Topics covered: Mission Control 2
Instructor: Guest Lecturer ‑ Wayne Hale
Subtitles are provided through the generous support of Heather Wood.
None for this lecture
It was quite an experience for all of us to get to hear him.
And it is equally very fortunate now to have Wayne Hale who has had a very illustrious career at NASA.
Wayne came to NASA the same year I did in 1978, worked his way up as an engineer through the propulsion system, the integrated communication systems.
Became a flight director in 1988 and served there for 15 years.
He was flight director both for the orbit phase and then the most really kind of intense flight control phase as ascent and entry.
And Wayne was ascent and entry flight director and then lead flight director for many flights, including-- we were trying to figure out before.
But I think he actually served for all of my last four flights.
So we've known each other for a long time.
In 2003, he was sent to the Kennedy Space Center to be head of launch operations.
But he didn't get to spend very much time in the Florida sunshine because they asked him to come back to Houston the next year as deputy program manager for the Space Shuttle.
And then, when Bill Gerstenmeyer left to move up to NASA headquarters, Wayne became the program manager.
So he is able to talk to us both about Mission Control operations and the current and future state of affairs of the Shuttle.
And he is very happy to have you ask questions while he is talking.
And I am not going to talk anymore because they came to hear you, Wayne.
WAYNE: Thank you, Jeff.
I cannot tell you how much I've been looking forward to coming here to talk to you folks.
This is my favorite subject.
Space, number one.
The Shuttle, number two.
And Mission Control, number three.
Maybe not exactly in that order, but they are all three topics that have been--
Oh, that was you.
I thought that was me.
I thought that's a sound I haven't heard before and I'm in big trouble.
But, as Jeff said, please feel free to ask any questions.
I will tell you all kinds of interesting stories today, I think.
Some of them might even be about Dr. Hoffman.
I should tell you my background as an engineer.
I got my bachelor's and master's degree in mechanical engineering.
Did not decide to pursue a doctorate degree for a variety of reasons.
You need to understand that the organization of NASA is very much around the centers.
It was organized as a group largely of independent centers with a very thin veneer of integration at NASA headquarters.
And it remains that way to this day.
And every center is quite different from every other center.
We have some centers that are largely involved in research.
And, if you want to work in the research center, Langley, Glenn, Ames then you need to clearly pursue a PhD.
If you're more interested in an ops center, Kennedy, Marshall, Johnson, then you need to kind of not go after the PhD.
Because people with PhDs clearly do not have a real world practical understanding of problems.
And it is only the guys with bachelor's degrees that get out and know how to turn wrenches in their spare time required there.
So it is very interesting, the different cultures.
I can say that with a grin because there are different cultures within NASA.
And working between the centers is very interesting.
And since I have moved in the management ranks, for what reason I don't understand, I have fouled up in my career.
make you a manager when you don't get to do the things that you're good at anymore.
Yes, promote you something that you were never trained for.
It has been very interesting for me to try to work between the various centers to help them accomplish the goals that the agency has.
One of the things I should say is that I regret my academic career as I didn't take more psychology, more accounting.
Because, frankly, when I was in graduate school, I can remember one of the courses I had was systems of nonlinear partial differential equations.
Anybody taken a class that has a title vaguely similar to that?
I never used that class.
I have never touched a differential equation in my professional career.
Now, why that is, is kind of interesting.
But what I really did need was trigonometry and accounting.
And you will see a little bit of that.
Today my class is not going to be highly technical.
It is going to be a series of illustrations about Mission Control.
And, as I said, I will be happy to talk to you about it.
I go to a lot of conferences these days, and I frequently sit in advanced space systems sessions.
I sat in a very interesting future reusable launch vehicle session the last AIAA conference I went to.
And I walked away totally distressed because they have no concept of what the real world is like in many of these academic seminars.
And I want to inject a little bit of real world realism into what you guys think about as engineers.
One of the favorite topics of people these days that are designing advanced space systems include what they call and "austere" launch pad.
In other words, you cannot fix anything on the rocket when it is on the launch pad.
And the reason they side is look how much money all these programs spend fixing their rocket out on the launch pad.
Well, the fact of the matter is rockets are very finicky, rockets have very little margin in many of their components and things break.
They can break and you don't even know it until you plug them all together and turn them on.
And if you have a launch pad that is austere and you can do no work on it, well, what was one of those colorful phrases that Chris Kraft would use?
You have really bought the farm.
I won't use his colorful phrases.
You wind up spending a lot more money because you've got to take the rocket back to the barn and take it all apart rather than maybe get access to fix it.
If there was anything that I wish we had was more capability to fix things on the launch pad.
We spend a lot of time and money working around problems that we cannot fix at the launch pad, even though we have a huge amount of capability.
You don't save money there.
It is a false economy.
Similarly, there is a notion en vogue that you don't need a big Mission Control.
That is just a lot of people that cost a lot of money that you don't really need.
I think it reached the height of the anti Mission Control forces during the DCX program when they were very proud to proclaim their Mission Control was a trailer house with three people in it.
And they thought that was all any space vehicle needed to have to launch.
Of course, they only reached an altitude to 5000 feet and they crashed their only prototype vehicle, not because of Mission Control but perhaps because they didn't pay enough attention to operational situations.
In my business now, I can tell you that in the Space Shuttle program Mission Control cost me less than 2% of the total budget for the Space Shuttle program.
What we get for that 2% is quite amazing.
And every time the budget folks come down from Washington to review our budget, they want to help us drive down the ops cost, they take one look, you have the budget breakdown of the Shuttle program and they say you guys don't spend very much on ops.
This is not where we need to look if we want to save some money.
If you want to save some money, you need to make a reusable vehicle.
Reusable and not so maintenance intensive to turn it around.
And that may be a theme that you hear today.
I've got a couple of things I want to pass out to get started, a couple of glossy brochures.
I think there are enough of these for everyone about Mission Control.
People in the class should get first dibs at this, but hopefully there are enough to go around.
I think there are plenty of these.
And the little one is similar to the big one.
And I'm not going to spend a lot of time.
If you want to know about how Mission Control Room is laid out and who the people are that do things, it's all in this brochure.
I don't intend to go over that.
I think Chris Kraft probably gave you a good background about why do we have a Mission Control.
Why did he invent a Mission Control?
And this is kind of the nuts and bolts of Mission Control as it exists today.
Public Affairs Office is really good about putting those things together, and I don't intend to cover them.
Also because I had a whole bunch of copies of my last two papers sitting around that I needed to get rid of, I lugged them up here.
I want to give you copies of my last two papers which have to do with operational issues that you can read at your leisure.
And I particularly want you to look at the considerations in rendezvous launch windows.
Those are two different papers.
One discussing entry operational considerations and hypersonic entry that we've learned with the Space Shuttle.
The other about rendezvous launch windows.
And it will give you a little flavor for what a real operation needs.
Many people can talk to you about the physics, kind of the things that God says you must do if you are going to rendezvous in space, for example.
But there are many other considerations that you run into in the real world.
So I am going to talk today mostly about Mission Control.
Perhaps at the end we can talk a little bit about the Shuttle program.
And these I am short of so, please, people in the class only as my handout for the slides here today.
And the slides will be posted on the Web as well.
Hoffman has got them off my electronics here.
OK, so the things I am going to talk about today basically are outlines on this page.
We have a Mission Control.
Here are some of the reasons we are going to talk about trajectory.
Planning and monitoring flight planning.
And then I've got a couple of stories from the trenches.
And then I promise you no differential equations today.
Why should you have a Mission Control?
Why is it necessary to have a Mission Control?
I have four basic reasons to have a Mission Control.
The first one is safety.
We have seven or eight astronauts flying arguably the most complex flight vehicle that has ever been invented.
They don't have enough time or enough resources to watch everything to the degree that is necessary.
We have a large group of folks on the ground in Mission Control, about 800 folks in Mission Control that are also monitoring at a very detailed level with more information than the astronauts get to make sure that everything is operating as it should be.
We provide a level of safety in Mission Control.
Secondly, we provide flexibility.
We start planning a Space Shuttle Mission typically about 18 months in advance.
The flight operations people are the flight planning people, so the Space Shuttle program, NASA headquarters will come down and say you need to fly a Space Shuttle flight that does X, services the Hubble Space Telescope, deploys the Chandra X-Ray Telescope, goes to the International Space Station and adds a module or carries supplies or what have you.
Then it is up to the planners who will become the operators to put that plan together.
How are we going to accomplish the big objectives on this flight?
It's not just enough to take this big module up and plug it into the Space Station.
You've got to wire it up.
You've got know when to do which wire first and what switch to throw in what order or you will fry the circuits.
It's a very complicated business.
It is really complicated when you have to deal with scientists.
So, when we fly scientific payloads, we deal with folks that are not operationally minded.
They may have been working on their experiment for, oh, how long did it take to get a doctorate degree, 15, 20 years in some cases.
They have been working on this experiment for many years.
They are going to get the maximum amount of data they can, but they are not aware of the fact that there are four other payloads onboard and four other competing folks that want to get their science data in.
We always have a discussion about how many person hours of astronaut time can we devote to an experiment?
How many kilowatt hours of power can we devote to an experiment?
On and on and on.
And it makes these researchers do some really tough sole-searching.
And the saddest thing that I have ever seen is an experiment, and there has been more than one of them, where they flipped the switch, it blew the fuse, it was down for the count and lost all objectives with the first switch throw.
And then the scientists would come running and in and say if you'll just let the astronauts take the back panel off and rewire this circuit it will work.
