The Challenger crew. Front, from the left: Michael J. Smith, Francis R. Scobee and Ronald E. McNair. Rear from the left: Ellison Onizuka, Christa McAuliffe, Gregory Jarvis, and Judy Resnik

The world has had plenty of tragedy and near tragedy in space. I suspect we will continue to.

This is how an escape system should work.

This is not…!

Gemini 6 aborts on the pad after the engine ignited. Gemini 7, 180 miles overhead, could even see the flash of launch. 

In 1960 the Soviets suffered the Nedelin Catastrophe where a rocket blew up on the pad killing 150 people including the head of the Soviet space program, Marshal Mitrofan Nedelin, who had bypassed safety protocols and was attempting to repair a rocket on the  pad without defueling it.

Gemini 8 had a maneuvering thruster shut down and put the capsule in a 60 RPM spin. Only quick action by future “first man on the moon” Neil Armstrong saved the day.

Soyuz one had a parachute failure. Cosmonaut Vladimir Komarov died on impact after reentry.

Georgy Dobrovolsky, Vladislav Volkov, and Viktor Patsayev died of asphyxiation when a valve opened prematurely during reentry.

During the Apollo-Soyuz Test Project, lethal Nitrogen trioxide leaked into the US Command module. They weren’t able to ventilate the module until after touchdown. It caused chemically induced pneumonia in the astronauts that took weeks to heal.

The crew of Apollo One, Gus Grissom, Ed White and Roger Chaffee, died during a ground test of the capsule. It had been overpressured to 18 PSI with pure oxygen when a spark caused an interior fire. Anything even remotely flammable instantly flashed. The Soviets had suffered a similar accident in the early 60s

Apollo 15 lost a parachute after reentry. However Apollo had three parachutes and was able to land safely. This is also an an advantage of a water landing. You can absorb a much greater impact into water than into dirt.

Not to mention numerous non fatal issues popping up in the early shuttle. If you want an incomplete but still good listing, check Wikipedia’s article on the subject.

Fast forward and despite repeated issues with the Shuttle, we have forgotten that space exploration is very dangerous. The shuttle became theater and as we know, in a theater, the show must go on. So we pick a teacher to go up and give kids fun lessons while real scientists do real work in the background. She is the first space entertainer. We are all excited about the demonstration of how ordinary and safe space travel has become.

However, the blow thru of the O-ring joint has been seen on previous shuttle launches, just not bad enough to blow anything up. As long as it doesn’t get any worse we’re safe, right? Other launch vehicles (like the Titan 3C) also used o-rings (even though much smaller diameter tubes) and (usually) had no problems, right?

This kind of thinking is like saying that as long as there is no cross traffic at an intersection, you can safely blow thru the red light. And then always assuming there won’t be any traffic because there hasn’t been any yet.

Not everyone shared the point of view. Criticisms of the safety of the O-ring design dated all the way back to 1977 and continued until the fatal launch of STS 57L in 1986.

2019-01-16_16-56-34

Back on the ground, it is cold, way below the shuttle’s operating range. NASA officials don’t want to scrub or delay the launch (like many other launches before have been). It won’t look good. We have clients waiting on us. We have a PR stunt to pull. But they have to contact Morton Thiokol to launch outside the accepted parameters. Morton Thiokol feels intense pressure from their most important client, but management has to get an engineering sign off. Engineering balks. Management finds a way around them and gets approval to NASA. (Famous quote here: “Take off your engineering hat and put on your management hat. This launch MUST go.”

The rest is sad history.

2019-01-16_17-03-03
Challenger is destroyed by a leaky O-ring.

Then the Roger Commission issued its report. It is long and deep and technical. Richard Feynman was asked to serve on it. All it took was a small O-ring and a glass of ice water and the cause was plain to see.

 

 

It seems space is a bit more dangerous than we thought. What made it exceptionally dangerous was a change in NASA. Modern paradigms of corporate management had infiltrated the agency. The shuttle was now a business and whoever was paying for the payload was the client.

From the report:

…testimony reveals failures in communication that resulted in a decision to
launch 51-L based on incomplete and sometimes misleading information, a conflict between engineering data and management judgments, and a NASA management structure that permitted internal flight safety problems to bypass key Shuttle managers.

