[FPSPACE] The dark side of space disaster theories

[James Oberg]

The dark side of space disaster theories
http://www.thespacereview.com/article/1043/1
by James Oberg
The Space Review
Monday, January 21, 2008
Space disasters attract so much public attention and often involve such complex and subtle sequences of events that there's an entire Internet literature of "crackpot causes" on par with JFK assassination myths. To the degree that innovative analysis is often critical to reconstructing-from partial and often garbled evidence-a shocking causal sequence leading from goodness to disaster, the initial investigation period demands that critical judgment be held somewhat in check so as not to discourage imagination.

However, once a logical reconstruction gels, is tested, and then is ultimately verified by being implemented and hence reducing future flight hazards, that official explanation achieves a substantial level of authenticity. But not to everyone's satisfaction, apparently, as a search of still-thriving non-traditional explanations of the Apollo 1 fire, the Apollo 13 breakdown, the Challenger disintegration, and the Columbia catastrophe, whose fifth anniversary now approaches.

For example, in the case of Columbia, YouTube is full of videos from self-styled experts still convinced a freak bolt of ionospheric lightning crippled the spaceship. A famous photograph supposedly shows that bolt, even though space experts have long been satisfied that the bizarre image was merely the result of camera jiggle during a time-lapse exposure.

Apart from the comic relief value of such crackpot ideas, there's a darker aspect of this kind of cultural pathology, just as there are serious analyses pointing to the socially toxic effects of the JFK assassination "alternate theories". For spaceflight, being distracted by the wrong cause means being tempted by the wrong fix. That's never amusing, and often can be expensive.

As an egregious "bad example" of wrong causes, a recent book (Dark Mission, by Richard Hoagland and Michael Bara) spent a lot of time muddying the waters over a series of NASA Mars mission failures in the 1990s. This isn't just some remote corner of an intellectual ghetto on the Internet-the book came within one tick mark of making it onto the New York Times bestsellers list for paperback non-fiction (it reached #21 nationwide). So as an exercise in cultural self-defense and in proselytizing sound "space safety" history, here is a detailed look at the claims, the delusions, and the errors in that book's treatment of these space accidents.

Mars Observer (1993)
Dark Mission portrays the failure of the Mars Observer probe in 1993 as a deliberate act by NASA to prevent the publication of its expected photographs of artificial Martian ruins. But the description of the events is inconsistent with well-documented accounts, reports non-existent events, and omits well-known explanations for important features of the probe's flight plan. All of this can be easily confirmed through Internet searches.

Dark Mission, pp. 87-88: "NASA, in another unprecedented move, had inexplicably ordered Mars Observer to shut off its primary data stream prior to executing a key pre-orbital burn. Because NASA had violated the first rule of space travel-you never turn off the radio-no cause for the probe's loss was ever satisfactorily determined."

Actually, whether a radio is turned on or off, practically all orbital insertion burns on lunar and planetary missions occur out of radio contact. This is a result of the geometric alignment of the probe passing behind the planet (or moon) and hence having its radio signals blocked. So keeping a probe's radio turned on during these periods is about as useless as installing windshield wipers.

To my knowledge, there is no "first rule of spaceflight" about never turning radios off. Interplanetary probes do this all the time. The "rule" is imaginary. I can't find any documentation anywhere that provides this "rule". I suspect that the Dark Mission authors just imagined it.

The maneuver that Mars Observer was to perform was not even, as Dark Mission claims, a "key pre-orbital burn". It was not a burn of any kind. Instead, it was the firing of explosive bolts to open two pressurant tanks that would allow the fuel to be pushed into the probe's engines several days later.

There is nothing "inexplicable" about turning off the radio for the firing of the pyrotechnic bolts. The sharp shock of the detonations was thought to be a hazard to the hot filament in a key radio component, which is much less brittle when cold. Hot filaments can shatter under shocks that cold ones wouldn't even notice.

This is clearly explained in on-ine documents, including the accident report. You only have to search "Mars Observer accident report" to be led right to the 313-page "Failure Investigation Board Report".

Why was the radio turned off? "In accordance with the mission's published flight rules, the transmitter on the spacecraft had been turned off during the propellant-tank Pressurization Sequence on 21 August. To protect the spacecraft radio frequency transmitter from damage during the Pressurization Sequence (albeit a very low probability), the software included a command to turn off the Mars Observer transponder and radio frequency (RF) telemetry power amplifier for a period of ten minutes. This was a standard procedure that had been implemented several times earlier during the mission."

