Difference between revisions of "Apollo 1 Disaster"
|Line 82:||Line 82:|
<center> < Previous Article | Parent Article | Next Article></center>
<center> < Previous Article | Parent Article | Next Article></center>
<center>'''SEBoK v. 2.2, released 15 May 2020'''</center>
<center>'''SEBoK v. 2.2, released 15 May 2020'''</center>
Revision as of 12:28, 9 May 2020
Lead Authors: W. Clifton Baldwin, Anthony Long
This case study examines some of the human factors shortfalls that lead to the 1967 Apollo 1 disaster.
On January 27, 1967, the crew of Apollo 204 was training for the first crewed Apollo flight, an Earth orbiting mission scheduled for launch on 21 February. They were involved in a "plugs-out" test on the launch pad just as in the actual launch, except the rocket was not fueled. This test was a simulation, going through an entire countdown sequence. Flight commander Gus Grissom, astronaut Edward White and astronaut Roger Chaffee died when fire swept the Apollo Command Module during this preflight test. After the accident, NASA reclassified Apollo 204 as Apollo 1.
During the test and subsequent accident, emergency teams were not in attendance (Benson and Faherty 1978). The fire crews were only on standby since the vehicle was not fueled (Freiman and Schlager 1995). It was believed that the test did not rate a hazardous classification (Benson and Faherty 1978) (NASA History Office 1967), and the emergency equipment located in the launch tower test room was not designed for the type of fire that resulted (NASA History Office 1967). Within the capsule, there were no design features for fire protection as no one had considered the possibility of a fire from anything other than the rocket engines (NASA History Office 1967). There was not even a fire extinguisher in the cabin (Freiman and Schlager 1995) (Kranz 2000). Astronaut Frank Borman later stated, “None of us gave any serious consideration to a fire in the spacecraft” (Benson and Faherty 1978).
NASA leveraged technical knowledge from the two earlier Mercury and Gemini space programs and utilized their designs as a baseline for the Apollo program (Rosholt 1966). Naturally, some problems were expected from such a huge undertaking. Due in part to a multitude of integration issues, the crew could not escape the fire. After the accident, however, NASA officials admitted that they had concentrated their efforts on “in flight” situations and had not even considered problems on the ground (Benson and Faherty 1978) (Kranz 2000).
During the late 1960s, NASA’s systems integration group appeared to be largely paperwork focused, although NASA considered the Apollo 204 test as a type of systems integration test (Baldwin and Reilly 2005). Regardless of the systems integration efforts, there were obvious gaps integrating the astronauts leading to the unfortunate consequence of the deaths of the men of Apollo 1.
Integration of the Hatch
Designing and integrating safety into the space capsule was known to be an important factor from the start of the space program. The hatch was the primary means for the astronauts to enter and exit the capsule, and therefore it was a vital component for integrating the astronauts.
Both the Mercury and the Apollo capsules were equipped with a means for escaping from a launch-vehicle failure (Purser, Faget and Smith 1965) (Swenson Jr., Grimwood and Alexander 1998). This escape system consisted of a booster rocket on the capsule that could fly the capsule away from a malfunctioning rocket. The Gemini capsule had ejection seats instead. Due to the dangers during an emergency ejection, the Apollo design went back to an escape tower booster (Purser, Faget and Smith 1965). Without the ejection seats, the quick-opening hatches used by the Gemini program were not required. Initially, the Apollo capsule contractors North American Aviation had recommended a hatch that opens outward with explosive bolts for emergencies. NASA designers disagreed due to the accidental opening of an earlier Mercury capsule with a similar hatch design (Brooks, Grimwood and Swenson 1979). “NASA and North American designers hadn’t been as worried about escape contingencies as they were about the possibility of a hatch popping open into the vacuum of space or another inadvertent opening during a water landing” (Kranz 2000).
In order to keep the astronauts safe, “An Apollo mission designer would prefer that the crew never exit the space capsule” (Mendell 1998). Therefore, the designers integrated the hatch to open inward, which allowed the internal pressure to assist in keeping the hatch secure (Murray and Cox 1989). The result of the integration process was a three-part hatch, an inner pressure hatch that opened inward when the capsule was on the ground, an ablative hatch that opened outward when in space, and a boost protective cover to protect the capsule during launch from the escape tower boosters (Freiman and Schlager 1995) (Kranz 2000) (NASA History Office 1967). Furthermore, the designers chose not to have an explosive hatch. As an aside to the Apollo 1 accident, even if the capsule had an explosive hatch, it would not have been armed during the test due to the danger to the support personnel (Murray and Cox 1989).
