System configuration and executive requirements specifications for reusable shuttle and space station/base by Curran, R. T. et al.
N A  S A C O N T R A  
R E P O R T  
C T O R  
~" 
SYSTEM CONFIGURATION AND EXECUTIVE 
REQUIREMENTS SPECIFICATIONS FOR 
REUSABLE SHUTTLE A N D  SPACE STATION/BASE 
by J. R. Kennedy, R. T. Curran, W. S. Fitzpatrick, 
and J. M .  Johnson 
Prepared by 
COMPUTER SCIENCES CORPORATION 
Huntsville, Ala. 3 5 802 
for George C. Marshall Space Flight Center 
N A T I O N A L   E R O N A U T I C S   A N D   S P A C E   A D M I N I S T R A T I O N  W A S H I N G T O N ,  D. C. MAY 1971 
I 
https://ntrs.nasa.gov/search.jsp?R=19710017542 2020-03-11T20:05:08+00:00Z
Presented  in  this  report are computer  executive  system  requirements  for  the  Reusable 
Shuttle and Space Station/Base. Conceptual hardware configuration aspects that directly 
influence the respective executive systems are delineated. Performance requirements 
are defined  which  constrain or impel  system  software  to a specific  configuration. 
Functional  requirements  are  derived  for  each  respective  vehicle's  executive  system. 
Executive  design  requirements  comprising  preliminary  guidelines,  objectives,  and 
standards  for  system  software  functional  design are established. This report  defines 
the  software  modules  necessary  for  effective  operation of intricate Space Shuttle and 
Station/Base  computational  complexes. 
18. DISTRIBUTION STATEMENT 
Unclassified - Unlimited 
;IF. (of t h h  m#*) 121. NO. OF PAGES 122. PRICE* 
17. KEY WORDS 
Space  Station  Data  Management  Systems 
Executive  Routine  Information  Management 
Reusable  Shuttys ems 
Avionics 
Real  Time  Monitor 
Onboard  Computer 
19. SECURITY  CLASSIF. (d thi. roPQI) 20. SECURITY CLASS 
Unclassified  Unclassified 175 3.00 I 
NASA CR-1820 I 
4. T I T L E  AND SUBTITLE IS. REPORT DATE . . 
System  Configuration  and  Executive  Requirements  Specifications 
for  Reusable  Shuttle  and  Space  Station/Base 
' 7 .  AUTHORIS) J. R. Kennedy,  R. T. Curran, W. S. Fitzpatrick, 8.PERFORMING  ORGANIZATION  REPORT J 
and J. M. Johnson . M534 
9. PERFORMING ORGANIZATION NAME AND ADDRESS 
Computer  Sciences  Corporation 
Field  Services  Division,  Aerospace  Systems  Center 1 I .  CONTRACT OR GRANT no. 
10. WORK UNIT NO. 
8300 South Whitesburg  Drive  NAS-24930 
Huntsville.  Alabama 35802 13. TYPE OF REPORT & PERIOD COVERE1 
National  Aeronautics  and  Space  Administration 
12. SPONSORING AGENCY NA'ME AND ADDRESS Contractor  Report 
I Washington, D. C. 20546 14. SPONSORING AGENCY CODE 
I 
15. SUPPLEMENTARY  NOTES 
Work  performed  for  George C .  Marshall  Space  Flight  Center 
Computation  Laboratory 
16. ABSTRACT 
For sale by the  National Technical Information Service, Springfield, Virginia 22151 

FOREWORD 
The work  Teported herein  was  administered  in the  Systems Research 
Branch, Computer Systems Division, Computation Laboratory, MSFC , 
with Bobby C. Hodges assigned as Contracting  Officer's  Representative. 
In addition to his routine  duties as Technical  Monitor, Mr. Hodges has 
added significantly to our  insight  into and understanding of related NASA 
programs through careful planning, coordination with in-house effort, 
and encouragement. 
iii 
.. . .. . . . . . . . . " - 
SYSTEM  CONFIGURATION 
AND 
EXECUTIVE  REQUrrZEMENTS  SPECIFICATIONS 
FOR 
REUSABLE SHUTTLE 
AND 
SPACE STATION/BASE 
TABLE OF CONTENTS 
Page 
SECTION  I.  INTRODUCTION 
A. General 
B. Scope 
C.  Vehicle Electronics System Descriptions 
D. Executive Requirements 
E. C onventions 
A. General 
B. Integrated Avionics System  Functions 
1. General 
2. Avionics System  Functions 
3. Avionics System  Hardware  Description 
1. General 
2 .  Central  Computer Complex  Monitor 
3.  Crew Display and Control  Computer 
SECTION 11. REUSABLE  SHUTTLE 
C. Executive  System  Functional  Requirements 
Subsvstem Monitor 
3 
3 
3 
5 
5 
7 
9 
9 
12 
12 
12 
13 
35 
36 
36 
49 
D. 
4. Flight  Control  Subsystem Monitor 50 
5. Navigation and Sensor Computer 60 
Subsvstem Monitor 
Executive  System Performance Requirements 62 
1. General 62 
3.  Subsystem Performance  R quirements 62 
4. Summary 66 
2.  System Performance  Requirements 62 
iv 
, 
Page 
SECTION III. SPACE  STATION/BASE 
A. General 
B. Data Management System Description 
1. General 
2.  DMS Functions 
3. DMS Hardware  Description 
1. General 
2. DMS Executive 
3. GNC Executive 
4. Biomedical  Executive 
1. System  Performance 
2.  Subsystem Performance 
C. Executive  System  Functional  Requirements 
D. Executive  System Performance’Requirements 
SECTION IV. EXECUTIVE DESIGN  REQUIREMENTS 
A. General 
B. Procedure Design Requirements 
1. Attribute  Specification 
2. Documentation Standards 
3. Performance  Measurement 
1. External Data Attribute Specification 
2. External Data Documentation Standards 
D. Level of Desi@  Detail 
1. Executive Functions 
2. Executive Modules 
1. Evaluation 
2. Comparison 
C. Data Design Requirements 
.. .~. 
E. Evaluation and Comparison Methodology 
REFERENCES 
69 
69 
71 
71 
71 
74 
94 
94 
103 
109 
112 
120 
120 
121 
131 
131 
X32 
132 
135 
135 
138 
138 
140 
140 
140 
145 
147 
148 
154 
158 
BIBLIOGRAPHY I 5.9 
V 
LIST OF ILLUSTRATIONS 
Title 
Integrated Avionics  System Baseline 
Figure 
II-B-1 
Page 
14 
II-B-2 Space  Shuttle  Avionics System 15 
Baseline Computer  Functional  Diagram 17 II-B-3 
II-B-4 Inertial  Measuring Unit DIU 19 
Controls & Display Baseline  System  Schematic II-B-5 20 
II-B-6 Simplified Data Bus 22 
II-B-7 Dedicated Special Computer  Configuration 23 
II-B-8 Data Transmission  Distribution  for  the 
Orbiter Aft  Bus 
24 
II-B-9 
II-B-10 
II-B-11 
II-B-12 
II-B-13 
II-B-14 
II-B-15 
II-B-16 
Data Bus Message  Structure 
Reconfigurable  Computer  Functional  Diagram 
26 
27 
29 
30 
31 
32 
33 
34 
Power and Mode Reconfiguration of Subsystems 
Checkout Functions 
Display Checkout 
IMU Checkout 
Central Computer Checkout 
Computer Switching 
II-c-1 Relationship of Kernel to the  Remainder of 
the  System 
40 
Distributed  Multiprocessor Configuration; 
Part  A and Part B 
75-76 ID-B-1 
III-B-2 DMS Block  Diagram 78 
vi 
I’ 
Figure 
III-B-3 
III-B-4 
III-B-5 
IU-B-6 
III-B-7 
KC-D-1 
m-D-2 
m-D” 
III- D-4 
TV-B-1 
IV-B-2 
IV-c-1 
IV-c-2 
IV-E-1 
IV-E-2 
IV-E-3 
Title 
Distributed Computer Configuration 
Design Reference Module Data Acquisition 
Subsystem 
Digital Data Terminal 
Analog Terminal 
Remote Data Acquisition Unit 
Page 
79 
87 
89 
90 
91  
Interface Identification 122 
Digital Data Interfaces  to Data Terminals 123 
Space Station Subsystem Data, Acquisition Requirements 127 
Computer  Subsystem Performance  Requirements 128 
Form 1: Procedure Attribute Documentation 
Format 
Form 2: Functional Procedure Description 
Format 
133 
.136 
Form 3: External Data Attribute Documentation 139 
Format 
Form 4: Functional External Data Description  141
Format 
System Feature  Summary 150 
System Procedure  Attributes 156 
System  Comparison  Summary 157 
vii 
Symbol 
ACK 
AIOP 
ALU 
AM 
A/D 
ASM 
BIT 
cc 
ccc 
CDD 
COSY 
CPU 
CPSU 
CRT 
DAU 
DBI & CU 
DCC 
DIOP 
DIU 
DMS 
DRSS 
DEFINITION OF SYMBOLS 
Definition 
Acknowledge 
Analog Input/Output Package 
Arithmetic Logic Unit 
Amplitude Modulation 
Analog to  Digital 
Assembly 
Built In Test 
Central Computer 
Central Computer Complex 
Central Data Display 
Checkout Operating  System 
Central  Processing Unit (including ALU) 
Central  Processor Subunit 
Cathode Ray Tube 
Data Acquisition Unit 
Data Bus Interface and Control Unit 
Crew Display  and  Control  Computer 
Digital Input/Output Package 
Data Interface Unit 
Data Management System 
Data  Relay  Satellite  System 
viii 
Symbol 
ECLS 
ECR 
EI;D 
EOM 
ERD 
EVA 
FCS 
FDM 
FF 
Definition 
Environmental  Control  and  Life Support 
Executive  Control  Routines 
Error  Logging Device 
End of Message 
Error  Recording  Device 
Extra  Vehicular  Activity 
Flight  Control  Subsystem 
Frequency Division  Multiplexing 
Free Flight 
FO/FO/FS Fail Operational, Fail Operational, Fail Safe 
FWA 
G&N 
GNC 
HE 
IAS 
IF 
IMU 
IOCU 
IO P 
I/O 
J E P  
K 
KBS 
KB 
First  Word Address 
Guidance and Navigation 
Guidance, Navigation, and Control 
Hardware  Executive 
Integrated  Avionics  System 
Intermediate  Frequency 
Inertial  Measurement Unit 
Input/Output Control Unit 
hput/Output  Package 
Input/Output 
Jet  Engine Processor 
One Thousand (or 1,024) 
Kilo Bits/Second 
Keyboard 
Symbol 
KB/SW. 
LRU 
LU 
LSI 
MBPS 
MDC 
MODEM 
MSA 
MTJX 
NSC 
ocs 
os 
PFCD 
POL 
RDAU 
REP 
ROM 
R/W 
SDI 
SHF 
SMD 
SOM 
Definition 
Kilo Bits/second 
Line  Replaceable Unit 
Logical Unit 
Large  Scale  Integration 
Million  Bits/Second 
McDonnell Douglas Corporation 
Modulator/Demodulator 
Main Store  Allocator 
Multiplexer 
Navigation and Sensor  Computer 
Onboard Checkout System 
Operating  System 
Primary  Flight Control  Display 
Problem  Oriented Language 
Remote  Data  Acquisition Unit 
Rocket Engine Processor 
Read  Only Memory 
Read/Write 
Standard Data Interface 
Shared High Frequency 
Systems Monitor  Display 
Start of Message 
X 
Symbol 
TBD 
TDM 
TLC 
TTY 
UHF 
XMIT 
Definition 
To  Be  Defined 
Time  Division  Multiplexing 
Time Line Controller 
Teletype 
Ultra High Frequency 
Transmitter 
xi 
SYSTEM  CONFIGURATION 
AND 
EXECUTIVE  REQUIREMENTS  SPECIFICATIONS 
FOR 
REUSABLE  SHUTTLE  AND SPACE STATION/BASE 
SUMMARY 
The two major  concerns of this document have been  descriptions of the 
computational systems  hardware and the  requirements  analysis of their  impact 
on executive  software development. The report  outlines what are believed  to 
be  the  current conceptual trends  for both reusable  shuttle and space station 
computational  hardware. These  discussions are in  light of their effect on soft- 
ware executive requirements, of course. Specification of performance and 
functional executive  software requirements  for  computer  complexes on the 
reusable  shuttle and on the space station are derived  separately. A single set 
of design  requirements is developed to apply to both systems. Design  proce- 
dures and evaluation criteria have equal  applicability  to both systems. 
The  reusable  shuttle  executive  software  system  operates  in  the environ- 
ment of a distributed  multi-computer  system with  dedicated computer  subsystems. 
Logical procedure modules are derived to satisfy  the  requirements  arising  from 
interaction of mission  requirements,  avionics  hardware and applications. 
The space station executive software  operates in an  environment with 
many functional similarities and some  important  differences  in  hardware and 
applications. Hardware differences lie in  the fact that  the space station com- 
puter  system  does not exhibit  dedicated characteristics  to  the  degree that these 
characteristics are exhibited in  the  reusable  shuttle. The  applications or  en- 
vironment  difference is caused by the  existence of requirements  to  support 
experiments with high data rates, archival of results, and other  more complex 
data management requirements. 
Differences  in  mission,  hardware, and level of available  information 
cause  separate  treatments of the two executive software  systems.  Experience 
in  computer  applications with similar  attributes has been  drawn on in  the 
definition of the  executive  software functional requirements  for each. 

I 
SECTION I. INTRODUCTION 
A. General 
The development of design  specifications for .flight operational  executive 
systems  to  support  major NASA spaceborne  electronics  systems  in  the coming 
decades is an  activity  currently  receiving growing attention. A primary objec- 
tive of the Marshall Space Flight Center Computation Laboratory's  Systems 
Research  Branch has been a continuing effort  to  broaden  the scope of awareness 
in  the  areas of future on-board executive system concept  formulation and design 
philosophy. The purposes of this objective a re  manifold, in  that  many  related 
benefits  accrue  from a coherent and persistent  effort  to  refine  the  overall 
understanding of spaceborne  executive  systems. Some obyious benefits are: 
0 NASA can guide efforts in this area with clearer goals 
in mind, 
0 Proposed  concepts  can  be more intelligently  evaluated, 
0 The general  state-of-the-art of the computing sciences 
may be enhanced, and 
0 Greater  cost  effectiveness  can  result. 
to name but a few. This report, therefore, supports major NASA objectives 
through delineation and outline of spaceborne  computer  systems  hardware 
features and executive system  requirements  for both the  reusable  shuttle and 
earth orbiting  space station. 
B. Scope 
The development effort  required  for  each of the vehicle software  systems 
consists of Flight  System  Analysis and Software Development. 
1. Flight  System  Analysis.  This  activity  includes: 
0 Functional  Specification 
0 Operational  Specification 
0 Performance' Specification 
3 
Concept Formulation 
Algorithm  Identification 
Simulation 
Equation Formulation 
Algorithm  Evaluation 
System  Functional Alternatives 
Trade  Analyses 
2. Software Development. This  activity includes: 
Requirements  Analysis 
System  Design 
Program Functional  Design 
Program Component Detail Design 
Program Component  Coding 
Program Component  Checkout 
Software  Integration and Test 
Flight Readiness  Verification 
Flight System  Analysis  consists of mission  problem  analysis  oriented 
toward determining and defining the  solutions  to  mission  problems  such as 
vehicle guidance and control, experiments control, etc. Software Development, 
which can,  to a limited  degree, run concurrent with  Flight  Systems  Analysis 
but generally follows it, consists of the  total  process of defining, designing, 
fabricating,  and  testing of the  required  software/hardware complexes. 
The  scope of this  report is not broad enough to  address any aspects of 
Flight  System  Analysis. This  activity is currently being  pursued  under  other 
NASA contracts, and preliminary  reports are only now becoming  available. 
4 
The two major  concerns of this  report have to do with descriptions of 
the  computer  systems  hardware and the  requirements  analysis aspect of Soft- 
ware Development as it applies  to executive systems  for  control of the  space 
system  computers. 
C. Vehicle Electronics System Descriptions 
Subheadings in Sections I1 and 111 of the  report outline what are believed 
to be the most recent  trends  in  concepts for flight hardware  for both the  shuttle 
and station. Every  effort was made to  critically  survey all formal documenta- 
tion describing  requirements and trade  studies leading to  the  designs depicted 
in  this  report;  in many cases,  preliminary and informal  documentation was  
correlated  to  achieve a better perspective. However, much of the on-going 
design  process is being executed in  the fashion of a painter  capturing a changing 
scene on canvas. For  this  reason, and also  because we have attempted  to ob- 
serve the  results of a process while it is evolving, we have managed  to extract 
and describe only a  "broad-brush" version of the  system  hardware;  very  little 
architectural  detail  has been defined and is therefore not described  in  the 
report. Since the primary  concern  here is with the  computers and their gross 
relation to other  subsystems,  detail concerning other  subsystems was, for  the 
most part, intentionally supressed. 
The report then concentrates on the  computer  complexes, mass and/or 
auxiliary  storage, and the  data bus subsystems.  This is felt  to  be  sufficient  for 
support of a future executive  functional  design  effort. 
D. Executive Requirements 
Requirements are  considered  to  be grouped into classes depending on 
their  nature as follows: 
0 Design Requirements 
0 Performance  Requirements 
0 Operational  Requirements 
0 Functional  Requirements 
5 
Design requirements have to do  with  the  specification of  how a design is 
to  be  performed. Documentation  and  implementation standards,  level of design 
detail,  design  flexibility,  degree of modularity,  and special  features  to allow 
for  system  testing and performance  measurement are but a few typical  design 
requirements. 
Performance  requirements  specify how well a system is to perform. 
This  specification is normally  accomplished by the definition of a set of para- 
meters that  can  be  measured or  evaluated  through system  operation.  The  spe- 
cification  outlines  acceptable  values  for  these  parameters  to  aid  in  design and 
system performance evaluation. Timing characteristics, accuracy, reliability 
and capacity are examples of performance  requirements. 
Operational  requirements  specify aspects of the  system  peculiar  to its 
operation  under  the  various  constraints and conditions imposed upon it. For 
example, environmental conditions such as temperature, humidity, pressure 
and foreign  particle population counts  constitute  operational  constraints  that 
influence design. Another important class of operational  requirements has to 
do with man-machine interactions and associated  responses. 
Finally,  functional requirements  specify  operations  to  be  performed, 
the inputs and resources  to be used, and the  associated outputs. Functional 
requirements are often extracted  from not only the  nature of the  process involved 
but also  from  the previously  mentioned  requirements as influencing factors. 
Functional requirements are determined not  only by  the  hardware  architecture, 
but also  explicitly and implicitly by applications  programs. For example,  the 
presence of a CRT display  in  the  system  indicates that the executive  system 
must  provide program  modules  to  support  these  devices;  complex  display appli- 
cation programs  may  require a display file management program module in  the 
executive. 
A particular functional requirement  may  be  satisfied  in a design by any 
one of several logically different design procedures. These procedures may 
vary  in execution time,  core  requirements,  reentrancy  requirements, o r  other 
attributes. Furictional requirements and performance requirements are related 
by the fact that  performance  requirements may force  selection of a particular 
technique from among  the  several  possible  techniques  available.  For  example, 
in  the  calculation of spacecraft attitude,  accuracy  requirements may dictate 
that .sampling and calculation  routines  must  be  entered  every 100 ms  rather 
than every 500 ms. If a particular  task scheduling o r  dispatching technique 
does not permit execution of a program module at intervals of 100 ms o r  less, 
then it is eliminated from consideration.  Failure mode requirements (FO/FO/ 
FS) may require  that  multilevel  interrupt  techniques  be employed rather than a 
single  level  priority  interrupt  scheme. 
6 
The  report  deals with performance and functional requirements  for exe- 
cutive  systems  for both the  shuttle and station  separately.  Because of the 
asynchronous  phasing of these two NASA programs,  the  level of detail is not 
comparable  for  the two vehicles. A single set of design  requirements was  
developed in a separate  section  to  apply  to both systems  because of the  dual 
applicability. 
The development of meaningful performance  and  operational  requirements 
specifications  necessitates  an in-depth analysis of all flight  system  application 
program and hardware  requirements. Although this is clearly beyond the  scope 
of the report, the major reason  for  lack of description  in  this area is the  general 
lack of availability of documented results of flight  systems  analysis. 
The major area of interest  in  the  report is the  specification of functional 
requirements.  Every  effort  has been  made to outline these  requirements with 
clarity and  comprehensiveness. In certain  discussions, a tutorial  approach  was 
taken  because  the  subject  warranted it, while in  other  discussions,  conciseness 
was  the guideline because  the  concepts were assumed  to  be well understood. 
E. Conventions 
While every  reasonable  effort  has been  made to  adhere  to a common set 
of definitions and terminology, time  has had a mitigating impact. For this 
reason,  some of the areas of possible  difficulty are clarified  here  in the interest 
of promoting  understanding. 
0 CPU, ALU, computer and processor are frequently  used 
interchangeably. In most cases, the arithmetic logic 
and control unit is the  hardware  device being discussed, 
but frequently,  the combined (synergistic)  arithmetic 
logic and control unit and main  (macroprogram and data) 
memory complex is the functional entity of interest. In 
all cases, context should clarify  the  actual meaning. 
0 Bulk store,  mass  storage, mass memory, and auxiliary 
storage are interchanged promiscuously. Again, context 
should clarify  the  actual  storage of interest. 
7 

SECTION 11. REUSABLE SHUTTLE 
A. General 
This  section of the  report  discusses  the  reusable  shuttle by consi- 
dering a hypothetical  vehicle consisting of a composite of the  booster and orbiter, 
The  discussion is divided into three parts as follows: 
0 Integrated  Avionics  System  Description, 
0 Executive System Functional  Requirements, and 
0 Executive  System Performance  Requirements. 
The first of these  parts  represents a comprehensive  organizational 
delineation of the  major  hardware  elements  related  to computing within the 
avionics  system complex. Particular attention is given to reviewing the  major 
avionics  functions and discussing  hardware  specifics  insofar as they are defined 
at this evolutionary stage. Major emphasis is placed on those  elements  relating 
to the  computer  complexes and their  associated  closely-related  devices and 
peripherals.  Particular  attention is also  directed  to  the  bus  structure and its 
related  control and data  transfer concepts. Due to  the  scope of the study, no 
details  regarding non-computing subsystems are given. 
The  second part,  based heavily on the  hardware,  concerns itself 
with the  determination and description of functional requirements  for a set of 
executive  routines, o r  real-time  monitors,  for  the  various  computer  complexes 
within the  shuttle  avionics  system. 
The  final  part of the  section  deals with performance  requirements 
for the  executives.  Ideally, the following methodology  would be invoked to 
determine performance requirements. First, all application (problem- or  
mission-oriented)  tasks would be modeled by analysis and simulator  design  to 
determine cumulative distribution functions for each of the following task 
attributes: 
0 Time  interval allowed for task execution, 
0 Memory space, 
0 Number of normalized  operations per execution, 
9 
0 Number of input and output requests per 
execution, and 
0 Buffer size for input and output requests; next, 
a typical  mission  profile would be developed to show when, on a relative  time 
scale, each  task would be  activated for  execution; this  profile would then serve 
as the  basis  for a system load  model that is used  to envelope the following 
system load attributes: 
0 Memory space as a function of time, 
0 Number of operations per unit of time, 
0 Number of input and output requests per unit 
of time, and 
0 Data transfer volume per unit of time. 
Certainly  other  task and system load attributes could be  the object of determina- 
tion, but these are sufficient to show the method. 
The required  number of operations per unit time is a function of the 
timeline  task execution  frequency,  the  time  intervals allowed for  task execution, 
and the  number of operations per task execution. Task execution rate is the 
number of required  operations divided by the  allowed time  interval.  This rate 
must  be  maintained  throughout the allowed time  interval. Given the  timeline 
scale showing  when each  task is activated, we can  superimpose overlapping 
intervals additively to obtain required execution rate as a function of time. If 
we assume  that  this rate is absorbed  mostly by accessing  main  memory  (the 
validity of this  assumption depends on how task  operations a re  "normalized"), 
then we have developed a measure of required  main  memory access rate as a 
function of time.  The volume of input/output distributed  over  the allowed exe- 
cution time  gives  the  other component of main  memory  access rate which, 
when combined with operation rate,  gives a composite  measure of required 
main  memory speed. 
This  speed  represents  an "effective" speed which can  be obtained 
in many ways  such as by using one very  large and fast processor/memory  system, 
o r  by using several  slower  devices  in parallel. Associated with each choice, 
of course, is a set of required executive routines  for  support.  The  cost and 
complexity of these  routines  must  be  merged  into  the  overall  trade  analysis  to 
determine  an optimal  configuration  satisfying the  mission  timeline  task  require- 
ments. 
10 
The trade  analysis will result  in  specification of performance 
requirements  for executive routines. These requirements might include: 
0 Maximum time  to  activate a task, 
0 Maximum time to initiate an I/O request, 
0 Maximum main memory used by the 
executive, etc. 
The point of this  discussion is now clear. A significant  deficiency exists with 
regard  to  performance  requirements  for  the  shuttle executives.  The reason  for 
this is that  comprehensive  performance  requirements a re  derived, as shown 
above, almost  exclusively from application  program  performance requirement 
specifications, and these a re  not specified in sufficient detail  at  this time. 
Functional requirements, on the  other hand, are based  primarily on the  hard- 
ware  architecture and application program functions. Although considerably 
more definitive detail is required in these  areas, a priori knowledge was appli- 
cable due to the nature of the  mission  functions and the applicability of past 
experience with related  and/or  similar  systems. 
11 
. ... . .. . .- ." . . - . . . .. . . . ." - .. . . .. 
I 
B. Integrated Awionics System Functions 
1. General. This section outlines the Integrated Avionics System 
for  the  reusable space shuttle. Specific mission  oriented functions required  to 
be performed by the  complete  system are described.  Characteristics of the 
avionics hardware conceptual configuration described various documents 
and presentation  notes  that  directly  impact upon the  executive  system  require- 
ments are delineated. Major emphasis is directed  to  the  Arithmetic Logic 
Units (ALU's), storage, and data  bus  subsystems  since  they have the  greatest 
influence on the  executive design. Other aspects of the  system are not considered 
in detail  for  this  report. 
2. Avionic System  Functions.  The space shuttle will  utilize an 
on-board computerized  integrated  avionics  system  to  provide  information  pro- 
cessing and system  control  required  for autonomous  vehicle  operation. It will 
relieve  the crew of excessive workload by automatically  performing  time criti- 
cal functions and providing priority  sorting and data  compression of that infor- 
mation needed by the  crew. 
The general avionic  functions to  be  performed are: 
a. Engine control - jet and rocket. 
b. Communication to ground and space station. 
c. Attitude reference. 
d. Flight control - aerodynamic and reaction jets - manual 
and automatic. 
e. Navigation in orbit and atmosphere. 
f. Guidance during boost, orbital burns, entry and landing. 
g. Displays for pilot and copilot. 
h. Power control and  conditioning. 
i. Control, checkout and status monitoring of vehicle 
subsystems. 
