After Columbia STS-107

SCSIIT Response
Home
SCSIIT
Mars Challenger
The Creed
Introduction
DISCLAIMER
Advisories
Portfolio

After Columbia's Answer to Spaceflight History's Most Painful Report

The Columbia Crew Survival Report is located on this page: http://www.nasa.gov/reports
 
Look for "Columbia Crew Survival Investigation Report (16.2MB)"
 
Definitions:

ACP: After Columbia Project
Backup Recovery Mode: Saving the crew within a module of a larger vehicle after deliberate or inadvertent separation from the rest of the vehicle.  It may have been possible to implement this in the Shuttle using the forward fuselage as the backup recovery module.
BRM: Backup Recovery Mode (qv); Backup Recovery Module
Commanded Abort: An abort initiated by crew, ground control, or automated command while the vehicle is still under control.
CEV: Crew Exploration Vehicle; the Orion spacecraft
HLV: Heavy Lift Vehicle [or Variant]: Shorthand for the largest configurations of the Atlas V, Delta IV, and Falcon launch systems with low energy payload capacities of 20 to 25 tonnes.
SCSIIT: Spacecraft Crew Survival Integrated Investigation Team: the investigation which painfully pulled the lessons to be learned from the wreckage of Columbia and the electronic biography of her final entry attempt.
Sprint Pattern Spacecraft: Any spacecraft meeting all or a significant proportion of the Sprint spacecraft's crew safety requirements, and which is a stable spacecraft during ascent and entry (requires passive positive stability in two axes.)  Sprint pattern spacecraft outside of After Columbia Project include Orion, Dragon, Soyuz, Apollo, FireFly (Da Vinci), Canadian Arrow, Gemini, Mercury, Voskhod, Vostok, and Shenzhou.  They do not include the Shuttle, SpaceShipOne, SpaceShipTwo, Xerus, Pathfinder, Rocketplane, Ascender, Kliper, X-37/38, X-33, X-30, X-20, or X-15.  Since these craft appear to posess two axis stability when unpowered, but have powered flight modes and significant propulsion hardware within their stables forms, whether they can be called "Sprint pattern" or not is undecided: Chrysler SERV, and Blue Origin (the former would have been unpiloted, but its would-be crew spacecraft payload, the MURP, is definitely not Sprint pattern.)
Uncommanded Abort: An abort initiated by events, where the crew and systems find themselves in an emergency situation where the vehicle has catastrophically failed before any abort command was issued, or before such an abort command could be carried out.  Both Shuttle accidents could be defined as unsuccessful uncommanded aborts.  The phrase implies a design, planning, operational, and training responsibility to prepare for such situations and provide means to survive them.  While the phrase and its implications precede the SCSIIT Report by five years, it implements several SCSIIT recommendations with blanket coverage.

SCSIIT Recommendations and associated After Columbia Project responses

L1-1: Incorporate objectives in the astronaut training program that emphasize understanding the transition from recoverable systems problems to impending survival situations.

Historical notes: This was not an issue in the "classics" era (Mercury, Gemini, Apollo, X-15), as the simulation supervisors were very sadistic and included many scenarios where it was unclear whether the correct action was to abort or continue.  To see this recommendation in the SCSIIT report is a surprise to ACP and OpenLuna.

ACP Response: ACP produces no specific response to this recommendation, since it was already generally recognized that the transitional scenario ("Three hours of boredom followed by seven seconds of sheer terror" - Tom Hanks as James Lovell, Apollo 13 movie) was a part of spacecraft crew training.

L1-2: Future spacecraft and crew survival systems should be designed such that the equipment and procedures provided to protect the crew in emergency situations are compatible with [normal] operations.  Future spacecraft [elements], equipment, and mission timelines should be designed such that a suited crew member can perform all operations without compromising the configuration of the survival suit during critical phases of flight.

Historical notes: Again, the Shuttle system was compromised in this regard, in fact far more so than ACP expected.  The "classics" were very strong in this regard, none more so than the X-15, which had a nitrogen purged cabin from the drop through to the landing.  Gemini 7 was the first US human flight where the crew were let out of their suits at all.

ACP Response: ACP again produces no specific response to this recommendation.  The Sprint spacecraft has always used touchscreens with a minimum of hardware switches (mentioned in later responses) for emergencies.  These switches are big and easy to use with gloves.  The touchscreen and gloves are designed to work together, and the gloves include a "cat's claw" in-glove stylus since the very first thoughts about the Sprint's crew interfaces in June 2003.  The robust life support system and flammability requirements can easily handle continuous crew operations.  The life support system's "brains" will be able to budget oxygen for the cabin and suit together with delayed feedback from oxygen sensors to prevent high oxygen conditions in the cabin.  This should be put in as an upgrade to the Shuttle, and if necessary, Dragon, Soyuz, and ISS.

L1-3/L5-1 Future spacecraft crew survival systems should not rely on manual activation to protect the crew.

Historical notes: These systems have generally required manual activation throughout all eras of both spaceflight and aviation; that is, the ones specifically referred to in the suits, being the parachutes.  On only rare occasions have they been automated.

