When a launch goes bad, how do you save the crew?
When the first U.S. astronauts watched an Atlas rocket explode in a giant fireball in a May 1959 test launch, they got a very clear picture of how things could go in the country’s first human space program. The explosion was the launch vehicle’s fourth consecutive failure. Knowing this, Gus Grissom turned to his crewmates and asked incredulously, “Are we really going to get on top of one of those things?” Two years later, Alan Shepard did, risking the fireball to become the first American in space.
This article appears in the feature series American Spacelines.
Soon astronauts will once again blast off on rockets untested with human passengers. This time, the vehicles will be designed, built, and operated not by NASA but by the private U.S. companies Boeing and SpaceX. NASA has embarked on the new Commercial Crew Program to get American astronauts to and from the International Space Station without having to buy seats on Russian Soyuz launches, as it has been doing since the end of the space shuttle program in 2011. Besides wanting to end dependence on Russia and find a more affordable ticket to orbit—the Russians currently charge more than $80 million a seat; Boeing and SpaceX will ask for only $58 million—NASA is hoping to encourage the growth of a new industry in space transportation and tourism. The agency will have a smaller role than ever in developing and testing the hardware that will carry its astronauts to orbit, but it is ensuring their safety with an intensive certification process known as “human rating.” A key part of the process is to put in place a way for astronauts to escape if all the other safeguards fail—an abort system that in an emergency will get the crew out.
With nearly 60 years of experience and dramatic advances in spaceflight technology, the launch business is much safer than it was in its infancy. The Atlas V that will lift Boeing’s CST-100 Starliner capsule into orbit has a 100 percent mission success rate over its nearly 80 launches since 2002. Elon Musk’s company SpaceX, which will ferry astronauts to the International Space Station in its Crew Dragon capsule, has launched its Falcon 9 rocket fewer times, but its current success rate is 96.6 percent, and Musk has said that he wants the Falcon 9 to be “the most reliable rocket ever built.”
Still, in NASA literature, the goal of the Commercial Crew Program is “safe, reliable and cost-effective access to and from the International Space Station,” and the agency is working hard to guarantee that first word: “safe.” In certifying the launch vehicles and spacecraft, NASA will draw on its experience with the Russian Soyuz. Kathy Lueders, the manager of the Commercial Crew Program, says the process of auditing Russian safety standards before it started booking Soyuz flights has helped NASA become comfortable with its relatively hands-off management of commercial crew spacecraft.
In order to ensure that the Crew Dragon and Starliner meet NASA’s safety requirements, Lueders and her team have access to vast quantities of analysis and testing data—from both companies and from NASA’s own spaceflight programs—and they’re working closely with Boeing and SpaceX on their spacecraft designs (see “For All Mankind and for Profit,” Sept. 2018).
In terms of human rating the launch vehicles, Lueders says the agency intends to do as little as possible to change them. “Ideally, we don’t want to make any changes to a [launch] vehicle that has flight experience, a proven track record,” she says. “Whenever you do something different, you’re kind of adding risk to the operation.”
But one change was vital: adding an integrated automatic Emergency Detection System that can see potentially fatal trouble brewing and instantly trigger the capsule’s abort system, which launches the spacecraft away from the rocket and deploys its parachutes for landing.
Launch escape systems, or abort systems, came into spaceflight from its aviation roots. The American Gemini and Soviet Vostok capsules used ejection seats. Mercury and Apollo, along with the Russian Soyuz and Chinese Shenzhou, have all used rockets mounted above the crew module to pull the whole spacecraft to safety in a hurry should the launch vehicle fail. The space shuttle generally relied on the orbiter’s ability to glide back to safety if things went wrong. In some cases where that wasn’t possible, the crew were to slide out of the orbiter on a kind of fire pole and deploy personal parachutes. (In its recommendation to recertify the space shuttle, the Columbia Accident Investigation Board expressed concern over whether that system would work.)
NASA’s forthcoming Orion crewed spacecraft uses the same type of abort system as Mercury and Apollo: A rocket pulls the capsule away from the launch vehicle from above. But the abort systems on both the Crew Dragon and the Starliner will have pusher rockets built into the capsules themselves.
Garrett Reisman, SpaceX’s senior advisor of human spaceflight and a former astronaut himself, says the push method involves less risk. With the pull method, the tower where the abort rockets are mounted has to be jettisoned or the capsule won’t be able to deploy its landing parachutes, even on a normal flight when the system is not used. Reisman likens such launch-escape-system towers to ejection seats that have to be used every single time you fly. “It should be something that you rely on on a very bad day,” he says, “not something you use every good day.”
Another benefit of a built-in abort system, says Reisman, is that it comes home with the capsule and can be reused. The abort rockets (in the Crew Dragon’s case, eight liquid-fuel, 16,000-pound-thrust engines called SuperDracos) can share propellant with smaller thrusters the capsule uses for maneuvering in space. That way if an abort isn’t necessary, the spacecraft has extra fuel to use in orbit and during reentry. (It’s worth noting that NASA’s Orion will use the jettisoned-tower method so it can get rid of all unnecessary weight before making long-distance trips to the vicinity of the moon or Mars.)
