|
Eager Space | Videos | All Video Text | Support | Community | About |
|---|
How will starship deal with failures?
What are the contingency plans, which are sometimes known as abort modes?
Starship is still under development and we therefore don't have all the information we would like to have, but we can still use the information we do have and make some guesses, hopefully educated ones.
For this discussion, we're going to look at four different launchers and contrast their abort systems and options.
We start with the starship crew vehicle launched on top of the super heavy booster.
Next is the Orion capsule launched on top of the SLS rocket
Third is the Crew dragon capsule on top of the Falcon 9 rocket.
Last is the space shuttle orbiter on top of... well, next to the rest of the space transportation system.
The first thing to notice is two very different approaches.
Orion and Dragon use conventional capsule designs launched on top of two-stage rockets.
There's one interesting difference between Orion and Dragon.
Orion uses solid rocket motors in the escape system. It has an abort motor that fires upwards and the exhaust is then redirected down to lift the capsule up.
At the top there is an attitude control motor that is used to steer the path of the orion capsule
And in between, there is a jettison motor that is used to jettison the launch escape system when it is no longer needed.
Crew Dragon uses four liquid-fueled hypergolic super draco engines that are built into the capsule structure. Steering is handled by differential thrust on the motors. There is no need for a jettison motor because there is nothing to jettison.
The shuttle orbiter and Starship have an integrated crew/cargo/reentry vehicle design, where the crew vehicle is the second stage.
Our goal at launch is to get into whatever orbit we're aiming to reach.
The biggest concern on launch is a failure in our propulsion system that results in less energy than we had planned for. The abort options depend on when the failure happens and the design of our system.
If our engine issues mean that we can't get to our desired orbit but can get into a lower orbit, we can use the "abort to orbit" option.
All of these vehicles should be able to do an abort to orbit in some scenarios.
On STS-51-F in July of 1985, engine sensors failed on the center RS-25 engine in challenger and that led to an engine shutdown at 5 minutes and 43 seconds into the flight. The lack of performance meant that the shuttle could not reach the 385 km orbit that it was aiming for, but it was able to reach a 265 km orbit and complete its mission objectives. This was the only abort during the Space Shuttle Program.
If the engine performance isn't enough to make it into a stable orbit, it might be enough to make it around the earth once. This is known as "abort once around".
There are several different scenarios depending on the inclination of our target orbit.
If we are launching to our natural inclination - the same inclination as our launch site - it's fairly simple. This picture shows the ground track of such a launch. We launch from Florida, head around the world, and the next orbit will be close enough to the launch site so we can land at it or next to it.
If we launch to a higher inclination - say the 51 degree inclination for the space station - it gets more complicated. We've launched from Florida to the north east, and the earth rotates as we complete the first orbit offsetting us quite a bit to the west.
This is why the shuttle maintained a landing site at Holloman Air Force base in New Mexico - it is roughly under the shuttle on an abort once around mission to the international space station.
If we launch on a polar orbit to the south from Vandenberg Air Force Base in California, we have a bigger problem. Our orbital track moves to the west, so that the next orbit we are considerably out in the pacific ocean.
The air force wanted to be able to do this with the Space Shuttle - to deploy a satellite immediately and return to earth, so the space shuttle has the ability to fly a curved reentry track and make it back to the US mainland to land. This is known as "crossrange" ability, and the shuttle could travel about 2000 km to one side or the other.
This capability was never used as the shuttle never flew out of Vandenberg.
The shuttle was capable of doing abort once around from a variety of orbits. What about the other vehicles?
Capsules are built so that their mass is not evenly distributed which provides some lift and therefore some crossrange. Estimates for Dragon are around 300 km, and 400 km for Orion. This is a bit problematic; you would generally want to put your recovery fleet in the location where an ascent abort might lead to landing, but oceans are big and astronauts on either Orion or Dragon could be in for a long wait before somebody reaches them in an abort once around scenario. They will probably survive but may not enjoy the experience.
What about Starship?
It has active aerodynamic control and quite a bit of body area, so it's definitely going to have a glide ratio of...
Yeah, I don't know. I do know that it doesn't glide in the sense that the shuttle glides, but neither do orion and Dragon.
If I had to guess, I would bet that it's greater than Orion and Dragon simply because it's much less dense - it's mostly a big empty tank. It's also less dense than shuttle, so maybe it will have more crossrange than I expect, but between the capsule and shuttle is a fair bet.
If we can't get around once, we will need to land before we've completed a full orbit.
For the shuttle, this was called Trans Atlantic Abort, and NASA staffed one or more airport landing zones in Europe or Africa, depending on their launch trajectory.
