NASA Procedures and Guidelines
This Document is Obsolete and Is No Longer Used. Check the NODIS Library to access the current version: http://nodis3.gsfc.nasa.gov
NPR 8621.1 Eff. Date: June 02, 2000 Cancellation Date: February 11, 2004	NASA Procedures and Guidelines for Mishap Reporting, Investigating, and Recordkeeping
| TOC | ChangeHistory | Preface | Chp1 | Chp2 | Chp3 | Chp4 | Chp5 | Chp6 | All-Appendices | AppdxA | AppdxB-All | AppdxB1 | AppdxB2 | AppdxB3 | AppdxB4 | AppdxC | AppdxD | AppdxE-All | AppdxE1 | AppdxE2 | AppdxF-All | AppdxF1 | AppdxF2 | AppdxF3 | AppdxG | AppdxH-All | AppdxH1 | AppdxH2 | AppdxH21 | AppdxH3 | AppdxH4 | AppdxH5 | AppdxH6 | AppdxH7 | AppdxI-All | AppdxI1 | AppdxI2 | AppdxI3-All | AppdxI31 | AppdxI32 | AppdxI33 | AppdxI34 | AppdxI35 | AppdxJ-All | AppdxJ1 | AppdxJ2 | AppdxJ3 | AppdxJ4 | AppdxJ5 | AppdxJ6 | AppdxJ7 | AppdxJ8 | AppdxJ9 | AppdxJ10 | AppdxJ11 | AppdxK | AppdxL | AppdxM | Cover | ALL |

1.1 Review of Records

1.1.1 "Records" encompass all records and historical data related to the specific equipment, operation, and operating personnel associated with the mishap. These records may include films, checkout equipment tapes, voice recordings, telemetry tapes, flight data recordings and/or readouts from other recording devices, and all forms of computerized information/data as well as printed matter. The first challenge is to determine what is relevant and what is not. Many times that cannot be determined until the data is reviewed and in some cases not until late in the investigation as specific areas are ruled as potentially causal based on other evidence. For that reason, records or other documentary evidence are not discarded as irrelevant without thorough evaluation. Paper documents must be read and correlated with evidence to help form the story of the mishap.

1.1.2 Printed and handwritten records maintained prior to and during the operation resulting in the mishap may also reveal extraordinary conditions related to the mishap. These records may be categorized as follows:

1.1.2.1 Operating History - Includes malfunction reports, operating logs, corrective action records, unsatisfactory condition reports, maintenance records, time and event recordings, pad logs, deviations and waivers authorized, and weather reports.

1.1.2.2 Personnel Records - Includes training and certification records, medical records, and records of violations.

1.1.2.3 Evaluation and Analysis Reports - Includes safety survey reports, safety analysis reports, equipment qualification records, and test logs.

1.1.3 Flight data and voice recorders when used in aircraft involved in a mishap are important sources of mishap evidence. The NTSB, in Washington, DC, maintains unique equipment and capabilities for analyzing such recordings and should be consulted, as required. The investigating officer should ensure that, for retrievable vehicles, the location of recorders on the type of vehicle involved in the mishap is known and that qualified personnel are available for immediate removal of these recorders. The readout data, when compiled, should be coordinated with the operations and witness group and others if necessary.

1.2 Examination of Testimony

1.2.1 Before using testimony to reach conclusions, the investigator should determine how much valid, factual evidence it contains, and how much of the information is conflicting. Where the circumstances are complex and a large number of conflicting statements have been made, the investigator should carefully review and evaluate the testimony. Testimony should be substantiated whenever possible; however, other testimony may be used in the investigation if carefully considered and appropriate restrictions are imposed. In cases where the flight path of a vehicle is involved, the clarification of testimony is obtained by marking on a map or on a mishap area diagram the location of each witness and the point at which the witness believes the vehicle was seen. If the witness can state the time the vehicle was seen at a given place, this information should also be noted on the map. The flight path should be apparent if all of the statements are reliable. Witness statements should be posted beside a mishap area diagram so that each board member has the opportunity to evaluate the statements and suggest additional sources of information. If there are so many inconsistent statements that clear-cut conclusions cannot be drawn, the investigator should make a detailed evaluation of the statements to determine which are the most reliable. This is best done by preparing a chart which contains a list of all stated opinions which appear in the witness statements. A witness statement matrix, described in Appendix E, is extremely helpful in determining where the preponderance of opinion lies. Such findings may then be correlated with previously uncovered evidence during the causal factor analysis.