ACP Response: No specific response.  Sprint incorporates many emergency systems automations already in its design role as station lifeboat.  The most complex example is that the Sprint is capable of detecting station depressurization using its own cabin sensors, and will respond as though the depressurization is on the station side (a failure in the spacecraft itself would need to be accomodated by station emergency systems because the resulting pressure gradient will not allow the craft's inward opening hatch to close.)  Sprint will automatically power up its systems, monitoring station power for failure and executing any additional readiness steps for loss of station power.  The craft will begin to add cabin air (a regulated mixture of oxygen and nitrogen) to allow it to detect hatch closure from the cabin pressure curve, in addition to reed switch and or FET-type proximity switches.   Manual action is required to unstow the hatch and swing it on its hinges towards the closed position.  Once close, a pressure differential develops between the lifeboat and station to force the hatch closed.  Once closed, the emergency systems automatically dog the hatch and stabilize the lifeboat atmosphere based on the average pressure over the last six hours and greatly increased cabin filtration and oxygen partial pressure, assuming a worst case scenario of the crew having exerted themselves during the emergency, breathed a poisioned atmopshere due to fire, and having lost consciousness or been incapacitated by decompression sickness having been barely able to release the hatch and move it close enough to closed for the automatic systems to function.

L1-4 Future suit design should incorporate the ability for crew members to communicate visors down without relying on spacecraft power.

Historical notes: none

ACP Response: Sprint had used the David Clark S1035 ACES a la carte, ignorant of this lack of cabability.  It is obvious from this report that Sprint would have required a new suit development had it been pursued.  The new Sprint suit requirement will have in-suit radios going well beyond this recommendation:  The worst case bailout survival conditions for Sprint will have crew members widely separated as they descend and after they land.  They need these radios to find each other and make it easy for rescuers to find them.  ACMD will study if a bailout survival mode is feasible for its Stampede/Crew Rover landing system on Mars.  Even if it is not, suit radios will still be incorporated for other requirements.  There is no need not to wear them during transitional phases within vehicles.  OpenLuna's baseline mission has only a single crew member, but it is likely that it will have a radio requirement to communicate suit-to-base-to-Earth, or suit-to-Earth (the latter being less likely because of the need to stabilize a high gain antenna on the suit itself.)  Multi-crew OpenLuna spacecraft are as likely to land crew in unpressurized landers, so this becomes a requirement for normal operations.

L2-1. Assemble a team of crew escape instructors, flight directors and astronauts to assess orbiter procedures in the context of ascent, deorbit, and entry contingencies.  Revise the procedures with consideration to time constraints and the interplay among the thermal environment, expected crew module dynamics and crew equipment capabilities.

ACP Response:  This recommendation is specific to the Space Shuttle and has no applicability to ACP activities.

L2-2. Prior to operational deployment of future crewed spacecraft, determine the vehicle dynamics, entry thermal and aerodynamic loads, and crew survival envelopes during a vehicle loss of control so that they may be adequately integrated into the training program.

Historical Note: Just so happens that the Shuttle is the first crewed orbital spacecraft which is inherently unstable in LOC scenarios.  X-15 is the only "classic" example.  The SpaceShipOne has bragging rights for being stable enough in all flight modes that it does not need fly-by-wire.  During its X-prize winning flight on 4 October 2004, its power system was deliberately shut down and reset with no impact on controllability.

ACP Response: No specific response.  This recommendation has already been exceeded by requirements for passive yaw and pitch stability and off-loop manual roll control during main power failures.  A complete loss of control of an ACP piloted spacecraft in a transitional environment is almost impossible, requiring such gross damage to the spacecraft that loss-of-control will be late indeed in a catastrophic spacecraft emergency, almost certainly after crew expiration has already occured.  Instead, ACP crews will be concentrating on controlling the craft during major failures of the guidance and/or control systems, including complete electrical failure.

L2-3. Future crewed spacecraft vehicle design should account for vehicle loss of control contingencies to maximize the probability of crew survival.

ACP Response: ACP requires piloted spacecraft stability regimes that allow positive control of the spacecraft during catastrophic loss of guidance and control systems as a more robust solution than designing for loss of control.  Control of an ACP spacecraft can be maintained well past the point where the Shuttle Orbiter loses control.  The worst case scenario is actually that the craft is stable in pitch and yaw, but winds up inverted in roll, directing the lift vector downwards.  This leads to a rapid increase in heating and aerodynamic loads.  If the crew is unable to ascertain the roll attitude of the craft, they will spin it along the roll axis, so as to distribute the lift vector and emulate a ballistic entry; this mode is part of the Soyuz spacecraft already.

L2-4/L3-4 Future spacecraft suits and seat restraints should use state-of-the-art technology in an integrated solution to minimize crew injury and maximize crew survival in [abnormal] accelleration environments.

Historical note: Dragon had incorporated swivel seats in its design almost three years before the SCSIIT report was released.

ACP Response: The pitch-and-yaw stable ACP spacecraft are unlikely to experience massive accellerations anywhere but in the -X direction, and diversions from which are likely to remain under 30deg, unless the craft has such damage that its modified aerodynamic shape is unstable, a case in which the crew is probably deceased already.  The seat restraints and seat structures, as well as all potential debris structures, such as crew consoles, are required to meet a -X 20G requirement, and 5G environment in all other directions, with a safety factor of 1.5.  With this requirement, and adequate suit impact protection (this to account for the excursion from this envelope caused by ground impact during emergencies and the resulting generation of cabin debris), the spacecraft is almost certainly going to outlast the crew in abnormal accelleration environments.  There is also a seat impact attenuation requirement to keep the seat from coming loose during brief excursions outside the 20/5G envelope.
 
