NASA Will Man Destruct Switch Just In Case

Ant writes "Popular Mechanics reports if the looming Discovery mission or any other between now and the spacecraft's retirement loses control, National Aeronautics and Space Administration (NASA) is prepared to ditch it in the Atlantic ocean — or blow it up. The article also shows complete no-fly-zone maps and a photograph of the switch."

Four Buttons?

I don't understand why there are four switches. I mean, I understand "Arm" and "Destruct", but why "test"? Does that blow up just a small section of the shuttle? I would have thought that turning off the "Arm" would be the same as "Safe"

I know, I know ... it's the engineers having a laugh. Getting a kick out of the confused looks on stupid people like myself.

Re:Four Buttons?

The "Test" button probably checks the detonation circuits, WITHOUT igniting the actual charges. And the "Safe" button is probably for permanently disarming the charges once the shuttle's in orbit.

Re:Four Buttons?

Sure hope those are labeled correctly... just in case anyone at NASA would think it's a funny prank, I recommend NASA add one more rule to their launch procedures: "DO NOT lauch on April 1st"

Best use a time window, to allow for differences in 'local time' (a relative notion for space operations)

Re:Four Buttons?

I had also heard that the astronauts would visit the RSO before their flights with pictures of their families, just to be sure he knows exactly whose lives he would be affecting if he had to destroy the shuttle.

That's interesting, I'd actually heard the opposite - that the RSO is not allowed to meet the astronauts at all in order to ensure that they make rational, not emotional, decisions if it comes down to it.

Slashdot Translation

Test: ping

Arm: login root

Destruct: rm / -rf

Safe: logout

Re:Four Buttons?

They should've had Apple design it. Apple would've done it with only ONE switch.

Re:Four Buttons?

I don't understand why there are four switches. I mean, I understand "Arm" and "Destruct", but why "test"? Does that blow up just a small section of the shuttle?

That button is for mission controllers that wanted to be astronauts but didn't make the cut. It blows up just one astronaut, but leaves the shuttle flying. Correct procedure when using this button is to laugh maniacally then yell "Who wants to be an astronaut now, bitch!" before flicking the switch.

Re:Four Buttons?

NOP? For shame, wasting your delay slots

photograph

I looked at TFA, and I gotta tell you, it's an exciting picture of the switch. Actually, it looks like FOUR switches and FOUR buttons. Well worth going to the site to see it.

Not news

This is such a non-story. NASA has a Range Safety Officer for every single launch, manned or not, and always has.

Re:Not news

The press does not exist to provide information but to provoke emotion. Showing the actual button that destroyes a spacecraft with human occupants achieves this effect nicely.

Re:Not news

Could we get a set of buttons like that on this article? If the comments are going down in flames, CmdrTaco could self destruct the article.

Re:Not news

Some people get them for every post. It's called -1 [troll||redundant||offtopic||overrated]. The people with them are called mods. Watch what they do to both our poor posts now.

I hope their communication channels are secure

...would be pretty nasty if someone if someone figured out how the radio comms for this function worked.

Encoded Signals

According to NASA documentation [nasa.gov], the SRB Range Safety system is operated by encoded signals.

From the description in the document, it sounds like one coded signal to 'arm' and a second coded signal to 'fire'. I'd bet that due to the nature of the system, it's transmission method will be so simple that it rarely needs to be tested and as such gives little opportunity for homicidal black-hat analysis.

Finally, I'll also bet that the codes are as top-secret as to-secret can be (as in: Get caught with this and you'll disappear forever). It wouldn't surprise me if the codes are created and handled by just one person on the day of use and never used again. Or perhaps two people where only one person knows the arm code and the other the fire code before the system is finally set.

However it's done, I'd like to think that a hell of a lot of thought went into system security ;)

Re:Encoded Signals

Oddly enough, I've seen the hardware specifications for at least one of the command destruct transmitters. That part wasn't classified, but I'm not sure where I came across it - might have been in some old Range documentation I found in the office I inherited. I don't remember much, but I'm pretty sure there were at least a couple of different designs in use. I think one was a redundant 68HC11-based system. All I really remember is that the design struck me as very conservative and architecturally simple. I don't recall any mention of crypto procedures and protocols - what I read only concerned getting the destruct message from its origin to the vehicle.

