The University of Texas at Austin
Studies in Ethics, Safety, and Liability for Engineers
Kurt Hoover and Wallace T. Fowler
Apollo 13: A Mission That Failed
On March 31, 1972, one of the two liquid oxygen (LOX) tanks in the Apollo 13 Service Module (SM) exploded, releasing 300 lbs. of oxygen into space. Although telemetry indicated a serious malfunction, it was not immediately apparent to either the flight controllers in Houston or the astronauts on Apollo 13 just how extensively the spacecraft had been damaged. Oxygen, now in short supply, was used for breathing, and as a reactant for the fuel cells which produced electricity and water. Thus, the crew faced potential shortages of air, power, and water.
At the time of the accident, Apollo 13 was still on the outbound portion of its trajectory. To return safely to Earth, the spacecraft would have to swing around the Moon, using its gravity to turn back toward Earth. An entirely new trajectory and reentry procedure would have to be developed in just three days; normally such procedures took three months to develop and verify. To make matters worse, Hurricane Helen threatened to swamp the normal splashdown site. Despite the large potential for disaster, Apollo 13 returned safely to Earth with its crew alive and well. Their safe return is a testament not only to NASA's flight preparations, and to the thorough design of the Apollo spacecraft, but also to the courage and ingenuity of the astronauts and the engineers on the ground.
Oxygen Tank #2:
The production history of oxygen tank #2 on Apollo 13 showed a persistent lack of attention to detail and possibly a lackadaisical attitude toward safety. The first indication of trouble occurred in March, 1970. During routine countdown rehearsals the tank was filled with oxygen, but could not be emptied. Normally, gaseous oxygen was pumped into the vent line to force the liquid oxygen out the fill line. Ground crews determined that a loose nozzle fitting was the source of the difficulty. Investigations after the Apollo 13 accident revealed that the tank had been dropped during installation at North American Aviation, which caused the fitting to become loose. Instead of pushing the liquid oxygen out the fill line, the gaseous oxygen escaped through the loose fitting. When the normal procedure failed to empty the tank, the ground crew decided to use the heaters and fans inside the tank to boil out the oxygen.
The tank heaters were equipped with thermostatic switches which would deactivate the heaters if the temperature exceeded 80° F. During normal operations, these switches carried 28 volts supplied by the spacecraft fuel cells. However, during the rehearsal they were powered by the 65 volt ground power supply. The 65 volt load caused the thermostatic switches to fail. The ground crew kept the heaters on for 6 hours, assuming that the thermostatic switch would trigger if the tank temperature exceeded 80° F. Because the heaters did not shut off, the temperature reached 1000° F in the heater tube assembly. This intense heat burned the Teflon insulation off the fan motor wiring, leaving bare wires, which in turn short circuited during the flight.
Ground personnel should have noticed the high temperature and manually shut off the tank heaters long before the temperature reached 1000° F. Apparently no one was aware that the temperature had reached such a high level, and that vital parts might have been damaged.
The original 1962 specifications for the thermostatic switches called for the use of 28 volt power supplies. A 1965 revised specification required that the switches be rated to carry the 65 volt power supplied by the ground system at Kennedy. However, Beech Aircraft Corporation, which manufactured the tank, did not modify the switches. This oversight was not detected by Beech, North American, or NASA in any of the system or documentation reviews.
The loose fitting which had resulted when the tank was dropped during installation also was not fixed, since it apparently caused no problems other than inhibiting the removal of LOX. Gaseous oxygen still passed through the nozzle in the prescribed manner.
The Failed Mission
A Successful Launch:
Although several minor glitches occurred during the countdown, the liftoff of Apollo 13 was uneventful. The center engine of the second stage shut down prematurely, but the guidance system compensated by burning the other four engines 34 seconds longer than originally planned. The capability and flexibility of the launch vehicle proved it could overcome minor problems. The third stage fired as planned and placed the spacecraft on the translunar trajectory. The transposition maneuver, which linked the two spacecraft nose to nose, was executed without a hitch. Everything appeared to be going according to plan. After a thorough check of all systems, Mission Control instructed the crew to move the spacecraft off of the free return trajectory (a trajectory on which the spacecraft would swing around the moon and return to earth without additional thrusting maneuvers - a "free" return). To return to Earth, the spacecraft would now have to fire its engines to establish a trajectory which would terminate with atmospheric entry and splashdown in one of Earth's oceans.
