Virgin Galactic SpaceShipTwo crackup verdict: Pilot error

The National Transport Safety Board has today given its verdict on last year's fatal Virgin Galactic crash, suggesting the cause of the tragic accident was human error and a lack of safety training. The NTSB determined that the probable cause was manufacturer Scaled Composite's failure to mitigate against the human factor of …

  1. Anonymous Coward

    Many of the safety issues we will hear are not from the novelty of space flight but

    Someone always has to be first and inevitably find a point not addressed before, they are still updating aviation procedures decades after we started flying.

    He should be remembered for his help advancing the project and not just for the one mistake

  2. Anonymous Coward

    Disturbing

    Why was the co-pilot unlocking a braking system while the engine was just getting started? Wasn't the lock there to prevent just such a catastrophe? Or did they just not realize what would happen to unlocked feathers under power? There's something missing here.

    1. Sir Sham Cad

      Re: There's something missing here.

      Reading between the lines it seems that the less experienced co-pilot wasn't trained by Scaled Composites in what would happen if he did unlock the shuttlecock booms during that phase of flight.

      It may be he thought that he was just unlocking them ready to be deployed later, not that this would actually deploy them with the atmospheric drag under rocket power. It may be that he didn't know that deploying the booms under rocket propulsion could cause structural failure. Probably both.

      This bit: "Virgin Galactic has added an inhibitor so its feather locks cannot be unlocked in certain conditions." suggests that either Scaled didn't know that structural failure was a possibility or didn't think that the humans on board unlocking the feathers at the wrong time was a possibility. This part: "[Scaled] identified that it did not have human factor expertise" suggests the latter.

      If that's the case then the blame lies squarely with SC who obviously didn't know what they were doing. Which, when you're doing something for the first time is understandable I suppose. That said, a brave test pilot is dead and another badly injured because someone greenlit the flight without sufficient sanity checks.

      1. Orv Silver badge

        IMAP + multiple machines = headache

        There's lots of precedent for that sort of thing, including a commercial jet crash in the 1970s (Air Canada 621) where the copilot accidentally deployed the spoilers during the landing flare when he intended to arm them to deploy automatically on touchdown.

        1. paulc

          Re: IMAP + multiple machines = headache

          A Tornado GR1 wrecked its nose and radome when the thrust reverse deployed after the wheels touched down but the aircraft had already started rising again. The thrust reverse needs weight on wheels, but it could be pre-armed by rocking the throttles outboard... no-one considered what could happen if the aircraft made a heavy landing and bounced back up into the air...

          What did happen is that the buckets carried on deploying and the aircraft then came down nose first wrecking the nose gear and making such a mess of the fuselage that the pilots, if they had tried to eject, couldn't as the seats were jammed on the rails.

          I was catching a fresh air break out the back of the avionics bay when I witnessed it all happen.

        2. Cynic_999

          Re: IMAP + multiple machines = headache

          Also a turboprop pilot who was too fast on approach decided to put the props into full beta (reverse thrust) to slow down. It caused a crash. A Learjet pilot in a similar situation tried deploying the braking (tail) parachute. That didn't have a good outcome either.

      2. John Geek

        Re: There's something missing here.

        SpaceshipTwo is a manually operated craft, with little or no automation. Every gram counts.

    2. PassingStrange

      Re: Disturbing

      Who knows? The point is that he was able to. It could have been a simple mistake. Although he was a test pilot, and he could have had a reason that made sense to him. Whatever, the hardware allowed him to do something that turned out to be fatally dangerous, presumably without giving him any indication that it really wasn't a good idea.

      (There's a famous story of a Harrier jump jet test pilot asking "What happens if I vector the thrust nozzles during forward flight?" To which the answer was "We don't know - no-one's ever tried it." So he did. And nothing went wrong, and the Harrier's then-unique VIFFing manoeuvers were born. But there was always an outside chance that it would turn out to be a really bad idea, and that things could have gone horribly wrong, perhaps even killing the pilot. In which case we'd be asking what he was doing, doing something so stupid? Answer - doing his job.)

      In my book, that's not pilot error. That's either a design failure, or a training failure, or a test pilot pushing the envelope beyond its limits.

