The fatal in-flight breakup of Virgin Galactic's futuristic SpaceShipTwo rocket plane during a test flight last October was the result of pilot error, possibly triggered by a high workload, unfamiliar vibration and rapid acceleration, the National Transportation Safety Board concluded Tuesday.
But the NTSB also found that the pilot's misstep was at least partially the fault of spaceplane builder Scaled Composites, which failed to fully recognize and address the consequences of critical single-point human failures, trusting pilots to properly perform in a high-stress environment without a full understanding of those consequences.
The futuristic spaceplane was built by Scaled Composites, a subsidiary of Northrop Grumman Corp., and was undergoing flight tests under contract with Virgin Galactic. The test flights were expected to pave the way toward the start of commercial launches carrying space tourists on brief sub-orbital trips above the discernible atmosphere.
But during SpaceShipTwo's fourth rocket-powered test flight on Oct. 31, 2014, the vehicle broke apart about 14 seconds after its hybrid rocket motor was ignited, killing co-pilot Michael Alsbury and injuring pilot Peter Siebold, who somehow survived being blown out of the disintegrating craft for a harrowing freefall and parachute descent to Earth.
After a nine-month investigation, the NTSB concluded, as expected, that the primary cause of the mishap was the co-pilot's premature unlocking of the vehicle's unusual rotating wing-and-fin assembly, known collectively as the feather mechanism.
The large, swept-back tail fins, or winglets, are designed to rotate upward 60 degrees before re-entry to stabilize the spacecraft and slow it down for a safe plunge back into the dense lower atmosphere.
Famed aircraft designer Burt Rutan came up with the idea while building a smaller, non-commercial version of the spaceplane. He said the feather system made the spacecraft descend somewhat like a badminton shuttlecock, relaxing guidance requirements and reducing stress on the vehicle.
But SpaceShipTwo's feather system was not supposed to be unlocked until the spacecraft reached a velocity of 1.4 times the speed of sound, fast enough for aerodynamic forces to keep it in the proper position prior to extension.
But during the October test flight, cockpit video cameras show Alsbury unlocked the mechanism at just eight-tenths the speed of sound, or Mach .8. While the actuators that normally would rotate the feather upward later were not engaged, the aerodynamic lift acting on the fins at that velocity and altitude was strong enough to force the tail fins to suddenly rotate up toward the re-entry position.
The vehicle broke apart an instant later, raining wreckage on the Mojave Desert below.
The NTSB concluded Alsbury was ultimately responsible, but found that SpaceShipTwo builder Scaled Composites did not adequately address the possibility of any such pilot-induced errors, only how pilots could fail to properly respond to various system malfunctions.
"The National Safety Transportation Board determines that the probable cause of this accident was Scaled Composite's failure to consider and protect against the possibility that a single human error could result in a catastrophic hazard to the SpaceShipTwo vehicle," the NTSB concluded.
"This failure set the stage for the copilot's premature unlocking of the feather system as a result of time pressure and vibration and loads that he had not recently experienced, which led to un-commanded feather extension and the subsequent aerodynamic overload and in-flight break up of the vehicle."
The NTSB also faulted the Federal Aviation Administration for granting an unrequested hazards analysis waiver to Scaled during renewal of the company's license to conduct experimental test flights and said agency management blocked technical questions not directly related to public safety that might otherwise have identified problems.
The NTSB also cited "pressure" inside the FAA to move commercial spaceflight applications along, although the nature of that pressure, or its motivation, was not specified.
But most of the board's discussion Tuesday centered on Scaled's failure to fully consider the impacts of single-point crew failures and taking steps to make sure flight crews and controllers understood the threat posed by errors like a premature feather release.
"Scaled composites did not emphasize human factors in the design, operational procedures, simulator training or hazard analysis for SpaceShipTwo," said NTSB investigator Catherine Wilson. "During the design of SpaceShipTwo, Scaled did not consider the possibility that a pilot would unlock the feather before 1.4 Mach and as such, no safeguards were built into the feather system designed to prevent this."
Although SpaceShipTwo program personnel acknowledged they were aware that unlocking the feather mechanism during transonic flight could be catastrophic, "there was no warning, caution, or limitation in the SpaceShipTwo pilot operating handbook or on the PF-04 (powered flight No. 4) test card that specified this risk," Wilson said.