Indications of a Problem:
The first fifty-five hours of the flight went pretty much as planned. The astronauts had even found the time to take some television pictures and to clown around with a weighing device. At 9:05 PM (CST) April 13, a yellow caution light on one of the flight control panels in Houston came on, indicating low pressure in the hydrogen tanks. The crew was asked to activate the heaters and fans for the hydrogen and oxygen tanks which would increase the pressure.
Unknown to either the ground controllers or the astronauts, wires in the oxygen tank #2 were without insulation. When the fans were turned on, a spark from these wires caught the internal tank insulation on fire. In a pure oxygen environment, the insulation burned rapidly. The fire caused a dramatic increase in the temperature and pressure in the tank. Unfortunately the warning system on the flight control panel was configured to indicate only one anomalous pressure at a time. The high pressure in oxygen tank #2 went unnoticed.
At 9:08 PM (CST), Astronaut Fred Haise interrupted a conversation with Houston. "Hey, we've got a problem here." A loud bang had occurred and main bus B was reading a very low voltage. This bus was one of two which regulated the electrical power from the three fuel cells. At first the cause of the bang and the low voltage was not known. However, a zero pressure reading on oxygen tank #2 was noted and Astronaut James Lovell noted that the spacecraft was venting something into space. The escaping gas was causing the spacecraft to pitch and roll.
The first order of business was to stabilize the command module; this proved difficult because at first the astronauts did not realize that the gas continued venting out of the ruptured tank even after it appeared to have stopped. Once control had been established, Lovell started the entire configuration revolving at a rate of once every 20 minutes to avoid solar overheating of any portion of the capsule. Communications with the ground had to be carried out using the omni-directional antenna, since the main antenna was damaged by the explosion. Unfortunately, since the problem occurred after Apollo 13 had left the free return trajectory, a propulsive burn was necessary in order to return to Earth. Without a course correction, Apollo 13 would miss the Earth by about 40,000 miles.
Into the Lifeboat:
Power in the command module (CM) was extremely limited, and the batteries would be needed for reentry if the spacecraft was able to return to Earth. Without power the astronauts could not stay in the command module and were forced to move into the lunar module. One of the benefits of having both a command module and a separate lunar module was that during an emergency, the lunar module could act as a lifeboat, although it had no heat shield. Contingency plans to use the lunar module in such a manner had been drawn up, but no one had ever thought that the plans would actually be used. Now, the design of the lunar module and the contingency plans would be tested.
First, the lunar module had to be activated and the command module shut down. With all power from the service module gone and the command module's batteries required for reentry, the astronauts had to fly the combined lunar module, service module, and command module configuration using the lunar module thrusters and engines. Because the lunar module was so far from the center of mass of the combined vehicle, controlling and aligning the entire configuration was difficult.
Using the lunar module fuel cells, navigational system, computer, thrusters, and oxygen would theoretically keep the astronauts alive, if not comfortable. There was sufficient oxygen for the return trip, but doctors on the ground worried about the astronauts suffering from dehydration. Controllers on the ground were worried that there would not be sufficient electrical power to keep the lunar module warm, run the necessary equipment, and recharge the partially depleted command module batteries. Because it would have interfered with their ability to move equipment and recalibrate instruments, the astronauts chose not to wear their spacesuits. The temperature was only 40°F in the command module and barely above 50°F in the lunar module; sleeping was difficult despite the astronauts' fatigued condition.
Dealing with the Problem from the Ground:
While the astronauts in space were struggling to manage the lifeboat, ground controllers back in Houston were struggling to develop a whole new flight plan. Production of a flight plan normally required three months even with the plan relying heavily on previous flights. This time, a document as thick as a major city phone book had to be developed and verified in less than 3 days without the aid of similar previous flights.
