MERCURY PROJECT SUMMARY (NASA SP-45)

 

6. RELIABILITY AND FLIGHT SAFETY

 

By JOHN C. FRENCH, Asst. Chief, Reliability and Flight Safety Office, NASA Manned Spacecraft Center; and FREDERICK J. BAILEY, JR., Chief, Reliability and Flight Safety Office, NASA Manned Spacecraft Center

 

Summary

 

[105] This paper summarizes the reliability and flight safety features of the Mercury Project. The difference between reliability and flight safety is briefly discussed. The basic concept that no single failure would cause an abort, and that no single failure during an abort would result in loss of the pilot, dictated the need for redundancy and manual over-ride capabilities in spacecraft critical systems.

 

An existing missile was modified to provide the launch vehicle, and its reliability was augmented by a program of special testing and by careful selection of components. In addition, an abort sensing system was developed for the launch vehicle to provide for sensing of impending catastrophic failure and activation of the spacecraft escape system.

 

A conservative design approach was used for the spacecraft, incorporating redundancy in all critical systems where possible, in order to provide reliability. Off-the-shelf proven components were used where possible to avoid development problems, and standard design practices were used for designing components where proven components were not available.

 

The success of the flight-test program proved the effectiveness of the ground test program in disclosing essentially all "early development"? and human induced type failures.

 

Flight safety reviews for the launch vehicle and the spacecraft, and a mission review for all aspects of the mission, were conducted prior to each mission and proved to be effective.

 

Introduction

 

The Mercury approach to reliability and flight safety was a practical approach to the problem of achieving manned orbital operation with a reasonable degree of reliability and safety at the earliest possible time. It was an all-out effort to apply knowledge and experience accumulated in years of aircraft and missile flight to get the best chance of mission success and flight safety from parts and components that already existed, or would be brought to the flight stage in, roughly, 2 years. The success of manned space flight required an extensive effort involving dedication of many individuals and their unstinting use of time, there being no sophisticated shortcuts to the disclosure of the many problems and the solving of these problems to assure success of each flight. Consideration of cost, manpower, or schedule were never allowed to influence any decisions involving mission success or flight safety.

 

Throughout the program, there proved to be a need for stringent attention to details of design, fabrication, quality control, testing and training; emphasis was placed on streamlining the failure analysis and corrective action procedures, incorporating on-the-spot failure analysis at the launch site.

 

Reliability and flight safety, although closely related, are not exactly the same thing. The former refers to the probability that a given mission will proceed to completion without mishap. This probability combined with the reliability of the escape system provides the overall flight safety or probability of crew survival. It may be pointed out that flight safety can be achieved by building a high reliability vehicle with little or no provisions for escape, as in the case of a commercial airliner, or by attaching a highly reliable escape system to an unreliable vehicle.

 

Two key design philosophies or guidelines can be postulated:

(1) No single failure shall cause an abort.

(2) No single failure during an abort will result in the loss of life of the crew.

 

[106] Obviously certain items fall outside the scope of these rules. These are such passive subsysems as the ablation shield and the spacecraft structure as well as some large activity elements having a background of high reliability such as the launch escape rocket.

 

What might be termed the Mercury approach to mission accomplishment and crew safety is outlines in the figures accompanying this report. It may be described conveniently under three main headings, the launch vehicle, the spacecraft and the operational procedures and philosophy.

 

The success of the mission and safety of the crew also dependent on a number of other considerations such as the efficiency of the worldwide network of communications and the recovery operations, both of which are discussed in other papers.

 

Launch Vehicle

 

The launch-vehicle reliability and flight safety features are shown in figure 6-1. The main features indicated here are the use of an existing missile modified for Mercury requirements and augmented by a special pilot safety program and an abort sensing system. Although the following discussion centers around the Mercury-Atlas program, similar procedures were put into effect for the Mercury-Redstone program.

 

Existing Missile

 

The Atlas and Redstone missiles were chosen as launch vehicles because they were already far along in their development phases and would thus require only minor modification to adapt them to the Mercury requirements. This choice had a number of important implications as to reliability and crew safety, some favorable and some unfavorable. On the credit side, the particular vehicles chosen were well along on their development cycles, had considerable flight experience behind them, and had already demonstrated their abilities to meet the performance requirements. Another favorable feature of the Atlas launch vehicle was the fact that all engines were started, and satisfactory engine operation was verified, before lift-off.

 


Figure 6-1. Launch vehicle reliability and flight safety features.

