Return to Human Space Flight home page

Backup Flight Control

Even though the four primary avionics software system GPCs control all GN&C; functions during the critical phases of the mission, there is always a possibility that a generic failure could cause loss of vehicle control. Thus, the fifth GPC is loaded with different software created by a different company than the PASS developer. This different software is the backup flight system. To take over control of the vehicle, the BFS monitors the PASS GPCs to keep track of the current state of the vehicle. If required, the BFS can take over control of the vehicle upon the press of a button. The BFS also performs the systems management functions during ascent and entry because the PASS GPCs are operating in GN&C.; BFS software is always loaded into GPC 5 before flight, but any of the five GPCs could be made the BFS GPC if necessary.

The BFS interface programs, events and applications controllers, and GN&C; are provided by the Charles Stark Draper Laboratory Inc., Cambridge, Mass. The remainder of the software, as well as the integration of the total backup flight control system, is provided by Intermetrics and Rockwell International. The GN&C; software is written in HAL/S by Intermetrics of Boston, Mass.

Since the BFS is intended to be used only in a contingency, its programming is much simpler than that of the PASS. Only the software necessary to complete ascent or entry safely, maintain vehicle control in orbit and perform systems management functions during ascent and entry is included. Thus, all the software used by the BFS can fit into one GPC and never needs to access mass memory. For added protection, the BFS software is loaded into the MMUs in case of a BFS GPC failure.

The BFS, like PASS, consists of system software and applications software. System software in the BFS performs basically the same functions as it does in PASS. These functions include time management, PASS/BFS interface, multifunction CRT display system, input/output, uplink/downlink and engage/disengage control. The system software is always operating when the BFS GPC is not in halt.

Applications software in the BFS has different major functions, GN&C; and systems management; but all of its applications software resides in main memory at one time, and the BFS can process software in both major functions simultaneously. The GN&C; functions of the BFS, designed as a backup capability, support the ascent phase beginning at major mode 102 and the deorbit/entry phase beginning at major mode 301. In addition, the various ascent abort modes are supported by the BFS. The BFS provides only limited support for on-orbit operations through major modes 106 or 301. Because the BFS is designed to monitor everything the PASS does during ascent and entry, it has the same major modes as the PASS in OPS 1, 3 and 6.

The BFS systems management contains software to support the ascent and entry phases of the mission. Whenever the BFS GPC is in the run or standby mode, it runs continuously; however, the BFS does not control the payload buses in standby. The systems management major function in the BFS is not associated with any operational sequence.

Even though the five general-purpose computers and their switches are identical, the GPC mode switch on panel O6 works differently for a GPC loaded with BFS. Since halt is a hardware-controlled state, no software is executed. The standby mode in the BFS GPC is totally different from its corollary in the PASS GPCs. When the BFS GPC is in standby, all normal software is executed as if the BFS were in run, the only difference being that BFS command of the payload data buses is inhibited in standby. The BFS is normally put in run for ascent and entry and in standby whenever a PASS systems management GPC is operating. If the BFS is in standby or run, it takes control of the flight-critical and payload data buses if engaged. The mode talkback indicator on panel O6 indicates run if the BFS GPC is in run or standby and displays a barberpole if the BFS is in halt or has failed.

The BFS is synchronized with PASS so that it can track the PASS and keep up with its flow of commands and data. Synchronization and tracking take place during OPS 1, 3 and 6. During this time, the BFS listens over the flight-critical data buses to the requests for data by PASS and to the data coming back. The BFS depends on the PASS GPCs for all of its GN&C; data and must be synchronized with the PASS GPCs so that it will know when to receive GN&C; data over the FC buses. When the BFS is in sync and listening to at least two strings, it is said to be tracking PASS. As long as the BFS is in this mode, it maintains the current state vector and all other information necessary to fly the vehicle in case the flight crew needs to engage it. The BFS uses the same master timing unit source as PASS and keeps track of Greenwich Mean Time over the flight-critical buses for synchronization.

The BFS also monitors some inputs to PASS CRTs and updates its own GN&C; parameters accordingly. When the BFS GPC is tracking the PASS GPCs, it cannot command over the FC buses but may listen to FC inputs through the listen mode.

