On the morning of Oct. 31, 2014, about 13 seconds after being released from its WhiteKnightTwo (WK2) launch vehicle, the suborbital spaceplane SpaceShipTwo (SS2) broke up in flight and struck the desert near Koehn Dry Lake, California, U.S., after its reentry device was unlocked by the copilot, causing inadvertent deployment at transonic speed. The pilot was severely injured but was able to descend to the ground by parachute, and the copilot was fatally injured. There were no injuries on the ground. The experimental spaceplane was destroyed, and the U.S. National Transportation Safety Board (NTSB) conducted its first investigation of a commercial spacecraft accident.
The accident occurred on the fourth powered flight of SS2, within a test program also including 30 glide flights, operated by Scaled Composites (Scaled) under a special airworthiness certificate from the U.S. Federal Aviation Administration (FAA) in a development program that was several years behind schedule. The accident flight was the first to be powered by a new rocket motor.
The SS2 program grew out of the success of SpaceShipOne (SS1), which, in 2004, was the first civilian vehicle to be piloted into space. SS2 was a much larger vehicle, designed to carry two pilots and six passengers in commercial space suborbital operations. Both vehicles were designed by famed Scaled founder Burt Rutan and featured a unique reentry concept based on a feather system that temporarily rotates a flap assembly with twin tail booms that must be unlocked and extended upward from the normal flight position to a 60-degree angle relative to the vehicle’s longitudinal axis (Figure 1) in a precisely timed sequence.
Figure 1 — SpaceShipTwo
Source: Virgin Galactic
Though less problematic than reentry at orbital velocities, suborbital reentry carries similar risks of friction heating and loss of control, with design solutions that are at cross purposes with the overall need to minimize drag in other flight phases. The highly streamlined rocketship would have to be “unstreamlined” for reentry, maximizing drag to distribute heat while remaining stable. Rutan realized the ideal solution would be for the vehicle to assume a high-drag shape like a badminton shuttlecock, presenting a large surface area to the atmosphere while remaining inherently stable. On both SS1 and SS2, this was accomplished by hinging the twin stabilizer booms and flap assembly: The tail remains horizontal until leaving the atmosphere, then pivots to a nearly vertical attitude as the vehicle coasts through apogee (the highest point of the flight trajectory). During reentry, airflow over the feathered control surfaces forces the vehicle into a belly-first attitude. Scaled describes this as a “hands off” reentry, requiring little to no pilot input during this critical phase. Once safely in the atmosphere, the pilots would return the vehicle to a normal “unfeathered” configuration for the unpowered descent and landing.
SS1’s success attracted the attention of the Virgin Group’s founder and chairman, Richard Branson, who partnered with Scaled to create the world’s first commercial spaceline, Virgin Galactic. The two companies formed a joint venture, The Spaceship Company, which would build the WK2 and SS2 vehicles for carrying passengers into space.
SS2 needed a more powerful rocket motor than SS1, but development of that motor put the program behind schedule and suffered its own tragedy. In 2007, the new motor’s oxidizer tank exploded under pressure during a “cold flow” test. The accident destroyed the test stand, killing three engineers and injuring three others.1
Seven years later, the new motor was not a contributing factor in the SS2 accident, but the constantly evolving design led to aerodynamic changes that further slowed the vehicle’s development. Being integrated within the airframe, the vehicle design could not be finalized until the motor’s precise dimensions, mass-related properties and subsystems were established. As such, the Oct. 31 test marked the first powered flight of SS2 in over nine months.
Final Flight
Test objectives for the flight included a 38-second rocket burn to reach an apogee of 135,000 ft above mean sea level (MSL) and a maximum velocity of Mach 2, with deployment of the feather system for a planned reentry at 1.2 Mach and a gliding descent to a landing at Mojave Air and Space Port (KMHV). After a 0500 local time briefing with their chase airplane pilots and mission control engineers, the WK2/SS2 pilots began preflight inspections at 0730. The mated vehicles departed KMHV at 0919.
