aborts – Wayne Hale's Blog

The Kaboom Case

Starting to work in Mission Control at JSC just before the first shuttle flight was a dream come true. I was surrounded by old Apollo flight controllers who filled my days with space stories from the moon landings and before. Those guys had seen a lot of action: Apollo 13, Gemini 8, Skylab 1, and many more near disasters that had turned out all right due to hard work, solid preparation, ingenuity and not a little good luck. And they also lived through “the fire” as it was universally known — Apollo 1; where all the preparation, ingenuity, and luck did not help. My early days were a continuous seminar in the trials and tribulations of early space history taught by those who had earned their PhD in the school of hard knocks.

But the torch was being passed to a new generation of flight controllers and by the second shuttle flight there were a lot of us “new kids” training for the coveted front room positions in Mission Control. I got to side saddle (that was the term) with the legendary Gary Coen who played a vital role in saving Apollo 13. For shuttle, Gary was the senior Propulsion Officer, responsible for the hypergolic rockets that controlled the orbit and attitude of the shuttle. My buddy Ron Dittemore, with a year’s seniority on me, had already achieved orbit certification and was working on the even more difficult Ascent and Entry phase certifications as a front room Prop officer. Following us was the new guy in the Prop section, a fellow that had transferred down from the Lewis Research Center: Bill Gerstenmaier. Seems like we would be working together for a long time to come.

Sitting with Gary during all the simulations and training was really outstanding. He knew the systems, flight rules, and procedures forwards and backwards. Even more importantly, he had the judgment that comes with long experience to know what to do in a crisis. And the simulations are nothing more than one crisis after another coming so fast that they pile up on top of each other.

The down side was that all the old Apollo guys were smoking fiends. In those days nobody had heard of a ban on smoking in the workplace. Gary was a chainsmoker of unfiltered cigarettes, so I got plenty of second hand smoke sitting right next to him. On my other side, the GNC officer was Harry Clancy. Harry was a pipe guy. I’m surprised that I haven’t yet died of emphysema; as it was there were some days I thought I might asphyxiate.

But we learned what it meant to be flight controllers from the pioneers.

One basic lessons was known as “loop discipline.” Every position had a communications keyset which allowed the flight controller to communicate with different people. The communications circuits were called “loops” and each one had its specific use and name. The Propulsion team, front and back room, talked about our special problems on the “Prop loop.” Everybody monitored the “Air to Ground loop” where the crew talked with the CAPCOM on the radio. And everybody _ I mean EVERYBODY – listened to the “Flight Director loop” where all the important topics were discussed and decisions announced. Drilled into your head was the requirement to “talk on the loop” where everyone who had an interest in the topic could hear you — not only the members of your own discipline but the engineers over in the Mission Evaluation Room, the prelaunch team down at KSC, and your boss over in the office on the other side of the duck ponds at JSC. Everybody who was anybody at NASA from the Administrator on down, had a box in their office to the Flight Director loop. And the loops were recorded for posterity. It was very important to pick your words carefully when talking on the loop. Telling jokes or otherwise fooling around was not allowed. But the worst sin was to “talk over the airwaves”, not on the loop, but where only the people physically around you could hear a conversation. We were trained so to talk on the loop even if it was to the guy three feet away next to you. The conversation was to be done “on the loop” so that others could follow it as well. Loop discipline was one of the minor lessons, and there were many more difficult lessons in the school of flight controller training.

After working in the Staff Support Room (aka “the back room”) on the first shuttle flight, it was really a heady experience to be in the Flight Control Room for the second shuttle flight. But I was just an “OJT” guy, Gary was at my side making sure I did all the right things at the right time. On my very first shift, we had a minor problem: the electrical feedback on a motor valve failed which cased the electric motor to stall. I got to tell the CAPCOM to have the crew move a switch in the cockpit which kept the valve from overheating. Whew, the first real crisis of my career. Gary helped me with that problem from the first recognition, through the analysis, to the words to use on the Flight Loop. Problem solved. I started to relax.

