Perspective
Since 1960, the NASA Manned Space Flight Program has successfully accomplished 55 manned flight missions. This outstanding record has been based for the most part on the building of a competent technical and management organization within NASA and the aerospace community. The systems management approach, which was exercised to its fullest during the Apollo program, has been the basis for all subsequent manned programs - Skylab, Apollo-Soyuz, and now Shuttle. The completeness of the identification of requirements to the thoroughness of critical design and certification reviews to obtain maximum assurance that the Shuttle flight hardware is acceptable to fly is essentially the same as the system implemented on the previous manned programs.
It is the considered opinion of the Production and Development Team that there have been many outstanding achievements in the Space Shuttle development, and even though the cause of the 51-L accident appears to be isolated to one element of the system, the possibility exists that if the accident is directly or indirectly related to a Development and Production deficiency, then a similar deficiency could exist in other elements of the program. Consequently, the report highlights potential areas of concern without corresponding treatment of the program approaches and activities that are exemplary.
Introduction
In response to the STS 51-L accident on January 28, 1986, an interim mishap Investigation Board was established by the Acting Administrator of NASA to initiate an investigation into the cause of the Shuttle Challenger accident. On March 11, 1986, the Acting NASA Administrator created the STS 51-L Data and Design Analysis Task Force to replace the interim mishap Investigation Board and to support the activities of the Presidential Commission on the Space Shuttle Challenger Accident. Rear Admiral Richard Truly was designated as Chairman of the 51-L DDATF who in turn organized the task force with four principal teams to be coincident with and responsible to the four previously identified Commission panels for: (a) Development and Production, (b) Prelaunch Activities, (c) Mission Planning and Operation, and (d) Accident Analysis.
This report pertains to the Shuttle program review activities ,of the Development and Production Team. The Development and Production Team was chartered to undertake a critical review and analysis of the design, development, test and evaluation of the NSTS hardware and systems involved in the STS 51-L accident, in order to ascertain the adequacy of these program activities.
With the exception of an initial meeting of the Commission's Development and Production Panel held at JSC on March 5, 1986, the NASA team in conjunction with the Commission panel conducted all reviews jointly as a group. These reviews consisted of contractor visits to Morton Thiokol, Incorporated, Wasatch, Utah; Rocketdyne, Canoga Park, California; Rockwell International, Downey, California; Martin Marietta, Michoud Aerospace, Michoud, Louisiana; and United Space Boosters, Incorporated, Huntsville, Alabama.
The Development and Production (D&P) Team, in conjunction with representatives of the Presidential Commission Development and Production Panel, conducted a series of reviews at the prime contractor facilities at the Johnson Space Center (JSC) and the Marshall Space Flight Center (MSFC) for the purpose of assessing the hardware acquisition program.
The four key areas investigated by the Development and Production Team/Panel were common to all the National Space Transportation System (NSTS) elements. They were: (a) the design of the element including design requirements, control and certification; (b) the development of the hardware: (c) the testing and qualification of the hardware; and (d) the evaluation of the results of the production of the product to meet the stringent requirements of the Space Shuttle Program. In all of the four areas, there was a consistency in the formality and rigor of how the elements were to proceed through these stages. The various Panels, Boards, and the logical progression of the extremely detailed major reviews all functioned essentially the same across the program.
A systematic review approach was utilized to assure continuity of the reviews, and a common agenda was followed by all parties. Special emphasis was placed on the design and qualification of the critical elements of the Space Shuttle launch vehicle and the evolution of the margins of safety of the critical structures.
The Commission Panel received an extremely comprehensive reviews, in the conduct of its duties and has full confidence that with the detailed reevaluation of the safety related critical items and the improvements or correction of any deficiencies, the Space Shuttle Program will be able to safely conduct its missions. The NASA development and production process is sound and the expansion of the operating margins will allow future safe space missions.
Each contractor addressed his procedures and approaches used to develop the Failure Modes and Effects Analysis (FMEA), the Critical Items List (CIL), and Hazards Analysis (HA).
Requirements for these products emanated from NASA Handbook (NHB) 5300.4. The purpose of the FMEA is to identify the various potential failure modes of the flight elements' components and assess the associated effects on the specific flight element as well as the total launch vehicle and mission. The potential failure modes are derived from analyses of function, design, and related manufacturing processes. The CIL identifies the critical failure mode; and the rationale for retention. The items contained in the CIL are classified in five major categories commensurate with the degree of criticality. The Hazard Analysis identifies the hazards and their status of resolution and categorizes them as controlled (by design, procedure, etc.) or as accepted risk.
It was the consensus of the Commission Panel that a reassessment of the FMEA/CIL, in conjunction with the hazard analyses, should be conducted to assure that Criticality 1 and 2 items are re-evaluated and that the hazard analyses properly identify the Criticality 1 items. Thus, the associated risks and hazards will be thoroughly understood and appropriate action can be taken to minimize their criticality. This effort should identify the major items which can be prioritized and receive the necessary management attention.
Figures 1 through 8 depict the history, by flight element, of the total number of critical items and hazards.
A fundamental finding by the Commission/Panel was that the NASA system and the working relationships with their respective element contractors were outstanding for the SSME, SRB, ET and Orbiter. MSFC/Rocketdyne (SSME), MSFC/Martin Marietta Michoud Aerospace (ET), MSFC/USB1 (SRB), and JSC Rockwell International (Orbiter) all had exceptional working relationships which anticipated and solved problems together and functioned very smoothly within the rigors of the design, development, test and evaluation of the hardware elements. These relationships have continued into the operational phase of the Shuttle program. The flow of technical data and potential problems has not been as timely or comprehensive with MSFC/MTI as with the other elements, and as a result, there have been gaps in the understanding of exactly how the SRM performed.
The investigation revealed that the contractual specifications imposed upon the Solid Rocket Motor (SRM) contractor clearly specified the natural and induced environmental requirements. These requirements were not met. Specifically, the design requirement for the motor to operate over a propellant mean bulk temperature of 40 to 90 degrees Fahrenheit was the only thermal requirement considered. Consequently, the as-built hardware was not verified to the intended natural and induced environments. Of particular interest were the field joints. Since they were not tested to the complete set of environmental requirements, a total understanding of the joint design limits was not obtained. This was further complicated because of insufficient development testing and analyses concerning the operational characteristics of the joint putty, joint rotation, and O-ring compression and resiliency.
The configuration of the SRM qualification test article did not totally represent that of the flight hardware. For example, preparation of the joint putty was not accomplished comparably on the qualification motor and the flight motor. The putty performance is a possible cause of the 51-L accident.
Prior to the STS 51-L accident, there was insufficient knowledge on the part of MTI and NASA relative to the performance characteristics of the putty used in the SRM field joint. It was originally thought that the putty would allow the SRM hot gas to pressurize the primary O-ring during the motor ignition transient. It has been subsequently learned that humidity and temperature enhance the putty characteristics relative to its pressure holding characteristics thereby delaying the proper actuation of the primary O-ring. The uncertainty of these characteristic changes directly effects the ability of the field joint to seal.
The adequacy of the SRM joint O-ring process and quality control was found to be questionable. The O-ring is allowed to include five scarf joints, a quantity which was arbitrarily established, and repairs of inclusions and voids are routinely made by the vendor after his receipt of the material supplies. Due to the criticality of this hardware in the operation of the SRM, it appears that more stringent control is necessary.
Mandatory inspection points were temporarily omitted from the O-ring acceptance criteria at MTI, and the secondary O-ring for the suspect 51-L field joint was processed when the mandatory inspection points were not in effect. The possibility exists that other areas similar in criticality may be suspect if a complete assessment of all mandatory inspections is not performed.
The SRM's were static tested in the horizontal position rather than in the flight attitude. A review of the considerations for this decision reveals the decision to be based mostly on programmatic considerations and the concern of determining the thrust values more accurately. It was not obvious that the effects of this deviation in test and flight configuration received sufficient attention.
It has been determined by measurement of two flown case segments that both the SRM tang and clevis sealing surfaces have increased in diameter beyond the anticipated design limits. The growth is believed to be material related and related to the hydrostatic proof test pressure level. This uncertainty must be resolved prior to any planned reuse of case segments.
