-
#540
by
mn
on 08 Jan, 2020 16:52
-
...
This seems to be reacting to what happened before they start to figure out what went wrong.
...
C'mon, we all know that unless the investigation finds something unexpected there won't be another uncrewed OFT. Right? Bridenstine has already telegraphed that very transparently, and Boeing isn't going to do one unless NASA insists (and pays for it).
Because they know very well what went wrong, (the investigation is only to determine who to blame).
(Yes I know there's lots of people who want to know how this was missed, but I'm willing to bet they already know the answer to that question too).
-
#541
by
OM72
on 08 Jan, 2020 17:14
-
2) 72x181 is the only way to let Starliner burn off enough abort prop to dock safely with the ISS.
Emphasis mine. This is a bogus requirement. Dragon docked to ISS last March with a full load of abort propellant.
I email with Hans Koenigsmann from time to time. I hope to take him for a dive in the Giant Ocean Tank at the New England Aquarium. He's a genuine guy. Anyway - on Facebook today I gave him a congratulations and while I was at it I asked him a question I've been wanting the answer to for some time:
Do they dump the D2's unused hypergolic propellants prior/during EDL or does it land with them.
His answer: "We bring it back, un-tank and use it"
Question answered - thanks Hans!
Again the improper use of terms. This is not a "requirement".
This is Concept of Operations choice. Pure and simple. It is quite literally that Boeing chose one way, SpaceX chose another for their own reasons. The both have pros and cons associated with them.
-
#542
by
SWGlassPit
on 08 Jan, 2020 17:23
-
(the investigation is only to determine who to blame).
This isn't Russia. I have faith that a full RCCA process will take place. I don't read the "two month" figure as prescriptive, but rather an estimate.
-
#543
by
OM72
on 08 Jan, 2020 17:36
-
I'm delighted by the NASA announcement of the investigation into the OFT timer issue. They seem to be taking the sensible course at the moment; waiting until they know what actually happened (root causes, etc) before deciding whether or not the mission needs to be reflown.
https://forum.nasaspaceflight.com/index.php?topic=47917.msg2033114#msg2033114
In other words, they want to find out what happened before reacting to it and making a decision on what to do about it. IMHO, this is the only sensible approach.
The investigation is good, if unavoidable.
However, they are already presuming the results.
The very announcement of an investigation says it could be that astronauts critical to manning the ISS could be allows to ride aboard a “test” mission.
This seems to be reacting to what happened before they start to figure out what went wrong.
Let's take a more down to earth example. You're car doesn't start. Do you start with, based on data you have collected from trying to start it, that it could be the battery? Maybe the starter? Or not wanting to "presume the results" or "react to what happened before you figure out what went wrong" do you perhaps inspect the tires as a possible cause?
I say this because one always starts with a theory. A theory. One does not call or go into these type things and say, "Here's the root cause. What's for lunch?" The data and evidence will lead to if, in fact, that theory is valid or if it could be something else. And the investigation goes from there.
If a likely root cause is identified, you investigate, thoroughly, the processes, procedures, operations, test, etc. Wherever it may be appropriate depending on what the root cause is seeming to be. Recommendations are then made for corrective actions that impact any or all of the areas I just mentioned previously.
-
#544
by
mn
on 08 Jan, 2020 18:14
-
(the investigation is only to determine who to blame).
This isn't Russia. I have faith that a full RCCA process will take place. ...
Sorry if you thought I meant anything different.
I'm not doubting that there will be a full proper investigation, but that doesn't mean they can't already know with great confidence what the investigation will find.
Edit: On 2nd thought: the investigation will also look at how the system behaved as a result of the timer being off and while they can easily know exactly why the system did what it did, the investigation will want to know if there mistakes there or if it can be done better. This is an open unknown at least to me.
-
#545
by
TheRadicalModerate
on 08 Jan, 2020 19:01
-
2) 72x181 is the only way to let Starliner burn off enough abort prop to dock safely with the ISS.
Emphasis mine. This is a bogus requirement. Dragon docked to ISS last March with a full load of abort propellant.
