Henry Spencer wrote: > On Sat, 28 Sep 2002, Randall Clague wrote: > >>>The other thought is - in such a situation, would an orderly shutdown >>>actually be quick enough and less dangerous? >> >>Good point. If we automate the shutdown sequence... > > > Of course, there is the question of what happens if the automation fails. > (Say, its power supply dies at an inconvenient time.) > > One answer to that is to test it and debug it and bulletproof it well > enough that a failure comes under the "random implausible catastrophe" > case -- something grossly improbable happened, you just have to cope as > best you can -- but if it's not going to be wrung out that thoroughly, > there had better be a backup plan.
I tend to harp on cascaded purges, but here I'll go again: Instead of a three way valve as Dave Masten suggested upthread, the method that XCOR (and many others) have used is to have a relief valve plumbed into each of the propellants immediately downstream of the main valves. These relief valves are fed from a regulated high flow inert supply, through an appropriately sized purge control valve. The purge is turned on before the mains are opened, and not turned off until several seconds after the mains close. When the main valves open, the pressure in the manifold shuts the relief valves, stopping the purge flow. The relief valves MUST be bubble tight when closed, else propellants might seep backwards into the inert gas supply. Making sure the purge gas supply is at similar or higher pressure than the propellants helps, too. On shutdown, the only command needed is to either close the main valves (as on the EZ-Rocket), or simply to turn off the Main Open command (as is usual when using pneumatic actuated 4-way solenoid piloted valves). As the propellant pressures drop, the purge relief valves reopen and sweep out the residuals. When all is clear, then you disable the purge- excess purge just wastes a bit of inert gas, not a big deal. We use industrial process controllers (PLC's) which are very tough, and have had only one failure in over 1000 engine runs controlled by these devices. The one exception (caused by water inside the PLC electronics) led to the environmental enclosures we added to the EZ-Rocket in July. If you're paranoid enough, the purge could be controlled by a pneumatic valve operator that turns on the purge valve, allowing purge to continue even in the event of total electrical failure. For the EZ-Rocket, we didn't bother, because earlier we established by testing that we could safely shut down the engine without purge once, although cleaning might be required before re-use. This is essentially what happened during the flight 11 abort- the controller failed and Dick pulled the prevalve, but the loss of the controller also meant the purge command went away. Thus our flight rules call for inspection and cleaning before the next engine start. This deserves emphasis: if you have an anomalous shutdown, the engine is out_of_service until it can be inspected, and cleaned/overhauled as needed. After the flight, we removed the engine that had the controller failure, inspected and cleaned it carefully. Thanks to the particular layout, there was no contamination of the LOX manifold upstream of the engine. Continuous intact abort allows for a healthy level of paranoia, so that while a mission might be lost, we can have good confidence in safety. Reusable vehicles allow discretion to be the greater part of valor. Doug _______________________________________________ ERPS-list mailing list [EMAIL PROTECTED] http://lists.erps.org/mailman/listinfo/erps-list
