Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Space The Military United States Hardware Technology

SpaceX's Latest Advantage? Blowing Up Its Own Rocket, Automatically (qz.com) 126

SpaceX has reportedly worked with the Air Force to develop a GPS-equipped on-board computer, called the "Automatic Flight Safety System," that will safely and automatically detonate a Falcon 9 rocket in the sky if the launch threatens to go awry. Previously, an Air Force range-safety officer was required to be in place, ready to transmit a signal to detonate the rocket. Quartz reports: No other U.S. rocket has this capability yet, and it could open up new advantages for SpaceX: The U.S. Air Force is considering launches to polar orbits from Cape Canaveral, but the flight path is only viable if the rockets don't need to be tracked for range-safety reasons. That means SpaceX is the only company that could take advantage of the new corridor to space. Rockets at the Cape normally launch satellites eastward over the Atlantic into orbits roughly parallel to the equator. Launches from Florida into orbits traveling from pole to pole generally sent rockets too close to populated areas for the Air Force's liking. The new rules allow them to thread a safe path southward, past Miami and over Cuba.

SpaceX pushed for the new automated system for several reasons. One was efficacy: The on-board computer can react more quickly than human beings relying on radar data and radio transmissions to signal across miles of airspace, which gives the rocket more time to correct its course before blowing up in the event of an error. As important, the automated system means the company doesn't need to pay for the full use of the Air Force radar installations on launch day, which means SpaceX doesn't need to pay for some 160 U.S. Air Force staff to be on duty for their launches, saving the company and its customers money. Most impressively, the automated system will make it possible for SpaceX to fly multiple boosters at once in a single launch.

SpaceX's Latest Advantage? Blowing Up Its Own Rocket, Automatically

Comments Filter:
  • Don't we also call this a missile? I think I actually like the idea of the Air Force guy with the destruct button better.
    • by thegarbz ( 1787294 ) on Friday January 05, 2018 @02:55AM (#55867379)

      You only like it because you don't work in the reliability field. Having a human operator in charge is one of the least reliable ways of doing things.

      • Having a human operator in charge is one of the least reliable ways of doing things.

        Speak for yourself. Oh, sorry; you are.

        • Nope, I'm speaking as a reliability engineer backed up by 50years worth of data and statistics.

          But hey I'm sure *you* are different. Reminds me of the 92% of males and 85% of females who believe they are better than average drivers and thus immune to the various researched effects on their driving efficacy.

      • You only like it because you don't work in the reliability field. Having a human operator in charge is one of the least reliable ways of doing things.

        Then again, there are the famous Airbus incidents where software caused the plane to safely mow through a forest and crash because it knew that the pilot desperately trying to fly it was obviously wrong.

        Or the computer glitch that told another Airbus that it was somehow flying nose-up at 30 degrees at cruising speed, and immediately pitched it down at 30 because it then thought it was in level flight. Miraculously they eventually wrested control and managed to land - though safely is a bit strong of a wo

        • by thegarbz ( 1787294 ) on Friday January 05, 2018 @11:30AM (#55869271)

          Then again, there are the famous Airbus incidents where software caused the plane to safely mow through a forest and crash because it knew that the pilot desperately trying to fly it was obviously wrong.

          On indeed. No computer is perfect, and no system created by people is perfect. In industry we look at the differences between random failure and systematic failures. Some >80% of failures of systems are systematic and the result of human error in design, operation or maintenance. The remainder can be easily quantified and is widely considered several orders of magnitude better in performance than humans.

          The point is, I don't know that I'd take the position that the human is the least reliable ways of doing things, when the humans tried to do the correct thing, but the computers insisted on their way or the highway.

          I'm reminded of the usual safety pep talks: No one goes to work with the intent to injure themselves (obviously not true, but true enough). If you consider humans doing the correct thing then they are actually quite reliable. However the key reliability problem is that humans startlingly often don't do the correct thing, often due to no fault of their own. The human brain is incredibly fallible.

