Guidance, Navigation & Control (GNC) — Engineering Reference

1. At a glance

Guidance, Navigation, and Control (GNC) is the integrated set of three onboard subsystems that takes a vehicle from launch to mission end: Guidance decides what to do (trajectory and targeting), Navigation answers where am I and how am I moving (state estimation from raw sensors), and Control computes how to make the actuators realise that intent (closed-loop force and moment commands). The three functions are conceptually distinct but operationally fused — modern systems share a single state vector, a single estimator, and a single real-time scheduler, and the boundary between them blurs at the lowest level (a quaternion estimator output feeds directly into the pitch loop with no intervening “guidance” layer).

GNC governs the operating envelope of every powered, instrumented vehicle that flies, falls, or drives autonomously: commercial and military aircraft, missiles, launch vehicles, spacecraft, drones, autonomous cars, marine vessels, submarines, and increasingly legged and wheeled robotics. The discipline draws on [[Engineering/classical-control]], [[Engineering/state-space-methods]], [[Engineering/h-infinity-robust]], [[Engineering/sliding-mode-control]], [[Engineering/adaptive-control]], [[Engineering/mpc-control]], [[Engineering/system-identification]], [[Robotics/bayesian-estimation]], [[Engineering/signal-processing-dsp]], [[Engineering/aerodynamics]], [[Engineering/propulsion]], and [[Engineering/realtime-embedded]]. It is the dominant cost driver of any aerospace program: GNC software is typically 10⁵–10⁷ lines of safety-critical C, Ada/SPARK, or (increasingly) Rust, representing 10–30 % of program cost and almost all of the certification risk.

2. Why it matters

GNC failures are the most expensive class of engineering bug ever observed. The historical record drives every modern requirement, review gate, and coding standard:

• Ariane 5 Flight 501 (1996). Inertial Reference System carried Ariane 4 code untouched; horizontal-velocity float-to-int16 conversion overflowed 37 s into flight on Ariane 5’s higher trajectory; both primary and backup IRS shut down identically; vehicle yawed, broke up, self-destructed. Loss: ≈ US$ 370 M plus payload.
• Mars Climate Orbiter (1999). Ground software (Lockheed Martin) emitted thruster impulses in lbf·s, flight software (JPL) consumed them as N·s — a factor-of-4.45 unit-conversion gap accumulated over cruise. Vehicle entered Mars atmosphere ≈ 57 km too low and disintegrated. Loss: ≈ US$ 327 M.
• Mars Polar Lander (1999). Three Hall-effect leg-deploy sensors fired briefly on parachute extraction; touchdown logic accepted the transient as “weight-on-leg” and shut off descent engines at ≈ 40 m altitude. Vehicle free-fell.
• Schiaparelli EDM (2016). IMU saturated during parachute-bridle deploy; integrated attitude became negative (“upside-down”) for ≈ 1 s; Navigation Filter accepted the spurious attitude; retrorockets fired briefly then cut off at 3.7 km altitude; lander struck Mars at ≈ 540 km/h.
• 737 MAX MCAS (2018–2019). Manoeuvring Characteristics Augmentation System trimmed nose-down on a single AoA-sensor input; loss of two aircraft (Lion Air 610, Ethiopian 302), 346 fatalities, US$ 20 B+ direct cost, type fleet grounded for 20 months.
• Tesla Autopilot incidents. Phantom-braking and sun-glare false negatives on the vision-only stack continue to drive NHTSA investigations.

These are not arcane edge cases — they are the standard pathologies (unit handling, sensor redundancy, integer overflow, saturation, single-fault tolerance) that every GNC engineer now designs against by reflex.

3. First principles

3.1 The canonical GNC stack

A typical fixed-wing autopilot or missile architecture, top to bottom:

Layer	Rate	Function	Output to next layer
Mission planner	0.1–1 Hz	Route, mode logic, autoland gates	Sequence of waypoints, profile flags
Guidance	5–50 Hz	Trajectory generation, targeting law	Reference state $(p_r,v_r,q_r)$ and feed-forward $(a_{ff},{\omega }_{ff})$
Navigation	100–400 Hz	Sensor fusion (EKF / UKF / factor graph)	State estimate $\hat{x}$, covariance $P$
Outer control	50–100 Hz	Position / velocity / attitude tracking	Body-rate command ${\omega }_c$, thrust $T_c$
Inner control	200–1000 Hz	Body-rate stabilisation, gain scheduling	Actuator commands $u$
Actuators	hardware	Servos, gimbals, thrusters, control surfaces	Forces and moments on vehicle

Bandwidth scales inversely with altitude in the stack. The inner rate loop runs at 1 kHz; the planner runs at 1 Hz. Every layer is closed-loop. Real-time determinism is hard: worst-case execution time (WCET) must be bounded and proved; DO-178C Level A flight-critical software is allocated to specific deterministic schedulers (ARINC 653 partitioning, rate-monotonic priority assignment).

3.2 Redundancy and voting

Single-string GNC is rare above DO-178C Level C. Standard architectures:

• Dual-channel with comparator — two identical FCCs cross-check at the bus; mismatch fault-tree drives mode revert. Used on most regional jets.
• Triplex MAJORITY (TMR) — three channels vote; one faulty channel is masked. Aircraft sensors (3 AoA vanes, 3 ADIRUs on A330/A350), Shuttle GPCs.
• Quadruplex DISSIMILAR — four channels on dissimilar hardware/OS/compilers (Boeing 777 Primary Flight Computer used three Intel/AMD/Motorola variants compiled by three Ada vendors). Tolerates common-mode design fault, not just hardware fault.
• Sensor diversity — heterogeneous physics on the same measurement: pitot + GPS + inertial-derived airspeed, GPS + INS + star tracker for attitude, radar altimeter + barometer + GPS for altitude.