And we don't have time to do that on a spaceflight.
Or, if we did have time to do it, we would take that time away from experimenter number two or experimenter number three or all of the above.
In operations, there is a lot of work to set priorities, set timelines, make sure you do things in the right order, and then train the operators and the crew.
Now, once you do that planning for 18 months you understand the priorities, the pros and cons, the logic behind all of those trades.
And so, when you go into flight and something happens, as it always does, we can re-plan it on the fly.
And we do, almost every flight or the vast majority of flights, take the flight plan that we published pre-flight, put it gently in the recycle bin and develop a new flight plan that can be drastically different.
And we're able to achieve a great degree of success in our operation of the objectives that we set out to do because we have the people that can, in real-time while we're flying the flight, in this short period of less than two weeks overnight re-plan and come back with a new plan to accomplish the objectives.
Wayne, I was one of those scientists who didn't understand about the realities of spaceflight.
And I liked your choice of the words "you would discuss with us".
Dictate would be the key word.
The question I wanted to address to you is this business of taking the flight pad, putting it in the wastebasket and then generating a new one.
In the seven Shuttle flights that I would have investigator status on, they all had, as their basic philosophy, a return to baseline.
If something went wrong, get back to your baseline plan as quickly as you could, even if you knew that it was non-optimal.
Could you comment on that?
I would say, from my perspective, quite the opposite.
Yes, there is a baseline plan.
And there were very good reasons for that baseline plan.
But the flight control team is always looking for the optimum solution.
So I would say my perspective may be a little bit different from yours, but that has been my experience.
We are always trying to achieve the maximum number of objectives.
So flexibility from Mission Control is the second big advantage.
The third big advantage is let the crew focus on those things that people can only do in space.
They have access to vacuum.
They've got zero gravity.
They've got the high vantage point to do earth observations, what have you.
You cannot do those things on earth.
That is why we put people in space.
And why would we make them calculate the gas budget for deorbit burn which can be done by some bachelor of science engineer with an accounting minor on the ground?
So we let the crews focus on those things that you can only do in space and we do every job that we can on the ground.
Somebody calculated for me one time, and I almost hate to give the statistic, that it is $30,000 a minute for people in space.
You can hire a lot of engineers to offload that amount of time.
And, finally, there are some jobs that you can only do on the ground.
The NOAA weather satellites do not directly uplink to the Shuttle so the astronauts don't know anything about weather, other than the little part of the world they can see out their window.
If you want to forecast where you land, that's a job that you can only do on the ground.
Obviously, radar tracking there are hundreds of things that you can only do on the ground.
And I would say interact with management and review the priorities is one of those things that can only be done on the ground.
Here is my first cartoon for the day that compares airline travel to space travel.
And I think this is a telling cartoon because it is entirely true.
I flew in last night on probably a 12 or 15 year old 737.
It was a nice plane but a little shabby.
And we got bumped around pretty good coming into Boston.
And I am thinking all the time about I wonder if they have maintained this aircraft well.
You can pick up the papers.
And they do a very good job in the airlines, but the fact of the matter is much of the airline industry is involved with passengers and customer relations and baggage handling and all those good things.
And the maintainers and the safety people are few by comparison.
In comparison with the Shuttle, we don't have very many passengers to deal with.
Generally, they are cooperative.
Sometimes they get surly.
But we don't have very many to deal with.
And everybody in the program is a safety worker.
And that is something we continuously exercise.
To turn a Space Shuttle orbiter around from one flight to the next takes 500,000 man hours of maintenance.
There is a gem for you.
People have been working for 30 years to decrease the amount of time that it takes to turn the Space Shuttle orbiter around.
It is a reusable vehicle, but it is a reusable vehicle built with very small margins with a lot of complicated technology.
And it takes a lot of maintenance.
Some people think we would have been better launching expendable rockets.
The same amount of time, actually, a little more is involved in launching Titan IVs which have the same payload throw weight as the orbiter does to low earth orbit.
The new launch vehicles Atlas V, Delta IV and its variance are supposed to be launched with a whole lot less.
However, they do not have the payload capacity to orbit.
And, in fact, they have not achieved their goals of man hours to a launch that they have set out to yet.
Although, they are early yet.
We've got to give them time to work on it.
But, the fact of the matter, getting into space, whether you doing with an Ariane, a Soyuz, an H2 or an Atlas V, Delta IV or the Space Shuttle remains a very expensive process which I think the public doesn't quite understand.
I would like to talk about some of the things that Mission Control does to get ready for a flight and then how they execute it in-flight.
And first among those is trajectory control.
Who in here is an orbital mechanics wizard?
We will have some equations for you in just a minute.
Here is the first one.
Would you like to step up and explain?
This is all involved in orbital mechanics.
This is how do you get to orbit?
We have the flight performance reserve of main propulsion system propellant.
We load a half a million gallons of propellant.
That is over 2.5 million pounds of liquid hydrogen and liquid oxygen in the external tank for the Shuttle.
How much do we have for a normally planned mission at the end of when you achieve orbital insertion?
Anybody want to guess?
Remember, every pound of propellant that you leave in the tank and throw away into the ocean is a pound of payload that you could have carried to orbit.
So this is not a trivial process.
Our goal is about 900 pounds.
And you are going to see how we do.
But this is a little plot that we've developed based on mixture ratio of the engines.
Now, the Space Shuttle main engines have what we call an overboard mixture ratio of 6.039 nominally.
We test fire them at the Stennis Space Center, every engine for every flight, to check how they operate mixture ratio because mixture ratio and ISP are critical.
When we updated the Space Shuttle main engines to the block two engines they are vastly safer than the original engines in the Shuttle because they operate at lower pressures, lower temperatures and their rotating turbo machinery operates considerably slower RPM.
However, we gave us a second and a half of ISP.
And that is huge in this business, a second and a half of ISP.
This plot shows, as a function of mixture ratio, if you have any shift in mixture ratio in flight, which we have, I'm going to talk a little bit about that, you will change the amount of residual remaining.
Here the little blue dots are the normal flight performance reserve.
That is how much gas you've got left in the tank when you get to orbit.
And you can see our goal here is about 2500 pounds.
Of that about 900 pounds is fuel residual based on this curve right here.
Now, you may ask why do you want to have an extra amount of hydrogen fuel in the tank over oxygen, what is the difference?
The engines are designed, the cutoff hydrogen rich.
We don't operate at the stoichiometric chemical ratio that you would combine hydrogen and oxygen to make water.
We operated at about a mixture ratio of six instead of a mixture ratio that would be 18, I think.
Did I do my chemistry right?
It's been a while.
We operate considerably off the stoichiometric ratio.
As you get mixture ratios that approach the stoichiometric mixture ratio your fire burns a lot hotter.
You get a lot more heat out of that fire.
Metallurgically, the engines cannot stand those higher temperatures.
We already operate at 6000 degrees Fahrenheit.
That is tough.
You run out of fuel and cut off oxygen rich, those temperatures will go out of site in the engine turbo pumps.
So we want to cut off fuel rich.
We biased ourselves so we cut off fuel rich, but it does not take very much of a mixture ratio shift to get you to cut of LOX rich.
In fact, as mixture ratio crosses the knee of this curve, you wind up leaving actually a lot of LOX in the system cutting off on the fuel side.
So we have to carefully monitor how the engines come in.
And, when we talk about overboard mixture ratio, that is not just what the engines operate at, but it's whatever losses you have in the system.
As you bleed hot hydrogen or hot oxygen off the engines to repressurize the tank, that becomes a loss and that affects mixture ratio.
One of the real problems we're dealing with is, as we develop what we call engine tags down at the Stennis Space Center, we have found an interesting phenomenon.
In flight, we pressurize the tanks with their native constituent, the oxygen tanks pressurized with oxygen and the hydrogen tanks pressurized with hydrogen.
At Stennis, where we do the engine tests and develop the characteristics of each engine, and every engine is just a little bit different, they pressurize their tanks with nitrogen for safety reasons.
The nitrogen can diffuse into your hydrogen, but more importantly it can diffuse into your oxygen system.
And, therefore, you have a less pure propellant and it drives our mixture ratio off as a function of having impurities in the propellant.
So we get a tag of what we think the mixture ratio is of the engine.
That is different than what we get when we go fly.
And, in fact, the last flights, one of the last meetings I had before I came down here yesterday was a meeting with our flight analyst who have an unexplained missing 300 pounds of hydrogen every flight for the last 10 or 12 flights.
And we are beginning to converge on the idea that it is this nitrogen impurity in Stennis that gives us a false mixture ratio which we design our flights around.
Let's talk a little bit about it.
Here is a little schematic.
The external tanks really have two tanks, the oxygen tank on top and the hydrogen tank on bottom.
When we make it to orbit, how much is remaining in each tank?
Well, the answer to that question is none.
What we are running on at orbit insertion is what is left in the pipe.
And it is really not orbit insertion but close enough to talk about it.
So we have 17 inch diameter pipe coming down the side of the hydrogen tank from the oxygen tank up above.
It goes across into the engine compartment of the orbiter.
And this shows you where several of the early flights were at main engine cutoff, guided cutoff where we wanted to be from an orbital mechanics standpoint, altitude velocity, flight path angle and so forth.
That is where we were.
That is how much was remaining in the tank.
None in the tank.
That is how much is remaining in the line.
That is how close you have to cut it for spaceflight.
I have another presentation, and if we have time I might show you a few charts out of that, that talks about the difference between commercial aviation and spaceflight.
We operate on much smaller margins.
