Space Shuttle abort modes
Space Shuttle abort modes were procedures by which the nominal launch of the NASA Space Shuttle could be terminated. A pad abort occurred after ignition of the shuttle's main engines but prior to liftoff. An abort during ascent that would result in the orbiter returning to a runway or to a lower than planned orbit was called an "intact abort", while an abort in which the orbiter would be unable to reach a runway, or any abort involving the failure of more than one main engine, was called a "contingency abort". Crew bailout was still possible in some situations where the orbiter could not land on a runway.
Redundant set launch sequencer abort
The three Space Shuttle main engines were ignited roughly 6.6 seconds before liftoff, and computers monitored their performance as they increased thrust. If an anomaly was detected, the engines would be shut down automatically and the countdown terminated before ignition of the solid rocket boosters at T − 0 seconds. This was called a "redundant set launch sequencer abort", and happened five times: STS-41-D, STS-51-F, STS-51, STS-55, and STS-68.Ascent abort modes
Once the shuttle's SRBs were ignited, the vehicle was committed to liftoff. If an event requiring an abort happened after SRB ignition, it was not possible to begin the abort until after SRB burnout and separation about two minutes after launch. There were five abort modes available during ascent, divided into the categories of intact aborts and contingency aborts.The choice of abort mode depended on how urgent the situation was, and what emergency landing site could be reached.
The abort modes covered a wide range of potential problems, but the most commonly expected problem was a main engine failure, causing the vehicle to have insufficient thrust to achieve its planned orbit. Other possible non-engine failures necessitating an abort included a multiple auxiliary power unit failure, a progressive hydraulic failure, a cabin leak, and an external tank leak.
Intact abort modes
There were four intact abort modes for the Space Shuttle. Intact aborts were designed to provide a safe return of the orbiter to a planned landing site or to a lower orbit than planned for the mission.Return to launch site
Return to launch site was the first abort mode available and could be selected just after SRB jettison. The Shuttle would continue downrange to burn excess propellant, as well as pitch up to maintain vertical speed in aborts with a main engine failure. After burning sufficient propellant, the vehicle would be pitched all the way around and begin thrusting back towards the launch site. This maneuver was called the "powered pitcharound" and was timed to ensure less than 2% propellant remained in the external tank by the time the Shuttle's trajectory brought it back to the Kennedy Space Center. Additionally, the Shuttle's OMS and reaction control system motors would continuously thrust to burn off excess OMS propellant to reduce landing weight and adjust the orbiter's center of gravity.Just before main engine cutoff, the orbiter would be commanded to pitch nose-down to ensure proper orientation for external tank jettison, since aerodynamic forces would otherwise cause the tank to collide with the orbiter. The main engines would cut off, and the tank would be jettisoned, as the orbiter used its RCS to increase separation. Once the orbiter cleared the tank, it would make a normal gliding landing about 25 minutes after lift-off.
If a second main engine failed at any point during PPA, the Shuttle would not be able to make it back to the runway at KSC, and the crew would have to bail out. A failure of a third engine during PPA would lead to loss of control and subsequent loss of crew and vehicle. Failure of all three engines as horizontal velocity approached zero or just before external tank jettison would also result in LOCV.
The capsule communicator would call out the point in the ascent at which an RTLS was no longer possible as "negative return", approximately 4 minutes after lift-off, at which the vehicle would be unable to safely bleed off the velocity it had gained in the distance between its position downrange and the launch site.
The RTLS abort mode was never needed in the history of the shuttle program. It was considered the most difficult and dangerous abort, and also among the most unlikely abort to have ever been attempted since there were only a very narrow range of probable failures that were survivable but nevertheless so time-critical as to rule out more time-consuming abort modes. Astronaut Mike Mullane referred to the RTLS abort as an "unnatural act of physics", and many pilot astronauts hoped that they would not have to perform such an abort due to its difficulty.
Transoceanic abort landing
A transoceanic abort landing involved landing at a predetermined location in Africa, western Europe or the Atlantic Ocean about 25 to 30 minutes after lift-off. It was to be used when velocity, altitude, and distance downrange did not allow return to the launch point by Return To Launch Site. It was also to be used when a less time-critical failure did not require the faster but more dangerous RTLS abort.A TAL abort would have been declared between roughly T+2:30 and main engine cutoff, about T+8:30. The shuttle would then have landed at a predesignated airstrip across the Atlantic. The last four TAL sites were Istres Air Base in France, Zaragoza and Morón air bases in Spain, and RAF Fairford in England. Prior to a shuttle launch, two sites would be selected based on the flight plan and were staffed with standby personnel in case they were used. The list of TAL sites changed over time due to geopolitical factors. The exact sites were determined from launch to launch depending on orbital inclination.
