of the Presidential Commission on the Space Shuttle Challenger Accident


[85] PART 2




The space shuttle Atlantis on launch pad 39-B at KSC (Oct. to Nov. 1986) for testing of new weather protection structures, launch team proficiency training and emergency egress simulations.

The space shuttle Atlantis on launch pad 39-B at KSC (Oct. to Nov. 1986) for testing of new weather protection structures, launch team proficiency training and emergency egress simulations.




Several activities are under way or planned to support the safe return to flight that are not directly related to the Commission recommendations. These include:

The program requirements for flight and ground system hardware and software are being updated to provide a clear definition of the criteria that the project element designs must satisfy.

The NSTS system designs have been reviewed, and items requiring modification prior to flight have been identified.

Existing and modified hardware and software designs are being verified to ensure that they are compliant with the design requirements.

The program and project documentation, which implements the redefined program requirements, is being reviewed and updated.

Major testing, training, and launch preparation activities are continuing or are being planned.



Design Requirements Review (DRR)

The DRR process, begun in the spring of 1986, is a programmatic review of NSTS 07700, Volume X, Space Shuttle Flight and Ground System Specification, and the Shuttle Interface Control Documents (ICD's).

Volume X identifies the basic requirements that the element hardware must be designed and certified to meet. The ICD's define the electrical, fluid, and mechanical interfaces between the elements and between the elements and the ground support systems.

Reviews are being conducted by each element contractor, the system integration contractor, and NASA. Proposed changes to amplify, add, or delete requirements are being presented to the element projects to establish a recommended list of changes. The list is reviewed by the NSTS Engineering Integration Office for resolution of the change recommendations. Changes approved by this office are submitted to the Program Requirements Control Board (PRCB) for approval.

When complete, the DRR process will provide the NSTS Program with improved, updated documentation of the design requirements and will ensure that each project element has a clear understanding of the criteria that its design must satisfy.


System Design Review (SDR)

The NSTS Program initiated the SDR process to ensure review of all concerns [88] related to hardware and software performance in the mission environment and to identify items requiring redesign, analysis, or test prior to flight. Each organizational element of the program participated in this process. SDR items originated from design or test issues, prelaunch operations experience, in-flight operations or anomalies, postflight inspection or analyses, and other design or operations assessments. The review included a thorough description of the system issue, its potential consequences, recommended corrective action, and alternatives. Three categories were established to prioritize the changes:



The failure modes and effects analysis (FMEA)/Critical Items List (CIL) reviews of flight hardware, software, and ground support equipment also identified items requiring redesign, analysis, and/or testing before first flight. The major system changes for each element project that resulted from the SDR and the FMEA/CIL reviews are summarized below.

Orbiter. The orbiter SDR identified approximately 60 Category 1 system or component changes. Other changes were identified that will be installed on the vehicle for later flights. These changes are necessary to gain additional systems margin and to minimize risk. Figure 43 reflects several of the more important orbiter modifications.

Two of the changes for the first flight involve the main propulsion system and the reaction control system. A positive latch-open design feature for the main propulsion system disconnect valve between the orbiter and the external tank is being developed to ensure that the valve remains open during...



Figure 43. Drawing of Major Orbiter Modifications.

Figure 43. Major Orbiter Modifications.


[89]....powered flight, even if an electrical failure occurs. The orbiter reaction control system engines, which provide on-orbit attitude control, are being modified to turn off automatically if they experience thrust instability and/or chamber wall burn-through.

Two significant design changes in the orbiter thermal protection system (TPS) have been approved. The TPS in the wing elevon cove region has been damaged on several flights, and a detailed redesign will be implemented before the next flight. A new carbon-carbon panel is being developed to replace the TPS tiles on the forward end of the orbiter between the nose cap and the nose wheel door. This panel will be phased into the flight vehicles after its verification program is completed.

Another first-flight design change in process is the addition of an electrical interlock to the auxiliary power unit tank shut-off valves to preclude electrical failures that could overheat the valves and cause decomposition of the fuel (hydrazine). Alternating current-motor valve bellows in the orbital maneuvering system that have leaked because of improper manufacturing procedures are being replaced on a priority basis.