And every pound you see in that far part of the table that talks about the residual remaining, those number of pounds, and, by the way, we're antiques.
We use English tradition units in the Space Shuttle program.
But every pound residual that you have in that far column is a pound that you could have taken to orbit of payload but did not.
You threw that away.
How do you measure that mass?
Very good question.
They look at pressure hit.
We have pressure transducers down in the lines as they approach the engine and you're accelerating at 3G.
We have an inertial measurement unit that measures velocity, and we control the engine throttle setting to 3Gs as we approach MECO.
And so you look at the pressure and that determines, based on a very simple head calculation, where you are in that standby coming down the outside.
The fuel side is a little bit more complicated.
They have a 5% level sensor in the tank that tells you when you're at 5% in the tank.
And then we have fuel flow meters on the hydrogen side, and they calculate flow rate minus from the 5% level down to when a main engine is cut off.
So those are the ways we can do residual.
And that is not a simple exercise.
It is vastly more complicated than the simple explanation I just gave you because the engines are throttling continuously.
Now, I wanted to talk a little bit, if I can move from normal mission planning to abort mission planning.
Normal mission planning is something we do upfront and then we monitor during flight.
And one of the stories at the very end of this presentation is about a day when things did not go right in the engine world and what we did about it.
This is going to talk about abort modes.
Now, the Shuttle is very interesting.
Human spaceflight is different than expendable spaceflight because we would really like to get the people back.
And expendable spaceflight, your basic principle is if one of the rocket engines quits early you are done.
The payload goes in the water.
Or, if you launch from
it may go into Mongolia.
But you don't get it back.
There are no overs with very few exceptions.
If you have a problem in your main propulsion system on an expendable rocket it is time to talk to your insurance company because you are done.
Even very minor problems can strand satellites in lower orbits than they have useful life.
It is very important that the propulsion system work well.
But the Shuttle was designed with the thought that one of the three main engines could shut down early.
We have safety monitoring on those engines to make sure that they would shut down if something goes wrong in a contained, that is to say they don't blow up, manner.
And then you have to have the capability to get the crew back, much like an airliner.
If you fly on an airliner or any kind of multi-engine aircraft, one of the things that they must be certified for is engine out operations.
Lose an engine, pass the commitment point on takeoff and still be able to takeoff safely and return to the airport.
That is a fundamental principle in aviation safety for a multi-engine aircraft.
One of the Shuttle design goals is very similar.
Lose one of the rocket engines, have it shut down prematurely and still be able to land safely somewhere.
Notice I said one engine.
Not two engines.
Not three engines.
That is a huge technological leap over expendable rockets.
A huge technological leap.
And we pay the price in terms of performance.
Here is a little bit of the different abort modes.
If you have an engine out somewhere between launch and about four minutes into flight, you have to return to the launch site which involves turning around and flying backwards at mach 6 through your own rocket plume, which is everybody's favorite thing to want to avoid doing.
A little bit later than that we pick up the capability to do transatlantic abort.
Sometimes we call the transoceanic aborts, but the acronym really is transatlantic abort, TAL.
And land somewhere in Europe or Africa.
And somewhat further along you can abort to orbit.
You can actually dump your secondary propellant and wind up in a lower orbit.
And then you may orbit once around or you may come back on the third orbit.
Or you may be able, in fact, to fly nearly a normal mission depending on how lucky you got for the time that the engine was out and how you were doing with reserves.
Here is a little bit of different graphic, a cartoon of the same thing.
I don't like it too much because RTLS actually turns the other way.
But, as you can see, we would try to return to the Kennedy Space Center which has possibly the worst weather in the entire western hemisphere or continue on around or up on end to orbit.
And you have to always be concerned about external tank disposal.
This was the abort regions chart generated pre-flight for our last flight, STS-114.
We have three TAL sites, transatlantic intact TAL sites, one at the Zaragoza Air Base in North Spain, one at Moron Air Base in South Spain near Seville and one at Le Tube which is the French Air Force Flight Test Facility near Marseilles.
And then we have what we call "Press to ATO".
Press to abort which involves a dump, involves changing your inclination of your orbit to a lower inclination if you invoke this.
You cannot, for example, ever rendezvous with the Space Station because you won't wind up in the right orbital inclination, even though you may make the altitude.
And then we have what we call "Press to MECO" which involves just kind of closing your eyes and riding it out and see what happens as you get close to your guided MECO.
So we build these charts in advance.
And then we have a very sophisticated computer program in Mission Control that monitors the engines the entire time during launch called the "abort region determinator" that can emulate a single engine out, two engines out, three engines out or a vacuum impact point.
And a flight dynamics officer is responsible for making those calls.
The crew does not make these calls.
The crew has a crew card very similar to this onboard so that if they lose communication with the ground and something bad happens they might have a chance at pulling it off.
But it is based on everything more or less performing as planned.
If anything is performing off normal than these charts are no good.
That is hosted in Mission Control.
And until some day we put a supercomputer onboard the space vehicle it will continue to be hosted in Mission Control.
Do you have a question?
That is a critical real-time call that is made in a hurry.
It is not always decision aid.
Can you comment a little bit on the reliance upon the automatic decision aid computer that is grinding this out and the judgment of flight control?
Well, first of all, you have made a false distinction because the people that wrote the computer code are the flight controllers.
They understand the logic that went into it with practice probably three days a week in Mission Control exercising simulated missions that have engine problems so you practice that.
It's not an either or.
It's a symbiotic relationship.
The abort region determinator doesn't work without operators.
Operators only have the cue cards to go on if the abort region determinator software quits.
You cannot get by without the other.
There is some judgment involved.
And a good flight dynamics officer with these charts, with no
can make some judgment calls based on trends and performance.
But we need both.
You cannot have one or the other.
It is very sophisticated.
It is very subtle.
And very small changes can make this software, this predictor work.
It is probably the best example of an expert system that I know of, but it takes a great deal of care and feeding.
And it is very, very sensitive to the inputs.
So it does take a lot of judgment and experience to interpret.
Along with that, we need to talk about where you land.
Because here are all the places.
We kind of closed down Banjul and the Gambia because we don't fly that inclination anymore.
We do fly at the International Space Station Missions, and we have the TAL sites I talked about.
We could fly as high as 57 degrees inclination, which we have done in the past, but that is outside the range of what we need to do for the Space Station.
The interesting thing is we get into the weather story and the weather forecasting, and deciding which landing site you can go to is pretty complicated.
I never studied meteorology in college.
It is another subject I wish I had.
That is not all.
We talked about intact abort landings if one engine quits.
But being good flight planners and controllers you always take it to the next level.
What if two engines quit?
What if all three engines quit?
And so we have made agreements all the way up the East Coast of the United States with the Canadians to have places to land.
And, again, we have agreements with all of these landing sites.
We send people to train them about what would happen if the Shuttle would land there.
We check the weather.
Across the Atlantic we have landing sites.
Again, Shannon, Ireland was probably the first dry patch of land that you can come to on the far side of the Atlantic Ocean.
Typical weather conditions there are 500 feet overcast and rain and fog so we don't really probably want to use that.
England is a little better.
Cologne Bonn is a little better.
And then we have all of these landing sites that we can look at.
And that keeps the State Department busy for us because we have to have international agreements to use any of these places.
It took us two years to negotiate with the French government for emergency use only of their landing site.
We typically don't have people at these landing sites other than our intact TAL sites, Moron, Zaragoza and Istres-Le Tube.
But they are there.
We would not hold the launch up if one of the landing sites for two or three engines out was not available, but we would if we did not have an intact landing site which is the one engine out requirement.
So we have requirements difference.
One of the really fun things is when we get into the summer months we frequently cannot use some of these airports because they have air shows going on.
And they would really like us to land the Shuttle there during an air show, but we don't.
One of the things that we have to watch very carefully is where do we get rid of the external tank?
Now, we can carry the external tank to orbit.
There have been some very colorful viewgraph presentations put together of using the external tank as parts for a Space Station.
Totally science fiction.
Operationally it would be extremely difficult to do.
Carrying the tank to orbit would be very easy, but we stopped just short of orbital velocity so that we can control the disposal of the tank.
We now have international treaties that say you shouldn't put things in orbit without being able to put them in a place where they don't hurt people.
We don't like to have satellites reenter and drop radioactive garbage or even just big hunks of metal on top of people, so we have the external tank that we separate and drop just short of orbital velocity and use the small orbital maneuvering engines on the Shuttle to provide the last couple hundred feet a second to get to orbit.
And we have to plan this very carefully.
We've done a lot of studies to find out when that tank will rupture, how big the pieces are, how far they've come apart.
And we actually have flight rules talking about ET disposal.
This is a serious subject.
Everybody that flies an expendable rocket has to know where their stages are going to fall, except maybe the Russians who just drop them in Kazak or used to.
I grew up in New Mexico in the 1970s.
We were very excited about the thought that White Sands might be the launch site for the Shuttle when it was under early design phase.
When they picked solid rocket boosters that fell off just a couple hundred miles downrange, we knew that White Sands was out of the running because that would put people at-risk in the continental United States.
And those kinds of decisions make for launch site decisions.
We're talking a little less than an hour.
Probably about 45 minutes from managing cutoff to the rupture at about, let me see, let me make sure I say that right, 122 kilometers.
I don't operate in kilometers.
I have to do the math, but it's not long.
It's less than one orbit.
One orbit taken 90 minutes.
It's about halfway to two-thirds of the way around the world that we get rid of the tank.
And this is a very important subject.