A couple of key events in the decision to launch.

2019-01-16_18-17-09

2019-01-16_18-21-00

2019-01-16_18-14-38

Likewise, it had been discussed that the crew cabin could be reinforced and a way to jettison the cabin and a parachute added that could deploy to recover the crew should there be a launch failure. Every other prior manned launch had had a way to pull the capsule free of the rocket and return by parachute. The shuttle was touted as a taxi to the sky – and so safe that such a thing would not be needed. It was rejected on time, weight and cost parameters. And… if we did such a thing we would be admitting this taxi was not a safe taxi.

We know at least some of the Columbia crew survived the explosion and died on impact with the water.

The o-tings and joints are redesigned to be more reliable and we move on

Lets move forward a bit to December 1986. The shuttle Atlantis, flight STS-27, returns to Earth with 700 damaged thermal tiles and one entirely missing.

One would think this would be a wake-up call. But it was more like, Hey, glad we dodged that bullet! Probably won’t happen again.

It did. The tiles on the Shuttle are very delicate. You can cut them with your thumbnail, pull them off the shuttle by hand and crunch them with your fingers. They are not intended to sustain any kind of impact. They are ultralightweight insulation against insane levels of reentry heat.

The massive fuel tank the feeds the shuttle’s engines during launch is also insulated. This time it is foam to keep the cryogenic fuel cold. Not a lot of thought had been given to how it was attached. It was expendable once the launch actually began. Cameras had caught sections of foam falling off and impacting the shuttle at high velocity in flight. Atlantis had proven it was capable of causing serious damage.

Proposals had been made to rethink how the insulation on the main tanks was attached. Other proposals were made to use EVAs or modifying the arm to be able to examine the critical areas of the shuttle for damage and to equip the astronauts with a tile repair kit. Proposals for some kind of rescue plan, should the tiles be damaged too badly.

All were met with hostility and rejection from NASA management. It would cost more. It would slow the pace of launches. Supplies to last the extra time in space they might need would take away from profitable payload. Astronauts would be wasting precious orbital time on what was considered the “unproductive” task of examining the shuttle for damage. And don’t forget all that “unproductive” training time for them to learn to do it. It will take time and money to develop repair kits and of course there was no way an astronaut could actually do a repair like that in space.

Oh… and there was a formal requirement for human escape system for every regime from blastoff to landing of a “human rated” launch system – except the Shuttle had been exempted without the reasons for exemption being documented.


The Soviet Buran was a much safer launch vehicle. The booster itself was a reusable

STS-Buran-grand
Shuttle left, Buran right.

rocket that carried their shuttle as a payload rather than the engines of the Shuttle itself being used to boost it into orbit. The Buran’s engines were only used for manuvering and deorbiting. There were no solid rocket boosters and so no o-rings to worry about, no external fuel tank, so no foam to fall off. If something happened to the booster, Buran would simply separate and return on its own at any point in the flight regime.

If something happened to the crew, the automated pilot system kicked in and in a test performed every funtion from takleoff to landing perfectly. It also had auxiliary jet engines for atmospheric flight so it could circle around and take another run at a landing it the pilot didn’t like the first approach or even go to a different runway Crew ejection seats allowed the crew to bail out if they needed to.


Apollo 13 had shown the ability of astronauts to do things that shouldn’t be able to do. Skylab had had a rescue plan. Even the ISS had rescue plans. Despite ample evidence that o-rings weren’t the only Achilles heel in the Space Shuttle, once again the warnings were ignored and rejected. The reason for this was that the same people were running the show. They had been chastened but not removed from the decision making process.

You take a group of corporate managers, lecture them on how they need to change their way of thinking and send them back, chastized, to resume their work. Sorry, but that is the only thing they know. Soon they will revert to form. I don’t hate them – but most professional managers don’t know anything else but pushing papers. They are hard-wired for bottom line thinking.

Space exploration has to be run by engineers, not bean counters.

Because of the same people making the same mistakes, on February 1, 2003, this is what the reentry of Columbia looked like.