L2-5 Incorporate features into the pass-through slots on the seats that the slot will not damage the strap.
 
ACP Response: Noted and will be passed on to the seat contractor when development of a spacecraft is undertaken.  It is of no matter to a concept design and therefore beyond the scope of ACP's activities.
 
L2-6 Perform dynamic testing of straps and testing of straps at elevated temperatures to determine load-carrying capabilities under these conditions.  Perform testing of strap materials in the high-temperature/low-oxygen/low-pressure environments to determine material properties under these conditions.
 
ACP Response: Another detail item to pass on to a subcontractor.  It will be implemented when development of a spacecraft is undertaken.
 
L2-7. Design suit helmets with head protection as a functional requirement, not just as a portion of the pressure garmet.  Suits should incorporate conformal helmets with head and neck restraint devices, similar to helmet/head restraint techniques used in professional automibile racing.
 
Historical note: The suit-mounted helmet is actually a fairly "recent" development, and does have its advantages in freedom of movement and comfort, as well as the ability to assemble them.  All of the "classics" except Apollo used "head mounted" helmets with impact protection, especially on X-15 (where it probably saved a pilot's life during a crash.)
 
ACP Response: ACP is likely to go with mechanical counter pressure (MCP) suits in future spacecraft designs.  This means that there will be two small vapor pressure envelopes in the groin and head areas, the former for waste management, and the latter for respiration.  Everywhere else in the suit, the shell of the suit resists the expansion of the body by direct pressure.  The consequences of a suit depressurization are likely to be more severe, but such a mishap is less likely to result in such a depressurization.  MCP suits are very conducive to "head-mounted" helmet systems.  In the event that ACP adopts a pressure-envelope transition suit for its spacecraft designs, the suit-mounted helmet becomes preferable.  In this case, a head-mounted impact system will be worn in addition to pressure-envelope helmet.  This will allow a full range of lateral movement, but somewhat limited up/down movement.  Under accident conditions, the head-mounted impact cushion will strike the inside of the pressure-shell helmet, and the neck will be prevented from reaching any extreme flexion or extension conditions by the impact helmet impacting with the pressure-shell helmet.
 
L2-8. The current shuttle inertial reels should be manually locked at the first sign of an [abnormal] situation.
 
ACP Response: Specific to Shuttle, no response.
 
L2-9. The use of inertial reels in future restraint systems should be evaluated to ensure that they are capable of protecting the crew during [normal] and [abnormal] situations without active crew intervention.
 
ACP Response: It should be possible to have a lock engage the reel brake past a certain G-limit in any direction.  In a worst case scenario, an electronic "heartbeat" from the guidance system should be available.  When the guidance system detects a loss of control or within controlled flight, a G-limit, it halts the heartbeat signal, and the reel brakes engage.  This, and an associated "loss of control" tone or vocal annunciation (i.e.: "[WHOOP WHOOP] OUT OF CONTROL [WHOOP WHOOP] OUT OF CONTROL") can signal loss of control to the crew before there is any significant departure of the craft from its last commanded attitude.  An electrical or guidance failure, of course, will stop the heartbeat and brake the reels.  If this latter option is exercised on the two-axis stable low lift ACP spacecraft models desired, the crew can begin exercising emergency control of the third axis immediately, either spinning up the craft, or flying manually according to third source data.

The Sprint pattern spacecraft (including the Orion CEV) take the approach that eliminates the need for fully functional inertial reels during transitional phases by putting all required controls within reach of the crew members in the fully restrained position.
 
L3-1. Future vehicles should incorporate a design analysis for breakup to help guide design towards the most graceful degradation of the integrated vehicle systems and structure to maximize crew survival.
 
ACP Response: This recommendation sounds rather funny on its face, but its essence has probably already been adopted in what ACP calls, "backup recovery mode" and "uncommanded abort".  Due to the nearly inviolable importance of the entire descent module structure in ACP spacecraft designs, it is not possible to implement this recommendation within the descent module.  In Sprint, the cabin and essential systems are packed fairly tightly into the aerodynamic shape.  Redundant systems are widely spaced to minimize the loss of an entire function.  Pressure vessels other than the cabin itself will be designed to depart the craft before they fail in the event of an entry burnthrough or impact, but there could still be the problem of one being crushed between the cabin and an external object (most likely the ground) in an impact, thus causing a burst and release of the vessel's contents (known pressurized fluids are nitrogen, oxygen and hydrogen peroxide, the latter a desirable alternative to hydrazine as an RCS propellant because the differences in toxicity in precisely this sort of situation.)
 
The specifics of backup recovery and uncommanded abort are essential to crew ferry ascent.  Sprint is intended to allow the crew to survive the sudden catastrophic failure of its launch vehicle.  This limits launch vehicle configuration selection in some cases because if the launch vehicle flight termination is incomplete during an abort, still thrusting elements can chase down the fleeing descent module and destroy it.  This rules out the use of any solid motors for main propulsive power in Sprint's launch vehicle, and ironically, its originally chosen launch vehicle, the Delta II 7920H.  Fortunately, the experience of the Atlas V has been a positive one and is therefore available for Sprint consideration, configurations 401, 402, 501, 502, and HLV.  The main Ascent Roadmap boosters for Sprint are the Kilder and Lilmax, depending on delivery energy and chosen capacity.
 
