NASA Office of Logic Design

NASA Office of Logic Design

A scientific study of the problems of digital engineering for space flight systems,
with a view to their practical solution.


SP-287 What Made Apollo a Success?

7. TECHNIQUES OF CONTROLLING THE TRAJECTORY

By Howard W. Tindall, Jr.
Manned Spacecraft Center

[59] Someone not associated with the Apollo Program cannot imagine how much planning precedes each mission. Planning is truly an immense task, which takes many different forms. Basically, this is another report about mission planning. It is not about the selection of launch windows, trajectories to be flown, landing sites, or how to make the lighting conditions right. Neither does this report specifically involve preplanning the crew time line; defining when pieces of equipment should be turned on, when the crew should sleep, eat, work, perform on TV; and so forth. The planning this report is concerned with does interact intimately with these, but it is planning of an entirely different type. Generally speaking, it is the planning required to define how the trajectory is controlled once the mission objectives, trajectory plan, and crew time line have been established: to figure out exactly how the various components of the guidance, navigation, and control (GNC) systems and, to some extent, the engines are to be used during all phases of each of the manned Apollo missions.

Unquestionably, activities associated with trajectory control constitute by far the largest piece of operational overhead in any Apollo mission. That is, in the process of achieving the real objectives of a lunar-landing mission (such as placing experiments on the lunar surface, picking up rocks, and taking pictures) you will find no other inflight activity that approaches trajectory control in its capacity to absorb planning and training energy. Usually, when conflicts arise, the trajectory-control activity takes priority over everything else, such as systems management, crew work and rest cycles, and experiments (including the lunar-surface work).

Since trajectory-control activities make up such a large part of every Apollo mission, the manner of conducting them has an impact on almost every other facet of the mission, even on aspects that seem remote, such as electrical-power management, thermal control, and consumable budgeting. As a result, it is necessary to consider all of these things in the development of the overall trajectory-control procedures, which we call mission techniques. Also, it is important that almost everyone in the Apollo world knows how we intend to do these things, since we often impact their plans.

One basic characteristic in the design of the overall Apollo guidance and navigation (G&N) system must be recognized before I proceed. Namely, the ground-based tracking, computation, and control-center facilities not only form an integral part of the G&N system-being the prime source of essential data to the spacecraft systems- but in some instances, the ground will be the only source of data. Specifically, with the exception of rendezvous and inertial sensing during maneuvers, all trajectory determination is done on the ground. This is the task of determining the position and velocity of [60] the spacecraft and its relation to where we are trying to go-braking into lunar orbit, trying to land at a specific site on the moon, hitting the earth atmospheric-entry corridor, or whatever.

Also, with the exception of the rendezvous, the ground is the only source of maneuver targeting. By maneuver targeting, I mean the task of figuring out the exact magnitude and direction and the time at which each maneuver must be executed in order to perform the mission.

The two essential functions, orbit determination and targeting, cannot be performed on board the spacecraft. The reason I am making such a big point about this is probably obvious. Putting together mission techniques with a G&N system like that is much more complicated that if the whole job could be done on board the spacecraft without external assistance. A tremendous amount of data must be relayed back and forth between the spacecraft and the ground, and the content and format of these data have to be complete and precisely compatible. Also, instead of only the three crewmembers being involved in the operation-that is, understanding and carrying it out- we must involve the entire flight-control complex. This makes the inflight job, of course, more complicated-but, believe me, it makes the planning job something else, too. Many diverse opinions about the planning task are expressed without hesitation or inhibition.

There is an important point I would like to make regarding operational philosophy, since it influences the mission techniques so much. It must be obvious from the way the missions have gone so far that the spacecraft equipment is really put together right. A tremendous amount of attention has been devoted to design and testing to make sure that everything will work as it is supposed to. On top of that, in order to provide even more confidence that the mission may be conducted successfully and safely, all of the critical systems are backed up by other systems. (In the GNC area, the backup systems, without exception, are of an entirely different design than the primary systems. Thus, they are operated entirely differently, which almost doubles the planning. )

Accordingly, you might think that the mission techniques for a spacecraft like Apollo would be based on the assumption that the equipment will work. The fact is, however-right or wrong-that our operational planning on all manned space flights so far has been based on a philosophy of cross-checking and monitoring every critical system and operation to make sure that the systems are performing properly.

Operations must all be planned out before a mission-just what will be done if the primary or backup system (or both) fails or is degraded. Also, we must plan what can be done with whatever components of these systems might still be working, with the data shipped from the ground and from charts and simple mathematical techniques developed for the crew, and with any other data sources not ordinarily used, such as the view out the windows.