Approximately 40 minutes later, WK2 reached the targeted release altitude of Flight Level 460 (approximately 46,000 ft) as SS2’s crew began pre-launch checklists. The “launch minus 10 minutes” checklist called for the copilot to confirm operation of the feather system locks, which included lock/unlock functions and status/warning indications on the multifunction display. No anomalies in the lock mechanisms or feather system extend-retract checks were detected.
It was well known among the team that, per procedures specified and practiced in a fixed-base simulator for this flight, the feather system could not be safely unlocked below 1.4 Mach due to the extreme aerodynamic forces that occur in the transonic range of velocities. Transonic generally is considered to be the region of high subsonic speeds at which localized airflow becomes supersonic around isolated areas of the airframe. This places increased aerodynamic and structural loads on the airframe due to compressibility effects (standing shock waves, etc.). It is often where maximum dynamic pressure occurs, which is why SS2 needed to be safely past Mach 1 before unlocking the feathers.
Moreover, the feather system had to be unlocked before reaching 1.8 Mach to enable reliable extension. Otherwise, procedures required the flight to be aborted because the controlled reentry made possible by the feather system would not be assured.
This left a narrow window of opportunity for the copilot to act, given SS2’s rapid acceleration after release from WK2 and the high-workload environment, which was compounded by intense vibrations and control forces that could not be adequately reproduced in the simulator. Nor could the simulator generate realistic effects — discussed during SS2 pilot training — of mistimed unlocking leading to uncommanded feather system deployment with aerodynamic vehicle breakup: If unlocked too soon in the simulator, there would be no directly observable consequence.
On the actual spaceship, once unlocked, all of the aerodynamic and inertial forces were borne by the feather system’s two lock actuators and four feather flap hinges. But, SS2 being a developmental program, the critical speed limits within procedures and checklists were subject to change based on specific test conditions.
The greater fear within the program leadership was that the feather system would fail to retract after reentry and render the vehicle uncontrollable, rather than a pilot making an unrecoverable error in performing related highly practiced procedures, NTSB said. Perhaps belying Scaled’s successful heritage in research and development, the program’s focus on engineering a spacecraft that performed flawlessly led to assuming existence of a common “tribal knowledge” mentality: “The SS2 accident pilot knew that the feather was not to be unlocked before 1.4 Mach but could not remember if that information was conveyed in a design review or during informal discussions,” according to the NTSB’s final report. “He stated that the requirement for feather locks [to remain locked] in the transonic region ‘came up many times’ and believed that this information was ‘common knowledge.’ Other Scaled and Virgin Galactic pilots stated they were also aware of the requirement not to unlock the feather during the transonic region. Scaled’s vice president/general manager stated that the company had not considered the possibility that a pilot would unlock the feather before 1.4 Mach.”
NTSB determined that Scaled operated on the assumption that their test pilots would simply not make such a mistake. “Although some evidence indicated that SS2 pilots were made aware that the feather should not be unlocked before the designated Mach speed, there was insufficient evidence to determine whether the pilots fully understood the potential consequences of unlocking the feather early,” the NTSB report said. “No warning, caution or limitation in the SS2 POH [pilot operating handbook] specified the risk of unlocking the feather before 1.4 Mach.”
NTSB determined that the probable cause of the accident was Scaled’s “failure to consider and protect against the possibility that a single human error could result in a catastrophic hazard to the SS2 vehicle. This failure set the stage for the copilot’s premature unlocking of the feather system as a result of time pressure and vibration, and loads that he had not recently experienced, which led to the uncommanded feather extension and subsequent aerodynamic overload and inflight breakup of the vehicle.”
