Free Republic
News/Activism

To: Thebaddog
So let me get this straight, a sensor worth only a few hundred $ is a "Crit-One" system with NO DOUBLE OR TRIPLE REDUNDANT BACKUP SYSTEM and is holding up billions of dollars worth of launch???

Is it just me or is this MORE than a little piss poor planning on NASA's part...

16 posted on 07/23/2005 7:06:56 PM PDT by Chode (American Hedonist ©®)


To: Chode
Being a person who has worked on nuclear reactor instrumentation and control equipment (I&CE) systems, I feel qualified to comment a little on the redundancy issue.

NASA has said that this system is 2-failure redundant and provides coincidence protection. This is a fairly insane standard to meet in operation because this means that any 2 sensors, instruments, control circuitry, power supplies, sources of power, or combination thereof can fail and the system would still operate. It also means that 2 sensors must be giving the same signal to initiate a protective function (typically if an instrument fails it will not be within this band). To give you an idea of how hard it is to meet a 2-failure redundant system, I will briefly describe a 1-failure redundant system.

In case 1: you have 3 sensors. Each sensor has an associated instrument (which sends an electrical signal to the sensor, receives it back, and interprets it). Each instrument is powered off a single electrical bus and is isolated by fuses or breakers. This single electrical bus is considered indestructible (normal in engineering systems since it takes a lot to break a bus bar). The electrical bus can be powered one of two ways. It can be powered by a DC auctioneered power supply, where you have 2 DC input sources, 2 diodes, and one output source. This will supply power to the load with both sources energized or either energized. The second way is by an automatic bus transfer device (ABT). If one AC bus goes away, it will automatically switch to the other (sort of like the auctioneered power supply except it is AC and it is built differently). This case 1 system will be able to provide coincidence protection in any case except the failure of a bus bar or a failure of the ABT (or auctioneering power supply).

In case 2: The problem with the potential failures of a bus bar or ABT (or auctioneering power supply) is fixed by providing 4 sensors. 2 sensors and their associated instruments are powered by one power supply, which is electrically isolated from the other 2 sensors and their associated instruments. In this case any 2 failures will allow the system to operate normally.

Now try to do it with 2-failure redundancy and have coincidence protection. This requires at least 4 sensors and 4 separate power supplies. If one has failed prior to launch you are now down to 1-failure redundant. But, I don't think the shuttle is built this way. Even though the engineers have stated that it is 2-failure redundant, I believe that has caveats. I do not believe that the shuttle has 4 separate power supplies (from a cursory look at the electrical schematics they had on the mission site a week ago). I believe they have 2. This means it's probably the same as case 2 that I described. Consider if they have a failed sensor #3. Then if they lose power supply 1 that powers instruments and sensors #1 and #2, they only have sensor #4 operating. They no longer have coincidence protection (and only a hack like a loss of power signal can allow a protective function). This means that one additional failure can render the system inoperative.

It seems wise to me to fix the problem on a redundant, coincidence protected system. Working on nuclear reactors, I would never consider operating a safeguards system with a broken sensor. I would be less likely to consider it if I was an astronaut.
22 posted on 07/23/2005 8:45:46 PM PDT by burzum
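To make the redundancy arithmetic in the post above concrete, here is a small added model (my own illustration, not code from the thread or from NASA's design). It maps sensors to the power supply feeding their instruments, treats a bus bar, ABT or auctioneered supply as one supply component, and exhaustively enumerates which combinations of component failures still leave at least 2 working sensors, the "2-out-of-N" coincidence criterion the post uses. The three topologies (CASE_1, CASE_2, CASE_3) and the supply names are constructed assumptions chosen to match the post's case 1, case 2, and the 4-sensor/4-supply arrangement; it also reproduces the "sensor #3 already failed, then lose power supply 1" scenario.

```python
from itertools import combinations

# Constructed sensor-to-supply topologies (assumptions for this example, not
# NASA's schematics). Keys are sensor numbers; values name the supply feeding
# that sensor's instrument. A bus bar, ABT or auctioneered DC supply is modelled
# as a single supply component, so losing it silences every instrument on it.
CASE_1 = {1: "bus1", 2: "bus1", 3: "bus1"}        # 3 sensors, one common bus
CASE_2 = {1: "ps1", 2: "ps1", 3: "ps2", 4: "ps2"}  # 4 sensors, 2 isolated supplies
CASE_3 = {1: "ps1", 2: "ps2", 3: "ps3", 4: "ps4"}  # 4 sensors, 4 separate supplies

COINCIDENCE = 2  # sensors that must agree before a protective function may trip


def working_sensors(topology, failed_sensors=(), failed_supplies=()):
    """Sensors still able to report: not failed themselves and fed by a live supply."""
    return sorted(s for s, supply in topology.items()
                  if s not in failed_sensors and supply not in failed_supplies)


def has_coincidence(topology, failed_sensors=(), failed_supplies=()):
    """True while at least COINCIDENCE sensors remain, i.e. a 2-out-of-N trip is still possible."""
    return len(working_sensors(topology, failed_sensors, failed_supplies)) >= COINCIDENCE


def failure_tolerance(topology, failed_sensors=(), failed_supplies=(), include_supplies=True):
    """Largest k such that EVERY set of k further component failures keeps coincidence.

    Components are the remaining sensors (each with its instrument) and, when
    include_supplies is True, the remaining supplies. Pre-existing failures are
    applied first, which is how "one sensor already failed before launch"
    reduces the tolerance. Exhaustive enumeration is cheap for a few components.
    """
    sensors = [("sensor", s) for s in topology if s not in failed_sensors]
    supplies = []
    if include_supplies:
        supplies = [("supply", p) for p in sorted(set(topology.values()))
                    if p not in failed_supplies]
    components = sensors + supplies
    for k in range(1, len(components) + 1):
        for combo in combinations(components, k):
            fs = set(failed_sensors) | {c for kind, c in combo if kind == "sensor"}
            fp = set(failed_supplies) | {c for kind, c in combo if kind == "supply"}
            if not has_coincidence(topology, fs, fp):
                return k - 1  # some k-failure set breaks coincidence, so tolerance is k-1
    return len(components)


if __name__ == "__main__":
    for name, topo in (("case 1", CASE_1), ("case 2", CASE_2), ("4 sensors/4 supplies", CASE_3)):
        print(f"{name}: sensor-only tolerance {failure_tolerance(topo, include_supplies=False)}, "
              f"with supplies counted {failure_tolerance(topo)}")
    # The post's degraded scenario: sensor #3 already failed, then power supply 1 is lost.
    print("case 2, sensor 3 failed, ps1 lost ->",
          working_sensors(CASE_2, failed_sensors={3}, failed_supplies={"ps1"}),
          "coincidence:", has_coincidence(CASE_2, {3}, {"ps1"}))
    print("case 2 tolerance with sensor 3 already failed:",
          failure_tolerance(CASE_2, failed_sensors={3}))
    print("4x4 tolerance with sensor 3 already failed:",
          failure_tolerance(CASE_3, failed_sensors={3}))
```

Running it shows case 1 tolerating one sensor failure but zero failures once the bus/ABT is counted, case 2 tolerating two sensor failures but only one failure of any kind (supply plus a sensor on the other supply leaves a single sensor), and the 4-sensor/4-supply layout tolerating any two failures, dropping to one once a sensor is already out; with sensor #3 failed in case 2, one more failure (ps1) leaves only sensor #4 and no coincidence.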



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson