the work performed and the
worker's signature certifying it was done per the
requirements. It is important to understand that
SUBSAFE certification is based on objective quality
evidence. Without objective quality evidence there is
no basis for certification, no matter who did the work
or how well it was done. Objective quality evidence
provides proof that deliberate steps were taken to
comply with requirements.
The basic outline of the SUBSAFE certification process is as
follows:
SUBSAFE requirements are invoked in the design and
construction contracts for new submarines, in the work package
for submarines undergoing depot maintenance periods, and in the
Joint Fleet Maintenance Manual for operating submarines.
Material procurement and fabrication, overhaul and
repair, installation and testing generate objective quality
evidence for these efforts. This objective quality evidence is
formally and independently reviewed and approved to assure
compliance with SUBSAFE requirements. The objective quality
evidence is then retained for the life of the submarine.
Formal statements of compliance are provided by the
organizations performing the work and by the government
supervising authority responsible for the oversight of these
organizations. All organizations performing SUBSAFE work must
be evaluated, qualified and authorized in accordance with
NAVSEA requirements to perform this work. A Naval Supervising
Authority, assigned to each contractor organization, is
responsible to monitor and evaluate contractor performance.
Audits are conducted to examine material, inspect
installations and review objective quality evidence for
compliance with SUBSAFE requirements.
For new construction submarines and submarines in
major depot maintenance periods, the assigned NAVSEA Program
Manager uses a formal checklist to collect specific
documentation and information required for NAVSEA Headquarters
certification. When all documentation has been collected,
reviewed and approved by the Technical Authority and the
SUBSAFE Office, the Program Manager formally presents the
package to the Certifying Official for review and certification
for sea trials. For new construction submarines, the formal
presentation of the certification package is made to the
Program Executive Officer for Submarines, and for in-service
submarines completing a major depot maintenance period the
certification package is formally presented to the Deputy
Commander for Undersea Warfare. Approval by the Certifying
Official includes verification of full concurrence, as well as
discussion and resolution of dissenting opinions or concerns.
After successful sea trials, a second review is performed prior
to authorizing unrestricted operations for the submarine.
SUBSAFE CERTIFICATION MAINTENANCE
Once a submarine is certified for unrestricted operation, there are
two elements, in addition to audits, that we use to maintain the
submarine in a certified condition. They are the Re-Entry Control
Process and the Unrestricted Operation/Maintenance Requirement Card
(URO/MRC) Program.
Re-entry Control is used to control work within the SUBSAFE
Certification Boundary. It is the backbone of certification maintenance
and continuity. It provides an identifiable, accountable and auditable
record of work performed within the SUBSAFE boundary. The purpose is to
provide positive assurance that all SUBSAFE systems and components are
restored to a fully certified condition. Re-entry control procedures
help us maintain work discipline by identifying the work to be
performed and the standards to be met. Re-entry control establishes
personal accountability because the personnel authorizing, performing
and certifying the work and testing must sign their names on the re-
entry control documentation. It is the process we use to collect the
OQE that supports certification.
The Unrestricted Operation/Maintenance Requirement Card (URO/MRC)
Program facilitates planned periodic inspections and tests of critical
equipment, systems, and structure to ensure that they have not degraded
to an unacceptable level due to use, age, or environment. The URO/MRC
Program provides the technical basis for authorizing continued
unrestricted operations of Navy submarines. The responsibility to
complete URO/MRC inspections is divided among multiple organizations.
Some inspections can only be completed by a shipyard during a
maintenance period. Other inspections are the responsibility of an
Intermediate Maintenance Activity or Ships Force. NAVSEA manages the
program by tracking performance to ensure that periodicity requirements
are not violated, inspections are not missed, and results meet invoked
technical requirements.
AUDITS
A key element of certification and certification maintenance is the
audit program. The audit program was established in 1963. During
testimony before Congress Admiral Curtze stated: ``To ensure the
adequacy of the application of the quality assurance programs in
shipyards a system of audits has been established.. . .'' This system
of audits is still in place today. There are two primary types of
audits: Certification Audits and Functional Audits.
In a SUBSAFE CERTIFICATION Audit we look at the Objective Quality
Evidence associated with an individual submarine to ensure that the
material condition of that submarine is satisfactory for sea trials and
unrestricted operations. These audits are performed at the completion
of new construction and at the end of major depot maintenance periods.
They cover a planned sample of specific aspects of all SUBSAFE work
performed, including inspection of a sample of installed equipment. The
results and resolution of deficiencies identified during such audits
become one element of final NAVSEA approval for sea trials and
subsequent unrestricted operations.
In a SUBSAFE FUNCTIONAL Audit we periodically review the policies,
procedures, and practices used by each organization, including
contractors, that performs SUBSAFE work, to ensure that those policies,
procedures and practices comply with SUBSAFE requirements, are healthy,
and are capable of producing certifiable hardware or design products.
This audit also includes surveillance of actual work in progress.
Organizations audited include public and private shipyards, engineering
offices, the Fleet, and NAVSEA headquarters.
In addition to the audits performed by NAVSEA, our shipyards, field
organizations and the Fleet are required to conduct internal (or self)
audits of their policies, procedures, and practices and of the work
they perform.
SUBSAFE ORGANIZATIONAL RELATIONSHIPS
The SUBSAFE Program maintains a formal organizational structure
with clear delineation of responsibilities in the SUBSAFE Requirements
Manual. Ultimately, the purpose of the SUBSAFE Organization is to
support the Fleet. We strongly believe that our sailors must be able to
go to sea with full confidence in the safety of their submarine. Only
then will they be able to focus fully on their task of operating the
submarine and carrying out assigned operations successfully.
There are three key elements in our Headquarters organization:
Technical Authority, Program Management and Submarine Safety and
Quality Assurance. Each of these elements is organizationally
independent and has specifically defined roles in the SUBSAFE Program.
NAVSEA Technical Authority provides technical direction and
assistance to Program Managers and the Fleet. In our terms, Technical
Authority is the authority, responsibility and accountability to
establish, monitor and approve technical products and policy in
conformance to higher tier policy and requirements. Technical
authorities are warranted (formally given authority) within NAVSEA and
our field organizations. Technical warrant holders are subject matter
experts. Within the defined technical area warranted, they are
responsible for establishing technical standards, entrusted and
empowered to make authoritative decisions, and held accountable for the
technical decisions made. Where technical products are not in
conformance with technical policy, standards and requirements, warrant
holders are responsible to identify associated risks and approve non-
conformances (waivers or deviations) in a manner that ensures risks are
acceptable. NAVSEA is accustomed to evaluating risk; however, non-
conformances are treated as an exception vice the norm. Full discussion
of technical issues is required before making decisions. Discussions
and decisions are coordinated with the Program Management and Submarine
Safety and Quality Assurance Offices. However, NAVSEA 05, Ship Design,
Integration and Engineering, is the final authority for the technical
requirements of the SUBSAFE Program.
Within the Undersea Warfare Directorate (NAVSEA 07)
the Director, Submarine Hull, Mechanical and Electrical
Engineering Management Division (NAVSEA 07T) is the warranted
technical authority and provides system engineering and support
for submarine technical SUBSAFE issues.
Submarine Program Managers manage all aspects of assigned submarine
programs in construction, maintenance and modernization, including
oversight of cost, schedule, performance and direction of life cycle
management. They are responsible and accountable to ensure compliance
with the requirements of the SUBSAFE Program and with technical policy
and standards established by the technical authority.
The Submarine Safety and Quality Assurance Office (NAVSEA 07Q)
manages the SUBSAFE program and audits organizations performing SUBSAFE
work to ensure compliance with SUBSAFE requirements. NAVSEA 07Q is the
primary point of contact within NAVSEA Headquarters in all matters
relating to SUBSAFE Program policy and requirements.
In addition, several groups and committees have been formally
constituted to provide oversight of and guidance to the SUBSAFE Program
and to provide a forum to evaluate and make changes to the program:
The SUBSAFE Oversight Committee (SSOC) provides
independent command level oversight to ensure objectives of the
SUBSAFE Program are met. Members are of Flag rank and represent
NAVSEA Directorates (SEA 09, PEO-SUB, SEA 05, SEA 04, SEA 07)
and the Navy Inventory Control Point.
The SUBSAFE Steering Task Group (SSSTG) was
established based on results of the THRESHER investigation to
ensure adequate provision of safety features in current and
future submarine construction, conversion, and major depot
availability programs. The SSSTG defines the scope of the
SUBSAFE Program, reviews program progress and approves or
disapproves proposed policy changes. Members include Admirals,
Senior Executive Service members and other senior civilian
managers with direct SUBSAFE and technical responsibilities, as
well as the Submarine Program Managers.
The SUBSAFE Working Group (SSWG) consists of SUBSAFE
Program Directors from Headquarters, shipyards, field
organizations, and the Fleet. The Working Group meets formally
twice a year to provide a forum to discuss and evaluate SUBSAFE
Program progress, implementation and proposals for improvement.
SUBSAFE Program Directors are the focal point for SUBSAFE
matters and are responsible and accountable for implementation
and proper execution of the SUBSAFE Program within their
respective organizations. They maintain close liaison with
NAVSEA 07Q to present or obtain information relative to SUBSAFE
issues.
SUBSAFE CERTIFICATION RELATIONSHIPS
As described earlier in this testimony, each NAVSEA organization is
assigned separate responsibility and authority for SUBSAFE Program
requirements and compliance. Our technical authority managers are
empowered and accountable to make disciplined technical decisions. They
are formally given the authority, responsibility and accountability to
establish, monitor and approve technical products and policy. The
Submarine Program Managers are responsible for executing the SUBSAFE
Program for assigned submarines in new construction and major depot
availabilities. They have the authority, responsibility and
accountability to ensure compliance with technical policy and standards
established by cognizant technical authority. NAVSEA 07Q, Submarine
Safety and Quality Assurance Office, is responsible and accountable for
implementation and management of the SUBSAFE Program and for ensuring
compliance with SUBSAFE Program requirements.
The ultimate certification authority is the Program Executive
Officer for Submarines (PEO SUB) for new construction and the Deputy
Commander for Undersea Warfare (NAVSEA 07) for major depot
availabilities. The Program manager, with the concurrence of and in the
presence of the technical authority representative (NAVSEA 07T) and the
SUBSAFE office (NAVSEA 07Q), presents the certification package with
which he attests that the SUBSAFE material condition of the submarine
is satisfactory for sea trials or for unrestricted operation. Each of
the participants has the authority to stop the certification process
until an identified issue is satisfactorily resolved.
NAVSEA PERSONNEL
Our nuclear submarines are among the most complex weapon systems
ever built. They require a highly competent and experienced technical
workforce to accomplish their design, construction, maintenance and
operation. In order for NAVSEA to continue to provide the best
technical support to all aspects of our submarine programs, we are
challenged to recruit and maintain a technically qualified workforce.
In 1998, faced with downsizing and an aging workforce, NAVSEA initiated
several actions to ensure we could meet current and future challenges.
We refocused on our core competencies, defined new engineering
categories and career paths, and obtained approval to infuse our
engineering skill sets with young engineers to provide for a systematic
transition of our workforce. We hired over 1000 engineers with a net
gain of 300. This approach allowed our experienced engineers to train
and mentor young engineers and help NAVSEA sustain our core
competencies. Despite this limited success, mandated downsizing has
continued to challenge us. I remain concerned about our ability, in the
near future, to provide adequate technical support to, and quality
overview of our submarine construction and maintenance programs.
NASA/NAVY BENCHMARKING EXCHANGE (NNBE)
The NASA/NAVY Benchmarking Exchange effort began activities in
August 2002 and is ongoing. The NNBE was undertaken to identify
practices and procedures and to share lessons learned in the Navy's
submarine and NASA's human space flight programs. The focus is on
safety and mission assurance policies, processes, accountability, and
control measures. To date, nearly all of this effort has involved the
Navy describing our organization, processes and practices to NASA. The
NNBE Interim report was completed December 20, 2002.
Phase-2 was initiated in January 2003 with 40 NAVSEA personnel
spending a week at the Kennedy Space Center (January 13-17) being
briefed on a wide array of topics related to the manufacturing,
processing, and launch of the Space Shuttle with emphasis on safety,
compliance verification, and safety certification processes. A follow-
up trip to Kennedy Space Center and a trip to Johnson Space Center were
scheduled for early February 2003. After loss of Columbia, the NAVSEA
benchmarking of NASA activity was placed on hold until October when 18
NAVSEA software experts were hosted by their NASA counterparts for a
week of meetings at Kennedy Space Center and Johnson Space Center. It
should also be noted that Naval Reactors hosted 45 senior NASA managers
for a ``Challenger Launch Decision'' training seminar at the Washington
Naval Yard on May 15.
Three Memoranda of Agreement (MOA) have been developed to formalize
NASA/NAVSEA ongoing collaboration. The first, recently signed,
establishes a sharing of data related to contractor and supplier
quality and performance. The second MOA, in final preparation,
establishes the basis for reciprocal participation in functional
audits. The third MOA, also in final preparation, will establish
reciprocal participation in engineering investigations and analyses.
In conclusion, let me reiterate that since the inception of the
SUBSAFE Program in 1963, the Navy has had a disciplined process that
provides MAXIMUM reasonable assurance that our submarines are safe from
flooding and can recover from a flooding incident. In 1988, at a
ceremony commemorating the 25th anniversary of the loss of THRESHER,
the Navy's ranking submarine officer, Admiral Bruce Demars, said: ``The
loss of THRESHER initiated fundamental changes in the way we do
business, changes in design, construction, inspections, safety checks,
tests and more. We have not forgotten the lesson learned. It's a much
safer submarine force today.''
Biography for Rear Admiral Paul E. Sullivan
United States Navy, Deputy Commander for Ship Design Integration
and Engineering, Naval Sea Systems Command
Rear Admiral Sullivan is a native of Chatham, N.J. He graduated
from the U.S. Naval Academy in 1974 with a Bachelor of Science Degree
in Mathematics.
Following graduation, Rear Adm. Sullivan served aboard USS Detector
(MSO 429) from 1974 to 1977, where he earned his Surface Warfare
Qualification.
Rear Adm. Sullivan then attended the Massachusetts Institute of
Technology (MIT), where he graduated in 1980 with dual degrees of
Master of Science (Naval Architecture and Marine Engineering) and Ocean
Engineer. While at MIT, he transferred to the Engineering Duty Officer
Community.
Rear Adm. Sullivan's Engineering Duty Officer tours prior to
command include Ship Superintendent, Docking Officer, Assistant Repair
Officer and Assistant Design Superintendent at Norfolk Naval Shipyard,
where he completed his Engineering Duty Officer qualification; Deputy
Ship Design Manager for the Seawolf class submarine at Naval Sea
Systems Command (NAVSEA), where he completed his submarine
qualification program; Associate Professor of Naval Architecture at
MIT; Ohio (SSBN 726) Class Project Officer and Los Angeles (SSN 688)
Class Project Officer at Supervisor of Shipbuilding, Groton, Conn.;
Team Leader for Cost, Producibility, and Cost and Operational
Effectiveness Assessment (COEA) studies for the New Attack Submarine at
NAVSEA; and the Director for Submarine Programs on the staff of the
Assistant Secretary of the Navy (Research, Development and
Acquisition).
Rear Adm. Sullivan served as Program Manager for the Seawolf Class
Submarine Program (PMS 350) 1995 to 1998. During his tenure, the
Seawolf design was completed, and the lead ship of the class was
completed, tested at sea, and delivered to the Navy.
In September 1998, Rear Adm. Sullivan relieved as Program Manager
for the Virginia Class Submarine Program (PMS 450). During his tour the
contract for the Virginia Class Submarine Program was signed,
construction was initiated on the first four submarines, and most of
the Virginia design was completed. In September 2001 he reported to his
current assignment as Deputy Commander for Ship Design Integration and
Engineering, Naval Sea Systems Command. Rear Adm. Sullivan's awards
include the Legion of Merit (two awards), the Meritorious Service Medal
(four awards), the Navy Commendation Medal (two awards) and the Navy
Achievement Medal.
Chairman Boehlert. Thank you very much, Admiral Sullivan.
Mr. Johnson.
STATEMENT OF MR. RAY F. JOHNSON, VICE PRESIDENT, SPACE LAUNCH
OPERATIONS, THE AEROSPACE CORPORATION
Mr. Johnson. Thank you. Mr. Chairman, distinguished
Committee Members, and staff, I am pleased to have the
opportunity to describe the capabilities of The Aerospace
Corporation as they relate to organizational and management
``best practices'' of successful safety and mission assurance
programs.
I will discuss the Committee's questions as outlined in the
invitation letter, but first, I would like to present an
overview of Aerospace and specifically what we do for the Air
Force in the area of launch readiness verification.
The Aerospace Corporation is a private, non-profit,
California corporation that was created in 1960 at the
recommendation of Congress to provide research, development,
and advisory services to the U.S. Government in the planning
and acquisition of space, launch, and ground systems and their
related technologies.
As its primary activity, Aerospace operates a Federally
Funded Research and Development Center, or FFRDC, sponsored by
the Undersecretary of the Air Force and managed by the Space
and Missile Systems Center, or SMC, in El Segundo, California.
Our principal tasks are systems planning, systems engineering,
integration, flight readiness verification, operations support,
and anomaly resolution for DOD, Air Force, and National
Security Space systems. Independent launch verification is a
core competency of Aerospace, as defined in its charter. As
such, Aerospace is directly accountable to SMC for the
verification of launch readiness. The verification begins as
early as the concept and requirement definition phase of most
programs and continues through flight operations. This
assessment includes things such as design, qualification,
fabrication, acceptance, software, mission analysis,
integration, and test.
Prior to any launch, Aerospace provides a letter to SMC
documenting the results of the launch verification process,
confirming the flight readiness of the launch vehicle. This
letter is not just a formality but represents the culmination
of a long and rigorous assessment that draws upon the
collective expertise of scientists and engineers within the
program office and engineering staff.
Now I will address the Committee's specific questions. The
first question: ``What does it mean for a safety program to be
``independent''? How is your organization structured to ensure
its independence?''
The Government's requirement for the Aerospace FFRDC
mission requires complete objectivity and freedom from conflict
of interest; a highly expert staff, full access to all space
programs and contractor data sources; special simulation,
computational, laboratory, and diagnostic facilities; and
continuity of effort that involves detailed familiarity with
the sponsor's programs, past experience, and future needs.
Although the Aerospace program offices are co-located with
the Air Force programs, they are separate organizations with
their own management structure. Technical recommendations are
worked up through Aerospace management and are then presented
to the Air Force.
The second question was: ``Given that more can always be
done to improve safety, how can you ensure that your safety
program is independent and vigilant, and that it won't prevent
the larger organization from carrying out its duties?''
Aerospace recognizes its obligation to identify issues in a
timely manner and to keep the Air Force aware of any technical
issues that may impact the overall program. The launch
verification process is involved with all phases of the program
and is not merely a final assessment that is done just prior to
launch. While our technical rigor can identify otherwise
unobserved risks, the entire team must work together to allow
the larger organization to carry out its duties to achieve
flight worthiness certification and a successful mission.
The third question was: ``How do you ensure that the
existence of Aerospace's mission assurance program and
independent launch verification process does not allow the
larger organization that it serves to feel that it is absolved
of its responsibility for safety?''
Final flight worthiness certification is the responsibility
of the SMC Commander. At the final flight readiness review, the
Commander receives input from several organizations prior to
giving the GO to proceed with launch processing. The Commander
receives inputs from the Air Force Mission Director, the launch
vehicle program managers, the launch ranges, the SMC Chief
Engineer, prime contractors, the spacecraft program managers,
The Aerospace Corporation, and also his Independent Readiness
Review Team.
Aerospace is directly accountable to SMC for the
verification of launch readiness. The ultimate GO/NO-GO launch
decision rests with the SMC Commander, not Aerospace. However,
the Air Force relies heavily on our readiness assessment in
building confidence in the final decision.
And the final question is: ``How do you ensure that
dissenting opinions are offered without creating a process that
can never reach closure?''
The verification process includes all stakeholders at major
decision points and milestones. Individuals with dissenting
opinion are heard and we make every effort to assure our
positions are based on sound engineering practices backed up by
factual data. Management encourages the sharing of all points
of view and has the responsibility for ultimately deciding on a
final recommendation. When a pure technical solution is not
possible, the Air Force is provided with a risk assessment that
outlines the degree of risk associated with each course of
action.
In closing, our success depends largely on the close,
intimate relationship we have with our government customers. We
are physically integrated and programmatically aligned with our
customers. It is this totally integrated approach that allows
Aerospace to use its technical and scientific skills in support
of the National Security Space Program.
Thank you for the opportunity to describe The Aerospace
Corporation, its launch verification program, and contributions
to mission success.
I stand ready to provide any further data or discussions
that the Committee may require.
Thank you.
[The prepared statement of Mr. Johnson follows:]
Prepared Statement of Ray F. Johnson
Mr. Chairman, distinguished Committee Members and Staff:
I am pleased to have the opportunity to describe the capabilities
of The Aerospace Corporation as they relate to organizational and
management ``best practices'' of successful safety and mission
assurance programs. Aerospace is truly a unique organization. Our
capabilities, core competencies and practices are the result of 43
years of operating a Federally Funded Research and Development Center
(FFRDC) for the National Security Space program.
I will discuss the committee's questions as outlined in the
invitation letter, but first I would like to present an overview of
Aerospace and specifically what we do for the Air Force in the area of
launch readiness verification.
The nature and value of The Aerospace Corporation
The Aerospace Corporation is a private, nonprofit corporation,
headquartered in El Segundo, California. It was created in 1960 at the
recommendation of Congress and the Secretary of the Air Force to
provide research, development and advisory services to the U.S.
government in the planning and acquisition of space, launch and ground
systems and their related technologies. The key features of Aerospace
are that we provide a stable, objective, expert source of engineering
analysis and advice to the government, free from organizational
conflict of interest. We are focused on the government's best
interests, with no profit motive or predilection for any particular
design or technical solution.
As its primary activity, Aerospace operates an FFRDC sponsored by
the Under Secretary of the Air Force, and managed by the Space and
Missile Systems Center (SMC) in El Segundo, California. Our principal
tasks are systems planning, systems engineering, integration, flight
readiness verification, operations support and anomaly resolution for
the DOD, Air Force, and National Security Space systems. Through our
comprehensive knowledge of space systems and our sponsor's needs, our
breadth of staff expertise, and our long term, stable relationship with
the DOD, we are able to integrate technical lessons learned across all
military space programs and develop systems-of-systems architectures
that integrate the functions of many separate space and ground systems.
