Launch failures: the predictablesby Wayne Eleazer
|
There have indeed been launch failures where the required data was there beforehand and the prudent course of action to avoid failure should have been obvious, yet all that was ignored. |
The most recent US failures, of the SpaceX Falcon 9 and Orbital ATK Antares, are examples of this. Tests were done and inspections were accomplished, but they gave no indication of the impending failure of a pressure vessel support strut or an AJ26 engine. Corrective action for both companies apparently has been to switch to suppliers that can provide products they can trust. Obviously, both companies concluded that there were no feasible additional inspections or tests that could be done that would ensure that the existing hardware always would meet their requirements.
Even in the case of the loss of the Space Shuttle Challenger on January 28, 1986, while some people had raised concerns over the erosion of the solid motor segment joints, no one could say just exactly what was about to occur, or even if anything would at all. There was no data that showed the combination of the design deficiencies in the solid motors, the unusually low ambient temperatures, and thermal conduction along the strut from the cryogenic external tank, along with high altitude wind shear, would cause a catastrophic failure. All that became clear only after extensive investigation.
However, there have indeed been launch failures where the required data was there beforehand and the prudent course of action to avoid failure should have been obvious, yet all that was ignored.
Atlas 68E, a converted CGM-16E ICBM, lifted off from SLC-3W at Vandenberg Air Force Base late one evening. All went normally for the first two minutes of flight, but a few hundred milliseconds prior to what would have been commanded shutdown, one booster engine prematurely lost thrust. The asymmetric thrust spun the vehicle around over 180 degrees in less than a second. Remarkably, the vehicle not only survived the violent pivot intact, but then stabilized in what amounted to a retrofire attitude, lost velocity, descended, and finally exploded long before reaching the Earth’s surface.
The mishap investigation revealed that the cause of the engine failure was loss of engine gearbox lubrication, which occurred at around T+100 seconds. The conclusion reached by the US Air Force Mishap Board was that a section of the lubrication feed line failed. Portions of the feed line were made of a material that was susceptible to stress corrosion. This fact had been known for years, but with the plans underway to replace all US expendable launch vehicles (ELVs) with the Space Shuttle, there was little interest in spending any unnecessary funding on the old boosters. More than 25 Atlas ICBMs had been scrapped or otherwise disposed of several years before in anticipation of the Shuttle. The cost to replace the parts that were susceptible to stress corrosion was trivial, especially compared to the costs of a failure, but the overall attitude toward ELVs deterred such a logical and prudent action.
The investigation also revealed that some of the features left over from the ICBM had been retained even though they presented potential failure modes. For example, because the Atlas E ICBM was stored horizontally and had to be erected just before launch, it featured two quick disconnect fittings so that the lube oil tank could be filled in either the horizontal or vertical position. Corrective action for the remaining vehicles not only replaced the stress corrosion susceptible fittings but removed the unneeded additional quick disconnect fitting and also safety wired the fittings on the entire lubrication system.
On May 3, 1986, Delta 3914 #178, originally intended to be one of the last few Delta vehicles to be built, lifted off from LC-17 at Cape Canaveral Air Force Station. At T+70 seconds, the RS-27 main engine shut down and the vehicle tumbled out of control, three of the Castor IV strap-on motors still burning.
“We used to have 200 engineers on that program but by that time we had only 30. And that difference showed, too. That was the worst quality I have ever seen on a Delta vehicle.” |
Investigation revealed that the most likely cause of the failure was a momentary short circuit that killed electrical power to the Rocket Engine Relay Box. The engine shut down in response, just as if it had received a proper signal to do so. The power was restored to the relay box a fraction of a second later, but by that time the engine had already quit and could not be restarted.
The Delta program suffered from the same ELV phase-out challenge faced by all US boosters in that time period. The senior McDonnell Douglas engineer responsible for the review of the vehicle before launch summed up his findings thusly: “We used to have 200 engineers on that program but by that time we had only 30. And that difference showed, too. That was the worst quality I have ever seen on a Delta vehicle.”
A wiring chafe-through on an ELV clearly is a quality problem, related to the placement of the wires and their integrity. It was a quality problem on a booster with the “worst quality ever” that killed the Delta GOES mission. The wiring concerns could hardly have been ignored. But the boosters were being phased out and thus no one reacted to the review findings. It seems likely that the observed quality problems were so extensive that specific concerns, while no doubt observable, were overwhelmed by the large number of problems that existed on the vehicle.
Following the Delta failure investigation, the industry went through something of a catharsis concerning wiring. All existing boosters were inspected for wiring problems and further concerns were found on some. Examination and testing revealed that the Delta had the thinnest wiring insulation of any booster, and that Teflon insulation had the nearly unique capacity to heal itself. After the initial short circuit, smaller arcing episodes would take place that would char and melt the insulation so that it once again protected the wiring. Of course, the problem was preventing the chafe-through in the first place, not trying to survive the arcing when it did occur.
