Engine Cut-Off Sensor Background
BY WILLIAM HARWOOD
Written for CBS NEWS & used with permission
Updated: Sept. 9, 2006
Changes and additions:
Twenty four propellant sensors are used in the shuttle's external tank, 12 each in the oxygen and hydrogen sections. Eight are used in each tank to measure the amount of propellant present before launch. Four in each tank, known as engine cutoff - ECO - sensors, are part of a backup system intended to make sure the ship's engines don't run too long, draining the tank dry with potentially catastrophic results, after other problems that might prevent an on-time shutdown.
NASA's original launch commit criteria required three operational ECO sensors for a countdown to proceed. But in the wake of the 1986 Challenger disaster, the LCC was amended to four-of-four because of concerns two sensors could be knocked out by a single failure in an upstream electronic black box known as a multiplexer-demultiplexer. The single-point failure was corrected during Discovery's last overhaul, but the four-of-four launch rule remains on the books.
The hydrogen ECO sensors are located at the very bottom of the tank near the entrance to the pipe that carries hydrogen into the shuttle's engine compartment.
The Engine Cut-Off (ECO) sensors are located at the base of the shuttle's liquid hydrogen fuel tank. Graphic: NASA.
The cutoff sensors are armed late in the ascent when a relatively small amount of rocket fuel remains in the tank. Once armed, the shuttle's computer system checks the status of each sensor, which is still immersed in cryogenic propellant, to make sure it is "wet." To protect against a faulty sensor, the first "dry" indication from any one of them is discarded.
During normal operations, the shuttle's flight computers continuously calculate the orbiter's position and velocity, using that data to figure out when the engines should be shut down to achieve the desired target. As a backup, the computers also monitor the ECO sensors as the tank empties to protect against unexpected problems that might affect the performance of the propulsion system.
The ECO sensors are wired to a shoebox sized electronics box housed in the shuttle's aft engine compartment. Graphic: NASA.
The shuttle is launched with more fuel than it needs and in normal operation, the ECO sensors would never be "dry" before the normal guidance-based engine shutdown sequence begins. But if a problem does occur, and the engines run longer than expected, two "dry" sensors would trigger an engine shutdown to keep from running the tank dry. As long as at least three sensors indicate "wet," however, fuel is assumed to be in the tank and the engines will keep running.
Once the system is armed, two sensors must fail "dry" to trigger an inadvertent engine shutdown. Before arming, three sensors must fail "dry." If three sensors fail "wet," the engines could run the tank empty.
The odds of such multiple failures are "extremely remote," according to internal NASA documents describing earli er problems. In fact, no cutoff sensors have failed in flight since the sixth shuttle mission in 1983 when the design was changed.
A spare orbiter point sensor chassis and motherboard. Photo: NASA/KSC.
But the consequences of an early or late engine shutdown are extreme. A premature shutdown could prevent a crew from reaching orbit while a late shutdown could result in an engine fire or explosion. Even though the cutoff sensor system is considered a backup to the shuttle's flight computers, NASA's launch commit criteria require four operational cutoff sensors in each tank to provide multiple layers of redundancy.
The engine cutoff sensor system has been put to the test only two times in the history of the shuttle program.
During the shuttle Challenger's launching July 29, 1985, on mission STS-51F, a main engine shut down five minutes and 43 seconds after blastoff because of an internal temperature sensor failure. The fuel consumption of the two engines that kept running was affected and the end result was an ECO sensor engine cutoff.
The only other such shutdown in shuttle history occurred during launch of mission STS-93, when a hydrogen leak in the coolant tubes making up main engine No. 3's nozzle caused more oxygen to be consumed than expected. In that case, oxygen ECO sensors went "dry," triggering engine shutdown.
In both cases, the shutdowns happened late in the ascents and both shuttle crews were able to complete their missions (Challenger's crew ended up in a lower-than-planned orbit due to the earlier engine shutdown).
Discovery/STS-114 ECO sensor chronology
Engineers removed an electronic controller, called a point sensor box, from Discovery and replaced wiring to the two sensors in question (wiring to sensors 1 and 2 wasn't touched). But the controller checked out OK and troubleshooters were unable to trace the cause of the problem A point sensor box from the shuttle Atlantis was installed and a second fueling test was conducted.
This time around, the sensors worked normally. But during additional post-test troubleshooting, the replacement sensor controller box malfunctioned. It was replaced by one taken from the shuttle Endeavour. NASA already had decided to replace Discovery's tank to address ice debris issues. With a fresh controller, replacement cabling, a new tank and solid test results, NASA managers decided to treat the sensor issue as an "unexplained anomaly" that presumably had been fixed.
But during a subsequent countdown, the No. 2 low-level hydrogen sensor failed to switch from "wet" to "dry" during a test in which computers send signals to simulate a dry tank. When the tank was drained, the other three sensors changed from wet to dry as expected. The No. 2 sensor remained "wet" for another three hours before switching back to "dry."