Standard interface definition for avionics data bus systems by Saponaro, J. A. et al.
V	
. " It,-	 &--	 lkc.jjA, '	 _	 •;4	 a 
- .	 ' 
4Ecr	 -.	 :	 11? ar	 &EC1 14). 
NASA
CR 
t	 ?	 _a	 - 115187 
 
C 1(R) 
I- I r	 r --	 ___ 
-. .	 , -- 
 
L	 j-	
-k	
L	 :lIk 
.;Z4	 I	 -1 , 1 r A^ N COPY RE	 —I) 
TECHNICAL	 y 
- 
:• .	 L':*l -	 AF2 zo 
-- ,-	 - ru 
I	 - r-	 ' '	 '•Fr	 '-	 -i-.	 .'	 -.t_-	 ----- a	 4— 
•i	 . . -..'_t,—_ ?'	 ;	 • ...	 vr	 -.	 • '	 ----, -.	 . 	 . 	 -	 V	 ;V.*	 4•	 .'L 
-	
-..J4V . -	 •	 V.	 • 	 •-._•T. •	 44 g .	 -' -r-	 .	 .	 :.• '	 V 	 •	 • 	 ,a 
-	 '-	 - 
#' .) -	 .	 4l ft	 f_ .  
• 	 - -	
.;f	
:	 z 
.	
•	 :VV:pl_	 &• .-: ; 4:-.	 ViV 
. 	
4cPJt ¶ç*	 (1	 4J	 :: e&J11 
•::';-t - '	 z- 	 -	 .•' 4 p '	 .-	 :%••,	 -	 -- 
I 
 
I-	 (V'a	 •::  
-	 i..;-	 '"-	 •'	 •1	 -.	 .-	 q"4 
-:	
a 
 
•i 7	 i$"t-
	
.'	
a	 1•	 •( 
._r 
-'	 j. 'ac;	 • .	 .	 I	 I lu	 i	 p	 2	 V 
V	
V	 ____	
I.	 - 
V	
:
V 
2	 -	
P 
.4	 -..V	 I	 -	 I	 S-.	 ' ,, V 	 S	
.3	 VVV	
V	 f5,.	 SV	
•SV V 
"•
 
9	 .a (&	 -,	 - t	 -	 V-V 
IVS 	 5'	
1. 
,- p	 _. 
I	 VS	 /	 VSV 
fS	
a 
VVI	 55	
.f	 V	 55 
. 	 ..	 - 
•.	
r	 V-s.-' 	 .1	 V.	 VS	 - -
pm 
Fl
	 4	 - r	 e 
 
'' 
L 
 
.V- 1 V ) 	
L": '	
5V_ , 	 V	
•VS,	
--V•V-: 
- 	 .J	 ê5V-5V-,. ,t5 V- VS*.VVSV-S.V	 .s - - V	 V •__J	 /	 _____________
A
https://ntrs.nasa.gov/search.jsp?R=19710027295 2020-03-11T22:17:32+00:00Z
L.
•1 
TECH LIBRARY KAFB, NM 
IIH I III IMI 	 II II	 II 
0062681 
0 
p TA. cl. ^'-i	 u f 
.0
^,vitas)Y7 
OR pO
cc	 cC'i\ 
¶.-
_[TI 
flflLi
r: ki1i
Final Report 
Standard Interface 
Definition 
For Avionics Data Bus Systems r/,tI,?I.	 f6 Pe(70-
)MIY 1. 
By: Alex L. Kosma].a, Joseph A. Saponaro, and 
John P. Green, Jr. 
May t9-71 
Prepared under Contract NAS 9-11477 by 
2.
INTERMETRICS, IN 
380 Green Street 
Cambridge, Mass. 02139 
INTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE. MASSACHUSETTS fl210 • ii' ao
-C
Foreword 
This document is the final report on the definition of a 
S
. Standard Interface Unit for avionics data bus systems. 
The study was sponsored by the Manned Spacecraft Center, Houston, 
Texas, under Contract NAS 9-11477.
	 It was performed by 
Intermetrjcs, Inc., Cambridge, Massachusetts, under the 
technical direction of Mr. Alex L. Kosma].a. 
The study program covered the period from 16 December 1970 
through May 16 1971.
	 The Technical Monitor for the Manned 
Spacecraft Center was Mr. Cline W. Frasier. 
The publication of this report does not constitute approval 
by the NASA of the findings or recommendatic,ns contained 
therein. 
INTrMETRICS INCORPORATED 	 380 GREEN STREET
	 CAMBRIDGE MASSACHUSETTS 02139
	 617 RM lRAfl
Table of Contents 
Chapter 1 Introduction 1 
1.1 Background to the Study I 
1.2 Objectives of the Study 2 
1.3 Approach to the Study 2 
1.4 Overview of the Report 4 
1.5 Summary of Recommendations 4 
1.5.1	 Bus Control Summary Recommendations 5 1.5.2	 Recommendation of Standard Interface Unit 
 Organization 6
 
Chapter 2 Space Shuttle Data Bus Definitions and 
Ground Rules 7
 
2..1. Introduction 7 
2.2 Data Bus Definition and Terminology 7 
2.2.1	 Definition 7 2.2.2	 Terminology 9 
2.3 Review of Shuttle Data Bus Reauirernents and 
Ground Rules 10 
Chapter 3 Reliability, Redundancy and Organization is 
3.1 Definition of Failure Tolerance 15 
3.2 Failure Detection and Isolation 18 
3.2.1	 Computer Failure Detection and Recovery 18 3.2.2	 Data Bus Error Detection and Recovery 21 3.2.3	 Subsystem Output Voting 23 
3.3 Redundancy Interfacing 24 
3.3.1	 Computer to Bus Interface 24 3.3.2	 Bus-to-LRU Interface 30 
3.4 Relationship of Computer to Bus 37 
3.4.1	 Central Computer, Single Bus 38 3.4.2	 Distributed Computers, Single Bus 40 3.4.3	 Distributed Computers, Multiple Buses 44
1 
INTERMETRICS I NCORPORATED
.
 380 GREEN STREET.. CAMBRIDrF MASAII prTc A1fl.	 n ..-
rj 
Chapter 4 Operation and Control of the-Data Bus 47 
4.1 Data Bus Access and Control Philosophy 47 
4.1.1	 General Description of Bus Access Methods 47 4.1.2	 Qualitative Evaluation of Access Methods 49 
4.2 Control and Operation of the Data Bus by the BCU 54 
4.2.1	 Bus Message Format 56 
4.3 Operation and Control of the Data Bus by the Computer 60 
4.3.1	 Overview of Computer I/O Operations 60 4.3.2	 Computer to Bus Operations 62 4.3.3	 I/O — Processing Memory Conflicts 
(Buffering and Interlocking) 67 
4.4 Description and Analysis of I/O Transactions 68 
4.4.1	 Definition of an
	 'I/O Transaction" 68 4.4.2	 Functional Description of Bus Transactions 69 4.4.3	 Description of the Transactiôr. Sequence 72 4.4.4	 Bus Efficiency and Latency 74 
4.5 I/O Timing Difficulties 78 
Chapter 5 Data Bus Error Control 79 
5.1 Introduction
79 
5.2 Information Coding Review ijiscussion 80 
5.2.1	 Coding Theory 
5.2.2	 Single Parity 80 
5.2.3	 Error Correcting Codes 80 81 5.2.4	 Higher Order Error Correcting Codes 83 5.2.5	 Burst Errors and Burst Codes 83 5.2.6	 Fire Codes and Other Burst Codes 85 5.2.7	 Horizontal and Vertical Parity Coding 85 5.2.8	 Repeated Transmission 86 5.2.9	 Transmission Over Multiple Paths 86 5.2.10 Data Feedback/Echo Check 87 
5.3 Detection and Retransmission Vs. Forward 
Error Correction 87 
Chapter 6 Bus Implementation Factors 91 
6.1 Transmission Problems 91 
6.2 Non-carrier (Base-band) Signalling Schemes 92 
.6.3 Carrier Modulation Techniques
	 . . 96
ii 
....rn.arrnu,.e. - a ia----------------------------... a.._.-..... ..........a.. sc•. 	 ...	 ... ... ... 
S• 
6. 4- Bit Synchronization 98 
6.5. Transmission Media 99 
Chapter 7 Summary Review and Recommendation 105 
7 1 Introduction 105 
7.2 Command and Control of the Shuttle Data Bus 106 
7.2.1	 System Configuration 107 
•:: 7.2,2	 Bus Control Policy 108 7.2.3	 Bus Data Structure 112 7.2.4	 Functions of the Interface Unit 115 
7.3 Organization of the Data Bus Terminal 118 
7.3.1	 Introduction 118 7.3.2	 Functions of the Bus Terminal 118 7.3.3	 Interfacing the LRU to the Bus 123 7.3.4	 Recommended Bus/SIU/EIU Configuration 127 7.3.5	 Recommended Bus/SIU Interface Design 129 7.3.6	 Expansion of SlU/EIU Capabilities 132 
/	 .
Appendix A Discussion of the Effects of Cross-strapping 135 
Appendix B Analysis of a Typical Avionics System 143 
5.1 Introduction	 . 143 
B
.2 Operation 144 
B
.3 Control Requirements 147 
Appendix C Shuttle Soitware Structure and Organization 149 
C.1 Introduction 149 
C.2 Overview of Shuttle Software 149 
C.3 Synchronous Control Structure 151 
C.3.1	 Description of Synchronous Operation 
C.3.2 151 Advantages and Disadvantages of a 
Synchronous Control Structure 152 
C.4 Asynchronous Software Structure 153 
C.4.1	 Executive States and State Transition 154 C.4.2	 Overview of Asynchroncus Operation 154 C.4.3	 Advantages & Disadvantages of an-
. Asynchronous Structure
	
- 155 
Lia, ..1NTERMF.Tflcc lN('.(PPflATr •	 Qf% tDC&I	 e,.	 ..•. ......

•F 
-	
. ._••	
...--....•-•-. ;__.._____.. ...-.
____	 •_•__•____•__•_________	 •--. 0	 - ..	 •-.. ....
	 -	
.. 0 t_. • '.-J.- .-t_t..?:. 
List of Figures
Page No 
Figure 2.1 Data bus system elements and 8 
terminology 
Figure 3.1 Computer configuration with 
external comparator and voter 20 
• S. :.: Figure •3.2 single strings without cross 25 Connection 
Figure 3.3 Cross connection between BCU and bus 27 
£ Figure 3.4 Cross connection between computer and BCU 27 
Figure 3.5 Quad redundant BCU configuration 29 
Figure 3.6 Single string no cross connection 31 
Figure 3.7 Cross connection between SIU and bus 31 
Figure 3.8 Cross connection between SIU and EIU 33 
Figure 3.9 Cross Connection between EIU and LRU 35 
Figure 3.10 Bay oriented configuration 36 5 Figure 3.11 Central computer control .	 39 
Figure 3.12 Central bus control with distributed 
processing 41 
Figure 3.13 Bus control by several computers 43 
Figure 3.14 Distributed computers and multiple buses 43 
Figure 4.1 Basic functions during a bus transaction 55 
Figure 42 Computer to BCU I/O comr-nd operation 64 
Figure 4.3 Representative bus command message 
organization 71 
- Figure 4.4 Sample read/write transactions 73 
Figure 4.5 Bus I/O transaction efficiency 75
3 
Figure 4.6 'requency of I/O transactions versus number' 
.	 .
 
of dat:a bytes
	 .	 . 76 
Figure 6 1 Modulation waveforms 94 
Figure 6.2 Modulation energy spectra 97 
Figure 6.3 Noise attenuation for twisted shielded 
pair (TSP) and coaxial cakle versus frequency 102 
Figure 7.1 Standard bus interface functions 120 
Figure 7.2 Electronic interface functions 122 
Figure 7.3 SIU to EIU cross connection complexity 124 
•	 . Figure 7.4 Cross ccnnection at bus via separate SI1J 126 
Figure 7.5 Cross connection at bus via line couplers 128 
Figure 7.6 Recommended SIU/EIU terminal organization
.	 131 
Figure A.1 Simple and cross connected configurations 136 
• F.igure.A.2 Figure of merit (P(A)/P(B))
	 for P
	
= l01 139 
• Figure A.3 Figure of merit (P(A)/P(B)) for P
	 =10 140 
Figure A.4 Figure of merit (P(A)/(PB))
	 for	 s = io8 141 
Figure B.l Control sequence for range measurement
	 . 145 
Figure B.2 Control sequen
	 for range and range rate 
measurement
	
.	 .. 146
F 
Figure C.1 Task States 158 
Figure C.2 System Flow
	 .	 .	 •	 . .	 .	 . 159 t.4
• r.	
_:.u.OJ. :.... t.,	 '..-.-.,c.....: .-:.	 •... -	 ;.	 •.. 
Chapter 1

Introduction 
1.1 Background to the 1-n
Design concepts for the next generation of manned space 
vehicles have been formulated over the last few years and are 
currently being evaluated to establish specifications for the 
vehicles, their subsystems and the operational procedures. 
Common to all the proposed concepts has been an integrated 
approach to the avionics system, in which all subsystems communi-
cate with, and are coordinated L and controlled by the onboard computer system.
	 A shared data bus has been proposed as the 
common communication link between subsystems and the computer(s). 
This study has been concerned with the major factors that 
influence the design of
	 data a	 bus for the avionics system 
of the proposed NASA Space Shuttle.
	 Although the various design 
approaches to the Shuttle data bu; developed to date have 
differed in many aspects, all recommend the concept of a 
multiply redundant data bus,
	 data a	 bus control unit, and a 
bus interface unit for connecting the avionics subsystems to the common bus.
	 Designs for the bus interface unit have 
stressed commonality and s tandardization, because a standard interface unit is estimated to minimize the number of types 
and the complexity of hardware and vendor interfaces required 
for each subsystem.	 Key issues in the design of the bus system are::	 the functions and role of the interface unit as 
a part of the bus system, error detection and recovery, re-
dundancy, and bus control philosophy.	 Since the interface unit is an integral 
[7- part of the data bus system and cannot be viewed as a "stand alone" ele m ent, its definition and design 
must be considered with respect ;O the total approach to the bus system design.
1 
$NTERMETRICS INCORPORATED.. 380 GREEN STREFT..AMPIn1
	 ........ 
S 
1.2 Objectives of the Study 
The central effort has been to identify those factors that 
form the major design drivers for the bus syster*, and to define 
the functional interfaces between the data bus, the bus control 
unit, and a standard bus interface unit. It was not the objective 
of this effort to dete:inine the specific requirements for, nzr 
to develop a detailed design of the total data b'a: system. It 
was to review already defined requirements and idntify those 
key design features of the bus that affect.the nature Of the S:
	
	
computer-to-subsystem c ommunication and consequently, the

specification of the stLndard interface unit. Although this 
study analyzed the communications between the computer and 
standard iaterface unit, it th4 not include detailed evaluation 
of the bus control unit design, nor the detailed design of the 
standard interface unit-to-subsystem interface. The objective 
of this study was to analyze the various approaches to an 
integrated Shuttle avionics organization, and to make recommenda-
tions on general characteistjcs of the data bus system with 
emphasis on the definition and functional spec-ification of a 
standard data bus interface unit. 
1.3 Approach to the Study 
Since the scope of this study dic e
 not include a derivation 
of the primary performance and operational requirements for 
the Shuttle data bus., initial reviews of Shuttle data requirements 
and existing studies of proposed data bus designs were under-
taken. It was intended to gather information on the various 
approaches such as design objectives and functional requirents; 
elements of the bus system and their functions; bus control 
method; configuration management tec)nique; number of communica-
tion paths; command format; error decection and recovery scheme; 
modulation technique; physical considerations; and redundancy 
interfacing. Some difficulty was encountered in obtaining this 
information in sufficient quantity and detail. This was because 
of the preliminary nature of the studies, the Continually chan'ing 
requirements, and often because the des.red information was 
proprietary in nature. 
It was realized early in the study that in order to define 
the func 6ions of the elements of the data bus it was necessary 
to evaluate a number of higher level aspects of data bus design. 
A dgniflcant effort was expended in analyzing the problems 
and pcssible solutions associated with the following areas: 
2 
INTERMETRCS INCORPORATED ..Rfl (RPN STCr • e'j&aotrv-e	 -
. 
.
a)Computer configuration 
*
The communication of data and control 
over the data bus was found to be greatly influenced by the 
configuration of the control computer(s) with respect to 
the data bus. 
b) Failure toleranceand reliability. The effect of the Shuttle 
failure tolerance criterion on the degree of redundancy in 
the data bvs system, the techniques for the detection of 
failures and eventual reconfiguration of the but were found to 
impact the design of the bus elements directly. 
C) Data bus management. Several data bus control techniques 
were analyzed for relevance to the Shuttle. The type of 
control was found to impact the nature of the computer I/o 
with the bus, and the design of the standard interface unit. 
The definition of a functional, specification for a standard 
interface unit should only be made when a comprehensive lisa of 
r3quirements for it is known. Because of tho early stage of 
development of the Shuttle vehicle concept this level of informa-
tion was not available. The various designs under consideration 
at the beginning of this study were based on diffeLnt (and 
changing) requiremnts and ground rules. It was cons*-uently 
difficult ta evaluate several design approaches on a coxtuon 
basis. 
In the absence of a specific set of requirements for the Shuttic 
data bus it became apparent that no single approach to a design 
stood out as a clear candidate for implementation. A general 
impLession was gained that almost any
 suggested approach could 
be made to do the job. Some criteria for evaluation had to be 
established in orde..- to arrive at a set of specific recommenda-
tions. Chapter 2 provides a summary of the basic requirements, 
ground rules, and assumptions that this study used as a foundation. 
The evaluation and recommendations presented in Chapter 7 were 
guided by two basic ground rules, namely: 1) choose the simpler 
approach, and 2) choose the approach that solves one problem at 
a time, wnerever the reuirements or assumptions provided no 
clear decision path. 
Finally, one other concluEion was reached early in the study. 
•	 It was that the implementational details of a data bus design such 
as technology, transmision media,-modulation techniques, etc. 
are of significantly less importance than the higher level questions 
•	
above. This was reflected in the amount of effort apportioned 
to this aspect of the problem.
3 
INTERMETRICS I NCORPORATED .
 3O GRE.N STREET S
 CAMBRIfl(F MASRA IITT fl)1fl
L. . 
1.4 Ov.rview of the Report 
This report is divided into seven chapters.
	 Chapters 3, 4, 5, and 
importance 
6 are presented in no particular logical order or degree of 
of their subject matters. 
a) Chapter 2 lists the requirements for the Shuttle data bus 
system that were adopted for the purpose of this study, 
and gives reasons for the less substantiated assumptions 
that were made. 
b) Chapter 3 provides a discussion of the impact on data bus 
complexity and management difficulty of the assumed FO-FO-FS 
failure criterion.
	 Various configurations for interconnecting 
computers and bus control unit, buses, and interface units are 
reviewed. 
c) Chapter 4 presents a detailed appraisal of the problems of 
providing command, control, and data acquisition over a 
common data bus.
	 Bus access methods, data formats and 
bus traffic are analyzed. 
d) Chapter 5 reviews a variety of error control techniques. 
Error coding, transmission feedback, retransmission, and 
voting are included in the discussion. 
• e) Chapter 6 gives a brief treatment of selected harth're 
problem areas.
	 Modulation techniques, transmi c ,ion media, coupling and synchronization are discussed. 
.	 .
f) Chapter 7 reviews the material of the previous chapters 
and makes specific recommendations in the area of bus 
control, and the functions of a standard interface unit 
1.5 Summary of Recommendations 
•	
.	 •:.: The recommendations fall into two categories: 
•
a) those associated with the general problems of command, control, 
. and data acquisition by a common data bus in an integrated 
avionics system; 
b) the definition of the functional organizit
	 ii 02	 i standard 
•	 .	 • data bus interface unit. 
The major points are very briefly summarized in the following 
paragraphs. For definitions of the terms used, and for further 
clarification of the recommendations, reference should be made 
to chapters 2 and 7.
4 
IMTRUETRICS INCORPORATFn • ' RnPIJ CTDCT. OAl*Orlar-r 
1.5.1	 Bus Control Summary Recommendations 
a)	 One authority, i.e. the computer/BCU, should contra], all 
.. .	 commands and, data acquisition via the data bus;.
	 Any other 
computer must be interfaced to the bus via a standard 
interface unit, and must be regarded as any-other-subsystem. 
• b.)	 The computer should initiate and control all bus communica-
tions.	 Control should be by the command/response address 
technique.	 No remote terminal may determine its own need to access the bus.
	 Each terminal will respond only to the 
comouter/Bcrj.	 A possible waiver of this rule may be made 
•	
.'.. 
. in the case of recording, telemetry, or displa y
 equipment, but a non-standard interface unit is then required. 
C)	 The following error control transmission policy is recommended: 
• 1)	 path verification via feedback transmission by 
each SIU of at least its address bits upon i-'ing 
accessed by the BCU.
	 No verification of echo 
check by the E.CU is recommended prior to the release 
of the data to the LRU by the terminal. 
2)	 Message verification at the terminal and the BCU 
by horizontal and vertical parity bits.
	 Message 
verification at the terminal is required before 
feedback of address echo. 
3)	
. Error corr.ctjon by re-transmission or re-request 
of message by the ECU. 
•	 . 4) .	 . Higher security for "critical" commands to be 
• . .
	 achieved Outside of the bus by software controlled •
multiple transmission O.. message; successful receipt 
to be determined by the subsystem. 
d)	 A byte
-serial.data transmission is recommended. 
• The data byte size should be a submultiple of the computers 
memory word/byte length.
	 The bus command byte should be 
• determined by the nature of the bus : traffic, when more 
• .	 .	 exactly known. 
e) ,	 A variable length message format with a limit of 32 bytes 
is recommended.	 A 2-bit field in the control format is 
sufficient to specify a 1,4, 8 or 32 byte data block. 
•
f)	 A "busy" indication by the terminal is recommended to allow for terminal and LRU latency .
, and as a mechanism for expanded terminal capabilities.  
•	 •	 .	
, 
i	 .. INTERMETRtCS INCORPORATED • 	 cRFFN STRFT • ('J' 	 I1AOA
. 
.
FT
1.5.2 Recommendation of Standard Interface Unit Organization 
a) The communication of data to and from the subsystem should 
be the interface unit's prime design consideration. Addi-
tional functions may be added later, but must abide by the 
• •-	 constraints of the bus control structure and data formats. 
b) A standard interface with the bus is recommended for all 
terminals. For the subsystem interface a fixed maximum 
of 512 electronic interface channels is recommended, in 
order to size the channel address field. A maximum of 16 
•	 channels each of analog, parallel digital and serial digital 
input and output signals is suggested as a standard electronic 
interface, with modular expansion from 0 to 16 to suit the 
•	
-requirements of a particular equipment. An "invalid channel 
-. •	 address" signal is recommended to indicate a less than 
•	 maximum interface implementation. (This standard interface 
cannot be made a recommendation of the study, since specific 
equipment requirements have not been determined to date.) 
C) The 512 channels could be assigned differently than above, 
but a non-standard electronic interface would be the result. 
A modular internal structure could alleviate the problem 
of terminal diversity. 
-	 d) A unified terminal with combined siu and EIU facilities 
•	 is recommended, although a separate input channel for each 
bus line should be provided to the point of address comparison. 
•	 e) Redundancy interfacing should be performed at the bus-to-
terminal interface by special line coup.ing elements, which 
provide 4-to-many and many-to-4 interfacing. 
f) Line conditioning, signal ampliZicatjon and noise discrimjna-
• • •	 tion should be provided. They may be conveniently accommodated 
• •	 In the line coupler.
6 
,•	 • INTERMETRIC.S INrOQPnQATanI. ,312f% 'oc, c.rrrrr -------------------------------------•
Chapter 2 
..
	 Spice Shuttle Data Bus Definitions and Ground Rules 
2.1 :.troduction 
The definition of a standard interface unit for the Shuttle 
data bus depends directly on, and is constrair-dby, such factors 
as: the avionics configuration requirements, avionics subsystem 
and equipment data requirements, redundancy techniques and cen-
tralization versus decentralization of functions. The objective 
and the scope of this study did not include a detailed analysis 
of the avionics system requirements. These were assumed to be a 
formulated and derived by others. 
2.2	 Data Bus Definition and Terminology 
2.2.1	 Definition 
The space Shuttle data bus system is the principal medium 
of communication between components of the inte grated avionic 
system and the computer complex.
	 it is a multiply redundant, 
common, shard interface to flight electronics and mechanical equip-
ment providing remote acquisition and distribution of commands, 
data and other information.
	 The Shuttle data bus system 
illustrated in Fiaure 2.1 is composed of three major elements: 
a)	 a bus control unit, 
• b)	 a redundant set of transmission lines, and 
C)	 a nuniberof remote termina1
•	 7 
INTERMETRICS INCORPORATED • 380 GREEN STREETCAMEsRIDGF. MASSAIITrQ Aifl. 
-, I
1 
I	
C,.j I cc Cl*
ui 
UA 
cc 
LU
uj 
Ifi	 4c I 
•1 
L... 
 Ill! ...	 I 
	
• 	 • 
	
•	 88 
5,4
8	 - 
F 
• 2.2.2	 Terminology 
The nomenclature utilized throughout the report attempts 
to utilize, as much as possible, existing terminology and acronyms 
rather than defining new ones.	 However,	 to avoid confusion and 
preconceived association:; the following definitions are provided. 
a)	 The data bus.
	 The data bus is composed of a sot of redundant 
• bus lines.	 Each bus line is a single communication channel, 
capable of two-way transmission of serial dicjital information 
between several remote terminals and the bus ccntrol unit.. 
Physically a bus line may be a
	