During a normal mission, flight controllers worked in 6 hour shifts with the lead controllers for each station assigned to various shifts. Now an "all star" team of the most experienced controllers was assembled to develop the new flight plan and control the spacecraft during the critical reentry. The other three teams took on 8 hour shifts. The process of developing a new flight plan was extremely complicated, requiring literally thousands of steps, most of which had to be executed in some particular order.
Determining the correct locations and timing for the course correction burns was extremely difficult. The flight controllers had to worry not only about Hurricane Helen near the Pacific splashdown zone, but also the splashdown site of the lunar module's atomic cask. Alternate splashdown sites in the Atlantic and Indian oceans were rejected because no recovery ships were available or the splashdown site of the atomic cask was too near inhabited areas. The conditions on the spacecraft itself made the maneuvers even more difficult. Results from the first maneuver had shown a discrepancy from the expected results. It turned out that Astronaut Swigert was not at his assigned location during the burn and this slight difference in mass distribution had altered the results. Worse yet, the trajectory continued to change even after the burn. Initially no one could explain this; finally it was determined that the ruptured tank was still venting slightly when the spacecraft's slow rotation carried it into the sunlight.
A Successful Return
Preparing for Reentry and Splashdown:
During the return trip to Earth, the astronauts were kept busy. Equipment had to be moved from the command module to the lunar module. The navigation system in the lunar module was not as sophisticated as the one in the command module, since it had been designed for a simpler task. Because of this, the astronauts had to do more by hand. Obtaining their position by sighting on the stars was very important, but not easy using the lunar module telescope. Errors due to fatigue at one point led Lovell to position the spacecraft 90° from the desired alignment. Fortunately this situation was rapidly corrected.
As the atmospheric scrubbers in the lunar module became saturated, the CO2 content of the spacecraft atmosphere became dangerously high. Engineers on the ground were forced to design an air purification system using parts from the command module. Then, using only words (no pictures were possible), they had to instruct the astronauts on how to construct a device which no one had ever seen before. Fortunately both the design and the construction were successful and the astronauts continued to have enough breathable air.
As the Apollo spacecraft hurtled back toward Earth, NASA personnel on the ground did their best to help the astronauts prepare themselves and their spacecraft for the critical reentry. Astronauts in Houston tested out various ideas proposed by engineers and flight controllers. In several cases their work in the simulators resulted in the crew of Apollo 13 receiving better procedures. Most importantly, the crew of Apollo 13 had greater confidence in the procedures because every one had been tested and verified in the simulator.
As the time for reentry neared, the astronauts moved back to the command module. A final position check was taken from the lunar module and transferred to the command module; the lunar module fuel cells were used to fully recharge the command module batteries which were vital for a successful reentry, splashdown, and recovery. To separate the command module from the lunar module, the pyrotechnic bolts connecting the two were blown and the air remaining in the lunar module rushed out of the hatch separating the two craft. In the command module, the astronauts were busy preparing the spacecraft for the return to the planet. Over four hundred switches and dials had to be set to the proper positions. Lack of sleep and water, plus the accumulated stress over almost six days, caused several switches to be set incorrectly. Fortunately each switch was rechecked and read back to Mission Control in Houston; still, at least two minor switches were set incorrectly when the spacecraft landed.
On April 17, at 12:07 PM (CST) the crippled command module splashed into the Pacific Ocean, within sight of the aircraft carrier U.S.S. Iwo Jima. Within an hour, the astronauts were safely on-board. NASA and the American public breathed a collective sigh of relief. The astronauts had returned safely to Earth, but the public had become aware that the Apollo program was not just a bus to the Moon. The process of space travel was still difficult, complicated, and dangerous. This was a lesson both NASA and the American public would have to relearn less than twenty years later with Challenger. Even with total vigilance, it is never possible to eliminate all risks. The flight of Apollo 13 illustrated the importance of redundancy and contingency planning, and the dangers which arise when complacency creeps into a program.
As a result of the post-accident investigation, numerous changes were recommended to eliminate vehicle and program deficiencies and to increase program strengths. The most immediate change was improved insulation for all wires in cryogenic systems. The tanks themselves were redesigned. In addition, a third oxygen tank was added to the service module to provide a greater safety margin. These measures were designed to eliminate any possible repeat of the accident and provide greater redundancy, since it is impossible to ever obtain one hundred percent reliability. The repairs were not without cost; the total bill required an extra $15 million for each subsequent mission and delayed the entire program four months.
