Chair Force Engineer

Friday, December 11, 2009

Thoughts About Rocket Reliability

Much has been written in great detail about the reliability of launch vehicles. In the case of the Space Shuttle, the Loss-of-Mission probability of 1:100,000 (promoted by NASA management prior to the loss of Challenger) has turned into an empirical record in which greater than one in 65 shuttle missions ended in loss of crew and vehicle.

Theoretical and empirical probabilities are two very different animals, especially when it comes to launch vehicle failure rates. Elon Musk once boasted something along the lines of "Falcon I would be the most reliable rocket vehicle ever produced." On paper, he was correct. There were only two stages, one of which was powered by a simple, pressure-fed and radiatively-cooled engine. When adding up all of the probabilities of the different failure modes, the vehicle had an extremely low probability of loss-of-mission. But there are so many factors to consider when identifying failure modes. When the consultants at Aerospace Corporation computed the odds of a Falcon I failure, did they look at things like corroded nuts on the first stage, sloshing in the second stage, or unexpected transients with the upgraded Merlin engine? The last of these three problems (which doomed the first three Falcon missions, respectively) was certainly neglected in the analysis of the original Falcon configuration.

Failure probabilities rarely take into account the factor of human error. In the case of Challenger, the failure probability quoted by NASA management never took into account the lack of data about SRB joint behavior in extremely cold weather conditions. In Challenger's instance, managers on the NASA and SRB contractor side exercised criminal stupidity in violating established flight rules. Should risk assessments take the probability of criminal stupidity into account?

Ares I is supposed to be "Safe, Simple and Soon." ATK can justify their slogan by pointing to the booster's solid-fuel first stage. As at least one shuttle astronaut has said, "Once the SRBs light, you know you're going somewhere." SRBs have very reliable ignition systems. The probability of a single SRB failing at ignition is very low, hence the claims from ATK and NASA (which will certainly look inflated when compared to the empirical data that will come from a real, flying Ares I) that this is the safest manned launch vehicle.

Yet the reliability of Ares I's ignition system is not necessarily a boon when compared to other launchers. SpaceX's Falcon series holds down the booster for a short period of time after engine ignition to verify the health of the engines. The booster is only released after SpaceX's launch team is certain that the vehicle is healthy. Even the shuttle has a similar hold-down, igniting the liquid engines first and verifying their health before lighting the SRBs which provide the thrust for liftoff. But once the SRBs ignited, there was no way the team at the Cape could have held Challenger back for some kind of health check to establish the integrity of the SRB joint seals.

In the case of Falcon 9, the nine engines may seem to multiply the probability of a failure ruining your launch day. Yet the step of verifying engine health on the pad reduces the probability of a fatal engine failure early in ascent. As the vehicle climbs and burns off fuel, it can afford to lose engines and still have enough thrust to achieve orbit. The system is akin to an airliner that tests its engines on the ground yet can still afford an engine failure during the cruise portion of the flight.
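As an added illustration of the two views of a nine-engine first stage (this is my own example, not code from the post or from SpaceX), the model below compares the naive "any engine failure is a lost mission" count against one that includes a pad hold-down check and an engine-out margin that grows as propellant burns off. The same `series_loss` helper covers the later point that adding strap-on solids adds series elements and raises the overall loss probability. Every number in it (per-engine failure probability, hold-down effectiveness, how many failures each phase tolerates, the strap-on and upper-stage figures) is a constructed assumption, not flight data.

```python
"""Added example, not code from the original post or from SpaceX/NASA.

Models the point made above: a cluster of n engines looks worse than a
single engine if you only ask "what is the chance that ANY engine
fails?", but a pad hold-down check plus engine-out tolerance that grows
as propellant burns off changes the loss-of-mission picture. Every
number below (per-engine failure probability, how many failures each
phase absorbs, how effective the hold-down check is) is a constructed
assumption, not flight data.
"""
from math import comb


def p_at_least_k_of_n(n, p, k):
    """Probability that at least k of n independent units fail,
    each with failure probability p (binomial upper tail)."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return sum(comb(n, j) * p**j * (1 - p) ** (n - j) for j in range(k, n + 1))


def naive_any_engine_failure(n_engines, p_engine):
    """The 'nine engines multiply the risk' view: any single engine
    failure is counted as a lost mission."""
    return p_at_least_k_of_n(n_engines, p_engine, 1)


def engine_cluster_loss(n_engines, p_engine, hold_down_catch, phases):
    """Loss-of-mission probability for an engine cluster.

    hold_down_catch: fraction of defective engines the pad hold-down
        detects before release (an abort on the pad is a scrub, not a loss).
    phases: list of (share_of_residual_failures, engines_tolerated),
        shares summing to 1. A phase is lost when more engines fail
        than it can tolerate. Phases are treated as independent, which
        slightly understates risk because an early engine-out leaves
        less margin later in the burn.
    """
    p_residual = p_engine * (1.0 - hold_down_catch)
    survive = 1.0
    for share, tolerated in phases:
        p_phase = p_residual * share
        survive *= 1.0 - p_at_least_k_of_n(n_engines, p_phase, tolerated + 1)
    return 1.0 - survive


def series_loss(*element_loss_probs):
    """Loss probability of independent elements in series (stages,
    strap-on boosters): the mission survives only if every element does."""
    survive = 1.0
    for p in element_loss_probs:
        survive *= 1.0 - p
    return 1.0 - survive


# Constructed scenario: 9 first-stage engines, 2% chance each of a
# flight-ending defect, half of which the hold-down check would catch.
P_ENGINE = 0.02
HOLD_DOWN_CATCH = 0.5
PHASES = [
    (0.2, 0),  # liftoff: no engine-out margin yet
    (0.4, 1),  # mid first-stage burn: one engine out is survivable
    (0.4, 2),  # late burn: two engines out is survivable
]

if __name__ == "__main__":
    naive = naive_any_engine_failure(9, P_ENGINE)
    modelled = engine_cluster_loss(9, P_ENGINE, HOLD_DOWN_CATCH, PHASES)
    print(f"naive 'any of 9 fails':      {naive:.4f}")
    print(f"with hold-down + engine-out: {modelled:.4f}")
    # Same first stage plus a constructed 1% upper-stage loss, with and
    # without three constructed 0.5% strap-on boosters in series.
    print(f"first + upper stage:         {series_loss(modelled, 0.01):.4f}")
    print(f"...plus three strap-ons:     {series_loss(modelled, 0.01, 0.005, 0.005, 0.005):.4f}")
```

With the constructed inputs the naive view gives roughly a 1-in-6 chance that some engine fails, while the hold-down plus engine-out model gives a loss-of-mission figure under 2%; the gap is the whole point of the airliner analogy, and the series helper shows why each added solid can only push the total loss probability up.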

Flight International's Rob Coppinger reports that Atlas V was deemed unsafe for manned spaceflight during the Orbital Space Plane program, at least in its variant with three SRBs attached to the first stage. Politically, there may be good reasons for disqualifying Atlas V (the Russian-produced main engine). From a safety perspective, the addition of SRBs does create more failure modes and increase the statistical probability of launch failure. (It would seem that NASA rejects the idea of one liquid engine plus three solids as unsafe, even though the shuttle's three liquid engines and two solids are perfectly fine.) But that's not to say the entire Atlas V family is inherently unsafe. Statistically speaking, the simplest Atlas (the 401 variant, with one first stage engine and one second stage engine) is the safest; it wasn't considered for the OSP program because the SRBs were necessary to lift OSP's mass. For a smaller capsule, Atlas V may meet stringent safety requirements.

The big idea is that there's a vast difference between wildly optimistic estimates of reliability (based on mathematical equations that often neglect major failure modes) and empirical failure rates that are established once a vehicle has flown. I remain optimistic about the human-rating potential for Delta and Atlas because both vehicles have flight histories without a failure that ended in loss of mission. (There was the Delta IV Heavy partial failure and the Atlas V partial failure that resulted in lower orbits for their payloads, but nothing that would have killed a crew.) Falcon I seems to be on the right track for a reliable launch record now that the problems have been ironed out. Falcon 9 can hopefully reuse the flight-tested Falcon I hardware and establish a similar reliability.

Ares I creates tremendous unknowns from a reliability standpoint. Due to the size of the explosion after range safety destroys the vehicle, any kind of first stage failure (even a control failure) should be regarded as unsurvivable for the crew. (I may revise my judgment on this matter once more detailed, independent analysis of the problem is complete.) Virtually none of the Ares I hardware has any empirical probability data that comes from flight history, in spite of the smoke and mirrors act known as "Ares I-X." Hopefully the Ares guys know what they're doing, but my gut tells me that Ares, like Shuttle, will be a tragic disappointment once the vehicle's safety is truly known.
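The two preceding points, that empirical failure rates only exist once a vehicle has flown and that an unflown vehicle has no such data at all, can be made concrete with a small added example (mine, not code from the post). Given nothing but a flight record, it reports the raw rate, the Laplace rule-of-succession estimate that refuses to read a short clean record as "perfect", and an exact one-sided binomial upper confidence bound on the true failure probability, found by bisection on the binomial CDF so that no SciPy is needed. The flight counts fed to it are inputs I chose for illustration, not figures taken from the post.

```python
"""Added example, not code from the original post.

Empirical reliability from a flight history alone: n flights, k losses
of mission. Three numbers a reviewer wants: the raw rate k/n, the
Laplace rule-of-succession estimate (k+1)/(n+2), and an exact
(Clopper-Pearson style) upper confidence bound on the per-flight
failure probability. Flight counts in the demo are illustrative
inputs chosen here, not the post's figures.
"""
from math import comb


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, j) * p**j * (1 - p) ** (n - j) for j in range(0, k + 1))


def failure_rate_upper_bound(n_flights, n_failures, confidence=0.95):
    """One-sided exact upper bound on the per-flight failure probability:
    the largest p still consistent with seeing no more than n_failures
    in n_flights at the given confidence. With zero flights every p is
    consistent with the record, so the bound is 1.0 (no information)."""
    if n_flights == 0 or n_failures >= n_flights:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0  # binom_cdf(k, n, p) decreases monotonically in p
    for _ in range(200):
        mid = (lo + hi) / 2
        if binom_cdf(n_failures, n_flights, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def laplace_rate(n_flights, n_failures):
    """Rule of succession: treats an unflown vehicle as 50/50 and moves
    toward the observed rate as flights accumulate."""
    return (n_failures + 1) / (n_flights + 2)


def reliability_summary(n_flights, n_failures, confidence=0.95):
    """Empirical picture of a vehicle from its flight record alone."""
    raw = n_failures / n_flights if n_flights else None
    return {
        "flights": n_flights,
        "failures": n_failures,
        "raw_rate": raw,
        "laplace_rate": laplace_rate(n_flights, n_failures),
        "upper_bound": failure_rate_upper_bound(n_flights, n_failures, confidence),
    }


if __name__ == "__main__":
    # Illustrative records chosen here: a long-serving vehicle with two
    # losses, a young vehicle with a clean record, and an unflown one.
    for name, flights, failures in [
        ("mature, two losses", 129, 2),
        ("young, clean record", 5, 0),
        ("never flown", 0, 0),
    ]:
        s = reliability_summary(flights, failures)
        raw = "n/a" if s["raw_rate"] is None else f"1 in {1 / s['raw_rate']:.0f}"
        print(f"{name:20s} raw {raw:>9s}  laplace 1 in {1 / s['laplace_rate']:.0f}"
              f"  95% upper bound {s['upper_bound']:.3f}")
```

The upper bound is the number that separates a paper estimate from an empirical one: with zero failures in n flights it is 1 - 0.05^(1/n), close to the familiar "rule of three" 3/n, so even a spotless record of five flights cannot rule out a failure rate far worse than any 1:100,000 claim, and a record of zero flights cannot rule out anything at all.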