NASA has issued a Launch Commit Criteria (LCC) waiver in case of a specific ECO (Engine Cut Off) sensor failure, with a troubleshooting plan drawn up in case of related problems in the countdown.
Despite some documented disagreement on the correct way to deal with sensor failures – with some element within NASA recommending a full “4 of 4” LCC should remain – it is hoped the waiver won’t be required during the final preparations for the launch of STS-121.
NASA meetings had previously dismissed a change in the LCC for the sensors, added to the 5th of April decision against a tanking test to evaluate the ECO sensors for any potential repeat of failures recorded in the run up to STS-114 last July, with faults showing during both the tanking test and the first countdown – the latter causing a scrub.
This followed a decision to swap out the LH2 ECO sensors from ET-119 – a process that is also currently being undertaken on ET-118 at KSC – due to information that pointed at a large amount of installed sensors coming from a bad batch.
The ECO R&R work may have ultimately solved the problem, which would allow for the launch of Discovery to proceed without the ECO sensors hindering the countdown. However, if a fault does show, NASA has a plan.
The waiver is based around a single LH2 ECO sensor failing ‘wet’ during the countdown, a series of SIM commands will test the system, with the waiver noting certain criteria that will determine whether the launch can proceed as planned, or scrubbed.
However, if a ‘single DRY failure or multiple WET or DRY failures,’ then the launch would become a ‘scrub, stand down, form teams, do not attempt 24 or 48 hour turnaround,’ noted an attached Space Shuttle Systems Engineering and Integration Office (SE&I) document.
‘SICB (NASA’s System Integration Control Board) consensus that additional troubleshooting on pad unlikely to identify cause of failure.’
‘On second launch attempt, if same sensor fails wet or there is no ECO failure: Go for Launch,’ – with the – ‘LCC exception rationale: Confidence increased in remaining 3 sensor system, PRA for LOCV (Loss of Crew/Vehicle) with one failed ECO sensor system – cause unknown – is better than 1/1000. Any other failure signature (different sensor, multiple sensors fail): SCRUB. Assess intrusive troubleshooting.’
The waiver notes – in justification: ‘Additional time and cryo cycles provide confidence in the remaining ECO System. 3 of 4 systems is acceptable for flight and meets the fail ops/fail safe criteria. The likelihood of two additional ECO System Failed WET coupled with a need for the LLCO system during flight is considered remote. (Greater than 1 in 1000).’
SE&I’s document also noted that STS-114’s ECO issues are still classed as an UA (Unknown Anomaly), although technicians believe they have a theory as to what caused the ECO sensor problem.
‘Exact root cause of failure on the day of launch will not be known, may just be narrowed to a given area of the circuit, E.g., most probable cause of STS-114 launch attempt anomaly is a cryogenic tanking induced, high impedance/open in measurement path. Unable to narrow down to PSB, Orbiter wiring, Orbiter connectors, ET wiring, ET connectors, or ET sensor.’
Presenting rationale against the ‘3 of 4’ position was Johnson Space Center’s ‘EP4’, noting in their JSC/EP4 MPS Integration position: ‘We advocate a 4 of 4 LCC for LH2 ECO sensors because of the MX/NC PRA.
‘The PRA says that if we launch 3 of 4 with an unidentified root cause then the probability of LOCV is approximately 10 (to the power) 3. If we launch 4 of 4 or 3 of 4 with the failure identified so that common cause can be ruled out, then the probability is in the 10 (to the power) 6 range.
‘Any STS-121 on-pad troubleshooting plan that does not culminate in identification of the failure mode does not help the probability issue. Therefore, not in favor of any 24-48 hr scrub turnaround tankings.
‘(There is) new data supporting 4-of-4 position. Thermal conditioning does not improve the future reliability of the sensor (per May 4 PRCB tanking test PSE&I charts). ET Project has reported that problematic swages can cause inconsistent and unrepeatable resistance changes from cryocycle to cryocycle.’
As far as getting to the point in the count where a most of these decisions will kick in, most of the documentation shows that a final assessment of any issue that arises will come at T-9 minutes. What is also clear in JSC/EP4 MPS Integration’s position is the requirement for a rollback of Discovery – and detank (ending the July launch window opportunity) should the failure breach the troubleshooting criteria.
‘MPS NSE recommends ‘Go’ for launch ONLY if fail ‘wet’ condition occurs and is positively isolated to the MDM after reaching stable replenish (ensures thermal equilibrium of all system elements including monoball).
Otherwise: ‘Review of other signals going through the affected mono-ball for anomalous signatures. Review of other subsystem activities coinciding with the ECO anomaly event for possible EMI influence.
‘Detank. Open aft compartment and install break out box at monoball production break (connectors 50J952 or 50J963). Perform resistance and TDR reading on affected circuit plus equivalent circuit. Remove break out box and install cryosimulator at new production break. Perform point sensor box system level checkout. Detailed data review of all of the above.
‘Go for second launch attempt if troubleshooting isolates/corrects failure and no common cause concerns exist. If troubleshooting does not identify/isolate failure and allow for ruling out common cause, EP4 MPS integration is ‘No Go’ for subsequent launch attempt.’