Launch failures: engine out
by Wayne Eleazer

“Loss of liquid engine thrust” is the most common cause of mission failures for space launches over the last 35 years.
Included in the liquid engine loss of thrust failure mode are those cases where the engine simply ran out of propellant early. This type of failure can be due to improper calculation of the propellant load (see “Launch failures: two Thors, one problem”, The Space Review, January 19, 2009). Running out of propellant early can also be due to an engine underperforming expectations and requiring more propellant than planned, such as occurred on the first Indian GSLV mission, or a propellant loading error due to instrumentation error, as occurred on a Delta 3913 launch in 1981.
And then there are the liquid engine failures that are not immediately catastrophic, nor simply due to a low fuel load, but are more complex in nature.
On May 29, 1980, Atlas 19F lifted off from SLC-3W at Vandenberg Air Force Base, California, carrying the NOAA-B TIROS weather satellite. The launch occurred in the wee hours of the morning and everything looked normal to visual observers. Had liftoff occurred in daylight, people probably would have noticed an unusually thick exhaust plume coming from one side of the booster.
Tracking data soon showed a problem, although initially it was a subtle one. The vehicle was running a bit on the low side of the predicted velocity-time curve. Then, at the first staging, where the Atlas booster package is jettisoned, a serious problem became obvious. Normally, the vehicle's rate of velocity increase drops off when the two booster engines are jettisoned and thrust decreases dramatically, but then builds back up again as propellant is burned off. But with Atlas 19F, at booster package jettison the velocity-time curve went flat. Observers looking at the readout were shocked, and then scoffed. The data seemed at first to show a ballistic trajectory following a loss of thrust, but telemetry data showed the Atlas sustainer engine clearly was still firing normally.
But the readout was correct; something was wrong. The sustainer engine kept firing, and kept firing, reached the nominal cutoff time and still kept firing. Concern turned to bafflement as the long seconds dragged by, people saying “This is impossible! We don’t have enough fuel for this to be happening! We don’t even have enough lubrication oil!”
Engine shutdown came an incredible 50 seconds later than the predicted nominal, an eternity in space launch terms. The spacecraft separated and fired its own kick motor but ended up in an elliptical orbit, essentially useless.
Investigation showed that one of the Atlas booster engines had exhibited a rare but known failure mode. Due to the very rapid start sequence of the MA-3, an order of magnitude faster than any other engine of similar design, the seal between the fuel side of the turbopump and the gearbox could literally bounce. Once opened, the fuel forced its way under the seal and held it open, flooding the gearbox with about fifty gallons (190 liters) of fuel a minute. While this was not a significant fuel loss compared to that consumed by a normally functioning engine, fifty gallons a minute was an order of magnitude above the five gallons (19 liters) a minute of lubricating oil that normally fed the gearbox. The resultant viscous damping slowed the engine to around 80% of normal thrust, reducing the booster’s acceleration and velocity while increasing its weight due to the unused propellant. Burning the booster engines another several seconds would have made up the difference, and the GERTS guidance system tried to do just that, but that was not to be. A backup safety command in the booster onboard guidance system shut down the booster engines before the correct velocity could be reached.
At that point the Atlas was on trajectory, low on velocity, and very heavy with propellant. The guidance system, sustainer engine, and propellant utilization system all worked to make up the difference, converting the extra propellant into the required velocity as efficiently as possible. And the struggling rocket made it, or almost.
The TIROS spacecraft was unique among Atlas payloads in that there was no electrical interface of any kind between the booster and the spacecraft. Normally, the booster would transmit the signal that activated the spacecraft separation ordnance and also informed the spacecraft guidance system that it was time to go into action. But for the TIROS mission there was a call-up requirement for a replacement spacecraft to be on orbit within a limited amount of time from being given the order, typically about 90 days. That kind of schedule normally would require a spacecraft to be maintained in readiness at the launch site; that costs money and requires both specialized manpower and a dedicated processing facility. One alternative approach to shortening the time between spacecraft arrival at the launch base and launch was to eliminate the electrical interface between the booster and spacecraft. The great thing about interfaces that are not there is that they do not have to be tested. The booster could be prepped for launch and then the spacecraft mated to the booster, checked out independently, after which launch could occur within 10 days or so, rather than the 30 days that was common.