      1. Yet Another Anonymous coward Silver badge

        Re: Disturbing

        There have also been a number of accidents when thrust reversers or slats deployed during flight on commercial airliners - either because of faults or pilot error.

        Adding interlocks so thrust reversers only work when there is weight on the wheels seemed like a sensible precaution - however well airline pilots were trained not to put the engines in reverse while flying.

        1. Voland's right hand Silver badge

          Re: Disturbing

          so thrust reversers only work when there is weight on the wheels

          Cough, cough. You have never been flown by a psychotic pilot in a Tu-154 my friend.

          Just like THIS one.

          1. Cynic_999

            Re: Disturbing

            Large commercial jet airliners have many safety interlocks that not all smaller aircraft have. It's easier to provide a safety interlock when the device being operated is controlled indirectly (via electric or hydraulic power). A small turboprop aircraft OTOH has its throttle and prop controls connected directly to the engines via Bowden cables or other mechanical linkages, which makes interlocks more problematic. While an automatic mechanical interlock is possible, it introduces an avoidable failure mode (interlock sticking) that can be deemed a higher risk than the probability and consequence of the pilot making a mistake. So instead the control is usually just fitted with a simple pilot-operated gate.

            Similar to the way that some cars have a safety interlock that prevents the driver starting the engine when the car is in gear and clutch released, but a heck of a lot of cars simply rely on the driver not doing that (and in some emergency situations you might *want* to be able to move the car using the starter motor).

  3. Anonymous Coward

    Operating procedure:

    1. Disengage the safety catch

    2. Engage the extreme danger catch

    (Douglas Adams?)

  4. Francis Vaughan

    The problem seems to have been that there was no interlock - they assumed that a pilot would never do something at the wrong time. This is combined with a lack of human factors - which seems to be a euphemism for not taking into account that humans get flustered, especially under pressure and under conditions that the simulator didn't really match.

    The co-pilot had 26 seconds to work through his required actions, and it seems that he made the call of "mach 0.8" and then he performed the next plus one action on his to-do list immediately after. There was no checklist used, just rehearsed actions. So nothing to cope with a flustered co-pilot doing something he was supposed to do, but a few seconds too early.

    So one suspects that the final NTSB report will be that this was an accident waiting to happen, and that no-one realised because SC didn't have the background in human factors, and the NTSB didn't have the background in supervising an experimental spacecraft.

  5. Anonymous Coward

    Motive ?

    The question which stays in my mind is, why did he perform this particular seemingly deliberate action?

    The possibilities seem to be -

    1. As Sir Sham Cad commented earlier, he performed the unlock in preparation for later stages of the flight, unaware that the aircraft would respond in the way that it did.

    2. Something had begun to go wrong with the flight and he had made an unusual attempt at aborting the supersonic phase of the flight

    The second sounds rather far fetched given that there are no indications of this in the recorded flight data.

    As for the first, aren't these sort of things scripted and rehearsed prior to a test flight? Why would he have made an ad-hoc decision to perform this procedure? If so, does this point to sloppy planning on the part of the company ?

    [ "fail to prepare, prepare to fail" ]

    1. Malcolm Weir

      Re: Motive ?

      Having actually been inside the vehicle, and seen the simulator procedures (i.e. "flown" in the simulator), the critical issue is probably that there are two parts of the feather boom controls: the lock, and then the honking great handle that actually moves the tail into the feather position. So it's very very reasonable to believe that a pilot could have believed that unlocking the boom early was benign, and the tail would remain where it was supposed to be until the handle was pulled; in other words, that the lock was philosophically more like a cover over a control rather than an actual part of the mechanical mechanism. That is clearly a design flaw, although perhaps an understandable one if the original thinking about the lock mechanism was primarily to prevent boom deployment while attached to the ferry aircraft (WhiteKnight2, etc).

      1. Pookietoo

        Re: the honking great handle that actually moves the tail

        So put the lock on the feather control and there's no inclination to deactivate it before you’re ready to feather?

      2. Vic

        Re: Motive ?

        So it's very very reasonable to believe that a pilot could have believed that unlocking the boom early was benign, and the tail would remain where it was supposed to be until the handle was pulled

        Perhaps - but an experienced jet pilot would undoubtedly have waited until he was going quite a bit faster before doing so - strange and wonderful things occur as you go transonic...

