1 00:00:11,210 --> 00:00:11,570 Good morning. 2 00:00:11,570 --> 00:00:15,370 I am filling in for Professor Hoffman who is off addressing the French Parliament at 3 00:00:15,370 --> 00:00:16,180 this moment, or maybe it was yesterday afternoon. 4 00:00:16,180 --> 00:00:19,220 Tough choices of whether to stay here or go there. 5 00:00:19,220 --> 00:00:24,000 Well, that's right, Noah. 6 00:00:24,000 --> 00:00:30,689 These days the issue of knowing where you are, navigation is really taken for granted. 7 00:00:30,689 --> 00:00:32,980 We have GPS in our cell phones. 8 00:00:32,980 --> 00:00:34,480 GPS in handheld devices. 9 00:00:34,480 --> 00:00:41,480 GPS tells the taxi driver whether or not he should be turning up that one way street. 10 00:00:41,630 --> 00:00:48,100 When we began with human space travel, particularly as we entered the Apollo era, the question 11 00:00:48,100 --> 00:00:53,589 of navigation, along with guidance and control, was still a major issue. 12 00:00:53,589 --> 00:00:58,879 In fact, it was rather uncertain whether or not, in the Apollo mission, we were going 13 00:00:58,879 --> 00:01:05,879 to be able to, with assurance, do all of the navigation required for going to lunar trajectory 14 00:01:07,390 --> 00:01:14,390 and then doing the precise navigation to land on 15 00:01:21,390 --> 00:01:23,810 the moon. 16 00:01:23,810 --> 00:01:30,810 The history of leading guidance navigation and control has now, for a period of over half 17 00:01:36,119 --> 00:01:43,119 a century, been located just adjacent to, at one time part of MIT, the Instrumentation 18 00:01:44,158 --> 00:01:46,439 Laboratory, now Draper Laboratory. 19 00:01:46,439 --> 00:01:51,030 And the tradition carried on through Apollo to the Space Shuttle Program. 20 00:01:51,030 --> 00:01:57,130 And then, as I think as you are aware, beyond that into NASA's current plans. 21 00:01:57,130 --> 00:02:02,090 We're privileged today to have discuss with us the guidance, navigation and control issues 22 00:02:02,090 --> 00:02:05,369 on the Shuttle, Dr. Phil Hattis. 23 00:02:05,369 --> 00:02:12,369 Dr. Hattis, a graduate of Northwestern and Caltech with his PhD from the Aero-Astro Department 24 00:02:13,380 --> 00:02:17,510 at MIT, has been at Draper since 1974. 25 00:02:17,510 --> 00:02:22,040 He is a member of the Laboratory Technical Staff, which is the highest technical position 26 00:02:22,040 --> 00:02:23,470 available there. 27 00:02:23,470 --> 00:02:29,780 He serves as the Technical Lead for the Crew Exploration Vehicle Development Program in 28 00:02:29,780 --> 00:02:32,170 GN&C at Draper Laboratory. 29 00:02:32,170 --> 00:02:33,410 Phil has been very active in AIAA. 30 00:02:33,410 --> 00:02:34,270 He is a fellow. 31 00:02:34,270 --> 00:02:37,430 He has been head of the New England region. 32 00:02:37,430 --> 00:02:43,420 Has received the Draper Lab Distinguished Performance Awards and various NASA recognition 33 00:02:43,420 --> 00:02:48,800 awards for his contributions to STS-1 and STS-8 missions. 34 00:02:48,800 --> 00:02:53,880 Then we will hear about Draper's contributions and the overall issue of GN&C. 35 00:02:53,880 --> 00:02:55,840 Thanks a lot, Larry. 36 00:02:55,840 --> 00:03:02,440 I should just point out, when I came up here as a graduate student to pursue my doctorate, 37 00:03:02,440 --> 00:03:04,770 I was a Draper fellow. 38 00:03:04,770 --> 00:03:10,250 I started working on the Shuttle as a Draper fellow, so much of the work I will be talking 39 00:03:10,250 --> 00:03:15,120 about here, I was probably only a year or two older than any of you when I was doing 40 00:03:15,120 --> 00:03:15,750 this. 41 00:03:15,750 --> 00:03:22,370 And that's turned out to be fairly useful to NASA because with the Shuttle still flying 42 00:03:22,370 --> 00:03:26,770 from time to time issues come up and they stick pick my brain about what we did in 1974, 43 00:03:26,770 --> 00:03:33,770 '75 and '76, which wouldn't had been so easy if I had been at my current age then. 44 00:03:34,510 --> 00:03:39,230 But it is also a little bit alarming because it means the people that are working on the 45 00:03:39,230 --> 00:03:42,700 system now don't really understand why it was designed the way it is. 46 00:03:42,700 --> 00:03:45,440 Now, the other thing they could have asked me for was the report on which this material 47 00:03:45,440 --> 00:03:49,829 was based, which I wrote in 1983 to educate the rest of the people at Draper who were 48 00:03:49,829 --> 00:03:52,250 going to work on the program subsequently about this system. 49 00:03:52,250 --> 00:03:58,540 Now, the other thing I just want to say is feel free to interrupt me at any point to 50 00:03:58,540 --> 00:03:58,890 ask questions. 51 00:03:58,890 --> 00:04:03,260 I am going to be covering a lot of ground, and I may not get back to the area that you're 52 00:04:03,260 --> 00:04:05,660 interested in asking me about if you wait. 53 00:04:05,660 --> 00:04:10,870 So just raise your hand or speak up or whatever you feel like. 54 00:04:10,870 --> 00:04:16,329 And the other things I want to point out are two things. 55 00:04:16,329 --> 00:04:21,250 One, what you're going to be looking is largely what was done for the first Shuttle flight 56 00:04:21,250 --> 00:04:23,940 except where I mention specific upgrades. 57 00:04:23,940 --> 00:04:27,770 Now, I am not going to be comprehensively covering all the upgrades that have been done 58 00:04:27,770 --> 00:04:30,849 to the Shuttle since. 59 00:04:30,849 --> 00:04:33,819 What you will also note is this presentation will be largely monochrome. 60 00:04:33,819 --> 00:04:34,509 And why? 61 00:04:34,509 --> 00:04:39,060 Because it is drawn from a presentation of 1983 when there was no such thing as a laptop 62 00:04:39,060 --> 00:04:42,900 or PowerPoint and color was a real pain to get. 63 00:04:42,900 --> 00:04:49,849 You had to go to the artist and then get it lithographically reproduced which was an incredibly 64 00:04:49,849 --> 00:04:51,550 cost. 65 00:04:51,550 --> 00:04:55,900 What color you see, I've added now and it's limited, except for a couple of pictures at 66 00:04:55,900 --> 00:04:56,150 the end. 67 00:04:56,120 --> 00:05:00,219 I do have some before and after cockpit pictures at the end. 68 00:05:00,219 --> 00:05:06,189 You will periodically see a chart like this, topics of discussion, we'll go from section 69 00:05:06,189 --> 00:05:10,240 to section and we're going to delineate the areas I'm going to cover. 70 00:05:10,240 --> 00:05:13,270 There are going to be a whole bunch of sub-bullets for each of these areas as I go through. 71 00:05:13,270 --> 00:05:18,189 This will be not real deep, unless you ask me the questions and I will go as deep as 72 00:05:18,189 --> 00:05:24,139 you want with the questions but covering a lot of ground. 73 00:05:24,139 --> 00:05:29,180 Some of these pictures you may have seen in one form or another, but I should just highlight 74 00:05:29,180 --> 00:05:30,180 certain points. 75 00:05:30,180 --> 00:05:35,879 The systems related to the flight control were placed all over the Shuttle. 76 00:05:35,879 --> 00:05:40,759 In the forward area, which was the only pressurized portion of the Shuttle, below the livable 77 00:05:40,759 --> 00:05:43,289 areas was the avionics bay. 78 00:05:43,289 --> 00:05:50,020 And, in there where the computers, the inertial measurement unit, and I want to say something 79 00:05:50,020 --> 00:05:53,509 about that in a moment, what they refer to as multiplexers-demultiplexers. 80 00:05:53,509 --> 00:05:57,789 You've got a lot of analog systems or you had to convert back and forth between digital 81 00:05:57,789 --> 00:05:58,819 and analog. 82 00:05:58,819 --> 00:06:05,819 And the electronic boxes that drove the commands for the reaction control system thrusters. 83 00:06:05,969 --> 00:06:11,539 And then you have hand controllers and displays and indicators in the cockpit. 84 00:06:11,539 --> 00:06:17,340 In the back you have pods which have many of the reaction control system jets, the orbital 85 00:06:17,340 --> 00:06:18,990 maneuvering system thrusters. 86 00:06:18,990 --> 00:06:22,759 And I will be talking quite a bit more about them later. 87 00:06:22,759 --> 00:06:28,249 And there was also in the aft avionics bay that had specific subsystems for which it 88 00:06:28,249 --> 00:06:29,939 was deemed unacceptable to have them forward. 89 00:06:29,939 --> 00:06:36,150 Some of them were local analog digital conversion boxes, but also rate gyros which were used 90 00:06:36,150 --> 00:06:41,620 during assent and entry where they wanted them closer to the center of mass by being 91 00:06:41,620 --> 00:06:47,659 in the back and in the front avoiding some of the flexure issues associated with the 92 00:06:47,659 --> 00:06:50,779 long distance to the front. 93 00:06:50,779 --> 00:06:56,099 This particular configuration you're looking at is before the external tank separated after 94 00:06:56,099 --> 00:06:59,979 the solid rocket boosters had come off. 95 00:06:59,979 --> 00:07:04,050 This configuration is where the story begins because what I am going to be talking about 96 00:07:04,050 --> 00:07:11,050 is the part that Draper did which is the exoatmospheric flight control system. 97 00:07:12,999 --> 00:07:16,580 And that begins at main engine shutdown and ends when you hit 400,000 feet on the way 98 00:07:16,580 --> 00:07:22,919 back. 99 00:07:22,919 --> 00:07:25,629 There are different phases that we will be talking about. 100 00:07:25,629 --> 00:07:30,409 The first is what we refer to as insertion which is from the time the main engines cut 101 00:07:30,409 --> 00:07:35,360 off to the time you do initial orbit circularization. 102 00:07:35,360 --> 00:07:42,360 And that includes a brief but design challenge phase while you're attached to the external 103 00:07:42,430 --> 00:07:43,249 tank. 104 00:07:43,249 --> 00:07:46,689 It includes the separation maneuver from that. 105 00:07:46,689 --> 00:07:52,120 And, in the original flight profile for the Shuttle two burns of the orbital maneuvering 106 00:07:52,120 --> 00:07:59,099 system, the original orbit insertion strategy for the Shuttle put it in an orbit that typically 107 00:07:59,099 --> 00:08:04,550 had an apogee of about 60 nautical miles, a perigee of just a few nautical miles. 108 00:08:04,550 --> 00:08:09,969 What you would do is the first burn would raise that perigee up to the 100 plus nautical 109 00:08:09,969 --> 00:08:13,499 mile target altitude and then the second burn halfway around the earth would put you into 110 00:08:13,499 --> 00:08:16,490 a circular orbit and then you would begin your mission there. 111 00:08:16,490 --> 00:08:23,490 Later in the program for overall efficiency, in order to improve the payload margins, that 112 00:08:24,419 --> 00:08:25,339 strategy changed. 113 00:08:25,339 --> 00:08:31,439 And they tended to do more what they call direct insertion which had a substantial higher 114 00:08:31,439 --> 00:08:31,999 apogee. 115 00:08:31,999 --> 00:08:38,169 The perigee wasn't much higher but you would end up somewhere between those two. 116 00:08:38,169 --> 00:08:43,850 And then you would do one OMS burn and you would get a net gain of maybe one or two thousand 117 00:08:43,850 --> 00:08:47,840 pounds which became very important. 118 00:08:47,840 --> 00:08:52,830 During this insertion phase all the applicable sensors were on. 119 00:08:52,830 --> 00:08:55,840 Now, I said I was going to say something about the IMU. 120 00:08:55,840 --> 00:09:00,330 And most of you don't even think probably these days about having rate gyro separate 121 00:09:00,330 --> 00:09:02,790 from an inertial measurement unit. 122 00:09:02,790 --> 00:09:07,900 You get these combined packages called inertial navigation systems now. 123 00:09:07,900 --> 00:09:09,830 They're actually navigators that have the software. 124 00:09:09,830 --> 00:09:11,530 They do all the processing for you. 125 00:09:11,530 --> 00:09:13,260 They even have built in GPS receivers. 126 00:09:13,260 --> 00:09:15,870 Of course, we didn't have GPS then. 127 00:09:15,870 --> 00:09:20,790 The inertial measurement unit was a pretty clunky gimbaled device at the time the Shuttle 128 00:09:20,790 --> 00:09:21,770 first flew. 129 00:09:21,770 --> 00:09:27,220 It subsequently got upgraded to ring laser gyro systems. 130 00:09:27,220 --> 00:09:34,220 But that inertial measurement unit was simply outputting angles that were significant throughput 131 00:09:35,490 --> 00:09:35,940 issues. 132 00:09:35,940 --> 00:09:38,830 Because you had to do a lot of data crunching to get rates from that. 133 00:09:38,830 --> 00:09:39,380 Computers are really slow. 134 00:09:39,380 --> 00:09:43,990 I will talk a little bit more about that in a few minutes. 135 00:09:43,990 --> 00:09:50,260 Having rate gyros separate was a way to get data that these days would be all built into 136 00:09:50,260 --> 00:09:52,460 one box. 137 00:09:52,460 --> 00:09:57,050 General purpose computers, all of them were on during ascent. 138 00:09:57,050 --> 00:10:03,750 I will talk about the partisan of them, but there were actually five of them. 139 00:10:03,750 --> 00:10:08,680 And the Vernier reaction control system, which is a small group of jets, and I will point 140 00:10:08,680 --> 00:10:10,150 those out later, were not active. 141 00:10:10,150 --> 00:10:11,700 The larger thrusters were. 142 00:10:11,700 --> 00:10:15,730 And then, after the second OMS burn, you transition to another flight phase. 143 00:10:15,730 --> 00:10:20,290 And why all these flight phases, I will get to in a couple minutes also. 144 00:10:20,290 --> 00:10:24,650 Then orbit phase began after the second burn. 145 00:10:24,650 --> 00:10:27,960 You quickly open the doors so that you could dump waste heat. 146 00:10:27,960 --> 00:10:29,760 The radiators are on the inside of the doors. 147 00:10:29,760 --> 00:10:34,880 And, when the doors are closed, the heat just radiates back into the vehicle. 148 00:10:34,880 --> 00:10:37,190 All payload operations are during this phase. 149 00:10:37,190 --> 00:10:40,650 And you did a lot of power down to save. 150 00:10:40,650 --> 00:10:41,880 You're working off of fuel cells. 151 00:10:41,880 --> 00:10:46,640 It limits your mission life both because of the limits on the weight of the reactants 152 00:10:46,640 --> 00:10:50,460 and on the places you can put any extra tanks. 153 00:10:50,460 --> 00:10:55,270 So you turn off the rate gyros, you don't need those anymore, and I will explain why. 154 00:10:55,270 --> 00:10:58,600 Two of the five general purpose computers were shut down. 155 00:10:58,600 --> 00:11:05,100 This also being a late `70s computer design, you're talking maybe on the order of a couple 156 00:11:05,100 --> 00:11:12,100 hundred watts per computer which, by the way, I will explain more about, but was a 104,000 157 00:11:15,390 --> 00:11:17,370 word memory capacity. 158 00:11:17,370 --> 00:11:22,680 That was actually an improvement from the approach and landing test when it was 64,000 159 00:11:22,680 --> 00:11:24,220 words. 160 00:11:24,220 --> 00:11:30,830 And then you turned off two of the three redundant inertial measurement units, except for critical 161 00:11:30,830 --> 00:11:32,760 phases. 162 00:11:32,760 --> 00:11:39,380 Also the safe power, the feeling was that if you lost your navigation reference you 163 00:11:39,380 --> 00:11:43,200 would have a relatively benign environment to bring one of the others up. 164 00:11:43,200 --> 00:11:47,000 And the Vernier thrusters were made available because they were used for flying control. 165 00:11:47,000 --> 00:11:49,970 Then you have the deorbit phase. 166 00:11:49,970 --> 00:11:51,130 You close the doors again. 167 00:11:51,130 --> 00:11:53,220 You do the deorbit burn. 168 00:11:53,220 --> 00:11:59,160 You dump any residual propellant from the forward tanks by simultaneously burning opposing 169 00:11:59,160 --> 00:12:05,030 thrusters in order to get an acceptable center of mass for entry. 170 00:12:05,030 --> 00:12:09,060 Getting the acceptable location of the center of mass for attitude and thermal control during 171 00:12:09,060 --> 00:12:11,630 entry is very critical. 172 00:12:11,630 --> 00:12:15,200 You reactive all the sensors. 173 00:12:15,200 --> 00:12:19,610 You go back to all the computers being up. 174 00:12:19,610 --> 00:12:24,020 Then you turn the Vernier jets back off and you fly the vehicle using this mode until 175 00:12:24,020 --> 00:12:27,910 you're at 400,000 feet which is about where you pick up 0.05 Gs. 176 00:12:27,910 --> 00:12:33,490 And that is where the entry phase takes over. 177 00:12:33,490 --> 00:12:35,740 And this is just a summary of the profile. 178 00:12:35,740 --> 00:12:40,260 Now, this is where I wanted to take the opportunity to talk a little bit about computers and profiles 179 00:12:40,260 --> 00:12:44,170 and everything else. 180 00:12:44,170 --> 00:12:49,170 When we started this program with a 64,000 word computer, I talk in terms of words instead 181 00:12:49,170 --> 00:12:51,340 of bytes. 182 00:12:51,340 --> 00:12:53,860 The architecture of this computer didn't have bytes. 183 00:12:53,860 --> 00:12:55,420 You had words and half words. 184 00:12:55,420 --> 00:13:00,920 Each word was equivalent to about four bytes in terms of number of characters you could 185 00:13:00,920 --> 00:13:02,540 insert into it. 186 00:13:02,540 --> 00:13:06,400 But you only could break it down into pieces of two. 187 00:13:06,400 --> 00:13:13,400 So we had 208,000 - well, a thousand times 24 pieces of memory that we could work with 188 00:13:15,960 --> 00:13:20,200 on this computer. 189 00:13:20,200 --> 00:13:25,670 For the approach and landing test, which was very limited, you flew it off of a 747 for 190 00:13:25,670 --> 00:13:30,280 a couple of minutes, 64,000 words worked just fine. 191 00:13:30,280 --> 00:13:34,780 And they were chugging along with the program saying we're going to get all this orbital 192 00:13:34,780 --> 00:13:36,280 mission stuff into that computer. 