Falling Short of the Stars: The crash of Virgin Galactic’s SpaceShipTwo
Note: this accident was previously featured in episode 31 of the plane crash series on April 7th, 2018, prior to the series’ arrival on Medium. This article is written without reference to and supersedes the original.
On the 31st of October 2014, an experimental space plane operating for Virgin Galactic abruptly disintegrated at 55,000 feet during a test flight, scattering debris over a vast area of California’s Mojave Desert. Although one of the two test pilots was killed, the other remarkably survived, parachuting to safety against all odds. The destruction of the VSS Enterprise and the death of one of its pilots promised to be a major setback for the commercial space flight industry, which was then, as now, in its infancy. Criticism was not hard to come by: was Virgin Galactic, under the direction of billionaire businessman Sir Richard Branson, pushing things too far in pursuit of a mere toy for the super-rich? Some questioned the entire basis of commercial space flight; others suggested that Branson in particular was the problem. Against this background, the National Transportation Safety Board, in its first ever major investigation of a spacecraft accident, sought to determine why the vessel came apart. The answer was both shocking and disappointing: the deceased copilot had made a single erroneous control input which caused the catastrophic in-flight breakup, raising significant questions about the design of the spacecraft, its tolerance for human error, and the manufacturer’s failure to grasp lessons that the commercial aviation industry had learned decades ago.
In 2004, British billionaire Sir Richard Branson, founder of the Virgin Group, launched a long-shot venture intended to push the frontier of commercial transportation by one day taking paying passengers on regular trips to space. Branson’s ownership of Virgin Airlines and its subsidiaries as well as his exploits with hot air balloons had earned him a reputation as an aerospace enthusiast, but developing a reusable passenger spacecraft was a tall order, and there was plenty of skepticism that Branson’s new company, christened Virgin Galactic, would ever get off the ground.
At that time, the idea of building a “space plane” which would fly to space, hang around for a few minutes, and then land at an airport was not new, and had in fact been around for a number of years. One aerospace company already working on such a project was Scaled Composites, which had partnered with billionaire Microsoft cofounder Paul Allen to build a vehicle called “SpaceShipOne.” SpaceShipOne’s objective was to carry a pilot and two passengers to space by launching from under the wing of a carrier airplane at high altitude, an interesting and novel approach which would save both weight and fuel by getting the vehicle closer to space before firing its rocket motor. SpaceShipOne first flew under its own power in 2004, becoming the first human spaceflight funded entirely by private capital. This attracted the interest of Richard Branson and his newly created space tourism company, which shortly thereafter became the primary customer for Scaled Composites’ planned successor spacecraft, SpaceShipTwo.
As the above statement implies, SpaceShipOne was a proof of concept only and was never intended to enter real commercial service. It was not possible to make a profit on flights only carrying two passengers, which was one of several reasons why production immediately began on SpaceShipTwo, which would be much larger but would employ many of the same design and operational features as SpaceShipOne. The 18-meter-long, 9,700-kilogram spacecraft would hang beneath the wing of a twin-fuselage “mothership” called WhiteKnightTwo, release at an altitude of 50,000 feet, activate its single rocket motor, climb almost vertically to a height of 110,000 meters (360,000 feet), then glide back to earth with the power off, all while carrying up to six paying passengers. In addition to the thrill of the ride itself, the passengers would experience approximately six minutes of weightlessness as the vehicle entered space at the height of its parabolic trajectory, known as its apogee. Richard Branson promised that tickets would cost USD $200,000, making the trip accessible to the merely very rich in addition to the super-rich.
One of the most significant challenges facing any space plane is the requirement that it survive reentry into the earth’s atmosphere, a punishing experience which would melt a traditional airplane. The space shuttle, for instance, reentered at a speed of approximately 26,000 kilometers per hour, and decelerating from this speed caused so much compressional heating that an expensive and heavy heat shield was required on all parts of the shuttle facing into the airstream. By contrast, SpaceShipTwo was not designed to reach orbit and would therefore reenter at a relatively sedate speed of about 4,000 kilometers per hour, allowing it to employ a rather different reentry technique. Like the space shuttle, SpaceShipTwo had a heat-shielded belly, allowing it to generate drag by maintaining a high angle of attack, but it also incorporated a feathered reentry system which increased drag still further and was capable of stabilizing the spacecraft no matter its reentry angle.
