Updates SpaceX Falcon 9 F5 CRS SpX-2 through CRS SpX-12 Updates

[RCO]

Wrong and right at the same time.

Right: A Chief Operations Officer does not know any technical details. Its not his/her business. A COO is responsible for forming the interface between executive board and the specialist departments. From down there, the COO is the little brother/sister of the CEO. And in 80% of all cases, the COO is a BA person, not an engineer.

Wrong: A COO is automatically a PR person. That's a lot of belittlement for such a responsible position. The COO is pretty much the person, who has least chances to pass the buck. If company processes are going wrong, quality assurance not working out (especially if a company implements TQM) - the COO is accountable and responsible at once. Also, the COO is a mostly internal position. Its pretty unusual, to have a COO represent the company to the outside, because thats the business of the CEO. The COO is there to free the CEO from internal responsibilities so he can focus on external responsibilities - towards investors and debtors.

But then: Shotwell is also president of SpaceX. She is the second in command and thus also responsible for representing SpaceX to the outside. And as much as you would like to rant about her performance there: She is an engineer. MSC in Mechanical Engineering and Applied Mathematics. Also she worked in the aerospace sector for quite a time before going to SpaceX.

Trust me: She knows what is known and what is still a guess. And her statements will only be as good as the statements of the engineers working for her.

My comment was certainly not a "rant" or intended to criticize Shotwell. I was referring to her as a PR person only in the context of this particular event, the news conference. She did not have any technical details to share apart from what Musk had tweeted regarding 2nd stage LOX overpressure. She did not say explicitly that the destruct command was not given. She only said she was not aware that it had been given. I don't think she had specific knowledge one way or the other. While Shotwell may be a very qualified technical person, generally, in a damage control situation such as this, she is probably acting at a high level only and is busy doing press conferences and such. I'm not criticising her. I just don't think she has the technical details at this point in time to say whether or not the destruct command was issued.

---------- Post added at 08:50 PM ---------- Previous post was at 07:57 PM ----------

At least stage 2 LOX tank overpressure event. Helium is not that mentioned.

But there are only very few possible sources for overpressure. For example an exothermic chemical reaction inside the tank, but also the gas bottles.

I suppose a structural failure at the top, with the LOX tank dome or Dragon adapter for example, could cause an overpressure if the tank began collapsing, with a decrease in volume for a moment before breaching, or if a smallish crack in the LOX tank allowed an inrush of hot, high pressure air (which would also rapidly vaporize the LOX). Although you would think a structural failure would be easy to detect in Dragon's telemetry if things had begun to move around.

The fact that the failure occurred right around the time that engine chill down should have started is significant, I think.

 

[Urwumpe]

I suppose a structural failure at the top, with the LOX tank dome or Dragon adapter for example, could cause an overpressure if the tank began collapsing, with a decrease in volume for a moment before breaching, or if a smallish crack in the LOX tank allowed an inrush of hot, high pressure air (which would also rapidly vaporize the LOX). Although you would think a structural failure would be easy to detect in Dragon's telemetry if things had begun to move around.

The fact that the failure occurred right around the time that engine chill down should have started is significant, I think.

I have my problems with the structural failure theory because I know that the tank dome on top has a lot of valves, sensors and other things that also have to get damaged before things go wrong - you would have more clear telemetry events.

But since the tank was filled with almost incompressible liquid oxygen and had only a small amount of ullage space, even a small change in volume could result in a big increase in pressure.

Engine chilldown could also be just a distraction and the cause independent of it. But maybe not. For example if there are other tank-related actions that take place in preparation for it.

 

[MaverickSawyer]

I have my problems with the structural failure theory because I know that the tank dome on top has a lot of valves, sensors and other things that also have to get damaged before things go wrong - you would have more clear telemetry events.

But since the tank was filled with almost incompressible liquid oxygen and had only a small amount of ullage space, even a small change in volume could result in a big increase in pressure.

Engine chilldown could also be just a distraction and the cause independent of it. But maybe not. For example if there are other tank-related actions that take place in preparation for it.

Agreed.

I can't remember exactly what the problem was with the helium bottles in the past... was it structural or valve issues? Because if a bottle let go all at once...

 

[PhantomCruiser]

My experience with engineers is that when you have more than 3 working on the same project, you wind up with a work stoppage.

 

[Hlynkacg]

Engine chilldown could also be just a distraction and the cause independent of it. But maybe not. For example if there are other tank-related actions that take place in preparation for it.

Keep in mind that we know from previous flights that propellant tank pressurization is part of the pre-start checklist.

I think that Thunder Chicken has the right idea, something in the pre-cooling process caused a fitting or fuel line in the second stage to rupture, resulting in the uncontrolled dumping of propellant and/or LO2.