Then Billy Moon, the EGIL started an excited conversation with the Flight Director that I didn’t quite follow. The EGILs were responsible for the electrical systems onboard the shuttle. This included the fuel cells which generated electricity. The fuel cells are a marvel of modern technology; about the size and shape of a large trash can, they converted cryogenic hydrogen and cryogenic oxygen into drinking water and electricity. They could loaf along at 3 or 4 kilowatts — about what my house uses when the kids leave the lights on and the airconditioner running — or up to around 18 kW in an emergency situation for limited periods of time. And they only cost about $15 million apiece. The shuttle runs on electricity; there are no batteries. If the three fuel cells are turned off, the shuttle is dead; the computers don’t run, the hydraulics don’t run, the rocket engines don’t fire, nothing works. So its kinda important to keep them healthy.

Billy Moon was telling the Flight Director that symptoms indicated one of the fuel cells was “breaking down”. The catalyst material which separates the hydrogen and oxygen was developing holes. Billy wanted to shut the fuel cell down and close the valves to the hydrogen and oxygen supply lines. This was serious. The Flight Rules required early termination of the mission if a fuel cell failed. Flight had to be sure that EGIL knew what he was doing before taking a drastic step like that. After all, this was only the second day of a planned five day mission. This problem was clearly a lot more important than my little valve feedback circuit failure which had been resolved with no mission impact.

The discussion on the Flight loop got more and more heated. EGIL wanted action and Flight was waffling. Billy Moon stood up and turned from his console to face Flight, only about eight feet away. I had a front row seat since the Prop Console was almost directly between EGIL and Flight. Bill’s tone of voice and volume were increasing. Finally, Bill Moon did not key his microphone; he broke one of the fundamental Flight Controller Rules: he said loudly and off the loop “THIS IS THE KABOOM CASE, FLIGHT!” If the hydrogen and the oxygen mix improperly, the results would not be good. The Flight Director got the point.

The Flight Director had also been standing up and at this point, he sat down and said: “CAPCOM, tell the crew to shut down fuel cell 1 and close the reactant valves.” While CAPCOM was repeating this message over the Air to Ground loop to the crew, we heard Flight dialing the phone and talking with senior management: “You better get over here.”

So STS-2 became the first shuttle flight to be shortened. Not many flights have been. There have been more dramatic times in mission control, however. This was just my first.

My drug of choice is the caffeine in the coffee, not the nicotine that the Apollo guys were all addicted to. But some days in the MCC, you don’t need caffeine to get your heart rate going.

Riding the Phugoid

Phugoid, for the non-aviators, refers to a long term longitudinal oscillation in the flight path of a flying machine. More precisely it is the exchange of altitude for airspeed with constant angle of attack. Whew, I had to look it up in my old textbooks to get it right. One of the on-line helps says that the engineer that invented the term “phugoid” took it from the Latin but got the translation wrong. That figures. Most engineers don’t know that the ancient Romans studied aircraft control.

We studied phugoidal motion a lot when analyzing shuttle re-entry. It is most pronounced on an abort entry where the shuttle’s forward motion doesn’t create enough lift until the vehicle falls into the denser part of the atmosphere and then there is too much lift so it bounces upward to where there is not enough lift and then it falls down to where the dense air creates too much lift and causes it to climb up to where there isn’t as much air where . . . . Well, you get the picture. Not exactly a roller coaster, but somewhat disconcerting.

If you are designing a re-entry vehicle with any lift at all, studying the aerodynamics so that lift and drag can be applied in the proper way at the proper time is crucial. During the early portions of the shuttle entry, phugoids are to be avoided since they can lead to high heating which is . . . not a good thing. Actually, the shuttle flies something called equilibrium glide for most of the entry phase. This term refers to a state where the lift generated is exactly equal to the orbital mechanics forces and gravity. In that state, the shuttle flies at a relatively constant altitude for a fairly long period of time, all the while bleeding off the incredible kinetic energy required to orbit the earth.

