Satellite Launches in the PRC: Loral
However, the PRC's proposed improvements in acceptance testing, with the addition of an acoustic environment, are of more general application - they could apply no matter where in the inertial measurement unit the failure might have occurred. Most of these corrective measures relate to some extent to questions raised by the Independent Review Committee at its first meeting.
Technical Information and Advice Transferred in Independent Review Committee Meetings and Reports
It is not possible to consider all of the technical information and advice that may have been imparted to the PRC representatives during the period of Independent Review Committee activity, since verbatim records of the meetings were not kept at either of the main meetings or at any of the meetings of subgroups (including "splinter groups" involving Independent Review Committee members, staff, and PRC personnel, and meetings involving only Independent Review Committee members and staff) that were held. Therefore, this assessment is based on the Select Committee's review of available records of the Independent Review Committee meetings, its communications with Independent Review Committee members mainly relating to composing and reviewing reports, and its interviews with individual participants in the Independent Review Committee's activities more than two years after that committee had ceased its activities.
Moreover, the perspective adopted in this assessment is that of viewing all of the information as a whole, in the context of the Long March 3B failure and PRC actions not only to find and correct the failure, but also to convince customers, insurers, and re-insurers that the causes of the failure had, in fact, been found and corrected.
From a technology transfer standpoint, it is noteworthy that the Independent Review Committee charter called on the committee not only ". . . to perform an independent assessment of the most probable cause or causes of failure," but also to ". . . review the corrective action plans proposed by the [PRC's Failure Investigation Committee] and make its assessments and recommendations to [China Aerospace Corporation] and [China Great Wall Industry Corporation]." [Emphasis added]
Clearly, the charge to the Independent Review Committee went beyond making judgments about whether or not the PRC had convincingly determined the cause of failure. The Independent Review Committee members were not only to go beyond reviewing the PRC failure analysis to making an independent assessment of the most probable cause or causes of failure, they were also to review and make assessments and recommendations concerning the corrective measures to remove the causes of failure.
Taken literally, corrective measures could be none other than the means of improving the design, manufacturing, or operation of the PRC Long March 3B rocket. By extension, these improvements could improve the design, manufacture, or operation of other PRC rockets as well, and, less directly, of present or future PRC military equipment.
Moreover, the charter called for the Independent Review Committee to ". . . provide the [China Great Wall Industry Corporation] with copies of any and all working papers collected during its review process."
It is important to recognize that one of the benefits of a comprehensive accident investigation is that many potentially faulty design features, parts, or procedures ("accidents waiting to happen") may be found and corrected, whether or not they can actually be shown to have played any part in the accident under investigation.
A recent example is that in the investigation of the flight failure of TWA 800, deficiencies were found in the electrical systems of the fuel tank pumps that might have caused or contributed to the failure, or might be the cause of a failure in the future. These deficiencies are being corrected in spite of the fact that they have not been proved to be the cause of the accident.
Thus, included in this assessment are information and advice to the PRC on correcting faults or deficiencies in the design, manufacture, or operation of the Long March 3B, and on improving PRC quality assurance and reliability - as well as information and advice that could apply to PRC rockets or ballistic missiles with design features similar to the Long March 3B - whether or not they are related to what was ultimately determined to be the most likely cause of the Long March 3B accident.
In the period after the Independent Review Committee activities were terminated, the PRC participants, continuing their "hardware in the loop" simulations, found that even with artificially-imposed making and breaking of contact of the electrical connection to the inner frame gimbal torque motor, they could not simulate the periodic behavior of the inertial platform for the entire 22-second flight duration.
As later reported by the PRC participants, the series of "hardware in the loop" simulations and analyses that took place from May 20 to June 20, 1996 led to the identification and verification of the follow-up frame gimbal axis torque motor circuit as the site of the failure. They did find that by breaking the circuit to the follow-up frame torque motor, the entire 22 seconds of flight including the cyclic motions of the inertial platform could be simulated.
The conclusion was then reached that the root cause of the failure was to be found in the electrical circuits associated with the follow-up frame gimbal torque motor.
According to PRC officials, examination of these circuits in inertial measurement units from the same production batch as that aboard the failed flight of the Long March 3B led to the discovery of a faulty gold-aluminum junction in the power module that drove this torque motor. The deterioration of the gold-aluminum joint was cited as the cause of the break in the circuit of the follow-up frame gimbal torque motor that led to the inertial measurement unit failure. These findings and conclusions were briefed to the satellite manufacturing, operating, and insurance communities in October 1996.