In fact, US laws and the Eastern Range that we have to work with to get launch clearance issues what we call "Notice to Airmen" or "ET disposal" about 48 hours prior to the Shuttle launch to clear the ocean area and the air space.
And this is all based on what we call a normal main engine cutoff.
We made our guided cutoff to orbit.
And here is a little picture of a problem we had earlier I want to talk about.
Here are the ET disposal lines for the different inclinations.
You can see that some of these get kind of close to the West Coast of Mexico, but most of them fall out in the Pacific Ocean.
And, in particular, here are the Space Station lines for disposal of the external tank.
And, as we go through the five minute launch window, the inclination of the orbit -- Not the inclination but the steering the Shuttle has got to do to reach the Internal Space Station changes the place where these tanks are disposed of.
I think I have a better picture.
And, in particular, we had a problem with this little island right here that we were infringing on the internationally recognized 200 nautical mile limit for pieces.
Now, if we do a normal insertion, you will see that we have these typical nominal footprints based on where we were in the launch window.
That is where all the pieces will fall.
But we have dispersions based on trajectory and other dispersions that say we've got to clear to a 99.7% probability this whole area, or this is the area that results from all the dispersions at that level.
So we don't want to drop pieces on people.
Once upon a time, the United States Air Force thought that Pitt Island down here was a bird sanctuary and nobody lived there.
And they sent out the Notice to Airmen to clear the area, and we found out there are a couple of hundred people that live on this little island and the Australian government got kind of bent out of shape over that.
We had to negotiate infringing by just a few miles on the 200 nautical mile circle around these guys just at the toe of the footprint, and that went back to the French government.
And that took us two years to negotiate.
So they don't teach you everything you need to know in engineering school like negotiating with the French.
[BEGINS SPEAKING WITHOUT MICROPHONE]
...disposal probability to your average diplomat, like you say, we don't get training for that.
Now, here is my funny story number one.
Dick Richards, who was program manager before me, was asked to go on speaking engagement to American Samoa.
Now, I've been asked to speak a lot of places and they are always like Boston or, you know, OK, this is a nice place to come, but think about a speaking engagement in American Samoa.
So he had to go to American Samoa to speak.
And, as they got ready to leave, the airline pilot came on and said we cannot take off because they are going to launch the Shuttle today.
He had seen these tanks come in.
He was not about to violate that airspace that they have been notified.
And the launch time would put him past the point of no return where they had to continue onto Hawaii and could not turn back to American Samoa, so he wasn't going to take off until he got word that the Shuttle had either launched or scrubbed for the day.
And there was a delay.
And so Dick Richards got on his cell phone and called to Houston and found out that we were sitting on the ground in Florida based on bad weather at the TAL site at Banjul and the Gambia.
The passengers started talking about this.
And they said you mean here we are in American Samoa waiting on a Shuttle launch from Florida that has been delayed because of bad weather in West Africa?
The answer is yes.
So, what you do has an impact all around the world.
OK, enough about trajectory.
And I have quite a lot I could talk about.
Let's talk about flight planning.
One of the interesting things that we do onboard the Space Shuttle is we carry a lot of laptop.
At last count, I think we carried about 11 laptops on the last flight.
But we don't rely on those laptops because they keep breaking.
What we rely on is paper.
Spacelab flights are worse.
I'd say the typical Space Shuttle flight that launches carries 80 pounds of paper checklists.
Every one of those pages lovingly crafted.
We got maps and charts and we got all kinds of little cue cards that stick up on Velcro all around the cockpit, but by and large they come in books, and here are some of the books.
And Mission Control folks build those books, understand those books, can modify those books in real-time, and frequently do.
One of the things we have to watch is printer paper onboard because we cannot run out of printer paper when we update checklists.
And so we have to monitor how much paper we are using as we print out changes to the checklists onboard.
In so far as paper can be made low flammable.
It is but it is paper and it will burn.
The Shuttle cockpit is full of flammable stuff.
But it is tried to kept under control.
It is tried to be protected.
And, of course, we don't operate in a pure oxygen atmosphere as Apollo did.
It is very much like earth normal atmosphere.
So, no, it is not fire proof.
I wish it was.
When we start a flight, we start out with what we call a flight requirement.
Here is the flight definition requirement document.
Here is the flight we just flew and the basic parameters that we've got.
Which orbiter are we going to fly?
The next flight up we're going to fly Atlantis.
Which external tank is TBD?
Because we're still arguing about that.
Which solid rocket booster pair, so on and so forth?
Which main engine by serial number?
Which flight software release?
How many cryogenic tanks do we have the arm onboard and all this stuff?
What is the manifest?
Well, it is a station manifest for the utilization flight 1.1 which has got an MPLM.
It used to be called the Miniature Payload Logistics Module.
Now it is the Multi-Purpose.
That transmigration of acronyms over time have become more politically correct as a subject for a doctoral thesis, I think.
Which launch pad we're going to operate out of?
And how many days are we going to fly?
How many people?
We're going to carry seven up, six down, land at KSC and a bunch of remarks.
This is kind of the basic definition.
This is the starting point for a flight.
This is what we get to start.
And then we have to flush those out.
We build a word document and we talk about the requirements for a flight.
This is done at the program level.
What is the launch window?
What is the launch period?
And many of these things are just flushing out the basic requirements you saw in the chart.
Here is an interesting one, part of that flight requirements document that talks about EVA spacewalks and talks about what we're going to do.
And you will notice, in great bureaucratic language, the purposes of the EVAs are defined in another document that you have to go off and look at.
So, they're not any flight requirements documents but at least you got a reference where to go.
And here are some of the things we are going to be able to do on this flight.
And, in fact, we're going to have some contingency or emergency EVAs that can do these emergency things, which we hope we don't have to do but we are going to be prepared to do.
From that we develop flight rules and flight plans.
Here is a page out of the flight rules book that the ops people built.
This is discussing how we take pictures of the external tank.
You saw those beautiful pictures just a few minutes ago of the tank taken by the Shuttle.
And here are the guidelines.
We're going to have to do a thrust from the plus X jets, but we won't do it if we've got problems in the propellant system, if we are way under speed, if we're going to be dark because we don't have a flash that big, and so on and so forth.
And then that's the automated umbilical well camera.
And then we've got the handheld photography.
And we've got a whole bunch of reasons why we wouldn't do that.
If we had to go to a backup software, we don't want to do that because it makes it too sporty, just all kinds of reasons.
Bob's people are thinking about this all the time.
And, in fact, it's not enough to have the rule.
Here is the rationale behind that rule.
Why is it we decided you would or would not take those pictures which are very important to us for post-flight analysis on a very detailed level?
Anything you see in italics font is what we call flight rule rationale which is the subject of interminable meetings and lots of haranguing and wrangling.
Here is a little bit of the inspect rule.
We all know that the thermal protection system on the Shuttle is not as robust as we would like it to be.
We are going to inspect it every time.
Here are the priorities that are planned before flight for thermal inspection system.
And we start with the most important and we work to the least important.
Your goal is to do them all but your plan is to have a plan ready if you run out of time.
And then, again, the backup of why did we say that.
And, again, it is more inspection priorities.
I am not going to go over all of these.
You can look at them.
I want to come back to EVAs for a minute.
Here are some of the EVA task objectives.
This is something that they did just the other day onboard the International Space Station.
This happens to be an International Space Station rule, but it is closely related to the Shuttle rules.
They put in a new camera group.
All this is perfectly clear to you guys, all these acronyms.
It takes about six weeks to learn the language when you come to work at NASA.
And then we have something on the Station called the floating point potential measurement device which is broken and became junk and they threw it overboard just a couple of days ago.
Well, you get through all the rules and you come to a flight plan.
And here is the flight plan.
This is from the last flight.
Eileen Collins, here is what she is doing this particular day.
This is flight day number three.
This is what the pilot is doing.
Some time I will have to tell you the difference between pilot astronauts and mission specialists.
Hoffman has his PhD.
He well versed in many things.
And the pilot, Jim Kelly, one of my favorite guys, I like him a lot, flies jet planes so he gets post-sleep exercise.
And so we have all the guys.
And what they are doing by the hour of the day, and this is the overview, by the way, but these guys are going out on a spacewalk.
And so here is their EVA preparation, purging their suits, getting setup, going out the door.
Here is the EVA which are going to be outside for 6.5 hours.
And this particular day they're doing the thermal protection system repair detailed test objective which you saw in the rules as one of the priorities.
So, we build this level of flight plan.
Now, this is not it.
We go to the minute-by-minute level, detailed checklist, this is the overview.
This is kind of OK, you've got to get up and brush your teeth and make breakfast and then go do some work kind of thing.
And then we have all of our other procedure and checklist to make sure everything goes as perfectly as it possibly can.
And this is just A day.
And then we get all kinds of good little information down here.
One of which is when we're going to be able to communicate with the astronauts.
There was a revolution in flight control when we launched the Tracking and Data Relay Satellites.
Before we had Tracking and Data Relay Satellites and you just had ground stations to communicate with the crew, we could talk to the crew about 15% of the time.
85% of the time they were out of communications with the earth.
Now, if you were going to the Moon and you used a Deep Space Network, you pretty much had continuous comm.
But if you were doing Shuttle or any other low-earth orbit kind of thing you could only talk to the crew for about 15% of the time.
And sometimes it lined up that you would talk to them three or four minutes every hour and a half.
The Russians have a huge problem in that they lost all of their tracking stations outside of geographical Russia.
And so they talk to their crew and plan their crew day on those parts of the orbit where they come over geographical Russia.
