Will Starship Landings Ever Be Safe Enough? -- Part 1: Engine Reliability

SpaceX's Starship promises to revolutionize spaceflight, but its planned future missions and capabilities have drawn a lot of skepticism. Much of the skepticism surrounds Starship's goal of launching large numbers of people to space -- without any launch escape system, and landing them back on Earth or on Mars using not wings, not parachutes, but rocket propulsion.


SN8 landing attempt. Source: SpaceX


Anecdotally, it seems that the most common criticism is "Starship will never be say enough for large scale human transport", and the most commonly touted risk factor is the reliance on rocket engines for landing. If you have an engine failure, it is said, you will crash into the ground with no chance of survivability, and rocket engines have never been close to reliable enough for depending on them for routine transport without some kind of backup system for safely recovering the passengers in the event of a failure.

Those familiar with the Starship system will know that SpaceX plans to solve the engine reliability problem primarily by using redundancy. I.e. they only need one or two engines to land, depending on how heavily laden Starship is, but they have more than that many available, such that they can tolerate some degree of engine failure.

Critics are usually not convinced by this and tend to be incredulous that such a system relying solely on large pump-fed liquid-fueled engines with their complex startup process could ever be safe enough, regardless of redundancy.

I've long thought that while getting Starship safe enough for airliner-like usability is a hard problem, it's technically feasible, and engine reliability is not one of the hardest subproblems. The primary reason is that redundancy is a spectacularly effective force multiplier when it comes to risk mitigation.

In this post I'll try to show how this can work for mitigating risk from engine failure during Starship landings. For the sake of limiting the scope of the analysis, I'll focus only on failure modes that impact a single engine.

There are less common failure modes like hard starts (explosions when an engine attempts to start up) or propellant feed line issues that can take out multiple engines. It is still possible to mitigate risk from those modes using redundancy at the component level, but that gets more complicated to reason about. (I may or may not cover those in a future post.)


Landing Profiles

Starship in its current configuration has three gimbaling sea level engines in the center and three vacuum optimized engines adjacent to the skirt. A single center Raptor has enough thrust and control authority to land a mostly empty Starship, while relying on two engines can enable a later flip with a higher rate of deceleration and dramatically reduce the propellant used fighting gravity. The third center engine provides redundancy. For double engine redundancy, there's the option of planning an earlier flip and counting on only one engine to light and burn nominally.

SN20. Source: Elon Musk tweet

However, a hypothetical future Starship with a fully loaded crew cabin with hundreds of passengers would have a high enough landed mass (in the neighborhood of 200 tons) that it would need at least two engines to land. Fortunately, the RVacs (vacuum optimized Raptor engines) can also operate at sea level, albeit with reduced efficiency and thrust, and the SL (sea level) engines have enough gimbal range (up to 15 degrees) that a single SL engine can more than cancel out the torque from an off-center Vacuum engine, especially with a top-heavy loaded Starship. In theory, double engine redundancy can be retained by using an RVac as a backup engine in a 1-SL + 1-RVac contingency profile.

Such a future Starship optimized for point-to-point transport would likely have more than the current complement of six engines in order to have enough TWR (thrust to weight ratio) to take off with a full propellant load without using a booster. This kind of single-stage use would reduce operational cost and complexity for suborbital trajectories, and Elon Musk has said it seems preferable for point-to-point transport. For orbital transport (e.g. for space tourism), the current configuration might be retained, though there has been talk of possibly adding more engines.

More engines would tend to increase possible contingency modes and allow further risk reduction in landing. Since configurations with more than six engines are hypothetical at this point, I've done this analysis for the current configuration. I expect that the results will be conservative relative to the Starship variant that may one day perform these kinds of high-passenger-count flights.

For this analysis I've broken up individual engine failure risk into two components:
a) risk of failure to light, and b) risk of failure to complete a nominal burn once lit. I've calculated aggregated landing risk due to individual engine failure as a function of those two risk components for a landing algorithm that includes a nominal profile and seven contingency profiles, each relying on two-engines, at least one of which is a sea level engine. For contingency profiles involving an RVac, only the one opposite the functioning sea level engine is lit. There are other possible contingency profiles that I've excluded from this analysis, such as ones using all three RVacs w/ differential thrust and no SL engines.