        Vic.

        1. Malcolm Weir

          Re: Motive ?

          Nope, you're missing the point: if the pilot(s) believe that the handle moves the feather boom, and the safety catch prevents inadvertent activation of the handle, then unlocking the safety catch would have nothing to do with the transonic pressures: don't touch the handle, and the tail booms will remain where they're supposed to be. Granted, the experienced supersonic (not just jet) pilot would avoid (say) putting his hand on the handle, for the reasons you mention, but the key issue is that, in reality, the safety catch locks the booms in place, not the handle (if you see what I mean).

          1. Vic

            Re: Motive ?

            Nope, you're missing the point

            No, I'm not.

            if the pilot(s) believe that the handle moves the feather boom, and the safety catch prevents inadvertent activation of the handle, then unlocking the safety catch would have nothing to do with the transonic pressure

            If the handle has a lock, it is to prevent inadvertent use of that handle. An experienced jet pilot would know that strange things happen as you go transonic, and simply wouldn't have fucked with it. Whilst we might all hope that the booms would have stayed put without handle movement, anyone who has flown a glider knows that you don't leave stuff in the "closed" position, you use the lock.

            in reality, the safety catch locks the booms in place

            In reality, no it doesn't. That's why the booms deployed. A test pilot shouldn't really be determining that - it's simply too dangerous a situation, as we saw.

            Vic.

          2. Cynic_999

            Re: Motive ?

            " ... if the pilot(s) believe that the handle moves the feather boom ..."

            A test pilot will ensure that he is *very* conversant with the design of a new aircraft he is going to pilot, especially one that is radically different to the norm. He will certainly not go on the maiden flight with any misconceptions about exactly how every control and switch in the cockpit functions, and that is especially true of anything connected with an exceptionally different feature of the aircraft.

            The suggestion that the co-pilot may have been unaware of exactly what the locking mechanism did and how it was supposed to be used is just not plausible. Even normal pilots of tried and tested commercial aircraft have to study (and pass tests) on pretty advanced details of the systems of the aircraft they are getting type-approval to fly. Test pilots usually know the design in pretty good detail and will have spent many hours in simulation.

            1. x 7

              Re: Motive ?

              "Test pilots usually know the design in pretty good detail and will have spent many hours in simulation"

              But by any understanding of the term in "normal" aviation circles he wasn't trained as a "real" test pilot.

              He'd never trained at ETPS or its USA or European equivalents. He appears to have been pulled from regular airline service to flying a high-performance high-tech design with no intermediate experience. And no experimental test flight experience.

              I don't blame him. I blame the managers at the company for placing him in that position.

    2. The First Dave

      Re: Motive ?

      I've seen loads of comments blaming the pilot for unlocking the lever, but very few have picked up on the fact that this was done eleven seconds too early.

      That is a tiny amount of time, under the circumstances.

      The pilot may have triggered this crash, but the only real cause was bad design.

      1. Destroy All Monsters Silver badge

        Re: Motive ?

        GO PILOTLESS

      2. John Brown (no body) Silver badge

        Re: Motive ?

        "I've seen loads of comments blaming the pilot for unlocking the lever, but very few have picked up on the fact that this was done eleven seconds too early."

        Yes. He unlocked just after reaching mach 1.0 but was supposed to unlock it before reaching mach 1.8 which implies that it should be unlocked while under thrust anyway. It does seem odd that unlocking it at mach 1.0 but without activating the feathering should have triggered the feathering to occur. It's almost as if the designers were relying on atmospheric drag at high speed to hold the booms in place.

  6. John Smith 19 Gold badge

    There is *no* design manual for sub orbital space planes

    Especially one that uses such a novel speed reduction process.

    Lesson learned.

    Hopefully the last one that VG will have to learn.

  7. graeme leggett Silver badge

    "Alsbury had a relatively unusual background for a test pilot."

    That section reads as a roundabout way of saying he lacked the experience that would normally be expected of anyone on the cutting edge of aviation.