This is a good time of year to talk about how to fly through life: are you riding the phugoid or are you in equilibrium glide? I know where I am. Yesterday was a real emotional high when the snow dusted my home and the shuttle flew over on its way back to Florida; then there were the stressful lows — like when I tried to untangle the Christmas tree lights . . . .

My job has continued to move away from the purely technical to a place where people skills are increasingly important. One of my “other duties as assigned” is to represent the agency from time to time with the folks in the media. The prospect of having this kind of interaction causes a lot of people in NASA to refuse promotions . . . engineering being generally considered to be more important than talking to the public or dealing with the media.

One of the new phenomenon in media is the blossoming of the blogosphere — exactly where we are today. The neat thing about the internet and blogs is that anyone can spread a lot of knowledge and insight to many folks in a very rapid and inexpensive way. The sad thing about the internet and blogs is that there is so much misinformation and personal opinion passing for fact out there. In the last few months I have become much more involved in the new media.

Some of it makes me miss the old media. It is sad to see reputable old style news organizations in financial trouble laying off experienced and professional journalists, for example. And being over the age of . . .. (ahem) 30 . . . I still prefer the feel of a real newspaper in my hands toreading streaming news off a computer screen. But, OK, things change and we all have to learn to use the new tools.

My biggest problem with blogs and the internet — and I’m far from being the first to observe this — is the continual flame wars that go on. Seems like everything posted attracts someone with a contrary view — that’s OK, in fact, that’s a good thing — but too frequently a contrary view stated in the most vituperative and inflammatory way. A good exchange of views can be enlightening. A rude exchange of person insults is just depressing. Sigh. Makes me want to repeat the old SNL line: “can’t we just all get along?”

To participate in this new world of internet interaction, you have to develop a thick skin. Recognize the valuable components of a enthusiastic exchange of ideas and ignore the ad hominem and personal attacks and general lack of civility that seems to be rampant on the web these days.

Its hard to avoid riding the phugoid between the highs that happen because of a great and productive exchange of ideas and information, and the lows that come with depressing and inappropriate personal attacks.

So my aerospace analogy, at least for the holiday season, is to avoid the phugoid and try to stay on the equilibrium glide as long as you have the energy.

Hey, that probably applies to family get togethers for the holidays, too! Don’t sweat the small stuff.

Black Zones – Part 4

I keep meandering around on this topic and if you get confused, I’m sorry about the writing style.

Just to review the story: Mercury, Apollo, Soyuz, Shien-Zou, and the Orion all use launch escape towers for crew safety. Gemini used ejection seats. The shuttle famously does not have a crew launch safety system although it had ejection seats for early flights for problems during entry and now has a bail-out pole and parachutes for problems resulting in not being able to reach a runway.

I will discuss re-entry safety in a later post; I know a lot of folks are interested in that, too.

Of course a launch escape tower does not provide complete safety. For example, off the pad or very early in the launch of a Saturn rocket, the launch escape system would get the astronauts away from the rocket, but the Apollo capsule would land on the beach. Those capsules were not rated for anything other than a water landing so crew injury potential was high. Similarly, there was a tremendous concern about running into the launch umbilical tower shortly after liftoff. In some of those scenarios, the launch tower might not be effective in getting the capsule away.

At a certain point in the launch sequence the escape tower is jettisoned. Survival here depends on several factors. First of all, that the launch vehicle failure still results in the spacecraft being pointed in the direction of travel. As we saw in the Soyuz 18A story, the third stage firing with the second stage attached resulted in large attitude excursions and a subsequent flight direction that resulted in far higher loads than a controlled abort at that point should have. A real spin up of a launch vehicle would probably overwhelm any of the launch escape systems ever designed.

