Probably the most heart stopping moments in spaceflight occur at the final stages of a countdown to liftoff. Will it go or not? What happens once the engines start? Success or failure or just wait for another day? I lived through a number of shuttle launches – and launch attempts – and every time I watch a rocket launch – of any kind – when the clock ticks down to the final minute my heart starts racing.
For the Space Shuttle there were a series of documents which detailed how launch operations were conducted. The most famous was S0007 (pronounced ‘Sue Seven’ or sometimes ‘S triple balls seven’). The entire document came in five volumes. In the days when we worked in paper, it took five 2-inch-thick binders to hold it all. Every step was numbered and the responsible party was named for each step. Most of my career was “Houston Flight” and I would answer to the NASA Test Director or the NASA Launch Director or the NASA Operations Manager on their communications ‘loops’ as required.
In my Flight Director reference book was a copy – shown above – of Figure 13-3 ‘RSLS and GLS Interaction T-38 Seconds to T-0’. Chockablock with important stuff because a lot happened in those last seconds. At the final stages, it was all on automatic with the computers in control.
Two programs, the GLS (Ground Launch Sequencer) and the onboard RSLS (Redundant Set Launch Sequencer) played the final duet. People were just observers, along for the ride. There were folks that could stop the countdown if they found necessary, which happened several times for the odd items that were not monitored or controlled by the GLS and RSLS. Memorably were the launch scrubs caused by the hazardous gas detection system (Haz Gas). Almost everything required by the Launch Commit Criteria was automatically monitored.
Onboard the Space Shuttle there were five General Purpose Computers. For the launch phase, computer #5 was running the Backup Flight System. The BFS was there to take over if there was a total failure of the ‘redundant set’. The BFS did not have the command capability to launch the shuttle and was really only in listen mode prior to liftoff. Computers 1 through 4 were all running the same software at the same time in lock step; they comprised the ‘Redundant Set’. The RSLS was only one of many programs running in the ‘redundant set’ computers during the prelaunch phase also known as Major Mode 101. To continue to launch – and fly safely – all four computers had to agree. If any one got out of sync or gave an incorrect command, or failed to listen to the others, the RSLS would detect that and issue a hold so that no launch would occur.
On the chart the top half details what the RSLS is doing and the bottom half details what the GLS is doing. Commands could be given once or ‘continuously’ (every computer cycle) for a given period of time. Likewise, telemetry of critical items could be checked (verified) once or ‘continuously’ (CFVY) every computer cycle of 40 milliseconds for a specified period of time.
Time across the bottom starting at T-50 seconds with the first item: a command that the GLS automatically commanded the big Liquid Oxygen and Liquid Hydrogen Fill & Drain Valves to close. The ET should be completely full of propellant and no more would be added. Looking a little later on the chart at T-34 seconds, the GLS would verify that those valves actually closed. As always for any verification that failed, an automatic hold would be issued.
Getting back to the time scale at the bottom, in big bold letters at T-31 seconds was the notation: “LAST AVAILABLE HOLD POINT”. To this day, whenever I am watching the countdown of any vehicle, whether it matters to that system or not, my heartrate picks up significantly at T-31 seconds. Like Pavlov’s dog I am conditioned to respond.
There is also an interesting note in the box: “Onboard RSLS TBO Clock Stops Decrementing at T-6.6 sec; GND Clock continues.” The RSLS countdown time displayed to the crew notoriously stopped at the command for main engine start. After that point things either happened – or not -so quickly that human response did not come into play.
In the RSLS section is the long box “CVFY NO SSME 1,2, or 3 PAD DATA PATH FAIL, CHANNEL FAIL, or CONTROL FAILURE (EH, HL, OR MCF AND LIMIT EXCEED)” Each Space Shuttle Main Engine had two computers – prime and backup – which controlled the functions of the engine. The Redundant Set had to have good data and command links with the SSME controllers – no data path fails. Each SSME controller had to report that there were no failures in the control channels to its engine valves, and no detected major component failures (MCF), no redline exceedances either high or low on any engine temperature or pressure. That is a lot to check on every 40 milliseconds from T-20 minutes all the way to T-0.
Next, we will look at the detailed commands and verifications second by second.
