Nearly a month after SpaceX's Falcon 9 rocket disintegrated en route to the International Space Station, CEO Elon Musk announced what brought the vehicle down: a faulty steel strut, just 2 feet long and 1 inch thick. It was one of thousands of struts holding down the helium pressure valves inside the rocket's liquid oxygen tank; when it snapped, it released too much helium, causing the tank — and then the rocket — to burst. Even the smallest oversight can be catastrophic in spaceflight.
Fortunately, no astronauts were aboard the doomed vehicle — only food, water, and cargo were lost. But astronauts will be aboard that same rocket very soon. SpaceX and Boeing are currently developing crew transportation modules that will ferry US astronauts to and from the ISS. It's part of NASA's Commercial Crew Program, aimed at stimulating the private spaceflight sector, and it’s scheduled to begin in 2017.
This is the first time the space agency has entrusted the lives of its astronaut fleet to private companies. It’s a new model of space exploration with new methods for ensuring safety. NASA is holding these private companies to similar — if not higher — safety standards as it did for its Shuttle missions, but the level of oversight the space agency has during the vehicles’ development process is minimal. Instead, SpaceX and Boeing must meet a few hundred predefined safety requirements and demonstrate they can keep the astronauts alive if the rocket that's carrying them falls apart. NASA doesn’t get much say in what the vehicles look like or how they work.
And even with all the requirements, NASA isn't demanding 100 percent reliability from SpaceX and Boeing. "For every hundred missions, how many missions could you analytically show are going to be safe and return the crew safely to Earth?" asks Phil McAlister, director of commercial spaceflight development at NASA. "The number we've come up with is: for every 270 flights, we might have one where we’re going to have a bad day."
NASA's Space Shuttle Atlantis launches from Florida. (NASA/Bill Ingalls)
NASA has always used outside contractors to help design and build its vehicles. The Space Shuttle was built by Rockwell International, and Lockheed Martin manufactured its external tank. The various parts of NASA's next big rocket, the Space Launch System, are being built by Boeing, Alliant Techsystems, and Lockheed.
The main difference between those projects and the Commercial Crew Program, however, is the level of oversight. NASA was in direct control of the Space Shuttle's design specifications, giving contractors between 10,000 and 12,000 requirements that needed to be met. NASA personnel were also deeply rooted in the manufacturing process, overseeing every level of production and ordering changes if necessary. Outside contractors may have built the vehicles, but NASA owned the final product.
With the capsules used for the Commercial Crew Program, the CST-100 and Dragon V2 (now called Crew Dragon), nearly all of the vehicles' logistics are up to the companies; SpaceX and Boeing only have to meet 280 design requirements laid out by NASA in the Commercial Crew contracts. McAlister says the requirements aren't too rigid and mostly revolve around safety and performance. The contracts call for a reliable abort system for the crew and ways to manually override in-flight software — but they don't specify how these systems should work.
"It gives the companies a lot of flexibility to design their own systems the way they want," says McAlister. "With Commercial Crew, we were able to do away with lower level requirements, allowing companies to innovate and come up with their own unique solutions." This also allows SpaceX and Boeing to work at their own speeds, says McAlister, since they don't have to constantly check in with NASA to make sure they are meeting an intimidating list of criteria.
NASA does provide the companies with a few space agency liaisons, who work with the companies' engineers in whatever capacity is needed. The space agency also requires complete "insight" into the companies' designs. "If there’s a meeting that's important or test data that’s important, we have full access to that," says McAlister. Yet despite this heavy integration and daily communication, the vehicles ultimately belong to SpaceX and Boeing — not NASA.
The Commercial Crew Program’s lack of oversight has also led to trouble at times. In January, the Aerospace Safety Advisory Panel — which evaluates NASA's safety performance — said NASA hadn’t given them enough information on the program's safety logistics. NASA’s communication with ASAP has improved since then, but the organization still has some concerns, said vice admiral Joseph Dyer, the panel’s chair. "Our faith in the execution of the problem is vested in the quality of the leadership," Dyer told The Verge. As long as a few key personnel, including NASA’s associate administrator for human exploration Bill Gerstenmaier, are involved in the program, Dyer feels confident about safety. But he finds it alarming that he must trust in personality and reputation, instead of a clear and transparent data record, he said.
Boeing is currently developing the CST-100 to transport astronauts to space. (Boeing)
Aborts and Redundancies
The Commercial Crew Program requires companies to meet certain milestones, much in the way students are required to pass certain standardized tests. How the companies pass is up to them.