The feathering system was essentially a gigantic hinge at the rear of the spacecraft which would rotate its entire tail section, including the flight control surfaces, 60 degrees upward, almost folding the vehicle in half. This caused the spacecraft to behave rather like a badminton cock, turning over into a center-of-gravity-down position regardless of its attitude at reentry. The vehicle could enter the atmosphere upside down, and aerodynamic forces acting on the feathered tail boom would immediately turn it over into an upright, nose-high position, ideal for re-entry, without any input from the crew. This design was supposed to make the spacecraft both safer and easier to fly, and indeed this was demonstrated in practice when an upset occurred during a flight test in 2011. During the incident, the pilots briefly lost control of the spacecraft, but were able to regain control by activating the feather system, which immediately forced the vehicle back into a safe descent attitude.
Like any space project, however, development of SpaceShipTwo was fraught with setbacks. This would have been seen as normal and not a serious issue had Richard Branson not continually regaled the media with unrealistic predictions of the vehicle’s imminent entry into commercial service. As early as 2008, when the first prototype was still being built, Branson repeatedly proclaimed that the first commercial flight would take place in 18 months, but in 2011 — several predictions later — he was still telling prospective customers that commercial service was 18 months away.
Meanwhile, Scaled Composites continued to oversee the development and testing of the spacecraft, beginning with its first “captive” flight — without being released from WhiteKnightTwo — in March 2010, followed by its first gliding flight test in October. The flights, carried out at Mojave Air and Space Port in the California desert, were piloted by experienced test pilots working for Scaled Composites, whose job was not only to fly the spacecraft but to identify areas where there was room for improvement. Plenty of these were found, and the vehicle underwent constant modifications throughout the testing process.
In 2013 and early 2014, the program advanced to powered flight testing, in which SpaceShipTwo’s rocket motor would be activated for longer and longer periods, eventually building up to the full 60-second burn required to reach its planned apogee of 360,000 feet. These test flights went off largely without a hitch, but they did reveal that the rocket engine was underpowered and caused serious vibrations that made it difficult for the pilots to read their instruments, forcing a major pause in testing while Scaled Composites worked with its engine subcontractor, Sierra Nevada Corp., to redesign the engine.
By the summer of 2014, the two companies had put together a new rocket motor which would produce more power and fewer vibrations by burning a nylon-based solid fuel instead of the rubber-based fuel used previously. With the new engine in place, Scaled Composites planned to resume test flying SpaceShipTwo in the fall of that year, with a self-imposed deadline at the end of October.
The October test, designated “powered flight #4,” or PF04 for short, was to be the first powered flight since January 2014, and would feature a 38-second rocket burn, the longest thus far. Preparations for the flight were made months in advance, from acquiring the requisite permits from the federal government to training the flight crew, who spent the summer and early fall conducting dozens of mock test flights on Scaled Composites’ SpaceShipTwo simulator.
The flight crew was to consist of 43-year-old Pete Siebold and 39-year-old Michael Alsbury, who both possessed commander ratings on SpaceShipTwo. Both had extensive test flying experience and were part of a tiny group of elite pilots qualified to fly the spacecraft. They were intimately familiar with both SpaceShipTwo and its mothership WhiteKnightTwo, and either Siebold, Alsbury, or both had been part of the crew of one vehicle or the other during all but two of the 30 gliding and three powered flights conducted so far. On this latest flight, Siebold would be the pilot flying from the left seat, while Alsbury acted as copilot from the right seat. In addition to the two pilots of SpaceShipTwo, the Virgin Galactic chief pilot would be serving as captain aboard WhiteKnightTwo, along with a copilot and a flight test engineer, who was the Scaled Composites SpaceShipTwo program manager. The test would also feature an Extra EA-300L aerobatic chase plane carrying a single pilot and a photographer.
After a five-day delay, PF04 was finally set to go ahead on the 31st of October 2014. Early that morning, the crews gathered at Mojave Air and Space Port to brief and prepare for the flight, which was to be the most ambitious to date. The plan was for WhiteKnightTwo to carry SpaceShipTwo up to a height of 46,400 feet, release the spacecraft, ensure adequate separation, then commence the 38-second rocket burn. After the end of the burn, the spacecraft would coast to its apogee before adopting the feathered reentry configuration, descending back into denser air, and finally unfeathering the tail boom and gliding back to Mojave Air and Space Port.