In the two-part flowchart below, you can see the profiles considered (profile 0 is a nominal landing, 1-7 are contingencies). For the sake of avoiding clutter in the chart, I've only shown the paths leading to a successful landing. At each step, I've included an expression representing the probability of arriving at that point.

In this chart, the variable a represents the probability that a given engine will light successfully during a landing attempt. For example, if there's a 1:200 chance of lighting failure, a would be 0.995.

The variable b represents the probability that a given engine will burn nominally for the desired profile once it is lit. A successful light and burn for a single engine would have the probability a times b -- a lower value (higher risk of failure) than both a and b individually.



Are these profiles realistic?

It's worth pointing out that for these probability calculations to be accurate, the assumed engine out capability must be available at every point in the landing profile.

If one or more engines goes out during the flip maneuver, there needs to be enough control authority to flip the ship. Ideally, the engine with the best lever arm would be available to execute this maneuver, but any of the sea-level engines could do it (especially with a high center of mass with a loaded cabin) given a bit more time. The trade off is simply to plan for an earlier and less aggressive flip using a little more propellant.

If engines fail to light or fail to burn and backups have to be relit, this will cause a momentary loss of thrust that will tend to cause the ground to arrive sooner than expected (before the ship slows all the way down). To mitigate this, it's valuable to plot a trajectory that leaves ample headroom in the throttle range of the engines. E.g. w/ a combined 460t of thrust from two Raptor 2 sea level engines (less from an SL + an RVac), it might be worth using closer to 300t of thrust for a nominal landing (~1.5g for a deceleration rate of ~0.5g) so that if there's a momentary loss of thrust, the trajectory can be quickly corrected by applying 100% thrust for a short period after the backup engine(s) is/are lit. Again, this buys safety at the cost of more landing propellant.

But what happens if the engine failure is close to the ground, and there's not enough time to correct? It turns out that Raptor engines can spool up fast enough (in fraction of a second) that in the worst case, you're hitting the ground or the catching arms of the tower slow enough that either landing legs or the tower arms can take up the slack.

To get an intuitive sense of this, consider that falling from a height of 1.23m (a little over 4 feet) and reaching an impact speed of 4.9m/s takes half a second. Raptor engines, as I understand, can light and spool up to full thrust in less time than that. It's true that if you are traveling at a certain speed, and especially if counting on higher than 1g of thrust, a momentary loss in thrust can lead to a greater gain in kinetic energy than a drop from standstill. However, the backup Raptor will start arresting the acceleration quickly enough that if your engine failure occurs early enough for you to hit peak thrust on the backup Raptor (which you can do with a failure as late as a fraction of a second before landing), you can pretty much expect to do better than freefall, especially if your landing profile involves reduction in rate of deceleration as you approach.

If the 4.9m/s of a half-second freefall was the impact speed (I'd expect it to be lower than that in actual contingency profiles), tower arms designed to minimize structural loads on the ship could give about that distance and only subject the ship to ~2g's. Landing legs with crush cores might do ~5g's and only give ~30cm (half a foot). Because the ship is unfueled, this would be a substantially lower load on most of the structure than it experiences during flight, and because it's momentary, it would only be felt by the passengers as a bumpy landing and would not be dangerous.

Aggregate Risk

The sum of the probabilities for profiles 0-7 yields the probability of a successful landing if all risk factors other than individual engine failure are excluded. 1 minus that value is the probability of failure. To get a "1 in n" figure, we simply divide 1 by the probability of failure to get n.

Below is a plot of engine lighting risk (1 in x) and nominal burn risk (1 in y) figures that lead to a target aggregate risk due to individual engine failure.



It turns out that with these contingency modes, bringing lighting failures down to 1:250 and burn failures down to 1:500 is sufficient to bring risk of landing failure due to soft (non-exploding) engine failure down to 1 in a million.

1:800 and 1:1500 respectively for lighting and burn is sufficient for 1 in 30 million expected failure rate. 1:2500 and 1:5000 is enough for 1 in a billion.

This function is approximately cubic, because it takes at least three engine failures to cause a system failure. This means that every 10x improvement in engine reliability leads to a 1000x improvement in system reliability (in this one area).