The report gave further details: "This sequence included the firing of two normally-closed pyrotechnic valves, that would allow high-pressure gaseous helium to pressurize the nitrogen tetroxide oxidizer tank and the monomethyl hydrazine fuel tank." More on p. 25 of the report: "Concern existed in the Mars Observer project team that the pyro-firing event might damage the traveling wave tube amplifiers in the spacecraft telecommunications system if the amplifiers were left on."

Nor is it true that "no cause for the probe's loss was ever satisfactorily determined", as Dark Mission claims. To the contrary, in hindsight it was excruciatingly clear what almost certainly happened.

"The Board was unable to find clear and conclusive evidence pointing to a particular scenario as the 'smoking gun'," the report explained, but "the Board concluded through a process of elimination that the most probable cause of the loss of downlink from the Mars Observer was a massive failure of the pressurization side of the propulsion system. The Board also concluded that the most probable cause of that failure was the unintended mixing of nitrogen tetroxide (NTO) and monomethyl hydrazine (MMH) in the titanium tubing on the pressurization side of the propulsion system. This mixing was believed by the Board to have been enabled by significant NTO migration through check valves during the eleven-month cruise phase from Earth to Mars. This conclusion is supported (but not proven) by NTO transport-rate data acquired by JPL, by NTO/MMH reaction simulations performed by [the Naval Research Laboratory], and by NTO/MMH mixing tests performed by AFPL [Air Force Propulsion Labs]."

As to why the propulsions system hardware, adapted from a military prop module that normally needed a lifetime of only 12 hours, was used for a year-long mission, the report added that "Too much reliance was placed on the heritage of spacecraft hardware, software, and procedures, especially since the Mars Observer mission was fundamentally different from the missions of the satellites from which the heritage was derived." It specifically criticized the propulsion system for "Inappropriate isolation mechanisms between fuel and oxidizer for an interplanetary mission."

"The original [money-saving] philosophy of minor modifications to a commercial production-line spacecraft was retained throughout the program," the report continued. "The result was reliance on design and component heritage qualification that was inappropriate for the mission. Examples of this reliance were the failure to qualify the traveling wave tube amplifiers for pyro firing shock [and] the design of the propulsion system."

Whether or not this particular proposed failure mode is plausible (and from my own research I've concluded it was very plausible), it remains untrue to state (as Dark Mission does) that turning off the radio was "inexplicable" (and a violation of a "rule number one") and that no satisfactory explanation for the failure was ever determined. Leaving out these easily-available views resulted in a passage that I think was incomplete and misleading.

Mars Polar Lander (1999)
I noted several Dark Mission references to me personally that deal with the 1999 failure of the Mars Polar Lander (MPL) probe. On page 316: "James Oberg published a story on UPI that accused JPL employees of knowing full well that the MPL was doomed (due to software problems related to the spacecraft's landing legs) from very early on in the mission." On page 317 this is called a "bizarre UPI accusation". The brief account of the UPI article is garbled almost beyond recognition, casting serious doubts on the reading comprehension level of the author who did this section. In the one-sentence summary ("James Oberg published a story on UPI that accused JPL employees of knowing full well that the MPL was doomed due to software problems related to the spacecraft's landing legs from very early on in the mission"), practically every word is wrong.

Alleged foreknowledge of the impending failure had nothing to do with software. The article stated:

As explained privately to UPI, the Mars Polar Lander vehicle's braking thrusters had failed acceptance testing during its construction. But rather than begin an expensive and time-consuming redesign, an unnamed space official simply altered the conditions of the testing until the engine passed. "They tested the [engine] ignition process at a temperature much higher than it would be in flight," UPI's source said. This was done because when the [engines] were first tested at the low temperatures predicted after the long cruise from Earth to Mars, the ignition failed or was too unstable to be controlled. So the test conditions were changed in order to certify the engine performance. But the conditions then no longer represented those most likely to occur on the real space flight. "I'm as certain as I can be that the thing blew up," the source concluded.

That potential failure mode was not known "from very early on in the mission", but only at the very end: "Following the September loss of the first spacecraft due to management errors, NASA had initiated a crash review of the Mars Polar Lander to identify any similar oversights. According to UPI's source, the flaws in the [engine] testing were uncovered only a few days before the landing was to occur on December 3. By then it was too late to do anything about it."