Aerospace does not compete with industry for government contracts,
and we do not manufacture products. The government relies on Aerospace
for objective development of pre-competitive system specifications, and
impartial evaluation of competing concepts and engineering hardware
developments, to ensure that government procurements can meet the
military user's needs in a cost-and-performance-effective manner.
Aerospace employs about 3,450 people, of whom 2,400 are scientists
and engineers with expertise in all aspects of space systems
engineering and technology. The professional staff includes a large
majority, 74 percent, with advanced degrees, with 29 percent holding
Ph.D.s. The average experience of Members of the Technical Staff (MTS)
is more than 25 years. We recruit more than two-thirds of our technical
staff from experienced industry sources and the rest from new
graduates, university staff, other nonprofit organizations, government
agencies, and internal degree programs.
Aerospace has maintained a 43-year strategic partnership with the
DOD and the National Security Space community, developing a data and
experience base that covers virtually every military space program
since 1960. We have evolved an unparalleled set of engineering design,
analysis and systems simulation tools, along with computational,
diagnostic test, and research facilities in critical space-specific
disciplines that are used in day-to-day support of government space
system programs.
Aerospace is the government's integral engineering arm for National
Security Space systems architecture and engineering. As such, Aerospace
has broad access to intelligence information, government requirements
development, all programs and contractors' proprietary data and
processes, and the full scope of government program planning
information. We translate the requirements dictated by Congress and the
military and national security management into engineering
specifications that form the basis for competitive Request for
Proposals (RFPs) to industry. We evaluate contractor technical designs
and performance, and provide continuing technical insight and progress
assessment for the government program manager throughout the
engineering development, test and initial operation phases of space
systems. In order to do this, Aerospace must have technical experience
and breadth at least equal to the industrial firms we evaluate. I am
extremely proud of the quality and performance record of our staff, as
evidenced by the outstanding success record of the space launches and
satellite systems Aerospace has technically supported on behalf of its
government sponsors.
The Aerospace technical program office MTS are supported by a
matrix of 1,000 engineering and scientific specialists in every
discipline relevant to space systems, with extensive laboratory and
diagnostic facilities. Typically, an expert in a particular field--
propulsion, microelectronics, or infrared sensors, for example--will
work on several programs during the course of a year, as each program
has a need for a particular skill depending on its program phase. This
approach permits Aerospace to develop and maintain state-of-the-art
analytical and simulation models and test facilities that could not be
afforded by a single program or contractor, but are efficiently used as
needed by all programs.
Aerospace systems engineering currently supports 29 satellite
programs, 8 launch vehicle boosters, and 13 ground station elements for
the DOD and National Security customers. Our functions can be
summarized as follows, covering the entire system acquisition process:
planning and systems studies--pre-competitive systems
definition
trade-offs and simulations of system requirements to
help prioritize user needs
technical RFPs and technical evaluation of proposals
early detection of development problems and timely
identification of alternative solutions, to preserve schedule,
cost and performance
independent analysis, verification, and validation of
data and performance to assure mission success
launch verification and readiness assessments
(boosters, satellites and ground systems)
launch and on-orbit operations and work-arounds
Aerospace's launch readiness verification process
Independent launch readiness verification is a core competency of
Aerospace as defined in our charter as an FFRDC supporting the Air
Force. As such, Aerospace is directly accountable to SMC for
verification of launch readiness. This responsibility is vested within
the Space Launch Operations program offices and executed using our
launch readiness verification process.
Prior to any launch, Aerospace provides a letter to SMC documenting
the results of the launch verification process, confirming flight
readiness of the launch vehicle. This letter is not just a formality,
but represents the culmination of a long and rigorous assessment that
draws upon the collective expertise of scientists and engineers within
the program office and the engineering staff. The launch readiness
verification letter provided by the Aerospace Vice President of Space
Launch Operations to the Air Force was first introduced in the late
1970s to document our corporate commitment to mission success. This
formal launch readiness verification provides assurance that all known
technical issues have been assessed and resolved, residual launch risks
have been satisfactorily assessed, and establishes confidence in launch
mission success. The ultimate GO/NO-GO launch decision and flight
worthiness certification rests with SMC, not Aerospace, however, the
Air Force relies heavily on our readiness assessment in building
confidence in its final decision.
The process used to independently determine launch system flight
readiness is a capability that has evolved over 40 years. Aerospace's
role in independent launch readiness verification began with the
Mercury-Atlas program in 1960, shortly after the corporation was
founded. The Project Mercury launch vehicle had suffered two failures
and a turnaround in reliability was required before human space flight
could be attempted. The risk reduction techniques that Aerospace
developed were instrumental in achieving mission success. Since then,
we have applied this process to the design, development, and operation
of more than 600 launches including all Atlas, Delta, Inertial Upper
Stage, and Titan launch vehicle variants resulting in a proven track
record of reducing launch risk.
The fundamental features of our launch readiness verification have
been the same since first employed. Verification begins as early as the
concept and requirements definition phase of most programs and
continues through flight operations. Launch verification certification
and readiness assessments include design, qualification, fabrication,
acceptance, software, mission analysis, integration and test. Thorough
launch readiness verification requires a detailed review by Aerospace
staff of thousands of components, procedures, and test reports to
verify flight readiness. Independent models are developed and
maintained by Aerospace domain experts and exercised to validate and
verify the contractors' results. Resident Aerospace engineers are
involved in all aspects of the launch campaign from manufacture through
launch site operations. Launch readiness verification is a closed loop
process via post flight analyses that use the independent analytical
tools and independently acquired and processed flight telemetry data to
provide feedback into the engineering design process, capture lessons
learned, monitor trends, and establish a basis for proceeding into the
next launch cycle.
To accomplish the entire spectrum of launch readiness verification
requires that Aerospace retain a diverse cadre of skilled engineers
with expertise in a wide variety of disciplines including systems
engineering, mission integration, structures and mechanics, structural
dynamics, guidance and control, power and electrical, avionics,
telemetry, safety, flight mechanics, environmental testing, computers,
software, product assurance, propulsion, fluid mechanics, aerodynamics,
thermal, ground systems, facilities and operations. Our major objective
is to retain the necessary skills and expertise needed to support
planned as well as unexpected events.
The launch readiness verification process was reinvigorated in the
late 1990s following a series of launch failures. Among the
observations of the Space Launch Broad Area Review were that the root
cause was the lack of disciplined system engineering in the design and
processing of launch vehicles exacerbated by a premature dismantling of
government oversight capability, particularly the engineering support
capabilities; that space launch needed to re-establish clear lines of
authority and accountability; that space launch is inherently more
engineering intensive than other operational systems; and that properly
conducted independent review is an essential element of mission
success.
Now, I will address the committee's specific questions:
1. What does it mean for a safety program to be ``independent?'' How
is your organization structured to ensure its independence?
The government's requirement for the Aerospace FFRDC mission
requires complete objectivity and freedom from conflict of interest; a
highly expert staff; full access to all space programs and contractor
data sources; special simulation, computational, laboratory and
diagnostic facilities; and continuity of effort that involves detailed
familiarity with the sponsor's programs, past experience, and future
needs. We are focused on the government's best interests, with no
profit motive or predilection for any particular design or technical
solution.
Although the Aerospace program offices are co-located with the Air
Force programs, they are separate organizations with their own
management structure. Technical recommendations are worked up through
Aerospace management and are then presented to the Air Force. In
addition to the launch verification letter, a formal launch readiness
briefing is given to the Aerospace president. At this review, our
president confirms that our technical analyses are thorough and
objective, and our recommendations are based on sound engineering
principles. Although the Aerospace launch readiness verification
products are produced independently from those of the prime contractor,
we also employ another independent review organization that reports to
the SMC Commander. This independent review team also briefs our
president on its findings to ensure that our process has yielded
acceptable risks. This review is conducted just prior to the SMC
Commander's Flight Readiness Review (FRR). The Aerospace president is
polled during the Commander's FRR for his concurrence to proceed with
final launch processing.
2. Given that more can always be done to improve safety, how do you
ensure that your safety program is independent and vigilant, but that
it won't prevent the larger organization from carrying out its duties?
The key elements here are teamwork, technical rigor, and a goal for
100 percent mission success. Aerospace program offices are co-located
with the Air Force programs and Aerospace engineers are in daily
contact with their Air Force counterparts. Aerospace recognizes our
obligation to identify issues in a timely manner and to keep the Air
Force aware of any technical issues that may impact the overall
program. The launch readiness verification process is involved with all
phases of the program and is not merely a final assessment that is
performed just prior to launch. The failures of 1998 and 1999 were in
part due to ineffective teamwork. All successes since then can be
attributed to a complete team effort among Aerospace, the Air Force,
and the contractors. All team members understand and respect the value
of the individual responsibilities and contributions. While vigilance
and independence can identify otherwise unobserved risks, the entire
team must work together to allow the larger organization to carry out
its duties to achieve flight worthiness certification and a successful
mission.
Just as important as teamwork is the technical rigor employed in
the process to reach certification. We employ a well-defined launch
readiness verification process with individual responsibilities and
accountability. The burden of proof requires a positive demonstration
that a system is flight-worthy, rather than proving that an anomalous
condition will cause a flight failure. The launch readiness
verification process is part of an overarching flight readiness
process. Many unforeseen events occur during each launch campaign that
must be acted upon. The process rigor that we employ assures that no
single event or issue is overlooked or prematurely closed. With 100%
focus on mission success, the technical rigor and commitment by each
team member enhances the larger organization decision process.
3. How do you ensure that the existence of Aerospace's mission
assurance program and independent launch verification process does not
allow the larger organization that it serves to feel that it is
absolved of responsibility for safety?
Final flight worthiness certification is the responsibility of the
SMC Commander. At the final FRR, the Commander receives input from
several organizations prior to giving the GO to proceed with launch
processing. The Commander receives input from the Air Force Mission
Director, launch vehicle program managers, launch ranges, SMC Chief
Engineer, prime contractors, spacecraft program managers, Aerospace,
and the Independent Readiness Review Team (IRRT).
Aerospace is directly accountable to SMC for the verification of
launch readiness. Our task is to independently confirm readiness of the
launch vehicle, assess mission risks, and assure that all risks are
acceptably low to enter into launch. The ultimate GO/NO-GO launch
decision rests with the SMC Commander, not Aerospace; however, the Air
Force relies heavily on our readiness assessment in building confidence
in the final decision.
4. How do you ensure that dissenting opinions are offered without
creating a process that can never reach closure?
The verification process includes all stakeholders at major
decision points and milestones. Dissenting opinions are heard and data
is required to resolve engineering issues. Aerospace makes every effort
to ensure that our positions are based on sound engineering practices
backed up by factual data. Aerospace's engineering staff objectively
develops their technical recommendations and supporting analyses that
are then coordinated with the Aerospace program offices and management.
Management encourages the sharing of all points of view and is
responsible for ultimately deciding on a final recommendation. When an
issue is well founded in science and engineering, the path forward is
usually identifiable, e.g., additional inspections, tests, analyses,
etc. For issues that do not have concrete solutions, risks are assessed
by senior review teams based on technical data. When a ``pure''
technical solution is not possible, the Air Force is provided with a
risk assessment that outlines the degree of risk associated with each
course of action.
As I mentioned previously, the independent launch readiness
verification end-to-end system review process culminates in a launch
readiness assessment for each mission. A formal flight readiness
certification provides assurance that all known technical issues have
been assessed and resolved, residual launch risks have been
satisfactorily assessed and confidence in launch mission success has
been established as acceptable. It is this process, as outlined in the
following figure, that ensures acceptable closure of every issue.
I would like to leave you with some concluding summary thoughts:
Aerospace is focused on the success of its sponsor's
mission
Aerospace is the integral space systems engineering
arm of the Air Force and National Security Space program
The key to Aerospace's value and effectiveness is our
process of systems engineering:
-- stable, objective, expert advice backed by analysis
and experiment
-- a trusted partner with our sponsors and industry
-- breadth and depth of staff in all space disciplines
-- access to sensitive planning and proprietary data
-- continuity across all space programs and
technologies
-- co-location with the government customer
In closing, our success depends largely on the close, intimate
relationship we have with our government customers. We are physically
integrated and programmatically aligned with our customers. It is this
totally integrated approach that allows Aerospace to use its technical
and scientific skills in support of the National Security Space
program.
Thank you for the opportunity to describe The Aerospace
Corporation, its Launch Readiness Verification program, and
contribution to mission success.
I stand ready to provide any further data or discussions that the
Committee may require.
Biography for Ray F. Johnson
Ray F. Johnson is Vice President of Space Launch Operations, Space
Systems Group. He assumed this position on April 1, 2001.
Johnson is responsible for Aerospace support to all Air Force
launch programs including Titan II, Titan IV, Delta II, Atlas II, upper
stages and the Evolved Expendable Launch Vehicle (EELV), as well as the
Air Force Space Test Program. He has responsibility for the company's
launch operations at Cape Canaveral, Florida, and Vandenberg Air Force
Base, California, and operations in support of the Space Test Program
at Kirtland Air Force Base, New Mexico.
Johnson joined Aerospace in 1987 as a project engineer in the Titan
program office. He was promoted to manager of the Liquid Propulsion
section in 1988. He was director of the Centaur Directorate within the
Titan program office from 1990 to 1993 and was responsible for
Aerospace's support in developing the Centaur upper stage for use on
the Titan IV launch vehicle.
In November 1993 Johnson was appointed principal director of the
Vehicle Performance Subdivision, Engineering and Technology Group, with
responsibility for engineering support in the areas of propulsion,
flight mechanics, fluid mechanics, and launch vehicle and spacecraft
thermal analysis.
Before being named vice president, Johnson was general manager of
the Launch Programs Division with responsibility for managing
Aerospace's technical support to the Air Force for the Titan, Atlas and
Delta launch programs.
Prior to joining Aerospace, Johnson held a number of engineering
positions with Martin Marietta Aerospace as part of Titan launch
operations at Vandenberg AFB.
Johnson holds a B.S. degree in mechanical engineering from the
University of California at Berkeley and an MBA from the University of
Chicago. He is a registered professional engineer in the state of
California and a senior member of the American Institute of Aeronautics
and Astronautics.
The Aerospace Corporation, based in El Segundo, California, is an
independent, nonprofit company that provides objective technical
analyses and assessments for national security space programs and
selected civil and commercial space programs in the national interest.
Chairman Boehlert. Thank you very much, Mr. Johnson.
Ms. Grubbe.
STATEMENT BY MS. DEBORAH L. GRUBBE, P.E., CORPORATE DIRECTOR,
SAFETY AND HEALTH, DuPONT
Ms. Grubbe. Good morning, Mr. Chairman, Members of the
Committee. I would like to thank you for the opportunity to
testify today on the most important issue of safety.
In my work with the DuPont Company, I am a chemical
engineer by training. I also have 25 years of experience with
DuPont in engineering design, leading multi-million dollar
construction projects and running multi-million dollar
manufacturing organizations.
Today, I would like to focus my remarks on how we manage
safety in the DuPont Company. My overarching message is that
good safety practice takes committed leadership, educated
personnel, integrated safety systems, and a continuous
attention to doing the details of the work.
While DuPont has one of the best safety records in the
world, we are far from perfect. Good safety is an elusive
dynamic. When we think we are getting good, that is the time we
need to start to worry. The key is never to become complacent.
From our experience, we think there are several
organizational attributes common to successive--successful
safety organizations: number one, safety comes first, and all
organizational leadership is actively engaged in safety; number
two, standards are high, these standards are well communicated
and everyone knows what their role is; number three, our line
management is accountable for safety, every person; number
four, if the work can not be done safely, it is not done until
it can be done safely; number five, safety systems, tools, and
process are in place to support high standards and to support
implementation and people are trained.
DuPont's safety culture starts at the top of our
organization. Our Chief Executive Officer is actively engaged
in leading safety. He starts his key meetings with safety. He
insists that safety come first on every manager's and
employee's list of tasks. He expects to be notified by his
direct reports of each employee and contractor fatality or
lost-time injury within 24 hours of the event.
Any person can stop any job at any time if there is a
perceived danger. Managers and employees are expected to work
together to figure out how to do a job safely. If they need
more resources, the team obtains them and resolves the problem.
Management's role is to support the team and to help find the
safest, best solution. Safety is, and must be, a fundamental,
line management responsibility all through the organization.
Independent bodies can help and assist line managers execute
their responsibilities and monitor that execution.
Our corporate safety organization is accountable for being
the watchdog on corporate safety policy and for examining how
well DuPont executes against its own procedures. This
organization, in conjunction with business safety leaders, also
develop safety improvements. All improvements, however, are
owned and implemented by the line management structure. There
are multiple audits to ensure compliance to standards. DuPont
never stops looking for weaknesses in its safety systems.
The corporate safety organization reports to a separate
executive leader. This person does not have a specific business
or manufacturing role and is accountable for integrating safety
health and environmental excellence as a core business
strategy. His organization works with every DuPont business and
functional leader to ensure safe, injury-free operation.
Just as our CEO considers himself the ``chief safety
officer'' for DuPont, each of our managers and supervisors are
the chief safety officers of their respective organizations.
They are never relieved of their safety duties. Our collective
goal is to have every employee and every contractor that works
at our facilities leave everyday just as they arrived. We
believe that all injuries and incidents are preventable.
Complacency and arrogance are our enemies.
In summary, we believe that any organization can create a
safe work environment if it embraces and implements a core set
of organizational attributes and values, beginning with the
fundamental belief that good safety is achievable and is a core
management responsibility.
Thank you for the opportunity to share our experiences with
the Committee, and I would be happy to answer any questions.
[The prepared statement of Ms. Grubbe follows:]
Prepared Statement of Deborah L. Grubbe
I am a chemical engineer by training and have 25 years of
experience with DuPont in engineering design, construction and
operations. My current role is Corporate Director--Safety and Health.
Today I would like to focus my remarks on ``Safety at DuPont.'' In
summary, good safety practice takes committed leadership, educated
personnel, integrated safety systems, and a continuous attention to
detail.
DuPont has been in business for over 200 years. We started as a
manufacturer of black powder for the U.S. Government in 1802. DuPont
first kept injury statistics in 1912, installed an off the job safety
process in the 1950's, and worked with the U.S. Government to establish
OSHA 1910.119 in the 1980's. Even today, DuPont continues to improve
its own safety systems. In 1994, DuPont established a Goal of Zero for
injuries and incidents, and in the year 2000, decided to adopt a Goal
of Zero for soft tissue injuries like, and not limited to, carpal
tunnel syndrome and back injuries.
DuPont always strives to improve its safety performance. In fact,
safety is a precarious subject; just when you think you are good, that
is the time you should start to worry. The key is to never become
complacent. DuPont does have a leadership commitment to put safety
first and we are committed to continuous improvement throughout our
whole organization.
Safety conscious organizations hold similar organizational
attributes:
1. Safety comes first, and all organizational leadership is
actively engaged.
2. Standards are high, are well communicated, and everyone
knows their role.
3. Line management is accountable for safety.
4. If the work cannot be done safely, it is not done until it
can be done safely.
5. Safety systems, tools and processes are in place and
training is constant.
DuPont is a large organization, diverse in products, in
technologies, and in global locations. However, in spite of this
diversity, we have a single safety culture. We have an integrated,
disciplined set of beliefs, behaviors, safety systems and procedures.
The safety culture is held together by committed and visible
leadership. We ensure that our contractors also have similar management
processes in place to manage their own safety to high standards.
DuPont safety culture starts at the top of the organization. Our
CEO is actively engaged in leading safety. He starts his key meetings
with safety, and he insists that safety come first on every employee's
list. He expects to be notified by his direct reports, of each employee
lost time injury or fatality, employee or contractor, within 24 hours
of the event.
Safety at DuPont
Safety management is the unique balance of the carrot and the
stick. There must be recognition and reward, as well as serious
implications for blatant disregard of safety procedures and standards.
If a DuPont employee continuously disregards procedures, he/she
endangers his/her life, the lives of his/her colleagues, the
shareholders' investment, and the health and welfare of the communities
where we do business. We usually prefer that these kinds of people find
work somewhere else.
Any person can stop any job at anytime if there is a perceived
safety danger. Employees are trained to look out for each other and to
ensure that they and their colleagues work safely.
The corporate safety organization is accountable for being the
watchdog on corporate policy and for examining how well DuPont executes
against its own procedures. This organization, in conjunction with
business safety leaders, also develops safety improvements. All
improvements are owned and implemented by the line organization. There
are multiple audits to ensure compliance to standards. These audits can
range from a sales manager observing the driving habits of his/her
sales representatives, to an external consultant evaluating how well we
conduct our audits. The point is that DuPont never stops looking for
weaknesses in its safety systems.
The corporate safety organization reports to a separate leader.
This person does not have a specific business or manufacturing role and
is accountable for integrating safety, health and environmental
excellence as a core business strategy. His organization works with
each DuPont leader to ensure there is clear knowledge of the risks
present in his/her area, and to ensure safe, injury-free operation.
Just as our CEO considers himself the ``chief safety officer'' for
DuPont, each of our managers and supervisors are the chief safety
officers for their respective organizations. They are never relieved of
their safety duties. The safety organization in DuPont is sometimes a
consultant, sometimes a conscience, and sometimes a leader. Our
collective goal is to have every employee and every contractor that
works at our facilities leave every day just as they arrived.
In 2002, over 80 percent of our 367 global sites completed the year
with zero lost time injuries. While we are proud of the thousands of
employees and their achievements; we are not satisfied with this
performance. We believe that all injuries and incidents are
preventable. Complacency and arrogance are our enemies.
Biography for Deborah L. Grubbe
Deborah Grubbe is Corporate Director--Safety and Health for DuPont.
She is accountable for leading new initiatives in global safety and
occupational health for the $27 billion corporation. Deb was formerly
the Operations Director in two of DuPont's global businesses, where she
was accountable for manufacturing, engineering, safety, environmental
and information systems. Deborah is also a past director of DuPont
Engineering's 700 person engineering technology organization. Her 15
different assignments in 24 years range from capital project
implementation through manufacturing management and human resources.
Deborah currently serves on the National Institute of Standards and
Technology Visiting Committee for Advanced Technology. She also serves
the National Academy of Sciences as a member of the oversight committee
for the Demilitarization of U.S. Chemical Weapons Stockpile. Deborah
sits on the Board of Directors of the Engineering and Construction
Committee of the American Institute of Chemical Engineers, and is on
the Business Management Advisory Committee of Wilmington College. She
is the former co-chair of the Benchmarking and Metrics Committee of the
Construction Industry Institute, and currently serves as a member of
the Purdue University School of Chemical Engineering New Directions
Executive Committee. Deborah was the first woman and youngest elected
member on the State of Delaware Registration Board for Professional
Engineers (1985-1989). During her tenure on the State Board, she was
the Chair of the Law Enforcement and Ethics Committee. She is active
with the Society of Women Engineers, and is a former board member of
the Women in Engineering Program Advocates Network (WEPAN). Deborah has
been featured in the books ``Engineering Your Way to Success'' and
``Journeys of Women in Science and Engineering--No Universal
Constants.''