Accomplishing this sequence of maneuvers would require no small amount of hands-on piloting by Siebold and Alsbury. Most of the required tasks, including the timing of the rocket burn and deployment of the feathering system, were not automated, and the latter was especially complicated. The mission plan required the pilots to first unlock, but not deploy, the feathering system while the spacecraft was accelerating through Mach 1.4 (1.4 times the speed of sound) early in the boost sequence, in order to ensure that the system could be deployed later. This step was intended to reveal any problems with the feathering system in time to abort the engine burn before the vehicle could get high enough to necessitate a reentry maneuver, which would be much more dangerous if the tail boom couldn’t be feathered. In fact, the risk of reentering with the feather retracted was so great that if the pilot did not unlock the system, confirming its operability, by Mach 1.8, they were obligated to abort the flight.
To unlock the feather system, the copilot must move the feather unlock handle on the center pedestal to the right and then down, unclipping hooks on the main wing body which grasp steel locks on the “tusks,” the forwardmost points of the feathering tail boom, as seen above. When these locks are in place, it is impossible to deploy the feather. However, once the locks are removed, the copilot can then pull a separate feather handle outward, causing two identical feather actuators to rotate the tail boom around its hinge until it reaches the 60-degree “deployed” position.
One vulnerability of this system was that if it were to be unlocked during a flight phase in which there was a significant upward aerodynamic force on the tail section, this force could overcome the actuators and cause an uncommanded feather deployment. This danger was particularly acute during the transonic region close to the speed of sound, between approximately Mach 0.9 and Mach 1.1. During this period, airflow over some parts of the spacecraft could reach supersonic speeds while airflow in other areas remained subsonic, subjecting the vehicle to unusual aerodynamic forces. On SpaceShipTwo, this manifested in the form of a “transonic bobble,” as shifting airflow patterns temporarily moved the spacecraft’s center of lift forward and then aft again. During this bobble, the net aerodynamic force on the tail would shift from downward (feather retracted) to upward (feather deployed) before returning to downward after reaching supersonic speeds. It was therefore forbidden for the pilot to unlock the feather system earlier than Mach 1.4, because without the locks, this upward aerodynamic force on the tail boom could back-drive the actuators and force the feather to deploy.
There was no doubt among Scaled Composites engineers that this step would be performed correctly, since both pilots had been drilled extensively on when to unlock the feather. Indeed, as the pilots of SpaceShipTwo briefed the maneuver that morning, they mentioned repeatedly that they would unlock the feather at Mach 1.4, as expected.
Following the departure of WhiteKnightTwo at 9:19 a.m., with SpaceShipTwo hanging underneath it, Siebold and Alsbury continued to run through various routine checks, with only one significant anomaly, a momentary failure of the main multi-function computerized display, which was resolved by rebooting the computer.
By 9:59, WhiteKnightTwo had reached the launch height of 46,400 feet, and the SpaceShipTwo pilots were running through the “10 minutes to launch,” or L minus 10 checklist.
“Electrical system?” Alsbury asked.
“All looks good,” Siebold replied.
“Greater than 23, good regulator pressures.”
“Right, uh feather locks. Here comes the locks,” said Alsbury.
To test whether the feather locks were working correctly, Alsbury moved the feather unlock handle right and down, causing a yellow “feather unlocked” light to illuminate on the instrument panel. The illumination of the light confirmed that the feather had indeed unlocked. “Pressures good, indications, and locking,” Alsbury said. He then returned the feather handle to the locked position. “And show locked,” he added. “Backup indications look good.”
For the next several minutes, the pilots continued to run through dozens of routine checks of various systems and flight controls. Everything appeared normal, so the crew moved on to the next checklist, L minus four. They checked that they had correctly set the rocket burn timer, checked that the speed brake was disabled, turned off the window heat, ensured that the transponder was on, and checked for any warning lights (there were none). With landing clearance already received from Mojave tower, Captain Siebold ran through their plan one last time. “Alright, you’re clear to arm [the rocket motor] at pylon release, I’ll call for fire,” he said. “Call the pitch up, pitch down, trim, feather unlock one point four. Then after shutdown, roll boost while we have some speed, roll boost will come off. Primary RCS is coming on. Set the attitudes… feather up at apogee… reset trims for minus ten… you’re cleared to feather at apogee if I haven’t called for it, and remind me on the trims if I haven’t got to ‘em.”
In plain English, the plan for the first 30 seconds after release looked like this: first, copilot Alsbury would arm the rocket motor, then Siebold would call for him to fire it when ready. Next, Alsbury would call out the pitch up and pitch down associated with the transonic bobble, then once the spacecraft was past the transonic zone, they would “trim” the nose up for the “gamma turn,” the transition from a shallow climb to a vertical ascent. During the gamma turn, at a speed of Mach 1.4, Alsbury would unlock the feather.
