Risky Business

The shuttle is launched successfully and America is back in space. We’re back! America is back! — George Bush, to a campaign rally in St. Charles, Mo., Sept. 29, 1988

If the majority of the informed speculation is correct, it’s not safe enough to fly. We shouldn’t be flying it. Period. — John Pike, space policy expert for The Federation of American Scientists, in an interview, Jan. 19, 1989

This is what you think happened:

After a week of exasperating delays, the countdown went smoothly. The Challenger gracefully lifted off the launch pad. On the ground, engineers went about their business with customary quiet confidence. All was normal, all systems “go,” perfect as always, until without warning, 72 seconds into the flight, the space shuttle Challenger and the seven lives within it disappeared in a red-blistered fireball. On the ground below there was disbelief, then horror, then paralysis. NASA was not programmed for failure. And now, on the ground at Cape Canaveral, NASA engineers, creators of a perfect machine, were staring hollow-eyed at the skies. What could possibly have gone wrong?

That story, though commonly accepted, is fiction. We know that now, because the events of the last three years — a debacle followed by unprecedented public scrutiny of a once sacrosanct national mission — have made it possible to reconstruct the final minutes leading up to and including the Challenger launch. What was really happening at Cape Canaveral on that day reveals a great deal about the state of NASA at the time of the doomed launch and about critical problems that linger.

The fact is that while public optimism is back, so is the potential for disaster.

This is what really happened:

Everyone, as usual, was scared, but this launch was scarier than most. It was colder than ever before — 24 degrees at dawn. The ice team had been worried that the thermal tiles on the outside of the spacecraft — the only protection against incineration in the searing heat of re-entry — might get damaged by icicles falling from the gantry. The entire launch area was encased in ice. It was beautiful, and terrifying, like the ice palace in Dr. Zhivago. There was talk that the cold might be a problem with the solid rockets, those gigantic explosives-packed sentinels on each side of the shuttle’s huge external tank. But the countdown was continuing.

Maybe some of the tension came from knowledge of the disaster that had just been averted. A few weeks back, they had almost blown up a congressman, Nelson from Florida, when a piece of sensor broke off and jammed in a fuel line.

Incredibly, this was discovered only by accident and only because of bad weather: The stray piece surfaced while they were draining off the fuel after the flight was postponed.

NASA had handled that in the usual fashion: They jargoned it to sleep. “Flight rescheduled for Jan. 10 to permit removal of an obstruction in SSME #2 LOX pre-valve.”

SSME means space shuttle main engine, the heart of the spacecraft. The obstruction could have blocked the flow of liquid oxygen (LOX) to the main engine, one of three, or it could have caused a catastrophic failure of that engine’s turbopump. What NASA had not volunteered was that had the flight gone off as scheduled, the shuttle would have almost certainly blown up.

At least that had been an unanticipated problem; in any cover-your-butt bureaucracy, unanticipated problems aren’t the most frightening because at least there’s no clear blame, no unforgiving paper trail to follow in the aftermath of a disaster. The predictable problems are the ones to lose sleep over, and the scariest of all these were the main engines themselves. They’d never worked right, and they’d very nearly destroyed at least two flights already.

Ultimately, the anxiety came down to a feeling that it was only a matter of time. Disaster was inevitable; it was just a question of when.

The truth is that when Challenger lifted off at 11:38 a.m. EST that morning, there were more than a few engineers and technicians who had their fingers crossed, praying that none of the things they knew might go wrong would.

“LVLH shit hot!” Astronaut Judy Resnik exclaimed into her helmet mic a quarter of a minute into the launch. NASA never explained exactly what the comment meant; the official transcript of the crew conversation, as issued by NASA, split her comment in half. At 0:14 seconds she was reported to have said, “LVLH.” A second later, she was reported to have said, “[expletive deleted] hot.” It sounded like technical gobbledygook followed by a pause followed by a spontaneous explosion of exuberance — the astronaut equivalent of “yee-hah!” — but some in the space program think the meaning is only too obvious, and ominous. When the tape is played, her words unmistakably run together. It sounds like one phrase: LVLH shit hot. LV and LH refer to “local vertical” and “local horizontal” — the Earth coordinates employed by the shuttle during launch. “Hot,” in pilot speak, means “too much.” Her words could be taken as an astronaut registering alarm that the shuttle was going too high, too fast: failing to adequately arc outward onto the proper flight path.

In fact, that’s what was happening. With too much thrust from one of its rockets, Challenger was off course.

The flight crew, Pilot Mike Smith and Commander Dick Scobee, may have been noticing this also. The spacecraft didn’t want to go in the direction it was pointed. Something was making it yaw, making its nose want to point to the left. Four seconds after Resnik’s expletive, Smith said, “Looks like we’ve got a lot of wind up here today.” But there was no wind to speak of. NASA’s weather balloons had demonstrated that before the launch; wind was one of the few things people on the ground did not have to worry about.

Within another 10 seconds the control surfaces on the trailing edge of the shuttle’s wings, used to control the shuttle’s descent upon re-entry to the atmosphere, began to deflect. This was very unusual, suggesting a computer-generated action to compensate for a drastic problem.

Brownish-orange smoke shot from the back of the orbiter. This type of smoke is produced by the combustion of tetrahydrazine, the fuel in the shuttle’s orbital maneuvering system. Those thrusters are never used except when the orbiter is actually in space. But today was terribly different.

Still there was no word from ground control.

Later, NASA’s flight controller, Jay Greene, would say that the mission control consoles gave no indication anything was wrong. Later still, NASA would acknowledge that less than five seconds into the day’s flight, the right solid rocket had begun producing nearly 12 percent more thrust than it was supposed to produce — an extremely serious, possibly fatal situation. For the shuttle to enter orbit safely, the two solid rockets must be very closely matched. This would explain the shuttle’s lunge off course.

But at 70 seconds, ground control said: “Go at throttle up.”

Scobee’s response, “Roger, go at throttle up,” did not come until a second and a half later. Play the TV videotape back, again and again, and the hesitation seems more pronounced each time, an aberration from the usually crisp back-and-forth between astronauts and ground control. It may have meant nothing at all, but some have taken it to be puzzlement at Houston’s nonchalance.

