Launch failures: new discoveries
by Wayne Eleazer
|For around 20 years, since at least 1987, we had merely been discovering new ways to repeat old failure causes.|
The database only began at 1975, since we wanted to use it not just for historical information but rather to support engineering risk evaluations for launch vehicles in the 21st century. Presumably people would have learned something about designing and operating space boosters over the last 60 years or so and there would be a base of knowledge for the industry to draw on.
The most recently exhibited “new” failure cause known as of ten years ago probably dated from 1987, when triggered lightning downed an Atlas Centaur booster. Even that failure was something of an echo of the experience of Apollo 12 in 1969, although in that case the lightning did not cause an actual failure. So, for around 20 years, since at least 1987, we had merely been discovering new ways to repeat old failure causes.
In any case, failure causes like the Atlas lightning strike were grouped into larger, more general, failure modes. For the Atlas shot down by the thunderstorm, the very large amplitude “digital” signal had reprogrammed a single word in the guidance computer program, so the case fit within the “Guidance/Navigation” failure mode, the same as the actual failure of a guidance computer or inertial navigation system would have.
Of course, this was not always the case. In the early days failures were more common than successes, and each case often offered a rich new lesson. At Caltech in the early 1940s, they were mystified why their solid rocket motors would tend to work only up to one day after they were poured, but not after two or more days. The problem was that propellant plasticizer evaporated, causing the propellant to become brittle and break up at ignition, greatly increasing the burn area and overstressing the motor case. The temporary answer was to cast the motors in the wee hours of the morning and then run them out to March Army Air Field where they were strapped to an Ercoupe light aircraft and used to test the JATO concept. That approach did not completely stop the motors from exploding but it cut down those misadventures to a tolerable level—and gave the Army Air Corps test pilot some confidence that he would be able to complete the test program.
During the X-1 rocket plane program in the late 1940s, they found that a gasket material called “Ulmer Leather” was not compatible with liquid oxygen (LOX); the discovery was an explosive one. It’s not surprising today to think that organic compounds don’t get along well with LOX, but that was a new discovery back then.
But it was not until around 1980 that the US space launch industry discovered that that some materials used in contact with liquid oxygen for decades were not exactly compatible. Bolts long used to patch dents in Thor and Delta LOX tanks were found to be not exactly optimum for cryogenic temperatures; the last Thor launched, in 1980, had one such bolt installed. The solder employed in Atlas E/F propellant utilization system sensors and to attach Thor propellant tank screens also was found not to be compatible with LOX. Any kind of energy input, mechanical or electrical, could conceivably cause an explosion if the solder was immersed in LOX at the time. But, in both the bolt and the solder cases, the answer was to accept the risk for the time being; it would have been too costly to take corrective action and the schedule impact would have been unacceptable.
|Despite the way things looked ten years ago, since then we have had some genuine new failure causes come to light, and even one new failure mode.|
It apparently is not recorded just when or where someone discovered that having the oxidizer in a turbopump leak into the gearcase and meet up with the lubricant was a very bad thing. The Germans probably made this discovery in the 1930s; the answer was to provide a purge in the turbopump bearing area to flow any leakage overboard. Then later someone discovered that, if you used helium for the purge but it was not heated properly, any water present would freeze and block the purge. In retrospect, this all seems obvious but no doubt only became so after some violent and unexpected dismantling of hardware.
A fuel leak from the turbopump into the gearcase sounds like a far less serious condition, since kerosene and lube oil generally get along pretty well. And then came the Atlas 19F NOAA-B launch of 1980, where the fuel leaked into the gearcase in such a quantity that it reduced performance by about 20 percent, combining with other factors to produce a mission failure (See “Launch failures: engine out”, The Space Review, December 31, 2012). There were people who said they knew that could happen based on test stand experiences, but they just had not bothered to mention it to anyone.
It’s also not known when was the first time it was discovered that if you let a rocket engine just sputter away until it runs out of fuel that situation may result in an oxidizer-rich condition in the final seconds, causing a sudden increase in performance, just before the engine explodes and takes out the whole vehicle. That failure is even less obvious than the oxidizer leak into the gearcase, but it also tends to stick in your memory if it occurs.
However, despite the way things looked ten years ago, since then we have had some genuine new failure causes come to light, and even one new failure mode.
During an Atlas V mission on June 15, 2007, the second stage ran out of fuel before attaining the required velocity. The cause was determined to be that an unusually long burn of the RL10 engine caused the propellant value to leak and bleed off the hydrogen fuel into space. No one knew that the valve could leak as a result of such a long burn and tests had been done of the valve, using nitrogen, which was safer but not sufficiently similar to hydrogen to identify the problem. We determined the failure mode for the database to be “Liquid Engine Loss of Thrust,” the most common failure mode of all, and one that covers a myriad of failure causes, including simply running out of propellant due to a bad calculation, a loading error, or a non-catastrophic engine failure. So the failure cause was something new, although it fit within an existing identified failure mode.
|They did not carefully measure the amount of propellants being pumped into the stage but instead just filled it up, leading to a stage that was much heavier than it should have been for that mission.|
On June 28, 2015, a SpaceX Falcon 9 failed during ascent. The cause was structural failure of the second stage, which in turn was caused by structural failure of a high pressure vessel that was initiated by structural failure of a mounting strut. What was different about this failure is that all other structural failures back to at least 1975 were associated with fairings, such as a fairing collapse during ascent. So, the general failure mode was not wholly new although the specific cause of the structural failure was, in terms of the last 40 years of experience.
