By Douglas Messier
The Federal Aviation Administration issued an experimental permit to Scaled Composites to begin flight tests of Virgin Galactic’s SpaceShipTwo in 2012 despite serious deficiencies in the company’s application relating to safety analysis and risk mitigation, according to documents released by the National Transportation Safety Board (NTSB) this week.
When renewing the annual permit in 2013 and 2014, the FAA Office of Commercial Space Transportation (FAA AST) issued waivers that exempted Scaled Composites from explaining how it evaluated and planned to mitigate against human and software errors that could cause a fatal accident.
The office renewed the permit and issued the waivers over the objections of some of its own safety experts, who wanted the deficiencies corrected and complained about political pressure to approve applications. The waivers were issued without Scaled Composites requesting them.
Five months after FAA AST renewed the experimental permit last year, SpaceShipTwo crashed during a flight test, killing Scaled Composites co-pilot Mike Alsbury. NTSB has blamed the accident on pilot error by Alsbury, and the failure of the company to consider and guard against the possibility that a single human error could destroy the ship.
FAA AST Lead Technical System Safety Engineer Tom Martin, who were among those who fought to correct the problems in Scaled’s application, said he was not involved in drafting or reviewing the 2013 waiver. The decision to exclude him left the experienced safety expert, who had helped to investigate the crash of the space shuttle Columbia, incredulous.
“I said I’d be glad to evaluate any waiver that Scaled Composites or Virgin Galactic submitted…I offered my assistance,” Martin recounted to NTSB investigators. “They said, you know, we don’t need it. I said, let me get this straight. I’m telling you they didn’t meet the regulations; they’re deficient. That means the residual risk is going up. We don’t have enough verification. We don’t — they don’t document all the mitigation, so, you know, that makes me uncomfortable. You don’t want me involved in the waiver process? And they said that’s correct.”
Terry Hardy, a nationally known safety expert who evaluated Scaled’s permit application and sought to correct its deficiencies, was so frustrated with the process that he ended his consulting work with FAA AST following the SpaceShipTwo crash last Oct. 31.
“He said after 3.5 years he did not feel his recommendations or the work he did was improving the safety process,” according to a summary of an interview with Hardy posted on NTSB’s website. “He felt that after offering recommendations to the FAA he was ‘spinning my wheels’ until the FAA made significant changes to the way they approached system safety and their evaluations. He let the FAA AST managers know this.”
Both Martin and Hardy complained about political pressures to approve applications with the 120-day limit stipulated by law and to complete technical evaluations even if the data submitted by the applicants were incomplete.
“There would be a lot of pressure, political pressure, saying guys, you know, we got to get this technical eval done by next week,” Hardy recalled. “We got to get it up to ADC because they’re launching next week. And, you know, maybe I was raised different, in a different culture, but you know, my response always was that, hey, guys, they’re not launching until we’re confident that they’ve done the right engineering and that the trajectory analysis is complete to ensure that the public is safe.
“You know, I don’t care when they think they’re launching, you know, our responsibility is to the public….This is not just a problem with Scaled. This is throughout the, you know, my 2½ years there,” he added.
Technical experts were not allowed to communicate directly with applicants but had to submit them to FAA AST management, which decided which ones were appropriate to the office’s mandate to protect public safety. NTSB found there was an unclear dividing line between questions involving public safety and mission assurance.
These limits made it difficult for engineers to evaluate and verify the data and information being provided by companies. Hardy said he believes the restrictions resulted from political pressure designed to reduce the regulatory burden on applicants.
Experts within FAA AST realized there were serious deficiencies in Scaled’s original permit application, which the office approved in May 2012. Martin said the process for reviewing and approving was not as disciplined and focused as it should have been.
When it came time to renew the experimental permit in 2013, the office had two choices: remedy the problem by asking the company to provide more information, possibly holding up the renewal process; or issue a waiver that would exempt the company from the safety regulations.
Martin, Hardy and others favored remedying the deficiencies, but FAA AST management worried it was unfair to change the evaluation process in mid-stream.
“Now to credit, George Zamka, who was the deputy at the time, he stood up and said, you know, guys, we got Tom; he’s our system safety expert; we brought him on for a reason; it sounds like maybe we haven’t been doing it completely enough, so from this point on, this is how we’re going to start evaluating it,” Martin said. “And it sounds like we need — they didn’t meet the regulations, so we have to address that.”
FAA AST management concluded the waiver would not adversely affect public safety. Instead of asking Scaled Composites to formally request a waiver, management decided the agency would write the waiver for the company, even though it had not requested one. Hardy was surprised by the decision.
“Another concern was the waiver had been written by FAA management and not the applicant,” the interview summary states. “It seemed a little odd that the FAA was writing a waiver, and to his memory he did not think Scaled even wanted the waiver, instead wanting to show that they complied with the regulations. The waiver came from the FAA, and he had never seen the FAA write a waiver for a public applicant.”
Randy Repcheck, deputy manager of FAA AST’s Regulations and Analysis Division, said this was standard practice for incomplete applications.
