A recent accident has humbling parallels with the earliest recorded aviation death, Adrian Park writes.
Koehn Dry Lake, California, 31 October 2014 / Wimereux, Pas de Calais, 15 June 1785.
The endeavour was a bold one. It involved a type of flight never before attempted. A generous benefactor was enlisted, the crew were world leaders in the field, and an innovative craft—never before built—was commissioned. Every aspect of the endeavour was planned in intricate detail, but there was a fatal human factors oversight. No one seriously considered that one of the best pilots, with the best tech of the era, could make a serious mistake. No one seemed to have considered the best pilot could have a bad day; that is, the best pilot could have a high demand, high-workload day and, on that day, the polished professionalism of a great pilot could quickly become the dull sheen of an overloaded, fallible human.
The pioneering flight headed skywards without incident. At first everything proceeded as planned, with the innovative craft performing as it should. However, as the flight progressed and the demands on the crew’s attention increased, so too did the workload. At a critical moment, human limitations converged with the design flaw, and the vehicle broke apart, flinging its occupants to the earth below.
This was not the doomed flight of Virgin Galactic’s SpaceShip Two, but it was kin. It was 1785 in the era of humanity’s first flight efforts and the ‘pioneering, experimental’ flying vehicle was one of the first manned balloons. The date was 15 June and the craft was of an unprecedented design: a hot air balloon tethered below a hydrogen balloon—a design which allowed greater altitude control (and is still used, although with non-flammable helium). The design flaw was (of course) a hot air balloon tethered below a hydrogen balloon. As one contemporary wrote of the pilot: ‘he has the audacity to light his fire besides his powder magazine’.
At first the innovative design worked well and Jean-Francois Pilatre de Rozier was able to make reasonable progress in his attempt to cross the English Channel. He did this by adjusting the balloon’s altitude to find the best winds and by constantly tending to an onboard fire below the hot air balloon. Above the hot air balloon, the highly flammable hydrogen balloon did the hard lifting. De Rozier was the best of the early aeronauts (the name coined for early balloon pilots). Only two years before he was the first ever to break the bounds of earth, in a sustained way, under the approving gaze of King Louis of France, flying for an unheard-of 25 minutes—borne aloft by a Montgolfier balloon designed by the paper-making brothers of the same name. But apparently even the best of the best (which de Rozier was at the time) did not have the capacity to consistently and precisely stoke the fire in such a way as to maintain lift while avoiding an explosion. At some point, after being blown back over land, the demands of the design flaw on human capacity proved too much. De Rozier’s balloon suddenly deflated, with both de Rozier and his passenger falling at least 1500 feet to their deaths, becoming as much victims of the human factor as of gravity.
0.0 seconds: SpaceShip Two released from WhiteKnight Two.
2.5 seconds: SpaceShip Two rocket motor started. Pilots exposed to noise, vibration and constant high G-forces during powered flight phase.
8 seconds: Copilot calls out speed at 0.8 Mach to warn pilot to expect transonic ‘bobble’ (transonic turbulence).
10 seconds: Copilot unlocks feathers while aircraft in transonic phase. Unlocking should not occur until the spaceship reaches 1.4 Mach.
11.5 seconds: Aerodynamic pressures cause unlocked feathers to extend. Nose pitches upwards and aerodynamic forces tear the spaceship apart.
Transonic and turn phase: During the transonic period and the turn into the climb, aerodynamic forces apply significant upward pressure on the feathers.
14 seconds: Start of climb. Aerodynamic forces apply downwards pressure on feathers.
24 seconds: Speed 1.4 Mach. Copilot’s task to unlock feathers. If not unlocked by 1.8 Mach the flight would be aborted.
Fast forward 230 years to another bold endeavour: sub-orbital, commercial space flight. On 31 October 2014, SpaceShip Two was to conduct its fourth powered test flight involving a 38-second burn of the rocket motor followed by a supersonic glide. Launch and detachment from the mother ship went well, as did the ignition of the rocket motor, but as the speed of the craft increased rapidly, so too did the demand on the pilots.
With the pilots knowing there was a relatively short window in which to carry out a number of checklist and analysis functions, the cockpit workload was quickly increasing. Complicating the crew’s ability to function were flight suits, helmets, oxygen masks, parachutes, and gloves, which reduced dexterity, and with which they were relatively unacquainted—their simulator flights had not required such equipment previously. It didn’t help either that the increased acceleration meant increasing vibration and noise—another thing not replicated in the ground-based simulator. All this added significantly to the workload stresses of the pilots, who were no doubt acutely aware that the faster the experimental craft went, the greater the danger of a hidden threat. But the real risk on this day wasn’t from an unknown external threat—the risk was from two rather plain, conjoined levers in the centre of the cockpit, marked innocuously ‘LT FEATHER LOCK RT FEATHER LOCK’.