The GLS deactivates the SRB joint heaters – which were added after Challenger – at T-50 seconds. At T-40 seconds the GLS cuts ground power to the Space Shuttle so that all the electricity must come from the onboard fuel cells. Also, at T-40 seconds the GLS verifies that the Gaseous Vent Arm (GVA or the ‘beanie cap’) is fully retracted out of the way. That beanie cap is on a long arm that stretches out over the nose of the External Tank to remove any vapors. On the very last shuttle launch, STS-135, the indicator that the GVA was out of the way failed so we had a scary – but short – hold while people in the firing room manually confirmed it was out of the way.
At T-31 we pass the last hold point – anything after that will be a launch scrub. At T-31 seconds the GLS sends “LPS Go for auto sequence start”. Launch Processing System is a generic term for the entirety of the ground system; the ‘auto sequence’ is the RSLS which takes precedence at that point.
At T-30 seconds the GLS commands the hydraulic power units in the base of the solid rocket boosters to get ready to start; the actual start command comes at T-28 seconds.
The RSLS, at T-28 seconds is doing a one-time check to see if it received the LPS Go for auto sequence start. At T-27 seconds the RSLS starts another software sequence to open the orbiter vent doors. Why? As the shuttle launches, the outside air pressure decreases with altitude; there are motor actuated doors all along the sides of the shuttle that open to allow the pressure to equalize. Otherwise, the structure would pop at some point. Not be good. Prior to launch, all the orbiter cavities are flooded with dry nitrogen gas to prevent any flammable leaks from catching fire. Opening the vent doors too early would allow oxygen to get inside and the fire hazard would increase. T-27 seconds allows all the doors to be fully opened if both electrical motors on each door function properly, operating on just one of the two redundant motors takes longer to open the doors. If any motor doesn’t work, that door may not be fully open at liftoff and there was a huge debate early in the program about whether that would be OK. Down at T-7 seconds the RSLS checks to see if all the vent doors are open. We decided to scrub the launch if any vent door motor failed rather than start opening the doors before the last hold point at T-31 seconds and risk oxygen intrusion during a hold. More than one flight held at T-31 seconds, there was never a vent door motor failure, so that proved to be a good decision that avoided potential fire hazards.
At T-26 seconds the GLS commands the Liquid Hydrogen High Point Bleed valve to closed. It would be bad to lift off with a leak in the LH2 system. The GLS verifies that valve is closed at T-12 seconds.
Then there is a blessed five seconds of calm. It is the last quiet period before everything starts happening, seemingly all at once.
At T-21 seconds the GLS commands the SRB gimbal test. With the hydraulics pressured up, those big nozzles are swiveled back and forth to make sure they work properly. Starting at the same time the GLS begins continuously verifying that the SRB hydraulic turbines are running at the proper speed. There are two turbines in each booster for full redundancy in flight but we decided not to launch unless both were working properly. I don’t ever recall an SRB hydraulic unit failing in flight (they only run for about 2 and ½ minutes) but when I was the Shuttle Program Manager and found out that there had never been a test with only one turbine running, I mandated that one of the ground test firings in Utah shut down one of the two turbines and measure the gimbal response. It worked fine. That test only cost $2 million – which is a story for another day.
At T-18 seconds the RSLS commands the safe and arm devices – which prevent an inadvertent pyrotechnic event – to arm. This is for the SRB ignition and the ground umbilical release. Hazardous phase truly initiated at this point.
By T-16 seconds the SRB gimbal test should be complete and the nozzles back down at the null position for liftoff so the GLS starts continuously verifying that position down to T-0. Also, at T-16 seconds the GLS activates the water deluge on the pad, the so called ‘sound suppression’ system. This has different modes and the first activation is the ‘pre liftoff’ mode which is a trickle compared with what happens immediately after liftoff.
At T-15 seconds the RSLS begins continuously checking that all the pyrotechnic initiator capacitors are fully charged and ready to function. Also starting at T-15 seconds the RSLS starts continuously checking that all the onboard computers have good data coming in from all over the vehicle (no MDM Return Word bypass).
At T-12.5 seconds: the RSLS starts continuously commanding valves in the Liquid Oxygen system that recirculate fluid to open, this continues every 40 milliseconds down to engine start time. At T-9.5 seconds the RSLS checks to see if those valves are open.
At T-12 seconds the GLS is also busy; it commands valves to close to terminate the helium fill going to the orbiter and the GLS also does a one-time check to verify that the rudder/speedbrake is in the launch position, the GLS locks down its command system to the SRBs and immediately removes any inhibits that were set.
