Virgin Galactic Executive Summary of Submission on SpaceShipTwo Accident
EXECUTIVE SUMMARY
Submission to the
NATIONAL TRANSPORTATION SAFETY BOARD for the Investigation of Scaled Composites, LLC’s SpaceShipTwo, N339SS Rocket-Powered Flight Test
Koehn Dry Lake, California, October 31, 2014
May 29, 2015
By Virgin Galactic, LLC and The Spaceship Company, LLC
Factual Background
On October 31, 2014, at approximately 10:07 PDT, Scaled Composites’ SpaceShipTwo flight test vehicle, SS2-001 (N339SS) experienced a serious in-flight anomaly during a rocket-powered test flight approximately 13 seconds after release that resulted in the destruction of the vehicle and the death of the copilot. The pilot survived after successfully parachuting to the ground. No other persons were injured in the air or on the ground.
The accident occurred during the program’s 55th overall and fourth powered test flight (PF-04) of SpaceShipTwo. Scaled Composites, the vehicle’s designer and builder, held an experimental launch permit from the Federal Aviation Administration’s Office of Space Transportation (FAA-AST) to conduct the vehicle’s rocket-powered test flights. Scaled Composites, a wholly-owned subsidiary of the Northrop Grumman Corporation, was under contract with Virgin Galactic (VG) and The Spaceship Company (TSC) to carry out SpaceShipTwo’s developmental flight test program, maintaining both operational control and safety oversight. At the time of the accident, SpaceShipTwo was piloted by two Scaled Composites test pilots.
The mishap test flight, designated PF-04, had three primary objectives:
1) Expand SpaceShipTwo’s powered flight envelope utilizing a 38-second rocket burn to attain approximately 135,000 feet above mean sea level (MSL) and Mach 2.00;
2) Conduct the first supersonic feathered re-entry of SpaceShipTwo;
3) Conduct the first flight using an alternative, polyamide-based hybrid rocket motor fuel that was essentially structurally identical to previously flown motors.
Following a delay to ensure nitrous oxide (N2O) temperatures warmed into the acceptable launch range, WhiteKnightTwo departed Mojave Air and Spaceport at 09:19:30 PDT with SpaceShipTwo mated to its underside. WhiteKnightTwo uneventfully carried SpaceShipTwo to a release altitude of approximately 47,000 feet MSL. An abbreviated timeline of the accident events follows:
10:07:19.27 SpaceShipTwo released from WhiteKnightTwo.
10:07:19.51 The pilot commanded the copilot to fire the rocket motor. Rocket motor ignition and burn were nominal.
10:07:26.83 The vehicle accelerated through 0.80 Mach.
10:07:26.91 The copilot announced 0.80 Mach in accordance with checklist procedures.
10:07:28.39 The copilot announced “unlocking” at approximately 0.92 Mach.
10:07:28.90 The copilot moved feather lock handles to the full unlock position.
10:07:32.80 Telemetric data ceased.
At the loss of data, multiple onboard and offboard video and data sources documented SpaceShipTwo entering an accelerated, high-g pitch up that telemetry confirmed exceeded the vehicle’s structural design loads. SpaceShipTwo broke up into several large pieces that impacted terrain over a five-mile area near Koehn Dry Lake, California.
A comprehensive investigation by the NTSB using telemetered and recovered onboard data conclusively demonstrated that all vehicle systems were operating normally up until the point of breakup. The rocket motor met or exceeded expectations, running smoother and with less vibration than during any previous powered flight.
SpaceShipTwo used a patented feathering system designed to aerodynamically provide stable reentry into the Earth’s atmosphere upon completion of a sub-orbital spaceflight. It functioned by rotating SpaceShipTwo’s twin tail booms upward about the wing’s trailing edge approximately 65 degrees to increase both stability and drag during the descent. In the feather down position a pair of feather lock hooks were engaged at the leading edge of the boom to provide the structural integrity required during the transonic (approximately 0.8 to 1.2 Mach) region where large up loads on the tail during powered flight would otherwise overpower the actuators and cause the feather system to extend without any additional pilot action.
