Description

On 31 October 2014, a SpaceShip2 sub orbital 'rocket' plane [N339SS] being operated by Scaled Composites, a Northrop Grumman subsidiary, on a test flight out of the Mojave Air and Space Port in southern California in day Visual Meteorological Conditions (VMC), was climbing just after release from its launch vehicle, a WhiteKnight Two aircraft at just over 46,000 feet amsl and accelerating rapidly during the 'boost' phase of the flight when it broke apart and was completely destroyed. The commander survived with serious injuries and the co-pilot was killed.

Investigation

An Investigation was carried out by the National Transportation Safety Board (USA) (NTSB). Relevant data was successfully downloaded from the recovered FDR and a forward facing cockpit camera and the wreckage, spread over a 5 mile area north east of Mojave was subjected to a careful examination.

It was found that the break up had occurred approximately 13 seconds after the release of the SS2 from its launch aircraft, the WhiteKnight Two (WK2) with registration N348MS. It was noted that the operator/manufacturer of the SS2 was carrying out test flights, including the accident flight, under a permit issued by the FAA Office of Commercial Space Transportation (FAA/AST) according to the provisions of 14 CFR Part 437 and was developing the SS2 for Virgin Galactic, which was planning to use it for future commercial suborbital flights.

The SS2 was equipped with a system which "rotated a feather flap assembly with twin tail booms upward from the vehicle’s normal configuration (0º) to 60º to stabilise SS2’s attitude and increase drag during re-entry into earth’s atmosphere" and that this system "included actuators to extend and retract the feather and locks to keep the feather in the retracted position when not in use".

It was noted that after release of the SS2 from the WK2 carrier, the SS2 rocket motor propels it from gliding flight into an almost vertical climb during which it rapidly accelerates from subsonic to supersonic speed. It was established that "the flight test data card used during the accident flight indicated that the co-pilot was to unlock the feather during the boost phase when SS2 reached a speed of 1.4 Mach" and that this action was required to avoid the risk of a hazardous subsequent descent if a lock failure were to occur. However, it was found that, contrary to this and his training, he had unlocked it soon after passing Mach 0.8 and that thereafter, "the aerodynamic and inertial loads imposed on the feather flap assembly were sufficient to overcome the feather actuators" which had not been designed to hold the feather flap assembly in the retracted position as passage through the transonic region occurred, and uncommanded extension of the feather flap had occurred leading to immediate and catastrophic structural failure.

The Investigation found that to support its application for the necessary FAA Experimental Permit for SS2 flights, the Operator had been required, in accordance with 14 CFR 437.55, to "identify and describe those hazards that could result from human errors" . However, when doing so, although the Systems Safety Analysis (SSA) it had employed had "correctly identified that un-commanded feather operation would be catastrophic during the boost phase of flight and that multiple independent system failures had to occur to result in this hazard", it had been inadequate because had failed to recognise that a single human error could also lead to unintended feather operation at this high workload point in a flight. It was also found that the Operator "did not ensure that the accident pilots and other SpaceShip Two Test Pilots adequately understood the risks of unlocking the feather early" and had additionally made the assumption that "pilots would correctly operate the feather system every time because they would be properly trained through simulator sessions and would follow the normal and emergency procedures for a given situation".

Issue of the Experimental Permit for SS2 operations which was current at the time of the accident, a second annual renewal in May 2014, was found to have been subject to a waivers from the normal requirements for the failure to satisfy the software and human error requirements of 14 CFR 437.55(a). The Investigation found that the FAA had considered that mitigations that the Operator had put in place "would prevent hazards resulting from (human) errors". However, the Investigation concluded that the waivers had bee issued "without understanding whether the mitigations would adequately protect against a single human error with catastrophic consequences" and that the FAA also "did not determine whether mitigations, other than those intended to protect against human error, were sufficient to ensure public safety". The Investigation noted that the Operator "did not request the(se) waiver(s), participate in the waiver evaluation process, or have an opportunity to comment on these waiver(s) before (they were) issued".

Overall the Investigation concluded that "human factors should be emphasised in the design, operational procedures, hazard analysis, and flight crew simulator training for a commercial space vehicle to reduce the possibility that human error during operations could lead to a catastrophic event".

In respect of the Operator's emergency response planning, it was noted that the failure to have the usual helicopter on standby at their Mojave base during the accident flight had meant that the location of and the initiation of medical treatment to the surviving pilot had been delayed. It was also considered that "additional parachute training and procedures would have better prepared (the Operator's) Test Pilots for emergency situations".

