
SpaceX update: The engine did not explode - trafficlight
http://www.spacex.com/press.php?page=20121008
======
lutusp
> SpaceX update: The engine did not explode

No, it just became a "Falcon 8" while en route.

All joking aside, as a former NASA Space Shuttle engineer I'm very impressed
by this private-enterprise venture into heavy-lift launch services. People
have often speculated about how much cheaper launch services might be if they
were in the private sector -- now we can find out. The preliminary signs are
very good.

~~~
majormajor
That reminds me of a euphemism that I found delightful that I heard once while
working for a space company... "achieving submerged geostationary orbit," I
think it was.

~~~
eridius
I assume this means "crashed into the ocean"?

~~~
majormajor
Yep.

I feel like there was another word in the phrase as used by the engineer I
heard it from, but I can't for the life of me remember what it was.

~~~
jcheng
"Involuntary"? :)

------
btilly
I was curious about how reliable we should predict a Falcon 9 launch to be
based on the stated design parameters (survives the loss of any 2 engines) and
current launch data.

I found that under a simple Bayesian model, the estimated probability of
catastrophic failure during the next launch is 3.6%. See
<http://bentilly.blogspot.com/2012/10/how-reliable-will-falcon-9-be.html> for details.

 _Update:_ I made a careless calculation error. Change 3.6% to 2%. Oops.

~~~
wamatt
Good stuff OP, nice to see Bayesian getting more attention recently. However,
after reading your blog post, I can't help but get the feeling this is how a
natural frequentist would approach the problem. This method is effectively
relying on known, statistical record of past events to form the priors.

Often a more useful and appropriate construct in the Bayesian world, is the
use of a belief network or _Bayesian Network_. This is a probabilistic
directed acyclic graph (DAG) that encodes priors, often in the form of
_subjective_ beliefs (yes subjectivity can be useful), including specific
domain knowledge.

Common example: Consider a naive Bayesian classifier (a specialized form of
belief network) that identifies individual pieces of spam. Do we arrive at the
spam score by entering the probability of past events into a simple model
based off the Bayes theorem formula?

No, it's trained using the vast amount of domain knowledge and pattern
recognition (through our experience and own estimation of what 'spam' is)
encoded in our minds, that provide the priors. Thus, even though there is a
large amount of subjectivity involved, the overall result can objectively be
measured, within a given utility function. Incidentally, this is often what
makes many hardcore empiricists 'nervous', and hence avoid belief networks
altogether.

Coming back to the Falcon 9: A piece of prior information outside the scope of
historic safety records, for example, one of the lead engineers having a
nagging doubt about a particular technical risk based on some observed
phenomenon, could have an impact on the real world probability of the next
event being a failure. (Which is a pretty useful thing to know!)

In fact, this exact scenario happened in 2003 with the disastrous destruction
of the Space Shuttle Columbia. [1] An engineer spotted something wrong on
previous flights, but management failed to heed the warning[2]. This could
quite possibly have been averted, if a risk mitigation model were in place to
account for such evidence.

Looking forward, it's quite possible to imagine a future where this decision
making has been outsourced to a sophisticated AI based off a Bayes net, with
far more accurate real world modeling of risk and failure probabilities,
outclassing the amount of evidence and a human or committee could possibly
hope to compete with.

While I've nothing against frequentist approaches (albeit Bayesian naturally
makes more intuitive sense to me), a minor drawback is the reliance on the
past to predict the future. For example if you had safety records on 1 million
previous flights, then one might be tempted to say, "well that's that then, we
now know objectively the probability of failures in the future -- end of
story". But, the 1 000 001 flight may have been designed to fly on a
completely different type of technology, that will significantly change
the safety record of space flight going forward for the next "x" years. Thus
using a Bayesian approach to account for all relevant priors, it would in theory
be possible to reflect a more accurate probability for the 1 000 001 flight,
_before_ it took place.

Lastly Bayes nets are not the best tool for every job, and do have drawbacks
in certain situations. They are vulnerable to things like Bayesian poisoning
or confirmation bias. A Bayesian approach is only as useful as the ongoing
real world relevancy and accuracy of the priors. As the old adage goes, GIGO -
garbage in, garbage out.

[1] <http://en.wikipedia.org/wiki/Space_Shuttle_Columbia_disaster>

[2] <http://www.guardian.co.uk/science/2003/jun/22/spaceexploration.columbia>

~~~
loup-vaillant
> _for example, one of the lead engineers having a nagging doubt about a
> particular technical risk based on some observed phenomenon, could have an
> impact on the real world probability of the next event being a failure.
> (Which is a pretty useful thing to know!)_

You should know that there's no such thing as "real world probability". The
rocket will crash, or it will not, period.[1] Probability, as a measure of
your own ignorance, is subjective.[2] Your main point still stands though:
knowing about the uncertainty of that lead engineer certainly should influence
your assessments of the risks involved.