Normal extension of the feather system required a two-step sequence of aircrew actions:
1) Feather Lock Handles UNLOCK. This action disengaged the feather lock hooks from the tail booms and enabled rotation of the system. Unlocking of the feather system was accomplished through the copilot’s single movement of the feather lock handles into the unlocked position. When accomplished at 1.4 Mach or greater (as required per the SpaceShipTwo checklist procedures and the PF-04 test card) the feather system remained retracted due to a sufficient closing pre-load from the feather actuators and favorable, tail-down aerodynamic loads.
2) Feather Handle EXTEND. This action commanded the feather system into the extended position. Normal extension occurred subsequent to unlocking the feather locks when the copilot moved the feather handle (a lever independent from the feather lock handle) to the extended position. On normal rocket-powered flights, checklist procedures called for this step to occur after rocket motor burn out while in space just prior to apogee.
Probable Cause and Contributing Causes
The Probable Cause of this accident was the copilot’s unlocking of SpaceShipTwo’s feather locks at 0.92 Mach, approximately 14 seconds prior to the flight manual minimum speed of 1.4 Mach.
Although normal checklist procedures maintained the feather locks in the locked position until after obtaining a minimum speed of 1.4 Mach, the mishap copilot prematurely unlocked the system at approximately 0.92 Mach. This premature unlocking was indisputably confirmed by telemetric, in-cockpit video and audio data. At this speed, lift from the horizontal tails well exceeded the feather actuator’s ability to prevent a rapid aerodynamic extension of the feather system. These forces caused the feather to rapidly extend without any further pilot action or mechanical malfunction.
A thorough review of the mishap flight data conclusively determined that there were no misleading indications on the pilot displays and that all flight data were accurately displayed to the aircrew.
Extension of the feather while in boosted flight under these conditions imparted over 9g’s of pitch up acceleration forces on the spaceship. These forces exceeded SpaceShipTwo’s designed structural load capability and resulted in its in-flight breakup.
The Contributing Causes of the accident were:
Feather Lock system design. The Feather Lock system design did not have an automatic mechanical inhibit to prevent premature movement of the feather system.
Crew Resource Management. Scaled Composites’ aircrew procedures did not require a challenge/response protocol prior to moving the feather lock handle.
Recommendations
Scaled Composites was responsible for all aspects of the flight test program at the time of the accident. Subsequently, Virgin Galactic has assumed full responsibility for the completion of SpaceShipTwo flight test program and the commercial operations which will follow.
Well prior to the accident, Virgin Galactic and TSC began a vehicle improvement program in anticipation of the program’s planned January 2015 transition from Scaled Composites. The improvement program was based on lessons learned from both SS2-001’s construction and the flight test program. Commercial service enhancements were scheduled to be included in both SS2-001 and SS2-002 (currently under construction by TSC) prior to either vehicle entering commercial service.
Following the accident, Virgin Galactic and TSC undertook a comprehensive internal and external program review of the SpaceShipTwo design and operations. Virgin Galactic recommends these actions:
1) Modify the SpaceShipTwo feather lock system with an automatic mechanical inhibit to prevent unlocking or locking the feather locks during safety-critical phases of flight.
Status: Completed
2) Add to the SpaceShipTwo Normal Procedures checklist and Pilot’s Operating Handbook an explicit warning about the consequences of prematurely unlocking the feather lock.
Status: Completed
3) Implement a comprehensive Crew Resource Management (CRM) approach to all future Virgin Galactic SpaceShipTwo operations in a manner consistent with the pre-existing CRM program VG has employed for WK2 operations. This includes, as a minimum:
Standardized procedures and call outs
Challenge/response protocol for all safety-critical aircrew actions, to include feather lock handle movement
Formalized CRM training
Status: Completed
4) Conduct a comprehensive internal safety review of all SpaceShipTwo systems to identify and eliminate any single-point human performance actions that could result in a catastrophic event.