Difficulty has been experienced with the SRM segments during mating operations at the launch site. The loaded segments are transported by railcar in the horizontal position. This shipment orientation could cause the cases to assume undesirable out-of-round conditions and contribute to the mating operations difficulty.
The Space Shuttle Main Engine (SSME) is recognized as a high technology, high power density, state-of-the-art rocket engine. It contains many high energy sources and therefore is a very complex and high risk element of the Space Shuttle system.
[K9] NASA and the contractor, both of which have experience in high technical liquid propulsion capabilities, have a thorough knowledge of the technical requirements for the development and operation of the engine. These capabilities allow technical penetration by the personnel such that potential problems are recognized in a timely manner and necessary resolutions are implemented. The mutual understanding of the complexity of the system and the attention of detail given has no doubt been an important factor in the success of the program to date.
The current SSME design is certified for 15 missions. Future operational requirements indicate a need for a continuous hot fire and off-nominal test program with multiple engines to demonstrate time far in excess of the Orbiter fleet leader. Such testing will demonstrate the full margin extent of critical components and subsystems.
The Orbiter development and production has been accomplished with thorough rigor and formality. However, there are several improvements now in process, as well as other potential improvements previously considered which should be re-reviewed and prioritized to assure minimization of hazards.
During the review process, the subject of the contractual separation of the launch site processing and inspection activities from the design organizations was addressed. Concern was expressed that the processing personnel may not possess the necessary technical background gained during the design and development phase to adequately determine system degradation resulting from multiple missions. The processing contractor also may not appreciate or recognize the criticality of the hardware being tested and processed.
Some of the manifested payloads require Orbiter modifications. Extremely complex and critical payloads such as Centaur should receive special safety emphasis reviews.
It was concluded that the development and certification of the non-SRM portions of the SRB have followed the NASA requirements and approved plans. The hardware design is mature. In order to assure continued success, attention must continue to be given to the details associated with the reacceptance of the reused hardware.
The Commission Panel suggested that additional instrumentation be incorporated on the SRB, prior to resumption of flights, to measure the SRM case joint parameters and SRB bending.
The ET contractor demonstrated that his technical and management staff are well versed in their respective areas of responsibilities and that the program is controlled and implemented by a disciplined system.
The lightweight External Tank configuration design incorporated a factor of safety of 1.25 for those loads that are well defined. A proration of the 1.25 factor and the more conservative 1.4 factor was used in other areas. This approach produced a lightweight design with sufficient margins of safety that resulted in more payload capability for the Space Shuttle Program.
The External Tank design incorporates a vent and relief valve on the L02 and LH2 tanks. The position indicator switch tolerances allow the valve to indicate being in the closed position when it may in fact be open up to 0.30 inch. Additional analyses and/or testing should be conducted to determine if this situation is a safety issue, followed by the necessary appropriate action.
II. Directive Appointing Development and Production Team/Charter
The 51-L Data and Design Analysis Task Force (DDATF) was established March 7, 1986, by Rear Admiral Richard H Truly, Associate Administrator for Space Flight, National Aeronautics and Space Administration (NASA). A detailed charter defining the DDATF organization, duties, responsibilities, and authority was published. As an attachment thereto, the General Assignment for Project Analysis Team document was issued which defined organization and responsibilities for the Project Analysis Team. Appendix A contains the aforementioned documentation.
Subsequent to the formation of the Project Analysis Team, its title was revised to the Development and Production Team to be consistent with the nomenclature of the Presidential Commission Panel of the same title.
III. Organization/Method of Investigation
A. Organization
The organization of the Development and Production Team is depicted in Figure 9. The Team is comprised of a core membership which consists of Mr. Thomas J. Lee, MSFC/DDOI, Lead; Mr. C. E. McCullough, JSC/VP, Deputy Lead; Mr. Robert Stewart, JSC/CB, member; and Ms. S. G. Henderson, NISFC/SA76, and Mr. D. L. Riley, MSFC/SA71, staff. The remaining membership consists of a senior representative from each of the flight element project offices; i.e., Orbiter Project, External Tank (ET) Project, Solid Rocket Booster/Solid Rocket Motor (SRB/SRM) Project, and the Space Shuttle Main Engine (SSME) Project.
B. Method of Investigation
The D&P Team conducted a critical review and analysis of the acquisition phase of the STS 51-L flight hardware. This effort was accomplished in conjunction with representatives of the Presidential Commission Development and Production Panel who jointly received formal presentations by the respective project offices and their contractors. These presentations addressed the key elements of the hardware acquisition process and the modes of operation, management, and systems utilized by the various parties to satisfactorily convert the performance and design requirements into flight hardware which was properly manufactured, tested, and certified. The presentations included the results of engineering analyses and development and qualification testing.
An in-depth penetration of the various management and functional disciplines and processes was conducted with interest in the following:
- a. Design of critical elements
- b. Trade-offs in design versus cost, safety, schedule
- c. Test and evaluation of components, subsystems, and systems
- d. Quality and certification of components, subsystems, and system
- e. Engineering changes and waivers
- f. Process control
- g. Production capability
- h. Quality control
- i. Configuration control
- j. Refurbishment, processing, impacts, and difficulties
- k. Logistics support
- 1. Production deficiencies, development, and waivers
- m. Production testing
- n. Government acceptance process
- o. Shipping and handling
Tours of the manufacturing and checkout operations were conducted to further familiarize the team and panel membership with the flight hardware in review.
Question and answer sessions were conducted which involved the Team and Panel personnel and the project and contractor personnel, including subcontractor personnel.
As required, formal action items were assigned and tracked through completion in order to assure that the Team and Commission Panel members were provided the required information and data to conduct their investigation.
IV. Definitions of Terms and Acronyms
|
Acronyms |
Terms |
|---|---|
|
. | |
|
ADP |
Acceptance Data Package |
|
AFQA |
Air Force Quality Assurance |
|
[K11] AR |
Acceptance Review |
|
ASAP |
Aerospace Space Advisory Panel |
|
CAR |
Configuration Acceptance Review |
|
CCB |
Configuration Control Board |
|
CCV |
Coolant Control Valve |
|
CDF |
Confined Detonation Fuse |
|
CDR |
Critical Design Review |
|
CEI |
Contract End Item |
|
CIL |
Critical Items List |
|
COQ |
Certificate of Qualification |
|
D&P |
Development and Production |
|
DAR |
Deviation Approval Request |
|
DAS |
Document Accountability System |
|
DCN |
Document Change Notice |
|
DCR |
Design certification Review |
|
DDATF |
Data and Analysis Design Task Force |
|
DDT&E |
Design, Development, Test and Evaluation |
|
DM |
Development Motor |
|
DVS |
Design Verification Specification |
|
E&I |
Electrical and Instrumentation |
|
EAFB |
Edwards Air Force Base |
|
ECP |
Engineering Change Proposal |
|
EIS |
End Item Specification |
|
EMC |
Electromagnetic Compatibility |
|
EMI |
Electromagnetic Interference |
|
ET |
External Tank |
|
FASCOS |
Flight Acceleration Safety Cutoff System |
|
FM |
Frequency Modulation |
|
FMEA |
Failure Modes and Effects Analysis |
|
FMOF |
First Manned Orbital Flight |
|
FPL |
Full Power Level |
|
FRR |
Flight Readiness Review |
|
FWC |
Filament Wound Case |
|
GFP |
Government Furnished Property |
|
GSE |
Ground Support Equipment |
|
HCS |
Hardware Certification Sheet |
|
HOSC |
Huntsville Operations Support Center |
|
HPFTP |
High Pressure Fuel Turbopump |
|
HMP |
High Performance Motor |
|
HPOTP |
High Pressure Oxidizer Turbopump |
|
ICD |
Interface Control Document |
|
JSC |
Johnson Space Center |
|
KSC |
Kennedy Space Center |
|
LCC |
Launch Commit Criteria |
|
LH2 |
Liquid Hydrogen |
|
LO2 |
Liquid Oxygen |
|
LPPTP |
Low Pressure Fuel Turbopump |
|
LPOTP |
Low Pressure Oxidizer Turbopump |
|
LSC |
Linear Shaped Charge |
|
LSS |
Launch Support Services |
|
LWT |
Lightweight Tank |
|
MAF |
Michoud Assembly Facility |
|
MCC |
Main Combustion Chamber |
|
MCF |
Major Component Failure |
|
MMI |
MSFC Management Instruction |
|
MOR |
Manufacturing Operation Record |
|
MPP |
Manufacturing Process Plans |
|
MPTA |
Main Propulsion Test Article |
|
MRB |
Material Review Board |
|
MTI |
Morton Thiokol, Incorporated |
|
NASA |
National Aeronautics and Space Administration |
|
NHB |
NASA Handbook |
|
NSTL |
National Space Technology Laboratories |
|
NSTS |
National Space Transportation System |
|
OFI |
Operational Flight Instrumentation |
|
OMI |
Operations and Maintenance Instruction |
|
OMRSD |
Operations and Maintenance Requirements and Specification Document |
|
PDR |
Preliminary Design Review |
|
PMBT |
Propellant Mean Bulk Temperature |
|
PRCB |
Program Requirements Control Board |
|
PRR |
Program Requirements Review |
|
PSI |
Pounds Per Square Inch |
|
PSIG |
Pounds Per Square Inch Gage |
|
QM |
Qualification Motor |
|
SSME |
Space Shuttle Main Engine |
|
STA |
Structural Test Article |
|
STM |
Standard Materials |
|
STP |
Standard Processes |
|
SWT |
Standard Weight Tank |
|
TPS |
Thermal Protection System |
|
TVC |
Thrust Vector Control |
|
UCR |
Unsatisfactory Condition Report |
|
USBI |
United Space Booster Incorporated |
|
VAFB |
Vandenberg Air Force Base |
|
VCR |
Vehicle Configuration Review |
|
VLS |
Vandenberg Launch Site |
V. Technical Description and Analysis
As stated in III.B, Method of Investigation, the investigation conducted by the D&P Team was accomplished by a series of in-depth reviews of formal presentations given by the NASA project offices and their respective prime contractors.
A summary report on each of these investigations is provided in the following subsections which address each element, i.e., SRM, SRB, ET, SSME, and Orbiter.
To provide continuity of the investigation, the reviews conducted at the major elements' facilities all followed the same basic agenda:
- a. Design Requirements and Control
- b. Design Reviews and Certification System
- c. Verification Requirements, Planning, Documentation, and Control
- d. Development and Qualification
- e. Transportation and Handling Verification
- f. Design and Production Control
- (1) Configuration Control
- (2) Operating Plan and Control
- (3) Quality Control
- g. Launch Support Services
- h. Failure Mode Effects Analysis/Critical Items List (FMEA/CIL) Summary
- i. Response to Specific Previously Submitted Questions
- j. In-plant Review of Production
A. SRM Analysis
The D&P Team, in conjunction with representatives of the Presidential Commission, convened at Morton Thiokol, Incorporated (MTI), Wasatch Operations, Utah, on March 17 and 18, 1986, for the purpose of evaluating the SRM acquisition program. A series of formal presentations was provided by representatives of MTI. Mr. Sutter, Dr. Walker, and Mr. Rummel were the Presidential Commission members in attendance.
Appendix B, Space Shuttle Solid Rocket Booster Fact Book, SA44-80-02, provides a general description of the SRM.
The presentations, Appendix C hereto, addressed requirements and certification control, design reviews, requirements verification, [K12] design and production control, and transportation and handling. The contractor also provided a Failure Modes and Effects Analysis/Critical Items List summary presentation and provided answers to specific inquiries identified prior to the meeting by the Presidential Commission's Development and Production Panel.
A.1. Requirements and Control
Performance and design requirements for the SRM emanate from a variety of sources. These requirement sources are: (a) systems requirements (defined in the JSC 07700 Program Definition & Requirements documentation) identified and controlled by the NSTS Program Office, (b) SRM unique requirements (defined in the Contract End Item (CEI) Specification CPW 1-3300 and associated referenced documents) identified and controlled by the NASA Project Office at MSFC, and (c) other SRM requirements which the contractor specifies and controls. These requirements are documented in the contractor engineering drawings, specifications, etc. The Requirements and Certification Control (RCC) section of the presentation defined the specific control boards and their respective authorities and areas of responsibility. These various control boards are compatible with the overall Space Shuttle control board requirements. Section CC of Appendix C defines the MTI configuration control system.
The SRM project design requirements are documented through a formal set of specifications and other documentation which are controlled by the respective Level I, II, III, and IV control boards.
The specific criteria for the SRM case joint and seal design requirements were presented with particular reference to the natural and induced thermal environments.
During this portion of the investigation, it was determined that MTI did not properly interpret the thermal environments imposed by the CEI Specification. Specifically, the design requirement for the motor to operate over a Propellant Mean Bulk Temperature (PMBT) of 40 to 90 degrees Fahrenheit was the only thermal requirement considered. MTI stated that they did not interpret the natural and induced environments as applicable for flight even though the natural environment of 31 to 99 degrees Fahrenheit is in the CEI as applicable to "vertical flight" and the induced environment for a "cold day" shows a case interface with the ET attach temperature of 25 degrees Fahrenheit.
A.2. Design Review and Certification
The SRM project, from November 1974 through September 1982, conducted and participated in a series of major program reviews which were used to incrementally develop and assure certification of the configuration baseline. These reviews were the Preliminary Design Review (PDR), Critical Design Review (CDR), Lightweight Case CDR, and the STS-6 Vehicle Configuration Review (VCR).
A.3. Requirements Verification
The contractor had implemented a closed-loop verification program which is defined by the contract end item specification and which resulted in a detailed development and verification plan and associated sub-tier plans and procedures. The closed-loop verification program tracks each end item specification requirement and defines the phase (development, acceptance, prelaunch, etc.), the method of verification (analysis, inspection, test, etc.), and applicable requirements of the verification plan, through the test plans and reports culminating in a formal certificate of qualification (COQ). The SRM contains the following 16 items which required a COQ.
|
|
MTI presented a summary schedule of the SRM project which provided the relationships between the major development activities, the production contract deliveries, and the manned orbital flights.
In the requirements and verification presentation (reference Section R&V of Appendix C), case joint seals requirements were selected from the CEI specification and presented as an example of the verification process which included development and qualification testing. Specific requirements pertaining to performance, pressure seals, natural and induced environments, general factors of safety, and safety factors for pressure and materials were addressed. Each requirement was defined, the method of certification was identified (i.e., analysis, test, inspection, similarity), the resulting subsystem-level certification documents were listed, and a synopsis was provided. The following points of interest were extracted.
|
CEI Requirement |
Synopsis Extract |
|---|---|
|
. | |
|
Performance |
Demonstrated operating temperature range via development and qualification motor tests was 36°F ambient (PMBT of 68°F) to 97°F ambient (PMBT of 74°F). (Reference Appendix C, page R&V-33.) |
|
. | |
|
Pressure Seals, Verifiable, Redundant |
TWR-12051-STA-1, Motor Case Setup II. Pressure measurements implied increasing volume between O-rings, confirming relative movement between clevis and tang (inside clevis to tang gap opens slightly). During case pressurization, secondary O-ring probably became unseated due to clevis/tang gap opening. Same unseating could occur under worst case dimensional tolerances. It was pointed out that this worst case condition had existed on only one SRM to date. |
|
. | |
|
Natural Environments 31°F to 99°F |
280 successful proof tests of joints using 90 durometer, 0.275 dia. O-rings at 65(F. These tests are equivalent of proof tests of 70 durometer, 0.280 dia. O-rings at 30(F. (Reference Appendix C, page R&V-35). DM-l through DM-5 and QM-1 through QM-4 static tests were conducted with calculated O-ring temperatures of 40(F to 84(F. (Reference Appendix C, page R&V-35.) Vendor certified seals to MIL-R-83248 which states that, generally, materials meeting this specification are usable over a temperature range of -30(F to 500(F but that the user should consider the particular application in determining usability in these thermal conditions. Materials meeting this specification are more compression set resistant than those meeting MIL-R-25897. (Reference Appendix C, page R&V-35.) |
During this portion of the presentation, much discussion ensued as to how the case joint was qualified. Since the static firings were conducted in the horizontal position rather than the [K13] vertical, questions were raised regarding proper simulation of the SRM relative to launch situations. MTI stated that horizontal testing of the SRM was considered an adequate verification of the motor. Certainly, there was no compromise on the verification of motor performance as analytical corrections of the ballistic performance were not required as a result of propellant weight consumption. Corrections are required for vertical test firings, and thrust reproducibility was a key specification requirement to ensure the Space Shuttle control moments were not exceeded. This horizontal testing did introduce some variance in the case joint putty configuration caused by the tendency of the propellant grain to slump. The putty was inspected from the motor interior after assembly and repacked as required to fill voids. However, at that time, this operation was intended to simulate a consistent putty layup configuration existent with vertical assembly. The validity of that simulation is questionable today since no O-ring erosion or blow-by was experienced in ground testing. However, other variables including data base limits, pre-proof test seating pressure changes, and putty source variations may have masked the problem. Discussions also focused on the fact that the SRM qualification testing did not consider or address all aspects of the CEI specification requirements, particularly in the area of natural and induced thermal requirements. In conjunction with the above, questions surfaced pertaining to whether or not there was adequate understanding of the field joint operation and its assembled components (regarding putty performance, joint rotation, O-ring compression and resiliency, segment mating mismatch, handling, etc.).
