The Space Shuttle Was Not Great, Part III: Safety

Continued from Part II: Cost

Man-rated launch vehicles require a higher safety standard than unmanned launch vehicles. Human beings can’t tolerate high G-forces, and rockets carrying crew must have launch-escape capability to deliver them from danger in the event of an explosion or fire. Crew capsules are placed at the top of their rockets with structural shielding beneath the capsule to protect them if there is an explosion. A failure during the launch of an unmanned rocket may cause a few insurance companies to lose money, but a failure during a crewed launch can mean a horrifying and painful death for the crew if the rocket’s safety systems don’t function, and the extremely energetic nature of rocketry requires extremely robust and thorough safety systems. Redundancy and overlap are key aspects of crew safety; a properly designed crew safety system can protect a crew even after a cascading failure.

Even by the standards of the 1970s – the period in which it was designed – the space shuttle was a dangerous vehicle which lacked many standard safety features.

The space shuttle was a death trap.

The space shuttle reached space by using two tree-trunk-sized solid rocket boosters (SRBs) as well as three liquid-fueled main engines mounted to the rear of the vehicle. No crewed rockets before or since the space shuttle have used solid boosters – their danger outweighs their benefits.

Solid boosters are often used in unmanned rocket launches because they are cheap to manufacture and provide high levels of thrust without a corresponding increase in complexity. They are not typically used in manned spacecraft because they produce a very rough ride and cannot be shut down. The proposed Ares I rocket, which used a modified space shuttle SRB as its first stage, was cancelled in part because it was found that in the event of an accident, the single SRB could create an inferno of white-hot chunks of solid fuel 3 miles wide within 20 seconds of failure. The report stated,

The capsule will not survive an abort between [mission elapsed time] of ~30 and 60 seconds – as the capsule is engulfed until water-impact by solid propellant fragments radiating heat from 4,000F toward the nylon parachute material (with a melt-temperature of ~400F)

Once a solid fuel rocket is ignited, it will continue to burn until all the fuel is consumed; it cannot be turned off. In the event of a problem in a liquid-fueled rocket, the engine can be shut down to prevent damage to the vehicle. During an Apollo launch, one of the second-stage engines began to produce dangerous oscillations and was automatically shut down as a precaution. The flight continued safely into orbit.

If a liquid engine fails to light at liftoff, the remaining liquid engines can be shut down and the flight can be aborted before the rocket even leaves the pad. This happened five times in shuttle history, most recently in 1994 when the launch was scrubbed less than 2 seconds before the SRBs were ignited. If one of the SRBs failed to light, the crew would be killed. A single SRB ignition failure was not survivable – as the tremendous imbalance in thrust would rip the entire vehicle apart within seconds. A precautionary engine shutdown is not possible for a solid-fueled engine.

In 1988, the Soviets flew Buran – a vehicle resembling the space shuttle, created to prevent the Americans from getting ahead in the Cold War. Buran used liquid rather than solid boosters, in part because the Soviets felt solid boosters of the size necessary could not safely be manufactured. Buran and its booster system, Energia, had been in development since before the Challenger accident, and the accident served to confirm the Soviet concerns.

If there was a problem during launch, the space shuttle had no launch escape system, as it was not seen as practical to include one due to the size and configuration of the cockpit. Instead, shuttle abort procedures starting from the moment of launch called for the crew to wait until the SRBs were jettisoned more than 2 minutes into the flight, at which point the shuttle would fly like an airplane to a landing at an available runway. In other words, in the event of a mission-ending problem aboard the vehicle, the instructions from mission control were to call back in 2 minutes. The shuttle effectively had no survivable abort mode from SRB ignition until the SRBs were jettisoned at an altitude of 28 miles.

In 1980, Gregg Easterbrook, writing for the Washington Monthly, criticized this idea:

Here’s the plan. Suppose one of the solid-fueled boosters fails. The plan is, you die.

In 1986, one of the SRBs did fail, and the crew was killed. The investigation revealed that a rubber gasket in the booster, called an o-ring, had failed, allowing hot gases to escape from the side of the SRB and destroy the shuttle. The o-rings were not designed to erode or allow any hot gases to escape the seal during flight, yet erosion and hot gas blow-by were observed as early as the second shuttle flight, five years before Challenger. In the flights leading up to the Challenger accident, the problem became worse. Engineer Roger Boisjoly, working at the SRB manufacturer, wrote a memo to company management in 1985 warning them that the problem with the o-rings could lead to catastrophe. He wrote, of the potential for complete o-ring failure,

The result would be a catastrophe of the highest order – loss of human life.

