By John McManamen
One of the many lessons I’ve learned during my career is we aren’t always as smart as we think we are. When we discovered large oscillations occurring during docking between the Space Shuttle and International Space Station (ISS), I had a chance to learn that lesson again. It’s amazing the kinds of problems you can find even in a mature program like the shuttle, which has been operating for thirty years. It teaches us to be vigilant and always stay curious, questioning things that don’t look right.
(Top) The shuttle and station docking mechanisms after soft capture and before retraction during STS-121.
(Middle) The shuttle capture ring ready to dock with station during STS-131.
(Bottom) Visitors learn about the docking mechanism that allows the Space Shuttle to dock with the International Space Station.
Photo Credits: NASA
In this instance, what didn’t look right was a recurring misalignment during docking retraction: a process that occurs after the shuttle and station have successfully joined (known as “soft capture”) but have not yet achieved what we call a “hard mate,” when the docking is complete and everything has successfully sealed. Retraction is the process of the ISS docking mechanism slowly pulling in the docking mechanism on the shuttle side. Considering how close these two massive objects get to each other—anywhere between six and fourteen inches—a little wobble can mean a lot of risk: in this case, contact between things not intended to touch.
Docking is one of those highly integrated operations that involves massive spacecraft and many systems, including relative rate and alignment sensors, digital autopilot for attitude-control systems, crew piloting to maintain lateral alignment and translational velocities, and a complex docking mechanism that can deal with residual misalignments and rates. Then consider that, once capture is achieved, both vehicles begin free drift—turning off their thrusters and thus giving up attitude control—and you can begin to imagine the entire process as a very complex dance happening at more than 17,000 mph, and up to 280 miles above Earth.
During the STS-133 docking operation, significant oscillations were experienced between the shuttle and ISS as the retraction was occurring. Reviews and a more detailed post-flight assessment raised numerous concerns about the current docking procedure and posed fundamental questions about whether we were operating within certification limits.
Trajectories and Timelines
When the docking procedure was originally created during the Space Shuttle–Mir missions and early ISS flights, the orbiting stations were much smaller, and the shuttle could approach and dock fairly quickly—usually in less than 20 minutes—along a trajectory much less susceptible to gravity-gradient torques during free drift. The gravity gradient (a greater gravitational pull on the parts of objects closest to Earth) can affect the orientation of satellites in space, inexorably pulling them out of alignment. In the case of shuttle and station, this force can pull hard enough to change their orientation to each other. This usually isn’t a problem when the station and shuttle can use thrusters to realign themselves individually. But when they shut off those thrusters and enter free drift, the gravity-gradient torques begin disturbing the operation. The longer the free drift lasts, the worse the wobble becomes. This wasn’t a problem when the shuttle–station docking process was completed within the nominal less-than-20-minute timeline, but that timeline had been getting progressively longer over the years—a result of making operational changes to deal with docking-system idiosyncrasies discovered over time.
One such idiosyncrasy occurred when an electromagnetic “brake,” the high-energy damper, inadvertently stuck beyond its normal time to disengage. We dealt with this by adding steps to the docking process: extending the docking ring and then retracting it briefly to reverse torques in the system, which allowed the clutch plates holding on to the high-energy damper to release. Adding steps also added time.
As the station grew in size and mass, the gravity-gradient effect became more dominant during shuttle–ISS docking. As this rotation built up over tens of minutes of time, the centrifugal force would create a misalignment during docking, which would slow down the docking procedure. If a sensor indicated a misalignment, the crew would follow procedure by stopping the automatic docking sequence, which would then disengage “fixers,” a design feature meant to limit misalignment during retraction. This would cause more wobble, and the crew would have to wait for alignment to reoccur before starting up the process again—more time.
Partial view of the nose and crew cabin of Discovery taken from the International Space Station during the shuttle’s docking approach.
Photo Credit: NASA
Everything culminated during the STS-133 mission; the docking took nearly 50 minutes—more than double the nominal time. I had a moment to speak with the commander during a debrief about the mission, and he described what he saw looking out the overhead window: the ISS pressurized mating adapter coming fairly close to the orbiter, and the ISS guide pins looking as though they were going to hit the orbiter docking interface as misalignment grew. When I heard what he was talking about, my jaw dropped. We realized that with the evolution to our current procedure, we had no way of controlling the growing misalignment and no integrated tools to analyze the gravity-gradient implications for the hardware, vehicles, or mission timeline. We needed a solution quickly, and we had just under four weeks to find it: STS-134 was getting ready to launch.
One Line, One Light
Convincing anyone to make a procedural change in under four weeks is no easy task, so we made sure we had our facts straight and our data validated to prove that the resolution was less risky than letting the system proceed as it had been.
Though we showed that the shuttle and ISS could never actually collide if oscillations happened during the soft-capture phase—though they could get worryingly close, closer than six inches—there were other risks to station that were very severe. Because the timeline had grown from less than 20 minutes to nearly 50 minutes, the station was at risk of losing its power-generation and thermal-heat-protection capabilities due to longeron shadowing; the station’s solar arrays could not generate enough power for vital onboard systems. Something had to change to avoid this risk.