The presentation then continued with an explanation of the steel case configurations and high performance motor design changes. The verification program flow and methods were discussed, and the testing flow was explained.
As a result of the aforementioned fact that MTI and NASA overlooked the natural and induced thermal requirements specified in the CEI specification, it is apparent that the SRM was tested and certified only to a minimum operating ambient temperature of 40°F. MTI also stated that there were no temperature or humidity putty data gathered during the development and qualification static firings.
Again, discussions regarding the natural and induced environments only resulted in MTI restating that their interpretation of the 31°F to 99°F requirement is that it is a ground air launch pad temperature prior to launch. The Commission requested copies of the Level II and III specifications which defined the SRM temperature requirements. Copies of these specifications were provided by action DP-003.
The material presented during the remainder of the case joint seals verification was not clear as to when it was developed; i.e., during certification or after. Data which was known and may or may not have been presented to NASA during the verification process was interleaved with today's known data and its present interpretation. The Commission Panel's opinion is that irrespective of whether the data was available or not at the time of the Design Certification Review, whatever was available should have been presented. Since it apparently was not, the NASA review process should have identified the deficiency, and NASA should have requested the information and directed any further appropriate testing be conducted as required.
Action DP-006 was assigned to develop a time correlation depicting SRM changes, the verification program, and any evidence of problems associated with the SRM joint seal integrity. The product of this action is contained in Appendix D.
Subsequent to the review, a chronology was prepared which summarizes the O-ring anomalies observed during post-flight and post-test inspections of the SRM's. This information is contained in Appendix U.
The MTI summary stated that: (a) the progression of design reviews culminating with the CDR in 1979 assured the standard SRM was certified for flight on STS-1; (b) that the Lightweight case and the High Performance Motor (HPM) changes were properly reviewed and approved prior to incorporation into flight hardware; and (c) that they have interpreted the SRM CEI specification to require that the SRM be certified over a propellant mean bulk temperature range of 40°F to 90°F. that all other components of the SRM would be at the same temperature as the propellant, and that the SRM must be capable of withstanding long-term storage at temperatures ranging from 32°F to 95°F.
A.4. Transportation and Handling
The transportation and handling requirements and methods of implementation and certification were evaluated by the D&P Team. The SRM segments are transported horizontally by standard 200-ton capacity railcars with hydraulic couplers, and the nozzle exit cone extensions are transported by standard 70-ton capacity railcars. It was determined that the transportation design requirements for the transportation support equipment exceeded the capabilities of the railcars. The transportation design requirements included a factor of safety of 3 on ultimate and the handling is five times static load with a factor of safety of 4 on ultimate. Each item of support equipment was analyzed for all loading conditions, and a series of tests was conducted involving railcar coupling with an inert segment and cross country transportation with an instrumented segment. The support equipment requirements included thermal protection but n instrumentation was required to record structural loads. For acceptance, the support equipment was subjected to a proof test of twice the load for all lifting loads and inspections.
More than 200 motor segments loaded with propellant have been transported from MTI to Kennedy Space Center (KSC), and more than 180 fired motor segments have been returned to MTI from KSC. Additionally, eight inert segments have been shipped to MSFC and KSC and returned to MTI and then shipped and returned between MTI and Vandenberg Air Force Base (VAFB).
No anomalies have been attributed to transportation and handling, and there have been no exceedances of the transportation thermal requirements. Discussions did arise concerning potential changes to the cases resulting from transportation in the horizontal position. As part of the case joint redesign effort, studies are now being conducted to determine the effect of horizontal transportation on case ovality and, in turn, the effect of ovality on the assembly process. The cases are not currently instrumented during cross country transportation such that the loading, etc., is known. A case was instrumented during the development phase of the program and it was determined that maximum transportation loads were insignificant. The details pertaining to the requirements and certification for the transportation and handling equipment are contained in Appendix C, Section T&H.
For in-house handling, a discipline exists to classify moves commensurate with their criticality. Accordingly, responsible individuals are identified to assure that the requirements and procedures are proper. Critical moves must receive approval of MTI upper management as well as that of NASA. A handling evaluation team is established to witness the first operation. Critical operations receive 100% monitoring by a handling engineer and require completion of a detailed handling checklist. There were no commission recommended changes or criticism concerning the in-house handling. Reference Section IHH of Appendix C.
A.5. Design and Production Control
The MTI configuration control system was reviewed (Referenced Appendix C, Section CC). This system was formulated upon the contractual requirements (MSFC document MMI 8040.12) and is documented by the NASA-controlled SRM Configuration Management Plan and subordinate MTI policies and procedures. The Class I and Class II control systems were addressed; the membership of the MTI Configuration Control Board (CCB) was defined and its authority was addressed. A summary level explanation was provided for each Class I (NASA approval required) authorized change. It was noted that the change (ECP SRM 0995) [K14] establishing the midweight case configuration was certified only by similarity. However, the midweight assembly does not represent a significant redesign, and since its loads and case reactions are between the two extremes demonstrated, verification by similarity was deemed appropriate. The midweight SRM utilizes an aft casting segment identical to that of a standard weight motor with lightweight center and standard weight forward casting segments of a lightweight SRM configuration. The resulting load changes were assessed, and it was determined that they were within previously demonstrated experience; therefore, specific testing was not required.
Vendor configuration control was presented, and a discussion was held on the approval of design deviations. It was felt by the Commission Panel that, for a project of this magnitude, the number of significant Class I changes was relatively small, and the minor changes which were incorporated were also reasonable in number. The changes that received the most discussion were the addition of the third stiffener ring, the inhibitor change on the HPM, the nozzle putty tack test, and the revision of the field joint putty layup. This last item was of particular interest as it had been found that propellant shrinkage had caused a larger gap between the sections of the insulation; therefore, the putty thickness had been increased. There was no additional testing performed, and this change was certified by analysis.
MTI employs an automated manufacture planning system which collects and correlates the necessary requirements from the established engineering and manufacturing criteria, build authorization, etc., and in turn produces the shop traveler (floor build paper). The process inspections plan is linked to the data base and is produced as a portion of the shop traveler. Appendix C, Section OP, defines the manufacturing planning and control system.
A.5.a. Critical Processes
Critical processes are formally identified and controlled by NASA. All processes are classified and controlled by the contractor's Process Change Control Board. It was noted that the number of process changes was low over the total program; i.e., 31 from flight set SRM-9 through flight set SRM-25. Reference Appendix C, pages OP7-OPI 1.
A.5.b. Quality Control
The D&P Team/Panel evaluated the MTI Quality Control system. Reference Appendix C, Section IP. The quality program requirements were established by NASA Headquarters (NHB 5300.4 (ID-2)) and via the contract and resulted in the SRM Quality Plan defining the specific requirements applicable to the production of SRM's. Sub-level policies and procedures further expanded and clarified the requirements for proper implementation. The contractor has a master inspection plan which was developed by considering requirements of the design drawings and specifications, characteristics classification, failure modes and effects analysis, and critical items. From the master inspection plan, specific inspection plans were derived for vendor productions, receiving inspection, in-house manufacturing, re-test, and special efforts (nonroutine).
The preparation and control of the inspection planning involves a disciplined approach beginning with the quality engineer who develops the plan through the various levels of review by the quality engineering office, the project engineer, and subsequent disposition by the project manager. Once approved, the data is "locked" in the automatic data base. Any required changes are processed in the same basic mode and receive the same degree of review and approval as the original planning.