No one will ever know for sure.

Richard Feynman was dismayed. The Nobel laureate in physics had been appointed to the presidential commission that investigated the Challenger disaster, and what he saw was alarming. He thought that the National Aeronautics and Space Administration had been playing Russian roulette.

“You pull the trigger and the gun doesn’t go off, so it must be safe to pull the trigger again,” he said.

Feynman is dead now, of cancer a year ago (though his thoughts are memorialized in an appendix he wrote to the Report of the Presidential Commission on the Space Shuttle Challenger Accident and in his book, What Do You Care What Other People Think?). But many believe that the game of Russian roulette continues. The three years since Challenger have given NASA the opportunity to do many things. The most meaningful action they took, though, may have been to replace the spent cartridge with a live one.

“The problem with the space shuttle has always been that it was based on compromise and management by wishful thinking,” says Bill McInnis of Gainesville, long an engineer in the space program. He resigned from his job as a chief assstant to NASA’s chief engineer in 1984 after he decided that a catastrophe was certain and no one was going to do anything to stop it. “By then, it had become almost policy to cut anyone who would point out problems out of the loop. It was futile — there was no way I could stay with clean conscience. Instead of being sure a system would work, the attitude was that they would certify it for flight unless they were sure it wouldn’t work.

“They would start with an idea, which may or may not have been sound. Then they’d compromise for one reason or another. They would lower the standards just a little bit. Then, next time, they would lower them a little more. Pretty soon, there weren’t any meaningful standards left.”

Engineering decisions came to be made by politicians. NASA told the military and other “customers” that the shuttle’s abilities would be far greater than they turned out to be. Payloads that could have been more easily, effectively, and cheaply launched on expendable rockets were put on the shuttle’s manifest, and the heavy-lift expendable rocket assembly lines were shut down. NASA put all its eggs in one basket, and that basket was none too sound.

The nation’s space program, both military and civilian, became hostage to one of the most complicated pieces of equipment ever built. Proven designs were abandoned. The shuttle program was so expensive that many other NASA programs, more than a dozen, were dropped. After only four flights, NASA declared that the shuttle was no longer a research and development vehicle — it was now “operational.” This meant that the “space airline” was open for business.

But it didn’t work out that way. The Rogers Commission noted that the early declaration of the shuttle as operational increased the pressure to launch on schedule — much as a commercial airline is under pressure to have on-time arrivals and departures. But the bugs weren’t worked out yet, so more compromises had to be made, more corners cut.

It used to be, said Chief Astronaut John Young in testimony before the commission, that a piece of equipment had to be proved safe before it was allowed to be flown. But now it was the other way around: It had to be proved unsafe before it would be grounded. NASA had repealed Murphy’s Law.

Despite the extensive redesign efforts that followed the disaster, NASA continues to fly with designs that it knows to be faulty — perhaps fatally so. Problems that plagued pre-Challenger shuttle flights continue, and Atlantis came remarkably close to being lost in its flight late last year. Engineers and others in and out of NASA point to areas of extreme concern:

The solid-rocket boosters, called solid-rocket motors or SRMs by the engineers, continue to show the problems that were taken after the fact in the case of Challenger as warning signs. NASA’s associate administrator for safety, reliability, maintainability, and quality assurance, George Rodney, admits that there is worry over nozzle joints in the solids because they lack the “safety factor” of the redesigned segment or “field” joints, and aerospace experts generally agree that the country never has understood just how dangerous solid-rocket motors are by their very nature.

The shuttle’s main engines are so dangerous that when Challenger broke up, everyone assumed a main engine had exploded. The problem is so severe that NASA has contracted for the redesign of the weakest — but not the only weak — link in the power chain. It may be ready to fly as early as three years from now. Until then, NASA continues to fly with a design that has malfunctioned on more than half of the shuttle flights, according to NASA’s own figures.

The protective thermal tile, criticized as insufficiently tested to begin with — as was much of the shuttle design — are terribly fragile, and more than 200 were destroyed in the Atlantis flight, exposing the bare aluminum of the orbiter and nearly costing the U.S. another shuttle and crew.

“That’s a Crit One issue,” says a Capitol Hill space watcher, referring to a nomenclature in which the importance of parts is listed by their criticality, with 1 being those items that are necessary for the ship to function safely and which have no back-up systems in the event of failure. “That’s as serious as it gets. It’s a wonder they didn’t lose Atlantis.” NASA is continuing to investigate the problem.

Software used on the shuttle’s antiquated computers may have been compromised. In the third shuttle flight, of Columbia in March 1982, the computers’ communication links failed altogether and the orbiter drifted aimlessly for nearly an hour. According to NASA records, this happened on March 26, halfway through the eight-day flight. Had it happened during launch or re-entry, the control necessary to the shuttle’s operation — and thus the shuttle and crew — would have been lost.

Shuttle computers shut down one of Challenger’s three main engines minutes after liftoff in July 1985. Software was blamed for the emergency shutdown, which resulted when the computers concluded that the engine had overheated.

Under siege, the space agency seems aimless and adrift, saddled with the task of defending a program that many believe is not particularly defensible and pinning the nation’s future in space on a vehicle that may be too dangerous to ever be practical.

It is not as though the once proud NASA, whose quality and safety were accepted as the highest in the world, suddenly decided to coast, to let things slip, to design a spaceship that had many things wrong with it.

How the space agency’s standards came to be all but abandoned is a story in itself.

When considering NASA, one must remember that the agency has no real, natural constituency. Other government agencies deal with substantial parts of the population — enough that there are supporters to rally round if necessary.

NASA came into existence at the height of the space race with the Soviet Union, and, in that the U.S. feared the Russians would rain death on us if we didn’t get there first, everyone supported its programs and objectives.

As long as the swell of support was enormous, such as it was when the space agency carried the mandate of a martyred president to go to the Moon, it had no problem.

But when Neil Armstrong stepped off the final rung of the Lunar Excursion Module’s ladder and onto the surface of the Moon, that mandate pretty much ran out — all that remained was to bring him back alive.

