Tom Stafford’s Letter to NASA About SpaceX Falcon 9 Safety Concerns

Credit: USLaunchReport.com
Credit: USLaunchReport.com

NASA has released a copy of a December 2015 letter from Tom Stafford, chairman of the NASA International Space Station Advisory Committee, to Associate Administrator William Gerstenmaier expressing concerns about the safety of SpaceX’s Falcon 9 rocket.

Stafford wrote that the committee unanimously believes SpaceX’s plan to load astronauts aboard the Crew Dragon before fueling the Falcon 9 booster is counter to safe practices that have been in place for more than 50 years.

“We are concerned that there may be insufficient precooling of the tank and plumbing with the current planned oxidizer fill scenario, and without recirculation there may be stratification of oxidizer temperature that will cause a variation in the input conditions to the oxidizer pump,” the letter read.

The committee became even more concerned after a Falcon 9 rocket caught fire and exploded while it was being fueled for a pre-launch test on Sept. 1. When the committee met again on Monday, it had not received an answer to Stafford’s 11-month old letter.

A copy of Stafford’s letter is reproduced below. It is followed by a brief statement issued by NASA on Nov. 1.

December 9, 2015

Mr. William Gerstenmaier
Associate Administrator for Human Exploration and Operations
National Aeronautics and Space Administration
300 E Street SW
Washington, D.C. 20546

Dear Mr. Gerstenmaier,

We sincerely appreciated the briefing on the Commercial Crew Program from Kathy Lueders and Bill Jordan to our U.S. committee members. Thank you for making the briefing available to the committee. As is normal when the committee begins reviewing a topic, the briefing raised about as many questions as it answered. I will not list all the topics we will continue to follow, but there is one major issue that I believe deserves your careful attention.

There is a unanimous, and strong, feeling by the committee that scheduling the crew to be on board the Dragon spacecraft prior to loading oxidizer into the rocket is contrary to booster safety criteria that has been in place for over 50 years, both in this country and internationally. Historically, neither the crew nor any other personnel have ever been allowed in or near the booster during fueling. Only after the booster is fully fueled and stabilized are the few essential people allowed near it.

Furthermore, in addition to the personnel risk, there is the risk of operating the engines outside their design input conditions. As an experienced “Prop” guy you know the problem here as well as anyone. Pump-fed chemical engines require a sufficient and consistent input pressure to reduce the likelihood of cavitation or unsteady flow operations. We are concerned that there may be insufficient precooling of the tank and plumbing with the current planned oxidizer fill scenario, and without recirculation there may be stratification of oxidizer temperature that will cause a variation in the input conditions to the oxidizer pump.

In summary, we are deeply concerned about introducing the practice of fueling with the crew onboard, and about the lack of even a recirculation pump for oxidizer conditioning on Falcon 9.

Sincerely,

Thomas P. Stafford
Lt. Gen., USAF (Ret.)
Chairman
NASA International Space Station Advisory Committee

Statement prepared by NASA November 1, 2016:

Spacecraft and launch vehicles designed for the Commercial Crew Program must meet NASA’s safety and technical requirements before the agency will certify them to fly crew. The agency has a rigorous review process, which the program is working through with each commercial crew partner. Consistent with that review process, NASA is continuing its evaluation of the SpaceX concept for fueling the Falcon 9 for commercial crew launches. The results of the company’s Sept. 1 mishap investigation will be incorporated into NASA’s evaluation.

Independent advisory groups provide input on commercial crew safety considerations, among which the Aerospace Safety Advisory Panel is the primary independent adviser for commercial crew activity. Other groups, such as the ISS Advisory Committee, also seek information, and we treat all inquiries seriously. The ISS Advisory committee focuses on the International Space Station and international systems.

Save

  • Andrew Tubbiolo

    How awesome is that? A Gemini Astronaut still active. That said, given Space X’s failures I think that folks are going to stop looking the other way at basic points like this one. I can def see Dragon – Falcon seeing some major delays while points like this are addressed.

  • Regarding the fueling conundrum, I think that SpaceX together with NASA will review the data and parameters of the vehicle and decide on a procedure that best fits the program at hand.

    Regarding the second risk, I think that LSP was understandably anxious about SpaceX moving to the FT/v1.2 variant back in 2015, since they had to make a number of firsts with it, especially as far as densified propellants were concerned. Those were done in the past by the Soviets, but at more benign temperatures.