Seven Safety Issues were formally identified as a result of the Investigation, as follows:

1. Lack of human factors guidance for commercial space operators. Scaled did not emphasize human factors in the design, operational procedures, hazard analysis, and simulator training for SS2. For example, by not considering human error as a potential cause of uncommanded feather extension on the SS2 vehicle, Scaled missed opportunities to identify design and/or operational factors that could have mitigated the catastrophic consequences of a single human error during a high workload phase of flight. To prevent a similar situation from recurring, commercial space operators should fully consider human factors during a commercial space vehicle’s design and operation. However, because commercial space flight is an emerging industry, no guidance currently exists specifically for commercial space operators that advises them to, among other things, obtain human factors expertise, consider human error in hazard analyses, ensure that hazard analyses avoid or adequately mitigate single-point failures, and ensure that flight crews are aware of known catastrophic hazards that could result from a single human error.
2. Efficacy and timing of pre-application consultation process. Experimental permit applicants are required to consult with the FAA Office of Commercial Space Transportation (FAA/AST) before formally submitting their applications, and individual operators can decide when to begin this process. The SS2 pre-application process began about 2 years before Scaled submitted its initial application but after the vehicle had been designed and manufactured. At that point, it could have been difficult and costly for Scaled to make changes to SS2 if the FAA/AST had found inadequacies in Scaled’s hazard analysis during pre-application consultations. Thus, the experimental permit pre-application consultation process would be more effective if it were to begin during a commercial space vehicle’s design so that concerns could be resolved and potential catastrophic hazards resulting from human error could be identified early in a vehicle’s development.
3. Limited interactions between the FAA/AST and applicants during the experimental permit evaluation process. As a part of the review of Scaled’s experimental permit application, FAA/AST technical staff developed questions for Scaled technical staff related to SS2’s design and operation, many of which were necessary to understand potential operational hazards and the design, operational, and management controls that would be needed to comply with FAA regulations to ensure public safety. However, some FAA/AST technical staff members reported that their questions that did not directly relate to public safety were filtered by FAA/AST management to reduce the burden on Scaled. The dividing line between the questions that the FAA/AST needs to ask to determine the risk to the public and those to assess mission objectives is not always apparent because certain aspects of a vehicle’s design and operation could impact both public safety and mission safety assurance. Thus, more extensive interactions between FAA/AST technical staff and prospective experimental permit applicants during permit evaluations would help to perform this work more effectively in the future.
4. Missed opportunities during the FAA/AST’s evaluations of hazard analyses and waivers from regulatory requirements. The FAA/AST approved the initial and first renewal of the SS2 experimental permit without recognizing that the SS2 hazard analysis did not identify single flight crew tasks that, if performed incorrectly or at the wrong time, could result in a catastrophic hazard. Also, the FAA/AST did not consult with Scaled technical staff after determining that waivers would be necessary or ask Scaled to correct the areas of non-compliance. In addition, the FAA/AST issued the waivers without verifying that Scaled was performing the mitigations cited in the waiver or assessing the effectiveness of these mitigations.
5. Limited inspector familiarity with commercial space operators. The FAA/AST conducts inspections before and during a commercial space flight to ensure compliance with federal regulations and the experimental permit and verify that the representations made in the experimental permit application are still accurate. FAA/AST inspectors were assigned to individual launch operations and not to specific commercial space operators. The FAA/AST safety inspectors who were assigned to the accident test flight had not been assigned to previous Scaled test flights. As a result, the inspectors had limited time to understand Scaled’s training, procedures, and operations before conducting safety inspections. FAA/AST inspectors who are assigned to commercial space operators (rather than individual commercial space launch operations) could become more familiar with the operators and could bring continuity and consistency to the inspection process.
6. Incomplete commercial space flight database for mishap lessons learned. During 2010, the FAA/AST began efforts to create a mishap lessons learned database, the Commercial Space Transportation Lessons Learned System, but this database has not yet been fully developed. The aviation industry has databases documenting accident and incident findings and effective corrective actions, which have been highly beneficial in preventing accidents and reducing fatal accident rates. A fully implemented and transparent commercial space mishap database could not only benefit safety (by disseminating lessons learned) but could also promote growth while the industry is in its current formative stage.
7. Need for improved emergency response planning. Scaled conducted its flight tests from Mojave Airport (MHV). A helicopter that was specifically prepared for and tasked with supporting an emergency response to a potential SS2 accident was not pre-positioned at MHV, even though that helicopter had been pre-positioned at the airport for SS2’s three previous powered flights. As a result, the helicopter was delayed in reaching the injured pilot. Another helicopter with advanced life support capabilities was located at MHV but was not placed on standby (before the accident flight) in case an accident were to occur. Thus, Scaled and local emergency response officials could improve their emergency readiness for future test flights by making better use of available helicopter assets. Other commercial space operators could benefit from taking the same action.

