Guidance, Navigation and Control
The functions performed by the GN&C subsystem and the sensors and control effectors used in the performance of these functions are listed in table 4-II. The sections to follow contain discussions of each of these functions, the hardware required, the use of the data processing complex, the crew involvement, and the redundancy management (RM) features provided. During dynamic phases of the mission such as ascent or entry, the system is normally configured in a redundant set of four GPC's with the fifth machine in a backup capacity. A somewhat stylized functional illustration of GN&C operation in the redundant set is shown in figure 4-24. To avoid drawing complexity, the bus/MDM network is not shown and the navigation (NAV) and control (CONT) sensors are drawn as though duplicated for each computer to represent the redundant input data available. In this configuration, each computer runs the same software in synchronization and each controls a string of sensors and control effectors. All machines, using the listen mode, receive all sensor data simultaneously. In the case of the IMU's and other navigation sensors, only three units are installed; therefore, one computer (GPC 4 in the setup shown in fig. 4-24) has no sensor to control and can receive these data only by listening to the other three. Each IMU provides the sensed inertial attitude and acceleration of the vehicle. These data are compared, after individual sensor compensation (COMP) and calibration (CALIB), in fault detection and identification (FDI) algorithms which detect out-of-tolerance conditions. A navigation state vector is calculated (as indicated schematically in the diagram, by the box with the integral (INT) sign) using data from each IMU which pass the FDI test. If data from other navigation sensors such as tacan or MSBLS are to be used (i.e., during entry), they are periodically incorporated, after passing though an FDI test, into the state vector using a Kalman filter algorithm. This update process removes or reduces any systematic state vector errors caused by IMU drift, etc. The state vector is then passed to the guidance (GUID) algorithm, where a vehicle guidance command is generated and sent to the flight control module. Here, the outer loop guidance command is combined with the inner loop commands generated in the flight control algorithm on the basis of inputs from selected flight control sensors, such as rate gyros and accelerometers. The resultant command from each computer is sent to the control effectors, where the final command selection process is conducted. The reader should keep in mind that this discussion of GN&C operation is simplified and does not include subtle variations such as those introduced by different sample rates and extraneous uses of data.
Table 4-II. - Guidance, Navigation, and Control Elements.
Figure 4-24. - GN&C RM configuration.
GN&C Sensors
The physical locations of the sensors used by the GN&C system are dictated by the structural dynamics of the vehicle, the required relationship to the center of gravity, and, to some extent in the case of the tracking devices, by the associated antenna requirements. The inertial measurement unit, star tracker, rate gyro, accelerometer, and air data sensors are described in the following subsections. The others (tacan, microwave scanning beam landing system, and rendezvous radar) are discussed in the Communications and Tracking section.
Inertial Measurement Units/Star Trackers
Three IMU's and two associated star trackers are installed on the navigation base just forward of the Orbiter lower equipment bay. The navigation base is a rigid structural beam constructed to maintain a precise angular relationship between the IMU's and the star trackers for alignment purposes. The IMU's, which supply vehicle attitude and acceleration data, are normally aligned with input axes skewed to provide enhanced capability for detecting second failures. The two star trackers, used to align the IMU's, are protected from the atmosphere during ascent and entry by doors in the Orbiter outer moldline and from excessive exposure to the Sun while on orbit by automatically operated shutters. The trackers use image-dissector tubes to measure azimuth and elevation of stars with intensity greater than third magnitude which appear within the field of view. A 100-star catalog stored in the computer software is sufficient to allow star observation and IMU alignment in virtually any orbital attitude or location.
Rate Gyro Assemblies
Four three-axis Orbiter rate gyro assemblies (RGA's) are located on the aft bulkhead of the payload bay. Two two-axis packages are located in the forward section of each solid rocket booster. These units measure vehicle angular rates about the control axes for use in the inner loop flight control algorithms. Signal selection for the Orbiter units is performed as follows. If four inputs are
present, the higher of the two mid values is selected. If the input from any unit diverges from the other three beyond a preset threshold, the input is rejected, the RGA is declared inoperative, and the midvalue of the remaining three inputs is selected. A form of quadruple middle-value selection is also performed on the SRB gyros by comparing data from all four devices.Accelerometer Assemblies
Four two-axis body-mounted accelerometer packages are located in the Orbiter forward equipment bays. These instruments measure normal and lateral acceleration and are also used in the inner loop flight control calculations. The quadruple middle-value signal selection process used is identical to that used for the Orbiter rate gyros.
