Jump to content

So, Nauka... was at least the 2nd time that happened, wasn't it. Also, Kurs not Kursing?


DerGolgo

Recommended Posts

So this has been humming in my brains ever since I saw the first report of Nauka doing the thruster madness after docking to the ISS. When the underlying problem was published, the computer deciding it wasn't docked to anything and trying to back away from the ISS, my reaction was "Yeah, someone definitely didn't pay attention to old missions".
And yet, I haven't seen it mentioned anywhere.
So I decided to poll my fellow Kebal-Afficionados. I'm not just seeing similarities that aren't there, am I?

Cast your mind back to an earlier docking of spacecraft to space station. No, further than that.
Go all the way back to the first anything trying to dock to any space station. The first space station, as it were.
Before we get to it: No, I'm not suggesting Nauka's mishap had exactly the same cause, be it in hardware or software or both. But unless designers address it, having the same capabilities to do stuff is also to have the same capabilities for making mistakes.

But what the heck am I blathering on about. This:

1971. Salyut 1, the first space station gets its first ever visit.
Soyuz 10 had made soft-dock with Salyut 1. The docking probe was in the receptacle.
However, the guidance computer didn't like it. Or didn't know it.
With the ~6 ton Soyuz dangling from the ~18 ton Salyut, the Soyuz's computer began frantically firing the attitude thrusters to make a correction that, dangling as it did, it couldn't. I use the adjective frantically because before anyone was able to hit the kill switch, it had done so much thrusting, it had damaged the docking probe, and withdrawing it from the receptacle didn't work as per procedure and someone at mission control had to find a workaround.
That the docking probe was damaged suggests to me that if it had a "docked mode", the Soyuz's computer wasn't actually in docked mode.

So. Soyuz 10, April of 1971. A cool 50 years ago.
And this year, we get Nauka. Had it not been delayed as it was, or not quite as much, it might have cracked the anniversary exactly. I bet that, had "on the 50th anniversary of the fist time anything docked to a space station ever" been in the press release, Soyuz 10's little mishap would have gotten some airtime.
Or would it?
From what I gather, Nauka's computer was in flight mode, rather than docked mode, or glitched back into flight mode from docked mode, and attempted to correct Nauka's position accordingly. Tried to back away from the station, I believe.

The old saying goes that those who fail to learn from history are doomed to repeat it. More recently, many have pointed out that, no, history doesn't repeat - but it certainly does rhyme.
Those latter people, who propose the rhyming, have failed to learn from guidance computer related mishaps.

Now, as I stated in the very small font size above. I'm not suggesting that what went wrong with Soyuz 10 was exactly what went wrong with Nauka. It obviously wasn't. Nauka had docked hard, and fired thrusters to perform translation, while Soyuz 10 tried to correct its attitude after only softly docking.

But both spacecraft had been mechanically linked to the target, and their computers each tried to maneuver as if they weren't connected, as if the intended maneuver was actually possible.

re Kurs not Kursing:
Nauka was using the Kurs docking system, and presumably the latest iteration thereof. Kurs had been developed in the 1980s, for assembling Mir, for which it got  a very specific advantage over its predecessor, Igla.
Namely that Igla needed the target to be in the right orientation, relative to the incoming craft's approach - and Kurs doesn't. At least that's what I find when looking in a hurry. Kurs is supposed to maneuver its way around a "stationary" target to find the desired docking port, align itself, and dock.

Yet in preparation for the arrival of Nauka, the ISS had been rotated to have the target port pointing at the incoming Nauka, or at least parallel to its approach vector.
So I'm confused. The thruster calamity is being blamed on a software glitch, and even if it wasn't, I wouldn't expect that making the job easier would have caused said calamity.
But why rotate the station? Did Kurs not work as advertised on some previous occasion? Or did it never work as advertised? Or is the advert... the info I looked up, is that information just wrong?
Or was there something very special about Nauka, or about how Nauka made rendezvous, that didn't allow for letting Kurs strut its stuff?
Or did they finally get "parallel" SAS mode and wanted to try it out? :P 

Link to comment
Share on other sites

It will never be known to anybody except several dedicated specialists.

Kurs (its various generations) is working (usually - as advertised) for 40 years.

Not necesssary the Kurs is related at all, as that happened after hard docking, when Kurs is never more needed.
Kurs is an approaching system, after all. The approaching and docking were ideal.

The invalid RCS engine could restart on its own, or the attitude control system could decide to control the attitude.
If the latter, probably they could just switch it off. So, maybe an engine, attached to the presumably damaged fuelling block.

The only known problem with Kurs in this flight is that they had received the "antenna extended" signal not from the first attempt.
Was it not extended, or was it just lack of signal, who knows.

Edited by kerbiloid
Link to comment
Share on other sites

2 hours ago, kerbiloid said:

It will never be known to anybody except several dedicated specialists.

Kurs (its various generations) is working (usually - as advertised) for 40 years.

Not necesssary the Kurs is related at all, as that happened after hard docking, when Kurs is never more needed.
Kurs is an approaching system, after all. The approaching and docking were ideal.

The invalid RCS engine could restart on its own, or the attitude control system could decide to control the attitude.
If the latter, probably they could just switch it off. So, maybe an engine, attached to the presumably damaged fuelling block.

The only known problem with Kurs in this flight is that they had received the "antenna extended" signal not from the first attempt.
Was it not extended, or was it just lack of signal, who knows.

