NACA Seal

A scientific study of the problems of digital engineering for space flight systems,
with a view to their practical solution.


REPORTS

Read This!

Jump to: EEE Links Archive.

Failure Reports and Related Items


SUMMARY REPORT of the Review of U.S. Human Space Flight Plans Committee

(Augustine Commission)

Summary Report
Transmittal Letter, Summary Report

September, 2009

Excerpt and Contents
The nation is facing important decisions on the future of human spaceflight. Will we leave
the close proximity of low-Earth orbit, where astronauts have circled since 1972, and explore the
solar system, charting a path for the eventual expansion of human civilization into space? If so,
how will we ensure that our exploration delivers the greatest benefit to the nation? Can we explore
with reasonable assurances of human safety? And, can the nation marshal the resources to embark
on the mission?
  1. CURRENT PROGRAMS
  2. CAPABILITY FOR LAUNCH TO LOW-EARTH ORBIT AND EXPLORATION BEYOND
  3. FUTURE DESTINATIONS FOR EXPLORATION
  4. INTEGRATED PROGRAM OPTIONS
  5. ORGANIZATIONAL AND PROGRAMMATIC ISSUES
  6. SUMMARY OF KEY FINDINGS


NASA's Exploration Systems Architecture Study -- Final Report

November 2005
NASA-TM-2005-214062

Preface (excerpt)
The National Aeronautics and Space Administration’s (NASA’s) Exploration Systems Architecture Study (ESAS) Final Report documents the analyses and findings of the 90-day Agencywide study. Work on this study began in May 2005 and was completed in July 2005.  The purpose of the study was to:
  • Assess the top-level Crew Exploration Vehicle (CEV) requirements and plans that will enable the CEV to provide crew transport to the International Space Station (ISS) and will accelerate the development of the CEV and crew launch system to reduce the gap between Shuttle retirement and CEV Initial Operational Capability (IOC)
  • Define the top-level requirements and configurations for crew and cargo launch systems to support the lunar and Mars exploration programs;
  • Develop a reference exploration architecture concept to support sustained human and robotic lunar exploration operations; and
  • Identify key technologies required to enable and significantly enhance these reference exploration systems and a reprioritization of near-term and far-term technology investments.


Space Shuttle Orbiter Approach and Landing Test:
Final Evaluation Report

Approved by: Aaron Cohen and Deke Slayton
February 1, 1978
Report Number: NASA-TM-79404; JSC-13864

Abstract: (excerpt)
The Approach and Landing Test Program consisted of a series of steps leading to the demonstration of the capability of the Space Shuttle orbiter to safely approach and land under conditions similar to those planned for the final phases of an orbital flight. The tests were conducted with the orbiter mounted on top of a specially modified carrier aircraft. The first step provided airworthiness and performance verification of the carrier aircraft after modification. The second step consisted of three taxi tests and five flight tests with an inert unmanned orbiter. The third step consisted of three mated tests with an active manned orbiter. The fourth step consisted of five flights in which the orbiter was separated from the carrier aircraft.


Defense Science Board Task Force On High Performance Microchip Supply

February 2005
Office of the Under Secretary of Defense For Acquisition, Technology, and Logistics
Washington, D.C. 20301-3140

Introduction (excerpt)
   I am pleased to forward the final report of the Defense Science Board Task Force on High Performance Microchip Supply.  The report makes recommendations that help ensure the long term, leading edge U.S. performance of microchip design, development, and manufacturing.  The report also focuses on the future U.S. ability to ensure long term trusted and secure supplies of microelectronic components to the DOD and to the U.S. government.
   The conclusion is a call for U.S. government in general, and the DOD and its suppliers specifically, to establish a series of activities to ensure that the United States maintains reliable access to the full spectrum of microelectronics components, from commodity and legacy, to state-of-the-art parts, and application-specific Integrated Circuits special technologies.  These activities must provide assurance that each component's trustworthiness (confidentiality, integrity, and availability) is consistent with that component's military application.


Technical Consultation of the Hubble Space Telescope (HST) Nickel Hydrogen (NiH2) Battery Charge Capacity Prediction

NASA Engineering and Safety Center Consultation Position Paper
Document #: RP-04-08
June 17, 2004

Description
The paper examines the viability of the HST with respect to the NiH2 continued battery charge capacity.  It proposes a life prediction technique to determine critical HST milestone dates for continued science studies followed by the attachment of a re-entry module or a robotic servicing mission.


Interim Assessment of the NASA Culture Change Effort

February 16th, 2005

Executive Summary (excerpt)
    
The CAIB found that NASA’s culture and related history contributed as much to the Columbia accident as any technical failure.  As a result of the CAIB and related activities, NASA established the objective of completely transforming its organizational and safety culture. The first milestone in this transformation was to demonstrate measurable progress in changing the culture within six months.
     For five months beginning in mid-April, 2004, BST has assisted the Glenn Research Center, Stennis Space Center, and the Engineering and Mission Operations Directorates of the Johnson Space Center in implementing a broadly-based group of activities to begin changing the culture. BST also conducted a limited amount of training for the Safety and Mission Assurance Directorates at Kennedy Space Center and Goddard Space Flight Center. This initial phase of work was designed to provide a mechanism to learn how best to deploy the culture change approach while meeting the objective of achieving measurable progress in six months.


NASA Project Management Study

Donald P. Hearth
Director, Langley Research Center
January 21, 1981

Study of project management processes and tools.


Report of the
President's Commission on Implementation of United States Exploration Policy

June 2004
moon.mars.report.pdf

Members:
  1. Edward C. "Pete" Aldridge, Jr. (Chairman)
  2. Carleton S. Fiorina
  3. Michael P. Jackson
  4. Laurie A. Leshin
  5. Lester L. Lyles
  6. Paul D. Spudis
  7. Neil deGrasse Tyson
  8. Robert S. Walker
  9. Maria T. Zuber


A Renewed Commitment to Excellence

An Assessment
of the
NASA Agency-Wide Applicability
of the
Columbia Accident Investigation Board
Report
(The Diaz Report)

January 30, 2004
Executive Summary
Full Report

Introduction (excerpt)
Had the fate of STS-107 been the result of a small number of well-defined problems in a single program, finding solutions would be a relatively straightforward matter.  But the CAIB determined that such is not the case.  It was their conclusion that the mistakes made on STS-107 were not isolated failures, but rather were indicative of systemic flaws that existed prior to the accident.  The Diaz Team believes that some of these systemic flaws exist beyond the Shuttle Program.  it was our determination that nearly half of the CAIB R-O-Fs have bearing throughout the agency.

-- Al Diaz

Langley Technical Reports Server

NASA Technical Report Server

NACA Technical Report Server

Technical Reports Servers

  1. Langley
  2. NASA
  3. NACA

(May 16, 2002)

NASA Documents Online


NASA Documents Online

The following is a list of NASA publications that have been put online in either full-text or hypertext format. The list will be updated as often as possible.   (November 16, 2001)

Reliability_Papers and Reports  

Aerospace Safety Advisory Panel Reports


Aerospace Safety Advisory Panel

"The Panel shall review safety studies and operations plans referred to it and shall make reports thereon, shall advise the Administrator with respect to the hazards of proposed operations and with respect to the adequacy of proposed or existing safety standards, and shall perform such other duties as the Administrator may request."

NASA Authorization Act of 1968 | Public Law 90-67, 42 U.S.C. 2477

spaceact.html National Aeronautics and Space Act, Pub. L. No. 85-568, As amended.
MRC_SEU.pdf "Temporally Redundant Latch for Preventing Single Event Disruptions in Sequential Integrated Circuits"
Abstract -
IC designs have experienced dramatic increases in both density and speed. These advances are not without serious implications for microelectronics used in space applications where ICs are subjected to hostile environments that include single event effects (SEE) primarily do to interactions with cosmic rays, high energy protons, and high energy neutrons.

This report will:

1. provide some background to the reader in the area of SEU mechanisms and
    describe their implications for present day spaceborne microelectronics.
2. clarify the impact that shrinking device sizes will have on single event upsets
    in spaceborne microelectronics
3. explain how single event transients (SETs) in the combinatorial logic of a circuit
    will become important in spaceborne systems, and
4. propose a new and unique circuit design methodology that can, with minor tradeoffs,
    totally eliminate SEUs and even multiple bit upsets (MBUs) from sequential circuit designs.

esa_act3.pdf ESA Radiation Report on Act 3.  Proton, Heavy Ion, and Total Dose Results at 5.0 and 3.3 volts.  (.pdf 536 kbytes).
rh1020_clk_upset
_White_paper.PDF
"RH1020 Single Event Clock Upset Summary Report,"
Abstract:
This report summarizes the testing and analysis of "single event clock upset" in the RH1020 for Pass 6 parts. Also included are sample SEU-rate predictions and design recommendations for risk analysis and reduction. (.pdf  74 kbytes).
JTAG_SX_WhitePaper.PDF "Use of SX Series Devices and IEEE 1149.1 JTAG Circuitry."  This white paper reviews basic 1149.1 principles, radiation results on SX Series devices, and finishes with mitigation techniques and design considerations. (.pdf 629 kbytes)
Q_Logic_REL98d.PDF
Q_Logic_RELMON98.PDF
Quicklogic Reliability Reports, 1998.
QYH500_DPA.pdf DPA of the QYH530 (one mask) ASIC used for COTS-2/STRV-1d. (.pdf 4.3 megabytes)
Actel_Reliability_0299.pdf Actel Reliability Report, February, 1999.
Xilinx_Reliability_0199.pdf Xilinx Reliability Report, January, 1999.
LVDS_Study.pdf

High-Speed, Low-Power, Excellent EMC: LVDS for On-Board Data Handling
Abstract
The capabilities of remote-sensing instrumentation are developing rapidly. As a consequence the data rates being handled on-board spacecraft are increasing.  LVDS (Low Voltage Differential Signaling) provides a means of sending data along a twisted pair cable at high speed, with low power and with excellent EMC performance. These features make LVDS ideal for satellite on-board data-handling applications.   This paper assesses the suitability of LVDS for space applications as part of a data-handling system based on IEEE 1355 comparing it against other types of line driver/receiver. It explains how LVDS can be used together with IEEE 1355 to form the basis for a powerful on-board data handling system, which is capable of handling data from current and future, high data-rate instruments.

