CAPE CANAVERAL - NASA is resuming shuttle flights to the InternationalSpace Station despite a known problem that could trigger the loss of bothspacecraft and their crews, a risk deemed unacceptable by an agency safetypanel.
There is a remote chance --between one in 10,000 and one in 1 million -- that one of the shuttle'ssteering jets could inadvertently ignite while the orbiter is docked at thestation, generating enough force to rip the joined spaceships apart.
Air would rush out of thestation. There would be no time to escape. Astronauts on the shuttle andstation likely would be killed, according to NASA documents obtained by FLORIDATODAY under the Freedom of Information Act.
NASA's Station SafetyReview Panel said the steering jet hazard is a "must fix" beforeshuttles return to flight. It withdrew support for a longstanding waiver thatenabled shuttles to fly despite the problem. The safety panel and theindependent NASA Engineering and Safety Centerpropose the agency replace wiring that could cause the thrusters to fire ontheir own before station construction resumes later this year.
No permanent fix will be inplace by the time shuttle Discovery blasts off next month.
Agency documents andinterviews show NASA is taking interim steps to protect crews from accidentalthruster firings on the first two post-Columbia missions. Managers wonderwhether it is worthwhile to replace the wiring or to spend $36 million andthree years to redesign the thruster system, given the low probability offailure. The shuttles are scheduled to retire in 2010.
"We're still workingthrough understanding exactly what the situation is, and understanding theexact risks, and debating and discussing what's the best possible action totake," NASA shuttle program manager Bill Parsons said.
"This is not an easyone, where you just make a decision and move on. This is in a gray area,"he said. "So it's requiring a lot more attention and a lot more analysisto make surewe're doing the right thing."
Staying in control
The problem lies within theshuttle's reaction control system.
Made up of 44 steering jetsin the orbiter's nose and tail, the system is designed to control shuttles inspace and also helps guide the ships to safe landings as they plummet throughEarth's atmosphere.
Two electronics boxes,called reaction jet drivers, route firing commands to the thrusters from theshuttle commander's stick, the ship's onboard computers or engineers at NASA'sMission Control in Houston. A deadenedthump, like muffled cannon fire, resounds outside cockpit windows whenthrusters fire, shaking the shuttle's crew cabin.
NASA managers have knownsince the early 1980s that thrusters could fire inadvertently. It's happenedfive times when shuttles were not docked to another spacecraft. NASA deemed therisk acceptable then because the crew could recover if the shuttle wereaccidentally propelled through open space. The consequences increase when twoships are linked because crews would have no time to react before the craft ripapart.
Since 1995, when shuttlesbegan docking at Russia'sformer Mir space station, astronauts have controlled the hazard by turning offjet power when spaceships are joined in orbit. NASA has continued that practiceduring dockings at the international station.
New fears arose after the Columbiaaccident. The station's safety review panel started looking at every knowncatastrophic risk to the 206-ton space complex. They identified one they deemedunacceptable: the possible uncommanded thruster firing by avisiting shuttle.
They ordered further studyin mid-2003, and the analyses showed a thruster could fire even when power tothe system is turned off. That meant the method NASA had used for years tocontrol the risk could not be guaranteed to prevent the problem.
Frayed wiring and theresulting electrical shorts could trigger an unintended firing. The failure oftransistors within the electronics boxes could, too. So could erroneouscommands from shuttle computers, or devices that relay firing commands from thecomputers to the suspect electronics boxes.
The engineering reviewsalso showed that an inadvertent firing lasting 1.5 seconds or longer couldproduce enough force to break off the station's solar wings or radiators oreven fracture the hardware holding the docked shuttle to the station. Those andother scenarios could easily destroy the space complex and the docked shuttle,killing all aboard.
The problem now isconsidered one of the most serious threats to the $100 million station, on parwith a collision with a visiting spacecraft, a deadly strike from orbitaldebris or a medical emergency.
"This ranks right upthere," said NASA station program manager William Gerstenmaier."It's in that range of things."
The shuttle program determinedthe chance of inadvertent firings is so low that the risk is acceptable.