This partial view of the starboard wing of Space Shuttle Discovery was provided by an Expedition 26 crewmember during a survey of the approaching STS-133 vehicle prior to docking with the International Space Station.
Photo Credit: NASA
We knew there was no time to make any hardware changes, so we looked at what we else could do. Some of our concern was with the earlier procedure changes, which had the fixers operating in a different way than what had been certified. A fixer is just what it sounds like: a small switch that deploys to fix something in place, in this case the gears controlling the orbiter docking-ring rotation. We needed to understand what the fixers were doing in the new procedure. Were they engaging or not? Were they working properly or not? Were they failing or working?
The operations community was very concerned about ensuring the fixers were working; if they weren’t, and we had a large gravity-gradient-induced oscillation, we could impact parts of the docking mechanism not intended for contact. We had to come up with a new technique to determine what was happening with the fixers in real time.
The previous procedure included shutting off the automatic sequence if misalignment occurred in order to protect against a fixer failure. Our perception at the time was that the fixers could not structurally handle the stress of gravity-gradient torques. But stopping the sequence stopped the ring retraction and disengaged the fixers, so the fixers never got to do their job: preventing the orbiter capture ring from rotating. What we discovered during testing was the misalignment sensor would actually trip before ever making contact with the fixers. So we had to look creatively at what else was available in the system in terms of more accurate sensors, and we needed to better understand the fixers’ structural capacity.
Backdropped by Earth, Discovery approaches the International Space Station during STS-133 rendezvous and docking operations. Already docked to the station is a Russian Progress spacecraft.
Photo Credit: NASA
The initial-contact sensor in the docking system is odd because that is all we use it for—it turns on a display-panel light for the crew—but it’s actually an unreliable indicator of initial contact. It turns out to be a very good indicator of how much the capture ring has rotated, though. We found that the initial-contact-sensor indication always occurred after the fixers engaged. Once we understood that, and were able to demonstrate it on the brassboard docking-mechanism unit we have—a test model which is essentially a flight unit—we knew the sensor was a very good indicator of whether a fixer had failed or not. The only time we should see that sensor light during retraction is if a fixer has failed.
Convincing anyone to make a procedural change in under four weeks is no easy task, so we made sure we had our facts straight and our data validated to prove that the resolution was less risky than letting the system proceed as it had been.
The fixer load capacity was refined based on discussions with our Russian colleagues, who had originally designed, built, and tested the system. We were able to demonstrate through test data that loads applied to the test-unit fixers far exceeded our predicted worst-case gravity-gradient loads. With this information and our new knowledge of a sensor that could accurately indicate a failed fixer, we were confident we could modify the docking procedure to make it safer and more robust.
The procedure change ended up being very small. We altered only one line of code in the auto-sequence programming, and trainers advised the flight crew to ignore the misalignment sensor and instead use the initial-contact sensor to judge misalignment. But that small change had profound consequences for the overall operation. We mitigated huge risks to the docking mechanisms on both the shuttle and ISS, as well as risks to the vehicles themselves. The team worked hard and through long hours to find the simplest, safest solution before the next shuttle mission launched, and we found it in one light and one line of code.
The International Space Station and the docked Space Shuttle Endeavour photographed by Expedition 27 crew member Paolo Nespoli from the Soyuz TMA-20 following its undocking on May 23, 2011.
Photo Credit: NASA
By making those changes, we were able to decrease the delays caused by the automatic stop programmed into the docking procedure, which occurred whenever the first misalignment-sensor indicator lit up. Our hard work and innumerable data were validated once more when STS-134 docked without any of the delays experienced on STS-133. In fact, it achieved the transition from soft capture to hard mate in just 13 minutes and 4 seconds.
Mitigating Potential Problems
Very few anomalies are caused by just one thing. It’s usually a number of factors, events, or changes that line up to result in a real problem. In our situation we had a number of things lining up for a potentially bad outcome. Thankfully, our team was able to recognize the signals and mitigate the risk before the potential could become reality. And we learned some very valuable lessons in the process: a thorough assessment is required even for the smallest, simplest procedure change; environments and systems can change, even after thirty years of proven performance, so reevaluate integrated system certification/verification regularly to ensure operations are still valid and safe; and, most importantly, stay hungry, be curious, and question things if they don’t look right. If those questions lead to hardware modifications or procedural changes, have a rigorous certification process in place to assess unintended consequences. This will help ensure one risk doesn’t unintentionally lead to more.
About the Author
 |
John McManamen began his NASA career at Johnson Space Center in 1987 as an aerospace engineer in the Mechanical Design and Analysis Branch of the Structures and Mechanics Division. In 2000 he became chief engineer of the International Space Station, seeing it through final development and early on-orbit assembly operations. In 2003, he was selected as an inaugural member and Technical Fellow in the newly formed NASA Engineering and Safety Center. He is currently chief engineer for the Space Shuttle program. |