It was a small step for man, a giant leap for mankind, and the end of the road for NASA. We’d done what we said we’d do. People’s attention quickly turned elsewhere — American cities were being burned in riots, college buildings were being blown up by campus anti-war terrorists, and in Southeast Asia there was a war that was getting worse.

John Kennedy, the great space booster, was gone, and Lyndon Johnson, who had pulled the pork-barrel trick of all time in getting the space center that bears his name located in Houston, was gone, too. Whether Richard Nixon cared for the space program or not, he was simply too busy with other things to pay much attention.

“What happened during that time was that Congress got the bit between their teeth,” says Dr. Bruce Murray of Cal Tech, who in the late 70s and early 80s was head of NASA’s Jet Propulsion Laboratory, and who has been anything but a NASA gadfly. He was and is a highly respected expert in planetary exploration. “It became a political football. The NASA budget became a giant WPA in the sky.”

“There was another thing,” explains Bill McInnis. “There was a cliche — `We went to the Moon so why can’t we …’ — you plug in whatever it is that’s your particular complaint. This was heard in Congress. So you have all these people shouting about their special interests and NASA, having no natural constituency, had no one shouting for its programs.”

The space agency got money for the Skylab project, but that was only because most of it was already built. NASA wanted to stay in business, to do something. It came up with a thing called the space shuttle.

And oh, what a proposal it was! A two-piece unit, with astronauts in each piece. The rocket part would carry the orbiter to the fringes of space and fling it off to go on its own. While the orbiter was orbiting, the fly-back rocket part would be flown back to Kennedy Space Center, landed, refueled, and prepared for another take-off. You’d be able to put stuff in space for $50 a pound! According to one NASA study, you might be able to fly payloads for $5 per pound! Customers would flock to it, and it would pay its own way! And by the way, it will cost you $20-billion, up front.

Congress said no. The project was allocated $5-billion. NASA would do the best it could with that. The space agency said that with that amount, it could build a shuttle that would recover its development costs within 10 years. NASA was wrong. The shuttle has not recovered any of its costs, and its commercial payloads have been subsidized.

A succession of weak presidents didn’t say much of anything. No one was in office long enough to establish much in the way of a space policy. NASA wanted to have some sort of program, so it began to scale back. The compromises that would one day become the big lie began.

“You can’t find two reputable engineers in the country who will say solids are a good idea,” says Steve Agee, an engineer brought in to investigate Morton Thoikol’s safety and quality assurance systems following the Challenger disaster. He is talking about the decision to use solid-rocket motors on the space shuttle.

But it wasn’t an engineering decision.

“After Congress nixed the first shuttle proposal, the big thing at NASA was reusability,” remembers Bill McInnis. “The decision to use solids was not made by engineers. It was made for purely political reasons. They wanted to be able to reuse something, and with solids they were pretty sure they could reuse the tubes, the outside casing. I doubt it would ever have saved them money or ever will — it’s certainly cost them so far — but at least they could maintain this image of a reusable space plane.”

(Ironically, when there were plans for the Air Force to own and operate shuttles out of Vandenberg Air Force Base in California, the Air Force concluded there was no saving and decided that it wouldn’t even bother to pick up the used casings.)

The administrator of NASA at the time was Dr. James Fletcher, former president of the University of Utah. After he made the decision to use SRMs, he awarded the contract to Thiokol Chemical Co. of Brigham City, Utah. (The company has since been bought by the Morton salt people, and is now Morton Thiokol, Inc.)

Fletcher was on the board of an organization called Pro-Utah, Inc., the purpose of which was to bring as much business to Utah as possible. And a succession of Utah’s senators have been powerful in committees dealing with NASA. In fact, one of those senators, Jake Garn, actually took a ride on the shuttle.

But sound politics and sound engineering don’t always coincide.

“The SRM is a flying trashcan,” says Agee. “It is an incredibly dangerous system to begin with, and Thiokol’s execution makes it more dangerous still.

“I personally wrote 221 hazards” — a term to describe listings of what are called “failure modes,” or ways things could go wrong — “how they could blow while they’re being stacked and transported. My associates had written more than 1,000 by the time I left, and ultimately they had listed more than 3,000. And these are catastrophic hazards, and they involve just the SRMs. The main engines are a whole other story.”

Agee tells spine-tingling stories having to do even with the shipping and storage of SRM segments. The SRMs are made in segments for shipment to Kennedy Space Center, where they are assembled — “stacked” in aerospace parlance.

“They pay no attention to temperature and humidity when they are shipping the segments,” says Agee. “I remember one at Vandenberg (Air Force Base) that was actually dripping ammonium perchlorate (a component of the solid fuel). One spark of any size, like that made by a mosquito crash landing, and the whole vehicle assembly building is on the Moon.”

Dr. H. Guyford Stever headed the National Research Council’s panel that oversaw the SRM redesign. He is a NASA supporter.

“I think they can be all right if they’re designed well and manufactured well and handled well,” he says. “It’s when we break down on those things that we run into trouble.”

Agee and others were fired by Thiokol after raising safety issues, and he is one of three former Thiokol safety engineers who have a lawsuit pending against the rocket maker.

Additionally, Agee wore a cordless microphone for the FBI in meetings with Thiokol officials. The information gathered is currently being presented to a Federal Grand Jury in Salt Lake City.

Of the 25 space shuttle launches through 1986, 12 experienced some sort of SRM malfunction, according to NASA records. This usually involved hot gases “blowing by” the rubbery seals between the sections of the rocket or where the nozzle is attached. But NASA decided it wasn’t cause for undue alarm. NASA was doing a lot of that in accepting designs that simply didn’t do what they were supposed to do. It was easier to change the specs than to change the design — and a whole lot cheaper.

Richard Feynman described it as “management reducing criteria and accepting more and more errors that weren’t designed into the device, while the engineers are screaming from below, HELP!' andThis is a RED ALERT!’”

He related a conversation with a man at the Jet Propulsion Laboratory who had analyzed NASA’s shuttle safety system: “He said that the original safety rules for the shuttle were similar to those of the FAA, but that NASA had modified them as they began to get problems.” If a particular article didn’t meet the safety requirements, the requirements were lowered.