193 00:13:36,280 --> 00:13:40,920 And, of course, we discovered probably a year after we really began the job, we began the 194 00:13:40,920 --> 00:13:44,930 job seriously in '75, and by '76 it was obvious 64,000 words wasn't going to work. 195 00:13:44,930 --> 00:13:46,490 They upped it to 104,000 words. 196 00:13:46,490 --> 00:13:51,590 It was probably obvious four months later that 104,000 words wasn't going to work. 197 00:13:51,590 --> 00:13:58,010 So the solution, in addition to descoping as much as possible, what you had to have 198 00:13:58,010 --> 00:14:03,350 was to separate the computer loads that you had for up and down which you did when you 199 00:14:03,350 --> 00:14:07,060 were doing your orbital mission. 200 00:14:07,060 --> 00:14:10,470 And then you had something called the mass memory device which is basically a tape drive 201 00:14:10,470 --> 00:14:14,840 which when you went from this phase to this phase would reload some of the computers. 202 00:14:14,840 --> 00:14:18,080 And then you went from this phase to this phase we'd reload them again. 203 00:14:18,080 --> 00:14:21,550 And I said there were five of these computers. 204 00:14:21,550 --> 00:14:26,110 Four of them, of what I'll be talking about, were the primary computer set. 205 00:14:26,110 --> 00:14:33,110 Quad redundant so that they would vote all data going in and out to decide whether or 206 00:14:34,900 --> 00:14:37,960 not there was an inconsistency between one computer and the other. 207 00:14:37,960 --> 00:14:41,490 And it would automatically deselect the bad computer, the implications of which I will 208 00:14:41,490 --> 00:14:45,230 talk about probably about three-quarters of the way through the presentation. 209 00:14:45,230 --> 00:14:50,590 When you went up and down, all four computers were operating the same software. 210 00:14:50,590 --> 00:14:52,780 The fifth computer was called the backup flight control system. 211 00:14:52,780 --> 00:14:57,930 And the reason it was there, these four primary computers, a chunk of that 104,000 words, 212 00:14:57,930 --> 00:15:03,650 probably 30,000 to 40,000 words was used to assure the computer set operated successfully 213 00:15:03,650 --> 00:15:04,230 redundantly. 214 00:15:04,230 --> 00:15:08,680 There was always a concern that there would be a generic software error that would show 215 00:15:08,680 --> 00:15:12,870 up at some bizarre time and that you could pull down the whole computer set. 216 00:15:12,870 --> 00:15:19,870 It was an independently coded similar architecture from the standpoint of algorithm content, 217 00:15:21,070 --> 00:15:27,680 but independently coded software called the backup flight control system that on the hand 218 00:15:27,680 --> 00:15:32,010 controller there was a button the crew could hit, a panic button, if they needed to. 219 00:15:32,010 --> 00:15:34,860 And the system would revert from the primary system backup system. 220 00:15:34,860 --> 00:15:41,060 It never happened in the history of the program, it has never been used, but it is still there. 221 00:15:41,060 --> 00:15:46,110 And so those five computers are all operating on the way up and on the way down. 222 00:15:46,110 --> 00:15:51,250 Now, when you go to the onboard phase, and only three computers are up, you freeze dry, 223 00:15:51,250 --> 00:15:52,900 as they say, to the computers. 224 00:15:52,900 --> 00:15:57,660 One computer remains the backup flight computer turned off ready to turn on from emergency 225 00:15:57,660 --> 00:15:59,000 entry to backup. 226 00:15:59,000 --> 00:16:02,180 The other one is a primary software load ready to start. 227 00:16:02,180 --> 00:16:06,590 The remaining three computers, two of them were redundant set for the on-orbit functions. 228 00:16:06,590 --> 00:16:12,030 And one of them, again, because of memory problems, everything payload related was in 229 00:16:12,030 --> 00:16:18,780 a system management and monitoring other non-flight control related functions with one of the 230 00:16:18,780 --> 00:16:19,480 other computers. 231 00:16:19,480 --> 00:16:25,590 They did this spread of functions across computers, in addition to adding the tape drive in order 232 00:16:25,590 --> 00:16:30,870 to accommodate the memory constraints because the Shuttle Mission was so much more complex 233 00:16:30,870 --> 00:16:35,090 than what the computers were originally designed to accommodate. 234 00:16:35,090 --> 00:16:37,580 So you say it never happened. 235 00:16:37,580 --> 00:16:41,250 Have there been instances in which any of the backup computers have been brought online? 236 00:16:41,250 --> 00:16:45,820 There have been instances in which primary computers have failed. 237 00:16:45,820 --> 00:16:49,150 There has never been an instance in which they've reverted to the backup system. 238 00:16:49,150 --> 00:16:55,870 Now, when the primary systems fail, and I will elaborate this in more detail, while 239 00:16:55,870 --> 00:17:01,510 each computer computes the functionality for everything, they only control more or less 240 00:17:01,510 --> 00:17:04,859 a quarter of the subsystems. 241 00:17:04,859 --> 00:17:05,619 And there is a distribution. 242 00:17:05,619 --> 00:17:07,909 And some of the charts towards the end will talk about how this was done. 243 00:17:07,909 --> 00:17:11,980 And there are implications associated with what you lose when the computer goes down. 244 00:17:11,980 --> 00:17:17,220 But, if you have time in your noncritical flight phase, you can restring those things 245 00:17:17,220 --> 00:17:20,990 to the remaining healthy computers and recover accessible systems even though that computer 246 00:17:20,990 --> 00:17:22,398 has gone down. 247 00:17:22,398 --> 00:17:29,399 Now, on STS-9, that was incidentally our MIT department's first Shuttle flight. 248 00:17:29,499 --> 00:17:31,350 And it had, Byron Lichtenberg, one of our people. 249 00:17:31,350 --> 00:17:35,360 And what turned out happened to be floating solder balls and an early version of these 250 00:17:35,360 --> 00:17:39,039 computers that caused intermittent shorts. 251 00:17:39,039 --> 00:17:41,960 And one computer went down before entry. 252 00:17:41,960 --> 00:17:44,889 They recovered the string. 253 00:17:44,889 --> 00:17:48,519 Another computer went down during entry. 254 00:17:48,519 --> 00:17:53,590 And, because they had reconfigured the string, they had three of the four strings left but 255 00:17:53,590 --> 00:17:55,909 only two computers. 256 00:17:55,909 --> 00:17:58,360 And another one failed on touchdown. 257 00:17:58,360 --> 00:18:04,929 And had that one failed before touchdown they probably would have reverted to the backup 258 00:18:04,929 --> 00:18:05,179 system. 259 00:18:05,120 --> 00:18:07,460 That's the closest they ever came to a backup system. 260 00:18:07,460 --> 00:18:11,350 Now, the question that comes to my mind there, since the generic failure was not software 261 00:18:11,350 --> 00:18:16,370 but floating solder balls, which all the computers were susceptible to, what would have happened 262 00:18:16,370 --> 00:18:18,350 if they had gone to the backup system? 263 00:18:18,350 --> 00:18:22,429 Because it could have gone down, too, and then they would have had nothing. 264 00:18:22,429 --> 00:18:26,850 Because, once they've gone to the backup, it is not easy to revert in critical flight 265 00:18:26,850 --> 00:18:28,389 phase to the primary system. 266 00:18:28,389 --> 00:18:32,970 Lichtenberg, as I mentioned, was a crew member from our lab. 267 00:18:32,970 --> 00:18:36,759 Later I asked him how did he feel when the first computer went down and then the second 268 00:18:36,759 --> 00:18:37,950 computer went down? 269 00:18:37,950 --> 00:18:42,220 Byron has an aero-astro PhD and pretty savvy. 270 00:18:42,220 --> 00:18:47,389 He said he was pretty worried until he looked at the commander, who was John Young, and 271 00:18:47,389 --> 00:18:51,019 John said well, we might as well go to sleep because we're not going to reenter today. 272 00:18:51,019 --> 00:18:54,870 And when John went to sleep he said he might as well go to sleep, too, and it will be all 273 00:18:54,870 --> 00:18:55,860 right. 274 00:18:55,860 --> 00:18:58,850 And it was. 275 00:18:58,850 --> 00:18:59,850 Yes? 276 00:18:59,850 --> 00:19:04,149 [AUDIENCE QUESTION] The computer was the same. 277 00:19:04,149 --> 00:19:05,769 The software was not. 278 00:19:05,769 --> 00:19:09,149 The computers themselves are all interchangeable AP101 computers. 279 00:19:09,149 --> 00:19:15,409 Subsequently, they were changed to AP101S computers, which is modified version that 280 00:19:15,409 --> 00:19:17,120 was used on the B-1 Bomber. 281 00:19:17,120 --> 00:19:20,299 And they went to 256,000 words of memory. 282 00:19:20,299 --> 00:19:21,879 And that is the current state-of-the-art. 283 00:19:21,879 --> 00:19:26,399 You have to understand several things. 284 00:19:26,399 --> 00:19:29,289 One, it is very expensive to upgrade systems that are already flying. 285 00:19:29,289 --> 00:19:35,299 But, independent of that, you never fly in space something that is close to the state-of-the-art 286 00:19:35,299 --> 00:19:39,909 because you have to go through all the qualifications, which takes a lot of time, and it has to be 287 00:19:39,909 --> 00:19:41,490 radiation hardened when you're in space. 288 00:19:41,490 --> 00:19:45,570 And when it's a human vehicle, it has also got to go through human qualification. 289 00:19:45,570 --> 00:19:52,570 The Space Station architecture is IBM 386 processor quality, so it is basically like 290 00:19:56,220 --> 00:20:03,220 maybe about 1986, '87 early laptop generation computers. 291 00:20:03,539 --> 00:20:10,539 [AUDIENCE QUESTION] Oh, yes. 292 00:20:10,980 --> 00:20:13,090 There were quite a few missions. 293 00:20:13,090 --> 00:20:16,629 I don't think there have ever been any missions where they lost two. 294 00:20:16,629 --> 00:20:21,690 The IMU failures don't seem to have been anything systemic but just sort of a random problem. 295 00:20:21,690 --> 00:20:26,710 And I'm not sure since they have gone to the ring laser gyro systems that they have had 296 00:20:26,710 --> 00:20:26,999 any failures. 297 00:20:26,999 --> 00:20:33,759 I think it was the mechanical ones from the early days that they had some problems. 298 00:20:33,759 --> 00:20:36,519 Now, major requirements for the systems. 299 00:20:36,519 --> 00:20:39,940 We had two different autopilots for three phase transmission which incorporated both 300 00:20:39,940 --> 00:20:45,610 the insertion and the orbit features and on-orbit, so we only had two different software loads 301 00:20:45,610 --> 00:20:49,710 on that tape drive for the primary flight control system. 302 00:20:49,710 --> 00:20:54,830 The rules for Shuttle were that after any subsystem failure you have the capability 303 00:20:54,830 --> 00:20:56,330 to remain operational. 304 00:20:56,330 --> 00:20:58,309 No critical functions were lost. 305 00:20:58,309 --> 00:21:04,330 After two failures, safe operation, all critical things necessary to terminate the mission 306 00:21:04,330 --> 00:21:06,119 and bring them home would be possible. 307 00:21:06,119 --> 00:21:13,119 But some of the mission objectives may not be achievable. 308 00:21:14,129 --> 00:21:21,129 The system was mainly aimed at controlling rigid body characteristics and velocity changes 309 00:21:21,669 --> 00:21:22,639 within specification. 310 00:21:22,639 --> 00:21:27,039 Only when we started to look at docking with the mirror in the Space Station did we start 311 00:21:27,039 --> 00:21:28,899 worrying about flexible body effects. 312 00:21:28,899 --> 00:21:32,460 And it was because of what they were attaching to and not because of the Shuttle, all those 313 00:21:32,460 --> 00:21:33,740 appendages and those things. 314 00:21:33,740 --> 00:21:38,980 If Shuttle does control Space Station and did control Mir when it was docked. 315 00:21:38,980 --> 00:21:42,610 And so there have been some modes, which I won't really be talking about today, but were 316 00:21:42,610 --> 00:21:49,610 created to facilitate that control without causing unacceptable loads on those flexible 317 00:21:49,710 --> 00:21:52,960 appendages of the stations. 318 00:21:52,960 --> 00:21:58,009 And 80 millisecond app cycle, two reasons that happened. 319 00:21:58,009 --> 00:21:59,909 We originally planned to do 40 milliseconds. 320 00:21:59,909 --> 00:22:02,149 The approach and landing test program was. 321 00:22:02,149 --> 00:22:07,169 First there is less process of burden if you do it half as often. 322 00:22:07,169 --> 00:22:12,990 And the other, when it came to the reaction control system, as we discovered in about 323 00:22:12,990 --> 00:22:19,990 early 1980, a little more than a year before the first flight that there was a water hammer 324 00:22:20,340 --> 00:22:27,340 effect in the propellant lines on the RCS jets were the opening of the valves caused 325 00:22:27,899 --> 00:22:32,789 an expansion wave which reflected as a compression wave. 326 00:22:32,789 --> 00:22:34,549 The closing of the valves caused a compression wave. 327 00:22:34,549 --> 00:22:39,110 The inner section compression waves, if the valves were opened and closed too quickly, 328 00:22:39,110 --> 00:22:43,399 could cause a catastrophically large compression wave that could burst the line. 329 00:22:43,399 --> 00:22:49,450 So they deemed it better rather than redesign the entire feed system to limit us to never 330 00:22:49,450 --> 00:22:53,269 firing faster than 80 millisecond cycles. 331 00:22:53,269 --> 00:22:55,159 Now, that differed from Apollo. 332 00:22:55,159 --> 00:23:00,080 Apollo had 100 millisecond cycle time, but they had the ability to interrupt the cycle 333 00:23:00,080 --> 00:23:02,879 to turn out enough jets if they wanted a short firing. 334 00:23:02,879 --> 00:23:08,289 We couldn't do that because of the water hammer effect. 335 00:23:08,289 --> 00:23:15,289 And also because the propellant feed system involved a liquid in the tank with zero G 336 00:23:18,720 --> 00:23:24,059 acquisition devices around the surface of the tank directly exposed to the pressured 337 00:23:24,059 --> 00:23:28,119 helium, which means some of the helium dissolved into the fluid. 338 00:23:28,119 --> 00:23:34,779 If the fluid was drawn too fast the helium could bubble out causing a gap in those zero 339 00:23:34,779 --> 00:23:38,059 G acquisition devices around the tank preventing flow. 340 00:23:38,059 --> 00:23:44,019 If you get unbalanced flow of hypergolic propulsion systems you can also get an explosion. 341 00:23:44,019 --> 00:23:47,850 So the solution to that was limiting how many jets you could fire at one time off of one 342 00:23:47,850 --> 00:23:48,299 tank. 343 00:23:48,299 --> 00:23:51,429 Does everybody understand what the zero G acquisition problem is? 344 00:23:51,429 --> 00:23:53,610 It's a surface tension base. 345 00:23:53,610 --> 00:24:00,610 You have various types of rings and shapes on there that captured fluid by surface tension 346 00:24:00,749 --> 00:24:04,320 to there, which would begin to draw the fluid. 347 00:24:04,320 --> 00:24:08,830 And once you began to get some flow because of firing things it would pull the blobs of 348 00:24:08,830 --> 00:24:15,379 fluid into the tanks and into the feed lines from the tanks. 349 00:24:15,379 --> 00:24:17,340 As you recall, the origin of the problem is that the fluid would not be at the bottom 350 00:24:17,340 --> 00:24:21,730 of the tank so you risk drawing a bubble. 351 00:24:21,730 --> 00:24:26,129 The surface tension holds enough there to start the firing. 352 00:24:26,129 --> 00:24:27,679 When you fire you get some force. 353 00:24:27,679 --> 00:24:32,659 The force draws the blob to the same parts of the tanks where you can acquire the fluid. 354 00:24:32,659 --> 00:24:38,019 And, as long as you don't draw too fast, the communication between that part of the tank 355 00:24:38,019 --> 00:24:38,809 and the fluid remains. 356 00:24:38,809 --> 00:24:42,529 This was a very complicated qualification program. 357 00:24:42,529 --> 00:24:49,529 A lot of C135 parabolic trajectory time got used to test out various perturbating of the 358 00:24:50,269 --> 00:24:50,759 inside of the tanks. 359 00:24:50,759 --> 00:24:54,239 And I am not going to talk about that in detail but I'm sure there are a lot of papers out 360 00:24:54,239 --> 00:24:58,110 in the literature about how they qualified these things. 361 00:24:58,110 --> 00:25:03,429 And I don't think there were too many systems before the Shuttle that actually did it this 362 00:25:03,429 --> 00:25:03,960 way. 363 00:25:03,960 --> 00:25:08,529 One used systems that tended to use membranes where you had the pressure on one side and 364 00:25:08,529 --> 00:25:15,529 the fluid on the other side, and the membrane would just force the fluid to stay in contact. 365 00:25:17,230 --> 00:25:22,639 But the problem is the membranes would degrade over time on exposure to these hypergolic 366 00:25:22,639 --> 00:25:23,769 propellants. 367 00:25:23,769 --> 00:25:29,070 Hydrazine and nitrogen tetroxide are very chemical reactive materials. 368 00:25:29,070 --> 00:25:32,480 For instance, it was supposed to be used over many years up to a hundred times. 369 00:25:32,480 --> 00:25:36,259 The idea that you would have periodically keep opening up these tanks to change a membrane 370 00:25:36,259 --> 00:25:39,610 was not attractive when you consider the tanks are deep inside of the structure. 371 00:25:39,610 --> 00:25:44,549 So this may have been a unique issue because of a reusable system, but it also may be relevant 372 00:25:44,549 --> 00:25:51,549 to systems that even if they aren't reusable have to have a very long life in space. 