The dark side of space disaster theoriesby James Oberg
|
For spaceflight, being distracted by the wrong cause means being tempted by the wrong fix. That’s never amusing, and often can be expensive. |
As an egregious “bad example” of wrong causes, a recent book (Dark Mission, by Richard Hoagland and Michael Bara) spent a lot of time muddying the waters over a series of NASA Mars mission failures in the 1990s. This isn’t just some remote corner of an intellectual ghetto on the Internet—the book came within one tick mark of making it onto the New York Times bestsellers list for paperback non-fiction (it reached #21 nationwide). So as an exercise in cultural self-defense and in proselytizing sound “space safety” history, here is a detailed look at the claims, the delusions, and the errors in that book’s treatment of these space accidents.
Dark Mission portrays the failure of the Mars Observer probe in 1993 as a deliberate act by NASA to prevent the publication of its expected photographs of artificial Martian ruins. But the description of the events is inconsistent with well-documented accounts, reports non-existent events, and omits well-known explanations for important features of the probe’s flight plan. All of this can be easily confirmed through Internet searches.
Dark Mission, pp. 87–88: “NASA, in another unprecedented move, had inexplicably ordered Mars Observer to shut off its primary data stream prior to executing a key pre-orbital burn… Because NASA had violated the first rule of space travel—you never turn off the radio—no cause for the probe’s loss was ever satisfactorily determined.”
Actually, whether a radio is turned on or off, practically all orbital insertion burns on lunar and planetary missions occur out of radio contact. This is a result of the geometric alignment of the probe passing behind the planet (or moon) and hence having its radio signals blocked. So keeping a probe’s radio turned on during these periods is about as useless as installing windshield wipers.
To my knowledge, there is no “first rule of spaceflight” about never turning radios off. Interplanetary probes do this all the time. The “rule” is imaginary. I can’t find any documentation anywhere that provides this “rule”. I suspect that the Dark Mission authors just imagined it.
The maneuver that Mars Observer was to perform was not even, as Dark Mission claims, a “key pre-orbital burn”. It was not a burn of any kind. Instead, it was the firing of explosive bolts to open two pressurant tanks that would allow the fuel to be pushed into the probe’s engines several days later.
There is nothing “inexplicable” about turning off the radio for the firing of the pyrotechnic bolts. The sharp shock of the detonations was thought to be a hazard to the hot filament in a key radio component, which is much less brittle when cold. Hot filaments can shatter under shocks that cold ones wouldn’t even notice.
This is clearly explained in on-ine documents, including the accident report. You only have to search “Mars Observer accident report” to be led right to the 313-page “Failure Investigation Board Report”.
Keeping a probe’s radio turned on during orbit insertion burns is about as useless as installing windshield wipers. |
Why was the radio turned off? “In accordance with the mission’s published flight rules, the transmitter on the spacecraft had been turned off during the propellant-tank Pressurization Sequence on 21 August… To protect the spacecraft radio frequency transmitter from damage during the Pressurization Sequence (albeit a very low probability), the software included a command to turn off the Mars Observer transponder and radio frequency (RF) telemetry power amplifier for a period of ten minutes. This was a standard procedure that had been implemented several times earlier during the mission.”
The report gave further details: “This sequence included the firing of two normally-closed pyrotechnic valves, that would allow high-pressure gaseous helium to pressurize the nitrogen tetroxide oxidizer tank and the monomethyl hydrazine fuel tank.” More on p. 25 of the report: “Concern existed in the Mars Observer project team that the pyro-firing event might damage the traveling wave tube amplifiers in the spacecraft telecommunications system if the amplifiers were left on.”
Nor is it true that “no cause for the probe’s loss was ever satisfactorily determined”, as Dark Mission claims. To the contrary, in hindsight it was excruciatingly clear what almost certainly happened.
“The Board was unable to find clear and conclusive evidence pointing to a particular scenario as the ‘smoking gun’,” the report explained, but “the Board concluded through a process of elimination that the most probable cause of the loss of downlink from the Mars Observer was a massive failure of the pressurization side of the propulsion system. The Board also concluded that the most probable cause of that failure was the unintended mixing of nitrogen tetroxide (NTO) and monomethyl hydrazine (MMH) in the titanium tubing on the pressurization side of the propulsion system. This mixing was believed by the Board to have been enabled by significant NTO migration through check valves during the eleven-month cruise phase from Earth to Mars. This conclusion is supported (but not proven) by NTO transport-rate data acquired by JPL, by NTO/MMH reaction simulations performed by [the Naval Research Laboratory], and by NTO/MMH mixing tests performed by AFPL [Air Force Propulsion Labs].”
