Category Archives: Aerospace

aerospace and software

I can’t believe NASA would even consider a crewed flight without another uncrewed flight.  The awesomeness of autonomous spacecraft is that you can fly them until you get things right.  My old company has flown its spacecraft numerous times without any major issues, but they’re still doing missions to make sure everything is safe before putting a person on.  Boeing had a MAJOR issue, and what’s troubling to me is that it’s the sort of fault that should have been avoidable with proper ground simulation.  Some things are hard to test on the ground, like getting high confidence in aerodynamics, for example, but proper timing should have been possible to ground test.

This also just makes me wonder what is going on with Boeing.  Are they capable of making safe aircraft and spacecraft?  Their recent track record is just not great.  I’d love to know more about their software development process for spacecraft.  I’m familiar with the approach used here in Seattle for aircraft.  It’s industry standard (for aerospace), but I honestly feel it’s flawed, as was obviously demonstrated by the crashes.  I think a lot of the approaches used in software today made more sense when software was far less complex.  The complexity that today’s powerful computers allow calls for rethinking some of the verification approaches.  I think we should be moving away from verification that’s focused on unit testing and moving towards more emphasis on simulation.  Both are obviously done, but my experience has been that as the rigor of verification increases, the emphasis shifts from simulation to unit test, to the detriment of the system’s overall reliability.


truth, lies, and o-rings

I’m reading Truth, Lies and O-rings by Allan McDonald regarding the Challenger disaster.  The author was a senior manager at the time of the Shuttle disaster in Morton Thiokol, the company responsible for making the solid rocket motors, which were the point of the failure.

I’m only 16% of the way through, but it is seriously like watching a car crash.  It’s mind-boggling, but I suppose it shouldn’t be based on my worldview that most people, including most engineers, are incompetent and that engineering is very hard because unlike many professions, there is a right answer, and the wrong answer results in failures.

In any case, I am blown away by reading about how MT (Morton Thiokol) is busy analyzing their O-ring problems and is aware that there is a temperature component based on the observations on the retrieved hardware from previous flights.  However, they don’t bother to try and really figure this out until the night before a proposed Shuttle launch date in cold weather, at which point their engineering team hastily comes up with a hand-written proposal recommending a launch commit criteria of 53 F temperature at the O-ring.

Now, when your vendor is telling you it’s not safe to launch below 53 F and you’re flying humans, it seems obvious in retrospect that the proper course of action is to stand down and do a full analysis.  I mean, you don’t develop launch commit criteria using the back of an envelope.  The real question should have been, among other things, how can you be really sure that 53 F is really safe?  (The Shuttle had previously survived a mission with the O-ring at that condition, but that’s no guarantee it would survive a thousand or a hundred thousand missions at that condition given other uncertainties.)

If no astronauts were in the picture, it would have been absolutely appropriate for NASA to push back, consider proceeding at risk, pressure the vendor to reconsider, whatever.  But with astronauts’ lives on the line?  If your vendor pulls a new launch commit criterion out of their back pocket on a system that’s supposedly been qualified to 13 degrees lower?  (Keep in mind that in aerospace, to qualify something to a given temperature you test to temperatures 30 degrees lower or higher.  It’s unclear to me when the author says the booster was qualified to 40 F whether he’s saying it was tested at 10 F, or that it was tested at 40 F.  I presume the former.)  I would conclude that my vendor was incompetent and that a full review of their system was needed.

Well, now I get to read what NASA really did.  It’s interesting reading because my knowledge about Challenger is really quite limited.

fear of failure

I was sorry to see the SpaceX failure today.  Obviously.  One thing that I like about the space community is that generally speaking, engineers pull for each other, whether they be American, commercial, Russian, other foreign, or government or whatever.  OK, I don’t know any Russians, but I assume they also like to see successful American launches, too.

One thing I hate about rocket launches is that no one notices or cares when launches are successful, but when one fails, you hear one of the following: Why are we wasting money on space exploration?  This is too dangerous!  We should be paying for food for the hungry instead.  Commercial space is a failure and can never succeed!  Drives. Me. Crazy.  You cannot succeed if you’re afraid to fail.

Yesterday, I had the privilege of listening to the man who I find to be the most inspirational speaker on the topic of space.  By the time he had finished talking, I was thinking, “Space is our future!” – just like the bumper sticker.  My dismay at the troubles of global warming and racism and gun control and everything else wrong with this world was put temporarily on the shelf as I reflected on the bright and exciting future of space exploration.  This crash does not really dim my excitement all that much.  (Time and the mundane challenges of daily life will do that quickly enough.)

I re-watched Blue’s launch video with my daughter this morning.  How high, Mama?  she wanted to know.  I tried to explain to her that it was much, much higher than the plane we’d taken to New York, but I’m not sure she understood.