The Probable Cause of the accident was determined as:

"Scaled Composites’ failure to consider and protect against the possibility that a single human error could result in a catastrophic hazard to the SpaceShip Two vehicle. This failure set the stage for the co-pilot’s premature unlocking of the feather system as a result of time pressure and vibration and loads that he had not recently experienced, which led to uncommanded feather extension and the subsequent aerodynamic overload and in-flight breakup of the vehicle."

Ten Safety Recommendations were made at the conclusion of the Investigation as follows (their reference numbers will be added when they are formally communicated by NTSB):

• that the FAA, in collaboration with the Commercial Spaceflight Federation, develop and issue human factors guidance for operators to use throughout the design and operation of a crewed vehicle. The guidance should address, but not be limited to, the human factor issues identified during the SpaceShip Two accident investigation.

• that the FAA implement steps in the evaluation of experimental permit applications to ensure that applicants have (1) identified single flight crew tasks that, if performed incorrectly or at the wrong time, could result in a catastrophic hazard, (2) assessed the reasonableness, including human factor considerations, of the proposed mitigations to prevent errors that could result from performing those tasks, and (3) fully documented the rationale used to justify related assumptions in the hazard analysis required by [ 14 Code of Federal Regulations 437.55]

• that the FAA develop a process to determine whether an experimental permit applicant has demonstrated the adequacy of existing mitigations to ensure public health and safety as well as safety of property before granting a waiver from the human error hazard analysis requirements of 14 Code of Federal Regulations 437.55.

• that the FAA develop and implement procedures and guidance for confirming that commercial space operators are implementing the mitigations identified in a safety-related waiver of federal regulations and work with the operators to determine the effectiveness of those mitigations that correspond to hazards contributing to catastrophic outcomes.

• that the FAA develop and issue guidance for experimental permit applicants that (1) includes the information in Advisory Circular 413-1, “License Application Procedures,” and (2) encourages commercial space vehicle manufacturers to begin the consultation process with the Office of Commercial Space Transportation during a vehicle’s design phase.

• that the FAA develop and implement a program for Office of Commercial Space Transportation inspectors that aligns them with individual operators applying for an experimental permit or a launch license to ensure that the inspectors have adequate time to become familiar with the technical, operational, training, and management controls that they will inspect.

• that the FAA direct Office of Commercial Space Transportation (AST) management to work with AST technical staff to (1) develop clearer policies, practices, and procedures that allow direct communications between staff and applicants, (2) provide clearer guidance on evaluating commercial space transportation permits, waivers, and licenses, and (3) better define the line between the information needed to ensure public safety and the information pertaining more broadly to ensuring mission success.

• that the FAA in collaboration with the commercial space flight industry, continue work to implement a database of lessons learned from commercial space mishap investigations and encourage commercial space industry members to voluntarily submit lessons learned.

• that the Commercial Spaceflight Federation advise commercial space operators to work with local emergency response partners to revise emergency response procedures and planning to ensure that helicopter and other resources are appropriately deployed during flights.

• that the Commercial Spaceflight Federation work with the Federal Aviation Administration to develop and issue human factors guidance for operators to use throughout the design and operation of a crewed vehicle. The guidance should address, but not be limited to, the human factor issues identified during the SpaceShip Two accident investigation.

The Final Report of the Investigation and the formal communication of the Safety Recommendations to recipients is pending but on 28 July 2015, the NTSB released a 'Synopsis' from the Report which has been used to prepare this summary, which will be updated once the Report has been released. The information in the Synopsis is qualified by NTSB as "subject to further review and editing" and any resulting changes will be covered by the update process.

Further Reading/Related Articles

• Hazard Identification
• Risk Management
• Risk Mitigation
• Experimental Permit Program Report: FAA, 2008