I email with Hans Koenigsmann from time to time. I hope to take him for a dive in the Giant Ocean Tank at the New England Aquarium. He's a genuine guy. Anyway - on Facebook today I gave him a congratulations and while I was at it I asked him a question I've been wanting the answer to for some time:
Do they dump the D2's unused hypergolic propellants prior/during EDL or does it land with them.
His answer: "We bring it back, un-tank and use it"
Question answered - thanks Hans!
Again the improper use of terms. This is not a "requirement".
This is Concept of Operations choice. Pure and simple. It is quite literally that Boeing chose one way, SpaceX chose another for their own reasons. The both have pros and cons associated with them.
I keep picking at this because I would like to understand the CONOPS choice, and I don't. Unless the engineers are idiots (and I don't think that Boeing's are), they choose the CONOPS to fulfill an underlying set of requirements. Let me rephrase my list of hypotheses to be disproven into a more standard set of engineering requirements:
1) Have the safest plan for recovering the crew from post-insertion mishaps.
2) Meet IDA and NDS docking mass, moment, and torque requirements. (NB: Two different spacecraft with the same mass can have different moments, so D2 being OK with a full load doesn't necessarily imply that Starliner will be as well.)
3) Deal with whatever performance issues the launch leaves you with post-separation (i.e., after DEC MECO-1).
These are
all requirements for both D2 and Starliner: there needs to be an answer for each one of them. Sometimes the answers are trivial, as in the case of #2 (i.e., if you have to burn off prop, do so, but burning off prop is easy and likely doesn't impact the choice of insertion orbit). Sometimes they're not, as with #1: no matter what the insertion is, you'll need a full-up failure analysis to decide what the safest CONOPS is.
Looked at from the standpoint of these requirements, it's pretty clear that the D2 CONOPS leaves it in a stable post-separation orbit because the PLOC was lower in that orbit than it was in a free-abort orbit. That might be because D2 has more stringent attitude control issues for entry and it was safer to work attitude control problems in orbit, or it might just be because the F9 has no problem flying a safe trajectory and still inserting into the stable orbit.
Similarly, it's pretty clear that the Starliner CONOPS leaves it in a free-abort orbit because PLOC is lower in that free-abort orbit. Now, that might be because Starliner is pretty bulletproof wrt attitude control on reentry and the best way to work an attitude problem was to let the atmosphere straighten it out for them, or it might be that the N22 simply didn't have the ability to insert into a stable orbit and still fly the safe trajectory, so inserting into an orbit that was at least a safe corridor was the best they could do.
Again, I don't know the answer here. But the distinction seems pretty crucial.
-
#546
by
mgeagon
on 09 Jan, 2020 01:00
-
Perhaps, this is a better question to ask in L2, but is the 270-1 LOC requirement informed by the unmanned docking to the ISS? If a portion of the risk to crew is not retired, is there enough margin to still fly with the 270? Or, will NASA have lower the LOC requirement to fly CFT without a OFT redo?
-
#547
by
thirtyone
on 09 Jan, 2020 03:17
-
I was thinking about OFT issues, and I think a bigger concern than ISS docking is that the investigation itself may lead to some pretty lengthy code review and possibly more testing. Hopefully it's short, but consider how this bug likely came to be:
- Boeing is clearly reasonably experienced, so they *must* have run many system tests that simulated Starliner systems running with dummy hardware/software simulators at the boundaries (fake thruster actuators, sensor simulators, etc.)
- These system tests must have not captured this MET parameter bug, which almost certainly means there was some sort of mistake in either implementing the "fake" Atlas flight computer during these system tests (whoever wrote the code for the dummy Atlas flight computer accidentally put MET in the wrong parameter/format), or perhaps ULA provided test hardware that did not properly simulate the Atlas flight computer (seems much less likely given ULA's track record, though this might be the best case/least work for Boeing).
- The fix is easy--just change one parameter. But the systematic issue I'm suspecting--failing to validate test boundaries--might not be. How many previously validated tests are now in question because the test boundaries need to be rechecked? How many other tests relied on this specific Atlas flight computer test boundary, and how many of them have to be redone?
- One notable test that relied on this boundary was the pad abort test - there was no real Atlas, so perhaps something could have been missed there as well. One might also imagine that this MET bug probably would have been captured earlier (for better or worse) if they ran an in-flight abort test first.