1.2.2 The utilization of testimony from persons who did not witness the mishap firsthand or who do not have direct knowledge of the areas being explored should not be encouraged and should occur only when necessary for clarification of testimony. The verbal testimony of key operating personnel and specialists may prove useful in evaluating the validity of evidence and in clarifying points which are not understood.

1.3 Wreckage Reconstruction

1.3.1 It may be necessary to reassemble the wreckage from a mishap in order to clarify or correlate evidence, or to prove a theory that is difficult to evaluate. If conditions and locations permit, a limited wreckage reconstruction in the field may be sufficient. However, indoor reconstruction permits a much more detailed examination. A voting member of the investigation board should be designated to control and coordinate wreckage reconstruction. After all groups have completed an on-the-scene examination, the entire wreckage may be removed to another area for further examination. Adequate measures should be taken to preserve wreckage for subsequent reconstruction and analysis under controlled conditions. All parts and pieces should be carefully isolated and preserved indoors in an area that can be adequately secured and controlled. Reconstruction of twisted or broken parts may enable investigators to determine points of failure, the nature of stress involved, the origin of fire or explosion, sequence of failure events, and other details which help determine cause and which serve as evidence to support conclusions and recommendations. At this point, the use of specialized investigative skills and professional talent may prove invaluable. The investigator may employ either or both of two common methods of wreckage reconstruction. The first method, which affords a broad, top-level examination to determine evidence that may have been overlooked previously, is accomplished by laying out all parts in their normal relative positions on the ground or on the floor. The second method is utilized when detailed study of one area is desired. A framework of metal or wood covered with chicken wire is constructed to attach wreckage in a three dimensional mockup. Though not classified as wreckage construction, another effective means of visualizing how damage may have been incurred is to outline discoloration or failure patterns with colored tape or grease pencil on another like system. Thus, smoke trails, sears in the skin of equipment, or other damage may be seen in relation to the areas possibly affected by the initial failure. In all cases, reconstructed wreckage should be made available for analysis by the investigation board.

1.4 Examination of Parts

1.4.1 If field investigation or wreckage reconstruction does not obtain conclusive evidence of mishap causes, it may be necessary to conduct a detailed inspection of every part or component suspected of failure. Support requested for this investigative effort may consist of specialized technical personnel (NASA or contractors), laboratory analyses of materials and failed parts, special tests or demonstrations, and teardown evaluation of suspected assemblies or components. Recent advances in the science of nondestructive testing have resulted in the development of many laboratory facilities for use in examining parts suspected of failure. These facilities are available through existing governmental agencies and private organizations. Methods and equipment have been developed for identifying failures and deficiencies in areas such as:

1.4.1.1 Structural overstress, flaws, and cracks detected by the magnetic particles, dye penetrant, eddy current, ultrasonic, and X-ray processes.

1.4.1.2 Electromagnetic and microwave hazards and deficiencies in radioactive isotopes, linear accelerators, and nuclear reactors detected by radiographic inspections and radiological detection devices.

1.4.1.3 Material quality and quantity detected by electron microscope, electron microprobe analyzer, X-ray detection, spectroscope, infrared, or other such tests.

1.4.1.4 Thermal overloads, inadequate welds, and incomplete bonds detected by infrared-radiometric microscope.

1.4.1.5 Mixture quality and quantity detected by gas chromatography and chemical analysis.

1.4.1.6 Physiological aspects detected through biological and medical techniques and other tools such as infrared absorptiometry, radioactive assay, mass spectrometry, chromatography, ultrafluorescent cytology.

