Reconfigurable G and C computer study for space station use.  Volume 2 - Final technical report  Final report, 29 Dec. 1969 - 31 Jan. 1971 by unknown
FINAL TECHNICAL REPORT
31 January 1971 
J. Jurison 
Program Manager 
Distribution of this report is provided in the interest 
of information exchange and should not be construed 
as an endorsement by NASA of the material presented. 
Prepared Under Contract No. NAS 9-10416
https://ntrs.nasa.gov/search.jsp?R=19710010314 2020-03-11T20:47:12+00:00Z
FOREWORD
This final report covers the work performed by Autonetics Division
of North American Rockwell Corporation under a study contract entitled
Reconfigurable G&C Computer Study for Space Station Use. The report
is submitted to the National Aeronautics and Space Administration
Manned Spacecraft Center under the requirements of Contract NAS 9-10416.
The study program covered the period from December 29, 1969 through
January 31, 1971. The NASA Technical Monitor was Mr. E. S. Chevers.
The final report consists of seven (7) volumes:
Volume I    Technical Summary
Volume II   Final Technical Report (YOU ARE READING THIS VOLUME)
Volume III  Appendix 1. Model Specification
Volume IV   Appendix 2. IOP - VCS Detailed Design
Volume V    Appendix 3. System Analysis and Trade-offs
Volume VI   Appendix 4. Software and Simulation Description and Results
Volume VII  Appendix 5. D-200 Computer Family
            Appendix 6. System Error Analysis
            Appendix 7. Reliability Derivation for Candidate Computers
            Appendix 8. Power Converter Design Data
            Appendix 9. Data Transmission Medium Design

VOLUME II
TABLE OF CONTENTS
1.0 Introduction
    1.1 Summary
    1.2 General Requirements
    1.3 Program Plan
2.0 Technology Review
    2.1 Introduction
    2.2 Semiconductor Logic Technology
    2.3 Memory Technology
    2.4 Multichip Packaging of Uncased Devices
3.0 Summary of System Analysis and Trade-offs
    3.1 Background and Ground Rules
    3.2 Baseline System Description
    3.3 Mission Description
    3.4 Functional Requirements
    3.5 Computer Requirements
    3.6 Computational Allocation Trade-offs
    3.7 Summary and Conclusions
4.0 Definition of Candidate Computers
    4.1 Investigation of Failure Tolerance Requirements
    4.2 Development of Computer System Concepts
    4.3 Investigation of System Concepts
    4.4 Candidate Configuration Evaluation
    4.5 Definition of Candidate Computers
    4.6 Reconfiguration Analysis of Candidates
    4.7 Quantitative Data for Candidate Computers
5.0 Evaluation of Candidate Computers
    5.1 Introduction
    5.2 Description of the Evaluation Model
    5.3 Selection of Evaluation Method
    5.4 Candidate System Evaluation
6.0 I/O Data Bus Investigation
    6.1 Introduction
    6.2 Baseline Bus Control
    6.3 I/O Bus Link
    6.4 Error Protection Techniques
    6.5 I/O Bus Configurations
    6.6 Summary of Preferred Baseline Mechanization
7.0 Mechanization of Selected Computer Systems
    7.1 General
    7.2 Functional Description
    7.3 Mechanization of Internal Modules
8.0 Software and Simulation
    8.1 Introduction
    8.2 Simulation System
    8.3 RGC Software System
    8.4 Simulation Activities
9.0 Local Processor Trade-offs and Design
    9.1 Introduction
    9.2 Local Processor Trade-offs
    9.3 Candidate Local Processor Evaluation
    9.4 Recommended Local Processor Description
10.0 Power Distribution Investigation
    10.1 Introduction
    10.2 Interface Characteristics
    10.3 Generalized Distribution Bus System
    10.4 Load Isolator Failure Characteristics
    10.5 Examples of Bus Switching
    10.6 Comparison of Isolation Devices
    10.7 Recommended Configuration
11.0 Recommendations for Future Effort
    11.1 Introduction
    11.2 Software and Simulation
    11.3 Computer/VCS Studies
    11.4 I/O Data Bus Study
12.0 References

ILLUSTRATIONS
Section 1
    Functional Block Diagram, G&C System
    Program Flow
Section 2
    Basic 4-Phase Gate
    CMOS NOR Gate
    4-Phase CMOS Gate
Section 3
    Guidance and Control Subsystem
    G&C Top Flow Diagram
    Attitude Determination Flow Diagram - First Level
    CMG Computational Requirements Versus Program Allocation
    RCS Computational Requirements Versus Program Allocation
    SIRU Computational Requirements Versus Program Allocation
    OAS Computational Requirements Versus Program Allocation
    Recommended Computational Allocation
Section 4
    Failure Detection and Reconfiguration Approaches
    Voting and Duplication on Computer Module Level
    Voting at Lower Module Level
    Use of Codes for Detection
    Computer/Bus Configurations
    Bus/LP Configurations
    Inputing Voting Example
    Configuration 1A
    Configuration 1B
    Configuration 1C
    Configuration 2B with Switch
    Category 3
    Non-Modular Multicomputer
    Modular Multicomputer Organization
    Modular Multiprocessor Organization
    Memory Module Interface for Multiprocessor
    Computer System Interconnection Diagram
    Computer System Interconnection Mechanization
    IOP - VCS Mechanization
    VCS Implementation
    D Register Logic
    Voter-Comparator-Selector
    Configuration 2B* with Modular Multicomputer
    Configuration 3C* with Modular Multicomputer
    Configuration 2B with Multicomputer
    Configuration 3C with Modular Multiprocessor
    Non-Modular Multiprocessor Reconfiguration
    Configurations 2A, 2B, 2C
    Non-Modular Multiprocessor Organization
Section 5
    creasing Attributes sired
    Intermediate Values
    Intermediate Values
    Final Attribute Values
    Final Attribute Values
    Ten Pin Rule Weighting Factor
    Weighting Factors
    Management Clarity Weighting Factor
    Increasing Attributes Desired
Section 6
    Control Word Formats
    Assumed Range of Noise Spectrum
    Encoding/Modulation Techniques
    Bit Timing Techniques
    Two-Dimensional Parity
Section 7
    Computer Block Diagram
    Computer Memory Bus
    Central Processing Unit
    Memory Functional Block Diagram
    Bus Interface Electronics
    Timing and Control Section
    Basic Write Timing
    Basic Read Timing
    IOP Block Diagram
    IOP Program Operation
    Clock Unit Block Diagram
    Power Converter Block Diagram
Section 8
    Internal Structure (Compartment)
    I/O Buses
    Data Output
    Data Input
Section 9
    Local Processor Definition
    CS Valving Controls
    Local Processor Block Diagram
    Central Processing Unit
    xed Memory System
    Discrete Outputs
    Discrete Inputs
    Converter
    erconnection
    SIU-Block Diagram
Section 10
    10-1. Generalized Distribution System
    10-2. Bus Switching Configuration 2
    10-3. Bus Switching Configuration 3
    10-4. Power Control Block Diagram
    10-5. Power Control Logic Flow Diagram

VOLUME II
LIST OF TABLES
    ory Summary
    uirements
    e System Data
    Computer Requirements - Minimum Preprocessing
    Estimated Computer Requirements - Maximum Preprocessing
    Local Processor Functional Requirements
    Processor Module Mechanization
    Summary Matrix
    IOP Module Mechanization
    Memory Module Functions
    odule Physical Data
    Semiconductor Memory Module Physical Data
    Predicted Reliability per Computer
    Computer System Candidates Reliability
    Computer Module Physical Data
    Candidate Computer System Physical Data
    Candidate Cost Data
    Growth Potential
    Software and Interconnection Data
    Circuit Technology Weighting Factors
    Relative Value of Candidates
    LP Operation
    Transmission Methods
    Possible Data Link Cables
    Error Protection Techniques
    Weighting Factors Furnished by the NASA
    Memory Technology Weighting Factors
    Additional Evaluation between Competitive Candidates
    Functional Characteristics of the Candidate Preprocessor
    Basic Instruction List of the Candidate Preprocessor
    LP-to-Subsystem Interface Requirements
    MIL-STD-704A Category B - DC Power
    Local Processor Requirements
    MIL-STD-704A Category B - AC Power
    Summary of Requirements
    DC Source Failure Matrix
    DC Load Failure Matrix
    Bus Isolator Failure Characteristics Matrix
    Comparison of AC Isolator Devices
1.1 SUMMARY
The purpose of the study is to define t
and specify the configuration for a modularized reconfigurable
tolerant guidance and control computer system suitable for
station complex. The study includes power distribution
elements at various subsystems, input/output data bus
of necessary software to demonstrate the self-test and reconfiguration
ability of the system by computer simulation.
This volume contains a summary of the results of the study.
1.2 GENERAL REQUIREMENTS
The computer system is required to support the Guidance and Control
(G&C) requirements of the Space Station during each mission phase. The
Space Station is expected to operate in a circular 200 - 300 mile orbit at
55 degree inclination with added capability for polar orbits. The mission
can be broken down into four major phases: Prelaunch, Boost, Orbit
Injection and Orbital Coast.
The orbital coast phase was the phase of primary concern for this study
and is used to estimate the memory size, speed, and signal interface
requirements for the computer system. The G&C system consists of several
subsystems as shown in the functional block diagram, Figure 1-1.
The G&C computer and computing elements at subsystem level perform
all computational tasks associated with navigation and attitude control
function. Data processing functions associated with the experiments and
display and control functions are handled by another computer complex, called
the Information Management Data Processor. The latter provides mode
control signals and receives navigation data from the G&C computer.
A common multiplexed data bus provides a means of trans
between the subsystems and the guidance and control computer.
The manned environment and long periods of independent
dictate more stringent reliability requirements than have been
spacecraft computers in the past. It has to be modular for ease of maintenance
and be tolerant to three failures in a fail op, fail op, fail safe
This means that it must be able to detect failures, isolate failures to a
modular level, and recover from failures by reconfiguring the system
(replacing the faulty module with a spare).
[Figure 1-1. Functional Block Diagram, G&C System]
1.3 PROGRAM PLAN
The study has been organized into individual tasks as shown in
Figure 1-2. The task descriptions are described in the Detailed Program
Plan (Reference 1-1). It should be noted that the individual tasks are
closely interrelated and somewhat iterative in nature. Task 12, Cost
and Schedule Plan for Breadboard System Development, has been
deleted by direction of NASA.
This volume presents the objectives and results of each of the tasks
in detail. In cases where the supporting data is too voluminous, it has
been included in the appendices.
This volume consists of eleven (11) sections. This section presents
the background and overall objectives and requirements of the study.
Section 2 presents the results of the technology review and defines the
recommended logic circuit, memory and packaging technologies.
Section 3 summarizes the system requirements, computer requirements,
and includes the trade-off data that lead to the overall system concept.
Section 4 describes the failure tolerance requirements and their impact
on the selection of candidate systems. Section 5 presents the evaluation
model developed for the candidate systems and summarizes the results
of the evaluation. Section 6 is devoted to the technical discussion on the
I/O data bus. Section 7 describes the recommended Reconfigurable G&C
Computer System mechanization in detail. Section 8 describes the software
developed during the study and summarizes the results of the
simulation. Section 9 presents the results of the Local Processor (LP)
trade-offs and describes the recommended LP design. Section 10 presents
the power distribution study results and Section 11 presents the
recommendations for future effort.
[Figure 1-2. Program Flow]
2.1 INTRODUCTION
In order to establish a technological baseline for system tradeoffs
in the Reconfigurable G&C Computer Study, a brief technology review
has been conducted. The review covered three areas: semiconductor
logic technologies, memory technologies (magnetic and semiconductor),
and packaging. General ground rules for the review were that technologies
considered should be producible in 1972 and that no substantial
development should be required. Reliability was considered the most
important factor in evaluating a technology but other characteristics
important to spaceborne systems such as size, weight and power were
also covered. Ground rules for particular technological areas are
given below.
2.1.1 Semiconductor Logic
Logic bit rates of typically 1 Mhz are expected in the Reconfigurable
G&C Computer system. Logic technologies were limited primarily to
four phase P-channel MOS, complementary MOS and low power bipolar
including bipolar MSI.
2.1.2 Memories
Memory modules of interest in this system are likely to be from 2 to
16K words of from 24 to 36 bits each. Parity would be included. The
modules may require multi-access ports for multiprocessor configurations.
Cycle times will probably not be less than 1 µsec, with 0.5 µsec access.
The bulk of the effort was concentrated on core, plated wire, and films for
magnetic memories and dynamic P-channel MOS, complementary MOS, and
bipolars for semiconductor memories.
2.1.3 Packaging
From reliability considerations this effort was limited to characterizing
various methods of packaging uncased devices on ceramic substrates.
2.2 SEMICONDUCTOR LOGIC TECHNOLOGY
2.2.1 General
Semiconductor technologies under consideration for use in logic
portions of the Reconfigurable Computer have been limited to those with
proven reliability and producibility. Three technologies, bipolar, P-channel
MOS, and complementary MOS (CMOS) fall into this category. Both bipolar
and P-channel circuits are currently being produced by a large number of
manufacturers and therefore represent virtually
CMOS, because of the limited number of suppliers, must
be considered as a slightly higher risk.
The reliability of a system can be greatly enhanced by reducing
the number of connections required. One method of accomplishing this
is to increase the level of integration on the semiconductor devices to
reduce interface signals. Care must be taken, however, in the logical
apportionment of the system or the number of signals can actually
increase. Of the three technologies being considered, P-channel MOS
is capable of the highest level of integration, approximately twice that
achievable with either bipolar or CMOS technologies. There is no reason
to expect that this ratio is likely to change in the future, although higher
levels of integration will be achieved in all technologies.
Another method of reducing system interconnects is through the use
of uncased devices on ceramic interconnecting substrates. These
interconnection techniques are applicable to all the semiconductor technologies
under consideration. They eliminate one or two of the three connections
required by conventional packaging techniques.
The inherent reliability of semiconductor technologies can be related
to the number of steps in the fabrication process and the criticality of
masking steps. Control of the gate oxide thickness is usually considered
the one critical step in MOS circuit fabrication. The gate oxide thickness,
however, can be determined visually, unlike the critical diffusion depths
in bipolars. Furthermore, the addition of silicon nitride to the gate
insulation allows a thicker gate insulation of less critical thickness. The
thicker gate insulation also greatly reduces the possibility of device
failures due to gate insulation shorts.
Power is an important reliability factor in integrated circuits. Many
failure modes are accelerated by high temperatures. It is desirable to
keep chip temperatures low by using low power circuit techniques. Both
4-phase P-channel MOS and CMOS have very low power dissipations.
Bipolars generally have high power dissipations, e.g. a large array may
dissipate 1 watt of power. The requirement to remove large amounts of
heat from the chips may limit use of high reliability interconnection
schemes with uncased devices. Since heat must be conducted through
smaller interconnects in order to cool the chip, the amount of heat that
can be dissipated on a ceramic substrate is limited to 2 to 4 watts. No
more than 4 large bipolar arrays could, therefore, be interconnected
per substrate.
It is concluded that P-channel MOS is the most suitable semiconductor
logic technology for the Reconfigurable G&C Computer. The technology
is well established and is capable of the highest levels of integration. It
is compatible with high reliability interconnect techniques and is low power
when a 4-phase clocking circuit mechanization is used. This permits high
density packing which minimizes both size and weight of the system.
2.2.2 Bipolar Technology
Bipolar integrated circuits have evolved to a point where their
performance, cost and reliability make them prime candidates for
virtually any system. The wide variety of types and functions available
allow for ease and speed of system design. Most types of bipolar logic
have low power versions available for applications where high speed
performance is not required. These begin to compete from the power
standpoint with MOS logic at speeds around 1 Mhz. Bipolar technology
has been somewhat slow in the introduction of devices of higher
complexities. More medium complexity devices, however, have become
available in the past year.
A number of bipolar circuit families are available for consideration
including DTL, ECL, RTL, and TTL. ECL and RTL can be eliminated
for the following reasons. Preliminary systems specifications indicate
that system reliability is of primary importance and that only moderate
circuit speeds are required. Power is a consideration although of
secondary importance. ECL is very fast and has a good speed/power
product. This, however, is only realized when operating at maximum
speed. Since only moderate speeds are required, the higher power of
ECL over other circuit types is not justified. RTL tends to be too slow
for this application and has limited fanout capability. Both ECL and RTL
have low noise immunity which could lead to transient system failures.
Neither ECL nor RTL has a significant number of MSI devices available.
MSI or LSI devices can increase reliability by reducing interconnections.
Both DTL and TTL are definite candidates for the reconfigurable
computer. Almost every major semiconductor manufacturer makes a
line of DTL or TTL or both. The two types are electrically compatible
so that they may be mixed if desired in a system. Both types have low
and medium speed (power) lines available. A high speed TTL line is
also available but it is faster than is required in this application and its
higher power cannot be justified. The medium speed TTL has a typical
gate delay of 10 nsec, DTL has a gate delay of 25 nsec and low power TTL
a delay of 33 nsec. The compatibility of these circuits allows regular
TTL to be used where speed or drive is required and DTL or low power
TTL to be used in less critical areas.
The TTL lines have the most extensive number of logic functions
These range from single flip-flops and quad gates to
brief summary of the types of functions presently
is given below:
Function: Quad 2 input NAND; Quad 2 input N; Quad 2 input NAND; Dual J-K F/F; 4-bit counter; 4-bit counter; 4-bit Full Adder; 4-bit Arith Logic; 8-bit Shift Reg.; BCD to Decimal Decoder
Type: TTL; DTL; LPTTL; TTL; LPTTL; TTL; LPTTL; TTL; TTL; TTL; LPTTL; TTL
Delay/Freq.: 10 nsec; 20 nsec; 33 nsec; 20 Mhz; 3 Mhz; 18 Mhz; 3 Mhz; 60 nsec; 28 nsec; 18 Mhz; 6.5 Mhz; 25 nsec
Power (Avg.): 40 mw; 72 mw; 1.8 mw; 100 mw; 7.2 mw; 128 mw; 16 mw; 390 mw; 175 mw; 17.5 mw; 140 mw
Remarks: typical; typical; typical; max delay; typical; typical; typical
In the event that standard MSI devices are not available, desired
functions can be mechanized with "discrete" integrated circuits, or
SI devices can be designed. Completely custom bipolar designs
are expensive and require a long lead time, but this problem can be
largely circumvented by the use of standard cell arrays.
The standard cell array approach configures a standard matrix of
gates into many different functions by a custom metal interconnection
pattern. Two configuration techniques, discretionary wiring and fixed
array, are currently available.
Discretionary wiring involves fabricating a wafer of cells, determining
the good cells by testing them individually, and then using a computer
program to generate a unique metallization pattern for each wafer using
only the good cells. The unique metallization pattern presents a reliability
question since no two devices of the same function are likely to have the
same interconnect pattern. Since the large wafer is packaged, the size
advantage of MSI/LSI is greatly reduced. This technique requires a two
to three layer metallization which complicates the process and significantly
reduces the yield.
A more satisfactory approach is the fixed array. Here a standard
array of cells is fabricated in which all cells are assumed good. A fixed
custom interconnect pattern is designed to mechanize the desired function
and is superimposed over the array. A large number of arrays are
fabricated on each wafer and bad arrays are discarded through testing in the
usual semiconductor method. Each array fabricated in this manner is
identical and, depending on yields, many arrays may come from each
wafer. The chip size is comparable with other technologies and therefore
similar packaging can be considered. At present, standard cell arrays
of from 12 to 112 cells are available. The smaller arrays require two
layers of metallization while the 112 gate array requires three. Power can
be a serious problem in large bipolar arrays. A 112 cell array will
dissipate approximately one watt and therefore must be provided with an
adequate heat sink. Beam leading or flip chipping such devices is very
questionable since all heat must be conducted through the leads. Power
will also limit the number of devices that can be mounted on a common
substrate.
2.2.3 Four-Phase P-Channel MOS 
The P-channel MOS technology is a fully developed, mature technology applicable to a wide variety of systems. Numerous manufacturers are currently producing P-channel MOS circuits while new process techniques are coming into use which enhance both performance and reliability. Two circuit techniques are most commonly used in P-channel MOS: two-phase (2-φ) and four-phase (4-φ). Of the two, 4-φ circuits have significant advantages in both power and functional density.

Four-phase circuits require only that power dissipated in charging and discharging circuit capacitances. In this respect they are similar to CMOS and unlike 2-φ MOS or bipolar circuits which require power consuming resistive voltage dividers. At no time does a DC path exist between power supply and ground in a 4-φ gate. The average clock power for a 4-φ LSIC is about 50 mw at 1 Mhz. This power can be reduced in standby situations or for modules not requiring that high a frequency by reducing the clock frequency.
gate (using P-channel devices) is  shown in figure 2-1. 
The gate operation proceeds as follows:
1. During time T1 and T2 clock φ1 is able to charge the gate capacity to a negative voltage.
2. During T2 clock φ2 is additionally able to charge the load capacity. At end of T2 both the gate and load capacity are charged negative unconditionally. Thus, the output is not valid during T2.
3. At T3 clock φ1 is zero so that one end of the gate is at ground and the device connecting the gate to the negative supply is off. If a path exists through the logic, the gate capacity will be discharged as well as the load. If no path exists, the load will remain negative.
4. At T4 clock φ2 is zero so the load is isolated from the gate. The output is valid until clock φ2 connects the load with the gate.
5. In general, to perform logic, other clocks are mechanized to accept inputs at other times so that their operation overlaps this gate. Only 2 clock phases are needed for shift registers. Three phases are needed for general logic functions. Four phases are generally used to provide more efficient logic mechanizations.
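The precharge and conditional-discharge sequence in the five steps above can be traced with a small model. This is an added example, not code from the report; it assumes the four clock times are T1 to T4, that clock 1 is active in T1 and T2 and clock 2 in T2 and T3, and that an input that is "on" closes its FET.

```python
"""Added example: charge state of the basic four-phase gate over one cycle.

Assumptions (not from the report): the clock times are numbered T1..T4,
clock 1 is active in T1 and T2, clock 2 is active in T2 and T3, and a
logic input that is "on" closes its FET so current can flow through it.
"""

PHASES = ("T1", "T2", "T3", "T4")
CLOCK1_ON = {"T1", "T2"}   # charges the gate capacity
CLOCK2_ON = {"T2", "T3"}   # connects the load capacity to the gate


def path_exists(inputs, network):
    """Evaluate a series/parallel FET network.

    network is an input name, ("par", a, b, ...) or ("ser", a, b, ...).
    """
    if isinstance(network, str):
        return bool(inputs[network])
    kind, *parts = network
    results = [path_exists(inputs, part) for part in parts]
    return any(results) if kind == "par" else all(results)


def run_cycle(inputs, network, load_negative=False):
    """Step one gate through T1..T4 and record its state in each time.

    load_negative is the load charge left over from the previous cycle.
    Returns a list of dicts, one per clock time.
    """
    gate_negative = False
    trace = []
    for t in PHASES:
        c1, c2 = t in CLOCK1_ON, t in CLOCK2_ON
        if c1:
            gate_negative = True          # steps 1 and 2: gate precharge
        if c1 and c2:
            load_negative = True          # step 2: unconditional charge
        if not c1 and c2 and path_exists(inputs, network):
            gate_negative = False         # step 3: conditional discharge
            load_negative = False
        # Step 4: with clock 2 off the load is isolated and holds its
        # charge, so the output is valid whenever clock 2 is off.
        trace.append({"time": t,
                      "gate_negative": gate_negative,
                      "load_negative": load_negative,
                      "output_valid": not c2})
    return trace


def evaluate(inputs, network):
    """Load state (True = still negative) once the output is valid at T4."""
    return run_cycle(inputs, network)[-1]["load_negative"]


if __name__ == "__main__":
    four_input = ("par", "A", "B", "C", "D")
    for step in run_cycle({"A": 1, "B": 0, "C": 0, "D": 0}, four_input):
        print(step)
```

The trace shows why the output cannot be sampled in T2 or T3: the load is either being charged unconditionally or is still tied to the gate node.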
The high functional density obtainable in MOS circuits results from a simple process and the ratioless nature of 4-φ logic. The single channel process requires only one diffusion step. The FETS and diffused gate structures are self-isolating and therefore no chip area is required for isolation. Only one FET is required in a gate per logical input. The size of the FETS are determined only by the required gate switching speed and its output capacitive load. In many cases FETS can be the smallest producible size (0.6 x 0.6 mils). One or two extra FETS are required per gate, however, to perform the precharge and isolation functions.

Four-phase circuits have found applications ranging from aerospace digital computers to desk top calculators. A 24-bit parallel general purpose computer was developed by Autonetics in 1968-1969 which is mechanized with 8 MOS/LSI device types.
FIGURE 2-1. BASIC 4-PHASE GATE
system has been developed which enhances circuit 
ajor inter-circuit  noise and extends the logical 
Up to eight levels of inverting ailable to the designer. 
d in  a single clock period. Non-inverting levels 
ate has maximum flexibility in communicating 
systems put serious restrictions on the intercommunications between gates. Using the advanced clocking system, complex LSI devices have been developed with over 200 inverting logic gates mechanized with over 1500 FETS. The circuits operate at clock rates in excess of 1 Mhz (4 Mhz phase rate). A new family of computer building block devices is currently under development at Autonetics. A detailed description of these and other MOS/LSI devices is given in Appendix 5 where the use of such devices as building blocks is discussed.
In addition, it should be noted that considerable work is being done by several manufacturers on silicon gate MOS devices. This technology uses polycrystalline silicon for the gate electrode and offers a reduced threshold voltage on the gate. The significant result is the higher speed and bipolar compatibility that can be achieved with these devices. The maturing of this process will result in the mix of MOS and bipolar devices to use each to its fullest advantage.

2.2.4 Complementary MOS

Complementary MOS (CMOS) technology is beginning to emerge as a competitive technology to both bipolar and P-channel MOS. Until recently, CMOS costs have been extremely high and its use was limited to applications where its ultra-low standby power was of paramount importance. A limited number of standard functions, however, are now available at competitive prices. Most of these fall into the MSI category. One example is a 4-bit parallel adder with carry look ahead. Another is a 7-bit binary counter. More complex circuits are available on a custom basis. In the memory area, 64-bit memory chips are available and a 254-bit chip has been developed but is not now generally available.
The main reason for the slow development of CMOS appears to be the complex process required to fabricate the devices. The small number of [illegible] certainly supports this contention. Only 3 or [illegible] semiconductor manufacturers are generally recognized as CMOS sources. Most of the semiconductor companies, however, are currently engaged in process development for CMOS. Principal difficulties involve the [illegible] of isolating substrate areas of opposite polarities and the [illegible] to control the threshold voltages of both the N and P-channel FETS simultaneously.
The advantages of CMOS are its low standby (quiescent) power dissipation, relatively [illegible] speed and high noise immunity. These are offset by the more complex process and a lower functional density than is obtainable with some other technologies. Quiescent power dissipation of a typical CMOS MSI function is about 5 μw. Operating [illegible] be considerably higher. Like all gating technologies, [illegible] switch their output capacitances. This represents a power loss proportional to the square of the supply voltage and the switching rate. The ripple-through nature of CMOS logic may also cause switching spikes which add to these losses through unnecessary switching. Furthermore, with the 15 volts required to achieve high switching speed, DC paths exist between the supply and ground during switching. Substantial power can be dissipated in this manner, particularly if signal transitions are relatively slow.

Gate delays in CMOS are about four times bipolar delays and half of P-channel delays. This assumes that gate structures are kept simple. Gates with large fan-in will be slower than equivalent P-channel gates.
The functional density of CMOS is approximately equal to that of current bipolar MSI but less than that achieved with P-channel. One reason for this is the additional area required on the chip for separate substrate areas for N and P-channel FETS. Another is the duality required in the classical complementary gate structure. Two MOS devices are required for each gate input; one N-channel and one P-channel. Any CMOS gate with more than two inputs will require more MOS FETS than an equivalent single channel gate. The FET sizes also tend to be larger than in single channel ratioless logic. The structure duality can be further illustrated by referring to the CMOS NOR gate in Figure 2-2. Note that while the P-channel devices are connected in parallel (ORed), the N-channel devices are in series (ANDed). A string of series devices is a speed limiting factor which cannot be avoided in classical CMOS logic.
2.2.5 Cross Technologies

By combining technologies in a single semiconductor device, some of the best characteristics of each can be realized. Among the potentially beneficial combinations are PMOS and bipolar, CMOS and bipolar, and CMOS and 4-φ. One of the problems in [illegible] is driving the interface capacitance between devices. By adding [illegible] diffusion to [illegible] process, it is possible to produce both common collector NPN and lateral NPN bipolar transistors. The common collector NPN has high saturation resistance and the lateral NPN has low [illegible]. Nevertheless, the common collector NPN's can advantageously [illegible] emitter follower output drivers. These drivers have superior drive to straight PMOS drivers and load the internal circuitry less. The lateral NPN could be used to mechanize a current sense amplifier on a [illegible] memory device. This could reduce access times to 100 nsec or less.
FIGURE 2-2. CMOS NOR GATE
[Figure labels: +V, Precharge Clock, Isolation Clock, OUTPUT, A+B+C+D]
The same bipolar transistors can be fabricated with CMOS. In this case, it is possible to obtain the devices with the existing diffusion steps.

Combining 4-φ circuit techniques with a CMOS process can produce devices with the packing density of 4-φ [illegible] equal or greater than conventional CMOS and power 1/2 to 1/4 PMOS. Figure 2-3 shows the circuit for a 4-φ CMOS gate. Note that the circuit is mechanized with one device per logic input and therefore maintains the 4-φ advantage in number of devices over conventional CMOS.

The precharge is the only P-channel device in the gate. The [illegible] is precharged throughout this device by a clock going to ground. The threshold drop encountered in a 4-φ PMOS gate is therefore eliminated. This permits a drop in supply voltages and clocks with a resulting decrease in power. Precharge speed is increased since the precharge device is operated in a grounded source configuration instead of as a source follower.

The isolation and logic devices are all N-channel devices. The higher mobility of N-channel devices over P-channel may be traded off several ways. By maintaining logic levels at the same voltage and device sizes the same as in PMOS gates, an increase of up to three times PMOS speed can be obtained. If the logic levels are maintained but the logic devices made as small as possible, the chip size can be reduced or the functional density increased. Some limited speed increase may still result. Finally, if supply and clock voltages are decreased, speed equivalent to PMOS gate can be obtained at about 1/4 power. Conventional CMOS output drivers would improve capacitive drive and could be used between 4-φ gates as required.

2.3 MEMORY TECHNOLOGY
2.3.1 Semiconductor Memories

Semiconductor memories have been limited in the past to scratch pad applications where extremely high speed was required. Low density, high power, and high costs barred them from other applications. Recent developments, particularly in the MOS area, have increased density and reduced both power and cost to a point where semiconductors are now replacing magnetics as main frame memories. This is especially true in small and medium size memories such as required in microprocessors and digital interface units. A summary of semiconductor memory device characteristics is given in Table 2-1. More detailed discussions of the various semiconductor technologies are presented in the following sections.
2.3.1.1 P-Channel MOS Memories - The highest density random access read/write semiconductor memories currently available are P-channel MOS devices. Devices for 64 to 1024 bits are currently available or will be in the very near future. PMOS memories are of two types: static and dynamic. Two 256-bit static memory devices are currently on the market. One is completely self-contained including address decode and I/O circuits. It is mechanized on a small 110 x 122 mil chip using the silicon gate MOS process. Access time is about 1 μsec and the power is 2 mw/bit during access and 50 μw during standby. The other static device does not include full address decoding or I/O circuitry. While this requires external decode and sense devices, it permits memory systems with access times as fast as 100 nsec. Power per bit is 1 mw and this may be reduced substantially by strobing the power to the chip. The power required for decode and sense must be added to the basic memory device power.
Dynamic memory devices differ from static devices in that they use the charge on a capacitor as the storage medium and require clocking at a minimum rate to retain information. Memories of 512 to 1024 bits per chip are practical using this technique. Several manufacturers, including Autonetics, are currently developing devices of this type. Autonetics' device contains 512 bits and requires three clock signals. The device includes partial address decoding and complete I/O circuitry. Two configurations have been designed; a 512 x 1-bit chip and a 64 x 8-bit chip. Access times including full address decode are less than 500 nsec. The power is 200 μw/bit when clocked at 1 Mhz. Substantial reductions in this power are possible by gating the clocks during standby. A 4096 word 32-bit memory system using these devices can have a standby power less than 400 mw. Such a system could be constructed using conventional flat packs on from 4 to 8 printed circuit boards.
As an example of the use of the Autonetics 512 word by one bit device, a 4096 word by 4-bit memory requires 32 devices (RWMD 30024) and two address decoder (AD 30021) devices. Three sections of the two address decoders perform a decode of the first 9 bits of address to form the X, Y, and Z inputs to each RWMD device. The fourth section of the two decoders decode address bits 10, 11, and 12 to form a device select of 1 of 8 blocks of 4 RWMD devices. All input signals can have a logic "0" of from 0 to +2 volts and a logic "1" from -5 to -25 volts.

Addressing of the memory cells is accomplished by address bits 1, 2, and 3 forming the 1 of 8 (X) select lines, bits 4, 5, 6, forming the 1 of 8 (Y) select lines, bits 7, 8, 9, forming the 1 of 8 (Z) select lines. The X, Y, and Z select lines will activate one of the 512 cells in each device. The 1 of 8 device selects will activate a block of 4 RWMD devices forming a 4-bit read or write cycle.
With the address, read command and clocks applied, a read cycle will occur. The information data output from the memory will be available at the output in less than 500 nsecs after the application of an address code. The readout is non-destructive so there is no need for a rewrite cycle after read. With a write command, address and clocks applied, a write cycle will occur.
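The X, Y, Z and block-select addressing described for the 4096 word by 4-bit memory, together with its read and write cycles, can be modelled as follows. This is an added example, not code from the report; it assumes address bit 1 is the least significant bit and that data bit i of a word is held in device i of the selected block.

```python
"""Added example: address decode for the 4096-word x 4-bit memory block.

Assumptions (not stated in the report): address bit 1 is the least
significant bit, and data bit i of a word is stored in device i of the
selected block of four devices.
"""

WORDS = 4096             # 12 address bits
DEVICES_PER_BLOCK = 4    # one 512 x 1-bit device per data bit
BLOCKS = 8               # chosen by address bits 10, 11, 12


def one_of_eight(address, first_bit):
    """Return the 1-of-8 line index encoded by three address bits.

    first_bit uses the report's numbering (bits 1..12).
    """
    return (address >> (first_bit - 1)) & 0b111


def decode(address):
    """Split a 12-bit address into X, Y, Z cell selects and a block select."""
    if not 0 <= address < WORDS:
        raise ValueError(f"address {address} outside 0..{WORDS - 1}")
    return {
        "x": one_of_eight(address, 1),       # bits 1, 2, 3
        "y": one_of_eight(address, 4),       # bits 4, 5, 6
        "z": one_of_eight(address, 7),       # bits 7, 8, 9
        "block": one_of_eight(address, 10),  # bits 10, 11, 12
    }


class Rwmd:
    """One 512 x 1-bit read/write memory device: 8 x 8 x 8 cells."""

    def __init__(self):
        self.cells = [[[0] * 8 for _ in range(8)] for _ in range(8)]

    def write(self, x, y, z, bit):
        self.cells[x][y][z] = bit & 1

    def read(self, x, y, z):
        # Readout is non-destructive, so no rewrite follows a read.
        return self.cells[x][y][z]


class Memory4096x4:
    """Eight blocks of four devices, 32 devices in all."""

    def __init__(self):
        self.blocks = [[Rwmd() for _ in range(DEVICES_PER_BLOCK)]
                       for _ in range(BLOCKS)]

    def device_count(self):
        return sum(len(block) for block in self.blocks)

    def write(self, address, value):
        if not 0 <= value < (1 << DEVICES_PER_BLOCK):
            raise ValueError("value must fit in 4 bits")
        sel = decode(address)
        for i, dev in enumerate(self.blocks[sel["block"]]):
            dev.write(sel["x"], sel["y"], sel["z"], (value >> i) & 1)

    def read(self, address):
        sel = decode(address)
        return sum(dev.read(sel["x"], sel["y"], sel["z"]) << i
                   for i, dev in enumerate(self.blocks[sel["block"]]))


def self_check():
    """Write a pattern to every word and confirm the decode is one-to-one."""
    mem = Memory4096x4()
    seen = {tuple(decode(a).values()) for a in range(WORDS)}
    for a in range(WORDS):
        mem.write(a, (a * 7) & 0xF)
    ok = all(mem.read(a) == (a * 7) & 0xF for a in range(WORDS))
    return len(seen), ok


if __name__ == "__main__":
    print(decode(0b101_011_110_001))
    print(self_check())
```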
These 4096 word blocks can be connected together to form larger memories with the special gate in each address decoder used to select the block of memory desired.

The most convenient building blocks using the above described memory devices contain 2 address decoders and 32 memory devices. Combinations of these blocks can be configured into any desirable size memory system. Receiver drivers may be needed when loads exceed the device drive capabilities. The number of devices needed for various configurations is given in Table 2-2.
TABLE 2-2. MEMORY DEVICE REQUIREMENTS

                        No. of Address   No. of 512 Word
                        Decoders         x 1-Bit Memory
                        (AD 20031)       Dev. (RWMD-30024)   Total Bits
                        2                32                  16,384
1024 words x 32 bits    3                64                  32,768
4096 words x 32 bits    12               256                 131,072
8192 words x 32 bits    24               512                 262,144
16,384 x 32 bits        48               1024                524,288
32,768 x 32 bits        96               2048                1,048,576
                        192              4096                2,097,152
r ies  that the low 
nt. Memories by nature a re  
ly the small  number of storage 
e a re  active. The great majority 
maintain the 
2.3.1.2 (continued)
CMOS memory devices still suffer from lower packing density than is possible from single channel [illegible]. The largest CMOS memory device reported is a 254-bit array on a 17,400 sq. mil die. Twelve FETS are required for each bit. Access time is approximately 305 nsec.
The above 256 bit array is not generally available today but it is reasonable to expect CMOS memories of this density to be producible in 1972. A 16-bit chip has been available for several years. Sixty-four bit memories have been developed and at least one manufacturer is expected to market such a device.

2.3.1.3 Bipolar Memories - In applications requiring high speed memory access, bipolar semiconductor memory circuits may be required. Several manufacturers are currently producing [illegible]-bit bipolar memory devices. The typical access times for these chips is 60 nsec. The penalty for this speed is power. Typical power dissipations are 5 to 6 mw/bit. Both conventional flat packages and beam lead chips are available. For extremely fast memories, 64-bit devices having access times of 5 nsec and requiring 10 mw/bit are available.
2.3.1.4 MOS Read Only Memories (ROM) - Very compact ROM's can be produced using the MOS technology. 4096 bit ROM's are currently available. MOS ROM arrays are very similar to diode arrays. The presence or absence of a MOS device or a diode denote whether a one or a zero is stored. A single bit of storage can occupy as little as 1.5 mils².

The 4096 bit array for ROM developed by Autonetics requires an area of only 64 x 96 mils. When the necessary decoders and drivers are added, the total chip area is a relatively moderate 130 x 150 mils. The ROM is organized as a 512 word by 8 bit memory. It is designed to require about 60 mw when operating at 1 Mhz. Standby power is virtually zero. Even when a memory system employing this 4096 bit ROM is active, the byte organization requires only three ROM's to be dissipating power at a time for a 24-bit word memory. A one-bit-per-word chip organization would require 24 ROM's active at a time for a 24-bit word memory.

The read access time for the 4096 ROM is less than 500 nsec with a total memory cycle time of about [illegible]. MOS ROM speeds are a strong function of the array size, larger arrays being correspondingly slower.
ies have been criticize 
and the d i f f i c u l ~  
ble interest  has 
mories  a re  non-volatile and have 
times a r e  expect be about 
write times have f a r  been very 
sidered only for 
[illegible] storage mechanism involves the switching of the threshold [illegible] field effect transistor. The hysteresis in this [illegible] the devices suitable for memory applications. [illegible] the array characteristics of the devices, a 32 x 2 bit [illegible] fabricated at Autonetics. Plans are underway to [illegible] array during the coming year. The array will require an approximate 100 x 100 mil die and will include full address decoders and the circuits necessary for reading and writing the array. [illegible] developmental. It cannot be considered as [illegible] significant risk.
Magnetic memories considered for this application may be broken down into three categories:
1. Core
2. Plated Wire
3. Thin Film
The major categories, of course, can be broken down into sub- 
re but for this study a "2-1/2 D" 
h case. This choice is best for 
K word and 14K word 
logy. Table 2-4 depicts 
ems. A separate table is not provided 
aeic items a re  the same as  for plated 
Id be smaller in size. 
ay, and power dissipation. 
oals of the recon- 
2.3.2.1 Reliability - A major item affecting reliability of a memory system is the number of connections in the memory element array. The plated wire or thin film technologies have an advantage of about 2-1/2 to 1 over a core system in this area due primarily to the number of memory elements that can be put on one plane. It was judged that core arrays no bigger than 128 x 144 could be used while plated wire or thin films could have 256 x 574 elements on a plane.

Another important item is electronic circuit complexity. Timing and control and sense amplifier circuits are about equivalent in all three technologies. Word circuits for a core system are increased by 50 percent and bit circuits by [illegible]00% to 300% over that required for plated wire or thin film. In addition, the semiconductors used for bit drivers in a core system must drive a much larger amount of current (by an order of magnitude) than the other technologies which result in larger devices or in devices being driven to a higher power level and hence, less reliable.

Perhaps a better way to compare circuit complexity than circuit counts would be to compare circuit board areas. This comparison shows about 50 percent less circuit boards are required for a plated wire or thin film memory for the larger memory capacities. This advantage decreases to 16 percent for the smaller memories. The major reason for this advantage of the plated wire and thin film memories is that more MSI/LSI can be used with them than with a core system due to the difference in bit current levels. A bit current of 40 ma can be driven through MOS multiplexer switches and bipolar MSI transistors but 400 ma levels required by core systems make LSI/MSI interfaces with the memory stack impractical.
2.3.2.2 Transient Failure Immunity - The NDRO capability of plated wire or thin film memories would minimize transient failures. The only guard that would need be put in a NDRO memory would be to make sure that a write cycle would continue to completion once it had started, thus insuring a memory word is not left in some undetermined magnetic state if power transients were experienced. A core memory, being DRO, would need to be protected such that the data is rewritten after readout if transients were experienced. Due to the power level required for a core system, a weight penalty would be paid in order to protect core memory contents from loss during transients.
2.3.2.3 Cost - It appears that core and plated wire memory systems will be equivalent in the larger capacities (16K words) and at speeds of 1 μs cycle times. Price-per-bit in either case should be about five-cents per-bit. Thin film memories would be roughly 2-1/2 times this cost. Smaller sized memories would be more expensive in all cases but the increase would probably be less with a core system than the other technologies since a 3-D coincident current organization could be used which would be more economical in the smaller [illegible] 2-1/2 D arrangement.
2.3.2.4 Growth Potential - Although none of the magnetic technologies lend themselves to true modularity, growth potential can be provided in [illegible]. For instance, a core system could be designed so that the [illegible] be increased by adding additional planes to the stack and [illegible] components to an electronics module to increase the [illegible]. An alternate would be to have growth potential components built [illegible] electronic circuit modules from the start so that only an increase in array planes would be required. In any event, if growth is desired [illegible] magnetic memory design should be optimized to include the growth [illegible] start rather than trying to make "add-ons" after the fact.
2.3.2.5 Volume and Weight - The volumes of both core and plated wire memories would be roughly equivalent for a 16K word memory capacity. A thin film unit would be on the order of 30 percent smaller. These estimates are based on space required for conventional multilayer type circuit modules in all cases. The plated wire array is assumed to be similar to that designed for present day avionics systems. The core stack is based on design numbers from core manufacturers. The thin film array is assumed to be about half the size of the plated wire array and to use the same circuitry as the plated wire system. Relative weights for a first order estimate would be proportional to the volumes.

2.3.2.6 Power - Plated wire and thin film memories have a large power advantage over a core system, requiring approximately 37 watts as compared to 295 for a 16K 36-bit system. This is due to two reasons:
1. Plated wire and thin films being NDRO require no restore cycle following readout but in a core system data must be restored after each information retrieval.
2. The digit drive is approximately 10:1 higher for a core system (460 ma vs. 40 ma). Since this current is required for each bit of the data word during a write (or restore) cycle, it is quite apparent why the core system dissipates so much more power. Word currents are about the same in each case.
2.3.2.7 Technology Criticality -

1. [illegible] - This memory technology is old [illegible] 1972, core systems will be about like today and will be able to meet the 1 μs speed requirement [illegible] a 2-1/2 D organization in a military environment. Therefore, [illegible] technical risk of using this technology is almost non-existent.

2. [illegible] - Plated wire is a production item at [illegible] in military systems are the [illegible] (Advanced Minuteman contract) and Poseidon memory. By 1972, several good sources for military systems should be available and the technical risk low.

3. Thin Film Technology - This technology is still "just around the corner" for most companies. Although many companies have done a lot of work on it and it has even been used in actual hardware, yield problems and low output signals still are not completely solved. For a system requiring very low power and very small size, this technology might be a good choice. However, there would be a development effort and a high technical risk.
2.3.2.8 Summary - Based upon the evaluation both plated wire and core memories could meet system requirements at low or no development risk. Although similar in some areas, plated wire memories have definite advantages in areas such as power, reliability, and transient failure tolerance. Therefore, it is recommended as the prime candidate for magnetic memory systems in the reconfigurable G&C Computer system.
2.4 MULTICHIP PACKAGING OF UNCASED DEVICES

Ever since electronic equipment designers became proficient in the use of semiconductor devices, they have been fascinated by the possibilities offered by the uncased device. They have compared the size of the chip with that of the packaged device and have visualized orders of magnitude reductions in the size of their equipments. Further, they have dutifully divided wafer costs by the number of die per wafer (suitably weighted by a yield estimate) and have decided that a significant cost is involved in packaging devices. Finally, they have counted the number of wire bonds required to electrically connect the chip to the pin-outs and have foretold large increases in reliability. Thus the multiple lures of reduced costs, reduced size, and improved reliability have been responsible for the generation of a wide variety of approaches to the utilization of uncased semiconductor devices.
Autonetics has been actively developing technology for multichip packaging of uncased devices over the last several years. Various approaches to many facets of this new technology are presently being investigated and applied to uncased MOS/LSI devices developed by Autonetics. One of the key factors being developed is that of device bonding. Device bonding refers both to die bonding--mechanically fastening of the device to the substrate, and to lead bonding--electrically connecting the die to the circuit. With discrete devices die bonding is usually an alloying procedure which provides a very good thermal path from the chip to the substrate but increases rework cost and time and precludes salvage of the chip for re-use or for post-mortem procedures. Organic plastics have been used for this purpose in various multichip packaging approaches. This enhances the rework procedure somewhat but generally involves relatively long curing cycles and destructive device removal. Current thinking is to eliminate die bonding and to rely on the lead bonds for mechanical strength. This is practical from the mechanical point of view; however, a penalty is incurred in terms of increased thermal resistance to the substrate. For the power levels being considered (1 watt/chip) this appears tolerable.

Although lead bonding has generally been done with "flying lead" [illegible] this approach is not compatible with elimination of die bonding. In addition it is usually considered to be expensive, subject to operator error in complex assemblies, and a historical source of unreliability. For these reasons this method of lead bonding is not considered for the approach to device bonding.
Thus the three device bonding methods considered to be available in a practical sense are:
1. Thermocompression, beam lead configuration;
2. Ultrasonic, flip chip configuration;
3. Solder reflow, flip chip configuration.

Of these three approaches the first and third, namely thermocompression beam lead and the solder reflow flip chip, appear to offer the most promise. Methods of packaging uncased devices can range from conventional looking flat packs on multilayer boards to stacks of ceramic substrates interconnected with side rails.

The reliability over wire bonded devices can be partially realized even if only one device is mounted per package. In this case one of the three bonds normally required per interface lead is eliminated. Some reliability is therefore gained but the individual packages must still be soldered or welded one at a time to a multilayer board. The potential size and weight advantages of beam lead devices are entirely lost in this one device per package configuration.
Another approach is to bond a few devices on a relatively small ceramic interconnecting substrate. These are then mounted in a protective package or can and the interface connections on the substrate are bonded to the leads on the can. The cans can then be mounted on printed circuit boards in the conventional manner. The printed circuit boards can usually be high reliability two sided instead of
because of the 
spy similar pac 
onnects made possible through 
's advanced avionics circuits 
to connect interface 
onal 6 to 2. The 
2-22 
C 7 0 -171 / 3 01 
2.4 (continued) bipolar ]IC's o r  12 OS LSB devices can be inter-  
connected on such a substrate. 
to  40. 
Substrate interface leads can be limited 
By making the ceramic substrate an integral part of the package, larger substrates with more devices can be utilized. A typical substrate of this type may be 2 x 2 inches and contain up to 40 devices. If the substrate is to be packaged singly some protective cover needs to be placed over the mounted devices with the substrate acting as the back of the package. The seal does not need to be hermetic since the devices can be nitride passivated. A portion of the edge of the substrate is left uncovered to provide connection to the outside world. This area can have fingers for mating with an edge connector. In this case the substrate becomes a miniature printed circuit board. If a large number of interface connections are required, however, more than one edge will be required and edge connection becomes awkward. An alternate is to place pins around the periphery of the substrate so that it can be plugged into a two sided printed circuit board. Perhaps four such substrates could be interconnected on one board.

To illustrate the kind of densities which can be achieved on large
ceramic substrates with beam lead or flip chip devices, two substrates
developed by Autonetics are described below. The first is for a 24-bit
parallel Central Processing Unit (CPU) using flip chip devices. This
CPU is mechanized with 23 LSIC's, some with more than 1000 Field Effect
Transistors per LSIC. The CPU was laid out and interconnected on a
one inch by two inch single side substrate in only two layers. The second
layer metallization is for the approximately 9000 crossovers. This layout
has been fabricated first using KMER as an insulation layer to evaluate
alignment and tooling problems, and secondly, using silicon oxide to
evaluate a practical insulation. The two mil lines and four mil
center-to-center line spacing in this substrate is desirable from the
function apportionment and MOS circuits; however, it is pressing the
state-of-the-art for low cost interconnection.

A read/write memory board has been laid out which will contain
32 Read/Write MOS memory chips and 2 address decoder chips. The
2 inch by 2 inch board size has 0.005 inch interconnection circuit lines
on 0.010 inch centers. The ceramic boards are metallized for chip
interconnections. Insulation dots and crossover conductors are used to
achieve specific patterns. The technology was developed by using a
crossover test pattern of 0.005 inch wide conductors (chromium, gold)
with insulation (silicon oxide) and 0.005 inch wide crossover conductors.
Vacuum deposition was used for the first conductor layer and insulation
dots. The crossover bridges were iron plated; this was necessary for
continuity of the bridges over the thick silicon oxide. All of these
materials were deposited, covered with a photo-resist, pattern exposed,
and etched.

Instead of packaging substrates singly, very compact systems can be
constructed by stacking substrates. This concept is particularly
applicable to all semiconductor computers where size and weight are
critical. In systems using magnetic memories, however, the advantages are
less apparent. The following paragraph illustrates this stacking concept
as applied to a 16-bit parallel computer.

The advanced package contains uncased MOS LSI circuits mounted on
ceramic printed circuit boards with beam leads and assembled into a
computer package. This packaging design was compared in detail with
conventional packaging methods (single 42 lead IC's packaged on
multilayer boards) and showed the following advantages: It required
one-hundredth the volume; one-tenth the weight; one-half the number of
thermocompression bond joints. An advanced package test model
demonstrated a temperature rise, between the heat sink and the component,
that was one-fourth the estimated thermal rise of the conventional package.
These savings are reflected in the improvement of the computer reliability
figure (17,481 hr MTBF as against 9016 hr MTBF for the conventional
package). This is the result of the reduction of bonding and solder joints
and the lower temperature at which the IC's are operating.

3.0 SUMMARY OF SYSTEM ANALYSIS AND TRADE-OFFS
This section covers a summary of the requirements analysis performed
in determining the guidance, navigation and control computer
requirements for the space station and the trade-offs conducted in order
to determine the hierarchy of the computational elements within the
system. The details of the analysis and results are presented in
Appendix 3.
3.1 BACKGROUND AND GROUND RULES 
The study dealt with the Guidance, Navigation and Control subsystems
of the Space Station. A functional diagram of the overall system is
presented in Figure 3-1. Earlier analysis has indicated the desirability
to dedicate a computer system exclusively for guidance and control
functions. This G&C computer is the central data processor for the G&C
subsystems containing various sensors and actuators required to perform
navigation and attitude control of the system. Data processing functions
associated with experiments and display and control functions are handled
by another computer complex called the Information Management Data
Processor. The latter provides mode control signals and receives
navigation data from the G&C computer.

A common multiplexed data bus provides a means of transferring
data between the subsystems and the guidance and control computer
complex. The data bus offers not only reduction in weight, volume and
power, but allows system flexibility permitting modifications and
additions, standardized interfaces and increased reliability.

The organization of the computer system offers several variations
between two extremes:
(1) A highly centralized system with a powerful computer complex
    which communicates directly with sensor elements and actuators.
(2) A highly decentralized system in which each sensor and actuator
    subsystem has its own local processor performing the control
    computations and checkout functions associated with that subsystem.

Between these extremes, there is room for several variations. For
example, the local processor could be nothing more than a data compression
and multiplexer device necessary for interfacing with the data bus. On the
other hand, it could be a general purpose computer consisting of a
processor, memory and "standard interface unit". The advantage of such
a system is that although it may require more hardware, it could prove to
be more cost effective because of the high degree of hardware
standardization. The detailed mechanization of the subsystem functions
could be handled by software, permitting ease and flexibility of
making changes without impacting the central data processor functions.
This approach has been made more attractive by recent advances in
digital computer technology which permit a substantial reduction of
size, weight and power through Large Scale Integration (LSI) in logic
and memory implementation.

FIGURE 3-1. GUIDANCE AND CONTROL SUBSYSTEM

The purpose of this portion of the study was to investigate the total
computational requirements of the G&C system and determine the degree
of decentralization. Four subsystems were selected for detailed
analysis: (a) Strapdown Inertial Reference Unit (SIRU); (b) Optical
Attitude Subsystem (OAS); (c) Control Moment Gyros (CMG's) and
(d) Reaction Control Subsystem (RCS).

The trade-offs were conducted keeping the following objectives in
mind:
    Reduction of development risk and cost by staying within
    projected 1972 technology.
    Reduction of management and technical interfaces between
    subsystems.
    Reduction of development costs by utilization of standardized
    hardware.
    Reduction of data rates on the I/O data bus.
    Reduction of cost of design changes through built-in flexibility.
3.2 BASELINE SYSTEM DESCRIPTION 
The baseline system as shown in Figure 3-1 consists of the
following sensors and actuation subsystems:
3.2.1 Strapdown Inertial Reference Unit (SIRU)
The inertial reference system uses six single degree of freedom
gyroscopes and six linear accelerometers in a dodecahedron array.
The instruments are of pulse-rebalance type. The principal merit
of this configuration is that it offers failure isolation of up to two out
of six of both types of instruments and continuous system operation
with up to three out of six failures. Furthermore, when all
instruments are operating, the redundancy permits cancellation of some
error sources associated with the strapdown operation.
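
The redundancy property stated for the dodecahedron array can be checked numerically. The following is an added example, not code from the report: it assumes the six input axes are the face normals of a regular dodecahedron, noise-free constructed readings, failures that occur one at a time, and a leave-one-out least-squares check as the isolation scheme (an assumption, not the report's own equations).

```python
# Added illustration: leave-one-out fault isolation for six sensors whose
# input axes are the face normals of a regular dodecahedron (assumed geometry).
from itertools import combinations
from math import sqrt

PHI = (1 + sqrt(5)) / 2
_RAW = [(0, 1, PHI), (0, -1, PHI), (1, PHI, 0),
        (-1, PHI, 0), (PHI, 0, 1), (PHI, 0, -1)]
AXES = [tuple(c / sqrt(1 + PHI * PHI) for c in a) for a in _RAW]  # unit axes


def det3(a, b, c):
    """Determinant of the 3x3 matrix with rows a, b, c."""
    return (a[0] * (b[1] * c[2] - b[2] * c[1])
            - a[1] * (b[0] * c[2] - b[2] * c[0])
            + a[2] * (b[0] * c[1] - b[1] * c[0]))


def min_triple_det():
    """Smallest |det| over all 20 axis triples; > 0 means any 3 sensors suffice."""
    return min(abs(det3(AXES[i], AXES[j], AXES[k]))
               for i, j, k in combinations(range(6), 3))


def solve(active, meas):
    """Least-squares body rate from the active sensors (normal equations)."""
    rows = [AXES[i] for i in active]
    n = [[sum(r[p] * r[q] for r in rows) for q in range(3)] for p in range(3)]
    b = [sum(AXES[i][p] * meas[i] for i in active) for p in range(3)]
    d = det3(n[0], n[1], n[2])
    out = []
    for p in range(3):  # Cramer's rule: replace column p by b
        m = [list(row) for row in n]
        for r in range(3):
            m[r][p] = b[r]
        out.append(det3(m[0], m[1], m[2]) / d)
    return tuple(out)


def residual(active, meas):
    """Norm of the measurement residual after the least-squares fit."""
    w = solve(active, meas)
    return sqrt(sum((meas[i] - sum(a * x for a, x in zip(AXES[i], w))) ** 2
                    for i in active))


def isolate(active, meas, tol=1e-6):
    """Return ('ok', None), ('isolated', index), ('detected', None) or ('blind', None)."""
    if len(active) < 4:
        return ("blind", None)      # three sensors: no redundancy left to test
    if residual(active, meas) <= tol:
        return ("ok", None)
    if len(active) == 4:
        return ("detected", None)   # every 3-subset fits exactly, cannot isolate
    suspects = [i for i in active
                if residual([j for j in active if j != i], meas) <= tol]
    return ("isolated", suspects[0]) if len(suspects) == 1 else ("detected", None)


def measure(rate, faults):
    """Constructed readings; faults maps sensor index -> additive bias."""
    return [sum(a * x for a, x in zip(AXES[i], rate)) + faults.get(i, 0.0)
            for i in range(6)]


def run_scenario():
    """Fail sensors 2, 5 and 0 in turn and record what the check can conclude."""
    rate = (0.010, -0.020, 0.005)   # rad/s, constructed
    active, faults, log = list(range(6)), {}, []
    for bad in (2, 5, 0):
        faults[bad] = 0.01
        verdict = isolate(active, measure(rate, faults))
        log.append(verdict)
        if verdict[0] == "isolated":
            active.remove(verdict[1])
    return log, active
```

The first two failures are isolated and removed; the third is detected but cannot be isolated by redundancy alone, and a rate solution from the three remaining good instruments is still available once the failed unit is identified by other means.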
3.2.2 Optical Attitude Sensors (OAS)
The OAS subsystem includes both star trackers and horizon
scanners. The star tracker measurements are used to provide attitude
corrections while horizon scanner measurements are combined with
computed state vector to update the estimate of the space vehicle state.
Two two-degree of freedom gimbal systems are used to hold two star
tracker heads and two horizon scanner heads with each head mounted
rigidly with respect to others.
3.2.3 Control Moment Gyros (CMG's) 
The CMG subsystem was assumed to have three two-degree of
freedom control moment gyros configured for zero net angular
momentum at gimbal nulls for purposes of accommodating local
vertical and artificial "g" mission modes. The subsystem is used for
attitude hold and low rate maneuvering. When the gyro gimbal output
axes have precessed away from the nominal value, momentum dumping
or desaturation is implemented with the RCS subsystem to restore the
gimbal output axes to the vicinity of their original position.
3.2.4 Reaction Control Subsystem (RCS) 
The Reaction Control Subsystem contains sixteen (16) reaction
jets arranged in four orthogonal quad stations. The jets are arranged
to produce pure couples about the three control axes under normal
operation. The RCS is used to remove high rate transients, provide
higher attitude maneuver rates, desaturate the CMG's and provide
translation for orbital makeup/stationkeeping. A dual bi-propellant
source is available to each RCS station and the distribution is controlled
by quad valves in each propellant line. Each jet is assumed to be
locally controlled by quad valves (series-parallel) in each of the fuel
and oxidizer lines.
3.2.5 Rendezvous Sensor
The Rendezvous Sensor is used to provide on-board generated data
with respect to distant shuttle vehicles. The data generated include
range and two line-of-sight angles to the shuttle vehicle.
3.2.6 Docking Sensor
The Docking Sensor subsystem generates the necessary data for
performing control during the final phases of docking. Four sets of
docking sensors are shared among various docking ports. They provide
e and two line-of-sight angles to the shuttle vehicle.
3.2.7 The Balance Control Subsystem
The Balance Control Subsystem will compensate for large shifts
of mass on the Space Station such as shuttle vehicle docking and undocking
or elevator or cargo motion. It is required only in the artificial "g" mode.

3.3 MISSION DESCRIPTION
The Space Station is expected to operate in a circular 200 - 300 mile
orbit of 55 degree inclination with added capability for polar orbits. The
mission can be broken down into four major phases: Prelaunch, Boost,
Orbit Injection and Orbital Coast. The on-board G&C system, after
participating in prelaunch checkout, will remain passive during launch
until the orbit has been established. All G&C functions are being
controlled by the booster during this phase. Immediately prior to transfer
of control, the Space Station G&C system will require activation and
checkout. After control is transferred, the G&C system will perform
functions of attitude control and navigation in an unmanned orbital
coast condition. References for attitude control may consist of the
initial reference upon control transfer (inertial or local level) as well
as other inertial or local level references to be executed upon
subsequent command. The navigation function is to perform orbit
determination in a primary role and to receive ground track update as an
incidental role. The duration of unmanned operation is expected to be
less than two days. Upon a command from an approaching Logistics
Vehicle, the Space Station will hold the commanded attitude preparatory
to docking and transition.

After manned entry to the Space Station, an interval of familiarization
and checkout will require the G&C system to perform attitude control and
navigation during orbital coast, similar to unmanned operation but with an
additional provision for manual inputs.

After the familiarization interval, the booster undergoes end-to-end
transposition under manual control. Next, the booster and Space Station
combination is deployed and spun-up with the G&C system's only
requirement during spin-up being to provide and maintain commanded
spin rate. The combination is spun for artificial "g" assessment during
the first month of manned operation. During this time the G&C system
is to provide balance control for wobble damping, maintain commanded
spin rate (approximately 4 RPM), and correct for spin axis precession
within prescribed limits. The G&C system is not required to perform
navigation or state vector determination of Experiment Modules during
the artificial "g" period. After the combination is despun and retracted,
a zero "g" configuration under manned operation will commence.

The zero "g" operation will consist of orbital coast with the G&C
system performing functions of attitude control and navigation. Attitude
reference may include local level (earth), inertial, and solar inertial.
In addition, the G&C system will perform functions of state vector
determinations of co-orbiting vehicles, calculations of transfer impulses
pursuant to rendezvous or dispatch, steering commands to incoming
vehicles during rendezvous, and translation (steering) and attitude
commands to docking vehicles. Also, the G&C system will compute and
issue stationkeeping commands to the reaction jets. Since the force
levels will be relatively small and stationkeeping may be considered
as continuous operations (being inhibited only by on-board experiments,
convenience of system momentum budgets, or convenience of orbital
angle) it is considered as a task to be performed during orbital coast
rather than defined as a separate mode.

The orbital coast phase is the phase of primary concern for this
study and is used to estimate the basic memory size, speed, and signal
interface requirements for the computer system. Furthermore, there
is no differentiation between the unmanned mode and the manned mode
for this phase since the unmanned mode is considered a subset of the
manned mode.

3.4 FUNCTIONAL REQUIREMENTS
The functional requirements imposed on the G&C computer system
are shown in the top flow diagram for the overall system mechanization -
Figure 3-2. To determine the computer requirements, detailed flow
diagrams at further levels of detail were developed to determine the
relationship between each computational subtask. Figure 3-3 presents
an example of the first level of detail for the attitude determination
function. For functions involving the SIRU, OAS, RCS and CMG's,
mechanization equations were developed for each major block of the
flow diagram and estimates were made of the number and types of
instructions necessary to solve each equation. For the remaining functions,
data from previous computer programs were extrapolated or new equations
were derived in cases where no previous data existed. The results were
compiled in terms of computer memory requirements (instructions,
constants, and data) and the number of times each instruction was
executed per second. The latter figure was normalized to equivalent
short instruction rates, which corresponds to a number of short
instructions, such as Add, per second. A long instruction, such as
Multiply, was assumed to require twice the time for execution as compared
to a short instruction.

A brief description of the computational functions and the method of
estimating computer requirements are described below:

FIGURE 3-2. G&C TOP FLOW DIAGRAM
(Blocks: Prelaunch Program Module; Attitude Determination; Navigation
Determination; Artificial "G" Mode; CMG Controller; RCS Controller;
Terminal Rendezvous)

FIGURE 3-3. ATTITUDE DETERMINATION FLOW DIAGRAM - FIRST LEVEL

3.4.1 Attitude Determination 
The prime purpose of this function is to provide the direction cosines
for attitude control of the space station/logistics vehicle. For this study,
control was provided in both inertial and local level. The two subsystems
used in performing this function are the SIRU (Strapdown Inertial Reference
Unit) and OAS (Optical Attitude Sensor). A first level flow diagram for
attitude determination is shown in Figure 3-3. This diagram presents an
example of the first level of detail in determining the computational
requirements. The computer functions can be broken down into the following
major computational blocks:
a. Gyro filter equations
b. Failure detection and isolation equations
c. Star selection routine
d. Star pointing command and control
e. Star tracker failure detection
f. Direction cosine update equations
g. Direction cosine orthogonalization
h. Star tracker measurement update equations
3.4.2 Navigation Determination 
The purpose of this function is to estimate and update the space
station position and velocity relative to the reference system. Again,
the SIRU and OAS subsystems are used exclusively in computing these
data. It includes the following functions:
a. Accelerometer filter equations
b. Failure detection and isolation equations
c. Delta velocity update
d. Position and velocity update
e. Integration routines
f. Polynomial prediction coefficients
g. Horizon scanner command and control
h. Horizon sensor scanning angles
i. Measurement angle computations
j. State update measurement equations
3.4.3 Maneuver Determination 
This function generates the CMG's and/or RCS steering command
signals for attitude and/or navigation corrections. The control law
assumed for this study uses proportional plus rate and is based on the
phase plane relation to minimize limit cycling. This function provides
for various steering modes including:
a. Hold attitude (fine or coarse)
b. Low rate maneuver (employing CMG's)
c. High rate maneuver (employing RCS)
d. CMG desaturation maneuver
e. Manual/automatic outer-loop commands
3.4.4 Artificial "G" Mode 
The purpose of this function is to perform both the static and
dynamic computational requirements necessary for balance control.
Balance control may be viewed in two parts as static balance and
dynamic balance. Static balance, insofar as practical, should be
viewed as a pre-spin-up activity. However, if the "g" forces during
spin-up are conducive to static balance transfer, then static balance
may include the initial time period of spin. Static balance
requirements could be viewed as a non-G&C system responsibility since a
different system may contain the status of housekeeping layout and the
extent of consumables. However, in the sense that minimizing static
unbalance will minimize dynamic balance requirements, there is some
justification for the G&C computer to compute static balance
requirements. The computer requirements are estimated based on a model
utilizing the following assumptions:
a. Spin rate control, spin-up deployment (such as cable length
   control if required), and spin-down retraction control are
   not considered a part of the balance system.
b. The CMG's will be used for wobble damping and other cyclic
   effects.
c. The RCS will be used for long-term drift effects such as
   spin-axis precessing and/or for high attitude rates.
d. A second order compensation will be considered adequate for
   the dynamic conditions with associated time lags between
   sensor response to torque generation as well as geometric
   displacement due to spin. Although the effects will not be
   comparable in all three axes, the computation requirement
   may be treated similarly.
e. Five spin rate conditions will be assumed in keeping with
   artificial "g" assessment at different levels. This assumption
   will correspond to five sets of constants for compensation.
3.4.5 CMG Steering
The function CMG Steering is mechanized using the H-vector control
law to generate the appropriate CMG torque and momentum errors for
the attitude control of the space station, and to provide for desaturation
of the gyros. This function is broken down into the following subfunctions:
a. Control mode actuation logic
b. Torque error computations
c. Momentum error computations
d. Desaturation sensitivity logic
e. Failure detection and isolation
f. Reconfiguration model and logic
3.4.6 RCS Steering
The purpose of the RCS Steering function is to provide the necessary
logic and computations to compute the torque and force commands, and the
engine valve control, and provide failure detection, isolation and
reconfiguration of the reaction control system. It is made up of the
following subfunctions:
a. Control mode actuation logic
b. Torque and/or Force computations
c. Engine valve control logic
d. Failure detection
e. Failure isolation
f. Reconfiguration
3.4.7 Experiment Module Update
The purpose of this function is to provide the necessary logic and
computations to update the state vectors of the experiment modules
(2 modules plus 1 taxi). The exact mechanization for this function is
outside the scope of this study. However, for purpose of estimating,
the space station's state vector computation in combination with update
measurement equations for the rendezvous radar was used.
3.4.8 Module Dispatch
The purpose of this function is to provide the capability to align a
simple inertial reference on board the taxi vehicle and provide appropriate
commands to transport the experiment module to and from the space
station via the taxi. A gross estimation was made using alignment
procedure data from previous studies combined with simplified command
and control equations for a co-orbiting vehicle.
3.4.9 Terminal Rendezvous
The purpose of this function is to compute the rendezvous radar look
angles, process the return angles, and compute the command and control
signals necessary to position the external vehicle (shuttle/taxi) in a
pre-docking stationkeeping window. Extrapolation of Apollo information and
simplified equations were used for computer requirements estimate.
3.4.10 Docking 
The Docking function is mechanized to execute the necessary logic
and computations for performing the transition from rendezvous to
docking (and vice versa), and establish appropriate monitoring to
provide six degree-of-freedom command and control necessary to
docking the external vehicle. Limited data is available on automatic
docking. Apollo docking has been manual. Some work has been
performed on the AAP (Apollo Applications Program) towards automatic
docking, however, no work has reportedly been done relative to AAP
computer sizing and the information is not readily available. Therefore,
in order to establish representative computer requirements, automatic
docking equations were generated based on a 6-degree of freedom
automatic docking model.
3.4.11 Computer Housekeeping 
Computer housekeeping is defined as including the following functions:
a. Program Executive
b. Computer Diagnostics
c. Utility Routines
d. Input/Output Storage and Control

The estimates provided for each of these functions are based on
previously mechanized programs of comparable complexity and magnitude
(e.g., F-111 Avionics System).

The executive, as estimated, is structured to provide such functions
as power-up power-down sequence, real-time clock control, job
scheduling, transient control, etc. An estimate of 1200 words is
allocated for this function.

The estimate for performing computer diagnostics is set at 1200 words.
This estimate is considered sufficient to cover normal memory, CPU, and
I/O type diagnostics.

The estimate for the utility package (1200 words) is slightly higher
than the normal avionics package due to an increase in additional utility
functions.

The I/O estimate is based on the number of signals requiring
storage not covered by the operational estimates. A typical example
is the status monitoring words associated with each of the various
subsystems and associated instructions for alerting the executive
program. Also included are the command instructions for handling
the data bus traffic. The estimate is based on previous I/O
mechanizations which vary as a function of computer organization. The
estimate given (900 words) is considered reasonable.

3.5 COMPUTER REQUIREMENTS
The results of the central G&C computer requirements analysis are
presented in Tables 3-1 and 3-2. Table 3-1 represents computer
requirements for a system without local processing capability at the
subsystem level while Table 3-2 represents the other extreme, where the
central processor functions have been minimized by performing as many
functions at the subsystem level as possible. For the second case, only
four subsystems were selected as candidates for performing computations at
subsystem level and were subject to detailed analysis and trade-offs:
SIRU, OAS, RCS and CMG's. Therefore, the computer requirements were
grouped into two categories: one category of computer functions which
could be performed at the central computer or in the subsystem itself,
which were the subject for the detailed computational allocation
trade-offs between the subsystems and the central computer complex, and the
second category of computations which were not subject to a trade-off
analysis.

The first category involves the RCS, CMG's, SIRU, and OAS
subsystems and includes the following major functions:
a. Attitude Determination
b. Navigation Determination
c. Maneuver Determination
d. CMG Control
e. RCS Control

The remaining functions, which deal with the outer-loop command
and control requirements, are categorized as follows:
a. Experimental Space Module Updates
b. Taxi (co-orbiting shuttle) Alignment
c. Terminal Rendezvous
d. Docking
e. Balance Control

The computer requirements for the functions performed in the first
category are 17,400 words of memory and 814,800 equivalent short
operations per second.

The requirements for the category two functions are 21,200 words
of memory and 79,200 short operations per second. The requirements listed
as background in Table 3-1 are computations scheduled at intervals much
greater than once per second (e.g., once every 1000 seconds). A design
allowance for performing these functions and for non-periodic functions
as rendezvous and docking is estimated for background operations.
Typical background computations include, for example, star selection,
star pointing, star tracker failure detection, direction cosine
orthogonalization and attitude update. The twenty percent duty cycle
allowance is also intended to accommodate reconfiguration functions which
are exercised only in case of a computer failure.

The estimated computational requirements for the case having
maximum preprocessing at the subsystem level are given in Table 3-2.
In this case, only those functions dealing explicitly with the SIRU, OAS,
CMG's and RCS are examined, with the carry-over of requirements from
Table 3-1 for the remaining functions. It must be noted that in providing
this estimate, little consideration is given here with respect to the
computer size and/or speed necessary at the subsystem level to arrive
at these values. Such considerations are presented in the following
section. The estimates provided in Table 3-2 are 7,100 words of memory
storage and 263,800 short operations per second. This means that by
preprocessing at subsystem level for the four specific subsystems
investigated, the central computer requirements can be reduced by 10,300
words of memory and 604,000 equivalent short operations. The significant
reduction in requirements is the effective reduction of speed to the level
where it is well within the state-of-the-art of aerospace computer
technology. The reduction in memory capacity at the central computer
will become more significant when one considers the fact that the central
computer complex will be mechanized with redundant computers, while
at the subsystem level the degree of computer redundancy might be lower
than at the central processor.
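
The sizing figures quoted in Section 3.5 can be cross-checked against Tables 3-1 and 3-2. The following is an added example, not part of the report: the storage and speed values are those of the two tables, while the function names and the sample instruction mix in the usage are hypothetical.

```python
# Added illustration: roll-up of Tables 3-1 and 3-2 and the short-instruction
# normalization of Section 3.4. Names are hypothetical; numbers are the tables'.
LONG_WEIGHT = 2  # a long instruction (e.g. Multiply) counts as two short ones


def equivalent_short_ops(short_per_pass, long_per_pass, passes_per_sec):
    """Equivalent short operations per second for one computational block."""
    return (short_per_pass + LONG_WEIGHT * long_per_pass) * passes_per_sec


# module -> (storage words, thousands of equivalent short operations per second)
MIN_PREPROCESSING = {            # Table 3-1, items 1-5
    "attitude": (3400, 320.0), "navigation": (4100, 170.0),
    "maneuver": (1100, 60.8), "cmg": (3100, 64.0), "rcs": (5700, 200.0),
}
MAX_PREPROCESSING = {            # Table 3-2, items 1-5
    "attitude": (2100, 130.0), "navigation": (2900, 40.0),
    "maneuver": (1100, 60.8), "cmg": (400, 8.0), "rcs": (600, 25.0),
}
CATEGORY_2 = (21200, 79.2)       # items 6-14, identical in both tables
BACKGROUND_KOPS = {"min": 120.0, "max": 67.0}   # item 15


def rollup(category_1, background_kops):
    """Subtotal 1 and grand totals for one table."""
    words = sum(w for w, _ in category_1.values())
    kops = sum(k for _, k in category_1.values())
    return {
        "cat1_words": words,
        "cat1_kops": round(kops, 1),
        "total_words": words + CATEGORY_2[0],
        "total_kops": round(kops + CATEGORY_2[1] + background_kops, 1),
    }


def central_savings():
    """Reduction at the central computer when the subsystems preprocess."""
    a = rollup(MIN_PREPROCESSING, BACKGROUND_KOPS["min"])
    b = rollup(MAX_PREPROCESSING, BACKGROUND_KOPS["max"])
    return {key: round(a[key] - b[key], 1) for key in a}


def offload_by_module():
    """Per-module (words, kops) moved out of the central computer."""
    return {name: (MIN_PREPROCESSING[name][0] - MAX_PREPROCESSING[name][0],
                   round(MIN_PREPROCESSING[name][1] - MAX_PREPROCESSING[name][1], 1))
            for name in MIN_PREPROCESSING}
```

The quoted 10,300-word reduction is the difference of the category-one subtotals, while the quoted 604,000 operations per second is the difference of the table totals including the background allowance; the category-one speed subtotals alone differ by 551,000.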

3.6 COMPUTATIONAL ALLOCATION TRADE-OFFS
The objective of the computational allocation trade-offs was to
determine the best allocation of computations between the central G&C
computer system and local processors dedicated to the following
subsystems: SIRU, OAS, RCS and CMG's. The local processor appears to
perform certain functions better than the central processor. For example,
such items as signal formatting, data reduction, self-test and performance
monitoring can reduce the complexity of this central computer, reduce I/O
bus data rates, and offer better subsystem isolation such that subsystem
changes will result in no or minimum changes in the central
computer software. In the previous section, the computational tasks
which could be subject to allocation trade-offs were identified and
grouped into category 1. This trade-off phase was concerned with the
problem of determining the best split of these tasks between the central
processor and the local processor dedicated to each of the four subsystems.

TABLE 3-1
ESTIMATED COMPUTER REQUIREMENTS
MINIMUM PREPROCESSING

                                                Iteration   Equivalent Short
                                  Storage       Rate        Operations Per
Program Module                    Requirements  No./Sec     Second x 10^-3
 1. Attitude Determination         3,400        100          320
 2. Navigation Determination       4,100        100          170
 3. Maneuver Determination         1,100        20/200        60.8
 4. CMG Control                    3,100        20            64
 5. RCS Control                    5,700        10/200       200
    Subtotal                      17,400                     814.8
 6. Exp. Module Update             4,000
 7. Taxi Module Align              1,000
 8. Rendezvous                     3,000
 9. Docking                        2,200
10. Balance Control                6,500
11. Executive                      1,200
12. Diagnostics                    1,200
13. Utility Routines               1,200
14. I/O Control                      900                      12
    Subtotal 2                    21,200                      79.2
    Subtotal 1                    17,400                     814.8
15. Background                       *                       120
    Total                         38,600                    1014.0
* Storage requirement included with other (1-14) tabulation.
[Iteration rates 20, 1, 20, 20 and short-operation figures 41.8, 13.2,
12.2 also appear for items 6-14; their row assignment is not recoverable
from the source.]

TABLE 3-2
ESTIMATED COMPUTER REQUIREMENTS
MAXIMUM PREPROCESSING

                                                Iteration   Equivalent Short
                                  Storage       Rate        Operations Per
Program Module                    Requirements  No./Sec     Second x 10^-3
 1. Attitude Determination         2,100        100          130
 2. Navigation Determination       2,900        100           40
 3. Maneuver Determination         1,100        20/200        60.8
 4. CMG Control                      400        20             8
 5. RCS Control                      600        10/200        25
    Subtotal 1                     7,100                     263.8
6-14. Subtotal 2                  21,200                      79.2
15. Background                       -                        67
    Total                         28,300                     410.0
The following objectives and criteria were established for performing
these trade-offs.

1. Minimization of hardware complexity.
2. Minimization of I/O data rates.
3. Minimization of management interface affecting:
   (a) Number of interface signals
   (b) Technical data exchange
4. Minimization of central computer load.
5. Maximum reliability.
6. Maximization of programming efficiency including impact
   of program changes.
The computational blocks which could be located either in the local
processor or the central computer were listed and were grouped in such
a way that they were consistent with the basic objectives of the study.
The requirements for the local processor were then determined in terms
of memory (both read-only memory for program storage and constants,
and read-write memory for data and variables), speed (equivalent short
operations per second), I/O bus data rate (number of 16 bit words/sec.),
and number of interface signals (data control commands, discretes, etc.).
The computational allocation was then selected that satisfied best the
evaluation criteria.
3.6.1 CMG's and RCS Trade-offs
The computational requirements estimate for the CMG's was conducted
in accordance with the H-vector control law. Failure detection and
re-configuration was based on comparing measurement data of 30 signals
against the response of a simulated model subjected to the same input
error signals. The technique was based on the capability to reset the
model on desaturation of the CMG's, respectively, thus always having
a base reference to reset the open-loop model. The RCS configuration
consisted of four (4) engine stations having four (4) bi-directional
engines per station. Failure and isolation was implemented by monitoring
transducers (pressure and temperature) strategically located in the dual
redundant bi-propellant fuel lines, across the quad-redundant control
valves, and on the engines themselves. Both subsystems, as previously
mentioned, have their associated computation requirements divided
into six major computational program modules as listed:
     CMG's                               RCS
A    Control Mode Detection              Control Mode Detection
B    Torque Error Computation            Torque/Force Computation
C    Momentum Error Computation          Engine Valve Control
D    Desaturation (Momentum Dump)        Failure Detection
E    Failure Detection & Isolation       Failure Isolation
F    Reconfiguration                     Reconfiguration
Ten (10) different combinations of these modules from maximum to
minimum were evaluated for both subsystems respectively. Of the ten
different cases, six (6) each are selected for discussion here.
3.6.1.1 CMG's - The amount of preprocessing estimated for the CMG's,
Figure 3-4, does not impose any real stringent requirement if all of the
processing were performed at either the subsystem level or in the central
processor. However, in viewing the criteria of minimizing the load on
the central computer and minimizing management interface, processing at
the local level is recommended. In allocating the most optimum split and
in keeping with the trade-off criteria (minimum I/O data rates and number of
data signals) the suggested split is the allocation configuration given for
case 3, where:

Allocation       Computational Program Modules
Configuration    Performed at Subsystem Level
     1           None
     3
     5
     6           E
3.6.1.2 RCS - The allocation configurations evaluated for the RCS are
given in Figure 3-5. However, the requirements estimated and presented
in this figure represent an LP (Local Processor) configuration having
triple redundancy and servicing all four stations. In this configuration,
the requirements are considered to be a maximum and relatively
stringent on the local processor. However, based on the same
attributes given for the CMG's, case three is recommended as the
optimum split, where:

Allocation       Computational Modules
Configuration    Performed at Subsystem Level
     1           None
     2           A, B, C, D, E, F
     3
     5

FIGURE 3-4. CMG COMPUTATIONAL REQUIREMENTS
VERSUS PROGRAM ALLOCATION
(horizontal axis: computational allocation 1 through 6)

FIGURE 3-5. RCS COMPUTATIONAL REQUIREMENTS
VERSUS PROGRAM ALLOCATION
(horizontal axis: computational allocation 1, 2, 3, 3A, 4, 5, 6)
A second LP configuration (3A) became very attractive and was
evaluated later in the study. This configuration consisted of dual LP's
located at each engine station. In this configuration, the requirements
imposed on the LP were reduced significantly in the area of memory and
speed, especially (See Figure 3-5). The reduction is attributed to the
distribution of failure detection and reconfiguration requirements over
four (4) separate LP configurations. This configuration is much more
desirable in that it reduces the LP requirements to be within those
specified for the CMG's (commonality), and from the aspect of having
the computers located near each engine station. That is, the engine
stations are separated by many feet and would need long leads or a
sophisticated sub-multiplexing system for data transfer between station
electronics and the centrally located LP complex.
The recommended configuration and allocation split is still in
conformance with case 3 above. This allocation offers the same attributes
previously discussed with an even greater magnitude. A larger number
of the data signals (152) estimated, represent failure and reconfiguration
flags (discrete signals) and are anticipated as a requirement for
on-board checkout recording where processing is performed at the subsystem
level. The data rates and data signals are somewhat higher when
considering four LP locations as opposed to one.
3.6.2 SIRU and OAS Trade-offs
The computational requirements estimated for the SIRU and OAS
center around performing the inner-loop attitude control functions and the
outer-loop guidance/navigation functions. For the candidate systems
specified, the following computation modules were selected as appropriate
break points in the various computations for allocation trade-offs.
SIRU
A. Filter Instrument Outputs
B. Failure Detection and Transformation to Body Coordinates
C. Direction Cosine Matrix Update
D. Direction Cosine Orthogonalization
E. Generation of Attitude Error Signals

OAS
A. Failure Detection
B. Compute Horizon Sensor Scanning Angles
C. Process Measured Data
D. Compute Horizon Sensor Pointing Angles and Rates
E. Compute Star Tracker Pointing Angles and Rates
F. Make Star Selection

A basic ground rule in making these allocations was to assign to the
central computer those computations that are independent of data from
the subsystems and/or computations that involve one or more
sensors. And in keeping with this rule, the following computations are
explicitly assigned to the central computer:

1. Attitude Update Using Star Tracker Data
2. Integrated Position and Velocity
3. Position and Velocity Update from Horizon Measurement
4. Maneuver Determination
The trade-offs for both subsystems involved sequentially cascading
each of the modules into the LP and accumulating the memory and speed
requirements and defining the interface for each module.
3.6.2.1 SIRU - The requirements with respect to minimum preprocessing
at the subsystem level, as shown in Figure 3-6, involves only the data rate
and data signal requirements necessary to perform the computations in the
central computer. In this configuration, it is recommended, however, to
accumulate the foregoing pulses at the subsystem level for an obvious
reduction in the data rates. That is, the 10 kc accelerometer pulses
should be accumulated and transmitted at the update rate commensurate
with the direction cosines (specified at 100 times/sec. per this study).
For the case where maximum processing is performed at the
subsystem level, configuration 6, the speed requirement is approaching the
state-of-the-art. The major contributing factor for the excessive speed
requirement is the 100 times per second update rate assumed for this
study. An analysis, although very limited, indicates that an update rate
of ten (10) times per second in the case of the space station environment
would be more than adequate for both the inner and outer-loop control.
For this reason, along with the above mentioned
attributes, the recommended computational allocation is configuration 5
which includes all but one of the five program modules given,
where:

Allocation       Computational Program Modules
Configuration    Performed at Subsystem Level
     1           None
     2           A
     4
     6           A, B, C, D, E

Generation of the attitude error signals, program module E,
is recommended as being performed in the central computer. The
argument here is that the error signal outputs are required for CMG
and RCS actuation commands and effectively come under the basic
ground rule of two or more subsystem involvement. If the update rate
were reduced from 100 to 10 times per second, the LP configuration
recommended, Case 6, would fall into or below the same class of LP
recommended for the CMG's and RCS. In any case, a minimum
reduction of two to one for the update rate is recommended based on the
analysis performed under this study. The attributes concerning the
recommended case are typical of those given for the CMG's. That is,
subcontractor isolation, ease of subsystem buy-off at subcontractor's
facility, minimum total system integration problems, and process
designing amenable to the subsystem redundancy.
3.6.2.2 OAS - The system mechanization employed in this study
requires measurement data from both the star tracker and horizon
scanner at nominally very slow rates (on the order of once every 100 seconds
and greater). Consequently, recommending the use of local processing is
totally based on reduction of management interface and failure detection
and isolation at the subsystem level. Figure 3-7 presents the results for
the cases evaluated under this study. In any event, Case 7 is suggested
as an optimum split relative to unloading the central computer and
reducing management interface, where:

Allocation       Computational Modules
Configuration    Performed at Subsystem Level
     1           None
     2           A
     7           A, B, C, D, E, F

FIGURE 3-7. OAS COMPUTATIONAL REQUIREMENTS
VERSUS PROGRAM ALLOCATION
(horizontal axis: computational allocation 1 through 7)
3.7 SUMMARY AND CONCLUSIONS
The foregoing analysis indicates that the central G&C computer
requirements can be reduced to a level where they are within the
state-of-the-art of present aerospace computer technology by employing local
processors in subsystems. By allocating the computations, as shown in
Fig. 3-8, the central computer complex will require as a minimum 29,600
words of memory and be capable of executing 500,000 operations per
second with the recommended computational allocation. The data rate
requirement for the I/O data bus is reduced to approximately 88,000 bits
per second. This figure represents only the actual data transmitted and
does not include any overhead such as control, address and error detection
and/or correction bits. A standardized local processor design with
functional characteristics shown in Table 3-3 can satisfy the preprocessing
requirements of the subsystems investigated without resulting in a
proliferation of on-board computer systems and excessive development costs.
The local processor can be mechanized with state-of-the-art LSI technology
and would introduce no significant size, weight and power penalties in the
overall G&C system.
The approach offers several advantages over conventional centralized
computer organizations presently employed in aircraft avionics systems:

1. Reduction of Development Risk. The requirements can be met by
   state-of-the-art computer technology of moderate speed and
   memory capacity.
2. Management Interface Clarity. The subsystem interfaces are
   reduced to a level where they can be explicitly defined early
   in the program. Subsystem checkout and sell-off is greatly
   simplified by this approach.
3. Reduced Data Bus Rates. The traffic on the data bus is
   greatly reduced. A bus system designed for 1 MHz data
   rate can adequately handle any overhead and expected growth
   requirements.
4. Reduced Development Cost. Standard local processor design
   will reduce or eliminate requirements for any special purpose
   logic required at the subsystem level.
5. Flexibility. Most subsystem hardware changes can be absorbed
   by the local processor programs and will not reflect back into
   the central computer programs.
6. Growth Potential. The system can be expanded easily by adding
   more local processors.
7. Programming Ease. The subsystem supplier can program his
   own local processor, since he is most familiar with the computer
   requirements at that level and will be able to handle subsystem
   changes at minimum cost.

CENTRAL COMPUTER COMPLEX
   ATTITUDE UPDATE USING STAR TRACKER DATA
   INTEGRATED POSITION AND VELOCITY
   POSITION AND VELOCITY UPDATE
   MANEUVER DETERMINATION
   GENERATION OF ATTITUDE ERROR SIGNALS
   CMG CONTROL MODE DETECTION
   RCS CONTROL MODE DETECTION
   RCS TORQUE COMPUTATION
   CMG TORQUE ERROR COMPUTATION
   EXPERIMENT MODULE UPDATE
   TAXI MODULE ALIGN
   RENDEZVOUS
   DOCKING
   EXECUTIVE AND I/O CONTROL
   DIAGNOSTICS
   BALANCE CONTROL
SIRU
   FILTER INSTRUMENT OUTPUTS
   FAILURE DETECTION
   TRANSFORMATION TO BODY COORDINATES
   DIRECTION COSINE MATRIX UPDATE
   DIRECTION COSINE ORTHOGONALIZATION
CMG
   MOMENTUM ERROR COMPUTATION
   DESATURATION
   FAILURE DETECTION AND ISOLATION
   RECONFIGURATION
RCS
   ENGINE VALVE CONTROL
   FAILURE DETECTION
   RECONFIGURATION
   FAILURE ISOLATION
FIGURE 3-8. RECOMMENDED COMPUTATIONAL ALLOCATION
TABLE 3-3
LOCAL PROCESSOR FUNCTIONAL REQUIREMENTS

Word Length             16 bits
Memory
   (Read Only)          4096 words
   (Read/Write)         512 to 1024 words
Speed
   Add Time             2.5 µsec.
   Multiply Time        10 µsec.
Instruction Set         Conventional plus double
                        precision add, subtract,
                        store, fetch
The objective of task 4 was to arrive at a set of candidate computers
capable of meeting the Reconfigurable G&C Computer requirements and
provide data on the set of candidates suitable for performing an evaluation
to select the preferred candidate. The most important requirement placed
on the Reconfigurable G&C Computer is the reliability or failure tolerance
criterion, namely the fail op-fail op-fail safe (FOOS) requirements. This
requires that the first two failures be tolerated so that the system remains
operational and that the third failure be tolerated so that the system
remains safe.

First, the basic approaches to meeting the FOOS requirement will be
discussed followed by the development of computer system concepts to
satisfy the FOOS requirement. Finally the definition of candidate
computers along with quantitative data will be presented.

4.1 INVESTIGATION OF FAILURE TOLERANCE REQUIREMENTS
4.1.1 Introduction
This task was initiated by conducting a survey of past activity related
to redundancy and reliable computer design. Most of the work to date has
concentrated on the treatment of single failures or a limited number of
multiple failures. (Reference 4-1 contains an excellent survey of the
subject matter.) Further, due to this concentration much of the activity
is not applicable to modern LSI semiconductor technology. The fail op -
fail op - fail safe reliability requirement imposes stringent requirements
on the redundancy schemes to be considered in the study. It requires
that the failure detection schemes provide 100 percent probability of
failure detection and whatever switching scheme is proposed for
reconfiguration be 100 percent effective; in other words, failure is tolerated.
In order to proceed with task 4 in a meaningful manner it was necessary
to provide a thorough definition of the reliability requirements on the
computer system. The next section presents these definitions. Investigation
of approaches to meet the requirements led to the evaluation of some basic
redundancy schemes; these are also presented below.
4.1.2 Reliability Requirements
4.1.2.1 Definition of Failure - The type of failures that are considered
for the fail op - fail op - fail safe criterion is defined as a "module"
being a single failure. A module's capability is varied in this study,
spanning the spectrum from a single computer to a memory, I/O unit, etc.,
and to byte size sections of a memory. It is apparent when considering
the nature of electronic equipment that this is the only reasonable
assumption. This equipment is typically constructed from integrated circuits,
some discrete components, some form of interconnect board (multilayer,
or printed circuit), and some form of interconnect between boards.
A single failure event may take place
within an integrated circuit and not cause another component to fail,
or on the other extreme a single failure event may take place in an
interconnect board (e.g., shorting two planes) appearing as if a
multitude of individual components (e.g., integrated circuits) failed.

Therefore, a single failure is treated as a worst case condition
that an entire module has failed where the module typically has the
capability noted above. A single failure is also defined as being
independent of other single failures. That is, one module having
failed will not result in the failure of another module. This is the
key to defining a single failure and the module size. It is apparent
that a module must be considered on a reasonable scale such as central
processor unit. This also imposes special design considerations on the
interface of various modules in the computer system such that the single
failures are truly independent.
This definition of a single failure is highly critical to the direction
of the study because of two factors: (1) the fail op - fail op - fail safe
requirement implies that all failures be treated, and (2) all practical
failure detection techniques assume one or some bounded number of
single failures that are independent of other single failures.
Having defined what constitutes a single failure, the study may then
proceed in an orderly manner to meet the reliability requirements.
Failures such as a meteorite destroying the computer are not defined as
a single failure if they affect more than one module. These types of
failures that result in multiple failures by the definition above are not
to be considered in meeting the fail op - fail op - fail safe requirement.
However, as a ground rule the computer system design is based on the
assumption that the computer system must be split among two
compartments of the spacecraft. This affords some failure tolerance of
catastrophic type events that can result in multiple failures.
4.1.2.2 Failure Tolerance - The computer system is designed to
tolerate failures in a fail op - fail op - fail safe manner. Each fail is
defined as a single failure for the purpose of this study. This also leads
to the consideration of time between failures. It is assumed in the study
that two or more single failures do not occur simultaneously and are
spaced by minimum time intervals of approximately one second. This
definition is intended to exclude, for design purposes, single failures
that randomly may occur nearly simultaneously (milliseconds) while
including single failures that may occur within several seconds and longer.

Fail is also defined to include all possible modes of a single failure.
That is, 100 percent failure detection is required for a module. This is
intended to include both permanent and transient failures.
Fail op is defined as operationally performing the critical computations
after any failure. Two variables may be considered at this point: (1) The
time allowed between the occurrence of a failure and becoming operational
again, and (2) the amount of the total computations that are considered
critical with regards to the fail op criterion. With respect to the first
variable, it is assumed that the time to be operational after a failure
occurs is somewhat less than one second, i.e. the switching time must
be very short. This time is also expected to depend on the phase of the
mission and the nature of the critical computations; the switching time
defined above is expected to be a worst case condition. With regards to
the second variable, the percentage of computations that are considered
critical, it is expected to depend strongly on the phase of the mission.
It is assumed that this may vary from the entire computational load to
a very small percentage of the load.
Fail safe has been defined to include a confidence level for rapid
reconfiguration. Fail safe requires that upon the occurrence of any failure,
it be detected, and the reconfiguration be rapid for most failures (Ref. 4-2).
Reconfiguration for fail safe requires that only a portion of the
computational capability required for all the critical computations be properly
operating after a failure. In other words, degraded modes are acceptable
for fail safe operation. The exact percentage of the total requirement
that may be considered fail safe has not been specified. The time allowed
to be properly operating in a fail safe mode, after the occurrence of a
failure, is the same as in the fail op case (typically, milliseconds) for
most of the failures (nominally, this has been set at 95%). The goal is
to be properly operating after all the failures; however, for the remaining
5% (approximately) that are not reconfigured rapidly, more time may be
taken to reconfigure.
4.1.3 Computer Organization Considerations
4.1.3.1 Impact of Basic Requirements - The reliability requirements
defined in the previous section were evaluated with regards to computer
organizations. Figure 4-1 contains a chart illustrating some of the effects
of the requirements on the approaches to computer organizations. The
failure definition and failure tolerance requirements have been discussed
above. These requirements lead to treating two cases: fail op - fail op -
fail safe (FOOS) and non-critical failure tolerance (where a probability
may apply).

To meet the FOOS requirement the approach taken to failure detection
and reconfiguration must provide a probability of failure detection of 1.0,
a reconfiguration time that is less than one second, and a probability
of successful reconfiguration of 1.0. For all practical purposes this
requires that the failure detection be accomplished external to a module.
Schemes that employ hardware redundancy and/or software self test
routines internal to a module for purposes of self failure detection cannot
be relied upon to provide detection for all possible failure modes of a
module. (Most past studies relied on one or both of these techniques,
Ref. 4-3 thru 4-9, and are therefore not applicable).
This leads to massive redundancy to accomplish detection, i.e.,
modules are replicated to detect failures by comparison of redundant
output signals. Two schemes to accomplish this are indicated in
Figure 4-1, namely, static and dynamic. The former employs voting
techniques and the latter duplicate comparison for failure detection.
Voting requires a majority to make a decision, i.e., two out of three,
three out of five, etc. It provides for detection by a majority vote with
reconfiguration inherent in the voting process. Duplicate comparison
techniques employ a comparison of the outputs of two modules; if they
disagree, the discrepancy provides failure detection. To meet the rapid
reconfiguration time, this disagreement detection is then used to
automatically switch in a third module. Of course, enough modules must be
provided to handle three failures as dictated by the FOOS requirement.
As indicated in Figure 4-1 codes may also be used to meet the FOOS
requirement. Codes may be used for the failure detection mechanism;
however, replication is required to provide a spare module for automatic
switching in order to accomplish reconfiguration. The use of coding may
have some merit for failure detection in modules such as memories and
will be discussed in more detail later in this section.
The alternate failure tolerance requirement is for non-critical failure
tolerance as shown in Figure 4-1. As discussed in the previous section,
it is expected that the failure tolerance requirements will actually vary
during the mission depending upon the mission phase and functions being
performed, ranging from practically all fail op to practically non-critical.
Failure detection for non-critical failure tolerance is dependent on two
additional parameters: speed and coverage. On one extreme is the need
for rapid failure detection (perhaps as fast as for the fail op case) for
all failures and on the other extreme is the allowance for delayed failure
detection or less than 100% failure detection with a rapid detection time.
If rapid failure detection is required, then the speed for reconfiguration
must also be considered. Again, reconfiguration could be rapid or delayed.
Rapid reconfiguration with 100% detection begins to merge into the
requirements of the fail op case as indicated in Figure 4-1. Delayed
reconfiguration allows duplication to be used for detection and subsequent
isolation at a later time to decide which of the two modules failed.
Considering the situation where detection may be delayed or less
than 100% failure detection coverage is required, opens up many
possibilities to detection and reconfiguration. It should be noted here that
the percentage of failure coverage is an extremely difficult topic to
evaluate. While a failure detection method may provide a percentage
coverage of 95%, this applies while the detection scheme is being used.
If the failure is not detected by the test method, it may very well be
detected at some later time as the outputs of the failed module are used
as inputs to some other system. In other words as time increases, the
probability of the failure being detected will approach 1.0. There are
many software and hardware techniques that may be applied to detect
failures under these requirements; as indicated in Figure 4-1, parity,
codes, and software test routines are just some of the methods available.
Reconfiguration may also be accomplished with a combination of hardware
and software techniques employing isolation, switching and reinitializing
of modules (Ref. 4-3 thru 4-9 employ many of these techniques).
The intent of Figure 4-1 is to provide an overview of the approaches
to computer organization, from a redundancy viewpoint, that may be
taken depending on the failure tolerance, failure detection and failure
reconfiguration requirements imposed on the computer system. It is
expected that a mix of most of the various requirements depicted in
Figure 4-1 will be imposed on the computer system under study.

The fail op requirement will be discussed below with reference to
the voting, duplication, and coding methods, indicated in Figure 4-1,
that may be used to satisfy this requirement. Since the fail op is the
g requirement, fail safe will be treated as a subset of it.
4.1.3.2 Application of Basic Approaches - The voting and duplication
methods are applied in Figure 4-2 for the case where a module is a
single computer and one module is required for the total computational
load. A non-adaptive voting organization requires five (5) modules to
meet the FO FO requirement. The modules C1 through C5 are each
assigned the same computational job and the majority voter performs a
3 out of 5 vote on the outputs. The organization can tolerate any two
module failures and continue operating (in fact, at full capability after
the second failure). Fail safe cannot rely on using the voter unless a
total of seven (7) modules are provided.

The majority voter, of course, must be made redundant so that it
will withstand the required number of failures and continue to operate.
In fact, this redundancy should be carried to the output interface.
Simply providing one output interface will in most likelihood result in
a single point of failure. Preliminary evaluation indicates four or five
output interfaces are required at a minimum. It should be noted here
that it is possible to carry this concept further and consider the majority
voting function external to the computer system. Then the computer
organization reduces to a set of computers operating in parallel. It is
not the intent, at this point, to discuss the voting or interface
mechanization in detail but simply to point out the modular structure of
the different organizations. (Section 4.2 will treat this topic in detail.)
The adaptive voting organization shown in Figure 4-2 requires four (4)
of the same computer modules used in the above case (1 less). The difference
in this organization is that the majority voter is a two out of three voter
with four (4) inputs. This requires that the voter be adaptive in the sense
that it recognizes a discrepancy in one of the three inputs it is voting on and
disregards that input from then on. Another module is then used for the
third input to be voted on. Again, two module failures may be tolerated.
At a slight increase in complexity of the voter, one of the five modules in
the non-adaptive case have been eliminated.
A non-adaptive duplication organization is shown in Figure 4-2. As in
the non-adaptive voting case, five of the same modules are required. The
boxes labeled DD are disagreement detectors, which simply do a comparison
of the outputs from a pair of modules. Two such disagreement detectors are
required. A discrepancy indicates failure in one of two modules, isolation
to a module is not provided; the correct outputs are obtained from a pair of
modules with no disagreement detected. In the case of both pairs of modules
having failed, the module C5 provides the correct output.
This duplication concept may be extended to an adaptive case in which four (4) modules are used as shown in Figure 4-2. The disagreement detector in this case detects a disagreement between a pair of modules and then uses another module to provide the correct output signals as in the non-adaptive case above. The detector subsequently isolates the failure to one of the pair of modules by comparing each module of the failed pair to the current pair of operating modules. The good module of the failed pair may then be used as a spare module to back up further failures. It should be noted the above voting and duplication schemes solve the fail op - fail op case. The fail safe requirement can be satisfied with no increase in the number of modules for the adaptive cases. For the non-adaptive cases one more module may be required to satisfy fail safe operation.
The module size in the above cases was considered to be a single computer. A module may also be mechanized at a lower level, for example; memory (M), arithmetic processor (P), and input/output processor (I/O) modules may be considered. In addition, the individual capability of these modules could be varied. In each case, at this lower level of modularity, the organization to meet the FOOS requirement will assume the same structures as given in Figure 4-2. As an example, Figure 4-3 indicates the required structure where three modules are used, M, P and I/O. This example assumes that the capability of each module is such that one of each type is sufficient to handle the total computational load (same assumption as in Figure 4-2). It is seen that the same structure as required in Figure 4-2 is used here. As mentioned previously, the voters of course must be redundant. Many possibilities exist in the design of the voters; for example, voting on inputs or voting on outputs. It is not the intent at this time to consider the voters in detail but merely to indicate the structure of the modules to meet the FOOS requirement. (The next section discusses the problems of voting.)

FIGURE 4-2. VOTING AND DUPLICATION ON COMPUTER MODULE LEVEL (panels: Voting - Non-Adaptive, Voting - Adaptive, Duplication - Non-Adaptive, Duplication - Adaptive)
The above schemes may be considered to be more or less massive redundancy since they require at least duplication of a module to detect failures. There is another approach that may be considered for failure detection which is in a different direction than the massive redundancy approach. The detection scheme involves the use of checking codes, e.g., residue codes. It has application to modules such as a memory and is depicted in Figure 4-4. The memory system in this figure is divided up into a set of byte modules. Each byte represents a portion of a word from memory. In the example, four bytes represent the memory word. If the word length is 32 bits, each byte would represent an 8 bit "slice" of the memory. Each byte is also mechanized by a module. The code used for checking is also mechanized in a module. For each word stored in memory a code is also stored; therefore, all modules operate in parallel when reading or writing in the memory system. A code checker monitors the output from the memory system. The checking code can be designed to provide failure detection for any failure mode of one module. It will provide this detection with much less than a complete duplication of hardware. As indicated in Figure 4-4, spare modules (bytes) may be used to replace the failed modules. The code checker itself must be redundant so that it does not compromise the system. Further, a complete replication of this memory system must also be provided as shown in Figure 4-4 in order to accomplish reconfiguration. The memory system with code checking is self-failure detecting; once the failure is detected another replicated system must be turned to in order to provide a correctly operating system. Therefore, from a failure detection standpoint, this approach has some merits; however, reconfiguration requires that massive redundancy be resorted to such as duplication.
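As an added illustration (not from the report), the following models the byte-sliced memory with a residue check module and injects every possible wrong value into one module at a time. The two moduli compared, 255 and 257, and the sample words are assumptions chosen here; the report does not name a specific code.

```python
BYTES_PER_WORD = 4  # four byte modules holding a 32-bit word, as in the text


class SlicedMemory:
    """Memory built from four byte modules plus one check-code module."""

    def __init__(self, size, modulus):
        self.modulus = modulus
        self.byte_modules = [[0] * size for _ in range(BYTES_PER_WORD)]
        self.code_module = [0] * size

    def write(self, addr, word):
        # All modules operate in parallel: each byte module stores its
        # 8-bit slice and the code module stores the residue of the word.
        for i, module in enumerate(self.byte_modules):
            module[addr] = (word >> (8 * i)) & 0xFF
        self.code_module[addr] = word % self.modulus

    def read(self, addr):
        """Return (word, check_ok) as seen by the code checker."""
        word = sum(m[addr] << (8 * i) for i, m in enumerate(self.byte_modules))
        return word, word % self.modulus == self.code_module[addr]


def undetected_single_module_faults(modulus, words):
    """Corrupt one module at a time with every wrong value and list the
    faults the code checker fails to flag."""
    mem = SlicedMemory(len(words), modulus)
    missed = []
    for addr, word in enumerate(words):
        mem.write(addr, word)
        for i, module in enumerate(mem.byte_modules):
            good = module[addr]
            for bad in range(256):
                if bad == good:
                    continue
                module[addr] = bad
                if mem.read(addr)[1]:
                    missed.append((hex(word), i, good, bad))
            module[addr] = good
        # The check-code module is itself a module that can fail.
        good_code = mem.code_module[addr]
        for bad in range(512):  # any 9-bit pattern
            if bad == good_code:
                continue
            mem.code_module[addr] = bad
            if mem.read(addr)[1]:
                missed.append((hex(word), "code", good_code, bad))
        mem.code_module[addr] = good_code
    return missed


# Constructed sample words, including all-zero and all-one bytes.
WORDS = [0x00000000, 0x12FF0034, 0xDEADBEEF, 0xFFFFFFFF]

if __name__ == "__main__":
    for modulus in (255, 257):
        missed = undetected_single_module_faults(modulus, WORDS)
        print(modulus, len(missed), missed[:3])
```

With an 8-bit residue (mod 255) a byte module that flips between 0x00 and 0xFF escapes detection, because every byte position carries weight 1 modulo 255. Modulo 257 the byte weights alternate between +1 and -1, so no single-byte change can cancel, at the cost of a 9-bit check module.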
It must be recognized that some form of the structures presented above must be present in any of the candidate organizations in order to meet any FOOS requirements.
FIGURE 4-3. VOTING AT LOWER MODULE LEVEL
From the present investigation voting and duplication appear to be the only reasonable solutions to meeting the FOOS requirement. Further, the adaptive case has the most appeal since it can meet both the fail op - fail op and the fail safe requirement with four (4) modules.
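The adaptive voting organization summarized above can be exercised frame by frame. This sketch is an added illustration, not part of the report; the class name, the scenario, and the fail-safe response once only two modules remain (shut down on disagreement) are assumptions.

```python
from collections import Counter


class AdaptiveVoter:
    """Two-out-of-three voter with four inputs (modules numbered 0..3)."""

    def __init__(self, n_modules=4):
        self.active = [0, 1, 2]                  # inputs currently voted on
        self.spares = list(range(3, n_modules))  # the unused fourth input
        self.discarded = []                      # inputs disregarded from then on
        self.safe = False                        # latched fail-safe state

    def vote(self, outputs):
        """outputs[m] is module m's output for this frame.
        Returns the selected value, or None once the voter is fail-safe."""
        if self.safe:
            return None
        values = [outputs[m] for m in self.active]
        if len(self.active) == 3:
            winner, count = Counter(values).most_common(1)[0]
            if count < 2:
                # No two inputs agree: simultaneous failures, which the
                # study's ground rules exclude. Assumed response: go safe.
                self.safe = True
                return None
            for m in [m for m in self.active if outputs[m] != winner]:
                self._disregard(m)
            return winner
        # Only two inputs left: comparison detects a failure but cannot
        # isolate it, so the assumed response is a fail-safe shutdown.
        if values[0] == values[1]:
            return values[0]
        self.safe = True
        return None

    def _disregard(self, m):
        """Drop a dissenting input and vote on the spare instead, if any."""
        self.active.remove(m)
        self.discarded.append(m)
        if self.spares:
            self.active.append(self.spares.pop(0))


def run_scenario(failed_per_frame, correct=42):
    """Feed the voter one frame at a time. A failed module emits a wrong
    value unique to itself (constructed fault model)."""
    voter = AdaptiveVoter()
    trace = []
    for failed in failed_per_frame:
        outputs = [correct + 1000 + m if m in failed else correct
                   for m in range(4)]
        trace.append((voter.vote(outputs), tuple(voter.active), voter.safe))
    return trace


# Constructed scenario: module 1 fails, then module 3, then module 0.
SCENARIO = [set(), {1}, {1}, {1, 3}, {1, 3}, {0, 1, 3}]

if __name__ == "__main__":
    for frame, row in enumerate(run_scenario(SCENARIO)):
        print(frame, row)
```

The first two failures are outvoted with no interruption of output (fail op - fail op); the third is detected by comparison of the last two modules and the output is withheld (fail safe).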
4.2 DEVELOPMENT OF COMPUTER SYSTEM CONCEPTS
4.2.1 Introduction 
In the previous section it was found that a minimum level of redundancy of four using adaptive voting or disagreement detection is required to meet the FOOS requirements. Somewhere in the G&C system, the level of redundancy may be less than four. In this case, one is faced with transitioning a boundary of a higher level of redundancy to a lower level. Particular attention must be paid to such a transition in order to prevent severe over-designs or under-designs with regard to redundancy and failure tolerance. The FOOS boundary, insofar as the G&C computer system is concerned which requires a level of redundancy of four, extends up to the point of interface with the subsystems (LP's). That is, it includes the computer system and the bus system. The level of redundancy at the subsystem side of the boundary will depend on the particular mechanization of the subsystem and its functional interrelation with other subsystems.
Since the key to meeting the FOOS requirement is massive redundancy (4) with some form of a decision process (voting or disagreement detection), a good deal of attention was focused on this topic to define the computer system concepts. A straight-forward and simple attempt at a solution would be to simply provide four single computers providing four busses to the subsystems and require the subsystem to perform an adaptive majority vote. A simple approach such as this has problems as will be discussed below. There are many approaches as will be discussed below, primarily involving the method of interconnections and the way the decision processes (hereafter referred to as "voting") are implemented.
4.2.2 Definition of System Concepts
4.2.2.1 Introduction - Three computer/bus configurations and three bus/LP configurations have been defined as representing a large class of possibilities in design of the system concepts; these form a set of nine basic system concepts. It is not the intent to necessarily restrict the final system configuration to one of the nine candidates. The candidates have been chosen simply to provide an organized approach to evaluation of the system.
4.2.2.2 Ground Rules - The following ground rules were for the definition and evaluation of the candidate system concepts:

1. The computer system will consist of four (4) separate units which will interface with four (4) data busses. Further bus and/or computer module redundancy will be considered independently.

2. All candidate systems will be designed to interface with subsystems whose redundancy requirements dictate from one (1) to four (4) LP's.

3. Subsystem failures on a function basis shall not cause computer system failures (real or apparent) which would be counted in the three failure survivability criteria imposed on the computer system.

4. The central computers in the candidate systems will be pictured as self-contained, independent units. However, in subsequent sections, module level reconfiguration capability will be considered.

5. Candidates will be described only up to the LP interface. LP to subsystem interconnection will be treated separately.

6. Computational requirements for a given subsystem will vary in criticality and hence, in redundancy requirements and allowable reconfiguration time, from highly critical to non-critical. For study purposes, these categories of criticality have been identified:
   a. No interruption of output data is permitted.
   b. Interruption is permitted for periods less than 5 cycles.
   c. Interruption is permitted for extended periods.

7. The "Ten Pin Rule" will apply. As currently defined, this limits the number of interconnections between modules to 50 pins maximum. Configurations resulting in 50 to 200 interconnections may be considered but are undesirable.

8. The computer system will be physically split into two separate compartments. Communication between the compartments will be primarily on the bus and communication at memory cycle speeds would appear to be unfeasible.

9. Majority voting and/or comparison on computer outputs will be utilized for failure detection.

10. All communication on the busses is initiated by the computer system, i.e., input from a LP only occurs as a result of a request from the computer system.
4.2.2.3 System Configurations - The three computer/bus configurations are shown in Figure 4-5 and called candidates 1, 2 and 3. The three bus/LP configurations are shown in Figure 4-6 and called candidates A, B and C. The characteristics of these are summarized below:

Candidate 1 - Each of the four busses is dedicated to one of the four computing units. LP participation in voting is implied since the only data path between computers is through LP's.

Candidate 2 - Each computer can transmit on only one bus but can receive information from all busses. A level of voting is possible at the computer/bus interface without LP participation.

Candidate 3 - All computing units can both transmit and receive on all busses. Some type of switching and/or voting function is implied at each bus terminal.

Candidate A - Each LP is connected to only one bus. Any subsystem level voting required must be accomplished beyond the LP's.

Candidate B - Each LP is connected to all four busses. Some level of voting/switching in the LP is implied.

Candidate C - LP's are selectively connected to from 1 to 4 busses. Voting function at LP's would vary from subsystem to subsystem.
4.3 INVESTIGATION OF SYSTEM CONCEPTS
The system concepts defined above were subject to an investigation from an operational, software, and hardware standpoint. This section presents the results of this investigation.
4.3.1 Assumptions 
4.3.1.1 Software - For purposes of this study the anticipated requirements have been categorized in a general sense. The following definitions were applied:

Critical Function or Computation - The software routine(s) necessary to perform the computations for a given system function without regard to redundancy. The total of all critical functions equals the operational requirements where the term "operational" is used as in fail-operational.

Non-critical Function or Computation - The software routine(s) necessary to perform a function which may be required of the computer system but which is not part of the operational requirement and hence need not survive computer failures. These include such "background" functions as may be interrupted or discontinued if sufficient computational capability is not available due to failures or an extremely high load of critical computations.
FIGURE 4-5. COMPUTER/BUS CONFIGURATIONS (Candidates 1, 2 and 3)
FIGURE 4-6. BUS/LP CONFIGURATIONS (Candidates A, B and C)
Critical functions are further categorized according to the sensitivity of the external subsystems to errors or gaps in the output data from the function. Three levels of error sensitivity have been defined. Note that a given function may be placed in different levels dependent on the overall system mode and/or external conditions.

Error Sensitivity Level 1: This level allows interruption and/or errors in computational output data for extended periods of time, possibly until manual repair or intervention is accomplished. This implies that either the function is non-essential or errors in its operation can be readily detected and circumvented external to the computer system (by an operator, for instance). In the latter case, when the computer system is informed of the error, it would attempt reconfiguration. Computations which fall into this category may be singly computed and will be referred to as having a redundancy requirement of one or as R1 functions.

Error Sensitivity Level 2: This level allows interruption (but not errors) in the computational output data for periods not exceeding 5 or 6 update cycles. Computations in this category must be at least doubly computed to allow output comparison and hence failure detection. Reconfiguration time for these functions must obviously be less than the 5 or 6 cycles specified. These functions have a redundancy requirement of two and will be referred to as R2 functions.

Error Sensitivity Level 3: This level allows no interruption or errors in computational output data. Computations in this category must be at least triply computed in order that output voting can be performed to detect and isolate failures allowing selection of a correct data set. These functions have a redundancy requirement of three and are referred to as R3 functions.

The nature of the computations, critical and non-critical, is assumed to cover a wide range in terms of time-criticality and in terms of arithmetic/logical characteristics.
4.3.1.2 Bus/LP Operation - As previously indicated, it is assumed that the system has at least four (4) independent busses. These busses interface with Input/Output Processors (IOP's) in the computer system and with LP's at the subsystems. The Bus/LP interface must be designed to provide isolation to prevent LP failures from inducing bus failures.

operates in a requested data fashion where all data
either direction is initiated by the computer system. Some capability for data buffering and/or voting is assumed potentially available in LP's, but reducing the requirement for these capabilities is considered desirable.

Synchronization of data on the four busses is assumed possible and in fact is the technique preferred. This synchronization may be either bit-by-bit or on a frame or time slot basis; however, data on the busses may be staggered by some number of bits to preclude identical errors induced by a common error source.

4.3.1.3 LP/Subsystem Operation - All subsystem/computer communication is assumed to occur over the bus system with LP's providing the subsystem/bus interface. A subsystem may be a data source, a data recipient, or both with respect to the computer system. Moreover, the inputs from any given subsystem to the computer system may be required in order to generate the outputs to other subsystems.
Subsystems may be inherently redundant, functionally redundant, or have no redundancy whatever. LP redundancy for a given subsystem may range from one to four and is not necessarily correlated with the redundancy of the subsystem itself.

In cases where a given subsystem and/or the LP's for that subsystem are redundant and the subsystem is a data source, the data from corresponding redundant elements, though correct, may not be identical due to analog/digital conversion variation, timing differences, etc. This potential difference will subsequently be referred to as resolution uncertainty in the data.

Two alternate mechanizations have been assumed for operating a subsystem with redundant LP's.

Alternate 1: Redundant LP's are operated one at a time where the particular LP in use at a given time is controlled at least indirectly by the computer system. The implication of this mode of operation is that detection of subsystem failures can be accomplished by some means other than data comparison/voting, e.g., internal or external testing of the subsystem or modeling of predicted subsystem responses. Therefore, it will be assumed that the computer system can independently determine the accuracy of a single data set from such a subsystem. A further implication of this mode of operation is that a voting process requiring agreement of a majority of the computers will be used to control switching of LP's.

Alternate 2: Redundant LP's are operated in parallel and may be operating from a single or redundant subsystem. The implication of this mode of operation is that the computer system is supplied redundant input data sets which represent the same parameters but which may differ due to resolution uncertainty in the data. In general, a means of determining data accuracy other than comparison of redundant data will not be available. Intercommunication of the redundant LP's is a possibility but is not assumed to be the general case.
4.3.2 General Considerations 
While investigating the configurations, many considerations were found to apply to the majority of the configurations. These considerations are presented at this time rather than with the discussion of each of the configurations.

4.3.2.1 Simultaneous Failures - One of the basic ground rules applied to the study states that simultaneous failures (separated by less than one second) of two or more computer modules will not be considered when evaluating the ability of the system to survive FOOS. A ground rule such as this seems reasonable when applied to the occurrence of failure events.

In attempting to provide maximum flexibility of the system, many critical functions may be computed triple redundantly in order to free the fourth computer for non-critical functions until such time as it is needed to replace a failed unit. While being used as a spare, the fourth computer could experience failures that would go undetected either because little redundant computation was being performed or because the failure did not exhibit itself in the computations or testing being performed. Any subsequent failure in one of the three "critical computation" computers will cause the fourth computer to pick up the failed computer's functions, but it may immediately fail because of the earlier undetected failure and will appear to the system as simultaneous failures.

Another type of failure may occur which affects only a portion of the program or is sensitive to a particular data configuration. This type of failure will be referred to as a mode sensitive failure. Mode sensitive failures may also appear as simultaneous failures although the actual failure events may have occurred hours apart.
Simultaneous failures can result in three undesirable situations with respect to a given data set.

1. The two failed units produce results which disagree with each other and with any good computer(s) performing the same function.

2. The two failed units produce results which disagree with each other but one of which agrees with the good computer(s) performing the function.

3. The two failed units produce identically incorrect results.

An analysis of these situations indicates several potential problems mainly related to two failed units producing identically incorrect results or results which agree with a non-failed unit. For example, take the case where a R2 function is being computed, the spare computer has an unobserved failure, and one of the two active computers fails. Now, when the failed spare is initiated to resolve the discrepancy, it will "vote out" the wrong computer in the case where failed units generate identically incorrect results.
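The R2 case above, together with the redundant-data remedy raised in the paragraph that follows, as an added sketch that is not part of the report. The stuck-bit fault model, the input values, and the check-word formula are constructed for illustration.

```python
def decide(x, y):
    """Logical function with a binary, on-off result (constructed)."""
    return 1 if x > y else 0


def check_word(x, y):
    """Redundant data: a more complex function of the same input
    parameters (hypothetical formula, 16-bit result)."""
    return (31 * x + 17 * y + (x ^ y)) & 0xFFFF


class Computer:
    def __init__(self, name, fault=None):
        self.name = name
        self.fault = fault  # None, or (x, y) -> (x, y) modelling a datapath fault

    def run(self, x, y, with_check):
        if self.fault:
            x, y = self.fault(x, y)
        if with_check:
            return (decide(x, y), check_word(x, y))
        return (decide(x, y),)


def arbitrate_r2(pair, spare, x, y, with_check):
    """R2 function: two computers are compared and, on disagreement, the
    spare is started to resolve the discrepancy. Returns None if the pair
    agrees, the name of the computer voted out, or "unresolved" when the
    spare matches neither unit."""
    a, b = pair
    result_a = a.run(x, y, with_check)
    result_b = b.run(x, y, with_check)
    if result_a == result_b:
        return None
    result_spare = spare.run(x, y, with_check)
    if result_spare == result_a:
        return b.name
    if result_spare == result_b:
        return a.name
    return "unresolved"


# Constructed faults: A has bit 7 of x stuck at 1 (the new failure); the
# spare S has bit 7 of y stuck at 0 (an earlier, unobserved failure).
A = Computer("A", fault=lambda x, y: (x | 0x80, y))
B = Computer("B")  # good unit
S = Computer("S", fault=lambda x, y: (x, y & ~0x80))

X, Y = 100, 150  # correct decision is 0; both faults turn it into 1

if __name__ == "__main__":
    print("decision only:  ", arbitrate_r2((A, B), S, X, Y, with_check=False))
    print("with check word:", arbitrate_r2((A, B), S, X, Y, with_check=True))
    # The spare's fault is mode sensitive: it is invisible when bit 7 of y is 0.
    print("latent:", S.run(100, 20, True) == B.run(100, 20, True))
```

On the bare binary result the failed spare agrees with the failed unit and the good computer B is voted out. With the check word attached, the two independent faults no longer produce identical data sets, so the arbitration reports situation 1 (everyone disagrees) instead of silently discarding the good unit.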
There are many considerations associated with preventing and/or circumventing seemingly simultaneous failures. One particular consideration seems worthy of note here. Since failed units producing results which agree with other units, failed or unfailed, cause the most significant problems, it is important to consider the probability of this situation occurring. For continuously varying arithmetic functions dependent on multiple inputs, the chances of two independent failures affecting the computations in a manner which changes the results identically should be reasonably small. However, logical functions which result in one of a small number of possible conditions such as a binary, on-off decision, would demonstrate a rather high probability. One approach to reducing the probability in these cases would be to include redundant data with the results of the logical function. Computation of the redundant data would be based on a more complex function related to the input parameters for the logical function, thus providing an error code of sorts on the function.

4.3.2.2 Voting Methods - The failure detection requirements as defined imply decisions on output data. Three general methods of accomplishing voting (and hence data selection) for the decision process have been identified and are discussed below. A more detailed description of implementation techniques is presented later (Para. 4.3.2.4 and Section 4.4).
4.3.2.2.1 Voting at the Bus/LP Interface - If the FOOS boundary is extended to include the bus system, and the conclusion that 100 percent failure detection requires data voting is valid for bus failures, then performing data comparison and voting at the Bus/LP interface, i.e., within the LP, would seem to be a necessity. In the simplest case where all functions are being computed in parallel by all four computers and reconfiguration of the computer system is not required, no further action need be taken to meet the FOOS requirement. If reconfiguration is desired at the computer or computer module level, then it is necessary that the results of the vote be transmitted from the voter (LP's) to the four computers. The computers can then decide when and how to reconfigure (para. 4.3.2.5).

Since each LP is voting on the data it receives and is sending the results of that vote back to the computers, the computer system is required to resolve problems arising when the voting results disagree between LP's, i.e., it must indirectly diagnose LP/bus failures.
4.3.2.2.2 Voting at the Computer/Bus Interface - Several of the candidate systems are interconnected in a manner which would permit performing a vote on the outputs of the computers to the bus system. This would be accomplished by allowing each computer to monitor outputs from the other computers so that at least three computers would vote on the validity of data on each bus. This voting would be performed simultaneously with or lagging the output of data to the bus system and consequently would not prevent transmission of incorrect data for the current transmission period. The voting results could be sent on the same busses as data or four separate vote busses could be used. If the FOOS boundary is at the bus/LP interface, then a second vote must be taken at the bus/LP interface to detect and correct bus failures. In this case, the only apparent advantage of also voting at the computer/bus interface is that bus failures are more easily identified. This second vote would also detect any incorrect data that might have been transmitted.
If the FOOS boundary is at the computer/bus interface or if techniques such as error coding can be relied on for detection of bus failures, the second vote (at the LP) would be unnecessary. However, as previously mentioned, incorrect data will be transmitted on a bus for one cycle after the failure occurred. Since R3 functions cannot tolerate any loss of data, the LP must be directed to the proper bus from which to obtain data. A means of obtaining this direction, other than voting itself, is for the computer system to transmit at periodic intervals, no less frequent than the end of each data transmission block, the result of each computer's vote on the data. In this case, the LP, as a minimum, is required to buffer at least two sets of data and to input from three different busses the voting results of at least three of the computers. It must then compare the three sets of votes to determine which of the two sets of data is bad, if any. It would seem that a LP capable of performing this function (comparison of votes) could just as easily compare the data sets. If this is the case, then operating in the manner just described seems to offer only one slight advantage over the previous method and that is a potential reduction in execution time and buffer storage requirements at the LP since only three votes need to be compared rather than three entire data sets. However, it is possible that with a synchronous bus system, data could be compared automatically as it is received thus eliminating the need to buffer more than one set of data.

can tolerate a single cycle or more of data
to buffer one set of data
arison of the votes is
advantage gained over voting at the bus/
4.3.2.2.3 Computer Interface Voting with Transmission Control - Voting at the bus/LP interface appears to require a fair amount of complexity in the LP and/or voting device. Simply voting at the computer/bus interface and transmitting the results does not significantly reduce this complexity, primarily because the LP is still required to perform its own vote either on the data or on the results of the computers' votes. If this comparison of the data and/or the computers' votes can be eliminated, then a significant advantage would be gained.

It appears that the only hope of reducing voting requirements at the LP while still retaining the FOOS capability would be to design the system such that sufficient information is present on a single bus to determine the validity of the data on that bus. Any other approach implies monitoring multiple busses and performing some sort of voting in order to select the correct one.

Clearly, to achieve an independent bus approach requires that more than one computer be able to transmit on a given bus and that multiple computers have control over a transmission through a voting process. A potential mechanization of such an approach is presented later. The approach is intended to retain the FOOS capability in the computer system while allowing a LP to receive data on a single bus with no requirement to compare data or votes. Note that such an approach does not preclude transmitting on multiple busses for some or all LP's.
4.3.2.2.4 External Voter - The actual comparison of output data that is required for voting may be performed by the computers at the computer/bus interface or by the LP at the bus/LP interface. This seems reasonable since the computers certainly are capable of doing it and in many cases the LP will also be capable of performing the vote with little or no additional hardware required.

If it is desirable, an external voting device which is separate from the computers and the LP's could be used. It was determined that such an external voting device would not change the characteristics of voting at the two different interfaces. The results of the voter would have to be sent to the computer and to the LP to effect reconfiguration. Since it represents a single point of failure, four of the devices would be required and the computers and LP's would still have to vote on whether to accept the external voters' decisions. The only benefit of the external voter appears to be remoteness which can include bus failures further down the line. However, this type of voter is not very amenable to selective computational redundancy since it would have to be capable of changing voting modes for different blocks of data which would also complicate adapting. A mechanization such as suggested for the LP would seem to be required.
4.3.2.3 Input Voting
4.3.2.3.1 General Discussion - In general, multiple copies of data generated by a given subsystem will be transmitted to the computer system. The copies may be transmitted from one LP or redundant LP's and from one subsystem or redundant subsystems. The data is in many cases used by more than one computing unit in the computer system to generate redundant outputs to the same or different subsystems. These redundant outputs are at one or more points in the system compared for purposes of failure detection.

The redundant input data sets received at the computer system from a given subsystem may differ as a result of two situations: (1) an external failure (bus, LP, subsystem), or (2) resolution uncertainty in the data. In both cases if the differences are not resolved prior to use of the data in a computation, a failure will be indicated by one or more output voters. (Output voting is assumed to be based on correct data sets being identical, since modeling of the effect of allowable input variations on outputs would in general require a rather complex voting process.) If the cause of the apparent failure was resolution uncertainty in the input data, then the failure indication is erroneous. If the cause was a failure external to the computer subsystem, then it is necessary to isolate the failure so that internal computer system elements are not mistakenly discarded through reconfiguration and so that external reconfiguration can be accomplished.

The most obvious means of solving both problems is to provide capability in the computer system for voting on the redundant input data so that a single data set can be chosen and used by all computing units, thus insuring that output discrepancies represent actual failures. This requires that all input sets be supplied to all computers.
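An added example (not from the report) of the two situations just described, with three computers each computing the same function for another subsystem. The control law, the mid-value selection rule, the one-count tolerance, and the sample readings are assumptions; the report only requires that a single data set be chosen and used by all computing units.

```python
from collections import Counter


def control_law(sample):
    """Hypothetical critical computation performed on the input data."""
    return (3 * sample + 7) & 0xFFFF


def output_vote(outputs):
    """Output voter that assumes correct data sets are identical.
    Returns (selected value or None, computers flagged as failed)."""
    winner, count = Counter(outputs).most_common(1)[0]
    if count <= len(outputs) // 2:
        return None, list(range(len(outputs)))
    return winner, [i for i, out in enumerate(outputs) if out != winner]


def input_vote(copies, tolerance=1):
    """Input voter run identically in every computer on all input copies.
    Picks the mid value (assumed rule) and reports copies that differ by
    more than the allowed resolution uncertainty as external suspects."""
    ordered = sorted(copies)
    chosen = ordered[(len(ordered) - 1) // 2]
    suspects = [i for i, c in enumerate(copies) if abs(c - chosen) > tolerance]
    return chosen, suspects


def without_input_voting(copies):
    """Computer i uses only the copy it received itself."""
    return output_vote([control_law(c) for c in copies])


def with_input_voting(copies):
    """Every computer receives all copies and uses the same selected one."""
    chosen, suspects = input_vote(copies)
    selected, flagged = output_vote([control_law(chosen) for _ in copies])
    return selected, flagged, suspects


# Constructed readings of one parameter delivered by three redundant paths.
RESOLUTION_CASE = [2047, 2048, 2048]  # healthy, one count of A/D variation
LP_FAULT_CASE = [2048, 2049, 3500]    # third path has an external failure

if __name__ == "__main__":
    for name, case in (("resolution", RESOLUTION_CASE), ("LP fault", LP_FAULT_CASE)):
        print(name, without_input_voting(case), with_input_voting(case))
```

Without input voting, one count of resolution uncertainty gets healthy computer 0 flagged as failed, and the external fault leaves the output voter with no majority at all. With input voting the computers' outputs are identical in both cases and the external fault is attributed to input path 2 rather than to a computer.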
In order to determine the necessity and/or benefits of input voting, the two problem situations mentioned above were investigated to determine if solutions other than input voting are available, and are discussed in the following paragraphs. In both situations assume a configuration such as pictured in Figure 4-7 where input voting is not possible. Assume that data from Subsystem I is required to compute data for Subsystem II.
FIGURE 4-7. INPUT VOTING EXAMPLE
4.3.2.3.2 External Failure - If the LP's in Subsystem I are being
operated singly (para. 4.3.1.3) and a failure in LP-A unique to bus W
occurs, then Computer 1 detects an error and is no longer capable of
generating outputs for Subsystem II. The desired reconfiguration is
to switch from LP-A to LP-B; however, switching requires the consent
of a majority of computers. The only way that Computers 2, 3, and 4
can be informed of the problem is via Computer 1.
However, information from Computer 1 may be faulty due to a
computer system failure, i.e., an internal fault may have caused
Computer 1 to think that LP-A is failed. Hence, the other computers,
seeing no error in LP-A themselves, disagree with #1 on the desirability
of switching.
A possible solution is to design a more sophisticated reconfiguration
algorithm. For example, if one computer votes to switch LP's, the
other three could tentatively agree while remembering the fact that LP-A
was apparently at least 3/4 operable. This would cause the desired
switching to occur. Since all four computers would now presumably
agree that the subsystem was operating, the failure could probably be
attributed to LP-A. It is, of course, possible that the failure was
sensitive to a particular mode, input data set, etc., and thus might
disappear when LP is switched, but of course the reconfiguration
algorithm could be designed to attempt to return to LP-A if subsequent
failures in LP-B and/or Computer 1 are indicated.
If LP's A and B are being operated in parallel, a slightly different
situation can occur. Again, assume that a failure occurs in LP-A which
is unique to bus W. Now Computer 1 cannot select the correct data set
(assuming comparison is the only available method), and therefore cannot
generate outputs for Subsystem II. This time a clear ground rule violation
is not apparent since one LP failure has occurred and Subsystem I in this
configuration is only Fail-safe. Of course, input voting would have
provided a distinct advantage in this situation since Computer 1 could
continue to perform effectively even after the failure.
Once again, however, by complicating the reconfiguration technique
the same benefit could be obtained, i.e., have Computer 1 try using each
of its two data sets. When the output voter indicates agreement, the
problem has been isolated and Computer 1 is still on the air.
4.3.2.3.3 Resolution Uncertainty - This case is only meaningful when
the LP's are operated in parallel since it is assumed that, particularly
with a synchronous bus system, the LP will be capable of insuring an
identical data set on all four buses. Resolution uncertainty in data sets
from parallel LP's must be resolved in each computer by identical
algorithms (averaging, truncation, etc.). This would seem to present
no particular problem until an error similar to the one previously
described (para. 4.3.2.3.2) is postulated. Now Computer 1 would derive
a different value for the input and would cause an output voter
discrepancy. Once again, this situation could apparently be resolved by
increased software complexity. This time Computer 1 would have to tell
the other computers that it has an input error from LP-A and request
them to stop using data from LP-A so that all four computers could then
use only LP-B and would once again agree.
It should be noted that techniques other than input voting are also
available for isolation of bus and/or bus unique LP failures. One such
technique would be transmission tests conducted by multiple computers,
i.e., one computer requests, via a LP, that a test message be transmitted
from another computer. Receipt of the correct reply validates both bus
links, receipt of incorrect reply or failure to receive a reply indicate
faults which can be potentially isolated by further tests conducted between
other combinations of computers, busses, and LP's.
4.3.2.3.4 Summary - From the investigations thus far, it would appear
that provision for input voting is not an absolute necessity, but its benefits
in terms of simplification of fault isolation and reconfiguration procedures
make it well worth considering. Further detailed design of these
procedures will more clearly indicate the extent of the benefits to be derived.
4.3.2.4 LP Voting Mechanization - During the course of evaluating the
various configurations, the actual mechanization of a voter at the LP
gradually evolved. One of the first and most serious problems encountered
was that of keeping the LP synchronized with the data. This is necessary
to prevent the LP from voting on data from different computation cycles.
For voting at the LP, it was assumed that the four IOPs are synchronized
and consequently the busses are synchronized. This allows the LP to
compare the data as it is received from the bus.
To meet the FOOS requirement with just four computers, an adaptive
voter is necessary. But to account for reconfiguration the adaptive voter
must be able to return to a previously failed computer/bus. It therefore
seemed desirable that the voter be capable of being told which sets of
data should be used for the vote, i.e., allow the computer system to
direct the adaptation process.
Since the bus is susceptible to intermittent noise type failures, it was
also desirable that the voter not adapt too soon. It is preferable to
determine whether a failure is intermittent prior to initiating reconfiguration.
In order to provide maximum spare computing capability, triple
redundant computations should be the maximum redundancy at any one
time. The voter then is capable of looking at four sets of data but normally
will only vote on at most, three sets at any given time.
The following mechanization attempts to account for the items
mentioned above. The LP voter will initially be monitoring the four
busses. During the computer program initialization the four computers
will transmit to the LP's information about which busses should be used
for voting. The LP will then "adapt" to those busses which the majority
of the computers requested. The computer information used to direct
the LP voter to a given set of busses will hereafter be referred to as
the ballot.
The voter will continue to vote on three busses until a discrepancy
is detected at which time the voter will direct the LP to use one of the two
remaining valid sets of data and will report the discrepancy to all four
computers. The computers will attempt to re-establish the "accused"
computer. If the "accused" computer does not fail in the vote after being
re-established, the failure will be assumed to have been intermittent. If
the voter reports that it has failed after having been re-established, the
backup computer will be brought on board and the ballot will be changed
to adapt the voter to no longer vote on the failed computer/bus and also
to ignore its ballot. After a second computer failure has caused the
computers to reconfigure, the ballot could be changed to direct the voter
back to a previously failed bus if it is again in use.
For R2 functions which are only double redundant, three busses could
still be voted upon. In this case, the voter must be able to recognize and
report absence of data as well as erroneous data. It would be left to the
computers to determine if the absence was intentional or not. Also, for
R2 functions, when a fault is detected, it cannot be isolated until the
backup computer is brought on board. Then the three-bus voting will
serve to identify the failed computer/bus so that it can be removed from
the system.
The ballot should be transmitted with each block of data. The voter
will not act upon any ballot that is not agreed upon by at least two
computers. The voting results will be reported to all four computers, even
though they may not be participating in the vote, so that each computer
knows the status of the total computer system.
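The ballot mechanization described above can be exercised in a small simulation. The following Python sketch is an added example, not code from the report; the bus names X, Y and Z, the data-block values, the rule that only ballots arriving on currently voted busses are counted, and all class and function names are assumptions made for illustration.

```python
from collections import Counter

BUSES = ("W", "X", "Y", "Z")  # the report names only bus W; X, Y and Z are assumed


class AdaptiveVoter:
    """LP voter that adapts only to a ballot agreed on by at least two computers."""

    def __init__(self):
        self.active = frozenset(BUSES)  # until a ballot is accepted, monitor all four

    def adapt(self, ballots):
        """ballots: bus -> set of busses that computer asks the LP to vote on."""
        # Assumption: only ballots arriving on currently voted busses are counted,
        # which is how a failed computer's ballot ends up being ignored.
        counted = [frozenset(b) for bus, b in ballots.items() if bus in self.active and b]
        ranked = Counter(counted).most_common(2)
        if ranked and ranked[0][1] >= 2 and (len(ranked) == 1 or ranked[1][1] < ranked[0][1]):
            self.active = ranked[0][0]

    def vote(self, data, ballots):
        """data: bus -> block (bytes), missing or None if nothing arrived in the slot.
        Returns (block the LP should use or None, {accused bus: reason})."""
        self.adapt(ballots)
        seen = {bus: data.get(bus) for bus in self.active}
        report = {bus: "absent" for bus, blk in seen.items() if blk is None}
        tally = Counter(blk for blk in seen.values() if blk is not None).most_common(2)
        tied = len(tally) == 2 and tally[0][1] == tally[1][1]
        if not tally or tally[0][1] < 2 or tied:
            # Fault detected but not isolated (the double-redundant R2 case).
            report.update({bus: "unresolved" for bus, blk in seen.items() if blk is not None})
            return None, report
        winner = tally[0][0]
        report.update({bus: "disagrees" for bus, blk in seen.items()
                       if blk is not None and blk != winner})
        return winner, report


class ReconfigurationPolicy:
    """Computer-side ballot management for a triple-redundant function:
    the first miss is presumed intermittent, a repeat after re-establishment is hard."""

    def __init__(self, voting, spares):
        self.voting, self.spares = set(voting), list(spares)
        self.reestablished = set()  # accused once, re-established, awaiting the next vote

    def ballot(self):
        return frozenset(self.voting)

    def handle(self, report):
        events = []
        accused = {bus for bus, why in report.items() if why in ("disagrees", "absent")}
        for bus in sorted(self.reestablished - accused):
            self.reestablished.discard(bus)
            events.append(f"{bus}: passed after re-establishment, treated as intermittent")
        for bus in sorted(accused & self.voting):
            if bus in self.reestablished:
                self.reestablished.discard(bus)
                self.voting.discard(bus)
                if self.spares:
                    self.voting.add(self.spares.pop(0))  # bring the backup on board
                events.append(f"{bus}: failed again, hard failure, "
                              f"ballot is now {sorted(self.voting)}")
            else:
                self.reestablished.add(bus)
                events.append(f"{bus}: accused, re-establishing")
        return events


GOOD, BAD = b"\x10\x20", b"\x10\x21"  # constructed data blocks
SAMPLE_BLOCKS = [                      # constructed sequence of computation cycles
    {"W": GOOD, "X": GOOD, "Y": GOOD},
    {"W": BAD, "X": GOOD, "Y": GOOD},   # W disagrees once
    {"W": GOOD, "X": GOOD, "Y": GOOD},  # W passes: intermittent
    {"W": BAD, "X": GOOD, "Y": GOOD},   # W accused again
    {"W": BAD, "X": GOOD, "Y": GOOD},   # W fails after re-establishment: hard failure
    {"W": BAD, "X": GOOD, "Y": GOOD, "Z": GOOD},  # backup Z now voted on, W ignored
]


def run_scenario(blocks):
    """Drive voter and policy; every computer transmits the policy's ballot with each block."""
    voter, policy, log = AdaptiveVoter(), ReconfigurationPolicy("WXY", ["Z"]), []
    for data in blocks:
        ballots = {bus: policy.ballot() for bus in BUSES}
        chosen, report = voter.vote(data, ballots)
        log.append((chosen, report, policy.handle(report)))
    return log


if __name__ == "__main__":
    for entry in run_scenario(SAMPLE_BLOCKS):
        print(entry)
```

The LP keeps receiving a valid block in every cycle; only the ballot, changed by the computers after the second miss, moves the voter from busses W, X, Y to X, Y, Z.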
The capability of the adaptive voter to return to a previously failed
computer/bus could be provided by a means other than the ballot method.
The voter, whether implemented by hardware or software, could be
mechanized to vote on three inputs and switch to a fourth whenever a
failure is detected. In this manner the voter is not required to remember
past failures, it always switches to whichever input is not being voted
on at the time of detecting a failure. This technique will tolerate
intermittent failures.
oes not supply s of the vote Bo e r
en all four computers are required to operate in a parallel,
~ ~ ~ e r . To allow some flexibility the voting results must be
the computer system. Suppose that critical functions are
redundantly computed. When the voter detects a failure it notifies
and switches its voting to include the spare computer. Since
the spare computer is not performing the redundant computations, it
will be voted out and the first failed computer will be switched into the
vote again. If on this vote the first failed computer now passes, the
computer system would assume that the failure was intermittent and
would not reconfigure. If it fails the vote a second time, the computer
system would assume a hard failure and would initiate configuring the
spare computer to pick up the redundant computations for the next cycle.
Interleaving double redundant with triple redundant computations would
not be allowed with this technique because this could cause apparently
simultaneous failures with only a single actual failure. Should this happen
the voter would not be able to select the correct set of data.
4.3.2.5 Requirements for Reconfiguration - It is possible to operate
any of the configurations in a manner which requires no reconfiguration
within the computer system. This is accomplished by utilizing completely
identical programs in all four computers which perform all
critical functions (R1, R2, and R3) in parallel. Adaptive majority voting
is performed on the four outputs at the LP/subsystem to allow FOOS
operation. No feedback of voting status is required by the computers.
Operating in this manner has the appeal of simplicity but has several
major drawbacks:
1. Each computer must be sized (memory and speed) to be capable
of performing the total operational task individually.
2. Restricted capability to perform non-critical functions since
no "spare" computers are ever available.
3. Overall reliability penalty in terms of probability of success due
to lack of flexibility in choice of reconfiguration paths.
4. Requirement that LP/subsystem account for resolution uncertainty
in input data.
5. The LP's must be capable of adaptive majority voting.
The first level of reconfiguration capability which could be introduced
into the computer system involves taking advantage of the varying function
redundancy (error sensitivity) requirements. That is, R3 functions would
be computed by only three of the four computers prior to a failure; R2
functions would be performed by only two computers at a time, and R1
functions would be split among the computers. This would allow reduction
in the memory and speed requirements for each computer since R1
functions could be shared by two computers rather than being performed
by both. It would further make available considerable computing capability
which could be devoted to non-critical functions prior to the occurrence
of failure.
In order to accomplish this mode of operation, two things must be
available in the system.
1. The results of the voting process must be available to the computers.
2. The computers must be able to communicate with each other.
This level of reconfiguration will be performed on a function and/or
a computer basis. All four computers will participate in the reconfiguration
computations and the data that is transferred between computers will
possibly include program modules as well as reconfiguration status, function
initialization data, synchronization data, etc. The amount of data required
to be transferred can potentially be quite large and hence the speed,
efficiency, and convenience of the communication paths is significant.
Procedures for reconfiguring each error sensitivity level of critical
functions have been considered in some detail, but are only significant
in this discussion in that they exhibit the extent of computer
intercommunication required.
Another level of reconfiguration can be introduced if module-level
switching (IOP/memory/CPU) under computer control is provided. The
advantage of this is an increase in probability of success due to more
flexibility in reconfiguration paths. The module-level switching would
presumably be restricted to modules within a given compartment (two
computers/compartment), however, the switching function must rely
on a voting process in which all four computers participate. As in the
previous discussion, the major significance of this level of reconfiguration
is the necessity for a considerable amount of computer-to-computer
communication; indeed, additional communication is required in this
level since switching information and module level fault isolation data must
be transferred. The additional fault isolation required to accomplish this
type of reconfiguration does not seem germane to the present problem
(meeting FOOS) except for the implication of increased communication.
4.4 CANDIDATE CONFIGURATION EVALUATION 
The following section presents the mechanization and evaluation of
the nine configurations identified in Section 4.2.2.
4.4.1 Category 1 
4.4.1.1 General Description - Each of the four data busses is dedicated
to the IOP of one of the four computers. Communication between computers
is only possible if multiple busses are connected to a given LP and the LP
is capable of "relay" data transmission.
4.4.1.2 - Configuration
is connected to any L
subsystem in order to meet the
nt which is in conflict with
the intent of Ground rule #2.
4.4.1.3 - Configuration 1B - In this configuration all LP's are connected
to all four busses (Figure 4-9). Adaptive majority voting is performed on
the computer outputs in each LP. No reconfiguration is required in the
computer system to satisfy the FOOS requirement. If reconfiguration is
employed to increase reliability and/or make available spare computational
capability, each LP would report the results of its voting to the computers
and the computers would use the LP's to provide computer-to-computer
communication.
4.4.1.3.1 Input/Output Voting - Input voting is not possible in this
configuration since data sets on a given bus are available to only one computer.
Therefore, input errors will be detected as output discrepancies and
further isolation will rely on such techniques as previously discussed
(Para. 4.3.2.3). Output voting is performed in the LP's by a mechanism
similar to the one described (Para. 4.3.2.4) if computer system
reconfiguration is included. Simpler, less flexible voting mechanisms are of course
possible if this level of reconfiguration is not included.
4.4.1.3.2 Reconfiguration - In order to allow any computer system
reconfiguration, the results of the LP voting process must be transmitted
to all computers and communication paths must be established between
computers. The results of each LP vote could be readily transmitted in
the "acknowledge" message issued in response to the computer's
transmission request. Communication between computers can only occur with
LP participation. Every LP would need the capability to relay data from
one computer to another, which could be mechanized in the following manner:
For the case that one computer wants to transmit to another:
1. Computer 1 transmits to LP-A and specifies that the data is for
Computer 2.
2. The LP would buffer the data and wait for a request from
Computer 2.
3. Computer 2 would periodically address LP-A and request any
data directed to it.
4. When addressed, LP-A would transmit the data to Computer 2.
5. The next time that Computer 1 addressed LP-A, the LP's
acknowledge message would indicate completion of the relay.
Since the LP's buffering capability would presumably be limited, it
would retain only one message at a time. If another computer requests
data relay, the LP would indicate a "busy" status in the acknowledge message.
FIGURE 4-8. CONFIGURATION 1A
FIGURE 4-9. CONFIGURATION 1B
FIGURE 4-10. CONFIGURATION 1C
A specific order could be established which
assigned LP's as relays between particular computers such that failure
of a given relay LP would automatically assign another one. However,
computers would be required to send requests to multiple LP's on a
regular basis in order to prevent undetected LP failures from breaking
the relay link.
In the case that one computer wants to initiate a data relay from
another, the relay system would function the same way except that the
initiating computer would first relay a data request to the other computer.
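The relay procedure of para. 4.4.1.3.2, with its one-message buffer, "busy" acknowledge, completion report and fallback to another relay LP, as an added Python example that is not part of the report. The class, method and field names, the "accepted" and "idle" status values and the LP-B name are assumptions.

```python
class RelayLP:
    """Local processor that relays one buffered message at a time between computers."""

    def __init__(self, name):
        self.name = name
        self.failed = False      # a failed LP returns no acknowledge at all
        self.buffer = None       # (source, destination, payload) or None
        self.delivered = set()   # sources whose relay finished but is not yet reported

    def _ack(self, computer, status):
        """Acknowledge message; reports a finished relay once to the originating computer."""
        done = computer in self.delivered
        self.delivered.discard(computer)
        return {"lp": self.name, "status": status, "relay_complete": done}

    def transmit(self, source, destination, payload):
        """Steps 1 and 2: the source hands the LP a message for the destination."""
        if self.failed:
            return None
        if self.buffer is not None:
            return self._ack(source, "busy")   # only one message is retained at a time
        self.buffer = (source, destination, payload)
        return self._ack(source, "accepted")

    def request(self, computer):
        """Steps 3 and 4: a computer asks for any data directed to it."""
        if self.failed:
            return None
        if self.buffer and self.buffer[1] == computer:
            source, _, payload = self.buffer
            self.buffer = None
            self.delivered.add(source)
            return {"lp": self.name, "from": source, "data": payload}
        return {"lp": self.name, "from": None, "data": None}

    def poll(self, computer):
        """Step 5: the next time the source addresses the LP, the acknowledge reports completion."""
        return None if self.failed else self._ack(computer, "idle")


def relay(order, source, destination, payload):
    """Try the relay LPs in the pre-established order, skipping failed or busy ones."""
    for lp in order:
        ack = lp.transmit(source, destination, payload)
        if ack and ack["status"] == "accepted":
            return lp.name
    return None


def collect(order, computer):
    """The receiver polls every relay LP so a single failed LP cannot break the link."""
    replies = (lp.request(computer) for lp in order)
    return [(r["lp"], r["from"], r["data"]) for r in replies if r and r["data"] is not None]


def demo():
    """Constructed exchange: Computer 1 sends to Computer 2, then LP-A fails."""
    lp_a, lp_b = RelayLP("LP-A"), RelayLP("LP-B")
    order = [lp_a, lp_b]
    steps = [relay(order, 1, 2, b"reconfig status")]
    steps.append(lp_a.transmit(3, 4, b"x")["status"])   # buffer full, so "busy"
    steps.append(collect(order, 2))
    steps.append(lp_a.poll(1)["relay_complete"])
    lp_a.failed = True
    steps.append(relay(order, 1, 2, b"second message"))  # falls through to LP-B
    steps.append(collect(order, 2))
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```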
4.4.1.3.3 Hardware/Software Mechanization Considerations - There
seem to be no significant hardware considerations unique to this
configuration. The bus/computer interface is the simplest of all the configurations
and should therefore present the least problem from the standpoint of
physical and electrical isolation of failures. However, a fair degree of
intelligence is required of the LP in this configuration.
From a software standpoint, the computer intercommunication
system is very cumbersome and inflexible, and makes high rate or high
volume data transfer difficult.
4.4.1.4 Configuration 1C - This configuration differs from 1B only in
that it allows connecting less than four busses to a given LP (Figure 4-10).
There is little benefit to be derived from reducing bus/LP connections in
this configuration since removing a bus from a LP also removes the
capability of a computer. Therefore, in order to retain the FOOS
capability the number of LP's in a given subsystem must be increased
in direct proportion to the reduction in bus connections and any LP
failure reduces the amount of computer system capability available to the
remainder of the subsystem.
Operation of this configuration would not differ significantly from 1B,
therefore no further discussion is presented.
4.4.2 Category 2 
4.4.2.1 General Description - Each of the four computers can transmit
on only one of the data busses, but each computer can receive data on all
four busses. Communication between computers is therefore possible
over the bus system (Figures 4-11 and 4-12).
4.4.2.2 Configuration 2A - This configuration allows only one bus
connection for each LP. Since only one computer can transmit on a given
bus, each subsystem must have at least four LP's in order to have a
FOOS capability in the computer system. This is a rather undesirable
restriction.
FIGURE 4-12. CONFIGURAT
FIGURE 4-13. C
not differ significantly from
in the following section.
4.4.2.3 Configuration 2B - Two alternate modes of operation were
considered for this configuration:
Alternate 1 - Operation is identical to that described for configuration 1B
except that input voting is performed and computers communicate directly
over the bus in place of the LP relaying technique.
Alternate 2 - Each computer monitors the data being sent to the LP's
from other computers. The data sets are then compared in each computer
performing the associated function and the results of each computer's
comparison is transmitted on its bus to the LP and/or used as a vote to
control transmission on other busses.
4.4.2.3.1 Input/Output Voting - Input voting can be accomplished in this
configuration since each computer can receive the data from all busses.
The IOPs are assumed to be capable of selectively monitoring transmission
from LP's by examining the address and control information in the data
requests sent from computers to LPs. If the data set(s) being transmitted
are being used by a given computer, its IOP will accumulate up to four
copies of the data. All computers involved in the computations requiring
the data will compare the redundant data and choose a single set. Each
computer will then use that data set in its computations and will report
the result of its comparison to the other three for use in the reconfiguration
computations.
Output voting at the computer/bus interface (Para. 4.3.2.2.2) is
performed in Alternate 2 of this configuration. An individual computer
has the ability to monitor each of the other three busses, but for purposes
of voting, it would only monitor that data which is redundant to its own
calculations. Thus, if a particular computer is operating on R2 functions,
it will only monitor one other bus for voting purposes. Since it has been
assumed that the bus system is synchronized to within some tolerance
time slot, the computer knows that it only needs to monitor the other
bus(es) at the same time that its own data is being transmitted or received.
If the redundant data does not appear on the other bus, the voter will fail
that computer.
Once the vote has been taken, there are two methods of using the
results. The first method is for the computer to transmit at the end of
every data block, the result of the vote on that block. The LP would
examine that vote and compare it with the votes received from the other
busses and if a failure has occurred, switch to one of the busses which
agreed with the majority vote. The LP
essentially voting on votes so that th s must also be adaptive,
preferably by ballot (Para. 4.3.2.1) computer system. The
second method of treating the vote
d in conjunction with the
above or autonomously. This method utilizes a switch on the bus
(Figure 4-12). The majority vote is used in this case as a go/no-go
indication to the switch which must be adaptive since it has four inputs.
This provides a means of halting transmission of faulty data to a LP,
which in turn recognizes the fault by noting the absence of data.
In the case of R2 data, a fault will be detected but only two voting
results will be sent to the switch. In order to insure a majority-of-three
decision by the switch, the backup computers for the R2 function will
always send a "go" indication until one of two operational computers
indicates a fault. When this happens, the backup computers will send a
"no-go" indication taking both of the operational computers off their
busses. One of the backup computers will now reconfigure to pick up
this R2 function and when it is ready, it will notify the other computers
which can now isolate the fault by comparison with the third set of data.
Once isolated, the faulty unit will be taken off of the bus and the other
two will provide the double redundancy required by R2 functions.
4.4.2.3.2 Reconfiguration - In Alternate 1, LP voting would be used
for failure detection. The results of the voting process would be
transmitted to all four computers over multiple busses. The reconfiguration
process would then proceed utilizing the bus system for computer-to-
computer communication without LP participation. Each computer would
have a unique address analogous to a LP address, therefore, messages
directed to a computer would not be monitored by LP's. Computer-to-
computer messages would differ from computer-to-LP messages in that no
acknowledge would be sent in response to a transmission request since the
computer on the receiving end is incapable of transmitting on the same bus.
Acknowledgement of data transfer would either be implicit in some other
action or would be transmitted over the receiving computer's bus which
would be monitored by the transmitting computer.
In Alternate 2, the results of the voting process in each computer
will be exchanged with every other computer in order to compute the
desired reconfiguration. Communication between computers would
occur as described for Alternate 1.
Note that category 2 configurations allow a minor increase in
reconfiguration flexibility over category 1. Since each computer can receive
data on all busses, it is possible for a given computer to switch to
another bus in the event of input-sensitive bus or LP failures which do
not affect all busses.
Mechanization Considerations - Two con-
tional bus-to-computer connec
a hardware standpoint:
2. The difficulty of implementing the bus switch pictured in Figure
4-12 to provide an adaptive voting function therein.
The only significant software consideration introduced by this
the necessity for data comparison and voting in the com-
effect of this load on the duty cycle requirements of the
IOPs does not appear prohibitive.
4.4.2.4 Configuration 2C - The relationship of configuration 2C to
2B is analogous to the relationship of 1C to 1B as discussed previously
(Para. 4.4.1.4).
4.4.3 Category 3 
4.4.3.1 General Description - Each of the four computers can both
transmit and receive on all four data busses (Figure 4-13). The proposed
implementation of this category is common to configurations 3A, 3B and
3C, therefore, a single description will be presented. In this configuration,
independent I/O channels from all four IOPs are routed to each of four
switches associated with the four busses. The switch will connect at most
one of the channels at a time to the bus allowing the computer associated
with that channel to transmit and receive data over that bus. The switch
position is determined by a majority vote on four inputs to the switch,
one input from each of the computers. Further, each of the four computers
can monitor data on all four busses independently of whether they are
switched into any bus.
4.4.3.2 Input/Output Voting - Input voting is possible in this configuration
and would be accomplished in the same manner as described previously.
In this category the computer/bus configuration at any given time is
determined by the states of four different switches, one switch dedicated
to each bus. The results of each computer's vote must be sent to these
switches. In Configuration 2B with switches, a go/no-go indication was
all that was required by the switch. In this case, the results of the vote
must define which computer is to transmit on a given bus. Again, since
four inputs are required by the switch, the inputs must be generated in
an adaptive manner under control of the computers. Note that the switches
may have an "off" position for isolation purposes.
In category 3, faulty data will be transmitted, but a valid data indicator
can be sent as the final word of every data block in the following manner.
The redundant computers will be selected for transmitting data on the bus
in a predetermined order. Assume this order
to be (1) operating, (2) backup A, (3) backup B.
ree computers will
11 the switch to g
ill then append the valid data indicator to the dat
pleting the data transmission.
In the event faulty data is detected, backup A will append an abort
indication and immediately begin transmitting the data a second time.
If backup A fails in such a way that it sends an abort indication when
indeed the data was valid, then the operating computer and backup B will
detect this error and immediately vote to switch to backup B which will
transmit the valid data. In this manner the LP can be assured of
receiving a valid set of data. The switch itself would not be capable of
generating a valid data indicator even if it fails.
The voting process in category 3 will account for R3, R2 and R1
functions. Again, with R2 and R1 functions, if a failure occurs, the
computer will automatically remove their data from the bus system
until the fault is isolated after a reconfiguration has taken place.
Category 3 provides the potential for varying the number of redundant
transmissions of redundantly computed information while still maintaining
FOOS. If the bus system is outside the FOOS boundary, or if means other
than voting can be used for bus fault detection, transmission of triple
redundant computations may be limited to a single bus by relying on other
detection methods (error coding) to detect transmission errors. This
requires allotting a second time slot for every block of data to allow for
transmission of data from a second computer in the event that a fault is
detected in the first transmission. Since a valid data indicator is part of
every data block, the LP will abort faulty data and prepare to accept the
retransmitted data. Note that this does not imply that only a single bus
will be in use at any given time. Several busses may be in use simultaneously,
but no requirement to redundantly transmit any set of data is present.
Use of several busses is desirable to reduce the density required for data
on the bus.
4.4.3.3 Reconfiguration - In this configuration, the results of the voting
process internal to the computer system will be the primary means of
failure detection. This information together with the results of bus error
detection reported by the LP's will as usual be distributed to all four
computers for use in reconfiguration computations. Once again, the bus
system is used for the required computer intercommunication without the
aid of LP's. In this configuration, acknowledgement of the transmission
request could be made over the same bus but might not be a desirable
mechanization.
Note that another level of reconfiguration flexibility has been introduced
over the category 2 configurations.
OP interface can be switched, a computer can switch to
he event of a bus failure and all four busses can still be used
computer failures.
Hardware/Software Mechanization Considerations - The
t which controls the connection between IOP's and busses
requires a detailed hardware mechanization consideration. The
functional diagram (Figure 4-13) is, of course, simple-minded and
actual implementation of this concept is treated in detail later.
From a software standpoint this is the most sophisticated
configuration, but the software design difficulty relative to the other
categories appears to be largely a matter of degree.
4.4.3.5 Alternate Implementations - There are many possible approaches
to implementing the voting and switching requirements presented in this
configuration. One which merits consideration is to implement the data
voting and switching element totally in hardware. Assuming a synchronous
bus system, this would appear feasible and could relieve the requirements
on the IOP hardware and software.
4.4.4 Summary -
The evaluation of the nine configurations has tended to uncover
similarities in alternate approaches rather than differences. It appears
reasonable to consider further only the two approaches corresponding to
configurations 2B (Alternate 1) and 3C. Configuration 1B appears to be a
workable approach, but reconfiguration demands a flexible, efficient
computer-to-computer communication system. Configuration 2B
(Alternate 2) does not seem reasonable since little benefit, either in
terms of reduction in LP requirements or in reconfiguration flexibility
is derived.
Of the two preferred approaches, configuration 3C offers the optential 
of a highly flexible system and is  the recommended system concept. 
Table 4-1 is  a summary matrix comparing configurations lB, 2B and 3C. 
TABLE 4-1 SUMMARY MATRIX 
Alternate 1: Alternate 2: 
Canputer a) & b) same as above a)Output voting a t  
~ o n f . 3 C  P e s  a) L P  Good a)Highly flexible. a)Complex design 
b C anpuke r b)Output voting a t  req'd for switchin 
compute r reduces elements. 
4.5 DEFINITION OF CANDIDATE CO
4.5.1 Introduction
The previous two sections presented the failure detection/reconfigura-
tion concepts and several computer system organizational concepts to
satisfy the FOOS requirements. As noted in the last section, system
concepts 3C and 2B were selected as offering the greatest potential. The
concept 3C required an adaptive voter switch at the interface to each of
the four busses. In the progress of the study the alternate implementation
referred to in Section 4.4.3.5 was given further consideration and
selected as the preferred implementation of system concept 3C. This
alternate mechanization places the voting on data function directly in the
device that interfaces with the bus (an additional benefit is to vote before
the data is actually placed on the bus, thereby inhibiting the transmission
of erroneous data). This device will hereafter be referred to as the VCS
(Voter-Comparator-Switch).
There are many alternate internal computer organizations that can be
used to mechanize the four-level redundant computer system, the simplest
being four conventional single computers. This section presents the
internal organizations chosen as candidates. It should be noted that all
of these candidates must meet the FOOS requirements. This requirement,
as discussed in the prior two sections, is proposed to be met by adaptive
voting means that do not rely on peculiarities of the internal computer
organization (other than that four independent computing elements be pro-
vided). Four basic computer organizations will be discussed below. Each
of the organizations has been considered for implementation by two
technology approaches: one involves current low risk technology while the
other uses higher risk future technology. Further, these eight possibili-
ties are subject to the two system concepts, with and without the VCS
device (this corresponds to configurations 3C and 2B in Section 4.4).
This yields a total of 16 candidates that provide a quantitative output
to the evaluation task (Section 5.0). The description of and derivation of
data on the candidate computers is presented below:
4.5.2 Candidate Organizations
Four computer organizations have been applied as candidates; they
consist of two multicomputers and two multiprocessors. Since the internal
organization is not the basis for meeting the FOOS requirement, a great
deal of effort was not placed on deriving internal organizations; the organi-
zations used are representative of many used in past studies (Ref. 4-3
through 4-9). As a result of the computer requirements analysis performed
in Section 3.0 it was decided that the basic (non-redundant) storage capacity
shall be 32K words (32 bits) and the speed capacity shall be 500,000 adds/
second (operand from memory).
4.5.2.1 Non-Modular Multicomputer - This organization is shown in
Figure 4-14.
located in two compartments of the Space Station. Each
contains a processor, memory and I/O section. The characteristics of
the processor and I/O section will be defined later (Section 4.5.3).
Each memory in this organization will consist of 32K words of 32 bits
+ parity. Each computer will be non-expandable in terms of memory and
non-modular for redundancy purposes (spare P,
or I/O modules cannot be provided within each computer).

This organization operates as a set of four single computers. It may
be used as a single computer with redundancy or in a multicomputer mode
where four computers are solving the computational load in a non-redundant
manner. It is also envisioned that a mix of both redundant single computer
and multicomputer operations may be performed by this system.

In addition to a serial digital bus to the LP's, each I/O processor
contains a parallel (16 bits) digital interface for high speed data transfer
to a mass memory or the information management system. This parallel
interface is not included in the FOOS requirements.

Two system concepts (1 and 2) are shown in Figure 4-14. Concept 2
contains the VCS device referred to earlier and corresponds to configuration
3C selected in Section 4.4 above. Concept 1 simply excludes the VCS and
would correspond to configuration 2B of Section 4.4. Since the VCS device
is quite unique, it was subject to a detailed investigation. Therefore,
further discussion of the computer system operation with this device is
deferred to Section 4.5.5.
4.5.2.2 Modular Multicomputer - As shown in Figure 4-15, this organi-
zation is similar to the previous one in that it consists of four single computers.
It differs in that each computer is modular within itself by means of an
expandable common bus. The solid line modules in Figure 4-15 depict
operational modules while the dashed line modules indicate redundant spare
modules. The memory modules will be 16K words. Up to 64K words of
operational memory modules (4) may be used on the common bus. Only
one processor and I/O module may be operational on the common bus.
The number of spare M, P and I/O modules that may be provided are
defined later in the preliminary hardware mechanization considerations
(Section 4.5). The two system concepts are also reflected on this organi-
zation in a similar manner as for the prior organization.

This organization may be operated in a combination of redundant single
computer and multicomputer modes as in the previous organization. In
addition, it may be initially configured with a variable number of memory
modules in each computer. In fact, the number of memory modules turned
on can be varied depending on the computational load.
4.5.2.3 Non-Modular Multiprocessor - A non-modular multiprocessor
organization is shown in Figure 4-16. Essentially, this organization
consists of a pair of multiprocessors, one in each compartment. Each
memory module has the capability of being accessed by two busses. A bus
serves a processor and I/O unit.

The memory units shown in Figure 4-16 will contain 32K words of
storage. The organization will not contain provisions for expandability
or the addition of spare redundant modules. Several extra functions
must be provided in this organization that are not required for the prior
two organizations:

1. Each memory module must have two bus ports. The logic and
   hardware must be designed so that failures within the memory
   module cannot simultaneously render both busses useless.
   (See Section 4.5.3 for some preliminary considerations). This is
   of extreme importance to preserve the FOOS capability.
2. Each memory module must have priority control logic to permit
   simultaneous operation of both busses.
3. A lockout function controlled by each bus is required. Two lines
   shall be included as part of each bus to control the lockout:
      00  No lockout - full multiprocessing
      01  No access by other bus - full lockout
      10  Set boundary registers to define scratchpad
          area for other bus (write area)
      11  Read only access by other bus

This organization may be operated as a pair of dual multiprocessors
or in a variety of other modes. The provision of lockout functions in
memory allows it to be set up to function as a multicomputer or redundant
single computer as in the prior two organizations. This lockout provision
allows the system to operate in a Fail Op-Fail Op-Fail Safe mode. (FOOS
cannot be met when operating as a multiprocessor since independence
of failures could no longer be assumed.)
4.5.2.4 Modular Multiprocessor - As seen in Figure 4-17, this organi-
zation is similar to the prior multiprocessor. The difference is that a
certain amount of modularity and expandability are provided. Each
memory module will contain 16K words. The memory modules will be
capable of operating with more than two busses to allow for processor
expandability. For preliminary design purposes, provision for a total
of three (3) busses should be provided. A total of 192K words of memory
may be provided in each compartment. Spare redundant M, P, and I/O
modules shall be capable of being provided in the system; the amount of
this capability depends on initial preliminary hardware design considera-
tions given in Section 4.5.7.
(Figure panels: System Concept 1, System Concept 2)
This organization will contain the same lockout hardware features
in each memory module as described for the prior multiprocessor.
It also may be operated in a variety of modes as previously discussed
above.

4.5.3 Computer Architecture
The following ground rules apply to each organization. Differences
in the M, P, and I/O units between each organization are due only to
requirements unique to the particular organization. Once again, the
details of the internal architecture are not the key to meeting the FOOS
requirement; therefore, a representative architecture has been selected.
4.5.3.1 Processor -
. Arithmetic Word Length: 32 bits
. Data Options: 1. Fixed Point
                   a) Half word
                   b) Full word
                2. Floating Point
. Data Option Controlled by Mode Select
. Add Time (and operand fetch from memory)
  ≤ 2 µseconds
. Microprogram Control Unit
. Instruction Format: 16 bit and 32 bit
. Registers:
  32 bit
  . Accumulator
  . Lower Accumulator
  . Temporary Storage
  16 bit
  . 8 Base/Index
  . Program Counter
. Control Panel Interface
. 4 Discretes
. 4 Interrupts
4.5.3.2 Memory -
. Size specified in each organization
. Word Length: 32 bits + parity (1 parity bit for each 16 bits)
. Multiprocessor Interface: (as shown in Figure 4-18)
  The multibus interface is designed so that failures are in-
  dependent among the interfaces.
. Multiprocessor lockout: (as specified in Section 4.5.2.3)
4.5.3.3 I/O -
. Independent Processor with limited I/O handling
  instruction repertoire
. Baseband time division multiplexed interface to
  bi-directional twisted pair bus (serial bus)
. 16 bit parallel high speed channel under external control
4.5.3.4 Memory Bus -
. Common bus shared by Processor and IOP with priority
  resolved by processor.
4.5.4 Computer Technology
Two approaches have been considered; the first is low risk state-
of-the-art and the second higher risk currently developmental technology:
1. Logic: P channel 4 8 MOS
   Memory: Plated Wire
   Conventional Packaging
2. Logic: P channel 4 8 MOS
   Memory: MNOS and MOS Read Write
   Packaging: Beam leaded uncased devices on ceramic substrates
   with the substrates assembled into large packages
   (approximately 1-1/2" x 1-1/2") and these packages
   mounted on conventional boards
These technologies were discussed in Section 2.0 and will not be
discussed any further in this section.
4.5.5 I/O Processor and VCS Mechanization
As discussed above, system concept 3C uses a unique device entitled
the VCS (Voter-Comparator-Switch) that interfaces with the I/O Processors
and the serial data busses to the LP's. This section will present a detailed
investigation of the characteristics of the VCS device.

4.5.5.1 IOP-VCS Operation - This section describes the operation of the
Input/Output processor and the voter-comparator-switch both within the
computer and between the computers. Figure 4-19 shows the computer
system with the interface between the computers and the I/O busses de-
picted. Four computers comprise the system; each is shown as being
housed in one physical module. Each computer contains a connection to
one of the four I/O busses in the system. In addition, each computer
contains four other connections: three receive channels, one from each
of the other computers, and one output channel to all the other computers;
it is via these connections that the voter-comparator-switch (VCS) concept
is mechanized.
Figure 4-20 shows the interconnection in greater detail where the
VCS is depicted as a separate entity from Computer 1.

The architecture of the overall system has been designed so that
the computer system may be operated in a wide variety of modes: four-way
voting (all four computers doing the same job, with one or more of the VCS's
voting on the information), three-way voting with the fourth computer dor-
mant or doing a different job, two-way comparison with the other two
computers also in comparison, dormant or doing distinct jobs, and four
non-redundant computers. The mode is under the control of the executive
system which is distributed among all the computers. The executive is
redundant, in a distributed sense, to satisfy the FOOS requirement.
Actual control of the mode rests in the VCS device which essentially is
the "front end" of each computer.
A detailed block diagram of the VCS-IOP section of a computer is
shown in Figure 4-21. The VCS device outputs on one I/O bus; it has as
inputs the outputs of the four I/O processor sections of the four computers.
As shown, these inputs to the VCS may be used by the voting, comparison
or selection logic. The block diagram containing this logic is directed by
a control unit as shown in Figure 4-21. This control unit is further
directed by each of the four computers. The control unit is the heart of
the VCS in that it must be adaptive to failures of the four computers. The
control unit is designed to function under majority control of the computers.
The computers operate on their own independent clocks. While the
clocks are nominally at the same frequency, there may be some drift
between the computers. Hence, the computers cannot operate in bit sync.
(Sync of the clocks was considered, but rejected
due to the difficulty of designing around the FOOS criteria). Relatively
close sync of operation is required when operating in either the voting or
comparison modes. Synchronization of the I/O processors (and the CPU)
is accomplished by cross communication of the I/O processors. Each
computer has a channel into the I/O processors of the other computers.
When synchronization is about to take place, the computers to be synch-
ronized transmit commands to each other via their respective channels.
These commands are decoded and act as interrupts to the I/O processor.
Receipt of the commands from the participating computers synchronizes
the start of the I/O program. I/O processors will have the capability to
mask the synchronizing interrupts thereby preventing failed computers
from affecting other computers. The design of the VCS allows a ±1/2 word
(16 bit) out of sync operation of the computers. This is accomplished by
the use of shift registers in each channel from the other computers at the
input to the VCS logic. This tolerance on synchronization allows for
certain contingencies such as allowance for parity errors in memory
operation in addition to the slight drift of the four clocks and similar
occurrences which would be extremely difficult if not impossible to
design around if some tolerance were not available.
The channel buffers in the I/O processor are serial in/out and
parallel out registers that are monitored by decoding logic. This logic
decodes commands and routes the commands and data to the appropriate
destination. A computer may communicate to another computer directly
via this channel. This buffer also sends commands destined for the VCS
to the control unit of the VCS and data destined for the VCS is sent out
to the shift registers. All commands and data will contain appropriate
flag bits to be used in routing the transmissions.
Transmissions output by the VCS on the I/O bus are checked by
monitoring the end of the bus. The decoding and routing logic associated
with this channel sends the monitored information to the appropriate
computers. Upon checking the transmission, the computers can send a
validation to the LP's. In this manner errors on the bus may be detected
and the LP's inhibited from using bad data.
The voting comparison and selector logic and the control unit of the
VCS are described in detail in the next section. Basically, the control
unit contains a "P" matrix and an "R" matrix. The "P" matrix is the
permissible states matrix and the "R" matrix is the requested mode
matrix. The "P" matrix basically is the set of failure indications of a com-
puter on itself (each computer will contain hardware/software self test
features capable of providing a self failure indication with a specific
confidence; the self test/reconfiguration factors will be discussed separately
in Section 4.5.6) and of a computer's opinion of the other computers.
(This is input to the control unit as a command with flag bits). The "P"
matrix is driven by logic that operates under majority control. This
majority control is adaptive to failures in the computer system.

The "R" matrix basically is the set of desired operational modes
as input to the control unit from the computers (this is input as a
command). The possible modes are a four way voter, three way voter,
two way comparator, or a selector switch. The "R" matrix is connected
to logic that is also adaptive to failures and operates by majority control.
The computers may change the mode of the system by sending
appropriate commands to the VCS. Since majority control is required to
do this, they must be synchronized and all be aware in their executive
of the modes of the system that are to be used or they must communicate
to each other via the IOP's of the desired modes of the system. In any
case, the IOP's must all independently command the VCS of the desired
mode of the system (the VCS adapts to failed computers by masking their
commands).
The "P" and "R" matrix of the VCS may be monitored by any of the
computers by commanding the VCS to send their contents to the computer.
In this way a computer can check to see if the proper mode has been set
up before outputting data.

It should be noted here that the initial considerations in design of the
VCS considered using two buffer shift registers per computer input channel
that provided inputs to the VCS logic. These dual shift registers allowed
a maximum out of synchronism of 1 word in the outputs of the computers.
Difficulty arises however if a failure occurs that results in a failed com-
puter being up to 1 word out of synchronism (faster) than the non-failed
computers. To cope with this situation, a third shift register was added
to each channel. The maximum tolerance on synchronism remains 1 word.
If a computer fails such that it is less than 1 word out of synchronism
with the non-failed computers then it will not disrupt operation of the VCS.
If a computer is more than 1 word out of synchronism with the majority
then it is automatically defined as failed.
4.5.5.2 VCS Mechanization - The control unit and voter-comparator-
selector logic will be described below. A block diagram of this portion
of the VCS is shown in Figure 4-22.

4.5.5.2.1 P Matrix - The function of the VCS control unit is to connect
the VCS output unit appropriately to receive data from the four computers.
Another function of the control unit is to determine which computers are
good or bad. The control unit consists of two basic functional elements:
the P matrix and the R matrix. The P matrix contains information on
the good and bad state of the four computers while the R matrix contains
the desired operating mode of the four computers (4V, 3V, 2CO, selector).

The P matrix is described below:

It is seen to be a 4 X 4 matrix. The diagonal elements AA, BB, CC,
DD are the prime information desired from the P matrix (this is what the
R matrix uses). These elements define whether a computer is good or bad
(if AA = 1, Computer A is good). The off diagonal elements AB, BA, etc.,
are one computer's opinion of another computer, i.e., AB is Computer A's
opinion of Computer B. In general:

   (i, j) = i's test of j
          = 1 if i tests j to be good
          = 0 if i tests j to be bad

The off diagonal elements (i, j) are directly input to the P matrix from the
computers themselves while the diagonal elements are derived from logic
associated with the P matrix.

The logic that derives the diagonal elements will be explained below.
The basic criteria for declaring a computer good or bad is as follows:
A computer is good until either it reports itself as bad (self test/BITE signal
from computer = 0) or a majority of the other good computers think it is bad.

The equations that are used to derive the diagonal element will be given
below. Those for computer "D" will be given; the equations for computers
A, B and C follow directly.

The register that contains the "D" column of the P matrix, AD, BD,
CD, DD, is as shown in Figure 4-23.
Figure 4-23. D Register Logic (labels: BD, DD, D (Self Test), non-volatile,
fan out to other VCS's)

The flip flops that contain the terms AD, BD, CD are set directly
by each of the computers A, B and C respectively. The term DD is
derived as shown in the diagram of Figure 4-23. The term "D" represents
the self test/BITE signal received from computer D. This signal is
"anded" with the contents of DDe, the enable DD flip flop. The one set
and zero set (1DDe and 0DDe) terms for DDe are given below:
ts the adaptive logic of the P matrix. T
mask out failed computers from decision
flip flop must actually be non-volatile (it
also copied into a non-volatile storage,
nce its condition cannot be lost
ce the adaptive logic can only
ttempt to re-establish the terms
, DD after more than one failure can not be guaranteed.
failures at a ti
e term shows the condition wherein the set of DDe is accom-
repair of the system. Note that 1DDe cannot be derived from
the inverse of 0DDe; an attempt to do so could cause the system to "blow
up" after three failures. (After three failures the 0DDe will go false
and, if 1DDe were derived from this, self test/BITE would have to be
relied upon from all the failed computers).
The output from the P matrix logic to the R matrix logic is the
good/bad indication of the four computers. If we let
   Xi = good state of computer i
   Zi = bad state of computer i
Then, for computer D
   XD = DD
   ZD =
The situation when one computer fails, reports the other computers
as bad, but fails to report itself as bad should be mentioned here. Sup-
pose this has happened to Computer A; the resultant configuration of the
P matrix is:
      A B C D
   A
   B
   C
   D
If this is the first failure in the system, then BA, CA and DA would
be set to 1. The terms AB, AC, and AD being 0 would have no effect
on the diagonal elements of the P matrix since the logic requires a
majority opinion as explained above. Since A is the bad computer, it is
up to computers B, C and D to insert 0's in BA, CA, and DA (only 2 out
of the three are required); once this is accomplished, the term AA will
be forced to a zero.

Note that after two failures, it may not be possible to reach a majority
opinion in the logic associated with the P matrix. For the third failure,
the primary term relied on is the self test/BITE indication.
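
The good/bad rule and the first-failure case described above can be traced with a small model. This is an added example, not logic from the report: the class and method names are hypothetical, and because the 1DDe/0DDe equations are not legible here it assumes a strict majority of at least two good voters and an enable flip-flop that stays latched once zero-set.

```python
"""Model of the P-matrix good/bad rule for four computers A-D (added example)."""

NAMES = "ABCD"


class PMatrix:
    def __init__(self):
        # Off-diagonal element (i, j): computer i's opinion of computer j,
        # 1 = good, 0 = bad. Each computer writes only its own row.
        self.opinion = {i: {j: 1 for j in NAMES if j != i} for i in NAMES}
        # Self test/BITE signal from each computer (1 = reports itself good).
        self.self_test = dict.fromkeys(NAMES, 1)
        # Enable flip-flop (DDe in the text). Once zero-set it stays latched;
        # re-enabling after repair is outside this model.
        self.enable = dict.fromkeys(NAMES, 1)

    def report(self, i, j, good):
        """Computer i sets element (i, j); it cannot write a diagonal element."""
        if i == j:
            raise ValueError("diagonal elements are derived, not written")
        self.opinion[i][j] = 1 if good else 0

    def diagonal(self, j):
        """Element (j, j): self test ANDed with the enable flip-flop."""
        return self.self_test[j] & self.enable[j]

    def good(self):
        return {j: self.diagonal(j) for j in NAMES}

    def update(self):
        """Zero-set enables until stable, masking computers already bad."""
        changed = True
        while changed:
            changed = False
            state = self.good()          # snapshot: all columns judged together
            for j in NAMES:
                if not self.enable[j]:
                    continue
                # Only computers currently good get a vote on computer j.
                voters = [i for i in NAMES if i != j and state[i]]
                against = sum(1 for i in voters if self.opinion[i][j] == 0)
                # ASSUMPTION: strict majority and at least two voters; with
                # one voter left only the self test can remove a computer.
                if len(voters) >= 2 and 2 * against > len(voters):
                    self.enable[j] = 0
                    changed = True
        return self.good()


def first_failure_scenario():
    """Computer A fails, accuses B, C and D, and does not report itself bad."""
    pm = PMatrix()
    history = []
    for j in "BCD":
        pm.report("A", j, 0)             # AB = AC = AD = 0
    history.append(pm.update())          # one accuser is never a majority
    pm.report("B", "A", 0)               # BA = 0
    history.append(pm.update())          # 1 of 3 voters: A still good
    pm.report("C", "A", 0)               # CA = 0
    history.append(pm.update())          # 2 of 3 voters: AA forced to 0
    return pm, history


if __name__ == "__main__":
    _, steps = first_failure_scenario()
    for step in steps:
        print(step)
```
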
4.5.5.2.2 R Matrix - The output unit of the VCS has the capability of
acting as a 4 input voter, 3 input voter, 2 input comparator, or a
selector switch on the outputs of the 4 sets of buffer triple shift
registers as shown in Figure 4-24.

FIGURE 4-24 VOTER-COMPARATOR-SELECTOR (inputs A, B, C, D; VCS output)
The R matrix switches the appropriate voter, comparator or selector
to receive inputs from the selected computer(s). The R matrix coupled
with the results of the P matrix (Xi, Zi) then allows the VCS to function
in a particular mode.

The method of switching these inputs is by means of the R matrix.
For example, the R matrix would be set to:
      A B C D
   A  1 1 1 1
   B  1 1 1 1
   C  1 1 1 1
   D  1 1 1 1
if the VCS is to work as a 4 input voter, as:
      A B C D
   A  1 1 1
   B  1 1 1
   C  1 1 1
   D
if the VCS is to function as a 3 input voter between computers A, B, C.

No ambiguity should be presented by the R matrix, for example:
      1 1 1
      1 1 1
      1 1 1
            1
would represent a conflict to the particular VCS - that is, whether to
operate as a 3 input voter on computers A, B, C or as a selector output-
ting computer D.

The R matrix decoding logic is designed such that the majority of the
good computers (as defined by Xi, Zi) must agree on a particular mode
for that mode to be selected by the R matrix. A computer that will not be
participating in that particular mode is required to insert all 0's in its
particular row. This essentially represents a don't care condition; i.e.,
it will go along with whatever mode the others want to operate in.

The R matrix is decoded as follows for a 4 input voter:
Where the nomenclature here is:
   rij;  i, j = A, B, C, D  representing an element in the R matrix
   rik;  i = A, B, C, D   k = numeric 0
         representing decoded condition of ith row

A three input voter between computers A, B, C would be decoded
as follows:
   3V/ABC = (rA14)(rB14)(rC14) XA XB XC
          + (rA14)(rB14) XA XB (rD0 + ZD)
          + (rA14)(rC14) XA XC (rD0 + ZD)
          + (rB14)(rC14) XB XC (rD0 + ZD)
Similar conditions apply for 3V/ABD, 3V/ACD, 3V/BCD.

A two input comparator between A and B would be decoded as follows:
   2CO/AB = (rA12)(rB12) XA XB (rC0 + ZC)
          + (rA12)(rB12) XA XB (rD0 + ZD)
Similar conditions apply to 2CO/AC, 2CO/AD, 2CO/BC, 2CO/BD, 2CO/CD.

A single input selector from A would be decoded as follows:
   S(A) = (rA8) XA (rB0 + ZB)(rC0 + ZC)(rD0 + ZD)
Similar conditions apply to S(B), S(C), S(D).
The additional proviso pertains to S(A) and that is X must be anded
to the equation. The state of the R matrix must be decoded to obtain:
   4V
   3V (ABC)
   3V (ABD)
   3V (ACD)
   3V (BCD)
   2CO (AC)
   2CO (AD)
   2CO (CD)
   2CO (BC)
   2CO (BD)
   S (A)
   S (B)
   S (C)
   S (D)
These signals then enable the particular voter/comparator/switch
and determine which lines (computers) are connected. The four input
voter block diagram is:

Where
   M is the voted output
   AX, BX, CX, DX indicate a discrepancy in lines A, B, C, D
   respectively, UDVD indicates an undecidable voter discrepancy

   $M = ABC + ACD + ABD + BCD$
   $AX = \bar{A}BCD + A\bar{B}\bar{C}\bar{D}$
   $BX = A\bar{B}CD + \bar{A}B\bar{C}\bar{D}$
   $CX = AB\bar{C}D + \bar{A}\bar{B}C\bar{D}$
   $DX = ABC\bar{D} + \bar{A}\bar{B}\bar{C}D$

where the terms A, B, C, D in the above equations are
necessarily anded with 4V.

The three input voter becomes:

   $M = EF + EG + FG$
   $EX = \bar{E}FG + E\bar{F}\bar{G}$
   $FX = E\bar{F}G + \bar{E}F\bar{G}$
   $GX = EF\bar{G} + \bar{E}\bar{F}G$

And the two input comparator:
Where M = W  
SD = $ t & 
The switching of the input lines A, B, C, D to the lines E, F, G, H, I
is accomplished by means of the switching network:
   E = A.3V(ABC) + A.3V(ABD) + A.3V(ACD) + B.3V(BCD)
   F = B.3V(ABC) + B.3V(ABD) + C.3V(ACD) + C.3V(BCD)
   G = C.3V(ABC) + D.3V(ABD) + D.3V(ACD) + D.3V(BCD)
   H = A.2CO(AB) + A.2CO(AC) + A.2CO(AD) + B.2CO(BC) + B.2CO(BD)
     + C.2CO(CD)
   I = B.2CO(AB) + C.2CO(AC) + D.2CO(AD) + C.2CO(BC) + D.2CO(BD)
     + D.2CO(CD)
and the selector is switched by
   M = A.S(A) + B.S(B) + C.S(C) + D.S(D)
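
The voter equations and switching network above, run bit-serially over 16 bit half words as an added example (not code from the report). Function names and the sample words in the usage section are constructed; the discrepancy terms assume a line is flagged when it alone disagrees with the others, and the UDVD condition (a two-against-two split) is an assumption since its equation is not given.

```python
"""Bit-serial model of the VCS output unit: 4V, 3V and selector modes."""


def inv(x):
    """Complement of a single bit."""
    return x ^ 1


def vote4(a, b, c, d):
    """Four input voter on one bit: returns (M, (AX, BX, CX, DX), UDVD)."""
    m = (a & b & c) | (a & c & d) | (a & b & d) | (b & c & d)
    ax = (inv(a) & b & c & d) | (a & inv(b) & inv(c) & inv(d))
    bx = (a & inv(b) & c & d) | (inv(a) & b & inv(c) & inv(d))
    cx = (a & b & inv(c) & d) | (inv(a) & inv(b) & c & inv(d))
    dx = (a & b & c & inv(d)) | (inv(a) & inv(b) & inv(c) & d)
    # ASSUMPTION: UDVD is raised on a 2-2 split; the report names the signal
    # but its equation is not on the page.
    udvd = 1 if a + b + c + d == 2 else 0
    return m, (ax, bx, cx, dx), udvd


def vote3(e, f, g):
    """Three input voter on one bit: returns (M, (EX, FX, GX))."""
    m = (e & f) | (e & g) | (f & g)
    ex = (inv(e) & f & g) | (e & inv(f) & inv(g))
    fx = (e & inv(f) & g) | (inv(e) & f & inv(g))
    gx = (e & f & inv(g)) | (inv(e) & inv(f) & g)
    return m, (ex, fx, gx)


def vcs_output(mode, words, width=16):
    """Route inputs per the switching network and vote `width` bits, MSB first.

    mode  : "4V", "3V(ABC)", "3V(ABD)", "3V(ACD)", "3V(BCD)" or "S(A)".."S(D)"
    words : dict mapping computer name to the integer it is sending
    Returns (voted_word, names_flagged, undecidable).
    """
    if mode == "4V":
        lines = "ABCD"
    elif mode.startswith("3V(") and mode[3:-1] in ("ABC", "ABD", "ACD", "BCD"):
        lines = mode[3:-1]              # lines E, F, G in the listed order
    elif mode.startswith("S(") and mode[2:-1] in tuple("ABCD"):
        # Selector: pass one computer straight through, nothing to compare.
        return words[mode[2:-1]] & ((1 << width) - 1), set(), False
    else:
        raise ValueError("unsupported mode: " + mode)

    voted, flagged, undecidable = 0, set(), False
    for pos in range(width - 1, -1, -1):
        bits = [(words[name] >> pos) & 1 for name in lines]
        if len(lines) == 4:
            m, flags, udvd = vote4(*bits)
            undecidable = undecidable or bool(udvd)
        else:
            m, flags = vote3(*bits)
        voted = (voted << 1) | m
        # Map the per-line discrepancy flags back to computer names.
        flagged.update(name for name, flag in zip(lines, flags) if flag)
    return voted, flagged, undecidable


if __name__ == "__main__":
    # Constructed sample: computer C sends one wrong bit.
    sample = {"A": 0x1234, "B": 0x1234, "C": 0x1224, "D": 0x1234}
    for mode in ("4V", "3V(ABD)", "3V(ACD)", "S(C)"):
        print(mode, vcs_output(mode, sample))
```
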
4.5.5.2.3 S Matrix - The S matrix contains the error status of input
data to the voting and comparison logic discussed above (4V, 3V, 2CO).
The S matrix is a 4 X 4 matrix; a 1 X 4 matrix is all that is required to
indicate any errors in data from computers A, B, C or D. However, to
allow the computers to reset the matrix to zero, the row (1 X 4) is re-
peated three times thereby resulting in a row for each computer. Therefore
1, j = 2 , j  = 3 , j  = 4 , j  
1, j = any errors in data f rom computer j 
For  computer A, j = f. and from the above discussion. 
1, a = t V(&bBG) t 3V(ABD) 
V( O(AB) -t 2CO(AC) 
J- 2c 
It can be seen that in a voting mode the logic will detect
ity, whereas in a comparison mode the logic will
set two bits if a discrepancy exists.
4.5.5.2.4 VCS Communication - The VCS contains three matrices as
described above. Each of these matrices may be sampled under command
from the computers. All 16 bits of the matrix are sent to the computer
if sampled. The computers can also set the matrices. However, the
elements that they can set are limited.
   P matrix: each computer can set the non diagonal elements in its row
   R matrix: each computer can set its row
   S matrix: each computer can reset its row
4.6 RECONFIGURATION ANALYSIS OF CANDIDATES
4.6.1 Introduction
Previous studies have resulted in two computer system configurations
(Section 4.2) and for each configuration four computer internal organizations.
This section presents the evaluation of these eight configurations with
respect to the general procedures used for fault detection and reconfiguration.
4.6.2 Computer System Level
General - At the computer system level there is little to be done
in the area of fault detection and reconfiguration without discussing the
computer internal organization. Consequently the discussion at this level
will be brief. The two principal areas of interest are the use of voting on
output data to detect failures and reconfiguration at the computer level to
satisfy the FOOS criteria.

4.6.2.2 Output Data Voting - As indicated in previous sections, voting
on independent, redundantly computed output data is the only method which
will provide 100 percent confidence of detecting a failure. Self-test
techniques do not provide 100 percent detection of failures. Given the two
computer system configurations, the voting will be performed at the local
processor in configuration 2B and at the computer in configuration 3C.
The voter itself may be mechanized with either hardware or combined
hardware/software techniques. In either case it is assumed that the
voters are functionally the same.
When the voting is performed at the local processor (LP), as in
configuration 2B, each LP will be voting and adapting independently of
every other LP in the system. If the four computers are each executing
identical programs in parallel, there is little difficulty posed by this
situation. Each LP may switch to any one of the computers as required
without affecting any other LP. If less than quadruple redundant
computations are being performed then the computers must be notified of
any failures detected by any one of the LPs. If all LPs report the same
failure at the same time, a decision to use the fourth computer is obvious.
If a failure is reported by less than all LPs, then several questions
should be answered before reconfiguring the fourth computer. For instance,
if only one LP voter reported a failure, this could imply that,
1. The voter failed.
2. There was an intermittent bus failure
3. The computer failed such that it only affected the output data
   to that particular subsystem,
4. Or, if input voting is not performed, an LP/subsystem
   may have failed causing different input data to be
   transmitted to the different computers, thereby making the
   output data inconsistent.

To detect the voter failure, the computer would rely on the LP
self-test, redundant LP feedbacks, or periodic tests by the computer,
i.e., the computer would send data forcing all combinations of possible
votes and examining the results from the LP. Situation 2, the
intermittent bus failure, would be identified (if not by a bus self-test
or error coding scheme) by requiring that a failure be detected at least
twice sequentially before adapting the voter. In the third case where only
data to a single LP was erroneous due to a computer failure, the computer
self-test may detect this or a computer failure could be assumed once
the bus and LP have been cleared of any fault. The fourth situation
can be eliminated by input voting.

Only if the computer has failed would computer level reconfiguration
be initiated. It is assumed that a "hard" bus failure would affect all LPs
on that bus and would be indicated by all voters in the system receiving
data during that program cycle. The reason for investigating the nature
of the failure before reconfiguring is to make maximum use of the fourth
computer for non-critical computations before reconfiguration is required.

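The decision rules of this paragraph can be exercised with a small simulation. The Python below is an added example, not part of the original report: it models the voter at each LP, applies the "at least twice sequentially" rule before a failure is reported, and separates a failure confirmed by every LP from one confirmed by only some. The LP names, data words, function names and the instantly available spare "D" are assumptions made for the illustration.

```python
from collections import Counter

LPS = ("LP1", "LP2", "LP3")              # constructed LP names


class LPVoter:
    """Majority voter at one local processor (LP), as in configuration 2B."""

    def __init__(self, name, active=("A", "B", "C"), confirm=2):
        self.name = name
        self.active = list(active)       # computers whose data is voted on
        self.confirm = confirm           # consecutive misses needed to report
        self.misses = {}                 # computer -> consecutive disagreements

    def vote(self, received):
        """received: {computer: word}. Returns (selected word, confirmed failures)."""
        words = [received[c] for c in self.active]
        winner, count = Counter(words).most_common(1)[0]
        if count * 2 <= len(words):
            return None, []              # no majority: nothing safe to select
        confirmed = []
        for c in self.active:
            if received[c] == winner:
                self.misses[c] = 0       # a passing vote clears intermittent noise
            else:
                self.misses[c] = self.misses.get(c, 0) + 1
                if self.misses[c] >= self.confirm:
                    confirmed.append(c)
        return winner, confirmed

    def adapt(self, failed, spare):
        """Exclude the failed computer and include the configured spare."""
        self.active[self.active.index(failed)] = spare
        self.misses.pop(failed, None)


def assess(reports):
    """reports: {lp: [confirmed failed computers]} for one program cycle."""
    decisions = {}
    for c in sorted({c for failed in reports.values() for c in failed}):
        reporters = sorted(lp for lp, failed in reports.items() if c in failed)
        if len(reporters) == len(reports):
            decisions[c] = "reconfigure"         # all LPs agree: use the fourth computer
        else:
            # voter, partial computer failure or LP/subsystem input fault
            decisions[c] = "investigate:" + ",".join(reporters)
    return decisions


def run(trace, spare="D"):
    """trace: list of cycles, each {lp: {computer: word}}. Returns (decisions, voters)."""
    voters = {lp: LPVoter(lp) for lp in LPS}
    log = []
    for cycle_data in trace:
        reports = {lp: voters[lp].vote(cycle_data[lp])[1] for lp in LPS}
        decisions = assess(reports)
        log.append(decisions)
        for computer, decision in decisions.items():
            if decision == "reconfigure":
                # Assumption: the spare is already configured at this point.
                for voter in voters.values():
                    voter.adapt(computer, spare)
    return log, voters


def cycle(good, bad=()):
    """Every LP receives `good` from A-D except the (lp, computer) pairs in `bad`."""
    return {lp: {c: (good ^ 0xFF if (lp, c) in bad else good) for c in "ABCD"}
            for lp in LPS}


# Constructed traces: one-cycle bus noise, a failure seen by all LPs, and a
# failure seen twice in a row by a single LP only.
NOISE = [cycle(0x10, {("LP2", "B")}), cycle(0x11)]
HARD = [cycle(0x20, {(lp, "B") for lp in LPS}),
        cycle(0x21, {(lp, "B") for lp in LPS}),
        cycle(0x22)]
PARTIAL = [cycle(0x30, {("LP1", "B")}), cycle(0x31, {("LP1", "B")})]
```
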
In configuration 3C voting would be at the computer interface;
consequently, with proper isolation, bus and LP failures would not cause an
erroneous vote on the output data. Whereas in configuration 2B the voter
at the LP selects the correct set of data at the time of its receipt, in
configuration 3C the voter selects the data prior to its transmission.
When the computers have verified, via feedback, that the data was
transmitted correctly they will validate the data for use by the LP. If a
faulty transmission occurred, it could only have been the fault of the voter
or bus. In this case the computers would select a second voter/bus and
retransmit the data. The LPs will be aware of the situation by the absence
of the valid data indication with the original set of data.

er Level Reco four computer system
four computers to execute
s instance the voter
nfiguration 2B the LPs
ation 3C the computers
will vote on and select the data sets.

The second way is for three computers to be executing identical
programs in parallel while reserving the fourth computer as backup.
This allows the fourth computer to be used for non-critical data
computations prior to the first failure. (Based upon sensitivity levels
(Section 4.2) some functions could be computed in fewer than three computers.
Reconfiguration of these functions is analogous to reconfiguring triple
redundantly computed functions.) In this mode of operation the voter detects
the failure, directs the use of one of the remaining two good sets of data,
and begins reconfiguration procedures for bringing the spare fourth
computer on board. Since the fourth computer is required to satisfy
the FOOS criteria, the critical programs must be resident in its memory.
Other sources for loading the program, such as mass memory or another
computer's memory, will not be used to configure the fourth computer after
the first failure. These other sources may be used in reconfiguration
procedures following subsequent failures since the FOOS criteria will
already have been satisfied.

Assuming that the critical programs are resident in the memory of
the fourth computer, the modifiable parameters will be the only data
required to complete configuration of this computer. A modifiable
parameter is any word in memory that is not constant during the course
of executing the program. This set of parameters includes all external
input data plus internal flags, codes, modified instructions and intermediate
computational data that is calculated and saved by the program for use in
any subsequent computation cycle. Some parameters may be modified
during the course of a single cycle but are either not required for subsequent
cycles or are reinitialized to a fixed value prior to any subsequent use.
These parameters are not included in the set of modifiable parameters
required to configure a spare computer. Configuring a spare computer is
discussed later in more detail (Para. 4.6.3.2.1)

Once the fourth computer is configured to perform the redundant
computations the voter will be directed to adapt to include the fourth
computer and exclude the failed computer. This method assumes that
the minimum time between failures is greater than the time required
to configure the fourth computer.

4.6.3 Computer Internal Organization Level 
4.6.3.1 General - Four computer internal organizations will be
considered. Two organizations are of the multicomputer type, the other
two of the multiprocessor type (Section 4.3.2). In each of the two types
of organizations, one version is non-modular, i.e., no spare modules are
available to the computer system, and the other version is modular.
Since the non-modular organizations are special cases of the modular
organizations, they will be treated secondarily.

4.6.3.2 Modular Multicomputer - The primary characteristic of the
modular multicomputer organization is the availability of spare modules
(memories, processors, IOP's) associated with each individual
computer (Figures 4-25 and 4-26). The communication path between
two computers in a compartment is the same as between compartments,
namely, the serial bus system or the high speed bus.

The following discussion and Paragraphs 4.6.3.2.1 and 4.6.3.2.2
assume that system configuration 2B is the one implemented unless
otherwise stated. The distinguishing characteristics of configuration 3C
will be discussed (Paragraph 4.6.3.2.3) after configuration 2B.

In configuration 2B each bus to the system is dedicated to a single
computer IOP. Consequently if that bus or the IOP(s) associated with
that computer have failed, the computer and its associated modules are
lost to the system until repairs are made. As mentioned previously
(Paragraph 4.6.2.2), the LP's vote on the validity of the data being output
by the system and report back to the computers. When a bus fails the
LP's will be unable to notify the concerned computer directly. The current
definition of bus operation is that the end of a data transmission to an LP
would cause the LP to automatically transmit status information. Hence
bus failures would be detected indirectly by lack of this response. Also,
by requiring the LP's to report to each computer the status of all computers,
the bus failure can be made known to the concerned computer indirectly
by its monitoring of the other buses.

The most obvious change required after a failure has occurred is to
adapt the voter. Upon detecting the failure, the voter will automatically
notify the LP to use one of the consistent sets of data. But before switching
the vote to a new set of output data several other items must be taken into
account. If the failure was due to an intermittent problem, such as noise
on the bus, then the next subsequent votes on that data set should pass and
adapting the voter is undesirable. It is assumed in this case that the
computers are voting on the validity of input data. If the noise affected
input data, the computer would recognize this and use the good data that was
transmitted on one of the other busses. In this manner, the parallel
computations of the three computers will always use the same input data
even though one of the busses may have experienced a failure. If input
voting is not used, then any erroneous data, even intermittent errors,
used by a particular computer could cause that computer to have erroneous
data from that point on unless the other computers can somehow correct
the situation. The other item to consider before adapting the voter is the
state of the spare computer/bus. Until the spare computer is configured
to perform the redundant computation there is no requirement to adapt
the voter.

FIGURE 4-25. CONFIGURATION 2B* WITH MODULAR MULTICOMPUTER

Once the failure has been determined
figuring is to configure the
the critical computations. It is assumed that the spare computer was idle
or being used for non-critical computations at the time of the failure.
The first task will be
re computer's memory with the critical programs if they
resident in memory. Except when the computer is required to satisfy the
FOOS criteria (Paragraph 4.4.2.3), the load source for the programs will be
either the mass memory or the memory of one of the remaining good
computers in the system. The former load method would be used when
possible since the latter method would be more time consuming and would
require participation by another computer.

As stated previously (Paragraph 4.6.2.3), the fourth computer is
required to have all critical programs resident in its memory. As
depicted (Figure 4-25) the modular multicomputer has two 16K memory
modules for the critical programs and one 16K memory module for a
spare. It is assumed that the spare 16K memory module would contain
the non-critical programs and would be switched into the associated
processor and IOP. The other two 16K memories would contain the
critical programs and would be switched off or protected from any
modification. The non-critical computations would include a routine to
monitor the results of the voting being performed on the other three
computers' outputs. When this routine determines that a failure has
occurred it will switch in the memories containing the critical routines and
will begin execution of a reconfiguration routine. This switching does not
require the consent of the other computers since if it occurs inadvertently
or does not occur when required then that computer has failed and will be
counted against the FOOS criteria. Also, the fact that it has or has not
switched will not affect the other computers or LPs. If the computer
being configured is not the fourth computer then it has already failed and
probably has no spare memory available and must load the critical programs
before proceeding.

Once the critical programs are in memory, the spare computer's
reconfiguration routine will request transmission of all modifiable data
(Paragraph 4.6.2.3) from the remaining good computer(s). This transfer
of data is one of the more critical procedures required for reconfiguration.
Two communication paths are available, the serial bus and the high speed
bus. The high speed bus will normally be used for computer-to-computer
communications.

If after the spare computer has been configured, the voter indicates
that the spare is failing a second attempt to configure the spare will be
attempted. However, this time the modifiable data will be transmitted
via the serial bus network. (It is assumed that the high speed bus is not
subject to the FOOS criteria and hence cannot be the sole means for
configuring the fourth computer after the first failure. This switching to
the serial bus, which is subject to FOOS criteria, will insure that
satisfaction of FOOS is not jeopardized.)

Whichever bus network is used to communicate the data, since they are
both subject to noise errors, it seems reasonable when configuring the spare
computer, that the two remaining good computers transmit the required data
in order that the spare computer could compare them for discrepancies.
These would be resolved before reconfiguration could be completed. As
previously pointed out (Paragraph 4.6.2.3), modifiable data which is not
required as an input to any subsequent computations need not be transmitted
from the other computers.

One technique frequently suggested for recovering after a failure is
called "rollback". Rollback varies depending upon the system but in general
it consists of retaining a known good set of data from one computation cycle
so that if on the next cycle a failure should occur the programs, upon
recovery will "rollback" to the good set of data to resume computations.
This technique is not necessary in a system in which redundant computations
are made. Given the ground rule that simultaneous failures will not occur,
data from the current computation cycle are always available from one of
the other computers. In addition, if one computer used rollback, all
computers would have to rollback with it to maintain the consistent,
redundant data required for voting.

If the amount of modifiable data required to "restart" a computation
is so great that it cannot be transmitted during the period of the highest
rate cycle, then the reconfiguration routine will decide which data for
each rate will be transmitted in which cycle.

E.g., suppose that the routines calculate and/or sample data at
three rates, 8, 4, and 2 times per second. Then, the calculations over
a one second period for the data would occur as follows:

Cycle   Fraction of Second   8/sec (X)   4/sec (Y)   2/sec (Z)
  1           1/8                X                       Z
  2           2/8                X           Y
  3           3/8                X
  4           4/8                X           Y
  5           5/8                X                       Z
  6           6/8                X           Y
  7           7/8                X
  8           8/8                X           Y

Suppose that three cycles are required to send the total amount of
modifiable data (X + Y + Z) to another computer. If the request for
transmission occurs in cycle 2, then some or all of data set Z can be
sent during that cycle. During cycle 3 the remainder, if any, of data
set Z can be sent, but none of data sets X or Y can be sent since they
will change in the next cycle which we have assumed is required to
complete transmission. Consequently X and Y data sets must be sent during
cycle 4. If the total of X and Y is too great for transmission during that
one cycle then additional cycles will be required. In this example, if
cycle 5 were required to complete transmission of X and Y we see that data
set Z has changed again and consequently the first transmission is no
longer useful. The reconfiguration routine will have to analyze the
situation first and in this case would send all or part of data set Z in
cycle 5, the remainder of Z and all or part of Y in cycle 6, and the
remainder of Y and all of X in cycle 7. This sample also points out
that sufficient spare transmission time for all of set X must be allowed in
every 1/8 second cycle, for all of X and Y in every 1/4 second period, and
for all of X, Y, and Z in every 1/2 second period.

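The cycle-by-cycle analysis that the reconfiguration routine has to perform can be written as a small planner. The Python below is an added example, not part of the original report: it searches for the earliest cycle in which the transfer can end with every data set still current, and it also checks the spare transmission time rule stated at the end of the paragraph. The per-cycle capacity, the data set sizes in words and all function names are assumptions chosen so that the two cases in the text (finishing in cycle 4, and the cycle 5, 6, 7 sequence) are reproduced.

```python
from dataclasses import dataclass
from functools import reduce
from math import gcd


@dataclass(frozen=True)
class DataSet:
    name: str
    period: int   # cycles between recomputations (1 = every 1/8 second cycle)
    phase: int    # one cycle number in which the set is recomputed
    words: int    # constructed size of the set


def last_update(ds, cycle):
    """Most recent cycle <= `cycle` in which `ds` was recomputed."""
    return cycle - ((cycle - ds.phase) % ds.period)


def try_finish(sets, request, finish, capacity):
    """Plan a transfer that ends in cycle `finish`, or return None.

    A set may only be sent from its last recomputation before the end of the
    transfer (or from the request cycle, if later); earlier copies are stale.
    """
    release = {ds.name: max(request, last_update(ds, finish)) for ds in sets}
    left = {ds.name: ds.words for ds in sets}
    order = sorted(sets, key=lambda ds: release[ds.name])   # slowest-changing first
    plan = {}
    for cycle in range(min(release.values()), finish + 1):
        room = capacity
        for ds in order:
            if release[ds.name] <= cycle and left[ds.name] and room:
                sent = min(room, left[ds.name])
                plan.setdefault(cycle, {})[ds.name] = sent
                left[ds.name] -= sent
                room -= sent
    return None if any(left.values()) else plan


def plan_transfer(sets, request, capacity):
    """Earliest (finish cycle, plan) for a request in cycle `request`, or None."""
    hyper = reduce(lambda a, b: a * b // gcd(a, b), (ds.period for ds in sets))
    # Beyond request + hyper the pattern repeats, so two hyperperiods suffice.
    for finish in range(request, request + 2 * hyper + 1):
        plan = try_finish(sets, request, finish, capacity)
        if plan is not None:
            return finish, plan
    return None


def spare_time_ok(sets, capacity):
    """Sizing rule from the text: each set plus all faster sets must fit in
    the spare transmission time of one period of that set."""
    return all(
        sum(o.words for o in sets if o.period <= ds.period) <= ds.period * capacity
        for ds in sets
    )


def rates(x, y, z):
    """X every cycle, Y in cycles 2, 4, 6, 8 and Z in cycles 1, 5, as tabulated."""
    return [DataSet("X", 1, 1, x), DataSet("Y", 2, 2, y), DataSet("Z", 4, 1, z)]
```

With a constructed capacity of 10 words per cycle, `plan_transfer(rates(4, 6, 12), 2, 10)` ends in cycle 4, while `plan_transfer(rates(4, 10, 12), 2, 10)` cannot fit X and Y into cycle 4 and ends in cycle 7.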
Once the transmission of the set of modifiable data has been accomplished,
the computer being configured will begin normal computations on the next
cycle and the two remaining computers will now send a ballot to the voters
to direct them to adapt to include the fourth computer's data and exclude
the failed computer's data.

4.6.3.2.2 Reconfiguring a Failed Computer - After the spare computer
has been configured the triple redundant computations are available to
the system and further diagnosis, isolation, and reconfiguration of the
previous failure can now proceed without interfering with the system
operation. In most cases the failed computer can be performing self-test
during the time that the fourth computer is being configured. In the
modular multicomputer system, if one were to assume that a spare
memory, processor, and I/O processor were available, then isolation
could possibly be accomplished by substituting the spare modules,
one-at-a-time, for the previously operating modules. This method has at
least one shortcoming. Since the spare modules have not been involved in
the triple redundant computations, it is possible that one or more of them
have already failed, but have gone undetected, prior to the operational
module failure. A self-test performed by software is effective but certain
failures could render this means completely inoperative. Self-test of the
failed computer by another computer is attractive but implies that the other
computer can control the failed computer. If control by another is allowed
it becomes possible for a failed computer to cause a failure in a good
computer by erroneously exercising this control. This cannot be allowed.
Majority voting by the remaining computers to control a given computer
offers protection against this situation, but it introduces additional
complexity which does not seem justified for self-test and diagnosis.

The self-test should be a combination of hardware and software
techniques. Two principal hardware items are built-in-test (BIT) and
a reconfiguration module. The BIT is normally a hardware check on the
program execution based upon timing characteristics. BIT usually consists
of a watchdog timer of a preset period (about 1 second) which operates
independently of
at it sends a spe
purpose of the reconfigura
configuration process whenever the
is to assure control
cates that a failure
has caused the processor to lose control.

Upon system initialization the computer program will send information
telling it which processor, memory, and IOP are available as
spares. This information is essentially a pointer
The normal operation is then resumed by the active computer.
which triggers the BIT error signal, indicating that the processor is no
longer in control, the RM will automatically switch on the spare modules
to which it was pointing and switch off all other modules. In addition
it will indicate a starting location (probably by an interrupt signal) for
the processor and memory just switched on. This starting location will
be the beginning of a self-test and reconfiguration routine which must be
resident in the spare memory. These routines would reset the BIT
network and perform self-test of the newly configured computer. If this
test passes then the modules operating at the time of the failure will be
tested.

While testing the other modules the RM pointers will still indicate
the original set of spare modules. This is to protect against the failed
module bringing down the computer when it is switched on to be tested.
If the failed module brings down the computer, the BIT timer will detect
it and the RM will return to the original set of spares. By setting
appropriate flags the self-test will know that the last module it switched
on caused the failure which triggered BIT. Self-test will be able to
switch in memory modules one-at-a-time for testing but cannot switch
on the processor since both processors cannot be on simultaneously.
To test the processor the self-test will connect it with a good memory
module not used by the self-test. It will then turn on the processor
to be tested and turn its own processor off. (Note: Hardware is required
to effect this simultaneous switching of processors.) The memory module
being used for this test will have already been tested and loaded with
a special routine by the spare processor. Again, if the BIT is triggered
by this change, the RM will reconfigure the computer back to the original
spare modules. If BIT is not triggered, then the special routine will
test the processor further. If it is good then the spare memory (to which
the RM is still pointing) will be connected. The program will return to
the reconfiguration routine in the spare memory to test the IOP.

failed module have been located, the remaining modules
ured into a complete computer and the critical programs
either mass memory or another computer. The RM will
also have its pointers directed by the program to any good modules
which remain and, if possible, are not used in the current configuration.
The
ld also be directed to modules which are in use
but this would only be done if no more spares are available. This
reconfigured computer is now an operable spare and can be configured when
needed in the manner described previously (Paragraph 4.6.3.2.1).

The presence of spare modules in a computer requires that a 
"resources table" be maintained. This table would list all modules 
available and as modules fail, the reconfiguration routine will remove 
them from the table so that subsequent reconfigurations will not use 
them. Since modules can be repaired or replaced by an operator, a 
means for him to update the resources table must be available. 

If the failure was such that the computer is still grossly operable,
such as an IOP failure which affects external inputs and outputs, the BIT
will not detect the failure nor cause the RM to reconfigure. In this case
the self-test portion of the normal program would be relied on to isolate
the failure. The reconfiguration program would cause the failed module
to be replaced by a spare, would update the available resources table,
and report the new status to the other computers.

Reconfiguring a failed computer with a memory module that is not
large enough for all critical programs is a possibility. This will not be
considered at this time since it would be a much more difficult procedure
and would only operate in a degraded mode.

In summary, the test diagnosis and reconfiguration internal to a
given computer is autonomous and is a combination of hardware and
software techniques using one-at-a-time replacement methods if necessary
to determine the fault.

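The interplay of BIT, the RM pointers and the self-test flags can be followed in a short model. The Python below is an added example, not part of the original report: a BIT trip is modelled as an exception, the RM always falls back to the spares it points to, and the flag kept in the spare memory tells the re-entered routine which module brought the computer down. Module names, the "gross"/"soft" fault classes and the function names are assumptions; the special hardware arrangement for testing a processor is not modelled.

```python
KINDS = ("memory", "processor", "iop")


class BitTrip(Exception):
    """BIT watchdog expired: the processor is no longer in control."""


class Computer:
    def __init__(self, operating, spares, faults=()):
        self.operating = dict(operating)   # kind -> module in use when the failure hit
        self.rm_pointer = dict(spares)     # RM pointers: kind -> spare module
        self.faults = dict(faults)         # hidden truth: module -> "gross" or "soft"
        self.active = dict(operating)
        self.resources = sorted(set(operating.values()) | set(spares.values()))
        # Kept in the spare memory, so it survives an RM switch-over.
        self.notes = {"flag": None, "tested": [], "failed": []}
        self.rm_switches = 0

    def rm_switch(self):
        """RM: switch on the spares it points to, switch off everything else."""
        self.rm_switches += 1
        self.active = dict(self.rm_pointer)

    def switch_on(self, kind, module):
        self.active[kind] = module
        if self.faults.get(module) == "gross":
            raise BitTrip(module)          # failed module brings the computer down

    def software_test(self, module):
        return module not in self.faults


def self_test_routine(c):
    """Entered at the RM starting location; re-entered after every BIT trip."""
    notes = c.notes
    if notes["flag"] is not None:
        # Flag still set: the last module switched on triggered BIT.
        notes["failed"].append(notes["flag"])
        notes["flag"] = None
    if not all(c.software_test(m) for m in c.active.values()):
        raise RuntimeError("spare set failed its own self-test")
    for kind in KINDS:
        module = c.operating[kind]
        if module in notes["tested"]:
            continue
        notes["tested"].append(module)
        notes["flag"] = module             # set before the module is switched on
        c.switch_on(kind, module)          # may trip BIT
        notes["flag"] = None
        if not c.software_test(module):    # fault that BIT cannot see, e.g. an IOP
            notes["failed"].append(module)
        c.active[kind] = c.rm_pointer[kind]    # back to the spare: one-at-a-time
    return notes["failed"]


def isolate_and_reconfigure(c):
    """First BIT error through to the updated resources table and RM pointers."""
    c.rm_switch()
    while True:
        try:
            failed = self_test_routine(c)
            break
        except BitTrip:
            c.rm_switch()                  # RM returns to the original spares
    c.resources = [m for m in c.resources if m not in failed]
    for kind in KINDS:
        good = [m for m in (c.operating[kind], c.rm_pointer[kind]) if m in c.resources]
        c.active[kind] = good[0]
        c.rm_pointer[kind] = good[-1]      # unused spare if one remains, else in-use module
    return failed


# Constructed module names.
OPERATING = {"memory": "MEM1", "processor": "CPU1", "iop": "IOP1"}
SPARES = {"memory": "MEM-S", "processor": "CPU-S", "iop": "IOP-S"}
```
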
s mentioned previously, the
3.2.1 and 4.6.3.2.2) assumed that
If 3C (Figure 4-26) had been used
there would be little difference. The major difference is that the voter
is now at the computer instead of the LP and that a bus failure does not
remove a computer from t
Again, input voting or a single source of input data is assumed to
assure that discrepancies in output data are a computer fault. In
configuration 2B every LP was a voter which posed a problem when all
LPs did not agree on the vote. In configuration 3C this problem is
reduced somewhat but not eliminated since voting is done on data sets and
the failure may only involve a single data set rather than all data sets.

for considering configuration 3C
can potentially reduce the number
voting complexity at the LP.
computers are such
functions and are
communicating with the system via a single bus. The fourth computer
is used as a spare, is computing non-critical data, and is utilizing a
different bus than the other three computers.

Initially the three computers are transmitting the redundant data to a
voter which may be mechanized with hardware and/or software. The data
is compared and a consistent data set is transmitted from the voter.
Since the voter transmitter could fail it is necessary to verify the data
on the bus. It is proposed that this be accomplished by making the bus
loop, beginning and ending at the computer system, such that each of the
three computers can examine the transmitted data and compare it to its
own data. The voter will be contained in the computer, hence any
failure of it constitutes a computer failure to be counted against the
FOOS criteria.

Since a failed voter transmitter can send invalid data to the LPs a
majority consent "valid data" indicator must also be sent. The LPs will
not use the data until this indicator is received as the last word of the data
block. If erroneous data was sent then the voter/transmitter or bus is at
fault and the computers would switch to a second voter/transmitter and bus.
The LPs will recognize the need to switch busses by the absence of the
valid data indicator at the end of the data block. The computers will
retransmit the correct data on the second bus. Redundant data could be
sent on a second bus in this configuration, but that defeats the main
advantage of this configuration.

If a computer has failed then the voter will detect the discrepancy
in the output data, switch to transmit one of the consistent sets of data,
and report the failures back to the computer system.

When a computer failure is reported by the voter the reconfiguration
of the spare computer takes place as previously described (Paragraph
4.6.3.2.1). When the spare computer has been configured, computer
commands will cause the voter to adapt to switch out the failed computer
(Paragraph 4.5.5) and begin voting on the spare computer's data.

If the failed computer happens to be the one performing the vote,
then the computers would agree to switch to another computer's voter
to leave the failed computer completely free to reconfigure internally.

icomputer - The non-modular multicomputer
rocessor, IOP, and a single memory module.
d such that one is a spare prior to the first
failure, then the operation is similar to that previously described
(Paragraph 4.6.3.2.1). (Critical programs will be resident in the
fourth (spare) computer, thus non-critical functions can only utilize
the left-over memory.)
FIGURE 4-27. CONFIGURATION 2B WITH MULTICOMPUTER 
The principal characteristic is that there is no computer internal
reconfiguration possible. Once a computer has failed it is no longer
available to the system, nor are any of its modules.

In the modular multicomputer the RM was necessary to switch spares
into the system whenever the processor lost control and was unable to
perform that function. Since the non-modular organization cannot have
spares the RM is unnecessary. The BIT would still prove useful as an
additional form of self-test. The BIT error signal could be used to turn
power off to that computer or to inform the other computers or an operator
of the failure. Self-test is required to isolate a fault when the system is in
the safe condition. It will also furnish important diagnostic data for use
when servicing the computer.

Since no reconfiguration is possible, the only routines required are
those for configuring the fourth (spare) computer after the first failure.

Modular Multiprocessor - The modular multiprocessor organization
combined with system configuration 3C is
(Figure 4-28) with spare memories, a spare processor and a spare
The spare modules represent the capability of the system to be expanded
and are not necessarily suggested for the system. The following discussion
assumes use of system configuration 2B except where noted and will assume
spare modules to show the full capability of this system.

The multiprocessor differs from the multicomputer in that every
memory module within the compartment is accessible to every processor
and to every IOP in the compartment. Lockout protection must be provided
to prevent one processor and/or IOP from interfering with the other
processor and/or IOP operation and memory data. Since the FOOS criteria
requires triple redundant computation, the operational use of the
multiprocessor would be nearly identical to that of the multicomputer, and
in fact does not fall under the normal definition of "multiprocessing."

In system configuration 2B, the voting will still be performed by the
local processors. When a failure is detected, the fourth computer, again
assuming that it was serving as a spare, will be configured in the same
manner as described for the multicomputer organization (Paragraph 4.6.3.2.1).
Even though one computer can access data directly from the adjacent
computer's memory there is no advantage, since for reconfiguration,
as was previously stated (Paragraph 4.6.3.2.1), two redundant sets of
modifiable data will be requested and compared to detect transmission
errors. This means that communications with the other compartment
are required and are the same as for the multicomputer organization.

The computer internal fault diagnosis and isolation is also similar to
the multicomputer operation (Paragraph 4.6.3.2.2). It is more complex
because of the many different communication paths to be checked and
because of the additional modules to be tested and their history recorded.
If the normal self-test does not detect and/or isolate the fault, then
substitution of spare modules may be attempted to determine the fault.
Whereas the modular multicomputer required a reconfiguration module,
the second operating processor in the compartment will serve this function
for the multiprocessor. Loss of control by a processor will still be
indicated by a BIT network.

This control by one processor over the other introduces perhaps
the most critical problem associated with the multiprocessor. The modules
comprising two computers are not electrically isolated from each other
as they are in the case of the multicomputer. Consequently, devising a
means of protecting against a failed computer (processor, memory, IOP)
from "failing" its adjacent computer is necessary as was indicated by the
preliminary design considerations of Paragraph 4.5.2.3. For
reconfiguration it is very desirable that software be able to control the
"lockout.
processor when a BIT detected failure occurs.
emory module may be connected to any processor
ent has a definite benefit over the multi-
mory module can serve as
my good modules of a
s for the adjacent computer.
For example, the non-modular multiprocessor cannot be reconfigured
first failure. But should the adjacent computer subsequently
ould possibly reconfigure using the good modules of the previously
mputer in the same manner that the modular multicomputer uses
spare modules.

In summary, the multiprocessor organization has virtually no effect
on the operational programs since they will be operated in a multicomputer
manner. Switching of modules is more complex but is offset by the
advantage of providing a more flexible system in comparison to the
multicomputer system. This added flexibility increases the complexity of the
reconfiguration software because of the additional paths possible.

The self-test for the multiprocessor is almost identical to self-test 
for the mulkicomputer. 
of the additional "lock out" logic and other hardware features required. 
Some additional testing will be required because 
The self-test and reconfiguration of the modular multiprocessor in 
system configuration 3C w i l l  be slightly more complex than configuration 
2B since the self-test will  have to test the voter/switch. 
With the multiprocessor, one processorlmemory can transmit on 
a second bus by switching to 
miton any one of the four bu 
i s  operating. 
compartment provides the only additional reconfiguration paths but these 
will be routed automatically by the voter/switch in  most cases. 
computers will have control of the voter switch to cause it to adapt after 
a failure o r  a reconfiguration and also for self-test purposes. 
4.6 .3 .5  Non-Modular Multiprocessor - The non-mod ap" multip r oce s s or 
can only be reconfigured after the adjacent comput 
only if the same module (memory, processor,  P not fail  in both. 
Reconfiguration in this case is relying upon two failed computers to r e -  
configure themselves into one good computer. To gain confidence khat 
any reconfiguration can be accomplished, it seems reasonable that the 
e adjacent POP, In 3C any IOP can t rans-  
s a s  long as  the corresponding vster/switch 
This ability to transmit data on the busses from the other 
The 
failed, and then 
C70 -171 / 301 
4 6 . 3 . 5  (continued) - reconfiguration paths be determined pr ior  to the 
second failure within the compartment and the information relayed to the 
computers in the other compartments. 
IOP failures, since they don't affect the self-test or reconfiguration
ability of the processor/memory, can be handled autonomously by a
multiprocessor. If the first IOP fails, its own processor/memory and the
adjacent processor/memory both are aware of it and are capable of
reconfiguring. If the second failure is the other IOP, no reconfiguration is
possible. If the second failure is either a processor or memory, there
remains a second processor/memory combination capable of analyzing
the situation and reconfiguring, assuming that agreement to reconfigure
can be obtained from the other compartment.

Memory or processor failures frequently eliminate the processing
capability of the "computer" and consequently remove it from partaking
in the reconfiguration process. An example will help clarify this.
Suppose we have the situation pictured below (Figure 4-29).

[Figure 4-29]

Assume the first failure to be P1. As soon as the voter indicates
this failure, "computer 2" analyzes the failure and isolates it to P1.
It knows that if P2 fails no reconfiguration is possible. If either IOP
fails, then P2/M2 can detect this and reconfigure without outside help.
But if M2 fails, then P2 must be connected to M1. But a program in
M2 cannot be relied upon to do this since it has failed. However, if
after P1 failed, "computer 2" detected this and reported to the other
compartment computers of the failure; then when the next failure occurs,
the other compartment recognizes it and causes the one possible
reconfiguration to take place. However, since a majority agreement is required
to switch and since the other compartments may also have experienced a
failure, to get a majority requires "computer 2" to vote on the switch.
The switch would have to retain that information until the computer in
the other compartment sends confirmation of the "computer 2" failure, at
which time the switch will occur.

Another possible means of treating this situation is to provide a
fixed program capability (a small read-only memory) in each processor
for a minimal reconfiguration routine. This would essentially provide
the processor some independence from the memory for reconfiguration.
In the above example, once "computer 2" detected the failure in P1,
it would notify the reconfiguration program and the other compartment.
Now if M2 fails, the processor, P2, and at least one computer in the
other compartment can vote on the reconfiguration path.

In summary, the non-modular multiprocessor cannot be reconfigured
internally until after two failures have occurred in the same compartment,
which means that as many as three computers may fail before
reconfiguration is possible. Since two failures had to occur in the same
compartment, reconfiguration becomes more complex because additional
information is required from either the other compartment or another
device, such as a fixed processor program, to confirm the reconfiguration
path.
4.6.4 Other Considerations

In the above discussion it was always assumed that the basic operation
was three computers processing redundant programs in parallel using the
fourth for back-up and for processing non-critical programs. For
functions of error sensitivity 1 or 2 (Para. 4.2.3.1.1) the computations
may be single or double redundant. If a failure occurs in one of these but
does not affect any triple redundant computations, then the function would
be assumed by the other computer(s) involved in the triple redundant
computations before calling on the fourth computer. So that this level of
reconfiguration is essentially a function of the software rather than the
hardware.

In every situation, except possibly for quadruple redundant computations,
it is assumed that the computer system is directing the voter as to how many
and on which lines the vote is to be based.

One may get the impression that the two modular organizations are
more flexible than the non-modular organizations because the previous
discussions always assumed spare modules were available. It is quite
possible that spare modules will not be provided, but the modular
organizations will still be the more flexible for the following reasons:

The non-modular organizations as described (Section 4.5) have only a
single 32K memory per processor. The modular organizations have
several memories totaling 32K, such as two 16K modules. In the case
of the multiprocessor organizations, if it is non-modular two memory
failures in a compartment will preclude any reconfiguration. If it were
modular with two 16K memories, then a single memory failure disables
one "computer" but the remaining memory module is now available as a
spare to the adjacent "computer". This advantage is not present in the
multicomputer organization because the computers are electrically
isolated. Modules of one computer can never serve as spares for the
adjacent computer for automatic reconfiguration.

There is another possible advantage of the modular organizations.
In the non-modular organizations, a single memory failure may disable
all computing capability of that computer. In the modular organization
the failure of one memory module does not necessarily completely disable
the computer since it can operate out of one of the other memory modules,
assuming that appropriate hardware controls are provided. This could
prove quite useful for self-test after a failure. By programming
self-test routines in each of the memory modules, it is possible to diagnose
the original memory failure and also maintain surveillance of the
remaining modules until being manually serviced.
4.6.5 Summary

The simplest operation and reconfiguration is using the non-modular
multicomputer in a quadruple redundant fashion. This satisfies the FOOS
criteria but provides little or no spare computing capability and no
reconfiguration capability except for discarding failed computers.

The modular multicomputer and non-modular multiprocessor appear
to be of about equal complexity with the multiprocessor leaning toward
software to accomplish reconfiguration and the multicomputer toward
hardware with its reconfiguration module.

If no spare modules are provided then the modular multicomputer
is essentially identical to the non-modular multicomputer. The modular
multiprocessor with no spares does have additional reconfiguration paths
over the non-modular multiprocessor (Section 4.6.4).

The self-test required for diagnosis and isolation to a computer module
is not significantly different in any system except for adding tests for
additional hardware such as a voter/switch in the 3C configurations or
switches required by the multiprocessors and modular multicomputer.
The reconfiguration routines 
number of reconfiguration paths i 
computer with spares  appears to  reqmre  
reconfiguration module a 
Assuming complexity of the reconfiguration software is not the
deciding factor, then the modular multiprocessor appears to provide
the maximum number of reconfiguration paths without the addition of
spare modules.
4.7 QUANTITATIVE DATA FOR CANDIDATE COMPUTERS

4.7.1 Introduction

Section 4.5.2 defined the four internal computer organizations
and Section 4.5.3 defined the architecture to be used to mechanize
each organization. This section will present the quantitative data for
the candidates which will be used in Section 5 to conduct the evaluation
of the candidates. The estimates for the candidates were derived
using current state-of-the-art technology techniques at Autonetics.
This approach enabled the derivation of accurate data for the evaluation.
Two technology approaches were used in these estimates as were defined
in Section 4.5.4.

The numbering system used in describing all of the candidates will
be given below:

Computer Organization:
    1: Non-modular multicomputer
    2: Modular multicomputer
    3: Non-modular multiprocessor
    4: Modular multiprocessor

System Concept:
    1: Without VCS (concept 2B in Section 4.2)
    2: With VCS (concept 3C in Section 4.2)

Technology:
    C: Conventional (magnetic memory and conventional packaging)
    A: Advanced (semiconductor memory and advanced packaging)
4.7.2 Physical Characteristics

The physical characteristics will be given for the modules that
comprise the organization (processor, memory, IOP, VCS) for each
of the two technology approaches.

4.7.2.1 Processor Module - The architecture of the processor module
is given in Section 4.5.3.1. Based on typical past designs of aerospace
computers with this architecture, the physical characteristics were
estimated. MOS/LSI technology was used for the logic in both technology
approaches. A detailed description of the MOS/LSI devices used in the
estimate is given in Appendix 5 of this volume. The estimates were
derived for two types of processor modules; a basic module for the
non-modular computer organizations (1 & 3) and a basic plus delta module
for the modular computer organizations (2 & 4). The hardware estimates
are given below in Table 4-2.
TABLE 4-2. PROCESSOR MODULE MECHANIZATION

Processor Module    Components
Basic               46 MOS/LSI
                    2 Hybrid thin film
                    30 Bipolar MSI IC
                    50 Discrete
Basic + Delta       46 MOS/LSI
For the conventional technology approach the processor module is
on one 8" x 12" multilayer (6) board with a 174 pin connector. Parts are
mounted on both sides of the board individually with the exception of the
hybrid thin film circuits.

The advanced technology approach for the processor module is on one
6" x 8" printed circuit board. The arithmetic and control functions use
beam-leaded MOS/LSI devices mounted uncased (see Section 2.3) on a
2" x 2" ceramic substrate. Three of these substrates are used. The
clock buffers and interface circuitry are contained on hybrid thin film
circuits.

4.7.2.2 IOP Module - The architecture of the IOP was briefly described
in Para 4.5.3.3. In addition, the IOP contains one master serial
channel (receive/transmit), three receive-only serial channels, and a
built-in test timer for self check purposes.
for the processor module, two 
ne for organizations 1 & 3 
4. Based on previous 
g estimates were made 
as shown in Table 4-3. 
TABLE 4-3. IOP MODULE MECHANIZATION

Basic               1 Hybrid thin film
                    36 Bipolar MSI IC
                    89 Discrete
Basic + Delta       1 Hybrid thin film
                    48 Bipolar MSI IC
                    121 Discrete

The packaging is the same as for the processor module: the
conventional technology uses an 8" x 12" MLB and the advanced technology
uses a 7" x 8" PCB.
4.7.2.3 Memory Module - Two basic types of memory modules were
used: magnetic and semiconductor; each will be treated separately below.

4.7.2.3.1 Magnetic Memory Module

The conventional technology approach uses plated wire as the
magnetic storage medium. Estimates are based on present prototypes
developed using Autonetics' five mil plated wire. Two types of functional
modules were estimated; a 32K x 32-bit word module and a 16K x 32 bit
word module. The 16K module is used in the modular organizations
while the 32K module is used in the non-modular organization. Further,
a delta is required for each of the two types of modules to implement the
memory modules for the multiprocessor organizations (Organizations 3 & 4).
The memory operates with a 41 second cycle time with read access time of
0.6~ seconds. A read/write ratio of four was used in deriving the power
estimates. The non-modular multicomputer requires the simplest functions
of the memory module; Table 4-4 contains the additional functions required
of the other computer organizations.

The estimated physical characteristics for these modules are given in
Table 4-5.
TABLE 4-5. MAGNETIC MEMORY MODULE PHYSICAL DATA

Module                                          Power
Basic 32K                     1350    34.6      51
Basic 16K                     790     23.7      39.2 (operating), 23.2 (stand-by)
Basic 32K + Delta (Org. 3)    1390    36.1      57.8
Basic 16K + Delta (Org. 4)    820     25.7      45.4 (operating), 29.4 (stand-by)
4.7.2.3.2 Semiconductor Memory Module - The advanced technology
approach uses semiconductor memory with devices mounted uncased on
2" x 2" ceramic substrates. The substrates are then mounted as packages
on printed circuit boards. The memory modules were mechanized with
1024-bit MNOS devices and 512-bit read/write MOS devices. It was assumed
a 7:1 ratio of devices would be used, i.e., for a 16K module 14K of MNOS
and 2K of MOS would be used. The same functions as listed in Table 4-4
apply in this case and will not be repeated here. The estimated physical
characteristics for the memory modules are given in Table 4-6.
TABLE 4-6. SEMICONDUCTOR MEMORY MODULE PHYSICAL DATA

Module                                          Power
Basic 32K                     576     18.5      22.5
Basic 16K                     320     6.4       16.2 (operating), 15.6 (stand-by)
Basic 32K + Delta (Org. 3)    576     12.0      29.3
Basic 16K + Delta (Org. 4)    320     4-65

4.7.2.4 VCS Module - The VCS module was functionally described in
detail in Section 4.5.5. This module is used in the candidates that
mechanize system concept 2. The estimate of physical characteristics for
this module is given below:

Components
    4 MOS/LSI
    1 Hybrid Thin Film
    3 Bipolar MSI IC
    11 Discrete

These components are mounted on a two-sided printed circuit board.
An 8" x 12" board is used for the conventional technology approach and a
7" x 8" board is used for the advanced technology approach.
4.7.2.5 Computer Module - This section presents the total estimates for
each type of computer module based on the above data for each individual
type of module in addition to estimates for power converter and clock
functions. The data is presented in Table 4-7 for the 16 candidates
(4 organizations x 2 system concepts x 2 technology approaches). In
addition, a 17th candidate was added (42C*) as a result of feedback from the
quantitative evaluation of the candidates presented in Section 5. This
candidate is a variation of the modular multiprocessor in terms of
packaging. Candidate 42C* assumes one physical package per compartment
(two total per spacecraft) whereas all the other candidates assume two
physical packages per compartment. The numbering system of the
candidates is explained in Section 4.7.1.

4.7.2.6 Candidate Computer System Data - The computer modules listed
below are combined in this section to form the set of physical data for each
candidate computer system. The data given in Table 4-8 include cabling
between the computers and, therefore, are not simply four times the
individual module parameters.
TABLE 4-7. COMPUTER MODULE PHYSICAL DATA

Candidate                             Power (Watts)
11C          1.21       67.0          103.5
12C          1.28       71.1          106.0
11A          0.526      25.8          65.1
12A          0.56       28.0          67.8
21C          1.56       88.88         123.0
22C          1.63       92.98         125.5
21A          0.58       28.56         81.7
22A          0.62       30.1          83.2
31C          1.24       69.3          112.6
32C          1.31       73.4          115.1
31A          0.58       26.3          74.5
32A          0.625      27.8          77.0
41C          1.61       104.2         140.0
42C          1.68       108.3         142.5
42E          3.36       212.6         285.0
41A          0.58       29.06         98.9
42A          0.625      31.6          101.4
TABLE 4-8. CANDIDATE COMPUTER SYSTEM

Candidate    Size (Ft.³)              Power (Watts)
11C          4.84                     414
11A          2.10       103           260
12C          5.12       284           424
12A          2.24       112           271
21C          6.24       356           492
21A          2.32       114           327
22C          6.52       372           502
22A          2.48       120           333
31C          4.97       279           450
31A          2.33       107           29%
32C          5.25       295           460
32A          2.51       113           308
41C          6.45       419           560
41A          2.33       118           396
42C          6.73       435           570
42A          2.51       128           406
.7.3 
4 ,9 .3  le 
to a d e 31 
could to @liability for each 0 
didatee. 
Table 4-9 contains the failure rate data for the individual modules
and the total for a computer module for each of the candidate computer
systems. Appendix 7 contains the details used in deriving the data in
Table 4-9. The derivation is based on accumulated past history of similar
components with suitable extrapolation to the space station time period of
application.

4.7.3.2 Candidate Computer System Reliability - Reliability models
were derived for each candidate computer system in order to determine
the reliability of each candidate. The details of these derivations are
given in Appendix 7. The failure rate data given in Table 4-9 was used
with a mission time of six months to calculate the candidate reliability
or probability of success. It should be noted here that the modular
organization (2 and 4) candidates were assumed to contain no spare P,
M or I/O modules in the reliability calculations. A summary of the
candidate reliabilities is given in Table 4-10.
4.7.4 Miscellaneous Data

Size, weight, power, and reliability data for the candidates have been
presented in the prior two sections; the remaining parameters for the
candidates will be given below.

4.7.4.1 Cost - The cost data for the candidates is given in Table 4-11.
This cost was developed from past experience with similar systems using
the detailed parts lists developed for each candidate. The estimate
includes both non-recurring and recurring costs for 20 systems. It is given
as relative cost in Table 4-11 with candidate 1 being used as a reference
base (cost = 1.0).
1W 
Potential - The growth potential o r  expandability data i s  
12. 
1 number of processor  modul and the initial number o€ 
max a r e  the maximum 
Mint,  Pint, and lt/Oint a r e  the initial amount of storage 
XOP modules respectively. 
amount that these 
o r  modi fication. 
s of modules may be expanded to without any redesign 
od is the module size o r  increment that can be added 
and the m&mory. 
. 3  Software - Basi e rated 
cally, i .  e ,  as  a set  
re - 
configuration p e r  of instructions 
TABLE 4-9 .  PREDICTED RELIABILITY PER COMPUTER 
(FAILURE / lo6 HRS.) 
landidate 
12.944 .3865 
12 e 3244 .3865 
15.1554 .3865 
15.1554 .3865 
13.0256 .3865 
13.0256 .3865 
17 e 1930 ,3855 
50.4X)O .3554 
17 e 1930 .3865 
50.4200 .3551r 
43.1999 03554 
43,1999 -3554 
48.5770 -3554 
48 * 5770 3554 
43.8209 93554 
43.8209 -3554 
chassis vcs 
TABLE 4-11. CANDIDATE COST DATA 
Relative Cost 
1.8 
1. 0 
1.82 
1.005 
3.36 
1.08 
3.45 
1.09 
1.86 
1.065 
1.89 
1.07 
4 .27  
1.15 
5.24 
1.25 
LE 4-12. GROWT 
Candidate NT 'MAX *OINT 
l2C 
5c 
'2A 
'1A 
2 2 c  
21c 
22A 
21A 
3 2 c  
3 1 ~  
3 2 ~  
3 1 ~  
%C 42E 
4 1 ~  
42 
4 1 ~  
128K 
128K 
128K 
128K 
256K 
256K 
256K 
256K 
128K 
128K 
128K 
128K 
384K 
384K 
3 84 
3 84K 
K 
128K 
0 
0 
0 
0 
16K 
16K 
16K 
16 K 
0 
0 
0 
0 
16K 
16M 
' 16M 
16K 
4 4 
4 4 
4 4 
4 4 
4 4 
4 4 
4 4 
4 4 
4 4 
4 4 
4 4 
4 4 
6 4 
6 4 
6 4 
6 4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
6 
6 
6 
6 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
ontbued) - an at were estim 
It should be n this does not repxese Of 
32-bit locations required of the instructions be 
implemented with 112 word 04-bit) locations, 
4.7.4.4 Interconnections - Table 4-13 also contains the listing of the
number of connections (pins) required on each computer module. It
accounts for all external interfaces (power, control panel, mass memory,
busses, etc.)
TABLE 4-13. SOFTWARE AND INTERCONNECTION DATA

Candidate      Software                         Interconnection
               (Instruction & Data Words)       (Pins/Module)
11C - 11A      34,800                           68
12C - 12A      35,100                           70
21C - 21A      36,500                           68
22C - 22A      36,800                           70
31C - 31A      36,500                           138
32C - 32A      36,800                           140
41C - 41A      37,700                           144
42C - 42A      38,000                           148
42E            38,086                           79
5.0 EVALUATION OF CANDIDATE COMPUTERS

5.1 INTRODUCTION

The objective of Task 5, Evaluation of Candidate Computers, is to
select the best candidate computer system for further study and
definition. This effort can be broken into two distinct phases: (a)
development of the evaluation model, and (b) actual evaluation of candidate
computers by applying the model to candidates under consideration. This
section of the report covers both of these phases. It defines the evaluation
model and provides the rationale used during the development of the model.
It also describes the evaluation process and summarizes the conclusions
drawn from the evaluation.

Much of the rationale used during the development of the evaluation
model was based upon information presented in the Work Statement,
information obtained from the Space Division of NR, and the relative weighting
factors provided by the NASA. The Work Statement and the Space Division
information contributed primarily to defining the scope of the computer
system and in turn the scope of the evaluation model, whereas the weighting
factors were used as a basis for defining details of the evaluation model.
Table 5-1 contains a list of the relative weighting factors as provided by the
NASA. They are specified as both additive and multiplicative, and with
respect to that candidate yielding the most beneficial value for the attribute
under consideration. An attribute is defined to be a computer system
characteristic that meets or exceeds the requirement for that characteristic.

Development of the evaluation model consisted of two basic activities:
Selection of the evaluation method and definition of the computational details.
The total effort was split about equally between the two activities. In
selecting the method of evaluation, trade-offs were required in the following
areas:

1. Basic Approach
2. Computational Technique
3. Data Normalization
4. Set Comparison Methods
5. Interpolation Schemes
ng the f o l l o ~ n g  a ~ ~ ~ ~ t  
The definition of these items was not selective in nature but rather
developmental.

Four basic computer organizations were selected for evaluation:

1. Non-modular multicomputer
2. Modular multicomputer
3. Non-modular multiprocessor
4. Modular multiprocessor

Two system concepts were also considered: one with a
voter/comparator/switch at each computer I/O section, the other without the VCS. In
addition, two different technologies were used to implement the candidate
systems. This resulted in a total of 16 candidates to be evaluated.

A detailed description of the evaluation model is presented in Section
5.2 of this report. It defines the method of evaluation, defines the
quantitative information needed to perform an evaluation, and discusses the
interpretation of data obtained from an evaluation. Section 5.3 discusses
the rationale used during the development of the evaluation model with
emphasis on the selection of the evaluation method. Section 5.4 describes
the evaluation process, provides quantitative evaluation data on the 16
candidate systems considered, and summarizes the conclusions drawn from
the evaluation.
5. 2 DESCRIPTION OF T 
The computer system candidate evaluation model provides a relative
evaluation of the candidates. It employs analog computational techniques and
a pseudo-normalization scheme for evaluating the attribute data. On the
attribute level, a relative comparison of the candidates is based upon a set
comparison method where the average of the set is defined to have an
attribute value of zero prior to the pseudo-normalization. The remainder of the
set receives an attribute value based upon deviations from the average and a
linear interpolation scheme. All ten attributes are evaluated in the same
manner.
Quantitatively, the total relative value of a computer system candidate
is defined as a weighted linear combination of the computer system attribute
values. More specifically,

\[ \$ = K_1 K_2 K_3 K_4 \,(k_1 P + k_2 W + k_3 V + k_4 C + k_5 PE + k_6 RF + k_7 G + k_8 R + k_9 T + k_{10} Mod) \]

where,

$   = Total Relative Value of Candidate
K_1 = Ten Pin Rule Weighting Factor
K_2 = Subsystem/Management Clarity Weighting Factor
K_3 = Technology Criticality Weighting Factor
K_4 = Clarity of Approach Weighting Factor
P   = Power Attribute Value
W   = Weight Attribute Value
V   = Volume Attribute Value
C   = Cost Attribute Value
PE  = Programming Ease Attribute Value
RF  = Reconfiguration Flexibility Attribute Value
G   = Growth Potential Attribute Value
R   = Reliability Attribute Value
T   = Transient Immunity Attribute Value
4 * 3  k6 = 8.6 
8.6 k7 = 10,O 
8,6 kg = 14,3 
10,o 
The multiplicative weighting factors K_1 through K_4 can be more accurately
defined as risk factors. As a result, their influence on the total relative
value of a candidate is more significant than any other factor. The
multiplicative weighting factors are variables, dependent upon the design of a
candidate. Detailed definitions of these factors are presented later in this
section. The factors k_1 through k_10 are defined as additive weighting
factors. They indicate the relative importance of the various computer
attributes such as power, weight, volume, etc.

The method of computing the attribute values for a given set of
candidates is as follows:

1. For each attribute, add the respective values of all
candidates and divide by the number of candidates
to obtain the average of the attributes. For example,

\[ P_{AVE} = \frac{1}{n} \sum_{i=1}^{n} (P_A)_i \]

where,

P_A = the power attribute
P_AVE = the average of the power attributes
n = the number of candidates

By definition, the average of the attributes has an attribute
value (intermediate value prior to normalization) of zero.
From the example, the power attribute value for P_AVE
equals zero.
2. Find the difference be 
the average a ~ t r i b u ~ ~  
For  attributes 
subtract the in 
Where. increae 
average for ea  
ir 
3. Compute intermediate attribute values for each candidate by
dividing the deviation for each candidate by the average.
Furthermore, limit the range of this intermediate value to
between -1 and +1 by letting all attribute deviations that are
more than double the attribute average have a value of +1.
The range for the example is then
4. Modify each of the above intermediate values by adding 1 and
dividing by 2. This in effect changes the range from "-1 to
+1" to "0 to +1". The modified intermediate value in the
example is
(Wi = (P"). t l +
where,
5. Obtain the final attribute value by multiplying the modified
intermediate values by a scale factor equivalent to the inverse
of the maximum modified intermediate value. In the example,
where
6. Substitute these values into the weighted linear combination
equation.

Graphically, steps 1 through 3 can be depicted as shown in
Figures 5-1 and 5-2. Figure 5-1 is the case where decreasing
attributes such as power, weight and volume are desired; and
Figure 5-2 is the case where increasing attributes are desired
such as reliability, growth and modularity.
[Figure 5-1. Decreasing Attributes Desired; Figure 5-2. Increasing Attributes Desired]

After applying step 4 of the above procedure, Figures 5-1 and
5-2 result into Figures 5-3 and 5-4, respectively.

And finally, after applying step 5, Figures 5-3 and 5-4 result
into Figures 5-5 and 5-6, respectively.

[Figure 5-5. Final Attribute Values; Figure 5-6. Final Attribute Values]
From these illustrations, it can be seen that the final attribute values
will have a range from 0 to 1, and that the best attribute will always have a
value of 1.

The above method of computing the attribute values will be applied to
all ten attributes.

Since the attribute values are highly dependent upon the attributes of
each candidate, care must be taken to accurately determine each attribute.
But even more important, the effort spent in determining the attributes
should be split equally among the candidates; i.e. the confidence level in
one candidate's attributes should equal that of another. The importance
of this aspect lies in the fact that the average of the attributes is the basis
for determining the attribute values; therefore, the accuracy of the
evaluation can be easily perturbed by inadequately determining the attributes of
only one candidate.
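The six-step procedure and the sensitivity to a single candidate's data can be worked through in code. This is an added example, not part of the original report: candidate names, attribute data, weights and risk factors are constructed, and the sign convention used for step 2 (deviation positive when the candidate is better than the average) is an assumption read from the legible parts of step 2 and the figure captions.

```python
"""Added example: attribute scoring by the six-step method of Section 5.2.
All candidate names, data, weights and risk factors are constructed."""
from math import prod
from typing import Dict, Mapping, Sequence


def attribute_values(raw: Mapping[str, float],
                     lower_is_better: bool) -> Dict[str, float]:
    """Steps 1-5: map raw attribute data for a candidate set onto 0..1."""
    if not raw:
        raise ValueError("at least one candidate is required")
    average = sum(raw.values()) / len(raw)                      # step 1
    if average <= 0:
        raise ValueError("the method divides by the average; it must be > 0")
    modified = {}
    for name, value in raw.items():
        # Step 2 (assumed sign convention): positive means better than average.
        deviation = average - value if lower_is_better else value - average
        # Step 3: deviation relative to the average, limited to -1 .. +1.
        intermediate = max(-1.0, min(1.0, deviation / average))
        # Step 4: add 1 and divide by 2, giving 0 .. 1.
        modified[name] = (intermediate + 1.0) / 2.0
    # Step 5: scale by the inverse of the maximum so the best candidate gets 1.
    # Deviations sum to zero, so the maximum is at least 0.5 and never zero.
    best = max(modified.values())
    return {name: m / best for name, m in modified.items()}


def total_relative_value(values: Mapping[str, float],
                         additive: Mapping[str, float],
                         risk: Sequence[float]) -> float:
    """Step 6: product of the K factors times the k-weighted attribute sum."""
    missing = set(additive) - set(values)
    if missing:
        raise KeyError(f"no attribute value for {sorted(missing)}")
    return prod(risk) * sum(k * values[attr] for attr, k in additive.items())


def evaluate(data: Mapping[str, Mapping[str, float]],
             lower_is_better: Mapping[str, bool],
             additive: Mapping[str, float],
             risk: Mapping[str, Sequence[float]]) -> Dict[str, float]:
    """Score every candidate; data[attribute][candidate] is the raw figure."""
    scored = {a: attribute_values(raw, lower_is_better[a])
              for a, raw in data.items()}
    candidates = next(iter(data.values())).keys()
    return {c: total_relative_value({a: scored[a][c] for a in data},
                                    additive, risk.get(c, (1.0,) * 4))
            for c in candidates}


if __name__ == "__main__":
    power = {"A": 100.0, "B": 200.0, "C": 300.0, "D": 600.0}   # watts, constructed
    print(attribute_values(power, lower_is_better=True))
    # Re-estimating only candidate D moves the average, and with it B and C,
    # whose own data did not change.
    power["D"] = 1000.0
    print(attribute_values(power, lower_is_better=True))
```

In the sample run, candidate B's power attribute value rises from 0.8 to about 0.857 when only candidate D's estimate is changed, which is the perturbation the preceding paragraph warns about.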
In the following paragraphs, a definition is provided for each of the ten
attributes.
Power: The power attribute efined as the total power con- 
the candidate c th s imultaneo~sly d f rom 
ant power bus s e 8 G maneuver in the ed 
C70- li’1/301 
5,2 (Continued) orbital coast phase, 1% shall include all computer modules 
whether they be actives dormant o r  in a standby mode. 
preprocessor power o r  power required for voting logic that is remotely 
located f rom the centralized computer. 
terms of watts, 
It does not include 
The power attribute is e 
Decreasing values a r e  desired for  the power attribute. 
The weight attribute 
all c r system modules, all 
base chassis structure to which all modules a r e  mounted. 
consideration (study ground rule). 
forced air ducting and blower weight, interface cabling to external systems, 
pre-processor weight, control and display weight, and chassis structure 
external to the module and module base weight. 
expressed in te rms  of pounds. 
is defined as the sum total weight of 
module cabling o r  bussing and the 
Spares are not under 
It does not include coldplate weight, 
The weight attribute is 
Decreasing values a r e  desired for the weight attribute. 
Volume: The volume attribute ( ) is defined as the volume of the smallest rectangular parallelepiped that will fully enclose all modules of the computer system. Should the computer system consist of two or more main assemblies (each of which may contain several modules), then the volume would be the sum total of all the rectangular parallelepipeds. The volume does not include cabling to external systems but does include inter-module cabling. It will include all handles, connectors and protrusions. The volume attribute is expressed in terms of cubic feet.
Decreasing values are desired for the volume attribute.
Cost: The cost attribute (C) is defined as the sum total cost of the DDT&E effort, the production cost of ten (10) systems plus ten (10) complete spares, and the software cost. These costs cover only the centralized part of the computer system. They do not cover the preprocessors or data busses. Maintenance and GSE costs are not included. The cost attribute is expressed in terms of dollars.
Decreasing values are desired for the cost attribute.
Programming Ease: The programming ease attribute (PE) is defined as being inversely proportional to the total number of uniquely programmed instruction words required. It does not include any programs that are completely redundant, where completely implies that the redundant routines need not be reprogrammed. Due to different computer architectures, a special modifier has been added to this attribute. This modifier normally has a value of one, but it may be less than one if a particular candidate is more difficult to program.
Mathematically,
- 
k = architectural modifier
N = number of uniquely programmed instruction words 
Pe 
Increasing values are desired for the programming ease attribute.
* The reconfiguration flexibility attribute 
enaent of the number of different operational 
system. The modes will involve only memory, processor, and input/output modules or submodules. They may be either automatically or manually commanded, but they must be electrically reconfigurable. Power supply and clock reconfiguration modes are excluded.
Increasing values are desired for the reconfiguration flexibility attribute.
Growth Potential: The growth potential attribute (GA) is defined as that growth that is possible by physically adding memory modules, processor modules, and input/output modules. Hardware modification to existing modules is not considered. Additions to the computer system cannot degrade existing performance.
Mathematically,
GA
where,
KM = 10, KP = 2, KIO = 5
GM = Memory Growth
GP = Processor Growth
GIO = Input/Output Growth
Memory Growth is defined as
GM =
where,
Mmx = Maximum number of full length memory words feasible under design
MINT = Initial number of full length memory words in first operational system
MMOD = Minimum number of full length memory words
Processor growth is defined as
where,
Pmx = Maximum number of processor modules that are feasible under design
PINT = Initial number of processor modules in first operational system
Input/Output growth is defined as
where,
IOmx = Maximum number of input/output modules that are feasible under design
IOINT = Initial number of input/output modules in first operational system
Increasing values are desired for the growth potential attribute.
Reliability: The reliability attribute (R) is defined as the probability of mission success for the computer system for a 180 day mission. The hardware under consideration includes only the computer system modules and inter-module cabling. It does not include preprocessors and external data busses. This attribute is in addition to the fail op, fail op, fail safe criteria.
Increasing values are desired for the reliability attribute.
The transient immunity attribute (T 
as ute r rm without e r r o r  
ele inte This attribute 
problems associated with the sses. It does include e r r 0  
that occur during reconfiguration, h o w e ~ e ~ ~  Of p r i  
putting of incorrect info 
which can accurately de 
No ~ ~ ~ ~ ~ ~ a ~ ~ ~ e  measure has been ~ ~~n~~ 
att r i b u t ~ *  
Since this attribute is not q 
date will hav 
value of 0. 7. 
The modularity attribute (Mod ) is defined as the total
ght replaceable modules which constitute a part of the computer system. They do not include any preprocessor modules.
Increasing values are desired for the modularity attribute.
In addition to computing the attribute values for each candidate, the four multiplicative weighting factors must also be determined. A definition of these factors and the method for determining their quantitative values are provided in the following paragraphs.
Ten Pin Rule Weighting Factor: The ten pin rule weighting factor (K1) is a numerical value corresponding to the worth of a candidate with respect to the maximum number of electrical interconnect pins that exist on any one of the candidate's modules. It is with respect to those pins required for flight operation, and it does not include covered test pins. A design goal of ten (10) pins has been established, and an upper limit of fifty (50) pins is highly desired. The ten pin rule weighting factor for a given pin count is defined as follows:
Pin Count (x)        Weighting Factor (K1)
0 < x ≤ 50           K1 = 1
50 < x ≤ 100         K1 = -.002x + 1.1
100 < x ≤ 200        K1 = -.003x + 1.2
200 < x              K1 = 0
Graphically, these relationships are as shown in Figure 5-7.
Figure 5-7. Facto
o and can be measured by the amount of different data that is exchanged via electrical interfaces. More specifically, the effectiveness is defined as the number of different pieces of information that enters or leaves the centralized computer. The weighting factor will then be determined from this information.
The subsystem/management weighting factor is determined in a manner similar to that for the attributes. An average for the interface data is computed taking all candidates into consideration. An intermediate weighting factor (K2) for the average is defined to be 0.9 (not zero as in the case of the attributes). Deviations from the average are then computed. A candidate with twice the average has a value of 0.8, and a candidate with no data flow (an impossibility) has a value of 1.0. A scale factor equivalent to 1.0 / (K2)MAX is then used to determine the final weighting factor.
The mechanics of determining this attribute are shown in Figures 5-8 and 5-9.
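The ten pin rule and subsystem/management factors described above can be worked through as follows. This is an added example, not code from the report: it assumes the K2 mechanics are linear through the three stated points (1.0 at no data flow, 0.9 at the average, 0.8 at twice the average), takes the slope of the 100 to 200 pin segment as .003 (the value that meets 0.9 at x = 100), assumes the four factors combine as a plain product, and uses constructed candidates.

```python
from statistics import mean


def ten_pin_factor(pins: int) -> float:
    """K1 for the largest flight-operation pin count x on any one module."""
    if pins <= 0:
        raise ValueError("pin count must be positive")
    if pins <= 50:
        return 1.0
    if pins <= 100:
        return -0.002 * pins + 1.1
    if pins <= 200:
        # Slope assumed to be .003: the value that meets the previous
        # segment (K1 = 0.9) at x = 100.
        return -0.003 * pins + 1.2
    return 0.0


def subsystem_factors(data_items: dict[str, float]) -> dict[str, float]:
    """K2 per candidate from the number of different data items exchanged."""
    avg = mean(data_items.values())
    if avg <= 0:
        raise ValueError("a candidate set with no data flow cannot be scored")
    # Intermediate factor: 1.0 at no data flow, 0.9 at the average, 0.8 at
    # twice the average. Clamping at zero is an assumption of this example.
    intermediate = {
        name: max(0.0, 1.0 - 0.1 * n / avg) for name, n in data_items.items()
    }
    # Scale so that the best candidate of the set ends up with exactly 1.0.
    scale = 1.0 / max(intermediate.values())
    return {name: k * scale for name, k in intermediate.items()}


def risk_factors(candidates: dict[str, dict], k3: float = 1.0,
                 k4: float = 1.0) -> dict[str, float]:
    """Product K1*K2*K3*K4 per candidate; K3 and K4 are given by definition."""
    k2 = subsystem_factors({n: c["data_items"] for n, c in candidates.items()})
    return {
        n: ten_pin_factor(c["max_pins"]) * k2[n] * k3 * k4
        for n, c in candidates.items()
    }


# Constructed sample set, not data from the report.
SAMPLE = {
    "A": {"max_pins": 40, "data_items": 100},
    "B": {"max_pins": 75, "data_items": 200},
    "C": {"max_pins": 150, "data_items": 300},
}

if __name__ == "__main__":
    for name, k in risk_factors(SAMPLE).items():
        print(f"{name}: K = {k:.3f}")
```

When every candidate exchanges the same amount of data, the scaling step gives each of them K2 = 1.0.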
The technology criticality weighting factor (K3) is a numerical value corresponding to the risk involved in using an advanced technology. The risk is usually in the form of jeopardizing the program by schedule slippage and/or developmental risk. Systems requiring large amounts of brute force engineering or systems that are extremely complex in their integration are not classified by being technological critical. However, new hardware, or components requiring scientific breakthroughs, that have not been previously used, or where material discoveries are required, are critical.
The technology criticality weighting factors are specified by definition. Tables 5-2 and 5-3 define the weighting factors for the various circuit and memory technologies, respectively. The circuit technology weighting factors are a function of chip density, while the memory technology weighting factors are defined for various speeds. The weighting factor for a given candidate is defined as that value for the most critical technology used in the system.
Clarity of Approach: The clarity of approach weighting factor (K4) is a numerical value which corresponds to the appeal of the technical approach upon the evaluation. The best approach has a value of 1.0 and the poorest approach a value of 0.9. For purposes of this study, it is a constant of 1.0.
The general method for evaluating a set of candidates is as follows:
1. Determine the basic attributes for each candidate by analysis.
2. Determine the attribute values for each candidate from the methods specified in this section.
3. Determine the multiplicative weighting factors for each candidate.
* 8n a candidate by c Q basis, sub- 
into the total stitute the attribute 
evduation equation, 
d result  
on for e 

The interpretation of the results is simple. The entire evaluation is on a percentage basis. For example, if a computer system was the best in all areas with respect to the other candidates and if the risk attributes were all ideal, that system would have a valuation of 100, $ = 100. A valuation of 100 is the highest possible valuation. More likely however, the best candidate will have a valuation in the range of 60 to 80. Relative comparisons are also simple. If the best candidate has a valuation of 75, and the second best candidate has a valuation of 60, then the best candidate is at least 25 percent better than all of the other candidates.
5.3 SELECTION OF EVALUATION METHOD
Prior to selecting a particular method of evaluation, a set of goals was established to insure that the evaluation model itself would be of value. If the evaluation model could not reliably evaluate the candidates, it would be of little use. Since the function of the evaluation model is to determine which computer candidate will receive further study and definition, its quality must be assured.
The most obvious goal was to make the evaluation model quantitative. A qualitative evaluation would be comparable to a sales pitch, and thus of little use. Two of the more important goals were to make the model accurate and highly objective. The accuracy goal is self-explanatory. However, the objectiveness goal is an aspect that is often overlooked in many evaluations. Evaluator subjectivity and corporate goals have a tendency to bias evaluations. Ease of interpretation is a quality that makes the evaluation model acceptable; therefore, it was a goal. If the evaluator cannot easily understand the model and interpret the results, they obviously will not accept the conclusions. And finally, the mechanics of the model should be relatively simple; i.e., it should be easy to compute.
In summarizing the goals, the evaluation model was to be quantitative, accurate, highly objective, easy to interpret and easy to compute. Indeed, these goals have been met.
As a starting point, it was decided to define the value of the computer system as a weighted linear combination of the computer system attributes. Computer attributes can be thought of as computer characteristics that meet or exceed the computer system requirements. It was assumed that all computer systems would meet or exceed the computer system requirements. Thus, all computer systems that are proposed as candidates are considered to be viable for the application. Numerous references are in agreement with this concept.
The first major aspect in selecting the evaluation method was to determine which approach to use. Two main approaches were considered: a relative approach and an absolute approach.
ison of the candidates, whereas 
ion with respect to the specific 
The relative approach provides a 
absolute approach pro- 
ication, 
h the the evaluation is independent of the applica- 
tion. As I detailed mission r ~ ~ u i ~ ~ ~ e n t ~  
during the ation, The mathmatice are 
simple in the relative approach, beca 
candidates can be easily obtained. 
interpolation would be simplified, an 
remote, 
respect to the specific application a r e  not a 
absolute comparison, Areas for candidate rovement with respect to 
the application are also more difficult to seea 
This 
On the other hand, the worth o r  meri ts  of this approach with 
gh as they would be for an 
, if it i s  practical. to  use, is the best 
different candidates with respect to t 
ecific a reas  for improvement for a11 candidates, 
However, normalization and interpolation a r e  in 
Thus, there is a tendency for subjectivity to be introduced into the evaluation. For this approach, the mission requirements and design goals must be known.
Within each approach there is a choice of computational techniques. Two that were considered during the study are an iterative discrete technique and a basic analog technique. The iterative discrete method requires iteration of the linear combination equation as many times as there are candidates. After each iteration one candidate is eliminated. The analog method requires only one iteration per evaluation.
eneral more complex
ies the mathemati 
and interpolation, 
cy of this tecbldq 
es increases,  the number of 
candidates increases, and as the differences between the relative factors becomes smaller. The output of the evaluation is an ordering of the candidates. Relative differences between candidates are not available.
provides an ou de e3 i r able 
c o m ~ a r i s o n e  o s d t e  are 
ally provided. This technique does not require a large number of attributes
After selecting the approach, the computational technique, and whether or not to use normalization, a set comparison method was chosen. Four set comparison methods were considered during the study. The first method was defined such that the average attribute of the set equalled zero. Deviations from this average are then employed for computing the attribute value. The second method consisted of setting the required attribute for the set to zero. The third was defined such that the best attribute of the set equalled one, and the fourth was defined such that the worst attribute of the set equalled zero.
set comparison method is highly
e simplified mathematics. The method gains in accuracy as the number of candidates increase. Due to the positive and negative character of the attribute deviations, a pseudo-normalization scheme is required to obtain the final attribute values. As a result, relative comparisons on the attribute level are more complex, and have a little less meaning than other set comparison methods. This method is more applicable to a relative approach than an absolute approach.
using the method demands that the computer system tsd. If they are estimated, subjectivity is introduced. If the requirements are known, this is a good method. It is easy to compute, the results have more meaning with respect to the application, accuracy is good, and areas for improvement are readily seen. Although the meaning of the results is good, the interpretation and relative comparison, is only fair. Interpolation schemes are rather difficult to develop, and thus allow for more subjectivity. This method is more suited to the absolute approach.
set comparison method provides the best
It is easy to compute providing that the variables are normalized, and it is moderately objective for a wide range of variable values. Areas for improvement are fairly observable, and interpolation schemes are not too difficult to develop. Accuracy is affected by the number of candidates, and will increase as the number of candidates increases. Computer system requirements are not needed for this method. Objectivity diminishes if the number of candidates is reduced or if there are only small differences between the candidates. This method implies that the candidate with the best attribute of the set cannot be improved. Application of this method is best suited to a relative approach.
e 
arison method is ost the 
easy to compute highly - -  
~ o r &  candidates, Nor 
y be bounded. Interpretation 
de are specified. For the 
velop, Due to poor 
hod is not too ~ e l i a ~ l @ *  
For each set comparison method, many interpolation schemes can be defined. Those considered during the study were linear functions, parabolic and cubic functions, and estimation.
Linear interpolation is easy to compute and highly objective. Although interpretation is easy, it is less realistic than other schemes. This scheme provides the widest separation in attribute values over a given range of attributes resulting in the good interpretation. It is much better for an attribute with a short range, and much poorer for greater ranges.
Parabolic and cubic schemes are more difficult to compute than linear schemes, but they are much more realistic. They too are highly objective. They are more suited for evaluation over a wide range since they provide less discrimination in the area of interest.
Interpolation by estimation should be used only as a last resort. It is highly subjective and its realisticity depends upon the estimator. There is often difficulty in obtaining an estimate that is agreeable with all concerned. In some cases, this method may be the only method possible due to the inability to quantitatively define an attribute.
5.3.2 Selected Method
The relative approach was selected as the best approach for the evaluation model. This approach is simpler to compute, more objective, and not as demanding of the mission specifics as is the absolute approach. If all candidates are designed with the mission objective in mind, then the merits of the approach are quite meaningful.
Analog techniques were chosen as the mathematical foundation for the model. These techniques provided an accurate, highly desirable and easily interpretable output at the expense of more complex computations. The amount of subjectivity introduced by these techniques is highly dependent upon the details of the technique, and is felt to be minimal.
In conjunction with the above selection, the set comparison method that was selected is "the average of the set equals zero." This method is highly
objective, is easy to  compute, provides 80 
morep the system requirements need not b 
four candidates will be evaluated, the accu 
With the selection of this set  
technique was employed. This r e  
results associated with the "best 
Thus, the good features of both B 
A linear interpo ation scheme 
the t r a ~ s ~ e ~ t  Y 
espolation is t 0 
scheme se 
5.4 CANDIDATE SYSTEM EVALUATION
Sixteen candidate computer systems were defined based on four different computer organizations, two different systems concepts and two different technologies. A numbering system describing the candidates is defined in Section 4.7.1.
A detailed hardware description was prepared for each candidate, showing the number of LSI circuits, printed circuit boards and memory arrays. The hardware description also indicated size, weight and power estimates. Therefore, the hardware descriptions served as the primary sources of data for determining the attributes. The functional descriptions of the candidates presented in Section 4 of this report served as the basis for determining such attributes as the growth potential, transient immunity and modularity. Certain attributes such as the subsystem/management clarity, technology criticality and clarity of approach were based on judgmental factors to a certain extent.
The subsequent discussion provides assumptions and ground rules which were employed and are not apparent from the summary (Table 5-5) or from the basic definition of the evaluation model.
Power: The power attribute value (P) was based on the total power consumption of the computer system; i.e., four times the individual computer power.
Weight: The weight attribute value (W) was based on four times the weight of the individual computers plus the following weight for inter-computer cabling: 1.6 pounds for non-modular multiprocessors and 2 pounds for modular multiprocessors.
Volume: The volume attribute value (V) was computed using the individual computer volume multiplied by four plus the following intercomputer cabling volume: .008 cu. ft. for non-modular multiprocessor configuration and .009 cu. ft. for modular multiprocessor configuration.
Cost: Rough order of magnitude costs were developed by formula method based on past experience with similar computer systems and recent cost estimates for computers employing advanced technology. The estimate included both non-recurring and recurring costs for 20 systems. It was assumed that there would be no non-recurring costs for development of LSI circuits. The cost of flight software and software aids such as assemblers and simulators were included in the estimate.
: 
total instructions required to  imple 
The programming ease attribute v 
e computers. The att inversely proportional 
of instructions, 
tical, the archite 
ecturs  of the candidates 
ssigned a value of 1.0 
: The reconfiguration flexibility attribute 
valu 
pute 
to the computers (arithmetic processors memory module, I/O processor 
level) was also taken into account. 
figuration is not always possible. Therefore, a probability of ,. 5 
to all internal reconfiguration paths, resulting in a more realist i  
reconfiguration flexibility, 
Growth Potential: 
e r  of different data flow modes of the com- 
fault isolation and reconfiguration internal 
ssumed that module level recon- It was 
The growth potential attribute value (G) was computed on the formulas presented in Section 5.2 of this report. Table 4-12 summarizes the modularity characteristics for the candidate systems.
Reliability: The use of mission probability of success (Ps) was found to result in a very minimal spread in attribute values even for widely disparate values of Ps. The same is true if probability of failure (P ) is used. It was concluded that a new term, effective MTBF (Me) would be more meaningful and should be used in computing the reliability attribute values. The effective MTBF is defined as the mean time between failures which a non-redundant system would have in order to meet the same mission probability of success as the candidate system. The value of Me is calculated from Ps after Ps has been determined in the normal manner considering all redundancies and reconfiguration features of the candidate system. By definition,
Me
where,
t = 4320 hrs. (18
This is good approximation for system where M >> t. A detailed description of the reliability model used in the computation of Ps is presented in Appendix 7.
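The effect described in the reliability paragraph can be reproduced numerically. The following is an added example, not the report's own formula: it assumes the non-redundant reference system follows the exponential failure law Ps = exp(-t/Me), uses t/(1 - Ps) as the approximation valid when Me is much larger than t, normalizes with a "best equals one" scaling, and uses constructed Ps values.

```python
import math

MISSION_HOURS = 4320.0  # 180 day mission, t in the text


def effective_mtbf(ps: float, t: float = MISSION_HOURS) -> float:
    """MTBF of a non-redundant system with the same mission success.

    Assumes the exponential failure law Ps = exp(-t / Me).
    """
    if not 0.0 < ps < 1.0:
        raise ValueError("Ps must lie strictly between 0 and 1")
    return -t / math.log(ps)


def effective_mtbf_approx(ps: float, t: float = MISSION_HOURS) -> float:
    """First-order form t / (1 - Ps), usable when Me is much larger than t."""
    if not 0.0 <= ps < 1.0:
        raise ValueError("Ps must lie in [0, 1)")
    return t / (1.0 - ps)


def approx_error(ps: float) -> float:
    """Relative error of the first-order form against the exponential law."""
    exact = effective_mtbf(ps)
    return (effective_mtbf_approx(ps) - exact) / exact


def best_equals_one(values: dict[str, float]) -> dict[str, float]:
    """Scale a set of attributes so that the best candidate scores 1."""
    best = max(values.values())
    return {name: v / best for name, v in values.items()}


def compare(ps_by_candidate: dict[str, float]):
    """Return the scaled attribute set using Ps directly and using Me."""
    by_ps = best_equals_one(ps_by_candidate)
    by_me = best_equals_one(
        {name: effective_mtbf(ps) for name, ps in ps_by_candidate.items()}
    )
    return by_ps, by_me


# Constructed mission success probabilities, not values from the report.
SAMPLE_PS = {"A": 0.99, "B": 0.999, "C": 0.9999}

if __name__ == "__main__":
    by_ps, by_me = compare(SAMPLE_PS)
    for name in SAMPLE_PS:
        print(f"{name}: Ps-based {by_ps[name]:.4f}   Me-based {by_me[name]:.4f}")
    print(f"approximation error at Ps = 0.99: {approx_error(0.99):.2%}")
    print(f"approximation error at Ps = 0.50: {approx_error(0.50):.2%}")
```

With these inputs the Ps-based values all fall within one percent of each other, while the Me-based values span two orders of magnitude.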
ference between the 
the presence o r  lack 
a r e  able to detect transients a s  
pagated through the data 
VCS were assigned 1.0 
immunity attribute .v 
Ten Pin Rule: The ten pin rule weighting factor (K1) was obtained
a st
alculation based upon the number of pins required for
external connection of each computer module.
A value of 1. 0 was assigned to all 
e s  exchanged the same amount of data can 
with other subsystems. 
Technology Criticality: The technology criticality weighting factor (K3) was obtained from Tables 5-2 and 5-3. In case the circuit and memory technology factors were different for a given candidate system the lowest factor representing the most critical technology was chosen.
The clarity of approach weighting factor (K4) was set to 1.0 for all candidates, as specified in Section 5.2.
Table 5-4 shows the summary of the evaluation results.
The evaluation results point out several interesting facts:
Systems with VCS were always rated higher than the same systems without VCS. This is due primarily to the additional transient immunity provided by VCS outweighing the additional hardware and software needed. Therefore, systems without VCS were eliminated from further consideration.
Conventional technology offers substantial advantages over advanced technology. The difference is primarily caused by the higher risk of MOS technology. Also, it should be noted that the advanced technology systems were rated low in the areas of reliability. The relatively low reliability was due primarily to the higher failure rate of the MNOS semiconductor memory as compared to the plated wire memory. Therefore, systems mechanized with advanced technology were eliminated from further consideration.
Three candidates were identified as most promising: 12c (non-modular multicomputer), 22c (modular multicomputer), and 42c (modular multiprocessor). It became apparent at this point that the evaluation was very sensitive to the "ten pin rule." In particular, candidate 42c is severely degraded by this candidate. Consequently, 42c was considered in a different physical version using a total of 2 modules rather than 4 computer modules. This new version was labeled 4'2c. Evaluations were then conducted between candidates 12c, 22c and 42c, and between 12c, 22c and 4'2c.
luatione a r e  p re  ted in Table 5-5. As ated 
in arly has much h r total relative value 
O t  
was then chosen for further study and evaluation through
n. The recommended candidate was also redefined as the "restructurable multicomputer." The new definition is more descriptive since the system is used in a multicomputer mode of operation in order to satisfy the fail op, fail op, fail safe criterion. The multiprocessor data paths in the system are used for reconfiguration capability only.
Table 5-5. Additional Evaluation Between Competitive Candidates
CANDIDATE T 7 - K m /- 9 K n $
12c       .964    71.46    68.7
22c       .960    68.92    66.2
42c       .708    90.01    63.6
4'2c      .942    84.74    79.7
6.0 I/O D
6.1 INTRODUCTION
The I/O Bus Investigation is divided into five major sections. The first section covers the method of bus control and operation. The second section details the considerations involving the selection of a baseline data transmission technique for the data link. Also included at the end of this section are data cable considerations, clocking techniques and synchronization methods. A baseline or preferred approach is stipulated for each of these. Detailed design considerations for the data link are given in Appendix 9.
The third section covers in detail the error protection study performed and the results of that study. A selection of an error protection technique is made and an operational format for the bus specified to utilize this technique of error control. The fourth section discusses the impact on the bus system of the two candidate GN&C system configurations reported in Section 4.
Finally a summary of the preferred baseline mechanization of the I/O data bus is presented. This section brings together the salient features of the baseline mechanization and summarizes the overall report. Detailed operational sequences of computer to LP and LP to computer communications are not specified. These details are configuration dependent, and are detailed in the report section on the IOP and the local processor. The overall operation of the bus system is highly flexible and configuration independent, and it is this level that has been documented.
6.2 BASELINE BUS CONTROL
All communication on the data bus will be under computer control. All bus lines go to all computers indirectly through the VCS structure allowing each computer to monitor the operation and data on each of the four bus lines. Each bus link is dedicated to a computer, and its IOP has control over this bus. The IOP will initiate all bus communication.
The bus operation can be divided into three major categories. These are: receive computer data, transmit data to computer, and other operational commands. During the receive computer data operation, each LP addressed will accept data from the computer for its associated subsystem. Under transmit data to computer operation, the addressed LP will transmit selected data from its subsystem on the appropriate bus. Command operation will be used to transfer commands from the computer to the LP for higher level control of the LP/Subsystem.
The bus operation will be defined as request-acknowledge communication. This means that for any request there will always be an acknowledgement from the LP. Only computers can make requests. The LP will be allowed to ask for a request in its acknowledgement signal.
All request messages will have an identical format, as will all acknowledgement messages. The coded request messages will be the primary methods of initiating any bus operation. Two bus control request words will be used for all three categories of operation. These words will be constructed as shown in Figure 6-1. They are shown as a single 32 bit computer word at the IOP which becomes two 16 bit words on the data bus and in the LP. Appended to the start of these words is a three
bit sync code discussed later. These words will precede all data messages occurring each time the IOP initiates communication with a subsystem.
6.2.1 Computer to Local Processor Control Words
These control words are used when data is to be sent to or requested from a local processor. The fields of the control words are defined as follows:
Field               Bits   Definition
Computer Address    4      Indicates which computers are to receive the control word. Any combination of computers may be addressed by setting the appropriate bits to ONE.
Type                2      Identifies control word type.
Retransmit          1      ONE: Message is to be sent again if an error is detected in the transmission. ZERO: Message is to be sent once.
LP Address          5      Identifies the local processor being accessed by the computer.
I/O                 1      ONE: Data are to be input. ZERO: Data are to be output from the computer.
Data Location       6      Identifies the LP memory address which contains the starting LP memory location.
Reply Buses         4
The LP address field will have a distinct code word for each addressable LP, up to a total of 32. This allows communication with any single LP. Any subsystem with more than one Local Processor can have a separate or identical address for the additional unit.
The spare field bits can be used to delineate the operation of the LP. The basic transmit or receive data operation is the I/O bit. Other possible control items will be power-on-off to subsystem; special transmit routines for self-test, such as ADC calibration checks; different modes of data entry or transmission, such as retransmit all received data; request for status register contents; etc.
6.2.2 Acknowledge Control Words 
These control words are generated by the LP and sent to the computer. The control words are sent to acknowledge the receipt of data by the LP or to start the transmission of data by the LP.
Acknowledgement messages will always be transmitted after receipt of a request. These messages will also have a common format utilized by all LP's. This format is also shown in Figure 6-1. An acknowledge is always preceded by a three bit sync code. The sync field will be used for synchronization of received messages at the IOP.
The requested (addressed) LP will respond with its hard wired address in the address field. This is a check on which LP is transmitting the acknowledgement message. The control fields will be identical to the ones received as another check on operation of the LP as well as on proper receipt of commands when no other action is requested.
An LP status field will be defined which will give gross indications of the current operation of the LP. These flags will indicate such things as:
1) Parity error in request word (or other error detection results).
2) Parity error in received data (or other error detection results).
3) Result of power control command and other commands.
4) Gross LP status based on self-test (BITE).
5) Gross subsystem status based on self-test (BITE).
6) LP request for complete data dump to computer.
Commands performed by the LP will be such that a parallel real time indication of the presence or absence of the command signal will always be available for inclusion in the acknowledge word or on a later request for status by the IOP. The other fields of the acknowledge word are as defined in 6.2.1.
ion for  the three fuactiona categories follows set  patterns. These 
Bus switching is done at the individual LP's to reply to the IOP's. This information is sent to the LP in the second control word in the reply buses field. The LP reply can be transmitted on one, two, three or all bus lines back to the central computer complex.
Reconfiguration information can also be provided in the request and acknowledge words as needed. This is one type of higher level LP control or status information. One of the data words available to the computer on request (for data) is a detailed BITE status word(s). This can be requested on an "as needed" basis or any other frequency that might be desired. It will always be transmitted to the computer when a full data "dump" is performed, since it is handled in the same manner as any other data word.
Appropriate no-data timing intervals will be included in the overall communication scheme for "guard" bands between words or messages. This principally occurs after the computer finishes transmitting and before the LP can respond. They are necessary to adjust for timing delays and skew between different users of the bus. The data clocking technique will be such that all data is disassembled under control of the clock used to originally assemble it.
Detailed operational sequences at the LP are described in the Local Processor Section.
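The acknowledge checks of 6.2.1 and 6.2.2, worked through as an added example that is not code from the report: the LP answers only to its hard wired address and echoes the control fields, and the IOP compares the echo with what it sent. Field widths are those of the 6.2.1 table; the bit order, the acknowledge layout, the status bit positions and polarity, and every name below are assumptions.

```python
# Added example (not from the report). Widths follow the 6.2.1 field table;
# packing order (first field in the most significant bits) is an assumption.
REQUEST_FIELDS = (("computer_address", 4), ("type", 2), ("retransmit", 1),
                  ("lp_address", 5), ("io", 1), ("data_location", 6),
                  ("reply_buses", 4))

# Control fields the LP echoes back unchanged (assumed selection).
ECHOED = ("type", "retransmit", "io", "data_location", "reply_buses")

# Assumed acknowledge layout: LP address, echoed control fields, status flags.
ACK_FIELDS = ((("lp_address", 5),)
              + tuple(f for f in REQUEST_FIELDS if f[0] in ECHOED)
              + (("status", 6),))

# Flag meanings follow the report's list; bit positions and the convention
# that a set bit means "condition present" are assumptions.
STATUS_FLAGS = {
    "request_parity_error": 0x01,
    "data_parity_error": 0x02,
    "command_failed": 0x04,
    "lp_bite_fault": 0x08,
    "subsystem_bite_fault": 0x10,
    "dump_request": 0x20,
}


def pack(layout, values):
    """Pack named fields into one integer, rejecting values that overflow."""
    word = 0
    for name, width in layout:
        value = values[name]
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
        word = (word << width) | value
    return word


def unpack(layout, word):
    """Inverse of pack(): split an integer into its named fields."""
    values = {}
    for name, width in reversed(layout):
        values[name] = word & ((1 << width) - 1)
        word >>= width
    return values


def lp_respond(request_word, hardwired_address, status=0):
    """LP side: stay silent unless addressed, else echo the control fields."""
    request = unpack(REQUEST_FIELDS, request_word)
    if request["lp_address"] != hardwired_address:
        return None
    ack = {name: request[name] for name in ECHOED}
    ack["lp_address"] = hardwired_address
    ack["status"] = status
    return pack(ACK_FIELDS, ack)


def iop_check(request_word, ack_word):
    """IOP side: list every discrepancy or raised status flag in an acknowledge."""
    request = unpack(REQUEST_FIELDS, request_word)
    ack = unpack(ACK_FIELDS, ack_word)
    problems = []
    if ack["lp_address"] != request["lp_address"]:
        problems.append("address")          # a different LP answered
    problems += [name for name in ECHOED if ack[name] != request[name]]
    problems += [flag for flag, bit in STATUS_FLAGS.items()
                 if ack["status"] & bit]
    return problems


# Constructed sample request: computers 1 and 3, LP 19, output, reply on 2 buses.
SAMPLE = dict(computer_address=0b0101, type=1, retransmit=1, lp_address=19,
              io=0, data_location=42, reply_buses=0b0011)
```

An empty list from `iop_check` means the addressed LP answered and echoed the request unchanged with no status flag raised.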
6.3 I/O BUS LINK
The IOP/VCS operation is described in its section and not repeated here.
The job of the data link is to provide at its output a replica of the signal applied to its input. The data link for this discussion includes only that equipment required to transmit a signal from one point to another. The link will be time shared between many users.
Reliable data transmission is accomplished by the use of error detecting or correcting codes and by guaranteeing a signal-to-noise ratio in the transmission link adequate to produce acceptably low error rates. This section of the report discusses and evaluates various modulation-demodulation methods to achieve this end.
The first consideration for the data link shall be reliability. In evaluating transmission techniques suitable for the data link, the following design rules were considered:
Design for high reliability;
Low error rates compatible with the system;
Minimum susceptibility to noise;
Minimal noise emitted by the data link;
Redundant Operation;
and cost and power;
am of maintainability tional adjustments
The general philosophy for the design of the data link must encompass all the above ground rules with special emphasis on reliability. Stress will be placed upon minimizing the effect of noise as related to reliability. Selection of the best transmission technique for low error rate, and employment of low powered microcircuits, works hand-in-hand with a system that operates with small signal levels. All of the above will be used to reduce the level and effects of susceptible and emitted interference. It should be noted that the degree of noise rejection required cannot be determined without information about the levels and spectra of
6.3.1 Signal and Noise Considerations
The probability of bit error of a system is a function of the signal-to-noise ratio, the noise bandwidth and the data rate. The distribution of noise in the bandwidth of the communication channel is unknown. In many cases, it is assumed Gaussian, but for aircraft this assumption is not generally valid. It is assumed that the spacecraft conducted or common mode noise is not Gaussian either, and probably follows a 1/f characteristic similar to aircraft as in Figure 6-2.
The data transmission link has two conflicting requirements, low probability of error and low interference with other signals. The probability of error is inversely related to received signal power. This is true except at very low probability of error. However, increasing signal power increases generation of interference.
The energy per bit, E, is inversely proportional to frequency of data for a given signal power level. Thus, the signal power must be increased in proportion to the data rate to maintain a constant energy per bit. In digital data transmission, a certain amount of energy is required to make a decision as to whether the symbol representing a 1 or a 0 was received. The transmitted power must equal the product of the energy per bit and the bit rate plus the channel losses. The reliability of the decision as to whether a 1 or 0 was received is known to increase with the amount of signal energy that can be integrated during a bit time. With a given bit time and signal power, a data waveform or code symbol should be selected that will deliver the maximum energy to the receiver. The maximum likelihood of a correct decision occurs when the energy of the 1 symbol is equal to the energy of the 0 symbol. The symbols should have equal probability of detection.
The approach taken for this study is to improve the data transmission channel by reducing its susceptibility to noise. With reduced noise in the
signal to noise ratio can be maintained with low signal power,
reducing the noise interference emitte
noise affecting the data transmission 1
channel by conduction or radiation,
Th
cal devices which use
operated can cause tr
is the worst off
[Figure: Noise Power Density (DBW/HZ) versus Frequency (HZ)]
Noise coupled by capacitance is also present. Interference of this type is usually caused by high frequency, high voltage elements in close proximity to the data link.
Electromagnetic radiation interference usually enters a channel by field induction linking the closed loop formed by the signal path and the return path which form a data channel. The noise voltage induced by the loop antenna effect is directly proportional to the loop area.
The radio frequency interference emanating from a data transmission link must be kept low to prevent excessive interference with the operation of other systems. Analogous to the data link noise susceptibility problem, RFI generated internal to the data link is transferred from its source to other systems by either conduction or radiation or both. The radiated part of the RFI emitted by the data link is proportional to the loop area as well as the current in the channel.
The data link can therefore act as an RFI receiver or transmitter using the same mechanisms of conduction and/or radiation. In general, a cable that does not produce radiated or conducted RFI will not be susceptible to radiated or conducted RFI. In a practical sense, the radiated and/or conducted RFI can be reduced to a level which is no longer troublesome. Methods and hardware for accomplishing this are considered in the following paragraphs.
A method of rejection of common mode or conduction noise is to balance and isolate the data link from the terminal equipment grounds. Well balanced transformers and transmission lines provide several features that help improve the noise problem. Current that is coupled through the transformer will be balanced, and transmitted equally. If the transmission path is balanced also, the noise will be cancelled and have no observable effect on the data signals at the receiver. Magnetic coupling of ground conduction noise, through the transformers, is also balanced because of the center tapped windings at the transmit and receive terminals. Currents induced by RFI radiation linking the loop also have no effect on the received data signal. From the preceding analysis, a well balanced isolated transmission system having small loop area is most advantageous.
External shielding without balance aids in the rejection of radiated and capacitive coupled interference. The degree of rejection, however, will prove less than that obtained by a well balanced system.
lines with differential receivers which are
other signals below a certain threshold,
tively high data levels.
Noise
T
be rejected by use of direct co
to reject common
e of noise rejectio
There are other means b
in the data link can be reduce
rated from the noise spectra b
high power noise frequencies.
Pulse amplitude, rise t
emitted by a pulse, increa
increases the emitted inter
signal will be subjected to,
signal.
Determining the most desirable data bandwidth and signal level with respect to hardware and noise is a complex trade-off. Some of the possible methods for implementing the data transmission link appear in the following section of this report.
6.3.2 Types of Data Transmission
There are several methods by which the data transmission may be accomplished. Three general methods of applying and recovering data signals are considered here.
For the following discussions, some definitions are applicable: The NRZ-L*, PCM (pulse code modulated) code from the multiplexer will be at a one megabit per second rate. Bit clock will be supplied by the data link, both at transmit and receive terminals. Word or frame synchronizing will be accomplished in the multiplexer. At the receiver, NRZ-L, PCM code waveforms, a replica of the remote input, will be supplied to the multiplexer. Figure 6-3 is an illustration of various data encoding techniques.
6.3.2.1 NRZ Data Transmission System (Method A). An initial consideration leads to the possibility of transmitting the basic NRZ-L data without modification (encoding). Essentially, the NRZ-L data is passed through a low pass filter and applied to the line via an amplifier or suitable line driver. A crystal clock is well filtered and applied to the line also. The adding circuits for the filtered NRZ-L and clock are linear, and no intermodulation occurs. The filtering is accomplished by RC networks which will result in less complexity and weight. The transmission line will be well characterized on both transmit and receive ends to keep RFI at a minimum. The data power level on the transmission line will be reduced to produce low RFI emission and still allow low error rate.
The clock is a line spectrum signal, whose frequency is located well above the data transmission band, where it is easily separated at the receive terminal. The band limited data causes low interference at clock frequency. Since clock frequency is a multiple of data rate, spectrum energy of data will be low at clock frequency and data interference with clock will therefore be low. The time constant of the clock filters will be chosen for the smallest allowable time delay commensurate with system operation.
The advantage of this system is equipment simplicity because no encoding or decoding is necessary.
The disadvantages are:
1. The necessity of transmission to zero frequency, and in the low frequency region where the assumed noise is at its greatest. This
will require the use of balanced transmission cable
noise improvement and also necessitate DC couplin
2. Bit sync must be transmitted separately since there may be a lack of data transitions over many bit periods. Phase lock synchronizers which derive bit timing from basic data are not attractive for operation under these conditions because of long pull in times and
able loss of data.
-return to zero-level) is data in w
or absence of a "1",
the level of the si
6.3.2.2 Modem, Bi-phase Level (Method B). NRZ-L data is encoded to Bi-phase Level (Manchester) in which a transition occurs every bit time, in one direction for a "one" and the opposite direction for a "zero". A balanced transmission line is used with transformer coupling (AC coupled) and resistor isolation. A band pass filter is used at the receiver to reduce the noise bandwidth of the system. The filtering can be accomplished by either LC or RC networks. The transmission line will be well balanced at both ends to keep RFI at a minimum. The data power level on the line will be reduced to produce low RFI emission and still allow a low error rate.
The receive terminal decodes the Manchester to NRZ-L which will be a replica of the transmit input. To allow this, the receive clock must be an accurate reconstruction of the clock at the transmitter.
Important requirements for this clock are the preservation of the frequency and the phase of the transmit clock. Since the Manchester code contains a transition for every bit, and is synchronized by the transmitter clock, the code transitions contain sufficient information to reconstruct a proper receive clock. At the receiver input samples of the code transitions are made in the signal conditioner. These are phase compared with the output from the receiver voltage controlled crystal oscillator in a phase detector. The detected output closes the oscillator control loop. Loop parameters are selected to allow good frequency pull-in and close phase-lock.
The advantages of this method are:
1. Transmission system does not require response to DC and can be band limited, thereby reducing the interference susceptibility and emission.
2. Receive clock can be reconstructed from received data.
3. The transmission band is located in a lower noise band than that required to transmit the basic NRZ-L data.
The disadvantages are:
1. It requires complex means to derive received clock.
2. The circuit complexity is greater than that required to transmit only basic NRZ-L data.
Two other techniques are available for clocking and bit synchronization using this method of data transmission. In one, clock information is sent directly over the transmission path. The prime frequency of the clock is generated well above the pass-band required by the encoded data. The sine wave thus generated occupies a line spectrum which can be easily filtered from the data at the receive terminal.
clock at either terminal is the line oscillator frequency divided by eight.
Over and above the advantages of
hase-locked loo
e previous system is the feature of reducing
to dividers at each terminal.
dva
his be made accept
of this technique e jitter that prevails in the clock
The second technique uses a clock at each transmitter and receiver and no clock on the line. This clock frequency is also approximately eight times the data frequency, and the same type of circuitry is used to derive the bit timing from the Manchester data using a faster clock to strobe the time intervals from transition to transition.
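The second technique, sketched as an added example that is not code from the report: a receiver samples the line with its own clock at eight times the bit rate and recovers the Manchester bits from the intervals between transitions, rejecting any interval that is not a half-bit or a full bit. The polarity (a ONE is high then low), the tolerance windows, the assumption that sampling starts on a bit boundary, and all names are assumptions.

```python
# Added example (not from the report): Bi-phase Level (Manchester) decoding by
# timing the intervals between transitions with a local 8x clock.
OVERSAMPLE = 8                                            # local ticks per bit
HALF = range(OVERSAMPLE // 2 - 1, OVERSAMPLE // 2 + 2)    # 3..5 ticks: one half-bit
FULL = range(OVERSAMPLE - 1, OVERSAMPLE + 2)              # 7..9 ticks: two half-bits


def manchester_encode(bits):
    """Return half-bit line levels. Assumed polarity: ONE = 1,0 and ZERO = 0,1."""
    halves = []
    for bit in bits:
        halves.extend((1, 0) if bit else (0, 1))
    return halves


def sample_line(halves, ticks=(OVERSAMPLE // 2,)):
    """Receiver's view of the line: half-bit i lasts ticks[i % len(ticks)] local
    clock ticks, so an uneven tuple imitates clock mismatch and skew."""
    samples = []
    for i, level in enumerate(halves):
        samples.extend([level] * ticks[i % len(ticks)])
    return samples


def run_lengths(samples):
    """Collapse the sample stream into [level, tick_count] runs between transitions."""
    runs = []
    for sample in samples:
        if runs and runs[-1][0] == sample:
            runs[-1][1] += 1
        else:
            runs.append([sample, 1])
    return runs


def manchester_decode(samples):
    """Return the decoded bits, or None on a code violation.

    Sampling is assumed to begin at the first half-bit of the first bit,
    as it would after a no-data interval on the bus.
    """
    halves = []
    for level, length in run_lengths(samples):
        if length in HALF:
            halves.append(level)
        elif length in FULL:
            halves.extend((level, level))
        else:
            return None              # interval too short or too long to classify
    if len(halves) % 2:
        return None                  # message ended in the middle of a bit
    bits = []
    for first, second in zip(halves[0::2], halves[1::2]):
        if first == second:
            return None              # no mid-bit transition: not valid Manchester
        bits.append(1 if (first, second) == (1, 0) else 0)
    return bits


# Constructed sample data word.
SAMPLE_BITS = [0, 1, 1, 0, 0, 0, 1, 0]
```

A missing mid-bit transition is reported as a violation rather than decoded, which gives the receiver an error check in addition to any parity on the word.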
6.3.2.3 Modem, RF FSK (Method C). The third type of data transmission system is a true carrier system utilizing frequency shift keying. Bi-phase-L or NRZ-L data modulates the carrier, shifting it up or down in frequency. The modulated signal is AC coupled to the transmission line. The transmission line is terminated in its characteristic impedance for minimum RFI and driven with low power. Filtering is less complex.
Clocking techniques for this type of system are of the same possible types as those for the basic or Bi-phase system (A, B). The main advantage of this system is that the transmission spectrum is limited to a band centered about the carrier frequency. This allows placement of all data transmission in a low noise portion of the spectrum on the spacecraft thereby reducing the interference susceptibility to the lowest possible. The circuit complexity of this system is greater than that required for method A or B.
A comparison between the three methods is illustrated in Table 6-2.
Table 6-2. Transmission Methods
Basic System
  Transmit Data Directly, Bit Sync Transmitted Separately
  DC Coupled to Line
  Transmission in Highest Noise Region
  Simple Filters
  Equipment Simplicity
Modem, Bi-Phase Level
  Transmit Combined Data and Clock
  AC Coupled
  Transmission in Medium Noise Region
  Fairly Complex Filters
  Medium Equipment Complexity
Modem, Carrier
  Transmit Data on a Different (Carrier) Frequency
  AC Coupled
  Transmissions in Low Noise Region
  Filtering Less Complex
  Most Hardware
6.3.3 Baseline Method of Data Transmission
Method B, baseband transmission of Bi-phase level encoded data (Manchester) was selected as the baseline approach for the I/O bus. By careful and proper design, this system utilizes a minimum of hardware for the maximum economy and reliability. At the fairly low data rates for the I/O bus, this method of data transmission presents little risk.
Method A has numerous disadvantages which outweigh its fairly simple implementation. DC coupling to the data link is probably the major disadvantage of this technique. It is, however, feasible to employ this type of data link for internal computer bus structures of short length.
Method C has one distinct advantage and is certainly a viable alternative to method B even with the added hardware it requires. The ability to move the data transmission band into a low noise region of the frequency spectrum may be the only reasonable solution if the spacecraft is "noisy". To specify this method now would probably be over-design, but by the same token, it can't be completely ruled out. Receiver filters for this carrier system are also much easier to design and require smaller components than for method B. The required signal power for this method should be lower than for method B due to the smaller margin allowed for noise.
6.3.4 Data Link Transmission Cable
Data links within the spacecraft require relatively short transmission paths. The electrical requirements of low signal attenuation, low delay distortion, and wide bandwidth are easily fulfilled for data links by existing cables. Choice of cable based upon these transmission requirements alone is very broad. However, other requirements can greatly restrict the cable choice. The cable may be subjected to and should operate satisfactorily in hostile noise environments. Also many mechanical constraints prevail, such as weight, strength, flexure, operation in the physical environment, size, configuration, physical limitations on connectors, etc. In addition, cost may be a factor.
The data cable cannot always be ideally routed within the station. It may share ducts and be cabled with wires of other electrical services. Routing near high powered electrical apparatus or near electrically sensitive sensors may become unavoidable. Therefore, the susceptibility to and emission of interference of the cable becomes a serious problem.
From available data, no consideration was given to a single wire-ground return transmission system, since the conductive noise alone shall render this a poor transmission path at its best. Multiplexing data on power cables or on wires for other services falls in the same unusable category.
The use of shielded, twisted pair is considered an economical solution. However, experience in the field of communications has shown that the nonuniformity in the ordinary twisted pair, even when well shielded, has limited use in the transmission of complex high frequency waveforms. These types of cables are usually employed in high level or lower quality signaling where interference is no problem. High quality twisted pair shielded cables are a must if they are to be used for the I/O bus system.
The transmission of basic NRZ-L data i
ments. If the data continuously marks or sp
the transmission band is in the high conducti
be used to overcome noise. Low pass filtering may be emplo
but the high frequency cut-off must not unduly limit the data r
Encoding NRZ-L data to Manchester improves the cable requirements. The Manchester code does not require coupling to DC. The transmission band is in a less severe noise region. The band can be limited by filters, since only the encoded transitions need be preserved to reconstruct the clock and code. Reducing the (noise) band allows the signal level to be reduced with a consequential reduction in RFI.
Modulating an RF carrier with Bi-phase imposes the least restrictions on the cable. The transmission band is in a low noise region. No DC component need be transmitted. Band limiting can be employed.
Possibly, the best cables for the data link considering noise rejection and low emitted RFI are those specially designed for this type of service. A common one is the video pair presently produced for the commercial television industry. This cable is a special design, well balanced, doubled shielded, twisted-pair which has proved superior to good quality single wire coaxial cable as to conductive interference rejection. The main objections to this cable are its weight and the commonly available connectors which are relatively large and unwieldy. Two conductor coaxial cable or twinax is another good choice of cable. Connectors for this type of cable are more readily available and are of small size.
The use of a special light weight (approximately one pound per 1,000 feet) flat cable has been considered. Autonetics has developed and tested a cable of this configuration. The cable features an internal shield design, with an extremely small loop area. Laboratory tests have shown much merit in its ability to operate in a hostile noise environment. Connectors are not readily available for this type of cable at the present time. Table 6-3 is a compilation of data on some possible cable types. The preferred cable for this application is a high quality, medium impedance, twisted pair shielded cable similar to F V P Z - 19. The special light weight flat cables should also be considered especially if new developments and improved connectors become available.
6.3.5 Clocking Techniques
Various clocking techniques were outlined in the data transmission link section. The simplest technique was not included in that discussion. It would be to have separate clock lines from data lines, with the clock generated at the computer and continuously illuminating the lines, or with the clock generated at each transmitter. The latter technique has the simplest decoding technique while the former technique is almost as simple except for some compensation necessary at the computer to handle the skew and delays during SIU transmission.
In the first case, all clocking per bus would be dependent on the single clock source and driver at the computer end of the bus. The second technique would allow SIU responses after loss of the clock driver at the computer end, but this is only possible if commanded by the computer through a separate bus to the SIU.
The three methods of clocking discussed in 6.3.2.2 are: (1) utilizing a derived clock at the receiver in a phase-lock loop (2) transmitting a higher frequency clock with the data or (3) providing a higher frequency clock source at each SIU.
The first method is fairly complex and more suited to simplex operation and not the half-duplex message burst type operation to be used on the I/O data bus. It can therefore be eliminated on these grounds. The comments above for a clock technique utilizing a single clock source apply to this second method as well. Separate clock receivers and filters are also required in both cases to receive the clock at each SIU.
The third method requires separate clock sources at each SIU. In all likelihood 
these clock sources will be required for LP operation anyway and as such already 
exist at the SIU interface. 
These techniques can be then listed for comparison as follows and are shown in Figure 6-4.
1. Separate Clock Lines
a. Single Clock Source
b. Multiple Clock Sources
2. Derived Clock
a. Single Higher Frequency Clock Source
b. Multiple Higher Frequency Clock Sources
In terms of line drivers and receivers, given that LP clocks exist at each SIU, 1a and 2a have the same number of clock receivers and drivers. 2b requires none. 1b has twice as many line drivers and receivers as 1a or 2a.
Techniques 1a and 1b require twice as many data lines as 2a and 2b, but 2a and 2b require dividers and logic to derive the clock from the data.
The choice then rests between 1a (half the hardware of 1b) and 2b (much less hardware than 2a). 1a has the simplest clock reconstruction circuitry at the cost of twice the data lines. 2b eliminates the need for the extra data link at the cost of more complex clock derivation circuitry. 2b also has an identical design at both the computer-bus interface and the bus-SIU interface while 1a does not. 1a may require adjustable delays at various receivers as well as special compensation circuitry at the computer-bus interface data receiver.
The preferred choice of technique is 2b. This eliminates the extra data link and discrete and linear circuits (clock receivers) at each SIU in favor of additional digital circuits more compatible with LSI techniques. All data receivers and Manchester decoders are now identical throughout the bus system. This selection also reduces considerably the interface pins necessary at each SIU.
6.3.6 Synchronization Technique
Two types of synchronization are necessary for bus operation. The first type is bit synchronization. This establishes equal time intervals at both the transmit and receive ends of the data link. Bit synchronization will be achieved by deriving the timing from the received data stream in Bi-phase Manchester encoded form as discussed earlier.
The second type of synchronization required in the system is group synchronization. This is used to pinpoint an origin of time, which is the reference necessary to assemble detected bits into words and messages. There are two broad categories of synchronization techniques for group synchronization. One is to send a sync code as a part of the data stream and the second is to transmit a sync code in a different form from that of the data.
A request-acknowledge system has controlled message blocks and predetermined format. Few if any major synchronization problems result in this type of operation. No question of synchronization exists in the communication from LP to computer. The computer has requested this response and knows when it is to occur within less than one bit time. The only timing differences to be resolved are due to various line delays and skew problems. The sync code for this portion of the system can be extremely simple and minimal. A 3-bit Barker code15 is proposed for this purpose, requiring a minimum of overhead. It will be transmitted by the LP in an identical fashion as data. The sync code will be rO117.
The synchronization at the LP to be achieved when the computer is transmitting occurs at somewhat random intervals. Before each of these sync codes occur, no data transmissions occur. By requiring this "dead band" interval all SIU's can be alerted that the next code broadcast will be a sync code. In this system operation the "dead band" interval can be quite large if the computer is not initiating any requests.
To shorten this interval and limit the time over which the SIU is "looking" for 
sync a "transmit no-data band" will be used. 
This transmit band will be generated by the computer bus control. When it turns on the transmitter at the computer to initiate a message, the transmitter will first transmit a minimum of two zeros. This will then be followed by the sync code as data. The proposed code for this direction of transmission will be a second configuration of a 3-bit Barker code.
Thus at the SIU, a no transmit interval, followed by one or two zeros, indicates the time to look for the sync code. Two zeros should be enough to bring up the receiver (if not, more can be allowed) and ready it to sync detect. The sync code /olOO~ must then be detected exactly and correctly or the SIU will reset to a "wait for To transmit" interval.
The use of different sync codes for computer-to-LP and LP-to-computer transmissions rules out LP-to-LP communication. SIU sync detectors will not be able to detect the sync code generated by the SIU. This prevents SIU's from becoming active when another SIU is transmitting and going through an address recognitio
thereby possibly receiving false data. Additional safeguards are also pr
the sync code is always followed by the LP address concerned with the c
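The SIU receive sequence described above (no-transmit interval, one or more zeros, exact sync code, then LP address), as an added example that is not code from the report. The two 3-bit sync patterns are labelled stand-ins because the printed values are not legible in this copy; the dead band length, the one-symbol-per-bit-time stream model and all names are likewise assumptions.

```python
# Added example (not from the report): group synchronization at an SIU receiver.
QUIET = None                  # one bit time with no transmission on the bus
DEAD_BAND = 4                 # assumed minimum no-transmit interval, in bit times
COMPUTER_SYNC = (1, 0, 0)     # stand-in for the computer-to-LP sync code
LP_SYNC = (0, 1, 1)           # stand-in for the LP-to-computer sync code
ADDRESS_BITS = 5              # up to 32 addressable LPs


def frame(sync, address, zeros=2, quiet=DEAD_BAND):
    """Build a constructed bus stream: dead band, leading zeros, sync, LP address."""
    addr = [(address >> i) & 1 for i in reversed(range(ADDRESS_BITS))]
    return [QUIET] * quiet + [0] * zeros + list(sync) + addr


def siu_is_addressed(stream, my_address):
    """Return True once a correctly framed message carrying my_address is seen.

    Any deviation (no dead band, wrong sync code, wrong address, a gap inside
    the frame) sends the receiver back to waiting for a no-transmit interval.
    """
    state, quiet, shift = "WAIT_QUIET", 0, []
    for sym in stream:
        if sym is QUIET:
            # A gap aborts any partial frame and (re)starts the dead-band count.
            quiet = quiet + 1 if state == "WAIT_QUIET" else 1
            state, shift = "WAIT_QUIET", []
        elif state == "WAIT_QUIET":
            if quiet >= DEAD_BAND and sym == 0:
                state = "PREAMBLE"            # first zero after the dead band
            quiet = 0                         # the line is active again
        elif state == "PREAMBLE":
            if sym == 1:                      # stand-in sync code starts with a ONE
                state, shift = "SYNC", [1]
        elif state == "SYNC":
            shift.append(sym)
            if len(shift) == len(COMPUTER_SYNC):
                if tuple(shift) == COMPUTER_SYNC:
                    state, shift = "ADDRESS", []
                else:
                    state, shift = "WAIT_QUIET", []   # sync must match exactly
        elif state == "ADDRESS":
            shift.append(sym)
            if len(shift) == ADDRESS_BITS:
                if int("".join(map(str, shift)), 2) == my_address:
                    return True
                state, shift = "WAIT_QUIET", []       # message is for another LP
    return False
```

Because the detector only matches the computer's code, a frame that another SIU sends with the LP-to-computer code never activates it, which is the LP-to-LP exclusion the text describes.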
An incorrect receipt of the sync code by an L P  (at the proper time) also shall 
This is an  attempt to keep multiple LP’s f rom not elicit a response f rom the LP. 
transmitting simultaneously. 
LP does not know when o r  whether a response is  to be made. 
4 .  4 ERROR PROTECTION TECHNIQUES 
Also, without correct  reception of the sync code , the 
There are many techniques available for controlling errors in digital communications. In general, the necessary error protection for reliable communication is an engineering decision. The available techniques reduce the number of undetected errors to some reasonable number consistent with the design constraints of cost, size, weight, power, band width, etc. Beyond this point the expenditures necessary for error control produce diminishing results.
Of importance in any specification of error control techniques must be some realistic assessment of the expected cause of the errors to be controlled. Errors fall into many classifications (see ref. 6-12) and can be due to hardware, software, and/or external influences. The most difficult category to approach is errors due to external interference or noise. The resultant data after this type of error is of prime importance in selection of a means of error protection coding. For example, a simple parity check consisting of one bit can be used. This code is effective only for noise sources that produce an odd number of errors in the data word including the parity bit. If the expected noise characteristics are of this type, the parity code is very efficient. If, in fact, the errors do not follow this characteristic, the parity check is of little value.
Thus the first task of error control is to attempt to define the expected errors that can occur and should be at least detected. Also to be defined is the result on the system of undetected errors. This gives the design goal of the system in relation to the portion of errors that need to be controlled for the desired operation of the system.
This leads directly to the second task. Given that an error occurs, and it is to be detected to some confidence level, what action must be taken to minimize the effect of the error on the system. Error protection can be roughly divided into two areas, (1) error detection and (2) error correction after detection.
Error detection is by far the major technique employed in error protection. It is, of course, necessary to detect errors before error correction can proceed. But some systems can operate with little or no error correction, as long as error detection is used to eliminate erroneous operation utilizing bad data. Simple techniques such as retransmission of data, or no operation until the next valid piece of data is received, can be used for correction. The most complicated error protection schemes reconstruct the correct data (error correction) from the erroneous data (error detected).
Thus the impact of incorrect data at a systems input must be evaluated to determine the extent of error protection required for desired operation. Also the time allowable for corrective action must be defined. Systems which can tolerate loss of data for a period of time, or an interruption of service until appropriate action is taken, require a lesser degree of error protection techniques. Systems which cannot allow this type of event may require very complicated schemes to insure continuous correct data.
The following then need to be defined:
1) Sources, frequency, and types of errors expected in th
2) Number of errors against which system should be protected;
3) Confidence level for error protection;
4) Error rate allowable;
5) User system tolerance to errors;
6) Action desired or required after error detection;
7) Response time for corrective action;
8) Evaluation criteria to trade off various techniques that can achieve the desired results.
The following error protection techniques will be discussed in subsequent sections. The characteristics of each technique, along with the hardware and/or software implications will be examined. The advantages and disadvantages of the techniques will be related to the system constraints of size, weight, power, reliability, maintainability, and cost, where possible.
1) Parity Checking Techniques;
2) Complex Parity Checking Techniques;
3) Hamming Codes;
4) BCH Codes;
5) Fire Codes and Other Burst Codes;
6) Block Versus Convolution Coding Techniques;
7) Combinations of Codes;
8) Retransmission Techniques.
6.4.1 Parity Checks
A simple method of checking for errors is to use one redundant bit for this sole purpose. The value of this bit is so chosen that the number of "1's" in the group of bits to be checked is odd or even. These are consequently called odd parity or even parity checks. In this way, a single error in any one of the bits can always be detected.
Several important properties of parity checks are the following:
1) An error in the parity bit itself wil
2) Parity check can detect errors to o ot
detect errors to an even number of
3) Parity check is invariant to shifting of the data if no bits are added or deleted;
4) Parity check is independent of the binary point location.
There are no overwhelming arguments in favor of either odd or even parity. Odd parity is usually used for two reasons. One: a string of bits including parity can never contain all zeros; and two: if the string had an even number of bits then the all 1's case also can never occur. These two cases can be used to detect circuit malfunctions that produce no output, or all "0's" output and all "1's" output. Neither parity check, odd or even, detects double errors by itself.
Parity checks need not include all bits of a group but can be selectively applied. Also, multiple parity checks may be used within a given group of bits or word, such that each parity bit checks some predetermined set of bits. Parity bits are the basis of most error detection techniques.
Single bit parity on a group of bits (word) is the most common and extensively used error control technique. It is extremely effective for random and independent noise sources when applied at a word level. It is the simplest technique in terms of hardware and can be performed in parallel or serial fashion.
6.4.1.1 Complex Parity Techniques. Multiple parity bits can be used to some advantage in coding for error control. One such parity technique is called modulo-4 parity to distinguish it from simple or modulo-2 parity techniques. Modulo-4 parity can detect some errors that perturb an even number of bits, but not all. It requires twice the number of parity bits per word or other group of bits being checked.
Modulo-4 has some advantages when detecting dependent errors such as for hardware faults, rather than random errors. For example, double errors or faults that tend to cause all erroneous bits to go to the "one" state or all bits to go to the "zero" state are detected.
6.4.1.2 Hamming Codes. Hamming codes are the simplest and most well-known of the error detecting and correcting codes. Since the publication of Hamming's paper describing this class of codes in 1950, more generalized codes have been constructed, of which Hamming codes are a special class. The application of Hamming codes to detect and correct errors of a random, independent nature are well documented.
The Hamming codes are quite easy to implement. The code is constructed by incorporating a number of parity checks for each word. Each parity bit checks the parity of certain groups of information bits within the word. The number of checking bits required for a certain word size can become quite large and this imposes a practical limit on the use of this code. For computer word sizes of 16, 24, and 32 bits, single error correcting or double error detecting Hamming codes require 5, 5, and 6 check bits.
Using Hamming codes adds more circuit complexity and costs more than simple parity checking. Hamming codes detect a larger number of errors for this increased cost and reduced coding efficiency.* They are certainly the simplest error correcting
s if so desired. Hamming encoding and decoding is usually performed in
e although serial operation is possible with modification of storage,
*Code efficiency is defined as the ratio of the actual information bits to the total number of bits used to effect transfer of these information bits, as a percentage of 100.
One disadvantage of Hamming codes is the inability to distinguish between multiple and single errors. For example, using the single error correcting or double error detecting code, if single error correction is assumed and a double error occurs, the correction will take place and form a valid code word but it will be an erroneous result. This action cannot be separated from, and will be identical to, that taken if only one error occurred. Thus one might be more inclined to use Hamming codes for error detection than corrections, especially where erroneous outputs are to be avoided.
6.4.1.3 BCH Codes. The binary BCH (Bose-Chaudhuri-Hocquenghem) codes are a generalization of Hamming codes for multiple error correction. They are as a class the best of the known constructive codes for channels perturbed by random, independent errors. The error correction procedures of BCH codes are fairly complicated. Kastenholz (ref. 6-9) has investigated techniques for implementing these codes utilizing a digital computer and programming the decoding procedure. Large amounts of storage are necessary for practical code lengths as well as computer time.
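
The Hamming code behavior described in 6.4.1.2 above (check-bit counts, and a double error being silently "corrected" into a wrong but valid code word), as an added example that is not part of the original report. The bit layout (check bits at power-of-two positions, even parity per check group), the sample word and all function names are assumptions of this sketch.

```python
"""Single error correcting Hamming code over one computer word (added example).

Assumed layout: positions are numbered from 1, check bits sit at the
power-of-two positions, and each check group uses even parity.
"""
from itertools import combinations


def check_bits_needed(k):
    """Smallest r such that r check bits can point at any of k + r positions."""
    r = 0
    while 2 ** r < k + r + 1:
        r += 1
    return r


def is_check_position(pos):
    return (pos & (pos - 1)) == 0


def encode(data):
    """Place the data bits, then fill each check bit so its group has even parity."""
    n = len(data) + check_bits_needed(len(data))
    code = [0] * (n + 1)                      # index 0 unused
    bits = iter(data)
    for pos in range(1, n + 1):
        if not is_check_position(pos):
            code[pos] = next(bits)
    p = 1
    while p <= n:
        code[p] = sum(code[pos] for pos in range(1, n + 1) if pos & p) % 2
        p <<= 1
    return code[1:]


def syndrome(code):
    """XOR of the positions holding a 1; zero for every valid code word."""
    s = 0
    for pos, bit in enumerate(code, start=1):
        if bit:
            s ^= pos
    return s


def extract(code):
    return [b for pos, b in enumerate(code, start=1) if not is_check_position(pos)]


def decode_correcting(code):
    """Assume at most one error and flip the bit the syndrome points at."""
    s = syndrome(code)
    if s == 0:
        return "ok", extract(code)
    if s > len(code):                         # points outside a shortened word
        return "uncorrectable", None
    fixed = list(code)
    fixed[s - 1] ^= 1
    return "corrected", extract(fixed)


def decode_detect_only(code):
    """Reject any word with a non-zero syndrome; never alters data."""
    return ("ok", extract(code)) if syndrome(code) == 0 else ("error", None)


def double_error_survey(data):
    """Inject every 2-bit error and count how the two decoders react."""
    sent = encode(data)
    counts = {"miscorrected": 0, "flagged": 0, "missed_by_detection": 0}
    for a, b in combinations(range(len(sent)), 2):
        rx = list(sent)
        rx[a] ^= 1
        rx[b] ^= 1
        status, out = decode_correcting(rx)
        if status == "corrected" and out != data:
            counts["miscorrected"] += 1       # valid code word, wrong data
        elif status == "uncorrectable":
            counts["flagged"] += 1
        if decode_detect_only(rx)[0] == "ok":
            counts["missed_by_detection"] += 1
    return counts


# Constructed sample: one 16-bit word.
WORD = [1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 1, 1]

if __name__ == "__main__":
    print([check_bits_needed(k) for k in (16, 24, 32)])
    print(double_error_survey(WORD))
```

Used for detection only, the same check bits reject every single and double error; used for correction, most double errors come back marked "corrected" with wrong data.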
The procedures involved in BCH error correction generally consist of solving for the roots of a t-degree polynomial and a set of t simultaneous equations (t equals the number of correctable errors). Recent work indicates that there may be ways of reducing this complexity (ref. 6-13). The Berlekamp algorithm is one such technique, using either hardware or software, that speeds up the process of solving for the roots of the error polynomial (ref. 6-4).
The use of BCH codes for error-detection only should also be considered. This part of the decoding process is by far the easiest and least time-consuming. The BCH codes are cyclic codes. Such codes are undesirable when loss of synchronism occurs since shifted cyclic code words are also valid code words. Other methods of detection are then necessary.
6.4.1.4 Fire Codes and Other Burst Error Codes. Conventional multiple error correcting codes will increase the reliability of data transmission at the cost of a relatively large increase in redundancy. Such codes do not make an efficient use of the fact that multiple errors are likely to be adjacent ones. Codes have thus been developed to handle this case and are called burst or non-independent error correcting codes. Fire codes are a generalization of much of this work on codes to protect against the incidence of non-independent errors.
The Fire Codes compose one of the most efficient classes of burst error control codes (ref. 6-9). Although Fire Codes are quite good they take a long time to decode and have a low efficiency for shorter block lengths (ref. 6-4). The decode process can be simplified and shortened by eliminating some of the error correction capability of the code.
Fire Codes are oriented toward single burst errors per message over a fixed message size. Multiple burst errors are a good channel model but not
are known capable of correcting multiple bursts. Stone developed some codes but they are difficult to implement.
Reed-Solomon codes are the most practical codes for multi
rection. They are character based codes and a special case of
decoding for Reed-Solomon codes is complex and usually requir
mentation (ref. 6-13). In general, they are simpler but similar in dec
BCH codes for the e block length (ref. 6-4). The code efficiency i
6.4.1.4 Block Versus Convolutional Coding Techniques. In the preceding discussions of codes only block type codes have been considered. Convolutional coding techniques are not as well investigated or studied. The redundancy is usually higher in convolutional codes. It is possible to have a simpler decoding algorithm using convolutional codes and it is also argued that these codes are perhaps more adaptive to change in channel statistics (ref. 6-4).
The methods of implementing these two basic types of codes differ substantially. These differences can be important enough to give either type of code an advantage in a particular application. Both types are subject to similar limitations and have approximately the same inherent capabilities. As far as theoretical error protection capability, there appears to be no significant difference between block and convolutional codes (ref. 6-13).
Block codes have a simpler structure and are more useful for reasonably clean channels where low redundancy codes and simpler decoding algorithms can be used to satisfy the transmission requirements (ref. 6-4). Since data is usually transmitted in blocks, block codes are better suited where error detection is required (ref. 6-10). Convolutional codes can require considerable storage depending on block sizes and code lengths.
6.4.1.5 Combinations of Codes. It is well known that combination of codes, utilizing the advantages of each type of code, can be more effective than implementation of any of the individual codes. Code combinations can take many forms, such as a different code structure for sub blocks or words than for the overall block. Many types of the previously discussed codes can be used together.
An example of this type of error control might utilize a random error protection code for part of the system and a burst error code for a different part. Each code would be matched to the expected channel characteristics for that portion of the system to be protected.
Various types of coding structures have been defined in the literature. Interleaved codes (ref. 6-3) are used to break up error bursts with subcodes interpreting the errors as independent. In this manner subcodes of lesser complexity can be used to protect against situations that would require codes with impractical decoding complexity. The disadvantage of these types of codes is the higher than necessary redundancy, and hence reduced efficiency, compared with the more sophisticated single code approach.
Two-dimensional (ref. 6-3) and N-dimensional codes are another class of error protection techniques that utilize the previously discussed codes or combinations of these codes. These structures are also termed iterated codes (ref. 6-1). The two-dimensional structure organizes data into rectangular blocks with separate (similar or dissimilar) codes applied to the rows and the columns. The decoding process can function independently, checking first the rows and then the columns, or simultaneous decoding can be done. The serial operation is much simpler and more practical than the parallel one (ref. 6-31).
This type of coding allows identical or different codes to be applied to the rows and columns depending on the error statistics of the data or channel. Any two-dimensional array can be, of course, changed to a one-dimensional vector. In this form, a code with less redundancy (higher efficiency) could be obtained for the entire block (ref. 6-8). However, as noted above, the combined decoding process might be simpler
e more complex structure. Also this does not allow the flexibili
various codes and block lengths inherent in the iterated code technique.
6.4.1.6 Retransmission Techniques. Error detection is an attractive means of error protection provided it is possible to retransmit the data. In the case of data transmission systems this implies the existence of a bi-directional chann
other feedback method to request the retransmission. Data links within
system can usually regenerate messages at the sending end when a mess
covered in error at the receiver.
If a feedback channel is present, one could calculate the probability of requests for retransmission and the average time the system operates in that
given the noise statistics of the channel. Performance could be then evaluated in terms of efficiency or throughput. In general, detection and retransmission is effective against highly clustered errors (ref. 6-13). For random error channels, or combinations of random and non-independent errors, some error will tend to appear regularly. In this event some minimum forward error correction can be used if necessary to improve the performance of the channel.
Benice and Frey (ref. 6-2) have examined the question of retransmission type systems based on an analysis that allows errors in the feedback channel and undetectable errors in both directions. Their investigation has shown the areas of relative superiority for both forward error correction and retransmission type systems based on throughput and undetected error rate. In almost all burst error channels and channels with a low probability of random errors, retransmission systems are shown to be superior. Only with an independent error channel with high error rates is the forward error correction method substantially better.
The redundancy of forward error correction is the additional bits added for this purpose. Using a detection-retransmission scheme the redundancy also includes all bits retransmitted. Therefore the efficiency of this technique depends on the detecting code redundancy as well as the probability of retransmission. With a low error probability, relatively long blocks or messages could be transmitted and fairly good efficiency achieved.
A somewhat increased error probability will increase the retransmissions. This can be overcome somewhat by decreasing the block size to decrease erroneous blocks. Further increases in error probability can shorten the block length so much that even the error detecting code is inefficient. At this point one might consider some simple forward error correction to lower the number of transmissions.
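
The block-size trade-off described above, as an added example that is not part of the original report. It assumes independent bit errors with probability p, retransmission of the whole message whenever any bit is in error, no undetected errors and no turnaround delay, and a message made of words with one parity bit each plus one check word; the 16-bit word size, the 62-word limit and all names are assumptions.

```python
"""Throughput of detection-retransmission versus message length (added example)."""

WORD_BITS = 16      # assumed data bits per word
MAX_WORDS = 62      # assumed: 62 protected words plus one check word


def code_rate(n_words, word_bits=WORD_BITS):
    """Information bits divided by bits sent for one error-free transmission."""
    return (n_words * word_bits) / ((n_words + 1) * (word_bits + 1))


def p_retransmit(n_words, p_bit, word_bits=WORD_BITS):
    """Probability that at least one bit of the message arrives in error."""
    total_bits = (n_words + 1) * (word_bits + 1)
    return 1.0 - (1.0 - p_bit) ** total_bits


def efficiency(n_words, p_bit, word_bits=WORD_BITS):
    """Information bits per transmitted bit, counting retransmitted copies.

    Each attempt succeeds with probability 1 - P, so a message is sent
    1 / (1 - P) times on average and the code rate is scaled by (1 - P).
    """
    return code_rate(n_words, word_bits) * (1.0 - p_retransmit(n_words, p_bit, word_bits))


def best_length(p_bit, max_words=MAX_WORDS):
    """Message length (in words) that maximizes efficiency at this error rate."""
    return max(range(1, max_words + 1), key=lambda n: efficiency(n, p_bit))


def sweep(error_rates=(1e-6, 1e-4, 1e-3, 1e-2)):
    """Return (p, best length, efficiency at best, efficiency at max length)."""
    rows = []
    for p in error_rates:
        n = best_length(p)
        rows.append((p, n, efficiency(n, p), efficiency(MAX_WORDS, p)))
    return rows


if __name__ == "__main__":
    for p, n, e_best, e_max in sweep():
        print(f"p={p:g}  best={n:2d} words  eff={e_best:.3f}  "
              f"eff at {MAX_WORDS} words={e_max:.3f}")
```

At low error rates the longest message is the most efficient; as p rises the best length shrinks until the parity overhead of very short messages dominates.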
Detection-retransmission can achieve a large reduction in error rate with a modest amount of equipment. It is probably the most economical technique of error protection (ref. 6-4). Also, it is pessimistic to assume that data is truly random, but no attempt is normally made to take advantage of any redundancy inherent in the data or in the data transmission process. In many cases discarding erroneous data has little or no effect, especially if a new data sample is to occur at frequent intervals. Thus one might only request retransmission after the loss of two adjacent (in time) data samples. Another possibility is to vary the handling of retransmission requests or size of retransmitted blocks depending on the priority or criticality of the use
the mode of operation of the system at that point in time.
6.4.2 Comparisons of Error Protection Techniques
The previous sections have detailed the various error control techniques, their applications, advantages and disadvantages. Each coding technique has generally been developed to satisfy a specific channel requirement or assume
problem. Within each code type exists a wide range of choices as to the size and degree of that type of code that can be applied to a specific situation.
The basic differences between most error protection codes relate to the type of errors to be detected and/or corrected. In order to compare these coding techniques for a specific application, the channel statistics must be known. These statistics are usually not available and thus models are used that approximate physical channels. The basic models for data channels are discussed in the next section.
6.4.2.1 Channel Models. An accurate determination of channel characteristics allows selection of the type and degree of error control coding necessary to insure the desired performance. This is the ideal situation. Practically, only estimates of channel statistics can be made, based on the kind of channel to be used and the possible external influences, without actually simulating the channel and its environment to great detail. Thus models have been developed which are gross approximations of possible channels. These models were conceived to allow analyses of the channel to be performed mathematically. Each model has a physical interpretation.
The basic channel model is called the BSC or Binary Symmetric Channel. The channel error statistics are independent of the binary symbol being transmitted, and each channel error is independent of all other channel errors. For a channel with 10 percent noise, the probability of a "1" being detected as a "0" is 0.1, as is the probability of any "0" being detected as a "1". This model satisfies the case where all errors are completely random and independent. Thermal noise in circuits can produce errors of this type.
Another channel model commonly used is called the burst channel. Disturbances within this channel occur within a span of bits called the burst length. Within the span the probability of error is high, and outside of the span the probability of error is zero. This model is approximately true if one considers the probability of error outside the burst is very small compared to the probability of error within the burst. This channel assumption is based on the fact that whenever an error occurred the channel is in a state where it is very susceptible to other errors within a short span of time. When the channel is not in an error state it continues error free until another burst occurs. In real channels this type of behaviour can occur with impulsive noise switching transients.
Neither the BSC or the burst channel model are very satisfactory. Experimental results show neither model accurate for most practical purposes. A third model, called a compound channel model (ref. 6-4), was developed in order to present a more practical approach to actual channels. This channel model has two states. In one state it operates much like the BSC channel, and in the second state like the burst channel. Thus multiple sources of error, both independent and dependent, are taken into consideration.
Other models have also been developed along the same lines as the compound channel. One is the low density burst channel which allows for bursts within bursts
e is the multiple burst channel which has proven to be fairly practical (ref. 6-4). Reed-Solomon codes were developed for this model. The multiple burst channel
errors occur in multiple bursts with each burst having a certain maximum duration,
6.4.2.2 Spacecraft Channel Model. A model to represent the communication channel for the space station will need to approximate the
for good "wire" communications. The signal to noise ratios for hard
tend to be high and can be adjusted as part of the design. Random noise is sufficiently low level that few errors are introduced from this source (ref. 6-8). Impulsive noise is usually a more serious problem. Switching transients do exist on board but are usually unknown at design time. Certainly the basic BSC model is not adequate for this type of channel. The burst channel would probably be reasonable if only one specific type (or class) of impulsive noise was expected and nothing else. Neither model accounts for noise and errors due to faulty equipment and components.
The spacecraft system is also to be designed insensitive to all types of noise, not just specific noise sources. Certainly a compound channel model would be the minimum to be expected in terms of channel error statistics. The multiple burst channel is probably more practical yet and a good channel model choice. Unfortunately, good codes amenable to this type of channel are little known.
The compound channel model is probably the best model for the spacecraft bus system. It is flexible enough to include both random and burst errors from multiple sources. The additive effects of the error sources are probably "worst case" in terms of design for error control. This fits the highly reliable communication desired for the spacecraft data channel.
6.4.2.3 Error Protection for the Spacecraft Channel. A comparison chart of error protection techniques is given in Table 6-4. Given the compound channel model, the various coding techniques which are aimed at the control of random, independent channel errors are of little value if used by themselves. These include the simple parity checks, Hamming codes, BCH codes and others. The burst codes of Fire and others are also somewhat lacking for this channel model.
Thus the conclusion is, given a realistic channel model none of the so-called error protecting codes are really designed for this situation. One possibility that immediately comes to mind is the use of combinations of coding techniques. This offers some distinct advantages in the error control selection process.
It is also well known that a considerably lower error rate can be achieved with a given code technique by using error detection than by using forward error correction. Another advantage of this approach is that most error protective codes are easier to implement for detection only than the more complex decoding for error correction.
Detection-retransmission techniques were shown to be superior t
correction when independent error rates are low and burst errors ar
situation is quite similar to the expected channel characteristics
munications channels. The space station data bus is bi-direction
amenable to this type of operation. The undetected error rate is
in the space station application. It is this parameter that is minimized with the error detection-retransmission scheme
Throughput is also maximized,
of overriding importance for this applic
6.4.3 Baseline Method of Error Control
Taking into consideration the operational requirements and design considerations for the I/O data bus as detailed in the preceding section, a baseline method of error control is chosen. It is assumed that good design practices will keep the bit error rate low (independent errors) for the bus.
The operation of the I/O data bus is based on a request-acknowledge system. Each communication from computer to LP is under computer control and is always bi-directional for proper operation. An error detection and request for retransmission type system will be the baseline method of error protection.
The bus communication takes place in blocks or messages to and from each S
Each message contains a variable number of words, i.e., each message is of variable length. All words will be of identical length. Each word will have error protection coding. The baseline method of error protection for the words will be the simplest of the various techniques, simple odd parity checks. This type of word protection will detect all errors to odd numbers of bits (independent or dependent) in each word. Utilizing this same format, a more complex method of error control can be applied for greater error detection if deemed necessary. Anything more than single bit parity will, of course, reduce the efficiency or throughput of the system and require either more hardware or software techniques.
Each SIU also has provision for receiving multiple independent copies of each word and voting if necessary. This makes the baseline method even more attractive and allows some correction without apparent retransmission.
It is also proposed that the baseline method of error control includes a check on each variable length message. This can be extremely difficult depending on the coding technique utilized. The baseline method for this message check will be again simple odd parity. One parity bit will be sent that checks a single bit in all words of the message. Thus an additional word is transmitted at the end of each message containing only parity bits. This is a form of two-dimensional parity checking discussed earlier. It is illustrated in Figure 6-5.
Given the baseline method of error control, all errors in a message affecting three bits or less will be detected. Also all burst errors of word length or less will be detected by this method. (Bursts are defined as length b and not every bit within this segment must be in error.) To detect other possible errors, the two parity checks act in such a way that an undetected error can occur only when every erroneous word and every erroneous bit position contain an even number of error bits. The total number of error bits must be an even number, four or greater, to cause a combined detection failure. The effectiveness of the message parity word increases with the size of the message; the fraction of all possible erroneous message
that will not be detected approaches 1
for large N (N equals the number of words in message) (ref. 6-2).
tion word length has an even number of bits, thus wit
all "0" word is an invalid word. The same check can be applied to the
word, i.e., that any message (excluding the checkword) containing an
words cannot have an all "0's" in bit position f.
This baseline me
no predetermined kno
done by software or h
FIGURE 6-5. TWO-DIMENSIONAL P
very attractive especially in systems such as this where the data transfer is from parallel (computer memory) to serial (to bus) to parallel (LP memory) a
This method of error control becomes less efficient when message lengths get shorter. For double word messages (control words) the efficiency is less than 66 percent. However, the error protection provided in this case is quite high. For critical items this gives maximum protection of the control word information.
The request for retransmission upon error detection is handled by the computer. The computer can thus determine the throughput of the system by the method in which it handles these requests, and can adjust for degraded modes of operation or subsystem criticality. It is also assumed that the computer can request the details of the parity check results to make its own determinations for fault detection and isolation. The two-dimensional simple parity check can also be used to correct
single error and simultaneously detect two errors to increase the system throughput. This might be done only at the computer (in software) where the cost is shared for all LP's involved.
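
The baseline word-plus-message parity check described above (its detection limits, the double-word efficiency figure, and single error correction at the computer), as an added example that is not part of the original report. The word size, the bit ordering, the choice that the check word covers every bit position but gets no word-parity check of its own, and all names are assumptions.

```python
"""Baseline two-dimensional odd parity over one message (added example).

Assumptions: each word carries its own odd-parity bit as the last bit, and the
check word holds one odd-parity bit per bit position (column), parity column
included. Rows are words in transmission order; the last row is the check word.
"""
from itertools import combinations


def odd_parity_bit(bits):
    """Bit that makes the number of 1s in bits + [bit] odd."""
    return 1 - (sum(bits) % 2)


def encode_message(data_words):
    rows = [list(w) + [odd_parity_bit(w)] for w in data_words]
    check_word = [odd_parity_bit([r[c] for r in rows]) for c in range(len(rows[0]))]
    return rows + [check_word]


def failed_checks(rows):
    """Return (words failing word parity, bit positions failing message parity)."""
    bad_words = [i for i, r in enumerate(rows[:-1]) if sum(r) % 2 == 0]
    bad_cols = [c for c in range(len(rows[0])) if sum(r[c] for r in rows) % 2 == 0]
    return bad_words, bad_cols


def receive(rows):
    """Detect, and correct a single error where the failed checks pinpoint it."""
    bad_words, bad_cols = failed_checks(rows)
    if not bad_words and not bad_cols:
        return "ok", rows
    fixed = [list(r) for r in rows]
    if len(bad_cols) == 1 and len(bad_words) == 1:
        fixed[bad_words[0]][bad_cols[0]] ^= 1      # intersection of word and column
        return "corrected", fixed
    if len(bad_cols) == 1 and not bad_words:
        fixed[-1][bad_cols[0]] ^= 1                # the check word itself was hit
        return "corrected", fixed
    return "retransmit", rows


def flip(rows, cells):
    out = [list(r) for r in rows]
    for r, c in cells:
        out[r][c] ^= 1
    return out


def undetected_patterns(rows, weight):
    """Count error patterns of the given weight that pass every parity check."""
    cells = [(r, c) for r in range(len(rows)) for c in range(len(rows[0]))]
    return sum(1 for pat in combinations(cells, weight)
               if failed_checks(flip(rows, pat)) == ([], []))


def undetected_bursts(rows):
    """Count serial bursts no longer than one word that pass every check."""
    width, total = len(rows[0]), len(rows) * len(rows[0])
    missed = 0
    for length in range(1, width + 1):
        for start in range(total - length + 1):
            for inner in range(2 ** max(length - 2, 0)):
                # first and last bit of the burst are in error, the rest vary
                offs = {0, length - 1} | {i + 1 for i in range(length - 2)
                                          if (inner >> i) & 1}
                pat = [divmod(start + o, width) for o in offs]
                missed += failed_checks(flip(rows, pat)) == ([], [])
    return missed


def efficiency(n_words, word_bits):
    """Information bits over transmitted bits for one message."""
    return n_words * word_bits / ((n_words + 1) * (word_bits + 1))


# Constructed sample message: three 4-bit data words.
MESSAGE = [[1, 0, 1, 1], [0, 0, 0, 0], [1, 1, 0, 1]]

if __name__ == "__main__":
    sent = encode_message(MESSAGE)
    print([undetected_patterns(sent, w) for w in (1, 2, 3, 4)])
    print(undetected_bursts(sent), round(efficiency(2, 16), 3))
```

The only four-bit patterns that pass both checks are the corners of a rectangle (two words, two bit positions); a three-bit error that hits three corners of such a rectangle will be "corrected" at the fourth, which is why correction is limited to cases where at most two errors are expected.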
Additional protection can be provided within this format for control information by judicious selection of the codes representing this information. Control field codes can be selected so that multiple bit errors are required to transform one valid control field code into another valid code, such as in the case of the reply bus code.
Most of the options available utilizing the baseline method of error control are dependent on actual implementation and hardware involved. Until an actual hardware design of the overall information transfer system is done these should rightly remain options. Given the design, there will probably be a number of errors due to specific hardware faults that one would want to specifically protect against. The flexibility of the baseline system allows for these design inherent areas to be error protected and/or isolated.
6.5 I/O BUS CONFIGURATIONS

The I/O Bus System in this report has been mechanized in such a manner as to
allow operation in either of the two candidate system approaches. Voting, if
necessary, has been assumed as part of the LP and not of the SIU. Each SIU has
independent, redundant interconnections to up to four independent party lines.

Similarly, a voting configuration at each LP would in all likelihood change the
basis for determining necessity of retransmission by the computer bus control
(IOP). These changes are easily accommodated within the existing data transmission
format specified for the bus system.
6.6 SUMMARY OF PREFERRED BASELINE MECHANIZATION

The I/O data bus will operate as four separate, independent communication
links. The operation of each individual data bus will be under complete computer
control in a request-acknowledge format. Communication on the bus will be in
messages, each message headed by two control words and ending with a check word.
The number of words in a data message is variable up to a maximum of 63 total words.
The baseline method of data transmission on each bus will be baseband, utilizing
bi-phase level encoding (Manchester). The data links will be twisted pair shielded
cables, balanced and terminated. Each SIU will be coupled via transformers to the
data link and resistor isolated from the data line for short circuit protection. The
data link will be a true party line configuration. Appendix 9 is a data transmission
subsystem design for the GN&C system. Clocking for each SIU will be derived from
the received data utilizing a higher frequency clock source provided for the LP. A
data synchronization code will be used for group synchronization at each SIU. A
different synchronization code will be used for communications to the computer
ruling out any communication between LP's on the same party line.
Two-dimensional simple odd parity checks will be used on all messages for error
protection. An error detection-request retransmission scheme will be used to ensure
correct data transfer to each LP. The retransmissions will be under computer control
and mode sensitive to allow full computer control of the bus system throughput.
The possibility of simple forward single error correction plus double error detection
is available with this error control format to improve throughput at any time.

Each SIU will have multiple I/O bus lines and circuitry to allow multiple independent
receptions of the same data if desired. This level of hardware redundancy at the
SIU also allows SIU reconfiguration after SIU or bus failures. The SIU design shall be
such that no single SIU failure shall cause loss of any data link. Redundant, independent,
transmitter enable circuitry and time-outs shall be used for this purpose.
The SIU design and operation is included in the report on the Local Processor
(Section 9).
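The two-dimensional simple odd parity check summarized above, used either for detection with retransmission or for single error correction with double error detection, can be modelled as follows. This is an added example, not code from the report; the 16-bit data word, the single row parity bit per word, and all function names are assumptions.

```python
"""Two-dimensional simple odd parity over a bus message (illustrative model)."""

DATA_BITS = 16  # assumed data bits per bus word; not taken from the report


def ones(value):
    """Number of 1 bits in value."""
    return bin(value).count("1")


def odd_parity_bit(word):
    """Parity bit that makes the count of 1s in (word, bit) odd."""
    return (ones(word) + 1) & 1


def check_word(words):
    """Odd parity taken down each bit column of the message words."""
    check = 0
    for bit in range(DATA_BITS):
        column_ones = sum((w >> bit) & 1 for w in words)
        check |= ((column_ones + 1) & 1) << bit
    return check


def encode(words):
    """Frame: every message word, then the check word, each with a row parity bit."""
    return [(w, odd_parity_bit(w)) for w in list(words) + [check_word(words)]]


def syndrome(frame):
    """Rows and bit columns whose count of 1s is even, i.e. fail odd parity.

    The row parity bits themselves are not covered by a column check here.
    """
    bad_rows = [i for i, (w, p) in enumerate(frame) if (ones(w) + p) % 2 == 0]
    bad_cols = [b for b in range(DATA_BITS)
                if sum((w >> b) & 1 for w, _ in frame) % 2 == 0]
    return bad_rows, bad_cols


def receive(frame, correct=False):
    """Return (status, words); status is 'ok', 'corrected' or 'retransmit'.

    correct=False: any parity failure requests retransmission.
    correct=True: a single-bit error (exactly one bad row, at most one bad
    column) is repaired; every two-bit pattern gives zero or two bad rows and
    is sent back for retransmission.
    """
    bad_rows, bad_cols = syndrome(frame)
    data = [w for w, _ in frame[:-1]]
    if not bad_rows and not bad_cols:
        return "ok", data
    if correct and len(bad_rows) == 1 and len(bad_cols) <= 1:
        row = bad_rows[0]
        if bad_cols and row < len(data):
            data[row] ^= 1 << bad_cols[0]   # flip the bit at the intersection
        # otherwise the hit was in a row parity bit or in the check word,
        # so the message words are already intact
        return "corrected", data
    return "retransmit", None


def efficiency(n_words):
    """Message bits delivered per bit sent for n_words words plus one check word."""
    return (n_words * DATA_BITS) / ((n_words + 1) * (DATA_BITS + 1))


if __name__ == "__main__":
    message = [0x8001, 0x0042, 0x1234, 0xBEEF]   # constructed sample words
    frame = encode(message)
    damaged = list(frame)
    damaged[2] = (damaged[2][0] ^ 0x0100, damaged[2][1])   # one bit in error
    print(receive(frame))
    print(receive(damaged))
    print(receive(damaged, correct=True))
    print(round(efficiency(2), 3), round(efficiency(62), 3))
```

With these assumed sizes a two-word control message carries 32 message bits in 51 transmitted bits, in line with the report's figure of less than 66 percent efficiency for double word messages.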
7.0 MECHANIZATION OF SELECTED COMPUTER SYSTEMS 
7.1 GENERAL

The evaluation of the candidate computer systems resulted in the selection
of organization number 4, the restructurable multicomputer, with the
voter-comparator-switch system concept mechanized with conventional
technology. This section of the report deals with details of the mechanization
of the selected candidate.

The computer system previously shown in Figure 4-17 is a complex of
four identical computers configured as a set of two multiprocessors and tied
together by data links. Each computer will be a general purpose digital
machine operating on an internally stored program. Table 7-1 lists the
major features of the computer.

The computer will consist of three operating areas:

1. Central processing unit (CPU);
2. Memory;
3. Input/Output Processor (IOP).

The CPU will perform arithmetic and logical operations on data according
to the stored program. The IOP will perform the task of handling communications
with devices external to the computer. The VCS device will be
imbedded in the discussion of the IOP. The memory will provide non-volatile
storage for permanent and temporary data and for programs. Figure
7-1 is a block diagram of the computer. The block diagram of the total computer
system was shown in Figure 4-17.
Table 7-1. Computer Major Features

Data Word Size          16 or 32 bits including sign
Instruction Word Size   16/32 bits
Logic                   Dynamic MOS, 4 phase, 1 megahertz bit rate
Memory Type             Plated Wire
Memory Size             32,768 words (32 bits)
                        (expandable to 65,536)

                        Operates independent from CPU on internally
                        stored program, Serial and Parallel channels,
                        Serial Data Rate: 1 megabit per second;
                        Parallel Data Rate: 250K words per second

Special Features        Real Time Clock
                        Floating Point
                        Majority voting or comparison mode on output
                        to local processor subsystems via VCS function
7.2 FUNCTIONAL DESCRIPTION

7.2.1 Central Processing Unit

The CPU will execute a program stored in the memory. This program
will consist of instructions of the following types:

1. Arithmetic (add, subtract, multiply, divide, etc.)
2. Logical (and, or, complement)
3. Shift
4. Data moving (load, store)
5. Branch (conditional, unconditional)

The CPU will have the capability of single precision, double precision,
fixed and floating point arithmetic operations. The CPU will be capable of
addressing the memory directly, indirectly or by indexing. All operations
will be done in parallel except the shift operations which will be serial.
7.2.2 Memory

The memory will be made up of independent modules each consisting of
a plated wire array and electronics for reading and writing in the array and
for control functions. The basic memory configuration will be two modules
and the maximum configuration will be four modules. The characteristics
of each memory module will be:

1. Word Length: 32 bits
2. Capacity: 16,384 words
3. Type: NDRO
4. Cycle Time: 1 microsecond
5. Parity: 1 bit for each 16 bits

Each module will be capable of interfacing with three parallel buses.
Each bus connects the module to an IOP and a CPU. Operations over the
buses will be controlled by the memory module electronics. Service over
the buses will be on a round robin priority basis unless configured in a
special mode by the lockout electronics.

Data will be read from the memory in 32 bit words. The requestor will
decide whether to use part or all of the word. Data will be read into memory
as full words or half words. Either half of the word may be written into with
the other half not being disturbed. The requestor will control the type of
memory write wanted.
7.2.3 Input/Output Processor

The IOP will control the flow of data between the computer and the rest
of the system. The IOP will have three t

a. Type 1  Used for computer to computer data flow;
b. Type 2  Used for data flow over the data I/O bus to
           equipment outside of the computer complex;
c. Type 3  Used for block transfer of data with the mass
           memory complex and data management system.

The type 1 input/output section will consist of three input channels and
one output channel. Each of the input channels will be dedicated to a specific
computer. The output channel will be connected to all other computers. The
input and output channels will be able to operate independently and simultaneously.
Data will be sent bit serial and word serial over these channels.

The type 2 input/output section will consist of one input channel and one
output channel. The channel will have a dedicated cable to connect the computer
with the local processors (LP) in the subsystems in the spacecraft.
Data will be sent over this channel in a bit serial and word serial fashion.

The type 3 input/output section will consist of a single bi-directional
channel consisting of 17 data lines and two control lines. Response to
requests on this channel may be inhibited by the setting of a flag in one of
the IOP commands. Data will be sent over this channel in a bit parallel,
word serial fashion.

Transmissions over the type 1 output and type 2 channels will be initiated
by the IOP executing commands from a program which is stored in the
memory. Transmissions over the type 3 channel will be initiated solely in
response to external requests. The IOP will be capable of operating the
computer system in a voting, comparison or non-redundant mode by means
of the VCS functions described previously in Section 4.5.
7.3 MECHANIZATION OF INTERNAL MODULES

7.3.1

The computer memory bus provides the communication path between the
three functional areas of the computer (CPU, IOP, and Memory). Traffic
flows between the CPU and the memory or between the IOP and the memory.
There is no direct path between the CPU and IOP. A block diagram of the
bus is shown in Figure 7-2. A memory interfaces with three buses while the
CPU and IOP each interface with only one bus.

The bus consists of the following:

1. Address lines 18
2. Control lines 4
16
4. Data-out lines 15

The bus is operated at a ten (10)
rate in order to maintain the effective memory
access time as seen by the CPU and IOP at a nominal one microsecond.
The address lines are used to carry the code specifying the memory
module (4 bits) and the desired location (14 bits) in that module. The given
numbers represent the largest computer configuration that is possible (16 -
16K modules in each compartment with this addressing scheme).

The control lines are used to control memory operation. Two of these
lines carry signals representing the operational status of the two computers which
are physically co-located in the compartment. Each line is driven by one diagonal
term of the P matrix from the VCS of the IOP assigned to one of the
computers. The other four control lines are used to carry the codes that
represent the various memory commands.

Separate data-in and data-out lines are used to maintain maximum bus
speed and simple circuit arrangement. Savings in circuit complexity are
derived by using a half-word byte channel instead of a full-word channel. The
CPU will utilize both half- and full-word formats while the IOP will use full-word
format only. Full words are to be sent as two half-word bytes 100
nanoseconds apart.

The IOP and CPU share the use of the memory bus; access to the memory
bus will be handled on a first-come-first-served basis. However, since the
IOP and CPU programs are asynchronous with respect to each other, some
provision must be made to eliminate conflicts due to simultaneous requests
for the bus. The IOP sends and receives data in serial and continuous fashion.
To prevent any disruptions in the messages and to reduce hardware buffering
requirements, the IOP is to have priority over the CPU in the event of simultaneous
bus requests. This priority assignment is performed by the IOP. The
CPU must send a signal to the IOP requesting bus access. The IOP determines
if the IOP needs the bus at that time or is presently using the bus and sets a
bus access ready line true or false accordingly. As soon as the IOP releases
the bus, the CPU will be allowed to use it.
7.3.2 Central Processing Unit

7.3.2.1 Introduction. This section describes the central processing unit
(CPU) of the computer. The features described are the minimum required to
perform the computational task as seen in this study. The details of some
features (e.g. number of registers or interrupts, number and exact types of
instructions) will be subject to change as a result of studies now in progress
or studies that are to be made in the future.

7.3.2.2 General. The CPU is a 32 bit, parallel operating unit using general
registers in its instruction implementation. The instruction set provides
for 16 bit half-words, 8 bit immediate operands, and 32 bit words.

Memory addressing is by full word, that is, every 34 bits (32 data + 2
parity) of memory has an address. The 18 bit address may access any one of
196,608 words of memory (12 modules, 16,384 words/module; 4 modules/
CPU). A memory word is read out to the CPU 16 bits at a time and assembled
into a 32 bit word. Data may be 16 bits in length (half-word) or 32 bits (full-word).
A buffer assembles full-word instructions from two half-words.

Status control words (SCW) are used to define the status of the computer.
These contain interrupt status information, comparison results and condition
codes, and instruction address. SCWs are established in fixed memory
addresses and used in the execution of interrupts.
19, 3, 2, 3 anhation. The C 
7-3, Functio regis ters  and log 
                       Usual Function

Register File          Provides storage for general registers
PC (18)                Program Counter
A (32)                 General Purpose Data Register
E (32)                 Extension Register
(32)                   Memory Data Buffer
Priority Logic         Interrupt Sensing Logic
Priority Mask          Interrupt Mask Logic
LHW (16)               Instruction Left Half Word Register
RHW (16)               Instruction Right Half Word Register
M/D CNTL               Multiply-Divide Control Logic
MAR (18)               Memory Address Register
OP (4), OPX (4)        Operation Code Register
                       Auxiliary Operating Register: This register is used to hold
                       intermediate results during floating point and indexing
                       operations.
IX (18)                Indexing Storage Register: This register is used to hold
                       numbers used for indexing of instructions.
TI (32)                Temporary Buffer: This register is used for counting of
                       shifting during normal shift and normalizing operations.
                       File Address Register, Decode Logic and Count: This register
                       is used during register to register operations to keep track
                       of the register being used.
                       Condition Code Decoder: This register is used to store results
                       of comparison operations and to control the logic concerning
                       operation as a result of the comparisons.
                       Shift Control Logic: used to control all shift and
                       normalizing operations.
                       Computer Memory Designator: This register is used to hold the
                       two bit code that specifies which group of four memory modules
                       is to be accessed over the memory bus.
Communication with the memory is accomplished through MAR and MB.
The MAR is provided information regarding memory address from the adder,
the AGE and from the dedicated address matrix selected by the enabled interrupt.
Data and instructions are processed through the memory buffer
register, MB.

The memory addressing for obtaining instructions and operands is generated
through use of the PC, Z, A and IX registers. Further, the Z, A,
and E registers are used for the arithmetic functions. Thus, the single 32 bit
adder serves both functions. Also to be noted are the logic blocks to perform
shifting and the operations of And, OR, Exclusive OR and Comparison. The
latter logic, together with the Adder and Shift Matrix outputs, is used to
generate the 32 bit status control word. The Register File is a high speed
scratch pad memory used for index register storage as well as general
register operations. Each register is 32 bits long.

7.3.2.4 Interrupts. The interruption system enables the change of the
state of the CPU as the result of conditions occurring in the CPU or external
to it. An interrupt is serviced when the preceding instruction is finished and
the next instruction not yet started. The interrupt causes a dedicated address
definition and information transfer to and from memory locations. The
initial dedicated address is used to store the current contents of the Program
Counter. The dedicated address is then incremented and a word obtained
from the next full word location. This word contains the address of the start
of the interrupt subroutine. The interrupt action requires a write and a read
memory cycle.
Both external and internal interrupt capability is provided. A priority
interrupt system provides program control for rapid response to special
external and internal conditions.

Each priority interrupt is assigned a fixed address in memory which
contains the linkage information to obtain the start of the corresponding subroutine.
Upon completion of that routine, return to the original program is
possible through the restoration of the original contents of the program
counter. Further, each level of priority interrupt can interrupt lower levels.
Should a higher priority interrupt occur, new locations are defined for status
retention. The highest priority program will be processed and return to
lower level operation accomplished automatically.
An interrupt masking capability with loading and reading instructions is
provided for inhibiting various interrupts and status monitoring.
Masked interrupts remain pending until unmasked and taken. This capability
permits reassignment of priorities in real time.

7.3.2.5 Instruction Formats. The CPU will utilize eight basic instruction
formats. These eight basic instruction formats are denoted by the format
codes RR, R, S, PC, RS, RSX, RRS, and SI. The format code expresses, in
general terms, the operation to be performed.

1. RR, denotes Register-to-Register operation;
2. R, denotes Register operation;
3. S, denotes a shift operation;
4. PC, denotes a Program Counter operation;
5. RS, denotes Register-to-Storage operation;
6. RSX, denotes Register-to-Storage-Indexed operation
   (indirect option also available);
7. RRS, denotes Register-Register-Storage operation;
8. SI, denotes storage and immediate operand operation.

Formats 1 through 5 are half-word format instructions and formats 6
through 8 are full-word format instructions.

For addressing purposes, operands can be grouped in three classes:
explicitly addressed operands in main storage, immediate operands placed as
part of the instruction stream, and operands located in the general purpose
register file.
To permit the ready relocation of program segments and to provide for
a flexible specification, all instructions referring to main memory have the
capacity of employing a full address. This address used to refer to main
memory is modified by the following:

Base Address (53) is a 16-bit number contained in a general
by the program in the 53 field of the instruction.
ed in every address specification. The base
register shall be utilized as a means of relocation of programs
and data. The base addressing shall provide for addressing
all of main memory.

is a 16-bit number contained in a general register
by the program in the X field of the instruction. It
shall be included only in the address specified by the RSX
instruction format.

In forming the address, the base address and index are treated as
unsigned 16-bit positive binary integers. The two
binary numbers, ignoring overflow.
Examples of instruction types in the various formats are as follows:

1. RR Format
   - Add Registers
   - Subtract Registers
   - Multiply Registers
   - Divide Registers
   - Logical And
   - Logical OR
   - Logical Exclusive OR
   - Load Registers

2. R Format
   - Branch on Condition
   - Branch on Condition, Return Status

3. S Format
   - Shift Left
   - Shift Right
   - Cycle

4. PC Format
   - Branch on Condition

5. RS Format
   - Add HW
   - Add FW
   - Subtract HW
   - Subtract FW
   - Multiply
   - Divide
   - Store HW
   - Store FW
   - Load HW
   - Load FW

6. SI Format
   - Compare Immediate
   - AND Immediate
   - OR Immediate
   - Exclusive Or Immediate

7. RSX Format
   - Add HW
   - Add FW
   - Subtract HW
   - Subtract FW
   - Multiply HW
   - Multiply FW
   - Divide
   - Load FW
   - Store HW
   - Store FW

8. RRS Format
   - Load Multiple
   - Store Multiple
   - Branch on Register Condition
7.3.2.6 Read Only Memory. When the computer fails, as indicated by
the P Matrix of the VCS in the IOP, a program is to be executed by the CPU
to determine the functional area that has failed. This program cannot be
stored in main memory because the failure may be in the memory module or
the memory bus. A fault isolation program will be stored in a read only
memory (ROM) in the CPU. This program is for internal reconfiguration
only; external reconfiguration on the computer system level is accomplished
by the non failed computers.

The ROM will be a semiconductor memory with a capacity of approximately
8192 bits. The program will be stored as 32 bit words. All addressing and
readout circuitry required for the memory will be part of the ROM package.
7. 3. 2. 7 Arithmetic Formats, 
arithmetic in the &woss co 
-word or full word in  the f 
tions a r e  specified in two par t  
The mantis 
The CPU operates in either floating o r  
Bement number s y s t e m  
d point operations, Data 
issa and characteristic) 
full 32 bit word. 
24 bits of the word and t 
actional par t  of the number) 
of two multi- characteristic ( 0  r 
plier of the number) is stored in sev bits, The sign bit up the thisty- 
second bit of the word, 
7.3.2.8 Memory Bus Interface. The CPU interfaces with the main
memory by means of the memory bus. The bus was described in Section
7.3.1. The address sent over the address lines of the bus is developed in
the CPU by automatically appending the two bits of the computer memory
designator register to the most significant end of the sixteen bit address
derived from the instruction or from the program counter when a memory
module is accessed. The computer memory designator register is loaded
by the CPU program permitting full addressing capability for the maximum
number of memory modules (12) in one compartment (theoretically 16 can
be addressed however each CPU or computer is designed to power a maximum
of 4 modules and a maximum of three busses or computers may be
provided in one compartment).
7.3.3

7.3.3.1 General Description. The computer will utilize up to four (4) random
access 16K word, 34 bit plated wire memory modules for the main storage
function. Read and write cycle times will be 750 nanoseconds and 1.0 microsecond,
respectively. Read access time will be 500 nanoseconds for the
first half-word and an additional 100 nanoseconds for the second half-word.

Each memory module is composed of a 16,384 word plated wire array
organized internally as a 1024 x 16 multiword (2-1/2 D) system. This type
of organization reduces the word access lines and circuitry by adding a
third selection dimension. Word addressing in the 16,384 word stack is
accomplished by a selection of one of 32 "X" positions and one of 32 "Y"
positions, thus isolating one of the 1024 word lines of the chosen stack. A
"Z" selection of one of the 16 words along the selected word line completes
the addressing. This operation involves the low-level switching of the
proper input for each of the 34 sense amplifiers during a read cycle or
driving the proper lines with bit current for each of the 34 bits in the word
during a write cycle.

This type of organization minimizes the required circuitry and yields an
efficient and reliable system with correspondingly less stand-by power. The
multiword organization (16 - 34 bit words on each word line) is possible
because of the plated wire properties of equal drive word current for both
read and write as well as the nondestructive readout.

7.3.3.2 Functional Block Description. The memory may be broken down as
shown in Figure 7-4.
7.3.3.2.1
The word access circuitry performs the following
functions during both Read and Write cycles:

1. Makes the 1 of 32 "X" selection and the 1 of 32 "Y"
   selection resulting in the required 1 of 1024 word
   line selection for the chosen stack.
2. Provides the required Read and Write word drive currents.
3. Supplies array charging current to force recovery of the
   memory word line bias voltage between memory cycles.
7.3.3.2.2
The bit/sense electronics provides bit
drive to the e a (as determined by the address) for
each of the word during a Write cycle. During a
Read cycle, the appropriate one of 16 bit lines is selected as an input to the
sense amplifier for each bit in the requested word. The sense amplifier
then provides amplification and discrimination before outputting data at a
suitable logic

The circuitry consists of decoder-low level switch devices, sense
amplifiers and bit current drivers.

7.3.3.2.3
The array provides the NDRO storage elements
requir
A 16,384 word block consists of two dual
planes of plated wire mats laid out in a one crossover per bit arrangement
plus the word isolation diodes and low level switch devices.

7.3.3.2.4
The timing and control circuits provide
the required ding, temporary storage and buffering
required to make the memory module function. It consists of logic in conjunction
with a tapped delay line being used as a central timing element.

Operations are determined by decoding the control and command words
received over the memory buses from the CPU or the IOP.
7.3.3.2.5 Bus Interface Electronics. The bus interface electronics provide
the necessary buffering to match the memory buses with the internal
circuits of the memory module. Also provided is the module address comparator
to determine whether data on the bus are for the particular memory
module.

7.3.3.3 Memory Module Control. The memory module mode control is
located in the timing and control (TAC) section while the address and control
code decoding is done in the bus interface electronics (BIE) section. Both
sections control access operations to the array.

7.3.3.3.1 Bus Interface Electronics Section. The BIE section performs
the functions of address detection, control code decoding and read/write
operations for data sent over the buses. The memory module has three BIE
sections, one for each bus. A block diagram of a single BIE section is
shown in Figure 7-5.

7.3.3.3.1.1 Normal Operation. Each memory module of the computer is
assigned a four bit address code. The module will accept only those control
codes that accompany an address code whose four (4) most significant bits
are the same as the module address code. The module address code is held
in the module address register of the BIE section. The address code is also
stored in a dedicated location in memory. Upon recovery from a power
transient, the module address code is accessed from the array and placed in
the module address register to return the module to the pre-transient condition.
Each BIE section may have a different address, so all codes must be
stored in the array. The module address code may be changed by the CPU
program by using one of the control codes.
Properly addressed control codes are decoded by the BIE section logic
and the proper operation started. The control codes are:

1. Read Data Word
   the memory location specified by the
   address on the bus address lines are read into the BIE
   buffer register. The most significant 16 bits are
   placed on the bus data out lines followed 100 nanoseconds
   later by the least significant 16 bits.

2. Write Full Word
   tes are read from the bus data in
   lines into the buffer register to form a 32 bit word.
   This word is written into memory at the location
   specified by the address on the bus address lines.

3. Write Left Half Word
   the bus data in lines are read into the most significant
   bit positions of the buffer register. These 16 bits
   are then read into the most significant half of the
   memory location specified by the address on the
   bus address lines.

4.
   Write Left Half Word except
   that the least significant bit positions of the buffer
   register and memory location are affected.

5. Mode Command Present
   The five most significant bits of the bus data in
   lines are read into the TAC section buffer register
   associated with this bus.

6. Read Module Mode
   The contents of the module mode register in the
   TAC section are read into the BIE buffer register
   and placed on the bus data out lines.

7. Restore Module Address
   s the memory location
   holding the module address code and places that
   code into the module address register.

The operation of the module, due to the above control codes,
altered by the module mode. This will be discussed in the mode nd
paragraph.
7.3.3.3.1.2 Module Address Determination.
to the computer, the memory address register
module can either be forced to a given state or
arbitrary state. Good system design demands
so the initial module addresses
unknown and most likely non-re
undesirable. Further, during operation it is possible that noise or other
undetected system perturbations may cause one or more bits of
change giving an unknown address to the module. Some means must be
provided to enable the CPU to sample or set the contents of the
each memory module.
The assignment of a fixed address code (actually the four most significant
bits of the 18 bit address code) that is unique to each module will do
the job. The maximum number of memory modules on a memory bus will
be twelve. To have the fixed codes and the MAR codes all different will
require 24 codes and the addition of another bit to the address code for a
total of 19 bits. This extra bit and the circuitry required to use it can be
avoided if fixed and MAR codes are allowed to be identical but not for any
one module and the control codes honored by the module restricted according
to the way the address code is defined at the module.

If the four bit code is held in the MAR, the control code described in
7.3.3.3.1.1 will be honored by the module. If the four bit code is the fixed
code, the following control codes will be honored:

1. Read Module Address
   The contents of the module address register of the
   BIE section are read into the buffer register and
   placed on the bus data out lines.

2. Store Module Address
   The BIE section reads the bus data in lines into
   the buffer register. The contents of the buffer
   register are then placed in the dedicated memory
   location. This memory location is then read
   out and placed in the module address register.

The fixed code will be set into the modules by manually attaching a plug
to a computer connector. The plug will have four codes wired into it for the
maximum set of computer memory modules. Each computer will have a
plug which will be generated in sets of three. Each compartment which can
contain three computers is considered to be independent since memory
buses are restricted to within a compartment so the plugs can be identical
for each compartment.
7.3.3.3.2 Timing and Control Section. The TAC section controls the
memory operating modes and determines the timing for the module. A
block diagram is shown in Figure 7-6.
7.3.3.3.2.1 Timing. The module timing is based upon the logic clock used
in the rest of the computer. A tapped delay line is used to generate the
various intermediate time intervals for proper module operation.
computer fails (as indicated by the P matrix of the VCS), the mod
ly switches to the logic clock the other computer in the compartment.
The buses operate on a request/acknowledge basis so that it is not necessary
to switch between clocks during no
Normally, requests over the three buses are handled on a first come,
first served basis. Should all buses request service at the same time, the
request from bus 3 will not be serviced until after the requests from bus 1 and
2 are honored. Between buses 1 and 2, the request from the bus that was not
serviced last will be honored first.
7.3.3.3.2.2 Mode Control. The operating mode of the module is determined
by mode commands received from the CPU. A mode change is made
only if identical mode commands are received over buses 1 and 2. Mode
commands over bus 3 will not be honored by the module. Two mode
commands are sent by the CPU. One command determines the operating status
of buses 1 and 2. The other command determines the operating status of
bus 3.
The mode commands for buses 1 and 2 are:
1. all control codes
and all mode commands received over both buses.
Priority is as described in paragraph 7.3.3.3.2.1.
2. Full operation over bus 1; no operation over bus 2:
The module will accept and honor all mode commands
received over both buses. The module will accept and
honor all control codes received over bus 1. The
module will not accept or honor any control codes
sent over bus 2.
3. Full operation over bus 2; no operation over bus 1:
Same as 2 except that the roles of bus 1 and bus 2
are reversed.
4. The module will accept and honor all mode commands
received over both buses. The module will accept and
honor all control codes received over bus 1. The module
will accept and honor only read control codes over bus
2.
5. are reversed.
6. Full operation over bus 1; scratch pad operation over bus 2:
The module will accept and honor all mode commands
received over both buses. The module will accept and
honor all control codes received over bus 1. The
module will accept and honor all control codes received
over bus 2 that access a given set of locations in
memory or that call for a read module address or
mode operation.
7. Full operation over bus 2; scratch pad operation over bus 1:
Same as 6 except that the roles of bus 1 and bus 2 are
reversed.
8. Full operation over bus 1; scratch pad and read only
operation over bus 2:
The module will accept and honor all mode commands
received over both buses. The module will accept
and honor all control codes received over bus 1. The
module will accept and honor all control codes received
over bus 2 that access a given set of memory
locations or that call for a read operation.
9. Full operation over bus 2; scratch pad and read only
operation over bus 1:
Same as 8 except that the roles of bus 1 and bus 2
are reversed.
10. Restore Module Mode
The module will access the memory location holding
the module mode command and read the contents of
that location into the mode register.
The mode commands for bus 3 are:
1. No operation over bus 3:
No control codes received over bus 3 will be honored.
2. Full operation over bus 3:
All control codes received over bus 3 will be honored.
3. Read only operation over bus 3:
The module will accept and honor only read control codes
over bus 3.
4. Scratch pad operation over bus 3:
The module will accept and honor all control codes
received over bus 3 that access a given set of
locations in memory or that call for a read module
address operation.
5. The module will accept and honor all control codes
received over bus 3 that access a given set of
memory locations or that call for a read operation.
The arrival of a mode command over bus 1 or 2 starts a mode change
sequence in the TAC section. The mode command is transferred into a
buffer register in the TAC section that is associated with the bus over which
the mode command was received. When a mode command is received over
the other bus, both buffer registers are compared. If the two registers
disagree, the mode register is not changed and the module continues to
operate in the previous mode.
If the two registers agree, the contents of the buffer register associated
with bus 1 are read into the memory location dedicated to holding the module
mode command. That memory location is accessed and the contents read
into the mode register.
The failure of either computer as indicated by the P matrix of the VCS
of that computer will cause the TAC section to accept and honor mode
commands from the remaining good computer without going through the mode
command comparison sequence. When both computers are failed as
indicated by the P matrices, the mode register is set to full operation over
both buses and the mode command comparison logic is disabled.
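
The mode change sequence described above can be followed in a small model. This is an added example, not part of the report or of its simulator. The class and method names, the use of list positions as command values, the pairing of bus n with computer n, the clearing of both buffers after a comparison, and the acceptance of a command from either bus once both computers have failed (as the simulator description in Section 8.2.2.3 states) are assumptions.

```python
from enum import IntEnum


class ModeCmd(IntEnum):
    # Values are the list positions used on the page, not a hardware encoding.
    FULL_BOTH = 1        # full operation over both buses
    FULL_1_NONE_2 = 2    # all control codes over bus 1, none over bus 2
    FULL_2_NONE_1 = 3    # same as 2 with the bus roles reversed
    FULL_1_READ_2 = 4    # all control codes over bus 1, read only over bus 2
    RESTORE = 10         # reload the mode register from the dedicated location


# Control-code kinds honored per bus in each mode ("r" read, "w" write).
HONORED = {
    ModeCmd.FULL_BOTH: {1: "rw", 2: "rw"},
    ModeCmd.FULL_1_NONE_2: {1: "rw", 2: ""},
    ModeCmd.FULL_2_NONE_1: {1: "", 2: "rw"},
    ModeCmd.FULL_1_READ_2: {1: "rw", 2: "r"},
}


class TacModeControl:
    """Mode register, dedicated mode location and one buffer register per bus."""

    def __init__(self, initial=ModeCmd.FULL_BOTH):
        self.mode_register = initial
        self.mode_location = initial          # memory word holding the mode command
        self.buffer = {1: None, 2: None}
        self.failed = {1: False, 2: False}    # P-matrix status; bus n <-> computer n (assumption)

    def set_failed(self, computer, failed=True):
        self.failed[computer] = failed
        self.buffer = {1: None, 2: None}      # a half-finished comparison is dropped (assumption)
        if all(self.failed.values()):
            # Both computers failed: module is opened, comparison logic disabled.
            self.mode_register = ModeCmd.FULL_BOTH

    def _load(self, cmd):
        # The agreed command goes to the dedicated location first, then the
        # location is read into the mode register. RESTORE skips the store.
        if cmd != ModeCmd.RESTORE:
            self.mode_location = cmd
        self.mode_register = self.mode_location

    def mode_command(self, bus, cmd):
        """Return True when the mode register was loaded by this command."""
        if bus not in (1, 2):
            return False                      # mode commands over bus 3 are not honored
        cmd = ModeCmd(cmd)
        good = [b for b in (1, 2) if not self.failed[b]]
        if len(good) == 1:
            if bus != good[0]:
                return False                  # assumption: the failed computer is ignored
            self._load(cmd)                   # remaining good computer, no comparison
            return True
        if not good:
            self._load(cmd)                   # assumption: either bus accepted
            return True
        self.buffer[bus] = cmd
        if self.buffer[3 - bus] is None:
            return False                      # wait for the command on the other bus
        agreed = self.buffer[1] == self.buffer[2]
        if agreed:
            self._load(self.buffer[1])        # the bus 1 buffer is the one stored
        self.buffer = {1: None, 2: None}      # assumption: buffers cleared after comparing
        return agreed

    def honors(self, bus, op):
        """True if a control code of kind op ('r' or 'w') is honored on bus 1 or 2."""
        return op in HONORED[self.mode_register].get(bus, "")


if __name__ == "__main__":
    tac = TacModeControl()
    tac.mode_command(1, ModeCmd.FULL_1_READ_2)
    print(tac.mode_command(2, ModeCmd.FULL_1_READ_2), tac.mode_register.name)
```

A single computer cannot narrow or widen the other's access while both are marked good; the P matrix is the only input that removes that requirement.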
7.3.3.4 Data Protection. To insure proper operation of the system, the
data stored in memory may have to be protected in two ways. One type of
protection is to keep bad data from being sent from the memory module and
the other type is to keep certain data in memory from being changed by the
CPU or IOP writing in those locations. The first type of protection can be
achieved simply by generating and storing a parity bit with each half-word
and checking this parity when the half-word is read out. The second type of
protection can be achieved by preventing write operations into specified
memory locations when the system is on line.
7.3.3.4.2 Memory Write Protect. Protection against writing in specified
memory locations can be achieved in two ways although functionally, the
results are the same. An attempt to write in a memory location that is
protected will result in an interrupt being generated and the write operation
being terminated. Selection of the protection method mechanization requires
knowledge of system facts that are not now available but will be known at the
time of actual hardware design. The two types of protection will be described
here but no recommendation is made for selection.
7.3.3.4.2.1 Word Protect. One method is to protect each individual word
in memory by storing a protect bit along with the word in memory. When a
write operation is called for, the contents of the memory location are read
out and the protect bit investigated. If the bit indicates protect, an interrupt
is generated and the write operation terminated. If the bit indicates write,
the write operation is completed.
This method is very flexible and can be used anywhere in memory without
having to structure the program. The additional bit stored in memory
requires a larger array (about 2.8% increase) along with one more each of a
read and write channel circuitry. Perhaps the most important aspect of this
method is the requirement for a read operation before a write operation.
This means that a write operation will take a minimum of 1.75 microseconds
instead of a normal one microsecond.
7.3.3.4.2.2 Block Protect. This method involves protecting specified blocks
of memory locations by comparing the address of a write operation against
protected addresses. If the addresses match, an interrupt is generated and
the operation is terminated. If the addresses do not match, the operation is
completed.
The addresses specifying the upper and lower bounds of each protected
block must be held in logic of the memory module. The more blocks, the
more addresses and also the more bits in each address. In a simple case,
the protection of half the module would require the comparison of only one
bit, the more significant one of the address. If half the memory is to be
protected but in two separate blocks, comparison of at least the two most
significant bits must be made. Thus, it can be seen that a large number of
small blocks leads to large amounts of logic.
The codes specifying the block limits could be entered by means of
wired plugs attached to external computer connectors. Again, the amount
of hardware needed is related to the size and number of protected blocks.
Time to accomplish the write operation in this method does not increase
regardless of the size or number of protected blocks since all comparisons
can be done in parallel. The effective memory write cycle time will remain
at one microsecond.
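
The trade-off between the two write-protect methods can be made concrete with a short model. This is an added example, not code from the report. The 11-bit module size, the class and function names, and the treatment of each comparator as a match on the leading address bits are assumptions; the 0.75 and 1.0 microsecond figures are the read and write cycle times quoted in this section.

```python
class StorageProtectInterrupt(Exception):
    """Raised in place of the interrupt that terminates a protected write."""


def prefix_cover(lo, hi, addr_bits):
    """Split the inclusive range [lo, hi] into aligned power-of-two blocks.

    Each block is (prefix_value, prefix_len): an address lies in the block
    when its prefix_len most significant bits equal prefix_value.
    """
    if not 0 <= lo <= hi < (1 << addr_bits):
        raise ValueError("bounds outside the module")
    blocks = []
    while lo <= hi:
        size = (lo & -lo) if lo else (1 << addr_bits)   # largest block aligned at lo
        while size > hi - lo + 1:                       # shrink until it fits
            size >>= 1
        low_bits = size.bit_length() - 1
        blocks.append((lo >> low_bits, addr_bits - low_bits))
        lo += size
    return blocks


class BlockProtectedModule:
    """Block protect: address comparators work in parallel with the write."""
    WRITE_US = 1.0

    def __init__(self, addr_bits, protected_ranges):
        self.addr_bits = addr_bits
        self.words = [0] * (1 << addr_bits)
        self.comparators = [p for lo, hi in protected_ranges
                            for p in prefix_cover(lo, hi, addr_bits)]

    @property
    def bits_compared(self):
        """Number of most significant address bits the comparators examine."""
        return max((n for _, n in self.comparators), default=0)

    def is_protected(self, addr):
        return any(addr >> (self.addr_bits - n) == v for v, n in self.comparators)

    def write(self, addr, value):
        if self.is_protected(addr):
            raise StorageProtectInterrupt(addr)
        self.words[addr] = value
        return self.WRITE_US                 # cycle time does not grow with block count


class WordProtectedModule:
    """Word protect: one protect bit per word, read out before every write."""
    READ_US, WRITE_US = 0.75, 1.0

    def __init__(self, addr_bits, protected_ranges):
        self.words = [0] * (1 << addr_bits)
        self.protect = [False] * (1 << addr_bits)
        for lo, hi in protected_ranges:
            for addr in range(lo, hi + 1):
                self.protect[addr] = True

    def write(self, addr, value):
        if self.protect[addr]:               # known only after the read cycle
            raise StorageProtectInterrupt(addr)
        self.words[addr] = value
        return self.READ_US + self.WRITE_US  # 1.75 microseconds minimum


if __name__ == "__main__":
    for ranges in ([(1024, 2047)], [(512, 1023), (1536, 2047)], [(100, 1999)]):
        m = BlockProtectedModule(11, ranges)
        print(ranges, len(m.comparators), "comparators,", m.bits_compared, "bits")
```

Protected ranges that do not fall on power-of-two boundaries are where the comparator count grows, which is the hardware cost the text attributes to many small blocks.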
7.3.3.5 Memory Operations
7.3.3.5.1 Write Cycle. The write operation is accomplished by the
coincidence of word and bit currents at each bit address for the selected
word. The polarity of the bit current establishes the storage state for the
corresponding bit. A pre-write of the storage state complement is also
included in the cycle to optimize wire performance. Hence, the write
operation requires one word current pulse, which is coincident with the bit
currents (see Figure 7-7 for timing diagram). The total memory write
cycle is accomplished in less than 1.0 microsecond.
The cycle begins when the memory module receives an address and a
write control word. Whether a half word or full word is to be written is
determined by the control word.
The address inputs are decoded and internally generated timing pulses
command the selection of the appropriate X and Y word current switches and
the proper pair of bit current switches for each bit. The word current source
and bit current switches are then keyed to produce the required drive
currents in the selected word and bit lines. Input data determines the sequence
of the bipolar bit currents and, therefore, the polarity of each bit written.
7.3.3.5.2 Read Cycle. Readout is accomplished by applying a current
down the selected word access lines and then sensing the polarity of
corresponding induced voltage on the sense/bit line (plated wire) for each of the
bits in the requested word. Since signal outputs will be present on all
plated wires along the selected word line, the gating of the appropriate
signal inputs to the sense amplifiers is made for each bit.
The cycle (see Figure 7-8 for timing diagram) begins when the memory
receives the address and a read control word. The address is decoded and
internally generated timing pulses command the selection of the appropriate
X and Y word current switches and gate "on" the proper MOS switch and
pre-amplifier in the sense amplifiers for each bit. Word current is then routed
down the proper line, and the selected plated wire output signals are then
amplified and discriminated to become available in the output data register.
Information becomes available at the memory interface in 16 bit segments,
the first segment 500 nanoseconds after the cycle start command and the
second 600 nanoseconds after the cycle start command. A complete
memory read cycle requires 750 nanoseconds.
7.3.4 Input/Output Processor Module
In Section 4.5 a description of the IOP and VCS system operation was
given; in addition, a detailed description of the VCS was presented. The
mechanization of the IOP will be described in this section with the VCS
included in the IOP.
The Input/Output Processor (IOP) of the computer performs these
functions:
a. Communication with devices external to the computer.
b. Program time synchronization.
c. Computer fault detection.
d. Voting comparison on data transmitted to local processors.
The first two functions are performed by the IOP executing commands
that are stored in the computer memory or by the IOP responding to control
words received from another computer. The fault detection function is built
into the hardware and requires no stored commands. The last function is
performed by the VCS section of the IOP hardware as specified by the setting
of two matrices in the VCS section.
A block diagram of the IOP is shown in Figure 7-9.
The IOP interfaces with external devices over three types of data buses:
a. Type 1 bus for computer-to-computer communication;
b. Type 2 bus for computer-to-local processor communication;
c. Type 3 bus for computer-to-mass memory system
communication.
The type 1 and 2 buses are serial channels with the messages being
handled in a bit serial and word serial fashion. These messages are made up
of a control word (32 bits long) and from one to 63 data words (16 bits long).
All words sent over the buses will have a parity bit for each 16 bits. The
parity bit is used to make each word have an odd number of binary ones in the
word. The type 1 data bus consists of four (4) input channels and one output
channel. The type 2 data bus consists of one input and one output channel.
The type 3 data bus is a parallel channel with the messages handled in a
bit parallel and word serial fashion. The channel is bi-directional consisting
of 16 data lines, one parity line and two control lines. Each word is sent over
this bus on a "ready-read" basis so no timing need be furnished over the
bus. Again, odd parity is used for each 16 bit word. Messages consist of
a control word and from one to 127 data words. Operations over this bus
are initiated by the data management system and the IOP can mask off this
bus during critical data transmission modes over the other two buses.
A real time counter is included in the IOP to provide a repetitive time
period reference for IOP and CPU program synchronization. The counter is
counted down to zero from a set value at the logic clock rate. At zero, the
counter issues an interrupt to the CPU and IOP mode controls, resets itself
and starts counting down again. The length of the time period is
programmable.
Detection of a computer failure is made by the built in test equipment.
This consists of a counter in the IOP that operates as a "dead man" detector
in that, if the counter is not reset periodically, it will reach a zero count
and issue a computer No-Go discrete. This discrete is sent to all computers
in the system (this is the "D" input to the VCS as shown in Figure 4-23) and,
when true, causes the computer issuing it to be ignored by the operating
computers. Failures both in hardware and software that prevent the resetting
of this counter are detected. The counter will be reset by accessing a
dedicated location in memory and loading the binary value found therein into the
counter and zeroing this location after access. It is up to the CPU to reload
this location to keep the counter reset.
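
The effect of zeroing the dedicated location after each access can be seen in a short model of the "dead man" counter. This is an added example, not part of the report. It assumes the reset access happens once per fixed period and that the counter is decremented once per tick; the class, function and parameter names and the tick values are constructed for illustration.

```python
class DeadManDetector:
    """IOP counter reloaded from a dedicated memory location."""

    def __init__(self, zero_after_access=True):
        self.location = 0            # dedicated memory word written by the CPU
        self.counter = 0
        self.no_go = False           # No-Go discrete, latched once raised
        self.zero_after_access = zero_after_access

    def cpu_reload(self, value):
        """A healthy CPU program writes a fresh count into the location."""
        self.location = value

    def reset_access(self):
        """Load the counter from the location, then zero the location."""
        self.counter = self.location
        if self.zero_after_access:
            self.location = 0

    def tick(self):
        if self.counter > 0:
            self.counter -= 1
        if self.counter == 0:
            self.no_go = True
        return self.no_go


def first_no_go_period(cpu_alive_until, periods, period_ticks=10,
                       reload=15, zero_after_access=True):
    """Return the period in which No-Go is raised, or None if it never is.

    The CPU reloads the location in every period before cpu_alive_until and
    is hung (hardware or software failure) from that period onward.
    """
    det = DeadManDetector(zero_after_access)
    for period in range(periods):
        if period < cpu_alive_until:
            det.cpu_reload(reload)
        det.reset_access()
        for _ in range(period_ticks):
            if det.tick():
                return period
    return None


if __name__ == "__main__":
    print("healthy CPU:", first_no_go_period(5, 5))
    print("CPU hangs in period 3:", first_no_go_period(3, 6))
    print("same hang, location not zeroed:",
          first_no_go_period(3, 6, zero_after_access=False))
```

Without the zeroing step a stale count keeps satisfying the counter after the CPU has stopped, so the failure is never reported; a reload value shorter than the access period has the opposite effect and raises No-Go on a healthy computer.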
The VCS function is included in the IOP. The operation of the VCS is
controlled by the P and R matrices. The R matrix contains the mode of the
computer system operation as defined by each computer. The P matrix
contains the Go/No-Go status of each computer as determined by itself and
other computers. The Go/No-Go status of each computer in the P matrix
determines which entries in the R matrix are to be allowed to participate in
system mode determination. In this way, the R matrix is adapted because of
computer failures so that bad computers cannot disturb the system mode of
operation. The VCS was described in detail in Section 4.5.
In order to provide data in sync (± 1/2 word) to the VCS from the four
computers, it is necessary to synchronize the four computers. The IOP
contains a master sync controller that performs this function. The master
sync controller receives a control word generated internally by the IOP
program and also receives control words from the other computers (via Type
1 input channels). The timing of receipt of these control words determines
the synchronization. This synchronization is accomplished on a periodic basis
The IOP is set into operation by the decoding of a command and/or a
control word. The commands are stored in the computer memory and are
accessed according to the command program counter in the IOP. Control
words are also stored in the memory and are also received from other
computers in the system over the inter-computer bus. Commands are executed
in sequence as any other software program. Control words are executed only
when specified by a command or when a control word is received over the
inter-computer bus.
The IOP command list is as follows: 
1. Halt and Proceed 
2. Jump 
3. Conditional Skip
4. Fetch Control Word 
Figure 7-10 indicates a typical layout of the IOP program. The
operation of the fetch control word can be seen to mechanize the data transfer
operations of the IOP. Each fetch control word instruction contains an
address that points to the location of a control word. The control word
contains information that describes the type of operation to be performed (e.g.,
input from local processors, output to another computer, etc.). Following
each control word is an address that points to the location of a data block.
The data block is the location into which input/output data is to be placed.
The IOP mechanization was considered in detail resulting in the detailed
bit, micro sequence, and timing specifications for all the IOP functions and
operations. Due to the length of the mechanization, it is reported separately
in Appendix 2.
Figure 7-10. IOP Program Operation (diagram; legible labels: Fetch (CW), Jump, (Data Address))
7.3.5 Power Converter and Clock
7.3.5.1 General. The power converter and clock units supply signals
that are used throughout the computer. These signals form a common
reference so that the electrical levels and timing in the various areas of the
computer have definite meaning with respect to each other.
7.3.5.2 Clock Unit. A master clock circuit provides the fundamental
timing for the computer. This master clock consists of a temperature
compensated crystal oscillator operating at a frequency high enough to satisfy
the requirements of the highest speed logic in the computer. In this computer,
the operating frequency of the logic will be one megahertz while the memory
buses will operate at ten megahertz. Internal memory timing will be derived
from the logic frequency by the use of a tapped delay line. A block diagram
of the clock unit is shown in Figure 7-11.
The output of the oscillator is amplified and transmitted to the memory
bus interface circuits in the CPU, IOP and memory modules. The
oscillator output is also used to provide a timing signal to a four phase clock
generator. The output of this generator consists of four signals that are
used as timing signals in the MOS logic. These timing signals are not
symmetrical and are time displaced with respect to each other but all have a
period of one microsecond.
The overall accuracy of the master clock will be ±100 parts per million
for long term and ±80 parts per million for the short term (about 48 hours).
7.3.5.3 Power Converter Unit. A power converter is necessary to
match the requirements of the computer circuits with the characteristics of
the primary power supply. Each computer will have a power converter
capable of supplying all secondary power for the maximum computer
configuration of one CPU, one IOP and four memory modules.
In Section 10 it will be shown that four independent power buses would be
needed in order to meet the failure criteria of this overall system. The
computer complex will be connected to these buses in such a way that the failure
of two buses will result in the loss of only one computer. Table 7-2 illustrates
a typical connection.
Table 7-2. Computer/Power Bus Connection
The input power is assumed to be +28 VDC with a normal working range
of 24 to 28.5 volts and with transients limited from 20 to 35 volts. This will
allow the use of a DC to DC type of converter with the attendant weight, size,
and reliability benefits.
7.3.5.3.1 Organization. The power converter unit will have the following
functional areas:
1. Load Controller
2. DC to DC Converter
3. Preregulator
4. Series Regulators
5. Switching Regulators
6. RFI Filters
A block diagram of the power converter is shown in Figure 7-12.
7.3.5.3.1.1 Load Controller. The load controller consists of two power
switches and the bus monitor and selector unit (BMSU). The load controller
performs these functions.
1. Isolation - Failures in the power bus will not tend
to propagate into the computer or vice versa.
2. Selection - Only one power bus will be connected to
the converter input at one time.
3. Detection - Voltage level at the converter input will be
monitored and a switch to the alternate power
bus will be made if certain conditions are
violated.
The BMSU performs function 3 and provides the control signals for
function 2. The BMSU will monitor the voltage level at the input to the DC to
DC converter. Voltage level excursions outside of the limits 20 to 35 volts
for a period of time exceeding 50 microseconds will cause the BMSU to
signal a change to the other power bus. This switching from one bus to the
other will continue as long as there is sufficient power available to operate
the load controller. The power for the load controller circuits will be taken
from both power buses in front of the load controllers to insure operation as
soon as one bus has power within the controller operating range.
The power switches perform functions 1 and 2. The switches are opened
or closed due to the signals from the BMSU. The switches are connected so
that one is closed when the other is open. Both switches in the same state is
a failure leading to shutdown by breaking fuse links. These switches are to
be solid state to reduce bus switching times and to gain increased reliability.
Fast switching times result in the secondary levels of the power converter
remaining constant when going from one bus to another so that computer
operation is not affected. (See Section 10 for details concerning trade offs
leading to mechanization selection.)
(Block diagram; legible labels: TO MEMORY MODULE; TO CPU, IOP, CLOCK UNIT)
7.3.5.3.1.2 DC to DC Converter. This unit changes the input DC power
into a square wave which is applied to a transformer. This is accomplished
by driving two power transistors with timing signals from a free running
multivibrator. The transistors are alternately turned on and off. When on,
the transistors apply 28 VDC power to either side of a center tapped primary
winding of the transformer. The center-tap is connected to ground. This has
the effect of producing a square wave that can be processed by the transformer.
The multivibrator operates in a frequency range of 12 to 18 kilohertz.
The required voltage levels to drive the regulators are developed from
the secondary windings of the transformer. These voltages are rectified,
filtered and distributed to the regulators.
7.3.5.3.1.3 Pre-Regulator. This unit delivers the power to drive the
logic circuits of the memory modules and the coarse regulation for the power
for the memory read and write circuits. This is done to reduce the design
requirements in the series regulators.
7.3.5.3.1.4 Series Regulators. These regulators are the usual type of
regulator that uses a series dissipative element to control the output levels.
These regulators provide the final regulation and fast response time required
by the memory. In addition, one of these levels is temperature compensated
to allow the memory to properly function over large temperature variations.
7.3.5.3.1.5 Switching Regulators. This type of regulator uses the
principle of pulse width modulation to control the output levels. Higher
efficiencies can be obtained from this type regulator over the series regulator.
The regulator operates at frequencies about twenty (20) kilohertz which
results in high frequency harmonics of appreciable power being developed
that can cause interference in other systems. These regulators are used to
supply the power requirements of the CPU and IOP logic.
7.3.5.3.1.6 RFI Filters. Components of RF energy are generated by the
DC to DC converter, switching regulators and rectifier switching operations
that must be suppressed. The paths that this energy may take are the
conductive path over the wires connecting the power converter into the system
and the radiative path through the air. Filters made up of reactive elements
are placed in series with every line going to or from the power converter.
These filters are low pass filters having high attenuation of frequencies above
100 hertz. The power converter will be enclosed in an RF tight enclosure to
intercept the radiated energy and return it to the system ground.
8.0 SOFTWARE AND SIMULATION 
8.1 INTRODUCTION
The Software and Simulation task had a three-fold objective:
1. Design and develop a software simulation of the selected
computer system design developed during Task 7 (Section 7).
The simulation should be suitable for use as a tool for
evaluation/demonstration of preliminary design concepts
and techniques.
2. Design and develop the software routines necessary to
operate the simulated computer system in a FOOS
environment.
3. Utilize the simulation system to debug the software and
system design and to demonstrate and evaluate the
feasibility and functional performance of the selected computer/
software system.
The Reconfigurable G&C Computer (RGC) simulation system which was
developed during this task consists of two computer programs: 1. The RGC
Assembly program, and 2. The RGC Computer System Simulator program.
These programs are available in a form suitable for execution at NASA MSC.
The simulation system is described in more detail in Section 8.2 and Appendix
4.
The software routines programmed for execution on the Simulation System
are referred to as the RGC Software System and constitute a limited "operating
system" for the simulated RGC computer system. This software is composed
of three sub-programs: 1) Executive program, 2) Input/Output program, and
3) Resource Controller program. These programs are described in more
detail in Section 8.3 and Appendix 4.
Use of the Simulation system involved four primary activities:
1. Refining and solidifying the functional design characteristics
of the selected system being evaluated during the study.
2. Debugging and evaluating operation of the Simulation system
itself.
3. Debugging and refining software for the selected system
design.
4. Evaluating overall system performance using fault
simulation.
These activities are described in Section 8.4.
8.2 SIMULATION SYSTEM
8.2.1 General
The RGC Simulation System is comprised of two separate computer
programs, the RGC Assembly Program and the RGC Computer System
Simulator Program. These programs are written in the FORTRAN IV
language and are compatible from a language standpoint with most medium
and large scale general purpose computer systems; among them, the IBM S360,
CDC 6600, XDS Sigma 5/7, and Univac 1108. The programs have been
executed on all the above systems except the 1108.
The two programs are executed independently. The Assembly Program
is used to process programs written in a symbolic assembly language for
execution on the simulated RGC computer system and convert them to a format
suitable for input to the Simulator program. Additionally, the Assembly
Program produces a printed listing of the programs. The Simulator
Program simulates functional operation of the selected RGC computer system
design by "executing" the assembled RGC computer programs and providing
a printed trace of CPU, IOP, and memory activity and interaction.
Simulation is performed at a functional, machine-register level and does not
duplicate specific logic or circuit mechanizations.
8.2.2
Volume 2, Section 7 of this report describes the detailed mechanization
of the selected RGC Computer System design. The simulation of this
system design was developed to represent only the functional aspects of the
design in order to demonstrate/evaluate the system's conformance to
functional performance requirements, specifically the FOOS requirements.
Therefore, in order to make the simulation as efficient and cost-effective
as possible, the system architecture that is mechanized in the Simulator
program was modified from the mechanization described in Section 7. The
modifications were carefully considered to insure that the functional
integrity of the simulation was not degraded. The IOP instruction repertoire is
the most obvious area of change. Due to the inefficiency of dealing with bit
level operations in the Fortran language, it was desirable to eliminate the
IOP's compressed control word format described in the mechanization of
Section 7. This was accomplished by assigning the control word functions
to separate instruction types in the simulated IOP and eliminating the
control word concept. It should be observed that the IOP functions remain
intact, however.
On the other hand, functions considered to be particularly
unique in the system design are simulated in a more detailed exact manner
and, in fact, portions of the VCS are simulated at a logic equation level.
The remainder of Section 8.2.2 is a description of the computer system
used in the Simulator Program.
8.2.2.1 General. The simulated computer system is comprised of the
following physical modules:
4 central processing units (CPU)
4 input/output processing units (IOP)
8 memory modules
The computer system is divided into two physically separate and
distinct compartments. Each compartment contains two computers where a
computer consists of 1 CPU, 1 IOP, and 2 memory modules. The
particular modules comprising a given computer may vary, but the term "Computer
1" always refers to the collection of modules currently associated with
IOP 1. Figure 8-1 is a block diagram of compartment A which contains
computers 1 and 2; compartment B is identical and contains computers 3
and 4.
The size and number of memory modules may be varied in the
simulator but 8 modules with 2000 words/module will be assumed in the following
description.
8.2.2.2 Memory Addressing. Each CPU can address 4 modules of
main memory; i.e., all the memory in its compartment. However, the
address (1, 2, 3, or 4) for a given memory module can be modified under
program control; hence module 1, for instance, might represent addresses
1 to 2000 at one time and locations 6001 to 8000 another time. Moreover,
the module address is unique to a memory bus and hence to a CPU/IOP
combination, so each module has 2 addresses. Therefore, module 1 might
simultaneously represent locations 1 to 2000 for CPU 1 and locations 4001
to 6000 for CPU 2. The SMA instruction is used to set the memory module
address. Use of the instruction requires knowledge of a module's current
address in order to change the address. Obviously assigning the same
address to more than one module would create conflicts on the bus and make
those modules inoperative.
8.2.2.3 Memory Access. Several levels of memory access control
are provided to prevent inadvertent memory modification and/or accessing
conflicts.
Each individual memory location contains a "storage protect" indicator 
which determines whether modification of its contents a r e  allowed. 
indicator is se t  during initial program loading. 
execution an attempt is made to  modify a "protected" location, the Storage 
Protect Interrupt (#2) is generated, 
This 
If during instruction 
In addition, each memory module has  five different access options which 
a r e  selected by control commands f r o m  the two CPU's in the compartment. 
The access option determines what level of memory access is available to 
each of the two memory channels (buses). 
The options are:
(1) Both channels open (read and write)
(2) Channel A open, Channel B closed (no read or write)
(3) Channel B open, Channel A closed
(4) Channel A open, Channel B open for read only
(5) Channel B open, Channel A open for read only.
The SAC instruction is used to select the option for each memory
module. However, as long as both computers in the compartment are
"good" (as determined by the diagonal elements of the P-matrix) selection
of a new option can only be accomplished by agreement of the two CPU's in
the compartment. When only one computer in the compartment is good,
only it can select a new option. When neither computer is good, either
one can change the option without agreement from the other. If during
instruction execution, access is requested over a closed memory channel,
the Access Violation Interrupt (#2) is generated.
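The access rules of 8.2.2.3, as an added Python model (not code from the report or its simulator): the five channel options, the per-location storage protect indicator, and the SAC agreement rule driven by the P-matrix diagonal. It assumes that a write over a read-only channel raises the same access violation, that "agreement" means both CPUs have requested the same option, and that a module starts with both channels open; the class and function names are hypothetical.

```python
from enum import IntEnum

STORAGE_PROTECT_ACCESS_VIOLATION = 2   # interrupt level 2 in the report's assignment


class Option(IntEnum):
    BOTH_OPEN = 1
    A_OPEN_B_CLOSED = 2
    B_OPEN_A_CLOSED = 3
    A_OPEN_B_READ_ONLY = 4
    B_OPEN_A_READ_ONLY = 5


# (may_read, may_write) for each memory channel under each of the five options
RIGHTS = {
    Option.BOTH_OPEN:          {"A": (True, True),   "B": (True, True)},
    Option.A_OPEN_B_CLOSED:    {"A": (True, True),   "B": (False, False)},
    Option.B_OPEN_A_CLOSED:    {"A": (False, False), "B": (True, True)},
    Option.A_OPEN_B_READ_ONLY: {"A": (True, True),   "B": (True, False)},
    Option.B_OPEN_A_READ_ONLY: {"A": (True, False),  "B": (True, True)},
}


class Interrupt(Exception):
    def __init__(self, level, reason):
        super().__init__(f"interrupt {level}: {reason}")
        self.level, self.reason = level, reason


class MemoryModule:
    def __init__(self, words=2000, protected=()):
        self.data = [0] * (words + 1)          # locations 1..words
        self.protected = frozenset(protected)  # fixed at initial program load
        self.option = Option.BOTH_OPEN         # assumed starting option
        self.pending = {}                      # channel -> option that CPU asked for

    def _check(self, channel, want_write):
        may_read, may_write = RIGHTS[self.option][channel]
        # Assumption: writing over a read-only channel is also an access violation.
        if not may_read or (want_write and not may_write):
            raise Interrupt(STORAGE_PROTECT_ACCESS_VIOLATION, "access violation")

    def read(self, channel, loc):
        self._check(channel, want_write=False)
        return self.data[loc]

    def write(self, channel, loc, value):
        self._check(channel, want_write=True)
        if loc in self.protected:
            raise Interrupt(STORAGE_PROTECT_ACCESS_VIOLATION, "storage protect")
        self.data[loc] = value

    def sac(self, channel, option, good):
        """SAC from the CPU on `channel`; `good` maps channel -> P-matrix diagonal.
        Returns True if the new option took effect."""
        other = "B" if channel == "A" else "A"
        if good[channel] and good[other]:
            self.pending[channel] = Option(option)
            if self.pending.get(other) != option:
                return False                   # both good: wait for the other CPU
        elif good[other]:
            return False                       # only the good computer may select
        self.option = Option(option)           # sole good computer, or neither good
        self.pending.clear()
        return True


def attempt(fn, *args):
    """Run one memory operation; return its value or the interrupt it raised."""
    try:
        return fn(*args)
    except Interrupt as irq:
        return (irq.level, irq.reason)


def scenario():
    m = MemoryModule(protected={10})           # constructed: location 10 is protected
    both = {"A": True, "B": True}
    out = [m.sac("A", Option.A_OPEN_B_CLOSED, both)]              # B has not agreed
    out.append(attempt(m.write, "B", 20, 7))                       # still both open
    out.append(m.sac("B", Option.A_OPEN_B_CLOSED, both))          # agreement reached
    out.append(attempt(m.read, "B", 20))                           # channel B closed
    out.append(attempt(m.write, "A", 10, 1))                       # protected location
    a_failed = {"A": False, "B": True}
    out.append(m.sac("A", Option.BOTH_OPEN, a_failed))            # failed CPU refused
    out.append(m.sac("B", Option.B_OPEN_A_READ_ONLY, a_failed))   # good CPU acts alone
    out.append(attempt(m.write, "A", 20, 9))                       # A is read only
    out.append(attempt(m.read, "A", 20))
    return out
```

The scenario shows that a computer marked bad in the P-matrix cannot reopen a module the good computer has restricted, while a good pair can only change an option jointly.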
8.2.2.4 Central Processing Units. Each CPU will have the following
characteristics:
9 General Registers (R1 - R9)
1 Program Counter
100 Word Non-Alterable Local Memory (ROM)
The nine general registers may be used for address modification, as
arithmetic accumulators, or as auxiliary storage registers. Register 9,
however, is used as a pointer for a special data "stack" associated with
each CPU, and therefore its use as a general register must be restricted.
The program counter is used to maintain the memory address of the
current instruction.
8.2.2.4.1 Instruction Formats. The instruction repertoire will be
described ... entation in the following general format which is c...
format for the Assembly Program (Appendix 4).
OPC SYMBOL$N, SYMBOL$N, SYMBOL$N
where:
OPC = a 3-character mnemonic instruction code
In general, the instruction mnemonic will be a direct computer
instruction; however, a small number of "pseudo-instructions" is included
as a part of the computer description whose function is to provide some
action or control in the Simulator program.
There may be as many as three symbols of the form SYMBOL$N
included for a given instruction where the symbol or number preceding the
$ refers to a memory address and $N specifies address modification
(indexing) by register N. Obviously, $N is omitted if indexing is not
desired for the particular address.
8.2.2.4.2 Data Formats. Two formats are provided for arithmetic
data, floating point and integer fixed point. The range of numeric data,
binary format, and precision of arithmetic operations will vary depending
on what computer system is being used for simulation. However, these
differences should not be noticeable in programming the computer since
data formats in the assembler and simulator will be decimal and all
computations except integer arithmetic will be performed in floating point.
8.2.2.4.3 Indexing. Any of the general registers may be used for
address modification, indexing. Normal address modification is performed:
i.e., the effective operand address is determined by summing the operand
address and the contents of the specified index register. Address
modification is only defined when the register contains a fixed point integer.
8.2.2.4.4 Arithmetic Instructions. Both floating point and fixed point
integer arithmetic is provided. Results of arithmetic operations can be
accumulated in either a general register or a specified memory location.
In the description of the following instructions, the term "operand address"
refers to the value of SYMBOL$N (i.e., the effective address) and the term
"operand" refers to the contents of the memory location or machine
register designated by the operand address. Note that where the term
SYMBOL$N is used to designate an operand address, any of the nine general
registers may be specified at the programmer's discretion, however,
indexing is not permitted in that case.
1. MV SYMBOL$N, SYMBOL$N (Move)
The 1st operand replaces the 2nd operand.
2. MVA SYMBOL$N, SYMBOL$N, K (Move Address)
If K = 0, the 1st operand ... replaces the 2nd operand. Otherwise, the
negative ... operand address replaces the 2nd operand.
3. XCH SYMBOL$N, SYMBOL$N (Exchange)
The 1st and 2nd operands are interchanged.
4. ADD SYMBOL$N, SYMBOL$N ... (Add)
The sum of the 1st and the 2nd operand replaces the 3rd operand.
Integer fixed point addition is performed.
FLA ...
SUB SYMBOL$N, SYMBOL$N, SYMBOL$N (Subtract)
... tion is performed.
... SYMBOL$N (Floating Subtract)
... ing point subtraction is performed.
... number.
MUL SYMBOL$N, SYMBOL$N ... $N (Multiply)
The product of the two operands replaces the 3rd operand. Integer fixed
point multiplication is performed.
FLM SYMBOL$N, SYMBOL$N, SYMBOL$N (Floating Multiply)
Same as MUL except floating point multiplication is performed.
DIV SYMBOL$N, SYMBOL$N, SYMBOL$N (Divide)
The result of dividing the 1st ope... into the 2nd operand replaces the
3rd ... Integer division is performed and the result is ...
... $N, SYMBOL$N (Floating Divide)
... ing point division is performed.
... (Convert to fixed point)
... ting point) is converted to a fixed point integ... a) and replaces the
2nd operand.
... ogical data will be represented as machine flags (flip-flops). A set of
... ed with each memory module. The ... can be set, reset, tested, and
further manipulated under CPU program control.
The following instructions are provided for logical manipulation. For
this group of instructions the value of the operand designator FLAG is
only defined for the range 1 to 400.
1. ... $N, FLAG$N (Set f...
... specified by the ope...
2. RST FLAG$N, FLAG$N, FLAG$N (Reset ...
... chine flag(s) specified by the ope...
3. IVT I, FLAG$N, FLAG$N (Invert flags)
The state of the block of I flag(s) specified by the 2nd operand is
inverted and copied into the block starting with the 3rd operand.
4. CPY I, FLAG$N, FLAG$N (Copy flags)
A block of I flags starting with the 3rd operand is set/reset to the
state of the block starting with the 2nd operand.
5. ... FLAG$N (And f...
... he 3rd operand is ... correspond to the logical product of the ...
6. ... (Or flags)
... operand is set/reset to correspond to the logical sum of the flags
specified by the 1st and 2nd operands.
7. STB I, FLAG$N (Set block)
The block of I flags starting with the 2nd operand is s...
8. RSB I, FLAG$N (Reset block)
The block of I flags starting with the 2nd operand is reset.
9. ... I, FLAG$N, FLAG$N ('AND' block)
... block of I flags starting with the 2nd ope... (logical product) with
the block starting with ... and the result replaces the latter block.
10. ORB I, FLAG$N, ... ('OR' block)
Same as ANB except logical sum is used instead of product.
8.2.2.4.6 ... A 50 word temporary data stack is associated with each
computer. ... e stack locations are addressed 1 - 25 and register 9 is
used as a pointer for the stack. The stack is filled from address ...
upward and the pointer always contains the address of the uppermost stack
entry. The stack is used in conjunction with BSR, RET, RRT, and IRT
instructions as temporary storage for saving register data. Additionally,
the stack may be used for "scratch" storage where subroutine re-entrance
is desired. The following instructions are provided for that purpose:
1. MTS SYMBOL$N, K (Move To Stack)
The first operand replaces the contents of the stack location specified
by R9 + K. If K > 0, register 9 is incremented by K. (K must be an
integer).
2. MFS SYMBOL$N, K (Move From Stack)
The contents of the stack location specified by R9 + K replace the first
operand. Register 9 is unchanged. (K must be an integer).
8.2.2.4.7 Branch Instruction. The following instructions are provided
for condition... modification of the program execution sequence. Note that
the first operand for these instructions may not specify a general
register.
... The program counter is set to the operand address.
2. BRI SYMBOL$N (Branch Release Interrupts)
Same as B except the interrupt level currently active is released. (See
description of Interrupt System).
3. BSR SYMBOL$N, K (Branch to Subroutine)
The program counter is set to the operand address. The previous value of
registers R4, R3, R2, R1, and the program counter are stored in that
order in the data stack starting at the address specified by R9 + 1 + K.
Register 9 is incremented by K + 5 where 0 ≤ K ≤ 50.
4. RET K (Return)
The contents of the stack location specified by R9 replace the contents
of ... m counter. Register 9 is decremented by K + 5, where ...
5. RRT K (Return & Restore)
The contents of the five stack locations starting downward from the
address specified by R9 replace the contents of the program counter and
R1 - R4 respectively. Register 9 is decremented by K + 5 where
0 ≤ K ≤ 50.
6. IRT K (Interrupt Return)
The contents of the nine stack locations starting downward from the
address specified by R9 replace the contents of the program counter and
R1 - R8 respectively. Register 9 is decremented by 9. In addition, the
interrupt level currently active (if any) is released. (See description
of Interrupt System).
7. BE SYMBOL$N, SYMBOL$N, SYMBOL$N (Branch on Equal)
If the 2nd and 3rd operands are numerically equivalent, the program
counter is set to the 1st operand address. Otherwise, the program counter
is incremented normally.
8. BNE SYMBOL$N, SYMBOL$N, SYMBOL$N (Branch on Not Equal)
If the 2nd and 3rd operands are numerically different, the program
counter is set to the 1st operand address. Otherwise, the program counter
is incremented normally.
9. BGT SYMBOL$N, SYMBOL$N, SYMBOL$N (Branch on Greater Than)
If the 2nd operand is numerically larger than the 3rd operand, the
program counter is set to the 1st operand address. Otherwise, the program
counter is incremented normally.
10. BLT SYMBOL$N, SYMBOL$N, SYMBOL$N (Branch on Less Than)
If the 2nd operand is numerically smaller than the 3rd operand, the
program counter is set to the 1st operand address. Otherwise, the program
counter is incremented normally.
11. BIL SYMBOL$N, SYMBOL$N, SYMBOL$N (Branch in Limits)
If the 2nd operand is numerically larger than or equal to the 3rd operand
and smaller than or equal to the contents of the 3rd operand address plus
one, the program counter is set to the 1st operand address. Otherwise,
the program counter is incremented normally.
12. BOL SYMBOL$N, SYMBOL$N, SYMBOL$N (Branch Out of Limits)
If the 2nd operand is numerically smaller than the 3rd operand or larger
than the contents of the 3rd operand address plus one, the program
counter is set to the 1st operand address. Otherwise, the program counter
is incremented normally.
13. BI SYMBOL$N, SYMBOL$N, DATA (Branch and Increment)
The sum of the 2nd operand and the value of DATA replace the 2nd operand.
If the sum is negative, the program counter is set to the 1st operand
address. Otherwise, the program counter is incremented normally.
14. BS SYMBOL$N, FLAG$N, FLAG$N (Branch on Set)
If the flags specified by the 2nd operand and 3rd operand are set, the
program counter is set to the 1st operand address. Otherwise, the program
counter is incremented normally.
15. BR SYMBOL$N, FLAG$N, FLAG$N (Branch on Reset)
If the flags specified by the 2nd operand and 3rd operand are reset, the
program counter is set to the 1st operand address. Otherwise, the program
counter is incremented normally.
16. BM SYMBOL$N, FLAG$N, FLAG$N (Branch on Mixed)
If the state of the flags specified by the 2nd and 3rd operands is
different, the program counter is set to the 1st operand address.
Otherwise, the program counter is incremented normally.
17. BMS SYMBOL$N, FLAG$N, FLAG$N (Branch on Mixed Specific)
If the flag specified by the 2nd operand is set and the flag specified by
the 3rd operand is reset, the program counter is set to the 1st operand
address. Otherwise, the program counter is incremented normally.
18. BBS SYMBOL$N, I, FLAG$N (Branch on Block Set)
If the block of I flags starting with the 3rd operand is set, the program
counter is set to the 1st operand address. Otherwise, the program counter
is incremented normally.
19. BBR SYMBOL$N, I, FLAG$N (Branch on Block Reset)
If the block of I flags starting with the 3rd operand is reset, the
program counter is set to the 1st operand address. Otherwise, the program
counter is incremented normally.
20. BBE SYMBOL$N, FLAG$N, FLAG$N (Branch on Block Equal)
If the block of 4 flags starting with the 2nd operand is logically
equivalent to the block of 4 flags starting with the 3rd operand, the
program counter is set to the 1st operand address. Otherwise, the program
counter is incremented normally.
8.2.2.4.8 Control Instructions. The following instructions provide
basic mode control:
1. WT (Wait for Interrupt)
The program counter is incremented by one and CPU enters a "non-compute"
mode. The "compute" mode will be reentered when any interrupt is
received, at which time normal execution will be resumed.
2. HLT (Halt)
The CPU enters a "halt" mode. No interrupts are recognized in this mode.
3. SMA SYMBOL$N, SYMBOL$N (Select Module Address)
The address of the memory module specified by the 1st operand address is
set to the 2nd operand address.
4. SAC (Set Access Control)
This instruction selects the memory access option specified by the 2nd
operand address for the memory module specified by the 1st operand
address. The access options are as follows:
(1) Both channels open
(2) Channel A open, channel B closed
(3) Channel B open, channel A closed
(4) Channel A open, channel B open for read only
(5) Channel B open, channel A open for read only
8.2.2. ... Each CPU contains a 100 word n... pose of this memory is to
provide capability for autonomous CPU operation to assist in module level
reconfiguration. This memory is addressed as locations 1 to 100 and two
instructions are provided to enable program branching between main
memory and the ROM.
1. BEM SYMBOL$N (Branch to Local Memory)
The local memory mode is established. The program counter is set to the
1st operand address (in the ROM).
2. BMM SYMBOL$N (Branch to Main Memory)
The main memory mode is established. The program counter is set to the
1st operand address (in main memory).
8.2.2.4.10 Interrupt System. Six interrupt levels are provided for each
CPU. A different priority is associated with each level. Two levels of
control are provided for the interrupt system: 1) the entire system can be
enabled or disabled under CPU control, and 2) each individual interrupt
level can be armed or disarmed selectively under CPU control. When an
individual interrupt level is disarmed, no interrupt at that level is
recognized or retained. When a level is armed, the interrupt level will
become active if: 1) an interrupt is present, 2) the interrupt system is
enabled, and 3) no level of higher priority is currently active.
When an interrupt level becomes active, the CPU interrupts the program
sequence, stores the contents of registers R8, R7, ..., R1, and the
program counter in the data stack advancing R9 by 9, and executes the
instruction in one of six fixed locations in the ROM. This instruction will
normally be a BMM or B instruction which transfers control to the
interrupt processing subroutine. Normally an interrupt level, once active,
remains in that state until an interrupt return instruction (IRT or BRI) is
executed signifying that processing has been completed. However, the
level may be temporarily made inactive if a level of higher priority
requires servicing.
The following instructions are provided for control of the interrupt
system. It should be noted that an interrupt level will not become active
until after execution of one instruction subsequent to an EI instruction.
... upt system is enab...
2. ...
3. ...
4. DAI I, I, I (Disarm Interrupts)
The interrupt(s) specified by the operand(s) are disarmed.
(I = 1, 2, ..., 6)
5. EXI I, I, I (Execute Interrupts)
The interrupt(s) specified by the operand(s) are initiated.
(I = 1, 2, ..., 6)
The interrupt assignment is as follows where interrupt 1 is the highest
priority:
1. Power Up
2. Storage Protect/Access Violation
3. P11 or P33 (ZA or ZC)
4. P22 or P44 (ZB or ZD)
5. Primary RTC*
6. Secondary RTC*
*The primary RTC is the one from the corresponding IOP (RTC1 for CPU1).
The secondary RTC is the one from the other IOP in the compartment.
8.2.2.4.11 Pseudo Instructions. For convenience in the simulation
software system, a set of "pseudo" instructions is included in the CPU
instruction set which would normally not be available and may have no
effect on the CPU itself, but which provides control of special simulator
features during program execution. These instructions are assigned
addresses in the object computer memory but no time is associated with
their execution.
1. DLY SYMBOL$N, K (Delay)
This instruction causes the CPU to "waste" the amount of time specified
by the value of the 1st operand and to replace the 1st operand with the
value K. No other registers or memory locations are affected and the
timing relationship between other CPU and I/O processors is maintained.
2. P ABC... (Print)
The specified string of up to 56 alphanumeric characters is printed on
the simulator output listing together with the simulated computer
cumulative execution time.
3. PD SYMBOL$N, SYMBOL$N, SYMBOL$N (Print Decimal Integer)
The operand(s) is printed on the simulator output listing. The
operand(s) is assumed to be an integer.
4. PFD SYMBOL$N, SYMBOL$N, SYMBOL$N (Print Floating Decimal)
Same as PD except the operand(s) is assumed to be a floating point
number.
5. PF I, FLAG$N (Print Flags)
The states of the block of I flags starting with the 2nd operand are
printed on the output listing.
8.2.2.4.12 ... The following table specifies the execution time ... No
units need be associated with the times since only relative time is
significant for the simulation, however for convenience they are referred
to as microseconds.
INSTRUCTION                                              EXECUTION TIME
ADD, FLA, SUB, FLS, BIL, BOL, CPY, ANB, ORB, AND, OR     3
MUL, FLM, SIN, COS, SQR                                  5.5
DIV, FLD                                                 10
SCH                                                      3.5
MVA, SET, RST, STB, IVT, RSB, BS, BR, BM, BBS, BI, BIB,
BMS, RET, MTS, MFS                                       2
B, EI, DI, AI, DAI, EXI, WT, HLT, BRI, SMA, SAC          1
BSR, RRT, IRT                                            6
BE, BNE, BGT, BLT, MV, COM, FLC, FIX, FLT                2.5
8.2.2.5 Input/Output Processing Unit. Each IOP is an independent
processor having the following characteristics:
Stored program control
Figure 8-2 is a block diagram of the data channels connecting the IOP
with external subsystems (LPs) and with other IOPs. The voting/comparison
logic has been called a VCS and is described in detail in Section 4.
8.2.2.5.1 Memory Addressing. Each IOP can address only 2 modules of
main memory. From an addressing standpoint these two modules are always
numbers 1 and 2. However, as previously indicated, the CPUs can
reassign the memory module addresses; hence, each IOP may actually
operate with any memory module in the same compartment.
8.2.2.5.2 Real Time Clock. Each IOP contains an independent timing
source which is used to generate a fixed frequency clock pulse referred to
as the Real Time Clock (RTC). This clock is used to maintain a real time
reference in both the CPUs and the IOPs. The RTC associated with a given
IOP is routed in the form of a program interrupt to the two CPUs in the
corresponding computer compartment.
The RTC is normally used as a "proceed" indication in the IOP program
causing the IOP to continue after execution of an IDL (Idle) instruction. If
the RTC occurs in other than an idle mode the IOP program counter is set
to location 7.
8.2.2.5.3 Master Sync. In order to allow for synchronous operation of
the four IOPs, a sync controller is provided in each IOP which derives a
"master sync" signal from the four RTCs in the system. The sync
controller is initiated by an SNC (Sync) instruction and the process is as
follows:
The IOP transmits a sync message addressed to all computers. This
message is initiated a fixed time interval prior to the RTC pulse where
the interval is precisely the transmission time for the message.
All operating IOPs likewise transmit a sync message. If at least two
computers are included in the synchronization process as specified by the
mask word of the SNC instruction, then the second sync message received
is used as a "master sync" point. This causes the RTC time to be reset
and the IOP program to proceed after a 6 µs delay.
If only two computers are indicated in the mask and a second sync
message is not received within 6 µs or if only one computer is indicated
by the mask, then the receipt of the first sync message is used as the
master sync point.
Note that the IOP's own sync message is included if indicated in the
mask word. In this case, the IOP accounts for the transmission time of
the sync message and "simulates" receipt of its own transmission.
(5) If at the time of execution of an SNC instruction, the RTC timer is
less than the sync message transmission time plus 6 µs, then the IOP
program counter is set to location 7.
(6) Sync messages received at any time other than during execution of an
SNC instruction are ignored.
8.2.2.5.4 ... Each IOP contains a continuously running interval time...
Watchdog Timer (WDT). The timer is counted down and when it reaches
zero, the IOP automatically reloads it with the contents of location 5 and
stores zero into location 5. If the WDT ever goes negative, a no-go signal
is sent to the P-matrices in each IOP which will reset the diagonal
element corresponding to the IOP issuing the signal. The P element going
false triggers an interrupt to the two CPUs in the corresponding
compartment. Additionally, the IOP program counter is set to location 6.
This operation occurs regardless of IOP mode.
The WDT is used to detect gross CPU malfunctions which result in loss
of CPU program control. In normal operation, the CPU program would
reload the WDT reset value in location 5 at regular intervals such that the
WDT would not run out. The interval of the WDT timer is under CPU
program control, but is limited to a maximum of approximately 60 MF
As previously indicated, the WDT from a given IOP is used to determine
the state of the P-matrix diagonal element corresponding to that computer.
Hence, this signal is routed to the P-matrices in every other IOP.
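The watchdog reload rule above, as an added Python simulation (not the report's simulator code) that shows when the no-go fires after a CPU stops refreshing location 5. It assumes one WDT count per tick, that location 5 is preloaded at start, and that a reload value of zero is what lets the timer go negative on the next count; the class and function names are hypothetical.

```python
WDT_RELOAD_LOC = 5    # IOP memory location holding the next WDT reset value
WDT_TRAP_LOC = 6      # the IOP program counter is forced here on a no-go


class IOP:
    def __init__(self, number, reload_value):
        self.number = number
        self.mem = {WDT_RELOAD_LOC: reload_value}   # assumed preloaded at start
        self.wdt = reload_value
        self.pc = 100                               # arbitrary running address
        self.no_go = False

    def cpu_refresh(self, reload_value):
        """What a healthy CPU program does at regular intervals."""
        self.mem[WDT_RELOAD_LOC] = reload_value

    def tick(self):
        """Count the WDT down once; return True on the tick the no-go is raised."""
        if self.no_go:
            return False
        self.wdt -= 1
        if self.wdt < 0:
            self.no_go = True
            self.pc = WDT_TRAP_LOC
            return True
        if self.wdt == 0:
            # Reload from location 5, then zero it so a stale value is never reused.
            self.wdt = self.mem[WDT_RELOAD_LOC]
            self.mem[WDT_RELOAD_LOC] = 0
        return False


def run(reload_value, refresh_period, cpu_hangs_at=None, max_ticks=200):
    """Simulate IOP 1 in compartment A.
    Returns (tick of the no-go or None, P-matrix diagonals, interrupted CPUs)."""
    iop = IOP(1, reload_value)
    # One P-matrix per IOP; only the diagonal (computer good or bad) is modelled.
    p_diag = {holder: {n: True for n in range(1, 5)} for holder in range(1, 5)}
    for t in range(1, max_ticks + 1):
        cpu_alive = cpu_hangs_at is None or t < cpu_hangs_at
        if cpu_alive and t % refresh_period == 0:
            iop.cpu_refresh(reload_value)
        if iop.tick():
            for holder in p_diag:          # the no-go reaches the P-matrix in each IOP
                p_diag[holder][iop.number] = False
            return t, p_diag, (1, 2)       # both CPUs of the compartment are interrupted
    return None, p_diag, ()
```

With a reload value of 10 and a CPU that hangs at tick 13, the no-go is raised at tick 31: the value refreshed just before the hang buys one more full interval, so detection can lag the fault by almost two intervals.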
8.2.2.5.5 IOP Instructions.
1. OS DATA, VCS, LP (Output to Subsystem)
This instruction initiates a data transfer from the IOP to an external
subsystem through a VCS (in the same IOP or another IOP). The memory
location specified by DATA contains the number of words (excluding the
output control word) to be transmitted and DATA + 1 contains the first
word of the message. The symbol, VCS, specifies the first of two
consecutive memory locations, each of which contains a VCS address (an
integer, 1-4). The value of the symbol, LP, is the sum of the Local
Processor address (an integer between 0-20) and the output control code
36520.
The output transmission process is as follows:
A. Data is transmitted simultaneously or individually from any/all IOPs
to a given VCS. The first word transmitted is the output control word
which is the sum of the output control code, 36520, the LP address, and
the VCS address times 10... The VCS compares the data from the IOPs on a
word basis where sync between IOPs must be maintained -6.15 µs.
Selection of the comparison/voting mode in each VCS is controlled by the
state of the R-matrix which is set by mode control commands from all
four computers (see LR instruction).
B. Data transmission is word and bit serial (16 bits + parity per word)
at a 1 MHz rate.
C. The results of the data comparison/voting process in the VCS
determine what data (if any) is transmitted on the data bus to the local
processor. Each bus is a closed loop, beginning and ending at a VCS. As
data is transmitted, it is simultaneously received in the same VCS and
routed on a common bus to all IOPs.
D. Each IOP which is transmitting data automatically compares this
"feedback" of the data with the data it has transmitted on a word by word
basis. When the entire message (one output instruction) has been
transmitted, the IOP automatically transmits one more word, a "Go/No-Go"
indicator. This word is taken from one of two dedicated memory
locations, depending on the results of the feedback comparison. Location
8 is the Go indicator and 9 is the No-Go.
E. The feedback of the Go/No-Go word is examined in the IOP. If "Go" is
indicated, the IOP proceeds to the next program instruction. If "No-Go,"
the entire message (hence the OS instruction) is repeated. If the second
transmission is also No-Go, a third is attempted. If the third fails, the
second of the two VCS address words is selected and the transmission is
attempted up to three (3) more times. If all six (6) transmissions are
faulty, the IOP reselects the first VCS address word and proceeds to the
next program instruction. If transmission is successful using the second
address word, this selection is retained for subsequent I/O operations
until the occurrence of three successive faulty transmissions which
cause a return to the first address.
If, during the output process, the feedback does not occur or is
interrupted (due to no majority at the VCS or to noise on the bus) the
transmission is terminated and the retransmission process initiated.
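The retransmission and VCS address switching rule of the OS instruction, as an added Python sketch (not code from the report): up to three tries on the selected VCS address word, up to three on the other, with a working selection retained for later operations. It collapses the Go/No-Go word exchange into one boolean per attempt and assumes that a return from the second address to the first also gets up to three tries within the same instruction; the bus model, message words and names are constructed for illustration.

```python
class OutputChannel:
    """Per-IOP state for the OS instruction's retry and VCS address switching."""

    TRIES_PER_ADDRESS = 3

    def __init__(self, vcs_words):
        if len(vcs_words) != 2:
            raise ValueError("OS takes two consecutive VCS address words")
        self.vcs_words = tuple(vcs_words)
        self.selected = 0                    # index of the address word in use

    def os(self, message, transmit):
        """Send `message`; `transmit(vcs, message)` returns True for a Go feedback.
        Returns (went_ok, [VCS address used on each attempt])."""
        attempts = []
        start = self.selected
        for index in (start, 1 - start):
            for _ in range(self.TRIES_PER_ADDRESS):
                vcs = self.vcs_words[index]
                attempts.append(vcs)
                if transmit(vcs, message):
                    self.selected = index    # a working selection is retained
                    return True, attempts
        self.selected = 0                    # all six faulty: back to the first word
        return False, attempts


def make_bus(faults):
    """Constructed bus model: `faults` maps a VCS address to a function that
    returns the feedback that VCS gives (None means no feedback at all)."""
    def transmit(vcs, message):
        feedback = faults[vcs](message) if vcs in faults else list(message)
        # Word-by-word feedback comparison; missing feedback counts as faulty.
        return feedback is not None and feedback == list(message)
    return transmit


def no_feedback(message):
    return None                              # no majority at the VCS, or bus noise


def flip_last_bit(message):
    return message[:-1] + [message[-1] ^ 1]  # one corrupted word in the feedback


def scenario():
    msg = [11, 22, 33]                       # constructed data words
    ch = OutputChannel((2, 3))               # first word -> VCS 2, second -> VCS 3
    log = [ch.os(msg, make_bus({2: no_feedback}))]          # 2, 2, 2 then 3
    log.append(ch.os(msg, make_bus({2: no_feedback})))      # VCS 3 retained
    log.append(ch.os(msg, make_bus({3: flip_last_bit})))    # 3, 3, 3 then back to 2
    log.append(ch.os(msg, make_bus({2: no_feedback, 3: no_feedback})))
    return log, ch.selected
```

The attempt lists make the cost of a dead VCS visible: the first operation after a failure pays three wasted transmissions, and later operations pay none until the retained address itself fails.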
2. OSN DATA, VCS, LP (Output to Subsystem, No Retransmission)
Same as OS except that no attempt is made to repeat the transmission
when a No-Go is indicated. Note that the symbol VCS specifies only a
single VCS address word for this instruction.
3. IS DATA, VCS, LP (Input from Subsystem)
This instruction initiates the transmission of data from a subsystem to
the computer system. The memory location specified by DATA contains the
number of words to be transmitted and the data words are to be stored
starting at DATA + 1. The symbol VCS specifies the first of two memory
locations which contain codes designating which data bus(es) are to be
used for the reply transmission. The code is an integer ranging from 1 to
4321 and is comprised of from one to four of the integers 1, 2, 3, or 4
where each integer can appear only once.
Examples:
123 Transmit data request over bus 1 and receive over buses 1, 2, and 3.
2431 Transmit over 2; receive over 1, 2, 3 and 4.
The value of the symbol, LP, is the sum of the local processor address
(0-20) and the input control code 41630. The input process is as follows:
A. An input request is transmitted simultaneously or individually from
any/all IOPs to a VCS. The input request consists of two words. The
first word is the sum of the input control code 41630, the LP address,
and the reply bus code times 10^5. The second request word is the
message length (DATA + 1). The "output" of the input request words
through the VCS and back to the participating computers is identical to
the data output process previously described except that the Go/No-Go
indicator is not transmitted. The feedback comparison is performed
however.
B. After the input request is transmitted, the IOPs await an
"acknowledge" message from the LP transmitted on the same bus as the
request. The acknowledge message is the sum of the first input request
word and the constant 50, and is compared with the expected ...
participating IOPs.
C. Retransmission of the input request is attempted if either of the
following conditions occur.
(1) The feedback of the input request fails to compare.
(2) The acknowledge is not received within 84 µs or is incorrect.
The retransmission and VCS address switching process is the same as
described for output transmissions except that the VCS address selection
affects the selection of input buses as well as the output bus. However,
if only the acknowledge message is at fault, no VCS address switching
occurs.
D. If no retransmission is indicated, the data input process will proceed
and data transmitted from the LP will be stored in memory. At the
conclusion of the message the IOP stores one more word which is equal to
1 if no errors were detected and -1 if transmission was unsuccessful or
faulty.
E. If retransmission is required, storing of data resulting from a faulty
LP transmission is inhibited.
4. ISN DATA, VCS, LP (Input from Subsystem, No Retransmit)
Same as IS except no retransmission is attempted. Note that the symbol
VCS specifies only a single VCS address word for this instruction.
OC DATA, C O W ,  ADDR. (Output to  Computer) 
This instruction initiates a data transmission to  one o r  more 
of the other computere (IOPs), The memory location speci- 
fied by DATA contains the number of words to be transmitted 
and DATA t l  contains the first word of the message. 
IOP(s) being addressed is determined by a code contained in 
the location specified by C O W .  
integer between 1 and 4321 and is comprised of the integers 
1, 2 ,  3 and 4, each being used only once. 
The 
The code contains a decimal 
Example: 123, 321, etc. means transmit to 
computers 1, 2 and 3, 
The location specified by ADDR contains an integer, 0 - 9.
This integer is used to select one of 10 locations in the 
ter which will cone 
a is to  be stored. rate block of 
The memory assignment 
add r e s  s where 
input channel 
. .  
ten (10) locations is dedicated to eac 
o every other SO 
IOP 1 location 10 - 19
IOP 2 location 20 - 29
IOP 3 location 30 - 39
IOP 4 location 40 - 49
For example, assume that an OC instruction is being executed
by IOP 2, location COMP contains 3, and location ADDR
contains 5. The instruction would cause data to be transferred
from IOP 2's memory starting with DATA+1 to IOP 3's
memory starting with the address contained in location 25.
Data transmission is bit and word serial at a 1 MHz rate
where a word is 16 bits plus parity. No acknowledge is
given by the receiving IOP(s) and no feedback comparison
is performed on the transmitted data. (See General Note.)
6. LR DATA, VCS (Load R)
This instruction initiates transmission of a mode control
message to one or more VCSs. The four machine flags
starting with the one specified by DATA are used to set
the appropriate row in the R matrix of the VCS(s) determined
by a code in the location specified by VCS. The code is
analogous to the ones described previously and allows
selection of any combination of the four VCSs. (See General
Note.)
7. LP DATA, VCS (Load P)
This instruction is analogous to LR and is used to set
three elements of the appropriate row in the P-matrix
of one or more VCSs.
8. SAR DATA, VCS (Sample R)
The VCS mode determined by the current R-Matrix configuration
is stored in four consecutive machine flags starting
with the one specified by DATA. The location specified by
VCS contains the VCS address (1, 2, 3 or 4). (See General
Note.)
9. SAP DATA, VCS (Sample P)
This instruction is analogous to SR and stores the four
diagonal elements of the P-matrix. (See General Note.)
10. SAS DATA, VCS (Sample S)
This instruction is analogous to SR and SP and stores the
contents of the appropriate row of the S matrix. (See General Note.)
11. RS VCS (Reset S)
This instruction sets the elements of the appropriate row in the
S matrix to zero. The location specified by VCS contains the
VCS address (1, 2, 3 or 4). (See General Note.)
12. J SYMBOL (Jump)
The program counter is set to the value of SYMBOL.
13. BC SYMBOL, COUNT, INIT (Branch and Count)
The contents of the location specified by COUNT are incremented
by one. If the incremented value exceeds 31, the contents
of COUNT are set to the value of INIT and the program counter
is set to the value of SYMBOL. Otherwise the program
counter is incremented normally.
14. TF SYMBOL, FLAG (Test Flag)
If the machine flag specified by FLAG is set (1), the program
counter is set to the value of SYMBOL. Otherwise the
program counter is incremented normally.
15. SF FLAG (Set Flag)
The machine flag specified by FLAG is set.
16. RF FLAG (Reset Flag)
The machine flag specified by FLAG is reset.
17. IDL (Idle)
The IOP enters an idle (non compute) mode during which no
further instructions are executed. This mode is retained
until a "proceed" signal occurs due to the real time clock.
When this occurs, the IOP proceeds to the next instruction
in sequence.
18. SNC SM Sync)
The IOP enters an idle (non-compute) mode during which no
further instructions are executed. This mode is retained
until a "Start Cycle" signal is generated by the master sync
controller (see description of master sync). When this
occurs, the IOP proceeds to
four co 
s a r e  to 
GENERAL NOTE: (OC, LR, LP, SR, SP, SS, SAM, RS, OS, OSN,
IS, ISN)
As pictured in Figure 8-2, output data from a given IOP is transmitted
on the same bus as is used for feedback data or input data from the
system bus associated with that IOP. Therefore, IOP 4 cannot send
data to another IOP while Bus 4 is being used. To resolve a potential
conflict, data on the system bus is given priority. Hence, if an OC
instruction, for example, is being executed in IOP 4 when a transmission
is initiated on Bus 4, execution of the OC instruction will be terminated,
re-initialized, and remain pending until the bus becomes available, at
which time it will begin execution again. Likewise, if the OC
instruction is encountered while the bus is busy, execution of the
instruction will be delayed until the bus is free.
This potential delay or interruption of instruction execution can occur
with any instruction requiring transmission of data to another IOP; i.e.,
OC, LR, LP, SR, SP, SS, SAM, RS, OS, OSN, IS, ISN. Note that no
delay can occur on these instructions when they are addressed to the
VCS in the same IOP.
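Added example (not part of the original report): a Python model of the
addressing rules given above for the OC instruction. It validates the COMP
code and resolves the destination through the pointer slot that the receiver
keeps in the ten-location block reserved for the sending IOP. The dictionary
memories, the function names, and the choice to skip a COMP digit that names
the sender are assumptions.

```python
# Added illustration; the memory model and names are assumptions.
BLOCK_SIZE = 10          # ten pointer locations per input channel
IOPS = (1, 2, 3, 4)


def decode_comp(code):
    """Return the IOPs named by a COMP code, in ascending order.

    A valid code is a decimal integer made of the digits 1-4 with no digit
    repeated, so it always lies between 1 and 4321.
    """
    if isinstance(code, bool) or not isinstance(code, int):
        raise ValueError("COMP code must be an integer")
    digits = [int(ch) for ch in str(code)] if code > 0 else []
    if not digits or any(d not in IOPS for d in digits):
        raise ValueError(f"COMP code {code} has a digit outside 1-4")
    if len(set(digits)) != len(digits):
        raise ValueError(f"COMP code {code} repeats a computer")
    return sorted(digits)


def pointer_location(sender, addr):
    """Location in the receiver that holds the destination address."""
    if sender not in IOPS:
        raise ValueError("sender must be IOP 1-4")
    if isinstance(addr, bool) or not isinstance(addr, int) or not 0 <= addr <= 9:
        raise ValueError("ADDR must hold an integer 0-9")
    return sender * BLOCK_SIZE + addr


def execute_oc(memories, sender, data, comp, addr):
    """Model OC DATA, COMP, ADDR executed by IOP `sender`.

    `memories` maps IOP number -> {location: word}. `data`, `comp` and
    `addr` are locations in the sender's memory. Both operands are validated
    before any word is written. Returns (receiver, first address) pairs.
    """
    src = memories[sender]
    count = src[data]
    words = [src[data + 1 + i] for i in range(count)]
    slot = pointer_location(sender, src[addr])
    written = []
    for receiver in decode_comp(src[comp]):
        if receiver == sender:        # assumption: OC targets other IOPs only
            continue
        dest = memories[receiver]
        base = dest[slot]             # address chosen by the receiver itself
        for offset, word in enumerate(words):
            dest[base + offset] = word
        written.append((receiver, base))
    return written


def demo():
    """Constructed memories reproducing the report's IOP 2 -> IOP 3 case."""
    memories = {n: {} for n in IOPS}
    memories[2].update({100: 3, 101: 7, 102: 8, 103: 9, 200: 3, 201: 5})
    memories[3][25] = 500             # receiver's pointer for slot 25
    written = execute_oc(memories, sender=2, data=100, comp=200, addr=201)
    return written, [memories[3][a] for a in (500, 501, 502)]
```

Because the sender supplies only a slot number 0 - 9 and the receiver supplies
the address stored in that slot, a faulty sender can reach only the buffers
the receiver has published for that sender's channel.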
8.2.3 RGC Assembly Program
The Assembly Program for the Reconfigurable G&C Computer System
(RGC) is used to process programs written in a symbolic assembly language
and prepare them for input to the RGC Computer System Simulation Program.
The architecture and functional characteristics of the RGC computer system
are described in Section 8.2.2. Programs written for this computer system
are input to the Assembly program in the form of a punched card deck. The
Assembly program produces a printed listing of the programs and a punched
card deck suitable for input to the RGC Computer Simulation program (Section
8.2.4).
The Assembly Program is written in Fortran IV for execution on the
IBM S360/65 at Autonetics and the XDS SIGMA 5 at NASA MSC. However,
the language is compatible with the Fortran compilers for the Univac 1108
and CDC 6600 systems also.
The program is constructed in a "two-pass" organization common to
many symbolic assemblers. During the initial pass over the input card deck,
all symbolic references are evaluated and a table of symbol values is
constructed. Some checking of input format is also performed in the first
pass. As the input cards are read during pass 1, they are saved on magnetic
disc storage for more rapid access during pass 2.
During the second pass, the symbol table constructed during pass 1 is
used to assign memory addresses to all instructions, operand references,
data items, etc. This information is punched in a compressed format (3
instructions/card) in the object deck together with control information used
by the Simulation program during the loading process. Further error
checking is performed in pass 2, and the results of the assembly process are
printed in a one-input-card/line format on the program listing.
A user-oriented description of this program is contained in Appendix 4
of this report.
8.2.4
The Simulation Program for the Reconfigurable G&C Computer System
(RGC) is designed to simulate execution of programs written for the RGC
system and input in card deck form in the format produced by the RGC
Assembly program. The architecture and functional characteristics of the
RGC computer system are described in Section 8.2.2.
The simulation can be characterized as functional and interpretive, 
indicating that 
cated.and that 
erformance of the RGC system is dupli- 
instructions a r e  individually examined and 
reted to  determine appropriate simulated actions. 
is constructed in a highly 0 
r e  six major program n 
ocessor, 3. CPU Executive, 
The Main Executive maintains overall simulation timing, sequencing, and
mode control. A "ring" structure is employed to control timing and sequencing.
The ring defines the sequence and duration of simulated execution of each of
the IOPs, CPUs, and VCSes and initiates the Fault Generator when necessary.
When conditions in the simulation indicate the necessity to update a given
processor, a "call" is placed in the ring for that processor for the time at which
the conditions were established. For example, executing an IOP instruction
which caused simulated data transmission to a VCS would result in insertion
of a call to that VCS in the ring at the time of arrival of the data. In this
manner the parallel operation of the RGC system processors is realistically
simulated in a necessarily serial manner.
The Input Processor is used to load the RGC programs into the simulated
memory modules and to initialize the simulation.
The CPU and IOP Executives control simulated execution of the CPUs
and IOPs respectively. The unique status of each processor being simulated
is maintained in a common status area such that common routines are used
to simulate all CPUs or IOPs. The bulk of the simulated execution is
performed by the Instruction Processor module which consists of a unique
subroutine for each CPU and IOP instruction type.
The VCS Simulator simulates the detailed logic in the four VCSes. The
timing relationships between the VCSes and the IOPs are very critical to
system operation. The time resolution in the simulation is therefore
maintained more precisely when VCS activity is being simulated.
The Fault Generator performs two basic functions. Initially, it processes
the data on the fault list cards which select pre-planned faults to be simulated.
Subsequently during simulation of malfunctions, it interacts with the CPU and
IOP Executives and the VCS Simulator to alter conditions in the simulation
affected by the fault being simulated. Much of the Fault Generation is merely
program "linkages" inserted in the normal execution sequence which provide
for transfer of data and control between the Fault Generator and the other
program routines to allow for the necessary interaction. These linkages can
be readily used for insertion of additional fault types or specific malfunction
conditions not included in the set of pre-planned faults.
A user-oriented description of this program is contained in Appendix 4
of this report.
8.3 RGC SOFTWARE SYSTEM
The RGC Software System consists of routines programmed in a symbolic
assembly language for execution on the simulation system described in
Section 8.2. Except for format differences, these routines are identical to
programs which might be implemented in an actual guidance and control
computer to perform the executive, input/output, and reco
Operation of an integrated multi-computer system presents some unique
problems in the area of overall system control, sequencing, and mode/status
maintenance. (The term integrated system is used here to exclude
computer systems which are essentially operated as a group of independent,
non-interacting units.)
The major problems arise from considerations of the effect of processor
failures on overall system performance and are primarily related to determining
where to assign primary system control and how to reassign it in the event
of a failure. The reassignment problem is particularly troublesome since
reassignment implies a higher authority and the unit or function
being reassigned is, by definition, itself the highest authority in the system.
In systems where fault tolerance is not a primary concern, these problems
are normally overcome by some variation of a "distributed" software
executive. That is, the system level executive functions are shared by the
multiple computers with some limited set of simple indicators (such as
watchdog timer, parity checks, etc.) being used to trigger system degradation or
reconfiguration.
In most systems designed primarily for fault-tolerance, a "hard-core"
control unit is usually employed in one form or another which has
responsibility for primary configuration control. Internal circuit redundancy is used
to increase the survivability of this hard-core unit.
The philosophy of operation employed in the RGC software system is a
logical extension of the concepts developed in the overall system design and
stems from the desire to achieve extremely high failure detection/reconfiguration
probabilities without the necessity for unique, special purpose, hard-core
hardware. A redundant, majority-controlled software system is employed.
Although it is resident in all computers, it is not "distributed" in the normal
sense, since the entire function is duplicated identically and computed
redundantly in all computers. Each computer, therefore, has equal status
in terms of system control and decisions are achieved through a majority
voting process. The highest level of system control - the decisions as to
which computers are operational - is accomplished in the VCS's contained
in each IOP. Each computer's opinion of the health of all computers is
transmitted to the VCS's and the VCS logic performs an adaptive majority vote on
this data. The result of this vote is, in turn, monitored by each computer and
accepted as the current system status. Lower-level decisions are resolved
through a software voting process which involves the computers exchanging
opinions and accepting the resultant majority opinion.
During the Task 4 activity described in Section 4 of this volume, reduction
of computational redundancy was investigated. This involves identifying
criticality related to  the sensitivity of the external 
Classi- 08s  of data f rom a particular computation functiom. 
fying functions in this manner would allow selective reduction of the number 
three required for  the m.ost cri t ical  functions down to one for a non-critical 
ine software system developed during the study 
y and all functio s a r e  assumed to behighly 
of three paralle computations pr ior  to eyetern 
e r s  required to redundantly compute given functions, f rom the 
8.3.1.1 Theory of Operation. Critical computations, i.e., those
computations falling within the "fail-operational" requirements, will be redundantly
computed by up to three computers.* The redundantly computed data will
be transmitted to a single VCS for voting/comparison and transmission to
external subsystems. Up to three copies* of input data from external
subsystems will be simultaneously received over multiple buses. The multiple
copies will be received in all computers performing the computations. The
VCSs and, hence, I/O buses in use at a given time, is determined by the
status of those units and is not necessarily related to the computers currently
assigned to the critical computations. The data input/output process is
pictured in Figures 8-3 and 8-4.
8.3.1.1.1 Unit Status. Each unit in the system, computer, CPU, IOP,
memory, or
ve a status condition associated with it at all
times. The three possible conditions are defined below:
1. - A unit which has demonstrated no ** ce last being brought on line.
2. - A unit which has been
epancies but which is able
to pass all system tests.
3. - A unit which has suffered an
ent failure.
The minimum requirements for a computer to maintain operational
status are:
1) Maintaining I/O sync with the critical computers as
determined by the I/O TEST cycle.
2) Monitor and exchange of system status with all other
operational computers.
3) True state of the corresponding P matrix diagonal
element.
NOTE: Conditions 1 and 2 are necessary criteria for the other
computers to vote for a true-state of the P matrix element corresponding to
a given computer.
8.3.1.1.2 System Status. Each operational computer (where a computer
is defined as the modules currently associated with a given IOP) has one of
two system assignments at a given time.
Critical - An operational computer which is participating in the
redundant critical computations. Three computers (if available)
will be critical simultaneously.
*Reduction to less than three occurs only after two failures of computers or buses.
**A level of repeatability is required before a failure is identified in order to
avoid erroneously reacting to transients.
FIGURE 8-3. DATA OUTPUT
FIGURE 8-4. DATA INPUT
critical computers but which is not performi
tions. (There will only be a spare computer
computers are operational.)
Each VCS has one of four system assignments at a given
time.
Primary - The VCS (hence, system I/O bus) currently being used
t of all critical data*
Secondary - The "Backup" VCS which replaces the primary VCS
1 of a failure. This bus is used for the second copy of
input data.
Associate - The bus being used for the third copy of input data.
Spare - An operational VCS which is not currently being used in
UQ.
In Figures 8-3 and 8-4: Computers 1, 2 and 3 are Critical;
Computer 4 is Spare;
VCS 1 is Primary;
VCS 2 is Secondary;
VCS 3 is Associate; and,
VCS 4 is Spare.
8.3.1.1.3
Each IOP has a separate real-time cloc
e real-time reference for
the "computer" associated with each IOP. Synchronization of the four timing
sources is accomplished by the
llers in the IOPs. Once the
common timing reference is es
s maintain synchronization
under IOP program control. T n must be maintained within
16 µs for proper VCS o
ration. Out-of-sync conditions are detected by
examining the voting B s from the Primary and Secondary VCSes.
Synchronization between IOP and CPU is maintained on a rate (computational
frequency) basis. T
rate are synchro
tional rates are
is divided into f
ocesses the RTC inte
8.3.1.2 (Continued)
troller. The Executive and Resource Controller
are executed by the CPU; the Input/Output program is executed by the IOP.
The following sections describe these programs in detail. They are
described as if contained in a single computer, however it must be remembered
that identical copies of these programs are executed simultaneously in all
four computers.
Listings of these programs are included in Appendix 4 of this report.
8.3.2
The Input/Output program is executed by the IOP and transmits/receives
data being supplied/processed by the CPU program. However, the Input/
Output program is executed independent of the CPU and will sequence properly
with or without the CPU data.
The I/O program is composed of four separate routines, RT1, RT2, RT4,
and IOTEST. Receipt of the Real-Time Clock pulse (RTC) causes execution
of one of these routines. Upon completion of the routine, the program
normally enters the Idle mode to await the next RTC. However at the
completion of IOTEST (every eighth RTC), the master sync process is initiated
with all operational comput
d in the sync process. In this case,
receipt of the sync signal from step Sync Controller, initiates
execution of the next program routine. The sequence of execution of the
four routines is as follows: RT1, RT2, RT1, RT4, RT1, RT2, RT1, IOTEST,
etc. It can be seen that the RT1, RT2, and RT4 routines are executed at
1/2, 1/4, and 1/8 of the RTC frequency, respectively. These rates
correspond to the three fixed-interval computational frequencies available in the
Executive Program in the CPU.
Each of the three routines performs the input/output functions required
by the corresponding computational frequency. This consists of transmitting
computed parameters to external subsystems, requesting input data from
external subsystems, and transmitting "modifiable" data to the other
computers. The term modifiable data is used to designate all the parameters
necessary to completely define the state of a computational function(s). This
data is necessary to initiate computations in a computer which is going
through a transition from spare status to critical status.
One of four unique the I/O program at the c of
each of the input/output
ese flags are used by the
Program to synchronize the
ional frequencies with the
updates.
Note that only the IOTEST routine is executed when a computer is
the spare.
The IOTEST routine is executed every eighth cycle and is used to
monitor the status of the VCSes and to perform test fun
status is sampled and saved for processing by the CPU.
1.
2. - these samples
determine the majority opinion as to the unit status of the four
computers. Samples from two VCSes are taken to detect VCS
failures.
3. - these samples
Samples from two
VCSes are taken to detect VCS failures.
Two test functions are performed; the VCS Test, and System Status
Test.
VCS Test - This test is conducted by the critical computers. It consists
of each computer transmitting one of two test messages to the Primary
and Secondary VCSes. The messages are sent in a predetermined sequence
of four combinations as follows:
1. Computer 1 - Message 1
Computer 2 - Message 2
Computer 3 - Message 2
Computer 4 - Message 2
2. Computer 1 -
Computer 2 - Message 1
Computer 3 - Message 2
Computer 4 - Message 2
3. Computer 1 - Message 2
Computer 2 -
Computer 3 - Message 1
Computer 4 - Message 2
4. Computer 1
ing each test cycle in the I/O program;
hence the test is completed every 32 cycles.
During the test, the VC mode as is currently
being used for
voting status (
T the test messa
ad and saved for
can be seen from the message combinations, the test is
used to verify proper detection and reporting of data discrepancies by the
voting logic in the VCSes.
System Status Test - This test is conducted by all
computers. It c
uter transmitting a system status message to the
Primary VCS. The VCS is put into a mode to include all operational
computers, and the message is addressed to a "dummy" LP address so that the
voting function is performed. The system status message consists of the
following data:
Operational Computers
Critical Computers
Operational VCSes
Primary VCS
Secondary VCS
Associate VCS
VCS Test Sequence Counter
The purpose of this test is twofold; 1) to provide a means of verifying
I/O sync in a spare or transitional computer, and 2) to provide majority
verification of the primary system status computed and maintained in each
of the operational computers. After the message is transmitted, the voting
status (S-matrix) is sampled and saved for processing by the CPU.
8.3.3 Executive Program
The Executive program is executed in the CPU and is responsible for
task scheduling, synchronization of I/O data, maintenance of real-time
reference, and time-critical status monitoring. All tasks to be executed by
the CPU are divided into four groups depending on their frequency of
execution; i.e., computation rate. The four groups are Rate 1, Rate 2,
Rate 4, and Background. The first three groups represent precise iteration
requirements; Rate 1 is executed at 1/2 the frequency of the RTC, Rate 2 at
1/4, and Rate 4 at 1/8. The Background group is executed whenever time
is available and hence its iteration rate is variable. As previously indicated,
four program flags set by the Input/Output program are used to initiate
computations at each of the rates; hence, once completed, the tasks in Rate 1 will
not be executed again until the RTC interrupt occurs and RT1 flag is set.
Within each rate, execution of the individual tasks occurs in a fixed,
predetermined sequence. However, determination of which rate to execute is
based on a priority structure where Rate 1 has the hi
Background has the lowest. Hence, once initiated all
completed without interruption but Rate 4 tasks
Rate 2 or Rate 1. Obviously the total computation
each rate is completed prior to the next setting
At any given time, the parameter, RATE, contains the current rate
being executed and each rate has status flags which determine the mode of
that rate. The three possible modes are:
1) Done - all tasks in the rate have been completed. Nothing
further is to be done until the appropriate I/O flag is set.
2) the rate was interrupted during execution by
iority rate.
3) Initialized - the I/O flag for the rate has been set but
execution of tasks in the rate has not begun.
In the current system only three tasks are included in the schedule.
These are Rate 1 Sample Task, Rate 2 Sample Task, and the Resource
Controller. The tasks are executed at the Rate 1, Rate 2, and Rate 4
frequencies respectively, and the first two tasks are simple arithmetic and
logical computations used to represent real-time computational tasks. The
Resource Controller is described in the next section.
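Added example (not part of the original report): a Python model of the I/O
routine sequence and of the rate-priority Executive described above, which
records when a lower-priority rate is interrupted and when a rate has not
finished before its flag is set again. The slot-based timing, the setting of
a rate's flag at the RTC pulse that starts its I/O routine, and all function
names are assumptions; the task costs are constructed.

```python
from fractions import Fraction

# Sequence of I/O routines per RTC pulse, as listed in the text.
IO_SEQUENCE = ("RT1", "RT2", "RT1", "RT4", "RT1", "RT2", "RT1", "IOTEST")
PRIORITY = ("RT1", "RT2", "RT4")      # highest first; Background is lowest
DONE, INITIALIZED, INTERRUPTED = "Done", "Initialized", "Interrupted"


def io_routine(rtc):
    """I/O routine started by RTC pulse number `rtc` (0-based)."""
    return IO_SEQUENCE[rtc % len(IO_SEQUENCE)]


def rate_fraction(routine):
    """Fraction of RTC pulses on which `routine` runs."""
    return Fraction(IO_SEQUENCE.count(routine), len(IO_SEQUENCE))


def run_executive(cost, rtc_periods, slots_per_rtc):
    """Simulate the CPU Executive for `rtc_periods` RTC periods.

    cost[rate] is the number of CPU slots the rate's tasks need per
    iteration (constructed values). Returns (trace, interrupts, overruns):
    trace      - the rate (or "BACKGROUND") run in each CPU slot
    interrupts - (interrupted rate, interrupting rate, rtc) tuples
    overruns   - (rate, rtc) where the flag was set before the rate was Done
    """
    mode = {rate: DONE for rate in PRIORITY}
    remaining = {rate: 0 for rate in PRIORITY}
    current = None                     # models the RATE parameter
    trace, interrupts, overruns = [], [], []
    for rtc in range(rtc_periods):
        flag = io_routine(rtc)
        if flag in mode:
            if mode[flag] != DONE:     # previous iteration never finished
                overruns.append((flag, rtc))
            mode[flag], remaining[flag] = INITIALIZED, cost[flag]
        for _ in range(slots_per_rtc):
            ready = [r for r in PRIORITY if mode[r] != DONE]
            if not ready:
                current = None
                trace.append("BACKGROUND")
                continue
            rate = ready[0]            # highest-priority rate with work left
            if current not in (None, rate) and mode[current] != DONE:
                mode[current] = INTERRUPTED
                interrupts.append((current, rate, rtc))
            current = rate
            remaining[rate] -= 1
            trace.append(rate)
            if remaining[rate] == 0:
                mode[rate] = DONE
    return trace, interrupts, overruns
```

With two CPU slots per RTC period and costs of 1, 2 and 9 slots, Rate 4 is
still unfinished when its flag is set again at pulse 11; a cost of 8 just fits.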
Every eighth I/O cycle is a test cycle indicated by the setting of the
IOTEST flag. When this occurs the Executive executes a status update
subroutine. This subroutine has two functions:
1. Examine the IOP flags which indicate the I/O
transmission status. One of these flags is set
if three successive faulty message transmissions
are detected by the IOP. The states of the IOP
flags are used to update four of the Resource
Controller Error Status flags, E1VAS1, E2VAS1,
E1VAS2, and E2VAS2.
2. Test for completion of a transition from non-
critical status to critical status. If a transition
has been completed, the system status data is
updated to reflect the new status.
8.3.4 Resource Controller Program
The Resource Controller Program is composed of two major routines, the
I/O Monitor and Test routine, IOMAT, and the System Configurator, RECONF.
8.3.4.1 Input/Output Monitor and Test Routine. This routine examines
the status samples stored by the Input/Output program and uses this
information to update the Resource Controller Error Status flags. The routine is
executed at the Rate 4 frequency, the same frequency as IOTEST. The Error
Status flags are described in Table 8-1.
8.3.4.2 System Configurator. This routine is executed at the Rate 4
frequency and is responsible for computing and maintaining the system status
data. Once initialized, the system status will remain constant as long as all of
the Error Status flags remain reset. When one or more of these flags is set,
the Status Change Analysis subroutine, SCANAL, is executed. This subroutine
uses a generalized pattern comparison structure to evaluate the change in
status. Error patterns, i.e. particular combinations of Error Status flag
settings, are stored in two data tables. The table, EPAT1, contains the 1-set
flags in the pattern and the table, EPAT0, contains the 0-set flags. Flags not
appearing in either the 1-set or 0-set entries are "don't care" elements for
the particular pattern.
When a status change is detected, the pattern of Error Status flag settings
is compared against the patterns stored in the error pattern tables. If a match
is found, a unique subroutine associated with the particular error pattern is
executed. This subroutine updates the system status to reflect the effect of
the detected fault. Three subroutines are used to compute new system status
configurations.
1. CPASIN - This subroutine computes the system status (critical or
non-critical) for the four computers using their current unit status
(operational or non-operational).
2. VCASIN - This subroutine computes the system status (Primary,
Secondary, Associate) for the four VCSes using their current unit status
(operational or non-operational) and the previous status assignments.
3. SSREST - This subroutine performs a software majority vote on its
own system status data and the data received from the other three
computers. The data resulting from the voting process is then used
as the new system status. Note that only computers which have
operational status are included in the voting process.
Table 8-2 is a list of the error patterns currently in the
cates the resultant action when a pattern match is found. It
that this is a minimum set and represents the initial baselin
tion of failure modes and fault isolation techniques would un
expand both the number of patterns and the number of Error Status fla
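Added example (not part of the original report): a Python sketch of the two
mechanisms described above, the SCANAL comparison of the Error Status flags
against EPAT1/EPAT0 entries with "don't care" flags, and the SSREST majority
vote restricted to operational computers. The bit order of the flags, the
constructed pattern entries, first-match ordering, the strict-majority rule
and all Python names are assumptions; Table 8-2 is not reproduced here.

```python
from collections import Counter
from typing import NamedTuple

# Error Status flags named in the text; the bit order is an assumption.
FLAGS = ("E1VAS1", "E2VAS1", "E1VAS2", "E2VAS2")
BIT = {name: 1 << i for i, name in enumerate(FLAGS)}


def mask(*names):
    """OR together the bits of the named Error Status flags."""
    word = 0
    for name in names:
        word |= BIT[name]
    return word


# Constructed pattern tables. Entry i of EPAT1 lists the flags that must be
# set, entry i of EPAT0 the flags that must be reset; a flag in neither
# entry is a "don't care" for pattern i.
EPAT1 = [mask("E1VAS1", "E2VAS1"), mask("E1VAS2", "E2VAS2"), mask("E1VAS1")]
EPAT0 = [mask("E1VAS2", "E2VAS2"), mask("E1VAS1", "E2VAS1"), mask("E2VAS1")]


def check_tables(epat1, epat0):
    """Reject tables in which a flag is required both set and reset."""
    if len(epat1) != len(epat0):
        raise ValueError("EPAT1 and EPAT0 must have the same length")
    for i, (ones, zeros) in enumerate(zip(epat1, epat0)):
        if ones & zeros:
            raise ValueError(f"pattern {i} is contradictory")


def scanal(flags, epat1=EPAT1, epat0=EPAT0):
    """Return the index of the first pattern matching `flags`, else None.

    None means a flag is set but no stored pattern explains it, a case the
    caller must handle rather than silently keep the old status.
    """
    check_tables(epat1, epat0)
    for i, (ones, zeros) in enumerate(zip(epat1, epat0)):
        if (flags & ones) == ones and (flags & zeros) == 0:
            return i
    return None


class SystemStatus(NamedTuple):
    """Fields taken from the system status message listed earlier."""
    operational_computers: frozenset
    critical_computers: frozenset
    operational_vcs: frozenset
    primary_vcs: int
    secondary_vcs: int
    associate_vcs: int


def ssrest(reports, operational):
    """Majority vote over the status reports of operational computers.

    `reports` maps computer number -> SystemStatus. Reports from computers
    outside `operational` are ignored. Returns the status held by a strict
    majority of the counted reports, or None when there is no majority.
    """
    ballots = [reports[c] for c in sorted(operational) if c in reports]
    if not ballots:
        return None
    status, votes = Counter(ballots).most_common(1)[0]
    return status if 2 * votes > len(ballots) else None
```

A return of None from either function is the case to design for: it marks a
fault signature or a split opinion that the stored tables do not resolve.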
8.4 SIMULATION ACTPVITLES 
8.4. 1 
system was two-fold: 
The underlying purpose for the development and use of the Simulation 
1. To provide a tool which could be used for development and 
evaluation of computer/software system designs oriented 
toward fault -tolerant sy stern ope ration. 
Use the tool to develop and evaluate the system design proposed 
to  satisfy the FQQS requirements. 
2. 
Use of the Simulation system during the course of the study involved four 
primary activities. 
1. Refining and solidifying the functional design characterist ics 
of the selected system being evaluated during the study. 
Debugging and evaluating operation of the Simulation system. 2 .  
3. Debugging and refining the software for  the selected system 
design. 
4. Evaluating overall system performance using fault simulation. 
The simulation activities, particularly number four, a r e  somewhat open- 
The pr imary 
ended in that sys tem evaluation and design refinement efforts can be extended 
almost indefinitely particularly in  the a r e a  of fault simulation. 
goal during this study was to provide a reasonable level of confidence in  the 
feasibility and functional performance of the proposed system in t e r m s  of 
satisfying the FQOS requirements. 
not achieved in the a r e a  of fault simulation, it is felt that the primary goals 
were  accomplished and the desired confidence attained. 
Although some of the desired goals were 
8.4.2 System Debugging
As previously indicated, all three elements involved in the simulation
process (simulator, simulated system, and software for the simulated system)
were designed and developed in parallel during the study. Therefore a
considerable amount of "interactive" debugging and design refinement were
required in order to reach a point where total system operation was possible.
The Simulation system was actually developed in two stages due to parallel
development of the simulator and simulated system required by the desired
schedule. During the first stage, a general simulator system was developed
which allowed for a large variation in the detailed design of the actual
system to be simulated. The second stage involved implementing the detailed
RGC computer system design in the simulator once that design had been
reasonably well formalized. This approach worked reasonably well with one
exception. The precision required in the simulation due to the IOP/VCS
design, in terms of time resolution between simulated processors, was not
anticipated. The timing structure implemented in the "general," first-stage
version of the Simulator would not adequately represent the synchronous
operation of the asynchronous IOPs (proper performance of the VCS depends on
synchronous arrival of data from all IOPs, but the IOPs have independent
clocks and operate on independent stored programs). In order to overcome the
difficulty, the timing ring structure described previously was implemented.
The system design to be simulated was developed in considerable detail
before it was implemented in the second stage of the simulator development.
In addition, the design is such that the unique, critical features are mainly
contained in the IOP/VCS area and not scattered through the various elements
of the system. Consequently, design modifications implemented during the
debugging process were largely limited to the IOP and were primarily
refinements in the VCS operation, such as the logic associated with
transferring data from the IOP input channels to the VCS voting logic.
The philosophy of operation and general structure of the software for
the simulated computer system were developed as an integral part of the
overall system design; i.e., software considerations were applied during
development of the system design, not after the fact. For this reason, the
concepts of system control, specifically the reliance on majority control of
system configuration, are consistently applied throughout the design of both
the hardware and software system. The primary problems discovered in
debugging the software system were the normal varieties of programming
"bugs."
8.4.3 System Operation
Operation of the overall system was evaluated in three phases:
1. Detailed operation of the IOP/VCS/bus system
2. Fault-free operation of the total combined hardware/software system
3. System operation with injection of simulated malfunctions.
The first phase consisted of simulating combinations of up to four IOPs.
The individual VCS modes (4-way voter, 3-way voter, 2-way comparator,
and selector) were selected and various combinations of data messages were
simulated to verify the proper responses to both correct and incorrect data
comparisons in each of the modes. In addition, the timing relationships
between the data messages from the IOPs were varied to
or out-of-sync conditions caused by timing variations or I
Examples of eight cases run in the 3-way voter mode are provided in
Appendix 4.
The second phase of system evaluation involved simulating total system
operation in the four possible system configurations reflecting the number of
computers which are "operational." This phase was intended to verify
operation of the hardware/software system in its steady-state modes of
operation and to provide a baseline operation from which fault simulation
could proceed. No significant problems were uncovered during this phase
and it resulted primarily in further debugging of the software. An example
of this phase is presented in Appendix 4.
The third phase involved injection of simulated faults in the system to
verify proper detection and recovery. It should be realized that while this
is the first point at which faults were simulated in an automatic, preplanned
manner, it was not the first time at which system operation was observed
in the presence of faults. Both of the previous phases of evaluation
represent a degree of fault simulation. In the first phase, faults were
simulated by "pre-setting" erroneous data in the IOP messages and by
using the "DLY" (delay) feature in the simulator to simulate IOP timing
anomalies. During the second phase, the results of "unplanned" faults were
observed in the process of debugging the software system and, in fact, the
effect of apparent system failures caused by program "bugs" is a very
important consideration in its own right, although not directly germane to
FOOS considerations.
It was necessary to cut the fault simulation phase somewhat short of
hoped-for goals due to funding considerations; however, a limited set of
faults were simulated and successfully detected. The primary area where
additional fault simulation was desired is in the IOP/VCS, since this area
is critical to the design approach.
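The first-phase and third-phase checks described above (wrong data "pre-set" in one IOP message, or one IOP delayed) can be sketched as follows. This is an added example, not code from the study's simulator: the word-level strict-majority rule, the sync window of 2 ticks, and all function and field names are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Channels expected in each VCS mode named in the report.
MODES = {"4-way voter": 4, "3-way voter": 3, "2-way comparator": 2, "selector": 1}

# Assumed value, not from the report: messages arriving within this many
# simulator ticks of each other are treated as synchronous.
SYNC_WINDOW_TICKS = 2


@dataclass(frozen=True)
class Message:
    iop: int      # index of the sending IOP
    word: int     # 16-bit data word
    arrival: int  # arrival time in simulator ticks


@dataclass(frozen=True)
class Verdict:
    word: Optional[int]        # voted output, None when nothing can be trusted
    suspects: Tuple[int, ...]  # IOPs that disagreed or arrived out of sync
    ok: bool


def in_sync(messages):
    """Return the largest group of messages that fits in one sync window."""
    best = []
    for start in sorted(m.arrival for m in messages):
        group = [m for m in messages
                 if start <= m.arrival <= start + SYNC_WINDOW_TICKS]
        if len(group) > len(best):
            best = group
    return best


def vote(mode, messages):
    """Compare one message per IOP according to the selected mode."""
    channels = MODES[mode]
    if len(messages) != channels:
        raise ValueError(f"{mode} expects {channels} messages")
    everyone = tuple(sorted(m.iop for m in messages))
    if mode == "selector":
        # One channel only: nothing to compare against, so no fault detection.
        return Verdict(messages[0].word, (), True)
    synced = in_sync(messages)
    word, count = Counter(m.word for m in synced).most_common(1)[0]
    if mode == "2-way comparator":
        agreed = count == 2            # both channels must match
    else:
        agreed = count * 2 > channels  # strict majority of configured channels
    if not agreed:
        # A mismatch is detected but the faulty channel cannot be isolated.
        return Verdict(None, everyone, False)
    good = {m.iop for m in synced if m.word == word}
    return Verdict(word, tuple(i for i in everyone if i not in good), True)


def inject_bad_data(messages, iop, xor_mask=0x0001):
    """Fault injection: corrupt the data word sent by one IOP."""
    return [replace(m, word=(m.word ^ xor_mask) & 0xFFFF) if m.iop == iop else m
            for m in messages]


def inject_delay(messages, iop, ticks):
    """Fault injection: delay one IOP, as a timing anomaly would."""
    return [replace(m, arrival=m.arrival + ticks) if m.iop == iop else m
            for m in messages]


def baseline(channels, word=0x1234, arrival=100):
    """Constructed fault-free input: every IOP sends the same word on time."""
    return [Message(i, word, arrival) for i in range(channels)]


def run_cases():
    four, three, two = baseline(4), baseline(3), baseline(2)
    return {
        "4-way, fault free": vote("4-way voter", four),
        "4-way, bad data on IOP 2": vote("4-way voter", inject_bad_data(four, 2)),
        "3-way, IOP 1 delayed": vote("3-way voter", inject_delay(three, 1, 10)),
        "2-way, bad data on IOP 0": vote("2-way comparator",
                                         inject_bad_data(two, 0)),
        "4-way, two faults": vote("4-way voter",
                                  inject_delay(inject_bad_data(four, 0), 3, 10)),
        "selector, bad data": vote("selector", inject_bad_data(baseline(1), 0)),
    }


if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:28s} {verdict}")
```

The selector case shows why the degraded modes matter: with a single channel a corrupted word passes through unflagged, and with two channels a mismatch is detected but cannot be attributed to either IOP.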
9.0 LOCAL PROCESSOR TRADE-OFFS AND DESIGN
9.1 INTRODUCTION
The purpose of this section is to report the results of evaluating
various local processor options and their applicability to the Space
Station Guidance and Control System. The need for local processing
has been established from the overall system analysis and trade-offs.
A common I/O data bus has been assumed to provide the means of
exchanging data between the local processors and the central G&C
computer complex. The purpose of the local processor is to perform
computations associated with its subsystems, including on-board
checkout and in-flight performance monitoring, and to provide a
standardized digital interface with the data bus.
The local processor can be considered to consist of three (3)
distinct sections as shown in Figure 9-1.
1. Interface with the data bus - called Standard Interface Unit (SIU)
2. Arithmetic processor and memory section for instruction
and data storage - called Preprocessor.
3. I/O section providing interface with the subsystem electronics -
called Electronic Interface Unit (EIU).
A general description of a candidate local processor design has been
furnished by NASA for the purpose of evaluating its capability to perform
the computational tasks. Tables 9-1 and 9-2 show the functional
characteristics of this processor. It should be noted that the evaluation
was constrained by the lack of more detailed descriptions of the candidate
to an examination of the speed, word length, memory capacity and
input/output characteristics.
In addition, the objective of this task is to consider alternate local
processor design approaches to determine their merits. Modular designs
and special purpose processors fall into this category. The final result
of this study task is a functional description of the local processor design
recommended for the application.
9.2 LOCAL PROCESSOR TRADE-OFFS
Trade-offs considered in the local processor design can be categorized
as follows: (a) preprocessor trade-offs, and (b) EIU trade-offs. The
trade-offs leading into SIU design have been conducted as part of the data
bus design study.
TABLE 9-1
FUNCTIONAL CHARACTERISTICS OF THE CANDIDATE PREPROCESSOR
Word Length                 16 bits
Memory Capacity
    Fixed (ROM)             1024/4096 words *
    Scratchpad (RWM)        64/512 words *
Speed
    Add Time                10 μsec.
    Multiply Time           20 μsec.
Registers
    Accumulator
    Utility
    Memory Data
    Memory Address
Instruction Set **
    28 Register Manipulation and Control
    12 Input/Output Control
Electronic Interface Unit
    12 Analog Channels (Input)
    1 16-bit Digital Parallel Channel (Input)
    1 16-bit Digital Parallel Channel (Output)
* Original Specification/Modified Specification
** See Table 9-2 for basic instruction list
TABLE 9-2
BASIC INSTRUCTION LIST OF THE CANDIDATE PREPROCESSOR
Arithmetic Functions
    Add
    Subtract
    Multiply
    Divide
    Absolute Value
    Double Precision Add and Subtract
Logic Functions
    And
    Or
    Exclusive or
    Complement
    Shift Right
    Shift Left
    Rotate
Control Functions
    Clear
    Increment
    Decrement
    Condition
    Read
    Write
9.2.1 Preprocessor Trade-offs
The preprocessor trade-offs are primarily concerned with the
processor type (general purpose vs. special purpose), operating speed,
word length and memory characteristics.
9.2.1.1 General Purpose vs. Special Purpose Preprocessors - Although
the local processor requirements have been treated in terms of general
purpose processing, special purpose processors should not be completely
ignored. Since each special purpose processor can be designed for the
specific application, total system weight, volume and power can be
minimized. Also, the overall organization, instruction set and input/
output section can be designed to fit the computational task, and thereby
minimize and simplify the software.
Special purpose processors also have drawbacks. Non-recurring
hardware costs will be higher because there will be many processors
to be developed. Logistics and spare parts problems for the spacecraft
would be greatly increased. Integration problems can also be very
complex unless the interface standards such as data formats and power
supplies are clearly defined at the beginning of the program and
strictly enforced thereafter.
Two special purpose processors using incremental processing
methods have been considered briefly in this study. These are a digital
differential analyzer (DDA) and a Coordinate Rotation Digital Computer
(CORDIC).
DDA's have found numerous applications in guidance and navigation
systems where the computational task consists primarily of a solution
of differential equations and extrapolation equations. The general form
of equations for the local processors is such that an exclusive DDA
approach is highly inefficient and impractical. The potential advantage
of a DDA is in a hybrid general purpose (GP)/DDA computer, where the
DDA can be exploited for solution of continuous functions and the GP can
be used for initializing and updating the DDA, decision making, mode
switching, solution of complex but slowly varying functions and solution
of non-continuous functions. By employing the hybrid approach, it is
generally possible to substantially reduce the processing speed
requirements of the GP processor below that necessary in an all GP computer.
The major trade-off, therefore, lies between the relative complexities
of the faster GP processor, and the slower hybrid GP/DDA.
The CORDIC processor similarly reduces the speed requirements
of a GP processor if used in parallel with the GP to compute sine and
cosine functions and to perform coordinate axes rotations. Again,
this trade-off is between a fast GP processor and a slower GP
processor/CORDIC hybrid system. Therefore, the GP vs. special
purpose processor trade-off will be considered in conjunction with
speed trade-offs in the following section.
TABLE 9-3
LOCAL PROCESSOR REQUIREMENTS
9.2.1.2 Speed Trade-offs - Investigation of the candidate system
defined in Table 9-3 indicates that the speed requirements vary over a
wide spectrum. The highest speed requirement is imposed by the
Strapdown Inertial Reference Unit - 382,500 short operations per second.
One solution to this requirement is to use a single preprocessor design
which is sufficiently fast for SIRU computations. The speed is within the
state-of-the-art of aerospace computers using semiconductor memories;
the cost and complexity of a fast computer (400,000 operations/sec.)
is nearly the same as it is for a computer with one-fourth of the speed.
A second solution is to design one preprocessor to satisfy RCS, CMG
and OAS speed requirements and to treat the SIRU separately. For the
SIRU, one could achieve the speed by either (1) using multiples of the
same processor, (2) provide a special purpose processor like a Digital
Differential Analyzer (DDA) or a CORDIC processor to complement the
basic preprocessor, or (3) transfer some computational load to the
central G&C computer complex. However, all three alternatives have
very serious disadvantages. The first one, splitting the functions
between several parallel computers, requires three or four slow
processors operating in parallel. The task of splitting computations between
parallel processors appears feasible but introduces additional complexity
and overhead in the software design. The prime disadvantage is the
additional hardware required - considering that either triple or quadruple
redundancy will be required, the total number of SIRU preprocessors
could be as high as 16! This certainly is not the right approach to a
system where high reliability is of utmost importance.
The second alternative appears to provide some gain in effective
speed with either a hybrid GP/DDA or GP/CORDIC approach. Both
systems could be mechanized with state-of-the-art MOS LSI circuits.
A standard DDA integration circuit in a single chip has been developed by
Autonetics. The device is a complete self-contained integrator/servo
designed for use in parallel operation. Approximately 40 such integrators
are required to mechanize a minimal processor for inertial platform
control functions. For more sophisticated gimballed inertial navigation
requiring an excessive number of integrators the CORDIC processor
could be implemented with readily available shift registers and read-only
memories.
However, it appears that a speed increase by a factor of four cannot
be achieved with either approach. Considering the added hardware penalty
and the disadvantages of special purpose design, no further investigations
into GP/special purpose hybrid systems is considered necessary.
The third alternative does not provide any relief
at the preprocessor level unless the computational load at the SIRU is
reduced down to almost minimal level: instrument output filtering,
failure detection and coordinate transformation. From the overall
system consideration, this was not considered a desirable solution.
Therefore, the first alternative, using a common preprocessor design
of adequate speed to handle the most demanding computations,
approximately 400,000 operations per second, appears to be the best choice.
9.2.1.3 Word Length Trade-offs - Another key design parameter for
the preprocessor is the word length. A 16 bit instruction word provides
an adequate number of bits for defining instructions, specifying address
modifiers and address field. For the data word, 16 bits has been judged
adequate for all RCS and CMG computations. However, certain
computations in position and attitude determination do require more than 16 bit
precision. An investigation of the SIRU and OAS computation requirements
was made to determine the extent and the frequency of such high precision
computations and whether longer word length or double precision arithmetic
capability is required.
Of prime concern was the need for double precision multiply capability
because of its added complexity to the processor design. Simple double
precision computations, such as add, subtract, store and fetch are
relatively easy to implement and do not add much to the hardware
complexity of the processor. Therefore, the analysis of SIRU computations
was made assuming that the simple set of double precision instructions
was included in the instruction set.
The results of the investigation show that practically all SIRU
computations can be performed such that double precision multiply is not
required. The one computation that would appear to need double precision
multiplication is the direction cosine orthogonalization when multiplication
of the elements of the C matrix occurs. This can be accomplished with a
software double precision multiply routine. An analysis of the direction
cosine update equations indicates that a double precision multiply is not
required.
An approximate equation for round-off error is
$r = (2.1 \times 10^{5}) \, 2^{-n} \sqrt{Tf/3}$    (9.1)
where n is the word length in bits
T is the time the round-off error has to accumulate in seconds
f is the frequency of computation in times/second
r is the attitude error in arc seconds due to the computations
and $2.1 \times 10^{5}$ is the number of arc seconds per radian.
If r = 4, T = 1000, f = 100, then n = 24 so that
a word length of 24 bits or more should be
used to represent the direction cosine matrix
under these conditions.
The updating equation for a second order algorithm has the form
$C_{n+1} = (I + \Delta\theta + \Delta\theta^{2}/2) \, C_n$    (9.2)
where I is an identity matrix, and $\Delta\theta$ is a matrix of accumulated
pulse counts as follows:
(9.3) 
A Q Z  
0 
If the maximum $\Delta\theta$ pulse rate is 10,000 pulses/second and if the pulse
accumulation registers are emptied every .01 seconds, the maximum
value of $\Delta\theta_x$, $\Delta\theta_y$, or $\Delta\theta_z$ is 100. This quantity can be represented
by 8 bits including a sign bit.
Computation of equation 9.2 by the sequence
(9.4)
(9.5)
would require double precision multiplication to preserve 24 bits of
accuracy. A computation sequence that preserves 24 bits of accuracy
and only uses 16 bit multiplication is:
(9.6)
Cn+1 = Cn + B
This is possible since the pulse count for $\Delta\theta$ can be represented by only
8 bits of a 16 bit word. The quantity A, using a 16 bit representation
for C in equation 9.6, can be shifted such that its meaningful data,
after the 16 bit C multiply, is in bit locations 9-24. The Cn + A
addition of 9.7 can be performed in double precision and the shifting,
as for A, used for B in equation 9.7 to give significant data in bit
locations 9-24 of B. A double precision addition of B to Cn in
equation 9.8 gives a Cn+1 accurate to 24 bits.
Another computation that needs double precision operations is the
filtering of the instrument outputs and then only for the long term filter
and under the unlikely condition that the 10,000 pulses per second are
all unidirectional and must be summed for 60 seconds or longer. This
requires representation of numbers on the order of 600,000 which requires
a 21 bit word (including sign).
Considering the Optical Attitude Sensor, the only computations
requiring more than 16 bits are those for the computation of star tracker
pointing angles and these are dependent on the attitude accuracy
requirements. If the required attitude accuracy is .01° and the error due to star
tracker computations are to be one-tenth of this, then numbers on the
order of 1 part in 360,000 need to be represented which would require
19 bits.
Horizon sensor measurements can be made to an accuracy of about
a lo and if computational errors are to be one-tenth of this quantity,
numbers on the order of 1 part in 9000 need to be represented which only
requires 14 bits.
The foregoing analysis indicates that a 16-bit data word is adequate
for the subsystems investigated. Double precision multiplication
requirements can be minimized by careful scaling of the quantities and
proper shifting of data to preserve significant bits. Limited double
precision capability for adding, subtracting, storing and fetching is
required in the instruction set.
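Round-off accumulation in the direction cosine update, as an added example that is not part of the original report: it applies the second-order update of equation 9.2 with C stored at 16 and at 24 bits and reports the worst element error after 10 seconds at 100 updates per second. The pulse weight, the constructed pulse counts, the sign convention of the pulse-count matrix and round-to-nearest storage are assumptions.

```python
import math

# Assumed values, not from the report: angle per gyro pulse and a constant
# set of pulse counts per 0.01 s interval (the report's limit is 100 counts).
PULSE_WEIGHT_RAD = math.radians(2.0 / 3600.0)  # 2 arc seconds per pulse
COUNTS_PER_INTERVAL = (60, -35, 90)            # x, y, z axes (constructed)
ARCSEC_PER_RAD = math.degrees(1.0) * 3600.0    # about 2.06e5


def identity():
    return [[1.0 if i == j else 0.0 for j in range(3)] for i in range(3)]


def delta_theta(counts):
    """Skew-symmetric matrix of pulse counts (assumed sign convention)."""
    x, y, z = (c * PULSE_WEIGHT_RAD for c in counts)
    return [[0.0, -z, y],
            [z, 0.0, -x],
            [-y, x, 0.0]]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(3)) for j in range(3)]
            for i in range(3)]


def quantize(m, bits):
    """Store each element as a two's-complement fraction of `bits` bits
    including sign; bits=None keeps full floating-point precision."""
    if bits is None:
        return m
    scale = 1 << (bits - 1)
    return [[max(-scale, min(scale - 1, round(v * scale))) / scale for v in row]
            for row in m]


def update(c, dtheta, bits):
    """One step of C(n+1) = (I + dtheta + dtheta^2 / 2) C(n), then storage."""
    d2 = matmul(dtheta, dtheta)
    eye = identity()
    step = [[eye[i][j] + dtheta[i][j] + 0.5 * d2[i][j] for j in range(3)]
            for i in range(3)]
    return quantize(matmul(step, c), bits)


def attitude_error_arcsec(bits, steps):
    """Worst element difference between the stored matrix and the same
    algorithm run without storage round-off, expressed in arc seconds."""
    dtheta = delta_theta(COUNTS_PER_INTERVAL)
    exact = identity()
    stored = quantize(identity(), bits)
    for _ in range(steps):
        exact = update(exact, dtheta, None)
        stored = update(stored, dtheta, bits)
    worst = max(abs(stored[i][j] - exact[i][j])
                for i in range(3) for j in range(3))
    return worst * ARCSEC_PER_RAD


def compare(steps=1000):
    """Error for 16-bit and 24-bit storage after `steps` updates."""
    return {bits: attitude_error_arcsec(bits, steps) for bits in (16, 24)}


if __name__ == "__main__":
    for bits, err in compare().items():
        print(f"{bits}-bit storage: {err:.3f} arc seconds")
```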
9.2.1.4 Memory Trade-offs - While the requirements of the central G&C
computer complex indicate a definite need for some form of a magnetic
main memory, the local processor memory can be best implemented with
a combination of a read-only and read-write MOS semiconductor memories.
The two prime objections to a semiconductor memory in the central G&C
computer complex are: (1) volatility of the read-write memory and (2)
inability to alter electrically the content of the read-only memory. These
two arguments do not apply to the local processor for the following reasons.
Each local processor  performs only functions dedicated to a specific 
sub system 
and, once 
program to be co 
nection pattern. 
ed 
emce 1s 
The volatility of the read-write scratchpad memory is not critical in
the local processor because the central computer complex is capable of
retaining the last set of computed data and can reinitiate the local
processor program with minimum interruption in case of power transients.
MOS semiconductor memory offers several advantages in the local
processor. Among the major advantages are lower size, weight, power
and cost than magnetic memory, especially in small capacities required
for the local processor. The MOS semiconductor memory will operate
with the same clock as the logic circuitry and does not require additional
interface and timing circuits. The cost of a semiconductor memory is
linear with the capacity, which means that semiconductor memories can
be broken into any size modules without cost penalty. Magnetic memories,
on the other hand, require that a large magnetic array size be driven by
a few electronic circuits to be economical.
Present state-of-the-art memory technology permits bit densities
as high as 4096 for ROM's and 512 for RWM's. A typical memory of 3584
words ROM and 512 words of RWM can be mechanized with 14 ROM devices,
16 RWM devices and 2 address decoder circuits. Detailed characteristics
of these devices are presented in Section 2.
9.2.2 Electronic Interface Unit (EIU) Trade-offs
The studies concerned with the EIU have been based on the analysis
of signal interface requirements. These interface requirements are
presented in Table 9-4. Because of the lack of detailed description of
the subsystem hardware, the interface between the local processor and
subsystem electronics has been based on certain assumptions. These
assumptions are summarized briefly in the following paragraphs.
TABLE 9-4
LP-TO-SUBSYSTEM INTERFACE REQUIREMENTS
* For Test and
** Could be Analog
9.2.2.1 SIRU Interface - The instrument outputs are in incremental
form - a total of twelve incremental inputs. Since the SIRU is
the only subsystem that provides incremental inputs to the local processor,
it is considered more cost effective to locate the precounters for the
instrument outputs in the SIRU electronics package rather than in the EIU
of the local processor. The contents of these precounters will be
periodically read into the local processor through a digital, whole-word input
channel. The remaining inputs and outputs are used primarily for test
and performance monitoring purposes.
9.2.2.2 OAS Interface - For this subsystem, the pointing angle commands
and angular readouts are assumed to be in digital form. Again, the bulk
of the analog signals are voltage and temperature monitoring signals.
9.2.2.3 RCS Interface - A valve control scheme using quad redundant
valves shown in Figure 9-2 is assumed for the study. The scheme
permits full operational capability after local processor failure in the engine
station. All valve controls are discrete signals at bipolar logic levels,
requiring the power amplifiers to be located at the valve controls. The
analog signals monitor temperature, pressure and flow rates.
9.2.2.4 CMG Interface - The CMG interface consists primarily of six
gimbal angle inputs and six gimbal rate outputs. The inputs are assumed
to be digital, whole-word signals requiring a resolution of 12 bits. The
outputs could be either in digital or analog form. Since no other
subsystems have analog output requirements, it is recommended that digital
interface be used for gimbal rate outputs.
9.2.2.5 Standardized EIU - An analysis of Table 9-4 indicates that the
functional interface requirements for the four subsystems considered do
not vary as widely as one may initially expect. If one also considers the
data rates estimated for the local processor, the following conclusions
can be readily drawn:
1. Data rate requirements are very low compared to the
preprocessor I/O capability.
2. Because the local processor is dedicated to one subsystem,
all I/O events can be initiated under local processor control.
No need exists for the local processor to accept data from
many sources asynchronously.
3. It is feasible to meet the different EIU requirements with one
standardized EIU design. A modular standardized building
block approach does not appear to offer any advantages over
a single design because the requirements do not vary widely
enough.
4. The standardized EIU can be broken into two main sections:
a digital section (input and output) and an analog section
(input only). The following section describes the results of
mechanization trade-offs for these two sections.
9.2.2.5.1 Digital EIU Section - Two basic considerations in the
design of the digital section of the EIU are: (1) form of data
transmission (serial or parallel), (2) method of implementing channel
control.
Because of the low data rates, serial data transmission could be
used for implementing digital data channels in the EIU. The basic
advantage of serial transmissions is reduced number of line drivers,
receivers and interconnections. The main disadvantage is the limited
data rate capability. Although the overall data rates are quite low,
there may be times when there exists a need to transmit several pieces
of data at high rate. Therefore, use of serial channels may limit the
usefulness of the local processor for other subsystems not investigated under
this contract. Therefore, it is recommended that the data transfers take
place in parallel in order to assure the usefulness of the local processor
in a wide range of applications.
There are basically three methods used for controlling data transfers
in aerospace computers: (a) programmed data transfer, (b) direct
memory access (DMA), and (c) multiplexer channel.
The first method is the slowest but has the advantage of flexibility.
Some form of interrupt is required for this method. Data transfer takes
place between an I/O bus and one of the processor registers or a memory
location specified on the I/O instruction.
Direct memory access provides data transfer between memory and
external devices by "stealing" memory cycles from the processor program.
This type of transfer is quite fast and its maximum data rate is limited to
the memory speed. Word count and memory address registers are
required at the EIU or subsystem electronics.
A multiplexer channel would provide the DMA with capability to
sustain several I/O operations on a time-shared basis. The channel
services the peripheral devices asynchronously as the input data becomes
available or when the receiving devices can receive data. The use of a
I/O channel requires a buffer mode of data transfer. This
mode uses stored control words and assigns areas in memory as input/
output buffering areas. These areas are under control of the programmer.
Considering that the local processor interfaces with only one
subsystem and rates are quite low, the programmed data transfer method
is quite adequate, requires minimum amount of hardware and offers most
flexibility. It is the recommended method.
9.2.2.5.2 Analog EIU Section - There are two approaches to locating
interface conversion equipment. The first distributes the conversion
operations to the sensors where the signals are generated. The various
signals are converted to a standard digital format and transmitted to the
digital section of the EIU. This means that each sensor must have its
own analog-to-digital converter (ADC), a digital register and some logic
to read out its contents upon computer command. This approach has
several advantages and disadvantages. Among the advantages is that
(a) single point failures can be isolated to the specific sensor, (b) signal
grounds can be isolated resulting in reduced noise effects, and (c) the
ADC can be operated at slow speed commensurate with the associated
sensor data rate and (d) full advantage can be taken of future development
of digital sensors. The major disadvantage of this approach is that it
requires more hardware resulting in higher system complexity, weight
and cost.
The second approach is to integrate the conversion equipment in the
EIU section of the local processor. In this case the signals are
transmitted in analog form to a multiplexer and encoded in the ADC located in
the EIU. Time sharing of conversion equipment is possible with this
approach: hence, hardware costs are reduced.
Considering the large number of analog signals and the relatively slow
sampling rates, the second approach definitely results in reduced hardware
cost and complexity. Therefore a time shared ADC in the EIU section of
the local processor is recommended.
Another important factor in the EIU design is the determination of the
location of the multiplexer switch. It is usually determined by the sensor
distribution. If many sensors are located in one source area, the
multiplexer is located in that area to save wires and line drivers and receivers.
Otherwise, the multiplexer is located in or near the receiver, or EIU in this
case. Sometimes a compromise is made and the multiplexer is broken
into several sections that are located near sensor areas. Then the outputs
of these multiplexers are multiplexed again at the ADC input. The location
of the sensors in the Space Station can vary widely between subsystems.
For example, in the SIRU all sensors are located in close proximity while
in the RCS subsystem the temperature and pressure gauges are widely
separated physically. It is important that the EIU have enough flexibility
to interface efficiently with all subsystems and therefore a multiplexer at
the EIU is recommended with additional discrete signals being provided
for multiplexing control at the subsystem electronics.
9.3 CANDIDATE LOCAL PROCESSOR EVALUATION
An evaluation of the candidate preprocessor described in Tables 9-1
and 9-2 was made by comparing the functional characteristics against
the requirements. The most critical limitation of the candidate
preprocessor is the speed. An improvement by a factor of four is required
in order to satisfy SIRU requirements. The problems of using a slow
preprocessor have been treated in Section 9.2.1.2 and will not be
repeated in this section. In addition, the lack of discretes and/or interrupts
may present some difficulties in interfacing with the subsystem electronics.
Eight (8) analog channels are adequate if some multiplexing at the
subsystem electronics is provided. A description of the recommended
local processor design is presented in the next section.
9.4 RECOMMENDED LOCAL PROCESSOR DESCRIPTION
The LP is a programmable, parallel, digital machine utilizing a
semiconductor memory, MOS logic, and having an input/output section
that can be tailored to the application. The LP is to interface with the
type 2 data bus that is described in the reports on the reconfigurable
G&C computer. The functional areas of the LP are:
a) Central Processing Unit (CPU)
b) Memory
c) Electronic Interface Unit (EIU)
d) Power Converter
e) Clock
f) Standard Interface Unit (SIU)
Figure 9-3 is a block diagram of the LP. The LP interface with the
subsystem will consist of DC voltage analog and discrete type signals.
The discrete signals can be pulse or on/off types.
9.4.1 Central Processing Unit
The CPU operates on an internally stored program made up of 16-bit instructions. All operations in the CPU are done in parallel format as far as possible to attain maximum computing speed. The basic logic speed is one megahertz.
Data is handled in ordinary fixed point binary format with negative numbers expressed in two's complement. Data words are 16 bits long including sign. Double precision operations are possible in which the data word is 31 bits long including sign.
The CPU is organized into the following functional blocks:
a) Register File: General register storage (each register is 16 bits long).
b) Program Counter (13): Controls instruction access from memory.
c) Accumulator (16): General purpose data register.
d) Extension (16): General purpose data register.
e) Buffer (16): Memory data buffer register.
f) Instruction Register (16): Holds instruction being executed.
g) Control "A" (5): Controls multiply and divide operations.
h) Shift Matrix (5): Controls shifting operations.
i) Address Register (16): Holds memory address of operands.
j) Operation Register (4): Holds operation code.
k) File Address Register (9): Controls general register operation.
l) Condition Register (4): Holds results of comparison operations.
m) Auxiliary Register (16): General purpose data register.
n) Adder (16): Parallel adder/subtractor.
The number in parentheses indicates the size of the function in terms of the number of flip flops required to mechanize the function. A block diagram of the CPU is shown in Figure 9-4.
The CPU has a flexible instruction repertoire that includes the following:
a) Arithmetic (Operands in memory and/or registers)
- Add
- Subtract
- Multiply
- Divide
b) Comparison
- Compare registers
- Compare register and memory
- Branch on condition
c) Shift
- Shift left
- Shift right
d) Double Precision
- Add
- Subtract
- Fetch
- Store
e) Data Movement
- Fetch memory
- Store in memory
- Exchange registers
f) I/O Control
- Set output discrete Group A
- Set output discrete Group B
- Read input discrete Group A
- Read input discrete Group B
- Input parallel data word
- Output parallel data word
- Disable interrupts
- Enable interrupts
- Read analog input X (Coding identifies one of 8)
- Read analog input group in sequence.
The CPU has two internal interrupts, one from the SIU and one from the EIU. The interrupt from the EIU indicates that the EIU has completed the commanded analog-to-digital conversion and the data is ready for the CPU. The CPU branches to a subroutine to take the data word from the EIU and place it in memory. The CPU then returns to the point of interruption in the program.
The interrupt from the SIU has two functions depending upon where the CPU is in the program. When the CPU is executing the main program, the interrupt indicates the reception of a control word by the SIU. The CPU branches to a dedicated location in memory to start an input or output routine and sets the interrupt false. All pertinent data is saved so that the CPU can return to the point in the main program where the CPU was interrupted. Next, the control word in the SIU is read into the CPU. The address field is placed in the program counter and that location accessed. The content of that location is the first instruction of a subroutine that will handle the data transfer. A counter is formed by storing the number-of-words field into memory.
The CPU idles until the SIU interrupt goes true. The CPU sets the interrupt false and then accesses memory for a data word and places the word in a buffer in the SIU or reads the data word from the SIU buffer and stores the word in memory depending upon whether the operation is an input or output. In either case, after transferring the data word, the CPU increments the memory address register and decrements the number-of-words counter. If the counter is non-zero, the CPU idles until the SIU interrupt goes true to repeat the above operations. If the counter is zero, the CPU restores conditions prior to the interrupt and continues with the main program.
In addition to the internal interrupts, the CPU has a minimum of four external interrupts. Each external interrupt will force the CPU to branch to a specified location for the next instruction. Each interrupt has a dedicated memory location assigned to it. A simple priority scheme in which the lowest numbered interrupt has the higher priority provides orderly processing of the interrupts. The CPU automatically disables all other interrupts until it finishes processing an earlier or higher priority interrupt.
9.4.2 Memory
The memory is made up of a read only section and a read/write section. The read only section has memory addresses 0512 to 4095 and the read/write section has memory addresses 0000 through 0511. The memory uses MOS technology in its mechanization. Figure 9-5 shows a block diagram of the memory.
The memory contains 4096 words each 16 bits long. Each word is addressable on a random access basis. Words are written into or read from the memory in parallel. A memory read cycle time is a maximum of 750 nanoseconds and a memory write cycle time is a maximum of one microsecond.
9.4.3 Electronic Interface Unit
The EIU is made up of four areas:
a) Discrete output area
b) Discrete input area
c) Analog input area
d) Parallel data bus area
All operations of the EIU are initiated and controlled by execution of instructions by the CPU. Data transfer between the EIU and the rest of the LP is through the registers of the CPU.
9.4.3.1 Discrete Output Area - The discrete output area of the EIU consists of circuitry for a minimum of 32 discrete output signals divided into two identical groups. A buffer register having one bit position for each output holds the data received from the CPU. The outputs of this register are conditioned by line drivers and placed on the output lines. The output signals are complementary types requiring two wires per signal. The voltages on these lines are always complements of each other. True and false conditions for the signal represented by the voltage states of the lines can be arbitrarily defined. The voltage levels used are +5 VDC and ground. The line drivers are bipolar circuits to handle drive requirements. The rest of the circuits are MOS type circuits.
Discrete outputs are organized in groups of 16 to conform to the LP internal word size. When used as a pulse type discrete, these outputs can be driven to give 250,000 pulses per second maximum. Single pulse outputs can have pulse widths as narrow as four microseconds. Figure 9-6 shows a block diagram of the discrete output area.
9.4.3.2 Discrete Input Area - The discrete input area is capable of receiving a minimum of 32 discrete type signals. These input signals are complementary types as discussed above. The signals on the input lines are conditioned by line receivers and strobed into a buffer register upon command from the CPU. All circuits are MOS type except for the line receivers which are bipolar. The input discretes are organized into groups of 16 to conform to the LP internal word size. Figure 9-7 shows a block diagram of the discrete input area.
9.4.3.3 Analog Input Area - The EIU has the capability of accepting up to eight d-c analog voltage inputs and converting these voltages into a twelve bit digital number including sign. The conversion time is four microseconds per bit plus five microseconds for settling time or a total of 53 microseconds per input.
An input filter is provided on each input line to prevent surges on these lines immediately after the input multiplexer switch is closed thus assuring accurate measurements. Overvoltage and short circuit protection is employed on the inputs to help prevent faults from propagating from one subsystem to another.
Figure 9-8 shows the basic block diagram of the converter. Initially, the register is set to zero, causing the output of the DAC ladder network to be equal to zero volts, then one of the series input switches is closed connecting an input line to the comparator amplifier. After sufficient time to allow for input switch closure, the bits of the register (most significant first) are sequentially set and reset depending upon the polarity of the output of the comparator amplifier. In this manner, the converter makes a sequential convergence on the analog input voltage until the number in the register corresponds to the input voltage to a resolution of ±1/2 of the least significant bit.
Reference voltages for the ladder network are supplied by a precision power supply to insure a high accuracy in the conversion procedure.
Conversion is initiated by the CPU executing one of the read analog input instructions. After completing the conversion, the digital number is held in a buffer register and the CPU notified by an interrupt. If a group of analog input conversions are desired, the CPU executes the read analog input group in sequence instruction. The converter starts the operation by converting analog input one. After setting the interrupt true,
the converter starts the conversion process on analog input two. A three bit counter that is incremented after each conversion controls the stepping through the inputs. The CPU has 53 microseconds to clear the previous data from the buffer register before the new data is read into the buffer register. This continues until all eight analog inputs have been converted into digital numbers.
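
The conversion and group-scan behaviour described in 9.4.3.3 can be modelled as follows. This is an added example, not part of the original report; the ±10 V input range, the two's complement register coding and the half-LSB comparator offset are assumptions made for the model.

```python
"""Successive-approximation model of the EIU analog input converter."""

BITS = 12            # twelve bit result including sign (report)
US_PER_BIT = 4       # microseconds per bit (report)
SETTLE_US = 5        # input switch settling time, microseconds (report)
CHANNELS = 8         # eight inputs stepped by a three bit counter (report)
FULL_SCALE_V = 10.0  # ASSUMPTION: bipolar +/-10 V input range
SIGN_BIT = 1 << (BITS - 1)
LSB_V = 2 * FULL_SCALE_V / (1 << BITS)


def conversion_time_us():
    """Time for one input: every bit decision plus one settling interval."""
    return BITS * US_PER_BIT + SETTLE_US


def to_signed(code):
    """Interpret the register as two's complement (ASSUMED coding)."""
    return code - (1 << BITS) if code & SIGN_BIT else code


def convert(vin):
    """Return (signed_result, trace); trace holds (bit, kept), MSB first."""
    # ASSUMPTION: the comparator is offset by half an LSB so that the final
    # error is centred, giving the +/-1/2 LSB resolution the report states.
    target = vin + LSB_V / 2
    code, trace = 0, []
    for bit in range(BITS - 1, -1, -1):
        trial = code | (1 << bit)              # set the bit under test
        if bit == BITS - 1:
            # Register at zero puts the ladder at 0 V, so the first
            # comparator decision is simply the sign of the input.
            keep = target < 0.0
        else:
            keep = to_signed(trial) * LSB_V <= target
        if keep:
            code = trial                       # leave the bit set
        trace.append((bit, keep))              # otherwise it is reset
    return to_signed(code), trace


def scan_group(voltages, cpu_latency_us):
    """Model the 'read analog input group in sequence' instruction.

    Each result stays in the single buffer register only until the next
    conversion finishes one conversion time later. Returns a list of
    (channel, value_or_None); None marks a result that was overwritten
    because the CPU took longer than that to service the interrupt.
    """
    period = conversion_time_us()
    count = min(len(voltages), CHANNELS)
    results = []
    for channel in range(1, count + 1):
        value, _ = convert(voltages[channel - 1])
        overwritten = cpu_latency_us > period and channel != count
        results.append((channel, None if overwritten else value))
    return results
```

With a service latency above 53 microseconds every result except the last is lost in this model, which is the deadline the paragraph above places on the interrupt subroutine.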
9.4.3.4 Parallel Data Bus - The EIU has the capability of sending and receiving parallel digital words over a parallel data bus. The bus handles words in 17 bit format of which 16 bits are data and one bit is parity. Two gating signals to indicate when the data on the data lines are valid are shared by the input and output channels. Figure 9-9 shows a block diagram of the data bus.
Transmissions over the parallel data bus are done on a closed loop basis between the sending and receiving stations. The sending station places the data on line and sets a data valid signal true. The receiving station senses the data valid signal true and reads the data lines into a buffer register. The receiving station now sets a data accepted signal true. The sending station upon receiving the data accepted signal sets the data valid signal false and prepares for the next transmission. When the data valid signal goes false, the receiving station sets the data accepted signal false. The bus is now ready for the next operation.
Transmissions originating outside the LP are started by the receipt of an interrupt by the CPU. The CPU branches to a subroutine which stores enough data for the return to that spot in the main program and then executes an input data word instruction. This causes the parallel data bus control to test the data valid line. When this line goes true, the data lines are read into the buffer register. The data accepted line is set true and the ready signal to the CPU is also set true. The CPU senses the ready line going true and reads the word from the buffer register into the accumulator. The data bus control sets the data accepted signal false when the data valid line goes false. If more words are to be sent, the above operation is repeated with the CPU executing another input data word instruction.
Transmissions originating within the LP start when the CPU sets an output discrete true to alert the receiving station. The CPU then loads the buffer register with the data word and executes the output data word instruction. The outputs of the buffer register are automatically placed on the output channel lines. The data bus control sets the data valid line true and monitors the data accepted line. When the data accepted line goes true, the control sets the data valid line false and sets the ready line to the CPU true. The above is repeated if more words are to be sent.
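
The closed loop data valid / data accepted exchange described in 9.4.3.4 is modelled below with one state machine per station. This is an added example, not part of the original report; the class names, the tick-based scheduling and the `receiver_period` parameter (which slows the receiving station) are assumptions of the model, and the parity bit is not modelled.

```python
"""Closed-loop (data valid / data accepted) transfer on the parallel bus."""


class Bus:
    """Lines shared by the sending and receiving stations."""

    def __init__(self):
        self.data = 0
        self.data_valid = False
        self.data_accepted = False


class Sender:
    def __init__(self, words):
        self.queue = list(words)
        self.waiting = False   # True while data valid is up and unanswered

    def busy(self):
        return self.waiting or bool(self.queue)

    def step(self, bus, trace):
        if not self.waiting and self.queue and not bus.data_accepted:
            # Bus is idle: place the word on the lines, raise data valid.
            bus.data = self.queue.pop(0)
            bus.data_valid = True
            self.waiting = True
            trace.append("data_valid=1")
        elif self.waiting and bus.data_accepted:
            # Receiver has latched the word: drop data valid.
            bus.data_valid = False
            self.waiting = False
            trace.append("data_valid=0")


class Receiver:
    def __init__(self):
        self.buffer = []       # stands in for the buffer register

    def step(self, bus, trace):
        if bus.data_valid and not bus.data_accepted:
            self.buffer.append(bus.data)   # latch exactly once per word
            bus.data_accepted = True
            trace.append("data_accepted=1")
        elif not bus.data_valid and bus.data_accepted:
            bus.data_accepted = False      # bus returns to idle
            trace.append("data_accepted=0")


def transfer(words, receiver_period=1, max_ticks=10_000):
    """Run both stations until the bus is idle again.

    The receiver only acts every receiver_period ticks. Returns
    (received_words, signal_trace, ticks_used). Raises RuntimeError if
    the exchange has not completed within max_ticks.
    """
    bus, sender, receiver, trace = Bus(), Sender(words), Receiver(), []
    tick = 0
    while sender.busy() or bus.data_valid or bus.data_accepted:
        if tick >= max_ticks:
            raise RuntimeError("handshake did not complete")
        sender.step(bus, trace)
        if tick % receiver_period == 0:
            receiver.step(bus, trace)
        tick += 1
    return receiver.buffer, trace, tick
```

Slowing the receiver changes only the number of ticks used, not the order of signal transitions or the words delivered; a receiver that stops responding leaves the sender waiting until the tick limit is reached.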
Figure 9-9. Parallel Data Bus
Single or multiple word messages are handled the same in the EIU. The major difference is the higher effective data rate for the multiple word messages due to a better ratio of data words per channel setup time. The lowest data rate occurs if all messages are single word type. The data rate for this type operation is 66,000 words per second. For multiple word messages, the data rate approaches 143,000 words per second as a limit. In practice, the data rate will be between 66,000 and 100,000 words per second.
9.4.4 Power Converter
The power converter provides the required highly regulated secondary voltages for the LP circuits. The converter operates from a computer grade +28 VDC primary power source. No damage to the power converter or other circuits in the LP will occur due to transients or loss of primary power. The LP requires approximately 72 watts of power from the primary source.
9.4.5 Clock
The LP clock used for internal timing is derived from a master oscillator operating at an 8 megahertz frequency. The oscillator is crystal controlled and designed to be relatively insensitive to environmental changes. The oscillator output is used to drive a four phase generator which supplies timing signals to the MOS logic. The oscillator output is counted down to derive a one megahertz timing signal for the bipolar circuits and the memory. The master oscillator has a long term accuracy of ±100 parts per million.
9.4.6 Physical Characteristics
The LP is contained in a package with the dimensions 7.5 inches high, 13.5 inches wide and 10 inches deep. The LP weighs approximately 18 pounds. All components are mounted on plug-in modules of which there are seven, including the power converter.
9.4.7 Standard Interface Unit
The standard interface unit or SIU provides the interconnection between the I/O Data Bus and the CPU of the Local Processor. It can also be used to interconnect to a subsystem directly if a clock source and memory storage logic are available, i.e., no computational capability is required by the SIU. Each SIU connects to all four I/O bus lines in the G&C System. One output bus is provided from the SIU to the remainder of the Local Processor. The unit has all digital interfaces.
Each SIU is independent of all other SIU's and has its own hardwired address. Up to 32 addressable SIU's can be accommodated by the system. All communication between the SIU and the subsystem or the central computer complex is controlled by the central computers. This information is transferred exclusively on the I/O data buses. All data transfers take place at a one megahertz bit rate in a request-acknowledge format.
9.4.7.1 SIU - Data Bus Interconnection - The method of interconnecting an SIU to the four data buses is shown in Figure 9-10. Each data bus is provided with a "T" connection for every Local Processor at the appropriate location along the data link cable. These "T's" have a straight through connection providing one continuous data link cable from end to end. The other part of the "T" contains a tap from each side of the twisted pair line. Fully resistive taps are used, with a resistor in each of the two lines from the twisted pair cable forming a high impedance bridging tap. These can be brought to a connector on the "T" unit or, preferably, connected directly to another twisted pair cable molded directly into the tap structure.
Each tap so formed can be placed up to a few feet from the box housing the SIU. This allows a routing of the four data link cables with spatial separation for damage immunity. The closest any two data link cables need to come to each other is then a function of the box location and the length of the cable from the "T" connection. Utilizing resistive taps directly at the main data link cables reduces the data line degradation due to shorts on the branch cable or at the SIU.
Each branch twisted pair cable is connected to its own connector on the SIU package. Two miniature transformers are connected in parallel to the two wires, one transformer for the data link receiver and one for the transmitter. The transmitters and receivers are individual integrated circuits. There is a filter circuit and bias offset circuit ahead of each receiver to eliminate unwanted signals and noise. Thus each transmitter/receiver pair is AC coupled to the I/O data link bus. Connections at all SIU's are identical. Therefore one transmitter/receiver pair in each SIU is connected in a party line fashion via one data link bus.
Not shown in the interconnection figure are the ends of the four data link bus lines. Each end of each line is terminated in the data link cable characteristic impedance. These terminations occur at the IOP's where the cables originate and end. A similar method of data link interconnect to that outlined in Figure 9-10 is used at the IOP's with only the number of transmitter/receiver pairs differing due to the somewhat different communication interface.
9.4.7.2 SIU Operation - Each SIU responds only to communications from one of four sources. These sources are the four IOP's of the central computer complex. Each IOP has a different data bus and is therefore received by only one data receiver per SIU. During the normal mode of operation, the SIU is in an idle mode, with its transmitters off and all four of its receivers active. The active receivers are monitoring their individual data buses or IOP's, waiting for a message from the central computer complex.
A block diagram of an SIU is shown in Figure 9-11. Only one of the four receivers is shown, the others are identical. The data transmission sequences for the SIU are discussed in the I/O Data Bus Study, Section 6. Each sequence is initiated by a transmission to the SIU from one IOP. This transmission is received by one of the four receivers. The first and second words received (16 bits each plus parity) are control words and specify the SIU operation for the sequence initiated. For any sequence these control words are identical in format and operation. The word formats are shown in Section 6 (Figure 6-1, page 6-2).
Leading the first control word is a three bit sync code. This is the first information to the SIU receiver and must be detected for proper operation. Proper sync detection starts the receive process and indicates to the individual receiver control that a valid SIU message follows. It also sets the timing and synchronization of all following data for that message.
Every IOP message transmission will be detected by each SIU receiver connected to that IOP data bus. The detection of a correct sync code at the proper time (after no bus transmission or dead band zone) puts the individual SIU receiver into the receive address mode, allowing the input register to be filled from the receiver output. This input register is long enough (16 bits) to hold the first control word that is received. The operation is independent of the mode of the other three receivers.
The first two fields of the first control word specify data to be used by the IOP and are discarded by the SIU. The third field is retransmission data which may be of use to the local processor and is available. The fourth field of the first control word is the local processor address. When this field has entered the shift register it is compared by the address compare circuit to the pre-wired address at each SIU. If the address compares, bit for bit, the SIU-Local Processor that was addressed enters the receive mode, and all others go back to the idle (wait for sync) mode.
The next field is an I/O bit, specifying the message operation of receiving data or transmitting data. Spare bits follow this field and are available for other control functions. Appended to the end of the word is an odd parity bit, bit 17. This is checked against the derived parity for the 16 bits already received. If OK, the SIU receive mode can start its sequence. This causes a CPU interrupt. At this point only one receiver
can be operated and all other receivers are blocked from initiating an SIU receive mode. They still are operational however, and ready to respond on a first-come-first-served basis. The receiver select switches are set for the single receiver being serviced.
In the SIU receive mode, the first control word is shifted into the I/O register as the second control word is received and shifted into the input register. Also the whole 16 bit word is added, modulo two, by the block parity circuit for later checking. The second control word passes directly through the input register and is followed by one of two types of words. This is indicated by the I/O bit. If the requested operation is to receive data from the IOP, a data word follows. If it is to transmit data, a block parity check word follows.
If a block parity word is to follow, as soon as it has been received serially by the input register, it is compared with the modulo two sum formed from the first two control words. If it is the complement (odd parity) of this sum no error is present and the SIU can proceed into the transmit mode. If it is incorrect, the SIU returns to the idle mode.
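
The two checks described in 9.4.7.2, the odd parity bit on each 16 bit word and the block parity word formed as the complement of the modulo two sum, are modelled below together with the error patterns each one catches. This is an added example, not part of the original report; the sample words are constructed values and do not follow the report's field layout, and the block check word is modelled without a parity bit of its own.

```python
"""Word parity and block parity as described for SIU messages."""

WORD_MASK = 0xFFFF   # 16 bit words (report)

# Constructed sample message: two control words followed by three data
# words. The values are arbitrary and carry no real field meaning.
SAMPLE_WORDS = [0x1A45, 0x0203, 0x7FFF, 0x8001, 0x00F0]


def odd_parity_bit(word):
    """Bit 17: makes the count of ones over all 17 bits odd."""
    ones = bin(word & WORD_MASK).count("1")
    return 0 if ones % 2 else 1


def block_check_word(words):
    """Complement of the modulo two (XOR) sum of the 16 bit words."""
    total = 0
    for word in words:
        total ^= word & WORD_MASK
    return ~total & WORD_MASK


def build_frame(words):
    """Sender side: return (list of (word, parity_bit), check_word)."""
    body = [(w & WORD_MASK, odd_parity_bit(w)) for w in words]
    return body, block_check_word(words)


def check_frame(frame):
    """Receiver side: list of detected faults; empty means accepted."""
    body, check = frame
    faults = []
    for index, (word, parity_bit) in enumerate(body):
        if odd_parity_bit(word) != parity_bit:
            faults.append(f"word {index}: parity")
    if block_check_word([word for word, _ in body]) != check:
        faults.append("block parity")
    return faults


def flip(frame, index, bitmask):
    """Copy of frame with the bitmask bits inverted in body word index."""
    body, check = frame
    body = list(body)
    word, parity_bit = body[index]
    body[index] = (word ^ bitmask, parity_bit)
    return body, check


def demo():
    """Run each corruption pattern against the sample message."""
    frame = build_frame(SAMPLE_WORDS)
    return {
        "clean": check_frame(frame),
        # One flipped bit: caught by both checks.
        "one bit": check_frame(flip(frame, 2, 0x0001)),
        # Two flipped bits in one word: word parity is blind to it,
        # the block check is not.
        "two bits, one word": check_frame(flip(frame, 2, 0x0003)),
        # Same bit position in two words: the block check is blind to
        # it, the word parity is not.
        "same bit, two words": check_frame(
            flip(flip(frame, 0, 0x0010), 3, 0x0010)),
        # Same two bit positions in two words: neither check sees it.
        "rectangle": check_frame(flip(flip(frame, 0, 0x0011), 3, 0x0011)),
    }
```

The last case is the known limit of combining per-word and per-column parity: an error pattern that is even in every word and every bit position passes both checks.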
In the other case, where data words follow the control word, the second control word is decoded from the I/O register. This word specifies the data location in memory where the LP CPU has the memory address for the first data word stored, and the number of words in the message. The number of words field is stored by the CPU and used to determine the length of the ensuing message. After each data word is in the I/O register, it is transferred to the buffer register and a CPU interrupt generated. The data word is stored under CPU program control into the proper memory location during the next 15 µsec. As the last data word fills the I/O register, the block parity word for the whole message fills the input register. (All words in the selected input register are added modulo two for a message). This is compared for a receive data error. Errors are reported to the CPU in the SIU acknowledge. The CPU determines the end of the message and signals the end of the receive sequence (this is checked) and the SIU enters the transmit mode as before.
Two sequences exist for the transmit mode, one in which an acknowledge is transmitted, and the second in which data is transmitted. The transmit acknowledge takes place after the data receive mode ends. Two acknowledge words are transmitted by the SIU, similar to the two control words. The transmitters used for this operation were specified by the second field of the second control word, and can be one, two, three or all four.
The first acknowledge word contains a field for the reply bus information (output of Reply Select Circuit), the type field is repeated, the data location register contents are placed in the data location field and the I/O bit set for the operation the SIU is performing. The second acknowledge word contains a field for the local processor address (pre-wired), the number of words just received or to be transmitted, and the status of the LP.
This data is prefaced by a pre-wired sync code of three bits for SIU-IOP communication. Then the two acknowledge words plus a parity bit for each are transmitted. The block parity check sum is inserted in the I/O register and serially transmitted last. The SIU returns to the idle mode.
The other transmit sequence is similar to the data receive mode, except the second acknowledge word is followed by data. This data was specified by the received second control word and is read out of (rather than into) the memory a word at a time under CPU control into the data buffer register. It is parallel transferred into the I/O register at the start of each transmit word time. All transmitted words are added modulo two so the check sum can be entered and transmitted after the last data word.
Transmissions by an SIU will be ignored by its own receivers and all others except the IOP's due to the non-detectable sync code preceding each SIU transmission. During the receive mode the clock source for all timing is derived from the received data stream. In this fashion all data is decoded and distributed under control of the clock used to assemble it. Each individual receiver control uses its own line derived clock until the SIU enters the receive mode and all other receivers are locked out. When the SIU is transmitting it uses the LP 8 MHz clock divided down to 1 MHz for all internal clocking and Manchester encoding.
A BITE timer is used to monitor all data transmissions and receptions. Since these messages are all of a fixed maximum length this timer can signal the necessity to lock out a continually operating receiver or turn off the SIU transmitters upon SIU failures. This action is reported to the CPU and to the IOP through the LP status word when possible.
10.0 POWER DISTRIBUTION INVESTIGATION 
10.1 INTRODUCTION 
This section discusses the Power Distribution Study. The objective was to determine a preferred power distribution system for the G&C system. The preferred system, described in Section 10.7, consists of solid state load controllers packaged with the G&C load at the interface point with the Electrical Power Subsystem (EPS). The load controllers are controlled by a logic level power control module in the Local Processor (LP). The power to the LP is controlled separately to afford a method of isolating failed LP's by removing power.
The first discussion concerns characteristics of Mil-Std-704A input power and its impact on power converter design. It is interesting to note that special "computer grade" power has been proposed on some recent avionic systems to circumvent the design problems introduced by Mil-Std-704A. Next, the generalized characteristics for a distribution system are developed along with failure characteristics. Various types of load and source isolators are discussed in Appendix 8.
10.2 INTERFACE CHARACTERISTICS
10.2.1 Input Power 
Mil-Std-704A power has been assumed as the power available at the G&C system interface for the purposes of this study (Ref. 10-1, 4.5-3.2). Less severe transient surge voltages defined by curves 5 and 6 of Mil-Std-704A have also been considered (Ref. 10-2). For convenience, the characteristics of this power are summarized in Tables 10-1 and 10-2.
TABLE 10-1
Summary of Mil-Std-704A, Category B-AC Power, Nominal 3φ, 400 Hz, 115 VAC.
* Min. voltage for space station may be 3.5 volts greater due to less maximum voltage drop in distribution bus (Ref. 10-1).
TABLE 10-2
Summary of Mil-Std-704A, Catego
Transients
NSSL - Normal Steady State Limit
ASSL - Abnormal Steady State Limit
ESSL - Emergency Steady State Limit
Mil-Std-704A AC input power has the advantage of being well defined and of having characteristics well known to designers of avionic equipments. Much equipment already exists that operates from it and therefore it presents low technical risk and lower cost for equipment design or modification. However, since the volume and weight of magnetic components varies inversely with the three-fourths power of frequency (Ref. 10-3), there is a size and weight advantage of going to a higher frequency source. The main disadvantage is that less equipment has been designed for higher frequency AC power and development cost and risks could be anticipated to be greater. Direct distribution of this higher frequency power is desirable. However, it can be generated in the load if necessary or desirable.
One method used to reduce the volume and weight of magnetics in some electronic equipment using Mil-Std-704A power is to use the DC power and static DC to DC converters operating at frequencies determined by the switching limitations of the solid state switch and the required volt/turn resolution of the transformer.
For transistor switches, conversion frequencies to 5 KHz are usual, to 20 KHz common, and to 100 KHz or higher possible. Not only are the power transformers reduced in volume and weight, but the required filtering is greatly reduced at these frequencies. The reduced energy storage of the reduced filters essentially turns the transient voltages of Mil-Std-704A into steady state voltage and regulation is usually required. The eight to eighty volt swing makes dissipative regulators inefficient. Since the open loop gain of many types of switching regulators is proportional to the input voltage, it makes switching regulators more difficult to stabilize. Also selecting the power transistor for switching regulators is a problem. High breakdown voltage is required at the 80V limit and high current capability at the 8 volt limit. This combined with fast switching times and adequate forward and reverse secondary breakdown ratings makes the power transistor design a risky, expensive, low yield compromise of conflicting requirements. There is much to be gained if the 28 VDC bus can be held within more reasonable limits, say 24 to 32 volts. This would allow the equipment to meet the audio susceptibility requirements of Mil-I-6181D or Mil-Std-461A with the input at 28 volts and work from the normal steady state level of 24 to 28.5 V of Mil-Std-704A.
Static inverters are a source of radio frequency noise and line filters used to filter this noise can usually be designed to sufficiently attenuate very short duration spikes (a few microseconds) outside the normal steady state value.
Another method used to reduce the volume and weight of magnetics 
operating f rom Mil-Std-704A power is  to directly rectify the AC power 
and operate a DC to DC converter f rom the resulting high voltage DC. 
This is  possible because of the availability of power t ransis tors  with 
very  high voltage breakdown. 
techniques needed for this type conversion a r e  different, the arguments 
a r e  the same for limiting the transient tolerance range., 
Although the components and design 
10.2.2 Load Power

Power controllers in the G&C system will have to handle maximum
loads from 10 watts to over 2 kilowatts (Ref. 10-1). These are summarized
in Table 10-3. Power controllers within the computer may be in the low
watt range. For the purpose of this study, load controllers over a range
of 28W to 8KW and 1.0 to 75 amperes are within the range to be considered.
Power may be DC, one phase AC or three phase.
10.2.3 Environment

Discussion of the environmental characteristics of the various
components in the G&C power distribution system will include only
thermal considerations since the behavior of solid state power devices
to other environmental conditions should be similar to other solid
state components in the system.
TABLE 10-3
SUMMARY OF REQUIREMENTS (Ref. 10-1)

Loads: CMG's, Tracker, Horizon Edge Tracker, IMU, G&N Computer,
Docking Sensor, Miscellaneous, TOTAL

Values in each column, in printed order from the first load to TOTAL
(the position of blank cells is not recoverable):

Ave:     450, 200, 10, 160, 20, 30, 880*
Max:     1360, 200, 10, 200, 20, 200, 35, 2075
Emerg:   460, 10, 160, 20, 30, 680
Launch:  460, 10, 160, 20, 30, 680

Second group of columns (first two headings illegible):

         460, 10, 160, 20, 30, 680
         1360, 10, 200, 20, 200, 35, 1825
Emerg:   460, 10, 160, 20, 30, 680

* 10 watt positive adding error
10.3 GENERALIZED DISTRIBUTION BUS SYSTEM

10.3.1 DC Power

Figure 10-1 shows a distribution system made up of two sources, two
busses, and two loads. The sources and loads are connected to the busses
with isolators. Each bus needs one isolator for each source and one
isolator for each load that is to be connected to it. For example, four
sources, four busses and sixteen loads would require sixteen source
isolators and sixty-four load isolators or eighty isolators.
FIGURE 10-1. GENERALIZED DISTRIBUTION SYSTEM
The necessary characteristics of the isolator depend on the possible
failure modes of the source or load.

Tables 10-4 and 10-5 list the various isolator characteristics for
various failure modes of DC sources and loads. Two things can be
observed from the data in the tables. First is that the only isolator that
works for all failure modes is a series switch. Since it isolates a
failure by disconnecting either the source or power, the failure mode
can never be fail operational. If the series switch fails after a load or
source failure, it must always fail open in order to maintain isolation.
If the FOOS criteria means that power must be available after three
failures, then four sources and four busses are required to meet the
criteria.
The second observation that can be made from the tables is that
if the source or load have certain limited possible failure modes, then
other isolators are available that may let the failure criteria be met
with something less than brute force quadruple redundancy.

It is of interest to note that the results shown in the tables are valid
for other than a power interface. For example, the source could be a
digital driver and the load its receiver.
10.3.2 AC Power

In concept, it would be possible to develop a failure matrix for an
AC system similar to the one developed for the DC system. Additional
failure modes such as low frequency, high frequency and phase rotation
reversal would need to be considered. However, the general conclusions
would be the same. The only universal isolator is a series switch that
fails open; the failure mode is fail safe, and quadruple redundancy is
needed to meet the requirements. If failure modes of the sources or loads
are limited, it may be possible to have fail op failures and reduce the
order of redundancy. One thing that should be mentioned is that by using a
four-wire wye input for three phase transformers, they can be designed
to be fail op if any single wire opens.

In addition to circuit breakers, magnetic components such as
saturable reactors and others can be used as series switches.
10.4 LOAD ISOLATOR F

It is assumed that the source isolators are part of the Space Station
power distribution system and that four busses are made available to the
G&C system load. This would be the most complex system an [...] easily
simplified. These busses may be handled by several c [...] of switching
and oring as shown in Table 10-6. The dotted lines indicate some form of
oring inside the load. An example would be a transformer rectifier on
each AC bus with the DC outputs tied together. The series switch
isolators are all considered to be break before make. This is necessary
for AC power from sources not in sync and may be desirable in any event
to prevent tying a good bus into a failed bus. The disadvantage is that
the load is without power during the break before make period.
The normal switch logic is for normal power-up operation. Different
logic may be desirable after failure detection, during bus maintenance or
checkout, or for degraded operation modes.

If the assumption is made that oring in the load requires additional
hardware, which is probably a good assumption, then Configuration 2 is
the best for loads that can tolerate a Break Before Make (BBM) transient
loss of power. If BBM transients are unacceptable, Configuration 3, 5,
or 6 is necessary with 3 being the least complex.

Where the statement "can be fail OP..." in the "Bus Fail Short"
column is made, it means that this is possible for isolators with proper
characteristics, namely, unilateral power flow.

It should be noted that a shorted load may pull the bus down before
the isolator disconnects it. This can be prevented if either the isolator
or load contains current limiting.

10.5 EXAMPLES OF BUS SWITCHING
Figure 10-2 is an example of Configuration 2 of Table 10-6 where one
of four busses may be switched to the load with break before make
switches causing a momentary loss of power at the load. Figure 10-3
is an example of Configuration 3 of the same table where two busses
are or-ed in the load and each bus is backed up by a redundant bus
connected with break before make switches. In this configuration the load
sees no momentary loss of power. The two configurations are quite similar
in hardware and failure modes, the latter requiring additional complexity
in the load and additional monitors and voters.

The power switch is assumed to be a series [...] overloaded. It is
turned on or off as commanded [...] be reset after tripping for an
overload in some way. This could be by cycling the input logic line off
and on, by removing input power or by use of a separate control line.
As a minimum, the status line indicates what the power switch thinks
it sees on the control line. It is probably desirable that the status line
indicates if the switch has tripped because of an overload.

The examples operate as follows:

10.5.1 Checkout

1. Command Power OFF
2. Check status lines, adaptive voter output and individual monitor
   outputs
3. Initiate failure isolation sequence if false, proceed if true.
4. Sequence each switch on in turn and check status lines, adaptive
   voter output and individual monitor output.
5. Initiate failure isolation sequence if false, declare system
   operational if true.
10.5.2 Normal Operation

Bus selection may be by priority logic, pre-programmed logic
or random depending on selection logic. In any event power is programmed
on or off as commanded.

10.5.3 Failure Mode Operation - Power Loss

When adaptive voter output indicates loss of power, the active bus
is switched off and a new bus switched on. There is a loss of power
transient. This can be repeated until all busses have been tried and
then terminated or cycled continuously.
10.5.4 Failure Mode Operation - Shorted Load

For a true short it is desirable to declare the load knocked out
and go into some system backup mode. This is desirable because only
one or two busses see an overload stress. The disadvantage is that if
the overload indicator is in error and the load is not shorted, the system
has been disabled by one failure. For this reason it seems desirable
to try to drive a short with at least one more bus to verify that the load
is truly shorted. The extreme would be to cycle the shorted load onto
each bus at least once.
10.5.5 Failure Mode Operation - Non-Commanded Power Application

This may be an impossible or an acceptable failure mode. If not, a
backup fail safe element must be included that can be dependably opened.
This might be a backup switch that is part of the main power distribution
system or a redundant independently activated switch or fuse link in the
power switch. Deciding which switch is the failed one may be a problem,
especially if the result of activating the redundant switch is
irreversible such as blowing a fuse link.
10.5.6 Failure Mode Operation - Monitor Failure

The adaptive voter is assumed to have the capability of detecting
when one monitor is reading different from the majority and masking
its output from future decisions. By using five monitors and a five input
voter, three monitor failures still produce a valid output from the voter.
Given additional knowledge from the system such as the selection and
status commands and prior history, fewer monitors may be necessary
for triple fail-op.
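
The masking behaviour described in 10.5.6, together with the bus sequencing of 10.5.3, can be sketched as follows. This is an added example, not logic from the report: the names, the boolean monitor model, and the choice to give no output on an even split are assumptions.

```python
"""Added illustration of sections 10.5.3 and 10.5.6; not code from the report.

Assumed (hypothetical) details: the names below, boolean "power present"
monitor readings, masking every dissenting monitor after each vote, and
treating an even split as "no valid output".
"""


class AdaptiveVoter:
    """Majority voter that masks monitors disagreeing with the majority."""

    def __init__(self, n_monitors=5):
        self.n = n_monitors
        self.active = set(range(n_monitors))  # monitors still trusted

    def vote(self, readings):
        """Return True/False (power present or not), or None on an even split.

        readings[m] is monitor m's boolean output. Masked monitors are
        ignored; dissenters found in this vote are masked for later votes.
        """
        yes = {m for m in self.active if readings[m]}
        no = self.active - yes
        if len(yes) == len(no):
            return None                      # no majority, nothing is masked
        power_present = len(yes) > len(no)
        self.active = yes if power_present else no
        return power_present


def fixed_majority(readings):
    """Plain (non-adaptive) majority of all monitors, for comparison."""
    return sum(readings) * 2 > len(readings)


def read_monitors(power_present, stuck, n_monitors=5):
    """Constructed monitor model: a failed monitor is stuck at stuck[m]."""
    return [stuck.get(m, power_present) for m in range(n_monitors)]


def sequential_failures(n_failures, n_monitors=5):
    """Fail monitors one at a time (stuck at 'no power') while power is on.

    Returns a list of (adaptive output, fixed-majority output) per failure.
    """
    voter = AdaptiveVoter(n_monitors)
    stuck, outputs = {}, []
    for m in range(n_failures):
        stuck[m] = False
        readings = read_monitors(True, stuck, n_monitors)
        outputs.append((voter.vote(readings), fixed_majority(readings)))
    return outputs


def select_bus(bus_good, voter, stuck, start=0):
    """Section 10.5.3: on loss of power, switch the active bus off and the
    next bus on (break before make) until each bus has been tried once.

    bus_good[b] says whether bus b delivers acceptable power (constructed
    test input). Returns (selected bus or None, list of busses tried).
    """
    tried = []
    for k in range(len(bus_good)):
        bus = (start + k) % len(bus_good)
        tried.append(bus)
        readings = read_monitors(bus_good[bus], stuck, voter.n)
        if voter.vote(readings):             # None or False: try next bus
            return bus, tried
    return None, tried


if __name__ == "__main__":
    # Monitor failures one at a time: the adaptive voter stays valid for three.
    for i, (adaptive, fixed) in enumerate(sequential_failures(4), start=1):
        print(f"{i} failed monitor(s): adaptive={adaptive} fixed={fixed}")

    # Busses 0 and 1 dead, monitor 3 stuck at 'power present'.
    voter = AdaptiveVoter(5)
    print(select_bus([False, False, True, True], voter, {3: True}),
          "trusted monitors:", sorted(voter.active))
```

The three-failure tolerance holds only when failures occur, and are masked, one at a time; three monitors failing the same way within a single vote outnumber the two good ones.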
10.5.7 Failure Mode Operation - Logic Failure

As a minimum, logic failure can induce failures that appear as power
loss and non-commanded power application failures. These can be
protected against and the ability to simulate the failures logically may
be a desirable checkout tool. Other logic failures could prevent meeting
the triple fail-op criteria and therefore be unacceptable. Circumventing
these unacceptable failure modes is a major consideration in implementing
the logic.

10.6 COMPARISON OF ISOLATION DEVICES
An investigation of various isolation devices and their failure modes
was performed during the study. Diodes for DC applications include
computer diodes, diffused diodes, ion implantation diodes and Schottky
barrier hot carrier diodes. For AC systems, magnetic isolators of three
types were investigated. These were a simple magnetic amplifier, a four
aperture magnetic switch developed by Stanford Research Institute for
Jet Propulsion Laboratory under NASA contract, and the parametric
magnetic device called Paraformer, a product of Wanlass Electric Co.
Also, solid state controllers, under development for aircraft applications
were examined, and finally, electromechanical relays were considered
briefly for comparison purposes. Detailed information on the operation
and failure modes of these devices is presented in Appendix 8.
Table 10-7 compares various characteristics of AC isolators. The
transformer is given as a reference for the magnetic devices. The volume
and weight efficiencies of the solid state and conventional circuit breakers
are around two orders of magnitude better than the magnetic devices.
The solid state device has as good efficiency as the magnetic devices, but
is poorer than the nearly lossless conventional circuit breaker. However,
the solid state device presents the greatest cooling problem, dissipating
32 times more power per cubic inch than a transformer with a 40 C
temperature rise and ten times more than a conventional breaker.
This, combined with the sensitivity of reliability to temperature
of solid state circuitry, makes cooling of these devices critical.
TABLE 10-7
COMPARISON OF AC ISOLATOR DEVICES

                               Parametric     SRI* Magnetic   Magnetic    Solid State  Circuit
                Transformer    Transformer    Switch          Amplifier   Controller   Breaker
                (1)            (2)            (3)             (4)         (5)          (6)

Power           100w           100w           40w             100w        1150w        2300w
Frequency       400 Hz         400 Hz         2.5 KHz         400 Hz      400 Hz       400 Hz
Volume          15.0 in3       45 in3         25 in3          35 in3      1 in3        1.5 in3
w/in3           6.7            2.2            1.6             2.88        1150         1530
Weight          1.9 lb.        4.7 lb.        -               2 lbs.      0.13 lb.     0.13 lb.
w/lb.           53             21             --              50          8000         16000
Power loss      7.5w           15w            1.6w            19w         16w          2.1w
Efficiency      93%            87%            96%             84%         88%          99%
Power loss/in3  0.5            0.33           0.063           0.54        16w          1.4w
Remarks         Comparison     Also provides  2.5 KHz square              Smallest     Smallest
                only, not      voltage        wave input                  size unit    size unit
                used as        regulation     power
                switch

Dimensions row (column alignment not recoverable): 2.3 x 2.1, 6.5 x 1.6,
3.2 dia., 1 x 1 x 1 in., 1.5 x 6.6; x 2.3 in., x 3.1 in., x 1.6 in.,
x 4.5 in.

* Different frequency, power level, and leaving out drive transformer and
  control power makes comparison with others invalid.
(1) Ref. (10-4) Chapter 5. Assumes 40 C rise, 3.5% regulation and equal
    core and coil losses.
(2) Volume estimated at 3X, and weight as 2.5X, transformer.
(3) Ref. (10-5).
(4) Ref. (10-6).
(5) Ref. (10-7).
(6) Ref. (10-8).
Includes control power and inductor in current source.
-40 C to +100 C temperature range.
10.7 RECOMMENDED CONFIGURATION

The recommended configuration is based upon the following constraints
suggested by the general system studies:

a) When power is supplied from the Electrical Power Subsystem, all/most
   of the LP's and G&C subsystems will remain powered-down. Sufficient
   circuitry will be energized to recognize a LP address and LP power
   on/off command from the data bus or an auxiliary bus.
b) Power can be applied to and removed from any LP by commands on the
   data bus and/or an auxiliary bus.
c) Subsystem power is controlled by a powered-up LP.

Figure 10-4 is a block diagram of a configuration meeting these
constraints. The various blocks are discussed in detail and then specific
recommendations with rationale are given.
10.7.1 Subsystem Load Controllers

Characteristics are assumed to be similar to those listed in
Reference (10-11) and discussed in Appendix 8. The internal configuration
should be such that any internal short that would load the power input
would activate the fail safe current circuitry assuring a fail open failure
mode. The AC load controllers are bilateral devices with undefined
failure modes if one bus is tied to the input and another to the output.
Since this is a possible condition if there is a logic or load controller
failure, the failure mode should be an acceptable and well defined one.
Controllers for three-phase power are tied together through the power
control logic so that they turn on, off, and trip together. As indicated
by the power loss/in3 row of Table 10-7, the location of the part will be
heavily influenced by thermal design requirements.

The load controllers should use EMI suppression techniques such as
zero crossover switching for AC controllers and controlled waveforms
for DC controllers to generate acceptably small EMI. Since normal design
practice is to place EMI filters right at, or as part of, the input power
connectors, interposing a load controller between the input connector and
filter could compound EMI control problems for the individual subsystem
designers.
10.7.2 LP and PC Circuitry

The Power Control (PC) logic can be part of the LP, part of the
load controller, or a separate module. If part of the load controller or
LP, it can share the power supplies and packaging of these units which
is a definite advantage if the added complexity in the LP or load
controller are acceptable. Figure 10-5 is a flow diagram indicating what
this logic might look like. The logic could be hardwired, under software
control, or a combination. Some options may be left out--for example, the
option to try a new bus if the trip indicator indicates a shorted load.
10.7.3 Monitor

The monitor circuit is a simple circuit that detects the presence
or absence of acceptable power. It can be located at the power
controllers, with the power control logic, or at the subsystem load. If
located with the load, it provides the most credible information about
the presence of power at the load.
10.7.4 LP and PC Load Controller

The purpose of this controller is to conserve power when a LP and
subsystem are not activated and to isolate a failed LP. The physical
placement of this controller and/or the associated address decoder and
signal recognition circuitry may be with the LP or physically separated
from it, depending on how a failed LP is to be isolated in the overall
system.

10.7.5 Specific Recommendations and Rationale

10.7.5.1 - Use solid state load controllers similar to those described
but with additional considerations given to failure modes. Rationale:
These devices are competitive with mechanical breakers in all aspects
except power loss and offer orders of magnitude improvement in
number of operating cycles. (Table 10-7). The technology is in a high
rate of development for aircraft electrical systems and should not present
any development risk for the Space Station program.
10.7.5.2 - Package the controllers as part of the load electronics if
thermal and EMI design permits. Each bus should be brought into the
load controller on a separate connector, which is the interface with the
electrical power subsystem. It is assumed each bus will be brought to the
load in a separately routed cable. Rationale: Simple interface and
consistent with EMI and mechanical redundancy design practice.
10.7.5.3 - Package the power control logic as a separate module in the
LP. Communicate with the load controllers on the normal LP/Load
interface. If LP loses power, load controller must open. Logic will be
hardwired. Rationale: Logic can be powered from LP internal power.
Simple interface with data bus and load. It is desirable to have power
control identical for all loads but if not, modules with appropriate logic
can be plugged into LP. This allows failed LP to be isolated by removing
power. Software controlled logic offers only minor advantages in trouble
shooting and operational flexibility.
10.7.5.4 - Power LP with separate load controller. The location of
this controller and its logic are to be determined by system
considerations to be made later from the following options.

a) Package as part of LP and control through data bus.
b) Package separately from controlled LP (may be in one or more
   separate LP's) and control through data bus and/or separate bus.

Rationale: Allows failed LP to be isolated from system by removal of
power. How best to isolate failed LP's and meet the FOOS criteria
is part of the overall study.
10.7.5.5 - Package the "power present" monitor with the load and
route the signal over the LP/load interface. Redundant monitors may
be desirable especially with redundant LP's. Rationale: Best place
to sense power is where it is needed. Interface is already available.
Sufficient redundancy is required in monitor to prevent monitor failure
negating other redundancy measures.

10.7.5.6 - Determine required bus redundancy in conjunction with
total required system redundancy. Rationale: Although parts of this
study assumed four busses available to each load, the system redundancy
requirements may possibly be met with one or two busses per load.
This has to be determined from the overall system redundancy requirements.
11.0 RECOMMENDATIONS FOR FUTURE EFFORT

11.1 INTRODUCTION

A fault tolerant computer system capable of fail op, fail op, fail safe
operation has been defined and the feasibility of the concept verified
through software simulation. It is considered a significant step toward
the goal of an operational fault tolerant computer system with
application not only in the Space Station, but in other manned or unmanned
space systems where high reliability is of utmost concern. The following
list of activities is recommended as logical extensions of this study.

11.2 SOFTWARE AND SIMULATION
The simulation activity conducted during the study period provided
primarily assurance of design feasibility and demonstration of the
simulation system operations. There are two major areas where
additional simulation activity would be particularly valuable.

11.2.1 VCS Fault Detection/Isolation

Since the voting functions in the VCS are the primary means of
failure detection in the RGC system, it is particularly critical that the
hardware/software system be mechanized in the manner that provides
a high probability of proper isolation of VCS failures. The impact of
erroneously assigning VCS failures to other system elements is very
great. Therefore it would be highly desirable to investigate/evaluate
system performance under a rather detailed simulation of VCS
malfunctions. This can be accomplished by expanding the fault-generation
capabilities in the Simulator and investigating a reasonable variety of
VCS malfunction cases.
11.2.2 Module-level Reconfiguration

The RGC system is designed to allow for module-level (CPU, IOP,
memory) reconfiguration within each of the two physical compartments.
A preliminary analysis of the techniques required to mechanize the
capability was performed during the study, but the necessary software
routines were not programmed. System reliability, in terms of
probability of mission success, can be significantly enhanced by
adding the level of reconfiguration capability but the probability of
successful reconfiguration must be high and the possibility of induced
or propagated malfunctions caused by the additional reconfiguration
paths must be essentially eliminated. Developing the required software
routines and performing additional fault simulation would be
valuable in assessing the feasibility/desirability of a module-level
reconfiguration implementation.

Regardless of what specific follow-on simulation activity is
planned, it would appear that a minimal effort should be expended on
increased documentation and/or user-orientation on the Simulation
System. This system represents a rather general tool which could
be used for a variety of design evaluation tasks. Considering the
investment already made it would seem judicious to assume that full
use of the tool can be made in the future.
11.3 COMPUTER/VCS STUDIES

Concurrent with the simulation activity, additional system studies
should be conducted to investigate areas that were beyond the scope of
this study. This effort should include the following:

• Further investigation of system fault tolerance,
  criticality of computations, fail op boundaries, etc.
• Further effort on design to guarantee failure
  independence to assure assumptions in meeting FOOS.
• VCS definition - Further study to permit designing
  VCS as an add on black box to today's off-the-shelf
  computers.
• Detailed logical design of VCS to permit a complete
  specification for hardware development.
• Further work on hierarchy of control in the selected
  computer organization, e.g., lockouts to assure a
  flexible design while still satisfying FOOS.
• Study of the applicability of the local processor design
  for other subsystems not covered under this study.
11.4 I/O DATA BUS STUDY

The baseline error protection scheme for the I/O data bus uses
two-dimensional simple parity checks and request for retransmission. The
performance of this error protection method depends on a large number
of variables, many of which are difficult to estimate for the Space
Station application. A more thorough evaluation of this protection
method should be conducted. This can best be achieved by computer
simulation, allowing a wide latitude of values for the variables to be
exercised and simulating and computing the performance of the bus
subsystem. Hardware tests are also necessary in this effort to help
define the ranges of hardware dependent variables. Some of the
variables to be exercised are: noise sources, probability distributions for
noise, S/N ratios, data line lengths, message lengths, internal control
word encoding, sample rates, message rates, and retransmission logics.
Various performance measures can be computed in the simulation
such as throughput, probability of undetected error(s) and IOP utilization.
Given the simulation routine, the effects of changes to the baseline
error protection scheme can be evaluated. These can include simplifying
the scheme as well as increasing its complexity by, for example,
appending a cyclic code check for burst error detection and/or correction.
The performance for hardware or software forward error correction
can also be computed. Combinations of coding techniques can also be
evaluated, with the selected method at any point in time determined by
subsystem message criticality, subsystems and system status, and
system configuration.
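
The baseline scheme named in 11.4, sketched as an added example (not code from the report): each data word carries a parity bit, a final check word carries the column parities, and any parity failure triggers a retransmission request. The block size, even parity, function names and the constructed error patterns are assumptions; the exhaustive count shows which error weights the scheme can miss.

```python
"""Added illustration of the section 11.4 baseline; not code from the report.

Assumed details: even parity, equal-width data words, one parity bit per
word plus a final check word of column parities, and all function names.
"""
from itertools import combinations


def encode(words):
    """Append a row-parity bit to each word, then a column-parity check word."""
    rows = [list(w) + [sum(w) % 2] for w in words]
    rows.append([sum(col) % 2 for col in zip(*rows)])
    return rows


def check(block):
    """Return (rows, columns) whose parity fails; both empty means accept."""
    bad_rows = [i for i, row in enumerate(block) if sum(row) % 2]
    bad_cols = [j for j, col in enumerate(zip(*block)) if sum(col) % 2]
    return bad_rows, bad_cols


def flip(block, positions):
    """Constructed channel error: invert the bits at (row, column) positions."""
    out = [row[:] for row in block]
    for r, c in positions:
        out[r][c] ^= 1
    return out


def transfer(words, error_schedule):
    """Send with request for retransmission.

    error_schedule[k] is the error pattern the channel applies on attempt
    k+1. Returns (attempts used, data accepted by the receiver or None).
    """
    sent = encode(words)
    for attempt, errors in enumerate(error_schedule, start=1):
        received = flip(sent, errors)
        if check(received) == ([], []):
            return attempt, [row[:-1] for row in received[:-1]]
    return len(error_schedule), None


def undetected_by_weight(block, max_weight=4):
    """Exhaustively count error patterns of each weight that pass the check.

    Returns {weight: (undetected patterns, total patterns)}.
    """
    cells = [(r, c) for r in range(len(block)) for c in range(len(block[0]))]
    result = {}
    for weight in range(1, max_weight + 1):
        total = missed = 0
        for pattern in combinations(cells, weight):
            total += 1
            missed += check(flip(block, pattern)) == ([], [])
        result[weight] = (missed, total)
    return result


# Constructed sample message: three 4-bit data words.
WORDS = [[1, 0, 1, 1], [0, 1, 1, 0], [1, 1, 0, 0]]

if __name__ == "__main__":
    block = encode(WORDS)
    print("single-bit error located at", check(flip(block, [(0, 1)])))
    # A single error, then a 3-bit burst in one word, then a clean attempt.
    print(transfer(WORDS, [[(0, 1)], [(1, 0), (1, 1), (1, 2)], []]))
    # Four errors at the corners of a rectangle leave every parity even.
    print(transfer(WORDS, [[(0, 0), (0, 2), (2, 0), (2, 2)]]))
    print(undetected_by_weight(block))
```

Every pattern of one, two or three bit errors fails at least one parity and forces a retransmission; the only four-bit patterns accepted are the rectangles, which is the undetected-error contribution a simulation of this scheme has to weigh against the channel's error statistics.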
12.0 REFERENCES

1-1   Detailed Program Plan, Reconfigurable G&C Computer Study for
      Space Station Use, Autonetics C70-111/301.
4-1   Short, R. A., The Attainment of Reliable Digital Systems
      Through the Use of Redundancy - a survey, IEEE Computer
      Group News, March 1968.
4-2   Technical discussions with NASA - MSC.
4-3   Koczela, L. J., Study of Spaceborne Multiprocessing Phase I
      Final Report, NASA CR 1446, February 1970.
4-4   Koczela, L. J., The Distributed Processor Organization,
      Advances in Computers, Volume 9, Academic Press 1969.
4-5   Roth, J. P., Phase II of an Architectural Study for a Self-
      Repairing Computer, AD 825 460, November 1967.
4-6   Goldberg, J., Techniques for the Realization of Ultrareliable
      Spaceborne Computers, N70-18784, June 1968.
4-7   Control, Guidance, and Navigation for Advanced Manned Missions;
      Volume II, Multiprocessor Computer Subsystem, MIT, N69-28660,
      January 1968.
4-8   Cok, F. B., Self Repair Techniques Investigation, AD 657 247,
      June 1967.
4-9   Agnew, P. W., An Architectural Study for a Self Repairing
      Computer, AD 474 976, November 1965.
5-1   Farr, D. L., et al: Spaceborne Computer Design Evaluation,
      NASA Contract NAS 12-589, North American Rockwell Corp.,
      Autonetics Division, July 1968.
5-2   Koczela, L. J., et al: Study of Spaceborne Multiprocessing
      Second Quarterly Report. NASA Contract NAS 12-108, North
      American Rockwell Corp., Autonetics Division, October 1966.
5-3   Anderson, M. D. and Marek, V. J.: Evaluation of Aerospace
      Computer Architecture. Paper No. 68-836, Presented at the
      AIAA Guidance, Control, and Flight Dynamics Conference,
      August 1968.
5-4   Chestnut, Harold: Systems Engineering Tools, John Wiley & Sons,
      Inc., New York 1965.
5-5   Chapanis, Alphonse, et al: Operations Research and Systems
      Engineering, Johns Hopkins Press, Baltimore, 1960.
6-1   Abramson, N., and B. Elspas, Double Error Correcting
      Encoders and Decoders for Non-independent Binary Errors,
      UNESCO International Conference on Information Processing,
      1959, pp 493-4.
6-2   Benice, R. J., and A. H. Frey, Comparisons of Error Control
      Techniques, IEEE Transactions on Communication Technology,
      December 1964, pp. 146-154.
6-3   Calingaert, P., Two-dimensional Parity Checking, Journal of
      the ACM, April 1961, pp 186-200.
6-4   Chien, R. T., Recent Developments in Algebraic Decoding,
      Proceedings International Telemetering Conference 1969.
6-5   Eisenbies, J. L., Conventions for Digital Data Communication
      Link Design, IBM System Journal, V.6 #4, 1967, pp 267-302.
6-6   Gallagher, R. G., Information Theory and Reliable
      Communication, Wiley 1968.
6-7   Hsiao, M. Y., and J. T. Tou, Application of Error-correcting
      Codes in Computer Reliability Studies, IEEE Transactions on
      Reliability, Vol. R-18 #3, August 1969, pp 108-118.
6-8   Kastenholz, C. E., Error Control Techniques in Tactical
      Command and Control Systems, Autonetics TM 341-2-4,
      May 4, 1964.
6-9   Kastenholz, C. E., General Purpose Computer Encoding and
      Decoding of Error Control Codes, National Electronics
      Conference, October 1964.
6-10  Lucky, R. W. and J. Salz, and E. J. Weldon, Principles of
      Data Communication, McGraw Hill, 1968.
6-11  Peterson, W. W., Error Correcting Codes, Wiley 1961.
6-12  Sellers, Hsiao, & Bearnson, Error Detecting Logic for Digital
      Computers, McGraw Hill 1968.
6 -13 
6 -1 
6 -15 
18-1 
10-2 
10-3 
10 -4 
10-6 
-7 
0-8  
10-9 
B, T. and W, T, Chien, Coding for Error Go 
Systems Journal, #I, 1969, 
f, J. K, e t  ail:, Algebraic Coding dancy, 
E Transactions opb ~ e 1 ~ a b ~ ~ ~ ~ y ~  VoL w 9 ,  
pp 91-107. 
Willard,  M. Wes Optimum Code 
tion 1962 National Telemetering 
ay 1962, Paper #5-5, 
Systems Wequi 
ev, E, Space Di 
bruary 13, 1970. 
erchange Meeting wi A, January 21, 1970, 
at Autonetics, 
Corey, P, D, ,  Ana CCI for Static 
Power Conversions 
Aerospace, June 19 
B re Circuit 
NASA - PASC 
