#18
September 6th 03, 05:57 AM
Stuf4
Default Pre-Columbia Criticism of NASA's Safety Culture in the late 1990's

From Herb Schaltegger:
(Stuf4) wrote:

From Jon Berndt:
"Stuf4" wrote:

It is *easy* to augment the design of this pressure vessel so that it

It is? Care to elaborate on that assertion? "Easy"?


(see below)

then becomes a crew escape module. It is also easy to determine c.g.
limits of this module so that after orbiter breakup it has a stable
flight. An escape module design that would have permitted safe escape
for both -51L and -107 crews need not have had excessive weight.

These assertions seem to go against what I have read. Why do you say this?
Can you refer to some published studies?


I say this based primarily on the empirical evidence. The evidence
that Challenger's cabin and Columbia's cabin held together
significantly even though they *weren't designed* as escape modules.

JSC office MV-6 holds this responsibility today. Here is a link to
their document "Human-Rating Requirements" from June 1998:

http://www.hq.nasa.gov/office/codea/...documentd.html

Excerpt:

__________

Requirement 7:
A crew escape system shall be provided on ETO vehicles for safe crew
extraction and recovery from in-flight failures across the flight
envelope from prelaunch to landing. The escape system shall have a
probability of successful crew return of 0.99.

__________


These specialists seem to think that it's possible. And I don't know
of any major breakthroughs in crew escape technology that have changed
this situation from that of the early '70s.


Let me clue you in to an important fact in the aerospace industry: the
people writing requirements are not usually "specialists" or "experts."
They typically have a lot of KNOWLEDGE which is not at all the same
thing as technical design or implementation ability.

Another thing you should be aware of: "requirements" do not equate with
"capability." Requirements are subject to frequent changes, usually
downward to reflect implementation efforts which don't measure up to the
pie-in-the-sky requirements insisted on at the beginning of a program.


I agree with the gist of your point. Let's say that a more realistic
figure instead of 0.99 is 0.4, then the gist of my point was that
*anything* was better than Challenger's/Columbia's zero chance of
hope.

After pyrotechnics separate the module from the rest of the vehicle, a
small motor can be used to build separation (-51L showed that no motor
at all is needed). Then instead of a giant parachute designed to give
the escape module a soft landing, all that is needed is a
stabilization chute system that slows the module down enough for the
crew to bail out of (no escape pole needed because the wings are long
gone).

I'm not sure that pyrotechnics to separate the crew module from the rest of
the vehicle would go over so well, but that's just a hunch. The idea doesn't
seem so bad given that the crew module had in the case of 51-L separated
from the fuselage, but in the case of Columbia, do we know? In practice, it
might not be so easy to build.


The strongest evidence available to the general public that Columbia's
crew module remained intact for a significant period following the
structural failure of the left wing was the continued data following
LOS


You don't know that this is the case. The final burst of data is
consistent with a flat spin following loss of aerodynamic control.
Complete failure of the left wing may or may not have occurred prior to
that loss of directional control.


A JSC flight control specialist involved in the investigation has said
that LOS has been correlated with structural failure of the wing. If
you tell me that he could be wrong, I would agree with that.

along with the reports of the human remains and other cockpit
items being found within the same general area. A color-coded map
showing where these items were found will paint a clear picture of
crew cabin integrity in relation to the rest of the debris field. It
seems clear that the cabin did eventually fail at a high mach number,
but that it held together for a relatively long time. Given a
hypersonic drogue system for stabilization along with a minimal
thermal protection design, I expect that the crew cabin would have
brought Columbia's crew safely down to an energy level where a bailout
attempt would have been survivable.


What do you know about high-altitude, high-Mach number aerodynamics?
You're simply stating unsubstantiated opinion with no basis in fact
whatsoever.