[1] What will actually happen is, the universe splits into many "worlds"
(blobs of amplitude in configuration space), a fraction of which will have the
rocket crash, and the rest won't. That's the closest thing we have to "real
world probability", though it really isn't: the laws of physics as we
currently know them are still deterministic.

[2] <http://lesswrong.com/lw/oj/probability_is_in_the_mind/>

~~~
wamatt
_> "The rocket will crash, or it will not, period."_

Indeed. We pretty much agree then. If you re-read the "real world probability"
in the context, I was talking specifically about a _belief_ network. The
degree to which a justified belief, in an outcome will occur. All beliefs are
by their definitions _'subjective'_ and occurring in a mind.

Actually my current thinking over the last decade mostly aligns with what
could be described as physicalist view of the reality, so even 'subjective'
thoughts, ideas, concepts etc exist objectively in a physical sense as well
(glia cells, neurons etc). (but that's a whole other topic ;)

I simply worded it 'real world' because I was attempting (perhaps ineloquently
I will concede), to differentiate between frequentist and the Bayesian
understanding of the term probability, because they differ [1].

Bayesian favors bringing in a priori beliefs into the model whereas a
posteriori consideration of a problem, as occurs in frequentist approaches,
favor isolation of the model.

 _> What will actually happen is, the universe splits into many "worlds"_

Interesting, you state that so.. assertively :p I'd give the chance of a _many
worlds interpretation_ corresponding well with our physical reality, a low
probability event, with a pretty high credibility interval ;)

[1] <http://www.experiment-resources.com/bayesian-probability.html>

~~~
loup-vaillant
> _Interesting, you state that so.. assertively :p_

Well, you probably guessed where I came from:
<http://lesswrong.com/lw/r5/the_quantum_physics_sequence/>

I think most physicists agree that at the bottom, we have a distribution of
"complex amplitude"[1] over a "configuration space"[2]. But as you can see
from my second link, many (most?) physicists insist that we can derive a
"probability" from a complex number. Note that such probability would then be
an actual real world probability, where the universe itself is uncertain about
what to do. True non-determinism.

It's only natural. At the experimental level, the researcher does observe Born
statistics. Same setup, different results, so there _is_ probability in the
territory after all.

There's a problem with that however: The equations, which make such
wonderfully accurate predictions, (i) are deterministic, and (ii) do not state
at any point that the blob of amplitude we don't see disappears in a puff of
smoke. They merely say that the blobs eventually stop interacting. The same
way that if you launch a photon to outer space, never to meet it again, it
won't disappear the instant it reaches the boundary of our observable
universe. If you insist on a mono world, you have to assert that the other
blob, despite being predicted by those otherwise accurate equations, somehow
doesn't exist when you don't see it.

One way to do it is to believe that, _contrary to what the equations say_ ,
the blob you don't see does disappear in a puff of smoke. Its amplitudes are
literally zeroed out behind your back. In hindsight, this one looks nuts to
me. I mean, how can we justify distrusting accurate equations in a way that
doesn't even make experimental predictions?

Another way is to call the square moduli of those amplitude "probabilities",
and pretend that because it's probabilities, the blob you are not in isn't
real. But the equations do not make any difference between the two blobs. Then
how come the other blob is less real than our own?

To me, those two explanations really feel bizarre. You have to start from a
mono world assumption to come up with that. An easy mistake to make, since
personal experience is telling us all the time that there is only one world. A
bit like a leaf in a binary tree: its ancestors form a line, not a tree. But
Kolmogorov complexity says a literal interpretation of the equations (which
means many world) is simpler than anything else we currently know about. So to
hell with personal experience (which by the way is responsible for much worse
whackery than mono world).