At 10:07, with the briefings and checklists complete, the pilot of WhiteKnightTwo called out over the radio, “Five. Four. Three. Two. One. Release, release, release.”
At that moment SpaceShipTwo separated from WhiteKnightTwo’s release pylon and began to fall away from the mothership.
“Clean release,” someone announced.
Less than one second later, Siebold called out, “Fire.”
Alsbury reached for the rocket motor arm switch, flipped it, then flipped the rocket motor fire switch a split second later. “Arm. Fire,” he called out.
The pilots’ displays switched to BOOST mode, and the spacecraft immediately soared forward and upward, propelled by the immense power of the rocket motor. Straining against the G-forces, Siebold announced, “Good light. Yeehaw!”
Seven seconds after release, Alsbury called out their speed as “Point eight.”
A cockpit camera then captured Alsbury placing his left hand on the feather unlock handle, apparently in anticipation of unlocking the feather at Mach 1.4, which they would reach in approximately 15 seconds. But instead of waiting, Alsbury immediately announced “Unlocking,” and over the next half second, he moved the feather unlock handles rightward and downward until the “feather not locked” light blinked on again. The speed of the spacecraft was only Mach 0.92, still deep inside the transonic zone and nowhere near the point where the feather system was supposed to be unlocked.
Before anyone could notice or react, the feather locks disengaged, and the upward aerodynamic force on the tail boom started to overpower the feather actuators. Within two seconds, the tail boom began an uncommanded upward rotation into the feathered position, causing the spacecraft to pitch up without warning. Siebold called out “Pitch up,” followed by strained grunting as the G-forces of the sudden maneuver pressed the pilots even harder into their seats. Propelled by powerful aerodynamic forces, the tail boom rapidly reached the 60-degree deployed position and then kept right on going, causing cracks to spread through the wings and fuselage as the entire tail section threatened to rip away. Three seconds after Alsbury unlocked the feather, the video feed from SpaceShipTwo abruptly cut out as the spacecraft cartwheeled once and then disintegrated utterly, vanishing into a hail of debris at 55,000 feet.
The pilots’ colleagues aboard WhiteKnightTwo, on the Extra chase plane, and back at base could only look on in horror as the wreckage of SpaceShipTwo fanned out into the sky high above the Mojave Desert. For three minutes, they watched the debris tumble to earth, spreading ever wider as it fell, until suddenly the pilot of the chase plane announced that he had seen something incredible — a parachute.
Realizing that at least one pilot may have survived the accident, test personnel and controllers immediately began an effort to get emergency medical personnel to the crash site as quickly as possible. Ninety seconds after the parachute was first observed, the main wreckage of the spacecraft struck the ground in a remote swath of the Mojave Desert near Cantil, California. Due to a failure of planning, however, no helicopter equipped for emergency medevac was stationed at Mojave Air and Space Port. A helicopter operated by Kern County managed to depart at 10:30, 23 minutes after the accident, and another departed at 10:41, arriving 11 minutes later. The crew were able to spot a red and white parachute splayed out in the desert, and upon landing they confirmed that against all odds, pilot Pete Siebold had somehow survived the midair breakup. Although a flight surgeon was among the first rescuers to arrive, this helicopter was not medevac capable, and an unaffiliated medical helicopter had to be called in from a maintenance test flight, arriving at the scene to pick up Siebold more than an hour after the crash. Although Siebold’s injuries were serious, he was stable enough that the delay did not cost him his life, and he arrived at Antelope Valley Hospital in Lancaster at 11:53. Unfortunately, copilot Michael Alsbury was not so lucky: his body was found strapped into his seat in the cockpit, his parachute still stowed in its pack.
Siebold’s remarkable escape made him the first person ever to survive a spacecraft accident in which someone else died. Despite early assumptions that he had ejected, Siebold in fact had no time to react, and was simply thrown out of the vehicle in his seat as it came apart. He was launched out into the rarefied air at 55,000 feet, nearly twice the height of Mount Everest, at a speed of more than 960 kilometers per hour, and yet somehow he lived to tell the tale. He told investigators that he remembered a loud noise, a brutal high-G pitch up, and the sensation of a sudden decompression, before his memory temporarily became blank. The next thing he knew, he was falling, still strapped into his seat, while looking down at the Mojave from a high altitude. He undid his seat belt and assumed the freefall position, then blacked out again, presumably due to lack of oxygen, waking up only when his parachute deployed automatically at a lower altitude. He then attempted to use the parachute’s built-in emergency oxygen supply, but he couldn’t get oxygen flowing. Investigators would later note that the oxygen delivery system was poorly designed, requiring a large pull force on the handle to initiate oxygen flow, but that even if Siebold had managed to activate it, he would not have received any oxygen because a key tube had been disconnected. On the other hand, they praised the parachute’s automatic deployment system, which likely saved Siebold’s life as he was falling unconscious toward the ground.