The "uncommanded abort" mode is used when the craft (or its backup recovery module) suddenly finds itself in a situation so abnormal that normal flight seems unattainable.  If the Shuttle's forward fuselage were designed as such a module, it would have found itself in precisely such a situation at T+74 seconds during STS-33, and EI+940 (approximately) during STS-107.  A colloquial translation of its automated actions would be "oh, crap...time to deal with this abort!"  In STS-107's case, this may have included deliberately severing itself from the rest of the orbiter well before what the SCSIIT report calls the "catastrophic event", when the orbiter came apart.  The Sprint includes an impact shield underneath its descent module designed to attenuate the impact forces of a major launch vehicle failure and its attendant debris.  Sprint's normal abort modes are much more benign.
 
L3-2. Future vehicles should be designed with a separation of critical functions to the maximum extent possible and robust protection for the individual functional componets when separation is not practical.
 
together with
 
L3-3. Future spacecraft design should incorporate crashworthy, locatable data recorders for accident/incident flight reconstruction.
 
ACP Response: Separation is not practical in the ACP baseline designs, but is still done to the maximum practical extent.  Secondary protection is therefore provided.  One of the important aspects of this is that if the crew can't survive unfolding disaster, many of these critical systems are integral with the "black boxes" for data preservation.  It is therefore preferred to have them detach from the spacecraft before they are completely destroyed.
 
L3-5. Evaluate crew survival suits as an integrated system that includes boots, helmet, and other elements to determine the weak points, such as thermal, pressure, windblast, or chemical exposure. Once identified, alternatives should be explored to strengthen the weak areas. Materials with low resistance to chemicals, heat, and flames should not be used on equipment that is intended to protect the wearer from such hostile environments.
 
ACP Response: After reading the SCSIIT report, ACP has concluded that the existing David Clark S1035 ACES is inadequate.  This means that we will be working on a new integrated safety suit.  Also, different ACP projects have different suit requirements.  OpenLuna's is the most novel, since the suit actually doubles as the crew cabin for early missions.  This is a requirement that can't be met by the ACES, even if accident survival were not an issue.
 
A1. In the event of a future fatal human space flight mishap, NASA should place high priority on the crew survival aspects of the mishap both during the investigation as well as in its follow-up actions using dedicated individuals who are appropriately qualified in this specialized work.
 
ACP Response: Since OpenLuna is a small organization, and ACP one even smaller, we must coordinate with government investigative and recovery organizations as applicable during accidents.  It is also highly desirable to extend this recommendation to any failures of crew spacecraft that are in unpiloted testing.  In order to develop qualified individuals within the ACP and OpenLuna organizations, "no-win" simulations will be extended into the investigation phase.
 
A2. Medically sensitive and personal debris and data should always be available to designated investigators but protected from release to preserve the privacy of the victims and their families.
 
ACP Response: See below, as response to A2 and A3 are the same.
 
A3. Resolve issues and document policies surrounding public release of sensitive information relative to the crew during a [ACP/OL] accident investigation to ensure that all levels of the agency understand how crew survival investigations should be performed.
 
ACP Response: This matter needs to be treated more thoroughly at ACP and OpenLuna.  Some crew members may feel more comfortable with open release.  For some, additional discomfort may result from certain crew survival information.  For instance, the fate of the S1035 ACES suits the crew of STS-107 are published.  It is very easy to extrapolate what happened to the crew members inside them, even though that specific information has been redacted.  ACP and OpenLuna plan to discuss release issues with crew members and crews prior to embarking on missions, rather than develop a blanket policy for all missions.  Having said that, a blanket policy is appropriate once spaceflight becomes more routine.
 
A4. Due to the complexity of the operating environment, in addition to traditional accident investigation techniques, spacecraft accident investigators must evaluate multiple sources of information including ballistics, video analysis, aerodynamic trajectories, and thermal/material analysis.
 
ACP Response: After Columbia Project, as part of our mandate to understand and apply the lessons of the STS-107 tragedy, have conducted our own analysis of publicly available information.  Our conclusions about which visible debris was the crew module in the available videos and the timing of the catastrophic events for the orbiter and crew module are in perfect agreement with the SCSIIT conclusions, despite our lack of expertise.  It will be difficult, but it is probably necessary for After Columbia Project and OpenLuna to employ the same personnel and disciplines of normal operations and accident investigation, as NASA already has.
 
A5. Develop equipment failure investigation marking ("fingerprinting") requirements and policies for space flight programs.  Equipment fingerprinting requires three aspects to be effective: component serialization, marking, and tracking to the lowest assembly level practical.
 
ACP Response: This "fingerprinting" schema is already essential to space-grade quality assurance and knowledge of operational hardware characteristics, especially if that hardware is reusable.
 
A6. Standard templates for accident investigation data (document, presentation, data spreadsheet, etc.) should be used.  All reports, presentations, spreadsheets, and other documents should include the following data on every page: title, date the file was created, date the fiele was updated, version (if applicable), person creating the file, and person editing the file (if different from author.)
 
ACP Response: After Columbia Project already uses this practice for design notes.  We have also adopted a date-based versioning system of yymm, for example 0901A for the first serial version of a document created in January 2009.  This can easily be extended to the yymmdd system used by Martin Schweiger's Orbiter Simulator project.  Accident investigation information will be extended from this documentation schema.
 