The capsules can land anywhere there is enough water, which probably would mean in the Atlantic for shorter range landings or maybe the Indian ocean for longer-ranged landings. Some inclinations spend quite a bit of time over Africa and that might limit the number of water landing sites.
Starship is obviously designed to land on land, and it will probably be capable of landing in any big flat solid area. And it has a lot of delta-v, so making it across to Europe in this scenario is likely.
However, there is no reason that it couldn't land in the ocean if it had to, as Falcon 9 demonstrated that ability. Given a sealed crew section, it's probably as survivable as an Orion or Dragon landing away from the recover fleet.
This means that Starship can essentially land anywhere from an abort perspective, which gives it more flexibility than the other systems.
As things get worse, we lose the ability to travel farther.
For shuttle, that meant trying to get to any airfield that was in range for an ECAL or BDA abort.
For high inclination flights - such as to the international space station - the shuttle flies up the east coast (that's what ECAL means) and if there's a major issue it can try to use its crossrange ability to get to one of these airports. For lower inclination, the only real option is Bermuda, and there are some abort scenarios where that isn't feasible.
If something happens early in the launch and you need to land right away, things get more interesting.
The capsules very likely just trigger their abort systems and land in the water near the launch site. Easy enough, though they will need somebody to do recovery wherever they land.
Shuttle has issues. We can't do anything for the first 2 minutes until the solid rocket motors burn out, and that gives us a lot of forward velocity. Unfortunately, not enough to get to anyplace useful, so we are stuck with the infamous return to launch site abort, or RTLS. To have a chance at a landing, the shuttle needs to arrive at this circle at the proper angle and with an empty external tank so that it can separate. To do that it needs to burn off its fuel before it reaches that point, which it does by placing itself in a fuel wasting attitude - something kindof like hovering.
In 1980, STS-1 commander John Young said, "RTLS requires continuous miracles interspersed with acts of God to be successful"
What about starship? Well, assuming an early problem with super heavy, Starship has loads of delta V and can easily turn around and do a nice lofted trajectory back to the launch site - the same sort trajectory the Falcon 9 first stage uses for RTLS. With one caveat I'll talk about later.
Onto pad abort. For shuttle, there was no pad abort
Dragon can abort off the pad, and it will likely go well for Dragon as the super dracos work quite well.
It's not clear how things will go with Orion:
Here's a launch from 1997 of a Delta II rocket with 9 solid rocket boosters.
The SLS uses very large solid rocket boosters, and as we see, a failure can throw burning solid propellant high in the air, perhaps high enough to reach the capsule or the capsule's parachutes. NASA models suggest that this is unlikely though there is no consensus inside NASA about this issue.
So Orion gets a checkmark with an asterisk
What about starship? Well, it gets a bit complicated because we don't know what the crew starship configuration will be.
The design seems to have converged on 3 sea level raptors in the middle of the stage.
But it's not clear how many vacuum raptors there will be; the original design called for 3 but Musk recently tweeted that they would go with 6.
This has significant impact on the abort scenarios because the number of engines determines the power to weight ratio and that determines how quickly starship could accelerate during an abort.
This graph looks at different payload sizes and different numbers of engines. The usual caveats about everything related to Starship being an estimate apply here....
Starting with the 6 engine blue line, if we are planning a full 100 ton payload, the thrust/weight ratio is 1.002. Start up 6 engines and starship will just hover on top of Super Heavy for a few seconds before it burns off enough fuel to start moving upwards. That will heat up the top of Super Heavy considerably, probably enough to rupture the propellant tanks. Not a great idea.
If we are willing to accept less payload - 25 tons - we can get the power to weight ratio up to a little over 1.5, which will allow for a reasonably quick escape.
With 9 engines, we get a power to weight ratio of 1.5 with full payload, and 2.25 with a 25 ton payload.
For reference, the Dragon escape system will generate 4.5 g of acceleration, and the orion 7 gs of acceleration. Those systems will trigger very quickly, while the raptors on Starship will take some time to generate full thrust.
One more complication - to start the engines on the second stage before the stages are separated, the exhaust from the second stage engines needs somewhere to go. The Russians use this design on some of their rockets, including the Proton shown here, and the US used it in the past on the Titan II missile.
There's one more complication for starship.
Crew starship will start with a mass of at least 950 tons. It is designed to reenter and land with about 150 tons.
That's about 800 tons of excess mass, and while some will be used up in the abort maneuver, much of it will still be around. We'll probably see a lot of this:
Starship likely can do a pad abort, but it's going to be slower than Orion or Dragon and it's going to be spending time getting rid of a lot of fuel, so it gets a check mark with two asterisks.