Pusher systems can be used today only because of the immense computing power available to spacecraft builders. Part of why NASA didn’t use push rockets decades ago was that they were too difficult to control, requiring constant adjustments to keep the capsule steady. Today’s computers can easily do the job.
In fact, the entire abort system on the new crew vehicles is automatic. Computers monitor every parameter of the launch vehicle’s performance and instantly trigger an abort if anything goes wrong. It’s a far cry even from the technology on the space shuttle, which often required a human decision—and a manual command—to abort. Reisman, who flew on three shuttle missions to the ISS, says your iPhone has way more computational capability than the flight computers on the shuttle.
“We had to do subtraction in our heads to figure out, ‘Okay, if this screen goes blank and you get four lights that light up in the caution warning panel and you subtract the two lights that are below it, that means it was this particular box that failed,’ ” Reisman remembers. Now, he says, “Computers can do all of that much faster and more reliably.”
But, Reisman says, there are some situations for which you can’t write an effective algorithm—judgment calls on whether to take a given risk based on the circumstances of the mission—where you’d still want a human in the mix. So the new crew vehicles, as well as the folks in ground control, will have a manual abort option too.
One holdover from the shuttle program is the way in which the commercial crews will get away from the launch pad in an emergency before the rocket fires. They’ll exit the capsule via the crew access arm and jump into baskets attached to zip lines, which will then carry them safely to the ground, where they’ll climb into armored vehicles and drive themselves out of harm’s way. The Falcon 9 and Atlas V crew access arms are situated higher than the shuttle’s was, says Reisman, so the astronauts can expect the zip line descent to be “more sporty.”
* * *
Abort systems have rarely been needed in the history of crewed spaceflight, and only once were lives actually saved by one. [Ed note: Make that twice. Since publication, the Soyuz MS-10 crew aborted successfully during launch on October 11, 2018.] Late on the night of September 26, 1983, two Russian cosmonauts waited in their Soyuz capsule atop a Soyuz-U booster. Less than two minutes before liftoff, a faulty valve led to a fuel leak, and then a fire, at the base of the rocket. Crew members Vladimir Titov and Gennady Strekalov had no way to manually trigger an abort. As fire engulfed the rocket beneath the men, two different ground control operators in two separate rooms miles away from the pad had to radio the abort command simultaneously in order for it to work. By one estimate, the capsule separated from the rocket only two seconds before the rocket exploded. (The Soyuz capsule touched down safely a couple of miles from the ruined pad, and vodka was produced for the occupants.)
In that sense, abort systems have never failed to save crews—that is, when they were available. The only fatal American inflight accidents to date are the two shuttle disasters, both of which occurred at points in the orbiter’s trajectory where an abort was unfeasible. These “blackout zones” were part of the risk NASA took with the shuttle program—a design tradeoff in exchange for the orbiter’s large cargo capacity and reusability.
The Crew Dragon and Starliner won’t have the shuttle’s blackout problem. Their built-in abort systems can be used at any point in the launch trajectory, all the way to the space station.
That capability comes with staggering engineering challenges. The abort has to work equally well while the rocket is still sitting on the launch pad as when it’s going thousands of miles per hour outside the atmosphere. In a pad abort, the capsule has to be shot downrange far enough to be safe from an exploding rocket and high enough for its parachutes to have time to deploy. The Starliner will have the capacity to land on water or solid ground, but the Crew Dragon has to make it to the ocean during a pad abort; its initial landings are splashdown only.
An inflight abort at lower altitudes, on the other hand, requires the same system to jettison the capsule amid the violent dynamic pressure of supersonic flight. At higher altitudes the capsule has to coast through little or no atmosphere and reorient itself for reentry.
Boeing and SpaceX must show that, in every 10-second segment of the launch to orbit, the crew has at least a 95 percent chance of surviving an abort in their vehicles.
Brent W. Jett is a former astronaut who now sits on NASA’s Aerospace Safety Advisory Panel (ASAP), a board currently of eight experts who serve as outside observers and advisers to the agency in matters of safety. Jett helped write NASA’s human rating requirements back in 2007.
One of the panel’s recent topics of discussion has been SpaceX’s plans to fuel the Falcon 9 at the last minute, with the crew already on board and all ground personnel evacuated from the area. Crewed rockets have always been fueled prior to boarding the astronauts, but SpaceX says its process may be safer overall because it confines the risk of an explosion to a shorter time frame and doesn’t expose the ground crew to that risk. While the new method requires scrutiny, the ASAP members have stated that it can be an option “if the environment and hazards are understood and adequately controlled.”
The truth is, assessing risk is all about tradeoffs. No system is perfect, and every design and method has a downside. That’s the idea behind NASA’s loss-of-crew (LOC) ratio—essentially, the agency is aiming for the Crew Dragon and Starliner to have no more than a one in 270 chance of a fatal failure. On the surface this seems to distill a life-or-death decision down to a simple statistical probability. But according to NASA’s Kathy Lueders, that’s not really how the process works.