 

[107] Since the Mercury-Atlas vehicle was used as the launch vehicle for the orbital missions, the following discussion will be centered around this vehicle.

 

A determined effort was made to retain the proven components on the launch vehicle since the development of new components would have resulted in the loss of much of the advantage of using a developed launch vehicle.

 

Pilot Safety Program

 

The Pilot Safety Program (see fig. 6-1 and 6-2) was added in the Mercury Project to augment the reliability and safety of the basic Atlas system. This program was developed by the Air Force for the selection and preparation of the Atlas launch vehicles for manned Mercury flights. It was recognized that major design changes to increase the reliability potential of the basic design could not be accomplished within the life of the Mercury Project, and therefore special efforts would be necessary to make certain that the maximum reliability of which the design was capable would actually be achieved in Mercury operations. The program that resulted involved three parts, a Quality Assurance Program, a Factory Rollout Inspection Program, and a Flight Safety Review Program at the launch site.

 

The Quality Assurance Program consisted of two major areas: An educational program for contractor and sub-contractor personnel; and a critical parts selection program.

 

Training conducted by the contractor created an awareness of the importance of the Man-in-Space Program and the high reliability required of the Mercury-Atlas launch vehicle. High quality through careful workmanship was stressed.

 


Figure 6-2. Mission review activities.

 

[108] The result of the critical parts selection program was the rejection of components and subsystems with excessive operating times, on nonstandard performance, or questionable inspection records. Choice of Mercury-Atlas launch-vehicle engines was limited to those standard

 

Atlas engines whose performance parameters most closely met the exact specification requirements. Spare parts were also selected with the same care given to flight hardware. All selected units were specifically identified as accepted Mercury hardware and stored in a specially designated and controlled area.

 

The Factory Roll-Out Inspection assured that the Mercury-Atlas launch vehicle was complete, functionally acceptable, and ready for delivery. The technical roll-out inspection team consisted of specialists in the technical areas of each flight system. General launch vehicle progress was analyzed on a continuing basis, with special emphasis on hardware status and replacements.

 

A pre-roll-out inspection meeting deter mined vehicle status and potential problem areas. A tentative roll-out inspection schedule was established at this time, and composite test go ahead was granted for final contractual Air Force factory acceptance of the Mercury-Atlas launch vehicle. After satisfactory completion of the composite test, a pre- acceptance meeting was held by the Air Force with associate contractors prior to the formal acceptance meeting to determine systems- performance status and acceptability of the launch vehicle to the Air Force.

 

After the final Rollout and Acceptance Inspection at the contractor's plant, a post-acceptance critique was held and a final report prepared to cover assembly and test history and all discrepancies uncovered and corrected up to time of delivery to the Atlantic Missile Range.

 

The contractor was also required to submit n detailed report covering critical item qualification status. A functionally complete launch vehicle was required prior to delivery.

 

The Mercury-Atlas Flight Safety Review determined the status of the launch vehicle flight readiness. Technical flight readiness was established by personnel from the Space Systems Division (SSD) of the Air Force and their associate contractors who met prior to planned launch for complete vehicle history review since arrival at AMR. The team determined that all possible efforts to insure a successful mission had been made and that the vehicle was in state of technical readiness. Complete review of all facts yielded a "go" or "no-go" recommendation to the Mercury-Atlas Flight Safety Review Board, which was chaired by the Commander, SSD, for the manned orbital flights. This Review Board meeting was attended by NASA observers, including the NASA Operations Director and one of the astronauts. The findings of this board were subsequently conveyed officially to the NASA Operations Director in the Mission Review.

 

The total scope of the Pilot Safety Program resulted in expenditure of about twice the standard Atlas fabrication time, and more than three times the normal checkout time and attention.

 

Abort Sensing and Implementation System (ASIS)

 

The abort sensing and implementation system (ASIS) was conceived and developed to enhance crew safety. The functions of this ASIS were to sense impending catastrophic launch-vehicle failure, automatically generate an abort command, and activate the spacecraft escape system in sufficient time to assure astronaut safety. An abort signal would be generated if pre-selected tolerances of certain critical launch-vehicle performance parameters were exceeded. The ASIS was supplemented by manned ground and spacecraft abort capabilities.

 

Atlas flight test data were analyzed to deter mine which specific performance parameters should be monitored and to determine the abort threshold levels, to assure that sufficient time for escape would be provided and that false abort commands would not be generated.

 

Evaluation of ASIS reliability under extreme environmental conditions was carried out by an extensive ground-test and flight-test program.

