Moon Lander: How We Developed the Apollo Lunar Module
Authors: Thomas J. Kelly
After the probe was engaged and latched in the drogue it was retracted, drawing the docking rings on the LM and the CM together and triggering a dozen spring-loaded capture latches, mounted on the CM side, around the circumference of the docking rings to form a rigid structural and pressure tight connection. The drogue was held in place by three mounting lugs in the LM tunnel. It was set into position and later removed by the CM pilot, who also installed the collapsible probe assembly onto mounting lugs in the CM tunnel.
Grumman’s Mechanical Design Section worked closely with NASA’s astronauts and engineers and with North American to assure that all structural, mechanical, and functional aspects of the hatches, tunnels, docking rings, and mechanisms were coordinated and specified between the two spacecraft. Key physical and functional interfaces between LM and CM were controlled by interface control documents (ICDs), which were prepared and approved by both spacecraft contractors and approved and maintained by NASA. An extensive ground-test program was conducted jointly by Grumman and North American and flight demonstrations of rendezvous and docking took place on Apollo 9 in Earth orbit and Apollo 10 in Lunar orbit. This painstaking attention to detail paid off: the docking system functioned properly on every Apollo mission to the Moon, despite Mike Collins’ fears on Apollo 11 that the mechanisms would become jammed in the tunnel and spoil the mission.
Mechanical Design was also responsible for designing a safety critical array of components known as the explosive devices subsystem. They fell into two categories: detonator cartridges, containing explosive charges of high yield, and pressure cartridges, containing propellant charges of relatively low yield. The former were components required to effect ascent/descent-stage separation during launch from the Moon’s surface: explosive nuts and bolts that secured the stages together, and the umbilical cutter and circuit interrupter that severed and inerted the interstage umbilical wire and tubing bundle. The landing-gear uplock that held the landing gear in its retracted (stowed) position until fired to deploy the gear was also in this category. In the pressure category were normally closed, explosively opened valves used to release helium from storage tanks into the RCS, ascent, and descent propulsion systems. By containing the helium in its storage tanks and leaving the propellant tanks unpressurized until shortly before these systems were required to function during the mission, the risk of leaking precious propellant or pressurant into space was reduced.
These devices could not be tested before use except for a low-voltage test of the igniter to assure that electrical continuity existed. Therefore their reliability depended upon redundancy in design (dual igniters, explosive charges, nuts and bolts both shattered, dual cutter blades, and so on), rigid process control during manufacture, and statistical sample test firings of components from each production lot. Any test failure caused rejection of the entire lot and an investigation of manufacturing steps to find the cause. Careful attention was paid to grounding and shielding to protect against premature un-commanded firing caused by stray currents or electromagnetic fields. Given the life or death importance of these devices, Sturiale and Romanelli were always among the most nervous Grumman engineers when supporting a flight mission, their worried expressions giving way to grins only after the capture latches clamped home to complete the ascent-stage docking to CM in lunar orbit, the last of the explosive devices having fired upon ascent-stage liftoff. As with their mechanical devices, they achieved a perfect record of explosive device performance on the Apollo missions.
Making LM Reliable
The issue of reliability, so clearly exemplified by the explosive devices subsystem, demanded much of my attention during the formative design period of 1963–64. Foremost in clarifying reliability requirements and expressing them in practical design policies and guidelines were Arnold Whitaker, assistant project engineer-Systems, Erick Stern, manager of Systems Analysis and Integration, and George Wiesinger, manager-LM Reliability Group.
NASA had posed a very broad requirement for reliability: each Apollo mission must provide .999 probability of crew safety (one in one thousand chance of fatality) and .99 probability of mission success (one in one hundred chance of aborting the mission). These overall probabilities had been apportioned by NASA to the individual elements making up the total mission, including the LM. We in turn had apportioned our total unreliability allowance (= 1 − p) among each of the LM systems and subsystems, resulting in allowable failure probabilities of one in ten thousand or less for each system.
From a designer’s point of view these probabilities were not much help. In practical terms they could not be demonstrated because the allowable failure rates were so low that to prove them would require hundreds or even thousands of repetitive tests. Analyses, however, could be used to show relative failure rates of alternative system designs. The absolute value of such analyses was always suspect, but they would indicate the extent to which component redundancy or other system configuration changes would improve overall system reliability.
Reviewing the results of many systems analyses and tradeoff studies, I decided there were a few practical guidelines that we should follow to achieve the highest possible reliability for LM:
1. Specify the highest quality systems and components the current state of the art could achieve.
2. Provide system-level redundancy wherever possible, preferably by dissimilar means.
Examples of dissimilar redundancy: Lunar-orbit rendezvous, primary method, LM active with rendezvous radar; secondary method, CM active visually sighting LM or its tracking light through telescope; tertiary method, ground-based radar tracking of both LM and CM. Another example: Earth/LM communications, primary method, S-band steerable antenna on LM; secondary method, S-band omni and UHF omni antennae on LM, relay through steerable antenna on CM; tertiary method, LM omni antennae directly to Earth.
Examples of similar system-level redundancy: reaction control system, fully redundant A and B systems, each capable of maintaining flight control of LM; electrical power system, fully redundant A and B systems, each capable of providing power to all electrical loads, up to half the total ampere-hours of the combined systems. An additional partially redundant bus served essential loads only, and a completely separate redundant system and batteries powered the explosive devices system.