Path Forward

While not shown in the plot above, engine risk factors of 1:80 (relight) and in 1:150 (burn) (combined reliability of 98.1%) are sufficient to bring aggregate risk down to 1:30,000 -- a risk low enough to easily fit within the total risk budget of a NASA crew mission. The commercial crew program has a whole mission LOC (loss of crew) risk threshold of 1:270, and the Demo-2 mission had a calculated risk of 1:276.

With three engines lighting on each landing, the required engine reliability could be demonstrated with a high degree of confidence with a string of fewer than 100 nominal landings following fixes addressing engine failures on early flights.

Note that this does not take into account the fact that early crew flights will have a small enough complement that landed mass will be low enough for single engine landings, further reducing engine reliability requirements.

All this suggests that however hard other aspects of Starship may be to human-rate, the landing method is not likely to be a blocker to NASA astronauts landing on Earth with Starship this decade.

Orbital tourist flights with small complements require a similar degree of safety. Passenger counts are likely to increase over time as the system is refined and proven out. Eventual airliner-like reliability may or may not happen, but if it doesn't, the engines, at least as far as soft failures are concerned, are highly unlikely to be bottleneck.

I imagine that somewhere between a 1:100k and 1:1 million whole flight fatality risk would be low enough for most people to feel comfortable using Starship for point to point transport -- the most ambitious use case, in terms of required safety.

This would likely call for somewhere between a 1:3 million and 1:300 million risk due to soft engine failures on landing. On the low end, this calls for engine reliability comparable to the Merlin engine. On the high end, we're looking at less than an order of magnitude improvement in reliability.

Comments

Post a Comment

Popular posts from this blog

Gray Dragon on Falcon Heavy

I often bring up the idea that the role SLS & Orion perform in taking crew to lunar orbit could be performed by Falcon Heavy launching a modified lunar Dragon with a crew of four, and I'm often met with skepticism from certain quarters of spaceflight fandom. Recently I've gotten frustrated that instead of framing their objections in the form of "how would that work with consideration X", many of the skeptics come out of the gate with phrasings along the lines of "that wouldn't work because X", seemingly not even considering the possibility that I and others have already accounted for X, Y, Z, and a number of other factors before bringing this up. Tired of trying to convince people one at a time, I've decided to lay it out here. I won't hit all of the details I've considered, but hopefully enough to convince most people that this is actually feasible. To be clear, I think of this as an alternate history story or an idea for a secondary or
Read more

Crewed Lunar on Falcon 9

On the Prospect of Falcon 9 Doing SLS's Job... Recently I pointed out that Falcon 9 has flown more lunar missions than SLS, and that this is likely to remain true through the end of the decade, based on contracted and expected launches. Some rightfully pushed back on this being an apples and oranges comparison, since the Falcon 9 doesn't have nearly the capabilities of SLS, and the spacecraft it is sending towards the Moon are relatively small uncrewed ones. Now it hadn't been my intention to say they were the same or that the Falcon 9 could do SLS's job. I was just making a tongue-in-cheek jab at "Mega Moon Rocket" launching fewer lunar payloads for the foreseeable future than not-a-Moon-rocket, as well as reminding people that two-stage kerolox rockets like Falcon 9 can in fact competitively launch useful payloads towards the Moon, contrary to popular wisdom until not that long ago. On the other hand, I do like to remind people that Artemis-like missions ca
Read more

Neutron Alt History

In this post, I'm going to try to describe what I would have wanted to see RocketLab pursue instead of Neutron. It's important to preface this by saying that I don't have a strong objection to the Neutron architecture itself. I also think that RocketLab has a brilliant team of great executors. My concerns lie primarily with strategy: 1. I wish they had pursued the MLV market sooner; many outside observers, as well as other companies in the industry, have seen small launch as a stepping stone where there isn't very much opportunity to grow. RocketLab, on the other hand, resisted going into big rockets, and lost time (see time between Falcon 1 and 9 vs. between Electron and Neutron for a sense of the might-have-been). 2. I wish their stated goals for Neutron cost and pricing reflected the reality of SpaceX's very comfortable margins with Falcon 9, as well as the threat of a larger LV with aspirationally single digit million dollar marginal launch costs. RL is aiming t
Read more