Foam falling off the main tank hit the leading edge of the left wing at a high velocity.  This was seen at launch. Once in space, NASA administrators disregarded opportunities to examine the area. DOD even offered to have a spy satellite examine the wing with ultrahigh resolution cameras. NASA declined. The thinking was that foam had fallen before and it hadn’t caused fatal damage then and it probably didn’t now either. There was also thinking that if it did cause damage, there was nothing to be done for it.

That kind of thinking would have killed the Apollo 13 crew.

Before the Shuttle, this kind of thinking would never have been allowed.

A maybe-might-work repair was possible, even without a dedicated kit. A rescue mission was also possible. The Columbia crew needn’t have died. But NASA wasn’t interested in checking for damage. If you don’t think you need to check, you’ll never get to the repair or rescue options.

Another catastrophe, another report. The Columbia Accident Investigation Board (CAIB)  investigated and then made recommendations. The Executive Summary is here:

  • The organizational causes of this accident are rooted in the Space Shuttle Program’s history and culture, including the original compromises that were required to gain approval for the Shuttle, subsequent years of resource constraints, fluctuating priorities, schedule pressures, mischaracterization of the Shuttle as operational rather than developmental, and lack of an agreed national vision for human space flight. Cultural traits and organizational practices detrimental to safety were allowed to develop, including: reliance on past success as a substitute for sound engineering practices (such as testing to understand why systems were not performing in accordance with requirements); organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion; lack of integrated management across program elements; and the evolution of an informal chain of command and decision-making processes that operated outside the organization’s rules.
  • This report concludes with recommendations, some of which are specifically identified and prefaced as “before return to flight.” These recommendations are largely related to the physical cause of the accident, and include preventing the loss of foam, improved imaging of the Space Shuttle stack from liftoff through separation of the External Tank, and on-orbit inspection and repair of the Thermal Protection System. The remaining recommendations, for the most part, stem from the Board’s findings on organizational cause factors.

This time a few heads rolled and  others had their careers permanently compromised.  The foam was better attached to the external fuel tank. A 50 foot boom was attached to the shuttle arm to be able to view all mission-critical areas of the ship and tile repair kits were added to each ship. More and better cameras were added to the launch complex to specifically watch for falling debris during launch.

Most importantly, a decisive attitude adjustment wrench was applied to NASA management.

Crew_of_STS-107,_official_photo.jpg
Image from Wikipedia. The crew of STS-107 in October 2001. From left to right: Brown, Husband, Clark, Chawla, Anderson, McCool, Ramon

After 28 more launches and no more disasters, the Shuttle system was  retired. ISS was built. Project Orion and the Ares heavy launch vehicle which were supposed to replace it were canceled by Obama. This left us swinging in the wind with no way to get crew up and down other than hitchhiking on Russian Proton/Soyuz rockets. Sixty year old technology. Very reliable but still risky. At least there was a way for the capsule to cut free in the event of a launch failure.

2019-02-01_17-43-37
Proton rocket launching a Soyuz capsule with US and Russian passengers for the ISS. (NASA astronaut Nick Hague and Russian cosmonaut Alexey Ovchinin.)

Soyuz Space Crew Launch Failure 2018: Full Coverage

Lest we forget, China has its own space program. It seems they care so little about safety they launch over populated areas.

This is what happens when you don’t have a range safety officer to abort or destroy an out of control launch.  Also when you launch adjacent to a small city.  When we send up a rocket, it heads out over water. In Russia it heads out over a vast and unpopulated desert. In our case there is a range safety officer is right there with his finger over the destruct button. He has absolute authority to immediately destroy any launch vehicle that threatens civilians. (Can’t say what the Russian’s range safety policy is.)

Spool back to February. 1996. Southern China.

The accident was suppressed and visuals only leaked out because as Westerners were whisked away by bus, they secretly videoed the devastation as they passed through it. Next time the Chinese will no doubt have buses with blacked out windows.

Just like a small atomic bomb and the Long March 3 isn’t even one of the “big boys”.

Hundreds dead? Thousands? How many other accidents that didn’t have Western observers? We may never know the truth. Or at least until the Chinese government goes the way of the old Soviet Union

Previous: Skylab

Next up: Manned Spaceflight in the Near Future