I'm sure the codes are tightly controlled. It's really not hard to design a very secure system, when it only needs to send one message, and that very rarely. An arbitrarily long, purely random key generated and distributed to the transmitter and receiver under tight security would do it. Denial-of-service would be a more difficult problem to address, but then jamming the signals isn't exactly easy when you're competing with some fairly high-power transmitters on high-gain dishes aimed right at the receiver. And they've got RF measurement vans that I assume patrol for interfering signals, malicious or otherwise.

destruct switches _should_ look like that.

You know, if you are going to have destruct switches... they really should look like that. A big turn key, solid, metal, single function panel that does nothing else. Heavy clunky switches that tell you you've done something. Yep, if you're going to have what is essentially a "big red button" that's how it should look. There's no mistaking that for the coffee dispenser switch. Putting modern "iPhone" styling on that would be a sin.

Already been used

Not only are the destruct switches active during each and every launch, they have actually been used on one particular launch. When Challenger's [wikipedia.org] external fuel tank blew up, destroying the shuttle, the solid rocket boosters started to fly out of control.

At T+110.250, the Range Safety Officer (RSO) at the Cape Canaveral Air Force Station sent radio signals that activated the range safety system's "destruct" packages on board both solid rocket boosters. This was a normal contingency procedure, undertaken because the RSO judged the free-flying SRBs a possible threat to land or sea. The same destruct signal would have destroyed the External Tank had it not already disintegrated.[11]

As if this is new..

Its funny this is "news" - they've had that switch since day one, if I know the military. And the no-fly zone has probably be a registered flightplan with the FAA since a year before day one. Interesting, yes, but not news since at least 1978 (or whenever it was they were building the fleet). I knew a guy who worked on the software on the early fleet. Made me wonder about the whole thing.

Other abort modes!

In addition to the destruct switch, there are other flight plans for an intact abort in case of problems. These abort modes are: Return to Landing Site (after SRBs are jettisoned, shuttle returns to Kennedy Space Center); East Coast Abort Landing where the orbiter lands on a different runway somewhere up the East Coast of the US; Transoceanic Abort Landing where the orbiter lands somewhere in Europe or Africa; Abort to Orbit; and Abort Once Around.

The Solid Rocket Boosters can't be stopped once they are started, but they have their own navigation system (rate gyro assemblies, and inertial measurement units) that are considered as/more reliable as those on the orbiter due to the rigidity of the SRBs. So the reason this "self destruct" button exists is because there is no "off" button for the SRBs, but, as far as I know, it is only an issue if its quad-redundant navigation system fails and somehow its thrust gets stuck in an unsafe vector, and that is very unlikely.

More detail, including why you can't jettison the flight deck with all the crewmembers: http://en.wikipedia.org/wiki/Space_Shuttle_abort_modes [wikipedia.org]

Technical details

For the technical details on how this works, check out an old Risks article here [ncl.ac.uk]. They put a lot of thought into the system.

Re:People inside?

Didn't RTFA, but are they planning on blowing it up with people inside, if something goes wrong.

Yes, they are. They always have. *Every* NASA rocket launch includes a self-destruct to prevent ground casualties. This includes the manned missions. In such cases where it would be used, the crew is either dead or will unavoidably be dead very shortly, and the lives on the ground must be saved.

Re:People inside?

And if you need an example of why those destruct systems are required, watch this [youtube.com].

I've met at least one of the Range Safety Officers while working out at Cape Canaveral. It's not something they like to talk about much, when it comes to the Shuttle.

Re:What a kewl job

RSO usually also has to do a lot of work before the launch. They are ultimately responsible that there have been no incursions into the various danger zones. This would mean they would be talking to police, coastguard as well.

Re:Space Shuttle Discovery

The other issue, just as important as the explosives, is all the other chemicals on board - many of which are highly toxic. This includes chemicals like monomethyl hydrazine (MMH) used in the Orbital Maneuvering Subsystem (OMS) and in the Solid Rocket Boosters (SRBs) for control. It is great stuff, you mix it with nitrogen tetroxide (N2O4) and they ignite with no spark or air required. At the same time, by the time you can smell it, you have been exposed to ten times the lethal dose. Remember when Columbia crashed and they told everyone not to go near the wreckage? this was one reason why.

As the parent said, remote destruct capabilities are simply par for the course when your strapping things to that much explosives and toxic chemicals. Really it should make us feel safer that NASA is honest about the risks and is willing to do what it needs to do to insure (as best as possible) public safety.