Now there _is_ a way out: we can admit that _current_ physics imply many
worlds, but insist that _real_ physics probably don't. Current physics are not
complete after all. We may have big surprises. This argument is certainly
much saner than the Copenhagen interpretation. So much that it does lower my
probability for many worlds somewhat. Just not enough to squash my confidence.
:-)

[1]: <https://en.wikipedia.org/wiki/Probability_amplitude>

[2]: <https://en.wikipedia.org/wiki/Configuration_space>

------
ghostfish
>"Panels designed to relieve pressure within the engine bay were ejected to
protect the stage and other engines."

Can anyone that knows something about the Falcon 9 design or rockets in
general shed some light on this? That sentence makes it sound like the panels
were purposefully jettisoned, which doesn't make sense to me. What do those
panels do, what do they look like, and where are they?

~~~
stephengillie
Purposefully jettisoning panels is a way of preventing an explosion from
damaging the rest of the ship. The rocket creates energy in a direction, but
what if something prevents the energy from going in that direction? The
energy, in the form of expanding gasses, has to go somewhere. If these panels
didn't break away to give the energy somewhere to go, it could have forced
into another rocket or into the ship's body, causing a much bigger problem.

~~~
luke_s
When they say "Jettisoned", it makes it sound like one of the flight computers
decided to drop the panels. Wouldn't it more be the case that the panels are
deliberately designed to be blown off? I have a hard time believing that any
control system could react in time in case of an engine explosion...

~~~
stephengillie
The panels may have been designed to jettison once they reached a certain
pressure differential, or they may be jettisoned by computer.

How quickly do engines explode? Is it faster than 2 cars colliding? Computers
deploy air bags quickly because electricity travels faster along wires in your
car chassis than the car travels into something else.

Visualize a bumper with sensors - as the bumper is deformed by a collision, a
sensor shifts an electron in the copper wire, and the electron next to it
shifts. There's a cascade of shifting electrons along the wire, and it races
backwards through the car's body, chased by the destruction of the car as it
collides with another object. The cascade of electrons hits the air bag
computer, which begins another cascade of electrons to the air bag. The wave
of destruction has covered most of the distance to your windshield by now. The
air bag deploys as molecules of air rush from their high-pressure canister to
fill it. As the bag hits its most pressurized point, your car is coming to a
stop as its kinetic energy is combined with energy from the other object.

~~~
schiffern
Beautiful. A small correction – most airbags use pyrotechnic inflators, not
compressed air.

Sidenote about airbags: they have to be folded to fit inside their module, so
as it inflates it's also unfolding. In order to make sure it unfolds properly
they coat it in a lubricant that can't evaporate – either talcum powder or
cornstarch depending on the vehicle.

I learned this only _after_ I scrambled out of the car my sister put in a
ditch thinking it was on fire. The best part? It was a diesel car.

Who knows, maybe the engineers consider it a feature because after an accident
it sure gets people out of the car quick!

------
eupharis
"Falcon 9 did exactly what it was designed to do. Like the Saturn V (which
experienced engine loss on two flights) and modern airliners, Falcon 9 is
designed to handle an engine out situation and still complete its mission. No
other rocket currently flying has this ability."

Chills down my spine as I read this. I try to write eloquently, but sometimes
the fact should stand alone: "No other rocket currently flying has this
ability."

~~~
rplnt
This reminds me of a major feature Chrome had when launched - to withstand a
crash of any of the opened tabs. I thought it's a funny feature to have...
other browsers just preferred not to crash in the first place. Then I tried
Chrome and realized it was a great feature for them, because Chrome kept
crashing all the time (back then).

What I wanted to say by this is that while it's a great thing for Falcon 9 to
have fail-over in its maiden flights (as we could see yesterday), I wouldn't
worry too much about "other rockets" not having this. Soyuz rockets are a
great example (100% success rate for manned flights to ISS and over 97%
success rate for all Soyuz rockets (that's since 1966)[1]).

1\. my numbers are only from wiki:
<http://en.wikipedia.org/wiki/R-7_(rocket_family)> and
<http://en.wikipedia.org/wiki/List_of_Russian_manned_space_missions>

------
SoftwareMaven
I saw the engine flame out and the panels come apart during the launch. I
expected _some_ comment on the launch radio because it was obviously not SOP
(engines shouldn't go out with debris), yet, due to good design, the entire
launch remained nominal.

I am now getting hopeful that I'll be able to experience zero-G before I die.
SpaceX team, you are my heroes. Keep up the great work!

