…had an anomaly during a static test at the Cape. Not clear whether this will delay the abort test, but if it does, it will likely delay the first crewed flight as well.
[Late-evening update]
Here’s the latest from Stephen Clark. Sounds like a total capsule lost. I wonder how fast they can build another one?
[Monday-morning update]
Eric Berger has the latest on what we know, and what we don’t.
From the comments on the article: Florida Today: Smoke seen for miles
The cloud of red or orange smoke is thought to be N2O4.
Rumors say the capsule was rapidly decertified for flight.
Those capsules seem inherently dangerous, so perhaps they should add some kind of abort system, such as ejection seats so they can escape from an explosion of the abort motors that might occur when they are escaping from an explosion of the Falcon 9, just to add more unreliability to the overall system.
Aside from the obvious possibility of an engine explosion, it failed on the last test cycle (catastrophic test failures always seem to occur that run before they quit testing and start picking up pieces). Each paired Super Draco mount is getting hit with 32,000 lbs of force, perhaps applied in rapid and intermittent cycles, so the Dragon might have suffered a fatigue failure in the support structure.
However they were also doing multiple runs, and if they were running full duration aborts, the capsule would’ve required refueling between tests. That introduces the possibility of the failure originating externally, or being caused by an improper fueling or tank pressurization anomaly, or from a fuel leak somewhere in the test stand.
In any event, this will cause serious delays.
Never mind. The first test was just the regular Draco maneuvering thrusters. The second test was the Super Draco and the anomaly occurred either right before or right as they fired.
As Scott Manley notes, the origin point of the explosion doesn’t seem to be the Super Draco thrusters. More likely (another) COPV failure?
Never say never, I suppose, but that seems unlikely.
Any COPV’s on D2 are mounted between the skin of the capsule and the pressure hull. And none of them are submerged in LOX as were the COPV’s in the F9 S2 that failed with Amos-6 aboard. So that particular failure mode isn’t even possible.
It’s theoretically possible a COPV simply failed under normal load, but, given the static testing those things are subjected to, post-Amos-6, I’m thinking the root cause of this latest explosion almost certainly lies elsewhere.
To borrow a notion Tom Matula has floated on other forums, perhaps the problem is related to the thorough seawater dunking this capsule took at the end of its ISS mission.
Yeesh, that sounds really bad.
The Dragon that had the, er, anomaly, was (I’m pretty sure) the Dragon from the DM-1 flight, and therefor the Dragon planned for the IFA.
If said Dragon is now, as rumored, fairly widespread in location, I suspect it will not be used for the IFA. That’ll mean they’ll have to use the DM-2 Dragon for the IFA, which will probably rule it out for the DM-2 mission. And there is no third flight Dragon 2 in existence, yet.
Even if the cause of today’s event is quickly found and fixed, I think we’re looking at a major delay here. I hope I’m wrong.
From a more recent comment:
The Super Draco has a chamber pressure of 1000 psi, and it’s pressure fed for reliability. The Super Draco has a protective shield around it so an engine explosion won’t daisy chain.
Interesting!
However, while a COPV letting go is indeed a plausible cause, IMHO there are others. My current wild guess for an alternative is a failure of a nitrogen tetroxide line, which placed some nitrogen tetroxide in contact with residual water, forming nitric acid and nitrous acid. This could have compromised the hydrazine lines, leading to a meeting of the two hypergolics. (Okay, upon reading what I wrote, it’s far-fetched because it requires two points of failure; water left in the dragon plus a line leak)
Based on the size, color, and shape of the cloud seen in a photo, my guess is at least one pair of fuel/oxidizer tanks ended up combining.
BTW, I like your point about inherent dangers and complexity. I’m of the opinion that it would be a good idea to look into whether the LAS (on any vehicle) actually adds more risk than it mitigates.