You know what I mean. Flying humans atop the thing. The way we say it is not very important.

I disagree about it being "not very important".

Saying that a rocket is "Man rated" implies some sort of standard level of safety that does not exist. We put humans atop Soyuz Boosters and in the Shuttle despite the obvious problems. Despite this recent set-back I'd still entrust my butt to a Delta IV or Falcon 9 over either of those.

 

[MaverickSawyer]

Despite this recent set-back I'd still entrust my butt to a Delta IV or Falcon 9 over either of those.

Might want to add the Atlas V to that list. How many flights have they done with it, and not a SINGLE catastrophic failure. Just a single satellite delivered into the wrong orbit, which a manned vehicle would be able to recover from without issue.
*knocks on wood about the launch record*

 

[Linguofreak]

I disagree about it being "not very important".

Saying that a rocket is "Man rated" implies some sort of standard level of safety that does not exist. We put humans atop Soyuz Boosters and in the Shuttle despite the obvious problems. Despite this recent set-back I'd still entrust my butt to a Delta IV or Falcon 9 over either of those.

I'd trust my butt to Soyuz (at least, if I weren't a high anxiety type that won't trust my butt to anything), but never to the Shuttle. In any case, I'd say man-rateability is more a function of the spacecraft than the launch vehicle. Assuming the spacecraft is man-rateable, the only real criterion I have for the launch vehicle is "could a failure of the launch vehicle cause a nuclear explosion?*" For any reasonable kind of failure a chemical rocket could experience a man-rateable spacecraft will be upwind if the problem and will have an LES to carry it further upwind and horizontally clear of the problem.

Man rating from the organization that man rated the Shuttle is rather meaningless, though...

*Another excellent question is "could the proper operation of the launch vehicle cause a nuclear explosion?"

 

[Sky Captain]

If this failure is related to second stage and takes some redesign to fix it I wonder if it would be possible to launch Dragon on Atlas V to keep ISS supplied.

 

[RCO]

In case people hadn't already read elsewhere, the destruct command was sent as a standard procedure by flight safety, but only 70 seconds after the failure. I think possibly the final explosive disintegration is from the vehicle's auto destruct based on its own internal algorithm. Flight safety generally tries to give the vehicle the benefit of the doubt, and give it a chance to keep going and try to make orbit until it's clear that there's a catastrophic failure or the vehicle threatens to depart the safety zone. It looks like, in this case, maybe the vehicle knew it had experienced a catastrophic failure before flight safety did. I think flight safety probably would have destructed in a few more seconds if the vehicle hadn't already finished the job.

Or could be the vehicle just disintegrated due to aerodynamic forces and the FTS was never deliberately activated, either by the MFCO or by the vehicle's own algorithm. Doesn't really make much difference, as once the first stage became engulfed in flames and started disintegrating, it's likely the destruct charge would have ignited anyway. All the charge really does is split the tank lengthwise. In the final second, you can see a long flame shoot out the first stage engine, as if all the remaining propellant were being shoved through it at once. Maybe as the upper stage debris crashed into the first stage, the hypersonic air entered the first stage from the top and just blew it up like a baloon (along with the remaining propellants exploding).

At any rate, I'm curious as to why some people seem to be really interested in whether or not the FTS was activated, as if this is relevant to the failure. Destruct command is a routine thing following a catastrophic failure, and has nothing to do with the root cause. Is it just psychologically easier for some people to believe that flight safety destroyed the vehicle than to accept that the Falcon 9 failed? I don't get why this is viewed as important. I've seen the question being asked and discussed in several different forums, press conferences, etc., but it's not really an insightful question.

 

[Kyle]

If this failure is related to second stage and takes some redesign to fix it I wonder if it would be possible to launch Dragon on Atlas V to keep ISS supplied.

One of the downsides of Dragon is that it isn't LV agnostic like Cygnus is, it can only launch on F9.

 

[MaverickSawyer]

In case people hadn't already read elsewhere, the destruct command was sent as a standard procedure by flight safety, but only 70 seconds after the failure. I think possibly the final explosive disintegration is from the vehicle's auto destruct based on its own internal algorithm. Flight safety generally tries to give the vehicle the benefit of the doubt, and give it a chance to keep going and try to make orbit until it's clear that there's a catastrophic failure or the vehicle threatens to depart the safety zone. It looks like, in this case, maybe the vehicle knew it had experienced a catastrophic failure before flight safety did. I think flight safety probably would have destructed in a few more seconds if the vehicle hadn't already finished the job.

