15 July 2005 1
Crew Survival Office’s Position on the Acceptability of the Proposed Inline RSRB Launch Vehicle for Crewed Launches
July 15, 2005
Leo Langston
Paul Porter
Clint Thornton
JSC Crew Survival
Agenda
• Objective
• Lessons Learned?
• Crew Survival Office Position
• Applicable HRR Requirements
• Crew Survival’s Response to SRB Reliability and Survivability Claims
• Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
• Demonstrated Reliability In Other Solid Based Systems
• Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F) - Specific Issues
• CSO Comments on ESAS Integrated SRB Abort Assessment
• Conclusion
• Recommendations
• Backup
Objective
• Given the limited time to select launch vehicles that will meet the Agency’s exploration goals, the Crew Survival Office (CSO) is concerned that cost and schedule and perhaps other outside/political pressures may be forcing the agency to make a decision to use a launch vehicle configuration that will not meet current human rating requirements.
• The Crew Survival Office would like to present a set of arguments questioning the basis for selection of the current proposed crewed launch vehicle (13.1) that can be used to allow agency management to pause and reconsider the current selection before making a commitment to a possibly inappropriate design solution.
Lessons Learned ?
• “We need to make sure that the next generation vehicle is not based on probability but on ‘assurability’. We need to use the best technology we can to assure that the crew survives. If we cannot do it in the Shuttle then we need to have it in next vehicle. If we do not do this now – and do some soul searching – we will be in the same place 20-30 years from now.”
Bernard Harris, Aerospace Safety Advisory Panel, March 26, 2003
• “Future crewed-vehicle requirements should incorporate the knowledge gained from the Challenger and Columbia accidents in assessing the feasibility of vehicles that could ensure crew survival even if the vehicle is destroyed.”
Columbia Accident Investigation Board Report Vol I, August 2003
Words of wisdom from past accident investigations and other NASA advisory groups should be providing some important lessons learned to help guide our selection of the next human launch vehicle.
Crew Survival Office Position
• It is the position of the Crew Survival Office that the use of SRBs (large or small) in any crewed launch vehicle presents booster catastrophic failure modes that make compliance with the HRR 8705.2 very unlikely due to the inability to successfully abort if those failures occur.
• Inability to abort occurs primarily due to the lack of sufficient warning time to detect the imminent booster catastrophic failure, initiate the abort and achieve a safe separation distance prior to LV catastrophic breakup or explosion
• The current ATK/SAIC reliability estimates for the RSRB in line crew launch vehicle are over-optimistic compared to historical evidence from solid propellant launch vehicles
Applicable HRR Requirements
The following are excerpts of the applicable requirements from the latest NPR 8705.2
• 3.1.7 Space systems shall not use abort as the first leg of failure tolerance
• 3.9.3 The space system shall provide crew and passenger survival modes throughout the ascent and on-orbit profile (from hatch closure until atmosphere entry interface) in the following order of precedence:
a. Abort.
b. Escape by retaining the crew and passengers encapsulated in a portion of the vehicle that can reenter without crew or passenger fatality or permanent disability.
c. Escape by removing the crew and passengers from the vehicle.
Note: The requirement is for survival modes to cover 100 percent of the ascent trajectory. The preferred method is for abort to cover 100 percent of the trajectory, thus returning the crew to the Earth in the spacecraft. Some architecture options that do not lend themselves to the 100 percent abort coverage will need to use the other methods to meet the intent of this requirement.
• 3.9.4 The program shall ensure that ascent survival modes can be successfully accomplished during any ascent failure mode including, but not limited to, complete loss of thrust, complete loss of control, and catastrophic booster failure at any point during ascent
• Tailoring of HRR requirements is allowed with the following caveat:
Note: Tailoring is for requirements that are not applicable (e.g., ascent escape requirements do not apply to a surface rover). Tailoring is not for requirements that are considered programmatically undesirable, expensive, or technically complicated.
Underlining provided for emphasis only
Crew Survival’s Response to SRB Reliability and Survivability Claims
• Reality does not seem to correspond to the predicted “paper reliability” of SRBs as presented by ATK/SAIC
“It appears that there are enormous differences of opinion as to the probability of a failure with loss of vehicle and of human life. The estimates range from roughly 1 in 100 to 1 in 100,000. The higher figures come from the working engineers, and the very low figures from management. What are the causes and consequences of this lack of agreement? Since 1 part in 100,000 would imply that one could put a Shuttle up each day for 300 years expecting to lose only one, we could properly ask "What is the cause of management's fantastic faith in the machinery?"”
R. P. Feynman, Personal observations on the reliability of the Shuttle, Report of the Presidential Commission on the Space Shuttle Challenger Accident, Appendix F
• In 44 years of human space flight no flight crew has been lost during ascent as the result of a totally liquid based launch vehicle
  – Anticipated failures and robust ascent abort system
  – Two loss of vehicle events in the manned Soyuz program ended in successful launch aborts
    • Soyuz 18-1 – 2nd/3rd staging separation failure
    • Soyuz T 10-1 – GSE failure; pad fire
• However, in 24 years of flight on SRB based systems one flight crew has been lost as the result of an SRB failure during ascent
  – Unexpected and unanticipated failures, and no valid abort system
  – STS 51L
“For a successful technology, reality must take precedence over public relations, for nature cannot be fooled.”
R. P. Feynman, Personal observations on the reliability of the Shuttle, Report of the Presidential Commission on the Space Shuttle Challenger Accident, Appendix F
Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
Failure Type | Number of Failures | Percent
Liquid Propulsion (Start) | 3 | 12%
Liquid Propulsion (In-flight) | 3 | 12%
Solid Propulsion (Shell) | 4 | 16%
Solid Propulsion (TVC) | 3 | 12%
Stage Separation | 6 | 24%
Fairing Separation | 1 | 4%
Electrical | 2 | 8%
Avionics | 2 | 8%
Other (lightning strike) | 1 | 4%
TOTAL | 25 | 100%
Source: Futron Design Reliability Comparison for SpaceX Falcon Vehicles November 2004
In the past 20 years there have been more SRB failures than Liquid Propulsion failures
The four SRB shell failures were probably not survivable
All of the Liquid Propulsion failures were probably survivable
Failure Details
• Four of the six liquid failures in the previous table were associated with the upper stage and none led to a vehicle explosion
  – Of the two 1st stage failures
    • Atlas I (AC-74) - Inappropriate power down to 65% - Propellant pressure regulator misconfiguration
    • Titan 34D (34D-7) - Premature engine shutdown – Propellant feed system failure
• Of the seven SRB failures in the previous table
  – Four resulted in vehicle destruction with little or no warning
    • STS 51L
    • Titan 34D-9
    • Titan 403A K-11 (45F-9)
    • Delta 2 7925-10
  – The three TVC failures were caused by loss of hydraulic fluid
Titan 34D-9 – 18 April 1986
SRB Case Burst at MET of 8.5 seconds
Demonstrated Reliability In Other Solid Based Systems
• Since the 60’s the nation’s defense has relied on solid propulsion ICBM systems
  – Minuteman family
    • Minuteman I - Launches: 380. Failures: 27. Success Rate: 92.9% (1/14 failure rate)
    • Minuteman II - Launches: 194. Failures: 2. Success Rate: 99.0% (1/100 failure rate)
    • Minuteman III - Launches: 263. Failures: 5. Success Rate: 98.1% (1/53 failure rate)
    • Total - Launches: 837. Failures: 34. Success Rate: 95.9% (1/24 failure rate)
  – Peacekeeper
    • Launches: 51. Failures: 1. Success Rate: 98.0% (1/50 failure rate)
  – Polaris family
    • Polaris A1 - Launches: 122. Failures: 33. Success Rate: 73.0% (1/4 failure rate)
    • Polaris A2 - Launches: 227. Failures: 15. Success Rate: 93.4% (1/15 failure rate)
    • Polaris A3 - Launches: 271. Failures: 8. Success Rate: 97.1% (1/34 failure rate)
    • Trident C-4 - Launches: 165. Failures: 7. Success Rate: 95.8% (1/24 failure rate)
    • Trident D-5 - Launches: 122. Failures: 5. Success Rate: 95.9% (1/24 failure rate)
    • Total - Launches: 907. Failures: 68. Success Rate: 92.5% (1/13 failure rate)
• These failure rates demonstrate that very high total system reliabilities are quite unlikely
Reliability and Crew Safety Assessment for Solid Rocket Booster / J-2S Based Launch Vehicle (SAICNY05-04-1F)
Specific Issues
• SAIC, p. 7: “The simplest designs of the EELVs, which offer the greatest potential for inherent reliability, are the single core variants. These single core EELVs with an effective crew escape system should provide the greatest crew safety.”
• CSO: Crew Survival agrees with this statement. Any all liquid launch vehicle with an effective crew abort/escape system should provide the greatest crew safety. Mercury, Gemini, Soyuz and Apollo programs demonstrate this.
• SAIC, p. 8: “Simple Inherently Safe Design – A single human-rated SRB first stage matured through years of experience with over 176 flights of the current design for launching crew”
• CSO: This statement, while true of the current shuttle RSRB, is not necessarily applicable to the proposed new 5 segment RSRB or RSRB inline configuration. Also, is the shuttle RSRB human rated because it truly meets human rating requirements or because there were no viable alternatives to it for the shuttle system? Is it truly human rated or human rated because humans ride on it?
• SAIC, p. 8: “Historically Low Rates of Failure – In the space shuttle system only the 51-L event (a non-catastrophic failure of the SRB) has marred a perfect record in 226 SRBs, with 176 consecutive successful uses of the redesigned SRBs. This 1 in 226 history, or 0.996 launch success rate is perhaps the best of the best in launcher history.”
• CSO: Non Catastrophic? Did the vehicle break up before the SRB could have had a catastrophic event? The JSC Greenbook lists 17 additional significant gas sealing problems, most recently STS-79, making the demonstrated failure rate 18/226 or a success rate of 92% (Greenbook extract)
• SAIC, p. 8: “Non-Catastrophic Failure Mode Propensity – Solid rocket booster history, and specific design features of the SRB suggest a propensity for gradual thrust augmentation failures which present less of a challenge for crew survival in the inline configuration, should they occur.”
• CSO: This historical record from 1985-2004 shows this to not be the case: only 1 out of 6 SRB failures demonstrated thrust augmentation
• CSO: “suggest a propensity” is wishful thinking, not a valid engineering conclusion
• SAIC, p. 8: “Process Control – The proposed design offers the benefits of using propulsion suppliers with mature in-plant process control systems to minimize human error, which has proven to be a significant contributor to risk.”
• CSO: Current 4 segment RSRB processes may not be applicable to the new proposed 5 segment design. RSRB refurbishment, segment pouring, testing, hazardous shipping and storage, and KSC stacking still require substantial human labor and inspection with corresponding potential for human error
• SAIC, p. 8: “Failure Precursor Identification and Correction – The design capitalizes on the significant failure precursor identification and elimination benefit from recovery, and post flight inspection of the recovered SRBs.”
• CSO: Post flight failure examination is of little use to the crew on the flight with the problem
• CSO: The data may be used incorrectly as in the Challenger and Columbia accidents.
• CSO: Not all precursors are recognized
• SAIC, p. 10: 1. The proposed design has a significant potential of meeting, and even exceeding, the 1 in 1000 mission astronaut office risk goal proposed by the crew even when conservative accident failure criteria have been applied (see Figure 1.1 indicating worst case condition), and even with significant further conservative variation in key risk driving parameters.
• CSO: Paper rockets are well known for having “significant potential” in whatever aspect is important. In reality, the actual vehicle most often never achieves its “significant potential.”
• SAIC, p. 10: “SAIC assumed that all worse case accidents, that is, case burst events, would not be survivable. The SAIC physical models indicate that some at least, if not all, of the accidents would allow for the possibility of crew escape and recovery”
• CSO: HRR compliance requires more than “some at least, if not all, of the accidents would allow for the possibility of crew escape and recovery.”
• CSO: The unknowable accident environment renders analysis somewhat less than reliable.
• SAIC, p. 11: “The proposed design offers significant, as much as an order of magnitude, improvement in crew survival during ascent as compared to the current shuttle system.”
• CSO: Since the shuttle has no ascent crew survival capability during a first stage SRB failure this statement means “something is better than nothing.”
• SAIC, p. 11: The primary risk-driving elements of the design are forecasted to be contained in the second stage J-2S based system because it is a new development of a system without flight experience.
• CSO: The lack of flight experience would also be true of the 5 segment design or the inline 4 segment design.
SAIC assumptions:
• SAIC, p. 24: 2. The 1995 Shuttle PRA [5], specifically the portions of that document that relate to the participation of the solid rockets in the shuttle risk, is representative.
• CSO: Failure rates from other large SRB programs, at a minimum, should be included as well as the other failures in the STS SRB program
• SAIC, p. 24: 4. The SRB/J-2S developed integrated design will be fully qualified for its launch environment. Specifically any additional launch vibrational loads or other environments will either be demonstrated to have fallen within the existing shuttle qualification envelope or will undergo delta qualifications for those environments that are not contained.
• CSO: It is not apparent that the shuttle qualification envelope is appropriate to the new design.
• CSO: Delta qualification could encounter unforeseen challenges or show stoppers
SAIC assumptions:
• SAIC, p. 24: 4 The SRB/J-2S design will be fully tested with an integrated test program including full scale flight tests to demonstrate flight readiness before crewed flights.
• CSO: Full envelope qualification of the launch abort system in the presence of catastrophic SRB failures is likely to be difficult and expensive.
• SAIC, p. 25: 11. There is sufficient warning time, and signals for 80% of the loss of control (thrust augmentation) failures.
• CSO: There is no analysis that supports the 80% claim.
• SAIC, p. 25: 12. An escape system can be designed for the CEV that will provide escape capability after loss of control.
• CSO: The Titan IV-A LOC (8/12/98) suggests that this may be difficult.
  – 1.7 seconds elapsed between the full pitch command and vehicle breakup at an alpha of ~13 degrees. The time between a reasonable launch abort redline (5 degrees) and breakup was much smaller.
• SAIC, p. 96: “SRB failure rates were developed:
  – By combining component failure rate data in an “assessment tree” a bottom-up approach was used to estimate a failure rate of approximately one in 7000 motor-flights,
  – Through Bayesian update of U.S. solid rocket booster experience as recommended by a NASA-commissioned Independent Peer Review Panel (approximately one in 1500 motor-flights)
  – Through an expert elicitation using Thiokol managers as experts, combined with a Bayesian update to estimate a failure rate of one in 3058 motor-flights.”
• CSO: The differences in these three estimates are troubling given that the demonstrated shuttle SRB failure rate is, optimistically, 1/266 or realistically 1/15 (18/266).
– These discrepancies suggest something is askew in the world of reliability estimates.
– The current industry team LOV estimate for the inline RSRB configuration is 1/438
Initiator | LOV Prob. (1/X) | Escape Possible | Escape-Separation | Decell/Landing | Recovery | Total Crew Survival | LOC Prob. (1/X)
(Escape Possible, Escape-Separation, Decell/Landing and Recovery are the Crew Survival Events)
SRB Control | 320 | 100.00% | 80.00% | 100.00% | 99.00% | 79% | 1538
SRB-Immediate | 160 | 0.00% | 100.00% | 100.00% | 100.00% | 0% | 160
Staging | 13459 | 100.00% | 95.00% | 100.00% | 99.00% | 94% | 224317
Upper Stage | 625 | 100.00% | 99.00% | 95.00% | 95.00% | 89% | 5867
Total | 90 | Integrated Survivability (1-90/141) | | | | 36% | 141
Including other large SRB failures changes the picture considerably
• Arbitrarily assuming all SRB failures are non-survivable yields a Loss of Crew Probability of 1/1750
Initiator | LOV Prob. (1/X) | Escape Possible | Escape-Separation | Decell/Landing | Recovery | Total Crew Survival | LOC Prob. (1/X)
(Escape Possible, Escape-Separation, Decell/Landing and Recovery are the Crew Survival Events)
SRB Control | 3086 | 0.00% | 80.00% | 100.00% | 99.00% | 0% | 3086
SRB-Immediate | 13858 | 0.00% | 100.00% | 100.00% | 100.00% | 0% | 13858
Staging | 13459 | 100.00% | 95.00% | 100.00% | 99.00% | 94% | 224317
Upper Stage | 625 | 100.00% | 99.00% | 95.00% | 95.00% | 89% | 5867
Total | 482 | Integrated Survivability (1-90/141) | | | | 72% | 1750
Since this LOC exceeds the desired 1/1000, CEV weight growth and decreasing launch vehicle performance margins could lead to pressure to delete the ~10,000lb ascent abort system.
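The arithmetic behind the two tables above, as an added example that is not part of the original presentation: each initiator's LOC probability is its LOV probability times the chance that the escape sequence fails, and the totals assume the per-initiator probabilities are simply summed (an assumption inferred from the slide totals; the class and function names are hypothetical). Computed from the unrounded survival product, Staging comes out near 1 in 226,000 where the slide, which used the rounded 94%, shows 1 in 224,317; the totals agree with the slides to within rounding.

```python
"""Event-tree roll-up of loss-of-vehicle (LOV) and loss-of-crew (LOC) odds."""
from dataclasses import dataclass
from math import inf, prod


@dataclass(frozen=True)
class Initiator:
    name: str
    lov_one_in: float        # LOV odds per launch, expressed as "1 in X"
    survival_events: tuple   # P(success) of each step: escape possible,
                             # escape-separation, decel/landing, recovery

    @property
    def p_lov(self) -> float:
        return 1.0 / self.lov_one_in

    @property
    def p_survive(self) -> float:
        # The crew survives only if every step of the escape sequence works.
        return prod(self.survival_events)

    @property
    def p_loc(self) -> float:
        # Loss of crew = vehicle lost AND escape sequence failed.
        return self.p_lov * (1.0 - self.p_survive)

    @property
    def loc_one_in(self) -> float:
        return inf if self.p_loc == 0 else 1.0 / self.p_loc


def rollup(initiators):
    """Combine initiators, assuming rare, mutually exclusive failure causes
    so that per-launch probabilities can be added (assumption, see lead-in)."""
    p_lov = sum(i.p_lov for i in initiators)
    p_loc = sum(i.p_loc for i in initiators)
    return {
        "lov_one_in": 1.0 / p_lov,
        "loc_one_in": inf if p_loc == 0 else 1.0 / p_loc,
        # Fraction of vehicle losses the crew survives.
        "survivability": 1.0 - p_loc / p_lov,
    }


# Values transcribed from the first table (other large SRB failures included).
TABLE_WITH_OTHER_SRB_FAILURES = [
    Initiator("SRB Control",   320,   (1.00, 0.80, 1.00, 0.99)),
    Initiator("SRB-Immediate", 160,   (0.00, 1.00, 1.00, 1.00)),
    Initiator("Staging",       13459, (1.00, 0.95, 1.00, 0.99)),
    Initiator("Upper Stage",   625,   (1.00, 0.99, 0.95, 0.95)),
]

# Values transcribed from the second table (all SRB failures non-survivable).
TABLE_ALL_SRB_NON_SURVIVABLE = [
    Initiator("SRB Control",   3086,  (0.00, 0.80, 1.00, 0.99)),
    Initiator("SRB-Immediate", 13858, (0.00, 1.00, 1.00, 1.00)),
    Initiator("Staging",       13459, (1.00, 0.95, 1.00, 0.99)),
    Initiator("Upper Stage",   625,   (1.00, 0.99, 0.95, 0.95)),
]


def report(title, initiators):
    """Return printable lines for one table: per-initiator rows plus totals."""
    lines = [title]
    for i in initiators:
        lines.append(
            f"  {i.name:<14} LOV 1/{i.lov_one_in:<6.0f} "
            f"survival {i.p_survive:6.1%}  LOC 1/{i.loc_one_in:,.0f}"
        )
    total = rollup(initiators)
    lines.append(
        f"  {'Total':<14} LOV 1/{total['lov_one_in']:<6.1f} "
        f"survival {total['survivability']:6.1%}  LOC 1/{total['loc_one_in']:,.1f}"
    )
    return lines


if __name__ == "__main__":
    for title, table in (
        ("Other large SRB failures included", TABLE_WITH_OTHER_SRB_FAILURES),
        ("All SRB failures assumed non-survivable", TABLE_ALL_SRB_NON_SURVIVABLE),
    ):
        print("\n".join(report(title, table)))
```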
• SAIC, p. 120: Launcher reliability has a large impact on crew safety. Regardless of the launcher type, assuring crew safety after a failure is uncertain. Given the limited number of test and flight opportunities it will be difficult to gain sufficient understanding of the dynamics to create an escape system that can provide high assurance of escape. Unknown-unknowns will dominate the reliability of crew escape systems. Since there undoubtedly will be significantly more launch experience than abort experience, the uncertainty in the likelihood of launch failure will be less than the uncertainty in abort reliability. Furthermore, a good design should be focused on achieving safety inherently, not by adding safety systems as a crutch. This is because the operating environment for the safety system is almost always less known (and therefore cannot be counted on to be highly reliable), therefore the safety focus of design should always be directed at achieving the highest possible reliability and recovery failure systems added only afterward.
• CSO: This philosophy seems contradictory to the findings, recommendations, and observations of previous accident investigation boards. (link)
CSO Comments on ESAS Integrated SRB Abort Assessment
• The comparison should be between the Single Stick SDLV and a liquid fueled vehicle. (link)
  – Side mount SDLV has already been ruled out
• Safety Drivers – omits relevant facts from Single Stick claims (link)
  – Thrust Augmentation leads to slower single stack break-up is an assertion for which there is very little substantiating analysis.
  – Thrust Augmentation can lead to interactions between stages on the Single Stick
  – Thrust Augmentation can lead to upper stage propellant mixing/conflagration on the Single Stick
Conclusion
• It is the opinion of the CSO that the ATK/SAIC Loss of Crew prediction for the inline RSRB configuration is over-optimistic and should not be the basis for selecting the next crewed launch vehicle.
  – Historical data suggests that exceeding a 99% launch success rate for solid propellant vehicles is improbable.
CSO Recommendations
1. Non-selection of the inline SRB design for the crewed launch vehicle based on inability to meet the current Human Rating Requirements, NPR 8705.2.
2. If the inline SRB design is pursued, establish an independent analysis and review effort to assess SRB success rates, failure modes, failure dynamics, failure detectability, and to define the catastrophic failure environments in which any launch abort system would have to successfully operate and determine the appropriate test and qualification program for that launch abort system.
3. The agency perform a detailed comparison between the inline RSRB and EELV derived or other all liquid LV configurations using consistent criteria as to what counts in the reliability statistics
The Agency is in the process of selecting a human launch vehicle that will most likely be used for the duration of the exploration program. Historical evidence and the lessons from past accidents should be applied in that selection.
“Those who cannot remember the past are condemned to repeat it.” George Santayana
BACKUP
1. Crew Survival Definitions
2. Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
3. SRB Anomalies from JSC19413 (Greenbook)
4. ESAS Integrated SRB Abort Assessment
Crew Survival Definitions
• Abort: Termination of the nominal mission that allows the crew and passengers to be returned to Earth in the portion of the space system used for nominal entry and touchdown.
• Escape: Removal of crew and passengers from the portion of the space system normally used for reentry, due to rapidly deteriorating and hazardous conditions, thus placing them in a safe situation suitable for survivable return or recovery. Escape includes, but is not limited to, those modes that utilize a portion of the original space system for the removal (e.g., pods, modules, or fore bodies).
• Rescue: The process of locating the crew, proceeding to their position, providing assistance, and transporting them to a location free from danger.
• Safe Haven: A functional association of capabilities and environments that is initiated and activated in the event of a potentially life-threatening anomaly and allows human survival until rescue or repair can be affected
Launch Failures by Subsystem Root Cause of US-Built Expendable Vehicles 1984-2004
Source: Futron Design Reliability Comparison for SpaceX Falcon Vehicles November 2004
SRB Anomalies from JSC19413 (Greenbook)
STS | Vehicle | Description
2 | 102 | RH SRM aft field joint gas leak to primary O-ring with erosion
6 | 99 | Gas paths on both SRM nozzle-to-case joints
8 | 99 | Abnormal erosion pattern of nozzle nose rings
41C | 99 | Gas leak and erosion to primary O-ring of RH SRM nozzle-to-case joint
41D | 103 | RH SRM forward field joint erosion; LH SRM gas leak and erosion to primary O-ring of nozzle-to-case joint
51A | 103 | LH SRM nozzle throat inlet ablative ring separation from housing
51C | 103 | LH SRM forward field joint gas leak and erosion to primary O-ring; RH SRM primary O-ring gas leak and erosion at center field joint; Gas leaks to primary O-rings at nozzle-to-case joint on both SRMs
51D | 103 | RH SRB nozzle throat ring developed erosion pockets; Gas leak and erosion in both SRM nozzle-to-case joints
51B | 99 | RH SRB gas leak at primary O-ring of forward field joint; Gas leak and erosion in both SRM nozzle-to-case joints. Erosion to secondary O-ring on LH SRM
51G | 103 | Gas leaks and erosion on both SRM nozzle-to-case joints; Gas leaks, but no erosion in either SRM igniter joint
51F | 99 | LH SRM nozzle throat inlet ablative ring separation from housing; Gas leak in the RH SRM nozzle-to-case joint; Gas leak but no erosion to LH SRM igniter joint
51I | 103 | Gas leak in the LH SRM nozzle-to-case joint; Gas leaks in both inner and outer seals of LH SRM igniter joints. No seal damage; Gas leaks, but no erosion to outer gasket of RH SRM igniter joint
61A | 99 | LH center and aft field joints had gas leaks to primary O-rings; RH forward field joint gas leak at primary O-ring; Gas leaks occurred at both SRM nozzle-to-case joints. O-ring erosion to the right joint but not the leak.; Gas leaks, but no erosion to outer seal of both SRM igniter joints
61B | 104 | Gas leaks and erosion in both SRM nozzle-to-case joints; Gas leaks but no erosion to outer seal of both SRM igniter joints
61C | 102 | LH SRB aft field joint gas leak and erosion at primary O-ring; Gas leak in the LH SRM nozzle-to-case joint; Gas leak and erosion in the RH SRM nozzle-to-case joint; Gas leaks, but no erosion to outer seal of both SRM igniter joints
27 | 104 | Ignition/igniter heaters charred. Some heat damage and charring was evidenced by discoloration at two locations of both igniter heaters.
29 | 103 | Approximately 95 percent of the glass cloth phenolic insulator and 100 percent of the carbon cloth phenolic liner was missing from the left SRM aft exit cone.
28 | 102 | Right SRM aft center segment ply separations of internal insulation. During postflight inspection operations at KSC, a ply separation was identified in the internal insulation of the right SRM aft center segment.
33 | 103 | The left SRB ETA ring aft IEA end cover experienced hot gas flow (aft to forward) through its interior from the tunnel side, resulting in sooting and varying degrees of heat exposure to 16 operational flight reusable cables.
31 | 103 | The RSS crossover bracket on both SRB's is sooted around the P2 connector jam nut. Also, ballooning of the heat shrink tubing was observed on one cable in the right SRB RSS transition housing.
41 | 103 | During the postflight inspection of both the left and right SRM igniters, the outer joints were found to have a blow-hole in the putty. Also, cadmium plating damage and sooting was observed. Abnormal erosion of the internal insulation (at the forward edge) was observed in both the left and right SRM aft dome-to-stiffener and stiffener-to-stiffener factory joints.
35 | 102 | During the follow-on postflight inspection of the left RSRM nozzle joint 3 at TC, a 1.5-inch gas path was observed through an RTV void at 195 deg, resulting in heat effects to the CCP surface and sooting to the primary O-ring.
39 | 103 | Excess erosion on right RSRM nozzle cowl and outer boot ring.
48 | 103 | During postflight inspection of the right SRB lower strut, a black mark with flow lines was observed at the ET/SRB strut segment interface.
44 | 104 | During the SRB recovery operations, the retrieval team reported structural damage to the left SRB forward skirt, systems tunnel, and ETA ring.
42 | 103 | The left and right RSRM nozzle-to-case joints had gas paths through the polysulfide adhesive with erosion and sooting of the wiper O-rings. Gas penetration on the left side was more extensive as blowby was observed at the wiper O-ring.
71 | 104 | Nozzle internal joint 3 gas path/primary o-ring erosion
70 | 103 | Nozzle internal joint 3 gas path/primary o-ring erosion
75 | 102 | Dual gas paths through the polysulfide to the wiper O-ring in the nozzle-to-case joints of both RSRM's
78 | 102 | Sooting/heating effects beyond the insulation J-leg tip on field joints.
79 | 104 | Right-hand nozzle striated axial erosion on the throat and forward exit cone
ESAS Integrated SRB Abort Assessment***
Likelihood of Successful Abort: specific failure instances for the Single Stick SDLV compared (<, >, =) with the Side Mount SDLV

Case Breach
• Explosion
  – Single Stick SDLV: Not Credible - No credible failure modes identified for explosion as a result of a case breach
  – Comparison: >
  – Side Mount SDLV: Gas Impingement - Gas impinging on core vehicle causing an explosion of liquid propulsion system
• Loss of Control*
  – Single Stick SDLV: Single Vectoring System - Only one nozzle to overcome side load from thrust, however, there would be no thrust imbalance as a result of different internal motor pressures between the boosters as is present in Side Mount
  – Comparison: =
  – Side Mount SDLV: Thrust Imbalance - Three vectoring mechanisms (two boosters and liquid engines) to assist in overcoming thrust imbalance from case breach thrust side loads and internal motor pressure (Assumes lower loss of internal pressure/less thrust imbalance)**
• Structural Break-up
  – Single Stick SDLV: Not Credible - No credible failure modes identified for structural breakup of motor/vehicle that is not initiated from a loss of control as a result of a case breach
  – Comparison: =
  – Side Mount SDLV: Not Credible - No credible failure modes identified for structural breakup of motor/vehicle that is not initiated from a loss of control as a result of a case breach

Case Rupture
• Explosion
  – Single Stick SDLV: Proximity from Debris - All explosive events happen aft of abort capsule allowing more favorable conditions in which to initiate abort
  – Comparison: >
  – Side Mount SDLV: Proximity from Debris - Explosive events happen in closer proximity to abort capsule either beside or upstream. More likely to pitch/yaw as a result of explosion. More likely to lead to failure of core vehicle
• Loss of Control*
  – Single Stick SDLV: System Imbalance - Side load causing system imbalance (forces acting in multiple directions) with instantaneous pressure decay
  – Comparison: >
  – Side Mount SDLV: Thrust Imbalance - Two vectoring mechanisms (opposite booster and liquid engines) to assist in overcoming thrust imbalance from internal motor pressure (Assumes higher loss of internal pressure/severe thrust imbalance)**
• Structural Break-up
  – Single Stick SDLV: Proximity from Debris - Structural breakup occurs aft of abort capsule resulting in less FOD/debris to interfere with abort
  – Comparison: >
  – Side Mount SDLV: Proximity from Debris - Structural breakup occurs beside or forward of abort capsule resulting in significantly more FOD/debris to interfere with abort. Potential for impact with other vehicle components

Nozzle Anomaly
• Explosion
  – Single Stick SDLV: Not Credible - No credible failure modes identified for explosion as a result of a nozzle anomaly
  – Comparison: =
  – Side Mount SDLV: Not Credible - No credible failure modes identified for explosion as a result of a nozzle anomaly
• Loss of Control*
  – Single Stick SDLV: Flex Bearing Failure - Failure of flex bearing or partial nozzle burnthrough leading to lack of controllability of vehicle
  – Comparison: <
  – Side Mount SDLV: Flex Bearing Failure - Flex bearing failure or partial nozzle burnthrough on a single motor presents more opportunity to overcome control issues since you have the opposite booster and liquid engines to help compensate
• Structural Break-up
  – Single Stick SDLV: Loss of thrust - Structural break-up of nozzle should lead to loss of thrust but fewer overall issues with abortability
  – Comparison: >
  – Side Mount SDLV: Loss of thrust - Thrust imbalance leading to loss of control as a result of nozzle structural break-up (Assumes only a single motor nozzle failure)

* More in-depth analysis of control and loads (specifically side loads) are needed
** Assumes solids provide 80% or more of thrust and that liquid system contribution alone is not adequate to overcome large deltas in thrust vectoring of motors
*** MSFC Solid & Hybrid Propulsion Systems Branch, Abortability Assessment RSRM, April 2005.
15 July 2005 34
ESAS Integrated SRB Abort Assessment*** (cont’d)
Likelihood of Successful Abort
Columns: Single Stick SDLV (Specific Failure Instance) | <, >, = | Side Mount SDLV (Specific Failure Instance)
GN&C Anomaly - Explosion
Single Stick SDLV: Not Credible - No credible failure modes identified for explosion as a result of a GN&C anomaly
=
Side Mount SDLV: Not Credible - No credible failure modes identified for explosion as a result of a GN&C anomaly
GN&C Anomaly - Loss of Control
Single Stick SDLV: Hard over event - Current trajectory/structural assessments show minimal abort capability from a hard over vectoring condition
<
Side Mount SDLV: Hard over event - More potential exists to overcome control issues since you have the opposite booster and liquid engines to help compensate. Worst Case is both booster nozzles go hard over, but more likely scenario is a single hardover event
GN&C Anomaly - Structural Break-up
Single Stick SDLV: Not Credible - No credible failure modes identified for structural breakup of motor/vehicle that is not initiated from a loss of control as a result of a GN&C anomaly
=
Side Mount SDLV: Not Credible - No credible failure modes identified for structural breakup of motor/vehicle that is not initiated from a loss of control as a result of a GN&C anomaly
Structural Failure (Not captured in previous 4 failure modes) - Explosion
Single Stick SDLV: Proximity from Debris - All explosive events happen aft of abort capsule allowing more favorable conditions in which to initiate abort
>
Side Mount SDLV: Proximity from Debris - Explosive events happen in closer proximity to abort capsule either beside or upstream. More likely to pitch/yaw as a result of explosion. More likely to lead to failure of core vehicle
Structural Failure - Loss of Control
Single Stick SDLV: Single Vectoring System - More benign due to less complex system interactions such as thrust imbalance
>
Side Mount SDLV: Thrust Imbalance - Thrust imbalance resulting from internal motor pressure deltas from internal structural effects of breakup (Assumes thrust imbalance as a result of surface area/pressure increase caused by structural failure of propellant grain)**
Structural Failure - Structural Break-up
Single Stick SDLV: Structural Failure - More benign due to less complex system interactions. Less likely to have structural impacts on other systems (FOD)
>
Side Mount SDLV: Structural Failure - More likely to have structural impacts given proximity to other vehicle components
** Assumes solids provide 80% or more of thrust and that liquid system contribution alone is not adequate to overcome large deltas in thrust vectoring of motors
*** MSFC Solid & Hybrid Propulsion Systems Branch, Abortability Assessment RSRM, April 2005.
15 July 2005 35
ESAS Safety Drivers - Boost Stage
Columns: Single Stick SRB | Shuttle | EELV (Triple Core)
Reliability Drivers
Simplicity
Single Stick SRB: Single Element
Shuttle: 2 SRBs plus 3 Staged Combustion Engines
EELV (Triple Core): 3 Engines (with 2 Turbo Pumps); 3 Feedback Control Systems (1 Staged Combustion); 3 Propellant Management Systems; 3 Purging Systems
Dynamics (Moving Parts)
Single Stick SRB: 1 TVC
Shuttle: 5 TVCs, 6 High Performance Turbo Pumps with Pre-Burners
EELV (Triple Core): 3 TVC – 6 Turbo Pumps, 3 Throttle Valves, Numerous Prop Management Valves
Understanding of the Environment (Margin)
Single Stick SRB: 226 Flight Operations, with post flight inspection
Shuttle: 113 Flight Operations
EELV (Triple Core): 1 EELV Heavy flight, conflagration during Delta launch, LOx Rich Environment (RD-180)
Process control and feedback
Single Stick SRB: Post Flight Inspection, production process controls
Shuttle: Post Flight Inspection (except ET), production process controls
EELV (Triple Core): No post flight inspection. Rely on process control in flight (red-lines)
Survivability Drivers
Trajectory (g-loads on abort re-entry)
Single Stick SRB: Crew escape: Flatter Trajectory with mild G-Loads
Shuttle: No crew escape system
EELV (Triple Core): Crew escape: more lofted trajectory with higher loads on crew (more so with Delta). Can be mitigated with new upperstage.
Accident environment
Single Stick SRB: Thrust Augmentation leads to slower single stack break-up
Shuttle: SRB Thrust augmentation leads to immediate break-up and potential propellant mixing/conflagration
EELV (Triple Core): Thrust imbalance or engine shutdown can lead to interactions between stages, LH2 Explosions (Below 10K), RP explosions at higher elevations, no empirical data on explosive environments
15 July 2005 36
ESAS RSRB - Safety and Reliability
Simple Inherently Safe Design
Design Robustness
Historically Low Rates of Failure
Non-Catastrophic Failure Mode Propensity
Process Control
Failure Precursor Identification and Correction
Large Throat SRB Attempts and Failures (Flight Demonstrated Only)
Vehicle | Flights | Attempts (Flights x 2) | SRB Failures
Shuttle | 113 | 226 | 1
TOTAL | 113 | 226 | 1 (1 in 226)
Titan IV A | 22 | 44 | 1
Titan IV B | 14 | 28 |
Titan 34D | 15 | 30 | 1
Ariane V | 17 | 34 |
TOTAL | 68 | 136 | 2 (1 in 68)
Demonstrated Shuttle RSRB reliability is more than 3 times that of other large SRBs
Major redesign conducted after the Challenger accident significantly increased the expected reliability of the SRB
The estimated reliability for a 4-segment SRB, based on QRAS2000 model, is 99.97%
15 July 2005 37
ESAS Significant Benefit for Post Flight Inspection
Number of Shuttle SRB Post Flight Issues vs. Flights