On the other hand, when you consider that we deploy two sophisticated spacecraft, each of which has extensive capabilities, the imagination explodes with the possible ways things could be done as various components fail. Also, when you multiply this multitude of choices by the number of uniquely different phases in a lunar-landing mission, you find that the task of developing the techniques could expand indefinitely. Obviously, if unconstrained, this whole business could get out of hand. Not only could it [61] cause an inexcusable waste of resources, but it could also introduce a myriad of complicated procedures-tier upon tier of alternate modes of operation which would go beyond the ability of the crew and flight controllers to understand, train with, and use.

These two rules bound the problem: Be prepared to recognize and react under any condition to save the crew and the mission, but do not carry this business to the point of actually reducing reliability by introducing confusion or the incomprehensible into the system. If I were to look back and judge how we actually did on Apollo, I would say we went a little too far-not much, but some. And, of course, it is easier to look back.

The Mission-Technique Development Task: How do you decide how to fly an Apollo mission? If the inertial reference system is drifting a little, what do you do about it? If it drifts a lot, what do you do about that? What is the switchover point between a "little" and a "lot"? Let us say you are in the middle of a rendezvous with a maneuver coming up and you have three sources of data each telling you what the maneuver should be. Also, your friend in the other spacecraft has a solution, as do the people on the ground. How do you choose among these solutions, if they differ? It is specific questions like these-and there are literally hundreds of them-that the mission-technique development process was set up to answer to everyone's satisfaction. Let me describe the development process and its products.

First of all, the task involves pinning down precisely how well the systems must work or if they are even needed to achieve mission success or to assure crew safety. This can become a tough job. Certainly, we do not want to abort a mission if it is safe to continue, but we must be sure it is safe, even if something else fails. To some extent, the decisions depend on where you are in the mission.

For example, we had as an Apollo 11 mission rule that we would not separate the lunar module (LM) from the command and service module (CSM) in lunar orbit if the rendezvous radar was not working. We felt that our lunar-orbit experience and LM systems maturity were not adequate at that time to start intentionally a rendezvous situation without the rendezvous radar. On the other hand, after the two spacecraft had been separated and descent had started, there was no reason to terminate the mission because of a rendezvous-radar failure. By that time, we would already be committed ourselves to performing the rendezvous without it and so might as well press on. Thus, some mission techniques can be chosen by applying common sense to the situation. Table 7-I illustrates one of the mission-technique products dealing with this kind of situation by listing which pieces of equipment must be working to continue at several go/no-go points in lunar orbit.

If a piece of equipment is obviously broken, it is easy to apply the mission rules agreed to before flight, such as those given in table 7-I. However, if it is just not working up to par, then what? In this case, the go/no-go decision must reflect system requirements in terms of the mission phase.

A good example of this was the preparation for the LM descent to the lunar surface on Apollo 11. Although all three gyroscopes in the primary guidance system inertial platform have identical design, the performance required of each was markedly different. Analysis showed that a misalignment about the pitch axis as large as 1 does not degrade the descent guidance unacceptably as long as the landing radar is working, but [64] that just a 0.5 misalignment renders the guidance system incapable of performing a safe abort from the descent trajectory. So we established safe-abort ability as the criterion for computing the limiting pitch-axis gyroscope performance. Specifically, since the system is aligned approximately an hour and a half before powered descent, we were able to fix 0.33 deg/hr as the maximum acceptable gyroscope pitch rate (the 3σ Apollo gyroscope performance is 0.1 deg/hr).


[62] TABLE 7-I. MANDATORY GUIDANCE, NAVIGATION, AND CONTROL SYSTEMS

(a) Lunar module systems

LM systems

Undocking and separation a

Descent orbit insertion

Power descent initiate

.

Primary GNC system:

R b

R

R

LM guidance computer

R

R

R

Inertial measurement unit

R

R

R

Display and keyboard

R

R

R

Abort guidance system

R

R

R

Control electronics system

R

R

R

Descent propulsion subsystem

R

R

R

Rendezvous radar

R

R

NR c

Landing radar

R

R

R

Flight director attitude indicator

R d

R d

R d

Alinement optical telescope

R

NR e

NR

Hand controllers f

R

R

R

Flashing light on LM

NR

R

R

a The separation maneuver and mini-football activities will be performed for all conditions allowing undocking.
b Required.
c Not required.
d Only one unit is required.
e Alignment optical telescope is required until the pre-descent-orbit-insertion fine alignment is completed.
f Translation and at least one rotation hand controller.

