CAPE CANAVERAL - NASA is resuming shuttle flights to the International
Space Station despite a known problem that could trigger the loss of both
spacecraft and their crews, a risk deemed unacceptable by an agency safety
panel.
There is a remote chance --
between one in 10,000 and one in 1 million -- that one of the shuttle's
steering jets could inadvertently ignite while the orbiter is docked at the
station, generating enough force to rip the joined spaceships apart.
Air would rush out of the
station. There would be no time to escape. Astronauts on the shuttle and
station likely would be killed, according to NASA documents obtained by FLORIDA
TODAY under the Freedom of Information Act.
NASA's Station Safety
Review Panel said the steering jet hazard is a "must fix" before
shuttles return to flight. It withdrew support for a longstanding waiver that
enabled shuttles to fly despite the problem. The safety panel and the
independent NASA Engineering and Safety Center
propose the agency replace wiring that could cause the thrusters to fire on
their own before station construction resumes later this year.
No permanent fix will be in
place by the time shuttle Discovery blasts off next month.
Agency documents and
interviews show NASA is taking interim steps to protect crews from accidental
thruster firings on the first two post-Columbia missions. Managers wonder
whether it is worthwhile to replace the wiring or to spend $36 million and
three years to redesign the thruster system, given the low probability of
failure. The shuttles are scheduled to retire in 2010.
"We're still working
through understanding exactly what the situation is, and understanding the
exact risks, and debating and discussing what's the best possible action to
take," NASA shuttle program manager Bill Parsons said.
"This is not an easy
one, where you just make a decision and move on. This is in a gray area,"
he said. "So it's requiring a lot more attention and a lot more analysis
to make sure
we're doing the right thing."
Staying in control
The problem lies within the
shuttle's reaction control system.
Made up of 44 steering jets
in the orbiter's nose and tail, the system is designed to control shuttles in
space and also helps guide the ships to safe landings as they plummet through
Earth's atmosphere.
Two electronics boxes,
called reaction jet drivers, route firing commands to the thrusters from the
shuttle commander's stick, the ship's onboard computers or engineers at NASA's
Mission Control in Houston. A deadened
thump, like muffled cannon fire, resounds outside cockpit windows when
thrusters fire, shaking the shuttle's crew cabin.
NASA managers have known
since the early 1980s that thrusters could fire inadvertently. It's happened
five times when shuttles were not docked to another spacecraft. NASA deemed the
risk acceptable then because the crew could recover if the shuttle were
accidentally propelled through open space. The consequences increase when two
ships are linked because crews would have no time to react before the craft rip
apart.
Since 1995, when shuttles
began docking at Russia's
former Mir space station, astronauts have controlled the hazard by turning off
jet power when spaceships are joined in orbit. NASA has continued that practice
during dockings at the international station.
New assessments
New fears arose after the Columbia
accident. The station's safety review panel started looking at every known
catastrophic risk to the 206-ton space complex. They identified one they deemed
unacceptable: the possible uncommanded thruster firing by a
visiting shuttle.
They ordered further study
in mid-2003, and the analyses showed a thruster could fire even when power to
the system is turned off. That meant the method NASA had used for years to
control the risk could not be guaranteed to prevent the problem.
Frayed wiring and the
resulting electrical shorts could trigger an unintended firing. The failure of
transistors within the electronics boxes could, too. So could erroneous
commands from shuttle computers, or devices that relay firing commands from the
computers to the suspect electronics boxes.
The engineering reviews
also showed that an inadvertent firing lasting 1.5 seconds or longer could
produce enough force to break off the station's solar wings or radiators or
even fracture the hardware holding the docked shuttle to the station. Those and
other scenarios could easily destroy the space complex and the docked shuttle,
killing all aboard.
The problem now is
considered one of the most serious threats to the $100 million station, on par
with a collision with a visiting spacecraft, a deadly strike from orbital
debris or a medical emergency.
"This ranks right up
there," said NASA station program manager William Gerstenmaier.
"It's in that range of things."
