Commercial Crew

In article ,
says...

On 2019-06-28 12:25, Fred J. McCall wrote:

If the abort test is at Max Q I don't think this makes any difference
anyway, since you're not really 'accelerating' at Max Q. And wouldn't
part of the 'normal' abort sequence shut down the booster anyhow?


If you get in a situation so dire that you must eject in flight, can you
really expect that a shutdown command of liquid fueled engines will work?

Yes, at least from the command and control system's point of view. The
same system which notifies the capsule that it must abort will also
shutdown the engines. If the capsule has been commanded to escape, the
engines have also been commanded to shutdown.

Now, it's possible that something is going horribly, physically, wrong
with one of the engines and it can't physically terminate the thrust.
You have to escape that. That's where you need to get into the details
of the actual engine designs and evaluate whether or not that's even
possible. Anything else is idle speculation, so I think we've reached
the end of discussion on this part of the topic.

Say there is an explosion near top of Stage 1.

What would cause such an explosion? If you mean a tank ruptures, that's
not really an explosion.

This would sever
connection between capsule and the engines at bottom of stage 1.

Such a severance of communication would initiate an immediate abort of
the capsule and shutdown of the engines because "something bad
happened" which the command and control system could easily detect.

Capsule could eject, but not send shutdown command to engines.

Incorrect. See above.

Would
they shutdown within milliseconds of losing data link to capsule or
would they run till told otherwise?

Immediate shutdown.

Seems to me that a capsule eject system, is designed to handle worse
case scenario, would have to consider possibility of stack still getting
propulsion as it explodes. (even if the odds are that explosion would be
at engines and thus kill propulsion).

The capsule escape system has to have less than a 1 in 10 chance of
failure. You can't cover *all* contingencies. The situation you keep
hand-waving about is so unlikely that I'm not sure if the engineers
covered that.

Remember, if you're aborting, you're already in a very unlikely
situation which is creating "a very bad day". Escape systems are never
going to be 100%. Far from it.

Jeff
--
All opinions posted by me on Usenet News are mine, and mine alone.
These posts do not reflect the opinions of my family, friends,
employer, or any organization that I am a member of.

Jeff Findley wrote on Sat, 6 Jul 2019
11:06:12 -0400:

In article ,
says...

Seems to me that a capsule eject system, is designed to handle worse
case scenario,rrrrrrrrrr would have to consider possibility of stack still getting
propulsion as it explodes. (even if the odds are that explosion would be
at engines and thus kill propulsion).

The capsule escape system has to have less than a 1 in 10 chance of
failure. You can't cover *all* contingencies. The situation you keep
hand-waving about is so unlikely that I'm not sure if the engineers
covered that.

Remember, if you're aborting, you're already in a very unlikely
situation which is creating "a very bad day". Escape systems are never
going to be 100%. Far from it.


The other thing he keeps missing is that liquid fuel boosters are much
less prone to rapid self-disassembly without any warning than solid
fuel boosters are. The two types of engines tend to have the same
rate of failures, but they fail in very different ways. This is why
it's generally a bad idea to put people on solid rockets.


--
"Insisting on perfect safety is for people who don't have the balls to
live in the real world."
-- Mary Shafer, NASA Dryden

JF Mezei wrote on Sun, 7 Jul 2019
10:46:49 -0400:

On 2019-07-06 10:57, Jeff Findley wrote:

No. The escape systems are entirely different.

Thanks. I was trying to find some reason why it was felt Starliner
didn't need the abort test at MaxQ.

Is it known who pushed for such a test? Is it possible that it wasn't
part of NASA standards, but SpaceX offered to do it (since it has spare
boosters)?


NASA elected to do it for Orion, so I don't think that holds up.


Curous to see if this would become part of "tradition" for subsequency
capsules or whether this is more of a one-off thing.


For any capsule that requires a full 'abort' envelope it's been a
required test. Earlier capsules didn't require it because it was
assume that a Max Q abort wouldn't be survivable.


--
"Insisting on perfect safety is for people who don't have the balls to
live in the real world."
-- Mary Shafer, NASA Dryden

JF Mezei wrote on Sun, 7 Jul 2019
10:55:31 -0400:

On 2019-07-06 11:06, Jeff Findley wrote:

Yes, at least from the command and control system's point of view. The
same system which notifies the capsule that it must abort will also
shutdown the engines.

But that system is in the capsule, right?