She has been active in the Delaware community; as former president
and board member of the Chesapeake Bay Girl Scout Council, and
currently sits on their Northern President's Advisory Council. Deborah
is also a board member of the Delaware Zoological Society. Deborah is a
past board member of the YWCA of New Castle County. She has served as a
Province President of her sorority, Zeta Tau Alpha, and is a recipient
of their Alumnae Certificate of Merit. In 1994, Deborah was named an
outstanding Chemical Engineering Alumna by the Purdue University School
of Chemical Engineering, and is a recipient of the 1986 Trailblazer
Award from the Delaware Alliance of Professional Women. This year, she
is a recipient of the Purdue Distinguished Engineering Alumni Award,
and has been named ``Delaware Engineer of the Year,'' by the Delaware
Engineering Society.
Deborah was born in suburban Chicago and graduated with a Bachelor
of Science in Chemical Engineering with Highest Distinction from Purdue
University. She received a Winston Churchill Fellowship to attend
Cambridge University in England, where she received a Certificate of
Post Graduate Study in Chemical Engineering. She is a registered
professional engineer in Delaware. She is married to James B. Porter,
Jr., and resides in Chadds Ford, Pennsylvania.
Discussion, Panel I
Chairman Boehlert. Thank you very much, Ms. Grubbe, and
thank all of you.
ITEA Budget Independence
Can you explain--you know, Admiral Gehman, the CAIB
Commission, if they have said it once, they have said it a
thousand times: safety has to be independent of operational
budget considerations. Can you tell me how your organizations,
particularly the Admirals', have safety truly independent of
the operational segment budgets and schedules? Ms. Grubbe and
Mr. Johnson specifically addressed those, and I would like the
Admirals to do so.
Admiral Bowman. Mr. Chairman, as I listened to Ms. Grubbe,
I heard her describing the Naval Reactors organization, also.
Many of the elements of her safety program and her operation
are identical to what I described as the Naval Reactors
organization. I specifically jotted down committed leadership,
ingrained safety culture throughout the organization, an
integrated safety system, attention to detail, safety owned by
line management, a very key point, and that the CEO feels that
he is the ``chief safety officer.'' I could just say ditto for
the Naval Reactors Program.
And this is a difference in the way I think some are
interpreting or perhaps the way the CAIB report is written.
Standby for heavy rolls here. I don't believe an organization
should have--should rely on an independent organization off to
the side to oversee safety. I believe that safety has to be
endemic to the organization. It has to be ingrained in every
person. I used the word ``mainstream.'' Our line management,
likewise, is responsible for safety in our organization. We can
not have a separate group that comes in at the end and throws
the flag on safety. Safety is a part of the day-to-day design,
the day-to-day operation, the day-to-day development of
procedures. It is who we are. It is what we are. Every person
who is responsible and reports directly to me for components
for systems for the entire reactor plant feels the
responsibility for safety.
We don't create, therefore, a tension between safety and
resources. Safety is a part of the technical line management
organization. If one were to arrange a separate safety
committee or safety group totally responsible for safety within
an organization, I believe that it would be near impossible to
avoid this tension between the schedule and the budget, the
resources that are necessary. The line management will--would
look upon that safety group as Piranhas, not invite them into
the campfire at night. They would be pulling in the opposite
direction, and I think that the correct way is to ensure that
every person within the organization understands that safety is
a part of his or her responsibility from the very beginning,
from the design and the operation.
Chairman Boehlert. You can't emphasize that enough.
Admiral Bowman. Yes, sir.
Chairman Boehlert. Like you know the old saw where if
something is everybody's business, it is nobody's business.
Admiral Bowman. Yes, sir.
Chairman Boehlert. I mean, it has to be someone. And I
think what Admiral Gehman is saying, at least in my
interpretation, is that you need people--everybody has to be
devoted to safety, but you need an operation separate from the
pressures of scheduling and looking at the calendar. ``Can we
go on the 14th?'' Or, ``Do we have to wait until the 15th?''
Or, ``Do we have enough money to go?'' Some--safety has to be
totally separate from that, according to my interpretation of
the Gehman report and then be able to enter into the equation
and say, ``Regardless of schedule, regardless of money, here is
what we think in terms of safety.''
Admiral Sullivan, do you have any thoughts on that?
Rear Admiral Sullivan. Yes, sir. I would like to start by
echoing Admiral Bowman's remarks about a culture of safety. You
can not enforce from above or from beside and catch everything.
You will always need to have everyone from the designers to the
builders to the operators raised in a culture of safety. That
is the best way to get started.
In our submarine safety program, we, in fact, have two
checks and balances on the program office, if you will. And I
have been on both sides of this. I was the Sea Wolf program
manager and the Virginia class program manager, so I have
looked at this issue from both sides. The program managers are,
in fact, driven by cost and schedule, but the technician
authority in NAVSEA is outside of the Program Manager's
organization. And the technical authority is, in fact,
independent of the Program Manager, and they are funded
separately.
The safety--submarine safety organization is also
independent of the Program Manager, so, in fact, we have two
checks and balances. And both of those organizations can put a
stop to a certification process or getting--allowing a ship to
get underway, for instance, if there is an issue. And we stop
until we get it resolved.
Waivers
Chairman Boehlert. I am going to interrupt you for a
minute, because my--the red light is on and we are trying to
stick to the five-minute rule, but I gave you a little
flexibility, so I will take a little flexibility here.
But I assume that each of you have a system for waivers,
and I would like to know, you know, at NASA they got almost
4,000 waivers, some of them--a third of them are over 10 years
old. Do you have a waiver system, Admiral Bowman and Admiral
Sullivan? I will ask you to respond to that. How many waivers
are in place, and how do you deal with the waivers?
Admiral Bowman. There are very few waivers in place in the
unforgiving technology that I deal with, the Naval Nuclear
Reactors Program. When deviations from specifications occur in
manufacturer--in production, they are brought through the
system with recommendations and analysis of the overall impact
of that deviation on the product, on the system, and on the
integrated operation of the plant. Before the decision is made
to agree to any deviation, departure from existing written
specification and manufacturer production, it is brought to me
for final approval. And we, at the table, then, go through that
process that I described earlier asking what is the impact,
what might be the impact, what is the worst that could happen
if we accept this deviation, and what are the minority
opinions. Are there people out there in the organization who
say, ``No, don't accept this product; send it back, start
over.''? We have very, very few of those. It is the--very much
the exception and not the rule.
Chairman Boehlert. So you would say maybe a handful?
Admiral Bowman. Yeah, it would be difficult for me to put a
number, sir, but----
Chairman Boehlert. Certainly not thousands?
Admiral Bowman. Not thousands.
Chairman Boehlert. And are you aware of any waivers that
might be in existence in your Program that are 10 years old?
Admiral Bowman. Deviations from manufacturing tolerances
where a manufacturing tolerance might call for something to be
between five and 10 mils and it is--in fact, it came in at four
mils, we may have those kinds of deviations in existence, but
they have been very thoroughly analyzed and determined not to
impact the----
Chairman Boehlert. Thank you.
Admiral Sullivan, would you care to comment?
Rear Admiral Sullivan. We have a similar process outside
the propulsion plant where waivers are formally submitted and
evaluated. We, too, have few waivers, and I couldn't give you
the numbers off the top of my head, but it is a disciplined,
rigorous process, and yes, the age of our submarines can be up
to--they have about a 30-year service life, but the only
waivers that are allowed to stay on a submarine permanently are
those of a similar nature to what the Admiral just described.
Chairman Boehlert. Ms. Grubbe and Mr. Johnson, I mean you
both addressed this directly in your testimony. Do you have
anything you would like to add before I go to Mr. Hall?
Mr. Johnson. Well, I was just going to add that we do have
a process of working waivers. And to give you an idea of the
typical number on a Titan 4, which is our--a fairly complex
vehicle, we have on the order of about 130 to 150 waivers that
we would be working. That has actually been driven down,
because there has been a real effort to try and reduce the
number of waivers on the vehicle. Probably about four or five
years ago, the number was more like around 400 waivers. But we
have a process that we review each one of those, provide an
engineering assessment and opinion back to the Air Force on
those.
Chairman Boehlert. Ms. Grubbe.
Ms. Grubbe. Nothing to add.
Chairman Boehlert. All right. Thank you very much.
Mr. Hall.
Managing Safety
Mr. Hall. Mr. Chairman, thank you for leading in to the--
your questions with the word safety. And I think when we think
about safety, I guess it is fair to assume that no one at NASA
or any of your organizations would deliberately seek to follow
unsafe practices. That is outrageous and ridiculous to even
think about.
However, back when we were working in the early '80's on
the Clean Air Act and worked--I think it took 12 or 13 years to
do it, there was a poll that came out that--from one of the
Members of the Congress that had sought that poll to try to
pass a stronger Clean Air Act. He had a poll that showed that
82 percent of the people wanted clean air. And I wondered about
that other 18 percent what--just what their choice was. But we
are 100 percent on safety and seeking it and wanting it and
demanding it. And I think that is what you have to do. The
problem, though, arises when the pressures to achieve these
organizational goals that you men and lady set out, I think,
reach the point where the managers and workers find themselves
making compromises to follow that schedule or to try to escape
the use of a waiver or to have to seek something other than the
100 percent perfection that you have to have when you are going
to have safety.
So--well, for example, Admiral Gehman's Investigation Board
found that the pressures exerted by NASA's top management to--
made an arbitrary date for Space Station Core Complete led to
actions being taken that wound up reducing the safety margins
of the Shuttle Program, we are told, and I believe that is
probably right, because I don't hear anybody that negates that.
So I guess I would like to ask each of you, how do you prevent
this kind of a thing from happening in your organizations? How
have--you been successful in your thrust there or you wouldn't
be here. The Chairman selected you to come and give us the best
testimony that is obtainable anywhere in the country, and you
are here, so apparently you have found a way to prevent that
from happening in your organizations. How do you ensure that
safety margins can be protected in the thrust that we are on
right now? I guess I ask any of you, and if that type of
situation does arise, how would you deal with it?
Admiral Bowman.
Admiral Bowman. Yes, sir, Mr. Hall----
Mr. Hall. Skip? They call you ``Skip,'' Admiral Bowman?
Admiral Bowman. Yes, sir, they do.
Mr. Hall. Do just the normal, ordinary, J.G. like I was 60
years ago, call--come up and said, ``Hey, Skip.'' Would that be
okay?
Admiral Bowman. No, sir. Maybe I should have said once.
Your question strikes at the very heart of what we are
talking about today. And again, I would just have to fall back
on the answer that within the Naval Reactors organization, my
line management, who are all direct reports to me, we probably
have one of the flattest organizations in this country, and
certainly within the United States Government, in that all of
my direct reports are the first line reports. There is nobody
between me and the 21 direct reports at headquarters. They all
feel responsible for safety from the beginning. So we don't
allow this competition, this competition between schedule,
costs, and safety to exist, because we built it into the system
from the design, from the redundancy, from the system
oversight, the component oversight as it is being developed.
And so we don't allow that to be a topic of conversation
that we are supposed to go on sea trials on Monday the 15th of
March and if we don't make that, it is going to be a black eye
and now we have this safety issue that has reared its ugly
head. And the answer is very simple: fix it. Fix it. We build
redundancy and safety into our systems for the Commanding
Officer of these ships to exercise at sea in battle or in
untoward situations. And it is not within my purview. I don't
even consider it to be a question that I can remove that
redundancy and that safety from him by making a decision here
in Washington, DC that makes the ship less safe before it goes
to sea.
I might add, by the way, that I ride all of the initial sea
trials on all of these ships and take the ships through all of
their evolutions the--for the very first time. So my staff is
there with me, and we are there watching the results of the
fruits of our labor. So it just doesn't come up. We don't allow
safety to be in competition with schedule and budget.
SUBSAFE
Mr. Hall. Admiral Sullivan, your experience on your SUBSAFE
thrust, give us the benefit of that.
Rear Admiral Sullivan. Yes, sir. First off, as far as
waivers coming up and getting pushed aside by the Program
Manager, the Program Manager does not have unilateral authority
to grant a waiver. He must get technical disposition and that--
and he must take a technically acceptable path to disposition
of that way. And we do not waive fundamental SUBSAFE
requirements, period. And like the Admiral said, when we have
an initial sea trial, the toughest certification is the ship
going to sea for the first time and the Program Manager also
rides.
Mr. Hall. My time is up. Briefly, Mr. Johnson or Ms.--I
called you Ms. Grubbe. Is it Ms. Grubbe?
Ms. Grubbe. Yes, sir, Grubbe.
Mr. Hall. Ms. Grubbe.
Ms. Grubbe. I would just like to add, very similarly to the
other gentlemen, that safety comes first and that anyone at any
time can stop anything. And safety does come before budget. I
find it interesting that in the collective, when over the years
as many people have dealt with safety, we find that we rarely
have money up front to do it right, but we always have lots of
money at the end to fix it once something goes wrong.
Mr. Hall. Mr. Johnson.
Crew Escape
Mr. Johnson. Just very briefly, well, first of all, our
whole purpose is a mission assurance or safety organization. We
are separate from the Air Force in that respect. We also do
have a separate management chain so we are held accountable
up--beyond the people that report directly to the Air Force
program managers that verify that--and maintain that our
mission success focus is something that we never deviate from
and never give in to the pressures of schedule and cost.
Mr. Hall. I have one more quick answer--question to ask. I
won't require anything but a yes or a no. Do you know of any
way that the parents of a person that is going to be launched
in one of our Shuttles can feel completely confident without
having an escape, modular escape vehicle?
Admiral Bowman. Sir, for my purposes, that is outside my
realm of expertise. It certainly sounds----
Mr. Hall. You are going to skip that, huh?
Admiral Bowman. It sounds like something that should be
evaluated. Absolutely.
Mr. Hall. Admiral.
Rear Admiral Sullivan. I don't have anything to add to
that, sir.
Mr. Hall. You are consistent. Go ahead, Mr. Johnson.
Rear Admiral Sullivan. It is--again, it is outside our----
Mr. Hall. Yeah.
Rear Admiral Sullivan. Outside our purview.
Mr. Hall. But it is not above your pay scale, is it?
Mr. Johnson, your answer is probably no and Ms. Grubbe,
yours is probably no. We have got to have an escape if we are
going to feel completely safe, right?
Mr. Johnson. That is correct.
Mr. Hall. That is three to two. So we are pretty--no, thank
you for your answers. We have to have our fun up here.
Chairman Boehlert. Thank you very much, Mr. Hall.
Mr. Burgess.
Handling Anomolies
Mr. Burgess. Well, Mr. Chairman, I want to thank you for
convening this panel today. It has truly been very instructive
and necessary for us as we make our evaluations about the
Columbia Accident Investigation Board report.
The--when Admiral Gehman was here before, he talked about
applying the template to NASA where there is a strict adherence
to safety and how to treat an anomaly and continue flying. And
yet I read in the Washington Post yesterday an editorial about
apparently accepting an anomaly with the on-board environment
on the Space Station and continuing--continue with the mission
to put some additional astronauts up there. So the question
comes up are we really serious about that and, Admiral Bowman,
would that be an acceptable anomaly in your experience to
continue flying?
Admiral Bowman. I fly underwater. If we were faced with a
similar situation of--or if we were faced with a situation of
not being able to monitor the ship's environment, that would be
cause for not allowing the ship to sail.
Mr. Burgess. All right. Thank you.
On the--just following on the same line that the Chairman
and Mr. Hall have been pursuing, do you have--could you share
with us, any of you, a real-world example of how your
organization has handled a particular safety problem,
particularly one where an ongoing mission of your larger
organization had to be interfered with?
Rear Admiral Sullivan. I can give you an example of it some
years ago when we were trying to deliver the Sea Wolf, which
was a program with not a great reputation on the Hill. We were
about six months from final sea--first sea trials and a working
level engineer at one of our ship builders, who was working on
the design, came up with a concern about the Titanium alloy we
were using on the doors to the torpedo tubes, which are the
largest holes on the ship. He pulled the thread on that and
eventually got it pulled up through the organization, which is
also flat. Our organization is not as flat as Naval Reactors,
but it is flat enough that minority opinions, such as this, are
voiced. And it came into--this was in about 1994. It came to
full attention of the program management and technical and
safety staff. And we had to come to a grinding halt, do a bunch
of testing, and replace that material on those doors, and it
delayed the ship delivery a year, and it cost in excess of $50
million by the time we were done. And it is because we couldn't
compromise the safety.
Mr. Burgess. Admiral Bowman, would you have an example from
the Nuclear Reactor Program?
Admiral Bowman. Questions of safety are--with the nuclear
reactors for the Naval Reactors Program are not quite so
dramatic that we get to the end of the trail and suddenly have
to make a decision like Admiral Sullivan just described,
because we begin with safety in mind all of the way at the
beginning of the design and the manufacturing process, and we
will watch it and monitor it. And then as we test the completed
components in a non--not--in a critical reactor environment, we
then may run across things that require safety adjudications.
So we fix it then. And then we go on to the next level of test
program. And so as the test program moves along, safety items
that might exist, that very seldom do exist, but that might
exist, come to the floor earlier than as Admiral Sullivan just
described. So I am racking my brain right now to think of an
equivalent, and I can't think of one.
Mr. Burgess. Well, the yellow light is on, so just for a
minute more, if we had a similar situation or we had the
situation with, of course, the Columbia with the foam, but in
your experience in your organization, it would have never
gotten to the--to that point. That anomaly would have been
selected out much earlier in the process? In the design and
manufacturing?
Admiral Bowman. Well, it is difficult to say conclusively,
but I would dare say yes.
Mr. Burgess. Thank you very much. I will yield back the
balance of my time, Mr. Chairman.
Chairman Boehlert. Thank you very much, Mr. Burgess.
Ms. Johnson.
Ms. Johnson. Thank you, Mr. Chairman, and thank you for
having this hearing. I have an opening statement of which I
will put into the record.
Chairman Boehlert. Without objection, so ordered.
All Members will have their opening statements in the
record immediately following the opening statements from the
distinguished Ranking Member.
Safety Accountability
Ms. Johnson. Thank you. There was comment, I think by the
Admiral, that indicated he thought the CEO should be the one in
charge without a separate organization. I don't think NASA had
a separate organization, but the CEO, the person who occupies
that, did not get the information. How do you think that could
be improved?
Admiral Bowman. Again, an excellent question. I think what
Ms. Grubbe said and I agree with was that her CEO at DuPont
felt himself to be the ``chief safety officer.'' And certainly,
within my organization, I feel myself to be the ``chief safety
officer.'' Let me--if I could for just one minute, I do have,
at Naval Reactors, a safety group, but that safety group is not
responsible on a day-to-day basis for ensuring the safe design
and manufacture and production and operation of the components.
That is the line management's responsibility to me directly. So
the way we do it, as the design is moving along, as the system
is operating, as we go day to day with these 103 reactors that
I spoke of earlier that I am responsible for, I hear in real
time these difficulties that we are encountering. And the line
management know that they are responsible for safety as well as
for delivering the product.
So again, the tension isn't there. What my safety group
does for me is integrate the overall efforts of the
organization. They keep the safety codes. They are responsible
for the computer codes that evaluate the overall safety of the
reactor plant. And they do the liaison with the Nuclear
Regulatory Commission for Naval Reactors for me. But they are
not--and I found this out dramatically early on in my tour when
I asked a safety question about a reactor coolant pump. And I
asked it of the safety group head, and you would have thought
the world was coming to an end. Within minutes, the owner of
that reactor coolant pump, the line manager who designs and
oversees the reactor coolant pump, was in pounding my desk
saying, ``What are you doing asking the safety group head about
my stuff?'' And I think it is that sense of ownership and that
sense of responsibility that leads to this mainstreaming that I
am talking about. And that is the way that we do it at Naval
Reactors. I would hear about it within minutes of something
happening.
Ms. Johnson. So though you have persons that have expertise
generally in particular areas, the communication loop always
includes you for the final decisions?
Admiral Bowman. Yes, ma'am, it does.
Ms. Johnson. Thank you.
Mr. Johnson, is that the way you function at DuPont?
Mr. Johnson. I am The Aerospace Corporation. And actually,
in our case, in the case of the Air Force launch organization,
the CEO, the appropriate person in that same position would
actually be Lieutenant General Arnold, who is the Space and
Missile System Commander. The program managers that manage the
overall launch programs actually work for him. And the
information always flows up to General Arnold, to answer your
question. The program managers do a very good job of doing
that, and the final flight readiness review is actually chaired
by General Arnold, and he is the one that gives the final GO
decision based on the inputs of all of the various agencies,
The Aerospace Corporation being one of them, but also his
Program Manager and several others.
Ms. Johnson. Ms. Grubbe.
Ms. Grubbe. Congresswoman, at the DuPont company, everyone
has the same accountability for safety: from the CEO to the
operator in the control room on the night shift. And it is our
intent to make sure that everyone would behave and make the
decisions with regard to safety in the same way.
Ms. Johnson. Thank you very much.
Does anyone on the panel have a comment of what--your
opinion of what might have broken down at NASA?
Admiral Bowman. As I said, Congresswoman, in my opening
testimony, I just don't consider myself to be expert enough in
this area and have not studied it well enough to offer an
opinion.
Ms. Johnson. Thank you very much.
Is that a signal that my time is up?
Chairman Boehlert. Yeah, that is it. All right.
Ms. Johnson. Thank you.
Decision-making in the Naval Reactors Program
Chairman Boehlert. Thank you very much.
Admiral Bowman, let me ask you, does Naval Reactors make a
decision on when and whether to launch, or does it go topside
at Navy?
Admiral Bowman. I--this gets difficult. I have--both wear a
hat within the Navy as the Director of Naval Reactors as a
four-star admiral, and I am also an Assistant Secretary of
Energy overseeing the safe operation, the oversight regulation
of the safe operation of Naval Reactors. In that job, I have
the final say over whether a Reactor is safe to operate. And so
there is no over my head in that regard. And certainly, I
report to the Secretary of Energy in that regard, in that role,
and to the Secretary of the Navy in the Navy role.
Chairman Boehlert. Well, then you would say you are
comparable to the Administrator of NASA in that regard? In
other words, you have the final say on when and whether to
launch?
Admiral Bowman. When and whether to allow operation of the
Reactor plant. The ship's operation is a different matter. The
Reactor plant is the propulsion system that drives the ship
through the water. Without it, the ship couldn't get underway.