0 Environmental Control and Life Support (ECLS) 
0 Hydraulics 
12 
Landing Gear 
Lights 
Hatches  and  Doors 
Electrical  Power 
Propellant 
Separation 
Payload 
j. Flight  recording:  maintenance and emergency. 
k. Information  management. 
1. Software for on-board checkout, ground checkout, 
mission planning. 
' m. TV cameras, alignment,  closed circuit. 
3. Avionics System Hardware Description.  The space  shuttle 
Integrated Avionics System baseline is shown in  Figure II-B-1(1). References, 
shown in  parentheses, are given at the end of each  section. The Integrated 
Avionics System (IAS) is comprised of a central computer  for  centralized 
data  management and several dedicated processors  for special hi-iteration cal- 
culations. All  other  subsystems  requiring U S  attention  in  the form of data 
communication, o r  command and control are interfaced  through a network of 
multiplexed data  buses.  Data  bus-to-device  interface is accomplished  through 
a standardized  digital  interface unit (DIU). This unit is to be  designed  with 
general  purpose  flexibility  sufficient  to allow direct computer  communication 
with  any external  subsystem  while  requiring only minimal special interface 
circuitry design. 
The major functional elements of the  complete  Integrated  Avionics 
System and corresponding  subsystems are shown in  detail  in  Figure 11-B-2(2). 
Quantity numbers are assigned  to  processing units and digital  interface  units 
(DIU'S) reflecting  the redundancy required for meeting failure mode criteria 
(i. e., fail operational, fail operational, fail safe). 
a. Computers. The IAS system computers provide computa- 
tional  capability  required  by all other  subsystems  during all phases of the  space 
shuttle mission.  The majority of these computations are presently planned to 
13 
Guidance  and  Navigation 
S t rap  Down IMU Package 
with  Processor  
Lase r   S t a r  Tracker::::: 
Horizon Sensor:::: 
Trainable TV:::::: 
Nav. Base Assembly 
Air   Data   Sensors  
RFND Radar Interface:::: 
One DIU P e r  Unit 
Flight  Control 
Main  Engine  Interface 
Aileron Servos::+ 
Rudder Servos 
Elevator  Servos 
Flap  Servos 
Engine  Gimbal  Servos 
Attitude Jets 
Maneuver  Jets 
Rate Gyros 
Jet   Engine  Interface 
O d I U  P e r  U n i t  
I 
I 
1 
r 
DATA MANAGEMENT 
Peripheral   Processing  Negates  Need  for  Hi-Speed 
Computer 
0 2 Micro Sec.  Central  Computer Centralized 
0 Dedicated Peripheral  Processors  for  Special  
0 Mass Memory for Mission Planning, Software 
Data  Management 
Hi-Iteration  Calculations 
Verification  and  Growth 
r----- 
I IMU 1 
r -------- ]Rocket 1 
\Engine 
16K 16 Bit Word 
L "d"" 1 'Per Comp. 
t 
Provide 96K 
Compute r 
64K 32 Bit 
Words 
P rocesso r  k 
32 Bit I 
LWords ""-" /Coma I 
I (Jet   Engine , r - - - - - - -  1
I 27K BPS 
Hydraulic  Piperotection One DIU Per Unit 
One DIU P e r  Unit 
Multiplexed  Data  Bus 
2 3 0 K  BPS  Maximum  Data  Rate  Requirement 
Lighting  Ha  tc he s 
Displays  and  Controls 
) isplays 
0 Symbol Generators 
0 Pr imary  F l igh t  Control 
0 Reticle   Projector  
0 Sys  tem  Monitor  Displa 
0 Central  Data  Display 
0 Display Processor  
0 Alpha Num Display 
;rew  Controls 
0 Yoke 
0 Rudder  Brake 
0 Translation 
0 Attitude 
0 Jet  Throt t le  
0 Sensor Pointing:::: 
0 Mode Switch Panel 
0 Keyboard 
Displays 
One DIU P e r  Unit 
;ommunications  &Navaids 
0 UHF Transce iver  
0 SHF Transceiver:::: 
0 Recovery Beacon 
0 Intercom Stations 
0 Antennas 
0 ILS Set 
0 DME, VOR 
0 ATC Trans.  
0 Radar Al t .  
0 Trans i t  RCVR 
FIGURE 11-B-1 
INTEGRATED AVIONICS SYSTEM  BASELINE 

be  performed  in  the  central  computer complex. However, dedicated special 
purpose  computational devices are utilized  to satisfy unique computational re- 
quirements. Specific characteristics of each of these  computer  complexes are 
as follows: 
(I) Central computer .(CC). A functional diagram of the 
Central Computer is shown in  Figure 11-B-3(1). The  unit is comprised of an 
Arithmetic Logic Unit (ALU), 4-16K memory modules  and an input/OUtPut (I/o) 
control unit. Data paths exist between each of the  memory modules, the ALU 
and the I/O control unit. Eight buses are connected to  the 1/0 control  unit. 
Logic  capability is available  for  direct  memory  to  bus  transfers  or  cycle  stealing 
memory  transfers. 
The following Central Computer characteristics are defined: 
0 Number of computers (max.) 4 
0 Memory  Size (max. words) 256K 
0 Memory Modules  (max. ) 16 
0 Word Length (bits) 32 
0 Half Word Length (bits) 16 
0 Add Time  (microseconds) 2 
0 Multiply Time  (microseconds)  10
The  central  processor is projected to have an  instruction set conr 
sisting of 100 instructions with eight  general  purpose registers. Direct  addres- 
sing will  be  available to  the 64K words of main  memory.  Each  memory module 
will  be powered and  switched As 16K x 34 bit modules. Two bits will  be  utilized 
for parity. 
(2) Digital interface  unit  processor. Each subsystem 
will  be  interfaced  with  the 1/0 bus through one of 16  slightly  different  variations 
of digital  interface  units.  In  most cases these  units wil l  consist of a line ter- 
minal only. However, in a few specific cases a more  sophisticated  approach is 
required. A 16-bit parallel  processor with approximately 2.5K of memory is 
envisioned in addition to  the line terminal.  Basic building  blocks for  storage 
are 512 word  blocks of MOS R/W and MOS R/O memory. Other  characteristics 
of the  Processor include  add times  in  the 2 microsecond  range;  local  memory 
is partitioned with approximately 25% having read/write  capability and 75% with 
16 
II_ Central  Processing  
1 Input/output Unit 
Direct Memory to Bus 
Communications 
I 
I, 
I _ "  """ " " -  I i " " " " " _ "  I 
BASELINE COMPUTER FUNCTIONAL DIAGRAM 
FIGURE II-B-3 
read only. Twelve to  sixteen  units of this type are envisioned. 
A typical block diagram of this  type of DIU is shown in  Figure 
11-B -4 (2). 
(3) Main engine processor. Main engine or  rocket 
engine control will  be effected  through the  main  engine  processors.  Each of 
these  engines is currently envisioned to  require  the following computers with the 
indicated characteristics: 
0 Number of Computers 4 
0 Memory sizes,  each  (words) 6K 
0 Word Length (bits) 16  
0 Add Time  (microseconds) 2 
(4) Jet engine processor. Jet engine control wil l  be 
effected  through the jet engine processors. Each of these  engines is currently 
envisioned to  require  the following computers with the indicated characteristics: 
0 Number of Computers 4 
0 Memory  Size, each  (words) 1.3K 
0 Word Length (bits) 16  
0 Add Time  (microseconds) 2 
(5) Display processor. Display of information is 
effected  through the  use of multimode  cathode ray tube (CRT) devices.  These 
programmable  devices allow the  display of only that  data  pertinent  to  the  current 
mission phase; all other  data is relegated  to  the  status  monitor o r  cautional 
warning  classification. 
Each of the  five CRT displays are driven  by a symbol generator. 
The  display  processor is interfaced through a bus  network to each symbol gen- 
erator  for display  driving.  Display  driving is also possible from  the  central 
computer  via  the  bus network to  the  symbol  generator.  Figure 11-B-5(1) shows 
the  complete  control and display  baseline  schematic. 
Characteristics' of the  display  processor's are as follows: 
18 
INERTIAL  MEASUREMENT  UNIT  DIU 
r -,. ?fiTBT>T/T - -, 1 r LRU I /O A """"""""""I" 1.I 
LINE +" ANALOG  SIGNAL  AN LOG I 
 TERMINAL + MUX COND ' i 
36/28 I 
I .  
I (4) (21, I LL i-,,,, I I 
I 1/10 I 
,ANALOG I 
DIGITAL +,- DIGITAL I I 
' 
m 1 + I '  
7 
P 
W 
POWER 
SUPPLY I 1 -  
BI-LEVEL1 I
DIGITAL 18/10 I 
DIGITAL I 
SERIAL I 
CLO.CK I 
212 I 
I 
I 
I A 3 SEC ADD WITH  INDEXING I 
A TOTAL LRU I/O CAN EXPAND TO 512, X/Y WHERE X ARE USED 8 Y ARE SPARED 
A BUS EQUIVALENT DATA RATE IS 400,000 Hz 
I 
I 
L""", 1 
I 
I 
I 
I 
I 
FIGURE II-B-4 
CONTROLS & DISPLAYS  BASEUNE 
SYSTEM SCHEMATIC 
Data - 
Bus 
To/frorr 
CPU 
N 
0 
1 Proj. 
Liz-" 
J2E GEN 4 GEN Indicator 
MICRO 
0 V I W E R  
\ I CDD 1 
Computer 
Keyboard 
(2/2) 
(1 0/2) 
(4) Mode Switches 
D Panel 
(3 I Control Yoke - (4) Rudder Pedals (D(Brakes-I 
Translational 
Hand Controller Throttles 
Sensor Steering 
Stick 
(Hand Controller) 
(2/2) 
Controller 
FIGURE II-B-5 
0 Number of Computers 4 
0 Memory  Size, each (words) 6K 
e Word Length (bits) 32 
0 Add Time  (microseconds) 2 
Memory is utilized  to  refresh  the  CRT'i at a rate of 50-60 Hz to 
prevent  flicker.  Source  data update occurs-at a low 1 Hz rate. 
b. Bus structure. Space shuttle intercommunication is to be 
effected  utilizing individual hard  wires as the  transmission medium  between  black 
boxes and from  subsystem  to subsystem.  The  signal  transmission technique 
chosen is the  multiplexed data bus. 
The  system  employs serial digital  time division  multiplexing (TDMJ 
and is computer  controlled  using a request/reply  data flow control technique. 
Bi-phase  (Manchester)  digital coding and alternating  current coupling methods 
are employed. The  system  timing  reference  (clock)  required  for  synchroniza- 
tion is transmitted  over a separate bus. 
Bus-to-subsystem  interface is effected  through  standard  Digital 
Interface Units (DIU'S). An example of the  interconnection technique and the 
interconnection redundancy is shown in  Figure 11-B-6(2). Four  buses are run 
aft for interconnection to all subsystems  in  this area. An additional four  buses 
are run  forward (i. e., toward  the cockpit) for interconnection with subsystems 
located  there. Eight bus positions are available on each 1/0 controller  for  bus 
interconnection to  the  central  computer. 
Although computer-to-subsystem  intercommunication is achieved  via 
a bus network, each of the  dedicated  processors are afforded an  intercomputer 
channel for additional  communication. This  capability is provided to enable 
simultaneous  computer-to-computer  communications  while the  bus network 
is in  use  for  another function. The layout of the communication links is shown 
in  Figure 11-B-7(1). 
Figure 11-B-8(1) outlines  the expected data  transmission  distribution 
over  the  orbiter aft bus. Message  length in 8-bit bytes is plotted as a function 
of both number of transmissions  per second and number of bytes  transmitted per 
second. 
A total  traffic estimate for Aft Data Bus No. 1 by MDC/TRW has 
been  placed at approximately  1.08 KB/sec. The  possible  operational  capability 
range of the  complete  bus  system is 100 KBS-5MBPS. 
21 
SIMPLIFIED DATA BUS 
IUHFIDE 
XMlT I ' 
, f i 2  U 
1 1 
2 
3 
4 
;ES 
I It 4 I I  ft 3 I 
I DISPLAY 
I I 
1 
Crew  Display  Data 
m Management 
Bulk Memory  Computer  Computer SIS’S 
DIU’ s Dm 
j’ 
MONITORING & 
CHECKOUT  BUS 
1 
I 
t 
I 
ENGINE  CONTROL  FLIGHT  CONTROL GUIDANCE & IMU 
COMPlEJTER COMPUTER 
- NAVIGATION 
COMPUTER PROCESSOR 
8 . .  . . . .  I 
HARDWIRED HARDWIRED OTHER  G&N 
SENSORS 
IMU 
ENGINE  CO TROL  FLIGHT  CON ROL 
INTERCOMPUTER CHANNEL 
DEDICATED  SPECIAL  COMPUTER CONFIGURATION 
FIGURE II-B-7 
600 
500 
E 
R 
3 
' 400 
PI 
t% 200 
0 
E w 
E 
100 
0 
1 2 I 
DATA TRANSMISSION DISTRIBUTION 
FOR  THE ORBITER AFT BUS 
3000 
2500 
a 
0 
?I 
2 
2000 ! 
c3 
2 
H 
1500 
B 
; 
El 
1000 8 
zi 
cd 
500 
4- 
4 6 8 10 12  14 16 18 
MESSAGE LENGTH IN 8-BIT BYTES 
FIGURE JI-B-8 
30  32 
The data  bus  message  structure is displayed in Figure 11-B-9(1). 
Although the  bus  transmission  structure is not specifically  identified, it is 
assumed  from  the  vertical  parity byte  provision that  the  transmission is parallel 
by bit  up to one byte and then serial by byte. 
Bytes are  comprised of 8 bits plus one bit  for  horizontal  parity. 
Data message length varies depending upon the  specific DIU in use. 
Computer memory  requirements  for  data  bus  control  are  as follows: 
Function 
Bus Scheduling 
1 
Memory Requirements 
(Words) 
500 
Control selection of appropriate 1/0 
program for data bus. 
Modify programs as required  to 
accommodate changing requirements 
and reconfiguration. 
Initiate IOCU action. 
1/0 Drivers 
Command List - List of Data Bus  Commands 1000 
IOCU Programs - Bus  Control Programs 1000 
2500 
c. System  reconfiguration. Avionics system  reconfiguration 
to meet the  failure mode criteria  as  currently envisioned will be effected  through 
two distinct techniques. 
(1) Central computer. The first is for protection of 
the  central  computer  in event of an LRU failure. LRU's a re  identified to  be 
the  centra1  processing  unit, a 16K memory bank, and an 1/0 control unit. Each 
of these, is quadruply  redundant with module selection as a function of the 
system executive, envisioned to be '!hardware" executive in this  case.  This is 
depicted schematically  in Figure 11-B-lO(1). 
(2) Subsystem  reconfiguration.  Reconfiguration in  the 
event of failures  in  the  remaining  subsystems is effected as a software function 
25 
FROM  CENTRAL  COMPUTER  TO  DIU'S: Overhead: 3 Bytes 
Address Function Data Parity 
1 1 0-7 1 <- Number of Bytes 
(DIU 
Dependent) 
TO  CENTRAL  COMPUTER  FROM  DIU'S: Overhead: 2 Bytes 
I-"...\ Address 
1 0-32 1 <- Number of Bytes 
(DIU 
Dependent) 
Address: Identification of DIU 
Function: Data Assignment or Request 
Data: Information to  be Communicated 
Vertical Parity: Burst Error Detection 
DATA BUS MESSAGE FORMATS 
FIGURE II-B-9 
I I I 
I I r '  
I 
r l  1 1 I 1 
Memory  Memory  Memory  Memory 
# I # r # # - - - 
1 I.) 2 - 3 4 - - 
4 I 4 4 4 
I 
Select Central  Processing 
Executive 
Input/output Unit r t 
Direct Memory to Bus 
Communications I I Selected Bus Parameters 
I 
I Comparison Logic for 
- " " " " " _  """"""" 
RECONFIGURABLE  COMPUTER  FUNCTIONAL  DIAGRAM 
FIGURE 11-B-10 
of the  central  computer. At this point in  time it is not certain as to whether this 
is an application or  system  program function, Figure II-B-ll(1) shows function- 
ally how subsystem  reconfiguration will be effected. 
Figures 11-B-12(1) through 11-B-16(1) show checkout functions at 
various  levels and for various  subsystems. The  significance of the  central 
computer is shown in each  case.  Pilot/copilot  activated  reconfiguration capa- 
bility exists for  the  central computer. This  includes  override capability for 
the  executive. 
28 
BUS 1. 
2 Failure BUS Cause of Failure Mode 
3 
4 -  
r 
I/O Detection Reconfiguration 
Module* I 
I Module* 
2 i I A I 1  I 
I - I t  I I I 
Power 
Selection Reconfiguration 
Change 
Matrix Elements Decision 
Change 
I * c Actuate Substation Power 
i Breakers via Substation 
Switching I 
- 
DIU (except computer 
breakers) mb Module* 
Mission 
Phase 
Panel Switches 
I 
A 4 1  Keyboard 
1 I Mode 
1 - Module* 
* Software Modules 
POWER AND MODE RECONFIGURATION O F  SUBSYSTEMS 
FIGURE 11-B- 11 
w 
0 
CENTRAL COMPUTER 
0 TREND ANALYSIS 
0 PARITY  CHECK 
0 REASONABLENESS 
0 REDUNDANT  UNIT 
COMPARISON 
MULTI-FAILURE 
EVALUATION 
+ CORRECTIVE  ACTION 
+ STIMULI  COMJUND 
+ TEST COMMANDS 
LRU DIU - -
I 0 LIMIT CHECKS 
0 OPERATIONAL DATA 
0 LIMIT CHECKS 
PARITY  CHECK 
KEY SIGNALS PRESENT N c x )  
KEY SIGNALS PRESENT-- REDUNDANT  UNITS 
+ TEST SIGNALS GENERATION COMPARISON 
POWER SWITCHING 
ALTERNATE UNIT 
It C O r n O L  
DATA BUS 
I r I  
I 1 DIU 
DISPLAYS 
TREND ANALYSIS 
REASONABLENESS EVAL. 
0 MISSION SITUATION 
0 REDUNDANT UNIT COMP 
+ CORRECTIVE ACTION 
+ STIMULI COMMAND 
CHECKOUT FUNCTIONS 
FIGURE ll-B-12 
- GSE (PRELAUNCH  ONLY) 
0 W T  CHECKS 
0 TREND ANALYSIS 
0 MISSION SIMULATION 
+ STIMULI COMMAND 
+ OFF-BOARD STIMULI 
GENERATION 
-I- TEST COMMANDS 
DISPLAY 
PROCESSOR 
(4) 
I 
10101010= 
10101010 
1 
GO/NO GO 
L 
WARE] VJDEO 
GEN. (2) ' \  CRT I\ I '  
I \ 1 \ 
t Go/m GO 
SMD 
(PFCD & 
C DD) 
SYMBOL 
GEN. (2) 
/ GO/NO GO 
CDD \ 
\ 
CDD 
CRT SYMBOL 
GEN. (1) 
(1) OM) 
DISPLAY CHECKOUT 
FIGURE II-B-13 
? 
IMU NO. 1 PROCESSOR & DIU NO. 1 
0 PULSE  TORQUEING 
DATA ACCUMULATION 
l l  0 COORDINATE  RESOLUTION 0 DATA COMPARISON (AND 
REJECTION) I 
I 10 DATA FORMATTING I '  
0 BUFFERING 
0 GENERATE PARITY 
1 
I LN.Lu I I &ROCESSOR & DIU NO. 3 
I I 1 I 
DIU - 
PARITY 
CHECK 
P 
IMU NO. 4 - 
PROCESSOR & DIU NO. 4 
NO. 4 
~ ~~ ~~~ ~ ~~ ~ 
CENTRAL  COMPUTER 
B COMPARE NO. 1, 2 
TO 3, 4 
B REASONABLENESS 
CHECK 
SELECT DATA TO 
USE FOR G, N & C 
IMU  CHECKOUT 
FIGURE II-B-14 
MY STATUS 
I / f 3 STATUS 2 STATUS DIU  CENTRAL 4 44 STATUS 
HE CONTROL 
CENTRAL I 
4 HE COMMAND TO 1 
4 HE  COMMAND TO 2 
4 HE  COMMAND  TO 3 
HE COMMAND TO 4 3I -I 
I I I CENTRAL 
COMPUTER 
OTJTPUT NO. 3 
L"- 
I DIU  CENTRAL 
1 COMPUTER . STATUS DATA 
OUTPUT  NO. 4 
L"- 
CENTRAL COMPUTER CHECKOUT 
FIGURE 11-B-15 
I 
! 
w 
tP 
I 
2 3 
HE 
COMPUTER IN-COMMAND (SWITCH) 
DIAGNOSTIC CRT 
1. ALL FOUR  COMPUTERS OPERATE .AT  CRITICAL  TIMES. ONE IS IN CONTROL. 
2.  HARDWARE EXECUTIVE (HE) NORMALLY  CONTROLS  WITCHING. 
3.  CREW  CAN  DISENGAGE  HE AND SELECT ANY COMPUTER  MANUALLY. 
4. SELF-TEST LIGHTS AND COMPUTER  DIAGNOSTICS  ASSIST  CREW IN COMPUTER  EVALUATION. 
5. COMPUTERS MONITOR  HE ACTION  TO  INSURE SAFE CONDITION. 
COMPUTER SWITCHING 
FIGURE II-B-16 
C. Executive System Functional Requirements 
1. General. Space shuttle Executive  System  Functional  Require- 
ments are derived from several sources: - 
0 Mission  requirements  analysis, 
0 Hardware  architecture  analysis, 
0 Applications requirements  analysis, and 
0 Combinations of the above. 
Mission  reliability  requirements have  significant effect on the moni- 
tor  system complexity both explicitly and implicitly  through  hardware redundancy. 
In fact, this  requirement  implies  multilevel  program  priority  interrupt capa- 
bilities.  Hardware affects monitor  system  requirements  directly  in  that  support 
must be provided for  each  peripheral  device  present  in a computer  subsystem. 
Subsystem  complexity will be  an indication of the  number of possible  concurrent 
activities. The relative  importance of these  activities with their  response  time 
performance  requirements will  determine  the  necessity  for  priority scheduling. 
This is an  example of the  interaction between Performance  Requirements and 
Functional  Requirements. 
Monitor system functional requirements  resulting  from  consideration 
of applications  support  requirements are as follows: 
0 The applications programmer will not have access to 
the complete instruction repertoire. The system will  
operate in a privileged mode. Capability must be 
provided to  perform  those needed functions which can- 
not be  accomplished by applications  due  to  this 
restriction; 
0 To ensure correct scheduling, the monitor must handle 
all requests  for  peripheral  device  usage; 
0 The monitor system can provide a virtual machine with 
programming  conveniences that  reduce  applications 
development effort; and 
35 
0 The monitor system cgm provide powerful tools for 
execution of applications  programs by implementing 
supervisor calls such as TURN ON, DELAY, etc. 
The  applications  interface is provided by the Request 
Processor Module which processes all supervisor 
calls. Relatively few of the  monitor  system Functional 
Requirements a re  affected by the  applications  programs, 
per se. It is the  interaction between the application 
programs  primarily that gives rise to  the Functional 
Requirements. 
The Functional  Requirements are grouped by computer  subsystem. 
Requirements which a re  common to all subsystems a re  fulfilled by the  Central 
Computer Complex. 
2. Central Computer Complex (CCC) Monitor. The  monitor 
subsystem  for  the  Central Computer Complex must  support  the following mission 
functions (3) : 
0 
0 
0 
0 
0 
0 
0 
Guidance, 
On-Board  Mission Planning, 
Configuration and Sequencing Control, 
Energy Management, 
On-Board Checkout, 
Display Executive Control, and 
Data Base Executive Control. 
In order  to accomplish  this  support,  the CCC monitor will handle 
error  detection; analysis,  alarm,  isolation, and recovery  for  other  computer 
subsystems. For the  recovery function, the  monitor will maintain tables of 
reconfigurable  subsystems. Upon detection of hard  failures,  the monitor will 
accomplish a preplanned  reconfiguration  to  ensure  mission  integrity. 
In addition,  the  monitor will  accept  data and task scheduling  informa- 
tion from  the Uplink Modem  and other computer subsystems.  It will also  trans- 
mit  data and task  schedules  to  other  computer  subsystems. The  monitor will 
interface with supervisors of the  other computer subsystems  in  order  to provide 
these  task scheduling  and data  transfer functions. 
36 
a. Capabilities. Thorough search of the available space 
shuttle documentation has indicated that the  computer  system executive require- 
ments  may have many similarities to  existing  computer applications. Process 
control  applications, for instance, have the following requirements: 
0 Analog input/output. 
0 Digital input/output. 
0 Scientific  calculations. 
0 Computer  actuated  isplays. 
0 Error logging. 
0 Initialization. 
Message  switching  applications have the following requirements: 
Message transmit initiation. 
Buffer manipulation. 
Message error  detection. 
Error recovery  procedures. 
Message-receive initiation/continuation. 
Error logging. 
Initialization. 
Real-Time  Terminal System  applications  must  satisfy  the following 
requirements: 
0 
0 
0 
0 
Time-slice partitioning. 
Error logging. 
Buffer manipulation. 
Message  initiation. 
37 
0 Error recovery  procedures. 
0 Initialization. 
All of the above requirements  are  present  explicitly or  implicitly  in 
the  space  shuttle application.  The above systems are characterized by stringent 
response  time  requirements, many .concurrent  activities,  varying  importance 
of activities,  relatively slow speed  peripheral  devices, and a high degree of 
interaction of activities.  These  same  characteristics are evidenced by the 
space shuttle. 
Experience has shown that  the following capabilities are  necessary 
in order  to  satisfy  requirements with the above characteristics: 
Priority  interrupt  structure. 
Priority  level independent of priority 
hardware  structure. 
Capability to  selectively inhibit interrupts. 
All  communication with 1/0 devices will 
take place  via  the supervisor. 
Privileged mode of operation (i. e. , 
privileged  instruction  repertoire). 
Memory  protect  facilities  for  task and 
data protection, and 
Variable  program  priority  level (dyna- 
mically  variable  in  real-time  under 
application, executive, or  event occur- 
rence  control). 
b. Assumptions.  The following functional requirements 
will  be assumed  for  the  computer  architecture, which will significantly  affect 
monitor requirements. 
(1) Portions of the monitor will reside in the main store. 
Parts of the  monitor will  possibly reside  in bulk and be  called  into  the  main 
store as required.  Performance  requirements might ordinarily prohibit the 
delays  associated with loading large  portions of the  monitor as needed. However, 
systems  exist that would likely  permit  this  form of memory  hierarchy for 
executive  residence. For example, this concept would be  feasible with the IBM 
38 
System 360 Models 85 and 195. These  computers  use a cache  execution memory 
with a large bulk or  extended main store. The gross  features are: 
0 .Memory reference  to an instruction  located 
in  cache  memory  brings  in  that  instruction 
plus the next seven  instructions  for execu- 
tion. 
