Certifying Soyuz

The way the FAA grants airworthiness certificates to new aircraft is fundamentally different from the way NASA certifies new spacecraft.  There are some good reasons for the difference.

There is an old saying that the airworthiness regs have been paid for in blood, and a review of aviation history would bear that out.  Those regs are generally simple, direct, and not open to much interpretation.  Airworthiness regs are generally considered to be performance based.  That is to say, a new aircraft must demonstrate that it can perform to the requirement.  Certifying a new aircraft design takes lots and lots of flight hours.  Many of the demonstrations are hazardous.  For one dramatic example, consider the requirement that a fully loaded jet airliner accelerating to takeoff speed must demonstrate stopping performance:  if the takeoff is aborted at the last possible instant, the brakes must be able to stop the plane before the end of the runway.  This demonstration almost always leads to the wheels glowing cherry red from the heat of the brakes; it is not uncommon to set the tires on fire from the heat.  Another example is the capability to take off with an engine shut down:  a fully loaded aircraft accelerating to takeoff speed is required to switch off an engine just at the most critical time and still be able to take off, climb out safely, and return to the airport for a safe landing.  A multi-million dollar jetliner must be put at risk to demonstrate simple safety requirements such as these.  And there are dozens of similar requirements that a new design aircraft has to demonstrate in actual practice.  Not in a computer simulation, nor in a piece-part test, nor even with engineering calculation (although some of these are also done); demonstration in actual flight is mandatory.  This can take months (sometimes years!) and frequently thousands of flight hours to achieve.

Launch vehicles and spacecraft are much more expensive than aircraft.  And, with few exceptions, they are not reusable – the reason for that is another topic for another day.  So launching dozens of test flights to demonstrate different safety requirements is not an economically viable option.  Generally the number of test flights is few; one, two, maybe three, sometimes none.  Meeting certification requirements is a matter of engineering analysis, computer simulation, piece-part testing, and standards on parts and design.

Thus the requirements and process for certifying space vehicles are fundamentally different from those for aircraft.  Not that there are no aircraft standards for parts or design processes, but the airworthiness of a new jetliner is demonstrated, not just analyzed, before the first passenger steps on board.

There are some exceptions in the space vehicle world; the NASA Launch Services Program can certify new launch vehicles to be used to propel expensive and unique scientific satellites to orbit based on the past performance of launch vehicles.  In the LSP requirements documents, a launch vehicle that has successfully launched several times (the magic number is 11) is subject to much less scrutiny than a brand new launch vehicle which is untried.  So Deltas and Atlases and Pegasuses (Pegasi?) are partly certified on the basis of past performance.

But that is not how NASA has ever certified a spacecraft for human conveyance – except Soyuz.

When the Space Shuttle was launched for the first time, it was “certified” to the standards of the day; thousands of hours of piece-part and subsystem tests; millions of hours of computer simulation, billions of hours of engineering calculation and analysis.  So Young and Crippen made the boldest test flight ever on STS-1 and we found out . . . that some of that analysis and calculation was wrong.  NASA and its contractors were good; but in fundamental ways, we were just lucky.

At the end of the Cold War, with détente, the space policy makers in Washington decreed that NASA would cooperate with the Russian space organizations to build the new space station.  The first part of that would be a series of demonstration flights between NASA and Russia.  This included flying Russians on the Space Shuttle and Americans on the Russian Soyuz spacecraft.  Norm Thagard would be first.

This threw the agency into a tizzy.  There was no way that the Russians were going to disclose all their technical specifications for all the sub tier parts; after all much of the technology was applicable to military uses.  And there was no way that the Russians had complied with US standards – most of which were either promulgated by the US Military (the dreaded “Mil Spec”) or by American professional and commercial groups (e.g., ASME, ANSI, etc.,  where the A stands for American).

Yet, the Soyuz had been flying for a long time, a huge number of flights by spacecraft standards, and it had demonstrated a safety record at least as good as the Space Shuttle.  And even more, the Russians were ready to fly on our shuttle based on the American assertion that it was “safe.”

