The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 1 Issue 44

Wednesday, 29 Jan 1986

Contents

o Shuttle SRB/MFT self-destruct mechanisms
  Dusty Bleher
  Herb Lin
  Martin Moore
o Challenger speculation
  Herb Lin

Shuttle SRB/MFT Self-destruct mechanisms

Dusty [snake] Bleher <decwrl!pyramid!amiga!dusty@ucbvax.berkeley.edu>
Wed, 29 Jan 86 09:50:10 pst
Organization: Commodore-Amiga Inc., 983 University Ave #D, Los Gatos CA 95030

[PGN wrote

  >One unvoiced concern from the RISKS point of view is the presence on each
  >shuttle of a semi-automatic self-destruct mechanism.  Hopefully that
  >mechanism cannot be accidentally triggered.   ]

Please Note, and cease to spread your unfounded rumor!
  ONLY the SRBs and the MFT/mate assy have a destruct mechanism.  The shuttle
  is NOT provided with such a mechanism, any more than an L-1011 is!

Dusty Bleher  (@@) (408) 395-6616 x265 (wkdays PST)

                [Yes, Martin Moore noted that in RISKS-1.43.  Fortunately
                 L-1011's do not have to take off amidst Solid Rocket
                 Boosters and External Fuel Tanks!  Thanks.  PGN]


Reliability of Shuttle SRB/MFT self-destruct mechanisms

Herb Lin <LIN@MC.LCS.MIT.EDU>
Wed, 29 Jan 86 17:54:23 EST
To: mooremj@EGLIN-VAX.ARPA
cc: "RISKS-LIST:"@MC.LCS.MIT.EDU, risks@SRI-CSL.ARPA

Thanks for your piece.  Can you discuss at all the actual devices used on
the SRBs and the External Tank to set off explosions?  What ensures that
they work as expected?


Reliability of Shuttle SRB/MFT self-destruct mechanisms

"MARTIN J. MOORE" <mooremj@eglin-vax>
0 0 00:00:00 CDT
To: "lin" <lin@mit-mc>
cc: <risks@sri-csl>

Unfortunately, I really can't (as opposed to "won't") amplify much on the
actual destruct hardware; as I said, I worked strictly on the ground system,
and I have little knowledge of explosives.  My exposure to it was pretty
much limited to having one of the engineers on that side show me a block
diagram of the system and point out the salient characteristics...like
everything else that I ever saw in this system, there were double (or more)
backup paths for everything.  Sorry I can't be of more help here.

The one all-pervading factor that I encountered in various mission-critical 
systems at Cape Canaveral is redundancy.  Aside from double and triple 
circuitry and paths, there are two complete systems for everything; both run
at all times, accepting all inputs, but only one is "on-line" with respect
to outputs; if the on-line system fails (say in a power failure), the backup 
takes over.  Or a switchover can be requested manually, or the on-line program
can deliberately request a switchover if it encounters a hardware or software
error.

From time to time system redundancy was tested by running a mission simulation 
and suddenly cutting off one power source completely.  The other set of 
systems was fully capable of supporting the entire mission (of course, the
first time we tried this -- long before the first live use of the system --
we did find some problems, e.g., one system had all of its modems on the
same power source.  Its backup processor ran, but was deaf and dumb!)
Having seen this done -- first with one power source and then the other,
thus shutting down every piece of equipment at some point -- I can say 
that I *know* there is no single point of failure among the major system 
components.  I would also say that unless you run such a test, you *can't*
know it; you may think it, but you can't know it. 

                                     mjm

     [Of course, even if you run such a test, you still may not KNOW IT...
      You may never know that the test was complete.  PGN]
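The power-cut test Martin Moore describes above (cut one source at a time and see whether a complete backup system survives) can be modelled as a small check over a wiring table. The block below is an added illustration, not code from the RISKS post or from any Cape Canaveral system; the two systems, the components, and the bus names are constructed. It reproduces the "deaf and dumb backup" case (both modems on one bus), shows the corrected wiring, and goes one step beyond the post by also enumerating minimal combinations of source failures that would take down every system.

```python
"""
Single-point-of-failure check for a dual-redundant system.

Added illustration (hypothetical wiring, not from the RISKS post): a system
is operational only while every one of its components has power, and the
installation survives a set of source failures only if at least one complete
system is still operational afterwards.
"""
from itertools import combinations

# Constructed wiring: system A and system B each need a processor and a modem.
# In the flawed layout both modems sit on bus1, so cutting bus1 leaves B's
# processor running but with no way to talk to anyone.
FLAWED = {
    "A": {"processor": "bus1", "modem": "bus1"},
    "B": {"processor": "bus2", "modem": "bus1"},
}

# Corrected layout: each system draws every component from its own bus.
FIXED = {
    "A": {"processor": "bus1", "modem": "bus1"},
    "B": {"processor": "bus2", "modem": "bus2"},
}


def power_sources(systems):
    """All distinct power sources referenced anywhere in the wiring table."""
    return sorted({src for comps in systems.values() for src in comps.values()})


def system_alive(components, dead_sources):
    """A system counts as operational only if every component still has power."""
    return all(src not in dead_sources for src in components.values())


def survives(systems, dead_sources):
    """True if at least one complete system remains after the given sources fail."""
    return any(system_alive(c, dead_sources) for c in systems.values())


def surviving_components(systems, dead_sources):
    """Per-system list of components still powered: shows *how* a backup degrades."""
    return {
        name: [comp for comp, src in comps.items() if src not in dead_sources]
        for name, comps in systems.items()
    }


def single_points_of_failure(systems):
    """The test from the post: cut each source in turn, report any whose loss kills every system."""
    return [src for src in power_sources(systems) if not survives(systems, {src})]


def cut_sets(systems, max_size):
    """Minimal combinations of up to max_size source failures that kill every system.

    Goes beyond the single-source test: a combination is reported only if no
    smaller reported combination is already contained in it.
    """
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(power_sources(systems), size):
            if any(set(f) <= set(combo) for f in found):
                continue  # a smaller cut set already explains this failure
            if not survives(systems, set(combo)):
                found.append(combo)
    return found


if __name__ == "__main__":
    for label, wiring in (("flawed", FLAWED), ("fixed", FIXED)):
        print(label, "single points of failure:", single_points_of_failure(wiring))
        print(label, "cut sets up to size 2:", cut_sets(wiring, 2))
        print(label, "after losing bus1:", surviving_components(wiring, {"bus1"}))
```

The check is exhaustive only over the sources and dependencies that appear in the table; a component whose hidden dependency (a shared modem line, a common clock) was never modelled will not show up, which is the moderator's point that a passed test does not prove the test was complete.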


Challenger speculation

Herb Lin <LIN@MC.LCS.MIT.EDU>
Wed, 29 Jan 86 18:18:19 EST
To: kyle.wbst@XEROX.COM
cc: LIN@MC.LCS.MIT.EDU, "RISKS-LIST:"@MC.LCS.MIT.EDU,
    aviation@R20.UTEXAS.EDU, CMP.WERNER@R20.UTEXAS.EDU,
    neumann@SRI-CSL.ARPA

    From: kyle.wbst at Xerox.COM

    Does anyone know if a rifle shot on the big tank would be enough to
    structurally weaken it such that during that portion of the launch with
    maximum stress the thing might rupture?

It is obvious that at the time of the explosion, no rifle bullet hit
it.  Thus, any shot must have been fired much sooner.  The rifle shot
must then be timed in such a way that it is fast enough to weaken the
casing, but not strong enough to penetrate it.  It seems that that
window is pretty small.

If you are into pure, unadulterated speculation, another possibility
is that a bullet was fired into an SRB while it was on the ground, and
lodged there.  When the fuel burned to that point, a jet leaked out,
and triggered an explosion.