The BFS GPC controls its own instrumentation/PCMMU data bus. The BFS GPC intercomputer communication data bus is not used to transmit status or data to the other GPCs; and the MMU data buses are not used except during initial program load and MMU assignment, which use the same IPL source switch used for PASS IPL.

A major difference between the PASS and BFS is that the BFS can be shifted into OPS 1 or 3 at any time, even in the middle of ascent or entry.

The BFC lights on panels F2 and F4 remain unlighted as long as PASS is in control and the BFS is tracking. The lights flash if the BFS loses track of the PASS and stands alone. The flight crew must then decide whether to engage the BFS or try to initiate BFS tracking again by a reset. When BFS is engaged and in control of the flight-critical buses, the BFC lights are illuminated and stay on until the BFC is disengaged.

Since the BFS does not operate in a redundant set, its discrete inputs and outputs, which are fail votes from and against other GPCs, are not enabled; thus, the GPC matrix status light on panel O1 for the BFS GPC does not function as it does in PASS. The BFS can illuminate its own light on the GPC matrix status panel if the watchdog timer in the BFS GPC times out or if the BFS GPC does not complete its cyclic processing.

To engage the BFS, which is considered a last resort to save the vehicle, the crew presses a BFS engage momentary push button located on the commander's or pilot's rotational hand controller. As long as the RHC is powered and the BFS GPC output switch is in backup on panel O6, depressing the engage push button on the RHC engages the BFS and causes PASS to relinquish control during ascent or entry. There are three contacts in each engage push button, and all three contacts must be made to engage the BFS. The signals from the RHC are sent to the backup flight controller, which handles the engagement logic.

When the BFS is engaged, the BFC lights on panels F2 and F4 are illuminated; the BFS output talkback indicator on panel O6 turns gray; all PASS GPC output and mode talkback indicators on panel O6 display a barberpole; the BFS controls the CRTs selected by the BFS CRT select switch on panel C3; big X and poll fail appear on the remaining CRTs; and all four GPC status matrix indicators for PASS GPCs are illuminated on panel O1.

When the BFS is disengaged and the BFC CRT switch on panel O3 is positioned to on, the BFS commands the first CRT indicated by the BFC CRT select switch. The BFC CRT select switch positions on panel C3 are 1 + 2 , 2 + 3 and 3+1. When the BFS is engaged, it assumes control of the second CRT as well.

If the BFS is engaged during ascent, the PASS GPCs can be recovered on orbit to continue a normal mission. This procedure takes about two hours, since the PASS inertial measurement unit reference must be re-established. To disengage the BFS after all PASS GPCs have been hardware-dumped and software-loaded, the PASS GPCs must be taken to GN&C; OPS 3. Positioning the BFC disengage momentary switch on panel F6 to the up position disengages the BFS. The switch sends a signal to the BFC that resets the engage discretes to the GPCs. The BFS then releases control of the flight-critical buses as well as the payload buses if it is in standby, and the PASS GPCs assume command.

Indications of the PASS engagement and BFS disengagement are as follows: BFC lights on panels F2 and F4 are out, BFS output talkback indicator on panel O6 displays a barberpole, PASS output talkback indicators on panel O6 are gray and BFS release/PASS control appears on the CRT. After disengagement, the PASS and BFS GPCs return to their normal pre-engaged state.

If the BFS is engaged, there is no manual thrust vector control or manual throttling capability during first- and second-stage ascent. If the BFS is engaged during entry, the speed brake is positioned using the speed brake/thrust controller and the body flap is positioned manually. The BFC system also augments the control stick steering mode of maneuvering the vehicle with the commander's rotational hand controller.

The software of the BFC system is processed only for the commander's attitude director indicator, horizontal situation indicator and RHC. The BFC system supplies attitude errors on the CRT trajectory display, whereas PASS supplies attitude errors to the ADIs; however, when the BFC system is engaged, the errors on the CRT are blanked.

Curator: Kim Dismukes | Responsible NASA Official: John Ira Petty | Updated: 04/07/2002
Web Accessibility and Policy Notices