0 Memory reference to an instruction not in 
cache  memory  brings  that  instruction, plus 
the next seven  instructions  from bulk to 
cache  memory  for execution and also  loads 
blocks of instructions into  cache  memory. 
Since program  instructions tend to  cluster, 
many subsequent memory  references  will 
be directed  to  the  relatively fast cache  mem- 
ory. Instructions a re  fetched in groups, 
reducing  the  number of memory  references 
required. Experience has shown that this 
combination operates  at about 80% of the rate 
that  a  computer with all  cache  memory would 
reach. 
(2) The functional relationship between elements of the 
Executive Control Routines and other  elements of the  software  system is shown 
in  Figure 11-C-1. 
(3) The monitor system will  consist of a kernel with 
ancillary  program modules. 
c. Executive control routines (ECR). The ECR group of 
modules is associated with  the  functional requirements  for  resolving  priority, 
resource allocation, and program execution conflicts. The following program 
modules will comprise  the executive  control  routines  portion of the CCC monitor: 
(1) Task Scheduler will have responsibility for appending 
requests for program module execution on the  proper  priority  thread. 
(2) CPU Allocator will maintain records of available 
CPU's and upon request  will  perform  necessary functions to  associate  an 
available CPU with an  active  program module. Upon release,  the CPU will 
be  returned  to  the  available pool. 
(3) Main Store Allocator (MSA) examines indexed tables 
to  isolate  main  store  space needed by requesting  program  modules. 
39 
FULL OPERATING SYSTEM 
Linking lkader  
Module Update 
Source  Languages 
Utility Programs 
Simulators 
BASIC MONITOR 
Error  Analysis/Recovery  Data Bus - AFT 
Reconfiguration  Computer - Computer  data  link 
Central  Alarm  Package  M ssage  Transmit 
Uplink  Modem Package  Message  Receive 
1/0 Package  Message Queue Handler 
KB, Switch Panel Abort Routines 
ELD, Maintenance Recording  Initialization 
Mass Store 
Data Bus - FWD 
KERNEL EXECUTIVE CONTROL ROUTINES 
Interrupt  Handler 
Task  Scheduler 
Task  Executor 
Resource  Allocator 
Request Processor 
Computer  Hardware  Diagnostics 
Tables 
Watch-Dog Timers 
FIGURE 11. C .I. Relationship of Kernel to the 
Remainder of the  System 
40 
. .. . -. . . . . 
If scratch  or high speed store is used,  then the MSA will  determine demand for  
high speed store also. Given sufficient  available  storage,  the MSA associates 
storage with program module and performs  the  necessary  associated accounting. 
Upon storage release, the MSA will  return  storage  to  the  available 
pool. It is possible that periodic  "garbage  collecting"  may  be necessary  to 
provide sufficient areas of contiguous storage.  This may imply necessity  for 
dynamic relocation of active  program modules. 
(4) Task executor (dispatcher). Functional Require- 
ments are  the following: 
0 Determine  highest  priority module requesting 
execution. 
0 Cause resource  allocation  to be effected. 
0 Perform  initialization of module. 
0 Cause execution of program module. 
(5) Task terminator/suspender. This module must satis- 
fy the following functional requirements: 
0 Remove program module in  question  from 
active  priority  thread. 
0 Perform  necessary housekeeping operations 
to  maintain  thread  integrity. 
0 For task  suspension,  an  appropriate lock 
(state  variable) must  be set  to  ensure that 
module is not executed. The module, 
however, is not removed from  priority 
thread. Then, when the lock is removed, 
the task can be executed. 
(6) Request processor. Functional requirements will be: 
0 Request analysis. 
0 Parameter passing,  possibly by micro-code. 
0 Passing  control  to  proper  equest  program 
module based on logic of request  analysis. 
41 
(7) Main store protect/unprotect.  This  module  must 
satisfy  the following functional requirements: 
(a) Perform  required  hardware manipulations to 
cause  read/write prohibition, if required. Such actions could be  the following: 
0 Test key index data for validity. 
0 Execute computer instructions to effect 
inhibition. 
0 Perform error analysis on key index data. 
(b) Similar  actions  must be taken to remove 
prohibition. 
(c)  It is possible  that status must be updated so as 
to  maintain records of available unprotected storage. 
(d) These functional requirements are generally 
satisfied by coordinating  implementation  with  the resource allocation modules. 
(8) Interhpt handler.  This module should accomplish 
the following Functional  Requirements: 
Save required  registers and storage contents 
for  interrupted  program.  This may be done 
by micro-code. 
Analyze status  registers  for  source of e r ror  
interrupts. Invoke required e r ro r  processing 
modules. 
Analyze status  registers for source of abort 
interrupt. Invoke suitable abort procedure 
modules. 
Enable or  disable preplanned interrupts. 
Determine  interrupt  priority and make  monitor 
call to  task  executor at that  priority  level. 
When all interrupt  requests have been ser- 
viced, notify task  executor  (dispatcher). 
42 
(9) Abort procedures - TBD. 
(10) Real-time  clock/interval  timer.  These  modules 
must  satisfy functional requirements  to  accomplish functions associated with 
various  software  clocks  that  the  monitor and (possiQly) application programs use. 
Some of the  clocks a re  the following: 
0 Diagnostic countdown(s). 
0 Program module execution(s). 
0 Program module delay(s). 
0 Interval  timer(s). 
0 System  performance  measurements. 
(11) Time slice partitioning. Module must  meet the 
following functional requirements: 
0 Maintain records of elapsed time since ini- 
tialization of program module. 
0 Compare elapsed time with requested time. 
0 Cause elapsed time to approximate requested 
elapsed timehime period. 
(a) Hardware. 
0 Error fault  detection. 
0 Passive  instruction examination. 
0 Other  software  triggers. 
@) Software. 
0 System auditing. 
43 
0 Event tracing. 
0 Performance  recording and analysis. 
These  considerations are discussed in detail in Campbell and 
(13) Initialization  routines.  System  initialization 
routines  comprise  the  collection of programs  necessary  to  meet Functional 
Requirements  to  bring  the  hardware/programming  system on-line from a cold 
start. A cold start implies  that no programs are running in  the complex and, 
therefore, all bootstrapping  must be done  by the  initialization  programs. 
Once system  initialization  has been  performed,  other  application 
oriented  initialization  may  be  necessary.  The  act of loading or  changing the 
operating  system  programs will be considered initialization. "Changing" is 
included in  the definition  because  the  monitor system  required  for pre-launch 
checkout and post-flight analysis  may  be  considerably  different  from  the  system 
required  to  support flight. The following initialization  programs will be required: 
0 System initializer (not part of this study). 
0 Pre-launch checkout initializer (not part of 
this study). 
0 Flight system  initializer. 
0 Post-flight system initializer (not part of 
this study). 
0 Possible initialization routines to operate as  
a function of mission phase. 
d. Time line controller/interpreter (TLC). This module 
will  satisfy functional requirements  to act as the  system  manipulator  for  mission 
profile related requirements. The monitor  system  must  support manipulation 
of space shuttle  tasks  based on the following factors: 
(1) Elapsed  time. 
(2) Time  difference  from  reference  time. 
(3) Occurrence of arbitrary events. 
44 
JI 
0 Events  must  be  detected. 
0 Appropriate program modules must be 
notified of occurrence of specified  events. 
0 Appropriate tasks must be scheduled to 
accomplish  reaction  to  event  occurrence. 
e. Central alarm package. This group of programs handles 
the tasks germane  to  satisfying functional requirements  for  recording  errors 
within the  computer  system, logging on output media,  displaying and maintain- 
ing a history, and other  alarming  requirements. The programs will format down- 
link output, output to  the  printer, and output to the Error Logging Device (ELD). 
The  modules will maintain a history of alarms active within the  system and  out- 
put this  history on demand to  the  specified output devices. The following pro- 
gram packages (modules) will be  required: 
0 Alarm  history maintenance, 
0 Alarm output, 
0 Alarm  analysis, and 
0 History output. 
f. Input./output package (IOP). This collection of subroutines 
will satisfy  message 1/0 functional requirements  for  the following devices: 
printer, ELD, keyboard inputs. Output messages will be formatted by the user 
routines: 
The IOP will operate  in conjunction with the  device  handler for the 
specific device. Since the IOP will place the  message  in an output buffer,  the 
calling  program  may  be  rolled-back after  the  call is made without destroying 
the message. All  output, correct returns, etc., become the responsibility of 
the IOP. Once the buffer has been  loaded, the device  handler will  have the 
responsibility  for outputting the  message. 
For keyboard input, the IOP performs error  checking on words and 
message, and handles out-put e r ror  notifications,  internal  message  formatting, 
analysis of message  contents for action or data, and transmission of action re- 
quests.  The following program modules will be  required: 
(1) 1/0 request  processor. 
(2) 1/0 initiator(s). 
45 
(3) 1/0 continuator(s). 
0 1/0 error  analysis. 
0 Input message  format. 
0 Input message error notice output. 
0 Input message decoding/analysis for action 
or  data. 
0 Input message transmit action requests. 
g. Device handlers. Device handlers are collections of 
program  modules  concerned with the  functional  requirements  for manipulation 
of external devices  that are usually  interrupt  driven.  The  modules are divided 
into  initiator-continuator pairs. The  initiator  has  the  responsibility  for  analysis 
of the  calling  sequence,  proper  response (i. e., setting  buffer  lengths, etc. ), 
and transmission/receipt of the first character or block. The  continuator is an 
interrupt  driven  program  responsible  for  send/receipt of character or  that 
part of a message  sent/received  during  an  interrupt  cycle,  error  analysis on 
character, if required,  determination of termination  conditions,  proper  return 
from  termination  (either  normal or  error), and  housekeeping associated with 
termination. 
Usually, a continuator  will  require  either a predetermined  number 
of characters or  an EOM character. The transmission/receipt of characters 
will continue  until one of these  conditions is met or  until  an e r ror  is encountered. 
Upon meeting  termination  conditions,  the  continuator  will  perform a 
longitudinal record  check  for  errors.  Response  to  error conditions  may differ 
with the individual  continuator. 
Initiator/continuator pairs should be provided for  the following 
devices : 
0 Keyboards. 
0 Uplink  modem. 
0 Data buses and intercomputer data link. 
0 Error logging  device (ELD). 
0 Health  monitoring  system. 
46 
Printer. 
0 LRU checkout bus. 
0 Mass storage  devices. 
0 Displays. 
0 Downlink  modem. 
h. Error  detection, analysis and recovery. Error routines 
will  be  concerned  with  functional  requirements for the  detection of malfunctions 
in  the  internal  computer  hardware and in  peripheral  devices  attached  to  the 
computer,  exclusive of the BIT panel, and compensation for  these malfunctions 
to  meet  the  system  reliability  performance  requirement. 
In order  to accomplish e r ro r  analysis and recovery  in a sophisticated 
hardware/programming  system,  considerable  study is required  to  determine  the 
most  propitious method of meeting  the  hardware  system  performance  specifica- 
tions. In nearly all cases, some combination of hardware/software will be re- 
quired  in  determining  hardware malfunctions, e. g., the  interval  timer or  
periodic  interrupt-diagnostic countdown. In general, it is assumed that where 
transmission of data is involved, hardware  parity  checks of varying  sophistica- 
tion  will  be  required.  This is not to  be  limited  to  message checking, but is also 
to  be done as a matter of course on transfers  to and from  storage.  Furthermore, 
after distinguishing  hard failures  from  transient  failures,  the  usual  requirement 
is for substitution of standby  equipment for  the LRU that  has  failed.  The sub- 
system  monitor will  be notified of an  error condition by the  presence of an error- 
generated  interrupt which will  cause  the  related  handler  to  relinquish  control  to 
the  appropriate e r ror  processing  program module. 
(1) Error diagnostic  routines.  Computer  system 
diagnostic  routines will include off-line and on-line computer  hardware  exer- 
cisers with associated output routines.  Computer  peripherals will  be checked 
using a software watch-dog timer. When the  device  generates  an  inte.rrupt 
response,  the  timer  will  be set for a period greater than  the  expected  interrupt 
period. The  interrupt  return  routine (continuator) will reset the  timer. If the 
timer  runs out, the  device  will  be  considered  to have  failed. 
( 2 )  Configuration mode control. This will  be  accom- 
plished  by  maintaining a current configuration status along  with a list of available 
back-up states, and by coding preplanned sequences  to move from  the  failure 
state to  the  desired state upon LRU failure, with  accompanying  housekeeping 
functions related  to available states and present  status. 
47 
i. Communication handler. This module must meet func- 
tional  requirements for transmission and receipt of messages. The following 
requirements  must  be  satisfied: 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
Request  processing, 
Data bus  selection, 
Destination  selection, 
Buffer  allocation, 
Error diagnostics, 
Queue maintenance, 
Termination  conditions, 
Message statistics, 
Module return execution, and 
Module roll-back in the event of failure. 
j. Tables. Current values of the following system descrip- 
tors must  be  maintained: 
Masks, 
Flags (semaphores), 
Common constants, 
Global variables, 
System  configuration status, 
Subsystem  monitor  data, 
Applications program communications data, and 
Branch  vectors. 
Tabular  values  must  be  protected by access  control policies. 
48 
J 
3. Crew Display and Control Computer (DCC) Subsystem Monitor. 
The DCC monitor system  will  satisfy functional requirements  similar  to  require- 
ments  discussed previously for the CCC. Since the  computers are  similar  in 
design  to  the delineation  possible with the information presently  available, it 
Seems  reasonable  to conclude that much of the  software  utilized  in  the CCC can 
also be  used in the DCC. For these  reasons  this  section will be organized to 
reflect  the functional requirements  derived  from  the  hardware  architecture and 
applications  requirements of the DCC subsystem  that are different  from  those of 
the CCC subsystem. 
a. Executive control routines (ECR). Some of the program 
modules considered  necessary  for  the functional requirements  discussed  for 
the CCC will be  present in the DCC in a functionally  abbreviated  form.  This 
arises from  the  fact that there is a master-slave  relationship between the CCC 
and the DCC in  these  cases. The CCC exercises  control, while the DCC program 
modules exercise implementation  functions.  The following are examples of 
program modules exhibiting the  master-slave  relationship  discussed above: 
0 Abort  procedures. 
0 System  performance  measurement  routines. 
0 Initialization  routines. 
b. Central alarm package. This group of program modules 
will have functional responsibility  to  transmit  alarm notification  to  the CCC for 
further processing. Upon detection of an anomaly  the appropriate  message will  
be  formatted and transmitted. 
c. Device handlers. The following unique device handler 
modules will be required: 
(1) Cathode ray tube (CRT) system. 
(a) Message initiator. 
(b) Message  continuator. 
(c) Message position calculations (blanking, etc. ). 
(d) Image  oriented  calculations  (geometry). 
0 Beam position. 
0 Reference  orientation. 
49 
(e) Cursor positioning. 
(f) Message  intensity  illumination. 
(g)  Display file  manager. 
(2) Alphanumeric  display. 
0 Display  initiator. 
0 Display  buffer formatter. 
0 Display  image selector. 
(3) Mass stores. Mass storage devices a re  not pre- 
sently specified for  the DCC. Should requirements change5 support from ini- 
tiator/continuator  pairs will be  required. 
d. Summary. We have discussed the functional requirements 
derived from  interaction of hardware  architecture and applications  requirements. 
These can be summarized  as follows: 
0 Functional requirements will be similar to  those 
derived  for  the CCC. 
0 The method used in the notification of a hard 
failure is a function of the  level of hierarchy. 
CCC failures  are  transmitted  to  the hardware 
executive for reconfiguration. Other subsystem 
hard  failures  are  reported  to  the CCC for recon- 
figuration. 
0 Many  of the software modules utilized in meeting 
the Functional Requirements of the CCC can  be 
utilized  in  the  monitor  system for the Crew 
Display and Control Monitor System. 
4. Flight  Control  Subsystem (FCS) Monitor. The FCS monitor 
will be required  to provide general functions as  outlined in the  discussion of the 
CCC with respect  to the following computer  subsystems: 
0 Rocket engine processors (REP). 
0 Jet engine processors  (JEP). 
50 
0 Special DIU processors. 
The following program modules will exhibit the  master-slave  symbiosis  discus- 
sed for the DCC: 
0 Abort  procedures. 
0 System  performance  measurement  routines. 
0 Initialization  routines. 
The FCS special processors  enumerated below are envisioned (1) (location and 
specifications of the DLU's TBD): 
Special Processors 
Orbiter  Booster 
Rocket Engine  4 22 
Jet Engine 8 12 
Display and Control 4 4 
Special DIU'S  16-20  16-20 
Total 32-36  54-58 
This  section is organized to  reflect  the  interaction of hardware 
architecture and applications that give rise to FCS  functional requirements. 
a. Executive control routines (ECR). The ECR will  satisfy 
functional requirements  similar  to  requirements  discussed  in  the CCC. Imple- 
mentation will  vary somewhat since  the  computer  architectures involved differ. 
We anticipate that  the following functional  modules will  be  required: 
0 Task  scheduler. 
0 Task  executor. 
0 Task  terminator/suspender. 
0 Interrupt handler. 
0 Real-time  clock  routines. 
51 
Modules satisfying  functional requirements unique to  the CCC, as discussed 
above, will not be present. 
b. Central alarm package. The central alarm package will 
satisfy functional requirements  identical  to  corresponding  requirements  presen- 
ted in the  discussion of DCC requirements. 
c. Analog input/output package (AIOP). The AIOP will 
handle communication  between  analog sensors, output devices and dedicated 
processors (Special DIU'S). Since all dedicated processors are alike, all 
AIOP's will be functionally similar. The AIOP modules will  satisfy  the follow- 
ing functional  requirements: 
0 Perform demand 1/0 upon detection of a request 
from  the  astronaut-pilot. 
0 Provide different 1/0 frequencies to be defined 
by further  system  trade  studies. 
0 Select a particular sensor via an analog MUX. 
0 Convert from analog  value  into  previously 
defined engineering  units. 
0 Format  message  for  transmission  to CCC. 
0 Output an analog value to a MLTX. 
0 Convert from engineering units to analog or  
digital  values for output. 
Studies of relative  computer loading may show that  engineering 
units conversions should be  performed  in CCC. 
The following functional modules will be required: 
(1) Analog input. 
(a) Scan. 
0 Initiator will prepare masks and flags 
as required and examine scan  classes 
for current activity. If a scan is 
required, it is accomplished  via  the 
Analog Scan Continuator. 
52  
e Continuator will execute sensor selec- 
tion and reading  via  the  analog MUX. 
@) Conversion. This  will  be  accomplished by 
applying mathematical  transformations  to  the  readings provided by the Analog 
Scan Continuator. These  transformations are usually  linear,  quadratic or 
some  similar  relation that is relatively  easy  to evaluate. 
(2) Analog 'output. This module must output a prescribed 
analog voltage or  current  to a selected device. Digital to analog  conversion 
will be effected. 
d. Digital input/output package (DIOP). The DIOP will  per- 
form functions similar to  the AIOP functions,  but for digital  devices.  The 
following functional  modules will be required: 
(1) Digital input. 
(a) Digital MUX. If digital sensors and  output 
devices are  connected through a MLTX, then the conventional logical method 
is to  operate via the  initiator, continuator combination. This  procedure is 
necessary when hardware  register  settling  times  are significant and there  are 
different  scan  frequencies  present.  The  Digital Scan Initiator and Digital Scan 
Continuator will satisfy functional requirements similar to  the analog modules. 
(b) Without digital MUX. If digital sensors and 
output devices are  connected directly  to  the  computer  hardware,  logical  require- 
ments  become  simpler. The  Digital Scan routine  can  be executed at a pre- 
determked frequency  to input each  value without the  complexities  associated 
with manipulating the MNX. 
0 Pulse  information. Input of pulse  type 
information is likely  to  bypass  the 
Digital MNX. Particular logical require- 
ments. are a function of hardware-pro- 
gramming trade-off. Relative processor 
loading will  significantly  affect hardware 
requirements. If studies show the 
expected processor load to be on the  order 
of 50% of available computing time  or 
more, we can expect to accumulate  pulses 
via hardware and periodically  transmit 
accumulation to  the  processor  for 
evaluation. If processor loading is 
relatively light (20-25%), we can expect 
53 
the  processor  to  perform  the  integration, 
depending on the  number of expected 
integrations required. This is another 
example of Performance  Requirements 
interacting with  Functional  Requirements. 
,... 
(2) Digital output. The effect of the requirement for a 
digital MLTX on Digital Output is identical  to  that for Digital Input.  With these 
considerations in mind, some  possibilities  for Digital Output are  as follows: 
(a) Contact closure. This is the act of setting 
or  resetting a bistable device. Contact closures  can  be  either  momentary or 
latching. Functional Requirements follow: 
0 Select bistable  device, 
0 Output set or reset command, 
0 Check status to ensure validity, and 
0 Notify Central Alarm Package if invalid. 
@) Pulse output. This is the transmission of 
pulse type information similar  to  that  discussed above. 
(c) Loading digital  values  into  registers.  This 
has the following functional  requirements: 
0 Select registers, 
0 Transmit value from computer storage 
to  registers, 
0 Test register to ensure validity, and 
0 Notify Central Alarm Package if invalid, 
e. Direct digital control (DDC). Study is required to deter- 
mine feasibility of employing DDC techniques in the  control of the various 
actuators  that  will  interface with the  computer  system.  Hardware  simplifica- 
tion  may certainly  result at the  cost of additional development effort. 
DDC accomplishes  control of actuators by filtering  each error  sig- 
nal  with a composite of historical  effects. A considerable amount of experience 
54 
in control  using  hardware methods to implement the  filtering  has  been  amassed. 
Identical results  can be obtained using  programming  techniques with a concur- 
rent  reduction  in  hardware  complexity and  weight. 
In effecting DDC, there  are programming  considerations  such as 
the following: 
(1) Controller mode equations. Conventional methods 
use  simple  mathematical  transformations  called  Proportional,  Reset or Integral, 
and Rate. A single  mode  equation would generate  an  actuator  correction  signal 
that is proportional to  the  error signal. 
Actuator  Correction = K*E 
where 'IKff is proportionately Constant 
"Ef1 is error  signal 
Transformations will be as  complex or  simple a s  required by the 
control law. 
(2) Special transformations. These can be applied a s  
desired. A convenient procedure is to develop an interactions matrix. This 
matrix will predict  the effect of the  history of changes  in one actuator on all 
variables. The  effect of previous  moves on all variables  can  be  used  to  deter- 
mine more  nearly  the  necessary  correct  actuator moves and thereby  increase 
system  response without increasing  the tendency to become  unstable. 
(3) Mission profile  considerations  affect  logical 
operations  in  that  control  loops may be required  to provide different  character- 
istics as a function of mission phase. Some considerations follow: 
0 Loop-delete is required  to  remove a control 
loop from  the loop library. 
0 Loop-enter  provides  capability t u  start up 
new control  loops as required by adding to 
the  active library and utilizing  the Loop 
Activate module. This module provides 
facility  for on-line reconfiguration of con- 
trol svstem. 
0 Change-mode-constants allows  alteration of 
control loop characteristics  as required. 
55 
0 Loopactivate causes a control loop in the 
loop library  to  be placed in  an  active  status. 
0 Loop-deactivate  places a loop  in the loop 
library  in  an  inactive  status. 
0 Sequencing functions can be imbedded in the 
DDC features by insertion of programming 
modules to effect sequencing as part of the 
system requirements. The programmed 
testing and operating  system  calls  necessary 
to  accomplish sequencing  functions  can  be 
more efficiently  imposed as part of the 
monitor  than as part of an  applications pro- 
gram. These sequencing functions can be 
utilized as an  interface  to  the CCC Time-Line 
Controller modules (e. g. , sequence  requests 
will be  transmitted  from CCC to  destination 
special processor). A special processor 
monitor will interface with the  transmitted 
sequence  request  to  effect  a series of events 
that  represent a desired sequence. 
f. Filtering, smoothing and prediction.  Mathematical pro- 
cedures  can  be employed to  remove  estimated error  components of signals 
and otherwise  pre-process incoming data,  possibly  in real-time, to transform 
it into more amenable  values o r  formats  for  further processing. Some available 
techniques a re  : 
0 Exponential smoothing. This is possibly the  most 
attractive candidate for removing  estimated error  
in  data  from  the point of view of programming 
simplicity and rapidity of execution. Exponential 
smoothing transformations a re  of the following 
form: 
New value = K.*(New Datum) + (1-K) * (Previous 
New Value) 
where K is the  smoothing  constant ( O G K L 1 ) .  
Simulation techniques,  using historical  data,  where 
possible, are  useful in estimating K values. 
56 
0 Trending. This  operation  can be performed on 
data once the estimated error  is removed. 
0 Limit checking. This  can  be  performed  against 
either,  the smoothed data or the  trend  data  to check 
violations of magnitudes and rates of change. Noti- 
fication of anomalies are transmitted  to the CCC for 
further evaluation and recording. 
g. Device handlers. Device handling modules meet function- 
al requirements  to  direct  the  operation of peripheral 1/0 units.  Generally a 
device  handler will consist of a symbiotic pair of functional modules: 
(1) Device initiator.  This module satisfies request 
analysis,  parameter  transfer, and initialization requirements. 
(2) Device continuator. This module satisfies  require- 
ments  to  manipulate peripheral  devices using data provided by the Device Initia- 
tor. Common requirements a re  device  selection,  data transfer  to or from a 
device,  storage of information in tables,  program accounting associated with 
termination conditions, and error  detection and analysis. Special functions 
may be required by variations in hardware  architecture  in addition to the  common 
features. 
Device handlers will be  required  for  the following peripheral equip- 
ment: 
0 Analog MLTX, 
0 Digital MUX, and 
0 Data bus. 
h. Communications handler. Communications handlers 
satisfy functional requirements  for  the  receipt,  transmission,  recording,  error 
analysis, queue manipulation and other  logical  aspects of message  transmission 
between special processors and the CCC via a data  bus or  other link. Communi- 
cations  handlers will interface with a device  handler which will manipulate the 
peripheral  hardware  in question.  Messages will'be broken  into two classifica- 
tions: 
(1) Transmitted  messages. The message  transmit 
initiator will be  functionally  identical to  the Data Bus Initiator in the event that 
the only communications  may be via the  data bus. If other communications 
media are available, for example  computer to computer,  the  Message  Transmit 
57 
Initiator  will  be a module meeting  the following functional requirements: 
0 Request analysis, 
0 Parameter  transfer, 
0 Communication media  selection, 
0 Device initiation, and 
0 Output message queue handling. 
(2) Message  acquisition. This  requires the following 
modules : 
(a)  Message receive  initiator.  This module 
satisfies  the following functional requirements: 
0 Buffer assignment. 
0 Initialization. 
If the  data  bus is the only communications  media,  the Message 
Receive  functional requirements will be  met by the Data Bus Handler. 
