|
Items in cart [0] |
Questions? Call 888-624-8373 |
| Copyright © 2009. National Academy of Sciences. All rights reserved. Terms of Use and Privacy Statement |
Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter.
Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.
OCR for page 59
NATIONAL RESEARCH COUNCIL
COMMISSION ON ENGINEERING AND TECHNICAL SYSTEMS
2101 Constitution Avenue Washington, D. C. 20418
-- COMMI1lEE ON NASA SCIENTIFIC
AND TECHNOLOGICAL PROGRAM REVIEWS
Panel on Redesign of Space Shuttle
Solid Rocket Booster
December 21, 1988
The Honorable James C. Fletcher
Administrator
National Aeronautics and Space Administration
400 Maryland Avenue, S.W., Room 7137
Washington, DC 20546
Dear Jim:
I am pleased to submit herewith the final report of the
National Research Counci1's Panel for the Technical Evaluation
of NASA's Redesign of the Space Shuttle Solid Rocket Booster.
Since our last report, two missions of the National Space
Transportation System have been completed, STS-26 and STS-27,
employing the redesigned solid propellant rockets. The Panel
has received a briefing from NASA and Morton Thiokol personnel
on the results of post-flight inspections of the STS-26 boost-
ers that were performed at Cape Canaveral Air Force Station
and one member inspected the spent hardware while it was in
Florida.
This report contains our evaluation of the redesigned
boosters in STS-26 as well as our observations regarding the
lessons to be learned from the experience of the redesign
program.
The Flight of Discovery, STS-26
Initial inspections performed on the recovered hardware
and preliminary analysis of data from flight instruments
suggest that the redesigned solid rocket boosters performed as
anticipated. Several probe ems did arise, however, that
require NASA's attention:
(1) Small pieces of cork, which is used to cover
external diagnostic instruments and their electrical leads,
were lost during flight. One piece is thought to have damaged
thermal tiles on the Orbiter. Deficiencies in the configura-
tion and process of bonding the cork to the vehicle at Kennedy
Space Center have been identified and modifications are being
devised and adopted.
59
The National Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering
to serve government and other organizations
OCR for page 60
Letter to the Honorable James C. Fletcher
i,,
—2—
(2) Sooting has been reported within several internal
joints in both nozzles. The causes and implications of this
anomaly are not yet known. The problem was discovered after
our last formal meeting and we do not have sufficient current
information on it to comment on its seriousness. To develop
an appropriate understanding of the phenomenon, NASA should
review the results of static tests and carefully document its
occurrence in future flights.
(3) A considerable number of pits' galls, scratches,
and gouges were found on the surfaces of the interference fit
in the case field joints of both the left and right boosters.
Defects of this type had not been reported on the full-scale
hardware used in ground tests, either short-duration simula-
tions or full-duration static motor firings. Evaluation of
these anomalies is being conducted at the refurbishment
facility in Utah. Their occurrence could have important
consequences for program costs, since removing them could
change the dimensions of the hardware enough to make it more
difficult to find mating parts that provide the desired
interference fit.
Remaining Tasks in the Recovery Program
While STS-26 was a successful mission, work remains to be
accomplished before we would consider the redesign program to
be complete. We listed a number of the remaining tasks in our
last report. Here we highlight the following:
(1) Redesign the aft skirt to meet the system
requirement for design ultimate strength.
(2) Reconfigure the cowl vent holes in the nozzle to
prevent the occurrence of differential pressure across the
flexible boot.
(3) Determine the reuse potential of motor case
segments. In addition to a hydroburst test after 20 cycles of
pressurization, this task may require testing flown hardware
in short-duration, full-scale test apparatus such as the Joint
Environment Simulator since only flown hardware experiences
the effects of re-entry, splashdown, and recovery.
(4) Modify the configuration of the pressure proof
test to ensure that the case field joints experience more
realistic stresses. In the current configuration, one case
segment is capped by two rigid domes; consequently the ends of
the segment do not experience stresses representative of the
flight condition. The redesigned joint is more complex than
the original design; since the joint experiences the highest
stresses, it is imperative that the proof test subject the
joint to the most realistic stresses. This goal may best be
achieved by proof testing a case of two segments with a full
field joint in the middle and factory joints mated to the
domes.
60
OCR for page 61
Letter to the Honorable James C. Fletcher
—3—
(5) Continue pursuing improvements in materials and
methods of bonding, notably of insulation to the case, of the
polysulfide in the case-to-nozzle joints, and of the Iamina-
tions of the flexible bearing, as well as methods of testing
them nondestructively.