~~~
rst
The main mission (Dragon/ISS) wasn't affected, but a secondary payload (an
ORBComm test satellite) was left in the Dragon's insertion orbit, and didn't
get the scheduled secondary boost --- apparently because, after the delayed
orbital insertion, the reboost would have gone too close to ISS, according to
an ORBComm press release:

www.orbcomm.com/Collateral/Documents/English-US/ORBCOMM%20Launches%20Prototype%20OG2%20Satellite%20FINAL.pdf

------
jakkals
Am I the only one who got confused by the first sentence? "The Dragon
spacecraft is on its way to the International Space Station this morning and
is performing nominally...".

Is everything fine now, or is it not? "Nominally" in this sense to me means
that something is amiss, but reading the rest of the article seems to imply
that everything is on track.

~~~
frabcus
It seems to have a special space meaning:

"Aerospace & Engineering. According to plan or design: a nominal flight
check."

<http://www.thefreedictionary.com/nominally>

~~~
russell
Having listened to 5 decades of rocket launches, I would say that nominal
means that it is working within mission parameters. There may be glitches, but
it is going to work, i.e. the payload is going into orbit. The engine failure
wasn't planned, but there was enough redundancy in the system for it to
succeed.

------
molecule
following the Engine-1 failure, did Falcon 9 continue w/ six engines
operating, or was one of the two previously shutdown engines re-engaged?

~~~
HodCarrier
The engine failed prior to MECO-1 (where the first two scheduled shutdowns
occur) so there were still 8 lit engines. There's no capability to restart the
engines that have been shut down.

------
VSerge
It's amazing that this could have worked as a Dragon 7. One engine failed and
they still could have made it with one other engine malfunctioning. Bearing in
mind the cost of the launches for SpaceX are forecasted to be significantly
lower than old shuttles, this is all the more impressive. There was a mishap
though, since the Orbcomm satellite wasn't nearly put on the right orbit. I
have no idea whether the onboard propulsion of the satellite will be enough to
get into the desired orbit, but if they do manage it, it will be a testament
to the quality and interest of fault-tolerant space operations.

------
bravesirrobin
I have to admit that I'm impressed at how well the system they built
compensated for the mechanical failure. It looks like they have some good
people building things.

One aspect that's worth consideration is the private/corporate aspects of
spaceflight. When there were failures in Apollo and the shuttle, the public
had a right to know everything that happened since we'd paid for everything.
SpaceX has been super cool about disclosure here, but how long can we count on
that? At some point, there's too much money at stake for them to maintain full
transparency.

~~~
wprice
What's more important than disclosure to the public after something has gone
wrong, is disclosure to the customers (e.g. NASA) and future astronauts ahead
of time if something has been identified as a potential problem before launch.
The Space Shuttle Challenger disaster occurred because managers failed to
acknowledge the warnings of engineers, who recommended postponing the launch
due to cold weather which could prevent some O-rings from functioning
properly. Having the ability to acknowledge and correct problems ahead of
time, even if it means a launch delay and potentially some lost profits, will
ultimately pave the path for a sustainable private space industry.

But I think that SpaceX understands that NASA is funded by the public and it
will be easier to get the support of NASA if they have the support of the
public. I would suspect that for this reason they will continue a decent
amount of public disclosure.

------
confluence
I saw the launch live and I saw the debris ejecting about 90 seconds in. What
I found particularly amazing was that SpaceX either didn't know it, didn't
want to confirm it or just realised that their design worked because all I
heard after that was my favourite aerospace term "Situation nominal".

~~~
maaku
Simple efficiency of communication. The guy saying “situation nominal” was the
one looking at the engine data.

------
dhughes
I bet the ISS crew yelled the ice cream noo!

------
knodi
I am speechless in amazement. So badass!!

------
rorrr
If anything, this shows the fault tolerant design that works.

~~~
biot
It's essentially a RAID6 design for rocket engines.

~~~
tomasquintero
RAID5, they can only sustain one failure.

~~~
biot
Incorrect. From the fine article (SpaceX's release):

    
    
      "It is worth noting that Falcon 9 shuts down two of its engines
       to limit acceleration to 5 g's even on a fully nominal flight.
       The rocket could therefore have lost another engine and still
       completed its mission."

