SpaceX F9 : Crew Dragon In-Flight Abort Test : Jan. 19, 2020 : Discussion

[crandles57]

In a real abort scenario, I can only imagine that Dragon would attempt to shut down the engines. Thus, in this test, it would do the same.

Nonsense. Absolute utter nonsense.

Why do I say this with such confidence?
Because shutting down the engines take a LOOOOOOOOOOOOOOOOOOOOOOOOOOOONG time, at least as abort scenarios go. Having the Dragon perform a Merlin engine shutdown would require the Dragon loitering around without leaving the stack, for several hundred milliseconds.

Musk was quite clear lots of things happen in 700 milliseconds and ordering a shutdown doesn't mean you wait to see if it happens as expected then trigger separation. You order the shutdown and go regardless of whether the shutdown happens.

[TheRadicalModerate]

In a real abort scenario, I can only imagine that Dragon would attempt to shut down the engines. Thus, in this test, it would do the same.

Nonsense. Absolute utter nonsense.

Why do I say this with such confidence?
Because shutting down the engines take a LOOOOOOOOOOOOOOOOOOOOOOOOOOOONG time, at least as abort scenarios go. Having the Dragon perform a Merlin engine shutdown would require the Dragon loitering around without leaving the stack, for several hundred milliseconds.
It also introduces an enormous amount of complexity in the abort parameters and sequences.
Time and complexity which would be insane to waste on neatening its house, when the house is on fire.

It doesn't have to be a synchronous shutdown, i.e., you don't have to wait for the shutdown to complete before you detach.  Instead, you just command the F9 to initiate shutdown, then leave.  It's harmless at the very least, and likely significantly reduces the time to achieve a safe separation distance between the D2 and the F9.

[TheRadicalModerate]

Do we all agree that, if an abort is triggered, part of the abort sequence will be to shut down whatever F9 engines aren't already shut down?

Yes.  That command may have been redundant in the IFA test.

I'll buy "may have been".  More specifically:

1) If the F9 initiated the shutdown, then it will have been redundant.

2) If the abort was triggered by either dummying up acceleration inputs or by simply inserting an abort criterion at the proper MET, altitude, and/or dynamic pressure, then the command will not have been redundant, and will have caused the F9 engine shutdown.

[meekGee]

In a real abort scenario, I can only imagine that Dragon would attempt to shut down the engines. Thus, in this test, it would do the same.

Nonsense. Absolute utter nonsense.

Why do I say this with such confidence?
Because shutting down the engines take a LOOOOOOOOOOOOOOOOOOOOOOOOOOOONG time, at least as abort scenarios go. Having the Dragon perform a Merlin engine shutdown would require the Dragon loitering around without leaving the stack, for several hundred milliseconds.
It also introduces an enormous amount of complexity in the abort parameters and sequences.
Time and complexity which would be insane to waste on neatening its house, when the house is on fire.

You say that as if Dragon clears the explosion zone in a millisecond...

The state of the F9 engines continues to matter even after separation since it influences the rate of separation, and you don't know when the rocket will explode.

This is even more true for an abort off of S2, because once Dragon breaks free the stage might leap forward with renewed ooomph if the engine is still pushing.

[Pete]

Musk was quite clear lots of things happen in 700 milliseconds and ordering a shutdown doesn't mean you wait to see if it happens as expected then trigger separation. You order the shutdown and go regardless of whether the shutdown happens.

Yes, the engines get shut down following/during an abort.
But WHY is everyone insisting the Dragon is sitting there, managing the task?
The stage avionics would be shutting down engines, and managing a hundred other tasks, to mitigate the situation in an abort.
The *DRAGON* would care only about itself.
Once it decides that abort is needed, it just checkd abort tools (Dracos, propelants, etc), and GO!

So many of the other tasks needed in an abort require sensor feedback and/or time-sequenced actions to accomplish. Engine shutdown is a prime example of this, you do *not* just switch off a Merlin engine. You cannot even shut down fuel feed instantaneously, there is a small matter of several hundred kg of propellant passing through its plumbing at many meters per second. One does *not* just slam a valve closed on something like that. Shutting down a running turbopump rocket engines takes *time*. Time the Dragon cannot afford just sitting there doing.