It took at least 90 seconds to open the hatch under ideal conditions (Freiman and Schlager 1995) (Senate Committee on Aeronautical and Space Sciences 1968). In practice, the crew had never accomplished the egress in the minimum time. Additionally, escaping was a very complicated procedure to perform under emergency circumstances. For example, it required one astronaut to lower another one’s headrest in order to actuate a ratchet-type device that would release the first of a series of latches (NASA History Office 1967). When the accident occurred, it took five minutes and 25 seconds to open the hatch (NASA History Office 1967). The Apollo Review Board criticized this problem as well as obviously recommended it to be changed (Benson and Faherty 1978).
The accident of Apollo 1 caused NASA to reconsider its decisions and processes. Although well integrated technically, NASA was lacking in integrating the astronauts with the hatch. To remedy this problem, the hatch was redesigned to be single-hinged that could be unlatched in three seconds and would swing outward with minimal force (Benson and Faherty 1978).
Integration of the Environmental Control System
Perhaps the most complex of all the human factors elements concerned the Environmental Control System (ECS). This system was designed to control the quantity and quality of air delivered to the astronauts, maintain cabin pressure, and heat and cool the astronauts, equipment, and cabin. Extremes of space flight had to be anticipated and this system needed to meet the needs of that harsh environment. Redundancy was built in to provide suitable backup systems and ensure reliability and availability (NASA History Office 1967).
NASA engineers had performed trade studies that concluded a pure oxygen atmosphere in the cabin was preferred. Again, this decision failed to fully consider the astronauts. In 1964, Dr. Emmanuel Roth of the Lovelace Foundation for Medical Education and Research prepared for NASA a paper warning about the dangers of pure oxygen (Benson and Faherty 1978). Natural fabrics, most synthetics, and even allegedly flameproof materials will burn violently in a pure oxygen environment. In that same year, Dr. Frank J. Hendel, a staff scientist with Apollo Space Sciences and Systems at North American Aviation, wrote an article warning against pure oxygen especially on the launch pad (Benson and Faherty 1978). Joe Shea, head of Apollo Spacecraft Program Office at the time, wrote in a memo, “The problem is sticky- we think we have enough margin to keep fire from starting - if one ever does, we do have problems. Suitable extinguishing agents are not yet developed” (Murray and Cox 1989).
Due to the ongoing redesign and test environment in which the ECS was operated, there was a need to change out components quickly and easily to save time on the schedule (NASA History Office 1967). This need resulted in poor wiring placement as well as insulation (Stavnes and Hammoud 1994). Coolant coils were placed in locations that permitted them to be used as a handle to move about in the cabin. This unintended usage led to a leakage of coolant in the cabin, whereby the vapors were flammable and the coolant itself in liquid form was corrosive to the insulation of the nearly 12 miles of electrical wiring in the command module (Freiman and Schlager 1995) (NASA History Office 1967). The cooling system was extensive throughout the capsule, and coolant leakage at solder joints had already been a chronic problem (NASA History Office 1967).
One ECS cable was wedged against the bottom of a door used by the astronauts. When the door was shut, it would scrape the cable. The repeated abrasion eventually exposed two tiny sections of wire on the cable (Murray and Cox 1989). When the insulation became worn away, the wiring system would fail, and sparks could arc (Stavnes and Hammoud 1994). To make matters worse, flammable raschel netting near the scuffed cable was located closer to the cable than it should have been (Murray and Cox 1989).
The astronauts’ spacesuits were also not incorporated well into the ECS. A suit-loop provided air quality control, temperature control, pressure control, humidity control, and decontamination to the astronauts and the cabin. There were three astronauts suited up and plugged into the loop with a fourth suit position. This so-called fourth suit position provided forced ventilation and exchange of the cabin air with the suit circuit (Bellcomm, Inc. 1964). This link of the spacesuits to the cabin could not be closed off in an emergency. The result would allow internal toxic gases from a fire to penetrate the astronauts’ suits.
Integration of the Egress System
Until the accident, no one seriously considered the possibility of a safety issue within the capsule. The egress system, which would allow astronauts to get away from the launch pad, was not thoroughly explored and several integration problems were missed (NASA History Office 1967). “We all assumed that when a calamity struck, it would be in flight. Our nightmare was an explosion during launch, or a flying coffin, a faulty craft stuck in endless orbit” (Kranz 2000). There were no formal procedures for an in-capsule emergency on the ground for either the crew or the spacecraft pad work team (NASA History Office 1967).
