Re: Space Station S/W in Ada -- No Tasking?

[gwinn@ma.ultranet.com (Joe Gwinn)]

In article <EACHUS.98May6171227@spectre.mitre.org>,
eachus@spectre.mitre.org (Robert I. Eachus) wrote:

> In article <354dadfd.2883074@news.mindspring.com>
munck@Mill-Creek-Systems.com (Robert Munck) writes:
> 
>   >  "To make troubleshooting easier, the software that runs
>   >  the trio of computer networks aboard the space station is
>   >  written to operate in synchronous, or serial, fashion 
>   >  rather than the faster but more complex asynchronous."
> 
>     While the rest of the discussion on this sounds correct, I think
> that what was being implicitly rejected here is the way that the Space
> Shuttle computers do voting.  In the Space Shuttle, voting is based on
> whether three different computer systems come up with about the same
> answer at about the same time.  If no two agree, the results of a
> fourth are arbitrarily accepted.  (Is that both right and concise?)
> Since the computers do not get their data synchronously, the actual
> data values, and the control inputs computed from them, will be
> slightly different.

This is my understanding as well.  Three of the computers are identical,
IBM 4pi units if I recall, while the fourth unit is hardwired analog, the
theory being to protect against common-mode hardware failures.

However, there is one added issue to be addressed: common-mode failure in
the software.  A classic solution is N-version programming, where two or
three completely independent and isolated teams develop the software for
the digital computers. The theory of this is that the teams, being
isolated, will not make the same mistakes, so they can cross-check each
other, both during system integration, and operationally.  

It's a pretty good theory, but falls down if for instance the control law
requirements are not correct.  The Swedes lost a prototype fighter
aircraft at the Paris Air Show to just such a problem a few years ago. 
Fortunately, nobody was hurt, although the airplane was destroyed.

My recollection is that NASA used two teams, so two of three computers
will contain the same software.

Anyway, one cannot expect the outputs of these slightly different programs
to match to the bit, nor is it important in practice that they be that
close, so the voting unit compares the absolute value of the algebraic
difference to a threshold.  I would guess that the tolerance is no more
than a few percent of full scale.



>     In the ISS, where voting is required, two out of three computers
> will have to agree, but based on identical data, and bit for bit
> compares.  The Space Shuttle approach does provide more reliability
> where the algorithms are not known to be stable, but is a maintenance
> nightmare.  (All computers getting the same overflow is no help, and
> the SS flight guidance software does go through about 20 different
> flight regimes during landing.  At the boundary between some of those
> modes, the flight control algorithms are known to be unstable.  So
> that approach is not only appropriate to the shuttle, it seems to be
> necessary.)

One could wonder if ISS will really use bit comparison, because they too
may wish to have multiple versions, for exactly the same reasons.


Joe Gwinn