I wonder if someone might look into the subject of abort system safety. ^_^
Anyway, the Dragon 2 carries 1,388 kg of fuel (according to what they filed with the FAA). Assuming they’re using the same 1.65:1 N2O4/MMH mixture ratio as the Shuttle OMS system (which they probably don’t because it’s not optimal at their higher chamber pressure), that would work out to 523 kg MMH and 864 kg N2O4, and about 600 liters of each. At full thrust they should empty the tanks in about 5.6 seconds. My thought is that right as the fuel starts down the lines at about 100 liters/second for each tank, the initial pressure drop in the tanks due to the very low starting ullage is going to be pretty darn large unless the helium can really rush in.
If it’s just simple plumbing (a pressure regulator) it should work, but if they’ve got an almost-smart-enough control system it might sense a pressure drop anomaly in the tanks and perhaps try to take some kind of ill advised corrective action, such as really opening the helium valve while slamming a fuel valve closed under extremely high flow conditions, or some such thing.
It’s hard to speculate further without having design documents and perhaps parts laid out on the floor.
And that’s of course all assuming that all kinds of crazy things weren’t happening to the capsule on the side opposite the camera view that the rumors are based on.
Has anyone used a hypergolic abort system before? All the ones I can think of are solid rockets.
You would be correct if not for the oddball case of the abort system on the Apollo Lunar Module, since Blue Origin’s pusher escape system uses solids. The LM used the ascent stage’s hypergolic engine to abort a failed descent. But they only ran that engine at about 100 psi chamber pressure, it had large fuel tanks compared to the flow rate, and only provided 1/3rd to 3/4 G’s of acceleration.
The abort systems on Vostok, Gemini, and the early Shuttle missions were standard solid-rocket ejection seats. I think everything else has always been a solid in the tractor configuration.
Interesting point on possibly having active computer control over the pressure system. That’s sure one way to install unexpected opportunities for vehicle dispersion – rather like the Boeing 737 problem, in a way.
Hrmm. If it is a COPV, I wonder if this could be as simple as some water contamination in the Nitrous Tetroxide creating acid and eating away at a COPV?
Starliner’s abort system, of course, uses hypergolics…
Ah yes. I forgot about theirs. You know, Boeing may have to have a further look at the safety of their abort system simply as a result of this failure. They’ve already had a major delay due to a hypergolic leak during a 2018 test, when half of their fuel valves stuck open. That’s why they haven’t managed to fly it yet.
“Has anyone used a hypergolic abort system before? ”
Soyuz and the Apollo CSM both use(d) a hypergolic abort system. The solid rocket tractor motor on both spacecraft was used only for abort from the pad through the end of first stage operation, and the thrust level driven in both cases by what was needed to overcome maximum dynamic pressure base drag, and still have a large positive acceleration. After first stage operation, both merely needed their service propulsion systems to effect abort separation, and the heavy launch escape rocket was jettisoned.
“It’s hard to speculate further without having design documents and perhaps parts laid out on the floor.”
“Speculation…it makes a spec out of u and some guy named ‘lation’.”
— Gregory House
From wiki, the Dragon 2 uses: “composite-carbon-overwrap titanium spherical tanks to hold the helium used to pressurize engines and also for the SuperDraco fuel and oxidizer.”
They were set to fire the SuperDracos, which require a large fuel flow. (I would guess a max of up to 250 kg/sec for all eight engines, based on thrust and ISP.) That would work out to about 153 kg/sec of N2O4 and 93 kg/sec of MMH, or about 106 liters/second of each one. That’s a big flow for such small tanks.
The tanks were almost fully fueled because they’d only been firing the regular Draco RCS engines up until then. So the system is likely going to see a pretty big pressure drop as soon as the valves open, and the helium system will have to make that up really quickly. Perhaps the helium system overshot and over pressurized one of the fuel tanks, or perhaps some high flow phenomenon occurred, such as vibration, water hammer, etc.