          TL;DR - Don't be in too big a hurry to declare superior safety. Hubris always attracts Karma

          Safety systems were invented for a reason and humans are only ever considered the first line of defence before automatic systems take over. I often like getting asked why I don't perform reliability calculations on emergency stop pushbuttons on critical equipment. The answer typically stops the person asking the question dead in their tracks: "Without doing a calculation I can say the reliability of the pushbutton is approximately 3 orders of magnitude higher than the brain that is tasked with making the decision to push it."

          • Safety systems were invented for a reason and humans are only ever considered the first line of defence before automatic systems take over. I often like getting asked why I don't perform reliability calculations on emergency stop pushbuttons on critical equipment. The answer typically stops the person asking the question dead in their tracks: "Without doing a calculation I can say the reliability of the pushbutton is approximately 3 orders of magnitude higher than the brain that is tasked with making the decision to push it."

            I think the takeaway here - or at least the one that to me would work best, is to have both. An override of the computer in the event it refuses to destroy an obviously errant rocket. Which should actually increase safety, not just eliminate payroll.

            • Yes and no. Ideal redundancy is through independent systems and by independent I am also talking technologically independent. For basic and defined outcomes a human is not needed. A human is critical in decision making where the decision point isn't well defined (i.e. does that car look like it's about to run a red light).

              The payroll in this case is a bunch of humans looking at a computer to make a decision based on an event. If the decision point is defined then the computer can just cut out the middle man

          • by janoc ( 699997 )

            That's not a quite good analogy.

            Here we are talking about replacing a proven (albeit expensive) method with a cheap computer on board of the rocket.

            Those computers have always been there in the past, the range safety explosives (and any eventual rescue systems in the case of manned flights - e.g. the Apollo/Soyuz escape towers) could have been either triggered automatically when the electronics detected an anomalous deviation from the pre-programmed path OR remotely by a human from the ground should somethi

            • by ColaMan ( 37550 )

              Challenger's boosters are an excellent case for automated range safety.

              How long did they spin out of control for? Video suggests 15 to 20 seconds. Or about a hundred times longer than an automated range safety device would have let them, greatly increasing the debris field.

            • Here we are talking about replacing a proven (albeit expensive) method with a cheap computer on board of the rocket.

              The cost or proven in use case have no bearing on the overall reliability of a system. Computer based safety systems have by their nature replaced proven and expensive methods of safety that came before them, yet with each iteration of technology the reliability continues to improve.

              What it sounds like you're making a case for is the lack of field experience for this particular computer, but that's exactly where reliability engineering comes in, something that we have also gotten far better at over the year

            • by Guspaz ( 556486 )

              Any event that happened to the vehicle that knocked the computers offline would have caused the same impact to the flight termination system regardless of if it was manual or automated. The ability to manually terminate the flight still exists, they have just now added the ability for the vehicle to decide to trigger the FTS itself. If there is any reduction in potential safety, it would come from switching from radar tracking to GPS tracking, not the vehicle having the ability to push the button itself.

        • by JD-1027 ( 726234 )
          These are great examples of times when the computer messed up the day.

          You can't make an informed decision based on that alone (well, you can, but science can't).

          For balance, we now need to list every time the computer saved the day and see which method really wins.
          • These are great examples of times when the computer messed up the day. You can't make an informed decision based on that alone (well, you can, but science can't). For balance, we now need to list every time the computer saved the day and see which method really wins.

            Well, I suppose if you are trying to say that I'm wanting to go back to woodburning rockets.

            My point is that people have a tendency to believe that a human in the loop equals bad, and that computers will always be accurate.

            I'm dealing with that very thiing right now as we write. There is a process that currently involves hand checking a number of databases.

            This is being replaced with an automated checking process that is demonstrably less accurate than the hand checked version.

            I can demonstrate

    • No, we call it an emergency self-destruct system. A rocket is already a missile by nature, with its fuel being the warhead. If it were to malfunction and hit the ground with most of its fuel still on board it would make for a *really* bad day for anyone in the area. A high altitude airburst as soon as the situation becomes unrecoverable is by far the preferable alternative.

  • âoeItâ(TM)s not a bug itâ(TM)s a feature. âoe

    Well played SpaceX. Well played.

  • So they are going to try and close Vandenberg AFB and take a chunk out of California's economy?

