The University of Texas at Austin
Studies in Ethics, Safety, and Liability for Engineers
Kurt Hoover and Wallace T. Fowler
Apollo 13
A Mission That Failed
On March 31, 1972, one of the two liquid oxygen (LOX) tanks in the Apollo 13 Service
Module (SM) exploded, releasing 300 lbs. of oxygen into space. Although telemetry
indicated a serious malfunction, it was not immediately apparent to either the flight
controllers in Houston or the astronauts on Apollo 13 just how extensively the spacecraft
had been damaged. Oxygen, now in short supply, was used for breathing and as a reactant
for the fuel cells, which produced electricity and water. Thus, the crew faced potential
shortages of air, power, and water.
At the time of the accident, Apollo 13 was still on the outbound portion of its trajectory.
To return safely to Earth, the spacecraft would have to swing around the Moon, using its
gravity to turn back toward Earth. An entirely new trajectory and reentry procedure
would have to be developed in just three days; normally such procedures took three
months to develop and verify. To make matters worse, Hurricane Helen threatened to
swamp the normal splashdown site. Despite the large potential for disaster, Apollo 13
returned safely to Earth with its crew alive and well. Their safe return is a testament not
only to NASA's flight preparations and the thorough design of the Apollo spacecraft, but
also to the courage and ingenuity of the astronauts and the engineers on the ground.
TABLE OF CONTENTS
Background
The Failed Mission
A Successful Return
Safety and Ethics Issues
References
Apollo 13 Accident Assignments
Background
Oxygen Tank #2:
The production history of oxygen tank #2 on Apollo 13 showed a persistent lack of
attention to detail and possibly a lackadaisical attitude toward safety. The first indication
of trouble occurred in March, 1970. During routine countdown rehearsals the tank was
filled with oxygen, but could not be emptied. Normally, gaseous oxygen was pumped
into the vent line to force the liquid oxygen out the fill line. Ground crews determined
that a loose nozzle fitting was the source of the difficulty. Investigations after the Apollo
13 accident revealed that the tank had been dropped during installation at North
American Aviation, which caused the fitting to become loose. Instead of pushing the
liquid oxygen out the fill line, the gaseous oxygen escaped through the loose fitting.
When the normal procedure failed to empty the tank, the ground crew decided to use the
heaters and fans inside the tank to boil out the oxygen.
The tank heaters were equipped with thermostatic switches which would deactivate the
heaters if the temperature exceeded 80° F. During normal operations, these switches
carried 28 volts supplied by the spacecraft fuel cells. However, during the rehearsal they
were powered by the 65 volt ground power supply. The 65 volt load caused the
thermostatic switches to fail. The ground crew kept the heaters on for 6 hours, assuming
that the thermostatic switch would trigger if the tank temperature exceeded 80° F.
Because the heaters did not shut off, the temperature reached 1000° F in the heater tube
assembly. This intense heat burned the Teflon insulation off the fan motor wiring,
leaving bare wires, which in turn short circuited during the flight.
Ground personnel should have noticed the high temperature and manually shut off the
tank heaters long before the temperature reached 1000° F. Apparently no one was aware
that the temperature had reached such a high level, and that vital parts might have been
damaged.
The original 1962 specifications for the thermostatic switches called for the use of 28 volt
power supplies. A 1965 revised specification required that the switches be rated to carry
the 65 volt power supplied by the ground system at Kennedy. However, Beech Aircraft
Corporation, which manufactured the tank, did not modify the switches. This oversight
was not detected by Beech, North American, or NASA in any of the system or
documentation reviews.
The loose fitting which had resulted when the tank was dropped during installation also
was not fixed, since it apparently caused no problems other than inhibiting the removal of
LOX. Gaseous oxygen still passed through the nozzle in the prescribed manner.
The Failed Mission
A Successful Launch
Although several minor glitches occurred during the countdown, the liftoff of Apollo 13
was uneventful. The center engine of the second stage shut down prematurely, but the
guidance system compensated by burning the other four engines 34 seconds longer than
originally planned. The capability and flexibility of the launch vehicle proved it could
overcome minor problems. The third stage fired as planned and placed the spacecraft on
the translunar trajectory. The transposition maneuver, which linked the two spacecraft
nose to nose, was executed without a hitch. Everything appeared to be going according to
plan. After a thorough check of all systems, Mission Control instructed the crew to move
the spacecraft off of the free return trajectory (a trajectory on which the spacecraft would
swing around the moon and return to earth without additional thrusting maneuvers - a
"free" return). To return to Earth, the spacecraft would now have to fire its engines to
establish a trajectory which would terminate with atmospheric entry and splashdown in
one of Earth's oceans.