Crew Actions
In analyzing the copilot’s actions, the NTSB found that, “Because of the dynamic nature of the boost phase, the copilot memorized his three tasks to be accomplished during that phase: calling out 0.8 Mach, calling out the pitch trim position in degrees as the pilot trimmed the horizontal stabilizers, and unlocking the feather at 1.4 Mach. In addition to recalling these tasks from memory, each of the tasks needed to be accomplished in a limited time frame. … Because of the importance of unlocking the feather before 1.8 Mach, the copilot might have been anxious to unlock the feather to avoid aborting the flight. Thus, time pressure was likely a stressor that contributed to the copilot incorrectly recalling the sequence of his tasks and unlocking the feather prematurely.”
At this point in the accident sequence, the vehicle was only at 0.82 Mach. NTSB simulator tests indicated SS2 would not have reached 1.4 Mach for another 13 seconds. As noted, other contributing factors amplified the copilot’s workload; in particular, vibration and high acceleration, though it is notable that the surviving pilot reported that the new nylon fuel grain burned smoother than the original rubber-based propellant compound. Within two seconds (between the 0.8 Mach callout and unlocking the feather), axial acceleration had jumped from 1 g to 2.3 g (2.3 times standard gravitational acceleration).
Safety Culture
The copilot’s actions immediately before the in-flight breakup proved to be unexplainable for NTSB but did not occur in a vacuum. The report was critical of the safety cultures within both Scaled and the FAA Office of Commercial Space Transportation (FAA/AST). The report pointed to the proliferation of safety management systems (SMS) and crew resource management (CRM) within commercial aviation as offering mitigating solutions to risk factors noted.
One of the fundamental concepts of SMS is a thorough description of operational processes, so there can be no confusion as to what actions are expected in a particular situation. “Say what you do, do what you say” is a difficult hurdle for an organization that is not accustomed to documenting its processes. Yet, the NTSB determined that “Scaled’s accomplishments led to complacency regarding human factors. … Management, test pilots and engineers did not fully consider the risk of human error because of the flawed assumption that test pilots would operate the vehicle correctly during every flight. Also, Scaled had not informed FAA/AST personnel that early unlocking of the feather could be catastrophic, which provided further evidence of Scaled’s expectation that a pilot would perform as trained.”
That is not to say that Scaled, when developing its own systems safety analysis (SSA), did not consider other accepted industry practices such as commercial aircraft certification standards, in addition to FAA Advisory Circular (AC) 437.55-1, Hazard Analysis for the Launch or Reentry of a Reusable Suborbital Rocket Under an Experimental Permit. The AC addresses protection of people on the ground in the event of a launch vehicle failure and stipulates that potential human error must be considered during the hazard analysis. This specifically included operating certain flight controls at the wrong time. Scaled told NTSB investigators they believed their analysis fully captured these potential risk conditions.
Given its long history in research and development and with its test pilots, it is understandable why Scaled’s SS2 team might assume that their pilots would correctly follow procedures every time, the report said. The report also questioned whether SS2, given the accident investigation findings, was being adequately developed for future operation by pilots who may not have flight test experience. Specifically, before the accident flight, Scaled’s engineers had been focused on the potential mechanical causes of an uncommanded feather system extension: “Scaled’s analysis showed that the probability of failure for the hazard involving uncommanded feather operation during the boost phase met the ‘extremely remote’ criteria in [U.S. Federal Aviation Regulations Part] 437.55(a) and Scaled’s quantitative requirement of 1 x 10-6 [that is, one failure in 1 million flights]. As a result, Scaled determined that the feather system design was adequate and that no mitigations were needed to ensure that the feather would remain retracted during the boost phase.”
NTSB examination of Scaled’s analysis revealed that the company had considered human error only in the context of response to external factors — specifically, that a pilot may “incorrectly respond while attempting to mitigate another failure. As a result, the SSA did not account for single flight crew tasks that, if performed incorrectly or at the wrong time, could result in a catastrophic hazard. … Specifically, Scaled did not account for the possibility that a pilot might unlock the feather prematurely.”