It is my honest and very real fear that if we do not take immediate action to dedicate a team to solve the problem with the field joint having the number one priority, then we stand in jeopardy of losing a flight along with all the launch pad facilities.

His warnings were ignored. As he continued to study the o-ring problem, he found that it was associated with cold weather – the rubber o-rings became less flexible and more prone to failure in lower temperatures.

The day before Challenger was to launch, a conference call was held discussing Boisjoly’s concerns. He later testified,

Those of us who opposed the launch continued to speak out, and I am specifically speaking of Mr. Thompson and myself because in my recollection he and I were the only ones that vigorously continued to oppose the launch…

I stopped when it was apparent that I couldn’t get anybody to listen.

After the conference call, Boisjoly recalled,

I wrote the following entry in my notebook after returning to my office. “I sincerely hope that this launch does not result in a catastrophe.”

The next day Boisjoly was watching as Challenger was destroyed by an o-ring failure. The seven crew members, having no launch escape system, were killed. Evidence gathered from the wreckage showed that they were alive until their compartment impacted the water.

Shuttle proponents sometimes retort that space travel is dangerous and the astronauts knew the risks involved. The evidence, however, shows that this wasn’t true. The crew was never informed of Boisjoly’s concerns, and Associate Administrator for Space Flight L. Michael Weeks told the investigation,

We felt at the time – all of the people in the program I think felt that this Solid Rocket Motor in particular or the Solid Rocket Booster was probably one of the least worrisome things we had in the program.

Astronaut Don Lind, who flew on STS-51-B – a flight which had a close call with the o-rings – said after being told about the problem,

The first seal on our flight had been totally destroyed, and the [other] seal had 24 percent of its diameter burned away. Sixty-one millimeters had been burned away. All of that destruction happened in 600 milliseconds and what was left of that last O-ring, if it had not sealed the crack and stopped that outflow of gases—if it had not done that in the next 200 to 300 milliseconds—it would have gone. You’d never have stopped it and we’d have exploded.

Physicist Richard Feynman wrote in the notes of the investigation,

An estimate of the reliability of solid rockets was made by the range safety officer, by studying the experience of all previous rocket flights. Out of a total of nearly 2,900 flights, 121 failed (1 in 25). This includes, however, what may be called, early errors, rockets flown for the first few times in which design errors are discovered and fixed. A more reasonable figure for the mature rockets might be 1 in 50. With special care in the selection of parts and in inspection, a figure of below 1 in 100 might be achieved but 1 in 1,000 is probably not attainable with today’s technology.

And yet,

NASA officials argue that the figure is much lower. They point out that these figures are for unmanned rockets but since the Shuttle is a manned vehicle “the probability of mission success is necessarily very close to 1.0.”

That circular reasoning is what passed for logic in the shuttle program. Manned launches require a higher degree of safety than unmanned launches, and the shuttle met that requirement because it was manned, and manned launches have to meet the safety standards.

Feynman said,

It appears that there are enormous differences of opinion as to the probability of a failure with loss of vehicle and of human life. The estimates range from roughly 1 in 100 to 1 in 100,000. The higher figures come from the working engineers, and the very low figures from management.

He calculated that the engineers’ estimates were probably closest to correct, and wrote,

[The shuttles] therefore fly in a relatively unsafe condition, with a chance of failure of the order of a percent…

Official management, on the other hand, claims to believe the probability of failure is a thousand times less. One reason for this may be an attempt to assure the government of NASA perfection and success in order to ensure the supply of funds. The other may be that they sincerely believed it to be true, demonstrating an almost incredible lack of communication between themselves and their working engineers

It is clear that whatever the true risk was, the astronauts who flew in the shuttle were not properly informed before their flight. NASA’s official position was that the danger involved was a thousand times lower than the actual danger.

Seventeen years after the Challenger accident, Columbia broke up over Texas as it re-entered the atmosphere from space. Again, all seven crew members were killed. A piece of foam from the large orange external fuel tank had broken free during launch and had damaged the leading edge of the shuttle’s wing, putting a hole in the fragile thermal protection system.

During reentry, the fiery plasma generated by the speed of the shuttle entered the hole and destroyed the structure of the wing, causing the loss of crew and vehicle.

The subsequent investigation revealed that external tank foam loss occurred regularly,

Photographic evidence of foam shedding exists for 65 of the 79 missions for which imagery is available. Of the 34 missions for which there are no imagery, 8 missions where foam loss is not seen in the imagery, and 6 missions where imagery is inconclusive, foam loss can be inferred from the number of divots on the Orbiterʼs lower surfaces.

