Shuttle Main Engine Controllers
The controller is an electronics
package mounted on each SSME. It contains two digital computers
and the associated electronics to control all main engine components
and operations. The controller is attached to the main combustion
chamber by shock-mounted fittings.
Each controller operates in conjunction with engine sensors,
valves, actuators and spark igniters to provide a self-contained
system for engine control, checkout and monitoring. The controller
provides engine flight readiness verification; engine start and
shutdown sequencing; closed-loop thrust and propellant mixture
ratio control; sensor excitation; valve actuator and spark igniter
control signals; engine performance limit monitoring; onboard
engine checkout, response to vehicle commands and transmission
of engine status; and performance and maintenance data.
Each engine controller receives engine commands transmitted by
the orbiter's general-purpose computers through its own engine
interface unit. The engine controller provides its own commands
to the main engine components. Engine data are sent to the engine
controller, where they are stored in a vehicle data table in the
controller's computer memory. Data on the controller's status
compiled by the engine controller's computer are also added to
the vehicle data table. The vehicle data table is periodically
output by the controller to the EIU for transmission to the orbiter's
The engine interface unit is a specialized multiplexer/demultiplexer
that interfaces with the GPCs and with the engine controller.
When engine commands are received by the EIU, the data are held
in a buffer until the EIU receives a request for data from the
GPCs. The EIU then sends data to each GPC. Each EIU is dedicated
to one space shuttle main engine and communicates only with the
engine controller that controls its SSME. The EIUs have no interface
with each other.
The controller provides responsive control of engine thrust and
propellant mixture ratio throughout the digital computer in the
controller, updating the instructions to the engine control elements
50 times per second (every 20 milliseconds). Engine reliability
is enhanced by a dual-redundant system that allows normal operation
after the first failure and a fail-safe shutdown after a second
failure. High-reliability electronic parts are used throughout
The digital computer is programmable, allowing engine control
equations and constants to be modified by changing the stored
program (software). The controller is packaged in a sealed, pressurized
chassis and is cooled by convection heat transfer through pin
fins as part of the main chassis. The electronics are distributed
on functional modules with special thermal and vibration protection.
The controller is divided into five subsystems: input electronics,
output electronics, computer interface electronics, digital computer
and power supply electronics. Each subsystem is duplicated to
provide dual-redundant capability.
The input electronics receive data from all engine sensors, condition
the signals and convert them to digital values for processing
by the digital computer. Engine control sensors are dual-redundant,
and maintenance data sensors are non-redundant.
The output electronics convert computer digital control commands
into voltages suitable for powering the engine spark igniters,
the off/on valves and the engine propellant valve actuators.
The computer interface electronics control the flow of data within
the controller, data input to the computer and computer output
commands to the output electronics. They also provide the controller
interface with the vehicle engine electronics interface unit for
receiving engine commands that are triple-redundant channels from
the vehicle and for transmitting engine status and data through
dual-redundant channels to the vehicle. The computer interface
electronics include the watchdog timers that determine which channel
of the dual-redundant mechanization is in control.
The digital computer is an internally stored, general-purpose
computer that provides the computational capability necessary
for all engine control functions. The memory has a program storage
capacity of 16,384 data and instruction words (17-bit words; 16
bits for program use, one bit for parity).
The power supply electronics convert the 115-volt, three-phase,
400-hertz vehicle ac power to the individual power supply voltage
levels required by the engine control system and monitor the level
of power supply channel operation to ensure it is within satisfactory
Each orbiter GPC, operating in a redundant set, issues engine
commands to the engine interface units for transmission to their
corresponding engine controllers. Each orbiter GPC has SSME subsystem
operating program applications software residing in it. Engine
commands are output over the engine's assigned flight-critical
data bus (a total of four GPCs outputting over four FC data buses).
