The September 1, 2016 explosion at the Cape Canaveral launch pad, which destroyed the SpaceX Falcon rocket and its payload, the Amos 6 communication satellite, has reminded us of the complexity of space systems.

“Still working on the Falcon fireball investigation,” said SpaceX president, Elon Musk, on Twitter a week after the accident. “Turning out to be the most difficult and complex failure we have ever had in 14 years.”

More recently, SpaceX stated that the data and debris indicate “a large breach” in the helium system of the second-stage liquid oxygen tank. Storing fluids at high pressure is essential to space systems and is additionally complex when those fluids are at cryogenic temperatures, which are necessary for fluids such as oxygen to be stored in their liquid state.

The current industry attention is on these cryogenic tanks, but pressure vessels are also essential for propulsion and life support systems.

Developments for Space Shuttle

Prior to the Space Shuttle program, spaceflight pressure vessels were exclusively metallic. In order to reduce weight, engineers introduced fiber composites, which can carry significantly more load per unit weight. A metal liner is needed primarily to serve as an impermeable barrier for containing fluids. The resulting design is that of a composite overwrapped pressure vessel (COPV). The Orbiter incorporated COPVs for re-pressurant gasses in the Orbital Maneuvering System (OMS) and Main Propulsion System (MPS). There were five tanks at 40” in diameter and 14 smaller tanks (diameter of 19”) for these systems. Additionally, there were four oxygen and four nitrogen tanks (diameter of 26”) for life support gasses. Subsequent to the initial design, the oxygen tanks were removed in favor of additional nitrogen tanks (five or six total).

For these larger OMS vessels, the resulting design was a titanium liner of thickness 0.104” and a composite overwrap of Kevlar-49 fibers in epoxy with a thickness of 0.739”. For this design, the composite carried 70-80% of the total hoop load (at operating pressures). The liners and relative overwrap thickness varied for the different sizes and contained fluids. For example, the oxygen tank was made with an Inconel liner.

In the case of the Shuttle vehicle, the cumulative weight savings compared with all-metallic vessels was approximately 752 lb. This may not seem significant compared with the nearly 200,000 lb dry weight of the Orbiter. However, relative to the vehicle payload capacity (36,200 lb to a 51.6° orbit, for the ISS), the weight savings corresponded to an additional 2% of payload capability.

Safety Considerations for COPV

A significant development effort, including a comprehensive test program, was undertaken for these vessels. The overarching safety philosophy for the Shuttle Program was Fail On/Fail Safe. To meet these requirements, the designers considered failure modes associated with a) the loss of the fluid and its subsequent impact on completing the mission, and b) failure of the COPV to contain the fluid including sudden release of the stored energy. The first part was met through system design and component redundancy.

Achieving the second part is far more complex. First, fracture control concepts were introduced to address sustained load and cyclic fatigue. The liners had to meet Leak Before Burst (LBB), a design approach in which any flaws in the liner, should they exist in any location and grow by any mechanism, would result in sudden leakage rather than sudden unstable crack growth. A burst would result in the sudden release of the stored energy. For the Shuttle program, some vessels had the energy equivalent of 5 lb of TNT (as in the 40” OMS vessel).

COPV designers could increase the strength and durability of COPV by applying an autofrettage during manufacture. The COPV is pressurized to a prescribed pressure well above its maximum operating pressure, thus causing expansion of the liner well beyond its plastic yield point. Upon reducing the pressure to zero, the liner would go into hoop compression and at operating pressure would be in tension but at a relatively low value. This makes the liner more robust to fatigue crack growth and stress corrosion cracking.

It should be noted that the Space Shuttle External Tank (ET), while made with a composite external layer, was not a COPV. The foam on the exterior of the Shuttle was designed to provide thermal insulation for the super-cooled oxygen and hydrogen liquids that were used by the MPS engines in the Orbiter.

Post-Shuttle Development

COPVs have been introduced into many flight systems since the Shuttle Program. Carbon fiber has replaced Kevlar as the preferred fiber as it offers a higher strength to weight ratio.