- I'm guessing there could be some pretty scary failure modes if the MET or other data from the Atlas is interpreted incorrect during an abort (or causes a false abort) and the Starliner computer decides to attempt the incorrect abort sequence for that stage of ascent. Don't think human intervention would be sufficient for safety in many of these scenarios.
I'm just trying to imagine what other root causes could have resulted in the MET issue right now, and the only other ideas are all just gross negligence, which seem pretty unlikely - bad software version control, bad test software version control, sloppy testing, etc. When testing is done correctly, mistakes tend to happen at test boundaries, so this seems like a likely scenario to me.
-
#548
by
AJW
on 09 Jan, 2020 07:55
-
There are disturbing parallels between the pad abort test and the OFT MET issue. Nothing mission critical should ever be dependent on a possible mistake by any single individual. In the case of the pad abort, someone failed to make a connection. A second individual should have been observing the first and seen that mistake. A photographer was recording the process but didn't see the mistake, and yet another individual should have been inspecting the photographs. It is not clear how a process that should have required at minimum 3-4 checks by different individuals failed every single one.
Info on the MET anomaly is scarce. Jim Chilton, Boeing's senior VP of the Space and Launch division, described using the wrong 'coefficient' when retrieving the MET. Again, this isn't just one individual who made a mistake, programmers have code reviews, so multiple coders should be reviewing all check-in. Teams should be doing full code walk-throughs. QA should be writing tests to verify the code and checking code coverage to insure that that every line of code is executed. Test harnesses should have been emulating the Atlas and triggering this identical anomaly long before a flight. When looking for a 'who', this won't be an individual, this will be a team, or multiple teams, and like the pad abort, this raises more concerns about why, not who. Time to invite Wayne Hale over to ask questions.
-
#549
by
mn
on 09 Jan, 2020 13:39
-
Is it routine for closeout photos to be reviewed before flight? Or are they normally tucked away only to be looked at if something goes wrong?
(sorry I've asked this before on one of the oft threads but I don't recall seeing a response)
-
#550
by
clongton
on 09 Jan, 2020 13:42
-
2) 72x181 is the only way to let Starliner burn off enough abort prop to dock safely with the ISS.
Emphasis mine. This is a bogus requirement. Dragon docked to ISS last March with a full load of abort propellant.
I email with Hans Koenigsmann from time to time. I hope to take him for a dive in the Giant Ocean Tank at the New England Aquarium. He's a genuine guy. Anyway - on Facebook today I gave him a congratulations and while I was at it I asked him a question I've been wanting the answer to for some time:
Do they dump the D2's unused hypergolic propellants prior/during EDL or does it land with them.
His answer: "We bring it back, un-tank and use it"
Question answered - thanks Hans!
Again the improper use of terms. This is not a "requirement".
This is Concept of Operations choice. Pure and simple. It is quite literally that Boeing chose one way, SpaceX chose another for their own reasons. The both have pros and cons associated with them.
Apparently you missed the word
BOGUS. I said it was a
bogus requirement, meaning that it was NOT a requirement. I chose that phrase because it was being presented as if it were a requirement when, in fact, it is not. And I provided an example (Dragon) to prove that it was not.
-
#551
by
OM72
on 09 Jan, 2020 17:43
-
I keep picking at this because I would like to understand the CONOPS choice, and I don't. Unless the engineers are idiots (and I don't think that Boeing's are), they choose the CONOPS to fulfill an underlying set of requirements. Let me rephrase my list of hypotheses to be disproven into a more standard set of engineering requirements:
1) Have the safest plan for recovering the crew from post-insertion mishaps.
2) Meet IDA and NDS docking mass, moment, and torque requirements. (NB: Two different spacecraft with the same mass can have different moments, so D2 being OK with a full load doesn't necessarily imply that Starliner will be as well.)
3) Deal with whatever performance issues the launch leaves you with post-separation (i.e., after DEC MECO-1).
These are all requirements for both D2 and Starliner: there needs to be an answer for each one of them. Sometimes the answers are trivial, as in the case of #2 (i.e., if you have to burn off prop, do so, but burning off prop is easy and likely doesn't impact the choice of insertion orbit). Sometimes they're not, as with #1: no matter what the insertion is, you'll need a full-up failure analysis to decide what the safest CONOPS is.