So I do have a veto vote that the ship couldn't leave if I felt
there was something unsafe that--to preclude safe operation of
the Reactor plant. But the contrary is not true. There may be
things that are beyond my purview having to do with the
submarine safety areas that Admiral Sullivan oversees that I
could say my Reactor plant is perfectly ready to go and safe to
operate, but the ship doesn't leave because now it does leave
my hands and go----
Chairman Boehlert. Yeah, I----
Admiral Bowman [continuing]. Above my head. Yes, sir.
Chairman Boehlert. Thank you very much for that
clarification.
Mr. Gutknecht.
Culture and Attitude
Mr. Gutknecht. Thank you, Mr. Chairman.
And I apologize to our distinguished guests for the
attendance here, because you need to understand, we
understand--sometimes people in the audience don't understand
we have a number of other Committee meetings going on at the
same time. And I want to thank the Chairman for calling this
hearing, and I want to thank you for coming. I have never had
the courage to go out on one of these weekend submarine
missions, which some of my colleagues have done. I have spent a
few hours on one, and I must tell you, I am in admiration of
those brave Americans who go out sometimes for months at a time
and serve this country. So please pass that along to the people
that work under you.
Let me--the issue here is about safety, and I want to come
back to something, because I believe the single most important
word in the English vocabulary is the word ``attitude.'' And I
think if anything happened that I have learned so far and in
what we have learned in terms of the Shuttle catastrophe is
that the attitudes at NASA had become a little bit sloppy. And
you went through--the Navy went through a similar process, I
think, after Thresher. I guess the question that this committee
really wants to get at, after the Thresher, and I think this is
for Admiral Sullivan, did you start, essentially, with a blank
sheet of paper and start over, or did you tend to--did you try
to modify the current structure that was there? And I think
that is a fundamental question we need to get at relative to
NASA. And perhaps you could offer some observations on that.
Rear Admiral Sullivan. I would say in response to the
Thresher disaster, we basically went all the way to our roost
and rebuilt the culture. The first thing we did was restrict
the operating depth of all operational submarines at the time.
Then they revised the operating procedures. And of course, this
was many years ago. Submarine operating procedures were
revised. We went through a review of the design of our
submarines and made a number of changes that fundamentally
changed the way we had our safety systems in our submarines
design including redundancy, putting in a special emergency
blow system, and having redundant backups for closing major
openings into the ship if the primary system failed. We also
worked hard on our diving plane hydraulic systems so that we
would have increased reliability. We started the whole audit
process. We formalized--we changed the way we joined our pipes.
Before Thresher, many of the pipes that carried water inside
the ship where they were--water coming in from the sea were
used silver-braise joints. We went from silver-braise joints to
welded joints, which are much more reliable and can be
inspected more easily and with more reliability. So we really
changed the whole operating design and manufacturing culture of
the program. It took a long time.
Mr. Gutknecht. But Admiral, did you change your
organizational structure?
Rear Admiral Sullivan. I wasn't there then. I was a kid.
I--there was no SUBSAFE group, that is for sure.
SUBSAFE's Use of the Challenger Case Study
Mr. Gutknecht. The--and let us come back to that SUBSAFE
group. Now apparently, I am told, that you used the Challenger
accident as part of your training program. Can you tell us a
little bit about that?
Rear Admiral Sullivan. Yeah, I am glad you mentioned that,
because I wanted to talk about how you combat complacency in a
culture of safety. Basically, whenever any complex system
fails, including Challenger and including all of the Soviet
Navy's submarine losses, we try to fold that into our training.
We hold annual training on everyone who works on the submarine
program who works at SUBSAFE. And the training consists of two
parts. One is a kind of review of all of the procedures and
instructions, and the second part is a formal--I will call it a
lecture, but we actually watch a video every year that
describes the whole lead up and loss of Thresher, including a
tape of the audio of the submarine pressure hold breaking up.
And that is pretty sobering to go through every single year.
And you know, I have heard it an untold number of times, and it
sends a chill through my bones every time I listen to that
tape.
So I--again, what you have to do is combat complacency.
Mr. Gutknecht. But do you use the Challenger incident?
Admiral Bowman. My organization uses the Challenger
incident as formal training. In fact, just yesterday I was at
one of my two Department of Energy laboratories speaking to a
fairly large crowd outside. And I spoke then about the Columbia
Accident Investigation Board and its report and how we needed
to do exactly the same thing with Columbia as we have done with
Challenger. One of the first books I read upon taking this job
over seven years ago was Diane Vaughn's book on the loss of the
Challenger. And we have ingrained that training as a formal
routine part of our training at Naval Reactors.
We use a phrase called ``constructive dissatisfaction'' to
attack what Admiral Sullivan was just speaking of, complacency
within an already pretty safe organization. I argue that if we
are not constructively dissatisfied with where we are and with
the status quo, we are going to find ourselves on the right
road but standing still, and we are going to get caught some
day. So the Challenger training is a big part of that training.
Mr. Gutknecht. Well, thank you very much.
NASA/Navy Benchmarking
Chairman Boehlert. Thank you.
Just let me ask you, how long, Admiral Bowman, have you
been in your current job? Eight years?
Admiral Bowman. Seven years and 28 days.
Chairman Boehlert. And Admiral Sullivan, how long?
Rear Admiral Sullivan. I have been at my job just over two
years.
Chairman Boehlert. I am just wondering, between--in the
last half a dozen years or so prior to the tragic February 1
accident of Columbia, was there interaction between NASA and
your organization?
Admiral Bowman. Yes, sir, there was. Early on in Mr.
O'Keefe's tenure, he socialized with me the possibility of
benchmarking the Naval Reactor's culture against what he had
found at NASA. He subsequently formally asked the Secretary of
the Navy for permission to do that discussion, benchmarking
with my organization as well as with Paul Sullivan's
organization. The Secretary of the Navy, of course, obliged
happily, and we began that benchmarking operation months before
the tragedy.
Chairman Boehlert. Of course, Mr. O'Keefe has prior
experience with the Navy, so he was fully aware of your
outstanding program.
Admiral Bowman. Yes, sir.
Chairman Boehlert. But I am comforted to hear that. But you
guys, in the Navy, learn from the Challenger, and that is a
case study.
Admiral Bowman. Sure.
Chairman Boehlert. I sometimes wonder if NASA learned from
Challenger. They ought to study it as seriously as you did.
Mr. Miller.
Mr. Matheson. How about Mr. Matheson? Thanks.
Chairman Boehlert. This paper, who says what? Mr. Matheson.
Yes, sir.
CAIB Recommendations
Mr. Matheson. Thanks. Thanks, Mr. Chairman.
I want to thank you for your testimony on safety practices
in your own organizations. What I would like each of you to
tell us is what specific benchmarks you think ought to be
established to evaluate whether or not NASA is complying with
the Board's organizational recommendations. And as part of your
response, I would like you to give a thought about how long you
think it should take for an organization like NASA to implement
those recommendations.
Admiral Bowman. Boy, that is a good question. And I have
given very little honest thought to it, because it is not my
responsibility. If I could possibly back off for just a couple
of days and provide that answer for the record, I will devote--
--
Mr. Matheson. That would be great.
Admiral Bowman [continuing]. A lot of resources to thinking
about it. But I just haven't given it adequate thought to
answer.
Rear Admiral Sullivan. I would just add that probably the
best forum for that is to just continue the benchmarking effort
that is going on between NASA and NAVSEA right now.
Mr. Matheson. If you--go ahead.
Mr. Johnson. I was just going to add that I think probably
the best benchmarks are the items that are contained in the
recommendations in the report itself. And it could take a
considerable amount of time to set up an organization like
that. Of course, we don't know exactly what it is that NASA is
going to set up, but that could be easily a year-long effort to
set up an organization like that.
Mr. Matheson. Sure. Sure.
Ms. Grubbe. Congressman, I can not speak to the benchmark
question, but in DuPont's work with other clients with regards
to changing their own safety culture, it takes--if management
is committed, if the management of the company is committed, it
takes roughly 18 to 24 months to see substantive changes.
Communicating Risk
Mr. Matheson. You know, one issue that we deal with that,
you know, as Congressmen, we are dealing with the public all of
the time in town meetings or what not. And I am wondering how
do your organizations address public--the public's concern
about risk? How do you try to communicate how you are dealing
with risk? How do you try to build up that knowledge within the
public that your organization is addressing risk issues? And
how do you think that would apply to NASA? You can just go in
the same order. Yeah.
Admiral Bowman. I am going to reverse the seating next
time.
Within Naval Reactors, there has been a consorted effort
over the past five or six years to do more of what you are
suggesting. We are little bit hamstrung, because a great deal
of what I deal with is classified----
Mr. Matheson. Right.
Admiral Bowman [continuing]. And it is protected by the
Atomic Energy Act of 1954. And so I have to be cautious. I
honestly believe that I am dealing with the country's crown
jewels, or at least some portion of them, in our nuclear
submarines and nuclear aircraft carriers. I know, without
question, that my organization is targeted by other nations for
this technology, so we have been careful.
Mr. Matheson. Sure.
Admiral Bowman. That said, we recognize that--the point of
your question, that it was very important to begin developing
more trust with the public than perhaps we had before. So we
asked ourselves what could be discussed, and we began a program
that I--from my Tennessee background, if Mr. Gordon were here,
called hobnobbing. And I began encouraging my field
representatives who oversee the operations in the various ports
where our submarines and aircraft carriers are located or where
my Department of Energy laboratories are to begin discussions
with the public officials, the State officials, and the Federal
officials who co-regulate some of our activities to bring them
in and, at the table over a cup of coffee in a non-extreme kind
of situation, tell them who we are and what we are trying to do
and begin working even on security clearances for some of these
people so that we can bring them into the inner sanctum and let
them know better what we are doing to protect the environment
and to protect the--their public.
We are highly reliant on these State and local officials to
take care of their people in our ports. So we felt very
strongly that it was important to do that. So I would say that
we have had now a number of these discussions with State
officials in all of the states that we operate in as well as
beginning now to do what I call table-top drills, training
scenarios that would walk us through the what-ifs and the
highly improbable event of an incident that would require the
town or the state to mobilize, what would be required. And so
we have been doing a great deal of that, most recently with the
State of Washington and their Adjutant General attended that
with us.
Mr. Matheson. Thank you, sir.
Chairman Boehlert. Thank you very much. The gentleman's
time has expired. Did anyone else need to respond to that?
Thank you very much.
Mr. Smith.
Turnover in the Safety Workforce
Mr. Smith. Mr. Chairman, thank you.
Congress tries to fulfill its role of policy, and sometimes
that policy sort of interferes with some of the goals of the
Administration or the Navy. I served in the Nixon
Administration for about five years. And pretty much what we
were told when we came on the Hill is, you know, try not to
rile any of the Congressmen. Be nice. Be polite. I am a little
concerned with NASA that has been somewhat immune from
political control even--from Congress, but also even from the
White House over the last several years. And so I am trying
to--I guess my question relates partially to the balance of
that policy coming from Congress to--at what point it--is it
disruptive to the mission as determined by the Administration
versus as the responsibility for policy oversight by Congress.
But I don't know how you answer a question that is sort of
vague like that, except let me specifically talk about the
difference between the Navy and the NASA in terms of
complacency, how complacency starts to evolve from employees
that have been doing the same thing for too long a period. And
as I understand it, Admiral Bowman, the Navy has an 8-year
transition in some of the more technical aspects. And NASA has
now told us that they are looking at a rotation of two to three
years, so a new broom will sweep clean, if you will, but--so it
is a balance of the energy and attentiveness of new people
coming on the job versus the potential of complacency. What is
the right length of time for rotation and transition?
Admiral Bowman. Well, that is another very good question
and I think one that should be addressed by this committee in
dealing with this NASA situation. You are right. My particular
position is, by law, eight years. On the day Admiral Rickover
retired, President Reagan wrote an Executive Order that made
that so, and that Executive Order has subsequently been written
into law twice now, making my tenure eight years.
I think longevity in this kind of oversight position that I
find myself in is extremely important to the safe operation of
an organization that deals with an unforgiving technology, such
as mine or NASA's. So I heartily endorse both that concept of
extending the tenures of key technical people at NASA as well
as what Secretary Rumsfeld is trying to do across the Navy for
this--or across the military for----
Mr. Smith. You are recommending that it be done by law?
Admiral Bowman. Well, that is certainly one way to ensure
that it gets done. It is a way that it could happen. It is the
way it has happened with my position.
Mr. Smith. Well, according--but you know, part of my
concern with past hearings on the Columbia disaster, and I
appreciate the question that was asked earlier that the Navy
looks at Columbia in terms of what possible mistakes have they
made in reaction--in relation to what we are doing and how do
we make sure that we don't make the same mistakes. NASA, I
think, is going to start being more conscious of a larger
environment.
Nanotechnology
I have been concerned about the mission. I am Chairman of
the Subcommittee on Research. A lot of the justification for
our NASA effort is research. We have been told that the main
reason that humans are in space is to--studying--
scientifically, at least, is studying the physiological
implications on humans in space flight. I just returned from
Cal Tech and JPL and looking at some of the California science
efforts. And I guess I come back with the conclusion that our
new nanotechnology is going to replace a lot of the manned
space flight. How about nanotechnology in communication to
replace more personnel in the Navy, especially with submarines?
Admiral Bowman. We are headed in that direction, without
question, the entire Navy, not just submarines. Looking at
automation. Nanotechnology may very well have a place in that
in the sensor world, being able to better determine what is
going on inside systems and inside components with
nanotechnology. But reducing the manpower on board our warships
is a stated goal as the Chief of Naval Operations and the
Secretary of the Navy even--one which I endorse.
NASA/Navy Benchmark
Mr. Smith. Is there--just one last quick question.
On your investigation and how it might apply to you and
your responsibilities in terms of reviewing what happened with
Columbia, do you communicate any of that analysis or evaluation
to NASA?
Admiral Bowman. I am sure we will. I say that because of
the earlier questions that indicated that Mr. O'Keefe was keen
on benchmarking his organization against the Navy's
organization. So I would have no doubt that he would be
interested in our views on lessons learned from Columbia. I
would add that we have already conducted training for NASA on
Challenger, giving them our version of the lessons that we
learned from the Challenger disaster----
Mr. Smith. Okay.
Admiral Bowman [continuing]. And I think they found that
very helpful.
Chairman Boehlert. Thank you very much. The gentleman's
time has expired.
Mr. Smith. Thank you.
Chairman Boehlert. Ms. Jackson Lee.
Manned vs. Unmanned Space Flight
Ms. Jackson Lee. Thank you very much. And to the panelists,
I think I associate my remarks with my colleague who has
indicated that there are a number of hearings going on that may
have delayed us in hearing your complete testimony, but I want
to thank the Chairman and Ranking Member for a very, very vital
hearing.
And I would like to probe extensively, within my time
frame, on this question of safety. Realizing that Admiral
Gehman and the Columbia Investigation Board set a standard of
which we should try to achieve, I have noted over the years,
starting halfway, probably, into my term, maybe even earlier,
on this committee, which has been a sizable amount of time,
that safety is the number one responsibility and requirement.
And I would then add to say that we are at a crisis point as it
relates to safety issues in moving NASA forward. Admiral
Bowman, just a quick question. My colleague led you down the
path of technology and manpower and possibly substituting
technology for manpower. I assume reducing manpower does not,
in your mind, equate to eliminating manpower as it relates to
submarines.
Admiral Bowman. In some instances----
Ms. Jackson Lee. In totality, I am trying to say.
Admiral Bowman. No, not in totality. Absolutely not.
Ms. Jackson Lee. Okay. Then let me--I just wanted to make
sure that I got that on the record that technology will never,
in totality, replace the necessity of manpower, humanpower,
womanpower, if you will, if they have reached that point of
staffing on the submarines. And I don't believe that it will
reach the point of eliminating the importance and vitality of
human space flight. You are not here today suggesting that we
should eliminate the human Space Shuttle?
Admiral Bowman. The----
Chairman Boehlert. All right. Excuse me. That is not at all
the purpose of the hearing. The purpose of the hearing is to
learn from them how do we make----
Ms. Jackson Lee. I understand.
Chairman Boehlert [continuing]. Human flight safer.
Ms. Jackson Lee. I appreciate. Let me allow the gentleman--
would you answer my question, please, Admiral? Thank you.
Admiral Bowman. It was certainly not my intent to indicate
any opinion on the elimination of manned space flight in my
answer.
Ms. Jackson Lee. Right. So you are not here suggesting that
that should be eliminated or make a comment on that?
Admiral Bowman. That is correct.
Safety Organization
Ms. Jackson Lee. Okay. The CAIB has indicated that we
should divide the structure of NASA between operations and
safety. Is that along the lines of what you have done with
respect to the operations that you are involved in the Navy?
Admiral Bowman. We really have done almost the opposite.
Ms. Jackson Lee. All right.
Admiral Bowman. We have integrated operations and safety.
We have combined operations and safety from the beginning. As I
have said earlier, the mainstreaming aspect of safety with the
line functions does that for you and makes everybody
responsible for and cognizant of safety.
Ms. Jackson Lee. And how have you found--has that been a
structure that you have had for a number of years? Has it been
a structure that you have implemented in response to actions
that have occurred? Or has this been the Navy's general basis
of operations?
Admiral Bowman. Admiral Rickover set up his office at Oak
Ridge in 1948, and this has been a part of Naval Reactors since
1948.
Ms. Jackson Lee. And in that integration of safety issues,
how do you encourage the personnel in the Navy to be open on
their concerns about safety questions, for example, and I think
it was asked before but I would like to hear it again, if there
is an air quality problem or a safety problem in a submarine
that was about to disembark or about to leave shore, if you
will, with my--with the technology to be refined better? But in
any event, what would be the response to that individual or
individuals?
Admiral Bowman. I think they would be rewarded and
applauded. They certainly would be in my organization in our--
--
Ms. Jackson Lee. And how do they go up the chain of
command?
Admiral Bowman. Within my organization, it is quite easy.
They have direct access to me, number one, through knocking on
my door and coming in the office, calling me on the telephone,
e-mail. They have direct access to their section heads. The
direct reports that I referred to earlier, the 21 direct
reports, know that we are going to be talking at the table in
my office about are there minority opinions, are there
dissenting opinions on the consensus view here. And so they go
out and look for it.
Ms. Jackson Lee. So the atmosphere can be created, you are
saying?
Admiral Bowman. I believe it can, yes, ma'am.
Ms. Jackson Lee. Ms. Grubbe, would you--thank you very
much, Admiral.
Would you help me with the safety question in the private
sector? We find that there are concerns of retaliation and
enforcement questions on how do you enforce the atmosphere or
penalize those who don't do it. What do you do in the private
sector with DuPont?
Ms. Grubbe. We do something very similar to the Navy,
Congresswoman. We reward and highlight people who bring forward
not only safety events that have occurred where no one else was
around, but potential events and make sure that they get broad
communication across the organization and to every plant site
around the world that has a similar kind of apparatus, if it
involves a piece of equipment.
Ms. Jackson Lee. We thank you very much for your reasoning
on this. This will be instructive to us as to what we need to
do, and I thank you for your testimony.
Chairman Boehlert. Thank you very much.
Mr. Rohrabacher.
Mr. Rohrabacher. Well, I am just going to say that I missed
the testimony, and I am sorry, and I apologize. We have got our
Governor-elect Arnold in town, and I was introducing him to
various people, and that is part of my job, and I am sorry. But
I will be reading your testimony. And I appreciate the fact
that you have shared your expertise with us. We have to put
NASA's house in order, and all of us on the outside and the
inside have to work together. And I appreciate your
contribution and appreciate Sherry Boehlert's leadership. Thank
you very much.
Chairman Boehlert. Thank you very much.
And now I would like to thank the panel for participating,
for serving as resources. We value highly your testimony in its
entirety. And all of your complete testimony will be part of
the permanent record and any added material you care to submit.
And stay tuned, we may be back by phone or by written
communication to ask for some amplification of certain segments
of your testimony, but we really appreciate what you have done.
Thank you very much.
Panel II
Our next panel will be a panel of one, the very
distinguished Chairman of the Columbia Accident Investigation
Board, Admiral Harold Gehman. Admiral Gehman has had a busy
day. He has been over to the JV's this morning. He is coming to
the Varsity right now in the Science Committee of the House of
Representatives. As we all know, Admiral Gehman has been just
outstanding in his service to the Nation in a very important
capacity as Chairman of the Columbia Accident Investigation
Board. Let me add, he has also been outstanding in many other
respects, including his availability to all of the Members of
this committee and to the staff of the Committee. We are
working hand-in-glove with the Admiral to ensure that we have
the best possible response to a very tragic situation.
And with that, now that the name tag is properly in place
and the Admiral is prepared, Admiral Gehman, welcome back.
Admiral Gehman. Thank you very much.
Chairman Boehlert. The Floor is yours, sir.
STATEMENT OF ADMIRAL HAROLD W. GEHMAN, JR. (RET.), CHAIRMAN,
COLUMBIA ACCIDENT INVESTIGATION BOARD
Admiral Gehman. Thank you very much, Mr. Chairman.
I will just make a very, very short opening statement here,
and we will get right to the questions.
The panel that you just had, I didn't get to listen to all
of it, but I got to listen to part of it, a very illustrious
panel. I consulted their organizations in the course of our
investigation, and I congratulate this committee for getting
them here and letting them talk about safety and reliability.
Let me just say that the Columbia Accident Investigation
Board was careful to--we tried to be careful to separate safety
from reliability. By safety, we referred to--we refer to things
like untoward incidents in the workplace or hazardous
conditions or hazardous materials or the failure to inspect or
to catch something. Reliability refers to completing the
mission, that is launching safely and returning safely with all
of the humans intact. And we--they are related to each other,
but at the same time, the Board came to the conclusion that the
organization and structure needed to accomplish these two goals
with slightly--a slightly different approach. And therefore, we
made these three organizational and structural organizations
the--that you are conducting this hearing on. And it is the
opinion of the Board that there is almost nothing in our
report, which is more important than getting this right. We
really feel that if the Board--if the Columbia Accident
Investigation Board is going to be viewed as having been
successful, then making these changes in NASA will be the
measure of whether or not we were successful.
In the area of reliability, we feel very strongly that
separating technical and engineering authority from the
operation of the Shuttle is the key to increasing the
reliability and accomplishing the mission. Right now, we are
successfully launching and recovering the crew and the Shuttle
55 out of 56 times. And that is not what I would call a high
reliability record. There are a lot of activities in the United
States which are very dangerous, very hazardous, and which have
success rates far in excess of 55 out of 56. Certainly you had
Naval Reactors here and the Navy Submarine Program as well as
DuPont and The Aerospace Corporation. And they--their goal is
zero failures to accomplish their mission. And they don't
consider 55 out of 56 to be anything to brag about. So the
separation of the technical and engineering authority, we
believe, is one of the keys--is the key to doing that.