For hardware and materials acceptance, MTI Quality Assurance is responsible for source inspections, receiving inspections, in-process inspections, tests, and documentation reviews. As appropriate, mandatory inspection points are identified for each of the aforementioned inspections. As the manufacturing effort is completed, the acceptability of the hardware is determined by quality control and reviewed and accepted by the Air Force Quality Assurance (AFQA).
Acceptance Data Packages (ADP) are required for the segments, exit cones, and safe and arm mechanisms. An ADP is also required for the integration hardware kits and deliverable GSE. The ADP contains the information and data specified via the contract and is formally accepted by the government via the AFQA signature on the 6D-250.
For nonconformance control in accordance with the requirements of NASA Headquarters documentation (NHB 5300.4 (ID-2)), Material Review Boards (MRB) were established with specific and limited disposition authority. The SRM project incorporated three levels of MRB's; i.e., regular, MTI Senior MRB, and MSFC Senior MRB. Each level has a defined area of responsibility and authority.
There were no significant Commission issues concerning the overall quality control process; however, concern was expressed in regards to the instance in which mandatory inspection points were erroneously deleted from the O-ring acceptance criteria. This error was not detected by either MTI or AFPRO quality control. This resulted when the inspection points were eliminated from the engineering drawings and left to reside only in the inspection plans. Concern was also expressed about the 6-ring supplier performing only a visual and dimensional inspection. A subsequent visit to the supplier, Hydrapak, resulted in the following findings.
- a. The O-ring splice tensile strength requirement is not verified by a witness sample.
- b. The supplier's process is not classified by MTI as a "critical process."
- c. The supplier does not verify the vendor's adhesive ingredients certification by tests.
A.6. Launch Support Services
MTI has staff located at KSC serving in the capacity of Launch Support Services (LSS). These personnel represent the MTI Program Office and Quality Assurance and provide liaison between the SRM design and production element responsible to MSFC and the assembly and checkout element, which is the Shuttle Processing Contractor (SPC) responsible to KSC. They conduct a series of support functions associated with receiving inspection of the motor segments and the case field joints preparation and mating. This staff participates in KSC review of anomalies and problem reports and recommends disposition, witnesses SPC repair operations, and reviews Assembly/Disassembly Operations and Maintenance Instructions (OMI) to assure compliance with MTI-provided operations and maintenance documents. The staff is responsible for certification to MSFC that the SRM's are assembled to baseline documentation. They provide liaison among the SPC, MSFC, and MTI post-flight hardware inspection team during disassembly and inspection and provide further liaison during shipment of fired hardware to assure proper identification, packing, and shipment. Further explanation of the Launch Support Services activity is depicted in Appendix C, Section LSS.
There were no significant concerns related to the MTI Launch Support Service activities as presently being performed.
A.7. FMEA/CIL Summary
The D&P Team/Panel reviewed the summary FMEA/CIL data (Appendix C, Section F/C) provided by MTI. This data addressed the various criticality levels and their associated definitions. FMEA/CIL's receive the review and approval of design, systems and project engineering, and program management. SRM FMEA/CIL is controlled by NASA. Summary Criticality I and I R information was presented for each subsystem; i.e., ignition, case, propellant, liner, insulation, nozzle, electrical and instrumentation, and thermal. MTI reported a total of 356 Criticality I and 78 Criticality IR items per flight. It was not clear as to how these total numbers compared to those identified in the [K15] Level II documentation, and an action was assigned to clarify this relationship. A briefing was presented by MSFC to explain that the level of detail and technique of counting critical items vary between the MTI SRNI analysis and the integrated SRB document. However, the 18 Criticality I and IR items identified in that document encompass those identified by MTI.
Appendix E, Hazards Analysis Report for Space Shuttle Solid Rocket Booster and Range Safety Command Destruct System, is enclosed for information. This report includes the SRM hazard analysis.
A.8. Responses to Questions From Presidential Commission Development and Production Panel
These are responses to specific previously asked questions. MTI made presentations (reference Appendix C, Section Q) in response to questions which had been asked prior to the Commission Panel visit to MTI on March 17-18, 1986. Because each of the questions concerned a particular interest, there was considerable discussion on each. Also, because of the importance of the questions, each is listed below along with a brief summary of the response. Often, additional actions were generated and those actions are also identified.
Question No. 1 - What has been the history of structural margins as design changes; i.e., lightweight ET, high performance SRB, wing, Orbiter attach fittings?
Answer - Summary historical data was presented showing the structural margins were and have remained above the 1.4 factor of safety as determined by a combination of analysis and testing including actual burst verification. The basic configuration of the HPM joint is identical to the standard SRM, and stress values were presented as the pin loads change with the HPM pressure increase. There was a significant difference of analytical results between MSFC and MTI as to the effect of pressure on the percentage of axial versus hoop strain at the joint. MTI felt the values were 70 axial/30 hoop, and MSFC was sure it was 15 axial 85 hoop. MTI is contracting with Lockheed to model the joint and conduct an analysis. This was yet another indication that the complexity of the joints under load has not been fully understood and indicates the importance of conducting the presently planned testing to understand the joints and their failure mechanisms prior to recommending any fix or redesign.
Question No. 2 - Describe the approach used to calculate design loads to include addressing load factors, yield strength/criteria. How do recorded flight loads correspond to design loads? Provide an explanation of "bi-axial stress" theory as it compares with/contrasts to more common methods.
Answer - MTI explained the flight loads provided by MSFC as being axial, two axis bending, transverse shear. torsion, and peaking. Pre-liftoff envelope loads curves for both the steel and Filament Wound Case (FWC) SRM's were presented with the values at the aft joint (station 1491.49) being of most interest. A loads summary table was provided which contained six stations for the conditions of SSME buildup, post SRB ignition, and post lift-off. Both axial and tangential interface peaking loads were also discussed in depth. The biaxial improvement for D6AC steel was explained, and a considerable discussion centered around static properties under combined stress. In summary, the Commission felt the 7.1% 3 sigma value for an ultimate tensile strength from 195 to 220 KSI was reasonable. This improvement data was obtained from MTI Minuteman, HARM, and SRM Programs.
Question No. 3 - Explain how a significant design change is proposed, executed, approved. verified, tested; i.e.. reduced SRB case thickness, to include action item lists from all design reviews.
Answer - A general presentation of the Class I change process was given, and, the example of the lightweight case design was explained including a listing of the PDR/CDR Review Item Discrepancies (RID). One of the RID's requested the determination of joint rotation and verification of no joint leakage over a pressure range of 0.0 psig to 1330 + 30/-0 psig. Although 11 hydratests were conducted on both the standard and lightweight versions which exhibited up to 0.042 inch of separation due to rotation, there were no axial loads in the test. The Commission again felt uneasy about the full understanding of the joint under flight conditions.
Question No. 4 - It has come to our attention that the SRB development and qualification testing may not have revealed the O-ring erosion problem that appeared on SRB's used in the flight program and that the putty used in the field joints may have been tamped after pressure testing of the O-ring seals and before development and qualification firing. It also has been stated that such tamping has not been done on SRB's used in the flight program. What are the facts surrounding this issue?
Answer - The question was answered in two parts: (a) the DM-I test and (b) the tests conducted on DM-2 through DM-5 and QM-1 through QM-4. The answer for DM-1 was that the horizontal case segment assembly in Utah is different from KSC vertical mating, that a putty deficiency was observed during an inspection after mating, and that putty was added with a tamping device to the putty deficient regions of the field joints. Following this activity on DM-1, the remainder of the motor tests were adjusted during assembly by increasing the putty quantity prior to mating and tamping any observed bubbles. Only minor amounts of putty were added and many field joints were not tamped. MTI stated that for the flight motors there was no inspection, no putty addition, and no tamping after mating.
Question No. 5 - A description of the leak test procedure for the SRM case field joint, nozzle/case joint, and igniter/case joint.
Answer - A brief description of the leak test was provided. It was pointed out that the leak test may create putty blow holes, but that putty masking a bad O-ring is a worse condition.
Question No. 6 - Why are there no-launch temperature criteria specifically established for the O-ring and putty?
