Apollo Guidance Computer History Project

Second conference

September 14, 2001

Relations with Grumman

JIM MILLER: The mission that I was involved with, which was subsequently called Apollo 5, though we called it 206, was the unmanned first flight of the Lunar Module.

FRED MARTIN: This is the flight I think I mentioned the last time. Is this the one that was at the Cape and the engine shut off in two seconds or four seconds?

JIM MILLER: I'll mention a little bit about what happened because I think it was revealing. NASA had never flown a Grumman space-craft before and so had never guided one. And we had never flown a Block II system before. We had never flown a digital auto-pilot before. So there was a lot of new stuff. And this rope-mother was new. And we had a lot of veterans, and a lot of other people that were new. And our relations with Grumman were different than the relations with North American.

DAN LICKLY: Hoag talked last time about it.

JIM MILLER: It was just a whole different ball game. And I, for one, had never had any contact with the NASA Mission Control people. And didn't have much, as it was. But I did go down there to one flight procedures meeting. It was run by the guy who was going to be the flight director. And let me not mention his name. But it was a terrible meeting, I thought. The guy was so arrogant and obnoxious that people just stayed quiet who probably should have asked questions or spoken up.

But in the event of the flight, things began to go badly at the first scheduled burn. Although we had simulated it lots of times, when the command went to the engine, unknown to me, as the mission-program guy and as the former simulation guy, there was preliminary pressurization of tanks that took place between the fire command and when the engine actually lit up. I had been told by the person that wrote the descent burn software that it had to have a very narrow window in the startup for some reason or other - I don't remember what. We had a fairly narrow window in there. And, because of the timing of the interrupt that governed the accelerometer monitoring for ignition, it just missed reaching the delta-V threshold by milliseconds, if I remember. So the software shut it down.

And, utter chaos took over in the Mission Control center. Everybody was climbing all over everybody to find out what happened - totally preventing knowledgeable people from finding out what happened. It was a bad scene. I don't know if that continued on other flights. But it certainly screwed up this one.

FRED MARTIN: Jim, were you at Houston then?

JIM MILLER: Yes. Let me go on. We had put in there, as a part of the mission software, a fairly extensive ability to reprogram all of these burns. And we, through the hierarchy of Jack Garman up to the flight director, told them that we could easily reprogram the burn and try it again. The answer was "It's no longer within telemetry coverage." Somehow they had designed this mission, unbeknownst to us, in a way that there was no possible way to use this reprogramming software if anything went wrong. Of course, that was the only purpose for which this reprogramming software had been put into the flight computer.

But, there was no telemetry coverage if the mission didn't go exactly perfectly. Of course, there was no need to reprogram it if that's what happened. So here we were out of telemetry coverage. Then they decided to use the LM abort guidance system to do that burn, and subsequently to do the 'abort stage' burn, which jettisoned the descent stage. completely without involving our primary guidance system. Control was taken away from the guidance software. Then, NASA abruptly handed control back to the primary guidance system.

Well, nobody had ever planned for or thought that that would happen. Our guidance on the LM thought that it was in the descent configuration because it had not commanded separation. But by then, the descent stage was gone. So the digital auto-pilot had this sporty little vehicle when it thought it was controlling a much more massive one. So it was doing horrible limit cycles and burning fuel like nobody ever saw.

NASA said, "What's going on?" I knew right away what was going on. Nobody, of course, had asked MIT anything when all this was happening. They just 'knew better' and took over. Of course, as I feared, they didn't know better. But I, again, sent information up the chain of command to the flight director: If they would activate the heat-soak program that we had been asked to put in there, the first thing the program would do would be to check agreement between the computer's input bit that indicated whether the descent stage was present and what the guidance system thought. And if it found a mismatch, it would correct the guidance system. So this was a way to get the mission back in sync with just one uplink command.

When this was made known to the flight director, he said "We can't do that program. We've never run it in our practice simulations here at Mission Control." And here was this second thing in the flight software that we had put in that couldn't or wouldn't be used by the Mission Control people. Well, the result was not good. And, we took a lot of flak for that, a lot of it undeserved. But I think it really shook up the Mission Control people who realized that their ability to handle things was much lower than they thought. And their ability to understand and deal with the possibilities of what would go wrong in the flight computer and in the system other than that was rather incompletely developed. And I think they went through a lot of learning and made a lot of changes that led to success later, in situations like the first lunar landing, where something really unexpected did come up. And there were people there in Mission Control who were confident enough, or foolish enough, to say GO - and it worked.