The second area is safety. As NASA is organized right now,
the Headquarters safety organization is independent and that is
not the issue. The problem that we have is that the
Headquarters safety organization, Code Q, Mr. Brian O'Connor,
with--in whom we have the highest confidence, does not have any
line authority. He is the policy setter. And it is--it isn't
that the Headquarters safety organization is not independent.
That is not the issue. The problem that we have is that the
Headquarters organization doesn't have any authority. And then
the program and center safety organizations are subordinate and
are dependent upon the programs and centers, that is the very
organizations that they are supposed to check up on, are the
ones that are funding their activities. And we have--it is
the--so it is the program and the center safety programs that
we think are not independent, not the Headquarters safety
program.
The last thing I would say before I respond to your
questions is that the Board carefully studied these
institutions whose representatives you just had here, plus some
others, and we also availed ourselves of more than a dozen
academic experts in the area of high-reliability operations and
safety. And we will admit to you--we will admit, unashamedly,
that we selectively picked and chose the attributes and
characteristics of these organizations, which we thought added
to reliability. We did not copy lock, stock, and barrel either
the Naval Reactor's model, the SUBSAFE model, the Aerospace
model, or any other model. We picked the attributes that we
liked the best and put our formula in the report. And the
longer that this report stands out here, the more scrutiny it
has gotten, the stronger we feel that we got it right.
So with that, Mr. Chairman, I will be glad to answer your
questions.
[The prepared statement of Admiral Gehman follows:]
Prepared Statement of Harold W. Gehman, Jr.
Good afternoon Mr. Chairman, Representative Hall, distinguished
Members of the Committee, ladies and gentlemen.
It is a pleasure to appear today before the House Science
Committee. I thank you for inviting me and for the opportunity to
provide answers to questions you may have as you endeavor to implement
the recommendations of our report on the investigation into the tragic
loss of the Space Shuttle Columbia and her courageous crew of seven.
My intent during my testimony today is to provide the Committee
with information on any of the topics explored by the Columbia Accident
Investigation Board in the final report. I am prepared to explore any
area in which you or the Committee are interested; however, I would
like to remind you that now that the Board has disbanded, my ability to
speak on its behalf is limited. I cannot comment on the progress of the
NASA's return to flight, as I have not been involved in an oversight
role. I do wish to make myself available to explain any facets of the
report that may be unclear or require further clarification.
That said, I would like to turn my attention to the questions
provided in the charter of this hearing.
The first question asks what it means for a safety program to be
independent. I believe we must clarify which independent safety program
we are discussing. The Board found that the NASA Headquarters Code Q
safety organization is completely independent. Our finding referred to
the Center and Program Safety Offices. We do not think the current
process by which the Center and Program Managers ``buy'' as much safety
as they can afford or think they need is the best organizational
construct. When safety competes against all other budget items such as
schedule, maintenance, upgrades, pay raises, etc., safety sometimes is
compromised. In regards to the NASA Headquarters Safety Office
addressed in Recommendation 7-2.5, the Board's concern was not lack of
independence, but rather the lack of a direct line of authority over a
safety organization whose jurisdiction runs all the way down to the
shop floor.
The second question concerns how to balance the organization of
safety programs to give them sufficient robustness and efficiency, but
without preventing the larger organization from carrying out its
duties. Safety organizations should not have veto authority over
operations, but they do need the expertise and depth to understand the
systems completely, the ability to initiate and resource at least a
minimal study or inquiry on their own without having to ask project
management, sufficient personnel to be present at critical tests and
inspections, proper test equipment, and sufficient resources to fund
studies that help reveal what trends mean and what the safety
organization should be looking for.
Thirdly, the Committee asks how to ensure that the existence of an
independent safety program does not allow the larger organization to
absolve itself of responsibility for safety. The safety organization
should not supplant the operations organization for operational
decisions. The safety organization just needs to be robust enough and
independent enough to study an issue, understand multiple sides and all
the implications of the actions contemplated, come to a conclusion that
is supported by analysis, testing and research, and then have a chance
at the proper forum to voice their independent position.
The Committee's last question concerns ensuring that dissenting
opinions are heard, but avoiding the possible impasse resulting from a
safety review process that can never reach closure. The Board has
reached the conclusion that holding and voicing dissenting opinions is
not the problem. The problem comes when dissenting opinions are not
supported by data. What the CAM recommended are procedures that ensure
that reliability and safety matters can be thoroughly examined by
knowledgeable people with sufficient resources. This process does not
guarantee that errors won't be made, but the current NASA process
doesn't even give the system the chance to catch mistakes.
Thank you, Mr. Chairman. This concludes my prepared remarks and I
look forward to your questions.
Discussion, Panel II
ISS Safety and CAIB Recommendations
Chairman Boehlert. Thank you very much, Admiral.
You are aware, and so are all of us, of the issue of the
Space Station and what has transpired over the last several
days and the extensive coverage given to the issue and how it
was handled. If your recommendations had been in place, how do
you think it would have been handled differently?
Admiral Gehman. Mr. Chairman, I do not--I only know about
this case of the air and water quality on the International
Space Station from what I read about in the newspapers. I do
not have any knowledge of the actual details of who said what
to whom and who went to what meeting and all of that sort of
thing. But I can speak to that incident in the context of the
mosaic presented by our report. First of all, if there are
technical standards for air, water quality, and if there are
monitoring instruments up there, the operation of those
instruments and the enforcement of the air--of the
environmental quality and the safety of the people in the
International Space Station would be the purview of this
engineering technical authority. And the Program Manager could
not waive those standards. He could not say, ``No, I am going
to go anyway.'' That is--that would not be one of his
functions. He would have to go to the independent technical and
engineering authority and say, ``Well, I have looked at this,
and I have decided that we should go ahead and replace this
crew. Even though these instruments aren't working the way they
are supposed to, we have no reason to believe that there is''--
anyway, he would make his argument, and it would be up to this
independent technical authority to determine whether or not it
wanted to waive its own standards. If it chose not to waive--
and to get to your question specifically, the--whoever these
people were who decided not to sign off on the flight readiness
review, they would be operating in an environment in which they
would be on the inside. That is, they are in an engineering
environment in which actions like this are rewarded and are
encouraged rather than having to prove that something was
wrong.
Sooner or later, it would have to come to some person,
probably the head of human space flight, or something like
that, who would have to decide which way to go. That is okay.
And if they decided to go ahead anyway, that would be fine. But
I--but the big difference would--the big difference in my view
would be that, as I understand it, and Mr. O'Keefe sat beside
me a couple of hours ago and he just explained his action here,
as I understand it, these dissenting opinions were encouraged.
They were fired up on. They were taken seriously, but they were
all taken seriously because of the good graces and the
cooperative attitude of management. And I--the history of the
Space Shuttle Program and NASA, going all of the way back to
Apollo, indicates that over a period of 18 to 24 months, those
good graces and that cooperative attitude will atrophy and the
old pressures of schedule and manifest and cost will come back
again.
Chairman Boehlert. And it never got topside until the last
72 hours. I mean----
Admiral Gehman. Yeah, that--I don't know any of those
details, but the big difference would be, in my opinion, that
these dissenting opinions, these concerns would be voiced in an
organization that was not concerned about schedule, not
concerned about cost, and it would be in a friendly
environment. These people would not be, kind of, on the outside
trying to get their way in.
Safety Program Independence
Chairman Boehlert. Well, what--how do you consider the
Naval Reactors Program independent, because we just heard from
Admiral Bowman that there is nothing separate? I mean, safety
is everybody's business. It is the culture that he is talking
about. Everybody is totally immersed in safety first and
foremost. And it--there doesn't seem to be the independence
that you outlined, the Board outlined in its recommendations.
Admiral Gehman. Mr. Chairman, I listened to part of that,
and I think that there was a misunderstanding, even though
Admiral Bowman tried to clear it up at the end. Admiral Bowman
and his organization are responsible for the Reactor and all of
the requirements of the Reactor, all waivers to the Reactor,
and all operations of the Reactor, but they are not responsible
for the ship, the submarine. There is a--the Fleet is
responsible for the operations of the submarine. And that is
our model with--the Program Manager who is responsible for the
operations of the manifest of the Shuttle and then a technical
authority that is responsible for the technical specs and
requirements of the Shuttle.
Admiral Bowman and his organization can say, ``That Reactor
is not ready to operate,'' in which case the Fleet Commander
can't operate the submarine. But Admiral Bowman doesn't operate
the submarine. Once he says it is okay, then someone else
decides where the submarine goes, how fast it goes, what date
it goes out----
Chairman Boehlert. Got it.
Admiral Gehman [continuing]. When it comes back, and so
when he says that the whole line organization is responsible
for safety, he was referring to his line organization. He was
referring to his pump guys and his----
Chairman Boehlert. Thank you for that clarification.
Admiral Gehman. Yeah.
Chairman Boehlert. Ms. Jackson Lee.
ISS Safety
Ms. Jackson Lee. Thank you very much, Mr. Chairman, again.
And thank you, Admiral Gehman----
Admiral Gehman. Thank you.
Ms. Jackson Lee [continuing]. For having the willingness to
be at bat more than once today.
Since you have been here, your work is continuing, and our
challenges are continuing. And so rather than dance around the
question, let me go right to it. You had been answering the
question, but might I say that I think we were engaged earlier,
as you well know, when I say we, myself in questioning, raised
the issue of safety on the International Space Station. And I
think now we are in dialogue through written communications to
try and expand on that understanding. I believe that maybe it
was good for us to have this happen sooner rather than later
with respect to the issue of exposing the difficulties.
There are two prongs that I would like to probe with you.
One, we found, again, if you will, and you have not done an
extensive review of the Space Station but use your background
and experience with your view of Columbia 7, the tragedy that
occurred there. The first prong, of course, is that there were,
in this instance, two very vocal scientists who offered their
opinion and, I believe, refused to sanction and/or prove the
sending of two additional astronauts to that--to the Station.
What should have happened or what went wrong, maybe that would
be the better approach, that they were either overrun,
superseded? Was that healthy? Was there--and you may be
gleaning this from newspaper articles, but what went wrong from
that perspective?
The other perspective is that is it viable and important at
this time now to do a comprehensive safety assessment on the
Space Station? Again, I remain committed to the value of humans
in space and certainly human Space Shuttle. But for it to be a
successful experiment, which I think Space Station is, there is
no doubt that we are still experimenting with what goes on in
space, but do we need that right now without one moment's rest
or stop in beginning to assess the safety issues on that--on
Space Station?
Admiral Gehman. Thank you very much, Ms. Jackson Lee.
From what I understand of the incident over--the incident
having to do with the approval of the Crew 8 mission, I believe
that it is--if you take the matrix or the test of the Columbia
Accident Investigation Board report and apply it to that event,
I believe it looks like this. In the first case, there is some
good news. For example, one of the issues that we raised in our
report was it--that it seemed to us that over the years that
engineers and scientists had to prove that a situation was
unsafe before the Shuttle Program would take any action,
whereas in the original days, you had to prove it was safe in
order to go forward. And the fact that the test now seems to be
``prove to me that it is unsafe'' is the wrong question. For
example, in the case of the engineers in the case of Columbia
who wanted photography, wanted imagery on-orbit, they were told
to prove that there was a problem before management would go
ahead and get the photography. That is a case of ``prove that
it is unsafe before I take any action,'' whereas the original
Apollo philosophy was ``you have to prove to me that it is safe
or I am not going to go forward.''
Okay. In the case of the atmosphere and the water
situation, the human conditions on board the International
Space Station, it does appear to me that NASA management asked
the question, ``All right, you are going to have to prove to me
that it is safe.'' That is the correct question. So it looks to
me like they have learned that--in this case, they have learned
their lesson. The--so that is the good news in this particular
incident.
The bad news, or the thing that I am concerned about is the
same issue that I brought up with the Chairman and that is it
appears to me that it took the intervention, the act of
intervention of management to resolve this issue. In other
words, the system didn't take care of this problem by itself.
And a year from now, or 18 months from now, when cost and
schedule pressures have resumed, I am--I don't think we want to
rely upon the intervention of management to snatch victory from
the jaws of defeat. I think we want to institutionalize a
process by which these issues can be raised and sorted out
without having top-level management intervene.
Chairman Boehlert. Thank you very much, Admiral.
Admiral Gehman. And the second question, to get to your
second question, we kind of have a cookbook here. We only
looked at the Shuttle Program. I think that probably the
International Space Station Program ought to be looked at,
also, but I--but not with the same urgency, of course.
Ms. Jackson Lee. Thank you.
Chairman Boehlert. Thank you, Ms. Jackson Lee.
Mr. Rohrabacher.
Leadership Confidence
Mr. Rohrabacher. Yes. Admiral Gehman, Mr. O'Keefe, Director
O'Keefe, has my full faith in his decision-making. Does he have
your faith?
Admiral Gehman. Yes, sir. I--of course, I only have seven
months of experience, I mean, since the 1st of February, and--
--
Mr. Rohrabacher. Almost as much as his.
Admiral Gehman. Well, that is right. He is--that is right.
He has only been there slightly longer than that, but in the
course of this investigation, he has provided us all support,
everything we have asked for. He has taken all of the right
moves, as far as I can tell, so yes. The answer is yes.
ISS Safety
Mr. Rohrabacher. Okay. And the episode with this Space
Station decision that had to be made, you were satisfied with
the way that that has been handled?
Admiral Gehman. Well, once again, I don't know the details
of who said what to whom. And--but it did appear to me, just
based on the limited knowledge that I have, including listening
to Mr. O'Keefe explain it to the CST this morning, that it took
the active intervention of management to bring this issue up to
the proper level. And I would rather see a system at work in
which it didn't take the active intervention of senior managers
to bring something up. It ought to come up automatically.
Mr. Rohrabacher. And since the issuance of your report,
your--you would give NASA an ``A''? A ``B''? A ``C''? An ``F''?
Admiral Gehman. Since the issuance of our report, myself
and other members of the Board have continued to dialogue not
only with NASA on a regular basis, we have been asked--invited
by Mr. O'Keefe to come over and address his senior management,
and we continue to hammer, and hammer, and hammer. But also, we
have an active dialogue going on with the Stafford Covey Return
To Flight Task Group so that they understand exactly what we
mean by every recommendation. So we are--you know, it is early
yet, and we are still in the thinking stage. We are not in the
doing stage yet, but so far, so good.
Vision
Mr. Rohrabacher. One of the things that I believe we
discussed when you were sitting there before was the lack of--
the importance of a lack of vision statement and the importance
of lack of an overall goal that people would--could unify
behind and those type of goals actually energize the system. I
haven't seen anything come forward from the Administration yet
along those terms. Is it necessary? Do you still believe that
it is necessary to have this vision and unified concept for
NASA to work at its peak efficiency?
Admiral Gehman. Yes, sir. The Board was quite
straightforward and firm in that finding. It wasn't a
recommendation, but we felt very strongly that the lack of an
agreed, and by agreed I mean both ends of Pennsylvania Avenue
as well as the American public, an agreed vision for what we
want to do in space gets in the way of a lot of very practical
day-to-day things. For example, NASA doesn't know, nor do you
know, how much money to put into infrastructure upgrades if you
don't know where you are going. You don't know how much money
and how high a priority Shuttle upgrades and Shuttle safety
upgrades should be accorded, because you don't know how long
the Shuttle is going to last. You don't know--NASA doesn't know
how to justify to you major investments. And indeed, in the
case of the orbital space plane, it is not clear exactly what
this thing is supposed to do because we don't have an agreed
vision as to what we want to do.
So it gets in the way of doing business on a daily basis,
not only at the national level, not only at your level, but at
the practical level down at the Cape and down at Marshall,
because they----
Mr. Rohrabacher. And in terms of the individual level, you
might correct me if you disagree, but I imagine you do, that
individuals who are working within a system are energized and
there is a new dynamic created in their--in the way they work
and the care that they take if they feel that they are part of
something that is much larger than just the task of the day.
And without a consensus or a concept that is going to--a
unifying concept, we are not going to be able to do our job,
are we?
Admiral Gehman. Well, I think that the--all of the workers
and all of the scientists and engineers as well as the
contractors that we came in contact with, which was quite
extensive, as you know, because we did interviews on the shop
floor, we did interviews in the back room, they all appeared to
be motivated and serious and quite dedicated to their project.
I think I mentioned to you and to other Members of this
committee that early in our investigation, we were--when we
were doing view graph 101, when we were getting hundreds and
hundreds of view graphs, we actually had presenters choke up
and break down while they were briefing us, just to show how
dedicated they are.
But I believe that--in the--that where your question really
hits the mark, Mr. Rohrabacher, is in the area of problem
solving. Now if we don't really have a good vision, a good,
exciting vision that people can buy into, we don't really
address some of the problems as aggressively and imaginatively
as they would if they knew where they were going.
Mr. Rohrabacher. Thank you very much. Thank you, Mr.
Chairman.
Chairman Boehlert. Thank you very much.
Mr. Wu.
Expedition 8 Launch Decision-making Process
Mr. Wu. Thank you, Mr. Chairman.
Thank you for coming again, Admiral.
I want to ask one question and then one follow-up. And the
question is--somewhat follows up on the Chairman's earlier
question and Ms. Jackson Lee's earlier question about the
decision to launch this latest group of people to the
International Space Station and the fact that there were, in
fact, in essence, two dissenting opinions. And there was a
process. There was dissent. There was discussion, and
apparently that occurred over a period of time, and now there
are two astronauts in the International Space Station. We have
a solar flare that occurred yesterday and it is arriving just
about at this time: an unpredicted event, difficult to predict,
and in this case, unpredicted. Was this decision-making process
and the fact that now these two astronauts have to get into the
thickest part of the International Space Station and move water
around, perhaps, and so on, is that a sign that the process is
working because two people were able to consent, or is that a
sign that this process is not improving because we are where we
are with the solar flare and two astronauts up and the
radiation monitors not working?
Admiral Gehman. Right. Well, my understanding--and
certainly we studied this in the case of the Shuttle Program in
great detail. My understanding is that in the process of
certifying a vehicle for a launch or a mission to go, I would
consider dissent to be a good thing. There are so many
variables and so many pieces and so many subsystems that--there
are so many risks and so many assumptions that have to be made
that if everybody said, ``Yes, yes, we are ready to go. No
problems. Everything is good to go,'' I would be suspicious
that somebody is hiding something from me, because it is so
complex and so dangerous. There is so much energy involved.
There are so many systems involved. There has got to be some--
out there, there has got to be somebody who is having a little
problem with his system or he has some doubts about something.
And if that person doesn't speak up, that is what I would be
concerned about.
So the fact that there were some environmental scientists,
or medical doctors in this particular case, who were concerned
about some aspect of it, to me is not a sign of a failure or a
sign that anything is going wrong or anything like that. The
lack of any dissent would cause my suspicions to go up. And
once again, I do not know in detail of how this dissent was
handled or who did what to whom and who held what meeting, only
what I have heard Mr. O'Keefe testify to this morning and what
I have read in the newspapers. And I had already said that it
looked to me like it took active management intervention to get
that sorted out. And that is not a long-term formula for
success.
Mr. Wu. Thank you, Admiral.
The follow-up question I have is that, according to what I
have heard, Administrator O'Keefe learned of this problem only
days before the launch even though the dissents occurred a
significant time prior to that. And as a Member of this
committee, I don't know if the Chairman had better access to
the information, but I learned about the dissents through the
newspaper. Is this--the panel we had earlier said, ``You know,
one of the things about safety is you build it in so that it
goes to the top and everyone has responsibility and the loop
loops in the person who is ultimately responsible.'' And the
fact that, perhaps Administrator O'Keefe did not know until,
maybe, soon before the launch and that members of this
oversight committee didn't know until it was published in the
newspaper post-launch, is that a sign of a challenge or a
problem to be faced?
Admiral Gehman. I think we should not comment on that here,
because in his testimony this morning before the Senate, Mr.
O'Keefe said that that was not true. And we ought to let him
sort this out. As I say, I do not know who said what to whom on
what day, but in his testimony this morning, Mr. O'Keefe said
that that press report of when he was told and how he was told
was inaccurate. And so we ought to let him sort that out.
Mr. Wu. Thank you, Admiral.
Chairman Boehlert. Thank you.
Mr. Wu. Thank you, Mr. Chairman.
ITEA and Safety Staff Turnover
Chairman Boehlert. A quick one before I go to Mr. Smith for
the final question for you. How important do you think it is,
Admiral, to have longevity in the staff of the independent
technical and safety organizations?
Admiral Gehman. Well, I think that longevity is one of the
attributes that would aid in the efficiency and effectiveness
of that organization. It is also the opinion of the Board, by
the way, that this independent technical and engineering
authority or whatever it eventually gets called, would also aid
in some of NASA's career progression and retaining issues,
because right now there are very troublesome career moves of
into contractors and out of contractors and back and forth. And
I would really like to see a more healthy progression of, you
know, into the--into a true engineering organization than back
into the program and back into engineering. So we think it is
very important.
Chairman Boehlert. That is a view we share. It is--we are
working with NASA to give them the ability to restructure in
how they do things and to treat their workforce a little bit
differently because of the proven need.
All right. Mr. Smith, for the final----
ISS Review
Mr. Smith. Mr. Chairman, I am--very briefly. And Mr.
Chairman, I agree with you that Administrator O'Keefe was
correct when he decided that the reorganization of NASA should
occur before the return to flight, really setting a more
ambitious schedule than that called for by the CAIB.
Admiral, let me ask you exactly what you meant when you
said there should be a further evaluation of the Space Station.
Are you talking about policy, goals, objectives, what it is
accomplishing, or are you talking about safety?
Admiral Gehman. Any kind of a review whatsoever. I am
speaking--that was a private opinion. So I have got no evidence
to go on to indicate that there were--there are any problems in
International Space Station.
Mr. Smith. Well, there is hope----
Admiral Gehman. But my private opinion is, though, that the
kind of look we looked at their management schemes here and how
safety is handled probably would be a good idea for the
International Space Station to get the same kind of
examination.
Mr. Smith. But even more than that, I would think, last
weekend, I am sure you are aware that a report by NASA
scientists was, for lack of a better word, leaked that
described the human physiological research at the Station as
voodoo science. And NASA science, I think, has identified that
the physiological research on humans is essentially all of the
justification why humans would be in space. And of course, I am
an advocate of dramatic reductions at this time of real
financial problems with the Federal Government and the debt
that we are facing to review all programs. And so I think when
we look at the Space Station, we also need to look at what it
has accomplished. And I think that we should consider, in some
kind of investigation, whether it is--and I suspect maybe you
would like to visit with your family some more as far as you
taking the responsibility of it, but should we drastically
reduce manned space flight and should we maybe abandon the
Space Station?
