The Impact of Risk Management:

An Analysis of the Apollo and CEV Guidance, Navigation and Control Systems

Katherine H. Allen

Robbie C. Allen

Ilana L. Davidi

Elwin C. Ong

9 May 2005

16.895J/STS.471J/ESD.30J - Engineering Apollo

Guidance and Control, Page 1, 9 May 2005

Table of Contents

Introduction

Apollo Guidance, Navigation, and Control System Overview

History

Apollo Guidance Computer Team

Primary Guidance, Navigation, and Control System Architecture

Apollo Guidance Computer Hardware Architecture

Display Keyboard

Risk Management in Apollo

Apollo Guidance Computer Hardware

Apollo Guidance Computer Processor

Apollo Guidance Computer Memory

Apollo Guidance Computer Software

AGC Software Architecture

Software Design and Implementation

Software Review and Testing

Human Interface Design

DSKY Design

Manual Control Hardware and Software

Control: Manual vs. Autonomous vs. Automatic

System Level Risk Management Decisions

In-Flight Maintenance

Abort Guidance System

Summary

Risk Management of Crew Exploratory Vehicle (CEV)

CEV Computing Hardware

CEV Mission Software

CEV Automation

Culture of Safety

Conclusion

Appendix A: Word Length and Arithmetic Precision

Appendix B: DSKY Commands

Appendix C: Digital Autopilot

Bibliography


Introduction[1]

Building the Apollo Guidance, Navigation and Control (GNC) System was one of the most significant and risky challenges of the Apollo Program. In the 1960s, computers were far from commonplace and were still perceived as new and untested technology. Few of the astronauts were eager to trust their lives to what amounted to a series of zeroes and ones sewn together. The digital computer, along with its complex software and novel human interfaces, was on the leading edge of engineering discovery at the time, yet the system proved to be one of the most successful. This success is often attributed to the highly motivated individuals who designed the system and their characteristic attention to detail, but these reasons do not allay the fact that the Apollo GNC system carried a higher level of risk than today’s standards would accept. The system contained many potential single-point failures and relied heavily on unproven technologies and techniques, from integrated circuits to high-level interpretive languages and one-of-a-kind human-computer interfaces.

The team responsible for building the GNC System was aware of this mistrust and felt that they had to produce a perfect system. More was at stake than trust, however: because the system was critical to mission success and the safety of the crew, it had to work perfectly every time it ran. This requirement was made even more challenging by the fact that the GNC team had to rely on unproven technologies (such as integrated circuits) and had to live with many potential single-point failures in order to meet budget and time constraints. Perhaps paradoxically, the Apollo guidance and navigation system was successful because it was risky. Because it was such a challenge, the engineers were forced to design the simplest system that could satisfy the requirements. The simplicity of the system allowed the engineers to fully understand it, and this understanding in turn gave them the means to discover as many of the unknown technical risks as possible. Perhaps even more important, the engineers knew that the system was risky, and this awareness provided the motivation to ensure that it would work. Despite its potential single-point failures and its reliance on unproven technologies, the computer managed risk well enough not to fail and to earn the trust of those involved with the program.

Space vehicle design has evolved tremendously since Apollo, and while today’s systems can carry out more complex requirements, these complexities have had severe consequences for the safety and reliability of today’s space systems. Looking forward to the next-generation spacecraft, referred to as the Crew Exploratory Vehicle (CEV), the vehicle will surely be able to accomplish much more than Apollo using time-tested technologies, but it will also have far more complex requirements for fault tolerance, automation, and human-computer interaction. Furthermore, the environment in which the CEV is being built is considerably different and more demanding. Today’s political and social atmosphere is drastically different from Apollo’s, and due to the recent Columbia disaster, NASA is being scrutinized more closely than ever. For the sake of safety, the CEV may end up being so redundant and fault tolerant that it will be too complex to manage effectively; a failure would then follow because nobody understands the system well enough to predict how it will behave.

While the term “risk management” was not used during the Apollo program, the engineers were performing excellent risk management by today's standards during the design of the system. For the purpose of this paper, we are defining risk management as follows:

The GNC team was very careful to evaluate the risks associated with various design choices, performing what amounts to present-day risk management. Each decision was scrutinized and checked by many sources. It is due to this intense focus on safety and testing that the astronauts and those who directed them were ultimately willing to trust their lives to a computer, which in turn made the Apollo missions successful. The team did not fear risk; they sought only to mitigate it through innovative, yet not overly complex, technologies.

Understandably, the unique nature of the program meant that its risk management was very different from, and more liberal than, today’s standards. This report will examine some of the most challenging and risk-consequential decisions made during the design of the Apollo GNC System. After a brief overview and history of the GNC System, the report will focus on the Lunar Module (LM) landing system and its associated GNC systems, including particular aspects of the hardware, software, and human factors design. These systems will be described along with discussions of the risks involved in particular design decisions. System-level risk management decisions will also be examined, including the decisions on in-flight maintenance and on a backup for the primary system. Following this discussion, the risk management techniques of Apollo will be compared to today’s techniques, illustrated by an example of how the CEV landing system might be designed using the technologies and techniques available today. We will close by looking at how the lessons learned from the successes and failures of Apollo can be applied to the design and implementation of the Crew Exploratory Vehicle (CEV).