The specific software problem with the landing leg sensor scenario was not known before the landing at all, and the UPI article clearly states that it was discovered after the crash: "The Mars Polar Lander investigation team has also reportedly identified a second fatal design flaw that would have doomed the probe even if the engines had functioned properly. Post-accident tests have shown that when the legs are initially unfolded during the final descent, springs push them so hard that they 'bounce' and trigger the microswitches by accident. As a result, the computer receives what it believes are indications of a successful touchdown, and it shuts off the engines. Ground testing prior to launch apparently never detected this because each of the tests was performed in isolation from other tests. One team verified that the legs unfolded properly. Another team verified that the microswitches functioned on landing."

In a simple reading comprehension verification test, this one incident indicates a severe problem with the book's authors' ability to understand, and restate, simple English about space technology. In one sentence, there were three swings, and three misses-three strikes.

By the way, after NASA's official denunciations of the UPI story I had written (I have the honor of being the only journalist ever denounced by name in an official NASA press release), the story turned out even worse than I had written. Space engineers hadn't fudged the test results, after all. My source was wrong about this, this time, the first occasion in a long sequence of accurate leaks. What was far worse was that NASA had decided that any such tests weren't even necessary. The engine ignition system was never tested at temperatures expected out at Mars, because (JPL said) the engine had already flown in space on some other mission and so didn't need to be requalified. But NASA press officials, despite repeated inquiries from me and promises of cooperation from them, never disclosed the space mission(s) that these special engines had been originally flown on.

The same design engines are installed aboard the Mars Phoenix lander now on route. Hopefully, improvements have been made.

Mars Climate Orbiter (1999)
Dark Mission's treatment of the Mars Climate Orbiter failure in 1999 (pp. 313-315) is erroneous, misleading, and unintentionally deliciously ironic.

All observers are free to offer their own hypotheses about the causes of space disasters. But their fundamental credibility must be founded on an adequate understanding and accurate recounting of the official theories that they want to supplant. Here, the authors fail spectacularly, again.

"According to a terse press release, the spacecraft was thrown off course when one navigational team in Colorado and the other at JPL used two separate measurement systems (metric and imperial) in key navigational calculations." Dark Mission called this "highly implausible and bizarre", and added: "The notion that this error could have been induced from the beginning of the mission and gone unnoticed is ridiculous. [T]o anyone with the slightest understanding of measurement systems and orbital mechanics, this statement. is ludicrous. That is why NASA's explanation is so unbelievable."

But the proximate cause of the navigation error was exactly as NASA admitted-a units foulup. Dark Mission's problem is that the authors completely misunderstood the NASA description, a description verified by independent investigators with private access to the space navigation team. While denouncing the official version of the accident as "ludicrous", they themselves never understood it, and so grossly misreported it in their book.

In reality (and interested readers can search the Internet for both official and unofficial contemporary stories with full details), the units problem was isolated to one data table that specified expected minor course disturbances from routine attitude control (pointing control) maneuvers during the coast periods. As small thrusters were fired on autopilot to correct for the gradual buildup of small orientation errors, the thrusters did not impart purely rotational impulses because of the way they were attached to the probe's exterior. Instead, they induced small propulsive forces as well.

Based on a reference table, an adjustment factor of these accumulated disturbances (which were too small to be detected by the probe's on-board accelerometers) could be calculated and factored into the periodic course corrections.

The table of expected accumulation of propulsive disturbances based on the amount of orientation control firings was the document that was in the "wrong" units, but was not labeled so explicitly. So when this "fudge factor" was calculated based on the known number of orientation thruster firings (with a calculation of the expected course disturbance caused by them), the factor was off by a factor of about three. This led to an unexpected and persistent trajectory "disturbance" that was noticed, wondered about, and periodically corrected for during the trans-Mars cruise.

All tracking and course correction maneuvers were calculated exclusively in metric, so the flight path was under close observation and control. Dark Mission's allegation of a wildly-off-course spacecraft based on its authors' misunderstanding of the fundamental error is entirely illusory. Their mocking rebuttal of the units error cause is a joke on themselves, since they never knew enough about the probe's navigation error to fairly judge its cause.

