NASA Office of Logic Design

NASA Office of Logic Design

A scientific study of the problems of digital engineering for space flight systems,
with a view to their practical solution.

Space Shuttle Main Engine Controller

NASA Technical Paper 1932
November 1981

Russell M. Mattox and J.B. White
George C. Marshall Space Flight Center
Marshall Space Flight Center, Alabama


In March 1972, NASA selected the Rocketdyne Division of Rockwell International to design and develop the Space Shuttle Main Engines (SSME) for the reusable Space Shuttle. The development program was managed by NASA/Marshall Space Flight Center (MSFC) and was supported by the various engineering laboratories within the Science and Engineering Directorate. The engine itself is designed to be reusable for 55 missions totaling 7.5 hr of cumulative operating time, and to operate at a variable thrust level commanded by the Orbiter. Engine control could have taken alternate forms such as time sequenced valve control, pressure-ladder sequenced propellant valve control, analog computer control, or digital computer control. A digital computer control concept was selected as the basis of the control system and was designed with the appropriate input-output (control) electronics to interface with the engine hardware. This alternative results in several advantages-

  1. Changes in operational sequences and functions were readily accomplished simply by changing computer software programs, thereby avoiding costly and time-consuming hardware redesign, retrofit, reverification, and engine recalibration firing.
  2. It provided the flexibility and ease of change needed during the engine research and development phase along with the eventual autonomy and adaptability necessary in a fully operational system.
  3. Development schedules were simplified because the hardware design and fabrication proceeded in parallel with software development.
  4. A digitally based system provided the fast control response necessary to accomplish thrust level control and maintain a constant fuel/oxidizer mixture ratio over the complete throttle range.
  5. It provides the capability of monitoring engine operating conditions and performs various types of safing operations depending on the nature of anomalous or failure conditions detected real-time during flight.
  6. A digital system with its associated software is able to perform tests on the engine hardware and self-tests on itself and report any function not performing within specification that might need correcting. Failure detection, isolation, and resolution is more readily accomplished without impacting other system operations.
  7. Operating conditions and component redundancy management results are always readily available to be transmitted, digitally, to the Orbiter and to the ground.

The engine developed for the Space Shuttle represents the most complex high-performance engine ever built. Due to the extremely high operating thrust chamber and turbopump temperatures, pressures, and speeds, very precise monitoring and control of critical engine parameters are of prime importance. Because of the speed and accuracy required in controlling these parameters, the application of a software controlled digital computer was a natural approach.

To reduce the development risk and cost, the Honeywell HDC-601 airborne computer functional organization and logical design was selected as the central processing unit for the SSME: control application. This unit, along with specially designed input/output interfacing electronics, power supplies, and appropriate redundancy control electronics, was duplexed and packaged into a unit called the controller.

Since each flight controller is mounted directly on an engine, the environment in which it operates is very severe. Therefore, special emphasis was placed on the mechanical design and packaging techniques of the electronic components and subassemblies. An extensive design verification (qualification) program was instigated and implemented to assure that the controller operates and survives under all the conditions to which it is exposed and for the number of missions for which it is designed.

During the controller development and testing program, various problems and design deficiencies were recognized, analyzed, and corrected. Some were unique because of the nature of the controller design and application, and some were typical of those expected in any electronic package design and development program.

Each of the functional elements comprising the controller is described and discussed in detail. The redundancy configuration employed and the redundancy management concepts, schemes, and techniques utilized are covered. The mechanical design of the controller package, which must withstand the unusual operating environment and the extensive testing to assure controller flight worthiness, is then considered. Finally, operational functions, timeliness and experience are presented.

Space Shuttle Avionics Page

Home - NASA Office of Logic Design
Last Revised: February 03, 2010
Digital Engineering Institute
Web Grunt: Richard Katz