373 00:25:54,999 --> 00:26:00,419 Modes and submodes I will quickly go through, but you have rotation and translation modes. 374 00:26:00,419 --> 00:26:07,419 These modes could be used simultaneously for the RCS system and then separately for the 375 00:26:08,710 --> 00:26:11,899 OMS system. 376 00:26:11,899 --> 00:26:18,899 And you had special modes which to get extra oomph out of the RCS jets, if you had an abort, 377 00:26:21,809 --> 00:26:26,049 that would sometimes be done if the OMS engineers weren't available. 378 00:26:26,049 --> 00:26:33,049 The OMS engines, there were two of them which were up on the back right and left pods from 379 00:26:33,460 --> 00:26:36,799 that picture I showed a few minutes ago. 380 00:26:36,799 --> 00:26:39,350 And you could use one or two depending on what you were doing. 381 00:26:39,350 --> 00:26:44,129 And in the RCS rotation modes, you had various ways you could use it. 382 00:26:44,129 --> 00:26:46,749 Proportional meant you moved the stick. 383 00:26:46,749 --> 00:26:51,419 The response you get is in proportion to what you do, how long the jets fire. 384 00:26:51,419 --> 00:26:55,419 Discrete means you move the stick and you get a specific amount of rate change. 385 00:26:55,419 --> 00:26:58,570 Pulse means you just get a single little pulse out. 386 00:26:58,570 --> 00:27:03,100 And acceleration means as long as you're holding the stick out it keeps firing them. 387 00:27:03,100 --> 00:27:03,989 And those are all. 388 00:27:03,989 --> 00:27:08,309 There were push button displays that the crew could adjust. 389 00:27:08,309 --> 00:27:13,200 There were some modes for each of those which affected how many jets fired, whether or not 390 00:27:13,200 --> 00:27:19,259 you wanted to force it to use something that approximated couples or you were in propellant 391 00:27:19,259 --> 00:27:22,600 conservation mode and you were willing to get accept getting a rotation rate. 392 00:27:22,600 --> 00:27:25,669 With coupled in the translation you would care about that effect. 393 00:27:25,669 --> 00:27:32,369 And in the translation there were various submodes as well. 394 00:27:32,369 --> 00:27:36,580 And, in particular, you would use more jets when you were separating from the external 395 00:27:36,580 --> 00:27:38,249 tank to get away as fast as possible. 396 00:27:38,249 --> 00:27:38,499 Yes? 397 00:27:38,289 --> 00:27:41,999 On the previous slide, are there different modes for the RCS jets? 398 00:27:41,999 --> 00:27:47,869 Was there one that they happened to use the most or was like supposed to be the primary 399 00:27:47,869 --> 00:27:51,279 usage or are they all part of the normal operating? 400 00:27:51,279 --> 00:27:55,739 I think they would rarely use this or this. 401 00:27:55,739 --> 00:27:59,600 I think these two were commonly used. 402 00:27:59,600 --> 00:28:00,710 This is very fuel inefficient. 403 00:28:00,710 --> 00:28:03,330 It would only be used as kind of an emergency measure. 404 00:28:03,330 --> 00:28:08,100 That's also very difficult from the point of view of the pilot to have direct acceleration 405 00:28:08,100 --> 00:28:08,350 control. 406 00:28:08,269 --> 00:28:08,519 Right. 407 00:28:08,440 --> 00:28:12,389 I mean this might be something you would call upon if actually, for some reason, the vehicle 408 00:28:12,389 --> 00:28:17,570 started to spin up unexpectedly and you would have to neutralize that. 409 00:28:17,570 --> 00:28:20,669 Does that adequately answer your question for now? 410 00:28:20,669 --> 00:28:26,499 There will be an opportunity to collect a little more detail on that later. 411 00:28:26,499 --> 00:28:30,749 But, again, you wanted to get off the tank quickly so you would use all the jets you 412 00:28:30,749 --> 00:28:32,739 had to get off of it. 413 00:28:32,739 --> 00:28:35,609 You wouldn't do that later. 414 00:28:35,609 --> 00:28:40,259 You would have more jets that you would use for roll control while you're on the tank 415 00:28:40,259 --> 00:28:43,529 because you had a much higher roll inertia. 416 00:28:43,529 --> 00:28:46,590 You want to only spend a few seconds on the tank after the main engines shut down. 417 00:28:46,590 --> 00:28:49,220 You could often be left with residual rates you've got to quickly kill. 418 00:28:49,220 --> 00:28:53,009 There was an inhibit on the separation if you had more than half a degree per second 419 00:28:53,009 --> 00:28:53,960 on each of the axes. 420 00:28:53,960 --> 00:29:00,940 There was actually a phenomenon on the first Shuttle flight which almost got us in trouble. 421 00:29:00,940 --> 00:29:07,549 One of the first things that happens after the main engines shut down is you slew the 422 00:29:07,549 --> 00:29:12,429 engines back to stow position where you want the engines for entry. 423 00:29:12,429 --> 00:29:16,320 The reason is the auxiliary power units are needed to move the main engines. 424 00:29:16,320 --> 00:29:20,529 You want to shut those down and save the hydrazine for those until you get back to it just before 425 00:29:20,529 --> 00:29:21,879 entry. 426 00:29:21,879 --> 00:29:27,190 On the first Shuttle flight they kicked those engines at about one hertz. 427 00:29:27,190 --> 00:29:31,070 It turned out the first fundamental mode, the rock mode of the orbiter on the external 428 00:29:31,070 --> 00:29:38,070 tank had a subharmonic of about almost exactly one-fourth of that slew rate on the main engines. 429 00:29:38,749 --> 00:29:44,309 The slewing of the engines then causes the rocky mode to be excited. 430 00:29:44,309 --> 00:29:49,679 We were seeing oscillations very close to the inhibit for the separation. 431 00:29:49,679 --> 00:29:54,179 The crew was getting a little worried but we just got it in bounds in the automatic 432 00:29:54,179 --> 00:29:54,600 mode. 433 00:29:54,600 --> 00:29:59,460 And if they hadn't separated in time it would have gotten pretty complicated to do it manually. 434 00:29:59,460 --> 00:30:01,909 We made quite a few changes after that. 435 00:30:01,909 --> 00:30:05,580 There were a lot of things we learned on the first flight, and I will point a few of them 436 00:30:05,580 --> 00:30:07,450 out as we go along. 437 00:30:07,450 --> 00:30:10,379 There was also a launch pad phenomenology. 438 00:30:10,379 --> 00:30:13,739 It is not part of my talk. 439 00:30:13,739 --> 00:30:18,299 Has this come up in the class about the shockwave from the SRB ignition? 440 00:30:18,299 --> 00:30:19,029 Yes. 441 00:30:19,029 --> 00:30:19,759 OK. 442 00:30:19,759 --> 00:30:23,679 They didn't have those waterbeds in there on the first flight. 443 00:30:23,679 --> 00:30:28,950 What was relevant here, one of the things that you may or may not know is that the struts 444 00:30:28,950 --> 00:30:33,399 that held the forward RCS tanks on the first flight were buckled almost to failure. 445 00:30:33,399 --> 00:30:36,039 That wasn't realized until they got home, but had they failed they probably would have 446 00:30:36,039 --> 00:30:42,059 burst and blown up the vehicle. 447 00:30:42,059 --> 00:30:49,059 The on-orbit modes, we have both primary and Vernier jets which were only used separately, 448 00:30:50,730 --> 00:30:55,190 except under special circumstances which were designed substantially after the first flight. 449 00:30:55,190 --> 00:31:02,190 We have local, vertical and inertial frame of reference control capability with respect 450 00:31:02,519 --> 00:31:04,759 to the discrete rate mode. 451 00:31:04,759 --> 00:31:11,059 And, otherwise, it is pretty similar to what you saw in the previous picture. 452 00:31:11,059 --> 00:31:16,950 And submodes, some features were added because of rendezvous. 453 00:31:16,950 --> 00:31:19,679 You could fire a lot of jets on the fort side. 454 00:31:19,679 --> 00:31:23,979 If you wanted to do a rapid breaking, you could inhibit all the jets to fire in that 455 00:31:23,979 --> 00:31:24,229 direction. 456 00:31:24,009 --> 00:31:29,220 If you wanted to limit the use of plumes, it turns out that you didn't lose completely 457 00:31:29,220 --> 00:31:30,690 your translation control authority. 458 00:31:30,690 --> 00:31:37,269 Because the jets, in the front and back, that were in the x-axis coupled about 20% of the 459 00:31:37,269 --> 00:31:38,399 trust into the z-axis. 460 00:31:38,399 --> 00:31:42,700 So if you fired them simultaneously in both directions you could avoid pluming an object 461 00:31:42,700 --> 00:31:49,700 in front of you and still get enough translation to control that axis. 462 00:31:50,970 --> 00:31:57,019 And, just to show how everything was hooked up, the inertial measurement units and rate 463 00:31:57,019 --> 00:32:04,019 gyros and hand controllers and panel controls all went in through these multiplexer devices 464 00:32:06,429 --> 00:32:13,429 feeding the signals then into the computer and displays. 465 00:32:13,759 --> 00:32:20,450 And then you had outputs going through these similar types of electronic boxes specific 466 00:32:20,450 --> 00:32:24,629 to the reaction control jets that generated the commands that were needed by the solenoid 467 00:32:24,629 --> 00:32:31,629 valves that actually opened and closed the hypergolic feed lines. 468 00:32:33,879 --> 00:32:39,049 Looking at the whole top level architecture then of the GN&C system is all those boxes 469 00:32:39,049 --> 00:32:41,269 feeding into what was inside of the computer. 470 00:32:41,269 --> 00:32:46,519 Inside of the computer you have subsystem operation software managing each of the subsystems 471 00:32:46,519 --> 00:32:49,100 doing the redundancy management. 472 00:32:49,100 --> 00:32:53,830 The specific guidance navigation control algorithms. 473 00:32:53,830 --> 00:32:58,739 There was a moding and sequencing function which was based on both manual and automatic 474 00:32:58,739 --> 00:33:02,029 scripts. 475 00:33:02,029 --> 00:33:06,519 Then the actual driving of the displays of controls is interactive with the flight control 476 00:33:06,519 --> 00:33:13,519 system both ways providing feedback to the crew members and accepting their inputs. 477 00:33:16,299 --> 00:33:21,359 And then what was left was the system management function on this computer that didn't go into 478 00:33:21,359 --> 00:33:22,970 the separate computer. 479 00:33:22,970 --> 00:33:29,210 By the way, anything related to robotic arm operations were operated through that separate 480 00:33:29,210 --> 00:33:29,710 computer. 481 00:33:29,710 --> 00:33:33,769 One of the issues that came along later in the program is the flight control computer 482 00:33:33,769 --> 00:33:35,470 never knew what was happening with the arm. 483 00:33:35,470 --> 00:33:40,109 If you take a space telescope sized payload and put it 40 feet out there, it drastically 484 00:33:40,109 --> 00:33:40,999 changes the mass properties. 485 00:33:40,999 --> 00:33:47,369 And one of the features you will see a little later that we stuck in was the ability for 486 00:33:47,369 --> 00:33:52,100 the crew, by pushbutton, to select different tables about expected accelerations of the 487 00:33:52,100 --> 00:33:56,109 jets because we didn't know when we needed to respond to that. 488 00:33:56,109 --> 00:34:01,739 There were also flexure issues with the arm which came up as they went along, too, and 489 00:34:01,739 --> 00:34:04,639 established constraints on how we operated. 490 00:34:04,639 --> 00:34:09,500 But was there any thought given to having an adaptive system which would identify the 491 00:34:09,500 --> 00:34:12,070 current parameters? 492 00:34:12,070 --> 00:34:16,909 That would have gone way beyond the capacity of the computers that we had. 493 00:34:16,909 --> 00:34:22,569 It would be relatively easy to do with the programs we had but it would never fit in 494 00:34:22,569 --> 00:34:25,289 a 104k memory computer. 495 00:34:25,289 --> 00:34:31,859 But there has been lots of work that some of my graduate students have done over the 496 00:34:31,859 --> 00:34:34,960 years of how we should have done that. 497 00:34:34,960 --> 00:34:40,780 Brent Appleby, who is now a division leader at the Lab, actually did some work back in 498 00:34:40,780 --> 00:34:47,780 the `80s, I think that may have been his master's thesis, on some of those issues. 499 00:34:49,520 --> 00:34:56,520 [AUDIENCE QUESTION] But, in reality, we're approaching very large memories which would 500 00:35:00,299 --> 00:35:01,549 allow you to do it. 501 00:35:01,549 --> 00:35:05,460 Well, when we go into CEV, we're probably going to assume that 100 megabytes is no big 502 00:35:05,460 --> 00:35:06,539 deal. 503 00:35:06,539 --> 00:35:13,319 [AUDIENCE QUESTION] unfortunately was cancelled, but we were doing exactly that. 504 00:35:13,319 --> 00:35:17,900 We knew exactly the position [NOISE OBSCURES] all the movement when we were grappling. 505 00:35:17,900 --> 00:35:23,549 And we were changing all the tables based on the current angles [NOISE OBSCURES]. 506 00:35:23,549 --> 00:35:29,440 It is a real challenge to maintain stability on a system where you have no insight into 507 00:35:29,440 --> 00:35:30,220 that. 508 00:35:30,220 --> 00:35:35,260 But you would never build a spacecraft that way today so I'm not sure. 509 00:35:35,260 --> 00:35:40,030 The challenges we have are very interesting but probably no longer relevant. 510 00:35:40,030 --> 00:35:45,230 The challenges that remain are the flexural dynamic interaction problems. 511 00:35:45,230 --> 00:35:52,230 I just wanted to indicate that within the control laws you have a steering processor, 512 00:35:52,990 --> 00:35:57,760 which I will talk a little bit about more, an RCS jet processor, a state estimator and 513 00:35:57,760 --> 00:35:58,690 an OMS processor. 514 00:35:58,690 --> 00:36:01,589 The state estimator is unique to the on-orbit flight. 515 00:36:01,589 --> 00:36:06,109 And there is more that represents that in a minute. 516 00:36:06,109 --> 00:36:12,230 So I am going to now, having entered the overview, go into each of the subsystems in more detail 517 00:36:12,230 --> 00:36:19,230 by pulling up this picture to talk about it a little more, these subsystems in the context. 518 00:36:21,140 --> 00:36:28,140 The forward RCS system had 14 primary 870 pound jets and two Vernier 24 pound jets. 519 00:36:32,440 --> 00:36:34,900 There were 24 and 4 respectively. 520 00:36:34,900 --> 00:36:37,079 Those systems in back evenly divided left and right. 521 00:36:37,079 --> 00:36:43,980 Each of the pods in the back had one OMS engine. 522 00:36:43,980 --> 00:36:50,420 The forward RCS system had its own self-contained hypergolic tanks. 523 00:36:50,420 --> 00:36:57,420 The aft system had RCS tanks and OMS tanks which could be interconnected from within 524 00:37:01,780 --> 00:37:04,589 the pod or could be cross-fed across the pods. 525 00:37:04,589 --> 00:37:08,559 Now, the consequence to the flight control system, there were different constraints and 526 00:37:08,559 --> 00:37:11,210 simultaneous jet firings. 527 00:37:11,210 --> 00:37:15,880 And how you counted, whether it was only left or right or both, depending on which mode 528 00:37:15,880 --> 00:37:20,410 you were in, if you had a mission and needed a lot of RCS propellant and you had spare 529 00:37:20,410 --> 00:37:24,280 space in the OMS tanks, it allowed benefiting from that. 530 00:37:24,280 --> 00:37:29,450 Why are there so many thrusters pointing in the same direction? 531 00:37:29,450 --> 00:37:30,390 For redundancy? 532 00:37:30,390 --> 00:37:33,130 Yes, redundancy and maximum control authority. 533 00:37:33,130 --> 00:37:38,380 You want to find control authority normally with redundancy but for external tank separation 534 00:37:38,380 --> 00:37:41,609 you wanted high acceleration in one direction. 535 00:37:41,609 --> 00:37:45,740 For high rendezvous breaking you wanted high acceleration in the other direction plus or 536 00:37:45,740 --> 00:37:47,000 minus Z. 537 00:37:47,000 --> 00:37:54,000 And for backup to the OMS engine you wanted to have higher acceleration in the plus X 538 00:37:55,270 --> 00:37:56,020 direction. 539 00:37:56,020 --> 00:38:01,000 And then, when you were doing entry, which I'm not talking about today, you had an on-demand 540 00:38:01,000 --> 00:38:05,240 RCS control authority in the upper atmosphere during hypersonic flight. 541 00:38:05,240 --> 00:38:11,010 And you would turn on one, two, three or four yaw thrusters in particular as needed. 542 00:38:11,010 --> 00:38:16,690 I think one, two, and occasionally three thrusters had been turned on during disturbances. 543 00:38:16,690 --> 00:38:21,750 One of the things we've learned from the telemetry of the Columbia accident is as this vehicle 544 00:38:21,750 --> 00:38:25,650 was falling apart for probably 20 or 30 seconds, the vehicle was controlling very nicely because 545 00:38:25,650 --> 00:38:27,480 they kept turning on more and more jets. 546 00:38:27,480 --> 00:38:32,089 They were getting major torque imbalances from missing pieces of the vehicle. 547 00:38:32,089 --> 00:38:36,740 But it was still controlling the attitude until the damage got so severe that was no 548 00:38:36,740 --> 00:38:40,920 longer possible. 549 00:38:40,920 --> 00:38:47,920 Again, I already talked about the number of the thrusters. 550 00:38:49,720 --> 00:38:52,829 The primary thrusters, for the reasons we talked about, there were many jets. 551 00:38:52,829 --> 00:38:57,349 And also because translation and rotation control was accommodated by these Verniers, 552 00:38:57,349 --> 00:39:01,690 a feature I will mention briefly later. 553 00:39:01,690 --> 00:39:05,440 It was only a rotation control system and fundamentally does not have redundancy. 554 00:39:05,440 --> 00:39:07,880 I already talked about the on-time. 555 00:39:07,880 --> 00:39:14,270 These are just typical propellant loads and thrust levels and specific impulse numbers. 