An improved design for the fuel cell power unit subsystem is being implemented to provide an alternate path for removing water generated by the fuel cells. This new path provides greater physical separation from the other two paths and reduces the possible loss of water-removal capability for a single freezing incident. Blockage of all these paths would result in loss of the three cells and all orbiter power within a very short time.

Space Shuttle Main Engines. Approximately 20 Category 1 changes to increase the operating life, safety, reliability, and quality of the Space Shuttle main engines (SSME's) are being implemented. The primary objective of these changes is to expand the engine operating margins in areas such as temperature, pressure, and operating time. This effort includes an enhanced engine ground test program to certify hardware improvements for nominal operation at power levels of 104 percent for the initial flights. Figure 44 shows several of the important SSME modifications.


Figure 44. Drawing of Major Space Shuttle Main Engine Modifications

Figure 44. Major Space Shuttle Main Engine Modifications.


[90] These SSME changes include modifications to the high-pressure turbopump blades to significantly reduce the susceptibility to cracking in structurally critical areas. Improvements in structural capabilities of components such as the main fuel valve housing and the main combustion chamber outlet neck will result in significant increases (factor of 4) in useful life.

Changes to the high-pressure fuel turbopump coolant circuit will reduce the overall operating pressures and the redline (cutoff) values. The current hydraulic actuators are being replaced with actuators that have improved manufacturing cleanliness requirements and design modifications to reduce the susceptibility to electrical shorts. These changes will reduce the probability of launch pad aborts.

The engine ground test program has been emphasized and accelerated in order to demonstrate existing margins to the maximum extent possible and to certify those changes planned for incorporation prior to the return to flight. This emphasis will ensure maximum ground test exposure of the hardware, with a resultant increase in confidence prior to the resumption of flight.

External Tank. Eight changes to the external tank are required for first flight. These include strengthening the gaseous hydrogen pressurization line fairing and support structure, adding a freezer wrap to permit visual detection of a hydrogen fire, and other changes to improve the overall system safety margin.

Solid Rocket Booster. In addition to the solid rocket motor (SRM) redesign effort discussed under Recommendation I, several design changes are being implemented on the solid rocket booster (SRB) assembly in preparation for the next flight. These include changes in the ET aft attach ring structure, the SRB forward structural assembly, the aft skirt, and the ground interfaces. Figure 45 identifies the location of the major SRB modifications.

The SRB/ET aft attach ring structure is being modified from the existing structure of approximately 270-degree wraparound to a new structure with a 360-degree wraparound to increase the margin of safety. Hardware design and planning for test verification for the new attach ring are currently in progress.

Design changes, special tests, and...


Figure 45. Drawing  of Major SRB Modifications.

Figure 45. Major SRB Modifications.


[91]....studies/assessments have been performed on the SRB forward assembly and the aft skirt structures. Improved analytical modeling techniques and better understanding of dynamic flight loads permitted identification of areas in the aft skirt structure that need to be strengthened. Structural capability is being improved by increasing the strength of selected bolts and by adding gussets and brackets.

The SRB ground interfaces are being redesigned to provide prelaunch heater power and heated nitrogen purge gas for environmental control of critical components.

Launch Processing and Ground Support Equipment. SDR activities at the Kennedy Space Center (KSC) have resulted in several facility modifications. Special debris traps have been incorporated into the ground interfaces between the orbiter and the liquid oxygen and liquid hydrogen servicing systems. These traps prevent the entry of potentially dangerous objects into the flight vehicle during propellant loading.

Wire harness and fluid line covers are being incorporated into the orbiter aft compartment area to improve protection of critical orbiter subsystem elements during ground crew servicing.

The hydrogen vent umbilical arm is being modified to increase the factor of safety, to add a more flexible vacuum-jacketed flex line, and to reduce the weight of the retractable structure. Other design improvements for the hold-down post blast shield, the orbiter emergency-egress access arm, and miscellaneous ground interface hardware are in progress.

Two new facilities, the Orbiter Maintenance and Refurbishment Building and the SRB Refurbishment Building, have recently been completed. These facilities will house activities previously conducted in the Vehicle Assembly Building, thus enhancing orbiter and SRB turnaround operations.


Design Certification Review (DCR)

A DCR will be conducted approximately 3 months prior to flight and will be similar to the initial DCR held in April 1979. The objective of the DCR is to recertify the design of all NSTS hardware and software elements. The review will be based on the updated design requirements reflected in the Space Shuttle system specification, the Shuttle ICD's, and the major element contract end item specifications. This effort will verify that the existing and new hardware and software designs are in compliance with the design requirements.