This sounds a bit to me like Kurs finalized docking and handed control back to the main control system who freaked out as it did not understand it was docked and probably assumed it was about to crash. 
I guess Kurs might not comunicate as well with Nauka as its optimized for Soyuz and Nauka is an old system. 
The real problem was that none took manual control and stopped this, simply stopping Nauka from doing anything would solve it. 

Link to comment
Share on other sites

4 minutes ago, magnemoe said:

I guess Kurs might not comunicate as well with Nauka as its optimized for Soyuz and Nauka is an old system. 

After the hard docking contacts had sent the hard contact signal, why Kurs should keep working?

Soyuz docks to another end of Nauka.
And as Nauka has been launched to receive the modern Soyuzes, this means that it's equipped with the modern version of Kurs.

7 minutes ago, magnemoe said:

The real problem was that none took manual control and stopped this, simply stopping Nauka from doing anything would solve it. 

And that's what makes to think that a control system is innocent. Otherwise they could just take out the ignition electrics, making the RCS stop .

So for me it looks like if the damaged (as we had heard on launch day) fuel valve stayed opened, and the fuel was unstoppably feeding the pressure-fed RCS through it until the remains got spent.

Link to comment
Share on other sites

18 minutes ago, kerbiloid said:

So for me it looks like if the damaged (as we had heard on launch day) fuel valve stayed opened, and the fuel was unstoppably feeding the pressure-fed RCS through it until the remains got spent.

I was under the impression it was a software glitch that fired the RCS, not just overpressure. Once Nauka had expended its fuel, Mission Control Moscow apparently transferred it from "flight mode" into "docked mode". I distinctly recall reports that Nauka was attempting to back away from ISS, that those thruster firings were controlled, by a guidance system trying to control Nauka as if it wasn't docked.
Of course, why they didn't transfer it to docked mode sooner, to stop those thruster firings, that's a little confusing. Though I wouldn't rule out that the whole macguyvering they had had to do earlier in the flight maybe had something to do with it. I'm picturing the guidance system maybe glitching right back into flight mode every time they tried to transfer it to docked mode, and they couldn't fix that so long as there was pressure in the system.

Way I gathered the overpressure problem, that stuck valve was feeding pressure into a low-pressure vessel that's part of the orbital engines. Overpressure disabled those engines. They had to fly to rendezvous on the RCS, and bled that pressure off that way, didn't they?

Personally, I can't understand why there wasn't a big, fail-safe, last-resort kill switch that either would stop the RCS thrusters from firing at all, or from receiving propellant, or would open all the valves to depressurize in all directions equally, any thrust and torque cancelled out.

Link to comment
Share on other sites

25 minutes ago, kerbiloid said:

After the hard docking contacts had sent the hard contact signal, why Kurs should keep working?

Soyuz docks to another end of Nauka.
And as Nauka has been launched to receive the modern Soyuzes, this means that it's equipped with the modern version of Kurs.

And that's what makes to think that a control system is innocent. Otherwise they could just take out the ignition electrics, making the RCS stop .

So for me it looks like if the damaged (as we had heard on launch day) fuel valve stayed opened, and the fuel was unstoppably feeding the pressure-fed RCS through it until the remains got spent.

Soyus docking to Nauka is not the same as Nauka docing to IIS, in the first part its the target but here it was the one docking. 
I assumed this was an software error, how else could it happen just after an nice docking? Yes stuff might break but it was at an weird moment. 
I assume RCS valves fail closed as loosing one RCS is much less an problem than loosing your propelant. 

Link to comment
Share on other sites

20 minutes ago, DerGolgo said:

Once Nauka had expended its fuel, Mission Control Moscow apparently transferred it from "flight mode" into "docked mode".

I.e. "not done" → "done", that's all

21 minutes ago, magnemoe said:

Soyus docking to Nauka is not the same as Nauka docing to IIS, in the first part its the target but here it was the one docking. 

Both use Kurs, so unlikely they were able to put two versions of Kurs at once, having the single set of antennas who vary from Kurs to Kurs version.

So, looks like they have same Kurs for all needs, and it's the last available one.

23 minutes ago, magnemoe said:

I assume RCS valves fail closed as loosing one RCS is much less an problem than loosing your propelant. 

It didn't need the propellant after docking.

Link to comment
Share on other sites

56 minutes ago, kerbiloid said:

I.e. "not done" → "done", that's all

Yes. Except that I'd guesstimate that setting the module's computer systems to "done" is something that should have been done when the docking was actually done.
Which was hours before it went nuts with the thrusters. I can just about understand taking a few minutes before turning the guidance computer from flight mode to done mode. But several hours makes no sense. When the ISS crew was already checking seals and getting read to open the hatch into Nauka, I cannot conceive of any reason why Nauka should have had any need for a guidance system. Let along for an active RCS system.
And yet, that they transferred it from "not done" to "done" means nothing less then that the guidance system had been set to "not done" in the first place. Hours after it was done.

56 minutes ago, kerbiloid said:

It didn't need the propellant after docking.