3.3 The six-degree-of-freedom rigid-body equations

The plant model underneath every GNC design is the standard 6-DOF rigid-body set, expressed in the body frame for the rotational part and in a navigation frame for the translational part:

$m({\dot{\mathbf{v}}}_b+{\mathbf{\omega }}_b\times {\mathbf{v}}_b)={\mathbf{F}}_b,\mathbf{I}{\dot{\mathbf{\omega }}}_b+{\mathbf{\omega }}_b\times (\mathbf{I}{\mathbf{\omega }}_b)={\mathbf{M}}_b$

with $m$ the vehicle mass, $\mathbf{I}$ the inertia tensor about the centre of mass, ${\mathbf{F}}_b$ the resultant force (gravity + aero + thrust), and ${\mathbf{M}}_b$ the resultant moment (aero + thrust-misalignment + reaction-control). For aircraft, ${\mathbf{F}}_b$ is parameterised by the stability and control derivatives — $C_{L\alpha }$, $C_{m\alpha }$, $C_{m\dot{\alpha }}$, $C_{n\beta }$, $C_{l{\delta }_a}$, $C_{m{\delta }_e}$ — that come from wind-tunnel tests, CFD ([[Engineering/cfd-deep]]), and parameter-identification flight tests. Mass and inertia are themselves time-varying for any vehicle that burns propellant (a Falcon 9 first stage drops from 549 t to ≈ 38 t in 162 s) and must be propagated alongside the kinematic state in flight-grade simulations.

The linearised small-perturbation form $\dot{\mathbf{x}}=A\mathbf{x}+B\mathbf{u}$ — with $A$ and $B$ evaluated at a trim point — is the basis for almost every operational autopilot. Most large aircraft autopilots schedule $(A,B)$ as a function of Mach number, dynamic pressure, mass, and centre-of-gravity position; the controller gains are then interpolated across an $n$-dimensional table.

3.4 Coordinate frames

Every flight code carries a frame book and a transformation discipline. Standard frames:

Frame	Origin	Axes	Used by
ECI (J2000)	Earth centre	Inertial, equinox-fixed	Orbital propagation, star tracker output
ECEF (WGS-84)	Earth centre	Rotating with Earth	GPS solution, ground stations
NED / ENU	Vehicle	North-East-Down (or East-North-Up)	Aircraft navigation, vehicle telemetry
Body	Vehicle CG	Fwd-Right-Down (aero) or X-Y-Z (mfgr)	Rate gyros, accelerometers, control
Wind	Vehicle CG	Aligned with relative wind	Lift/drag bookkeeping
Sensor / Nozzle / Mount	Hardware	Local	Calibration corrections

Transformations are quaternion-based in modern code (no gimbal lock, fewer trig calls). The classic failure is a hand-coded Euler-angle sequence whose convention (“ZYX intrinsic” vs “XYZ extrinsic”) was never written down — Mars Climate Orbiter’s unit bug is the same family of mistake one level up.

Quaternion algebra (Hamilton convention). Body-to-nav rotation as $q=[q_w,q_x,q_y,q_z]$ with $\Vert q\Vert =1$. Composition of two rotations: $q_3=q_1\otimes q_2$. Rotating a body-frame vector to the nav frame: ${\mathbf{v}}_n=q\otimes [0,{\mathbf{v}}_b]\otimes q^{-1}$. Equivalent rotation matrix:

$R(q)=\left[\begin{array}{ccc}1-2(q_y^2+q_z^2)& 2(q_x{q}_y-q_w{q}_z)& 2(q_x{q}_z+q_w{q}_y)\\ 2(q_x{q}_y+q_w{q}_z)& 1-2(q_x^2+q_z^2)& 2(q_y{q}_z-q_w{q}_x)\\ 2(q_x{q}_z-q_w{q}_y)& 2(q_y{q}_z+q_w{q}_x)& 1-2(q_x^2+q_y^2)\end{array}\right]$

Body-rate-driven quaternion propagation: $\dot{q}=\frac{1}{2}q\otimes [0,{\mathbf{\omega }}_b]$. Renormalise every cycle to fight numeric drift off the unit sphere.

4. Guidance methods

4.1 Proportional Navigation (Yuan 1948)

The canonical missile guidance law: commanded lateral acceleration proportional to line-of-sight (LOS) rate times closing velocity:

$a_{cmd}=N^{\prime }\cdot V_c\cdot \dot{\sigma }$

where $N^{\prime }$ (effective navigation ratio) is typically 3–5, $V_c$ is the closing speed, and $\dot{\sigma }$ is the inertial LOS rate measured by the seeker. The geometric content: drive LOS rate to zero ⇒ constant bearing ⇒ collision course. PN is provably optimal for a constant-velocity, non-manoeuvring target intercept in the constant-bearing limit.

Variant	Equation	Used for
Pure PN (PPN)	$a\perp$ LOS	Original Yuan formulation
True PN (TPN)	$a\perp V_m$ (missile vel)	Most BVR seekers
Augmented PN (APN)	$a=N^{\prime }{V}_c\dot{\sigma }+(N^{\prime }/2)a_T$	Manoeuvring target
Optimal Guidance Law (OGL)	Solves time-to-go optimal control	Modern radar-homing
Predictive PN	Uses target accel estimate from EKF	THAAD, SM-3 terminal

4.2 Predictor-corrector

Used for re-entry guidance (Apollo Command Module, Shuttle Orbiter, Orion). At each cycle: forward-propagate the trajectory to landing/target under the current bank-angle command; compare predicted landing to desired; correct bank-angle profile via Newton iteration. Survived because it is robust to atmosphere-model error and runs in the few-hundred-Hz envelope of 1960s flight computers.

4.3 Energy management

Shuttle approach used HAC (Heading Alignment Cone) — a spiralling cone whose geometry trades excess kinetic + potential energy for heading alignment to the runway, with bank-angle modulation as the single control. The autoland that followed (TAEM → A/L) was a deterministic energy-bleed problem solved in closed form.

4.4 Trajectory polynomials and splines

Drone waypoint smoothing uses minimum-snap (Mellinger & Kumar 2011) polynomial trajectories — 7th-order piecewise polynomials whose coefficients minimise integrated snap (4th derivative of position) subject to waypoint and continuity constraints. Solvable as a single QP. The basis of nearly every quadrotor autopilot since 2012.