At T-11 seconds the RSLS commands another software program in the onboard computers to start: navigation. The crew sees this as the ‘Eight ball’ display showing attitude goes to vertical. At the same time the RSLS commands the main engine throttle settings to 100%. The engines have not started yet, but when they do, they will aim to run at 100% of the rated power level. For almost all of the shuttle flights ascent flight used 104% (or 104.5% for later flights) but the pad was only certified to 100% so the command to throttle up to 104% was one of the first things that the computers did after liftoff.
At T-10 seconds the GLS fires the ‘sparklers’ at the base of the launch pad to burn off any stray hydrogen vapors before the engines start. Scrubbing at this point incurs about a week effort to replace those items.
Also, at T-10 seconds the GLS issues the ‘go for main engine start’ discrete. We did a long study once that showed this was the last critical action of the GLS; a total failure of the ground computing system after this would not stop the shuttle from launching itself. The RSLS is totally in charge now.
At T-9.5 seconds the RSLS sends ‘start enable’ to the main engines – get ready! At that same point the RSLS checks one time to see if each main engine indicates it is ready. This is a complicated process that requires terminating liquid oxygen cooling to the engines – which occurred back at T-50 seconds when the valves were closed or really even earlier than this chart when LOX replenish was terminated. The engines must be chilled to the right temperature for a smooth start and during replenish operations the engines are actually too cold. When replenish ends, LOX from the External tank starts flowing into the cooling channels; this LOX is in the big 17-inch pipe coming down the outside of the ET. Since it is outside, the LOX is actually a tad warmer than the LOX which was coming in from the ground tanks. This allows the engines to warm up just enough so that the temperatures are in the ‘start box’. When the main engine controller senses the right temperature, it issues the ‘engine ready’ discrete. This what the RSLS is looking for. On several flights where we were holding at T-31 seconds (after replenish was terminated) the engine temperature crept higher – out of the ‘start box’ and the engine ready discrete went away. SCRUB!
Also, at T-9.5 seconds the RSLS starts continuously commanding the Liquid Hydrogen prevalves for each engine to open. If they are closed, no fuel gets to the engine. Continuously commanding those valves to the open position every 40 milliseconds until the engine starts.
A fraction later, at T-9.4 seconds the RSLS starts continuously commanding the Liquid Oxygen overboard bleed valves to close and continues this until the main engines start. Remember the GLS had closed the equivalent on the liquid hydrogen side at T-26 seconds, an eternity ago.
At T-9 seconds the GLS deactivates the Liquid Hydrogen recirculation pumps and a second later at T-8 seconds the GLS shuts off its capability to command anything on the orbiter.
At T-7 seconds the RSLS verifies that it has received the LPS go for engine start, and verifies that the LOX recirc valves are open, and starts continuous verification – for 0.4 seconds – that the engines are all in ‘engine ready’ mode, checks the vent door positions, and the prevalve positions and then the big show starts.
At T-6.6 seconds the RSLS issues the start commands to each engine: engine 3, engine 2, engine 1 with 120 millisecond staggers. The engine gimbals are commanded to override to prevent failures during the engine start transients. From now to T-0 the RSLS will verify that no main engine controller has issued a ‘shutdown mode’ or ‘post shutdown mode’ discrete. All the action turns to the main engine controllers which execute a tightly choreographed sequence of valve operations to safely start each engine and bring it up to 100% throttle. Describing that sequence would take much longer than this paper.
The forlorn GLS issues its last command to shut down the ground cooling units at T-6 seconds.
At T-2 seconds the RSLS starts continuously checking to verify each main engine is reporting that it is running at greater than 90% throttle setting; there after the RSLS resets the engine gimbal commands to allow steering after launch to happen
At T-0 the last RSLS commands go out – fire the umbilical release pyros, fire the hold down post pyros, fire the ET vent arm disconnect pyros, and all in the same millisecond command window, fire the SRB ignition pyros. Then reset all the controllers (Master Event Controllers – MEC) for the pyros.
As a flight director, I knew the next step – coming less than 40 milliseconds seconds after all those commands: The onboard redundant set computer programs moded to the flight – first stage – phase; Major Mode 102. The RSLS was done and turned off.
A young Flight Director on console with the SOO7 document open on the console shelf – red binder.