The failure of the fuel cells on Apollo 13 pointed out how vulnerable the system was to a loss of electrical power. It was deemed prudent to provide the command module with greater electric storage capability. Batteries which could provide sufficient power for command module reentry were added.
NASA also reevaluated both its training and ground crew procedures. All failure scenarios, no matter how improbable, were simulated. Multipoint failures which were previously ignored as too improbable were simulated, requiring both astronauts and flight controllers to deal with them. The purpose of training on simulators, to prepare for all possible scenarios, was stressed with renewed intensity. The flight controllers' computer display consoles were also modified to eliminate superfluous information and to present vital information in a better format. The formats of all the flight control consoles were reevaluated for content and clarity of information.
Safety and Ethics Issues
Some safety and ethics issues are raised by examining the Apollo 13 mission. In the simplest terms, maintaining good ethical conduct requires a person to differentiate between what is right and what is wrong and follow the course that the person determines is correct. Frequently, it is not so simple; right and wrong are not clearly marked, and a person must use his best judgement. Some of the ethical issues associated with the mission and the events preceding it are listed below.
Why didn't Beech change the switches to allow them to handle 65 volt power? Was this intentional or simply an oversight?
Why was the discrepancy not detected or corrected by any of the parties involved in design and documentation reviews?
When faced with the failure of oxygen tank #2 to empty correctly, shouldn't ground personnel at Kennedy have investigated the problem instead of simply by-passing it?
When the heaters remained on for six hours, shouldn't someone have been concerned about the possibility of damage?
When considering possible failure modes, how small must the probability of an event be to ignore the event?
Considering that the lives of the astronauts may depend on contingency planning, how much is necessary?
Apollo 13 Accident Assignments
The Apollo 13 accident illustrates the importance of redundancy and contingency planning, and the dangers which arise when complacency creeps into a program. Unfortunately, unless measures are taken to check it, complacency is the natural result of time.
Many events led to the explosion of oxygen tank #2. Stopping any one of the events might have prevented the accident. Many people must share the blame for contributing to the conditions that allowed the accident to occur. On the other hand, the successful return of the astronauts shows that many things were done right. Both the spacecraft and the NASA procedures were designed well enough to survive in what could have been a catastrophic situation.
Read the General Information provided on the Apollo 13 accident. Consider each of the following questions carefully in light of that information and write a complete and grammatically correct paragraph in which you explore a probable answer.
- When oxygen tank #2 was dropped during handling, why was it not more thoroughly checked to make sure that nothing had been damaged?
- When ground personnel at Kennedy had trouble emptying the tank, why did they not look for the source of the problem, instead of simply bypassing it?
- Why didn't the ground personnel notice that the heaters had not switched off? Why didn't someone check the tank to see if the long heater activation time had damaged something?
- Why did Beech fail to change the thermostatic switch to match the revised specifications? How come none of the system or documentation reviews by any of the contractors or NASA caught the discrepancy?
- With all the problems with oxygen tank #2, why wasn't a thorough investigation of it ordered by someone in NASA management?
- Why was the flight control panel in Houston configured to only show one anomalous reading? This panel configuration kept the controllers and crew from becoming immediately aware of the full extent of the danger.
- Even though no one had really thought that the lunar module would ever have to be used as a lifeboat, shouldn't the astronauts have practiced the procedure?
- Why weren't the contingency plans which covered the possibility of having to evacuate to the lunar module more extensive? For example why weren't the difficulties of maneuvering using only lunar module propulsion considered?
- Shouldn't the problem of excess CO2, which could result from any malfunction of the atmospheric system, have been examined long before Apollo 13?
- How can complacency in a large program be reduced?
Choose one of the following statements, research the topic, and write a two page paper in which you explore the impact of the Apollo 13 oxygen tank explosion.
- The nozzle on Oxygen Tank #2 was damaged during handling at North American Aviation. Because of the damaged nozzle, the tank could not be emptied properly during testing. NASA personnel used the tank's heaters to boil out the oxygen. The heaters were supposed to turn off if the tank temperature exceeded 80°F, but the thermostatic switch failed. This switch met original specifications, but not the revised specifications. No system or documentation review had detected or corrected this problem. Explore this chain of events and recommend where things should have been done differently.