4.5 Optimisation-based (MPC) guidance

The dominant modern approach for new programs. Convex SOCP formulations (Acikmese & Ploen 2007, lossless convexification) reformulate the originally non-convex powered-descent landing problem into a convex problem whose solution is provably the same optimum. SpaceX Falcon 9 first-stage landing burn runs an MPC-style guidance at 25–50 Hz; Mars 2020 Perseverance used MPC-augmented terrain-relative navigation; autonomous cars (Waymo, Apollo, Tesla FSD planner) all use MPC for trajectory tracking.

4.6 Guidance law selection by phase

A real long-range engagement chains multiple guidance laws by flight phase:

Phase	Typical law	Sensor	Rationale
Boost (0–10 s)	Open-loop pitch program	None (or INS)	Aerodynamic loads dominate; closed-loop instability margin is poor
Mid-course (10–90 % range)	INS + GPS waypoint following or explicit guidance	INS, GPS, datalink	Long-range, low-bandwidth correction
Hand-over	Datalink update + seeker acquisition	Datalink + seeker	Switches from internal navigation to external observer
Terminal (last 1–10 s)	PN, APN, OGL, or sliding-mode	Seeker (radar, IR, laser)	Highest bandwidth, smallest miss distance

For ICBMs and orbit-transfer missions the equivalent split is boost → coast → terminal-guidance burn; the underlying transition logic is the same.

4.7 Lunar and Mars EDL

• Apollo PGNCS (Primary Guidance, Navigation & Control System; MIT Instrumentation Lab) — explicit guidance polynomial in time-to-go, with Hal Laning’s interpreter language for mission flexibility. Landed Apollo 11–17.
• Mars Science Laboratory / Mars 2020. Hypersonic entry with bank-angle modulation (Apollo heritage), supersonic disk-gap-band parachute (Viking heritage), powered-descent rocket pack with closed-loop guidance, terminal sky-crane manoeuvre. M2020 added Lander Vision System (LVS) — terrain-relative navigation via descent imagery matched to onboard map for hazard avoidance.

EDL timeline (Mars 2020 typical): entry interface at 125 km altitude, peak deceleration ≈ 12 g at 35 km, parachute deploy at Mach 1.7 / 11 km, heat-shield separation at 8 km, radar lock at 4 km, powered descent start at 2 km / 100 m/s descent rate, sky-crane manoeuvre 20 m above surface, touchdown at < 1 m/s. Total wall-clock duration: ≈ 7 min (“seven minutes of terror”), entirely autonomous because Earth round-trip light-time is 8–24 min.

5. Navigation methods

5.1 Inertial Navigation System (INS) and strapdown integration

Three orthogonal accelerometers and three gyros mounted to the vehicle body (“strapdown”; older gimballed platforms stabilised the sensor block inertially). Integration:

$\dot{q}=\frac{1}{2}q\otimes {\omega }_b,{\dot{v}}_n=R(q)a_b+g_n,{\dot{p}}_n=v_n$

where $q$ is the body-to-nav quaternion, ${\omega }_b$ and $a_b$ are bias-corrected gyro and accelerometer measurements, $R(q)$ rotates body-frame specific force into the nav frame, and $g_n$ is local gravity. Error grows without bound: position error from a gyro bias drifts as $\frac{1}{2}g\cdot (\text{bias})\cdot t^3$ — a tactical-grade 0.1 °/hr gyro yields ≈ 0.85 km of position error in 1 h.

IMU grades (covered in [[Robotics/sensors-pose-motion]]):

Grade	Gyro bias	Typical sensor	Typical use
Consumer MEMS	5–20 °/hr	Bosch BMI088, InvenSense	Phones, hobby drones
Industrial MEMS	0.5–3 °/hr	ADIS16505, SCHA600	Pro drone, AGV
Tactical	0.05–1 °/hr	Sensonor STIM300, Honeywell HG1700	Tactical missile, vehicle GNSS-aided
Navigation FOG / RLG	0.001–0.01 °/hr	Honeywell HG9900, Northrop LN-100G	Submarine, airliner inertial, ICBM

5.2 GNSS

GPS (US), GLONASS (Russia), Galileo (EU), BeiDou (China), QZSS (Japan), NavIC (India). Standalone single-frequency civil: 3–10 m σ; dual-frequency / SBAS: < 1 m; RTK with base station < 2 cm; PPP without base station, ~20 cm after convergence. Update rates 1–10 Hz typical.

5.3 Sensor-fusion aiding hierarchy

Aiding	Adds	Typical correction rate	Cost
Barometric altimeter	Vertical position	50 Hz	$
Magnetometer	Heading	20 Hz	$
GNSS	Position + velocity	1–10 Hz	$$
Radar altimeter	AGL altitude (terminal)	10–100 Hz	$$$
Doppler velocity log (DVL)	Body velocity (underwater)	5 Hz	$$$
Star tracker	Inertial attitude	1–10 Hz	$$$$
Visual / VIO	Position + velocity (GNSS-denied)	30 Hz	$$
Terrain-relative (TRN)	Position from map match	1 Hz	$$$$
USBL / LBL acoustic	Position underwater	0.5 Hz	$$$

5.4 The extended Kalman filter — the workhorse estimator

For a nonlinear discrete process ${\mathbf{x}}_{k+1}=f({\mathbf{x}}_k,{\mathbf{u}}_k)+{\mathbf{w}}_k$ with measurement ${\mathbf{z}}_k=h({\mathbf{x}}_k)+{\mathbf{v}}_k$, process noise covariance $Q$ and measurement noise $R$:

Predict step (run at IMU rate, typ. 100–400 Hz):

${\hat{\mathbf{x}}}_{k|k-1}=f({\hat{\mathbf{x}}}_{k-1|k-1},{\mathbf{u}}_{k-1}),P_{k|k-1}=F_k{P}_{k-1|k-1}{F}_k^T+Q_k$

with $F_k=\partial f/\partial \mathbf{x}{|}_{{\hat{\mathbf{x}}}_{k-1|k-1}}$.

