• Space Exploration

Is It Safe?

The first company with a plan—and a rocket—to send humans to orbit answers the existential question.

• By Michael Milstein
• Air & Space Magazine, May 01, 2009

In a hulking industrial building next to Hawthorne Municipal Airport on the west side of Los Angeles, a machine called the Mazak AJV-60 fabricates what may well be the next rocket and capsule to carry people into space. Other machines whir and grind in the background, part of the assembly line that upstart company SpaceX—officially Space Exploration Technologies—has built in the shadow of nearby aerospace giants such as Northrop Grumman and Boeing. In the next few years, SpaceX will place the capsule, Dragon, atop its Falcon 9 rocket and send it into space carrying cargo and, the company hopes, NASA astronauts to the International Space Station.

A mockup of Dragon sits on SpaceX's main assembly floor, a short walk from an open dining area where employees help themselves to free snacks and freshly brewed coffee. Built by Northrop in 1966, the building was used most recently to assemble Boeing 747 fuselages.

Dragon looks like a larger, slimmer version of the Mercury, Gemini, and Apollo capsules that once lofted Americans into space. But if SpaceX is going to launch astronauts, it will have to become the first private company to meet a little-known set of NASA safety standards, NPR 8705.2B, "Human-Rating Requirements for Space Systems." It's NASA's guidebook for getting people to space, and was revised after the agency's last manned space system, the space shuttle, turned out to be less safe than many had expected.

NASA broadly defines human rating as a design process. Spacecraft with humans aboard must offer them enough control to get out of bad situations, and to take advantage of ways to make the flight a success. A crew must have a means to recover from all sorts of emergencies, from launch pad to orbit.

The guidelines express a philosophy: "Above all, human rating is more than a set of requirements, a process or a certification," say the new standards, adopted last year. Wilson Harkins, mission support director in NASA's Office of Safety and Mission Assurance, says human rating is not so much a sheet of paper with boxes to check as it is an attitude. "It involves a mindset, instilled by leadership," he says, "where each person feels personally responsible for their piece of the design and for the safety of the crew."

Concerns about safety are driving NASA's plans to retire the space shuttle next year. The agency's successor program, Constellation, includes a rocket, Ares I, and capsule, Orion, that won't be ready until 2015 at the earliest. During the five-year gap, NASA's alternative is to buy seats on Russia's Soyuz capsule. But SpaceX's Dragon, developed in part with NASA money, may offer a homebuilt, economical alternative. The company plans to stick to a budget that would make its seats a bargain at no more than $15 million each—those on the Soyuz capsule now cost between $35 million and $45 million. So, SpaceX will test a key question: Is it possible to make a rocket safe enough for humans and cheaper than its predecessors?

The self-assured founder of this enterprise is Elon Musk, 37, who raked in millions starting PayPal and selling it to eBay. Musk recalls riding as a kid in the front seat of a car without a seat belt. "If there would have been an accident I would have been 100 feet down the road," he says, chuckling. Society has grown less tolerant of risk, he says. "It wouldn't be acceptable today to put someone on an Atlas or a Titan," intercontinental ballistic missiles converted into launch vehicles for NASA's early astronauts.

Author Andrew Smith writes in his book, Moondust, about his conversation with Rene Carpenter, who was married to Scott Carpenter at the time he became the second American in orbit. "You know, I was on the beach with Jo Schirra [wife of astronaut Walter Schirra] for the last Atlas test firing," she says, "and it blew up right in front of us! It was terrifying, but there was a fatalism among the wives, a lot of gallows humor. You'd say 'Oh, thank God the monkey wasn't in that one.' "

With degrees in economics and physics, Musk has thought plenty about making launch vehicles safe. He considers interplanetary travel one of the most important steps in the evolution of life, which he reasons is likelier to last if it exists beyond Earth. "If the future is one where we're forever stuck on Earth, that just seems really depressing to me," he says. He sits in a corner cubicle of the SpaceX building, pondering each question during an interview. Model rockets, airplanes, and robots crowd the corners of his desk. "Exploration for the purpose of gaining knowledge is obviously a worthwhile endeavor, but it is important to remember that we're just discovering what's already there. Scientists, and I count myself partly as one, sometimes forget that science is only relevant if humanity continues to survive." Musk says he wouldn't put anyone on his rocket if he didn't think it was safe enough to fly his friends and himself.

That was particularly relevant in October 2008, just after SpaceX sent Falcon 1, its first and smallest rocket, into orbit. This followed three launches that ended with problems such as the rocket tumbling out of control. "I thought getting to orbit would be tough, but it was tougher than tough," Musk says.

