From: Henry Spencer <>
Subject: reliability predictions (was Re: Ariane 501)
Date: Mon, 10 Jun 1996 03:36:49 GMT

In article <4p50ea$>
(Chuck Buckley) writes:

>>Are you sure they didn't say that Ariane has a reliability of 98.5%? If
>>they did in fact say Ariane 5, then it's amazing what these reliability
>>engineers can make up...
>  Well, it is even worse in the computer industry when disk drives are
>shipped with MTBF (mean time between failure) ratings of greater than 
>5 years.. (and they only started making the drives less than a year before)

Actually, it's considerably better in the computer industry.  What they do
is to test a large number of drives simultaneously, in severe conditions
that generally make failures much more likely, and then plug the results
into models of how that relates to normal use.  While this process is by
no means perfect, the numbers are not total guesswork. 

This sort of thing *is* done for a launcher's components, which are tested
under considerably more severe conditions than those expected in flight.
Of course, there's no substitute for flying the whole thing at least a few 
times -- and preferably more than a few times -- in a reasonable variety of 
If we feared danger, mankind would never           |       Henry Spencer
go to space.                  --Ellison S. Onizuka |
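The accelerated-test procedure described above, as an added worked example that is not part of the original post: a batch of drives is run hot for a fixed time, the hours are converted to equivalent field hours with an Arrhenius acceleration factor, and the failures seen give both a point estimate of MTBF and a one-sided lower confidence bound (the chi-square bound for a time-truncated test, which still works when zero failures were seen). The drive counts, temperatures and the 0.7 eV activation energy are constructed assumptions, not figures from the post.

```python
import math

BOLTZMANN_EV_PER_K = 8.617e-5  # Boltzmann constant in eV/K


def arrhenius_acceleration_factor(ea_ev, use_temp_c, stress_temp_c):
    """Arrhenius acceleration factor: how many hours of normal use one hour at
    the stress temperature is worth.  ea_ev is the ASSUMED activation energy;
    the whole estimate is only as good as that assumption."""
    t_use = use_temp_c + 273.15
    t_stress = stress_temp_c + 273.15
    return math.exp(ea_ev / BOLTZMANN_EV_PER_K * (1.0 / t_use - 1.0 / t_stress))


def chi2_quantile_even_dof(dof, p):
    """Quantile of a chi-square distribution with an even number of degrees of
    freedom, found by bisection on its closed-form CDF (a Poisson tail sum).
    Even dof is all the MTBF bound below needs: 2 * (failures + 1)."""
    if dof <= 0 or dof % 2:
        raise ValueError("dof must be a positive even integer")
    m = dof // 2

    def cdf(x):
        h = x / 2.0
        total, term = 0.0, 1.0
        for i in range(m):
            total += term
            term *= h / (i + 1)
        return 1.0 - math.exp(-h) * total

    lo, hi = 0.0, 10.0 * dof + 50.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if cdf(mid) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def mtbf_point_estimate(units, test_hours, failures, af):
    """Equivalent field device-hours accumulated, divided by failures seen."""
    if failures == 0:
        raise ValueError("no failures seen: use mtbf_lower_bound instead")
    return units * test_hours * af / failures


def mtbf_lower_bound(units, test_hours, failures, af, confidence=0.9):
    """One-sided lower confidence bound for a time-truncated test:
    MTBF >= 2T / chi2(confidence; 2r + 2), T = equivalent device-hours."""
    total_hours = units * test_hours * af
    return 2.0 * total_hours / chi2_quantile_even_dof(2 * failures + 2, confidence)


def survival_probability(mtbf_hours, hours):
    """Fraction expected to survive `hours` under the constant-hazard model.
    This is what a quoted MTBF actually promises; it does not promise that a
    typical unit lasts anywhere near the MTBF."""
    return math.exp(-hours / mtbf_hours)


if __name__ == "__main__":
    # Constructed scenario: 1000 drives run 1000 h at 60 C, 3 failures, to be
    # sold for use at 40 C.  Nothing here is measured data.
    af = arrhenius_acceleration_factor(0.7, 40, 60)
    point = mtbf_point_estimate(1000, 1000, 3, af)
    bound = mtbf_lower_bound(1000, 1000, 3, af, 0.9)
    print(f"acceleration factor: {af:.2f}")
    print(f"MTBF point estimate: {point / 8760:.0f} years")
    print(f"MTBF 90% lower bound: {bound / 8760:.0f} years")
    print(f"fraction surviving 5 years: {survival_probability(point, 5 * 8760):.3f}")
```

One million device-hours of testing compressed into six weeks is how a drive that has existed for a year can carry a multi-year MTBF; the caveat, which the model hides, is that the constant-hazard assumption says nothing about wear-out, so the number describes the flat part of the bathtub curve only.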

From: Henry Spencer <>
Subject: Re: Mercury failure question
Date: Wed, 10 Jul 1996 19:00:21 GMT

In article <> (William H. Reid) writes:

>>how could such a carefully
>> assembled machine suffer such comprehensive failures?
>We've learned a lot since then and Mercury did far better than some
>programs before it. The environment is different, but the real issue was
>contamination control and quality assurance...

Well, I would say that's just the proximate cause.  The *real* issue is
that when you build only a handful of copies, it's inevitable that you'll
find assorted minor problems -- and maybe occasionally a major one -- on
the maiden flight of each.  This is normal for aircraft, and spacecraft
are no different.  The difference is that when each spacecraft flies only
once, every flight is a maiden flight, and it's not surprising that you
see problems on each one.

>...Example of
>how it was: A LO2 clean Titan I was being erected, ready for load and
>launch when someone noticed a rattle.  Inspection showed an entire tool
>kit inside the LO2 tank...

Unfortunately, that's how it still is, too.  There have been at least two
incidents of this kind of thing on the shuttle.  This isn't the result of
ancient sloppy practices which have long since been swept away by a tide
of paperwork; it's the result of simple human error, which all that costly 
paperwork has done very little to prevent.  (In fact, the paperwork quite
probably makes it worse, by encouraging a "somebody else will catch it"

There's a very simple way to combat this effectively, at least on larger
vehicles like the shuttle.  It's a technique that's been known since at
least WW2.  When the bird flies after being in the shop for major work --
which is every flight, for the shuttle -- one of the shop workers flies as
a passenger.  Some places the selection is random and some places it's the
shop boss, but either way, this is part of the job and you are not allowed
to refuse. 

>The simple answer is that we've learned how to be 10,000% more questioning
>and careful.  Q.A.!

And that factor of 10,000 in questions and care has gotten us, *maybe*, a
factor of 10 in reliability.  The aircraft people get much better results
by designing vehicles which can be tested before use.
If we feared danger, mankind would never           |       Henry Spencer
go to space.                  --Ellison S. Onizuka |

From: Henry Spencer <>
Subject: engines and design philosophies
Date: Fri, 5 Jan 1996 17:50:37 GMT

In article <4cgpsc$> (Undamped) writes:
>>...On the other hand, the thrust/weight ratio of the
>>very best aircraft engines is under 10:1, while rocket engines reached
>>125:1 thirty years ago...
>This is really apples and oranges.  

It's very apples-and-oranges, but it does address the original objection:
the need for the rocket to weigh a lot more.

>The aircraft engine is designed to
>run 4000+ hours without major maintenance, the rocket engine a few

This is an exaggeration, on both ends.  The 10:1 jet engines do *not* run
that long without major maintenance -- a 10:1 jet is a top-of-the-line
fighter engine, and those things are very maintenance-intensive compared
to airliner engines.  Furthermore, rocket engines must be tested, so they
are typically designed for more than one run.  The design spec for the F-1
called for a service life of 20 starts and 2250s of operation, even though
the operational requirement was 1 start and 151s.  The RL10 is rated for
10 starts and 4000s of operation in a single flight -- no maintenance -- 
and could probably be rated for more if anyone needed it; certainly DC-X's
RL10s were started more than ten times.

The difference in lifetime is also less drastic when you remember that
an airline flight lasts hours, the powered portion of a rocket flight
only minutes.

>>You're reading me too literally.  I was addressing design philosophy, not
>>detailed design approach.  The safety problems of our current spacecraft
>>designs are problems of philosophy, notably the "failures are intolerable,
>>we will spend whatever it takes to make sure they never happen"
>>approach, which not only is very expensive but doesn't work...
>You are seriously mistaken.  All engineers understand that single point
>failures are inevitable.  This is why the shuttle for example has 4 flight
>control computers, redundant actuators, APU's, engines, reaction controls...

It also has two SRBs, which basically have to be perfect from the start --
there is little tolerance for failures in them, as witness Challenger.  It
gets one chance to land safely on each flight.  Its engines are clumped
together so a catastrophic failure (admittedly unlikely) would take out
all three.  (Yes, airliners are required to survive catastrophic engine
failures.)  Its landing gear must work perfectly every time, since the
orbiter is not strong enough for a belly landing.  Failure of one
main-gear tire at the worst-case point in landing is very likely to blow
the other on the same side due to overload.  Etc. 

>The trade-off of protecting against catastrophic failure via low-cost
>redundancy and back-ups versus gold plated systems is one of weight.  In
>aircraft applications, extra weight is far more tolerable than spacecraft.

The airlines would mildly disagree; extra weight means extra cost.

However, you've missed a more fundamental issue.  The problem is not that
gold-plating is costly.  The problem is that it *doesn't* *work* -- it
simply does not achieve the desired levels of reliability.  Fault-tolerant
design does.
Look, look, see Windows 95.  Buy, lemmings, buy!   |       Henry Spencer
Pay no attention to that cliff ahead...            |
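The arithmetic behind the post's last point, as an added example that is not part of the original thread: series parts that must all work (two SRBs, one landing), a k-of-n voting set (four flight computers), the per-part reliability that "perfect by design" demands once several such parts sit in series, and a beta-factor common-cause term for parts that share a failure mode the way clumped engines do. The 0.99 per-part figures and the 10% common-cause fraction are illustrative assumptions, not shuttle numbers.

```python
from math import comb


def series_reliability(parts):
    """Every part must work: the system is no better than the product."""
    r = 1.0
    for p in parts:
        r *= p
    return r


def k_of_n_reliability(k, n, p):
    """At least k of n identical, independent parts with reliability p work."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def required_part_reliability(system_target, n_series_parts):
    """Per-part reliability each of n single-string series parts must reach
    for the system to hit the target.  This is the gold-plating bill."""
    return system_target ** (1.0 / n_series_parts)


def k_of_n_with_common_cause(k, n, p, beta):
    """Beta-factor model (an assumption of this example): a fraction beta of
    each part's failure probability is a common cause that takes out all n
    parts at once; the remainder fails independently."""
    q = 1.0 - p
    common = beta * q
    independent_ok = k_of_n_reliability(k, n, 1.0 - (1.0 - beta) * q)
    return (1.0 - common) * independent_ok


def failure_probability(reliability):
    return 1.0 - reliability


if __name__ == "__main__":
    # Constructed comparison: improve a single-string part tenfold, or
    # tolerate its failure with 2-of-4 redundancy of unimproved parts.
    single = failure_probability(0.99)
    gold_plated = failure_probability(0.999)
    redundant = failure_probability(k_of_n_reliability(2, 4, 0.99))
    clumped = failure_probability(k_of_n_with_common_cause(2, 4, 0.99, 0.1))
    print(f"single part at 0.99:           P(fail) = {single:.2e}")
    print(f"gold-plated to 0.999:          P(fail) = {gold_plated:.2e}")
    print(f"2-of-4 at 0.99, independent:   P(fail) = {redundant:.2e}")
    print(f"2-of-4 at 0.99, 10% common:    P(fail) = {clumped:.2e}")
    print(f"two series parts at 0.99:      R = {series_reliability([0.99, 0.99]):.4f}")
    print(f"per-part R for 0.999 over two: {required_part_reliability(0.999, 2):.5f}")
```

The independent 2-of-4 case is three orders of magnitude better than the gold-plated single string; the common-cause case shows why that gain evaporates when the redundant parts share a failure mode, which is the clumped-engines objection in numbers. The same reasoning applies to layered controls in security architecture: two checks that fail together are one check.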

From: (Henry Spencer)
Subject: Re: Crow for Tom, or Lithium on the brain
Date: Sun, 14 Jun 1998 06:05:02 GMT

In article <6lq4v6$jp1$>,
Patrick Patriarca <> wrote:
>the dumbing down of the Shuttle design from the beginning. IF Pres. Nixon
>and company hadn't cut the guts out of the design liquid fuel booster should
>have been used ....and why only two??? why not 3 or 4 F-1 engines as
>recoverable boosters? allowing for ejection seats....or fewer passengers,
>same payload, ejection seats for all else.

The blame for the situation really has to rest with NASA, not Nixon.  NASA
knew the financial constraints it was likely to be operating under, and
chose to ignore them in hopes that things would get better.  They didn't.

Note that ejection seats would not have saved the Challenger astronauts.
They were too high and moving too fast to eject, even if an ejection seat
would get you clear of the SRB plumes, which it wouldn't.

The answer, as people have said repeatedly, is *not* to apply bandaids
like ejection seats.  Air Force One -- the 747 carrying the US President
when he travels -- does not have ejection seats, despite the truly grave
consequences of losing it and its passengers.

The fundamental problem of the shuttle is not anything simple like the
SRBs.  It is the attempt to design an operational system which has to be
perfect by design -- a system which has no fault-tolerance and is too
expensive to fly a proper test program.  This does not work and has never
worked, not for an operational system.  NASA ignored that.

It is not impossible to build fault-tolerant launchers; for example, the
Saturn V that launched Apollo 13 carried on despite an engine failure.
Building a launcher that is cheap enough for a proper test program -- that
means dozens, if not hundreds, of test flights before it ever carries a
crewman other than a test pilot or a payload other than flight-test
instrumentation -- is more of a challenge but is not fundamentally

NASA didn't even try, as witness the fact that not one of the shuttle's
abort modes was even attempted during its four-flight "test program".

In an aircraft, it is mandatory to demonstrate these things.  To prove
that a 747's brakes can stop a worst-case aborted takeoff, you load the
aircraft up with ballast to maximum takeoff weight, line it up on the
runway, wind it up to maximum rejected-takeoff speed, and slam on the
brakes.  When it stops -- with the brakes glowing orange! -- you get to
sit there for ten minutes or so, simulating an overrun situation where you
can't just taxi away.  In that time, if a single tire blows from all that
stress and heat, the FAA says "too bad, better luck next time".  This is
proper testing:  you fly all the worst cases, and if there is even a
*hint* of something not working right, it's back to the drawing board.

After *that*, you can put the President in it with confidence.  There is
no other way.
Being the last man on the Moon is a |  Henry Spencer
very dubious honor. -- Gene Cernan  |      (aka

From: (Henry Spencer)
Subject: Re: Crow for Tom, or Lithium on the brain
Date: Sun, 14 Jun 1998 17:49:39 GMT

In article <>,
Motie 52 <> wrote:
>...No launch vehicle will
>ever be 100% safe, and I don't think anyone expects that...

However, they can and should be as safe as, say, jet fighters.  (After
development, that is -- almost every fighter development program loses one
or two prototypes during testing.)  They aren't.
Being the last man on the Moon is a |  Henry Spencer
very dubious honor. -- Gene Cernan  |      (aka

From: (Henry Spencer)
Subject: Re: Man Rating, Manned Vehicles, RLV Reliability, and other 
Date: Tue, 12 Dec 2000 01:14:08 GMT

In article <>,
Rand Simberg <> wrote:
>...But rocket *engines* weren't
>considered munitions.  The X-1 (and X-15) was just an airplane with a
>rocket engine in it, and its design practices were no more or less
>than the design practices for any other high-performance aircraft of
>the day...

Note, though, that the design and development practices for the *engine*
were significantly different from those used (especially later) for
missile engines -- in particular, a whole bunch of little tradeoffs were
made differently, to emphasize reliability rather than ultimate maximum
performance.  (At the last Space Access, Jeff Greason showed a photo of
the X-1 engine running in a ground test... with a technician walking past
maybe 15ft away.  This was routine; it is a design requirement for
aircraft engines that they do not explode without warning. :-))
When failure is not an option, success  |  Henry Spencer
can get expensive.   -- Peter Stibrany  |      (aka

From: "Jeff Greason" <>
Subject: Re: Is Roton Dead?
Date: Mon, 12 Feb 2001 08:38:54 -0800

Henry Spencer <> wrote in message
> In article <962bkc$>,
> Jake McGuire <> wrote:
> >Looking at recent ELV failures, and trying to identify which would be
> >avoided by a test-fired Delta IV SSTO, I come up with two avoided
> >out of the past 11.  A 20% difference in failure rate is utterly in the
> >noise of current ELV reliability.
> Also, bear in mind that static firings can *hurt* reliability, by using up
> working life of short-lived components.  There were several incidents in
> the Thor program, for example, of missiles passing multiple static firings
> with flying colors and then failing in flight because things had worn out;
> Douglas eventually talked the USAF into dropping the static-firing
> requirement.

Of course, that's true only if you're working very close to the wear
out life of your components.  Large Russian engines typically are
static fired to qualify, which is one reason they have, by design,
useful lifetimes of many flights -- if they didn't, they would fall prey
to the problem Henry is pointing out.

The two primary methods of assuring reliability are statistical
process control (which requires a component production rate
large enough to discern meaningful failure statistics), and burn-in
testing (which requires component life long enough that the
burn-in test doesn't use up a significant part of the lifetime).
The former (greatly simplifying), tries to make all the components
off the line exactly the same, and sacrifices a part of the
production run to thorough testing to determine life and
reliability.  The latter applies when "infant mortality" is a large
part of your failure rate, and tries to shake out those
components which have problems before shipping to the
customer.  Generally, both methods are applicable, but the
mix differs depending on your failure modes and production

"Limited funds are a blessing, not         Jeff Greason
a curse.  Nothing encourages creative      President & Eng. Mgr.
thinking in quite the same way." --L. Yau  XCOR Aerospace
   <>                <>
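A model of the two points above, as an added example that is not part of either post: Henry's observation that static firings can wear out short-lived parts, and Jeff's conditions for when burn-in and statistical testing pay off. It assumes a mixed population (a small fraction with a latent defect and a high constant failure rate, the rest wearing out on a Weibull law) and computes the probability of failing during a mission given survival of a burn-in of a chosen length, for a long-lived and a short-lived design. It also computes how small a failure probability a given number of zero-failure flights can actually demonstrate, which is the production-rate condition for meaningful statistics. All population parameters are constructed assumptions.

```python
import math


class Population:
    """Mixed population, times in mission-durations (one mission = 1.0).
    A fraction `weak` carries a latent defect and fails with constant rate
    `weak_rate`; the rest wears out with Weibull shape `beta` (> 1 means an
    increasing hazard) and characteristic life `eta`."""

    def __init__(self, weak, weak_rate, beta, eta):
        if not 0.0 <= weak <= 1.0 or beta <= 0 or eta <= 0 or weak_rate < 0:
            raise ValueError("bad population parameters")
        self.weak, self.weak_rate, self.beta, self.eta = weak, weak_rate, beta, eta

    def survival(self, t):
        """Fraction of the original population still working at time t."""
        weak_alive = self.weak * math.exp(-self.weak_rate * t)
        strong_alive = (1.0 - self.weak) * math.exp(-((t / self.eta) ** self.beta))
        return weak_alive + strong_alive


def mission_failure_probability(pop, burn_in, mission=1.0):
    """P(fails during the mission | survived a burn-in of length burn_in).
    Burn-in removes weak units but also spends the strong units' life."""
    return 1.0 - pop.survival(burn_in + mission) / pop.survival(burn_in)


def best_burn_in(pop, candidates, mission=1.0):
    """The candidate burn-in length with the lowest mission failure probability."""
    return min(candidates, key=lambda b: mission_failure_probability(pop, b, mission))


def zero_failure_upper_bound(trials, confidence=0.95):
    """Largest per-trial failure probability consistent with seeing zero
    failures in `trials` independent trials, at the given confidence
    (the exact form of the 'rule of three')."""
    if trials <= 0:
        raise ValueError("trials must be positive")
    return 1.0 - (1.0 - confidence) ** (1.0 / trials)


if __name__ == "__main__":
    # Constructed designs: 5% latent defects either way; the long-lived design
    # wears out at 50 missions, the short-lived one at 2.5.
    long_lived = Population(weak=0.05, weak_rate=2.0, beta=3.0, eta=50.0)
    short_lived = Population(weak=0.05, weak_rate=2.0, beta=3.0, eta=2.5)
    candidates = [0.0, 0.5, 1.0, 2.0, 4.0]
    for name, pop in (("long-lived", long_lived), ("short-lived", short_lived)):
        for b in candidates:
            print(f"{name:12s} burn-in {b:3.1f}: P(mission failure) = "
                  f"{mission_failure_probability(pop, b):.4f}")
        print(f"{name:12s} best burn-in among candidates: {best_burn_in(pop, candidates)}")
    for flights in (11, 100):
        print(f"{flights:3d} flights, zero failures: failure prob could still be "
              f"{zero_failure_upper_bound(flights):.1%} at 95% confidence")
```

For the long-lived design every additional burn-in mission lowers the in-flight failure probability; for the short-lived one the best burn-in is none at all, which is the Thor outcome. The last lines show why eleven clean launches cannot distinguish a 1% launcher from a 20% one, and why the "dozens, if not hundreds" of test flights mentioned earlier are the price of a claim in the low single digits.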