Following the loss of the Space Shuttle Challenger, the Titan IV booster became the primary US heavy-lift launch vehicle. Originally intended to merely “complement” the Space Shuttle’s capabilities for only ten launches, the Titan IV program had to be radically expanded in both numbers and mission types. Instead of just the Centaur as an upper stage, Titan IV rockets would also fly with the Inertial Upper Stage (IUS) as well as with no upper stage, for use on lower altitude missions. The number of launch pads had to be expanded from just one at Cape Canaveral AFS to two pads at the Cape and two at Vandenberg AFB, one of which would be a brand new pad that would include Centaur upper stage capabilities.
As things turned out, the second Vandenberg pad for Titan IV was cancelled after the Soviet Union collapsed. But even with the reduced numbers, Titan IV would eventually fly 39 missions and the program would develop a new solid motor strap-on booster design that utilized a more advanced composite structure.
Not only had the lessons learned from the May 1986 Delta failure been ignored, but engineers later admitted that the K-17 vehicle had displayed numerous electrical faults that should have given them clear indications that it was not ready for launch. |
Programs just did not get more important, complex, urgent, or programmatically and technically complex than Titan IV, but not everyone was enamored of the big booster. To some in Air Force Space Command, Titan IV was an example of everything that was wrong with the space launch business. The program’s failures, delays, and reshuffling of schedules had people at Space Command headquarters pulling their hair out. At one point in the early 1990s, two Titan IV boosters were assembled and awaiting payloads at the Cape’s launch pads, only to have the Air Force discover that the strap-on motors had suspicious discolorations on their mating surfaces. “It’s not rust!” the experts insisted, but that’s pretty much what it looked like to less sophisticated observers. Both sets of solid motors had to be destacked on the launch pads, an approach no one had ever anticipated, and for which there were no provisions.
Air Force Space Command wanted to move to a “Launch On Demand” approach where possible. The idea was that satellite constellations would be allowed to degrade in peacetime and then surge as required by the need to go on a wartime footing. This concept was analogous to the manner that a fighter wing or an armor unit would deploy overseas in response to an international situation within 60 days.
It was a real challenge to operate any space booster that way, but for the Titan IV it proved to be flat out impossible. The lengthy processing time for Titan IV, combined with the time required to assemble, check out, launch, and perform early orbit operations on the highly complex payloads, resulted in a call-up time of not 60 days but instead essentially a full year. And then the delays in the new solid rocket motor effort caused further extensive reshuffling of the already turbulent Titan launch schedule.
These complexities meant that it was all but impossible for Space Command to fit the Titan IV into its “Operational” mindset. No wonder that Gen. Horner, the commander, called the Titan IV program “that horror show” and reportedly declined to shake the Titan SPO director’s hand at their first meeting.
The loss of Titan IVA K-11 on August 2, 1993, further complicated the program. The Air Force launched four Titan IVs from Cape Canaveral in 1994 and three in 1995, but after that, given the impact of the problems with the new solid motor, the launch schedule was backed up even worse. However, in the late 1990s, things seemed to smooth out, and by the spring of 1998 Space Command thought they were ready to forge boldly ahead with even the Titan IV.
The Air Force planned to launch four Titan IVs from Cape Canaveral in less than 12 months. This would include the last of the Titan IVA boosters as well as only the second and third launches of the Titan IVB version with the new solid motors.
The first of the launches occurred on May 9, 1998, when Titan IVB Centaur K-25 successfully carried a classified payload into orbit. The next launch, Titan IVA Centaur K-17, on August 12, 1998, did not go so well. At T+40 seconds, the vehicle suddenly pitched over sharply and broke up.
An investigation revealed that there had been a likely wiring chafe-through that momentarily killed power to the vehicle guidance system. This caused the guidance computer to reset to T-0. On a normal mission, soon after T-0 the vehicle goes into a pre-programmed pitch maneuver. Executing the same pitch maneuver at T+40 sec, at supersonic speed, overstressed the vehicle and caused the break up.
This loss was doubly tragic. Not only had the lessons learned from the May 1986 Delta failure been ignored, but engineers later admitted that the K-17 vehicle had displayed numerous electrical faults that should have given them clear indications that it was not ready for launch. The data was there, but they chose to ignore it under the pressure of an urgent schedule.
The K-17 failure investigation caused some delays and the next Titan launch from the Cape did not occur until April 9, 1999. Titan 4B K-32, which carried an Inertial Upper Stage, was to place a Defense Support Program (DSP) missile warning spacecraft into geosynchronous orbit. The Titan portion of the mission went fine, but the IUS failed to deliver the payload to geosynch; the spacecraft ended up instead in elliptical orbit.
Investigation revealed that the first stage of the IUS operated fine, but the second stage was low on performance. The reason turned out to be that the IUS first and second stages failed to separate properly.