-ingle coaxial cable, or balanced 
line such as a twisted shielded pair, on wt , ­ 1 1
 information 
is transmitted by time or frequency division multipicxinu. 
b)	 ECU	 'us Control Unit).
	 The ECU is the control element of 
the data bus system.
	 It provides the prima ry
 interface of 
the bus system to the computer complex.
	 It i3 the primary 
I/O peripheral to the computer complex, containincj a parallel 
interface with control and shared access to the computer 
memory.	 The functions of the RCU are discussed in more 
• detail in Chapters 4 and 7. 
C)
	 Terminal.	 The terminal is a remote unit which interfaces 
between a bus li..e and a remote avionics equipment.
	 A terminal 
is addressable by the computer/BCu for the input or output of data to the equipment.
	 It consists of two basic elements: 
a standard interface unit (SW) and an electronic interface 
• unit (Elu),	 which may or may not be physically separated.. 
d)	 Standard Interface Unit (Slu).
	 The SIU is that part of a 
-' terminal associated with thfunctions necessary to interface 
with the bus.
	 It contains line termination, signal modulation 
and demodulation, trJnsmitter and rec-iver control, and 
terminal address decoding logic. 
lei
e)	 Electronic Interface Unit (E1U).
	 The ZIU is that part of a 
terminal associated with the functions necessary to interface 
avionics equipment.	 The EIU inputs and outputs information 
to a number of analog and digital 1/0 interfaces in response 
to I/O commands.	 Data and commands received or acquired by the 
EIU are routed through the SIU portion of che tcrminal for 
communication on the bus. 
f)	 Lowest Replaceable Unit (LRU).
	 In this stud	 LRU is d2fined 
as the smallest piece of avienics equipment recognized and 
addressed. by the bus system.
	 More than one LRU may be connected 
to an EIU.
	 The following could
	 all be categorized as LRU's: 
a single beacon, a VHF transceiver, an inertial measuring 
Unit, a remote processing computer. 
9 
INTERMETRICS INCORPORATED
	 380 GREEN STREET
	 CAMBRIDGE, MASSACHUSETTS 02139
.
 (617) 868-1340
•	 h) Subsystem. A subsystem is defined as a collection of LRU's 
which constitutes a function recognized within the integrated 
•	
avionics hierarchy. Examples of subsystems are the reaction 
•	 control system (RCS), the electrical power system (EPS), 
the environmental control system (ECS), the inertial subsystem. 
A subsystem may be geographically distributed about the vehicle. 
2.3 Review of Shuttle Data Bus Requirements and Ground Ru 
Several organizations, including the Phase ti contractors, have 
Conducted analyses of data bus and other Shuttle system require-
ments. The results of many of these studies have been published 
for the NASA Manned Spacecraft Cent-..r. A review of the information 
made available during the course of this study was conducted. 
•	 Several problems arose in obtaining a common set of data and 
communication requirements for the bus, principally due to the 
continually changing nature of Shuttle o'erational requirements, 
and the differenc e s in system design approaches and objectives. 
A summary of the major requirements of the Shuttle obtained from 
this review are listed below. Although there are many detailed 
•	 system requirements for the Shuttle avionics system, only those 
•	 pertinent to the functional specification of interface unit 
were used. 
•	 1	 a) The study has assumed that the Shuttle data bus system meets the failure tolerance requirement s pecified for all electronic 
subsystems; namely, that it shall "fail operational" after 
the failure of two most critical components, and "fail safe" 
after the third failure. Accordingly, the failure tolerance 
specification has been interpreted as requiring quadruply 
redundant bus lines. A more detailed interpretation of this 
•	 failure tolerance requirement is presened in Chapter 3. 
Although this failure tolerance requirement has been as 
and not analyzed or justified in detail, it is clearly of 
significant impact to the organization of the bus lemerts, 
in particular the remote terminal. The necessity of inter-
connecting .an avonic subsystem of rn-level redundancy with a 
quad redundant bus has been a key design driver in formulating 
the SIt) requirements. 
b) The concept of a central cha:ed data bus with standard remote

interfaces to avionics equipment is assumed to be the most 
INTERMETRICS INCORFRATEr.) 380 GREEN STREET • CAMBRIDGE. MASSA('-IIISTTc fl10 -
• -	 cost effective concept for both the Shuttle orbite r and boostr vehicles 
c)	 The primary function of the data bus system is to provide 
a communication path between the avionics equipment and the 
prime Computer complex.
	 No gencral requirement forterrninalt.o 
terminal communication which cannot, or need not be routed 
through the comput.r complex has been identified. 
d)	 Subsystem interfaces.	 The data bus must provide a capability 
of interfacing to redundant electronic subsystems.
	 The 
'..-.	 exact number and type of such subsystc4ns ha. heen.changing 
as the operational requirements evolve. 	 The representative 
list provided below was assumed to indicate the scale of the 
system. 
1)	 Primary propulsion subsystem:
	 this system consists 
of two orbital insertion engines and one orbital 
maneuvering engine. 
• 2)	 Reaction control subsystem:
	 at least 20 RCS jets 
located in the nose, wings and tail for effecting 
rotation and translation in space. 
3	 Hydraulic system:
	 hydraulic power generation, 
distribution, control, and conversion of mechanical 
energy.	 It consists of supply lines, gimbals, 
pumps, aerodynamic surfaces, flaps, wheel controls, 
-.• 
/ etc. 
4)	 Elctrical power generation and distrLtion system: 
fuel cells and battery, and the auxiliary power 
units located throughout the Shuttle. 
5)	 Navigation aids/air data:
	 a collection of equipment 
providing navigation and landing capabilities 
(ALS, •radar altimeter, TACAN, DME, etc.).
6) Environmental control system: • the environmental 
-	
•	 control system provides temperature, pressure, and 
•
	
	 humidity control of equipment, equipment bays, and. 
personnel compartments. • 
7) Cryogenic system: contains the hydrogen and oxygen 
for the primary propulsion, the reaction control 
system, the fuel cells and the auxiliary power units. 
•	 ••	 •	 •	 11, 
-	
INTERMETRCS IN(r,RPnrATFn • %Rfl (RJ TFT	 jDcIrt •IIAA• 
8) Dip1ays and controls: this system is assumed 
have local processing capability and accepts dynamic 
data through the bus for updating of display para-
meters. 
9) Telecommunication: this system consists of various 
transmitters and receivers including S-band,. C-band, 
VHF, telemetry encoder, EVA communications, air 
traffic control communications, etc. 
10) Guida-ice, navigation and control: this subsystem 
is composed of elements necessary to control, stabilize 
and navigate the Shuttle vehicle during all phases 
of the mission. It interfaces to the reaction con-
trol system, jet engines, aerodynamic control sur-
faces, and landing gear, etc. It has access to 
sensors which include the inertial subsystem, horizon 
and star trackers, approach landing aids, rendezvous 
radar, radar altimeter, etc. 
Although this list of subsystems may not be complete for the 
final organization of the avionics system it is meant to be 
representative. it is estimated that approximately 150 to 
250 LRU's are associated with the subsystems listed above. 
e) Data requirements. The following is a summary of the data 
requirements abstracted from the various studies of Phase B 
contractors. 
1) Speed. Pak load estimates of data rate for hoth 
the Shuttle and orbiter have ranged between 100,000 
and 250,000 bits per second, including overhead. 
Considering an average overhead of approximately 
50% for each bus transaction and allowing for a 
minimum of 100% expaision to the maximum speed, 
a capability of J0b bits per second has been assumed 
to be an adequate requirement. This speed should 
allow the computer to acquire data at a rate of 
approximately 10,000 average transactions per second. 
2) Measurements. Estimates have ranged between 4000 
and 6500 unique data points to be sampled from the 
total complement of avionics equipment by the 
central computer. Data types include: 
digital parallel 
digital serial 
analog 
discrete 
12 
INTERMETRICS INCORPORATED • 380 GREEN STREET • CAMRIfl
	 UA	 uc,i-ro
IF 
The majority of these data points are iaeasurements 
input to the computer, and are estimated at approxi-
mately 60% to 70% of the traffic on the data bus.. 
3) Response time/sampling frequency. The maximum 
sampling frequenc of measurements is estimated at 
fifty samples per second. The average sampling fre-
quency for status information is between 2 and 5 
samples pez second. Very little information was 
made available on response requirements and load 
distribution of subsystems. 
4) Number of terminals. The number of terminals estimated 
varies considerably depending upon the degre'e of 
redundancy, interfacing policy and the design of 
the terminal. The number of independently addressable 
terminals is assumed to be somewhere between 50 and 
200. 
f) Physical requirements. Each bus line was assumed to be physically 
separated aboard the vehicle for reasons of reliability. it 
was assumed that bus .Lines will be run down each side of 
the vehicle, and that the bus will be capable of transmitting 
over distances of 300 to 500 feet. It is assumed that the 
equipment will be located in several equipment bays located 
throughout the vehicle. Terminals must be capable of being 
separated from the bus by distances of up to 50 feet.
-F 
.iH 
13	 Ii 
INIERMETRICS INCO1ORATED 380 GREEN STREET . CAMP,R;flF MAcAuIIc	 -	 -.-
PRIiX)FDING PAGE BLANK NOT FILMED 
Chapter 3 
Reliability, Redundancy and Organization 
3.1 Definition of Failure Tolerance 
Before a detailed evaluation of the Shuttle data bus can 
be undertaken it' is important to consider the requirement for 
failure tolerance,, since it is this factor that introduces the 
greatest complexity into an integrated Shuttle avionics system. 
As usually stated, the avionics system must remain fully operational 
after the first and second failures, and must fail in a safe 
manner after the third. In a practical system failure tolerance 
implies that each major element in the system must possess 
internal functional redundancy, and a highly effective technique 
for failure detection to allow quick reconfiguration in the 
event of a failure. 
The high level of redundancy that is required for a multiple 
failure criterion allows application of voting and comparison 
techniques to systems which generate output data; for example, 
the computer, and sensors such as the IMU, radar, pressure 
and temperaturetransducers. Voting of passive elements such 
as actuators requires the feedback of information which indicates 
the element's response to the conuuand. 
The penalty that must be paid for voting as an approach 
to failure protection is that all redundant copies of a given 
piece of equipment must be powered up, functional, and operating 
identically. 
The level of redundancy and the technique of failure detection 
• depend on the interpretation, of the failure criterion. The 
greatest difficulty attaches to the definition of the "failed 
safe" condition. Two interpretations are possible: 
• - _	
a) To treat the "failed safe" conditions, as "graceful 
•	 .	
.	
degradation". In this concept the failure results in a 
reduced system capability which, nevertheless, retains 
15 
INTERMETRICS INCORPORATED . 380 GREEN STREET . CAMBRIDGE MASSACHUSETTS 02139 1917 RR1Afl 
....... .	 .
F 
certain functions critical to the safety of the crew and 
the vehicle. The security of these functicris must, therefore, 
be treated as part of the system design specification. This 
approach allows the greatest economy of equipment, but suffers 
from a difficulty of definition and of sophistication of 
system design ;
 especially in the area of software. 
b) To treate the "failed safe" condition as "operational". This 
obviates the need to specify a diminished set of critical 
functions, and avoids the difficulty of their implementation. 
It suffers, however, from the need for full redundancy of 
•	 equipment to allow performance in an undegraded fashion 
after the failure to the "safe' condition. 
The ;econd approach has been assumed during this study, because 
the detailed definitions required for graceful degradation cannot 
be undertaken at this early stage of Shuttle development. 
A clarification of the "operational" condition prior to 
the "failed safe" is necessary to establish the degree of 
redundancy required by the second definition above. 
a) It may be defin, as a fully operational condition in which 
there will be a luO% certainty of failure detectiofl, with 
a near-instantaneous reconfiguration. 
b) It may be less strictly interpreted, as a fully operational 
state with a small but finite probability that certain failure 
•	 modLs may pass undetected, or remain unresolved, and that a 
small, buL finite time may be required to recover from a 
failure transient. 
The first interpretation virtually demands that sufficient 
redundancy among the unf ailed elements remains for majority voting 
to take place even in the penultimate failure state. Majority 
voting provides almost perfect error detection when errors occur 
elativcly irfrequent.ly in an uxicotrelated random fashion. 
An added attraction is the capability for immediate error correction 
upon determination of the dissenting vote. 2he penalty is that 
at least triple redundancy is required prior to the failure to 
the saf' condition. For the full FO-FO-FS tolerance this implies 
that five levels of redundancy must initially be available. 
The second interpretation above allows the reqJirements of 
the failure detection tech:.ique to be relaxed, and a 'wer degree 
of redundancy to be used.
	 At least dual redundancy is required 
by the 'operational" definition of the "failed safe" state, anc1 
allows comparison to be used to trap the final failure. For the 
l 
tNTE.MFTRIC3 INCORPORATED - 380 GREEN STREET . CAMBRIDGE, MASSACHUSETTS 02139
. (17 R.iRn
1 
-i
S4 
failure characteristics escribed above comparison provides for 
almost certain detection'. Consequently, FO-FO-FS tolerance 
can be provided by
 four levels of redundancy, rather than five. 
Comparison, however, does snot provide an indication of which of 
the redundant signals or equipment has failed. .A supplementary 
method must be employed to identify and isolate the failure: 
a) Self-diagnosis. In the case of computers, a degree of 
assurance can be provided by special self-test software 
•	 which exercises most of the basic operations in the processors, 
memory, and I/O. However, the volume and complrxity of the 
diagnostic routines required for near certain probability 
of fault isolation precludes their use in parallel with 
the operational software. These routines must replace 
the operational software for as long as it takes to track 
down the ailing element. During this period the computer 
•	 can obviously not provide the full complement of capabilitjs 
to the system. 
For the less "intelligent" systems in the Ivionics less 
•	 extensive diagnostics are possible, and in fact, less 
are needed. 
b) Built-in test equipment (BITE) can be designed into' the 
avionics equipment, to provide measurement data not normally 
utilized in operation. When a failure is indicated 
these measurements are sampled, either by. the computer in' 
the system, or by special sequencing and comparison circuitry 
to determine the malfunction. Hardware complexity limits 
the degree of isolation by BITE. 
•	 C) Functional Testing. The suspected equipment is cycled through 
a functional sequence of operations of which it is required 
to be cap.ble by specification, again either by the computer, 
or by special equipment. This is the least exhaustive 
technique, but it demands the least amount of diagnostic 
•	 hardware and software. In conjunction with failure 
detection by comparison it may provide the most cost effective 
approach. 
It is obvious from the foregoing discussion that a less-than-
1.00% certainty 'of detection and recovery for the final failure 
must be included in the definitionof the "safe" condition, as 
must the finite response time to resume an operational status. 
17 
INTERMETRICS INCORPORATED • 380 GREEN STREET -
 CAMBRIDGE MASSACHUSETTS 021Q •	 QiO,n
.3.2 Failure Detection and Isolation 
Having discussed the impact of a given failure tolerance 
criterion on the degree of redundancy in the system, some of the 
finer points of failure detection and recovery by voting, comparison, 
and other diagnostics will now be reviewed. In a well designed 
system, with high signal to noise ratios and a mim.mal likelihood 
of widespread or catastrophic failure modes errors will be random, 
uncorrelated, and infrequent. In this environment comparison 
of redundant, independently-computed output data provides a 
near certainty of failure detection. Current estimates are that 
the Shuttle avionics system will probably be Characterized as 
such a system. Comparison is being proposed for error detection 
in the Shuttle data bus system in the areas of: 
a) the computers 
b) the data bus 
C) other sensors. 
These areas will now be examined in turn. 
3.2.1 Computer Failure Detection and Recovery 
Although the computer operates in a highly involved and 
complex fashion, it is deterministic and exact: a given operation 
will always yield the same result if repeated with the same 
input data. The major problem for computer comparison in a real 
time environment such as the Shuttle data bts is the synchronization 
of computations which involve time dependent functions and input 
data. Synchronization can be achieved by: 
a) central control of the computer clocks; 
b) careful gating and distribution of input data; 
C) strict identity of hardware and software operation.
A comparator/voter mechanism adds to the hardware and software 
complexity. it also incurs operational delays, because time is 
required: 
a) to wait for synchronization of clock and data; 
b) to perform the comparison; 
c) to decide on the results of comparison; 
d) to take corrective action. 
18 
NTERMETRICS INCORPORATED 380 GREEN STREET • CAMRRIIF MA.cSA('i-4IIT7Q fl)1n. 
.
	
c. 
I.
S 
.
To minimize overhead, the comparison should, therefore, take 
place at a fairly high level of operation, rather than instruction 
by instruction. Comparing the operation of the computers at the 
point where they influence their environment, i.e., at the computer/ 
bus interface, is a logical choice, provided that outputs occur 
frequently enough. 
	
-•	 Comparison and voting can be done in varying degrees, with 
varying hardware and software complexity: 
a) majority voting on the output data of three or more computers, 
re.ucing to comparison with diagnostics when less than 
three good computers remain. The bus receives only the 
data derived from the majority vote. Failure isolation 
and correction is automatic as part of the voting process. 
	
•	
The complex voter that this requires must be sufficiently 
redundant and possess adequate error protection to meet the 
failure tclerancc criterion, because it is an in-line 
	
•	 element in the data bus. 
b) Majority voting on the indications of health, but not on the 
output data. One computer is selected Lc: be "active", 
and its outputs control the bus directly. The other 
computers are used as standards to provide independent 
checks on the operation of the active computer. A voting 
mechanism decides on the basis of a majority of comparator 
	
•	 results. whether the active computer is operating correctly. 
	
•	
It may also determine which of tha inactive computers has 
developed a failure (see Figure 3.1).
	 In the event of a 
failure of the active computer one of the others is made 
active. The voter mechanism may be considerably simpler 
than the data voter of the previous paragraph, since it 
only operates on binary values; its response time need only 
match the reconfiguration dynamics, not the transmission 
frequency of the bus. Furthermore, since it is not an in-
line element of the system, it may not have to meet the 
same stringent failure toleraflce requirements. Each com-
parator can be considered a part of a computer's I/O section 
and is thus naturally redundant. In fact, the comparison 
could be performed, by software, interna:. to each computer. 
As a cDnsequence of voting binary, rather than many-valued 
byte or word data, the simplicity of the second method pays a 
penalty in the lower inherent certainty of correctly interpreting 
failure conditions. There is a greater possibility for split 
vote situations to arise with binary variables, and a greater 
likelihood of identical multiple failure. However, these conditjcns 
will only arise when failures in the comparison and voting logic 
itself produce erroneous indication of computer health; the 
lower complexity of this voter will aid the achievement of the 
necessary reliability.
19 
INTERMETRICS INCORPORATED . 380 GREEN STREET -.CAMBRIDGE. MASSACHUSETTS 321AQ • i17t	 I 
'V
I 
it
For either voting approach, once less than three good computers 
remain, reliance must be placed on self-diagnosis to determine 
the faulty computer. No self-diagnostic technique can ce 
infallible; a disagreement between two computers could yield 
the following conditions: 
a) one computer determines itself to be faulty, the other 
finds itself healthy. This is the expected result. 
b) Neither computer detects a malfuictjon. This may be 
because the fault was transient, or because it was a border-
line case beyond the capability of the diagnostic method. 
C) Both computers detect malfunctions. This event is highly 
unlikely in the case of uncorrelated random errors, but 
may easily occur for common mode problems such as physical 
environmental transients (e.g., power supply and thermal 
variations). 
One insidious possibility for a processing failure that may 
not be trapped by any of the techniques discussed so far is that 
of the software error. The software in each of the redundantly 
operating computers must, for the purpose of comparison and 
voting, be virtually identical. It is, therefore, inherently 
.on-redundant. A software fault will produce data which, being 
identically erroneous, will appear to compare correctly. This 
conditi3n must be classed as a design error which, along with the 
similar logical hardware fault, must be prevented by careful 
design and adequate verification, rather than by complicating the 
system in an effort to make it immune to conceptual errors. 
3.2.2 Data Bus Error Detection and Recover 
Although there are two causes of failure in the bus 
system, namely hardware failures and transmission errors, these 
may not be separable in cause or cure. Usually, the same error 
detection and recovery procedure handles both.
	 Of the two 
main approaches, error correction coding or voting on multiple 
transmission, the first is treated in some detail in Chapter 5 
and th' second in Appendix A. 
The repeated transmission of a message over a single path 
is a well known forn of coding and can be used for error 
detection (by comparison,-requiring all messages to be identical) 
or error correction (by voting, and accepting the message that 
is made up of the most often received bits).
	 It is easy to 
21 
INTERMETRICS INCORPORATED . 360 GREEN STREET • CAMRRIDCW MAACiITT fl1fl - II
implement, but as coding systems go, it is relatively inefficient. 
In order to get a Hamming distance four code for three error 
detection, the message must be repeated four times. The same 
error detecting capability can be obtained with many fewer bit 
using other coding schemes. 
The transmission of the message over multiple separate paths 
is in many ways similar to the multiple transmission over a 
single path. It is true that the message is received and verified 
•	 at the output with less delay than is associated with the 
•	
sequential transmission scheme, but on an overall basis, there 
•	 is no improvement in the utilization rate of the available channel 
capacity. In analyzing
 the probability of an undetected error, 
• :	 for random independent errors, there is no difference between •	
the two schemes. For errors caused by external influences, 
such as EMI, the probability Of having a.l of the channels 
affected in the same way by an external occurrence appears to 
•	 be qute low, especially if the channels are physically separated. 
In severe case:, it is possible to offset the multiple trans- 
missions from each other by a small number of bits, so that 
•	 the same information bit will :to t
 be effected on each line. 
However, the prob'bility of having some number of sequential
 
transmissions over a single channel be altered identically by 
•	 sequential external occurrenc's, is of very low probability. 
•	 Therefore, unless the reduction in throughput rate becomes 
unacceptable, there appears to be little advantage, from the 
Point of view of error detection and correction, to be derived 
by parallel transmission. The redundancy of the bus should be 
determined by the need for hardware failure protection alone. 
Voting on multiple transmissions from the computers implies 
•	
a complexity at the receiving terminal: 
•	
a) storage must be provided to hold each transmission, 
if sequential; 
b) a majority voter to act on the redundant transmissions s required; 
c) for parallel transmission, a back-up error detection policy is 
•	 required in the event of hard bus failures since voting is not 
feasible with less than three good lines; 
• •	
d) the results of decisions on transmission validity made at 
the terminal must be communicated back to the control computer 
•	 to maintain an Up-to-date configuration status. This prevents 
•	 the use of a pure command/response bus control policy (see 
Chapter 4).
22 
INIERMETRICS INCORPORATED . 380 GREEN STREET CAMBR;OGE. MASSACHUSETTS nio •	 o
4 
e) For parallel transmission each terminal must: access all 
buses to perform voting. The Catastrophic failure of a 
tcrmiaal could incapacitate the whole bus system. In' '	
addition, for physically separated bus lines (e.g.', port 
and starboard cable routing), extra weight. is incurred for 
cross connections.
	 0 
This complexity discourages the use of transmission voting 
as an error detection and correction scheme for all comnlunLcatjons, 
since other techniques such as echo checking, described later, 
offer as much security without the. overhead. However, critical 
•	
communications can be Conducted with a higher degree of confidence 
by repeated serial transmissions. The buffering and voting of 
these should properly occur outside of the bus, in the particular 
subsystem involved. It. should be noted that in the absence of 
comparison mode of SIU operation, it becomes almost imperative 
that bus transmissions should only occur on one line at a time 
to woid the confusion that would result at the subsystem from 
the receipt of several simultaneous messages. This is especially true for configurations that require only one SIU connection to 
each bus line. 
3.2.3 Subsystem Output Voting 
has l The voting of data received over the busby the computer 
ess value so far"as validating the transmission of the 
•	 infcrmation, since the computer has considerable flexibility 
in determining correct system operation (error coding, echo 
checking, etc.) that does not involve the complexity of 
•	 :	 voting, or multiple transmission by terminals. However, 
comuarison of data from redundant subsystems provides a powerful 
•	 fault detection and isolation capability which would be difficult 
to match by other diagnostic techniques (e.g., BITE). This 
capability should, however, have little influence on the design 
of the bus system: it is more a problem of data management by 
the. software.. Each computer in a redundant configuration must 
be able to access the data from each redundant element of the 
subsystem, which imposes a constraint on the interconnection 
of computers, bus lines and terminals. This will be discussed 
in the next section.
	 . 
Multiply generated data from transducing subsystems, such 
as the inertial reference, present other problems for voting 
in addition to those of time synchronization described earlier. 
Such data is generally derived from analog quantities and is 
subject to drift, scale factor errors, etc. 
23 
I NTEPMETRICS INCORPORATED 380 Gr'EEN STREET CAMBRIDGE MASSACHUSF rc n9iAci 117 000
3•3. Redundancy Interfacing 
This section will discuss the interconnection of the basic 
units of the Shuttle data bus system; i.e., the computer s
 bus 
control unit, bus, bus interface unit, and subsystem. Although 
•	 •	 five levels of redundancy could be required to meet the FO-FO-FS 
criterion, a maximum of four will be assuIflec in the discussion. 
It is expected that strict adherence to FO-FO-FS throughout 
the avionics systems will not be demanded, nor will it, indeed, be 
practical. It has been assumed for this study that some systems, 
because of non-criticality or extreme reliability will not be 
•	
.	 required to demonstrate four-fold redundancy, but will, never-
	
