They say “Space is hard”
Orbital Sciences crashed a rocket equipped with two 40-year-old engines. Physically that old, not just a 40-year-old design. They were an interim solution and Orbital was working towards new engines. We don’t know at this point whether the engines were to blame, but to me it seems likely: the engine brightening and loss of thrust visible in the launch video point to that. No people were hurt. In May this year, a similar NK-33 engine exploded on a test stand at NASA Stennis.
Last Friday, Scaled Composites’ SpaceShipTwo disintegrated soon after its hybrid rocket engine was started. One of the two pilots was killed.
Several leaders had already quit the organization this year. Scaled had been criticized by some people in the industry for choosing a hybrid motor for the aircraft. Scaled Composites won the X Prize in 2004, ten years ago, with the much smaller SpaceShipOne and a hybrid motor built by SpaceDev; the two X Prize flights to 100 km were successful. But scaling up to SpaceShipTwo size has taken unexpectedly long. They had a test stand explosion already in 2007 that killed three people. The large amount of nitrous oxide (N2O) is dangerous because it is a monopropellant: it can decompose exothermically on its own, so a runaway chain reaction and an explosion can occur without any mixing with fuel at all. The solid fuel grain of a hybrid can also break up, and pieces of the solid can block the nozzle. Such things have happened with solid rockets: the blockage raises chamber pressure, the pressure rise feeds on itself, and the result is a catastrophic explosive failure.
I have not followed Scaled Composites that closely, and I don’t know how many ground tests they have done. There has been talk that they were moving to a new fuel chemistry, but it is unclear whether that was on this flight. SpaceShipTwo had already made some successful supersonic powered flights, so the craft was not exploring new flight territory when it was destroyed.
To someone watching from afar, it might seem that such failures would actually not be so hard to avoid. Could both of them have been avoided with a simple cure? Just 1) do more ground firings of the engine.
I’m in no position to say so for certain myself, but it seems quite simple.
No people were lost on the Orbital Antares flight. The payload was their own Cygnus unmanned space station resupply vehicle, so they can just rebuild the pad and fly again. With no lives at stake, it is rational to go from engine tests to flight at a much earlier point.
With SpaceShipTwo the situation is much more severe. Two test pilots were flying the vehicle. The design required large amounts of pressurized monopropellant (N2O), and the engine chamber was large, holding a large amount of hot, high-pressure gas while operating.
In a liquid rocket engine the risks are much easier to mitigate, since the chamber is a lot smaller than in a hybrid. The propellants (if ordinary ones are chosen) cannot explode by themselves, and only a very small amount of them is mixed at any one time in the preburners, pumps and chamber. So one way to avoid accidents like these is to 2) pick a fundamentally less dangerous approach.
There is even a third way to avoid accidents: make the system resilient to individual component failures. Compare Antares with a SpaceX Falcon 9: would a single main engine giving up the ghost a few seconds into the flight have resulted in a pad crash? If the stage had stayed intact and the engine had not exploded so violently that it destroyed its neighbours (given sensors for automatic engine shutdown), the mission might still have ended in failure, but the pad might have been saved. Had it occurred later in flight, even the mission might have been salvageable; Falcon 9 demonstrated exactly that on the CRS-1 flight in 2012, when one of its nine first-stage engines shut down in flight and the Dragon capsule still reached orbit.
And what about reusable vehicles like SpaceShipTwo? Its design looks made for tolerating engine problems: after release from the carrier aircraft, in case of any trouble it can just glide to an easy landing (possibly after venting the oxidizer). There is no dangerous low-altitude zone as with some ground-launched vehicles. So the problem reduces to having really good sensors and stopping the engine at any sign of trouble, and of course making the engine stoppable in the first place. Hybrids are stoppable (unlike solids), but the amount of high-pressure gas is still so large that sensing problems and controlling the system is not straightforward. The nitrous being a monopropellant can also cause issues.
So Scaled had a dream system. They built a great carrier aircraft, White Knight Two, with avionics, cockpits and systems similar to SpaceShipTwo’s, and they test flew it a lot. They did captive-carry and glide tests with SpaceShipTwo, made some changes and ironed out that part. They really knew how to do the aeroplane part, having built multiple record-breaking craft before. The real tragedy here is that their propulsion seems to have failure modes that are simply too big, and just that one part bit them now. So 3) make the system always abortable.
This should apply to the software business as well. You should have things like software component testing, regression testing, internal testing and customer testing. You should also have good software design, for example transactionality and constraints in databases. This stuff is also more than 40 years old, and if done right it categorically prevents a large class of data corruption problems: a failed operation is undone as a unit instead of leaving half of its changes behind.
Have a fail-operational infrastructure design: multiple hard disks, multiple network connections, multiple servers in different physical locations (data centers with redundant power and cooling) and with different service providers, backups with restore tests, hot spares, and gracefully degraded modes in case of, for example, data transfer problems.
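To make the database point above concrete, and the "backups with restore tests" point along with it, here is an added example written for this page; it is not code from the original post. It is the software version of "make the system always abortable": a small account ledger on Python's built-in sqlite3 module, where a CHECK constraint and a foreign key guard the invariants and every transfer runs in one transaction, so a transfer that would overdraw an account, pay a non-existent account or carry a bad amount is rolled back as a whole. The schema, the function names and the sample accounts are my own constructions for the example. The last function also writes a backup and then actually opens and checks the copy, which is the difference between having a backup and assuming one.

```python
# Added example (not code from the original post): constraints plus transactions
# so that a bad operation aborts as a unit, and a backup whose restore is verified.
# Standard library only; the schema, names and sample data are constructed for this example.
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)      -- no overdrafts, ever
);
CREATE TABLE ledger (
    id      INTEGER PRIMARY KEY,
    src     INTEGER NOT NULL REFERENCES accounts(id),  -- both ends must exist
    dst     INTEGER NOT NULL REFERENCES accounts(id),
    amount  INTEGER NOT NULL CHECK (amount > 0)        -- catches sign bugs in callers
);
"""


def open_db(path=":memory:"):
    """Open a database with explicit transaction control and foreign keys enforced."""
    conn = sqlite3.connect(path, isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    conn.execute("PRAGMA foreign_keys = ON")            # off by default in SQLite
    conn.executescript(SCHEMA)
    return conn


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one atomic unit.

    Returns True when committed, False when a constraint fired and the whole
    transfer was rolled back. The database never holds a half-applied transfer:
    the debit only survives if the credit and the ledger row do too.
    """
    try:
        conn.execute("BEGIN IMMEDIATE")
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        # An UPDATE on a missing account silently touches no rows; the ledger's
        # foreign keys are what reject the transfer in that case.
        conn.execute("INSERT INTO ledger (src, dst, amount) VALUES (?, ?, ?)", (src, dst, amount))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        conn.execute("ROLLBACK")   # the abort: everything since BEGIN is undone
        return False


def balance(conn, acct):
    row = conn.execute("SELECT balance FROM accounts WHERE id = ?", (acct,)).fetchone()
    return None if row is None else row[0]


def total_balance(conn):
    """Invariant: transfers move money around but never create or destroy it."""
    return conn.execute("SELECT COALESCE(SUM(balance), 0) FROM accounts").fetchone()[0]


def ledger_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM ledger").fetchone()[0]


def backup_and_verify(conn, backup_path):
    """Write an online backup, then prove it restores: reopen the copy, run SQLite's
    integrity check and compare the money invariant against the live database."""
    target = sqlite3.connect(backup_path)
    conn.backup(target)          # sqlite3 online backup API (Python 3.7+)
    target.close()
    restored = sqlite3.connect(backup_path)
    try:
        intact = restored.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
        return intact and total_balance(restored) == total_balance(conn)
    finally:
        restored.close()


def demo():
    """Run the scenario on constructed sample accounts and return the observations."""
    conn = open_db()
    conn.executemany("INSERT INTO accounts (id, balance) VALUES (?, ?)", [(1, 100), (2, 50)])
    results = {
        "normal": transfer(conn, 1, 2, 30),           # commits: 70 / 80
        "overdraft": transfer(conn, 2, 1, 500),       # CHECK(balance >= 0) fires, rolled back
        "missing_account": transfer(conn, 1, 99, 10), # debit applied, then FK rejects ledger row
        "negative": transfer(conn, 1, 2, -5),         # CHECK(amount > 0) catches the sign bug
    }
    results["balances"] = (balance(conn, 1), balance(conn, 2))
    results["total"] = total_balance(conn)
    results["ledger_rows"] = ledger_rows(conn)
    with tempfile.TemporaryDirectory() as tmp:
        results["backup_ok"] = backup_and_verify(conn, os.path.join(tmp, "ledger.bak"))
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things in this example are the ones people most often skip. First, `PRAGMA foreign_keys = ON` has to be set per connection, otherwise the ledger's references are never checked and the "missing account" transfer would commit with money vanishing into account 99. Second, `backup_and_verify` does not stop at writing the file: it reopens the copy and checks it against the live data, which is the restore test the paragraph above calls for.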
And then there is the software development change management process, which is another can of worms. I’ll write more about it in a couple of years…
Michael Alsbury was the SpaceShipTwo pilot who was killed in the accident. We should respect his memory and try to publicize ways to make space access safer for all. We should not say “space is hard”. We should say that space requires both comprehensive dedication and an open attitude towards safety.