What are the launch timelines and options for each vehicle?
The space shuttle burned its solid rocket boosters for 120 seconds. It is not possible to start an abort during that time period and there are no abort options if the solid rockets malfunction.
The abort options for a single main engine failure depend on when the failure happens; if it's early in the launch RTLS is required, then TAL and ATO. After about 6.5 minutes, no abort is required due to a single engine failure. Multiple engine failure scenarios get more complicated; if you want all the details, see my Space Shuttle Abort Options video.
For the Falcon 9, the capsule can abort at any point from the pad all the way into orbit, though the Super Draco abort thrusters may not be necessary later in the launch. The Falcon 9 first stage has sufficient performance to deal with one engine failure during it's flight, but there is no redundancy in the second state engines. Late in the launch there are other abort options, such as abort once around or abort to orbit.
SLS has a launch escape system for the first 3 and a half minutes, and that covers the time that the solid rockets are running, so it's better than shuttle in that regard. It does have less escape system coverage than the Super Dracos on Dragon, but there's probably no significant difference in safety. Like shuttle, it will be tolerant of engine failures late in the launch. Interestingly, for Artemis 1 at least, the ICPS second stage isn't actually used to get into orbit; it's used to get out of the orbit and head towards the moon, so it doesn't impact the ascent abort scenarios.
Super Heavy provides significant engine redundancy, with the ability to tolerate 3 engine failures and complete its mission. I also expect that starship will be able to abort during the time that Super Heavy is operating. Starship will tolerate some engine failures on ascent; how many it can tolerate will depend on how many engines SpaceX puts on the crew version, which engines fail, and when the failures happen, but my guess is that 2 engine failures will likely be okay if there are 9 installed.
Starship will also have what the shuttle program called "intact aborts" - other options if something significant happens on ascent.
One more complication...
Whatever abort system is present needs to handle a number of different scenarios; with aborts at different speeds and different altitudes depending on the kind of abort.
We can now move to talk about reentry aborts.
There aren't any.
That's not quite true. For shuttle, if you manage to make it through the hot part of reentry and end up in a controlled glide but can't land, there's a small window when you can bail out, parachute down, and maybe survive. But it's a small window.
For the other vehicles, there is no plan B.
They do, however, feature redundant parachutes or redundant landing engines. I talked quite a bit about Starship and landing in my "people on starship" video, which I'll link in the upper corner. The summary is that if Raptor engines are reasonably reliable - as reliable as the Merlin or the space Shuttle RS-25 - the chances of all three failing is very, very low.
Parachutes are interestingly more problematic. This is a chart showing testing for the Orion capsule, showing the parachute deployment altitude on the vertical axis and the speed on the horizontal axis.
The parachute deployment for a normal reentry is this small region in the middle. But when you add in aborts, those can occur anywhere in the region outlined in red, and there are some parts of that which cannot easily be tested.
Just to make it more interesting, a normal parachute deploy uses drogue parachutes before the main parachutes, but a low-level abort only uses the main parachutes.
This is probably well summarized by this Elon Musk tweet, where he notes that parachutes are way more difficult than they seem.
I'm going to cover parachutes in more detail in a separate video as there is too much detail to fit here.
Our vehicles use three different methods of landing, and it's useful to compare and contrast them.
The shuttle obviously used wheels, and they allow a nice, low energy, gentle landing.
On the con side, you can only land if there is an airport within reach, if you have enough airspeed to be flying, and if you are on a glide path that gets you to that airport.
Parachutes are a mostly passive system and there is considerable history and expertise in using them.
On the con side, they have lots of failure points, the chance of failure is higher during aborts due to higher stresses, there is a lot of testing required, and they can't land on land - at least for Orion and Dragon. And they have a limited ability to target their landing site.
Finally, engines allow your vehicle to have a lot of delta-v during abort and therefore lots of options, and they have considerable redundancy.
On the con side, their ground approach is high energy, and there are no options if the engines don't work.
One more point about safety, then I promise we'll start talking about Starship.
Let's say you are going on a space holiday for 7 days. You need to ascend into orbit, stay for a week, and then come back and land.
And let's just say that the ascent and descent both have a 1 in 500 chance of killing the passengers, and the orbital stay has a 1 in 5000 chance.
We can convert those probabilities to success rates, multiply them together, convert it back, and get 1 in 238.
Over time, we improve our landing so it's 1 in 1000. That will push our overall risk down to 1 in 412, a big improvement
Now let's change the scenario; instead of staying in orbit we are going to spend 7 days on the surface of the moon, and that part of the mission has a 1 in 50 chance of death.