    If you remember the OG-2 and SES-9 campaigns, SpaceX had a lot of bugs and kinks to get over and shake out both the LV and GSE, resulting in a number of scrubs.

    https://i.imgur.com/4LgSQf8.png

    By the third mission they had identified and fixed said issues, and we saw a period of very high launch cadence from them, better than even what v1.1 afforded in the past. This period also involved the exemplary CRS-8 and CRS-9 campaigns, where NASA reviewed the v1.2 variant and procedures in regards to Merlin cavitation or imbalance problems. Same with USAF, which certified the design and awarded the GPS 3 contract to SpaceX v1.2 around that time.

  • redneck

    Moving forward in any field involves some degree of risk. People of long experience in that field will normally be adverse to risk. This creates a conflict. The conflict here is that a sort of operational system is still being developed. While time will tell if these developments are good bad or indifferent, there will be “concerns” from the old gang as long as there is reasonable doubt about the new systems.

    I read many of these problems as similar to the cancellation of the Aries system. Cancellation was the right move carried out in an insensitive manner that created a counterproductive backlash in SLS. The SpaceX development while operating concept may be the right idea with a potential for risky backlash in the form of restrictions that could wipe out their gains and then some.

    It is very easy to see the performance gains from the SpaceX strategy.
    It is equally easy to see that any problems, or perceived problem, with the strategy could cost them the game. Consider the wreck of their plans if the alphabet agencies get the desire and political clout to fight densified propellant use.

  • Yes, that it true. To give a quick example, F9 is still fluid, and just now starting to get the changes needed from the data and experience SpaceX picked in their re-usability development process. As Musk has said, we are currently at block 3 and block 5 is expected to be the design lock milestone.

    The issue here is twofold though. First, SpaceX is essentially running an R&D program along operational campaigns. This is a risk that everybody knows about, some can stomach it, and there are a few that cannot. If you want my personal perspective, NASA will not and should not clear SpaceX for a manned CC flight until the design is locked, studied and has proven a minimum of reliability. They definitely don’t want to go through what happened with the Jason campaign again.

    The second issue is that said R&D program is very difficult to stomach for the “old guard”. Rockets are supposed to be well studied, developed and stable pieces of hardware by they time they start to fly operationally. Which is also a reason for paradigms like “measure many, cut once” and rocket designs remaining stable and static (in broad design terms, there are almost always tweaks and even first fly items in launches) across many years, and even decades.

    SpaceX is doing things differently. The jury is still out on whether that is a good or bad thing (especially if you view both their LV and general accomplishments against the known history and legacy of the industry across decades), but one cannot feel surprised by some of the backlash.

  • Michael Vaicaitis

    Seems to me the best option for ground crew safety would be to keep them well away from a fuelled rocket.

    Seems to me the best option for astronaut safety would be to always give them a method of escape, should the worst happen and a fuelled rocket explodes.

    Seems to me the worst possible safety option is to ask astronauts and ground crew to approach a fuelled rocket with no possibility of escape should an explosion occur.

    The actual argument appears to be not about the risk of explosion during fuelling, but that they have no confidence in the launch escape system. If they have no confidence that the escape system ensures the safety of astronauts during fuelling, what confidence do they have that the escape system will protect astronauts once the engines are burning?. If their confidence in launch escape systems is so small, why do they insist on the presence of an escape system? (except when they don’t insist on an escape system and 7 astronauts die on the Challenger shuttle).
    How many astronauts have died due to a lack of escape system?.
    How many astronauts have died due to a failure of an escape system?.
    How many astronauts have been saved by the activation of an escape system?.

    Out of curiosity, how often have rockets exploded during fuelling?, and how often have they exploded after fuelling?, how often have rockets exploded during launch?. Exactly what are the statistical risks?.

    “Only after the booster is fully fueled and stabilized are the few essential people allowed near it.”
    Does 500+ tonnes of “stabilised” propellents guarantee safety when approaching a fuelled rocket?. Does “few essential people” somehow reduce the risk to those people?. Certainly seems as though that phrase is being used as some sort of implied logical evidence. If so, surely having only the astronauts near a fuelled rocket would be “even fewer essential people”.

  • Douglas Messier

    That sums up a lot of the concerns pretty nicely. NASA would like to see the Falcon 9 fly many times in essentially the same configuration, with any upgrades carefully evaluated and tested, before putting any astronauts on board. They want a lot of insight into the booster and how it performs. The concept of insight is one that’s difficult for a lot of people to understand.

