My point stands: 270 non-fatal launches does not equate to a failure probability of better than 1:270.
Quote from: DanClemmensen on 12/07/2022 05:22 pmMy point stands: 270 non-fatal launches does not equate to a failure probability of better than 1:270.I think it does, just not by very much.See here: https://moleseyhill.com/2009-09-22-bayesian-probability-of-success.html
Quote from: Lee Jay on 12/07/2022 06:00 pmQuote from: DanClemmensen on 12/07/2022 05:22 pmMy point stands: 270 non-fatal launches does not equate to a failure probability of better than 1:270.I think it does, just not by very much.See here: https://moleseyhill.com/2009-09-22-bayesian-probability-of-success.htmlYes, a naive Bayesian model is more correct for non-learning situations. 270 flights gives a LOC of 1- 215/216 = .0046, or 1:216.By this statistical model the probability of LOC for the dozen Dragon-2 flights is 1 - 12/14 = 14%. Yes I'm counting the Dragon explosion on the test pad as a failure.If you don't want to count the test pad failure then you also don't get to count the first dozen failures as Starship works out its problems.If we count only since last failure, it's still 1 - 12/13 = 7.7% chance of failure for the next Dragon-2 launch.So why is someone claiming 1:270 LOC for Dragon-2 and why can't that analysis be applied to Starship?
I am skeptical of Probabilistic Risk Analysis alone,...
Quote from: Robotbeat on 12/07/2022 06:29 pmI am skeptical of Probabilistic Risk Analysis alone,...Me too, and I have a question. As far as I can tell, the PRA just models all the known failure modes. What do they do about the unknown unknowns? Do they have some sort of fudge factor or safety factor they apply for those?
I note shuttle tiles took 113 flights to finally get a loss of craft (LOC) despite lots of earlier hints about failure.
Quote from: Lee Jay on 12/07/2022 03:38 amQuote from: sebk on 12/07/2022 12:03 amCapsules with parachutes are inherently unable to achieve a high flight rate. And you absolutely do need a high flight rate to get safety to even get into the ballpark of motorcycle riding or general aviation (the general aviation is merely 2x safer than motorbike riding, BTW).If you want to have a high flight rate with a capsule then you need a powered landing. At that point you have the same primary issue as the architecture you claim to be inherently unsafe. I don't particularly like capsules, but these arguments are nonsense. They were nice in the 60s.Capsules by necessity have very low lift to drag and thus steep reentry. That means less total heat pulse but much worse peak heating. Which in turn means higher thermal stress of the heatshield. Which in turn means none of the TLR>3 reusable heatshields would hold. In effect capsule effectively means ablative heat shield which is incompatible with a high flight rate.But even if currently low TRL solutions were developed, you still have a parachute which is needs at least a refurbishment:large parachutes, unlike those made for individual humans, are complex devices with pyros and delay charges, go through high stresses and are not quickly reusable.
Quote from: sebk on 12/07/2022 12:03 amCapsules with parachutes are inherently unable to achieve a high flight rate. And you absolutely do need a high flight rate to get safety to even get into the ballpark of motorcycle riding or general aviation (the general aviation is merely 2x safer than motorbike riding, BTW).If you want to have a high flight rate with a capsule then you need a powered landing. At that point you have the same primary issue as the architecture you claim to be inherently unsafe. I don't particularly like capsules, but these arguments are nonsense. They were nice in the 60s.
Capsules with parachutes are inherently unable to achieve a high flight rate. And you absolutely do need a high flight rate to get safety to even get into the ballpark of motorcycle riding or general aviation (the general aviation is merely 2x safer than motorbike riding, BTW).If you want to have a high flight rate with a capsule then you need a powered landing. At that point you have the same primary issue as the architecture you claim to be inherently unsafe.
Quote from: sebk on 12/07/2022 08:11 amQuote from: Lee Jay on 12/07/2022 03:38 amQuote from: sebk on 12/07/2022 12:03 amCapsules with parachutes are inherently unable to achieve a high flight rate. And you absolutely do need a high flight rate to get safety to even get into the ballpark of motorcycle riding or general aviation (the general aviation is merely 2x safer than motorbike riding, BTW).If you want to have a high flight rate with a capsule then you need a powered landing. At that point you have the same primary issue as the architecture you claim to be inherently unsafe. I don't particularly like capsules, but these arguments are nonsense. They were nice in the 60s.Capsules by necessity have very low lift to drag and thus steep reentry. That means less total heat pulse but much worse peak heating. Which in turn means higher thermal stress of the heatshield. Which in turn means none of the TLR>3 reusable heatshields would hold. In effect capsule effectively means ablative heat shield which is incompatible with a high flight rate.But even if currently low TRL solutions were developed, you still have a parachute which is needs at least a refurbishment:large parachutes, unlike those made for individual humans, are complex devices with pyros and delay charges, go through high stresses and are not quickly reusable. We're not talking about reentry with capsules. We're talking about escape with capsules, which hardly ever get deployed. The thermal and mechanical stresses are extremely modest, because max-q is about as high/fast as they'd ever be used. Whether or not you choose to use a parachute or a powered landing is pretty much a mid-level engineering decision--either will work.Just so we're all on the same page on the various phases of flight and their aborts:1) Pad abort: Use the escape capsule.2) Low-altitude abort, before you can get decent SS-SH staging separation: Use the capsule.3) Mid-altitude, low-q abort: Use the Starship. If you can RTLS to the chopsticks, cool. If you have to abort downrange with no chopsticks, do the belly flop, start to rotate higher than usual, and deploy the capsule.4) Max-q abort: Use the capsule.5) Hypersonic ascent abort: Use the Starship via an early staging.¹ If chopsticks unavailable for landing, use the capsule once you're at low altitude.6) On-orbit abort: Come home, standard conops. If an off-target EDL is essential to get on the ground ASAP, use the escape capsule at low altitude.7) Reentry abort: No solution.¹ Trans- or sub-sonic belly flop abort: Use the capsule. It has plenty of altitude to orient itself, then land propulsively.9) Flip/landing abort: First, implement the flip maneuver higher, wasting some delta-v in the name of safety. Then use the capsule, at whatever orientation you have to. You'll be high enough that the capsule can orient itself.10) Any off-target landing: Use the capsule. (You could argue that a smooth-surface landing with legs would allow Starship recovery, but I don't see anybody getting a 120t, 50m x 9m thing out of a cornfield in one piece.)11) Post-landing abort (missed catch, engine shutdown explosion, rough-surface tip): Use the capsule._____________¹I'm omitting the cases where you have a significant Starship (not SuperHeavy) structural failure in hypersonic flight. In some of those, the escape capsule would be handy. But it makes it much more difficult to engineer, and most of those cases aren't survivable.
