From mboxrd@z Thu Jan 1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level:
X-Spam-Status: No, score=-1.3 required=5.0 tests=BAYES_00,INVALID_MSGID autolearn=no autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,a1eff3a9508d6cba
X-Google-Attributes: gid103376,public
From: pontius@btv.MBI.com (Dale Pontius)
Subject: Re: Space Station S/W in Ada -- No Tasking?
Date: 1998/05/08
Message-ID: <6iuvei$1270$6@mdnews.btv.ibm.com>#1/1
X-Deja-AN: 351416827
References: <354dadfd.2883074@news.mindspring.com>
Content-Type: text/plain; charset=us-ascii
Organization: IBM Microelectronics Division
Mime-Version: 1.0
Newsgroups: comp.lang.ada
Date: 1998-05-08T00:00:00+00:00
List-Id:

In article , gwinn@ma.ultranet.com (Joe Gwinn) writes:
> In article ,
>> While the rest of the discussion on this sounds correct, I think
>> that what was being implicitly rejected here is the way that the Space
>> Shuttle computers do voting. In the Space Shuttle, voting is based on
>> whether three different computer systems come up with about the same
>> answer at about the same time. If no two agree, the results of a
>> fourth are arbitrarily accepted. (Is that both right and concise?)
>> Since the computers do not get their data synchronously, the actual
>> data values, and the control inputs computed from them, will be
>> slightly different.
>
> This is my understanding as well. Three of the computers are identical,
> IBM 4pi units if I recall, while the fourth unit is hardwired analog, the
> theory being to protect against common-mode hardware failures.
>
> However, there is one added issue to be addressed: common-mode failure in
> the software. A classic solution is N-version programming, where two or
> three completely independent and isolated teams develop the software for
> the digital computers. The theory of this is that the teams, being
> isolated, will not make the same mistakes, so they can cross-check each
> other, both during system integration, and operationally.
>
IIRC, there are five IDENTICAL computers on the shuttle. Four of them
are running the same software, in sync. Three of them are continually
voting to deliver results. If there is a non-unanimous vote, the loser
is taken offline and the fourth computer is made active. If there is
another unanimous vote, the whole cluster is brought down and the fifth
computer is made active. The fifth computer hardware is identical, but
the software was programmed by an entirely different group of people in
a different programming language. This is an attempt to avoid 'deeply
systemic' software errors. (The first four were programmed with a
language called HAL/S, I believe.)

This is long ago hearsay, listening on an internal IBM newsgroup to one
of the people who was on the hotseat when Columbia's first liftoff
scuttled. Of course he's since probably been sold to Loral then Lockheed
Martin with the rest of that division.

Dale Pontius
(NOT speaking for IBM)
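A small simulation of the voting-and-failover scheme Dale describes (three identical machines voting, a fourth identical hot spare promoted on the first disagreement, and a fifth machine with independently written software taking over when the cluster can no longer agree). This is an added example, not code from the post or from any flight software; the machine behaviours, the step-by-step sensor inputs and the rule that a three-way split also falls back to the fifth machine are assumptions made for illustration.

```python
"""Constructed model of lockstep voting with a hot spare and an independent backup."""
from collections import Counter
from typing import Callable, List, Optional

Machine = Callable[[int], int]   # a flight computer: sensor reading -> control output


class RedundantSet:
    """Four identical machines (three vote, one waits) plus one independently coded backup."""

    def __init__(self, identical: List[Machine], backup: Machine) -> None:
        assert len(identical) == 4, "model assumes four identical machines"
        self.voters: List[Machine] = identical[:3]   # the three whose outputs are compared
        self.spare: Optional[Machine] = identical[3] # promoted after the first disagreement
        self.backup = backup                         # fifth machine, different software
        self.on_backup = False
        self.events: List[str] = []                  # what a ground controller would see

    def step(self, sensor: int) -> int:
        if self.on_backup:
            return self.backup(sensor)
        outputs = [m(sensor) for m in self.voters]
        tally = Counter(outputs)
        if len(tally) == 1:                          # unanimous vote: deliver the result
            return outputs[0]
        majority, count = tally.most_common(1)[0]
        if self.spare is not None and count >= 2:
            # First disagreement: drop the dissenter, bring the fourth machine online.
            self.voters = [m for m, o in zip(self.voters, outputs) if o == majority]
            self.voters.append(self.spare)
            self.spare = None
            self.events.append(f"sensor={sensor}: dissenter offline, spare promoted")
            return majority
        # Second disagreement (or no majority at all): whole cluster down, backup active.
        self.on_backup = True
        self.events.append(f"sensor={sensor}: cluster down, backup flight software active")
        return self.backup(sensor)


def faulty_from(threshold: int) -> Machine:
    """Constructed machine that computes correctly until the sensor reaches `threshold`."""
    return lambda x: 2 * x + (1 if x >= threshold else 0)


def run_scenario() -> RedundantSet:
    """Constructed flight: one voter fails at reading 3, the spare fails at reading 5."""
    good: Machine = lambda x: 2 * x
    cluster = RedundantSet([good, good, faulty_from(3), faulty_from(5)], backup=lambda x: x + x)
    for reading in (1, 2, 3, 4, 5, 6):
        cluster.step(reading)
    return cluster
```
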