Status: An initial assessment was completed and modifications to SS2-002 are in progress. Virgin Galactic will continually evaluate and improve System Safety throughout SpaceShipTwo’s lifecycle.
5) Conduct a comprehensive external safety review of Virgin Galactic and The Spaceship Company’s engineering, flight test and operations as well as SpaceShipTwo itself.
Status: Initial Assessment Completed. The external review team will review the program both prior to commencement of flight test activities as well as prior to entering commercial service.
6) Ensure Virgin Galactic employs pilots who meet or exceed the highest standards and possess a depth and breadth of experience in high performance fighter-type aircraft and/or spacecraft. Minimum VG qualifications during the flight test program shall be:
A long course graduate of a recognized test pilot school with a minimum of 2.5 years post-graduation experience in the flight test of high performance, military turbojet aircraft and/or spacecraft.
A minimum of 1000 hours pilot in command of high performance, military turbojet aircraft.
Experience in multiengine non-centerline thrust aircraft
Experience in multi-place, crewed aircraft and/or spacecraft
These criteria are based on industry best practices for flight testing, using DCMA INST 8210.1C, paragraph 4.3 as guidance.
Status: Completed. All current Virgin Galactic pilots exceed the above minimum VG standards.
51 responses to “Virgin Galactic Executive Summary of Submission on SpaceShipTwo Accident”

Does anyone have any idea why the co unlocked the feathers upon ascent? And killing himself, destroying SS2 and seriously injuring the Pilot?
Did he panic? Lose sanity? Misread the flight plan?
I suspect none of the above. Let’s wait for the official findings; speculation was all we had for the last nine months, and we don’t have long to wait for the official version.
He flocked up. As my old Chief Pilot always used to tell me, “Don’t flock up.” It was simultaneously the most useless advice I’ve ever been given and, as I was to subsequently realize again and again, unswervingly true.
A young co-pilot I once flew with once said during a flight, “Oh shit”. I told him, “Pilots never say ‘Oh shit.’” That wasn’t quite true. The last words pilots say have often been “Oh shit”.
Humans make mistakes. Sound aircraft design and operational flight envelope constraints, implemented with appropriate procedures, checklists and CRM are key to safety. Maintenance is another big factor. Working against that are, among many other things, all sorts of human factors, including schedule pressures, monetary factors and egos. However, cockpit communications and coordination (CRM) is a biggie. It’s amazing how, among other things, differing interpretations of a word or phrase or concept can lead to problems, and potentially disaster. Design changes, procedural changes and training changes can alleviate these problems, as the NTSB report has apparently found.
I don’t understand why you would need to unlock the feathers before the engine was turned off and the craft in free fall.
Why did a late unlock cause a potential flight abort? This doesn’t make sense.
There is seemingly a procedural problem right in there, combined with a design issue.
Yeah, sounds like a prototype issue that hasn’t been properly fleshed out into production. Sounds like its viability is on a knife edge. That’s cutting edge I guess.
Would be interesting to see the various flight mode procedures and recovery procedures they have depending where they are in the flight.
Unless the lock is only there while accelerating through the transonic stage.
A late unlock by itself was not a problem. The concern was that a failure of the unlocking mechanism would be dangerous. (Perhaps someone else here can speak to the issues of reentering from full altitude without the feather. In the best of cases I believe that the SS2 would be badly damaged — from heat? — and I believe that I’ve seen it suggested that an unfeathered reentry could cause loss of vehicle and crew.) So they did the unlock in time to abort the flight in case it failed to unlock, not because they needed it to unlock so soon.
ok, so unlock after M1.4 to ensure viable reentry, so you can abort and power off the engine before you reach PNR, if the lock has failed.