Therefore, each EIU will receive four commands. The nominal ascent
configuration has GPCs 1, 2, 3 and 4 outputting on FC data buses
5, 6, 7 and 8, respectively. Each FC data bus is connected to
one multiplexer interface adapter in each EIU.
The EIU checks the received engine commands for transmission
errors. If there are none, the EIU passes the validated engine
commands on to the controller interface assemblies, which output
the validated engine commands to the engine controller. An engine
command that does not pass validation is not sent to the controller
interface assembly. Instead, it is dead-ended in the EIU's multiplexer
interface adapter. Commands that come through MIAs 1 and 2 are
sent to CIAs 1 and 2, respectively. Commands that come to MIAs
3 and 4 pass through a CIA 3 data-select logic. This logic outputs
the command that arrives at the logic first, from either MIA 3
or 4. The other command is dead-ended in the CIA 3 select logic.
The selected command is output through CIA 3. In this manner,
the EIU reduces the four commands sent to the EIU to three commands
output by the EIU.
The engine controller vehicle interface electronics receive the
three engine commands output by its EIU, check for transmission
errors (hardware validation), and send controller hardware-validated
engine commands to the controller A and B electronics. Normally,
channel A electronics are in control, with channel B electronics
active, but not in control. If channel A fails, channel B will
assume control. If channel B subsequently fails, the engine controller
will shut down the engine pneumatically. If two or three commands
pass voting, the engine controller will issue its own commands
to accomplish the function commanded by the orbiter GPCs. If command
voting fails and two or all three commands fail, the engine controller
will maintain the last command that passed voting.
The backup flight system computer, GPC 5, contains SSME hardware
interface program applications software. When the four primary
GPCs (1, 2, 3 and 4) are in control, the BFS GPC does no commanding.
When GPC 5 is in control, the BFS sends commands to, and requests
data from, the EIU; and in this configuration, the four primary
GPCs neither command nor listen. The BFS, when engaged, allows
GPC 5 to command FC buses 5, 6, 7 and 8 for main engine control
through the SSME HIP. The SSME HIP performs the same main engine
command functions as the SSME subsystem operating program. The
command flow through the EIUs and engine controllers is the same
when the BFS is engaged as for the four-GPC redundant set.
The engine controller provides all the main engine data to the
GPCs. Sensors in the engine supply pressures, temperatures, flow
rates, turbopump speeds, valve position and engine servovalve
actuator positions to the engine controller. The engine controller
assembles these data into a vehicle data table and adds status
data of its own to the vehicle data table. The vehicle data tables
output channels A and B to the vehicle interface electronics for
transmission to the EIUs. The vehicle interface electronics output
over both data paths. The data paths are called primary and secondary.
The channel A vehicle data table is normally sent over both primary
and secondary control (channel A has failed); then the vehicle
interface electronics output the channel B vehicle data table
over both the primary and secondary data paths.
The vehicle data table is sent by the controller to the EIU.
There are only two data paths versus three command paths between
the engine controller and the EIU. The data path that interfaces
with CIA 1 is called primary data. The path that interfaces with
CIA 2 is called secondary data. Primary and secondary data are
held in buffers until the GPCs send a data request command to
the EIUs. The GPCs request both primary and secondary data. Primary
data is output only through MIA 1 on each EIU. Secondary data
is output only through MIA 4 on each EIU.
During prelaunch, the orbiter's computers look at both primary
and secondary data. Loss of either primary or secondary data will
result in data path failure and either an engine ignition inhibit
or a launch pad shutdown of all three main engines.
At T minus zero, the orbiter GPCs request both primary and secondary
data from each EIU. For no failures, only primary data are looked
at. If there is a loss of primary data (which can occur between
the engine controller channel A electronics and the SSME SOP),
the secondary data are looked at.
There are two primary written engine controller computer software
programs: the flight operational program and the test operational
program. The flight operational program is an on-line, real-time,
process-control program that processes inputs from engine sensors;
controls the operation of the engine servovalves, actuators, solenoids
and spark igniters; accepts and processes vehicle commands; provides
and transmits data to the vehicle; and provides checkout and monitoring
capabilities. The test operational program supports engine testing.