More recent research has focused on the ability to contain fluids at cryogenic temperature so that fluids like oxygen will remain in a liquid state. Typically, this is done by introducing multiple layers in the pressure vessel and maintaining a vacuum in the space between the layers. There is no convection between the inner layer which can be at −183 °C (−297 °F) and the ambient outside temperature, which exceeds 37 °C (100 °F) on a summer day at Cape Canaveral.

The desired mass savings advantage of COPVs is not without some additional design complexities, however. Metallic pressure vessel design, manufacture, and in-service monitoring over the years have all advanced to the point that industry best practices encompass a robust set of well-validated prediction and inspection tools. Thick-walled shell stress and strain analysis, general finite element analysis for metals, flaw and crack detection in manufacturing and in-service use, as well as micromechanical modelling and simulation for metallic crack growth behavior, are all considered mature and generally used across industry.

Safety Considerations

Design of pressure vessels must address all potential failure modes. Specifically, designers must address these characteristics to ensure a design that will result in safe operation.

In a simple world, it might be natural to think of the metal liner and the composite overwrap as separate, independent elements of the pressure vessel, each having the potential to fail. For example, the metal liner can have flaws in its parent materials or in a joint that has been welded, and these flaws may grow to failure under sustained and/or cyclic loading. There can also be embrittlement due to the presence of operating fluids or cleaning fluids. One common source of embrittlement is excess hydrogen. Similarly, the fibers in the overwrap can be exposed to collateral damage or be exposed to a larger load than intended, resulting in fiber breakage and loss of structural integrity in the vessel. When this occurs, the stored energy of the vessel is suddenly released, a response analogous to that of a bomb.

However, it is essential to consider the pressure vessel as a system. The load is shared between the liner and the overwrap, and changes in pressure can affect this load sharing. The temperature of the system is critical. Most metals expand when heated, whereas fiber composites can contract. An increase in system temperature causes additional shifts in this load sharing. Mismanagement of this relationship, particularly during manufacture, can increase the potential for the liner to buckle during service, which is another form of catastrophic system failure.

Standard Certification

In consideration of these failure modes, a set of certification tests and analyses is required. For starters, the system is analyzed to determine the Maximum Expected Operating Pressure (MEOP) that the vessel will experience during its lifetime. The vessel is then designed to undergo a proof test (nominally 1.25x MEOP). Each vessel is tested to show that it does not experience detrimental deformation at this proof pressure. The tank is also designed to burst only at a pressure greater than the design burst pressure (nominally 1.5x MEOP). During design qualification, at least one and usually two vessels are taken to burst pressure to verify that this requirement is met.

For fatigue failures in the liner, certification is particularly complex. Fracture control analyses are performed to show that the vessel will exceed its design life. First the system developer must determine the service life, which is the anticipated time under pressure and expected cycles that the vessel will see over its lifetime. The designers impose that the damage tolerance life (formerly termed safe life) is four times the expected service life. To meet this requirement, an analysis is performed that verifies that the worst case flaw shape in the worst case location of the vessel liner will not grow to failure within this damage tolerance lifetime.

There are many subjective aspects to this analysis. First, one must identify the largest flaw that might exist, as all materials have natural defects inherent in production. A nondestructive test (or inspection), such as dye penetrant or radiography, is performed to detect inherent flaws. If any initial flaw in a liner is detected, then the part is discarded and a new component is fabricated. Each technique has an associated detection capability limit to which it is rated, above which all flaws can be assumed to be reasonably screened. Second, one must determine where the worst-case location and orientation of a potential defect might be. This is generally accomplished by considering multiple such combinations and evaluating the worst case. In performing these analyses, one must determine the strain on the liner during a pressurization cycle on the vessel, for which the majority of the load is typically carried by the composite. The factor of four in the damage tolerance life is due to the significant errors and uncertainties associated with these analyses.

Shuttle Return to Flight

In the Return to Flight efforts following the Columbia accident, the Space Shuttle Program reexamined the original COPV certification and subsequent re-certifications, ultimately focusing on the new, previously unconsidered, Composite Stress Rupture failure mode.

