A Space & astronomy forum. SpaceBanter.com


Pre-Columbia Criticism of NASA's Safety Culture in the late 1990's



 
 
  #12  
Old September 5th 03, 02:12 PM
stmx3

Stuf4 wrote:
As brutally seen in 1986, the crew cabin is much more robust than
other parts of the orbiter. There is a reason for this. It is
designed as a pressure vessel, whereas other parts of the orbiter have
no such requirement.

It is *easy* to augment the design of this pressure vessel so that it
then becomes a crew escape module. It is also easy to determine c.g.
limits of this module so that after orbiter breakup it has a stable
flight. An escape module design that would have permitted safe escape
for both -51L and -107 crews need not have had excessive weight.


It's not *easy*, as you say. This has been studied as part of NASA's
new safety initiative started a few years back. As I recall, there were
three concepts being worked, one being a full crew escape module. The
study showed a substantial sacrifice to both payload bay volume and
payload weight as to make the shuttle no longer a feasible design as a
payload-to-orbit capability.

Another concept concerned separation of flight deck and mid deck. I
don't recall the third concept.

None were *easy* to implement.




A smart compromise would have been a *lightweight crew escape module*.
There is no need for a huge parachute system. No need for
impact/floatation bags. No need even for giant-thrust rocket
separation motors.

After pyrotechnics separate the module from the rest of the vehicle, a
small motor can be used to build separation (-51L showed that no motor
at all is needed). Then instead of a giant parachute designed to give
the escape module a soft landing, all that is needed is a
stabilization chute system that slows the module down enough for the
crew to bail out of (no escape pole needed because the wings are long
gone).


In order to clear the large vertical stabilizer or wing leading edge in
the worst case scenario, while keeping the g-load within survivable
limits, there can be no *small motor*. Several rockets would be needed
to maneuver the escape module clear. I think parachutes and parafoils
were both considered.

This is just one idea. I'm sure that others were proposed.


Yes.

[snip]

In summary, it would have been easy to design the shuttle with crew
escape capability covering the vast majority of ascent/entry. It
wasn't done. After the fact it becomes very hard to retrofit this
capability. This point has been discussed many times. Here's one
post (from just prior to Feb1st) with more info:


This may be true, if you're considering designing the shuttle from
ground up with crew escape module. I can't believe that this was not
considered, but I don't know why it was not employed. Perhaps there's
someone else in this ng who knows the particulars.

  #13  
Old September 5th 03, 05:52 PM
Stuf4

From Jon Berndt:
"Stuf4" wrote:

It is *easy* to augment the design of this pressure vessel so that it


It is? Care to elaborate on that assertion? "Easy"?


(see below)

then becomes a crew escape module. It is also easy to determine c.g.
limits of this module so that after orbiter breakup it has a stable
flight. An escape module design that would have permitted safe escape
for both -51L and -107 crews need not have had excessive weight.


These assertions seem to go against what I have read. Why do you say this?
Can you refer to some published studies?


I say this based primarily on the empirical evidence. The evidence
that Challenger's cabin and Columbia's cabin held together
significantly even though they *weren't designed* as escape modules.

JSC office MV-6 holds this responsibility today. Here is a link to
their document "Human-Rating Requirements" from June 1998:

http://www.hq.nasa.gov/office/codea/...documentd.html

Excerpt:

__________

Requirement 7:
A crew escape system shall be provided on ETO vehicles for safe crew
extraction and recovery from in-flight failures across the flight
envelope from prelaunch to landing. The escape system shall have a
probability of successful crew return of 0.99.

__________


These specialists seem to think that it's possible. And I don't know
of any major breakthroughs in crew escape technology that have changed
this situation from that of the early '70s.

After pyrotechnics separate the module from the rest of the vehicle, a
small motor can be used to build separation (-51L showed that no motor
at all is needed). Then instead of a giant parachute designed to give
the escape module a soft landing, all that is needed is a
stabilization chute system that slows the module down enough for the
crew to bail out of (no escape pole needed because the wings are long
gone).


I'm not sure that pyrotechnics to separate the crew module from the rest of
the vehicle would go over so well, but that's just a hunch. The idea doesn't
seem so bad given that the crew module had in the case of 51-L separated
from the fuselage, but in the case of Columbia, do we know? In practice, it
might not be so easy to build.