The feather-lock system of SpaceShip Two enabled the twin-tailed segment of the craft to pivot upwards from zero to 60 degrees as a re-entry speed-brake. Early on in the program, crews and engineers were concerned that if a malfunction occurred and the feather locks could not be disengaged to allow for a tail-up re-entry, the consequences of a high velocity, non-braked entry into the atmosphere would be a disastrous breakup. Ironically, much time and thought was invested into developing a cockpit procedure to mitigate this possibility—a possibility that in itself would first require a significant malfunction—while virtually nothing was done to guard the feather-lock levers. This was surprising as these levers were also, at subsonic speeds, the equivalent of self-destruct levers. In a more conventional aircraft, a high-risk lever or switch such as this would usually be decorated with threatening orange or yellow hash markings and red or orange warnings. If practical, or if possible, it would also have a safety pin or interlock system. SpaceShip Two had none of these safeguards.
The cockpit procedure in SpaceShip Two required the co-pilot at Mach 1.4, within a short time, to retract the feather locks by pushing their lock handles to the right and down.
The idea was that beyond Mach 1.0, the resultant supersonic ‘centre of pressure’ would provide a downward force on the twin-tailed segment and thus assist the pneumatic actuators to hold the segment in place. However, at transonic speeds (in the transonic ‘bobble’) if the locks were somehow disengaged, aerodynamic forces would act against the actuators, dangerously pulling the tail assembly upwards. Engineers had discussed this in an almost incidental fashion with crews, and while it was recognised that a premature deactivation of the feather lock at transonic speeds would most likely destroy the craft, the naïve assessment was that the crews would not do such a thing. It was assumed the human factor of error potential was not a factor; at least not one worth guarding against. As a result, while crews trained and developed cockpit procedures for the ‘might happen’ of a feather-lock malfunction, nothing was done to redesign the levers or fashion secondary locking mechanisms, or provide warning placards—any one of which would probably have prevented that simple but catastrophic lever movement. It is sobering to think that every SpaceShip Two transonic flight was only ever one downward push away from disintegration.
On its fourth rocket powered flight, as SpaceShip Two accelerated to transonic speeds, the pilot in command called out ‘Mach 0.8’ as an advisory statement. As he did, the co-pilot, who had his hand on the feather lock levers awaiting Mach 1.4, inexplicably pulled down on the levers disengaging the feather locks and leaving the actuators to deal with the full brunt of transonic force.
Within microseconds, the tail segment of SpaceShip Two began to flutter dangerously against the actuators. With the tail segment representing a good third of SpaceShip Two’s mass, and now being violently pulled upwards, SpaceShip Two’s pneumatic actuators and structural strength quickly gave way to the destructive forces of the vibrating tail assembly. At this point there was a loud bang, and a strange sound in the background the pilot would later liken to ‘paper fluttering in the wind’, which he attributed to the cabin coming apart. It was indeed coming apart and as he passed into unconsciousness he was thrown out and down into a 46,000 foot free-fall. Amazingly he survived, thanks to the automatic activation of his parachute as he fell through 20,000 feet. The co-pilot tragically did not, and was later found still strapped to his seat amid the five-mile-circumference debris field. A simple downwards pull of a lever was all it took to cause a fatality and thwart years of development, training and testing.
It’s easy to look at de Rozier’s attempted balloon flight across the English Channel and wonder why on earth he’d strap a fire-carrying balloon to a hydrogen one. With our armchair snobbery it’s good sport to deride such foolishness, and especially easy when separated by at least two continents, an ocean and 230 years.
But why is it that in the 21st century, with all the benefits of modern technology, sophisticated human factors training and libraries of accumulated aviation knowledge, a simple lever on the centre console of a sophisticated spacecraft was also an unguarded self-destruct lever?
In the age of heavily legislated aviation there is something deeply inspiring about pioneering flight. Most modern aviators fly within the bounds of routine for the majority of their careers.
Only the unexpected emergency pushes us closer to the edge of normal. But for experimental test pilots, many of their flights are outside the bounds of ‘normal’ in untried flight envelopes with untried vehicles. This generally means a level of acumen above and beyond that of the average pilot. This does not, however, mean a level of acumen above and beyond fallible humanity. From aeronauts to astronauts, basic human fallibility is an always and forever threat.
After 230 years of flight, the deadliest human factor continues to be humanity’s proclivity to over-estimate its abilities and under-estimate its fallibility.
Experimental or routine, no matter what aircraft we fly, we always fly with the potential for error. And this means we should always fly ‘human-factor’ aware; that is, fly monitoring our own fallibility the same way we’d monitor a lit fire burning beside a powder magazine.
Aeronauts and their Balloons: the Story of Aeronauts and the first Balloons by Scott Slaughter.
‘In-Flight Breakup During Test Flight Scaled Composites SpaceShipTwo, N339SS Near Koehn Dry Lake, California October 31, 2014’ Aerospace Accident Report, NTSB/AAR-15/02.