(6) Improve the accuracy and reliability of case
measurements to assure the desired interference fit in the
case field joint.
(7) Seek or develop alternative O-ring materials and
processes and compatible corrosion-inhibiting greases that
will operate satisfactorily without heaters. Any resulting
changes in the design would have to be qualified before being
introduced into flight hardware.
(8) Qualify the redesigned motor at the low end of
its intended range of operating temperatures, as planned in
the QM-8 static test.
(9) Continue to collect flight data in order to
assess critically the performance of components of the
redesigned booster. In addition to assessment of flight
instrumentation data, these evaluations should include careful
inspection of used hardware and a systemmatic assessment and
documentation of the performance of seals, insulation,
ablative materials, and metal components. The procedures
should take account of the fact that in the case field joint
and case-to-nozzle joint, upstream gas barriers will normally
prevent combustion gases from reaching the primary seals,
making it difficult to detect a degradation in the seals,
materials, or surface finishes unless an upstream barrier
fails. An important objective is to continue to improve the
statistical validity of the data base.
Lessons Learned
The recovery from the Challenger accident evolved as a
comprehensive redesign, testing, and qualification program.
The Panel concluded that the program was well conceived and
executed. Indeed, we believe that a number of important
lessons have been learned from this experience that could well
be applied to future NASA programs. In our view, the most
important of these are the following:
Use of an Inherently Tolerant Design. In light of the
complexity of the preparations for fl ight and the need to
prepare components and vehicles under conditions that may be
less than ideal, designs should be favored that are relatively
insens itive to the level of skill and art required in
manufacturing, assemble y, or checkout e The design should be
tolerant of small errors.
61
OCR for page 62
Letter to the Honorable James C. Fletcher
_ 4 _
The redes ign of the Shuttle booster was constrained by
budget, schedule, hardware inventory, a desire to rely on the
large existing data base to the extent possible, and compati-
bi~ ity with existing fact] ities and hardware with the result
that it may be more sensitive to manufacturing, assembly, and
checkout procedures than might otherwise be des irable . The
resulting procedures are therefore costly and time-consuming.
In the advanced booster design program, it may be cost-
e f f ect ive to devote cons iderab le attention to achieving a
des ign that i s more to l erant o f change s in var lab l e s that are
difficult to control in materials, manufacturing, and
assembly.
Understanding How the Design Works. In testing large and com-
plex hardware systems such as the solid rocket booster, the
major emphasis seems to be, first, on performance, next on
overall reliability, and, last, on understanding how the sub-
systems and components actually work. From a programmatic
perspective, understanding how a design works at the component
level frequently carries a lower priority than just demon-
strating overall system performance. Often, only when major
components fail does the focus shift to developing a firm
understanding of how the components actually perform over the
full range of operating environments.
In response to the Challenger accident, the solid rocket
booster recovery program initially focussed on determining how
the originals y designed parts had failed, understanding their
operation, and establishing the margins of safety of the
redes igned components . The unusually detailed analyses and
tests run during the SRB redesign program frequently yielded
surprises traceable to incomplete understanding of novel
designs and the novel use of conventional designs. The growth
in understanding was a maj or factor in the design improvement.
One of the important ~ es sons ~ earned from the
post-Chal~ enger experience is that heavy emphasis should be
placed at the beginning of a new program in developing a
detailed understanding of how subsystems perform in the total
range of operating environments and in determining the margin
of safety over maximum expected operating conditions of the
component designs. In the current booster program, continued
growth in understanding may help to reduce the large number of
critical items that burden the "operational" program, thereby
reducing operating costs and allowing full attention to what
are truly the most critical items.
A Full Snectrum of Tests. Because of the inherent nature of
solid propellant rockets, a statistically meaningful number of
62
OCR for page 63
Letter to the Honorable James C. F1 etcher
—5—
fu11-scale, full-duration, solid rocket motor tests simply
cannot practically be accomplished prior to flight within any
reasonable schedule and budget. NASA's strategy for devel-
oping confidence in the redesign was to employ a hierarchy of
component and motor testing aimed at demonstrating nominal
performance and establishing margins, product control, reli-
ability, operational limits, and service life. The test
program for the original Shuttle booster was less extensive
than for many ballistic missile programs. For man-rated
systems, test programs must be particularly thorough.