While several of Scaled’s engineers and at least one pilot stated they had taken university courses in human factors, there was no human factors expert on staff. This lack of expertise would explain overreliance on training to reduce the risk of pilot error in the SS2 operating environment, according to the report.
NTSB cited the U.S. Defense Department’s system safety “design order of precedence,” in which the greatest potential for improvements occurs in the following order: design enhancements, engineered features or devices, warning devices, and training and procedures. For SS2, the “last choice,” or least effective mitigation strategy, was the one that was relied on to mitigate the probable cause of this accident.
Safety Recommendations to FAA
FAA/AST was found to have created administrative “filters” within its experimental flight permit process that stifled certain technical staff efforts to thoroughly analyze SS2’s risks. The NTSB report noted that the FAA — while tasked with overseeing commercial airline SMS — did not have its own SMS in place during SS2’s pre-application and permit evaluation processes. Rather than taking a team project-management approach, FAA/AST had one individual in its Operations Integration Division act as Scaled’s main point of contact. NTSB said that FAA leadership believed this would remove any undue burdens on the applicant, and as a result, this person relayed all information from Scaled to the Licensing and Evaluation division’s permit team.
Predictably, this became a choke point for communication about risks. Several FAA technical staff told NTSB that draft technical questions proposed for Scaled engineers — if not specifically related to public safety — were “filtered” (i.e., deleted from those actually sent). One staff member said that this filtering process resulted in information that was “so washed out, it’s not even what we asked for in the beginning,” according to the report.
One experienced Space Shuttle program veteran expressed frustration about FAA/AST managers and staff members, who, with limited knowledge of spaceflight, were reviewing and significantly editing the technical questions posed to Scaled during the permit process. NTSB found that this lack of direct communication among technical experts, political pressure to approve experimental permits within a 120-day review period and a lack of clarity between public safety and mission assurance prevented a thorough evaluation of SS2’s initial and renewed experimental flight permit applications.
No one yet knows what the ideal designs and pilot training will be for a passenger spacecraft, and there are as many different design solutions as there are designers. In contrast, the commercial airline industry has been refining equipment, systems for flight operations and training for decades, as have state regulatory bodies.
Virgin Galactic has since taken over the SS2 flight test program while working with Scaled to design an electromechanical inhibitor into the feather lock system for all future vehicles. Employing pilots with extensive flight test experience, including one former astronaut, Virgin is also reported to be leveraging the parent airline’s experience in safety management to refine the techniques for safely piloting the future spacecraft in regular service.
After leading the investigation into the U.S. National Aeronautics and Space Administration’s (NASA’s) fatal Apollo 1 fire2, astronaut Frank Borman said that the root cause was a “failure to imagine.” In 1968, long duration human spaceflight was in some ways more mature than commercial suborbital spaceflight is today. By adopting CRM and SMS principles, these emerging “spacelines” can hope to make this new frontier feel like something less than “rocket science.”
This article is based on NTSB Report AAR-15/02, “In-Flight Breakup During Test Flight; Scaled Composites SpaceShipTwo, N339SS; Near Koehn Dry Lake, California; October 31, 2014.” July 28, 2015.
Patrick Chiles was a member of Flight Safety Foundation’s Business Advisory Committee from 2000 to 2015. Outside his work as an aircraft dispatcher and safety manager, he writes about aerospace topics and is involved in amateur/high power rocketry. His novels, Perigee and Farside, are set in the world of commercial spaceflight.
Notes
- “Test Site Explosion Kills Three,” Tami Abdollah and Stuart Silverstein, Los Angeles Times, July 27, 2007.
- On. Jan. 27, 1967, three U.S. astronauts were killed when a flash fire occurred in the command module during a launch pad test of the Apollo/Saturn space vehicle being prepared for the first piloted flight, the AS-204 mission. Jerome F. Lederer, founder of Flight Safety Foundation, that year retired from the Foundation and during 1967–1972 established and led NASA’s Office of Manned Space Flight Safety.
Featured image: © Virgin Galactic