 

ASIS reliability was provided by electronic equipment redundancies designed to preclude the possibility of system failures or inadvertent aborts. There were deficiencies in the ASIS discovered during the development flights, but corrections were made prior to use on the Mercury-Atlas flights. Early unmanned Mercury flights proved out the entire system; successful abort was initiated on the MA-8 flight, saving [109] the spacecraft which was flown again on MA-4. There were no manned Mercury flights which required an abort action by the ASIS, nor were there any false ASIS abort signals.

 

ASIS was supplemented by the following manned abort capabilities:

(1) Off-the-pad aborts could be initiated by the test conductor, through direct electrical circuitry, until the vehicle had lifted 2 inches from the pad.

(2) From the point of 2-inch vertical ascent through the end of powered flight, an abort could be initiated through the Mercury Control Center (MCC) radio-frequency link.

(3) The mission could be terminated at any time throughout the entire powered flight by the astronaut.

(4) Indirect abort capability was provided the Range Safety Officer. The automatic airborne abort system could be activated by supplying a manual engine cut-off command. A 3-second airborne time delay was integrated with the airborne range safety command receiver to insure a safe separation of the spacecraft in the event that a command destruct signal became necessary.

 

Spacecraft

 

The size, complexity, and cost of the spacecraft and related operational activities including recovery precluded a program of using general flight testing to uncover design and systems weaknesses. It was necessary to produce the first and following spacecrafts with sufficient reliability to assure that each flight would complete its mission. The following discussion covers the reliability and flight safety features of the effort expended in Mercury to accomplish this result. The features are shown on figure 6-3 and may be described under the four headings

 


Figure 6-3. Spacecraft reliability and flight safety features.

 

[110] of design, reliability, fabrication. and testing and checkout.

 

Design

 

The spacecraft was designed specifically for manned orbital flight with virtually no background of applicable experience to serve as a guide. A very conservative design approach was adopted to provide redundancy in all critical subsystems where possible. The original design was required to provide for normal manned operation. unmanned operation, and operation with an incapacitated man aboard. Much of the redundancy, particularly in the smaller items such as explosive bolts, igniters, etc., was functional in both the unmanned and manned vehicles, but for manned flights the major subsystems such as the attitude control system and landing system relied on pilot operation of the backup mode: hence, the presence of the pilot substantially increased the reliability of the spacecraft in the manned missions.

 

There was an average of ten spacecraft component malfunctions or failures per manned spacecraft mission despite the level of effort to disclose and correct all anomalies prior to flight.

 

However, in no case did these failures, some of which were critical, result in mission failure. The adopted design approach utilizing equipment redundancy and pilot back-up modes proved its effectiveness.

 

Insofar as reliability and safety were concerned, components selected or fabricated for use in the subsystem were representative of the state- of-the-art at the time of the design freeze. Standard design practices were utilized for designing components for specific applications where proven components were not available.

 

The philosophy of designing redundancy into Project Mercury is best described by the following examples:

 

One-time-only operating devices. A number of subsystems are required to operate only once during a mission, and thus the frequency of failure of these subsystems is independent of mission duration.

 

In order to be sure that the escape tower could be released from the spacecraft, and that the spacecraft could be released from the launch vehicle, the clamp rings were divided into three segments and held together by three double-ended explosive bolts. Figure 6-4 shows the

 


Figure 6-4. Automatic and manual initiation of tower-jettisoning-bolt, pyrotechnic.

 

[111] escape-tower clamp ring bolt-firing functional arrangement. Firing any end of any bolt could effect the release. The automatic system could fire one end of each bolt from one electric circuit and the opposite end of two bolts from a completely independent circuit; an astronaut manually operated backup could fire the opposite end of the third bolt through a percussion device, and in addition, could send electrical signals through the two automatic electric circuits.

 

For retroimpulse there were three solid fuel rockets with dual igniters fired by dual circuits. They could be initiated automatically, or by either astronaut or ground command. Only two of the three retrorockets were required to effect a satisfactory reentry.

 

The primary parachute system was fully automatic. It incorporated dual barostats, dual power sources, and manual backup of each main function in the sequence. The entire automatic system was backed up by an independent manually operated reserve parachute system.

 

Operating-time dependent systems. A number of critical systems of the spacecraft had to operate more or less continuously throughout the flight. The frequency of failure of components in these systems would be, in general, proportional to the length of time they were operated and hence to the length of the mission.