So a new standard was promulgated – not officially published, but actually used.  A standard that basically said, if a spacecraft is demonstrated to be adequately safe, then it is certifiable.  Sort of like the simple, direct, and performance based standards of the FAA airworthiness regs.

Now there was a lot of nervousness, and many questions asked (not all answered), paper was signed, and Norm flew.  It was not easy, but it happened.

You can read all about it here:

http://ston.jsc.nasa.gov/collections/TRS/_techrep/SP-2010-578.pdf

So as new human certification ratings are proposed, they rely heavily on new standards and specifications, requirements for analysis, engineering calculation, computer simulation, piece-part testing and just a little bit on flight demonstration.  Of course, the Shuttle and the Soyuz don’t comply with those standards; they were built in different times with more primitive standards.  But they demonstrate a level of reliability or safety that is apparently acceptable.

If someone were to build their own spacecraft and/or launch vehicle; fly it successfully many times, demonstrate its capabilities in actual flight; then I suspect the new human rating requirements would be tossed aside in favor of demonstrated actual flight performance.

And that is as it should be.

But we are a long way from space travel being at the maturity, economy, and routine of air travel.

All those FAA airworthiness requirements were paid for in blood.  Don’t forget that.

About waynehale

Wayne Hale is retired from NASA after 32 years. In his career he was the Space Shuttle Program Manager or Deputy for 5 years, a Space Shuttle Flight Director for 40 missions, and has retired from consulting and is currently a full time grandpa. He might be available for speaking engagements for the right incentives (coffee and donuts work!)

24 Responses to Certifying Soyuz

  1. Bennett says:

    …then I suspect the new human rating requirements would be tossed aside in favor of demonstrated actual flight performance.

    I do hope you are right about this. By the time F9/Dragon is tapped to carry NASA crew to the ISS they should have more than that magic number (11) of successful flights under their belt. I’d hate to see them forced to meet thousands of individual part certifications despite what I hope will be a spotless launch history.

    • waynehale says:

      A fully human capable Dragon with a life support system? So far they have scored two successes with the F9 launcher but zero with a human capable Dragon. The first Dragon could not have supported people to the ISS and the next one up wouldn’t either – they are cargo carriers at this stage.

      • Bennett says:

        Granted, and I don’t think I was suggesting otherwise.

        However, given the volume of air in the first Dragon, it probably would have been enough to support a person for the few hours it was in orbit.

        I’ve wondered if a lawn chair and a bottle of supplemental air, plus a camera and assorted snacks… But back to your point.

        We know that SpaceX is working on a crewed version of Dragon, we just don’t know how far the work has progressed. If I read your article correctly, it’s the track record of the LV that really matters in waiving the onerous requirements, and if SpaceX gets off a flight or two with its own astronauts to prove the Crewed Dragon’s worthiness, how will NASA respond?

  2. Charley S McCue says:

    Your insight always illuminates my ignorance. Never even thought about what it took to ‘rate’ the Soyuz.

    Now, if Elon is listening, start booking those human Dragon flights now. Cram 6 or 7 together, charge $10M each. That should cover costs. Then get to 11 flights and say, “Look, we are Human Rated!”.

    My understanding is that all ISS Cargo vehicles meet most of NASA’s Human Rating requirements (sharps, atmo, lights, etc.) so the Dragon is close already.

    If memory serves, only once was a tower escape needed and it was early in the Soviet program. Forget the cost and weight of such a system.

    But the Cape needs a better flight tempo to support such an effort as 11 Dragon flights.

    Just wish I had the $10 mil to go.

    • waynehale says:

      No, the ISS cargo vehicles are far from meeting NASA’s human ratings requirements. There are no CRS (Cargo Resupply System) or COTS requirements for the ascent phase, for example.

      The Dragon capsule on the last flight did not even have a functional life support system.