I could tell you that I myself am a space shuttle entry specialist
holding an advanced degree in aerospace engineering and lots of
experience with high-altitude, high-Mach aerodynamics. Does that
change anything to the validity of the arguments I have presented?
It's all ad hominem. The arguments I present stand or fall based upon
their own merit or lack thereof.

If you have a valid criticism of those merits, please do let me know
so that I can have the opportunity to improve the ideas that I uphold
as valuable.

I maintain that such a design was easily attainable with 1970's
technology. As far as pyrotechnics for cabin separation, such systems
had already been designed, tested, and used operationally in aircraft
such as the F-111 and the B-1A.


You REALLY need to read up on the success rate (or lack thereof) of
EVERY capsule-type crew escape system ever implemented. If it's too
much trouble to dig for the original technical info, just google for
Mary Shafer's informative posts over the last several months to see how
poorly such systems have performed in real life (not your handwaving
fictional universe).


Again, whether Mary Shafer's posts have been a gold mine of accurate
information or loaded with bogus, errant notions passed off as expert
analysis does absolutely nothing to prove or disprove any point that
she presents.

I would actually urge *more caution* when assimilating the analysis of
someone with a perfect track record, because you now have to deal with
the tendency of being *less critical*. Your filter will have been
gained down to "extremely porous".

That said...

I disagree with the analysis that escape pods have poor performance.
Pods are designed to deal with the extremes of the envelope.
Therefore a performance sacrifice is made for other, more probable,
regions of the envelope. The ejection modules of the B-1 and the
F-111 are not optimized around the points where they do the vast
majority of their flying (subsonic, about town and around the traffic
pattern).

To contrast Mary's opinion, consider this as a loose analogy...

Modern cars are equipped with airbags. But car manufacturers post
warning signs as to how dangerous they are - airbags can kill your
child! Let's not jump to the conclusion that a car without airbags is
*safer* than a car with airbags. The former is optimized for the
lower performance region of the automotive envelope (slow city
driving) whereas the latter is optimized for the *entire* envelope
that your car is driven.

Yes, crew escape modules can kill you. ("Mary is right!") But not
having crew escape modules can kill you in a whole lot more ways.
Let's not lose sight of the bigger picture.

My understanding is that upon
initiation, there are strips of shaped charges that cut the cabin away
from the fuselage and that there are pyrotechnic guillotines that
cleanly cut the wire bundles and other plumbing liberating the cabin
from the rest of the vehicle. Notice that the B-1A was a
Rockwell-designed vehicle.


Notice the crew-survivability/fatality rate for any vehicle using such a
system in a FAR less demanding aerothermal environment.


In this analysis, let's include the crew-survivability/fatality rate
for B-1A/F-111 supersonic low altitude ejections. This is where the
module justifies its cost.

Modules have fallen out of favor for supersonic aircraft crew egress
design, because they just don't fly supersonic down in thick air often
enough to justify needing this protection at the expense of
sacrificing ejection performance for those parts of the envelope where
the vast majority of the flying is done.

Compare this situation to that of a spacecraft. Your mission is
requiring hypersonic flight *every* time. And the track record of
something catastrophically failing is *much* higher than that of an
aircraft mission. How can you possibly justify *not* having a means
of crew escape in the hypersonic region? Painful lessons are what
drove NASA to come around to setting the bar so high at 0.99.

It's not hard to imagine a scene from
1971/72 where these Rockwell engineers responsible for designing crew
escape were arguing fervently how it is inexcusable to *not* have a
way out for shuttle astronauts. I expect that there are many within
NASA who had demanded it.


Here's a final real world clue-in for you: twenty years-plus into a
program's life cycle is a little too late to be adding complex top-level
design requirements into the system and expect anything truly
meaningful. Hell, five years in when Challenger was lost was too late,
hence the silly bailout poll as a political bone rather than your
capsule system (which wouldn't work, either, for well understood reasons
that you don't wish to acknowledge).


(I've agreed to this point up front.)