For SpaceX and Boeing, this means coming up with redundancies; for example, the companies are putting three different computer systems into their vehicles in case the first two computers fail during a mission. And even if all three go offline, astronauts have backup controls.
But the main systems that will guarantee the crews' safety are the capsule's abort procedures. As we learned from SpaceX in June, a small steel rod can bring down a 500-ton-plus rocket during liftoff. NASA wants to know that if something like that happens again, the astronauts can escape safely.
To ensure this, SpaceX is incorporating an in-flight abort system. Small engines embedded in the walls of the Crew Dragon — dubbed Super Draco — can carry the capsule away from a failing rocket before the vehicle reaches space. Then, the Crew Dragon's parachutes kick in and gently land the capsule back on Earth. "Unlike past abort tower systems, this provides astronauts with escape capability all the way to orbit," says Phil Larson, a spokesperson for SpaceX.
SpaceX successfully conducted its pad abort maneuver in May. (SpaceX/YouTube)
Boeing says it has a similar in-flight escape system. If the spacecraft is failing, Boeing’s system automatically detects the failure and a Rocketdyne RS-88 engine can push the capsule to safety. Then its parachutes will deploy, says Chris Ferguson, director of crew and mission operations at Boeing. He says the in-flight abort can be initiated any time up until main engine cutoff.
And there are also plans for trouble before the launch begins. These systems, called pad aborts, carry the crew away from the launchpad if a rocket engine malfunctions. The same engines used in the in-flight escape systems will carry their respective capsules to safety.
Though the safety systems are similar, they won’t undergo the same tests. SpaceX already demonstrated its pad abort system in May; it plans to test its in-flight escape system in 2016. Boeing, on the other hand, won’t test its pad abort system until February 2017 — and the company hasn’t announced any plans for testing its in-flight abort system before its capsule’s first flight with people aboard. That's because Boeing is relying more heavily on computer modeling, says NASA. SpaceX is able to do more physical testing, because the company already has access to a similar version of the Crew Dragon.
Probabilistic Risk Assessment
NASA anticipates that there will be fatalities. The contracts with Boeing and SpaceX specify that the capsules keep crews safe for 99.6 percent of ISS missions. This means that NASA believes that one of every 270 missions will go catastrophically wrong.
This morbid calculation is known as a probabilistic risk assessment, or PRA. It's used to evaluate risks associated with complex technology, and is meant to predict three big things: all possible system failures, how likely it is the failures will occur, and finally, their consequences — which include, yes, death. To make a PRA, the companies take into account past rates of failure, vehicle reliability, and flight range, among other data points. "It sort of simulates what the actual flight experience will be if you flew it over and over again," says NASA's McAlister.
PRAs are actually pretty controversial. They don't take human errors into account, for instance. And naturally, it's impossible to consider every possible catastrophic scenario, experts say. But they are useful tools for determining the strengths and weaknesses of a launch vehicle.
But even with those limitations, the commercial spaceflight PRA is better than its predecessor's. The Space Shuttle had a 1 in 80 chance of losing crew members — so the new capsules are theoretically three times safer. The specter of the Columbia and Challenger disasters hangs over the safety systems; it’s partly why the new abort capabilities exist. It’s also why the capsules are smaller — that makes it easier to avoid orbital debris in space, Ferguson says.
"We can never lose sight of the fact that we lost 15 different people on shuttle," says Ferguson. "Even though it was a tremendous technological achievement, I wouldn’t qualify it as an unadulterated success."
Though it’s tempting to compare the Commercial Crew Program to the Space Shuttle program, it's too soon to really do so. SpaceX will do an uncrewed test of its Dragon capsule in 2016, and Boeing will test its CST-100 in April 2017. Crewed flights are slated for 2017 — though NASA administrator Charles Bolden says it's possible that the first flights may be delayed if Congress doesn't give the space agency the funding it needs for the program. But even the first successful flights won’t be enough to tell whether the program’s a success. After all, what we’re looking for is reliability, and that requires not one, but many launches.
The real test, of course, is when one of these launches fails. That’s when we’ll find out exactly how good the safety systems are.
Correction (12:37PM ET 8/13/15): An earlier version of this story suggested the first uncrewed testing of the Crew Dragon will happen in April 2016. No dates have been specified, and the article has been updated.