According to Cornell Professor S. Leigh Phoenix, stress rupture is a sudden failure mode for COPVs that can occur at normal operating pressures and temperatures. This failure mode can occur while at stress levels below ultimate strength for an extended time. The failure mechanism is complex and difficult to accurately predict or detect prior to failure. The location and mechanism of triggering damage causing sudden failure is highly localized, but at a random location. This location and extent of local damage has not been able to be reliably detected by current NDE techniques prior to catastrophic failure. Pressure, duration of time at pressure, and temperature experienced contribute to the degradation of the fiber and/or the fiber-matrix interface, particularly around accumulations of fiber breaks, and these increase the probability of COPV stress-rupture.

From 2005-11, the cross-agency and industry team addressed this issue in three parts. First, the team evaluated and deemed tank replacement implausible as the time to procure new tanks even to the heritage design would not be possible. Furthermore, replacement in the OMS pod was simply not possible with the existing design. The lowest reliability vessels in the fleet, two MPS tanks, were replaced with existing flight spares. Second, an improved stress rupture reliability model with existing industry data was developed, primarily by Phoenix, and has become the industry standard for quantifying this failure mode. Third, improved flight procedures affecting the manner in which the vessels were loaded on the pad and the margins for re-pressurant quantities were reevaluated. A reduction in risk by a factor of six was realized without compromising the Shuttle payload capabilities. (Kezirian, et al. “Composite Overwrapped Pressure Vessels (COPV): Flight Rationale for the Space Shuttle Program”, AIAA SPACE 2011 Conference & Exposition, SPACE Conferences and Exposition,

Collateral Damage and Threat to Safe Operation

There has been significant concern regarding threats posed by the handling and processing of pressure vessels, including mechanical impact and other adverse handling involving certain aggressive chemicals.

Engineers at the White Sands Test Facility have tested the structural strength of vessels intentionally impacted to simulate processing errors. They have determined that impacts as low as 5 pound-ft of energy can markedly reduce structural strength. They are developing non-destructive evaluation techniques, which can assess impact areas and screen for the presence of defects. They are also working to develop sensors which can record impacts so that pressure vessels in transport can be accurately monitored for such adverse effects.

Service Life Threats

With the growth of Micrometeoroid and Orbital Debris (MMOD), there has been increased concern regarding the risks of impact to spacecraft. Current approaches to MMOD are to avoid large objects (which are few) and develop protection for small particles (with shielding). There is currently a gap between these two categories: particles too small to track and accurately propagate their trajectories, yet too large for an impact to be considered benign. The ISS implements Whipple Shields, a series of thin sacrificial layers which dissipate the energy on impact of small particles.

Recent concern has also focused on the disposal of spacecraft through deorbit. Several pressure vessels have been recovered intact and pose a significant risk to the public, both in the airspace and on the ground. (see Surratt, et al, JSSE, pp 51-56, 2015.)

COPV Training

The International Association for the Advancement of Space Safety (IAASS) training academy offers training, including on the safe design and operation of COPVs. The course has been offered five times since 2012, most recently in Houston in August 2016.

By Michael T. Kezirian and Michael Surratt

Michael T. Kezirian, Ph.D. is an expert in the safe design and operation of Composite Overwrapped Pressure Vessels (COPV).  He chairs the AIAA Aerospace Pressure Vessel Committee on Standards leading the effort to rewrite the standards for COPV (ANSI/AIAA S-081B) and  metallic pressure vessels and pressurized hardware (ANSI/AIAA S-080A).  At the Boeing Company, he was the COPV Analysis Team Lead for the Orbiter Project (Space Shuttle) addressing composite stress rupture, a key COPV design engineer for the Nitrogen Oxygen Recharge System (NORS) COPV development and a safety design engineer for the Commercial Crew Program, CST-100 Starliner.

Dr. Kezirian is an Adjunct Associate Professor of the University of Southern California, teaching space safety in the Masters program in astronautical engineering.  He is the President of the International Space Safety Foundation and Editor-In-Chief of the Journal of Space Safety Engineering.

Michael Surratt is a graduate student in the University of Southern California Department of Astronautical Engineering. His current research interests include the effect of Micrometeoroid and Orbital Debris (MMOD) damage on pressure vessels. Mr. Surratt has industrial and governmental experience with carbon and glass fiber reinforced plastic structures for nuclear-powered attack submarines (General Dynamics – Electric Boat Division), high-energy hydrocarbon rocket fuels (USAF Research Laboratory), and novel nuclear pulse propulsion concepts (Pennsylvania State University & AFRL).