The exact chunk of foam that had damaged Columbia, the left bipod ramp, had a 1 in 10 chance of breaking free during launch.

The Board found instances of left bipod ramp shedding on launch that NASA was not aware of, bringing the total known left bipod ramp shedding events to 7 out of 72 missions for which imagery of the launch or External Tank separation is available.

As a result of foam shedding, launch-related damage to the shuttle’s fragile underside was common. During the launch of the first shuttle in 1981, a piece of foam struck the shuttle and damaged several tiles on the rear of the vehicle. Astronaut John Young noticed some damage on the nose of the shuttle and said it looked like someone had taken “big bites” out of some tiles.

In 1988, Atlantis was struck by a piece of insulation from one of its solid boosters – 700 tiles along the left side of the shuttle were damaged or destroyed. Once the shuttle reached orbit, commander Robert Gibson used the robotic arm to point a camera at the damaged underside of the shuttle. He later recalled,

I will never forget, we hung the arm over the right wing, we panned it to the location and took a look and I said to myself, “we are going to die.” There was so much damage. I looked at that stuff and I said, “oh, holy smokes, this looks horrible, this looks awful.”

After the crew returned safely to earth, it was found that in one place, the tiles were completely missing and the heat of reentry had melted the aluminum structure underneath. Had the damage occurred in a slightly different place, it would have been catastrophic – only a thick antenna mounting plate at the location had prevented complete burn-through.

The Atlantis crew was shocked by mission control’s response to the damage –

We’ve looked at the images and mechanical says it’s not a problem. The damage isn’t that severe.

After they had landed, Gibson learned that the engineers had misinterpreted the video and still images sent down from orbit.

Their conclusion, which they did not pass back to us, was “oh, you know what? That’s not tile damage, those are just lights and shadows we’re seeing in this video.”

Foam insulation is necessary because of the cryogenic propellant used in rockets – it must be kept very cold to prevent it from boiling away. During a typical rocket launch, debris and ice cascade down the side of the rocket after being shaken loose by vibrating engines. In most rockets, shedding of insulating foam and ice isn’t a problem because the payload is at the top of the rocket – away from any falling debris; the side-mounted shuttle did not have this passive safety feature. The foam chunk that doomed Columbia struck the wing at nearly 500 miles per hour.

The fear of debris damaging the vehicle was reflected in the original design specification, as described in the Investigation Board’s report –

The Space Shuttle System, including the ground systems, shall be designed to preclude the shedding of ice and/or other debris from the Shuttle elements during prelaunch and flight operations that would jeopardize the flight crew, vehicle, mission success, or would adversely impact turnaround operations.

Despite foam loss occurring on practically every flight, a condition contrary to the specifications of the vehicle, flights were allowed to continue.

Engineers reviewing the footage of the Columbia launch in 2003 saw the foam strike and became concerned about the potential for damage to the shuttle. They contacted Shuttle Program Manager Wayne Hale (who had been an engineer working on the shuttle during the near-disaster involving Atlantis in 1988) to request help from the Air Force; the engineers wanted to see photos of the underside of the orbiting shuttle so they could assess the damage. Hale began the process of requesting help, but his request was cancelled by mission management.

The extent of the damage was not known, but emails released during the investigation reveal that there was concern about the seriousness of the problem. After hearing that the imaging request had been cancelled, Rodney Rocha, Chief Engineer of the thermal protection system, wrote,

In my humble technical opinion, this is the wrong (and bordering on irresponsible) answer from the SSP and Orbiter not to request additional imaging help from any outside source. I must emphasize (again) that severe enough damage (3 or 4 multiple tiles knocked out down to the densification layer) combined with the heating and resulting damage to the underlying structure at the most critical location (viz., MLG door/wheels/tires/hydraulics or the X1191 spar cap) could present potentially grave hazards… Remember the NASA safety posters everywhere around stating, ʻIf itʼs not safe, say soʼ? Yes, itʼs that serious.

Another engineer wrote,

There is lots of speculation as to extent of the damage, and we could get a burn through into the wheel well upon entry.

As it turned out, the foam from the bipod ramp had struck the fragile leading edge of Columbia’s wing, an area protected not by tiles but by panels of reinforced carbon-carbon (RCC), designed to survive the most intense heat of any area of the vehicle during reentry. The foam pierced the RCC panels and left Columbia with a large hole in the most vulnerable place on the shuttle, a hole which let hot gases into the wing, ultimately leading to the shuttle’s destruction.