Or perhaps they’ve encountered a new failure mode with the COPV tanks in some particular condition.
Anyway, soon we’ll know much more.
All that’s true, but it has also been true for every previous firing of SuperDraco’s on D2 test articles, of which there have been many. Something else must have been different this time and the only obvious things are the re-entry and the bath that particular D2 took in the Atlantic.
I just saw a video. It went from quietly sitting on the pad to fireball in one frame. Not much left, dammit.
Hrm… That makes me think it was initially a helium pressure vessel failure. Based on what’s required for the fuel tanks, I’d guess they have enough on board gaseous helium to pressurize the whole interior to 200 psi, whereas if the tanks were 90 percent full each one would only be able to get the interior to 10 psi from the initial rupture, sans mixing.
I’ve now seen the video. Looks to rather reminiscent of the Amos-6 event, a very sudden and powerful rupture of something. The epicenter seems to be rather high on the capsule to be the tanks, but, that might simply have been where the fireball emerged.
Unfortunately, one thing is quite clear; the DM-1 Dragon suffered catastrophic damage, and would surely have been LOV/LOC had it been on a manned mission.
It appears the event occurred before any superdraco firing.
Here’s a slowed down version.
https://www.youtube.com/watch?v=l9DVRIdA4GQ
Yep. Here’s the normal speed video.
They’d have trouble finding body parts after something that violent.
Given that the capsule can apparently blow up like that, I don’t think NASA will allow it to get near the ISS, even unmanned, until everything is completely resolved to the third decimal place.
I don’t think the violent part is initially a hypergolic explosion, either. The Gemini used ejection seats because the Titan would explode in a slow rolling fireball that they could just escape like it was a burning plane.
What else beside hypergolics is aboard that could create that big a bang that fast? I guess the COPVs might… I can’t think of anything else though (?). Or… a lithium battery explosion?
Good point on ISS; no way, no how would NASA want anything prone to getting all explody going anywhere near it.
Perhaps, just maybe, a safety system that turns the spacecraft into a flying bomb is a suboptimal feature?
There’s an older NASA paper on Orbiter COPV issues that might be worth looking at.
That’s a very interesting paper on COPVs, thank you!
I did notice one thing I found frightening; this paper is from NASA, and claims, right in the opening paragraph, that each shuttle flight can deliver 54,000 pounds to ISS.
They give correct figures later, but that’s an utterly glaring goof for NASA to make.
Looks like the Shuttle COPVs, some at least, were operating at 4000 PSI or more. I wonder how that compares to the dragon COPVs? If they are anywhere near that, or higher, I can sure see how a COPV failure could be the initial blast, plus breech at least one pair of hypergolic tanks.
And yet every single crew or cargo vessel that berths or docks with ISS has propellant on board – and that makes them all potentially flying bombs in some sense. (Yes, some propulsion systems are riskier than others, but…)
And after all, 17 cargo Dragons and 1 crew Dragon have all berthed/docked with ISS without incident.
But we really don’t know what happened.
I remember Rand talking in his book about launch abort systems introducing new failure modes.
Also, the Super Dracos were intended for propulsive landings in addition to the abort function. It seems to me that if they were still going to do propulsive landings, the engines and fuel system would have been test-fired a lot more, including in Grasshopper-type test vehicles. The Super Dracos would be as reliable as the Merlin 1Ds by the time it flew. As abort-only engines, they probably haven’t gotten as much testing. Just my two cents.
I have no idea how much run test time the Super Dracos have, but it’s probably extensive. However, they can’t have much test time on the installed propulsion system as a whole because they haven’t built many all-up Dragon 2’s. When they decided to commit to splashdowns they would’ve deleted the landing legs, which makes free-flight hover tests problematic. That leaves captive firing tests, where they bolt it down using the trunk attachment points, and that’s when the failure occurred.
After this, they’ll no doubt have to do a whole lot of extra captive firing tests, especially pressurizing and then depressurizing the main fuel tanks until they build a large and comforting statistical database.