Second, after launch escape tower jettison, for multi-engine rockets, the capability must exist for all the running engines to be shut down. So if you have an engine out case and everything is still holding together but you cannot shut the remaining engines down perhaps due to an electrical fault, generally the capsule cannot get away. There must be a rocket engine to separate the capsule from the failed launch vehicle, but many times these are relatively small. For example, the Gemini Orbit Adjust Maneuvering System (OAMS) provided such slow acceleration that even with one engine out on the Titan II second stage, the capsule could not get away. Mercury used very small separation rockets with the option to fire the solid retro rocket package, but these could not overcome the acceleration of even the Atlas sustainer engine burning alone. So attitude control upsets which in themselves can be caused by electrical faults, coupled with the inability to shut down the upper stage engine(s) – again could be the same electrical fault – could lead to very bad outcomes. On the other hand, Apollo with its huge Service Propulsion System (SPS) engine — designed to launch the CSM off the moon when direct flights were envisioned — had enough oomph to get the Apollo capsule out of almost any circumstance.

All that being said, a capsule with moderate rocket engines and a launch escape tower on top of a long slender rocket is much safer than any tandem design like the space shuttle.

The space shuttle is safe if any single SSME prematurely shuts down and both of the other engines keep running AND the attitude control system is functional AND there was no debris generated in the engine shutdown that affects the orbiter’s heat shield. That is quite a bit of difference. One of the reasons for the difference is that the cargo – up to 30 tons – goes everywhere the crew goes.

In the current design for Ares/Orion, the cargo goes up on a separate rocket. This allows for improved crew safety, but at some operational cost — the crew capsule must rendezvous with the cargo on orbit before any work can commence.

Two other quick points. One person wrote a comment that the SSMEs are so reliable that we could quit worrying about one shutting down in flight. While the engine designers and builders are justifiably proud of the extraordinary reliability of the SSMEs, nobody that has studied them in detail rests easily. Too many parts are rotating at too high speeds, combustion is taking place at too high temperature and pressure for anybody to not keep their fingers crossed for the entire duration of engine firing.

Second, a number of folks have wondered why we did not put a crew escape system on the shuttle. Various systems have been proposed, a number have been studied to a high level, and a couple of designs have been looked at in detail. Ejection seats have been rejected for reasons I mentioned earlier. Putting the crew in a capsule in the payload bay that could be separated has received a detailed examination. Some of the limitations associated with this proposal can be easily imagined. Another idea was to separate the crew module with large solid rockets away from the rest of the shuttle in a launch emergency. And there have been others. The problem with designing in these solutions to an already flying vehicle is that none of them are as reliable as we would like; all of them are very heavy and drive the center of gravity out of an acceptable region, and they all cost an incredible amount of money to retrofit in. So, none of them have been implemented.

Any winged orbital vehicle under consideration needs to have a serious capability for crew escape designed in from the beginning. As to vehicles which are carried aloft by other aircraft for their launch; crew (and passenger) safety in that environment has its own challenges and is going to be neither a simple nor cheap capability to design into that type of vehicle.

I think this rounds out my discussion on Black Zones for launch and how they affect spacecraft design. All you guys out there working to design a spacecraft, keep these points in mind.

Black Zones – time out for Q&A

I have really appreciated all the questions and comments to my mini-series of blogs on Black Zones. I am not done with the series yet, but I thought it was time to address some of the questions and comments.

First of all, not to be too grumpy, but I have to set a couple of new blog comment rules. I have received a number of comments that are frankly undecipherable. They are either written by non-English speakers or some type of computer program that strings together English words at random. So my rule is if the comment is unintelligible and/or the grammar and spelling are so bad that most readers could not understand them — I won’t post them. Clear enough? My grammar and spelling aren’t perfect and I won’t hold you to perfection either, but it has got to make sense or it doesn’t get posted. If your comment didn’t get posted, that is most likely why.

Second grumpy new rule: I don’t do UFO comments. I have no patience for these things, don’t even try to start here. Go someplace else with your UFO comments. I will not post them here. This is my personal preference and should not reflect on the agency or anybody else.

Thanks, I’m glad to get those off my chest. On to serious comments.

No, there was no serious entry guidance anomaly on STS-1. There was a significant lofting during ascent, but nothing to speak of during entry. STS-2, 3, and 4 entries were flown automatically not manually with the exception of some short duration pilot test inputs to stimulate the entry flight control system to verify its robustness. Some of these type of manual test inputs continued for a number of flights. But there have been no manually flown entries of the space shuttle — its all been automatic until subsonic speeds.

