Loading AI tools
NASA Space Shuttle safety procedures From Wikipedia, the free encyclopedia
Space Shuttle abort modes were procedures by which the nominal launch of the NASA Space Shuttle could be terminated. A pad abort occurred after ignition of the shuttle's main engines but prior to liftoff. An abort during ascent that would result in the orbiter returning to a runway or to an orbit lower than planned was called an "intact abort", while an abort in which the orbiter would be unable to reach a runway, or any abort involving the failure of more than one main engine, was called a "contingency abort". Crew bailout was still possible in some situations in which the orbiter could not land on a runway.
The three Space Shuttle main engines (SSMEs) were ignited roughly 6.6 seconds before liftoff, and computers monitored their performance as they increased thrust. If an anomaly was detected, the engines would be shut down automatically and the countdown terminated before ignition of the solid rocket boosters (SRBs) at T = 0 seconds. This was called a "redundant set launch sequencer (RSLS) abort", and occurred five times: STS-41-D, STS-51-F, STS-55, STS-51, and STS-68.[1]
Once the shuttle's SRBs were ignited, the vehicle was committed to liftoff. If an event requiring an abort happened after SRB ignition, it was not possible to begin the abort until after SRB burnout and separation, about two minutes after launch. There were five abort modes available during ascent, divided into the categories of intact aborts and contingency aborts.[2] The choice of abort mode depended on how urgent the situation was and what emergency landing site could be reached.
The abort modes covered a wide range of potential problems, but the most commonly expected problem was a main engine failure, causing the vehicle to have insufficient thrust to achieve its planned orbit. Other possible failures not involving the engines but necessitating an abort included a multiple auxiliary power unit (APU) failure, a progressive hydraulic failure, a cabin leak, and an external tank leak.
There were four intact abort modes for the Space Shuttle. Intact aborts were designed to provide a safe return of the orbiter to a planned landing site or to a lower orbit than that which had been planned for the mission.
Return to launch site (RTLS) was the first abort mode available and could be selected just after SRB jettison. The shuttle would continue downrange to burn excess propellant, as well as pitch up to maintain vertical speed in aborts with a main-engine failure. After burning sufficient propellant, the vehicle would be pitched all the way around and begin thrusting back towards the launch site. This maneuver was called the "powered pitcharound" (PPA) and was timed to ensure that less than 2% propellant remained in the external tank by the time the shuttle's trajectory brought it back to the Kennedy Space Center. Additionally, the shuttle's OMS and reaction control system (RCS) motors would continuously thrust to burn off excess OMS propellant to reduce landing weight and adjust the orbiter's center of gravity.
Just before main engine cutoff, the orbiter would be commanded to pitch nose-down to ensure proper orientation for external tank jettison, since aerodynamic forces would otherwise cause the tank to collide with the orbiter. The main engines would cut off, and the tank would be jettisoned, as the orbiter used its RCS to increase separation.
Cutoff and separation would occur effectively inside the upper atmosphere at an altitude of about 230,000 ft (70,000 m), high enough to avoid subjecting the external tank to excessive aerodynamic stress and heating. The cutoff velocity would depend on the distance still to be traveled to reach the landing site and would increase based on the distance of the orbiter at cutoff. In any case, the orbiter would be flying too slowly to glide gently at such high altitude, and would start descending rapidly. A series of maneuvers in quick succession would pitch the orbiter's nose up to level off the orbiter once it reached thicker air, while at the same time ensuring that the structural limits of the vehicle were not exceeded (the operational load limit was set to 2.5 Gs, and at 4.4 Gs the OMS pods were expected to be torn off the orbiter).