Admiral Gehman. I am sorry. I am going to have to defer on
that----
Mr. Smith. I knew you--all right.
Admiral Gehman [continuing]. Mr. Smith. We did not look--we
did a lot of ancillary research to make sure that the report
that we wrote was--is in much context as we possibly could. We
put it in budget context, history context, everything else
like--but the one context that we did not look at was the
argument between how much human space flight is enough. And so
I just am not a----
Mr. Smith. And again, thank you for your great work and
service to the country.
Admiral Gehman. Thank you.
Mr. Smith. And Mr. Chairman, I yield back. Thank you.
Chairman Boehlert. Thank you very much. And what you said,
very eloquently, and you have said it many times, we need a
national debate, a good thorough vetting of the issues. And we
have got to reach some sort of a consensus that gives us a
vision.
Admiral Gehman. Yeah.
Chairman Boehlert. And we have got to work toward it. Thank
you very much, Admiral Gehman.
Admiral Gehman. May I make one 30-second last closing
statement here----
Chairman Boehlert. By all means.
Admiral Gehman [continuing]. And that is that the
fundamental--the three fundamental organizational
recommendations that we made that is there should be an
independent technical engineering authority. That is the most
important one. That the Headquarters safety organization should
have line authority. Now that doesn't mean that the Program
can't have a safety organization and the center can't have a
safety organization. They certainly can. But for the--for your
head of safety to be only a policy-setter doesn't seem to be--
--
Chairman Boehlert. Right.
Admiral Gehman [continuing]. Reason for us. And the last
one, that the Shuttle Program should have a true integration--a
systems integration office, which it does right now. In
reflection over time and listening to all of the experts, we
are more convinced than ever that those are good, solid
recommendations, and we stand by them. And I didn't hear
anything from this panel this morning which changed my opinion.
Thank you very much, Mr. Chairman.
Chairman Boehlert. Well, thank you. And you have not
disappointed us. We have always come to recognize that we get
good, solid recommendations from you.
Thank you very much. This hearing is adjourned.
[Whereupon, at 12:19 p.m., the Committee was adjourned.]
Appendix 1:
----------
Answers to Post-Hearing Questions
Responses by Admiral F.L. ``Skip'' Bowman, Director, Naval Nuclear
Propulsion Program, U.S. Navy
Questions submitted by Representative Ralph M. Hall
Columbia Accident Investigation Board Recommendations
Q1. How will we know that NASA has implemented the Columbia Accident
Investigation Board (CAIB) recommendations? What measures do you use in
your organization to determine that your safety mechanisms are working?
A1. I do not have firsthand knowledge of the pertinent details of
NASA's technology and organization. However, I do note that in many
ways they are different from that of the Naval Nuclear Propulsion
Program (NNPP). Therefore, I cannot provide useful guidance on how to
best determine if the CAIB's recommendations are implemented.
As to how I determine if safety mechanisms are working in my own
Program, I have several methods using many inputs. My staff and I are
personally informed of or briefed on every significant naval nuclear
propulsion plant problem; from this, we determine if additional causes
need to be identified or if additional corrective actions (technical or
administrative) need to be taken. In addition to performing site
inspections, Reactor Safeguards Examinations (RSE), and personal site
or ship visits, my staff and I receive reports from my many field
representatives, from contractor and other Program organizations, and
from commanding officers of nuclear-powered ships. I expect them to
find problems--if they don't, my instincts based on a more than 30-year
career as a nuclear-trained operator tell me that they probably aren't
looking hard enough. Issues identified in those reports are evaluated
to see whether corrective actions (again, either technical or
administrative) are required. Similarly, I expect dissenting opinions
on difficult decisions and if there are no dissenting opinions, my
experience tells me that they haven't asked all the right people for
input. In addition, I frequently insert my own ``dissenting opinions''
(``devil's advocate'') into the discussion and have those carefully
examined. As Admiral Rickover said, ``One must create the ability in
his staff to generate clear, forceful arguments for opposing viewpoints
as well as for their own. Open discussions and disagreements must be
encouraged, so that all sides of an issue will be fully explored.''
My safety inspection process is extensive. Headquarters personnel
at the most senior level personally evaluate performance and compliance
in the field. Headquarters staff conducts regular inspections of work,
safety, and environmental and radiological controls. Headquarters
evaluation teams are made up of the technical-requirements owners (who
are responsible to me for all safety aspects of their areas) for the
particular areas being assessed. This ensures that the evaluation team
has an indepth understanding of not only the requirement, but also its
significance, letting the evaluation team identify issues and trends
that might not be discerned if auditing were done solely by checklist.
Additionally, field office personnel routinely conduct audits and
inspections as part of their responsibility to monitor the work of
Program laboratories, prototypes, the Fleet, shipyards, and prime
contractors. The DOE laboratories, the nuclear-capable shipyards, and
the Fleet also must conduct self-audits, assessments, and inspections.
My Headquarters staff, field office personnel, senior Fleet personnel,
and I then critique these self-reviews, as appropriate.
Of course, the bottom-line measure of the success of the safety
mechanisms is prevention of any event that could affect the health and
safety of the public and Navy personnel or the environment. Therefore,
we don't let near misses or even initiating events pass unchallenged.
The hallmark of a strong safety culture is to look continually and
actively address the minor problems in order to prevent the major
problems.
Q2. The CAIB recommends a separation between the operational aspects
of the Shuttle program and the organizations providing engineering and
safety support. Based on your experience:
Q2a. Do you agree with this as a principle for managing your program?
A2a. In the Naval Nuclear Propulsion Program (NNPP), my Headquarters
and Field Office staff that provides engineering and safety support
also provides operational oversight (as opposed to operational control,
which is assigned to the Fleet for ships and to the Prime Contractors
for their laboratories and prototype reactors). I do not agree with the
principle of completely divorcing all operational aspects of a
technical program from engineering and safety support for that program.
The technical expertise from engineering and safety is necessary in the
proper oversight of operations. Most importantly, I consider it vital
for the technical authority to be one and the same as the safety
oversight to ensure indepth and continuing understanding, awareness,
and ownership of all aspects of design and operation.
For Fleet operations, Headquarters and Field Offices are
responsible for the engineering and safety aspects relating to nuclear
power. The Fleet operates the nuclear-powered warships in accordance
with the safe operating procedures my organization provides them. The
Prime Contractors operate prototype propulsion plants, following
similar procedures. Changes to technical standards or operational
procedures require my Headquarters' approval.
Q2b. Where do you place the boundaries between these three program
elements in your program and how do they interact?
A2b. Within my organization, safety is the responsibility of everyone
at every level: equipment suppliers, contractors, laboratories,
shipyards, training facilities, the Fleet, field offices, and
Headquarters. It is not a responsibility unique to a segregated safety
department that then attempts to impose its oversight on the rest of
the organization. Put another way, safety is mainstreamed. I expect to
be able to ask any of my direct reports about the safety significance
of any action in which they are involved and have them be able to
explain the issues and why the action is satisfactory.
Because of the mainstreaming philosophy, some elements of the
Program (such as shipyards and the Fleet) do not even have a separate
reactor safety department. However, I do have a small group of people
responsible for reactor plant safety analysis, who provide policy
oversight as well as most of the liaison with other safety
organizations (such as the NRC) to help ensure that we are using best
practices. They also maintain the documentation of procedures and
responsibility for the modeling codes used in our safety analyses. They
are full-time safety experts who provide our corporate memory of what
the past problems were, what we have to do to maintain a consistent
safety approach across all projects, and what we need to know about
civilian reactor safety practices. In addition, this group is part of
our technical reviews to ensure that our mainstreamed safety practices
are in fact working the way they should by providing an independent
verification that we are not ``normalizing'' threats to safety.
While safety is mainstreamed throughout the Program, technical
authority is vested in my Headquarters. Any other Program organization
must get my Headquarters' agreement for any changes in technical
standards and operational procedures. Sometimes this requires decisions
that affect ship operations, which is one reason the Director of the
NNPP needs to have a technical engineering background, with career-long
experience in naval nuclear propulsion, and the seniority of a four-
star admiral. Congress recognized this need and enacted it as a
requirement in law.
Q2c. What training and experience do, you require, in your senior
managers, and what incentives do you provide such managers?
A2c. Nearly all of my technical staff at Headquarters came to the NNPP
right out of college and with science or engineering degrees. They
receive NNPP-specific engineering training during their early years
with the Program and continue to receive specialized training
throughout their careers with us. At the end of their initial
obligation, we offer permanent positions to those individuals who in
our judgment have the requisite technical capabilities that best
embrace our cultural values, such as mainstreaming safety. These are
the people that go on to become my senior managers--a great many
spending their entire adult lives and careers in the Program.
My section heads, the senior managers who report directly to me,
have an average of more than 25 years of Program experience. However,
mere longevity is not a requirement: a suitably capable individual with
less time in service could become a section head. I select the best-
qualified personnel as my senior managers.
As a performance measure, safety is not tied to incentives. Rather,
it is a shared value among all engineers within the NNPP. My engineers
won't be promoted to senior positions unless they demonstrate that they
have embraced the importance of safety in their work and have ingrained
this attitude in their subordinates, including fairly and completely
vetting dissenting opinions.
Threats From Minor Problems
Q3. In both Shuttle accidents, NASA failed to appreciate the threat to
the vehicle from what seemed a minor problem--O-ring seals that did not
seem to work well in cold weather and foam that sometimes struck the
Orbiter's thermal protection system.
Q3a. How does your organization deal with similar ``weak signals''?
A3a. In a high-risk environment, there are no guarantees of success,
but our record demonstrates the value of hard work in addressing the
``weak signals.'' As an organization, we do not allow weak signals to
go unanswered. An important part of our technical effort is working on
small problems to prevent bigger problems from occurring. We measure
and track minor deficiencies to identify trends. Then we ask the hard
questions on even apparently minor issues: What are the facts? How do
you know? Who is responsible? Who else knows about the issue and what
are they doing about it? What other ships or activities (e.g., the labs
or prototypes) could be affected? What is the plan? When will it be
completed? Is this within our design, test, and operational experience?
What are the expected outcomes? What is the worst that could happen?
What are the dissenting opinions? These and other questions like them
help us to solve the problem at hand before it gets worse. As an
example, I personally read letters (required at least quarterly) from
each of the commanding officers of our 82 nuclear-powered warships. I
look for these ``weak signals'' in their reports and flag them to
cognizant headquarters personnel for resolution through this process.
Additionally, my Headquarters and field organizations conduct periodic
inspections in the field to determine the effectiveness of the
individual activities in identifying, assessing, and resolving such
deficiencies.
Q3b. How does your organization evaluate problems to determine if they
represent recurring failures that require changes in design or
processes if they are to be dealt with? Who conducts those evaluations?
A3b. Even minor problems under Headquarters' consideration require
formal and disciplined review, together with official action and
resolution correspondence signed by the cognizant Headquarters
engineers. Any issue that, in our view, could recur and have
undesirable consequences is assessed for the need for corrective action
by my Headquarters staff. Where my staff concludes that action is
warranted, I task the prime contractor laboratories with further
assessment and with recommending corrective action. If the issue is
time-sensitive, the Naval Nuclear Propulsion Program (NNPP) will
immediately issue guidance by naval message to any ships or in writing
to any training reactors that may be affected.
Q3c. For recurring problems, does your organization have the
capability to analyze the trend to determine if it could contribute to
a low-probability, high-consequence accident?
A3c. The Naval Nuclear Propulsion Program (NNPP) conducts extensive
self-audits and performs various analyses of trends. Multiple
organizations (my Headquarters organization, Nuclear Propulsion
Examining Boards, Fleet headquarters, type commanders, naval squadrons,
shipyards, and laboratories) are notified when problems arise and can
call for further evaluation and correction based on recognition of a
trend or precursor event requiring correction. Put simply, recurring
problems aren't ``normalized.'' We do everything we can to engineer
them out of our system before they become major issues.
Q3d. How much certainty would your organization require to take action
in a case where your relevant technical expert strongly believed a
catastrophe could occur but did not have the engineering evaluations to
confirm that judgment--and little or no time to conduct such
evaluations?
A3d. To determine the relative importance of individual discrepancies,
I rely on my engineering judgment and that of my experienced managers
and engineers throughout the Program. If there were a strong belief,
even if only by a single individual, those unacceptable consequences
are a possibility, the issue would be attacked at: the technical level
by my DOE labs and Headquarters experts and then discussed with me. All
relevant technical facts would be presented, and an appropriately
conservative course, balanced by military necessity, would then be
chosen. This would not always mean that the reactor, and therefore the
ship, must stand down from operation, but it might require additional
operational precautions that suitably offset the situation under
consideration. The Director, as a four-star admiral with a career of
nuclear experience and a long tenure (the law stipulates eight years),
is essential to making this come out right. Engineering is not an exact
process--there is no single absolutely correct answer to every problem.
The NNPP, as instituted by Admiral Rickover and as it continues to this
day, embraces the philosophy that airing dissenting opinions helps
invigorate the technical evaluation process and minimize the chance
that a technically significant issue is overlooked.
Question submitted by Representative Bart Gordon
Operational and Developmental Safety Structures
Q1. Does it matter in your organization whether a vehicle or product
is deemed ``operational'' versus ``experimental/developmental''? Do you
have a different safety structure for operational activities versus
those that are developmental in nature?
A1. Our safety structure and processes are independent of the
operational designation of the product. However, the margin of
conservatism will be even greater when we are dealing with a
developmental system. We test components, subsystems, and then systems
(often to the point of failure in tests prior to ships' use), to ensure
that unexpected results are minimized in operational warships. We then
thoroughly test the ships and crew pier side to confirm the
acceptability of the systems and the training of the crew. When I take
a ship to sea for the first time, on sea trials in which I directly
participate, I confirm that both the propulsion plant and crew are
fully capable and ready to join the Fleet. Once a ship is in
commission, it is deemed ``operational''--regardless of whether it is
the first or the last of a class.
Questions submitted by Representative Nick Lampson
Safety at Every Level
Q1. Admiral Bowman testified that, ``Safety is the responsibility of
everyone at every level in the organization,'' a sentiment echoed by
Ms. Grubbe in her statement--but in day-to-day program activities,
safety is not a primary metric for measuring performance. Safety
usually becomes an issue only after it is clearly seen to be absent.
What specific actions does your organization take to maintain the focus
on safety when the pressures to achieve organizational goals inevitably
build?
A1. Safety is an overarching organizational goal. We recognize that the
ability of the Navy to operate nuclear-powered warships in over 150
ports of call in more than 50 countries around the world is based on
the trust we have earned and maintained by safely steaming over 129
million miles. If we do not deliver and maintain safe naval nuclear
propulsion plants, we have failed our crews, our Navy, and our country.
Everyone in the Naval Nuclear Propulsion Program (NNPP) understands
this. We all understand (and are trained in this from our first day in
the NNPP) that the only acceptable answer is the technically correct
solution. We also recognize that no technology is risk-free. We
benchmark actions against requirements and past practices, require that
a design or change be proven technically correct, and identify any
alternatives. If the only technically safe acceptable action is one
that affects cost and schedule to an extent that cannot be accommodated
within available resources or schedule, we slow the schedule and/or add
the additional resources.
Additionally, the very fabric of my Headquarters organization
ensures that safety is mainstreamed for the long haul. Headquarters
personnel are handpicked and have a common broad heritage of technical
Program training and experience that permit the necessary esprit de
corps and shared values. These factors (together with the independence
of our technical authority from others in the Navy who are primarily
charged with ``cost, schedule, and mission'') permit us to provide
effective direction and oversight. Safety is not just a way to measure
performance: it's the result of a process that must be followed from
start to finish if we are to achieve the desired result.
Technical Authority and Safety Assurance
Q2. In your organization, do you have units performing the functions
of an independent technical authority and office of safety assurance?
How do they interact within your organization? If you don't, why not?
A2. In my DOE ``hat,'' my Headquarters is the absolute technical
authority for all naval reactor plants. Therefore, any other
organization must get my Headquarters' agreement for any changes in
technical standards and operational procedures. Sometimes this requires
decisions that affect ship operations, which is one reason the director
of the Naval Nuclear Propulsion Program (NNPP) needs the seniority of a
four-star admiral. Congress recognized this need and enacted it as a
requirement in law.
I don't separate technical authority and safety assurance. They are
part and parcel of the same process. For the Navy, my organization is
responsible for the engineering and safety aspects relating to nuclear
power. The Fleet operates the nuclear-powered warships in accordance
with safe operating procedures my organization provides them. In the
NNPP, the same staff that provides engineering and safety support also
provides operational oversight (as opposed to the Fleet's operational
control). Safety is the responsibility of everyone at every level of
the Program. In other words, safety is mainstreamed. It is not a
responsibility unique to a segregated safety department that then
attempts to impose its oversight on the rest of the organization. This
is the only way safety can be ensured effectively, since no separate
office of safety can have the depth of technical knowledge and
personnel resources to cover an entire, complex technical program in
the detail necessary to fulfill a safety responsibility.
Although the various elements of the Program (such as shipyards and
the Fleet) do not have a separate reactor safety department, I do have
a small group of people responsible for reactor plant safety analysis.
They provide policy oversight as well as most of the liaison with other
safety organizations (such as the Nuclear Regulatory Commission) to
help ensure that we are using best practices. They also maintain the
documentation of procedures and upkeep of the modeling codes used in
our safety analyses. As full-time safety experts, they provide our
corporate memory of what the past problems were, what we have to do to
maintain a consistent safety approach across all projects, and what we
need to follow in civilian reactor safety practices. By providing an
independent verification that we are not ``normalizing'' threats to
safety, each additional group involved in a technical review also
ensures that our mainstreamed safety practices are in fact working the
way they should.
Questions submitted by Representative Sheila Jackson Lee
Safety Training and Awareness
Q1. How is safety training done in your organization? How is safety
awareness maintained in your organization? Please describe the kinds of
training materials you use.
A1. Allow me to break my answer into elements dealing with my
Headquarters and the U.S. Navy Fleet.
Safety awareness is built into every part of our work, including
our extensive training programs. Thorough training minimizes problems,
results in quick and efficient responses to issues, and helps ensure
safety. At my Headquarters, I select the best graduate engineers I can
find, with the highest integrity and the willingness to accept complete
responsibility for every aspect of nuclear-power operations. After I
hire them, the training they need to be successful begins immediately.
All members of my technical staff undergo a technical indoctrination
course during their first several months at Headquarters. Next, they
spend two weeks at one of our training reactors (prototypes), learning
about the operation of the reactor and observing and participating in
the training our Fleet sailors are undergoing. This involves an actual,
operating reactor plant, not a simulation or a PowerPoint
presentation--and it is an important experience. It gives them an
understanding that the work they do affects the lives of the sailors
directly, while they perform the Navy's vital national defense role.
This direct experience helps reinforce the tenet that the components
and systems we provide must perform when needed.
Shortly after our new people return from the training reactor, they
spend 6 months in residence at one of our DOE laboratories, completing
an intensive, graduate-level course in nuclear engineering. Once that
course is complete, they spend three weeks at a nuclear-capable
shipyard, observing production work and work controls. Finally, they
return to Headquarters and are assigned to work in one of our various
technical jobs. They then attend a six-month series of seminars on a
wide range of technical and regulatory matters, led by the most
experienced members of my staff. Each of these training experiences is
saturated with the principles of reactor safety through high quality
assurance of plant material, conservative design, and verbatim
adherence to procedures.
At Headquarters, there is a continual emphasis on professional
development. We typically provide training courses that are open to the
entire staff each month on various topics, technical and non-technical.
In particular, we have many interactive training sessions on lessons
we've learned--mistakes that we, or others, have made--in order to
prevent similar mistakes in the future. These sessions teach both the
specific issues and the right questions to ask.
Throughout their careers, the members of my staff are continually
exposed to the end product, spending time on the waterfront, at the
shipyards, in the laboratories, at the vendor sites, or interacting
directly with the Fleet. In addition, the constant interaction among
Headquarters personnel provides me with an arsenal of individuals who,
though charged with responsibilities in specific areas, are capable and
knowledgeable of overarching Program interests and are expected to act
accordingly. Every one of these activities and perspectives emphasizes
the vital role of safety.
My responsibilities also include training the operators of nuclear-
powered warships. I require both officer and enlisted operators to
undergo 6 months of formal academic instruction in nuclear propulsion
theory and technology, followed by 24 weeks of hands-on operational and
casualty training at an operating prototype or moored training ship
(MTS). Even after completing this training and qualification as an
operator at a prototype or MTS, personnel must completely requalify
(including familiarization steps and watch standing under instruction)
on the ship to which they are assigned before they are permitted to man
a propulsion plant watch station on that ship. For both officer and
enlisted nuclear-trained personnel, there is continuing training and
required periodic requalification in the Fleet throughout their
careers. My prime contractor personnel who operate the prototype
reactors get equivalent training.
For the officers, a significant milestone in their career path is
qualification as an engineer officer. This signifies an officer has
obtained sufficient knowledge to supervise safe, effective maintenance
and operation of the ship's propulsion plant. When the commanding
officer (CO) is satisfied with a junior officer's knowledge level, he
recommends him or her to take the Engineer's Examination. The
Engineer's Examination is administered at my Headquarters and consists
of a written examination (about five hours long) and at least two
detailed technical interviews. I personally approve qualification of
each engineer officer. The best of these junior officers are
subsequently assigned to submarines as the engineer officer or to
aircraft carriers as a principal assistant to the reactor officer.
The commanding officer (CO) is charged with the absolute
responsibility for all aspects of ship operation, including safe and
effective operation of the reactors. Personnel who become COs of
nuclear-powered submarines are all Engineering Officer of the Watch
qualified with about 17 years of experience in the Navy. They have
qualified as an engineer officer on a nuclear-powered submarine, have
served as an executive officer and have successfully completed an
intense, technical/safety course during a three-month Prospective
Commanding Officer School at Naval Nuclear Propulsion Program
Headquarters.
The path for becoming a CO of a nuclear-powered aircraft carrier is
similar. Personnel who become COs of a nuclear-powered aircraft
carriers are Engineering Officer of the Watch qualified officers with
over 20 years of experience in the Navy. They have completed a three-
month Prospective Commanding Officer School at Naval Nuclear Propulsion
Program Headquarters and have served as an executive officer on a
nuclear-powered aircraft carrier.
Every segment of every training experience for both Headquarters
and Fleet personnel emphasizes the absolute need for ``safety first.''