556 00:39:14,270 --> 00:39:19,690 You notice that large maneuvers are always a little more efficiently done with the primary 557 00:39:19,690 --> 00:39:23,770 jets and even more efficiently still with the OMS as you will see in another chart. 558 00:39:23,770 --> 00:39:29,289 Life for duty cycles and on-time are relevant for a vehicle that is going to fly a lot of 559 00:39:29,289 --> 00:39:31,829 missions. 560 00:39:31,829 --> 00:39:34,829 Flying control almost always will be done with Vernier jets, not just because of propellant, 561 00:39:34,829 --> 00:39:40,940 which it is much more efficient, but also because you will get a lot more mission life 562 00:39:40,940 --> 00:39:44,240 out of it. 563 00:39:44,240 --> 00:39:46,150 This is a stick drawing of those. 564 00:39:46,150 --> 00:39:48,720 There is a numbering system associated with it. 565 00:39:48,720 --> 00:39:50,980 FRL for which pot it's in. 566 00:39:50,980 --> 00:39:53,910 Up, down, forward, right, left. 567 00:39:53,910 --> 00:39:57,829 The last character for which direction it fires. 568 00:39:57,829 --> 00:40:01,010 And then the middle number is a manifold. 569 00:40:01,010 --> 00:40:02,960 If you see a five that is the Vernier jets. 570 00:40:02,960 --> 00:40:09,250 One, two, three or four, any pod that has got the same middle number is on one manifold. 571 00:40:09,250 --> 00:40:14,630 If a failure shut that manifold or a string took down that manifold, all of those jets 572 00:40:14,630 --> 00:40:16,279 were lost. 573 00:40:16,279 --> 00:40:21,589 When you lose a string, you would have one manifold per pod that you would lose. 574 00:40:21,589 --> 00:40:25,220 That means under some circumstance, because the Vernier system is redundant, a single 575 00:40:25,220 --> 00:40:26,349 failure could take that out. 576 00:40:26,349 --> 00:40:32,309 But that wasn't critical to carrying out most mission objectives or to safety. 577 00:40:32,309 --> 00:40:38,660 That is probably enough said on that. 578 00:40:38,660 --> 00:40:45,660 The OMS, typical propellant loads mentioned here. 579 00:40:46,349 --> 00:40:47,369 On-time, never less than two seconds. 580 00:40:47,369 --> 00:40:52,779 Never less than, with one engine, 12,000 pound second impulse with a 6,000 pound thrust not 581 00:40:52,779 --> 00:40:55,920 suitable for fine maneuvers. 582 00:40:55,920 --> 00:41:01,010 The RCS jets would always be used to trim out any large OMS burn errors. 583 00:41:01,010 --> 00:41:04,339 Had a significantly higher specific impulse. 584 00:41:04,339 --> 00:41:09,000 For large maneuvers you're clearly better off from a propellant weight perspective using 585 00:41:09,000 --> 00:41:11,400 that system. 586 00:41:11,400 --> 00:41:18,400 Each of the engines had redundant gimbal control, redundant by having one mechanical screw system, 587 00:41:18,710 --> 00:41:23,859 but you could drive the nut or you could drive the screw. 588 00:41:23,859 --> 00:41:26,680 And there were different electrical systems that did that. 589 00:41:26,680 --> 00:41:28,299 This was the maximum authority. 590 00:41:28,299 --> 00:41:34,270 And the two axes at each engine could move a portion of which was used to tract the center 591 00:41:34,270 --> 00:41:39,730 of mass as the vehicle consumed propellant or delivered payloads and a portion of which 592 00:41:39,730 --> 00:41:43,869 was for actual thrust vector control management. 593 00:41:43,869 --> 00:41:45,220 We also had to subtract a little bit. 594 00:41:45,220 --> 00:41:48,539 You never want to go too close to the hard stops because you risk mechanical failure 595 00:41:48,539 --> 00:41:49,770 by doing that. 596 00:41:49,770 --> 00:41:54,520 And you always have a little bit of mechanical uncertainty of exactly where you are anyway. 597 00:41:54,520 --> 00:41:59,740 A portion of that was a mechanical uncertainty and a portion of that was just a mechanical 598 00:41:59,740 --> 00:42:01,369 safety margin. 599 00:42:01,369 --> 00:42:08,369 This is a drawing in the two different planes of the rotation of the engines showing the 600 00:42:09,029 --> 00:42:16,029 span between the center, say about 15 feet apart, no surprise given the general cross-section 601 00:42:16,770 --> 00:42:17,289 of the Shuttle. 602 00:42:17,289 --> 00:42:24,059 An important thing to notice is that the engine, while I can point through the CG, is not pointing 603 00:42:24,059 --> 00:42:27,010 anywhere near the body access of the vehicle. 604 00:42:27,010 --> 00:42:33,289 And, by the way, the vehicle body axes weren't -- There was a significant offset between 605 00:42:33,289 --> 00:42:40,289 the principle axis of the vehicle and the body axis component of inertia, and the body 606 00:42:40,970 --> 00:42:47,970 axis was quite large. 607 00:42:49,099 --> 00:42:52,799 Three units, even with the replacements they have gone through over the years, there remains 608 00:42:52,799 --> 00:42:59,799 three units for the INSs now, but the IMU where mechanical systems with quanta for knowledge 609 00:43:03,170 --> 00:43:06,440 of state which were not all that small. 610 00:43:06,440 --> 00:43:11,789 And the RGAs were even worse, the rate gyros. 611 00:43:11,789 --> 00:43:14,390 These quanta were quite significant. 612 00:43:14,390 --> 00:43:20,240 The reason was we had a half-word in that multiplexity multiplexer for translating the 613 00:43:20,240 --> 00:43:25,619 analog signal to a digital signal which determined, based on the maximum range, the maximum range 614 00:43:25,619 --> 00:43:30,869 being dictated by maneuver rates where possible during ascent and entry and not on orbit. 615 00:43:30,869 --> 00:43:33,420 But we were stuck with that. 616 00:43:33,420 --> 00:43:35,740 It was hardwired into the cards. 617 00:43:35,740 --> 00:43:42,740 And so these quanta then, we discovered there was a one sigma probability of an every third 618 00:43:45,799 --> 00:43:51,029 cycle one quanta noise spike on the data that came across the MDMs. 619 00:43:51,029 --> 00:43:54,940 And that was pretty significant when we were trying to do fine control during the transition 620 00:43:54,940 --> 00:43:56,829 phase. 621 00:43:56,829 --> 00:44:03,829 Were the noise levels determined by this quantization, in effect, the [NOISE OBSCURES]? 622 00:44:09,200 --> 00:44:13,750 The noise phenomenology was related to the electronics of the card, but it was directly 623 00:44:13,750 --> 00:44:17,520 related to the least significant byte. 624 00:44:17,520 --> 00:44:21,279 But the mechanical sensors themselves were superior to that? 625 00:44:21,279 --> 00:44:22,210 Yes, they were. 626 00:44:22,210 --> 00:44:24,890 It was the MDM card that introduced the noise. 627 00:44:24,890 --> 00:44:31,890 If you had used one word from the MDMs that would have [NOISE OBSCURES]? 628 00:44:33,329 --> 00:44:40,329 Given the state-of-the-art to have processed that much information across the MDMs would 629 00:44:40,619 --> 00:44:43,260 have made it too slow. 630 00:44:43,260 --> 00:44:50,140 We're talking orders of magnitude slower electronics from the late `70s than you have today, so 631 00:44:50,140 --> 00:44:57,140 the half-word was dictated by the data rates that we required of these boxes. 632 00:44:59,079 --> 00:45:06,079 Now I'm going to go into specific features on the software side. 633 00:45:06,400 --> 00:45:06,869 Yeah? 634 00:45:06,869 --> 00:45:11,630 With the gyros, it seems on Hubble and Station, for example, we always hear bad news on the 635 00:45:11,630 --> 00:45:18,630 gyros having to be replaced every so often. 636 00:45:20,109 --> 00:45:24,549 Well, first of all, what I'm talking about here, at the time the Shuttle first flew, 637 00:45:24,549 --> 00:45:26,559 are mechanical gyros. 638 00:45:26,559 --> 00:45:28,400 Hubble may have started mechanical gyros. 639 00:45:28,400 --> 00:45:30,589 They have been changed out at least once or twice. 640 00:45:30,589 --> 00:45:34,529 And are probably fiber optic systems. 641 00:45:34,529 --> 00:45:40,180 Hubble has the problem that it's in a fairly high orbit, 300 plus nautical miles high for 642 00:45:40,180 --> 00:45:41,170 the Shuttle anyway. 643 00:45:41,170 --> 00:45:46,289 It has a significant radiation exposure, particularly when it goes through the South Atlantic Anomaly 644 00:45:46,289 --> 00:45:50,430 of the radiation belts which are 300 nautical miles. 645 00:45:50,430 --> 00:45:54,119 Much more time they spend on that than at 100 nautical miles. 646 00:45:54,119 --> 00:45:59,299 Cumulative radiation damage to the electronics in those gyros is probably a contributing 647 00:45:59,299 --> 00:46:06,299 factor to the failure rates that they're seeing on Hubble. 648 00:46:07,539 --> 00:46:12,170 I would say they must spend a few percentage of their time in the South Atlantic Anomaly 649 00:46:12,170 --> 00:46:14,420 at that altitude. 650 00:46:14,420 --> 00:46:21,420 Are the gyro replacements we're talking about measurement gyros or attitude control gyros? 651 00:46:23,170 --> 00:46:30,170 Well, the fine guidance gyros are the ones that have been the big problem on the Hubble. 652 00:46:30,230 --> 00:46:37,230 We're talking about quantitatively a different regime we're operating here. 653 00:46:37,529 --> 00:46:42,369 The quantization, take away the noise effects, was something we could live with for operating 654 00:46:42,369 --> 00:46:43,099 the flight control system. 655 00:46:43,099 --> 00:46:47,140 In Hubble, you want to be able to measure rates two or three orders of magnitude lower 656 00:46:47,140 --> 00:46:50,470 than what we're talking about here. 657 00:46:50,470 --> 00:46:54,890 The actual design of the sensors is substantially different because they're trying to get very, 658 00:46:54,890 --> 00:46:56,640 very tiny little rates out. 659 00:46:56,640 --> 00:47:02,579 These are trying to maintain the image lock when you're using the full magnification capability 660 00:47:02,579 --> 00:47:08,170 of the telescope and whatever target that it has. 661 00:47:08,170 --> 00:47:12,940 Nevertheless, I would imagine that if the Shuttle gyros are staying at 300 nautical 662 00:47:12,940 --> 00:47:19,940 miles for five to ten years, they would fail, too. 663 00:47:21,559 --> 00:47:23,910 Radiation is one of the fundamental drivers for all missions. 664 00:47:23,910 --> 00:47:28,500 And it often that Atlantic Anomaly is one of the big drivers for low inclination. 665 00:47:28,500 --> 00:47:30,020 Space telescopes are 28.5 degree inclinations. 666 00:47:30,020 --> 00:47:34,119 So they don't have to deal with the magnetic fields coming in toward the poles which a 667 00:47:34,119 --> 00:47:39,819 polar mission has to, but there is this big dip in the Van Allen Belts off the coast of 668 00:47:39,819 --> 00:47:46,789 South America which poses a problem for everything that isn't low orbit. 669 00:47:46,789 --> 00:47:53,789 The functionality we have in the autopilot, we use the rate gyros and the inertial measurement 670 00:47:54,549 --> 00:48:00,400 unit on the transitioned app to get states direction giving us altitude, giving us rate. 671 00:48:00,400 --> 00:48:06,420 On orbit we have the gyro shutdown to conserve power, view data only. 672 00:48:06,420 --> 00:48:12,869 That then dictates that we are going to have a state estimator on orbit. 673 00:48:12,869 --> 00:48:16,829 We have to put some special features to overcome the rate gyro noise in the transition phase, 674 00:48:16,829 --> 00:48:20,010 which is irrelevant when the rate gyros aren't operating in the on-orbit phase. 675 00:48:20,010 --> 00:48:24,769 We have the Vernier jets and the associated algorithm logic for on-orbit which isn't in 676 00:48:24,769 --> 00:48:26,970 the transition phase. 677 00:48:26,970 --> 00:48:32,769 We worry a lot more about every detail propellant deficiency on-orbit because we spend so much 678 00:48:32,769 --> 00:48:33,760 more time there. 679 00:48:33,760 --> 00:48:39,700 We have a lot of features we've added to minimize propellant there. 680 00:48:39,700 --> 00:48:46,700 The OMS capability in the two phases is actually identical with both of them having a capability 681 00:48:47,410 --> 00:48:51,799 to wrap around the RCS jets to the thrust vector control should the thrust vector control 682 00:48:51,799 --> 00:48:55,150 not behave properly during that OMS burn. 683 00:48:55,150 --> 00:49:01,690 And this just delineates the various features we have for steering. 684 00:49:01,690 --> 00:49:03,250 OMS and RCS. 685 00:49:03,250 --> 00:49:07,690 Where we add lots more features because there are a lot more things you are attempting to 686 00:49:07,690 --> 00:49:13,170 track when you're doing your mission on orbit than when you're just trying to get to and 687 00:49:13,170 --> 00:49:18,049 from orbit. 688 00:49:18,049 --> 00:49:19,430 Notice the rates that we're talking about. 689 00:49:19,430 --> 00:49:26,010 Typically, you look at an INS box these days and you see hundreds of hertz data rates. 690 00:49:26,010 --> 00:49:30,640 What restricted us here was how fast could we -- For instance, none of the software was 691 00:49:30,640 --> 00:49:32,150 in the sensor package. 692 00:49:32,150 --> 00:49:35,170 It was in our computer. 693 00:49:35,170 --> 00:49:38,710 And we had a severe throughput problem. 694 00:49:38,710 --> 00:49:45,220 And the solution, since we had the rate gyros for rates and we only needed the IMUs for 695 00:49:45,220 --> 00:49:51,680 attitudes, and rates could be used to extrapolate attitudes for a reasonable period of time, 696 00:49:51,680 --> 00:49:57,319 was to greatly reduce the processing rate of the IMU down to on the order of one hertz, 697 00:49:57,319 --> 00:49:59,510 submultiple of 25 hertz which is why it is 1.04. 698 00:49:59,510 --> 00:50:06,510 On orbit, since it was our only source of information, we had to eat a larger processing 699 00:50:09,529 --> 00:50:16,380 burden, operating on a 6.25 hertz, but we still were extrapolating in between the state 700 00:50:16,380 --> 00:50:17,390 estimate of one time constant. 701 00:50:17,390 --> 00:50:20,940 We'll talk a little bit about what we're doing with that, but everything down here is operating 702 00:50:20,940 --> 00:50:23,779 at 12.5 and we're getting the data in at 6.25. 703 00:50:23,779 --> 00:50:30,500 There are a lot of things you would do differently simply because you don't have these low rate 704 00:50:30,500 --> 00:50:37,500 constraints due to throughput limits. 705 00:50:38,130 --> 00:50:43,849 The architecture then for the autopilot that is being representative on orbit is you would 706 00:50:43,849 --> 00:50:48,410 have a maneuver module where all the features for steering the vehicle would be, kind of 707 00:50:48,410 --> 00:50:50,010 an adjunct to guidance. 708 00:50:50,010 --> 00:50:53,960 You would have these modes controlled by the crew and the push button display of what the 709 00:50:53,960 --> 00:50:56,260 stick deflections would do. 710 00:50:56,260 --> 00:51:01,019 You would have the phase plane which would be tracking attitude error, rate error and 711 00:51:01,019 --> 00:51:07,039 whether or not you should fire jets as a function of those errors separate per axis. 712 00:51:07,039 --> 00:51:10,859 Are there people here that don't know about phase planes? 713 00:51:10,859 --> 00:51:11,549 OK. 714 00:51:11,549 --> 00:51:16,990 Well, the concept of the phase plane, you go to optimal control theory and you look 715 00:51:16,990 --> 00:51:23,990 into a situation where you have a control effector which is on or off by directional, 716 00:51:24,410 --> 00:51:25,869 which is what thrusters are. 717 00:51:25,869 --> 00:51:31,730 And you look at what it takes, given an error in a plane which is attitude error and rate 718 00:51:31,730 --> 00:51:38,730 error, and you want to get minimum time to neutralize that error to zero. 719 00:51:40,730 --> 00:51:47,730 51:35 But you have lots of dead zones, which I will talk about more, to assure that you don't inefficiently 720 00:52:05,470 --> 00:52:09,069 use the jets so that you are not constantly trying to fire the jets to get exactly to 721 00:52:09,069 --> 00:52:12,680 the origin which is never possible. 722 00:52:12,680 --> 00:52:15,920 The state estimator, which is a form of a Kalman filter. 723 00:52:15,920 --> 00:52:20,769 And then the jet selection logic which is essentially for the primary jet lookup tables. 724 00:52:20,769 --> 00:52:27,769 But it turned out to probably be the first use of real based intelligence. 725 00:52:28,130 --> 00:52:29,849 We didn't think about these things in that time. 726 00:52:29,849 --> 00:52:34,390 And, when I talk about the stringing later, I think we were also using an early version 727 00:52:34,390 --> 00:52:36,980 of failure tree analysis. 728 00:52:36,980 --> 00:52:43,980 But, in the 1970s, none of these things were named. 729 00:52:44,109 --> 00:52:50,430 And then you have various loads for the parameters that determine these dead zones and tables 730 00:52:50,430 --> 00:52:50,680 and all that. 731 00:52:50,490 --> 00:52:57,490 And the crew would select these from push button displays. 732 00:52:58,500 --> 00:53:05,500 For the OMS, you could either have hand controller inputs or cross-product steering and based 733 00:53:06,339 --> 00:53:13,339 guidance inputs which would then go into roll and pitch and yaw. 734 00:53:18,630 --> 00:53:23,900 Thrust vector processing channels were roll and pitch coupled. 735 00:53:23,900 --> 00:53:28,410 Roll is only possible, of course, when you're firing two engines by differentially pitching 736 00:53:28,410 --> 00:53:30,269 the gimbals on the two engines. 737 00:53:30,269 --> 00:53:36,069 This would actually be an RCS loop automatically with one engine, but you had to have the two 738 00:53:36,069 --> 00:53:38,829 pads coupled when you were trying to do both of them. 739 00:53:38,829 --> 00:53:41,799 But the yaw axis was separate. 740 00:53:41,799 --> 00:53:44,380 Just keeping in mind the time. 741 00:53:44,380 --> 00:53:45,640 Go through one or two more charts before the break? 