TM-67-2032-2
Failure Impact and Backup Capability of Saturn Launch Support ESE at KSC
June 5, 1967
V. Muller
BELLCOMM, INC., 1100 SEVENTEENTH STREET, N.W., WASHINGTON, D.C. 20036
- Title: Failure impact and backup capability of Saturn launch support ESE at KSC
- Author(s): Muller, V.
- Abstract: No Abstract Available
- NASA Center: NASA (non Center Specific)
- Publication Date: Jun 5, 1967
- Document Source: CASI
- Document ID: 19790072543
- Accession ID: 79N72051
- Report Number: NASA-CR-154331; TM-67-2032-2
- Contract-Grant-Task Number: NASW-417
- Price Code: A03
- Keywords: ABORTED MISSIONS; ROCKET LAUNCHING; SATURN LAUNCH VEHICLES; APOLLO PROJECT; GROUND SUPPORT SYSTEMS; SYSTEM FAILURES; SYSTEMS ANALYSIS
- Accessibility: Unclassified; No Copyright; Unlimited; Publicly available
- Updated/Added to NTRS: 2005-10-31
http://ntrs.nasa.gov/search.jsp?R=547067&id=1&qs=Ntt%3D19790072543
COVER SHEET
ABSTRACT
The principal ESE used for Saturn launches is examined with regard to failure impact and alternate support capability during critical operations. Of the 23 systems examined, nine systems, which are classified "mandatory" in the AS 501 Launch Mission Rules, operate without complete redundancy or alternate support provisions.
When a system is classified "mandatory," it is implied that the system has a mission-essential function; therefore, it appears logical that these preflight systems should be treated in the same manner as essential flight-support systems.
It is therefore recommended that the appropriate Centers review the criticality of these systems and identify any actions required to assure that failures in any of them will not jeopardize mission success.
The requirements of dual-launch missions should be considered in these reviews.
I. GENERAL
A historical survey of 169 Atlas, Titan and Saturn I launches at Cape Kennedy shows that 105 scrubs occurred; 54 percent of these scrubs were attributed to the vehicle, 33 percent to GSE malperformance, and 13 percent to inclement weather. Of the 35 scrubs caused by malfunction of GSE, some 20 percent involved Electrical Ground Support Systems.
In the case of lunar landing missions, scrubs become much more critical. A scrub occurring late in the countdown will most likely cause a launch opportunity to be missed and will affect areas of national interest such as prestige and expense. Recycling of the complete mission system (KSC, MCC-H, MSFN, ETR, recovery forces), loss of consumables and contractor man hours result in specifically assessable expenses. Other penalties include wear of the hardware, particularly flight hardware, which becomes subjected to additional test operations and adverse climatic environment.
It is not intended to use the past record of scrubs as a measure to predict the number of Saturn V scrubs that may be caused by ESE, but rather to show that they can be expected to occur. With the increased dependency on ESE systems, as compared to the early ESE/GSE operational support, more ESE failures and an even larger impact on the launch operations can be anticipated.
Scrubs caused by the flight hardware have to be expected and dealt with within mission constraints and flight hardware requirements. However, scrubs caused by the ground-based systems should be kept at the conceivable minimum.
Although the report emphasizes Saturn V support, it is, with few exceptions, also applicable to the Uprated Saturn I Vehicles and facilities.
II. OBJECTIVE
In order to assess possible ESE failures causing a scrub, each principal ESE system participating in the countdown of Saturn Vehicles is examined. The impact of a failure of each system is determined, and the availability of redundant functions or alternate support capability is examined. As a result of this study, the most critical systems or functions are identified. Systems are classified as critical when they are mandatory to support countdown and launch operations but have no provisions for complete redundancy or alternate support.
Other related problem areas are identified which include secondary constraints arising from the redundancy or backup requirements.
The systems classified as "mandatory" are the same as specified in the AS 501 Launch Mission Rules. Mandatory is defined as being essential for accomplishing a specific mission. As a result, the mandatory assignment to a system means that the operations cannot proceed if that system fails late in the countdown.
For the purpose of this study, certain ground rules, with respect to the provisions of alternate support, are observed in the following order of criticality:
1. Each organization shall retain its assigned responsibility in the overall task of launch preparation and launch support.
2. No degradation of the supporting function shall be introduced.
3. Existing facilities are considered and addition of hardware is avoided as much as possible.
A system-by-system analysis is included as Attachment 1.
III. SUMMARY
The principal ESE to support Saturn launches at KSC has been examined with regard to failure impact and alternate support capability during critical operations.
Of the 23 principal systems examined, nine of the systems, which are classified "mandatory" in the AS 501 Launch Mission Rules, operate without complete redundancy or alternate support provisions. These systems and the related criticalities in case of failure are listed below:
1. KSC Timing System: the distribution and sub-timing systems are not always available in a redundant configuration or with an alternate support capability. They are required for the operation of mandatory ESE. (See Section 1.1.)
2. Terminal Countdown Sequencer: cutoff and subsequent reset requires some four hours. (See Section 1.2.)
3. RCA-110A system, specifically the LUT computer system: loss of discrete output switch selection and control. (See Section 1.3.)