[Even though Featherwing Love faces no prospect of a space accident, the same dating system is used in its internal files as well.  Base versioning has been added to chapter numbers.]
 
A7. To aid in configuration control and ensure data are properly documented, report generation must begin early in the investigation process.
 
ACP Response: Accident report generation would be a natural extension of the existing documentation practices.  After Columbia has already learned the importance of generating structured reports early in investigation processes.  Due to the time- and labor-limited nature of After Columbia's early studies, most notably Mars Challenger, they were conducted much as investigations.  The lesson of establishing the report early was part of setting the goals for the project.  We have already learned this lesson.
 
A8. As was executed with Columbia, spacecraft accident investigation plans must include provision for debris and data preservation and security.  All debris and data should be catalogued stored, and preserved so they will be availalbe for future investigations or studies.
 
ACP Response: This recommendation is noted and will be implemented.  It is also noted that timely and responsive access to normal mission databases is also required.
 
A9. Post-traumatic stress debriefings and other counseling services should be availalbe to those experiencing ongoing stress as a result of participating in the debris recovery investigation.  Designated personnel should follow up on a regular basis to ensure that individual needs are being met.
 
ACP Response: The need for this recommendation requires an actual accident to take place.  In that event, counseling will be available to applicable personel on a case-by-case basis.  It may take a different form than those envisioned by NASA, however.
 
A10. Global Positioning System receivers used for recording the latitude/longitude of recovered debris must all be calibrated the same way (i.e.: using the same reference system) and the latitude/longitude data should be recorded in a standardized format.
 
ACP Response: We are already accustomed to decimal format locations from Orbiter simulations.  It is likely we will continue to use that format for locating both normal operation (i.e.: fallen stages and landing points) and accident recovery items.
 
A11. All video segments within a compilation should be categorized and summarized.  All videos should be re-reviewed once the investigation has progressed to the point that a timeline has been established to verify that all relevant video data are being used.
 
ACP Response: The recommendation is interpreted that a first review should be used to establish a timeline and each video segment's place within it, synchronized as well as possible.  The compiled video timeline then needs to be audited with a review of each contributed segment to find missing segments, segments with erroneous synchronization, and possibly duplicate segments misplaced in the compilation.  One of the errors detected by After Columbia (and later corrected by the CAIB before it was reported) was that the first "eastern" segment of the old timeline (not counting the SCSIIT "NBC video") was placed in the timeline some thirty seconds later than it actually occurred.  After Columbia was slow to get to analyzing STS-107 video and didn't have a lot of faith in our abilities until we watched this correction unfold.  As a result of this (and the intervening two years experience of video production elsewhere by one of our members), we are quite confident that After Columbia Project can provide competent analysis of accident visual footage.
 
A12. [ACP can't find a recommendation corresponding to this designator]
 
A13. Studies should be performed to further characterize the material behavior of titanium in entry environments to better understand optimal space applications of this material.
 
ACP Response: After Columbia does not have the resources for these material tests, however, we are expecting those tests to be made or contracted by NASA and the results published by AIAA or a similar organization.  Results of tests such as these will be sought out by After Columbia as required during the material selection phases of system design.
 
After Columbia Sprint Spacecraft Design Response:
 
Of the following, the five "lethal events" were uncovered by the SCSIIT and are put in italic.  After Columbia Project has gone on to identify a number of events which can kill the vehicle or otherwise lead to one of these five.
 
1. Vehicle guidance failure
 
Hardware radiation interference qualified in case-integrated form, whether the hardware is custom or off-the-shelf.  The hardware qualification test should be overclocked and running a program that puts the internal circuitry through maximum stress, and obviously, software that can detect any glitch in the hardware.  It should also be run in operational radiation case-integrated environment while running flight-like software, both overclocked and at normal space-rating speed (if off-the-shelf hardware is used, it's normal speed may be "overclocked" according to the desired space rating.  Modern consumer hardware produces thousands of times as much computing firepower as flight guidance systems need, so this can be expected.)  A totally fault-free operation is not actually required, but the software must be designed to handle any expected hardware glitch modes that occur.  Fatal glitches that the software can't recover from are obviously unacceptable.
 
Guidance should be designed to be single fail operational/dual fail safe.  Sprint will use three guidance computers running primary software, and a fourth running backup software capable of giving the pilot inertial reference states.  This is slightly less robust than the Shuttle, but Sprint, during entry, is stable in two axes and trimmed to the desired pitch and yaw attitudes except during certain emergencies.  Failures beyond dual fail safe go to the backup modes for an electrical failure, even if there isn't an actual electrical failure.
 
2. Vehicle control failure
 
Control hardware are the systems that actually interact with the environment around the craft to make changes to the craft's velocity vector or attitude.  In the Shuttle, this includes the elevons, rudder and body flap; in SpaceShipOne, it includes the elevons, tailplane, rudders, and the so-called "feather" mechanism (which is essentially a huge set of elevators.)  In Sprint, actual control hardware consist only of thrusters during entry.  Sprint does include a ram-air parachute, and its brake lines are control devices.  There are many ways that this system can fail, and all ones that we can foresee (including fatal ones), must be accounted for in the operational risk assessment.  With vehicle control, stability and simplicity are good things.  The Shuttle has neither, but with both, a total loss of control is almost impossible.  The Shuttle also demonstrates that a vehicle can be made so that complexity and instability can be accommodated, but not easily.  While the control failure of STS-107 was not independent of other damage, the crew apparently assumed it was, and also, other damage which leads to loss of control hurts your odds of surviving an accident.
 
