Thread: Commercial Crew
  #64  
Old July 16th 19, 03:58 PM posted to sci.space.policy
Greg (Strider) Moore

I don't normally try to top-post, but there's not a specific comment I want
to respond to, rather the general idea.

JF: Here's the thing (and Jeff and Fred will correct me if I'm wrong), but
believe it or not, redundancy is NOT always better.
I'll give you two examples:

What's safer for a small aircraft, one engine or two?
Most people will immediately leap to "two". But, the answer is not that
simple.
Sure, if one engine fails, you still have another, but...
You double your chances of failure. That's a con.
AND... in the hands of someone w/o enough experience, you now have an
aircraft that immediately wants to flip into the direction of the remaining
engine. This can be bad, especially during take-off. So, a 2nd engine does
NOT automatically make things safer. The redundancy can in fact make things
LESS safe. (but keep in mind it's not purely a binary decision when
designing an aircraft).

I'll give you another more personal case.
I do vertical caving. I teach vertical caving. We use something called
"Single Rope Technique" (SRT). Basically we rappel and climb on a single
rope. There is NO belay rope.
This is often SAFER than having a belay rope. There's a multitude of
reasons, but a big one is in many pits, the air will swirl up the pit. This
and the motion of the climber (or rappeller) can cause the rope you're on to
twist. If you have a single rope, this can lead to a bit of dizziness, but
that's about it. With a 2nd rope, they will start to braid each other. This
can stop the person completely so they can't move. They are now stuck on
the rope. Again, "redundancy" is a bad choice here.

With the case of Falcon 9, you're confusing the logic to decide if there's
an abort with the order to carry it out.
There is almost certainly redundancy in sensors (such as the SSMEs had)
because you don't want a flaky sensor triggering an abort. BUT, once the
decision is made, you want it as simple as possible; a single wire with
voltage is that simple.

Yes, is it possible that magically the voltage on that wire drops to zero
when it shouldn't and triggers an abort? Sure, I suppose. And in that case
the astronauts get a wild ride and a story to tell.
But what would be worse is if you have 2 or more wires and one doesn't drop
to zero and you do NOT abort when you need to. In that case the astronauts
get an obituary and their families are left to tell stories.

This is why Jeff at one point uses the term fail-safe. An abort is a "bad
day" event, but should be survivable, even if it's a mistake. A failure to
abort when you should have is potentially a company-ending event. So if
you're going to fail, fail in a way that's safe for the crew.


"JF Mezei" wrote in message ...

On 2019-07-14 09:05, Jeff Findley wrote:

monitor itself to ensure it's on the right trajectory. If it's not, it
initiates the FTS (flight termination system) in order to make sure that
it doesn't go completely off course, which might endanger people who are
outside of the exclusion zone underneath the intended flight path.


My understanding is that FTS is triggered only when the rocket strays
from a cone of acceptable trajectory. So it isn't triggered as soon as
it strays off nominal trajectory since there could still be hope it
recovers. So there is logic involved in this.


Of course it does. But that does not negate the fact that the second
stage needs to know its trajectory all the way to orbit. So it would
make sense that the second stage computers are the ones to ensure
mission success.


Second stage computers only need situational awareness, aka a copy of
the telemetry feed and comms with first stage computers. First stage
computers need the logic in order to land, so it can't be a slave to
the second stage.


Landing happens *after* first stage separation. It's
a secondary objective not directly tied to mission success.


But still a critical one because the first stage could go nuts and require
termination instead of crashing in downtown Cocoa Beach.

Why would the first stage ever give a damn about the second stage?


It needs to know if second stage is healthy or has exploded or whatever.
It should be part of the logic to decide whether to self destruct or not.


It's going to know right away because it's going to lose the link to the
second stage and its engines will shut down.


Exploding tank in stage 2 might not sever the "voltage or not" line.
Consider Apollo 13. They lost one side of the command module but much of
it remained functional.


We've gone over this what feels like 100 times. The "abort now" wire
going to the capsule that should have a positive voltage during launch



I really doubt "man rating" a rocket would accept a single wire as the
one commanding the catastrophic abort. If you insist on an old analogue
voltage-or-no-voltage wire, they'd at the very least put 3 such wires each
120° apart around the rocket and have computers at least require loss of
voltage on 2 wires for more than x milliseconds.

But I really doubt that Musk would have gone for 1950s analogue stuff on
a modern rocket, especially since Falcon9 would not have had such a wire
running in cargo missions that don't have abort.

Consider also that there must be some delay between initiation of the
Dragon2 abort and initiation of the self-destruct charges. So it can't
be the same wire.


That is because the initiation of an abort really only needs one signal
wire (and a ground as a voltage reference). We've both been telling you
this from the beginning, but you simply won't listen.


Because the use of analogue unreliable connections is not credible in a
man-rated system built in the 21st century. And the User Guide mentions
"command", which implies a data packet is sent.

Just because old missiles designed in the 1950s used such an analogue
system doesn't mean Falcon9 added this old mechanism to support Dragon2.

Sure you could let the capsule monitor telemetry from the launch vehicle
during the flight. But that is *separate* from the abort system.


So you admit Dragon2 might get telemetry? The other guy doesn't admit to it.
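To make the fail-safe argument in the thread concrete (the single voltage-carrying wire Greg describes, a fail-safe OR of several such wires, and the 2-of-3 hold-time vote JF proposes), here is a small added simulation; it is not from either poster or from SpaceX, and every wire count, timing and fault scenario in it is constructed.

```python
"""Constructed model of the abort-wire policies argued over in the thread.

Convention from the thread: each wire carries positive voltage during a normal
launch and loss of voltage is the 'abort now' command. A sample is a tuple of
wire levels (True = voltage present), one per millisecond. All scenarios and
fault cases below are constructed; nothing here is SpaceX data."""

def make_samples(n_wires, abort_at=None, stuck_high=(), glitch=None, length=20):
    """Readings for `length` ms. abort_at: ms at which the vehicle drops every
    wire (None = nominal flight). stuck_high: wire indexes whose driver fails
    and never drops. glitch: (wire, ms) of a single 1 ms spurious low."""
    samples = []
    for t in range(length):
        levels = []
        for w in range(n_wires):
            low = abort_at is not None and t >= abort_at and w not in stuck_high
            low = low or glitch == (w, t)
            levels.append(not low)
        samples.append(tuple(levels))
    return samples

def single_wire(samples):
    """Greg's case: one wire; the first sample with voltage gone commands abort."""
    return next((t for t, s in enumerate(samples) if not s[0]), None)

def any_wire_low(samples):
    """Fail-safe OR of several wires: voltage lost on any one commands abort."""
    return next((t for t, s in enumerate(samples) if not all(s)), None)

def vote_2of3(samples, hold_ms):
    """JF's proposal: abort only after >= 2 of 3 wires read low for more than
    hold_ms consecutive samples. Returns the ms at which abort is commanded."""
    run = 0
    for t, s in enumerate(samples):
        run = run + 1 if sum(not v for v in s) >= 2 else 0
        if run > hold_ms:
            return t
    return None

def outcome(policy, samples, abort_needed):
    """'ok', 'spurious abort' (the wild ride) or 'missed abort' (the obituary)."""
    commanded = policy(samples) is not None
    if commanded == abort_needed:
        return "ok"
    return "spurious abort" if commanded else "missed abort"

if __name__ == "__main__":
    bad = make_samples(3, abort_at=5, stuck_high=(0, 1))  # two drivers fail high
    print(outcome(any_wire_low, bad, True), outcome(lambda s: vote_2of3(s, 3), bad, True))
```

Running the scenarios shows the trade the thread is about: the voting scheme rejects a 1 ms glitch but adds hold-time latency and fails to abort when two drivers stick high, while the OR of wires never misses an abort but rides out every glitch.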