Thanks for that. Monroe > -------- Original Message -------- > Subject: [AR] Re: The NASA paper on manual control of the Saturn. > From: Norman Yarvin <yarvin@xxxxxxxxxxxx> > Date: Wed, November 13, 2013 7:28 pm > To: arocket@xxxxxxxxxxxxx > > > On Fri, Oct 11, 2013 at 12:47:07PM +1300, Michael Fincham wrote: > >On Thu, 10 Oct 2013 16:26:52 -0700 (GMT-07:00), David Weinshenker wrote: > >> Yes, please put it up for download > >> somewhere > > > >I've put it up online here: > > > ><http://finch.am/u/nasa-saturn-manual-control-pdf> > > > >It'll probably hang around for a while at that URL if anyone wants to > >grab a copy. > > > I just got around to having a look at it. A few things stand out. > For one, this wasn't manual control as in "something that would work > if all the computers fail". The pilot wasn't given eight levers, one > for each control signal (pitch and yaw for the four gimbaled F-1 > engines), and told "have at it... you can control this thing, sure you > can, I mean you have ten fingers, and there are only eight signals, so > you have two fingers to spare". Instead his control input was sent to > the control computer for the launch vehicle, which translated it into > engine movements. If any computer was cut out of the equation, it was > the control computer for the spacecraft, which was also involved in > normal flight... but it seems like that computer was mostly just > relaying data from the gyros in the spacecraft (although that part > isn't described well in the paper, and others may wish to correct me > as to the true way the two computers interacted). In any case, > technically, using the joystick didn't cut either computer out of the > loop; instead the pilot's signals were added to the computer's -- but > it seems like the joystick had enough control authority to thoroughly > override the computer's choice. That is, as long as the computer was > working and obeying the joystick; "computer failure" does not appear > on the list of failure scenarios they considered. > > Besides the joystick, the pilot was also given six switches to turn > off parts of the automatic control loop. Those were in case various > sensors failed. But they considered those sensor failures to be low > probability, and the ability to override them not a big contributor to > the overall benefit of the system. Skimming through the procedures > for sensing those faults and flicking those switches (Appendix B), > they read like things that, these days, could and should be done in > software. > > They found that it was important to give the pilot a "load relief > system", meaning lift sensors: he had a display showing the output of > accelerometers mounted near the center of mass of the vehicle, so that > what they sensed (at least in two dimensions) was aerodynamic lift. > The idea was to fly so as to minimize that lift -- which, > interestingly, was to be done even before any failure had occurred, so > as to give "a greater margin of safety in the event of a system > failure". I don't know whether the astronauts actually ended up doing > that. > > From simulating one particular failure (engine gimbal actuator hard > over, the failure mode they figured was the most probable) in "95% > wind", they gave the automatic system an "effectivity" of 0.488, the > piloted system with lift sensors an "effectivity" of 0.322, and the > piloted system with no lift sensors an "effectivity" of 0.045. In > each case that number is the probability of the launcher being broken > up by wind and other forces, so a lower "effectivity" is better > (making it a poor choice of word -- but at least they weren't being > modern and politically correct, and using "piloted" as a euphemism for > "manned": here "piloted" actually means piloted). > > But in some of the other failure scenarios the pilot didn't help: for > the "loss of thrust in one engine" scenario (another thing they > thought there was a big chance of, and rightly so), the differences in > success rates were marginal, and vehicle loss was highly probable. > > These days, introducing extra lift sensors and only giving access to > them to the human would be cheating: the normal thing to do would be > to let the computer code use them too, for cross-checking and/or for > flying in a degraded mode. But back in the days when every byte was > precious and computers were programmed in assembler (if not in machine > code), it was a normal sort of thing to do. (For the simulations they > did for the paper, they didn't even use a digital computer; instead > they used "a 400-amplifier analog computer complex with extensive > function generation capability".) > > But given that this wasn't computers versus wires-and-cables-and- > hydraulics but rather computers in automatic mode versus computers in > joystick mode, it's also permissible to wonder whether the joystick > mode was what it should have been. Were the control parameters > altered appropriately for the engine-out scenario, for instance? The > computer knew that the engine was out, and could have altered them -- > but did it alter them, and if so did it do it well? Likely not, since > if it did it well, why would a human be needed in the first place? Or > maybe no possible control action would work in those cases -- they > were pushing the system rather hard, considering cases near max-Q and > with high winds and high wind shear, but they don't address the > question of whether the system was controllable in those failure > cases, or whether no possible set of commands would work. (It's the > kind of question you could throw a lot of computer power at, these > days, but they didn't have a lot of computer power.) > > > -- > Norman Yarvin http://yarchive.net/blog