Which is not the point of a failsafe design. The failsafe is for when anything goes wrong, the predictable and the unpredictable alike, the failure should leave the system in a safe state. Whether or not the craft still needs propellant or not is immaterial when you're talking about a fail condition. If it fails, it's explicitly something that's not supposed to happen.
Supposing the failure we saw was somewhere just in the RCS thrusters, or the controlling circuits, rather than in the guidance system. Creating thrust, putting the ISS in a spin and messing up the orbit is not a safe condition.
So the RCS system either failed, in not a safe way (creating undesired thrust is a bad idea, even if the module isn't near anything), meaning it wasn't failsafe (at least not for that fail condition), or something else failed and the RCS system worked as designed. Which it seems to have done.
All I've read thus far, the failure was in the software running in the guidance system. The RCS system just executed commands it should never have been given.

Edited by DerGolgo
Link to comment
Share on other sites

6 hours ago, DerGolgo said:

Which was hours before it went nuts with the thrusters

Hours? Iirc. it started right after the docking.

6 hours ago, DerGolgo said:

I can just about understand taking a few minutes before turning the guidance computer from flight mode to done mode. But several hours makes no sense. When the ISS crew was already checking seals and getting read to open the hatch into Nauka

?
They started checking the hatch by hours later after the RCS racing was complete.

6 hours ago, DerGolgo said:

I cannot conceive of any reason why Nauka should have had any need for a guidance system.

?
The guidance system exists there always, because the computer.
The approachment system (Kurs) is used for approaching. It provides the guidance system with coordinates and velocities.

6 hours ago, DerGolgo said:

Hours after it was done.

Again, what hours? The thrusters started/kept thrusting right after the docking and finished after burning the rest of the fuel from the only available tank pair.
It was stated that it has fuel only for one docking attempt, and it happened.
Hours later it was happily docked, they were blowing the fuel system from the fuel remains and checking the hatch to open.

6 hours ago, DerGolgo said:

Which is not the point of a failsafe design. The failsafe is for when anything goes wrong, the predictable and the unpredictable alike, the failure should leave the system in a safe state.

Exactly this case demonstrates that the system is very failsafe.
They had delivered the ship with malfunctioned propulsion/fuel system and successfully docked it on the first (and the only) attempt.
So, its systems were enough redundant to bypass the malfunction and complete the mission.

The backup mode of propulsion (by RCS, so by 1/4 of fuel) had enough delta-V to perform the flight program rather than abort.
And on the docking, when the RCS got out of controlfor some reason, the remains of the fuel were enough small to stop it in minutes.
Even if the fuel remains were greater, they would just jettison the whole module from the docking port and loose it, that's all.

And that's on the 20+ year old module, after the propulsion system, produced by another manufacturer, was replaced in situ.

So, if there is a failsafe system, that's it.

The "safe state" sounds good in theory, but any example of when it happened irl?
The lost and the almost lost spaceships I can remember, the "frozen" ones I can't.

All previous self-propelled modules of that family happily docked to Salyuts, Mir, ISS. The Soyuz-based modules as well.
The only reason why the American ones had no trouble were the same several shuttles, using same system every time and having a crew of 7 engineers onboard, and requing a billion of dollars on every interflight servicing, and Canadarm.
No shuttles - no new Western modules, and we don't know how would it go if they were self-propelled and docking instead of berthing.
(The same about the cargo ships, who disable the engines before docking and put the hopes on the Canadarm).

Right now, the Boeing has delayed the CST-100 launch again, due to technical issues.

40% of Shuttles were lost in flight accidents, it's almost the infamous F-104 record.

The Apollo-13 returned alive only due to presence of 3 engineers onboard and a hundred on Earth, and everything they did was anything but a failsafe design.

So, can't remember any failsafe design in the area where chances to loose the crew are still > 1:100.

6 hours ago, DerGolgo said:

Creating thrust, putting the ISS in a spin and messing up the orbit is not a safe condition.

It is safe while the flight stays controllable in failsafe margins. It did, as we can see. Nothing but RCS racing happened, nothing but additional fuel was lost.

Theoretically, a passenger airplane engine should not burn or get switched off.
Practically, if this happens not very often, and the plane can cut the fuel, drop the fuel, and safely land, it's a failsafe design.
That's exactly what happened, and the runway was the mission objective.

6 hours ago, DerGolgo said:

So the RCS system either failed, in not a safe way (creating undesired thrust is a bad idea, even if the module isn't near anything), meaning it wasn't failsafe (at least not for that fail condition), or something else failed and the RCS system worked as designed.

We should stop the passenger flights because the planes do the same from time to time, so they are not failsafe.

6 hours ago, DerGolgo said:

All I've read thus far, the failure was in the software running in the guidance system.

Even if so (though we don't have any evidence of that), what does it change? This world is not ideal, and technical issues happen.
The "software" unlikely changed very much since 1980s  (like the shuttle software, too), and happily worked about ten times with the modules of same system, and this never happened when the propulsion system was intact. Maybe the propulsion system sensors had a malfunction, maybe something other.

The purpose of the "failsafe" design is to keep the flight controllable at at least one system malfuncction, and we just saw this in practice.

Upd.
The last five meters they worked with TORU.
https://www.zarya.info/Diaries/blog/tracks.php?event=Nauka and ISS

Edited by kerbiloid
Link to comment
Share on other sites

10 hours ago, kerbiloid said:

Hours? Iirc. it started right after the docking.

Here is the timeline. https://www.nasaspaceflight.com/2021/07/nauka-docking/
Nauka docked at 13:29 UTC. Systems registered the attitude changing at 16:34 UTC. It did not take Nauka three hours of thrusting to create a divergence that the ISS's systems could register, of that much we can be sure.
 