(b) Message receive continuator. This module 
satisfies  the following functional requirements: 
0 Input message queue handling, 
0 Word and message parity check and 
corrective  action (horizontal and longi- 
tudinal  check), 
0 Message continuity check for possible 
lost  messages, and 
0 Message analysis for content to distin- 
guish between whether  data o r  task 
execution request  was  transmitted. 
Sequencing commands  can  either be 
transmitted by the CCC, as required, 
special  processor and sequence execu- 
tion  commands  transmitted by the CCC 
to  cause  operations of a complete  sequence 
of events. 
58 
. or  sequences can be stored in the 
i. Tables. Functional Requirements a re  identical to the 
Functional Requirements  presented  in  the  discussion of the CCC with the excep- 
tion that configuration status  tables are not required. 
j. Error detection, analysis and recovery.  Computer 
logical  operations to meet  Functional  Requirements to provide mission  reliability 
through er ror  detection, analysis and recovery  will  operate in several ways: 
(1) Computer hardware diagnostic routines are required 
to  exercise  computer logic and storage  during  otherwise  idle  time and compare 
actual  results with expected results. Malfunction notification will be  transmitted 
to CCC for  recording and further evaluation. 
(2) Diagnostic countdown techniques are required when- 
ever  an event is expected to occur within a known time.  The  diagnostic count- 
down can  be set to a period greater than the expected  elapsed  time. If the event 
occurs, it can trigger  resetting of the diagnostic timer. If the  diagnostic count- 
down runs out, then the device responsible  for  the event is deemed  to have failed. 
This failure notification is transmitted  to the CCC for  recording and further 
evaluation. 
(3) Configuration mode control will meet functional 
requirements  to be effected by either  the  subsystem, CCC or hardware executive. 
It is not clear at this  time which is the optimal place. Intuitively, it seems 
better  to have subsystem configuration mode control  residing  in  the CCC and 
CCC mode control  in  the  hardware executive. 
(4) Protect violation functional requirements can be 
categorized as  responses to: 
0 Attempts to write into storage in which 
"protection" has been invoked, 
0 Attempts  to execute  privileged instruc- 
tions, and 
0 Attempts to refer to  storage  locations 
outside of module boundaries. 
The  functional requirements  for  these  situations are presently un- 
defined. 
(5) Error recovery routine functional requirements 
include  the following: 
59 
0 Analysis  to separate transient malfunctions 
from "hard" failures, and 
0 Graceful degradation in the event of a hard 
failure. 
k. Summary.  Considering the above discussion, it is evi- 
dent that although Functional  Requirements for  the  Flight Control Monitor 
System will have some  similarities  to  the CCC Monitor System,  the  hardware 
architecture and  applications  requirements give rise  to a greater  degree of 
special purpose requirements: 
The FCS Monitor System  can  be viewed as similar 
to a  typical  industrial  process  control  system with 
additional message switching and reconfigurable 
capability. 
The hardware  architecture is dedicated  to  sensor 
analysis and manipulation. 
Sequencing capability  must  be provided by inter- 
action  with  the CCC monitor  system. 
Data can be pre-processed  to  reduce computing 
load on CCC. 
Peripheral  devices  require a symbiotic  pair of 
functional  modules for  each class of device. 
Reconfiguration requirements may be satisfied 
by procedures implemented in  the CCC and  FCS. 
Presently,  the specific functional requirements 
have not been determined. 
5. Navigation and Sensor Computer Subsystem (NSC) Monitor. 
The NSC monitor  system will be required  to provide  functions similar  to func- 
tions  described  in  the  discussion of the FCS. These functions pertain  to  the 
following computer  subsystems: 
~~~. . 
0 IMSJ processors. 
0 Special processors. 
60 
A schematic  diagram of a typical IMU processor is shown in Figure 
11-B-4. The IMU processor acts as a data  concentrator  for navigation sensor 
and  calculated  data to be utilized by the CCC for guidance calculations. 
Data from  sensors, such as Radio Altimeters, will be analyzed  by 
special processors  associated with DIU'S. The NSC monitor will interface with 
CCC hardware-programming  combinations via the  data  buses and IOCU's. 
The NSC system will transmit navigation  data, status information,  and error  
messages  to  the CCC system.  The NSC system  will  receive  data and task execu- 
tion and sequencing directives  from  the CCC system. 
Functions associated with the  modules  itemized below are similar 
to those  discussed  for  the FCS: 
Executive control  routines, 
Central alarm package, 
Analog input/output package, 
Digital input/output package, 
Direct  digital  control, 
Filtering, smoothing, and prediction, 
Device  handlers, 
Communications handlers, 
Tables, and 
Error detection,  analysis and recovery. 
This  monitor package will be concerned primarily with input of sensor  data 
with few anticipated outputs to  peripheral  controllers. 
D. Executive System Performance Requirements 
1. General.  Performance  Requirements are defined as a measure 
of how well the  system  must  perform  in  terms of parameters  such a s  timing, 
accuracy, reliability, and capacity. Performance Requirements may arise  from 
hardware (e. g. , where it is desirable  to  drive a peripheral device at its maxi- 
mum input o r  output rates) or from  applications (e. g. , where  tolerance  limits 
require scanning a sensor at a given rate). Convenient points for  measuring 
Performance  Requirements are at an  interface through which data is transferred 
between devices. For this reason, and because  they  represent  logical applica- 
tions groupings, Performance  Requirements will be  categorized as  either  system 
or  subsystem. 
2. System  Performance  Requirements, System Performance 
Requirements are  constant throughout the computing complex. 
a. Fail operational, fail operational, fail safe is a perfor- 
mance criteria that the  entire  system  must meet. This  requirement  has a signi- 
ficant effect on programming complexity. It implies: 
0 Multilevel program module priority  interrupt, 
0 Configuration control, and 
0 Redundancy within subsystems. 
b. Sensor performance requirements a re  logically identical 
although particulars  may  vary through  the  system. Sensors  must be categorized 
by type (digital o r  analog),  scan  period,  conversion  requirements and other 
pertinent  parameters  to  establish  performance  requirements  for  the  program 
modules responsible for scanning and conversion. Similar  requirements a re  
necessary  for output devices which must be categorized by parameters  such 
as digital/analog, output period, conversion equations required, output type 
(pulse), etc. No sensor performance requirements have been determined at 
this  time. 
c. Configuration status and control register formats must 
be designated.  Reconfiguration  sequences  must  be defined utilizing  the above 
registers to determine  status maintenance and configuration change require- 
ments;  these have not yet  been defined. 
- 3. Subsystem Performance  Requirements.  Subsystem  Perfor- 
mance  Requirements apply to a particular  subsystem. 
62 
a. Central computer complex (CCC). 
(1) Hardware. 
Data bus traffic must  be  determined.  Present 
estimates place Aft Data Bus traffic at 1.08 
kilobits/sec. This estimate combined with 
Forward Data Bus traffic will help set Per- 
formance  Requirements for  the IOCU's and 
their related driver programs. Other data 
requirements must also be considered. A s  
system definition evolves, further  estimates 
will be refined. 
Mass store  transfer  rate must  be  established 
to set an upper bound  on the transfer of in- 
formation  to and from main storage. Mass 
storage  size is estimated as  14.7K words/ 
computer, which is extremely low. 
Sensors must be classified by scan  frequency; 
whether they a re  analog o r  digital, signal 
level, conversion factors, smoothing, limit 
checking, alarms, and other  allied  require- 
ment s. 
Core size  requirements  must  be  further  re- 
fined. Present estimates are 64K, quadruply 
redundant. Of available core, 38K is estimated 
as  being required with 686 ms/sec peak 
calculations. These estimates a re  likely to 
be optimistic. 
IOCU specifications  must  be  delineated. 
Hardware  executive  performance requirements 
must be described. 
Built-in test (BIT) procedures need to  be 
defined (TBD) . 
(2) Applications-related performance for the CCC has 
been defined (3) as  follows: 
63 
Guidance will  establish  data  rate  performance 
requirements on the Navigation and Sensor 
subsystem. In addition, output performance 
requirements will ensure that the output task 
can  be  transmitted  to  the Flight  Control  sub- 
system  to manipulate the  rocket  engines, 
if required. 
Presently,  error  tolerances have been set  for 
certain mission phases. Error  analysis must 
be  performed on the  sequence of events  from 
sensor scanning  through  conversion,  calcula- 
tion,  data  transmission,  conversion  to  digital, 
and output to  determine  the contribution to 
e r ror  of each phase. Performance require- 
ments  for  each phase  can  then be set so  that 
total error  is less than error  tolerance. 
On-Board  Mission Planning must  be defined 
with regard  to  its 1/0 requirements,  frequency 
of execution and other  pertinent  parameters 
to  estimate  effect on system loading and 
necessity  for  establishing  related  Performance 
Requirements. 
Configuration and Sequencing Control is 
discussed in Section II. C. 2. h. 
Energy  Management  must be defined more 
clearly  to  establish  related  requirements. 
&-Board Checkout Management - TBD. 
Display Executive Control - TBD. 
Data Base Executive Control - TBD. 
b. Flight control system (FCS). 
(1) Hardware.  Consists of eight jet engine processors 
with 1.5K words  main store each, and four  rocket engine processors with 6K 
words  main store each. 
0 Performance  Requirements are concerned 
with sensor 1/0 rates as discussed above for 
the CCC. 
64 
I 
Data bus 1/0 rates must be defined. 
(2) Applications. Execution rates for program modules 
involved in conversion and control loop calculations  with accompanying equations 
must  be defined. Sequencing procedures  must be defined for engine startup and 
shutdown. 
c. Navigation and sensor subsystem (NSC). 
(1) Hardware. Consists of four IMSJ 3-Packs with 
associated special processors. Each special  processor has 1536 words R/O 
memory, 512 words R/W memory. 
8 Performance  Requirements will be established 
as discussed above for  the FCS. In addition, 
e r ror  analysis  must be performed as discussed 
above for  the FCS. 
0 Data bus 1/0 rates must be established. 
(2) Applications. Performance  requirements a re  a 
function of mission phase. Data are  to be provided for guidance calculations 
in  the following phases: 
0 Launch, 
0 Orbital  nsertion, 
0 Rendezvous, 
0 Station keeping, 
0 Entry, 
0 Booster and orbiter ferry between airports. 
Double-precision  attitude  determination  can  be  made  in about 14  ms 
plus overhead (5). The following are  accompanying considerations (1): 
0 Accuracy  requirements  will specify  update 
frequency. 
0 IMU gyro drift is estimated to be 12 sec. of 
arc/hr. 
65 
I 
0 Error  of update algorithm is a function of 
sampling  period and  magnitude of slew angle. 
This  must  be  considered  in  requirements  for 
these  calculations. 
d. Crew display and control subsystem (DCC). 
(1) Hardware.  Consists of four  display  processors, 
6K words  each, connected  through the  redundant  data  bus  to  symbol  generators, 
two input keyboards, a mode  switch panel, and various  sensors. 
0 Performance  Requirements for data transfer 
between the  Display  Processor and the 
Symbol Generator(s)  must  be  established. 
Presently,  image  refreshment is estimated 
at Usee rep rate. 
0 Mass store  requirements and transfer rates 
must  be  established. 
0 Keyboard input frequency and program module 
requirements  must be estimated as part of 
system load. 
0 Other  sensors  must  be  analyzed as discussed 
above for  the CCC. 
(2) Applications.  Display support modules must  meet 
performance  requirement of one display update each second. The perspective 
display  calculations  must  satisfy  this  requirement with respect  to execution time; 
that is, the  logic  module  time plus  overhead  and  other activities cannot exceed 
one second. The  sophistication of the  display will  be  forced  to  conform  to  this 
constraint. 
e. Special DIU processors. 
(1) Hardware - TBD. 
(2) Applications are primarily concerned with sensors 
and must  be  analyzed as  discussed above for the CCC. 
4. Summary. A s  is noted above, it is seen  that  performance 
requirements are defined as measurable  standards of achievement  for  the moni- 
tor system. 
66 
I 
0 There are standards that are  invariant through the 
avionics monitor system. For this reason, those 
qualities a re  categorized as System Performance 
Requirements. 
0 There are other standards that are peculiar to a 
subsystem. They are  categorized as Subsystem 
Performance Requirements. 
0 Considerable effort will be required to complete 
all performance requirements. Many are  undefined 
to date. The determination of all monitor  system 
performance  requirements will entail knowledge of 
the  intricacies of the  operation of all of the functional 
modules of each  subsystem and of the  interactions 
between these subsystems. This knowledge is pre- 
sently deficient. 
67 
References 
1. Space Shuttle Integrated Avionics. McDonnell Douglas Slide Presentation, 
McDonnell Douglas Astronautics Company, June 12, 1970. 
2. Space  Shuttle  Integrated Avionics. McDonnell Douglas Slide Presentation, 
McDonnell Douglas Astronautics Company, February 11, 1970. 
3. Integral Launch and Reentry Vehicle Systems, Configuration Design and 
Subsystems, Volume I, Book 1. NASA CR.-66863-1 (MDC E0049), 
McDonnell Douglas Astronautics Company, November 1969. 
4. Campbell, D. J. and Hefher, W. J. : Measurement and Analysis of 
Large Operating Systems during System Development. Proceedings of 
FJCC, Volume 33, No. 1, 1968. 
5. Hrastar, John: Attitude Control of a Spacecraft with a Strapdown Inertial 
Reference System and Onboard Computer. NASA TN D-5959, September 
1970. 
SECTION III. SPACE  STATION/BASE 
A. General 
The purpose of this section is to  describe  the  space  station  data 
management system  hardware  configuration, and to  determine and define 
the  performance and  functional  requirements  related  to  executive  systems 
responsible  for  control of the  multi-computer  data  management  system. 
The section  consists of major  divisions devoted to 
0 Data Management System  Description, 
0 Executive  System  Functional  Requirements, and 
0 Executive  System  Performance  Requirements. 
The first part  places  particular  emphasis on functions,  hardware 
description, and the bus structure. Of the  four  major  computer  complexes 
within the  data management system, two are at the first stages of conceptual 
design and are outlined only roughly at this time.  The  remaining two are 
identical  and, while  they are still conceptual  in  nature,  more advanced from 
a definition  standpoint.  The  functions of these  complexes with respect  to  the 
space  station  mission  are  delineated  clearly. The bussing  concept is also 
outlined in  some  detail functionally. 
The second and third  parts  are  concerned with analysis of the com- 
puting hardware  architecture and characteristics of space  station  application 
software  leading  to a logical  determination of the  performance and fbnctional 
requirements  for  executive  control of the entire  data management system. 
Application  functional and performance  requirements do not,  for the most 
part,  exist at this time  necessitating a large  degree of a priori  insight  into 
the  nature of the  programs. As  a result,  experience and intuition  combined 
with largely  speculative and  conceptual  information forms  the  major  ration- 
ale  for  requirements development. Despite the general  lack of expected 
time-line  activity,  the functional requirements outlined in  this  section  are 
felt  to  be not only credible, but also  comprehensive. 
69 
0 Antenna Control. Selection and pointing of antennas. 
0 Navigation. Calculation of Onboard Orbital Ephe- 
meris with sensor  derived update. 
0 Stabilization/Control.  Implementation of control 
laws, attitude reference transformations, and 
energy  management. 
0 Rendezvous and Docking. Computations  upporting 
rendezvous and docking operations. 
0 Reconfiguration. Dynamic modification of sub- 
system  equipment and software  configurations. 
0 Subsystem  Consumables  Management.  Consumable 
utilization and  prediction of replenishment  require- 
ments; rescheduling of consumable  expenditure  to 
conform  to  available  stores. 
0 Inventory  Control.  Subsystem spares  status and 
replenishment requirements, record-keeping. 
0 Maintenance  Information  Control.  Location and 
display of subsystem  maintenance,  setup, and 
operating  procedures. 
0 Habitability Status/Support of Other Vehicles. 
Status  determination of logistic and experiment 
modules (when docked) for  habitability. 
0 Checkout. Status,  diagnostics,  fault  isolation  for 
all station,  integrated  and  attached module sub- 
sys  tems . 
0 Self-check.  Self-diagnosis for  error  detection 
and recovery. 
0 Training. Simulation of infrequently  performed 
station  operations,  such as docking, to  maintain 
crew  proficiency. 
b.  Experiment (computation) support. 
0 Experiment  Control and Scheduling. Initiation, 
operation, and termination of experiments 
according  to  mission  timeline. 
70 
€3. Data Management System Description 
1. General. It is the intent of this section to establish the status 
of those  aspects of the  Data Management System (DMS) baseline  that  directly 
influence  executive  system  requirements  analysis  and design. Overall  system 
functions to be  performed by the DMS are described. The current conceptual 
computer  hardware  configuration is described with specific  emphasis  on  the 
areas that  directly  impact upon executive  requirements. 
2. DMS Functions.  Functional requirements consist of those con- 
straints imposed on the  data management system  in  performing  the functions 
allocated to it or  arising  from  crew and program  element  interface  considera- 
tions. They are listed below (1). 
a. Subsystem (computation) support. 
0 
0 
0 
0 
0 
0 
0 
0 
0 
Subsystem Control and Scheduling. Master control 
of automated  subsystem and experiment  operations. 
Display Generation and Control. Control of inte- 
grated  subsystem  displays and the  generation of 
display commands. 
Data Bus Control. Timing and control of data 
reception and transmission via the  data  bus. 
Telemetry Control. Selection and scheduling of 
downlink data  transmittal. 
Data Acquisition Formatting. Sequencing, encoding, 
and scheduling of subsystem  data. 
Decommutation. Retrieval and reconstitution of 
encoded subsystem  data to its original or to  some 
other  desired  form. 
Storage. Control of subsystem data accumulation 
and retrieval. 
Command.  Command validation, storage, and 
execution for  subsystems. 
Data Computation. Redundancy reduction, trend 
extrapolation, and general data manipulation in 
support of subsystems. 
71 
0 Display  Generation  and  Control.  Control of 
experiment  displays and generation of display 
commands, 
0 Data Acquisition  Formatting. Sequencing, 
encoding,  and  scheduling of experiment  data. 
0 Decommutation.  Retrieval .and reconstitution 
of experiment  data  to its original  or a new form. 
0 Storage.  Control of experiment  data  accumula- 
tion and  retrieval. 
0 Experiment Data Correlation.  Association of 
experiment  data with operational  data,  such 
as position/velocity  coordinates. 
0 Experiment  Calibration.  Correlation of sensor 
calibration and usage  data with sensor outputs 
accompanied by mechanical  adjustment of equip- 
ment and software  parameters. 
0 Data  Compaction. Redundancy reduction and 
software data compression  algorithms. 
0 Inventory  Control.  Generation of experiment 
spares  status and replenishment lists. 
0 Maintenance  Information  Control.  Location and 
display of maintenance, repair, and operating 
procedures  for  experiments. 
0 Checkout. Status, diagnostics,  fault  isolation 
for-experiments. 
0 Self-check.  Self-diagnosis for  error  detection 
and recovery. 
0 Experiment Planning.  Short-range  (daily o r  
bi-daily  planning). 
0 Crew  Health and Proficiency  Testing.  Analysis 
of physiological  and  psychological data in con- 
junction  with laboratory equipment. 
72 
. c. Data acquisition. 
0 Signal Conditioning. Conversion of sensor out- 
puts  to  desired amplitude levels and frequency 
content; i. e. , scaling and frequency to voltage 
conversion. 
0 Multiplexing. Combining of multiple  data 
channels  into  one  channel using  frequency or 
time  division techniques. 
0 Analog to Digital Conversion. Encoding of 
sampled  analog  data  to a selected  digital  form. 
0 Formatting. Collection of a prescribed amount 
of data,.  along  with its associated synchroniza- 
tion words,  control  words,  timing  signals, and 
other  required overhead  information  into  proper 
order  for onboard or downlink distribution  and 
processing. 
0 Limit Checking. Comparison of a measured 
parameter  against  prescribed  limits. 
0 Address Decoding. Recognition of instructions 
contained within a binary-coded control  signal. 
0 Hardware  Programming. Synchronization and 
control of digital  logic circuits and events by 
timing signals (microprogramming). 
d. Data distribution. 
0 Addressing.  Command  selection of device, 
word o r  message,  transfer, and acquisition. 
0 Decoding. Deciphering of a device address, 
channel address, and instructions. 
0 Error Detection. Determination of message 
V a l i d i t y .  
0 Buffering. Temporary storage of analog-oriented or 
digital data after acquisition and prior  to  transfer. 
73 
e. Data storage. 
0 Recording. Transformation of electronic 
. signals to a form  or medium  allowing their 
accumulation and retention. 
0 Retrieval. Location and transformation of 
recorded data to its original  form. 
f. h a g e  processing. 
0 Film Development. Photographic processing. 
0 Image  Transformation. Conversion of imagery 
to a form suitable for viewing and editing. 
0 Image Storage.  Storage of video, analog, and 
digital data in physical  form. 
o Image Retrieval. Acquisition of records stored 
on film,  microfilm, o r  tape. 
3. DMS Hardware  Description.  The DMS consists of two indepen- 
dent (DMS and experiment)  multiprocessor complexes and a dedicated,  hard- 
ware-redundant Guidance, Navigation and Control (GNC) computer. A dedi- 
cated  simplex  computer has been included within the biomedical  facility. 
All subsystems are interconnected  through a complex data  bus network. 
a. Data management systems. Block diagrams of the basic 
features of the  computer  complex  architecture are shown in Figure III-B-1, 
parts  A and B. A command/control  console  located on both the  central 
operations  and  the  experiment  control  decks  facilitates  direction of computer 
operations,  modification of existing  software  routines and subsystem mode 
changes. Portable  control units located on other  decks provide supplemental 
crew/subsystem interfacing. 
The DMS and experiment  computers  and  their functions a re  shown, to- 
gether with main and auxiliary  memory, in Figure ID-B-l(1). The main 
memory is arranged in modules which a re  connected to  the  processors via  a 
switching unit. The  quantity of Arithmetic Logic Units (ALU's) possible for 
each  multiprocessor complex is limited to the  number of memory modules 
ports  less  the  number of 1/0 Bus  Controllers.  Under  this  scheme, any mem- 
ory  module or  group of modules  can be used by any of the  multiple processors. 
The memory modules will  be used to store  programs in the  active  state. 
Other  programs and data will be maintained in mass storage. 
74 
1 M 
- 
I 
Bus 
Controller 
- 
c 
-e 
I 1 
' I Arith I 
16K uy@ Unit C"" Local 
Storage  Con rol 
Interface and 
Control Unit 
Common 
Memory' Memory 
Common - - - --., 
- 
-" - - 
( I  - " - 
A "" - Y 
N 
I I Arith 
I Logic 
16K I Unit 
Storage I control 
Local I--- - - -  Bus 
Controller 
' Unit 
Bus Interface and : 
I 
Control Unit 
I I I L 
I - "" I - 
- "" 4 ,  
1 -" - - 
Auxiliary 
Memory Memory 
Auxiliary 
r 
- 
7 
1 
I 
I, 
Display Commands 
DISTRIBUTED  MULTIPROCESSOR  CONFIGURATION - PART A 
(Station Control and Suppox't) 
FIGURE lII-B-1 
75 
Main Subsystem 
Data Bus: Up To 
25 MH Capability 
z 
1 M 
Common  Common 
Memory  Memory 
"" 
1 
" - L- .I 
0 "" 
- ""_ A - 
1 N  
I I Arith I 
I 
I 1 16K I I Logic 
Local t- - " - unit 
- 
r 
Bus 
Controller Control Unit Control Unit 
- Interface and 
I I Controller I 
- I 
I I 
""_ * P  
4.""" 
I 
I 
Auxiliary  Auxiliary 
Memory  Memory 
I 
I Arith I 
J. 
Bus Interface and Bus 1 
I
" 
Display Commands 
DISTRIBUTED  MULTIPROCESSOR  CONFIGURATION - PART B 
(Experiment  Control  and Support) 
FIGURE  III-B-1 
76 
Main Subsystem 
Data Bus: Up To 
25 MH Capability z 
The mass  storage will be a  random-access  device,  but of slower 
speed  than  the  main memory modules. Other large amounts of data 
requiring infrequent access will  be stored on a bulk data,  sequential 
auxiliary  device,  such as a tape unit. 
Bulk data  storage  utilizes  ultra-high  density magnetic  tape recording 
techniques and is configured in a system  to  meet high data volume storage 
requirements and relatively slow access  speed  requirements. It is expected 
that this storage  subsystem configuration  will be used  primarily  for  recording 
of digital data  prior  to  processing on-board or  prior  to  return  to  earth via 
logistics  vehicles. 
Block diagrams showing the  relationship between the  data  management 
computer  complex and the  internal  subsystems is shown in Figures III-B-2(2) and 
m-B-3(2)* The complex is comprised of two multiprocessors (each system 
consists of at  least two individual processors) and two dedicated  processors. 
The multiprocessors  perform station-keeping and experiment  control while the 
dedicated processors  perform Guidance and Navigation (G&N) functions (hard- 
ware redundant) and support  biomedical requirements (simplex). 
The  station-keeping and experiment  control  processors  comprise a 
symmetric  multiprocessor configuration  where  each set has two processors, 
one shared  memory  set, and common I/O channels. 
A .dedicated processor implemented in a dual redundant  configuration 
is chosen  for  the G&N subsystem  since it offers the  highest  degree of availa- 
bility (a complete backup station is. available in the  event of failure)  for  this 
critical function. Biomedical applications are  accomplished with a simplex 
dedicated processor;  i.e., one processor,  memory  set and 1 / 0  set. 
Salient  features of the DMS are  as follows: 
(1) Computer. 
DMS Multiprocessor as  master executive and 
computation center. 
Experiment  Multiprocessor  for  processing and 
sub-executive  control. 
GNC Dedicated Dual Processors. 
Dispersed  Processors  for  localized computation 
and interface  simplification. 
77 
ANALOG DATA  ACOUlSlTlON  DIGITAL  DATA  ACQUISITION 
ANALOG. DISCRETE AND DIGITAL SOURCES 
SUBSYSTEMS, ATTACHED  AND  INTEGRATED 
EXPERIMENTS. DOCKED  MODULES + + + + 
+ .) + 
Q)MMUNICATIONSSUESYSTEM 
DOCKING  ATTACHED 
INTERFACE ROAU  RDAU  EXPERIMENT 
INTERFACE - 
DIGITAL  DATA  TERMINALS 1 * t ? 
” ””” “- 
_.-.. r l  . l  
~ U L T I P R O C E S O R  ’ 
EXPERIMENT I 
CONTROL SUPPORT I 
ANALYSIS I 
REDUCTION 
TERMINAL  TERMINAL 
MAIN  MAIN 
STORE ’’ STORE I DMS MULTIPROCESSOR ’ 0 DMS EXECUTIVE I 0 MISSION OPS SUPPORT 
I 0 TELECOMMUNICATIONS 1 
I. CONTROL L - - e DISPLAY A d  0 SUBSYSTEMSSUPPORT 
SCHEDULING 
I 
I 
BULK STORAGE 
COMPLEX f I I 0 DISPLAY 
e” 0 REDUCTION 0 ANALYSIS 
CONTROLLERS 
TERMINAL 
PROGRAM  STORE 
MEMORY SUBSYSTEM 
PORTABLE COMMAN 
CONTROL  DISPLAY 
IMAGE PROCESSING 
COMMAND  CONTROL  AND  DISPLAY 
FIGURE III-B-2 . DMS BLOCK DIAGRAM 
78 
DISTRIBUTED COMPUTER CONFIGURATION 
! _""""""""""""""""! 