- Because the thermostatic switch failed, the insulation on some of the wires leading to the tank was melted off, leaving bare wires. While en route to the Moon, astronauts turned on the heaters and fans in the oxygen tanks. This action caused a short, which in turn caused the explosion of oxygen tank #2. Because of the configuration of the flight control panel in Houston, the extent of the damage was not immediately known to either the flight controllers or crew. Was there anything that crew or ground controllers could have done to avoid or minimize the problem?
- Because of the loss of oxygen, the command module fuel cells could not operate correctly. This left the astronauts with insufficient power to continue with their mission. The astronauts evacuated the command module and moved to the lunar module. Contingency plans to use the lunar module as a lifeboat existed, although they had not been tested and no one had thought that these plans would ever be used. What is the proper level of contingency planning?
- In three days, flight controllers on the ground developed a new flight plan to return the astronauts; this procedure normally took three months. Astronauts in Houston tested out possible maneuvers in the simulators. This testing helped correct and refine the maneuvers before they were actually used by Apollo 13. When considering possible splashdown sites, the flight controllers had to worry about a hurricane and a shortage of recovery ships in addition to the problems with the spacecraft. The lunar module reentry trajectory also had to be calculated precisely to ensure that the atomic cask on board would impact far away from any population center. Does this mean that NASA spends too much time on planning for contingencies and should just wait until emergencies occur before dealing with them?
Divide the class into small groups, no more than three to a group. Each group is to choose one of the four roles outlined below and develop statements outlining the position represented by those in your role in the successful recovery of Apollo 13. Develop two statements: (1) what are your major concerns, and (2) how do these concerns relate to those of the other groups.
- Astronauts: Your main concern is obviously to get back home. You have had extensive training, but nothing in your training prepared you for something like this. The spacecraft is very uncomfortable; you have been under extreme stress and the thought of your death has crossed your mind at least once. How do you keep yourself functioning despite your fatigue? You must stay as mentally sharp as possible. What types of things might help you do this: mental exercise, staying busy, thinking about your family, thinking about God? Remember that your goal is to stay functional, otherwise you will die in space.
- Reentry Flight Controller: Your task is to plan a safe reentry. What happens on-board the spacecraft up until that time is not important to you, as long as sufficient electrical power, air, and water are left for reentry. Because your part of the return is the most complicated, you want as much of the resources, including the astronauts' mental sharpness, as you can get, but these needs must be balanced against the needs of the other groups.
- Other Flight Controller: Your job is to make sure that the spacecraft and functioning until it is time for reentry. To do this you must interface with all the other parties, and to some extent keep them all satisfied. You must carefully calculate how much electrical power, oxygen, and water can be used and how much must be saved. Everyone needs more than what you will give them.
- NASA Doctors: You are worried about the condition of the astronauts. You are afraid that they are not getting enough to drink. When it is cold, people do not want as much water, even if their body needs it. To return to Earth the astronauts must be able to think clearly; this is very difficult considering the conditions they are subjected to. You are worried about the stress and the fatigue inducing mental errors. As a doctor you are trained to recognize and understand the effects of stress and fatigue, but the astronauts do not have such training. Like most human beings they will be suffering the effects long before they are aware of them, and will attempt to push themselves too hard. If they do not pace themselves, they may make mistakes during the critical reentry. In addition you are worried about the possibility of infection.
Working in three person groups, consider how to reduce the possibility of complacency in large programs. First identify the possible origins of complacency. Can these origins be eliminated, or must they be accepted and mitigated? What are some actions that can be taken to reduce complacency? Do these actions involve management structures, motivational tools, monetary compensation, review procedures, technical issues, quality control inspections, or other factors?
Working in three person groups, consider the role of contingency planning in a manned space flight. Obviously it is neither economical nor possible to plan for every possible problem, but where should the line be drawn? Frequently the question may come down to one of cost versus possible benefit. How are possible failures determined in the first place? How are the probabilities determined for each possible failure? What is the role of simulation in preparing and planning?