SpaceX's Latest Advantage? Blowing Up Its Own Rocket, Automatically (qz.com)
SpaceX has reportedly worked with the Air Force to develop a GPS-equipped on-board computer, called the "Automatic Flight Safety System," that will safely and automatically detonate a Falcon 9 rocket in the sky if the launch threatens to go awry. Previously, an Air Force range-safety officer was required to be in place, ready to transmit a signal to detonate the rocket. Quartz reports: No other U.S. rocket has this capability yet, and it could open up new advantages for SpaceX: The U.S. Air Force is considering launches to polar orbits from Cape Canaveral, but the flight path is only viable if the rockets don't need to be tracked for range-safety reasons. That means SpaceX is the only company that could take advantage of the new corridor to space. Rockets at the Cape normally launch satellites eastward over the Atlantic into orbits roughly parallel to the equator. Launches from Florida into orbits traveling from pole to pole generally sent rockets too close to populated areas for the Air Force's liking. The new rules allow them to thread a safe path southward, past Miami and over Cuba.
SpaceX pushed for the new automated system for several reasons. One was efficacy: The on-board computer can react more quickly than human beings relying on radar data and radio transmissions to signal across miles of airspace, which gives the rocket more time to correct its course before blowing up in the event of an error. As important, the automated system means the company doesn't need to pay for the full use of the Air Force radar installations on launch day, which means SpaceX doesn't need to pay for some 160 U.S. Air Force staff to be on duty for their launches, saving the company and its customers money. Most impressively, the automated system will make it possible for SpaceX to fly multiple boosters at once in a single launch.
There's another name for this (Score:1)
Re:There's another name for this (Score:4, Insightful)
You only like it because you don't work in the reliability field. Having a human operator in charge is one of the least reliable ways of doing things.
*Civilian* GPS (Score:4, Informative)
I don't know. GPS was never supposed to be used for anything like this.
*Civilian* GPS was not supposed to be used like this and got limitations (speed, altitude *) to avoid being usable like this.
The military had guiding missiles this way in mind from day one.
---
*: normal GPS chips will refuse to give a precise answer above a certain speed (~500 m/s) and altitude (18km) [wikipedia.org].
Re: (Score:2)
> I don't know. GPS was never supposed to be used for anything like this.
> *Civilian* GPS was not supposed to be used like this and got limitations (speed, altitude *) to avoid being usable like this.
It has been a while since I studied them but I think the ITAR regulations only apply if the GPS receiver is exported as with cryptography. An export regulation makes a nice unambiguous jurisdictional hook. Of course as a practical matter, this applies to any mass produced implementation. If this is an issue for SpaceX, then they should have no trouble getting a licensed exception and I assume some of the ASIC manufacturers produce a custom firmware without the civilian ITAR restrictions or that SpaceX c
Civilian GPS (Score:2)
> It has been a while since I studied them but I think the ITAR regulations only apply if the GPS receiver is exported as with cryptography.
According to the Wikipedia segment I've linked, it's indeed an import/export rule.
So in theory a pure 100% all-American chip manufacturer (do such things still exist?) can legally flash a non-limited firmware as long as the device never crosses the US border during production, is only sold in-land, and is clearly marked "not for export".
This also means that the usual Asian chip manufacturers only need to flash such firmware on things clearly sold elsewhere but not in the US (nor the few other countries which follow
Re: (Score:2)
Actually civilian receivers lose lock completely. It's to prevent their use on missiles.
Re: (Score:2)
Uhh, no, GPS was designed specifically to guide missiles and military aircraft.
Re: There's another name for this (Score:1)
> Having a human operator in charge is one of the least reliable ways of doing things.
Speak for yourself. Oh, sorry; you are.
Re: (Score:1)
Nope, I'm speaking as a reliability engineer backed up by 50 years' worth of data and statistics.
But hey I'm sure *you* are different. Reminds me of the 92% of males and 85% of females who believe they are better than average drivers and thus immune to the various researched effects on their driving efficacy.
Re: (Score:3)
> You only like it because you don't work in the reliability field. Having a human operator in charge is one of the least reliable ways of doing things.
Then again, there are the famous Airbus incidents where software caused the plane to safely mow through a forest and crash because it knew that the pilot desperately trying to fly it was obviously wrong.
Or the computer glitch that told another Airbus that it was somehow flying nose-up at 30 degrees at cruising speed, and immediately pitched it down at 30 because it then thought it was in level flight. Miraculously they eventually wrested control and managed to land - though safely is a bit strong of a wo
Re:There's another name for this (Score:4, Insightful)
> Then again, there are the famous Airbus incidents where software caused the plane to safely mow through a forest and crash because it knew that the pilot desperately trying to fly it was obviously wrong.
Oh indeed. No computer is perfect, and no system created by people is perfect. In industry we look at the differences between random failures and systematic failures. Some >80% of failures of systems are systematic and the result of human error in design, operation or maintenance. The remainder can be easily quantified and is widely considered several orders of magnitude better in performance than humans.
> The point is, I don't know that I'd take the position that the human is the least reliable ways of doing things, when the humans tried to do the correct thing, but the computers insisted on their way or the highway.
I'm reminded of the usual safety pep talks: No one goes to work with the intent to injure themselves (obviously not true, but true enough). If you consider humans doing the correct thing then they are actually quite reliable. However the key reliability problem is that humans startlingly often don't do the correct thing, often due to no fault of their own. The human brain is incredibly fallible.
> TL;DR - Don't be in too big a hurry to declare superior safety. Hubris always attracts Karma
Safety systems were invented for a reason and humans are only ever considered the first line of defence before automatic systems take over. I often like getting asked why I don't perform reliability calculations on emergency stop pushbuttons on critical equipment. The answer typically stops the person asking the question dead in their tracks: "Without doing a calculation I can say the reliability of the pushbutton is approximately 3 orders of magnitude higher than the brain that is tasked with making the decision to push it."
Re: (Score:2)
> Safety systems were invented for a reason and humans are only ever considered the first line of defence before automatic systems take over. I often like getting asked why I don't perform reliability calculations on emergency stop pushbuttons on critical equipment. The answer typically stops the person asking the question dead in their tracks: "Without doing a calculation I can say the reliability of the pushbutton is approximately 3 orders of magnitude higher than the brain that is tasked with making the decision to push it."
I think the takeaway here - or at least the one that to me would work best, is to have both. An override of the computer in the event it refuses to destroy an obviously errant rocket. Which should actually increase safety, not just eliminate payroll.
Re: (Score:2)
Yes and no. Ideal redundancy is through independent systems and by independent I am also talking technologically independent. For basic and defined outcomes a human is not needed. A human is critical in decision making where the decision point isn't well defined (i.e. does that car look like it's about to run a red light).
The payroll in this case is a bunch of humans looking at a computer to make a decision based on an event. If the decision point is defined then the computer can just cut out the middle man
Re: (Score:2)
That's not quite a good analogy.
Here we are talking about replacing a proven (albeit expensive) method with a cheap computer on board of the rocket.
Those computers have always been there in the past, the range safety explosives (and any eventual rescue systems in the case of manned flights - e.g. the Apollo/Soyuz escape towers) could have been either triggered automatically when the electronics detected an anomalous deviation from the pre-programmed path OR remotely by a human from the ground should somethi
Re: (Score:3)
Challenger's boosters are an excellent case for automated range safety.
How long did they spin out of control for? Video suggests 15 to 20 seconds. Or about a hundred times longer than an automated range safety device would have let them, greatly increasing the debris field.
Re: (Score:2)
> Here we are talking about replacing a proven (albeit expensive) method with a cheap computer on board of the rocket.
The cost or proven in use case have no bearing on the overall reliability of a system. Computer based safety systems have by their nature replaced proven and expensive methods of safety that came before them, yet with each iteration of technology the reliability continues to improve.
What it sounds like you're making a case for is the lack of field experience for this particular computer, but that's exactly where reliability engineering comes in, something that we have also gotten far better at over the year
Re: (Score:2)
Any event that happened to the vehicle that knocked the computers offline would have caused the same impact to the flight termination system regardless of if it was manual or automated. The ability to manually terminate the flight still exists, they have just now added the ability for the vehicle to decide to trigger the FTS itself. If there is any reduction in potential safety, it would come from switching from radar tracking to GPS tracking, not the vehicle having the ability to push the button itself.
Re: (Score:2)
You can't make an informed decision based on that alone (well, you can, but science can't).
For balance, we now need to list every time the computer saved the day and see which method really wins.
Re: (Score:2)
> These are great examples of times when the computer messed up the day. You can't make an informed decision based on that alone (well, you can, but science can't). For balance, we now need to list every time the computer saved the day and see which method really wins.
Well, I suppose if you are trying to say that I'm wanting to go back to woodburning rockets.
My point is that people have a tendency to believe that a human in the loop equals bad, and that computers will always be accurate.
I'm dealing with that very thing right now as we write. There is a process that currently involves hand checking a number of databases.
This is being replaced with an automated checking process that is demonstrably less accurate than the hand checked version.
I can demonstrate
Re: (Score:2)
More evidence of AI stealing jobs.
emergency self-destruct (Score:3)
No, we call it an emergency self-destruct system. A rocket is already a missile by nature, with its fuel being the warhead. If it were to malfunction and hit the ground with most of its fuel still on board it would make for a *really* bad day for anyone in the area. A high altitude airburst as soon as the situation becomes unrecoverable is by far the preferable alternative.
Re: (Score:2)
I'm Canadian. I keep reading it as "Air Farce [wikipedia.org]".
Hey (Score:2)
"It's not a bug, it's a feature."
Well played SpaceX. Well played.
Hold down the button or Settings General Keybo (Score:2)
Prior to iOS 11, you had to hold down the quote button to get the option to use "smart quotes". Now that those are the default, holding the button down may give the option to use standard quotes. If not, one can turn them off entirely in Settings > General > Keyboards.
Re: (Score:2)
I am disappointed that this new feature is not being called an Overpressure Event [twitter.com] Generator.
Vandenberg AFB. (Score:2)
So they are going to try and close Vandenberg AFB and take a chunk out of California's economy?
Re: (Score:3)
> So they are going to try and close Vandenberg AFB and take a chunk out of California's economy?
I kind of doubt SpaceX is keeping Vandenberg AFB off the chopping block, particularly given the fact that Vandenberg serves as a key coastal missile defense position. Hell, Trump's Twitter account is keeping Vandenberg alive more than SpaceX at this point.
And a handful of SpaceX launches per year affects the California economy about as much as taking a piss in the Pacific ocean.
Re: (Score:2)
Vandenberg, unlike Cape Canaveral, can be used for launches to polar orbits. Polar orbits are popular for Earth observation satellites. That is what keeps Vandenberg open.
Re: (Score:3)
I understand that nobody here reads the linked articles before they pontificate on topics, but it would really help if you could at least read the short summary at the top of the page.
Re: (Score:2)
I got as far as the first paragraph of the summary, then thought, "hang on, that's not right" and went to look for better sources (1). I missed the section on polar orbits entirely.
1: which led to my post [slashdot.org] about AFSS not being a SpaceX development.
Re: (Score:2)
Missed the summary, eh?
Re: (Score:2)
Californians in general and the nearby community of Lompoc aren't great fans of the base. It very likely is a candidate for base closure. Development of the base real-estate would likely lead to greater economic benefit to California and communities close to the base.
Re: (Score:2)
It's OK, those Latinos are communists, and anyone who would say communist lives matter must be a dirty commie!
Please no spoofing of GPS... (Score:5, Insightful)
I'm sure it's been sorted but this comes to mind:
Reports Say U.S. Drone was Hijacked by Iran Through GPS Spoofing [securityweek.com].
(The nabbing of a drone by spoofed GPS signals)
How would that work (Score:5, Interesting)
In order to spoof GPS for a rocket you'd have to have a system that had multiple nodes at various altitudes along the exact flight path in order to have a strong enough signal to overpower the real satellites... it seems extremely unlikely that something going as fast as a rocket could be spoofed, unlike a drone which is usually sent to basically hover over an area.
Re: (Score:3)
You only really need to spoof it long enough for the rocket to make a correction which endangers the mission, or long enough for the rocket to think it's seriously off course and triggers the destruct. You don't need to spoof the entire path.
Re: (Score:2)
> If spoofer gradually and consistently pushes GPS data to another location, no INS data will be able to correct that.
That's just it though - a rocket is simply moving too fast to "gradually adjust" the spoofed GPS data without a substantial investment in spoofing transmitters. High-speed drones are standing still by comparison - a Falcon 9's groundspeed is mach 1 within ~90s of launch, and it's barely getting started.
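The exchange above turns on whether an on-board system can tell a spoofed fix from a real one. As an added illustration (not code from the page, from SpaceX or from the AFSS, whose internals the thread does not describe), here is a toy plausibility gate: each GPS fix is compared with an INS dead-reckoned prediction and is only accepted if the vehicle could physically have reached it. The flat-earth frame, 1 Hz fix rate, 6 g acceleration bound, noise tolerance and the three sample trajectories are all constructed assumptions. It shows both sides of the argument: an abrupt jump is rejected, but a slow drift within the noise margin is not, which is exactly the limitation the quoted comment raises.

```python
import math
from dataclasses import dataclass

# Constructed assumptions (not SpaceX/AFSS values): 1 Hz fixes, vehicle cannot
# exceed 6 g, and normal GPS/INS disagreement is under 50 m. A fix that implies
# a jump beyond what INS predicts plus that margin is ignored, not acted on.
MAX_ACCEL_MPS2 = 6 * 9.81
DT_S = 1.0
TOLERANCE_M = 50.0


@dataclass
class State:
    pos: tuple  # (x, y) metres in a constructed flat-earth frame
    vel: tuple  # (vx, vy) metres per second


def ins_predict(state: State, accel: tuple, dt: float = DT_S) -> State:
    """Dead-reckon one step forward from the INS accelerometer reading."""
    vx = state.vel[0] + accel[0] * dt
    vy = state.vel[1] + accel[1] * dt
    return State((state.pos[0] + vx * dt, state.pos[1] + vy * dt), (vx, vy))


def gps_fix_plausible(predicted: State, gps_pos: tuple, dt: float = DT_S) -> bool:
    """Accept a fix only if it lies inside the region reachable from the INS
    prediction under the acceleration bound, plus the sensor-noise tolerance."""
    dist = math.hypot(gps_pos[0] - predicted.pos[0], gps_pos[1] - predicted.pos[1])
    reachable = 0.5 * MAX_ACCEL_MPS2 * dt * dt + TOLERANCE_M
    return dist <= reachable


def run_flight(initial: State, accels, gps_fixes):
    """Fuse INS and GPS step by step. Returns (final_state, rejected_fix_indices).
    A rejected fix is dropped and the INS prediction is carried forward instead."""
    state, rejected = initial, []
    for i, (a, fix) in enumerate(zip(accels, gps_fixes)):
        predicted = ins_predict(state, a)
        if gps_fix_plausible(predicted, fix):
            state = State(fix, predicted.vel)
        else:
            rejected.append(i)
            state = predicted
    return state, rejected


# Constructed sample flight: straight up the +y axis from 300 m/s at 20 m/s^2.
INITIAL = State((0.0, 0.0), (0.0, 300.0))
ACCELS = [(0.0, 20.0)] * 5
TRUE_FIXES = [(0.0, 320.0), (0.0, 660.0), (0.0, 1020.0), (0.0, 1400.0), (0.0, 1800.0)]


def honest_flight():
    """Genuine fixes agree with INS, so nothing is rejected."""
    return run_flight(INITIAL, ACCELS, TRUE_FIXES)


def spoofed_jump_flight():
    """Third fix displaced 2 km sideways: far outside the reachable region."""
    fixes = list(TRUE_FIXES)
    fixes[2] = (2000.0, 1020.0)
    return run_flight(INITIAL, ACCELS, fixes)


def gradual_drift_flight():
    """Each fix nudged 60 m further sideways: under the margin, so every fix passes
    and the fused position walks 300 m off the true path by the end."""
    fixes = [(60.0 * (i + 1), y) for i, (_, y) in enumerate(TRUE_FIXES)]
    return run_flight(INITIAL, ACCELS, fixes)


if __name__ == "__main__":
    print("honest:", honest_flight())
    print("jump:", spoofed_jump_flight())
    print("drift:", gradual_drift_flight())
```

The gate alone is therefore a sanity check on abrupt inconsistency, not a spoofing detector; catching a slow drift needs an independent reference (the radar tracking the thread contrasts with GPS, or a second navigation source) rather than a tighter threshold.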
Re: (Score:2)
> GPS data is considered reliable but less accurate
Not in orbit. In passive orbit, GPS is extremely accurate and can be very well used by the second stage for accurate burns from parking orbits with great effect. And you have no meaningful way of spoofing that.
> Also the second paragraph of the article says that the SpaceX rocket will correct its path relying on its GPS data.
The second paragraph of the article says no such thing. The flight safety system is NOT guiding the rocket.
Re: (Score:2)
But then all you've done is destroyed the rocket on its normal path, which is still planned for relative safety.
Yes, it would potentially allow someone to blow up these particular rockets. Once.
Avoiding innovation because someone, somewhere, somehow could maaaaaybe use it to break something is ridiculous.
Re: (Score:2)
Destroying one rocket one time can still cripple a competitor business (many satellites aren't insured), or can set back a military project (spy satellites etc).
The rocket goes to the satellites 12,000 miles up (Score:2)
Which one is closer depends very much on how long after launch we're talking about. It's a space rocket - toward the end of the flight is very much nearer space than it is to the ground. In fact the Falcon may go twice as high as GPS satellites.
Re: (Score:2)
Space is only 60 miles away. GPS satellites are ~12,000 miles away. You'll be in stable orbit long before you get closer to the satellites. At which point automated self destruct systems will almost certainly be disengaged because there's no longer an imminent threat to anyone, have essentially limitless time to try to regain control, and any explosion is going to create some nasty orbital debris that nobody wants around.
You're confusing orbit with "space" (Score:2)
At 60 miles, the air pressure is very low. That doesn't mean you have "limitless time" or any of that. In order to orbit at that altitude, you'd need to be traveling at 20 km/s or so. The Falcon is only going 500 m/s at that altitude. It would need to be going about 40 times as fast for what you said to make sense.
Re: (Score:2)
Sure, at 60 miles you won't stay up indefinitely - still plenty of time to futz around and destruct manually though. And even the ISS is only at 254 miles altitude - still not completely free of atmospheric drag, but near enough for most purposes.
Actually low-Earth orbital speed is only ~8km/s, and falls off with altitude. Really though, the Falcon booster, which is the real threat, is strictly suborbital, it's only the second stage that even has the option of reaching orbital speeds, though that may chan
Two (Score:2)
It takes about two seconds to realize that any ground based system will be passed WAY out of range in about a second at the speed a rocket is going.
Not to mention the signal from a ground based station would be whack because of how fast the rocket is moving relative to the station; a GPS satellite being pretty far away means a rocket can lock on and track it very quickly even going fairly fast; no way the GPS circuits would be able to lock onto the rapidly receding ground station that is my comparison supe
Re: (Score:1)
The GPS antenna is probably on the top side, with low gain towards the earth (if they are smart). A cubesat might be able to generate the spoofing signal, althou
Re: (Score:1)
You really only need to spoof GPS for a brief moment in time; long enough for the guidance to come to the conclusion that it's out of the scheduled flight-path. Then... Goodbye cruel world. I'm not suggesting that the rocket would be hijacked in this case; rather sabotaged.
Again, I'm sure there are work-arounds for this sort of "prank" by now.
Re: (Score:2)
So instead of a person being responsible for pressing a button there is now AI making that decision.
Better get used to that. It's our future whether we like it or not.
Re: (Score:2)
No it's more than that. With the old system, someone on the ground had to monitor the flight path of the rocket and press the self-destruct if it went far enough off course. This meant you needed to be able to track the entire flight of the rocket with radar ground stations (which they can't for this kind of launch), and you had to hope the self-destruct signal from the ground got through to the rocket.
This new system eliminates both problems, because the rocket tracks itself (using onboard GPS sensors and
Put all your enemies on a rocket (Score:2)
"Reliability of Shuttle Destruct System" (Score:5, Informative)
Reliability of Shuttle Destruct System [LONG]
"MARTIN J. MOORE" [mooremj@eglin-vax]
28 Jan 86 14:06:00 CDT
Copyright © 1986 Martin J. Moore
[COMMENT: READERS -- PLEASE OBSERVE THE RESTRICTIONS ON THIS MESSAGE AT THE END OF THE MESSAGE. PGN]
> From: Peter G. Neumann [Neumann@SRI-CSL.ARPA]
> For those of you who haven't heard, the Challenger blew up this morning...
> One unvoiced concern from the RISKS point of view is the presence on each
> shuttle of a semi-automatic self-destruct mechanism. Hopefully that
> mechanism cannot be accidentally triggered.
[COMMENT: I did not intend to imply that as the cause -- only to raise concern about the safety of such mechanisms. PGN]
Peter, I assume that you are talking about the Range Safety Command Destruct System, which is used to destroy errant missiles launched from Cape Canaveral. From 1980 to 1983 I was the lead programmer/analyst on the ground portions of that system, and I am the primary author of the software which translates the closing of destruct switches into the RF destruct signals sent to the vehicle. I think I can address the question of whether the system can be accidentally triggered; worrying about that gave me nightmares off and on for months while I was on the project. I'd like to tell you a little about the system and why I think the answer is No. Note that my information is now three years old, and some details may have changed; there may also be minor errors in detail due to lapses in my memory, which isn't as good as my computer's!
On board the vehicle, there are five destruct receivers: one on the external tank (ET) and two on each of the solid rocket boosters (SRBs). There is no receiver or destruct ordnance on the Orbiter; it is effectively just an airplane. The casing of each SRB is mined with HMX, a high explosive; the ET contains a small pyrotechnic device which causes its load of liquid hydrogen and liquid oxygen to combine and combust. The receivers and explosives are connected such that the receipt of four proper ARM sequences followed by a proper FIRE sequence by any of the receivers will explode the ordnance.
The ARM sequence and FIRE sequence must come from the ground; they cannot be generated aboard the vehicle. These sequences are transmitted on a frequency which is reserved, at all times, for this purpose and this purpose alone. There are several transmitters around the Eastern Test Range which can be used to transmit the codes. These transmitters have a power of 10 kw (continuous wave). The ARM and FIRE sequences consist of thirteen tone pairs (different for each command and changed for each launch). There are eight possible tones, resulting in 28 possible tone pairs; thus, there are (28^13) or slightly over 6.5E18 correct sequences.
The Range Safety Officer has two switches labeled "ARM" and "DESTRUCT". When he throws a switch, it generates an interrupt in the central processor (there are actually two central processors running and receiving all inputs, but only one is on-line at any time; in case of software or hardware error the backup is switched in. And yes, they have different power sources.) The central program checks for the correct code on each of two different hardware lines (the correct code is different for each line); if correct, and all criteria are met to allow the sequence to be sent, the central program requests the tone pairs for that sequence from another processor. That processor (like everything else in the system, actually redundant processors) has only one function: to store and deliver those tone pairs. The processor resides in a special vault and can only be accessed in order to program the tone pairs (which are highly classified) before each launch. The data line between the central processor and the storage processor is
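The post describes a command structure (eight tones, 28 tone pairs, thirteen-pair per-launch codes, four proper ARMs followed by a proper FIRE) whose accidental-trigger probability is the whole point. As an added example, not the author's system or any real range-safety code, here is a Python model of a single airborne receiver with that acceptance rule, plus the key-space count. One detail the post does not state and that is assumed here: a sequence matching neither command resets the ARM count, so partial progress cannot accumulate out of noise.

```python
import secrets
from itertools import combinations

# Constants taken from the RISKS post: eight tones, commands are sequences of
# thirteen tone pairs, and the ordnance fires only after four proper ARM
# sequences followed by a proper FIRE sequence.
TONES = 8
TONE_PAIRS = list(combinations(range(TONES), 2))  # 28 unordered pairs
SEQUENCE_LEN = 13
ARMS_REQUIRED = 4


def keyspace() -> int:
    """Distinct thirteen-pair sequences: 28**13, just over 6.5e18."""
    return len(TONE_PAIRS) ** SEQUENCE_LEN


def generate_command_code(rng=secrets):
    """Per-launch code for one command: thirteen tone pairs chosen at random.
    rng only needs a .choice(); pass random.Random(seed) for reproducibility."""
    return tuple(rng.choice(TONE_PAIRS) for _ in range(SEQUENCE_LEN))


class DestructReceiver:
    """Toy model of one receiver. Assumption not in the post: a sequence that
    matches neither command resets the ARM count."""

    def __init__(self, arm_code, fire_code):
        self.arm_code = arm_code
        self.fire_code = fire_code
        self.arms_received = 0
        self.fired = False

    def receive(self, sequence) -> bool:
        """Process one received sequence; returns True once the ordnance fires."""
        if self.fired:
            return True
        if sequence == self.arm_code:
            self.arms_received = min(self.arms_received + 1, ARMS_REQUIRED)
        elif sequence == self.fire_code and self.arms_received >= ARMS_REQUIRED:
            self.fired = True
        else:
            self.arms_received = 0  # assumed reset on any improper sequence
        return self.fired


def proper_destruct(arm_code, fire_code) -> bool:
    """Four ARMs then FIRE: the only path that fires."""
    rx = DestructReceiver(arm_code, fire_code)
    for _ in range(ARMS_REQUIRED):
        rx.receive(arm_code)
    return rx.receive(fire_code)


def premature_fire(arm_code, fire_code) -> bool:
    """FIRE after only three ARMs must not fire."""
    rx = DestructReceiver(arm_code, fire_code)
    for _ in range(ARMS_REQUIRED - 1):
        rx.receive(arm_code)
    return rx.receive(fire_code)


def interrupted_destruct(arm_code, fire_code) -> bool:
    """Four ARMs, one garbage sequence, then FIRE: the reset blocks it."""
    rx = DestructReceiver(arm_code, fire_code)
    for _ in range(ARMS_REQUIRED):
        rx.receive(arm_code)
    rx.receive(generate_command_code())
    return rx.receive(fire_code)


def random_noise_trials(arm_code, fire_code, trials=10_000) -> int:
    """Feed random sequences and count firings; expected count is trials / 6.5e18."""
    rx = DestructReceiver(arm_code, fire_code)
    return sum(1 for _ in range(trials) if rx.receive(generate_command_code()))


if __name__ == "__main__":
    arm, fire = generate_command_code(), generate_command_code()
    print("keyspace:", keyspace())
    print("proper:", proper_destruct(arm, fire))
    print("premature:", premature_fire(arm, fire))
    print("noise firings:", random_noise_trials(arm, fire))
```

The model shows why the sequencing, not just the code length, matters: a single correct guess buys nothing unless it arrives as the fifth step of a correct chain, and the 28**13 figure in the post is the size of each individual step's search space.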
Re: (Score:1)
What part of "not for reproduction or retransmittal without the express permission of the author" did you not understand?
How did the H2 and O2 become an explosive mixture? (Score:2)
> the External Tank contains a small pyrotechnic device which causes its load of liquid hydrogen and liquid oxygen to combine and combust.
I have often wondered -- and this makes me wonder once again -- how did the Challenger's H2 and O2 become an explosive mixture? Inside the External Tank were actually a LOX tank (above) and a separate LH2 tank (below).
The cause of the disaster was explained as a faulty O-ring that allowed a jet of hot gas to escape out the side of one of the solid rocket boosters, impinging on the External Tank. Fine, but that could cause a breach of the O2 tank or the H2 tank -- not both.
And even if both were breached, w
Re: (Score:2)
> how did the Challenger's H2 and O2 become an explosive mixture? [A jet of hot gas] could cause a breach of the O2 tank or the H2 tank -- not both.
The mixture was caused by kinetic force. When the H2 tank breached, the rupture rocketed it into the O2 tank.
First Rocket? (Score:3)
I swear I heard ~15 years ago that (at least some) NASA rockets utilized a gyroscope to automatically detonate during launch if they started pointing below the horizon.
Re: (Score:2)
Even so, that's an extremely simplistic backup for a single failure mode which may not occur until well after a rocket has deviated from its flight path.
Not exclusive to SpaceX (Score:5, Informative)
NASA and the Air Force (which provides the range safety systems) have been working on the autonomous flight safety system [nasa.gov] for at least a decade. SpaceX is just the first customer to use it.
I'm pretty sure... (Score:5, Funny)
...that all rocket explosions are automatic. They're rarely intended or desired but they still qualify as "automatic."
=Smidge=
Re: (Score:2)
Depends which rockets you mean. The ones with explosive ordnance in them usually go kaboom. Otherwise someone might be sad to not have their earth-shattering kaboom!
Re: (Score:2)
Uh, no. "Automatic" implies a pre-planned action. Unintended and undesirable rocket explosions are "accidents".
Re: (Score:2)
Two ways to argue this;
1) Nothing about automatic implies preplanning; "Done or occurring spontaneously, without conscious thought or attention"
2) Explosions are absolutely pre-planned in rocket design, though the intent is to keep the explosions contained within the engine. :-)
=Smidge=
Ariane 5 (Score:2)
I was under the impression that Ariane 5 did automatically self-destruct in 1996.
Re: (Score:3)
Paranoid much? How about a rogue range officer. How about rogue software reporting incorrect flight data? How about someone having a Bad Day? How about someone being negligent in their job and not paying enough attention? What if someone blocks/jams the signal?
Bottom line: any practice has potential avenues of failure. Computers can react faster and with more precision than a human, plus this puts the decision loop within the spacecraft, eliminating the need for a groundside communications loop.
Oh, and
Re: (Score:2)
Well, yeah, after it started to come apart in mid-air. See this analysis [leshatton.org] for details.
uhm....??? (Score:2)
> Launches from Florida into orbits traveling from pole to pole generally sent rockets too close to populated areas for the Air Force's liking. The new rules allow them to thread a safe path southward, past Miami and over Cuba.
Actually, according to my research, Miami and Cuba are in fact populated areas.
Re: (Score:2)
fine, but gotta admit the odds of SpaceX crashing some debris directly onto Raúl Castro's head as opposed to some random sugar cane farmer is pretty remote.
Re: (Score:2)
I suppose you can fly over Cuba without being too close. If you were 100km away straight up?
Re: (Score:2)
> Launches from Florida into orbits traveling from pole to pole generally sent rockets too close to populated areas for the Air Force's liking. The new rules allow them to thread a safe path southward, past Miami and over Cuba.
> Actually, according to my research, Miami and Cuba are in fact populated areas.
Yes, I think that's the point. The previous system (a person tracking the rocket and pressing the destruct button if necessary) was not fast enough to let them launch rockets over heavily-populated areas. The new system can react more quickly, so it can fly over heavily-populated areas with considerably less danger to the people on the ground.
Re: (Score:2)
Polar orbits are used for weather and "weather" satellites.
FTFY.
Signed,
CIA/FBI/NSA/X-Files/whatever.
Least impressively..... (Score:1)
Least impressively, it will take a cheap human out of the decision loop, making it more likely that the wrong decision will be made by some possibly buggy software, like, say the $400 million Ariane blowup of yore.