Once this phase was complete, the orbiter would be about 150 nmi (278 km) from the landing site and in a stable glide, proceeding to make a normal landing about 25 minutes after liftoff.[3]
If a second main engine failed at any point during PPA, the shuttle would not be able to reach the runway at KSC, and the crew would have to bail out. A failure of a third engine during PPA would lead to loss of control and subsequent loss of crew and vehicle (LOCV). Failure of all three engines as horizontal velocity approached zero or just before external tank jettison would also result in LOCV.[4]
The capsule communicator would call out the point in the ascent at which an RTLS was no longer possible as "negative return", approximately four minutes after liftoff, at which point the vehicle would be unable to safely bleed off the velocity that it had gained in the distance between its position downrange and the launch site.
The RTLS abort mode was never needed in the history of the shuttle program. It was considered the most difficult and dangerous abort, but also among the most unlikely to occur as only a very narrow range of probable failures existed that were survivable but nevertheless so time-critical as to rule out more time-consuming abort modes. Astronaut Mike Mullane referred to the RTLS abort as an "unnatural act of physics", and many pilot astronauts hoped that they would not have to perform such an abort because of its difficulty.[5]
A transoceanic abort landing (TAL) involved landing at a predetermined location in Africa, Western Europe or the Atlantic Ocean (at Lajes Field in the Azores) about 25 to 30 minutes after liftoff.[6] It was to be used when velocity, altitude, and distance downrange did not allow return to the launch point by Return To Launch Site (RTLS). It was also to be used when a less time-critical failure did not require the faster but more dangerous RTLS abort.
For performance issues such as engine failure(s), a TAL abort would have been declared between roughly T+2:30 (two minutes 30 seconds after liftoff) and about T+5:00 (five minutes after liftoff), after which the abort mode changed to Abort Once Around (AOA) followed by Abort To Orbit (ATO). However, in the event of a time-critical failure, or one that would jeopardize crew safety such as a cabin leak or cooling failure, TAL could be called until shortly before main engine cutoff (MECO) or even after MECO for severe underspeed conditions. The shuttle would then have landed at a predesignated airstrip across the Atlantic. The last four TAL sites were Istres Air Base in France, Zaragoza and Morón air bases in Spain, and RAF Fairford in England. Prior to a shuttle launch, two sites would be selected based on the flight plan and were staffed with standby personnel in case they were used. The list of TAL sites changed over time because of geopolitical factors. The exact sites were determined from launch to launch depending on orbital inclination.[6]
Preparations of TAL sites took four to five days and began one week before launch, with the majority of personnel from NASA, the Department of Defense and contractors arriving 48 hours before launch. Additionally, two C-130 aircraft from the space flight support office from the adjacent Patrick Space Force Base (then known as Patrick Air Force Base) would deliver eight crew members, nine pararescuemen, two flight surgeons, a nurse and medical technician, and 2,500 pounds (1,100 kg) of medical equipment to Zaragoza, Istres, or both. One or more C-21S or C-12S aircraft would also be deployed to provide weather reconnaissance in the event of an abort with a TALCOM, or astronaut flight controller aboard for communications with the shuttle pilot and commander.[6]
This abort mode was never needed during the entire history of the Space Shuttle program.
An abort once around (AOA) was available if the shuttle was unable to reach a stable orbit but had sufficient velocity to circle Earth once and land at around 90 minutes after liftoff. Around five minutes after liftoff, the shuttle reaches a velocity and altitude sufficient for a single orbit around Earth.[7] The orbiter would then proceed into re-entry; NASA could choose to have the orbiter land at Edwards Air Force Base, White Sands Space Harbor, or Kennedy Space Center.[7] The time window for using the AOA abort was very short, just a few seconds between the TAL and ATO abort opportunities. Therefore, taking this option because of a technical malfunction (such as an engine failure) was very unlikely, although a medical emergency on board could have necessitated an AOA abort.
This abort mode was never needed during the entire history of the Space Shuttle program.