IW1.*.1151 C W C . W l M 1 4 I U N  
FIGURE III-B-3 
(2) Data acquisition. 
Data acquired by remote units; remote units 
perform A/D conversion,  multiplexing, and limit 
checking. 
0 Standard terminals used for interface to data bus. 
0 DMS computers  provide  control,  sequencing 
and formatting. 
(3) Data distribution. 
0 TDM/FDM  Coax Bus. Multiple buses provide 
redundancy. 
0 Control provided by polling and selection from 
Master Station. 
(4) Display controls. 
0 Integrated  displays. 
0 Centralized  mission  control/operations  center. 
0 Master  experiment  control  center. 
0 Portable units for remote control/display. 
0 Controls. Nonmechanical. 
(5) Bulk data storage. 
0 Tape selected on basis of recording density and 
low volume of medium. 
(6) Image processing. 
0 Minimal system for control and calibration of 
experiments. 
b. Processor and memory description. Certain common 
ground rules apply  to all DMS subsystem  configurations as follows: 
80 
All  general  purpose  processors  have  the  same  per- 
formance capability. Fewer assemblies in imple- 
menting  the  computer  subsystem  minimizes  spare 
assemblies, maintenance, training and manuals. It 
also  provides maximum levels of fail-safe  capability 
and software  interchange. 
A minimum of two auxiliary  memory units in  critical 
operations  shall  be on-line at all time. File tapes, 
disc units, and 64K memory  units  will  be  assigned 
in  pairs  to  the  central  processors in station  control 
and management. High density  and  incremental mag- 
netic  tape units may be  assigned  singly. 
A t  least two spare units shall  be stocked for all units 
involved in  critical  operation. Two or  more  spare 
units  have  been  included  for  all  central  processor, 
main  memory,  file  tape, or  disc units involved in 
GNC processing or station  control and data manage- 
ment  processing. 
A monolithic  memory has  been  chosen  for  the  shared 
main  memory  because of weight,  power .and volume 
considerations.  Discs a re  used for  the  auxiliary mem- 
ory and file-tapes  for  program store. High density 
tapes a r e  used to record  data  occurring  at high rates 
primarily from the experiment packages. For low 
rate  data  occurring  asynchronously,  incremental  tapes 
a re  provided. 
The two multiprocessor  configurations allow executive  control of station 
operations and experiment operations control. The DMS multiprocessor con- 
tains  the  master  executive function  that coordinates  all  operations. 
Near autonomous operations of functions assigned  to  the two processors 
minimizes  data  transfer between the two equipment  groups.  Each multiprocessor 
requires high rate, parallel  data  transfer.  Transfer  across  the  data  bus  nor- 
mally is limited  to  executive  control functions. This  enables  greater  utilization 
of the  available bandwidth of the  data  bus  for  data and control  transfer between 
experiments and subsystems. 
81 
In special instances,  the configuration boundary of one multiprocessor 
extends  into the  physical area of the  other  multiprocessor.  This  occurs under 
control of the executive program which reassigns a processor  memory  or 
1/0 unit. The  reassignment  results  from  an  error condition or  temporary 
processing overload. Data Bus bandwidth and data access  time  limit this 
type of reassignment. 
A single  simplex computer is dedicated to Biomedical-class experi- 
ments on the basis of a large  number of specialiied  measurements and to 
provide  maximum  flexibility and freedom  for  crew  interface. Since the 
function is not flight  critical, a  simplex  machine  was chosen. 
The  Onboard- Checkout System (OCS) utilizes the DMS basic  operating 
system. This includes the operational language, compiler, and the utility 
and supervisory  routines  necessary  to  support checkout operations.  The 
major OCS software  effort lies in  the  special application programs unique 
to checkout. 
The central  processors will  have a standard  instruction  set supple- 
mented with real-time features. Special macro-instructions  improve  opera- 
tion of certain high usage  arithmetic  (compare o r  search  program  routines). 
Using the  operating  system  set  simplifies  program checkout and simulation 
of real-time  performance.  Processors  used  for both multiprocessor and 
dedicated  processor functions are identical  with  the  possible exception of 
microprogram modules. These  differences  shall not affect  the  capability 
for any processor  to  execute  the  supervisor and critical station-keeping 
programs.  This  design  requirement  assumes  that any processor may  be 
used as a physical and logical  replacement  for a processor  assigned  to  the 
Space Station control function. (1) 
A common set of processing and storage  units is used for  all con- 
figurations  to  minimize  spare  requirements and maintain  a high level of fail- 
soft  capability for critical  operations. 
Characteristics of each  unit a re  summarized below: (3) 
(1) General  Purpose  Processor. 
0 150-200 KOPS capability. 
0 Floating point arithmetic. 
0 Shared memory bus. 
82 
Y 
0 8-Channel, Hi-speed 1/0 interface. 
0 Word Length - 32 bits, plus check bits. 
(2) Main memory. 
0 Type - monolithic. 
0 Capacity - 16,384 - 32 bit word length, plus 
check  bits. 
0 Cycle time - 1 micro  sec. 
0 Access  time - .5  micro  sec. 
0 Interface - 6 ports  for interconnection t~ 
processors (up to 4) and bus controllers. 
0 Control - random  address. 
(3) Magnetic disc. 
0 Capacity - 14,500,000 bytes plus  check bits, 
per  disc pack. 
0 Data rate - 312,000  bytes per  second 
transfer,  read  or  write. 
0 Access  time - 72.4 msec  average. 
0 Control - record  addressable. 
0 Interface - 2 ports  for interconnection  to 
processor 1/0 channels or Bus Controllers. 
(4) High-density tape. 
0 . Density - 16,000 bits/in. 
0 Tape  speed - 100 in. /sec. 
0 Tracks - total: 128 (16 byte)  plus check 
bits. Single operation: 1 6  (2 byte) plus 
check  bits. 
83 
0 Data Rate - 800,000 words per sec. 
0 Reel Capacity - 1,000 ft. 
0 Interface - 2 ports for interconnection  to 
processor 1/0 Channels o r  Bus Controllers. 
(5) Incremental magnetic tape. 
0 Density - 1,000 bits/in. 
0 Tracks - 16 plus check  bits. 
0 Reel Capacity - 2,400 ft. 
0 Interface - 2 ports  for interconnection to 
processor 1/0 Channels or Bus Controllers. 
(6) Monolithic memory - auxiliary. 
0 Type - Monolithic. 
0 Capacity - 64K words , 32 bits plus check bits. 
0 Cycle Time - 2.0 micro  sec. 
0 Access  Time - 1.0 micro  sec. 
0 Interface - 2 ports  for  interconnection  to 
processor 1/0 Channels or Bus Controllers. 
0 Control - Word Addressable. 
The  computer  auxiliary  memory  provides  the  capability for reading 
a variety of stored  programs  into  the  computer on an as-needed basis  for 
selected o r  intermittent  computer  operations. The programs  will have  been 
prepared  in advance  and  kept in  storage  in  anticipation of the above; or new 
programs  will  be  generated, as required, on the ground and transmitted 
(via R F  link) or  carried (via logistic  vehicle)  to  the  station. 
84 
During system  operation, one of the  processor modules  will  contain 
the  executive  program and will function a s  a master  controller. It will 
assign  tasks and equipment to the  other  processors a s  the computation work- 
load  varies. ,When equipment is not  actually  operating, it will be placed in 
a standby condition to  conserve power. Periodically,  each  processor will 
run self-test  routines to detect failures. If a failure is detected,  the  failed 
unit will  be switched out of the  system and replaced by another module. The 
crew  will  be notified via  the Onboard Checkout System (OCS) so that corrective 
action  can  be  initiated. 
c. Bus structure. 
(1) Data distribution. The digital portion of the Data Dis- 
tribution  Subsystem is a data bus consisting of a primary and a  redundant  coaxial 
cable  for  digital  transmission through  the Space Station. Twisted wire  pairs 
are  used for secondary  buses. 
Important Data Distribution  Subsystem  characteristics  are: 
0 Digital  control of all  subsystems. 
0 TDM/FDM  of digital data in a half-duplex mode. 
0 Standard interface  hardware is made feasible 
by the standard  interface word. 
85 
Within the Digital Data Distribution  Subsystem,  addressing and con- 
trol is accomplished  either under multiprocessor  control or by manual  control 
from an astronaut input console. This  control is accomplished  through the  use 
of a standard  interface word. It consists of 32 bits which provide  14  bits  for 
terminal/channel  addressing,  a  read/write  bit  to  ensure  that  terminals wi l l  have 
access to the line  in  proper  sequence, a 16-bit (half word) data/command word, 
and a parity bit.  The form of the  data word may  serve  to  indicate  the  proper 
mode and gain for a remote  data  acquisition unit as commanded by the con- 
troller, a  word  count when a continuous frame of data is to be  transmitted by 
a terminal, or simply acknowledgement by a write device  that it has  accepted 
the  data and no errors have been found. 
In addressing  terminals/devices which a re  to output data, a one word- 
period  delay will  ensue,  prior to that unit's transmission on the  line,  to allow 
time for a  second  command  to be issued  to a receiving  device to  accept  data. 
The  transmitting device will then respond with its terminal/channel  address 
followed  by data. A receiving  deviceherminal wil l  wait to acknowledge mes- 
sage  receipt until an end  of message  indication,  message word count equal to 
zero, or an acknowledge request  from  the  bus  control unit. 
If the  addressed  terminal cannot  respond  immediately with the  requested 
data,  the  terminal  originating  the  response wil l  so inform  the  multiprocessor 
by raising a "not ready''  bit. In this  case,  the  multiprocessor will  interrogate 
the  terminal  at  some later time to get  the  desired data.  Terminal-to-terminal 
data  transfer is segmented  via the use of subcarriers.  This allows  simultaneous 
terminal  control of subsystem  terminals by the DMS operations  control  com- 
puter and experiment  terminal  control by the  experiment  control  computer. 
It also allows certain  types of data to be transferred  in a  semi-controlled, un- 
interrupted  data  stream and divides  the  distribution system into  somewhat more 
manageable  segments. The net result is a  reduction  in  terminal-to-terminal- 
data  rates,  response-time  requirements, and the  size of individual buffer 
storage  devices. 
Data, entirely  digital  in form, is time multiplexed onto a specified 
carr ier  frequency (or frequencies) which is, in  turn,  frequency multiplexed 
with other carriers onto the common data bus system. The  exact  configura- 
tion of the  bus  in terms of number of lines,  partitioning of data  types, and 
carrier frequency  allocation  involves  consideration of total Space Station data 
requirements and has not  yet been established. 
(2) Data acquisition. The Data Acquisition System (DAS) 
is controlled by the DMS multiprocessor and is interconnected by the  data bus. 
Figure 111-B-4(1) shows the selected  subsystem concept. All  information sources 
a re  coupled to  the  data  bus through one of two types of terminals (anaIog or 
86 
”-” 1 
I L“” 
I ”- 1. ”””- J 
ANALOG  DATA  TERMINAL 
I 
I I 
“f ”I 
PROCESSOR 
I I 
r 
. 
SUBSYSTEM/ 
INPUTlOUTPUT  EXPERIMENT 
PROCESSOR 
ANALOG.  DISCRETE, AND 
DIGITAL SOURCES  SUBSYSTEMS 
AND  INTEGRATED  EXPERIMENTS 
WITH PROCESSORS 
DESIGN REFERENCE MODULE-DATA ACQUISlTION SUBSYSTEM 
FIGURE ID-B-4 
digital) which are  addressable by the DMS processor. The standard  digital 
control  word is the  means of control.  Each  terminal  can handle eight  four- 
wire  interfaces. The  number of inputs to a  digital  terminal is expandable to 
512 by connecting  a  Remote Data Acquisition Unit (RDAU) to each input. Each 
RDAU will  accept up to 64 analog and/or 8-bit digital  signals and will  accept 
formats  transferred from the  computers. 
The  system is activated by a control  word from the DMS processor. 
The  addressed  terminal will then  place its data on the  data bus and the DMS 
processor  can  either  accept it or, through  additional  control words,  route 
it to another  subsystem/experiment. 
(a)  Digital Data Terminal. The device which pro- 
vides  the  data  bus  interface is the  digital  data  terminal and is shown in Fig- 
ure ID-B-5(1).. The terminals contain modulator/demodulators (RIODEMS), 
input/output logic, and interface  data  control logic. They also contain buffer 
storage  to  accommodate  irregular  data  rates  from  interfacing equipment and 
to allow assembly of data  for block transfer onto the  bus.  This  terminal is 
designed to handle eight standard  four-wire  interfaces with individual bit rates 
of one million bits  per second (Mbps) or less. Each interface is isolated  to 
prevent propagating  a data  source  failure to  another interface. The  digital 
MODEM interfaces with the  data bus  and isolates  the  data bus from the terminal 
electronics  to  prevent  electrical loading in  either  direction. Clock logic is 
modular and divides  the  data  bus  clock  to  whatever  frequency or frequencies 
that are  required by the individual interfaces. Buffer storage is also modular 
and may be provided as a single quantity unit for  the  terminal , o r  expanded/ 
contracted  for any or all interfaces individually. This  feature allows storage 
to  be  tailored  to a particular  interface  data  rate. The DMS processor  can 
efficiently utilize  this  storage by sending  a control word to  cause the terminal 
to  sample its inputs, and, at a later  time, send another control word to re- 
quest a data dump. 
(b) Analog data terminals. The modular  analog 
terminals  operate  in an  amplitude modulation (AM) configuration (see  Figure 
III-B-6(1). Each input is raised  to a different intermediate frequency (IF). 
The IF signals a re  then  shifted to a  frequency  spectrum compatible with the 
data bus. Any or  all analog  inputs  may  be selected (via a  control  word  from 
the DMS processor) through 'the address  decoder and logic for simultaneous 
output. The  analog output is placed directly on the  data  bus through  an isolator. 
(c)  Remote  data  acquisition unit. The RDAU (see 
Figure III-B-7(1)) performs the following five  functions: 
88 
R DAU'S AND 
DIGITAL 
INTERFACES 
r """"""" 1 
I 
I 
I 
I 
b. 1 STORAGE 
BUFFER 
- 
1 
:i 
CONTROL 
8 
? . 
INPUT/ 
LOGIC 
1 b MODEM 4 b OUTPUT 
I 
1 
I 
I 
I 
4 
* TIMING 
(CY', 
I I 
L """"""" J 
DIGITAL DATA TERMINAL 
FIGURE III-B-5 
In 
FD 
0 
In 
I I 
1 I 
I 1 
I I 
I I 
I I 
I I 
I I 
Oscillator 
r 
Gate 1 + Balanced 
Modulator 1 
-. 
Mixer c Isolator 
4 
- - 
I A 
Gate 8 Modulator 8 4 H Balanced t 1 
1 
II 
r 
Address 
Decoder 4 Modem 
and  Logic - 
i r 
I 
I I I I 
I 
IF 
1 Oscillators 
I 
To Data Bus 
ANALOG TERMINAL 
FIGURE III-B-6 
Address Mode I I f 
7 1 '  Address/Data 
r"l Timing 
+ 
Channel 
Address/Mode 
1 
Main 
Programmer 
Limit 
Memory 
+- 
Digital 
Comparator 
t
1 
4 Register 
1 I 
1 Bi-Level F l  Ana1:g Variable Gain I Analog/Digital Multiplex  Multiplex  Multiplex Amplifier Converter 
I 
Bi-Level 
Inputs 
I - I 
Digital  Analog 
Inputs  Inputs 
REMOTE DATA ACQUISITION UNIT 
FIGURE 111-B-7 . 
0 Signal conditioning, 
0 Multiplexing, 
0 A/D conversion, 
0 Limit checking, and 
0 Timing. 
Signal conditioning is accomplished  through  a programmable gain 
amplifier or both a programmable gain amplifier and a  preconditioning  (ahead 
of the  multiplexer) network. 
The 64-channel multiplexer  can  accommodate  selected  combinations of 
analog and digital  inputs. 
The analog to  digital (A/D) conversion  bit  rate  equals  the  clock  rate 
of the RDAU. The A/D converter output is digitally  compared with high and 
low limits  extracted  from a  self-contained  local  read/write  memory. If the 
measured  parameter  exceeds  either  limit,  the  return  data is flagged so the 
DMS processor is aware of  any failures o r  out-of-tolerance  conditions  (check- 
out functions) . 
d. System reconfiguration. The computer subsystem is a 
physically distributed computational configuration. The DMS multiprocessor 
main  memory  modules, and auxiliary  memory  units a r e  on Deck 3. The experi- 
ment  multiprocessor,  main  memory  modules, and auxiliary  memory  units a re  on 
Deck 1. This  distributed  organization allows for  graceful  degradation and a 
complete backup system  to  be  available  in  the event  that one multiprocessor be- 
comes  completely  inoperative.  This backup capability will  be  used in the 
following manner: 
0 The.experiment multiprocessor shall contain a count- 
down timer (watch dog) which must  be  reset by the DMS 
Multiprocessor before the timer reaches zero. There 
will also be a buffer of critical  parameters contained 
within the  experiment  processor  that will be updated 
by the DMS computer  at  the  same  time as the  timer 
reset. In the event  that the DMS computer  does not reset 
time  before  zero count, the  experiment  computer 
takes  over  the job of the DMS computer  (the master 
executive is always in the  experiment  processor's  main 
storage) using  the table of critical parameter  as an 
initial  data  base. 
92 
I 
Each auxiliary memory unit group will contain all the 
programs  that are  required by that  particular multi- 
processor. The programs  required  for main store will 
read  in  from.auxiliary  store (in a nondestruct  manner 
s o  that  a  complete  program set always resides  in 
auxiliary  memory) as  needed. Additions or  changes to 
the onboard program set can  occur via up-link or  crew- 
initiated  action (1). 
0 Reconfiguration at lower system levels has not been 
studied  in  detail at this  time. The current thinking is 
to  isolate  the  fault  to a Line  Replaceable Unit  (LRU) and 
inform the crew of its fai!ure. The procedure, then, is 
to  replace  the  failed unit with a stored  spare.  It is a 
safe assumption  that on-line, or at  least dormant,  redun- 
dancy will exist in critical  subsystems such as Guidance, 
Navigation and Control (GNC) and life  support  systems 
where human response would be a  limiting  factor. At 
this  time  there is little  lower  level  detail as  to  the ex- 
tent of redundancy to  be  incorporated for dynamic recon- 
figuration. 
93 
C. Executive System Functional Requirements 
1. General. The purpose of this section is to outline the func- 
tional  requirements of an executive  control  program for the  space station. 
The  preceding  sub-section has  described  the  hardware  associated with the 
computer  systems as presently envisioned. The following sub-section will  
relate  hardware and space station  mission  requirements  to yield the execu- 
tive functional requirements. 
Executive  functional requirements  are developed through  a five  step 
procedure. The steps are: 
0 Major on-board space station functions are  
enumerated, 
0 The computer application programs that will 
be developed to  implement  these functions 
are  illustrated, 
0 The DMS multiprocessor executive functional 
requirements are outlined, 
0 The GNC executive functional requirements are  
discussed, and 
0 The Biomedical  executive  functional require- 
ments a re  presented. 
The  functional requirements  reflect  a meld of performance  demands 
and hardware  capabilities.  Neither  performance  nor  hardware is well 
enough defined at this  time  to draw an  isomorphic  correspondence between 
them and the executive functional requirements. However, there is suffi- 
cient  information to  determine  major functional requirements and to define 
features  required  to  support  those functions. 
94 
The  objective of the  executive is to  control,  direct, and serve the 
application programs in fulfilling the  total Space Station mission functions. 
To uncover the functional requirements of the executive control  software, 
we may block out the functions of the Space Station and the functions of the 
application  programs  (these  functions have been  considered  to  some  detail 
under NASA contracts (4)). If the functions and features of the computing 
requirements  can  thus  be  established, the  functional requirements  for execu- 
tive  software  control  can  be defined. 
a. On-board functional requirements. The on-board functions 
to be  supported by the  computer complex for  the Space Station mission  are: 
(1) Checkout. 
(a) Preflight . 
Mode control. 
Subsystem monitoring. 
Status display. 
Data acquisition. 
Calibration. 
Component substitution. 
Stimuli  control. 
Diagnostic. 
Fault  isolation. 
Failure effect  intelligence. 
Limit check. 
Fault/tutorial display. 
Data/status  summary. 
95 
(b) Operations. 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
Mode control. 
Subsystem monitoring. 
Status  display. 
Data acquisition. 
Trend  analysis. 
Data storage and retrieval. 
Calibration. 
Component substitution. 
Stimuli  control. 
Diagnostic. 
Fault  isolation. 
Failure effect  intelligence. 
Limit check. 
Fault/tutorial display. 
Inventory. 
Data/status  summary. 
(2) Flight  operations. 
(a) Manned. 
0 Subsystem status display. 
0 Overall  subsystem  control. 
0 Activity scheduling. 
0 Configuration control. 
96 
Personnel/skill scheduling. 
Inventory  management. 
Operational procedures. 
Emergency procedures. 
Data acquisition. 
Communications center. 
(b) Unmanned. 
0 Subsystem status display. 
0 Overall subsystem control. 
Configuration control. 
0 Inventory  management. 
0 Operational procedures. 
0 Emergency procedures. 
0 Data acquisition. 
(3) Training. 
0 Free-flying module operations refresher. 
0 Rendezvous refresher. 
0 Reentry refresher. 
0 Emergency procedure refresher. 
(4) Network. 
0 Scheduling. 
0 Verification. 
0 Checkout. 
97 
0 Acquisition. 
0 Validation. 
0 Compression/decompression. 
0 Formatting. 
0 Distribution. 
0 Ground commands. 
(5) Experiments. 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
0 
Data acquisition. 
Decommutation. 
Format. 
Conversion. 
Reduction. 
Edit. 
Accumulate. 
Storage. 
Retrieval. 
Analysis. 
Archival. 
Summation. 
Distribution. 
Image  processing. 
Control. 
Antenna  pointing. 
98 
(6) Engineering data management. 
0 Process OCS derived  summary data. 
0 Model subsystem  specified  performance. 
0 Performance evaluation. 
0 Performance enhancement. 
0 Biomedical monitoring. 
b. Application tasks. Application programs to fulfill the on- 
board functions  can be  listed in functional groupings. Each function (and 
explanatory subfunction) is listed  according  to  the  major onboard features 
they supervise. The features by function group are: 
(1) Mission  control. 
(a) Checkout supervisor. 
0 Onboard checkout backup. 
0 Onboard checkout evolutionary development. 
(b) Flight operations  upervisor. 
0 Subsystem status. 
0 Configuration control. 
(c) GNC supervisor. 
0 Tracldng  data  processor. 
0 Numerical  integrators. 
0 Vector  analysis. 
0 Trajectory  determination. 
0 Evaluation  calculations. 
0 Station  acquisition. 
99 
(d) Training  supervisor. 
0 Space station operation. 
0 Experiments  operation. 
0 Onboard checkout operation. 
a Emergency  proc6dures. 
Ground support. 
(2) Functional experiments control. (Experiments supervisor. ) 
Storage. 
Archival. 
Analysis. 
Retrieval. 
Image  processing. 
Summation. 
(3) Engineering evaluation. (Engineering data supervisor. ) 
0 OCS data processing. 
0 Performance evaluation. 
a Performance enhancement. 
0 Subsystem modeling. 
a Test  data  processing. 
100 
(4) Information facility. (Information supervisor. ) 
0 Mission planning. 
0 Scheduling. 
0 Logistics/inventory. 
0 Experiment data distribution. 
0 Engineering  data  distribution. 
c. Executive support. Executive control ,programs are re- 
quired  to  provide  resources  to  the  application  programs that satisfy  mission 
functions. There are  limited resources, for example ALU's, main memory, 
channels, and data  bus; and these  resources  must  be  allocated among the 
application  demands  in  such a way that  all  mission functions are  satisfactorily 
supported. 
Two policies are noted.(and  they are  basic  to executive  systems): 
(1) Uniform identification  header will be appended to every  task  in  the  system, 
and (2) the  executive will interface all communications  external  to  the  task. 
(1) A uniform header  will  contain all the  attributes  neces- 
sary to initiate scheduling of a task on any of the  system  processors.  The 
header will contain  the initial task  priority,  core  requirements, execution 
time estimates, facilities required, dead-line, start-time, and other perti- 
nent information. Pertinent information will include, for example, the type 
of microcode to be  executed (if available in  the  hardware).  Thus, a common- 
high-level  language is encouraged which produces code  executable on several 
computers  optimized by the  microcode  most  suitable for the  application. 
(2) The  executive will provide all interfaces to the  task. 
Tasks are not dependent upon individual computer  system  resources and a re  
free  to  access  other  external  subsystem  resources. To the  scheduler  each 
of the  subsystems (propulsion for example),  whether demanding or responding 
to  requests, is a resource  to  be  allocated. All programs  can  be  operated 
through a c o b o n  set of procedures  regardless of their individual natures. 
The  uniform header  will  permit  task-data sets to  surrender  personality,  but 
maintain coded attributes and traits. 
10 1 
The  configuration discussion (III. B) describes four  identifiable  com- 
puter complexes.  The  biomedical subsystem  contains a  computer  dedicated to 
biomedical  experiment functions. The GNC subsystem  contains a  dual- 
redundant  computer that is dedicated to GNC functions. The DMS computer 
is a multiprocessor handling data management. The  second multiprocessor 
is identified with experiments and onboard checkout. All computer ALU's 
have access to the same subsystems  via  identical  data  bus  interfaces. 
The multiprocessors  specified  for data management and for  experiment/ 
checkout are identical. All  interfaces are identical and all subsystems a re  
within reach of each ALU of each  multiprocessor.  This is not to  say that ad- 
vanced concepts will not be implemented. On the  contrary,  it is quite  possible 
that  several  very  different object procedures might be implemented in  micro- 
code and  executed on the  same  processor  concurrently. 
The DMS executive will supply the  required  resources to the applica- 
tion programs and direct the  overall  computer  system scheduling  activities. 
The ALU's, the  interfaces, and the  subsystems  are  resources to be managed. 
The interface code  and  command procedures will be independent of which 
multiprocessor is directing  the  task. 
A -  single  baseline  executive is required  for  the  multiprocessors.  This 
executive will be implemented in each  multiprocessor. The  header  identifi- 
cation  for  each  task will identify  the  control  programs  to  be used. For exam- 
ple, certain experiments may require unique I/O handlers. These special 
handlers would be  brought.into  a  segment  overlay  portion of the executive and 
executed. Any special  subsystem functional requirements would be attended to 
by the  handler  tailored  to  those functions. To  proceed  a s tep further  in  our 
example,  suppose that a multiprocessor  failure  has  occurred and that DMS 
functions and experiments a re  being conducted on one multiprocessor.  Further, 
let us postulate  that  different bulk storage  access methods are  used by the 
competing tasks. The header identification  can be used to  see that each task 
is linked to  the  proper  access method. Thus, the backup computer  has  the 
capability of applying code that is common to  the two systems and code that is 
peculiar  to  either of the  systems. 