The designers’ experience necessitated “The use of an escape system should a malfunction occur during the powered ascent portion of the trajectory” (Purser, Faget and Smith 1965). Unfortunately, the designers only considered escape situations where the astronauts had to remain in the capsule. Hazard analysis was done to “Examine all the hazards that might require escape from the launch vehicle during powered flight” (Purser, Faget and Smith 1965). Nonetheless, the hazards were thought to come through three operational phases, “1) liftoff and shortly thereafter, 2) transonic through maximum dynamic pressure regimes, and 3) shutdown and staging” (Purser, Faget and Smith 1965). There is no mention of a hazard within the capsule itself.
Additional evidence for unsatisfactory egress can be found in the launch pad environment. Even if they could get the hatch open, there were no contingency preparations to permit escape or rescue of the crew from an internal capsule fire. The umbilical tower access arm contained features such as steps, sliding doors and sharp turns in the egress paths that hindered emergency operations (NASA History Office 1967). Albeit too late for Apollo 1, the Apollo 204 Review Board sharply criticized the fact that the astronauts had no quick means of escaping the capsule (Benson and Faherty 1978).
Systems Thinking Approach
A systems approach to integration with respect to the capsule and rocket may have avoided overlooking the users’ needs inside the capsule. For example, the ECS was designed without fully considering the astronauts onboard. Decisions to limit space in order to restrict subsystems from growing in weight were made by rule of thumb. A “whole system” integration approach could have arrived at a design for the ECS while considering the astronauts’ needs. Early integration of the astronauts could have saved time, especially since those changes had to be made eventually, and would have saved lives. For more information, see Part 2, Overview of the Systems Approach.
NASA designers stated they considered three phases of operations which were known to be hazardous. A problem with their analysis is that they failed to consider every phase, such as prelaunch or rather preflight. The designers should have evaluated every feasible scenario, or use case, of the system, even if unlikely. Thorough use case analysis evaluates all potential “normal” and “rainy day” scenarios. Use cases could have been developed for the preflight phase, including any potential failure cases on the ground. The designers could have used these scenarios to contemplate hatch issues, coolant coil issues, and especially the egress process.
The plugs-out test of Apollo 1 was ranked as a low risk without much analysis, and NASA officials stated that they were not concerned with problems prior to launch. Although a failure analysis was conducted for the flight of Apollo 204, no failure analysis, such as a Failure Modes and Effects Analysis (FMEA), was conducted for an on-the-ground or prelaunch situation. Once identified, proper mitigation actions could have been implemented. For more information, see Part 3, Risk Management and Part 6, Safety Engineering.
Baldwin, W. C., and C. K. Reilly, interview by Rich Morton. 2005. Interview with former NASA Technician during January 1967 (Dec. 13).
Bellcomm, Inc. 1964. Review of Environmental Control Systems for Apollo. B-1.
Benson, C. D., and W. B. Faherty. 1978. Moonport: A History of Apollo Launch Facilities and Operations . Vols. NASA Special Publication-4204 in the NASA History Series. Washington D.C., USA: National Aeronautics and Space Administration. Available at: http://www.hq.nasa.gov/office/pao/History/SP-4204/contents.html. Accessed Nov. 22, 2005.
Brooks, C., J. Grimwood, and L. Swenson. 1979. Chariots for Apollo: A History of Manned Lunar Spacecraft. Vols. NASA Special Publication-4205 in the NASA History Series. Washington D.C., USA: National Aeronautics and Space Administration.
Freiman, F. L., and N. Schlager. 1995. “Apollo 1 catches fire,” Vol. 1, in Failed Technology: True Stories of Technological Disasters, by Fran Locher Freiman and Neil Schlager. New York, NY, USA: UXL.
House Subcommittee on NASA Oversight of the Committee on Science and Astronautics. 1967. Investigation into Apollo 204 Accident: Hearings. Washington D.C., USA: 90th Congress, 1st Session, pp. 1-404.
Kranz, G. 2000. Failure Is Not an Option. New York, NY, USA: Simon and Schuster.
Mendell, W. W. 1998. "Role of lunar development in human exploration of the solar system," Journal of Aerospace Engineering, pp. 106 - 110.
Murray, C., and C. B. Cox. 1989. Apollo: The Race to the Moon. New York, NY, USA: Simon & Schuster.
NASA History Office. 1967. Findings, Determinations and Recommendations. Apollo 204 Review Board, National Aeronautics and Space Administration. Washington D.C., USA: NASA Historical Reference Collection. Available at: http://www.hq.nasa.gov/office/pao/History/Apollo204/find.html. Accessed Feb. 18, 2020.
NASA History Office. 1967. History of The Accident. Apollo 204 Review Board, National Aeronautics and Space Administration. Washington, D.C., USA: NASA Historical Reference Collection. Available at: http://www.hq.nasa.gov/office/pao/History/Apollo204/history.html. Accessed Feb. 18, 2020.