 

[63] TABLE 7-1. MANDATORY GUIDANCE, NAVIGATION, AND CONTROL SYSTEMS - Concluded

(b) Command and service module systems

CSM systems

Undocking and separation a

Descent orbit insertion

Power descent initiate

.

GNC system:

CM computer

R b

R

NR c

Inertial measurement unit

R

R

NR

Display and keyboard

R

R

NR

Optics:

Sextant

R

R

NR

Scanning telescope

R

R

NR

Crewman optical alignment sight

R

R

NR

Stabilization and control system:

Body-mounted attitude gyroscopes

R d

R d

NR

Gyroscope display coupler

R

R

NR

Flight director attitude indicator

R e

R e

NR

Service propulsion system

R f

R f

NR

Hand controllers

R

R

NR

Entry monitor system change-in-velocity counters

NR

NR

NR

Very-high-frequency ranging

NR

NR

NR

Rendezvous radar transponder

R

R

NR

 

a The separation maneuver and mini-football activities will be performed for all conditions allowing undocking.
b Required.
c Not required.
d One set of body-mounted attitude gyroscopes required.
e Only one unit is required.
f lf service propulsion system has failed, transearth injection will be performed a next opportunity.

On the Apollo 11 mission, very large misalignments could be tolerated in yaw and roll. In fact, there was no reason not to continue unless one of these two gyroscopes drifted more than 1.5 deg/hr-the value determined by the gyroscope experts as an indication that the system is broken. In other words, a failure limit imposed a tighter constraint than any performance requirement; therefore, failure became the yaw and roll gyroscope criterion.

This will not be the case on Apollo 13, where the landing will take place in extremely rough terrain with a limited safe-landing area. Both mission success and crew safety depend on the guidance system getting the LM to within 1 kilometer of the aiming point. Accordingly, it is necessary to reduce the maximum allowable drift rate about the inertially vertical axis from the failure-criteria value of 1.5 to 0.145 deg/hr (i. e., 10 times better performance than was needed on the earlier missions). The job in each case is to find the most constraining criterion and the limits associated with it.

Once we set limits like these, we can then define precise crew and ground-support procedures for verifying that the performance comes within the limits before reaching each mission go/no-go decision point. It is also necessary to decide what to do if the performance does not fall between the limits. In the non-failure cases just mentioned, it is possible to reload new drift-compensation values into the spacecraft computer by a command up link from the ground. In the failure case (i. e., 1. 5-deg/hr drift on any of the three gyroscopes), the only choice is to "no-go" the descent.

Mission techniques also involve defining the procedures for monitoring systems during critical mission phases; for example, in powered flight, where an unsafe situation can develop very quickly. The way of doing this follows the pattern described for system-performance tests.

To illustrate, I have pulled the flow chart shown in figure 7-1 from one of our documents. It describes part of the decision logic followed by the ground flight controllers who monitor the lunar descent. The flow chart shows the steps to be taken under each condition in monitoring the guidance and control systems. The diagram is not meant to be followed step by step, but rather is a guide for the flight controllers, who monitor various parameters on strip charts. The flow chart gives the procedures to be followed if certain limits are exceeded.

Monitoring another type of critical phase must also be worked out. During lunar orbit rendezvous, we have no fewer than five first-class systems computing the rendezvous maneuvers. The LM has its primary guidance system and a backup guidance system; the CSM has an excellent system, and the ground can do a very good job too. In addition to those, the crew can do the same job with some charts and simple paper-and-pencil calculations. The rendezvous is probably the best example of where a job we call "data priority" had to be applied. It is clear how the maneuvers should be executed if all of these data sources agree with one another, but how should you respond [66] if they do not? Many hours of discussion were spent in pinning down such basics as what we mean by "agreement" (e. g., within 0.1, 1.0, or 10 fps for velocity) and, if things do not agree, which one should be used?


[
65] [PICTURE MISSING]

Figure 7-1. Steps the ground-based flight controllers take if certain guidance and control values exceed premission limits for the LM during LM descent to the lunar surface.

We also produce mission-technique documents for every phase of every manned Apollo flight. The mission-technique documents describe precisely how all of this is done and the reasons for doing it that way. The documents are widely distributed to make sure everyone knows what we plan to do. But most important, all of these techniques are included in Crew Procedures, Checklist, Flight Plan, Flight Control Procedures, and Mission Rules-the documents which truly govern the conduct of the mission.

Development of mission techniques was achieved by assigning to an individual in the Apollo Spacecraft Program Office the responsibility of coordinating the activities of the various groups working on those things so that when they were finished, there was some assurance they would all be compatible, complete, and universally understood.