 

The environmental system incorporated the basic redundancy of a full pressure suit in a controlled cabin environment. Manual controls were provided to back up the automatic control functions. An emergency O2 supply was available to the suit as a further backup in the event of simultaneous malfunctions in both suit and cabin controls.

 

The attitude control system, which was particularly critical for retrofire, consisted of a primary automatic system backed up by dual independent manual subsystems, one of which was completely independent of the automatic system.

 

Failure mode and effect analysis. A failure mode and effect analysis was performed for each subsystem to investigate the failure mode of components comprising the system and determine the significance to mission success and the corrective action to be taken. This analysis so included an evaluation to determine the action that should be taken in case the systems-performance indications displayed to the pilot and transmitted to the ground stations were in disagreement. An important consideration was the probability that the sensors and indicators may malfunction and thus incorrectly dictate the need of an abort.

 

A concentrated effort was made to identify single point failures; first, those which would in themselves be catastrophic or prevent subsequent operation; and second, those which would cause a premature operation.

 

An example of a subsystem revision resulting from this effort was the change in arrangement of the dual barostats that functioned to close the circuit to the parachute deployment sequence. Originally, the dual barostats were in parallel; a failure to the closed position of either would initiate the deployment sequence. The revision placed the barostats in series, thereby requiring both to fail closed in order to initiate premature deployment.

 

Reliability

 

An effort was initiated in the Mercury Project to make a quantitative reliability assessment and obtain an overall estimate of mission success and flight safety based on test time and failures that took place during the ground test program. The estimate of the reliability of the Mercury spacecraft utilized mathematical models of the subsystems together with failure rate data derived from actual test experience on the system parts and components.

 

In general, the results were not satisfactory because the applicability of the failure rate data was always highly debatable. It was a basic ground rule of the approach to manned space flight that a failure during development and preflight tests always resulted in a corrective action designed to eliminate all possibility of repetition of that particular type of failure. Hence, past failure data never applied directly to the then- current articles.

 

However, methods were evolved for setting up an analytical model to describe the operation of a complex system, and the computer programing on the IBM 7090 that eliminated lengthy and complex manual quantitative analysis. Those methods appear to have direct applications for assessing mission success and crew safety during the design stages of future space programs.

 

[112] Mathematical models were used to some degree in the design stages of the Mercury Project. Catalogued values of failure rates that had been established by the manufacturers or various testing agencies as being representative of the random or statistical type of failure that predominates in fully developed parts comprised the inputs to these models. Reliability values obtained in this way tended to reflect the ultimate goal; that is, the minimum failure rate that may eventually be obtained with the design.

 

The first Mercury space flights with new systems could not be delayed pending statistically rigorous reliability tests to assure demonstration of reliability goals. The problem was therefore to decide, by a combination of engineering judgment, common sense, experience, and intuition just when the last serious "early development" types and human-induced types of failure had been eliminated. The early development type of failure arose from design errors, interaction effects between parts and components, unanticipated environmental effects, or errors in estimating environments. The human-induced type were those associated with faulty fabrication, quality control, failure diagnosis, handling, installation, and carelessness.

 

As a result of the experience in the Mercury Project the role of numerical reliability assessment in manned space programs may be summarized as follows:

(1) It is desirable to specify an overall numerical reliability goal to insure that adequate attention is directed to reliability in the design stage. This goal should be apportioned or budgeted through a mathematical model down to the various subsystems and their components. The subsystem designer should be required to show that his subsystem is capable of absorbing the expected number of random or statistical type failures of parts without serious consequences or without exceeding his reliability budget.

(2) The logic flow diagrams which show functionally the systems sequence of action were especially useful since they represented primary and critical abort paths, crew inputs, and principal events. They reflected the basic ground rules relative to choice of alternate modes of operation and aborts. From these diagrams the effect of a component failure could readily be determined.

(3) Beyond this point the usefulness of formal quantitative reliability assessment procedures is debatable; the most effective approach from here on is to concentrate on establishing a testing program and quality assurance program that will assure detection and correction on all the unproven design and induced sources of system failure before flight.

 

Fabrication

 

Fabrication of the spacecraft was generally in accordance with the accepted aircraft production practices for small lots on the order of twenty articles. Air-conditioned clean room procedures were introduced in an effort to eliminate the introduction of contaminants or debris into components.