In his appendix to the commission report, Feynman noted NASA’s acceptance of the seal problems, erosion — the actual burning away of part or , in the case of Challenger, all of the seal — and blowby.

“Erosion and blowby are not what the design expected,” he wrote. “They are warnings that something is wrong.”

When the launch of Discovery marked America’s return to space last fall, hot gases got into five of the 10 seals joining the casings to the nozzles, much as had happened in pre-Challenger flights.

“I don’t think it’s too serious a problem,” says Stever. “The joints involved aren’t quite as critical as some others. I don’t think it’s a very large concern, though it’s the sort of thing you want to manufacture right. You’d prefer not to have it, but unless it gets much worse, it doesn’t constitute a threat.”

NASA announced that the problem was not of sufficient concern to cause postponement of the Atlantis flight or later launches.

“This is a damn good motor,” said Royce Mitchell, NASA’s solid rocket project manager at Marshall Space Flight Center.

“We are very satisfied with the (redesigned SRM) joint’s performance,” says George Rodney. “What happened is a little bit of sooting, and that didn’t surprise us.

“Now, in the nozzle we have a couple of joints we still have — well, they don’t have quite the margin on them that the main joints have.”

“The argument that the same risk was flown before without failure is often accepted as an argument for the safety of accepting it again,” wrote Feynman nearly three years ago. “Because of this, obvious weaknesses are accepted again and again — sometimes without a sufficiently serious attempt to remedy them, sometimes without a flight delay because of their continued presence.”

“If you’re talking about a reasonable risk, the current design is all right,” says Stever. “But we would make it an even more reasonable risk if some other things are done.” The panel made recommendations to NASA and Morton Thiokol about additional improvements, some of which he says are being implemented.

“Right now there’s some concern about the design of the igniter — that’s the thing that gets the whole thing going in the first place,” he explains. “It is a critical item, and while it had some redesign, there’s some more work to be done there, too. If one of them works and the other doesn’t, that’s a problem.”

The two SRMs for each flight have to be virtually identical, because they have to produce the same amount of thrust. Moveable nozzles can provide only a small amount of correction. But if only one SRM were to be ignited, it would result in catastrophe before the vehicle ever left the pad. Because there are two SRMs in each flight and both have to operate perfectly, the safety factor is only half what it would be for a single rocket alone.

Roger Boisjoly, the Morton Thiokol engineer who tried to have the Challenger flight scrubbed because he knew the seals would fail in cold weather, and who was later described in testimony before the commission as the leading expert on such seals, puts the current problem succinctly.

“To fix these things would shut the program down, so they’re not doing it,” he said recently. “That’s the same mindset that ran the program originally.”

“The tests that took place during the redesign go far beyond the tests in the original system,” says Stever. “That’s all to the good. But it is not a perfect system. It still depends on unbelievably good quality control and care at every step.”

In April 1986, about 11 weeks after the Challenger accident, a reporter for Knight-Ridder Newspapers submitted a formal query to the Eastern Space and Missile Center (ESMC) at Patrick Air Force Base. His question: What guidance had the Air Force given NASA concerning the reliability of solid-fueled rockets?

The two-paragraph written response states that the Air Force’s data were based on 1,000 uses of solid rockets over a 20-year period, and that the data dealt only with rockets that actually blew up as opposed to those that failed for some other reason. The data had been forwarded to NASA. End of answer. Just what the forwarded data were, the response did not say.

The original answer written by the Space and Missile Center public affairs office had contained an elaboration of the data. But in a memo to his boss, ESMC director of public affairs Lt. Col. Robert Nicholson Jr. noted:

“The data concerning the aggregated failure rate has been removed and is not to be used.”

The answer was censored by Air Force brass. The statistic withheld from the media was this: one time in 50, solid rockets blew up.

“The significance of this number, of course,” Nicholson’s memo continued (noting that there are two solid rockets on each shuttle launch), “is that Challenger’s SRB failure occurred on the 25th mission, or 50th use of the STS SRBs.”

In other words, the demise of Challenger, rather than being some freak occurance, was absolutely predictable. Statistically, the spacecraft exploded right on schedule.

The solid-rocket motors aren’t what engineers believe to be the most dangerous piece of hardware aboard the shuttle.

The main engines have always been a problem. The most dangerous part of the main engines is a unit called the turbopump. This is the device that propels the shuttle’s liquid hydrogen and liquid oxygen fuel to its main engines.

“When the whole idea of the shuttle was developed almost two decades ago, a lot of us felt that the most difficult part of the whole thing would be the liquid-propellent rockets, the turbopumps and the heat exchangers,” says Dr. Stever.

NASA has long recognized that the design of the turbopump is faulty, to the extent that it has contracted for an improved design to be built. But, because delivery of the new unit is more than three years away, the space agency has chosen to continue launches using the older, flawed design.

“The turbopumps are the most critical part of the main engines, and they are very much advanced state of the art,” says George Rodney, NASA’s associate administrator in charge of safety issues. “We’re pushing the state of the art on turbopumps. We have had a series of, shall we say, learning curve with the pumps. We will continue to have these kind of things probably crop up for awhile.”

The turbopumps are high-speed rotary devices, with blades that feed thousands of gallons of liquid hydrogen and liquid oxygen to the main engines each minute. They are critical to the shuttle’s safe operation. There is no back-up.

“Whenever you have high-speed rotating machinery, there are failure modes that can be very serious,” says George Rodney. “So, yes, you are concerned about the safety of these pumps. Whenever we find evidence of a new problem, we treat it very seriously.”

One problem discovered in the current design is that it is fitted with bearings that are insufficient to support the long impeller shaft. This means that the long uninterrupted central shaft can resonate — vibrate — much like a piano string.

This resonance takes place at about 94 percent power. The danger is minimized when the shuttle engines are at that setting only briefly, as happens when the vehicle powers through on its way to full throttle. NASA has tried to avoid the problem by minimizing the amount of time spent at the power settings where the resonance takes place, but contingencies that could arise in the launch would make that planned avoidance meaningless.