Of course, the way we got this job done was with meetings-big meetings, little meetings, hundreds of meetings! The thing we always tried to do in these meetings was to encourage everyone, no matter how shy, to speak out, hopefully (but not always) without being subjected to ridicule. We wanted to make sure we had not overlooked any legitimate input.

One thing we found to be very effective-and which we almost always did-was to make decisions on how to do the job, even if the data available were incomplete or conflicting, or if there was substantial disagreement among the participants. This even included making educated guesses at the performance abort limits and stating that they were the values we would use unless someone came in with something better. However, do not get me wrong. These limits are a very serious business. They literally define the point at which a mission will be aborted. You can imagine how emotional our meetings frequently were!

Although the decisions reached often displeased someone, the fact that a decision had been made was invaluable. Since this effort was officially sanctioned, the decisions served to unify all subsequent work. They often also pointed up the need for more work. And for those dissatisfied with the decisions, at least they presented a firm target which they could attack through recognized channels to higher authority.

In short, the primary purpose of these meetings was to make decisions, and we never hesitated! These early decisions provided a point of departure; and by the time the flight took place, our numbers were firm, checked, and double-checked. By then, we knew they were right!

Mission-Technique Spinoffs: There were several important spinoffs from this work. The meetings were regularly attended by experts involved in all facets of trajectory control-systems, computer, and operations people, including the crew. Our discussions not only resulted in agreement among everyone as to how we planned to do the job and why, but also inevitably educated everyone as to precisely how the systems themselves work, down to the last detail. A characteristic of Apollo you could not help noting was just how great the lack of detailed and absolute comprehension are on a [67] program of this magnitude. There is a basic communication problem for which I can offer no acceptable solution. To do our job, we needed a level of detailed understanding of the functioning of systems and software far greater than was generally available. Through our meetings, however, we forced this understanding. It was not easy, but we got it sorted out eventually-together.

Another valuable spinoff from these discussions was the state of readiness achieved by the operations people-ground and crew-before starting simulation training exercises. By the time we had finished our work, everyone had a pretty good idea of exactly what we were trying to do and how we were going to do it-exactly what was expected of each individual and when. And, most important, the data flow between ground and spacecraft would have been defined and scheduled in detail. As a result, when simulations began, they could proceed with maximum efficiency doing exactly what they were intended to do-train people. Interruptions and false starts to get things squared away were kept to a minimum, usually just involving those things that had not occurred to us previously or which did not work out too well in actual practice. I cannot overemphasize the importance of this, since obtaining adequate training is one of the toughest jobs we have.

A third spinoff involves the inevitable discovery of system deficiencies. When you get a gang of people like these together to figure out exactly how you are going to do the trajectory-control job, it is inevitable that really outstanding new ideas will emerge. These new ideas caused a large number of spacecraft and control-center computer-program changes, both additions and-I am pleased to report-deletions. We also uncovered undesirable or even unacceptable hardware characteristics. We were able to get some fixed. We took it upon ourselves to advertise the rest extensively and to plan workaround procedures.

The greatest impact on an area, outside of mission techniques, involved trajectory planning. As we worked out the details, it was found advisable to make substantial changes in lunar-orbit rendezvous, lunar descent aborts, and entry through the earth atmosphere, as well as many less significant things, such as performing the lunar-orbit insertion in two steps instead of one and, starting with Apollo 13, doing the descent-orbit insertion maneuver with the CSM instead of the LM.

These changes were usually made when it was found that suitable monitoring techniques were not available or that it was necessary to make the mission more compatible with the backup techniques. For example, there are two levels of backup to the primary G&N system of the CSM for atmospheric entry at the conclusion of a lunar mission. However, neither of the backups can support the long-range entry involving skipping out of the atmosphere, which was originally planned for Apollo missions to avoid bad weather and was the standard mode the primary guidance system was designed to fly. Accordingly, to permit switchover of systems if the primary G&N failed during entry, the trajectory plan was changed and the G&N was modified to fly the nonskip trajectory we now use on all lunar flights.

How has this all worked out now that we have essentially finished it? Well, I have to confess that, as far as I know, there was never an instance in any of the Apollo flights where the detailed system test and monitoring we set up uncovered anything unacceptable. That is, we could have flown with our eyes closed, and the primary guidance system would have come through. The work we were originally set up to do has [68] never saved us from catastrophe, although I am sure it must have reduced anxieties by several orders of magnitude As far as the usefulness of the overall effort, I really do not see how we could have flown the missions without its having been done. The spin-offs alone were worth it.

previouscontentsnext

Home - NASA Office of Logic Design
Last Revised: February 03, 2010
Web Grunt: Richard Katz
NACA Seal