Looked at from the standpoint of these requirements, it's pretty clear that the D2 CONOPS leaves it in a stable post-separation orbit because the PLOC was lower in that orbit than it was in a free-abort orbit. That might be because D2 has more stringent attitude control issues for entry and it was safer to work attitude control problems in orbit, or it might just be because the F9 has no problem flying a safe trajectory and still inserting into the stable orbit.
Similarly, it's pretty clear that the Starliner CONOPS leaves it in a free-abort orbit because PLOC is lower in that free-abort orbit. Now, that might be because Starliner is pretty bulletproof wrt attitude control on reentry and the best way to work an attitude problem was to let the atmosphere straighten it out for them, or it might be that the N22 simply didn't have the ability to insert into a stable orbit and still fly the safe trajectory, so inserting into an orbit that was at least a safe corridor was the best they could do.
Again, I don't know the answer here. But the distinction seems pretty crucial.
Those are not requirements. (Well, to an extent #2 is but all that is contained in what is called the ICD)
In my opinion, you're really looking at this in too fine a matter. Concept of Operations are a set of just that, concepts, on how to achieve the overall mission within the various *INTEGRATED* vehicle design requirements, constraints, objectives, etc of any given flight.
So in other words, both Starliner and D2 ConOps work. They just skinned-the-cat differently for their own reasons in the various trade space each company respectively worked.
In the case of Starliner, yes, you get a free entry if you want to take it. But the ConOps assumes that is not going to be the case. LAS is no longer required but all the prop is still there. This vehicle will be docked and in-orbit for approximately 6 months and generally facing the forward velocity vector. It was CHOSEN to burn off as much prop that would not be required for the *entire* mission duration for potential MMOD reasons.
-
#552
by
SoftwareDude
on 09 Jan, 2020 17:58
-
I wonder if NASA requires Boeing to launch another unmanned test, will NASA pay them to do it?
-
#553
by
Eric Hedman
on 09 Jan, 2020 18:14
-
I wonder if NASA requires Boeing to launch another unmanned test, will NASA pay them to do it?
That will require us to wait and see. I'm sure there will be negotiations on that. It could go from NASA paying nothing, to paying just for the Atlas V, to paying for the whole thing. I would bet if it happens, NASA pays just for the Atlas V or part of it.
-
#554
by
jarmumd
on 09 Jan, 2020 18:23
-
2) Meet IDA and NDS docking mass, moment, and torque requirements. (NB: Two different spacecraft with the same mass can have different moments, so D2 being OK with a full load doesn't necessarily imply that Starliner will be as well.)
Both have significant margin wrt the IDSS limits. Enough so that the mass difference of the additional propellant should not be significant.
As I said before, the mass could be significant for GNC control, but even then likely not.
-
#555
by
TheRadicalModerate
on 09 Jan, 2020 20:28
-
Those are not requirements. (Well, to an extent #2 is but all that is contained in what is called the ICD)
In my opinion, you're really looking at this in too fine a matter. Concept of Operations are a set of just that, concepts, on how to achieve the overall mission within the various *INTEGRATED* vehicle design requirements, constraints, objectives, etc of any given flight.
So in other words, both Starliner and D2 ConOps work. They just skinned-the-cat differently for their own reasons in the various trade space each company respectively worked.
In the case of Starliner, yes, you get a free entry if you want to take it. But the ConOps assumes that is not going to be the case. LAS is no longer required but all the prop is still there. This vehicle will be docked and in-orbit for approximately 6 months and generally facing the forward velocity vector. It was CHOSEN to burn off as much prop that would not be required for the *entire* mission duration for potential MMOD reasons.
I'm not understanding your distinction here. All of those are clearly requirements; indeed, they're even integrated requirements. I'm happy to add your "reduce MMOD-generated explosion risk by reducing dormant prop" to the list. The CONOPS has to treat all of them as constraints and come up with something that satisfies them all. That doesn't mean that the requirements stand alone, however. For example, if you have trajectory constraints that limit your performance, then you might insert into a suborbit that has an absolute higher risk than that of a stable orbit, but that doesn't matter if the stable orbit is off the table because of the need to reduce a much higher trajectory risk. What
does matter is that the all-up risk is acceptable.