"The only documented discussions about the loads on SpaceShipTwo's tail occurred more than three years before the accident in an email and a Powerpoint presentation," she said, adding that FAA personnel were not informed about the issue.
"In addition, human factors were not fully considered in SpaceShipTwo training as the simulator did not replicate the vibration and loads nor did pilots train with the same flight gear that they were expected to where during the actual flight in the vehicle," Wilson said.
Alsbury was a veteran Scaled test pilot, but he only had one powered flight to his credit in SpaceShipTwo and "the lack of recent experience with powered flight vibration and loads could increase the co-pilot's stress, and thus his workload, during a critical phase of flight," Wilson said.
NTSB board member Robert Sumwalt said "as humans, we all commit mistakes."
"I think the question we're all trying to answer here is why did the co-pilot unlock the feather early? I think that's a question people have been pounding their heads trying to figure out for nine months now."
Quoting interviews with other Scaled Composite test pilots, Sumwalt said Alsbury was "'as professional a co-pilot as you could have and was 100 percent prepared for the mission. He was always looking for ways to do things better. No one knew the FAA regulations better than him. No one was better at procedures than him.'
"And I think that really puts it in perspective, this was somebody who was really a professional, trying to do it the right way and yet the error occurred."
The NTSB showed three videos documenting SpaceShipTwo's launch from the WhiteKnight carrier plane. One of those, from a camera mounted on one of the twin feather winglets, showed SpaceShipTwo's hybrid rocket motor igniting as expected a few seconds after the spacecraft was released from the carrier jet.
Then, unexpectedly, the wing fins suddenly begin swinging up. The NTSB video stopped at that point, an instant before vehicle breakup began.
While Alsbury's action initiated the failure, the NTSB was equally, if not more, concerned by Scaled Composite's failure to fully recognize and address the possibility of a single piloting error that could have such catastrophic consequences.
"Scaled understood very well that in the transonic region if the feather was not locked, the aerodynamic loads would push the feather up, those forces would exceed the ability of the actuators to hold them down, so therefore they had to remain locked during that transonic region," Sumwalt said. "They knew that and understood that very well."
He said the company effectively "put all their eggs in the basket of the pilots doing it correctly. So that's a single-point failure, if the pilot does it wrong or the co-pilot does it wrong, then it will have very bad results, catastrophic results in fact."
He then asked a staff member if a single-point mechanical failure mode would be acceptable.
"It would not," the staff member replied.
"It would not," Sumwalt repeated. "So why would a single-point human failure be acceptable? And it really should not be acceptable. The fact is, if you put all your eggs in the basket of a human to do it correctly, and I don't mean this flippantly, but humans will screw up anything if you give them enough opportunity."
He said he meant no disrespect to the crew, "but the fact is a mistake was made here. But the mistake is often times a symptom of a flawed system. So it's important to anticipate the errors and design an error-tolerant system."
The NTSB made 10 recommendations to improve the FAA's visibility into experimental spacecraft operations and systems, to improve communications and to make sure human factors are fully assessed from the start of a spacecraft's design.
For its part, Scaled Composites has implemented multiple changes, including the addition of human factors expertise, and Virgin Galactic, which is pressing ahead with construction of a new spaceplane, has added an "inhibitor" to prevent a premature feather release on future flights and is upgrading crew resource management for its pilots.
"Even without an NTSB recommendation or requirement to do so, Virgin Galactic engineers have designed a mechanism to prevent the feather from being unlocked at the wrong time in future flights," the company said in a statement.
"Virgin Galactic had begun safety reviews and a vehicle improvement program prior to the accident in preparation for the expected transition of SpaceShipTwo from Scaled Composites for the start of commercial service. After the flight test accident, Virgin Galactic assumed full responsibility for the completion of the flight test program and is getting ready for commercial service."
Virgin Group founder Richard Branson said "we will never forget the tragic loss of Michael Alsbury." But with the NTSB investigation complete, "Virgin Galactic can now focus fully on a strengthened resolve to achieve our goals. It is important that our collective efforts and sacrifices are not in vain."