A detailed evaluation will be made of the results of the testing and analysis performed to certify that the redesigned hardware and software satisfy the program requirements for each element. The DCR will certify that the NSTS element designs meet all requirements for safe return to flight.



The program and project documentation that implements the redefined program requirements is being reviewed and updated to ensure that documents are accurate and reflect the current return-to-flight NSTS design configurations.


Master Verification Plans (MVP's)

MVP's provide the guidelines and constraints and define the rationale that is used to verify that the hardware design meets configuration, performance, inspection, and maintenance requirements. They identify the analysis and the development, acceptance, qualification, and system integrated testing that must be performed to certify the hardware for flight.

MVP's were originally prepared for each subsystem and major element before STS-1. Each element subsystem manager submitted a verification completion notice (VCN) upon successful completion of all required tests and analyses. These VCN's have been rescinded by the Director, NSTS.

Each project manager is required to reevaluate his element verification in light of the Volume X design requirement changes and any hardware design modifications made since the last subsystem certification and to [92] submit new and/or revised VCN's as part of the DCR.


Operational Maintenance Requirements Specification Document (OMRSD)

The OMRSD defines the specific requirements for inspection, test, and checkout verification of the program hardware systems and software prior to each flight. The requirements take into consideration the fundamental checkout philosophy defined in the MVP, the CIL retention rationale for each system, and design center checkout requirements to identify those activities necessary to ensure safe operation of the vehicle during flight.

One of the specific actions under way is a complete review of the OMRSD. This review will be completed prior to the next flight and will ensure that the requirements defined in the document are complete and are consistent with the MVP and the results of the FMEA/CIL review.


Operations and Maintenance Instruction (OMI)

OMI's document the specific procedures used by KSC operational personnel to perform all activities on the flight hardware and associated ground support equipment. These instructions are being revised to include changes from the FMEA/CIL and OMRSD reviews and to improve the format.

An OMI and CIL implementation plan has been developed to ensure that test and maintenance activities involving hardware items designated Criticality 1 or 1R are prominently identified in the OMI documents.

Each operating procedure is being assessed by review teams made up of representatives from the Shuttle processing contractor, NASA (KSC and the design center), the design contractor, and SRM&QA.

OMI's are approved by the appropriate NASA design center before being released. Any deviations that affect critical items or requirements must be approved by the appropriate design center.


Launch Commit Criteria (LCC)

Launch commit criteria define the launch countdown operating limits for the ground and flight systems and provide the actions required in the event one of the limits is exceeded. LCC are used by the launch team to monitor the readiness of the vehicle in the 6-hour time period between external tank loading and lift-off.

The LCC are being modified to include the technical and operational rationale and to document the procedural workarounds, if any, that would allow the countdown to proceed in the event one of the criteria was violated. The recommended changes to the LCC are then reviewed and approved by the appropriate management levels prior to being submitted to the PRCB for final approval and publication.

NASA and its contractors began the LCC review in April 1987. The task includes assessment of results from the FMEA/CIL reviews and incorporation of all authorized hardware modifications to the vehicle. The LCC review is scheduled to be completed in November 1987.


New Documentation

The need for a set of formal element interface functional analyses to verify hardware criticality classifications and to identify failure effects across the vehicle-to-ground interfaces during turnaround operations (i.e., landing, mate/demate, element/vehicle checkout, prelaunch, and launch) was identified early in the documentation review process. These analyses have been initiated, and critical safety-related portions will be completed prior to the first flight.

A functional fault tolerance analysis of all vehicle subsystems has been initiated. This analysis will determine the synergistic and multiple failure effects between each functional subsystem and its interactive subsystems, and the resulting impacts on the total system. For a system as complex as the Shuttle, this analysis requires an extended period of time for completion. Planning to make certain that priority is given to critical systems related to overall system safety has [93] been initiated, ensuring that analyses required for the first flight will be completed.



Because of the vehicle and launch facility modifications in progress, the long standdown period since the last Shuttle flight, and the need for launch team training, an unmanned Shuttle vehicle wet countdown demonstration test (CDDT) and a flight readiness firing (FRF) of the Space Shuttle main engines will be conducted. These tests are required to demonstrate vehicle integrity and to ensure a safe return to flight.

