From: National Transportation Safety Board
Posted: Tuesday, July 28, 2015
NATIONAL TRANSPORTATION SAFETY BOARD
Public Meeting of July 28, 2015
(Information subject to editing)
In-Flight Breakup During Test Flight
Scaled Composites SpaceShipTwo, N339SS
Near Koehn Dry Lake, California
October 31, 2014
This is a synopsis from the NTSB's report and does not include the Board's rationale for the conclusions, probable cause, and safety recommendations. NTSB staff is currently making final revisions to the report from which the attached conclusions and safety recommendations have been extracted. The final report and pertinent safety recommendation letters will be distributed to recommendation recipients as soon as possible. The attached information is subject to further review and editing.
On October 31, 2014, at 1007:32 Pacific daylight time, the SpaceShipTwo (SS2) reusable suborbital rocket, N339SS, operated by Scaled Composites LLC (Scaled), broke up into multiple pieces during a rocket-powered test flight and impacted terrain over a 5-mile area near Koehn Dry Lake, California. The pilot received serious injuries, and the copilot received fatal injuries. SS2 was destroyed, and no one on the ground was injured as a result of the falling debris. SS2 had been released from its launch vehicle, WhiteKnightTwo (WK2), N348MS, about 13 seconds before the structural breakup. Scaled was operating SS2 under an experimental permit issued by the Federal Aviation Administration's (FAA) Office of Commercial Space Transportation (AST) according to the provisions of 14 Code of Federal Regulations (CFR) Part 437.
Scaled had developed WK2 and was developing SS2 for Virgin Galactic, which planned to use the vehicles to conduct future commercial space suborbital operations. SS2 was equipped with a feather system that rotated a feather flap assembly with twin tailbooms upward from the vehicle's normal configuration (0) to 60 to stabilize SS2's attitude and increase drag during reentry into earth's atmosphere. The feather system included actuators to extend and retract the feather and locks to keep the feather in the retracted position when not in use.
After release from WK2 at an altitude of about 46,400 ft, SS2 entered the boost phase of flight. During this phase, SS2's rocket motor propels the vehicle from a gliding flight attitude to an almost-vertical attitude, and the vehicle accelerates from subsonic speeds, through the transonic region (0.9 to 1.1 Mach), to supersonic speeds. The flight test data card used during the accident flight indicated that the copilot was to unlock the feather during the boost phase when SS2 reached a speed of 1.4 Mach. (The feather was unlocked at this point in the flight to mitigate the hazard resulting from a reentry with the feather
down due to a lock failure.) However, a forward-facing cockpit camera and flight data showed that the copilot unlocked the feather just after SS2 passed through a speed of 0.8 Mach. Afterward, the aerodynamic and inertial loads imposed on the feather flap assembly were sufficient to overcome the feather actuators, which were not designed to hold the feather in the retracted position during the transonic region. As a result, the feather extended uncommanded, causing the catastrophic structural failure.
Before Scaled received its experimental permit to conduct rocket-powered test flights for SS2, the company prepared an experimental permit application for the FAA/AST's review. One of the pertinent regulations relating to the issuance of an experimental permit is 14 CFR 437.55, "Hazard Analysis," which, among other things, requires the applicant to identify and describe those hazards that could result from human errors. In its SS2 hazard analysis, Scaled did not account for the possibility that a pilot might prematurely unlock the feather system, allowing the feather to extend under conditions that would cause a catastrophic failure of the vehicle structure. Instead, Scaled assumed that pilots would correctly operate the feather system every time because they would be properly trained through simulator sessions and would follow the normal and emergency procedures for a given situation. However, this accident demonstrated that mistakes can occur even with a flight crewmember who had extensive flight test experience and had performed numerous preflight simulations during which the feather was unlocked at the proper speed of 1.4 Mach.