1.4.2 The chairperson may request assistance in obtaining such specialized support as described above.

1.5 Analyzing Data

1.5.1 Root causes can be determined only through proper investigation to ascertain factors which contributed directly or indirectly to the mishap. The investigation findings reflect the thoroughness and effectiveness of the processes of collection of evidence and analysis. Deductive reasoning, which begins after disclosure of the base facts and continues through the process of analysis, should be the basis for all investigation findings. It may be necessary to resort to a process of elimination to arrive at conclusions as to what happened. In some cases evidence may be so obscure that causal factors cannot be adequately determined from evidence alone. The investigator may be forced to rely on mishap simulation, trajectory generation, or system history studies to arrive at root causes. In some cases, research studies should be conducted to determine facts when technical data is lacking.

1.5.2 Important by-products of investigations which are often overlooked are the contributing root causes and significant observations. The factors did not cause or necessarily contribute to the mishap in question, but under other possible conditions could be significant sources of hazard. The investigator should be aware that such factors do exist, and that they often precipitate future mishaps of greater magnitude. Few mishaps are identical repetitions of previous conditions and results. In any event, preventive measures can be taken based on known, expected, and potential and contributing factors. These form a basis for recommendations for corrective action which can be highly effective in preventing future mishaps. There are several approaches to the analysis of evidence related to mishaps. The following paragraphs describe some of these methods. Greater detail is provided on the most pertinent analytical techniques in Appendix I-3.

1.5.3 Sequence of Events - It is necessary, as early as possible after the collection of evidence, to establish a history of events from the time of operational readiness preparations to the time of the mishap. This is accomplished by using recordings, telemetry data, test procedures, logs, witness/participant testimony, and other pertinent data obtained or impounded earlier. Such a time-based sequence of events is an invaluable tool for substantiating evidence, for pointing out specific areas where detailed examination is needed, and for separating the event which caused the mishap from subsequent events which resulted from the mishap.

1.5.4 Known Precedent - The known-precedent concept is based on the historically supported theory that events will repeat themselves given enough trials. When applied to the mishap investigation, the known precedent provides a basis for recognizing events that may have contributed to the mishap. Previous mishap/incident reports, hazards analyses, test failure histories, and safety analysis reports (SAR) may also provide a precedent to the total mishap or to some specific aspects of the mishap. Search for a known precedent should not be limited to the history of the system in question but should be expanded to include the histories of similar types of systems.

1.5.5 Causation/Logic Models - Everything that can be seriously considered as a possible cause should be explored and evaluated. Logic models are helpful to ensure that all facets of the problem are given due consideration. One or more of the approaches listed below may be used in constructing causation and logic models.

1.5.6 Person-Machine-Media-Management - Examples of items which may be considered under each of the elements of logic models of this type are:

a. Person - human error, psychological and physiological limitations, physical interface with equipment, operating procedures and communications, and training media.

b. Machine - design deficiency and material degradation or failure.

c. Media - the person's working environment, natural phenomena, operational environment imposed on equipment, and abnormal environments imposed by emergency situations.

d. Management - management philosophy, policy, requirements, and guidance.

1.5.7 Unsafe Acts-Unsafe Conditions: Includes personnel error, hardware failure, management deficiencies, design inadequacies, and other acts/conditions which pose hazards to personnel and equipment.

1.5.7.1 Engineering-Education-Enforcement - examples of items which may be considered under each of the elements of logic models of this type are:

a. Engineering - design deficiencies, inadequate test procedures, incomplete test and checkout, human error by operator, engineering/maintenance personnel, and material failure.

b. Education - improper emphasis on training, inadequate training facilities and educational tools, incomplete instructions, and erroneous statements by instructors.

c. Enforcement - inadequate delineation of engineering and management requirements, noncompliance with specifications, improper access control procedures, failure to follow up on safety survey findings, and failure to enforce safety standards.

