[AR] Re: The NASA paper on manual control of the Saturn.

  • From: Norman Yarvin <yarvin@xxxxxxxxxxxx>
  • To: arocket@xxxxxxxxxxxxx
  • Date: Wed, 13 Nov 2013 21:28:21 -0500

On Fri, Oct 11, 2013 at 12:47:07PM +1300, Michael Fincham wrote:
>On Thu, 10 Oct 2013 16:26:52 -0700 (GMT-07:00), David Weinshenker wrote:
>> Yes, please put it up for download somewhere
>
>I've put it up online here:
>
><http://finch.am/u/nasa-saturn-manual-control-pdf>
>
>It'll probably hang around for a while at that URL if anyone wants to
>grab a copy.


I just got around to having a look at it.  A few things stand out.
For one, this wasn't manual control as in "something that would work
if all the computers fail".  The pilot wasn't given eight levers, one
for each control signal (pitch and yaw for the four gimbaled F-1
engines), and told "have at it... you can control this thing, sure you
can, I mean you have ten fingers, and there are only eight signals, so
you have two fingers to spare".  Instead his control input was sent to
the control computer for the launch vehicle, which translated it into
engine movements.  If any computer was cut out of the equation, it was
the control computer for the spacecraft, which was also involved in
normal flight... but it seems like that computer was mostly just
relaying data from the gyros in the spacecraft (although that part
isn't described well in the paper, and others may wish to correct me
as to the true way the two computers interacted).  In any case,
technically, using the joystick didn't cut either computer out of the
loop; instead the pilot's signals were added to the computer's -- but
it seems like the joystick had enough control authority to thoroughly
override the computer's choice.  That is, as long as the computer was
working and obeying the joystick; "computer failure" does not appear
on the list of failure scenarios they considered.

Besides the joystick, the pilot was also given six switches to turn
off parts of the automatic control loop.  Those were in case various
sensors failed.  But they considered those sensor failures to be low
probability, and the ability to override them not a big contributor to
the overall benefit of the system.  Skimming through the procedures
for sensing those faults and flicking those switches (Appendix B),
they read like things that, these days, could and should be done in
software.

They found that it was important to give the pilot a "load relief
system", meaning lift sensors: he had a display showing the output of
accelerometers mounted near the center of mass of the vehicle, so that
what they sensed (at least in two dimensions) was aerodynamic lift.
The idea was to fly so as to minimize that lift -- which,
interestingly, was to be done even before any failure had occurred, so
as to give "a greater margin of safety in the event of a system
failure".  I don't know whether the astronauts actually ended up doing
that.

From simulating one particular failure (engine gimbal actuator hard
over, the failure mode they figured was the most probable) in "95%
wind", they gave the automatic system an "effectivity" of 0.488, the
piloted system with lift sensors an "effectivity" of 0.322, and the
piloted system with no lift sensors an "effectivity" of 0.045.  In
each case that number is the probability of the launcher being broken
up by wind and other forces, so a lower "effectivity" is better
(making it a poor choice of word -- but at least they weren't being
modern and politically correct, and using "piloted" as a euphemism for
"manned": here "piloted" actually means piloted).

But in some of the other failure scenarios the pilot didn't help: for
the "loss of thrust in one engine" scenario (another thing they
thought there was a big chance of, and rightly so), the differences in
success rates were marginal, and vehicle loss was highly probable.

These days, introducing extra lift sensors and only giving access to
them to the human would be cheating: the normal thing to do would be
to let the computer code use them too, for cross-checking and/or for
flying in a degraded mode.  But back in the days when every byte was
precious and computers were programmed in assembler (if not in machine
code), it was a normal sort of thing to do.  (For the simulations they
did for the paper, they didn't even use a digital computer; instead
they used "a 400-amplifier analog computer complex with extensive
function generation capability".)

But given that this wasn't computers versus wires-and-cables-and-
hydraulics but rather computers in automatic mode versus computers in
joystick mode, it's also permissible to wonder whether the joystick
mode was what it should have been.  Were the control parameters
altered appropriately for the engine-out scenario, for instance?  The
computer knew that the engine was out, and could have altered them --
but did it alter them, and if so did it do it well?  Likely not, since
if it did it well, why would a human be needed in the first place?  Or
maybe no possible control action would work in those cases -- they
were pushing the system rather hard, considering cases near max-Q and
with high winds and high wind shear, but they don't address the
question of whether the system was controllable in those failure
cases, or whether no possible set of commands would work.  (It's the
kind of question you could throw a lot of computer power at, these
days, but they didn't have a lot of computer power.)


-- 
Norman Yarvin                                   http://yarchive.net/blog
