Slashdot Mirror


SpaceX's Latest Advantage? Blowing Up Its Own Rocket, Automatically (qz.com)

SpaceX has reportedly worked with the Air Force to develop a GPS-equipped on-board computer, called the "Automatic Flight Safety System," that will safely and automatically detonate a Falcon 9 rocket in the sky if the launch threatens to go awry. Previously, an Air Force range-safety officer was required to be in place, ready to transmit a signal to detonate the rocket. Quartz reports: No other U.S. rocket has this capability yet, and it could open up new advantages for SpaceX: The U.S. Air Force is considering launches to polar orbits from Cape Canaveral, but the flight path is only viable if the rockets don't need to be tracked for range-safety reasons. That means SpaceX is the only company that could take advantage of the new corridor to space. Rockets at the Cape normally launch satellites eastward over the Atlantic into orbits roughly parallel to the equator. Launches from Florida into orbits traveling from pole to pole generally sent rockets too close to populated areas for the Air Force's liking. The new rules allow them to thread a safe path southward, past Miami and over Cuba.

SpaceX pushed for the new automated system for several reasons. One was efficacy: The on-board computer can react more quickly than human beings relying on radar data and radio transmissions to signal across miles of airspace, which gives the rocket more time to correct its course before blowing up in the event of an error. As important, the automated system means the company doesn't need to pay for the full use of the Air Force radar installations on launch day, which means SpaceX doesn't need to pay for some 160 U.S. Air Force staff to be on duty for their launches, saving the company and its customers money. Most impressively, the automated system will make it possible for SpaceX to fly multiple boosters at once in a single launch.

20 of 126 comments

  1. Please no spoofing of GPS... by ClarkMills · Score: 5, Insightful

    I'm sure it's been sorted but this comes to mind:

    Reports Say U.S. Drone was Hijacked by Iran Through GPS Spoofing.

    (The nabbing of a drone by spoofed GPS signals)

  2. How would that work by SuperKendall · Score: 4, Interesting

    In order to spoof GPS for a rocket you'd have to have a system that had multiple nodes at various altitudes along the exact flight path in order to have a strong enough signal to overpower the real satellites... it seems extremely unlikely that something going as fast as a rocket could be spoofed, unlike a drone which is usually sent to basically hover over an area.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:How would that work by Richard_at_work · Score: 2

      You only really need to spoof it long enough for the rocket to make a correction which endangers the mission, or long enough for the rocket to think it's seriously off course and trigger the destruct. You don't need to spoof the entire path.

    2. Re:How would that work by K. S. Kyosuke · Score: 3

      The rocket wouldn't make any correction (of its flight path, I presume?) since it most likely integrates GPS and INS data. (No launch vehicle I'm aware of flies purely on GPS data, and I picture that the flight path integrator only integrates GPS data into INS data until GPS goes wildly astray with no confirmation from accelerometers that the rocket is actually going wildly astray, too, so spoofing the GNC system could be rather difficult.)

      --
      Ezekiel 23:20
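
The GNSS/INS consistency check K. S. Kyosuke describes above, as an added example that is not part of the thread and not any vehicle's flight software. It is a one-dimensional toy: the INS dead-reckons from a constant accelerometer reading, each once-per-second GNSS fix is accepted only if it lies within a gate that grows with the INS drift budget since the last accepted fix, and a rejected fix leaves the INS alone. The drift rate, gate floor, acceleration and the three spoofing scenarios are constructed assumptions. It goes one step beyond the comment: besides showing that an abrupt spoofed jump is rejected, it shows that a slowly pulled GNSS track stays inside the gate and is accepted.

```python
"""Toy GNSS/INS consistency gate, one-dimensional along-track.

Added example, not from the thread or any flight computer. Assumptions:
constant-acceleration ascent, a noise-free INS that is charged a fixed
drift budget per second when unaided, and one GNSS fix per second.
"""
from dataclasses import dataclass

INS_DRIFT_RATE = 0.5   # metres of plausible INS drift per unaided second (assumed)
GATE_FLOOR = 5.0       # metres; assumed GNSS position noise, minimum gate width


@dataclass
class InsState:
    pos: float = 0.0           # along-track position, m
    vel: float = 0.0           # along-track velocity, m/s
    drift_budget: float = 0.0  # drift the INS may have accumulated since last accepted fix, m


def propagate(state: InsState, accel: float, dt: float) -> None:
    """Dead-reckon one step from the accelerometer reading."""
    state.pos += state.vel * dt + 0.5 * accel * dt * dt
    state.vel += accel * dt
    state.drift_budget += INS_DRIFT_RATE * dt


def gate_width(state: InsState) -> float:
    """How far a GNSS fix may disagree with the INS before it is rejected."""
    return GATE_FLOOR + state.drift_budget


def apply_fix(state: InsState, gnss_pos: float) -> bool:
    """Accept the fix (and correct the INS) only if it agrees with dead reckoning.

    Returns True when accepted, False when rejected. A rejected fix changes
    nothing: the vehicle keeps flying on inertial data.
    """
    innovation = gnss_pos - state.pos
    if abs(innovation) > gate_width(state):
        return False
    state.pos = gnss_pos       # full correction; a real filter would weight it
    state.drift_budget = 0.0
    return True


def fly(duration_s: int, spoof, accel: float = 20.0, dt: float = 0.1):
    """Simulate an ascent. spoof(k) is the metres added to the k-th 1 Hz fix.

    Returns (accepted_fixes, rejected_fixes, final INS position error in m).
    """
    state = InsState()
    truth_pos = truth_vel = 0.0
    steps_per_fix = round(1.0 / dt)
    accepted = rejected = 0
    for i in range(1, duration_s * steps_per_fix + 1):
        truth_pos += truth_vel * dt + 0.5 * accel * dt * dt
        truth_vel += accel * dt
        propagate(state, accel, dt)
        if i % steps_per_fix == 0:
            k = i // steps_per_fix
            if apply_fix(state, truth_pos + spoof(k)):
                accepted += 1
            else:
                rejected += 1
    return accepted, rejected, state.pos - truth_pos


# Constructed spoofing scenarios (offset in metres added to fix number k).
def honest(k: int) -> float:
    return 0.0


def jump(k: int) -> float:
    return 2000.0 if k >= 10 else 0.0   # abrupt 2 km spoof from T+10 s


def slow_pull(k: int) -> float:
    return 1.0 * k                      # offset grows by 1 m every second


if __name__ == "__main__":
    for name, scenario in [("honest", honest), ("jump", jump), ("slow pull", slow_pull)]:
        print(name, fly(60, scenario))
```

Running it prints an (accepted, rejected, final INS error) triple per scenario: the honest track is fully accepted with zero error, the 2 km jump is rejected for the rest of the flight while the INS error stays zero, and the 1 m/s slow pull passes every gate and walks the INS solution 60 m off truth by T+60 s. A gate like this is a necessary check but not a sufficient one, which is why a termination decision should not rest on the GNSS-corrected position alone.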
  3. "Reliability of Shuttle Destruct System" by supernova87a · Score: 5, Informative

    I quote for Slashdot posterity a long and informative piece of relevant information from many years ago, because I fear it's disappearing from the web:


    Reliability of Shuttle Destruct System [LONG]
    "MARTIN J. MOORE" [mooremj@eglin-vax]
    28 Jan 86 14:06:00 CDT
    Copyright © 1986 Martin J. Moore
    [COMMENT: READERS -- PLEASE OBSERVE THE RESTRICTIONS ON THIS MESSAGE AT THE END OF THE MESSAGE. PGN]

    > From: Peter G. Neumann [Neumann@SRI-CSL.ARPA]
    > For those of you who haven't heard, the Challenger blew up this morning...
    > One unvoiced concern from the RISKS point of view is the presence on each
    > shuttle of a semi-automatic self-destruct mechanism. Hopefully that
    > mechanism cannot be accidentally triggered.
    [COMMENT: I did not intend to imply that as the cause -- only to raise concern about the safety of such mechanisms. PGN]

    Peter, I assume that you are talking about the Range Safety Command Destruct System, which is used to destroy errant missiles launched from Cape Canaveral. From 1980 to 1983 I was the lead programmer/analyst on the ground portions of that system, and I am the primary author of the software which translates the closing of destruct switches into the RF destruct signals sent to the vehicle. I think I can address the question of whether the system can be accidentally triggered; worrying about that gave me nightmares off and on for months while I was on the project. I'd like to tell you a little about the system and why I think the answer is No. Note that my information is now three years old, and some details may have changed; there may also be minor errors in detail due to lapses in my memory, which isn't as good as my computer's!

    On board the vehicle, there are five destruct receivers: one on the external tank (ET) and two on each of the solid rocket boosters (SRBs). There is no receiver or destruct ordnance on the Orbiter; it is effectively just an airplane. The casing of each SRB is mined with HMX, a high explosive; the ET contains a small pyrotechnic device which causes its load of liquid hydrogen and liquid oxygen to combine and combust. The receivers and explosives are connected such that the receipt of four proper ARM sequences followed by a proper FIRE sequence by any of the receivers will explode the ordnance.

    The ARM sequence and FIRE sequence must come from the ground; they cannot be generated aboard the vehicle. These sequences are transmitted on a frequency which is reserved, at all times, for this purpose and this purpose alone. There are several transmitters around the Eastern Test Range which can be used to transmit the codes. These transmitters have a power of 10 kw (continuous wave). The ARM and FIRE sequences consist of thirteen tone pairs (different for each command and changed for each launch). There are eight possible tones, resulting in 28 possible tone pairs; thus, there are (28^13) or slightly over 6.5E18 correct sequences.

    The Range Safety Officer has two switches labeled "ARM" and "DESTRUCT". When he throws a switch, it generates an interrupt in the central processor (there are actually two central processors running and receiving all inputs, but only one is on-line at any time; in case of software or hardware error the backup is switched in. And yes, they have different power sources.) The central program checks for the correct code on each of two different hardware lines (the correct code is different for each line); if correct, and all criteria are met to allow the sequence to be sent, the central program requests the tone pairs for that sequence from another processor. That processor (like everything else in the system, actually redundant processors) has only one function: to store and deliver those tone pairs. The processor resides in a special vault and can only be accessed in order to program the tone pairs (which are highly classified) before each launch. The data line between the central processor and the storage processor is
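
A model of the tone-pair command coding Moore describes, as an added example that is not his code and not any real range-safety software. It encodes only what the post states: 8 tones give 28 distinct tone pairs, a sequence is 13 pairs, the ARM and DESTRUCT codes differ and are freshly chosen for each launch, and a receiver fires only after four proper ARM sequences followed by a proper FIRE sequence. The Python types, the handling of malformed or wrong sequences, and the attacker guess rate passed to brute_force_years are assumptions; the post gives no tone timing.

```python
"""Model of the Range Safety command-destruct coding described in the post.

Added example, not Martin Moore's code or real range-safety software.
"""
import itertools
import secrets
from typing import Sequence, Tuple

TONES = range(8)
TONE_PAIRS = tuple(itertools.combinations(TONES, 2))   # 28 distinct unordered pairs
SEQUENCE_LENGTH = 13
ARMS_REQUIRED = 4

TonePair = Tuple[int, int]
Code = Tuple[TonePair, ...]


def keyspace() -> int:
    """Number of possible 13-pair sequences: 28**13, slightly over 6.5e18."""
    return len(TONE_PAIRS) ** SEQUENCE_LENGTH


def generate_launch_codes(rng=secrets) -> Tuple[Code, Code]:
    """Fresh, distinct ARM and FIRE codes for one launch (rng needs .choice)."""
    arm = tuple(rng.choice(TONE_PAIRS) for _ in range(SEQUENCE_LENGTH))
    fire = arm
    while fire == arm:
        fire = tuple(rng.choice(TONE_PAIRS) for _ in range(SEQUENCE_LENGTH))
    return arm, fire


class DestructReceiver:
    """One of the vehicle's destruct receivers (assumed behaviour on bad input)."""

    def __init__(self, arm_code: Code, fire_code: Code) -> None:
        self._arm = arm_code
        self._fire = fire_code
        self.arms_received = 0
        self.fired = False

    def receive(self, sequence: Sequence[TonePair]) -> str:
        """Feed one received sequence; returns what the receiver did with it."""
        seq = tuple(sequence)
        if len(seq) != SEQUENCE_LENGTH or any(p not in TONE_PAIRS for p in seq):
            return "malformed"
        if seq == self._arm:
            self.arms_received += 1
            return "arm"
        if seq == self._fire:
            if self.arms_received >= ARMS_REQUIRED:
                self.fired = True
                return "fire"
            return "fire-ignored"        # FIRE before four ARMs does nothing
        return "reject"                  # wrong code: no state change at all


def brute_force_years(sequences_per_second: float) -> float:
    """Expected time to guess one specific code (half the keyspace on average).

    The attacker rate is an assumption; the post gives no tone timing.
    """
    seconds = keyspace() / 2 / sequences_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    arm, fire = generate_launch_codes()
    rx = DestructReceiver(arm, fire)
    print(rx.receive(fire))              # fire-ignored: not yet armed
    for _ in range(ARMS_REQUIRED):
        rx.receive(arm)
    print(rx.receive(fire), rx.fired)    # fire True
    print(f"{keyspace():.3e} codes; ~{brute_force_years(10):.1e} years at 10 guesses/s")
```

keyspace() reproduces the 28^13 figure from the post. In this model a wrong sequence changes no receiver state, so there is nothing an attacker could use to confirm one tone pair at a time; the only route is guessing whole 13-pair sequences, and at any plausible RF rate the expected time is many orders of magnitude beyond a launch window.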

    1. Re:"Reliability of Shuttle Destruct System" by SirGarlon · Score: 3, Informative

      Sometimes doing what you think is right requires knowingly doing what someone else thinks is wrong.

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  4. Re:There's another name for this by ScentCone · Score: 2

    Just a little reminder that there are plenty of missiles out there that are NOT nukes. And a lot of them aren't nearly as destructive as a Falcon Heavy going boom right over your house. Here's hoping they have a good flight.

    --
    Don't disappoint your bird dog. Go to the range.
  5. Re:There's another name for this by thegarbz · Score: 3, Insightful

    You only like it because you don't work in the reliability field. Having a human operator in charge is one of the least reliable ways of doing things.

  6. First Rocket? by mentil · Score: 2

    I swear I heard ~15 years ago that (at least some) NASA rockets utilized a gyroscope to automatically detonate during launch if they started pointing below the horizon.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  7. Re:Vandenberg AFB. by geekmux · Score: 2

    So they are going to try and close Vandenberg AFB and take a chunk out of California's economy?

    I kind of doubt SpaceX is keeping Vandenberg AFB off the chopping block, particularly given the fact that Vandenberg serves as a key coastal missile defense position. Hell, Trump's Twitter account is keeping Vandenberg alive more than SpaceX at this point.

    And a handful of SpaceX launches per year affects the California economy about as much as taking a piss in the Pacific ocean.

  8. Not exclusive to SpaceX by hackertourist · Score: 5, Informative

    NASA and the Air Force (which provides the range safety systems) have been working on the autonomous flight safety system for at least a decade. SpaceX is just the first customer to use it.

  9. I'm pretty sure... by Smidge204 · Score: 4, Funny

    ...that all rocket explosions are automatic. They're rarely intended or desired but they still qualify as "automatic."

    =Smidge=

  10. *Civilian* GPS by DrYak · Score: 3, Informative

    I don't know. GPS was never supposed to be used for anything like this.

    *Civilian* GPS was not supposed to be used like this and got limitations (speed, altitude *) to avoid being usable like this.

    The military had guiding missiles this way in mind from day one.

    ---

    *: normal GPS chips will refuse to give a precise answer above a certain speed (~500 m/s) and altitude (18 km).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  11. Re:Ariane 5 by keneng · Score: 2

    Yes, the Ariane 5 did self-destruct as instructed in the software which was running on redundant hardware. Because ultimately, it was the software that made the decision to self-destruct. No human in the loop and BANG. It leaves no room for corrective course of action from any human experts.
    http://www.nytimes.com/1996/12...
    "When the guidance system shut down, it passed control to an identical, redundant unit, which was there to provide backup in case of just such a failure. But the second unit had failed in the identical manner a few milliseconds before. It was running the same software."

    Back to SpaceX and their auto-self-destruct without any humans in the loop to save cash by giving the illusion that they don't have to employ military personnel to babysit spacex launches.
    The topic up for debate here is "human reaction time envelope" as the rationale for delegating all responsibility to correct/self-destruct to the hardware/software system.
    The other topic for debate is should any country trust a corporation to launch stuff into without any monitoring/intervention capability allocated into the budget? SpaceX is giving the sales pitch that they will be saving the company money and saving government tax dollars by asking the U.S. and other countries to trust them. Should we? Should we trust that SpaceX software/hardware engineers will have done a correct impact analysis on everything? Not to be bleak here, but engineers were also responsible for the impact analysis of nuclear power plants/offshore drilling stations which the world is still paying to clean up.

    Bottom Line: we need humans in the loop and government intervention in order to force the greatest of deliberation on matters that do not distinguish borders.

  12. Re:Ariane 5 by torkus · Score: 2

    Paranoid much? How about a rogue range officer. How about rogue software reporting incorrect flight data? How about someone having a Bad Day? How about someone being negligent in their job and not paying enough attention? What if someone blocks/jams the signal?

    Bottom line: any practice has potential avenues of failure. Computers can react faster and with more precision than a human, plus this puts the decision loop within the spacecraft, eliminating the need for a groundside communications loop.

    Oh, and you didn't RTFS. This is *also* to allow a polar launch which cannot be tracked and monitored by a RSO as there is no radar coverage for that flight path. So besides just saving some cash, it opens up an entirely new launch slot.

    --
    You can get rich if you own a politician, but you have to be rich to buy one in the first place.
  13. Re:There's another name for this by Ol Olsoc · Score: 2

    You only like it because you don't work in the reliability field. Having a human operator in charge is one of the least reliable ways of doing things.

    Then again, there are the famous Airbus incidents where software caused the plane to safely mow through a forest and crash because it knew that the pilot desperately trying to fly it was obviously wrong.

    Or the computer glitch that told another Airbus that it was somehow flying nose-up at 30 degrees at cruising speed, and immediately pitched it down at 30 because it then thought it was in level flight. Miraculously they eventually wrested control and managed to land - though safely is a bit strong of a word for that mess.

    There was another case where software was added to keep pilots from throttling back right after takeoff. Some did this to lower noise. There was an airstrike on the flight as the plane took off. The engines were running rough, the pilot called for reduced power, but the software insisted on full power for takeoff. Killed the engines and the plane had to land in a local field.

    The point is, I don't know that I'd take the position that the human is the least reliable ways of doing things, when the humans tried to do the correct thing, but the computers insisted on their way or the highway.

    I'd like to know how they determined that this is failsafe. The presumably unsafe range officers - do you have the numbers of flights that should have been destroyed that were not? The only one I know of was a Chinese launch that took out a nearby town, and I don't even know if that had a human in the loop or was a more reliable computer.

    TL;DR - Don't be in too big a hurry to declare superior safety. Hubris always attracts Karma

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  14. Re:Vandenberg AFB. by Waffle Iron · Score: 2

    I understand that nobody here reads the linked articles before they pontificate on topics, but it would really help if you could at least read the short summary at the top of the page.

  15. emergency self-destruct by Immerman · Score: 2

    No, we call it an emergency self-destruct system. A rocket is already a missile by nature, with its fuel being the warhead. If it were to malfunction and hit the ground with most of its fuel still on board it would make for a *really* bad day for anyone in the area. A high altitude airburst as soon as the situation becomes unrecoverable is by far the preferable alternative.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
  16. Re:There's another name for this by thegarbz · Score: 3, Insightful

    Then again, there are the famous Airbus incidents where software caused the plane to safely mow through a forest and crash because it knew that the pilot desperately trying to fly it was obviously wrong.

    Oh indeed. No computer is perfect, and no system created by people is perfect. In industry we look at the differences between random failures and systematic failures. Some >80% of failures of systems are systematic and the result of human error in design, operation or maintenance. The remainder can be easily quantified and is widely considered several orders of magnitude better in performance than humans.

    The point is, I don't know that I'd take the position that the human is the least reliable ways of doing things, when the humans tried to do the correct thing, but the computers insisted on their way or the highway.

    I'm reminded of the usual safety pep talks: No one goes to work with the intent to injure themselves (obviously not true, but true enough). If you consider humans doing the correct thing then they are actually quite reliable. However the key reliability problem is that humans startlingly often don't do the correct thing, often due to no fault of their own. The human brain is incredibly fallible.

    TL;DR - Don't be in too big a hurry to declare superior safety. Hubris always attracts Karma

    Safety systems were invented for a reason and humans are only ever considered the first line of defence before automatic systems take over. I often like getting asked why I don't perform reliability calculations on emergency stop pushbuttons on critical equipment. The answer typically stops the person asking the question dead in their tracks: "Without doing a calculation I can say the reliability of the pushbutton is approximately 3 orders of magnitude higher than the brain that is tasked with making the decision to push it."

  17. Re:There's another name for this by ColaMan · Score: 2

    Challenger's boosters are an excellent case for automated range safety.

    How long did they spin out of control for? Video suggests 15 to 20 seconds. Or about a hundred times longer than an automated range safety device would have let them, greatly increasing the debris field.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.