742 00:53:45,640 --> 00:53:47,299 That's fine. 743 00:53:47,299 --> 00:53:53,599 I will go through the state estimator and then we can take a short break. 744 00:53:53,599 --> 00:53:58,760 The state estimator, again, we were only getting attitude information at 6.25 hertz from the 745 00:53:58,760 --> 00:54:05,130 primary thrusters trying to maintain an estimate of the vehicle rotation rates. 746 00:54:05,130 --> 00:54:09,760 We also wanted to know what disturbances on orbit you can have out-gassing the vehicle. 747 00:54:09,760 --> 00:54:10,640 You have gravity gradients. 748 00:54:10,640 --> 00:54:14,819 You have aero torques which have a diurnal variation depending on where you are on earth 749 00:54:14,819 --> 00:54:20,640 orbit relative to where the sun is which are tending to torque the vehicle in a particular 750 00:54:20,640 --> 00:54:20,890 direction. 751 00:54:20,880 --> 00:54:26,940 Having knowledge of how that torque is behaving in a certain time enables you to manipulate 752 00:54:26,940 --> 00:54:30,789 your phase plane switching lines to more efficiently use the jets. 753 00:54:30,789 --> 00:54:35,569 We were trying to estimate that. 754 00:54:35,569 --> 00:54:40,010 Given that we only had IMU data with noise and quantization effects, we also had flexure 755 00:54:40,010 --> 00:54:43,869 we weren't accounting for in doing that. 756 00:54:43,869 --> 00:54:49,210 So we had a low rate filter which incorporated the measurements directly and a higher rate 757 00:54:49,210 --> 00:54:54,230 filter which was also taking in feed forward information we're going to fire the jets. 758 00:54:54,230 --> 00:55:01,230 We expect these velocity changes, rotational and translational, to occur as a result of 759 00:55:01,329 --> 00:55:02,980 the jet firing. 760 00:55:02,980 --> 00:55:09,079 And you can build that into the estimate to anticipate that effect. 761 00:55:09,079 --> 00:55:14,599 And then, given all that information, basically use that in the form of a common filter. 762 00:55:14,599 --> 00:55:21,599 We had different gains associated with primary and Vernier jet usage because, given the factor 763 00:55:21,799 --> 00:55:27,150 of 30 difference in the rotational acceleration authority of these jets, they were fundamentally 764 00:55:27,150 --> 00:55:31,119 different bandwidth systems on the basis of the actuators. 765 00:55:31,119 --> 00:55:33,769 We accommodated those different bandwidths in the software. 766 00:55:33,769 --> 00:55:40,769 That, by the way, affected us when we started worrying about flexure on the arm because 767 00:55:41,140 --> 00:55:46,759 we found that some of the modes with heavy payloads in the arm actually fell within this 768 00:55:46,759 --> 00:55:47,539 bandwidth. 769 00:55:47,539 --> 00:55:51,490 And, in the case of the Vernier jets, were falling right near the roll off point, which 770 00:55:51,490 --> 00:55:54,630 was the worst possible place to have a flexure mode. 771 00:55:54,630 --> 00:55:58,079 And there were some significant design issues that were addressed later in the program as 772 00:55:58,079 --> 00:56:00,609 a result of that. 773 00:56:00,609 --> 00:56:02,849 And then this disturbance acceleration -- Question. 774 00:56:02,849 --> 00:56:08,380 At the time that you were designing these, was there sufficient knowledge of the structural 775 00:56:08,380 --> 00:56:09,950 modes or the bending modes? 776 00:56:09,950 --> 00:56:12,180 For the RMS payload operations, not at all. 777 00:56:12,180 --> 00:56:16,960 We first learned about that when we started looking at use of the arm to deploy the SPAS 778 00:56:16,960 --> 00:56:19,869 one payload in STS-7. 779 00:56:19,869 --> 00:56:25,180 Nobody understood at the time we were designing for the first Shuttle flight the kind of coupling 780 00:56:25,180 --> 00:56:27,400 effects you would get from payloads on the arm. 781 00:56:27,400 --> 00:56:29,619 It hadn't been modeled yet. 782 00:56:29,619 --> 00:56:32,339 I would say probably about the time the first flights were occurring is when we started 783 00:56:32,339 --> 00:56:38,000 to look at that stuff, but the Shuttle software for the first flight was 95% frozen by '78, 784 00:56:38,000 --> 00:56:40,319 even though the flight didn't occur until '81. 785 00:56:40,319 --> 00:56:43,329 You then discovered them in simulations or from flight data? 786 00:56:43,329 --> 00:56:48,829 No, it was from high-fidelity simulations with the arm dynamics included in that. 787 00:56:48,829 --> 00:56:49,990 We understood it pretty well. 788 00:56:49,990 --> 00:56:55,500 We refined it after the flights. 789 00:56:55,500 --> 00:56:59,400 We did even do some flight tests on STS-8 with an object called a payload flight test 790 00:56:59,400 --> 00:57:00,490 article. 791 00:57:00,490 --> 00:57:04,509 The original payload on that flight couldn't fly in time so they put this 8,000 pound dumbbell 792 00:57:04,509 --> 00:57:06,299 on there and the arm was able to manipulate. 793 00:57:06,299 --> 00:57:10,910 Went through all kinds of exercises and pretty much validated it with the simulations. 794 00:57:10,910 --> 00:57:12,599 Were towing us at that point in time. 795 00:57:12,599 --> 00:57:18,410 But it was a real lot of work that went into those high-fidelity robotic arm simulations 796 00:57:18,410 --> 00:57:21,369 and coupling that to the flight control system to get those numbers. 797 00:57:21,369 --> 00:57:25,769 And a lot of work into evaluating what it all meant in terms of restrictions on the 798 00:57:25,769 --> 00:57:27,470 use of the control system. 799 00:57:27,470 --> 00:57:31,839 And then the last thing I will talk about before the break, the disturbance acceleration 800 00:57:31,839 --> 00:57:35,400 estimator had a 56 second time constant. 801 00:57:35,400 --> 00:57:41,569 Mostly the disturbances we are talking about were either orbital or semi-orbit, half-orbit 802 00:57:41,569 --> 00:57:44,150 type of periodicity. 803 00:57:44,150 --> 00:57:47,880 You wanted to allow adequate time to integrate and determine their effect, but not so long 804 00:57:47,880 --> 00:57:53,470 that you weren't able to properly respond to it. 805 00:57:53,470 --> 00:57:57,509 Somewhere in the one-minute range seemed to be about right for something that would have 806 00:57:57,509 --> 00:57:59,359 45 minute periodicity. 807 00:57:59,359 --> 00:58:03,269 And I think the next topic will be RCS processor. 808 00:58:03,269 --> 00:58:04,970 And that is a good point to take the break. 809 00:58:04,970 --> 00:58:10,849 Before we break, let me ask one historical question. 810 00:58:10,849 --> 00:58:15,509 The timeframe for the design of this was mid to late '70s? 811 00:58:15,509 --> 00:58:20,869 We began the work in '75. 812 00:58:20,869 --> 00:58:26,819 There was a famous phase of '76 which is the Hay Scrub which is where we realized that 813 00:58:26,819 --> 00:58:28,279 not everything can go onto one computer. 814 00:58:28,279 --> 00:58:30,569 The computer memory had to increase. 815 00:58:30,569 --> 00:58:37,569 The real design architecture of what was going to be the first flight started to gel in '76. 816 00:58:37,839 --> 00:58:41,589 The original expected launch date of the Shuttle was '78. 817 00:58:41,589 --> 00:58:46,660 It kind of stayed ahead of us a certain amount of time, but we had probably 90% or 95% of 818 00:58:46,660 --> 00:58:49,339 the design done by '78. 819 00:58:49,339 --> 00:58:53,490 We're going through detailed flight verification and crew training with Jeff being one of the 820 00:58:53,490 --> 00:58:55,009 crew members that was assigned to us. 821 00:58:55,009 --> 00:59:00,230 And we would go out to Downey to do that in the '78 to '80 period. 822 00:59:00,230 --> 00:59:07,069 In the design, now, you refer to the state estimator and optimal control. 823 00:59:07,069 --> 00:59:13,250 By that time, had that methodology been completely accepted as a substitute for the classical 824 00:59:13,250 --> 00:59:13,789 control design? 825 00:59:13,789 --> 00:59:14,730 Oh, yeah, I think so. 826 00:59:14,730 --> 00:59:18,589 I think the phase plane concept first appeared, actually, in Apollo. 827 00:59:18,589 --> 00:59:23,150 And there was sort of a rudimentary application of optimal control theory that was quite successful. 828 00:59:23,150 --> 00:59:30,130 By that time I think the aircraft zoom maneuver [NOISE OBSCURES], people were happy with that. 829 00:59:30,130 --> 00:59:35,549 The Kalman filter work, an early form of that also made it into Apollo. 830 00:59:35,549 --> 00:59:39,150 I don't think we were actually pushing the envelope that much in using these things. 831 00:59:39,150 --> 00:59:41,450 We actually carried over. 832 00:59:41,450 --> 00:59:48,450 But Apollo, applying any of these technologies in the mid to late `60s, was very groundbreaking. 833 00:59:51,079 --> 00:59:53,359 Any other questions before the break? 834 00:59:53,359 --> 00:59:53,910 OK. 835 00:59:53,910 --> 00:59:56,049 Let's take five minutes. 836 00:59:56,049 --> 00:59:58,880 Am I missing anybody? 837 00:59:58,880 --> 01:00:03,130 I know Larry hasn't come back. 838 01:00:03,130 --> 01:00:04,549 Close enough. 839 01:00:04,549 --> 01:00:05,250 OK. 840 01:00:05,250 --> 01:00:10,289 Well, I'm going to go into the RCS processor now. 841 01:00:10,289 --> 01:00:12,519 We've talked a lot about the presence of the phase plane. 842 01:00:12,519 --> 01:00:16,740 We're going to go into some of the details in the jet selection. 843 01:00:16,740 --> 01:00:23,740 Important consideration of the jet selection is we had to accommodate failures, maintaining 844 01:00:25,259 --> 01:00:32,259 control authority for any type of single failure, thruster, manifold, string, which you will 845 01:00:32,319 --> 01:00:33,569 see those later. 846 01:00:33,569 --> 01:00:40,569 And you also had to be able to maintain adequate authority for safety with two of those combined 847 01:00:40,730 --> 01:00:41,230 failures. 848 01:00:41,230 --> 01:00:45,410 We also had to limit plume restrictions, accommodate the tank constraints. 849 01:00:45,410 --> 01:00:50,980 We talked about having couples, not having couples, the balance propellant in tanks to 850 01:00:50,980 --> 01:00:57,319 limit fuel usage when you didn't worry about translational coupling and minor orbital perturbations 851 01:00:57,319 --> 01:01:00,769 and all those other special maneuvers that we pointed out before they required higher 852 01:01:00,769 --> 01:01:02,279 authority. 853 01:01:02,279 --> 01:01:09,279 You had your manual modes going in and then you had all these steering modes which without 854 01:01:10,069 --> 01:01:14,569 orbit, in addition to the ones we talked about, discrete rate and pulse and acceleration and 855 01:01:14,569 --> 01:01:20,680 all that kind of stuff, you had various landmark tracking modes, orbital object tracking modes 856 01:01:20,680 --> 01:01:27,680 which were a guidance function providing inputs to the control loop, that all had to be managed 857 01:01:28,049 --> 01:01:32,779 through a proper way of manipulating the phase plans. 858 01:01:32,779 --> 01:01:37,609 They were tracking the errors of matter with respect to the mode that you were in and then 859 01:01:37,609 --> 01:01:41,910 sending, based on the errors being detected in the phase plane commands, they would be 860 01:01:41,910 --> 01:01:45,130 processed by the jet selection logic. 861 01:01:45,130 --> 01:01:52,130 The principles of the phase plane, we figured you weren't important enough to get started. 862 01:01:55,279 --> 01:02:00,529 [LAUGHTER] You had a phase plane per axis. 863 01:02:00,529 --> 01:02:01,150 Roll. 864 01:02:01,150 --> 01:02:01,769 Pitch. 865 01:02:01,769 --> 01:02:02,390 Yaw. 866 01:02:02,390 --> 01:02:06,089 You had switch lines which were shaped based on the expected torques. 867 01:02:06,089 --> 01:02:10,519 You always had a parabolic feature, but much more complicated than just that. 868 01:02:10,519 --> 01:02:15,069 You added dead bands because you didn't want to fire. 869 01:02:15,069 --> 01:02:19,579 When you didn't know exactly where you were, you wanted to be able to get in the general 870 01:02:19,579 --> 01:02:23,599 vicinity far enough from a firing zone that it would stay in the general vicinity for 871 01:02:23,599 --> 01:02:27,220 a while and then only fire when you had to when you were diverging from that. 872 01:02:27,220 --> 01:02:32,950 You had to deal in the transition phase with that rate gyro noise phenomenology. 873 01:02:32,950 --> 01:02:38,130 And you had to get the disturbance acceleration on orbit. 874 01:02:38,130 --> 01:02:45,130 What we did about all those maneuver modes is each phase plane had an origin, the origin 875 01:02:46,180 --> 01:02:50,849 being zero with respect to sun frame and attitude and position. 876 01:02:50,849 --> 01:02:57,849 You could move that origin at a rate or you could increment its attitude position if you 877 01:02:58,019 --> 01:03:02,880 were commanding the vehicle to do something such as a tracking maneuver or a discrete 878 01:03:02,880 --> 01:03:03,299 rate. 879 01:03:03,299 --> 01:03:07,849 And that way the errors of the phase plane we're looking at with respect to where you 880 01:03:07,849 --> 01:03:10,460 wanted to be rather than in absolute sense. 881 01:03:10,460 --> 01:03:15,038 And you would always create [NOISE OBSCURES] in here so that if you had a big error you 882 01:03:15,038 --> 01:03:19,359 could spend a little bit of fuel to get to somewhere which would cause you to go in the 883 01:03:19,359 --> 01:03:21,779 right direction without continuously firing the jet. 884 01:03:21,779 --> 01:03:24,990 Whereas, if you truly followed the parabolic switch curve you would just keep firing the 885 01:03:24,990 --> 01:03:29,140 jet until you were back to the origin which can be quite costly. 886 01:03:29,140 --> 01:03:34,420 So I am going to show you this picture and then the on-orbit one. 887 01:03:34,420 --> 01:03:40,079 These are the residual parabolic switch lines which, in the optimal control theory, would 888 01:03:40,079 --> 01:03:43,890 be going through the origin. 889 01:03:43,890 --> 01:03:48,799 And then if you're out over in these region out here you will always fire a jet meaning 890 01:03:48,799 --> 01:03:51,809 a plus direction or the minus direction. 891 01:03:51,809 --> 01:03:54,190 You're inside here. 892 01:03:54,190 --> 01:03:57,019 You will fire until you hit another switch line on the other side. 893 01:03:57,019 --> 01:04:01,509 The expectation is that you're coming in this way or you're coming in this way. 894 01:04:01,509 --> 01:04:05,809 You want to get to a point where you're not likely to fire again for a while. 895 01:04:05,809 --> 01:04:12,809 But then you also would be concerned because you don't automatically want to fire back 896 01:04:18,049 --> 01:04:23,990 right away because the rate gyro noise phenomenology could cause, where you think you are with 897 01:04:23,990 --> 01:04:29,730 respect to that line, to move back and forth causing you to fire too soon, causing the 898 01:04:29,730 --> 01:04:31,960 fire again to reverse that and get in trouble. 899 01:04:31,960 --> 01:04:38,960 So what we actually did is if you actually hit this line and began to fire, each time 900 01:04:42,490 --> 01:04:49,490 you fired up to two or three times it would move the line out temporarily so that the 901 01:04:50,319 --> 01:04:55,140 quantum noise from that MDM would not make you think, even though you were moving this 902 01:04:55,140 --> 01:04:57,230 way, that you were going back out. 903 01:04:57,230 --> 01:05:03,099 Because, if you fired that jet again, not only would you be spinning the propellant 904 01:05:03,099 --> 01:05:05,690 to go faster, you'd hit the other line a lot faster still. 905 01:05:05,690 --> 01:05:11,809 For every time you double the size of the impulse that you use to reverse your rate, 906 01:05:11,809 --> 01:05:13,859 you're quadrupling the total propellant time. 907 01:05:13,859 --> 01:05:20,859 Because, if you double the propellant each time, you hit a surface twice as fast before 908 01:05:21,559 --> 01:05:26,619 you get to the next one. 909 01:05:26,619 --> 01:05:32,259 Now, on-orbit we didn't have that noise problem so we don't have that moving switch line there. 910 01:05:32,259 --> 01:05:33,579 But we have this moving switch line. 911 01:05:33,579 --> 01:05:37,430 If you're coming in you're looking to hit the zero line and cut off, but here you're 912 01:05:37,430 --> 01:05:40,038 not going to cut off until you hit the disturbance acceleration line. 913 01:05:40,038 --> 01:05:44,259 It is expecting, when you hit that, that the predicted acceleration is going to say you're 914 01:05:44,259 --> 01:05:45,130 going to go up this way. 915 01:05:45,130 --> 01:05:50,490 That means it will be longer before you hit another surface than if you start doing that 916 01:05:50,490 --> 01:05:51,450 over here. 917 01:05:51,450 --> 01:05:58,450 So this one is a trick to lower the frequency of the jet firings based on other knowledge 918 01:05:59,359 --> 01:06:04,859 that we had about the acceleration. 919 01:06:04,859 --> 01:06:05,470 Jet selection. 920 01:06:05,470 --> 01:06:08,200 We had entirely different laws for the primary and the Vernier. 921 01:06:08,200 --> 01:06:15,200 The Verniers had a very complicated configuration, had to be able to be fault tolerant, be able 922 01:06:16,150 --> 01:06:19,619 to handle simultaneous translation rotation commands. 923 01:06:19,619 --> 01:06:26,619 It turned out, because of throughput processing limits, the correct approach was something 924 01:06:27,130 --> 01:06:28,109 like a table lookup. 925 01:06:28,109 --> 01:06:32,538 But we had all kinds of rules we went through to say which kind of table did we want to 926 01:06:32,538 --> 01:06:33,259 go to? 927 01:06:33,259 --> 01:06:34,960 What are the consequences of failures? 