This is partly conjecture on my part but here goes. If the vehicle reached its peak altitude and was unable to deploy the feathering mechanism, there probably would not be sufficient pitch control to keep the nose from pointing downwards at a steep angle. The vehicle would accelerate quickly. Heating may be an issue but it seems more likely that the vehicle would exceed its maximum designed aerodynamic loads and tear itself apart. Back in 1967, an X-15 pilot named Michael Adams lost control during reentry and was killed. According to this article, Burt Rutan witnessed the crash. When he was designing SS1, the need for a simple and safe reentry system was what inspired him to develop the feathering mechanism.
A small drogue, you punch out as you come over the top would also be possible.
Given the vehicle’s mass and the thinness of the atmosphere at that altitude, I doubt that a small (or even a fairly large) drogue chute would be sufficient to slow SS2 enough.
This is the Virgin Executive Summary, the title is misleading. It’s early 🙂
It will be fascinating to see the NTSB findings today and compare them with what looks superficially to be a pre-emptive press release aimed at using Virgin’s PR firepower to dominate the news agenda.
Ah I see the date was May so this was their position paper rather than a current summary.
The NTSB made 10 recommendations, 8 to the FAA and 2 to the Spaceflight Federation. They had no recommendations to Scaled, Virgin, or The Spaceship Company because of voluntary actions already taken.
This is in line with the tone of Virgin’s release.
Edit: I agree that the title of this post is misleading.
Sorry I didn’t see the date on the paper, too taken with the heading that looked as though it was the NTSB’s executive summary.
Thanks for that. Despite the statements from VG about there needing to be agreement between pilot and co-pilot before mission critical actions being initiated such as extending the feather that didn’t happen on this flight:
“Crew Resource Management. Scaled Composites’ aircrew procedures did not require a challenge/response protocol prior to moving the feather lock handle”
Also, as I suspected VG or Scaled did not stress to the pilots that extending the feather early would lead to catastrophic break-up of the vehicle:
“2) Add to the SpaceShipTwo Normal Procedures checklist and Pilot’s Operating Handbook an explicit warning about the consequences of prematurely unlocking the feather lock.”
It was included in the flight manual to extend the feather at Mach 1.4 but that’s not the same as explicitly stating that if it is extended early it would result in vehicle break-up. I rather suspect that Scaled and VG themselves did not know, and that’s why it was not emphasized to the pilots.
Bob Clark
I still don’t understand how experienced aircraft designers could leave such a critical step unchecked.
The stunning thing is that this is one of the most singularly unconventional features of this aircraft, even more surprising it was not the focus of more penetrating thinking.
Someone very knowledgeable about these things pointed me to this Far Side cartoon that kind-of sums up their design…
http://imgur.com/AosYvGn
…and in colour…
http://stevec.smugmug.com/O…
It’s scary how much spot on Gary Larson has always been, about everything. That strip must be 20 years old.
Live they are arguing the wording of the cause specifically to include the pilot. It’s going to end up far less along VG’s PR argument that it was a ‘mishap copilot’. I like what Mr. Hart was saying as the base cause. A pilot is *always* the proximal cause of any organisational human factors failure; the question is why did they make the error. The question is not why the copilot pressed a ‘destruct button’ but why the team he worked within created the ‘destruct button’ and didn’t make sure he realised its importance.
I assume the reason why “unlock” is a separate action from “extend” is so they can do a safe abort if there’s an unlock failure? Seems to me it would be better to re-engineer the system so that the probability of an unlock failure was low enough that doing an atomic unlock/extend operation would be safer. You get all kinds of potential failures if you’re wandering around the sky assuming that you’re going to stay above mach 1.4 in the aerodynamically controlled flight regime: What if you’re reading the wrong mach number? What if the rocket shuts down at mach 1.5 and you coast into the unstable range? What if you’re doing any kind of abort? What if there are corner cases in the flight control envelope where you wind up with lift on the tails well above mach 1.4?
Yes. If the feather fails to unlock by Mach 1.8, they abort.
