
A once-classified anomaly nearly killed NASA's first moon astronauts - hsnewman
https://www.insider.com/classified-apollo-11-anomaly-threatened-to-crash-first-moon-astronauts-2019-6
======
todd8
It’s amazing how many engineering problems had to be solved in the space
program. I heard of one that involves software from programmers that worked
for NASA. (I don’t remember the space craft but I think it was Apollo).

After separation from the boosters that got the space craft into orbit, the
main engine of the craft had to burn to head off to the moon. This engine
could be maneuvered to “steer” the craft, but to propel the craft accurately
(without yawing or pitching) the engine had to line up with the craft’s center
of mass and the desired velocity vector.

The craft actually calculates the center of mass before the main burn by
starting the engine and wiggling the engine a bit then checking the resulting
change in the crafts attitude (using gyroscopes, etc.)

The software was designed to do all of this automatically and testing showed
that it worked.

However there was a problem. After separation from the booster stages the
craft would be in zero gravity so the main engine’s fuel was a big sphere of
liquid floating in the center of the fuel tank. The initial burn for the
calculation of center of mass could falter if the fuel wasn’t at the base of
the tank where the tank connected to the engine.

Before the main engine could be fired the maneuvering jets had to be fired
just long enough to press the fuel to the aft side of the tank. The software
did this too, but they discovered that in some cases the software didn’t do it
long enough.

Fixing the bug was too risky so close to launch, but the software could wildly
miscalculate the center of mass and the subsequent burn of the main engine
could send the craft into a fatal rapid tumble.

The solution they came up with was to tape a note on the control panel next to
the main engine switch telling the astronauts to manually switch on the
maneuvering jets to accelerate the craft before ignition of the main engine.

~~~
patchorang
I had a professor that told us about when he found a bug in some of the flight
code while he was interning at NASA. They decided it was too late to fix the
bug, so they also put a sticky note on the control panel with instructions.
Now I'm wonder how many sticky notes were on that control panel.

~~~
todd8
Sounds like the same person, it came up in a class taught by Boyer and Moore.

------
TeMPOraL
Huh.

When playing Kerbal Space Program, I usually design the spacecraft with a
final-stage engine + fuel tank below the heat shield, separated by a
decoupler. I deorbit the craft and then detach the propulsive part. As my
capsule screams through the air in a ball of plasma, I often see the
propulsive part following it through the air at a distance of couple hundred
meters, almost to the very end.

I always thought this was some KSP aerodynamics bug - intuition told me that
the detached part, not being particularly well-shaped, should burn up much
quicker and decelerate much faster. Turns out I was wrong - according to the
article, this happened multiple times during the Apollo program. I guess this
confirms that KSP is not that far from how the Space Race looked like...

~~~
pavel_lishin
I wish the article had gone into why this happened. I also expect the
jettisoned engine stages to be much more susceptible to atmospheric drag.
Maybe it's because the atmosphere is so thin up there that despite the plasma
buildup, it's still basically a vacuum?

~~~
mannykannot
The NASA report [1] goes into the details. The procedure was to fire the
service module reaction control thrusters to separate it from the command
module, spin it to give it stability, and then exhaust their fuel in slowing
it down. As the service module was not symmetric around its longitudinal axis,
however, the initial spin was not exactly aligned along that axis, and would
precess with a period of about 10 seconds. This would lead to sloshing of the
residual service module propellants, exacerbating the misalignment markedly --
sometimes wobbling beyond 90 degrees. This meant that the thrusters were not
achieving the desired change in velocity, and might sometimes even accelerate
towards the command module.

After modeling the problem for various residual fuel masses, a solution was
found in reducing the time spent on spinning the service module to two
seconds, and cutting off all thrusters after 25 seconds.

[1]
[https://archive.org/details/nasa_techdoc_19710017109/page/n3](https://archive.org/details/nasa_techdoc_19710017109/page/n3)

------
nmc
TL;DR

After being jettisoned, the Service Module remained dangerously close to the
Command Module during re-entry, so there was a risk that the two could have
collided

~~~
netsharc
That was a stupidly long article, repeating things a lot of people already
knew, for that little bit of information...

~~~
mannykannot
Its saving grace, IMHO, is that it has a link to the NASA report on the issue:
[https://archive.org/details/nasa_techdoc_19710017109/page/n3](https://archive.org/details/nasa_techdoc_19710017109/page/n3)

~~~
pbhjpbhj
Apollo 11 Mission Anomaly Report 3 - Service Module Entry

Conclusion

Tip-off moments applied to the service module at jettison cause the spin
vector to be misaligned with the service module X-axis. The rigid body spin
motion of the service module excites longitudinal slosh of the propellants in
tanks. The sloshing then becomes the dominant force and causes the spin vector
to approach a position normal to the service module X-axis. The sloshing can
orient the service module spin axis such that the net -X thrusting over a
period of 300 seconds can not only reduce the separation velocity of the
service module but also reverse its direction. This condition introduces a
remote possibility of recontact between the service modules and command
module. An optimum separation velocity can be obtained for a range of
propellant loads by restricting the spin thrusting to 2 seconds and the X-axis
thrusting to 25 seconds of firing time.

~~~
avian
I love how the solution was to add one time-delay relay into the circuit. It's
a 70s version of a one-line patch.

------
dsfyu404ed
I think this article is over-hyping the danger. Sure, the risk of the command
module and the service module crashing is nonzero but it's so tiny. They start
off being pushed away from each other by the separation and they have
different aerodynamic properties. It's not surprising that they continued on
similar paths initially since the atmosphere is very thin minimizing the
aerodynamic differences. To make an analogy, reentry is like tossing two empty
beer cans onto a windswept lake. Sure they might have a chance to hit each
other early on but the chances of that are small and if their aerodynamic
properties are different (i.e one isn't totally empty) they will get further
apart as time goes on. The Apollo program had a list a mile long of bigger
risks to spend their time mitigating. This article is just hand wringing.