And they are a slave to that.
And we launched the Tracking and Data Relay Satellite.
Now we can talk to the crew all the time.
There is virtually no time you cannot talk to the crew.
The crew gets really tired of that.
They want to shut the radio off because Mission Control is always calling up and yammering at them.
But it is a revolution because now we can get continuous data, communications and command with the crew from the ground.
And the bottom line on that is we're much more efficient.
We don't have to wait for critical activities to happen until we get that communication link.
Mars there are going to be four to 20 minute time delays in communications one way.
What are the preliminary plans for dealing with that?
I don't know.
No, I'm sorry.
A lot of people are really worried about that.
It will be a different way to operate.
And the folks that are working on those programs have got a real challenge.
Two quick questions.
One is if you time the checklist, I mean do you know how long page three is going to take?
And the other thing is do you have backup flight plans for every contingency pretty much where you know if this experiment fails, per se, we will pull out this flight plan and it reschedules everybody?
In fact, what we do is we have some emergency checklists.
If you develop a leak in a cabin, OK, here is the emergency drill checklist to get you back on the ground as soon as possible.
But the flexibility that I talked about in Mission Control is no, we don't build complete different timelines.
Say if experiment A doesn't work we have a different timeline.
What we do is we have the smart people in Mission Control that can take the existing timeline and build a new one.
And, in fact, they do almost every night.
I call it night.
That is when the crew is asleep.
It could be daytime in Houston but it is when the crew is asleep.
The last thing I want to talk about in a flight preparation.
If the crew fall asleep at the same time, isn't that not a bad idea in case something goes wrong?
Shouldn't someone be keeping watch?
Mission Control is watching, A, number one.
And, B, number two, there are enough automatic sensing.
The computer is watching the really vital things so that if you've got a link in the cabin, if you've got fire, something like that happens, the alarms will go off and wake the crew off.
One of the case studies I am going to show is when Mission Control didn't get to watch, so look for that in a minute.
The post-sleep period?
The post-sleep period is what do you do after your alarm clock goes off?
There is cleanup, shave, get dressed and make breakfast, which is a huge deal.
This is not like taking something out of the freezer, throw it in the microwave and eat it.
It's a huge deal to cook and cleanup onboard.
Personal hygiene time.
It's also time that most crews spend reading the morning mail.
They don't get a newspaper but they get reams and reams of paper off the printer from Mission Control.
You thought you were going to do an EVA today, but here is what we're really going to do.
It's a really important time, getting ready for the day, so we allow the crews about an hour and a half of post-sleep activities.
And that is everything to get to work.
How do you decide what to tell the crew and who makes that decision?
Well, that's an interesting discussion.
The flight director, of course, is in overall charge.
I should say that there are three shifts of flight controllers in Mission Control, who are not ironmen, but that work about 9 hours.
There is an hour handover period, and so three shifts a day cover the day.
A flight director is in charge of the team.
The flight planners, big flight activities officer we call them, obviously have a big part of this.
On a day like this when it's an EVA day the EVA officers have a big part of this.
The CAPCOM, capsule communicator which is held over from Mercury days, is an astronaut.
And hopefully a flown astronaut.
Not always but typically a flown astronaut that is the crew's representative in Mission Control.
And the CAPCOM is a very valuable resource in saying here are things the crew would want to know, here are some things the crew already knows so we don't have to tell them.
Here you've built a plan that is going to overwork the crew or here you've built a plan that has got people sitting around with a lot of white space not doing anything getting bored.
So, it becomes a team effort.
Finally, the flight director approves all uplink messages.
...when do you tell the crew about that and who decides?
Well, again, it is a team so it's not this military hierarchy that orders come from the top.
There is a team.
The team will develop here is what is happening, here is what we think we're going to do.
The stories come together enough and here is the judgment factor.
The flight director will tell the CAPCOM to tell the crew in basic terms what the crew should know.
Now, we have a lot of ways to communicate with the crew.
And the Shuttle we are very fixed, obsessed with doing things on an open air to ground because in the old days they did some things kind of pine that got came out in press conferences that were bad.
The station crew has got this IP phone, Internet Protocol phone and they can call you.
Like right now if they had your phone number.
They can just call you and talk on the phone, and nobody knows what's going on.
We have email with the crew.
And a lot of things go up on email, but all of those communication paths are utilized to get information back and forth to the crew.
I probably ought to tell you one little short story.
This is my sports analogy story so you will have to put up with that.
Working in Mission Control is like working in different sports.
If you are the ascent entry shuttle team it is like playing basketball full court press all the time.
You are always running short time but very intense.
If you are a shuttle on orbit it is kind of like American football.
You huddle up, figure out what play you're going to do, go out, execute the play, it worked or it didn't work, you come back, huddle up.
It is very episodic but it can happen fast when it is happening, when you're executing it.
The Space Station is baseball.
It's a very much different game.
And one of the hard things as you move as a flight control from Shuttle ascent to Shuttle orbit to Space Station, you have to accommodate the different rhythms of the game.
The Russians have a phrase for when the Shuttle comes to visit the Space Station.
They say the hurricane came through.
Because they have this nice orderly regime and these folks come and fill the place up and they're doing stuff and they're throwing things here and there and then they leave.
And then we have to sort it all out and go back to our normal kind of placid existence.
The last thing about flight planning is we talk about decision making.
Here is the simplified diagram for the Chandra X-Ray Telescope launch decision.
AXAF, as you might know, is the Advanced X-Ray Astrophysics Facility which got renamed Chandra Telescope.
And we have the ascent flight direction, we have a mission director, we have the ops director, we have the launch director, we've got the KSC people and all these people.
Then the prelaunch timeframe are all watching their parts of this.
They're watching the telescope.
They're watching the upper stage.
They're watching the Shuttle.
They're watching a launch complex.
Somebody has got to decide and they all have got to talk to each other.
And they are all, by the way, geographically in different places.
And you've got to know who is responsible for what and who has authority to give information for what.
Because you don't want somebody in the AXAF control center saying to the NASA test director your shuttle doesn't look right on TV.
He doesn't know that his TV is out of adjustment or something.
The plan to get all these people together, what numbers they call, what they loops they talk on has got to all be worked through.
That is a real operational nightmare when you come to decision-making and communications.
We have literally thousands of people involved on a launch decision, a payload deploy decision and looking at their piece part.
It has to be clearly defined what you're looking at, what you're going to do if it doesn't look right, and so you have to spend a conservable amount of time planning that, training for it and then executing.
And I think we ought to break here if we're going to take a two-minute break.
I hope this is helpful to you guys.
It is not exactly the standard academic fare.
I want to talk a little bit about systems engineering because one of the things we pride ourselves on in an operations community is that we are systems engineers.
We're not mechanical, aero, what have you.
You're a systems engineer and you've got to know a little bit about a lot.
One of my favorite authors is Robert Heinlein.
You may have heard of him.
And his quotation about what a human being is I think is particularly appropriate to us.
And somehow this didn't come off on the page, but the bottom line is he comes out with specialization is for insects.
I'm not going to go over the Shuttle.
You guys kind of know what it looks like and why it got there.
I was looking at the syllabus of the class thinking I should have been in this class.
Structurally, it is a complex vehicle.
Inordinately complex in my way of thinking.
But that is because of requiring wings for the cross range, large aero surfaces for the aerodynamics and, of course, being able to transform from a rocket to an on-orbit spacecraft to a hypersonic glider is not easy.
The main landing gear and the tires is a subject that I could talk about for a long time.
And, in the interest of time, I took it out of my presentation.
But if I ever get a chance to come back -- I think you probably had a discussion of that, but operationally they are a bear.
Al Louviere actually gave a nice talk.
We are the only folks that operate tires in that regime, other than the Concorde.
And you guys know what happened to the Concorde.
And we have real constraints on our tires and fret about them all the time.
Here is a list of the Space Shuttle systems that we divide up into.
One of my favorites is right here in the middle.
But it goes everywhere from the main propulsion system onto the waste management system.
Isn't that a great NASA acronym?
This, I think, is an erroneously named chart because it says Space Shuttle Systems.
This ought to be Orbiter Systems.
There are many other systems in the main engines and so forth.
One I would like to talk just a little bit about is the environmental life control system.
I think you probably had a little talk about that before.
Have you had an introduction to the environmental system before?
I think it is a wonderful system.
Again, it is wonderfully complex.
We have water in the crew compartment so that if it leaks it is not hazardous.
We have Freon out in a payload bay so it won't freeze when it gets very cold.
And we have this ammonia stuff for the last part of entry which is a pain in the butt but it is what it takes to get there.
As you know the story, basically we take oxygen and hydrogen in the fuel cells and make electricity.
And, as a happy byproduct, we make water.
My case study here is going to be what do we do with the water?
These days, most of the time, we give the water to the International Space Station where they can electrolyze it using electrical energy from the solar rays and turn it back into oxygen, dump the hydrogen overboard and breath the oxygen.
We probably made this stuff by electrolyzing seawater so it is going this back and forth, water to electricity to components.
I wanted to talk a little bit about what we do with this water.
Some of the water is used as coolant through the flash evaporator system.
It is very important to us but we typically run in excess, and so we've got to get rid of it which becomes a waste management problem.
If the crew doesn't drink it, we have to dump it overboard.
As I say, we've tied into that system.
And typically we've used the very pure water and give it to the International Space Station these days.
I am sorry the print is kind of small.
But right here is the dump valve.
And one of these is the waste and one of them is the supply water dump valve where we dump that water out.