Functionally, it is similar to the flight operational program
but differs with respect to implementation. The computer software
programs are modular and are defined as computer program components,
which consist of a data base organized into tables and 15 computer
program components. During application of the computer program
components, the programs perform data processing for failure detection
and status to the vehicle. As system operation progresses through
an operating phase, different combinations of control functions
are operative at different times. These combinations within a
phase are defined as operating modes.
The checkout phase initiates active control monitoring or checkout.
The standby mode in this phase is a waiting mode of controller
operation while active control sequence operations are in process.
Monitoring functions that do not affect engine hardware status
are continually active during the mode. Such functions include
processing of vehicle commands, status update and controller self-test.
During checkout, data and instructions can be loaded into the
engine controller's computer memory. This permits updating of
the software program and data as necessary to proceed with engine-firing
operations or checkout operations. Also in this phase, component
checkout, consisting of checkout or engine leak tests, is performed
on an individual engine system component.
The start preparation phase consists of system purges and propellant
conditioning, which are performed in preparation for engine start.
The purge sequence 1 mode is the first purge sequence, including
oxidizer system and intermediate seal purge operation. The purge
sequence 2 mode is the second purge sequence, including fuel system
purge operation and the continuation of purges initiated during
purge sequence 1. The purge sequence 3 mode includes propellant
recirculation (bleed valve operation). The purge sequence 4 mode
includes fuel system purge and the indication engine is ready
to enter the start phase. The engine-ready mode occurs when proper
engine thermal conditions for start have been attained and other
criteria for start have been satisfied, including a continuation
of the purge sequence 4 mode.
The start phase covers operations involved with starting or firing
the engines, beginning with scheduled open-loop operation of propellant
valves. The start initiation mode includes all functions before
ignition confirmed and the closing of the thrust control loop.
The thrust buildup mode detects ignition by monitoring main combustion
chamber pressure and verifying that closed-loop thrust buildup
sequencing is in progress.
The main stage phase is automatically entered upon successful
completion of the start phase. The normal control mode has initiated
mixture ratio control, and thrust control is operating normally.
In case of a malfunction, the electrical lock mode will be activated.
In that mode, engine propellant valves are electrically held in
a fixed configuration, and all control loop communications are
suspended. There is also the hydraulic lockup mode, in which all
fail-safe valves are deactivated to hydraulically hold the propellant
valves in a fixed configuration and all control loop functions
The shutdown phase covers operations to reduce main combustion
chamber pressure and drive all valves closed to effect full engine
shutdown. Throttling to minimum power level is the portion of
the shutdown in progress at a programmed shutdown thrust reference
level above the MPL. The valve schedule throttling mode is the
stage in the shutdown sequence at which the programmed thrust
reference has decreased below the MPL. Propellant valves closed
is the stage in the shutdown sequence after all liquid propellant
valves have been closed, the shutdown purge has been activated,
and verification sequences are in progress. The fail-safe pneumatic
mode is when the fail-safe pneumatic shutdown is used.
The post-shutdown phase represents the state of the SSME and
engine controller at the completion of engine firing. The standby
mode is a waiting mode of controller operations whose functions
are identical to those of standby during checkout. It is the normal
mode that is entered after completion of the shutdown phase. The
terminate sequence mode terminates a purge sequence by a command
from the vehicle. All propellant valves are closed, and all solenoid
and torque motor valves are de-energized.
Each controller utilizes ac power provided by the MPS engine
power left, ctr, right switches on panel R2.
Each controller has internal electrical heaters that provide
environmental temperature control and are powered by main bus
power through a remote power controller. The RPC is controlled
by the main propulsion system engine cntrl htr left, ctr, right
switches on panel R4. The heaters are not normally used until
after main engine cutoff and are only turned on if environmental
control is required during the mission.