Answer - The MTI answer was that there were no specific O-ring and putty temperature criteria in the Contract End Item Specification and that only the thermal criteria for propellant mean bulk temperature was applicable to SRM operation. It was restated here that MTI interpreted 31°F to 99°F natural environment as a pre-launch environment, not a flight operations requirement. It was once again clear that there was a non-Yielding position taken by MTI on their interpretation of these thermal requirements and that MSFC failed to notice this omission in the design certification reviews held.
Question No. 7 - Why was the decision to use putty in the field joint rather than an insulation-to-insulation quasi-seal as in Titan?
Answer - The difference is in the size of the Titan and SRM segments (72,000 pounds of propellant versus 302.000 pounds of propellant) and the predicted slump of the propellant grain during vertical assembly. It would have been very difficult to design an interference fit like Titan. It was stated that all MTI fabricated large booster motors (120-inch and 156-inch diameter) have used putty as a gap filler material. (The SRM has a 146-inch diameter.)
Question No. 8 - What thermal analyses of the putty/O-ring system have been made for the SRB, both before and after the 51-L analysis? Can we obtain copies of these analyses?
Answer - MTI explained that the following tests were performed: (a) 2-D analysis of the STS 51-C field joints for presentation at STS 51-E Flight Readiness Review (FRR) on February 8, 1985; (b) I-D analysis and presentation of January 27, 1986, on colder weather firings; (c) 2-D analysis of all flight and static test motors which was completed on February 24, 1986; and (d) an analysis of adiabatic compression of free volume between the putty and the primary O-rings, which was completed on March 10, 1986.
Question No. 9 - What analyses of blow holes in the putty have been carried out? What have been the results?
Answer - MTI stated they had not modeled the putty blow hole mechanism; however, an empirically based model has been developed which characterizes the O-ring pressurization and erosion resulting from a putty blow hole. The model has been [K16] validated, and recent runs show that O-ring damage varies directly with cavity size and cavity heat loss, and inversely with gas-jet size.
Question No. 10 - What data is recorded during the static test firing?
Answer - Charts summarizing both the frequency modulation and digital instrumentation were presented to the Commission.
Question No. 11 - Describe the nozzle burn through incident in more depth. What steps were taken to prevent repetition? (Nozzle primary O-ring burn through on Mission 51-B.)
Answer - A detailed briefing on the location and damage to the primary nozzle O-ring was presented. There was also erosion of the secondary O-ring: however, there was no blow-by past the secondary O-ring. The erosion scenario presented the case that by using a 100 psi leak check pressure. the putty masked an improperly seated nozzle primary O-ring. As the gas expanded circumferentially in the cavity between the O-rings, the erosion to the secondary O-ring stopped when the cavity pressure equaled the motor pressure, and thus there was no blow-by. The corrective action was to increase the leak check pressure to 200 psi which prevents putty masking a defective primary O-ring seal.
Question No. 12 - How does the SRB igniter work?
Answer - A detailed presentation of the SRB igniter ,was presented to the Commission. There were no follow-on actions assigned.
Question No. 13 - Is there a modeling program to calculate the SRB skin temperature How does it incorporate the effects of the cold ET?
Answer - Yes, there is a 2-D computer program used by MT1 which provides transient and peripheral propellant temperatures, but it does not include the effects of an adjacent cold ET. The program calculates a weighted mean propellant temperature, the propellant mean bulk temperature; however, the accuracy of the skin temperature has never been verified by direct surface temperature measurements. The parameters of the net heat input into the SRM case surface were explained, and the net heat input at the launch site is determined on an hourly basis. The input to the program is varied around the circumference of the motor to account for sections of the motor which are shielded from solar radiation. Results from this model show a 25 degree F case temperature for a "cold day".
Question No. 14 - We need to receive a detailed briefing on the new filament wound cases. It should include the following:
- a. The retention mechanism
- b. Analysis of rotation for the new cases
- c. Detailed drawings showing material used in joint, etc.
- d. A comparison of dimensional tolerances on the new and old casings.
Answer - A design overview was presented starting with a description of the assignments of the 22 full scale segments to be used for structural testing, static firing, motor qualification, etc. The FWC development program also includes 48 quarter scale analog units for materials analysis, dynamic tests, damage tolerance tests, reuse assessment, etc. Since the HPM forward dome, the HPM ET attach, and the HPM aft dome are all exactly as presently being used on the HPM, the interest in the FWC was centered on the membrane and the joint design. A dimensional comparison was provided, and the configuration differences were explained in detail. The predicted gap increase at the field joint seal due to joint rotation was of particular interest. At 1,004 psig, the analytically predicted gap change for the steel case at pressurization is 0.063 inch maximum. The steel case Structural Test Article (STA) and hydratests had maximum gap changes of 0.052 and 0.042 inch, respectively. For the FWC, the analytically predicted gap opening is 0.014 inch maximum with 1,004 psig pressurization. Full scale sections of the HPM and the FWC joints were provided for inspection. There was considerable discussion on the FWC joint configuration, the upcoming testing on the STA at MSFC, and the damage assessment units tests, particularly the amount and types of instrumentation to be used on the tests.
A.9. Plant Tour
During this 2-day period. a tour was conducted of the manufacturing operations.
A.10. Action Items
Appendix F lists the action items assigned during the SRM review.
B. SRB Analysis
The SRB design verification was reviewed on April 7, 1986, at the Marshall Space Flight Center by the D&P Team and Mr. J. Sutter of the Presidential Commission Panel.
The SRB configuration and system description are contained in Appendix B, Space Shuttle Solid Rocket Booster Fact Book.
Appendix G contains the SRB Design Verification presentation which included: (a) background information and general description of the USBI-provided hardware, (b) SRB requirement sources, (c) verification planning and schedule, and (d) design verification by individual subsystems. This data pertained primarily to the ascent phase.
The SRB review by the D&P Team/Panel, because of time restrictions, was limited primarily to verification and therefore deviated from the subjects and areas identified in Section V of this report.
B.1. Requirement Sources
Performance and design requirements for the SRB are defined in the Space Shuttle Program Level II documentation series JISC 07700. Volume X of this series is the Flight and Ground system Specification and contains the applicable systems level SRB technical requirements. These requirements are applicably allocated to the SRB and, in conjunction with the SRB unique technical requirements, are documented in the SRB End Item Specification 10 CEI-0001. These two primary source documents
Also include or reference documentation which defines SRB requirements. Included in this category are requirements for natural and induced environments, loads, materials, range safety, lightning protection, pyrotechnics, electromagnetic compatibility, interface requirements, and acceptance and checkout. These specific documents are listed on page 8 of Appendix G.
B.2. Verification Plan and Schedule
The SRB verification plan, SE-019-21-1, was issued June 1975 and established the verification logic for the SRB as an entity as well as at the subsystem and component levels. It established the approach for re-use hardware verification and delineated the Specific methods that were to be used to satisfy each of the end item specification requirements.
An overall schedule was presented which identified the Critical Design Reviews and Design Certification Reviews conducted by the program. Reference page 10 of Appendix G.
B.3. Subsystem Verification
The SRB is composed of the following subsystems:
- a. Electrical and Instrumentation (E&I)
- b. Thrust Vector Control (TVC)
- c. Structures
- d. Thermal Protection System (TPS)
- e. Separation
- f. Range Safety System (RSS)
A common approach, described herein, was presented to address the verification of each of the subsystems.
Pictorials and schematics were offered to define and explain the configuration and functions of the subsystems. The principal design requirements and verification methods were identified. Additionally, photographs were used to depict the various test facilities and associated details of the testing. The presentation included matrices which identified applicable subsystem [K17] components, requirements to be satisfied, and the methods of verification utilized; i.e., test, analysis, similarity, and envelope. The matrix further identified & status; e.g., a component was qualified for 20 missions.
The SRB verification was accomplished by a combination of development testing, major ground test, certification and acceptance testing, assembly checkout and pre-launch checkout, flight data and post flight inspection, and testing of retrieved hardware. (Reference Appendix G.)
B.4. Re-use Verification
Specific requirements were established for verification of the hard, ware subject to reuse. These requirements must be satisfied prior to the applicable hardware being returned to the inventory for subsequent flight. These requirements include such effort as removal, cleaning, flush and purge, visual inspections, disassembly, dimensional checks, x-ray and dye-penetrant inspections, and interface verification.