Now, you'll notice something very interesting about that dump valve.
We have a window in a hatch and we've got windows up here and we've got a TV camera here and a TV camera here and nobody can see what is going on.
Nobody can see what is going on coming out of that dump valve.
The only way to see is to take the arm out and put it in a very sensitive position to look at what happened.
In the old days they used to teach drafting.
I always liked to look at these.
The computer did not do this drawing.
This is a work of art.
This is the nozzle.
The Shuttle was developed in the 1970s.
We don't have a CAD model of the Shuttle.
Jeff asked me could you send us the CAD model of the Shuttle?
We had a little arrow CAD model of the outer mold line that the aero people use.
There is no CAD model of the Shuttle.
It exists on 800,000 paper drawings.
And, when I came to work, one of the things I got in the Program Office was a recommendation from the independent people to go off and computerize all of this.
And so we went off and tried to develop an estimate to computerize it.
They said it would take us eight years and cost about $40 million to convert these drawings from paper to the latest -- What's the CAD model that everybody uses?
I cannot remember.
We are not going to do it because we don't have the money, so we're still working with the paper products.
Anyway, here is the nozzle.
The water comes in.
There is an orifice and a set of heaters because you've got space on this side.
And if you just push water out there it will freeze.
You want to keep it from freezing so you've got the heaters in there.
And this is a very tricky small orifice to design, install and maintain.
Now, here is what Mission Control sees.
This is a plot of temperature, well, it's actually three or four things versus time.
And what we have here is the first thing that happens is you turn on the heaters on the nozzle and the nozzle temperature warms up.
Then you open the dump valve and the water supply quantity goes down.
And, as the water goes out, the nozzle temperatures jitter a little bit, but they basically stay in this nice, warm 150 degree temperature range.
Close the dump valve.
The water quits flowing, the nozzle bakes out, turn the heaters off and it turns off.
That is a normal water dump, what Mission Control looks at all the time.
The crew has got a timer.
Or, better yet, Mission Control calls and says start the dump now, stop the dump now.
Sometimes they'll set a timer.
Here is a little bit of an abnormal signature.
Turn the heaters on, the temperature comes up, it plateaued out and it kind of does this kind of thing, and people start scratching their heads what is going on?
There is another interesting thing.
Here is one that warmed up, didn't get quite as warm as it should have, sputtered out and quit.
What is going on?
We actually took the arm out and looked at this nozzle, and there was an icicle that had grown on the outside.
And, if you go back to this little drawing, it turns out there is an offset here.
And this nozzle has got a little offset to it.
And they had rotated the offset 180 degrees so that the heat wasn't being applied properly and we were building an icicle.
And we built probably a 16 foot long icicle off the side of the Shuttle on more than one occasion.
And actually went out on one flight with the arm and knocked it off.
Actually knocked it off like you would knock an icicle off your eaves.
The thing that clued us into this, in addition to these temperature plots, was the fact that we came back with ice stuck to the top of the payload bay doors.
There was actually a lump of ice that survived reentry.
At the Kennedy Space Center there was a lump of ice on top of the payload bay doors.
How would you get a lump of ice on top of the payload bay door?
The reason is when this door is open, right here, it hangs over.
And this icicle had grown all the way from the gap from the nozzle to the open door and had actually stuck on the open door.
And when we closed the door the icicle broke off, people theorize, at the root and then carried this long stick of ice up and reentered that way.
And when we landed most of it was gone but about a two or three pound ball of ice on the doors had survived reentry.
Now, you might say, well, what is the big deal about that?
We also found a big hunk out of the insulating tile on the OMS pod where some of that had broken off and had traveled back during entry and struck the OMS pod.
This is not a good thing because you are depending, in early phases of atmospheric flight, on these thrusters for attitude control.
And their propellant tank is right there inside that pod.
Not a good plan.
There is an example of a mystery in Mission Control that we had to work our way through over the course of, really, several flights.
And they redesigned the nozzle.
Here is the simplified drawing of the electrical system.
I think you guys have seen some of these systems things before.
We've got three fuel cells connected to three main buses which branch out into all these sub-buses.
If you are a flight controller you need to understand how you get electrical power because everything on the Shuttle works on electricity.
I am old enough now that I went to work in Mission Control before the simulator had programmed in the electrical system.
And I was a propulsion guy, OMS RCS guy, and we practiced all this stuff about the propulsion system and what would you do if different things happened.
One day they released a new drop of the software and all of a sudden the trainers could cause electrical power buses to fail.
We didn't know what the heck was going on but we learned in a big hurray because that is a big important part of our job.
Here is a simplified picture of the communication systems onboard the Shuttle.
This is the simplified.
Did you catch that?
Have you guys been through the communication system?
We have S-band FM, S-band PM and Ku, and it all comes in here and goes out there.
And it is all cross-strap so that if any one of these little black boxes doesn't work the integrated communications officer can send commands and change it all around.
Unless it was the communications boxes didn't work, in which case we've got to call the crew on the other radio and tell them to go throw some switches, which is very complicated.
And if you don't talk to the crew from Mission Control you don't do anything.
If you don't get telemetry from the vehicle, from Mission Control, you don't do anything.
If you cannot command the vehicle, from Mission Control, you don't do anything.
You might as well go out and get a cup of coffee because there is nothing you can do.
If the comm systems folks are having a bad day -- And I will just add that's one of the most serious malfunctions that we would practice all the time so you had it cold.
I mean if most things, if they break, you can talk to the ground, get some help, they're looking over your shoulder, but if you cannot communicate with the ground at that point onboard your success in getting home depends on being able to analyze what is the malfunction and reestablish communication.
So, we take that very seriously.
And, I've got to tell you, this is a serious design flaw in the Shuttle.
And here is a principle you need to remember.
When the systems were categorized
they were categorized on the basis of the severity of their failure mode.
Obviously, the main propulsion system is what we call a criticality one system.
If bad things go wrong in the main propulsion system really bad things could happen, so they spent serious design effort making sure that nothing bad would happen.
The communication system is a crit-3 system.
That means that people did not spend the time to make a robust communication system.
It is not as reliable as some of the other systems.
And that was a huge mistake.
And we have to fuss with this all the time.
That is a huge headache.
When you design something people say, well, communications isn't critical.
Communications is absolutely vital.
You cannot do anything without communication.
A flight rule on the books says if we lose all communication between a station and a shuttle the crew must land within 24 hours.
And we keep updated with just enough information so that they know where to land without communication.
That is part of the news you get every morning is an update of if you lose communication these are the landing sites.
Here is where you want to go.
Here is the weather and here are the times.
This is the simplified drawing of the data processing system.
This is the hardware of the data process system.
And you've got this general purpose computer that goes out through all these data buses to all these multiplexers and demultiplexers to talk to all these different pieces of gear.
And we've got different buses to get into each of the black boxes.
And you can switch ports and it is very reconfigurable and is a big pain in the butt.
And if you want to operate as a systems flight controller you have to understand it cold.
This is the software, very simplified high level view of the flight software onboard the computer.
You guys talk about the onboard computers on the Shuttle?
How much memory does a general purpose computer have?
Not megs, not gigs, K.
Of course, it works in ascent and vibrations and radiation and all these other things.
Very sophisticated software in a very small place.
What I grew up on is the reaction control system.
This has got helium pressurization going through a series of regulators and valves down to propellant tanks which get manifolded out to the various thrusters.
You've got oxidizer and fuel.
They come together and they make fire.
And so I started life as a mechanical engineer specializing in fluids so I'm supposed to understand things like pressure and temperature and combustion.
But I had to learn about valves which are mechanical and electrically operated that are operated through the computer system so all of those data buses on this page right here became very important to me.
They are sometimes operated automatically by the software so I have to understand all the software.
And then we get to what we call we redundancy management.
We have this basic principle that we want to have more than one of a critical thing.
And so the question is how do you monitor and manage that redundancy.
And the reaction control system has got the most sophisticated redundancy management program in the Shuttle.
And it depends on instrumentation coming back through those multiplexers and signal conditioners going to the computer that when it commands through the digital autopilot those jets to fire they either do or they don't.
And it tells it all about it.
And then the crew gets notified back over here.
And it is very complicated, redundancy management.
Redundancy is a way to provide reliability.
Redundancy is not a means to an end.
I noticed Chris Kraft said that the Shuttle is quad redundant.
That is not correct, Chris.
The Shuttle is not quad redundant.
We have four computers.
They are not quad redundant.
Now, if you go to a lot of systems, you only have three of.
If you go to some systems that you have four of, one cannot do the job.
For example, flight control.
We have four flight control hydraulic channels that operate the elevons.
One channel cannot operate that.
It takes two.
So you've got four but it takes two.
That means I can lose two.
So, I am at best, three redundant.
I can lose two and fly with two.
The trouble is if you lose two and they get in a fight with the other two it becomes very difficult to manage.
One of my favorite systems is the inertial measurement system.
The main requirement on Shuttle avionics is that it is fail operational/fail safe.
You've got to be able to take the first failure and you can keep flying the mission as planned.
You take the second failure and you're still safe to land because you've got one left.
Three inertial measurement units, clearly we are fail operational/fail safe.
If the first inertial measurement unit fails, good to go, we keep on doing what we're doing.
But those last two, if they disagree, how do you know which one is telling you the truth?
That is tough.
We developed this mathematical scheme using matrices and the navigation quaternion that would give us the best chance.
We have about a 99.5% chance of determining which IMU is telling us the truth versus lying to us, but it isn't foolproof.