Unlikely, since the events requiring an abort are down in the booster.

If the capsule has been commanded to escape, the
engines have also been commanded to shutdown.

Sending command to shut down engines from capsule doesn't garantee
engines shutdown. (severed link scenario).


And perhaps unicorn farts will destroy the vehicle, but it's pretty
unlikely.

Such a severance of communication would initiate an immediate abort of
the capsule and shutdown of the engines because "something bad
happened" which the command and control system could easily detect.

If you cut the wires between capsule and engines, how long before each
side detects that it hasn't heard from the other side and declares
something has gone really bad, and the engine side decides to shutdown
by itself ?


You really don't seem to understand how such things work.


I can understand constant flow of telemetry data from engines to
capsule. So loss of such telemetry would be quickly detected by capsule.
But would engines detect loss of connectivity with Capsule? Does
capsule have to "ack" all telemetry packets, or is there a "hello"
packet sent every 10 seconds?


Without knowing exactly how they designed it, I can tell you how I
would do it. Somewhere in the TM aggregator there is logic to look at
selected pieces of TM and decide if the vehicle is so far off nominal
that it needs to abort. If that logic determines that to be the case,
a signal gets sent to both the booster and the capsule to initiate
abort. Barring explosive disassembly of the booster, this works fine.
Now, in the event of said explosive disassembly, you might lose that
chunk of logic. In that case, about 50 msec later the capsule is
commanded to abort (20 Hz is a common rate for things like TM). Even
if the booster doesn't get or cannot obey a shutdown command,
explosive disassembly pretty much shuts down the engine anyway.


This is why how long it takes for engines to detect the capsule isn't
there anymore matters.


You're making assumptions about how things are put together that are
not warranted.


Someone mentioned that failure of tanks would result in lost
pressurization and instant engine shutdown. Considering the acceleration
and the turbopumps, wouldn't loss of pressurization of tanks still get
fuel and oxydizer to engine turbo pumps for a few seconds?


Again, look at how liquid rocket engines work.


--
"Some people get lost in thought because it's such unfamiliar
territory."
--G. Behn

In article ,
says...

On 2019-07-06 11:06, Jeff Findley wrote:

Yes, at least from the command and control system's point of view. The
same system which notifies the capsule that it must abort will also
shutdown the engines.

But that system is in the capsule, right?

No. It's most likely in the Falcon 9 because that's got all the
computers which control it anyway. It would be monitoring itself for
anything off nominal. That would include severing the link between the
booster and the capsule. If that link fails, something catastrophic has
already failed and the capsule will abort. So it makes no sense for the
launch vehicle to continue, so it will immediately shut down.

If the capsule has been commanded to escape, the
engines have also been commanded to shutdown.

Sending command to shut down engines from capsule doesn't garantee
engines shutdown. (severed link scenario).

No command has to be sent from the capsule. Loss of the link will
trigger a shutdown.

Such a severance of communication would initiate an immediate abort of
the capsule and shutdown of the engines because "something bad
happened" which the command and control system could easily detect.

If you cut the wires between capsule and engines, how long before each
side detects that it hasn't heard from the other side and declares
something has gone really bad, and the engine side decides to shutdown
by itself ?

Very fast. You do know how fast computers are these days, right?

I can understand constant flow of telemetry data from engines to
capsule. So loss of such telemetry would be quickly detected by capsule.
But would engines detect loss of connectivity with Capsule? Does
capsule have to "ack" all telemetry packets, or is there a "hello"
packet sent every 10 seconds?

It's enough just to know the connection has been lost. Loss of voltage
for an electrical connection or loss of light for an optical connection.
The data itself doesn't matter in this case.

This is why how long it takes for engines to detect the capsule isn't
there anymore matters.


Someone mentioned that failure of tanks would result in lost
pressurization and instant engine shutdown. Considering the acceleration
and the turbopumps, wouldn't loss of pressurization of tanks still get
fuel and oxydizer to engine turbo pumps for a few seconds?

Yes, because these are liquid fueled engines, if you don't maintain tank
pressure, the engines physically can't run. Even if they tried, without
the "head" pressure in the tank, the pumps will cavitate and the flow of
propellant would essentially stop anyway. They wouldn't be able to run
as soon as the pressure in the tanks is released. We're not talking
about a tiny pump here.

Jeff
--
All opinions posted by me on Usenet News are mine, and mine alone.
These posts do not reflect the opinions of my family, friends,
employer, or any organization that I am a member of.