An abort to orbit (ATO) was available when the intended orbit could not be reached but a lower stable orbit above 120 miles (190 km) above Earth's surface was possible.[7] This occurred during mission STS-51-F, when Challenger's center engine failed five minutes and 46 seconds after liftoff.[7] An orbit near the craft's planned orbit was established, and the mission continued despite the abort to a lower orbit.[7][8] The Mission Control Center at Johnson Space Center observed an SSME failure and called "Challenger-Houston, abort ATO." The engine failure was later determined to be an inadvertent engine shutdown caused by faulty temperature sensors.[7]
The moment at which an ATO became possible was referred to as the "press to ATO" moment. In an ATO situation, the spacecraft commander rotated the cockpit abort mode switch to the ATO position and depressed the abort push button. This initiated the flight-control software routines that handled the abort. In the event of a loss of communication, the spacecraft commander could have made the abort decision and taken action independently.
A hydrogen fuel leak in one of the SSMEs during the STS-93 mission resulted in a slight underspeed at main engine cutoff (MECO) but did not necessitate an ATO, and Columbia achieved its planned orbit; if the leak had been more severe, it might have necessitated one of the earlier abort options.
There was an order of preference for abort modes:
Unlike with all other United States orbit-capable crewed vehicles (both previous and subsequent, as of 2024), the shuttle was never flown without astronauts aboard. To provide an incremental non-orbital test, NASA considered making the first mission an RTLS abort. However, STS-1 commander John Young declined, saying, "let's not practice Russian roulette"[9] and "RTLS requires continuous miracles interspersed with acts of God to be successful."[10]
Contingency aborts involved failure of more than one SSME and would generally have left the orbiter unable to reach a runway.[11] These aborts were intended to ensure the survival of the orbiter long enough for the crew to bail out. Loss of two engines would have generally been survivable by using the remaining engine to optimize the orbiter's trajectory so as to not exceed structural limits during reentry. Loss of three engines could have been survivable outside of certain "black zones" where the orbiter would have failed before bailout was possible.[4] These contingency aborts were added after the destruction of Challenger.
Before the Challenger disaster during STS-51-L, ascent abort options involving failure of more than one SSME were very limited. While failure of a single SSME was survivable throughout ascent, failure of a second SSME prior to about 350 seconds (the point at which the orbiter would have sufficient downrange velocity to reach a TAL site on just one engine) would mean an LOCV, since no bailout option existed. Studies showed that an ocean ditching was not survivable. Furthermore, the loss of a second SSME during an RTLS abort would have caused an LOCV except for the period of time just prior to MECO (during which the orbiter would be able to reach KSC by prolonging the burn time of the remaining engine), as would a triple SSME failure at any point during an RTLS abort.
After the loss of Challenger in STS-51-L, numerous abort enhancements were added. With those enhancements, the loss of two SSMEs was now survivable for the crew throughout the entire ascent, and the vehicle could survive and land for large portions of the ascent. The struts attaching the orbiter to the external tank were strengthened to better endure a multiple SSME failure during SRB flight. Loss of three SSMEs was survivable for the crew for most of the ascent, although survival in the event of three failed SSMEs before T+90 seconds was unlikely because of design loads that would be exceeded on the forward orbiter/ET and SRB/ET attach points, and still problematic at any time during SRB flight because of controllability during staging.[4]
A particularly significant enhancement was bailout capability. Unlike the ejection seat in a fighter plane, the shuttle had an inflight crew escape system[12] (ICES). The vehicle was put in a stable glide on autopilot, the hatch was blown, and the crew slid out on a pole to clear the orbiter's left wing. They would then parachute to earth or the sea. While this at first appeared only usable under rare conditions, there were many failure modes where reaching an emergency landing site was not possible yet the vehicle was still intact and under control. Before the Challenger disaster, this almost happened on STS-51-F, when a single SSME failed at about T+345 seconds. The orbiter in that case was also Challenger. A second SSME almost failed because of a spurious temperature reading; however, the engine shutdown was inhibited by a quick-thinking flight controller. If the second SSME had failed within about 69 seconds of the first, there would have been insufficient energy to cross the Atlantic. Without bailout capability, the entire crew would have been killed. After the loss of Challenger, those types of failures were made survivable. To facilitate high-altitude bailouts, the crew began wearing the Launch Entry Suit and later the Advanced Crew Escape Suit during ascent and descent. Before the Challenger disaster, crews for operational missions wore only fabric flight suits.