The most likely cause of control failure to a Sprint type spacecraft during ascent is an uncommanded abort, which is sterile language for a catastrophic failure of the launch vehicle or the payload interface with it.  This can be a survivable event in a properly designed spacecraft in a properly designed ascent profile, but commanded aborts are preferable to maintain positive control of the spacecraft during all phases of the emergency.  To this end, the launch vehicle must be able to command a nondestructive shutdown, and therefore is not allowed to use solid motors for main thrust.  During on-orbit operations, the most likely failure is a thruster malfunction.  This is prevented by robust guidance, electrical, and thruster design, along with backup power for closing latching pre-valves in case of a complete electrical failure (this may be important in the aftermath of a docking collision, where damage to both thrusters and the electrical system may occur.)  Sprint is unlikely to suffer a loss of control during entry, as it is stable in two axis.  In the case of a guidance, control, or electrical failure, backup thruster power can be used to spin the craft up to abort onto a ballistic trajectory.  The spinning dissipates the craft's lift vector in all radial directions, effectively eliminating it.  It is a mode of the Soyuz craft already, perhaps a famous one.  After entry, the ram-air parasol Sprint uses to descend is quite complex and more prone to failure, but at this point, the integrity of the craft is not as critical, as the crew can bail out into a survivable environment.
 
3. Vehicle structural failure
 
Guarding against structural failure is nearly impossible, so the trick is to prevent its failure.  Fortunately, the most expected way structures fail is thermal failure during entry (which will also result from many ascent failures.)  It is also rather predictable where a structure compromized by entry heat will fail: at the point where the peak thermal load and peak structural loads coincide.  After Columbia calls this the "Peak Loads Region", while the Shuttle Program calls it "Equilibrium Glide Phase".  During STS-107, OV-102 Columbia's left wing failed shortly before reaching this point, emphasizing just how severe her damage was.
 
Structural failure is the likely proximal cause for a Sprint-type spacecraft control failure during entry, since in order to have a three-axis loss of control for a Sprint spacecraft, stability in one of the two stable axes must be lost.  Even with a thruster malfunction, by the time the Sprint is in the peak loads region, the only way to cause this is through structural damage.  Structural failure of any craft can be the proximal cause of failures in other systems.  For example, when OV-102 Columbia and OV-099 Challenger severed the forward fuselage at the Xo582 ring frame in their respective final missions, the electrical and data connections between the computers forward of this frame and the fuel cells aft of it could no longer be maintained, leading to a complete loss of all electrical power and guidance.  Control was already lost in both cases, but had it not been, the command and data paths between the guidance computers and all operational control devices were lost.  The forward fuselage has available only the nose landing gear and forward reaction control pod, and is itself impossible to stabilize in the peak loads region, as is the naked crew cabin without the forward fuselage structure around it.  A vehicle like the Shuttle has the crew in a relatively small part of it, so it may be possible to design a partial vehicle backup recovery mode into it, but for the Shuttle orbiter itself, it would be very difficult indeed.  Sprint's crew cabin is too large compared to the rest of the descent module to accommodate this, however the descent module forms the backup recovery module of larger vehicles Sprint can form a subset of, most importantly its ascending booster, but also space stations and interplanetary spacecraft.
 
4. Vehicle electrical failure
 
Electrical failures can be partial or total.  It is important to, if possible, keep the most essential systems for the particular phase of flight powered.  For, ascent, entry and docking, these are the guidance and control systems.  For on orbit phases, this is life support.  During the ascent, entry, and docking phases, phrased together as "transitional phases" (hence references to "transitional suits" worn during these periods to provide emergency ambient pressure and life support to the crew members individually should their cabin environment be compromized by an accident, which is, needless to say, most likely during these transitional phases.)  Ideally, a power system would be designed with main and backup sources.  Since Sprint uses only batteries, it has only a single modular main source, however, some craft use fuel cells or solar wings to provide main power.  These craft should have secondary sources in close proximity to essential loads, unlikely to be severed by structural failure.  The most obvious of these is the inertial black box.  On Sprint, the guidance computer, inertial measurement unit, flight data recorder, and a single discharge battery are combined into one rugged unit.  It is our intention that this unit will survive and continue recording through a catastrophic accident all the way to impact.  It is also our intention that all three main computers, and possibly even the backup computer, all have this functionality.  A separate lighting unit and voice data recorder form another black box.  This implements SCSIIT Recommendation L3-3 in addition to creating a guidance system that should theoretically outlast the crew many fatal accident scenarios.
 
Systems on Sprint which have backup power in the form of single discharge batteries (most likely lithium-iodine or lithium-thionyl chloride primary cells) are cabin lighting, guidance, and manual thruster control.  These systems are not interconnected, so backup guidance power, for example, can't activate the thrusters and is for its state recording functions only in a total electrical failure.  This implements SCSIIT Recommendation L3-2, separation of critical functions, during accident scenarios.
 