Wayne Hale's Blog 
To much living in the lets deal with the future
Wayne, Very interesting. Although I was not directly involved in Shuttle Ops after it became operational, I was a Flight Crew Operations representative to the early Shuttle design and development efforts. One of our big concerns was the possibility of generic software problems which resulted in the development of the BFS. I have not seen anything documented about the history of the BFS. Was it included throughout Shuttle operations and was it ever actually used? Was it just an unnecessary hassle? Thank you for your great service in Flight Ops. Art Nolting
The BFS was initially thought only to provide a way to fly the shuttle if the primary system failed. It was never used for that in flight although there were probably ten thousand simulations that ‘engaged’ the BFS during launch or entry.
However, one of the interesting facets of the BFS is that is could actually listen to some onboard telemetry streams that the primary system could not, and that was even in the ‘pre-engage’ listening mode of the BFS. So over time more and more systems monitoring was built into the BFS software. We could not have successfully flown the shuttle without some of that monitoring so it was absolutely used for that purpose on each and every shuttle flight.
Very interesting. I am so glad the BFS became a useful tool. I assume any on-board software problems in the primary system were worked around operationally.
A really good read!
Startup lists have always been available but generally come across as just that, lists. Reading the startup sequence in this narrative really makes the process come alive, and adds to the appreciation of the complexity of what was accomplished. We often hear how each position in Mission Control represents a team of people that we don’t see. I thought of a similar reality as I read this narrative, thinking of how each and every one of the steps occurring every few seconds and milliseconds represents countless hours of design, planning, testing, and as indicated, sometimes debate. It’s almost incomprehensible to imagine the enormity of work that each Shuttle launch represented.
Hmmmm, I would have thought the Shuttle launch sequence would have been more complex, 😂
As always Wayne, thank you for the details and the background knowledge. It is amazing what is required to successfully conduct a human rated launch.
Well, this was a summary. There were a lot of other things going on in the background. I would cite the SSME Ops sequence which translated some of those RSLS commands into more detailed actions regarding the main engines; the LCC monitoring software continued to run in the LPS computers, and onboard the navigation and guidance software completed a huge number of calculations in the final seconds. So yes, it was more complex than this simple summary chart indicates.
Wow! – Doubtful any of those 5 ring binders were useful during an actual launch sequence – but rather were good for training, planning, coordination and troubleshooting after the fact. I enjoyed reading your explanations. So many “degrees of freedom” in a launch sequence and yet, despite the many opportunities for failure, launches were successful….or doomed to a hold by the weatherman…..
N. Clay Jones 832-282-1164 sent from my iMac M1 mini ________________________________
Thanks Wayne, very informative. I’ve written a fictional narrative of a shuttle launch (STS-136) abort and an actual launch, peppered with anomalies throughout. One command that the GC made just prior to MECO was “fine count.” Could you elaborate as to it’s meaning? Thanks and wonderful work here…
Fine count – typically called out by the FDO on the Flight Director comm loop – was a guidance mode indicating the final controls to precisely cut off the main engines to hit a bulls eye on the insertion targets. If I remember correctly is was the time frame about 6 seconds to main engine cutoff (MECO).
Thanks Wayne for the “fine count” explanation…very helpful!
Another great one Wayne. I saw Atlantis launch once. Didn’t know if it was going to go until a few minutes before T0 due to TAL weather I was the only one in the crowd with a scanner to listen to NASA public channel. It still wasn’t 100% and as the last minute counted down my heart rate skyrocketed. And I was only watching.
As a big fan of Jack Lousma, I recall after SRB separation during his STS-3 launch he called out “there’s 103”. I’m not sure if I ever heard anyone else call that out, and I’ve wondered what he meant for years. I think your blog just filled in that 42 year old blank. With Major Mode 101 being prelaunch, and Major Mode 102 being first stage, does that mean his call means “second stage”? Thank you so much for taking the time to write these blogs. I find each one fascinating!
Yes, the flight software was divided into ‘Major Modes’ depending on phase of flight. MM 101 was prelaunch, MM102 was first stage, MM 103 was second stage, MM104 was post MECO for OMS orbital insertion, etc. Entry was similarly divided in Major Modes that started with 301 for pre-deorbit burn coast through 305 for post landing functions. Abort modes 601 602 and 603 were for RTLS and contingency aborts. TAL and AOA transitioned directly from the MM 103 to MM 302 entry software. It was pretty complicated to learn and keep track of all the flight software modes.