So what’s the procedure if they successfully unlock and then have to abort for some other reason?
Shut down the engine, and (I presume) lock the tail, pitch over, glide to a landing.
This makes sense, but unlocking while ascending doesn’t.
It does seem counter intuitive but it makes sense. If the unlock failed for whatever reason and they didn’t find out about it while ascending, they would not survive the descent. The vehicle would simply pick up too much speed coming down. So, as strange as it may seem, they do the unlock under power at Mach 1.4 to confirm that it’s working. If not, they can shut down the engine and abort safely. At or above M1.4, the forces on the tail booms are low enough to manage. However, the copilot inadvertently unlocked at Mach 0.92 in relatively dense air. The forces were too much for the system and the booms started to rise, resulting in a 9G pitch up while under power. Aerodynamic forces then tore the vehicle apart.
The procedure makes sense within the scope of the design, but the design still makes very little sense. Go/no-go tests on a flight critical control surface at supersonic speeds are an invitation to trouble. Since the engineers on this project are not idiots, I would be highly surprised if they didn’t feel the same way.
Perhaps the only other time you could test the unlock mechanism is before release but it’s possible the aerodynamic forces are still too high at that point. It still comes down to ensuring the mechanism worked while there’s still time to abort. If you were able to unlock and then relock before release, it could still fail after release. The feathering mechanism is critical for mission success, but unlocking it too soon is also fatal. They’ll probably implement some form of prevention circuit that won’t allow the unlock to work below M1.4 but Murphy’s Law being what it is, even that will need an override.
I’m not arguing that the feather unlock should have been tested at a different point during the flight. I’m arguing that if you have a key subsystem that you don’t trust to remain operational between pre-flight and post-ignition, that subsystem has no business riding along on a manned spaceplane.
—
ETA: I think you are correct that a lockout circuit will be added, but I also think that adding more complexity to the system sends them in the wrong direction with respect to overall reliability.
It’s simple: They’d rather find out that the unlocking mechanism is broken at 50,000 feet than at 250,000 feet.
Hmm. So we’ve got two failure trees, one with the current unlock procedure, and one where you do atomic unlock/deploy:
1) M1.4 –> unlock successful –> abort –> re-lock failure –> feather deploys while going transonic –> tumble –> RUD
2) Hypersonic flight with close to zero aerodynamic forces –> unlock and deploy failure –> hot reentry –> RUD.
I guess that makes sense, given that #1 is catastrophic only with a double failure (although a late abort has to be a pretty high probability event), and #2 could be a catastrophic point failure.
Sure seems like working to mitigate the failure trees for the unlock mechanism would be a good idea, though.
In my opinion, the unlock should’ve been automated from day one.
Looks like the whole thing should be automated from day 1. If the pilots have too much to do within a few seconds, esp a go\no-go. Commercial pressures etc. TBH in this day and age, I’m really surprised they are not testing this automatically\remotely.
Surely the craft will come ok through the transonic region while descending with feathers unlocked and deployed? Or do they have to lower the feathers and lock it into place before dropping under M1.4?
Is it not just a failure upon powered ascent that the unlocked feathers will cause?
From the description above, it sounded like the issue was that there was an up-force on the tails in the transonic region–that should be independent of acceleration.
Yeah but it was in rocketship mode and pitching up. If you’re saying that unless they can lock the feathers as they drop into transonic then this is a risky endeavour indeed.
So they unlock while still ascending under power up? This is very strange. So the design commands the feathers are fully extended before it starts to slow into the transonic range, otherwise it destructs?
It’s a very strange design. I could understand the feathers are deployed during descent at all speeds. But the margin for failure here seems high.
The feathering is deployed around apogee. The unlock during ascent is technically a safety feature – if the unlocking mechanism fails, they abort. If they cannot unlock / deploy the feathering, they cannot descend safely from apogee.