[quagmire]

Musk was quite clear lots of things happen in 700 milliseconds and ordering a shutdown doesn't mean you wait to see if it happens as expected then trigger separation. You order the shutdown and go regardless of whether the shutdown happens.

Yes, the engines get shut down following/during an abort.
But WHY is everyone insisting the Dragon is sitting there, managing the task?
The stage avionics would be shutting down engines, and managing a hundred other tasks, to mitigate the situation in an abort.
The *DRAGON* would care only about itself.
Once it decides that abort is needed, it just checkd abort tools (Dracos, propelants, etc), and GO!

So many of the other tasks needed in an abort require sensor feedback and/or time-sequenced actions to accomplish. Engine shutdown is a prime example of this, you do *not* just switch off a Merlin engine. You cannot even shut down fuel feed instantaneously, there is a small matter of several hundred kg of propellant passing through its plumbing at many meters per second. One does *not* just slam a valve closed on something like that. Shutting down a running turbopump rocket engines takes *time*. Time the Dragon cannot afford just sitting there doing.

Again Dragon doesn’t sit there to confirm shutdown. It just says, “ Hey F9 shutdown, see ya” and bolts. It doesn’t wait for an acknowledgement of said command, it doesn’t wait for the shutdown sequence to finish, it just tells the F9 to shutdown, that’s it. The command could very well have gone by ignored due to the malfunction occurring to initiate the abort, but again Dragon won’t be waiting around for it.

[TheRadicalModerate]

Musk was quite clear lots of things happen in 700 milliseconds and ordering a shutdown doesn't mean you wait to see if it happens as expected then trigger separation. You order the shutdown and go regardless of whether the shutdown happens.

Yes, the engines get shut down following/during an abort.
But WHY is everyone insisting the Dragon is sitting there, managing the task?
The stage avionics would be shutting down engines, and managing a hundred other tasks, to mitigate the situation in an abort.
The *DRAGON* would care only about itself.
Once it decides that abort is needed, it just checkd abort tools (Dracos, propelants, etc), and GO!

So many of the other tasks needed in an abort require sensor feedback and/or time-sequenced actions to accomplish. Engine shutdown is a prime example of this, you do *not* just switch off a Merlin engine. You cannot even shut down fuel feed instantaneously, there is a small matter of several hundred kg of propellant passing through its plumbing at many meters per second. One does *not* just slam a valve closed on something like that. Shutting down a running turbopump rocket engines takes *time*. Time the Dragon cannot afford just sitting there doing.

You're assuming that the Dragon has to babysit the engine shutdown.  It doesn't.  There's an entirely different set of avionics on the F9 itself.  All the Dragon has to do is tell the F9 avionics, "Shut down any running engines", which takes literally nanoseconds, and it can continue on to pressurize the SuperDracos, ignite them, release from the F9, and go on its merry way.  It's virtually zero time to command the shutdown, and it can yield quite a bit of extra separation distance.

[lonestriker]

Musk was quite clear lots of things happen in 700 milliseconds and ordering a shutdown doesn't mean you wait to see if it happens as expected then trigger separation. You order the shutdown and go regardless of whether the shutdown happens.

Yes, the engines get shut down following/during an abort.
But WHY is everyone insisting the Dragon is sitting there, managing the task?
The stage avionics would be shutting down engines, and managing a hundred other tasks, to mitigate the situation in an abort.
The *DRAGON* would care only about itself.
Once it decides that abort is needed, it just checkd abort tools (Dracos, propelants, etc), and GO!

So many of the other tasks needed in an abort require sensor feedback and/or time-sequenced actions to accomplish. Engine shutdown is a prime example of this, you do *not* just switch off a Merlin engine. You cannot even shut down fuel feed instantaneously, there is a small matter of several hundred kg of propellant passing through its plumbing at many meters per second. One does *not* just slam a valve closed on something like that. Shutting down a running turbopump rocket engines takes *time*. Time the Dragon cannot afford just sitting there doing.

Again Dragon doesn’t sit there to confirm shutdown. It just says, “ Hey F9 shutdown, see ya” and bolts. It doesn’t wait for an acknowledgement of said command, it doesn’t wait for the shutdown sequence to finish, it just tells the F9 to shutdown, that’s it. The command could very well have gone by ignored due to the malfunction occurring to initiate the abort, but again Dragon won’t be waiting around for it.