10 hours ago, kerbiloid said:

They started checking the hatch by hours later after the RCS racing was complete.

Again, Nauka had been docked for over three hours when it began firing thrusters. If you direct your attention to the 17:53 UTC update of the article I linked, it is explicitly reported that cosmonauts had already opened the Zvezda-side hatch of the docking port when Nauka began firing its thrusters.

10 hours ago, kerbiloid said:

Again, what hours? The thrusters started/kept thrusting right after the docking and finished after burning the rest of the fuel from the only available tank pair.

Again, please check the timeline I linked above.

10 hours ago, kerbiloid said:

It was stated that it has fuel only for one docking attempt, and it happened.

Hours later it was happily docked, they were blowing the fuel system from the fuel remains and checking the hatch to open.

Hours later, it was happily docked - and THEN it started firing its thrusters.
And they did not blow the fuel system. If you will direct your attention to the above link once again, Roskosmos announced that the remaining fuel was consumed by Nauka's mad thruster firing, they do not mention any blowing or purging of the fuel system.
I'm not sure what safety margin Roskosmos requires to consider any amount of fuel to be sufficient for what number of docking attempts. But the fact that they may consider amount x to be insufficient for more than one attempt does not remotely indicate that amount x would have to be completely consumed during that attempt. The latter would suggest they don't have safety margins.

10 hours ago, kerbiloid said:

Exactly this case demonstrates that the system is very failsafe.

They had delivered the ship with malfunctioned propulsion/fuel system and successfully docked it on the first (and the only) attempt.
So, its systems were enough redundant to bypass the malfunction and complete the mission.

You pretty much spell it out yourself. Nauka's systems had sufficient redundancy. Redundancy is not the defining characteristic of a failsafe design and, likewise, a failsafe design is not defined by redundancy.
A failsafe design is defined by the failure leaving the system in a safe state. If the system also has redundancy designed into it, splendid. Is redundancy maybe part of a separate failsafe mechanism, such as to leave the craft maneuverable even if the main propulsion fails? Great - for that fail condition.
But when a spacecraft starts firing its thrusters in an unplanned, undesired manner, leading to an unplanned, undesired, and uncontrolled change in attitude of the larger assembly, putting the entire space-station into an unplanned, uncontrolled spin. Making it necessary to engage other thruster assemblies to counteract against the unplanned thruster firings. Actually expending fuel that nobody had planned on expending, possibly reducing redundancies intended for emergencies. Actually creating the emergency such redundancies might have been intended to handle.
That is not a safe state. Not least because ISS relies on maintaining a certain, pre-planned orientation, to ensure the solar panels get sufficient sunlight to satisfy all the station's power needs, and also to ensure that antennae can be oriented towards the satellites that enable uninterrupted communication, regardless of where ISS is on its orbit.
Whatever failure conditions were factored into any failsafe design aspects, the guidance system coming back on over three hours after docking and firing thrusters without rhyme nor reason was either not factored in, or whatever form the failsafe design of Nauka's guidance and RCS system took did not work as intended.

10 hours ago, kerbiloid said:

The backup mode of propulsion (by RCS, so by 1/4 of fuel) had enough delta-V to perform the flight program rather than abort.

Again, redundancy to manage one fail condition is not failsafe for other fail conditions.

10 hours ago, kerbiloid said:

And on the docking, when the RCS got out of controlfor some reason, the remains of the fuel were enough small to stop it in minutes.

Yes, it expended its fuel in minutes.
In 45 Minutes. Once again, link above.

10 hours ago, kerbiloid said:

Even if the fuel remains were greater, they would just jettison the whole module from the docking port and loose it, that's all.

"Just jettison the whole module". A module that is already behaving in a way neither intended nor predicted (had it been predicted, they would have had a kill switch, wouldn't have had to wait 45 minutes for the fuel to be expended, of that much we can be sure).
Jettisoning Nauka would have been madness. Never mind failsafe design. Nauka was out of control (had it been under control, they would have stopped the thrusters before the fuel was expended). A 20 ton chunk of metal, with pretty big solar panels sticking out on either side. Out of control. Right next to ISS.
Nobody had predicted the guidance system would give the RCS thrusters commands to start firing. At the time, probably nobody had even figured out what had gone wrong. For all anyone could predict, the moment Nauka was loose, it might have fired its thrusters in a different direction. Could have begun translating  laterally, crashing right into the Soyuz docked at Rassvet, on the other side of Zarya. Or it could have done a little bit of this, a little bit of that, and crashed into one of Zvezda's solar panels.
When you have a craft capable of autonomous maneuvering, it's behaving erratically, and you cannot bring it under control. Setting it loose is about the most dangerous thing you could do. Keeping it docked was the only way to ensure it wouldn't smash apart other parts of the station, the only way to undertake any damage-limitation until it could be brought back under control, or until it had expended the fuel it was using to create the problem.

Remember Progress M-34? The docking with Mir, in 1997?
That docking attempt went wrong and the Progress crashed into the Spektr module, damaging the module itself and one of Spektr's solar panels. That was a fairly compact Progress ship, about 7 tons, under manual control via TORU. We can be pretty sure that cosmonaut Tsibliyev did what he could to avoid crashing the Progress into the very space station he himself was on at the time.
Nauka is about three times the mass of that Progress, much longer and wider, with much larger solar panels sticking out. The damage to Spektr had been considered pretty bad. What damage could an uncontrolled Nauka have done?
 