In the last Independent Review Committee report sent to the PRC after the committee's second meeting, it was suggested that the making and breaking of electrical contacts was not necessary to explain the cyclic motion of the rocket's inertial platform. Rather, once a circuit failure had occurred, it was possible for the platform to perform a natural limit cycle motion. Limit cycles are a well-recognized phenomenon in the dynamics of mechanical, electrical, and electromechanical nonlinear systems. Although this argument was introduced while the break in the circuit to the inner frame torque motor was considered to be the most probable root cause for the observed inertial platform behavior, it obviously could apply to any other frame or torque motor.
During the second Independent Review Committee meeting, attention was called to the flat behavior of the angle measurement (resolver) of the follow-up frame. The Independent Review Committee stated that it was "very critical" to explain this behavior.
The PRC participants stated that the flat behavior was due to a bad choice of resolution for this telemetry channel - an explanation they obviously changed their mind about later.
Also in the same meeting, the Independent Review Committee called further attention to the follow-up frame by suggesting the possibility that it might have been frozen - that is, mechanically jammed. Although it did not turn out to be the final explanation, this failure mode could have produced about the same kind of inner frame angle resolver telemetry trace as a break in the circuit powering the follow-up frame gimbal axis torque motor. This was an alternate possible cause for the anomaly in the telemetry trace of follow-up frame angle.
Moreover, in their last report, the Independent Review Committee once more suggested that the PRC look again at the validity of their explanation of the flat trace of the follow-up frame angle resolver.
In its comments, questions, and advice on the inertial measurement unit failure mode, and on the simulations and analyses conducted to establish that mode, the Independent Review Committee:
- Consistently rejected the making and breaking of electrical contact by the wire delivering current to the torque motor for the inner frame as a plausible explanation for the observed cyclic motion of the inertial platform
- Insisted that, although the wire break in the circuit carrying current to the inner frame torque motor might be considered the most probable root cause for the failure, it could not be accepted as conclusive until additional analyses and "hardware in the loop" simulations could demonstrate that the cyclic motions of the inertial platform over the entire 22 seconds of flight could be accounted for on the basis of this cause
- Forcefully called attention to the indications in telemetry that the follow-up frame angle measurement was flat, and remained skeptical of the PRC explanations for this anomaly
- Pointed out that successive making and breaking of electrical contact in a torque motor circuit was not a necessary condition for development of cyclic motion of the platform
It is, of course, not possible to say how much these technical comments, suggestions, and challenges influenced the PRC. But they were all in the direction of moving the PRC representatives away from their fixation on the broken wire in the inner frame gimbal axis torque motor as the predominant, if not sole, failure mode to which they had given significant attention in their investigation since mid-March.
Another area that the Independent Review Committee focused on was reliability and quality assurance. In their plant tours, several of the Independent Review Committee members saw what they considered to be flight inertial measurement unit hardware being carelessly handled and touched. In the preliminary report, in the short term, the Independent Review Committee recommended that higher quality control and quality standards be applied in the manufacturing process.
In the detail design of the inertial platform wiring, the Independent Review Committee recommended studies to either preclude wiring harness motion during gimbal motion, or alleviate the effect of unavoidable deflection on solder joint integrity.
Also, the Independent Review Committee recommended that the PRC reexamine the environmental conditions (vibration, noise, and thermal) used in qualification and acceptance testing of the inertial measurement unit.
The distinction between qualification tests and acceptance tests must be made:
- Qualification tests are a part of the design and development of the inertial measurement unit. Their purpose is to verify the basic design and manufacturing processes. A high degree of fidelity in simulating flight environments is sought in qualification testing.
- Acceptance tests are carried out on each unit produced. Acceptance test environments are generally at lower levels of intensity than qualification tests. Depending upon the particulars of specific designs and their potential vulnerabilities, they may be of lower fidelity in representing flight environments in detail.
In fact, vibration tests as part of acceptance testing may often be regarded as tests of workmanship in production. The Independent Review Committee referred specifically to the workmanship verification function in Attachment IV to the minutes of its second meeting as follows: "Quality control was not thorough; the open wire problem should have been caught earlier in the environmental acceptance or screening test[s]."
For the longer term, the Independent Review Committee recommended that quality control philosophy and practices in fabrication, assembly, and testing should be strengthened and personnel should be trained accordingly. These recommendations would also affect reliability and quality assurance. The committee also recommended that consideration be given to increasing the redundancy of the platform.
While these recommendations of improved quality control and greater redundancy can be regarded as general maxims for achievement of improved reliability, it must be borne in mind that they are being made in the context of the expert Independent Review Committee's detailed review of the deficiencies in design, manufacture and testing of the specific inertial measurement unit on the Long March 3B.
The Independent Review Committee also made recommendations concerning the vibration, acoustic, and thermal environments to which the inertial measurement unit (and other avionics) were designed and tested. In their last report, they recommended that the PRC reexamine their environmental test plan for all avionics equipment, expressing the view that the tests might not be adequate for meeting "expected maximum flight loads including acoustic noises or detecting the defects in flight hardware."