The strongest evidence available to the general public that Columbia's
crew module remained intact for a significant period following the
structural failure of the left wing was the continued data following
LOS along with the reports of the human remains and other cockpit
items being found within the same general area. A color-coded map
showing where these items were found will paint a clear picture of
crew cabin integrity in relation to the rest of the debris field. It
seems clear that the cabin did eventually fail at a high mach number,
but that it held together for a relatively long time. Given a
hypersonic drogue system for stabilization along with a minimal
thermal protection design, I expect that the crew cabin would have
brought Columbia's crew safely down to an energy level where a bailout
attempt would have been survivable.

I maintain that such a design was easily attainable with 1970's
technology. As far as pyrotechnics for cabin separation, such systems
had already been designed, tested, and used operationally in aircraft
such as the F-111 and the B-1A. My understanding is that upon
initiation, there are strips of shaped charges that cut the cabin away
from the fuselage and that there are pyrotechnic guillotines that
cleanly cut the wire bundles and other plumbing liberating the cabin
from the rest of the vehicle. Notice that the B-1A was a
Rockwell-designed vehicle. It's not hard to imagine a scene from
1971/72 where these Rockwell engineers responsible for designing crew
escape were arguing fervently how it is inexcusable to *not* have a
way out for shuttle astronauts. I expect that there are many within
NASA who had demanded it.

As far as culpability of those with oversight obligation, the link to
a report was posted back on Jan XX. See discussion from the archives:

http://tinyurl.com/md4q

http://groups.google.com/groups?hl=e...ing.google.com

It was the job of those on the ASAP to call a time out whenever they
saw NASA making unwise decisions. Designing the shuttle without a
crew escape module has proven itself time and again to have been a
fatal decision.

Today NASA wants to design in a crew escape probability of 0.99. Back
in the '70s, the decision was to give them a cumulative hope of ZERO.


~ CT
  #14  
Old September 5th 03, 06:03 PM
Stuf4

From stmx3:
Stuf4 wrote:
As brutally seen in 1986, the crew cabin is much more robust than
other parts of the orbiter. There is a reason for this. It is
designed as a pressure vessel, whereas other parts of the orbiter have
no such requirement.

It is *easy* to augment the design of this pressure vessel so that it
then becomes a crew escape module. It is also easy to determine c.g.
limits of this module so that after orbiter breakup it has a stable
flight. An escape module design that would have permitted safe escape
for both -51L and -107 crews need not have had excessive weight.


It's not *easy*, as you say. This has been studied as part of NASA's
new safety initiative started a few years back. As I recall, there were
three concepts being worked, one being a full crew escape module. The
study showed a substantial sacrifice to both payload bay volume and
payload weight as to make the shuttle no longer a feasible design as a
payload-to-orbit capability.

Another concept concerned separation of flight deck and mid deck. I
don't recall the third concept.

None were *easy* to implement.


No disagreement here. My argument wasn't for retrofit of such a
capability. It was a questioning as to why this capability wasn't
included from the beginning.

....questions that both Rogers and Gehman didn't seem to want to
publish answers to (assuming that they bothered to ask).

A smart compromise would have been a *lightweight crew escape module*.
There is no need for a huge parachute system. No need for
impact/floatation bags. No need even for giant-thrust rocket
separation motors.

After pyrotechnics separate the module from the rest of the vehicle, a
small motor can be used to build separation (-51L showed that no motor
at all is needed). Then instead of a giant parachute designed to give
the escape module a soft landing, all that is needed is a
stabilization chute system that slows the module down enough for the
crew to bail out of (no escape pole needed because the wings are long
gone).


In order to clear the large vertical stabilizer or wing leading edge in
the worst case scenario, while keeping the g-load within survivable
limits, there can be no *small motor*. Several rockets would be needed
to maneuver the escape module clear. I think parachutes and parafoils
were both considered.


I was not advocating a design that covered the worst case scenario. I
was discussing a simple way out that might have covered a majority of
bad case scenarios. Some measure of hope is better than none.

This is just one idea. I'm sure that others were proposed.


Yes.