The next step is Falcon 9, a 180-foot-tall, two-stage rocket, 17 feet in diameter at its widest point, with nine of SpaceX's regeneratively cooled engines instead of one. Falcon 9 is set for its first launch from Florida this spring.

NASA is investing in Falcon 9 through its Commercial Orbital Transportation Services, or COTS, program, to help develop private space vehicles the agency might someday hire. The seed money will help SpaceX fund the expensive process of engineering and certifying Dragon and Falcon 9 to carry cargo and, eventually, humans to and from the space station.

SpaceX has so far met all of NASA's milestones and is ahead of Orbital Sciences Corporation, the other company receiving COTS funding. SpaceX designed Falcon 9 and the Dragon capsule to be human-rated from the start, without any assurance NASA would ask for this. As it will dock with the manned space station, Dragon must meet about 80 percent of the human-rating standards anyway.

Human-rating requirements fall into three main areas: structural elements, such as fuel tank walls; redundancy, such as backup power and control systems; and mission design, such as launch trajectory, which determines G force—cargo can withstand a lot more of it than the human body can. Following the two shuttle disasters, NASA's Astronaut Office insisted that any new launch system be an order of magnitude safer than the shuttle. "If we wish to send explorers into space on increasingly ambitious missions, we must first solve the problem of putting humans into orbit more safely than is possible with our current launch systems," the office wrote in a May 2004 memo. The shuttle is statistically likely to suffer nine fatal accidents per 1,000 launches; the Astronaut Office wanted no more than one.

Unlike the Russians' Soyuz, the shuttle has no means of escape if something goes disastrously wrong during ascent. So NASA's human-rating standards now require an automated abort-and-escape system that works all the way to orbit.

In fact, a vehicle less dependable than the shuttle's boosters could be made safer with one modification: an Apollo-style abort system, which bundled powerful rockets in a small tower atop the stack to lift the capsule away from a failing booster. A similar unit on the Soyuz has twice saved cosmonauts, once on the launch pad and once in flight. NASA plans to equip Orion with such a system.

The rocket trajectory, though, must be designed so that astronauts would survive an abort. Unmanned rockets such as the Delta IV and Atlas V, which have relatively underpowered second stages, fly a "lofted trajectory," where the first stage shoots them very high and they actually start falling before the second stage lifts them again. If astronauts abort near the high point, their capsule could plummet straight down and belly flop on the atmosphere at extreme G force. "Structural safety margins will be blown to hell, and you'll almost certainly kill people," Musk says flatly. "This was one of the main reasons given by NASA for not using those vehicles for manned spaceflight."

So SpaceX designed Falcon 9 with a second stage about four times as powerful as that of an Atlas or a Delta, allowing for a more slanted, softer trajectory into space. The fuel's weight adds cost, but if astronauts abort, their flight path will catapult Dragon horizontally, slicing more gradually into the atmosphere.

Falcon 9 will be the first rocket since Saturn that can lose an engine without compromising the mission. The vehicle's main structure will be built to withstand flight loads 40 percent higher than what engineers expect it to encounter. The safety margin for unmanned rockets is 25 percent above expected loads.

Riding a rocket is sort of like sitting atop a controlled, sustained explosion. Falcon 9's engines exert nearly a million pounds of force, consuming 3,200 pounds of propellant each second. The rocket must control the explosion all the way to space, while also doing battle with sound. The most intense stresses occur at liftoff, when sound energy from the engines bounces off the ground and slams back into the rocket. Sound levels reach 140 decibels, louder than an up-close ambulance siren and enough to immediately injure human eardrums and damage components mounted near a rocket's outer skin. The most intense pressure after launch accumulates as the rocket goes supersonic, when shock waves and buffeting come close to what the rocket faces at liftoff.

Russian spacecraft, says NASA spokesman John Yembrick, rely heavily on beefier mechanical structures for safety rather than complex backup systems. In the mid-1990s, NASA compared the design and standards for the Russian Soyuz spacecraft to its own and concluded that both NASA and Roscosmos, Russia's space agency, have equivalent safety requirements, though the Russians follow a different path to meet those parameters. NASA's decision to put American astronauts on Soyuz for a ride to the space station was based on the rocket's history of safety and reliability. NASA felt it would have been inappropriate to ask Roscosmos to redesign Soyuz to match NASA's human-rating process.