      Your level of risk acceptance (no launch escape system) is rather high. I doubt that the requirement for launch escape system will go away.

    • Robert Horton says:

      The launch abort towers for the two examples I have studied are both a little over 10K pounds IIRC. But because they are jettisoned shortly after first stage, they do not count that heavily towards the payload all the way to orbit. The rule of thumb is between 1/8th to 1/10th. So a 10,000 pound launch abort system reduces the payload to orbit by a little more than 1,000 pounds.

      Also, unmanned vehicles get launched on trajectories that are different from manned vehicles for launch abort reasons. Unmanned launches are almost straight up to get out of the atmosphere sooner.

  3. common sense says:

    Wayne:

    I think there is a flip side to that coin. First, these requirements, if I read them right, only apply to NASA crews. Therefore NASA may end up in a situation where they will not be able to send any crew to space while the launch company can send any crew of their own.

    As for your comment about LAS. At least “you” should know that an LAS is not the panacea, don’t you? That increased complexity possibly means increased risk. The LAS as envisioned for Orion/Ares was putting the crew under so much stress, at least in the early design, that it was not even clear they might survive. The LAS requirement may not go away from a NASA perspective indeed since I believe it originated with the Astronaut Office but the Astronaut Office may become more and more irrelevant. After all they have been willing to fly Shuttle for several decades without a LAS. Do you think that a launch company would have any difficulty finding people to ride a rocket without a LAS? Even very rational people? And as to the utility of a LAS you may look at the history of Soyuz. How many times did they use one? How many times did we use one on Mercury? Gemini? Apollo? There will be times when crews will be lost with or without a LAS. The crew of Apollo 1 would not have survived with an LAS. Same for Columbia. So I think you ought to put things in perspective especially considering your experience.

    Sincerely.

    • waynehale says:

      My personal take on the last 30 years of the shuttle is I really wish it had a launch escape system. You are right, in 50 years of human spaceflight, a LES system has only saved one crew; perhaps it is not worth it.
      Unless you had been on that one crew.

      I also happen to agree that any launch abort/escape system must be well designed so as not to become a hazard in itself.

      That is my personal perspective considering my experience.

    • Steve Pemberton says:

      Do you think that a launch company would have any difficulty finding people to ride a rocket without a LAS? Even very rational people?

      Whether or not astronauts are willing to take risk is not all that relevant so I don’t know why it is so often used in discussions as some type of gauge for setting safety levels. There is only one situation where an astronaut’s opinion about risk should be listened to and that’s when they express a concern about safety. Why is that? Because they may be noticing or sensing a risk that others haven’t, or they may have picked up through the grapevine a risk that hasn’t made it to the ears of managers. Maybe the astronaut is wrong, but their concern should be taken seriously and not dismissed.

      On the other hand if an astronaut expresses that they feel that it is safe to fly, that’s not really relevant. Why? Because the reverse is not true, an astronaut cannot in any reliable way notice, sense, or hear through the grapevine that it is safe to fly.

      Finally you have the astronaut that you are describing who is aware of higher than normally acceptable risk, but expresses a “light this candle” bravado. That again is not relevant because it’s not their spacecraft or their program. Many lives and livelihoods are at risk, not just theirs. A fatality in a government run program immediately puts the entire program at risk (i.e. Challenger and Columbia) and would likely put a private company like SpaceX out of business. Maybe you don’t think so, but then again it’s not your company at risk, or your space program (except as a taxpayer).

      • JFC says:

        here’s the problem – anything funded in any way by NASA is going to be “blamed” on NASA….

  4. Andrew W says:

    I wonder if it’s possible to use the fuel in a reusable space capsule’s OMS to be used in a LES, take the two hypergolic propellant components and squirt them into a simple combustion chamber between the pressure hull and heat shield. Messy, inefficient, blows the heat shield to bits, but the controlled explosion still does the job of kicking the capsule clear. And I’d argue that even if the process looks messy and is inefficient, that doesn’t mean it’s not well designed, well designed means the system is reliable in doing what it needs to do without excessive complexity, cost, or weight.

