The deadly crash of the spaceship designed to carry wealthy Virgin Galactic customers into space can be pinned on pilot error, the National Transportation Safety Board said this morning.

What's more concerning is not what the pilot did during the doomed October 31 test run last year, but a grave error of its own made by Scaled Composites, the aerospace company that designed and was operating SpaceShipTwo, according to the NTSB: It never considered that a pilot could make that kind of mistake.

"Their hazard analysis did not include pilot-induced hazards," said Mike Hauf, an NTSB investigator.

The Crash

Virgin Galactic's plan is to use two aircraft to get customers into space. WhiteKnightTwo is a double-hulled plane that resembles a catamaran, optimized for high altitudes and load-bearing capacity, operated by two pilots. It carries SpaceShipTwo, also manned by two pilots, which itself would carry six passengers.

Here's how it should work: When the planes reach about 50,000 feet, WhiteKnightTwo drops the smaller craft, which fires a rocket that sends it to the very edge of the atmosphere. Those aboard experience four minutes of weightlessness before SpaceShipTwo reenters the atmosphere. The two pilots flying SpaceShipTwo use the unusual feathered tail system, which changes position from one phase of flight to another to properly orient the ship as it comes back down, with the belly parallel with the Earth’s surface. Then SpaceShipTwo coasts back down and lands like a glider.

The October 31 flight was a relatively late-stage test in Virgin Galactic’s quest to send people into space, and was meant to test the rocket system—not leave the atmosphere. The paired aircraft took off from the Mojave Air and Space Port at 9:20 a.m. PDT, releasing the SpaceShipTwo craft at 10:10 a.m. A few seconds later, SpaceShipTwo fired its rocket.

After pilot Peter Siebold called out a speed of Mach .8, Michael Alsbury, sitting in the right seat, moved a handle that controls the feathering mechanism from lock to unlock—which shouldn't have been done until the spacecraft hit Mach 1.4. Alsbury did not activate the feather system, but aerodynamic load overpowered the actuators holding it in place, forcing it to open and causing SpaceShipTwo to break up in flight. Alsbury was killed; Siebold was badly injured but survived.

Human Error

We can't know why Alsbury unlocked the system when he did, but the NTSB says the environment was a stressful one. The simulator used by Scaled Composites pilots did not replicate the vibrations and heavy G forces of rocket-powered flight, and pilots did not train in full flight gear (suit, gloves, helmet, visor). Alsbury hadn't flown under rocket power since April 2013, and was under pressure to perform a series of tasks, by memory, in quick succession. And if he didn't unlock the system by Mach 1.8, the crew would have to abort the flight.

The really damning issue, the report found, is that no one anticipated Alsbury's mistake. It was no secret that unlocking the feather system early could be catastrophic, but Scaled Composites based its safety analysis on the idea that only a systems failure could make that happen. The company simply did not consider that kind of pilot error.

"Because the probability of failure for this hazard met the risk criteria, Scaled determined that the feather system design was adequate," says Hauf. "No mitigations were considered to prevent the flight crew from unlocking the feather locks early."

Scaled's safety analysis included pilot error, says Lorenda Ward, investigator in charge, but only as an inappropriate reaction to a system failure. "Scaled did not consider that the pilot would induce that kind of failure."

That catastrophic error is a harsh repudiation of the design philosophy behind the two aircraft: Rely on human skill instead of computers. All the systems on WhiteKnightTwo and SpaceShipTwo are manually operated, to keep everything as basic as possible.

“A simple system is less likely to fail,” chief pilot Dave Mackay told us during a visit to Virgin Galactic’s HQ in Mojave, California a few months before the crash. The pilots are an elite crew with serious bona fides, so it's easy to see how you could overlook the possibility of them screwing up.

Since the crash, Virgin Galactic has taken over the design of SpaceShipTwo [1], and updated it to inhibit prematurely unlocking the feather system. A second unit is already being built.

[1] Post updated at 1:30 EDT on July 28 to clarify Virgin Galactic's role in the redesign of SpaceShipTwo.