The equivalent of blowing a redlined car engine. When that happens, it's operator error, not the engine's fault.
And a critic might well point out that regardless of cause, you're still down one engine. And if it happened on a lonely road in the desert -- which there are a lot of where I live -- you'd be seriously in trouble. So you need a backup engine, right? For redundancy you need at least two of everything, right?
This is where reading the anomaly reports is instructive. There were problems with the RCS in several Apollo missions, none having to do with the jets themselves. The problems were either in the propellant feed systems or in the combinatorial logic -- you know, that giant circuit diagram in the ANR that Jr Knowing says isn't technical enough. The anomaly investigations describe how the crew (if there was one in that mission) was able to switch things around and get the system working again. This is how we design for robustness without "backups." The backup capability is there, just not expressed in the way a layman will naturally recognize without examples. And then you also get to read the reasoning for what they're going to do to fix the problem, because that's what those flights were for. Sometimes the fix is just procedural. You just switch things around until the isolation valve unsticks or the propellant gets fed right. Or in hindsight some engineer says, "Hey, if we ran a line between these two points we could work around this valve if it sticks on the next flight."
Skylab 3 was a different sort of animal. The poppet got stuck open because a particle got wedged in the valve seat. This caused a propellant leak. Isolating the quad (i.e., shutting off the fuel to it upstream) is the right thing to do, and then the pilot just reports that the ship is somewhat harder to control. This may be what Jr refers to as "instability." We've been reading it as alleging a sort of uncontrollable instability, which isn't the case. Docking is a critical maneuver because it requires both positional and attitude control. That is very hard to do indeed with one whole quad disabled. For Apollo it was not as dangerous since either vehicle can become the active vehicle for docking. Apollo LOR profiles included seventeen different contingency plans to accommodate either the CSM or the LM being unable to maneuver. Skylab docking is different because the CSM has to be the active vehicle in that case. Alignment for de-orbit wouldn't have been as big a problem because position is not important -- only attitude.
This does raise an issue I had kind of hoped someone would bring up when we were talking about the fairings during boost. Skylab 3 was the first time something had got stuck in the poppet that couldn't be blown loose by the fluid flow. The RCS propellant is under fairly high pressure, and normally if a valve doesn't seat because some debris is caught in it, you just pulse the valve until it knocks the debris loose. The RCS fuel is highly filtered, so the engineers figured that -- against all odds -- some piece of particulate debris had found its way into the jet, past the pre-ignition cup and into the poppet -- and become so embedded in the Teflon gasket that the normal valve-clearing procedure wouldn't work. So if you watch STS liftoffs, you see the RCS jets covered with Tyvek taped in place. It keeps out particle debris while the stack is on the pad (i.e., out in the elements). But the Tyvek breaks loose on the ascent, or is blown free when the jets are first used in space.
But that sort of graceful degradation of control -- where the ship is harder to fly, but you can still dock it -- is commonplace in aerospace. Let's say a similar thing happens in a Boeing passenger jet, and a bit of gunk jams a control valve or an actuator. In that case, the mechanical linkage on the affected control surface is designed to shear. That means in one scenario that the remaining hydraulic systems can still move the control surface, or in other cases that it will be "safely" frozen in place at its last controllable attitude. You still have roll authority with one aileron out of commission, but it will require additional control actions to maintain pitch stability. You still have pitch authority with one elevator dead, but at the cost of an unwanted roll moment. And if you look carefully at many airframes, the rudder is split so that you have two separate rudders. That's the only place where you need first-order redundancy.