[snip]

In summary, it would have been easy to design the shuttle with crew
escape capability covering the vast majority of ascent/entry. It
wasn't done. After the fact it becomes very hard to retrofit this
capability. This point has been discussed many times. Here's one
post (from just prior to Feb1st) with more info:


This may be true, if you're considering designing the shuttle from
ground up with crew escape module.


This is exactly my point.

I can't believe that this was not
considered, but I don't know why it was not employed. Perhaps there's
someone else in this ng who knows the particulars.


I see this as a critical issue and I'm deeply disappointed to see not
one, but two investigation boards gloss over it.


~ CT
  #15  
Old September 5th 03, 06:42 PM
Herb Schaltegger

In article ,
(Stuf4) wrote:

From Jon Berndt:
"Stuf4" wrote:

It is *easy* to augment the design of this pressure vessel so that it


It is? Care to elaborate on that assertion? "Easy"?


(see below)

then becomes a crew escape module. It is also easy to determine c.g.
limits of this module so that after orbiter breakup it has a stable
flight. An escape module design that would have permitted safe escape
for both -51L and -107 crews need not have had excessive weight.


These assertions seem to go against what I have read. Why do you say this?
Can you refer to some published studies?


I say this based primarily on the empirical evidence. The evidence
that Challenger's cabin and Columbia's cabin held together
significantly even though they *weren't designed* as escape modules.

JSC office MV-6 holds this responsibility today. Here is a link to
their document "Human-Rating Requirements" from June 1998:

http://www.hq.nasa.gov/office/codea/...documentd.html

Excerpt:

__________

Requirement 7:
A crew escape system shall be provided on ETO vehicles for safe crew
extraction and recovery from in-flight failures across the flight
envelope from prelaunch to landing. The escape system shall have a
probability of successful crew return of 0.99.

__________


These specialists seem to think that it's possible. And I don't know
of any major breakthroughs in crew escape technology that have changed
this situation from that of the early '70s.


Let me clue you in to an important fact in the aerospace industry: the
people writing requirements are not usually "specialists" or "experts."
They typically have a lot of KNOWLEDGE which is not at all the same
thing as technical design or implementation ability.

Another thing you should be aware of: "requirements" do not equate with
"capability." Requirements are subject to frequent changes, usually
downward to reflect implementation efforts which don't measure up to the
pie-in-the-sky requirements insisted on at the beginning of a program.

After pyrotechnics separate the module from the rest of the vehicle, a
small motor can be used to build separation (-51L showed that no motor
at all is needed). Then instead of a giant parachute designed to give
the escape module a soft landing, all that is needed is a
stabilization chute system that slows the module down enough for the
crew to bail out of (no escape pole needed because the wings are long
gone).


I'm not sure that pyrotechnics to separate the crew module from the rest of
the vehicle would go over so well, but that's just a hunch. The idea doesn't
seem so bad given that the crew module had in the case of 51-L separated
from the fuselage, but in the case of Columbia, do we know? In practice, it
might not be so easy to build.


The strongest evidence available to the general public that Columbia's
crew module remained intact for a significant period following the
structural failure of the left wing was the continued data following
LOS


You don't know that this is the case. The final burst of data is
consistent with a flat spin following loss of aerodynamic control.
Complete failure of the left wing may or may not have occurred prior to
that loss of directional control.

along with the reports of the human remains and other cockpit
items being found within the same general area. A color-coded map
showing where these items were found will paint a clear picture of
crew cabin integrity in relation to the rest of the debris field. It
seems clear that the cabin did eventually fail at a high mach number,
but that it held together for a relatively long time. Given a
hypersonic drogue system for stabilization along with a minimal
thermal protection design, I expect that the crew cabin would have
brought Columbia's crew safely down to an energy level where a bailout
attempt would have been survivable.


What do you know about high-altitude, high-Mach number aerodynamics?
You're simply stating unsubstantiated opinion with no basis in fact
whatsoever.

I maintain that such a design was easily attainable with 1970's
technology. As far as pyrotechnics for cabin separation, such systems
had already been designed, tested, and used operationally in aircraft
such as the F-111 and the B-1A.


You REALLY need to read up on the success rate (or lack thereof) of
EVERY capsule-type crew escape system ever implemented. If it's too
much trouble to dig for the original technical info, just google for
Mary Shafer's informative posts over the last several months to see how
poorly such systems have performed in real life (not your handwaving
fictional universe).