Surely NASA will have asked in the design review whether they looked at other CONOPS and determined that this one optimized mission safety for whatever launch constraints they had. Surely somebody had to answer the question, "Why is this safer than inserting into a stable orbit?"
There are lots of acceptable answers to that question, but they need to reference fundamental safety criteria to be taken seriously. A couple of examples:
1) "We computed the risk of a post-separation loss of control to be high enough, and the risks of reentry in that condition to be low enough, that a free-abort insertion is safer than a stable orbit insertion."
2) "We have launch safety constraints that prevent us from getting to a stable orbit, so we chose the free-abort insertion as the lowest possible post-separation risk given that constraint."
An
unacceptable answer would likely be, "We needed to burn off prop to minimize MMOD explosion risk while docked to the ISS, and so we intentionally chose a suborbit so we could lop 32 m/s of prop off right from the git-go." That would almost certainly beg the question, "Why didn't you just do a sub-optimal set of phasing maneuvers to burn off the same amount of prop, instead of subjecting the spacecraft to a bunch of post-separation suborbit risks?" It's fine to answer that by saying, "Because we had to be in the suborbit anyway, for either safety or performance reasons, and burning off the prop like this is just gravy," but I can't see that being the principal motivation for the suborbit.
-
#556
by
clongton
on 09 Jan, 2020 21:43
-
I wonder if NASA requires Boeing to launch another unmanned test, will NASA pay them to do it?
IMO it likely depends on the final root cause for OFT Mission Fail and Boeing's degree of culpability for it.
Was it a normal hiccup in new software that displayed itself in a spectacular way, or was it a screw up that no way in hell should have happened? Only time will tell.
-
#557
by
Redclaws
on 09 Jan, 2020 21:55
-
This appears to repeat the erroneous assumption that the leading surfaces of the ISS are at greater risk from MMOD.
In fact, they are some of the safest.
There is almost nothing at 400 km going slower than the ISS. More than 100 m/s less and it will reentry immediately.
Do you have a reference for the leading edge of the ISS taking fewer impacts? This statement doesn’t make sense to me. The idea of things “going slower” than the ISS assumes items in precisely the same orbital track, the issue is presumably not items in precisely the same orbital path, it is items in distinct orbital paths that intersect.
-
#558
by
Coastal Ron
on 09 Jan, 2020 22:27
-
This appears to repeat the erroneous assumption that the leading surfaces of the ISS are at greater risk from MMOD.
In fact, they are some of the safest.
There is almost nothing at 400 km going slower than the ISS. More than 100 m/s less and it will reentry immediately.
This is only true for objects in space that are in the same orbit as the ISS, and going in the SAME DIRECTION. If they are going in the opposite direction then they would result in a nasty collision with the ISS. And the same is true about polar orbits intersecting with the ISS, which would collide with the sides of the ISS.
What this has to do with the Starliner, I have no idea. But just wanted to point that out...
-
#559
by
Comga
on 09 Jan, 2020 22:43
-
This appears to repeat the erroneous assumption that the leading surfaces of the ISS are at greater risk from MMOD.
In fact, they are some of the safest.
There is almost nothing at 400 km going slower than the ISS. More than 100 m/s less and it will reentry immediately.
Do you have a reference for the leading edge of the ISS taking fewer impacts? This statement doesn’t make sense to me. The idea of things “going slower” than the ISS assumes items in precisely the same orbital track, the issue is presumably not items in precisely the same orbital path, it is items in distinct orbital paths that intersect.
Any Orbital Mechanics 101 textbook or online tutorial.
No it does not make that assumption.
If something has a perigee as low as the ISS but coming from a substantial angle, a different inclination orbit, the sides have much higher chance of impact.
The only things being overtaken are exoatmospheric air constituents.
But this is no longer L2.
edit:a quick Google search on my iPhone pulls up.
this.For an early configuration of the ISS, (before JEM and Columbus) with many caveats, those elements most at risk from MMOD, in order of decreasing danger are:
Progress Nadir (bottom of back end)
Soyuz (hanging below towards the back)
Progress Aft (the back)
The node up front is way down the list.