Shortly after the accident, the National Transportation Safety Board moved to take charge of the investigation. However, the NTSB had never investigated a commercial space travel accident before, and its mandate did not explicitly state that it had jurisdiction, prompting the agency to send Congress a justification of its assertion of authority over the case. The justification was accepted by the relevant House and Senate committees, formally establishing the NTSB’s authority to investigate commercial space accidents, a fascinating if esoteric piece of behind-the-scenes bureaucratic maneuvering.
Meanwhile on the ground, NTSB investigators began poring over the vast amounts of telemetry data and recovered video footage from the fatal test flight in order to find out what went wrong. The video footage made the answer immediately obvious: somehow, the feathering tail boom, which should only deploy during reentry, had come open as the spacecraft approached the speed of sound during its ascent. Aerodynamic forces then ripped the tail boom off, and the rest of the spacecraft disintegrated a split second later. Footage from inside the cockpit, which was continually beamed to the ground, further confirmed that copilot Michael Alsbury had unlocked the feather prematurely.
Scaled Composites engineers explained to the NTSB that if the feather system was unlocked during the transonic zone, aerodynamic forces would overcome the actuators and force the feather to deploy, a scenario which they were aware would be catastrophic. This led to two parallel lines of inquiry: first, why did Michael Alsbury unlock the feather too early; and second, why was it possible for him to do so in the first place?
The first question was by no means an easy one. Michael Alsbury was by all accounts a highly skilled and competent test pilot, and his colleagues were shocked and surprised that he would have made a mistake so basic as unlocking the feather at the wrong time. Indeed, it is and remains difficult to rationalize, even after picking apart the possible reasons. But the NTSB ultimately did find several contributing factors which increased the risk of such an error, even if they could not pinpoint the exact reason why Alsbury pulled the feather unlock handle at Mach 0.9 instead of Mach 1.4.
One thing investigators noticed was that the window in which Alsbury was supposed to unlock the feather was incredibly narrow. It was forbidden to unlock the feather before Mach 1.4, but if he waited until past Mach 1.5, a caution light would illuminate on the instrument panel, and if he had not pulled the handle by Mach 1.8 the mission would be aborted. The actual time between Mach 1.4 and Mach 1.5 was only 2.7 seconds, an incredibly short window which he was nevertheless expected to hit on every flight.
A review of Alsbury’s training records revealed that he had not always hit the mark. Four days before the crash, Alsbury unlocked the feather after Mach 1.5 during a simulator run, triggering the caution message and a post-session debriefing about what went wrong. This experience would have been fresh on his mind when he embarked on the accident flight, perhaps making him anxious to avoid unlocking the feather too late.
By contrast, there was very little to suggest that Alsbury would have been concerned about unlocking the feather too early. Although he was aware that Mach 1.4 was a hard lower limit, he may not have been fully aware of the reasons why this limit existed. The NTSB searched for written evidence that the pilots had been informed of the catastrophic consequences of unlocking the feather too early, but they found this information only in a single email from 2010 and a powerpoint presentation slide from 2011. The pilot operations handbook didn’t mention the catastrophic nature of such an error, nor was it part of the training curriculum. Although the pilots had likely learned of the matter at some point by word of mouth, the NTSB could find no evidence that they had encountered any official information about it in more than three years. All of this seemed to indicate that the pilots may have been only vaguely aware of the consequences of unlocking the feather too early. And without that awareness, Alsbury would have been much more anxious to avoid unlocking the feather after Mach 1.5 than he was about unlocking it before Mach 1.4. This type of emphasis on one boundary at the expense of another can result in overcompensation, causing a person to violate the less prominent boundary while trying hard to avoid the more prominent one.