10 hours ago, kerbiloid said:

The "safe state" sounds good in theory, but any example of when it happened irl?

The lost and the almost lost spaceships I can remember, the "frozen" ones I can't.

How about this one right here: https://techcrunch.com/2020/12/14/virgin-galactic-test-flight-fails-to-reach-space-after-failsafe-landing-triggered/
The computer cannot control the rocket engine. The Failure. Igniting the rocket engine is prevented. The safe state. Because igniting an uncontrolled rocket engine is very much unsafe, as it would accelerate the spacecraft in an uncontrolled manner. Possibly right into its own impact crater.
Another example: free return trajectories on the early Apollo moon missions. See below.

10 hours ago, kerbiloid said:

All previous self-propelled modules of that family happily docked to Salyuts, Mir, ISS. The Soyuz-based module

Yes, that family of modules was remarkably reliable at docking. Personally, I assume that this record of success was related to the engineers designing those systems recalling what had gone wrong the first time (Soyuz 10/Salyut 1). That was when the thrusters fired right when soft docking occurred, I guess you maybe confused that with Nauka. Some of the blame for that confusion I will accept myself, since I was originally asking whether anyone else saw the similarities.

However, as old as Nauka was at this point, and as successful as previous models from that family had been. Kurs got a massive update in 2013. Progress seem to have been using it without calamity. But legacy systems interacting with new systems and producing unexpected results is common enough in Earth-based software, or hardware, or both. Did old Nauka get the updated Kurs, but some part of the old module didn't behave as expected, leading to the guidance system flipping back into flight mode? Or did Nauka use the older Kurs system, but the systems on ISS at this point had been expecting the newer system, thus causing some interruption which, hours after Nauka had docked, flipped it back into flight mode?
I don't know. Mistakes happen. Neither Roskosmos nor NASA, nor ESA, Jaxa, or ISRO for that matter, are immune to such. Which is why so much of spaceflight preparations consists of quality assurance and testing.
The fact remains that, after many, many previous successes, this time, there was a failure, with potentially dramatic results. Had there been another problem, one that would have prevented use of other modules' thrusters to counteract Nauka, ISS would have rotated a little faster still, and might have lost its main communications link, due to antennae being unable to point at the satellites, or might have lose power to some of its systems, due to solar panels getting into an unfortunate angle. Other systems on ISS had to work, to correct/compensate the undesired rotation before it created greater problems. That is an unsafe condition.
The failure on Nauka was one that, I believe, a master kill-switch could have prevented, and which (after Soyuz 10/Salyut 1) I would have expected would be part of a system that has been working pretty flawlessly for 40 odd years.

10 hours ago, kerbiloid said:

The only reason why the American ones had no trouble were the same several shuttles, using same system every time and having a crew of 7 engineers onboard, and requing a billion of dollars on every interflight servicing, and Canadarm.

No shuttles - no new Western modules, and we don't know how would it go if they were self-propelled and docking instead of berthing.
(The same about the cargo ships, who disable the engines before docking and put the hopes on the Canadarm).

What conversation are you even having? Was anyone talking about how Nauka demonstrated the inferiority of Soviet/Russian spacecraft design, or of the Soviet/Russian methods of space station assembly?
That the other guys use entirely different methods, requiring much greater effort and expense, has no bearing on what happened with Nauka.
I for one think the Soviet spaceflight program was awe inspiring, and given the choice, I would rather be disqualified from riding a Soyuz (I'm too tall) than catch a ride on that Shuttle death-trap.
If anyone was suggesting all future additions to ISS should have to be berthed using Canadarm, and heck knows how they would be boosted into orbit and to rendezvous in the first place - I didn't see that suggestion. Do point me at it, I would like to tell that person to shut their filthy mouth.
The only conversation I've been participating in right here was in regards to mishaps that happened, period, and my confusion about why the Kurs system got its approach prepped like Igla would have. I'm getting the impression you're trying to argue about some national pride. I'm an internationalist, so I can't really see the point.

Also, re "no shuttles - no new Western modules"
I believe Bigelow Aerospace and SpaceX would disagree. The Bigelow Epandable Activitiy Module was launched on a SpaceX dragon in 2016, when the Shuttles had all been retired already. They used Canadarm to berth it, but no shuttle.
Ditto for the Nanoracks Bishop Airlock. Launched by SpaceX, berthed by Canadarm, no Shuttle.

10 hours ago, kerbiloid said:

Right now, the Boeing has delayed the CST-100 launch again, due to technical issues.

40% of Shuttles were lost in flight accidents, it's almost the infamous F-104 record.

None of which has any bearing on how something did go wrong with Nauka.
Like I said, I consider the Shuttle a death trap. They maybe should have built one, flown it a few times, then hung their heads in shame as (production, air-breathing engine equipped) Buran made them look like total noobs, and then should have designed Space Shuttle 2: Shuttling Day.

As for Boeing. They aren't fit to lick the dirt off of anyone's boots, at this point. They are managed by used-car salesmen, they ignore lessons learned from fatal crashes when they design commercial aircraft, and they appear to have designed the Starliner not to go to the ISS, but to bring in government funding.

