It’s old news at this point, but several weeks ago (October 11, 2018), the launch of Soyuz MS-10 suffered a failure of the second-stage booster, causing an automatic abort of the launch, and ejection of the crew capsule. Russian cosmonaut Alexey Ovchinin and US astronaut Nick Hague did NOT make it to their intended destination, the International Space Station, but instead were pulled clear of the rocket for a 37-mile ride back down to a (thankfully) safe landing.
The drama and successful outcome of this incident got a lot of well-deserved attention, but the reason I got so intrigued was the fact that the last time a Soyuz abort happened, it was September 26, 1983 – 35 years ago. On that occasion, mission Soyuz T-10-1 caught on fire while still on the pad. The abort system fired and pulled the crew away to safety two seconds before the rocket exploded. To date, this is the only successful manned pad abort.
There have been NINETY successful Soyuz launches between these two events. This is an impressive record, but what’s more impressive to me is that the Jettisonable Emergency Escape Head Section, aka the SAS (from the Russian abbreviation), or generally the Launch Escape System (LES), has been in place for every one of those launches, along for the ride… and then, the first time in 35 years it was needed, it worked, and saved two lives. You can see it in the photos of the rocket – it’s the small tower on the very top, fitted with small rocket motors of its own and designed to pull the crew capsule to safety.
Good engineers spend a lot of time thinking about “what if” scenarios, particularly when human lives are at stake. Most of us are familiar with advances in safety applied to automobiles, mostly because driving is a common experience, and the concept of having an airbag system we hope we’ll never need is still a selling point – we want those backup systems to be in place. The sheer volume of cars on the roads unfortunately means that safety systems in cars get a lot of exercise, in the aggregate.
Thankfully, aerospace fail-safe and recovery systems are called upon fairly rarely – but they are literally a matter of life and death. The Soyuz approach isn’t new or unique – US rocket systems have had a crew recovery system in place since the early days of the Mercury program. That spindly looking tower on top of the Saturn rockets? That’s the Launch Escape System, designed not only to pull the crew capsule away from the rocket, either in flight or on the pad, but to do it while deflecting the exhaust from its own rockets away from the crew. (The exception – Space Shuttle had no pad abort or during-launch crew escape system. A series of spring-loaded arms were added later in the program to provide crews the option to parachute away from an orbiter after it was already gliding, in the atmosphere, but unable to reach a suitable landing location).
Modern systems are designed with crew recovery in mind as well. SpaceX does it with an integrated set of thrusters in the Crew Dragon capsule (as opposed to using a tower atop the capsule), betting that the flexibility afforded by carrying your escape system with you at all times is worth the weight penalty. NASA’s Space Launch System (SLS) and Boeing’s Starliner designs use a traditional tower. All three have been subjected to testing for pad abort scenarios.
All these LES systems are the result of meaningful engineering risk management, and they are a hallmark of experience, and sometimes hard lessons learned, in a given field. Where human nature drives us to both:
a) underestimate the complexity of a subject outside our own experience, in other words believe that most things we know less about are simpler than they really are, and
b) give in to natural laziness and seek the easy, rather than the most reliable, solution to a given problem,
it actually takes a lot of dedicated energy and commitment to design, produce, test, improve, maintain, check, and double-check systems that may never be needed, but absolutely HAVE to work when called upon. I myself have worked on several such systems, and I must admit having a certain sense of pride when things went terribly wrong during a test, and one of my “what if” designs wound up activating and saving the day.
This is all well and good for aerospace engineering, but it’s overkill for other things, right? (See points a and b, above).
Well, when I wear my other hat (outdoors guy), it’s actually pretty much the same thing. Professionalism in the outdoors, derived from experience, mandates that good risk management be involved in any successful adventure. How experienced is your crew? How reliable is your gear? What’s the weather going to throw at you? What’s your communications plan? Do you have an extraction plan? What if?
If an accident happens, and someone gets hurt – do you have the equipment, and the know-how, to do something about it? Are your skills up to the task, to perform, when absolutely needed? Have you completed a pre-flight check on your hopefully never needed backup systems, lately?
No matter the technical domain or nature of the mission, professionals manage their risk. No matter what adventure you’re embarking on, you need to evaluate your readiness to deal with emergency scenarios, particularly if you have inexperienced folks joining you. In this sense, we can all learn something from the engineers on the Soyuz program, who deserve a healthy bit of congratulations for a job well done in bringing that crew safely home.
Get Out There
PS – A necessary footnote here: even though the failure of Soyuz was unlikely, its occurrence is highlighting another risk to maintaining the ISS. Ovchinin and Hague were supposed to augment the three crew currently aboard the ISS as part of Expedition 57: Alexander Gerst (Germany), Sergey Prokopyev (Russia), and Serena Auñón-Chancellor (USA). These three were scheduled to return to Earth on Dec 13, 2018, to be replaced by another three on Dec 20. This overlap in launch and recovery of crew keeps the station manned at all times. After the launch failure, the Russian space agency, Roscosmos, understandably wants to do some thorough testing before putting humans on top of another Soyuz (you don’t get 90 successful launches between failures without being careful and thorough), but Soyuz is currently our only way of sending people to the ISS. None of the in-development systems are ready to go. So, the crew on board the ISS will either stay a bit longer, or, in the more likely case, will return on the Soyuz capsule currently docked to the ISS in December, as planned. This will result in an unmanned ISS until we can get a new crew up there. It certainly won’t be completely unmonitored, but having it go uninhabited, with all its routine onboard maintenance activities neglected, will introduce a whole new set of risks to the crew that finally makes it there, and possibly impact the long-term continued operation of the ISS. So right now, the Soyuz system is, itself, a single point of failure in the context of getting people to and from the station.
4 thoughts on “Soyuz and Risk Management”
Well, I learned something. I didn’t realize the spindly thing on top of those rockets was the escape system. I guess I just figured it was there for aerodynamics or something.
I certainly learned more about it after this event. The “pull” systems were preferred in the early rocket designs because they’re more stable than trying to “push” a little conical capsule, but require that vertical space and angled rockets to avoid frying the crew. SpaceX design now uses a push, with computer-aided stabilization.
I really liked that Apollo-era photo you included of the launch escape system in action. That makes it a whole lot clearer how the thing works. Fingers crossed that SpaceX’s redesign will work just as well!