The NTSB also noted that Alsbury hadn’t flown a powered flight on SpaceShipTwo since April 2013, a year and a half before the accident. He would have grown unused to the powerful G-forces and vibrations experienced during the rocket burn, which could have negatively affected his ability to handle this high-workload period of the flight. Although he had trained extensively in the simulator, the fidelity of these simulations was low because the simulator had a fixed base and could not replicate high G-forces or vibrations, and the pilots did not wear their full flight suits, parachutes, helmets, and oxygen masks while training on it. Although there was no direct relationship between these factors and the decision to release the feather when he did, it is known that the fidelity of a training exercise correlates with a person’s ability to replicate a specific sequence of actions later.
One potential cause was, however, ruled out: that Alsbury misread his speed indication. He in fact correctly called out a speed of Mach 0.8 less than two seconds before he announced that he was “unlocking.” Alsbury was therefore aware of their speed, but was also aware that he wasn’t supposed to unlock the feather until Mach 1.4, which is what makes his mistake so difficult to understand. If anything, it’s a reminder that the human brain is an imperfect machine which is capable of holding simultaneous contradictory notions.
It is this very fact which prompted the NTSB to ask why it was even possible for a pilot to unlock the feather in a phase of flight where the consequences would be catastrophic. Scaled Composites’ answer to this question was stunning in its naïveté: they simply didn’t think a pilot would ever do this.
Needless to say, the attitude toward the test pilots expressed by Scaled Composites was hopelessly romantic. The fact that a test pilot made this supposedly unthinkable mistake after SpaceShipTwo had accumulated just 6.3 hours of powered flight time underscored its ridiculousness. One of the basic assumptions made during modern aircraft design is that if a pilot can do something, some pilot somewhere eventually will. Even if we accept the false notion that test pilots are infallible, it was hard to see how Scaled Composites could expect SpaceShipTwo to one day conduct regular commercial flights with regular pilots and still continue hiding from this fundamental reality.
A review of Scaled Composites’ safety program showed that it had conducted highly in-depth analyses of numerous potential mechanical faults and implemented redundancies to mitigate them, but had put almost no thought into human factors. The company had no human factors department and no dedicated human factors expert, nor did it hire an outside expert to provide advice. Some Scaled Composites engineers said that they had taken college-level courses on human factors, but that was it. When it came to ergonomic issues, such as user interface design, the engineers relied entirely on feedback from the pilots after testing was already underway.
This enormous blind spot in the design process led to a number of bizarre design decisions that an experienced aircraft manufacturer probably would not have made. For example, engineers did consider the possibility that the pilot might try to lock the feather before it had finished retracting after reentry, so they added an “OK TO LOCK” annunciation on the multi-function display to assist them. Despite this, they didn’t think to include an “OK TO UNLOCK” annunciation to prevent the opposite error. Nor did they include any kind of mechanical control lock to prevent the pilot from moving the feather unlock handle during phases of flight where it might as well have been a big red “self-destruct” button.
That a company in 2014 would make such design decisions is unforgivable, given the amount of information available to them about human factors in aerospace design. Granted, most of this information was aimed at manufacturers of regular aircraft, not spacecraft, but the lessons were equally applicable. To find a similar accident in commercial aviation, one might have to go all the way back to 1970, when the pilot of an Air Canada Douglas DC-8 accidentally deployed the ground spoilers before the plane touched the ground, causing a hard touchdown and fire which destroyed the aircraft. By that time most manufacturers had already realized the importance of including a lock to prevent pilots from deploying the ground spoilers in flight, since their sole purpose is to prevent the wings from generating lift after touchdown. Obviously there is no good reason for a pilot to be able to remove all of an airplane’s lift while in the air, so the DC-8 was subsequently redesigned with a lock to prevent deployment of the ground spoilers unless the wheels were in fact on the ground. The applicability of this lesson to the case of SpaceShipTwo is plain enough, but if anyone at Scaled Composites had heard of Air Canada flight 621 or a similar accident, they didn’t make the connection.
That Scaled Composites was unaware of basic design lessons learned decades ago by the aviation industry was suggestive of a generally unsafe company culture. This poor safety culture was perhaps best exemplified by an incident which occurred, almost unnoticed, on SpaceShipTwo’s second powered flight in 2013. During that flight, the spacecraft used a very short rocket burn which caused it to reach its apogee while still in the atmosphere. As a result, as it approached apogee, the spacecraft decelerated back through the transonic zone at an altitude where air was still present to generate an upward force on the tail boom. Because the pilots had already unlocked the feather system when they first accelerated through Mach 1.4, the tail boom was held in place by the actuators alone when it reentered the zone of upward forces on the tail. These forces exceeded the reactive capability of the feather actuators for a period of one second, causing the tail boom to move 0.8 degrees toward the feathered position before the forces reduced again. This incredibly unsafe situation was completely predictable based on the planned test parameters, and yet either no one had predicted it, or someone decided that the test should go ahead anyway. Either explanation would constitute a serious safety violation.