Any idea at what max height can they safely abort if the locking mechanism fails? Seems they enable it quite soon outside of its “danger zone”, I would have thought a large safety margin would have been sensible.
They specifically mentioned the feather mechanism has to be unlocked by Mach 1.8 or they have to abort the flight. I do not know what height that translates to. So they have a window from Mach 1.4 to 1.8 in which the feather mechanism must be unlocked – and this happens in a very short span of time (there is about 26 seconds from engine ignition to Mach 1.8). One of the contributing factors to the failure mentioned was time pressure on the copilot (who is responsible for disengaging the feather locking mechanism).
So essentially the craft is unstable with the wings unlocked < M1.4 and in powered ascent, unstable on descent if wings locked > M1.8 and destroyed upon re-entry if the wings don’t deploy.
Hmmmm.
At < Mach 1.4 transonic aerodynamic forces on the tail produce a great deal of lift, which, if the feather system is unlocked, forces the tail into the feathered position. Past Mach 1.4 the supersonic airflow doesn’t produce this lifting force on the tail.
The “wings feathered” is a high-stability, high-drag position. It’s necessary for the wings to be in this position for it to re-enter the atmosphere safely. Unfeathered, the aircraft would experience too much heating on re-entry to survive.
Here is an excellent summary by Lee Jay, one of the moderators over at NSF, of the NTSB presentation:
There was corporate conversational knowledge that unlocking the feather system during the transonic region would be catastrophic, but this knowledge wasn’t formalized into the pilot handbook or in training. There was formal knowledge that unlocking late would lead to a flight abort, and a recent event had occurred where the unlock was late. Add to this copilot workload increases between flights, the fact that training wasn’t done in the suits and equipment worn on the real flight or under the g and vibration loads in the flight, and the result was the copilot unlocked the feather early leading to the loss of the vehicle. As usual, not a single failure, but a chain of smaller failures – lack of formalization of knowledge, lack of training in the operational environment, recent events, pressure to avoid an abort, and you get an overcompensation.
“unlocking the feather system during the transonic region would be catastrophic” – is this under any condition? Powered/unpowered descent etc?
It sounds as if the danger varies with the conditions, possibly with the air density and the attitude and actions of the control surfaces in addition to powered ascent vs unpowered descent. From the rough transcript of today’s NTSB meeting:
Chairman Hart: Thank you. And was there a reference to an event with a previous flight, that once the locks were unlocked, there was a slight movement out of lock — I am trying to remember what that reference was about the rhythms of previous event referred to going through the transonic range with there was a brief movement from locks to unlocked. — From locked to unlocked. Am I remembering that correctly?
Mr. Callahan: That is correct. The vehicle goes through the lock region two times. When the rocket motor is on and then when the rocket motor is off, it decelerates. In terms of moment coefficients, you have the same high coefficients wanting to move the feather up. On flight 02, the deceleration occurred at a relatively lower altitude and a deliberately tested point to explore the elements of a further operating envelope. It was deliberately flown very close to the edge of the ability of the actuators to keep the feather down, and in fact, they got a slight movement of about .8 degrees for half a second.
Yes. The NTSB staff did just say that every SS2 pilot they interviewed knew about the catastrophic results of premature unlocking, but that it was not explicitly stated in the Pilot Operating Handbook.
Both this Executive Summary and their Party Submission include the date “May 29, 2014” on the title page. I assume that this is intended to be the date of submission, and that it should have been 2015.
So this was the six page Executive Summary of Virgin & TSS’s report of their investigation to the NTSB. The complete thirty-six page report is also available on the Virgin site. Go here and select “Documents”. (I don’t know how to link the PDF directly.)
I’m surprised that such a critical step wasn’t covered in the test plan and flight briefing beforehand. This was a test flight program and generally every action taken (or not taken) by the flight crew is meticulously planned in these types of flights, including timing (ie “t+0:28, speed > mach 1.4, copilot unlocks feather. Abort on failure.”).
Or maybe it was, and it was just a mistake.