Engine Modes & Safing

The engine controller implements four engine modes:

Disabled Mode

In this mode, the engine controller ignores all commands other than mode and safing commands. To enter disabled mode, all valves must first be closed; if they are not, the controller rejects the command. When the engine controller boots, all valves default to closed and the mode defaults to disabled.

Test Mode

This is a debugging mode used for system tests; it accepts all commands at all times. It should not be used for real tests or at any time after the engine is fueled. It is only for checking that electrical outputs are correct during system setup.

Cold Mode

This is an active mode that is used during filling operations. All commands, including valve commands, are accepted in this mode.

Hot Mode

This is an active mode that is used when the engine is ready to be tested (remotely). The difference between hot and cold mode is the action taken during a safing procedure.


Safing

The engine controller implements automatic safing of the engine in the event of failures. Safing will become active in the following circumstances:

  • A manual command is received setting safing to active, essentially a "remote e-stop"
  • A link failure is detected (e.g. something interrupts communication along the Ethernet line from the controller to the ground station)

The action taken when safing goes active depends on the mode. In disabled mode, no action is taken because the engine is already "safed": all valves must be closed before entering disabled mode and must remain closed while in it. In cold mode, all valves are immediately closed as fast as possible. Safing in cold mode prioritizes the safety of people in proximity to the engine, at the cost of potentially damaging the system. In hot mode, no personnel are allowed within the safe blast radius of the engine and fuel is assumed to be live in the system; for this reason the purge is run after closing the fuel and oxidizer valves. This prioritizes making the engine safe to approach without damaging the system, but purging introduces pressure in the line, so it is not optimal if there are personnel nearby.

To prevent an operator from accidentally disabling safing, once the controller enters active safing the operator must perform the following two steps to set safing to inactive and continue testing:

  • Place the engine in disabled mode
  • Set safing to inactive

Any other command sent while safing is active is ignored, as is any command sent before this safing procedure has been completed.
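The mode transitions, command filtering and mode-dependent safing actions described above, as an added Python model that is not the engine controller's own code. The valve names, the collapsing of the purge into an open/close pair, and treating test mode like cold mode during safing are assumptions made for the example.

```python
from enum import Enum

class Mode(Enum):
    DISABLED, TEST, COLD, HOT = "disabled", "test", "cold", "hot"

class EngineController:
    VALVES = ("fuel", "oxidizer", "purge")   # valve names are assumed

    def __init__(self):
        # Boot state: every valve closed, disabled mode, safing inactive
        self.valves = dict.fromkeys(self.VALVES, False)   # True = open
        self.mode, self.safing, self.purged = Mode.DISABLED, False, False

    def cmd_valve(self, name, open_):
        # Valve commands are ignored in disabled mode and while safing is active
        if self.safing or self.mode is Mode.DISABLED:
            return False
        self.valves[name] = open_
        return True

    def cmd_mode(self, mode):
        # Disabled needs all valves closed (else rejected) and is the only mode change accepted during safing
        if mode is Mode.DISABLED and any(self.valves.values()):
            return False
        if self.safing and mode is not Mode.DISABLED:
            return False
        self.mode = mode
        return True

    def cmd_safing(self, active):
        # Manual "remote e-stop"; a detected link failure takes the same path
        if active:
            return self._safe()
        # Safing can only be cleared after the engine was placed in disabled
        if self.mode is not Mode.DISABLED:
            return False
        self.safing = False
        return True

    def _safe(self):
        self.safing = True
        if self.mode is Mode.HOT:
            # Close propellant valves, then purge (collapsed to open/close; duration not in text)
            self.valves["fuel"] = self.valves["oxidizer"] = False
            self.valves["purge"], self.purged = True, True
            self.valves["purge"] = False
        elif self.mode is not Mode.DISABLED:
            # Cold (and, by assumption, test): close everything, no purge; disabled needs nothing
            self.valves = dict.fromkeys(self.VALVES, False)
        return True
```

The return value of each command is the accept/reject decision; a caller that is driving a real link watchdog would call `cmd_safing(True)` on timeout.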


Indicators

The engine has a three-light tower (red, yellow, green) that communicates mode and safing information visually. A green light indicates the engine is disabled and safe to approach, as the engine is unfueled in this mode. A yellow light indicates that the engine is in cold mode and that the only personnel near the engine should be the minimum required for the fill process. A red light indicates hot mode; the engine must not be approached under any circumstances. Additionally, a loud buzzer beeps five times before any engine test is initiated, to warn all personnel and provide feedback to the operator.

When the engine goes into active safing, all three lights light up and blink until the safing procedure is complete. Because a link failure triggers safing, this also gives the operator visual feedback when the network link goes down.


Nominal Usage

The following steps describe the engine mode during a nominal test:

  • The engine controller is connected and powered on, defaulting to disabled mode with all valves closed
  • All solenoids are electrically connected, but there is no fuel in the engine. The controller is placed in test mode and all valves, indicator lights, and igniters are tested.
  • The engine is placed into cold mode and the filling process begins. All personnel are evacuated except for the minimum needed for filling.
  • The engine is fueled and pressurized, then the controller is placed into hot mode. All personnel are evacuated.
  • The engine test is loaded in the ground station and the countdown clock is started; a hold can be initiated for any pre-test checks.
  • The engine completes a test fire, the data is verified and the engine is placed into cold mode.
  • Any remaining fuel is emptied by the minimum personnel, then the engine is placed in disabled mode.
  • The engine controller is shut down and disconnected.

Additional Precautions

Engine commands can only be sent physically from the ground station OR remotely from a password-protected dashboard hosted in a standard web browser. Only the ground station operator and a single dashboard have access to manual valve commands, while a second dashboard shows sensor data and has controls to set safing active or stop the countdown clock.