Space Shuttle Main Engine Controllers

The controller is an electronics package mounted on each SSME. It contains two digital computers and the associated electronics to control all main engine components and operations. The controller is attached to the main combustion chamber by shock-mounted fittings.

Each controller operates in conjunction with engine sensors, valves, actuators and spark igniters to provide a self-contained system for engine control, checkout and monitoring. The controller provides engine flight readiness verification; engine start and shutdown sequencing; closed-loop thrust and propellant mixture ratio control; sensor excitation; valve actuator and spark igniter control signals; engine performance limit monitoring; onboard engine checkout, response to vehicle commands and transmission of engine status; and performance and maintenance data.

Each engine controller receives engine commands transmitted by the orbiter's general-purpose computers through its own engine interface unit. The engine controller provides its own commands to the main engine components. Engine data are sent to the engine controller, where they are stored in a vehicle data table in the controller's computer memory. Data on the controller's status compiled by the engine controller's computer are also added to the vehicle data table. The vehicle data table is periodically output by the controller to the EIU for transmission to the orbiter's GPCs.

The engine interface unit is a specialized multiplexer/demultiplexer that interfaces with the GPCs and with the engine controller. When engine commands are received by the EIU, the data are held in a buffer until the EIU receives a request for data from the GPCs. The EIU then sends data to each GPC. Each EIU is dedicated to one space shuttle main engine and communicates only with the engine controller that controls its SSME. The EIUs have no interface with each other.

The controller provides responsive control of engine thrust and propellant mixture ratio through the digital computer in the controller, updating the instructions to the engine control elements 50 times per second (every 20 milliseconds). Engine reliability is enhanced by a dual-redundant system that allows normal operation after the first failure and a fail-safe shutdown after a second failure. High-reliability electronic parts are used throughout the controller.

The digital computer is programmable, allowing engine control equations and constants to be modified by changing the stored program (software). The controller is packaged in a sealed, pressurized chassis and is cooled by convection heat transfer through pin fins as part of the main chassis. The electronics are distributed on functional modules with special thermal and vibration protection.

The controller is divided into five subsystems: input electronics, output electronics, computer interface electronics, digital computer and power supply electronics. Each subsystem is duplicated to provide dual-redundant capability.

The input electronics receive data from all engine sensors, condition the signals and convert them to digital values for processing by the digital computer. Engine control sensors are dual-redundant, and maintenance data sensors are non-redundant.

The output electronics convert computer digital control commands into voltages suitable for powering the engine spark igniters, the off/on valves and the engine propellant valve actuators.

The computer interface electronics control the flow of data within the controller, data input to the computer and computer output commands to the output electronics. They also provide the controller interface with the vehicle engine electronics interface unit for receiving engine commands through triple-redundant channels from the vehicle and for transmitting engine status and data through dual-redundant channels to the vehicle. The computer interface electronics include the watchdog timers that determine which channel of the dual-redundant mechanization is in control.

The digital computer is an internally stored, general-purpose computer that provides the computational capability necessary for all engine control functions. The memory has a program storage capacity of 16,384 data and instruction words (17-bit words; 16 bits for program use, one bit for parity).

The power supply electronics convert the 115-volt, three-phase, 400-hertz vehicle ac power to the individual power supply voltage levels required by the engine control system and monitor the level of power supply channel operation to ensure it is within satisfactory limits.

Each orbiter GPC, operating in a redundant set, issues engine commands to the engine interface units for transmission to their corresponding engine controllers. Each orbiter GPC has SSME subsystem operating program applications software residing in it. Engine commands are output over the engine's assigned flight-critical data bus (a total of four GPCs outputting over four FC data buses). Therefore, each EIU will receive four commands. The nominal ascent configuration has GPCs 1, 2, 3 and 4 outputting on FC data buses 5, 6, 7 and 8, respectively. Each FC data bus is connected to one multiplexer interface adapter in each EIU.

The EIU checks the received engine commands for transmission errors. If there are none, the EIU passes the validated engine commands on to the controller interface assemblies, which output the validated engine commands to the engine controller. An engine command that does not pass validation is not sent to the controller interface assembly. Instead, it is dead-ended in the EIU's multiplexer interface adapter. Commands that come through MIAs 1 and 2 are sent to CIAs 1 and 2, respectively. Commands that come to MIAs 3 and 4 pass through a CIA 3 data-select logic. This logic outputs the command that arrives at the logic first, from either MIA 3 or 4. The other command is dead-ended in the CIA 3 select logic. The selected command is output through CIA 3. In this manner, the EIU reduces the four commands sent to the EIU to three commands output by the EIU.

The engine controller vehicle interface electronics receive the three engine commands output by its EIU, check for transmission errors (hardware validation), and send controller hardware-validated engine commands to the controller A and B electronics. Normally, channel A electronics are in control, with channel B electronics active, but not in control. If channel A fails, channel B will assume control. If channel B subsequently fails, the engine controller will shut down the engine pneumatically. If two or three commands pass voting, the engine controller will issue its own commands to accomplish the function commanded by the orbiter GPCs. If command voting fails and two or all three commands fail, the engine controller will maintain the last command that passed voting.
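The four-to-three command reduction in the EIU and the controller's command voting described above can be modeled as follows; this is an added example, not NASA or flight software code. Assumptions: the `valid` flag stands in for the transmission-error check, `arrival` is a constructed timestamp, the command words are constructed, and "passing voting" is taken to mean that at least two of the three commands agree, which the page does not spell out.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Cmd:
    """One engine command as seen at an EIU multiplexer interface adapter (MIA)."""
    mia: int              # MIA 1-4, fed by FC data buses 5-8 in the nominal ascent setup
    word: str             # command content (constructed sample values)
    valid: bool = True    # assumption: outcome of the transmission-error check
    arrival: float = 0.0  # assumption: arrival time, used only by the CIA 3 select logic

def eiu_reduce(cmds):
    """Reduce up to four MIA commands to at most three CIA outputs."""
    ok = {c.mia: c for c in cmds if c.valid}       # invalid commands dead-end in the MIA
    out = {cia: ok[cia].word for cia in (1, 2) if cia in ok}
    candidates = [ok[m] for m in (3, 4) if m in ok]
    if candidates:                                 # CIA 3 outputs whichever arrived first
        out[3] = min(candidates, key=lambda c: c.arrival).word
    return out

class Controller:
    """Assumed voting rule: a command passes when at least 2 of 3 CIA inputs agree."""
    def __init__(self):
        self.last_passed = None

    def vote(self, cia_out):
        if cia_out:
            word, count = Counter(cia_out.values()).most_common(1)[0]
            if count >= 2:
                self.last_passed = word
        return self.last_passed                    # on a failed vote, hold the last good command

if __name__ == "__main__":
    ctl = Controller()
    # Constructed traffic: a nominal cycle, then a cycle with two corrupted commands.
    nominal = [Cmd(m, "CMD_A", arrival=float(m)) for m in (1, 2, 3, 4)]
    print(eiu_reduce(nominal), "->", ctl.vote(eiu_reduce(nominal)))
    degraded = [Cmd(1, "CMD_B", valid=False), Cmd(2, "CMD_B"),
                Cmd(3, "CMD_B", valid=False), Cmd(4, "CMD_C")]
    print(eiu_reduce(degraded), "->", ctl.vote(eiu_reduce(degraded)))
```

In the second cycle only two commands reach the controller and they disagree, so the vote fails and the controller keeps acting on the last command that passed.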

The backup flight system computer, GPC 5, contains SSME hardware interface program applications software. When the four primary GPCs (1, 2, 3 and 4) are in control, the BFS GPC does no commanding. When GPC 5 is in control, the BFS sends commands to, and requests data from, the EIU; and in this configuration, the four primary GPCs neither command nor listen. The BFS, when engaged, allows GPC 5 to command FC buses 5, 6, 7 and 8 for main engine control through the SSME HIP. The SSME HIP performs the same main engine command functions as the SSME subsystem operating program. The command flow through the EIUs and engine controllers is the same when the BFS is engaged as for the four-GPC redundant set.

The engine controller provides all the main engine data to the GPCs. Sensors in the engine supply pressures, temperatures, flow rates, turbopump speeds, valve position and engine servovalve actuator positions to the engine controller. The engine controller assembles these data into a vehicle data table and adds status data of its own to the vehicle data table. The vehicle data tables are output by channels A and B to the vehicle interface electronics for transmission to the EIUs. The vehicle interface electronics output over both data paths. The data paths are called primary and secondary. The channel A vehicle data table is normally sent over both the primary and secondary data paths. If channel B is in control (channel A has failed), then the vehicle interface electronics output the channel B vehicle data table over both the primary and secondary data paths.

The vehicle data table is sent by the controller to the EIU. There are only two data paths versus three command paths between the engine controller and the EIU. The data path that interfaces with CIA 1 is called primary data. The path that interfaces with CIA 2 is called secondary data. Primary and secondary data are held in buffers until the GPCs send a data request command to the EIUs. The GPCs request both primary and secondary data. Primary data is output only through MIA 1 on each EIU. Secondary data is output only through MIA 4 on each EIU.

During prelaunch, the orbiter's computers look at both primary and secondary data. Loss of either primary or secondary data will result in data path failure and either an engine ignition inhibit or a launch pad shutdown of all three main engines.

At T minus zero, the orbiter GPCs request both primary and secondary data from each EIU. For no failures, only primary data are looked at. If there is a loss of primary data (which can occur between the engine controller channel A electronics and the SSME SOP), the secondary data are looked at.

Two primary computer software programs are written for the engine controller: the flight operational program and the test operational program. The flight operational program is an on-line, real-time, process-control program that processes inputs from engine sensors; controls the operation of the engine servovalves, actuators, solenoids and spark igniters; accepts and processes vehicle commands; provides and transmits data to the vehicle; and provides checkout and monitoring capabilities. The test operational program supports engine testing. Functionally, it is similar to the flight operational program but differs with respect to implementation. The computer software programs are modular and are defined as computer program components, which consist of a data base organized into tables and 15 computer program components. During application of the computer program components, the programs perform data processing for failure detection and status to the vehicle. As system operation progresses through an operating phase, different combinations of control functions are operative at different times. These combinations within a phase are defined as operating modes.

The checkout phase initiates active control monitoring or checkout. The standby mode in this phase is a waiting mode of controller operation while active control sequence operations are in process. Monitoring functions that do not affect engine hardware status are continually active during the mode. Such functions include processing of vehicle commands, status update and controller self-test. During checkout, data and instructions can be loaded into the engine controller's computer memory. This permits updating of the software program and data as necessary to proceed with engine-firing operations or checkout operations. Also in this phase, component checkout, consisting of checkout or engine leak tests, is performed on an individual engine system component.

The start preparation phase consists of system purges and propellant conditioning, which are performed in preparation for engine start. The purge sequence 1 mode is the first purge sequence, including oxidizer system and intermediate seal purge operation. The purge sequence 2 mode is the second purge sequence, including fuel system purge operation and the continuation of purges initiated during purge sequence 1. The purge sequence 3 mode includes propellant recirculation (bleed valve operation). The purge sequence 4 mode includes fuel system purge and the indication that the engine is ready to enter the start phase. The engine-ready mode occurs when proper engine thermal conditions for start have been attained and other criteria for start have been satisfied, including a continuation of the purge sequence 4 mode.

The start phase covers operations involved with starting or firing the engines, beginning with scheduled open-loop operation of propellant valves. The start initiation mode includes all functions before ignition is confirmed and the closing of the thrust control loop. The thrust buildup mode detects ignition by monitoring main combustion chamber pressure and verifying that closed-loop thrust buildup sequencing is in progress.

The main stage phase is automatically entered upon successful completion of the start phase. The normal control mode has initiated mixture ratio control, and thrust control is operating normally. In case of a malfunction, the electrical lock mode will be activated. In that mode, engine propellant valves are electrically held in a fixed configuration, and all control loop communications are suspended. There is also the hydraulic lockup mode, in which all fail-safe valves are deactivated to hydraulically hold the propellant valves in a fixed configuration and all control loop functions are suspended.

The shutdown phase covers operations to reduce main combustion chamber pressure and drive all valves closed to effect full engine shutdown. Throttling to minimum power level is the portion of the shutdown in progress at a programmed shutdown thrust reference level above the MPL. The valve schedule throttling mode is the stage in the shutdown sequence at which the programmed thrust reference has decreased below the MPL. Propellant valves closed is the stage in the shutdown sequence after all liquid propellant valves have been closed, the shutdown purge has been activated, and verification sequences are in progress. The fail-safe pneumatic mode is when the fail-safe pneumatic shutdown is used.

The post-shutdown phase represents the state of the SSME and engine controller at the completion of engine firing. The standby mode is a waiting mode of controller operations whose functions are identical to those of standby during checkout. It is the normal mode that is entered after completion of the shutdown phase. The terminate sequence mode terminates a purge sequence by a command from the vehicle. All propellant valves are closed, and all solenoid and torque motor valves are de-energized.

Each controller utilizes ac power provided by the MPS engine power left, ctr, right switches on panel R2.

Each controller has internal electrical heaters that provide environmental temperature control and are powered by main bus power through a remote power controller. The RPC is controlled by the main propulsion system engine cntrl htr left, ctr, right switches on panel R4. The heaters are not normally used until after main engine cutoff and are only turned on if environmental control is required during the mission.


Curator: Kim Dismukes | Responsible NASA Official: John Ira Petty | Updated: 04/07/2002