Certain components are returned to the vendor for rework and functional testing of out-of-tolerance parts, and soft goods and seals are replaced. Functional acceptance tests, electrical tests, and calibration checks are performed as well as special tests such as auxiliary propulsion system hot fire and load, testing of hydraulic actuators.
Also included were tabulations depicting reacceptance methods utilized for components of the STS 51-L subsystems.
The SRM portion of this report contained a discussion on the Commission Panel's concern on re-use of hardware. Although this was again discussed in relationship to the SRB, there was not as much concern about the non-SRM items of the SRB, but it was felt that refurbishment and inspection must continue to be controlled very closely. The criteria for inspecting for fatigue are of special importance and should be periodically reviewed.
B.5. Criticality 1 and 1R Summary
A summary was included for each subsystem which identified the criticality failure points. This information is contained on pages 34. 53, 73, 102 and 113 of Appendix G.
The SRB Hazard Analysis Report is contained in Appendix E.
B.6. Flight Systems Hazard Analysis
USBI-BPC Systems Safety Engineering participates in design reviews and reviews and approves all design changes before release. During these reviews, Safety Engineering determines if the design and/or hardware creates a new hazard not previously identified. Safety Engineering attempts to resolve the hazard within USBI-BPC engineering through design modification or by using a different approach. If the design cannot be altered to eliminate the hazard, it is documented via an Engineering Change Proposal (ECP) and submitted to MSFC for review and action. Within the ECP is a retention rationale identified by USBI-BPC engineering and the justification or supporting evidence as to why the hazard cannot be eliminated. The "open hazard", described in the ECP, is then acted upon by the Level III Review Board at MSFC. The approval by this board is based upon adequacy of retention rationale and the fact that the hazard cannot be eliminated or reduced.
The hazard analysis is initiated and documented by the System Safety. Engineering after careful analysis of each design change. Subsequently, all hazards are statused and tracked by the System Safety group. They provide coordination and review support during the approval processing. They are also responsible for the preparation and statusing of these hazards analyses at Flight Readiness Reviews and providing a current update for each flight,
B.7. Action Items
No Actions were assigned.
B.8. MSFC Systems Presentation
Presentations addressing the following subjects were provided to the Commission Panel while at MSFC:
- a. SRM Design, Development, Test, and Evaluation (DDT&E) Instrumentation Program
- b. SRM Case Reuse Analyses and Retests
- c. Loads Iteration, Verification, Anomalies, Safety Margin History
- d. FMEA/CIL Traceability
- e. Time-correlation-changes, Verification, Safety Margin History
- f. Impacts of Decision to Return to Original SRM Design
- g. Hydrapak Visit
- h. Response to Commission D&P Panel Questions
The presentation data is contained in Appendix H.
B.9. Responses to Questions from Presidential Commission Development and Production Panel
Various questions and comments previously submitted to MSFC from the Presidential Commission Development and Production Panel were addressed during this meeting.
Question No.1 - Access to information on alternate designs submitted by other bidders for the SRB's when the system was in the development stage. This item is sensitive because of company private data; however. any summaries which MSFC could release to us would be helpful.
Answer - A presentation by the SRM Project Office Manager was given which addressed each design proposed by MTI, Aerojet, Lockheed, and United Technologies Corporation, with emphasis on the respective joint design. The rationale for selection of MTI was also discussed. The details of the presentation will be provided to the Presidential Commission Panel.
Question No.2 - Are there procedures or guidelines for the presentation of "special circumstances" to high authority during the L-1 review?
Answer - Prior to the L-1 Day Review, the Flight Readiness Review process is structured to identify significant issues to upper management; i.e.. Center Director, Level II, and Level I At the L-1 Day Review, the procedures require review of all issues from the Level I Flight Readiness Review and disposition of any new significant issues and items that occurred after the Level I Flight Readiness Review. After the L-1 Day Review, the Mission Management Team process is used to surface any problems requiring Level II and Level I disposition.
Question No. 3 - Description of the procedures for establishing new Launch Commit Criteria (LCC).
Response - Flow charts were presented which defined the change process for launch commit criteria. The flow traced a change from initiation, both MSFC and non-MSFC initiated, through receipt by the responsible MSFC organization, evaluation by the appropriate project, technical and contractor organizations, review and disposition by the appropriate Level III Configuration Control Board, and final review and disposition by the Level 11 Program Requirements Control Board (PRCB).
Question No. 4 - Are launch commit criteria reviewed in a systematic way periodically? If so, what is the procedure?
Answer - The launch commit criteria does change systematically. There are no established periodic reviews of all launch commit criteria. MSFC has had four major reviews: (a) August 1980, MSFC Center review, prior to STS-1, (b) May 1981, MSFC Center review, prior to STS-2, (c) June 1983, MSFC Center review, prior to STS-7, and (d) July 1984, MSFC Center review, prior to STS-14. In addition, each project office is required to report launch commit criteria additions and/or deletions to the Shuttle Projects and Center Board Flight Readiness Reviews.
C. External Tank Analysis
The External Tank acquisition program review was conducted at Martin Marietta Michoud Aerospace, Michoud Assembly Facility (MAF), New Orleans, LA, on April 8 and 9, 1986. Messrs. Sutter and Rummel and Dr. Walker of the Presidential Commission Panel were in attendance.
Formal presentations were provided by senior representatives of the company. These presentations are contained in Appendix 1. The presentations addressed the following areas: (a) ET configuration, (b) requirements, (c) verification, (d) manufacturing, [K18] (c) transportation and handling, (0 quality assurance, (g) configuration control, and (h) launch operations. During the early portion of the meeting, a plant tour was provided in which major operations of the manufacturing process and hardware testing were demonstrated for the visitors' familiarization.
During the introduction, it was noted that as a result of NASA direction, the ET weight was to be reduced from the standard weight tank (SWT) configuration by 6,000 pounds. The resulting lightweight tank (LWT) configuration was 7,300 pounds lighter than the SWT. Most attention was given in the presentations to the implementation of the LWT requirements.
The configuration and technical description of the ET is contained in Appendix J.
C.1. Design Requirements and Control
The contractor presented the requirements for both the standard weight tank, which was flown on the six DDT&E flights, and the production lightweight tank. After presenting the requirements, the control mechanisms to assure proper application of the criteria were displayed.
C.1.a. Project Requirements (Level II)
The contractor very briefly presented the configuration of the External Tank describing the major elements of oxygen tank, intertank, hydrogen tank, and interface hardware. The primary systems, including propulsion and electrical, were discussed and major subcomponents described. Finally, the flight-critical thermal protection system was explained with some description of materials used for thermal protection.
The Level II requirements highlighted included the Space Shuttle Specifications. Volume X, and its corollary appendices, along with the seven Level II Interface Control Documents (ICD) applicable to the External Tank. NASA Handbook 5300.4, "Safety, Reliability, and Quality Assurance Provisions," and the numerous data books which represent environmental requirements including loads, aerodynamics and plume heating, thermal and shock, vibrations, and acoustics. The extensive nature of the Level II requirements was demonstrated by example of the EMI and EMC requirements including MIL STD's 461/2/3. MIL-E-6051, and JSC-5L-# 001 and 0002 documents. Special emphasis was placed on the requirements for structural design in preparation for discussion of margins which will be covered below in response to the Commission's pre-review questions.
Some of the major Level II requirements, including the Volume II specifications, are not imposed directly on contract of the External Tank. There is a reference for Volume X in matrix form within the ET End Item Specification (EIS). Each paragraph of Volume X is called out by reference to a paragraph of the EIS, where applicable; however, the requirement is that which is written in the EIS where there is a difference from Level II requirements.
The discussion also covered the NASA Handbook 5300.4,-Safety, Reliability, and Quality Assurance. A brief description of how that document was related to all of the implementing Level III and IV documents was discussed.
The contractor included other requirements discussions from Level II documentation including lightning, instrumentation accuracy, interface performance, weight, fluid requirements and fluid measurements, ET tumbling, compartment purging and gas detection, and operating conditions.
C.1.b. Project Requirements (Level III)
The contractor highlighted many of the significant criteria established in the Level III External Tank End Item Specification which includes the type of wiring, fluid lines, fluid filter screens, cleanliness, and factors of safety for structural design. Detailed discussion centered on the development of state-of-the-art Level III criteria for imposing fracture mechanics on the External Tank program in the early 1970's and how those criteria are represented in the requirements. These are critical requirements that specify not only the methods of the process but the designation of allowable imperfections plus the manner of detection of such imperfections.
