Computers in Spaceflight: The NASA Experience
- Chapter Four -
- Computers in the Space Shuttle Avionics System -
The space shuttle main engine controllers
[124] Among the many special-purpose computers on the Shuttle, the....

[125] Box 4-6: Using the Shuttle's Keyboards
The Shuttle's keyboards are different from those found on Gemini and Apollo because they are hexadecimal, or base 16, rather than decimal, so that memory locations can be altered by hex entries from the keyboard. A single hex digit represents 4 bits, so just four digits can fill a half-word memory location. The other keys perform specialized functions. The most often used are:
ITEM: This selects a specific function displayed on a CRT. For example, if the astronaut wishes to perform a function numbered 32 on the screen, he or she presses ITEM, 3, 2, EXEC.
OPS: This, plus a four-digit number, selects the operational sequence and major mode desired by the crew. For instance, to choose the first major mode of the ascent software, OPS, 1, 1, 0, 1, and PRO is entered.
SPEC: This key, plus appropriate digits and PRO, selects a specialist function or display function screen. Each OPS has associated with it a number of primary screens that reflect what is happening in the software. The ascent program has a vertical path graphic, for instance. Additionally, special functions can be called from SPEC displays that are overlaid on the primary screens when called. The on-orbit OPS, and several others, have a "GPC Memory" display that can be used to read or write to individual memory locations. It cannot be called from either the ascent or descent OPS. Display function screens are just that: used to show various data such as fuel cell levels, but with no crew functions. To return to the primary screen that was on the CRT before the SPEC or DISP call, the RESUME key is used.
CLEAR: Each time this key is depressed, one character is deleted from the input line on the CRT accessed. This enables an astronaut to erase an error if it is caught before EXEC or PRO is depressed.
"+": This sign can be used as a delimiter around numeric data or between a series of function selections.
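The entry rules in Box 4-6, modelled as an added example (not code from NASA or the book): keys are fed one at a time, CLEAR removes one character, EXEC or PRO completes an ITEM, OPS or SPEC entry, and a request for the GPC Memory display is refused while an ascent or descent OPS is selected. The SPEC number used for that display ("FF") and the leading OPS digits treated as ascent ("1", per the text) and descent ("3") are placeholders assumed for illustration.

```python
# Added example, not from the NASA text: a model of the Box 4-6 keyboard entry rules.
# The GPC Memory SPEC number and the ascent/descent OPS digits are assumed placeholders.

HEX = set("0123456789ABCDEF")

class KeyboardModel:
    def __init__(self, memory_spec="FF", restricted_ops=("1", "3")):
        self.memory_spec = memory_spec          # placeholder SPEC number for the GPC Memory display
        self.restricted_ops = restricted_ops    # leading OPS digits: "1" ascent (text), "3" entry (assumed)
        self.ops = None                         # current OPS and major mode, e.g. "1101"
        self.screen = "primary"
        self.line = []                          # keys typed so far on the scratch line

    def press(self, key):
        """Feed one keystroke; returns an action tuple only when EXEC or PRO ends an entry."""
        if key == "CLEAR":                      # erases exactly one character per press
            if self.line:
                self.line.pop()
            return None
        if key == "RESUME":                     # back to the primary screen for this OPS
            self.screen = "primary"
            return ("RESUME",)
        if key in ("EXEC", "PRO"):
            entry, self.line = self.line, []
            return self._execute(entry, key)
        self.line.append(key)
        return None

    def _execute(self, entry, terminator):
        if not entry:
            return ("ERROR", "empty entry")
        func, args = entry[0], "".join(k for k in entry[1:] if k != "+")  # "+" only delimits
        if not args or any(c not in HEX for c in args):
            return ("ERROR", "argument must be hex digits")
        if func == "ITEM" and terminator == "EXEC":
            return ("ITEM", args)               # e.g. ITEM 3 2 EXEC selects item 32 on the CRT
        if func == "OPS" and terminator == "PRO" and len(args) == 4:
            self.ops, self.screen = args, "primary"   # e.g. OPS 1 1 0 1 PRO: ascent, major mode 01
            return ("OPS", args)
        if func == "SPEC" and terminator == "PRO":
            if args == self.memory_spec and (self.ops or "")[:1] in self.restricted_ops:
                return ("ERROR", "GPC Memory display not available in this OPS")
            self.screen = "SPEC " + args
            return ("SPEC", args)
        return ("ERROR", "bad key sequence")

def run_keys(model, keys):
    return [a for a in (model.press(k) for k in keys) if a is not None]
```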

....main engine controllers stand out as a clear "first" in space technology. The Shuttle's three main liquid-propellant engines are the most complex and "hottest" rockets ever built. The complexity is tied to the mission requirements, which state that they be throttleable, a common characteristic of internal combustion engines and turbojets, but rare in the rocket business. They run "hotter" than any other rocket engine because at any given moment they are closer to destroying themselves than their predecessors. Previous engines were overbuilt in the sense that they were designed to burn at full thrust through their entire....

Figure 4-8. Keyboard layout of the Shuttle computer system. (From NASA, Data Processing System Workbook)

....lifetime of a few minutes with no chance that the continuous explosion of fuel and oxidizer would get out of control. To ensure this, engineers designed combustion chambers and cooling systems better than optimum, with the result that the engines weighed more than less-protected designs, thus reducing performance. Engineers also set fluid mixtures and flow rates by mechanical means at preset levels, and those levels could not be changed to gain greater performance. The Shuttle engines can adjust flow levels, can sense how close to exploding they are, and can respond in such a way as to maintain maximum performance at all times. Neither the throttleability nor the performance enhancements could be accomplished without a digital computer as a control device.
In 1972, NASA chose Rocketdyne as the engine contractor, with....

Figure 4-9. A typical display of the Primary Avionics Software System. (From NASA, Data Processing System Workbook)

....Marshall Space Flight Center responsible for monitoring the design, production, and testing of the engines. Rocketdyne conducted a preliminary study of the engine control problem and recommended that a distributed approach be used for the solution166. By placing controllers at the engines themselves, complex interfaces between the engine and vehicle could be avoided. Also, the high data rates needed for active control are best handled with a dedicated computer. Both Marshall and Rocketdyne agreed that a digital computer controller was better than an analog controller for three reasons. First, software allows for greater flexibility. Inasmuch as the control concepts for the engines were far from settled in 1972, NASA considered the ease of modifying software versus hardware a very important advantage167. [128] Second, the digital system could respond faster. And third, the failure detection function could be simpler168. Basically, the computer has only two functions: to control the engine and to do self tests.
The concept of fail operational/fail-safe is preserved with the engine controllers because each engine has a dual redundant computer attached to it. Failure of the first computer does not impede operational capability, as the second takes over instantly. Failure of the second computer causes a graceful shutdown of the affected engine169. Loss of an engine does not cause any immediate danger to a Shuttle crew, as demonstrated in a 1985 mission that lost an engine and still achieved orbit. If engine loss occurs early in a flight, the mission can be aborted through an RTLS (return to launch site) maneuver that causes the spacecraft essentially to turn around and fly back to a runway near the launch pad. Slightly later aborts may lead to a landing in Europe for Kennedy Space Center launches. If the engine fails near orbit it may be possible to achieve an orbit and then modify it using the orbital maneuvering system engines.
Controller Software and Redundancy Management
As with the main computers on the Shuttle, software is an important part of the engine controller system. NASA managers adopted a strict software engineering approach to the controller code. Marshall's Walter Mitchell said, "We try to treat the software exactly like the hardware"170. In fact, the controller software is more closely married to engine hardware than in other systems under computer control. The controllers operate as a real-time system with a fixed cyclic execution schedule. Each major cycle has four 5-millisecond minor cycles for a total of 20 milliseconds. This is a high frequency, necessitated by the requirement to control a rapidly changing engine environment. Each major cycle starts and ends with a self test. It proceeds through engine control tasks, input sensor data reads, engine limit monitoring tasks, output, another round of input sensor data, a check of internal voltage, and then the second self test171. Some free time is built into the cycle to avoid overruns into the next cycle. So that the controller will not waste processing time handling data requests from the primary avionics system, direct memory access of engine component data can be made by the primary172.
As with the primary computers in the Shuttle, the memory of the controller cannot hold all the software originally designed for it. A set of preflight checkout programs has to be stored on the MMU and rolled in during the countdown. At T-30 hours, the engines are activated and the flight software load is read from the mass memory173. Even this way, fewer than 500 words of the 16K are unused174.

Figure 4-10. A Shuttle Main Engine Controller mounted in an engineering simulator at the Marshall Space Flight Center. (NASA photo)

Although redundant, the controllers are not synchronized like the primary computers. Marshall Space Flight Center studied active synchronization, but the additional hardware and software overhead seemed too expensive175. The present system of redundancy management most closely resembles that used by the Skylab computers. Since Marshall also had responsibility for those computers and was making the decision about the controllers at the same time Skylab was operating, some influence from the ATMDC experience is possible. Two watchdog timers are used to flag failures. One is incremented by the real-time clock and the other, by a clock in the output electronics. Each has to be reset by the software. If the timers run out, the software or critical hardware of the computer responsible for resetting them is assumed failed and the Channel B computer takes over at that point. The timeout is set at 18 milliseconds, so the engine involved is "uncontrolled" by a failed computer for less than a major cycle before the redundant computer takes over176.
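The cyclic schedule and the watchdog takeover described in the two passages above, as an added simulation (not NASA's or Rocketdyne's code): each channel's two timers are only kicked while its software is running, a timer that passes 18 ms hands the engine to Channel B, and a second loss ends in a graceful shutdown. The 1 ms time step, the assumption that the software resets the timers once per 5 ms minor cycle, and the even spacing of the eight tasks across the 20 ms major cycle are modelling choices, not figures from the text.

```python
# Added example, not NASA code: the controller timing and watchdog takeover described
# above, with 1 ms steps; the reset-once-per-minor-cycle rule and even task spacing are assumptions.

MAJOR_MS, MINOR_MS, TIMEOUT_MS = 20, 5, 18
TASKS = ["self test", "engine control", "sensor input", "limit monitoring",
         "output", "sensor input", "voltage check", "self test"]


def task_at(offset_ms):
    """Task in progress at an offset into the 20 ms major cycle (tasks assumed evenly spaced)."""
    return TASKS[offset_ms * len(TASKS) // MAJOR_MS]


class Channel:
    def __init__(self, name, fails_at_ms=None):
        self.name, self.fails_at_ms = name, fails_at_ms
        self.rtc_timer = 0   # watchdog incremented by the real-time clock
        self.out_timer = 0   # watchdog incremented by the output electronics clock

    def alive(self, now):
        return self.fails_at_ms is None or now < self.fails_at_ms

    def step(self, now):
        """Advance one millisecond; True when either watchdog has run out."""
        self.rtc_timer += 1
        self.out_timer += 1
        if now % MINOR_MS == 0 and self.alive(now):   # running software resets both timers
            self.rtc_timer = self.out_timer = 0
        return max(self.rtc_timer, self.out_timer) > TIMEOUT_MS


def simulate(chan_a, chan_b, duration_ms):
    """Run the engine for duration_ms; return (events, final engine state)."""
    active, standby, events, engine = chan_a, chan_b, [], "running"
    for now in range(1, duration_ms + 1):
        if not active.step(now):
            continue                                   # timers kicked on time, nothing to do
        if standby is not None and standby.alive(now):
            lost = active.fails_at_ms                  # a timer only runs out once software stopped
            events.append((now, f"{standby.name} takes over; uncontrolled {now - lost} ms, "
                                f"failed during '{task_at(lost % MAJOR_MS)}'"))
            active, standby = standby, None
        else:
            events.append((now, f"{active.name} failed with no backup: graceful shutdown"))
            engine = "shut down"
            break
    return events, engine
```

With Channel A stopping at 41 ms the takeover is recorded at 59 ms, so the engine is uncontrolled for 18 ms, less than one major cycle, as the text states.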

[130] Box 4-7: Shuttle Engine Controller Hardware
The computer chosen for the engine controllers is the Honeywell HDC-601. The Air Force was using it in 1972 when the choice was made, so operational experience existed. Additionally, the machine was software compatible with the DDP 516, a ground-based Honeywell minicomputer, so a development environment was available. Honeywell built parts of the controller in St. Petersburg, Florida and shipped those to the main plant in Minneapolis for final assembly; within a couple of years, all the construction tasks moved to St. Petersburg. By mid-1983, Honeywell completed 29 of the computers177.
The HDC-601 uses a 16-bit instruction word. It can do an add in 2 microseconds, a multiply in 9. Eighty-seven instructions are available to programmers, and all software is coded in assembly language178. The memory is 2-mil plated wire, which has been used widely in the military and is known for its ruggedness. It functions much like a core memory in that data are stored as a one or zero by changing the polarity in a segment of the wire. Each machine has 16K words of 17 bits, the seventeenth bit providing even parity179. Plated wire has the advantage of having nondestructive readout capability.
The controllers are arranged with power, central processor, and interfaces as independent components, but the I/O devices are cross strapped. This provides a reliability increase of 15 to 20 times, as modular failures can be isolated. The computers and associated electronics are referred to as Channel A and Channel B. With the cross strapping, if Channel A's output electronics failed, then Channel B's could be used by Channel A's computer180.
Packaging is a serious consideration with engine controllers, since they are physically attached to a running rocket engine, hardly the benign environment found in most computer rooms. The use of late 1960s technology, which creates computers with larger numbers of discrete components and fewer ICs, means that the engine builders are penalized in designing appropriate packages181. Rocketdyne bolted early versions of the controller directly to the engine, resulting in forces of 22g rattling the computer and causing failures. The simple addition of a rubber gasket reduced the g forces to about 3 or 4. Within the outer box, the circuit cards are held in place by foam wedges to further reduce vibration effects182.