Update step (run at aiding-sensor rate, typ. 1–50 Hz):

$K_k=P_{k|k-1}{H}_k^T(H_k{P}_{k|k-1}{H}_k^T+R_k{)}^{-1}$

${\hat{\mathbf{x}}}_{k|k}={\hat{\mathbf{x}}}_{k|k-1}+K_k({\mathbf{z}}_k-h({\hat{\mathbf{x}}}_{k|k-1})),P_{k|k}=(I-K_k{H}_k)P_{k|k-1}$

For attitude states, the error-state formulation (ESKF) propagates the full quaternion in the nominal state and linearises only a 3-component attitude error around it — this avoids the over-parameterisation of a 4-element quaternion inside the EKF covariance and is now standard in all flight-grade INSs (Trawny & Roumeliotis 2005, Madyastha et al. 2011). Full detail in [[Robotics/bayesian-estimation]].

5.5 Sensor-fusion architectures

Loosely coupled GNSS/INS. GNSS position/velocity solution treated as a measurement update to the INS-driven EKF. Simple, modular, but loses skill when fewer than 4 satellites are visible (the GNSS receiver outputs nothing).

Tightly coupled GNSS/INS. EKF measurement is raw pseudorange and Doppler from each satellite individually. Continues to update with 1–3 satellites — invaluable in urban canyons, jamming, foliage. Standard in modern military and high-end commercial INSs.

Deeply / ultra-tightly coupled. EKF state feeds the GNSS code-tracking loops directly. Robust to high dynamics and weak signals; used in launch vehicles and hypersonic test vehicles.

Visual-inertial odometry (VIO). IMU at high rate + monocular or stereo camera at 30 Hz, fused in EKF (MSCKF — Mourikis & Roumeliotis 2007) or factor graph (Forster et al. 2017 IMU pre-integration). Used in drones (Skydio), AR/VR (Quest, Vision Pro), and emerging in autonomous cars.

5.6 Initial alignment and gyrocompassing

A strapdown INS cannot start from arbitrary attitude — it must align before navigation begins. Two phases:

• Coarse alignment (≈ 1 min). Average accelerometer measurements over a stationary period to recover roll/pitch from the gravity vector ($\varphi =\arctan (a_y/a_z)$, $\theta =\arctan (-a_x/\sqrt{a_y^2+a_z^2})$).
• Fine alignment / gyrocompassing (≈ 5–15 min for nav-grade). The east gyro measures Earth rate × cos(latitude) plus heading-coupled bias. Closed-loop Kalman alignment estimates heading to better than 0.1 mrad for a navigation-grade FOG; tactical-grade requires GPS-aided in-motion alignment instead.

Submarines, ballistic missile submarines, and ICBMs cannot use GPS pre-launch and depend on gyrocompass alignment to seconds-of-arc accuracy — this is why navigation-grade RLGs (ring-laser gyros) remain a strategic asset under ITAR / Wassenaar control.

6. Control methods

Method	Strength	Typical use	Reference
PID + cascaded loops	Simple, model-free tuning, robust	Most operational autopilots (rate, attitude, altitude)	[[Engineering/classical-control]]
Gain scheduling	Covers wide envelope (Mach, altitude, mass)	All large aircraft, missiles	[[Engineering/adaptive-control]]
LQR / LQG	MIMO, optimal in $\Vert \cdot {\Vert }_2$	Satellite, hard-disk, missile	[[Engineering/state-space-methods]]
H∞ / μ-synthesis	Quantified robustness to uncertainty	F-22 flight law, HDD head-positioning	[[Engineering/h-infinity-robust]]
Adaptive (MRAC, L1)	Tolerates parameter variation and failure	NASA AirSTAR F-18 IFCS, X-15 reaction-jet	[[Engineering/adaptive-control]]
Sliding mode	Insensitive to matched disturbance	Missile terminal, agile drone	[[Engineering/sliding-mode-control]]
MPC	Handles constraints natively	Falcon 9 landing burn, autonomous cars, EV powertrain	[[Engineering/mpc-control]]
Reinforcement learning	Learns aerobatic / contact policies	Drone racing (Kaufmann 2023), legged locomotion	[[Robotics/rl-for-control]]

6.1 The cascaded-loop pattern

Almost every operational autopilot, from a hobby quadcopter to a 787, is built as a cascaded loop with progressively narrower bandwidth from inside out:

1. Innermost (200–1000 Hz): angular-rate loop. PI on ${\mathbf{\omega }}_{cmd}-\hat{\mathbf{\omega }}$ with gyro feedback. Bandwidth set by actuator and sensor bandwidth (typ. 30–80 rad/s for aircraft, 100–300 rad/s for agile drones).
2. Attitude loop (50–200 Hz): P or PD on $q_{cmd}-\hat{q}$ outputs body-rate command. Bandwidth ≈ 1/3 of rate-loop bandwidth.
3. Velocity / heading loop (10–50 Hz): PI on velocity or course error outputs attitude command.
4. Position / waypoint loop (1–10 Hz): P or feed-forward on position error outputs velocity command.

The bandwidth-decade-per-layer rule is folklore but well-grounded: each outer loop sees the inner loop as approximately unit gain only if it is at least 3× slower. Violating this couples the loops and breaks the design.

6.2 Gain scheduling

For aircraft and missiles with envelope variation $>2\times$ in dynamic pressure $\bar{q}=\frac{1}{2}\rho V^2$, a single fixed-gain controller cannot meet stability margins across the envelope. Standard practice: parameterise gains on $(\text{Mach},h,m,x_{cg})$ at a grid of trim points, then interpolate linearly between them at run-time. Hidden risk: a hidden non-linearity (limit cycle, actuator rate limit) can sit at an off-grid condition. Modern best practice (since the 1990s) is Linear Parameter-Varying (LPV) design which proves stability between the grid points and is increasingly synthesised via LMI / H∞.

