Spacecraft Operability and the Discovery problems

Something has been nagging me since the current round of
hydrogen depletion sensor problems started on Discovery's
launch attempt, and I haven't seen any good comments come
up on the newsgroups or other commentary, so I'm going to
launch it out there.

The Shuttle design was intended to be highly reliable
and to have multiple redundant sensors and systems in
most key areas. By and large, other than structural
items where it's hard to have another whole heatshield
under the first one, they have had good success with
redundancy covering flight faults and avoiding nasty
aborts and the like.

There is a key difference to be seen between the behaviour
last week trying to launch Discovery, though, and what
typically happens with say a large 747 jetliner and
its typical operational cycle.

Airliners have what's called a Minimum Equipment List.
This covers a set of systems that have to be operational
in order for the vehicle to safely depart on a flight.
The MEL is usually designed so that a number of minor
faults are tolerated, and in areas where a fault would
cause the aircraft to have to stay and be repaired,
where possible an extra set of redundancy is applied
so that if four units are needed for safe suitably
redundant flight operation, five are installed,
and the MEL is four. One sensor or navigation system
or whatever can be completely broken, and the required
flight safety level is still met with the remaining units.

Airliners are designed that way because it costs serious
money when they can't depart on time... either they have
to be repaired in a hurry, which means lots of technicians
at each airport and lots of expensive spare parts stocked
everywhere (plus, a long enough operating cycle to accomplish
the repairs in), or you have to scramble to find another
plane to shift to the flight whose aircraft is down with
a gripe, and then shift another plane to cover for the
one you grabbed, and so on.

Shuttle was designed with an adequate level of systems
redundancy for safety considerations, in most systems.
It was not designed with an adequate level of systems
redundancy for operational considerations. The cost per
day of a Shuttle sitting on the pad, the ops crews and
the control room crews and the costs of a rollback and
destacking are all very significant. The opportunity
cost of not being able to fly on time is also not at all
a minor issue, with Shuttle's life span limited by a
currently hard deadline and too many ISS flights remaining
to get done between now and then.

Redundancy is often described in "N+1" or "N+2" or "2N"
terms; shorthand for one or two more units than are required
for safe operation, or twice as many as are required.

MEL logic really goes to a different level. We should really
be looking to "(N+1)+1", or both safety redundancy and an
operational redundancy margin. Defining the safety redunancy
factor as the N plus or multiplied by whatever, we can then
define an operational redundancy factor, consisting of some
margin on top of the minimum safety requirements. In shorthand,
let's say O for Operational Factor = (required safety factor
including margins), or for example O = N+1 . The operability
factor would then be, for example, O+1 or O+2, with the
additional operability margin depending on the maintainability
of the parts.

Future reusable spacecraft and their operators generally
already have a clue about these issues, but it bears repeating
in public to make the point. The capsules I am working on
should not have to be destacked and dissassembled if one
out of a set of four units fails while we're on the pad;
either there should be a fifth, or three should be adequate
for safe flight including safety margins, and listed in the MEL.
The same should go for any other manned orbital project.

Not every system can be made this redundant, but as Discovery
is showing, there are many systems for which safety dictated
enough redundancy that adding an operability margin on top
of that would have not been that difficult. Two wires in
the shuttle/tank interface, one more sensor unit, a few pounds
of payload capacity lost... and how many millions of dollars
lost destacking Discovery the first time, and in this launch
delay now?

Thin margins kill costs.


-george william herbert