“It’s not unusual, because we’ve had other applicants do the same thing where they’ve applied for a license or permit, they think they met a requirement, we disagreed,” Repcheck told investigators. “And so the way we handle that is we consider that submittal that doesn’t meet the requirement as tantamount to applying for a waiver.”
FAA officials rejected Martin’s offer to assist with the drafting of the waiver. “I said, okay, I’ll watch how they document it. The next time I saw the waiver was when it was published,” Martin added.
Hardy also saw the waiver for the first time after publication in the Federal Register. The contents left him puzzled.
“He was really surprised what was written in the waiver,” according to the interview summary. “One question he asked was that if no human error analysis was required to be performed, how a determination could be made that the mitigations identified in the waiver would be effective. He did not know about Scaled’s use of the simulator run at 1.4 times the speed. He knew of others on the technical team at FAA that had problems with the waiver, certainly the system safety folks.”
NTSB found that FAA AST “did not ensure that Scaled Composites was in compliance with the mitigations cited in the waiver from regulatory requirements or determine whether those mitigations would adequately address human errors with catastrophic consequences.”
The permit renewal was issued in May 2013; the waiver was published two months later in July. FAA AST renewed the permit in May 2014 and issued a similar safety waiver.
Sources have told Parabolic Arc that Scaled Composites was under significant pressure during this period from Virgin Galactic, for whom it was building the space plane, to complete SpaceShipTwo’s flight test program so commercial revenue-producing flights could begin. Virgin Galactic also faced pressures from its parent company, Virgin Group.
Following the spacecraft’s first powered flight on April 29, 2013, Virgin Chairman Richard Branson predicted he would be roaring into space with his son Sam on the first commercial flight by the end of the year. The British billionaire subsequently held a gathering of ticket holders in Mojave in September 2013. He predicted spaceflights would be commencing within months.
That proved impossible. SpaceShipTwo made successful powered flights in September 2013 and January 2014. However, the longest engine burns were only for 20 seconds and the ship only reached 71,000 feet, far short of what was required to reach space. The spacecraft was then taken into the Scaled hangar for six months for modifications even as Virgin Galactic continued to press to complete the flight test program and fly Branson by the end of 2014.
Martin said he was especially concerned about the January powered flight. He and other FAA officials noted flutter in the aft tail wing during powered ascent. Flutter is defined as an “unstable oscillation which can lead to destruction. Flutter can occur on fixed surfaces, such as the wing or the stabilizer, as well as on control surfaces such as the aileron or the elevator for instance.”
Subsequent investigation indicated that Scaled Composites had made some changes before the flight to the wings in anticipation of installing helium tanks in them. The helium was needed to compensate for instability in the hybrid rubber-nitrous oxide motor that caused vibrations and oscillations to SpaceShipTwo. The company had not informed FAA AST in advance of the changes.
“My management got comfortable with it because Scaled Composites came back and said they had done a lot of C and D and drop testing with it, and they had a lot of information to correlate the data,” Martin told investigators. “So the next round in the experimental permit, we didn’t see any updates to their hazard analysis. So I did not get involved other than to say no hazard analysis was seen or provided; therefore, you know, I didn’t have any evaluation or comments to the regulation, and the permit was issued or reissued.”
In May 2014, Virgin Galactic announced they were ditching the rubber/nitrous oxide hybrid engine they had previously flown with in favor of one that used nitrous oxide and nylon. This resulted in Scaled Composites coming back to FAA AST with a revised permit application that that took into account the significant changes required in SpaceShipTwo.
“They’ve shortened the engine. They’ve changed the fuel, the shape, and they’ve added [redacted] – [redacted] plumbing and tanks, [redacted] psi tanks in the wings and changed the structure of that,” Martin told investigators.
Sources have told Parabolic Arc the new engine used helium and methane in addition to the nitrous oxide to burn the nylon fuel. The changes added complexity and additional failure modes to the propulsion system.
Martin said given the extent of the changes, he wanted to see updates to the hazard analysis as well as the structural analysis for SpaceShipTwo. At that point, he had the opportunity to examine the entire application for the first time and made a surprising discovery.
“I noted to my management that they did not identify structures as safety critical, and they didn’t provide us with any type of hazard analysis associated with that,” Martin said. “My management’s technical response was that they didn’t believe structures was safety critical at the time….
“You know, we at least ought to get them to update the structures,” he said. “And to their credit, you know, we had the discussions — you know, Scaled was willing to do that, but my management didn’t feel it was necessary.”
Martin also discovered that the rocket engines tested on the ground were not in the same configuration as they would be in flight. This made it difficult to predict the vibration environment in the cockpit, which was one of the limiting factors that kept engine firings in flight to under 30 seconds.
As a result, pilots would have to rely on software to terminate engine thrust if vibrations exceeded safe levels, he added. The waivers issued by FAA AST exempted Scaled Composites from providing analysis of possible software errors.
“We never got inside into how they develop their software and how they do their quality assurance, like you would find in DO-178-Bravo or any of the industry practices for ensuring software safety,” Martin told investigators. “So we were relying on their testing program that we didn’t get to see. And we didn’t get the — we being the technical team – the verification evidence.”