Preparations of TAL sites took four to five days and began one week before launch, with the majority of personnel from NASA, the Department of Defense and contractors arriving 48 hours before launch. Additionally, two C-130 aircraft from the manned space flight support office from the adjacent Patrick Air Force Base would deliver 8 crew members, 9 pararescuers, 2 flight surgeons, a nurse and medical technician, and of medical equipment to either Zaragoza, Istres, or both. One or more C-21s or C-12s aircraft would also be deployed to provide weather reconnaissance in the event of an abort with a TALCOM, or astronaut flight controller aboard for communications with the shuttle pilot and commander.
This abort mode was never needed during the entire history of the Space Shuttle program.
Abort once around
An abort once around was available if the shuttle was unable to reach a stable orbit but had sufficient velocity to circle the Earth once and land; all of which is completed around 90 minutes after lift-off. Around 5 minutes after lift-off, the shuttle reaches a velocity and altitude sufficient for a single orbit around Earth. The orbiter would then proceed into re-entry; NASA can choose to have the orbiter land at Edwards Air Force Base, White Sands Space Harbor, or Kennedy Space Center. The time window for using the AOA abort was very short: just a few seconds between the TAL and ATO abort opportunities. Therefore, taking this option due to a technical malfunction was very unlikely, although a medical emergency on board was another possible scenario that could have necessitated an AOA abort.This abort mode was never needed during the entire history of the space shuttle program.
Abort to orbit
An abort to orbit was available when the intended orbit could not be reached but a lower stable orbit was possible. This occurred on mission STS-51-F, when Challenger's center engine failed at the 5 minutes and 46 seconds mark after lift-off. An orbit near their planned orbit was established, and the mission continued despite the abort to a lower orbit. The Mission Control Center in Houston, Texas, observed an SSME failure and called "Challenger-Houston, abort ATO". The engine failure was later determined to be an inadvertent engine shutdown due to faulty temperature sensors.The moment at which an ATO became possible was referred to as the "press to ATO" moment. In an ATO situation, the spacecraft commander rotated the cockpit abort mode switch to the ATO position and depressed the abort push button. This initiated the flight control software routines which handled the abort. In the event of a loss of communications, the spacecraft commander could have made the abort decision and taken action independently.
A hydrogen fuel leak in one of the SSMEs on STS-93 resulted in a slight underspeed at main engine cut-off but did not necessitate an ATO and the shuttle achieved its planned orbit; if the leak had been more severe it might have necessitated an ATO, RTLS, or TAL abort.
Preferences
There was an order of preference for abort modes:- ATO was the preferred abort option whenever possible.
- TAL was the preferred abort option if the vehicle had not yet reached a speed permitting the ATO option.
- AOA would have been only used in the brief window between TAL and ATO options, or if a time-critical emergency developed after the end of the TAL window.
- RTLS resulted in the quickest landing of all abort options, but was considered the riskiest abort. Therefore, it would have been selected only in cases where the developing emergency was so time-critical that the other aborts were not feasible, or in cases where the vehicle had insufficient energy to perform the other aborts.
Contingency aborts
Contingency aborts involved failure of more than one SSME and would generally have left the orbiter unable to reach a runway. These aborts were intended to ensure the survival of the orbiter long enough for the crew to bail out. Loss of two engines would have generally been survivable by using the remaining engine to optimize the orbiter's trajectory so as to not exceed structural limits during reentry. Loss of three engines could have been survivable outside of certain "black zones" where the orbiter would have failed before bailout was possible. These contingency aborts were added after the destruction of Challenger.Post-''Challenger'' abort enhancements
Before the Challenger disaster during STS-51-L, ascent abort options involving failure of more than one SSME were very limited. While failure of a single SSME was survivable throughout ascent, failure of a second SSME prior to about 350 seconds would mean an LOCV, since no bailout option existed. Studies showed that an ocean ditching was not survivable. Furthermore, the loss of a second SSME during an RTLS abort would have caused an LOCV except for the period of time just prior to MECO, as would a triple SSME failure at any point during an RTLS abort.After the loss of Challenger in STS-51-L, numerous abort enhancements were added. With those enhancements, the loss of two SSMEs was now survivable for the crew throughout the entire ascent, and the vehicle could survive and land for large portions of the ascent. The struts attaching the orbiter to the external tank were strengthened to better endure a multiple SSME failure during SRB flight. Loss of three SSMEs was survivable for the crew for most of the ascent, although survival in the event of three failed SSMEs before T+90 seconds was unlikely due to design loads being exceeded on the forward orbiter/ET and SRB/ET attach points, and still problematic at any time during SRB flight due to controllability during staging.