“five General Purpose Computers.” — think of the extra space and weight available by replacing them with 5 hardened Arduinos. 🙂
Remember that the purpose of having redundancy was not just to protect against radiation induced failures, which I assume is what you meant by ‘hardened’ computers. There were a few occasions where GPCs failed in flight due to various electrical faults that had nothing to do with radiation. At the same time, they are archaic by today’s computing standards and much smaller and more capable computers are available for new flight vehicles. Just think about how your personal computer (or phone!) has improved since 1981. Wow.
Oh definitely. And by “hardened”, I really meant the kind of stuff that “old tech” was. Each copper signal wire was whatever gauge, the CPU ran at 5(?) volts, etc. All things that would be drastic overkill now.
I’d love to know what a gen 2 space shuttle could be if it didn’t need such a big payload bay or cross-range landing requirements, and took advantage of 40+ more years of tech. (Dream chaser?)
One of my deepest regrets/wishes is that we never got the chance to build a Space Shuttle 2.0 incorporating all the lessons learned and advances in technology. But I would have kept that huge crossrange capability – as an Entry Flight Director I found that extraordinarily useful.
Wonderful
Great read, Wayne. I was QC on S0007 in the firing room for several launches. It was a challenge keeping up with all the various steps/sequences and deviations. I started in 79 as a Rec. Inspector for USBI. When the contract changed I went to Thiokol. I eventually moved up to run the ET/SRB QC Department as the Manager. I made a habit of doing a Pad walk down of the vehicle a few days prior to launch. I was amazed at some of the things I found but then again, I suspect you may not be. As the contracts changed I ended up going to Lockheed and finally USA. I spent 29 years at KSC and loved every day of it. Thank you again for these great stories allowing us to reminisce.
You mentioned the BFS. I was a Flight Crew Operations representative to the early Space Shuttle design and development effort. Along with the Engineering Avionics Division we were concerned that there might generic software problems that could impact functioning of the Flight Design System. Was the BFS after used in flight?
The BFS had functions that were used every flight. For example, it monitored – and displayed to the crew – certain telemetry measurements that the primary system could not access. That said, the intended function of the BFS – to take over flight control of the vehicle in a critical time if the primary system suffered some catastrophic fault like a generic software glitch – was never used. In actual flight the BFS was never ‘engaged’. Some of us lobbied for a test during quiescent conditions on orbit but the program management never authorized it.
Assuming it’s a relevant metric reflecting the complexity of the shuttle launch sequence, I wonder how many lines of code all this required?
While we’re at it, what language(s) were used? It’s easy to assume C, but that’s also about when Ada was all the rage, or given that the computers were old IBM boxes introduced in the late 60s, were they just assembly?
I believe the Space Shuttle software predates Ada. The ground software was written in a special language called GOAL; sorry but I don’t remember what that stands for and certainly don’t know anything about the characteristics of that programming language.
The onboard software was written in an IBM derived language called (drum roll) HAL-S. Yep, the space vehicle Discovery OV-103 had software written in HAL-S (the -S part was ‘shuttle’). That was a highly efficient, very structured language that compiled into a very compact bit stream.
Important to remember that the GPCs – IBM AP-101s – were developed initially for the B-1 bomber in the 1970s; very rugged – and with a non-volatile memory of a whopping 256 kilobytes. Yep, not a misprint. 256 kilobytes to fly the most complex space vehicle ever built. Later in the program there was a memory upgrade to 512 kilobytes. That allowed us to remove the tape drive memory storage.
Love your posts. It was an incredible machine and y’all were heroes of mine.
Mr. Hale,
I represent the Midwest Institute for Applied Physics Research, an unsuccessful offeror on Appendix P HLS. (Disclaimer: this comment is not a proposal or a proposal modification.) We have serious and, we believe, well-thought-out concerns about the current Artemis program structure. We also understand that you do not need off-topic comments, however. May we contact you in your HEO oversight capability, and if so, how may we do so?
Thanks either way and thank you for your time.
I will make my comments and evaluations known in public on this forum in the next few months.
Very fascinating article! Thank you for sharing. Has the S007 document ever been made available to the general public?
I don’t know if it has been made available. I can’t think why it couldn’t be. It is 5 very large volumes . . . .
Is it correct to say the LOX drain back was initiated at T-4:00 (I think) to get the SSMEs into the start box?” How did ET pressurization impact LOX drain back? (It is probably obvious I am not an engineer. lol.)