    • So they are going to try and close Vandenberg AFB and take a chunk out of California's economy?

      I kind of doubt SpaceX is the keeping Vandenberg AFB off the chopping block, particularly given the fact that Vandenberg serves as a key coastal missile defense position. Hell, Trumps Twitter account is keeping Vandenberg alive more than SpaceX at this point.

      And a handful of SpaceX launches per year affects the California economy about as much as taking a piss in the Pacific ocean.

    • Vandenberg, unlike Cape Canaveral, can be used for launches to polar orbits. Polar orbits are popular for Earth observation satellites. That is what keeps Vandenberg open.

      • I understand that nobody here reads the linked articles before they pontificate on topics, but it would really help if you could at least read the short summary at the top of the page.

        • I got as far as the first paragraph of the summary, then thought, "hang on, that's not right" and went to look for better sources (1). I missed the section on polar orbits entirely.

          1: which led to my post [slashdot.org] about AFSS not being a SpaceX development.

      • Missed the summary, eh?

    • Californians in general and the nearby community of Lompoc aren't great fans of the base. It very likely is a candidate for base closure. Development of the base real-estate would likely lead to greater economic benefit to California and communities close to the base.

  • by ClarkMills ( 515300 ) on Friday January 05, 2018 @02:13AM (#55867293)

    I'm sure it's been sorted but this comes to mind:

    Reports Say U.S. Drone was Hijacked by Iran Through GPS Spoofing [securityweek.com].

    (The nabbing of a drone by spoofed GPS signals)

    • How would that work (Score:5, Interesting)

      by SuperKendall ( 25149 ) on Friday January 05, 2018 @02:20AM (#55867309)

      In order to spoof GPS for a rocket you'd have to have a system that had multiple nodes at various altitudes along the exact flight path in order to have a strong enough signal to overpower the real satellites... it seems extremely unlikely that something going as fast as a rocket could be spoofed, unlike a drone which is usually sent to basically hover over an area.

      • You only really need to spoof it long enough for the rocket to make a correction which endangers the mission, or long enough for the rocket to think its seriously off course and triggers the destruct. You don't need to spoof the entire path.

        • by K. S. Kyosuke ( 729550 ) on Friday January 05, 2018 @04:29AM (#55867615)
          The rocket wouldn't make any correction (of its flight path, I presume?) since it most likely integrates GPS and INS data. (No launch vehicle I'm aware of flies purely on GPS data, and I picture that the flight path integrator only integrates GPS data into INS data until GPS goes wildly astray with no confirmation from accelerometers that the rocket is actually going wildly astray, too, so spoofing the GNC system could be rather difficult.)
        • by torkus ( 1133985 )

          But then all you've done is destroyed the rocket on it's normal path which is still planned for relative safety.

          Yes, it would potentially allow someone to blow up these particular rockets. Once.

          Avoiding innovation because someone, somewhere, somehow could maaaaaybe use it to break something is ridiculous.

          • Destroying one rocket one time can still cripple a competitor business (many satellites aren't insured), or can set back a military project (spy satellites etc).

      • No, you can broadcast all the signals from a single source on the ground. GPS antennas aren't very directional; GPS measures range from signal timing only. The only requirements are that you are strong enough to override the real signal. You adjust the timing of the fake signals to spoof out the location you want the target to believe it's at.
        The GPS antenna is probably on the top side, with low gain towards the earth (if they are smart). A cubesat might be able to generate the spoofing signal, althou
      • You really only need to spoof GPS for a brief moment in time; long enough for the guidance to come to the conclusion that it's out of the scheduled flight-path. Then... Goodbye cruel world. I'm not suggesting that the rocket would be hijacked in this case; rather sabotaged.

        Again, I'm sure there are work-arounds for this sort of "prank" by now.