As to why the propulsions system hardware, adapted from a military prop module that normally needed a lifetime of only 12 hours, was used for a year-long mission, the report added that “Too much reliance was placed on the heritage of spacecraft hardware, software, and procedures, especially since the Mars Observer mission was fundamentally different from the missions of the satellites from which the heritage was derived.” It specifically criticized the propulsion system for “Inappropriate isolation mechanisms between fuel and oxidizer for an interplanetary mission.”
“The original [money-saving] philosophy of minor modifications to a commercial production-line spacecraft was retained throughout the program,” the report continued. “The result was reliance on design and component heritage qualification that was inappropriate for the mission. Examples of this reliance were the failure to qualify the traveling wave tube amplifiers for pyro firing shock [and] the design of the propulsion system.”
Whether or not this particular proposed failure mode is plausible (and from my own research I’ve concluded it was very plausible), it remains untrue to state (as Dark Mission does) that turning off the radio was “inexplicable” (and a violation of a “rule number one”) and that no satisfactory explanation for the failure was ever determined. Leaving out these easily-available views resulted in a passage that I think was incomplete and misleading.
I noted several Dark Mission references to me personally that deal with the 1999 failure of the Mars Polar Lander (MPL) probe. On page 316: “James Oberg published a story on UPI that accused JPL employees of knowing full well that the MPL was doomed (due to software problems related to the spacecraft’s landing legs) from very early on in the mission.” On page 317 this is called a “bizarre UPI accusation”. The brief account of the UPI article is garbled almost beyond recognition, casting serious doubts on the reading comprehension level of the author who did this section. In the one-sentence summary (“James Oberg published a story on UPI that accused JPL employees of knowing full well that the MPL was doomed due to software problems related to the spacecraft’s landing legs from very early on in the mission”), practically every word is wrong.
Alleged foreknowledge of the impending failure had nothing to do with software. The article stated:
As explained privately to UPI, the Mars Polar Lander vehicle’s braking thrusters had failed acceptance testing during its construction. But rather than begin an expensive and time-consuming redesign, an unnamed space official simply altered the conditions of the testing until the engine passed. “They tested the [engine] ignition process at a temperature much higher than it would be in flight,” UPI’s source said. This was done because when the [engines] were first tested at the low temperatures predicted after the long cruise from Earth to Mars, the ignition failed or was too unstable to be controlled. So the test conditions were changed in order to certify the engine performance. But the conditions then no longer represented those most likely to occur on the real space flight. “I’m as certain as I can be that the thing blew up,” the source concluded.
That potential failure mode was not known “from very early on in the mission”, but only at the very end: “Following the September loss of the first spacecraft due to management errors, NASA had initiated a crash review of the Mars Polar Lander to identify any similar oversights. According to UPI’s source, the flaws in the [engine] testing were uncovered only a few days before the landing was to occur on December 3. By then it was too late to do anything about it.”
The brief account of the UPI article is garbled almost beyond recognition, casting serious doubts on the reading comprehension level of the author who did this section. |
The specific software problem with the landing leg sensor scenario was not known before the landing at all, and the UPI article clearly states that it was discovered after the crash: “The Mars Polar Lander investigation team has also reportedly identified a second fatal design flaw that would have doomed the probe even if the engines had functioned properly. Post-accident tests have shown that when the legs are initially unfolded during the final descent, springs push them so hard that they ‘bounce’ and trigger the microswitches by accident. As a result, the computer receives what it believes are indications of a successful touchdown, and it shuts off the engines. Ground testing prior to launch apparently never detected this because each of the tests was performed in isolation from other tests. One team verified that the legs unfolded properly. Another team verified that the microswitches functioned on landing.”
In a simple reading comprehension verification test, this one incident indicates a severe problem with the book’s authors’ ability to understand, and restate, simple English about space technology. In one sentence, there were three swings, and three misses—three strikes.
By the way, after NASA’s official denunciations of the UPI story I had written (I have the honor of being the only journalist ever denounced by name in an official NASA press release), the story turned out even worse than I had written. Space engineers hadn’t fudged the test results, after all. My source was wrong about this, this time, the first occasion in a long sequence of accurate leaks. What was far worse was that NASA had decided that any such tests weren’t even necessary. The engine ignition system was never tested at temperatures expected out at Mars, because (JPL said) the engine had already flown in space on some other mission and so didn’t need to be requalified. But NASA press officials, despite repeated inquiries from me and promises of cooperation from them, never disclosed the space mission(s) that these special engines had been originally flown on.
The same design engines are installed aboard the Mars Phoenix lander now on route. Hopefully, improvements have been made.