Approaching Mars, the disturbances grew. The uncertainties proved too high, and the error factor was in the wrong direction. So when the probe skimmed around the backside of Mars to fire its braking engine it was a few hundred kilometers too low-and so it hit the upper atmosphere, as last-minute tracking plots indicated it would, too late for any course change.

It was easy-and self-serving-for NASA flacks to blame low-level engineers making a conversion error. But the blame lay elsewhere. The debacle's root cause was a series of management flaws-including the refusal to respond to navigators' concerns until they could "prove the probe was off course"-and these were ultimately responsible for not reacting correctly to the suspicious disturbances in time.

A workable safety strategy is to develop a system that expects human errors and has defense in depth to detect, identify, and counteract them. It is not enough to simply assume, as NASA did in this case, that people won't make mistakes. And it was dishonest for NASA, in the immediate aftermath of the crash, to blame the disaster on a human mistake, and not on an imprudent NASA management philosophy of assuming no mistakes (and hence, eliminating double-checks).

In hindsight, it is an instructive example of a bad attitude toward safety and reliability that had infected NASA culture in the 1990s when under Dan Goldin's leadership, shaped in still-undetermined degrees by White House pressure, politics superseded safety as primary motivator. The spread of that attitude led directly to the bad decisions that later destroyed Columbia and killed its seven astronauts.

That hideous cost underscores the importance of correctly understanding space disasters, learning their lessons (often lessons already learned once, but forgotten), and responding correctly and constructively to them. And this suggests that bizarre conspiracy theories with false causes and phantasmagorical explanations (as in Dark Mission) aren't merely entertaining: in the worst case than can be distracting, misleading, and ultimately, costly. And that's much worse than merely "ludicrous".

The Hoagland "theory" of the failures
Focusing attention on these garbled and nonsensical Hoagland/Bara criticisms of the "establishment explanations" of these Mars probe failures distracts from actually considering what alternative scenarios Dark Mission advocates. They are not worthy of the appellation "theories" since they can't be verified or falsified, but as imaginative suggestions, they are very revealing of the thought processes behind them and similar fringe disaster scenarios.

Essentially, they argue that the accidents were all staged to prevent the need for public release of photographic evidence the probes were sure to gather concerning alien ruins on Mars (as if individual images couldn't just as easily be made to disappear as an entire spacecraft). Either the probes were turned off entirely, or their data was switched to some alternate top secret military control network that was developed for such a purpose.

Specifically, Dark Mission argues that the Mars Observer mission was terminated by decision of NASA based on a televised debate with a NASA scientist that Hoagland claims he won. Within hours of the debate, word was released that contact with the probe had been lost.

"In hindsight, it isn't difficult to figure out what actually happened," states Dark Mission (p. 87). "After other high NASA officials (and their bosses) watched [the scientist's] lame spin control fail miserably-and on live television-NASA went to Plan B. They either pulled the plug on the mission outright-out of fear of what uncensored images would reveal-or NASA simply took the entire mission 'black'."

This postulated causal chain doesn't even pass the simple timeline check. The debate, on a Sunday morning, occurred half a day after the probe had failed to resume communications-a development that was announced later on Sunday. Dark Mission would have the probe actually perform the "maneuver" (the pyro firing) correctly, come back on the air and transmit routine data for many hours, and then have NASA officials suddenly order everybody involved to pretend they had not received the expected signals. All the recordings of the previous twelve hours then needed to be erased, and a false series of bogus uplink communications commands needed to be thrown together-and everybody sworn to testify to this charade before the investigation board.

And all for what? Mars has in the past decade been swarmed by spacecraft from the US, Europe, Japan (unsuccessful, and understandably so), and, soon, Russia again. Their images have exceeded the quality of those that would have been obtained by the doomed Mars Observer. How were they then allowed to succeed?

But even without an analysis of the proposed true cause, a careful assessment of the misinterpretations and misrepresentations in the book's treatment of well-investigated spacecraft disasters provides a strong argument that these alternate ideas are not useful. Certainly one owes it to Murphy, the god of things going wrong in space, to look at any suggestion-and just as certainly, after looking at them, scenarios such as these can be ruled out.


--------------------------------------------------------------------------------

Jim Oberg spent 22 years at NASA Mission Control in Houston, where he sometimes performed the duties of division safety officer. He has specialized in debunking crackpot left-wing and right-wing theories about the Korean Airlines Flight 007 massacre in 1983.