The redesign program has set a more rigorous standard for
testing of material, component, and system function by includ-
ing an extensive program of analysis; laboratory testing;
substage motor tests; full-scaJe, short-duration motor tests;
and, ultimately, five fulI-scale, full-duration tests of com-
plete motor assemblies. Emphasis was placed on gaining real
understanding of how the system performed through a large
number of laboratory and subscale tests coupled with analyti-
cal models, and then scaling to well instrumented full-scale,
hot fire tests. In addition, several fu11-scale test articles
were prepared to test the structural and assembly aspects of
the new designs. In this way, signi f icant conf idence in the
new designs could be achieved without many full-scale, full-
duration tests. Furthermore, a subscale motor could be tested
f or a f ew tens o f thousands o f do ~ ~ ars whil e the costs of a
full-sca~ e, ful]L-duration static test is likely to be in the
millions to tens of millions of dollars . In the case of the
rede s igned j oints , many subscale motors were tested with a
number of design variants and with suf f icient tests to begin
to get some statisticaI conf idence in the des ign , at least at
the subsca~e level.
The results of those tests were often surprising, en-
lightening or disappointing, all of which show why the tests
were needed. It is important that future programs recognize
the need for a full spectrum of tests, and that NASA assure
the capability to run them. Tt is also important that this
philosophy of testing be continued in the current program
until the operational limits, service life, and component
reusability have been adequately determined. We believe that
this basic testing strategy is a good one for development
efforts of this type and may be successfully used in other
NASA programs.
Early in the testing program, three Joint Environment Sim-
ulator (JES) tests of the Challenger field joint configuration
added greatly to the understanding of the probable contrib-
uting causes of the Challenger accident and, in fact, appeared
to duplicate closely the operation of the joint under the
conditions of the failure. The experiments, each conducted at
63
OCR for page 64
Letter to the Honorable James C. Fletcher
—6—
25°F, were designed to study the importance for the sealing
function of the manner in which combustion gases reach the
O-rings. The results demonstrated that the worst situation
arises when the gases are confined to a narrow jet that
impinges on a seal. A jetting flow could occur in the
original field joint design through blowholes that tended to
form in the putty that was used to fill the space between
mating segments. In one test, in which a blowhole was
deliberately inserted in the putty, the performance of the
joint appeared to be similar to that observed in the initial
stages of the Challenger launch: blow-by of both the primary
and secondary O-rings occurred, with black smoke visible on
the outside of the joint at the point of the blowhole in the
putty. These three JES tests and supporting dynamic labora-
tory measurements provided the basis for an assertion that
there were three main problems with the Challenger joint that,
together, resulted in the failure: a leak path through the
putty causing a jet of combustion gas to impinge on a small
area of the O-rings and rapidly erode them, a fast opening of
a significant gap between the tang and clevis sealing surfaces
during the ignition transient, and the inability of the
O-rings to track the gap opening at the low temperature
experienced at launch.
Two other simulators, the Nozzle Joint Environment
Simulator and the Transient Pressure Test Article, were
developed during the course of the program which, along with
the JES, proved extremely valuable for improving understanding
of the operation of specific redesigned components. The Panel
believes that these test devices were of critical importance
in the design verification program and that some of these test
setups should be retained in an operational condition. In
particular, we recommend that simulators be used in the future
to verify the reuse potential of flown hardware, to demon-
strate that the primary and secondary seals remain operational
after Jong-term aging, and for verification testing of any
future block changes in the redesigned booster. These types
of test systems could also be of great value in the develop-
ment and verification testing of future generations of solid
rocket boosters.
Criteria for Success and Pretest Predictions. To assure the
effectiveness of a testing program and to validate the tech-
nical understanding of a design, the Panel believes that both
a statement of criteria for a successful test and a detailed
analysis and prediction of how the hardware is expected to
perform should routinely be prepared in advance of every major
test. In the case of the booster development and verification
64
OCR for page 65
Letter to the Honorable James C. Fletcher
—7—
program, we found that the team was conscientious in estab-
lishing specific pretest criteria for success and predictions
of results. We believe that this discipline was an important
factor in the program's success to date, that the discipline
can be sharpened further, and that it should be applied dili-
gent~y in future NASA programs.
Testing the Performance of Seals. The Pane J is also a strong
advocate of emphasizing testing that demonstrates the perform-
ance of design components at all levels under conditions more
severe than would be encountered in flight. For the redesign
joints, this testing included imposing purposely manufactured
leak paths into test articles sufficient to guarantee that
combustion gases would impinge on the respective barriers and
seals for testing the performance of the new designs.