During the mission, despite the vigorous discussion at NASA, the astronauts were not told about the concerns. The flight director sent an email to the crew, saying,

There is one item that I would like to make you aware of for the upcoming PAO event on Blue FD 10 and for future PAO events later in the mission. This item is not even worth mentioning other than wanting to make sure that you are not surprised by it in a question from a reporter.

During ascent at approximately 80 seconds, photo analysis shows that some debris from the area of the -Y ET Bipod Attach Point came loose and subsequently impacted the orbiter left wing, in the area of transition from Chine to Main Wing, creating a shower of smaller particles. The impact appears to be totally on the lower surface and no particles are seen to traverse over the upper surface of the wing. Experts have reviewed the high speed photography and there is no concern for RCC or tile damage. We have seen this same phenomenon on several other flights and there is absolutely no concern for entry.

Even NASA administrator Charlie Bolden, who flew both Columbia and Discovery, didn’t know how vulnerable the RCC panels were. In his oral history, he said,

Nobody ever considered any damage to that because we all thought that it was impenetrable. In fact, it was not until the loss of Columbia that I learned how thin it was. I grew up in the space program. I spent fourteen years in the space program flying, thinking that I had this huge mass that was about five or six inches thick on the leading edge of the wing. And, to find after Columbia that it was fractions of an inch thick, and that it wasn’t as strong as the fiberglass on your Corvette, that was an eye-opener, and I think for all of us.

After the accident, the investigation team performed an impact test duplicating the conditions during the Columbia launch. With a loud boom, the foam punched a 16-inch-diameter hole in the RCC panel.

Sheila Widnall, a member of the investigation board, said,

There were people at NASA who didn’t believe that foam could put a hole in the RCC. It was such an emotional event. The guy that had developed this material, he cried – he was in the audience when he saw this – he cried.

The Columbia accident served to show that the institutional problems that had existed in the program since its inception had not been solved. The report of the accident investigation board stated,

The organizational causes of this accident are rooted in the Space Shuttle Program’s history and culture, including the original compromises that were required to gain approval for the Shuttle Program, subsequent years of resource constraints, fluctuating priorities, schedule pressures, mischaracterizations of the Shuttle as operational rather than developmental, and lack of an agreed national vision.

The report criticized the program for having a deeply flawed technical view on safety.

The initial Shuttle design predicted neither foam debris problems nor poor sealing action of the Solid Rocket Booster joints. To experience either on a mission was a violation of design specifications. These anomalies were signals of potential danger, not something to be tolerated, but in both cases after the first incident the engineering analysis concluded that the design could tolerate the damage. These engineers decided to implement a temporary fix and/or accept the risk, and fly. For both O-rings and foam, that first decision was a turning point. It established a precedent for accepting, rather than eliminating, these technical deviations.

The shuttle was from its creation inherently dangerous, and the danger was never adequately addressed. With no launch escape system, no possibility for abort during SRB-firing, a configuration that had debris falling onto the fragile thermal protection system, and institutional problems with identifying, communicating, and eliminating hazards, it’s not at all surprising that the space shuttle killed more people than all other space vehicles in history combined.

I hope that I’ve been able to show that the anti-shuttle position isn’t an anti-space or anti-science position. I love space, and I love science – I see it as a modern-day messiah. It is responsible for the greatest miracles the world has ever seen and has produced the most amazing improvements in the quality of life. The space shuttle was detrimental to the progress of space flight and space science. NASA spent 30 years flying the shuttle and what do they have to show for it? It started life as the vehicle that would make space flight cheap and routine, and ended as a highly experimental vehicle which was too deadly and expensive to fly. NASA astronauts haven’t left low orbit since the last moon landing more than 40 years ago, and now they can’t even get to low orbit without hitching a ride on a Russian Soyuz. The anti-shuttle position is typical among people in the field. Even shuttle-era NASA administrator Michael Griffin recognized that the program was not successful. After the Columbia accident, he said,

The shuttle is inherently flawed. It does not have an escape system for its crew, and we all know that since human perfectionism is unattainable, sooner or later, there will be another shuttle accident

He continued the criticism in an interview with USA Today,

Asked Tuesday whether the shuttle had been a mistake, Griffin said, “My opinion is that it was. … It was a design which was extremely aggressive and just barely possible.”

I’m glad the shuttle is gone, and I only wish it would not have taken so many billions of dollars and 14 lives before it went.


The things I like and write about are mormonism, beekeeping, homeschool, and outer space.