Indications of a Problem
The first fifty-five hours of the flight went pretty much as planned. The astronauts had
even found the time to take some television pictures and to clown around with a weighing
device. At 9:05 PM (CST) April 13, a yellow caution light on one of the flight control
panels in Houston came on, indicating low pressure in the hydrogen tanks. The crew was
asked to activate the heaters and fans for the hydrogen and oxygen tanks which would
increase the pressure.
Unknown to either the ground controllers or the astronauts, wires in the oxygen tank #2
were without insulation. When the fans were turned on, a spark from these wires caught
the internal tank insulation on fire. In a pure oxygen environment, the insulation burned
rapidly. The fire caused a dramatic increase in the temperature and pressure in the tank.
Unfortunately the warning system on the flight control panel was configured to indicate
only one anomalous pressure at a time. The high pressure in oxygen tank #2 went
unnoticed.
At 9:08 PM (CST), Astronaut Fred Haise interrupted a conversation with Houston. "Hey,
we've got a problem here." A loud bang had occurred and main bus B was reading a very
low voltage. This bus was one of two which regulated the electrical power from the three
fuel cells. At first the cause of the bang and the low voltage was not known. However, a
zero pressure reading on oxygen tank #2 was noted, and Astronaut James Lovell noted that the
spacecraft was venting something into space. The escaping gas was causing the
spacecraft to pitch and roll.
The first order of business was to stabilize the command module; this proved difficult
because at first the astronauts did not realize that the gas continued venting out of the
ruptured tank even after it appeared to have stopped. Once control had been established,
Lovell started the entire configuration revolving at a rate of once every 20 minutes to
avoid solar overheating of any portion of the capsule. Communications with the ground
had to be carried out using the omni-directional antenna, since the main antenna was
damaged by the explosion. Unfortunately, since the problem occurred after Apollo 13 had
left the free return trajectory, a propulsive burn was necessary in order to return to Earth.
Without a course correction, Apollo 13 would miss the Earth by about 40,000 miles.
Into the Lifeboat
Power in the command module (CM) was extremely limited, and the batteries would be
needed for reentry if the spacecraft was able to return to Earth. Without power the
astronauts could not stay in the command module and were forced to move into the lunar
module. One of the benefits of having both a command module and a separate lunar
module was that during an emergency, the lunar module could act as a lifeboat, although
it had no heat shield. Contingency plans to use the lunar module in such a manner had
been drawn up, but no one had ever thought that the plans would actually be used. Now,
the design of the lunar module and the contingency plans would be tested.
First, the lunar module had to be activated and the command module shut down. With all
power from the service module gone and the command module's batteries required for
reentry, the astronauts had to fly the combined lunar module, service module, and
command module configuration using the lunar module thrusters and engines. Because
the lunar module was so far from the center of mass of the combined vehicle, controlling
and aligning the entire configuration was difficult.
Using the lunar module fuel cells, navigational system, computer, thrusters, and oxygen
would theoretically keep the astronauts alive, if not comfortable. There was sufficient
oxygen for the return trip, but doctors on the ground worried about the astronauts
suffering from dehydration. Controllers on the ground were worried that there would not
be sufficient electrical power to keep the lunar module warm, run the necessary
equipment, and recharge the partially depleted command module batteries. Because it
would have interfered with their ability to move equipment and recalibrate instruments,
the astronauts chose not to wear their spacesuits. The temperature was only 40°F in the
command module and barely above 50°F in the lunar module; sleeping was
difficult despite the astronauts' fatigued condition.
Dealing with the Problem from the Ground
While the astronauts in space were struggling to manage the lifeboat, ground controllers
back in Houston were struggling to develop a whole new flight plan. Production of a
flight plan normally required three months even with the plan relying heavily on previous
flights. This time, a document as thick as a major city phone book had to be developed
and verified in less than 3 days without the aid of similar previous flights.
During a normal mission, flight controllers worked in 6 hour shifts with the lead
controllers for each station assigned to various shifts. Now an "all star" team of the most
experienced controllers was assembled to develop the new flight plan and control the
spacecraft during the critical reentry. The other three teams took on 8 hour shifts. The
process of developing a new flight plan was extremely complicated, requiring literally
thousands of steps, most of which had to be executed in some particular order.