7. Worked examples

7.1 Example A — Proportional Navigation engagement

Missile pursuing a non-manoeuvring target. Measured at one engagement instant:

• Closing velocity $V_c=800\text{m/s}$
• Range to target $R=5\text{km}$
• Time to intercept $t_{go}\approx R/V_c=6.25\text{s}$
• LOS rate $\dot{\sigma }=0.05\text{rad/s}$
• Navigation ratio $N^{\prime }=3$

Commanded acceleration:

$a_{cmd}=N^{\prime }{V}_c\dot{\sigma }=3\cdot 800\cdot 0.05=120{\text{m/s}}^2\approx 12.2g$

For a 100 kg missile, lateral force required $F=ma=100\cdot 120=12\text{kN}$. A tactical air-to-air missile rated to 30 g manoeuvre envelope (≈ 300 m/s²) handles this with margin from aerodynamic control surfaces and divert thrusters. Design check: if $N^{\prime }\dot{\sigma }{V}_c$ regularly exceeds the airframe limit early in flight, the seeker is locked too soon or the launch envelope is being flown outside its kinematic boundary.

Effective navigation ratio selection. Stochastic analysis (Zarchan 2019 ch. 8) shows that for white seeker-noise of bandwidth ${\omega }_n$, miss distance from noise scales as $\sqrt{N^{\prime }}$, but miss distance from target manoeuvre scales as $1/(N^{\prime }-2)$. The two terms balance at $N^{\prime }\approx 3$–$5$ — the canonical choice. For augmented PN with target-acceleration estimate, $N^{\prime }=3$ on the kinematic term plus $N^{\prime }/2$ on the estimated-accel term is optimal under a quadratic miss-distance penalty.

Zero-effort-miss formulation. Equivalent to PN: $a_{cmd}=N\cdot \mathrm{ZEM}/t_{go}^2$, where ZEM is the predicted miss vector assuming zero further acceleration. Modern terminal-guidance laws (THAAD, SM-3) compute ZEM directly from the EKF state and a propagated target model, then apply optimal-control gains derived from Bryson-Ho (1975) terminal-state regulator.

7.2 Example B — Tactical-grade GNSS/INS Kalman filter

15-state EKF: position (3), velocity (3), attitude error (3), gyro bias (3), accelerometer bias (3). IMU 200 Hz, GPS 1 Hz.

• IMU spec: Sensonor STIM300; gyro bias 0.5 °/hr (≈ 2.4 × 10⁻⁶ rad/s), accel bias 0.05 mg (≈ 5 × 10⁻⁴ m/s²).
• GPS: σ_pos = 1.5 m horizontal, σ_pos = 3 m vertical, σ_vel = 0.05 m/s.

Steady-state horizontal position uncertainty under continuous GPS aiding:

${\sigma }_{pos,ss}\approx \sqrt{{\sigma }_{GPS}^2+({\sigma }_{accel}\tau {)}^2}$

with $\tau \approx 1$ s (the GPS update interval): $\sigma \approx \sqrt{1.5^2+(5\cdot 10^{-4}{)}^2}\approx 1.5\text{m}$ — limited by GPS.

During 60 s GPS dropout:

Position drift from accelerometer bias: ${\sigma }_p\approx \frac{1}{2}{\sigma }_a{t}^2=\frac{1}{2}\cdot 5\cdot 10^{-4}\cdot 60^2=0.9\text{m}$ — still below GPS-only error.

During 1 h dropout (worst case for tactical grade):

Position drift from gyro bias coupled through gravity tilt error: ${\sigma }_p\approx \frac{1}{2}g\cdot {\sigma }_g\cdot t^2=\frac{1}{2}\cdot 9.81\cdot 2.4\cdot 10^{-6}\cdot 3600^2\approx 153\text{m}$ — tactical IMU degrades to ≈ 150 m after 1 h. Navigation-grade (FOG, 0.001 °/hr) gives ≈ 0.3 m in the same hour.

7.3 Example C — Falcon 9 landing-burn MPC (concept)

State vector (14 elements): position $\mathbf{p}\in {\mathbb{R}}^3$, velocity $\mathbf{v}\in {\mathbb{R}}^3$, mass $m$, attitude quaternion $\mathbf{q}\in {\mathbb{R}}^4$, body rate $\mathbf{\omega }\in {\mathbb{R}}^3$.

Constraints:

• Gimbal angle $|{\theta }_g|\le 5°$ (Merlin 1D-FT engine limit)
• Thrust $T\in [300,845]\text{kN}$ (≈ 40–100 % single-engine)
• Mass $m\ge m_{dry}\approx 25,600\text{kg}$
• Terminal position at landing zone $(x,y,z)=(0,0,0)$
• Terminal velocity $|\mathbf{v}|\le 2\text{m/s}$ vertical, $|{\mathbf{v}}_{horiz}|\le 0.5\text{m/s}$
• Glide-slope: position cone above landing point

Horizon: ≈ 10 s at 25 Hz ⇒ $N=250$ steps.

Formulation (Acikmese & Ploen 2007 lossless convexification): rewrite thrust as $\mathbf{T}=m\Gamma \mathbf{u}$, $\Vert \mathbf{u}\Vert \le 1$, with $\Gamma$ a slack variable; the originally non-convex thrust-magnitude lower bound becomes a convex second-order cone constraint. Solver: SOCP via custom interior-point (Boyd’s CVXGEN-style code generator) on the flight computer. Runs in O(10 ms) per solve. Result: sub-metre landing precision demonstrated > 350 times by SpaceX since 2015.

Three-phase guidance. Boost-back burn (180° flip + retrograde), re-entry burn (decelerate to subsonic), landing burn (powered touchdown). Each phase runs its own MPC formulation with phase-specific constraints. Grid-fins (mid-flight) are commanded by a separate aerodynamic controller; engine gimbal handles thrust-vector control during burn phases. The hand-off between aerodynamic and thrust-vector control is the historically hardest part — solved by Falcon 9 ≈ 2016 after several crashes during the 2014–2015 development campaign.