That gives us a 1 in 42 overall risk.
Now posit the same increase in landing reliability, to 1 in 1000. All that gives us is 1 in 44.
Which brings up another conclusion. On risky missions, the less risky parts don't matter - they don't contribute much to the overall risk. You can spend a huge amount of effort there and make minimal gains.
Okay, now that we've covered that, time to talk about Starship.
Wait, one more topic
We need to talk about abort systems and their impact on reliability. We'll use SLS as an example.
NASA's target goal for SLS is 1 in 300 on ascent, or 99.66% reliable. Let's say that the base reliability of the launcher is 1 in 100. That only gives us 99%.
Take the Orion capsule and add a launch escape system to it. Let's assume that system will save the crew 66% of the time.
So, we can take the 1% chance of needing the launch escape system and the 66 % success rate when we need it, and figure out that we get an increase in 0.66% in the survival rate, pushing us up to 99.66% total, or the 1 in 300 we are hoping for.
Abort systems are great.
Now lets look at the nominal, or non-abort scenario. For reentry and landing to succeed, the abort system needs to be jettissoned from the capsule. If that doesn't work, the crew cannot reenter.
Let's say that works 98% of the time and fails 2% of the time.
We can take that two percent chance of failure times the 99% of the time an abort isn't needed, and that will lead to a loss of the crew 1.96% of the time, reducing our overall survival rate to 97.94%, or 1 in 43.
Abort systems are terrible.
Let's look at another example.
Finally, let's talk about the details of starship.
Like shuttle, there are two basic kinds of problems that can happen on ascent.
The first class is underperformance; something has gone wrong with one or more of the engines and we therefore don't have the thrust we expect.
The second class are major issues. The booster explodes, there is a toxic gas leak, the electrical system fails, that sort of thing.
We'll star
Our options depend upon what the performance of Super Heavy was and what the performance of Starship is; failures with either stage might cause us to explore our abort options.
The shuttle had 5 abort options.
If the energy deficit was small, they could abort to a lower-than-expected orbit.
If there is enough energy to get near to orbit, they can travel around the earth once and then land.
The next option is to land at an airport in europe.
If the ground track is convenient, they could land on the east cost or the Bahamas
And final, they could return to land at the launch site.
Assume Super heavy has a significant issue. Super heavy can either keep flying and stage when it runs out of fuel, or it can stage immediately.
If the choice is to stage immediately, the options depend upon which starship is flying. If it's a 6 engine starship, the thrust/weight ratio is less than 1 and that means it's not possible to abort while sitting on the pad.
If it's the 9 engine starship, the thrust to weight is probably greater than 1, and it's possible to abort while sitting on the pad, though SpaceX has talked about stretching Starship to carry more fuel and that might change that.
Pratt & Whitney JT9D - 747-100
General Electric GE90 - 777
If you look around, you will find a lot of explanations why airlines don't have parachutes for passengers that explain how impractical it would be and how most accidents wouldn't provide time to use the parachutes.
All those points are true.
But they largely view parachutes as pointless, and they are wrong in that.
Pratt & Whitney JT9D - 747-100
General Electric GE90 - 777
Before we dive into things, I have two links to share with you.
The first is my video on Space Shuttle abort modes, as it's very useful to understand what the options were for the shuttle.
The point here is that safety changes can be good and they can be bad. We can express this in numerical terms.
We can look at how much better our mitigation is, multiply it by the chance of that scenario coming up, and get an estimate of the safety improvement
We can look at the problems our mitigation might cause, multiply it by the chance of that scenario, and get an estimate of the safety loss
Applying this to our parachute scenario with some made-up numbers, let's assume that the parachute can save 50% of the people that would otherwise die, and the chance of that scenario is one in one thousand. That gives us an improvement of half of one in one thousand, or one in two thousand.
Let's assume that the scenario where parachutes slow down evacuation only results in 10% extra deaths and the chance of that is one in one hundred, which would results in a reduction in safety of one in one thousand.
The point being that safety losses in other scenarios can outweigh the safety gains in the scenario you are trying to address.
Here's a video of how airplane evacuations are supposed to happen, during an evacuation test of the Airbus A380.
Now ask yourself, what would happen if 10% of those people were wearing bulky parachutes and tried to make their way off the plane?
Aviation disasters are very well studied, and we know that the time it takes to get off the plane can be the difference between life or death. We also know that passengers do not follow instructions, there are documented cases where people have died because they inflated their life vests inside the plane and could therefore not get out the exits that were slightly under water.
Parachutes would kill passengers who otherwise would have lived.