STS-51L, the Challenger flight of Jan. 28, 1986, involved an extended time at 94 percent power, resulting in what independent observers believe was a second fatal flaw aboard the vehicle.

“Look at the pictures,” says Bill McInnis. “You can see the fire, along the shuttle between main engine two and main engine three. The only time it was ever addressed, Jesse Moore told the Rogers Commission it was a reflection — but there’s nothing there to be reflected.”

Those observers think that even if the solid rocket booster failure had not taken place, Challenger would likely have been destroyed by that fire in the main engine compartment, likely due to the faulty turbopumps.

Here is one of the problems: At 94 percent power — the exact point varying slightly from unit to unit — the turbo-pump’s shaft resonates. It vibrates and bends. This allows its blades to strike its outer housing. They chip, sending red-hot shards down the fuel line, which is filled with propellant. A fire results. It is potentially catastrophic. Additionally, because the blades are traveling at such a high speed, only a little imbalance, such as is caused by even a tiny chip missing from one of the blades, could cause the whole turbopump unit to rattle apart in seconds, which would in turn cause the man-engine compartment to be flooded with fuel, resulting in a catastrophic failure.

Bearings and casings are also wont to crack, which can lead to quick failure unless they take place at the very end of the main engine burn. So far, they seem to have — though there have been some close calls. Among engineers, the question is less whether the turbopumps are safe as it is why one hasn’t destroyed the shuttle yet.

Indeed, it has almost happened. According to NASA’s own records, there was a fire in the main engine compartment aboard an early flight, but it was sufficiently near the end of the burn that it went out before a disaster could take place, when the external tank separated from the orbiter. The fire damage wasn’t discovered until the shuttle was back on the ground.

“The engineers told me that some of the people who worked on the engines always had their fingers crossed on each flight, and the moment they saw the shuttle explode, they were sure it was the main engines,” said Feynman.

“Everybody always had their fingers crossed, hoping that this wouldn’t be the one and knowing one day luck would run out,” says McInnis. “The main engines and their turbopumps were and are a bomb waiting to go off.”

“When I heard that the Challenger had blown up,” says John Pike of the Federation of American Scientists, “my first thought was one of the turbopumps had disintegrated.” That view was almost unanimously held in the aerospace community.

But the people NASA has hired to fix the problem say it isn’t a safety issue at all.

“These pumps are kind of the heart of the engine and it’s an area where NASA was concerned about frequent overhauls and things like that,” says John Zimonis, heading up the turbopump redesign for Pratt & Whitney. “Not a flight safety problem or not any kind of operational difficulty, but NASA thought they could perhaps improve their economics by modernizing these pumps.”

The turbo pumps currently in use were designed and built by Rocketdyne, a subsidiary of the orbiter’s primary contractor, Rockwell International. A redesign has been undertaken by the Government Engine division of Pratt & Whitney, which has more experience than does Rocketdyne in the development and manufacture of the high-pressure pumps and the associated rocket engines. If development works out as planned and the new units are approved for use, they could be aboard the shuttle as early as mid-1992. Until then, the shuttle flies with the old units.

A problem involving a cracked bearing in the high-pressure oxidizer turbopump on engine three took place aboard Atlantis when it was launched in November, carrying a secret military payload. NASA says the vibrations encountered in flight were higher than those encountered during testing, and it is investigating.

“This latest problem that we had with this bearing was a little bit unexpected, but we have an easy fix for it,” says Rodney. “It was more a manufacturing process problem than a design problem.”

Loss of the unit would result in loss of mission, vehicle, and crew. It is a non-redundant system — there is nothing to do the turbopump’s job if it fails. There are three turbopumps on each of the shuttle’s three main engines, one each for the hydrogen fuel, the liquid oxygen, and a third to power the other two. That means there are a total of nine of the turbine units, with the failure of any one of them almost certainly fatal.

In addition to the chipping of the impeller blades in the pump, some of them have cracked, and there is danger that one or more of them could come loose.

“You throw a bucket — an impeller blade — and the engine comes apart quickly,” says McInnis. “This is true in all designs like that, including jet aircraft. If you have reason to think you’ve thrown a bucket, you punch out right now, because the whole thing’s coming apart within a second or two.”

Adding to the danger, says McInnis, is the space agency’s insistence upon operating the shuttle’s main engines above their rated power. This is why shuttle launch observers hear commands for the shuttle to go to 104 percent power.

“This came about because the shuttle was overweight and NASA had contracted to carry payloads that required the shuttle’s full design potential, which wasn’t realized in the finished product,” says McInnis. “They made up the difference by pushing the main engines beyond their design capabilities. In my opinion, they’re pushing the state of the art too far.”

The main engines and their turbo-pumps are far more complicated than anything ever previously built to send a ship to space. But added to the technical problems was a compounding of all the little lies about the shuttle’s performance. NASA had made promises. Customers and Congress had been told the orbiter could carry 65,000 pounds, and in reality the payload was turning out to be much less than that — about five tons less, in fact. Space flight equipment is supposed to be able to hold together far beyond the stresses it will ever encounter in flight. But NASA found that, to keep its promises, it had to push the shuttle equipment farther and cut into that safety range. Engine stresses work, engineers say, on a logarithmic scale: Operating the main engines at 109 percent power, as NASA has planned and is planning again, produces twice the stress that operating at 104 percent power does. In turn, 104 percent is nearly twice the stress of 100 percent, and so on.

The turbopumps operate at more than 25,000 revolutions per minute, and are subjected to enormous thermal stress as well, because at start up they are taken from the temperature of the surrounding air to the temperature of liquid hydrogen or liquid oxygen — the -400 degrees Fahrenheit range.

“Imagine something the size of a microwave oven that operates at 75,000 shaft horsepower,” McInnis explains. “That’s the turbo pump. It’s an extremely high-stress article.”

When the turbopump contract was awarded in the early 1970s, Pratt & Whitney was clearly the industry leader in the design and manufacture of such units. In fact, they had essentially already designed full main engines for the shuttle. But the Connecticut-based company had been involved in a military overcharge scandal which is said to have biased NASA away from awarding it the contract. Instead, it was decided that Rocketdyne would build the unit.