But assuming the helium tank is the issue…
The post-Challenger NASA paper on the failure modes and reliability of the Shuttle’s numerous COPV tanks, which I linked above, indicates such tanks will all eventually fail due to one of several issues, and notes that their use on the Shuttle saved 750 pounds mass over solid metal tanks.
The Dragon 2 has enough fuel for about three fourths of the Shuttle OMS’s delta V, so the tankage is probably comparable. The Dragon’s dry weight is only 13 percent as much as the Orbiter’s, so a simple comparison says the COPV pressure vessels are only saving the Dragon about 100 pounds of launch weight over pure titanium pressure tanks.
I would recommend eating the extra pounds and switching to solid metal tanks to completely sidestep reams of COPV analysis, microscopic manufacturing inspections, onerous testing both before and after tank installation, and byzantine certification requirements for each new vehicle. Heck, I’d throw in another 50 pounds of metal just to stay further away from the failure margin.
“It will certainly work, unless it just randomly blows you into little bits due to any one of many complex material failure modes,” is not a good recommendation in a safety system.
They can keep studying and re-engineering the COPV tanks until they’re 100% certain they won’t suffer another anomaly, and then re-introduce them into the design as an upgraded version. But in the meantime, they need to figure out the shortest and fastest path to flight worthiness, and that NASA paper tells me that the quick path does not go through an exhaustive engineering and statistical proof that can demonstrate that each and every tank is flight worthy.
Thanks for the detailed response.
It also occurred to me that if the Super Dracos had been intended as abort engines only, the system would have been designed differently. Boeing’s Starliner has them in a separate module behind the crew capsule.
The only reason to have these engines and tanks integral to the crew capsule is if they are used as landing engines. Otherwise there’s no point in carrying all that stuff around during the flight. I understand Dragon 2 had to add a fourth parachute because it was heavier than originally intended since it was carrying the unused propellant during landing.
The may be in for a major rethink on the architecture, which would delay a manned flight for potentially several years.
However, they are also extremely lucky that nobody was injured or killed, and also extremely lucky that it did in fact blow up now. Had the anomaly not occurred on this test, it could have occurred at some other time, and the fact that it did occur indicates that their procedures were not proof against this particular flaw, even if the flaw was a one-off manufacturing defect that might never have recurred.
If it had been a crewed system test it would have been another Apollo 1. On the pad it would’ve been worse because we’d all be watching live. On ascent or descent it would have created the trauma of another Challenger or Columbia, with recovery teams canvasing the ocean floor or bean fields outside Smalltown Texas.
If it had occurred in space, NORAD radars would be tracking the orbits of little chunks of astronaut for years, which takes “bad” into a whole new realm. “Mom, is that a shooting star?” “No honey, that’s probably Uncle Bob’s foot.” The psychological scars from an exchange like that could turn dreams of human spaceflight into a bleak PR nightmare.
But that’s all been avoided because of sheer unbelievable luck. The devastating catastrophic failure mode has exposed itself early, without causing a single injury, and now they can proof against it. Learning the lesson could have taken a much higher toll.
The accident also confirms Rand’s position on how a safety system can increase risks, and interestingly gives new weight to Elon Musk’s old comment that a guy in a scuba tank and a lawn chair would have been perfectly safe on the first ever Dragon ISS mission. NASA wouldn’t let him do that, causing years of delay, and as it turns out, the elaborate system they insisted on was vastly more dangerous than adding nothing at all. The Falcon 9 FT is 49 for 49. The safety system has 1 successful flight and 1 catastrophic explosion. The greatest risk of LOV/LOC, by far, was from the safety system.
I’m sure the obsessive safety folks didn’t intend to add a high risk catastrophic failure mode to an extremely safe flight system, but they did, and that is a teachable moment. They’ll no doubt point fingers at the SpaceX engineers and say they didn’t design it right, but should it have been designed at all?
