Proceedings of the Eighth International Conference on Probabilistic Safety Assessment & Management (PSAM)
154 A Dynamic Risk Assessment of Space Shuttle Two Engine out Contingency Abort Scenarios (PSAM-0095)
As the Space Shuttle ascends to orbit, it traverses various intact abort regions that are evaluated and planned before the flight to assure that, in the event of an ascent failure, the Space Shuttle Orbiter, along with its crew, is safely returned. The primary Space Shuttle intact abort modes are Return to Launch Site (RTLS), Trans-Atlantic Landing (TAL), and Abort to Orbit (ATO). Different intact abort options are available and are chosen depending on the time of failure. The most likely failure to initiate an abort is the shutdown of a single Space Shuttle Main Engine (SSME).
It is possible that during an intact abort of the Space Shuttle an additional system fails, making the intact abort impossible to execute. In particular, if, following a first engine shutdown (FES), a second engine also shuts down, the Orbiter will most likely not be able to continue the intact abort. Instead, it will change abort mode and perform a single engine abort, also known as a contingency abort (CA). The purpose of a CA is to guide the disabled vehicle to a safe gliding flight condition where an East Coast Abort Landing (ECAL), a Bermuda (BDA) landing, a landing at a downrange TAL site, Emergency Landing Site (ELS), or a bailout can be performed.
The type of contingency abort scenario chosen depends on the following attributes or events: how many engines fail, the time (velocity) at which they fail, and the trajectory's inclination. If possible, the crew will attempt to land at an emergency landing site. If not, the crew will attempt to establish a glide path so that they can ditch the vehicle and bail out.
Probabilistic risk assessments of the nominal Shuttle mission have shown that many ascent failures can potentially be mitigated by executing an intact abort. To complete the risk profile of the Shuttle, a quantitative understanding of both the nominal and abort risk is essential. To assess these Space Shuttle abort scenario risks, a dynamic risk model capable of evaluating the time-dependent failures was developed.
To assess these Space Shuttle abort scenario risks, DARE (Dynamic Abort Risk Evaluator), a dynamic risk model capable of evaluating the time-dependent failures, had been previously developed. This paper describes the dynamic probabilistic assessment constructed to analyze the contingency abort regions. Specifically, it further examines the “two engine out during ascent” scenario and the likelihood of getting into each contingency abort region, factoring in both common cause and independent failures of engines. Abort capability charts were used to determine the contingency abort regions the Orbiter would most likely get into given a two-engine shutdown during ascent. These regions were selected for further investigation. Models for the most likely scenarios were developed to assess the loss of vehicle and loss of crew risk. Updated dynamic abort probabilities for the selected CAs were utilized in the models, replacing deterministic probabilities once used within the DARE model. For CAs resulting in bailout, traditional event and fault trees were constructed. Increasing the fidelity of the DARE model has resulted in improved understanding and quantification of abort risk given multiple engine failures during ascent.