Jeff Findley wrote on Mon, 8 Jul 2019
06:35:25 -0400:


Yes, because these are liquid fueled engines, if you don't maintain tank
pressure, the engines physically can't run. Even if they tried, without
the "head" pressure in the tank, the pumps will cavitate and the flow of
propellant would essentially stop anyway. They wouldn't be able to run
as soon as the pressure in the tanks is released. We're not talking
about a tiny pump here.


The case is even worse for a staged combustion turbopump engine. The
pressure in the fuel tank must be higher than that in the combustion
chamber of the turbopump, which must be higher than that in the
combustion chamber of the main engine. Lose tank pressure and fuel to
the combustion chamber of the turbopump stops. That stops the
turbopump, which stops the flow of propellants to the main combustion
chamber. Engine out.


--
"The reasonable man adapts himself to the world; the unreasonable
man persists in trying to adapt the world to himself. Therefore,
all progress depends on the unreasonable man."
--George Bernard Shaw

On 19-07-08 21:31 , Fred J. McCall wrote:
Jeff Findley wrote on Mon, 8 Jul 2019
06:35:25 -0400:


Yes, because these are liquid fueled engines, if you don't maintain tank
pressure, the engines physically can't run. Even if they tried, without
the "head" pressure in the tank, the pumps will cavitate and the flow of
propellant would essentially stop anyway. They wouldn't be able to run
as soon as the pressure in the tanks is released. We're not talking
about a tiny pump here.


The case is even worse for a staged combustion turbopump engine. The
pressure in the fuel tank must be higher than that in the combustion
chamber of the turbopump,

Doubtful, because the propellants are usually pumped into the pump's
combustion chamber (preburner) too, raising the pressure. At least if we
believe the Wikipedia description of staged combustion.

which must be higher than that in the
combustion chamber of the main engine.

That, I do not believe. If the pressure in the tank is higher than in
the engine combustion chamber, why would the pump be needed?

For a pump to work, the *force* from the driving side must be at least
as large as the *force* required on the pump side, but that does not
imply the same relation for pressures.

--
Niklas Holsti
Tidorum Ltd
niklas holsti tidorum fi
. @ .

JF Mezei wrote on Mon, 8 Jul 2019
12:03:23 -0400:

On 2019-07-08 06:35, Jeff Findley wrote:

No. It's most likely in the Falcon 9 because that's got all the
computers which control it anyway.

OK, so if the booster has the logic to detect abort conditions, it can
self abort with or without capsule. Do you know if, in manned mode,
falcon 9 would require the capsule "agree" to abort (akaL multiple
computers needed to agree) ?


You're looking at this wrong way around. Even if the capsule has
parallel logic (which I doubt), you want to abort if there is any
doubt, not fail to abort if there is any doubt. So in any sane system
design a single 'abort' vote would cause an abort.

Very fast. You do know how fast computers are these days, right?

This really depends on implemenmtation. For TCP/IP for instance, a
connection between two hosts can remain active for a fair bit before one
or both sides detect that the "keep alive" has not been received and
connection should be closed. For some apps, this can be in minutes.


By default TCP/IP doesn't include a 'keep alive'. It was a later
optional addition. There are three settable parameters that determine
how it behaves (time, interval, and number) and a failed connection
may not be detected for HOURS, not mere minutes.

However, we're not talking about TCP/IP and things that are different
just aren't the same. Let's start with the assumption that the
implement ors are not incompetent boobs and know how to implement a
safety-critical connection.


you mentioned loss of power/light on a cable. If they have such hardware
detection, then yeah, it can be instant. But if relying on data
protocols, it all depends on the protocol and how quickly both sides
detect the other is gone.


Again, let's assume that different just aren't the same. Let's start
with the assumption that the implement ors are not incompetent boobs
and know how to implement a safety-critical connection.


But one would also need to look at implementation. Does loss of layer 1
(in ISO 7 layers model) trigger immediate abort, or do they wish to
gracefully handle temporary loss of it due to vribration etc and not
needlessly trigger a dangerous abort?


Again, you're looking at this wrong. 'Abort' is a safety function. If
there is ANY doubt you want to abort. This is much less embarrassing
than killing a crew because you were waiting to be absolutely sure.
'Temporary loss' is permanent loss because in the event of temporary
loss the capsule is out of there.