    The upgrades over the years — big and small — have amounted to a series of beta tests for which SpaceX has risked customers payloads. The Cassiopeia satellite is a good example. It was supposed to launch on Falcon 1e. Then Elon decided not to proceed with that program. Satellite was put in storage for years. Then it was launched as the payload on the test flight of the Falcon v1.1, which the company billed as a test flight of a practically new booster. And I think the customer ended up paying double the original Falcon 1e price to serve as a guinea pig for an untested rocket.

  • Enrique Moreno

    In airliners, passengers also are out of the plane durin fuelling or re-fuelling procedures.

  • JamesG

    Airliners are not fueled with supercooled propellants in uninsulated tanks.

  • savuporo

    At some point, the SpaceX pitch was affordable rockets, with good operational characteristics, and fairly straightforward and understood configuration.
    Somewhere along the way this changed and they are off chasing performance gains in deeply experimental territory, more like X-planes

  • JamesG

    Which was still cheaper than the next alternative.

    “NASA would like to see the Falcon 9 fly many times in essentially the
    same configuration, with any upgrades carefully evaluated and tested,
    before putting any astronauts on board.”

    And they are going to, just like the USAF requires SpaceX to lock and fly the version they certified for their payloads. The man-rated Crew Dragon and its F9 FT booster will be flown at least twice (inflight abort and the full test flight) before crew is onboard. More if you consider that the regular F9 FT is pretty much the same vehicle with just the usual running changes.

    The issue at hand is a procedural choice SX has made to maximize launch efficiency that is making the old guy’s queasy. The loss of AMOS-6 due to a tangential technical problem has just given them oats (to borrow an even older phrase).

    So SX can solve its He tank problem and then demonstrate that its fuelling process is as safe as it can ever be. Then the advisory board and safety review process will have done its job and we can all move along. Nothing to see here.

  • JamesG

    And ULA, ArianeSpace, and Roscosmos sit in the back ground cackling and twirling their pencil thin mustaches.

  • Vladislaw

    “That sums up a lot of the concerns pretty nicely. NASA would like to see the Falcon 9 fly many times in essentially the same configuration, with any upgrades carefully evaluated and tested, before putting any astronauts on board. They want a lot of insight into the booster and how it performs. The concept of insight is one that’s difficult for a lot of people to understand.”

    You mean like NASA did for Gemini, Apollo and the Space Shuttle?

  • Andrew Tubbiolo

    I totally agree. However government types are going to have to have a demonstration of safety (flight record) before they change those options. F9 in dense prop mode cannot operate in the old way. Yet Space X is still losing vehicles to the unknown in a manner that established aerospace thinks is not worth the trade off between risk and money. At a minimum, these failures have to stop before the gov is going to buy into Space X’s operations plans.

    Personally, I think spaceflight should be viewed as combat. You take losses. There’s a reason astronauts get parades. But I also don’t want to see a culture of safety where cost is the total driving factor. And I’m well aware of the old STS loop where the drive for safety drove costs high, and high costs drove the desire to fly which in the end eroded the culture of safety to the lows of Challenger and Columbia. None of this is easy, and some real risk has to be accepted.

  • Robert G. Oler

    That is not accurate…routinely airlines, large ones are refueled with people on board. I know I do it almost every flight to Africa Robert B777 Captain

  • Robert G. Oler

    What surprises me is that the payload people on the one that blew up agreed to have their payload on a rocket while it was going through some testing of a new procedure…

    the problem is that SpaceX is trying a series of “new things” to make their rocket perform in a payload range which is both marketable and allows recovery…

  • If spaceflight is treated like combat, then I’d expect the same level of Insensitive Munitions (IM) testing that goes into qualifying a new weapon system. Can Falcon 9 pass Fast Cook-Off, Slow Cook-Off, Sympathetic Detonation, .50 Cal Bullet Impact and Shrapnel Impact?

    While we do put our warfighters in harm’s way, we spend a huge amount of effort making sure that their tools aren’t where the danger is coming from.

  • Andrew Tubbiolo

    Okay good point. How about this … Flying combat aircraft in the 60’s when we still used high power machines under control of a control system yet with the casual dis-reguard for human safety that today we would consider criminal? You know as well as I do, there’s no way we can make a launch vehicle meet the operational standards of insensitive munitions. … Maybe with a all solids launch vehicle … maybe ….

    Maybe we should accept the level of danger inherent in flying F-4’s with early model J-79’s? I’m not even asking for accepting the danger levels of flying the F-104 back then. We need to fly. With our current technology we have to accept SOME risk, the question is WHAT can we accept?

