SpaceX's Latest Advantage? Blowing Up Its Own Rocket, Automatically

SpaceX has reportedly worked with the Air Force to develop a GPS-equipped on-board computer, called the "Automatic Flight Safety System," that will safely and automatically detonate a Falcon 9 rocket in the sky if the launch threatens to go awry. Previously, an Air Force range-safety officer was required to be in place, ready to transmit a signal to detonate the rocket. Quartz reports: No other U.S. rocket has this capability yet, and it could open up new advantages for SpaceX: The U.S. Air Force is considering launches to polar orbits from Cape Canaveral, but the flight path is only viable if the rockets don't need to be tracked for range-safety reasons. That means SpaceX is the only company that could take advantage of the new corridor to space. Rockets at the Cape normally launch satellites eastward over the Atlantic into orbits roughly parallel to the equator. Launches from Florida into orbits traveling from pole to pole generally sent rockets too close to populated areas for the Air Force's liking. The new rules allow them to thread a safe path southward, past Miami and over Cuba.

SpaceX pushed for the new automated system for several reasons. One was efficacy: The on-board computer can react more quickly than human beings relying on radar data and radio transmissions to signal across miles of airspace, which gives the rocket more time to correct its course before blowing up in the event of an error. As important, the automated system means the company doesn't need to pay for the full use of the Air Force radar installations on launch day, which means SpaceX doesn't need to pay for some 160 U.S. Air Force staff to be on duty for their launches, saving the company and its customers money. Most impressively, the automated system will make it possible for SpaceX to fly multiple boosters at once in a single launch.

"Reliability of Shuttle Destruct System"

[supernova87a]

I quote for Slashdot posterity a long and informative piece of relevant information from many years ago, because I fear it's disappearing from the web:


Reliability of Shuttle Destruct System [LONG]
"MARTIN J. MOORE" [mooremj@eglin-vax]
28 Jan 86 14:06:00 CDT
Copyright © 1986 Martin J. Moore
[COMMENT: READERS -- PLEASE OBSERVE THE RESTRICTIONS ON THIS MESSAGE AT THE END OF THE MESSAGE. PGN]

> From: Peter G. Neumann [Neumann@SRI-CSL.ARPA]
> For those of you who haven't heard, the Challenger blew up this morning...
> One unvoiced concern from the RISKS point of view is the presence on each
> shuttle of a semi-automatic self-destruct mechanism. Hopefully that
> mechanism cannot be accidentally triggered.
[COMMENT: I did not intend to imply that as the cause -- only to raise concern about the safety of such mechanisms. PGN]

Peter, I assume that you are talking about the Range Safety Command Destruct System, which is used to destroy errant missiles launched from Cape Canaveral. From 1980 to 1983 I was the lead programmer/analyst on the ground portions of that system, and I am the primary author of the software which translates the closing of destruct switches into the RF destruct signals sent to the vehicle. I think I can address the question of whether the system can be accidentally triggered; worrying about that gave me nightmares off and on for months while I was on the project. I'd like to tell you a little about the system and why I think the answer is No. Note that my information is now three years old, and some details may have changed; there may also be minor errors in detail due to lapses in my memory, which isn't as good as my computer's!

On board the vehicle, there are five destruct receivers: one on the external tank (ET) and two on each of the solid rocket boosters (SRBs). There is no receiver or destruct ordnance on the Orbiter; it is effectively just an airplane. The casing of each SRB is mined with HMX, a high explosive; the ET contains a small pyrotechnic device which causes its load of liquid hydrogen and liquid oxygen to combine and combust. The receivers and explosives are connected such that the receipt of four proper ARM sequences followed by a proper FIRE sequence by any of the receivers will explode the ordnance.

The ARM sequence and FIRE sequence must come from the ground; they cannot be generated aboard the vehicle. These sequences are transmitted on a frequency which is reserved, at all times, for this purpose and this purpose alone. There are several transmitters around the Eastern Test Range which can be used to transmit the codes. These transmitters have a power of 10 kw (continuous wave). The ARM and FIRE sequences consist of thirteen tone pairs (different for each command and changed for each launch). There are eight possible tones, resulting in 28 possible tone pairs; thus, there are (28^13) or slightly over 6.5E18 correct sequences.

The Range Safety Officer has two switches labeled "ARM" and "DESTRUCT". When he throws a switch, it generates an interrupt in the central processor (there are actually two central processors running and receiving all inputs, but only one is on-line at any time; in case of software or hardware error the backup is switched in. And yes, they have different power sources.) The central program checks for the correct code on each of two different hardware lines (the correct code is different for each line); if correct, and all criteria are met to allow the sequence to be sent, the central program requests the tone pairs for that sequence from another processor. That processor (like everything else in the system, actually redundant processors) has only one function: to store and deliver those tone pairs. The processor resides in a special vault and can only be accessed in order to program the tone pairs (which are highly classified) before each launch. The data line between the central processor and the storage processor is

Re:"Reliability of Shuttle Destruct System"

[SirGarlon]

Sometimes doing what you think is right requires knowingly doing what someone else thinks is wrong.

Not exclusive to SpaceX

[hackertourist]

NASA and the Air Force (which provides the range safety systems) have been working on the autonomous flight safety system for at least a decade. SpaceX is just the first customer to use it.

*Civilian* GPS

[DrYak]

I don't know. GPS was never supposed to be used for anything like this.

*Civilian* GPS was not supposed to be used like this and got limitations (speed, altitude *) to avoid being usable like this.

The military had guiding missile in this way in their mind from day one.

---

*: normal GPS chips will refuse to give a precise answer above a certain speed (~500 m/s) and altitude (18km).