Officials tell reporters about 'no-go' shuttle launch votes
BY WILLIAM HARWOOD
STORY WRITTEN FOR CBS NEWS "SPACE PLACE" & USED WITH PERMISSION
Posted: June 21, 2006
NASA's top safety official and the agency's chief engineer said today they opposed the shuttle Discovery's launch July 1 because of concern about so-called ice-frost ramps on the ship's external tank that could shed foam and cause catastrophic impact damage. In fact, Discovery's flight will be the first in shuttle history with a system formally classified in the "unacceptable risk" category.
Bryan O'Connor, director of Safety and Mission Assurance at NASA headquarters in Washington, and Chris Scolese, the agency's chief engineer, both declined to concur with the decision to launch when signing an official Certificate of Flight Readiness, or CoFR, following a flight readiness review that ended Saturday.
But both men said today they viewed the issue as a threat to the vehicle - not a direct threat to the crew - and as such, they accepted NASA Administrator Mike Griffin's decision to press ahead with launch.
Griffin's decision raised concern in some quarters that NASA might not be paying enough attention to two of its top officials and repeating at least some of the management miscues that led to the 2003 Columbia disaster.
But Griffin and other senior managers insisted that was not the case and that O'Connor and Scolese presented their arguments in great detail and accepted the administrator's decision. In fact, when signing the CoFR document, both men wrote in by hand that they were officially no-go for launch but, since the issue did not threaten the crew, they did not object to proceeding with the flight.
O'Connor today acknowledged a perception problem with the seemingly contradictory positions, but said it was the result of the flight readiness review process and the engineering community's classification of the ice-frost ramps as "probable/catastrophic" in NASA's integrated risk matrix.
"When this first came up, most folks were pretty concerned about it," he said. "That concern level has been going down as we learn more about it, as we refine the models, we look at the data. We haven't changed the design, but there's a little bit of a shift toward more comfort than the other direction.
"I think we're just barely into the unacceptable risk area. I think it's unacceptable to the program to go fly in this condition. But I also believe if it's elevated to the right authority, an administrator (Griffin) who looks at it and with his understanding and his position in the agency who can accept it, then I felt like I was not going to lie down in the flame trench or throw my badge down."
But for purposes of the certification of flight readiness, "I was no go. Period," O'Connor said. "Now there's a second (hand-written) statement that says something to the effect that given this technical issue has already been elevated to the agency (Griffin) level and the risk has been accepted at the appropriate level by the agency as opposed to the program, I do not plan to appeal that.
"The reason that's a little strange is normally, if you just follow the rule book on how you have these reviews, you'd have your review and if there were a dissent there, then you'd have to go have another review to elevate it to agency level. The administrator attended the review, he was the appeal level, he attended it and we discussed this issue the day before we all signed the CoFR statements. We got his acceptance of the risk formally, right there in the review. That's why I put two statements in there."
Said Scolese: "When it all came out, the view of myself was no-go for the flight because I believe we should repair it. But given the decision, and given the fact that we do have many options available to us to protect the crew - and the orbiter if we can effect a repair - the (engineering) community is not against the decision to fly."
Bill Gerstenmaier, NASA's associate administrator for space flight, put it like this:
"We think it's extremely unlikely we're going to have any kind of problem on the orbiter. We're definitely going to lose foam, there's no question foam will come off these ice-frost ramps. This foam will be of a small enough mass it won't be a concern to us. ... We think this is an extremely remote possibility that it could come back and cause damage to the orbiter such that we would not be able to return that orbiter. If we thought it was different, we'd be doing something different.
"I'm just as concerned about protecting the hardware as I am the crew and we want to make sure we're not taking a risk or taking an unnecessary gamble. We've looked at this as hard as we can, we understand what could happen, we understand what could come off, we've looked at our history very carefully, we've looked at models, we've looked at other worst-case assessments and when we put it all together we have reasonable risk to go do this. But it's acceptable and I think we're ready to go fly. If we had real concerns, we would not be flying."
But Gerstenmaier said later, in answer to a question from CBS News, that Discovery's flight will be the first in shuttle history with a system officially classified as probable/catastrophic, that is, one that poses a technically unacceptable risk.
The shuttle Columbia was destroyed during re-entry Feb. 1, 2003, when super-heated air entered the ship's left wing through a hole that was caused by impact of a suitcase-size 1.67-pound piece of foam that broke away from a so-called bipod ramp 82 seconds after liftoff.
NASA eliminated the bipod ramps in the wake of the disaster but during Discovery's launch last July on the first post-Columbia mission, a one-pound chunk of foam broke away from a wind deflector known as a protuberance air-load - PAL ramp on the side of the external tank. Two PAL ramps made up of about 35 pounds of foam were in place to shield externally mounted pressurization lines and a long cable tray from aerodynamic buffeting during the shuttle's climb out of the dense lower atmosphere.
NASA added the PAL ramps late in the shuttle's design phase as a safeguard, in large part because engineers did not have the computer horsepower or wind tunnel capability to fully understand the forces acting on the huge tank during launch.
Late last year, shuttle program manager Wayne Hale decided to eliminate the PAL ramps based on computer modeling and the assumption that extensive wind tunnel testing would prove the tank and its external fittings were tough enough to stand up to the rigors of launch.
Wind tunnel data and additional computer modeling did, in fact, show the tank has the required 1.4 factor of safety with the PAL ramps. But engineers remained concerned about insulation covering 37 metal fittings that hold the pressurization lines and cable tray in place.
Worried about potentially catastrophic foam shedding, engineers tested a new ice-frost ramp design in the wind tunnel but the design failed. Griffin, Hale and other senior managers then decided to stick with the old ice-frost ramp design for Discovery's mission and at least the next few flights while a better design is developed.