928 01:06:34,960 --> 01:06:39,910 Do we want to start modifying the commands we've received because of what we basically 929 01:06:39,910 --> 01:06:46,910 know about which jets have failed and what we no longer can accomplish? 930 01:06:48,529 --> 01:06:52,059 We actually had a Bullion implementation of those tables that actually got implemented 931 01:06:52,059 --> 01:06:56,499 as tables because we developed algorithms and IBM converted the software. 932 01:06:56,499 --> 01:07:00,279 And they didn't necessarily do exactly what we told them. 933 01:07:00,279 --> 01:07:06,900 Subsequent to that there was an experiment on the Shuttle called a phase space autopilot 934 01:07:06,900 --> 01:07:13,900 which is based on looking for velocity changes and optimal combinations of jets. 935 01:07:14,930 --> 01:07:21,930 You would go through a linear optimal search and find the combinations. 936 01:07:24,210 --> 01:07:27,029 That was flown a couple times for a few hours on Shuttle. 937 01:07:27,029 --> 01:07:33,730 The experiment was quite successful but never converted into a basic shuttle capability. 938 01:07:33,730 --> 01:07:37,130 But certainly with the processing capability that you have now would be a very good option 939 01:07:37,130 --> 01:07:38,319 as an alternative to what we did. 940 01:07:38,319 --> 01:07:43,309 The Vernier jets, which were only used on orbit, only had six jets. 941 01:07:43,309 --> 01:07:47,150 We weren't trying to deal with redundancies so an entirely different kind of scheme was 942 01:07:47,150 --> 01:07:49,740 done there. 943 01:07:49,740 --> 01:07:56,740 We were looking to find the jets with respect to a three-axis command which best contributed 944 01:07:58,809 --> 01:08:01,079 to producing rates in that direction. 945 01:08:01,079 --> 01:08:04,910 We could find a first jet that would be the best jet. 946 01:08:04,910 --> 01:08:11,200 And then we could see, given how good that one is, is there another one which is half 947 01:08:11,200 --> 01:08:11,690 as good? 948 01:08:11,690 --> 01:08:13,180 If so, we would pick it. 949 01:08:13,180 --> 01:08:17,060 And, if we found one half as good, we might say if there is another one which is half 950 01:08:17,060 --> 01:08:21,810 again as good we might pick that and end up with an aggregate number of jets we would 951 01:08:21,810 --> 01:08:28,380 turn on to start producing the command. 952 01:08:28,380 --> 01:08:33,420 This would be based not just on whether or not the phase plane said you should have a 953 01:08:33,420 --> 01:08:40,420 jet fire in an axis, but also on how big the error was but not yet to the point of hitting 954 01:08:40,609 --> 01:08:44,460 the phase plane line in the other axis. 955 01:08:44,460 --> 01:08:50,259 And so the composite vector you were trying to neutralize would be a combination of the 956 01:08:50,259 --> 01:08:52,380 command and error reduction on the other axes. 957 01:08:52,380 --> 01:08:56,770 And you would find the jets which would then respond your command and reduce the errors 958 01:08:56,770 --> 01:08:57,809 on the other axes. 959 01:08:57,809 --> 01:08:59,960 Now, we would not re-compute that every cycle. 960 01:08:59,960 --> 01:09:06,960 If we found that the ones or minus ones in the three axes for the commands were not changing, 961 01:09:08,399 --> 01:09:13,029 even though the fractional values and the uncommand of axes were changing for up to 962 01:09:13,029 --> 01:09:15,469 five cycles we would not re-compute the jets. 963 01:09:15,469 --> 01:09:22,068 And that would minimize the duty cycles which was a life issue on the jets. 964 01:09:22,068 --> 01:09:27,899 And then there was the other phenomenology I mentioned which is you start having large 965 01:09:27,899 --> 01:09:31,690 payloads or you're attached to Mir or something like that. 966 01:09:31,690 --> 01:09:33,589 Mass properties are very different. 967 01:09:33,589 --> 01:09:37,529 We don't know about that unless the crew tells us, but we could put a discrete number of 968 01:09:37,529 --> 01:09:41,818 alternative configurations in the tables for what we expected accelerations of the jets 969 01:09:41,818 --> 01:09:42,899 would be. 970 01:09:42,899 --> 01:09:45,940 The crew could tell us which one applies, and then it would do this selection based 971 01:09:45,940 --> 01:09:48,529 on that. 972 01:09:48,529 --> 01:09:50,609 The Vernier algorithm looks something like this flow chart. 973 01:09:50,609 --> 01:09:54,800 Whereas, the primary algorithm would probably fill a 50 page flowchart. 974 01:09:54,800 --> 01:09:57,389 The Vernier algorithm was very simple. 975 01:09:57,389 --> 01:10:03,880 You go through and have a command vector which was ones and minus ones or fractional values, 976 01:10:03,880 --> 01:10:09,330 depending on whether or not phase planes have commanded an axis or just had a bias because 977 01:10:09,330 --> 01:10:11,270 of an error in that axis. 978 01:10:11,270 --> 01:10:15,150 You would do a dot product of the six jets. 979 01:10:15,150 --> 01:10:22,150 You would look for the maximum value of that dot product of the acceleration and the command. 980 01:10:22,940 --> 01:10:25,670 And then, based on that value of that dot product, you would see if there was one that 981 01:10:25,670 --> 01:10:26,400 was half as good. 982 01:10:26,400 --> 01:10:29,559 And, if there was one as half as good, you would see if there was one that was a quarter 983 01:10:29,559 --> 01:10:31,190 as good. 984 01:10:31,190 --> 01:10:36,170 And then, if we already selected, we would be doing this counter of up to five times 985 01:10:36,170 --> 01:10:38,100 where we wouldn't recomputed. 986 01:10:38,100 --> 01:10:42,639 Now, I was just talking during the break about one of the constraints on here. 987 01:10:42,639 --> 01:10:45,900 When we were using these computers, the dot product of a three vector by three vector 988 01:10:45,900 --> 01:10:49,239 took about one millisecond. 989 01:10:49,239 --> 01:10:50,570 We had an 80 millisecond cycle. 990 01:10:50,570 --> 01:10:57,150 And, in that 80 millisecond cycle, seven to ten milliseconds could be allocated to control 991 01:10:57,150 --> 01:11:01,010 some of the guidance and some of the other functions. 992 01:11:01,010 --> 01:11:02,159 Six milliseconds was being used to do these dot products. 993 01:11:02,159 --> 01:11:09,159 That is why we never could have considered doing something like that for the primary 994 01:11:09,420 --> 01:11:12,530 jets. 995 01:11:12,530 --> 01:11:19,530 The TVC processor, we have instead of discrete control with thrusters, we have nearly continuous 996 01:11:22,210 --> 01:11:28,460 control because we're doing gimbal steering up to the nonlinear effect of a gimbal limit. 997 01:11:28,460 --> 01:11:30,210 Remind them what TVC is. 998 01:11:30,210 --> 01:11:31,770 Thrust vector control. 999 01:11:31,770 --> 01:11:36,730 Moving the thrust of the OMS engine by steering the gimbals on which it is attached, which 1000 01:11:36,730 --> 01:11:43,590 you cannot do with the RCS thrusters. 1001 01:11:43,590 --> 01:11:45,510 What we would do then is cross-product steering. 1002 01:11:45,510 --> 01:11:49,949 You have an error vector and a thrust vector, and the cross-product between the two could 1003 01:11:49,949 --> 01:11:55,110 tell you the direction you needed to steer the vehicle to turn into the desired direction 1004 01:11:55,110 --> 01:11:56,949 you wanted to thrust. 1005 01:11:56,949 --> 01:12:02,290 That steering command was then used to determine the commands we sent to the gimbals for moving 1006 01:12:02,290 --> 01:12:03,800 the engines. 1007 01:12:03,800 --> 01:12:08,679 You had manual and automatic modes for doing that. 1008 01:12:08,679 --> 01:12:14,080 Generally, we were limited to two degrees per second because the gimbals were fairly 1009 01:12:14,080 --> 01:12:14,659 slow. 1010 01:12:14,659 --> 01:12:19,940 We didn't want to get ourselves in a situation where we over-steered and had to correct back 1011 01:12:19,940 --> 01:12:22,710 which would take a lot of time and maybe cost us some propellant. 1012 01:12:22,710 --> 01:12:26,330 But, if we got into trouble, the reaction control system could wrap around. 1013 01:12:26,330 --> 01:12:30,050 And that could happen automatically if the errors got big enough or the crew could induce 1014 01:12:30,050 --> 01:12:33,150 that by hitting the hand controller. 1015 01:12:33,150 --> 01:12:38,110 And you have the two pads going into the manual auto mode. 1016 01:12:38,110 --> 01:12:43,309 And manual always overrides auto from any of these operations. 1017 01:12:43,309 --> 01:12:49,449 We had a lot of things we had to tolerate in determining our filter gains. 1018 01:12:49,449 --> 01:12:53,570 We didn't always know the thrust direction engines all that way because of mechanical 1019 01:12:53,570 --> 01:12:54,090 misalignment. 1020 01:12:54,090 --> 01:13:00,150 When you build this thing an additional misalignment occurs after you launch the thing causing 1021 01:13:00,150 --> 01:13:06,989 changes in the gimbal drive connections a little bit. 1022 01:13:06,989 --> 01:13:12,020 There are errors. 1023 01:13:12,020 --> 01:13:15,920 You rotate to a desired burn direction with the RCS jets before you light the engines. 1024 01:13:15,920 --> 01:13:18,600 You're never exactly there when you start up. 1025 01:13:18,600 --> 01:13:20,199 You can have failures during burns. 1026 01:13:20,199 --> 01:13:22,409 An engine can shut down. 1027 01:13:22,409 --> 01:13:28,380 An actuator can stop driving. 1028 01:13:28,380 --> 01:13:35,380 If it is the OMS-1 burn in the early Shuttle days, during that burn they were dumping the 1029 01:13:36,139 --> 01:13:41,199 residual oxygen and hydrogen in the feed lines for the main engines during the burn causing 1030 01:13:41,199 --> 01:13:44,969 torque disturbance on the vehicle that we had to overcome. 1031 01:13:44,969 --> 01:13:49,280 The OMS burn actually helped drive that fluid out of those lines. 1032 01:13:49,280 --> 01:13:52,420 And then, of course, we had steering noise and bias. 1033 01:13:52,420 --> 01:13:57,550 And then we had to have margins for things that all liquid propellant vehicles have. 1034 01:13:57,550 --> 01:14:04,550 Slosh, flexure, actuator nonlinearities and sample rate effects. 1035 01:14:05,580 --> 01:14:11,260 Now we had a design and then we had to change it. 1036 01:14:11,260 --> 01:14:14,840 And the reason we had to change it is we flew for a little while, and we discovered that 1037 01:14:14,840 --> 01:14:20,570 these brushless electric motors being used for the OMS actuators were turning on and 1038 01:14:20,570 --> 01:14:24,570 off at a high enough rate during the burns that they were overheating making a hundred 1039 01:14:24,570 --> 01:14:27,460 mission life maybe two or three missions. 1040 01:14:27,460 --> 01:14:33,150 And they could take the pods off, but they were fairly hard to get and expensive to maintain. 1041 01:14:33,150 --> 01:14:37,760 So they asked us to change the bandwidth. 1042 01:14:37,760 --> 01:14:43,290 And that's what we did beginning with the twelfth shuttle flight making these changes 1043 01:14:43,290 --> 01:14:44,110 here. 1044 01:14:44,110 --> 01:14:50,960 And that caused a little bit more sloppy behavior at the beginning and the end of the burn but 1045 01:14:50,960 --> 01:14:55,090 didn't make very appreciable difference on the performance and made a big difference 1046 01:14:55,090 --> 01:14:57,719 on the actuator life. 1047 01:14:57,719 --> 01:15:02,010 There was an outer loop just showing where the cross-product steering comes in and the 1048 01:15:02,010 --> 01:15:07,409 fact that there are various filters and digital compensation effects that are going into this 1049 01:15:07,409 --> 01:15:13,639 to deal in an adequate manner with all those effects that I listed a few minutes ago. 1050 01:15:13,639 --> 01:15:20,639 The wraparound was there because we have the means to cover for large perturbations. 1051 01:15:22,840 --> 01:15:23,739 Why not implement it? 1052 01:15:23,739 --> 01:15:27,719 I mean the situation you always have with human space flight, if there was a capability 1053 01:15:27,719 --> 01:15:34,719 you can take advantage of in a contingency scenario put it in. 1054 01:15:34,800 --> 01:15:41,800 This also changed, though, between the first flight and the twelfth flight. 1055 01:15:42,300 --> 01:15:46,380 And the reason we found is that you put this contingency capability in, but when you really 1056 01:15:46,380 --> 01:15:50,860 study it you realize you can actually take these two fundamentally different control 1057 01:15:50,860 --> 01:15:55,590 laws and cause them to interact adversely. 1058 01:15:55,590 --> 01:16:01,150 We could perturb it and then induce the jets to fire in a way that would cause it to counteract 1059 01:16:01,150 --> 01:16:04,210 the effect that the thrust vector control system was doing. 1060 01:16:04,210 --> 01:16:09,800 So, when we lowered the bandwidth, we also changed some of the parameters in there to, 1061 01:16:09,800 --> 01:16:12,969 in combination, preclude that first flight. 1062 01:16:12,969 --> 01:16:18,969 This is a case where we continued to evaluate the baseline system after we were flying and 1063 01:16:18,969 --> 01:16:25,969 discovered additional potential unanticipated deficiencies that we should fix, which is 1064 01:16:26,670 --> 01:16:31,809 saying you're never done analyzing the system even after it starts flying. 1065 01:16:31,809 --> 01:16:38,449 The maneuver and track modes, I mentioned that they were there, but we had this universal 1066 01:16:38,449 --> 01:16:41,170 pointing display that the crew could manipulate. 1067 01:16:41,170 --> 01:16:41,780 Yes? 1068 01:16:41,780 --> 01:16:48,780 On that last general comment, on the last subject of discovering issues and potential 1069 01:16:49,059 --> 01:16:51,210 problems after the system is flying. 1070 01:16:51,210 --> 01:16:52,290 You're doing the analysis. 1071 01:16:52,290 --> 01:16:54,920 You're doing your research. 1072 01:16:54,920 --> 01:17:01,130 What, in general, were the reactions of your NASA counterparts when you bring that to their 1073 01:17:01,130 --> 01:17:01,380 attention? 1074 01:17:01,360 --> 01:17:04,369 Would they call for an immediate fix before the next launch? 1075 01:17:04,369 --> 01:17:05,840 It depended on the nature of the problem. 1076 01:17:05,840 --> 01:17:09,780 And let me mention two or three of them at one time. 1077 01:17:09,780 --> 01:17:15,070 I mentioned one about that phenomenology for the excitation or the rocking motion on the 1078 01:17:15,070 --> 01:17:15,460 tank. 1079 01:17:15,460 --> 01:17:19,469 And then another one with the Vernier jets which I will explain in a moment. 1080 01:17:19,469 --> 01:17:23,630 The external tank one had to be fixed before a second shuttle flight. 1081 01:17:23,630 --> 01:17:26,440 There was one that potentially created a dangerous situation. 1082 01:17:26,440 --> 01:17:30,820 Tank separation violated safety of flight rules. 1083 01:17:30,820 --> 01:17:34,820 This one was a potential wraparound interaction. 1084 01:17:34,820 --> 01:17:40,600 It could only occur if you already had a significant contingency under fairly complex conditions. 1085 01:17:40,600 --> 01:17:47,309 And, if the crew knew about it, there was a procedural way to temporarily inhibit the 1086 01:17:47,309 --> 01:17:51,040 reaction control system interactions stopping the effect. 1087 01:17:51,040 --> 01:17:54,840 Because there was a crew workaround, they knew about the problem, it was deemed acceptable 1088 01:17:54,840 --> 01:17:59,530 to go some number of missions for an already scheduled software update to insert it. 1089 01:17:59,530 --> 01:18:06,530 Now, the third problem discovered as a result of analysis of STS-1 and 3 was a plume and 1090 01:18:07,059 --> 01:18:12,320 pendulum phenomenology of the down firing aft jets. 1091 01:18:12,320 --> 01:18:19,320 The body flap sticks out as kind of a random position on orbit, and the down firing thrusters, 1092 01:18:20,719 --> 01:18:22,010 part of their plume hits it. 1093 01:18:22,010 --> 01:18:27,590 They had evaluated that effect for the primary jets because they knew in the direction they 1094 01:18:27,590 --> 01:18:31,550 pointed and their lower expansion ratio in the Vernier jets there was going to be a problem. 1095 01:18:31,550 --> 01:18:34,150 And that was properly dealt with in the flight control system. 1096 01:18:34,150 --> 01:18:39,790 They never modeled for the Vernier jets, but only discovered that the state estimator was 1097 01:18:39,790 --> 01:18:46,489 not converging as well as expected on the first Shuttle flight when using the Vernier 1098 01:18:46,489 --> 01:18:46,739 jets. 1099 01:18:46,650 --> 01:18:52,139 And it turned out there was probably a 20% or 30% net reduction in thrust and a 15 or 1100 01:18:52,139 --> 01:18:57,530 20 degree effective change in the direction of the thrusts, those two down firing Verniers. 1101 01:18:57,530 --> 01:19:02,610 And the feed forward estimation from the RCS jets, as a result, was giving the wrong data 1102 01:19:02,610 --> 01:19:07,920 in the state estimator causing a jump in the value and a long time constant to settle out. 1103 01:19:07,920 --> 01:19:13,690 And that was causing a few percent increase in the propellant consumption but probably 1104 01:19:13,690 --> 01:19:17,369 a factor of ten increase in the duty cycles of the jets which was unacceptable from the 1105 01:19:17,369 --> 01:19:19,230 life of the jets. 1106 01:19:19,230 --> 01:19:24,190 That was compounded by a problem in STS-3 which is the first time they used the arm. 1107 01:19:24,190 --> 01:19:28,650 And they actually put a few hundred pound payload and tried controlling the attitude 1108 01:19:28,650 --> 01:19:30,460 of the vehicle in moving that payload. 