Returning to flight
By Tom Jones|January 2019
In spaceflight, failures are inevitable. If a commercial launch vehicle fails while flying NASA astronauts, how would NASA and the service provider return their systems to flight and assure astronaut safety? Veteran astronaut Tom Jones examines how NASA might cope with catastrophe.
When a rocket or spacecraft carrying astronauts suffers a major failure, the shock can convulse a space agency, and indeed an entire nation. Following its three fatal astronaut accidents, NASA grounded its Apollo and shuttle spacecraft for anywhere from 21 months (after Apollo 1) to 32 months (after Challenger). Yet after the Oct. 11, 2018, failure of a Russian Soyuz booster carrying astronauts to the International Space Station, piloted flights resumed less than two months later, on Dec. 3, 2018.
Despite the safe recovery of the crew and rapid return to flight, the Soyuz failure should get us thinking about how NASA might recover from an inflight failure in its commercial crew transport program. Under current legislation, NASA might be grounded until a presidential commission completes an investigation, limiting our access to ISS.
I believe the legislated presidential commission requirement is too restrictive. History and the facts of the Soyuz case show that NASA needs a range of options in investigating accidents, certainly using the talents of the commercial service provider, and/or enlisting government entities like the FAA and the National Transportation Safety Board. NASA’s aim — a timely and safe restoration of U.S. orbital access — won’t always be well-served by a protracted standdown and commission-led investigation.
Soyuz close call
All appeared normal during the initial ascent from Baikonur of the rocket carrying Russian cosmonaut Alexey Ovchinin and U.S. astronaut Nick Hague on the Soyuz MS-10 mission. Following first-stage burnout 118 seconds after liftoff, at an altitude of 41 kilometers, pyrotechnics fired to drop the four strap-on boosters from the core stage. However, the “D” booster failed to separate cleanly and collided with the core stage, rupturing its propellant tank and sending the rocket out of control.
The abrupt attitude excursions automatically activated the spacecraft emergency escape system, cutting loose the Soyuz descent module from the rocket’s third stage and triggering four rocket motors on the aerodynamic payload fairing. The three-second impulse from these solid motors pulled the fairing and the attached orbital and descent modules, with the crew inside, free of the crippled rocket.
Propelled to a peak altitude of 93 km, the descent module finally dropped free of the fairing 160 seconds after launch. The astronauts endured a steep, ballistic descent that saw a peak deceleration of 6.7 Gs. Slowed by its main parachute, the Soyuz descent module landed safely 19 minutes and 41 seconds after launch; recovery crews soon extracted Ovchinin and Hague, who came through in good condition. Roscosmos immediately convened an accident investigation board to find the cause of the abort and recommend corrective action.
Although the Soyuz rocket failed, Roscosmos took solace in the successful, automatic functioning of the emergency escape system. Despite the rapid breakup of the launcher, the system detected the failure and pulled the spacecraft and crew to safety.
Russian recovery
Roscosmos grounded the Soyuz system until the failure’s cause could be identified and corrective action implemented. Telemetry and video plainly showed the booster collision with the core stage, but what caused the recontact? Examination of wreckage recovered downrange in Kazakhstan helped reveal that a separation sensor on the errant “D” booster (one of four strap-ons) had failed to trigger the opening of a cover on the booster’s reverse-thrust nozzle. The nozzle was to vent high-pressure oxygen from the booster’s liquid oxygen tank, pushing the booster away from the core stage. The booster’s nose, scraping along the core instead, sliced open the core stage kerosene propellant tank, destroying the rocket.
Investigators traced the sensor failure to physical damage (a slightly bent pin) caused during assembly at Baikonur, a process error like one that destroyed a Soyuz in 1986. Because the October failure was not caused by a design flaw, Roscosmos directed inspections of future Soyuz boosters to verify proper sensor installation. On Nov. 16, the fourth Soyuz to launch since the failure rocketed a Progress cargo freighter to the ISS. That launcher flew in the same configuration as that of the Soyuz crewed mission, launched on Dec. 3.
Past space failures
After 1967’s fatal Apollo 1 pad fire, NASA took 21 months to redesign the spacecraft and fly astronauts on Apollo 7. Recovery from the Challenger disaster took 32 months and recovery from Columbia took 30.
Two fatal Russian space accidents, 1967’s Soyuz 1 and 1971’s Soyuz 11, required 18 and 27 months for crewed flights to resume. By contrast, when the Soyuz T-10a emergency escape system saved a cosmonaut crew from a catastrophic launch pad fire in 1983, the Soviets resumed flights in just seven months. Regaining confidence in a flight system takes less time if the astronauts survive the failure; only the launcher, less complex than the crew’s spacecraft, needs the fix.
