
Lessons from space accidents: the hard road to soft landing of the E-6 program


"Luna-9" was the first vehicle to make a soft landing on another celestial body. It is less well known that Luna-9 was the twelfth in a series of soft-landing vehicles, and that, had it not been for the accidents, the first soft landing would have taken place three years earlier, in 1963. What happened to the previous eleven vehicles, and what can one learn from this?

Materiel


To make clear which units failed and where, it is necessary to understand the design and the flight plan of the interplanetary stations of the E-6 program. The flight can be divided into the following steps:
Orbital insertion. The first three stages of the launch vehicle bring the station and the fourth stage to an intermediate low-Earth orbit. The first and second stages had a unified control system (the legacy of a combat missile); the third and fourth stages were controlled by the station's control system.



Acceleration to the Moon. About an hour after the separation, over the Atlantic Ocean, the fourth stage ignited and accelerated the station toward the Moon.
Flight to the Moon. During the flight, the station's trajectory was measured and the correction impulse was calculated. Around mid-flight, the station performed a correction burn, removing trajectory errors and targeting the landing area.

Landing. As is known, there is no atmosphere on the Moon, so a soft landing on it can be made only with rocket engines.

Orientation. The flight path is designed so that its last part is perpendicular to the surface of the Moon. Using the Sun, the Earth and the Moon as beacons, the station was oriented along the axis of the trajectory.
Braking. The braking engine (KTDU) was switched on 75 km above the surface of the Moon at the command of a radio altimeter. During braking, units that were no longer needed were jettisoned (less weight is easier to brake) and the rubber shock-absorbing cylinders were inflated.
Contact. After the main braking burn, the KTDU was shut down, and the station descended on its control engines at low speed. An extendable probe registered contact with the Moon, at which point the landing module, inside its shock-absorbing cylinders, was ejected from the braking compartment.

Activation. After the “ball” stopped bouncing on the Moon, the shock-absorbing cylinders were jettisoned, and the landing module opened the protective petals of its upper part and then deployed its antennas.


Transfer of information. The main goal of the station was to transmit a panorama of the lunar surface. The main scientific instrument was therefore a rotating camera in a sealed transparent container.

The story, albeit with pictures, is somewhat dry. Fortunately, there is an excellent Soviet film telling about the construction and flight of the station:



A Luna-9 scenario is available for Orbiter, but for those too lazy to install it, there is a video that explains the flight plan well:



Accidents


Now that the design and the flight plan of the station are more or less clear, we can say where and why things broke.

Initial conditions

The 8K78 "Molniya" rocket had made ten launches before the E-6 flight program began. In only one of them did all four stages work properly. The fourth stage was at fault in 5 accidents, the third in 2 and the first/second in 2. Such terrible statistics are explained by the rocket-artillery approach to testing spacecraft in the USSR, multiplied by the politics of the space race. First, the designers came from artillery and missile engineering, where it was customary to make many launches and debug the vehicle from the results of failed ones. It should be noted right away that this approach turned out to be unsuitable for space tasks: the cost of one launch, in money and in time, greatly exceeded the cost of thorough ground testing and debugging. Second, the prestige of sending interplanetary stations to Mars and Venus led to a mindset of “it's built, launch it at once, maybe it will fly”. Naturally, the results show that "maybe" does not work.

It should also be noted that the causes of accidents were analyzed poorly. The fourth stage was started over the Atlantic Ocean, between South America and the coast of Africa, and the station could not transmit telemetry to the territory of the USSR because of the curvature of the Earth. The exact cause of the five fourth-stage failures was therefore unknown. By the start of the E-6 launches, the special ship Dolinsk had been sent to the Gulf of Guinea to receive telemetry and relay it to the MCC, so that the cause of a failure could be learned.

The simplest calculation shows that under such conditions the probability of a successful launch is 10% (1 successful / 10 total). Although, if you think about it, it tends to 0, because the cause of the fourth-stage failures was unknown and troubleshooting was done at random.

First launch

January 4, 1963, the first launch of the E-6 program. Accident, failure of the fourth stage. The ship "Dolinsk" was already in position and managed to receive telemetry. The immediate cause of the accident was that the electrical commands to start the engine were not issued (some sources indicate that these were the settling engines used to start the main engine). The reason for this was the failure of the current converter in the control unit. The unit was filled with dry nitrogen, which caused increased wear of the motor's commutator brushes. Although in tests the units usually took longer to fail, no other possible causes were found. As a fix, the nitrogen was humidified and a little oxygen was added to it.

Reason: Design flaws.
Solution: Redesign.

Second launch

February 2, 1963. Accident during third-stage operation: the rocket deviated from its course and fell in the Pacific. The cause was the incorrect installation of the gyroscopes of the station's control system, which, as you remember, controls the third stage of the launch vehicle. In effect, the third stage was aimed at the ocean from the start. In addition, insufficient gyroscope accuracy was revealed, since the real trajectory differed from the programmed one.

Reason: Operational failure; design flaws were also revealed.
Solution: Changes to documentation and to checks during launch preparation; design change.

Third launch

April 2, 1963. All four stages work successfully, and the station heads to the Moon under the name "Luna-4". The accident occurs at the mid-course correction burn, and the station misses the Moon. The cause of the accident is the failure of the astronavigation system. The immediate cause has not been reliably established; the astronavigation unit drew many criticisms. The commission's surprise, described by Chertok, is very characteristic: “Where have you all been before? In order to find dozens of flaws in such a complex system, it is not at all necessary to fly to the Moon. All this is evident with inexpensive laboratory and factory inspections.”

Reason: Presumably a design flaw.
Solution: Redesign.

Fourth launch

March 21, 1964. Accident during third-stage operation: the main oxygen valve did not open, and the third stage did not start. The cause was a broken valve stem; all valves for the third stage had to be reworked.

Reason: Design flaws.
Solution: Redesign.

Venus helped

On March 27, 1964, an 8K78 rocket was launched with an interplanetary station to Venus. Again, the fourth stage did not turn on, but, due to the fact that it was equipped with a new recording device, information was obtained about the sequence of events during the engine start. It turned out that the designers of the control system did not take into account the fact that the power switches (relays) do not switch instantaneously. Due to the delayed operation of the switch, the valves did not receive power and did not turn on. The fourth stage could not orient and tumbled in an intermediate orbit.

Tellingly, on Earth, the problem was fixed in 20 minutes with a soldering iron.

Reason: Design flaws.
Solution: Redesign.

Fifth launch

April 20, 1964. Accident, fourth-stage failure, the engine did not start. Telemetry records the absence of a signal to the engine start support system. The I-100 control system and the PT-500 current converter are tested again. Laboratory tests reveal that, despite the satisfactory overall temperature of the I-100, some of its parts are subject to unacceptable local overheating. The unit was sent for rework, and it also began to be cooled before launch.

Note that the immediate cause of the accident coincides with that of the first launch, and the cause of this failure is again not fully clear. The difficulty of unambiguously determining the causes of failures led to a conflict between the developers of the power supply unit (PT-500, chief designer Iosif'yan) and of the control system unit (I-100, chief designer Pilyugin).

Reason: Design flaws.
Solution: Redesign.

Sixth launch

March 12, 1965. Accident, fourth-stage failure, the engine did not start. Yet another round of laboratory tests, against a background of worsening relations between the designers. Pilyugin's employees check Iosif'yan's PT-500 converter on the test stand and, after many hours, find a possible cause: the balancing washer can touch the cap fastening screw, which, in their opinion, overloads and disables the motor. By decision of the accident commission, the PT-500 is replaced with two PT-200 converters, also produced by Iosif'yan, but older and more familiar.


I could not find a photo of the PT-500; this is a PT-1500 from the same series, just three times more powerful.

Reason: Design flaws.
Solution: Redesign.

Seventh launch

April 10, 1965. The serial number of the station reached the number 8, and the officers of the launch team joked darkly, “We don’t bless the number eight before the moon”. The joke was right: an accident, failure of the third stage. The cause was an engine malfunction due to a failure of the tank pressurization system.

Reason: Design or manufacturing flaw. Most likely a manufacturing flaw, because Block "I" (the third stage) was already a serial product and had been launched many times.
Solution: Not specified. A one-off manufacturing defect would not have prompted any modifications.

Eighth launch

May 9, 1965. All four stages worked properly, and the station headed to the Moon under the name "Luna-5". However, problems appeared halfway there: the control system's operating algorithm allotted too little time for warming up the gyroscopes. Because of this, the trajectory correction maneuver failed once (it was nevertheless carried out on the third attempt), and the braking maneuver at the Moon failed. The station crashed on the surface of the Moon.

Reason: Design defects.
Solution: Design change, change to the control system algorithm.

Ninth launch

June 8, 1965. The station was successfully launched to the Moon under the name "Luna-6". The mission failed because, during the trajectory correction, the engine did not shut down and burned all the fuel. The cause was an error in the commands sent "on board" from Earth: they forgot to specify the engine burn duration. The station flew past the Moon.
During the flyby, the station was used to test those components and mechanisms that could be tested (pressurization of the shock absorbers, etc.). Importantly, a noticeable number of defects were noted.

Reason: Operational error.
Solution: Not specified. Presumably, training of the flight-control personnel and tighter checking of the commands sent "on board".

Tenth launch

October 4, 1965. The station was successfully launched to the Moon as “Luna-7” and reached the start of the braking session without problems. The station switched to real-time telemetry transmission mode, and reports were heard in the MCC: “There is a construction of the lunar vertical!”, “Measurements are being made with a radio altimeter - five thousand kilometers to the Moon”, “Four thousand kilometers to the Moon”. Half an hour later, the report sounded: "The loss of the Earth was registered." Loss of the Earth by the astro-orientation sensor meant that the braking engine was inhibited. The station crashed on the surface of the Moon. The cause of the accident was an error in setting the angles of the Earth sensor: the Earth ended up at the very edge of the sensor's view, and the slightest disturbance meant a loss of orientation. In parallel, criticisms were raised about the equipment for constructing the lunar vertical.

Reason: Operational defects, design defects.
Solution: Design refinement. Presumably, tighter checking of the station's parameter settings before flight.

Eleventh launch

December 3, 1965. The station headed to the Moon, becoming "Luna-8". For greater confidence, a “false correction” session was conducted shortly before braking: on command from Earth, the station switched on its astro-orientation and oriented itself in space, but did not turn on the braking engine. However, during the braking session, after pressurization of the shock-absorbing cylinders, the station lost its altitude measurement. Judging by the reports, the station started spinning, and the altimeter “lost” the Moon, which inhibited the start of the braking engine. The engine was turned on only 9 seconds before contact, and the station crashed into the Moon at an unacceptable speed.
The loss of orientation after pressurization of the shock absorbers made the cylinders the main suspects. Five days of experiments found the cause: when the cylinders are pressurized, they press against the fiberglass antenna bracket, which broke, forming sharp edges that pierced the cylinders, and the gas leaking from them led to a loss of orientation. The bracket failed because of a violation of manufacturing technology: the workpiece was laid incorrectly in the mold. This cause is given in Chertok's “Rockets and People”. There is also an alternative version: pressurization of the cylinders caused disturbances that the gas-jet orientation system could not cope with. In this case, the solution was to move the pressurization of the cylinders into the braking-engine burn phase, where there was a power reserve for stabilization.

Reason: Manufacturing defect (Chertok), design defect (Smorkalov).
Solution: Improving quality and control in production (Chertok), changing the landing algorithm (Smorkalov).

Twelfth launch

On January 31, 1966, the station "Luna-9" was successfully launched, and on February 3, 1966, it made a successful soft landing, the first in the world. Seven communication sessions were conducted with the station, and panoramas of the lunar surface were assembled from the photographs:



Here you can see three larger panoramas.

Analysis


Consider the causes of the accidents in this program (not counting launches of the same carrier with other payloads). By location of failure:
Third stage: 3
Fourth stage: 3
Station: 4
Earth: 1

It turns out that in half of the cases the station's turn simply never came: a unit that operates before it had failed. The problems with stage 4 (block “L”), which stubbornly “did not want” to work as it should, deserve separate mention. When the station's turn did come, it failed two thirds of the time. At the same time, analysis of the accidents shows an overwhelming prevalence of design defects that could have been identified and eliminated during ground tests, had they been carried out with sufficient thoroughness. These statistics clearly indicate that developing products by successive improvement based on the results of accidents is unsuitable for spaceflight.

Implications for IT

IT has different domains, and a program can exist successfully even with critical bugs, but you should always balance the cost of testing at a given level, coverage and quality against the losses from bugs (damage to reputation among users, loss of customers, contractual penalties, etc.).

It is also useful to understand that when overall success requires every element in a sequence to work, there is no point in repeating end-to-end tests until a failing intermediate element has been debugged. Simply put, until high reliability of the "fourth stage" has been achieved, there is no sense in "sending stations to the Moon."
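
The same argument applied to the launch tally above, as an added example (not part of the original article): it counts how often each element was actually exercised and how many launches ended before the station was tested at all. Placing the station and ground control ("Earth") in the same phase is an assumption of this example.

```python
from fractions import Fraction

# Position of each element in the flight sequence. The station and ground
# control ("Earth") act in the same phase, so they share a tier
# (a modelling assumption of this example).
TIER = {"third stage": 0, "fourth stage": 1, "station": 2, "Earth": 2}

# Failing element of each E-6 launch, in the order the article lists them;
# None marks the one success (Luna-9).
LAUNCHES = [
    "fourth stage", "third stage", "station", "third stage",
    "fourth stage", "fourth stage", "third stage", "station",
    "Earth", "station", "station", None,
]

def exposure_table(launches, tier=TIER):
    """Return {element: (times_exercised, failures)} for a launch log."""
    table = {}
    for element, level in tier.items():
        # An element is exercised only if nothing in an earlier tier failed.
        exercised = sum(1 for f in launches if f is None or tier[f] >= level)
        failures = sum(1 for f in launches if f == element)
        table[element] = (exercised, failures)
    return table

def failure_rate(table, element):
    """Failures per actual exercise of the element, as an exact fraction."""
    exercised, failures = table[element]
    return Fraction(failures, exercised)

def wasted_downstream_tests(launches, tier=TIER):
    """Launches that ended before the last tier was exercised at all."""
    last = max(tier.values())
    return sum(1 for f in launches if f is not None and tier[f] < last)

if __name__ == "__main__":
    table = exposure_table(LAUNCHES)
    for element, (n, k) in table.items():
        rate = failure_rate(table, element)
        print(f"{element:13s} exercised {n:2d}x, failed {k}x ({rate})")
    print("launches that never tested the station:",
          wasted_downstream_tests(LAUNCHES))
```

Twelve launches bought only six tests of the station, which is why debugging the upstream stages first is the cheaper path to learning anything about the element at the end of the chain.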

Information sources


The main source is the third book of B.E. Chertok's "Rockets and People": "Hot Days of the Cold War".
Materials from Wikipedia, Encyclopedia Astronautica, GalSpace, KIK USSR and http://jurnal.vniiem.ru/text/124/17.pdf were also used.
Lead image: a painting by Sokolov.


Source: https://habr.com/ru/post/224785/