. •.•	 tholess, demand the full failure tolerance from the bus.. 
To interface these to the quad-redundant bus presents a redundancy 
matching problem cross connection, or cross-strapping of the 
different levels becomes necessary. That an overall increase 
in system reliability may be a by-product of cross-strapping is 
indicated in Appendix A. Another reason for cross-strapping 
	
• .
	 is to provide a greater flexibility for the application
,
 of 
comparison and voting among the redundant levels, and for the 
management of system reconfiguration. Finally, in a real Shuttle 
environment with geographically divided bus lines, cross-strapping 
prevents a situation in which the left side computers could not 
run the right side equipment... The question of cross-strapping 
occurs mainly at the computer/bus and at the gus/subsystem inter-• faces. These areas will be examined in turn. 
•	
.	 3.3.1 Computer to Bus Interface 
This interface involves the computers, BCWs and the 
•.
	
	 bus lines. Only the expected case of quad redundant computers 
and four buses will be considered. The several options are 
illustrated in Figures 3.2 through 3.3 and are now compared 
in turn. 
a) Configuration 1 (Figure 3.2) 
This is the simple approach of no strapping at all. The 
computer, BCU and bus constitute a single string unit. A 
•
	
	 failure of one of the elements in the string fails one 
entire bus line. Communication of data between computers 
must be done via the bus terminal or by special purpose 
cross links between the computers. Error checking of the • 
bus by comparisc:- is impos'ibie at the computer end. Each 
bus terminal must access all bus lines, which makes the 
whole bus system vulnerable to a catastrophic terminal 
failure. The bus terminal is Complicated by having to 
bear the brunt of bus system failure detection and correction, 
reconfiguration, and status monitoring. If comparison 
24 
L. . INTERMETRCS INCORPORATED . 380 GREEN STREET• CAMBRLDGE, MASSACHUSETTS 02139 • (617 868- 1840
BCU NOT
	
LINE NO. I

COMPUTER 
NO. I
I
 
L
COMPUTER 1________ 
NO. 2
	 8 C NO.1	
NO. 2

COMPUTER	 BCU NO. 3f	 NO.3 
COMPU TER 
• .•
	
BCU 
NO. 41	
NO.4 
•	 Figure 3.2
	 4 single strings without 
cross Connection 
•	 25 
.__•r_-_•..•
or voting of the computers and the I-CU's is to be done in 
this configuration, it must be accomplished by the terminals. 
•	 •	 Voting f sensor outputs is plainly not possible, even at 
the terminals. Certain subsystems must have all LRtJ's 
powered up and running; e.g., the inertial measurement Unit. 
These subsystems require all the string elements.of the bus to 
be up and running: partial bus operation is not feasible 
without cross-strapping.'S 
b) Configuration 2 (Figure 3.3) 
In this configuration the computer and }3CU are 
. a single 
string unit: cross-strapping occurs at the BCU/bus line 
•:	 interface, enabling each computer/BCU to access any bus 
•	 line. The access may consist of either 
1) transmit and receive on one line and receive-
only on the others 
or
2) transmit and receive on all. 
Configuration 2 provides: 
1)	 the capability for each computer/Ecu to monitor 
the bus line outDuts of the others, thereby 
enabling the comparison/voting of computer 
performances discussed in Section 3.2.1.
	 Note 
that this arrangement includes the BCU in the 
error detection loop. 
2)	 The ability to reconfigure the arrangement of 
active cornputer/LCU and bus lines in the event 
of failure.
	 In this configuration it is nit 
possible to transmit onto the bus the majority 
voted output from the several computer/ECU's, 
•	 since data for voting is only available after 
S
the bus has received the active computer's output. 
•
Furthermore, a failure to the active coxnputer/BCU 
is detected only after •the erroneous message has 
• S	 been transmitted into the bus system.
	 Since the 
•	 •	 terminal in this co n:.tguration need not access 
every bus
	 t ine, as ses necessary in Configuration 1, 
• it has been relieved of the burden of checking 
on computer operation.
26 
INTERMETRICS INCORPORATED 380 GREEN STREET
.
 CAMBRIDGE. MAcSArHu'rr n,1'n -
— 
IBUS LINE 
	
COMPUTER	 NO.2__^ 
NOA 
COMPUTER  
NO. 2
	 k	 OCU NO. 2 
COMPUTER 
NO.3	 I 	 BCU NO. 3 
COMPUTER 
O.4 J BCUNJ ± 
Figure 3.3 Cross connectiOn .between.DCtj 
and bus
BUS LINE 
	
COMPUTER
	 T-^ BCU	 NO. I 
	
COMPUTER	
____t i. ? I
	 J BCU NO. 2	 NO. 2 NO. 2 
	
COMPUTER	 I t I
 
NO. 3	 - BCU NO. 3 
	
COM?UTER	 I  O. 4	 I BCU NO. 4 
'Lgure 3.4 Cross connection between 
computer and BCLJ
c) Configuration  (Figure 3. 4) 
This is an alternate cros s-strapping arrangemèn which, as 
far as the bias lines and the terminals are cbncerned, has 
similar characteristics to that of Configuration 2. However, 
each BCiJ/hus linu is
.
 now the single string element, rather 
than the computer/Bctj. Cross-strapping occurs betseen 
the computers which nakes possible the parallel transfer 
of data with a great inclaase in the speed of compàricon. 
This may allow comparison to be performed before erroneous 
data is transmitted to the bus, and a measure of majority 
outpu voting, even with only one active computer. Comparison 
ana voting may be performed with sojtwa'e, with consequent 
flexibility. 
However, since the computer to BCU is likely to be a parallal 
data intcrfe, it will be complex. Cross-strapping at this 
pcint will therefore present considerable difficulty. -The 
complexity can be limited if a computer's access to the 
...ther BCU's is restricted to receive-only, and if it 
transmits to the bus only through its own ECU, which is in 
turn, dedicated to a particular bus line. This restriction 
means, however, that a bus line failure will, in effect, 
•	 disable a computer. 
d) Configuration 4 (Figure 3.5) 
In this configuration the computers, the BCU's and the bus 
• lines are all separately reconfigurabie. Cross-connection 
exists between the computers and the BCU's and between the 
BCU's and the bus lines. This arrangement can be considered: 
1) as a combination of Configurations 2 and 3 above. 
The reconfiguration flexibility thereby achieved 
• is severely off-set by the complexity of the inter-
ccnnectjons and the magnitude of the configuration 
management task; 
•	 .	 2) As the o"ly one that allows fullmajority voting 
•	 of ccmpt	
. outputs by the BCU before transmission 
over tht
	 S. 
•	 In the second of these two roles, illustrated in Figure 1.3.4, 
Configuration 4 suffers from a number of disadvantages: 
•	
- 1) Since the I3CU functthris as a majority voter on 
all the computer outputs, it is necessarily a 
single point element of tie system. It must, 
therefore, be internally redundant to meet the 
•	 FO-FO-.F5 crit-rjon, and in addition must Possess 
its-own failure detection, isolation and reconfigura- 
tion mechanism. - 
-	 -•	 .	 .	 ..	 ''	 .	 -28'  
:-,	 INTEAMETRCS INCORPORATED . 380 GREEN STREFT
	
- 
I
SF 
COMPUTER
NO. 1
I BCU NO. 1 
I BCU No. fl2	 Bus LINE NO I 
it 
COMPUTER
	
BCU NO. 3
	 BUS LINE NO. 
BCU NO.4  
BUS LINE NO. 3 
COMPUTER  14 0. 3 
COMPUTER
NO. 4 
. ^ 
^q_
Figure 3.5 Quad redundant BCU configuration 
.5
29 
I..	 •..	 ...................... 	 ••---._•...	 ...........	 .55.
2) It is not possible to drive the bus lines with 
non-idei.jjcal data (as might be desired in a 
future expansion ,of the capabilities of the bus 
system), siice there is no clear dedication of 
a BCU to each bus line. For the same reason 
parallel input voting would be difficult. 
The foregoing discussions have assumed that the computer is 
performing a central function in the control of the bus, and 
that replication is purely to achieve failure tolerance. it 
is possible to consider more than one computer in the operation 
of the bus system, as described in Chapter 4, but these cases 
will not be discussed here. Suffice it to say that the com-
plexities of cros s-connection, failure detection and isolation, 
and reconfiguration management increase steeply with each 
multiply redundant computer that is added to the system. 
3.3.2 BUS-TO-LRtJ Interface 
•:
The configuration of this interface is influenced by the 
configuration of the computer/bus interface and by the redundancy 
levels existing in the subsystem to be serviced by the bus. The 
elements of this interface are shown in Figur3 3.6 through 3.10 which illustrate the major options for ross-strapping 
the connection from a quad redundant bus tc triply redundant 
subsystem. From the point of view of red
	
-icy izterfacing 
these elements are characterized as folio. 
a) SIli - connects to each bus line by a single, serial data 
pach. May be simplex or internally redundant. 
b) EIU - connects to each SIU by one or two serial data paths, 
and several control lines. Need not be physically separate C
rom the SIU (or from subsystem, depending on configuration). 
C) LRU - connects to each SIU by a complex interface that 
may consist of various signal types: serial, parallel, 
discrete and analog, of up to 50 or 100 signal paths. 
Taking each cross-strapping option. in turn the following observations can be made. 
a) Configuration 5 (Figure 3.6) 
This is the trivial case of no cross-strapping at the terminal. 
The bus, SIU, EIU and LRU Constitute a single string element. 
A failure of any one componant fails the whoic string. Re-
configuration consists of isolating the faulty string and 
switching to a good one. This has the advantage of simplicity. 
LrdJ's may be geographically separated without involving 
local cross-connection penalties. However, the subsystem 
is serviced by a bus that does not meet the FO-FO-FS failure 
criterion, since the fourth line is not connected. 
30 
T&PL4TL.C'	 . OA 1rI	 rr	 . -
. 
[1
•	 I	 I	 •	 I 
EIU	 EIU B
	 F EW ci 
Figure 3.6 Single string no cross connection 
BUS LINE NO. 1 
-	 Mfl )	 - 
NO.3 
I 
SIUA	 I 
• EIIJA EIUB EIUC • é IRUC 
Figure 3,7
	 Cross connect.on between SITJ and bus 
31 -..- . ---
INTFRUT1U	 IMt'tD .O*y r . 'ØI% lkI
b) Confi3uratiOn 6 (Figure 3.7) 
Cro
ss-strapping occurs at the bus/SIU, interface. The SIll, 
EIU, and LRU are here a single string element, and each LR[J 
can .
 be
 accessed by all bus lines. The full failure tolerance 
of the bus is therefore avai1a1e to the subsystem. Re-
configuration is, as for the first example above, still a 
matter of switching to a good string. Disadvantages of 
this approarth are: 
.
1) The SIll and EItJ are considered a part of, and their 
redundancy is determined by, the subsystem. The 
complexity of the SIU/EItJ combination may force 
the use of a higher level of redundancy in a sub-
system of superior reliability than would otherwise 
be Considered. 
2) Eaci level of subsystem redundancy reaires fou 
connections to the bus, in this case a total of 
12. Bus connections chra,1, i"-.	 -
ea, as is -	 z1 discussed in Chapter 6.
	
1J.111iz 
3) A catastrophic failure of one SIll can disable the 
whole bus system. (The use of bus line couplers 
can limit this to failure of the subsystem only.) 
4) Comparison of the outputs of LRU's cannot be 
accomplished locally. (This is not a serious drawback, since local voting may be undesirable S	 in any case on grounds of complexity.) 
5) It is not possible for one terminal to compare, or 
:	 vote on, multiple, Parallel hnq 
6) A separate address in the bus control word format 
must be provided for each SI(J to allow for re-
cor.figuratjo 
7) Only one EIU may be serviced by each SIU. 
C) Configuration 7 (Figure 3.8) 
Here crocs-strapping occurs at the Sill/Elu interface. The 
SIll becomes an element of the bus, and the ETU is considered 
a part of the LRU. The degrees of redundancy of SIU and 
EIU are, therefore, determined by the bus and subsystem 
respectively. The advantages of this arrangement are: 
IIJTPUFTIC I(aATS • )aA tru,,—&u
32
rFigure 3.8 Cross connection between SIU and EIU 
-.33
I
F 
!'
1) No single SIU failure can disable the bus system,' 
although 'it could disable all EIU's (and therefore 
the subsystem). 
2) LRU comparison could be done at the SIU level 
(although at considerable, cost in complexity)'.' 
3) If bus configuration is controlled by the Computer/BCrJ 
(which is probable), then a separate address is not 
required by each SIU at a terminal. 
4) Cross-strapping involves only a 'few physical paths, 
since data at this point is still largely serial. 
The disadvantages are: 
1) Four SITJ's are required even if the subsystem 
•	 ' 	
' redundancy level is lower (this is only a 'real 
disadvantage for reliable but critical subsystems 
which require the full FO-FO-FS bus tolerance). 
2) The bus system can only be run in a simplex 
communication mode (e. g ., command and data 
cannot be assigned separate paths). 
3) The cross-strapping complexity, though much lower 
than Configuration 8,may exceed that of 6 '. This 
is of concern if the bus lines are separated by 
considerable geographical distance. 
d) Configuration 8 (Figure 3.9) 
In 
. this configuration the bus redundancy is carried to'the 
EIU level and cross-strapping occurs at the LRU interface. 
This approach allows the SIU and EIU to be considered as 
one unit, an advantage if one standard bus-to-subsystem 
interface is specified. However, its overwhelming dis-
advantage is the complexity of cross-connecting an inter-
face that may consist of 50 to 100 separate paths to each 
LRU. Such an a rrangement should be considered only for very simply connected LRU's. 
e) Configuration 9 (Figure 3.10)
	 ' 
This is not strictly a different configuration, but rather 
a version of configuration 7, designed to 
' cope with the 
problems of widely separate LRLJ's. Such separation may 
be snecified to reduce the vulnerability of Shuttle avionics 
elements to catastrophic occurrences such as meteorite 
34  
IP.n'FPL4fTPIr. IP.	 DAQAn • on	 rr- ,..a. m.,... 	 ,..	 •... -.
I 
•i 1^ 
t	 S
I	 I	 I	 I 
	
EIU 1 1	 EIU 2 J	
EIU 3
	 EIU 
L 6RU A 
•	 1 
Figure 3.9 Cross connection between ElU and LRU 
33 
-	 TATIQvem-	 I•	 -- - - ••.-- -.- •• 
ri 
cr 
cz C13 cc 
-4---
CJ 
C.) cc 
0 
•
U L) co I C42 
Ti
ca 
co 
co cc
cc 
Cie CA o C; ci z z z 
W W W LL cc 0 
Z Z a Z 
-i — — = z go	 G03	 uj cc 
-
t	 U) Cl) (I) 
• U)	 I
r. 
0 
(U 
tin 
—4 
0 
C) 
U 4-I 
U 
I-I 
0 
>1 
(U 
0 
'-4 
C) j1 
.-4 
collision, or the explosion that crippled the Apoith 13 
service module.
	 Rather than associating a group of SITJ's 
•with a specific subsystem, Configuration 9 associates a 
group of SW's with a particular level of redundancy. 
This approach is particularly suited to the clustering 
of equipment into bays located at strategic positions 
in the Shuttle vehicle.
	 For example, a group of four 
subsystems each with triple redundancy would require only 
three groups of SIU's, two in one bay and one in the other. 
• The long cross-over leads from port to starboard and vice 
versa (indicated by L in Figure 1.3.9) can be formed by 
• T-junctions into the bus lines; i.e., each need only be a 
single data path.
	 In the mechanization of Configuration 7 
on the other hand, this arrangement would require four 
groups of SIUs, with vehicle cross-overs occurring at the 
more complex SIU/Elu interface.
	 In general, Configuration 9 
scores whenever equipment can be so grouped that the number 
of subsystems serviced by one bus terminal exceeds the 
subsystems' degree of redundancy. 
3.4	 Relationship of Computer To Bus 
• The relationship between the computers and the' rest of 
the data bus system is a complex subject.
	 The choice of a con-
figuration that best meets the requirements Of the Shuttle is 
impacted by many factors,'most-of 
S.
them outside the scop
	 of this study.	 However, one important consideration of direct conse-
quenceto the design of the bus is the co!rputei's role as the 
controlling element in the system. 
The following discussion will take amore general view of 
the integrated avionics system thai thatassuxned'so far, in 
order to compare and contrast the various approaches.
	 The only 
*assumption made is that all or part of the complement of avionics 
equipment will be interconnected by common data buses, rather 
than by dedicated interfacing.
	 The configurations then involve 
the use of one or more computers, and one or more data buses. 
The options may be summarized as; 
a)	 single (central)	 computer, single 'bus 
•	 b)	 distributed computers, single bus 
c)	 distributed computers, multiple buses.
37	
.;•	 .• 	 •'. •• 
INTERMETP!CS JN(flRPflAT1fl.4an (OPJ QTQCCT • (AiabnIr,-r, &&A^ 	 .'----	 .'•._-.---"--• 
..
There are several variations of these, depending on the require-
ments specified for the system and the functions of the elements. 
3.4.1 Central Computer, Single Bus 
Topographically, this is the simplest arrangement (see 
Figure 3.11, although it imposes a higher level of sophistication 
on both hardware and software than the distributed approaches. 
The central computer is the sole authority on the bus and all 
bus communications are initiated and directed by it. In addition, 
it exercises cntro1 over sub-system operation (for example; 
IMtJ, radar, environmental control, power distribution, etc.) 
and performs all required computations and data processing. 
Only under certain conditions, described later, may pr-cessing 
be performed elsewhere. All the avionics subsystems and their 
equipments interface with the one common bus, and the resulting 
bus traffic data structure must accommodate the full complement 
of addresses, commands, and data interfaces. Since there is 
only a single functional copy of the computer and the bus, 
the replication of equipment to achieve the required level 
of redundancy is minimized; i.e., the amount and complexity of 
reconfiguration hardware and software, and the number of inter-
faces to be controlled. The main drawbacks to this approach 
ae that the central computer must 
a) accommodate all Shuttle avionics functions; 
b) possess a high level of performance; 
C) contain a greater volume of software, of greater complexity, 
than any computer in a distributedarrangement.* 
The software burden of the completely centralized computer

configuration can be alleviated, without degenerating the autonomy 
* It should be pointed out, though, that the total volume of 
software in a distributed set of computers, performing an equiva-
lent job, will be hi;her than in a central computer, for the 
following reasons: 
a) each computer must carry its own set of executive and system 
routines 
b) bus control routines must exist in each computer (although some 
hardware/software trade-offs can be made with the bus control 
unit); 
c) certain bus systei data, such as status information, must be 
maintained in each computer to enable it to use the bus 
intelligently; 
d) extra software is required to enable the computer-to-computer 
communications.
38 
NTERMETRICS INCORPC)RATFfl • W CPP$PJ STQT • r iap ir,t. IjAou,,rr-,	 -
.H, 
•H
Figure 3 11 Central computer control 
In
39 
INTERMETRICS iNCORPORATED 3E0 GREEN
	 E'T • MPItW.0 UAA'&JfleT?,2 I• -	 --
I.
I
of control that the central approach offers, by dedicating
.
 to 
a subsystem its associated processing task. A separate 
computer may then be introduced into the subsystem to take 
over the task from the central computer. The condition, however, 
being that it forms a part of the subsystem, and that it makes 
no demand to control or directly access the bus. Any data 
requirement will be communicated through the regular subsystem-
to-bus interface. The cezitra). computer need not then be aware 
of the other computer. 
Two examples of such an arrangement could be the display 
processor, which provides stored display formats and refreshing 
to the crts, and the main propulsion system. processors. A 
configuration which treats these as subsystems in a centrally 
managed bus system is shown in Figure 3.12. 
The software in the central computer services all equip-
ment connected to the bus and performs all-the functional 
requirements of the system. The bouudaries of a functional 
subsystem tend to disappear, and exist only as shared software 
in the computer. For example, the stabilization and flight 
control system will consist of redundant sensors connected 
to the bus operated by programs which are allocated a portion 
of the central computer resource. The total flight control 
subsystem (including software) is therefore not a visible 
separate entity but becomes, in fact, part of an integrated 
avionics system. 
The centralized system promotes standardization of approach 
to system design problems. Centralized software and a central 
bus provide the means to impose this standardization. 
A centralized system does not, however, provide isolation 
or localization of changes. Changes made to a particular 
system such as electrical power distribution, may not be 
easily or absolutely isolated from the rest of the system. 
Nor does it provide a hazdware independence of functions. That 
is, security of subsystems is only achieved through the bus 
system design.. 
3.4.2 Distributed Computers, Single Bus 
The sharing of the resource of the single bus between 
the several control computers characterizes this configuration. 
Two different versions of this configuration allow each cnmputer 
to gain access to its subsystems: 
a) Time-slotting. Tn this approach (Figure 3.13) a time-
based sequencer ., external to the bus and the computers, 
grants exclusive use of the bus to each computer in turn. 
40 
INTERt IETAICS !NCORPORATED 330 GREEN STREET . CAMBRiDGE. MAS5:t.HU 4;FTTS fl21 • 117 oo
. 
.
'I CENTRAL1 
M?UTER 
CCU 
sw	 sw	 stu 
[;CC, 
PROCESSOR
.	
N 
•	
UBSYSTE 1	 SUBSYSTE" 	 SU3SSTEM 
LJ	 LTJ 
Figure 3.12 Central bus control with distributed 
processing 
41 
INIERMEThICS INCORPORATED .
 380 GREEN STREEt • CAMflRIfl( UAArWIIQQ	 •
I 
During its interval of control, ech Computer has dole 
access to all subsystems. The intervals are pre-set 
•	 in the sequencer and of fixed duration, giving this approach 
• •	
an apparent simplicity. A mor flexible, but more 
complex, • .,•
	
	 variation on this technique places control of the access 
interval in the hands of one of the computers, so that the 
assignment of computers and subsystems to the bus may be 
varied in response to the changing requirements of 
different operating modes and mission phases. 
b) Master-slave relationship. In this arrangement, the 
responsibility for the overall management of the system 
rests with the master computer. The control of the bus 
•
	
	 is transferred to a slave computer at instances of time and 
for periods determined by the master computer in accordance 
•
	
	
with the needs of the system. This has very similar 
characteristics to the time-slotting technique with variable 
time slots, but is not Constrained to a cyclic control 
Sequence. 
A computer-th_compLiter communication link becomes an unavoidable 
requirement of both these arrangements for two main reasons: 
a) configuration status, operation mode, and other operational 
information about the bus must be communicated from one 
computer to the next to prevent uncontrolled or inadvertent 
interaction between the different activities within the 
computers. 
b) It is very likely that a degree of communication and control 
overlap will occur in which a common item of equipment on • •	
the bus will be accessed by more than one computer. In •	
such cases a difficulty arises if the transaction of control 
and data between computer and equipment is not complete •	
by the time the computer relinquishes the bus. The equip-
ment is then obviously not prepared to be accessed by the •	
•	 next computer in the control sequence. (Conf l ict-over its • •	
allocation could be tackled by providing a locking mechanism in the equipment itself. Such amechanism would, however, 
•	 violate the principles of a command/response bus control 
Policy, since the equipment would be ca-able of exercising 
•	 •-	
a control. initiative.) Conflict between two or more computers 
over the sharing of a common resource is a well known 
• :-	
• problem, and requires Cooperation between the computers. 
•	 Computer-to-co4nputer data transfer can take place either: 
a) over the common data bus, by providing a'spe j a1 time-
slot and/or message format for this purpose, or 
b) over dedicated data paths between the-co mputers (through •	 • •	 •	 I/O or memory access channels). 
42 
INTERMETRICS INCORPORATED 380 GRN TRPT • AU qDInC IjAOO*ss	 •-	 • - 
A
I "UCD 
SW	 Slu	 S • • S S	 SW 
COMPUTER H COMPUTER I 	
.______ 
COMPUTER NO. 1
	 NO.2	 u	 I	 NO. N 
Figure 3.13 Bu control by several Computers 
SUBSYSTEMS
	 (SUBSYSTEM)
	 1SUBSYSTEM NO.1	 i
/ NO.2 	 NO.N I 
1igure 3.14 Distributed computers and multiple buses 
43 
INTERMETRCs INCORPORA1 ED • 380 GREEN STREET • C.AUPiflt UCCAsU, I1rO	 .-	 ..-
S 
.
The need for such communication breaks down the independence 
of the various computers, and the characteriscics of the distri- buted ,
 configuration tend to assume those of the central. The 
key issue here is whether the separate computers can be uniquely 
	
•	 identified with independent functions and dedicated subsystems 
or whether interaction of control and data between the computers 
is unavoidable. If the independence of the computer functions 
cannot be assured, then a physical distribution of processing 
introduces problems of Communication and control that may create 
greater difficulty than if the job were accomplished in a single 
computer. 
3.4.3 Distributed Computers, Multiple Buses 
In this configuration, (see Figure 3.14 ) a subsystem that 
can be identified as independent, i.e., not requiring the 
-	
services of equipment in other subsystems, is administered 
• -:	 by a dedicated bus and control. computer. A central command 
computer coordinates the activities of the various subsystem 
computers. Its functions are: 
	
•	
a) to perform most mission oriented computational tasks (such 
as targeting, navigation); 
b) to perform high level system decisions (such as mission 
mode selection); 
C) to coordinate and control communication between the distributed 
	
•	 computers of 'high level, but low rate and low volume date. 
(such as crew commands). 
	