Or could be the vehicle just disintegrated due to aerodynamic forces and the FTS was never deliberately activated, either by the MFCO or by the vehicle's own algorithm. Doesn't really make much difference, as once the first stage became engulfed in flames and started disintegrating, it's likely the destruct charge would have ignited anyway. All the charge really does is split the tank lengthwise. In the final second, you can see a long flame shoot out the first stage engine, as if all the remaining propellant were being shoved through it at once. Maybe as the upper stage debris crashed into the first stage, the hypersonic air entered the first stage from the top and just blew it up like a baloon (along with the remaining propellants exploding).

At any rate, I'm curious as to why some people seem to be really interested in whether or not the FTS was activated, as if this is relevant to the failure. Destruct command is a routine thing following a catastrophic failure, and has nothing to do with the root cause. Is it just psychologically easier for some people to believe that flight safety destroyed the vehicle than to accept that the Falcon 9 failed? I don't get why this is viewed as important. I've seen the question being asked and discussed in several different forums, press conferences, etc., but it's not really an insightful question.

I think it's more a case of, "why'd it take so long for them to hit the FTS?"

 

[Notebook]

Slightly off topic...but have a listen to the comment at 1:15 in:

https://www.youtube.com/watch?v=rsPg8-vxWPs

N

 

[hellotoall]

If we can speculate. The second stage isnt really that complicated internally, some bottles and circumferential and radial baffles to prevent sloshing. I dont think all the hardware is instrumented. You would expect most of the things that would blow the second stage would occur after second engine start - such as ingesting something into the engine. In this case maybe a helium bottle or fitting came loose? I think they use hilok/hilite fasteners so they snap in at the predetermined torque. But hole-sizes and part thicknesses can be a manufacturing variation.
E.g sometimes when you friction stir-weld something you may thin out the tank wall - they add doublers to the wall but that only helps in fastener tension and pullout not bearing failure. Or sometimes a hole may be drilled out too large. The main thing is that this happened on 'not the maiden flight' so it could be a simple mistake or tolerance build up issue. Normally on the manufacturing line if something is out of spec they will notify the responsible engineer who will decide whether to proceed or not depending on the margin of safety and risk involved - they will then stamp 'use as is' to allow the defect on the flight article if it cant be fixed or if its still deemed safe for flight.

So once they localize the failure id guess they would pull all the manufacturing dispositions and data and check how it was all installed. If nothing comes up then more deep dive to see if a tolerance analysis or FMEA (failure modes and effects analysis) can lead to the same failure. Just conjecture though...i have no idea.

 

[Urwumpe]

I think that Thunder Chicken has the right idea, something in the pre-cooling process caused a fitting or fuel line in the second stage to rupture, resulting in the uncontrolled dumping of propellant and/or LO2.

Again, in my eyes, thats unrealistic because that kind of failure does not cause the observed events.

Even the oxidizer line of the rocket engine does not have the diameter to permit such massive emissions of LOX. And the chill-down line that branches off the main LOX line usually (again, I have no knowledge of the piping in a Falcon 9 rocket), will be much smaller. So, by the observed cloud, this is already wrong. Also we had no smaller emission of LOX before the tank failed completely.

Also, such a breaking pipe would not instantly result in a structural failure of the second stage and would not get observed as "counter-intuitive overpressure event"

If they are needing hex editors to recover the final frames of telemetry, you can be sure: The event that resulted in the loss of the vehicle had been sudden and it happened shortly before telemetry failed. Since the second stage has its own telemetry antenna, its likely that the first stage telemetry antenna did likely not emit second stage data.

We can be sure that first stage and second stage have independent guidance systems - maybe connected by a databus. What destroyed the second stage did not have impact on the performance of the first stage, until the first stage was destroyed by an explosion.

---------- Post added at 06:58 PM ---------- Previous post was at 06:54 PM ----------

At any rate, I'm curious as to why some people seem to be really interested in whether or not the FTS was activated, as if this is relevant to the failure.

Its important for the sequence of events. Would it have been a manual destruction, it would be a different situation than if an internal error detection in the launcher triggered the FTS. Or if the FTS was never triggered, but aerodynamics alone destroying the rocket (unlikely but possible).

Its not itself responsible for the failure, but the three versions mean different symptoms in the rocket and a different flight situation as it presented itself to the guidance system.

---------- Post added at 07:05 PM ---------- Previous post was at 06:58 PM ----------

but never to the Shuttle.

There we disagree... The Shuttle was never unsafe. It had really bad safety to no safety in situations in which Soyuz for example excels. And excels in safety in situations in which Soyuz looks bad.

Just looking at the disadvantages of a launcher makes you often forget, that it also had advantages - the chance to survive a failure after SRB SEP was for example much higher in the Shuttle than in a Soyuz at the same flight conditions.