“People kind of look at this requirement and they say, ‘One in 269 is not safe, one in 270 is,’ ” she says. She explains that the number is intended not as a hard-and-fast standard but as a design tool that allows engineers to assess how certain changes will affect the overall safety of the vehicle and to give them a common language for discussing risks.
“You’re making trades all the time,” says Lueders. “You can say, ‘Yes I would love to have tons of MMOD shielding’ [protection against Micrometeoroids and Orbital Debris], but if that makes the vehicle so heavy I have to add another booster, well guess what? Adding another booster adds more risk too.”
Lueders says the commercial vehicles may not end up hitting the one-in-270 goal, and that’s okay. At some point, continuing to change the vehicle can yield diminishing returns. But if the goal is not met, NASA and the company will have to develop a rationale to explain why they consider the vehicle safe to fly.
Space programs have always used statistics to assess risk, but using the LOC ratio as a design tool is a relatively recent development. After the Columbia disaster, NASA assessed the likelihood of another fatal accident with the orbiter, finding it to be on average about one in 100. The agency wanted its next crewed vehicle, then called Constellation and now Orion, to be 10 times safer. But it soon discovered that number to be impractical.
“We’re still learning,” Lueders says.
Fifty or 60 years ago, when the first humans were launching into space, the main way to know whether a vehicle was safe was to test it. The thing was, sometimes if you hadn’t seen a problem during testing, you didn’t know about it. In a 1997 interview, astronaut Tom Stafford related a 1965 incident in which he and command pilot Wally Schirra nearly chose to eject from their Gemini 6 capsule after their Titan II rocket misfired on the pad. They decided they could get out safely the old-fashioned way, and it was a good thing—the ejection system had never been tested in the pure-oxygen cabin conditions that existed just before launch, and the pyros would have immediately ignited the air around the departing crew.
“What we would have seen, had we had to [eject], would have been two Roman candles going out,” Stafford said.
Stafford knew that because, little more than a year later, three Apollo astronauts died in a fire during a launch simulation in their capsule, which was filled with the same 100 percent-oxygen atmosphere. Among them was Gus Grissom, who had quipped about the safety of the Atlas rocket eight years earlier. Only after the fire, when the danger of a pure-oxygen environment had become grimly clear, did NASA change the capsule’s cabin atmosphere to a mixture of oxygen and nitrogen.
Modern vehicles are carefully tested too. In 2015 SpaceX conducted a pad abort test in which the capsule was launched directly from the launch pad using its SuperDraco abort engines. On board was a dummy rigged with sensors that collected data about how the considerable G-force of an abort will affect the crew. (Boeing’s pad abort test has been bumped to spring 2019, after a problem with the Starliner’s abort engines during a June 2018 test at White Sands in New Mexico.) SpaceX will also test the Crew Dragon’s abort system mid-flight during an uncrewed launch of the fully assembled vehicle later this year, and the first crewed test flights of both vehicles will likely happen early next year. (Neither abort system will be tested with humans on board.)
But these days, only a fraction of the data that gets plugged into things like the loss-of-crew calculation comes from real-life tests. The vast majority of what engineers know about the safety of their spacecraft is spun out by computer models, yielding many times more data than could ever be gathered during real-world testing. Virtual vehicles are run through thousands of simulations in which engineers vary the flight trajectory and surrounding conditions each time, randomly inserting failures to see how the spacecraft would respond. For instance, the abort system may work as long as the launch vehicle is mostly upright but not if it’s tilted beyond a certain degree. In the business, these unexpected conditions are called the flight’s “margins.”
According to ASAP’s chair, Patricia Sanders, human rating is based on understanding those margins so that you can decide whether the risk there is acceptable.
“Because [space] is a hostile environment, it is never going to be totally safe. There’s always going to be some judgment call about what level of risk, relative to the benefit, the decision makers are willing to accept,” says Sanders.
One of the greatest threats to safety in a crewed space program is the perceived need to accept a certain level of risk in order to carry on with the mission, often called the “flight rationale.” Jett explains that part of the reason NASA chose to fund the development of two commercial spacecraft to be operated by two separate companies is to take away the pressure to fly. No matter the urgency, there will always be more than one way to get people to and from the space station. No single contractor or single launch will bear the pressure of a schedule.
Jett says the risks NASA took with early crewed spaceflight came with the territory of doing something brand new. Today’s equivalent may be landing people on Mars and getting them safely home. But there’s not much mystery left in simply launching spacecraft into orbit. “We’ve been doing it for more than 50 years,” says Jett. “I believe we should be able to do it without killing people.”
While some have expressed concern that handing over astronaut safety to commercial providers is a mistake, the ASAP board is confident in NASA’s approach to certification. Of course, the certification itself will be the result of a long series of compromises and the arrival at a somewhat arbitrary loss-of-crew number.
“You will never know it perfectly,” says Jett of the human rating process. “It’s too complex. At the end of the day you make that decision. You say, ‘Okay, I think I understand it well enough and it’s worth the risk to go.’ And then you go.”
In the meantime a whole lot of private capital, not to mention tax money and computing power, is being brought to bear on making sure the new generation of spacecraft will be safe for human cargo. Or, at least, safe enough.