NASA Office of Logic Design


A scientific study of the problems of digital engineering for space flight systems,
with a view to their practical solution.





the Fiftieth Birthday of

Wernher von Braun

March 23, 1962


Edited by:
Ernst Stuhlinger
Frederick I. Ordway, III
Jerry C. McCall
George C. Bucher


National Aeronautics and Space Administration
Huntsville, Alabama




H. J. Fichtner

Astrionics Division
George C. Marshall Space Flight Center
National Aeronautics and Space Administration
Huntsville, Alabama

Now that space operations have become a reality, it is appropriate to review the accomplishments of the past and to discuss what must be done in the future to insure the operational readiness of our large carrier vehicle systems. Well-planned overall systems engineering is the key to this task, with electrical systems engineering playing a major subsidiary role.

When missiles were introduced on a relatively large scale some 25 years ago, overall electrical systems engineering did not exist as such, although with the V2 missile the systems approach was being utilized for the first time. In those days the designers of the propulsion system provided for the system's electrical needs by maintaining the required start and cutoff sequence. The designers of the guidance and control system worked their own electrical system and took care of the electrical equipment needed for the checkout and launch operations.

Missiles resulting from this parallel design effort were operational; but to build, check out, and prepare them for launching was very expensive and time consuming. Relatively early in the research and development phase of the V2 program the entire system was evaluated for large-scale production. This evaluation showed that it was impossible to supply all the electrical components needed to achieve the requested production rates. For the first time, this created the need for a coordinated overall systems approach which considered checkout equipment and the missile as one system. Duplication of functional components, signals, power sources, etc., was avoided to simplify the system as much as possible. The requirements placed on the overall system created the need for a systems engineer who was required to have a thorough knowledge of the various subsystems, their operation, and functions. A philosophy was established which has been followed since: "Keep the missile system simple; wherever possible, keep components out of the missile, especially if they only function during pre-flight checkouts." Under these conditions, the entire V2 system was redesigned. Aside from production considerations, operational simplicity was of major concern. Checkout and launch operations during the research and development phase were carried out by the designers themselves or by high-caliber, technically trained personnel. In combat application, the system being operated by troops had to be self-checking and automated in its launch sequence. The V2 system at the end of World War II was a classical example of functional simplicity with a minimum amount of components. The actual launch operation was simplified to only two pushbuttons: one to start the launch sequence, and one to start the full flow of propellants. The entire launch sequence was self-checking and returned the system to a safe condition if a malfunction was sensed during this time before launch. All operational missile systems today essentially follow this pattern of operational sequence.

In-flight instrumentation systems were refined more and more after World War II, and missile behavior as well as environmental conditions during the entire flight phase were observed through radio links. This possibility of telemetry coverage opened a new area for missile design engineers to obtain valuable data for further study programs. Theoretical data could be hardened by actual data, and values could be obtained for the anticipated new missile programs. Within the last 15 years, the measuring program expanded from between 30 and 40 measurements to between 500 and 600 measurements per test flight. All these measuring programs had to be incorporated into the overall system in such a way as to not interfere with the standard system necessary for proper flight performance. A malfunction in the instrumentation system should not influence in any way the behavior of the standard system. However, the instrumentation system was required to function as long as possible to record catastrophic failures, such as fire in the engine area, control failures, etc., that would eventually lead to a flight failure. This systems approach worked very satisfactorily in programs like Redstone, Jupiter, and Pershing. There were few failures which could not be explained. The telemetry records gave perfect coverage and usually a quick explanation.

As the missile systems expanded in size and complexity, the checkout time and the time required for launch readiness also increased. The constant changes from one missile to a more advanced missile demanded exacting checkout, test, and firing procedures. Event sequencing had to be dictated that could be achieved only by designing all tests and sequence events into the system. Whenever possible, the human element was eliminated in all critical phases of checkout and launch. This effort was well spent, judging from the results of the various missile programs of the last 5 years. It is not a major problem today to prepare a satellite on a certain day, or even hour of the day, for firing and injection into orbit. It is taken for granted that the entire system is reliable enough to meet a specified countdown time. It cannot always be assumed, however, that a missile takes off from its launch pad and stays on its prescribed trajectory. Special precautions are necessary as directed by the safety officer of the missile range.



An entirely independent and redundant system has been designed over the years as a tool for the safety officer to maintain full control over the missile. He must be able at any time during the propelled flight phase to cut off thrust or to destroy the entire missile if he decides that this is necessary for safety reasons. This system must work under any condition possible in the flying missile such as power failure, structure breakup, or other failures. The various requirements in the known missile program, such as 15-min readiness, automation to any degree, and self-checking of subsystems and components, lead to standardization and refinement of the entire system to achieve reliability. Only after the achievement of this reliability was it possible to plan for the placing of man into space.

Project Mercury was established and funded based on reliable missile systems. The primary missions of Project Mercury are the orbiting of manned capsules around the Earth, the study of man's capabilities in space flight, and the safe return of the capsules and their occupants to the surface. The program was divided into two main phases: (1) to use the modified Redstone carrier for suborbital unmanned and manned capsule flights to help qualify the Mercury capsule in a space environment, and (2) to carry out unmanned and manned orbital flights with the qualified Mercury capsule being boosted by an Atlas ICBM.

It was necessary to analyze the entire flight history of the two systems to establish a malfunction study that showed where systems improvements were desirable and possible. Parallel to this study, an abort-sensing philosophy was established to provide, during the total countdown and flight, the utmost in safe abort for the man in the capsule and for the launch crew at the pad.

A new design aspect entered the overall systems design; this was the concern about the man. Electrical checkout and functional circuits, well established in previous flights, had to be reanalyzed and redesigned because the safety of a human life was involved. Automatic abort sensing during the countdown and carrier vehicle flight was to be incorporated into an existing system. Since two independent systems were involved, carrier vehicle and capsule, close technical coordination was essential. In the preflight condition, up to liftoff, any malfunction had to result in the "safing" of the entire system or ejection of the capsule from the carrier rocket. It was necessary to make all abort systems redundant and operational under all possible conditions. After liftoff, the range safety officer's requirements added to the complexity of the system.

Abort had to be possible over radio link at all times from the ground; the astronaut also had the ability to abort the mission. It was necessary to develop automatic abort sensing devices for the space carrier vehicle such as:

  1. Attitude error sensors for pitch, roll, and yaw axes.
  2. Angular velocity sensors for pitch, roll, and yaw.
  3. Control voltage detectors to sense voltage failure.
  4. Combustion chamber pressure switches to sense engine performance.

All these sensing devices could activate a common abort bus for both carrier vehicle and capsule. Elaborate tests were performed with the system to qualify all components and circuits for the stringent requirements.

The Mercury-Redstone's three successful unmanned test flights and two successful manned suborbital flights indicate that the systems approach is sound and that the concepts in systems design are advanced enough to be applied to larger space vehicles.

The experience gained in many missile systems over the past years was carefully applied to the present systems such as Saturn. The Saturn, a large multistage space carrier vehicle, demands an extremely well-coordinated engineering and design effort to fit all stages into one workable system. Overall systems design direction and standardization, within stages, are absolutely necessary. The first block of Saturn vehicles will show what this effort means.

The electrical interconnect diagram of the Saturn first stage shows the breakdown into 16 major areas. This breakdown was selected as a logical division into subassemblies and, in some cases, into subsystems. The interconnection diagram depicts the vehicle integration scheme and illustrates to some degree the complexity of the present Saturn electrical network; it is shown in Fig. 29.1.

The electrical system used in Block One Saturn vehicles serves to supply power for the operating and switching functions needed by the various vehicle subsystems. Primary vehicle power is provided by the main batteries, which in many cases furnish the necessary power directly through the distributors to the electrically operated components. In other cases, battery power is converted into other voltages and frequencies by power supplies and routed to the subsystems through the distributors.

The entire integrating electrical network consists of cables and distributor boxes. Integration of the subsystems requires approximately 500 cable assemblies and nine distributors, since almost all components are served through distributors. This system guarantees a high degree of flexibility to incorporate design changes. The entire system can be built and checked out on the bench prior to assembly into the vehicle. This means a high assurance of quality and reliability, since accessibility prior to vehicle assembly is provided.

The Block One Saturn subsystems are established as follows:

1. Electrical power. The electrical power system consists of two 28-v batteries supplying two independent busses; one bus handles all steady loads, the other bus all variable loads. The steady loads are mainly the secondary power supplies, such as 5-v supplies for measuring voltage and the 60-v power supply for control components. The variable loads are heaters, relays, valves and cooling equipment. Each battery will carry its total load during flight after power switch-over from ground supply shortly before ignition of the engines.

Fig. 29.1 Electrical interconnect diagram for first stage of Saturn.

2. Pressurization. The propellant tanks are pressurized by two pressurizing systems. Fuel tank pressurization is controlled by valves in the manifold system which regulate the nitrogen gas supply with pressure switches. The fuel tanks are initially pressurized by the ground system prior to ignition. Pressure level is maintained during powered flight by pressure switch sensing, which activates required valves in a controlled sequence as fuel is consumed.

The liquid oxygen tanks are initially pressurized by a ground pressure supply. After ignition, liquid oxygen is gasified by running it through a heat exchanger. The gas then maintains the desired pressure within the liquid oxygen tanks. Mechanical vent valves relieve excess pressure through the preset valve. These tanks may be electrically vented from the blockhouse at any time prior to liftoff.

3. Engine start and cutoff. The fuel and oxidizer are fed to the engine by turbine-powered pumps. Initial turbine momentum is given by the turbine spinner, which is started by squibs ignited by an electrical signal from the ground equipment. The turbine spinner is sustained by fuel and oxidizer burning in the gas generator. After initial startup, fuel pressure maintains engine operation. The eight Saturn engines are started with the ground equipment in a staggered sequence pattern. Only two engines are ignited simultaneously. The four groups of two engines are ignited 100 msec apart. All engines are monitored for combustion and proper buildup of hydraulic fluid pressure needed for engine gimbaling. These criteria are monitored for 3.3 sec to ensure that all eight engines are running properly and that hydraulic pressure is maintained.

Only if these indications are satisfactory does the ground support equipment (GSE) continue the launch sequence with the thrust-commit signal. This signal deenergizes a relay in the vehicle to energize the one-engine out bus. Energizing this bus enables the vehicle to give cutoff automatically to one engine if the thrust falls below the specified limits. When one engine is cut off prior to liftoff, the remaining engines are also cut off in a given, patterned sequence. Should the thrust of any engine drop below the specified limits during the first 10 sec of flight, that engine will be cut off, and the engine out circuits will be deactivated to prevent the other engines from being cut off because of low thrust. This circuit is reactivated at liftoff-plus-10-sec so that the other engines with low thrust may be cut off. Emergency cutoff may be given from the ground by radio link, through the destruct command receivers, any time after liftoff. This signal will switch all engines off at once. Normal cutoff sequence is provided by liquid level sensors in the fuel and oxidizer tanks. When fuel and oxidizer consumption reaches a preset low level, the cutoff for the four inboard engines is triggered. Derived from this signal 6 sec later, the outboard engines are also cut off. In the engine cutoff sequence, circuitry is provided to insure that there are more than two outboard engines running at one time.

4. Flight sequencing. The program device is the source of all inflight sequence events. It provides accurate time pulses to initiate and execute guidance, control, and sequenced functions. The program device is a precise, six-channel, magnetic tape recorder, of which three channels are presently used:

  1. One channel provides the tilt program.
  2. One channel initiates telemeter inflight calibration.
  3. One channel stimulates the overall vehicle sequencing.

The program device is started from zero at liftoff, relating all sequence events of the channels to liftoff as the time base. Shortly before calculated inboard engine cutoff, the program device is stopped and restarted at the actual inboard engine cutoff signal. This provides a new time base for the upper-stage operational sequence based on inboard engine cutoff. This has the advantage of eliminating the tolerances of carrier vehicle performance; cutoff predictions are theoretical values only. All overall vehicle sequencing stimulated by the program device is executed by the flight sequencer, a chain of relays that respond to pulses from the program device.

5. Control. The heart of the control system is the stabilized platform and its executing equipment. The stabilized platform serves as inflight reference for signals to the control system. The control system senses and corrects vehicle inflight inaccuracies through null-seeking devices that continuously compare actual flight information with the programmed flight path. The signals and values derived from the stabilized platform are transmitted to the control computer. The control computer in turn translates these signals into control signals. The output signals are executed by hydraulic servo actuators, which gimbal the four control engines accordingly.

6. Inflight cooling. To assure proper operation of some inflight equipment within the given tolerances, an inflight cooling system regulates the temperature within the pressurized canisters where this equipment is housed.

7. Heating. The air required by the air-bearing gyros is heated to maintain the stringent tolerances of the platform. A temperature sensing device monitors and maintains this temperature within the preset limits as the stabilized platform is in operation. The angle-of-attack meters used with the control system are also heated to prevent icing during flight.



8. Tracking. The Saturn tracking equipment consists of two radar units, Udop, Azusa, and their associated antennas. The equipment is powered and operated through vehicle circuitry. There are four continuously burning lights tracked by CZR cameras for a period after liftoff. The flight sequencer turns the lights off after the vehicle is out of camera reach.

9. Telemetering. The Saturn vehicle carries eight telemeter links which are used to transmit about 600 measurements back to ground rf receiving stations. These measurements are routed and signal-conditioned from all areas of the vehicle to the proper telemetry channel for transmission.

These short descriptions of the major areas to be combined into one overall system indicate the necessity of well-defined technical system coordination. A thorough knowledge of the system's functional operation is essential for the systems designer. The design must provide not only reliable, and in some areas redundant, operation during the flight application, but also the means of complete functional checkout after completion of assembly, preflight, and launch operations.

Before entering the area of ground checkout equipment, a few words should be said about some features in the vehicle system. Since eight engines have to be operated during the propelled flight phase, the probability of one engine failure cannot be overlooked. The engine start and cutoff sequences have been described before. If one engine is lost due to some malfunction, a hazardous condition may be created for the overall system. Since combustion chamber pressure is sensed as the criterion for proper engine behavior, this indication is utilized to cut a particular engine off. The eight engines are in individual compartments, and a fire in one compartment should be localized to that area. All propellant supply will be shut off properly by sequence; however, a fire or minor explosion may destroy all electrical lines in this engine compartment. The design provides short circuit protection; one short of any operational electrical line to another or to the vehicle structure below the fire wall will not affect the rest of the system. All measuring pickups in each engine area are also fed by its own measuring power supply. These pickups are protected by line resistors to maintain operation in this troubled area as long as possible while not affecting the measurements in other areas of the vehicle.
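The engine-out cutoff rules given under "Engine start and cutoff" above can be modeled as a small state machine. The Python sketch below is an illustration added here, not part of the original paper; the engine numbering, the class and method names, and the order of the pad shutdown are assumptions, since the text does not give them.

```python
from dataclasses import dataclass, field

INBOARD = (1, 2, 3, 4)     # engine numbering is an assumption of this sketch
OUTBOARD = (5, 6, 7, 8)
LOCKOUT_END_S = 10.0       # "first 10 sec of flight" (from the text)
OUTBOARD_DELAY_S = 6.0     # outboard cutoff follows inboard by 6 sec (from the text)


@dataclass
class EngineOutInterlock:
    """Hypothetical model of the one-engine-out bus and cutoff sequencing."""
    running: set = field(default_factory=lambda: set(INBOARD + OUTBOARD))
    bus_armed: bool = False    # one-engine-out bus, energized at thrust commit
    lifted_off: bool = False
    locked_out: bool = False   # engine-out circuits deactivated after a cutoff

    def thrust_commit(self):
        # GSE saw good combustion and hydraulic pressure and arms the bus.
        self.bus_armed = True

    def liftoff(self):
        self.lifted_off = True

    def low_thrust(self, engine, t):
        """Engine reports thrust below limits at t seconds from liftoff.
        Returns the engines cut off by the vehicle, in order."""
        if not self.bus_armed or engine not in self.running:
            return []          # before thrust commit the GSE is the monitor
        if not self.lifted_off:
            # On the pad: the failed engine goes first, then all the others.
            # The real "patterned sequence" is not given; sorted order is a
            # placeholder.
            order = [engine] + sorted(self.running - {engine})
            self.running.clear()
            return order
        if t >= LOCKOUT_END_S:
            self.locked_out = False      # circuit reactivated at liftoff+10 s
        if self.locked_out:
            return []                    # keep remaining engines burning
        self.running.discard(engine)
        if t < LOCKOUT_END_S:
            self.locked_out = True       # no second automatic cutoff yet
        return [engine]

    def emergency_cutoff(self):
        """Radio-link command; the text describes it only after liftoff."""
        if not self.lifted_off:
            return []
        cut = sorted(self.running)
        self.running.clear()
        return cut                       # all engines off at once

    def normal_cutoff(self, t):
        """Propellant level sensors trip at time t: inboard now, outboard
        6 s later. Returns the schedule as (time, engines) pairs."""
        inboard = sorted(self.running & set(INBOARD))
        outboard = sorted(self.running & set(OUTBOARD))
        self.running.clear()
        return [(t, inboard), (t + OUTBOARD_DELAY_S, outboard)]


def demo():
    """Constructed flight: engine 2 fails at T+3 s, engine 6 sags at T+5 s
    and is still low at T+12 s, propellant runs low at T+140 s."""
    s = EngineOutInterlock()
    s.thrust_commit()
    s.liftoff()
    return [s.low_thrust(2, 3.0), s.low_thrust(6, 5.0),
            s.low_thrust(6, 12.0), s.normal_cutoff(140.0)]


if __name__ == "__main__":
    print(demo())
```

The second report in the demo returns an empty list: during the first 10 sec a second low-thrust engine is left running, which is the case the lockout exists for.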

All circuits for vehicle destruction are completely redundant, from power source to explosive train. For future application, an exploding bridgewire system will be introduced for all ordnance items as substitutes for the present sensitive squibs in which elaborate protective circuitry complicates the system unnecessarily.

The function of the ground checkout system for the Saturn is not a new concept. As in previous projects, it is still designed to check out all vehicle circuits in various subsystem tests. All subsystems are checked out and qualified, then the overall system is operated with the same equipment, bypassing all inapplicable subsystems test circuits. The overall systems test, if fully automated in itself, creates signals in the ground checkout equipment and returns the resultant stimulus for the next step in the automated process. This method will consider all critical functions during the countdown, and a failure at any point of the sequence will stop the countdown and return the system to a safe condition.

Since the complexity of the entire system is considerably increased compared with other known systems, new methods of manufacturing are being established. The rack and panel concept was introduced to build up the entire system by use of modules. Distribution racks were designed on which standardized connectors are wired to an IBM patchboard. This results in standardization and a high degree of flexibility. The connectors will receive either an incoming or an outgoing cable. They will also receive standardized relay modules, diode modules, resistor modules, transistor modules, etc. Standardized modules and the racks with the connectors can be fabricated in quantity long before circuit definition. After the system circuits are established and detailed design is finished, the IBM patchboard will interconnect all modules. This patchboard can be defined late in the schedule to incorporate all design refinements or changes. In the area of control panels this system cannot be adapted readily; however, standardization of panels and components has been maintained throughout the program and stages involved so far. This has considerably shortened the design and manufacturing time, as well as lowering the cost.

For the present, the same equipment used for checkout will be used for stage static firings as well as for final checkout at the manufacturing site and launch site. The concept, as described, will serve the overall Saturn system as long as it stays with the present scheme of operation. The system proved itself to be extremely satisfactory at the first Saturn firing; no technical difficulties arose during the countdown and inflight operation.

The problem of increased distance between launch pad and blockhouse will dictate a different overall scheme for several reasons. The main reason is the safety distance in the case of a mishap. This and other considerations, such as increased firing density, quicker checkout, and better data retrieval, lead into a new scheme of vehicle electrical systems for the single stage as well as for the assembled configuration. A scheme will be chosen to standardize stage checkout at the manufacturer's site for all stages of the system, and to continue to launch operations. The scheme will make use of a digital method and the automation of all system checks.



The question may arise as to the necessity of automating to this degree, since the present automated countdown has worked satisfactorily. Before going into this major effort of generating a sophisticated automatic system, the advantages and disadvantages should be discussed. If a properly operating system is assumed, the biggest advantage to be gained will be improvement of the overall systems reliability, and an overall time saving for various phases of testing and launch preparation. The human error can be eliminated in the checkout procedure. Standardized testing will occur throughout the vehicle test program and complete test results will be printed out and available for design improvement studies. Since running time utilized for the testing procedure will be cut to a minimum, the effective mean time-to-failure ratio for the vehicle will be increased.

Once a system is correctly automated, more thorough testing can be achieved in much less time than in the manual case. Therefore, the confidence of firing personnel in the flight hardware can be increased. When a system failure has been noted, the exact condition under which the failure occurred can be easily duplicated. More complete data can be gathered at the instant of failure to aid in trouble-shooting and fault isolation. The anticipated schedules for Saturn flights will require automation of the checkout procedures to save time and to make the best use of personnel.

Since the advantages have been reviewed, we can now look at the disadvantages and the reasons of failure of some known automated systems. The first disadvantage is the complexity introduced in an overall system by adding automated features. The complexity in many cases has been generated, not because it was required, but rather because of conditions under which the design occurred. Lack of confidence in the system on part of the user in many cases has been another disadvantage for automated systems. Inadequate learning time for the user has resulted because of poor planning and crash program conditions. One of the major reasons for automatic checkout system failures has been inadequate planning in the area of checkout program generation -- those instructions in machine language that tell each component exactly what to do. More than one program has resulted in capable, but ignorant, checkout hardware.

Another item that should not be overlooked is the degeneration of operator knowledge about the total system in the presence of working automation. A system may work so well that the operators lose touch with the actual process being carried out; when there is trouble, panic and lost time occur. Any well thought-out automation program must consider and overcome these disadvantages.

The state of the art in various types of checkout equipment, both analog and digital, has greatly improved over the last few years. It is possible to obtain reliable conversion and processing equipment to work with digital intelligence equipment of greater reliability than ever before. It is now possible to foresee a checkout system made up of existing equipment that is reliable and accurate. In the Saturn program it will be possible to have checkout equipment operating in an air conditioned environment. It can be operated by engineering personnel and subjected to preventive maintenance, and it can achieve the reliability currently expected of industrial automation. Once a system is working, it can be expected to continue to do so. An automatic checkout system tailored specifically to the needs of the Saturn and Nova programs can be generated with a high degree of confidence that the system will work properly.

The following automation requirements should be followed for the overall system:

  1. The development must cover all foreseeable programs from Saturn C-1 through Nova.
  2. The same technologies, in fact the same hardware wherever possible, should be used throughout the Saturn-Nova developments, just as vehicle technologies in hardware are being utilized from one vehicle configuration to another.
  3. The hardware and techniques developed must fit into the plans and facilities of both the contractor and the launch site.
  4. The system must provide for both manual and automatic operation in an either/or fashion until user confidence and training are adequate.
  5. Maximum time should be provided for personnel training and systems design proofing.
  6. The test programming of delivered hardware will be adequate and proven.
  7. A systematic method of data processing must be developed to handle the large flow of test results and performance history generated by the automatic process.

Before discussing the various checkout configurations and plans, it is necessary to clarify and define certain operations and test conditions. The vehicle measurements and controls are separated into: (1) operational measurements and controls used to prepare and launch the vehicle; and (2) telemetry measurements used to evaluate flight performance.

Measurements of the state of the vehicle are needed for both vehicle operation and for measuring programs. Such measurements go both to the operational equipment and to the telemetry system. Prior to assembly, the stage also has operational and measuring and telemetry checkout requirements. Separate stage interface GSE is generated as an integral part of the stage design. The equipment may be no more than a standard electrical distribution system or, in some cases, it may contain controls and manual monitoring equipment. Some versions may have such items as analog to digital conversion equipment to allow proper mating with digital ground support equipment.



Stage interface GSE is broken into two main categories: circuitry concerned with the operational task, and circuitry utilized to manipulate and evaluate the measuring and telemetry hardware. Here the stage and its interface GSE are connected to the facility test equipment. Non-electrical stimuli, such as pressures, are fed directly from the facility test equipment to the vehicle. To properly simulate upper and lower interfaces, stage substitutes are provided so that the entire operation can be evaluated. In the case of liquid propulsion stages, most of this operation would be concerned with evaluating and calibrating the outputs of the various measuring adapters contained within the stage. The future development of an rf link can reduce the number of hard wires which travel through the stage interface GSE. Interface GSE for measuring and telemetry systems will consist of electrical measurement stimulation circuitry and a set of digital acquisitional equipment.

At the launch site all measuring and telemetry information can be received through an rf link from each stage or up to launch day through a coaxial cable to avoid radiation. All of the operational portions of the stage interface GSE are connected to the operational and launch equipment, thus completing the circuitry required to prepare and launch the vehicle. The intelligence and comparison units to handle the operational measurements and controls of the vehicle system will be the computer complex. The heart of this complex will be a medium-size general-purpose digital computer, which will handle the digital guidance equipment. The computer will be expanded to handle the various types of analog and digital equipment in operational checkout. It also will generate commands and data to preset and launch the vehicle.

As soon as the digital guidance system is introduced in the present Saturn C-1 configuration, automatic checkout equipment will be installed at the stage contractor site as well as at the launch site. For a number of vehicles, the dual capability of manual and automatic checkout possibilities will be available until the new digital checkout system can be proven. By the time the Saturn C-4 configuration is ready to be launched, it will be mandatory that the new automatic checkout scheme with the digital mode be operational because the distances between launch site and control room are so great that no other method will be possible.

The new automatic system will demand an extreme amount of engineering discipline and enforcement of standardization at the stage contractor's plant as well as at the launch site, to make the system reliable and to achieve our goal.