Young_ISS_Report.pdf

Young_ISS_Appendix.pdf


Independent Task Force Management Report on Space Station Presented

The independent blue-ribbon task force charged with examining the budget and management challenges facing the
International Space Station presented its report to the public on Friday, Nov. 2, in Washington. The Independent Management and Cost Evaluation (IMCE) Task Force was formed in July by NASA Administrator Daniel S. Goldin to look at the space station project. It was made up of a diverse team of world-renowned experts, including two Nobel laureates. Thomas Young, a former president and Chief Operations Officer at Martin Marietta Corp. who has managed numerous complex and technically challenging programs for government as well as private industry, headed the group.


Major Management Challenges and Program Risks: National Aeronautics and Space Administration

GAO-03-114
January 2003

gao-03-114.pdf

Introduction
NASA is at a critical juncture. Since its inception, NASA has advanced space exploration and scientific knowledge and accomplished unparalled feats of engineering. But NASA now faces challenges, particularly in terms of maintaining a skilled workforce, controlling costs, and providing effective oversight for important projects. Recognizing the need for change, NASA’s Administrator has recently articulated a new vision for NASA—one that is science-driven, not destination-driven. To put NASA on a better footing to fulfill this vision, the agency is taking on a major transformation aimed at eliminating stovepipes, becoming more integrated and results-oriented, and reducing risks while working more economically, efficiently, and effectively.

We have identified four performance and accountability challenges facing NASA. These include

  • strengthening strategic human capital management,
  • controlling International Space Station costs,
  • reducing space launch costs, and
  • improving contract management.

Collectively, these challenges seriously affect NASA’s ability to effectively run its largest programs. With an aging workforce, for example, NASA is facing the loss of science and engineering expertise across its mission areas. Moreover, cost overruns have prevented NASA from achieving its original goals with the International Space Station and taken away resources from other programs. Weak contract management and financial controls pose additional risks across the agency. Therefore, we have placed this area on our high-risk list.


Failure Reports and Related Items

 

 


Anomaly Trends for Long-Life Robotic Spacecraft

Nelson W. Green, Alan R. Hoffman, and Henry B. Garrett
Journal of Spacecraft and  Rockets
Vol. 43, No. 1. Jan-Feb 2006
pp. 218-224

green_2006.pdf

Abstract
Three unmanned planetary spacecraft to the outer planets have been controlled and operated successfully in space for an accumulated total of 68 years. The Voyager 1 and 2 spacecraft each have been in space for more than 27 years. The Galileo spacecraft was in space for 14 years, including eight years in orbit about Jupiter. During the flight operations for these missions, a total of 3300 anomalies for the ground data and the flight systems have been tracked using the Jet Propulsion Laboratory's anomaly reporting tool. Methods and results are described for classifying and identifying trends relative to ground system vs flight system, software vs hardware, and corrective actions. Several lessons learned from these assessments can significantly benefit the design and planning for long missions of the future. These include the necessity for redundancy to ensure successful operation of the spacecraft, awareness that anomaly reporting is dependent on mission activity not the age of the spacecraft, and the need for having a program to maintain and transfer operation knowledge and tools to replacement flight team members.


Maintainability of Unmanned Planetary Spacecraft: A JPL Perspective

P. Kobele, JPL
AIAA/NASA Symposium on the Maintainability of Aerospace Systems
July 26-27, 1989, Anaheim, CA
AIAA-89-5070

kobele_1989.pdf

Abstract
The requirements for mission success in unattended environments which do not allow direct repair of spacecraft faults have posed significant challenges in the areas of spacecraft design and mission operations. These challenges have resulted in innovative design requirements and implementation approaches intended to maximize the likelihood of being able to reconfigure the spacecraft to accommodate any of a myriad of spacecraft faults. Autonomous fault detection and correction algorithms and the mission operations elements of recent JPL interplanetary projects have been able to utilize these design features in their operational strategies to recover the spacecraft from what might have been mission terminating occurrences and to allow continuation of essentially undegraded missions.


NTSB Reports

These reports provided by Hunt Library


Satellite Outages and FailuresXL

 

Synopsis
On these pages, I've tried to collect facts and figures relating to on-orbit satellite failures or outages.


When Spacecraft Won't PointXL

Christopher D. Hall
2003 AAS/AIAA Astrodynamics Specialists Conference
Big Sky, Montana, August 2003
Paper # AAS 03-505

 

The Spacecraft Attitude Dynamics and Control course at Virginia Tech is primarily taken by juniors as an alternative to the aircraft stability and control course. Such a course can be taught in many different ways. On one extreme, one could invoke the powerful machinery of geometric mechanics, including the momentum map, so(3), SO(3), cotangent bundles and symplectic manifolds. At the other extreme, one might use a handbook with convenient sizing formulas for designing ADCS hardware. Somewhere in between these extreme approaches lie the approaches used in most courses. In any case, students can better appreciate the significance of the selected topics covered if they are provided with concrete examples. One particularly interesting type of example is the ADCS failure or anomaly, especially where a failure is caused by the same type of error that the students are being asked to understand and not make.


Manned space programs accident/incident summaries (1963 - 1969)

CR-120998
General Electric Co., Daytona-Beach, Florida prepared for NASA

Contract NASW-410 (Safety Task)
March 1970

Abstract:
This summary is a compilation of 508 mishaps assembled from company and NASA records which cover several years of Manned Space Flight Activity. The purpose is to provide information to be applied towards accident prevention. The accident/incident summaries are categorized by the following ten systems: Cryogenic; Electrical; Facility/GSE; Fuel and Propellant; Life Support; Ordnance; Pressure; Propulsion; Structural; and Transport/Handling. Each Accident/Incident summary has been summarized by description, cause and recommended preventive action.


Manned Space Programs Accident/Incident Summaries (1970 - 1971)

CR-120999
Cranston Research, Inc.

Contract NASW-2225
April 1972

Abstract:
This document is a compilation of 223 mishaps assembled from company and NASA records covering the Accident/Incident experience in 1970-71 In the Manned Space Flight Programs. It is the companion volume to NASA CR-120998 which covered the years 1963-1969. The objectives of this summary is to make available to Government agencies and industrial firms the lessons learned from these mishaps. Each accident/incident summary has been reviewed by description, cause and recommended preventive action. The summaries have been categorized by the following ten systems: Cryogenic; Electrical; Facility/GSE; Fuel and Propellant; Life Support; Ordnance; Pressure; Propulsion; Structural; and Transport/Handling.


Software-Desaster, und wie man sie verhindern kann

 

Inhalt

Programmfehler sind oft nur irritierend, können aber auch verheerende Folgen haben.  Ein Fehler im Pentium-Prozessor kostete Intel im Jahr 1994 US$ 306 Millionen. Fehler in einem Steuerrechner des neuen Stellwerks im Bahnhof Hamburg Altona führten im Jahr 1995 dazu, daß der Bahnhof für mehrere Tage nicht angefahren werden konnte, und verursachte erheblichen Ärger bei den Bahnkunden.  Aus der Luft- und Raumfahrt sind etliche durch Softwarefehler verursachte Unfälle bekannt, die zum Teil auch zum Verlust von Menschenleben führten.

In dem Proseminar wollen wir einige der bekanntesten dieser Fehler und die durch sie ausgelösten Desaster untersuchen.  Dabei soll jeweils

  • dargestellt werden, was genau schief ging, und wie es dazu kommen konnte, und
  • eine Technik aus der Informatik vorgestellt werden, die solche Fehler verhindern hilft.
Themen werden jeweils in Zweiergruppen bearbeitet.  Jede Gruppe recherchiert Verlauf und Auswirkungen eines Desasters und stelle eine Technik aus der Informatik vor, mit der man Fehler dieser Art verhindern kann.  Die Themenübersicht finden Sie weiter unten auf dieser Seite.

 

 

Mars


MER Spirit Flash Memory Anomaly (2004)

NASA Public Lessons Learned System (PLLS) Database

Abstract:
Shortly after the commencement of science activities on Mars, an MER rover lost the ability to execute any task that requested memory from the flight computer. The cause was incorrect configuration parameters in two operating system software modules that control the storage of files in system memory and flash memory. Seven recommendations cover enforcing design guidelines for COTS software, verifying assumptions about software behavior, maintaining a list of lower priority action items, testing flight software internal functions, creating a comprehensive suite of tests and automated analysis tools, providing downlinked data on system resources, and avoiding the problematic file system and complex directory structure.


Mars Exploration Rover Spirit Vehicle Anomaly Report

Glenn Reeves, Tracy Neilson, and Todd Litwin
JPL D- 22919/MER 420-6-785
May 12, 2004 
spirit_anomaly_report_d-22919.pdf
spirit_anomaly_report_d-22919.doc

Introduction (excerpt)
     The anomaly that afflicted the MER-A vehicle, Spirit, is now understood and can be mitigated without an immediate change to the onboard flight software. The flight software will be modified to enable a more long-term solution.
     The root cause of the anomaly was the incorrect configuration of two modules: the module that manages the onboard FLASH based file system, and the module that manages the system memory space. There was no logic error in either module; both operated as specified by the configuration parameters. Unfortunately, this was incorrect from the broader viewpoint of the overall system behavior. The combination of effects exposed other architectural and design weaknesses in the flight software that contributed to the difficulty in restoring the vehicle to normal operation.
     In addition to the technical factors related to the anomaly there are also programmatic contributors and "lessons" that became apparent as the anomaly investigation progressed.
     This report will address the technical problem and its root cause. The programmatic contributors and lessons learned are identified but no conclusive analysis has been performed.


Propulsion Lessons Learned from the Loss of Mars Observer

Carl S.Guernsey
Jet Propulsion Laboratory Pasadena,CA

AIAA 2001-3630
37th AIAA/ASME/SAE/ASEE Joint Propulsion Conference
8-11 July 2001
Salt Lake City,Utah
guernsey_a01-34322.pdf

Abstract
Contact with the Mars Observer (MO) spacecraft was lost in August 1993, three days before it was to have entered orbit around the planet Mars.  The spacecraft's transmitter had been turned off in preparation for pressurization of the propulsion system, and no signal was ever detected from the vehicle again.  Due to the lack of telemetry, it was never possible to determine with certainty what caused the loss of the spacecraft, and review boards from JPL, the Naval Research Laboratory (NRL), and the spacecraft contractor were only able to narrow the probable cause of the failure to a handful of credible failure modes.  This paper presents an overview of the potential failure modes identified by the JPL review board and presents evidence, discovered after the failure reviews were complete, that the loss was very likely due to the use of an incompatible braze material in the flow restriction orifice of the pressure regulator.  Lessons learned and design practices to avoid this and other propulsion failure modes considered candidates for the loss of MO are discussed.