Air Data
Two pitot/static probes are located on revolving doors on either side of the Orbiter forward fuselage. Each probe provides four pneumatic inputs, three ram air and one static air, in parallel to two air data transducer assemblies (ADTA's). The pneumatic pressures are measured and converted to digital signals in the ADTA's and sent by way of flight forward MDM's to the GPC's as shown in figure 4-25. The data are used to calculate altitude, airspeed, Mach number, angle of attack, etc., for display and for use in the entry navigation, guidance, and flight control systems. Redundancy management in this area is particularly complicated in that the quadruply redundant sensor measurements provided to the GPC's are not really independent because only two probes are installed. Further, sideslip effects can cause differences in measurements from side to side that are difficult to distinguish from failure effects, and significant transients' can be expected, especially during Mach 1 transition. Functionally, the RM logic first determines the deployment status of the probes and their usability based on communication faults and other checks. The selection filter then either averages the usable inputs or selects one if only one is available - first on a side basis, then overall - and sends the output to the user process after passing it through a transient filter. Comparison tests against preset thresholds are made to detect and identify failures, again first on a side basis. If the two inputs from a side miscompare by more than the threshold, the selected value from the other side is used, after a sideslip correction is applied, to isolate the faulty unit. If no input is available from the other side, a dilemma situation is declared and annunciated to the crew.
Figure 4-25. - Air data system.
GN&C Control Functions
Four distinctly different dynamic control functions are performed by the GN&C system during a typical mission. These include
- Hydraulic actuator control of SRB and main engine thrust vectors and Orbiter aerodynamic control surfaces during ascent and entry
- Electrical control of the main engine throttle during ascent
- Electrical control of the reaction control system thrusters during ascent (post-MECO), on-orbit, and entry phases
- Electrical control of the orbital maneuvering system for velocity changes during exoatmospheric phases including the deorbit maneuver
TVC/Aerodynamic Control
Figure 4-26 is a simplified block diagram of the Orbiter avionics system configured to perform the hydraulic control function. Each of the four GPC's in the redundant set controls a hydraulic actuating path, which includes a flight aft MDM, an ascent thrust vector control (ATVC) driver assembly, and an aeroservoamplifier (ASA). The ATVC's control pitch and yaw actuators on the three main engines and rock and tilt (skewed 45°) actuators on the two SRB engines. The ASA's control the position of the Orbiter inner and outer elevons, the rudder, the speed brake, and the body flap. Each ATVC and each ASA controls one of four redundant ports on its respective actuators, which, in turn, control the position of an engine or an aerodynamic control surface. Figure 4-27 is a schematic of a typical hydraulic actuator showing the quadruply redundant inputs and the single power output to the controlled device. Each electrical input influences the position of the secondary shaft, which controls the drive signal to the power actuator. The resultant command to the power actuator is the sum of the inputs to the secondary shaft. If one of the inputs is in opposition to the other commands, a force fight occurs; the opposing input will be overpowered, and the system will respond to the resultant sum of the remaining inputs. Further, the hydraulic pressure measured at the input to the opposing port will be higher and of the opposite sign in comparison with the other three, and the ATVC or the ASA will, if the signal exceeds a preset threshold for an allowable time limit, hydraulically bypass the opposing signal. To accommodate systematic biases, an equalization loop is included to prevent nuisance disconnects. In addition, the crew has a manual switch option to override the disconnect signal if the situation warrants.
Figure 4-26. - GN&C actuator configuration.
Figure 4-27. - Typical hydraulic actuator drive.