Conditions to be demonstrated during these tests will be similar to the actual countdown time line and launch preparations, except for periods of the wet CDDT where special test objectives will be accomplished. Both the wet CDDT and the FRF will use modified flight and ground software, and data recorded during the CDDT will be used to confirm launch hold and abort shutdown time lines.

SSME start procedures during the FRF will be identical to those used in an actual launch, and the engines will be tested at 100-percent rated power level for approximately 20 seconds.

A detailed test readiness review will be held approximately 2 weeks prior to the CDDT and FRF to assess the test configurations and to ensure that all test preparations are in order to meet the requirements. It is planned to conduct the tests approximately 2 months prior to launch.



NASA has continued the training of both flight crews and flight control teams to maintain proficiency. Training, which is being conducted in all facilities, ranges from the basic level for familiarizing new personnel with NSTS systems to the intermediate level using single-system trainers and water immersion facilities to the complex level using the Shuttle mission simulator (SMS). Integrated simulations are conducted weekly using the SMS and the Mission Control Center (MCC).

Flight controller training and certification in the MCC has been strengthened and has become more rigorous. MCC personnel from each discipline are supporting the integrated simulations and are validating their respective data programs and procedures.

Flight crews are training at a reduced rate to sustain a required level of proficiency and to maintain the skills necessary to remain eligible for flight status. The crew for the next flight is very experienced and does not require a high rate of training at this time. As the launch approaches, the maximum flight crew training time in the SMS will be limited to 16 hours per week to minimize the crew work load.

Extended, integrated simulations are maintaining both flight crew and flight controllers in a state of flight readiness. Full-up vehicle systems are simulated during these simulations and require crew and MCC activities similar to those for real-time flight.

The training facilities are undergoing improvements. The SMS math models for the main propulsion system, landing and roll-out, and auxiliary power unit have been significantly upgraded, and less extensive modifications have been incorporated into other models.

Plans are being formulated to link training facilities at Johnson Space Center (JSC) and KSC to develop team coordination between flight controllers and launch controllers. Regularly scheduled training coordination meetings between JSC and Marshall Space Flight Center have facilitated mission support and training activities at each center.



The launch date for the first flight (STS-26) is now planned for June 1988. The exact date will depend upon completion and certification of all mandatory vehicle and engine modifications, SRB hardware delivery to KSC, orbiter processing time, and launch/flight team readiness.



The five veteran astronauts (Figure 46) recently named to man the Discovery for the STS-26 mission are, right to left, Frederick Hauck, Richard Covey, John Lounge, David Hilmers, and George Nelson. Hauck and Nelson have flown on two previous missions, and each of the others has flown once. The crew is intimately involved in all aspects of the return-to-flight activities.


Figure 46. Photo of STS-26 Flight Crew.

Figure 46. STS-26 Flight Crew.


[95] Abbreviations and Acronyms


countdown demonstration test


critical design review


crew egress/escape system


Critical Items List


design certification review


development motor


Department of Defense


design requirements review


Edwards Air Force Base


element interface functional analysis


expendable launch vehicle


end of mission


external tank


Federal Aviation Administration


failure modes and effects analysis


flight readiness firing


flight readiness review


hazard analysis




Interface Control Document


joint environment simulator


Lyndon B. Johnson Space Center


John F Kennedy Space Center


launch minus 1 day


launch commit criteria


line replacable unit


Mission Control Center


mission management team


George C Marshall Space Flight Center


Master Verification Plan


nondestructive evaluation


National Oceanic and Atmospheric Administration


National Research Council


National Space Technology Laboratories


National Space Transportation System


Operations and Maintenance Instruction


Operational Maintenance Requirements Specification Document


Office of Space Flight


program compliance assurance and status system


Program Requirements Control Board


qualification motor


system design review


Shuttle-derived vehicle


System Integrity Assurance Program


Shuttle mission simulator


solid rocket booster


solid rocket motor


safety, reliability, and quality assurance


safety, reliability, maintainability, and quality assurance


Space Shuttle main engine


structural test article


Space Transportation System


thermal protection system


United States Air Force


verification completion notice

link to the previous pagelink to the index pagelink to the next page