Intuitively, it appears  that a single  executive for  the two multiproces- 
sing  systems will  be less expensive to develop than two independent multi- 
processing/multiprogramming systems. The baseline executive, further, 
will have a higher.degree of confidence testing and validation. The overall 
product will be more  resistant  to  obsolesence due to  its  wider  applicability 
and adaptive  nature. 
102 
The  dual  redundant  computer described (lII.B) will be  dedicated to GNC 
functions. The dual-redundancy will be entirely for backup. Multiprocessing 
will  not  be available. 
The GNC executive will receive commands from  the DMS executive. 
The  commands  may  originate as astronaut manual control,  stored  mission 
timeline, or commands  telemetered  from  the ground mission control., The 
prime GNC executive function will be  the sequencing of application programs 
to execute the  manuvers identified by commands,  self-testing, and subsystem 
fail-safe  support. 
The Biomedical  executive  has  a  limited  number of functions to support. 
However, a great deal of flexibility is desired in the  area of manual  initiation, 
modification, and addition of task  software. Most of the presently  considered 
biomedical  functions require an astronaut  in  the loop. The GMC executive is 
concerned with acquiring  sensor  data  for  the application programs and pro- 
viding displays and manual capabilities  for  the  astronaut. 
Each of the  executives will be  discussed to present  their functional 
requirements. The DMS Executive will be adaptive for DMS multiprocessor 
or experimentdcheckout  multiprocessor. A GNC Executive functional re- 
quirements is developed for  the dual  redundant  computer.  The  biomedical 
subsystem is supported by a Biomedical  Executive  functional requirements 
description. 
2. DMS Executive. We have reviewed the  space  station functions, 
the  applicationsoftware functions, the  hardware  configurations,  the combina- 
tion of functions  to be performed,  software  tasks  to  be supported, and hard- 
ware required executive features that, in  turn,  specify  the  required functions. 
The features of the DMS Executive for  multiprocessors and their   functiod 
requirements are: 
a. System  control. 
(1) Scheduling. 
Task  course scheduling. Course  scheduling 
occurs when a new task is initiated, a change in 
task attributes  occurs, or there is a change in 
hardware or software state. 
Device inventory. Device inventory  builds  and 
maintains  configuration maps and tables of 
103 
facilities available  for  assignment  and facilities 
assigned  to  each  task. 
0 Command interpreter.  The command interpreter 
checks  format of headers  (tasks)  and input control 
stream. Decodes for scheduler. 
0 Dynamic allocator.  The  dynamic  allocator  assigns 
main  memory  and ALU time  to  the  tasks  being 
processed. 
0 Dispatcher.  The  dispztcher  dispatches ALUs to 
tasks. 
(2) Task-to-task calls. Inter-task communication is made 
via.  supervisor calls. 
(3) Parallel task execution. This refers to the capability 
of a running task  to  initiate the  execution of another  task. 
(4) Program timed request control. 
0 Mission  timeline decode  and interpretation. 
0 Real-time  clock  services will be  required. 
0 Interval timers and watch dog timers will 
support  several functions. 
(5) Priority interrupt processing. Interrupts a re  closely 
identified  with  scheduling  functions.  The hardwired  priority  levels may deter- 
mine  servicing  order. The nature of the function will  determine  the  primity 
level  assignment, 
(6) Task termination/suspension. 
0 Task  termination. Completed tasks are removed, 
files  closed, main storage  returned  to  the  dynamic 
allocator, and facilities released  to  the  device 
inventory  routine. 
0 Task  suspension.  The function is required  to  tem- 
porarily suspend individual task processing. This 
possibly  includes  the  capability of rolling-out  por- 
tions of a task onto mass storage (to free  main 
memory  for a high priority  user). 
104 
I 
(7) Mass storage allocation. Scratch and permanent files 
are assigned  space as files are opened or expand. Mass storage  handlers are  
required  (access method) to  interface  users. Multiple access methods  may be 
required  to  support  various functions  (experiment vs. display  requirements,  for 
example). 
(8) Fast buffer assignment. Some portion of high speed 
memory is required  for  temporary  buffers.  These  buffers  are  seized and 
quickly released by the fast buffer  assignment module. 
(9) Overlay manipulation. A comprehensive  overlay struc- 
ture will  be  required due to  the  size of application tasks in a multiprocessing 
. structure. A segment directory will be supported. 
(10) Memory protection. The security of program files, 
tasks, and data is basic  to  the  reliability and safety of the  entire  system. The 
hardware  design will constrain  the  procedures  necessary  for maintaining pro- 
tection. For example, memory  organization protektion keys can be hardware 
implemented; memory  protection  passwords can be  software implemented. 
(11) Request processor. A module to process all supervisor 
calls. It decodes  requests  for  services and links  to  the executive  routine spe- 
cified. For example, an  acronym  such as EXIT would generate a trap o r  inter- 
rupt  to  the  request  processor which would link to  the  termination  procedure. 
b. Input/output control services (IOCS). Input/output requests 
will  be processed by the  supervisor.  This may be accomplfshed by macro  call 
or  micro coding. The functions required are: 
(1) Request queueing. If the requested service is not avail- 
able, it is added to a priority queue. 
(2) 1/0 handler. The 1/0 handier establishes the connec- 
tion between the  device and the channel. 
Initiator. The initiator determines that the task can 
legally access the  information and satisfies addi- 
tional  constraints  such as buffer area  requests. 
0 Continuator. The continuator  supports  the  data 
transfer with error  recognition, recovery proce- 
dures, and termination  procedures. 
105 
(3) Data bus control. The data bus scheduler will poll o r  
capture (via interrupt)  the common data bus. The  scheduler  will implement a 
control  algorithm  to  maximize  the  effective  use of the bus. 
c. System monitoring. Functional requirements include support 
to output, record, and  maintain  status of anomalies  detected by the checking 
procedures.  The following specific functional requirements  must be satisfied. 
(1) Alarm history maintenance. Status tables must be 
initiated and updated. These  tables will indicate: 
0 Present  alarms in  system. 
0 Present  alarm notification/recognition. 
(2) Alarm output control. This requirement will be met 
by logical  procedures to: 
0 Determine alarms  requiring output. 
0 Alarm  message  formatting. 
0 Alarm  message output. 
(3) Alarm  history recording. This  requirement  indicates 
the following: 
0 Upon demand, the tables of system alarms 
will be  interrogated. 
0 Alarm history output messages will be 
formatted. 
0 Alarm history message will be output. 
d. Computer system performance monitoring and logging. 
Functional requirements a r e  satisfied by a combination of hardware and soft- 
ware. Meeting the functional requirements  can  be  critical  to  system design. 
106 
J 
Hardware  and  software triggers must  be provided to  gather  the following 
statistics: 
0 Number of executive  requests. 
0 Number of bus  transfers. 
0 Average  bus data volume. 
0 Percent ALU utilization. 
0 Percent  main  memory utilization. 
0 Error frequency count. 
a Failure count. 
e. Error recognition. Functional requirements will  be satisfied 
by a combination of hardware and software techniques.  Requirements  can be 
categorized as follows: 
(1) Hardware. Requirements include: 
0 Fault  interrupts. 
0 Parity  generated  interrupts. 
0 Illegal attempts to execute privileged 
instructions. 
0 Protect violations. 
0 Overflow/underflow. 
0 Other  techniques TBD. 
(2) Software. Requirements include: 
0 Longitudinal record check for parity. 
0 Testing access keys for protected files. 
0 Testing format of system calls. 
107 
0 ffBusy'f  returns. 
0 Analysis of data formats where possible. 
0 Diagnostic countdown will be required to 
detect malfunctions such as endless loops 
or stalled  peripherals. 
f. Failure detection and recovery. Functional requirements will 
be met as  follows: 
(1) Fault interrupts. Where possible hardware faults will 
generate  an  interrupt. The monitor  system will be responsible  for  directing 
execution of the  appropriate module to  perform  recovery  procedures. 
(2) Limit checks. The monitor system will cause limit 
checks  to  be  performed on critical variables.  Limit  violations  will  indicate 
malfunction and appropriate  recovery  routines will be invoked. 
(3) Errors. As is discussed above, there are error detec- 
tion procedures. Some of the errors  are generated by hardware  failures. 
Where this is the case, e r ror  detection and failure  detection a re  identical. 
(4) ,Transient failures. Requirements are that transient 
failures-  must  be  separated  from "hard" failures.  Different  recovery  action is 
taken  in  each case. For the case of transient  errors, the appropriate  recovery 
action  may be merely  to  record  the  fact  that  the  failure  has  occurred.  For  hard 
failures,  recovery  procedures involve graceful  degradation or  reduced system 
capability  until  the  failed item is replaced. 
(5) Restart  after  failure.  Recovery  requirements include: 
0 Initialization. For  certain classes of failures, 
this is the only alternative. It is a cold start ini- 
tialization of the  failed  sub-system or system. 
0 Checkpoint. This functional requirements is met 
by taking  snapshots of the  system  during operation. 
That is, periodically, critical parameters  are 
sampled and stored. In the event of failure,  the 
system is reconstructed by returning  to  the previous 
checkpoint and restarting using  values of critical 
parameters  at  that  time. 
108 
3. GNC Executive. A system of executive  control  programs will 
be 'developed to  support the GNC application functions. The  executive  software 
will include  the following functions: 
a. System control function. The GNC control function is limited 
to.scheduling.  made up of several  control modules: 
0 Task coarse scheduling. Makes a new task or  module 
available for execution. Entries  to the coarse  scheduler 
may be by interrupt,  time  control o r  DMS command. 
0 Facilities inventory. Maintains the  status of all sub- 
systems  interfaced or  required by GNC functions. 
0 Dynamic memory  allocator.  Assigps  memory  to appli- 
cation  tasks. Prepares switch list to  direct ALU time. 
b. Task-to-task calls. Interfaces interaction between application 
programs. For  example, updating ephemeris  tables  from new calculations o r  
from ground transmissions. 
c. Program timed request control. Support for real-time clock 
and mission  timeline demands. 
d. Priority interrupt processing. Interpretation of interrupts 
and signalling  affected modules. 
e. Task  termination/suspension. Wrapping-up completed programs 
(return  resources  to  facility inventory, memory  to the memory  allocator).  This 
is also  required  in  order  to  temporarily  defer a program's execution. 
f. Overlay manipulator. Some of the larger application functions 
may require  overlays  (trajectory  calculations, for example). 
g. Request processor. Decodes and schedules routines to satisfy 
inputs from  the DMS or  ground control. 
h. 1/0 operation and control ,services. 
0 I/O request scheduling. Conflicting requests  for  data 
bus and subsystems will be queued until  the  resource 
can be allocated. 
109 
1/0 control. Modules will be required to initiate 1/0 
transfers and to  support  transfers  to completion. 
0 1/0 device  handlers.  The  lowest  level  interface  handlers 
will  be  required  to  perform all hardware-related func- 
tions (such as er ror  recognition and retry). 
0 Data link control. Due to the common  bus technique, 
the GNC system could directly  utilize  the  data link o r  
it could use  the DMS services  for  this function. 
0 Communication handling. The  xecutive will provide 
communication interface  to all other  systems and sub- 
systems. 
i. System monitoring. The configuration will monitor itself and 
record any alarms. In the event of a hard  failure,  the  failing redundant proces- 
sor will be  determined and replaced. In the  event of complete loss during 
critical  maneuvers, a multiprocessor will be  interrupted  for backup. 
j. Performance monitoring. This function requires maintenance 
of at least  the following: 
0 Number of executive  requests. 
0 Number of bus  transfers. 
0 Average  bus  data volume. 
0 Percent of ALU utilization. 
0 Percent main memory utilization. 
0 Error frequency count. 
0 Failure count. 
k. Error recognition and recovery. 
(1) Program  error detection. 
0 Incorrect 1/0 request. 
0 Busy return. 
110 
0 Incorrect format. 
0 Non-convergent process. 
0 Error recoveqf sequences. 
0 Parity error  recovery sequence. 
(2) Failure detection and recovery. 
0 Hardware diagnostics. 
0 Fault isolation. 
0 Spare  switching. 
0 Degraded  mode  operation. 
0 Restart sequence. 
1. Configuration control. Units of the configuration will be re- 
moved by failure o r  for maintenance. The executive will maintain knowledge of 
the  viable  configuration. 
111 
I 
4. Biomedical Executive. A dedicated  computer is provided for con- 
trol of biomedical  data  acquisition,  control and display.  The  Biomedical  Super- 
visor  will  require  real-time  capabilities, but not all of the  sophisticated  opera- 
ting system  devices employed in  the  multi-processors.  Almost all of the  experi- 
ments and analyses  require manual  intervention  to set up and perform.  That 
is, most require  an  astronaut as part of the  experiment (5). 
The  Biomedical  Supervisor  must  provide  support to  satisfy  the following 
functional requirements. 
0 On-board checkout. 
0 Data  acquisition. 
0 Data management. 
0 Monitor system  services. 
A s  is seen above, the functional requirements  dictate a real-time manage- 
ment information and control  system.  This  system  class is characterized by: 
0 Stringent response  time  requirements. 
0 Many concurrent  activities. 
8 
0 Varying importance of activities. 
0 Slow speed  (relatively)  peripheral devices. 
0 High degree of interaction of activities. 
Experience has shown that the following capabilities are  necessary  to 
satisfy  requirements with the above characteristics: 
0 Priority  interrupt  structure. 
0 Priority level independent of priority 
hardware  structure. 
0 Capability to selectively inhibit interrupts. 
0 All  communication with 1/0 devices via 
the  supervisor. 
112 
. . .. 
0 Privileged mode of operation (i. e., privileged instruction 
repertoire). 
0 Memory protect facilities for task and data protection, and 
0 Variable program priority level (dynamically variable in 
real-time under application, executive, o r  event occurrence 
control). 
Functional requirements a re  derived  from  the following sources: 
a. Hardware. 
(1) Multiplexer  control.  Functional requirements are to 
handle the interface with sensors and output devices. 
The following requirements  exist: 
(a) Analog/digital scan. 
0 Sensor  selection. 
0 Input value. 
0 Convert to digital, if required. 
0 Limit check. 
0 Alarm  anomalies. 
(b) Analog/digital output. 
0 Select output device. 
0 Transmit output value after converting 
to  digital value, if required. 
0 Output checking and alarming may be 
required. 
(2) Mass store control.  Functional requirements  are: 
0 Analyze requests. 
113 
0 Determine  addresses in main store and 
bulk store. 
0 Allocate  storage, if required. 
0 Perform  transfer. 
0 Perform  rudimentary  error check. 
0 Perform  appropriate exit. 
(3) Display  control.  Functional  requirements are: 
0 Initiation. 
0 Update. 
0 Formatting. 
0 Possible  calculations TBD. 
(4) Data bus control. Functional requirements are to pro- 
vide support  for  receipt and transmission of messages via the  data bus. The 
following specifics a re  required: 
(a) Message  receipt  initiation. 
0 Buffer  assignment. 
0 History table initiation for message. 
0 Error  check. 
@) Message  receive continuation. 
0 Error  check. 
0 Data storage. 
0 Message termination  control. 
0 Maintain count of messages received. 
114 
are : 
(c) Message  transmit. 
0 Initiate control codes. 
0 Continue upon receipt of acknowledgment. 
0 Accounting procedures for message 
termination. 
0 Maintain control count of messages sent. 
(5) Operator  interface control.  Functional requirements 
0 Detect operator  request. 
0 Analyze request. 
0 Respond to  request  analysis. 
(6) Input/output control.  Functional requirements  are: 
(a) 1/0 initiation. 
0 Request  analysis. 
0 Buffer  assignment. 
0 Formatting. 
0 Device selection. 
0 Transmission of initial character. 
(b) 1/0 continuation. 
0 Character output. 
0 Logic associated with termination 
conditions. 
0 Special criteria may be required 
for  message  analysis. 
115 
(7) Resource allocation.  Functional requirements are: 
(a) Competing demands. Resolution of request con- 
flicts  for  the following resources: 
0 Mass store. 
0 Main store. 
0 Data bus. 
0 Displays. 
0 Magnetic tapes, if present. 
0 Other  peripheral  devices. 
(b) Accounting for  available  resources. 
(8) Interrupt  service. Functional requirements  are: 
0 Save critical  registers and main storage 
for  interrupted  program. 
0 Analyze cause of interrupt. 
0 Invoke appropriate  servicing modules. 
0 Restore  pre-interrupt conditions. 
(9) Error detection,  analysis and recovery.  Functional 
requirements are: 
0 Determine  experiment  status. 
0 Isolate malfunction. 
0 Determine  r medial  ction. 
0 Cause remedial  action  to be displayed. 
(10) Alarming.  Functional requirements  are: 
0 Maintain tables of alarms  present and 
output. 
I- 
o Format  larm  essages. 
0 Cause output of alarm  messages. 
0 Record alarm  achowledgment. 
b. Applications support. The following functional requirements 
a re  derived from  the  interaction of the  hardware  architecture and the applica- 
tions  requirements placed upon the  hardware: 
(1) Experiment  support.  Functional  requirements  are: 
(a) Human interaction capability. 
0 Display functions. 
0 Input console functions. 
(b) Data processing capability. Large volumes and 
rates of data a re  expected for some biomedical functions. Supporting applica- 
tion functions include: 
0 Information attrition. 
0 Data reduction. 
0 Mass  tore functions. 
0 Magnetic tape  functions. 
(2) File management. Functional requirements are: 
0 Address  egment by name. 
0 Storage  allocation by system. 
(3) Inventory  calculations.  Executive  functional  require- 
ments are satisfied by considerations  already  discussed (file management  and 
human interaction/control). 
(4) Task execution. Functional requirements  are: 
0 Priority  request queue control. 
117 
0 Complete resource  allocation and 
linkage. 
0 Initialize  program module. 
0 Cause module execution. 
(5) Task scheduling. Functional requirements  are: 
0 Append requesting module to  appro- 
priate  priority  thread. 
0 Perform  necessary housekeeping to 
maintain thread  integrity. 
(6) Task  termination/suspension.  Functional  requirements 
are  : 
0 Remove module from  request  hread. 
0 Perform  appropriate housekeeping to 
maintain  thread  integrity. 
0 Program control is relinquished for  task 
suspension, but the module is not removed 
from the request  thread. 
(7) Queue maintenance.  Functional requirements  are: 
(a) Lists. 
0 Initialize. 
0 Append, insert .or remove items from 
list. 
0 Perform  logical  operations  associated 
with  termination. 
@) Buffers. 
0 Initialize, i. e. , determine size and 
location. 
118 
0 Read/write  data  into  buffer. 
0 Perform logic associated with 
termination. 
(c) Tables. Current values of selected system param- 
eters such as  tuning constants,  masks,  semaphores,  assignments,  etc. , must 
be maintained. 
(8) Management  information.  Functional requirements  for 
support  have  been  satisfied by previous  discussion.  Actual  management infor- 
mation system is an  applications function and is not studied in  this  report. 
(9) Summary. A s  is seen above, the  functional require- 
ments  for  the Biomedical Executive are  similar  to functional requirements  for 
a real-time management  information and control  system. 
(a) The monitor must provide support for: 
0 High data  rate experimentation. 
0 Data call-up  services. 
0 Astronaut  computer  system  interaction. 
(b) Functional requirements for support of these 
functions a re  derived  from  the following considerations: 
0 Hardware. 
0 Applications requirements-hardware 
interaction. 
119 
D. Executive System Performance Requirements 
Executive system  performance  requirements are not well defined at this 
time. However, some performance constraints can be found. There are two 
sources of performance  requirements;  internal and external functions. The 
f inal  measure of performance is the  capability to  support  the  required  tasks 
within the  constraints of accuracy,  timing,  control,  flexibility, and reliability. 
The  most often stressed performance  requirement  concerns  reliability and con- 
figuration control. At  least one level of fail  operational with the second failure 
fail-soft for  mission  critical  elements  are  firm  performance  standards. 
1. System  (Internal) Performance. The Software Requirements 
Document (4) specifies  system  performance as the  capability of processing 
information and displaying/transferring  data  to  satisfy  system functions. Per- 
formance  requirements  for  internal functions should take  the  form of specifica- 
tions  for individual elements: 
0 Available resource assignments (i. e., ALU time, main 
memory, bulk store). 
0 Accuracy. 
0 Input/Output rates and volumes. 
0 Frequency of execution. 
0 Duration of execution. 
The sum of these individual performance  measures should be  the  over- 
all system performance requirements. System performance is measured  also 
in a larger  sense  for: 
Responsiveness. 
Interface difficulty. 
Flexibility. 
Maintainability. 
Reliability. 
Modularity. 
Overload handling capacity. 
120 
- 2. Subsystem  (External)  Performance.  Subsystems (biomedical, 
experiment, GNC, etc. ) have received a great  deal of study since they a re  
building blocks  that  interface  the  system  with  the real world. Our  concern 
is not with subsystem  performance per se, but with  performance  forcing 
factors at the executive  interface. 
Some of the  factors  that  impact heavily upon performance have been 
estimated. For example, data rates and subsystem interfaces produce loads 
upon executive  control programs. A minimum  performance  requirement is 
thus  established that executive services  be  capable of satisfying  these demands. 
The  executive  functions of hardware/software  interface,  resource al- 
location, checkout and application  program  supervision a re  performance 
dependent upon several factors. Some of these factors are: (1) interface 
functions, (2) subsystem  control and data rates, and (3) execution speed. 
a. Supervisor - hardware  interface. Major interface functions 
are identified  in  Table III. D. 1 as  extracted (4) from Volume 111, Software 
Requirements Document. The interface points between functions/sensors/ 
subsystems and on-board executive supervisors are supported by 1/0 handlers 
and interface  routines. Data captured  from  the  interface  handlers is made 
available  to  the on-board supervisors (as marked). 
Digital  data interfaces are  further defined (6) in Table III. D. 2 excerp- 
ted from Appendix A, Data Acquisition  Subsystem Trade Study. The sources, 
data  rates,  data  descriptions, and the quantity of each are listed. 
b. Subsystem control and data rates. Considerable work has 
been done toward definition of data  requirements (collection and storage) 
for experiments. A great  deal of historical information is available on GNC 
data  requirements. The following (6) is a summary of the  available  current 
hardware  performance  requirements which will impact  the  executive  software 
design. 
(1) Data  acquisition. 
Signal conditioning. Conditioning of input 
signals ranging from 5 volts  to 20 millivolts, 
4 gains (1 to 250) programmable  by  command. 
Multiplexing. Sequential and random access 
of channel inputs. 
Formatting. Capable of operating under 
software control. 
121 
Onboard 
Interface Functions 
A. 
B. 
C. 
D. 
E. 
F. 
G. 
H. 
Vehicle Sensors 
1. Space  Station Performance 
2. Space Station  Status 
3. Experiments Data 
4. Navigation 
5. Acceleration 
6. Rendezvous 
7. Tracking 
8. Balance 
Space  Station Communications 
1. Displays 
2. Indicators 
3. Switch/Keyboard Inputs 
4. Printer 
5. Terminals 
Vehicle  Controls 
1. .Balance 
2. Subsystem 
3. Colzfiguration 
4. Maneuvering 
5. Target Acquisition 
6. Stimuli 
Instrument Landing System (ILS) 
Automatic Landing System (ALS) 
Free Flying Module (FFM) 
Personnel 
Ground Control Uplink/Downlink 
INTERFACE IDENTIFICATION 
Table III. D. 1 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
\.. . 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
I_ 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
- 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
X 
- 
DATA RATE 
____ ~ "- 
5.1 Kbps 
5.1 Kbps 
0.76  Kbps 
167.03 Kbps 
5.60 Kbps 
5.1 Kbps 
10 Kbps 
50 Kbps 
1000 Kbps 
50 Kbps 
SOURCE 
Remote Data Acqui- 
sition Units (RDAU) 
RADU 
Subsystem 
Processor 
Integrated  Experi- 
ment Processors 
Integrated  Experi- 
ments 
RDAU 
Command Receiver 
Transponders 
R F  receivers  or 
docking ports 
R F  receivers 
. DATA DESCRIPTION 
Subsystem mission Data 
Subsystem checkout data  for 
Space Station Subsystems without 
dedicated processors. 
Subsystem checkout data  for 
Space  Station  Subsystems with 
dedicated  processors. 
Scientific  experiment data  from 
Integrated  experiments with 
dedicated processors. 
Scientific  experiment data  from 
integrated  experiments without 
dedicated processors. 
Checkout data  from.  integrated 
experiments without dedicated 
processors. 
Digital commands  to or from MSFN, 
orbital tug, DRSS, ALShLS. FF 
module (4), attached module (3) , 
remote  sub-satellites (2). 
Tracking  information  to or from 
MSFN, orbital tug, DRSS, 
ALShLS, FF module (4), remote 
sub-satellites (2). 
Digital wide  band data  to  or  from 
MSFN, DRSS, FF experiment 
modules  (4),  attached  modules (3) , 
and remote  sub-satellites (2). 
Digital narrow band data  from 
orbital  tug, ALS/ILS 
Astronaut EVA. 
~- - 
DIGITAL DATA INTERFACES  TO DATA TERMINALS 
Table III. D. 2 
123 
Analog-to-digital. 8-bit accuracy. 
Limit checking. Capable of parallel bit-by- 
bit  comparison of 8-bit digital words. Able 
to  generate out-of-limit flag upon non-compari- 
son of any  given word. 
Address decoding. Provision for decoding 
terminal channel and word  addresses. 
Timing. Programmable clock rates. 
Buffering. Modularly expandable. Storage 
periods  (capacity divided by input data  rate) 
in excess of bus polling periods or  interrupt 
driving intervals. 
(2) Data distribution. 
0 Addressing. Ability to address up to 256 
independent devices. Transfer data at com- 
posite rate greater than 50 megabits  per 
second. Ability to  address up to 64 channels 
within a terminal. Provisions to include 
information  transfer between data terminals 
under computer control. Provision to allow 
information transfer between data  terminal 
and computer under computer control. Man- 
ual  interrupt should acquire data  bus  in less 
than 1 second. 
Decoding. Control word to consist of 32 
bits. Data words to consist of 16 bits. 
0 Error detection. Minimum receiver signal- 
to-noise ratio (S/N) of 13 db for analog data 
channels. Minimum receiver S/N of 29 db 
for video channels. Elemental bit error 
rate of to 10-6. Probability of undetected 
error  less than Message  blocks  tobe 
rejected if the  bit  error  rate is exceeded 
within the  message period. 
124 
(3) Data storage. 
0 Digital  recording. Bit packing densities of 
16 x lo3 bits/inch/track. 28 tracks/recorder. 
Data capacity of l o l o  bits minimum per re- 
corder. Estimates are   for  state-of-the-art 
devices  for 90 day storage of 7.97 x lo9  bits 
per day. 
0 Video recording.  Frequency  response 
-4.5 MHz -3 db. Record  time 3 hours mini- 
mum. 