As for the F-104. No. You are wrong there. Or maybe not. Depends on how you count.
The Luftwaffe lost 292 F-104, out of 916 aircraft procured in total (original order had been just over 600, the rest all being replacements). 116 pilots died in their Starfighter.
That means 12.6% of all Luftwaffe Starfighters crashed with the loss of all hands. Approximately, I think there may have been a few trainer variants in there, with two crew aboard. But not many.
As you point out, 40% of all Space Shuttles were lost with all hands. The "Widowmaker" didn't even crack a third of that.
 

10 hours ago, kerbiloid said:

The Apollo-13 returned alive only due to presence of 3 engineers onboard and a hundred on Earth, and everything they did was anything but a failsafe design.

So, can't remember any failsafe design in the area where chances to loose the crew are still > 1:100.

Actually, there you go. Yes, they had to turn the everything inside out to make it back. And had to use the LM engine to get into the "free return trajectory" that would end with reentry.
But that was 13. Apollos 8, 10, and 11, went on a free return trajectory from the get-go. Those missions were designed to be failsafe for a failure of the propulsion system. When the Saturn V's third stage, S-IVB,  did the trans-lunar injection, it also put them on a free return trajectory. Chosen so if the Apollo Service Module engine had never even ignited in the first place, they would have coasted all the way back to reentry.
 

10 hours ago, kerbiloid said:

It is safe while the flight stays controllable in failsafe margins. It did, as we can see. Nothing but RCS racing happened, nothing but additional fuel was lost.

Theoretically, a passenger airplane engine should not burn or get switched off.
Practically, if this happens not very often, and the plane can cut the fuel, drop the fuel, and safely land, it's a failsafe design.
That's exactly what happened, and the runway was the mission objective.

No it wasn't. You are conflating active safety measures, like dumping fuel, with failing safe. A design, of some subsystem or whatever, is failsafe when, after the failure, the situation is itself safe, and does not require immediate correction while the failure is still going on.
They had to counteract Nauka's thrusters while those were still firing. The failure that had caused Nauka's guidance system to fire the thrusters had not resulted in a safe state. Since the ISS's orientation is critical regarding solar panels and communication antennae, that safe state would have been to stop producing thrust and torque that further and further affected the station's attitude. The very fact that they had to intervene and use other thrusters to counteract Nauka while Nauka was still firing its thrusters demonstrates that the sate that this had put the ISS in was not safe.

Regarding passenger airplanes: Dumping fuel is an active measure needed to make the plane safe to land. If it is, the failure did not produce a safe state for the landing weight. If an engine shut itself off because some part of the control system failed, that part of the design may be failsafe. But the overall situation regarding the plane's fuel load and weight is not.
However, some planes, they are failsafe in that regard. Planes designed to be filled up, and then fly a short route back and forth, or a route with many hops, where another type wouldn't be able to burn enough fuel to get down to landing weight. Such planes can, consequently, do an emergency landing without dumping fuel.
As it happens, the Boeing 757, 737, and 717 (and its DC9/MD80 predecessors), and the Airbus A320 family, all come without fuel dumping systems. They can land as heavy as they took off, can do an immediate return to airfield, no active measures to reduce weight required. That aspect of their design is failsafe. As far as landing weight is concerned, they are safe, regardless of what other part of the plane has failed.

10 hours ago, kerbiloid said:

We should stop the passenger flights because the planes do the same from time to time, so they are not failsafe.

If a planes engines or control surfaces start doing stuff without pilot input, and against what the autopilot is supposed to do? Yes, that flight must be stopped.
Not everything is failsafe, not everything can be. Sometimes, when something fails, intervention is necessary.
As it was here. Because whatever failure caused Nauka to start firing its thrusters had not produced a safe state.
 

10 hours ago, kerbiloid said:

Even if so (though we don't have any evidence of that), what does it change? This world is not ideal, and technical issues happen.

The "software" unlikely changed very much since 1980s  (like the shuttle software, too), and happily worked about ten times with the modules of same system, and this never happened when the propulsion system was intact. Maybe the propulsion system sensors had a malfunction, maybe something other.

The purpose of the "failsafe" design is to keep the flight controllable at at least one system malfuncction, and we just saw this in practice.

Upd.
The last five meters they worked with TORU.
https://www.zarya.info/Diaries/blog/tracks.php?event=Nauka and ISS

I'm still confused what conversation you're trying to have. What does previous success have to do with present day failure?
The system that failed appears to have been part of Nauka. Once it failed, and Nauka began firing its RCS, Mission Control Moscow was unable to bring it under control. They kept trying, for 45 minutes, when the thrusters stopped - because they were out of fuel.
Whatever failed - Nauka did not remain controllable, evidently. If it had, they could have stopped it firing its thrusters.
They had to resort to RCS systems on Zarya and Progress to counteract Nauka's actions. How would they have done that if, whatever glitch it was, it had occurred before Nauka had even made rendezvous? If Nauka had not been docked to the ISS, they could not have counteracted those thrusters. Nauka's systems were not failsafe there.

As for the software changing. As I pointed out, Kurs got a major update in 2013. Going from using an array of five antennae, and a lot of power, in the original Kurs, to Kurs NA, using only a single antenna. Using a single source of data to calculate how to control the spacecraft as opposed to five such sources is not a minor change in software. It probably required a whole new set of algorithms.
As you pointed out, Nauka was pretty old. Which version of Kurs did it have? That they used TORU to bring her in may be relevant, but was it TORU that somehow glitched into/started up in flight mode three hours after docking? Or was it an old version of Kurs? Or the new version? I addressed this earlier.

