Static fire tests are among the most critical — and most dangerous — milestones in a launch vehicle’s life. The vehicle is fully fueled, the engines are lit, and everything that can go wrong is present in one place at one time. This analysis presents a structured fault tree for a generic liquid-propellant launch vehicle static fire, covering the window from ignition command (T-0) to T+5 seconds, organized per MIL-STD-882E and NASA SP-2010-580.
The Top Event: Vehicle Destruction
The analysis centers on a single top event — vehicle destruction shortly after engine ignition — and asks: what paths lead there? The answer is six Level-1 branches connected by an OR gate, meaning any one of them alone is sufficient to destroy the vehicle.
Branch 1 — Propellant System Failure
Liquid propellant systems are statistically the most common source of catastrophic failure in static fire events. The sub-tree covers four failure families: leaks and ruptures (weld defects, fitting seal failures, fatigue cracks, FOD damage), overpressure events (relief valves failing closed, water hammer, pressurant regulator runaway), propellant mixing outside the engine (cross-connected fill lines, common bulkhead leaks, LOX-enriched atmospheres), and loading and purge errors (wrong propellant loaded, incomplete purge leaving residual air in LOX lines).
The SpaceX AMOS-6 explosion in 2016 is a textbook example — supercooled liquid oxygen trapped in the carbon fiber overwrap of a second-stage COPV ignited during helium loading, destroying the vehicle and its payload on the pad at LC-40.
Branch 2 — Engine and Combustion Failure
Hard starts, combustion instability, turbopump failures, and nozzle liner burn-through are the leading engine failure modes. A hard start — excess propellant in the chamber before ignition, or an igniter that fires out of sequence — can produce a chamber pressure spike that exceeds structural limits in milliseconds. High-frequency acoustic combustion instability can destroy an engine in less than a second. Turbopump burst is a single-point catastrophic failure mode with no recovery path once it initiates.
The Apollo 6 mission in 1968 encountered J-2 engine combustion instability and propellant line fatigue failure on the S-II stage simultaneously — two branches of this fault tree triggering in parallel.
Branch 3 — Structural Failure
Structural failures range from pre-existing manufacturing cracks and LOX-compatible material substitution errors to stand hold-down fitting failures and explosive bolt misfires. This branch is often a consequence rather than an initiator — a propulsion failure triggers overpressure that then causes structural failure — but pre-existing cracks and material errors are genuine independent initiators.
Branch 4 — Control and Avionics Failure
The control branch covers software logic faults, sensor failures that give false-nominal readings (preventing an abort trigger), EMI corruption of the command bus, and abort systems that fail to safe on an anomaly. A watchdog timer disabled for test convenience is listed as a basic event — a reminder that test configurations introduce failure modes that are not present in flight configurations. The Starship IFT-1 multi-engine failure and subsequent loss of attitude control falls primarily in this branch, compounded by the absence of a water deluge system at the pad.
Branch 5 — GSE and Human Error
Ground support equipment and human factors are often underweighted in probabilistic risk analyses but appear in nearly every historical accident. A single procedural deviation — a purge gas not connected properly, a ground valve left in the wrong position, a propellant loading procedure deviation — can simultaneously affect multiple fault tree branches. Human factors and GSE errors are the highest-correlation common-cause failure mode in the entire tree.
Branch 6 — Accumulated Fatigue from Prior Test History
This branch assumes an expendable first stage, engines included.
This branch is unique: it requires an AND gate rather than a pure OR gate. Three conditions must coincide — (1) prior hot-fire test history exists, (2) post-test inspection was incomplete or inadequate, and (3) the vehicle-level static fire exceeds the remaining life margin. By the time a vehicle-level static fire is conducted, each engine has already accumulated 20–35% of its design life through individual acceptance tests and thermal cycling during shipping and assembly. A first-stage flight burn then consumes another 30–60%. The margin available for the vehicle static fire may be smaller than assumed.
The critical controls for this branch are an engine life ledger tracking cumulative hot-time per serial number, post-test NDT (borescope, dye-penetrant on welds), a seal replacement policy after every hot-fire, and a minimum remaining-life gate that is a hard no-go before the static fire proceeds.
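The life ledger and remaining-life gate described above, as an added example (not the author's tool or any real program's code). Serial numbers, rated lives and the logged burn times are constructed values; the rule that a hot-fire without a post-test NDT entry is itself a no-go, and the 10% minimum margin, are assumptions chosen for illustration. The gate charges the planned static fire and the following flight burn against the ledger together, so the margin reported is the life left after flight, not after the static fire alone.

```python
"""Engine life ledger with a hard remaining-life gate (added example)."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    label: str
    life_s: float          # hot seconds, or equivalent seconds for thermal cycling
    hot_fire: bool = True  # False for non-firing charges (shipping/assembly cycles)
    inspected: bool = False  # post-test NDT (borescope, dye-penetrant) recorded?


@dataclass
class EngineLedger:
    serial: str
    rated_life_s: float    # design hot-fire life for this serial number
    entries: list = field(default_factory=list)

    def log(self, label, life_s, hot_fire=True, inspected=False):
        self.entries.append(Entry(label, life_s, hot_fire, inspected))

    def consumed_s(self):
        return sum(e.life_s for e in self.entries)

    def remaining_fraction(self):
        return 1.0 - self.consumed_s() / self.rated_life_s

    def uninspected_hot_fires(self):
        # A hot-fire with no NDT entry is the "inspection incomplete" leg of the AND gate.
        return [e.label for e in self.entries if e.hot_fire and not e.inspected]


def static_fire_go(ledger, static_fire_s, flight_burn_s, min_margin=0.10):
    """Return (go, reasons) for one engine. Either reason alone is a NO-GO."""
    reasons = []
    missing = ledger.uninspected_hot_fires()
    if missing:
        reasons.append(f"{ledger.serial}: uninspected hot-fire(s): {', '.join(missing)}")
    after_flight = (ledger.remaining_fraction()
                    - (static_fire_s + flight_burn_s) / ledger.rated_life_s)
    if after_flight < min_margin:
        reasons.append(f"{ledger.serial}: life after flight {after_flight:.0%} "
                       f"below margin {min_margin:.0%}")
    return (not reasons, reasons)


def vehicle_go(ledgers, static_fire_s, flight_burn_s, min_margin=0.10):
    """Vehicle-level gate: every engine must pass; returns (go, {serial: reasons})."""
    failures = {}
    for ledger in ledgers:
        go, reasons = static_fire_go(ledger, static_fire_s, flight_burn_s, min_margin)
        if not go:
            failures[ledger.serial] = reasons
    return (not failures, failures)


# Constructed sample ledgers (1000 s rated life, values made up for the example).
ENGINE_A = EngineLedger("E-001", 1000.0)
ENGINE_A.log("acceptance test 1", 200.0, inspected=True)
ENGINE_A.log("shipping/assembly thermal cycling", 50.0, hot_fire=False)  # 25% consumed

ENGINE_B = EngineLedger("E-002", 1000.0)
ENGINE_B.log("acceptance test 1", 350.0, inspected=True)
ENGINE_B.log("acceptance test 2", 100.0)  # no NDT entry: 45% consumed and uninspected

if __name__ == "__main__":
    go, failures = vehicle_go([ENGINE_A, ENGINE_B], static_fire_s=10.0, flight_burn_s=600.0)
    print("VEHICLE STATIC FIRE:", "GO" if go else "NO-GO")
    for serial, reasons in failures.items():
        for r in reasons:
            print("  ", r)
```

With a 600 s flight burn (60% of rated life) E-002 fails on both legs, while E-001 passes only because its inspection record is complete and 34% of life would remain after flight. The vehicle gate is an AND over engines, so the single bad ledger is enough to hold the test.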
Common-Cause Failures and Minimum Cut Sets
Nine order-1 minimum cut sets are identified — single-point failures each sufficient on their own to cause vehicle destruction. The highest-risk are propellant line rupture near an ignition source, an engine hard start exceeding chamber design limits, and an ignition sequence software fault sending the wrong command. The highest-risk common-cause scenarios involve events that trigger multiple branches simultaneously: a LOX leak near an ignition source simultaneously activates the propellant and structural branches; fatigue damage missed at inspection simultaneously activates the fatigue and engine branches.
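The gate logic of the tree (six Level-1 branches under an OR, Branch 6 an AND of three conditions) and the minimum cut set enumeration described in this section, as an added example that is not the author's tree or any fault-tree tool's code. The basic events under each branch are an illustrative subset I chose, so the counts are those of this toy tree, not of the post's full analysis; "LOX leak near ignition source" is deliberately placed under both the propellant and structural branches to show how a common-cause event is detected.

```python
"""Minimal cut sets and common-cause events for a static-fire fault tree (added example)."""
from itertools import product


def OR(*children):
    return ("OR", list(children))


def AND(*children):
    return ("AND", list(children))


def cut_sets(node):
    """Return the minimal cut sets of `node` as a set of frozensets of basic events.

    A basic event (string) is its own cut set. For an OR gate any child's cut set
    fails the gate, so the result is the union. For an AND gate one cut set from
    every child must occur together, so the result is every combination merged.
    Supersets of another cut set are dropped so only minimal sets survive.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    kind, children = node
    child_sets = [cut_sets(c) for c in children]
    if kind == "OR":
        combined = set().union(*child_sets)
    elif kind == "AND":
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {kind}")
    return {s for s in combined if not any(o < s for o in combined)}


def leaves(node):
    """All basic events under a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(leaves(c) for c in node[1]))


def shared_basic_events(top):
    """Basic events sitting under more than one Level-1 branch (common-cause candidates)."""
    _, branches = top
    first_seen, shared = {}, set()
    for i, branch in enumerate(branches):
        for event in leaves(branch):
            if first_seen.setdefault(event, i) != i:
                shared.add(event)
    return shared


def cut_sets_by_order(node):
    """Group minimal cut sets by order (number of basic events), each sorted."""
    groups = {}
    for cs in cut_sets(node):
        groups.setdefault(len(cs), []).append(sorted(cs))
    return {k: sorted(v) for k, v in groups.items()}


# Constructed tree: branch structure from the post, basic events an illustrative subset.
TOP = OR(
    OR("LOX leak near ignition source", "relief valve fails closed"),           # 1 propellant
    OR("engine hard start", "combustion instability", "turbopump burst"),       # 2 engine
    OR("LOX leak near ignition source", "pre-existing crack"),                  # 3 structural
    OR("ignition sequence software fault", "watchdog disabled for test"),       # 4 avionics
    OR("ground valve left in wrong position"),                                  # 5 GSE/human
    AND("prior hot-fire history", "post-test inspection inadequate",
        "static fire exceeds remaining life"),                                  # 6 fatigue
)

if __name__ == "__main__":
    for order, sets in sorted(cut_sets_by_order(TOP).items()):
        print(f"order-{order}: {len(sets)} cut set(s)")
        for s in sets:
            print("   ", " AND ".join(s))
    print("common-cause events:", shared_basic_events(TOP))
```

Every leaf under an OR branch comes out as an order-1 cut set (nine here, since the shared LOX leak is counted once), and the fatigue branch contributes the single order-3 set, which is exactly why that branch needs all three of its conditions to be controlled rather than any one of them.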
Preventive Controls
Each branch has a defined set of controls. For propellant systems: leak detection sensors with auto-abort, double-block-and-bleed valves, pre-fire leak checks. For engine/combustion: ignition monitoring before the main valve opens, chamber pressure abort limits, hard-start suppression via water deluge. For avionics: independent hardwired abort systems, 2-of-3 sensor voting logic, software V&V per NASA-STD-8739.8 with all safeties enabled for test. For GSE and human factors: two-person integrity for valve line-up, independent verification checklists, RSO independent abort authority.
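The 2-of-3 sensor voting and chamber pressure abort limit named above, as an added example that is not the author's code or any flight controller's logic. The pressure samples, the 120 bar limit and the 10% disagreement band are constructed values. The point of the example is the failure mode from Branch 4: one channel stuck at a nominal reading cannot block the abort, and one spurious high reading cannot trigger it, while the disagreement check makes the stuck channel visible rather than silently outvoted.

```python
"""2-of-3 chamber pressure voting with an abort limit (added example)."""
from statistics import median


def vote_2oo3(readings, limit, disagreement=0.10):
    """Return (abort, diagnosis) for one sample of three pressure channels.

    abort is True when at least two of the three channels exceed `limit`.
    A channel farther than `disagreement` * limit from the median is flagged
    as suspect so a stuck-at-nominal or runaway sensor is surfaced, not hidden.
    """
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    over = [r > limit for r in readings]
    med = median(readings)
    suspect = [i for i, r in enumerate(readings) if abs(r - med) > disagreement * limit]
    return sum(over) >= 2, {"over_limit": over, "suspect_channels": suspect}


def run_abort_monitor(samples, limit):
    """Scan (t, [pc_a, pc_b, pc_c]) samples; return the first abort time, or None."""
    for t, readings in samples:
        abort, _ = vote_2oo3(readings, limit)
        if abort:
            return t
    return None


def suspect_channels_seen(samples, limit):
    """Set of channel indices flagged as suspect anywhere in the run."""
    seen = set()
    for _, readings in samples:
        _, diag = vote_2oo3(readings, limit)
        seen.update(diag["suspect_channels"])
    return seen


PC_LIMIT_BAR = 120.0  # constructed abort limit

# Constructed time series (seconds, bar). Channel B spikes alone at t=0.5 and
# channel C is stuck at a nominal 95 bar when the real pressure rises at t=1.0.
SAMPLES = [
    (0.0, [95.0, 96.0, 95.0]),
    (0.5, [97.0, 140.0, 96.0]),
    (1.0, [130.0, 131.0, 95.0]),
    (1.5, [135.0, 136.0, 95.0]),
]

if __name__ == "__main__":
    for t, readings in SAMPLES:
        abort, diag = vote_2oo3(readings, PC_LIMIT_BAR)
        print(f"t={t:.1f}s Pc={readings} abort={abort} suspect={diag['suspect_channels']}")
    print("first abort at:", run_abort_monitor(SAMPLES, PC_LIMIT_BAR))
```

Note the caveat the voting scheme does not fix: two channels stuck nominal would mask a real overpressure, which is why the disagreement flag should itself feed a pre-fire no-go rather than just a display.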
Historical Case Studies
Eight historical events spanning 1967 to 2023 are mapped to the fault tree branches — Apollo 1, Apollo 6, the X-33 LH₂ tank failure, J-2X development test anomalies, Falcon 9 CRS-7, Falcon 9 AMOS-6, and Starship IFT-1 and IFT-2. Every Level-1 branch is represented by at least one real event, underscoring that the fault tree is not theoretical — each branch has a history.
Conclusion
A static fire is not a dress rehearsal for flight in the sense that it is safe by comparison. It is a full-energy event with a fully fueled vehicle and a constrained window to abort. The fault tree makes clear that the risk is dominated not by exotic failure modes but by well-understood ones: leaks, hard starts, software errors, and inadequate inspection of hardware that has already been tested. The accumulated fatigue branch is perhaps the most underappreciated — it is the one that grows silently across every test event and can only be managed through rigorous life tracking and a culture that treats the remaining-life gate as a genuine no-go criterion, not a formality.
– Tom Irvine