Without some of those blunders that happened early, there would have been a much worse outcome.

FRED MARTIN: Let me ask you. Did the clever things that you had put in, were they known to the Mission Control?

JIM MILLER: They were in the software. They were tested. They were in the GSOP (Guidance System Operations Plan) for the mission. Our contacts knew that they were in there. We didn't have time to do anything that wasn't our job. We barely had time to do things that were our job. I was working seven days, 80 hours a week during that time. Aaron Cohen kept saying, "Go down to Grumman and talk to them." Wait a minute. Who's going to do the configuration control? I had to stay there every night looking at the day's proposed changes to the flight software to make sure that the assembly was successful. I didn't have time to go to Grumman. Our progress would have stopped. And how could such a meeting be made useful anyway?

FRED MARTIN: When you were down there, that was one of the only launches that I went to. I was at the Cape at that time. When that happened, I was telling the group here last time that there was a lot of finger pointing that occurred on this narrow window you were talking about. As to whether this was a programming error or whether we were programming exactly what the engine spec was. We were programming the characteristics of the engine that were given to us from Grumman. And there was a lot of finger pointing as to whose fault it was. Of course, along came Doc Draper who was down at the Cape. He wanted to know what was going on. So there was this picture of this madhouse room with a listing this big opened up to page 179 or whatever it is. And somebody sticking Doc Draper's nose into these various assembly language things trying to explain about how this engine was cut off.

JIM MILLER: That points out something else that I didn't think of but is worth saying. I don't know if 206 was the first mission of this sort but it may have been the first where Houston had told us that they, not we, were going to be responsible for what we called the erasable load, which was the set of values that was preloaded into the AGC's erasable memory before launch. So the responsibility for the erasable load was ostensibly with the guys down in Houston.

Well, that was fine. But for the simulations, we had to have a lot of values preloaded into erasable memory for every run. For convenience, there was a piece of code called "Mr. Clean" which would preload values we thought would be fine for erasable to start with. And Houston could override those before launch. But, it turned out that Houston never touched the erasable load, at least for 206. So the values we had in there for the simulator, and which always worked in the simulator, were what flew. And Grumman ran their simulations, and we never heard, or at least I never heard anything from Grumman about the descent stage pressurization delay. So something is funny there.

Here was another one of these mismatches - we never saw what Houston might have done to the erasable load. It turns out they didn't do anything. But there were these interface gaps that weren't local but between geographic locations. But the fact that it went wrong caused people to shore up the defenses a little bit on missions that came later. But, without some of those mishaps, I don't know where we would have come out.

But that was a tremendous disappointment to all of us that busted our tails on 206. And it was never possible to point the finger. I could never point a finger at anybody. I remember exactly where I was standing when the person who was responsible for the descent stage burn -- I'm not going to mention his name but everybody here knows who I mean -- told me there were restrictions on the startup time window. So the number came directly from him. I didn't make it up. So it wasn't something just crazy that we did. But, mishaps helped us a lot. The accident that took three lives had nothing to do with the AGC software, but it had the biggest effect. Because I think without that accident, we never would have made the schedule and maybe never would have made the landing.

ALEX KOSMALA: Something else I remember about it. It was to have flown the flight program 204. That program, which we were forced to release, was just so lousy, so shot full of bugs. It would have killed them anyway, is my feeling. It was sort of a blessing, if you can call it that, that it was ditched, was never used, and we went on to Block II.

JIM MILLER: But it's an example of how, I mentioned before, each program was supposed to be an evolutionary step from the one before. This one had a crew on it. The one before had no crew on it. If you don't think that was utterly different - it was utterly different.

ALEX KOSMALA: And I remember we had six weeks to turn it out.

JIM MILLER: Yeah. Very short. Of course, nobody wanted to be the one that caused the schedule to slip. We were confident Grumman would make the schedule slip. We just knew that they would never make it. Of course they did. Which caught a lot of us by surprise. A lot of good things happened too.

Academic environment

site last updated 12-08-2002 by Alexander Brown