My understanding is that upon
initiation, there are strips of shaped charges that cut the cabin away
from the fuselage and that there are pyrotechnic guillotines that
cleanly cut the wire bundles and other plumbing liberating the cabin
from the rest of the vehicle. Notice that the B-1A was a
Rockwell-designed vehicle.


Notice the crew-survivability/fatality rate for any vehicle using such a
system in a FAR less demanding aerothermal environment.

It's not hard to imagine a scene from
1971/72 where these Rockwell engineers responsible for designing crew
escape were arguing fervently how it is inexcusable to *not* have a
way out for shuttle astronauts. I expect that there are many within
NASA who had demanded it.


Here's a final real world clue-in for you: twenty years-plus into a
program's life cycle is a little too late to be adding complex top-level
design requirements into the system and expect anything truly
meaningful. Hell, five years in when Challenger was lost was too late,
hence the silly bailout pole as a political bone rather than your
capsule system (which wouldn't work, either, for well understood reasons
that you don't wish to acknowledge).

As far as culpability of those with oversight obligation, the link to
a report was posted back on Jan XX. See discussion from the archives:

http://tinyurl.com/md4q

http://groups.google.com/groups?hl=e...=off&threadm=d3af8584.0301311502.39d7452%40posting.google.com&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26selm%3Dd3af8584.0301311502.39d7452%2540posting.google.com

It was the job of those on the ASAP to call a time out whenever they
saw NASA making unwise decisions. Designing the shuttle without a
crew escape module has proven itself time and again to have been a
fatal decision.


See above. It's too late to add such a design requirement into the
existing system.

Today NASA wants to design in a crew escape probability of 0.99. Back
in the '70s, the decision was to give them a cumulative hope of ZERO.


Completely untrue. Back then, the decision was to design to avoid
failure. If you REQUIRE no debris hits, and design to implement that
requirement, you have no lost Columbia. If you REQUIRE no O-ring SRB
burn-through and design to implement such, you have no lost Columbia.
If you determine that your implementation of the design requirements is
faulty or at least wanting, the obligation is to fix the implementation,
not add new requirements. The fatal error NASA made in the years
leading up to the loss of both vehicles was to ignore the failure in the
implementation of their own design requirements.

Here's a hypothetical for you: a crew escape pod is jury-rigged into
the launch vehicle. There is another structural failure and the crew
compartment is successfully lobbed out of the conflagration in a
semi-controlled fashion. As the compartment/capsule is tumbling, your
proposed drogue is deployed to stabilize the vehicle. (This ignores the
obvious difficulties of whether such a drogue could be designed and
implemented to survive a Mach 20+ environment - no wings left, remember)
Now, what happens if the drogue fouls and doesn't deploy? After the
crew compartment is dug out of the muddy Texas plains, would you be here
moaning about how easy it would have been to have multiple drogue
'chutes? How many would you want? Two? Four? And whe the aft end
of the pressure vessel so that we take some advantage of the aerodynamic
shape of the crew compartment? Well, the aft is the area most likely to
be littered with debris from the failing structure of the orbiter, so do
we need a forward drogue assembly as well? What, then, do we do for
aerodynamic stability and to reduce heating effects on the aft end of
the crew escape module? Does it need its own thermal protection system,
too?

Your simplistic statements belie the tremendous technical complexity
involved in all this. As shown in the loss of both Columbia and
Challenger (and as illustrated by my counter-example), your mistake is
thinking that requirements mean anything. They mean nothing in the face
of poor or defective implementation. Again, I remind you that the
requirements WERE that no SRB exhaust leak past field joints; they WERE
that no debris strike the orbiter on ascent.

~ CT


--
Herb Schaltegger, B.S., J.D.
Reformed Aerospace Engineer
"Heisenberg might have been here."
~ Anonymous
  #16  
Old September 5th 03, 07:58 PM
Bruce Palmer

Stuf4 spewed out:
From Bill Harris:

I'd like to see those people involved with that
decision personally contact the 14 families to explain why
Challenger's and Columbia's crews had no way out.

And I'd like to see you explain just what the "escape mechanism" was for any
spacecraft at the stage where Columbia was lost.


It is *easy* to augment the design of this pressure vessel so that it
then becomes a crew escape module...


It's _easy_? What are you smoking (and can I have some)?