However, the Russians win the honor of not just creating a new failure cause, but one so unique that it even required a new failure mode category to be defined.
On December 6, 2010, a new version of the Proton booster lifted off from Baikonur; the rocket was an 8K82M DM-03. The new DM-03 version of the upper stage incorporated additional propellant tankage designed to allow longer burns. All the booster’s systems apparently worked properly, but the vehicle failed to attain orbit.
The reason for the Proton failure was that the larger DM-03 tanks had been filled with propellants as if was the smaller version. In other words, they did not carefully measure the amount of propellants being pumped into the stage but instead just filled it up, leading to a stage that was much heavier than it should have been for that mission. Even that probably would have been okay if the trajectory had been shaped to make use of the additional propellant properly. If the Proton had flown a lofted trajectory, such as typically is done with the Atlas V and Delta IV boosters, then with aerodynamic drag and gravity losses reduced at the higher altitude the DM-03 could have done a longer burn up where it would have done some good. But the trajectory was not shaped to match the available upper stage propellant and thus, while everything ran just fine, the payload did not attain orbit.
This is an unusual failure mode, to say the least. The problem was that the guidance program did not match the vehicle configuration, but it was not an error in the program. This produced a need for the definition of a new failure mode, “Incorrect Mass Properties,” and it is the first of its kind, although there was a Japanese M-5 booster failure that might fit that failure mode as well.
The SpaceX catastrophic failure during a tanking test on September 1, 2016, technically does not fit the definition of a launch failure in terms of Federal Aviation Administration standards because it did not occur during an actual launch operation. Nonetheless, it is of interest. It clearly is another case of structural failure, but what is especially interesting about it is the cause. SpaceX reports that the carbon fiber of the helium pressure vessel combined with the liquid oxygen in which it was immersed to produce “solid oxygen” plus flammable carbon, an explosive combination. It appears that, just like the solder problem discovered decades ago, liquid oxygen and carbon can be set off by a variety of initiating sources. It remains to be seen just what that initiating source was, and given the circumstances it may well never be discovered with any certainty.
The SpaceX failure points out a universal problem with composite pressure vessels, especially those that use carbon fiber, regardless of the application. Immersing a helium pressure vessel in cryogenic liquid to enable more gas to be pumped into it has been done for decades. The old Atlas E/F boosters used that technique, although the helium tank was outside the LOX tank and had a jacket around it that was filled with liquid nitrogen before launch. Immersing the pressure vessel in LOX was an innovative idea but it was also one that proved to have unexpected and disastrous consequences.
|If we did a better job of sharing information about failures, even those not previously associated with aerospace applications, we might be able to face the unknown with a bit more confidence.|
But composite pressure vessels, regardless of application, still have some unknowns associated with them. The Kennedy Space Center suffered a composite pressure vessel failure in one of the labs a few years ago and commissioned a study into just what kind of failures can be expected for such vessels. The theoretical lifetime of composite pressure vessels is in the hundreds if not thousands of years, but how long can they be really expected to last in a real-world environment? This was not a unique question and others had tried to answer it, but with little success. The US Army spent over $1 million investigating the issue and the results essentially were worthless due to errors made in the study.
Private industry, for the most part, flatly refused to participate in the KSC study for fear it would reflect unfavorably on their products. The industry had also refused to participate in a similar study commissioned by the Defense Technical Information Center a few years before. Some smaller firms agreed to provide failure data for the KSC study—except they said they did not have any.
One of the findings of the study was that composite pressure vessels are quite robust, except when it comes to certain environmental conditions. Carbon fiber is especially susceptible to contact with corrosive substances or damage from impacts, and fails to give obvious warning of an impeding failure, either in terms of visual indications or by a graceful degradation. One way of handing this problem is to overwrap the carbon fiber tank with glass fiber, which is not as strong as the carbon but is more resistant to corrosive substances; not all carbon fiber pressure vessel manufacturers have adopted this practice.
The manner in which we share failure data has had its flaws from the beginning, with data kept as close-hold information and with government organizations ignoring their own data as well as that of others, but now the situation is even worse. Companies refuse to provide data that would be pejorative to their products. While we now have much better access to foreign failure data—the Proton user’s handbook actually provides a list of failures and corrective actions—neither the Air Force nor NASA possesses the degree of oversight capability they once had. On the purely commercial front, the FAA and NTSB do not provide the same kind of mishap information for space launch mishaps that they do for aircraft.
We are once more in an era of true innovation and new development of launch vehicles and, as a consequence, are once again finding new ways to cause them to fail. It is really a case of unknown unknowns. But if we did a better job of sharing information about failures, even those not previously associated with aerospace applications, we might be able to face the unknown with a bit more confidence.