Nearly a month after SpaceX’s Falcon 9 rocket disintegrated en route to the International Space Station, CEO Elon Musk announced what brought the vehicle down: a faulty steel strut, just 2 feet long and 1 inch (64cm) thick. It was one of thousands of struts holding down the helium pressure valves inside the rocket’s liquid oxygen tank; when it snapped, it released too much helium, causing the tank – and then the rocket – to burst. Even the smallest oversight can be catastrophic in spaceflight.
Fortunately, no astronauts were aboard the doomed vehicle – only food, water, and cargo were lost. But astronauts will be aboard that same rocket very soon. SpaceX and Boeing are currently developing crew transportation modules that will ferry US astronauts to and from the ISS. It’s part of Nasa’s Commercial Crew Program, aimed at stimulating the private spaceflight sector, and it’s scheduled to begin in 2017.
This is the first time the space agency has entrusted the lives of its astronaut fleet to private companies. It’s a new model of space exploration with new methods for ensuring safety. Nasa is holding these private companies to similar – if not higher – safety standards as it did for its Shuttle missions, but the level of oversight the space agency has during the vehicles’ development process is minimal. Instead, SpaceX and Boeing must meet a few hundred predefined safety requirements and demonstrate they can keep the astronauts alive if the rocket that’s carrying them falls apart. Nasa doesn’t get much say in what the vehicles look like or how they work.
And even with all the requirements, Nasa isn’t demanding 100% reliability from SpaceX and Boeing. “For every hundred missions, how many missions could you analytically show are going to be safe and return the crew safely to Earth?” asks Phil McAlister, director of commercial spaceflight development at Nasa. “The number we’ve come up with is: for every 270 flights, we might have one where we’re going to have a bad day.”
Nasa has always used outside contractors to help design and build its vehicles. The Space Shuttle was built by Rockwell International, and Lockheed Martin manufactured its external tank. The various parts of Nasa’s next big rocket, the Space Launch System, are being built by Boeing, Alliant Techsystems, and Lockheed.
The main difference between those projects and the Commercial Crew Program, however, is the level of oversight. Nasa was in direct control of the Space Shuttle’s design specifications, giving contractors between 10,000 and 12,000 requirements that needed to be met. Nasa personnel were also deeply rooted in the manufacturing process, overseeing every level of production and ordering changes if necessary. Outside contractors may have built the vehicles, but Nasa owned the final product.
With the capsules used for the Commercial Crew Program – the CST-100 and Dragon V2, now called Crew Dragon – nearly all of the vehicles’ logistics are up to the companies; SpaceX and Boeing only have to meet 280 design requirements laid out by Nasa in the Commercial Crew contracts. McAlister says the requirements aren’t too rigid and mostly revolve around safety and performance. The contracts call for a reliable abort system for the crew and ways to manually override in-flight software – but they don’t specify how these systems should work.
“It gives the companies a lot of flexibility to design their own systems the way they want,” says McAlister. “With Commercial Crew, we were able to do away with lower level requirements, allowing companies to innovate and come up with their own unique solutions.” This also allows SpaceX and Boeing to work at their own speeds, says McAlister, since they don’t have to constantly check in with Nasa to make sure they are meeting an intimidating list of criteria.
Nasa does provide the companies with a few space agency liaisons, who work with the companies’ engineers in whatever capacity is needed. The space agency also requires complete “insight” into the companies’ designs. “If there’s a meeting that’s important or test data that’s important, we have full access to that,” says McAlister. Yet despite this heavy integration and daily communication, the vehicles ultimately belong to SpaceX and Boeing – not Nasa.
The Commercial Crew Program’s lack of oversight has also led to trouble at times. In January, the Aerospace Safety Advisory Panel – which evaluates Nasa’s safety performance – said Nasa hadn’t given them enough information on the programme’s safety logistics. Nasa’s communication with ASAP has improved since then, but the organisation still has some concerns, said vice admiral Joseph Dyer, the panel’s chair. “Our faith in the execution of the problem is vested in the quality of the leadership,” Dyer says. As long as a few key personnel, including Nasa’s associate administrator for human exploration Bill Gerstenmaier, are involved in the program, Dyer feels confident about safety. But he finds it alarming that he must trust in personality and reputation, instead of a clear and transparent data record.
Aborts and redundancies
The Commercial Crew Program requires companies to meet certain milestones, much in the way students are required to pass certain standardised tests. How the companies pass is up to them.
For SpaceX and Boeing, this means coming up with redundancies; for example, the companies are putting three different computer systems into their vehicles in case the first two computers fail during a mission. And even if all three go offline, astronauts have backup controls.
But the main systems that will guarantee the crews’ safety are the capsules’ abort procedures. As we learned from SpaceX in June, a small steel rod can bring down a 500-tonne-plus rocket during lift-off. Nasa wants to know that if something like that happens again, the astronauts can escape safely.
To ensure this, SpaceX is incorporating an in-flight abort system. Small engines embedded in the walls of the Crew Dragon – dubbed Super Draco – can carry the capsule away from a failing rocket before the vehicle reaches space. Then, the Crew Dragon’s parachutes kick in and gently land the capsule back on Earth. “Unlike past abort tower systems, this provides astronauts with escape capability all the way to orbit,” says Phil Larson, a spokesperson for SpaceX.
Boeing says it has a similar in-flight escape system. If the spacecraft is failing, Boeing’s system automatically detects the failure and a Rocketdyne RS-88 engine can push the capsule to safety. Then its parachutes will deploy, says Chris Ferguson, director of crew and mission operations at Boeing. He says the in-flight abort can be initiated any time up until main engine cut-off.
And there are also plans for trouble before the launch begins. These systems, called pad aborts, carry the crew away from the launch-pad if a rocket engine malfunctions. The same engines used in the in-flight escape systems will carry their respective capsules to safety.