5. Pilot error
 
The first line of defense against pilot error is excellent crew training, procedures and documentations, but the guidance system and crew interface system can be designed to detect "this is stupid" exceptions and require confirmation for certain major actions.  Store till systems have such alerts, so implementing them in a piloted spacecraft should not be too steep an expectation.  One thing that will make pilot error less likely is to require fewer critical pilot inputs.  Another is automated configuration checking, something already seen in spacecraft modules for the Orbiter Simulator (the one by Martin Schweiger).  The final line of defense is to make a craft more tolerant of pilot errors that actually get implemented by the guidance and/or control systems.  If the pilot doesn't realize that he has made an error, it may be that he doesn't realize that an emergency is developing, and so to him it may appear that a major system error has occurred, in which case he will respond as though it is one of the other four vehicle failure categories.  The last line of defense is therefore the defenses for the other failure categories where the proximal (or apparent) cause of the failure is pilot error.
 
The SCSIIT believe that the crew of STS-107 did not realize that a catastrophic emergency had developed until the "Catastrophic Event", when the forward fuselage separated from the mid fuselage, taking most of the Xo582 ring frame with it, disabling the power, and leading to a significant relief of the accelleration felt by the crew.  The SCSIIT also believe that crew members with the suits properly donned would lower their visors to save themselves even if other members of the crew did not have their suits fully donned.  The STS-107 crew trained together for over two years before flying this mission, so it seems very unlikely to After Columbia Project that these two events occurred.  The SCSIIT report confirms that this crew was so tightly knit that they conducted a launch and ascent simulation lasting several hours without saying a single word.  The SCSIIT apparently ignored the emotional connections such training and discipline are likely to generate, or possibly, figured it was potentially too painful for themselves or the astronauts' families to publish more well thought out speculation about how they behaved after loss of signal.  After Columbia Project believes that the members of the crew who had properly donned suits knew that three of their number had not mated their gloves and that one had not put on his helmet.  (Incidentally, ACP's speculation on exactly which crew members were missing gloves and which one was missing his helmet was accurate from September 2003 and confirmed by the SCSIIT report.)  All four of the crew members who had their suits properly donned had military experience.  They are likely to have felt that they would be betraying their unprepared crewmates by abandoning the vehicle (so to speak) and looking after their individual survival.  They therefore decided to work to save the vehicle on the assumption (which they probably knew was incorrect) that she could somehow be saved.  This means that After Columbia Project is less certain than the SCSIIT about when the cabin depressurized, but we still believe it was related to the catastrophic event, most likely a twisting of the tunnel adapter interface with the crew module, causing it to break open the skin between the mid deck and lower compartment, as well as force the crew module into the forward fuselage to break open Volume E, the lower compartment locker from which debris was found far west of crew module structural debris, indicating that it had broken open long before the crew module was destroyed.
 
1. The first event with lethal potential was depressurization of the crew module, which started at or shortly after orbiter breakup
 
The Sprint spacecraft pattern protects against this event at the cabin level, but not against the wholesale breakup of the descent module.  A craft like the Shuttle should protect against this event for the breakup of the vehicle aft of the Xo582 ring frame, or its equivalent (i.e.: the small space between the oxidizer tank and cabin aft bulkhead on SpaceShipOne.)  Protecting against this event requires thermal and structural protection, and possibly protection against debris-to-debris interaction during the breakup event of an uncommanded abort.  A major design decision taken by the Ascent Roadmap is a moratorium on the use of solid rocket motors for main thrust in any launch vehicle carrying a crew spacecraft, since there is no way to shut down a solid motor without risk of destroying the launch vehicle, and an unaborted solid motor can chase down and ram a fleeing crew module or ejected crew member.
 
Cabin depressurization can and should be protected at the suit level as well, but this should not be the primary means of protecting the crew,  An acceptable (if not yet viable) alternative to the pressure suit is a pressure capsule made as part of the crew member seat package, able to automatically encapsulate the crew member or passenger quickly enough to counteract the effects of a rapid depressurization, or on command from vehicle guidance (or seat controller loss of contact with spacecraft guidance or electical power) prior to a near-certain depressurization of the cabin.  This would isolate crew members from vehicle controls and so should not be employed for crew members who must be available to take action during an emergency if possible.  If a craft is deemed reliable enough at the vehicle level, and robust enough at the cabin level, that cabin depressurization can be expected less than once in 10,000 transitional events, the transitional protection suit can be removed from the design.  We are a long way from achieving this goal.
 
2. The second event with lethal potential was unconscious or deceased crew members exposed to a dynamic rotating load environment with nonconformal helmets and a lack of upper body restraint.

The problems on the Shuttle were threefold: First, the Shuttle is only barely stable whole and both the forward fuselage and naked crew module are unstable in all three axes.  This complete loss of control is required to cause the random accelleration environment criticized above.  The second problem was the failure of the seat restraints, both due to inadequate seatbelt reels and the need for them in the first place.  Not everything that the crew needs to reach during transitional phases can be reached from the fully secured position in the seat.  The final problem is the poor design of the ACES helmet and bone dome.