7.4 Example D — Aircraft pitch-axis short-period stability

Generic transport aircraft at cruise: Mach 0.78, $h$ = 11 km, $m$ = 80 t, $I_{yy}$ = 4.2 × 10⁶ kg·m². Short-period mode characterised by:

${\omega }_{sp}\approx \sqrt{\frac{-M_{\alpha }+M_q{Z}_{\alpha }/V}{1}}\approx 1.4\text{rad/s},{\zeta }_{sp}\approx \frac{-(M_q+Z_{\alpha }/V)}{2{\omega }_{sp}}\approx 0.45$

Cooper-Harper Level 1 handling qualities (MIL-STD-1797A) require ${\zeta }_{sp}\in [0.35,1.3]$ and ${\omega }_{sp}^2/(n/\alpha )\in [0.28,3.6]$. Bare-airframe damping just meets the lower bound; the autopilot adds a pitch damper — a simple proportional feedback of pitch rate $q$ to elevator ${\delta }_e$ — with gain $K_q\approx 0.5$ s/rad to lift ${\zeta }_{sp}$ to ≈ 0.7. This is the simplest, oldest, and most common autopilot loop in service.

8. GNC architectures by domain

Domain	Vehicle examples	Primary GNC vendor	Control approach	Software level
Commercial transport	A320neo, 737 MAX, 787	Honeywell, Collins (RTX), Thales	Gain-scheduled C* law, autoland CAT IIIb	DO-178C Level A
Business / regional	Gulfstream G700, E-Jet E2	Collins, Honeywell, GE	Cascaded PID + autopilot	DO-178C Level A
Fighter	F-22, F-35, Rafale, Su-57, J-20	Lockheed, Honeywell, BAE, Dassault	Triplex/quadruplex FBW, H∞ + adaptive	DO-178B/C Level A
Tactical missile	AMRAAM, Meteor, R-37, PL-15	Raytheon, MBDA, RTX, NORINCO	Mid-course INS+GPS, terminal seeker, PN/APN	MIL-spec equivalent
Strategic / ABM	SM-3, THAAD, GMD, S-500	Lockheed, Raytheon, Almaz-Antey	Predictive guidance, divert thrusters	MIL Level A
Launch vehicle	Falcon 9, Atlas V, Ariane 6, SLS	SpaceX in-house, ULA, ArianeGroup, Boeing	Closed-loop guidance (IGM heritage) + MPC landing	NASA-STD-7009 / ECSS
Spacecraft	JWST, ISS, Starlink, Mars 2020	NASA/JPL, Northrop, SpaceX, Airbus DS	Reaction wheels + thrusters, EKF + star tracker	ECSS Cat A
Drone (UAV)	Skydio X10, MQ-9, Switchblade 600	Skydio, GA-ASI, AeroVironment, Auterion	PX4/ArduPilot cascaded PID + EKF, autonomy stack	Civil: ASTM F3201; mil: varies
Autonomous car	Waymo, Tesla FSD, Mobileye, Apollo	Waymo, Tesla, Mobileye (Intel), Baidu	MPC path + behavioural planner	ISO 26262 ASIL D
Marine / submarine	Virginia-class, Saab Kockums	Lockheed UWS, Saab, L3Harris	Cascaded PID + acoustic INS aiding	Navy spec

8.1 Certification flow (commercial avionics)

Type-certified avionics traverse a defined process gated by FAA / EASA:

1. Requirements capture (system + software + hardware) traced to each numbered DO-178C objective.
2. Architecture and design with explicit failure-condition mapping (catastrophic / hazardous / major / minor / no-effect) to assurance level.
3. Coding to MISRA C / Ada SPARK / JSF AV C++ as appropriate; structural coverage to MC/DC at Level A.
4. Independent verification by a separate team — peer review, formal review, requirements-based test.
5. Hardware/software integration, lab integration, and HIL test.
6. Iron-bird ground integration with real actuators and hydraulics.
7. First flight under restricted envelope, expanding through cleared-envelope test points.
8. Type Inspection Authorisation (TIA) flights with FAA pilots aboard.
9. Type Certificate issuance.

The cost ratio for Level A vs Level C software is roughly 3–5×; for Level A vs no certification it is 10–20×. This is why startups (Joby, Wisk, Beta) often spend 5–8 years on a single aircraft to first delivery.

9. Edge cases and gotchas

• Coordinate-frame errors are the single most common catastrophic class. Mars Climate Orbiter 1999 (lbf·s vs N·s), Hubble primary mirror 1990 (test-fixture frame misalignment ground the wrong figure). Mitigation: dimensional analysis in the type system (Ada/SPARK, Rust uom, F# units of measure); SI-only flight code by mandate.
• Integer overflow / floating-point truncation. Ariane 501 — 64-bit float horizontal velocity cast to 16-bit signed integer. Mitigation: explicit saturation, range proofs (SPARK GNATprove), MISRA C 10.3 + 10.6.
• Sensor saturation and noise spikes. Schiaparelli 2016 — IMU saturated, NavFilter accepted negative attitude. Mitigation: innovation gating in the EKF, sensor health monitor that votes out implausible measurements.
• Single-sensor dependency. 737 MAX MCAS used one AoA vane out of two installed; a vane strike on one aircraft was sufficient. Mitigation: cross-channel monitor on every safety-critical input; “no single point of failure” is a hard certification requirement under 14 CFR 25.1309.
• Actuator saturation. PID integrators wind up against rate or position limits, then unwind violently. Mitigation: anti-windup (clamping, back-calculation), command limiting at the rate level.
• GNSS denial and spoofing. Pervasive in current conflict zones. Mitigation: TRN, VIO, multi-constellation receivers, signal-authentication (Galileo OSNMA, GPS M-code).
• Time synchronisation across distributed bus. ARINC 664/AFDX or TTEthernet for hard real-time avionics; PTP (IEEE 1588) or PPS for sensors with independent clocks. Latency budgets must explicitly include sample-and-hold delays — a 10 ms unmodelled lag can flip a phase margin sign.
• Radiation single-event upsets. Cosmic-ray-induced bit flips. Mitigation: rad-hard CPU (RAD750, GR740), ECC memory, scrubbing, watchdog reset, voting logic on three asynchronous channels.
• Common-mode software failure. Dissimilar implementations on Boeing 777 PFC (three CPUs, three compilers, three Ada vendors). Single-vendor stacks remain a recognised programmatic risk.
• Mars Polar Lander 1999 — leg-deploy transient interpreted as touchdown. Mitigation: persistent sensor confirmation (≥ N consecutive samples) before mode change, plus altitude cross-check.
• DART asteroid impact 2022. SmartNav (terminal optical navigation) successful hyperbolic intercept of Dimorphos — one of the few completed hyperbolic terminal guidance flights, validation of next-gen autonomy.
• Tesla Autopilot phantom braking and sun-glare false negatives. Sensor-fusion confidence weighting and operational-design-domain enforcement remain open ML/perception problems.
• Numerical conditioning of EKF covariance. $P$ can lose symmetry/positive-definiteness over millions of updates. Mitigation: UD factorisation (Bierman 1977), square-root form (Potter / Carlson), or Joseph form of the update equation — all numerically stable at the cost of 1.5–3× compute.
• Quaternion sign ambiguity. $q$ and $-q$ represent the same rotation; an estimator can flip sign and a downstream loop expecting continuity will see a discontinuity. Mitigation: enforce $q_w\ge 0$ at every update.
• Sample-rate aliasing. Aero or structural modes above Nyquist alias into the control band. Mitigation: analog anti-alias filter before ADC, plus digital notch on known structural modes (B-1B “structural mode control system” is the textbook example).
• Control-actuator interaction (PIO / APC). Pilot-induced or autopilot-coupling oscillation, infamously YF-22 1992 ground crash and Saab Gripen 1989/1993. Mitigation: gain stabilisation rather than phase stabilisation in the critical band, plus rate-limit handling per Mitchell-Hoh criteria.