A particularly significant enhancement was bailout capability. Unlike the ejection seat in a fighter plane, the shuttle had an inflight crew escape system. The vehicle was put in a stable glide on autopilot, the hatch was blown, and the crew slid out a pole to clear the orbiter's left wing. They would then parachute to earth or the sea. While this at first appeared only usable under rare conditions, there were many failure modes where reaching an emergency landing site was not possible yet the vehicle was still intact and under control. Before the Challenger disaster, this almost happened on STS-51-F, when a single SSME failed at about T+345 seconds. The orbiter in that case was also Challenger. A second SSME almost failed due to a spurious temperature reading; however the engine shutdown was inhibited by a quick-thinking flight controller. If the second SSME had failed within about 69 seconds of the first, there would have been insufficient energy to cross the Atlantic. Without bailout capability, the entire crew would have been killed. After the loss of Challenger, those types of failures were made survivable. To facilitate high-altitude bailouts, the crew began wearing the Launch Entry Suit and later the Advanced Crew Escape Suit during ascent and descent. Before the Challenger disaster, crews for operational missions wore only fabric flight suits.
Another post-Challenger enhancement was the addition of East Coast/Bermuda abort landings. High-inclination launches would have been able to reach an emergency runway on the East Coast of North America under certain conditions. Most lower-inclination launches would have landed in Bermuda.
An ECAL/BDA abort was similar to RTLS, but instead of landing at the Kennedy Space Center, the orbiter would attempt to land at another site along the east coast of North America or Bermuda. Various potential ECAL landing sites extended from South Carolina into Newfoundland, Canada. The designated landing site in Bermuda was Naval Air Station Bermuda. ECAL/BDA was a contingency abort that was less desirable than an intact abort, primarily because there was so little time to choose the landing site and prepare for the orbiter's arrival. All of the pre-designated sites were either military airfields or joint civil/military facilities. ECAL emergency sites were not as well equipped to accommodate an orbiter landing as those prepared for RTLS and TAL aborts. The sites were not staffed with NASA employees or contractors and the staff working there were given no special training to handle a Shuttle landing. If they were ever needed, the Shuttle pilots would have had to rely on regular air traffic control personnel using procedures similar to those used to land a gliding aircraft that has suffered complete engine failure.
Numerous other abort refinements were added, mainly involving improved software for managing vehicle energy in various abort scenarios. These enabled a greater chance of reaching an emergency runway for various SSME failure scenarios.
Ejection escape systems
An ejection escape system, sometimes called a "launch escape system", had been discussed many times for the shuttle. After the Challenger and Columbia losses, great interest was expressed in this. All previous and subsequent US manned space vehicles have launch escape systems, although as of 2020 none have ever been used for a manned flight.Ejection seat
The first two shuttles, Enterprise and Columbia, were built with ejection seats. It was only these two that were planned to be flown with a crew of two. Subsequent shuttles were built only for missions with a crew of more than two, including seats in the lower deck, and ejection seat options were deemed to be infeasible, so Challenger, Discovery, Atlantis, and Endeavour were built with no ejection seats. The type used on the first two shuttles were modified versions of the seats used in the Lockheed SR-71. The approach and landing tests flown by Enterprise had these as an escape option, and the first four flights of Columbia had this option as well. But STS-5 was the first mission to have a crew of more than two, and the commander made the decision that the ethical thing to do was to fly with the ejection seats disabled. Columbia's next flight was likewise flown with the seats disabled. By the time Columbia flew again, it had been through a full maintenance overhaul at Palmdale and the ejection seats had been fully removed. Ejection seats were not further developed for the shuttle for several reasons:- Very difficult to eject seven crew members when three or four were on the middeck, surrounded by substantial vehicle structure.
- Limited ejection envelope. Ejection seats only work up to about and 130,000 feet. That constituted a very limited portion of the shuttle's operating envelope, about the first 100 seconds of the 510 seconds powered ascent.
- No help during a Columbia-type reentry accident. Ejecting during an atmospheric reentry accident would have been fatal due to the high temperatures and wind blast at high Mach speeds.