I’m sure such questions will be asked in the coming months.
Well said, George.
The only thing I’d like to add would be the CRX-7 in-flight disintegration of the F9; the Dragon would probably have survived if the ‘chutes had been programmed to deploy. So, even a LV failure of that kind can be survivable sans LAS.
I certainly think the question of whether the LAS should have been designed at all should be asked, but I’m far from sure it will be asked.
If Cargo Dragon could have been given a life support system (and a lawnchair), IMHO it would have been fine without a LAS – and probably safer.
Aside from the crewed scenarios you mentioned, it’s good that it didn’t happen during the inflight abort test.
3,2,1, ignition… liftoff… Mach 1… Max Q… OK, abort!
*boom*
That would be bad optics to say the least.
The Super Dracos would have been tested more, but they still have been tested…hundreds of times over seven years.
But again, the cause of the explosion may not even be the Super Dracos.
I plan to wait until we know more facts, but it’s worth noting we don’t actually know the capsule was “blown to bits.” In the slow motion video, you can see the capsule was still on the test stand after the first explosion (or whatever), and vanishes after subsequent ones. But some people on various sites have isolated frames showing the capsule was ejected from the test stand and disappears out of frame very quickly. I can think of several ways that could happen (if it did). This could have been a massive oxydizer spill, followed by a lesser fuel leak and ignition on the floor under the test stand. That would account for the giant red cloud drifting from the site, as well as the flames visible in the video between the first two explosions. But it’s all WAGs at this point. We’ll find out what happened when NASA and SpaceX decide to tell us. At least the SEC can’t muzzle SpaceX.
The hold downs on the test stand could withstand the full force of an abort, so ripping completely loose is pretty darn bad, especially since the applied forces were not coming through a combustion chamber and nozzle, but from the capsule itself.
One commenter on Eric Berger’s article noted that the initial flash would just about line up with the top of the COPV tanks near the crew door.
Anyway, the resulting cloud even showed up on radar, which is pretty cool.
I’m curious if that’s a known fact or just a supposition. Either way, it makes sense for it to be so. That said, nothing like this could ever be less than very bad. For example, suppose the Apollo 13 explosion had happened while on the pad, during the last seconds the countdown? In all probability, the ruptured service module would have collapsed and dumped the command module, LES tower and all, overboard. Even if the LES fired simultaneously, the SIVB would probably have exploded, followed by the rest of the Saturn V, and a bad day would have ensued. One can argue that it couldn’t have happened that way, but the main evidence for that is simply that it didn’t happen that way. Anyways, I’d like to know if DM-1 is in thousands of pieces, or only a few big ones…
Or just one big one with a heckuva dent.
The more I see about this, the more I think George is probably right regarding COPV as the cause.
I also very much agree that if it is a failed COPV, SpaceX would be far better off replacing it with an all-metal one.
As we have subsequently been informed the explosion occurred eight seconds before the SuperDracos were due to ignite, you are correct that a plumbing/COPV origin hypothesis has now moved way up the probability ranks.
A mini-Nedelin. Quite annoying. Perhaps the fuel tanks need a redesign.
Hopefully this won’t impact the launch schedule too much.
Gojira, I hope I’m wrong, but I suspect that this will impact the launch schedule by a lot, and I do not mean just Dragon 2 launches.
For example, until and unless NASA is certain this issue is limited to Dragon 2, it will ground Cargo Dragon as well – and it can do so, because both Dragons are NASA programs.
If this issue is related to the COPV, and there is commonality between these COPV and F9 COPV, We’re looking at a grounding of F9/FH too.
NASA has already said it’s going to proceed with the scheduled Dragon 1 resupply mission so no suspension of it or of its booster seems to be in the offing.