Mars Observer Loss of Signal: Special Review Board Final Report

November 1993
JPL Publication 93-28

mars_observer_11_93.pdf

Abstract

Launched on September 25,1992, the Mars Observer spacecraft was to conduct a global survey of the Martian surface and atmosphere. On August 21, 1993, Mars Observer was executing a sequence to pressurize the propulsion tanks in preparation for Mars Orbit Insertion three days later. As part of that sequence, the transmitter was turned off, and no signal has been detected since.

The Deputy Director of the Jet Propulsion Laboratory convened a Special Review Board to thoroughly investigate the causes and ramifications of that failure. The Board concludes that an unrecoverable failure occurred during the 14 minutes when the transmitter was turned off. The four most credible potential causes of the loss of signal are:

  1. Loss of downlink or destruction of the spacecraft due to a breach of the Propulsion System,
  2. Electrical power loss due to a massive short in the Power Subsystem
  3. Loss of the spacecraft computational function (both spacecraft computers prevented from controlling the spacecraft) in a way that could not be corrected by ground commands, and
  4. Loss of both transmitters due to failure of an electronic part.

Additional analyses, simulations, and tests underway at press time may affect the relative credibility of these hypotheses.

These most credible potential causes, and the many other hypotheses that the Board examined, are discussed in the report. The report also presents findings, including recommendations that could have been implemented and that might have precluded the failure.


Volume I: Mars Observer Mission Failure Investigation Board Report

Submitted by the MARS Observer Mission Failure Investigation Board
31 December 1993

mars_observer_12_93.pdf

A report to the Administrator, National Aeronautics and Space Administration on the investigation of the August 1993 mission failure of the Mars Observer spacecraft.


The Difficult Road to Mars
A Brief History of Mars Exploration in the Soviet Union

By V.G. Perminov

Monographs in Aerospace History, Number 15

A Joint Publication of the NASA History Division, Office of Policy and Plans, and Office of Space Science, July 1999

NP-1999-06-251-HQ

difficult_road_to_mars.pdf

Forward (exerpt)

V.G. Perminov was the leading designer for Mars and Venus spacecraft at the Lavochkin design bureau in the Soviet Union during the early days of Mars exploration. Here, he recounts the hectic days and urgent atmosphere in the Communist bureaucracy to design and successfully launch a Mars orbiter, a Mars lander, and a Mars rover. The goal was to beat the United States to Mars. The authorÕs account gives, for the first time, the personal feelings of those managing the projects.

 

Mission Readiness Review, Mars Odyssey Red Team


Mars '01 Odyssey Project, Mission Readiness Review Red Team Report, Section 6.2

March 12, 2001
 

Mars '01 Project Red Team Report


Mars '01 Project Red Team Report
to the
NASA Office of Space Science

September 15, 2000
 

http://www.seds.org/.../1989/jasa8910.txt The Rocky Soviet Road to Mars - Larry Klaes (January 7, 2002)
Mars Observer Failure Summary Mars Observer Investigation Report Released
mpiat_report_1.pdf
mpiat_report_2.pdf
The Mars Program Independent Assessment Team (MPIAT) report.  (March 29, 2000)
mpl_report_1.pdf
mpl_report_2.pdf
mpl_report_3.pdf
mpl_report_4.pdf
mpl_report_5.pdf
Report on the Loss of the Mars Polar Lander and Deep Space 2 Missions

JPL Special Review Board (March 29, 2000)

MCO_MIB_Report.pdf
MCO_report.pdf
Mars Climate Observer Reports.  March 18, 2000.


The Failures of the Mars Climate Orbiter and Mars Polar Lander: A Perspective from the People Involved

Advances in the Astronautical Sciences, Guidance and Control 2001
Vol. 107, pp. 635-655
AAS 01-074

Edward A. Euler1, Steven D. Jolly1, and H.H. 'Lad' Curtis2

1Lockheed Martin Astronautics Operations, P.O. Box 179, Denver, Colorado 80201
2ITN Energy Systems, Inc., Littleton, Colorado 80127

PaperXL

euler_mco_mpl.pdf
euler_mco_mpl.doc

Abstract
The failures of the Mars Climate Orbiter and Mars Polar Lander were the subject of numerous failure review boards composed of senior personnel not closely associated with the projects. The causes and corrective actions were well documented, however, these reports did not capture inner workings of the projects and the subtle things that happened that eventually led to the failures. This paper will present the story from the perspective of the people intimately involved with the design, development, and operation of the vehicles. In the case of the MCO, it is a story about how a number of seemingly unrelated events and actions finally led to the large navigation error and how that error could remain undetected by a group of competent and dedicated engineers and managers. In the case of the MPL, it is a story or how a flight software code error was made, why it was made, and why it went undetected through a very rigorous test program. It is hoped that these examples will lead not only to a further sense of awareness, but to emphasize once again that there are some inviolate principles that should never be compromised in the development of one-of-a-kind single flight missions.
Odyssey_FPGA_IAT_Report.pdf


Report of the Odyssey FPGA Independent Assessment Team

Donald C. Mayer, The Aerospace Corporation
Richard B. Katz, NASA/Goddard Space Flight Center
Jon V. Osborn, The Aerospace Corporation
Jerry M. Soden, Sandia National Laboratories

Note that after the report was written, a third failure from the same sublot, on other program, was discovered.

Other reports and an alert are in the process of being prepared and released.  Contact richard.b.katz@nasa.gov for additional information.

IEEE Sample Articles


Why the Mars Probe Went Off Course

IEEE Spectrum
James Oberg
December, 1999 Volume 36 Number 12

mco_charts.pdf


MARS PRESS CONFERENCE

Dr. Edward Stone’s Presentation

 

 

FBC

fbctask.pdf "NASA Faster, Better, Cheaper Task Final Report," Tony Spear.   March 18, 2000


Faster, Better, Cheaper
Low-Cost Innovation in the U.S. Space Program

Howard E. McCurdy
©2001 The Johns Hopkins University Press
ISBN 0-8018-6720-7

Contents
  1. The Reform
  2. The Nature of the Challenge
  3. Cost Control
  4. The Philosophy
  5. Mars Pathfinder
  6. Organization
  7. Technology
  8. Risk and Reliability
  9. Future Implications

 

CONTOUR

COMET NUCLEUS TOUR MISHAP INVESTIGATION BOARD REPORT

MAY 31,2003
CONTOUR Report
Press Release

Executive Summary (excerpt)
The Comet Nucleus Tour,CONTOUR,is part of the NASA Discovery series of solar system exploration satellites.NASA sponsored CONTOUR with Dr.Joseph Veverka of Cornell University as the principal investigator;it was designed,built,and operated by Johns Hopkins University ’s Applied Physics Laboratory with specialized support by NASA.

Launched on July 3,2002,CONTOUR was intended to encounter at least two comets and perform a variety of investigations and analyses of the comet material.It remained in an eccentric Earth orbit until August 15, 2002,when an integral STAR ™30BP solid rocket motor was fired to leave orbit and begin the transit to the comet Encke. attempts to contact CONTOUR were unsuccessful.

 

Patriot

The Patriot Missile Failure

Summary
On February 25, 1991, during the Gulf War, an American Patriot Missile battery in Dharan, Saudi Arabia, failed to track and intercept an incoming Iraqi Scud missile. The Scud struck an American Army barracks, killing 28 soldiers and injuring around 100 other people.  The cause of failure was an inaccurate calculation of the time, an arithmetic error.


PATRIOT MISSILE DEFENSE

Software Problem Led to System Failure at Dhahran, Saudi Arabia

GAO Report to the Chairman, Subcommittee on Investigations and Oversight, Committee on Science, Space, and Technology, House of Representatives

February, 1992

GAO/IMTEC-92-26

patriot_gao_145960.pdf

Results in Brief

The Patriot battery at Dhahran failed to track and intercept the Scud missile because of a software problem in the system’s weapons control computer. This problem led to an inaccurate tracking calculation that became worse the longer the system operated. At the time of the incident, the battery had been operating continuously for over 100 hours. By then, the inaccuracy was serious enough to cause the system to look in the wrong place for the incoming Scud.

The Patriot had never before been used to defend against Scud missiles nor was it expected to operate continuously for long periods of time. Two weeks before the incident, Army officials received Israeli data indicating some loss in accuracy after the system had been running for 8 consecutive hours. Consequently, Army officials modified the software to improve the system’s accuracy. However, the modified software did not reach Dhahran until February 26,1991-the day after the Scud incident.

 

Small Explorer

WIRE_Report.PDF Small Explorer WIRE Failure Investigation Report.  This is Appendix F of the WIRE Mishap Investigation Board Report, June 8, 1999.
WireMishap.htm Volume 1 of the WIRE Failure Investigation Report.  June 8, 1999.


WIRE Case Study

nasa_wire_lesson.pdf


Introduction
     Disaster. The Wide-Field Infrared Explorer (WIRE) mission was meant to study the formation and evolution of galaxies. Its telescope was so delicate it had to be sealed inside a solid hydrogen cryostat. But when, shortly after launch, a digital error ejected the cryostat’s cover prematurely, hydrogen discharged with a force that sent the Small Explorer craft tumbling wildly through space.
     The mission was lost. The subsequent investigation identified several oppor-tunities, in review and testing, to have caught the fatal design error. Why did we not? James Barrowman’s report offers several explanations, including lack of communication across Space Flight Centers, lack of vigilance, even when deviating from full system testing, and insufficient peer reviews.
     Responses to the report, solicited from senior managers involved in the development of WIRE, offer competing theories. William Townsend sees par-ticular fault in a complex management structure and misapplication of the F a s t e r, Better, Cheaper mandate. Ken Ledbetter generally agrees, citing "too many players in the game." Jim Watzin, on the other hand, feels technical and inter-organizational excuses mask the real problem: individuals who wouldn’t allow others to see their work.