Determining the correct locations and timing for the course correction burns was
extremely difficult. The flight controllers had to worry not only about Hurricane Helen
near the Pacific splashdown zone, but also the splashdown site of the lunar module's
atomic cask. Alternate splashdown sites in the Atlantic and Indian oceans were rejected
because no recovery ships were available or the splashdown site of the atomic cask was
too near inhabited areas. The conditions on the spacecraft itself made the maneuvers even
more difficult. Results from the first maneuver had shown a discrepancy from the
expected results. It turned out that Astronaut Swigert was not at his assigned location
during the burn and this slight difference in mass distribution had altered the results.
Worse yet, the trajectory continued to change even after the burn. Initially no one could
explain this; finally it was determined that the ruptured tank was still venting slightly
when the spacecraft's slow rotation carried it into the sunlight.
A Successful Return
Preparing for Reentry and Splashdown
During the return trip to Earth, the astronauts were kept busy. Equipment had to be
moved from the command module to the lunar module. The navigation system in the lunar
module was not as sophisticated as the one in the command module, since it had been
designed for a simpler task. Because of this, the astronauts had to do more by hand.
Obtaining their position by sighting on the stars was very important, but not easy using
the lunar module telescope. Errors due to fatigue at one point led Lovell to position the
spacecraft 90° from the desired alignment. Fortunately this situation was rapidly
corrected.
As the atmospheric scrubbers in the lunar module became saturated, the CO2 content of
the spacecraft atmosphere became dangerously high. Engineers on the ground were
forced to design an air purification system using parts from the command module. Then,
using only words, since no pictures were possible, they had to instruct the astronauts on how to
construct a device which no one had ever seen before. Fortunately both the design and the
construction were successful and the astronauts continued to have enough breathable air.
As the Apollo spacecraft hurtled back toward Earth, NASA personnel on the ground did
their best to help the astronauts prepare themselves and their spacecraft for the critical
reentry. Astronauts in Houston tested out various ideas proposed by engineers and flight
controllers. In several cases their work in the simulators resulted in the crew of Apollo 13
receiving better procedures. Most importantly, the crew of Apollo 13 had greater
confidence in the procedures because every one had been tested and verified in the
simulator.
As the time for reentry neared, the astronauts moved back to the command module. A
final position check was taken from the lunar module and transferred to the command
module; the lunar module fuel cells were used to fully recharge the command module
batteries which were vital for a successful reentry, splashdown, and recovery. To separate
the command module from the lunar module, the pyrotechnic bolts connecting the two
were blown and the air remaining in the lunar module rushed out of the hatch separating
the two craft. In the command module, the astronauts were busy preparing the spacecraft
for the return to the planet. Over four hundred switches and dials had to be set to the
proper positions. Lack of sleep and water, plus the accumulated stress over almost six
days caused several switches to be set incorrectly. Fortunately each switch was rechecked
and read back to Mission Control in Houston; still at least two minor switches were set
incorrectly when the spacecraft landed.
Successful Recovery
On April 17, at 12:07 PM (CST), the crippled command module
splashed into the Pacific Ocean, within sight of the aircraft carrier U.S.S. Iwo Jima.
Within an hour, the astronauts were safely on-board. NASA and the American public
breathed a collective sigh of relief. The astronauts had returned safely to Earth, but the
public had become aware that the Apollo program was not just a bus to the Moon. The
process of space travel was still difficult, complicated, and dangerous. This was a lesson
both NASA and the American public would have to relearn less than twenty years later
with Challenger. Even with total vigilance, it is never possible to eliminate all risks. The
flight of Apollo 13 illustrated the importance of redundancy and contingency planning,
and the dangers which arise when complacency creeps into a program.
Post-Recovery Events
As a result of the post-accident investigation, numerous changes were recommended to
eliminate vehicle and program deficiencies and to increase program strengths. The most
immediate change was improved insulation for all wires in cryogenic systems. The tanks
themselves were redesigned. In addition, a third oxygen tank was added to the service
module to provide a greater safety margin. These measures were designed to eliminate
any possible repeat of the accident and provide greater redundancy, since it is impossible
to ever obtain one hundred percent reliability. The repairs were not without cost; the total
bill required an extra $15 million for each subsequent mission and delayed the entire
program four months.
The failure of the fuel cells on Apollo 13 pointed out how vulnerable the system was to a
loss of electrical power. It was deemed prudent to provide the command module with
greater electric storage capability. Batteries which could provide sufficient power for
command module reentry were added.
