Engineers trying to develop rationale to fly as is
BY WILLIAM HARWOOD
STORY WRITTEN FOR CBS NEWS "SPACE PLACE" & USED WITH PERMISSION
Posted: December 6, 2007
After a five-hour Mission Management Team meeting, NASA managers today decided to delay the shuttle Atlantis' launch on a space station assembly mission until Saturday at the earliest because of problems with the circuitry associated with critical engine cutoff sensors in the ship's external tank.
Instead, the team is focusing on developing flight rationale for launching Atlantis as is, using manual procedures to monitor the sensors during ascent to prevent any potentially catastrophic problems.
LeRoy Cain, chairman of NASA'S Mission Management Team at the Kennedy Space Center, told reporters late today engineers will meet again Friday to reconsider their options, adding they may not get comfortable with a fly-as-is rationale in time for a Saturday launch.
In the meantime, NASA managers ruled out a fueling test Friday and decided instead to top off the shuttle's onboard supply of liquid hydrogen to power the ship's electricity producing fuel cells. That would permit launch attempts Saturday and Sunday and still provide enough on-board supplies for a two-day mission extension and the addition of a fourth spacewalk.
Three spacewalks are required to connect the European Columbus research lab to the station; to replace a nitrogen coolant system pressurization tank; to install a pair of experiments on the Columbus module; and to move a failed space station gyroscope to the shuttle for return to Earth.
NASA managers want to add a fourth spacewalk if possible to permit a detailed inspection of a stalled solar array rotary joint to help engineers figure out what sort of repairs might be needed to get the joint turning smoothly again. But an additional spacewalk would require a two-day mission extension and that, in turn, is based on how much hydrogen and oxygen is available to power the ship's fuel cells.
A launch on Saturday, assuming the engine cutoff sensor problem can be resolved, would be targeted for 3:43:31 p.m., setting up a docking with the international space station around 12:56 p.m. Monday. The forecast for Saturday calls for a 60 percent chance of good weather, improving to 70 percent "go" on Sunday.
Atlantis' launch window closes Dec. 13 because of power and temperature issues related to the space station's orbit. The window reopens Dec. 30, but senior NASA managers have said launch would be delayed to at least Jan. 2 if the shuttle team misses the current window.
NASA managers had high hopes for a launching today, with a forecast calling for a 90 percent chance of good weather and no technical problems of any significance at pad 39A. After a short 13-minute Mission Management Team meeting, engineers were cleared to begin loading a half-million gallons of supercold liquid oxygen and hydrogen rocket fuel into Atlantis' external tank at 7:06 a.m. A few minutes later, the engine cutoff - ECO - sensors at the base of the tank were covered with supercold propellant.
The ECO sensors are part of a backup system that ensures the shuttle's three main engines don't drain the tank in the event of other problems during the climb to space that might prevent an on-time shut down.
The ECO sensors can indicate two possible states: wet or dry. If the sensors falsely indicated they are submerged in fuel when, in fact, the tank is dry, the engines could run out of propellant while operating at flight pressures, speeds and temperatures, suffering catastrophic failures.
Based on the logic used in the computer software that monitors the sensors during ascent, two "failed wet" sensors would have no impact. But a third sensor failing wet could trigger a premature engine shutdown to protect against the possibility of the remaining sensor failing in the dry state. Launching with two sensors in the failed wet state would leave no redundancy in the system.
Propellants flow into the tank from the bottom and shortly after the four engine cutoff sensors at the base of the hydrogen section were submerged today, commands were sent to simulate dry conditions to make sure the circuitry responded properly. Voltage readings from two of the sensors immediately indicated a dry state while sensors 3 and 4 showed voltages higher than 13.5 volts, an indication of an open circuit. The readings occurred simultaneously.
"The failure occurred during tanking, 16 minutes into fast fill," Launch Director Doug Lyons said earlier today. "We picked it up while implementing our standard checkout of the system. As soon as we get these sensors wet, we go through a battery of checks to make sure they're operating nominally and properly. We were at a point in the test where we sent commands to take all four sensors dry. When we did that, sensors 1 and 2 went dry as expected and sensors 3 and 4 went wet. And right then, we knew we had an issue."
Because of earlier problems with ECO sensors, NASA developed extensive troubleshooting techniques and ultimately developed an "exception" to a previous launch guideline requiring four operational ECO sensors for a countdown to proceed. Under the exception, a launch could proceed, managers decided, if A) one hydrogen sensor failed wet; and B) engineers could show the problem didn't originate in the multiplexer-demultiplexer avionics system that controls the flow of data to and from the sensors.
As originally written, the flight rule exception called for standing down a day. A second launch try could then be made depending on an analysis of the way the sensor failed and how it behaved during a second fueling. With one sensor failed wet, two more ECO sensors would have to fail wet to pose the threat of running the tank dry. The exception did not cover the case of two failed sensors.
In the wake of the earlier problems, NASA added instrumentation to the ECO sensor system to provide realtime voltage readings that can indicate a sensor failure or change of state. The instrumentation data was implemented for countdown operations during a shuttle flight last August. But NASA has not yet implemented those changes for ascent operations.
"Once we launch, of course, the sensors are indicating wet, because they are wet, and we know that because they're at the bottom of the tank," Cain said. "Part of the challenge has always been that for a failed condition where it's failed to the wet state, where it's going to stay wet after the sensor is uncovered and really should be showing dry, we don't necessarily have any way of knowing that in real time, or we didn't previously have any way of knowing that the sensor could be failed to the wet state. Now we have some instrumentation on this system that gives us voltage measurements that helps us determine if the indication changes state.
"That's data that we have utilized in pre-launch for our launch commit criteria starting with STS-118 and again on STS-120. It's also in place for this mission. We have yet to implement it in real time for the flight operations part, in other words past T-zero where the flight director and mission control team, working with the crew, would do something with that data if it changed in flight and told them that they might have a sensor failed to the wet state. We have previously not done that because we didn't have the data. As I said, the mission operations team and the crews have been working on how to implement this into their thinking and into their flight rules and into their procedures. So they didn't just start thinking about it this morning."
Cain said he has directed the shuttle team to complete preliminary work and make those changes, if possible, in time for a Saturday launch attempt.
"What's currently in the plan is that we'll try to put together an operational workaround plan that we can get comfortable with that will allow us to go fly on Saturday," Cain said. "And it would be with the intent of flying with one or more failures potentially in the system when we go tank up again.
"If the failures of (ECO sensors) 3 and 4 are still there, the intent would be to have rationale that says operationally we can work around this and still drive the crew safety risk down to zero, or as close to zero as we can, and probably accept some additional programmatic risk between the shuttle and the station programs, but be able to do that and still go fly in December."
Programmatic risk in this case means a slightly higher risk of a premature engine shutdown, the result of some other problem in concert with ECO sensor failures, that could result in a trans-Atlantic landing. An emergency landing in Spain or France would cause major disruption to the space station assembly schedule and NASA's plans to complete the outpost and retire the shuttle by 2010.
Engineers say the odds of a premature engine shutdown in this case are acceptably remote because multiple failures would be required - ECO sensor failures as well as a leak or problems elsewhere in the system that would cause the shuttle to use up its hydrogen fuel at a higher-than-expected rate.
But not everyone agrees. Some engineers favor rolling Atlantis back to the Vehicle Assembly Building for repairs. NASA Administrator Mike Griffin participated in today's Mission Management Team meeting and presumably will weigh in on how the agency proceeds this weekend.