•	
The local computers perform all high speed operations required 
by the local buses and their equipment. They provide a fully 
operational subsystem capability to the command computer. 
This implies a high degree of autonomy in the areas of: 
a) status monitoring, 
b, fault detection and isolation, 
c) reconfiguration in response to failure indication, 
d) all processing required to implement subsystem functional 
capability. 
.1
•	 •	
• 
•INTERMETRCS INCORPORATED • 380 GREEN STREET • CAMRRIfliP A £twtQr ye ^n4 -
I t 4 
•:.
In essence, the local computers provide a bandwidth compressio 
by removing from the 
• central computer the burden of processing 
at high repetition frequencies and the control of activities 
requiring fast time responses 
The provision of separate buses encourages the formation 
of functionally related sets cf equipment into subsystems. 
Since the subsystems are no lcnqer tied together by the common 
control mechanism of a single data bus, they can achieve the 
•
degree of independence required tor a distributed computer 
configuration. 
The configuration management function can be more easily 
distributed than in the case of the single bus configurations, 
•	 because of the degree of local autonomy poEsible with dedicated buses. 
•	 The penalties of this approach are:
	 - 
a)	 multiple buses imply a weight and power disadvantage 
over the single bus (although the penalty is far less 
than for a dedicated wiring approach). 
b)	 In colrmon with the other multiple computer approaches, 
there is a replication of hardware and software that is 
avoided in the central computer configuration.
	 . . 
• !.. . 
• ..	 .	 .,. .	 ..
F 
45 
i . WTERMETRICS I NCORPORATE r) . 	 O GREEN STREET . CAMBRIDGE. McAIJTT	 AO& 12a. l	 .
'.'Page missing from available version" 
pa^c 4G,
.PREOEMNG PAGE BLANK NOT flLM) 
Chapter 4 
Or ration and Control of the Data Bus 
4.1 Data Bus Access and Control Phiiosophy 
•
	
	 Since the Shuttle data bus constitutes a central communica-

tions resource shared among multiple terminals and a central 
controller, a fundamental feature of its design is the method 
by which it is allocated to a particular communication path. 
The data bus systcrn is essentially a "party line" shared by 
all terminals: when access is granted, the bus is dedicated 
to a single communication path between a transmitting and 
receiving station. 
Selection of the bus access method is a basic decision 
because it constrains the design of both the remote terminal 
and the bus control unit. A general description of candidate 
approaches and a comparative evaluation is provided in this 
section. 
4.1.1 General Description of Bus Access Methods 
•
	
	
Several approaches to accessing a communication line have

evolved out of the de;ign of digital data acquisition and tele-
communications syrLem. Wour categories of line access and 
control have been identified: contention, polling, sequential 
time slot, and addressing. 
j4.1.1.1 Contention Access 
A contention access method is one in which the remote 
terminals that desire to transmit bid" or contend for the 
use of tile bus. The firdt terminal to initiate contact on the 
U.ne, not currently in use,. seizes the line and prevents its 
use by other terminals until it has Concluded transmission. 
A contention method Iuust provide a means for resolving conflicts 
between contending stations. The quaue list of "contending 
47 
INTEM ETAICSINCORPORfiTED 
. 380 GREEN STREET. •
 CAMBRIDGE. MASSACHUSETTS W. 110 • t17'. A.a.ia.n
IF 
requests" is either examined in a prearranged sequence or 
allocated via priority. The contention access method allows 
random accessing of the bus by terminals which have determined 
their own need to tIansmit,rather than by planned allocation 
via a central controller. The method requires a degree of 
control intelligence at the terminal. 
- S
	
	
An interrupt controlled bus represents a form of contention

access in which the central controller receives an interrupt 
•	 signal from a terminai requiring service. The controller 
• :	 allocates the bus to the queue of interrupt requests according 
to a pre-defined allocation algorithm. 
4.1.1.2 Polling 
Polling is a systematic, centrally controlled method 
	
•	
of permitting terminals to transmit without contending for 
access to the bus. Polling is accomplished by the central 
controller which periodically contacts the remote terminals 
and requests each if it requires the uus. The controller will 
colitinue to poll the remote terminals in some orler until 
one is found to require the bus. 
The most straightforward polling technique involves a 
polling signal sent in a "round robin" sequence, and each 
terminal returns a positive or negative response. More 
efficient schemes exhibit Sophistication in the polling sequence, 
or the order in which units are polled. One such scheme reported 
by MIT involves a polling signal recognized by all terminals. •	
Each terminal requiring access attempts to transmit its unique 
number by transmitting a '1' onto the bus corresponding to each bit •	
position containing a one in its wired-in identificaticn. During 
•	 transmission periods corresoonding to zeros in its identification 
	
•	 code, the terminal only monitors the bus. If it detects a '1' in 
this interval it ceases transmission and awaits another poll message. 
•	 If a station succeeds in transmitting a complete number it has won 
the poll. It is important to note that a terminal cannot access 
the line in a system controlled by polling; however, utilization of 
the bus is random depending on terminal need and the outcoc of 
:	 the 'o1l. 
4.1.1.3 Sequential Time-Slot Format 
•
	
	
Time slot data acquisition is essentially a method 
of granting access through a commutator such that data is 
transmitted in a prearranged order and is str...poed .ut by a 
decommutator. In such a system all units on the line must 
be synchronized because of the rigid tim 4.ng
 requfiements of 
the structure. This approach has been used successfully in 
data acquisition, monitoring, and telemetry systems. The method 
involves a1locati:g the bus to a pticular path for a fixed 
time interval within a time frame. A time frame is organized 
48 
NTERMETRCS INCORPORATED.- 380 GREEN STREET • CAMBRiDGE.	 rre rw •	 oe
1 .	 - 
•	 into fixed time slots and is initiated by a sync pu1e.
	 Each 
remote station requiring access begins counting clock pulses 
• and at predetermined count starts to transmit its message.
	 The •	 sampling rate for each terminal can be varied by. changing the 
•	 interval of time allocated to it. 
A variation cn this approach incorporates a format code 
into the time slot structure defining the. format of the data. 
The format code can be changed during the mission by the con-
troller as communication requirements change. 
.
The term "time slotting" has also been used in another 
context to describe a method for sharing the control of a bus 
system among several controllers.
	 It was examined in Section 3.4.2. 
4.1.1.4	 Command Response Addressing 
In a command response addressing schezie access to the 
bus is centrally managed by the controllor.
	 Under this concept, 
the controller transmits an appropriate command to the terminal including:
	 synchronj
.atjon header, terminal address, function be to	 performed (transmit, receive), data, and parity coding. 
•	 Upon recognition of its address, the terminal interprets the 
Command and begins transmitting or receiving the appropriate data. 
Using command response access, a terminal does not initiate 
•	 any Communication unless it is commanded to by the controller. 
Terminals only "speak"
	 "spoken when	 to". 
• In contrast to the polling scheme a terminal is not "polled" 
as to whether it wants the bus or not but rather is " Commanded" to send or receive a message.
	 Command/response addressing is 
similar to a polled system in that 
• a terminal responds Only when addressed. 
•
A fundamental characteristic of command response control is that the " i ntelligence" of when, what, and how often to 
communicate is in the controller (i.e., computer software). 
:
There are consequently no access Conflicts to r solve as in the Contention method, or local decisions required as in the 
polled system.	 • 
4.1.2	 Qualitative Evaluation of Access Methods 
•	 The advantages and disadvantages of the several bus 
access methods are discussed next. • They are summarized in 
Table 4.1. 
• • .•.•	 .••	 ••	 •	 49	 • •	 • 
INTERMETRICS INCORPORATED .
 380 GREEN STREET, CAMBRIDGE. MASACHUFTTS 00110 •
Access Method	 Advantages	 Disadvantages 
Contention 
..t.
1. Efficient allocation with 
a small number of 
terminals. Bus communica-
tion only when needed. 
2. Effective for a random 
input/Output environment 
at the terminal. 
3. Provides flexible struct 
for adding terminals.
1. Requires local in-
t lligence at the 
terminal to deter-
mine nee1 to access. 
2. Requires resolution 
of access conflicts. 
3. Non-detejnistic 
bus traffic. 
4. Failed terminals 
difficult to detect 
Polling 1. Centrally controlled
	 1.. Terminal access is 
allocation. No conflicts
	 random, I/O loading in access,	 difficult to predict. 
2. Comparatively efficient 
in bus util j zaion. Access 
granted only for positive 
responses to polls.
Time Slot i. Least complex terminal. 
Format (Fixed 
•	 • and Variable) 2. Efficient data transfer. 
Little or no Overhead in 
message format. 
• .-_________________ 3. Simple to test 
Command Response 1. Access and utilization are Addressing determined in advance
	 and 
the load balanced in 
•
accordance with computer 
requirements. (No backlog 
of I/O).
2. Polling frequency 
for individual 
terminals must achieve 
system response 
requirements 
3. Terminal errors may 
be undetected for 
negative response 
to poll. 
I. Inflexible. 
2. Rigid timing and 
synchronization 
1. Inability to effi-
cientiy accommodate 
random input streams. 
Table 4.1 Bus Access Method Comparison 
5': 
INTERMETAICS INCOPORATEO 380 GREEP; STREET • CAMRPIn( uace*ja-
	 - 
Disadvantages Advantages 
1
Command Response 
Addressing (cont'd 
•: 
*
2. Relatively simple 
terminal design. 
3. Flexibility achieved 
via software I/O 
command bits. 
4. Error control 
procedures more 
positively controlled. 
5. Simple to reccnfigure 
via .oftware.
2. Overhead in traffic 
required for address-
ing and command data. 
3. BCtJ complexity is 
greater than other 
approaches 
Table 4.1 Bus Access Method Comparison (contsd.) 
51 
2	 INTERMETRICSINcORPOMTED • 380 GREEN STREET • CAMBRIDGE. MASSACHUSETTS 02 , 32•	 RsLi&in
4.1.2.1 Contention Advan:ages and Disadvantages 
One aivantage of the contention bus access  method is 
that it could be .he most efficient from a system point of view. 
Utilization of the bus occurs only when it is required, terminals do.
 not have to be polled, commanded, or preprogrammed into a' 
tire slot. This approach is most effective wh'e the events 
which result in bus cor.triunication are random; for example, inputs 
from the crew. it allows equipment to be added very simply, 
even after the system structure has been established. 
However, contention access requires each terminal to possess 
enough intelligence to know when it needs to comznu4licate.
	 This increases the comdexity of the SW in the Shuttle bus system. 
Another difficulty arises in assigning fixed priorities to 
each unit such that conflicts in access can be rc,lved, parti-
cularly in the 'case of the Shuttle with 'a large anticipated 
•	 number. of terminals. 
Since bus access is random, 'the load on the bus: is not 
balanced and at peak loads a backlog of access requests for 
service will accumulate. This could affect the response time 
Lor certain subsystems with high frequency bus utilization 
requirement3, such as the flight control system. 
The non-deterministic allocation of the bus creates 
difficulties in system and software verification, particularly 
in testing for operation under all'traffjc 'conditions. Another 
.problem with an interrupt controlled system is that a failed 
terminal cannot immediately be recognized by the controller. 
It may not be able to bid for the line and consequently the W	 fault may exist without being detected, To avoid this situation 
the controller would be required periodically to sample the 
status of each terminal and to determine ite status. The 
freq'ency of this status check could be high for terminals 
connected to time critical subsystems,' diminishing the 
efficiency of bus utilization provided provided by the approach, and 
increasing its complexity.
 
If the Shuttle data bus consisted-of a small number of 
intelligent terminals this approach would be a reasonable 
candidate.  
4.1.2.2 Polling: Advantages and Disadvantages 
The major advantage of a pclled,scheme is that it 
eliminates random access to the bus but maintains a moderately 
efficient data transfer; i.e., communication only occurs 
when a poitie response to a poll is received. The efficiency 
of bu g
 utilization will depend on the selection of a polling 
aequenev and frequency which minimizes the number of negative 
•	 responses. It is effective with' a large' number of terTninal9 
because it eliminates bus conflicts, ard with a communication 
•	 .	 •	 ,	 r 
52 
iERMETR'CS.tNcO2ORATE.) • ,360 il4EEN STREET . CAMBRiDGE. MASMCMLJFTTs n'o •
F 
requirement that is largely non-random. 
The polling sequence and frequency must be consistent 
with system response and data requirements.
	 If the polling 
sequence is implemented via hardware, it must be determined 
in advance of system development, and'becomes an integral 
part of the communication system.
	 Software control of the 
polling sequence would, of course, provide greater flexibility. 
Disadvantages of this technique are: 
a)	 although bus conflicts are avoided, the utilization of 
the bus is random, and at any time depends on the polling 
• .
sequence and the terminal responses. 
b)	 A faulty terminal may respond negatively or not respond 
at all to a poll request, making error detection difficult. 
The design of the system must allow the status of each 
terminal to be determined without requiring a response 
to the poll. 
c)	 It requires intelligence at the terminal. 
4.1.2.3	 Sequential Time Slot:
	 Advantages and Disadvantages 
This approach is of course the simplest, imposing 
the least complexity on the terminal.
	 Each terminal is pre-
wired to recognize its time slot by a synchronized time delay 
in the frame.
	 It is extremely efficient if the same information 
is communicated during the entire mission with very small 
changes.	 The only overhead in communication is the synchroniza-
tion pulse, parity and coding bits (and possibly a format type). 
It enables full central control and is most effective for data 
acquisition.
	 Since the structure of a frame format is relatively 
fixed it requires a minimum of software and is simple to test 
and verify. 
The principal disadvantage lies in its inflexibility.
	 The 
rigid timing and message structure is built into the hardware. 
It allows very little variation in bus communication require-
ments from one Shuttle mission phase to the next, and it is 
questionable whether it can satisfy all s.-stem demands, without 
lcsing its simplicity.
4.1.2.4 Command/Response: Advantages and Disadvantages 
The command/response addressing scheme offers several 
advantages. First, there are no access conflicts. Communication 
requirements rire predetermined by the designer and then imple-
mented via software. Tiere is no overloading of the bus. 
53	 4 
INTERMETRtCS INCORPORATED . 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139 - (617) 868-1840 
F 
•0
Utilization of the bus is balanced by allocatin the 1/0 
s ervicing requirements to the available bus time. Correspondingly, computer 
processing may be interleaved with a predetermined.I/O structure. 
As a result, the traffic on the bus, and the processing in the 
computer become deborministic, and may be more easily tested 
and verified.	 .	 .	 .. .	 . . 
The system imposes no significant complexity or intelligence 
requirement on the remote terminal. it provides certain error 
control characteristics. Since it is centrally controlled, 
a remote terminal only "speaks" when commanded to via a unique 
address. The terminal can be designed to include its own 
address in the response. Although this "echo check" is not an 
integral feature of a command/response system, the enhanced 
error detection control it provides cannot be as easily obtained 
in a polled or contention approach.
	
--- 
Finally, command/response provides reasonable flexibility in accommodating to a variety of I/O requirements, since this is accomplished by changing the software controlled io command sequences. 
A basic disadvantage of the command/response addressing 
technique is that it does not allow randomly occurring events 
to be transmitted to the computer as they occur. Rapid 
response can only be achieved by commanding the terminal for 
the information at a high enough frequency. A command/ 
response bus access method decreases the efficiency of bus 
utilization, since time critical or high.frequency events impose a proportionately 'iigh bus I/O rate. 
The addition of the command and address bits required 
to obtain or send data contributes to a higher bus traffic 
overhead for the command/response access method than any of 
the other approaches.	 .	 . 
...i 
--
4.2 Control and Operation of the Data Bus by the BCU 
Once a particular access method is selected, the communica
-tions procedure established to perform a single i/o transaction 
impacts the design of the bun system elements. The following 
steps, illustrated in Figure 4.1., 'must be taken in order for 
,a single computer to send and receive data from a set of 
avionics equipment. 
a). In a command response access concept, the computer directs 
all I/O requests:in the system. It indicates along which 
54:,'.. 
INTERMETRICS INCORPORATED 380 GREEN STREET .CAMBRIDGE, MASSACHUSETTS 02139
.
 (617) 868-1840	 1
:3 
-a 
:3 
U) 
:3 
'3 
.
-	 55 
-V.
•	 2
z 0
cc 
I-I-a 
_-;- 
I_W I U) W 
IL 
I_Ia. I IL
cr 0 U4 
I—
z C3 U, 
0
LAJ
z 
;; 0	 00 W 0 
a 
WWz0 z W 
a 
•	
.••
S.-
U) 
CD<
_.U, 
-,z 
cr I— I-
-
-a I_U,
— 
La	 cr 
aC3
	 I-
ZI-)	 0 
0
'3 
•	 a. >. iaa 
W< a 0 
<U) cc rc 
'30<	 cr M w us I-I 
<a.0	
->> ••	 S	 S	 • ?	 J - 
-I WI
3, I	 I.)	 -' 
<I	 MPH 
1 
•(	 1 
MA
I	 hi
Id
-.
lI 
<I	 2i'
	
'1IJJ
( 
011 
—4 
;dI L" 
h
U) 
to 
I-1 
-.- .I	 ci 
9-1 
C) 
•1 
U) 
(U 
cr 
Q) 
6-i 
--4 
bus line and to which remote terminal the message is routed, 
and if data is re quested, where to put it when it has been obtained. 
b) The BCU must encode the message and transmit it to the
proper remote station over the selected bus line. 
C) The remote terminal responds to the command, selects the 
appropriate channel to
. the LRU and executes the appropriate functions to obtain the data. 
d)	 Signal Conditioning and conversion takes place at the 
terminal, which then encodes and transmits the data back to the control unit. 
e)	 The established error-Control scheme is maintained throughout the transaction. 
f)	 The ECU transfers the data to the computer and informs it 
of the completed request or 11.t. 
The details of this transaction influence the bus message 
format., the functions of bus elements,and
corTunu1jcatjon security.	 The message format and structure must satisfy the data a"Jisition and distribution requirements, Without unduly Complicating the bus hardware design.
	 A level of transmission "security" must be established to minimize the probability of 
•	 an undetected crror,without significantly increasing the 
equipment complexity or message overhead.
	 The following sections provide a general discussion of bus operation and the bu format and structure.
	 The error control scheme is discuss
 sed in Chapter 5. 
4.2.1	 BUS Message Format 
In general there are four basic parts to the structure.: 
of any communication message:
	 the message header and terminator, the addres and routing information, function 
content.	 code, and message 
I Message	 Address	 Function
	 Mess	 e	 E0M I Header	 Routing	 Code	 Content
	 JSync L  Sync 
The first three parts of the message are associated with the 
•	 communication system.
56 
INTERMETRICS INCORPORATED
	 380 GREEN STREET
	 CAMBRIDGE MASSACHUSETTS 0213
	 (617) 868-1840
I 1
4.2.1.1 Message Header and Terminator 
• .	 Message synchronization is required to enable terminals.: 
to recognize the start of a message and is usually a uni'ue 
control signal recognized by the terminal. it is essential 
that the synchronization signal be different and clearly dis-' 
tinguishable from data to avoid misinterpretation.. The 
characteristics of the sync signal will depend on the modulation 
technique selected. It is usually assigned a pulse width or 
phase change different from the standard data bit. 
There are four possible sync signals: at the beginning 
and end of the BCU to SIU message and at the beginning and end 
of the SIU to BCII message. However, from a communication point 
of view they are not all necessary. The end of the BCU to 
Slu message can be distinguished by the "idle bus" when the 
BCU stops transmitting; similarly for the end of the SIU to 
BC(J message. However, detection of an "idle bus" may cause 
circuit difficulties in either the BCU or SIU. The use of 
different sync signals for BCU to SIU messages and SIU to BCU 
message rules out inadvertent siu to SIU communications, since 
the.SIU need only respond to a BCU sync. 
In any case, the only positive requirement for any address 
system is that there be a sync signal, clearly distinguishable 
from data, so that each terminal can begin to look for its 
own address in synchronization with the message. The need for 
other sync signals for end of message, accept, knowledge, etc.,, 
is a function of the communication procedures and the details 
of the implementation. 
4.2.1.2 Address and Routing 
The address portion of the message identifies the 
sender and receiver by "to X" "from Y". In a centrally Controlled 
system, where there is no termi nal-to-terminal communication, 
there is no requirement for the "from" part o 2
 the address. 
All communications are initiated by the BCU'with transmitting/ 
receiving occurring only between BCU and
.
 one SIU. 
The "to" part of the message identifies the path to the 
LR(J via an SU address and an EIU address. A separate EIU 
address is necessary when the bus terminal communicates with 
more than one EIU. If the SIU and EIU were combined into a 
single unit, then the address could be combined. 
57 
INTERMETRICS INCORPORATED . 380 GREEN STREET . CAMBRIDGE ;
 MASSACHUSETTS 02139
.
 (517) 868-1840
4.2.1.3 Group Addressing 
A group addressing capability would be required to send 
a single message to more than one SIU or EIU, as mi ght be 
required to enable a passive flight recorder on the line to 
receive data intended for other terminals. Group SIU addressing 
could be an advantage in transmitting the same data to every 
element of a distributed subsystem, such as the individual quads lit the RCS system. Group addressing would be useful 
in the entral management of a redundantly configured Subsystem, 
particularly if identical commands are issued by the computer to 
every redundant unit. 
Group addressing on the bus requires the SIU to recognize 
more than one address. However, there is the problem of 
coordinating the return transmissions of echo or data messages. 
Coordination could be implemented in several ways: by sequential
 time Slotting of the sin responses, by ignoring the echo in the 
Passive device, or by a contention access method. The SIU, 
EIU address and function codes would need to be coded in a way 
which would have group meaning. Th tradeoff hare is between 
the added complexity of the SIU and ECU hardware,and the addi-
tional software and memory to store multiple commands instead 
of one. A modification to the computer/BCU message to provide 
a routing indicator and a list of Slu addresses, which would 
enable the BCU to send multiple messages, could alleviate the 
computer software burden. 
In summary, however, it is felt that group addressing 
is probably not worth the additional complexity in bus system 
design if, as has been est.mated, there is adequate capacity 
in speed to accommodate the inefficiencies encountered. 
4.2.1.4 Function Code 
The function code field of the bus command specifies 
the action to be taken by the interface unit in acquiring or di stributing data or signals to the LRU. The structure and 
format of this field is directly impacted by the requirements 
of the electronic interface portion of the remote terminal. 
In order to provide the capability of interfacing the majority 
of electronic equipment, the following types of interfaces 
would be required: 
a) digital parallel, 
b) • digital serial, 
c) analog data, 
d) discrete.
it.. 
-1 
a., 
In
58 
INTERMEtRICS INCOPDRATEo 380 GREEN STREET CAMBRiDGE, MASSACHUSETTS 02139
.
 (617) 868-1840
The function code does not have to be in a standardized 
format for all terminals. More parallel digital signals 
may be required for a particular LRU, but less analog. The 
electronic interface ...tself need not be standardized. The 
function can be decoded and interpreted by specially tailored 
function controllers at the terminal. Alternatively the 
fuflction code could represent the address of a location in a 
ccntrol memory which stores special control sequences within 
the interface unit. There are several ways of organizing the 
funtion code field, which are discussed in the following 
paragraphs. 
a) Channel Addressing
 