  • by supernova87a ( 532540 ) <kepler1@@@hotmail...com> on Friday January 05, 2018 @02:42AM (#55867355)
    I quote for Slashdot posterity a long and informative piece of relevant information from many years ago, because I fear it's disappearing from the web:


    Reliability of Shuttle Destruct System [LONG]
    "MARTIN J. MOORE" [mooremj@eglin-vax]
    28 Jan 86 14:06:00 CDT
    Copyright © 1986 Martin J. Moore
    [COMMENT: READERS -- PLEASE OBSERVE THE RESTRICTIONS ON THIS MESSAGE AT THE END OF THE MESSAGE. PGN]

    > From: Peter G. Neumann [Neumann@SRI-CSL.ARPA]
    > For those of you who haven't heard, the Challenger blew up this morning...
    > One unvoiced concern from the RISKS point of view is the presence on each
    > shuttle of a semi-automatic self-destruct mechanism. Hopefully that
    > mechanism cannot be accidentally triggered.
    [COMMENT: I did not intend to imply that as the cause -- only to raise concern about the safety of such mechanisms. PGN]

    Peter, I assume that you are talking about the Range Safety Command Destruct System, which is used to destroy errant missiles launched from Cape Canaveral. From 1980 to 1983 I was the lead programmer/analyst on the ground portions of that system, and I am the primary author of the software which translates the closing of destruct switches into the RF destruct signals sent to the vehicle. I think I can address the question of whether the system can be accidentally triggered; worrying about that gave me nightmares off and on for months while I was on the project. I'd like to tell you a little about the system and why I think the answer is No. Note that my information is now three years old, and some details may have changed; there may also be minor errors in detail due to lapses in my memory, which isn't as good as my computer's!

    On board the vehicle, there are five destruct receivers: one on the external tank (ET) and two on each of the solid rocket boosters (SRBs). There is no receiver or destruct ordnance on the Orbiter; it is effectively just an airplane. The casing of each SRB is mined with HMX, a high explosive; the ET contains a small pyrotechnic device which causes its load of liquid hydrogen and liquid oxygen to combine and combust. The receivers and explosives are connected such that the receipt of four proper ARM sequences followed by a proper FIRE sequence by any of the receivers will explode the ordnance.

    The ARM sequence and FIRE sequence must come from the ground; they cannot be generated aboard the vehicle. These sequences are transmitted on a frequency which is reserved, at all times, for this purpose and this purpose alone. There are several transmitters around the Eastern Test Range which can be used to transmit the codes. These transmitters have a power of 10 kw (continuous wave). The ARM and FIRE sequences consist of thirteen tone pairs (different for each command and changed for each launch). There are eight possible tones, resulting in 28 possible tone pairs; thus, there are (28^13) or slightly over 6.5E18 correct sequences.

    The Range Safety Officer has two switches labeled "ARM" and "DESTRUCT". When he throws a switch, it generates an interrupt in the central processor (there are actually two central processors running and receiving all inputs, but only one is on-line at any time; in case of software or hardware error the backup is switched in. And yes, they have different power sources.) The central program checks for the correct code on each of two different hardware lines (the correct code is different for each line); if correct, and all criteria are met to allow the sequence to be sent, the central program requests the tone pairs for that sequence from another processor. That processor (like everything else in the system, actually redundant processors) has only one function: to store and deliver those tone pairs. The processor resides in a special vault and can only be accessed in order to program the tone pairs (which are highly classified) before each launch. The data line between the central processor and the storage processor is
    • by Anonymous Coward

      What part of "not for reproduction or retransmittal without the express permission of the author" did you not understand?

    • the External Tank contains a small pyrotechnic device which causes its load of liquid hydrogen and liquid oxygen to combine and combust.

      I have often wondered -- and this makes me wonder once again -- how did the Challenger's H2 and O2 become an explosive mixture? Inside the External Tank were actually a LOX tank (above) and a separate LH2 tank (below).

      The cause of the disaster was explained as a faulty O-ring that allowed a jet of hot gas to escape out the side of one of the solid rocket boosters, impinging on the External Tank. Fine, but that could cause a breach of the O2 tank or the H2 tank -- not both.

      And even if both were breached, w

      • [quote] how did the Challenger's H2 and O2 become an explosive mixture? [A jet of hot gas] could cause a breach of the O2 tank or the H2 tank -- not both.[/quote]

        The mixture was caused by kinectic force. When the H2 tank breached the rupture rocketed it into the O2 tank.