It takes people to manage it.
We have opened ourselves, through redundancy, to a system in some cases where we don't have quad redundancy.
We have four ways to fail the system.
The reaction control system is one of my favorites because we have four jets on each side.
For example, the yaw jets in the aft that you need.
So, you would say quad redundancy.
No, I have four ways to fail.
What I'd really like to have is just one jet that would do the job and was highly reliable, but I've got four jets that are leaky that get clogged up, that lie to you on the instrumentation that you've got to watch all the time because I need at least two of them to do the job during entry.
So, be careful when you say things about redundancy.
What you're really after is reliability, not redundancy.
Redundancy is a way to reliability.
And you build these incredibly complicated schemes to deal with redundancy to provide the reliability of the system level you need.
Simple is better, let me tell you.
Complicated is not.
I've got two stories from the trenches and then I'm going to quit.
You guys have not been asking too many questions so that either means I am a brilliant lecturer or I'm putting you to sleep.
This is not your standard academic fair.
Is this good for you guys?
I have a question on the redundancy.
Chris Kraft talked earlier this week about how because you have four strings that you should launch if one string is broken and not worry about it since you're still failsafe with what is left and that that would increase the turnaround time and you would be able to launch more often.
One IMU has failed, we'll launch with the two because we know that 99.5% of the time that is good enough for us.
Do you have any comments on that?
Chris and I have had this discussion before.
I have a technical response to this discussion.
We are not reliable enough to launch with anything down.
This vehicle is barely reliable enough to make the mission as planned when we launch full up.
If you want to build a spacecraft that needs two of or three of or four of.
And you want to be able to launch with one broken on the launch pad like sometimes your airplane takes off with something broken that you, the passenger, don't know, but the pilot does and say it is OK.
We're not at that stage.
That is a nice idea.
That is a great goal.
I think people, when they thought about designing the Shuttle, thought that we ought to do it that way.
It doesn't work with the design we've got.
If you were going to build a new Shuttle, yeah, I would put five IMUs on it.
Well, shoot, I would throw out the IMUs and I would put GPS on it or something like that because it is more reliable.
But we are not at a stage where we can launch with less than the normal stuff.
Our flight history is that we have terminated three Shuttle flights because we lost redundant gear to the point where the flight rules said you needed to come home.
Now, if you had launched with just enough gear so that the next failure puts you into shortened mission, you would have terminated more flights early.
The whole theory about the Shuttle, if you go back to the very beginning, we are going to fly a flight a week.
64 flights a year originally.
That didn't happen for a variety of reasons.
If you flew 64 flights a year, the theory was if you got up there and something broke and you had to bring the payload back, OK, we would just role it into the one next week and we would have enough flights.
It hasn't happened that way.
Spaceflight remains difficult because these flights are rare.
The best we've ever done, I think, is ten flights in a year in 1985.
And typically we're talking four or five flights in a year.
These flights are rare.
The pressure is on to get the maximum advantage out of every flight.
And I think spaceflights are going to remain rare with the technology we've got into the future.
That is probably a discussion for a future date, but the fact of the matter is that Shuttle does not have the reliability in its piece parts to launch with one of things down.
JEFF: Wayne, let me ask you a question to speak to, you know, just here at a classroom, not as the Shuttle manager and not for attribution.
This is a danger, when people
Sheila Widnall was here and told us about CARB and their reputation.
What is your feeling about the wisdom of ending the Shuttle flights at the end of the decade?
WAYNE: I have a couple of thoughts.
First of all, I am a Shuttle hugger.
I grew up with Shuttle.
Shuttle is an amazing vehicle.
It is a huge technological leap.
I am very proud of what it has done.
On the other hand, we need a replacement.
It has got some serious shortcomings.
And if you look at the history of aviation and the first 30 years from the Wright Brothers to, say, the DC3, that was about 35 years, a little less.
DC3 was the first economically practical airliner, right?
Everybody wanted to compare the Shuttle to the DC3.
The problem is between the Wright Flyer in 1903 and a DC3 in 1935 or thereabouts, they went through probably 10,000 designs.
They had trial and error.
We tried things out.
We found out what worked, we found out what didn't.
They junked the bad designs.
They took the good designs, and they took the good parts of the good designs and built the next designs even better.
They probably went through 10,000 variations on aircraft to get to that point.
Now, we've been flying in space for about 35 years.
Count them all.
Chinese, Russian, American.
How many space vehicles have there been?
Human space vehicles.
Less than ten.
Soyuz, Vostok, Voskhod, Mercury, Gemini, Apollo, Skylab, Shuttle, Shenzhou, what am I missing?
That's about it.
How can you possibly advance that technology?
It is ludicrous to think that you are going to advance the technology without doing the iteration that we saw in early aviation.
We should have replaced the Shuttle 20 years ago as a nation with a more advanced version that fixed some of the shortcomings that made it more economical to operate.
We should have done a lot of things but, for national reasons, we didn't.
So, I am torn.
I love the Shuttle.
It is a great machine.
I spent my whole career with it.
It gives us capabilities that we are going to give up, frankly, when we go to the CEV.
It's going to be a different kind of machine that does different kinds of things.
And we are going to miss the Shuttle, I am convinced.
But should we long ago have built a new one?
Are we behind where we should be?
We need to invent the next generation of spacecraft and be ready to go on and invent the next one after that.
The Shuttle was designed for a ten year life.
We should have been working on Shuttle II the day that Columbia launched the first flight.
That is my perspective.
This might be outside of the realm of the discussion, but those 10,000 different designs that were done for aircraft were done largely by private sector, right?
There was a fair amount of government.
And, remember, it wasn't all American.
There was a large amount of government subsidy.
And it was, frankly, a cheaper technology to develop.
Rocket technology is difficult to develop.
I will go back to Heinlein my favorite author.
He says when you're in earth orbit you are halfway to anywhere in the universe.
Getting the first hundred miles off the planet is very hard, but once you get in earth orbit or thereabouts you are halfway to anywhere in the universe.
And we still have not cracked that nut.
I really like the space elevator guys.
It is science fiction but the idea is a good one.
There ought to be a different technology other than rockets to get to space.
Somebody did a calculation that said if we had an elevator to the Moon, we could get to the Moon for about $10 worth of electricity.
Of course, there is a big "if" that goes in front of that rolling that elevator.
So, rockets are an exceedingly difficult technology.
I want one of you guys to invent a new technology.
Aaron Cohen, he may have already told you this, tells one of the great stories of all times about spaceflight.
He talks about when he was in the management of the Space Shuttle program and the fact that the main engines were causing just awful problems getting them developed.
Stop me if you heard the story.
And one day he woke up and said wouldn't it be great if somebody just invented an antigravity device and we could get away from rockets?
Wouldn't that just be great?
And he thought about it a little while longer and said no, it would still have braised welds and electronic parts and all the things that are causing us problems on the engines would cause us problems with the antigravity machine.
Get him to tell you the story.
He tells it better than I do.
But we need a better technology, quite frankly.
We need something that makes the transition from propellers to jet engines.
We need something like that.
The Space Shuttle main engines in terms of the rocket cycle thermodynamically are about 99% of the maximum theoretical efficiency for a hydrogen/oxygen rocket engine.
You're not going to do any better.
We need a new technology.
You might make them cheaper, you might make them more reliable but you're not going to lift any more pounds to orbit.
So, we need that revolution.
Well, I'm passionate about it.
You're talking to the wrong guy.
Of course it's a help.
If you want to talk about whether it's a hindrance, ask him after I'm gone.
Some of our astronauts friends which we'd shut up.
But, no, seriously, I think everybody would say that Mission Control is actually a vital part of the process.
You've got to plan the missions.
You've got to execute the missions.
There are only so many people onboard the vehicle.
These are not autonomous vehicles.
That is another word that really sets my teeth on edge when people say space vehicles ought to be autonomous like commercial aircraft.
It just sets my teeth on edge.
Have you ever seen what it takes to plan a commercial aircraft flight?
There are more people on the ground than there are in the cockpit by a lot.
And I'm not talking about the baggage handlers and I'm not even really talking about the mechanics that keep it flying.
Everybody has got to plan the routes, got to make sure that they've got the manifesting right, make sure that they've got the fuel right, all that planning process, you've got to have people that do that.
Saying you're going to get by without that shows a total ignorance of how the world really works.
Now I'm beginning to sound like Chris Kraft.
I want to share with you a couple of stories.
This is something you ought to past on your wall.
The last law of robotics.
The only real errors are human errors.
Mother nature does not make mistakes.
If you flew your airplane into a thunderstorm and it crashes, was it mother nature's fault?
No, you were stupid and flew your airplane into a place that it wasn't designed to handle.
Perhaps the weather forecaster gave you a bad forecast.
Perhaps your weather radar was insufficient and didn't pick up that nimbus cumulous cloud on its radar, but it wasn't mother nature's fault.
It was a human error.
They used to talk about in aircraft accidents there were really three causes for aircraft accidents.
There is pilot error, which we all understand.
The pilot turned left when he should have gone right, you know, something much more sophisticated than that.
There is mechanical failure.
Mechanical failure can come for two reasons.
Number one, the aircraft was not maintained properly.
I remember that Alaska airline jet that went down because it had the mechanism in the tail that had the long spiral grooved shaft and they didn't lubricate it properly and it wore off.
And finally they had no elevator control and the plane crashed.
It wasn't maintained properly or it wasn't designed properly.
It wasn't design properly to handle the environment that it flew in.