--
bp
Proud Member of the Human O-Ring Society Since 2003

  #17  
Old September 6th 03, 04:35 AM
Stuf4

From Jonathan Silverlight:
Imagine a car company that does a study and determines that it is too
expensive to build a vehicle with airbags and even seatbelts, and that
the performance of that vehicle will be degraded by this safety
equipment. So they build it. And there is a long line of people who
still want to buy it and drive it. When those vehicles crash (and
they will crash) and their occupants take their final ride through the
front windshield, I can guarantee you that the NTSB would hold that
car company accountable for willful negligence.


I don't think we have to imagine this. Wasn't there a car where they
decided that including safety features (not legally mandatory but
desirable) would cost more than the compensation they would pay if one
crashed? They were silly enough to put it in writing, too.


I remember hearing that story. Management decisions involving the
cost trade of human life has to be a haunting job. This happens in
the design of many products, from children's toys to automobiles to
spacecraft. How much will we invest in making our product safe? And
will the user be willing to foot the cost (performance cost as well as
monetary cost) of such safety features?

This is a vital role of government: to step in and set safety
standards where an uninterfered market will trend toward an unsafe
solution.

So Challenger and Columbia were not just Rockwell International's
design deficiency. They were not just NASA's program management
deficiency. These tragedies precipitated from deficiency in
governmental oversight of NASA's management of the program.

It is an oversimplification to fault Congress for not allocating
enough money for having a safe design from the start. NASA was given
enough money to build a safe shuttle. They just decided not to do so.


~ CT
  #18  
Old September 6th 03, 05:57 AM
Stuf4

From Herb Schaltegger:
(Stuf4) wrote:

From Jon Berndt:
"Stuf4" wrote:

It is *easy* to augment the design of this pressure vessel so that it

It is? Care to elaborate on that assertion? "Easy"?


(see below)

then becomes a crew escape module. It is also easy to determine c.g.
limits of this module so that after orbiter breakup it has a stable
flight. An escape module design that would have permitted safe escape
for both -51L and -107 crews need not have had excessive weight.

These assertions seem to go against what I have read. Why do you say this?
Can you refer to some published studies?


I say this based primarily on the empirical evidence. The evidence
that Challenger's cabin and Columbia's cabin held together
significantly even though they *weren't designed* as escape modules.

JSC office MV-6 holds this responsibility today. Here is a link to
their document "Human-Rating Requirements" from June 1998:

http://www.hq.nasa.gov/office/codea/...documentd.html

Excerpt:

__________

Requirement 7:
A crew escape system shall be provided on ETO vehicles for safe crew
extraction and recovery from in-flight failures across the flight
envelope from prelaunch to landing. The escape system shall have a
probability of successful crew return of 0.99.

__________


These specialists seem to think that it's possible. And I don't know
of any major breakthroughs in crew escape technology that have changed
this situation from that of the early '70s.


Let me clue you in to an important fact in the aerospace industry: the
people writing requirements are not usually "specialists" or "experts."
They typically have a lot of KNOWLEDGE which is not at all the same
thing as technical design or implementation ability.

Another thing you should be aware of: "requirements" do not equate with
"capability." Requirements are subject to frequent changes, usually
downward to reflect implementation efforts which don't measure up to the
pie-in-the-sky requirements insisted on at the beginning of a program.


I agree with the gist of your point. Let's say that a more realistic
figure instead of 0.99 is 0.4, then the gist of my point was that
*anything* was better than Challenger's/Columbia's zero chance of
hope.

After pyrotechnics separate the module from the rest of the vehicle, a
small motor can be used to build separation (-51L showed that no motor
at all is needed). Then instead of a giant parachute designed to give
the escape module a soft landing, all that is needed is a
stabilization chute system that slows the module down enough for the
crew to bail out of (no escape pole needed because the wings are long
gone).

I'm not sure that pyrotechnics to separate the crew module from the rest of
the vehicle would go over so well, but that's just a hunch. The idea doesn't
seem so bad given that the crew module had in the case of 51-L separated
from the fuselage, but in the case of Columbia, do we know? In practice, it
might not be so easy to build.