Short-term fixes
The shuttle program determined
the chance of inadvertent firings is so low that the risk is acceptable.
But at the behest of the
station program, shuttle engineers developed a software patch for NASA's first
two post-Columbia missions. Shuttle computers will automatically detect an unordered
thruster firing,
then shut it down before damage could be done.
The station's
power-producing solar wings also will be repositioned to reduce structural
loads when shuttles are docked at the outpost. That would prevent them from
being damaged in a firing.
The measures are meant to
protect crews on the two upcoming test flights, when the station's size and
configuration will remain the same as it is today. The half-built station,
however, will become more susceptible to serious damage from inadvertent
firings once astronauts resume construction.
As the station grows, so too will the stress the structure
must bear.
Consequently, shuttle computers no longer will be able to shut down the
thruster system quickly enough to prevent potentially catastrophic damage.
Safety engineers determined
the new software patch would be inadequate once a second American power tower
is erected during a shuttle mission set for launch in December. Once unfurled
in space, its massive solar arrays will have a wingspan greater than that of a
Boeing 747. And both the arrays and its base -- a skeletal truss -- won't be
able to take the force imparted during an inadvertent firing.
The gleaming blue-and-gold
solar wings and the tower's base could snap off and slam into the hull of the
station's living and laboratory modules.
"This is becoming a
more serious issue," said NASA Engineering and Safety Center
deputy director Rick Gilbrech, who headed a group
looking into the thruster concerns. "Our main focus as we see it is to lay
out the facts to the decision-makers . . . so their eyes are wide open about
the risks they are taking."
Those risks also include
potential dangers under other circumstances.
Propelled by an unintended firing,
a 100-ton shuttle orbiter could strike a spacewalking astronaut. A jet plume
could, too. Or a 50-foot shuttle robot arm could crack off at its base with a
spacewalker anchored to its end, both floating toward oblivion. Even ground
technicians at Kennedy Space Center could
be killed if a steering thruster suddenly ignited while they were servicing the
jets.
Recommendations
The station review panel
wants shuttle managers to take action in addition to the software patch. They
want NASA to inspect or replace thruster system wiring and order a redesign of
the suspect electronics boxes.
At the same time, the group
from the safety center -- an organization created after the Columbia
accident to provide impartial analyses on safety issues -- also recommends that
shuttle managers inspect or replace wiring before resuming ISS construction
after the two post-Columbia test flights.
About 4,000 feet of
thruster system wiring is in each of NASA's three shuttle orbiters. All of it
is sheathed in Kapton, a material that tends to fray, which could
induce electrical shorts. Much of the cable is either inaccessible or buried in
bundles that can't be reached easily.
"We originally
recommended 100 percent inspections because there was uncertainty as to the condition
of the wiring. But they can only see the outside of the bundles. They said
(complete inspections) would be too intrusive," Gilbrech said.
"We said, 'If that's
the case, to eliminate doubt, we recommend replacing the wire.' "
The safety center group
also intends to make a recommendation on a redesign of the electronics boxes
after it finishes testing aged internal transistors. The electronics boxes,
designed to last 10 years, are more than 20 years old. No program had been
initiated to requalify the devices for extended use.
The agency is planning to
inspect the wiring, but it is unlikely 100 percent of the recommended work
could be done in time to resume station construction by the end of the year. A
decision is pending on wholesale replacement, and NASA will make a call on a
redesign of the electronics boxes after the NASA safety center issues its
recommendation.
Parsons and Gerstenmaier
are confident the safety review teams from the station and shuttle programs
ultimately will come to a consensus on the right course of action. If not,
they'll take the matter up with more senior NASA officials.
"I think the good
thing is we're discussing this at length and we're not jumping to any
conclusions. We're trying to get the appropriate data to make the right
decisions," Parsons said. "We're willing to go do what we think is
the right thing. But we're also willing to bump it up to a higher authority if
we can't come to an agreement."
Published under license from FLORIDA TODAY. Copyright © 2005
FLORIDA TODAY. No portion of this material may be reproduced in any way
without the written consent of FLORIDA
TODAY.