I provided the telemetry argument because it is a good example of one
side sending constant data flow, so other side can very quickly detect
loss of that data flow. But that doesn't mean the sender of telemetry
detects loss of connection if the protocol only requires ACKs every few
seconds.


So if you assume the implementers are incompetent bozos there could be
a problem.


Perhaps I can reformulate the question:

In the event the capsule decides it needs to abort at MaxQ. (say they
realize they forgot the Columbian coffee):

Does it make much of a difference if the booster continues to accelerate
for a few more seconds, or does it need to stop ASAP in order to make it
much easier for capsule to open a large distance gap between the two?


It probably doesn't matter that much except insofar as being able to
calculate safe separation distances. You'd like it to slow down
because the capsule is at Max Q (which means if you need to push above
that you are eating into mechanical safety margin and the more into it
you need to push the more margin you have to eat).

Yes, because these are liquid fueled engines, if you don't maintain tank
pressure, the engines physically can't run.

As I recall, the ET was barely pressurized. And when accelerating, the
liquid fuel will be pushed down to the bottom where the pumps suck up
the liquids right?


The propellants in the ET were both only lightly pressurized. Each
propellant feed had an LP/HP turbopump set with each pump having
multiple stages to up the propel lent pressures by 100x or so.


Considering the pressures the turbopumps create, wouldn't a minimal
pressure difference in the fuel tanks (from normal to ambiant) be
noticed by the turbo pumps as long as they can pull in liquid fuel/oxydizer?


'Ambient' is pretty damned low at the altitude of Max Q. When the
tanks lose pressure do you still have liquid for the pumps to suck up?


I was under impression that in the case of the ET, the pressurization
with helium was done to reduce boiling off as the tank is being emptied
by the engines.

Does that tank pressure end up "pushing" fuel to the turbopump intake as
fast as the turbopump sucks up those liquids? or does the turbopump
still "pull" fuel from the tank?


Would a drop in tank pressure result in instant "bad news day" with the
engines, or could they run for some time before bad news happens?
Would time be in milliseconds, seconds? 30 seconds ? a minute ?


This all comes back to 'things that are different are not the same'.
Why are you looking at the Space Shuttle when we're talking about
Falcon 9? Falcon 9 tanks are pressurized at about twice what the ET
used and the turbopumps only increase pressure by 30x. As Jeff noted,
loss of pressure will cause pump cavitation and almost immediate loss
of thrust. But even that loss of pressure isn't really what we're
talking about. In a non-explosion there is no 'interruption' such as
you postulate. In an explosion, the tanks, lines, and pumps are all
wreckage.


--
"Insisting on perfect safety is for people who don't have the balls to
live in the real world."
-- Mary Shafer, NASA Dryden

Niklas Holsti wrote on Mon, 8 Jul 2019
22:46:38 +0300:

On 19-07-08 21:31 , Fred J. McCall wrote:
Jeff Findley wrote on Mon, 8 Jul 2019
06:35:25 -0400:


Yes, because these are liquid fueled engines, if you don't maintain tank
pressure, the engines physically can't run. Even if they tried, without
the "head" pressure in the tank, the pumps will cavitate and the flow of
propellant would essentially stop anyway. They wouldn't be able to run
as soon as the pressure in the tanks is released. We're not talking
about a tiny pump here.


The case is even worse for a staged combustion turbopump engine. The
pressure in the fuel tank must be higher than that in the combustion
chamber of the turbopump,

Doubtful, because the propellants are usually pumped into the pump's
combustion chamber (preburner) too, raising the pressure. At least if we
believe the Wikipedia description of staged combustion.


Yeah, I was on my ass there. They do some pretty complicated things
to get the pumps to drive.


--
"Before you embark on a journey of revenge dig two graves."
-- Confucius

JF Mezei wrote on Mon, 8 Jul 2019
21:14:26 -0400:

On 2019-07-08 17:01, Fred J. McCall wrote:

By default TCP/IP doesn't include a 'keep alive'. It was a later
optional addition. There are three settable parameters that determine
how it behaves (time, interval, and number) and a failed connection
may not be detected for HOURS, not mere minutes.

The argument had been made that because it is done by computers , it is
very fast, I provided TCP example where, even you admit to it, detection
of disconnection may take an eternityl being done by computer does not
necessarily mean fast.


TCP/IP was designed to be able to work over smoke signals (seriously,
read up on it) so that speed of the transport layer didn't matter.
Yes, if one implements stupidly it doesn't matter how fast the
hardware is. Shall we assume that the developers aren't cretins?