The strongest evidence available to the general public that Columbia's
crew module remained intact for a significant period following the
structural failure of the left wing was the continued data following
LOS


You don't know that this is the case. The final burst of data is
consistent with a flat spin following loss of aerodynamic control.
Complete failure of the left wing may or may not have occurred prior to
that loss of directional control.


A JSC flight control specialist involved in the investigation has said
that LOS has been correlated with structural failure of the wing. If
you tell me that he could be wrong, I would agree with that.

along with the reports of the human remains and other cockpit
items being found within the same general area. A color-coded map
showing where these items were found will paint a clear picture of
crew cabin integrity in relation to the rest of the debris field. It
seems clear that the cabin did eventually fail at a high mach number,
but that it held together for a relatively long time. Given a
hypersonic drogue system for stabilization along with a minimal
thermal protection design, I expect that the crew cabin would have
brought Columbia's crew safely down to an energy level where a bailout
attempt would have been survivable.


What do you know about high-altitude, high-Mach number aerodynamics?
You're simply stating unsubstantiated opinion with no basis in fact
whatsoever.


I could tell you that I myself am a space shuttle entry specialist
holding an advanced degree in aerospace engineering and lots of
experience with high-altitude, high-Mach aerodynamics. Does that
change anything to the validity of the arguments I have presented?
It's all ad hominem. The arguments I present stand or fall based upon
their own merit or lack thereof.

If you have a valid criticism of those merits, please do let me know
so that I can have the opportunity to improve the ideas that I uphold
as valuable.

I maintain that such a design was easily attainable with 1970's
technology. As far as pyrotechnics for cabin separation, such systems
had already been designed, tested, and used operationally in aircraft
such as the F-111 and the B-1A.


You REALLY need to read up on the success rate (or lack thereof) of
EVERY capsule-type crew escape system ever implemented. If it's too
much trouble to dig for the original technical info, just google for
Mary Shafer's informative posts over the last several months to see how
poorly such systems have performed in real life (not your handwaving
fictional universe).


Again, whether Mary Shafer's posts have been a gold mine of accurate
information or loaded with bogus, errant notions passed off as expert
analysis does absolutely nothing to prove or disprove any point that
she presents.

I would actually urge *more caution* when assimilating the analysis of
someone with a perfect track record, because you now have to deal with
the tendency of being *less critical*. Your filter will have been
gained down to "extremely porous".

That said...

I disagree with the analysis that escape pods have poor performance.
Pods are designed to deal with the extremes of the envelope.
Therefore a performance sacrifice is made for other, more probable,
regions of the envelope. The ejection modules of the B-1 and the
F-111 are not optimized around the points where they do the vast
majority of their flying (subsonic, about town and around the traffic
pattern).

To contrast Mary's opinion, consider this as a loose analogy...

Modern cars are equipped with airbags. But car manufacturers post
warning signs as to how dangerous they are - airbags can kill your
child! Let's not jump to the conclusion that a car without airbags is
*safer* than a car with airbags. The former is optimized for the
lower performance region of the automotive envelope (slow city
driving) whereas the latter is optimized for the *entire* envelope
that your car is driven.

Yes, crew escape modules can kill you. ("Mary is right!") But not
having crew escape modules can kill you in a whole lot more ways.
Let's not lose sight of the bigger picture.

My understanding is that upon
initiation, there are strips of shaped charges that cut the cabin away
from the fuselage and that there are pyrotechnic guillotines that
cleanly cut the wire bundles and other plumbing liberating the cabin
from the rest of the vehicle. Notice that the B-1A was a
Rockwell-designed vehicle.


Notice the crew-survivability/fatality rate for any vehicle using such a
system in a FAR less demanding aerothermal environment.


In this analysis, let's include the crew-survivability/fatality rate
for B-1A/F-111 supersonic low altitude ejections. This is where the
module justifies its cost.

Modules have fallen out of favor for supersonic aircraft crew egress
design, because they just don't fly supersonic down in thick air often
enough to justify needing this protection at the expense of
sacrificing ejection performance for those parts of the envelope where
the vast majority of the flying is done.

Compare this situation to that of a spacecraft. Your mission is
requiring hypersonic flight *every* time. And the track record of
something catastrophically failing is *much* higher than that of an
aircraft mission. How can you possibly justify *not* having a means
of crew escape in the hypersonic region? Painful lessons are what
drove NASA to come around to setting the bar so high at 0.99.