The FAA/AST evaluated Scaled's SS2 experimental permit applications and granted the initial SS2 permit in May 2012 and the first and second renewals of the permit in May 2013 and May 2014, respectively. After granting the first renewal of the permit, the FAA/AST conducted another review of the SS2 hazard analysis included in Scaled's application and determined that the hazard analysis did not meet the software and human error requirements of 14 CFR 437.55(a). As a result, in July 2013, the FAA/AST issued a waiver from these hazard analysis requirements for the first renewal of Scaled's experimental permit. Scaled did not request the waiver, participate in the waiver evaluation process, or have an opportunity to comment on the waiver before it was issued (except to identify proprietary information that should not be disclosed). In May and October 2014 (as part of the second renewal of Scaled's SS2 experimental permit and Scaled's application to modify the permit to reflect changes made to SS2, respectively), the FAA/AST issued additional waivers from the software and human error hazard analysis requirements of section 437.55(a).
The FAA/AST determined that each of the waivers was in the public interest and would not jeopardize public health and safety, safety of property, or US national security and foreign policy interests. The FAA/AST also determined that, even though Scaled's hazard analysis did not comply with software and human error regulatory requirements, specific mitigations that Scaled had in place would prevent hazards resulting from such errors. However, the FAA/AST issued the waivers without understanding whether the mitigations would adequately protect against a single human error with catastrophic consequences. In addition, the FAA/AST did not determine whether mitigations, other than those intended to protect against human error, were sufficient to ensure public safety.
The NTSB identified the following safety issues as a result of this accident investigation:
Lack of human factors guidance for commercial space operators. Scaled did not emphasize human factors in the design, operational procedures, hazard analysis, and simulator training for SS2. For example, by not considering human error as a potential cause of uncommanded feather extension on the SS2 vehicle, Scaled missed opportunities to identify design and/or operational factors that could have mitigated the catastrophic consequences of a single human error during a high workload phase of flight. To prevent a similar situation from recurring, commercial space operators should fully consider human factors during a commercial space vehicle's design and operation. However, because commercial space flight is an emerging industry, no guidance currently exists specifically for commercial space operators that advises them to, among other things, obtain human factors expertise, consider human error in hazard analyses, ensure that hazard analyses avoid or adequately mitigate single-point failures, and ensure that flight crews are aware of known catastrophic hazards that could result from a single human error. Efficacy and timing of preapplication consultation process. Experimental permit applicants are required to consult with the FAA/AST before formally submitting their applications, and individual operators can decide when to begin this process. The SS2 preapplication process began about 2 years before Scaled submitted its initial application but after the vehicle had been designed and manufactured. At that point, it could have been difficult and costly for Scaled to make changes to SS2 if the FAA/AST had found inadequacies in Scaled's hazard analysis during preapplication consultations. Thus, the experimental permit preapplication consultation process would be more effective if it were to begin during a commercial space vehicle's design so that concerns could be resolved and potential catastrophic hazards resulting from human error could be identified early in a vehicle's development.
Limited interactions between the FAA/AST and applicants during the experimental permit evaluation process. As a part of the review of Scaled's experimental permit application, FAA/AST technical staff developed questions for Scaled technical staff related to SS2's design and operation, many of which were necessary to understand potential operational hazards and the design, operational, and management controls that would be needed to comply with FAA regulations to ensure public safety. However, some FAA/AST technical staff members reported that their questions that did not directly relate to public safety were filtered by FAA/AST management to reduce the burden on Scaled. The dividing line between the questions that the FAA/AST needs to ask to determine the risk to the public and those to assess mission objectives is not always apparent because certain aspects of a vehicle's design and operation could impact both public safety and mission safety assurance. Thus, more extensive interactions between FAA/AST technical staff and prospective experimental permit applicants during permit evaluations would help to perform this work more effectively in the future.
Missed opportunities during the FAA/AST's evaluations of hazard analyses and waivers from regulatory requirements. The FAA/AST approved the initial and first renewal of the SS2 experimental permit without recognizing that the SS2 hazard analysis did not identify single flight crew tasks that, if performed incorrectly or at the wrong time, could result in a catastrophic hazard. Also, the FAA/AST did not consult with Scaled technical staff after determining that waivers would be necessary or ask Scaled to correct the areas of noncompliance. In addition, the FAA/AST issued the waivers without verifying that Scaled was performing the mitigations cited in the waiver or assessing the effectiveness of these mitigations.