Under this concept, each interface is assigned a channel 
address, and the function code becomes part of the address 
structure. Group addressing is possible only if channel 
addresses aro in sequence (e.g.,
	 through 6, not 1, 3, 5, 
et.). Input or outputs may be implicit in the channel 
address number, or specified via a format. The interface 
unit is requird to distinguish between input and output 
channel addresses, to determine if data is to be sent 
back. 
Channel addressing is the simplest function code to implement 
and allows the greatest flexibility. However, it can be 
very inefficient ii channel addresses are not assigned 
in a way which can .e effectively utilized. 
b) Functional Classification of Interfaces 
In this method interfaces are functionally classified and 
:.•	 a code for each class or subclass is defined. For example, 
all communications can be functionally organized into the 
following categories: cumands, moding, functional input, 
functional output, and others. The functional categories 
•	 are assigned a coded number and all interfaces are assigned 
to a category. A function code would then involve input 
or output of all date. in the corresponding category. 
Obviously each major category can be further subdivided 
into subclasses by extension of the function code field. 
A significant advantage of this method is that the efficiency 
of information transfer can be much higher if information 
is generally transferred in a block. It can also be useful 
from the computer's point of view,since all data in the 
•	
"functional group" may be desired at the same time. (e.g., 
all status information).
59 
•	 INTERMETJCS INCORPORATED 380 GREEN STREET
.
 CAMBRIDGE MASSACHUSETTS 02139 (617) 8581840
A small high speed memory of the read/write or read only 
type described above is well within the state of technology., 
This concept provides the most general and flexible capability, 
although it obviously increases the complexity of the EIU. 
Memory size could be expanded to wconunodate increases in equipment requirerr&ents,or to extend the terminal, capability 
to provide functions such as limit checking of data, or the 
monitoring of LRtJ status.
	 Ultimately the terminal becomes 
a small computer capable of providing a local service to 
the equipment and thereby reducing bus traffic. 
4.3	 Operation and Control of the Data Bus by the Computer 
Viewed from the computer the data bus is a single, 
relatively high speed, asynchronously operable, peripheral I/O device, capable of perfozrning data gathering and data distri-bution.	 Under the 
•
command response access concept, the computer 
initiates and directs I/o operations on the data bus.
	 It directs 
I/O by commanding the bus control unit with a set of I/O 
requests.	 The BCU then controls and synchronizes the data bus 
system to carry out: these requests.
	 Most likely, the bus system 
will be mechanized in a way which allows the bus to operate 
independently of the CPU once an I/O F command is issued by the computer.	 This means that the data bus system and computer. 
operate asynchronously. 
4.3.1	 Overview of Computer I/O Operations 
There are two basic approaches to the design of the 
computer software for controlling the activities of the bus. 
These. are identified and treated in greater detail in Appendix C 
than is required for the purpose of this section.
	 The first is 
the synchrohous, fixed I/O method, in which i/O control is based 
on apr2etermined execution sequence and a fixed time cycle. 
The second schedules I/O operations on a demand basis.
	 The 
characteristics of :the two are summarized in the following 
sections.
	 To a large extent the computer executive and I/O. 
60 
IN INCOOThD	 380 GREEN STREET
	 CAMBRIDGE, MASSACHUSETTS 02IQ	 t17 Oo 40
t I
control st::ucture can be considered independently of the control 
structure chosen for the bus. 
4.3.1.2 Computer I/O Operation in a Synchronous Structure 
•1
Fixed sequence structured software requires I/O opera-
tions to be interleaved with processing tasks in the minor 
cycle. The inputs required by piocessing tasks in a minor 
cycle must be available prior to execution of the minor cycle. 
The concept requires commanding the BCU (or dispatching 
I/o), each minor cycle to input data required for the "next 
minor cycle", and output data from the "last cycle". I/O 
software for controlling the data bus is operated in each 
minor cycle. For example: 
Bus Inputs for pro- Inputs for pro- Inputs for pro-
Activity cessing during N cessing during N+i cessing during N+2 
Outputs from N-2 Outputs from N-i Outputs from N 
Computer Process inputs Process inputs Process inputs 
Activity from N-2 for from N-i for from N for 
output during N output during N+l output during N+2 
Cycle N-i N
[	
N+i
The dispatching of an I/O command list to the BCU can occur at 
the beginning of each minor cycle. However, it is necessarY' 
that the list of I/O be completed by the bus system prior to 
the start of processing the next minor cycle. Thus, the bus 
will be operating for only a portion of the minor cycle at 
a percentage of its speed. For example, the BCU may be 
commanded for lb ms of I/O every 20 ms. In this case there would 
be 4 ms idle bus time unless the BCU were commanded again to 
perform some additional I/o on checkout functions. 
At the beginning of each cycle I/O commands are checked 
for errors. If no errors have occurred, the next I/O list is 
sent to the BCU and computer commences its processing sequence. 
If I/O errors occurred, an error recovery and fault isolation 
routine must be operated and the sequence of processing tasks 
re-scheduled accordingly. Prior to the end of the minor cycle 
I/O scheduling is operated to set up the I/O command list for 
the next dispatch to the BCU. 
61 
INTEPMETRICS INCORPORATED . 380 GREEN STREET •
 CAMbRIDGE, MASSACHUSETTS 02139 •
 J6171 868.1R4n 
Since much of the Shuttle data bus design conducted to date 
has postulated this philosophy of software operation, it will 
be assumed for the description of BCU activities in the iollowing 
sections. 
4.3.1.3 Computer I/O Operations in a Demand Structure 
The alternative approach to fixed sequence I/O is 
scheduling I/O operations on a demand basis. Typically, this 
is accomplished in asynchronously controlled software structures 
as follows: 
a) when an I/O request is made by the computer software, control 
is transferred to an I/O scheduler, and a command is inserted 
into an I/O queue. 
b) The task requesting the transfer is placed into a "wait 
state". 
c)	 Upon availability of the 1/0 device, the queued .1/0 requests 
are processed via the dispatcher which uses an algorithm, 
e.g., first in/first out (FIFO), to determine which I/O 
request to service next. 
d)	 The I/O requests are sent to the BCU one at a time, or in 
a list for bus execution. 
e)	 When the I/O request has been serviced, the issuing task 
is informed and allowed to continue. 
This approach is used on large ground-based systems, particular-
ly where I/O requirements are not known or impossible to pre- F determine.	 The demand I/O concept does not appear consistent 
with command response or fixed sequence scheduled processing 
tasks.	 However, if a distinction were made between computer 
input and output requests, output requests because of their 
independence of processing tasks may lend themselves to demand 
scheduling. 
4.3.2	 Computer to Bus OperEttions
	
S. 
An evaluation of the requirements of the interface between 
the computer software and I3CU is directly dependent on the design 
of the L3CU.	 There are obviously tradeoffs between complexity 
in the BCU hardware design and the computer software.
	 The BCU 
in an extreme case could become a computer itself, dedicated to 
commur.ications functions, supplying all communication of data 
in and out of the bus system.
	 At the other extreme, it could 
simply perform time synchronization, transmitting and 
receiving control, and error coding.
	 Somewhere in the middle, 
the basic BCU capabilities cc-in be extended by providing the 
BCU with a limited set of registers and logic, and a 
62	 . 
INTERMETiCS INCORPORATED
	 380GREEN STREET . CAMdRIDGE, MASSACHUSETTS 0213
	 (A17% RPJ lflArt
-F 
....... 
direct memory access (DMA) interface' to the computer's memory. 
By cycle stealing from the computer, the DMA can su pply' commands 
and data to the ECU directly from, the memory. Commands and data 
are sent to the ECU either by incorporating a starting address and the 
number of commands into the channel command word, or by chain-
ing commands and instructing the BCU via the operation cce 
in each bus comnand. A limited capability will be assumed' for 
purposes of this discussion, although comments are made on 
areas where an expanded BCU capability may lessen the software 
problems. The basic computer-to-BCU operations are the foilowiig: 
a) I/O dispatching - involves commanding and controlling the 
BCU with I/O to be performed. 
b) I/O scheduling - involves scheduling bus commends to be 
issued the next minor cycle. 
C)
.
 I/O error processing - checking previous I/O commands

issued for errors and taking appropriate action. 
4.3.2.1 Dispatching I/O: Computer/Bus Interface 
The BCU is provided with a list of I/O commands by 
loading an I/O channel with a command word from the computer 
(see Figure 4.2). The channel comiand word must contain suffi-
cient information to enable the BCU to execute all the appro- 
priate I/O commands in the list. Once this channel is loaded, 
the computer and ECU may operate independently. The channel 
command word contains an address of the first BCU command, 
•
	
	 and the number of BCU commands to be processed. (BCU commands 
may also he linked by addresâ chaining.) The ECU commands 
can be stored in sequential memory locations, and the list 
operated on in sequential order by the BCU. Upon completion 
- -. .theBCU_canb,e,,instruted to ipterrupt the processor with an 
I/O complete signal. (Alternatives, more in line with 
interrupt" policy, can be devised, such as a "BCU busy" signal 
accessible to the-computer enabling it to determine statu. 
•
	
	
of the BCU.) In e.ther case, it is necessary to coordinate 
the asynchronous operation of the computer and BCU so that the 
•	 computer is aware of the status of the BCU. 
4.3.2.2 BCU Command Format
	 . 
The ECU command format must contain instructions for 
the ECU to execute the computer's I/o request. A single 
command will contain four' parts: control information for the 
message, status information, skeleton bus message format, data 
linkage addressing information.
 
63	 .	 ...	 -. 
INTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE MASSACHUSETTS 02139 (617) 868-11840
COMPUTER PROGRAM
	
TABLE OF BCLI COMMANDS 
XEC!TE I/O 
I !'JSTRUCTION 
LOAD CHANNEL
COMMANDS CONTROL
	 VIA IN CHA'1EL 
•H
DATA
TRANSMISSION

COMMANDS 
INPUT/OUTPUT

DATA 
- Fjüj4	 C6€€BCU- I70cornrnand
- operatjon - 
64 
INTERMTRlCS I NCORPORATED . 380 GREEN STREET (;AMBR g DE, MASSACHUSETTS 02139. (617
	 a-ic;o
BCU 
control
I/O	 .
.	 .us command . Lihkage 
SlU	 . 
#
Functiàn 
code 
[P code status	
.
data
a) . Control	 .	 ..	 ..	 .	 .	 .	 . 
The control part of the ECU command contains information 
pertaining to the type of operation requested of the BCtJ. 
Examples of individual BCU operation codes are Read, 
	
S.	
. Write, Skip, Linkage. With fixed I/O tables in the computer' 
	
•	
memory, a "no-operation" code may be desirable to skip 
commands at certain times such as unrequired jet on commands 
	
• .
	 in a fixed I/O schedule. If the BCU contained memory, and 
• .	 .	
was more of a communication processor, this part of the 
BCU command may contain a pre-programmed ECU memory 
	
• -:	 .	 address for execution.
	 . 
b) Status Bits 
Status bit(c) are required to enable the computer to 
determine if the bus command was completed successfully. 
The computer must be inforived of bus errors so that it 
can reconfigure and reschedule accordingly. An incomplete 
•	
.	 I/O transaction will result in rescheduling the processing 
	
•	 .	
. tasks. An "incomplete i/o" status indication may also
be desirable. 
	
S
T	 c) Skeleton Data Bus Message 
The skeleton bus message contains the actual bus command 
associated with the I/O transaction. The contents of the 
in Section 4.2.1. It 
•
	
	 contains information which
	
- 
during the course of the mission. Specifically, the 
•	 .	 terminal addressing will vary with the status of the avionics 
• :-	 configuration; a specific communication path must be chosen 
.'	 . .
	 prior to execution of the command.. For example, a request 
for data from a redundant subsystem (e.g., radar) requires 
• I-	 information as to which LRU is active, and which data path 
to use. It is
	 onable to assume tuat c-n,figuration

management is a computer software funct n, and therefore 
this information must be supplied to the BCU in some form. 
•	 •.	 The degree to wh 4.ci
 the computer wil l need to modify the 
bus message format at run time will depend on the extent 
and capability of the BCU. •.	 . 
In ord—t
 to establish fixed I/O command tables required 
by the synchronous i/o method it may be useful to define 
a symbolic nd "physical" relationship similar to that 
NTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139 . (617) 868-1840 
I 
-.	 -. 
•.
used with tapes, disks, etc. ,in a conventional facility. In this case a symbolic assignment, such as ISS	 or ISS for inertia], subsystem active
	
A 
and standby  respectively, will be associated with the subsystem.	 The symbolic identification is then associated via configuration tables 
to a physical unit such as ISS#l, ISS#2, etc.
 I/o bus con
	
Predetermined unands would be generated using symbolic identifi- 
cation and their physical identification determined at 
run time by the computer or by thc BCU via the transfer tables of the computer.
	 Path identification for a specific physical unit (i.e., which 
• Slu/Elu address) must also be determined dynamically. 
If each physical unit had a single path, i.e., a unique 
address	 B(JS#, S IU#, EIU#)
	 the problem is solved. However, there is more than 1 path to each unit; the address
must be determined from the status of buses and SW's.
	 The complexity of this problem will, of course, depend on the 
redundancy interfacing and cross
-connections established in the system.	 For example, consider a system configuration
 of a quad-redundant bus, 4 SIU', and up to 4 EIU's per Slu.	 There could be up to 64 possible paths depending 
on the cross-strapping. 
•	
S Physical Unit
	 Bus	 siU	 EIU 
LRU#1	 1	 A	 X 2	 B	 Y 3	 C	 Z 
S	 4	 D	 W 
•.••• 
S..
If the SlU is an extension of the b,'s such that 
SIUA cannot be addressed via bus #2, then there are 16 possible paths to -a 
bus and interfaced to a single LRU, then there 
•	 •.
5	 4 paths to it.
	
are only. 
The funct i on of inserting addresses could be allocated to the ECU, assuming it had memory, by sending it a table 
of physical 
•	
.•.IS_. equipment codes, and the current path.	 The current path would be updated by the configuration manage-ment task as confi guration switching occurred. 
d)	 Data Linkage Addressi 
This part of the bus command identifies the ccmputer 
memory location of the data to be output, or the destination of the data input from the bus. If the bus format allows
INTERMETRICS INCORPORATED 380 GREEN STREET
.
 CAMBRIDGE, MASSACHUSETTS 02139 
• (6i7)3184O -. 
An Unsuccessful I/O transaction detected by the BCU 
during bus operations IS eventually communicated to the computer, 
using the error control bits in the bus command table.
	 If the BCU is commanded with a list of I/O requests,
an I/O error will 
not be detected until the start of the next minor cycle.
	 At the beginning of each minor cycle, the error status of all 
• messages is checked.
	 If errors Occur, the minor cycle task 
schedule is modified accordingly, and the I/O error recovery procedures are initiated.
	 Design of the I/o error recovery 
software procedure is not within the scope of this study; some 
of the alternatives are: 
a)	 the I/O request could be rescheduled via an alternate path.	 A reconfiguration of equipment may be required. 
• b)	 Fault isolation tasks could be initiated to determine 
what to reconfigure (the BCU, SIu, or subsystem may have failed) 
• C)	 The sequence of tasks contained in the following minor 
cycle must be aLered, delayed entirely,or allowed to 
continue with "old" data. 
•
4.3.3	 110 - Processing memory Conflicts (Buffering and terlocking) 
-h Independent operation of the bus and computer can result 
-----
ji 
data	
--
Th-i-s-prob-1-exa-__ 
occurs when a processing task is ------using data while the bus 
control unit is at the same time attempting to input
or output the same data for the same memory locations.
	 The problem is 
more likely to occur for data that is sampled at a high 
frequency, when use of the data cannot be easily 
synchronized. It is also more likely to oC'ur in a block of data rather than 
a single word because of the inhore-t interlock of a single 
word access.	 Fox example, attitude angle information from the 
inertial unit may be in use by the digital autopilot task when 
the BCU inputs new values via the DMA.	 In this case the auto-is pilot	 operating on partly new and partly old values.,
	 This problem can be avoided by several approaches: 
67 
INTERMETRICS INCORPORATED • 380 GREEN STREET . CAMBRIDGE, MASSACHUSETTS 02139
.
 (617) 8681840
a) the I/O input and Output in this category can he 
into different memory
-locatic'is
	 It may be transferred •
 to other locations,
- or a pointer can be switched-between-two sets of registers for the data item, one set for I/O, 
one for Processing. In put data may In.any event require 
to be smoothj or compensated prior to use. This is
.
 the general concept of "double buffering" of 
.
input or output. 
b) The data could be interlocked via a control i ndicator or busy bit, during the time either the BCLJ or the computer is 
using it. However, this would require the BCU to access, 
test, set and release the indicator with a consequent increase in its complexity. 
c) I/O can be planned by
 Predetermining and adjusting the 
sequence of I/O commands to avoid the conflict. I/O 
commands can be designed to Occur at the Opposite end 
of the cycle from the Conflicting processing task. This 
approach, although consistent with Synchronous bus control and I/o philosophies, appears risky due to the inaccurate 
estimates of timing. It is, in fact, similar to the 
approach used to solve the memory conflict problem in ipoilu. This was only partially successful, and it 
could only be.verjfjd by extensive testing. 
4,4 Description and Analysis of I/O Transactions 
4.4.1 Definition of an "I/O Transaction" 
An "I/O transaction" is defined as the complete sequence 
of operations performed by the BCU in carrying out a single 
I/O request from the computer. Once the ..B.ctJ_baS -received -and 
-	 intep±d acon)!nand from the computer, it 
synchronizes the terminals on the line', transmits a message to the specified 
terminal, and receives the appropriate response. A transaction 
occurs between the BCU and a single terminal. it is the basic bus Communication activity. it is independent of any other transaction over the data bus sys tem.. There are two types of I/O transactions that are performed by the data bus: read and Write transactions. . 
a) . A read transaction is the sequence of steps performed by 
the bus. system in acquiring data from the avionics equip-
ment. It can be termed a "get" command, to sample a 
specified LRU equipment interface. 
68 .	
: 
0	 • . 	 . . . 
INTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE, MASS A-HUSETTS
.
02139 (617) 868.1840
b) A write transaction is a sequence of steps to send data 
to an LRU interface. It can be described as either a 
"receive" command, or a "do" command. The sitj receives 
the data or command and delivers it to the specified 
equipment interface. 
A third type of transaction may be required, termed an 
"SIU Event Status Command", in which the BCU transmits a 
command message to an SItJ, requesting it to return its event 
status register. 
This transaction enables the computer to determine if 
S random events (interrupts) have occurred at LRU's connected to L. particular siu station. A reschedulingcf processor 
tasks and read/write transactions may be necessary as a conse-
quence of the event. 
4.4.2 Functional Description of bus Transactions 
A discussion of how the bus system performs a transaction 
provides another step towards a specification of the bus/SItj/EIU 
hardware desiyli. In oder to describe the operation of the 
bus during a transactc-. an
 assumption must be made with regard 
to a specific bus to SIU to ETU configuration, and an error 
control approach. it is important to emphasize that this 
section is intended to describe the functions required at 
each bus element, and not to select a final design. Several 
configurations of a standard bus terminal were considered, but a 
detailed bus command format was only designed for one. 
5 ;\ The example configuration assumes 
.a physical separation of 
• SIU and EIU.
	 Each SIU is connected to only 1 bus line and 
may service up to 8 EIIJ's.
	 Each EIU provides analog and digital interfaces to equipments.	 The other terminal configurations 
-
cross-strapped to all four buses.
	 These two approaches to the 
• standard interface unit are discisecL more fully in Chapters 
• 3 and 7. 
The error control method selected for analyzing the trans-
•
action is transmission error detection through vertical and 
horizontal parity, and path verification by address echo.
	 A detailed discussion of error control philosophy is given in 
Chapter 5.
variable number of 8-bit data bytes was selected as 
the basic transmission format.
	 A 3-byte command format is
•1 
I 
69 
INTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139
.
 (617) 868-1840 
•
: 
•	 ..	 :a	
.	 .	
-.	 - .	 - 
selected since 16 bits are considered inadequate to provide the 
range of addressing and function codes.
	 A minimum of 18 bits are required for the command word in this configuration (7 for 
siu address, 3 for EIU address, and an 8 bit function code). 
•	 .. Figure 4.3 illustrates a representative format designed around the 3 byte command
message with a variabju data message. 
The asterisked fields are mandatory.
	 R ' prontatjve use for the other bits in the 3 byte Command are discusnod below: 
*L)	
SIU address	 (up to 128 Since only one Lorminal address per 
station is required. See Section 3.) 
b)	 Slu transaction bit.
	 This bit may be uned to command an Slu station to send an event status mes q 'Iqo.
	 This is a two byte response from an SlU 
• containing the status of 16 
events or conditions that are assigned nmcng ElU's at a termini.	 Each is set in an EIU by the occurrence of a local random
event such as a hand controller movement, display input, or fault occurrence. 
*c)	 EIU address	 (up to 8 EIU's per SIU) 
d)	 Error control bits.
	 These are sent in an echo message from SIU to BCU when an error occurs assocjat ød with the LRU. Typical of the possible
error response conditions are: 
1)	 Parity failure at EIU 
2)	 EIU/LRU busy 
3)	 No response by EIU 
4)	 Improper channel 
•	
..
This information could be provided by a special request 
to the Slu.
	 Making it part of the command format simplifies IU/EIu logic.
	 If-the information were not provided to the 
BCU, a "no echo" response for all the above conditions will 
be treated in the same way. 
e)	 I/O control.
	 This control bit determines whether the 
-
specified channel address is an input or output operation. 
,•'- f)	 Block. • This field of the command message identifies a 
single or multiple channel address grouD.
	 It is used in Conjunction with "Block size" to specify the size of the 
message block.
70 -
INTERMETRICS INCORPORATED
	 380 GREEN STREET • CAMBRIDGE. MASSACHUSETTS 0239 .
 (617) 868-1840
• .-• .••,	 •,•	 S 
;'n e- . ' 4
•. •	 ••.. S	 • 
"-4 
•
• 
— 
+ J • N 
cc 
— w 
IK 
_h C.3 
S 
_±__
irco
uJ 
LU 
ca cc
al 
.v .
-.1 0 U 
w 2 LU U) w< LUZ • 
Cc cj .0 
I • 
•-j!EELJ!!_h!IJ 
.
fD 
•
4 
• -
P. 
CC
z I I' 
-
I1 
- -----
LU ) -• LU to 
Co
---- •	 ------ -- .-- -
a-- --
C3
•
0 LU 
.40 S 0	 I•
a 
---.-•
0 
• ---
2 LAJ . 
________
.--
• a 
Ca ci 
• S
I-
• 
S
uj 
• --
S 
• S 0 •5 
71_____
*g) Channel Address. This specifies the EItJ interface by one 
of the methods listed in Section 4.2.1.4. 
h) Block Size. The block size identifies the number of 
channels to be sampled. 
4.4.3 Description of the Transaction Sequence 
The steps involved in read and write transactions using 
this format are illustrated in Figure 4.4. A brief description 
of the transaction is as follow3: 
a) A read transaction begins when the BCU initiates a sync 
signal on the bus, followed by transmission of the bus command 
word. The BCU then waits the response. 
b) All "up" receivers on the line receive the sync signal. 
Each compares the SIU address in the message with its cwn 
prewired address. If no match occurs the rest of the message 
is ignored, and then each STU monitors the line for th 
next T3CU sync. 
C) If the address check shows agreement, the SIU decodes the 
ER) address and then routes the message to the specified 
ER) over a sria1 channel*, while checking for horizontal 
parity in each byte. 
d) The Slu awaits the parity check signal from the EIU to 
insure that the message was received properly, and upon 
its receipt, transmits an echo message to the BCU. If the 
EIU does not tce.ept the message, the SIU transmits its 
address cho with the appropriate error control bits set 
-- - -	 - - - - -- - 
e) During the time the Slu is transmitting the returfl echo, 
the ER) decodes the function code (channel address or 
memory), multiplexes the requested inrut channels, performs 
A/D conversion if required, and sends the requested data 
to the Slu. A time lag is incurred by this process, termed 
the LRU latency.. It is discussed below. 
f The SRI verifies parity and continues transmitting the 
data message to the BCE). 
* Serial transfer is considered advantageous in minimizing 
the number of interconnectjc. 
72 
INTERMTRICS INCORPORATED 380 GREEN STREET
.
 CAM8PIDGE, MASSACHUSETTS 02139
. 117 Q1OAA
0LU 
u.
uj 
ca 
ca 
LU 
•
L LU 
LU LU 
zr1 
a) C) ILi II 
H1 
LJ cz
co	 V3 E 
ZD
I uj	 C3 
-ao - o
co	 C4 ioo— 
Lt39 FLJ1 cc	 m 
co 
uj 
CJ
J J 1 p11' Tr-ml,
73
The BCU, after transmitting the initial command, monitors 
the line for the return echo. If no echo is received within 
a fixed time interva]., a transmission error is deemed to-have'-
 
occurred, and the computeris informed via the I/O error control. 
When the BCU receives the echo check, it accepts the rec's ted 
number of data bytes, verifies parity, and transfers the data 
to the requested locations in computer memory, after which the 
read transaction is completed. 
Write transactions are performed using similar procedures 
as illustrated in Figure 4.4. A total time to complete an I/O 
transaction using this command structure and error control 
procedures has been estimated for 
. a block of size N bytes to be approximately: 
/
WRITE transaction =(59 + 9N)ps 
READ transaction = (69 + 8N)ps 
4.4.4 Bus Efficiency and Latency 
£
4.4.4.1 Efficiency 
The bus utilization efficiency can be Computed by the 
ratio of information bits in a transaction to the total number of bits in the transaction. If we consider the total number of 
bits in a transaction to be the total transaction time (including 
.I	 delays,etc.) times the bus speed (assumed to be 1 MPS) we 
obtain a worst case estimate of bus efficiency. Information 
• transfer efficiency estimates for a 3-byte command format are 
illustrated in Figure 4.5. 
•	
The bus system will operate at about .a 50% efficiency 
•	 for transfers of 10 or more bytes. This illustrates the obvious 
• fact that to maintain efficiency the software should be 
structured to obtain information from LRU's in blocks. For 
example, status data should be oLtai.ned in functionally related 
groups, such as a.Y. temperature readings. 
•	 A significant factor is the number of I/O transactions 
that the bus can completo in a minor bus conrol cycle. 
Figure 4.6 contains a plot of the I/O transactions, Consisting 
of a given.nuxnber of data bytes, which can be completed during 
at fixed interval of time. Based on an avarage block of length t.	
•	 8data bytes, approximately 170 transactions cca be completed 
during a 10 ms interval. It is apparent that even though the 
1•	
74 
INTERMETRICS INCORPORATED
.
 380 GREEN STREET
.
 CAM RIDGj:	 SAC: IcTYQ M4 13n -
N
r -
100 - 
•:
WRITE TRANSACTION 
75	 - READ TRANSACTION 
• C) 
z
- 
1i1 
H 
C) 
H
50	 - 
Z 
0 
H 
o I/O TRANSACTION: 
BIT DATA BYTE 
• 3 BYTE COMMAND WORD 
25	 - • VERTICAL & HORIZONTAL PARITY 
• ECHO CHECK 
0 8	 16	 24	 32 
NUMBER OF BYTES OF INFORMATION	 •
--1 
Figure 4.5	 Bus I/O transaction efficiency 
f.-
75
-•.--	
.
20
U	 8	 r	 24	 32
DATA BYTES PEI TRANSACTION
...
TRANACTICN TYPE: 
• 8 BIT DATA BY TE 
• VERTCAL AND HORIZONTAL PARITY 
3 BYTE COMMAND 
• ECHO CHECK ADDRESS 
efficiency of information transfer may be less than 50% in most 
•	 cases, the actual number of transactions completed during an 
interval of time should be adequate to service the expected Shuttle I/O requirements. Figure 4.6 illustrates that careful 
scheduling of the bus during any minor cycle will be re o uired, particularly if the size of blocks vary. 
4.4.4.2 Subsystem Latency 
When a read transaction command is received by the EIU, 
an interval of time is required, called the latercy time, for the 
EIU to interpret it, to carry out the Command, and return the 
.	 data. A delay can be caused by analog-to-digital conversion, 
serial/parallel conversions, inherent equipment dynamics, etc. 
If an I/O request from the computer has a latency time exceeding 
a certain fixed interval, it must be organized into two or more 
transactions. An example is the computer request for DME 
transponder range.
	 The inherent characteristic of the DME 
(see Appendix B) is that to obtain range to a specific point; 
the DME measures the time a signal takes to traverse the 
distance to that point and back again. The latency time required 
for this operation is intolerable in the I/O transaction structure 
described above. This type of transaction must he divided into 
two transactions: one to command the range to be read, and 
the other for reading the range. Coordinating these inter-
dependent transactions so that they occur at the right time, 
presents problems to the I/O scheduling software design. 
A form of latency occurs for certain types of block data 
transfer from computer to subsystem. Error control that depends 
on horizontal and vertical parity cannot provide verification of 
the correct receipt of a data block until the last byte has been 
received (the last byte is, in fact, the vertical parity 
byte). To prevent erroneous data from being transmitted to 
a subsystem, the complete block must be buffered at the terminal 
until it is verified. It is subsequently transmitted to the 
subsystem for which it is intended. However, this second trans-
mission may take a considerable time, by bus standards: a 32 
byte block will take over 0.25 milliseconds at 106 bits per 
second. This is enough time for several other transactions 
to take place. 
For both kinds of latency, it is essential, to allow no inadvertent interference with the terminal from other transactions For this reason it is desirable to provide for the indication 
of an EIU/LRU "busy" Condition via the status bit(s) asso-
ciated with the SIU echo return. This bit can be interrogated 
by the BCU to provide an I/O error indication to the computer 
whenever another Command is addressed to the busy terminal. 
77 
NTERMETRICS INCORPORATED 380 GREEN STREET
.
 CAMBRIDGE, MASSACHUSETTS 02139 •
 (617) 868-1840
4.5 I/O Timing Difficulties 
• :•
	