But at the behest of thestation program, shuttle engineers developed a software patch for NASA's firsttwo post-Columbia missions. Shuttle computers will automatically detect an unorderedthruster firing,then shut it down before damage could be done.
The station'spower-producing solar wings also will be repositioned to reduce structuralloads when shuttles are docked at the outpost. That would prevent them frombeing damaged in a firing.
The measures are meant toprotect crews on the two upcoming test flights, when the station's size andconfiguration will remain the same as it is today. The half-built station,however, will become more susceptible to serious damage from inadvertentfirings once astronauts resume construction.
As the station grows, so too will the stress the structuremust bear.Consequently, shuttle computers no longer will be able to shut down thethruster system quickly enough to prevent potentially catastrophic damage.
Safety engineers determinedthe new software patch would be inadequate once a second American power toweris erected during a shuttle mission set for launch in December. Once unfurledin space, its massive solar arrays will have a wingspan greater than that of aBoeing 747. And both the arrays and its base -- a skeletal truss -- won't beable to take the force imparted during an inadvertent firing.
The gleaming blue-and-goldsolar wings and the tower's base could snap off and slam into the hull of thestation's living and laboratory modules.
"This is becoming amore serious issue," said NASA Engineering and Safety Centerdeputy director Rick Gilbrech, who headed a grouplooking into the thruster concerns. "Our main focus as we see it is to layout the facts to the decision-makers . . . so their eyes are wide open aboutthe risks they are taking."
Those risks also includepotential dangers under other circumstances.
Propelled by an unintended firing,a 100-ton shuttle orbiter could strike a spacewalking astronaut. A jet plumecould, too. Or a 50-foot shuttle robot arm could crack off at its base with aspacewalker anchored to its end, both floating toward oblivion. Even groundtechnicians at Kennedy Space Center couldbe killed if a steering thruster suddenly ignited while they were servicing thejets.
The station review panelwants shuttle managers to take action in addition to the software patch. Theywant NASA to inspect or replace thruster system wiring and order a redesign ofthe suspect electronics boxes.
At the same time, the groupfrom the safety center -- an organization created after the Columbiaaccident to provide impartial analyses on safety issues -- also recommends thatshuttle managers inspect or replace wiring before resuming ISS constructionafter the two post-Columbia test flights.
About 4,000 feet ofthruster system wiring is in each of NASA's three shuttle orbiters. All of itis sheathed in Kapton, a material that tends to fray, which couldinduce electrical shorts. Much of the cable is either inaccessible or buried inbundles that can't be reached easily.
"We originallyrecommended 100 percent inspections because there was uncertainty as to the conditionof the wiring. But they can only see the outside of the bundles. They said(complete inspections) would be too intrusive," Gilbrech said.
"We said, 'If that'sthe case, to eliminate doubt, we recommend replacing the wire.' "
The safety center groupalso intends to make a recommendation on a redesign of the electronics boxesafter it finishes testing aged internal transistors. The electronics boxes,designed to last 10 years, are more than 20 years old. No program had beeninitiated to requalify the devices for extended use.
The agency is planning toinspect the wiring, but it is unlikely 100 percent of the recommended workcould be done in time to resume station construction by the end of the year. Adecision is pending on wholesale replacement, and NASA will make a call on aredesign of the electronics boxes after the NASA safety center issues itsrecommendation.
Parsons and Gerstenmaierare confident the safety review teams from the station and shuttle programsultimately will come to a consensus on the right course of action. If not,they'll take the matter up with more senior NASA officials.
"I think the goodthing is we're discussing this at length and we're not jumping to anyconclusions. We're trying to get the appropriate data to make the rightdecisions," Parsons said. "We're willing to go do what we think isthe right thing. But we're also willing to bump it up to a higher authority ifwe can't come to an agreement."
Published under license from FLORIDA TODAY. Copyright ? 2005FLORIDA TODAY. No portion of this material may be reproduced in any waywithout the written consent of FLORIDATODAY.
· Fixing NASA: Continuing Coverage ofSpace Shuttle Return to Flight