Recovery of the Wide-Field Infrared Explorer Spacecraft

Everett_WIRE.doc
Everett_WIRE.PDF

Synopsis


Abstract
The Wide Field Infrared Explorer was developed to perform astronomy using a cryogenically cooled infrared telescope. Shortly after launch, rapid venting of the cryogen, caused by an untimely cover removal, sent the spacecraft into an uncontrollable spin which exceeded 60 revolutions per minute. Over the next week, the WIRE team developed a plan and successfully executed the procedures necessary to de-spin the spacecraft and gain attitude control, but the cryogen for cooling the instrument was depleted. The recovery of the spacecraft enabled a thorough checkout of most of the subsystems, including the validation of several new technologies. Although the primary science mission was lost, WIRE is making breakthrough astroseismology measurements using its star tracker. This paper describes the recovery of the WIRE spacecraft and the performance of its key technologies, including the two-stage solid-hydrogen cryostat, an all-bonded graphite-composite structure with K-1100 radiator panels, composite support struts, a dual-junction gallium arsenide solar array module, a concentrator solar array module, and a 300 Mbyte solid-state recorder.


Use of FPGAs in Critical Space Flight Applications— A Hard Lesson

W. Gibbons and H. Ames

1999 MAPLD International Conference, Laurel, MD

B1_Gibbons-Ames_P.PDF
B1_Gibbons-Ames_P.doc

Abstract (excerpt)
In early March of 1999, the NASA Wide Field Infrared Explorer (WIRE) experiment was launched on a Pegasus air launch vehicle from a location in the Pacific Ocean just west of Vandenberg Air Force Base. The launch itself was successful, but a system anomaly prematurely opened the aperture cover of the telescope. This premature opening resulted in excessive venting of gaseous hydrogen from the WIRE instrument. The escaping gas increased the torque rates to the spacecraft to such an extent that the spacecraft could not control them. All the solid-hydrogen cryogen in the instrument was vented within a few hours rather than within the projected four months of nominal mission life. Days after the anomaly, the spacecraft was stabilized, and it is currently being used as an attitude control test vehicle by its builder, Goddard Space Flight Center (GSFC).
Lessons Learned at JPLXL


Lessons Learned At JPL From the HESSI mishap

Abstract
Considerable newspaper and technical publication coverage was given to an overly-severe March 21, 2000 vibration test in Room 144 of Building 100 at the Jet Propulsion Laboratory, Pasadena, California. The over-test caused significant damage (over $1,000,000) to the High Energy Solar Spectroscopic Imager (HESSI) satellite built by the University of California at Berkeley (UCB). A Mishap Investigation Board (MIB) was convened.

 

SEASAT

seasat_short.htm Report of the SEASAT Failure Review Board
seasat.htm  

 

SOHO

http://sohowww.nascom.nasa.gov/operations/Recovery/  


An Analysis of Causation in Aerospace Accidents

Kathryn A. Weiss, Nancy Leveson, Kristina Lundqvist, Nida Farid and Margaret Stringfellow, Software Engineering Research Laboratory, Department of Aeronautics and Astronautics, Massachusetts Institute of Technology, Cambridge, MA

Presented at Space 2001
Albuquerque, New Mexico
August 2001.

http://sunnyday.mit.edu/accidents/soho.doc

 

 

Abstract
After a short description of common accident models and their limitations, a new model is used to evaluate the causal factors in a mission interruption of the SOHO (SOlar Heliospheric Observatory) spacecraft.  The factors in this accident are similar to common factors found in other recent software- related aerospace losses.

 


STRV-1c/d


STRV-1c/d Anomaly Investigation Report

March 2001

strv_1c_1d_failure_report.pdf

 

Apollo


Apollo 13 Guidance, Navigation, and Control Challenges

John L. Goodman, United Space Alliance
AIAA Space 2009 Conference & Exposition
September 14-17, 2009
Pasadena, California
AIAA 2009-6455

Abstract: Combustion and rupture of a liquid oxygen tank during the Apollo 13 mission provides lessons and insights for future spacecraft designers and operations personnel who may never, during their careers, have participated in saving a vehicle and crew during a spacecraft emergency. Guidance, Navigation, and Control (GNC) challenges were the reestablishment of attitude control after the oxygen tank incident, re-establishment of a free return trajectory, resolution of a ground tracking conflict between the LM and the Saturn V S-IVB stage, Inertial Measurement Unit (IMU) alignments, maneuvering to burn attitudes, attitude control during burns, and performing manual GNC tasks with most vehicle systems powered down. Debris illuminated by the Sun and gaseous venting from the Service Module (SM) complicated crew attempts to identify stars and prevented execution of nominal IMU alignment procedures. Sightings on the Sun, Moon, and Earth were used instead. Near continuous communications with Mission Control enabled the crew to quickly perform time critical procedures. Overcoming these challenges required the modification of existing contingency procedures.


Analysis of Apollo 12 lightning incident

     R. Godfrey, Manager, Saturn Program, Marshall Space Flight Center
     E. R. Mathews, Manager, Apollo Program, Kennedy Space Center
     James A. McDivitt, Manager, Apollo Spacecraft Program, Manned Spacecraft Center

Rocco A. Petrone, Apollo Program Director

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

MSC-01540, January 1970

SUMMARY

The Apollo 12 space vehicle was launched on November 14, 1969, at 11:22 a.m. e.s.t, from launch complex 39A at Kennedy Space Center, Florida.  At 36.5 seconds and again at 52 seconds, a major electrical disturbance was caused by lightning. As a result, many temporary effects were noted in both the launch vehicle and spacecraft. Some permanent effects were noted in the spacecraft and involved the loss of nine non-essential instrumentation sensors. All noted effects were associated with solid-state circuits, which are the most susceptible to the effects of a discharge.

Analysis shows that lightning can be triggered by the presence of the long electrical length created by the space vehicle and its exhaust plume in an electric field which would not otherwise have produced natural lightning. Electric fields with sufficient charge for triggered lightning can be expected to contain weather conditions such as the clouds associated with the cold front through which the Apollo 12 vehicle was launched. The possibility that the Apollo vehicle might trigger lightning had not been considered previously.

The Apollo space vehicle design is such that a small risk of triggered lightning is acceptable. In accepting this minimal risk for future flights, launch rule restrictions have been imposed with respect to operations in weather conditions associated with potentially hazardous electric fields.


Apollo 13 Review Board (Cortright Commission)

apollo13_cortright_commission.htm

Preface
     The Apollo 13 accident, which aborted man's third mission to explore the surface of the Moon, is a harsh reminder of the immense difficulty of this undertaking.
     The total Apollo system of ground complexes, launch vehicle, and spacecraft constitutes the most ambitious and demanding engineering development ever undertaken by man. For these missions to succeed, both men and equipment must perform to near perfection. That this system has already resulted in two successful lunar surface explorations is a tribute to those men and women who conceived, designed, built, and flew it.
     Perfection is not only difficult to achieve, but difficult to maintain. The imperfection in Apollo 13 constituted a near disaster, averted only by outstanding performance on the part of the crew and the ground control team which supported them.
     The Apollo 13 Review Board was charged with the responsibilities of reviewing the circumstances surrounding the accident, of establishing the probable causes of the accident, of assessing the effectiveness of flight recovery actions, of reporting these findings, and of developing recommendations for corrective or other actions. The Board has made every effort to carry out its assignment in a thorough, objective, and impartial manner. In doing so, the Board made effective use of the failure analyses and corrective action studies carried out by the Manned Spacecraft Center and was very impressed with the dedication and objectivity of this effort.
     The Board feels that the nature of the Apollo 13 equipment failure holds important lessons which, when applied to future missions, will contribute to the safety and effectiveness of manned space flight.


Apollo 13: Houston We've Got a  Problem

EP-76
1970

 


Apollo 204 Accident

Report of the Committee on Aeronautical and Space Sciences, United States Senate, with Additional Views

90th Congress, 2d Session
Report No. 956
January 30, 1968

Preface
    
It is the committee's view that, when an event such as the tragic Apollo 204 accident occurs, it is necessary for the appropriate congressional committees to review the event thoroughly. The Congress has a duty to be fully informed and to provide an information flow to the people. Further the committee has a responsibility to satisfy itself that a strong NASA management is exercising vigilance over the safety of the people working on the space programs.
     No single person bears all of the responsibility for the Apollo 204 accident. It happened because many people made the mistake of failing to recognize a hazardous situation.
     Three courageous men lost their lives in this tragic accident. They died in the service of their country. Because of their deaths, manned space flight will be safer for those who follow them. The names Grissom, White, and Chaffee are recorded in history and the most fitting memorial the country can leave these men is the success of the Apollo program - the goal for which they gave their lives.
44_195.pdf


APOLLO 13 MISSION

HEARING BEFORE THE COMMITTEE ON AERONAUTICAL AND SPACE SCIENCES

UNITED STATES SENATE, NINETY-FIRST CONGRESS, SECOND SESSION, APRIL 24, 1970

47_476.pdf


APOLLO 13 MISSION REVIEW HEARING BEFORE THE COMMITTEE ON AERONAUTICAL AND SPACE SCIENCES

UNITED STATES SENATE

NINETY-FIRST CONGRESS, SECOND SESSION JUNE 30, 1970

47_591.pdf


HEARINGS BEFORE THE COMMITTEE ON SCIENCE AND ASTRONAUTICS

U.S. HOUSE OF REPRESENTATIVES

NINETY-FIRST CONGRESS, SECOND SESSION, JUNE 16, 1970 [No. 19]

(audio)

"We choose to go to the moon...."

"...space is there, and we're going to climb it."


Special Message to the Congress on Urgent National Needs

May 25, 1961

First, I believe that this nation should commit itself to achieving the goal, before this decade is out, of landing a man on the moon and returning him safely to the earth. No single space project in this period will be more impressive to mankind, or more important for the long-range exploration of space; and none will be so difficult or expensive to accomplish. (Full Text)   (Kennedy Library)


(med_res   high_res)

September 21, 1962
69-HC-1245

JFK at Rice University

Audio (mp3)
Audio (wav)

Video Part 1
Video Part 2
Video Part 3
Video Part 4

Text

The Decision to Go to the Moon: President John F. Kennedy's May 25, 1961 Speech before Congress

 

Plus lots of good Apollo links.