	 A class of system problems exists in the operation of a 
time shared bus which is associated with the correlation of data 
and commands with "time". For example: 
a) Correlation of data and absolute time. Several system compu-
tations demand the acquisition of data from separate sub-
systems at the same time. For example, a navigation measure-
ment combines sensor data with attitude information, correlates 
•	 both to the same absolute time, and updates the navigation 
•	
data.	 With a synchronously controlled data bus, in which 
• •	 sampling is performed only at fixed minor cycle intervals, 
time may.only be established with a granularity of the 
saupling period. That is, all samples taken during one minor 
cycle are associated with the same time tag. If a finer time 
reference is required it must be provided by a local clock. 
In an asynchronously driven bus system a finer reference time 
quantization may be obtained because a specific I/O command 
may be serviced within approximately 100 us (depending on the 
I/O queue backlog). 
A related processing problem arises in the derivation of a 
rate of change by differencing two measurements. In this 
case a difference in time must be either assumed or computed 
for two measurement samples. For high frequency samples 
obtained with a sy:lchronouEly driven bus, the order of the
 
I/O command in the list may be important, particularly if a 
fixed delta time is assumed in the calculation. 
b) Local nrecision timing. Another problem that may arise concerns 
the precision timing of events at geographically separate 
and remote subsystems, for example, the timing and coordination 
of firing commands to the RCS jet thrusters. From a system 
-----point -of - vi-ew, i-t--i-s-des-i-rab-le_todes i-g-n--suchsubsystems0_ 
receive a message which contains not only the command but also 
-	 the firing interval. The impact on I/O complexity, bus traffic 
and response, of separate transmissions to command the thruster 
on and then off could be considerable if this type of bus 
activity predominates. The capability for local precision 
timing may be incorporated into the subsystem or terminal. 
78 
• -
	 INTERMETRICS INCORPORATED
.
 380 GREEN STREET' CAMBRIDGE, MASSACHUSETTS 02139
.
 (617) 868-1840
F 
C	 -*	 td•	 -	 - 
Chapter 5 
Da'..a Bus Error Control 
•	 5.1 Introduction 
Since the Shuttle data bus provides the sole communications 
for onboard avionics equipment, an important design requirement 
is that it provide a reliable transfer of information in the 
presence of both permanent and transient failures. Permanent 
failures are caused by equipment failures and are a direct func- 
tion of the simplicity and reliability of the data bus system 
elements(i.e. BCU, bus, SIU, EIU, and LRU). Transient Iailures 
are caused by such effects as electromagnetic interference, which 
must be anticipated in the Shuttle environment. The characteristics 
of the interference are anticipated to be predominantly impulsive, 
and primarily caused by coupling to the line of transients and 
noise from switches, motors, relays or other sources. "Burst 
errors" involving multiple errors close together are to be expected 
in this environment. A major task of the data bus design will be 
to incorporate an error control approach which provides "security" 
of communication in the presence of noise of largely unknown 
characteristics. 
Several error control techniques have been applied in 
communication systems to reduce the probability of undetected 
•	 errors. The techniques generally attempt to satisfy a proba-
bility goal within the system design constraints of cost, weight, 
• power, or bandwidth.- - ------- - --
•	 Thereare-two basic objectives of the shuttle data bus 
-:
	
	 error control scheme to be satisfied in the presence of potential 
permanent and transient errors: 
a) To maximize the probability that a transmitted message is •	
correctly received by the correct terminal; 
b) To minimize the probability that an incorrect message is 
•	 ;-•	 received.	 - 
•	 Most commonly a particular error detection scheme has been 
•	 coupled with retransmission or forward error correction. Various 
79 
INTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139 •
 (61) 868-1840 I
forms of information coding to obtain an error detection and/or 
correction capability have been used.
	 Numerous codes have been 
devised to satisfy a particular communication channel error 
probability.	 Prior to discussing the specific error control 
approach appropriate to the shuttle data bus, a review of informa-
tion coding schemes is presented with a discussion of their advan-
tages and disadvantages. 
5.2	 Information Coding Review Discussion 
5.2.1	 Coding Theor 
Coding modifies the message to be transmitted by adding 
redundant bits to the transmitted message.
	 These extra bits are 
examined at the receiving terminal to determine whether an c ror 
has been introduced and in some casesto locate the error bit 
within the message so that it can be corrected. 
The methods of detecting and correcting erro:s can most 
• easily be explained with the aid of the concept of Hamiuing 
distance.	 Briefly, the Hamming distance between two strings of 
binary symbols	 (of equal length) is the number of positions in 
which the symbols in the string are different.
	 Thus, the symbol 
• strings 1100 and 1000 are separated by a Hamming distance of 1, 
while 1100 and 0011 are separated by a distance of 4. 
In the study of codes, one of the parameters of interest is 
the minimum Hamming distance between any two valid code words in 
the set (for codes in which all the code words contain the same 
number of bits).
	 Thus, if a code has a minimum Hamming distance 
of two between any code words, at least two symbols must be 
--
changed in order to change one valid code word into another valid 
--With- de word.	 such a- code ±twou-id-bc-possib-ie-to--detect- any---- - 
• single symbol error, and also many but not all, possible errors 
affecting more than one symbol. 
5.2.2	 Single Parity
 
A common example of such a code is the single parity 
check, in which the code word is generated from the binary message 
string to be transmitted by adding a single bit such that the 
total number .of "l's" in the code word is even (or odd). 	 The 
choi.e of even or odd parity has no effect on the random error 
correcting properties of the code, and is usually made to faci-
litate the detection of certain equipment failures which can 
produce all "l's" or all "0's" in the received message. 
80 
INTERMETRICS INCORPORATED	 380 GREEN STREET .
 CAMBRIDGE, MASSACHUSETTS 02139 .
 (617) 868-1M0 •'
In particular, errors affecting an odd number of bits will be 
detected but errors affecting an even number of bits will not. 
The single parity bit is extensively used for error control, 
principally because of its simplicity in terms of hardware. It 
is effective against random independent noise. 
5.2.3 Error Correcting Codes 
For some applications, the mere detection of an error is 
not sufficient. it is necessaryto determine from the received
	
•1 
symbol string the nature of the error, or, to be more precise, 
to cetermine the message that should have been received in the 
absence of noise. This can be achieved by error correction codes. 
5.2.3.1 Hamming Single Error Correcting Code 
The well-known Hamming single error correcting code is 
an example. This is a code having words of length 2m_1 where m 
is any integer. There are m parity bits and 21_ 1m information 
bits. The construction of the code word from the message bits 
will be illustrated for m=3. 
Bit Posicion	 B1	 B2	 B3	 B4	 B5	 B6	 B7 
Parity-Message
	
p1	 p2	 H1	 P3	 M2	 M3	 M4 
The parity bits are determined from the equations: 
- !i + +M4 = 0(or 1)	 (modulo2additions) -	 -- 
P2 +M1 +M3 +M4 =0 (or l) 
P 3 +M2 +M3 +M4 =O (or l)  
At the receiver, the three parity equations are checked 
to give three error states E3, E2 , and E1 .	 (A "1" denotes that '1 the equation did not check, ard a 1,01, indicates that it did.)
	 • 
These three error bits are ordered as a binary number E3E2E1, 
called the syndrom, which equals number of the message bit that 
• should be changed.
81 
INTERMETRjCS INCORPORATED . 380 GREEN STREET
.
 CAMBRIDGF, MASSACHUSETTS 02139
	 (617) 868-1840 
-------.------- -- -
-	 •	 - 
If two or more errors occur in the transmission, then either the received word passes the parity tests and is incorrectly' '.	
accepted by the decoder, or the decoder recognizes that an error •	 --•	
has occurred but incorrectly identifies the nature of the error 
and incorrectly "corrects" the received message. 
The Hamming codes tha' are discussed here have the interest-
ing property that every possible received word is within t1e 
error correcting distance (in this case a "sphere" with a "radius" 
of a Hamming 
.distance 1) of some valid code word. A code having 
• .;'
	
	 this property is called a perfect code or a close packed code (1). 
In general, most codes do not have this property. In fact, for 
codes capable of correcting more than one error, only a few such 
codes are known. 
5.2.3.2 Augmented Hamming Codes 
In the case of non-perfect codes, several strategies 
can be used when the received message is not within the specified 
correcting range of any valid code word. On one hand, the distance 
to each valid code word can be determined and the nearest valid 
code word selected for the decoder output. If two valid code 
•	 words are equidistant, outside knowledge of the message probabi-
lities could be used to resolve the tie. At the-other extreme, 
•	
. any received message not within the assured error correcting 
•
	
	 range o the code could be labeled as a detected but uncorrectable 
error. 
•An example of a code for the latter strategy is the 
augmented Hamming code generated from the Hamming code described 
• earlier by adding one additional overall parity bit. This code 
has a minimum distance of four, and, while it ia not a perfect 
code., everypossible.receivedseq.uence 
of two of ce or more valid words. This code can be used as a 
single error correcting, double error detecting. code. 
It is worth noting that a particular code can be used in 
a number of different ways, depending on how' the Jecoder is 
*	
. mechanized. The extended Hamming code will detect some but not 
all higher order errors (and will "correct" some other high 
order errors to produce a wrong message). The srme' code could 
also be used as a triple error detecting code. In this case, the 
code will also detect many more of the higher order errors. In 
fact, it
 will-detect-any error pattern that does not convert 
the transmitted code word to another 'valid code word. 
It has also been shown that this same code can correct all

single errors and-also all double errors in adjacent bits,'provjded 
82	 • 
INTERMETRICS INCORPORATED 380 (
- EN STREET CAMBRIDGE MASSACHUSETTS 02139 (617) 868-184 0
I.	
'_•-_-.&•_ 
the parity bit is not in error 2).
	 sig tis decoding procedure 
very few if any nigher order errors will be detected. 
5.2.4 Higher Order Error Correcting
 Codes 
Codes are known which have sufficient Hamming distance 
between valid words so that they can correct two or more errors 
in a block. In general, these codes ara either trivial (repeti
-
tion of each message bit an odd number of times with majority 
voting, called a binary repetition code), or are too complicated 
to describe in detail here. 
Among the better known of the constructive (ncn-random) codes 
are the Reed-Muller codes (3], and the Bose, Chanclliuri and 
Hocqueughem (BC1 Cos). BCH codes are a generalization of 
Hamming codes for multiple error correction. The correction 
procedures are, however, fairly complicated. The technique for 
BCH error correction Consists of solvin g
 the roots of a N degree 
polynomial and a set of N equations, wl'ere N is the number of 
Correctable errors. The complexity of the correction process 
forces BCH ccdes to be considered only for error detection. 
Correction becomes feasible if a processing capability is avail-
able, and a delay in the receipt of the message is acceptable. 
BCII codes are cyclic codes and have the disadvantage of being 
sensitive to loss of synchronism since shifted cyclic code words 
are also valid code words. 
• _-
	 5.2.5 Burst Errors and Burst Codes 
In many instances where coding has been employed to 
detect or correct random errors in a data transmission system, 
•	 the improve r;ent in system performance has not been as great as 
xpe-cted. Thereason -±s -often- that--the—assumpt-ion -0-f -add-it-i .re-
white gaussian noise, or other mechanisms which generate 
. independent bit errors, is not valid. Generally, in a real 
environment the errors occur in groups or bursts. Electro-
magnetic interftence of duration longer than one bit trans.. 
mission time would be an error source with this characteristic. 
•
	
	
A simple example is provided below to illustrate such a 
problem. Consider the case of a system oper'ting at 
one million bits per second, and using coherently detected amplitude 
modulation at 15 db signal to noise ratio. We will assume that. 
-	 the syster is-perturbed by gaussian noise so that errors are 
•	 random and independent. The probability of a bit rror for this 
condition can be calculated to be one in 1.26 x 10 0
 bits.	 The 
cod2 is a three error correcting code having 23 bits, with 12 of 
- •. them information. The example is a special case known as the 
83 
INTERMETR:CS INCORPORATED 380 GREEN STREET . CAMBRIDGE, MASSACHUSETTS 02139 (617) 868-1840
I 
Golay code.
	 This code is close packed, and we can, therefore, 
neglect all of the possibilities of detecting higher order errors 
as they always result in a word error.
	 The following observations 
arc made: 
a)	 a single bit error in a word is expected with probability 23 x 7.9
	 109 x	 = 1.8 x 1- 7
 per word, or once every 126 sec. 
b)	 a double bit error will occur with probability 1.6 x 10-17 
or once every 47.5 years. 
c)	 the probability of three or more errors and consequently the probability of an undetected error in a word
 small.	 is vanishingly 
If, however, the mechanism of the disturbance is such that 
or 10 consecutive bits the probability of error is 0.5, there 
will be an average of 5 errors in th
	 burst of ten bits, so error bursts will occur every 633 seconds.
	 Since .17 of these bursts 
will have three or less errors, and neglecting the fact that in some cases a burst laps over the division between two blocks, 
a decoding error will occur approximately every 25 minutes. 
The description of the burst error channel given above is 
obviously a very simple case.
	 Yet it illustrates the signifi-
cant difference in conclusions which can be drawn about the expected 
performance of a control approach. 
Some general observations can be made on the performance 
of error control codes in the presence of burst noise.
	 If a 
code with a minimum Hamming distance of h is used as an error 
detecting code, any burst causing up to (h-i) errors will be 
detected.
	 For bursts cauiiig more than (h-i) errors, most, but 
not a1-rj will bedetected;---- The exact--percentage-of--.errorsof.. 
various lengths that will be passed depends on the code used. 
At the other extreme, if the burst is sufficientl y
 long 
and severe, so that the received bits have no correlation with 
the transmitted message but are instead received with a proba-
bility of error of 1/2 for each bit, then an estimate of the 
probability of passing an error is again possible.
	 If the coded 
word has n bits, k of which are information, the remaining (n-k) 
r
bits are redundant.
	 The k information positions in the word can be filled by the random process with any bits, and there will 
then be one and only one set of values for the redundant bits that 
will result in a coded word.
	 The probability of this particular 
set of values being chosen is (1/2)flk. 
The assumption that a noise burst will result in bits being 
received as "1" or "0" with probability 1/2 is, however, not always 
84. 
INTERMETRIC	 INCORPORATED
	 380 GREEN STREET .
 CAMBRIDGE, MASSACHUSETTS 02139
.
 (617 RRP.i
valid. Sometimes .a noise burst (or hardware failure) is more 
likely to cause errors' in oric direction, such as turning
 
to ".0's", than the other direction. Such situations arise. from. 
•the details of the modulation scheme used and the design of the 
hardware, and are very-difficult to evaluate in a general way. 
• 'When possible, it is usually good design practice to design' 'the 
code so that the most likely types of equipment failures will not 
result in a valid code word. Examples of this would be elimina-
tion of' all "l's" and/or all "0's" as valid code words.' 
52.6 Fire Codes and Other Burst Codes 
Some special error correcting codes have been developed 
which are especially applicable to error correction in channels 
which are subject to burst errors. For a given level of redundancy, 
these codes are able to correct more errors in a burst than would 
be possible if the errors were assumed to be random. These codes. 
require long blocks and complicated decoding procedures. Two 
examples of these codes are cited: 
a) Fire Codes
 
-•	 Fire-codes are oriented towards a single burst of errors per 
message. They are inefficient for short blocks, however, 
and are not particularly good for multiple bursts on a single 
•	 ' block. 
-b) Reed-Solomon Codes 
The Reed-Solomon codes are a special case of the generalized 
BCH codes, oriented tcward multiple burst error correction. 
They are moderately efficient, and for the same block length 
-'	 are similar to BCH codes in decoding complexity. 
.2.7 Horizontal and Vertical Parity Coding 
A coding technique which has been .proposed for the Shuttle 
baseline data bus systems is vertical and horizontal parity 
coding. This coding scheme assigns a single parity bit to each 
byte or word of the message (horizontal parity), and an extra 
byte or rd for vertical parity on the preceding bytes. This 
approach detects all odd numbers € errors. An undetected error 
can only occur when each byte and every bit position contains 
an even nuir.ër of errors. The scheme fails t. detect errors only 
when an' even number of errors, equal to or greater than four, occurs 
with the errors paired in rows and columns. The efficiency of 
this approach is moderately high for messages of several bytes, 
85 
H INTERMETRICS I NCORPORATED380 GPEEN ST	 CAMBRIDGE, MASSACHUSETTS 0139 (617) 8681840
but is poor if the number of bytes of data in a message is small. 
For example, the effective information rate of an 8 bit byte 
of data would be computed by 
E _8N 
9(N+l)	 where N is the number of bytes 
It can be seen that for a small number of data bytes the 
efficiency is low (i.e. 44% for 1 byte, 59% for 2 bytes). When 
the block size increases, however, the coding scheme becomes more 
efficient (i.e. 79% for 8 bytes, 91% for 32 bytes). Although 
there are more efficient coding techniques, this scheme has a 
major advantage in that itp implementation in terms of the 
encoding, tecoding and detection logic required in the SIU, EIU, 
and BCU data bus equipment is probably the simplest. 
5.2.8 Repeated Transmission 
The repeated transmission of a data message over a single 
path is a well-known method for error detection. DeLction is 
accomplished by requiring all messages received to be identical. 
The t i me diversity, or spacing of transmissions provides inde-pendence. 
Implementation of this approach as the prime error control 
approach in the Shuttle data bus would require the BCU to transmit 
the (uncocied) data to the remote station, and vice versa, two 
or more times. The remote terminal would require a comparator 
or voter to determine an "acceptable" transmission. Retransmission 
for error correction is still required for ambiguous voting result:-,. 
The method is relatively simple 
inefficient, particularly for block 
get a Hamming distance four code for 
message must be repeated four times. 
caobility can be obtained with many 
schemes.
to implement, but is very 
transmission. In order to 
three error detection, the 
The same error detecting 
fewer bits using other coding 
5.2.9 Transmission Over Multiple Paths 
The transmission of the me'sage over multiple separate 
paths between a single BCU and single LRU is similar to the redui-
dant transmission over a single path. it is true that the 
message is received and verified at the output with less delay 
thanis associated with the sequential trarsmissjon scheme, but 
86 
1NTERMETR I.CS INCORPORATED 38n GREEN STREFJ .
 CAMBRIDGE, MASSACHUSETTS 02139 . (A171 Rc.1OAn
on an overall basis, there is no improvement in the utilization 
rate of the available channel capacity.
	 The necessity of providing 
parallel channels to allow continued operation in the event of 
a permanent hardware failure would directly affect the Shuttle 
data bus if it were the prime error control method used.
	 It 
would require independent paths to be maintained for the FS mode 
of operation, increasing the number of buses required for FO/O/FS. 
The approach would increase the complexity of the BCU and 
SIU units, since it requires transmissions over multiple paths 
. to be synchronized, so that comparison or voting could be 
performed at the receiver, or storage for delayed receipt. 
5.2.10	 Data Feedback/Echo Check 
In this method, urccded data is saved in buffer storage 
at th	 transuitting element and sent to the receiver.
	 The 
receiving element transmits back the entire message.
	 The trans-
mitting element then performs a bit-by-bit verification of the 
entire message.	 Upon verification by the transmitter, the receiv-
ing element is instructed to use the information on receipt of a 
"verify message from the transmitter. 
If an error is detected the transmitting unit can retransmit the entire message.	 If the error was caused by an external noise 
transient, the second transmission should be valid.
	 This method 
'.
is referred to is an echo.	 One of the problems with this approach 
•
is the probability of transmitter's verification being in error. 
An endless chain of echoes may result in requiring the receiver 
• to echo the echo, etc.
	 Complete feedback of all data requires 
• twice the time to transmit a message.
	 Its main advantage is the 
high degree of error detection it provides. 
5.3	 Detection and Retransmission Vs. Forward Error Con.ectjon 
In the analysisof data transmission systems, two distinct 
cases have bean studied.
	 The first case is Forward Error Correc-
tion, in which the decoder at the receiver studies the received 
message and, if an error is discovered, attempts to deduce the 
correct message from what was actually received.
	 The second case 
is retransmission, in which the decoder checks the received message 
for signs of error, and if an error is detected the decoder informs 
the transmitter.	 The transmitter can then retransmit the message 
or take whatever other action is indicated. 
A forward error correction scheme is considered undesirable 
for the Shuttle data bus since it would require too much complexity 
87
IP.J1EqMET	 NCORPORATED 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139
.
 (617) 868-1840 
at the terminal and BCU, particularly for correcting more than 
1 error in a me ssage. The method prefer--ed is to combine an error 
detection scheme with retransmission for recovery. 
The advantages of the retransmission approach to error

recovery are reduced complexity of the decoder and the reduction 
in the probability
 of an. undetected error for a given level of 
coding. 
The classic studies of retransmission systems were reported 
in two papers by Benice & Frey in 1964 (4). In these papers, 
three cases were considered: 
1. Idle RQ - in which the transmitter sends a message and 
then sits idle until the decoder indicates whether a 
retransmission is requesteo. Presumably, this includes 
a "no response" from the terminal. 
2. Simple RQ - in which messages are sent continuously. 
When an error is detected and a retransmission requested, 
the source repeats the requested me°3age. 
3. Dual RQ - in which messiges are transmitted as in Simple 
RQ, except that the requested message and all subsequent 
messages are repeated. 
The Idle-RQ system appears to be most appropriate to the 
Shuttle data bus, since the bus traffic is expected to consist 
of a large number of relatively short communications between the 
bus controller and the many terminals along the bus. The advan-
tages of the other schemes are acnieved when full duplex trans-
mission systems (simultaneous continuous transmission in both 
directions) is used. The Shuttle data bus is not expected to 
be used in this manner. 
-	 Thé	 ditións for hichthe- Id.e-RQschcme- be come s
—a--poor-- -candidate are not app l icable to the Shuttle data bus. In many 
•
	
	 data transmission systems, thi transit time of the channel is 
long compared to the length of a message. Thus, the transmitter •	
-.	 wastes a lot of time sitting in the idle state waiting for the 
message OK or retransmit signal. In the Shuttle data bus, the 
round-trip time to the farthest subsystem will only be a few 
microseconds, or its. 
In the dat1 presented by Benice & Frey, the computed k
	
	 probability of an undetected error for the Idle RQ system drops 
rapidly until a certain minimuia probability is reached, and then 
no further improvement is possible. This bahavior is traced to 
the failure of the retransmission request to be recognized at the 
88 
NTERMETRICS INC01PORATED . 380 GREEN SIREFI .
 CAMBRIDGE, MASSACHUSETTS 02 1 39 . 167 868-1840
'U ..:	 . .......-.	 ..	 - 
transmitter. The minimum error probability is the probability 
that some kind of error will be detected in the forward message, 
and then the retransmission request is changed to a confirmation 
that the message wa OK. 
In the othe: two retransmission schemes, the retransmission 
request was encoded as a part of a message moving in the opposite 
direction anti was, therefore, protected by the same level of 
coding as t.he original message. The occurrence of any error in 
a returrd message was construed to be a retransmission request 
for the forward message. This attitude results in a small decrease 
in throughput rate, and a large decrease in probability of an 
undetected error. 
In the Idle RQ scheme, Beni.ce and Frey postulated a one bit 
confirmation message for most of the work, and this results in 
a minimum probability of undetected word error of about 5 x 10-8 
for a bit error probability of 10- 5
 and a 511 word message. By 
changing the returned accept retransmit request message to a 
7 bit format, the minimum probability of an undetected error was 
reduced to 5 x 10-38. The point to be made here is that the 
retransmit reguest must be suitably protected if it is not to 
turn out to be the limiting factor in the probability of error 
in the transmission system. The penalty for this is a slight 
reduction in the throughput rate of the system, which does not 
appear to be a prime consideration in the Shuttle data bus system. 
•';
89 
INTERMETRICS INCORPOrATED 380 GREEN STREET • CAMBRIDGE, MASSACHUSETTS 02139 .
 (617) 8€3-1840
References for Chapter 5 
1 Berlekamp, E R ,
	 ebraic Coding The, McGraw Hill Book Co., New York, 1968.. 
2. Abramson, N.M., "A Class of Systematic Codes for bn- I ndependent Errors", IRE Transactions on Information 
Theory. PGIT5, No. 4. December 1969, pp. 150-13 
3. Peterson, W.W., Error Correctin 
Cambridge, Mass., 1961.
	
g Codes, The M.I.T. Press, 
4. Benjce, R.J. and Frey, A.H., Jr., "An Analysis of Retrans-
mission Systems", IEEE Transactions on Communication Technolo. PGCOM-12, No. V. December 196 ,5145 and "Comparisons of Error Control Techniques", Ibid, pp . 146-154.
•	
Chapter 6 
•	
Bus Implementation Factors 
6.1 Transmission Problems 
S.
	
