Ch4-7
....main engine controllers stand out as a
clear "first" in space technology. The Shuttle's three main
liquid-propellant engines are the most complex and "hottest"
rockets ever built. The complexity is tied to the mission
requirements, which state that they be throttleable, a common
characteristic of internal combustion engines and turbojets, but
rare in the rocket business. They run "hotter" than any other
rocket engine because at any given moment they are closer to
destroying themselves than their predecessors. Previous engines
were overbuilt in the sense that they were designed to burn at
full thrust through their entire lifetime of a few minutes with no
chance that the continuous explosion of fuel and oxidizer would
get out of control. To ensure this, engineers designed combustion
chambers and cooling systems better than optimum, with the result
that the engines weighed more than less-protected designs, thus
reducing performance. Engineers also set fluid mixtures and flow
rates by mechanical means at preset levels, and levels could not
be changed to gain greater performance. The Shuttle engines can
adjust flow levels, can sense how close to exploding they are, and
can respond in such a way as to maintain maximum performance at
all times. Neither the throttleability nor the performance
enhancements could be accomplished without a digital computer as a
control device.
In 1972, NASA chose Rocketdyne as the
engine contractor, with Marshall Space Flight Center
responsible for monitoring the design, production, and testing of
the engines. Rocketdyne conducted a preliminary study of the
engine control problem and recommended that a distributed approach
be used for the solution<sup>166</sup>. By placing controllers at the engines themselves,
complex interfaces between the engine and vehicle could be
avoided. Also, the high data rates needed for active control are
best handled with a dedicated computer. Both Marshall and
Rocketdyne agreed that a digital computer controller was better
than an analog controller for three reasons. First, software
allows for greater flexibility. Inasmuch as the control concepts
for the engines were far from settled in 1972, NASA considered the
ease of modifying software versus hardware a very important
advantage<sup>167</sup>. Second, the digital system could respond faster.
And third, the failure detection function could be
simpler<sup>168</sup>. Basically, the computer has only two functions: to
control the engine and to do self tests.
The concept of fail operational/fail-safe
is preserved with the engine controllers because each engine has a
dual redundant computer attached to it. Failure of the first
computer does not impede operational capability, as the second
takes over instantly. Failure of the second computer causes a
graceful shutdown of the affected engine<sup>169</sup>. Loss of an engine does not cause any immediate
danger to a Shuttle crew, as demonstrated in a 1985 mission that
lost an engine and still achieved orbit. If engine loss occurs
early in a flight, the mission can be aborted through an RTLS
maneuver that causes the spacecraft essentially to turn around and
fly back to a runway near the launch pad. Slightly later aborts
may lead to a landing in Europe for Kennedy Space Center launches.
If the engine fails near orbit it may be possible to achieve an
orbit and then modify it using the orbital maneuvering system
engines.
Controller Software and Redundancy Management
As with the main computers on the Shuttle,
software is an important part of the engine controller system.
NASA managers adopted a strict software engineering approach to
the controller code. Marshall's Walter Mitchell said, "We try to
treat the software exactly like the hardware"<sup>170</sup>. In fact, the controller software is more closely
married to engine hardware than in other systems under computer
control. The controllers operate as a real-time system with a
fixed cyclic execution schedule. Each major cycle has four
5-millisecond minor cycles for a total of 20 milliseconds. This is
a high frequency, necessitated by the requirement to control a
rapidly changing engine environment. Each major cycle starts and
ends with a self test. It proceeds through engine control tasks,
input sensor data reads, engine limit monitoring tasks, output,
another round of input sensor data, a check of internal voltage,
and then the second self test<sup>171</sup>. Some free time is built into the cycle to avoid
overruns into the next cycle. So that the controller will not
waste processing time handling data requests from the primary
avionics system, direct memory access of engine component data can
be made by the primary<sup>172</sup>.
As with the primary computers in the
Shuttle, the memory of the controller cannot hold all the software
originally designed for it. A set of preflight checkout programs
has to be stored on the MMU and rolled in during the countdown.
At T-30 hours, the engines are activated and the flight software
load is read from the mass memory<sup>173</sup>. Even this way, fewer than 500 words of the 16K are
unused<sup>174</sup>.
Although redundant, the controllers are
not synchronized like the primary computers. Marshall Space Flight
Center studied active synchronization, but the additional hardware
and software overhead seemed too expensive<sup>175</sup>. The present system of redundancy management most
closely resembles that used by the Skylab computers. Since
Marshall also had responsibility for those computers and was
making the decision about the controllers at the same time Skylab
was operating, some influence from the ATMDC experience is
possible. Two watchdog timers are used to flag failures. One is
incremented by the real-time clock and the other, by a clock in
the output electronics. Each has to be reset by the software. If
the timers run out, the software or critical hardware of the
computer responsible for resetting them is assumed failed and the
Channel B computer takes over at that point. The timeout is set at
18 milliseconds, so the engine involved is "uncontrolled" by a
failed computer for less than a major cycle before the redundant
computer takes over<sup>176</sup>.
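The watchdog-driven failover described above can be modeled in a few lines of C. This is an added illustration, not controller code from NASA or Rocketdyne: the 1 ms simulation tick, the reset on every 5 ms minor cycle, the rule that either timer running out marks a channel failed, and the names `simulate`, `tick` and `fail_at_ms` are all assumptions made for the model.

```c
#include <stdio.h>

#define MINOR_CYCLE_MS 5    /* from the text: four of these per major cycle */
#define MAJOR_CYCLE_MS 20
#define WATCHDOG_MS    18   /* timeout stated in the text */

enum mode { CHANNEL_A, CHANNEL_B, SHUTDOWN };

struct channel {
    int fail_at_ms;   /* constructed fault time; -1 means never fails */
    int wd_rtc;       /* timer driven by the real-time clock */
    int wd_out;       /* timer driven by the output-electronics clock */
    int expired_ms;   /* when a watchdog ran out; -1 while healthy */
};

struct outcome { enum mode mode; int a_expired_ms; int b_expired_ms; };

/* Advance one channel by 1 ms. */
static void tick(struct channel *c, int now)
{
    if (c->expired_ms >= 0) return;              /* already declared failed */
    c->wd_rtc++; c->wd_out++;
    int running = c->fail_at_ms < 0 || now < c->fail_at_ms;
    /* Assumption: healthy software resets both timers every minor cycle. */
    if (running && now % MINOR_CYCLE_MS == 0) c->wd_rtc = c->wd_out = 0;
    /* Assumption: either timer running out marks the channel failed. */
    if (c->wd_rtc >= WATCHDOG_MS || c->wd_out >= WATCHDOG_MS) c->expired_ms = now;
}

/* Simulate one engine's dual-redundant controller for duration_ms. */
struct outcome simulate(int a_fail_ms, int b_fail_ms, int duration_ms)
{
    struct channel a = { a_fail_ms, 0, 0, -1 }, b = { b_fail_ms, 0, 0, -1 };
    for (int now = 1; now <= duration_ms; now++) {
        tick(&a, now);
        tick(&b, now);
    }
    /* A controls while healthy, B takes over, and losing both shuts down. */
    enum mode m = a.expired_ms < 0 ? CHANNEL_A
                : b.expired_ms < 0 ? CHANNEL_B : SHUTDOWN;
    return (struct outcome){ m, a.expired_ms, b.expired_ms };
}

int main(void)
{
    struct outcome o = simulate(52, -1, 200);    /* A hangs at t = 52 ms */
    printf("mode=%d, A expired at %d ms (gap %d ms)\n",
           o.mode, o.a_expired_ms, o.a_expired_ms - 52);
    return 0;
}
```

With a Channel A hang at 52 ms the model declares the channel failed at 68 ms, so the engine goes uncontrolled for 16 ms, inside the 20 ms major cycle as the text states.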
![Figure 4-8.](https://web.archive.org/web/20220924220822im_/https://history.nasa.gov/computers/p126.jpg)
Figure 4-8. Keyboard layout of the Shuttle computer system. (From NASA, Data Processing System Workbook)
![Figure 4-9.](https://web.archive.org/web/20220924220822im_/https://history.nasa.gov/computers/p127s.jpg)
Figure 4-9. A typical display of the Primary Avionics Software System. (From NASA, Data Processing System Workbook)
![Figure 4-10.](https://web.archive.org/web/20220924220822im_/https://history.nasa.gov/computers/p129.jpg)
Figure 4-10. A Shuttle Main Engine Controller mounted in an engineering simulator at the Marshall Space Flight Center. (NASA photo)