The focus of the investigation now turned to another related question: why didn’t the Federal Aviation Administration catch on to Scaled Composites’ poor safety culture? The company had even had a fatal accident before, when a SpaceShipTwo rocket motor exploded on a test bed in 2007, killing three engineers. As it turned out, however, the issue was not so much that the FAA didn’t know, but that the FAA didn’t care.
In order to receive its experimental flight permit from the FAA, Scaled Composites was required to conduct a hazard analysis, whose purpose was to identify hazards from a variety of sources, including human error. Scaled Composites stated that it based its hazard analysis on an advisory circular put out by the Federal Aviation Administration Office of Commercial Space Transportation, or FAA/AST, entitled “Hazard Analysis for the Launch or Re-entry of a Reusable Suborbital Rocket Under an Experimental Permit,” which stated, among other things, that a hazard analysis must address human errors, including “decision errors, such as using the flight controls at the wrong time.”
However, in its hazard analysis, Scaled Composites addressed the possibility of human error only in response to another failure. The possibility that a pilot could unlock the feather too early was not considered, and the FAA/AST was not told that this would be catastrophic. The company did, however, invoke a provision of the advisory circular which allowed the omission of certain human errors from the hazard analysis if an evaluation had found their exclusion to be reasonable based on evidence. After the accident, Scaled Composites claimed that the possibility of a pilot unlocking the feather too early could be excluded under this provision because it had trained its pilots to unlock the feather at the proper time. This was a grossly simplistic view of the matter, since pilot performance is affected by many factors other than training. It’s also worth noting that longstanding theories of system safety consider training to be the least effective of the three main methods of improving safety, behind design changes and warning devices. Furthermore, Scaled Composites made no attempt to develop a training protocol designed to empirically reduce the risk of a pilot unlocking the feather too early.
The FAA/AST initially approved, and then later renewed, Scaled Composites’ experimental permit despite these deficiencies in its hazard analysis and mitigation program. However, following the permit renewal in 2013, an FAA/AST systems safety engineer raised concerns that Scaled Composites’ hazard analysis didn’t meet regulatory requirements due to a lack of consideration of human and software errors. The FAA/AST confirmed these shortfalls in a subsequent review, but instead of asking Scaled Composites to improve its hazard analysis, the agency simply granted the company a waiver which exempted it from the requirement to include human and software errors in its hazard analysis. Scaled Composites hadn’t even requested such a waiver, but the FAA/AST issued one unilaterally because it felt that the company had already designed the spacecraft to mitigate the consequences of these types of errors. The NTSB, for its part, could not understand how the FAA/AST came to this conclusion when Scaled Composites’ hazard analysis did not even identify which human errors were possible, let alone what it was doing to mitigate them. Indeed, some of the supposed mitigations cited in the FAA/AST’s justification for the waiver were later found not to have been in place.
Looking deeper into the matter, the NTSB found that the FAA/AST’s supervision of Scaled Composites was chaotic and ineffective at every level. It wasn’t clear who was responsible for enforcing the mitigations specified in the waiver, and FAA/AST inspectors involved with the company stated that they did not interpret the waiver provisions as regulatory requirements. In fact, no one was monitoring whether Scaled Composites was actually implementing the safety mitigations.
In addition, communication between the FAA/AST and Scaled Composites was conducted via a single point of contact, creating an information bottleneck. FAA/AST engineers complained that their technical questions were being “scrubbed” by management before being passed on to Scaled Composites, and that by the time the company’s answers had worked their way back through the point of contact, the original intent of the questions had often been lost. Engineers with experience in space transportation were especially frustrated that their questions were being altered by FAA/AST managers who had limited space flight knowledge. These failings prevented FAA/AST staff from gaining a thorough understanding of how SpaceShipTwo worked and how Scaled Composites was operating it.
Furthermore, the FAA/AST had a policy of assigning inspectors to individual space launches, rather than having a single inspector dedicated to a particular space company, as is standard practice in the aviation industry. The NTSB noted that an inspector responsible only for a specific launch could not possibly get a good sense of the quality of a permit holder’s operations.