NASA also reevaluated both its training and ground crew procedures. All failure
scenarios, no matter how improbable, were simulated. Multipoint failures which were
previously ignored as too improbable were simulated, requiring both astronauts and flight
controllers to deal with them. The purpose of training on simulators, to prepare for all
possible scenarios, was stressed with renewed intensity. The flight controllers' computer
display consoles were also modified to eliminate superfluous information and to present
vital information in a better format. The formats of all the flight control consoles were
reevaluated for content and clarity of information.
Safety and Ethics Issues
Some safety and ethics issues are raised by examining the Apollo 13 mission. In the
simplest terms, maintaining good ethical conduct requires a person to differentiate
between what is right and what is wrong and follow the course that the person determines
is correct. Frequently, it is not so simple; right and wrong are not clearly marked, and a
person must use his best judgment. Some of the ethical issues associated with the mission
and the events preceding it are listed below.
1. Why didn't Beech change the switches to allow them to handle 65 volt power?
Was this intentional or simply an oversight?
2. Why was the discrepancy not detected or corrected by any of the parties involved
in design and documentation reviews?
3. When faced with the failure of oxygen tank #2 to empty correctly, shouldn't
ground personnel at Kennedy have investigated the problem instead of simply
bypassing it?
4. When the heaters remained on for six hours, shouldn't someone have been
concerned about the possibility of damage?
5. When considering possible failure modes, how small must the probability of an
event be to ignore the event?
6. Considering that the lives of the astronauts may depend on contingency planning,
how much is necessary?
References
1. "Apollo 13: Houston, We've got a problem." Office of Public Affairs, National
Aeronautics and Space Administration. United States Government Printing
Office, 1970.
2. Thirteen, the Flight that Failed. Henry S. F. Cooper, Jr. New Yorker Magazine.
New York, NY. 1972.
3. The Voyages of Apollo. Richard S. Lewis. New York Times Book Co. New
York, NY. 1974. pp. 149-174.
Apollo 13 Accident Assignments
The Apollo 13 accident illustrates the importance of redundancy and contingency
planning, and the dangers which arise when complacency creeps into a program.
Unfortunately, unless measures are taken to check it, complacency is the natural result of
time.
Many events led to the explosion of oxygen tank #2. Stopping any one of the events
might have prevented the accident. Many people must share the blame for contributing to
the conditions that allowed the accident to occur. On the other hand, the successful return
of the astronauts shows that many things were done right. Both the spacecraft and the
NASA procedures were designed well enough to survive in what could have been a
catastrophic situation.
Assignment A
Read the General Information provided on the Apollo 13 accident. Consider each of the
following questions carefully in light of that information and write a complete and
grammatically correct paragraph in which you explore a probable answer.
1. When oxygen tank #2 was dropped during handling, why was it not more
thoroughly checked to make sure that nothing had been damaged?
2. When ground personnel at Kennedy had trouble emptying the tank, why did they
not look for the source of the problem, instead of simply bypassing it?
3. Why didn't the ground personnel notice that the heaters had not switched off?
Why didn't someone check the tank to see if the long heater activation time had
damaged something?
4. Why did Beech fail to change the thermostatic switch to match the revised
specifications? Why did none of the system or documentation reviews by any of
the contractors or NASA catch the discrepancy?
5. With all the problems with oxygen tank #2, why wasn't a thorough investigation
of it ordered by someone in NASA management?
6. Why was the flight control panel in Houston configured to only show one
anomalous reading? This panel configuration kept the controllers and crew from
becoming immediately aware of the full extent of the danger.
7. Even though no one had really thought that the lunar module would ever have to
be used as a lifeboat, shouldn't astronauts have practiced the procedure?
8. Why weren't the contingency plans which covered the possibility of having to
evacuate to the lunar module more extensive? For example why weren't the
difficulties of maneuvering with only lunar module propulsion considered?
9. Shouldn't the problem of excess CO2, which could result from any malfunction of
the atmospheric system, have been examined long before Apollo 13?
10. How can complacency in a large program be reduced?
Assignment B
Choose one of the following statements, research the topic, and write a two page paper in
which you explore the impact of the Apollo 13 oxygen tank explosion.