The original Pratt & Whitney design called for additional bearings along the length of the pump’s shaft. This would have prevented the harmonic problem experienced in the Rocketdyne unit.

“NASA has all sorts of contingency plans for one- and two-engine aborts,” says McInnis. “But those plans don’t make any sense, because the failure modes of the main engines are of the sort that when an engine fails, it takes out adjacent engines, too.”

The main engines have also been plagued by burn-throughs in the nozzles themselves.

Those nozzles are enormous heat exchangers, honeycombed by pipes carrying the liquid fuel. The heat from the burning engines turns the fuel into gas, the form in which it is used by the engines. At the same time, the fuel pipes keep the nozzles cool enough that they don’t burn up.

It’s a sophisticated design, but in nearly half of the shuttle launches, some of the lines have burned through. A few instances of burn-through do not affect the shuttle’s performance enormously, but as Feynman noted, when a piece of equipment malfunctions, it is a warning sign. The lines were not designed to burn through. It was a surprise. But because it didn’t have an immediate, catastrophic effect, NASA continued to fly despite the anomaly.

“You just find a number of places where there can be more trouble,” says Stever. “And you fix up one area only to find other areas to worry about.”

The main engine contract was awarded to the Rockwell subsidiary in 1971 after being selected by a Source Evaluation Board that had itself been selected by Dale D. Myers, then NASA’s Associate Administrator for Manned Space Flight. Before coming to NASA in 1970, he had been Rockwell’s Vice President and Manager for the Space Shuttle Program, and soon after contracts for both the orbiter and its main engines were signed with Rocketdyne and Rockwell respectively, Myers resigned from NASA and returned to Rockwell.

In what many see as the ultimate irony, following the Challenger disaster Fletcher, who had resigned from NASA in 1977, was re-appointed administrator. An assistant was appointed. His name is Dale D. Myers.

“When Fletcher was brought back, it was a message to everyone that nothing would change. It was business as usual at NASA,” says Robert Hotz, a member of the Rogers Commission.

The thermal protection tiles encasing the orbiter are an engineering marvel. Spun from silicon, they have truly astounding insulating properties. When the shuttle was being built, pictures were circulated of a technician holding a red-hot tile in his bare hand, which was unburned, so great was the tile’s ability to shield from heat.

They also have the consistency of that green plastic foam used in flower arrangements. You can stick your finger right into one.

“If we hadn’t lost something like 288 tiles ferrying the first orbiter to KSC, we probably would have lost the very first shuttle,” remembers McInnis. “But the bonding method, the way they were attached to the shuttle, was so damn bad that they fell off just during the ferry flight. They thought they fixed it, but they weren’t sure — and they never did tests to find out.

“One thing you have to remember: This is the first manned space vehicle flown by any country in the world that flew the first time untested. Every other spacecraft has been flown unmanned before you ever put people in it, and that includes the new Russian shuttle.” Despite the repairs made to Columbia before the first flight, 16 tile were lost and 148 more were damaged, according to NASA, during that first flight.

As the compromises were becoming a bigger and bigger lie, NASA’s policy of “man-rated” parts was abandoned.

The man-rated part was one of the space agency’s safety hallmarks. It was exemplified by the phrase “fail-operational / fail-operational / fail-safe.” That meant that with one failure of a system, you could still fly the mission. With a second failure, you would have some mission impairment, but you could do part of the job. With a third failure, you could still get everybody home alive. This kind of redundancy ensured that we wouldn’t lose astronauts in flight, and during the time the policy was in place we didn’t.

“The qualification tests done on man-rated parts were much more stringent than those on unmanned vehicles,” says McInnis. “In the case of the shuttle, when they got around to building it, in many cases they didn’t do full tests. A lot of things on the shuttle were qualified by analysis or similarity to other parts, so it was a paper qualification. They still had no idea whether it would work.”

So it was with the tile. In early flights, large numbers of tile would be damaged or lost. When Challenger was lost, there had been concern that falling ice could seriously damage or dislodge the tile. We will never know if that actually happened.

But in the most recent flight of Atlantis, more than 200 tile were lost or damaged. One Congressional space watcher noted that it’s a real problem.

“This is a Crit One issue,” he said, meaning that there is nothing to save the shuttle if the tiles are lost. “There were burns through the buffer, the tile, the insulator — and that was the orbiter sitting there. That aluminum there — that’s the orbiter. That’s serious.”

NASA is worried, too.

“It wasn’t serious in the sense that there was serious degradation as a result of this damage on this flight,” says George Rodney. “However, it’s serious in the context that you can’t tolerate that much damage or sometime you’ll get a combination of events that might make it very serious. So we have got to get it fixed.

“We think we understand what caused this unusual amount of damage, and in this particular case it was more of a breakdown in our processing in the nosecone of the solid-rocket booster that allowed this to happen. We’ve taken measures to fix that problem.

“But we cannot tolerate exposure to that much damage to the tile. On this flight, it wasn’t a serious problem, but on another flight, with just a slightly different combination, you might have a very serious problem.”

The shuttle’s computer and software system is a source of continuing concern. In the STS-3 flight of Columbia, on March 26, 1982, the shuttle’s computers failed when they lost contact with ground control. The orbiter continued, essentially out of control, for nearly an hour.

The computers are very old technology. Most home computers and in fact the little portable laptop on which this story is written are far more powerful. Using the old-style “core” memory, which is a metal oxide core with wires running out of it, instead of modern microchip technology, the shuttle computers are very limited in their capacity. That’s why astronauts are forever having to reload tapes into the computers, so the computers will know what programs to run now.

There are reports that during Challenger’s launch, software — programs — that normally were not in the computers had been loaded ahead of time. This could explain the mysterious and improper firing of the aft thrusters, perhaps by the computer, perhaps by the pilot, as the shuttle struggled to get aloft on a wobbling, off-course ascent. The thrusters are normally fired only once the orbiter is in space.

Last year, there were reports from Houston that shuttle flight software had been seriously compromised. The software is developed over a long and tedious process and then, once it is deemed to be ready, it is tested. A test can itself take weeks. But Sylvia Robins, who had been involved in software design for Unisys, a NASA contractor, said that changes were being made in the software while the tests were underway, making the tests themselves useless.