Another post-Challenger enhancement was the addition of East Coast/Bermuda abort landings (ECAL/BDA). High-inclination launches (including all ISS missions) would have been able to reach an emergency runway on the East Coast of North America under certain conditions. Most lower-inclination launches would have landed in Bermuda (although this option was not available for the very lowest-inclination launches—those to an orbital inclination of 28.5°—which launched due east from KSC and passed far to the south of Bermuda).
An ECAL/BDA abort was similar to RTLS, but instead of landing at the Kennedy Space Center, the orbiter would attempt to land at another site along the east coast of North America (in the case of ECAL) or Bermuda (in the case of BDA). Various potential ECAL landing sites extended from South Carolina into Newfoundland, Canada. The designated landing site in Bermuda was Naval Air Station Bermuda (a United States Navy facility). ECAL/BDA was a contingency abort that was less desirable than an intact abort, primarily because there was so little time to choose the landing site and prepare for the orbiter's arrival. All of the pre-designated sites were either military airfields or joint civil/military facilities. ECAL emergency sites were not as well equipped to accommodate an orbiter landing as those prepared for RTLS and TAL aborts.[13] The sites were not staffed with NASA employees or contractors and the staff working there were given no special training to handle a shuttle landing. If they were ever needed, the shuttle pilots would have had to rely on regular air traffic control personnel using procedures similar to those used to land a gliding aircraft that has suffered complete engine failure.
Numerous other abort refinements were added, mainly involving improved software for managing vehicle energy in various abort scenarios. These enabled a greater chance of reaching an emergency runway for various SSME failure scenarios.
An ejection escape system, sometimes called a "launch escape system", had been discussed many times for the shuttle. After the Challenger and Columbia losses, great interest was expressed in this. All previous and subsequent U.S. crewed space vehicles have launch escape systems, although as of 2024[update] none have ever been used for an American crewed flight.
The first two shuttles, Enterprise and Columbia, were built with ejection seats. These two vehicles were intended to be part of the shuttle test program and would fly with a crew of two test pilots or astronauts. Subsequent shuttles Challenger, Discovery, Atlantis, and Endeavour were built for operational missions with a crew of more than two, including seats in the lower deck, and ejection seat options were deemed to be infeasible. The type used on the first two shuttles were modified versions of the Lockheed SR-71 seat. The approach and landing tests flown by Enterprise had these as an escape option, and the first four flights of Columbia had this as a crew abort option as well.[14] With STS-5 marking the end of Columbia's test flight program, and as an operational mission with four crew members, the two cockpit ejection seats had their rocket motors removed for the flight. Columbia's next flight (STS-9) was likewise flown with the seats disabled in this manner. By the time Columbia flew again (STS-61-C, launched on January 12, 1986), it had been through a full maintenance overhaul at Palmdale and the ejection seats (along with the explosive hatches) had been fully removed. Ejection seats were not further developed for the shuttle for several reasons:
...in truth, if you had to use them while the solids were there, I don’t believe you would [survive]—if you popped out and then went down through the fire trail that’s behind the solids, that you would have ever survived, or if you did, you wouldn't have a parachute, because it would have been burned up in the process. But by the time the solids had burned out, you were up to too high an altitude to use it. ... So I personally didn't feel that the ejection seats were really going to help us out if we really ran into a contingency.[15]
The Soviet shuttle Buran was planned to be fitted with the crew emergency escape system, which would have included K-36RB (K-36M-11F35) seats and the Strizh full-pressure suit, qualified for altitudes up to 30,000 metres (98,000 ft) and speeds up to Mach three.[16] Buran flew only once in fully automated mode without a crew, thus the seats were never installed and were never tested in real human space flight.