1109 01:19:30,460 --> 01:19:36,280 The combination of those things they went back and, by STS-5, had to make serious changes 1110 01:19:36,280 --> 01:19:43,280 to the phase plane estimation logic and tables for the accelerations for those Vernier jets 1111 01:19:44,800 --> 01:19:47,239 because they didn't want to burn those jets. 1112 01:19:47,239 --> 01:19:50,070 I think, after STS-2, they actually changed some of the jets. 1113 01:19:50,070 --> 01:19:55,360 And then they didn't want to have to change them again. 1114 01:19:55,360 --> 01:19:59,550 The maneuver mode. 1115 01:19:59,550 --> 01:20:05,510 You want to do various types of [NOISE OBSCURES] maneuvers with respect to various frames of 1116 01:20:05,510 --> 01:20:12,510 reference which could be landmark tracking, local vertical tracking, second spacecraft 1117 01:20:12,969 --> 01:20:14,869 if you're doing a rendezvous tracking. 1118 01:20:14,869 --> 01:20:16,260 Guidance to provide that. 1119 01:20:16,260 --> 01:20:22,239 That would be broken down into components by axis. 1120 01:20:22,239 --> 01:20:26,760 And then there was an additional level of hysteresis about what you were telling the 1121 01:20:26,760 --> 01:20:27,489 face plane to do. 1122 01:20:27,489 --> 01:20:30,610 And I talked about adjusting the origin. 1123 01:20:30,610 --> 01:20:34,320 This would decide whether or not you would adjust the origin. 1124 01:20:34,320 --> 01:20:39,210 If you're error in a given axis with respect to what you wanted to do with the maneuver 1125 01:20:39,210 --> 01:20:42,639 was less than twice the dead band, you would not adjust the origin. 1126 01:20:42,639 --> 01:20:46,219 And if it was more than twice you would. 1127 01:20:46,219 --> 01:20:51,360 And, again, it is a case of why force it to do things it doesn't have to do if it's going 1128 01:20:51,360 --> 01:20:54,969 to get there eventually anyway? 1129 01:20:54,969 --> 01:21:01,969 And that is actually an adjustable parameter which, for certain payload missions, they 1130 01:21:02,790 --> 01:21:09,790 might change that value from something else. 1131 01:21:10,630 --> 01:21:17,630 There were these various direct manual translation rotation modes and the auto modes that I think 1132 01:21:19,580 --> 01:21:22,489 bit by bit I have talked about. 1133 01:21:22,489 --> 01:21:28,860 The reason you have these different references, inertial and local vertical, if you're doing 1134 01:21:28,860 --> 01:21:32,619 an earth observation mission, almost everything is going to be in a local vertical frame. 1135 01:21:32,619 --> 01:21:35,690 You're going to have your payload bay pointing down. 1136 01:21:35,690 --> 01:21:38,119 You want to keep it pointed at a certain spot. 1137 01:21:38,119 --> 01:21:43,790 If you're doing a solar telescope mission, everything is going to be in an inertial frame. 1138 01:21:43,790 --> 01:21:49,210 You're going to want to keep it pointing at the sun or within a few degrees where maybe 1139 01:21:49,210 --> 01:21:56,210 the telescope will have a limited travel of its own. 1140 01:21:57,010 --> 01:22:01,050 If you're doing rendezvous then it's going to have to be you're accounting for the orb 1141 01:22:01,050 --> 01:22:02,389 rates of the two vehicles. 1142 01:22:02,389 --> 01:22:07,849 You're going to want to keep your rendezvous radar pointed in the right direction. 1143 01:22:07,849 --> 01:22:14,849 By the way, the rendezvous radar, there is a deployable dish antenna that goes out of 1144 01:22:14,960 --> 01:22:17,290 the payload bay, the side of the payload bay of the Shuttle. 1145 01:22:17,290 --> 01:22:20,520 That is a dual-purpose antenna. 1146 01:22:20,520 --> 01:22:27,520 It can be used to point at the TDRS satellite to send data at high rates to the earth and 1147 01:22:27,780 --> 01:22:28,650 track the satellite. 1148 01:22:28,650 --> 01:22:34,989 Or it can be used to point a radar beam at another spacecraft. 1149 01:22:34,989 --> 01:22:38,790 It was not used for TDRS in the beginning of the program. 1150 01:22:38,790 --> 01:22:45,790 It was only used for radar because the first TDRS was launched by STS-6. 1151 01:22:47,020 --> 01:22:49,670 Electronic string, and I think we're about at the right point of time on this, too, to 1152 01:22:49,670 --> 01:22:55,150 allowing me to get into this in a little bit of detail. 1153 01:22:55,150 --> 01:22:59,270 This was something that kind of crept up on us in importance. 1154 01:22:59,270 --> 01:23:06,270 It was thought it would make the systems redundant, have separate strings, don't put them all 1155 01:23:06,820 --> 01:23:08,010 on the same computer. 1156 01:23:08,010 --> 01:23:12,000 All those things were recognized, but I don't think until about a year, a year and half 1157 01:23:12,000 --> 01:23:16,020 before the first flight actually occurred that we realized how difficult it is to be 1158 01:23:16,020 --> 01:23:22,900 sure that all the interactions of these strings, the power string, the pluming string and the 1159 01:23:22,900 --> 01:23:29,020 electronic string and the possible combinations of failures, how difficult it is to assure 1160 01:23:29,020 --> 01:23:32,050 that you meet those high level failure tolerance requirements. 1161 01:23:32,050 --> 01:23:39,050 And that is what I think I did in 1980, '81, probably was the early form of fault tree 1162 01:23:39,630 --> 01:23:39,940 analysis. 1163 01:23:39,940 --> 01:23:45,699 And I have in a handbook I developed for the first flight, a series what if tables with 1164 01:23:45,699 --> 01:23:49,880 all these different breakdowns of what could happen. 1165 01:23:49,880 --> 01:23:53,290 And actually a person that didn't know about probabilities and all looked at it. 1166 01:23:53,290 --> 01:23:58,920 It was a pretty scary table when you looked at all the possible bizarre two failure combinations. 1167 01:23:58,920 --> 01:24:03,639 But first you've got to understand what the strings are. 1168 01:24:03,639 --> 01:24:10,639 You would have one forward, one aft left, one aft right, so three boxes, three half 1169 01:24:16,340 --> 01:24:21,739 boxes and multiplexers-demultiplexers on a string. 1170 01:24:21,739 --> 01:24:28,739 And there were two MDM boxes in each pod, forward left right aft. 1171 01:24:32,540 --> 01:24:35,710 And the electronics were broken apart into each half box. 1172 01:24:35,710 --> 01:24:40,940 So you actually had, in effect, four sets of electronics in each pod, even though you 1173 01:24:40,940 --> 01:24:45,800 only had two boxes. 1174 01:24:45,800 --> 01:24:50,630 And one card from each of those boxes would be dedicated to string, but each string would 1175 01:24:50,630 --> 01:24:53,570 have a card per pod. 1176 01:24:53,570 --> 01:25:00,070 So three cards would be tied electronically to one computer anomaly. 1177 01:25:00,070 --> 01:25:07,070 Now, you couldn't take a string that could be commanded by more than one computer. 1178 01:25:09,739 --> 01:25:13,869 The computer saw the data from all four strings so they could vote the data to decide whether 1179 01:25:13,869 --> 01:25:18,860 or not each of the computers was healthy, but they could only command one string. 1180 01:25:18,860 --> 01:25:25,860 I should say each string could only be commanded by one computer, but you could, if you started 1181 01:25:26,000 --> 01:25:29,630 losing computers, latch up more than one string to one computer. 1182 01:25:29,630 --> 01:25:34,000 Even though one string could only take commands from one computer, more than one string could 1183 01:25:34,000 --> 01:25:37,780 take commands from the same computer if that became necessary. 1184 01:25:37,780 --> 01:25:42,290 If you lost a computer and were in a benign environment and you wanted to recover all 1185 01:25:42,290 --> 01:25:47,199 those systems, that happened with the first computer failure in STS-9, then you would 1186 01:25:47,199 --> 01:25:51,860 manually re-latch those strings to a healthy computer. 1187 01:25:51,860 --> 01:25:58,860 Of course, if that computer went down then it would take two strings down. 1188 01:26:03,190 --> 01:26:10,190 There was a unique latch up of these string components to power systems, but it wasn't 1189 01:26:10,840 --> 01:26:11,659 necessarily one-to-one. 1190 01:26:11,659 --> 01:26:18,239 And that is where things got very complicated, when you start crossing the subsystems where 1191 01:26:18,239 --> 01:26:21,980 one power system could cause some subsystems to fail on more than one string. 1192 01:26:21,980 --> 01:26:23,790 Then you take a string down. 1193 01:26:23,790 --> 01:26:29,340 That would be a very different failure scenario than taking two strings down. 1194 01:26:29,340 --> 01:26:32,440 This is showing how the thrusters laid out. 1195 01:26:32,440 --> 01:26:37,070 You can see there are a lot of thrusters on each string. 1196 01:26:37,070 --> 01:26:43,250 If you go back and look at the vehicle carefully and you look at the down firing thrusters, 1197 01:26:43,250 --> 01:26:49,170 you will see that in the front of the tank there are two thrusters that point down to 1198 01:26:49,170 --> 01:26:55,800 the left and two thrusters that point down to the right candid out about 40 degrees. 1199 01:26:55,800 --> 01:27:01,260 That means that if you lose two thrusters, two strings or two manifolds it was possible 1200 01:27:01,260 --> 01:27:03,040 to lose both of them on one side. 1201 01:27:03,040 --> 01:27:08,960 That is very important because that's one of the phenomena we had to protect against 1202 01:27:08,960 --> 01:27:10,250 for separating from the external tank. 1203 01:27:10,250 --> 01:27:14,449 And it becomes a highly coupled separation maneuver. 1204 01:27:14,449 --> 01:27:21,130 And there were some special jet select tables created for that and some special control 1205 01:27:21,130 --> 01:27:23,280 logic loops that were created just for that one scenario. 1206 01:27:23,280 --> 01:27:30,280 You go through these things and certain critical events where things cannot fail even if your 1207 01:27:31,360 --> 01:27:34,389 subsystems have failed twice. 1208 01:27:34,389 --> 01:27:38,559 And the subsystems may not have been designed to make it very convenient, but you still 1209 01:27:38,559 --> 01:27:38,820 have to do it. 1210 01:27:38,820 --> 01:27:41,940 That happens to be one of the scenarios we looked at a lot. 1211 01:27:41,940 --> 01:27:47,090 And that we see forward down left down left or forward down right down right. 1212 01:27:47,090 --> 01:27:50,650 So somehow you lose the thrusters, these strings or whatever. 1213 01:27:50,650 --> 01:27:53,449 That became a special design case. 1214 01:27:53,449 --> 01:27:56,080 And there were a lot of those kinds of things. 1215 01:27:56,080 --> 01:28:03,080 I would say 70% or 80% of our design time goes into learning those special cases. 1216 01:28:04,790 --> 01:28:11,790 With the thrusters the manifolds are basically the valve lines, so there is a commonality 1217 01:28:15,889 --> 01:28:20,099 between the electronic stringing of manifolds in those valves. 1218 01:28:20,099 --> 01:28:22,210 With the OMS that's not really true. 1219 01:28:22,210 --> 01:28:27,800 The way the OMS engines work, each engine [NOISE OBSCURES] is actually an oxidizer and 1220 01:28:27,800 --> 01:28:34,800 fuel tank going into two loops of lines each with two valves. 1221 01:28:35,480 --> 01:28:42,480 At least one valve in each path had to open to feed fuel. 1222 01:28:44,010 --> 01:28:51,010 At least both valves in one loop had to close to stop fuel from flowing. 1223 01:28:55,260 --> 01:29:02,260 Any combination which would leave two open after a burn started or would leave two closed 1224 01:29:04,659 --> 01:29:08,780 before the burn started was a problem. 1225 01:29:08,780 --> 01:29:10,000 Then you have pressure sensors. 1226 01:29:10,000 --> 01:29:13,880 And there was only one per engine. 1227 01:29:13,880 --> 01:29:19,219 You lacked insight into whether or not the engine started based on pressure if one of 1228 01:29:19,219 --> 01:29:21,179 those failed. 1229 01:29:21,179 --> 01:29:26,270 The stringing of this was not the same as the electronic string, so we had to start 1230 01:29:26,270 --> 01:29:33,270 looking at the possibility of individual valve failures and electronic string failures. 1231 01:29:33,980 --> 01:29:35,070 Taking down other valves. 1232 01:29:35,070 --> 01:29:38,719 Did that happen before an engine started, after an engine started? 1233 01:29:38,719 --> 01:29:44,349 How did that correlate with then influence on the same engine's actuator control? 1234 01:29:44,349 --> 01:29:49,530 We could get situations where we could start the engine but we couldn't steer it, engines 1235 01:29:49,530 --> 01:29:56,530 that we could steer but couldn't start it, and so we ended up with this maze of tables 1236 01:29:57,679 --> 01:30:02,179 looking at those situations coming up with contingency designs. 1237 01:30:02,179 --> 01:30:08,330 Sometimes reverting to using the XRCS jets under severe multiple failure scenarios that 1238 01:30:08,330 --> 01:30:15,040 actually do deorbit burns. 1239 01:30:15,040 --> 01:30:16,679 We talked about what could go down. 1240 01:30:16,679 --> 01:30:22,630 All of these things could be lost with a single failure, though not all strings have an IMU 1241 01:30:22,630 --> 01:30:24,190 because there are only three. 1242 01:30:24,190 --> 01:30:27,770 And only two of the chamber pressure. 1243 01:30:27,770 --> 01:30:32,580 Some strings were more important than others with respect to a subset of the systems. 1244 01:30:32,580 --> 01:30:39,580 And since there are only two thrusters on one manifold per pod of the Verniers, there 1245 01:30:39,610 --> 01:30:42,679 are also only three strings that affected those. 1246 01:30:42,679 --> 01:30:49,679 All this got set up so that any one failure was quite manageable, but the moment you talked 1247 01:30:51,290 --> 01:30:57,770 about any possible two failures was when it became much more complicated. 1248 01:30:57,770 --> 01:31:04,770 Generally, where we ended up, after lots and lots of special design accommodation was we 1249 01:31:06,869 --> 01:31:13,869 tolerated loss of translation control in the axes that were not necessary for managing 1250 01:31:17,489 --> 01:31:20,570 deorbit. 1251 01:31:20,570 --> 01:31:27,010 We tolerated degradation and rotation control but assured that we retained it, at least 1252 01:31:27,010 --> 01:31:30,170 in a time average sense, in all three axes. 1253 01:31:30,170 --> 01:31:37,170 The biggest complexity here was assuring we still had adequate time averaged translation 1254 01:31:37,429 --> 01:31:39,960 and rotation control for tank separation. 1255 01:31:39,960 --> 01:31:43,270 So we would pull away without recontacting the tank. 1256 01:31:43,270 --> 01:31:47,010 Remember, recontacting the tank meant tiles hitting the tank. 1257 01:31:47,010 --> 01:31:50,199 Those tiles are really fragile. 1258 01:31:50,199 --> 01:31:57,199 They can survive thousands of degrees but not much impact. 1259 01:31:59,900 --> 01:32:04,760 We accommodated the scenario where we could lose all thrust vector control on the OMS 1260 01:32:04,760 --> 01:32:11,760 engines and still do a deorbit burn usually with RCS wraparound properly designed. 1261 01:32:12,080 --> 01:32:17,349 And we had to accommodate the situations where MDMs did not reset, so everything tied to 1262 01:32:17,349 --> 01:32:19,420 an MDM would be lost. 1263 01:32:19,420 --> 01:32:24,239 And that is the kind of situation where you start having valve here, a valve here, a valve 1264 01:32:24,239 --> 01:32:28,219 there being shut down along with a bunch of jets. 1265 01:32:28,219 --> 01:32:35,219 And the real pain was understanding what things could collectively go down together. 1266 01:32:36,139 --> 01:32:42,619 You had to lay out all the faults, all the things that could happen with each of the 1267 01:32:42,619 --> 01:32:45,849 faults and then overlaying the combinations of those. 1268 01:32:45,849 --> 01:32:48,340 And then you would find it wasn't everything you were worried about. 1269 01:32:48,340 --> 01:32:54,230 It was usually a small fraction, but those few fractions drove the design details and 1270 01:32:54,230 --> 01:32:56,869 effort to a great degree. 1271 01:32:56,869 --> 01:33:02,909 Now, on orbit, because you would often being using one IMU and you only had two computers, 1272 01:33:02,909 --> 01:33:05,469 one of those strings going down meant you lost your navigation base. 1273 01:33:05,469 --> 01:33:09,960 But because you're in a relatively benign environment, restringing and bringing up another 1274 01:33:09,960 --> 01:33:11,000 system wasn't a problem. 1275 01:33:11,000 --> 01:33:15,040 If you were doing terminal rendezvous with the Space Station, you would not be in a one 1276 01:33:15,040 --> 01:33:15,330 IMU mode. 1277 01:33:15,330 --> 01:33:22,330 You would be in a three IMU mode on two computers, but you would not lose your navigation base. 1278 01:33:23,409 --> 01:33:29,010 If you lost a computer at a critical point in that, you would probably abort the rendezvous, 1279 01:33:29,010 --> 01:33:33,139 reconfigure again and resume your operations. 1280 01:33:33,139 --> 01:33:37,880 One of the ground rules for all rendezvous operations with the Shuttle, and I think will 1281 01:33:37,880 --> 01:33:42,219 be true of the CVE is an rendezvous operation planned to do has to be able to be repeated 1282 01:33:42,219 --> 01:33:42,489 at least once. 1283 01:33:42,489 --> 01:33:49,489 The way I want to end this, and then we could have questions, is two pictures, before and 1284 01:33:55,480 --> 01:33:58,760 after cockpit upgrade on the Shuttle. 1285 01:33:58,760 --> 01:34:03,110 This was the way the Shuttle was for many flights. 1286 01:34:03,110 --> 01:34:10,110 Those are CRT displays, green monochrome where no images could be drawn except little sticks, 1287 01:34:16,980 --> 01:34:20,270 dots and lines and rudimentary. 1288 01:34:20,270 --> 01:34:26,659 These are analog tape measures, analog eight ball with analog needles for attitude and 1289 01:34:26,659 --> 01:34:30,889 rate information. 