0 Digital data retrieval. Maximum time re- 
quired  to  locate a given starting  address  label 
to average 10 seconds. 
0 Image  processing.  Control and calibrate ex- 
periments. The following applications may 
be beyond practical  physical  limits (power, 
weight, and volume): image viewing, selec- 
tion, and editing; manual enhancement, selec- 
tion and filtering. 
o Subsystem (computation) support. Continu- 
ous computation support  shall  be provided 
in  the event of component failures. Capa- 
bility  shall  decrease  gradually  in  the event 
of failures. Redundant subsystem control 
will be physically separated by one space 
station deck. Capability shall  be provided to 
replace  the  programs  stored  in  volatile  pro- 
gram  store by programs  from  auxiliary 
storage. Capability for quick and delayed 
time  program changes by ground personnel. 
Provision for selection of operating  modes 
and data readouts by crewman. Access to 
DMS computer from both control and remote 
control console. Uplink capability of 120 
kilobits per second digital data. Downlink 
capability of 120 kilobits per second  plus up 
to 10 megabits  per second on a time-shared 
basis. 
125 
0 Digital data (total peak rates). 805 sources 
of mission  data; peak rate 60 KBS. 3296 
sources of experiment  data; peak rate 22 IMBS. 
4450 sources of checkout data;  peak rate. 
175 KBS. 
0 Digital data (total average rates). 804 sources 
of mission  data 60 KBS. 3296 sources of 
experiment data 11.5 MBS. Since GNC data 
normally is processed within the GNC sub- 
system  computer, checkout data will average 
approximately 115 KBS. 
The data  acquisition  requirements have been summarized (6 )  by sub- 
system,  Table 111. D. 3 (extracted from Appendix A, Space Station DM3 Sub- 
system  Requirements). The  table  illustrates loading factors  that  specify 
control  program  performance  at  subsystem  interfaces  for  number of test 
points and for  average  data  rates.  These do not represent  subsystem  per- 
formance o r  total  data  acquired, but only that  data  acquired by the DMS. 
c. Execution Speed.  Speed of execution,  main memory re- 
quirements, and auxiliary  storage  requirements have been estimated (5) for 
some major functions. These may not be performance  requirements,  rather 
performance estimates. However, they illustrate a speed to storage rela- 
tionship  that  may be of design value when trading-off speed vs. memory opti- 
mization  techniques  (Table III. D. 4, as  taken from Appendix A l ,  Space Station 
DMS Subsystem  Requirements). 
The  collection of available  estimates  that  constrain  performance will 
be of value  in the executive  design phase. These  estimates will  greatly 
assist in trading-off design  concepts including data management, queue con- 
trol and scheduling  procedures. 
126 
SPACE  STATION  SUBSYSTEM  DATA  ACQUISITION  REQUIREMENTS 
Subsystem Name 
Guidance  and  Navigation 
Power 
Reactor 3 50 
Solar Array and Batteries 450 
Distribution 200 
Data Management System 
Communication 
EC/LS 
Structures 
Attitude  Control 
Propulsion 
Crew  System/Docking 
Total 
Checkout  Data Requirements 
Number of 
Test Points 
500 
1000 
7 50 
42 5 
3  55 
190 
470 
550 
305 
4550 
Data Rate 
bit/sec 
(Average Rate) 
60.5 x 10 
16.89 x 10 
3 
3 
13.58 x 1 0  
4.648 x 10 
4.99 x 10 3 
3 
3 
2.334 x 10 
6.1 x 10 
66.73 x 10 
3 
3 
3 
175 x 10 3 
-. 
Mission  Data Requirements 
Number of 
Test  Points 
95 
200 
75 
50 
90 
20 
85  
100 
35 
805 
Data Rate 
bit/sec 
7.6 x 10 38 
I 
4 x 10 
7.2 x 10 
1 . 5 ~  10
6.8 x 10 
8 x 10 
2.8 x 10 
3 
3 
3 
3 
3 
3 
- 
60 x 10 3 
Table ID. D. 3 
FUNCTION 
SUBSYSTEMS 
MASTER EXECUTIVE 
ONBOARDCHECKOUT 
NAVIGATION  AND  CONTROL 
SUBSYSTEM  CONTROL  AND 
PROCESSING 
MISSION SUPPORT 
CREW  SUPPORT 
EXPERIMENTS 
_EXPERIMENT  SUB-EXECUTIVE 
EXPERIMENT  CHECKOUT 
EXPERIMENT  CONTROLAND 
PROCESSING 
EXPERIMENT  SUPPORT 
TOTAL 
MAX 
SPEED 
(KOPS/SEC) 
60 
65 
200 
100 
5 
2 
60 
35 
800 
5 
1,132 
MAIN  STORAGE 
(INSTRUCTIONS 
AND  DATA) 
(K WORDS) 
20 
20 
48 
30 
5 
4 
20 
16 
80 
5 
681 
COMPUTER  SUBSYSTEM  PERFORMANCE  REQUIREMENTS (6) 
Table II. D. 4 
AUXILIARY 
STORAGE 
(K WORDS) 
" 
58 
" 
" 
4 02 
24 
" 
17 
6,000 
350 
6,851 
128 
REFERENCES 
1. Space  Station  Definition, Vol.  V, Subsystems, Book 4, Electronics. 
MSFC-DRL-160 Line  Item 8 (MDC GO605), McDonnell Douglas Astro- 
nautics Company, July 1970. 
2. Space Station Phase B Study Results, GPSS/360 Data Flow Simulation 
Model. IBM Presentation, IBM Corporation, August 12, 1970. 
3.  Space  Station Definition, Vol. V, Subsystems, Book  3, Information 
Management. MSFC-DRL-160 Line Item 8 (MDC GO605), McDonnell 
Douglas Astronautics Company, July 1970. 
4. Space  Station Development Definition, Vol. III, Software Requirement 
Document. MSFC-DRL-160 Line Item 18 ( M E  G0544), McDonnell 
Douglas Astronautics Company, May 1970. 
5. Space  Station Data Management System  Subsystem  Requirements, 
Appendix 1. IBM Preliminary Documentation of Space  Station  Require- 
ments, IBM Corporation, 1969. 
6. Space  Station Definition, Vol. V, Subsystems, Book 4, Electronics, 
Appendixes A through D. MSFC-DRL-160 Line Item 8 (MDC G0605), 
McDonnell Douglas Astronautics Company, July 1970. 
129 

SECTION IV. EXECUTIVE DESIGN REQUIREMENTS 
A. General 
This  section  discusses  guidelines,  objectives, and standards  that will  
form the  methodological baseline  for  executive  systems functional designs 
to be  developed in  accordance  with  the  report. The purpose of specifying 
design  requirements is to  insure  that  certain  design  objectives not directly 
related  to  system function or performance  are  met. In order  to  establish 
a framework of clarity with regard  to  the  approach  taken  here and elsewhere 
in this report, it is necessary  that a good understanding of the  objectives of 
the  design  effort  prevail. 
The primary  purpose of the design is to  provide  a  functional  descrip- 
tion of the  shuttle and station  executive systems  in  sufficient  detail so as to 
enable  subsequent  development of a comprehensive  deterministic  model and 
digital  simulator for these  systems.  The  design  therefore is directed not so 
much toward forming  the  basis  for  further  system development (e. g. , detail 
design), although it certainly will satisfy  this need to  a large extent, as it is 
directed  toward  forming  the  basis  for  the  understanding so necessary  to  sim- 
ulator  realism. A s  a result,  the  design will likely, on the one hand, be more 
tutorial  than  absolutely  necessary and may not outline, on the  other hand,  de- 
tails that could not be modeled feasibly  even if they  were outlined. 
With these thoughts in mind, care  has been taken to insure  that  certain 
information will  be provided in the  overall  design documentation and that  this 
information will be  presented  in  a way that will simplify the extraction of 
executive  features  that are  of major  concern  to  a  simulation  effort. 
The  topics of concern in this  design  requirements  specification  are: 
0 Procedure Design, 
0 Data Design, 
0 Level of Design Detail, and 
0 Design  Evaluation and Comparison Methodology. 
Procedure,  in  the  context of the  specification, is taken  to  mean  a 
logical  algorithm, or set of precisely defined rules, for performing an 
131 
arbitrary function. While the  prevailing  assumption is that  procedures will 
be  fabricated or implemented  in  the  form of computer  programs, they are 
certainly not restricted  to  this  interpretation  since a digital  logic  circuit or 
logic  control  store would suffice  and,  in many cases,  actually  be  preferable. 
While system  data are frequently given little or  no concern,  history 
supports  the  fact  that  this is a gross  error of omission. Indeed,  given a 
set of functionally sound procedures  that  constitutes an  executive,  the sta- 
bility and credibility of the  executive is completely  determined by the  nature 
and structure of data.  The  specification  therefore  addresses  the  treatment 
of data in a design  effort. 
"Level of software  design  detail" is not a  concept that can be  speci- 
fied  numerically or with precision  as is the  case with digital  logic  circuit de- 
sign. For instance,  a  logic  designer has a clear  image of the  required  level 
of detail i f  he is to work to  the  "gate  level. No such  definitive  boundary exists 
in  the  software  realm.  There is a distinct  boundary  imposed at the  "instruction 
level,  but even this familiar boundary is becoming  defocused by trends  in 
microprogramming.  The  specification technique  used in  this  report is to out- 
line a priori functions and modules to  be included  in  the  design. 
One of the major  concerns of the design  effort will be  to  present in- 
formation  in  such  a way as  to  facilitate  subsequent evaluation of the  design 
through analysis of the  r7paper1'  design  to  augment  the planned simulation 
effort.  To guide this  aspect of the  design,  certain evaluation cri teria  are 
defined to  insure  that  the  design documentation enhances evaluation. Having 
defined criteria  for  measurement of values,  it is possible  to  contrast two de- 
signs by comparison of the  measures. A methodology for  this  comparison is 
discussed  as the  final  design requirement  specification. 
B. Procedure Design Requirements 
The report is concerned here with outlining a set of procedure  attributes 
to  be  determined  during  design, a standard  format  for  the  description of all  pro- 
cedures, and a set of a priori  system  parameters which can  be  measured and 
recorded  numerically by the  cognizant procedures  in  order  to  evaluate  system 
performance. 
1. Attribute Specification. Form 1 is provided as a preliminary ve- 
hicle for  concisely  recording  selected  attributes of procedures.  The  attributes 
included in  the  form are defined as follows. 
132 
... . " ~ . . .~ ~ . "_ ~ ~ 
1. Name: 
2. Size  Estimates: 
a.  Code: 
b. Local.Data: 
3. Relative  Statement Type: a. Cohputational: 
b. Logical : 
4. Execution' Condition: 
a. Frequency : 
b. Number of Operations: 
a.  Number of Loops: 
b. Number of Paths: 
c. Number of Blocks: 
d. Block Exit Density: 
a. Simple: 
b . Function : 
5. Complexity: 
6. Type: 
( 1) Integer: 
(2) Real: 
(3) Boolean: 
(4) Complex: 
(5) Special: 
7. Class: 
a. Reentrant: 
(1) Recursive: 
(2) Non-Recursive: 
b. Non-Reentrant: 
8. Priority: 
9. Development Time: 
10. Residence Requirements: 
11. Events Causing Execution: 
a. Procedures  that  Reference: 
b. Interiwpt: 
c. Queue Processing: 
d. Direct Call: 
- ~~ 
I 
PROCEDURE  ATTRIBUTE 
DOCUMENTATION FORMAT 
Form 1 
Figure IV. B. 1 
133 
a. Name. Each program is assigned a unique alphanumeric 
name.  The  name will be  sufficient to  locate and define  the module in libraries, 
internal  storage, or external  storage and is formed by the  rules  for  acronym 
definition (shown in  Form 2). 
b. Size estimates. Estimates are provided here for number 
of lines of code and space  required  for  local data.  Since no specific  word- 
lengths  in  bits are  assumed,  each  entry  provides a qualifier  that  can  be used 
to develop a  conversion  factor. All sizes  are given in  decimal, and lines of 
code are  qualified as  either  assembly code (ASM) or  problem  oriented  lan- 
guage (POL) code, such as FORTRAN, BASIC, etc. 
c. Relative statement type. The number of each different 
instruction  class is estimated (logical o r  computational). 
d. Execution condition. The frequency of execution (number 
of times  per second) and the  number of operations  per execution  (number of 
instructions executed per  call). 
e. Complexity. The complexity of a procedure is measured by 
the  number of loops,  number of paths,  number of flow diagram  blocks, and 
block  exit  density. These  factors  impact  design  intimacy, complication of 
coding, and thoroughness of checkout. The exit density  calculation will be 
a  valuable measure of complexity since it relates decisions and paths at 
module level. 
(1) Number of loops. The enumeration of repetitively 
executed sequences of instructions. Loop level is multiplied by the  number of 
loops at  each  level (1, 2, . . .) to account for  nestedness. 
(2) Number of paths. The number of transitions that can 
be  made  among procedure subdivisions. Thi.s is the  same as the  total  number 
of exits  from  all blocks. 
(4) Block exit density. Value of (2) divided by value of (3), 
f. Type. This attribute is specified by the usage. A procedure 
is either a simple  procedure o r  a function. 
(1) Simple. This refers to a procedure that accepts input 
parameters and returns output parameters only through use of a formal para- 
meter  list o r  through  global variables. 
134 
(2) Function. A procedure which accepts input through 
a formal  parameter list and returns a single output through a hardware 
register is a function. It may return an output that is . i n  the machine format 
of an integer,  real, boolean, complex, or special  variable. 
g. Class. Class is determined by the structure of a procedure 
and may  be non-reentrant/non-recursive (normal),  reentrant, or  recursive. 
(1) Reentrant. This is a procedure that can be called re- 
peatedly at any stage of execution and properly complete eich  call.  This . 
implies  that  the  program module may not be  dynamically modified and does 
not store  intermediate  results locally. 
(2) Recursive. A procedure which calls itself (through the 
use of push-down lists) is said  to  be  recursive. The call may be direct or in- 
direct through  another  procedure. A recursive  procedure is not strictly  re- 
entrant  since it can not be  called  at 9 point in its execution. It is however 
reentrant  in  the  sense  that the recursion is accomplished by repeated  calls to 
(reenters  at  the beginning) itself. 
h. Priority. An integer from 0 to n (where 0 is the highest 
priority)  that  indicates  the  estimated  relative  importance or urgency for execu- 
tion of this  procedure. 
i. Development time. The estimated man-months required for 
total  programming  implementation  (requirements andysis through  checkout, 
including documentation). 
j. Residence  requirements. Main memory allocation requirements 
for  procedures,  transient  areas,  overlays, ' and  bulk storage  considerations will 
be  estimated: an  indication of storage  requirements when the  program is m  a 
dormant state is included. 
k. Events causing execution. An indication of what event(s) 
must  occur  in  order to cause execution of the procedure is given. This should 
expose transition  routes among procedures and  show the  initiating  conditions 
and mechanisms  for  procedure  connectivity.  Examples are  direct  call by 
another procedure,  indirect  call by queuing, and interrupt activation. A list 
of the  procedures  that  reference this procedure is given. 
2. Documentation Standards. Form 2 is provided as a standard for 
describing all modules within the  design. It is shown as a  prototype to  make 
it self-explanatory. 
3. Performance Measurement. A list of a priori parameters is 
given below. Throughout the  design, this list will dictate  the  inclusion in 
certain modules of design  specifications  that add the function of sampling or  
measurement.  The  general  concept will include retrieval  from  storhge of 
135 
Procedure  Identifier: An upper case alphanumeric  mnemonic  identifier of un- 
limited  length is provided as a name. An acronym  for this identifier 
will follow the  name and be  enclosed in parentheses.  The  acronym is 
formed  by following a set of rules until  the  name has been  reduced to 
six (6) or fewer  characters  according to the  rules.  The rules are: 
1. If the name is six or fewer characters long, the acronym is the name. 
2.  Otherwise, beginning at the rightmost character in the name and work- 
ing leftward,  delete vowels  until six characters  remain  (in which 
case the  acronym  becomes  the six remaining characters) or  more 
than six remain. In the latter  case, again working from  right  to 
left, delete characters until six remain. the acronym is then 
these remaining characters. In forming the acronym, leading 
vowels are  treated  as consonants. 
Example:  INTeRRuPt (SNTRRP) 
Purpose: This is self-explanatory. A brief description sufficient to indicate the 
role of the procedure and its relation to other  procedures is given. 
Approach:  The design philosophy  and algorithms  for  performing  the intended func- 
tions are explained. This  includes a prose functional description of control 
considerations, flow diagrams, and a description of (local)  data  that a r e  used 
but  not described  elsewhere. Flow diagramming follows these rules: 
1. Control Flow - Solid line with arrow. 
2. Data Access/Store - Dash line with arrow. 
3. Procedure Entry Point - Call-by-name is indicated by a bubble; a 
keyed (interrupt/queue)  entry is indicated by a  double line with arrow. 
4. Off-Page Connector - Acronym.  alphanumeric. 
Local  data, i. e.,  data defined as  part of the body of the procedure, a r e  de- 
scribed  here. Global data  descriptions and descriptions of other  data de- 
fined external  to the body of the  procedure are provided on separate  sheets 
according to a  specified  format and are  merely  referenced  in the  approach. 
A discussion is given of special language features  that wil l  enhance pro- 
gram  development or execution by reducing core  requirements, execution 
time, coding, or linkage complexity. A list of useful macro instructions 
or kequently  used  procedures  (hardware  or  software)  that  will enhance 
program  preparation  and/or execution will be given. 
External  Procedures  Referenced:  The  names of all procedures  referenced by this 
procedure are itemized  here  as a linear list of names  separated by c o m a s .  
Called  procedures  that  execute  concurrently  (possibly) have their  names 
underlined. 
External Data Referenced:  The  name(s) of all  external  data  referenced by this 
procedure is itemized  here  as a list. A statement is included to show if a 
data  entry is added,  deleted or changed. 
FlJNCTIONAL  PROCEDURE  DESCRIPTION  FORMAT 
Form 2 
Figure W, B. 2 
136 
the  most  recent  value of the parameters followed by  action necessary  to  cause 
them  to  be  recorded on a mass  storage device or transmitted  to ground for 
subsequent analysis. The list is not necessarily exhaustive and may  be  modi- 
fied  during  design.  The  task  name &nd an event  identifier are assumed  to  be 
appended to all recording actions. 
a. Task activation time. This is the (real) time at which the 
system first becomes  aware  that a task  must  be executed. 
b. Task memory request time. This time is recorded each 
time a request  for  memory is made  either by or on behalf of a  task. 
C. Task memory assign time. This time is recorded each time 
a request for  memory  for  the  task is granted.  This is paired with its cor- 
responding  request time. 
d. Task memory request size. The size of a task  memory  re- 
quest is recorded  at  the  time of the  request and is associated with the  request. 
e. Task memory release time. When memory is released for 
a task,  the  time and size of the release  are  recorded. 
f. Task queued for execution time. The time when a task is 
queued, after  activation,  for  assignment of processor  time. 
g. Task first execution time. For each task activation, the 
time when the  task is first assigned  processor  time is recorded.  Processor 
identification is also  recorded. 
h. Task idle time. Each time a task ceases to use an asidbed- 
processor, but does not terminate  in  some  sense, the  event and time  are 
recorded. The deassigned processor is also recorded. 
i. Task reassigned a processor. Each time an idle task is 
reassigned a processor the time and processor  are  recorded. 
j. Task termination time. Time is recorded when a task 
terminates  in  some  sense.  The  deassigned  processor is also recorded. 
k. Supervisor request time. Each supervisor request will be 
identified and the  request  time  recorded. The servicing  processor will be 
recorded. 
1. Interrupt time. Each interrupt that occurs will be identified 
and the  time  recorded. The nature of certain high kequency  interrupts  may 
preclude  such  measurement under some conditions. In this case,  the  number 
137 
of occurrences will be counted by incrementing an associated  counter that can 
be  sampled  over  relatively  large  time intervals. 
m. Task  priority.  Task  priority will  be  recorded  at activation 
time and each tme thereafter when a  change occurs. 
n. 1/0 buffer. Each input/output supervisor request will cause 
originating  task  name, buffer size,  source  device,  destination  device, and 
transmission  media (channel, bus,  etc.)  to  be  recorded. 
C. Data Design Requirements 
The  need to emphasize  data  usage and structure policies  has been dis- 
cussed and should be  clear.  This  subsection  provides a discussion of those 
points of interest felt to be most  pertinent to data documentation. The class of 
data  to which these  comments  are  directed is what can be  referred to as ex- 
ternal  data.  That is, data which are defined to reside  external  to  the definition 
constituting  a  procedure body. Data defined strictly  local to a procedure, and 
therefore  referenced only by that procedure, are  discussed on Form 2. Attr i -  
butes and documentation are discussed. 
1. External Data Attribute Specificatkn. Form 3 exhibits a pre- 
liminary list of attributes  associated with external  data. The list is defined 
as follows : 
a. Name. A name uniquely identifying the data. It is formed 
in a  manner similar  to  that of a procedure  name. 
b. Size estimates. See "Size Estimate" discussion found on 
Form 4. 
c: Procedures that reference. This is a list of names of 
procedures  that  reference  this named  data structure. 
d. Reference frequency. This provides an estimate of the number 
of times  the  data  structure is referenced  in a specified  interval.  The type of 
reference is indicated by breakdown of the estimate into categories showing 
changes, additions (expansion), and deletions (compression). The estimates 
a re  dependent on the execution  frequency and logic of those  procedures  that 
reference  the  data. 
e. Structure type. The logical structure of the data is in- 
dicated by stating whether it is simple  (linear unconnected single  variables), 
138 
I 
1. Name: 
2. Size  Estimates: 
3. Procedures  that Reference: 
4. Reference Frequency: 
a. El.ement Changes: 
b. Element Additions: 
e. Element Deletions: 
5. Structure Type: 
a. Simple: 
b. Array: 
c. List: 
d. String: 
e. File: 
f. Record: 
g. Memory Map: 
EXTERNAL DATA ATTRIBUTE DOCUMENTATION FORMAT 
Form 3 
Figure IV. C. 1 
139 
/ 
I 
array, list, string, file, record, or memory map. Other types may prove 
of interest  as design  progresses. 
2. External Data Documentation Standards.  Form 4 delineates 
a prototype  documentation format  that is self explanatory. 
D. Level of Design Detail 
Level of design is implied  intuitively by delineation, below, of execu- 
tive functions to  be  addressed by the  design  effort and a  modular  organization 
list for  the real  time flight  executive system. The functions and modules are 
a priori in  nature having been derived  from  a  cursory  analysis  based on ex- 
perience. They a re  not intended to be exhaustive. 
1. Executive  Functions. 
a. System  control. 
(1) Scheduling. 
0 Device scheduling 
0 Task loading and relocation 
0 Main memory allocation  (dynamic) 
0 Task swapping (roll-out/in) 
Dynamic  dispatching (ALU) 
(2) Task-to-task call linkage. 
(3) Parallel task execution. 
(4) Program  timed  request  control 
0 Mission  time-line  controVinterpretation 
0 Watchdog timing 
0 Real-time  clock/interval  timing 
0 Subsystem stall  a arms 
140 
Data Identifier: A'mnemonic name with specifications  similar  to  those given 
for'nam.ing  procedures is provided. 
-pose: A brief  description of the  reason  for  specifying  these  data is provided. 
This should  include a discussion of usage.  Impbrtant  simple  variables 
will be  collected  together  in a single  description when their  logical  rela- 
tionships warrant. This format is reserved primarily, however, for 
descriptions of data  structures  such as files,  records,  memory'maps, stackr 
queues and packed word  components. 
Structure: A prose  description of the  specific  structure of the  elements of data 
and the reason for choice of this  structure,  unless no other choice is per- 
tinent, is given. A diagram showing the relations among components of 
the  data is included along with a description of each component. Structure 
can be simple, array, list, string, etc. 
Size  Estimate:  The  size of each component is estimated  in  number of bits. In 
the  case of components whose size is dictated  exclusively  by  hardware 
register  sizes or logic  functions, no size is given,  but the commonly ac- 
cepted register name (e. g. , accumulator,  index,  etc. ) or  logical function 
(integer  arithmetic,  floating point arithmetic,  character manipulation, 
etc. ) is indicated. A formula is also given which indicates  the  total  struc- 
ture  size in  number of bits as a function of register and logical function 
sizes. 
FUNCTIONAL EXTERNAL DATA DESCRIPTION FORMAT 
Form 4 
Figure IV. C .2 
141 
(5) Interrupt processing. 
(6) Task termination/suspensiOn. 
(7) Mass storage allocation (file control). 
(8) Fast buffer assignment. 
(9) Overlay (segment) manipulation. 
(10) Memory  protection. 
(11) Request (supervisor call) processor. 
(12) Device inventory. 
b. 1/0 operation and control. 
(1) I/O request scheduling. 
0 Request  initiation 
0 Request queueing 
0 Device and channel  allocation 
Channel or processor  program  generation 
(2) 1/0 device handling. 
0 Keyboard 
0 Teletype 
0 CRT systems 
0 Digital  contact closures 
0 A/D and D/A interface and multiplexing 
0 Error log and recovery 
142 
(3) 1/0 data transfer monitoring. 
(4) I/O system status monitoring. 
(5) I/O system status updating. 
(6) Symbolic 1/0 assignment. 
(7) Data movement control. 
0 CPU to subsystem (CPU or  other device) 
0 Up/Down link telemetry 
0 CPU to/from bus 
(8) Communication handling. 
0 Message  transmit 
0 Message  receive 
0 Message queueing 
c.  System  monitoring. 
(1) Anomaly/error alarm monitoring. 
0 Alarm output control 
0 Alarm  history  recording 
(2) Computer system  performance monitoring and logging. 
0 Executive requests  utilization and timing 
0 Number of bus transfers 
0 Average  bus  data volume 
0 Arithmetic logic unit utilization 
0 Main memory utilization 
143 
Error frequency count maintenance 
0 Failure count monitoring 
Queue lengths 
0 Channel utilization 
0 Device  utilization 
Interrupt  frequency 
d. Support  programming. 
(1) On-line error correction. 
(2) Program path reconstruction  (interrupt  history dump). 
(3) Contiguous listing of machine errors.  
(4) Program parameter modification. 
(5) Imbedded selective trace routines. 
e. Error recognition and recovery. 
(1) Program error detection. 
0 Incorrect I/O requests 
0 Requests for equipments already in use 
(busy return or  queuing) 
0 Incorrect  data  formats 
8 Incorrect  instruction o r  formats 
0 Unstable iterative or  non-convergent process 
(2) Error recovery/action sequencing. 
(3) Parity error recovery sequencing. 
144 
f. , Failure detection and recovery. 
(1) . Hardware  diagnostic  routine execution. 
(2) Diagnostic countdown. 
(3) Failure  recovery. 
Spare  switching  (reconfiguration) 
0 Degraded  mode  operation 
(4) Restart after equipment failure. 
(5) Configuration control. 
2. Executive Modules. 
a.  Master  control. 