This section needs additional citations for verification. (April 2015) |
An alternative to ejection seats was an escape crew capsule or cabin escape system where the crew ejected in protective capsules, or the entire cabin is ejected. Such systems have been used on several military aircraft. The B-58 Hustler and XB-70 Valkyrie used capsule ejection, while the General Dynamics F-111 and early prototypes of the Rockwell B-1 Lancer used cabin ejection.
Like ejection seats, capsule ejection for the shuttle would have been difficult because no easy way existed to exit the vehicle. Several crewmembers sat in the middeck, surrounded by substantial vehicle structure.
Cabin ejection would work for a much larger portion of the flight envelope than ejection seats, as the crew would be protected from temperature, wind blast, and lack of oxygen or vacuum. In theory an ejection cabin could have been designed to withstand reentry, although that would entail additional cost, weight and complexity. Cabin ejection was not pursued for several reasons:
Source:[18]
Date | Orbiter | Mission | Abort type | Abort time | Description |
---|---|---|---|---|---|
1984-06-26 | Discovery | STS-41-D | RSLS | T−4 seconds | Sluggish valve detected in Space Shuttle main engine (SSME) No. 3. Discovery rolled back to VAB for engine replacement. |
1985-07-12 | Challenger | STS-51-F | RSLS | T−3 seconds | Coolant valve problem with SSME No. 2. Valve was replaced on launch pad. |
1985-07-29 | Challenger | STS-51-F | ATO | T+5 minutes, 45 seconds | Sensor problem shut SSME No. 1 down. Mission continued in lower than planned orbit. Only non-RSLS abort during the entire program. |
1993-03-22 | Columbia | STS-55 | RSLS | T−3 seconds | Problem with purge pressure readings in the oxidizer preburner on SSME No. 2. All engines replaced on pad. |
1993-08-12 | Discovery | STS-51 | RSLS | T−3 seconds | Sensor that monitors flow of hydrogen fuel in SSME No. 2 failed. All engines replaced on launch pad. |
1994-08-18 | Endeavour | STS-68 | RSLS | T−1 second | Sensor detected higher than acceptable readings of the discharge temperature of the high pressure oxidizer turbopump in SSME No. 3. Endeavour rolled back to VAB to replace all three engines. A test firing at Stennis Space Center confirmed a drift in the fuel flow meter which resulted in a slower start in the engine which caused the higher temperatures. |
Predetermined emergency landing sites for the orbiter were chosen on a mission-by-mission basis according to the mission profile, weather and regional political situations. Emergency landing sites during the shuttle program included:[19][20]
An orbiter has landed at three sites that are also designated as emergency landing sites: Edwards Air Force Base, Kennedy Space Center, and White Sands Space Harbor. However, none of the landings at these three sites have been emergency landings. These sites are listed in bold below.
Algeria
Australia
Bahamas
Barbados
Canada[25]
Cape Verde
Chile
France
The Gambia
Germany
Greece
Iceland
Ireland
Jamaica
Liberia
Morocco
Portugal
Saudi Arabia
Spain
Somalia
South Africa
Sweden
Turkey
United Kingdom
British Overseas Territories
United States
Democratic Republic of the Congo
Other locations
In the event of an emergency deorbit that would bring the orbiter down in an area not within range of a designated emergency landing site, the orbiter was theoretically capable of landing on any paved runway that was at least 3 km (9,800 ft) long, which included the majority of large commercial airports. In practice, a US or allied military airfield would have been preferred for reasons of security arrangements and minimizing the disruption of commercial air traffic.
Seamless Wikipedia browsing. On steroids.
Every time you click a link to Wikipedia, Wiktionary or Wikiquote in your browser's search results, it will show the modern Wikiwand interface.
Wikiwand extension is a five stars, simple, with minimum permission required to keep your browsing private, safe and transparent.