  • And the IM requirements wouldn’t be great for spacecraft because you don’t expect to be shot at with .50 Cal rounds (you should expect space debris) – but it shows that you at least have a standard. The “loss rate” that I would find acceptable would be one calculated to not exceed the TRAINING fatalities of jet fighter pilots (assuming fighters have the highest fatalities per hours flown).

    A routine spaceflight that doesn’t involve a new design, saving a life or even the entire planet really should be comparable to any training flight or exercise that fighter pilots undergo: with known hazards, but no disregard for human life.

    Now, test flying a new aircraft (or spacecraft) design involves new and unknown risks. That should be done by test pilots and shouldn’t be considered any more hazardous than test flying a new military aircraft.

    We lose military pilots every year to training accidents because it’s a risky job. But we have stand-downs and redesigns when we see a problem with training, proficiency or the aircraft itself. Every lose of life in spaceflight has involved a KNOWN deficiency with the system that was not corrected.

  • TimR

    Great investigative reporting thanks to Doug. It seems apparent after reading this that the Falcon 9 rocket for HSF will never be fueled with passengers on board. Secondly, “about the lack of even a re-circulation pump for oxidizer conditioning on Falcon 9” is another reason to expect design changes to the Oxidizer tanks and COPv’s well before human spaceflight to ISS. It may fly in mid-December without design changes and relying on procedural corrections but design change will happen.

  • Mike Borgelt

    So the letter amounts to ” we haven’t done it this way before, so we shouldn’t be doing it”. Great.
    I know I’d rather be strapped into a Dragon 2 with it all checked out and the escape system armed and THEN have it fueled and launched than approach a fully fueled rocket and have NO escape means until the strapping, hatch closing, set the switches(could possibly be done remotely), clear the ground crew away (they WILL die if escape system is used before they are clear), procedures were done.
    If the worst happens in the first scenario there has to be a catastrophic problem with the fueling AND the escape system has to fail for the flight crew to die.
    In the second, the crew AND ground crew WILL die if something goes catastrophically wrong with the fully fueled vehicle. Just having people messing around near one seems a problem to me.
    I don’t know enough to comment on the LOx stratification problem but I’ll assume this was thought of by the SpaceX engineers and the risks mitigated.

  • JamesG

    Actually it shows ignorance of SpaceX Falcon-9 and their “just-in-time” fill procedures. The way F9 FT fill works is that they pump the chilled fuel and then the oxidizer into the tanks and aim top off at just before engine startup (T-20 I think). There is no need for recirculation. That is needed only if you are filling and then waiting around for a Hail Mary or two, or to board the crew.

  • JamesG

    The customer is always right. Too bad the biggest customer is filled with scaredy-cat accountants and bureaucrats more worried about their careers than pushing the black. Luckily a lot of their commercial customers seem inclined to go along for the ride.

  • JamesG

    But then most of their equipment is made by the lowest bidder. :/

  • JamesG

    Except that launching spacecraft with today’s rocket technology requires accepting exceptional risk, especially with HSF. Simply the energies, massses, and complexity involved require it. No rocket launch is ever routine, the way even a carrier launch is.

    Not going to get away from that until someone invents that better mouse trap.

  • windbourne

    odd that the safety ppl do not see it that way.
    THe only way to be safe is to be fully loaded and ready to go PRIOR to doing the fueling.

  • windbourne

    “What surprises me is that the payload people on the one that blew up agreed to have their payload on a rocket while it was going through some testing of a new procedure…”

    Uh, other way around.
    They insisted on having it there. SpaceX did not want it there.

  • windbourne

    Do as I say, not as I do.

    And truth be told, it really makes sense for these to fly with cargo multiple times PRIOR to a human crew.

  • redneck

    An general observation is that “the only way for X to be done” is an argument for a totally static operation that never changes, The deeper meaning is that someone signs off on hardware or procedure and improvements and changes are permanently locked out.

    It only works on totally mature systems where the solution is very clear. And even then it only works until competition builds a better mousetrap that does something different and manages to get around the imposed limitations anyway.

    This is not saying that either method of fueling is the right way as I don’t know. It is a general observation regarding process such as mature vacuum tube devices were probably better than early transistor devices.

  • ReSpaceAge

    Isn’t a lot of this performance tweaking because they have to fit F9 under bridges to ship their vehicle across the country?

    Seems the smarter plan would be to just make the vehicle a little wider/bigger.