- Astronauts were skeptical of the ejection seats' usefulness. STS-1 pilot Robert Crippen stated:
Ejection capsule
An alternative to ejection seats was an escape crew capsule or cabin escape system where the crew ejected in protective capsules, or the entire cabin is ejected. Such systems have been used on several military aircraft. The B-58 Hustler and XB-70 Valkyrie used capsule ejection, while the General Dynamics F-111 and early prototypes of the Rockwell B-1 Lancer used cabin ejection.Like ejection seats, capsule ejection for the shuttle would have been difficult because no easy way existed to exit the vehicle. Several crewmembers sat in the middeck, surrounded by substantial vehicle structure.
Cabin ejection would work for a much larger portion of the flight envelope than ejection seats, as the crew would be protected from temperature, wind blast, and lack of oxygen or vacuum. In theory an ejection cabin could have been designed to withstand reentry, although that would entail additional cost, weight and complexity. Cabin ejection was not pursued for several reasons:
- Major modifications required to shuttle, likely taking several years. During much of the period the vehicle would be unavailable.
- Cabin ejection systems are heavy, thus incurring a significant payload penalty.
- Cabin ejection systems are much more complex than ejection seats. They require devices to cut cables and conduits connecting the cabin and fuselage. The cabin must have aerodynamic stabilization devices to avoid tumbling after ejection. The large cabin weight mandates a very large parachute, with a more complex extraction sequence. Air bags must deploy beneath the cabin to cushion impact or provide flotation. To make on-the-pad ejections feasible, the separation rockets would have to be quite large. In short, many complex things must happen in a specific timed sequence for cabin ejection to be successful, and in a situation where the vehicle might be disintegrating. If the airframe twisted or warped, thus preventing cabin separation, or debris damaged the landing airbags, stabilization, or any other cabin system, the occupants would likely not survive.
- Added risk due to many large pyrotechnic devices. Even if not needed, the many explosive devices needed to separate the cabin entail some risk of premature or uncommanded detonation.
- Cabin ejection is much more difficult, expensive and risky to retrofit on a vehicle not initially designed for it. Had the shuttle been initially designed with a cabin escape system, adding one might have been more feasible.
- Cabin/capsule ejection systems have a patchy success record. Al White suffered a crushed arm when ejecting from the XB-70 mid-air collision
Space Shuttle abort history
| Date | Orbiter | Mission | Abort type | Abort time | Description |
| 1984-06-26 | Discovery | STS-41-D | RSLS | T−4 seconds | Sluggish valve detected in Space Shuttle main engine No. 3. Discovery rolled back to VAB for engine replacement. |
| 1985-07-12 | Challenger | STS-51-F | RSLS | T−3 seconds | Coolant valve problem with SSME No. 2. Valve was replaced on launch pad. |
| 1985-07-29 | Challenger | STS-51-F | ATO | T+5 minutes, 45 seconds | Sensor problem shutdown SSME No. 1. Mission continued in lower than planned orbit. |
| 1993-03-22 | Columbia | STS-55 | RSLS | T−3 seconds | Problem with purge pressure readings in the oxidizer preburner on SSME No. 2. All engines replaced on pad. |
| 1993-08-12 | Discovery | STS-51 | RSLS | T−3 seconds | Sensor that monitors flow of hydrogen fuel in SSME No. 2 failed. All engines replaced on launch pad. |
| 1994-08-18 | Endeavour | STS-68 | RSLS | T−1 second | Sensor detected higher than acceptable readings of the discharge temperature of the high pressure oxidizer turbopump in SSME No. 3. Endeavour rolled back to VAB to replace all three engines. A test firing at Stennis Space Center confirmed a drift in the fuel flow meter which resulted in a slower start in the engine which caused the higher temperatures. |
Emergency landing sites
Pre-determined emergency landing sites for the orbiter were chosen on a mission-by-mission basis according to the mission profile, weather and regional political situations. Emergency landing sites during the shuttle program included:Sites in which an orbiter has landed are listed in bold, but none is an emergency landing.