Agreed.  This is also one of the many benefits of using liquid boosters and not solids*.  You can tell them to throttle up or down and also to turn them off in the event of an emergency.  There's no inconsistency to say that the loss of thrust on F9 caused the abort AND that D2 ALSO told the booster to shutdown after abort was triggered.  And it's silly to argue that D2 has to wait around before the booster completes the command.

* This "feature" of solid boosters is also why I can't imagine making an actual IFA test optional for Boeing and CST. How you simulate an abort on Atlas V + solid boosters in many different scenarios is a difficult task.  If the boosters detached and are still lit, they will have significant thrust-to-weight ratio that should be able to outrun the CST abort engines.

[John Santos]

Musk was quite clear lots of things happen in 700 milliseconds and ordering a shutdown doesn't mean you wait to see if it happens as expected then trigger separation. You order the shutdown and go regardless of whether the shutdown happens.

Yes, the engines get shut down following/during an abort.
But WHY is everyone insisting the Dragon is sitting there, managing the task?
The stage avionics would be shutting down engines, and managing a hundred other tasks, to mitigate the situation in an abort.
The *DRAGON* would care only about itself.
Once it decides that abort is needed, it just checkd abort tools (Dracos, propelants, etc), and GO!

So many of the other tasks needed in an abort require sensor feedback and/or time-sequenced actions to accomplish. Engine shutdown is a prime example of this, you do *not* just switch off a Merlin engine. You cannot even shut down fuel feed instantaneously, there is a small matter of several hundred kg of propellant passing through its plumbing at many meters per second. One does *not* just slam a valve closed on something like that. Shutting down a running turbopump rocket engines takes *time*. Time the Dragon cannot afford just sitting there doing.

Again Dragon doesn’t sit there to confirm shutdown. It just says, “ Hey F9 shutdown, see ya” and bolts. It doesn’t wait for an acknowledgement of said command, it doesn’t wait for the shutdown sequence to finish, it just tells the F9 to shutdown, that’s it. The command could very well have gone by ignored due to the malfunction occurring to initiate the abort, but again Dragon won’t be waiting around for it.

Agreed.  This is also one of the many benefits of using liquid boosters and not solids*.  You can tell them to throttle up or down and also to turn them off in the event of an emergency.  There's no inconsistency to say that the loss of thrust on F9 caused the abort AND that D2 ALSO told the booster to shutdown after abort was triggered.  And it's silly to argue that D2 has to wait around before the booster completes the command.

* This "feature" of solid boosters is also why I can't imagine making an actual IFA test optional for Boeing and CST. How you simulate an abort on Atlas V + solid boosters in many different scenarios is a difficult task.  If the boosters detached and are still lit, they will have significant thrust-to-weight ratio that should be able to outrun the CST abort engines.

I mostly agree with this but some/many/all solid boosters have a thrust termination system: blow a hole in the top of the rocket and the thrust goes essentially to zero almost instantly.  IF the Atlas solids have this feature, they wouldn't be able to out-accelerate the CST.
BTW, this discussion belongs in a CST-100 thread or a general abort thread, not in the Dragon IFAT discussion...

[meekGee]

Musk was quite clear lots of things happen in 700 milliseconds and ordering a shutdown doesn't mean you wait to see if it happens as expected then trigger separation. You order the shutdown and go regardless of whether the shutdown happens.

Yes, the engines get shut down following/during an abort.
But WHY is everyone insisting the Dragon is sitting there, managing the task?
The stage avionics would be shutting down engines, and managing a hundred other tasks, to mitigate the situation in an abort.
The *DRAGON* would care only about itself.
Once it decides that abort is needed, it just checkd abort tools (Dracos, propelants, etc), and GO!

So many of the other tasks needed in an abort require sensor feedback and/or time-sequenced actions to accomplish. Engine shutdown is a prime example of this, you do *not* just switch off a Merlin engine. You cannot even shut down fuel feed instantaneously, there is a small matter of several hundred kg of propellant passing through its plumbing at many meters per second. One does *not* just slam a valve closed on something like that. Shutting down a running turbopump rocket engines takes *time*. Time the Dragon cannot afford just sitting there doing.