Perhaps more important, she said that security at the software development center was so lax that it was possible to break into the development computers and actually alter programs. And, she charged, this had happened at least once, involving the back-up software for the Discovery flight. The company objected to her calling attention to this, and she no longer works there. She and other whistle blowers at Unisys have sued.

Before Challenger, when the White House was considering the launch of the unmanned nuclear-powered Galileo space probe to Jupiter, the administration’s science office asked NASA to supply a probable failure rate for shuttle launches. The fear was that if the shuttle blew with Galileo in the hold, live nuclear material would be dumped into the Atlantic Ocean. If NASA couldn’t guarantee that the risk of failure was less than one in 200, the White House was not prepared to approve the launch.

NASA sent a reassuring report saying, yes, the risk was less than one in 200. According to the figure commonly given by NASA, a lot less. Shuttle reliability, the space agency has claimed on more than one occasion, is such that there will be a catastrophic failure every 100,000 flights. If that were true, NASA could hope to safely launch a flight every day for nearly 273 years. That rate is 4,000 times more optimistic than the Air Force figure. NASA has never explained how it arrived at its assessment.

“That’s the fundamental problem that I think I see with the shuttle right now,” says John Pike. “We simply don’t have the first idea in the world how safe the thing is. NASA management was assuming that the incidence of failure was going to be one in 100,000. And I’ve seen documents to that effect. I’ve also talked to a lot of people who think it’s more like one in a couple dozen. And if indeed the majority of the informed speculation is correct . . . it’s not safe enough to fly. We shouldn’t be flying it. Period.”

If the catastrophic failure rate of the shuttle’s solid rocket boosters is indeed one in 25 missions, then the shuttle’s overall reliability is even worse. The rocket boosters are only one of many systems whose catastrophic failure rates have been calculated. A NASA-commissioned study by the California consulting firm of Pickard, Lowe, and Garrick, Inc., determined that on one mission in 70, all three of the shuttle’s auxiliary power units (APUs) would fail. The APUs power the shuttle, including the controls that enable it to land — the elevons, the landing gear, and so forth. Without them, it would crash. The study pointed out that that APUs have actually malfunctioned on at least five shuttle missions, including the November 1983Columbia mission when two of the units failed shortly before landing.

In another NASA study a year earlier, Lockheed Co. experts determined that a malfunction of the pressurizer system for the main fuel tanks would cause a crash once every 400 missions.

And so on.

Arnold Aldrich, director of NASA’s Space Transportation System (STS — the shuttle), says he does not believe that predicting failure rates is “meaningful.” He said the important point is that “the shuttle is extremely reliable, as safe as we are able to make it after an exhaustive three-year review.”

NASA plans to launch the plutonium-powered Galileo on a shuttle mission in October.

After Challenger, much was made of extensive redesigns that were taking place. The most attention, of course, was paid to the solid-rocket motors, which were seen as the immediate cause of the disaster. Whether that redesign was sufficient, and indeed whether solid motors will ever be safe and reliable for manned flights, remains in question. Even while the redesign was taking place, an oversight committee of the National Research Council repeatedly complained that the testing was insufficient and noted that while safety was the primary issue, speed was “a close second.”

NASA has pointed out the hundreds of changes that have been made in the orbiter and associated hardware. The results of some of the redesign work may have lulled many into believing the shuttle is now safer than it actually is. One example is the emergency escape system installed in post-Challenger shuttles.

“For it to be of any use,” notes McInnis, and others agree, “you must have perfectly working solid rocket motors, because they have to have gone through their entire burn sequence before you can cut them loose. Then you have to have perfectly working main engines, because the huge external fuel tank has to be drained down to only 5 percent full before you can cut it loose. But the failure modes of the main engines in test were catastrophic. If one goes, it takes out the other two.

“Then you have to have a shuttle in full control, because it needs to be in a controlled glide before the escape system will work.

“In short, you can escape from the shuttle, really, only when you have nothing to escape from — when everything’s working.”

As a matter of historical record, the shuttle remains the only American manned spacecraft ever — and possibly the only spacecraft of any country — that offers no means of crew escape in the event of a malfunction during the crucial launch phase of flight.

Even in the early days of flight test, there has usually been a means of escape. One of the notable and heroic aspects of Chuck Yeager’s flight through the sound barrier in the Bell X-1 was that it was one of the few test planes from which the pilot could not escape in the event of a malfunction.

Many believe that the shuttle, to save weight, has been equipped with fewer instruments than prudence would suggest. When Challenger broke up, flight controllers in Houston had no sense that anything was wrong until their screens froze.

And the flight before that, according to NASA records, it was only a weather delay that allowed ground crews to discover a piece of broken equipment stuck in a propellant valve. Had the chance discovery not been made, it would have been Columbia, not Challenger, to go up in smoke.

To summarize so far: NASA, with the best of intentions, proposed an elaborate space-shuttle system. Congress said no. So NASA simultaneously reduced the scope of its proposal and increased their claims for its capability. Then, once the shuttle project was approved, NASA, under Dr. James Fletcher, systematically closed down all other avenues to space, making the shuttle, with inflated expectations and unprecedented inattention to safety and reliability, the only show in town. All NASA’s eggs were in one basket.

“Well, it actually put the Air Force’s and the civilian community’s eggs in that basket as well,” says Dr. Bruce Murray. “That was a matter of doctrine. It really was. It was not a matter of reasoned technical alternatives, because NASA exterminated the alternatives and was able to successfully get a monopoly, not just on access to space for the whole government and the civil sector, and not only to get a monopoly but to get a monopoly using only manned, tended systems, which in retrospect is extraordinary.

“How could the secretary of the Air Force, the secretary of defense, and other key defense department personnel been persuaded to let the U.S. space monitoring capability become dependent to a manned system? And the fact that their actions since then have been to get away from that as fast as possible certainly indicates they recognize now that it was a bad thing to do.”