    • waynehale says:

      Several folks have expressed an interest in designing launch abort systems which would use the fuel carried for orbital maneuvering and attitude control systems. That could be an elegant solution – but I think it needs a tad more engineering than your simple combustion chamber proposal.

      • Robert H. says:

        We asked the same thing on Constellation and the reply made a lot of sense. The LAS for CEV is a tractor solid rocket so it pulls the capsule away. Explosive bolts free the capsule from the service module. The worst case scenario, it can pull hard enough that crew experiences 15G. It is a solid, just like previous US vehicles and the boost part is not throttleable.

        The vehicle stack is not built to handle pulling forces, so if the LAS fires while the capsule is still attached the structure would fail. Adding structure to withstand the pulling forces was not worth the weight penalty.

  5. Geoffrey V. Hughes says:

    waynehale says:
    January 7, 2011 at 11:46 pm
    …You are right, in 50 years of human spaceflight, a LES system has only saved one crew;…

    I believe that that statement is in error. Have there not been two [2] successful Soyuz crew recoveries using a Launch Escape System?

    Soyuz Flight #18:
    4/5/1975 Soyuz 18a 7K-T (aka Soyuz 18-1) A failure of staging resulted in need to use the launch escape system. The crew endures high-G’s during the launch abort followed by a 20 G landing in mountains near Chinese border. After touch-down, the capsule slid down a slope towards a cliff. Fortunately the parachute snagged on a tree and halted the capsule. One cosmonaut suffered internal injuries that prevented further flights.

    Soyuz Flight #49:
    9/26/1983 Soyuz T-10-1 T Fire prior to launch results in use of launch escape system to save crew.

    Source Data:
    NASA Astronauts on Soyuz: Experience and Lessons for the Future
    NASA/SP–2010–578 / August 2010
    Appendix B: Crewed Soyuz Flights

    In the case of NASA, Gemini 6A [VI-A] Walter M. Schirra, Jr. Commander and Thomas P. Stafford, pilot, in their initial December 12, 1965 launch attempt came very, very, close to utilising their Launch Escape System [Ejection Seats] when their Titan II main engines automatically shut-down just after ignition. Schirra elected not to eject contrary to “mission rules” as neither he nor Stafford detected any signs of the Titan tipping over. The vehicle was “recycled” and successfully launched 3 days later on December 15th.
    Source: http://en.wikipedia.org/wiki/Gemini_6A

    Just because there have been few actual uses of Launch Escape Systems does not mean their usefulness can be cavalierly dismissed. I have had airbags in my cars for over twelve years now without any use. This does not mean I am prepared to remove them as unnecessary despite the risk of their inadvertent deployment. Tomorrow is a whole new day……!!

    Thank you Wayne for pointing to the NASA Soyuz publication. It made for very interesting reading. As indeed does your blog. Do please keep-up the good work.
    Thank you.
    Geoffrey.

    • waynehale says:

      I stand corrected about two launch aborts. I believe the Soyuz 18a (aka ‘The April Anomaly’) was a failure of upper stage separation which was post LES jettison. However, it was a launch abort and the Soyuz system provided an abort system which worked. So twice.

  6. waynehale says:

    Note to the readers: in an earlier post on this blog space I set forth the rules. Today I deleted/did not post some comments because they violated the rules. I will not allow this blog site to become an uncivil place. No ad hominem attacks allowed, no unsubstantiated snippy replies allowed, and finally, no comments longer than the original blog post allowed.

  7. Which it it? says:

    Your two articles certainly seem to contradict each other.

    So which is it?

    The coming train wreck for Commercial Human Spaceflight

  8. John says:

    If someone were to build their own spacecraft and/or launch vehicle; fly it successfully many times, demonstrate its capabilities in actual flight; then I suspect the new human rating requirements would be tossed aside in favor of demonstrated actual flight performance.