Edited by DerGolgo
Link to comment
Share on other sites

2 hours ago, DerGolgo said:

Here is the timeline. https://www.nasaspaceflight.com/2021/07/nauka-docking/
Nauka docked at 13:29 UTC. Systems registered the attitude changing at 16:34 UTC. It did not take Nauka three hours of thrusting to create a divergence that the ISS's systems could register, of that much we can be sure.

I didn't see this timeline.
Ok, three hours later the pressure-fed self-igniting thruster system with presumably malfunctioning valve had unexpectedly ignited, starting burning out the fuel remains from the operational tank pair.
What does it change, if it ignited not on contact, but with a delay?
It's malfunctioning, as it was stated, and it's out fuel and can repeat that. Maybe a sudden hit during the hatch operations made a damaged valve open, maybe an engine sensor send a wrong signal on that hit, maybe these events are not related at all.

2 hours ago, DerGolgo said:

And they did not blow the fuel system. If you will direct your attention to the above link once again, Roskosmos announced that the remaining fuel was consumed by Nauka's mad thruster firing, they do not mention any blowing or purging of the fuel system.

If you pay attention to my posts in the Russian Launches thread, the RCS thrusters are fed from the only pair of tanks, while others are unavailable for them, and Roscosmos stated that they blew with helium the fuel system to remove the fuel remains.

2 hours ago, DerGolgo said:

You pretty much spell it out yourself. Nauka's systems had sufficient redundancy. Redundancy is not the defining characteristic of a failsafe design and, likewise, a failsafe design is not defined by redundancy.

The "failsafe" is just a technobabble magic word from ideal word.
No technical system can be "failsafe", it can be only enough redundant to: "Continue flight if any one system failed, safely aboty the flight if two system failed", as it's usually stated in docs.

The type 77 modules just prove their redundancy in these terms.
Nauka continued the flight, reached the destination, stayed operational (except the system that are unnecessary after the flight), and the issues appeared during the flight were fixed remotely, by internal systems, with no external invasion.

2 hours ago, DerGolgo said:

Again, redundancy to manage one fail condition is not failsafe for other fail conditions.

Challenger. Columbia. Apollo-13.
Failsafe? Or as failsafe as reasonably possible?

2 hours ago, DerGolgo said:

Just jettison the whole module". A module that is already behaving in a way neither intended nor predicted (had it been predicted, they would have had a kill switch, wouldn't have had to wait 45 minutes for the fuel to be expended, of that much we can be sure).

Or the key switch was engaged (the most probably, but the (as already stated)) damaged fuel system was open, and the hypergolic fuel continued passing from the hight-pressure tank to a low-thrust thruster.

2 hours ago, DerGolgo said:

Jettisoning Nauka would have been madness.

It's a normal operation implemented in the docking adaptor construction since dinosaurs.

The Buran-Mir APAS-89 adaptor, laying in the base of the IDSS standard used in all American ships was designed to detach it with pyrofasteners in case if Buran can't undock. So, check all American docking ports for that feature.

Nauka doesn't use exactly APAS, but it still could be detached in case of emergency.

2 hours ago, DerGolgo said:

A 20 ton chunk of metal, with pretty big solar panels sticking out on either side. Out of control. Right next to ISS.

So what? It would escape radially, as it's attached this way.

All American cargo ships are 10-15 t heavy chunks of metal floating in several meters from ISS between the panels and modules in a hope that Canadarm will grab them, rather than push.

2 hours ago, DerGolgo said:

Nobody had predicted the guidance system would give the RCS thrusters commands to start firing

As we can see, it didn't send unpredicted commands. It either didn't send them at all, or was happy with one thruster on.

2 hours ago, DerGolgo said:

Remember Progress M-34? The docking with Mir, in 1997?

It was piloted manually, all systems were intact. Just the pilot was tired and the view obstructed.

Nauka approached automatically, then was corrected manually, then docked automatically.

2 hours ago, DerGolgo said:

How at all the Virgin Galactic test plane relates to the Nauka with her 1980s tech, using the systems flying for decades?

2 hours ago, DerGolgo said:

Yes, that family of modules was remarkably reliable at docking. Personally, I assume that this record of success was related to the engineers designing those systems recalling what had gone wrong the first time (Soyuz 10/Salyut 1).

Soyuz-10 fied long before Kurs, it used Igla.
But this module family was happily docking with both Igla and Kurs.

Also, why at all talk about the approaching system, which just provides the guidance computer with coordinates and velocities, and the performance happened after docking.

2 hours ago, DerGolgo said:

That was when the thrusters fired right when soft docking occurred, I guess you maybe confused that with Nauka.

Soyuz-10 had the guidance system not even closely similar to the Almaz family.

2 hours ago, DerGolgo said:

The fact remains that, after many, many previous successes, this time, there was a failure, with potentially dramatic results.

A minor but unexpected failure with only possible dramatic result of jettisonning Nauka and saying bye to it.

2 hours ago, DerGolgo said:

What conversation are you even having? Was anyone talking about how Nauka demonstrated the inferiority of Soviet/Russian spacecraft design, or of the Soviet/Russian methods of space station assembly?

I just trying to demonstrate the relativity of the "failsafe" term.