Algeria
- Aguenar – Hadj Bey Akhamok Airport, Tamanrasset
- Kingsford-Smith International Airport, Sydney, New South Wales
- RAAF Base Amberley, Ipswich, Queensland
- RAAF Base Darwin, Darwin, Northern Territory
- RAAF Base Pearce, Perth, Western Australia
- Lynden Pindling International Airport, Nassau
- Sir Grantley Adams International Airport, Bridgetown
- CFB Goose Bay, Goose Bay, Labrador
- CFB Namao, Edmonton, Alberta
- Gander International Airport, Gander, Newfoundland
- Stephenville International Airport, Stephenville, Newfoundland
- St. John's International Airport, St. John's, Newfoundland
- Halifax Stanfield International Airport, Halifax, Nova Scotia
- Amílcar Cabral International Airport, Sal Island
- Mataveri International Airport, Easter Island
- Istres-Le Tubé Air Base near Istres, France
- Hao Airport, Hao, French Polynesia
- Yundum International Airport, Banjul
- Köln Bonn Airport, Cologne
- Souda Air Base, Souda Bay, Crete
- Keflavík International Airport, Keflavík
- Shannon Airport, Shannon, County Clare
- Roberts International Airport, Monrovia
- Ben Guerir Air Base, Morocco
- Mohammed V International Airport, Morocco
- Lajes Field, Lajes
- Beja Airbase, Beja
- King Khalid International Airport, Riyadh
- Zaragoza Air Base
- Morón Air Base
- Gran Canaria Airport, Gran Canaria
- Berbera Airport, Berbera
- Air Force Base Hoedspruit
- Arlanda Airport, Stockholm
- Esenboğa International Airport, Ankara
- RAF Greenham Common, Berkshire, England
- RAF Brize Norton, Oxfordshire, England
- RAF Fairford, Gloucestershire, England
- RAF Finningley, South Yorkshire, England
- RAF Machrihanish, Campbeltown, Scotland
- RAF Mildenhall, Suffolk, England
- RAF Upper Heyford, Oxfordshire, England
- NAS Bermuda, St David's Island, Bermuda
- Naval Support Facility Diego Garcia, Diego Garcia, British Indian Ocean Territory
- Andersen Air Force Base, Guam
- Atlantic City International Airport, Pomona, New Jersey
- Bangor International Airport, Bangor, Maine
- Bradley International Airport, Windsor Locks, Connecticut
- MCAS Cherry Point, Havelock, North Carolina
- Naval Air Station Oceana, Virginia Beach, Virginia
- Columbus Air Force Base, Columbus, Mississippi
- Dover Air Force Base, Dover, Delaware
- Dyess Air Force Base, Abilene, Texas
- East Texas Regional Airport, Longview, Texas
- Edwards Air Force Base, California
- Ellsworth Air Force Base, Rapid City, South Dakota
- Elmendorf Air Force Base, Anchorage, Alaska
- Fort Huachuca, Arizona, Sierra Vista, Arizona
- Francis S. Gabreski Airport, Long Island, New York
- Grant County International Airport, Moses Lake, Washington
- Grand Forks Air Force Base, Grand Forks, North Dakota
- Griffiss International Airport, Rome, New York
- Grissom Air Force Base, Bunker Hill, Indiana
- Hickam Air Force Base, Honolulu, Hawaii
- John F. Kennedy International Airport, New York, New York
- Kennedy Space Center, Merritt Island, Florida
- Lehigh Valley International Airport, Allentown, Pennsylvania
- Lincoln Airport, Lincoln, Nebraska
- Mountain Home Air Force Base, Mountain Home, Idaho
- Myrtle Beach International Airport, Myrtle Beach, South Carolina
- Orlando International Airport, Orlando, Florida
- Otis Air National Guard Base, Falmouth, Massachusetts
- Pease Air Force Base, Portsmouth, New Hampshire
- Plattsburgh Air Force Base, Plattsburgh, New York
- Portsmouth International Airport, Portsmouth, New Hampshire
- Stewart Air National Guard Base, Newburgh, New York
- Westover Air Force Base, Chicopee, Massachusetts
- White Sands Space Harbor, White Sands, New Mexico
- Wilmington International Airport, Wilmington, North Carolina
- Wright-Patterson Air Force Base, Dayton, Ohio
- N'djili Airport, Kinshasa
In the event of an emergency deorbit that would bring the orbiter down in an area not within range of a designated emergency landing site, the orbiter was theoretically capable of landing on any paved runway that was at least long, which included the majority of large commercial airports. In practice, a US or allied military airfield would have been preferred for reasons of security arrangements and minimizing the disruption of commercial air traffic.
In popular culture
- A detailed RTLS maneuver is depicted in Mike Mullane's technothriller novel Red Sky: A Novel of Love, Space, & War.
- The use of the inflight crew escape system was depicted in Hollywood sci-fi movie Space Cowboys.
- A launch abort to Easter Island sets off the events of Lee Correy's novel Shuttle Down.