

THE STRANGE EXPLOSIVE SYSTEM OF THE LUNAR MODULE









This part deals with the explosive subsystem of the lunar module.
It is described in part 8 of the lunar module handbook.







This is the block diagram of the explosive subsystem; the relays are doubled for safety.







This is the functional diagram of the explosive subsystem.
A MASTER ARM switch connects the ED bus to the 28 volt DC, which is necessary for the fire switches to have an effect.
The ABORT STAGE button also connects the ED bus, but in addition closes the switches connected to the explosive devices of the isolation valves of the ascent tanks, and closes the switch K2, which triggers all the switches commanding the explosive devices that separate the two stages of the lunar module.







They say this about the reset of the switch K2:
"If there is a master alarm, and the ED RELAYS caution light, and associated STAGE SEQ RELAYS component caution light go on, indicating the inadvertent transfer of the master alarm or staging sequence relays, the STAGE RELAY RESET switch should be set momentarily to the RESET position to reset state relay K2. If the ED RELAYS caution light and the STAGE SEQ RELAYS component caution light go off, K2 had failed temporarily. If the lights remain on, the failure is due to relays K1, or K3 through K6."
It means that the astronaut has no way to know which relay has failed if one does, and, if the STAGE SEQ RELAYS component caution light goes on, the only available procedure is to reset the switch K2 to see whether the problem comes from this switch or not.








This is the schematic diagram of the Stage Sequence Monitoring.







In the case that the switch K1 is set, but not the switches K2 to K6 (explosive devices switches), the connection of the stage sequence monitoring is closed, and the caution lights are set.







Normally, the switch K1 is set by the MASTER ARM switch or the ABORT STAGE button, and, in this case, there is an inhibit logic which prevents the tone generator, the master alarm light and the relay caution lights from being set; only the component caution lights are set.







In the case that a switch K2 to K6 is set, but not the switch K1, all the warnings are set, that is the tone generator, the master alarm light, the relays caution lights, and the component caution lights.







In the case that both switches K1 and K2 are set, the connection is broken in the stage sequence monitoring, and no warning is set.
But, this is a normal situation in the case of an abort, for the abort will set both K1 and K2.







In the case that both switches K1 and K3 are set, but not the switch K2, the connection is also broken in the stage sequence monitoring, and no warning is set either.
But, unlike the previous case, this is not a normal situation, for the switch K3 can only be set by the switch K2; K3 being set without K2 being set is abnormal, and there is no warning about this abnormal situation!







This schema shows how the bus was armed by either the MASTER ARM switch or the ABORT STAGE button.
Both close the switch K1, which connects the ED bus to the 28 volt.
This is necessary for the fire switches to have an effect.







The landing gear deployment button closes the switches K8 and K8A, which fire the explosive devices attached to the landing gear, provided that the ED bus has been armed (either with the MASTER ARM switch or the ABORT STAGE button).







The explosive devices attached to the landing gear allow the deployment of the legs of the lunar module which are initially in stowed position.







A logic circuit checks that the landing gear has correctly deployed.







If all the contacts of the deployment are set, it means that the deployment of the landing gear is fully successful, which is indicated by a lamp which is set.







But, if a contact is not set, the lamp of the deployment of the landing gear will not be set, and the astronauts will be warned that there has been a problem in the deployment of the landing gear.
The astronauts will only know that there has been a problem; they will not know which one.
They will not know which leg (or possibly which legs) did not properly deploy, and yet it would be better if they knew.







It would be possible to know which leg did not properly deploy if all the intermediary connections on the control circuit were also tested.
There could be an indicator per switch, or, if that makes too many lamps, a rotary switch for visually checking the state of each landing gear switch individually (or a program on the AGC displaying their state).







This is the schematic diagram of the descent propellant tank Prepressurization.
Fire buttons activate the explosive devices of the isolation valves of the descent tanks, provided that the ED bus has been armed (either with the MASTER ARM switch or the ABORT STAGE button).







This is the schematic diagram of the ascent propellant tank Prepressurization.
A Fire button activates the explosive devices of the isolation valves of the ascent tanks, provided that the ED bus has been armed (either with the MASTER ARM switch or the ABORT STAGE button); tank 1, tank 2, or both can be activated, according to the position of a rotary switch.
As the sequence of the ABORT STAGE must also fire the ascent engine, the ABORT STAGE button also automatically activates the explosive devices of the isolation valves of the ascent tanks.







In system B, the diode between the ABORT STAGE button and the activation of the explosive devices of the isolation valves of the ascent tanks is missing (at the place I circled), whereas it is present in system A.







This is the schematic diagram of the RCS propellant tank Prepressurization.
A Fire button activates the explosive devices of the isolation valves of the RCS tanks, provided that the ED bus has been armed (either with the MASTER ARM switch or the ABORT STAGE button).
But, unlike in the ascent propellant tank Prepressurization, the ABORT STAGE button does not automatically open the isolation valves of the RCS.
In fact, this is normal, for the RCS must also work in the descent.
There were two systems able to make the RCS work, System A and System B, which were working in parallel.
These two systems were working in parallel only for redundancy, for each one was able to make the RCS work alone.
That's why their isolation valves were fired simultaneously at the beginning of the descent.
However, this meant that their tanks remained open during the whole stay on the lunar ground, up to several days (unlike the ascent tanks, whose isolation valves were fired only at lift-off).
This is not good at all for the safety of the ascent (this is confirmed by the limitations which are specified for the ascent and descent systems at the end of the explosive devices subsystem chapter, for, if such limitations exist for the ascent and descent systems, they certainly also exist for the RCS system).
It would have been much safer if only system A had been made operational during the descent, and system B made operational only at ascent time (like the ascent tanks), especially since the RCS is more heavily used in the ascent than in the descent:







1) First because of the imbalance caused by the aberrant placement of a fuel ascent tank, which was forcing the RCS to continuously correct the torque caused by the misalignment of the ascent engine's thrust with the center of gravity.







2) And second because the LM needs the RCS to make the flip over maneuver at the end of the ascent to dock at the command module.







So the explosive devices of the isolation valves of the RCS tanks should have been fired by different commands instead of the same one.
A fire button would first fire the explosive device connected to the isolation valve of System A, at the start of the descent.
The explosive device connected to the isolation valve of System B would be fired in three cases:
1) If there is a problem with system A during the descent
2) At lift-off time
3) If the ABORT STAGE button is pressed.
In fact, if there was a problem with system A during the descent, it would jeopardize the safety of the rest of the mission, and it would probably be safer to abort the mission.
The diagram of the RCS propellant tank Prepressurization would then be modified as I show.
On this diagram, the ABORT STAGE button also fires the explosive device of the isolation valve of System B.







This is the schematic diagram of the stage sequence.







The ABORT STAGE button sets the switch K1 (connection of the ED bus to the 28V) and the switch K2, which triggers the circuitry that sets the switches of the explosive devices.
The switches K5, K6, and K6A are immediately set; they separate nuts and bolts.
The switches K3 and K4 are not immediately set.
They give the following reason for delaying them:
"A time delay is necessary to ensure removal of all power from the interstage umbilical before it is cut".







After a delay of around 20 milliseconds, which corresponds to the separation time of the nuts and bolts, a first RC circuit (an RC circuit is a circuit which delays an electrical signal), which I have circled in orange, outputs a signal (colored in orange) which sets the switch K3; the switch K3 triggers a second RC circuit, which I have circled in yellow.







After a new delay, the second RC circuit outputs a signal (colored in orange) which sets a second switch K4.
Once the two switches K3 and K4 are closed, the cable cutter explosive devices are fired, which terminates the explosive sequence.







But in fact, the necessary delay for the separation of the nuts and bolts is applied twice by the two RC circuits, for each of them successively applies this delay; consequently, there is twice the necessary delay between the separation of nuts and bolts and the final cutting of the cables.







The interface could be simplified by using only one RC circuit applying the necessary delay.
Moreover, it reduces the probability of mishap, for there is less chance of one transistor failing opened in two than one in four (if a transistor fails opened, the delay will become "infinite", which means that K3 or K3 will never be triggered).
Now, you can say: OK, there is less chance of the delay never occurring that way, but, on the other hand, if a transistor fails shorted, K3 will immediately be triggered, which means that there will be no delay between the explosive devices separating the nuts and bolts and those which cut the cables; in the previous schema, if K3 is immediately set, the second RC circuit will still apply a delay.







That's true, but, if K3 is immediately set, the switch I have circled in red will immediately change position when K2 is set, and there is a good chance that not all the electromechanical relays I have colored will trigger, which means that the cables may be cut while there are nuts and bolts which will have not been separated, which would have catastrophic consequences.







Now, can this schema be improved so that, if a transistor fails shorted, a delay can still be applied?







Yes, it can, by modifying it this way.
In this new schema, if a transistor fails shorted in either the upper or the lower pair of transistors, the delay can still be applied by the other pair of transistors.
OK, you are going to say, we are protected against the eventuality of a transistor failing shorted, but we are not against the eventuality of a transistor failing opened, in which case the delay would be infinite; K3 would never be set, and the cables would never be cut in such an eventuality.







In the previous schema, we were not protected against the eventuality of a transistor failing opened indeed, but, if we modify the schema this way, by adding another doubled RC circuit in parallel, then we are protected against this eventuality: If a transistor fails opened on one doubled RC circuit, the other doubled RC circuit can still apply the delay.
Now, we have a true redundancy allowing the delay to be normally applied whether a transistor fails opened or shorted.
Of course, if several components fail, it may not work, but there exists no redundancy which allows a system to work if too many components fail; redundancies always are intended to work in case of the failure of a component.







It is not the only way of applying a redundancy.
In this new schema, three RC circuits independently apply a delay; each one can possibly have an infinite delay or a null one, according to whether a transistor fails opened or shorted respectively.
Each of these RC circuits sets two switches through electromechanical relays instead of only one.
The first one sets switches I have called KA1 and KA2, the second one sets switches I have called KB1 and KB2, and the third one sets switches I have called KC1 and KC2.
Three connections in parallel close either if KA1 and KB1 close, or if KA2 and KC1 close, or if KB2 and KC2 close.
- if KA1 and KA2 close immediately, the connection KA1&KB1 will close only when KB1 closes, and the connection KA2&KC1 will close only when KC1 closes.
- if KA1 and KA2 never close, the connections KA1&KB1 and KA2&KC1 will never close, but the connection KB2&KC2 will close after the normal delay.
The logic is the same for the two other pairs of switches.
It means that the delay will always be applied whether a transistor fails opened or shorted in one of the three RC circuits, with fewer transistors than in the previous schema.
However, if this schema reduces the chance of transistor mishap, on the other hand it increases the chance of electromechanical relay mishap.
Nothing is perfect!
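
The three-circuit arrangement described above can be checked exhaustively. The following Python sketch is an added example, not part of the original page or of the LM handbook; it assumes a nominal delay of 20 ms, models a circuit or contact that fails shorted or opened as closing at time zero or never, and uses the contact pairs KA1&KB1, KA2&KC1 and KB2&KC2 from the list above. All function and variable names are this example's own.

```python
import math
from itertools import combinations, product

NOMINAL_MS = 20.0  # assumed nominal delay; the page says "around 20 milliseconds"
CLOSE_AT = {"ok": NOMINAL_MS, "shorted": 0.0, "opened": math.inf}
FAULTS = ("shorted", "opened")
# Series pairs named on the page; the three pairs are wired in parallel.
BRANCHES = (("KA1", "KB1"), ("KA2", "KC1"), ("KB2", "KC2"))
CONTACTS = tuple(k for pair in BRANCHES for k in pair)

def fire_time(circuit_faults=None, contact_faults=None):
    """Time in ms at which the network first conducts (inf = never).

    circuit_faults maps an RC circuit ("A", "B", "C") to a fault mode;
    contact_faults maps one relay contact ("KA1", ...) to "shorted" (welded
    closed) or "opened" (stuck open) and overrides its driving circuit.
    """
    circuit_faults, contact_faults = circuit_faults or {}, contact_faults or {}
    t = {k: CLOSE_AT[contact_faults.get(k, circuit_faults.get(k[1], "ok"))]
         for k in CONTACTS}
    # A series pair conducts when its later contact closes (max); the
    # parallel network conducts when its earliest pair does (min).
    return min(max(t[a], t[b]) for a, b in BRANCHES)

def outcome(t):
    if t == NOMINAL_MS:
        return "nominal"
    return "premature" if t < NOMINAL_MS else "never"

def single_fault_report():
    """Outcome of every single circuit-level or contact-level fault."""
    report = {}
    for mode in FAULTS:
        for c in "ABC":
            report[("circuit", c, mode)] = outcome(fire_time({c: mode}))
        for k in CONTACTS:
            report[("contact", k, mode)] = outcome(fire_time(None, {k: mode}))
    return report

def double_circuit_failures():
    """Two-circuit fault combinations that defeat the voting."""
    bad = {}
    for (a, b), ma, mb in product(combinations("ABC", 2), FAULTS, FAULTS):
        result = outcome(fire_time({a: ma, b: mb}))
        if result != "nominal":
            bad[(a, ma, b, mb)] = result
    return bad

if __name__ == "__main__":
    print(single_fault_report())
    print(double_circuit_failures())
```

Every single fault leaves the delay nominal; the voting is defeated when two circuits fail the same way, or when a shorted circuit is combined with a welded contact in the other half of its pair (for example circuit A shorted with KB1 welded closed), which is the relay exposure mentioned above.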







The operational limitations and restrictions which are at the end of each chapter are always tasty.
They say this:
"The landing gear legs must be deployed before the descent engine is fired. In the stowed position, the legs are in the path of the descent engine plume; descent engine firing would damage them".
The astronauts should not even have the possibility of firing the descent engine if the landing gear is not deployed; a safety interlock should prevent them from doing it. If the landing gear refused to deploy, the only action which should be permitted to them would be to abort.







They say:
"The ASCENT He PRESS switch should not be actuated longer than 24 hours before termination of ascent engine operation. The ascent pressurization valves are designed to operate for only 24 hours after exposure to propellant vapors. Exceeding this limit may cause ascent valve failure."
Sure, there are chances that the ascent time might be longer than 24 hours!







They say:
"The DES START He PRESS and DES PRPLNT ISOL VLV switches should not be actuated longer than 3.5 days before termination of descent engine operation. The descent pressurization valves are designed to operate for only 3.5 days after exposure to propellant vapors. Exceeding this limit may cause descent valve failure."
Sure, there are chances that the descent time might be longer than 3.5 days!





Now, if the valves of the ascent engine and the descent engine can be subjected to failure because of exposure to propellant vapors after they have started being used, there is no reason that it would not also be true for the RCS.
In the case of the RCS, the helium relief valves may not be exposed to propellant vapors, but the valves of the ascent feed interconnect valve arrangement are.
If system B of the RCS is also used in the descent, there are good chances that, after several days of stay on the moon, its valves would be deficient when it has to be used in the return to the command module (for having been exposed to propellant vapors in the descent).
If only system A of the RCS was used in the descent, and the isolation valves of system B were fired only at lift-off, its valves would be operational for the ascent.
This justifies my claim that the isolation valves of the two systems of the RCS should not be fired at the same time!







If the RCS was not working in the ascent, it could not correct the torque created by the misalignment of the thrust of the ascent engine with the center of gravity caused by an aberrant misplacement of an ascent fuel tank... and the lunar module would crash shortly after having lifted off!