It's not hard to imagine a scene from
1971/72 where these Rockwell engineers responsible for designing crew
escape were arguing fervently how it is inexcusable to *not* have a
way out for shuttle astronauts. I expect that there are many within
NASA who had demanded it.


Here's a final real world clue-in for you: twenty years-plus into a
program's life cycle is a little too late to be adding complex top-level
design requirements into the system and expect anything truly
meaningful. Hell, five years in when Challenger was lost was too late,
hence the silly bailout pole as a political bone rather than your
capsule system (which wouldn't work, either, for well understood reasons
that you don't wish to acknowledge).


(I've agreed to this point up front.)


Today NASA wants to design in a crew escape probability of 0.99. Back
in the '70s, the decision was to give them a cumulative hope of ZERO.


Completely untrue. Back then, the decision was to design to avoid
failure. If you REQUIRE no debris hits, and design to implement that
requirement, you have no lost Columbia. If you REQUIRE no O-ring SRB
burn-through and design to implement such, you have no lost Columbia.
If you determine that your implementation of the design requirements is
faulty or at least wanting, the obligation is to fix the implementation,
not add new requirements. The fatal error NASA made in the years
leading up to the loss of both vehicles was to ignore the failure in the
implementation of their own design requirements.


I actually agree with the gist of your point here. There *are* safe
ways to operate, given a less than perfect design. You must account
for your vulnerabilities and then avoid them.

I have criticized the decision to not have a crew escape module as a
back up to the back up to (...) because of the likelihood that all
vulnerabilities will not be accounted for (let alone avoided). These
vulnerabilities, in engineering parlance, are the dreaded "unknown
unknowns".

If you are smart, you can shave the safety factor during design and
subsequently apply a time-varying buffer to your operations so that you
can get the mission accomplished while remaining safely within the
unknown unknowns.

But if you are smarter, you will pad the safety factor, knowing that
you are not going to be persistent in your vigilance in the long term.

The simple term is "robust design" (vice "hanging it out").

Here's a hypothetical for you: a crew escape pod is jury-rigged into
the launch vehicle. There is another structural failure and the crew
compartment is successfully lobbed out of the conflagration in a
semi-controlled fashion. As the compartment/capsule is tumbling, your
proposed drogue is deployed to stabilize the vehicle. (This ignores the
obvious difficulties of whether such a drogue could be designed and
implemented to survive a Mach 20+ environment - no wings left, remember)
Now, what happens if the drogue fouls and doesn't deploy? After the
crew compartment is dug out of the muddy Texas plains, would you be here
moaning about how easy it would have been to have multiple drogue
'chutes? How many would you want? Two? Four? And whe the aft end
of the pressure vessel so that we take some advantage of the aerodynamic
shape of the crew compartment? Well, the aft is the area most likely to
be littered with debris from the failing structure of the orbiter, so do
we need a forward drogue assembly as well? What, then, do we do for
aerodynamic stability and to reduce heating effects on the aft end of
the crew escape module? Does it need its own thermal protection system,
too?


Your questions strike to the heart of design tradeoff dilemmas. I'll
give you my best answers...

No, the aft end does not need thermal protection for flying backwards
/ unstable. Trying to design around potential instability seems
wasteful at best. Design resources are better spent on ensuring
stability in the first place. C.g./c.p. parameters are very
controllable through smart design.

I don't know what the drogue system would look like. Maybe the
optimization would result in *none* for the hypersonic phase (only
module aerodynamics).

Your simplistic statements belie the tremendous technical complexity
involved in all this. As shown in the loss of both Columbia and
Challenger (and as illustrated by my counter-example), your mistake is
thinking that requirements mean anything. They mean nothing in the face
of poor or defective implementation. Again, I remind you that the
requirements WERE that no SRB exhaust leak past field joints; they WERE
that no debris strike the orbiter on ascent.


I'm well aware of the technical complexity of hypersonic, reusable
flight. I hope my response here has made it clear that I am not
hardline on a specific number from requirements. Anyone who has been
forced to pin down a requirement knows how fuzzy that requirement
really is.

Again, I agree that the shuttle was carefully designed to not have
catastrophic failure so that crew escape would not be needed. There
are ways to get away with this design approach. Case in point:
Airliners offer no extraction/ejection for passengers or crew.