10. Software, standards, and assurance

Standard	Domain	Notes
RTCA DO-178C (2011)	Avionics software	5 levels A (catastrophic) – E (no effect); supplements DO-330 (tools), DO-331 (model-based dev), DO-332 (OOP), DO-333 (formal methods)
RTCA DO-254 (2000)	Avionics hardware	Mirror of DO-178C for FPGA/ASIC
MIL-STD-1797A	Aircraft flying qualities	Cooper-Harper handling-qualities rating
MIL-STD-882E	System safety	Hazard tracking and risk classification
NASA-STD-7009B	Models and simulation	Credibility assessment for M&S in safety-critical use
ECSS-E-ST-40C / ECSS-Q-ST-80C	European space	Software lifecycle and product assurance
ISO 26262	Automotive functional safety	ASIL A–D for road vehicles
ISO 21448 / SOTIF	Auto perception safety	Safety of the intended functionality, esp. for ADAS/AD
ARP4754A / ARP4761	Aircraft development	Process and safety-assessment guidance
MISRA C / C++	Coding standards	Civil/military-grade C subset
JSF AV C++	F-35 coding standard	Stricter than MISRA C++; bans heap, exceptions
CERT C / CWE	Security coding	Increasing influence as cybersecurity gates appear in airworthiness

Languages: C dominates (DO-178C-qualified compilers from Green Hills, Wind River, IAR); Ada / SPARK retains a fortress in airworthiness — Boeing 777 PFC, F-35 fuel system, Lockheed C-130J flight control, Eurofighter avionics. Rust is emerging through Ferrocene (Ferrous Systems), the first DO-178C-qualified Rust toolchain (ASIL D / DO-178C Level B as of 2024). Auto-coded MATLAB / Simulink Embedded Coder and ANSYS SCADE (KCG code generator, DO-178C Level A qualified) ship the majority of new commercial avionics control law code.

Operating systems: VxWorks 653, Integrity-178B (Green Hills), LynxOS-178, PikeOS, RTEMS (open-source, in Curiosity rover via VxWorks layer; in CubeSats directly), Wind River Helix Virtualization.

HIL / SIL benches: dSPACE SCALEXIO, NI VeriStand, Speedgoat, ETAS LABCAR. Closed-loop simulation against hardware-in-the-loop is mandatory for DO-178C verification and is where most program risk is bought down before flight test.

11. Tools, vendors, and hardware

• Avionics FCC / FMS: Honeywell (Primus Epic, Apex), Collins Aerospace / RTX (Pro Line Fusion, FMS-6000), Thales (TopFlight, FlytX), GE Aerospace Avionics, BAE Systems Avionics, Leonardo, Diehl Aerospace.
• Missile GNC: Lockheed Martin Missiles & Fire Control, Raytheon Missiles & Defense (RTX), Northrop Grumman, Boeing Defense, Aerojet Rocketdyne (now L3Harris), MBDA, IAI, Roketsan, Kongsberg Defence & Aerospace.
• Launch GNC: SpaceX (in-house C++ on QNX/Linux), Blue Origin, ULA (Lockheed FCC heritage), Rocket Lab, Firefly Aerospace, Relativity Space, ArianeGroup, JAXA, ISRO. MATLAB/Simulink Embedded Coder is common across the new-space tier.
• Autonomous-car SW: Tesla Autopilot/FSD (in-house C++ + neural perception), Waymo Driver, Mobileye EyeQ (chip + stack), Aurora, Zoox; Baidu Apollo (open-source).
• Drone autopilot: Auterion (PX4 commercial), Skydio (proprietary), DJI (proprietary), ParaZero (safety chute autopilot), ArduPilot (open-source, OEM integrations).
• Simulation: ANSYS SCADE Suite, MATLAB/Simulink with Aerospace + Robotics System Toolboxes, PreSagis FlightSIM, NASA GMAT (open), JSBSim (open, F-15 + 737 flight-dynamics models), X-Plane SDK + plug-ins, RotorLib (rotorcraft).
• Embedded HW: STM32H7 / Cortex-M7 dominates hobby and small-drone autopilot (Pixhawk family, Cube Orange, Holybro Durandal); automotive Infineon AURIX TC3xx and Renesas RH850 for ASIL-D; rad-hard RAD750 (BAE), GR740 (Cobham Gaisler), LEON3FT for space and strategic missile; FPGA — Microchip RTG4 and Xilinx Versal AI Edge for high-throughput onboard processing.

