Blowing the mission: -100 reputation Depriving the ISS crew of their Christmas presents: -40 morale Giving the Russians a good laugh at your expense: priceless...
That may seem like a clever statement along the lines of what goes up must come down but the Starliner is an orbital spacecraft so not being able to bring it down is a possibility.
John Wang ...down on time that is...(atmospheric drag and orbital instabilities induced by / accumulated from gravity fields of various heavenly bodies)
He's an engineer who worked for them for 30 years and climbed the ladder and he wasn't even in charge when the actual decisions over 737max were made. His faults are mostly in how he handled the aftermath of the crap he inherited. He's the fall guy who'll be replaced by a non-engineer this time. If half the board were employees and Union reps, this guy would still have a "golden parachute" in his contract.
Hmm, well. I might be a bit harsh here, but here it goes: The fact that something got through testing even while reading the wrong timer, suggests to me that the code has not been properly tested. On a general basis, I'd say that is a bad sign, and very much so if human lives might somehow be lost
Not harsh at all. Boeing gets twice as much money as SpaceX and we all know which of those does more work despite that fact. And they can't get to the ISS? It's becoming a little ridiculous at this point.
To be honest, Boeing’s Star Liner mission failure would only be as bad as the 737 max debacle if it crashed and burned on landing. Still doesn’t look good, but it’s not catastrophic.
Thanks for the honesty but one has nothing to do with the other. And the Starliner IS looking good. It was a test flight and they surely learned a great deal. Let's stop fear-mongering and just stay the spectators that we will always be.
With regards to the horrible and amateur broadcasting of this mission...I always remember, back in the shuttle era, even if we didn't have live images for broadcast, we always had a direct link view of the images on the control centre screens. This was totally ignored in ascent and descent. All we got both ways were shots looking back at the control desks and operators with very few cuts to the projection screens...and even then they were wide cuts of the screens like Scott Manley had to zoom in on to get any sense of what was happening. At least we would have had a better idea of where the craft was rather than listening to very amateurish commentary broken up with huge pauses that made the commentators sound like they didn't have a lot of an idea of what was happening. Seemed like poor research and training on what was going to happen.... the broadcasting has gone back to the distant past IMO...even Apollo was slicker than this!!
@@geraldhenrickson7472 I thought that might have been figured or found out by someone like a Scott Manley by now. That's why I pose the question on here. Not "Whining" at all; I'm looking for an answer because no one has given us one.
I've worked in the film and TV industry for 30+ years and have been trying to figure out the "below par" broadcasting since it began. I would have lost my job if my work was that below par ...let alone been employed. Maybe you can figure it out for me @G Henderson??
The audio was horrible for both launch and landing. One wired mic, one wireless, neither set to the proper level, nor fully matching mission control audio levels. Microphones open when they should have been closed. Loss of IFB to the NASA PIO at the landing site. Seemed like forever for Starliner crew to get the mobile uplink going. Should have worked out something with the support tech blocking the camera shot when they opened the hatch. As I recall a camera was going to record the forward (top) hatch showing from inside Starliner the station crew entering. So that will be a cool shot once someday they get to the station. The NASA PIOs in both the control room and on location had to prompt their counterpart. The problem is Starliner people are effectively running the coverage. Too bad it looked like an old cable public access show. Soyuz landing coverage by NASA TV is very professional, by comparison. The heat shield expert interview was interesting.
Scott, the real problem is what the little problem reveals about the whole programming of the Starliner's computer. So, the wrong timer was copied, or initialized; fine. But the program should not ONLY look at time and base its behaviour on the reading of a single timer. Such dumb programming is shameful. The program should compare its state representation to make sure it agrees with external conditions and parameters ALL THE TIME. So, the timer is wrong and we think it is time to do fine attitude control. Well, before we proceed with that, and/or while we proceed with that, we check that we are, in fact, close to the ISS; and we verify that our fuel is down to half, given that we have completed the orbit insertion burn. Etceteras. We check assumptions. Standard practice in software. If this checking of external facts does not agree with our timer and timeline, then something is wrong, and we'd better notify ground control, and ask ground control for instruction on how to proceed. I would never write firmware even for controlling a stupid light-bulb that is so pathetically dumb as to base a major decision on the value of a single timer. And I don't know many programmers that would look at code like that and not blow the whistle. Stupid programming like that puts in question the entire system and calls for a complete review involving a more trustworthy third party. Plus the fact that the problem was not seen during testing. That says that Boeing does not have a competent reliability department. Plus the fact that all the redundancies that I'm sure exist in the system were defeated by design, by using a non-redundant protocol for setting the timer. So I would not even consider for a second putting people aboard this craft until the software has been completely reviewed by a more competent party. 
Otherwise, think about what would happen if you have crew aboard, and the craft is slowly approaching the ISS for docking; then a cosmic ray corrupts the memory of that computer, and it thinks it should be doing an orbit insertion burn, turns on the engines full blast towards the ISS ... Stupid programming that doesn't check its assumptions should not be allowed in mission critical systems. EDIT: Note how the problem with the 737MAX MCAS software had a lot to do with them relying on a single wind-speed sensor to make the decision whether to take control away from the pilot? Lo and behold: Same thing with Starliner's software; relying on a single timer to decide what part of the program should be executing. There is some very powerful retard on the loose at Boeing... Thank god that Muilenburg lying snake got kicked out, finally; but I'm sure he wasn't the only problem.
Re. Muilenburg not being the only problem: In general, over many years, it has been widely reported that Boeing shifted from a focus on engineering excellence to a prioritization of financial excellence. The predictable negative results are only now coming home to roost.
Points well made. Good programming is an art form in many ways, and including sanity checks in mission-critical code is a must. Likewise in engineering, whether mechanical, electrical, or others, experience is needed to know how much complexity is needed to accomplish the required task and include safety margins. Trade-offs for financial reasons will always be a factor to be included, but when they outweigh safety and reliability concerns then reputations can be lost, as well as even more importantly, lives.
Not particularly down with the name calling but I think this definitively proves too little testing (especially devil's advocate) is being done on sensor and software design. Man-rated rockets should be especially robust with both redundant hardware and separate software systems. Wasn't 2001: A Space Odyssey warning about this type of thing? With super fast computers shouldn't testing take just a few minutes?
This is basically the question I was asking Scott in my above question. It seems crazy to me that they would base such things on a single timer like this and not check other assumptions as you point out. Like when being let go from Atlas, query Atlas on current position and heading. Then Starliner gets its own position from its own sensors and sees if the two agree. If they don't, report the error and wait for how to proceed. Or if going for deeper autonomy, then start checking other methods and make the computer come up with its own decision on how to proceed. I'm newer to programming, but this just seems logical to me especially with something so important as this! It just seems crazy to think this is how they have it set up!!
@@neysonrise IMHO two teams to write and test the software would be great. Independently. My own experience with software writing is do it, then find out what you did wrong. The better the coder the more they think they're right. Strong personalities. Exceptionally bright people getting it wrong for all the right reasons. History is full of them. No blame. Just test them with dogmatic people.
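The cross-checking argued for in the comments above (do not act on a single timer; confirm the phase against independent facts and otherwise hold and ask ground control), written out as an added C example. It is not from the video or from any flight software; the phase names, struct fields and thresholds are hypothetical values chosen for illustration.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Phases, field names and thresholds are hypothetical illustration values. */
typedef enum { PHASE_ASCENT, PHASE_ORBIT_INSERTION, PHASE_COAST, PHASE_PROX_OPS } phase_t;
typedef enum { GATE_PROCEED, GATE_HOLD_NOTIFY_GROUND } gate_t;

typedef struct {
    double met_s;               /* mission elapsed time from the single timer */
    bool   separated;           /* booster separation seen by an independent sensor */
    bool   insertion_burn_done; /* burn completion reported by the engine controller */
    double propellant_frac;     /* propellant remaining, 0.0 to 1.0 */
    double range_to_station_km; /* relative-navigation range, NAN when there is no fix */
} obs_t;

#define PROX_OPS_MAX_RANGE_KM   50.0
#define POST_BURN_MAX_PROP_FRAC 0.60

/* What the timeline alone claims the vehicle should be doing. */
phase_t phase_from_timer(double met_s)
{
    if (met_s < 900.0)   return PHASE_ASCENT;
    if (met_s < 2400.0)  return PHASE_ORBIT_INSERTION;
    if (met_s < 80000.0) return PHASE_COAST;
    return PHASE_PROX_OPS;
}

/* Check the timer's claim against facts that do not come from the timer. */
static bool evidence_agrees(phase_t p, const obs_t *o, const char **why)
{
    switch (p) {
    case PHASE_ASCENT:
        if (o->separated) { *why = "timer says ascent, but separation is confirmed"; return false; }
        return true;
    case PHASE_ORBIT_INSERTION:
        if (!o->separated) { *why = "timer says insertion, but still attached"; return false; }
        return true;
    case PHASE_COAST:
        if (!o->insertion_burn_done) { *why = "timer says coast, but no insertion burn logged"; return false; }
        return true;
    case PHASE_PROX_OPS:
        if (!o->insertion_burn_done) { *why = "timer says prox ops, but no insertion burn logged"; return false; }
        if (o->propellant_frac > POST_BURN_MAX_PROP_FRAC) {
            *why = "timer says prox ops, but propellant level looks pre-burn"; return false;
        }
        /* isnan() first: comparisons against NAN are always false. */
        if (isnan(o->range_to_station_km) || o->range_to_station_km > PROX_OPS_MAX_RANGE_KM) {
            *why = "timer says prox ops, but station is not confirmed nearby"; return false;
        }
        return true;
    }
    *why = "unknown phase";
    return false;
}

/* Gate a phase change: proceed only when the timer and the evidence agree. */
gate_t phase_gate(const obs_t *o, phase_t *phase_out, const char **why)
{
    *why = "timer and independent evidence agree";
    if (!isfinite(o->met_s) || o->met_s < 0.0) {
        *phase_out = PHASE_ASCENT;
        *why = "timer value is not a plausible elapsed time";
        return GATE_HOLD_NOTIFY_GROUND;
    }
    *phase_out = phase_from_timer(o->met_s);
    return evidence_agrees(*phase_out, o, why) ? GATE_PROCEED : GATE_HOLD_NOTIFY_GROUND;
}

int main(void)
{
    /* Constructed scenarios, not real telemetry. */
    const obs_t cases[] = {
        { 1000.0,  true, false, 0.98, 4000.0 }, /* nominal, just after separation */
        { 90000.0, true, false, 0.98, 4000.0 }, /* same state, timer far ahead */
        { 90000.0, true, true,  0.50, 5.0 },    /* genuine approach */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        phase_t p;
        const char *why;
        gate_t g = phase_gate(&cases[i], &p, &why);
        printf("MET=%8.0f s phase=%d -> %s (%s)\n", cases[i].met_s, (int)p,
               g == GATE_PROCEED ? "PROCEED" : "HOLD, NOTIFY GROUND", why);
    }
    return 0;
}
```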
I was a US Army meteorologist at White Sands Missile Range during the STS-3 mission, and I was part of the crew that did weather support for the landing (weather balloons). According to the map you showed, it is definitely the same runway that STS-3 used (runway 170). I remember being out there the day before and winds were gusting over 60 MPH which caused a one day delay. These winds are common and I've seen them as high as 90 MPH. When I got back to my barracks, I found my face was encrusted by at least an eighth of an inch of gypsum embedded by the wind (my shower water ran brown for a long while). After it landed, it sat for a while before being loaded on the 747 for transport back to Kennedy (I was there for that, too). While it sat on the ground, another dust storm came by and contaminated the inside of the shuttle pretty bad. Somebody forgot to close the back door I guess...
"We can fix this, we can do simulations, therefore we should just fix it all in simulations..." I feel like there's a roughly MAX sized hole in that argument, saying that Boeing's software testing and simulation may not be putting out the best work, and a physical test is in order.
Boeing's Commercial unit and Space unit are completely different, both in personnel and processes. The only similarity here is that the Government is calling the shots on how to proceed in both cases. That should make you feel better.
Yeah, there could be a potentially life-threatening error in the docking sequence, causing it to crash into the ISS. I would be surprised if they actually send crew on the next mission.
This is why everyone loves SpaceX, it's like we're a part of their team and they share basically everything with us that they can. I love their honesty and their genius, I'm a proud SpaceX fanboi lol!!!
Sounds like a highly successful mission, all things considered. I only have one thought as a programmer - holy crap - unit test stuff would you!? I think I'm in the more cautious fly-it-again camp. You don't know what you don't know until you discover you didn't know it. Loss of life would set this program back at least a year - I would rather see a 1-2 month delay and another uncrewed launch. It's impossible to say if there's any more gotchas in their code. The individual instruments apparently performed admirably, but if it's not tied together properly and unit tested.... (Unit test = proper simulation or functions that drive real data into the code and check the results. Great for detecting unexpected bugs like this.)
You bet they do use unit tests, and even full-blown formal verification on critical parts. But this issue looks more like it could only have been caught in an _integration_ test, rather than a unit test. Still quite embarrassing that they didn't catch it beforehand.
I am also in the group thinking they need another test flight without a crew aboard. Expensive? Yes, but any spaceflight with a live crew is dangerous, and those lives are priceless.
Everything cannot be unit tested; some aspects require scenario testing and full integration tests. I'm sure Boeing has tested what reasonably could be tested. Some bugs just do not show until you put everything together, that is why we do live tests. :-)
@@dumbledoor9293 Call the tests what you want, but when I was working on game servers the unit tests for packet handling, storing player data and managing connections ensured they were rock solid. There was no "timer error"... stuff got caught through proper simulations that drove real data through all the functions. This one should've been caught.
@@david_fisher hahaha we should have. Belgian sours and super hoppy IPAs mainly. I remember him liking our double IPA Pliny the Elder and our triple Pliny the Younger
Same! With more information it seems it was a software error. Wrong timestamp was returned from an API call? I wonder if it was a design mistake or a glitch?
This is a pet peeve of mine as I used to work on thermal imaging devices for the . Why do people insist on inverted color schemes for thermal imaging? I mean if you're looking at a thermal image of a tank column or a , you're specifically looking for heat. It kind of makes it look more like a normal daylight picture, yes, but it makes it harder for the operator to accurately tell the uh.. "high velocity no-trespassing signs" exactly what they should be tracking.
There are no guarantees no matter how many tests you run. It's complicated, dangerous and we are all just spectators. How long has it been since we left Earth's orbit?
@@geraldhenrickson7472 Everything you've stated is obvious. Starliner did not complete its mission. Therefore it has not been tested completely or successfully. Are there other mistakes waiting to be discovered? That's why we test, BEFORE humans get on it.
@@geraldhenrickson7472 While I agree that space flight is not a game of chasing 9s when it comes to reliability, 0.00% seems like a shitty track record for a brand new vehicle to me.
@@geraldhenrickson7472 But they still need to prove the concept - that is done by completing successful test flights. Of course there will always be risks in further flights
I talked about this in different places before and I want to reiterate my thoughts here. The ship's software missed an important step and went into some weird mode where it overcorrected until it was manually stopped, but not before it killed available delta v. Why the hell is it about as smart as an old washing machine?! There are logs, star tracking, sensors, inertial guidance and many other things it could have used to perform better and yet it did what it did. And then, I really have no words for this, as if there were not enough 737 references already, all the guys in the suits talk about how humans on board could have been the final redundancy. This and the abort test where the chute didn't deploy just screams about a massive systemic problem with safety culture in the company. Somebody designed those systems in a way that has no room for error, somebody made them, tested them, certified them and signed all the paperwork and this stuff comes up during testing by sheer luck. My only hope is that everyone near that thing would be lucky enough not to get hurt, because I'm pretty sure nobody would make them redo all the certification from scratch.
Checking sensors against other sensors sounds better than it works in practice. It adds a lot of complexity that isn't justified for simple systems like timers - much easier to address whatever gave it the wrong time than try to implement potentially erroneous cross checking with other sensors that are likely substantially less reliable than a timer
I'm glad they overlaid the text "LOW RES DOWNLINK" because if it weren't for that I might have assumed that it was high-resolution and/or an uplink. And I don't think I even have to mention how disastrous that could have been.
I can't believe there were people who wanted to see a vessel that had a computer bug attempt an automatic dock to the ISS. And why doesn't Starliner do an in-flight abort test?!
One of the fundamental differences between SpaceX and Boeing..... SpaceX: "Let's build a few prototypes and static fire them over the course of a few weeks or a month and then do a test flight." Boeing: "Let's run simulation after simulation on computers for months, costing hundreds of thousands of dollars; hoping all the while that the test programmers thought of everything that 'could' happen. Then, let's redesign and tweak based on that and then finally, do a launch 14mo later." Two very very very different ideologies and to anyone that remembers who and how SpaceX actually started, it's no wonder. :-) Static testing and full up testing is the only way to REALLY test. Ultimately, you need to put up and just do it. It's hard though and takes lots of money and lots of faith in your people. Management and even your own people need to be prepared to lose before you win. Failure is really hard to swallow and that is where I believe the real difference is. SpaceX embraces failure and views it as a tool more than Boeing does.
Acceptance is a far cry from an embrace. Both programs seem to be running simulations and also conducting tests leading up to a crewed launch. They will eventually pull the trigger. If we remove conjecture from your comment, I am uncertain what remains.
@@geraldhenrickson7472 Actually, they do embrace it. Acceptance is throwing your hands up and saying "Well, it happened and I'm not sure why and I sure don't know how to change it, but it happened and I have to accept it." Acceptance and embrace are very very different mindsets from a development point of view. And let's face it, it's all conjecture here in the comments unless you have real world inside information. Would it make you happy if I inserted "I believe...." at the onset of my comment?
@Nobody here but us Chaotic Neutral chickens Heard this mumbling about NASA paying everything before. I wonder what their actual contract is. I very much doubt it is constantly readjusting. Normally a contractor gets paid a certain amount for a certain goal. If his calculations are wrong and he needs more money than they planned (like for an extra test flight), that is his problem. Here is what you promised me. Here is what we expect you to do. Here is what we're paying you. Sort it out. Or we fly SpaceX. Or Orion. That's how contracts work. And NASA, contrary to popular belief, does not have an unlimited budget. And was historically quite tough on non-delivering contractors. The idea and accusation that Boeing gets a blank cheque from NASA seems really silly. There might be circumstances. During Apollo, they probably rather paid more than miss the end of the decade deadline. And NASA was the only customer and it was the only Command/Lunar module. Or James Webb.... it's so far on, there has been so much money and time spent on it... in both cases, paying more makes more sense than throwing all the work in the bin. Also like Apollo, James Webb, it's a science project that won't make any profit. That's very different for Starliner and Dragon.
It took 20 minutes to reestablish a TDRS connection, which is why it burned through so much propellant and missed the window to reach ISS, so a crew could have taken manual control much sooner.
If the crew knew exactly what was the problem, if there was ability to override the automated systems and they had trained on the procedure to correct the problem, then they would have been able to correct the issue. More likely there would have been a brief time trying to figure out what went wrong and which of three possible options that would be chosen. 1) Crew try to fix the problem. 2) Do an "Abort to Orbit" (which is what actually happened). 3) Depending on the location - possibly do an abort and return to earth.
Astronaut Mike Fincke, who will be on the first human test flight, was certain they could have taken control. Most likely they would have stabilized where they were; acquired the TDRS satellite; worked with mission control on a new plan.
The main argument I make in favor of crew being on the next flight is that there's a difference between crew-rating and ISS-rating. As you said, this flight was, while not optimal, perfectly safe for a theoretical crew. What hasn't been tested is how Starliner's prox ops with the ISS will go. But if that's what we're worried about, doesn't it make sense to have a crew on board? It's an extra failsafe, basically - the crew should be perfectly safe, so having those extra eyes/hands should be a plus. I totally understand the argument for another flight, though - especially when Boeing went into this contract saying "We have decades of sim experience, we don't need flight testing for stuff, we'll just build it all and it'll work first time." And yet here they are with exactly the same number of abort system failures as SpaceX, just better-hidden.
Your arguments are sound, and the faults with this flight and the failure to deploy a parachute on the pad abort test are clearly identifiable. What worries me is the faults we *don't* know about, that are undiscovered because of the same kind of poor engineering decisions, poor review procedures. Indicates a program with endemic flaws.
Don Jones Every complex system has flaws that remain hidden. The only way to discover them is for the right set of conditions to appear, and those conditions may never occur. As a system matures, more flaws are found, but they can never be completely eliminated. If every spacecraft to ever fly had to be completely bug free, we’d never have put a single human in space. At a certain point you have to make the call that it is safe enough, with redundancies just in case something fails, thus a flawless spacecraft is an unreasonable bar for Starliner.
My main argument against a crewed capsule on the next launch is that there were basically 3 main objectives on this mission: (1) Achieve an appropriate orbit to rendezvous with the ISS from launch, (2) perform station keeping exercises and docking with the ISS, (3) and successfully return to land. They got 1 out of 3, 33%. You could add an asterisk to number 2 in that failing the first objective made the second one pretty much impossible. Thus far, Boeing has only one-upped Blue Origin; proving they can make a safe system for tourists to go into orbit, not just space. But that wasn't what they were paid to do, it was to get astronauts to the ISS and back. My main argument for allowing a crew on the next launch is that most of the issues should be able to be evaluated with simulators. That should only be done after a VERY rigorous evaluation of the software and testing regimes at Boeing. For example, they should have picked up that they were getting the wrong MET data during simulations.
Adam Harvey They were perfectly safe? No they weren’t. They completely missed the trajectory. The same error could drive them into the ground killing all. They would’ve survived this time because of luck, but this was not safe at all...
We need to stop whining about astronauts and make them more expendable. When that first teacher in space blew up on the Challenger I was a young man homeless in Florida and had to put my legs in a garbage bag to sleep through that cold night. Each billion dollars or whatever spent to prevent an astronaut death would save thousands of children even before fixing any social welfare spending corruption. Back in 1986 in Florida I would see kids who had umbilical hernias the size of large lemons. Instead of a belly button? To prevent long drawn out lost in space media scenarios just have Putin accidentally squash it on a failed rescue attempt to bring closure. (See first Chechen war failures.)
So what lack of propellant precluded the ISS visit, RCS or main? And during which event was so much propellant used up due to the tight deadbands and super precise maneuvering, was this during the autonomous 'wrong clock' burn, or the manually initiated one by ground control later?
Another issue is it missed the orbit raising burn by 20 minutes, which means it would take longer than planned to reach ISS, or to reach it, it would have to go to a higher than originally planned orbit and then let ISS catch it.
@@Patchuchan Not entirely true. It is in the same plane as the ISS so it could have still performed the other orbit raising burns just at different times. Yes it missed its Primary OIB window but made the end of the contingency window; however the RCS thrusters triggered red flags for operational lifetime firing limits in recovering to an orbit. They had enough fuel to complete the mission nominally but lacked the required fuel reserves to safely dock with the ISS and deorbit in the event of another contingency occurring, thus they cancelled the ISS portion of the mission to guarantee a nominal deorbit.
Two things worry me the most about this: 1) they lost telemetry with the spacecraft because they couldn't find it. PROBLEM!!! 2) How did the API handshake screwup NOT get found during QC testing? Software validation seems like a problem for Boeing lately, and I don't know if I trust them to "do simulations" to re-certify the system.
They already found the error, which was one line of code. Given that the mission proceeded perfectly after the MET was reset to the correct time, it's clear that the fix worked fine.
@@AmbientMorality Yes, they found it, after the frikkin thing launched, even after they "validated and simulated" everything. If this fundamental thing (you know, the system that fundamentally controls everything, since they use a timer) was missed, what else? I mean this is at the same level as incorrect staging in Kerbal. If it was a miscue of some minor subsystem, I'd be much more forgiving.
3. Why did the thruster use so much fuel in a very short time? 4. Why did the software recognize the rapid fuel consumption and lack of communication and go into safe mode? To me these questions indicate a lot of software or hardware issues that were not caught in ground testing. Combine this with the parachute failure on the abort test and the earlier fuel leak during engine testing indicates Boeing is not finding problems in basic testing. And as a result one or more problems come up on final testing. NASA should have no confidence in Boeing testing and should mandate a complete redo of the unmanned test flight and an in-flight abort test. Anything less is putting the astronauts at risk.
@@AmbientMorality Imagine how many lines of erroneous code didn't get caught because they didn't run the full mission. End to end testing in production with human lives at risk seems like a date driven mandate.
@@jmacd8817 Because everything else that was tested worked. The outstanding parts are related to ISS proximity operations, but now they know that the docking abort works correctly and ISS proximity operations are automatically a risk to ISS crew regardless of whether there are crew in the capsule or not. Most docking failure modes would involve inability to dock and not risk anyone, though.
Great analysis, likely for Boeing to transport lives regardless of this mission's missed goals. I’d check further into the delayed release of the booster theory. Definitely plausible but fundamental design would provide “safe” separation...I would think. Love your reports!
They SO need to fly that mission again... If I was going to be the first person to fly that craft I would as HFN... They can not even prove that they can dock with the space station.
The 737 was a marketing failure, having *both* sensors wired to a flight control computer was a paid option instead of default. With only one sensor the computer has no way to tell if it failed, and so it can't shine a warning light either. The pilot would have to know to disengage flight control computer if this happened, but that also wasn't in the manual (it said to do this if sensor failure light was on), and it's not like you'll be able to navigate through a 500 page tome in the 90 seconds you've got between cruise altitude and sea level while the plane is subjected to maximum permitted positive and negative G-forces alternating every two seconds.
Boeing makes safety optional ... they need to expel the MBA strangle hold over the company. This started when Boeing management left Seattle with the avowed purpose of separating management from operations. They actually wanted to cut off the technical & production from influencing management decisions. Management chose to become Wall Street's obedient sycophant ... and arrogant Wall street only cares about short term paper profits, and their wheeling dealing, not long term fundamentals of the core industry. When the technical team got in the way, they simply and deliberately cut them off.
No, having both sensors wired to the computer was not an option at all. MCAS always used the active side AOA sensor; the option had to do with an AOA disagree alert which may have helped diagnosis of an MCAS issue but was not tied to MCAS. Pilots were supposed to run the memorized procedure for runaway stabilizer (cut out all electric trim control), which was certainly not realistic given the MCAS authority and altitude (and thus it is still Boeing's fault), but it's not true that they would have flipped through pages to find the relevant procedure.
R. Slater McLaughlin Wall Street is the arena of money managers ... shifting around billions of dollars of investment funds and pensions (other people's money). They are judged and rewarded for short term rates of return. If they fail to deliver, their careers are in jeopardy. If they do deliver high returns, they are rewarded far beyond a working man's lifetime salary. Thus, the rules of engagement are defined. Tragically, these rules of engagement guarantee the poisoning of the financial institutions; transforming the stock market from a means of raising capital that empowers main street to advance & invest in long term profitability, and instead forces main street management to sacrifice long term profitability and disguise risk. The net result is short term profits by cutting corners (e.g. deliberately assuming $10/hour programmers in India will provide the same quality as experienced in house programmers in order to increase profit), and often management decisions to cut off spending for next generation models (e.g. Apple under Tully who almost killed the company by cutting funding for software development. He forced out Steve Jobs over this issue). Another example is Ford cutting development of next year's car models, thereby saving billions in the short term but sacrificing a huge part of their future. Wall Street accountants love high profit margins and reward companies for sacrificing low profit margin sectors.
Being a CEO is like being a first division football manager: Sunday: "The manager has the full confidence of the board of directors." Monday: "I'll get me coat..."
Speaking as a Dog Groomer these things can happen, one minute everything's going smoothly and the next you're spinning around in circles losing all your fluid!
Would you please explain proton rockets? Being born and raised in New Mexico I love this video. When I was in the third grade we had 3 Wednesdays, once each month, where we had to move away from our windows in the school. At 1 pm, a low rumbling sound and shaking overtook our classroom. Why? At White Sands, they were testing an underground nuclear device. What was amazing is we were 200 miles away and the test site ground level was about 3000 feet. My classroom was at 7000 feet above ground level. White Sands has experienced a great deal.
SpaceX decided to go with an inflight abort test. Boeing’s approach was to test almost everything on the ground, so a pad abort test and then use OFT as the final test for all these systems before flying crew
The in flight abort is conducted at Max Q, and unexpected things can pop up. I think that it's a mistake to give Boeing a pass on this. The Airbus A380 had an unexpected structural failure during its (static-on the ground) ultimate load test, and there's no telling how many lives have been saved, or will be saved in the future, because the US FAA didn't trust simulations and forced Airbus to conduct the test in order to grant the plane certification. And yes, Airbus had to destroy a costly A380 wing as part of the process. At least a reusable space capsule (hopefully) survives an abort at the worst possible moment...
Seeing how "reluctant" they were to provide live coverage makes me realise how beautifully open and courageous SpaceX are about letting the whole world watch as they test and occasionally fail spectacularly. :)
Possibly. By the time I got to 4 minutes 11 of this video, I realised things could have been even more tragic for Starliner if it thought it was higher than it was.
Great question, I think I wouldn't, I don't trust Boeing to put my safety above $$, I bet they won't even change this dependency of a single timer input not because they can't, but because it will set them back months in tests and certifications.
Astronauts and Cosmonauts need to return to Earth. They do so on craft sent from Earth. In an emergency, if their expected return craft never arrived, it would be a real problem.
@@riparianlife97701 In that situation, the crew will abort in the same vehicle it came in. The option and the means (read:return crafts) for the entirety of ISS crew to abort back to Earth is always available.
@@saurabhdas3412 Remember when the Soyuz capsule they came in had a hole in it? Nice they were able to fix it. I think Boeing should have to get a mannequin all the way to the ISS before they can take humans. I think they should also have to do an abort at high speed like SpaceX is doing in a couple weeks.
Scott, thanks for asking questions that I really never consider, and then providing a possible explanation. It helps to suppress "conspiracy theories". Keep up the good work.
@@king_br0k , I was reading comments as the video went on, and that note came out about 40 seconds after I responded to the original comment. That said, spent boosters are dead weight and are normally dropped as soon as possible: when you can lighten the load, you get better overall performance. As Scott noted, retaining the spent boosters was an anomalous procedure.
SpaceX weren't conducting a test for NASA when their capsule (which had already completed its test flight to the space station) exploded. And anyway, that's fixed now.
I am a huge fan of SpaceX and I think that Boeing have screwed up royally here. However, can you imagine the fallout if SpaceX were allowed to do the propulsive landings on the Super Dracos and they had that valve issue. It would have been horrible...
@@thePronto So I guess it's a good thing that SpaceX did testing all on their own that wasn't mandated by NASA so that now that will never happen. (Along with your hypothetical scenario of propulsive landings which are not happening either. Granted, blowing up instead of escaping isn't ideal either, but again, they fixed it. Also, unlike SpaceX, Boeing dispose of their service modules so we'll never know what happens to one if you try to fire it after it's already finished a successful mission to the station.)
Does Boeing even have redundant computers like Space X on board? As much as I am biased for Space X, as a software engineer student, reading the wrong timer seems like a pretty massive issue to overlook and not catch during the software testing. On a non-software note, did Space X not have to leave the ship in orbit to examine how it would degrade to evaluate if it would be good for long term missions? It does seem like Boeing is getting to skip out on some testing. Logically speaking Space X should win in the end, they got the cheaper flights and they offer a ship that has a good track record and except for the explosion or the Super Draco, they had a good track record for the rest of the testing. If for some reason Boeing gets the contract for the crew to the ISS, it does show that there is corruption behind the scenes.
Boeing and SpaceX already have contracts, there's nothing to win. Redundancy doesn't help at all if the software specification incorrectly specified a parameter. They did software and hardware-in-the-loop testing, but evidently that model was off as well. SpaceX didn't leave the ship in orbit for more than a week (with most of that time docked). Boeing and SpaceX both specified their testing program; both included an uncrewed docking mission, but that wasn't a requirement for the contract.
@@AmbientMorality Space X uses a number of computers running simultaneously testing each other. If one has a problem and the others don't, they disregard it and correct it. In space where radiation can switch a 0 to a 1, it is important to have redundancy and safeties. The golden rule of software dev is to test 100% of your code at all times. Software failure, especially on a rocket that will carry humans, is not an option, especially when it fucks up the whole mission because something important like a clock is not calibrated properly. NASA should 100% delay any manned crew with Boeing until they can show their software is not fucking up. As for the contracts, they can't logically keep going on giving every company the same contract when one is superior to the other in cost and with a good safety record. Boeing is falling behind on tech and apparently in safety standards now and they damn well know it and they don't care cuz they are part of the military industrial complex, like the banks, they are too big to fail
@@peter4210 That doesn't help at all if your software specification is to pull a specific parameter from Atlas. All computers would pull the same incorrect parameter. It wasn't a code error; it was a software specification error. They tested all of their code, including testing it with full hardware-in-the-loop testing. That doesn't help if the interface between Starliner and Atlas was slightly misunderstood.
The software executed its code flawlessly as it can only do what it's told. Unfortunately someone told it to do the wrong thing. Redundancy would not have eliminated this problem. This is a coding QC issue not a system failure.
This timing error shows that the simulations that were used to qualify the Starliner were at least inadequate for the task, if not fully unusable. I would find it very hard to trust the Starliner until it has shown real world capabilities, meaning a new test flight is required.
To be fair landing a capsule with that precision was also done by SpaceX on COTS-1 which was the first mission of Dragon 1. It came within 800m of the bullseye per Gwynne Shotwell. I would assume it has been repeated a few other times considering they have had other 19 Dragon splashdowns.
Another reason why they had to return quickly was orbital decay. According to the regularly updated Keplerian Elements the perigee was reducing by as much as 3 kilometres per orbit, whilst apogee was decaying by a kilometre or more per orbit. Let's hope that the next flight of the capsule doesn't become Calypso collapso.
1:24 - Putting a reentry vehicle on a bullseye is much _much_ easier when the vehicle doesn't have to soft-land (and slow down to a couple of meters per second while trailing a bunch of huge draggy bags and get blown all over the place like a feather in the wind) and can stay hypersonic right on down to the surface (or just above it).
Sometimes I think they make things much more complex than needed. Keep it as simple as possible seems like good advice, not as complicated as possible.
1) If they were using the pre-launch clock instead of the liftoff clock handed off from Atlas, that seems like an issue that would have been caught in the same type of simulations that they are proposing to use to verify the fix. 2) Why is the clock the only guidance and automation input when they have GPS, inertial measurement, star tracking, and Centaur guidance data hand-off? Seems like even if the clock was off, polling those other data sources would have allowed a well written program to dismiss the bad clock and still perform the proper burn.
Testing the interface is always going to be more difficult as it'll involve communication between two separate engineering teams (ULA and Boeing). OFT helped test that, revealed a problem, and it appears that all other aspects of that handoff worked correctly. I would not trust any GPS data and I doubt Centaur gave guidance data to Starliner - better to trust one simple timer than add additional complexity. At any rate, if there's conflicting data the wrong response is to perform the proper burn because you have no clue what set of data is correct.
Redundancy is important in a human rated vehicle. One source of truth is always a bad design philosophy. Which should be followed through in software also. As an example, at Schiphol airport a 737 crashed due to radar altimeter failure. Hardware had the required triple redundancy but software was getting its data from a single sensor for autopilot (captain side). It just caused a buzzer warning and auto throttle kept operating with faulty data. In similar aircraft such as the A320, triple redundancy is also in the software, where conflicting information from different hardware sets would give proper warnings and if necessary, algorithms would decide which information is the truth (for the 2/3 operational case). It wouldn't do a flare in the middle of the sky. Automation requires redundancy in the software part of things too. One clock being able to offset flight state this dramatically should've been covered using other data sources. I am aware Boeing's space division is separate from the civil aviation division but I sense mistakes in general software design philosophy.
@@anilhaksever Redundancy doesn't help with a systemic error at all. It wasn't a coding issue, and three computers would all pull the same wrong time. A clock is the simplest; trying to do weird error checking on an incredibly reliable timer is the wrong approach. If you're worried about timer reliability add a few timers. At no point does trying to check timer with less reliable sensors make sense, because timers will almost certainly only be wrong because they were set wrong and some very tiny chance of a bit flip which can be caught by a few timers.
@@AmbientMorality Watch at 3:45. He clearly states Starliner gets guidance info from Centaur. And although I wouldn't trust GPS to put me on an inch perfect approach to the ISS, at orbital velocity, the 20 minutes they missed the burn by works out to about 5,800 miles. GPS would be enough to compare expected vs actual to say clock is off, use inertial guidance and Centaur data, phone home for more info. Even if you weren't sure about the burn, it also sounds like it was an orientation problem that stopped a link up through a satellite. If there's an error, you could have it try rolling and pitching to find a signal. Running spacecraft sequencing off of nothing but a timer is how the Mercury capsules were flown. Surely, in the sixty years since we've advanced enough that more complexity for the sake of redundancy in both hardware and software is available. All that said, it still doesn't explain why it was missed in simulation of the code.
@@briancox2721 I don't see that in primary sources. It's possible I missed it, but it's not in the teleconference. A timer is very reliable compared to any other system you mentioned, so it is a natural thing to sequence from. If there are systemic timer errors, why not simply correct the source of those? If there are random timer errors, use rad-hardened components and/or some voting architecture. There are not really any other ways a timer can go wrong, whereas sensors can fail in a huge number of ways. Simulation of the code doesn't help if you expect (for example) that the Atlas launch timer refers to time after launch commit rather than timer after countdown initialization.
The Dragon capsule exploded after being immersed in salt water that corroded valves on the escape rockets, after a successful launch/return mind you. Correct me if I am wrong, but isn't the Dragon capsule only going to be certified for one initial crew rated flight and then relegated to cargo duty for future flights? I think everyone is making the pad explosion out to be more than it really is. I wouldn't drive a car that has been drenched in salt water, why would anyone trust a space vehicle after? For having over a billion more in government funding Boeing sure is doing a great job though....
Taking all your statements as wrote for the argument, what about sitting next to the ISS on cargo flights. They'll be using the RCS in close proximity to the ISS. Also if it were to explode at retro fire some debris might get kicked back up into the ISS exclusion orbits. It's an issue, it needs to be fixed.
It still has to go back to ISS after its salt water bath. It's a bad idea keeping all of that abort hardware around the capsule, but they can't change it now. Either way, every manned American space craft has manually docked. The fact that Boeing couldn't test out its auto dock on this mission is not critical IMO. The point is to end Soyuz reliance, not beat SpaceX there, so all the fanboys should get their panties out of a twist.
@@AndrewTubbiolo It was the Draco Engine Fuel System (DEFS) that failed, not the RCS fuel system. The DEFS is only pressurized during or near the time of use so the threat of an explosion is non-existent given the cause of the explosion.
Great videos Scott, thank you. I know you explained that they took a lower altitude with the first stage for crew abort reasons, but why wouldn't this rocket go as high and as fast as it can to orbit? (Instead of having to rely on the next stage (of the capsule itself) for orbital insertion.) Have there been any other manned vehicles taking this 'safe' approach?
Firing the CEO is nothing more than slaying a sacrificial lamb. Like a CEO has anything to do with the engineering and training debacle that is the 737 MAX. Still this is how corporations react to bad press in an attempt to restore investor confidence. Because you know the new CEO will most certainly be able to swoop in and debug tens of thousands of lines of code and install a new 737 MAX certification program. Those things have already been done. Sorry this sort of BS just bothers me. It's a sham.
The sort of cost cutting measures that comes with the 737 max debacle can only come from a higher executive. It most likely wasn't some programmer's choice.
The CEO sets a leadership example, whether they want to or not. They can create an environment that is conducive to safety or they can create an environment that is focused on profits above the lives of 346 passengers. I hope hitting those quarterly revenue targets was worth it. Still, the CEO is only partly to blame. The board that fired him was also the board that hired him.
2:25 "The Board did say that they were standing by Dennis on Friday". They were standing by him at the statue of Pompey in the chamber of the Roman Senate several days before the Ides of March.
I was really wondering about them hanging on to those solids for the extra 40+ seconds. Thanks for that explanation. I think this was a successful mission for Boeing and based on everything I've been reading about it that the next flight will be crewed.
Boeing may be all over the place with political connections but NASA people aren't stupid and (I hope) they won't let it pass. Nobody wants more accidents.
I was surprised to hear your analysis of the sequence and methods to raise the spacecraft's orbit and what led to the problems with the RCS, sensors, manifolds, etc. 1) I thought that those problems occurred as a result of the chaotic thruster firings that were occurring autonomously, during the period when the spacecraft was 11hrs off the actual mission event time. 2) I assumed that when they did raise the orbit to something stable, that they used the OMAC, not RCS thrusters, which you indicated caused the problems with sensors, etc. I don't recall hearing/reading your version of the events.
Well, it does look like I didn't hear/read correctly. Spaceflightnow's article on it reports that smaller thrusters were used to raise the orbit to what they finally achieved, which caused the "overheating" anomalies... Question then seems to be WHY did they raise the orbit that way, instead of using the more powerful, appropriate thrusters for orbit raising. There seems to be something wrong with their decision to raise the orbit by overusing the RCS to the point of doing some damage to it.
@@poneil They didn't do damage; the sensors hit temperature limits and couldn't accurately monitor thrusters, so they shut off. Can be described as overheat, but no permanent damage and all 24 thrusters were recovered and successfully tested in orbit later. I wonder if mission control had better control with thrusters for some reason? OMACs obviously worked in the deorbit burn, so shouldn't have been anything physical
@@AmbientMorality I agree. Good correction on the "damage" part. Possibly, because they had been talking about "fineness" control, maybe the system was not working "coarsely" enough, at the time, to use the larger engines.
@@treelonmusk8324 You base that on.....what? Dragon 2 has been certified by NASA for flight pending the final drop tests and the inflight abort, which is not required by contract...... and we know if it's not required, it shouldn't be mandatory.
Talk about moving the goalpost. We went from orbital rendezvous and docking with the ISS to a test of Starliner's heatshield. Well done Boeing, you replicated a Mercury test flight from the early 1960's. Impressive indeed! Soooo... if it was a bullseye landing, why did we not see a SpaceX style "bullseye" like when Falcon 9 returns? Perhaps because it was dark.
Because they cut corners by replacing their software developers with Indian coders on H8 visas who did not specialize in aviation software, not familiar with what Boeing's work and did whatever Boeing asked them to do. People died because they cut corners. This is what happens when you prioritize shareholder stock buy backs versus paying American aviation software engineers.
Yup, sounds like they had no error checking or fault tolerance on here, just a list of actions blindly executed based on a single time code taken from another system, which then didn't get thoroughly tested and verified. Sounds like MCAS!
@@geraldhenrickson7472 They knew exactly what happened. Pogo effects happened before. They knew dampers in certain places would reliably eliminate the problem. And the reason for the 2 J2 engine shutoffs were also clearly identified and therefore they could fix the problem knowing it would not happen again. These were the only 2 issues. Serious ones but clearly identifiable. Launch, computers, staging all worked fine. The CSM was thoroughly tested on Apollo 7 and also worked fine. Also there was a race on, the CIA had just spy-photographed a huge booster in Russia and they expected them to make such a flight soon. That's why they took the enormous risk (arguably the biggest in NASA history) of Apollo 8. There is absolutely no motivation or justification to risk anything here. It would not be nearly as big of course.
@@5Andysalive But it is a similar scenario: they know what the issue is and how to fix it. Moreover, as the problem was software rather than hardware, I'd argue that it is a lesser concern, especially as having an astronaut on board would have likely been able to fix the issue in-flight. As far as taking risks: NASA lives or dies based on its publicity (i.e. popularity with people and thus politicians). They *really* want to get back into orbit. Look at the risks they were willing to take with STS 1.