On May 25, 1961, President John F. Kennedy announced before a special joint session of Congress the dramatic and ambitious goal of sending an American safely to the Moon before the end of the decade. A number of political factors affected Kennedy's decision and the timing of it. In general, Kennedy felt great pressure to have the United States "catch up to and overtake" the Soviet Union in the "space race." Four years after the Sputnik shock of 1957, the cosmonaut Yuri Gagarin had become the first human in space on April 12, 1961, greatly embarrassing the U.S. While Alan Shepard became the first American in space on May 5, he only flew on a short suborbital flight instead of orbiting the Earth, as Gagarin had done. In addition, the Bay of Pigs fiasco in mid-April put unquantifiable pressure on Kennedy.  He wanted to announce a program that the U.S. had a strong chance at achieving before the Soviet Union. After consulting with Vice President Johnson, NASA Administrator James Webb, and other officials, he concluded that landing an American on the Moon would be a very challenging technological feat, but an area of space exploration in which the U.S. actually had a potential lead. Thus the cold war is the primary contextual lens through which many historians now view Kennedy's speech.

NASA Apollo Mission Apollo-1-- Report Title Page

REPORT OF APOLLO 204 REVIEW BOARD

TO

THE ADMINISTRATOR

NATIONAL AERONAUTICS AND SPACE ADMINISTRATION

NASA Apollo Mission Apollo-1-- NASA Response


NASA Response To Findings, Determinations, And Recommendations Of Apollo 204 Review Board

NASA Apollo Mission Apollo-1-- Baron Report

Baron Report (1965-1966)

[From \Investigation into Apollo 204 Accident

Baron's Testimony Before Congress

NASA Apollo Mission Apollo-1-- Phillips Report

 

Skylab

Skylab_Lessons.htm These lessons learned are from Skylab Lessons Learned as Applicable to a Large Space Station, a dissertation submitted to the faculty of The School of Engineering and Architecture of the Catholic University of America for the Degree Doctor of Engineering by William C. Schneider, Washington, D.C., 1976.
Skylab_Report.htm Skylab Failure Report

 

International Space Station (ISS)


Testimony to the House Subcommittee on Space and Aeronautics On the Assessment of Apollo Hardware for CRV and CTV

Dale Myers
May 8, 2003

Assessment of Apollo Hardware for CRV and CTV

Introduction
A team (Appendix 1) was chartered by NASA to make a top-level assessment of the viability of using the Apollo Command and Service Modules (CSM) as the basis for a Crew Return Vehicle (CRV), and potentially for a Crew Transfer Vehicle (CTV) for the International Space Station (ISS).  This assessment was conducted on March 13-14, 2003.  None of the conclusions can be other than judgemental, due to the short time of study, but this small group does cover a broad background of knowledge and experience about Apollo and about human space flight.

FGB Launch Introduction
On November 22, 1998, the FGB-the first piece of the International Space Station-was carried into orbit atop a Proton rocket. Another flaw in the design very nearly stopped the program dead in its tracks within hours of launch. Once the FGB had reached orbit, champagne corks popped at Baykonur, but at Russia's military space control center southwest of Moscow, it was eyeballs that were popping. As the FGB passed overhead on its first orbit, controllers radioed up some routine instructions for the autopilot to prepare to raise its orbit. The FGB sailed on, not responding. The commands were not even acknowledged.

 

Challenger


Lessons Learned but Forgotten from the Space Shuttle Challenger Accident

Allan J. McDonald, ATK Thiokol Propulsion (Retired)
Space 2004 Conference and Exhibit
September 28-30, 2004, San Diego, California
AIAA 2004-5830

macdonald_2004.pdf

Abstract
At the time of the Challenger accident, I was the Director of the Space Shuttle Solid Rocket Motor Project for Morton Thiokol Inc.. The cause of the failure and the controversy surrounding the decision to launch the Challenger in such cold weather is discussed in detail in the Presidential Commission's Report on the Challenger Accident. The Challenger was launched at 16:38:00:010 GMT on January 28th, 1986 from the Kennedy Space Center (KSC). I was in the Launch Control Center (LCC) at the time of the launch. The Mission Management Teams’ (MMT) decision to launch the Challenger was flawed because of the lack of communication both horizontally and vertically within the NASA organizational structure. The Columbia accident suffered from a similar breakdown in communications along with failure to consider the seriousness of engineers' concerns much like the Challenger. This paper will discuss the details leading to the failure of the Challenger and the lessons learned from the accident. The paper will also show how the mistakes from the Challenger accident in 1986, the 25th flight of the Space Shuttle, were repeated in the loss of the Columbia in 2003, some 17 years and 88 flights later.


Ethical Decisions - Morton Thiokol and the Space Shuttle Challenger Disaster

Roger M. Boisjoly
Presented at the ASME Winter Annual Meeting
Paper 87-WA/TS-4
Boston, Massachusetts, Dec. 13-18, 1987

Abstract

A background summary of important events leading to the Challenger disaster will be presented starting with January, 1985, plus the specifics of the telecon meeting held the night prior to the launch at which the attempt was made to stop the launch by the Morton Thiokol engineers. A detailed account will show why the off-line telecon caucus by Morton Thiokol Management constituted the unethical decision-making forum which ultimately produced the management decision to launch Challenger without any restrictions.

The paper will continue with the post-disaster chronology of my working relationship with Morton Thiokol Management and conclude with a discussion on accountability, professional responsibility and ethical conduct which should be practiced in the work place, plus statements from the academic community about the plight of whistleblowers and my closing remarks.


Strategy for Safely Returning Space Shuttle to Flight Status

Date: 99th Congress, 2nd Session, May 15, 1986
63_144.pdf

(Hearing) U.S. House Committee on Science and Technology, Subcommittee on Space Science and Applications.

Pages: 124 (7.06 MB)


Space Shuttle Accident - Hearing on the Space Shuttle Accident and the Rogers Commission Report.

Date: 99th Congress, 2nd Session, February 18, June 10 and 17, 1986
62_885.pdf

(Hearing) U.S. Senate Committee on Commerce, Science and Transportation, Subcommittee on Science, Technology and Space.

Pages: 219 (14.2 MB)


Apollo, Challenger, Columbia:
The Decline of the Space Program

Phillip K. Tompkins
Roxbury Publishing Company
©2005 Roxbury Publishing Company

Contents
  • Preface

  • Introduction and Acknowledgements

  • The Columbia Accident

  • The Week Following: Debris, Data, and Fault Trees

  • Culture and Communication in NASA

  • Communication and Culture in the Marshall Space Flight Center

  • The Challenger Accident

  • The Mysteries of Columbia Continue

  • Reading the CAIB Report: Echos of Challenger and a Cultural Fence

  • The Challenger Syndrome and the Decline of American Organizations and Institutions: "Speaking Truth to Power"

  • Chicken Little, the Ostrich, and Spiderman

  • Case of Characters


Investigation of the Challenger Accident - (Hearing) U.S. House Committee on Science and Technology

Volume 1 (64_295.pdf)
Date: 99th Congress, 2nd Session, June 10, 11, 12, 17, 18, 25, 1986
Pages: 778 (38.7 MB) - Due to its size, this hearing has been divided into two smaller files.
Volume 2 (64_548.pdf)
Date: 99th Congress, 2nd Session, July 15, 16, 23, 24, 1986
Pages: 591 (20.9 MB) - Due to its size, this hearing has been divided into two smaller files.
  • Part 1 - Pages 1-327 (15.5 MB)  (64_548a.pdf)
  • Part 2 - Pages 328-591 (5.32 MB)


Investigation of the Challenger Accident - (Report) U.S. House Committee on Science and Technology.

Date: 99th Congress, 2nd Session, October 29, 1986
Pages: 450 (19.8 MB)   64_420.pdf

Due to its size, this report has been divided into two smaller files.


Space Shuttle Oversight

Date: 100th Congress, 1st Session, January 22, 1987
Pages: 170 (9.23 MB)   72_663.pdf

(Hearing) U.S. Senate Committee on Commerce, Science and Transportation, Subcommittee on Science, Technology and Space. (Hearing on Oversight of the National Aeronautics and Space Administration's Space Shuttle Redesign Activities)


NASA’s Response to the Committee’s Investigation of the "Challenger" Accident

Date: 100th Congress, 1st Session, February 26, 1987
Pages: 47 (2.56 MB)  73_353.pdf

(Hearing) U.S. House Committee on Science, Space and Technology


Hubble Space Telescope and the Space Shuttle Problems

Date: 101st Congress, 2nd Session, July 10, 1990
Pages: 59 (4.08 MB)  36_688.pdf

(Hearing) U.S. Senate Committee on Commerce, Science and Transportation, Subcommittee on Science, Technology and Space.


"What Do You Care What Other People Think?"

Richard P. Feynman
© 1988 by Gweneth Feynman and Ralph Leighton
W W Norton & Company
ISBN 0-393-32092-8

Preface

A CURIOUS CHARACTER: The Making of a Scientist; "What Do You Care What Other People Think?"; It's as Simple as One, Two, Three. . . ; Getting Ahead; Hotel City; Who the Hell Is Herman?; Feynman Sexist Pig!; I Just Shook His Hand, Can You Believe It?; Letters; Photos and Drawings

MR. FEYNMAN GOES TO WASHINGTON: INVESTIGATING THE SPACE SHUTTLE CHALLENGER DISASTER: Preliminaries; Committing Suicide; The Cold Facts; Check Six!; Gumshoes; Fantastic Figures; An Inflamed Appendix; The Tenth Recommendation; Meet the Press; Afterthoughts; Appendix F: Personal Observations on the Reliability of the Shuttle

EPILOGUE: Preface; The Value of Science


Challenger A Major Malfunction

A True Story of Politics, Greed, And the Wrong Stuff

Malcolm McConnell
Doubleday & Company, Inc., Garden City, NY 1987
ISBN 0-385-23877-0
© 1987 by Malcolm McConnell

Preface (excerpt)
   ...
This book's goal is to dissect a tragic policy failure, to reveal the political intrigue and compromise, the venality and hidden agendas that combined over almost twenty years to produce the disaster.