Today NASA wants to design in a crew escape probability of 0.99. Back
in the '70s, the decision was to give them a cumulative hope of ZERO.


Completely untrue. Back then, the decision was to design to avoid
failure. If you REQUIRE no debris hits, and design to implement that
requirement, you have no lost Columbia. If you REQUIRE no O-ring SRB
burn-through and design to implement such, you have no lost Columbia.
If you determine that your implementation of the design requirements is
faulty or at least wanting, the obligation is to fix the implementation,
not add new requirements. The fatal error NASA made in the years
leading up to the loss of both vehicles was to ignore the failure in the
implementation of their own design requirements.


I actually agree with the gist of your point here. There *are* safe
ways to operate, given a less than perfect design. You must account
for your vulnerabilities and then avoid them.

I have criticized the decision to not have a crew escape module as a
back up to the back up to (...) because of the likelihood that all
vulnerabilities will not be accounted for (let alone avoided). These
vulnerabilities, in engineering parlance, are the dreaded "unknown
unknowns".

If you are smart, you can shave the safety factor during design and
subsequently apply a time-varying buffer to your operations so that you
can get the mission accomplished while remaining safely within the
unknown unknowns.

But if you are smarter, you will pad the safety factor, knowing that
you are not going to be persistent in your vigilance in the long term.

The simple term is "robust design" (vice "hanging it out").

Here's a hypothetical for you: a crew escape pod is jury-rigged into
the launch vehicle. There is another structural failure and the crew
compartment is successfully lobbed out of the conflagration in a
semi-controlled fashion. As the compartment/capsule is tumbling, your
proposed drogue is deployed to stabilize the vehicle. (This ignores the
obvious difficulties of whether such a drogue could be designed and
implemented to survive a Mach 20+ environment - no wings left, remember)
Now, what happens if the drogue fouls and doesn't deploy? After the
crew compartment is dug out of the muddy Texas plains, would you be here
moaning about how easy it would have been to have multiple drogue
'chutes? How many would you want? Two? Four? And whe the aft end
of the pressure vessel so that we take some advantage of the aerodynamic
shape of the crew compartment? Well, the aft is the area most likely to
be littered with debris from the failing structure of the orbiter, so do
we need a forward drogue assembly as well? What, then, do we do for
aerodynamic stability and to reduce heating effects on the aft end of
the crew escape module? Does it need its own thermal protection system,
too?


Your questions strike to the heart of design tradeoff dilemmas. I'll
give you my best answers...

No, the aft end does not need thermal protection for flying backwards
/ unstable. Trying to design around potential instability seems
wasteful at best. Design resources are better spent on ensuring
stability in the first place. C.g./c.p. parameters are very
controllable through smart design.

I don't know what the drogue system would look like. Maybe the
optimization would result in *none* for the hypersonic phase (only
module aerodynamics).

Your simplistic statements belie the tremendous technical complexity
involved in all this. As shown in the loss of both Columbia and
Challenger (and as illustrated by my counter-example), your mistake is
thinking that requirements mean anything. They mean nothing in the face
of poor or defective implementation. Again, I remind you that the
requirements WERE that no SRB exhaust leak past field joints; they WERE
that no debris strike the orbiter on ascent.


I'm well aware of the technical complexity of hypersonic, reusable
flight. I hope my response here has made it clear that I am not
hardline on a specific number from requirements. Anyone who has been
forced to pin down a requirement knows how fuzzy that requirement
really is.

Again, I agree that the shuttle was carefully designed to not have
catastrophic failure so that crew escape would not be needed. There
are ways to get away with this design approach. Case in point:
Airliners offer no extraction/ejection for passengers or crew.

The fundamental difference is the risk of failure. Spaceflight has
time and again been demonstrated as the harshest of flight
environments. Someday that may change. I don't see it happening in
the near future.

...and it certainly wasn't the case back in the early 1970's when
shuttle blueprints got forged in aluminum.


~ CT