 

The results of operational experiences were fed back into the fabrication process by holding frequent Development Design Engineering Inspections (DEI). The purpose of the DEI was to assure that the Mercury spacecraft as engineered and manufactured was safe for manned flight. Emphasis was placed on attaining reliability and flight safety with existing Mercury hardware. To accomplish this objective, the DEI team was responsible for conducting suitable inspections for deficiencies and initiating necessary corrective action. The DEI board was authorized to make final decisions on the acceptability of the spacecraft.

 

Preparatory to the DEI, the inspection team reviewed in detail engineering design, fabrication, and assembly, as well as component, system, and composite testing.

 

Testing and Checkout

 

Ground testing. In addition to the standard type of qualification and acceptance tests, the following types of tests were conducted.

 

Demonstration tests: Demonstration.; were made to determine reliability, wherein several samples of each major subsystem tested under simulated operational environment meets and duty cycles for a total operating time considerably longer than that of a single mission. The scope of these tests is shown in figure 6-5.

 


[113] Figure 6-5. Spacecraft subsystems reliability tests.

Major subsystems

Typical test time or firings

1. Environmental control system

1500 hrs

2. Automatic stabilization and control system

2000 hrs

3. Reaction control system - automatic

290 hrs

4. Reaction control system - manual

112 hrs

5. Horizon scanner

720 hrs

6. Landing and recovery

38 firings

7. Rockets

27-37 firings (ea. type)

8. Sequential system

400 cycles

9. Communications (tranceivers, audio center, transponders, beacons, etc.)

1000 hrs (ea. type)

10. Satellite clock

3000 hrs

11. Bolt, expl. clamp release

108-155 firings (ea. type)

12. Bolt, retrorocket release

106 firings

13. Battery (3000w, 1500w)

20 discharge cycles (ea. type)

14. Ejector, antenna firing

145 firings

15. Explosive egress hatch

67 firings

16. Inverter, static

4000 hrs (ea. type)


 

The results of these tests were questionable since the equipment being tested did not always represent production-quality hardware. In addition, actual flight hardware was subject to conditions not contemplated in the reliability testing such as handling and shipping environments, installations in high density and crowded areas within the spacecraft adjacent to unrelated heat generating equipment, and contamination external to the subsystem as well as within the subsystem.

 

Safety margin tests: Safety margin tests were made wherein a number of component units were tested under progressively severe environments to determine the safety margin provided. It was necessary for such tests as Project Orbit and subsystems tests at contractor's plant, followed by the intensive subsystems checkout at the Cape, to uncover weaknesses. These tests are discussed in the following paragraphs.

 

Ground test program: A continuous ground test program, using a complete spacecraft and identified as Project Orbit, was instituted at the contractor's plant about midway through Project Mercury. It became apparent early in the Mercury Project that malfunctions occurring at Cape Canaveral and in the flight made it imperative that design and fabrication weakness be disclosed as early as possible. A comprehensive test program was started in which, to the greatest degree possible, the mission was simulated in real time and included orbital heating and near-vacuum effects. Obviously zero g effects, launch time and vibration, explosive devices, launch escape rocket, tower and spacecraft separation, exposure of the ablation shield to reentry temperatures, parachute deployment, and landing could not be duplicated. However, cabin-environment and operation of time dependent subsystems under normal and emergency cabin environment were closely simulated. The continuous aspect of this program conducted in all altitude chamber with all systems operating as they would in a mission not only disclosed the weaknesses but validated equipment revised as a result of the malfunctions. Consequently, the test demonstrated the performance of up-to-date configurations.

 

The tests were very effective in disclosing design weaknesses associated with interface problems, time dependent failures, and thermal [114] balances involving heat sinks and heat removal. A typical example of the usefulness of Project Orbit is discussed.

 

A revision in the gyro design resulted when, during the operation of the autopilot under an emergency mode (decompressed cabin), a failure in the gyros caused by decreased heat dissipation under vacuum conditions was disclosed. The lubricant vaporized, and there was a breakdown in insulation windings. The problem was resolved by changing the lubricant to one having a lower vapor pressure, and by using an insulation that maintained its dielectric characteristic when subjected to high temperatures.

 

Spacecraft subsystems tests: Spacecraft subsystems tests at the contractor's plant were followed by extensive tests at Cape Canaveral. Altitude sensitive systems were tested in an altitude chamber at the Cape since such tests were not made at the contractor's plant for each spacecraft.