The Intelsat 708 Encryption Boards Were Never Recovered
The Intelsat 708 satellite carried two FAC-3R encryption boards, one in each of its command processor units. These boards are considered Controlled Cryptographic Items by the Department of Defense, and the algorithm is classified "Secret."
Encryption boards are used to protect the command and control links between the ground station and satellite. They are required even on satellites that carry unclassified U.S. Government communications traffic. These devices do not encrypt the communications traffic that is otherwise processed by the satellite payload.[373]
Shortly after the Intelsat 708 launch failure, Loral's Communications Security custodian reported to the Department of Defense that the status of the encryption boards was being changed to "destroyed."
This was not seen as unusual by the Department of Defense, however, because its prescribed policy requires that encryption boards be reported as "destroyed" when they are launched into orbit.
The Department of Defense did not require Loral to produce any evidence that the FAC-3R boards were in fact destroyed.[374]
After recovering debris from the crash site, Loral engineers grossly estimated the percentages of various subsystems and components that had been recovered.[375] In that estimate, Loral engineer Muhammad Wahdy estimated that 30% of the command processors were recovered.[376] Loral personnel then packaged the debris and shipped it to Palo Alto, where engineers examined the debris to specifically determine if the encryption boards were recovered.[377]
That examination determined that the FAC-3R boards were not, in fact, recovered from the crash site.[378]
The two FAC-3R encryption boards used on the Intelsat 708 satellite were mounted near the hydrazine propellant tanks and most likely were destroyed in the explosion. Additionally, the two FAC-3R boards had no distinguishing markings other than a serial number, making it extremely difficult to locate them amongst the crash debris.[379]
It is not known, however, whether the FAC-3R boards were recovered by the PRC. If they were, it would be difficult for the PRC to determine the cryptographic algorithm that was imprinted on them.
Reverse-engineering of a damaged board would be even more difficult. Any successful reverse-engineering would be resource intensive for the PRC.
If the PRC were able to determine the cryptographic algorithm contained on the FAC-3R board, it would gain insight into the state of the U.S. military in the 1960s, although such algorithms remain in use today.[380]
When the National Security Agency designs and recommends algorithms for use in equipment, it assumes that the equipment will be lost or compromised sometime during its operational lifetime. The National Security Agency relies on unique cryptographic keys for each separate satellite to keep command and control links secure. Because the FAC-3R boards on Intelsat 708 were uniquely keyed, the National Security Agency remains convinced that there is no risk to other satellite systems, now or in the future, resulting from not having recovered the FAC-3R boards from the PRC.[381]
In the period after the Independent Review Committee activities were terminated, the PRC participants, continuing their "hardware in the loop" simulations, rejected their own findings that the cause of the launch failure related to the inner frame of the inertial measurement unit. Instead, the PRC followed the path identified for them by the Independent Review Committee to conclude that the true cause of the launch failure was related to the follow-up frame.
The PRC engineers found that, even with artificially imposed making and breaking of contact of the electrical connection to the inner frame gimbal torque motor, they could not simulate the periodic behavior of the inertial platform for the entire 22-second flight duration. (As later reported by the PRC, the series of "hardware in the loop" simulations and analyses that led to the identification and verification of the follow-up frame gimbal axis torque motor circuit as the site of the failure took place from May 20 to June 20, 1996.)
The PRC participants then concluded that the root cause of the failure was to be found in the electrical circuits associated with the follow-up frame gimbal torque motor. The PRC engineers found that by breaking the circuit to the follow-up frame torque motor, the entire 22 seconds of flight, including the cyclic motions of the inertial platform, could be simulated.
According to the PRC engineers, examination of these circuits in inertial measurement units from the same production batch as the one used on the failed flight led to the discovery of a faulty gold-aluminum junction in the power module that drove this torque motor. The deterioration of the gold-aluminum joint was cited as the cause of the break in the circuit of the follow-up frame gimbal torque motor that led to the inertial measurement unit failure. These findings and conclusions were briefed to the satellite manufacturing, operating, and insurance communities in October 1996.
The Independent Review Committee's comments and suggestions could well have helped the PRC to come to the correct conclusion in their accident investigation more directly and quickly than they otherwise would have.
