What will it take to fly people on starship?
One of my recent videos provides information on the history of reliability analysis and risk tolerance at NASA, and you might want to go watch it first.
If you follow online discussions, there have been strong opinions about flying crew on starship. Here are a few examples...
Are these opinions right?
I certainly have an opinion, but if you've watched any of my videos you're probably expecting it's going to take a while to get there.
Just to keep things from getting boring, let's do something different.
(read)
Now that we've gotten that out of the way, feel free to tell me why I'm wrong in the comment sections. Or... maybe you could watch the rest of the video first, and then decide.
In reference to the space shuttle, NASA administrator James C. Fletcher said:
(read)
When I read that, another quote sprang to mind.
(read)
The problem I'm having is with this word "safe". Because "safe" is not a binary thing.
What we really care about is "safe enough".
Or, to put it more simply, is the benefit we get from the activity worth the risk of engaging in the activity.
Formula 1 drivers at one point accepted a risk of dying of 1 in 100 per year, and that met the bar for "safe enough".
What about a different scenario?
What about a 1 in 10,000 risk per year? Is that safe enough?
I don't think so.
The current number is probably about 1 in 5,000,000 per year, and there are certainly people who would argue that that isn't safe enough.
The main point here is that risk is a relative thing based on the scenario.
***
1/100 is historical data from Formula 1; newer races are likely much safer.
The average child rides 5 miles on a school bus and does this 200 (ish) days a year, so about 1000 miles per year.
NHTSA says the fatality rate is 0.2 fatalities per 100 million vehicle miles travelled, or 1 fatality per 500 million miles. Assume 10 children per bus, and that puts the per child per year risk at
500 million * 10 / 1000 = 1 in 5,000,000
What is safe enough to put humans on starship?
Here are five vehicles that NASA has either flown astronauts on or plans to fly astronauts on.
We have the mighty Saturn V rocket used on the Apollo missions.
We have the Russian Soyuz that carried 77 astronauts to the space station and back for NASA.
We have the space shuttle, which NASA flew for 30 years.
We have the Falcon 9 and Crew Dragon.
We have the SLS rocket and Orion capsule, which NASA will be flying on upcoming Artemis missions.
Time for a pop quiz!
Your task is to rank these launch vehicles according to safety
Spend a few seconds thinking about that. I'll wait.
Here are the results...
Coming in at #5, we have the Apollo Saturn V. We don't actually have a true estimate for this vehicle because NASA chose not to do one, but it's probably around a 1 in 10 chance of losing the crew per flight on a full lunar mission.
Coming in at #4, we have the space shuttle. NASA was happy to fly shuttle for about 20 years without good risk estimates, but when they finally did them, early shuttle flights were estimated at about 1 in 10. By 2010, shuttle got to 1 in 90, at which point it was retired because it wasn't safe enough. I think I might be making that up...
Coming in at #3, we have the SLS Orion, where NASA has chosen a 1 in 75 target for a mission around the moon and back.
Coming in at #2, we have the ubiquitous Russian Soyuz at about 1 in 100. This has been a very reliable launcher since the early 1970s, though there have been quality concerns recently.
And finally at #1, we have the Falcon 9 and Crew Dragon, at a NASA-verified 1 in 276.
How did you do? Any surprises?
The point of this quiz is that NASA has been comfortable flying astronauts on vehicles with relatively poor or even unknown safety profiles, and their newest launcher is not any safer than shuttle was. So it's a little strange to consider them the keepers of safety for human launch.
If you care about this subject at all, you should go buy a wonderful book by Rand Simberg titled "Safe is not an option - How a futile obsession with getting everyone back alive is killing our expansion in space".
His main point is that we know that death is a possibility in many human endeavors - driving, flying a private plane, skydiving - and also within many jobs - commercial diving, fishing, research in Antarctica, and the military. And we, as a society, have learned to deal with it. That's not to say we don't try to make those activities safer, merely that risk is inherent in life and many of these things are worth doing.
The ebook is only $5, and it's well worth your time.
Now that the preliminaries are out of the way, we can talk about Starship.
Just one more clarification...
Crewed missions are composed of three parts; there is the ascent into orbit, the actual mission, and then the return from orbit. I'm going to skip the mission risks.
We'll start with the ascent phase:
Broadly speaking, there are four big risk areas.
The first is what is generally called underperformance; there is some sort of problem with the propulsion system and the vehicle therefore can't get into its desired orbit.
The second is a vehicle breakup, which might come from aerodynamic forces or it could come from catastrophic failure of the propulsion system.
The third is a failure of the electrical system or some other mission-critical system.
And the fourth is some sort of environmental condition that puts the crew at risk - a fluid leak or a fire.
We'll start by talking about underperformance, and that takes us to talking about engines.
How reliable can we expect Raptor to be? Let's look at two engines.
The Merlin engine used on the Falcon 9 has had 3 failures in 1500 uses, giving a failure rate of 1 in 500.
The RS-25 engine used on the space shuttle had 1 failure in 405 uses, for 1 in 405.
1 in 500 looks like a good starting point.
We can get some context by looking at Falcon 9 first.
We'll start by assuming each engine has a 1 in 500 chance of failing on any flight.
Falcon 9 has 9 engines on the booster and 1 on the second stage.
The booster will abort if 2 engines fail, and the second stage will abort if its only engine fails.
Time for some math. For 9 engines, the chance of no failures is 0.998 raised to the 9th power, or 0.982. That puts the chance of a single engine failure at 0.018. We need two engines to fail for an abort, so that gives us an abort probability of 0.00032, or 1 in 3000. That is the power of redundancy; having more engines makes it more likely 1 engine will fail but redundancy makes it less likely that enough engines will fail to cause a problem.
Looking at the second stage, its chance of an engine failure is 1 in 500 or 0.002, and since there is only a single engine, that's the full probability as well.
If we look at the aggregate across both stages, we get 1 in 430 as the overall chance of requiring an abort due to engine shutdown, with most of the risk coming from the second stage.
Now let's look at starship, keeping the same 1 in 500 chance of a failure.
Current information suggests the booster will have 33 engines and the second stage will have 9. What effect do you think that will have on reliability?
The booster will be okay with 3 failures but will abort with 4, and I'm asserting that the second stage will be okay with one failure and will abort with 2.
For the first stage, the chance of one engine failing is 0.064. To abort, this needs to happen 4 times, for a probability of 0.000017, or 1 in 60,000. That's a really big number for a rocket.
The second stage has a single engine failure probability of 0.018, but it needs two to fail to trigger an abort, with a probability of 0.0003, or 1 in 3000.
In the aggregate, the risk is dominated by the second stage so the overall value is about 1 in 3000.
That is a very low chance of underperformance, and that's for a fairly low expected level of performance from Raptor.
If Raptor manages 1 in 1000, the aggregate probability goes to 1 in 12,000.
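The engine-out arithmetic above for Falcon 9 and Starship, as an added example that is not part of the original script. It assumes engine failures are independent, and it goes beyond the text by also computing the exact binomial chance of k or more failures; for these engine counts the shortcut used above overstates the abort chance, so the conclusions hold with margin. Function and variable names are illustrative.

```python
from math import comb

def p_any_failure(n, p):
    """Chance that at least one of n independent engines fails."""
    return 1 - (1 - p) ** n

def abort_shortcut(n, k, p):
    """The estimate used in the text: (chance any engine fails) ** k."""
    return p_any_failure(n, p) ** k

def abort_exact(n, k, p):
    """Exact binomial tail: chance that k or more of n engines fail."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def combine(*stage_probs):
    """Chance that at least one stage aborts, stages assumed independent."""
    ok = 1.0
    for q in stage_probs:
        ok *= 1 - q
    return 1 - ok

# (engine count, failures that force an abort) per stage, as stated in the text.
VEHICLES = {
    "Falcon 9": [(9, 2), (1, 1)],
    "Starship": [(33, 4), (9, 2)],
}

def vehicle_abort(name, p, method=abort_shortcut):
    """Aggregate abort chance across both stages of the named vehicle."""
    return combine(*(method(n, k, p) for n, k in VEHICLES[name]))

def one_in(prob):
    """Express a probability as the N in '1 in N'."""
    return round(1 / prob)

if __name__ == "__main__":
    for p in (1 / 500, 1 / 1000):
        for name in VEHICLES:
            short = vehicle_abort(name, p, abort_shortcut)
            exact = vehicle_abort(name, p, abort_exact)
            print(f"{name}, engine 1 in {one_in(p)}: "
                  f"shortcut 1 in {one_in(short)}, exact 1 in {one_in(exact)}")
```
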
On to vehicle breakup
I looked at vehicle breakup due to engine failure to see if there are other examples like this Antares one from 2015.
Atlas had a few engine failures that might have been that bad, but none since the 1960s. Delta had 1 in the 1960s, and zero since then. Ariane had zero. Soyuz had zero.
And the space shuttle and Falcon 9 both had zero.
This suggests that the Antares failure is probably an outlier - but if you watched the NASA crew safety video I did, you know the dangers of trying to generalize from events that are rare. The best we could ever say is "the historical data suggests that failures that are more impactful than engine shutdown are very rare", with some weasel words about how rare they might be.
There are other risks during launch; the vehicle might break up due to aerodynamic forces, there might be an electrical failure, or there might be environmental issues.
Despite the regular mention of Max Q as if it is a significant issue in launch, failures due to aerodynamics appear to be exceedingly rare.
I don't have figures about electrical failure or environmental issues or any ideas on how to estimate those and they aren't unique to starship, so I'm going to skip them.
I think most of you have been waiting for the return phase discussion.
The big risks I see are burning up on reentry, engine failure on landing, failure of the flip maneuver, or failure of the catch.
The obvious question to ask about reentry is whether starship is like shuttle. What are the chances that it will have the sort of problem that doomed Columbia?
There are two important differences that make this less likely.
Shuttle tiles were attached to the orbiter using adhesive, in a painstaking process that took NASA a long time to develop.
Starship tiles are attached to metal pins that are welded to the vehicle structure, and are therefore *likely* to be more durable. This will, of course, need to be validated during orbital flight testing.
More important, however, are two design choices made for shuttle.
The first is the architecture of the shuttle; mounting the orbiter on the side of the fuel tank exposes the fragile thermal protection system to damage from foam debris that comes from the external tank, and this was an ongoing problem in the program - 80% of the flights where imagery was available showed foam shedding.
The second is the fuel choice for the shuttle; the shuttle's choice of hydrogen required that the external tank be insulated to keep the extremely cold liquid hydrogen from boiling away, and that meant foam sprayed on the outside of the tank. In the picture, the upper circle shows the bipod ramp where the shuttle attaches to the external tank; on Columbia, a chunk of foam came from this location and impacted on the wing where the second lower red circle is drawn.
If you want to know more about why NASA chose this design, I've linked my video "why does the space shuttle look so weird?" in the upper corner. There were other shuttle concepts that did not have this issue.
On starship, there is nothing next to the thermal protection system, and therefore it will not be damaged from debris impact on launch.
Finally, we've come to the scenario that most of you are thinking of.
(video)
And those were certainly three exciting failures.
But there were also two successes:
(video)
We can do some math and look at the odds of failure due to Raptor failure, assuming once again that Raptor fails once in 500 uses.
There are 3 landing engines, and to crash, all three need to fail.
The chance of 3 engine failures is the chance of one engine failing - 0.002 - cubed.
Or a whole lot of zeros followed by an 8, or 1 in 125 million.
If Raptor is a 1 in 500 engine, the chance of all 3 engines failing due to engine issues is minuscule.
We are much more likely to see system issues; there might be fuel system issues, fuel contamination, weather issues. Issues like these are more likely to occur than a triple engine failure.
Can the Falcon 9 booster landing record tell us anything?
The Falcon 9 has had direct engine problems in 2 of 105 landings, or about 1 in 50.
Falcon 9 does not have the landing engine redundancy Starship will have, nor was the landing hardware designed to be crew-rated.
If it did, we'd expect it would be 1 in 125,000 or so.
SpaceX is planning on catching both super heavy and starship at the launch tower.
I have no idea how to estimate the risk of that.
I can, however, surmise that SpaceX does not think it is significantly riskier than a landing-leg approach, and if it is more risk, they could use landing legs as a fallback.
How about a hybrid system? Put a crew dragon capsule inside of starship, and use that as an abort option.
This seems like a great idea, but has some problems...
The SuperDraco escape engines use toxic and explosive propellants, and therefore there is risk in just having those systems in your spacecraft. Remember that a Crew Dragon capsule exploded during tests in 2019.
The real question is whether the increase in safety in the abort scenario outweighs the decrease of safety in the normal scenario.
The answer isn't clear; if Raptor is really as reliable as we suspect, having an abort system with SuperDracos could increase the risk substantially.
I'd also like to touch on SpaceX's confidence in powered landing
SpaceX flew SN15 successfully on May 5th of 2021.
9 months later, they have flown zero additional landing tests.
Further, the recently-announced Polaris program features two Crew Dragon flights and the first crew Starship flight.
Both of these show that SpaceX is very confident in their powered landing approach.
Let's go back to my original statement...
After looking at the ascent and reentry risks, I see no reason to suspect that Starship will be less risky than Crew Dragon on Falcon 9 and every reason to suspect that it will be considerably safer.
I think the common belief that it is high is because parachutes are commonplace and their reliability is not well appreciated and we've all seen starship prototypes blow up on landing.
One more point about safety, then I promise we'll start talking about Starship.
Let's say you are going on a space holiday for 7 days. You need to ascend into orbit, stay for a week, and then come back and land.
And let's just say that the ascent and descent both have a 1 in 500 chance of killing the passengers, and the orbital stay has a 1 in 5000 chance.
We can convert those probabilities to success rates, multiply them together, convert it back, and get 1 in 238.
Over time, we improve our landing so it's 1 in 1000. That will push our overall risk down to 1 in 412, a big improvement.
Now let's change the scenario; instead of staying in orbit we are going to spend 7 days on the surface of the moon, and that part of the mission has a 1 in 50 chance of death.
That gives us a 1 in 42 overall risk.
Now posit the same increase in landing reliability, to 1 in 1000. All that gives us is 1 in 44.
Which brings up another conclusion. On risky missions, the less risky parts don't matter - they don't contribute much to the overall risk. You can spend a huge amount of effort there and make minimal gains.
Okay, now that we've covered that, time to talk about Starship.
Wait, one more topic
We need to talk about abort systems and their impact on reliability. We'll use SLS as an example.
NASA's target goal for SLS is 1 in 300 on ascent, or 99.66% reliable. Let's say that the base reliability of the launcher is 1 in 100. That only gives us 99%.
Take the Orion capsule and add a launch escape system to it. Let's assume that system will save the crew 66% of the time.
So, we can take the 1% chance of needing the launch escape system and the 66% success rate when we need it, and figure out that we get an increase of 0.66% in the survival rate, pushing us up to 99.66% total, or the 1 in 300 we are hoping for.
Abort systems are great.
Now let's look at the nominal, or non-abort scenario. For reentry and landing to succeed, the abort system needs to be jettisoned from the capsule. If that doesn't work, the crew cannot reenter.
Let's say that works 98% of the time and fails 2% of the time.
We can take that two percent chance of failure times the 99% of the time an abort isn't needed, and that will lead to a loss of the crew 1.96% of the time, reducing our overall survival rate to 97.94%, or 1 in 43.
Abort systems are terrible.
Let's look at another example.
Finally, let's talk about the details of starship.
Like shuttle, there are two basic kinds of problems that can happen on ascent.
The first class is underperformance; something has gone wrong with one or more of the engines and we therefore don't have the thrust we expect.
The second class are major issues. The booster explodes, there is a toxic gas leak, the electrical system fails, that sort of thing.
We'll star
Our options depend upon what the performance of Super Heavy was and what the performance of Starship is; failures with either stage might cause us to explore our abort options.
The shuttle had 5 abort options.
If the energy deficit was small, they could abort to a lower-than-expected orbit.
If there is enough energy to get near to orbit, they can travel around the earth once and then land.
The next option is to land at an airport in Europe.
If the ground track is convenient, they could land on the east coast or the Bahamas.
And finally, they could return to land at the launch site.
Assume Super Heavy has a significant issue. Super Heavy can either keep flying and stage when it runs out of fuel, or it can stage immediately.
If the choice is to stage immediately, the options depend upon which starship is flying. If it's a 6 engine starship, the thrust/weight ratio is less than 1 and that means it's not possible to abort while sitting on the pad.
If it's the 9 engine starship, the thrust to weight is probably greater than 1, and it's possible to abort while sitting on the pad, though SpaceX has talked about stretching Starship to carry more fuel and that might change that.
Pratt & Whitney JT9D - 747-100
General Electric GE90 - 777
If you look around, you will find a lot of explanations why airlines don't have parachutes for passengers that explain how impractical it would be and how most accidents wouldn't provide time to use the parachutes.
All those points are true.
But they largely view parachutes as pointless, and they are wrong in that.
Before we dive into things, I have two links to share with you.
The first is my video on Space Shuttle abort modes, as it's very useful to understand what the options were for the shuttle.
The point here is that safety changes can be good and they can be bad. We can express this in numerical terms.
We can look at how much better our mitigation is, multiply it by the chance of that scenario coming up, and get an estimate of the safety improvement
We can look at the problems our mitigation might cause, multiply it by the chance of that scenario, and get an estimate of the safety loss
Applying this to our parachute scenario with some made-up numbers, let's assume that the parachute can save 50% of the people that would otherwise die, and the chance of that scenario is one in one thousand. That gives us an improvement of half of one in one thousand, or one in two thousand.
Let's assume that the scenario where parachutes slow down evacuation only results in 10% extra deaths and the chance of that is one in one hundred, which would result in a reduction in safety of one in one thousand.
The point being that safety losses in other scenarios can outweigh the safety gains in the scenario you are trying to address.
Here's a video of how airplane evacuations are supposed to happen, during an evacuation test of the Airbus A380.
Now ask yourself, what would happen if 10% of those people were wearing bulky parachutes and tried to make their way off the plane?
Aviation disasters are very well studied, and we know that the time it takes to get off the plane can be the difference between life and death. We also know that passengers do not follow instructions; there are documented cases where people have died because they inflated their life vests inside the plane and could therefore not get out the exits that were slightly under water.
Parachutes would kill passengers who otherwise would have lived.