comp.lang.ada
From: pontius@btv.MBI.com (Dale Pontius)
Subject: Re: Space Station S/W in Ada -- No Tasking?
Date: 1998/05/08
Message-ID: <6iuvei$1270$6@mdnews.btv.ibm.com>
In-Reply-To: gwinn-0705982150240001@d195.dial-5.cmb.ma.ultra.net


In article <gwinn-0705982150240001@d195.dial-5.cmb.ma.ultra.net>,
        gwinn@ma.ultranet.com (Joe Gwinn) writes:
> In article <EACHUS.98May6171227@spectre.mitre.org>,
>>     While the rest of the discussion on this sounds correct, I think
>> that what was being implicitly rejected here is the way that the Space
>> Shuttle computers do voting.  In the Space Shuttle, voting is based on
>> whether three different computer systems come up with about the same
>> answer at about the same time.  If no two agree, the results of a
>> fourth are arbitrarily accepted.  (Is that both right and concise?)
>> Since the computers do not get their data synchronously, the actual
>> data values, and the control inputs computed from them, will be
>> slightly different.
> This is my understanding as well.  Three of the computers are identical,
> IBM 4pi units if I recall, while the fourth unit is hardwired analog, the
> theory being to protect against common-mode hardware failures.
> However, there is one added issue to be addressed: common-mode failure in
> the software.  A classic solution is N-version programming, where two or
> three completely independent and isolated teams develop the software for
> the digital computers. The theory of this is that the teams, being
> isolated, will not make the same mistakes, so they can cross-check each
> other, both during system integration, and operationally.
>
IIRC, there are five IDENTICAL computers on the shuttle. Four of them
are running the same software, in sync. Three of them are continually
voting to deliver results. If there is a non-unanimous vote, the loser
is taken offline and the fourth computer is made active. If there is
another unanimous vote, the whole cluster is brought down and the
fifth computer is made active. The fifth computer hardware is identical,
but the software was programmed by an entirely different group of
people in a different programming language. This is an attempt to
avoid 'deeply systemic' software errors. (The first four were
programmed with a language called HAL/S, I believe.)

This is long-ago hearsay, listening on an internal IBM newsgroup to
one of the people who was on the hotseat when Columbia's first liftoff
scuttled. Of course he's since probably been sold to Loral then
Lockheed Martin with the rest of that division.

Dale Pontius
(NOT speaking for IBM)
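The voting-and-failover scheme as the post above describes it, modelled as an added example (not code from the post, from IBM or from the shuttle program) in Python rather than HAL/S or Ada. It assumes the second trigger in the post is also a split vote, and it adds one case the post does not mention, all three voters disagreeing, which is treated as a failover to the fifth machine; the computer ids 1..5 and the control values are constructed.

```python
from collections import Counter

class VotingCluster:
    """Simplified model of the scheme in the post: four identical computers run
    the same software (three vote, one spare); a fifth with independently
    written software stands behind them."""

    def __init__(self):
        self.voters = [1, 2, 3]   # primary set members currently voting
        self.spare = 4            # identical unit kept in sync, not voting
        self.backup = 5           # independent software (constructed id)
        self.offline = []
        self.on_backup = False

    def _fail_over_to_backup(self):
        self.offline.extend(self.voters)
        self.voters = []
        self.on_backup = True

    def vote(self, outputs):
        """outputs: computer id -> control value it computed; returns delivered value."""
        if self.on_backup:
            return outputs[self.backup]
        ballots = {c: outputs[c] for c in self.voters}
        value, count = Counter(ballots.values()).most_common(1)[0]
        if count == len(self.voters):
            return value                      # unanimous: normal case
        if count < 2:                         # three different answers (assumed case)
            self._fail_over_to_backup()       # no majority to trust at all
            return outputs[self.backup]
        loser = next(c for c, v in ballots.items() if v != value)
        if self.spare is not None:
            # First split: drop the dissenter, bring the fourth unit in.
            self.offline.append(loser)
            self.voters = [c for c in self.voters if c != loser] + [self.spare]
            self.spare = None
            return value
        self._fail_over_to_backup()           # second split: primary set down
        return outputs[self.backup]

def run_scenario():
    # Constructed control-cycle outputs that walk through both failovers.
    cluster = VotingCluster()
    cycles = [
        {1: 10, 2: 10, 3: 10, 4: 10, 5: 10},  # all agree
        {1: 11, 2: 11, 3: 99, 4: 11, 5: 11},  # 3 dissents -> offline, 4 in
        {1: 12, 2: 12, 4: 12, 5: 12},         # new set agrees
        {1: 13, 2: 77, 4: 13, 5: 13},         # second split -> backup
        {5: 14},                              # only the backup runs now
    ]
    return [cluster.vote(o) for o in cycles], cluster
```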