The largest piece of ice-frost ramp foam known to have come off in flight weighed an estimated .09 pounds. Computer modeling indicates pieces up to .2 pounds could break away and, if it happened at the worst possible time and worst possible place on the tank, such debris could trigger catastrophic damage.
As a result, NASA's engineering directorate classified the ice-frost ramp foam as "probable/catastrophic" in the risk matrix. That means that over 100 flights or so, if NASA stuck with the current ice-frost ramp design, it's now considered probable that ice-frost ramp foam will break away and cause catastrophic damage. NASA only plans 17 or so more flights, but the classification stands.
O'Connor said foam debris has been falling off the ice-frost ramps "for quite some time. As we learned more about it, we found there's actually a new kind of a failure mechanism here, cracks and delamination under this thick foam on thick foam that we have at these ice-frost ramps. And as we looked at it, the teams realized that the potential here was higher than we had thought before for damage to the orbiter."
With the PAL ramp now gown, the ice-frost ramps were deemed "higher risk than any of the other foam areas when you look at the potential for loss of the vehicle," O'Connor said.
"It was high enough that the technical community reviewing the risk, using their modeling and conservative approach to those areas where there are uncertainties, this got into the area of what we would say is unacceptable risk for the program to be taking. Although it's a close call, there are some engineers who think it doesn't quite meet that margin and there are others that do, there was enough engineering and safety and mission assurance concern about this being in the unacceptable level that the program actually classified it formally as unacceptable risk."
That classification triggered widespread debate among space engineers. Griffin said he did not believe the ramps should be so classified and that in any case, they do not pose a direct threat to the crew. Even a "catastrophic" impact would not affect the shuttle's ability to reach orbit or carry out its mission. In a worst-case scenario, the astronauts could attempt repairs or, if necessary, move into the international space station to await rescue by another shuttle crew. NASA is preparing the shuttle Atlantis for launch on such a rescue mission if necessary.
O'Connor said he agrees with that logic. But he voted to stand down in the FRR process to make sure the issue was decided at the highest possible level.
"When I sized all this up, I kind of came down on the thought that the ice-frost ramp failure case, should it actually develop, a piece that would put a real bad hole in one of the tiles or the special tiles around the (landing gear) doors, we might not be able to fix it to the point where we'd be suitable for entry," he said. "Now in a case like that, that's pretty much the definition of loss of vehicle.
"But the crew does have another option, that is to stay on the space station and then wait for a combination of shuttle/Soyuz (capsules) to retrieve the crew and bring them back. We have plenty of that capability. ... They've done a lot on space station with logistics planning and so on to make sure you could keep nine crew members up there in good shape with relatively good redundant systems available for quite a while to give us time to get the next vehicle ready to go up and bring them down.
"That's the difference between loss of vehicle and loss of crew. And I thought when I sized all this up that if we were in the red area, in other words, the unacceptable risk area for loss of vehicle, I did not consider us to be there for loss of crew. By the end of our meeting, by the way, even if I disagreed with some on loss of vehicle, I think everybody in that room agreed the loss-of-crew risk for this mission is acceptable. So I didn't see anybody saying that was a piece of the story. And that's why I made that distinction."
It was that very distinction, along with NASA's pressing need to resume space station assembly to get the job finished before the Bush administration's 2010 deadline for retiring the shuttle, that prompted Griffin to clear Discovery for flight.
"There is a programmatic risk, without doubt," Griffin said Saturday. "If we have another major incident in launching the space shuttle, I would not wish to continue with the program. We're going to use this flight and the subsequent flights to complete the space station, that's what we want to do with the shuttle, within the next three years we're going to complete the space station. We believe it is possible to do so. But if it is going to be possible to do so, we're going to have to take some programmatic risks because the shuttle will be retired in 2010.
"This president's budget will not carry funding for shuttle vehicles beyond 2010. So if we're going to fly, we need to accept some programmatic risk and get on with it. Again, I'll point out, for me to accept programmatic risk to do this is not the same as accepting a crew risk, which we believe we're not doing."
But the "safe haven" option, in which the crew of a damaged space shuttle moved into the space station to await rescue is not without considerable risk itself. A major question mark has been how NASA would justify launching a rescue shuttle - a mission designated as STS-300 - that could fall victim to the same problem. O'Connor agreed it would be a tough call.
"We would not have time to change the design (of the ice-frost ramps) before STS-300," he said. "But we would have to sit down and feel very comfortable about the concept of going with another flight with that same design. That's why the nature of a lot of the questions in our readiness reviews dealt with, is there anything new about the PAL ramp redesign that makes the environment on these ice-frost ramps different? In other words, we're looking for something unusual about this new configuration that we're flying that would be liable to fool us on this flight and cause something unknown or unexpected to happen on these ice-frost ramps.
"We really scratched our heads on that, the engineers really worked it, they really looked at the data from analysis and wind tunnels and came back with we don't expect this environment where the PAL ramps are gone to pose anything unusual in the way of an environment on these ice-frost ramps. And so that leads us to believe if we were to have an ice-frost ramp problem on this next flight, it would most likely be in an area where we are already accepting risk. We're accepting the risk that some pieces may come off, knowing that the risk assessment says some of those may be fairly large and there's some low chance that a fairly large piece would hit in a critical area. And that's an acceptance of risk.
"If we think we're within that engineering knowledge space on the first flight, then that would make it easier to justify flying the second one," he said. "At the very least, there would be a big discussion about whether we're ready to go do that. The third part of the discussion would be what are our alternatives? ... When you're in an emergency situation like this, where you're going to rescue people, it makes people work harder, think harder and really address the risks in ways that tend to focus your attention. We would have people we'd need to bring back. So I'm sure that would color our discussions as well."