Understanding the Challenger Disaster: Organizational Structure and the Design of Reliable Systems

C.F. Larry Heimann
Michigan State University

American Political Science Review
Vol. 87, No. 2., June 1993
pp. 421-435

heimann_1

Abstract
The destruction of the space shuttle Challenger was a tremendous blow to American space policy.  To what extent was this loss the result of organizational factors at the National Aeronautics and Space Administration?  To discuss this question analytically, we need a theory of organizational reliability and agency behavior.   Martin Landau's work on redundancy and administrative performance provides a good starting point for such an effort.  Expanding on Landau's work, I formulate a more comprehensive theory of organizational reliability that incorporates both type I and type II errors.  These principles are then applied in a study of NASA and its administrative behavior before and after the Challenger accident.
51lcover


Challenger Report

The complete text and images of the Report of the Presidential Commission of the Space Shuttle Challenger Accident (commonly known as the Rogers Commission report, after its chairman, William P. Rogers) are now on-line. This site includes both the multi-volume report itself, which was published in June 1986, as well as the Implementations of the Recommendations, published in June 1987.  The report includes extensive testimony, charts, photos, correspondence, and analytical narrative and is a tremendous reference source for those interested in the Challenger accident.


From Bridges and Rockets, Lessons for Software Systems

C. Michael Holloway
NASA Langley Research Center

Conference Proceedings of the 17th International System Safety Conference
August 16-21, 1999
Orlando, Florida, pages 598-607.

cmh-issc-lessons.pdf
cmh-issc-lessons.htm


Abstract
Although differences exist between building software systems and building physical structures such as bridges and rockets, enough similarities exist that software engineers can learn lessons from failures in traditional engineering disciplines. This paper draws lessons from two well-known failures--the collapse of the Tacoma Narrows Bridge in 1940 and the destruction of the space shuttle Challenger in 1986--and applies these lessons to software system development. The following specific applications are made: (1) the verification and validation of a software system should not be based on a single method, or a single style of methods; (2) the tendency to embrace the latest fad should be overcome; and (3) the introduction of software control into safety-critical systems should be done cautiously.


Launching the Space Shuttle Challenger: Disciplinary Deficiencies in the Analysis of Data

Frederick F. Lighthall
IEEE Transactions on Engineering Management, Vol. 38, No. 1., February 1991, pp. 63-74

Abstract
This paper analyzes published and archival testimony of participants in the decision to launch the space shuttle Challenger and extracts new lessons from the decision process for engineering training and engineering managers.  Examination of interview testimony, published hearings, and tabular data examined by the decision participants at the time of the Challenger launch show not only that analysis of data and reasoning were flawed, but that the flaws are attributable in large measure not to personal or even organizational failings but rather to a professional weakness shared by all participants.   The professional weakness pointed to is either curricular or instructional: a gap in the education of engineers.  Staff engineers and engineering managers arguing for and against the launch, all of whom agreed they had insufficient quantitative data to support an argument against the launch, were unable to frame basic questions of covariation among field variables, and thus unable to see the relevance of routinely gathered field data to the issues they debated before the Challenger launch.  Simple analyses of field data available to both Morton-Thiokol and NASA at launch time and months before the Challenger launch are presented to show that the arguments against launching at cold temperatures could have been quantified, but were not quantified, to the point of predicting degrees of component failure beyond those held by decision participants to be safe.  The weakness in engineering education, in turn, is taken to be of a pervasive genre: An overemphasis on contemporary universities and research centers on specialization and analysis and an underemphasis on synthesis of knowledge across fields.  A larger lesson of the accident, then, is that professional narrowness, leading to false diagnosis of cause-effect relations, can be fatal.
 

Prescription for Disaster
From the Glory of Apollo to the Betrayal of the Shuttle

Joseph J. Trento
With reporting and Editing by Susan B. Trento

Crown Publishers, Inc., New York
© 1987 by Joseph J. Trento
ISBN 0-517-56415-7

 

Contents

  1. The Great Space Race
  2. The Kenney Years
  3. Shooting the Moon
  4. Flight of the Sun God
  5. Shuttle
  6. The Dark Side of Space
  7. Carter- The Man Who Paid the Piper
  8. Fly Now, Pay Later
  9. The Contractors and the Congress
  10. The Politics of Space
  11. Death of a Dream

Notes on Sources and Interviews


The Challenger Launch Decision
Risky Technology, Culture, and Deviance at NASA

Diane Vaughan
The University of Chicago Press
Chicago and London
©1996 by The University of Chicago
ISBN 0-226-85175-3 (cloth)
ISBB 0-226-85176-1 (paper)

Contents
  1. The Eve of the Launch
  2. Learning Culture, Revising History
  3. Risk, Work Group Culture, and the Normalization of Deviance
  4. The Normalization of Deviance, 1981-1984
  5. The Normalization of Deviance, 1985
  6. The Culture of Production
  7. Structural Secrecy
  8. The Eve of the Launch Revisited
  9. Conformity and Tragedy
  10. Lessons Learned

Appendix A Cost/Safety Tradeoffs? Scrapping the Escape Rockets and the SRB Contract Award Decision
Appendix B Supporting Charts and Documents
Appendix C On Theory Elaboration, Organizations, and Historical Ethnograpy

NASA Leadership and America's Future in Space

A Report to the Administrator

 

By Dr. Sally K. Ride
August 1987

Ride_Report
(on the http://history.nasa.gov server)

Excerpt from the Preface

For nearly a quarter of a century, the U. S. space program enjoyed what can appropriately be termed a “golden age” From the launch of Earth-orbiting satellites, to the visits by robotic spacecraft to Venus and Mars, to the stunning achievement of landing the first human beings on the Moon, the many successes of the space program were exciting and awe-inspiring. The United States was clearly and unquestionably the leader in space exploration, and the nation reaped all the benefits of pride, international prestige, scientific advancement, and technological progress that such leadership provides.

However, in the aftermath of the Challenger accident, reviews of our space program made its shortcomings starkly apparent. The United States’ role as the leader of spacefaring nations came into serious question. The capabilities, the direction, and the future of the space program became subjects of public discussion and professional debate.

The U.S. civilian space program is now at a crossroads, aspiring toward the visions of the National Commission on Space but faced with the realities set forth by the Rogers Commission. NASA must respond aggressively to the challenges of both while recognizing the necessity of maintaining a balanced space program within reasonable fiscal limits.

Challenger, STS-51L Information


Information on the STS-51L/Challenger Accident
NASA's History Office

NASA Sites

Non-NASA Sites

 

DC-XA Clipper Graham

 


DC-XA Clipper Graham Mishap Investigation Report

Final Report: September 12, 1996

dcx_report.pdf

I have Volumes II and III in hardcopy and have not had time to scan them yet.  Please contact me for access.

Contents

Volume I

Section 1. Transmittal Letter; Section 2. Signature Page; Section 3. List of Members, Advisors, Observers, and Others; Section 4. Executive Summary; Section 5. Method of Investigation, Board Organization, and/or Special Circumstances; Section 6. Narrative Description; Section 7. Data Analysis; Section 8. Causes, Findings, Observations, and Recommendations; Section 9. Definitions of Terms and Acronyms; Section 10. References

**Volume II - Appendices

Appendix A. NASA Mishap Report (Form 1627); Appendix B. Directive Appointing Board; Appendix C. DC-XA Flight Test Cards; Appendix D. Vehicle Preparation Records; Appendix E. Landing Gear 2 Functional Test; Appendix F. Helium Decay/Equivalent Orifice Analysis; Appendix G. Photographs of the Flight, Accident, and Wreckage, and Photographs and Drawings of Landing Gear; Appendix H. Weather Report: SAMS Data Report Northrup Strip and White Sands Missile Range

**Volume III - Proposed Corrective Action Implementation Plan

Volume IV - Lessons Learned Summary

*Volume V - Witness Statements, Recordings/Transcripts (*Transmitted under separate cover to the Director, Safety and Risk Assessment Division, Office of Safety and Mission Assurances, NASA Headquarters)

**Not included in this electronic copy of the document.

 

Lewis and Clark

Lewis Spacecraft Mission Failure Investigation Board

Final Report

February 12, 1999

lewis_document.pdf


Executive Summary (excerpt)

The Board found that the loss of the Lewis Spacecraft was the direct result of an implementation of a technically flawed Safe Mode in the Attitude Control System. This error was made fatal to the spacecraft by the reliance on that unproven Safe Mode by the on orbit operations team and by the failure to adequately monitor spacecraft health and safety during the critical initial mission phase.

The Board also discovered numerous other factors that contributed to the environment that allowed the direct causes to occur. While the direct causes were the most visible reasons for the failure, the Board believes that the indirect causes were also very significant contributors. Many of these factors can be attributed to a lack of a mutual understanding between the contractor and the Government as to what is meant by Faster, Better, Cheaper. These indirect contributors are to be taken in the context of implementing a program in the Faster, Better, Cheaper mode:

  • Requirement changes without adequate resource adjustment

  • Cost and schedule pressures

  • Program Office move

  • Inadequate ground station availability for initial operations

  • Frequent key personnel changes

  • Inadequate engineering discipline

  • Inadequate management discipline

 

X-43


 

Report of Findings X-43A Mishap
By the
X-43A Mishap Investigation Board

Approved 5/8/03

47414main_x43A_mishap.pdf

Executive Summary (excerpt)

NASA initiated the Hyper-X Program in 1996 to advance hypersonic air-breathing propulsion and related technologies from laboratory experiments to the flight environment.  This program was designed to be a high-risk, high-payoff program. The X-43A was to be the first flight vehicle in the flight series. The X-43A was a combination of the Hyper-X Research Vehicle (HXRV), HXRV adapter, and Hyper-X Launch Vehicle (HXLV) referred to as the X-43A stack. The first X-43A flight attempt was conducted on June 2, 2001.

The HXLV was a rocket-propelled launch vehicle modified from a Pegasus launch vehicle stage one (Orion 50S) configuration. The HXLV was to accelerate the HXRV to the required Mach number and operational altitude to obtain scramjet technology data. The trajectory selected to achieve the mission was at a lower altitude and subsequently a higher dynamic pressure than a typical Pegasus trajectory. This trajectory was selected due to X-43A stack weight limits on the B-52.