The two-month recovery time for October’s Soyuz MS-10 failure was possible, first, because it was caused by a human processing error and not a design flaw. Second, the escape system saved the crew. Had two astronauts been lost in October, a lengthy, in-depth investigation and spacecraft redesign would have been necessary.
An added incentive to resume operations quickly after October’s failure was the need to launch a relief crew to the ISS. The three Expedition 57 astronauts would have had to leave ISS by early January 2019, before their docked Soyuz MS-09 exceeded its orbital shelf life. Although the ISS could fly under ground control for a few weeks, ISS managers were not eager to leave the outpost unpiloted and vulnerable to irreparable systems failures.
Coping with commercial failure
For a launch system failure — U.S. or Russian — the return-to-flight interval depends on the time needed to isolate the failure cause, ground-test the required fix, and prove its efficacy via flight testing. A launcher with an extensive flight history helps: The reliability and flight hardware of the Soyuz booster family, with over 1,700 launches, are very well understood.
NASA’s commercial partners will soon be flying the Crew Dragon and Starliner transport systems, whose configurations are new even if their launchers are well-tried. Suppose the SpaceX Crew Dragon’s Falcon 9 booster with nearly 65 launches and an approximately 97 percent success rate fails during launch. We can get an idea of how the investigation might proceed by looking back at how NASA and its partner dealt with a previous failure. When the Falcon 9 carrying the uncrewed CRS-7 Dragon cargo capsule to the ISS failed during ascent in 2015, SpaceX set up an accident investigation team and invited the FAA, NASA and Air Force to join. NASA subsequently created its own independent review team to evaluate the events leading to the failure, and ensure corrective actions were implemented. The parties agreed that SpaceX would correct a structural flaw in the mounting of a second stage helium tank. Ten months later, after three successful Falcon 9 missions for other customers, SpaceX successfully launched the CRS-8 Dragon to ISS.
United Launch Alliance’s Atlas 5, carrying Boeing’s Starliner, has flown 79 times and has never failed to achieve orbit, but no system is perfect. Both Boeing and SpaceX hope that their transports’ crew escape systems would protect against a launch failure; both use pusher rockets to blast the crew module clear of a failing booster. The companies plan to flight-test their escape systems in the first half of 2019, well before their first crewed ISS test missions planned for mid to late 2019.
Commission complications
In contrast to its adjunct role in past cargo launch failures, NASA would have a much larger part to play in any accident involving a commercial crew. The agency told me in a statement that “In general, the contractor will lead its investigation with government participation. But there are other options: NASA could conduct its own investigation with support by the contractor; a presidentially appointed Accident Investigation Board; or an FAA/NTSB-led investigation.”
After the Columbia accident, Congress in its NASA Authorization Act of 2005 directed that a presidential commission would investigate “any incident that results in the loss of:
1. a Space Shuttle;
2. the International Space Station or its operational viability;
3. any other United States space vehicle carrying humans that is owned by the Federal Government or that is being used pursuant to a contract with the Federal Government; or
4. a crew member or passenger of any space vehicle described in this subsection.”
This language means that if either a Falcon 9 or Atlas 5 fails while carrying astronauts, a presidential commission is called for — even if the crew walks away in perfect health. It could take years before a report is issued, corrective action is implemented, and astronauts are again cleared to fly.
Having two transport providers servicing ISS is a wise idea.
Preparing for failure
Why do I believe the presidential commission requirement is too restrictive? After a fatal commercial aviation accident, we don’t get a presidential commission, nor does the FAA ground every aircraft of that model while the accident cause is being sought. Many at NASA and the FAA would like Congress to ease this language and allow NASA to emulate the FAA’s successful spaceflight incident response model.
NASA should be able to work with its commercial provider and the FAA, identify the cause, make necessary changes, test them, and get back into orbit. This remedial approach works in civil aviation and in the military, and should be applied to the new NASA commercial crew regime.
A healthy tension will always exist between NASA and its commercial partners as the latter strive to meet agency safety standards while conducting profitable launches to ISS and opening an orbital tourism market. For its part, NASA must take a measured pace as it responds to a future commercial launch failure, even as it seeks to restore flight operations and rebuild domestic ISS access.
The right time to fly again is after a thorough, collaborative investigation identifies the failure cause and the fix has been tested rigorously to reinforce crew safety. In the words of famed rocket pioneer Wernher von Braun, “One good test is worth a thousand expert opinions.”
Related Topics
Human Spaceflight
