In rocketry, range safety or flight safety is ensured by monitoring the flight paths of missiles and launch vehicles, and enforcing strict guidelines for rocket construction and ground-based operations. Various measures are implemented to protect nearby people, buildings and infrastructure from the dangers of a rocket launch.
Governments maintain many regulations on launch vehicles and associated ground systems, prescribing the procedures that need to be followed by any entity aiming to launch into space. Ranges, the areas in which one or more spaceports are operated, issue closely guarded exclusion zones for air and sea traffic prior to launch, and close off certain areas to the public.
Contingency procedures are performed if a vehicle malfunctions or veers off course mid-flight. Usually, a range safety officer (RSO) commands the flight or mission to end by sending a signal to the flight termination system (FTS) aboard the rocket. The FTS then takes measures to eliminate any means by which the vehicle could endanger anyone or anything on the ground, most often through the use of explosives. Flight termination can also be triggered autonomously by a separate computer unit on the rocket itself.
Before each launch, the area surrounding the launch pad is evacuated, and notices are given to aviators and boaters to avoid certain locations on launch day. This facilitates the creation of a designated area for rockets to launch, called the launch corridor. The borders of the launch corridor are called the destruct lines. The exact coordinates of the launch corridor depend on weather and wind directions, and on the properties of the launch vehicle and its payload. Launches can be postponed or scrubbed because of a boat, ship or aircraft entering the launch corridor.[1]
To assist the range safety officer (RSO) in monitoring the launch and making decisions, many indicators show the condition of the space vehicle in flight. These have included booster chamber pressures, vertical plane charts (later supplanted by computer-generated destruct lines), and height and speed indicators. The RSO was supported in gathering this information by a team of RSOs reporting from profile and horizontal parallel wires used at liftoff (before radar technology was available) and from telemetry indicators. Throughout the flight, RSOs pay close attention to the instantaneous impact point (IIP) of the launch vehicle, which is constantly updated along with its position; when a rocket is predicted to cross one of the destruct lines in flight for any reason, a destruct command is issued to prevent the vehicle from endangering people and assets outside of the safety zone. This involves sending coded messages (typically sequences of audio tones, kept secret before launch) to special redundant UHF receivers in the various stages or components of the launch vehicle. Previously, the RSO transmitted an 'arm' command just before flight termination, which rendered the FTS usable and shut down the engines of liquid-fueled rockets. Now, the FTS is usually armed just before launch. A separate 'fire' command detonates explosives, typically linear shaped charges, to disable the rocket.
Reliability is a high priority in range safety systems, with extensive emphasis on redundancy and pre-launch testing. Range safety transmitters operate continuously at very high power levels to ensure a substantial link margin. The signal levels seen by the range safety receivers are checked before launch and monitored throughout flight to ensure adequate margins. When the launch vehicle is no longer a threat, the range safety system is typically safed (shut down) to prevent inadvertent activation. The S-IVB stage of the Saturn 1B and Saturn V rockets did this with a command to the range safety system to remove its own power.[2]
In the US space program, range safety is usually the responsibility of a Range Safety Officer (RSO), affiliated with either the civilian space program led by NASA or the military space program led by the Department of Defense, through its subordinate unit the United States Space Force. At NASA, the goal is for the general public to be as safe during range operations as they are in their normal day-to-day activities.[3] All US launch vehicles are required to be equipped with a flight termination system.[4]
Range safety has been practiced since the early launch attempts conducted from Cape Canaveral in 1950. Space vehicles for sub-orbital and orbital flights from the Eastern and Western Test Ranges were destroyed if they endangered populated areas by crossing pre-determined destruct lines encompassing the safe flight launch corridor. After initial lift-off, flight information is captured with X- and C-band radars, and S-band telemetry receivers from vehicle-borne transmitters. At the Eastern Test Range, S- and C-band antennas were located in the Bahamas and as far as the island of Antigua, after which the space vehicle had finished its propulsion stages or was in orbit. Two switches were used, arm and destruct. The arm switch shut down propulsion for liquid propelled vehicles, and the destruct switch ignited the primacord surrounding the fuel tanks.
The Cape Canaveral Space Force Station saw around 450 failed launches of missiles and rockets (of around 3400 total) between 1950 and 1998,[5] with an unknown number of flights ending by intervention of onboard or ground-based safety mechanisms. As of June 2024, the most recent activation of the flight termination system on a US rocket was during Starship IFT-2 in 2023.[6]
For launches from the Eastern Range, which includes Kennedy Space Center and Cape Canaveral Space Force Station, the Mission Flight Control Officer (MFCO) is responsible for ensuring public safety from the vehicle during its flight up to orbital insertion, or, in the event that the launch is of a ballistic type, until all pieces have fallen safely to Earth. Despite a common misconception, the MFCO is not part of the Safety Office, but is instead part of the Operations group of the Range Squadron of the Space Launch Delta 45 of the Space Force, and is considered a direct representative of the Delta Commander. The MFCO is guided in making destruct decisions by as many as three different types of computer display graphics, generated by the flight analysis section of range safety. One of the primary displays for most vehicles is a vacuum impact point display in which drag, vehicle turns, wind, and explosion parameters are built into the corresponding graphics. Another is a vertical plane display with the vehicle's trajectory projected onto two planes. For the Space Shuttle, the primary display an MFCO used was a continuous real-time footprint, a moving closed simple curve indicating where most of the debris would fall if the MFCO were to destroy the Shuttle at that moment. This real-time footprint was developed in response to the Space Shuttle Challenger disaster in 1986, when stray solid rocket boosters unexpectedly broke off from the destroyed core vehicle and began traveling uprange, toward land.
Range safety at the Western Range (Vandenberg Space Force Base in California) is controlled using a somewhat similar set of graphics and display system. However, the Western Range MFCOs fall under the Safety Team during launches, and they are the focal point for all safety related activities during a launch.
Even for U.S. crewed space missions, the RSO has authority to order the remote destruction of the launch vehicle if it shows signs of being out of control during launch, and if it crosses pre-set abort limits designed to protect populated areas from harm. In the case of crewed flight, the vehicle would be allowed to fly to apogee before the destruct was transmitted. This would allow the astronauts the maximum amount of time for their self-ejection. Just prior to activation of the destruct charges, the engine(s) on the booster stage are also shut down. For example, on the 1960s Mercury/Gemini/Apollo launches, the RSO system was designed to not activate until three seconds after engine cutoff to give the Launch Escape System time to pull the capsule away.
The U.S. Space Shuttle orbiter did not have destruct devices, but the solid rocket boosters (SRBs) and external tank both did.[7] After the Space Shuttle Challenger broke up in flight, the RSO ordered the uncontrolled, free-flying SRBs destroyed before they could pose a threat.
Despite the fact that the RSO continues work after Kennedy Space Center hands over control to Mission Control at Johnson Space Center, they are not considered to be a flight controller. The RSO works at the Range Operations Control Center at Cape Canaveral Space Force Station, and the job of the RSO ends when the missile or vehicle moves out of range and is no longer a threat to any sea or land area (after completing first stage ascent).
Unlike the US program, the Russian space program does not destroy rockets mid-air when they malfunction. If a launch vehicle loses control, either ground controllers may issue a manual shutdown command or the onboard computer can perform it automatically. In this case, the rocket is simply allowed to impact the ground intact. Since Russia's launch sites are in remote areas far from significant populations, it has never been seen as necessary to include a flight termination system. During the Soviet era, expended rocket stages or debris from failed launches were thoroughly cleaned up, but since the collapse of the USSR, this practice has lapsed.
It is unknown if China implements safety and contingency assessments surrounding rocket launches and if a flight termination system is installed in each of the country's launch vehicles.[8] [9] The country is known for leaving rocket parts to fall back to Earth in an uncontrolled trajectory.[10] [11] In one case, a launch vehicle crashed into a village near Xichang Satellite Launch Center after veering off course, killing at least six persons. From the early 2020s, the China Aerospace Science and Technology Corporation (CASC) started developing and implementing methods to prevent uncontrolled reentries of their Long March rocket boosters, most prominently by the use of parachutes.[12]
The Japan Aerospace Exploration Agency (JAXA) regulates space activities through its Safety and Mission Assurance department. The regulation JERG-1-007E stipulates many of the safety requirements to be maintained on the range on launch day, violations of launch safety, and the procedures to follow after launch aborts and failures and during emergencies on the range.[13]
The ESA's primary launch site is in Kourou, French Guiana. ESA rockets employ flight safety systems similar to those of the US despite the relative remoteness of the launch center. Range safety at Europe's Spaceport is the responsibility of the Flight Safety Team,[14] with the launch site and surrounding areas being safeguarded by the French Foreign Legion.[15] The earliest Ariane 5 rockets were controlled by flight computers with the capability to terminate a flight on their own initiative, including the infamous Ariane 501 in 1996.[16]
In 2018, an Ariane 5 launcher carrying two commercial satellites veered off course shortly after liftoff. Ground control was shown a nominal course of the rocket until 9 minutes into the flight, when the second stage ignited and contact was lost.[17] The rocket nearly flew over Kourou, and when the RSO realised that it was flying closer to land than intended, it was decided not to terminate the flight out of concern that the resulting debris would hit the town adjacent to the launch site.[18] The two satellites were deployed into an off-target orbit and were able to correct their orbits with substantial losses of propellant.
The launch vehicles of the Indian Space Research Organisation (ISRO) are tracked by C-band and S-band radars. As of February 2019, ISRO does not use GPS and NavIC to directly transmit a launch vehicle's location to the range.[19]
Range safety measures are performed during launches of the Chollima-1 orbital launch vehicle. On the successful third launch attempt of the rocket, it was reported that officials activated the flight termination system on the first stage after separation, presumably to destroy evidence in an effort to prevent reverse engineering if the booster were to be recovered by South Korea or allies.[20]
A flight termination system (FTS) is a set of interconnected activators and actuators mounted on a launch vehicle which can shut down or destroy components of the vehicle to render it incapable of flight. As it is the only thing that is able to ensure the safety of ground facilities, personnel and spectators during a rocket launch, it is required to be effectively 100 percent reliable. Flight termination systems are also frequently installed on unmanned aerial vehicles.[21] [22]
To prevent other components from interfering with its decisions, the FTS has to operate entirely independently from the rocket; as such, it needs separate maintenance and comes with its own power source.[23] In the case of multistage rockets and those utilizing side boosters, each stage and each booster on the launch vehicle is equipped with its own FTS.
Flight termination usually destroys the payload with the rocket; crewed launch vehicles, with the exception of the Space Shuttle,[24] have employed a launch escape system to save the lives of the crew in case their carrier rocket malfunctions.[25]
A flight termination system typically consists of two sets of the following components:
A flight can be terminated in two ways, which are described below.
In most cases, it is preferred that a malfunctioning launch vehicle is fully neutralized at altitude. A rocket is destroyed during flight to prevent it from leaving the launch corridor or continuing an otherwise errant flight. The resulting destruction is required to scatter rocket parts over a small area, ensuring the majority of the parts stay within the launch corridor and cause as little damage or injury as possible. Additionally, it has to combust and disperse its propellant far above the ground in a manner that is as controlled as possible. This is done by detonating high explosives, usually linear shaped charges,[26] in specific areas of the rocket, which initiates structural failure and renders the vehicle aerodynamically unstable. On liquid-fueled rockets,[27] [28] the propellant tanks are cut open to spill out their contents. The rocket's engines are usually also destroyed or disabled. On rockets containing hypergolic propellants, the intertank section or the common bulkhead of the rocket's tanks is ruptured to ensure the toxic propellants mix and combust as much as possible when flight is terminated. On rockets fueled by cryogenic propellants, the tanks are perforated from the side to prevent excessive mixing and combustion of propellants, as an FTS is not allowed to detonate propellants and cause a violent explosion.
Solid-fuel rockets[29] cannot have their engines shut down, but splitting them open terminates thrust even though the propellant will continue to burn, as the explosive charges break the rocket and its fuel into pieces. In some cases, only the nosecone or top section of the solid propellant case might be removed from a solid rocket, with the risk that the remainder of the rocket explodes violently and causes injuries or damage upon impact with the ground or water.
In some cases involving liquid-fueled rockets, shutting down the engines[30] is sufficient to ensure flight safety. In those cases, full destruction of the vehicle is not necessary as it will be destroyed during reentry or on impact in an empty spot in the ocean. The FTS instead commands either the valves of the propellant and oxidizer lines to close, or explosives (such as pyrovalves) to sever the fuel lines, rendering the vehicle unable to use its engines and ensuring it stays on a safe trajectory. The vehicle then may be destroyed[31] by its tanks colliding and cracking. This method was first proposed for the Titan III-M launch vehicle, which would have been used in the Manned Orbiting Laboratory program.
An autonomous flight termination system (AFTS) or autonomous flight safety system (AFSS) is a system in which flight termination can be commanded on a rocket without the involvement of ground personnel. Instead, AFTS destructors have their own computers that are programmed to detect mission rule violations and implement measures to bring the mission to a safe end. Since 1998,[32] these systems have been developed to bring down launch costs and enable faster and more responsive launch operations.[33] [34] [35] Additionally, inadvertent separation destruct systems have been deployed to destroy parts of rockets autonomously when they are unintentionally removed or loosened from the remainder of the vehicle.[36]
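The instantaneous impact point check against the destruct lines described earlier is the kind of mission rule an AFTS computer evaluates on board. The sketch below is an added example, not code from any range, agency or vendor; it assumes a flat Earth, constant gravity, no drag or wind, and a constructed corridor polygon and track in a pad-centred frame, and all function and variable names are hypothetical.

```python
import math

G = 9.80665  # m/s^2; assumption: constant gravity, flat Earth, vacuum (no drag, no wind)

def vacuum_iip(pos, vel):
    """Ground impact point (x, y) if thrust ended at this instant.
    pos = (x, y, h) in metres, vel = (vx, vy, vz) in m/s, pad-centred frame."""
    x, y, h = pos
    vx, vy, vz = vel
    if h < 0:
        raise ValueError("altitude below ground")
    # Positive root of h + vz*t - G*t^2/2 = 0 gives the time to impact.
    t = (vz + math.sqrt(vz * vz + 2.0 * G * h)) / G
    return (x + vx * t, y + vy * t)

def inside_corridor(point, corridor):
    """Ray-casting point-in-polygon test; corridor edges play the role of destruct lines."""
    px, py = point
    inside = False
    n = len(corridor)
    for i in range(n):
        x1, y1 = corridor[i]
        x2, y2 = corridor[(i + 1) % n]
        if (y1 > py) != (y2 > py):  # edge straddles the horizontal ray through the point
            x_cross = x1 + (py - y1) * (x2 - x1) / (y2 - y1)
            if px < x_cross:
                inside = not inside
    return inside

def first_violation(track, corridor):
    """Return (time, iip) for the first sample whose IIP leaves the corridor, else None."""
    for t, pos, vel in track:
        iip = vacuum_iip(pos, vel)
        if not inside_corridor(iip, corridor):
            return t, iip
    return None

# Constructed corridor: x is downrange, y is cross-range, widening with distance.
CORRIDOR = [(-2000, -5000), (400000, -40000), (400000, 40000), (-2000, 5000)]

# Constructed track samples: (seconds after liftoff, position, velocity).
TRACK = [
    (10, (0, 0, 500), (5, 0, 100)),
    (40, (8000, 100, 12000), (600, 20, 700)),
    (60, (25000, 2000, 30000), (900, 400, 900)),  # vehicle veering cross-range
]

if __name__ == "__main__":
    hit = first_violation(TRACK, CORRIDOR)
    if hit is None:
        print("IIP stayed inside the corridor")
    else:
        print("IIP left corridor at T+%ds, predicted impact near (%.0f, %.0f) m"
              % (hit[0], hit[1][0], hit[1][1]))
```

The check runs on the predicted impact point rather than the vehicle's current position, which is why the third sample trips the rule while the vehicle itself is still well inside the corridor.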
NASA started developing AFSS in 2000, in partnership with the US Department of Defense, with its development being included in the Commercial Orbital Transportation System program.
Both ATK and SpaceX have developed AFSS. Both systems use a GPS-aided, computer controlled system to terminate an off-nominal flight, supplementing or replacing the more traditional human-in-the-loop monitoring system.
ATK's Autonomous Flight Safety System made its debut on November 19, 2013, at NASA's Wallops Flight Facility. The system was jointly developed by ATK facilities in Ronkonkoma, New York; Plymouth, Minnesota; and Promontory Point, Utah.[37]
The system developed by SpaceX was demonstrated in F9R Dev1, a Falcon 9 booster used in 2013/14 to test its reusable rocket technology development program. In August 2014, after an errant sensor reading caused the booster to veer off course, the AFTS triggered and the vehicle disintegrated.[38]
The SpaceX autonomous flight termination system has since been used on many SpaceX launches and was well tested by 2017. Both the Eastern Range and Western Range facilities of the United States are now using the system, which has replaced the older "ground-based mission flight control personnel and equipment with on-board positioning, navigation and timing sources and decision logic." Moreover, the systems have allowed the US Air Force to drastically reduce their staffing and increase the number of launches that they can support in a year. 48 launches annually can now be supported, and the cost of range services for a single launch has been reduced by 50 percent.[39]
The addition of AFTS has also loosened up the inclination limits on launches from the US Eastern Range. By early 2018, the US Air Force had approved a trajectory that could allow polar launches to take place from Cape Canaveral. The 'polar corridor' would involve turning south shortly after liftoff, passing just east of Miami, with a first stage splashdown north of Cuba.[40] Such a launch corridor is not feasible with a ground-commanded system due to radio interference from the rocket's own exhaust plume facing the ground station. In August 2020, SpaceX demonstrated this capability with the launch of SAOCOM 1B.[41]
The AFTS on SpaceX's Starship exhibited considerable issues on its first flight. SpaceX expected the vehicle to be given the destruct command at the point the vehicle lost thrust vector control at T+1:30, but this was done much later.[42] Upon activation, the explosive ordnance detonated as expected, but destruction was delayed;[43] the vehicle was only destroyed at T+3:59, 40 seconds after the AFTS was estimated to be triggered.
In December 2019, Rocket Lab announced that they had added AFTS to their Electron rocket. Rocket Lab indicated that four previous flights had both ground and AFT systems. The December 2019 launch was the first Electron launch with a fully autonomous flight termination system. All later flights have AFTS on board. In the event of the rocket going off course, the AFTS would command the engines to shut down.[44]
In August 2020, the European Space Agency announced that Ariane 5 has AFSS installed on the avionics bay. The AFSS onboard Ariane 5 is called KASSAV (Kit Autonome de Sécurité pour la SAuvegarde en Vol).[45] A later version of the system, KASSAV 2, will have the authority to automatically terminate the flight in the event of the rocket going off course.[46]
The Japanese government has approved AFTS for use on the country's launch vehicles since the mid-2010s.[47] The SpaceOne KAIROS solid-fuel rocket uses an AFTS.[48]
Future launch vehicles such as the Blue Origin New Glenn, United Launch Alliance Vulcan Centaur and ArianeGroup Ariane 6 are expected to have them as well. NASA's Space Launch System plans to introduce an AFT system by the flight of Artemis 3.[49]
In 2020, NASA started developing the NASA Autonomous Flight Termination Unit (NAFTU) for use on commercial and government launch vehicles. Provisional certification of the unit was granted in 2022 for Rocket Lab's first U.S. Electron mission (from Wallops Flight Facility) in January 2023.[50]