Quote from: Barley on 09/10/2023 10:18 pm
  But that might cause the engine controller to be considered to be part of the AFSS and add another couple of 9's to the reliability requirement. Probably easier to hardwire a relay in series with a valve solenoid or hardwire explosives to the inlet manifold or hardwire something. I really don't want to have to discuss byzantine errors in a bus controller with a regulator.

No it would not. The AFSS/AFTS specs are pretty clear. Its job is to tell everyone to shut down (or whatever) when it detects an anomalous condition; it is a simple binary signal. If it does that reliably, then done.
Quote from: Barley on 09/10/2023 10:18 pm
  Quote from: TheRadicalModerate on 09/10/2023 09:31 pm
    2) There's nothing to say that the individual engine controllers can't do a safe shutdown if they lose contact with the primary flight computers. It's not a great solution, but odds are that things have already gone pear-shaped, and the shutdown is probably the least bad solution, or close to it.
  But that might cause the engine controller to be considered to be part of the AFSS and add another couple of 9's to the reliability requirement. Probably easier to hardwire a relay in series with a valve solenoid or hardwire explosives to the inlet manifold or hardwire something. I really don't want to have to discuss byzantine errors in a bus controller with a regulator.

What regulator? All the FAA cares about is that the thing goes boom when told to. Thrust termination has nothing to do with that. But thrust termination is incredibly important for any kind of launch escape, especially full Starship escape, which has pretty wimpy acceleration. The FAA doesn't care about that, at least until the human spaceflight moratorium expires (which could be next month, I guess).
Quote from: TheRadicalModerate on 09/10/2023 10:32 pm
  Quote from: Barley on 09/10/2023 10:18 pm
    Quote from: TheRadicalModerate on 09/10/2023 09:31 pm
      2) There's nothing to say that the individual engine controllers can't do a safe shutdown if they lose contact with the primary flight computers. It's not a great solution, but odds are that things have already gone pear-shaped, and the shutdown is probably the least bad solution, or close to it.
    But that might cause the engine controller to be considered to be part of the AFSS and add another couple of 9's to the reliability requirement. Probably easier to hardwire a relay in series with a valve solenoid or hardwire explosives to the inlet manifold or hardwire something. I really don't want to have to discuss byzantine errors in a bus controller with a regulator.
  What regulator? All the FAA cares about is that the thing goes boom when told to. Thrust termination has nothing to do with that. But thrust termination is incredibly important for any kind of launch escape, especially full Starship escape, which has pretty wimpy acceleration. The FAA doesn't care about that, at least until the human spaceflight moratorium expires (which could be next month, I guess).

I'm quoting you, if you've changed your mind just say so and we can move on.
Let's think this through. If the main flight computers lose contact with the engines, that's an abort condition. I don't know how many one minus nines that takes you into the failure tree, but now you're on the node that says, "Don't let the SuperHeavy hit you in the butt on the way out." So now the question is how you get as reliable a thrust termination as possible. If the main computers have lost connectivity to the engines, you've hopefully already begun the abort process. Also hopefully, you detected something catastrophically bad was developing and issued thrust termination before connectivity was lost, but that may be too much to hope. So the important thing is for the controllers to rapidly and reliably detect a loss of connectivity. The protocol for that could be a tad on the byzantine side (e.g., you could be in the process of a switch failover and you wouldn't want to abort a mission for that, but the switch can probably tell you that), but it's certainly manageable.

It's important not to begin an escape separation until thrust is terminated, if at all possible. But failure to terminate thrust is a reasonable contingency. Note that this isn't really a problem with a high thrust escape system, but could be a big problem if the Starship itself is your escape system.
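The post above sketches the loss-of-connectivity logic an engine controller would need: treat silence from the flight computers as a reason to fall back to a safe state, but let a switch failover notice explain a short gap without triggering the fallback. The following is an added illustration of that fail-safe watchdog pattern, not code from this thread or from any real flight controller; the class name, the timing constants (50 ms heartbeat timeout, 200 ms failover grace) and the event timeline are all assumptions constructed for the example.

```python
"""Fail-safe command-link watchdog (added illustration; all names and timing
values are assumptions, not anything from a real engine controller)."""
from dataclasses import dataclass


@dataclass
class LinkWatchdog:
    """Watchdog an engine controller could run on its link to the flight computers.

    Silence for more than `heartbeat_timeout` means the link is treated as lost
    and the controller falls back to a safe shutdown (absence of commands is
    never treated as "keep running"). A failover notice from the network
    switch grants up to `failover_grace` extra seconds, so a planned switch
    failover is not mistaken for a lost flight computer. The grace is capped
    relative to the last good heartbeat, so repeated notices from a flapping or
    faulty switch cannot hold the decision off indefinitely.
    """
    heartbeat_timeout: float = 0.050   # 50 ms, assumed value
    failover_grace: float = 0.200      # 200 ms, assumed value
    last_heartbeat: float = 0.0
    last_seq: int = -1
    failover_until: float = -1.0
    shutdown_latched: bool = False

    def heartbeat(self, now: float, seq: int) -> bool:
        """Accept a heartbeat only if its sequence number advances.

        Stale or replayed frames are ignored so they cannot keep a dead link
        looking alive; returns True when the heartbeat was accepted."""
        if seq <= self.last_seq:
            return False
        self.last_seq = seq
        self.last_heartbeat = now
        return True

    def failover_notice(self, now: float) -> None:
        """The switch reports a failover in progress: extend the deadline,
        but never beyond one grace period past the normal timeout."""
        hard_cap = self.last_heartbeat + self.heartbeat_timeout + self.failover_grace
        self.failover_until = min(now + self.failover_grace, hard_cap)

    def decide(self, now: float) -> str:
        """Return the controller's action at time `now`: RUN, HOLD or SAFE_SHUTDOWN.

        Once the safe shutdown is chosen it latches; a heartbeat that arrives
        afterwards does not restart the engine on its own."""
        if self.shutdown_latched:
            return "SAFE_SHUTDOWN"
        if now - self.last_heartbeat <= self.heartbeat_timeout:
            return "RUN"
        if now < self.failover_until:
            return "HOLD"              # silence is explained by a known failover
        self.shutdown_latched = True   # unexplained silence: fail safe and stay there
        return "SAFE_SHUTDOWN"


def run_timeline(events):
    """Replay a timeline of (time_s, kind, value) events through one watchdog.

    kinds: "hb" (value = sequence number), "failover", "tick" (sample point).
    Returns the (time, decision) pairs taken at each tick."""
    wd = LinkWatchdog()
    decisions = []
    for t, kind, value in events:
        if kind == "hb":
            wd.heartbeat(t, value)
        elif kind == "failover":
            wd.failover_notice(t)
        elif kind == "tick":
            decisions.append((t, wd.decide(t)))
    return decisions


# Constructed sample timeline (seconds); not captured from any real system.
SCENARIO_SWITCH_FAILOVER = [
    (0.000, "hb", 0),
    (0.010, "tick", None),      # fresh heartbeat -> RUN
    (0.020, "hb", 1),
    (0.025, "failover", None),  # switch announces a failover
    (0.030, "hb", 1),           # replayed frame: ignored, does not refresh the link
    (0.100, "tick", None),      # 80 ms of silence, but inside the failover grace -> HOLD
    (0.150, "hb", 2),           # link is back
    (0.160, "tick", None),      # RUN
    (0.500, "tick", None),      # 350 ms of unexplained silence -> SAFE_SHUTDOWN (latched)
    (0.510, "hb", 3),           # late heartbeat does not un-latch
    (0.520, "tick", None),      # still SAFE_SHUTDOWN
]

if __name__ == "__main__":
    for t, action in run_timeline(SCENARIO_SWITCH_FAILOVER):
        print(f"t={t:.3f}s  {action}")
```

The two design choices worth noting are the latch (once the controller has decided it is on its own, a stray late frame must not restart a shutdown in progress) and the cap on failover grace: the switch is allowed to explain a gap, but it is not trusted to extend the gap without bound, which is what keeps a misbehaving switch from becoming a silent "stuck throttle".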
Go and read them again. There's no requirement to shut down engines with a direct command for liquid fueled engines. None. Nada.
Sorry for being a bit snippy last night. I probably shouldn't post after dark.
The problem with the engine controller shutting down the engines for the abort is that the engine controller could go haywire. A software "stuck throttle" in the engine controller could both require an abort and make the abort more difficult. You want to be able to say:

P(Loss of crew) = P(Loss of Booster) x P(Failure of Escape system)