  8. x 7

    Human error, but he should never have been put in the situation where human error was possible. The company's safety culture should have been such that it recognised the risk and either trained against it, or mechanically prevented it. Likewise the FAA should have been more insistent in its controls - ensuring a sufficient safety culture existed in the company.

    An earlier accident in 2007 when three people died in a nitrous oxide explosion should have rung the authorities' alarm bells. A critique of what happened is at

    http://www.knightsarrow.com/rockets/scaled-composites-accident/

    A thoroughly disturbing report. If what is indicated is correct, Scaled Composites should have had the plug pulled on them then on safety grounds.

    1. lambda_beta

      "Likewise the FAA should have been more insistent in its controls - ensuring a sufficient safety culture existed in the company."

      And you know what would happen ... all the aholes would cry 'too much government regulation .. let the maket pace decided about safety.

      1. Destroy All Monsters Silver badge

        but he should never have been put in the situation where human error was possible

        I can't even fathom the confused state of mind that extrudes this kind of statement.

        "Likewise the FAA should have been more insistent in its controls - ensuring a sufficient safety culture existed in the company."

        Newsflash: The FAA is not in the business of "ensuring sufficient safety culture" (sufficient for what, anyway?)

        And you know what would happen ... all the aholes would cry 'too much government regulation .. let the maket pace decided about safety.

        Never trust someone who is into Big Government but cannot spell properly.

        1. Francis Vaughan

          "Newsflash: The FAA is not in the business of "ensuring sufficient safety culture" "

          Actually they are. The FAA ride the aviation industry with enormous control, and they vet every part of the design and construction of an aircraft. You cannot get a new plane off the ground unless the FAA have OK'ed every aspect of the design and construction, and as part of that process the FAA absolutely want to know everything about your design and testing processes. Safety culture is a key part of those processes, and the FAA will want to know every detail about your company's safety processes and culture.

          The NTSB identified that there wasn't enough experience with the kind of work SC were doing in the FAA, and thus the FAA's oversight didn't extend far enough to have picked up on the deficiencies. The FAA don't have oversight of military aircraft or rockets, so the jump from overseeing companies building subsonic conventional aircraft to rocket propelled supersonic opened a hole in their experience of how tight the safety culture needed to be. Any history of rocket science will show that the levels of detail and care needed to avoid problems is an order of magnitude greater than just about anything else there is.

    2. Malcolm Weir

      Scaled is (now) a division of Northrop Grumman. The acquisition was announced the week before the accident to which you refer, but completed a month later. Therefore the legal entity that you suggest should have had the plug pulled did, in fact, change dramatically immediately after the incident (although for unrelated reasons).

    3. Cynic_999

      "Human error, but he should never have been put in the situation where human error was possible."

      Motor cars have been around a lot longer than jet aircraft, yet you won't find a single model that prevents human error causing a fatal accident. Why expect aircraft to be so much different - especially prototype aircraft? In fact many proposed interlocks for cars have been vetoed on the grounds that drivers don't want to lose control - e.g. limiters that prevent a driver exceeding the speed limit.

  9. Anonymous Coward

    SS2 no better than a vomit comet trip?

    "SpaceShipTwo offers no "space" applications beyond zero-G joyrides (which can be more effectively achieved in a normal jet aircraft such as the NASA "Vomit Comet" used for astronaut training)."

    If all you want to do is train astronauts, by all means stick with aeroplanes on vomit-inducing roller coaster rides. But SS2 is something different.

    If it's just practical applications you're interested in, SpaceShipTwo has the potential to provide an environment for microgravity research in a way that parabolic flights offered by normal jet aircraft cannot match, because such jet flights only provide relatively short periods of free fall in a higher applied gravitational field - and never mind the fact that SS2 can fly an awful lot higher, which opens up the possibility of making measurements of particles which are absorbed by the atmosphere (although high altitude balloons are very useful for some research in that line).

    On top of that, the SS2 experience shouldn't cause vomiting quite as readily as a "vomit comet" flight.

    SS2 can fly an awful lot higher than any jet aircraft can possibly manage - the sort of altitude which allowed the USA to claim Alan Shepard as the first American in space in 1961 due to having flown a suborbital hop of a similar altitude to that which SS2 should manage. And every account I've read indicates that getting up into official "space" as he did in that flight changes your outlook on the world.