	
This section will briefly review some of the factors 
affecting the implementation of a Shuttle data bus. As mentioned in 
Chapter 2, it is a finding of this study that, although these 
factors can be of critical importance in determining whether 
the data ous provides adequate performance, whether it is 
vulnerable to environmental transients and hardware failures, 
and whether it minimizes the penalties of power and weight, 
they are not as significant as those of redundancy management, 
control policy and overall configuration. 
The major factors that impinge on the hardwar
	 design decision are: 
a)	 the specified performance requirement.
	 This is, of course, the prime design driver.
	 There appears to be a natural breakpoifli?1fe design cf the system at a dat.
	 ate of
j 
about	
the transmission 
medium and the choice of integrated circuit technology. 
MOS technology is currently unable to operate at dircujt 
speeds below a few hundred nanoseconds, whereas bipolar 
- -IC-'-s--a-re -faster-by nearly-an--order
--of--magnitude---
	
-	 - -	 - 
b)	 The expected signal-to-noise ratio of the environment. This is, after performance, probably the overriding factor in the design of the total system.	 The choice of signalling 
technique and type of communication medium arc, for
a given data rate and specified error frequency, driven by this 
factor. 
c)	 The bandwidth and distribution of the noise spectruu.
	 This factor is virtually impossible to define Without real 
•
measurements in an actual shuttle vehicle.
	 To formulate design guidelines attempts have been made to characterize 
it, e.g., as white with Gaussian distribution.
	 From studies of the charcterjstics of aircraft environments, no simple 
91 
INTERMETRICS INCORPORATED
	 380 GREEN STREET .
 CAMBRIDGE, MASSACHUSETTS 021r,9 - (617) 83-1840 li 
-
••	 S	 •.	 •.•.•..-.	 •	 :'.	
. 
•	
0	 •.	
.	 °.	
.;_..;	
.5.	 .	 •	 .	 •-..	 .	
.	 •.	 .	 - 
noise model is known to be satisfactory.
	 Diverse sources 
of radiated noise such as actuator solenoids, motors, radars, 
and the effects of ground coupled current transients are 
very difficult to characterize in a general fashion. 
•	 Experience has indicated that noise energy in a realistic 
environment is distributed as 1/f
	 t the lower frequencies (below 106 hertz). Assessments of transmission techniques 
whose findings depend solely on the performance in the 
presence of Gaussian noise must be questioned.	 The approach 
usually followed is to ensure a high SNR, so that the system 
is not	 sensitive to the shape of the noise spectrum. 
. ::.
. d)	 The complexity of the bus transmitting and receiving 
equipment.	 The more Sophisticated signalling techniques, 
such as modulated carrier, demand a greater complexity in 
the modulation and demodulation circuitry.
	 In a Shuttle 
system, with an estimated total cou.t of upwards of 200 
bus line terminals, a minimal complexity at the terminal 
is of obvious importance.
	
- 
• A real Shuttle data bus design will encounter many diffi-
culties of implementation in coping with the above constraints, and 
trying to meet the operational requirements of the Shuttle. 
Although this study specifically did not address itself to 
such problems, two areas that have received much attention 
were examined, namely the transmission technique and the trans-
mission medium.
	 These are now described. 
6.2	 Non-carrier (Baseband) Signalling Schemes 
A great number of techniques for directly encoding a signal 
for transmission on a channel has been devised in the field of 
-
communications.	 Table 6.1 summarizes some of the major prop-
erttssof- basebandsignatlinq - tchriques-, ...nd thetr 
waveforms are depicted in Figure 6.1. 
a)	 Non-return to Zero (NRZ):
	 Figure 6.1a 
A '1' is represented by a fixed voltage level of one polarity, 
1 0' and a	 by an equal level of the opposite polarity.
	 De-
tection becomes a simple matter of polarity discrimination, 
e.g., by Schmitt trigger.
	 A sequence of unequal numbers of 
'l's	 '0's and	 produces a non-zero average component which demands	 DC , a	 channel capability, with DC coupling or some 
form of signal restoration at tL	 receiving end.
	 NRZ is •
• vulnerable to noise whose energy is inversely proportional - 
to frequency, as is typical in aircraft electrical systems. 
Since the signal contains a maximum of one transition per 
•	 bit the channel bandwidth requirement is low.
	 However,
92 
NTERMETRICS INCORPORATED . 380 GREEN STREE7 . CAMBRIDGE, MASSACHUSETTS 02139 .
 (617) 868-1840 
NR 17	 1. Simple detection 
2. Bandwidth equal to 
date rate 
.__
Biphase	 1. Sync inherent in data 
2. No DC component 
3. Zero frequency trans-
mission not required
1.. Requires DC

Coupling 
2. Transmission to 
zero frequency 
3. Requires separate 
sync 
1. Requires bandwidth 
Of twice data rate 
fl
Bipolar	 1. Bandwidth equal to 
data rate 
2. Zero frequency trans-
mission not required 
3. No DC component 
1. Requires bandwidth - 
of twice data rate 
2. Requires DC 
coupling 
3. Requires trans-
mission to zero 
frequency 
4. Requires detection 
of zero signal 
level 
1. Requires separate 
sync 
2. Requires detection 
of zero signal 
level
Bipolar RZ	 1. Sync inherent in data 
2. Simple detection 
Table 6.1 'Comparison of Modulation Schemes 
93 
INTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE MASSACHUSETTS 02139 (617) 868-1840
	
4 
DATA
+ 
NRZ	 0 
+ 
BiØL	 0 
+ 
BIPOLAR RZ 0 
BIPOLAR
	 0
I, I 
!IIIiI 
I 
!IEIIOEL'U'JUi! 
lmmpimiDi
I., 
a) 
c) 
d) 
7
	
Figure 6.1 Modulation waveforms 
94 
,	 INTERMETRICS INCOAPORATEO . 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139 .
 (6171 RRRiPn 
• because signal transitions occur ohly when the data changes 
'1' from	 to '0'	 (and vice versa), there is difficulty in 
obtaining bit timing for long sequences
	 'l's	 'U's. :. 
•
of	 and 
Synchronization must be provided by a clock signal in 
addition to the data.
	 Since the data frequency is a 
V.
submultiple of the basic clock, its energy spectrum shows 
a minimum -at the clock frequency (see Figure 6.2a). 
-	
- Effective clock and data separation can, therefore, be 
achieved by band-pass filtering the clock and low-pass 
filtering the data 
RZ is similar to 4RZ in bandwidth and power spectrum, but 
• has a higher error probability in the presence of noise. 
•
b	 Biphase
	 (Manchester):
	 Figure 6.1b
- 
-4.
bit interval, in one direction for 'l's and in the Opposite 
-	 for '0's.	 Detection involves phase discrimination, which is 
a more complex procedure than level detection.
	 Bit timing is inherent in the waveform, and there is no DC component. 
However, the frequency of transitions
requires apprcxiinately twic•	 the channel bandwidth of NRZ, although from Figure 
6.2h it can be seen that most of the transmission energy into goes	 the data at a point in the spectrum which has 
a lowcr noise energy than for NRZ.
	 Synchronization can be derived from the signal by detecting the zero crossings, 
filtering the resulting signal and using it to drive a local oscillator in a phase locked loop.
	 This is considerably more complex than NRZ 3ynchronization,	 Two alternatives 
•: are possible: 
1)	 superimposing a separate clock signal on the 
data at a frequency well above the data passband, 
-	
aiid then dividing it down at the receiver; 
E-
2)	 equipping each receiver with an independent clock 
•
.	 of high enough frequency to provide fine grain 
strobing of the data signal transitions.
:3 
The first technique requires a higher channel bandwidth. 
• Both of these techniques present difficulties in clock 
jitter due to uncertainties in the clock-to-data phase 
relationship, and in the frequency division logic. 4: 
C)	 Bipolar:	 Figures 6.1c and 6.1d
-1: 
In Bipolar RZ modulation '1' and '0' are denoted by positive
- 
and negative going pulses, of usually a half bit duration. 
Betwecn symbols the signal returns to zero volts, which pro- 4 vides the capability for bit synchronizat on	 Detection is 
95
 
INTERMETRICS INCORPORATED
	 380 GREEN STREET • CAMBRIDGE, MASSACHUSETTS 02139 • (617) 868-1840
A scheme that has been termed bipolar modulation but is 
more strictl a combination RZ and NRZ, is depicted in 
Figure 6.1d. It aims to achieve the modest bandwidth of 
NRZ without requiring a transmission to zero frequency, and 
without a non-zero average component. A '0' is represented 
by a zero level, and a '1' by a non-zero level, whose 
polarity alternates with successive 'l's. Some logic is 
necessary after level detection, to extract data from the 
both NRZ and RZ, this bipolar scheme requires separate bit 
synchronization, and like RZ suffers from zero-level noise 
problems. 
d) Other Techniques 
Techniques involving multi-level signalling, and variations 
and combinations of the above schemes have been proposed to 
suit the special requirements of specific signalling environ- 
ments. They will not be further reviewed in this report. 
6.3 Carrier Modulation Techniaues 
In carrier systems the information is impressed on a carrier 
signal of a nominally fixed frequency, to occupy a band in the 
--spectrum- corrcz-pond-i-ng- to -- lower- -noise- energy-. -- A -greater--- ----- - 
utilization of channel capacity is possible by operating at a 
high frequency, with a consequent increase in the transmission 
efficiency. Transmission media tend to possess better character-
istics at higher frequencies; e.g., the variatin of signal 
delay and attenuation across the operating band is less.
	 his 
becomes an important factor at frequencies in excess of 10 bits 
per second. These are major advantages. However, the drawbacks 
of carrier modulation schemes are considerable, and must be care-
fully weighed,even if a severe noise environment indicates their 
use.-	 - 
Modulation and demodulation are more complex than for non-
carrier systerns,sjnce the data and synchronizationmust first be 
combined and then stripped from the carrier. It is not possible, 
- as with non-carrier modulation, to use digital circuitry 
directly to drive and sense bus transmission.- --
-	 -	 96	 -	 --
IN TER METRICS INCORPORATED 380 GREEN STREET CAMBRIDGE MASSACHUSETTS 02139 (617) 868-1840
b) Bi-Ø 
d) BOLAR
f 
L 
fo = DATA A) 
Ji Figure 6.2 Modulation energy Specta 
.97 
-	 ---.
To take advantage of the noise immunity of carrier systems 
the' carrier frequency must be high, up to ten times the data 
rate. The frequencies generally exceed the ability of the 
simpler shielded cables, which having less controlled character-
istics, are less able to provide unattenuated and undistorted 
transmission. 
A synchronization signal (clock) can be carried with the 
data, depending on modulation technique, either by combining 
modulation techniques, by modulating a separate carrier 
separated from the signal carrier by the bit rate (this 
facilitates filtering), or by Combining the clock in phase quadrature with the data. 
6.4 Bit SynchronjZat3n 
The distribution of timing information is necessary to the 
operation of the data bus system, whatever the choice of 
modulation technique. Some of the problems of deriving bit 
timing from or with the data have already been discussed. In 
general, it is possible to generate the timing 'signal either 
centrally at the computer/BCU, or locally at the terminals. It 
can be transmitted inherently in the data, or over the same 
physical path as the data, or on a separate clock line. 
a) Central Clock 
The central clock signal is continuously distributed to 
all terminals, which then employ it to re-transmit their 
responses. The advantages of this technique are: 
1) simplicity at the terminal; 
-----2) ---provision, of. a common, _sychois lock to all 
systems on the bus. 
Its disadvantages are: 
1) a clock failure disables all operations that 
require timing information, until recorl±iguratjon 
can occur; 
2) data received by the computer/ECU from remote 
terminals will be phase-skewed with respect to 
the clock, requiring compensation logic at the 
ECU end of the bus.
•L 
.
.1! 
98	
k 
INTERMETRICS INCORPCRATED . 380 GREEN STREET
.
. CAMBRIDGE. MASSACHUSETTS fl2i0 •
I 
b)	 Local Clock 
The method suffers from the complexity of additionjlc'ck 
circuits at the terminal.
	 However,most terminals will probably 
reqire a source of Liming independently of their communica-tion function.	 The advantages of
	 loc a	 ally generated clóOk 
are:
1)	 no clock skew problems, 
• 2)	 no dependence on central clock for local timing. 
C)	 Separate Clock Lines 
clock line can be consid^red f • ,r either locally or centrally generated 
• must be traded against the eom'lexity of superimposing, and then separating data and syncllronizatjDn.
	 Although the 
extra line can be dedicated to contjnuou
	 transmission of 
synchronization alone, a variatior on this approach has 
combinec computer command data and synchronization on a line 
separate from terminal zesoonses.
	 The rsultinc' dual simplex 
communication mode has been claimed to effect savings in 
line coupling and drive and sense electro4
.iics, which offset 
the weight and power penalty of the additional bus line. 
•	 However, to meet a FO-FO-FS failure criterion the 
arrangement demands at least five
- redundant pats, and 
switching between receive and transmit modes at each- trrninal, 
and at the BCJ.	 If there is no switching, up to e ight lines 
will be required. 
•	 This mode of operation creates an added degrec.of difficulty 
to the problem of error detection and bus reconfiguration. 
- 
•
This mustbe -considered along-wi-th-the weightpenajlyjn 
making an evaluation. 
6.5	 Transmission-Media 
Many techniqes for transmitting datr'.ovr distances of 
several hundred feet are available.
	 Transmission media range 
from modulated light beams for data rates above 10 9 hertz, to 
• the conventional wiring of current aircraft and spacecraft, which is limited to a 1C 4 -to 10 5
 hertz data rale. As indica ted in 
Chapter 2, most estimates that have been made of the Shuttle 
data rate requirement indicate thata li)6 to 2 xl0 6
 bits pe r 
second capability would be adequate.
	 '\ccordinuly, the choi.:e 
• 	 •.
99. : 
INTERMETR;CS I NCORPORATED	 380 GREEN STREET
	
CAMBf1DGE
	 SAL4USE7S J2 139	 c617 869-1s4
of transmission medium for the Shuttle data bus can be limited 
to tne several varieties-oi varieties-o miniature coaxial and balanced 
twin cable. Single wire conductors do nnt possess inherent 
irmur.!ty from spurious electrical and magnetic field disturbances. 
They arn also emitters of interfering electromagnetic fields 
when carrying high-level signals, unless very heavily (i.e., 
doubly) shielded. Single conductor wire has generally been 
eliminated for all but ve-y short cable runs. The basic 
electrical performance requirements for the transmission paths 
in the Shuttle are: 
a) wide andwjdth 
b) Low frequency and phase (delay) distort-ion 
C) low attenuation 
dinnuz.ity
--tocondutedandradi ate dnojse.__ 
In addition, the Shuttle application makes the following 
considerations important: 
a) cost and availability 
b) low weight and volume per unit le.gth 
C) resistance to temperature, nrcure, vibration, shock, etc. 
d) physical flexibility and ability to share cable ducts with 
other wt ring 
e) ease of physical and electrical connection. 
Since the Shuttle data rate requirement is modest many available 
cable types can meet the bandwidth anc attenuation requirements. 
to be: 
q) twisted shielded pair (TS?) 
b) uhielciecj coaxial cable, single and twin 
c) flat cable. 
Each type exists in various perfcraanco grades. The apecial flat 
cable is ntill under development. TSP is liqhtweight and usabic 
to several methertz, depending cn specification. Coax can be 
extended tc tunareds o' megahertz, but becomes very bulky and 
unwieldy. The. least known and least 'pecifiable shuttle vehicle 
parameter appears ta be the nature of the noise environment. A 
nvucs 9.CORPORATVD 380 GREEN STPCET CAMBRIDGE.
	 021,9 (617) C. i8t
low SNR environment, with noise energy concentrated into the 
low frequencies makes the use of the twlstei shielded pair in 
a balanced mode mandatory with any of the Daseband signalling 
techniques described previously, especially those with trans-
mission to zero frequency.
	 Figure 6.3 illustrates-the"
 relative. 
noise immunity of TSP and coaxial cables..
	 TSP is superior at 
the low frequencies where.shielding becomes ineffective, because 
of the mutual.cancellation of the individual conductors' induced 
fields.	 If the noise environment is severe, a high-frequency 
carrier signalling technique may become desirable, requiring 
use of standard single or twin coaxial cable. 
A problem for any cable type is the geographical location 
of the equipments to be interconnected.
	 It will in general be necessary to provide branching of the data bus.
	 Such branches 
must not introduce undue reflections or attenuation.
	 The total equi  
•
addition or subtraction of terminals should not alter the basic 
characteristics of the line.
	 These properties may be difficult to achieve with the less well-balanced and uniformly constructed 
cable types without line conditioning or the use of active 
couplers and repeaters.
	 This naturally adds to the complexity 
and unreliability of the bus, which the use of simple TSP seeks 
• to minimize.	 However, as will be discussed later, line couplers 
may be required anyway to effect redundancy interfacing. 
The coupling of drivers and receivers to the bus lines has 
received a great deal of attention.
	 Whether AC or DC coupling be used is determined by the modulation scheme.
	 The noise 
problem favora the use.of balanced line coupling:
	 the inherent 
.
immunity of TSP to radiated noise is enhanced by driving and 
sensing the line in a balanced mode, since ths rejects Common 
mode noise created by ground return paths.
	 AC coupling allows balancing through center-tapped transfOrmers.
	 The inductance 
-of—the--trans-fo .rmer,
-however-, 
-affects :th0characteristjcs of. the tranmjssjo
	 line, which is a more serious problem for 
•
baseband than carrier signalling techniques, since the latter 
••. permits a degree of tuziing to achieve noise rejection.
	 Capaci-
.tative coupling has also been used to drive ar. AC line.	 DC 
•
coupling is achieved through resistive bridge networks. 
. A factor that may impinge directly on the choice between 
AC and DC coupling is that an . AC coupling will not transmit 
.	 It can filter out continuous anomalous line conditions 
f r such as open circuits, shorts to grourd or shcrts to a DC supply 
rail, etc.
	 Such conditions in the line driver of an AC-coupled 
bus terminal need not incapacitate the conpiete line to which 
it is interfaced.	 By suitable choice of driving and sensing 
impedances it may be	 ssible to allow continued operation, 
even when violent impedance changes. occur on either side of 
101 
tNTPMErqICS1NCCJOPAT( . 380 GREEN STR:ET .
	 :671	 6?p,' 
AN!	 1fl 1W
>1 
C) 
a) 
C) 
rn 
a):, 
•	 (1) 
cnC) 
cm
CR 
p. 
•i.
-	 I 
2	 I
4J 
w
O•-i 
cc
- 
=
-J
-
C-) 
z
.01) 
•-I 
w 
a 
0 w 
cc 0-1616 a. 
Aj 
C) 
0. 
( go) Pljyfljjymom . 
102
F 
a coupling.	 The situation could be treated, not as a catas-
trophic failure, but as a Condition of reduced signal to noise 
ratio.	 This would be much more difficult with DC coupled 
modulation schemes, for which the zero level represents an information state. 
•
.................. 
• 
• 1 
• :11 
I 
•	 103	 •	 •
:'-
. 
• INTEAMETFUdS INCOTh'ORATED	 38() GREEN S1(ffT . f MBRDO& MA.SkCHUSETTS 02t39
. (6171 8.1840
- 
PRECEDING PAGE BLANK NOT FILMED 
Chapter 7 
Summary Review and Recommendation 
... ............. 7.1 Introduction 
Th.s chapter will review the material presented in the first 
part of this report and make more specific recommendations in 
certain areas of the Shuttle data bus design. Section 7.2 
reviews the problems of management and control of the data bus, 
and Section 7.3 addresses the main ob)ective of this study, 
namely the functional specifications f a data bus interface 
unit.
In order to make recommendations in areas where there was 
no clear criterion two general ground rules were established; 
a) The simpler solution was •preferred. This was interpreted 
• very broadly. Ce mplexity was considered a disadvantage 
.1	 not only at the circuit and logic level, but in control, 
equipment configuration, interconnections, software, program 
- -	 management, etc. Otherwise desirable attributes such as 
--	
éi cpádabilTty, performance per -
 ce, high technothgy -and--so-
on, were discounted in favor of expediency and cost effective-
ness. Cost was not measured in specific terms of dollars, 
but rather in tno de gree of difficulty of a given approach. 
•	 The choice of the simpler approach was. considered to minimize
development risks and to achieve a higher probability of 
•	 operational reliability. 
b) Groat weigit was given to approaches that kept functional 
requirements separated. For example, the provision of 
capabilities at the data bus interface unit :
 that were not directly concerned with bus communication, but influenced 
•	 •	 the bus control Structure and data format was not favored. 
8cue of the central role of the data bus there 13 . tempta-
tion o burden it with fu'ttions that are more properly 
•	 105	 •	 •	 •	 •	
• •	 • 	 •.	 •	 •	
•. • im TfMETRICS thCPP(IRATEO e 333 GREEN S1RE . CAV SAW. 5.. U'SSACH1JST t 9 IV
 
----------•--- -.-- ___t
the concern of the sbsystem or the computer. For this 
study the bus was considered to be primarily a communications 
and data acquisition system, and not a tool witi:. which to 
tackle general avionics system problems. 
In addition to these general guidelines the evaluation of 
the bus system was directly depend.;t on the Shuttle system 
communication requirements and imposed design criteria defined 
in Chapter 2. In addition to the data requirements of speed, 
types of messages, number of units, etc., several other important 
criteria were used in evaluating h'is design features: 
•	 a) Simplicity and ease in verification. Because of complexity 
and the degree of reliability specified for the integrated 
avionics, the data bus system must remain as simple and 
easy to verify as possible. The elimination of non-deter-
-ministic. .cperationjsdesjre 
h) Efficiency in data transfer was not a prime objective. 
It should not be an essential, requirement to maximize the 
efficiency of a data transfer or access scheme, provided 
that operation remains within a reasonable margin of the 
limit. If overhead is encontered to achieve design simplicity 
and "testability" it should oe accornxnodted by the speed 
requirements.
C) Flexibility.	 In pursuit of simplicity care must be taken 
to avoid an inflexible systcm, especiaLy since the Shuttle 
concept is at an early level of developztent.
	 However, flexibility in desi gn of the bus was considered only where 
.
a potential, need was apparent.
	 Speculation on the as yet 
unestablished requirements
	 future of	 Shut'le activities. 
was discouraged.
	