Well, I submit that weather is not a cause of an accident.
Weather is a human failure because you need to understand what you're capable of operating your vehicle in, and you don't operate it in environments that you're not capable of handling.
The only real errors are human errors.
It's either the pilot, the engineer that designed it, the guys that didn't maintain it properly or maybe the guys that didn't forecast the weather right.
Those are human errors.
They are not acts of god.
You need to understand the environment you're going to operate your spacecraft in.
Make sure you design it robustly so it doesn't come apart.
Makes sure you design it so that it can be maintained and you make sure the instructions for the maintainers is done properly.
And, finally, you've got to train your crews so they can pilot it properly.
One of the things that the Shuttle doesn't do well is navigate on its own.
The Shuttle has an inertial navigation system.
We're trying to upgrade it to GPS.
We've been trying to upgrade it to GPS for ten years.
Maybe we will get the next vehicle Endeavor out of its maintenance depot period with GPS and fly it with GPS, but right now we fly it with inertial measurement systems.
Those inertial measurement systems, developed right here at the Charles Stark Draper Lab, have some drift in them.
After about a day their knowledge of where the Shuttle is creeps off.
It creeps off enough so that you could not reenter safely because the error in the onboard knowledge of where the Shuttle is is different from where the Shuttle actually is.
In addition to that, the integration over time doesn't give you a good state vector so we track the Shuttle from the ground with radar and update what we call the state vector position, velocity and direction, six components at least once a day.
On STS-32, Mission Control screwed it up.
There is a long flight.
The ninth day of the flight the INCO officer sent a bad command that caused the Shuttle orbiter to lose attitude control.
And if the propulsion system had been configured differently they would have run the little jets.
If they had been on the big jets we might have used up enough gas so that the crew could not have reentered safety.
This is a serious error.
It also happened at about 3:00 in the morning.
I would offer to you that you ought not do critical things in the wee hours of the morning.
Writing term papers, running somewhat hazardous experiments are not things you want to do at 3:00 in the morning.
That error was recognized and corrective actions were taken immediately.
But, due to some other circumstances, it was a near thing.
We were out of control and out of communications for about ten minutes.
And this was in the middle of crew sleep.
What they did basically was to uplink a state vector that told the computer that the position of the orbiter was somewhere outside the Milky Way Galaxy.
I mean it was that kind of thing.
Here is the story for the night.
This is 17 days, 23 hours to 18 days GMT.
This was in the early part of the year.
This is a one hour time period.
The crew is awakened in the middle of crew sleep because an onboard smoke alarm goes off.
There was no fire.
It was just an erroneous alarm, but it woke the crew up.
Now, when you are the flight control team and you are working when the crew is asleep, your number one goal is to keep the crew asleep.
Don't let them wake up.
So, this flight control team has already failed.
They allowed an erroneous alarm to wake the crew.
A little bit later the flight dynamics officer says we need to reinitialize the state vector, which is something that we normally do, about once a day.
It is interesting that this is in the middle of crew sleep.
Normally it is done when the crew is awake, but the flight dynamics officer says we need to uplink a new position and velocity sort of vectors.
The flight director says did you do a good job, Fido?
Fido says of course we did.
Flight say OK, you have a go to uplink that vector.
The integrated communication officer gets the word from the flight dynamics officer, I want you to go to the computer and get vector number umpty-ump and uplink it to the crew.
And the integrated communications officer uplinks the vector to the onboard system.
Now, there is a check in the onboard system that goes into a buffer in the computer.
And that buffer gets sent telemetry back to the ground, and the ground computer compares what is in the onboard versus what is sent and they should be the same.
We send about 5000 commands in the course of a two week flight, and normally they always compare.
This particular time there was a problem, some radio noise or something and the data got scrambled.
And it came back to the ground and the computer put out the little words "data reject".
In other words, the command that you sent is not what is onboard, the integrated communications officer.
The backroom is doing other things.
The guy in the front room, integrated communications officer checks the display and says, for whatever reasons at 3:00 in the morning, OK, punches the button to send the execute.
In other words, move the data from the buffer into the navigation software.
It is wrong.
But he just makes a human error and sends it.
His backroom guy, because we always work in teams, is doing something else and didn't check his work.
Normally there is a check and balance.
Before you send buffer execute you say to somebody else does this look OK to you, too?
They missed that check.
They send this command.
The Shuttle thinks it is in orbit around, I was going to say Alpha Centauri, but it was a lot farther away than that doing what we call local vertical/local horizontal hold.
Well, now it's doing LV/LH around the star in the Andromeda Galaxy, I guess, and it goes out of control.
Now, this doesn't tumble end over end.
It reaches three degrees a minute rate, which is not a high rate but you're moving out of your attitude.
Well, what happens?
When you move out of your attitude the antennas are no longer pointing at each other.
The Shuttle antenna is no longer pointing at the tracking and data relay satellite so command, data, voice, go away.
Loss of signal.
The worst thing the flight director can hear is loss of signal with the crew.
We got lucky because about ten minutes later it just happened to be acquired back through the satellite.
It just happened to be acquired back.
We got lucky and they called the crew.
The crew switched to a manual autopilot, turns on the big jets, restores the attitude and life goes back to normal.
The crew now has been awakened twice, by the way.
They are going to be grumpy the whole next day.
If the big jets, which use a lot of gas, had been on in that ten minutes, we could have used the entire entry allowance of propellant.
As anything there is always a chain of events.
The flight dynamics officer was unable to do this navigation state vector prior to crew sleep because of the vehicle activity.
In other words, they had been doing maneuvers and they had to get the radars to track to build a solution.
Plans were made to uplink the state vector during sleep, which is not terribly unusual but not the typical situation.
During a sleep period, and I don't know why they put during a sleep period, we typically can have telemetry dropouts and radio frequency interference and conditions which cause telemetry dropouts.
They were predicted because of the orbiter attitude.
The antennas don't always point in the best part of the antenna pattern.
That we're going to have that.
We had the onboard smoke alarm that woke the crew up.
We let them go back to sleep.
This is the same thing I went through.
Twelve seconds after he sent the back command the backroom guy this did trivial recorder command and we saw that they were miscompared.
And this is really the key.
Seventeen seconds after calling up the display the backroom attempted to question the decision but too late, the button had been pushed by seventeen seconds.
The flight dynamic officer is looking to see if we get a good state vector on the board.
He didn't see on the board.
INCO said I sent it.
What's going on?
The data processing system officer reports that the computers, both of them, the guidance and navigation computer and the system management computer are clocking internal errors.
They have a term for this.
It's called divide by zero.
Computers don't like to do that arithmetically.
They send an alarm.
The propulsion system officer reports continuous jet firing.
The guidance officer reports that they are huge autopilot errors and high vehicle rates.
When I said three degrees, I meant three degrees a second, quite a lot.
CAPCOM says wake up.
CAPCOM, we need to tell the crew something is going on.
Wake the crew up.
Voice link is normally disabled during crew sleep.
Because every once in a while somebody pushes the button and wakes the crew up during crew sleep so we configure it so that we cannot do it.
So we had to reconfigure the ground voice system to allow the CAPCOM to communicate.
We lost the one satellite.
We had the wrong antenna selecting.
And then ten minutes everybody thought they were dead.
We woke the crew up, they put the vehicle on manual mode and life returned to normal after the new state vector onboard.
That never made the press, I don't think.
It was directly caused by operator error.
He clearly did things outside of what he was trained to.
And these are all nice little bureaucratic words saying that everything worked like it was supposed to except for the guy.
And here is what we did in our great bureaucratic mode.
Procedures were updated.
Software was updated.
Rules were updated.
Consol handbook procedures were updated.
Work guidelines of making people work ten or twelve days in a row on nine or ten or twelve hour shifts, particularly on a nice shift were revised so we let people off.
And, basically, what we did was we added more checks and balances to the system.
Now, is that the kind of thing that you do when you are designing a spacecraft?
Why would you design a spacecraft where you had to update the state vector every day?
Why would you design a spacecraft that would crash into the surface of Mars when it was supposed to go into orbit around Mars?
You've got to be careful when you design your system of the unintended consequences of your operation.
And if you don't think very clearly about what you're putting on the operators you'll force them into positions like this, so you've got to think about the operation.
Not just is the wing going to fall off because the wind gust is going to exceed the structural capability?
You have to think about the operations.
I've got one more.
Do we have time for one more?
If you can do it in two minutes.
This main engine combustion chamber, the main engines have a computer that looks at sensors that controlled our mixture ratio and things.
One of these sensors plugged up.
And they give you the 30 second version.
You can read it all.
The ground had been using a pressure check with a little pressure meter that had a Neoprene rubber O ring.
And, when they pulled the pressure gauge off, it left the Neoprene rubber there and stopped up the sensor.
And, because of that, the engine nearly shut down in flight.
And, if Mission Control hadn't been paying attention and disabled that sensor during real-time, we would have done our first return to launch site abort on that engine.
So, little things count for a lot.
Small instrumentation things count for a lot.
I hope this has been helpful to you.
Anybody got any other questions before I sit down?
One question from the back.
Well, my thoughts are: I'm excited that NASA's got the goal of going back to the Moon and Mars, I wish we'd never gotten away from that.
I'm working really hard in the Space Shuttle program to free up money so that exploration can do what it needs to do.
I'm not in a position to know whether they've got enough to do their job.
It does look a little tight - I don't know, time will tell.
But I'm just excited to have the opportunity to head in that direction.
I'm going to give you the diplomatic answer.
Chris is retired; I still have to go to work.