The fundamental difference is the risk of failure. Spaceflight has
time and again been demonstrated as the harshest of flight
environments. Someday that may change. I don't see it happening in
the near future.

...and it certainly wasn't the case back in the early 1970's when
shuttle blueprints got forged in aluminum.


~ CT
  #19  
Old September 6th 03, 06:23 AM
Stuf4
external usenet poster
 
Posts: n/a
Default Pre-Columbia Criticism of NASA's Safety Culture in the late 1990's

From Gene DiGennaro:

I still think that had the crew of both 51L and 107 been able to
separate from the orbiter's airframe, they were still doomed. I have
heard that if 51L crew had parachutes, they could have bailed out of
the crew cabin. I have also heard a similar argument for 107.

Any oldtimers here remember the A-3 Skywarrior or the F3D Skynight?
Both of these early jets had an escape chute or slide to bail out of
the aircraft. It worked ONLY when the aircraft was in smooth level
flight. (Gee if the plane was in smooth level flight, why would you
want to bail out?) The slides were useless in a spinning, out of
control situation that is most common when pilots eject.


I would agree that module stability is essential for success. This
would need to be a design requirement.

As to bailing out while flying straight and level, shuttle crews
practice this for every mission (obviously, not having the energy
capability to make a suitable runway is one reason for doing so).

For an aircraft, there are many reasons why you might need to eject
while flying straight and level. Like defecting to a Western country.
Ha!

(actually there's a sad ending to that story, as you may know)

Perhaps the most often viewed clip of controlled flight ejection was
of that A-10 during flight test at Edwards back in the early '70s.
Great slow motion film of an ejection. The reason for needing to get
out was that the gun was being test fired and hot gas ingestion flamed
out both engines. I can't remember the reason why restart was
unsuccessful, but many attempts were tried. Apparently it has been
determined that you can't maintain enough windmilling hydraulics in
order to safely land the jet (you can see from the film that the
lakebed was reachable). Painful ending to this story too in that the
pilot, after safely ejecting, did an inadequate parachute landing and
cracked his helmet on a rock. It's been a while since I've seen his
interview retelling the story, but I seem to remember that he didn't
fly for a long time afterwards.

(I'm not sure that I'm convinced that an A-10 dead-stick can't be
flown to a safe touchdown. But the point remains that there are lots
of scenarios where you need to punch out smooth in controlled flight.)

Even given a robust orbiter cabin that survived both accidents (51L and
107) it seems awfully unlikely that the crew could have crawled out of
the seats, opened a hatch and yelled "geronimo". Barring a cushion and
large parachute a la B-1A or F-111 escape capsule, shuttle crews still
needed ejection seats to get out of the pressure cabin.


If what you are saying here can be shown to be accurate, then my
response is...

Let's give them ejection seats!

Wings or Airpower magazine had a good article recently on aircraft
escape systems.


I'll keep my eyes out for it. Thanks for the tip.


~ CT
  #20  
Old September 6th 03, 11:25 AM
Jonathan Silverlight
external usenet poster
 
Posts: n/a
Default Pre-Columbia Criticism of NASA's Safety Culture in the late 1990's

In message , Stuf4
writes
From Gene DiGennaro:

I still think that had the crew of both 51L and 107 been able to
separate from the orbiter's airframe, they were still doomed. I have
heard that if 51L crew had parachutes, they could have bailed out of
the crew cabin. I have also heard a similar argument for 107.

Any oldtimers here remember the A-3 Skywarrior or the F3D Skynight?
Both of these early jets had an escape chute or slide to bail out of
the aircraft. It worked ONLY when the aircraft was in smooth level
flight. (Gee if the plane was in smooth level flight, why would you
want to bail out?) The slides were useless in a spinning, out of
control situation that is most common when pilots eject.


I would agree that module stability is essential for success. This
would need to be a design requirement.

As to bailing out while flying straight and level, shuttle crews
practice this for every mission (obviously, not having the energy
capability to make a suitable runway is one reason for doing so).


Just how do you practice bailing out of a space shuttle? When I read
about this I'm reminded of the opening of "Encounter with Tiber" where
they lose one crew member during the bail out and another drowns.
--
"Forty millions of miles it was from us, more than forty millions of miles of
void"
 