The Shuttle was by design always appearing more dangerous... but if you really look at the technology possible and the technology implemented, you can only say that the biggest danger of the Shuttle was the organisation that operated it.

 

[DaveS]

Again, in my eyes, thats unrealistic because that kind of failure does not cause the observed events.

Even the oxidizer line of the rocket engine does not have the diameter to permit such massive emissions of LOX. And the chill-down line that branches off the main LOX line usually (again, I have no knowledge of the piping in a Falcon 9 rocket), will be much smaller. So, by the observed cloud, this is already wrong. Also we had no smaller emission of LOX before the tank failed completely.

Also, such a breaking pipe would not instantly result in a structural failure of the second stage and would not get observed as "counter-intuitive overpressure event"

If they are needing hex editors to recover the final frames of telemetry, you can be sure: The event that resulted in the loss of the vehicle had been sudden and it happened shortly before telemetry failed. Since the second stage has its own telemetry antenna, its likely that the first stage telemetry antenna did likely not emit second stage data.

We can be sure that first stage and second stage have independent guidance systems - maybe connected by a databus. What destroyed the second stage did not have impact on the performance of the first stage, until the first stage was destroyed by an explosion.

---------- Post added at 06:58 PM ---------- Previous post was at 06:54 PM ----------



Its important for the sequence of events. Would it have been a manual destruction, it would be a different situation than if an internal error detection in the launcher triggered the FTS. Or if the FTS was never triggered, but aerodynamics alone destroying the rocket (unlikely but possible).

Its not itself responsible for the failure, but the three versions mean different symptoms in the rocket and a different flight situation as it presented itself to the guidance system.

I believe most launch vehicles since the late 60's are equipped with break-wires to autonomously trigger the FTS in-case the RSO are unable to command the FTS. The FTS is monitoring these break-wires and if even one is sensed as broken, then the FTS is activated.

In the case of CRS-7 it could be that the vehicle stayed intact save for the very top of the vehicle (Dragon/Falcon adapter section). This would explain how the vehicle flew on it was intact, just leaking LOX from stage 2, most likely from a damaged/missing LOX tank top dome. Then once enough the vehicle had been destroyed by the aerodynamic forces the break-wires got cut and the FTS was triggered.

 

[boogabooga]

If this failure is related to second stage and takes some redesign to fix it I wonder if it would be possible to launch Dragon on Atlas V to keep ISS supplied.

:rofl:

 

[Urwumpe]

I believe most launch vehicles since the late 60's are equipped with break-wires to autonomously trigger the FTS in-case the RSO are unable to command the FTS. The FTS is monitoring these break-wires and if even one is sensed as broken, then the FTS is activated.

Breakwires are used for detecting separation events and are not automatically an abort trigger. Maybe multiple breakwires together to exclude sensor failures which are common there. Otherwise, rockets would be in danger of FTS getting triggered even on good flights.

The FTS did trigger late, not during the majority of the structural damage, so even assuming that the FTS was triggered when the second stage guidance did not respond to the first stage guidance anymore is more likely than breakwires. Possibly the FTS was triggered when an interstage communication time-out occured (which would explain the delay) and a second stage guidance failure was confirmed by multiple indications.

You should not think that a rocket is covered in breakwire sensors to detect that it had failed - usually it has just enough sensors to make sure that it works.

In most cases, the FTS is triggered by an independent control system, for both stages, so its likely that SpaceX was forced by NASA and Air Force to do the same best practice.

 

[Frilock]

If this failure is related to second stage and takes some redesign to fix it I wonder if it would be possible to launch Dragon on Atlas V to keep ISS supplied.

Why bother? As has been said, Dragon is computable. For Orbital, they basically have to redesign half their rocket, so its unlikely they're going anyway on their own for the foreseeable future. With SpaceX this likely isn't going to require a massive redesign. If it does, it would be in both parties interest just to cancel the contract at that point.

 

[K_Jameson]

If this failure is related to second stage and takes some redesign to fix it I wonder if it would be possible to launch Dragon on Atlas V to keep ISS supplied.

Teorically yes - Atlas V is more capable than Falcon 9 in terms of payload.
In real world... obviously no. Firstly, SpaceX and ULA are competitors.
In second instance, the hypotetical integration of Dragon on Atlas V is not an easy and speedy task - as stated many times, rockets are not LEGO.
If really the second stage is flawed, and if is a minor issue (as I think), is hugely simpler to fix it and then fly it as before.

 

[Urwumpe]

If really the second stage is flawed, and if is a minor issue (as I think), is hugely simpler to fix it and then fly it as before.

I doubt that its a terrible large systematic flaw. The rocket flew 13 times successfully in that configuration.

I suspect its a chain of minor events that simply went wrong this time and each of this has the potential to fix the problem and end the chain early.