NASA mission manager LeRoy Cain had a tough translation job on his hands Thursday night when he tried to explain how his team could proceed to launch the space shuttle Atlantis — under the very same circumstances that aborted a launch attempt earlier that day.
He seemed to be using ordinary terms such as “flight rules” and “rationale” and “decision.” But such terms are tricky when you're telling journalists that a new policy of tolerating previously forbidden hardware problems could really be as safe as the zero-tolerance approach.
To an outsider, it may have looked as if NASA was cutting corners on safety once again. But take it from a former insider: Cain's approach makes perfect sense.
It all comes down to what the meaning of the word “rule” is, and why it may be justifiably different in space from what it is back on Earth.
These aren’t ironclad laws that incur civil punishment if broken, or rote checklists that must be followed like some tax form’s flow chart. A rule for spaceflight guides decisions in much the same way that Mission Control guides the spacecraft: It gives you a planned path — but when certain conditions are met, detours are allowed.
An explosive subject
In this case, the rules deal with a literally explosive subject, the propellant in the shuttle’s giant external tank. More critically, they deal with the phase near the end of the ascent when the propellant is nearly but not quite exhausted.
Back on Earth, when driving cross-country, a gas gauge that reads "nearly empty" when the tank actually runs dry leaves you stranded and embarrassed. On a spaceflight, it can mean death.
During Thursday’s aborted countdown, two of the four fluid sensors in the shuttle’s main hydrogen tank indicated that they would report "wet" — that is, "not yet empty" — even if the tank actually went dry. Under certain conditions, if those sensors don’t accurately report that the tank is running empty, there could be disastrous consequences to the shuttle and its crew. If either the oxygen or the hydrogen feed stops while the other feed continues, the fire in the engines can go disastrously out of control.
To permit the launch to proceed, NASA currently requires that three of the four fuel tank sensors be operational. So when Cain was suggesting it might be safe enough to decide that only two working sensors might be adequate, was he lowering the level of safety?
My own years in Mission Control told me that he wasn't. He was describing a classic NASA practice of making sure you and your equipment are ready for every emergency. His logic was impeccable, safety was being preserved, and yet the message failed to get across to his audience because he wasn’t actually speaking ordinary English, as most listeners assumed.
Flight Rules with capital letters
In the Mission Control Center, a “flight rule” is a capitalized, well-defined concept. These Flight Rules, or FRs, are compiled in a book that is the first reference for rapid decision-making during situations that don't follow the norm. It is by no means a mindless cookbook for automatic obedience. Nor is it merely a list of suggestions that can be followed or not by whim.
Essentially, it’s the product of “worrying in advance” about possible failures, or combinations of failures, and what the best reactions to them are. These reactions are developed based on analysis, on testing, on complex mission simulations and real flight experience.
As a veteran of Mission Control myself, I didn’t learn this from a book, or from being lectured. All this practical theory was drilled into me when, in 1979, NASA flight director Neil Hutchinson asked me to be the panel secretary for his new project: composing the very first Flight Rules for a space shuttle launch.
Hutchinson headed the "Silver Team" — the men and women tasked to conduct the first-ever space shuttle blastoff (and when it happened, on April 12, 1981, I was there in Mission Control as a member of that team). Even though the team drilled and drilled to think fast, Hutchinson realized from experience that most choices could be defined and described in advance.
System by system — propulsion, power, communications, life support, the works — the panel reviewed the kinds of failures that might occur, how they would manifest themselves, what could be done about them, and how soon the advice had to be acted upon. I chronicled the debates, collected the draft rules and the logic behind them, distributed the notes and collated the critiques. Gradually, a workable reference book emerged.
Inside the Flight Rules
In a real mission, we would have to detect anomalies, diagnose them, determine the proper response, inform the crew, and monitor the level of success of their response. And we would be expected to do this while beset by extremely tight time schedules, misled by false alarms and distracted by a prioritized list of other real problems calling for our attention.
Each rule was accompanied in the handbook by its rationale. Why had the rule been composed, and in what anticipated situations was it to be applied? What other factors might negate the desirability of the specified responses? What was the proper role of judgment and originality?
The Flight Rules that Cain was trying to explain, aimed at making a launch safe even with one or two failed tank sensors, are part of this genre. And these FRs really ought to work, because NASA engineers have reacted to a recent history of sensor problems by performing thousands of hours of new tests of the sensors’ performance, and by installing new circuits that provide hitherto-unavailable insights into the sensors’ functions and malfunctions.
The most important new diagnostic tool is a voltage monitor that can tell when a sensor has failed in the "wet" mode — falsely indicating that there's more fuel left than there really is. A small flag appears on display screens, labeling the "wet" indication as false. Previously, the sensor failure had to be deduced by comparing it to indications from other nearby sensors — and for that, the conflicting indicators had to vote the bad sensor "off the island," as if spaceflight were a "Survivor" episode.
This is no longer the case. The last two shuttle missions have used fuel tanks with these new tank sensors installed. In flight, the sensors performed perfectly, but during practice sessions back on Earth, trainers had simulated combinations of false and true readings from the entire set of sensors, in order to test the reactions of Mission Control.
Based on the way we have all been taught, I would confidently guess that Mission Control already has a pretty thorough "cheat sheet" drawn up and tested by fire, specifying the necessary responses to the entire gamut of possible combinations of failures.
Blessing the new rules
On Thursday, Cain explained that these reference charts had not yet been formally presented to the review process that would bless them as real Flight Rules (the capitalization was evident in Cain's enunciation). He had assigned an action to the group to whip them into shape in a day (or if needed, two or three days) and present them to his own special panel, the Mission Management Team. If the team at Mission Control could prove that their written rules resulted in the right answers under all conceivable conditions, they would be blessed by Cain’s team for use on this mission.
And that is what Cain had been trying to explain, using terms that sounded like they were everyday English but which, in arcane NASA practice, were much, much more. It is a rigorous application of those words in their Mission Control meanings, not any thermal tile or pressure hull or meteorite shield, that is the space shuttle’s main bulwark against disaster in flight.
I know it was that way for STS-1, because I had a small role in helping bring it about. And I have every confidence that Cain and his team can stay true to this tradition and establish the safety of launching Atlantis with fewer tank sensors than originally prescribed. And that’s because of, not in spite of, the non-standard meanings applied to standard English terms.
He and I do speak the same language, and we are connected by another bond. I was on duty for the very first moments of Columbia’s flight as it launched. Twenty-two years later, Cain was in charge of the Mission Control team that was on duty for the last moments of Columbia’s flight history, when conditions beyond human control destroyed it and its crew. He’s not going to forget that feeling of bafflement, helplessness and despair — and I’m confident he’ll make sure the new Flight Rules are built strong and safe.
James Oberg, space analyst for NBC News, spent 22 years at the Johnson Space Center as a Mission Control operator and an orbital designer.