Before we dive into things, I have two links to share with you.
The first is my video on Space Shuttle abort modes, as it's very useful to understand what the options were for the shuttle.
The second is a truly wonderful book by Rand Simberg titled "Safe is not an option - How a futile obsession with getting everyone back alive is killing our expansion in space".
His main point is that we know that death is a possibility in many human endeavors - driving, flying a private plane, skydiving - and also within many jobs - commercial diving, fishing, research in Antarctica, and the military. And we, as a society, have learned to deal with it. That's not to say we don't try to make those activities safer, merely that risk is inherent in life and many of these things are worth doing.
But somehow space - and particularly NASA - has decided that astronauts are different and that we cannot take risks. Perhaps the best example of this is the cancellation of the final Hubble servicing mission in 2004 because of safety concerns. The Hubble is one of NASA's priceless assets, and after significant lobbying and a change of NASA administrator - some of the lobbying by astronauts who understood both the risk and the benefit - it was reinstated.
The ebook is only $5, and it's well worth your time. So go read it now, and I'll wait.
All done? Okay, let's get started.
If you look around, you will find a lot of explanations why airlines don't have parachutes for passengers that explain how impractical it would be and how most accidents wouldn't provide time to use the parachutes.
All those points are true.
But they largely view parachutes as pointless, and they are wrong in that.
Here's a video of how airplane evacuations are supposed to happen, during an evacuation test of the Airbus A380.
Now ask yourself, what would happen if 10% of those people were wearing bulky parachutes and tried to make their way off the plane?
Aviation disasters are very well studied, and we know that the time it takes to get off the plane can be the difference between life and death. We also know that passengers do not follow instructions: there are documented cases where people have died because they inflated their life vests inside the plane and then could not get out through exits that were slightly under water.
Parachutes would kill passengers who otherwise would have lived.
The point here is that safety changes can be good and they can be bad. We can express this in numerical terms.
We can look at how much better our mitigation is, multiply it by the chance of that scenario coming up, and get an estimate of the safety improvement.
We can look at the problems our mitigation might cause, multiply them by the chance of that scenario coming up, and get an estimate of the safety loss.
Applying this to our parachute scenario with some made-up numbers, let's assume that the parachute can save 50% of the people that would otherwise die, and the chance of that scenario is one in one thousand. That gives us an improvement of half of one in one thousand, or one in two thousand.
Let's assume that the scenario where parachutes slow down evacuation results in only 10% extra deaths, and that the chance of that scenario is one in one hundred. That gives a reduction in safety of one tenth of one in one hundred, or one in one thousand.
The point being that safety losses in other scenarios can outweigh the safety gains in the scenario you are trying to address.
Let's use SLS as an example, with the Orion capsule on top, and some made-up numbers.
SLS is 99% successful and blows up 1% of the time, so the survival rate is 99%.
Take the Orion capsule and add a launch escape system to it. Let's assume that system is 90% successful.
So, we can take the 1% chance of needing the launch escape system times the 90% success rate when we need it, and figure out that we get an increase of 0.9 percentage points in the survival rate, pushing us up to 99.9% total.
Abort systems are great.
Now let's look at the non-abort scenario. For reentry and landing to succeed, the abort system needs to be jettisoned from the capsule.
Let's say that works 98% of the time and fails 2% of the time.
We can take that 2% chance of failure times the 99% of the time an abort isn't needed, and that leads to loss of the crew 1.98% of the time, reducing our overall survival rate to 97.92% (0.99 × 0.98 + 0.01 × 0.90).
Abort systems are terrible.
This leads to an important general principle:
Small failure rates in common scenarios can exceed big improvements in rare scenarios
And the follow on:
Abort systems must be extremely reliable in the non-abort case
This is one reason the Crew Dragon does not have a launch escape tower: with the escape thrusters built into the capsule, a tower failing to jettison is no longer a possible scenario.
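To make the arithmetic in this section concrete, here is a small Python model. It is added here as an example and is not code from the video: it takes the made-up probabilities above, computes the survival rate with and without the mitigation, and solves for the break-even point, the highest failure rate the mitigation may have in the non-abort case before it does more harm than good. It assumes the two failure modes are independent and that the bad scenario is fatal when the mitigation is absent; both are modeling assumptions of this example, not anything the video states.

```python
"""Expected-value model of a safety mitigation that brings its own failure mode.

Added example; the probabilities are the video's made-up numbers. Assumed:
the two failure modes are independent, and the scenario the mitigation
addresses (booster failure, crash) is fatal without the mitigation.
"""


def survival_without(p_bad: float) -> float:
    """Survival probability with no mitigation fitted."""
    return 1.0 - p_bad


def survival_with(p_bad: float, p_works: float, p_side_effect: float) -> float:
    """Survival probability once the mitigation is fitted.

    p_bad          chance the scenario the mitigation addresses occurs
    p_works        chance the mitigation saves the crew when that scenario occurs
    p_side_effect  chance the mitigation itself kills the crew in the normal case
                   (e.g. an escape tower that fails to jettison)
    """
    saved_by_mitigation = p_bad * p_works
    killed_by_side_effect = (1.0 - p_bad) * p_side_effect
    return survival_without(p_bad) + saved_by_mitigation - killed_by_side_effect


def break_even_side_effect(p_bad: float, p_works: float) -> float:
    """Largest side-effect failure rate at which the mitigation still pays for itself.

    Solve (1 - p_bad) * f = p_bad * p_works for f.  Any higher f and the
    mitigation lowers overall survival.
    """
    return p_bad * p_works / (1.0 - p_bad)


def net_change(p_gain_scenario: float, gain: float,
               p_loss_scenario: float, loss: float) -> float:
    """General form of the parachute argument: expected fraction of lives saved
    minus expected fraction of lives lost, per flight.  Negative means the
    mitigation kills more people than it saves."""
    return p_gain_scenario * gain - p_loss_scenario * loss


if __name__ == "__main__":
    # Parachute case from the text: saves 50% in a 1-in-1000 scenario,
    # adds 10% deaths in a 1-in-100 scenario.
    print(f"parachute net change per flight: {net_change(1/1000, 0.5, 1/100, 0.1):+.4%}")

    # SLS/Orion case from the text.
    p_bad, p_works = 0.01, 0.90
    print(f"no escape system:            {survival_without(p_bad):.2%}")
    print(f"escape system, jettison ok:  {survival_with(p_bad, p_works, 0.00):.2%}")
    print(f"escape system, 2% no-jettison: {survival_with(p_bad, p_works, 0.02):.2%}")
    print(f"break-even no-jettison rate: {break_even_side_effect(p_bad, p_works):.3%}")
```

Running it reproduces the 99.9% figure with a perfect jettison and 97.92% with a 2% jettison failure rate, and reports a break-even jettison failure rate of about 0.91%. That last number is the check a practitioner wants: it says how reliable the abort system has to be in the case that happens on every flight. The same arithmetic applies to any protective mechanism that is armed on every run but only needed on rare ones.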
Here we have our space shuttle stack.
In a normal mission, both the solid rocket boosters and the three main engines are ignited on the launch pad. The solids burn for about 2 minutes, and the main engines burn for a little more than 8 minutes.
At that point, we reach Main Engine Cut Off, or MECO, and the orbiter is essentially in orbit.
The aborts are all about what happens when something doesn't go quite right. The first thing to note is that there is no abort if the solid rocket boosters fail.
The aborts are all based on one or more main engines failing or underperforming, and the options depend upon when the engine failures happen. The abort options and timings depend upon the destination of the shuttle and the amount of payload it is carrying. The chart that I'm showing is from STS-116, which was a mission to the international space station.
We'll start by looking at the cases where a single engine fails, starting at the end of the launch and working our way back.
If the engine failure happens after about 6.5 minutes, there is no abort required. The remaining engines will burn longer and the mission proceeds normally.
If the engine failure happens from 4.5 minutes to 6.5 minutes, the orbiter cannot generate enough speed to get into the desired orbit but it can get into a temporary orbit, so the Abort To Orbit - or ATO - abort option is used. This option allows time to decide what to do.
If the orbit is close to the desired - or nominal - orbit, the Orbital Maneuvering System engines can be used to raise the orbit to the nominal orbit, or at least one that is good enough for the goals of the mission.
If continuing the mission is not possible, the flight is converted to the Abort Once Around - or AOA - option. The shuttle gets into orbit and then reenters before completing an entire orbit. Depending on the orbit that the shuttle was aiming for, they would land at Edwards Air Force Base in California, Holloman Air Force Base in New Mexico, or back at the launch site in Florida.
If the engine fails from 2.5 minutes to 4.5 minutes, the shuttle cannot generate enough speed to reach orbit, so the transoceanic abort landing - or TAL - option is chosen. Depending on the orbital inclination of the mission, different landing sites were used.
A mission to Hubble would be to 28.5 degrees, so their TAL landing site would be Banjul International Airport in Gambia.
STS-116 went to the International Space Station at 51.6 degrees, so its prime TAL landing site was Zaragoza Air Base in Spain, with possible backup sites in France, Spain, and Morocco, and the capability to land at other emergency landing sites.
TAL aborts can also be used for systems failures unrelated to engines, such as propellant leaks, cabin leaks, or cooling issues.
If an engine fails in the first 2.5 minutes of flight, there isn't enough energy to do a TAL abort, so the return to launch site - or RTLS - option is chosen.
Getting back to the launch site is complicated. The orbiter is moving away from the launch site, so it needs to perform a powered pitcharound with the engines running until it is pointing back toward the launch site, first killing its downrange velocity and then building up velocity back toward the site. Then it performs a powered pitch down to get the nose at the proper angle for gliding.
At that point - in the highlighted box - the shuttle needs to be at the proper altitude, the proper velocity, the proper angle and be pointed at the proper direction. The main engines can then be shut off, the orbiter detached from the external tank, and the glide to the runway started.
To make it a little more complicated, it's not safe to separate from the external tank if the external tank has more than 2% of its fuel remaining, so it must also use up its fuel before it reaches that point. That may require it to do a maneuver called "lofting", where it flies a high flight path to waste fuel.
It's not clear how feasible RTLS was. In 1980, STS-1 commander John Young said, "RTLS requires continuous miracles interspersed with acts of God to be successful". RTLS was improved after that, but it still remained iffy.
With two engines out, we are into what are known as contingency aborts. Quoting, "Contingency abort procedures are executed when multiple main engines fail or suffer a performance degradation that results in the loss of all other intact abort options."
There are both nominal and transoceanic abort landing options, but they have shrunk and there is no longer an Abort to orbit option as the shuttle can't generate enough speed to make it to orbit.
DRP stands for Droop Guidance. There is a requirement that the shuttle stay above 265,000 feet (about 80 km) at high speeds to keep the external tank from overheating; if the computers predict the vehicle will drop below that, they enter droop guidance and rotate the shuttle into the "stand on the tail" attitude to minimize the sink rate. In this region of the chart TAL should still be achievable, but droop guidance can engage at other times as well.
If both engines fail before 5.5 minutes, we enter an ECAL or BDA abort. ECAL stands for East Coast Abort Landing, which in practice means a series of airports along the eastern seaboard where a shuttle might be able to land. Because this flight is to the ISS, the ground track runs up the eastern seaboard and ECAL is therefore the contingency option of choice; if the launch were more to the east, an abort to Bermuda (BDA) would be the only option. If this situation is detected, the software commands an unguided 45 degree yaw (turn) in the direction of the landing site, which is intended to make it easier for the shuttle to reach the site. The nose is pointed up to prevent the vehicle from sinking too quickly.
If a two-engine failure occurs during this period, the crew consults their documentation to choose an appropriate ECAL site.
Finally, if two engines fail in the first two minutes, RTLS will be initiated immediately and proceed in the same manner as 1 engine out.
There are other flight rules that may lead to an abort; these happen when a system fails that would compromise part of the mission.
If the orbital maneuvering system cannot function, a usable orbit cannot be achieved, so a TAL abort will be used.
If the auxiliary power units or hydraulics are failing, either RTLS or TAL will be chosen based on getting the orbiter back as soon as possible.
If there is a cabin leak, the cryogenics are failing, or the freon cooling is failing, the same rule applies.
If the two main electric buses are failing, the rules say to do RTLS but my guess is that it's either RTLS or TAL.
Finally, if one of the windows breaks, reentry is no longer possible so RTLS is the only option.
Finally, we reach the 3 engines out aborts. These are the most speculative and depend significantly on exactly when the failure happens, what the payload is, etc.
There are small nominal, Transoceanic abort landing, and ECAL/BDA options if the failures occur after 6 minutes.
Just before that we have what is known as a black zone.
The NASA documentation says, "Black zones are regions along the ascent trajectory that may not be survivable".
Black zones exist when:
Exceeding 470 knots airspeed during entry due to the inability of the flight control system to maintain control
Exceeding 4.2 g during entry, due to limits on the strength of the Orbital maneuvering system pods
Three engines fail when the SRBs are firing. This may lead to failure at the external tank and SRB attach points, poor separation dynamics (the ET may hit the orbiter), or a center of gravity beyond limits that makes the orbiter uncontrollable.
Experiencing high dynamic pressure during coast, too much for the reaction control system to be able to deal with
Control surface forces exceed their maximum or the wing or tail become too hot.
You can read all of those as "the orbiter loses control and breaks apart"
This first black zone is because the orbiter dives after the loss of engine thrust and is going too fast when it levels out.
Interestingly, there is a section earlier in flight where ECAL/BDA may be possible as there is less speed and therefore the flight levels out.
There is a black zone in the first 2 minutes if all three main engines fail, as none of the RTLS maneuvers can be accomplished. Further, there are black zones if the remaining engines fail for the same reason.
That covers all of the ascent aborts.
Let's talk about reentry.
Nearly all of reentry is a black zone; there is no abort possible if something goes wrong.
Originally, Columbia had ejection seats for the commander and pilot, but that was only a solution for two astronauts, and they were disabled after the first four flights and later removed.
After Challenger, they added a bail out option. If you get to 50,000 feet and you are more than about 55 nautical miles from the landing site, you won't reach the runway, and you can bail out. Or if you get there but there's some reason to think you can't land, you can bail out.
On this chart, the red box shows the time you have to prepare to bail out by flattening out the glide and turning on the autopilot. And the green shows the 90 seconds you have to get out.
Here's a simplified sequence:
At 50,000 feet, call for bailout, flatten out the glide with wings level at 185-190 knots and engage the autopilot.
At 40,000 feet, the cabin is vented to equalize pressure so the hatch can be opened.
At 30,000 feet, the side hatch is jettisoned and the crew exits the vehicle.