 

Flight testing. Contributing much to the success of Project Mercury was the flight test program. Each flight of this test program was designed to qualify equipment and procedures for succeeding flights as well as ultimately for the manned orbital flights. Any malfunctions that occurred in a flight were analyzed, and corrected prior to the next flight. These early flights included (1) Beach Abort for qualifying the launch escape and landing system; (2) the Little Joe flights: (3) the Mercury-Atlas unmanned ballistic flights for qualifying the structure and ablation shield under severe reentry conditions, (4) the ballistic Mercury-Redstone unmanned, primate, and manned flights, and (5) the Mercury-Atlas unmanned and primate orbital flights.

 

The manned orbital flights progressed in a logical manner from a 3-orbit mission to a 22-orbit mission.

 

Technical competence. A very important feature of the Mercury approach to flight safety was the assignment of personnel with a high level of technical competence to the performance and monitoring of all preflight tests and preparations at the launch site. Senior engineering personnel, in many eases key members of the original design team, moved to the launch site and developed the launch preparation procedures. This high level of competence also extended into the quality control and inspection areas at the launch site.

 

Quality screening. The Mercury Project has featured extremely tight quality screening for deficiencies during all preflight checkout operations. This was accomplished by providing a system for effectively reporting unsatisfactory conditions to the contractor and to NASA management, to obtain conclusive corrective action and to eliminate irregularities and deficiencies which adversely affect the spacecraft program. These anomalies were recorded on forms noted as Unsatisfactory Reports (UR's).

 

Failure analysis and corrective action. The effectiveness of the contractor's failure analysis and corrective action program was evolutionary and improved considerably as the project went through its transition period from unmanned to manned flight. Later in the program, it tee came apparent that a streamline procedure was necessary for failure diagnosis and corrective action to assure effectivity in subsequent spacecraft. In many cases joint contractor-MSC teams analyzed a failure on-the-spot, or hand-carried the failed part to the supplier where a laboratory analysis of the failure was made.

 

In addition to individual failure reports on all failures, the contractor maintained an up-to date status of all failures, submitting an IBM tabulation summary to MSC monthly. This tabulation included all unresolved failures, and was used to point out critical and recurrent problems.

 

Operations

Simulated Flights

 

There were several features and practices in the Mercury operation that are worth mentioning in connection with reliability and safety. A great deal of attention was given to rehearsals and simulations of complete missions prior to each flight. These simulations were made extremely realistic. They not only served to verify the feasibility of planned procedures and provide crew practice for the expected flight plan, but also included a wide range of emergencies deliberately introduced to show up areas where improved planning might be needed to eliminate all possibility of confusion or indecision.

 

Interface Control

 

[115] With different groups responsible for the launch vehicle and the spacecraft, there was need for very special planning and procedures to insure proper handling of interface problems. It was found necessary in the field to establish a joint inspection team charged with the responsibility for witnessing all mating and other interface activities, measuring and verifying the adequacy of all physical clearances, inspecting all structural joints and electrical connections, and assuring that no debris was left in critical areas. Adequate access ports for field inspection were found to be an absolute requirement.

 

Special procedures were established for maintaining and periodically distributing one and only one official interface wiring diagram, reflecting the exact current status of the wiring on the vehicle at specified dates.

 

Flight Safely Reviews

 

The final item on figure 6-6, Flight Safety Reviews, deals with the problem of determining that the launch vehicle and spacecraft were in fact ready for launch. These activities are covered in figures 6-2 and 6-6. In Mercury, the philosophy was adopted that a launch would not take place with any unresolved difficulty. To insure this, preflight launch vehicle readiness and spacecraft readiness review meetings were set up. In these meetings, representatives from engineering , operations, flight safety, astronauts and (gape inspection reviewed in detail with the specialists responsible for the checkout of each system, all malfunctions observed in the system, and all changes and corrections made. Two sets of contractor failure records were maintained first. a segregation of failures from all testing into specific subsystems; second, a the of all failures associated with subsystems of a specific spacecraft. From these records, it was possible to determine early general weaknesses and to review the case histories of critical areas in ally specific spacecraft. These data, together with the unsatisfactory reports (UR's) and record of anomalies occurring in the subsystems checkout recorded by MSC personnel at the Cape provided a major input in these meetings.

 

These detailed meetings on the major pieces of equipment were followed by a Final Mission Review meeting. This meeting provided a final

 


Figure 6-6. Operational reliability and flight safety features.

 

[116] confirmation of launch vehicle and spacecraft readiness and established the readiness of the range, recovery, weather and aeromedical elements.

 

These operating procedures were very effective in concentrating the attention of the best qualified technical talent available on the detailed engineering problems of each vehicle.

 


Figure 6-7. Spacecraft review activities.


Previous Index Next