When the investigation team looked at the mission’s close-out photos, they could see just what the problem was. Such photos are taken of the vehicle while it is being assembled to document the configuration, just in case there is an anomaly. And the K-32 photos showed the problem, as clear as can be. It is normal practice to wrap wiring harnesses with a silicone tape to protect them, and that was done on the mission’s IUS, thoroughly. But it proved to be rather too thoroughly.
For the Titan K-32 mission IUS, the tape had been applied over the connector that had to separate in order for IUS stage 2 to pull away from IUS stage 1; the connector was taped together and could not separate properly. The failure of the connector to separate had not only caused the IUS second stage to tow the first stage behind it, but also the first stage’s inadvertent proximity had prevented the second stage’s rocket motor extendable exit cone from deploying properly. As a consequence, the payload was placed in an elliptical orbit lower than required.
That wasn’t all. Analysis of previous IUS mission telemetry data showed anomalies during the IUS stage 1/stage 2 separation events. And examination of the close-out photos also showed the tape had been applied over those connectors as well. The K-32 mission was the one in which the tape was wrapped over the connector a little bit tighter than the rest.
The data had always been there, the close-out photos staring everyone in the face, and the telemetry data showing there was a concern. But all that data had been ignored.
The next Titan IVB mission from the Cape, K-26, employed a Centaur upper stage and was intended to place Milstar communications payload into orbit. While the K-32 investigation was still underway at that point, the earlier problem clearly was with the IUS and not the Titan or Centaur, so the mission launched only about a week later, on May 8, 1999.
Once again, the Titan IVB phase of the mission went well, but soon after the start of the first Centaur burn at T+540 seconds, some roll maneuver anomalies were noted. The real problem occurred during the second Centaur burn, when the vehicle went out of control and placed the highly expensive payload into a useless orbit.
In all cases, though, people thought they could ignore reality and get away with it. The space launch business is far less forgiving of such an approach than most forms of endeavor, and usually provides earlier and more spectacular feedback. |
Investigation showed that, during the writing of the Centaur guidance program, a roll constant was mistakenly entered as –0.199 rather than the correct –1.99. This resulted in unnecessary maneuvering during the first Centaur burn, which depleted the attitude control propellant and left the stage with inadequate control for the scond burn. Simulations of the guidance program before launch showed something a bit strange, but this apparently was discounted as unimportant during the press to get the launch off on schedule.
The Air Force had done it: they launched four Titan IVs in less than a year. And three out of the four were total failures. This was far worse than the dual Titan failures of 1985-1986 and, as a resultm caused a major shakeup in the Air Force’s view of the space launch mission.
“Predictable” failures undoubtedly are not unique to the US, but we have more access to information for American launches. There are some foreign launch failures that look pretty predictable as well.
A Russian Soyuz 11A511U launched on May 14, 1996, failed to deliver its payload to orbit because the fairing broke up during ascent. And only a little more than a month later, on June 20, 1996, the same thing occurred with another Soyuz. Eventually the likely cause of both failures was determined to be defective glue bonds in the fiberglass fairing.
A Chinese Long March CZ-2E launched on December 21, 1992, suffered an apparent fairing collapse, which destroyed the spacecraft, although the wreckage of the payload was placed into orbit. On January 25, 1995, almost the exact same mishap occurred with another CZ-2E, three seconds later in flight, and the vehicle impacted a village and reportedly killed and injured a number of people. In both of these cases, the payload was a US-made commercial communications satellite; the Chinese insisted that the payloads had exploded during ascent.
On June 21, 2005, a Volna—a converted Russian SLBM—was launched on a commercial mission, carrying The Planetary Society’s solar sail demonstration mission. The first stage shut down early at about T+83 seconds, and the payload never attained orbit. The telemetry data revealed data characteristic of a turbopump failure associated with a known design defect in that model of engine. A modification had been developed to correct the problem, but had not been incorporated on the mission vehicle. Coming as it did after the first Volna solar sail mission failure of July 20, 2001, the second failure engendered a rather belated recognition by The Planetary Society that cheap launches may not necessarily be thrifty ones.
We can’t speak to what was in peoples’ heads during the foreign launch failures, but for the US, in each case of the “predictables,” there was an overriding philosophy in effect that overruled normal prudence and good engineering practice. For the foreign “predictables,” the reward/punishment systems in those societies probably were the biggest factor; you never admit failure, especially if it points to you.
In all cases, though, people thought they could ignore reality and get away with it. The space launch business is far less forgiving of such an approach than most forms of endeavor, and usually provides earlier and more spectacular feedback. And in the event of a failure, perhaps the most important question is not “why did this occur?” but “why did this fault slip by us?” Answering that latter question may be not only far more difficult than simply determining the cause of failure, but also far more painful in terms of corrective action as well.