11.1 Actuators and effectors

Effector	Used on	Bandwidth	Notable
Hydraulic servo (3000 / 5000 psi)	Large aircraft control surfaces	5–20 Hz	Boeing 777/787 5000-psi system, redundant pumps
Electrohydrostatic actuator (EHA)	A380 / A350, F-35	5–20 Hz	Self-contained pump + motor + cylinder, replaces central hydraulics
Electromechanical actuator (EMA)	F-35 secondary, drones	10–50 Hz	Ball-screw + BLDC; no fluid
Engine gimbal (TVC)	Falcon 9, Saturn V, Ariane	5 Hz	Thrust-vector control via hydraulic or electric actuator
Reaction wheels	Spacecraft, JWST	0.1–1 Hz	Momentum storage; require periodic desaturation
Cold-gas / hot-gas thrusters	Reaction control, divert	Pulsed, 10 Hz	Bang-bang or PWM modulation
Aero control surfaces	All atmospheric vehicles	5–30 Hz	Limited by surface inertia + actuator slew
Grid fins	Falcon 9 re-entry, R-77, Soyuz LES	2–5 Hz	Deployable, drag-rich, robust to high-Mach
Vanes / jet vanes	Tactical missiles, V-2 heritage	30–100 Hz	Insert into exhaust; high authority but high drag

Actuator dynamics enter the control loop as a second-order lag with rate-limit non-linearity. For DO-178C Level A loops the actuator model must be validated against hardware test data to within ±10 % bandwidth and ±5 ° phase across the operating envelope, or the certifiability of stability claims collapses.

12. Cross-references

• [[Engineering/classical-control]] — PID, Bode/Nyquist, the workhorse inside almost every GNC loop.
• [[Engineering/state-space-methods]] — LQR, LQG, observers, the basis for MIMO GNC design.
• [[Engineering/h-infinity-robust]] — quantitative robustness, flight-control H∞ synthesis.
• [[Engineering/sliding-mode-control]] — robust nonlinear law for missile terminal and aggressive drones.
• [[Engineering/adaptive-control]] — MRAC, L1 adaptive, failure-tolerant flight control.
• [[Engineering/mpc-control]] — receding-horizon for landing-burn, trajectory tracking, autonomous driving.
• [[Engineering/system-identification]] — empirical plant models that feed every controller.
• [[Engineering/signal-processing-dsp]] — anti-alias, notch, complementary, and Kalman filtering.
• [[Engineering/propulsion]] — engine + thruster dynamics that the inner loop drives.
• [[Engineering/aerodynamics]] — derivative tables and stability derivatives feed gain schedules.
• [[Engineering/realtime-embedded]] — schedulers, WCET, ARINC 653, RTOS choice.
• [[Engineering/microcontrollers]] — flight-computer-class MCUs.
• [[Engineering/fpga-design]] — onboard accelerators, DO-254.
• [[Robotics/bayesian-estimation]] — EKF, UKF, factor graphs at the heart of navigation.
• [[Robotics/multirotor-design]] — quadrotor GNC stack, minimum-snap trajectories.
• Planned: [[Engineering/hypersonics]], [[Engineering/spacecraft-attitude-control]], [[Engineering/orbital-mechanics]].
• [[Languages/ada]], [[Languages/Tier3/scientific]].

13. Citations

• Stevens, B. L.; Lewis, F. L.; Johnson, E. N. — Aircraft Control and Simulation, 3rd ed., Wiley, 2016.
• Etkin, B.; Reid, L. D. — Dynamics of Flight: Stability and Control, 3rd ed., Wiley, 1996.
• Zarchan, P. — Tactical and Strategic Missile Guidance, 7th ed., AIAA Progress in Astronautics, 2019. (canonical missile-guidance reference)
• Lin, C.-F. — Modern Navigation, Guidance, and Control Processing, Prentice-Hall, 1991.
• Siouris, G. M. — Aerospace Avionics Systems: A Modern Synthesis, Academic Press, 1993.
• Yuan, L. C.-L. — “Homing and Navigational Courses of Automatic Target-Seeking Devices”, J. Applied Physics 19 (1948) 1122. (origin of Proportional Navigation)
• Acikmese, B.; Ploen, S. R. — “Convex Programming Approach to Powered Descent Guidance for Mars Landing”, JGCD 30 (5) 2007. (lossless convexification)
• Acikmese, B.; Carson, J. M.; Blackmore, L. — “Lossless Convexification of Nonconvex Control Bound and Pointing Constraints of the Soft Landing Optimal Control Problem”, IEEE TCST 21 (6) 2013.
• Boullard, T.; et al. — “Schiaparelli Anomaly Inquiry Report”, ESA, 2017.
• Ariane 501 Inquiry Board — Lions, J.-L. (chair), Final Report, ESA / CNES, 19 July 1996.
• Mars Climate Orbiter Mishap Investigation Board — Phase I Report, NASA, 10 November 1999.
• Boeing 737 MAX MCAS — US House T&I Committee Final Report, September 2020; JATR Observations and Recommendations, October 2019.
• RTCA — DO-178C Software Considerations in Airborne Systems and Equipment Certification, 2011; DO-254 Design Assurance Guidance for Airborne Electronic Hardware, 2000.
• MIL-STD-1797A Flying Qualities of Piloted Aircraft, USAF.
• NASA-STD-7009B Standard for Models and Simulations.
• Brogan, W. L. — Modern Control Theory, 3rd ed., Prentice-Hall, 1991.
• Bryson, A. E.; Ho, Y.-C. — Applied Optimal Control, Hemisphere, 1975.
• Battin, R. H. — An Introduction to the Mathematics and Methods of Astrodynamics, revised ed., AIAA, 1999.
• Markley, F. L.; Crassidis, J. L. — Fundamentals of Spacecraft Attitude Determination and Control, Springer, 2014.
• Mellinger, D.; Kumar, V. — “Minimum Snap Trajectory Generation and Control for Quadrotors”, ICRA 2011.
• Mourikis, A. I.; Roumeliotis, S. I. — “A Multi-State Constraint Kalman Filter for Vision-Aided Inertial Navigation”, ICRA 2007.
• Forster, C.; Carlone, L.; Dellaert, F.; Scaramuzza, D. — “On-Manifold Pre-Integration for Real-Time Visual-Inertial Odometry”, IEEE Trans. Robotics 33 (1) 2017.
• Kaufmann, E.; et al. — “Champion-Level Drone Racing using Deep Reinforcement Learning”, Nature 620 (2023) 982–987.