
Shuttle abort procedures?


Keith Soldavin

Apr 19, 1996
Can someone please post the different possibilities for the shuttle to abort
after takeoff and what they mean to the shuttle and the crew (i.e.
damage, survivability, etc.). It has been a while since this has been posted and
I can't remember what all the procedures are. Thanks in advance.

Keith Soldavin
kas...@email.psu.edu

Pat

Apr 19, 1996
In article <kas219.58...@email.psu.edu>,


The FAQ does a nice job of explaining this, I imagine.

--
One man's desperate mundane existence is another's technicolor - Tik


Michael R. Grabois

Apr 20, 1996
On 19 Apr 1996 17:54:09 -0400, p...@clark.net (Pat) wrote:

>In article <kas219.58...@email.psu.edu>,
>Keith Soldavin <kas...@email.psu.edu> wrote:
>>Can someone please post the different possibilities for the shuttle to abort
>>after takeoff and what they mean to the shuttle and the crew (i.e.
>>damage, survivability, etc.). It has been a while since this has been posted and
>>I can't remember what all the procedures are. Thanks in advance.
>>
>>Keith Soldavin
>>kas...@email.psu.edu


>The FAQ does a nice job of explaining this, I imagine.

Surprisingly, it doesn't. There's nothing in there about shuttle abort
modes. And for whoever's updating the FAQ, section 7 "Mission
Schedules" REALLY needs to be renamed to reflect its contents:
"SPACE SHUTTLE ANSWERS, LAUNCH SCHEDULES, TV COVERAGE"

And incidentally, I think that those of us who point to the FAQs
should include a URL or ftp site where the FAQ can be located.


So here's the brief version of shuttle abort modes. The first four all
result in safe return of the crew and vehicle (at least according to
simulations and the single real ATO on STS-51F). Permission is granted
to use this in the FAQ, if the FAQkeeper desires, as long as I'm
notified first that it's going in (after it's been corrected by the
online community, of course.... <G>).


RTLS: Return to Launch Site
An engine fails within the first few minutes of flight, or a systems
problem (cabin leak, loss of cooling, etc.) occurs which requires the
shuttle to come home early. In this case, the shuttle will fly
downrange a bit, and then do a flip: it's originally travelling east,
with the ET on "top" (away from the earth). During this flip maneuver,
the shuttle will rotate so that its nose and tail swap places, and at
the end the shuttle is flying backwards into its own exhaust, with the
tank on the bottom. Eventually this will negate all of its forward
momentum, and start to move back towards KSC. Then it's just a matter
of dropping the ET and gliding back to the Cape. The whole thing takes
about 25 minutes.

TAL: Transoceanic Abort Landing
If a problem occurs after the last RTLS capability, then the shuttle
will have to land on the other side of the Atlantic. Depending on
inclination, this will be either in Africa (Ben Guerir, Morocco) or
Spain (Zaragoza or Moron). A TAL takes about 35 minutes.

ATO: Abort to Orbit
At some point, losing an engine will mean that enough thrust has been
lost such that the shuttle can't make it to the proper orbit, but it
can still make it to a lower, safe orbit (around 105 nautical miles).
Once it's up there, then MCC can decide whether there's enough OMS
propellant to raise the orbit any. In this case, the mission may be
shortened so that it comes home anywhere from 3 orbits into the flight
or the full mission duration, depending on propellant and whatever
else went wrong.

AOA: Abort Once Around
There are two "flavors" to an AOA, each with the same end result. A
"performance abort" results when an engine (or more) fails, and the
final orbit is too low to sustain, so they will come home right away.
The other case, a "systems abort", occurs when the shuttle loses some
critical system (like freon or water coolant loops, cabin leak, etc.)
but is otherwise in a safe orbit. An AOA will result in the shuttle
achieving some sort of orbit, then turn around and immediately come
home on the first orbit. An AOA will cause a landing about 90 minutes
after liftoff, at either KSC, Edwards, or Northrup in New Mexico.


There are also abort modes called "Contingency Aborts", which require
more manual efforts and may not always work. These include:

ECAL (East Coast Abort Landing): kind of like a cross between a TAL
and RTLS, which results in an attempted landing at a site on the North
American East Coast from North Carolina to Newfoundland. Bermuda is
also considered an ECAL site.

Bailout: when no landing site is achievable due to whatever
circumstances, the crew will steer the shuttle away from land (if it's
coming towards the East Coast) and bail out of the vehicle. This will
obviously result in the loss of the orbiter, but the crew should
survive as long as they're picked up by the Search and Rescue forces.

Michael R. Grabois | http://ourworld.compuserve.com/homepages/mgrabois
Houston, TX | or...@ix.netcom.com CI$: 74737,2600
----------------------------------------------------------------------
Gravity. It's not just a good idea, it's the law.


Konstantin Kukushkin

Apr 21, 1996
Michael R. Grabois wrote:
> RTLS: Return to Launch Site
> An engine fails within the first few minutes of flight, or a systems
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

> problem (cabin leak, loss of cooling, etc.) occurs which requires the
> shuttle to come home early. In this case, the shuttle will fly
> downrange a bit, and then do a flip: it's originally travelling east,

How should the shuttle get rid of SRBs in this case?

--
Konstantin Kukushkin
kuk...@itereu.de

Jacob M McGuire

Apr 21, 1996
Excerpts from netnews.sci.space.shuttle: 21-Apr-96 Re: Shuttle abort
procedures? by Konstantin Kukushkin@ite
>>RTLS: Return to Launch Site
>>An engine fails within the first few minutes of flight, or a systems
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

>>problem (cabin leak, loss of cooling, etc.) occurs which requires the
>>shuttle to come home early. In this case, the shuttle will fly
>>downrange a bit, and then do a flip: it's originally travelling east,
>
>How should the shuttle get rid of SRBs in this case?

I think that the SRBs are gone after 2:42, before that, you just have
to wait them out.

just...@imap2.asu.edu

Apr 21, 1996
As a corollary: I imagine that if one of these procedures were actually
tried out (RTLS, TAL, or AOA) on a mission and they had to abort a
flight, that would wreak havoc on the subsequent flight schedule
(rescheduling payloads, shuffling orbiters), etc. and create a bunch of
Excedrin headaches for NASA planners. An abort during a flight to Mir
would be most distressing for NASA and the Russians, that's for sure....
What are the backup plans in this case? If a shuttle flight actually had
to do an inflight abort, would it be reflown in its entirety (with the
same crew and payloads), or would the payloads be flown piecemeal? Or
would some payloads not be reflown? I imagine it would depend on the
payload but I'm curious about the backup plans. Thanks for answers.

Justin Davenport, Phoenix

"You could live in a padded room, but that wouldn't be much of a
life"--Shannon Lucid


just...@imap2.asu.edu

Apr 21, 1996
Before I go: the original questioner asked about survivability. Florida
Today's web page (http://www.flatoday.com/space) had an excellent article
about the RTLS procedure a couple of weeks back. The article called it
an option NASA doesn't want to exercise and one NASA official was quoted
as saying there were certain points in the procedure where things could
go wrong. The article also stated that Robert Crippen volunteered to
test the RTLS procedure on a shuttle test flight but was turned down by
NASA because it was too risky. There also was an Air and Space article
about TAL sites maintained in Spain and Africa a while back. I made an
earlier posting on the 19th about this subject but I think it got lost in
the shuffle because something happened either to this newsgroup or my server.
I apologize if I duplicated anything.

Jud Ready

Apr 21, 1996
or...@ix.netcom.com (Michael R. Grabois) writes:


>So here's the brief version of shuttle abort modes. The first four all
>result in safe return of the crew and vehicle (at least according to
>simulations and the single real ATO on STS-51F).


Any further info on the AOA of STS-51F?? The
site: http://www.ksc.nasa.gov/shuttle/missions/51-f/mission-51-f.html
does a woefully inadequate job at describing it (other than SSME1 shut down
prematurely at MET 5:45).

- Jud Ready
Georgia Institute of Technology, School of Materials Science & Engineering
& The Packaging Research Center, Atlanta, Georgia
gt2...@prism.gatech.edu
My recently renovated home page: http://www.prism.gatech.edu/~wr35/


Andy Foster

Apr 22, 1996
I'd like to add a few comments to hopefully clarify some things in this discussion.

RTLS can be performed during about the first four minutes of flight. From liftoff until first TAL capability, it will be the only abort mode available for an engine out. The
soonest that the software will actually fly the RTLS profile is at 2 minutes and 30 seconds after launch. (This is also the time that the crew would be told to select RTLS even
if an SSME died during first stage.) From SRB SEP until 2+30, software inhibits RTLS maneuvering. This is to prevent from possibly flying into the SRB's.

Once the abort is selected, the vehicle enters fuel dissipation phase. The nose will pitch away from the earth and the vehicle begins dumping OMS propellant through an
OMS/RCS interconnected burn. The "pitch up" lofts the trajectory but is mainly to burn off MPS propellant without gaining excessive downrange (away from the launch site)
speed and distance. During the time, the software is computing a point at which to turn the vehicle back toward KSC. This turnaround maneuver is called Powered
Pitcharound (abbreviated PPA). PPA is the maneuver referred to in several posts. It is a high rate, pure pitch maneuver.
The vehicle is flipped over (nose upward toward the sky) so that it is now thrusting toward the site. The maneuver is accomplished
using SSME gimballing only. (RCS is inactive during powered flight except for single engine roll control and propellant dumps.)

All this is done to accomplish two goals: (1) to get the vehicle to a MECO target with the proper energy to reach the launch site,
and (2) to have 2% MPS propellant or less remaining in the ET at separation. RTLS separation conditions are "dicey" enough due
to aeroforce interaction. More than 2% propellant in the ET makes its movements unpredictable due to propellant slosh.

After PPA, the vehicle is in "flyback". The altitude at PPA is somewhere around 350 - 400 K feet. During flyback, the trajectory will
droop to 175 - 180 K feet before climbing up to around 200K for ET sep.

About 20 seconds before MECO, the vehicle begins a pitchdown maneuver to reach ET sep attitude. This is called
Powered Pitchdown (PPD). At PPD, the SSME's are throttled to 65% and the vehicle is pitched down slightly nose low
to an alpha (angle of attack) of -4 degrees. This attitude gives the best separation dynamics. The SSME's shut off and the
aerodynamic forces here peel the tank down and away from the Orbiter.

The Orbiter begins a pitch up to an alpha of 50 degrees. It sits there until G's increase to about 2.2. The nose is then lowered to
maintain the g-level until the Orbiter has almost completed the pullout. (It began plunging about half way through PPD.) From there,
she flies a fairly "normal" entry profile (with some differences).

Most of the risk in RTLS lies in the dynamics of the maneuvers. There is some thermal risk, also, under some conditions.

TAL is a less risky abort in that it is closer to a "normal" ascent and entry profile. The most dynamic maneuver is the
"heads-up roll". This is performed to even out tank heating and to position the Orbiter for entry. However, if the TAL is selected late
in the trajectory, the heads up roll will not be performed. This is to preclude having a MECO occur before the heads up roll can be
completed and generating a possible flight path angle miss. The roll is performed with SSME gimballing alone unless the Orbiter is
flying on a single SSME. In that case, RCS jets using OMS propellant handle the roll.

If the Orbiter is steering to an out-of-plane TAL site (one not reachable from the normal ground track) a few seconds after TAL select,
the Orbiter will yaw as well to steer the vehicle to bring the range to within a 500 NM crossrange circle.

TAL is not as risky as RTLS as a general rule. In low energy cases (for instance, MECO occurred VERY early for some reason), ranging
can be regained by flying very low angles of attack. This results in a trajectory that can push the Orbiter to its thermal limits. So, TAL carries
its own set of risks as well.

During any abort, there is nothing you can do with the solids but ride them out. During RTLS for an engine out in first stage, staging
will occur slightly later to allow aerodynamic forces to reach better staging conditions. Otherwise, there is no difference in the
separation sequence. There is an SRB SEP push-button in the cockpit, but it will not initiate anything until SRB chamber pressure is
less than 50 psi (the SRB's are burned out). The only way to get the Orbiter away from the ET/SRB stack is a FAST SEP. This blows
the Orbiter loose of the entire thing. But with the solids still burning, the Orbiter will almost certainly hang up..and what happens then is
anyone's guess. Even if it doesn't, flying into the SRB plume could ruin your whole day anyway.

Andy

Michael R. Grabois

Apr 23, 1996
On 21 Apr 1996 23:17:28 -0400, gt2...@prism.gatech.edu (Jud Ready)
wrote:

>or...@ix.netcom.com (Michael R. Grabois) writes:

>>So here's the brief version of shuttle abort modes. The first four all
>>result in safe return of the crew and vehicle (at least according to
>>simulations and the single real ATO on STS-51F).

>Any further info on the AOA of STS-51F?? The
>site: http://www.ksc.nasa.gov/shuttle/missions/51-f/mission-51-f.html
>does a woefully inadequate job at describing it (other than SSME1 shut down
>prematurely at MET 5:45).

For one thing, it was an ATO, not an AOA (big difference-- the ATO
abort will stay in orbit, the AOA will come home).

The ATO that was performed on mission 51-F in 1985 was due to a faulty
sensor in one of the engines. The sensor read something incorrectly,
and the shuttle software shut down the engine as a result of the
readings. The BOOSTER officer (who is in charge of making sure the
main engines are operating correctly) saw some other data that
indicated that the sensor itself was wrong, and that the engines were
in reality fine; that was a good thing, since another sensor wanted to
shut down another engine, too.

(I'm sure someone else here -- Andy? -- can fill in the details, since
this was before I started working at JSC.)

Fortunately, it was a spacelab mission, which did not have any orbital
altitude requirements. The pre-flight planned altitude was (I think)
190 nautical miles circular; as a result of the ATO, they wound up in
a 148 x 105 naut.mi. orbit. Lower than planned, but they still got all
(as far as I know) the science objectives done.

The crew of STS-51F was CDR Gordon Fullerton, PLT Roy Bridges, MS's
Story Musgrave, Tony England, Karl Henize, and PS's Loren Acton and
John-David Bartoe.

I ran into Story Musgrave a while back, and asked him some details
about the incident. He told me that it was just like the simulators:
there's a big forward jerk when the engine shuts down, since you're
not going at full thrust. They had to do an OMS dump (they sacrifice
OMS propellant that they would have used in orbit in order to make the
vehicle lighter, so they can increase their velocity and get into a
higher orbit) and he was telling me how all three of the cockpit crew
-- commander, pilot, and MS Musgrave -- were timing the dump so that
they could locate their position on a fuel remaining/apogee chart that
tells them which OMS targets to burn (nominal, ATO, or AOA); during
sims, when they practiced that precise action, the PLT and CDR joked
that Musgrave wouldn't be able to time it correctly. All 3 had the
same time.

Nick Kralevich

Apr 28, 1996

In article <4lhien$2...@dfw-ixnews8.ix.netcom.com>,

Michael R. Grabois <or...@ix.netcom.com> wrote:
>The ATO that was performed on mission 51-F in 1985 was due to a faulty
>sensor in one of the engines. The sensor read something incorrectly,
>and the shuttle software shut down the engine as a result of the
>readings. The BOOSTER officer (who is in charge of making sure the
>main engines are operating correctly) saw some other data that
>indicated that the sensor itself was wrong, and that the engines were
>in reality fine; that was a good thing, since another sensor wanted to
>shut down another engine, too.

What prevented the computers from shutting down the second engine?
I would imagine that the computers would react much faster than
a human could override it, and, as a result, the booster officer
wouldn't be able to do much besides watch the engine die.

Can a main engine be restarted after it has automatically or
manually shut down?

It bothers me that a faulty sensor was responsible for a main engine
shutdown. What's to prevent three identical sensors in the three engines
from failing simultaneously? Would the computer, in this case, shutdown
ALL the engines? Or would it wait for confirmation from ground and/or the
shuttle crew?

What would be the abort mode if all three engines shut down? Can a shuttle
or ground controller override the sensors in the engine, if they believe
that the sensors are wrong?

I think I remember hearing that the shuttle planners could have a loss
of two engines and still guarantee survival (assuming nothing else goes
wrong), and that a guarantee of survival cannot be made with a loss of
all three main engines.

If all three main engines failed in the first 15 seconds of launch, would
the solid rocket boosters have sufficient thrust to continue forward
acceleration?

Someone else, in another article, mentioned that it was a goal to
get the ET down to 2% or less of propellant before doing an ET/orbiter
separation (due to sloshing of propellant and aerodynamic reasons).
In the event of a loss of all three engines, there would be no way of
burning off this fuel.

Has anyone calculated the odds of losing all three engines?

Take care,
-- Nick Kralevich
nick...@cory.eecs.berkeley.edu


Andy Foster

Apr 29, 1996

Space Shuttle Main Engine (SSME) shutdown is primarily controlled by a computer mounted on the engine called a Main Engine Controller. The SSME MEC monitors
several "redline" sensors in the engines that monitor critical parameters. In theory, the violation of any "redline" parameter indicates that the engine is about to undergo
a critical failure. In that case, the engine is shut down.

These controllers "talk to" and are "talked to" by the Orbiter's GPC's. A software sequence in the Orbiter's computers called "SSME OPS" is the primary software
sequence that handles this task.

As it was explained to me, the Main Engine Controllers are located on the SSME's primarily to cut response time. Processing time by the Orbiter GPC's is too slow to allow
them to respond quickly enough to an impending engine failure. The SSME MEC's therefore handle that.

Once an SSME is shutdown, the SSME OPS sequence in the Orbiter GPC's issues a command to the
remaining SSME MEC's called "Main Engine Shutdown Limits Inhibit". This command tells the SSME
MEC's to not shut any further engines down even if redlines are violated. The crew can manually override
this command with a switch in the cockpit or also command the engine shutdown to inhibit if necessary.

The BOOSTER controllers can see what's happening on the critical engine parameters. On 51F, a malfunctioning
temperature sensor on one engine shut the engine down. I don't remember the exact scenario, but I believe that
limits were inhibited. The BOOSTER saw another temperature sensor creeping up toward the redline in the same
manner as the first one on a remaining engine. Sometimes, the "limit logic" (when the SSME's are inhibited and when
they are not) can get confusing and other engine problems can mask the true status. For that reason, the
BOOSTER (Genny Howard) called for the Main Engine Limits switch to go to Inhibit as a precaution.

Once an SSME has been shutdown, it is not capable of restarting.

The odds of identical sensors failing in three engines at the same time are pretty astronomical. That would
be the only way the sensors could shut all three engines down simultaneously.

If an SSME fails with limits inhibited and the vehicle is still intact, the crew can tell the computers the SSME is down
using switches in the cockpit. (Unless the logic has been corrected, the computers--at least in the simulators--often
mistake this for another kind of failure called a Data Path failure.)

There really is no such thing as a guarantee of survival. The effect of multiple SSME failures on the vehicle was a topic
of wide debate. Some folks didn't think the Orbiter would be intact. Others pointed to how well the SSME's survived Challenger.
We did have procedures to cover multiple engine out cases, no matter where they occurred. What the result was depended
on how many engines failed and when. You might complete an intact abort (RTLS, TAL, ATO, AOA, or even a nominal mission.)
or you might have to fly a contingency abort--maneuvers that generally were aimed to get the crew to a bailout though there were
some from which we could land the vehicle. Three engine out scenarios were the same way, though most three engine out scenarios
resulted in a bailout.

Three engine out during first stage is the worst. Yes, the solids continue on. That is, indeed, part of the problem. If three
engines die before max q, the Orbiter probably will shear off the tank. After that, there might be a chance to fly a contingency abort. Might be.

The 2% propellant goal (I actually listed that) was for an RTLS. In contingency abort scenarios, we designed the procedures to
get the tank off as quickly as possible and without what we call "recontact". There are several pretty wild flight maneuvers that are used.

You do what you can. Otherwise, you're dead anyway.

Yes, the JSC Safety Office has calculated the odds of three engines going out. They're pretty high. The way they did it, though, was
to calculate the odds of any single engine failure and extrapolate. What they didn't explore were likely propellant system failures.
If we ever suffer multiple engine out, my bet is that it will come from there. The argument that I would get from some folks was that kind
of failure would probably explode the vehicle anyway. I've been around flying machines most of my life. The failures that they often
give you are the ones you don't expect or think of.

Andy
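
A small Python model of the limits ENABLE/INHIBIT behaviour Andy describes, added here as an illustration only: it is not NASA flight software, and the redline value, engine names and temperature readings are constructed. It also runs the counterfactual with no automatic inhibit after the first shutdown, which is the case the "Main Engine Shutdown Limits Inhibit" command exists to prevent.

```python
"""Illustrative model of SSME redline monitoring with limits enable/inhibit.

Added for this discussion; not NASA or Rocketdyne flight software. Every
number (redline ceiling, sensor readings) and the engine names are constructed.
"""
from dataclasses import dataclass, field

# Constructed redline ceiling on a turbine discharge temperature, arbitrary units.
REDLINE_TEMP = 1000.0


@dataclass
class Engine:
    name: str
    running: bool = True


@dataclass
class Vehicle:
    engines: list
    # Models the automatic "Main Engine Shutdown Limits Inhibit" that SSME OPS
    # sends to the remaining controllers after the first engine shutdown.
    # Set False to see the counterfactual where a second bogus sensor also
    # takes an engine.
    auto_inhibit: bool = True
    limits_enabled: bool = True      # cockpit "limits" switch: ENABLE / INHIBIT
    log: list = field(default_factory=list)

    def running_engines(self):
        return [e.name for e in self.engines if e.running]

    def set_limits(self, enabled, who):
        """Crew switch or automatic command moving limits between ENABLE and INHIBIT."""
        self.limits_enabled = enabled
        self.log.append(f"{who}: limits {'ENABLE' if enabled else 'INHIBIT'}")

    def mec_sample(self, engine, temp):
        """One Main Engine Controller cycle for one engine.

        A redline violation shuts the engine down only while limits are
        enabled; with limits inhibited it is annunciated but the engine keeps
        running. After a shutdown the automatic inhibit (if modelled) stops the
        same logic from taking the remaining engines.
        """
        if not engine.running:
            return "down"
        if temp <= REDLINE_TEMP:
            return "nominal"
        if not self.limits_enabled:
            self.log.append(f"MEC {engine.name}: {temp:.0f} over redline, ANNUNCIATE ONLY")
            return "annunciate"
        engine.running = False
        self.log.append(f"MEC {engine.name}: {temp:.0f} over redline, SHUTDOWN")
        if self.auto_inhibit:
            self.set_limits(False, "SSME OPS (auto after shutdown)")
        return "shutdown"


def replay_51f_like(auto_inhibit=True):
    """Two bogus temperature sensors on two engines, one after the other.

    Returns the per-sample results, the engines still running, the final
    limits state and the event log. Readings are constructed.
    """
    v = Vehicle([Engine("SSME1"), Engine("SSME2"), Engine("SSME3")], auto_inhibit)
    r1 = v.mec_sample(v.engines[0], 1040.0)   # bad sensor on SSME1
    r2 = v.mec_sample(v.engines[1], 1015.0)   # same pattern creeping up on SSME2
    return (r1, r2), v.running_engines(), v.limits_enabled, v.log


def crew_reenables_for_real_redline():
    """Limits inhibited after the first shutdown, then the crew moves the switch
    back to ENABLE (the manual override) and a genuine redline on a third
    engine is honoured again."""
    v = Vehicle([Engine("SSME1"), Engine("SSME2"), Engine("SSME3")])
    v.mec_sample(v.engines[0], 1040.0)            # shutdown, auto inhibit
    v.set_limits(True, "crew (limits switch)")    # manual override back to ENABLE
    r = v.mec_sample(v.engines[2], 1200.0)        # constructed real redline on SSME3
    return r, v.running_engines()


if __name__ == "__main__":
    for auto in (True, False):
        results, running, enabled, log = replay_51f_like(auto)
        print(f"auto_inhibit={auto}: {results}, running={running}, limits_enabled={enabled}")
        for line in log:
            print("  ", line)
```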


Michael R. Grabois

Apr 29, 1996

On 28 Apr 1996 03:20:30 GMT, nick...@america.CS.Berkeley.EDU (Nick
Kralevich) wrote:

>In article <4lhien$2...@dfw-ixnews8.ix.netcom.com>,
>Michael R. Grabois <or...@ix.netcom.com> wrote:
>>The ATO that was performed on mission 51-F in 1985 was due to a faulty
>>sensor in one of the engines. The sensor read something incorrectly,
>>and the shuttle software shut down the engine as a result of the
>>readings. The BOOSTER officer (who is in charge of making sure the
>>main engines are operating correctly) saw some other data that
>>indicated that the sensor itself was wrong, and that the engines were
>>in reality fine; that was a good thing, since another sensor wanted to
>>shut down another engine, too.

>What prevented the computers from shutting down the second engine?
>I would imagine that the computers would react much faster than
>a human could override it, and, as a result, the booster officer
>wouldn't be able to do much besides watch the engine die.

When a main engine shuts down for whatever reason, the crew will "take
limits to inhibit" (move the "limits" switch from "enable" to
"inhibit"). With limits enabled, the computers can shut down an engine
if it sees something wrong enough according to its software. With
limits inhibited, the computers will annunciate the fact that
something's wrong, but they won't shut down the engine. The Booster
Officer on the ground will recommend shutting down the engine if
necessary.

>Can a main engine be restarted after it has automatically or
>manually shut down?

Nope. It's a one-shot deal. That's why the engines have to be replaced
if there's a pad abort in which the engines start then shut down
before liftoff.

>It bothers me that a faulty sensor was responsible for a main engine
>shutdown. What's to prevent three identical sensors in the three engines
>from failing simultaneously? Would the computer, in this case, shutdown
>ALL the engines? Or would it wait for confirmation from ground and/or the
>shuttle crew?

The computer would shut down the engines, provided that they were
still allowed to (see the "limits" discussion). And I'm not exactly
sure what the problem originally was-- whether it was a problem with
the sensor itself, or if the sensor for some reason got bad data.

>What would be the abort mode if all three engines shut down?

Depends on when the engines shut down. If it was too early, then it'd
probably be a bailout case (jump out and ditch the orbiter). If it's
later, then they may be able to get a TAL or even ATO out of it.

>Can a shuttle
>or ground controller override the sensors in the engine, if they believe
>that the sensors are wrong?

Yep (see above). That's just what was done on the 51F mission.

>I think I remember hearing that the shuttle planners could have a loss
>of two engines and still guarantee survival (assuming nothing else goes
>wrong), and that a guarantee of survival cannot be made with a loss of
>all three main engines.

Again, it depends on when the engines fail. You may recall hearing the
calls "Single Engine TAL" and "Single Engine Press to MECO" during an
ascent; those are the times at which the shuttle can still make that
abort mode successfully with just a single engine remaining. And a
late loss of all engines would probably result in a successful TAL.

>If all three main engines failed in the first 15 seconds of launch, would
>the solid rocket boosters have sufficient thrust to continue forward
>acceleration?

Yes, but not enough to do much of anything. This is a bailout case
(point the orbiter out to sea and jump out).

>Someone else, in another article, mentioned that it was a goal to
>get the ET down to 2% or less of propellant before doing an ET/orbiter
>separation (due to sloshing of propellant and aerodynamic reasons).
>In the event of a loss of all three engines, there would be no way of
>burning off this fuel.

True, but what else can you do in that case?

Jim Kingdon

Apr 29, 1996

> It bothers me that a faulty sensor was responsible for a main engine
> shutdown. What's to prevent three identical sensors in the three engines
> from failing simultaneously? Would the computer, in this case, shutdown
> ALL the engines? Or would it wait for confirmation from ground and/or the
> shuttle crew?

There are engine failure modes in which waiting for confirmation would
cause the engine to explode. In fact, the increased use of sensors is
partially responsible for the fact that engines don't tend to explode
in flight these days (look at the recent launch failures--guidance,
stage separation, etc.--not exploding engines).

Granted, the flakiness of the shuttle sensors is a cause for concern.
I'm not sure what the answer is.

James Mantle u

Apr 29, 1996

An excellent post, Andy!

Andy Foster (afo...@hic.net) wrote:

[snip]

: The odds of identical sensors failing in three engines at the same time are pretty astronomical. That would
: be the only way the sensors could shut all three engines down simultaneously.

[snip]

: Yes, the JSC Safety Office has calculated the odds of three engines going out. They're pretty high. The way they did it, though, was
: to calculate the odds of any single engine failure and extrapolate. What they didn't explore were likely propellant system failures.
: If we ever suffer multiple engine out, my bet is that it will come from there. The argument that I would get from some folks was that kind
: of failure would probably explode the vehicle anyway. I've been around flying machines most of my life. The failures that they often
: give you are the ones you don't expect or think of.

The big assumption here is that the failure amongst the sensors is an
independent failure. That is (forgive the examples, they are admittedly
poor ones), something mechanical fails (a wire falls off), it's installed
wrong, or the thing comes unscrewed, or whatever -- something which is
unique to that sensor.

However, a key word here is *identical* sensors: If the reason for failure
is a design fault in a sensor, and a sensor fails, then this is not an
independent event: The odds of all three failing is not the product of
p(failure<n>), n=1,2,3.

Jim
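
A worked calculation of the point Jim makes (and of the "take the single-engine odds and extrapolate" method Andy describes), added here as an example and not taken from the thread; it uses a simple beta-factor common-cause model with constructed probabilities, not shuttle reliability data.

```python
"""Independent versus common-cause failure of three "identical" sensors.

Added for this discussion with constructed numbers, not shuttle data. A
beta-factor model splits each sensor's failure probability p into a shared
design-fault part (beta * p, which takes every sensor out together) and an
independent part ((1 - beta) * p, unique to that one sensor)."""
from math import comb


def independent_all_fail(ps):
    """P(all fail) when each failure is unique to its sensor: the plain product
    of the per-sensor probabilities, i.e. the extrapolation from single-unit odds."""
    out = 1.0
    for p in ps:
        out *= p
    return out


def common_cause_all_fail(p, beta, n=3):
    """P(all n fail) under the beta-factor model.

    Either the common cause strikes (probability beta * p), or it does not and
    all n units must fail independently with probability (1 - beta) * p each.
    With beta = 0 this reduces to the product p ** n.
    """
    pc = beta * p            # common-cause share
    pi = (1.0 - beta) * p    # independent share per sensor
    return pc + (1.0 - pc) * pi ** n


def at_least_k_fail(p, beta, n=3, k=2):
    """P(at least k of n fail) under the same model, for the 'loss of two
    engines' question: the common cause fails all n at once, otherwise the
    independent failures follow a binomial distribution."""
    pc = beta * p
    pi = (1.0 - beta) * p
    tail = sum(comb(n, j) * pi ** j * (1.0 - pi) ** (n - j) for j in range(k, n + 1))
    return pc + (1.0 - pc) * tail


def common_cause_penalty(p, beta, n=3):
    """How many times more likely a total loss is than the independent estimate."""
    return common_cause_all_fail(p, beta, n) / independent_all_fail([p] * n)


if __name__ == "__main__":
    p = 1e-3   # constructed per-sensor failure probability per flight
    for beta in (0.0, 0.01, 0.1):
        print(f"beta={beta:<5} P(all 3)={common_cause_all_fail(p, beta):.3e} "
              f"P(>=2 of 3)={at_least_k_fail(p, beta):.3e} "
              f"x{common_cause_penalty(p, beta):,.0f} vs independent")
```

Even a 1% common-cause share moves the "all three" figure from the product of three small numbers to something close to the single-sensor figure times beta, which is why the product is the wrong estimate once a design fault is possible.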

DPHUNTSMAN

Apr 29, 1996

>However, a key word here is *identical* sensors: If the reason for
>failure is a design fault in a sensor, and a sensor fails, then this is not an
>independent event: The odds of all three failing is not the product of
>p(failure<n>), n=1,2,3.

Correct. And things like that do happen; e.g., STS-9, where two
simultaneous---and identical---happened on two APUs during descent,
causing identical fires that almost cost the mission. That's a Real
example of , "shit happens"!

Dave Huntsman
"The democracy of Taiwan is special. It is a germ of democracy that will
fool China's immune system if China insists on taking us on. David will
once again win the battle over Goliath." -- Ming-jing Hwang, Taipei

Greg d. Moore

May 2, 1996

Nick Kralevich wrote:
>
> In article <4lhien$2...@dfw-ixnews8.ix.netcom.com>,
> Michael R. Grabois <or...@ix.netcom.com> wrote:
> >The ATO that was performed on mission 51-F in 1985 was due to a faulty
> >sensor in one of the engines. The sensor read something incorrectly,
> >and the shuttle software shut down the engine as a result of the
> >readings. The BOOSTER officer (who is in charge of making sure the
> >main engines are operating correctly) saw some other data that
> >indicated that the sensor itself was wrong, and that the engines were
> >in reality fine; that was a good thing, since another sensor wanted to
> >shut down another engine, too.
>
> What prevented the computers from shutting down the second engine?
> I would imagine that the computers would react much faster than
> a human could override it, and, as a result, the booster officer
> wouldn't be able to do much besides watch the engine die.

The readings were moving towards a shut-down. The BOOSTER officer
realized they were bogus and overrode the computer.

> Can a main engine be restarted after it has automatically or
> manually shut down?

No. The conditions have to be just right. Also, they are ignited
by a one-shot "spark plug" item in them. Before you moan about how
badly the engines were designed, keep in mind that was the purposeful
design spec. I don't know of any engines used during a boost phase
that can be re-ignited during the boost phase. The RL-10 can be relit
but that is usually in orbit.

> It bothers me that a faulty sensor was responsible for a main engine
> shutdown. What's to prevent three identical sensors in the three engines
> from failing simultaneously? Would the computer, in this case, shutdown
> ALL the engines? Or would it wait for confirmation from ground and/or the
> shuttle crew?

There is more than one sensor. But you're right, if something
weird happened (as it almost did here) what would happen? I'm not
entirely sure.

> What would be the abort mode if all three engines shut down? Can a shuttle
> or ground controller override the sensors in the engine, if they believe
> that the sensors are wrong?

Yes, if the engines haven't been shut down, they can be overridden.

They can also be overridden when there is a problem, but the ground feels
it would be safer to keep flying. (For example, right at lift-off the
shuttle has GOT to get enough altitude. So it might be safer to fly on
three engines that you think may explode at any moment than to shut
all of them down and crash ignominiously on your tail.)

> I think I remember hearing that the shuttle planners could have a loss
> of two engines and still guarantee survival (assuming nothing else goes
> wrong), and that a guarantee of survival cannot be made with a loss of
> all three main engines.

It depends on what point in the flight they are. If you listen
during a lift-off you'll hear "Two engine Press to MECO (main engine
cut-off)" followed a few minutes later by "One engine Press to MECO".

This means that if they lose an engine (or later two) they can fly the
other engines longer or hotter and still make a stable orbit. That
is what happened on STS-26 (19th flight), one engine quit and they flew
an ATO profile. They arrived in orbit lower than planned but safe.

> If all three main engines failed in the first 15 seconds of launch, would
> the solid rocket boosters have sufficient thrust to continue forward
> acceleration?

No.

> Someone else, in another article, mentioned that it was a goal to
> get the ET down to 2% or less of propellant before doing an ET/orbiter
> separation. (due to sloshing of propellant and aerodynamic reasons).
> In the event of a loss of all three engines, there would be no way of
> burning off this fuel.

I don't recall, but I believe there is a dump valve on the
17" disconnects. (BTW, for someone else, Henry perhaps, Jenkins talks about
switching to smaller disconnects. Is this still planned, has it happened?)

And checking, yes: the LH2 dump is on the aft fuselage's left side between the
OMS pod and the upper surface of the wing.

> Has anyone calculated the odds of losing all three engines?
>
> Take care,
> -- Nick Kralevich
> nick...@cory.eecs.berkeley.edu

--
---
str...@acm.rpi.edu |http://acm.rpi.edu/~strider
Green Mountain Software |
I do not speak for anyone in any way.


djenkins

May 2, 1996

Greg d. Moore wrote:
>
> Nick Kralevich wrote:
> >
>

lots of stuff deleted ...


> > I don't recall, but I believe there is a dump valve on the
> > 17" disconnects. (BTW, for someone else, Henry perhaps, Jenkins talks about
> > switching to smaller disconnects. Is this still planned, has it happened?)

The 14-inch disconnects that I mentioned in the first edition of my Shuttle book were cancelled
for economic reasons in 1993 before any production articles had been built. Some of the
technology developed for them is scheduled to be incorporated into the existing 17-inch valves.

BTW, my description of the STS-26 (51-F) ATO in the book was incorrect. The SSME's were *not*
throttled past 100% again ... they were burned at 65% for a longer time than planned to
make up the energy lost when the engine shut down.

As an aside, all of this is in the 2nd edition (plus lots of other stuff) that should hit the
shelves in the middle of June.

DJ


--
---------------------------------------------------------------------------
"Ignorance killed the cat, sir, curiosity was framed." | djen...@iu.net
-- Sabrina Perrault-Cadiz |
---------------------------------------------------------------------------

Michael R. Grabois

May 3, 1996

Just clearing up a couple of points:


On Thu, 02 May 1996 10:09:30 -0400, "Greg d. Moore"
<str...@acm.rpi.edu> wrote:

> It depends on what point in the flight they are. If you listen
>during a lift-off you'll hear "Two engine Press to MECO (main engine
>cut-off)" followed a few minutes later by "One engine Press to MECO".

Actually, it's just "Press to MECO" and "Single Engine Press to MECO".

>This means that if they lose an engine (or later two) they can fly the
>other engines longer or hotter and still make a stable orbit. That
>is what happened on STS-26 (19th flight), one engine quit and they flew
>an ATO profile. They arrived in orbit lower than planned but safe.

STS-26 went just fine. You're thinking of STS-51F in 1985.

Greg d. Moore

May 3, 1996

djenkins wrote:
>
> Greg d. Moore wrote:
> >
> > Nick Kralevich wrote:
> > >
> >
>
> lots of stuff deleted ...
>
> > > I don't recall, but I believe there is a dump valve on the
> > > 17" disconnects. (BTW, for someone else, Henry perhaps, Jenkins talks about
> > > switching to smaller disconnects. Is this still planned, has it happened?)
>
> The 14-inch disconnects that I mentioned in the first edition of my Shuttle book were cancelled
> for economic reasons in 1993 before any production articles had been built. Some of the
> technology developed for them is scheduled to be incorporated into the existing 17-inch valves.
>

If you've got the time, could you describe what changes these are (besides
the extra latch that was already put into the 17" disconnect.)

> BTW, my description of the STS-26 (51-F) ATO in the book was incorrect. The SSME's were *not*
> throttled past 100% again ... they were burned at 65% for a longer time than planned to
> make up the energy lost when the engine shut down.

Ah, so one minor mistake. Still, overall, an excellent book.

> As an aside, all of this is in the 2nd edition (plus lots of other stuff) that should hit the
> shelves in the middle of June.

Now this isn't fair, I just picked up the first edition in February! BTW,
I got it at KSC and almost passed by it. My first look at the cover made me think
it was some tabloid style book. Then I looked closely at the cover and noticed
the name of the author. I knew I had to have it. I'm glad I got it. It's
an excellent source of material. I can't wait until the 2nd edition (and
the 3rd and 4th... :-)

Keep up the good work.

Oh, one last question, since it came up earlier today. On page 168, you say NASA
let out a contract for a new set of structural spares? Were these actually built?

Thanks.

> DJ
>
> --
> ---------------------------------------------------------------------------
> "Ignorance killed the cat, sir, curiosity was framed." | djen...@iu.net
> -- Sabrina Perrault-Cadiz |
> ---------------------------------------------------------------------------

--

Andy Foster

May 4, 1996

We've been flying at 104% for a long time. In fact, when a main engine fails, the other engines
will throttle to 104% if they're not there already, except for some RTLS cases when the vehicle is in flyback. Throttle backs to
65% occur either under three g throttling or in what is known as MECO PREP (6 seconds
before MECO for anything but RTLS; 20 seconds before MECO there.) Three engine RTLS and TALs
are flown at 65% for most of their routes. Two engine MECO PREP throttle backs at the time of 51F
were only to 91% for all cases.

At MECO PREP, most guidance constraints are released except for the velocity target. The SSME's
will remain at 65% until that target is hit or propellant depletion becomes a danger. The SSME's
then shutdown.

When an ATO is selected, ascent guidance calls for a different set of MECO targets for the ATO.
In some cases, we used the same targets that we did for a nominal trajectory (i.e., engine out performance
was good enough and orbital parameters were low enough to support that) . In some cases, the
different target involves flying to a slightly lower orbit. I believe this was the case for 51F. In addition, OMS
propellant is dumped (burned) through OMS and RCS jets to lighten the vehicle. These two factors--OMS dump
and retargeting--regain most of the performance lost by the SSME failure. 51F did have a "lower" ATO
guidance target.

To the best of my knowledge, there was no significant difference in the throttle profile for 51F. The
MECO time was longer than that for a nominal and that usually is the case.

Andy

Greg d. Moore

May 5, 1996

Michael R. Grabois wrote:
>
> Just clearing up a couple of points:
>
> On Thu, 02 May 1996 10:09:30 -0400, "Greg d. Moore"
> <str...@acm.rpi.edu> wrote:
>
> > It depends on what point in the flight they are. If you listen
> >during a lift-off you'll hear "Two engine Press to MECO (main engine
> >cut-off)" followed a few minutes later by "One engine Press to MECO".
>
> Actually, it's just "Press to MECO" and "Single Engine Press to MECO".

>
> >This means that if they lose an engine (or later two) they can fly the
> >other engines longer or hotter and still make a stable orbit. That
> >is what happened on STS-26 (19th flight), one engine quit and they flew
> >an ATO profile. They arrived in orbit lower than planned but safe.
>
> STS-26 went just fine. You're thinking of STS-51F in 1985.

There is some confusion here. According to Jenkins' book, page
185:

Flight #  STS #  Manifest #  Orbiter  Flight Date  Notes:
19        26     51-F        OV-099   Jul 29 85    In-flight ATO...

So, you could argue either of us are correct. Or Jenkins is wrong. :-)

>
> Michael R. Grabois | http://ourworld.compuserve.com/homepages/mgrabois
> Houston, TX | or...@ix.netcom.com CI$: 74737,2600
> ----------------------------------------------------------------------
> Gravity. It's not just a good idea, it's the law.

--

Michael R. Grabois

May 6, 1996

On Sun, 05 May 1996 09:30:13 -0400, "Greg d. Moore"
<str...@acm.rpi.edu> wrote:

>Michael R. Grabois wrote:
>>
>> STS-26 went just fine. You're thinking of STS-51F in 1985.
>
> There is some confusion here. According to Jenkins' book, page
>185:
>
>Flight #  STS #  Manifest #  Orbiter  Flight Date  Notes:
>19        26     51-F        OV-099   Jul 29 85    In-flight ATO...
>
>So, you could argue either of us are correct. Or Jenkins is wrong. :-)

Ah, I see the confusion. STS-51F was the 26th manifested mission, but
due to shifts in the schedule and cancellation of some missions, it
was the 19th to actually fly.

Andy Foster

May 6, 1996

I want to clarify and correct a couple of items in my previous post.

I went back and double checked when someone questioned it,
and the 51F ATO guidance targets appear to be the same as nominal.

Also, ascent guidance releases attitude and orbital plane position
targets 40 seconds prior to MECO. She's steering for velocity only after that.
Closed loop guidance is terminated at "fine count" which occurs ten
seconds prior to MECO for nominal/ATO/ or TAL and 6 seconds prior
to MECO during RTLS. I believe the MECO PREP discrete is also set
in the SSME OPS sequence at these times.

What I'd give for a FSSR...

Andy

djenkins

May 6, 1996

Greg d. Moore wrote:
>

(stuff deleted)

> Oh, one last question, since it came up earlier today. On page 168, you say NASA
> let out a contract for a new set of structural spares? Were these actually built?


The second set of structural spares were cancelled before any significant pieces were built. About all
we got were some minor piece-parts and some MPS plumbing and valves. No airframe sections were
completed. And most of the airframe tooling was ordered destroyed (NASA did not want to continue paying
for storage), so there is little chance we could economically build another vehicle (or repair a
seriously damaged one).

DJ

P.S. BTW, I significantly changed the cover on the 2nd edition.

Burns Fisher

May 6, 1996

In article <3188C2...@acm.rpi.edu>, "Greg d. Moore" <str...@acm.rpi.edu>
writes:


|>Nick Kralevich wrote:
|>>
|>> In article <4lhien$2...@dfw-ixnews8.ix.netcom.com>,
|>> Michael R. Grabois <or...@ix.netcom.com> wrote:
|>> >The ATO that was performed on mission 51-F in 1985 was due to a faulty
|>> >sensor in one of the engines. The sensor read something incorrectly,
|>> >and the shuttle software shut down the engine as a result of the
|>> >readings. The BOOSTER officer (who is in charge of making sure the
|>> >main engines are operating correctly) saw some other data that
|>> >indicated that the sensor itself was wrong, and that the engines were
|>> >in reality fine; that was a good thing, since another sensor wanted to
|>> >shut down another engine, too.
|>>

My recollection is that the problem was in one of the temp measurements in the
engine. I forget exactly which...maybe one of the turbopump exhaust temps.
Anyway, there are somewhere on the order of 3 temp sensors in each engine for
this measurement. One failed...they could tell it was a failure because it
failed off-scale positive, which is the typical failure indication for this
particular sensor. All is ok; the engine controller still "believes" the two
remaining sensors. A second one fails. Oops...now the majority says offscale
high. Shut down the engine. To controllers looking at those readings it was
quite clear what had happened, but the controllers were programmed the way they
were...

Anyway, now a sensor fails on another engine. Ooops....big time trouble if a
fourth one fails. Time to override the sensors. I don't remember if the second
sensor on the second engine actually did fail. I also don't remember if the
review board ever figured out why there was this sudden crop of failures.
However, that is why they had time to override the sensors.

Burns
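The majority-vote behaviour Burns describes, together with the earlier point in this thread that identical sensors do not fail independently, as an added example. This is not code from the thread and not the SSME controller's actual redline logic; the channel range, the redline, every reading and the beta-factor common-cause model are my assumptions, constructed for the illustration.

```python
"""Two-out-of-three sensor voting and common-cause failure.

Added illustration for the 51-F discussion in this thread; it is not
the SSME controller's actual redline logic. The channel range, the
redline and every reading below are constructed for the example; the
beta-factor model is a standard reliability-engineering model that is
assumed here, not something taken from the thread.
"""
from statistics import median

# Constructed channel parameters (engineering units are arbitrary).
RANGE_LOW = 0.0       # lowest reading a healthy channel can produce
RANGE_HIGH = 2000.0   # full scale; a channel failing "off-scale positive" pegs here
REDLINE = 1800.0      # constructed shutdown limit for the voted value


def naive_vote(readings):
    """Median of all channels: plain 2-of-3 majority voting.

    One pegged channel is outvoted by the two healthy ones. When a second
    channel pegs, the median *is* the pegged value, so the voter reports an
    over-temperature that does not exist: the sequence described for 51-F.
    """
    return median(readings)


def hardened_vote(readings, lo=RANGE_LOW, hi=RANGE_HIGH):
    """Disqualify any channel sitting at a rail before voting.

    A reading at or beyond the sensor's physical range is treated as a dead
    channel rather than as data. Returns (voted_value, good_channels);
    voted_value is None when no healthy channel remains.
    """
    good = [r for r in readings if lo < r < hi]
    if not good:
        return None, 0
    return median(good), len(good)


def naive_decision(readings):
    """Shut down when the voted value exceeds the redline."""
    return "SHUTDOWN" if naive_vote(readings) > REDLINE else "RUN"


def hardened_decision(readings):
    """Same redline test, but only healthy channels may vote.

    With every channel disqualified there is no measurement to act on, so
    the function says so instead of shutting down; the call can then be
    deferred to other data (the controllers' judgement, as in 1985). With a
    single healthy channel left the verdict is flagged as degraded: the
    engine keeps running, but there is no redundancy left on that channel.
    """
    value, n_good = hardened_vote(readings)
    if n_good == 0:
        return "NO_VALID_DATA"
    verdict = "SHUTDOWN" if value > REDLINE else "RUN"
    return verdict if n_good >= 2 else verdict + "_DEGRADED"


def p_all_fail_independent(p, n=3):
    """Probability that n channels all fail if failures are independent."""
    return p ** n


def p_all_fail_common_cause(p, beta, n=3):
    """Beta-factor model (assumed here): a fraction beta of each channel's
    failure probability comes from a cause shared by identical channels
    (a design fault) that fails all n at once; the remainder fails
    independently. Identical sensors thus lose most of what p**n promises.
    """
    p_cc = beta * p
    p_ind = (1.0 - beta) * p
    return p_cc + (1.0 - p_cc) * p_ind ** n


# Constructed reading sets for one engine's three channels.
SCENARIOS = {
    "nominal": [1500.0, 1510.0, 1495.0],
    "one_pegged": [2000.0, 1510.0, 1495.0],
    "two_pegged": [2000.0, 2000.0, 1495.0],
    "all_pegged": [2000.0, 2000.0, 2000.0],
    "real_overtemp": [1850.0, 1860.0, 1855.0],
}


def run_scenarios():
    """Decision of both voters for every constructed scenario."""
    return {name: (naive_decision(r), hardened_decision(r))
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in run_scenarios().items():
        print(f"{name:14s} naive={naive:9s} hardened={hardened}")
    p = 1e-3
    print("independent :", p_all_fail_independent(p))
    print("beta = 0.1  :", p_all_fail_common_cause(p, 0.1))
```

Two things the run shows that the prose alone does not: the naive voter and the hardened voter agree on a genuine over-temperature, so the range check costs nothing on the case that matters, and once two identical channels have pegged the hardened voter is down to one opinion, which is why it reports a degraded state rather than silently pretending redundancy still exists. The beta-factor numbers make the earlier point about identical sensors concrete: even a small shared-cause fraction puts the all-three-fail probability orders of magnitude above p cubed.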

Burns Fisher

May 7, 1996

In article <318CAD...@acm.rpi.edu>, "Greg d. Moore" <str...@acm.rpi.edu>
writes:


|>Michael R. Grabois wrote:
|>>
|>> Just clearing up a couple of points:
|>>
|>> On Thu, 02 May 1996 10:09:30 -0400, "Greg d. Moore"
|>> <str...@acm.rpi.edu> wrote:
|>>
|>> > It depends on what point in the flight they are. If you listen
|>> >during a lift-off you'll hear "Two engine Press to MECO (main engine
|>> >cut-off)" followed a few minutes later by "One engine Press to MECO".
|>>
|>> Actually, it's just "Press to MECO" and "Single Engine Press to MECO".
|>>
|>> >This means that if they lose an engine (or later two) they can fly the
|>> >other engines longer or hotter and still make a stable orbit. That
|>> >is what happened on STS-26 (19th flight), one engine quit and they flew
|>> >an ATO profile. They arrived in orbit lower than planned but safe.
|>>
|>> STS-26 went just fine. You're thinking of STS-51F in 1985.
|>
|> There is some confusion here. According to Jenkins' book, page
|>185:
|>
|>Flight #  STS #  Manifest #  Orbiter  Flight Date  Notes:
|>19        26     51-F        OV-099   Jul 29 85    In-flight ATO...
|>
|>So, you could argue either of us are correct. Or Jenkins is wrong. :-)

Jenkins is wrong. STS-26 is the first flight after Challenger's destruction.
Shuttle flights did not have "51-F" style numbers after that. Besides, isn't
OV-099 Challenger? Besides, July 29, '85 is before the Challenger's
destruction.

I'd guess that the book has the STS-number wrong, since that seems to be the
inconsistency.

Burns