Note that all of this has been previously described.  This event is guarded against by the Sprint pattern spacecraft primarily through the use of passive stability, preventing the loss of control which leads to the dynamic rotating environment.  Loss of control is also guarded against by protecting the guidance, control, and electrical systems and providing manual stabilization backups.  The Sprint crew interface is designed that everything that the crew needs to access during transitional phases is within reach from the secured position in the seat, eliminating the need for inertial reels.  The Sprint then provides further protection at the seat and suit level by requiring suits to have impact protection.  A pressure-shell mounted helmet requires the crew member to wear an impact protection helmet or "bone-dome" underneath it.  A conformal helmet mounted directly on the head is also acceptable, although interference must be provide by either the suit or seat in the fully restrained position to keep the neck from bending beyond reasonable limits.

The downside to all this is that if Sprint suffers damage similar to that Columbia experienced on STS-107, entry plasma is likely to enter the cabin before departure from controlled flight and before the crew loses consciousness.  Crew members might have the unfortunate experience of observing the effects of entry plasma on their colleages and themselves, something which would probably be psychologically very difficult for potential survivors to recover from.

3. The third event with lethal potential was separation from the crew module and the seats with associated forces, material interactions, and thermal consequences. This event is the least understood due to limitations in current knowledge of mechanisms at this Mach number and altitude. Seat restraints played a role in the lethality of this event.

The current state of the art cannot account for an uncommanded separation of individual crew members.  Therefore the uncontrolled breakup of the crew cabin must be avoided at all costs.  This can be provided for either by providing means of controlled separation of the crew members from the cabin, such as through ejection seats or bailout provisions, by investing heavily in the preserving cabin itself, or some combination.  Sprint takes the approach of investing heavily in the cabin and the descent module immediately surrounding it, while providing a modest bailout capability.  The specifics of cabin level protection include

- a minimum of cabin penetrations (which precludes the use of ejection seats)
- a payload escape system, which includes booster escape system, backup maneuver motor, and base impact shield.
- a robust descent module, made in a shape and with design center-of-gravity range that is stable in two axes during supersonic and subsonic flight (instability in the transonic region can be accomodated in normal operations by the main parachute drogue, and a brief departure from controlled flight during emergencies can be accepted if the module can decellerate to subsonic speeds and return to a stable attitude on its own.)
- a self-sealing pressurized cabin with a minimum of hazardous systems inside it.
- a highly robust cabin pressure management system with stubborn logic and plenty of resources.
- a robust main parachute (which is a large ram-air parasol deployed in stages, based on the system tested by the X-38 program) and two round reserves (which result in a radially offset accelleration vector for the crew.)
- strong reusable impact protection (landing airbags and "runway pond") for the main parasol impact event.  Strong single use impact protection for the impact events caused by the reserve parachutes (crush struts, crumple zones, and seat mounted crash airbags to protect against the seats coming loose inside the cabin.)

A side hatch and individual parachutes allow for the crew to bail out of the Sprint descent module if all craft parachutes fail, or if some other circumstance, such as terrain, makes it preferable to land individually rather than with the craft.

4. The fourth event with lethal potential was exposure to near vacuum, aerodynamic accelerations, and cold temperatures.

The human body is not an aerodynamic shape, more so, it is highly flexible and aerodynamically unstable in most of its configurations.  It is also difficult to protect from this event.  Suits are unlikely to have the ability to survive even a controlled separation from the cabin, followed by a severe entry environment (although OpenLuna proposes a suit that can survive entry by not having the constraints of a cabin in the first place.)  Survival of this event therefore is best provided at the cabin- or capsule- level.  Sprint chooses the cabin level, and its protection for this event has already been described.

OpenLuna's suit-level protection is rather un-suitlike in its nature.  The suit has a large backpack/service module which contains the propulsion system, mounts for lander restraints, life support, communications, and survival kits for both Earth and space (the space kit includes a pressurized "tent", the use of which is not required in the normal mission mode.)  The entry system contains an inflatable paracone, where the suit rests at the apex, with flexible ablative insulation to survive a high energy entry, and probably provide a small amount of lift to reduce normal accellerations when returning from the Moon.  The crew member will either use the inflatable cone as a parachute, or somehow bail from or collapse the device to deploy his own parachute.  If successful, it may be possible to expand this system to provide for escape from a lost spacecraft during entry.  Like providing parachutes and slidepoles, ejection seats, or whole aircraft parachutes for current commercial airliners, it is unlikely that such escape systems will be widely employed.  (However, airliner prototypes provide bailout provisions for their small test crews; equivalent systems in commercial passenger spacecraft are likely.)
 
5. The final event with lethal potential was ground impact.

The systems for protecting against this event at the cabin and suit level (parachutes, airbags, crush struts, crumple zones, suit impact protection, aiming at water) have already been addressed in previous sections, and bear not repeating.  The exception is crew and passenger training for Parachute Landing Fall (PLF), the standard impact protection for people descending on parachutes.

After Columbia concludes that there is a lot that can be done to improve crew and passenger survival under accident conditions, and that most of these measures are not being employed in current spacecraft, not even "prime time" spacecraft like SpaceShipOne and other Karmen Hoppers ('X-prize' class spacecraft designed to provide a trip to an altitude of more than 100km and several minutes of weightlessness.)  All spacecraft designers should seriously consider all of these options in new spacecraft designs.  Not all of them can be employed simultaneously, but with sound judgment, a solution ideal to a particular mission can be identified and employed.

(c) 2009 After Columbia Project
 
This report, and the above response to it, was very difficult to write.  This page is a rather crude attempt to show how much it hurt: SCSIIT Tribute