Again, you're looking at this wrong. 'Abort' is a safety function. If
there is ANY doubt you want to abort.

As I recall, in Apollo 13, they lost an engine after launch. Human
decision was made to continue and just burn remaining engines longer to
get the desired delta-V.


Once again, THINGS THAT ARE DIFFERENT JUST ARE NOT THE SAME! Get that
tattooed on the inside of your eyeballs or something.


Would today's automated systems have seen "any doubt" and triggered an
abort? or would they have predicted that loss of an engine above certain
time would not trigger abort, but below that, would ?


No, they would not. Again, let's assume that the folks implementing
this stuff are NOT cretins, shall we?


is an in flight abort considered safe?


As safe as anything else in rocketry. Full envelope abort wasn't a
requirement for Apollo. It is a requirement for Commercial Crew.
Russian capsule can smack you with as much as 16+g on an abort (and
they're not real friendly on landing, either). Crew Dragon is a much
gentler 7-ish g. I don't know that the Russian capsules have full
envelope abort capability (they may).


Am asking in a context on whether they want automated "instant" trigger
of abort, or whether there are situations where the computer might
suggest an abort but leave it up to crew?


No. People are too slow. The computer knows more and is much faster
at making the right decision.


Also, on the pad, with engines not running yet, but crew in capsule,
what logic/sensors would detect the onset of an explosion requiring the
capsule be thrown up real fast? Would that be a human with a finger on
the big red button? Or severring of data lines to capsule?


No to both your proposed possibilities. The same telemetry and logic
that is used in flight will be used on the pad.

This is much less embarrassing
than killing a crew because you were waiting to be absolutely sure.

For wide body commercial aircraft, using emergency chutes generally
results in a dozen or so injuuries, (and in winter, frostbite for
passengers idle on tarmac waiting for help). so unless there is an
absolute immediate danger (fire), the crew will prefer to wait for
airstairs.


One more time for the slow of wit. THINGS THAT ARE DIFFERENT JUST ARE
NOT THE SAME!!!!!!!!!!


Are these capsule ejects considered "safe" with no ill effects on crew?
or are there imminent risks wherher they would rather not eject unless
it is a dire situation?


First, it's not an 'eject'. Second, yes, it's safe, or at least as
safe as any other part of riding on a rocket. G stress is lower than
fighter pilots take and the landing looks like any other landing.

So if you assume the implementers are incompetent bozos there could be
a problem.

No trying to understand how it is implemented in geheric terms. Mr
Findley provided the information that the login in Falcon9 was in stage
I, so that corrected many of my assumptions/questions.


Frankly, I'd be surprised if the bulk of that logic wasn't in the
second stage, since that's where most of the avionics, flight
computers, and telemetry aggregation are.


But what happens if stage II goes wrong at MaxQ? Will the logic in stage
I detect this?


What's to 'go wrong'? It's not doing anything. Since the second
stage is where all the engine controllers are, if something goes wrong
there I don't think anyone needs to 'detect' anything.

'Ambient' is pretty damned low at the altitude of Max Q.

For the Shuttle ET, it was pressurized to roughly 35psi. So 2 ATM. My
bike tires are at 110psi.


Again, THINGS THAT ARE DIFFERENT JUST ARE NOT THE SAME!!!!!!!!!!!!!!!!


Would assume that pressure generated by the turbopump was orders of
magnitudes higher so a drop of 35psi shouldn't have had that drastic an
impact initially/as long as there was liquid fuel the pump can suck from
bottom of tank.

I understand that Falcon9 has single turbopump stage and more sensitive
to cavitation.

In terms of kerosene, would kerosese vaporize if sucked in by pump at
too low a pressure? All I could find was a value of 50psi on some reddit
place (so not authoritative).


Think about how a pump works. Do you understand what cavitation is?


I can understand how liquid Oxygen would love to vaporize if pressure
dropped as it was sucked into the pump at too high a rate (relative to
its pressure in pipe/tank). At what PSI is the LOX stored in tank?

Is a drop of 50psi once the engine is already running such a big deal?


Yes.


I can understand the need for pressure to push fuel into the turbopumps
when engines are started. But once they are running, is the pressure as
critical or less critical than at startup ?


As critical.


--
"Insisting on perfect safety is for people who don't have the balls to
live in the real world."
-- Mary Shafer, NASA Dryden