The ultimate test of the new joints prior to the return to
flight was the ful1-sca~e, full-duration static test of the
PV-1 motor. This test included pressure-assuring flaws to the
primary O-ring in both the field joints and the case-to-nozzle
joint, as well as intentional flaws in some of the internal
nozzle joints and the case-to-igniter joint. Defects to
simulate insulation edge separations were also intentionally
introduced in several areas near the pressure-assuring flaws
to evaluate the effects of poor insulation-to-metal bonding.
This test represented a major departure from historical
approaches to full-scale, full-duration ground testing of
rocket motors and was debated for many months by the redesign
team and our Panel.
We advocated the test because we were convinced that the
requirement for redundant, verifiable, and independent seals
should be confirmed in fulI-duration, fu11-scale testing. The
test incorporated flaws that clearly were more severe than
defects that can be expected to arise in the normal course of
manufacturing and assembling the boosters but not be detected.
As the program proceeded, each of the flaws that was
finally tested in the PV-1 motor was first successfully tested
in subscale and then in full-sca~e, short-duration hardware.
Thus, with each succeeding test, the team became more confi-
dent that the joint seal designs had truly redundant seals
that performed as expected. The PV-1 test, which was per-
formed on August 18th, was successful: full motor pressure
did, in fact, reach the primary O-rings (through the flaws)
but gas did not leak past the O-rings.
The Panel believes that careful preparation and demon-
strations at subscale and intermediate levels prior to such
65
OCR for page 66
Letter to the Honorable James C. Fletcher
—8—
a "high risk" test is critical to successful testing of this
general type. Again, we believe that NASA might well apply
this philosophy to other programs.
Validation of Analytical Computations. While extensive use of
analytical models and computer-based computational methods is
appropriate and necessary for developing and verifying space
systems, we concluded that the current
mixed success in this regard. Models
validated through well instrumented
testing generally predicted the results
duration testing rather well. However,
"first principles" but not validated before full-sca~e testing
often left something to be desired. This appeared to us to be
particularly true of structural analysis where great emphasis
was placed on large, complex finite element methods. The most
obvious example was the redesign of the aft skirt where com-
puter analyses led to a design that added hundreds of pounds
of weight but did not significantly improve the structural
margin of safety.
program achieved only
that were refined and
subscale or component
of full-scale, full-
models developed from
Computational results are no better than the physics of
the models on which the analyses are based. There are many
areas of design where the knowledge of the physics is too
limited for reliable analyses (e.g., mechanical and thermal
performance of ablatives), or where available computational
codes are not adequate (e.g., analysis of plastic deformation
in complex load situations or of heat transfer from viscous
rotational two-phase flows). The experience in the SRB re-
design program suggest a strategy that should be adopted in
the future:
(1) Identify the areas where analysis is likely to be
unreliable,
(2) Find and employ the best expertise available,
(3) Use the analysis to test for the sensitivity of
results to poorly determined inputs, and
(4) Verify computed results by test.
We concluded that analyses, especially those whose objec-
fives are to predict structural failure, must be verified by
carefully planned and properly simulated experiments that are
well instrumented. We suggest that NASA could improve its
modelling capability by shifting some attention from computer
program development to development of good engineering insight
through simple, meaningful validation experiments.
Control of Processes and Materials. The redesign program has
set new standards for control of materials and processes used
66
OCR for page 67
Letter to the Honorable James C. Fletcher
_9 _
in manufacturing the motor and its component parts, and for
inspection of components, assembly operations, and the
assembled product. While improving reliability, this has
added substantially to cost and to production and assembly
time. Some of these efforts may have been, or may later
become, unnecessary as an acceptable degree of imperfection
becomes clear. However, the enhanced control and inspection
procedures have frequently shown the presence of defects that
would not have been found in the past, some of which are still
considered unacceptable.
There will no doubt be a push toward relaxation of quality
control and inspection in the interest of economy and time or
due to complacency. Potential improvements, particularly in
process controls, may justify some Reductions . It is abso-
lutely crucial however that "rel axation" be a carefully
planned, del iberate process in which lowered standards are
only authorized after formal demonstration that safety and
reliability are not compromised. Considering the nature of
the Shuttl e and its mi s s i on, standards f or qua l ity c ontro l and
assurance should be the highest of all space systems.
Documentation of Lessons Learned. In light of the important
lessons learned in the course of the redesign program, both
technical and administrative, about large and complex
engineering programs, we suggest that NASA commission an
independent, professional technical history of the booster
rocket recovery program to benefit future NASA--and possibly
other national--programs of similar scope.