Not a single person upthread said the Dragon managed the shutdown.

This entire discussion is on one detail:

Was Dragon rigged to abort and commanded an F9 shutdown, or was F9 commanded to shutdown from the ground.

It's an interesting detail, but...

[Alexphysics]

I don't know who said that all Dragon does is minding its business but that's completely false. Falcon 9 and Crew Dragon's computers are constantly talking to each other, Crew Dragon is always knowing all the important parameters on the rocket and at the milisecond one of them turns the wrong way or looks horrible it initiates abort which includes the shutdown of the engines. And here I'm talking in a general situation, not discussing if the engines were shutdown by Crew Dragon during this test or if they were preprogrammed to be shutdown and things like that. The point is that no, Crew Dragon is not minding its business and doing nothing, it is always constantly checking on Falcon to see if everything is ok or if it has to abort.

[Kabloona]

Here's a theory about how and why the IFA abort sequence was triggered that addresses both sides of the arguments made upthread.

Normally, the Dragon abort trigger due to low F9 thrust would occur after an engine failure or some other propulsion anomaly that caused F9 thrust to drop, at which point the Dragon low-acceleration sensor would trigger the abort.

So why didn't SpaceX simply program F9 to reduce thrust at the desired time in the flight sequence, and let Dragon's low-acceleration sensor do its job, without changing the threshold of that "trigger" as they stated had been done? That seemingly would have been the sensible thing to do, as it would most closely follow the sequence of events during an actual in-flight anomaly.

But apparently they changed the "trigger" threshold to make Dragon intiate the abort, even with F9 operating at normal thrust. Dragon then presumably sends a command to F9 flight computer saying, "I'm aborting, so you start your abort sequence too."  Then F9 goes into its own abort routine, shutting down its engines, etc, while Dragon is independently executing its abort. (BTW, that command to F9 could be as simple as a breakwire at the sep plane, by which F9 would automatically shut down after Dragon has already separated).

So why do the test this way, with Dragon aborting "a priori," while F9 thrust is still nominal? Because that's an edge case, proving that Dragon can abort safely while F9 is operating at nominal thrust during Max-Q (or max drag, whichever it was). Since separation is a major concern, you want to prove Dragon can separate and escape even when F9 is "chasing" it in worst case, ie at nominal thrust.

Once you prove Dragon can abort and outrun F9 at nominal thrust, you've also proven it can do it with F9 at the lower thrust levels, when it's not "chasing" Dragon with as much thrust at separation.

So, IMO, this was a rather clever way to test an edge case in the abort envelope, ie with F9 at nominal thrust.

[crandles57]

So, IMO, this was a rather clever way to test an edge case in the abort envelope, ie with F9 at nominal thrust.

To add to this, they had passed MaxQ and had at least started throttling back up the engines when the abort happened. So seems likely it was timed to be a worst case scenario which involves both highest aerodynamic pressure and F9 engines at high power level.

[rsdavis9]

And wouldn't just one engine shutting down be okay? The f9 is designed to lose one engine and still make orbit with the remaining 8. So the lost of thrust must be more than one engine shutdown?

[Stan-1967]

This discussion on the relevance of Dragon either initiating or just responding to the abort command has been interesting, however I don't understand the fuss over the delay time from sensing the failure to the firing of the superdraco's.  The point being if the D2 computer sends the command to shut off engines after sensing loss of thrust, it is somehow wasting time by sending the command when it should be aborting.  It seems like D2 is capable of doing both.  Once an abort is in process, there are many event that have transient times.  ( pressurize tanks, release latches, etc.) Even if the chain of events from sensing an abort failure to firing of the SD's takes 1-2 milliseconds, that is several million clock cycles in the avionics multiple core CPU's to send a single bit of information for defining the engine state of the F9 booster. 

Reminds me of Star Trek NG when Data considered the Borg's offer to make him flesh & blood for 4.5 milliseconds ( or something) which was an eternity for him.

[MrHollifield]

I don't have any specific knowledge of how SpaceX does it, but as a controls engineer, I would implement the abort trigger something like this:
-F9 reads a status register from Dragon. Within that register there is a bit labeled NotAbort.
-There is a limit switch or break wire monitoring the connection between the Dragon trunk and F9 S2.


