Kaboom! Rocket Flight Termination Systems

From the early days of rocketry, it became clear that when things did not go as planned, the consequences, and wreckage, could end up far from the launch site and often in highly undesirable locations whose inhabitants may not appreciate the humour in flaming debris raining down upon them from the sky. In 1947, a modified German V-2 launched from White Sands Missile Range in the U.S. as part of the Hermes II project came down near Juarez, Mexico, provoking something of an international incident.

It was evident that simply testing and launching rockets from remote and unpopulated sites was not enough—it was also required to guarantee that whatever happened after the button was pushed was confined to the range authorised for the test. This led to the creation of the post of “range safety officer” (RSO) and the installation of systems on rockets, originally called self-destruct packages and later the more refined term “Flight Termination System” (FTS). A typical FTS will shut off the rocket engines of a vehicle (if possible: solid rocket boosters cannot be turned off once fired), send a signal to payloads such as crewed capsules to trigger their launch escape systems, and rip open the tanks of the launcher to disperse the propellants. Solid rocket boosters are generally split open by linear shaped charges which release the pressure providing rocket thrust and allow the propellant to burn out. The design of these systems depends upon the details of the vehicle: the Saturn V launcher for the Apollo program could, for example, simply shut off its engines and fall into the ocean, only ripping open the tanks (“propellant dispersal”) if in a portion of its trajectory where that was deemed necessary to protect assets below.

Flight Termination Systems are designed to be the most reliable components of a rocket. The consequences of the system’s failing to destroy a wayward rocket or accidentally triggering and destroying a perfectly good rocket, either in flight or on the ground, are dire and unacceptable. Consequently, FTS hardware is designed to operate completely independently of the rocket’s systems and with total redundancy of all components and control paths.

For decades, FTS has been triggered manually by a range safety officer when the rocket’s trajectory exceeded pre-defined “destruct lines” delimiting the safe launch corridor. Increasingly, rockets have adopted autonomous flight safety systems (AFSS) where an independent computer and navigation system on-board the rocket monitors the flight path and triggers flight termination if limits are exceeded. Since 2020, SpaceX Falcon 9, Rocket Lab Electron, and Arianespace Ariane 5 launchers have flown with AFSS, although some flights also retained manual back-up to trigger FTS. Launches to polar orbit from Cape Canaveral require AFSS, since the trajectory would cause the rocket’s exhaust plume to interfere with reception of an FTS activation signal from the ground and dropping a rocket on Cuba would not be welcomed by the inmates of that prison island.


Have such payload-saving systems ever been employed in an effort to save economically valuable or environmentally dangerous payloads (like, say, a fission reactor)? If not, is it because such delicate payloads would not survive such a system undamaged - even if the system worked flawlessly?


To my knowledge, there have been no cases of launch escape systems having been designed for and used to protect expensive or hazardous payloads. The Blue Origin New Shepard capsule, which is used for both human and cargo flights, has a launch escape system which is active in all cases. On the NS-23 flight on 2022-09-12 (coverage here, “Blue Origin New Shepard NS-23 Flight”), the booster engine failed and the capsule, which carried no people, escaped and landed safely, with all payloads intact. SpaceX, by comparison, does not install a launch escape system on its Cargo Dragon ships used for International Space Station resupply missions.

High-value payloads tend to be large and heavy, and are designed around the limits of the launch vehicle payload capacity. Launch escape systems are heavy, and payloads other than crewed capsules do not have heat shields or parachute systems to land safely after a launch abort. Adding all that would dramatically decrease the capability of a payload such as a communication satellite and/or its useful lifetime on orbit by reducing the amount of station keeping fuel it could carry. So, they buy insurance and cross their fingers.

For radioactive payloads, the approach is to package them sufficiently ruggedly that they can survive a worst-case launch vehicle explosion and fall to the Earth without releasing the radioactive material. For a fission reactor, the reactor does not go critical until after reaching its operational orbit, so the nuclear fuel is not dangerously radioactive during the launch phase. Radioactive thermal generators (RTGs), which use intensively radioactive material such as plutonium-238, depend on a rugged capsule to contain the heat source. The RTG from Apollo 13’s lunar module science package plunged into the Pacific after the lunar module burned up in the Earth’s atmosphere and no traces of plutonium release were detected. It is almost certainly sitting intact in the Tonga trench today.