NASA Will Only Tolerate So Much Danger
An investigation into what really went wrong with Boeing's last space mission turned up serious issues.
A lot went right during a recent attempt to reach the International Space Station. A lot went wrong too.
The rocket launched just before sunrise on a cool, late December day, cutting a streak of gold across the sky in Florida’s Cape Canaveral. The capsule it carried, which was designed and built for NASA by Boeing, was smoothly delivered past the edge of space. If the test had gone off without a hitch, the next time this spacecraft flew, it would have had astronauts inside. The capsule was supposed to stay in space for a week and dock to the ISS. But two days later, the capsule was back on Earth with its parachutes strewed across the New Mexico desert. It was healthy and in one piece, but its cargo was undelivered, and its mission cut short.
Now, NASA says, the mission could have gone even worse.
An investigation of the bungled mission has revealed more problems than officials and engineers alike expected to find. The flaws stem not from hardware, but from the flight software coded by Boeing engineers. The capsule, known as Starliner, turned out to be more dangerous than anyone realized.
“We don’t know how many software errors we have,” Doug Loverro, NASA’s associate administrator for human exploration and operations, told reporters on Friday. “We don’t know if we have just two or we have many hundreds.”
The launch was an important test in NASA’s plan to launch its own astronauts from U.S. soil for the first time since the space shuttles stopped flying in 2011. While two American companies, Boeing and SpaceX, are developing new spacecraft, NASA astronauts have been hitching some very expensive rides alongside cosmonauts on Russia’s Soyuz system. Before these two companies can fly people, though, they must prove their chops during an uncrewed journey to the ISS. SpaceX flew a similar—and successful—mission last spring. (It suffered a significant setback a month later when its capsule exploded during testing on the ground, but it has since rebounded and a new one is expected to arrive in Cape Canaveral later this month.)
Timing is everything, especially in spaceflight, and that’s where Boeing’s Starliner first had trouble. Thanks to a software glitch, Starliner incorrectly set its internal clock hours before it launched, which meant that after it separated from the rocket and reached space, the capsule missed the moment it needed to fire some thrusters and push itself into the right orbit. In a cruel twist, mission control lost contact with Starliner just then because, it seems, of interference from radio noise on Earth, possibly from cellphone towers. By the time engineers could command Starliner again, the capsule, disoriented and idling, had used up too much fuel to finish its climb toward the ISS.
With no choice but to return Starliner home, Boeing engineers started combing through the software and found another issue. Before Starliner begins its final descent to Earth, it must shed a service module that helped nudge it toward the atmosphere. But the way the software sequence was set up, the thrusters on this module wouldn’t have fired correctly. A rocky separation could have destabilized Starliner, causing it to tumble. The two spacecraft could’ve even bumped into each other, in which case the impact could have damaged the heat shield. Starliner needs that shield to survive the fiery drop of reentry, with astronauts on board or not.
“It’s hard to say where the service module would have bumped, but nothing good can come from those two spacecraft bumping,” Jim Chilton, the senior vice president of Boeing's space and launch division, told me.
Boeing engineers rewrote the software and sent the new version to Starliner barely three hours before the capsule touched down in New Mexico. If they hadn’t intervened, NASA says, Starliner could have been lost.
It is impossible to say what would have happened during this mission if people had been on board. Boeing officials have said that astronauts faced with a similar clock problem could have taken control of Starliner and guided it to the proper orbit. It’s less clear what they could have done to deal with the potential threat of a crash.
NASA has begun to investigate what’s going on inside Starliner’s team, and so far, the findings aren’t good. The space agency says it has uncovered failures at nearly every phase of Starliner’s development, from design and coding to testing and verification. Software defects in code as complex as this aren’t unexpected, NASA says, but there were “numerous instances” before flight when Boeing should have caught them. Chilton said the software patch for the reentry problem, for instance, required an easy fix. A little extra prelaunch attention could have avoided the issue altogether.
It is no doubt preferable to reckon with potentially dangerous errors after a test than after a tragedy. But the extent of the problems is confounding, and NASA seems well aware of it now. “Our NASA oversight was insufficient,” said Loverro. “That’s obvious, and we recognize that.”
NASA has always relied on contractors to provide hardware for its programs, from Apollo to the space shuttles, but the agency has never depended on them quite like this before. Boeing and SpaceX are in charge of designing nearly every bit of the new craft, from propulsion systems to the aesthetic look of the seats. Astronauts assigned to the SpaceX capsule don’t even train at the famous Johnson Space Center in Houston, working instead at SpaceX’s headquarters in California.
NASA is in charge of setting safety requirements and ultimately will decide whether and when the systems are astronaut-ready. The arrangement worries George Abbey, the former director of Johnson Space Center, who joined NASA as an engineer in 1964 and went on to select and train astronauts during the shuttle program. “[Astronauts] were going to fly because they had the confidence in NASA leadership—that they would take care of all of the issues and problems. So when leadership told them they were ready to fly, they had that confidence,” Abbey told me. “With the lack of that oversight, I’m not sure that NASA can really assure them that they’re ready to fly.”
NASA officials say that it’s too early to state whether the agency will require one more uncrewed launch from Boeing before astronauts are allowed to fly in the company’s new capsule. NASA will now conduct a new review of Boeing’s workplace culture, based on interviews with personnel ranging from senior managers to technicians. This decision, Loverro said, was influenced in part by news reports about “other parts of Boeing”—a not-so-subtle allusion to Boeing’s high-profile software problems with the 737 Max plane that led to two crashes and the deaths of 346 people. Engineers at Boeing, it eventually came out, knew about problems with the plane’s safety months before the first accident. It was hard not to think about this when Jim Bridenstine, the NASA administrator, told reporters, rather pointedly, that he has advised his senior NASA leaders in this program to “never, ever, ever be afraid of the truth.”