1290 01:34:30,889 --> 01:34:35,429 And really very 1970s. 1291 01:34:35,429 --> 01:34:39,380 Comment on that. 1292 01:34:39,380 --> 01:34:46,110 One of the things that we did as payload specialists is we got some training in the cockpit, and 1293 01:34:46,110 --> 01:34:49,179 that was the version that was available in the early `90s when I was down there. 1294 01:34:49,179 --> 01:34:54,420 And you would go from your desk at the Johnson Space Center when you were using an IMB Think 1295 01:34:54,420 --> 01:34:59,800 Pad or something, and you felt as though you had gone through a time warp when you went 1296 01:34:59,800 --> 01:35:03,469 back to the simulator on what was the world's most expensive vehicle. 1297 01:35:03,469 --> 01:35:04,989 It was extraordinary. 1298 01:35:04,989 --> 01:35:09,369 And, of course, you could explain why this was kept on so long. 1299 01:35:09,369 --> 01:35:16,369 Well, it was this multi seven digit figure for its upgrade, as well as the issue about 1300 01:35:16,710 --> 01:35:18,349 recertification. 1301 01:35:18,349 --> 01:35:25,349 And let me mention both of those in a moment, point out a couple of things and get back 1302 01:35:25,679 --> 01:35:30,449 to that before I show you the current configuration. 1303 01:35:30,449 --> 01:35:37,449 [AUDIENCE QUESTION] The amount in the Shuttle versus the amount to support the Shuttle? 1304 01:35:42,300 --> 01:35:42,590 In the Shuttle because [NOISE OBSCURES]. 1305 01:35:42,590 --> 01:35:45,639 Well, you only have a 104k memory computer. 1306 01:35:45,639 --> 01:35:51,730 You have the actual number of lines that are [NOISE OBSCURES]. 1307 01:35:51,730 --> 01:35:58,730 Yeah, you had the 104k for the backup system, the 104k for ascent and entry, the 104k for 1308 01:35:59,369 --> 01:36:05,650 on-orbit, the 104k for system management. 1309 01:36:05,650 --> 01:36:08,849 And then there have been other things where their own software capabilities have been 1310 01:36:08,849 --> 01:36:10,000 added in subsequent years. 1311 01:36:10,000 --> 01:36:17,000 So it is a lot of software now, but human validation means if you make small change 1312 01:36:18,360 --> 01:36:22,679 everything has to be reassessed for possible interaction to a degree that you would never 1313 01:36:22,679 --> 01:36:28,630 do for a mission that doesn't put human safety at risk. 1314 01:36:28,630 --> 01:36:35,510 That means the cost of doing that each time is probably an order of magnitude higher than 1315 01:36:35,510 --> 01:36:38,170 it would be for an unmanned system. 1316 01:36:38,170 --> 01:36:43,429 You look at what it was going to take to put a cockpit upgrade in there. 1317 01:36:43,429 --> 01:36:47,070 We're talking hundreds of millions of dollars to do it for the fleet. 1318 01:36:47,070 --> 01:36:47,820 And when I say hundreds of millions, a couple hundred million. 1319 01:36:47,820 --> 01:36:52,869 It did eventually get done, as I will show you in the next picture, but the main reason 1320 01:36:52,869 --> 01:36:59,659 was obsolescence rather than wanting to be contemporary. 1321 01:36:59,659 --> 01:37:03,659 You cannot buy these pieces to replace them anymore. 1322 01:37:03,659 --> 01:37:08,579 The companies that actually made some of these systems may not exist. 1323 01:37:08,579 --> 01:37:13,380 Or, if they do, they have no economic incentive for maintaining the base for a customer that 1324 01:37:13,380 --> 01:37:15,550 may buy another five of them. 1325 01:37:15,550 --> 01:37:21,320 And so, one of the things you have to deal with when a system is going to do this many 1326 01:37:21,320 --> 01:37:27,110 years, another example of that is the B-52 or the Triton missiles or things that stay 1327 01:37:27,110 --> 01:37:33,489 in operation for a long time, is you have to plan, as part of your operation cost, for 1328 01:37:33,489 --> 01:37:40,050 periodic upgrades to mitigate obsolescence. 1329 01:37:40,050 --> 01:37:47,050 [AUDIENCE QUESTION] In some program they had some support. 1330 01:37:54,320 --> 01:37:58,500 It was Digital microcomputers. 1331 01:37:58,500 --> 01:38:02,099 We had a room over in the Hill building that had about 100 of them stacked up as backups. 1332 01:38:02,099 --> 01:38:06,320 I don't think the boxes ever got opened. 1333 01:38:06,320 --> 01:38:12,250 I think the program did the buy, but the program never lasted as long as it was supposed to. 1334 01:38:12,250 --> 01:38:14,130 But you are right. 1335 01:38:14,130 --> 01:38:15,139 You can try to buy it. 1336 01:38:15,139 --> 01:38:20,480 But, even so, even unused systems had a shelf life. 1337 01:38:20,480 --> 01:38:24,420 And you don't know how good they are going to be 30 years later. 1338 01:38:24,420 --> 01:38:28,800 If you had asked me in 1978 how long the Shuttle was going to fly before it was replaced, I 1339 01:38:28,800 --> 01:38:31,079 would have said ten years, maybe 15. 1340 01:38:31,079 --> 01:38:34,440 Before the Columbia accident they were talking about another 20. 1341 01:38:34,440 --> 01:38:38,969 It is only the safety issues now that are going to make them stop it soon. 1342 01:38:38,969 --> 01:38:45,860 Anyway, the other thing I want to point out here, this is the crew interaction mechanism, 1343 01:38:45,860 --> 01:38:49,679 a push button display. 1344 01:38:49,679 --> 01:38:50,750 No such thing as GUI. 1345 01:38:50,750 --> 01:38:54,409 That is unheard of in the Shuttle. 1346 01:38:54,409 --> 01:38:57,969 Can you talk a bit about the hand controllers? 1347 01:38:57,969 --> 01:38:58,389 Are they the same ones used for landings that are also used for docking? 1348 01:38:58,389 --> 01:39:02,449 I mean was it the same hand controller for everything? 1349 01:39:02,449 --> 01:39:06,260 It is the same hand controller for everything, except there is another station in the back, 1350 01:39:06,260 --> 01:39:09,540 I didn't bring a picture of it, which is used for docking. 1351 01:39:09,540 --> 01:39:14,570 The cockpit, you're looking out the forward windows, you turn around and there is another 1352 01:39:14,570 --> 01:39:17,780 set of cockpit instrumentation, hand controllers. 1353 01:39:17,780 --> 01:39:21,860 And there are two windows above you and two windows looking on the payload bay. 1354 01:39:21,860 --> 01:39:26,199 And there are also controllers there for the arm. 1355 01:39:26,199 --> 01:39:29,119 Everything related to the arm is done looking out toward the payload bay. 1356 01:39:29,119 --> 01:39:30,630 The arm is attached there. 1357 01:39:30,630 --> 01:39:33,520 When you are doing rendezvous you're looking out at the overhead windows of the vehicle 1358 01:39:33,520 --> 01:39:34,590 you are approaching. 1359 01:39:34,590 --> 01:39:40,670 So, in effect, you have a couple of these CRT displays and identical hand controller 1360 01:39:40,670 --> 01:39:47,670 and the equivalent then or the updated equivalent now of these displays on a back station. 1361 01:39:49,320 --> 01:39:56,320 To avoid any issues of changing controllers and changing viewpoints, you might note that 1362 01:39:56,329 --> 01:39:59,989 normally the controls that are done out of the back window with that separate controller 1363 01:39:59,989 --> 01:40:03,489 and separate displays are done by different crew members. 1364 01:40:03,489 --> 01:40:09,010 That is typically a mission specialist's job, not a pilot or commander job, and so they 1365 01:40:09,010 --> 01:40:10,280 are separately trained. 1366 01:40:10,280 --> 01:40:10,699 Right. 1367 01:40:10,699 --> 01:40:12,389 That's an important point. 1368 01:40:12,389 --> 01:40:17,079 For rendezvous and docking, it is the pilot or commander who uses the aft controls to 1369 01:40:17,079 --> 01:40:22,650 control [NOISE OBSCURES]. 1370 01:40:22,650 --> 01:40:24,670 Do you know? 1371 01:40:24,670 --> 01:40:27,809 I believe that everything related to the RMS that you said is correct. 1372 01:40:27,809 --> 01:40:31,780 But for a rendezvous the commander is always involved. 1373 01:40:31,780 --> 01:40:38,780 But the point was that in that case that is done out the rear window. 1374 01:40:39,949 --> 01:40:42,900 It is still done at the rear window, so he has got to mentally reverse his frame of reference 1375 01:40:42,900 --> 01:40:43,880 while he is doing that. 1376 01:40:43,880 --> 01:40:44,619 That is correct. 1377 01:40:44,619 --> 01:40:51,389 [NOISE OBSCURES] And that is something that I think will not be done with the CEV. 1378 01:40:51,389 --> 01:40:58,239 The same frame of reference will be used on the CEV because I think that has always been 1379 01:40:58,239 --> 01:41:04,750 a little bit of a point of contention in the problems of maintaining simultaneous proficiency. 1380 01:41:04,750 --> 01:41:09,610 For remote manipulation with the arm that has been an issue. 1381 01:41:09,610 --> 01:41:10,010 Yeah. 1382 01:41:10,010 --> 01:41:15,800 And I think that has always been done by uniquely trained mission specialists. 1383 01:41:15,800 --> 01:41:17,199 That's right. 1384 01:41:17,199 --> 01:41:21,969 Today's cockpit looks a lot more like what you will see on a commercial airliner vintage 1385 01:41:21,969 --> 01:41:28,969 mid `80s, the late `80s perhaps, but still more familiar where you've got glass multicolored 1386 01:41:30,030 --> 01:41:30,900 displays. 1387 01:41:30,900 --> 01:41:37,900 The eight ball still exists in image form because that is what a lot of the astronauts 1388 01:41:39,349 --> 01:41:41,079 used to learn how to fly these vehicles. 1389 01:41:41,079 --> 01:41:48,079 They still fly with respect to it, except it is a digital representation, but you're 1390 01:41:48,780 --> 01:41:51,909 still not with the gooey environment. 1391 01:41:51,909 --> 01:41:54,090 You still won't have touch pads or a mouse. 1392 01:41:54,090 --> 01:41:55,829 It is all pushbutton displays. 1393 01:41:55,829 --> 01:42:00,980 And there is a case to be made that touch displays or touch screens don't work very 1394 01:42:00,980 --> 01:42:04,300 well in a vehicle where you G environments keep changing. 1395 01:42:04,300 --> 01:42:09,760 It is very difficult to get a touch display that works with a light touch and a heavy 1396 01:42:09,760 --> 01:42:15,389 touch when you're in zero G or when you're pulling several Gs. 1397 01:42:15,389 --> 01:42:20,050 Even if the technology was space qualified, it is not clear that they would use it, except 1398 01:42:20,050 --> 01:42:23,690 on a vehicle that stays in a constant environment. 1399 01:42:23,690 --> 01:42:28,559 At this point, let me introduce Dr. Hayashi. 1400 01:42:28,559 --> 01:42:35,559 Miwa Hayashi is, in fact, at NASA Ames Research Center now, was here at MIT and worked on 1401 01:42:36,550 --> 01:42:40,860 the design of the next generation of the Shuttle cockpit upgrade. 1402 01:42:40,860 --> 01:42:47,429 In fact, that is what you will be talking about in ten minutes across the hall in the 1403 01:42:47,429 --> 01:42:47,969 16.400 class. 1404 01:42:47,969 --> 01:42:54,420 It is essentially what would have been done if Shuttle life had been extended. 1405 01:42:54,420 --> 01:42:58,940 I might add that, although the room is very crowded, if a few of you would like to sort 1406 01:42:58,940 --> 01:43:04,730 of hear where this story would have gone, you're welcome to come across the hall to 1407 01:43:04,730 --> 01:43:06,400 419 and hear Dr. Hayashi. 1408 01:43:06,400 --> 01:43:10,929 And you are also giving a lab meeting lecture at 1:00. 1409 01:43:10,929 --> 01:43:14,500 Could you tell us that subject? 1410 01:43:14,500 --> 01:43:21,000 That is about the astronaut scanning behavior. 1411 01:43:21,000 --> 01:43:26,659 Our team had a model about the astronaut's scanning behavior in the cockpit, this upgraded 1412 01:43:26,659 --> 01:43:26,960 cockpit. 1413 01:43:26,960 --> 01:43:29,510 Anyone interested in this kind of topic you are welcome. 1414 01:43:29,510 --> 01:43:30,320 It is from 1:00 PM 33206. 1415 01:43:30,320 --> 01:43:30,590 Thank you. 1416 01:43:30,590 --> 01:43:31,000 Go ahead, Phil. 1417 01:43:31,000 --> 01:43:35,210 Well, at this point, I think I'm open to a few more questions. 1418 01:43:35,210 --> 01:43:42,210 We have a couple of minutes for further questions, any topic we've covered or that's related 1419 01:43:42,329 --> 01:43:44,420 that we didn't cover. 1420 01:43:44,420 --> 01:43:44,940 Yeah? 1421 01:43:44,940 --> 01:43:51,940 You talked a lot about the constraints of the invented computers. 1422 01:43:57,989 --> 01:44:04,989 [AUDIENCE QUESTION] Well, we had very large facilities for that purpose that evolved over 1423 01:44:10,969 --> 01:44:11,469 time. 1424 01:44:11,469 --> 01:44:16,510 The first major facility was the Flight Simulation Laboratory in Downing, California, which was 1425 01:44:16,510 --> 01:44:17,750 then Rockwell. 1426 01:44:17,750 --> 01:44:24,360 You had a room with a couple cockpits, you had another room which had the digital interfaces 1427 01:44:24,360 --> 01:44:31,360 of the cockpit, and a half a floor with the analog computers that provided a lot of the 1428 01:44:32,659 --> 01:44:36,480 information generation at a rate that was not achievable with digital systems. 1429 01:44:36,480 --> 01:44:43,480 You had this hybrid system for driving what were man-in-the-loop simulations. 1430 01:44:43,909 --> 01:44:50,909 And we spent 24 hours a day, 7 days a week using those labs for several years. 1431 01:44:50,920 --> 01:44:54,380 I would often go out to California and be on the 5:00 PM to 5:00 AM shift often spanning 1432 01:44:54,380 --> 01:44:54,630 weekends. 1433 01:44:54,579 --> 01:45:01,579 By the way, I was doing that, I think, when I was still a graduate student, which was 1434 01:45:02,199 --> 01:45:04,380 kind of an interesting experience. 1435 01:45:04,380 --> 01:45:10,670 But then NASA built the Shuttle Avionics Integration Laboratory in Houston which eventually superseded 1436 01:45:10,670 --> 01:45:13,770 the laboratory at Rockwell. 1437 01:45:13,770 --> 01:45:15,559 That became an all-digital system. 1438 01:45:15,559 --> 01:45:16,650 The hybrid systems went away. 1439 01:45:16,650 --> 01:45:22,929 The high capacity computers, they could fit in one good size room everything they needed, 1440 01:45:22,929 --> 01:45:28,949 and were able to get much more digital displays for the crews. 1441 01:45:28,949 --> 01:45:32,960 Sometimes what they used to do for the imagery of the crew in the early days is they would 1442 01:45:32,960 --> 01:45:37,199 actually drive a camera across a simulated scene because you couldn't generate the scene. 1443 01:45:37,199 --> 01:45:42,480 By the time they got the sail facility developed they were able to do scene generation with 1444 01:45:42,480 --> 01:45:48,239 fairly high computers. 1445 01:45:48,239 --> 01:45:49,820 Now everything could almost be tabletop. 1446 01:45:49,820 --> 01:45:54,429 I mean it is just so dramatic as how this evolved over the years. 1447 01:45:54,429 --> 01:45:58,199 The one thing they had at Rockwell that never got replaced, though, is they also were able 1448 01:45:58,199 --> 01:46:02,329 to put into the loop actual hydraulic systems. 1449 01:46:02,329 --> 01:46:08,389 When they were doing entry they could turn on aero surfaces and hydraulics with simulated 1450 01:46:08,389 --> 01:46:09,579 loads. 1451 01:46:09,579 --> 01:46:13,579 And you always knew when they were doing it because the high pitch scream of the APUs, 1452 01:46:13,579 --> 01:46:16,630 when they were doing it, you could hear two blocks away. 1453 01:46:16,630 --> 01:46:16,900 OK. 1454 01:46:16,900 --> 01:46:17,449 Last question. 1455 01:46:17,449 --> 01:46:24,449 Sir, I was wondering if you could give kind of a concept of the cost of developing the 1456 01:46:32,530 --> 01:46:35,570 software either in man hours or in comparison of what they spent on the hardware. 1457 01:46:35,570 --> 01:46:41,250 Well, the initial development of the system probably involved the equivalent of 15 or 1458 01:46:41,250 --> 01:46:48,250 20 full time people for a few years. 1459 01:46:49,559 --> 01:46:55,349 And this was to develop the algorithms and support the validation. 1460 01:46:55,349 --> 01:46:59,869 The actual flight software was actually produced by IBM separately. 1461 01:46:59,869 --> 01:47:04,349 And they had a small team of people that would take the detail design specifications and 1462 01:47:04,349 --> 01:47:11,349 create 1463 01:47:19,270 --> 01:47:21,610 the software. 1464 01:47:21,610 --> 01:47:28,610 It is a big effort but a very small part of the cost of developing a Shuttle. 1465 01:47:36,989 --> 01:47:40,150 I mean you measure the Shuttle in billions. 1466 01:47:40,150 --> 01:47:43,540 You measure the flight software development in millions. 1467 01:47:43,540 --> 01:47:50,540 One thing that I remember when the software was developed and we were working and validating 1468 01:47:50,949 --> 01:47:56,659 it, IBM wanted every line of code change in million dollars. 1469 01:47:56,659 --> 01:48:02,159 A million dollars for one line of code change because they had to verify the whole software. 1470 01:48:02,159 --> 01:48:06,940 That is why you would never, unless there was a flight critical thing, do that. 1471 01:48:06,940 --> 01:48:13,940 NASA wanted generally, whenever possible, to aggregate changes for a year or maybe two 1472 01:48:14,590 --> 01:48:15,599 years sometimes. 1473 01:48:15,599 --> 01:48:20,070 And then put them in there just for that reason because there was this huge cost of revalidating. 1474 01:48:20,070 --> 01:48:22,360 And that was the IBM cost. 1475 01:48:22,360 --> 01:48:25,639 It would be a cost to bringing us back in to certify that, too. 1476 01:48:25,639 --> 01:48:29,159 Well, it worked and you should be very proud of it, you and your colleagues. 1477 01:48:29,159 --> 01:48:29,630 Thank you very much, Phil. 1478 01:48:29,630 --> 01:48:29,880 Thank you. 1479 01:48:29,719 --> 01:48:29,969 [APPLAUSE]