Spaceflight fatalities, could anything have been done

Answered already. This was not a matter of failure being an option, failure was already a hard fact.
ETA: Even if it could even be done, Soyuzes fit 3 people very crampedly. You’d need a squadron of 4.

And the poor Soyuzes? Did they stand a chance?

With respect to Columbia, it is worth reading the accident report, it covers a lot of this ground, and is very well written.

To address a couple of things that have gone past.

A rescue mission?:

So, the sad, and unfortunate answer, is yes, the Columbia crew probably could have been rescued.
The testing of the RCC panels was done with a number of panels, some new, some taken from other orbiters with similar age and use to those on Columbia. One of the significant issues was how badly the panels degraded in use. The foam cannon was able to crack a new panel, but when they tried the same shot on a panel with the same use as Columbia’s it punched a distressingly large hole on the first shot.

NASA had nearly lost an earlier shuttle flight to a foam strike. However it was a classified mission, and the very near loss, and staggering damage to the TPS on the orbiter, was not made public at the time and is still not well known. There was clear evidence that a foam strike could result in loss of an orbiter.

The foam strike that caused the loss of Columbia was the result of a briefcase sized slab of foam that was placed in front of the bipod (the bipod ramp) that supported the orbiter at the top of the external tank. There have been six earlier documented flights when a bipod ramp separated from the ET. The first in 1983, the last only three months before the loss of Columbia.

Also, Atlantis had had a strike on a RCC panel during STS-45 which resulted in a crack and near penetration of the panel. Again, NASA knew that strikes could and were damaging the RCC panels.
There had been over 40 other smaller strikes on the RCC panels.

After the first bipod ramp loss in 1983:

However after the sixth strike (ie the one before Columbia was lost) :

The report was remarkably candid, and quite damning. A couple of favourites:

As mentioned Komarov was sacrificed to a hurry to get back into space and launched in an unready ship. The Soviet program had already dodged a bullet with the interim slap-dash Voskhod series where Leonov nearly got stuck unable to get back in; then after the fall of Khrushchev and the death of Sergei Korolev the program got badly delayed so when they got greenlighted to continue the team was working in a rush, the management had become highly politicized and factionalized, so the early Soyuzes had to work out a bunch of bugs inflight. The mentality was such that Soyuz 2 was already on the launchpad, ready to do a rendezvous/docking/crew transfer mission “cold” with no prior experience or rehearsal! The idea being that any achievement would look good – but the mission profiles would have required someone to reenter in Soyuz 1 anyway, and during the investigation it came up that Soyuz-2 had many of the same defects as Soyuz-1 so they could have potentially lost two ships and crews.

What Soyuz 11 needed would have been a fast manual-shutoff for the equalization system, in easy reach of the crew, so upon detecting decompression someone could just slap it 180 degrees and reseal the environment. This was just not engineered into the design, the valve was not easy to access or handle. The first generation Soyuz Reentry Module could fit 2 people with pressure suits but already back in Voskhod they had done the “let’s make it 3 by having everyone fly in their shirtsleeves” thing and the Soyuz Orbital Module provided a separate, isolatable airlock space, so they felt they could go on with that strategy. It was not until the Soyuz-T series that they were capable of a suited crew of 3.

Did Soyuz 11 not have supplemental oxygen? I mean even an airliner has that.

It wouldn’t have helped. The equalization valve vented the cabin to vacuum, and the crew weren’t wearing pressure suits. Even if they had airline-style oxygen masks, they wouldn’t have been able to safely breathe from them, their lungs would have ruptured from the pressure differential between the air coming in and the vacuum outside.

I don’t know what the basis for this claim is, but it isn’t based upon either reliability or functionality. Solid propellant boosters were selected for the STS because they would be cheaper to develop and require less launch site processing compared to liquid boosters, which was validated in action (although the need to assemble the segments together rather than deliver a unitary booster added some complexity, including the problematic field joints). The fact that they don’t have to be loaded (and more importantly unloaded) in the case of a significant launch slip is a real advantage with a large launch vehicle, as is the reduction of complexity compared to a liquid system. Solid propellant motors also have the nice properties of providing a much higher specific thrust capacity and a high mass fraction, allowing them to be more compact and carry less propellant mass for the same propulsive capability, which offsets the lower specific impulse from solid propellants. (At sea level and low altitude where ambient pressure retards expansion the high specific impulse of light weight cryogenic fuels is less significant than the weight of tankage and insulation, hence why most liquid propellant space launch vehicles use RP-1 or hypergolic fuel and oxidizer for the first one or two ascent stages.)

Even if we set aside the original design Shuttle SRBs (despite the fact that they had no propulsive or functional failures) and only consider the RSRM-based SRBs, that represents 110 flight sets of two motors each, plus ground static fire tests in which there was not one failure or major anomaly of the propulsion system. I believe that gives the RSRM the highest demonstrated reliability of any rocket propulsion system ever flown, with a predicted reliability in excess of 99.5%. By comparison, the Soyuz family of launchers with almost a thousand launches and the Delta 2 with over ninety launches (the gold standard for Russian and American industries, respectively) both have a predicted reliability of about 98%. Other “Stage 0” solid boosters such as the Castor IV, Atlas SRM, and GEM have demonstrated reliability similar to the Shuttle SRBs. In fact, the only propulsive failure of a qualified SRB that I can think of offhand which was due to a design problem (as opposed to failures attributed to handling damage or aging) was on the Titan 34D-9 flight where a failure of the design to account for manufacturing and assembly tolerances resulted in backside burning (propellant at a field joint pulled away from the liner allowing gas to ignite the uninhibited propellant, erosively burning through the insulator and the case, resulting in catastrophic rupture and loss of vehicle). On the other hand, liquid propellant vehicles experience significant propulsive failure due to failures of the engines and the propellant feed system (the two systems that are essentially different from solid propellant vehicles) around 4%. That means that in terms of demonstrated reliability, solids are about an order of magnitude more reliable with respect to propulsive failures.

Of course, reliability is not the only consideration for selecting a propulsion system. One consideration against solids is that they cannot be readily throttled or thrust terminated without rupturing the case and venting hot gas, which makes abort and crew escape more challenging. (On the other hand, solid motors are used for the tractor rocket for all Launch Escape Systems precisely for the reasons mentioned above: the reliability, high thrust, quick responsiveness, minimal maintenance.) As they come to the launch site already loaded, lifting and integrating them are all hazardous operations which limits the other activities that can be done simultaneously. More importantly, the propellant constituents require precise quality control, as does the fabrication of the case and application of insulation and liner. And of course, you don’t want to store hundreds of tons of oxidizer sitting in burnable plastic barrels out in a parking lot next to a fiberglass-covered building you are welding on. But while handling solid propellants and cast motors is not for the fumble-fingered or terminally inattentive, it is easier to control the hazards than dealing with similar quantities of hypergolic propellants or liquid hydrogen based upon the quantity of accidents. The most credible objection to solid propellants is the environmental contamination they create, especially in the upper atmosphere. (There are efforts to develop “green” solid propellant replacements for the existing formulations, but they are still at a research and development stage.) But from a capability standpoint they are competitive and even superior to liquid propellants in many applications.

There is certainly some truth that there is political pull applied in maintaining the industrial base for solid propellant motors, especially from Utah where Alliant Techsystems (the inheritor of Thiokol Chemical Company and Hercules Aerospace), and was a large influence on the design of the now-cancelled Ares I launch vehicle with its inadvisable solid propellant core stage, but there are still many applications where solid propellant motors have significant advantages, especially upper stage apogee “kick” motors, escape tractor motors, low altitude thrust augmentation of existing liquid propulsion systems, and of course any system which has a requirement for high availability (e.g. any kind of tactical satellite launcher or weapon system), hence why both ATK and Aerojet General (the other US manufacturer of large solid propellant motors) have lines of business other than providing motors for NASA programs. To globally state that solid motors are “unacceptable” based upon a single failure caused by a flawed joint design and that the entire industry is maintained on the basis of one constituency is a thoroughly ill-informed position.

Stranger

Quite a response for a throwaway line :).

To be clear, I was referring specifically to boosters (either first stages or strap-ons), so while your points about LESes, etc. are well-taken, that’s not what I had in mind. ICBMs as well have different priorities, as does anything where storability is a primary design consideration.

At any rate, it is not just Challenger that’s the basis of my (humble) opinion; it is largely based on first-principles engineering: you should have a way of shutting down the system. This goes whether you’re talking about a car, a large tool in a machine shop, a rocket, or a nuclear reactor. Obviously, shutdown sequences on complicated machines are not always as simple as pressing the big red button, but generally there is a degree of control beyond just letting the device burn itself out.

As you note, solids are quite reliable, which should be expected due to their relative simplicity. But even if they were perfectly reliable, I’d still consider them a bad idea, since there are other systems which can still fail. A large class of abort modes are impossible if you can’t reduce your thrust to zero. Maybe there are other solutions, but you have still limited your options compared to the alternative.

And for what it’s worth, I do like the design philosophy that the Saturn V, Falcon 9, and others have used, which is that you should be able to cope with a first-stage engine loss. Furthermore, there are advantages in standardizing your engines just in terms of engineering complexity.

Also, while ATK does bug me given how they seem to want to slap their boosters onto every rocket NASA builds (“Just add another segment! It’ll be great!”), I certainly wouldn’t hold them single-handedly responsible for the continuation of the industry. The Ariane 6 appears to be using solid first and second stages. The ESA has certainly received a great deal of criticism for the move. It remains to be seen if it’s a good idea (SpaceX may eat their lunch before it matters).

What you are referring to is “fail-safe” design, i.e. if the system fails, it does so in such a way to automatically shut down, or enter a state capable of being shut down before it achieves some critical hazard threshold. But rocket propulsion systems are fundamentally not like other complex engineered systems in that by essential function they have no system-level fail-safe mode. If the propulsion system fails, loss of vehicle is essentially unavoidable. (I’ll address the “engine out” fault tolerance in a minute.) They are designed to operate at high performance under extreme conditions for a few hundreds of seconds and then be expended (or collected and refurbished). There is no failure mode other than immediately after ignition and prior to liftoff in which shutting down the propulsion system will prevent loss of the vehicle (done on the Shuttle by mechanically restraining the vehicle at the launch pad until full thrust of the SSMEs is demonstrated and all health and status checks come back positive; only then are the SRBs initiated.) The SRBs are terminated via the independent and redundant flight termination system, but this is to mitigate the flydown hazard and prevent the boosters from flying outside of the cleared zone.

Launch abort systems on both solid and liquid vehicles are designed to function under operational thrust levels since in a propulsion system failure no assurance can be had that the system can be rendered non-propulsive in the necessary interval. There are a number of modes for a liquid propulsion system which can result in runaway flight (e.g. freeze open of a regulator or overspeed of a turbopump). The lack of credible abort modes in the STS stemmed not innately from the SRBs but the design of the Orbiter Vehicle and the fact that all abort modes required flight control and return of the Orbiter. Until after the Challenger failure there were no progressions for crew egress in flight, and the solution that was provided (the Inflight Crew Escape System) was a false solution that nobody had any real confidence in as it would require bringing the Orbiter to level flight and bailing out; basically the only improvement over the original modes was that you didn’t have to make a final approach. It would not have saved the crew of Challenger, and of course Columbia broke apart at far too high an altitude or speed to consider using this even if there had been for the crew to attempt it. Fundamentally, it was a sop to address the criticism by the Rogers Commission regarding the lack of credible crew egress in flight. (Columbia did have ejection seats for the pilot and commander for the Abort and Landing Tests and the first four test flights but they were removed after to save weight. These only allowed for crew abort in the first few seconds of flight, and even then it is questionable whether the crew could have survived ejection.)

It is a serious misperception that the Saturn V can tolerate an engine out any time in flight. The Saturn V can not tolerate a loss of any of the 5 F-1 engines on the S-IC stages at any point during flight; the thrust imbalance of losing a side engine would cause the vehicle to go wildly out of control, and sudden loss of the center engine would very likely introduce a destructive axial mode. The S-II stage can tolerate loss of a J-2 engine after a certain point in flight and still achieve orbit (it actually lost two in the Apollo 6 test flight), but this is no credit to the design; the failures on both Apollo 6 and Apollo 13 weren’t due to failure within the engine itself but because of destructive POGO effects in the propellant feed system. If the system had been built with in-line accumulators (as most liquid feed systems are today) the problem would never have been experienced.

The Falcon 9 (v1.0) demonstrated the ability to survive an engine out in one case; however, the ability to do so depends on when failure occurs in flight and the trajectory requirements. I’m fairly certain it couldn’t survive an engine out that occurs just a few seconds after liftoff, nor with the maximum payload or high orbit trajectory. Relying on engine out capability versus high inherent reliability of the engines and feed system has some serious drawbacks; having enough engines (we’ll say quantity N) to be able to survive a propulsive loss of one engine (P_f) means both that the probability of occurrence of a failure in a given flight has now increased by 1-[1-(1-P_f)^N]*F for F number of failures. So if your chance of a failure occurring with one engine is, say, 2%, the chance of failure of one of the six engines is now 11.4%, and the chance of failing two engines (and therefore loss of vehicle) is still 1.3%. In other words, for all the additional complexity in both design and assembly, and potential failure points and destructive interaction introduced, you’ve only bought yourself a factor of 1.5 improvement in reliability, and then only at the point of flight when you can actually tolerate an engine loss. (I picked 2% and six engines as neutral numbers, but you can rerun the calculations for any number of engines you like; the benefits get worse with the number of engines you add.) And redundancy only protects against independent random failures; a limit failure (exceeding the qualified environment) or system failure (loss of propellant flow from the tank) will cause all engines to fail regardless of how many there are.
Redundancy is really only useful when you can get a completely independent chain of function at lower levels; otherwise, the slight benefit to reliability is countered by the additional complexity (and generally mass and cost of additional hardware), so unless you were going to have sufficient units for redundancy (e.g. you are adapting an existing engine to be ganged together into a new vehicle, or you are at the practical limit of how big an engine you can build and reliably function, which was the case with the F-1) it makes more sense to minimize the number of engines.

The lesson here is that it is better to design and test a propulsion system for inherent reliability (by robustness and/or simplicity) than to rely upon redundancy at the propulsion system level. In any case, there are many failure modes that can affect the propulsion system which have single failure points regardless of the redundancy you attempt to build into the system.

Stranger

Looking at the Challenger footage again, makes me wonder if there was any way for the crew to jettison the SRBs before burnout. I don’t think that would have saved the Orbiter, but could it be done? And would the Shuttle at that time in flight have the ability to reach Orbit or at least space and return (like one of the failed Soyuz launches)?

Stranger, what are you smoking with your discussion of engine-out capabilities?

Let’s run those numbers again : you have 5 engines, and for 75% of the ascent using the lower stage you can survive an engine-out, if you design your avionics and fuel systems to handle such a situation. The engines are moderately robust and reliable, and you have a 1% chance of losing any given engine on a particular flight.

If you cannot tolerate an engine out : the chance of this stage of the rocket working successfully is (1-0.01)^5 = 0.951, or about a 5% chance of failure.

If you can tolerate an engine out, and the chance of an engine failure is evenly distributed throughout the time this stage of the rocket is in use, then your chance of success is :

(0.25 * (1-0.01)^5) + (0.75 * (1 - 0.01 * (1 - (1-0.01)^4))) = 0.987.

The engine out capability reduces your failures by a factor of 3.76.

I do see your point that, all factors held equal, having more engines where you can afford to lose one or instead one gigantic engine that is equally reliable to the smaller engines surprisingly favors the single engine.

This does not actually make much intuitive sense, at all…All my engineering textbooks give examples where parallel systems are unquestionably the best choice.

Oh, I understand the problem, now. It’s due to the particular demands of rocket flight. Right at liftoff, when the rocket has the most fuel onboard, you need as much thrust as possible, and you do not want to weigh the rocket down with extra engines beyond the bare minimum for liftoff with the right TWR. Later in the flight of the first stage, you are throttling back anyway to reduce aerodynamic stresses and losses. This means that a smaller number of engines at full throttle could maintain the same thrust as all engines at reduced throttle. You “only” have to compensate for the missing engine by adjusting the thrust vectors for the surviving nozzles to keep the rocket flying as intended.

So, in my example, the chance of failure is dominated by that part of flight right after liftoff in the 5 engine case. If you over-engined the rocket such that immediately after liftoff you could survive a loss of 20% thrust, then the rocket would be more reliable with 5 engines and engine-out capability.

And I just realized that it must be good crack you are smoking, Stranger. I thought of a complicated way to use the SpaceX launch abort capability and landing capability to recover a rocket.

If the TWR immediately after clearing the tower is at least 1.25 : 1, and you have 5 engines, and you lose an engine immediately after clearing the tower, you could immediately trigger stage separation.

The lower Falcon 1 stage would hover in place, and the upper stage would ascend to a higher altitude and then it too would hover in place. Each would hover until most of the fuel was burned off, and would go in for a powered landing as demonstrated in this video : SpaceX's Reusable 'Grasshopper' Rocket Soars in Highest Test Flight Yet (Video) | Space

In this best case scenario, you would recover most of the rocket intact. You could swap the failed engine and reconstruct the rocket and be ready to try another launch in a few weeks.

Realistically, the upper stage might not be capable of hovering in the lower atmosphere when fully loaded with payload. It also probably could not land with the satellite payload still attached. So, you might be forced to ditch the upper stage and the payload - but at least you got the lower stage back intact.

The answers are no and no. SRB separation occurs during the “tail off” period of SRM action time (the time from motor ignition to the point that chamber pressure drops below a certain threshold and active combustion essentially stops). Small motors at the forward end of each SRB drive the motors outward from the ET to assure that no recontact occurs during separation, and the Shuttle Main Engines continue to thrust the Orbiter Vehicle and External Tank to orbit. If release of the SRBs were to occur while still at main thrust, two things would happen; one, the SRBs, relieved of their duty to pull along the OV and ET, would fly forward past the rest of the vehicle subjecting it to destructively hot exhaust and very likely recontacting (since they would be out of control). Second, the sudden and violent change of thrust load on the ET would cause a violent axial forcing function which would likely cause the connections between the ET and OV to fail, resulting in loss of control of the vehicle similar to what occurred when the SRB on STS-51-L broke away.

The STS requires full thrust of the SRBs for their entire action time, plus thrust from at least two of the three SSMEs to achieve the “Abort To Orbit” mode (done once on STS-51-F). Each SRB produces more than twice as much thrust at liftoff, and averages more than 1.5 times as much sustained thrust during flight compared to all three SSMEs combined. If you built liquid boosters based on the SSME you would need at least six engines on each booster (likely more to account for the poorer mass fraction of a liquid booster) to achieve the same level of thrust. So you can see why SRMs were cheaper to develop and easier to process than a comparable liquid booster even ignoring the comparative complexity of a liquid.

While that is a fairly clever scheme in concept, I highly suspect it would be unworkable in practice. Staging is the single most risky sequence of events during flight (especially if you look at the number of incidents over the duration it occurs), and a particular set of conditions have to be met in order to successfully stage and recover. Even if it were possible to assert control authority while staging between a fully loaded first and second stage, it is unlikely that the upper stage could develop enough thrust to cleanly separate while the first stage is still thrusting. And hovering a fully loaded stage with zero forward velocity, especially in the lower atmosphere, is almost certainly well outside of the control margins and would subject the base end to heating well in excess of thermal design tolerances.

BTW, the previous example (with six engines and a 2% chance of failure) was an artificial and idealized scenario to highlight why the “partial redundancy” offered by engine out capability isn’t really a big reliability driver. The assumption of independent random failure of the engine doesn’t actually represent the way most propulsion failures occur. (The 2% is also a wildly exaggerated number for the sake of clarity; I just didn’t want to deal with exponents to the thousandth and ten-thousandth.) Most engine failures occur either because the environment on an engine controller or thrust vector system component is exceeded, or because some part of the propellant feed system fails. Both of these failures typically occur due to interactions with–you guessed it–other engines, or within the complex spiderweb of plumbing and valves to feed and control multiple engines. So rather than multiple engines causing reliability to drop on a geometric scale, the reality is more likely an exponential scale. Interactions between the large number of engines is largely what doomed the Soviet N-1 rocket, and it caused many of the problems experienced on the Saturn S-II stage.

In fact, the only reason you would use multiple separate engines rather than one large engine is really that large engines tend to be more prone to instability, are more difficult to fabricate, more difficult to gimbal, and have larger chamber pressures requiring a higher strength chamber wall. All things being equal, one big engine is preferable from a functional and reliability standpoint as you don’t have to worry about thrust imbalance, misalignment errors between the thrust axes, or build a complex thrust structure to mount a bunch of smaller engines. This is why virtually all Big Dumb Booster-type proposals like the Boeing Double Bubble, McDonnell Douglas and Chrysler MCDs, and the Sea Dragon had one large (often relatively low performing) engine for the first stage engine and used vernier engines or some kind of liquid injectant system for vector control. Really, the only time that multiple engines make sense is when they’re ganged together into one nozzle array such as in a large aerospike or plug nozzle, keep the individual chamber size small and plumbing lengths relatively uniform while eliminating separate thrust vector systems on every engine.

Stranger
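The two engine-out calculations in this thread (the 5-engine, 1% scenario with a 75% tolerant window, and Stranger’s 6-engine, 2% scenario) are both instances of one binomial model. The script below is an added example, not code from any poster, and it computes the exact binomial values for both scenarios under the thread’s simplification that independent engine failures are spread uniformly over the burn. The `p_common` parameter is an assumption added here to represent the common-cause failures Stranger describes (a limit failure or loss of propellant flow that takes out every engine at once); its value in the demo run is a constructed placeholder, not a figure from the thread.

```python
from math import comb


def p_failures_at_most(n, p_fail, k):
    """P(at most k of n independent engines fail during the burn) -- binomial tail."""
    return sum(comb(n, j) * p_fail ** j * (1 - p_fail) ** (n - j) for j in range(k + 1))


def stage_success(n, p_fail, engine_out_window=0.0, p_common=0.0):
    """Probability that a stage completes its burn.

    n                 number of engines on the stage
    p_fail            per-engine probability of an independent failure during the burn
    engine_out_window fraction of the burn during which the loss of ONE engine is survivable
                      (thread's simplification: failures land uniformly over the burn, so this
                      fraction of them fall in the tolerant part of the ascent)
    p_common          assumed probability of a common-cause event (loss of propellant flow from
                      the tank, exceeded environment) that fails every engine regardless of count
    """
    no_loss = p_failures_at_most(n, p_fail, 0)       # every engine ran the whole burn
    one_loss_ok = p_failures_at_most(n, p_fail, 1)   # at most one engine lost
    independent_ok = (1 - engine_out_window) * no_loss + engine_out_window * one_loss_ok
    # Common-cause failures are not mitigated by redundancy: they multiply in on top.
    return (1 - p_common) * independent_ok


def failure_ratio(n, p_fail, engine_out_window, p_common=0.0):
    """How many times less likely the stage is to fail with engine-out capability than
    without it, using the same engines and the same per-engine failure probability."""
    without = 1 - stage_success(n, p_fail, 0.0, p_common)
    with_eo = 1 - stage_success(n, p_fail, engine_out_window, p_common)
    return without / with_eo


if __name__ == "__main__":
    # Thread scenario: 5 engines, 1% per engine, engine-out survivable for the last 75% of the burn.
    print(f"5 engines, no engine-out:      success = {stage_success(5, 0.01):.4f}")
    print(f"5 engines, 75% engine-out:     success = {stage_success(5, 0.01, 0.75):.4f}")
    print(f"improvement factor:            {failure_ratio(5, 0.01, 0.75):.2f}")
    # Same engines if the stage could tolerate an engine loss from liftoff (the 'over-engined' case).
    print(f"5 engines, 100% engine-out:    success = {stage_success(5, 0.01, 1.0):.5f}")
    print(f"improvement factor:            {failure_ratio(5, 0.01, 1.0):.1f}")
    # Stranger's scenario: 6 engines, 2% per engine.
    print(f"6 engines, P(>=1 failure):     {1 - p_failures_at_most(6, 0.02, 0):.4f}")
    print(f"6 engines, P(>=2 failures):    {1 - p_failures_at_most(6, 0.02, 1):.4f}")
    # Constructed 1% common-cause term: redundancy cannot touch it, so the benefit collapses.
    print(f"100% engine-out, 1% common:    factor = {failure_ratio(5, 0.01, 1.0, 0.01):.2f}")
```

With a 75% tolerant window the 5-engine stage fails about 1.3% of the time, worse than a single engine of the same 1% reliability, which is the comparison the later posts turn on; extending the window to the whole burn drops the failure probability below 0.1%, but a constructed 1% common-cause term alone pulls the improvement factor from about 50 back to about 5, which is the point Stranger makes about limit and feed-system failures.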

Thanks for the answer, Stranger. This does intuitively make sense : instead of a nightmare maze of plumbing, pumps, and valves you just have the simpler (and much bigger) parts for a single large engine.

Now, if you can package the engines such that you eliminate coupling - every engine gets its own completely independent, a firewall between it and the other engines, its own electronics, and so on… In that case, you should have independent parallel systems, and they should be more reliable.

This is the reason I keep making references to you smoking illegal drugs : the back of my systems engineering textbook has a long appendix on reliability, and it shows enormous improvements with parallel systems that are uncoupled from one another. (since in order for the system to fail it requires a series of low probability events to happen)

However, in the problem domain of rocketry, I can see how a lot of the coupling is common.

You’re going to want to try to share parts in common between engines to save mass. Heck, pipes and pumps scale nonlinearly, so a fuel feed system that can handle the flow for 2 engines does not weigh double the system for one engine. This kind of nonlinear scaling means you’d be strongly tempted to share stuff in common between engines.

There’s the thrust coupling problem mentioned earlier, where you don’t want to have unnecessary engines on the rocket immediately after liftoff. And, there’s the impulse coupling problem that makes control more difficult, since done poorly it will cause the rocket to fly poorly, wobbling the gimbaled nozzles excessively and so on.

I suspect that SpaceX does it the way I mentioned above. I think each engine is completely independent from the others, their control software takes into account the future forces of all engines in its model, and their engines can probably handle the abort I mention. (although they may not be able to do the staging)

Thanks Stranger. Could the Orbiter be fully separated inflight before SRB burnout? Or would that still be catastrophic?

I think that the post was a left-wing drive-by, not a serious post.

It would have been a bigger plus if he were to have boasted of it closer to the election.
State of the Union speeches aren’t that important in electioneering.

My observation is that Stranger is unswervingly accurate when it comes to details and difficult to fault. And in any case, this is probably not the right place for making political inferences. Just sayin’.

Couple issues with this: first, the path of the SRBs would cause the orbiter to intersect their exhaust which is obviously a big issue. Secondly, with the liquid fuel tank solidly attached to the orbiter, the sudden loss of thrust from the SRBs would likely be catastrophic due to the extreme stress on the airframe. Maybe you could drop the fuel tank early too, but then you are just a glider with the aerodynamics of a brick sitting in stall position.

Basically, my understanding is that the horizontal configuration of the Shuttle made any abort strategy at most points during launch nearly impossible. With a vertical stack, you can at least try to drag the capsule up and away from all the shit that’s going wrong underneath you, although getting your parachutes burnt up in the ensuing debris cloud is still an issue…