Engine cutoff sensor options debated
BY WILLIAM HARWOOD
STORY WRITTEN FOR CBS NEWS "SPACE PLACE" & USED WITH PERMISSION
Posted: September 8, 2006
NASA managers are mulling two options for dealing with the failure of a hydrogen fuel level sensor in the shuttle Atlantis' external tank: Flying as is today or standing down for 24 hours for additional troubleshooting.
Engine cutoff - ECO - sensor No. 3 in the base of the hydrogen section of the huge external tank apparently "failed wet" early today during a test. Computer commands were sent to simulate a dry condition as part of a now-standard health check and the sensor continued to indicate wet.
Twenty-four propellant sensors are used in the shuttle's external tank, 12 each in the oxygen and hydrogen sections. Eight are used in each tank to measure the amount of propellant present before launch. Four ECO sensors in each tank are part of a backup system intended to make sure the ship's engines don't shut down too early, resulting in an abort, or run too long, draining the tank dry with potentially catastrophic results.
NASA's original launch commit criteria required three operational ECO sensors for a countdown to proceed. But in the wake of the 1986 Challenger disaster, the LCC was amended to four-of-four because of concerns two sensors could be knocked out by a single failure in an upstream electronic black box known as a multiplexer-demultiplexer. The single-point failure later was corrected, but the four-of-four launch rule remained on the books.
Because of ECO sensor problems going into the first post-Columbia mission, NASA managers ultimately developed an "exception" to the four-of-four rule that would permit a launch if A) a hydrogen sensor failed wet; and B) engineers could show the problem didn't originate in the multiplexer-demultiplexer avionics system.
As originally written, the flight rule exception called for standing down a day and if, during a second launch try, the same electronic "signature" was seen, the team could proceed with launch. Because of the way the system works, two more ECO sensors would have to fail wet to pose the threat of running the tank dry.
NASA managers today apparently are considering yet another change to the ECO sensor rationale. The problem is particularly vexing because Atlantis' tank is equipped with ECO sensors that underwent extensive inspections before installation.
Here is a bit of background for readers unfamiliar with the ECO sensor system (graphic available here.)
The cutoff sensors are armed late in the ascent when a relatively small amount of rocket fuel remains in the tank. Once armed, the shuttle's computer system checks the status of each sensor, which is still immersed in cryogenic propellant, to make sure it is "wet." To protect against a faulty sensor, the first "dry" indication from any one of them is discarded.
During normal operations, the shuttle's flight computers continuously calculate the orbiter's position and velocity, using that data to figure out when the engines should be shut down to achieve the desired target. As a backup, the computers also monitor the ECO sensors as the tank empties to protect against unexpected problems that might affect the performance of the propulsion system.
The shuttle is launched with more fuel than it needs and in normal operation, the ECO sensors would never be "dry" before the normal guidance-based engine shutdown sequence begins. But if a problem does occur, and the computers detect two "dry" sensors, they will shut the engines down to keep from running the tank dry. As long as at least three sensors indicate "wet," however, fuel is assumed to be in the tank and the engines will keep running.
Once the system is armed, two sensors must fail "dry" to trigger an inadvertent engine shutdown. If three sensors fail "wet," the engines could run the tank empty.
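The failure thresholds described above can be derived from the voting rule by enumerating every combination of sensor states. The following is an added example, not NASA flight software or code from the original article; it models only the rule as the article states it, and all function and state names are hypothetical.

```python
from itertools import product

WET, DRY = "wet", "dry"
OK, FAIL_WET, FAIL_DRY = "ok", "fail_wet", "fail_dry"   # hypothetical state names
N_SENSORS = 4                                            # ECO sensors per tank

def reading(state, truth):
    """What one sensor reports, given its health and the true tank condition."""
    return {FAIL_WET: WET, FAIL_DRY: DRY}.get(state, truth)

def cutoff_commanded(readings):
    """Armed-phase rule from the article: the first 'dry' is discarded,
    so two 'dry' indications are needed to shut the engines down."""
    return sum(r == DRY for r in readings) >= 2

def classify(states):
    """Hazard produced by a combination of sensor states."""
    if cutoff_commanded([reading(s, WET) for s in states]):
        return "premature_cutoff"          # shuts down with fuel still in the tank
    if not cutoff_commanded([reading(s, DRY) for s in states]):
        return "runs_dry"                  # never shuts down on an empty tank
    return "safe"

def additional_failures_needed(hazard, known=None):
    """Fewest further sensor failures that produce `hazard`, given already
    known failures as {sensor_index: state}. Returns None if unreachable."""
    known = known or {}
    best = None
    for states in product((OK, FAIL_WET, FAIL_DRY), repeat=N_SENSORS):
        if any(states[i] != s for i, s in known.items()):
            continue                       # inconsistent with known failures
        if classify(states) != hazard:
            continue
        extra = sum(s != OK for s in states) - len(known)
        best = extra if best is None else min(best, extra)
    return best

if __name__ == "__main__":
    print("fail-dry needed for premature cutoff:",
          additional_failures_needed("premature_cutoff"))
    print("fail-wet needed to run dry:",
          additional_failures_needed("runs_dry"))
    # Sensor No. 3 (index 2) already failed wet, as in the Atlantis countdown
    print("further failures needed to run dry:",
          additional_failures_needed("runs_dry", {2: FAIL_WET}))
```

The last call reproduces the flight-rule rationale: with one sensor already failed wet, two more must fail wet before the backup can no longer protect against running the tank dry.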
The odds of such multiple failures are "extremely remote," according to internal NASA documents describing earlier problems. In fact, no cutoff sensors have failed in flight since the sixth shuttle mission in 1983 when the design was changed.
But the consequences of an early or late engine shutdown are extreme. A premature shutdown could prevent a crew from reaching orbit while a late shutdown could result in an engine fire or explosion. Even though the cutoff sensor system is considered a backup to the shuttle's flight computers, NASA's post-Challenger launch commit criteria required four operational cutoff sensors in each tank to provide multiple layers of redundancy.
The engine cutoff sensor system has been put to the test only two times in the history of the shuttle program.
During the shuttle Challenger's launching July 29, 1985, on mission STS-51F, a main engine shut down five minutes and 43 seconds after blastoff because of an internal temperature sensor failure. The fuel consumption of the two engines that kept running was affected and the end result was an ECO sensor engine cutoff.
The only other such shutdown in shuttle history occurred during mission STS-93, when a hydrogen leak in the coolant tubes making up main engine No. 3's nozzle caused more oxygen to be consumed than expected. In that case, oxygen ECO sensors went "dry," triggering engine shutdown.
In both cases, the shutdowns happened late in the ascents and both shuttle crews were able to complete their missions.