Re: Space Station S/W in Ada -- No Tasking?

[gwinn@ma.ultranet.com (Joe Gwinn)]

It appears that Roger Racine has more recent and detailed data than I do;
I am reporting on my recollection of a talk by some NASA people many years
ago.  I would not be in the least surprised if the control system had been
upgraded since then, either.

Joe Gwinn


In article <rracine.2.000E0315@draper.com>, rracine@draper.com (Roger
Racine) wrote:

> In article <gwinn-0705982150240001@d195.dial-5.cmb.ma.ultra.net>
gwinn@ma.ultranet.com (Joe Gwinn) writes:
> 
> >In article <EACHUS.98May6171227@spectre.mitre.org>,
> >eachus@spectre.mitre.org (Robert I. Eachus) wrote:
> 
> >> In article <354dadfd.2883074@news.mindspring.com>
> >munck@Mill-Creek-Systems.com (Robert Munck) writes:
> >> 
> >>   >  "To make troubleshooting easier, the software that runs
> >>   >  the trio of computer networks aboard the space station is
> >>   >  written to operate in synchronous, or serial, fashion 
> >>   >  rather than the faster but more complex asynchronous."
> >> 
> >>     While the rest of the discussion on this sounds correct, I think
> >> that what was being implicitly rejected here is the way that the Space
> >> Shuttle computers do voting.  In the Space Shuttle, voting is based on
> >> whether three different computer systems come up with about the same
> >> answer at about the same time.  If no two agree, the results of a
> >> fourth are arbitrarily accepted.  (Is that both right and concise?)
> >> Since the computers do not get their data synchronously, the actual
> >> data values, and the control inputs computed from them, will be
> >> slightly different.
> 
> >This is my understanding as well.  Three of the computers are identical,
> >IBM 4pi units if I recall, while the fourth unit is hardwired analog, the
> >theory being to protect against common-mode hardware failures.
> 
> This is really getting off the subject of Ada, but it is difficult to allow 
> misconceptions to propagate.  There are 5 main computers (IBM 4pi AP-101s) on 
> the Shuttle.  Four work together during critical flight phases (ascent and 
> entry).  This is the Primary Avionics SubSystem (PASS).  They each get data 
> from the same sensors, and they each send data to the same effectors.  The 
> effectors have a means to throw away data from a computer if the value 
> disagrees with the data from the others. The 4 computers simply send a 
> synchronization message to each other periodically.   If a computer fails to 
> send the message at the appropriate time (with a little leeway), they
tell the 
> crew, but keep going.  The crew can turn the power off a computer if they 
> decide to.  There is more to the syncronization, but that is the concise 
> version.  The software on all 4 of these computers is identical, and contains 
> a priority-based pre-emptive executive.  
> 
> The 5th computer is the Backup Flight System (also an AP-101).  It can only 
> take control if a crew member presses a button (this has not happened to
date, 
> except during simulations).  It has software developed "independently".  The 
> quotes are there because the algorithms within the guidance, navigation 
> and control software are the same for both systems, so there could be common 
> errors.  The operating system on this computer is a cyclic executive 
> (i.e. not priority-based pre-emptive tasking).
> 
> The Shuttle is completely digital, by the way.  There is no analog backup.  
> The 5 computers get their data from the same types of sensors, and use the 
> same effectors.
> 
> >However, there is one added issue to be addressed: common-mode failure in
> >the software.  A classic solution is N-version programming, where two or
> >three completely independent and isolated teams develop the software for
> >the digital computers. The theory of this is that the teams, being
> >isolated, will not make the same mistakes, so they can cross-check each
> >other, both during system integration, and operationally.  
> 
> >It's a pretty good theory, but falls down if for instance the control law
> >requirements are not correct.  The Swedes lost a prototype fighter
> >aircraft at the Paris Air Show to just such a problem a few years ago. 
> >Fortunately, nobody was hurt, although the airplane was destroyed.
> 
> >My recollection is that NASA used two teams, so two of three computers
> >will contain the same software.
> 
> As I mentioned above, 4 of the 5 have the same software; the 5th was
developed 
> by a different team (in fact, different companies).
> 
> >Anyway, one cannot expect the outputs of these slightly different programs
> >to match to the bit, nor is it important in practice that they be that
> >close, so the voting unit compares the absolute value of the algebraic
> >difference to a threshold.  I would guess that the tolerance is no more
> >than a few percent of full scale.
> 
> The voting of outputs is done at the actuators, not by the computers.
> 
> >>     In the ISS, where voting is required, two out of three computers
> >> will have to agree, but based on identical data, and bit for bit
> >> compares.  The Space Shuttle approach does provide more reliability
> >> where the algorithms are not known to be stable, but is a maintenance
> >> nightmare.  (All computers getting the same overflow is no help, and
> >> the SS flight guidance software does go through about 20 different
> >> flight regimes during landing.  At the boundary between some of those
> >> modes, the flight control algorithms are known to be unstable.  So
> >> that approach is not only appropriate to the shuttle, it seems to be
> >> necessary.)
> 
> >One could wonder if ISS will really use bit comparison, because they too
> >may wish to have multiple versions, for exactly the same reasons.
> 
> The ISS software is not considered to be of the same criticality as the Space 
> Shuttle software, since problems can not happen nearly as fast (one gets 
> extremely bored watching a simulation of the Space Station maneuvering).  
> There is no backup software.
> 
> Roger Racine