The shaping of reliable, safe Apollo spacecraft owes its success to specific principles stressing the simplicity, both in originating and evaluating hardware designs. The primary consideration governing the design of the Apollo system was that, if it could be made so, no single failure should cause the loss of any crewmember, prevent the successful continuation of the mission, or, in the event of a second failure in the same area, prevent a successful abort of the mission.
To implement this policy, the following specific principles were established to guide Apollo engineers when they originated and evaluated hardware designs.
- Use established technology.
- Stress hardware reliability.
- Comply with safety standards.
- Minimize in-flight maintenance and testing for failure isolation, and instead on assistance from the ground.
- Simplify operations.
- Minimize interfaces.
- Make maximum use of experience gained from previous manned-space programs.
Established technology was used for areas in which performance and reliability goals had already been realized. Hardware design precluded, as much as possible, the necessity to develop new components or techniques. When this policy could not be met, procedures were established whereby management approved new development requirements only after clear-cut plans for the development effort and a suitable backup capability had been defined.
A primary criterion governing a particular system was whether or not the design could achieve mission success without incurring risk of life or serious injury to the crew. Numerical values for reliability standards and minimum mission objectives  were established. Trade-off studies of design and performance were then made to define the necessary redundancy (including alternate or backup equipment as well as modes of operation) for meeting mission goals within the program constraints of time, cost, and weight. Apollo engineers performed not only comprehensive failure mode and effects analyses, but also single-point failure analyses. Through a series of iterative design reviews, the engineers eliminated or minimized each potential failure point.
Safety considerations were emphasized by selecting appropriate design features and proven, qualified components and operating principles. Integrated safety analyses defined the interfaces between subsystems. Thus, safety problem areas were identified for the combined system. Failure modes considered included structural failures, ruptures, fuel leaks, hose-tubing failures, electrical open-short, and fastener failures.
During Apollo spacecraft design and planning, in-flight maintenance was carefully considered, but the disadvantages of this approach far outweighed the advantages. In consideration of the duration of the Apollo missions, reliable performance could be achieved through component, circuit, and system redundancy, since the subsystems are not required to operate over long periods of space travel or after being dormant for long periods. The additional connectors and test points required for an in-flight maintenance also significantly degraded the overall reliability of the system. Of lesser consideration was the provisioning and stowage of the necessary spare parts within an already limited volume.
With elimination of maintenance and failure isolation by the crew in flight, data were made available to allow the ground to troubleshoot, isolate the failure, and recommend corrective action. This reliance on the ground for troubleshooting has proved quite effective, since subsystem operational specialists (flight controllers) and design specialists (subsystem engineers) are available and free to concentrate continuously on the resolution of spacecraft problems. This practice also relieves the crew from a training requirement of becoming intimately familiar with the detailed subsystem design. In addition to having cockpit display information relayed from the crew, the ground has approximately 330 data channels through telemetry and approximately 1100 ground or preflight checkout data channels.
Rapid data storage, comparison, retrieval, and analysis by computer complexes within the Mission Control Center at the NASA Manned Spacecraft Center (fig. 2-1) give the ground an enormous advantage over the crew, which must continue to operate the spacecraft, eat, and sleep on a fixed schedule. In addition, the ground has complete files of drawings and specifications available. The ground also has simulators-exact functional duplicates of the flight spacecraft-to evaluate flight problems and corrective procedures.
The Apollo maintenance concept, although not providing for in-flight maintenance, does permit removal and replacement of "black boxes" during preflight checkout. This procedure does not require entering the box interior, a practice which could disturb adjacent or related assemblies. Performance of the replaced equipment must be at least equal to the required performance of the original system. To isolate faults at the black-box level, test points are located in the subsystems. The engineers have appropriate ground-checkout equipment for fault isolation.
Guided by concepts of simplified functional operation, Apollo engineers combined off-the-shelf components into integrated systems which performed so efficiently that the crew was permitted to devote the majority of its time to the productive tasks of scientific experimentation and data acquisition. Some design requirements, however, resulted not so much in simple mechanisms as in extreme simplicity and reliability of operation. Thus, one crewman, wearing a pressurized space suit, can perform all critical spacecraft control functions.
To achieve a minimum of interfaces, subsystem designs were developed and tested independently and later joined with other spacecraft subsystems. The final Apollo configuration was the result of technological and weight constraints. The Apollo external interfaces between the launch complex and the launch vehicle and the internal interface between the command module and the lunar module are defined in detail by interface control documents, and have been carefully screened to eliminate all but essential functions, thus keeping vehicle interfaces to the minimum. For example, there are only 36 wires between the lunar module and command and service module and only some 100 wires between the spacecraft and the launch vehicle.
To use the experience gained from Project Mercury and the Gemini Program, engineers with operational background from these programs were involved in all major Apollo design reviews . This procedure allowed incorporation of their knowledge as the Apollo design evolved. This involvement proved a key factor in producing spacecraft that have performed superbly so far. Even the Apollo 13 oxygen tank rupture, by far the most critical problem of any Apollo mission to date, was overcome by relying on preplanned emergency procedures and the resourcefulness and ingenuity of the astronauts and the ground support team.
Apollo gains a measure of simplicity from features simple both in design and operation, complex in design but simple to operate, or simple by being passive in function. The concept of simple design and simple operation is best illustrated by the Apollo rocket-propulsion systems (fig. 2-2). The pressure feeding and redundant valving guarantee the arrival of the propellant in the combustion chamber, where hypergolic reaction assures ignition. Ablative materials for chamber walls assure chamber integrity while simplifying design greatly.
 The latching device for the crew hatch, (fig. 2-3) illustrates a complex but simply operated mechanism. Although the device contains approximately 400 parts, it allows a crewman, with a single movement of his arm, to open the command module hatch in less than 10 seconds.
Some design features are simple by being passive (for instance, thermal control). Thermal coatings, ablative heat shields, and insulation eliminate the electrical power requirements of an active system and necessitate only attitude adjustment to maintain spacecraft temperatures within acceptable tolerances.
Apollo reaction-control systems, in both the lunar module and the command module, represent prime examples of redundancy. The command and lunar modules have two parallel and independent systems, either of which is able to meet mission requirements.
Critical events initiated by pyrotechnic devices and the cooling of temperature sensitive subsystems by the environmental control system (ECS) represent two examples of redundant paths. In the case of pyrotechnic devices, two separate wire runs and initiators receive the same event signal. Likewise, the ECS contains two water/glycol circulating plumbing loops, each having its own control system. Not all systems serviced by the primary glycol loop can be supported by the secondary system, but enough capability exists to return to earth safely.
For some of the critical systems, redundancy is not provided by duplication. For example, the lunar module abort guidance system provides virtually the same ability for delivering the lunar module back into orbit from the descent trajectory and from the lunar surface that the primary guidance system does. However, the designs of the abort and primary guidance systems, both hardware and software, are completely different. In at least one respect, this difference improves reliability by eliminating the possibility of common design faults, particularly in the computer programs, although this was not the basic reason for using this approach. In addition, some simultaneous component failures of both systems can even be tolerated by adopting a more manual mode of operation and using the remaining capability of each system.
The Apollo design philosophy has resulted in a highly reliable spacecraft capable of placing man on the moon and returning him to earth safely. Simple design practice, coupled with stringent technical and administrative discipline, has achieved this end.
 The spacecraft (the command and service module and the lunar module), embodying millions of functional parts, miles of wiring, and thousands of welded joints, has evolved into a truly operational space transportation system.
Home - NASA
Office of Logic Design
Last Revised: February 03, 2010
Web Grunt: Richard Katz