Chapter 9 - OTHER SAFETY CONSIDERATIONS

In the course of its investigation, the Commission became aware of a number of matters that played no part in the mission 51-L accident but nonetheless hold a potential for safety problems in the future.

Some of these matters, those involving operational concerns, were brought directly to the Commission's attention by the NASA astronaut office. They were the subject of a special hearing.

Other areas of concern came to light as the Commission pursued various lines of investigation in its attempt to isolate the cause of the accident. These inquiries examined such aspects as the development and operation of each of the elements of the Space Shuttle -- the Orbiter, its main engines and the External Tank; the procedures employed in the processing and assembly of 51-L, and launch damage.

This chapter examines potential risks in two general areas. The first embraces critical aspects of a Shuttle flight; for example, considerations related to a possible premature mission termination during the ascent phase and the risk factors connected with the demanding approach and landing phase. The other focuses on testing, processing and assembling the various elements of the Shuttle.

ASCENT: A Critical Phase

The events of flight 51-L dramatically illustrated the dangers of the first stage of a Space Shuttle ascent. The accident also focused attention on the issues of Orbiter abort capabilities and crew escape. Of particular concern to the Commission are the current abort capabilities, options to improve those capabilities, options for crew escape and the performance of the range safety system.

It is not the Commission's intent to second-guess the Space Shuttle design or try to depict escape provisions that might have saved the 51-L crew. In fact, the events that led to destruction of the Challenger progressed very rapidly and without warning. Under those circumstances, the Commission believes it is highly unlikely that any of the systems discussed below, or any combination of those systems, would have saved the flight 51-L crew.

FINDINGS

1. The Space Shuttle System was not designed to survive a failure of the Solid Rocket Boosters. There are no corrective actions that can be taken if the boosters do not operate properly after ignition, i.e., there is no ability to separate an Orbiter safely from thrusting boosters and no ability for the crew to escape the vehicle during first-stage ascent. Neither the Mission Control Team nor the 51-L crew had any warning of impending disaster. Even if there had been warning, there were no actions available to the crew or the Mission Control Team to avert the disaster.

LANDING: Another Critical Phase

The consequences of faulty performance in any dynamic and demanding flight environment can be catastrophic. The Commission was concerned that an insufficient safety margin may have existed in areas other than Shuttle ascent. Entry and landing of the Shuttle are dynamic and demanding with all the risks and complications inherent in flying a heavyweight glider with a very steep glide path. Since the Shuttle crew cannot divert to any alternate landing site after entry, the landing decision must be both timely and accurate. In addition, the landing gear, which includes wheels, tires and brakes, must function properly.

In summary, although there are valid programmatic reasons to land routinely at Kennedy, there are concerns that suggest that this is not wise under the present circumstances. While planned landings at Edwards carry a cost in dollars and days, the realities of weather cannot be ignored. Shuttle program officials must recognize that Edwards is a permanent, essential part of the program. The cost associated with regular scheduled landing and turnaround operations at Edwards is thus a necessary program cost.

Decisions governing Space Shuttle operations must be consistent with the philosophy that unnecessary risks have to be eliminated. Such decisions cannot be made without a clear understanding of margins of safety in each part of the system.

Unfortunately, margins of safety cannot be assured if performance characteristics are not thoroughly understood, nor can they be deduced from a previous flight's "success." The Shuttle program cannot afford to operate outside its experience in the areas of tires, brakes and weather, with the capabilities of the system today. Pending a clear understanding of all landing and deceleration systems, and a resolution of the problems encountered to date in Shuttle landings, the most conservative course must be followed in order to minimize risk during this dynamic phase of flight.

SHUTTLE ELEMENTS

The Space Shuttle Main Engine teams at Marshall and Rocketdyne have developed engines that have achieved their performance goals and have performed extremely well. Nevertheless the main engines continue to be highly complex and critical components of the Shuttle that involve an element of risk principally because important components of the engines degrade more rapidly with flight use than anticipated. Both NASA and Rocketdyne have taken steps to contain that risk. An important aspect of the main engine program has been the extensive "hot fire" ground tests. Unfortunately, the vitality of the test program has been reduced because of budgetary constraints.

The number of engine test firings per month has decreased over the past two years. Yet this test program has not yet demonstrated the limits of engine operation parameters or included tests over the full operating envelope to show full engine capability. In addition, tests have not yet been deliberately conducted to the point of failure to determine actual engine operating margins.

The Orbiter has also performed well. There is, however, one serious potential failure mode related to the disconnect valves between the Orbiter and the External Tank. The present design includes two 17-inch diameter valves, one controlling the oxygen flow, and the other the hydrogen flow from the tank to the Orbiter's three engines. Each of the disconnect valves has two flappers that close off the flow of the liquid hydrogen and oxygen when the External Tank separates from the Orbiter. An inadvertent closure by any of the four flappers during normal engine operation would cause a catastrophe due to rupture of supply line and/or tank. New designs are under study, incorporating modifications to prevent inadvertent valve closures. Redesigned valves could be qualified, certified and available for use on the Shuttle's next flight.

While the External Tank has performed flawlessly during all Shuttle flights, one area of concern pertains to the indicators for the two valves which vent the liquid hydrogen and liquid oxygen. These valves can indicate they are closed when they might be partially open. This condition is potentially hazardous, since leaks of either gaseous oxygen or hydrogen prior to launch, or in flight, could lead to fires. This could, in turn, lead to catastrophic failure of the External Tank. NASA is currently studying design modifications to the valve position indicators. This effort could be expedited and the redesigned indicators installed before the next flight of the Shuttle.

(Source: The Presidential Commission on the Space Shuttle Challenger Accident Report, June 6, 1986 p.178, p.192)