The variances between standard weight tank and lightweight tank requirements were presented for all of the Orbiter and SRB interface loads, component vibration, protuberance airloads, compartment vending, aero and plume heating, and the design factors of safety.
Considerable attention was paid to the design factors of safety in preparation for the discussion of the margins. Recognition was noted that the yield requirements for the standard weight tank were designed to relieve pressure, whereas the lightweight tank was designed for operating pressure. The ultimate strength which represented the critical failure cases in both instances remained at the upper limit of the operating band. The primary change, therefore, in the structural requirement was the reduction of the design factor of safety from 1.40 to 1.25 for well-defined loads only. Well-defined loads are limited to those loads associated with controlled pressure, thrust, and inertia loads based on experience of DDT&E flights. Furthermore, the standard weight tank structural test article was modified as necessary to reflect configuration changes to the lightweight tank, and in those cases, partial retesting was accomplished. Similarly, the loads prediction was validated by flight data: therefore, the uncertainties associated with factor of safety were far reduced from those of the initial program through analysis techniques, fabrication methods, and the load predictions. All margins and safety factor compilations were based on standard analysis and do not include improvement based on bi-axial stress theories.
C.1.c. Requirements Implementation and Control System
The requirements implementation and control system discussion was centered on the interface with the contractor and NASA and the resulting documentary interfaces. The presentation highlighted the contractor's use of a detailed design criteria document until initial release of all hardware at the beginning of the program. Subsequent control is the traditional drawing change method. Engineering criteria were discussed in terms of the drawings, standard processes/ materials (STP/STM), and other controlling documents. Some require approval by NASA (Level III) including a Fracture Control Plan and Materials Control Plan.
The system of imposing control and changes through the Level II/III board structure and within the contractor board was described, beginning with the change authorization committee and then describing the set of computer data systems which track the process from the contractual requirements through the design changes and resulting engineering parts list. The tracking continues with the production parts list, the bill of materials, issued hardware, and finally an independent input by the assembly crew. These worker inputs are automatically back-checked through the data system to assure that the as-built hardware satisfied all of the preceding requirements.
The contractor concluded that the system of controlling requirements is generally excellent. A single shortcoming exists, from the contractor's point of view, in failure to directly apply Level II criteria, such as Space Shuttle specification, upon the contractor through the end item specification. The concern was described by the example of the debris criteria for the External Tank which, in the contractor's point of view, would be unacceptable as-specified criteria. A change to these criteria was established in the midst of an intertank thermal protection system problem merely by statement of the Orbiter element contractor that the intention of the criteria was a definitive size of SOFI debris coming off of the ET which was different than the contractor's previous understanding of the implied but unstated criteria. The contractor pointed out that, by imposing contractually the direct statement from the Level II, it would be necessary for all parties to carefully and clearly understand and clarify the exact meaning and intent of each requirement rather than to merely reflect within the element contract an independent statement of requirement tied only by the matrix.
[K19] C.2. Design Review and Certification System
The presentation material highlighted the entire review processes. The discussion began with the Program Requirements Review (PRR) then carried through PDR, CDR, Acceptance-Review (AR), Design Certification Review (DCR), and FRR processes in relation to standard weight and lightweight tank applications of this process. It was noted that the process is repeated for major changes such as LWT.
C.2.a. Levels of Review
The end-to-end flight readiness review process was discussed for all the review agenda items including flight anomalies, first time events, Class I and II changes, senior MRB actions, acceptance and qualification anomalies, CIL and hazards, first time waiver, SR&QA, and readiness assessment. It was indicated that each tank for each flight goes through a chain of reviews beginning with the Martin Marietta Michoud Aerospace, then Martin Marietta Corporate Review, MSFC Project FRR. Shuttle Project FRR, MSFC Center Board FRR, Level II and Level I FRR's. the L-I Day Review, and culminating in launch-clay issue reviews.
C.2.b. Review Controls
Controls were established for the format and function of all of the formal review processes. Furthermore, the discussions highlighted the controls imposed throughout the countdown process: controls which allow both the contractor and Level III project to input concerns, limitations, or changes through the launch commit criteria mechanism. Discussion covered the waiver/exception processing associated with the LCC. As an example of a waiver and the methods for imposing and dispositioning, a waiver was cited for the case of STS 51-L. Due to low ambient temperature and the lower specified limit for nose compartment temperature violation, a waiver was prepared and executed. Discussion addressed the rationale for the waiver to a requirement which is generic and exists as a result of icing limitations and the contractually specified (vendor) lower limit for instrumentation calibration. The concerns were alleviated by visual inspection for ice, and special testing for the instruments and the waiver was thus granted.
The review process is thorough including the process up to the point of launch; and the contractor stated that there has never been any doubt that launch could be delayed or aborted at any point in the countdown through contractor personnel in the Launch Control Center. There is a direct line of communication in the same control center to the MSFC Program Manager who is in communication with Firing Room 1.
The contractor responded to the question by the Commission Panel concerning whether a case had ever occurred that the process continued although the process was against the contractor's recommendations or wishes. The response was that no such case had ever occurred; that one case of the intertank debonding had resulted in very serious and significant discussions of the need to modify the tank before the next flight, and the contractor was satisfied that the appropriate action was taken before the issue was resolved. It is the contractor's practice to coordinate with MSFC technical people before recommendations.
C.3. Verification Requirements Planned Documentation and Control
The contractor traced the acceptance of each External Tank through the recurring process before departure from the factory. Numerous tests and checks are described; most important being proof-leak and component test, then entire tank proof, and numerous subassembly in-process tests. Then, the critical thermal protection system in-process test and ET final acceptance are accomplished. After that, acceptance review checkout continues at the launch site and on to stacking and launch preparations. The requirements are described through: the Shuttle Master Verification Plan, the ET Specification, the External Tank Tank Verification Plan (TM01), the OMRSD File IV, and finally the OMRSD File II launch commit criteria.
C.3.a. Requirements
The requirements specified for acceptance of the External Tank as reflected above are documented in detail in the contractor's test requirement checkout document TM04. This specifies such things as component test for electrical/propulsion hardware and LO2, tank proof and leaks. Similarly, LH2, tank proof and leak, TPS application, and final acceptance are included. Discussions centered on the acceptance of hardware at the vendor and subsequent functional and in-line test during assembly. A typical description was given for the acceptance of the LH2, feedlines demonstrating their proof load and proof pressure, spring rate, vacuum annulus leakage, and inspection. Pressure requirements were demonstrated graphically for the hydrostatic testing of the LO2, tank and prieumostatic tests of the LH2 tank which, in addition, impose flight loads in such a manner that most of the structure is adequately proofed for combined pressure and interface loads. It was described that that which is not so proofed, is postproof x-rayed and treated in such a manner as to give assurances of no leaks and no failures in flight.
Welding verification receiving special attention was a description of the penetrant inspection on both sides of each of the 36,000 inches of weld plus pre-proof x-ray inspection. At that point, the contractor noted that among the lessons learned was a decision to expand on the independence of the two x-ray reviews to assure higher likelihood of independence and measurement of the performance of the inspectors. Each LH2 weld is bubble tested which assures the detection of leaks as small as 1 x 10-3 scc per second after the proof test. The LO2 tank is checked for leakage by the use of special electrical tape.
Because of the criticality of the TPS system, its acceptance was covered in detail. The process was described, and samples of the resulting process material were presented to the Commission Panel. The systems verification in the final acceptance test was also described
C.3.b. Documentation
The documentation which controls the acceptance process was described and is addressed later in the production segment. Documentation of the final condition, after ET assembly, is defined in complete detail in that 70% of the hardware is serialized, and all major subassemblies and assemblies fall in that category. The build logs which represent all of the actual floor paper are retained for each such item of hardware and contain both production and quality stamps associated with each processing step. In addition, the as-built hardware reporting system, which is the computerized collection system, reflects the installation by serial number on vehicle effectivities. All of the documentation is collected and retained under the control of the Product Assurance Department.
C.3.c. Product Assurance Controls
A detailed discussion was provided on quality assurance including the overall quality and safety program, then the in-house controls, operational readiness inspection, the nonconformance sy