    And that is as it should be.

    Wayne: If by “new” human rating requirements you mean the new suite of documents that describe the body of knowledge NASA has accumulated over the years, I respectfully disagree.

    I read your statement to mean that our experience, experience built on the very blood you mention, should be tossed aside after some number of successful flights are flown by a spacecraft that does not follow those requirements. A few extreme examples: should we toss aside standards if we fly 50 flights with 100% O2, or with zero fault tolerant systems for (comm/life support/eps/dps), or without launch commit criteria for lightning?

    I hope that isn’t the toss you are suggesting. Please clarify.

    w/r

    • waynehale says:

      I completely agree that anyone who builds a spacecraft should learn from the past, heed the lessons that have been learned the hard way.

      My beef with the new suite of documents purporting to be the NASA human rating requirements is that they are too bureaucratic and too prescriptive.

      I also believe that the FAA method of demonstrating vehicle capability in actual flight is a better method than engineering analysis, etc.

  9. P. Savio says:

    I sometimes wonder whether an Apollo style LES is worth the risk and financial cost. A LES is only available for the first 3 minutes of flight on Soyuz and was about the same on Apollo I think.

    Also would the Challenger crew have survived if they had the current setup with Shuttle (i.e., launch and entry suits, escape pole)? I think there are cue cards for crew bailout escape on the Shuttle flight deck during launch for structural break-up of the Shuttle during launch? So there must be some thinking within the program that another Challenger type event might be survivable assuming sufficient altitude.

    Maybe another limited escape option for Dragon (or similar capsule design) is to have a Pad based escape system that pulls the capsule away from an exploding rocket on the launch pad that would disconnect once launch happens (and be robust enough to protect the capsule and astronauts during a pad based accident with the rocket)? Also more crew have been lost on re-entry than launch (11 during re-entry/landing vs 7 during launch). Maybe Dragon crew should have a bailout system as well instead of a LES?

  10. waynehale says:

    Crew escape during re-entry is a much more difficult engineering problem than the ascent case. The pressure suits and parachutes incorporated post Challenger might very well have allowed a similar early launch breakup to be survivable; those systems could do nothing to help the Columbia crew. Bailout systems during re-entry have a very limited usefulness; basically the very last part of the flight is all that can be protected; the regime where most objects disintegrate during entry is much worse.

  11. David Buchner says:

    I have nothing useful to add — just wanted to say thanks for the interesting reading. I have a hard time keeping up with all the blogs that interest me, but I always make sure to read yours… eventually.

  12. Jack Knight says:

    Wayne, as usual, does an excellent job of summarizing a topic. However, I think the FAA approach he refers to is for commercial aircraft, intended to transport the average person for a fee from point A to point B. The FAA indeed does that. But they also have provisions for all sorts of other airborne vehicles, including balloons, for special circumstances as well as a provision for Space Transportation licenses. For aircraft, see http://www.faa.gov/aircraft/air_cert/airworthiness_certification/aw_overview/ and for the current licensing of Space Transportation (which does not contemplate passengers but rather is designed to limit the risk to people and property on the ground), see http://www.faa.gov/licenses_certificates/commercial_space_transportation/ .

    Bottom line, it seems to me that spacecraft at this point are really more akin to experimental aircraft, which have different criteria than commercial aircraft and which assume an operator who has some notion of the risks and will bear the brunt of failures. I personally believe that astronauts fall more into this category than an average commercial airline passenger.

    As to assessments of safety or reliability, these are essentially probability calculations with potentially large elements of uncertainty. Reduction of that uncertainty comes about with actual demonstrations but to reduce it a lot, there must be very large numbers, as well as fundamental understandings of the systems and environment involved, as Wayne alluded. Design margins are an extremely key element of the true reliability but do not figure largely in the calculations. Especially in the area of structure, higher margins almost always translate into additional cost or weight or both.