4. Mission Support Room (LVO): loss of specific mission rule measurement monitor, firing room and MCC-H support. (See Section 1.5.)
5. Digital Data Acquisition System (DDAS): loss of flight TM systems checkout capability during open-loop test and loss of LV checkout data during closed-loop test to LCC, MSR, ALDS and LIEF. (See Section 1.6.)
6. Digital Event Evaluation System (DEE): loss of data monitor during propellant loading and environmental tests. (See Section 1.7.)
7. Data Transmission System (DTS): loss of monitor and control capability of pad critical GSE. (See Section 1.8.)
8. USB command link: loss of AGC and LVDC update capability and loss of real-time command capability (Abort Advisory and LVDC backup). (See Sections 1.18 and 1.23.)
In addition to the systems listed under 1 through 8 above, some additional systems contain a set of special problems:
- ACE-SC requires a second station for alternate support capability during critical test operations. Scheduling requirements must reflect this mode of operation.
- Hardline Communication: Catastrophic events (fire, power loss) in central facilities such as CDSC, VABR, BRR disable all basic capability for hardline communications.
IV. CONCLUSIONS
Supporting functions which are classified as "mandatory" are, by definition, functions which are essential for accomplishing a mission.
The Apollo Program Specification, SE 005-001-1, Rev. A, specifies in Section 3.1.3.3.4 "... that no single failure shall prevent the successful continuation of the mission ..." Although this statement is primarily directed to vehicle and flight-support systems, it appears that, with the assignment of mandatory, the criticality of prelaunch ESE approaches that of the ground support systems used during flight.
In consideration of the above, it seems appropriate to recommend that the appropriate Centers review the criticality of these systems and identify any actions required to assure that failures in any of them will not jeopardize mission success.
The requirements of dual-launch missions should be considered in these reviews.
ACKNOWLEDGMENT
The author wishes to express his appreciation to all the NASA/KSC, ETR and associated contractor personnel who have been helpful in accumulating and reviewing the presented information. Particular acknowledgment goes to KSC/HC, HD, JA, KA, PA, QA, GSFC/USB, ETORS and associated contractors.
2032-VM-gmp V. Muller
Attachments
- Systems Analysis
- List of Abbreviations
SYSTEMS ANALYSIS
ATTACHMENT 1
Table I presents a list of principal ESE systems participating in the countdown. Included are KSC outlying systems, such as ETR, MCC-H and LIEF, since their functions present an integral part of KSC operations support.
| KSC Timing System | PTCS |
| Terminal Countdown Sequencer | Facility Comm. OIS |
| RCA-110A Computer System | KSC Tracking |
| LCC Data Display | ALDS |
| LVO Mission Support Room | MCC-H |
| DDAS | USB-Station |
| DEE-3, DEE-6 Systems | LIEF |
| DTS | ETR Timing System |
| ACE-SC | Range Safety System |
| CIF TM Station | Hardline Comm. System |
| CIF Data System | Open Loop Comm. System |
| LCC TM Station | |
Figure 1 depicts the principal Data Distribution Network, which is either part of the systems listed in Table I or interfaces within these systems. The network shown includes only the basic Telemetry and Command Links in the open or closed loop configuration.
In the following sections, each system listed in Table I is discussed with regard to interface requirements, failure impact and alternate support capability. Selected related problem areas are included.
1.1 KSC Timing System
a. Configuration
The KSC Timing System generates and distributes time and frequency signals with +10 milliseconds accuracy. The timing generation equipment is located in the CIF; part of the timing distribution system is the countdown clock. The Timing and Countdown systems provide some 150 inputs to such functions as countdown displays, GMT, discrete frequencies, sequence control and event signals. Subtiming stations at MSOB, LCC, VAB, LUT and PTCR receive and distribute the timing signals for local users such as the RCA-110A system and ACE-SC. Calibration is accomplished through WWV, VLF and Loran C transmitters; synchronization with ETR occurs through cable interface, at BRR and via UHF at the CIF.
Figure 1: Principal Data Distribution Network
b. Failure Impact
Failure of the Timing and the Countdown Systems disables most ESE support functions. A momentary loss of synchronization necessitates a hold and successive reinitialization of the timing system users. Loss of synchronization can occur through loss of timing generation, distribution systems failure or a temporary power surge.
c. Alternate Support
The timing generation system operates in two identical sets, on a redundant standby basis. Switchover is accomplished manually.
Power backup exists by means of standby batteries in the CIF.
In addition, alternate timing signals can be provided through manual patching to the ETR timing system. However, the distribution and subtiming systems do not provide complete redundancy and most of the distribution network and subtiming systems operate on facility power.
1.2 Terminal Countdown Sequencer (TCS)
a. Configuration
The TCS is a solid state device, located in the LUT sequence rack.