So, the Atlas/TIROS interface was designed with a mechanical connection only, using the typical V-shaped clamp band. The spacecraft would decide when it needed to initiate separation, based on its own accelerometer signal that indicated the Atlas had stopped thrusting. Without input from the booster, the spacecraft guidance system would issue the command to blow the clamp band ordnance and then pull away from the Atlas using its small hydrazine monopropellant thrusters, orient itself, and fire its TEM-364-15 apogee kick motor to attain the final sun synchronous orbit.
Of course, with such a scheme, failure of the spacecraft accelerometer would mean that separation never occurred, so the spacecraft guidance system also contained a software-based timer that would override the accelerometer signal and initiate separation.
For the Atlas 19F flight, the TIROS timer reached its limit before the booster had completed the extended burn, at 370 seconds. The sustainer engine shut down soon thereafter, but the Atlas also had an additional 11 seconds of burn time for just the two LR-101 vernier engines, a feature that enabled more precise pointing of the booster prior to payload separation. The two 1,000-pound-force (4,450-newton) verniers were not much compared to the sustainer, but they were an order of magnitude above what the spacecraft’s four little hydrazine thrusters produced.
With the clamp band blown, but the Atlas still shoving it in the rear, the spacecraft was unable to separate and perform the required pitch-down maneuvers. Another cost-saving feature of the TIROS mission was that the booster flew a lofted trajectory that enabled as much of the flight as possible to be tracked with Vandenberg’s telemetry receivers; this reduced the need for costly downrange Advanced Range Instrumentation Aircraft. But such a trajectory meant that the spacecraft had to pitch down to properly orient itself before firing its solid motor AKM. The TIROS finally got away from the booster when it fired its AKM, blowing a hole in the top of the Atlas LOX tank in the process. Telemetry showed the Atlas LOX tank pressure went to zero coincident with the AKM firing.
The resultant elliptical orbit was very far from the nominal 450-nautical-mile (830-kilometer) sun synchronous circular orbit desired and proved to be essentially useless. The engine failure had not been total but still proved to be deadly to the mission due to factors not directly related to the engine itself.
On December 21, 2004, the first Delta IV Heavy booster lifted off from SLC-37 at Cape Canaveral AFS. This was the first booster in the world to feature three nearly identical first stages strapped together. Things seemed to go well, but the two strap-on boosters shut down eight seconds early. This was followed by the core vehicle first stage shutting down nine seconds early. The second stage burned longer than planned in an attempt to make up the substantial velocity deficit, but the test payload ended up in an orbit with an apogee 10,000 miles (16,000 kilometers) lower than the planned geosynchronous objective. Two small secondary payloads were released during the ascent but were so low that they re-entered.
The problem was traced to what was in reality a solution, an old one. The Atlas 19F mission showed that starting a rocket engine is fraught with peril, but shutting down a liquid rocket engine is not necessarily a simple process, either. Great care must be taken to ensure that the engine does not die from fuel starvation, especially with the result of an extreme oxidizer-fuel mixture ratio. For example, for most engines an excessively LOX-rich condition is likely to cause a sudden increase in performance, followed by the engine exploding, and that may well take out the rest of the booster, the upper stages, and the payload.
So, virtually every vehicle has switches that shut down the engines when the propellant tanks get almost empty. In the case of the Delta IV Heavy, the added performance of the two extra strap-on stages exposed a flaw in the propellant feed system. For all three of the first stages, propellant depletion was sensed too early and the engines shut down before the job was done. It was rather like Atlas 19F in that a safety feature activated under circumstances where its omission would have ensured success.
In the case of the Delta IV Medium on October 4, the performance loss for the second stage engine was made up by the stage simply burning longer, using up the propellant not used due to the engine’s low thrust, just like Atlas 19F did. Due to good integration—including proper communication between the payload and the booster—the spacecraft did not try to leave on its own before the proper orbit was attained.
In the case of the Falcon 9 on October 7, one of the first stage booster engines was shut down automatically when an engine problem was detected. The performance loss associated with the engine loss was made up by the rest of the booster, but safety considerations associated with the limitations on the proximity to manned or mannable spacecraft (typically a minimum separation of 50 nautical miles, or 90 kilometers) meant that the secondary payload could not be delivered to the proper orbit.
It appears the key to surviving an engine failure is proper design of the entire vehicle and its mission. You need not only proper design margin in the propulsion system but also a form of design margin in the entire vehicle that takes into account that things can go wrong. Ultimately, salvaging a mission after an engine failure is a test of the payload integration and mission design process, even more so than of the flight hardware.