There were no failsafe designs in space. Almost all flights had their issues, from minor to lethal, and only system redundancy saved them.

2 hours ago, DerGolgo said:

Also, re "no shuttles - no new Western modules"
I believe Bigelow Aerospace and SpaceX would disagree.

I believe, their agreement/disagreement means nothing until they have assembled something of  Mir level.

To the moment we can see only mockups and 3d models.

2 hours ago, DerGolgo said:

The Bigelow Epandable Activitiy Module was launched on a SpaceX dragon

A tiny think inside the trunk, taken and plugged by Canadarm. The same about the Bishop Airlock.

Cute little things. There are several such modules delivered by just a Progress (Pirs RIP, Rassvet, Poisk).

And I mean the full-sized ones, of 4 m diameter.

2 hours ago, DerGolgo said:

Like I said, I consider the Shuttle a death trap.

Yes. It's not failsafe, and killed 14 people.
But 2/3 of human flights were performed by this not perfect design, and it many times docked to Mir and ISS.
Any critical failure, and ISS would be squashed, but that was a risk.

2 hours ago, DerGolgo said:

As for Boeing. They aren't fit to lick the dirt off of anyone's boots, at this point. They are managed by used-car salesmen, they ignore lessons learned from fatal crashes when they design commercial aircraft, and they appear to have designed the Starliner not to go to the ISS, but to bring in government funding.

I have a strange feeling that Boeing will catch cold walking SpaceX and Bigelow to museum.

2 hours ago, DerGolgo said:

The Luftwaffe lost 292 F-104, out of 916 aircraft procured in total (original order had been just over 600, the rest all being replacements). 116 pilots died in their Starfighter.
That means 12.6% of all Luftwaffe Starfighters crashed with the loss of all hands.

According to wiki, 

Quote

F-104 получил печальную известность и даже печать дала им прозвище «Widowmaker» («Вдоводел») и «Flying Coffin» («летающий гроб») из-за большого количества катастроф. Такую репутацию «Старфайтер» приобрёл в ВВС ФРГ, на вооружение которых поступило 916 самолётов (треть всех построенных), из них 292 (то есть ~30 %) были потеряны в лётных происшествиях; погибло 116 пилотов[4][5][6].

Of 916 German F-104 292 (30%) were lost in crashes, 116 pilots were killed.
Also, the Canadian F-104 lost 46% in crashes.

So, the numbers look shuttlish.

3 hours ago, DerGolgo said:

Actually, there you go. Yes, they had to turn the everything inside out to make it back. And had to use the LM engine to get into the "free return trajectory" that would end with reentry.
But that was 13. Apollos 8, 10, and 11, went on a free return trajectory from the get-go. Those missions were designed to be failsafe for a failure of the propulsion system.

And except the lunar transfer and the lunar ascent this "failsafe" was implemented by engine redundancy, when a failed engine could be replaced with another one.
And this is exactly what happened in the Nauka flight.

3 hours ago, DerGolgo said:

You are conflating active safety measures, like dumping fuel, with failing safe. A design, of some subsystem or whatever, is failsafe when, after the failure, the situation is itself safe, and does not require immediate correction while the failure is still going on.

And Nauka just used RCS to reach ISS instead of main engines.

3 hours ago, DerGolgo said:

The failure that had caused Nauka's guidance system to fire the thrusters had not resulted in a safe state.

What is "failsafe state" when a fuel valve is probably broken and inoperational?

3 hours ago, DerGolgo said:

However, some planes, they are failsafe in that regard.

No plane is failsafe while it's fueled.

Also, Nauka could not dump the fuel before docking, because probably it would dump all fuel.

3 hours ago, DerGolgo said:

If a planes engines or control surfaces start doing stuff without pilot input, and against what the autopilot is supposed to do?

If this make the plane rotate by 1.5 turns in three hours, it is not a failure, it's a notice for technicians to check what's skewed. The human reaction time is same.

3 hours ago, DerGolgo said:

I'm still confused what conversation you're trying to have. What does previous success have to do with present day failure?

Nothing special happened. It's a technics, and things happen from time to time.
If American modules were self-propelled or the cargo ships were docking instead off berthing, we would probably had a lot of other cases to amaze, Nauka is not something from Armageddon with Bruce Willis (Mir finally was, lol).

The real list of issues unlikely will be published, and if it was, it would require a detailed technical description of the module to explain what is where, and nobody will do this.
Some version enough good for public will be stated, but it's absolutely no guarantee that it will have any relation to real events.
Because the audience doesn't care (and 95% probably is not aware of the event at all), and engineers will have no desire to get into details after the investigation.

So, the only things which really matter are:
1) Will it repeat with Nauka? = No, because its tanks are anyway empty.
2) Will it repeat with Nauka-like module? = No, it was the last in its family.
3) Could it cause drama? = Unlikely, because Nauka would be just jettissonned and fly away, then burn in atmosphere several months later.
4) What was wrong with Nauka on ground? = A lot of, but this doesn't matter anymore.
5) Can something happen because Roscosmos is not enough good? = It happened even with perfect NASA and shuttles.
6) Will another Russian module delivery be same spectacular? = No, just another 3 m module was going to be delivered.

So, it's an endless story how should something be made perfectly in a world where a rocket with 2% chances to explode is considered reliable.

Link to comment
Share on other sites

This thread is quite old. Please consider starting a new thread rather than reviving this one.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...