Limited inspector familiarity with commercial space operators. The FAA/AST conducts inspections before and during a commercial space flight to ensure compliance with federal regulations and the experimental permit and verify that the representations made in the experimental permit application are still accurate. FAA/AST inspectors were assigned to individual launch operations and not to specific commercial space operators. The FAA/AST safety inspectors who were assigned to the accident test flight had not been assigned to previous Scaled test flights. As a result, the inspectors had limited time to understand Scaled's training, procedures, and operations before conducting safety inspections. FAA/AST inspectors who are assigned to commercial space operators (rather than individual commercial space launch operations) could become more familiar with the operators and could bring continuity and consistency to the inspection process.
Incomplete commercial space flight database for mishap lessons learned. During 2010, the FAA/AST began efforts to create a mishap lessons learned database, the Commercial Space Transportation Lessons Learned System, but this database has not yet been fully developed. The aviation industry has databases documenting accident and incident findings and effective corrective actions, which have been highly beneficial in preventing accidents and reducing fatal accident rates. A fully implemented and transparent commercial space mishap database could not only benefit safety (by disseminating lessons learned) but could also promote growth while the industry is in its current formative stage. Need for improved emergency response planning. Scaled conducted its flight tests from Mojave Airport (MHV). A helicopter that was specifically prepared for and tasked with supporting an emergency response to a potential SS2 accident was not prepositioned at MHV, even though that helicopter had been prepositioned at the airport for SS2's three previous powered flights. As a result, the helicopter was delayed in reaching the injured pilot. Another helicopter with advanced life support capabilities was located at MHV but was not placed on standby (before the accident flight) in case an accident were to occur. Thus, Scaled and local emergency response officials could improve their emergency readiness for future test flights by making better use of available helicopter assets. Other commercial space operators could benefit from taking the same action.
1. Although the copilot made the required 0.8 Mach callout at the correct point in the flight, he incorrectly unlocked the feather immediately afterward instead of waiting until SpaceShipTwo reached the required speed of 1.4 Mach.
2. The unlocking of the feather during the transonic region resulted in uncommanded feather operation because the external aerodynamic loads on the feather flap assembly were greater than the capability of the feather actuators to hold the assembly in the unfeathered position with the locks disengaged.
3. The copilot was experiencing high workload as a result of recalling tasks from memory while performing under time pressure and with vibration and loads that he had not recently experienced, which increased the opportunity for errors.
4. The pilot and copilot were properly certificated and qualified. Fatigue and medical and pathological issues were not factors in this accident. The recovered vehicle components showed no evidence of any structural, system, or rocket motor failures before the in-flight breakup.
5. SpaceShipTwo's instantaneous impact point on the day of the accident was consistent with the requirements of 14 Code of Federal Regulations 437.57, "Operating Area Containment."
6. Although Scaled Composites' systems safety analysis (SSA) correctly identified that uncommanded feather operation would be catastrophic during the boost phase of flight and that multiple independent system failures had to occur to result in this hazard, the SSA process was inadequate because it resulted in an analysis that failed to (1) identify that a single human error could lead to unintended feather operation during the boost phase and (2) consider the need to more rigorously verify and validate the effectiveness of the planned mitigation measures.
7. By not considering human error as a potential cause of uncommanded feather extension on the SpaceShipTwo vehicle, Scaled Composites missed opportunities to identify the design and/or operational requirements that could have mitigated the consequences of human error during a high workload phase of flight.
8. Scaled Composites did not ensure that the accident pilots and other SpaceShipTwo test pilots adequately understood the risks of unlocking the feather early.
9. Human factors should be emphasized in the design, operational procedures, hazard analysis, and flight crew simulator training for a commercial space vehicle to reduce the possibility that human error during operations could lead to a catastrophic event.
10. The Federal Aviation Administration Office of Commercial Space Transportation's evaluations of Scaled Composites' initial and first renewal of the SpaceShipTwo experimental permit application were deficient because the evaluations failed to recognize that Scaled Composites' hazard analysis did not meet regulatory requirements to identify hazards caused by human error.
11. The lack of direct communications between Federal Aviation Administration Office of Commercial Space Transportation technical staff and Scaled Composites technical staff, the pressure to approve experimental permit applications within a 120-day review period, and the lack of a defined line between public safety and mission safety assurance interfered with the Federal Aviation Administration's ability to thoroughly evaluate the SpaceShipTwo experimental permit applications.
