Look for "Columbia Crew Survival Investigation Report (16.2MB)"
ACP: After Columbia Project
Backup Recovery Mode: Saving the crew within a module of a larger vehicle after deliberate or inadvertent separation from the rest of the vehicle. It may have been possible to implement this in the Shuttle using the forward fuselage as the backup recovery module.
BRM: Backup Recovery Mode (qv); Backup Recovery
Commanded Abort: An abort initiated by crew, ground control, or automated command while the vehicle is still under
CEV: Crew Exploration Vehicle; the Orion spacecraft
HLV: Heavy Lift Vehicle [or Variant]: Shorthand for the
largest configurations of the Atlas V, Delta IV, and Falcon launch systems with low energy payload capacities of 20 to 25
SCSIIT: Spacecraft Crew Survival Integrated Investigation Team: the investigation which painfully pulled the lessons
to be learned from the wreckage of Columbia and the electronic biography of her final entry attempt.
Sprint Pattern Spacecraft: Any spacecraft meeting all or a significant proportion of the Sprint spacecraft's crew safety requirements, and which is a stable spacecraft during ascent and entry (requires passive positive stability in two axes). Sprint pattern spacecraft outside of After Columbia Project include Orion, Dragon, Soyuz, Apollo, FireFly (Da Vinci), Canadian Arrow, Gemini, Mercury, Voskhod, Vostok, and Shenzhou. They do not include the Shuttle, SpaceShipOne, SpaceShipTwo, Xerus, Pathfinder, Rocketplane, Ascender, Kliper, X-37/38, X-33, X-30, X-20, or X-15. Whether Chrysler SERV and Blue Origin can be called "Sprint pattern" is undecided, since these craft appear to possess two-axis stability when unpowered but have powered flight modes and significant propulsion hardware within their stable forms (the former would have been unpiloted, but its would-be crew spacecraft payload, the MURP, is definitely not Sprint pattern).
Uncommanded Abort: An abort initiated by events, where
the crew and systems find themselves in an emergency situation where the vehicle has catastrophically failed before any abort
command was issued, or before such an abort command could be carried out. Both Shuttle accidents could be defined as
unsuccessful uncommanded aborts. The phrase implies a design, planning, operational, and training responsibility to
prepare for such situations and provide means to survive them. While the phrase and its implications precede the SCSIIT
Report by five years, it implements several SCSIIT recommendations with blanket coverage.
SCSIIT Recommendations and associated After Columbia Project responses
L1-1: Incorporate objectives in the astronaut training program that emphasize
understanding the transition from recoverable systems problems to impending survival situations.
This was not an issue in the "classics" era (Mercury, Gemini, Apollo, X-15), as the simulation supervisors were very sadistic
and included many scenarios where it was unclear whether the correct action was to abort or continue. To see this recommendation
in the SCSIIT report is a surprise to ACP and OpenLuna.
ACP Response: ACP produces no specific response to this recommendation,
since it was already generally recognized that the transitional scenario ("Three hours of boredom followed by seven seconds
of sheer terror" - Tom Hanks as James Lovell, Apollo 13 movie) was a part of spacecraft crew training.
spacecraft and crew survival systems should be designed such that the equipment and procedures provided to protect the crew
in emergency situations are compatible with [normal] operations. Future spacecraft [elements], equipment, and mission
timelines should be designed such that a suited crew member can perform all operations without compromising the configuration
of the survival suit during critical phases of flight.
Historical notes: Again, the Shuttle system was compromised
in this regard, in fact far more so than ACP expected. The "classics" were very strong in this regard, none more so
than the X-15, which had a nitrogen purged cabin from the drop through to the landing. Gemini 7 was the first US human
flight where the crew were let out of their suits at all.
ACP Response: ACP again produces no specific response to
this recommendation. The Sprint spacecraft has always used touchscreens with a minimum of hardware switches (mentioned
in later responses) for emergencies. These switches are big and easy to use with gloves. The touchscreen and gloves
are designed to work together, and the gloves include a "cat's claw" in-glove stylus since the very first thoughts about the
Sprint's crew interfaces in June 2003. The robust life support system and flammability requirements can easily handle
continuous crew operations. The life support system's "brains" will be able to budget oxygen for the cabin and suit
together with delayed feedback from oxygen sensors to prevent high oxygen conditions in the cabin. This should be put
in as an upgrade to the Shuttle, and if necessary, Dragon, Soyuz, and ISS.
L1-3/L5-1 Future spacecraft crew survival
systems should not rely on manual activation to protect the crew.
Historical notes: These systems have generally required manual activation throughout all eras of both spaceflight and aviation; that is, the systems specifically referred to here, the parachutes in the suits, have only on rare occasions been automated.
ACP Response: No specific response.
Sprint incorporates many emergency system automations already in its design role as station lifeboat. The most complex example is that the Sprint is capable of detecting station depressurization using its own cabin sensors, and will respond as though the depressurization is on the station side (a failure in the spacecraft itself would need to be accommodated by station emergency systems, because the resulting pressure gradient will not allow the craft's inward-opening hatch to close). Sprint will automatically power up its systems, monitoring station power for failure and executing any additional readiness steps for loss of station power. The craft will begin to add cabin air (a regulated mixture of oxygen and nitrogen) so that it can detect hatch closure from the cabin pressure curve, in addition to reed switches and/or FET-type proximity switches. Manual action is required to unstow the hatch and swing it on its hinges towards the closed position. Once it is close to closed, a pressure differential develops between the lifeboat and station to force the hatch closed. Once closed, the emergency systems automatically dog the hatch and stabilize the lifeboat atmosphere based on the average pressure over the last six hours, with greatly increased cabin filtration and oxygen partial pressure. This assumes a worst case scenario in which the crew have exerted themselves during the emergency, breathed a poisoned atmosphere due to fire, and lost consciousness or been incapacitated by decompression sickness, having been barely able to release the hatch and move it close enough to closed for the automatic systems to function.
L1-4 Future suit design should incorporate the ability for crew members to communicate
visors down without relying on spacecraft power.
Historical notes: none
ACP Response: Sprint had used the David Clark S1035 ACES a la carte, ignorant of this lack of capability. It is obvious from this report that Sprint would have
required a new suit development had it been pursued. The new Sprint suit requirement will have in-suit radios going
well beyond this recommendation: The worst case bailout survival conditions for Sprint will have crew members widely
separated as they descend and after they land. They need these radios to find each other and make it easy for rescuers
to find them. ACMD will study if a bailout survival mode is feasible for its Stampede/Crew Rover landing system on Mars.
Even if it is not, suit radios will still be incorporated for other requirements. There is no need not to wear them
during transitional phases within vehicles. OpenLuna's baseline mission has only a single crew member, but it is likely
that it will have a radio requirement to communicate suit-to-base-to-Earth, or suit-to-Earth (the latter being less likely
because of the need to stabilize a high gain antenna on the suit itself.) Multi-crew OpenLuna spacecraft are as likely
to land crew in unpressurized landers, so this becomes a requirement for normal operations.
L2-1. Assemble a team of
crew escape instructors, flight directors and astronauts to assess orbiter procedures in the context of ascent, deorbit, and
entry contingencies. Revise the procedures with consideration to time constraints and the interplay among the thermal
environment, expected crew module dynamics and crew equipment capabilities.
ACP Response: This recommendation
is specific to the Space Shuttle and has no applicability to ACP activities.
L2-2. Prior to operational deployment
of future crewed spacecraft, determine the vehicle dynamics, entry thermal and aerodynamic loads, and crew survival envelopes
during a vehicle loss of control so that they may be adequately integrated into the training program.
It just so happens that the Shuttle is the first crewed orbital spacecraft which is inherently unstable in LOC scenarios.
X-15 is the only "classic" example. The SpaceShipOne has bragging rights for being stable enough in all flight modes
that it does not need fly-by-wire. During its X-prize winning flight on 4 October 2004, its power system was deliberately
shut down and reset with no impact on controllability.
ACP Response: No specific response. This recommendation
has already been exceeded by requirements for passive yaw and pitch stability and off-loop manual roll control during main
power failures. A complete loss of control of an ACP piloted spacecraft in a transitional environment is almost impossible,
requiring such gross damage to the spacecraft that loss-of-control will be late indeed in a catastrophic spacecraft emergency,
almost certainly after crew expiration has already occurred. Instead, ACP crews will be concentrating on controlling
the craft during major failures of the guidance and/or control systems, including complete electrical failure.
Future crewed spacecraft vehicle design should account for vehicle loss of control contingencies to maximize the probability
of crew survival.
ACP Response: ACP requires piloted spacecraft stability regimes that allow positive control of the
spacecraft during catastrophic loss of guidance and control systems as a more robust solution than designing for loss of control.
Control of an ACP spacecraft can be maintained well past the point where the Shuttle Orbiter loses control. The worst
case scenario is actually that the craft is stable in pitch and yaw, but winds up inverted in roll, directing the lift vector
downwards. This leads to a rapid increase in heating and aerodynamic loads. If the crew is unable to ascertain
the roll attitude of the craft, they will spin it along the roll axis, so as to distribute the lift vector and emulate a ballistic
entry; this mode is part of the Soyuz spacecraft already.
L2-4/L3-4 Future spacecraft suits and seat restraints should
use state-of-the-art technology in an integrated solution to minimize crew injury and maximize crew survival in [abnormal]
Historical note: Dragon had incorporated swivel seats in its design almost three years
before the SCSIIT report was released.
ACP Response: The pitch-and-yaw stable ACP spacecraft are unlikely to experience massive accelerations anywhere but in the -X direction, and deviations from that direction are likely to remain under 30 degrees, unless the craft has such damage that its modified aerodynamic shape is unstable, a case in which the crew is probably deceased already. The seat restraints and seat structures, as well as all potential debris structures, such as crew consoles, are required to meet a -X 20G requirement, and a 5G environment in all other directions, with a safety factor of 1.5. With this requirement, and adequate suit impact protection (this to account for the excursion from this envelope caused by ground impact during emergencies and the resulting generation of cabin debris), the spacecraft is almost certainly going to outlast the crew in abnormal acceleration environments. There is also a seat impact attenuation requirement to keep the seat from coming loose during brief excursions outside the 20/5G envelope.
L2-5 Incorporate features into the pass-through slots on the seats so that the slot will not damage the strap.
ACP Response: Noted and will be passed on to the seat contractor when development of a spacecraft is undertaken.
It is of no matter to a concept design and therefore beyond the scope of ACP's activities.
L2-6 Perform dynamic testing of straps and testing of straps at elevated temperatures to determine load-carrying capabilities
under these conditions. Perform testing of strap materials in the high-temperature/low-oxygen/low-pressure environments
to determine material properties under these conditions.
ACP Response: Another detail item to pass on to a subcontractor. It will be implemented when development of a spacecraft
L2-7. Design suit helmets with head protection as a functional requirement, not just as a portion of the pressure garment. Suits should incorporate conformal helmets with head and neck restraint devices, similar to helmet/head restraint techniques used in professional automobile racing.
Historical note: The suit-mounted helmet is actually a fairly "recent" development, and does have its advantages in freedom
of movement and comfort, as well as the ability to assemble them. All of the "classics" except Apollo used "head mounted"
helmets with impact protection, especially on X-15 (where it probably saved a pilot's life during a crash.)
ACP Response: ACP is likely to go with mechanical counter pressure (MCP) suits in future spacecraft designs. This means that there will be two small vapor pressure envelopes in the groin and head areas, the former for waste management, and the latter for respiration. Everywhere else in the suit, the shell of the suit resists the expansion of the body by direct pressure. The consequences of a suit depressurization are likely to be more severe, but a mishap is less likely to result in such a depressurization. MCP suits are very conducive to "head-mounted" helmet systems. In the event that ACP adopts a pressure-envelope transition suit for its spacecraft designs, the suit-mounted helmet becomes preferable. In this case, a head-mounted impact system will be worn in addition to the pressure-envelope helmet. This will allow a full range of lateral movement, but somewhat limited up/down movement. Under accident conditions, the head-mounted impact cushion will strike the inside of the pressure-shell helmet, and the neck will be prevented from reaching any extreme flexion or extension condition by the impact helmet contacting the pressure-shell helmet.
L2-8. The current shuttle inertial reels should be manually locked at the first sign of an [abnormal] situation.
ACP Response: Specific to Shuttle, no response.
L2-9. The use of inertial reels in future restraint systems should be evaluated to ensure that they are capable of protecting
the crew during [normal] and [abnormal] situations without active crew intervention.
ACP Response: It should be possible to have a lock engage the reel brake past a certain G-limit in any direction. In a worst case scenario, an electronic "heartbeat" from the guidance system should be available. When the guidance system detects a loss of control, or a G-limit exceedance within controlled flight, it halts the heartbeat signal, and the reel brakes engage. This, and an associated "loss of control" tone or vocal annunciation (i.e.: "[WHOOP WHOOP] OUT OF CONTROL [WHOOP WHOOP] OUT OF CONTROL"), can signal loss of control to the crew before there is any significant departure of the craft from its last commanded attitude. An electrical or guidance failure, of course, will also stop the heartbeat and brake the reels. If this latter option is exercised on the two-axis stable low lift ACP spacecraft models desired, the crew can begin exercising emergency control of the third axis immediately, either spinning up the craft, or flying manually according to third source
The Sprint pattern spacecraft (including the Orion CEV) take the approach that eliminates the need for fully
functional inertial reels during transitional phases by putting all required controls within reach of the crew members in
the fully restrained position.
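The heartbeat-gated reel brake described above, as an added example that is not ACP's own code: the guidance side withholds its beat on loss of control or a G-limit exceedance, and an independent deadman timer on the reel engages the brakes whenever the beats stop, so an electrical or guidance failure brakes the reels without any message at all. The G-limit, heartbeat period and two-missed-beat threshold are assumed values, and the three scenarios are constructed.

```python
# Added illustration of a heartbeat-gated inertial reel brake (not ACP's own code).
# The G-limit, heartbeat period and missed-beat threshold below are assumed values.

G_LIMIT = 5.0               # assumed per-axis limit (g) while under control
HEARTBEAT_PERIOD_MS = 100   # assumed guidance cycle
MISSED_BEATS = 2            # brakes engage once this many consecutive beats are missing
LOC_TONE = "[WHOOP WHOOP] OUT OF CONTROL"


class GuidanceHeartbeat:
    """Guidance side: emits a beat only while flight is controlled and within G-limits."""

    def __init__(self):
        self.annunciations = []   # (time_ms, message) issued to the crew

    def cycle(self, t_ms, accel_g, loss_of_control):
        """One guidance cycle. Returns True if a heartbeat is emitted this cycle."""
        over_g = max(abs(a) for a in accel_g) > G_LIMIT
        if loss_of_control or over_g:
            # Withholding the beat is the command; the reel needs no message to brake.
            self.annunciations.append((t_ms, LOC_TONE))
            return False
        return True


class ReelBrake:
    """Reel side: a deadman timer with no dependency on guidance being alive."""

    def __init__(self):
        self.last_beat_ms = None
        self.engaged_at_ms = None

    def heartbeat(self, t_ms):
        self.last_beat_ms = t_ms

    def monitor(self, t_ms):
        """Poll the timer; once engaged the brake latches until reset on the ground."""
        if self.engaged_at_ms is not None:
            return True
        silent = (self.last_beat_ms is None
                  or (t_ms - self.last_beat_ms) >= MISSED_BEATS * HEARTBEAT_PERIOD_MS)
        if silent:
            self.engaged_at_ms = t_ms
        return silent


def run_scenario(samples, power_fail_ms=None):
    """samples: list of (t_ms, (ax, ay, az) in g, loss_of_control).
    A power failure simply stops guidance cycles from power_fail_ms onward.
    Returns (brake_engage_time_ms or None, annunciations)."""
    guidance, reel = GuidanceHeartbeat(), ReelBrake()
    reel.heartbeat(samples[0][0])          # guidance alive at the start of the window
    for t_ms, accel_g, loc in samples:
        powered = power_fail_ms is None or t_ms < power_fail_ms
        if powered and guidance.cycle(t_ms, accel_g, loc):
            reel.heartbeat(t_ms)
        reel.monitor(t_ms)
    return reel.engaged_at_ms, guidance.annunciations


def nominal_entry():
    """Constructed: steady -X deceleration of 3 g, everything working."""
    samples = [(t, (-3.0, 0.1, 0.0), False) for t in range(0, 1100, HEARTBEAT_PERIOD_MS)]
    return run_scenario(samples)


def g_limit_exceedance():
    """Constructed: controlled flight, but a 6 g transient begins at 500 ms."""
    samples = [(t, (-6.0 if t >= 500 else -3.0, 0.1, 0.0), False)
               for t in range(0, 1100, HEARTBEAT_PERIOD_MS)]
    return run_scenario(samples)


def electrical_failure():
    """Constructed: benign loads, but guidance loses power at 500 ms (no tone possible)."""
    samples = [(t, (-3.0, 0.1, 0.0), False) for t in range(0, 1100, HEARTBEAT_PERIOD_MS)]
    return run_scenario(samples, power_fail_ms=500)
```

In both failure scenarios the brakes engage two cycles after the last beat; only the G-limit case produces the annunciation, since a dead guidance system cannot generate a tone.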
L3-1. Future vehicles should incorporate a design analysis for breakup to help guide design towards the most graceful
degradation of the integrated vehicle systems and structure to maximize crew survival.
ACP Response: This recommendation sounds rather funny on its face, but its essence has probably already been adopted
in what ACP calls, "backup recovery mode" and "uncommanded abort". Due to the nearly inviolable importance of the entire
descent module structure in ACP spacecraft designs, it is not possible to implement this recommendation within the descent
module. In Sprint, the cabin and essential systems are packed fairly tightly into the aerodynamic shape. Redundant
systems are widely spaced to minimize the loss of an entire function. Pressure vessels other than the cabin itself will
be designed to depart the craft before they fail in the event of an entry burnthrough or impact, but there could still be
the problem of one being crushed between the cabin and an external object (most likely the ground) in an impact, thus causing
a burst and release of the vessel's contents (known pressurized fluids are nitrogen, oxygen and hydrogen peroxide, the latter a desirable alternative to hydrazine as an RCS propellant because of the differences in toxicity in precisely this sort of situation).
The specifics of backup recovery and uncommanded abort are essential to crew ferry ascent. Sprint is intended to
allow the crew to survive the sudden catastrophic failure of its launch vehicle. This limits launch vehicle configuration
selection in some cases because if the launch vehicle flight termination is incomplete during an abort, still thrusting elements
can chase down the fleeing descent module and destroy it. This rules out the use of any solid motors for main propulsive
power in Sprint's launch vehicle, and ironically, its originally chosen launch vehicle, the Delta II 7920H. Fortunately,
the experience of the Atlas V has been a positive one and is therefore available for Sprint consideration, configurations
401, 402, 501, 502, and HLV. The main Ascent Roadmap boosters for Sprint are the Kilder and Lilmax, depending on delivery
energy and chosen capacity.
The "uncommanded abort" mode is used when the craft (or its backup recovery module) suddenly finds itself in a situation
so abnormal that normal flight seems unattainable. If the Shuttle's forward fuselage were designed as such a module,
it would have found itself in precisely such a situation at T+74 seconds during STS-33, and EI+940 (approximately) during
STS-107. A colloquial translation of its automated actions would be "oh, crap...time to deal with this abort!"
In STS-107's case, this may have included deliberately severing itself from the rest of the orbiter well before what the SCSIIT
report calls the "catastrophic event", when the orbiter came apart. The Sprint includes an impact shield underneath
its descent module designed to attenuate the impact forces of a major launch vehicle failure and its attendant debris.
Sprint's normal abort modes are much more benign.
L3-2. Future vehicles should be designed with a separation of critical functions to the maximum extent possible and robust protection for the individual functional components when separation is not practical.
L3-3. Future spacecraft design should incorporate crashworthy, locatable data recorders for accident/incident flight
ACP Response: Separation is not practical in the ACP baseline designs, but is still done to the maximum practical extent.
Secondary protection is therefore provided. One of the important aspects of this is that if the crew can't survive unfolding
disaster, many of these critical systems are integral with the "black boxes" for data preservation. It is therefore
preferred to have them detach from the spacecraft before they are completely destroyed.
L3-5. Evaluate crew survival suits as an integrated system that includes boots, helmet, and other elements to determine
the weak points, such as thermal, pressure, windblast, or chemical exposure. Once identified, alternatives should be explored
to strengthen the weak areas. Materials with low resistance to chemicals, heat, and flames should not be used on equipment
that is intended to protect the wearer from such hostile environments.
ACP Response: After reading the SCSIIT report, ACP has concluded that the existing David Clark S1035 ACES is inadequate.
This means that we will be working on a new integrated safety suit. Also, different ACP projects have different suit
requirements. OpenLuna's is the most novel, since the suit actually doubles as the crew cabin for early missions.
This is a requirement that can't be met by the ACES, even if accident survival were not an issue.
A1. In the event of a future fatal human space flight mishap, NASA should place high priority on the crew survival aspects
of the mishap both during the investigation as well as in its follow-up actions using dedicated individuals who are appropriately
qualified in this specialized work.
ACP Response: Since OpenLuna is a small organization, and ACP one even smaller, we must coordinate with government investigative
and recovery organizations as applicable during accidents. It is also highly desirable to extend this recommendation
to any failures of crew spacecraft that are in unpiloted testing. In order to develop qualified individuals within the
ACP and OpenLuna organizations, "no-win" simulations will be extended into the investigation phase.
A2. Medically sensitive and personal debris and data should always be available to designated investigators but protected
from release to preserve the privacy of the victims and their families.
ACP Response: See below, as the responses to A2 and A3 are the same.
A3. Resolve issues and document policies surrounding public release of sensitive information relative to the crew during
a [ACP/OL] accident investigation to ensure that all levels of the agency understand how crew survival investigations should
ACP Response: This matter needs to be treated more thoroughly at ACP and OpenLuna. Some crew members may feel more comfortable with open release. For some, additional discomfort may result from certain crew survival information. For instance, the fates of the S1035 ACES suits worn by the crew of STS-107 are published. It is very easy to extrapolate what happened to the crew members inside them, even though that specific information has been redacted. ACP and OpenLuna plan to discuss release issues with crew members and crews prior to embarking on missions, rather than develop a blanket policy for all missions. Having said that, a blanket policy is appropriate once spaceflight becomes more routine.
A4. Due to the complexity of the operating environment, in addition to traditional accident investigation techniques,
spacecraft accident investigators must evaluate multiple sources of information including ballistics, video analysis, aerodynamic
trajectories, and thermal/material analysis.
ACP Response: After Columbia Project, as part of our mandate to understand and apply the lessons of the STS-107 tragedy,
has conducted its own analysis of publicly available information. Our conclusions about which visible debris was the
crew module in the available videos and the timing of the catastrophic events for the orbiter and crew module are in perfect
agreement with the SCSIIT conclusions, despite our lack of expertise. It will be difficult, but it is probably necessary
for After Columbia Project and OpenLuna to employ the same personnel and disciplines of normal operations and accident investigation,
as NASA already has.
A5. Develop equipment failure investigation marking ("fingerprinting") requirements and policies for space flight programs.
Equipment fingerprinting requires three aspects to be effective: component serialization, marking, and tracking to the lowest
assembly level practical.
ACP Response: This "fingerprinting" schema is already essential to space-grade quality assurance and knowledge of operational
hardware characteristics, especially if that hardware is reusable.
A6. Standard templates for accident investigation data (document, presentation, data spreadsheet, etc.) should be used.
All reports, presentations, spreadsheets, and other documents should include the following data on every page: title, date the file was created, date the file was updated, version (if applicable), person creating the file, and person editing the file (if different from author).
ACP Response: After Columbia Project already uses this practice for design notes. We have also adopted a date-based
versioning system of yymm, for example 0901A for the first serial version of a document created in January 2009. This
can easily be extended to the yymmdd system used by Martin Schweiger's Orbiter Simulator project. Accident investigation
information will be extended from this documentation schema.
[Even though Featherwing Love faces no prospect of a space accident, the same dating system is used in its internal
files as well. Base versioning has been added to chapter numbers.]
A7. To aid in configuration control and ensure data are properly documented, report generation must begin early in the
ACP Response: Accident report generation would be a natural extension of the existing documentation practices.
After Columbia has already learned the importance of generating structured reports early in investigation processes.
Due to the time- and labor-limited nature of After Columbia's early studies, most notably Mars Challenger, they were conducted
much as investigations. The lesson of establishing the report early was part of setting the goals for the project.
We have already learned this lesson.
A8. As was executed with Columbia, spacecraft accident investigation plans must include provision for debris and data preservation and security. All debris and data should be catalogued, stored, and preserved so they will be available for future investigations or studies.
ACP Response: This recommendation is noted and will be implemented. It is also noted that timely and responsive
access to normal mission databases is also required.
A9. Post-traumatic stress debriefings and other counseling services should be available to those experiencing ongoing
stress as a result of participating in the debris recovery investigation. Designated personnel should follow up on a
regular basis to ensure that individual needs are being met.
ACP Response: The need for this recommendation requires an actual accident to take place. In that event, counseling will be available to applicable personnel on a case-by-case basis. It may take a different form than those envisioned by NASA, however.
A10. Global Positioning System receivers used for recording the latitude/longitude of recovered debris must all be calibrated
the same way (i.e.: using the same reference system) and the latitude/longitude data should be recorded in a standardized
ACP Response: We are already accustomed to decimal format locations from Orbiter simulations. It is likely we will
continue to use that format for locating both normal operation (i.e.: fallen stages and landing points) and accident recovery
A11. All video segments within a compilation should be categorized and summarized. All videos should be re-reviewed
once the investigation has progressed to the point that a timeline has been established to verify that all relevant video
data are being used.
ACP Response: The recommendation is interpreted that a first review should be used to establish a timeline and each video
segment's place within it, synchronized as well as possible. The compiled video timeline then needs to be audited with
a review of each contributed segment to find missing segments, segments with erroneous synchronization, and possibly duplicate
segments misplaced in the compilation. One of the errors detected by After Columbia (and later corrected by the CAIB
before it was reported) was that the first "eastern" segment of the old timeline (not counting the SCSIIT "NBC video") was
placed in the timeline some thirty seconds later than it actually occurred. After Columbia was slow to get to analyzing
STS-107 video and didn't have a lot of faith in our abilities until we watched this correction unfold. As a result of
this (and the intervening two years experience of video production elsewhere by one of our members), we are quite confident
that After Columbia Project can provide competent analysis of accident visual footage.
A12. [ACP can't find a recommendation corresponding to this designator]
A13. Studies should be performed to further characterize the material behavior of titanium in entry environments to better
understand optimal space applications of this material.
ACP Response: After Columbia does not have the resources for these material tests; however, we expect those tests to be made or contracted by NASA and the results published by AIAA or a similar organization. Results of tests such as these will be sought out by After Columbia as required during the material selection phases of system design.
After Columbia Sprint Spacecraft Design Response:
Of the following, the five "lethal events" were uncovered by the SCSIIT and are put in italic. After Columbia Project
has gone on to identify a number of events which can kill the vehicle or otherwise lead to one of these five.
1. Vehicle guidance failure
Hardware must be radiation-interference qualified in case-integrated form, whether the hardware is custom or off-the-shelf. The hardware qualification test should be run overclocked and running a program that puts the internal circuitry through maximum stress, and obviously with software that can detect any glitch in the hardware. It should also be run in the operational radiation environment in case-integrated form while running flight-like software, both overclocked and at normal space-rating speed (if off-the-shelf hardware is used, its normal speed may be "overclocked" according to the desired space rating; modern consumer hardware produces thousands of times as much computing firepower as flight guidance systems need, so this can be expected). Totally fault-free operation is not actually required, but the software must be designed to handle any expected hardware glitch modes that occur. Fatal glitches that the software can't recover from are obviously unacceptable.
Guidance should be designed to be single fail operational/dual fail safe. Sprint will use three guidance computers
running primary software, and a fourth running backup software capable of giving the pilot inertial reference states.
This is slightly less robust than the Shuttle, but Sprint, during entry, is stable in two axes and trimmed to the desired
pitch and yaw attitudes except during certain emergencies. Failures beyond dual fail safe go to the backup modes for
an electrical failure, even if there isn't an actual electrical failure.
2. Vehicle control failure
Control hardware consists of the systems that actually interact with the environment around the craft to make changes to the craft's velocity vector or attitude. In the Shuttle, this includes the elevons, rudder and body flap; in SpaceShipOne, it includes the elevons, tailplane, rudders, and the so-called "feather" mechanism (which is essentially a huge set of elevators).
In Sprint, actual control hardware consist only of thrusters during entry. Sprint does include a ram-air parachute,
and its brake lines are control devices. There are many ways that this system can fail, and all ones that we can foresee
(including fatal ones), must be accounted for in the operational risk assessment. With vehicle control, stability and
simplicity are good things. The Shuttle has neither, but with both, a total loss of control is almost impossible.
The Shuttle also demonstrates that a vehicle can be made so that complexity and instability can be accommodated, but not easily.
While the control failure of STS-107 was not independent of other damage, the crew apparently assumed it was, and also,
other damage which leads to loss of control hurts your odds of surviving an accident.
The most likely cause of control failure to a Sprint type spacecraft during ascent is an uncommanded abort, which is
sterile language for a catastrophic failure of the launch vehicle or the payload interface with it. This can be a survivable
event in a properly designed spacecraft in a properly designed ascent profile, but commanded aborts are preferable to maintain
positive control of the spacecraft during all phases of the emergency. To this end, the launch vehicle must be able
to command a nondestructive shutdown, and therefore is not allowed to use solid motors for main thrust. During on-orbit
operations, the most likely failure is a thruster malfunction. This is prevented by robust guidance, electrical, and
thruster design, along with backup power for closing latching pre-valves in case of a complete electrical failure (this may
be important in the aftermath of a docking collision, where damage to both thrusters and the electrical system may occur.)
Sprint is unlikely to suffer a loss of control during entry, as it is stable in two axes. In the case of a guidance,
control, or electrical failure, backup thruster power can be used to spin the craft up to abort onto a ballistic trajectory.
The spinning dissipates the craft's lift vector in all radial directions, effectively eliminating it. It is a mode of
the Soyuz craft already, perhaps a famous one. After entry, the ram-air parasol Sprint uses to descend is quite complex
and more prone to failure, but at this point, the integrity of the craft is not as critical, as the crew can bail out into
a survivable environment.
3. Vehicle structural failure
Guarding against the consequences of structural failure is nearly impossible, so the trick is to prevent the structure from
failing in the first place. Fortunately, the most expected way structures fail is thermal failure during entry (which will
also result from many ascent failures.) It is also rather predictable where a structure compromised by entry heat will fail:
at the point where the peak thermal load and peak structural loads coincide. After Columbia calls this the "Peak Loads Region",
while the Shuttle Program calls it the "Equilibrium Glide Phase". During STS-107, OV-102 Columbia's left wing failed shortly
before reaching this point, emphasizing just how severe her damage was.
Structural failure is the likely proximal cause for a Sprint-type spacecraft control failure during entry, since in order
to have a three-axis loss of control for a Sprint spacecraft, stability in one of the two stable axes must be lost.
Even with a thruster malfunction, by the time the Sprint is in the peak loads region, the only way to cause this is through
structural damage. Structural failure of any craft can be the proximal cause of failures in other systems. For
example, when OV-102 Columbia and OV-099 Challenger severed the forward fuselage at the Xo582 ring frame in their respective
final missions, the electrical and data connections between the computers forward of this frame and the fuel cells aft of
it could no longer be maintained, leading to a complete loss of all electrical power and guidance. Control was already
lost in both cases, but had it not been, the command and data paths between the guidance computers and all operational control
devices were lost. The forward fuselage has available only the nose landing gear and forward reaction control pod, and
is itself impossible to stabilize in the peak loads region, as is the naked crew cabin without the forward fuselage structure
around it. A vehicle like the Shuttle has the crew in a relatively small part of it, so it may be possible to design
a partial vehicle backup recovery mode into it, but for the Shuttle orbiter itself, it would be very difficult indeed.
Sprint's crew cabin is too large compared to the rest of the descent module to accommodate this; however, the descent module
forms the backup recovery module of the larger vehicles that Sprint can form a subset of, most importantly its ascending booster,
but also space stations and interplanetary spacecraft.
4. Vehicle electrical failure
Electrical failures can be partial or total. It is important, if possible, to keep the systems most essential to
the particular phase of flight powered. For ascent, entry and docking, these are the guidance and control systems.
For on-orbit phases, this is life support. The ascent, entry, and docking phases are referred to together as "transitional
phases" (hence references to "transitional suits", worn during these periods to provide emergency ambient pressure and life
support to the crew members individually should their cabin environment be compromised by an accident, which is, needless
to say, most likely during these transitional phases.) Ideally, a power system would be designed with main and backup
sources. Since Sprint uses only batteries, it has only a single modular main source; however, some craft use fuel cells
or solar wings to provide main power. These craft should have secondary sources in close proximity to essential loads,
unlikely to be severed by structural failure. The most obvious of these is the inertial black box. On Sprint,
the guidance computer, inertial measurement unit, flight data recorder, and a single discharge battery are combined into one
rugged unit. It is our intention that this unit will survive and continue recording through a catastrophic accident
all the way to impact. It is also our intention that all three main computers, and possibly even the backup computer,
all have this functionality. A separate lighting unit and voice data recorder form another black box. This implements
SCSIIT Recommendation L3-3 in addition to creating a guidance system that should theoretically outlast the crew many fatal
Systems on Sprint which have backup power in the form of single discharge batteries (most likely lithium-iodine or lithium-thionyl
chloride primary cells) are cabin lighting, guidance, and manual thruster control. These systems are not interconnected,
so backup guidance power, for example, can't activate the thrusters and is for its state recording functions only in a total
electrical failure. This implements SCSIIT Recommendation L3-2, separation of critical functions, during accident scenarios.
5. Pilot error
The first line of defense against pilot error is excellent crew training, procedures and documentation, but the guidance
system and crew interface can be designed to detect "this is stupid" exceptions and require confirmation for certain
major actions. Store till (cash register) systems have such alerts, so implementing them in a piloted spacecraft should not be
too steep an expectation. One thing that will make pilot error less likely is to require fewer critical pilot inputs. Another
is automated configuration checking, something already seen in spacecraft modules for the Orbiter Simulator (the one by Martin
Schweiger). A further line of defense is to make a craft more tolerant of pilot errors that actually get implemented
by the guidance and/or control systems. If the pilot doesn't realize that he has made an error, it may be that he doesn't
realize that an emergency is developing, and so to him it may appear that a major system error has occurred, in which case
he will respond as though it is one of the other four vehicle failure categories. The last line of defense is therefore
the set of defenses for the other failure categories, where the proximal (or apparent) cause of the failure is pilot error.
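How a "this is stupid" gate and automated configuration checking fit together, as an added illustration (not After Columbia Project code): major actions that begin a transitional phase are checked against the crew and cabin configuration, and proceed only after explicit confirmation when exceptions exist. Action names, configuration fields and the sample crew are constructed.

```python
"""Automated configuration checking with "this is stupid" exceptions.
Added illustration, not After Columbia Project code; action names,
configuration fields and the sample crew are constructed."""
from dataclasses import dataclass

# Constructed: actions after which the crew is in a transitional phase.
TRANSITIONAL_ACTIONS = {"launch_commit", "deorbit_burn", "undock"}
# Constructed: actions serious enough to be gated at all.
MAJOR_ACTIONS = TRANSITIONAL_ACTIONS | {"cabin_vent"}


@dataclass(frozen=True)
class CrewMember:
    name: str
    suit_donned: bool
    gloves_mated: bool
    helmet_on: bool
    restrained: bool


@dataclass(frozen=True)
class CabinConfig:
    hatch_sealed: bool
    crew: tuple


def transitional_exceptions(cfg: CabinConfig) -> list:
    """Everything that should be true before a transitional phase begins:
    hatch sealed, every crew member fully suited and restrained."""
    issues = []
    if not cfg.hatch_sealed:
        issues.append("hatch not sealed")
    for m in cfg.crew:
        if not m.suit_donned:
            issues.append(f"{m.name}: transitional suit not donned")
        if not m.gloves_mated:
            issues.append(f"{m.name}: gloves not mated")
        if not m.helmet_on:
            issues.append(f"{m.name}: helmet not on")
        if not m.restrained:
            issues.append(f"{m.name}: not restrained in seat")
    return issues


def request_action(action: str, cfg: CabinConfig, confirmed: bool = False):
    """Gate a pilot input.  Returns (decision, exceptions) where decision is
    EXECUTE or CONFIRM_REQUIRED.  The gate never blocks outright: the crew
    can always confirm, but must do so knowingly, with the exceptions listed."""
    if action not in MAJOR_ACTIONS:
        return "EXECUTE", []
    issues = []
    if action in TRANSITIONAL_ACTIONS:
        issues = transitional_exceptions(cfg)
    elif action == "cabin_vent":
        # Deliberately venting the cabin is only sane if everyone is suited.
        issues = [f"{m.name}: not suited for vacuum" for m in cfg.crew
                  if not (m.suit_donned and m.gloves_mated and m.helmet_on)]
    if issues and not confirmed:
        return "CONFIRM_REQUIRED", issues
    return "EXECUTE", issues


if __name__ == "__main__":
    cdr = CrewMember("CDR", True, True, True, True)          # constructed
    ms1 = CrewMember("MS1", True, False, False, True)        # gloves, helmet missing
    cfg = CabinConfig(hatch_sealed=True, crew=(cdr, ms1))
    print(request_action("deorbit_burn", cfg))               # CONFIRM_REQUIRED
    print(request_action("deorbit_burn", cfg, confirmed=True))  # EXECUTE, issues logged
```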
The SCSIIT believes that the crew of STS-107 did not realize that a catastrophic emergency had developed until the "Catastrophic
Event", when the forward fuselage separated from the mid fuselage, taking most of the Xo582 ring frame with it, disabling
the power, and leading to a significant relief of the acceleration felt by the crew. The SCSIIT also believes that crew
members with the suits properly donned would lower their visors to save themselves even if other members of the crew did not
have their suits fully donned. The STS-107 crew trained together for over two years before flying this mission, so it
seems very unlikely to After Columbia Project that these two events occurred. The SCSIIT report confirms that this crew
was so tightly knit that they conducted a launch and ascent simulation lasting several hours without saying a single word.
The SCSIIT apparently ignored the emotional connections such training and discipline are likely to generate, or possibly
figured it was potentially too painful for themselves or the astronauts' families to publish more well thought out speculation
about how they behaved after loss of signal. After Columbia Project believes that the members of the crew who had properly
donned suits knew that three of their number had not mated their gloves and that one had not put on his helmet. (Incidentally,
ACP's speculation on exactly which crew members were missing gloves and which one was missing his helmet was accurate from
September 2003 and confirmed by the SCSIIT report.) All four of the crew members who had their suits properly donned
had military experience. They are likely to have felt that they would be betraying their unprepared crewmates by abandoning
the vehicle (so to speak) and looking after their individual survival. They therefore decided to work to save the vehicle
on the assumption (which they probably knew was incorrect) that she could somehow be saved. This means that After
Columbia Project is less certain than the SCSIIT about when the cabin depressurized, but we still believe it was related to
the catastrophic event: most likely a twisting of the tunnel adapter interface with the crew module, which broke open
the skin between the mid deck and lower compartment and forced the crew module into the forward fuselage, breaking open
Volume E, the lower compartment locker from which debris was found far west of the crew module structural debris, indicating that
it had broken open long before the crew module was destroyed.
1. The first event with lethal potential was depressurization of the crew module, which started at or shortly after
The Sprint spacecraft pattern protects against this event at the cabin level, but not against the wholesale breakup of
the descent module. A craft like the Shuttle should protect against this event for the breakup of the vehicle aft of
the Xo582 ring frame, or its equivalent (i.e.: the small space between the oxidizer tank and cabin aft bulkhead on SpaceShipOne.)
Protecting against this event requires thermal and structural protection, and possibly protection against debris-to-debris
interaction during the breakup event of an uncommanded abort. A major design decision taken by the Ascent Roadmap is
a moratorium on the use of solid rocket motors for main thrust in any launch vehicle carrying a crew spacecraft, since there
is no way to shut down a solid motor without risk of destroying the launch vehicle, and an unaborted solid motor can chase
down and ram a fleeing crew module or ejected crew member.
Cabin depressurization can and should be protected against at the suit level as well, but this should not be the primary means
of protecting the crew. An acceptable (if not yet viable) alternative to the pressure suit is a pressure capsule made
as part of the crew member seat package, able to automatically encapsulate the crew member or passenger quickly enough to
counteract the effects of a rapid depressurization, or on command from vehicle guidance (or on the seat controller's loss of contact
with spacecraft guidance or electrical power) prior to a near-certain depressurization of the cabin. This would isolate
crew members from vehicle controls and so should not be employed for crew members who must be available to take action during
an emergency, if possible. If a craft is deemed reliable enough at the vehicle level, and robust enough at the cabin
level, that cabin depressurization can be expected less than once in 10,000 transitional events, the transitional protection
suit can be removed from the design. We are a long way from achieving this goal.
2. The second event with lethal potential was unconscious or deceased crew members exposed to a dynamic rotating load
environment with nonconformal helmets and a lack of upper body restraint.
The problems on the Shuttle were threefold: First, the Shuttle is only barely stable whole and both the forward fuselage
and naked crew module are unstable in all three axes. This complete loss of control is required to cause the random
acceleration environment criticized above. The second problem was the failure of the seat restraints, both due to inadequate
seatbelt reels and the need for them in the first place. Not everything that the crew needs to reach during transitional
phases can be reached from the fully secured position in the seat. The final problem is the poor design of the ACES
helmet and bone dome.
Note that all of this has been previously described. This event is guarded against by the
Sprint pattern spacecraft primarily through the use of passive stability, preventing the loss of control which leads to the
dynamic rotating environment. Loss of control is also guarded against by protecting the guidance, control, and electrical
systems and providing manual stabilization backups. The Sprint crew interface is designed so that everything that the crew
needs to access during transitional phases is within reach from the secured position in the seat, eliminating the need for
inertial reels. Sprint then provides further protection at the seat and suit level by requiring suits to have impact
protection. A pressure-shell mounted helmet requires the crew member to wear an impact protection helmet or "bone dome"
underneath it. A conformal helmet mounted directly on the head is also acceptable, although interference must be provided
by either the suit or seat in the fully restrained position to keep the neck from bending beyond reasonable limits. The
downside to all this is that if Sprint suffers damage similar to that Columbia experienced on STS-107, entry plasma is likely
to enter the cabin before departure from controlled flight and before the crew loses consciousness. Crew members might
have the unfortunate experience of observing the effects of entry plasma on their colleagues and themselves, something which
would probably be psychologically very difficult for potential survivors to recover from.
3. The third event with lethal potential was separation from the crew module and the seats with associated forces,
material interactions, and thermal consequences. This event is the least understood due to limitations in current knowledge
of mechanisms at this Mach number and altitude. Seat restraints played a role in the lethality of this event.
4. The fourth event with lethal potential was exposure to near vacuum, aerodynamic
accelerations, and cold temperatures.
The current state of the art cannot account for an uncommanded separation of individual crew members. Therefore
the uncontrolled breakup of the crew cabin must be avoided at all costs. This can be provided for either by providing
means of controlled separation of the crew members from the cabin, such as ejection seats or bailout provisions, by
investing heavily in preserving the cabin itself, or by some combination. Sprint takes the approach of investing heavily
in the cabin and the descent module immediately surrounding it, while providing a modest bailout capability. The specifics
of cabin level protection include:
- a minimum of cabin penetrations (which precludes the use of ejection seats)
- a payload escape system, which includes a booster escape system, backup maneuver motor, and base impact shield.
- a robust descent module, made in a shape and with a design center-of-gravity range that is stable in two axes during supersonic
and subsonic flight (instability in the transonic region can be accommodated in normal operations by the main parachute drogue, and
a brief departure from controlled flight during emergencies can be accepted if the module can decelerate to subsonic speeds and
return to a stable attitude on its own.)
- a self-sealing pressurized cabin with a minimum of hazardous systems inside it.
- a highly robust cabin pressure management system with stubborn logic and plenty of resources.
- a robust main parachute (which is a large ram-air parasol deployed in stages, based on the system tested by the X-38 program)
and two round reserves (which result in a radially offset acceleration vector for the crew.)
- strong reusable impact protection (landing airbags and "runway pond") for the main parasol impact event, and strong single-use
impact protection for the impact events caused by the reserve parachutes (crush struts, crumple zones, and seat mounted crash
airbags to protect against the seats coming loose inside the cabin.)
A side hatch and individual parachutes allow the crew to bail out of the Sprint descent module if all craft parachutes fail,
or if some other circumstance, such as terrain, makes it preferable to land individually rather than with the craft.
The human body is not an aerodynamic shape; moreover, it is highly flexible and aerodynamically unstable in most of
its configurations. It is also difficult to protect from this event. Suits are unlikely to have the ability to
survive even a controlled separation from the cabin followed by a severe entry environment (although OpenLuna proposes a
suit that can survive entry by not having the constraints of a cabin in the first place.) Survival of this event is therefore
best provided at the cabin or capsule level. Sprint chooses the cabin level, and its protection for this event
has already been described.
OpenLuna's suit-level protection is rather un-suitlike in its nature. The suit has
a large backpack/service module which contains the propulsion system, mounts for lander restraints, life support, communications,
and survival kits for both Earth and space (the space kit includes a pressurized "tent", the use of which is not required
in the normal mission mode.) The entry system contains an inflatable paracone, where the suit rests at the apex, with
flexible ablative insulation to survive a high energy entry, and probably provide a small amount of lift to reduce normal
accelerations when returning from the Moon. The crew member will either use the inflatable cone as a parachute, or
somehow bail from or collapse the device to deploy his own parachute. If successful, it may be possible to expand this
system to provide for escape from a lost spacecraft during entry. As with providing parachutes and slide poles, ejection
seats, or whole-aircraft parachutes for current commercial airliners, it is unlikely that such escape systems will be widely
employed. (However, airliner prototypes provide bailout provisions for their small test crews; equivalent systems in
commercial passenger spacecraft are likely.)
5. The final event with lethal potential was ground impact.
The systems for protecting against this event
at the cabin and suit level (parachutes, airbags, crush struts, crumple zones, suit impact protection, aiming at water) have
already been addressed in previous sections and need not be repeated. The exception is crew and passenger training for
the Parachute Landing Fall (PLF), the standard impact protection for people descending on parachutes.
After Columbia concludes
that there is a lot that can be done to improve crew and passenger survival under accident conditions, and that most of these
measures are not being employed in current spacecraft, not even "prime time" spacecraft like SpaceShipOne and other Kármán
Hoppers ('X-prize' class spacecraft designed to provide a trip to an altitude of more than 100 km and several minutes of weightlessness.)
All spacecraft designers should seriously consider all of these options in new spacecraft designs. Not all of them can
be employed simultaneously, but with sound judgment, a solution ideal to a particular mission can be identified and employed.