Wasn't that a NASA safety requirement 1:270 LOC?
I agree with much of this, but if this thing is going to carry 12-100 people, that capsule gets pretty huge.
Quote from: Lee Jay on 12/07/2022 06:58 pmQuote from: Robotbeat on 12/07/2022 06:29 pmI am skeptical of Probabilistic Risk Analysis alone,...Me too, and I have a question. As far as I can tell, the PRA just models all the known failure modes. What do they do about the unknown unknowns? Do they have some sort of fudge factor or safety factor they apply for those?I don’t know the specific answer to your question but I think part of the idea of the TRL scale is that you start eliminating these Unknown Unknowns by professing technologies to higher in the TRL scale.In other words, you use TRL as a tool to control/mitigate/prevent unknown unknowns.
We're not talking about reentry with capsules. We're talking about escape with capsules, which hardly ever get deployed.
Quote from: TheRadicalModerate on 12/07/2022 09:06 pmWe're not talking about reentry with capsules. We're talking about escape with capsules, which hardly ever get deployed. That's my fundamental disagreement with an encapsulated abort capsule. hardly every deployed means the PRA is full of WAGs not data.
Quote from: InterestedEngineer on 12/08/2022 12:09 amQuote from: TheRadicalModerate on 12/07/2022 09:06 pmWe're not talking about reentry with capsules. We're talking about escape with capsules, which hardly ever get deployed. That's my fundamental disagreement with an encapsulated abort capsule. hardly every deployed means the PRA is full of WAGs not data.Abort systems have been tested a small number of times and then successfully deployed. Two were used successfully recently, one of which saved the lives of the crew.The idea is that they are relatively simple systems and so a small amount of testing goes a long way. Further, even if they are only 90% successful, that still multiplies your probability of survival by a factor of ten, say from 99 out of 100 to 999 out of 1000.
Quote from: Lee Jay on 12/08/2022 12:23 amQuote from: InterestedEngineer on 12/08/2022 12:09 amQuote from: TheRadicalModerate on 12/07/2022 09:06 pmWe're not talking about reentry with capsules. We're talking about escape with capsules, which hardly ever get deployed. That's my fundamental disagreement with an encapsulated abort capsule. hardly every deployed means the PRA is full of WAGs not data.Abort systems have been tested a small number of times and then successfully deployed. Two were used successfully recently, one of which saved the lives of the crew.The idea is that they are relatively simple systems and so a small amount of testing goes a long way. Further, even if they are only 90% successful, that still multiplies your probability of survival by a factor of ten, say from 99 out of 100 to 999 out of 1000.A mechanism sitting on the top of its normally used staging system is reasonably simple (plus or minus hypergolic explosions). They still fail. And they fail when not needed as well as when needed.
One that has to eject out of a Starship, not so simple
Quote from: InterestedEngineer on 12/08/2022 12:38 amQuote from: Lee Jay on 12/08/2022 12:23 amQuote from: InterestedEngineer on 12/08/2022 12:09 amQuote from: TheRadicalModerate on 12/07/2022 09:06 pmWe're not talking about reentry with capsules. We're talking about escape with capsules, which hardly ever get deployed. That's my fundamental disagreement with an encapsulated abort capsule. hardly every deployed means the PRA is full of WAGs not data.Abort systems have been tested a small number of times and then successfully deployed. Two were used successfully recently, one of which saved the lives of the crew.The idea is that they are relatively simple systems and so a small amount of testing goes a long way. Further, even if they are only 90% successful, that still multiplies your probability of survival by a factor of ten, say from 99 out of 100 to 999 out of 1000.A mechanism sitting on the top of its normally used staging system is reasonably simple (plus or minus hypergolic explosions). They still fail. And they fail when not needed as well as when needed.When was the last time that happened operationally?QuoteOne that has to eject out of a Starship, not so simpleYeah - SS is a bad architecture for humans.
Quote from: InterestedEngineer on 12/08/2022 12:38 amA mechanism sitting on the top of its normally used staging system is reasonably simple (plus or minus hypergolic explosions). They still fail. And they fail when not needed as well as when needed.When was the last time that happened operationally?
A mechanism sitting on the top of its normally used staging system is reasonably simple (plus or minus hypergolic explosions). They still fail. And they fail when not needed as well as when needed.