    It's not just about practical applications.

    1. jason 7

      Re: SS2 no better than a vomit comet trip?

      Hire a U2 plane for the day. Surprised no one has tried getting hold of and hiring the back seat of one of those out.

      Seemed pretty amazing view from the James May documentary. Plus you'd get more for your money.

  10. TonyWilk

    Seems little margin for error...

    Given the article states:

    ... catastrophic structural failure at "just above approximately Mach 1.0".

    and

    ... the system must be unlocked prior to reaching Mach 1.8.

    It appears there's little margin for error there - I wonder what the actual safe unlock speed was supposed to be? Mach 1.7 ?

    I also wonder if it was known that the actuators would be overridden by aerodynamic forces to cause such a movement at Mach 1.0

    Unless there was a very specific procedure: "Thou shalt only unlock between X and Y speed", then it should not be classed as Pilot Error.

    1. Richard 12 Silver badge

      Re: Seems little margin for error...

      Presumably the instructions did say that, as the copilot wouldn't have made the flight if he didn't believe he knew what to do.

      But requiring a human to pull the handle inside an 11 second window, while they're doing all of the other "fly the plane" things, with disaster occurring if they are early or late is just stupid.

      Automate it.

      1. Cynic_999

        Re: Seems little margin for error...

        "Automate it."

        Automation is a two-edged sword. It's fine for things that we have a lot of experience with and thus will behave predictably. Not so good for things where something unexpected may require humans to operate the controls in ways that the autopilot was not programmed for.

        In general prototypes have less automation (and thus more under human control) than the final production models. They rely on human testers who have far greater knowledge and ability than the average eventual end-user. This is true of a prototype TV set or even alpha software just as much as a prototype aircraft - in fact the experience of the testers is used to define how the automatic systems eventually operate and what figures will eventually be used as the operational limits.

      2. Cynic_999

        Re: Seems little margin for error...

        "But requiring a human to pull the handle inside an 11 second window, while they're doing all of the other "fly the plane" things, with disaster occurring if they are early or late is just stupid."

        Not in the slightest. 11 seconds is plenty of time. If car drivers were unable to apply the brake or throttle within a window far, far smaller than 11 seconds, it would be impossible for cars to be used on the road. In a small 2-seat helicopter at cruise speed the pilot has no more than a second or two to get the collective lever down in the event of an engine failure, otherwise the rotor will slow below a critical RPM and will be unrecoverable - the helicopter will literally fall like a brick - and unlike this situation an engine failure is an unexpected occurrence.

        It is not a great deal different to other things that have a speed window on an aircraft. On one light aircraft I flew it could cause serious damage if the flaps were lowered above 120kts but could result in a crash if they failed to be lowered below 80kts. There was no interlock or warning that prevented the pilot from operating the flaps outside those limits. There was also a maximum speed that the landing gear could be lowered without causing problems - again no warning or automatic interlock. These actions often need to be completed while negotiating a complex instrument approach, adjusting various engine controls, re-trimming the aircraft and complying with ATC instructions. Pilots are very familiar with double-checking the appropriate instruments to ensure they are within required parameters before operating certain controls.

        1. JeffUK

          Re: Seems little margin for error...

          Interlocking anything to speed relies on the measuring devices working perfectly. e.g. if you couldn't lower your landing gear unless the plane believed you were under 80kts, and your air speed indicator failed (frozen pitot tube f'rinstance) it would be somewhat inconvenient to have to get out and fix the problem prior to landing.

  11. Stevie

    Bah!

    The speeds and weight restrictions on spaceflight using the current state of the art - which is not really much different to that pertaining in the 1960s with respect to goals, methods and obstacles - make the whole business a very dangerous undertaking.

    What this tragic accident highlights is the magnificent job done by everyone involved in Mercury, Gemini, Apollo and STS (with the notable exception of the idiots assembling Virgil Grissom's Mercury capsule; I've seen what was pulled out from behind the console when it was salvaged and those involved should regard themselves as extremely fortunate that their malfeasance was hidden by the sinking of the machine and subsequent blaming for the fiasco on the - as it turns out - blameless astronaut).

    Spaceflight is dangerous. Those that do it are both brave and lucky bastards.
