Fuel sensor problem could delay launch
BY WILLIAM HARWOOD
STORY WRITTEN FOR CBS NEWS "SPACE PLACE" & USED WITH PERMISSION
Posted: December 6, 2007
Engineers are troubleshooting an apparent problem with two of four engine cutoff sensors in the shuttle Atlantis' hydrogen tank that apparently "failed wet" during fuel loading today. If troubleshooting confirms an actual failure, that means the sensors could falsely indicate the tank still has hydrogen in it at the end of the climb to space when, in fact, it is empty.
Here is a bit of background, taken from our coverage of an earlier shuttle mission, on engine cutoff sensors in the shuttle's external tank:
Twenty-four propellant sensors are used in the shuttle's external tank, 12 each in the oxygen and hydrogen sections. Eight are used in each tank to measure the amount of propellant present before launch. Four in each tank, known as engine cutoff (ECO) sensors, are part of a backup system intended to make sure the ship's engines don't run too long, draining the tank dry with potentially catastrophic results, after other problems that might prevent an on-time shutdown.
NASA's original launch commit criteria required three operational ECO sensors for a countdown to proceed. But in the wake of the 1986 Challenger disaster, the LCC was amended to four-of-four because of concerns two sensors could be knocked out by a single failure in an upstream electronic black box known as a multiplexer-demultiplexer. The single-point failure later was corrected, but the four-of-four launch rule remained on the books.
Because of ECO sensor problems going into the first post-Columbia mission, NASA managers ultimately developed an "exception" to the four-of-four rule that would permit a launch if A) one hydrogen sensor failed wet; and B) engineers could show the problem didn't originate in the multiplexer-demultiplexer avionics system that controls the flow of data to and from the sensors.
As originally written, the flight rule exception called for standing down a day. A second launch try could then be made depending on an analysis of the way the sensor failed and how it behaved during a second fueling. With one sensor failed wet, two more ECO sensors would have to fail wet to pose the threat of running the tank dry.
The hydrogen ECO sensors are located at the very bottom of the tank near the entrance to the pipe that carries hydrogen into the shuttle's engine compartment.
The cutoff sensors are armed late in the ascent when a relatively small amount of rocket fuel remains in the tank. Once armed, the shuttle's computer system checks the status of each sensor, which is still immersed in cryogenic propellant, to make sure it is "wet." To protect against a faulty sensor, the first "dry" indication from any one of them is discarded.
During normal operations, the shuttle's flight computers continuously calculate the orbiter's position and velocity, using that data to figure out when the engines should be shut down to achieve the desired target. As a backup, the computers also monitor the ECO sensors as the tank empties to protect against unexpected problems that might affect the performance of the propulsion system.
The shuttle is launched with more fuel than it needs and in normal operation, the ECO sensors would never be "dry" before the normal guidance-based engine shutdown sequence begins. But if a problem does occur, and the engines run longer than expected, two "dry" sensors would trigger an engine shutdown to keep from running the tank dry. As long as at least three sensors indicate "wet," however, fuel is assumed to be in the tank and the engines will keep running.
Once the system is armed, two sensors must fail "dry" to trigger an inadvertent engine shutdown. Before arming, three sensors must fail "dry." If three sensors fail "wet," the engines could run the tank empty.
The odds of such multiple failures are "extremely remote," according to internal NASA documents describing earlier problems. In fact, no cutoff sensors have failed in flight since the sixth shuttle mission in 1983 when the design was changed.
But the consequences of an early or late engine shutdown are extreme. A premature shutdown could prevent a crew from reaching orbit while a late shutdown could result in an engine fire or explosion. Even though the cutoff sensor system is considered a backup to the shuttle's flight computers, NASA wants four operational cutoff sensors in each tank to provide multiple layers of redundancy.
The engine cutoff sensor system has been put to the test only two times in the history of the shuttle program.
During the shuttle Challenger's launching July 29, 1985, on mission STS-51F, a main engine shut down five minutes and 43 seconds after blastoff because of an internal temperature sensor failure. The fuel consumption of the two engines that kept running was affected and the end result was an ECO sensor engine cutoff. The only other such shutdown in shuttle history occurred during launch of mission STS-93, when a hydrogen leak in the coolant tubes making up main engine No. 3's nozzle caused more oxygen to be consumed than expected. In that case, oxygen ECO sensors went "dry," triggering engine shutdown.
In both cases, the shutdowns happened late in the ascents and both shuttle crews were able to complete their missions (Challenger's crew ended up in a lower-than-planned orbit due to the earlier engine shutdown).
Problems with ECO sensors bedeviled NASA during the ramp up to the first post-Columbia mission, prompting one launch scrub and intense analysis. After the flight, engineers traced the problem to a suspect connection between sensors and electrical cables in a specific batch of ECO sensors manufactured in the late 1990s.