During the first mission, the X-43A stack was released from a B-52 carrier aircraft one hour and 15 minutes after takeoff. This corresponds to 0.0 seconds mission time. The HXLV solid rocket motor ignition occurred 5.19 seconds later and the mission proceeded as planned through the start of the pitch-up maneuver at 8 seconds. During the pitch-up maneuver the X-43A stack began to experience a control anomaly (at approximately 11.5 seconds) characterized by a diverging roll oscillation at a 2.5 Hz frequency. The roll oscillation continued to diverge until approximately 13 seconds when the HXLV rudder electromechanical actuator (EMA) stalled and ceased to respond to autopilot commands.  The rudder actuator stall resulted in loss of yaw control that caused the X-43A stack sideslip to diverge rapidly to over 8 degrees. At 13.5 seconds, structural overload of the starboard elevon occurred. The severe loss of control caused the X-43A stack to deviate significantly from its planned trajectory and the vehicle was terminated by range control 48.57 seconds after release.

 

GSFC Anomaly Reports


Orbital Anomalies in Goddard Spacecraft (OAGS) Annual Reports

Abstract
The documents found on this page are Goddard Space Flight Center Orbital Anomalies in Goddard Spacecraft (OAGS) Annual Reports. These reports summarize anomalies occurring in Goddard managed spacecraft for each calendar year.

General Reports


An Analysis of Causation in Aerospace Accidents

Kathryn A. Weiss, Nancy Leveson, Kristina Lundqvist, Nida Farid and Margaret Stringfellow, Software Engineering Research Laboratory, Department of Aeronautics and Astronautics, Massachusetts Institute of Technology, Cambridge, MA

Presented at Space 2001
Albuquerque, New Mexico
August 2001.

http://sunnyday.mit.edu/accidents/soho.doc

 

 

Abstract
After a short description of common accident models and their limitations, a new model is used to evaluate the causal factors in a mission interruption of the SOHO (SOlar Heliospheric Observatory) spacecraft.  The factors in this accident are similar to common factors found in other recent software- related aerospace losses.

Space_Launch_Vehicles
_Broad_Area_Review.pdf


Space Launch Vehicles Broad Area Review Report

Nov 1999

Charter
Establish a Broad Area Review (BAR) to:

  • Examine recent launch failures
  • Provide a report that includes
    • Causes of the failures
    • Recommendations for changes in practices, procedures, and operations to enhance mission success
12_21_00_NIAT.pdf


Enhancing Mission Success – A Framework for the Future
A Report by the NASA Chief Engineer and the NASA Integrated Action Team

Introduction
In March 2000, NASA released a series of reports that were the product of activities chartered by the Agency in response to failures in the Mars Program, Shuttle wiring problems, and a generic assessment of NASA’s approach to executing "Faster, Better, Cheaper" projects. The subject reports are:

  • Mars Climate Orbiter (MCO) Mishap Investigation chaired, by Mr. Arthur Stephenson,
  • Director, Marshall Space Flight Center (MSFC),
  • Mars Program Independent Assessment (MPIA), chaired by Mr. A. Thomas Young, Lockheed Martin (retired),
  • NASA Faster, Better, Cheaper (FBC) Task, chaired by Mr. Anthony Spear, Jet Propulsion Laboratory Mars Pathfinder Project Manager (retired),
  • Shuttle Independent Assessment (SIA), chaired by Dr. Henry McDonald, Director, Ames Research Center (ARC).

Recommendations contained in the reports not only addressed root and contributing causes of specific failures but also looked beyond those incidents to make broader recommendations to the Agency on ways it might improve its general approach to executing programs and projects.

The Office of Space Science (OSS) and the Office of Space Flight (OSF) are completing responses to program specific recommendations of the reports.  (1/8/2001)

The Impact of the Space Environment on Space Systems

July 20, 1999
H.C. Koons, J.E. Mazur, R.S. Selesnick, J.B. Blake, J.F. Fennell, J.L. Roeder, and P.C. Anderson
Space and Environment Technology Center
Technology Operations

Prepared for:
Space and Missile Systems Center
Air Force Materiel Command

Aerospace Report No. TR-99(1670)-1

TR-99-1670-1.pdf (Full report)
TR-99-1670-1_Main.pdf (Main report, 720 kbytes)
TR-99-1670-1_Appendix.pdf (Appendices, 3 Mbytes)

Abstract
We have undertaken a study to determine the impact of the space environment on space systems.  Known impacts include mission outages, mission degradation and mission failure, launch delays, redesign and retest, anomaly analyses, and the ultimate cost for each of the preceding.  We are attempting to quantify these impacts whenever possible.  This task is made difficult because impacts are rarely formally documented.   We reviewed a variety of sources for anomaly impact information.   These sources include anomaly reports from the archives of the Space Sciences Department of The Aerospace Corporation, and contractor reports and published documents relating to spacecraft anomalies.  The study provides a good indication of the quality and quantity of the data available.  It also shows the degree to which it is possible to obtain impact information for historical anomalies.  We summarize the results of the study, and emphasize those causes for which it may be possible to provide predictive information such as surface charging, internal charging, and the single-event upsets that accompany solar proton events.
Distribution limited to US Government agencies and their contractors only.   Contact richard.b.katz@nasa.gov for distribution.


Space Systems Engineering Lessons Learned

Aerospace Report No. TOR-2001(8504)-0798
March 30, 2001
The Aerospace Corporation

 

NEAR

NEAR_Rendezvous_Burn.pdf


The NEAR Rendezvous Burn Anomaly of December 1998 - Final Report

(1.2 MB PDF file), Requires Adobe Acrobat Reader 4.0 (Added 1/30/01)

 

Ariane

ariane_157_pressconference.ppt


Flight 157 - Ariane 5 ECA Press Conference

Paris - January 7, 2003

Ariane501.htm ARIANE 5 - Flight 501 Failure -Report by the Inquiry Board (March 29, 2000)
ariane_501_full_report.pdf Has a set of presentation slides as an Appendix. (January 2, 2002)
Ariane 5 Failure ResourcesXL

Niwot Ridge Resources

A Source of Information for Mission Critical Software Systems, Management Processes, and Strategies

 

Huygens/Cassini

huygens_enquiry_board.PDF
huygens_enquiry_board.doc

huygens_enquiry_board_annex.PDF
huygens_enquiry_board_annex.ppt

Huygens_Recovery_Plan.htm


Huygens Communications Link Enquiry Board Report

Introduction
In February 2000, after the fifth in-flight cruise check-out of the Huygens Probe, a dedicated Probe Relay Link Test was performed, aimed at characterising the performance of the Probe Support Equipment (PSE) under realistic mission conditions.    This test revealed some unexplained anomalies in the communication subsystem in terms of data recovery in the presence of Doppler at mission-representative levels.   (12/21/2000)

The Huygens recover plan has been added.  (6/29/2001)


Resolving the Cassini/Huygens Relay Radio Anomaly

Leslie J. Deutsch
Jet Propulsion Laboratory

huygens_deutsh.pdf

Abstract
NASA's Cassini mission to Saturn carries the Europen Space Agency's (ESA's) Huygens probe, which it will release shortly before an encounter with Saturn's moon, Titan, a possible location for extraterrestrial life within our Solar System. As it parachutes towards Titan's surface, Huygens will acquire scientific information which will be relayed to Earth through Cassini. Comprehensive testing of this relay radio link was not performed prior to Cassini launch and cannot be done during cruise. A test using NASA's Deep Space Network (DSN) to mimic the probe's signal was performed in 2000 and uncovered an anomaly that, unchecked, would result in nearly complete loss of the Huygens mission. An international team of experts from NASA and ESA was assembled to solve this problem: the Huygens Recovery Task Force (HRTF.) This team, co-chaired by the author, performed extensive testing, modeling, and simulation to understand the failure mechanism. Each Huygens science team determined mission impacts for various scenarios based on these results. This led to a suggested modification to the Cassini trajectory that will result in nearly complete data return for Huygens with minimal impact on Cassini.

 

USSR/Russian


Causes of the Soyuz TMA-1 Descent Vehicle Returning to Earth in Ballistic Mode

May 26, 2003
Korolev, Moscow Region.

Official Press Release

OFFICIAL PRESS RELEASEXL

Introduction
The findings of the technical commission established to analyze the causes of the Soyuz TMA-1 descent vehicle returning to Earth in ballistic mode were presented at a press conference held at S.P.Korolev Rocket and Space Corporation Energia for journalists of Russian and international TV companies and information agencies, as well as representatives from NASA and European Space Agencies. The chairman of the commission is the First Deputy General Designer of RSC Energia N.I.Zelenschikov. Present at the press conference were members of the commission - managers and specialists from RSC Energia, Federal Office of Aviation and Space Rescue and Recovery, Gagarin Cosmonaut Training Center and TsNIIMash.
FGB Launch Introduction
On November 22, 1998, the FGB-the first piece of the International Space Station-was carried into orbit atop a Proton rocket. Another flaw in the design very nearly stopped the program dead in its tracks within hours of launch. Once the FGB had reached orbit, champagne corks popped at Baykonur, but at Russia's military space control center southwest of Moscow, it was eyeballs that were popping. As the FGB passed overhead on its first orbit, controllers radioed up some routine instructions for the autopilot to prepare to raise its orbit. The FGB sailed on, not responding. The commands were not even acknowledged.
Nedelin disaster


R-16 Family: Nedelin Disaster

It took almost three decades before the first publication in the official Soviet press shed the light on what really happened in October 1960. In 1989, Ogonyok magazine, a mouthpiece of Gorbachev's "perestroika," run a story called "Sorok Pervaya Ploshadka," (or Site 42 in English). The article revealed to the Soviet people that Nedelin died in the explosion of a ballistic missile in Tyuratam along with numerous other nameless victims.

Some interesting excerpts:

To make matters worse, several minutes after the membranes blew up, pyrotechnic devices on the valves of one of three engines in the first stage fired spontaneously.

The commission concluded that the management of the testing was overly confident in the safe performance of the complex vehicle, which resulted in the decisions taken without thorough analysis.

(Added 10/9/01)

 

Genesis

genesis.mov Movie of Genesis crashing on September 8, 2004.  The chutes did not deploy.
mishap_board_leader.htm Sept. 10, 2004

NASA's Associate Administrator for Science Al Diaz announced today, Dr. Michael Ryschkewitsch, Director of the Applied Engineering and Technology Directorate at NASA's Goddard Space Flight Center (GSFC), Greenbelt, Md., would lead the Genesis Mishap Investigation Board (MIB).