A sensitive word related to human rating is "tradeoff." It's always possible to build something sturdier and, presumably, safer, but at some point it will be doomed by its own weight or expense. When launching a satellite, businesses will accept a certain amount of risk as a tradeoff for keeping costs down. But the public, and by extension, NASA, will not do the same with people.

"There is a correlation between predicted reliability and cost," says Jeff Ward, vice president of avionics, guidance, and control at SpaceX. "Obviously, in manned spaceflight, we are prepared to pay the cost for very high levels of predicted reliability, because life is at stake. For unmanned missions, customers trade off cost and confidence. They recognize that there is a point of diminishing returns where spending more money doesn't make the vehicle more reliable in practice, and doesn't make sense for their business plans."

But designing launch systems is as much about juggling demands as it is about engineering. "It doesn't matter whether you're doing a rocket, a washing machine, a car, or whatever it is, it's always a balancing act," says Neil Otte, chief engineer of Ares projects at NASA's Marshall Space Flight Center. He compares the undertaking to designing a table—its construction depends on whether it's to be used in a dining room or a workshop. Engineers weigh the risk of failure based on a rocket's uses, and design in immunity to the risk or put backup controls in place.

Astronauts themselves constitute a kind of backup system: They can detect and react to events, as they did on Apollo 13, in a way that mechanical systems cannot, says Harkins. However, the human-rating standards also require a form of backup for astronauts; any manned spacecraft must be designed to guard against human error too.

The way manned spacecraft fail must meet certain standards. NASA's human-rating rules say "it is also highly desirable that the spaceflight system performance degrades in a predictable fashion to allow sufficient time for failure detection and, when possible, system recovery even when experiencing multiple failures." The simplest kind of failure, a hard fault, occurs when, say, a valve or a control panel just breaks. The more challenging kind, a soft fault, happens when hiccups in a monitoring system or computer cause it to misread a situation and conclude that a valve is broken when it isn't, or vice versa. NASA's human-rating rules are not specific about dealing with soft faults. They say that designers should do everything possible to guard against such bugs in the software. SpaceX has hired an expert in the field to design a sophisticated system that polls the computers and decides what's correct.

In its latest human-rating requirements, NASA has shifted away from specific criteria—the 40 percent structural safety margin, for example—and toward the premise that engineers should make launch systems as safe as they possibly can and then test the heck out of them. For the Ares I rocket, specific criteria hold it to the 40 percent margin, but engineers can use a smaller one if tests allow. The shuttle's second-generation external fuel tanks were moved to a 25 percent margin, but only after rigorous testing.

For SpaceX, the only upgrades required for Dragon to carry people are the Apollo-style abort-and-escape system, seats, and a full life support system. It will cost about $300 million to go from transporting cargo to transporting people, most of it for the escape system and the test flights the human-rating rules require. SpaceX has already negotiated the finances of this step with NASA.

Meanwhile, NASA has had to deal with a snag in the progress of its own vehicle. Early analysis of the Ares I solid rocket first stage, derived from the space shuttle's boosters, revealed that it would develop a dangerous thrust oscillation, or pogo effect, in flight. Gases swirling inside the booster would begin to resonate with the whole structure like sound vibrations in an organ pipe. About 115 seconds into the flight, astronauts would suddenly feel like they were on the end of a jackhammer, unable to read the instrument panel or flip switches. Engineers have solved the problem with a spring-and-damper system between the booster and the second-stage rocket, and a set of 16 spring-mounted weights in the skirt at the bottom of the booster.

Other Ares I tests are yielding encouraging results, including recent firings of the Apollo-style launch-abort system in the Utah desert.

"The most obvious difference between Constellation and the shuttle is the abort/escape design," says Bryan O'Connor, chief of NASA's Office of Safety and Mission Assurance. "We did not require crew escape for the shuttle past the fourth flight. The Constellation abort system, like Apollo, Gemini, and Mercury, will be designed to save the crew from any number of catastrophic system failures."

Lesser known rockets called ullage settling motors are being tested; they'll fire for a few seconds at stage separation to nudge the top half of Ares I forward from the booster. This will cause fuel in the second, liquid-fuel stage to slosh rearward in the tanks, helping to ensure second-stage ignition. And Pratt &Whitney Rocketdyne's cryogenic engine for NASA's new lunar lander, based on the company's RL10 lunar landing engine from the Apollo days, is a critical human-rating element of Constellation. Last January the new engine completed a third round of hot-fire tests that showed it can be throttled from 100 percent down to 10 percent, and should allow for a feather-soft touchdown on the lunar surface, with humans aboard, when that day comes. 

Michael Milstein is a frequent contributor to Air & Space/Smithsonian.