As early as 1984, the Air Force began to believe that it had been had. Money was requested for development and construction of heavy-lift expendable launch vehicles. The Air Force had satellites that needed to be launched, and the shuttle just wasn’t doing the job. It failed to live up to its promised performance, the Air Force said, and it was unreliable.

Dr. Murray says that NASA spent a lot of time and money showboating with the shuttle, to justify the system, by using it to do things that could have been done better by another kind of launch vehicle.

“There’s absolutely no reason to have a human in the loop to launch a planetary spacecraft,” he says. “There’s no purpose for having a human in the loop to launch a communications satellite.

“When the Challenger blew up, you have to ask, what did we kill seven people doing? And their principal job was launching an unmanned communications satellite which in the future will all be launched with expendibles. And should have been launched with expendibles at the time.”

The civilian space program has suffered. Hughes Aircraft, builder of the AUSSAT, was told by Australia that it should be launched on a Chinese launch vehicle. That’s because insurance premiums for the shuttle had gone through the roof, and China promised to underwrite the insurance.

Things got this bad, Murray and others say, because no one was minding the store — no one was holding NASA accountable. Everyone just presumed that it was all true until Challenger blew to pieces. Then there was stylish but brief outrage. Then things quieted down again and went back pretty much to normal.

Part of the problem, says a Congressional staffer involved in monitoring space activities, is that from day to day, the people who pay attention to NASA’s activities are those who have vested interests, such as space centers or concentrations of contractors in their districts. They are the ones least likely to holler, if hollering could jeopardize some aspect of some project.

“I mean, a large part of the Congress has a nice, warm, fuzzy feeling about the space program,” says the staffer. “The idea that it’s a good thing that the country does, and the astronauts are very brave people and gosh, you know there’s this thing out there that’s gonna take pictures of Uranus and isn’t that wonderful. And when you ask them what should we do with all of this, Well, about what we're doing now.' How much should we spend on all this?Well, about what we’re spending now.’ And I think that’s the dominant attitude not only in the Congress but the American public.

“So then you get into a small group of people who have very parochial interest — not in the negative sense — but it’s their district; Bill Nelson’s very interested; senators from Florida are of course interested; it’s a big industry there. Members from Texas, senators from Texas, and a few others, people like Senator Glenn, who has an obviously tie and interest, Sen. Garn — that’s again the Morton-Thiokol connection.”

So far, the shuttle project, even when it has worked, has fallen far below NASA’s projections and claims. Even at its best, it has been a litany of failures — The Solar Maximum project, which was so delayed that it wasn’t orbited when its primary mission was still possible; spy satellites that cost as much as an aircraft carrier, sent into space with reduced fuel loads, shortening their missions; hardware failures that have jeopardized dozens of astronauts and cost the lives of seven.

“In the newspaper I used to read about shuttles going up and down all the time,” said Richard Feynman, “but it bothered me a little bit that I never saw in any scientific journal any results of anything that had ever come out of the experiments on the shuttle that were supposed to be so important.”

Where can it go from here?

“The biggest change that I’d make would be to get a better handle on what the reliability and flight rate capabilities of the shuttle are,” says John Pike of the Federation of American Scientists. “And I think that to the extent that programmatic changes are in order, I think that they would basically flow from that assessment. It seems to me that we’re either placing too much reliance on the shuttle or not enough. That if the shuttle can only fly eight or 10 times a year and is going to blow up every couple dozen flights, I think we ought to just shut the thing down.

“On the other hand, if the shuttle can fly hundreds of missions safely and has a potential flight rate of 14 or 16 flights a year, I think we’re probably not placing enough dependence on it. That would then determine everything else. The big unknown for me is, how often is the shuttle going to blow up, and how often is it going to fly? Until you’ve got some answers to those questions that you can believe in, you don’t know what you’re doing.

“And the problem right now is that NASA is behaving as though they can fly it a lot and it’s not going to blow up anytime soon. Everybody else is behaving as though it’s not going to fly very much and it’s going to blow up fairly frequently. Somebody’s wrong.”

What is safe? In the case of the shuttle, figuring a statistical likelihood of failure cannot be done with any degree of accuracy, because there have only been 27 launches. One has failed catastrophically. Others have nearly done so. But even if all 27 had gone off without a hitch, that doesn’t mean the shuttle could be pronounced 100 percent safe. There have been too few launches to arrive at a meaningful number, for much the same reason that a new drug would not be allowed on the market after having been tested on only 27 people.

“I don’t think you can give a number at this point,” says Stever. “If you look at well-developed rockets that don’t have men in them, they fail at about two in 100. That’s not a very good number for manned flights, and you’d like it to be better. There are some things that you just must have right, because if you don’t you’re going to have a catastrophic event.

“I think the redesign has reduced the problems by quite a margin, and it now comes down to having the thing manufactured carefully and handled carefully, things like making sure they operate within the prescribed limits.

“This is risky business, and the people who do it know it’s risky business. They would like them as safe as possible, but they wouldn’t like the program shut off. So there’s pressure there to actually go ahead. There’s also pressure on the budget and on time. All those things are pounding away at each other, and you end up compromising every last one of them.”

And who’s to blame for all this? Who is the author of the big lie that the space shuttle program has become?

“NASA did this to itself,” says Dr. Bruce Murray. “NASA manipulated the president and everyone else on the grounds that it had a fundamental, over-riding, institutional need for a big aerospace project that involved the three centers. They took the best one they could get, and with a good deal of misrepresentation over a long period of time, created the problem. NASA created it, not Congress, not the president. NASA.

“The shuttle is a magnificent flying machine, but it’s a research and development vehicle, and it’s that fundamental problem that has bedeviled the program since the beginning. I think it still does. Namely, that it is a very important step in manned space flight, but it’s an R&D vehicle and therefore it can never be very effective and never be done very cost effectively.”

Before he died, Richard Feynman made a plea to NASA to become honest, both scientifically and insofar as its public relations are concerned.

“If in this way the government would not support NASA, then so be it,” he wrote in his appendix to the commission report. “NASA owes it to the citizens from whom it asks support to be frank, honest, and informative, so that these citizens can make the wisest decisions for the use of their limited resources.

“For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled.”