1.6 Problem Solving Technique

The investigator will find that the traditional problem-solving technique of posing a hypothesis and developing it to the point where it is proved or disproved is an effective means of arriving at root cause(s). Initially, data should be collected to support the hypothesis or assumption. These data should be checked for accuracy and thoroughly reviewed to assure that they support the situation (or hypothesis) in question and not just some other situation not perceived at that time. Next the logical or empirical consequences of the data are tested. The results of these tests are then compared to the actual condition, thereby validating or invalidating the hypothesis. For example, if a mishap occurred as the result of an erratic launch vehicle motion, it may be hypothesized that the erratic motion was caused by an attitude control system failure. All telemetry data generated by the equipment monitoring that system during the time period in question should then be collected to prove or disprove the hypothesis. If a failure is indicated, it should then be determined whether that failure was of such magnitude that the unstable condition could have resulted. This theory may then be tested empirically through aerodynamics simulation. If the results of these calculations prove that the failure was of such magnitude that an unstable condition could have resulted, then the hypothesis is validated.

CAUTION: An investigator must not become so focused on a single hypothesis that the goal becomes proving it to be true and disregarding all other hypotheses. The only effective approach is to evaluate the evidence first, determine possible failure scenarios, and then develop hypotheses about those failure scenarios.

1.7 Mishap Research and Simulation

In the absence of conclusive evidence, it may be necessary to simulate the mishap environment and physical situation to arrive at a determination of what happened and why. Under these circumstances, the building of mockups and the simulation of events and conditions under which the mishap took place may provide the answers. Three-dimensional, full-scale models of the equipment involved in the mishap may have to be constructed and dynamic simulation made of sequential events. An investigation sometimes is not considered complete until duplication of certain failure patterns under simulated mishap conditions is effected. If research or simulation is required, it may be necessary to include the identification of this requirement as part of the board's findings and recommendations, and to defer final conclusions to a later date in order to expedite completion of the investigation report.

1.8 Statistical Analysis Cause Categorization.

1.8.1 Mishaps may be caused by human factors, material failure, design, technical data, organizational deficiencies, or natural phenomena. For statistical purposes and trend analysis, mishap cause factors are categorized as follows:

1.8.1.1 Human factors is the category which accounts for human, physical, physiological, and psychological limitations. Elements that range from organizational, team, individual, and design inputs can influence human performance. It includes errors such as failure to follow approved checklists or to use standard procedures and/or techniques. It also covers factors associated with physical limitations such as illness and blackout and psychological problems such as claustrophobia. Human factors may be underlying or well hidden and become apparent only after a careful evaluation. The failure of a person to perform an act may be classified as a human failure provided that one should be expected to perform the act on the basis of experience, training, or instruction. The human failure category may be assigned regardless of whether or not a determination can be made as to why the failure occurred.

1.8.1.2 Material failure is the physical breakdown or chemical deterioration of any part, structure, or component.

1.8.1.3 Design deficiency may sometimes be difficult to differentiate from material failure. If a part or component is so designed that failure can occur under predictable circumstances, it is a design deficiency.

1.8.1.4 Technical data deficiency results from authorized use of inadequate technical data operating instructions, and documentation containing omissions or erroneous data. Technical data includes documentation such as safety and hazards analysis reports, operational readiness inspection reports, and test and checkout plans and procedures.

1.8.1.5 Organization deficiency exists when an element of management directly or indirectly caused or contributed to the mishap because of inadequate planning, supervision, staffing of operations, evaluation of procedures, policies, rewards, dissemination of information, change process, and/or training or other factors affecting human performance.

1.8.1.6 Natural phenomena includes acts of nature. This does not apply when there is evidence of failure to take normal precautions against these contingencies.

1.8.1.7 Undetermined is the category used if a root cause, or a most probable cause, is not established by the consensus of the board.

DISTRIBUTION:
NODIS