  • by mentil ( 1748130 ) on Friday January 05, 2018 @03:27AM (#55867441)

    I swear I heard ~15 years ago that (at least some) NASA rockets utilized a gyroscope to automatically detonate during launch if they started pointing below the horizon.

    • by torkus ( 1133985 )

      Even so, that's an extremely simplistic backup for a single failure mode which may not occur until well after a rocket has deviated from it's flightpath.

  • by hackertourist ( 2202674 ) on Friday January 05, 2018 @04:21AM (#55867601)

    NASA and the Air Force (which provides the range safety systems) have been working on the autonomous flight safety system [nasa.gov] for at least a decade. SpaceX is just the first customer to use it.

  • by Smidge204 ( 605297 ) on Friday January 05, 2018 @05:03AM (#55867681) Journal

    ...that all rocket explosions are automatic. They're rarely intended or desired but they still qualify as "automatic."

    =Smidge=

    • by torkus ( 1133985 )

      Depends which rockets you mean. The ones with explosive ordinance in them usually go kaboom. Otherwise someone might be sad to not have their earth shattering kaboom!

    • Uh, no. "Automatic" implies a pre-planned action. Unintended and undesirable rocket explosions are "accidents".

      • Two ways to argue this;

        1) Nothing about automatic implies preplanning; "Done or occurring spontaneously, without conscious thought or attention"

        2) Explosions are absolutely pre-planned in rocket design, though the intent is to keep the explosions contained within the engine. :-)

        =Smidge=

  • I was under the impression that Ariane 5 did automatically self-destruct in 1996.

    • by keneng ( 1211114 )

      Yes, the Ariane 5 did self-destruct as instructed in the software which was running on redundant hardware. Because ultimately, it was the software that made the decision to self-destruct. No human in the loop and BANG. It leaves no room for corrective course of action from any human experts.
      http://www.nytimes.com/1996/12... [nytimes.com]
      "When the guidance system shut down, it passed control to an identical, redundant unit, which was there to provide backup in case of just such a failure. But the second unit had failed

      • by torkus ( 1133985 )

        Paranoid much? How about a rogue range officer. How about rogue software reporting incorrect flight data? How about someone having a Bad Day? How about someone being negligent in their job and not paying enough attention? What if someone blocks/jams the signal?

        Bottom line: any practice has potential avenues of failure. Computers can react faster and with more precision than a human plus this puts the decision look within the spacecraft eliminating the need for a groundside communications loop.

        Oh, and

    • Well, yeah, after it started to come apart in mid-air. See this analysis [leshatton.org] for details.

  • "Launches from Florida into orbits traveling from pole to pole generally sent rockets too close to populated areas for the Air Force's liking. The new rules allow them to thread a safe path southward, past Miami and over Cuba."

    Actually, according to my research, Miami and Cuba are in fact populated areas.

    • by Zocalo ( 252965 )
      Given the geography, "past Miami" probably means over the Glades, which is almost certainly below the maximum population density requirement, but Cuba did raise my eyebrows too. I think the clue is actually in the bit that says "thread a safe path southward", which implies a rather narrow launch corridor. Keep in mind that by the time the rocket even gets from the Cape to Miami it's travelling pretty quickly, so if there is a problem with the trajectory it could easily be outside the permitted corridor be
    • I suppose you can fly over Cuba without being too close. If you were 100km away straight up?

    • "Launches from Florida into orbits traveling from pole to pole generally sent rockets too close to populated areas for the Air Force's liking. The new rules allow them to thread a safe path southward, past Miami and over Cuba."

      Actually, according to my research, Miami and Cuba are in fact populated areas.

      Yes, I think that's the point. The previous system (a person tracking the rocket and pressing the destruct button if necessary) was not fast enough to let them launch rockets over heavily-populated areas. The new system can react more quickly, so it can fly over heavily-populated areas with considerably less danger to the people on the ground.

  • Least impressively, it will take a cheap human out of the decision loop, making it more likely that the wrong decision will be made by some possibly buggy software, like, say the $400 million Ariane blowup of yore.

Old mail has arrived.

Working...