Apollo Guidance, Navigation, and Control (GNC) System Overview

History

The MIT Instrumentation Laboratory under Charles Stark (Doc) Draper received the contract to provide the primary navigation, guidance, and control for Apollo in August of 1961. At the time, NASA was still debating how to land on the moon. Whether one large rocket or a small lunar module descended to the moon, the vehicle would need the ability to autonomously guide the spacecraft to the moon, land it safely, and return the astronauts to Earth.

The Instrumentation Lab was the pioneer of inertial guidance, navigation, and control. Doc Draper had first applied gyros in the Mark 14 gun sight during WWII. The effectiveness of the system led to more advanced applications, including self-contained inertial systems on aircraft and missiles. By the mid-1950s, the Instrumentation Lab was working on a number of applications of inertial guidance, including the Air Force's Thor missile, the Navy's Polaris missile, and a robotic Mars probe [HALL40].

The Apollo requirements for self-contained guidance, navigation, and control were similar to those of the projects completed at the Instrumentation Lab, but Apollo would also be far more complex. It would require a much more powerful computation system than any of the Lab's previous projects. This computer could be either analog or digital. The decision to use a digital computer was one of the first major decisions made and one with many risk-associated implications. While it is conceivable that an analog computer could have met the requirements of Apollo, the system would have been much bigger and heavier than the eventual digital computer developed by MIT [HHBS]. An analog computer would also have been much more difficult to program, and the tasks it performed would have been much more limited, with consequences for the design of the rest of the spacecraft and mission. The engineers at MIT had a very good reason for choosing digital over analog: they had gained a great deal of experience with digital computers from their previous projects.

To apply the guidance and control equations for the Polaris missile, MIT had developed a set of relatively simple equations that were implemented using digital differential analyzers. The digital differential analyzer designed by MIT was nothing more than memory registers, which stored numbers, and adders, which produced the result of the incremental addition between two numbers.

Although simple by computational standards, the work on the Polaris digital system provided the necessary base of technology needed for the Apollo Guidance Computer (AGC). However, wire interconnections, packaging techniques, flight test experience, and the procurement of reliable semiconductor products were all required for the successful delivery of the AGC [HALL44].

In the late 1950's, the Instrumentation Lab was granted a contract to study a robotic mission to Mars. The mission would involve a probe that would fly to Mars, snap a single photo, and return it safely to Earth [BAT]. The requirements for the proposed probe led to the development of the Mod 1B computer. After the success of the Polaris computer, the Digital Computing Group was once again poised to extend the capabilities of their digital computing design. The Mod 1B computer would have been responsible for navigation and control of the probe through its mission had it been launched. The resulting computer design used core-transistor logic and core memories. It was a general-purpose computer, meaning it could be programmed, unlike the Polaris system.

While the Polaris computer could only calculate one set of equations, the Mod 1B computer could be programmed to perform any number of calculations. Although the Mars Probe was cancelled before ever being fully built, work on the computer continued, and it provided the knowledge and experience needed for the design of the AGC hardware. Following all the work and achievements of the Digital Computing Group, there was also no doubt that the AGC design would be digital rather than analog [KLABS,HALL]. Although digital technology was less well known, and hence riskier than analog systems, within the Instrumentation Lab this tradeoff was probably never fully analyzed, as digital technology was a natural progression from all their previous experience in building aerospace computing systems.


Apollo Guidance Computer Team

Work on the design of the AGC was led by Eldon Hall at the Instrumentation Lab. Major contributions were made by many different people, including Ramon Alonso, Albert Hopkins, Hal Laning, and Hugh Blair-Smith.

Eldon Hall had completed an AB in Mathematics at Eastern Nazarene College and an AM in Physics at Boston University, and was completing his PhD at Harvard when the Instrumentation Lab recruited him in 1952. He was key in encouraging the Instrumentation Lab and the Navy to adopt digital computing equipment on the Polaris missile [KLABS,HALL], and he was responsible for the development of the digital differential analyzers used on Polaris. Soon after, Hall was promoted to group leader and formed the Digital Development Group, where he led the work on the Mod 1B Mars computer. After the successful flight of the Polaris missile in 1960 and having completed a breadboard version of the Mars computer, his group was poised for the challenge of designing the AGC, and in 1961 the contract was awarded to the Instrumentation Lab.

Hal Laning spent a long career at MIT, having earned an undergraduate degree in Chemical Engineering and a PhD in Applied Mathematics in 1947. He began his tenure at the Instrumentation Lab in 1945 and was soon put in charge of a small group, formally called the Applied Mathematics Group. Laning wrote what is arguably the world’s first compiler, George, for MIT’s Whirlwind computer in 1952 [LOH,SB]. He was vital to the development of the AGC, being responsible for the design of the operating system among many notable contributions.