Lessons learned from historical problems are discussed in detail. The
conservative design of our plants and the need for strict adherence to
written, formal procedure is taught and tested. There is no confusion
regarding our philosophy that safety comes first.
Safety Audit Process
Q2. Please describe your safety audit process. What is its scope? How
often is it done? Who does it? To whom, are the results reported? What
is done with the results?
A2. My safety inspection process is extensive. Inspection and
corrective action follow-up are essential aspects of being the
technical authority for the Program and its current 103 reactor plants.
Headquarters personnel at the most senior level personally evaluate
performance and compliance in the field. Headquarters staff conducts
regular inspections of work, safety, environmental and radiological
controls. Additionally, field office personnel routinely conduct audits
and inspections as part of their responsibility to monitor the work of
Program laboratories, prototypes, the Fleet, shipyards, and prime
contractors. The DOE laboratories, the nuclear-capable shipyards, and
the Fleet also conduct self-audits, assessments, and inspections at
almost every organizational level. These reviews are then critiqued by
Headquarters, field office, and senior Fleet personnel (as appropriate)
and then reported to me. An important part of these reviews is
evaluating the activity's ability to look critically at itself--in
keeping with the principle that each activity must identify, diagnose,
and resolve its own problems when outside inspectors are not present to
do so. This effort, along with other requirements, makes clear that
day-to-day excellent performance must be the goal (and the norm), not
merely ``peaking'' for an annual audit or inspection. In fact, my
evaluation teams make ``inadequate self-assessment'' a finding of its
own, when appropriate. My teams will then closely follow the efforts of
activity management to improve this crucial ability.
Headquarters evaluation teams always include the technical-
requirements owners for the particular areas being assessed. This
ensures that the team has an indepth understanding of not only the
requirement, but also its significance, letting the evaluation team
identify issues and trends that might not be discerned if auditing were
done solely by checklist. My field offices, largely composed of
qualified personnel drawn from the Fleet and from Headquarters, are
located at all major Program sites and at each Navy Fleet concentration
area.
The Naval Nuclear Propulsion Program (NNPP) continually evaluates
operational information for trends and lessons learned. For example, my
staff annually assesses--and I personally review plant-aging concerns
to ensure that trends in equipment corrosion, wear, and maintenance
performance are acceptable.
To meet regulatory responsibilities for oversight of nuclear-
powered warship operations, the NNPP relies in part on the Nuclear
Propulsion Examining Board (NPEB). The NPEB, comprising nuclear-trained
officers who have served as commanding officers or engineer officers of
nuclear-powered warships, performs annual Operational Reactor
Safeguards Examinations (ORSE) and inspects the material condition of
each plant in the Fleet. During an ORSE, the NPEB reviews documentation
of normal operation (including operational, maintenance, and crew
training records); observes and assesses current plant operations (both
normal and in response to casualty drills); and reviews any off-normal
events that may have occurred during the preceding year. The NPEB
reports directly to me in parallel with the command authority for that
ship (the Fleet Commander). As discussed above, the ship's day-to-day
performance and ability to self-assess are emphasized through
evaluation of records, training, evolutions, lessons learned, and
overall plant conditions. If ships do not meet standards, they would
have their authorization to operate removed until they are upgraded,
reexamined, and deemed satisfactory.
Dissenting Opinions
Q3. In your organization, is there a channel specifically for
dissenting opinions?
Q3a. How do you generate a dissenting opinion in a case where a strong
technical consensus exists? What prevents that from becoming an empty
exercise?
Q3b. How would a dissenting technical opinion be evaluated?
A3a,b. There are several channels through which individuals can air
dissenting opinions. At my prime contractor laboratories, any
dissenting opinion must be documented, along with a discussion of the
reason why the majority opinion is being recommended. (In some cases
the process results in the formerly ``dissenting'' opinion becoming the
recommended approach.) In the case of a dissenting opinion that could
affect safety, further analysis and discussion are required to attempt
to reach a satisfactory resolution. If the dissenter is not satisfied,
the recommended action must be agreed to by the laboratory general
manager, and the dissenting opinion is documented in the recommendation
to me with an explanation as to why it was not accepted. This allows my
staff and me to see that dissenting opinion firsthand as we evaluate
the recommendation.
Similarly, within Headquarters, if a dissenting opinion is not
resolved, the issue must be cleared with me. When I discuss a complex
issue, I frequently ask if there were any dissenting opinions to ensure
that personnel have the opportunity to air any remaining concerns. If I
am satisfied that I have enough data to make an informed decision, I
will do so. In any other case, I will request additional information or
the involvement of additional personnel to help me reach the correct
technical decision.
Q3c. In cases where dissenting opinions question the safety of reactor
operations for a ship (or class of ships) deployed and operating, are
reactors immediately shut down or is a risk assessment performed to
determine whether operations can continue?
A3c. Nuclear-powered warships are designed to survive under battle
conditions. The inherent conservatism and redundancy built into these
ships, along with the extensive training provided every operator, make
it highly unlikely that any unexpected problem will pose an immediate
threat to public or environmental safety. If such an unlikely problem
ever were to occur, we would balance the multiple safety
responsibilities of reactor, crew, ship, and public safety. Where there
is a reactor safety concern, we immediately determine whether the
problem is likely to occur, the potential consequences, its potential
impact on ship operations and safety, and any alternatives that may
mitigate the problem. Since our designs include significant redundancy,
shutting down all or part of the reactor plant system of concern might
still allow safe operation of the reactor. If necessary, the reactor
would be shut down and the problem repaired, even at sea.
Q3d. While dissenting opinion may be welcomed in the Naval Reactors
program, how do you demonstrate to new junior officers that expressing
such opinions will not create problems for their careers in the Navy
outside the program--particularly if that opinion is left unsupported
by later analysis?
A3d. In the Fleet, dissenting opinions are raised through the chain of
command. Dissenting opinions are not just welcomed, they are highly
valued. For the Fleet, asking questions and raising concerns is
highlighted during training for junior officers and enlisted personnel
from their first day in the Program. In fact, we teach and require
forceful backup. If expected indications and conditions are not
observed during an evaluation, other members of the watch team are
required to point that out. There cannot be any fear of reprisal for
raising concerns or issues. The best proof of this is our record. I
can't think of a single example when a junior officer brought up a
safety issue and it created a problem for that officer's career. On the
contrary, if an officer of any rank is aware of a safety issue and
doesn't bring it up, that officer would be held accountable.
Answers to Post-Hearing Questions
Responses by Rear Admiral Paul E. Sullivan, Deputy Commander, Ship
Design, Integration and Engineering, Naval Sea Systems Command,
U.S. Navy
Questions submitted by Representative Ralph M. Hall
NASA Implementation of Investigation Board Recommendations; SUBSAFE
Program Measures
Q1. How will we know that NASA has implemented the Columbia Accident
Investigation Board (CAIB) recommendations?
A1. Respectfully, this question may be best posed to the CAIB, or
similar independent board. As a practical matter, it is beyond the
purview of the Naval Sea Systems Command (NAVSEA) to monitor NASA's
implementation of the CAIB recommendations, and therefore, we are
unable to offer a substantive response in this area. However, as noted
in my testimony, NAVSEA is a continuing participant in the NASA/Navy
Benchmarking Exchange. To that extent, we are engaged in the process of
sharing information with NASA on all aspects of the Submarine Safety
(SUBSAFE) Program, so that NASA itself can evaluate the potential
adaptability of any part of the SUBSAFE Program to the NASA Safety
Program.
Q1a. What measures do you use in your organization to determine that
your safety mechanisms are working?
A1a. The Navy uses a tiered approach to ensure Submarine Safety
(SUBSAFE) Program safety mechanisms are working. The Naval Sea Systems
Command Submarine Safety and Quality Assurance Office (NAVSEA 07Q) has
overall responsibility for overseeing the SUBSAFE Program and verifying
compliance with its requirements.
The purpose of the SUBSAFE Program is to provide
maximum reasonable assurance of a submarine's watertight
integrity and its ability to recover from a flooding casualty.
It is important to note that the SUBSAFE Program does not
spread or dilute its focus beyond this purpose. The technical
and administrative requirements of the SUBSAFE Program are
applied specifically to a carefully defined set of ship systems
and components that are critical to the safety of the
submarine. The tenets of the SUBSAFE Program are invoked in a
submarine's initial design, through construction and initial
SUBSAFE Certification, and throughout its service life.
The first tier of the SUBSAFE Program is a Quality
Program at each activity that performs SUBSAFE work. Each
facility is required to have a quality system such as that
defined by MIL-Q-9858 (Quality Program Requirements) or ISO
9000, etc. The quality assurance organization at each facility
plays a key role in validating compliance with SUBSAFE Program
requirements and in compiling the objective quality evidence
necessary to support SUBSAFE certification. A local SUBSAFE
Program Director (SSPD) provides oversight for work at each
facility and is responsible for independently verifying
compliance with the SUBSAFE Manual requirements. At private
contractor shipbuilding facilities, a U.S. Navy Supervisor of
Shipbuilding, Conversion and Repair (SUPSHIP) organization is
also assigned to monitor compliance with SUBSAFE work and
process requirements.
The second tier is the SUBSAFE audit program. NAVSEA
07Q audits the policies, procedures and practices at each
facility as well as the effectiveness of the oversight provided
by the local SSPD and SUPSHIP. There are two types of audits:
(1) the Functional Audit, which evaluates the organization's
programs and processes for compliance with SUBSAFE
requirements; and (2) the Ship Certification Audit, which
evaluates the work and processes used to overhaul or construct
each individual submarine for compliance with SUBSAFE
requirements prior to SUBSAFE certification.
The final tier is program oversight. Several
organizations provide forums for program evaluation, process
improvement, and senior level oversight. The SUBSAFE Working
Group, chaired by the Director of the Submarine Safety and
Quality Assurance Office (NAVSEA 07Q), is comprised of NAVSEA,
field activity and contractor SSPDs and meets semi-annually to
review program status and discuss recommendations for
improvement. The SUBSAFE Steering Task Group, chaired by the
NAVSEA Deputy Commander for Undersea Warfare (NAVSEA 07),
reviews program progress and provides policy guidance for the
SUBSAFE Program. The SUBSAFE Oversight Committee, chaired by
the NAVSEA Vice Commander (NAVSEA 09), provides independent
command-level oversight of the SUBSAFE Program to ensure the
purpose and intent of the SUBSAFE Program are being met.
Separation Between Operational Aspects of Program and Organizations
Providing Engineering and Safety Support
Q2. The CAIB recommends a separation between the operational aspects
of the Shuttle program and the organizations providing engineering and
safety support. Based on your experience:
Q2a. Do you agree with this as a principle for managing your program?
A2a. Yes. The separation of Program Management, the Technical
Authority, and the Safety Organization has proven an effective approach
for the Navy's Submarine Safety (SUBSAFE) Program during the last 40
years.
Q2b. Where do you place the boundaries between these three program
elements in your program and how do they interact?
A2b. The three groups--Program Management, Technical Authority, and
Safety Organization--work together to discuss issues and reach
agreement on final decisions. However, each has its own authority and
responsibility:
The Program Manager has overall authority and
responsibility for the success of his program (Quality, Cost,
Schedule). However, the Program Manager is not a technical
authority and may not make technical decisions unilaterally.
The Program Manager has the authority to choose among the
technically acceptable solutions provided by the Technical
Authority.
The Technical Authority bears ultimate responsibility
for the adequacy of the technical solutions provided to the
Program Manager.
The Safety Organization has the authority and
responsibility to ensure that compliance with SUBSAFE Program
requirements is achieved. The Safety Organization is staffed
with engineers giving it the acumen to understand the technical
issues and providing it with the credentials to challenge the
Technical Authority and the Program Manager when appropriate.
Q2c. What training and experience do you require in your senior
managers, and what incentives do you provide such managers?
A2c. Senior managers are hand picked based on detailed submarine
experience. Senior managers receive continuous training on safety and
participate in the audit process. Our senior managers, military and
civilian, are required to achieve a broad scope of experience and
formal training as they progress in their career. Both the Navy and the
Office of Personnel Management establish supervisory and management
training programs to enhance career paths and assist in developing the
knowledge, skills and abilities necessary to achieve success in the
senior management levels of the Naval Sea Systems Command (NAVSEA) and
the Navy.
Recognition and Analysis of Safety Threats
Q3. In both Shuttle accidents, NASA failed to appreciate the threat to
the vehicle from what seemed a minor problem--O-ring seals that did not
seem to work well in cold weather and foam that sometimes struck the
Orbiter's thermal protection system.
Q3a. How does your organization deal with similar ``weak signals''?
A3a. Dealing with and resolving ``weak signals'' before they become
major problems, or even disasters, is very difficult for a large
organization. It requires constant vigilance. These signals get missed
when people become complacent and accept seemingly minor unsatisfactory
conditions. As I noted in my testimony, our review of the Submarine
Safety (SUBSAFE) Program during the 1985-86 timeframe noted an
increasing number of incidents and breakdowns that raised concerns
about the quality of SUBSAFE work and thus, the level of discipline
with which that work was being performed. As a result, we established
additional program requirements and actions to improve the
understanding of SUBSAFE Program requirements, to provide increased
emphasis on oversight, and to find problems and fix them. They are
still in place today, but personal vigilance is still required as the
potential exists for complacency to creep into any organization. For
example, less than two years ago, we nearly lost the USS DOLPHIN (AGSS
555) to a flooding casualty. While it was not a SUBSAFE issue, the
casualty was due, in part, to allowing a less than acceptable condition
to exist that made it easier for water to enter the submarine when
transiting on the surface. Only the skills and exceptional action on
the part of the well-trained crew prevented disaster. Although crew
selection and training aren't part of SUBSAFE, the Navy gives them the
appropriate level of attention to ensure the crews are highly trained,
competent and motivated. Corrective and other follow-up actions are
still in progress from the incident.
Q3b. How does your organization evaluate problems to determine if they
represent recurring failures that require changes in design or
processes if they are to be dealt with? Who conducts those evaluations?
A3b. We have several formal programs for evaluating failures and
conditions that may require program or design changes. Periodic
inspections and tests are required to be performed to validate that the
condition of the submarine and its critical components support
continued unrestricted operation. The results of these inspections and
tests are tracked over time and across submarines to ensure conditions
are not degrading. During component major maintenance or overhaul, the
conditions found must be documented and reported for technical
evaluation, again, to determine if any unexpected degradation may be
occurring and to maintain a history, that is used to evaluate the need
for maintenance program or design changes. Audits of facilities and
submarines are conducted to evaluate performance and acceptability of a
submarine for SUBSAFE certification. During the service life of a
submarine and facility, problems or failures may occur that are outside
the scope of the formal inspection and audit programs. These are
required to be formally investigated and reported to Naval Sea Systems
Command (NAVSEA) as Trouble Reports. The results of audits and Trouble
Reports are tracked, maintained and trended over time, and are used to
evaluate the health of program and determine if changes are required or
appropriate to consider. Responsibility for these programs, including
implementation of changes, is assigned to specific offices or
organizations within NAVSEA. However, recommendations for significant
changes in technical requirements or program procedures are reviewed
and concurred with by members of the Technical Authority, Program
Manager and Safety Offices.
Q3c. For recurring problems, does your organization have the
capability to analyze the trend to determine if it could contribute to
a low-probability, high-consequence accident?
A3c. Trending and analysis are an integral part of the Submarine Safety
(SUBSAFE) Program and are used to guide future actions. In addition, an
annual SUBSAFE Program assessment is prepared with input from SUBSAFE
Working Group members, and is briefed to the SUBSAFE Steering Task
Group and the SUBSAFE Oversight Committee. Hazard analyses of specific
conditions or component or system operations are conducted when
warranted to assess risk and potential consequence, and to determine
what actions must be taken to mitigate risk if the condition is to be
allowed to exist.
Q3d. How much certainty would your organization require to take action
in a case where your relevant technical expert strongly believed a
catastrophe could occur but did not have the engineering evaluations to
confirm that judgment--and little or no time to conduct such
evaluations?
A3d. When we identify a significant technical/safety concern, the
normal approach is to suspend work, testing, or ship deployment until
the relevant engineering evaluations are obtained. For a significant
and imminent wartime condition or situation, a risk assessment would be
presented to the Fleet Type Commander for decision.
Questions submitted by Representative Bart Gordon
Operational vs. Developmental Safety Structure
Q1. Does it matter in your organization whether a vehicle or product
is deemed ``operational'' versus ``experimental/developmental''? Do you
have a different safety structure for operational activities versus
those that are developmental in nature?
A1. No, Submarine Safety (SUBSAFE) Program requirements are invoked in
design contracts and construction contracts, including those for
experimental or developmental items placed on our submarines. The
SUBSAFE Program structure is the same whether an item is operational or
developmental.
Dealing with Downsizing and Aging Workforce Challenges
Q2. You mentioned in your written testimony the challenge you faced in
1998 with downsizing and an aging workforce. Please describe the
magnitude of the problem and the steps you took to maintain the
integrity of the SUBSAFE Program in the face of this challenge? How are
you dealing with these problems?
A2. Over the past decade, the Naval Sea Systems Command (NAVSEA) has
undergone a significant loss of experience and depth of knowledge due
to downsizing and an aging workforce. The size of the independent
technical authority staff at NAVSEA headquarters has been reduced from
1300-1400 people in 1988 to approximately 300 today. Beginning in 1995,
NAVSEA undertook an approach to provide continued support of critical
defense technologies with a smaller Headquarters workforce. This was
accomplished through the development of a war-fighting system
engineering hierarchy that defined the necessary engineering capability
requirements. NAVSEA began to refocus our workforce on core equities or
competencies:
Setting technical standards and policies,
Certifying and validating delivered products, and
Providing a vision for the future, i.e., technology
infusion and evolution.
NAVSEA also initiated a recruitment program to hire engineering
professionals, primarily in our field activities, but headquarters
engineering staff continued to decrease.
As a result of the noted reduction in NAVSEA headquarters
independent technical authority staff over the past 15 years, we have
remained continuously engaged in balancing the need to maintain our
culture of safety while becoming more efficient.
NAVSEA currently is contemplating modest increases in staffing in
the independent technical authority and SUBSAFE and quality assurance
organizations to manage the increasing SUBSAFE workload in design,
construction and maintenance, and to bolster and renew the workforce as
our older experts retire.
Questions submitted by Representative Nick Lampson
Specific Actions to Maintain Focus on Safety
Q1. Admiral Bowman testified that, ``Safety is the responsibility of
everyone at every level in the organization,'' a sentiment echoed by
Ms. Grubbe in her statement--but in day-to-day program activities,
safety is not a primary metric for measuring performance. Safety
usually becomes an issue only after it is clearly seen to be absent.
What specific actions does your organization take to maintain the focus
on safety when the pressures to achieve organizational goals inevitably
build?
A1. First, Admiral Bowman and Ms. Grubbe are correct. The culture of
safety must be instinctive. Training, instructions and written
performance requirements are not enough to ensure safety. In the final
analysis, each person who operates, designs, constructs, maintains or
tests submarines must have the culture of safety as part of his or her
basic work ethic. This culture is instilled in our sailors from the
first day of submarine basic training, and in the civilian workforce by
continuous grooming from their leaders. It is reinforced for all by
periodic mandatory Submarine Safety (SUBSAFE) training.
Second, we cannot afford for safety to become ``absent'' and we
work constantly to ensure that does not happen. We do that by keeping
the requirements of our Submarine Safety (SUBSAFE) Program visible at
all levels. Critical safety requirements and implementation methods are
clearly defined. These safety requirements are protected regardless of
pressures. Program Managers cannot tailor them or trade them against
other technical or programmatic variables. The Technical Authority and
the Safety Office do not compromise the technical or safety
requirements to relieve a Program Manager's schedule or cost pressures.
This separation of Program Management, the Technical Authority and the
Safety Office has proven to be an effective organizational structure in
support of Submarine Safety. Our routine SUBSAFE training includes
lessons learned with strong emotional ties. Our SUBSAFE audit programs
focus on technical and safety compliance and provide additional
visibility to the importance of safety.
Finally, for the U.S. Navy Submarine Force, safety IS an
organizational goal. It is tracked carefully and reviewed frequently by
senior management, and corrective action is rapid.
Lessons from the Challenger Accident
Q2. What lessons does the Navy take away from its review of the
Challenger accident?
A2. As noted in my testimony, the Challenger accident occurred at the
same time the Naval Sea Systems Command (NAVSEA) was conducting an in-
depth review of the Submarine Safety (SUBSAFE) Program. The Challenger
accident gave added impetus to, and helped focus our effort in, several
critical areas: disciplined compliance with requirements, thoroughness
and openness of technical evaluations, and formality of our readiness
for sea certification process.
As a result of our review, we have: maintained increased visibility
on mandatory and disciplined compliance with requirements and
standards; upgraded our engineering review system (technical authority)
to ensure responsibilities and expectations for thorough engineering
reviews with discipline and integrity are clear; and established a
safety and quality assurance organization with the authority and
organizational freedom to function without external pressure. We use
annual training with strong, emotional lessons from past failures to
ensure that all members of the Navy's Submarine community fully
understand the need for constant vigilance in all SUBSAFE matters.
NASA/Navy Benchmarking Exchange
Q3. Please provide your impression of the NASA/Navy Benchmarking
Exchange (NNBE) undertaken in August of 2002. What specific plans, if
any, are there for continuing this interaction? What changes in this
interaction do you anticipate because of the Columbia accident?
A3. The NNBE has been a valuable process for both NASA and the
submarine Navy. Two reports outlining the results of the NNBE to date
have been issued, the first in December 2002 and the second in July
2003. After the loss of Columbia, NNBE activity was temporarily placed
on hold to allow NASA to focus on the accident investigation. Specific
exchanges under the NNBE process since the Columbia accident have
included Navy presentations to the NASA Engineering and Safety Center
Management Team and to the SUBSAFE Colloquium held at NASA headquarters
in November 2003. On December 2, 2003, both parties signed a Memorandum
of Agreement for participation in engineering investigations and
analyses. A Memorandum of Agreement for participation in Functional
Audits is currently being developed and is scheduled to be signed in
early 2004. In the NNBE forum, we have initiated exchanges regarding
processes for specification control, waivers to requirements, life
cycle extension, software safety and human systems integration. More
detailed discussions on these common processes are planned in 2004. We
also expect benefits from planned collaboration of technical experts in
welding, materials, life support and other areas of special interest.
Questions submitted by Representative Sheila Jackson Lee
Safety Training
Q1. How is safety training done in your organization? How is safety
awareness maintained in your organization? Please describe the kinds of
training materials you use.