12. The Federal Aviation Administration Office of Commercial Space Transportation did not ensure that Scaled Composites was in compliance with the mitigations cited in the waiver from regulatory requirements or determine whether those mitigations would adequately address human errors with catastrophic consequences.
13. The experimental permit preapplication consultation process would be more effective if it were to begin during a commercial space vehicle's design phase so that concerns can be resolved before a commercial space vehicle is developed and manufactured and potential catastrophic hazards resulting from human error can be identified early.
14. The effectiveness of the Federal Aviation Administration Office of Commercial Space Transportation's inspection process would be improved if inspectors were assigned to commercial space operators rather than individual commercial space launch operations because the inspectors could become more familiar with the operators' training and procedures and could identify ways to enhance safety.
15. A database of lessons learned from commercial space mishap investigations would provide mutual benefits to public safety and industry promotion and would thus be consistent with the Federal Aviation Administration's mission and authority.
16. Scaled Composites and local emergency response officials could improve their emergency readiness for future test flights by making better use of available helicopter assets.
17. Additional parachute training and procedures would have better prepared Scaled Composites' test pilots for emergency situations.
The National Transportation Safety Board determines that the probable cause of this accident was Scaled Composites' failure to consider and protect against the possibility that a single human error could result in a catastrophic hazard to the SpaceShipTwo vehicle. This failure set the stage for the copilot's premature unlocking of the feather system as a result of time pressure and vibration and loads that he had not recently experienced, which led to uncommanded feather extension and the subsequent aerodynamic overload and in-flight breakup of the vehicle.
As a result of this investigation, the National Transportation Safety Board makes the following safety recommendations:
To the Federal Aviation Administration:
1. In collaboration with the Commercial Spaceflight Federation, develop and issue human factors guidance for operators to use throughout the design and operation of a crewed vehicle. The guidance should address, but not be limited to, the human factor issues identified during the SpaceShipTwo accident investigation.
2. Implement steps in your evaluation of experimental permit applications to ensure that applicants have (1) identified single flight crew tasks that, if performed incorrectly or at the wrong time, could result in a catastrophic hazard, (2) assessed the reasonableness, including human factor considerations, of the proposed mitigations to prevent errors that could result from performing those tasks, and (3) fully documented the rationale used to justify related assumptions in the hazard analysis required by 14 Code of Federal Regulations 437.55
3. Develop a process to determine whether an experimental permit applicant has demonstrated the adequacy of existing mitigations to ensure public health and safety as well as safety of property before granting a waiver from the human error hazard analysis requirements of 14 Code of Federal Regulations 437.55.
4. Develop and implement procedures and guidance for confirming that commercial space operators are implementing the mitigations identified in a safety-related waiver of federal regulations and work with the operators to determine the effectiveness of those mitigations that correspond to hazards contributing to catastrophic outcomes.
5. Develop and issue guidance for experimental permit applicants that (1) includes the information in Advisory Circular 413-1, "License Application Procedures," and (2) encourages commercial space vehicle manufacturers to begin the consultation process with the Office of Commercial Space Transportation during a vehicle's design phase.
6. Develop and implement a program for Office of Commercial Space Transportation inspectors that aligns them with individual operators applying for an experimental permit or a launch license to ensure that the inspectors have adequate time to become familiar with the technical, operational, training, and management controls that they will inspect.
7. Direct Office of Commercial Space Transportation (AST) management to work with AST technical staff to (1) develop clearer policies, practices, and procedures that allow direct communications between staff and applicants, (2) provide clearer guidance on evaluating commercial space transportation permits, waivers, and licenses, and (3) better define the line between the information needed to ensure public safety and the information pertaining more broadly to ensuring mission success.
8. In collaboration with the commercial space flight industry, continue work to implement a database of lessons learned from commercial space mishap investigations and encourage commercial space industry members to voluntarily submit lessons learned.
To the Commercial Spaceflight Federation:
9. Advise commercial space operators to work with local emergency response partners to revise emergency response procedures and planning to ensure that helicopter and other resources are appropriately deployed during flights.
10. Work with the Federal Aviation Administration to develop and issue human factors guidance for operators to use throughout the design and operation of a crewed vehicle. The guidance should address, but not be limited to, the human factor issues identified during the SpaceShipTwo accident investigation.
// end //