These two conditions are permissives for F9's engines. As long as both are TRUE, F9 manages the flight as normal. If either goes to FALSE, F9 initiates a shutdown and safing.


For the IFA, you modify the abort criteria in Dragon so that it thinks a normal reading is out of limits. This tests Dragon's monitoring of flight parameters and ability to initiate an F9 shutdown. When the abort reading is detected, NotAbort is set to FALSE in the F9 status register. Dragon continues with its abort procedure and SDs fire when ready, about 700ms later, IIRC. As Dragon rockets off on the SD's, the limit switch/break wire signal on F9 is lost. If F9 didn't recognize the NotAbort bit being set low, the loss of the contact signal will initiate the engine shutdown.


In this scenario, Dragon does nothing to F9 and does not monitor the engine shutdown. It sets one bit in a status register and then gets itself clear. This would agree with Elon's statement that they set a speed trigger in the Dragon abort software to initiate the abort at a speed they expected to reach at 84 sec MET.


Mark

[Nomadd]

 I suppose you could do a thought experiment, where something went wrong with the engine shutdown command that didn't affect anything else, and try to figure out how that would have affected the abort, but I don't think it's worth six more pages of this back and forth that could have been summed up in three posts.

 Does anybody even know if engines running are based on a deadman type setup, or what a loss of comms with Dragon would cause?

[Perchlorate]

A professor once asked his class, "How can you measure the height of a tall building with a barometer?"

Fred raised his hand and said, "I'd measure the barometric pressure on the first floor, jot it down, then go to the top of the building and note the pressure there, too.  With some simple calculations based on the pressure difference, I'll give you the height within 5 or 10 feet."

Chris raised hand and said, "I'd grab a friend with a stopwatch, take the barometer to the top of the building and toss it off.  My friend will start the stopwatch exactly when he sees me throw it, then click it at the exact moment of impact.  With some even simpler calculations, I'll give you the height even more accurately than Fred."

Pete smiled and raised his hand and said, "I'll go to the building, see the superintendent and say, 'If you'll let me have a quick look at the blueprints for this building, I'll give you this fine barometer,' and then I'll have the exact height."

(Moral of the story:  For the love of God, will SOMEBODY from SpaceX PLEASE chime in with the final answer and put this thread out of its misery.)

[CorvusCorax]

I love this discussion: Let's throw some kindlings into the fire:

1950's style solution:

A breakwire runs from the engine main propellant valve to the spacecraft at the top of the rocket and back down to the 1st stage engine. If the breakwire (which is double-redundant to prevent false positives) gets interrupted because of vehicle breakup or abort, the engine shuts down. The same cable is also used by the abort tower to trigger the escape rocket. You got all bases covered. If the vehicle breaks up, the engines shut down and and the abort rocket fires. If the astronauts hit the abort switch, the escape rockets fire, the capsule separates, wires get disconnected and the engine shuts down. If the engine shuts down, the spacecraft can measure the loss of thrust (it has inertial guidance) and escape, too.

1980's style solution:
the spacecraft has all the computers. in case of an abort, the computer sends commands all the way down to the engine, bypassing the engine controller and shuts down the main valves, then initiates vehicle separation and flies away. if main engines fail to shutdown... oh wait, the main engines are on the spacecraft anyway, never mind ...

2010's style solution:
The vehicle has a network bus, connecting both stages and spacecraft redundantly. If an abort trigger is noticed, the "abort condition" is signaled on the main vehicle bus with an appropriate broadcast message. Individual components will respond to that broadcast message with appropriate behavior for the flight regime: Main engines will be shut down by their respective engine control computers. Attachment clamps will separate. Abort engines will fire. Guidance is in 'launch escape mode', etc...

2030's solution:
Launch escape? Where we're going, we don't need no launch escape...

[TheRadicalModerate]

2030's solution:
Launch escape? Where we're going, we don't need no launch escape...

How reliable is the robot that scoops the banana peel out of the Mr. Fusion?

FWIW, I think this is a great discussion, too.  However 33 likes on Perchlorate's "please make this pain stop" post seem to put us in a minority.