A1. The Submarine Safety (SUBSAFE) Manual requires that organizations
performing SUBSAFE work establish and maintain procedures for
identifying training needs and provide for the training of all
personnel performing activities affecting SUBSAFE quality. This
requirement includes periodic SUBSAFE Awareness training. During
Functional Audits of these organizations we evaluate the adequacy of
training programs and the level of knowledge of personnel performing
SUBSAFE work. Our SUBSAFE requirements are generally integrated into
specific technical process or work-skill training. This training and
its periodicity are established and provided by each organization to
meet its needs for the work it performs.
One of the keys to SUBSAFE Program awareness is the fact that many
of the senior Navy and civilian managers and personnel have either
served aboard or temporarily embarked on submarines during their
careers. This ``underway'' experience, in addition to regular visits to
submarines undergoing construction, repair or maintenance, fosters a
heightened level of understanding in program management that is
important to maintaining the requisite level of vigilance and
visibility for SUBSAFE matters.
SUBSAFE Program Awareness Training is usually given on an annual
basis. It consists of a review of requirements, a brief history of the
SUBSAFE Program and a discussion of recent relevant program events,
e.g., changes, problems, and failures (and their causes). SUBSAFE
training beyond the annual awareness training takes a variety of forms.
Web-based training is becoming the most common. This is supported by
classroom lecture and discussion. Skills-training takes the same form
and is supplemented by practical exercises and on-the-job training. By
combining personal experience, training and our requirements in this
way, we keep the SUBSAFE Program and its requirements visible to and
fresh in the minds of the Navy's Submarine community personnel, ashore
and afloat.
Safety Audit Process
Q2. Please describe your safety audit process. What is its scope? How
often is it done? Who does it? To whom are the results reported? What
is done with the results?
A2. There are two primary types of audits in the Submarine Safety
(SUBSAFE) Program: Certification Audits and Functional Audits.
In a SUBSAFE Certification Audit, we look at the Objective Quality
Evidence associated with an individual submarine to ensure that the
material condition of that particular submarine is satisfactory for sea
trials and unrestricted operations. These audits are performed at the
completion of new construction and at the end of major depot
maintenance periods. They cover a planned sample of specific aspects of
all SUBSAFE work performed, including inspection of a sample of
installed equipment. The results and resolution of deficiencies
identified during such audits become one element of final Naval Sea
Systems Command (NAVSEA) approval for sea trials and subsequent
unrestricted operations.
In a SUBSAFE Functional Audit, we periodically--either annually or
bi-annually depending on the scope of work performed--review the
policies, procedures, and practices used by each organization,
including contractors, that performs SUBSAFE work. The purpose is to
ensure that those policies, procedures and practices comply with
SUBSAFE requirements, are healthy, and are capable of producing
certifiable hardware or design products. This audit also includes
surveillance of actual work in progress. Organizations audited include
public and private shipyards, engineering offices, the Fleet, and
NAVSEA headquarters.
Audits are performed by a team of 12 to 25 auditors, led by the
NAVSEA Submarine Safety and Quality Assurance Office (NAVSEA 07Q).
Auditors are experienced subject matter experts drawn from NAVSEA and
our field organizations that perform SUBSAFE work, e.g., shipyards,
engineering offices, etc. To ensure consistent and thorough coverage of
the areas of concern, audits are conducted using formal audit plans or
guides. In functional audits, guides are supplemented with pre-audit
analysis reports,
that assess the prior health of the organization and point out past
problems so that the effectiveness of corrective actions can be
evaluated. The results of audits are formally documented and reported
to the organization and to senior NAVSEA management. They are also
provided to other SUBSAFE organizations for lessons learned purposes.
Each deficiency must be corrected and the root cause of the deficiency
identified. The corrective action and root cause is formally reported
back to NAVSEA along with applicable objective quality evidence for
evaluation and approval. Further, each deficiency is tracked by NAVSEA
07Q to maintain its visibility and to ensure it is satisfactorily
resolved. Annually, an analysis report of all audit results, and other
reported problems, is prepared to support a senior management
assessment of the health of the SUBSAFE Program.
Functional Audits are also used to identify areas in which an
organization can initiate process improvements. Although a process or
practice may be in compliance with SUBSAFE requirements, auditors may
make recommendations, which offer the opportunity for significant
improvement in the effectiveness of the process or practice. These
recommendations, categorized as Operational Improvements, are
documented in the report and tracked until the organization provides
its evaluation and any planned actions.
In addition to the audits performed by NAVSEA, our shipyards, field
organizations and the Fleet are required to conduct internal (or self)
audits of their policies, procedures, and practices and of the work
they perform.
Answers to Post-Hearing Questions
Responses by Ray F. Johnson, Vice President, Space Launch Operations,
The Aerospace Corporation
Note of Clarification: Throughout the discussions of CAIB
investigations, the term ``safety'' is used relative to establishing
NASA flight readiness. Since our DOD launches are not human rated, we
use the term ``mission assurance'' in essentially an equivalent
meaning. For DOD launches, the term `flight safety'' is primarily
associated with the risks to the uninvolved public due to catastrophic
failure rather than mission success itself.
Questions submitted by Representative Ralph M. Hall
Q1. How will we know that NASA has implemented the Columbia Accident
Investigation Board (CAIB) recommendations? What measures do you use in
your organization to determine that your safety mechanisms are working?
A1. Following the Space Launch Broad Area Review in 1999, the Air Force
developed an execution plan for each of the Board's recommendations.
Periodically since then the BAR has reconvened and reviewed progress
against their initial recommendations. We would recommend a similar
approach to track NASA's implementation of the CAIB recommendations.
Our mission success record is the best gauge of our mission
assurance processes. Since the Broad Area Review, the renewed rigor in
mission assurance has yielded a 100 percent success rate. We have also
measured our success rate against other launch organizations (i.e.,
commercial, foreign) and found that our processes have consistently
resulted in a higher level of success.
Q2. The CAIB recommends a separation between the operational aspects
of the Shuttle program and the organizations providing engineering and
safety support. Based on your experience:
Q2a. Do you agree with this as a principle for managing your program?
A2a. Our organization and the value of our contributions comes from the
degree of independence we are afforded by our Air Force sponsors. Our
launch programs do not employ separate organizations for safety,
engineering and operations, but rather a triumvirate of program
participants (Air Force, contractor, Aerospace) with individual
responsibilities. Aerospace is the program participant with
responsibility for the independent mission assurance assessment.
Q2b. Where do you place the boundaries between these three program
elements in your program and how do they interact?
A2b. Our independent mission assurance role uses a cadre of engineering
talent with skills comparable to that of the contractor who has the
primary engineering and operational responsibility. Aerospace provides
a final launch readiness verification to the SMC Commander that is
independent from the contractor's assessment. The SMC Commander, in his
role as ultimate flight worthiness certification authority, employs an
additional oversight review team to ensure that the program
participants properly execute their responsibilities.
Flight safety is the responsibility of the Range Safety
organization at the launch sites. Range Safety is not only completely
separate from the launch system program, it is under a separate Air
Force organization. Range Safety's primary role is to protect
resources, personnel, and general public from the hazards of launch.
Q2c. What training and experience do you require in your senior
managers, and what incentives do you provide such managers?
A2c. We are essentially an engineering and scientific organization and
our role in space launch does not typically require formal
certification training of our personnel. Our engineering staff is made
up of career professionals who typically have many years experience
either in industry or academia. Many of these are the foremost
specialists in their fields. Our senior managers (up to and including
our president) all have strong technical backgrounds as well. Our field
site personnel, who are associated with vehicle operations and exposed
to hazardous conditions, are certified as required by the local safety
organizations. We are incentivized by our accountability to mission
success as well as formal recognition through a corporate awards
program.
Q3. In both Shuttle accidents, NASA failed to appreciate the threat to
the vehicle from what seemed a minor problem--O-ring seals that did not
seem to work well in cold weather and foam that sometimes struck the
Orbiter's thermal protection system.
Q3a. How does your organization deal with similar ``weak signals''?
A3a. We apply rigor in defining system performance specifications and a
continuous oversight presence in identifying any out-of-family
condition following every launch. Any out-of-family deviation is
thoroughly evaluated to determine the associated risk and corrective
action.
Q3b. How does your organization evaluate problems to determine if they
represent recurring failures that require changes in design or
processes if they are to be dealt with? Who conducts those evaluations?
A3b. Each flight is thoroughly analyzed by domain experts to identify
any anomalies. These anomalies are compared to other missions to
evaluate trends and out-of-family performance. Each item is then
assessed for mission risk and corrective action is established. Unless
the risk can positively be established as low, the corrective action is
made a lien against the next launch of that system. These evaluations
are performed by the contractor and independently by Aerospace using
separately acquired, processed, and analyzed telemetry, video and radar
data. Results and findings are compared at formal Post-Flight Reviews.
Q3c. For recurring problems, does your organization have the
capability to analyze the trend to determine if it could contribute to
a low-probability, high-consequence accident?
A3c. Yes, we not only have the capability to independently analyze
these conditions, we have the obligation to ensure they are
accomplished. We maintain a separate database of launch vehicle flight
data that our engineering team uses to maintain recurring flight
records. We have also developed unique analytical tools for the
engineers to use in analyzing and identifying trends. We recently
identified a potential problem during trend analysis of actuator
performance that was ultimately traced to internal contamination. Due
to the consequences of failure from debris migration, all actuators of
like manufacture were processed through a new cleaning procedure before
another flight was allowed.
Q3d. How much certainty would your organization require to take action
in a case where your relevant technical expert strongly believed a
catastrophe could occur but did not have the engineering evaluations to
confirm that judgment--and little or no time to conduct such
evaluations?
A3d. We believe that we are required to take the necessary time to
validate a condition such as this and would request the launch be held
if need be. Our first obligation is to validate the concern through our
readiness review process, then elevate in time to effect the launch
decision. A recent example illustrates our process. Our experts
identified a concern for dynamic instability on an upcoming Titan
launch. This was based on observations noted on other launches but
could not be readily quantified for this mission. Due to the risks
involved, we requested a launch slip of several weeks while additional
modeling was developed and analyses performed. The Air Force was
persuaded by the preliminary analysis that a more definitive answer was
warranted and delayed the launch. The results of this analysis created
sufficient concern that flight changes were made that successfully
mitigated the risk of occurrence.
Questions submitted by Representative Bart Gordon
Q1. Does it matter in your organization whether a vehicle or product
is deemed ``operational'' versus ``experimental/developmental''? Do you
have a different safety structure for operational activities versus
those that are developmental in nature?
A1. Space Launch is an inherently engineering intensive activity. This
is partly due to the high performance, low margins, numerous hazards,
and consequences of failure. But it is also due to the very low
production and flight rates with equally low repeatability and assembly
before flight. By any comparison to other transportation media, space
launch operations would not be considered an operational system and its
inherent reliability viewed as relatively low. Therefore as a space
organization we have no truly operational systems and continuous
engineering involvement is mandatory for mission assurance.
As mentioned in response to Mr. Hall's questions, Range Safety is
responsible for flight safety of our launches. When a vehicle strays
from its intended flight path, it is destroyed to protect the public
from an errant vehicle. This approach would unlikely be employed in an
operational transportation system. Also, a comparison of flight safety
procedures for space launch and air traffic control yields many
significant differences which can be attributed to the non-operational
nature of launch.
Q2. In your written testimony you noted that a root cause of some
launch failures in National Security Space programs was ``the lack of
disciplined system engineering in the design and processing of launch
vehicles exacerbated by a premature dismantling of government oversight
capability.. . .''
Q2a. Could you elaborate on the circumstances of this ``premature
dismantling'' and how it contributed to the launch failures studied in
the Broad Area Review?
A2a. The Broad Area Review found that a combination of budget
reductions and program reforms that occurred in the early-mid 1990s
converged to dilute program effectiveness. Pressures to reduce costs
resulted in reduction of government oversight, quality assurance,
erosion of expertise, and emphasis on cost savings over mission
assurance. In addition specs, standards, and policies were abandoned
and the mission assurance technical focus eroded in favor of an
``operational'' orientation. This was particularly true on Titan, one
of the most complex launch systems in use, where manpower reductions in
the government and Aerospace staff approached 50 percent. The Broad
Area Review referred to this as a ``premature going out of business
mindset'' in anticipation of flying out the remaining vehicles as the
new EELV families were in development, whereas, in reality, the Titan
launch rate was increasing. The Broad Area Review also found that the
recent failures it examined could be attributed to engineering and
workmanship (i.e., human) errors that should have been avoidable.
Q2b. How similar are the findings and conclusions of the Broad Area
Review and the Columbia Accident Investigation Board report?
A2b. In both reviews it was found that lines of responsibility,
accountability, and authority were fragmented, which resulted in an
inadequate decision process. We also see similarities in findings that
the government entity relied more and more on the contractor, allowed
organic capabilities to erode, and became more complacent.
Q2c. With Aerospace Corporation's experience in independently
assessing launch readiness, what capabilities do you expect to see in
the Air Force organizations involved in the launch decision to be
confident of a successful launch?
A2c. We expect our Air Force customer to hold us accountable for our
mission assurance responsibilities and to demand the appropriate rigor
and technical discipline in our independent assessments and
recommendations.
Q2d. How do you evaluate the relationships between the Air Force and
the contractors supplying the launchers when certifying readiness to
launch? What represents an appropriate relationship between those two
groups?
A2d. We rely on the contractors as the primary source of all data and
the first line of defense in the mission assurance/readiness process.
They provide assurance in their hardware, software, and procedures. It
is our job to independently verify that all critical items (i.e.,
hardware, software, analyses, processes, and procedures) are
technically acceptable. The appropriate relationship is one of
cooperation and technical interchange with the independent technical
party providing additional confidence through verification. The Air
Force holds both the contractor and Aerospace accountable for
independent mission assurance assessments.
Q3. In your testimony you state, ``dissenting opinions are heard.. .
.'' What specifically are the forums for these dissenting opinions? How
does your organization encourage dissent?
A3. For each launch we conduct a series of technical reviews at each
level of management up to the corporation president. At each stage of
these reviews, all disciplines and domain experts are represented and
their findings and conclusions are presented. The launch vehicle
programs rely on the domain experts in the Engineering and Technology
Group to provide the technical basis for all positions. Each discipline
presents all findings and must be in agreement on the readiness state.
If a dissenting position is presented, it will be flagged and actions
assigned to resolve. The existence of these issues is also tracked and
the dispositions presented throughout the process. This process is also
overseen by the Independent Readiness Review Team that reports to the
SMC Commander at the Flight Readiness Review in the form of a risk
assessment.
Question submitted by Representative Nick Lampson
Q1. Admiral Bowman testified that, ``Safety is the responsibility of
everyone at every level in the organization,'' a sentiment echoed by
Ms. Grubbe in her statement--but in day-to-day program activities,
safety is not a primary metric for measuring performance. Safety
usually becomes an issue only after it is clearly seen to be absent.
What specific actions does your organization take to maintain the focus
on safety when the pressures to achieve organizational goals inevitably
build?
A1. We maintain an independent chain of mission assurance
responsibility within our organization that flows up to our president.
Although we are also responsible to the Air Force program director for
his readiness assessment, our president reports to the SMC Commander
who is above the program director and who ultimately certifies flight
worthiness. It is this chain of command and the accountability expected
at each level that assures our mission assurance focus is maintained.
Questions submitted by Representative Sheila Jackson Lee
Q1. How is safety training done in your organization? How is safety
awareness maintained in your organization? Please describe the kinds of
training materials you use.
A1. True safety training and certification is only required for those
individuals at the launch site who support hazardous operations and are
near the flight hardware. For industrial safety, our Safety and
Security office is responsible for training in various procedures. They
also have safety awareness circulars and other information media, such
as the corporate website. For technical training we also have an
educational arm of the corporation, The Aerospace Institute, that has a
wide curriculum of space and national defense related courses. The
Institute has classroom courses with appropriate text and other
documentation for student's use. Our launch systems, systems
engineering, and mission assurance functions are all contained in
different modules within these courses. For those assigned specific
mission assurance functions, we maintain a well-defined process and
mentoring program that supports our technical staff.
Answers to Post-Hearing Questions
Responses by Deborah L. Grubbe, P.E., Corporate Director, Safety and
Health, DuPont
Questions submitted by Representative Ralph M. Hall
Q1. How will we know that NASA has implemented the Columbia Accident
Investigation Board (CA1B) recommendations? What measures do you use in
your organization to determine that your safety mechanisms are working?
A1. We will know when the CAIB recommendations are in place when we see
NASA leadership and management more focused on safety than on schedule.
The diagnostic is as simple and as difficult as to watch what is done.
In my firm we measure outcome metrics, e.g., the number of injuries and
we also measure leading indicators, which is a measure of the general
safety attitudes and procedures. With NASA I would start by looking at
contractor and employee injury rates. If those start to improve, the
indicator is there that management and leadership are taking safety
seriously. There are literally hundreds of measures within an world
class safety program.
Q2. The CAIB recommends a separation between the operational aspects
of the Shuttle program and the organizations providing engineering and
safety support. Based on your experience:
Q2a. Do you agree with this as a principle for managing your program?
A2a. Yes, my firm has independent authorities for both safety and for
engineering.
Q2b. Where do you place the boundaries between these three program
elements in your program and how do they interact?
A2b. All elements in my firm: manufacturing, safety and engineering
interact at the local site, where the work is being done. In NASA
terms, the work comes together at the center. We try to work with no
boundaries at all times. We work to ensure alignment against the
highest objective, which is to safely meet our customers' needs. If
there is a point of disagreement, the management of the respective
organizations are called in to help resolve the best approach.
Q2c. What training and experience do you require in your senior
managers, and what incentives do you provide such managers?
A2c. Most managers have been ``in those chairs'' and know what it is
like to see someone hurt. None of us who have been there ever want to
see that again. The only true incentive for safety is, in the end, that
everyone under my charge left today with all the parts they came with.
There is a small monetary incentive at the corporate level, which may
be as little as $500/year to someone making six figures. This money is
really not much incentive, and is more recognition of job well done.
Q3. In both Shuttle accidents NASA failed to appreciate the threat to
the vehicle from what seemed a minor problem--O-ring seals that did not
seem to work well in cold weather and foam that sometimes struck the
Orbiter's thermal protection system.
Q3a. How does your organization deal with similar ``weak signals''?
A3a. My firm investigates anything that seems ``out of the ordinary''
or unexpected. We drive the answer to root cause, and put the fix into
place as soon as practical. The important aspect of this work is to fix
it before it becomes more serious.
Q3b. How does your organization evaluate problems to determine if they
represent recurring failures that require changes in design or
processes if they are to be dealt with? Who conducts those evaluations?
A3b. Our engineering and safety organizations, along with the
collaboration of our manufacturing organization, looks to discern
common cause and special cause variation. Both common cause and special
cause variation provide data to direct the needed change.
Q3c. For recurring problems, does your organization have the
capability to analyze the trend to determine if it could contribute to
a low-probability, high-consequence accident?
A3c. Yes. Our organization, primarily our engineering organization, can
do the analysis to quantify risk.
Q3d. How much certainty would your organization require to take action
in a case where your relevant technical expert strongly believed a
catastrophe could occur but did not have the engineering evaluations to
confirm that judgment--and little or no time to conduct such
evaluations?
A3d. My firm instructs its employees that if they do not feel safe,
they are to stop their job and get someone to help them determine a
better, safer way to do the work. An engineering evaluation does not
have to do be done, someone just has to sense that ``something is not
right.''
Questions submitted by Representative Bart Gordon
Q1. Does it matter in your organization whether a vehicle or product
is deemed ``operational'' versus ``experimental/developmental''? Do you
have a different safety structure for operational activities versus
those that are developmental in nature?
A1. The same safety standards apply whether the process or equipment is
``operational'' vs. ``experimental.''
Q2. One of the ``cultural'' issues raised in the CAIB report is the
lack of respect for the safety organization demonstrated by the
engineering and program offices at NASA. How does DuPont's safety
organization avoid such marginalization?
A2. While there are many safety organizations in DuPont, every DuPont
employee, and every DuPont contractor is accountable for safety. Safety
is a line responsibility. Safety comes first. Period. No questions
asked. No one in DuPont can ignore safety without consequences that
could lead up to and include termination. If I discount safety, I can
expect to hear about it from my boss, and he is not going to be happy!
Likewise, with our corporate group. Since everyone is accountable for
safety, it is never ignored. The safety organization can serve as the
conscience on some occasions; however, you know safety is really
working with the organization serves as its own conscience.
Question submitted by Representative Nick Lampson
Q1. Admiral Bowman testified that, ``Safety is the responsibility of
everyone at every level in the organization,'' a sentiment echoed by
Ms. Grubbe in her statement--but in day-to-day program activities,
safety is not a primary metric for measuring performance. Safety
usually becomes an issue only after it is clearly seen to be absent.
What specific actions does your organization take to maintain the focus
on safety when the pressures to achieve organizational goals inevitably
build?
A1. All major DuPont meetings start with a discussion of safety.
Subjects include: statistics, what happened to me on the way home last
night, weather safety, travel safety, etc. Others actions include the
following: a monthly review of safety statistics at the global
manufacturing meetings, reporting of lost time injuries within 24 hours
to the CEO, and an aggressive off the job safety program where daily
statistics are kept on lost time with off the job fatalities reported
to the CEO within 24 hours. Safety statistics are shared daily with the
whole organization, and we share improvement ideas frequently. We know
that when we go through organizational changes, that safety can suffer,
so we also redouble our efforts during difficult times.
Questions submitted by Representative Sheila Jackson Lee
Q1. How is safety training done in your organization? How is safety
awareness maintained in your organization? Please describe the kinds of
training materials you use.
A1. Safety training starts the first day of employment and continues
monthly until one retires. Safety meeting attendance is mandatory.
Safety awareness is maintained through items like: a global safety
message that is sent out every working day at 2 a.m. EST, tool box
meetings at the start of every shift, supervisor walk-through to
support learning good safety techniques, etc. Training materials are
items like: standards, videos, computer assisted tools, demonstrations,
safety fairs, classes, safety meetings, written job procedures,
pictures on how to best do the task, etc.
Q2. You mentioned in your written testimony that ``any person can stop
any job at any time if there is a perceived safety danger.'' What
incentives do you use to encourage such action?
A2. People who stop a job, and people who offer an alert to an unsafe
situation are highlighted at a safety meeting, or verbally recognized
at a tool box meeting, or are sometimes even offered monetary
recognition. The positive reinforcement is very affirming, and we
continue to see more folks step forward and report unusual events. It
is the driving home of the fixes on these unusual events that helps to
keep people from getting hurt in the first place.
Appendix 2:
----------
Additional Material for the Record