(1) Mission phase control. 
0 Phase  termination 
0 Phase  initiation 
(2) Configuration mode control. 
0 E r r o r  detection/isolation 
0 Error recovery 
(3) Astronaut/pilot control. 
(4) Central interrupt control. 
(5) Mission schedule control. 
0 Schedule interpreter 
0 Schedule editor 
0 Subsystem supervisor  control 
(6) Device handlers. 
145 
Device availability  control. 
Device diagnostics. 
Request  processor. 
Message  initiation. 
CPU-CPU data and signal control. 
CPU-bus handler. 
b. Task  scheduler. 
(1) Priority recognizer. 
(2) Device availability queue control. 
(3) Main storage availability queue control. 
(4) ALU time queue control. 
(5) ALU time dispatcher. 
c. Main storage  control. 
(1) Task relocation control. 
(2) Task swap control. 
(3) Main storage allocation control. 
(4) Main storage  release  control. 
(5) Main storage protection control. 
d. Mass storage  control. 
(1) File directory control. 
(2) File allocation control. 
(3) File release control. 
146 
(4) File protection control. 
(5) File processor control. 
e. I/O communication  control. 
(1) I/O supervisor. 
(2) Input control. 
(3) Output control. 
(4) Command/control output director. 
(5) Display manager. 
E. Evaluation and Comparison Methodology 
Future manned space  flights will require a  higher  degree of autonomy 
and expanded reliance upon on-board computers than has been  exhibited by 
past and current  systems. The associated  increased computer responsibilities 
and capabilities  require an  executive  operating  system  that will  enhance every 
facet of the  mission.  This  subsection  discusses  methods for evaluating and 
thereby  comparing  these  operating  system  designs.  Because of the  extreme 
cost of implementing operating  systems to  an  acceptable  level of reliability 
and performance,  it is desirable to be  able to  evaluate  their design prior to 
commitment of funds and manpower. Analytical (relatively  inaccurate) and 
deterministic  (more  accurate)  simulation techniques  have  proven their value 
in forecasting performance. However, no suitable methodology exists for 
evaluating the features and scope of a  design  that exists  in a documented form 
only. For this  reason, the systems under discussion here are "paper" systems. 
That i s ,  they are  design  documents  (flowcharts and descriptions)  that are  
conceptual in  nature. It is quite  true that  concepts are  difficult to  compare. 
Many features of operating  systems are complex,  non-deterministic, and 
avoid measurement even on checked-out operating systems. However, paper 
operating  systems  can be evaluated to a degree and this  report wil l  describe . 
a  procedure for doing so. 
A preliminary list of evaluation criteria  has been developed as  part of 
the study. The list is exhaustive in that all  operating  system  features which 
reflect on total  mission  performance  can  be  represented. The criteria and each 
definition will  be  refined as the study progresses to  enable more comprehen- 
sive  system evaluations. 
147 
A comparative  analysis produces  guidelines and measures  for  deter- 
mining the  relative value of executive software and  computer  hardware config- 
urations. The hardware configuration has undeniable impact on the executive 
software. For example, software complexity may be greatly influenced by 
the  processor communication/isolation differences  basic  to  the  integrated vs. 
federated  computer  hardware  approaches.  Every  attempt is made  to  keep 
the  comparison criteria independent of computer  configuration to  prevent in- 
troduction of hardware  biases into the evaluation. Gross architectural fea- 
tures (such as number .. of - independent computers in a system), however, pro- 
hibit total independence. 
The analysis involved definition of comparison criteria, identifica- 
tion of comparable  system  features, and the investigation of the design docu- 
ments. The design documents a re  assumed  to include  flowcharts,  prose 
descriptions, and  programming  estimates  for  successive  levels of software 
definition. Ideally,  the  systems  to  be  compared should exist at the  same  level 
of definition for each  level of evaluation. 
Individual module descriptions a re  to be analyzed and compared on the 
basis of prototype or  generic  analytical and subjective  criteria. For example, 
comparison of the  number of instructions,  the  number of nested  loops, and 
the  number of submodules  (such as device  handlers) is a relative  enumeration 
technique. Estimates of certain  values,  such  as  program size, oan be based on 
recorded  values  for  similar  operational modules. Even though these  histori- 
cal values  may  pertain  to  very  different  hardware,  their  relative or ratioed 
values  can  be  useful  indicators. 
1. Evaluation. The following list itemizes  system  features which 
a re  for  the  most  part  intuitive  in  nature: 
0 Modularity 
0 Complexity 
0 Flexibility 
a Storage  availability 
0 Development effort 
0 Storage  requirements 
0 System integrity 
0 Reconfigurability 
148 
a Maintainability 
0 Performance 
In order  to understand  the  applicability of these  terms  to an  executive 
system and its functional  design  specification, we  must  iiiscuss  their meaning 
as applied to a software  system.  Before  proceeding with this discussion, the 
term  "architectural"  must  be defined with respect to software. 
llArchitecturell is taken to  be  that lohcal configuration or organization 
of computer  programs and hardware  as it appears to the  user of the configuration. 
The word ''logical" is underlined  in order  to emphasize  the  fact  that, 
to the  user,  the  system may  appear  to exhibit a very  different  organization 
than it actually  has in the view. of the  designer - whom we assume  has  the 
most  realistic and factual  vantage point. 
We now define the  intuitive features, making frequent  reference  to 
the concept of architecture.  Bear  in mind that architecture is relativistic 
in  nature and depends on the point of view from which the  organization is 
examined. Figure IV. E. 1 summarizes  these  features. 
a. Modularity. To the software designer, his system would be 
highly modular if it was  made up of a very  large  number of essentially autono- 
mous  subprograms. His ability  to alter small  portions of the  system would 
be enhanced to a large extent. We might compare an extremely modular soft- 
ware system with a digital logic design  based on discrete components. How- 
ever, in the  same way that  discrete  element  circuits have a high "overhead" 
in  the  form of large rise times, long delays,  and high packaging weights and 
volum'es, highly modular  software  systems  suffer  from high "overhead" in the 
form of time to link procedures, and storage  for  the code to accomplish these 
"housekeeping" chores. 
Obviously, in  the  same way that digital designers a re  trending away 
from  discrete components and  toward large  scale  integrated (LSI) circuits 
because of the  speed and mass/volume  advantages,  the  software  designer  must 
do the  same. However, while the  digital  designer is focusing his design ef- 
forts on packaging widely used high-level modules such a s  memory  modules, 
multipliers,  decoders, etc. , we must acknowledge that his efforts cannot be 
applied  to "one of a kind" hardware  devices  that do not use  the modules. The 
LSI packaging concept applies  in  cases  where  the module-level function is 
well understood;  and considerable  uncertainty still exists as to what functions 
to  modularize 1 
149 
SYSTEM EVALUATION 
FEATURES 
Reconfigurability 
System  Integrity 
Average  Functional Subroutine Modularit: 
Average  Functional  Macroinstruction 
Modularity 
Complexity 
Flexibility 
Storage Requirements 
Storage  Availability 
Development Eff 01% 
- 
BEST 
SYSTEM 
VALUE 
'?High?' 
Lowest 
Lowest 
Lowest 
Highest 
Lowest 
Highest 
Lowest 
SYSTEM FEATURE SUMMARY 
Figure IV. E. 1 
150 
Naturally the  same may be  said about software  modularization as we 
trend toward packaging larger  scale  software modules. In the digital logic 
world,  the logic  modules  become the building blocks for  the  system  architect. 
The  same is true  in  the  case of software.  The  architect  in  each  case  must 
place himself at  the vantage point of the  user  in  order to  design  a  system  that 
fits the  user's needs. 
The level of system  software  modularity  has  matured to a point com- 
parable  to  the  integrated  circuit of the  early 1960's. The system  software 
analogy to LSI will  not be  feasible  until  the  inherent  flexilility of micropro- 
gramming is applied to  the definition of high-level instructions  tailored to 
enhance  software  system design. Through this medium the  software  architect 
and designer can realize  the packing density  increase and time delay decrease 
so necessary  for  the achievement of a high degree of user-oriented  software 
modularity. 
Consider now the  measurement of modularity of a  system.  Clearly 
it is not desirable  simply  to have a large number of procedures,  since  this 
trends toward  a "discrete element"  design  approach. It is furthermore unde- 
sirable to have the  total  system  expressed as a single  procedure.  The latter 
is true because  some  degree of breadboarding will be required coupled with 
flexibility  to  alter subfunctions without manipulating the  entire  system. 
(If mission  requirements could be  rigorously  specified without the  possibility 
of future deviations,  the necessary  requirement  for  flexibiiity would be dimin- 
ished and  we might justify  the development of special  software  fabrication 
tools  to map  a  fully-checked out breadboard  system into one single  procedure 
with extremely low inherent  overhead. This is not likely  to be feasible in the 
first generation  reusable  shuttle o'r space  station.) 
The lfproperlf  degree of modularity  seems  to depend on the  conclusive- 
ness with which  we can define the function of the modules. The  functions of 
the  major modules listed previously  constitute  a  collection of well  understood 
functions. It is, therefore, on the  basis of these functions that we will  define 
"modularity". 
Two levels of modularity for each function are considered  to  be  impor- 
tant. The lowest  level is the  number of macroinstructions  required by a 
design to define the function, and the highest  level is taken to  be  the  number 
of procedures - or  subroutines - required by a  design to define the function. 
We, therefore, will have two measures.of  modularity  for  each of the following 
functions : 
15 1 
I".. .,,, - "._.""" 
System  control, 
1/0  operation and control, 
System  monitoring, 
Support programming, 
Error recognition and recovery, and 
Failure  detection and recovery. 
Average  system functional modularities  for  each of the two levels a re  
measures of system  modularity and are  the  average of each  modularity Over 
the above functions. 
Notice that a s  we become  more adept at defining higher  level  system 
sub-functions that a re  used  in  a high number of instances,  these sub-functions 
tend'to become subroutines. This causes the subroutine modularity measure 
to  increase, indicating  a relatively  detrimental  trend  because of the  associa- 
ted linkage overhead increase. At  the same time, however, the macro- 
instruction  modularity  measure must decrease tending to  restore the  balance 
somewhat. The above trend is definitely  desirable even though system 
overhead increases. The reason, of course, is that well-established sub- 
routines  become  candidates for implementation as  microsequences in control 
store o r  conventional logic modules in system  hardware,  This  results in a 
reduction in  subroutine  modularity.  This  trend might be referred  to  as 
"software  to hardware bootstrapping". 
b. Complexity. Complexity, like -modularity, is defined with 
respect to  a system's  architecture  and,  therefore, differs from vantage point 
to vantage point. System  complexity is defined to be  the  total  number of com- 
mands and supervisor  requests provided by the  system to the  user. A system 
design  that  can  provide  the  flexibility  to  support all  requirements with a  small 
number of commands and requests is obviously less complex  to the  user than 
one requiring a larger  number  because it is easier  to  use and interface with. 
c. Flexibility. This system feature also takes on different de- 
finitions depending on the point of view. From the user's point of view ft is 
identical  to complexi,$y by definition.  This illustrates  a  set of conflicting 
user  desires  since he at once wants  a highly flexible system and yet needs 
simplicity. We define  flexibility to be  the s m e  as complexity to  remain con- 
sistent with the  architecture concept. We should recognize  that an assump- 
tion is being made  here; we assume  that, while a less complex System 
152 
may  support the same set of requirements as  one that is more complex,  the 
more complex system  offers a  wider  selection of ways to  satisfy  the  require- 
ments and is therefore  more flexible. 
d. Storage Availability. This is taken to be the size, in main 
memory words, of the  memory  space in a given hardware configuration that 
is available  for accommodation of user  programs. This is admittedly a 
configuration-dependent definition. However, consistent with the concept 
of taking the user's viewpoint of architecture, this is a meaningful definition. 
e. Development Effort. Development effort is defined to be 
the  number of computational statements divided by twelve (12) plus  the 
number of logical  statements divided by eight (8). See Form 1, Item 3. 
The numerics are weighting factors taken to  mean  that computational 
statements  can be developed at the rate of twelve (12) per day and logical 
statements can  be developed at eight (8) per day. 
f .  Storage  Requirement. This measure of system  design 
"goodness" is defined to  be the size, in  main  memory  words, of the memory 
space  required  to accommodate the complete  executive system. 
g. System  Integrity. This intuitive system architecture 
feature is a measure of how well the system  responds,  from the user's 
viewpoint, to errors  in  his  programs and failures  in the hardware. Since 
future  space  systems wil l  be designed  specifically  to  meet  failure mode 
recovery  performance  requirements that are  established independently 
of a particular  user, we will  concern  ourselves  here only with the  response 
of the system  to  user  program  errors. 
System integrity then  reduces  to  consideration of two classes of 
user-induced errors;  errors  resulting-from  improper  use of the system and 
errors  resulting  from  instability  in  the nser's programs. 
Examples of improper  use of the system include such  things as: 
failure  to  request allocation of a  device before attempting to  access it, 
failure  to  return  storage  that  has  been  allocated, and improper sequenc- 
ing of requests  for  service when a  specified  ordering  must  be  observed. 
Instability  in the user's  program can occur  as a result of an  improbable 
set of parameter  values  that  cause looping or non-convergence in an 
iterative  procedure. 
Presumably,  the first class of user-induced errors  will be  eliminated 
during component testing and total  system checkout. This is the burden of 
testing and quality assurance  activities during development. However, it is 
clear that no numerical value  can be placed on the system's  ability  to  resist 
15 3 
or detect and recover  from  these two classes of errors.  Typically,  the 
design will include  exhaustive  provisions for guarding  against  them. Cross- 
checks on the  validity  and  sequencing of all operations  requested of the  system 
by either command or supervisor  calls, and setting and checking watch-dog 
timers and stall alarms is commonplace. If features  such as these are found 
in a design, we indicate  system  integrity by acknowledgement (rryesrr).  This 
requires  that the logical  aspects of interactions among functions  be  thoroughly 
reviewed. Failure  to  take  into  account all contingencies will  be  indicated by 
lack of acknowledgement (%off). 
h. Reconfigurability. This system feature is measured by 
whether the user  must  be  aware,  in  his  program  design, of different  architec- 
tural  configurations. If, subsequent to a system  failure, the user  must show 
awareness , i n  any functional  way, of a change  in architecture , we say  that 
the  system  exhibits a "low" degree of reconfigurability. If, on the other 
hand, system  failures do not impact on the user's  program  logic, we say 
the system  exhibits a %ighIf degree of reconfigurability.  This definition 
does not take  into  account  the  possibility  that  the  system may not be  able 
to reconfigure and may, therefore, fail "hard. The justification for this 
lack of accounting comes  from the mission  performance  requirement that 
space  systems  must  be  able  to  sustain  failures  through  reconfiguration or  
hardware multiple redundancy. Adequate reconfigurability or hardware 
redundancy is , therefore , tacitly  assumed. 
i. Maintainability. System maintainability is a measure of the 
effect  on  system  architecture  resulting  from  improvements , expansions, 
corrections, o r  other  changes  to  the  system. If user program logic,  format, 
or  organization  must  be  altered as a result of system  maintenance  activities, 
we say  that  the  system  exhibits a 'low"  degree of maintainability; it is Wgh" 
otherwise.  This feature is dependent to a great extent  on  the  design  aspects 
of system  support  activities and programs. Since this  report  does not. address 
this  subject, we  exclude  maintainability  temporarily  from  the  list of evaluation 
features. 
j. Performance. This system feature is also excluded tempo- 
rarily  from the  evaluation criteria  because  it is indeterminate on the  basis of 
design  analysis only. 
2. Comparison.  The literature (1) , (2) has not yielded  information 
relating'to  the  comparison of complex real time  executive  system design. This 
was to  be expected since  the  field of computing sciences is still  relatively 
immature. 
154 
However, a preliminary method that is based on the  attributes and 
features  discussed previously has  been developed. This  comparison methodo- 
logy consists,  firstly, of filling out the chart suggested by Figure IV. E. 2 
where  the  attributes of all system  procedures  are  recorded. Next, the total 
of each of thG attributes taken  over all  procedures is transferred  to  the 
appropriate column shown in  Figure N. E. 3 for each of two systems. The 
features shown in Figure IV. E. 1 are  also evaluated for each system and 
recorded on Figure IV. E. 3. Finally,  the  total  size of external data is 
recorded  based on some  arbitrary value for any variables  required to 
obtain a constant value. 
Figure IV. E. 3, thus  completed, brings  the  major  features and attri- 
butes of each  system  together  in  sharp  contrast.  Further  comparison must 
be  made by subjective  comparison  based on the  application of weighting factors. 
This  aspect of comparison is felt  to be beyond the  scope of the  report. 
155 
1111 
rn 
Q) 
.c1 
5 
B 
4 
32 
B 
E 
s” 
0 
0 
a, 
N 
m 
.rl 
Procedure 
Name 2 0 
U 
I 
System Procedure  Attributes 
Figure IV. E. 2 
156 
System Comparison  Summary 
Figure IV. E. 3 
157 
REFERENCES 
1. Budd, A. E. : A Method for  the  Evaluation of Software Executive Opera- 
ting o r  Monitor Systems. The MITRE Corporation, Bedford, Massachu- 
setts , September 19 67. 
2. Anderson, M. D. and Marek, V. J. : Evaluation of Aerospace Computer 
Architecture. AIAA Paper No. 68-836, AIAA Guidance, Control, and 
Flight Dynamics Conference, Pasadena, California, August 12-14, 1968. 
158 
BIBLIOGRAPHY 
1. Adelman, A. and Kemp, A. J. : Space Station Information Management. 
Institute of Electrical and Electronics  Engineers (EASCON) Conference 
Presentation, Washington, D. C., October 29-31, 1969. 
2. Advanced Topics in Systems Programming. University of Michigan 
Engineering  Summer  Conferences,  June 16-27, ,1969. 
3. Anderson, M. D. and Marek, V. J. : Evaluation of Aerospace Computer 
Architecture. AIAA Paper No. 68-836, AIAA Guidance Control, and 
Flight Dynamics Conference, Pasadena, California, August 12-14, 1968. 
4. Budd, A. E. : A Method for the Evaluation of Software ,Executive, 
Operating or Monitor Systems.. The MITRE Corporation, Bedford, 
Massachusetts, September 1967. 
5. Campbell, P. J. and Heffner, W. J.: Measurement and Analysis of 
Large Operating Systems During System Development. Proceedings 
of FJCC,  Vol. 33, No. 1, 1968. 
6. Chestnut, Harold: Systems, Engineering Tools. John Wiley and Sons , 
Inc., New York, New York, 1966. 
7 ,  Comparative Operating Systems, A Symposium. Association of Computing 
Machinery, Cleveland/Akron Chapter, Brandon Systems Press, Inc. , 
1969. 
8. Computer Subsystem Trade Study, Appendix 3, IBM Preliminary 
Documentation of Space Station  Requirements, IBM Corporation, 1969. 
9. Data Acquisition Subsystem Trade Study, Appendix 4, IBM Preliminary 
Documentation of Space  Station Requirements. IBM Corporation, 1969. 
10, Data Distribution Subsystem Trade Study, Appendix 5, IBM Preliminary 
Documentation of Space  Station Requirements. IBM Corporation, 1969. 
11. Data Management System Requirements , Section 4.1 , IBM Preliminary 
Documentation of Space  Station  Requirements. IBM Corporation, 1969. 
12. Data Management System Station Technology Assessment, Appendix 9, 
IBM Preliminary Documentation of Space Station Requirements. IBM 
Corporation, 1969. 
13. Data Storage Subsystem Trade Study, Appendix 8, IBM Preliminary 
Documentation of Space Station Requirements. IBM Corporation, 1969. 
159 
14. 
15. 
16. 
17. 
18. 
19. 
20. 
21. 
22. 
23. 
24. 
25. 
Digesu, F. E. : A Conceptual Design of Space Shuttle Integrated Avionics 
Systems. NASA TM-X-53987, February 3, 1970. 
Experiments  Requirements, Appendix 2, IBM Preliminary Documenta- 
tion of Space Station Requirements. IBM Corporation, 1969. 
Find Report,  Integral Launch and Reentry Vehicle, Executive Summary; 
Special  Studies, Vol, 111, Part A (Sections  1-3 and  Appendix A); and 
Part B  (Sections 4-5 and Appendixes B, C , and D). Lockheed Missiles 
and Space Corporation, A959837, December 22, 1969. 
Frasier, C. W. and Gardiner, R. A.: Space Shuttle Vehicle Electronics. 
NASA MSC .Report  Presented at the Space Shuttle Vehicle  Symposium, 
Washington, D. C., October 17, 1969. 
Guidelines and Constraints Document, Space Station Program,  Phase B. 
MSFC Document No. SE-001-009-2H, Space Station Task Team, National 
Aeronautics and Space Administration,  Marshall Space Flight Center, 
June 12, 1970. 
Hokom, R. A.: Executive Program Control for Spaceborne Multiproces- 
sors. Autonetics, A Division of North American Aviation, Inc., 1968. 
Hrastar, John: Attitude  Control of a  Spacecraft with a Strapdown Inertial 
Reference System and Onboard Computer. NASA TN D-5959, September, 
1970. 
Image Processing System Trade Study, Appendix 6, IBM Preliminary 
Documentation of Space Station R.equirements. IBM Corporation, 1969. 
Information  Management Study, Final  Report,  Overall  Summary  Results. 
MSC 00197 (MTR-1524, Vol. l), The MITRE Corporation, June 30, 1970. 
Integral Launch and Reentry Vehicle Systems, Configuration Design 
and Subsystems, Vol. I, Book.1. NASA CR-66863-1 (MDC E0049). 
McDonnell Douglas Astronautics  Corporation,  November, 1969. 
Integral Launch and Retrieval Vehicle Systems, Executive Summary. 
NASA CR-66862 (MDC E0049), McDonnell Douglas Astronautics 
Corporation, November, 1969. 
Integrated Avionics for Space Shuttle Vehicles, McDonnell Douglas 
Slide Presentation. McDonnell Douglas Astronautics  Corporation, 
September 25, 1969. 
160 
26. Integrated Avionics Software. McDonnell Douglas Slide Presentation, 
McDonnell Douglas Astronautics  Corporation,  September,  1969. 
27. Integrated Avionics Systems Trade-offs. McDonnell Douglas Slide 
Presentation, McDonnell Douglas Astronautks Corporation, 
February 11, 1970. 
28. Martin,  James:  Design of Real-Time  Computer  Systems.  Prentice- 
Hall, Inc.., Englewood Cliffs, New Jersey, 1967. 
29. Martin,  James:  Programming  Real-Time  Computer  Systems.  Prentice- 
Hall, Inc., Englewood Cliffs, New Jersey, 1965. 
30. Master Executive Control Techniques for an Advanced Avionics Digital 
Computer System. Naval A i r  Systems Command Project No. AIR-5333F4- 
69-1 Final Report, Honeywell Document No. 14206-FR, Honeywell, 
Systems  Research Division, Research  Department. 
31. Mendelson, Myron J. and England, A. W. : The SDS Sigma 7, A Real- 
Time  Time-sharing  Computer.  Proceedings of the  Fall  Joint Computer 
Conference (FJCC), 1966. 
32. Miller, W. F. : Computation and Control in Complex Experiments. 
Presentation  at IBM Scientific Computing  Symposium for Man-Machine 
Communication, Yorktown Heights, New York, May 3-5, 1965. 
33. Preliminary Performance Specifications, Vol. II and III, Product Con- 
figuration Requirements. MSFC DRL-160 Line Item 1 9  (MDC GO633), 
McDonnell Douglas Astronautics Company, July 1970. 
34. Preliminary System Design Data, Vol. 1, Space Station Preliminary 
Design. MSFC-DRL-160 Line Item 13 (MDC GO634), McDonnell Douglas 
Astronautics Company, July 1970. 
35. Project Gemini Final Report Summary. NAS9-996,  IBM Corporation. 
36. Sholta,  Louise:  Digital Processing - A System  Orientation.  Prentice- 
Hall, Inc. , Englewood Cliffs, New Jersey, 1963. 
37. Space Master Phase A Final Report. MCR-69-36, Martin Marietta 
Corporation, Denver Division, December 1969. 
161 
38. 
, 39. 
40. 
41. 
42. 
43. 
44. 
45. 
46. 
47. 
48. 
Space Shuttle Final Technical Report, Vol. I,  11, m, Tv, V, VI, VII, 
VIII, E, X. General Dynamics Report No. GDC-DCB69-046, General 
Dynamics Corporation, Convair Division, October 31, 1969. 
Space Shuttle  Integrated Avionics. McDonnell Douglas Slide Presentation, 
McDonnell Douglas Astronautics Company, June 12, 1970. 
Space Shuttle Integrated  Electronics. IBM 69-M43-0003 Slide Presenta- 
tion, IBM Corporation, September 29, 1969. 
Space Shuttle Main Engine Statement of Work, Phase B. Appendix to 
Procurement  Request DCN 1-0-21-00001, NASA, George C .  Marshall 
Space Flight Center, February 16, 1970. 
Space Shuttle  System Program Definition Phase By Statement of Work. 
Enclosure No. 4 to R F P  No. 10-8423, National Aeronautics and Space 
Administration, Office of Manned Space Flight, Washington, D. C .  , 
February 1970. 
Space Station  Data Management System  Subsystem  Requirements, 
Appendix 1. IBM Preliminary Documentation of Space Station Require- 
ments, IBM Corporation, 1969. 
Space Station Definition, Vol. V, Subsystems, Book 4, Electronics, 
Appendixes A through D. MSFC-DRL-160 Line Item 8 (MDC GO605), 
McDonnell Douglas Astronautics Company, July 1970. 
Space Station Program Definition, Summary. MSFC-DRL-160 Line Item 
8 (MDC G0605), McDonnell Douglas Astronautics Corporation, August 
1970. 
Space Station Definition, Vol. V, Subsystems, Book 4, Electronics. 
MSFC-DRL-160 Line Item  8 (MDC GO605), McDonnell Douglas Astro- 
nautics Company, July 1970. 
Space Station Definition, Vol. V, Subsystems, Book 3 ,  Information 
Management. MSFC-DRL-160 Line Item 8 (MDC GO605), McDonnell 
Douglas Astronautics Company, July 1970. 
Space Staiion Devo,hpment Definition, Vol. 111, Software Requirement 
Document. MSFC-DRL-160 Line Item 18 (MDC GO544) McDonne11 Douglas 
Astronautics Company, May 1970. 
162 
49. Space Station Phase B Study Results, GPSS/360 Data Flow Simulation 
Model. IBM Presentation, IBM Corporation, August 12, 1970. 
50. Standardized Interface Study,  Appendix 7. IBM Preliminary Documen- 
tation of Space Station Requirements, IBM Corporation, 1969. 
51. UNrVAC  1108 Operating System Exec. 8. UNIVAC Division of Sperry 
Rand Corporation, August 23, 1968. 
52. Vocabulary for Information Processing. UNIVAC - Sperry Rand Corpor- 
ation, Philadelphia, Pennsylvania, October, 1968. 
NASA-Langley, 1971 - 6 
163 