Taken together, the following actions by the Independent Review Committee would have had the effect of steering the PRC investigators away from their protracted narrow focus on the wrong failure mode:
- The Independent Review Committee's continuing skepticism concerning the make-and-break of electrical contact in the connection to the inner frame axis torque motor as a plausible explanation of the observed telemetry data (this was the PRC participants' initial explanation for the launch failure)
- The committee's insistence that the failure mode investigation could not be considered complete and convincing until the entire 22 seconds of flight had been simulated (in contrast to the PRC participants' initial reliance on data from only the first seven seconds of flight)
- The committee's pointing to the existence of dynamical limit cycles of platform motion that could result from a single break in a torque motor circuit, without repeated making and breaking of electrical contact (again in contrast to the PRC participants' approach)
- The committee's persistent calling of attention to the potential significance of the flat output of the follow-up frame angle resolver (the actual location of the cause of the launch failure)
The search for the true failure mode in an accident investigation is not a simple, straightforward procedure. In some respects, it is like finding the way through a maze. It is all too easy to start down a wrong path and to stay on it for too long. Insights, hunches, and clues based on technical judgments and experience in prior failure mode analyses, simulations, and accident investigations can be helpful. Advice from individuals or groups drawn from outside the program that has suffered a failure is often sought, even in organizations that have world-class technical competence. Even opinions from such an outside group confirming that the investigation is on the right track have value.
In the complex task of failure investigation, the right failure mode and adequate corrective measures are often not arrived at the first time. Sometimes there are repeated failures from the same cause because the failure mode analysis was inaccurate or incomplete. An example was the failure of the PRC Long March 2E fairing, first in the Optus B2 launch in 1992, and then again in the Apstar 2 failure in 1995. Absent a dissenting view voiced by an authoritative independent group such as the Independent Review Committee, the pressures for getting on with the next launch of the Long March 3B could have prevailed, the flawed analysis of the failure mode could have been accepted, and another failure could have resulted. At the least, the contribution of the Independent Review Committee to the PRC accident investigation may have been simply to speed up the investigation.
The Independent Review Committee's recommendations seem to have affected PRC rocket reliability. The PRC briefed subsequent Long March launch customers and their insurers (for example, in the case of Loral's Mabuhay satellite launch) concerning measures being taken to improve the reliability of the Long March 3B inertial measurement unit (and avionics generally) and acceptance testing.
The measures the PRC took to improve the reliability of the Long March 3B go beyond those listed in the PRC briefings at the second meeting of the Independent Review Committee in Beijing (some of which may have been influenced by questions raised earlier by the committee). For example, in the Beijing meeting, wiring connections on the platform were to be double-soldered. The later briefings indicate that all platform-moveable connections are to be double-jointed (a stress-relieving measure of the type referred to in the Independent Review Committee report's recommendation to "alleviate the impact of unavoidable deflection on solder joint integrity") and double-wired.
Also, the recommendation of the Independent Review Committee for steps to attack quality control philosophy and practice broadly, and to train personnel, is reflected in the PRC statement of intent to strengthen education in quality control for all employees, and to establish income incentives to quality. These measures to improve quality control and reliability may be the standard fare of management literature, but the context of the Independent Review Committee recommendations is that they are made with regard to a specific set of processes and practices employed in the manufacture and assembly of the Long March 3B that they reviewed.
To the extent that these practices and processes are representative of those employed on other rockets or ballistic missiles or their components built by the same or related organizations, the quality control and reliability of these PRC rockets and missiles could also be improved.
To answer definitively whether the Independent Review Committee's technical advice and recommendations had the effect of assisting the PRC in improving the accuracy of PRC ballistic missiles, it would be necessary to know whether the Long March 3B inertial measurement unit is used on any ballistic missile and whether, in fact, the Long March 3B inertial measurement unit has advantages in accuracy or other measures over others available to the PRC. The guidance accuracy requirements for an intercontinental ballistic missile based on what is assumed to be PRC missile doctrine (essentially, a "city busting" strategy) would not be considerably greater than the accuracy requirements for a rocket used to launch satellites. Because the Long March 3B inertial measurement unit is lighter and smaller than the units used on the PRC's intercontinental ballistic missiles (such as the currently-deployed CSS-4), it would not need to have greater accuracy to be advantageously applied for its weight and size advantages.
Because the PRC strategic forces doctrine apparently targets U.S. cities, this does not require especially demanding accuracy. For this, the inertial measurement unit on the Long March 3B may be sufficient - in which case its size, weight, and, potentially, reliability advantages may weigh more heavily in its favor. Of course, if the PRC has available other lighter and smaller guidance units that are more accurate, those are more likely to be chosen for the mobile intercontinental ballistic missile mission.
For shorter-range ballistic missiles, the Long March 3B inertial measurement unit might possibly be advantageously used. But it would have to compete against a variety of even more compact, strapdown systems of sufficient accuracy for short ranges. Therefore, the application of the Long March 3B inertial measurement unit or some variant of it to some future PRC ballistic missile development remains possible.
To the extent that ballistic missile manufacturing processes and practices are similar to those for rockets, an incremental potential benefit to future PRC ballistic missile programs could come from increased production efficiency, and improved reliability through adoption of improved quality control and reliability-enhancing measures in design and manufacturing that were introduced after the accident investigation, including some that the Independent Review Committee advocated.