Main Engine Throttle Control
A dually redundant, active/standby digital controller is mounted on each main engine to manage and control all engine performance functions. Throttle and start/stop commands are generated in the four redundant-set Orbiter GPC's and transmitted to these controllers through three engine interface units, one dedicated to each engine (fig. 4-28). The EIU's select three of the four input commands from the GPC's, add a BCH error-detecting code, convert the message to the engine bus protocol, and transmit the result to the engine controllers on the three dedicated engine buses. Valid commands received on Orbiter bus inputs 1 and 2 are passed through to engine buses 1 and 2. The first valid command received on either Orbiter bus input 3 or Orbiter bus input 4 is passed through to engine bus 3. The engine controllers will respond only if at least two identical, valid commands are received; otherwise, the last commanded value will be held. With this arrangement, any two failures which cause the loss of EIU inputs 1 and 2 will result in the loss of command capability to the associated engine. For this reason, the GPC inputs are staggered among the three EIU's to prevent two such failures from affecting more than one engine. A hardwired, manually activated path and the necessary cues are provided to allow the crew to shut down an engine if the automatic path is incapacitated.
Figure 4-28. - Main engine throttle control.
RCS Control
The reaction control system uses 44 thrusters mechanized in four groups fore and aft to control vehicle attitude during external tank separation and throughout the on-orbit phase, and to augment the aerodynamic control surfaces during entry. These thrusters are arranged to provide fail operational/fail safe (FO/FS) control in all attitude and translation control axes. Six vernier thrusters are included for precise attitude control on orbit. Figure 4-29 shows the thruster configuration; the associated reaction jet driver forward (RJDF) and reaction jet driver aft (RJDA) units, which manage the on/off commands from the computers; and the flight-critical MDM/data bus paths, which carry the required commands and data. Each GPC, when operating in the redundant set, controls a quarter of the jets, distributed on a control axis basis. If a thruster fires because of an incorrect command from one of the GPC's or because of some other failure in a string, an opposing thruster or thrusters controlled by other computers in the set will be commanded to fire to counteract the erroneous torque on the vehicle. An appropriate alarm will be sounded and the crew will be required to take appropriate manual action to disable the uncontrolled jet before fuel use or other constraints are violated. The combination of control axes, fuel and oxidizer manifolding and tankage, ullage constraints, valving, and electrical power considerations requires the mechanization of an extremely complicated redundancy management scheme.
Figure 4-29. - RCS configuration.
Misfiring RCS jets are detected by sensing the chamber pressure in the jet each time it is commanded to fire, with an appropriate delay to account for pressure buildup. Continuously firing (failed on) jets are detected by comparing the state of the computer command to a given jet with the voltage applied to the solenoid drivers, which activate the fuel and oxidizer valves causing the jet to fire. If the solenoid driver voltage indicates that the jet is firing with no associated computer command, the jet is declared failed on, the crew is notified, and the associated propellant manifolds must be closed, to prevent loss of fuel. Leaking jets, which can cause an explosive situation, are detected by sensing the fuel and oxidizer injector temperatures and comparing them against a threshold. Again, the associated manifold valves must be closed to prevent occurrence of a potentially dangerous condition. The status of each jet is maintained in an available jet status table in the software. When manifold valves are closed to isolate a malfunctioning jet, as many as three others will be isolated as well; therefore, the manifold valve status must be mapped into all affected jets and the table altered accordingly. The availability table is monitored by the various digital autopilots, and only jets listed in the table are commanded to fire.
Orbital Maneuvering System Control
Two OMS engines are installed in pods on either side of the aft section of the fuselage. These 6672-newton (1500 pound) thrust engines are used to perform exoatmospheric velocity changes after insertion, on orbit, and for deorbit. Figure 4-30 is a simplified schematic diagram of the system. The thrust vector direction is controlled in the pitch and yaw axes by electric-motor-driven actuators commanded through flight aft MDM's. By means of redundant gearing, two control paths are provided for each actuator. The OMS engine thrust and actuator performance are monitored by the redundancy management software.. Thrust performance is evaluated by comparing both chamber pressure and the accrued velocity change over a given time with threshold values. Actuator performance is evaluated by comparing the commanded position with the actual position achieved,as determined from feedback sensors. The crew is notified of off-nominal performance and expected to take appropriate action.
Figure 4-30. - OMS configuration.
Home -
NASA Office of Logic Design
Last Revised: February 03, 2010
Digital Engineering
Institute
Web Grunt: Richard
Katz
