Thursday, December 7, 2023

How Close We Came to Losing the OSIRIS-Rex Return Samples

Back on September 24, we all talked about the return of material from Asteroid Bennu as the sample return capsule parachuted to a landing in the Utah desert.  What we didn't know at the time (or, at least, I didn't know) was that the return capsule came perilously close to smashing into the desert floor and possibly ruining the mission.  

This was the moment Dante Lauretta had waited for nearly 20 years to see. A small robotic capsule was on the way back to Earth with rocks scooped from an asteroid, and Lauretta was eager to get his hands on the samples.

For those watching NASA's live video coverage of the OSIRIS-REx mission's return to Earth, there were hints that something was amiss. Video imagery from a NASA tracking airplane showed the capsule tumbling toward the ground at high speed, well after the point when the drogue parachute should have been visible.

Inside a nearby helicopter, Lauretta was waiting for verbal updates on the status of the capsule.

"I heard the 100,000-foot crossing, and no drogue, and the drogue chute is supposed to come out at 100,000 feet," he recalled during a presentation last month to the National Academies' Space Studies Board. "Sixty-thousand feet, no drogue. I’m like, 'Ugh, this isn’t good.'"

"We’re tumbling. We are in a subsonic regime, and we are not stabilized," Lauretta said. "There’s no drogue chute deployed here. Problem! So I was like trying to mentally prepare myself, because we’re on live TV, to get off this helicopter and deal with a crashed capsule in the desert."

Then, Lauretta heard confirmation from the Air Force that the OSIRIS-REx return capsule had unfurled its main parachute.

"I was like, 'What? How is that possible?'" he said. "So the main chute deployed. The drogue chute, as we’ve been able to reconstruct, went one second before the main. So it came out. It had to come out. It was in front of the main parachute in the canister, and it looks like there was a circuit issue."

On Tuesday, NASA provided the results of an investigation into what happened; an investigation carried out by engineers from NASA and Lockheed Martin, which built the OSIRIS-REx spacecraft and sample-return vehicle.  

When the capsule passed through 100,000 feet, the system was supposed to send a command to deploy the drogue chute.  This would trigger the start of a five minute timer before the main chute would deploy.  Instead, the signal triggered the system to cut the drogue free.  Nothing deployed. All it did was cut the drogue parachute's cords attaching it to the capsule.  

At 9,000 feet, it sent the command to release the drogue chute, but with its cord already cut, the drogue went flying and the main chute deployed.  Lauretta explained:

"The first signal was supposed to fire the mortar and release the drogue," Lauretta said. "The second signal was supposed to cut the cable to release the main... It looks like the first signal cut the (cable), and then the second signal fired the mortar, so it went backwards. But it worked. We had lots of margin on that main chute. It landed safely—a beautiful pinpoint landing in the Utah desert.”

The capsule on the ground in Utah after it's incorrect parachute sequence.  Photo credit: NASA/Keegan Barber 

The investigation concluded that the mistake was created because instructions for how to connect everything used the word "main" in two different ways.  "On the signal side, 'main' meant the main parachute. In contrast, on the receiver side 'main' was used as a reference to a pyrotechnic that fires to release the parachute canister cover and deploy the drogue.  "Engineers connected the two mains, causing the parachute deployment actions to occur out of order," NASA said. 

Those of you who have been through the seemingly endless design reviews for such things, resulting in a pile of papers that outweighs the launch vehicle, know that this little detail had to have been reviewed multiple times and nobody ever thought there was anything wrong.  You were probably shaking your heads in wonder as you read this, as was I.  


  1. Issues can occur when there are too many groups producing too much material and the integration group or overwatch group is overloaded.

    First things first. There needs to be a specific guideline for naming. I know, sounds stupid, but old school programming required knowing how to name things. Like using longer name conventions. Like, oh, "Main Parachute" meaning main parachute and "Main Parachute Pyro" meaning main parachute pyrotechnic, while "Para Cover and Drogue Pyro" meaning parachute canister cover and drogue launch pyrotechnic.

    We are past the days of minimal names due to low computer power and storage.

    Names and labels for subgroups should not be found in other subgroups' names and labels.

    It's, you know, not like any of this is new. People have been doing spacecraft design, construction and integration since, what, the mid to late 40's? And it's one of the things that was hammered home after the Apollo 1 fire. And the issues with Skylab. And the issues with the Space Shuttle. And the issues with the Delta explosive bolts. And that one probe with measurement issues. And and and...

    1. Agreed, Beans. You have to have a COMMON naming convention with names that make sense to avoid confusion and grievous mistakes. We got lucky this time, but we won't be so lucky the more complex the systems become!

  2. They were using imperial main instead of metric main.

  3. That's why this tax-funded computer code has to be secret, because if you had hundreds of fanatical space nerds looking over it, the bug would have been found. Instead, like congress we have to fly this spacecraft to find out what's in it.

  4. This went way beyond lucky. Blessed would be my preferred term.