At this date in the shuttle program, it is my belief that the bugs have been worked out of all the intact abort modes. That is, for any single SSME premature shutdown, there is a very high confidence level that the vehicle and crew can successfully execute an RTLS, TAL, ATO. The big assumption, though, is that nothing else goes wrong. The shuttle requirement — which I believe it meets — is that any single premature SSME shutdown at any point in the trajectory will lead to an intact abort — safe landing by the orbiter on a runway and safety for the crew.

I was pleased to see a post with the details of the Gemini ejection seats, but I would think that landing a mere 700 feet from an exploding Titan II rocket would not be a good thing. Survivable if the wind was blowing the right way probably. And I do agree that Schirra showed that he had the right stuff when he did not pull the ejection handle on Gemini 6A pad abort.

I probably should have started the series of posts with a definition of ‘black zone’ so here it is: a portion of a manned rocket launch trajectory where the premature shutdown of any or all running booster engines will lead to loss of the re-entry vehicle and crew subsequently due to the over temperature or structural loads incurred from the resulting trajectory. Is that too muddy? Black zone does not mean what is going to happen in a normal case, only if an engine (or two or three) quits. Black zone does not take into account the weather at the proposed abort landing site which is another way to kill a crew.

As to why EELVs were not chosen by the Exploration team early on — I don’t think black zones had a lot to do with it, but I really don’t know. I should ask and I will ask and I will report to you at a later day. However, the standard trajectory design for EELV launches would result in extensive black zones — which can be either greatly reduced or eliminated by adjusting the trajectory — which in turn leads to significant reductions in the mass which the EELV could place in orbit.

The two early American suborbital flights — Shepard and Grissom — had carefully designed trajectories to keep the entry G level and heating relatively low. If they had flown the type trajectory that the redstone rocket used as a weapon, that would not have been the case. Similarly, the Soyuz T-10-1 high altitude abort had an extreme entry G level because the rocket staging went so poorly that the entry was steeper than it would have been for a clean abort — as if the 3rd stage engines had merely failed to light off.

Well, that’s all for today folks. The series resumes tomorrow.

Black Zones – Part 3

The basic assumption for the shuttle design is that the shuttle would be like an airliner: no ejection seats, no parachutes (except for the first test flights) — crew safety consisted in total vehicle safety and the crew riding the vehicle down to a runway.

In retrospect that was a very poor assumption.

Adding crew escape to the space shuttle has received tremendous attention over the years and there are actually some methods that might work. Not to put too short a discussion on it, the problem with all of the best methods is the additional weight. After adding the crew escape system (capsules, rockets, whatever) and ballast to get the center of gravity right, there is no payload capacity left. The shuttle would become a huge crew transportation device with no capability to carry much of anything else up or down. Not to mention the pricetag to develop some of these devices! Wow. So, in the final analysis, the best way to make the shuttle safer is to retire her as soon as possible and go to a different type of vehicle. Sorry but there it is.

Actually, the shuttle does have a minimal crew escape capability. If the shuttle gets to a straight and level glide (actually not very level since the shuttle glides mostly like a rock), then down at 30,000 feet or less the the crew can jettison the side hatch and bail out with parachutes like some WWII bomber crew. This is better than ditching in the ocean or rough terrain. All studies show touchdown “off-runway” would not be survivable. So the subsonic, aircraft-in-control, bailout is all there is. And in most cases the crew probably winds up sitting in a tiny inflatable rubber raft in the middle of the North Atlantic waiting for somebody to pick them up. Not a lot of fun.

But the shuttle does have a remarkable capability that most other rockets do not. In virtually all expendable rockets, if any one of the booster engines shut down prematurely — even if that shutdown is benign — the mission is over, the payload is going into the ocean somewhere, and the Flight Control Officer is going to “send functions”. On the other hand, the shuttle is designed — required — to be able to safely return the orbiter, crew, and payload to a runway landing following the benign shutdown of any one of the three SSMEs.