Between T-187 sec. and T+20 sec., the TCS initiates some 148 timed functions through operating output relays in a prearranged sequence. These functions include fuel tank pressurization, transfer to internal power, termination of bubbling, turbopump bearing heater cutoff, umbilical arm disconnect, ignition sequencer start, etc. The TCS is started after completion of the interlock chain preparation and manual closure of the Firing Command Enable Switch in the Terminal Sequencer Panel of the LCC. Timing control of the TCS is provided through a 1-pps signal from the countdown clock. Interrupt of the TCS can occur through interface chain cutoff or manual cutoff, necessitated in most cases by a launch vehicle systems anomaly.
TCS monitor and interlock status is available through the RCA-110A data link, ground DDAS, DEE equipment and special hardwire. Discrete Output Control by the RCA-110A computer, however, is inhibited during TCS operation.
b. Failure Impact
In addition to cutoffs initiated by the interlock system, loss of countdown timing or TCS failure generates an interrupt. Current estimates show that a TCS reset and recycle, without repair, would require at least some four hours.
c. Alternate Support
No alternate support capability exists in case of TCS failure.
1.3 RCA-110A Computer System
a. Configuration
The LUT based RCA-110A computer system provides the LVDC interface, performs the switch selection, monitors and controls the discrete outputs, monitors the DDAS and contains the discrete action tables.
The LCC RCA-110A computer controls the test execution and provides the display service.
Interfacing with the RCA-110A system are the ground and stage DDAS, DEE-3, PTCS, Display computer (DDP-224), and ACE-SC. The RCA-110A also provides an input (preparations ready) for enabling initiation of the TCS.
b. Failure Impact
Failure of the LUT RCA-110A or associated in/output and signal distribution equipment disables switch selection and discrete output control and inhibits G&C systems testing.
Failure of the LCC computer or associated in/output distribution equipment disrupts the LCC function execution control and display console service.
Operation of the LUT computer is a prerequisite for the start of the TCS, and LCC computer operation is mandatory for DDP-224 computer operation.
c. Alternate Support
No alternate support capability exists for performing LUT computer switch selections and discrete in/output control, except for limited hardwire controls.
A manual switch selection and discrete output control capability exists between the LCC and backup LUT RCA-110A operations. However, manual control of 2048 discretes is very cumbersome and impossible within the time constraints of the countdown operations. Therefore, manual control is only planned for some 4-6 discrete operations at the end of launch countdown (no T-time estimate available).
Additional hardwires are available for emergency safing.
LV and ESE status monitoring in the LCC is available independently of the RCA-110A computers, by means of the DEE-6, DEE-3, DDAS and CIF telemetry systems. Each backup system drives its own displays, recorders, indicators or printers to provide the LCC man/equipment interface.
Preparations are being made to provide the CIF telemetry data via DDP-224 computer to the Sanders displays upon request. This would provide for redundant monitoring capability; however, it would limit backup capability in case of DDP-224 computer failure.
1.4 LCC Data Display and Control
a. Configuration
The LCC Data Display and Control consoles are located in the LCC firing rooms. They provide for manual initiation of test programs, manual interruption of programmed events and contain the CRT (Sanders) displays, event lights and analog meters. Command and display interface between the consoles and the RCA-110A computer is provided by the DDP-224 computer system.
b. Failure Impact
Failure of individual display and control console equipment disables the monitor and manual control function of a particular stage or system.
Failure of the DDP-224 system disables the console main displays and the manual control capability by the systems test engineers in a firing room. Availability of principal LCC Data Displays is mandatory for launch operations and launch.
c. Alternate Support
Individual display and control consoles can be backed up by other consoles through insertion of a coded card, thus enabling alternate program callup for display and control support. In case of complete loss of the DDP-224 operated displays and controls, partial alternate data presentation is available from the DEE-6, DEE-3, DDAS and CIF equipment. These alternate data presentations are, however, not always feasible for real time data analysis.
Limited manual control of discrete outputs and emergency operations can be performed through direct hardline links. Increased computer program control and, hence, elimination of the man/machine interface is possible through progressive automation.
1.5 LVO Mission Support Room (MSR)
a. Configuration
The MSR is located in the CIF and is used by LVO to monitor real-time data from Uprated Saturn I or Saturn V launch vehicles during prelaunch, launch and postlaunch operations.
The MSR is manned by LV Systems Engineers whose responsibilities include (1) monitoring of mission rules measurements, (2) backing up the LCC on other critical measurements, and (3) directly supporting MCC-H flight control operations. The LV information is presented on trajectory displays, CRT displays, strip charts, recorders and video displays. All data is available from the CIF Data Core; CRT displays are driven by the GE 635 computers, the other displays are directly driven. Direct OIS interface exists with the LCC firing rooms, MCC-H and HOSC.
b. Failure Impact
Malfunction of the MSR results in the loss of a mandatory function during prelaunch and launch operations and a highly desirable function during the powered phases of a mission.
c. Alternate Support
The functions performed by the MSR are not redundant to LCC, HOSC or MCC-H functions. Each of these functions, such as monitoring of launch mission rules (limit check of critical parameters), systems engineering support, LVO flight controller operations for evaluating systems performance and dynamic trends of the navigational system, electrical network, mechanical and propulsion systems, or Abort Parameter monitoring and LIEF operations support, is uniquely defined and has individual equipment provided.
No alternate support is available.