Genesis Mishap: Understanding the Causes and the Opportunities

Dr. Mike Ryschkewitsch
Deputy Director, NASA Goddard Space Flight Center

Abstract and Bios

Systems Engineering Seminar Presentation
February 7, 2006

Files

 

NOAA


NOAA-13 Failure Report

August 1994

SUMMARY (excerpt)
   The National Oceanic and Atmospheric Administration (NOAA)-13 (NOAA-I before launch) was the tenth NOAA-funded operational spacecraft of the Television and Infrared Observational Satellite (TIROS)-N series to be launched. Nine of the ten launches have been successful.
   The NOAA-13 was launched on August 9, 1993. The initial checkout of NOAA-13 proceeded as planned and no anomalies were encountered until August 21. On that date after loss of signal by the Wallops Island, Virginia tracking station while in full sunlight, the NOAA-13 satellite solar array bus shorted to satellite ground, which effectively removed the solar array from the power line. The batteries immediately took over to provide power to the satellite. The NOAA-13 was not being monitored on orbit 176 due to a ground station conflict with the operational NOAA-12 satellite. On orbit 177, the operations crew noted that the battery low voltage and high temperature flags on all three batteries had been set. The data from orbits 176 and 177 were recorded. Orbit 178 was the first negative acquisition by the Wallops Island, Virginia Station. Orbits 179 and 180 were not monitored due to ground station geometry. On orbit 181, satellite recovery procedure commenced; however, no further signals from the satellite were received.


NOAA N-PRIME Mishap Investigation
Final Report

September 13, 2004
65776main_noaa_np_mishap.pdf

EXECUTIVE SUMMARY (excerpt)
On Saturday, September 6, 2003 during an operation at Lockheed Martin Space Systems Company (LMSSC) Sunnyvale that required repositioning the Television Infrared Observational Satellites (TIROS) National Oceanic and Atmospheric Administration (NOAA) N-Prime satellite from a vertical to a horizontal position, the satellite slipped from the Turn-Over Cart (TOC) and fell to the floor (see Figure 3-1). The satellite sustained heavy damage (see Figure 3-2), although no injuries to personnel occurred. The exact extent of the hardware damage is still being assessed.

 

Gemini


Gemini VIII: Stuck Thruster
 

Synopsis
Shortly after sending encoder command 041 (recorder ON), roll and yaw rates were observed to be developing. No visual or audible evidence of spacecraft thruster firing was noted, and the divergence was attributed to the GATV.

 

DART


NESC Review of Demonstration of Autonomous Rendezvous Technology (DART) Mission Mishap Investigation Board Review

Synopsis (excerpt)
On April 15, 2005, the Demonstration of Autonomous Rendezvous Technologies (DART) spacecraft was launched from the Western Test Range at Vandenberg Air Force Base, California. DART was designed to rendezvous with, and perform a variety of maneuvers in close proximity to, the Multiple Paths, Beyond-Line-of-Sight Communications (MUBLCOM) satellite, without assistance (autonomously) from ground personnel. DART performed as planned during the first eight hours through the launch, early orbit, and rendezvous phases of the mission, accomplishing all objectives up to that time, even though ground operations personnel noticed anomalies with the navigation system. During proximity operations, however, the spacecraft began using much more propellant than expected. Approximately 11 hours into what was supposed to be a 24-hour mission, DART detected that its propellant supply was depleted, and it began a series of departure maneuvers. Although it was not known at the time, DART had actually collided with MUBLCOM 3 minutes and 49 seconds before initiating departure.

Shuttle


Shuttle ALT Free Flight 1: GPC 2 Failure

Introduction
The separation event was marked by a sharp, but not loud, explosive sound and a brief, sharp, upward lurch. Neither the noise nor the jolt were particularly distracting and did not affect the accomplishment of the planned procedures. Immediately after the separation event, a master alarm occurred and a computer caution and warning light, a computer annunciation matrix column on general purpose computer 2, and a big "X" on cathode ray tube 2 were noticed .


Shuttle ALT Flight 1A: GPC 3 Failure

 

Summary
General purpose computer 3 failed during preflight checks for captive-active flight 1A on June 17, 1977, at 14:33:04. The central processing unit and input-output processor both stopped executing. No built-in test equipment error indications were generated.   Troubleshooting, including thermal cycling, has not caused the problem to recur. The problem cannot be further isolated by analysis, so the actual cause cannot be determined.


Inadvertent Firing of L1L, L1U, R4U, F3L, and F3U (ORB)

 

Power-on Reset Problem
Primary reaction control system (RCS) thrusters L1L, L1U, R4U, F3L, and F3U inadvertently fired simultaneous 80-msec pulses at 035:11:41:06 G.m.t. (001:06:19:02 MET) when aft flight controller power was switched on. The firing was consistent with a +Y/+Z translation command response. The crew reported that the aft station translational hand controller (THC) had not been deflected.


Evaluation of Ice and Frost Accumulation on the Space Shuttle External Tank

R.E. Rhodes and S.W. Walker
Proceedings of the Thirteenth Space Congress
April 7-9, 1976
Cocoa Beach, Florida

Abstract
Ice/Frost formation on the Space Shuttle cryogenic propellant tanks presents a different problem from that of past launch vehicles.  Lift off weight addition has been the primary concern on past launch vehicles.  The primary ice/frost concern on the Shuttle vehicle is damage to the Orbiter Thermal Protection System due to ice/frost impact.  The approach used to arrive at a solution to this unique Shuttle problem is presented.  The launch vehicle configuration selected and its limitations are described, along with contingency ground support equipment.


Space Shuttle Orbiter Reaction Jet Driver (RJD) Independent Technical Assessment/Inspection (ITA/I) Report

NASA Engineering and Safety Center Report
Document #: RP-05-18
March 22, 2005

1.0 AUTHORIZATION AND NOTIFICATION (excerpt)
The Space Shuttle Program (SSP) has a zero-fault-tolerant design related to an inadvertent firing of the primary reaction control jets on the Orbiter during mated operations with the International Space Station (ISS). Failure modes identified by the program as a wire-to-wire “smart” short or a Darlington transistor short resulting in a failed-on primary thruster during mated operations with ISS can drive forces that exceed the structural capabilities of the docked Shuttle/ISS structure. Mr. Bryan O’Connor, NASA’s Chief of Safety and Mission Assurance (S&MA) Officer, initiated an assessment on April 19, 2004, by requesting the NESC to review the issue and render a technical opinion on the probability of a catastrophic failure related to this scenario.  Other stakeholders include Mr. William Parsons, the SSP Manager, and Mr. William Gerstenmaier, the ISS Program Manager. The SSP liaison assigned is Mr. Donald Totton, Deputy Manager, and SSP S&MA.


ACTS PYRO Separation Band Anomaly (Shuttle Orbiter)

NASA PLSS #0312

Abstract
Minor damage to the Shuttle was caused when the firing of the primary explosive cord to deploy the payload from the cargo bay also triggered the backup cord. End-to-end system tests had validated the erroneous design rather than the end function. Document electrical-mechanical interfaces, protect hazardous systems against any possible unintended operation, and consider use of a single cord configuration.


In-Flight Anomaly Database for STS-1 Through STS-107

 

Description:
Links to .pdf files for each mission.


HDP System A Pyros Did Not Detonate During STS-112 Launch

IPR 114V -0004
sts112_pyros.pdf

Description of Problem

Just after T -0 during the launch of STS-112 on 10/07/02 at approximately 1545 ET, the GLS software in Firing Room 3 annunciated a 'cutoff condition and did not automatically issue the normal post launch sating even though the vehicle had successfully left the mobile launch platform. Real time data review revealed that the erroneous GLS indication and subsequent safing hang-up was triggered by the failure of a MLP 3 GSE indication (GMSX11 07E: SYS A HDP T -0 Bus On Indication) to transition from OFF to ON at T -0. Starting at T -2 seconds, GLS continuously monitors both the SYS A and SYS B HDP T -0 Bus On indications and requires that both (2 of 2) be ON as confirmation that liftoff has occurred and before it will issue post launch safing. More detailed post-launch data review then showed that the MLP 3 Hold Down Post (HDP), ET Vent Arm System (ETV AS) and ETV AS Lanyard' A' circuit pyrotechnic devices did not receive detonation energy as expected from the MLP .3 system A PICs (Pyrotechnic Initiation Controller). TheF1 and F2 switch indicators did not come on, indicating that the F1 and F2 commands were not processed by the PICs. Since the PIC rack did not see all three requisite commands in the proper sequence, it did not issue the detonation energy to the A circuit HDP or ETV AS ordnance. Of the three signals, only the ARM signal could be positively verified as reaching the PICs.


SPARTAN STS-87 Anomaly

spartan_anomaly_sts87.pdf

spartan_anomaly_sts87_appendix.pdf

 


STS-86 USA Simplified Aid for EVA Rescue (SAFER) Failure

Failure Review Board Report

MISHAP DATE: October 1,1997
March 30,1998
safer_pyro.pdf

Failure and Main Contributing Factor
The NSI in the SAFER (seriall #1005) did not fire. Therefore, the pyrotechnic propellant isolation valve did not open and nitrogen gas was not sent to the SAFER’S thrusters.

The NSI did not fire because there was a change in the NSI resistance as the NSI “fire” current pulse was applied to the NSI by the avionics circuit. This caused the NSI “fire” current level (designed at 4.1 amps) to drop (to 2.8 amps) below the “all fire” (3.5 amps) NSI current specification. The NSI resistance was measured at 1.09 ohms before installation into the SAFER. During application of the “fire” pulse, the resistance changed due to “ohmic heating” to approximately 1.6 ohms. The change in resistance caused the 4.1 amp NSI “fire” pulse to drop to 2.8 amps because of the avionics circuit constant voltage design. At 2.8 amps, the probability of firing the NSI is approximately 60%.


"How Clementine Really Failed and What NEAR Can Learn"

 

Papers & Documents Available     NASA/GSFC Radiation Effects Home Page Reports

Initial Radiation Report on the Chip Express CX2001
Heavy Ion Results on FPGAs (Version 2)
Preliminary Evaluation of the Chip Espress QYH580

 


Home - klabs.org
Last Revised: February 03, 2010
http://twitter.com/klabsorg  --  Web Grunt: Richard Katz