Some idle thoughts:
Though we obviously must wait for actual facts, I think some evidence is accummulating against the FA-DOOM! Scenario (COPV explodes, capsule disintegrates immediately). The negative evidence is, where is the cloud of shrapnel such an event would produce?
Here’s what I think I see (feel free to say I imagined it): There is a pressure wave under the skin of the Dragon right at the subsequent explosion’s epicenter, immediately before said explosion. Once the camera saturation fades, you see the capsule intact on the test stand, with a fire on the floor under the test stand. As subsequent explosions erupt, you can make out what appears to be the capsule, still largely intact, exiting stage right and somewhat upwards, presumably to impact the ground somewhere nearby, probably continuing to have internal explosions. we know most of the oxydizer got away because we saw it on the weather radar. (Rather than breaking free of the test stand, I think internal pressure blew the shell and pressure vessel off the heat shield.)
My vote: plumbing rupture, followed by a very rapid cascade of increasingly severe events. Imagine if such a thing had happened during the IFA. The first impulse would be to say the abort system had failed to activate, and the damage to the capsule (or pieces thereof) fished from the sea would have been done by the exploding rocket.
I don’t think this will impact the rest of CRS-1, using the last four (refurbished) Dragon-1 spacecraft. After that, it better be solved at least enough to use Dragon-2 for CRS-2 missions. And Commercial Crew is entirely in irons now. It’s 10 months since Boeing had its own abort system issue. You all know it’s not impossible these problems could lead to a decision to splash ISS in 2024.
I’m not sure if this has been pointed out before, but I seem to recall that Musk once said in an interview about the differences between Dragon 1 and 2, he pointed out that the Super Dracos and the Dracos shared a common and complex set of plumbing. It strikes me that this may have been the only time there may have been a test of both Dracos and Super Dracos at the same time. I remember hearing about the terror that Luftwaffe personnel experienced when fueling and safeing the ME262. Any contact between T-Stoff and C-Stoff meant kablooey. Might Spacex not want to examine possible mixing between oxidiser and fuel when firing both Dracos and Super Dracos?
I don’t think that could possibly happen, as they design it with CAD, use robotic pipe benders for the plumbing, and have successfully flown a previous abort test and a flight up to the ISS.
It’s possible William Barton is correct and it started in the plumbing, though. I read that the last test was several hours after the earlier Draco tests, which perhaps raises the possibility of some kind of back leakage through valves leading to fuel residues in the plumbing. If the plumbing explosions was violent enough to immediately rupture a tank, it might result in something as fast as what happened. But I think if it only ruptured the pipes then the limitations on the flow rates through the pipes would’ve spread the disaster out over at least a significant fraction of a second, if not more than a second.
Hypothetically, a bad design or part might let both fuels flow through some valves and into the nitrogen purge system and mix, and a really crazy bad design might let both propellants drain backwards into the bottom of the common tank of pressurizing gas and mix there, which would cause an immediate and large boom.
But there’s also some expansion and contraction of the tanks and plumbing that occurs simply due to stress/strain relations, and perhaps that wasn’t sufficiently allowed for, whether putting too much mechanical strain or shock on a component or simply having a rub point that saws into something.
But I think we’re stuck into a wait and see until somebody somewhere releases more information.
Would the Dracos have been used during the pad abort test?
Of course I meant the ME163 Komet, not the 262 Swallow.
I think you mean the ME 163, not the 262.
Some overlooked possibilities to consider for the initial explosion:
– A slow N2O4 leak’s reaction products might have corroded and weakened a COPV, if it was a COPV which seems unlikely to me.
– It’s very hard to get a substantial explosion by mixing N2O4 and MMH since they ignite on contact. But both N2O4 and MMH are to some extent monopropellants, and thus potentially explosive on their own. A leak could have filled an interior volume with some mix of liquid and vapor, which then ignited/detonated from some action in the engine light sequence, with further explosions following from damage done by the first. Given what’s known so far, this seems to me the best fit. Pending of course more data.