    New Glen

  • Robert G. Oler

    exactly well said

  • Robert G. Oler

    I am in Istanbul and was doing TRI/TRE training the last bit so have not followed every detail…thank you for clearly that up. that was dumb

  • Robert G. Oler

    none of those were (except the shuttle for a little bit) operational systems that were sold as a product

  • The use of liquid helium to pressurize the tanks is entirely new to me, if that’s actually what they were doing. I know I’ve mentioned something like that in the far distant usnet past as a quick and easy way to pressurize cryogenic tankage, but I’m not aware of anyone doing it regularly in an industrial setting, let alone within advanced rocketry.

    I would welcome any informed coherent comments on this subject. Not reddit stuff.

  • Douglas Messier

    It all makes sense if you think the helium tank problem is the only concern that Stafford, his committee and other experts have about fueling with the crew on board. It’s not.

    Did the Air Force really lock in the version they certified? I think the opposite. I believe I read that SpaceX continued to upgrade to booster and USAF had to review all the changes.

    In any event, Musk is talking about the Falcon 9 Block 5 being the final version and flying those sometime next year. I don’t know what Block 5 entails exactly. The problem is that with each major variant, you have to start counting again in terms of booster reliability. With the Falcon FT, they reeled off 8 successful launches before blowing one up on the launch pad during a fueling exercise.

  • JamesG

    It all makes sense if you think the helium tank problem is the only concern that Stafford, his committee and other experts have about fueling with the crew on board. It’s not.

    The He tanks aren’t their concern at all, its SX’s planned procs for Crew Dragon. Even if there hadn’t been a problem with them, they would have raised their objections because…. Its’ not the way we did things, sonny!”

    Did the Air Force really lock in the version they certified? I think theopposite. I believe I read that SpaceX continued to upgrade to booster and USAF had to review all the changes.

    Which means they can tell SX, “No. We want it the way we certified it.” If the USAF feels okay or gets convinced to circle X that, well… that is a different issue.

    The problem is that with each major variant, you have to start counting again in terms of booster reliability.

    Yes and not really. Their rolling changes and improvements are tested out and are well integrated with proven other/sub components. Their engineering is pretty good.
    Everyone is just used to the “NASA, DOD” way of system development and production as totally separate entities that only meet when absolutely nessissary.

  • Jeff2Space

    The only way to be “safe” is to never fly. There will always be risks. That’s why both commercial crew vehicles are equipped with launch escape systems.

  • Jeff2Space

    Good point.

  • Jeff2Space

    “Can Falcon 9 pass Fast Cook-Off, Slow Cook-Off, Sympathetic Detonation, .50 Cal Bullet Impact and Shrapnel Impact?”

    No. But neither is a passenger airliner. Neither a passenger airliner nor a launch vehicle is expected to be shot at by a .50 caliber bullet.

  • Yes, but the original question was what target safety should a LV achieve. Even if you pick a weapon system, they have standards that are chosen to be appropriate for the environment they are used in. While a passenger jet isn’t expected to take a .50 Cal round, they are tested to prove they can lose a blade and maintain containment, survive ingesting a bird, max braking, etc. There is an accepted, and evolving standard of safety based on lessons learned. While rocketry may still be “hard”, that doesn’t exempt anyone from meeting standards of proper safety design.

  • Vladislaw

    That is the whole point. Business and how it has handled transportation and the risks that are both acceptable to the producer and customer have always been different than the government.

  • Kenneth_Brown

    There are always so many unknowns that it’s right to address potential issues that one does know about.

    I can see the problem with stratification that Stafford writes about. Allowing time for the whole stack to cold soak and stabilize before loading crew could be a very prudent thing to do. Yes, it puts some people at risk during the time it takes to get the astronauts on board and strapped in. The upside is that many of the pre-launch checks that would have to be done in the Apollo era by the crew can now be done remotely and many times, automatically, so there can be less time between closing the hatch and lighting the engines.

    When the team I was working with started allowing the oxidizer tank to cool down and the LOx to settle before initiating flight, we had better efficiency (denser LOx) and more stable operation. It took more time, but we had much better results.

  • Robert G. Oler

    I dont think NASA is willing to actually accept a higher risk then business…at least on paper and I am sure the USAF is not

  • Vladislaw

    That is the point I am making Robert. Why bother with risk when I can get a 5 billion dollar 5 year program in my political district to eliminate that risk .. or not .. either way .. it was money well spent in my district.

    Business through error or willful ignorance etc etc .. and business customers have historically ALWAYS been willing to accept more risk than the government. It is way regulations get put into place, to protect people from themselves.. by forcing them to wear seat belts when they didn’t want them.. helmets when they didn’t want them , air bags etc etc etc