Risk Reduction through Product Improvement
Although our formal task is completed with the successful
return to flight, the Panel has been briefed on NASA's plans
for program activities beyond STS-26. We have also formed
conclusions about what is needed for continued flight safety
and have concerns about the adequacy of your plans in this
regard. Before stating these concerns once again, it is
appropriate to emphasize that the Space Transportation System
consists of a very complex flight system, operating in a very
hostile environment. It is not realistic to view the mission
as risk-free. It is, however, reasonable to expect that a
higher level of confidence can be acquired as more flight
experience is obtained.
That confidence will only be gained from measured
performance of the system (including data from quality control
review and post flight inspection). Risk cannot be assessed
67
OCR for page 68
Letter to the Honorable James C. Fletcher
-10-
without a data base, and confidence comes from large data
bases, which cannot be provided from pre-flight tests alone.
It is standard practice in the aeronautical industry to
monitor flight performance (from components to systems to the
vehicle) and to make modifications when the data base indi-
cates that safety margins are below design requirements or
potential failure modes are not adequately treated in the
design.
The need for such practices is even more important in the
Shuttle system because the safety margins are lower than in
the aeronautical industry (due to considerations of weight)
and the opportunity to develop a performance data base is
orders of magnitude more limited. This message was dramat-
ical~y conveyed by the Challenger accident and the conditions
leading to it. The thorough redesign and verification effort
since then reflect a new set of standards within NASA and the
space industry. It is important that these standards be
continued in the flight program, and that budgetary, manpower,
and facilities policies be consistent with that objective.
Some specific recommendations for effective control and
reduction of risk are:
. . ~
(1) Maintain a technically competent team of
personnel that is familiar with booster design to evaluate,
maintain, and/or improve quality control, assembly, launch
operations, post-fight evaluation, and questions of service
life.
(2) Provide for measurements during flight for as
long as program engineering and safety personnel perceive the
need (i.e., get the data base).
(3) Maintain a supporting program of ground testing
that will provide for product quality control and for
validation of changes in material, manufacturing, and design
related to product reliability. This program should include
maximum use of the "Test Evaluation Motor" firings for the
these purposes.
(4) Provide enough flexibility in the flight program
to introduce adequately evaluated material, manufacturing, and
design improvements expeditiously when accumulating results
indicate unanticipated risk.
(5) Insulate the budget for the above activities from
competitive pressures from the flight program or advanced
solid rocket motor programs and reduce their support only in
the context of statistically significant base of measured
flight performance.
68
OCR for page 69
Letter to the Honorable James C. Fletcher
Organizational Issues
—11—
At times, some organizational issues seemed to have
impeded the smooth progress of the redesign effort. For
example, we observed problems with calculation and dissemin-
ation of loads within the program. Information about design
loads was difficult to obtain and almost al ways in a state of
flux. We believe that the designers of components of solid
rocket boo s ter should not only have intimate understanding o f
the loads but also be suf f iciently knowledgable to challenge
the methods and results of the calculations supplied by
others. The organizational and management issues pertinent to
the calculation and dissemination of loads should be reviewed
by NASA.
Finally, as we have recommended previously, independent
responsibilities should be firmly established for setting
design requirements and standards and for carrying out the
design. The objective should be to ensure a system of checks
and balances in the inevitable interplay between design and
requirements.
Acknowledgments
Finally, Jim, all of the members of the NASA/contractor
team responsible for the redesign of the solid rocket booster
have earned the appreciation and congratulations of the Nation
for their tireless dedication leading to the return to flight
of the Shuttle in the face of intense public scrutiny. We
join in expressing our own thanks, particularly because we
could not have discharged our responsibilities without their
earnest cooperation and support.
We are especially grateful to John W. Thomas, of NASA' s
Marshall Space Fl ight Center, and Allan J . McDonald, of Morton
Thiokol, Inc., who bore a primary responsibility for making
the engineering j udgments required in the redes ign program and
the burden 0 f cony inc ing us that they were r ight - - or accept ing
our recommendations. We owe a special debt of gratitude to
Russell Bardos, of NASA's Office of Space Flight, for assuring
that we had the information we needed to ful f ill our charge,
guiding us through the program' s organizational structure, and
providing excel lent ~ iaison between the Panel and the
respective leered s of NASA.
S incerel y,
H . Guy f ord Stever
Chairman
cc: Adm. Richard H. Truly
Panel Members
69
OCR for page 70
OCR for page 71
:l j
APPENDIXES
71
Representative terms from entire chapter:
solid rocket