Finally, the most damning revelation of all came when FAA/AST inspectors admitted to the NTSB that they felt political pressure to approve experimental permits for commercial space travel companies within the standard 120-day review period, even if they felt uncomfortable with an application. The US government was keen to promote the fledgling industry and seemingly wanted to get as many applications approved as possible. Unfortunately, this lax oversight had allowed an unsafe company to slip through the cracks.
As a result of these findings, the NTSB recommended, and the FAA implemented, a major overhaul of the mechanisms and procedures used to oversee commercial space travel companies.
The crash, and the NTSB’s findings, necessarily raised the question of whether the commercial space flight industry, and especially the space tourism industry, possessed the right mindset to succeed in conquering the final frontier. Many publications criticized the entire idea of space tourism as a playground for billionaires which brought nothing of value, and with so much money having been poured into Virgin Galactic and other similar companies with precious little to show for it, these critics had a point. Others leveled their criticism at Richard Branson in particular, as he was seen by many in the industry as unappreciative of the scale of the task at hand. “It’s Branson… who has always been the most troubling of the cosmic cowboys — selling not just himself on his fever dreams but his trusting customers [as well],” a Time Magazine opinion columnist wrote in the aftermath of the crash. Indeed, Branson made headlines, and raised some eyebrows, by initially distancing Virgin Galactic from the accident, and then later declaring that testing of SpaceShipTwo would continue, and that the setback would not prevent the spacecraft from soon carrying paying passengers. Although some customers who had made down payments backed out, most didn’t, and within two years, a replacement SpaceShipTwo was back in testing at Mojave Air and Space Port.
The crash did, however, prompt major soul-searching at Scaled Composites, which ended up making several major design changes to improve the safety of SpaceShipTwo. One of these changes was the installation of an electromechanical interlock to prevent the pilot from deploying the feather during the transonic phase. Under the supervision of Virgin Galactic, the company also amended the pilot operations handbook to warn about the consequences of releasing the locks too early; implemented a comprehensive crew resource management training program; added a challenge and response protocol for all critical in-flight tasks; and launched a broader review to find and eliminate any other “single-point human performance actions that could result in a catastrophic event.”
There is an argument, and not an unreasonable one, that modern spacecraft development, much like early aircraft development, is inherently dangerous, and that the loss of a single ship should not be allowed to set the industry back. In the author’s opinion this is self-evidently true, although there are some who would disagree. At the same time, however, this truth doesn’t excuse Scaled Composites and its poor design philosophy. Of course, there are still many aspects of space flight which push the boundaries of human technological capability, and when something goes wrong at the limits of our knowledge and foresight, that is forgivable. But the crash of SpaceShipTwo was caused by pure carelessness. Even in an emerging industry, it should not have happened. Installing an interlock on the feather unlock lever would have been easy, and the need should have been obvious.
And then there’s the question of whether the billionaires who fund most commercial spaceflight ventures were sufficiently humbled by the accident and its lessons. Although there are plenty of valid criticisms of controversial space projects by Jeff Bezos and Elon Musk, these ventures have so far progressed as slowly as they need to and have avoided fatal accidents. As for Richard Branson, his pronouncement in 2009 that SpaceShipTwo would be conducting regular commercial flights in 18 months looks especially silly given that, as of 2022, Virgin Galactic has conducted a grand total of one passenger flight, which carried four Virgin Galactic employees, including Branson himself, in a transparent attempt to get ahead of a similar flight by Jeff Bezos the following week.
In its latest update, Virgin Galactic stated that commercial flights would begin in “mid-2022,” but as of September, the first scheduled flight still hasn’t happened. In contrast, Jeff Bezos’s Blue Origin has at time of writing carried out six successful space tourist flights, and seems set to continue on an increasingly regular schedule. Of course, it shouldn’t be a race, even if billionaires treat it like one. Pushing the boundaries of human space travel is a worthwhile endeavor for its own sake, regardless of who claims to be “first.” Billionaires, especially Branson, should keep that in mind. They should also strive to ensure that their projects enrich humanity, not just their egos — something which many of them have so far struggled to demonstrate. And while they should recognize that setbacks and accidents may be inevitable, they should avoid using that inevitability as an excuse to neglect lessons which we have already learned. Our road to becoming a spacefaring civilization doesn’t need to be paved with bodies, but if we believe that it will be, then that belief will become a self-fulfilling prophecy.
Visit r/admiralcloudberg to read and discuss over 220 similar articles.
You can also support me on Patreon.