1. The nozzle on Oxygen Tank #2 was damaged during handling at North American
Aviation. Because of the damaged nozzle, the tank could not be emptied properly
during testing. NASA personnel used the tank's heaters to boil out the oxygen. The
heaters were supposed to turn off if the tank temperature exceeded 80° F, but the
thermostatic switch failed. This switch met original specifications, but not the
revised specifications. No system or documentation review had detected or
corrected this problem. Explore this chain of events and recommend where things
should have been done differently.
2. Because the thermostatic switch failed, the insulation on some of the wires
leading to the tank was melted off, leaving bare wires. While en route to the Moon,
astronauts turned on the heaters and fans in the oxygen tanks. This action caused a
short, which in turn caused the explosion of the oxygen tank #2. Because of the
configuration of the flight control panel in Houston, the extent of the damage was
not immediately known to either the flight controllers or crew. Was there
anything that the crew or ground controllers could have done to avoid or minimize
the problem?
3. Because of the loss of oxygen, the command module fuel cells could not operate
correctly. This left the astronauts with insufficient power to continue with their
mission. The astronauts evacuated the command module and moved to the lunar
module. Contingency plans to use the lunar module as a lifeboat existed, although
they had not been tested and no one had thought that these plans would ever be
used. What is the proper level of contingency planning?
4. In three days, flight controllers on the ground developed a new flight plan to
return the astronauts; this procedure normally took three months. Astronauts in
Houston tested out possible maneuvers in the simulators. This testing helped
correct and refine the maneuvers before they were actually used by Apollo 13.
When considering possible splashdown sites, the flight controllers had to worry
about a hurricane and a shortage of recovery ships in addition to the problems
with the spacecraft. The lunar module reentry trajectory also had to be calculated
precisely to ensure that the atomic cask on board would impact far away from any
population center. Does this mean that NASA spends too much time on planning
for contingencies and should just wait until emergencies occur before dealing
with them?
Assignment C
Divide the class into small groups, no more than three to a group. Each group is to choose
one of the four roles outlined below and develop statements outlining the position
represented by those in your role in the successful recovery of Apollo 13. Develop two
statements: (1) what are your major concerns, and (2) how do these concerns relate to
those of the other groups.
1. Astronauts: Your main concern is obviously to get back home. You have had
extensive training, but nothing in your training prepared you for something like
this. The spacecraft is very uncomfortable; you have been under extreme stress
and the thought of your death has crossed your mind at least once. How do you
keep yourself functioning despite your fatigue? You must stay as mentally sharp
as possible. What types of things might help you do this: mental exercise, staying
busy, thinking about your family, thinking about God? Remember that your goal
is to stay functional, otherwise you will die in space.
2. Reentry Flight Controller: Your task is to plan a safe reentry. What happens on
board the spacecraft up until that time is not important to you, as long as sufficient
electrical power, air, and water are left for reentry. Because your part of the return
is the most complicated, you want as much of the resources, including the
astronauts' mental sharpness, as you can get, but these needs must be balanced
against the needs of the other groups.
3. Other Flight Controller: Your job is to make sure that the spacecraft and
functioning until it is time for reentry. To do this you must interface with all the
other parties, and to some extent keep them all satisfied. You must carefully
calculate how much electrical power, oxygen, and water can be used and how
much must be saved. Everyone needs more than what you will give them.
4. NASA Doctors: You are worried about the condition of the astronauts. You are
afraid that they are not getting enough to drink. When it is cold, people do not
want as much water, even if their body needs it. To return to Earth the astronauts
must be able to think clearly; this is very difficult considering the conditions they
are subjected to. You are worried about the stress and the fatigue inducing mental
errors. As a doctor you are trained to recognize and understand the effects of
stress and fatigue, but the astronauts do not have such training. Like most human
beings they will be suffering the effects long before they are aware of them, and
will attempt to push themselves too hard. If they do not pace themselves, they
may make mistakes during the critical reentry. In addition you are worried
about the possibility of infection.
Assignment D
Working in three person groups, consider how to reduce the possibility of complacency
in large programs. First identify the possible origins of complacency. Can these origins
be eliminated, or must they be accepted and mitigated? What are some actions that can be
taken to reduce complacency? Do these actions involve management structures,
motivational tools, monetary compensation, review procedures, technical issues, quality
control inspections, or other factors?
Assignment E
Working in three person groups, consider the role of contingency planning in a manned
space flight. Obviously it is neither economical nor possible to plan for every possible
problem, but where should the line be drawn? Frequently the question may come down to
one of cost versus possible benefit. How are possible failures determined in the first
place? Are the probabilities determined for each possible failure? What is the role of
simulation in preparing and planning?