3. Provide component-level redundancy at the highest component level possible.
Component-level redundancy was provided in most systems, even those for which total system redundancy was impossible due to weight or functionality restrictions. For example, the ascent and descent propulsion systems had redundant valves, regulators, and pressurant lines, even though major components, such as rocket engines and propellant tanks, could not be duplicated. Extensive component-level redundancy existed in the environmental control system, although the cabin pressure shell structure and the spacesuit could not be duplicated.
4. Strive for simplicity and ample design safety margins.
This guideline became the principal line of defense for systems, such as propulsion, and elements, such as structure and landing gear, that either could not be made redundant or would gain no reliability benefit from redundancy. NASA imposed a program-wide set of structural design safety factors: 1.1 times maximum predicted applied stress before yield of the material, and 1.5 times before failure. These provided adequate margins while recognizing the need for “just good enough” designs to achieve spacecraft weight goals.
5. Test extensively and exhaustively in various environments and stress levels, including stress to failure. Document all failures and investigate until the specific cause is found and design, manufacturing, or operational corrections have been made.
A particularly useful test was acceptance-vibration testing of systems and components, which tended to disclose both design and manufacturing defects that could be corrected. Joe Gavin led a crusade to refine the design and improve reliability by relentlessly tracking down and correcting the cause of test failures. Gavin proclaimed throughout the program, “There are no random failures; every test failure has a specific cause that must be found and corrected.”
We developed these reliability approaches and applied them to LM with NASA’s advice and approval at every step. One obvious result was that the number of LM components grew dramatically, accompanied by a major increase in weight. In January 1964 NASA approved increasing the LM control weight to 29,500 pounds (fully loaded, without crew). We agreed to try to achieve a target weight of 25,000 pounds, but the propellant tanks were resized for the control weight. Weight control became more important as the design moved from sketches to drawings to hardware, until in 1965 it became my primary concentration.
An important program-wide NASA decision in mid-1963 greatly simplified the spacecraft’s design and lunar mission planning. The competitions for the Apollo spacecraft and for LM both specified in-flight maintenance (IFM) and repair. Built-in test circuits would detect failed replaceable assemblies or components, which would be carried as spares inside the CM and LM crew compartments, and be manually replaced by the flight crews as needed. Although we dutifully complied with this approach in our LM proposal and delegated much of its analysis and implementation to RCA, I never liked it, and once we won the LM contract I tried to change it.
I was convinced that in-flight maintenance would degrade reliability instead of improving it, for many reasons. For one thing, the built-in test circuitry itself was complex and required adding sensors or test ports at critical system locations, which themselves became additional potential failure points. The connectors or mechanical attachments that were required to make the components removable in flight were less reliable than the alternate designs of fixed attachments of hard-mounted components that were only replaced by skilled technicians in a factory clean-room environment. In-flight maintenance made the wiring harness and electrical connectors more susceptible to short circuits and corrosion from humidity and liquid spills in the cabin because protective techniques such as hermetic sealing and connector “potting” (sealing with waterproof hardening putty) probably could not be used. If broadly applied, IFM would require most of the electronic equipment to be located in accessible areas within the crew compartment, increasing its size and internal heat load. Because the spare components and assemblies would have to be stored within the crew compartments, they would be exposed to the humid internal environment. The number of spares of each type would have to be estimated by failure rate analyses that would not be perfect, resulting in payload wasted carrying unused spares that could be more effectively applied to providing redundancy in the basic design. My list of objections was long and, I thought, convincing. Owen Maynard and his NASA LM engineers became as determined as I to eliminate IFM.
Other powerful voices within NASA also began attacking IFM. Houston Flight Operations director Christopher Kraft argued that the crew simply would not have time to repair faulty hardware during LM operations. When George Mueller took over as Manned Space Flight chief in Washington in September 1963, he also had reservations about it. Shortly thereafter IFM was deleted from the entire Apollo spacecraft. Instead the crew would rely on operational displays, the caution and warning system, and ground-based support from the Mission Operations Center in Houston to detect malfunctions. Switchable redundancy would be “wired in,” and all electronics inside the cabin would be hermetically sealed or potted to protect against moisture and contaminants. This encouraged us as designers to locate as much electronics as possible outside of the crew compartment, making it smaller and more flexible in accommodating lunar surface mission requirements. I believe this sound NASA decision contributed to Apollo’s success.
Project Christmas Present
In the fall of 1963 North American invited Grumman and MIT to join a task force at Downey devoted to establishing an integrated set of Apollo program schedules. The schedules they had prepared in October 1962 had been rendered meaningless by subsequent delays, and as spacecraft integrator they could not properly function without detailed schedule goals. The task force generated the Apollo spacecraft development test plan (ASDTP), the first comprehensive set of subsystem, ground-test, and flight-test schedules linking the CSM, LM, and GNC system with one another and with the Saturn booster. The initial draft of the plan was submitted by the contractors to Houston just before Christmas and was dubbed Project Christmas Present by the task force.
The Grumman contingent at Downey was led by Reynold “Ren” Witte and Theodore “Ted” Moorman. Both were experienced test engineers; Witte’s background was in ground testing from the Structural Test Group in Engineering and Moorman’s in aircraft flight testing with the Flight Test Department. Both were well-organized and effective leaders. They tapped into the test engineering corporate memory at Bethpage and directed the ten to twenty Grumman engineers on site who were temporarily assigned to support them. Witte and Moorman had led the LM development test negotiations with NASA after contract award and were thoroughly familiar with the intricate interrelations and prerequisites between critical test milestones on the LM subsystems and in LM’s flight-development program. In the ASDTP exercise they explored and established the constraints that LM development milestones imposed on the CSM, the GNC system and the Saturn, and vice versa. The ASDTP task force was a most beneficial activity for all the Apollo contractors.