A word about “benign”. High performance liquid rocket engines have a tendency to come apart in a hurry if something goes wrong. The SSMEs have been extensively instrumented and tested. Their computer control brain has a number of ways to detect an impending failure and turn the engine off before it comes apart. The system is not completely foolproof, but should prevent an explosive catastrophe in most cases. The only SSME premature shutdown in flight history occurred in 1985 on STS-51F when faulty temperature sensors erroneously indicated a problem with the engine and the computer shut that engine down. This occurred late enough during the boost phase that the mission continued to a completely successful conclusion. After that flight we spent a lot of time building more reliable temperature sensors.

So if any single SSME shuts down prematurely at any point in the launch phase, a safe return of the shuttle and crew will result. All the various options have been examined, simulated, and verified by computer analysis, wind tunnel testing, etc., etc., etc.

From launch to about 4 minutes into flight the shuttle can perform the scariest type of abort – a Return to Launch Site abort (RTLS). Prior to the first shuttle flight, somebody proposed that we do an RTLS on purpose as a test — they called it the “Sub-Orbital Flight Test (SOFT). Capt. John Young, the chief of the astronaut office and the commander of STS-1 was noted for his colorful memos that he would regularly send on topics of the day. The SOFT proposal drew a classic response: “RTLS requires continuous miracles interspersed by Acts of God to be successful” John wrote in 1980. And in fact, on STS-1, a trajectory bug lofted the shuttle trajectory higher than expected and an RTLS probably would not have been successful.

Since those days, RTLS has been significantly improved and would most likely work — but I’d just as soon not find out. In particular the separation from the External Tank is very tricky. ‘Nuff said on that subject.

From about 2 1/2 minutes into flight until almost orbital insertion loss of an SSME could result in a Trans-Atlantic Landing abort (TAL). The shuttle keeps going forward but aims for Europe rather than orbit. The entry is very similar to a normal end-of-mission entry and the landing would occur at a prepared runway in Spain or France (in the early days we also had landing sites in west Africa).

Later in flight, from about 4 1/2 minutes on, loss of an SSME would result in an Abort To Orbit (ATO) where the shuttle presses forward and we try to scavenge out all the propellant in the External Tank to go on to orbit. Sometimes a dump of propellant from the Orbital Maneuvering System is required, sometimes other adjustments to the trajectory are required, but ATOs can range from landing after a few orbits on launch day to having a fully successful mission depending on many variables. The longer the main engines run, the closer to normal the shuttle can get.

The Abort Once Around (AOA) mission – which is exactly what it sounds like – is basically not used these days except for problems like a big air leak from the crew cabin.

Now all of that is fine as long as two of the three SSMEs continue to operate and the shuttle remains under control. If control is lost, then all is lost since the shuttle does not fly sideways very well. A capsule might right itself, but the shuttle will break up.

If two of the SSMEs quit but one remains running, there are some options to steer toward the east coast of the United States and land at an emergency airfield somewhere on the Atlantic Coast of North America. However, many of these trajectories result in entry conditions that exceed the capability of the shuttle orbiter either thermally or structurally: black zones. The possibility of executing a successful East Coast Abort Landing (ECAL) is far from guaranteed, but in that situation it is worth a try. What is the other choice? If the shuttle doesn’t break up or burn up on the steep ballistic trajectory for an ECAL there is every reason to believe that a safe landing will occur. That is sort of a big “if”, however.

If three SSMEs quit all at once, there is real trouble. There is little to no way to control trajectory and the black zones get immense. In some lucky cases a successful ECAL might result but then you are not really having a lucky day if all three engines quit, are you?

My least favorite abort is a low alpha (low angle of attack) stretch to try to cross the Atlantic and make it to Ireland or someplace. These multiple-engine-out aborts result in extreme heating on the wing leading edge and the RCC panels are likely to fail. Another thing to try if there are no other options.

And of course, if the whole stack comes apart, its game over. Don’t even talk about a failure of a Solid Rocket Booster, either.

So the shuttle has a lot of capability compared with other rockets — and a lot less capability than any capsules.

More black zone discussions tomorrow.