. 
d) 
-
Standardization in bus design.
	 A technique which maximized àde	 of Standrdizat1-on--possj-bj-i-
	 aniinpementat .j-on--	
—__4------- of the data bus, or one that involved estaoljshed System design procedures was favored
-	 - 
over an aptroach unique to the specific problem. 
7.2 Cornand and Control of tie 
- Shuttle Data Bus 
the
In this Section the basic Structure of the data bus system, fu'-ctrng that it need, .4 
control or need not perform, the type of to be excrcisd, and the type of data structure required 1l bo reviewed and evaluated.
106
o 
tNTtWETRCS INCORPORATED
. UO CN STR
	 CA.lBRGf MASS^CWjSf
	 •7 B%- t) 
------	 ---------	 - 
7.2.1	 System Configuration 
The configuration of the bus with respect to the computers, 
the bus control unit, the terminal and the subsystem was discussed 
in Chapter 3.
	 The computer's role as the controlling authority 
over the operation of the bus was identified as a critical system 
decision factor.
	 Two aspects combine to make the computer's job 
difficult: 
a)	 the scope of the centralized approach to Shuttle avionics; 
• b)	 the management of multiple redundancy implied by the assumed 
FO-FO--FS criterion. 
Even though the processing task has been estimated
	 to fall 
-- withithe capability of a single computer of moderate size and 
speed, the 
been raised.	 The arguments for division have included ease of 
management, less costly software production,
	 nd ability to develop 
the system incrementally.
	 The arguments	 zgainst division are 
based on the amount of duplicated hardware and software.
	 Chapter 3 
• concluded that distribution of the computing tasks would be easier 
if each computer could be associated with a distinct, independent 
functional area. 
In the Shuttle application strict separation of functions 
is not straightforward, because: 
•	 a) it is difficult to identify subsystems (for example, data 
j management versus guidance and ndvigaticn) with independent • functions and equipment.
	 ( Exceptions are displays, main 
engines, and perhaps t 1ii environmental, control system, which 
does not contribute a major pioportion ot the avionics 
complement.) 
b) The specification of a common data bus forces the need	 or 
coopezation between all computers and subsystems that interface 
with the bus. 
c). The high level of reduadaz.cy imposcd by.. the FO-FO-FS 
failure tolerance creates an aiditlonaj. degree of difficulty 
in the management of the bus tnd its subsystems.	 It bccomes 
a major task to maintain the operational integrity of the 
system	 it ..ay be necessary to dothcate this function to 
to a system management
	 omputor.
	 By the nature of its task, 
this computer is intimately related to all subsysto3ma on the Shutt.e, binding th.m operationally and preventing the 
est'blihment of strict iadepende,ce.
107 
fl1fflVETRC3 tNCOROw1EO • 38C GREFN STE1 • CAMflai3Gc. MASSACHu$TTS 02139 . 	 &ie 
If control of the bus is divided between several differèt computers, 
then the following problems are created 
a) the management of the bus system's con figuration by rore than •	 one computer.-Even if management is not a shared function, 
the monitored status of the system, and the results of all 
• 	
S	
reconfiguration decisions must be communicated from one computer 
to the next via DMA, via the bus control unit, or via the bus 
• itself. 
b)	 The resolution of Conflict over the use of shared subsystems by more than 
•
one computer, especially subsystems that require 
several bus transactions to effect a Completed sequence 
of operations (e.g., the reading of range and range-rate from a navigation radar.
	 See	 Appendix C.). 
• These 
data bus.
	 it is 
-
a recommendation •of this study  that at all times only one computer be provided-with the ability 
•
to directly access, 
control. or otherwise influence the activity on the data bus. 
•
Another computer may be introduced into the system but only to provide added processing capabilities. It must be interfaced to the bus through 
the standard bus interface as just another subsystem to be s erviced by the bus, and must operate within the constraints of the bus
3 control policy.
	 The recommended approach to computer bu& control is as illustrated in Figure 3.12.
V
7.2.2 Bus Control Policy.
 
In this section techniques for bus communication control, 
and error detection and correction are evaluated and 
recommendations are made. 
	
72-2-. 1 Bus Acces-a-Me-thod
	
--	 -----
Of the four approaches discussed in Chapter 4, the 
command/responae ddresng access method is considered to be 
more directly applicable to the Shuttle avionics data bus, 
principally btcause of its simplicity, its detErministic behavior, 
and its fl'xj.ble addressing at'ucture.Although tha polling and contention methods result i:. a .aore efficient bus 
utilization, and provide more general and sophist:cat., solutions to the 
cation problem, the increased complexity required of the bus 
elements does not apear justifiable. Furthercore, the random access operstion permttud by these techniques can result in
 
unpredictabl 1,0 service and response rate, and an increased 
difficulty of testi.g and validatior. 
	
•	 leo 
L?4TERMETRJCS tNCOPOR&TEp . 3 GP. EN STRrET CAMS
	 • MA *.cHUSET IS 02,39 -	 840 
Command/response addressing is the simplest approach which 
can do the job. There is, however, a reservation to be made 
concerning its inability to service random events without incurring 
a high sampling frequency. An instance of this kind of bus 
activity is the monitoring of 
.a large number of t'rmina1s for their 
operational status. A sampling of every terminal in a 250 terminal 
data bus system can be completed in less than 2 milliseconds, 
assuming a 1 megabit per second data bus rate. This represents 
about 10% of a typical 20 millisecond bus minor cycle. (In 
practice it would not be necessary to sample every terminal in 
•	 every cycle. Random event indicators would probably be grouped 
into a few interfaces. These factors would reduce the actual 
duty cycle considerably.) 
Although this example does not pose a major problem, if this 
kind of tiVttybëcs
	 iftt	 tinof
 but
 the margin of advantage, that command/response 
has over the polling access technique will narrow. A strict 
command/response structure can be modified by incorporating a 
form of group addressing for terminals servici.g subsystems 
with random outputs. The problem lies in coordinating a numDer 
of simultaneously echoed responses from such a group. The Shuttle 
requirements as known to date do not justify the introduction 
of further complexity into the bus design to solve this problem. 
A reservation if far less significance is that command/ 
response allows transactions to occur only between computer/I3Ctj 
and any terminal. it precludes the terminal-to-terminal communica-
tion required by tcleratry or On-board flight recording equipment. 
.	 However, the needs of these systems could be satisfied by a non-
standard bus interface unit that: 
a) .ad no transmit cpabi1ity, 
b) was able to receive transmissions from many other terminals. 
With some processing capability, the te1eetry or recording 
subsystem could extract the desired information from the stream 
of bus traffic. 
7.2.2.2 Error Control Technique 
Each of the error control co1es discuss .ee in Chapter 5 
was devised to offer the btist aolution to the regiirement g
 of a 
particular cunictjon system and its assumed channel error 
characteristics. The main differnce between the codes was the 
typo of error environment (e.g., random, burst, etc.). Since. 
109 
IUTERMETP CS 04COPPORATED - 30 GREEN sir CAUDATWE. MASSACNMErTS02139 .
 (7)
--
accurate i.nformatjon about the channel error characteristics of 
the Ghuttle data bus is not available, none of the basic channel 
models assumed i.or analysis (e.g., binary symmetric, binary 
erasure, burst) can be chosen with certainty. The anticipated 
noise environment for the Shuttle is such that it is advisable 
to assume a complex burst noise characterjstic,whjch may not be 
amenable to analytical definition. The findings of Chapter 5 
are Summarized here. 
a) Coding techniques which are designed for the control of 
random, incependent errors are not satisfactory for the 
Shuttle bus. These include simple parity, Hamming codes 
and I3CH codes. Fire codes and other burst codes capable 
of protection against burst errors are not satisfactory 
because of the required complexity at BCIJ and terminal, and 
of burdt noise in term o-f---------.--
duration, inten3ity, and spectrum are not known in sufficient 
detail to judge their suitability and effectiveness. 
b) A forward error correcti,n method is considered qurstionabl, 
for the Shuttle data bus error control scheme, primarily 
due to the complexity required to correct two or more e.rors. 
An error detection scheme with recovery by retransmission 
is recommended as the basic control approach. Detection 
and retransmission have been shcwn to be superior to forward 
error correction when independent error rates are low and 
burq t errors are expected. 
C) The two dimensional parity check is Considered a reasonable 
approach for the detection of Shuttle transmission errors. 
The coding of parity is simple and requires no predetrrmjned 
knowledge of message length. It offers a high certainty 
of detection of random errors (the probability of an undetected 
error for an error probability of 10-b is in the order of 
- ]3U färã 4-bytetranarnjssj0)
	 Its major drawback is 
the fairly low efficiency for short transmissions that results 
from the vertical, parity byte: for single byte transfers 
It could fall below 50%. 
Correction by retransmission requires error detection and 
the capthility to request ro-trar.smis g ion at bcth ends of the 
counjcatjon link. In a cond/reuponac environme.t, the 
terminal may not initiate such a request. The need to retransmit 
a messago incorrectly received from the BCU r.
,jst be built into 
the bus control structure. It is recommended that there be Auto-
matic feedba-k from a terminal upon receipt of 41Y BCU command 
of an identifying message (e.g., its address), wnlch would servo 
to indicate that:
110 
rNTEFiE1BmG& !NORPC'ATED • W. PEC) ST qtEr CAM8RIQGL WSSACMUSETTSfe(6I7
SI 
a)	 there was no hardware failure of the path to the termlnal 
b)	 the correct terminal rec...ived the message, 
¶	 c)	 the terminal correctly verified the horizoital and vertical 
parity within the r'essage Aw 
The BCU has, of course, the ability to request retransmission 3 by a terminal of data which the BCtJ found to fail the check for
 parity.	 A "time-out" check 4 n the BCU may suffice to determine 
the non-receipt of an echo. 
S This "address echo" technique can be impleitiented in more	 . than one way:
 
a)	 the transmitted message is held at the terminal until echo 
--_veri fi.ca ti on _isacknQ
	 edged" via a signal
	 r içu, or L-j:. 
b)	 the transmitted message is routed directly to its d(-
	 ation - 
once parity has been verified by the SW without awaiting 
an acknowledgement from the BCTJ. 
A conreivable error that illustrates, the difference between these 
methods is one in which a noise burst changes the address in the
- 
message so that it is received by t
	 wrong terminal.	 For this 
to occur the terminal address must be chaged by noise ;'ithout
 
affecting the two-dimensional parity bits.
	 This requires at 
least four kits clustered at intersecting rows and columns in the --1 data block to be in error.
	 The probability of this is approxi-
	 . mately l/mth . the probability of one error in an rn-byte message,
 i.e. less than lO-.
 
W	 Method (b) above would complete the transaction before the'
 
error had been discovered by a failure of the "echoed* address
 
check back at the BCIJ.
	 In method (a)	 the BCU would not send a
	
•. '	 '• 
èrificatiori o 
theSIU, and the-transaction could-be kil-led. -
	 ----- - 
. 
However, method (a) suffers from some drawbacks: . - t-
.-. 
/	 a)	 it inserts another delay into the transaction,  
b)	 the increasej security may not be necessary for all messages, . . 
C)	 the traffic overhead for a bus trar.s'ctjon is inreased;  
-	
d)	 there is no c'firmation by the UCU that its
	 acknow1edge 
'	 signal was correctly received, or that the trnsactjon
	 as
 
.completed.
- 
kTt	 REE4 STPcZT CAMBPJOGE U$$ACHu$ yS 139 •
 (8171 M-1840 
I
.-	
-	 ;••
t 
- C	
S 
The probability of the kind of failure described 
above is - judged to be too-low ,
 to justify the added complexity and inefficiency of method (a).
	 A single feedback of the terminal address is recoended to validate transmission.
3 
•
For a very small class of messages a .urther increase in the 
security of communication may be 
:-
required.
	 These are the so- •	 called "critjcaj	 Commands, of which amain engine on(off)
	 is 
-If example.	 an this class of command constitutes no more than 5% 
-	 to 10% of all output commands from the computer (which in turn 
are expected tu be only 30% of all bus 
•
communications), then only 2% or so of all bus COmanc
	 are "critical".	 Such	 low a	 probability is considared not tt., justify an increased level of 
•	 •  
error control for general bus communication.
	 This separate class of command should be handled by
j 
•	 -i 
-
redundant, multiple transmissions, which are 
-
initiated by
 the software con3rned with thft critical a e tivitv andinterpreted and acted upönby the specific subs" ten. iardwaro 
•
•	 A final obso . vatjon on the proposed error Zontrol scheme is that verification of tho correct receipt-of data (or comm,and) by 
thE. LRU cannot be achieved by the data bus system itself. Although a command/response system has, by the return of data from the LRU, 
an implicit verification of input requests by the central 
computer, validatjc .n of the receipt of computer data outputs or commands cannot be verified positively Without rnonitoring the status or -	 mode of the LRU subsequent to transmission. 
7.2.3	 Bun Data Structure 
•.
 This Section reviews the size cf the basic wi
	 of data, 
- - the basic command :fort, and the data orginization 
•
•-.•	 -.
t 
-	 - •	
-	 The selection of a word, byto, or bit data organization is . iflj1uCed by several considoration,j 
-aY the standardization of established components (e.g., shift :	 registers, counters, 
• NIl
multiplexers, etc.); 
...	 _
- 
-	
b)	 the-word/byte orgsnizatjoa of meiry in the computer, 
51 - C)	 th. bus message format and data rquiromeas; 
•
- 
d)	 the reuirement for min.Laua overhead,
• 4 
112
1 
'CMWOE. MA
	 •n 11!
S.
The choice of an 8 bit data byte or a 16 bit word organization 
is attractive because of its standardization and availability 
in the industry. Several other organizations (e.g., 10. bit'byte, 
20 bit word) would provide more efficient packing but require 
non-standard sized circuit functions. Most available flight' 
computers have memory 'organizations which are word-oriented. 
They are typically multiples of 8 bit bytes.' The selection of 
a data organization not compatible with the computer memory 
will result in inefficient packing and processing by computer 
and BCU. 
Another impact on the basic data size comes from the different 
scalings and formats of digital data from the various sensors 
in the avionics system, especially if there is an emphasis on 
the use of existing equipment. A byte rather than word organiza-
tion minimizes packing inefficiency. 
7.2.3.2 Command Format 
In Chapter 4 a command format of three 9-bit bytes was 
assumed in the discussion of bus tra:sactions. It is tempting 
to consider the possibility of a 2-byte format for the increase 
in utilization efficiency it offers. Two factors preclude the 
use of a 9-bit byte for a 2 byte command: 
a) the assumption that the Shuttle will require 'more than 128 
addressable terminals, requiring at least' an 8-b1t address; 
b) the necessity for the indication of terminal status as a 
part of the echoed address established in Chapter 4, requiring 
at least 1 bit. 
It is interesting to compare the transmission efficiencies 
of a 3-byte (9-bit byte) versus , a 2-byte '(10 or 11 bit byte) 
command format, if it is assumed that in all cases a standard 
8-bit data byte is retained. The efficiency of a read transaction 
,(see section 4.4) for block lengths of 1, A .  a d 32 bytes is as 
follows:  
Numb	 of
' B:^e 8' 32 
it (3-byte 
command) '47% '	 73% 
10-bit (2-byte
' ' -
-	 '	 -  
 command) 13%	 - 49%	 ' 69% 
•	 11-bit	 (2-byte
-
-	 ' 
•' 
command) '12% 45% '	 63%
Read Transaction'Efficiency 
I ('(%DD	 ATc. • QOfl (D&.i ThCcT . ('A I anr,r,'r-  
It can be seen that for short transactions, involving less than 8 
data bytes, a 10 or 11 bit 2-byte command is more efficient, even 
though the Dyte carries 1 or 2 redundant bits in addition to the data. 
In summary the recommendation is that the basic data size be 
keyed to the word size of the controlling computer. For example 
a 32-bit or 24-bit control computer would dictate an 8-bit data 
byte, whatever the bus command structure. This minimizes main 
storage inefficiencies and reformatting logic in the BCU. The 
command byte structure is not as critical. it depends on the scope 
of the avionics system and on the nature of the majority of bus 
transactions. The marginally superior efficiency of the 10 or 
11-bit byte would not alone justify the use of 'a different size 
command byte. However, the saving in register lengths at the 
terminals, coupled with the possibility of improved security by 
using the spare bits for parity, makes the 2-byte command structure 
with a 10 or 11-bit byte a strong candidate. 
7.2.3.3 Block Size 
The question is whether to provide for transmission 
of a fixed or variable number of data bytes, and if variable, 
should the number be continuously expandable from 1 to n bytes, 
or in steps. A variable data capability incurs a higher command 
word overhead to specify the block size. The choice between a fixed 
or variable length message format depends on the acceptable effi-
ciency of transfer, and on the expected nature of the average 
bus. transaction. The following qualitative observations can 
be made about Shuttle data bus comnu.cations: 
a) control commands, from the computer to a subsystem are probably 
single byte transfers. Howver, only 25% - 30% of all trans-
actions are expected to be like this. The majority of 
transactions will be data acquisition by the computer. 
b) It is the nature of a control computer to handle data in groups 
of functionally related types (e.g. inertial angles, state 
vectors, status measurements, etc.). 
C) Certain subsystems require large amounts of contiguous data

to be transferred (e.g., the cisplay system, telemetry). 
d) At the present stage of Shuttle development the specification 
of an optimum fixed data size cannot be made with any certainty. 
These observations support the premise that a variable data 
length is required. The simpler software and hardware of a fixed 
C k
114: 
INTFRMFTRU INd flIPCIATIfl • 'flfl fQM QT0tr.
. 
.
F 
•	 data format must be traded against the overhead of: 
a) transmitting redundant bits for shorter messages; 
•	
b) structuring a number of transactions to trnsfer messages 
longer than the fixed length. 
There is obviously a need to limit the maximum length of the 
	
• :	 variable message. It is desirable to have a limit on the time 
occupancy of a bus communication to ensure that a sufficient number 
of messages can be sent by the computer each minor cycle, and that 
•	 the response requirements dictated by the higher frequency sampling 
rates can be satisfied. A variable data format with a maximum 
•	 length is recommended for bus data transmission. A 32 byte maximum 
•	 with fixed lengths of 4, 8, 32 bytes seems to be a reasonable 
length. It requires buffering of up to 32 bytes at each terminal, 
•	 •.	 and the order code must contain two more bits to specify the 
•	 fixed lengths. 
7.2.4 Functions of the Terminal 
This section reviews some of the functions that may be 
performed by the bus terminal, and makes recommendation for and 
against the inclusion of various data handling capabilities. 
•	 I
7.2.4.1 Standardization of Terminal 
k
	
	 The basic task is to provide for the tansfer of data and 
commands from the bus to the destined avionics equipment. This 
involves extraction of the data from the bus signa, decoding thc 
function, selecting the appropriate equipment interface, and 
•	 converting and conditioning the digital data to the form (analog, 
	
• .	 serial digital, etc.) specified for that interface. Specification 
of the unit is made difficult by the conflict between standardization 
and flexibility. At this early stage of Shuttle avionics definition 
it is impossible exhaustively to specify the number and range of 
•	 •	 equipment interfaces. It is not possible, therefore, to define 
the optimized set of ccmmon interface requirements to which a 
•	
•	 standard subsystem thterface unit should be designed. Three 
major options face the data .us designer: 
a) maintain standardization by equipping every terminal with the 
capability of servicing the gamut of possible electrical 
signal types; 
b) maintain standardization at the expense of generality by 
providing a restricted set of standard interfaces; 
•	 115 
INTERMETRCS INCOPPOATED . 380 GREEN STREET . CAMBRIDGE. MASSACHUSETTS fl2i% • iR17 RR1QAfl
- 
IX
C)	 provide generality at the expense of standardization by 
custom designing the electronic interface to meet individual 
equipment requirements 
The first option provides complete freedom to the system designer, 
but at prohibitive cost in complexity, power, and size.
	 The 
last allows the same freedom, but the cost is reflected in the 
design, development, production and eventual maintenance of a 
diverse collection of different terminal units.
	 The second 
approach compromises flexibility and complexity in order to 
maintain standardization, and is the one recommended.
	 Interface 
•'
- requirements that fall outside the selected standard set require 
the design of special equipment, to be associated with th 
subsystem.	 For the range of signals to be specified in the 
next section, this situation is expected to arise only rarely.
 
7..2.4.2 
	 Type and Number of Interfaces 
The next question becomes: what shall the set of standard 
•	 •..
.	 interfaces be?
	 Both the diversity and the number of signals is 
important.	 The product of these quantities will be defined as 
the number of channels for which the address in the bus command 
•	 .	
. wrrd must be sized.
	 A nine bit adJress allows up to 512 channels 
to	 'e specified.	 It is considered -that this is more than adequate 
for any single item of equipment, and is in line with the terminal 
address field requirement discussed in Section 7.2.2. 
..
A fixed selection of signal types must include analog, 
.	
. parallel di gital, serial digital and possibly discrete on/off. 
•\	 : The discrete signal is extremely convenient in the control of •	
•.:	 . . electronic equipment, but is awkward to handle in a.byteoriented 
data organization.It is recommended that these signals .
 are 
grouped and read as parallel digital inputs rather than individually 
The setting and resetting of latches or flip-flops required to 
•	 •°
read discrete	 presents a degree of difficulty to the bus command 
structure,	 and	 it is considered best to let the subsystem cope 
with it.
	 The 512 channels must include the ability to specify 
:1	 • •	 the length of the variable block,. and to indicate whether the 
.
•	 data command is for input or output.
	 The 9-bit nhannel addresc 
can be assigned the following fields to realize a fixed standard 
electronic interface capability.
 
116 . 	 • 
INTERMETRICS INCORPORATED
	 380 GREEN STREET	 CAMBRIDGE MASSACHUSETTS 02139
	 (617) 868 1
V 
Number of Bits
	 Function 
1-	 Input or output indication 
2	 Block size 
01	 4 bytes 
•	 10	 8 bytes 
11	 32 bytes 
2	 Signal type 
• 01	 analog 
10	 parallel digital 
-'
11	 serial digital 
4	 Signal address 
• Four signal address bits allow up to 16 signals of each type to 
be addressed.	 This interface specification represents a maximum 
capability.	 Fewer signals can be implemented in a particular 
terminal, as discussed in Section 7.3, or a channel hit can 
be saved if a maximum of 8 signals is adequate. 
7.2.4.3	 Other Functions 
- •. it The basic function of the terp inal is to transfer data and commands to the equipment.
	 Additional capabilities 
-	 :-c have been proposed for the terminal, such as: 
• a)	 checking input signals for out-of-nominal limits; 
•	 b)	 local timing and counting; 
•	 c)	 local data compression; 
d)	 local sequencing of subsystem functions such as built-in 
test equipment. 
• Even though these functions are considered to be valuable, for 
off-loading the central computer's task, and for relieving the 
bus traffic,-it is nevertheless recommended that the basic 
specifications of the data bus and the terminal be devoted to 
the communication function. 
The detailed design of the bus control structure, the 
data format and the organization of the terminal need not exclude 
the eventual incorporation of further capabilitis.
	 Techniques 
for expansion without reworking the whole structure are discussed 
in Section 7.3.6.
117 
INTERMETRICS INCORPORATED
	 380 GREEN STREET •
 CAMBRIDGE, MASSACHUSETTS 02139 .
 (617) 868-1840
/. 
/
7.3 Organization of the Data Bus Terxnnal 
7.3.1 Introduction 
The discussions of Chanters 3, 4, 5, and 6 and the 
preceding sections of this chapter have been concerned with how 
the Shuttle avionics subsystems, the computers, and the data 
bus should be corfigured and controlled. An overall set of 
requirements for the nature of the interface between a subsystem 
and the data bus have been generated. It is the objective of 
this section to conduct a more detailed examination of the charac-
t-.eristics of this interface and to make specific ..ecommendations 
for th' interface unit. 
7.3.2 Functions of the Bus Terminal 
The functions of this interface are determined by: 
a) The basic bus design and bus control philosophy; 
b) The generalized subsystem (or LRTJ) interface requirement; 
c) The degree of decentralization of the avionics functions 
(e.g., how much failure detection, local processing, 
etc. is done locally rather than by the central computer). 
The first and second categories determine the nature of the 
interface with the bus and the LRU respectively. The third 
• category cannot be defined with much certainty at this stage 
of Shuttle development. The addition of capabilities beyond 
those required for communication over the bus is described in 
J. Section 7.3.6. 
7.3.2.1 Functions of the Bus Interface 
Physically this interface consists of a single data 
path for each bus line. Electrial1y, it may be a coaxial or 
a balanced shielded line terminated in its characteristic 
impedance. Functionally, it performs the following basic tasks. 
First, those associated with the receive mode: 
a) Coupling of the interface unit to the bus line. 
b) Detection, demodulation of the incoming signal, and 
•	 conditioning to standard logic levels. 
C) Identification of the synchronization signai which 
indicates that a message is about to begin. 
•	 118 
rf INTERMETRICS INCORPORATED 380 GREEN STREET S CAMBRIDGE, MASSACHUSETTS 02139- (617) 868-1840
.7
._
*..'.	 .'	
•'.-.-•-	 :.'-'-A-•	 . ,..	 -'
d) Derivation of clock signal if' inherent in the data,-o'.' 
synchroni: tion of a separately derived or received' clock 
with the incoming data.'
 
e) Decoding of address by' "anding" with a wired-in pattern 
to determine if terminal is the ,
 intended. recipient of the 
message.	 .	 .	 .	 .	 . 
f) Determination of the active bus line. This sets an 
internal flag to indicate on which line to respond. 
The operations that follow this point in the receive 
sequence involve the manipulation of the data rather than its 
reception. They are: 
g) Acceptance of the message, byte-by-byte. 
h) Decoding of the message into function codes, channel 
addresses and data. 
i) Determination of correct parity in the received data. 
From this point the receiver functions of the interface unit 
are determined more by the subsystem and operational require-
ments. For the recommended Command/Response addressing tech-
nique, the basic bus trari"smitter functions are: 
j)' Coupling to the lines.'
 
k) Modulation of the active line. 
1), Transmission of beginning-of-message sync pulse, if 
required.	 . 
m) Transmission of wired-in address, if correct receipt 
of the incoming message has been established. 
n) Transmission of the terminal status bit(s) (e.g. EP1/ 
LRUbusy).
 
o) Transmission of all data bytes, as determined by the 
function code.
 
p) Generation of horizontal parity on-every byte, and 
vertical parity on data blocks.
 
q) Transmission of an end-of-message sync, if required. 
The above receive and transmit functions are provided by 
the basic control elements depicted in Figure 7.1, which 
purposely does not show all logical interconnections. 
119 
INTERMETRICS INCORPORATED 380 GREEN STREET . CAMBRIDGE, MASSACHUSETTS 02139 (617) 868-1840 
I -
•_,. : 
H [I1i 
LLI 
o
_ 
LU 
.fl
LU 
0
bc
_ 
CC UJ
ci
4J 
II
w
"-I L!!_J L.!JJ 
•: rtLsa.r1LLtJ LU C3 V 
uj
LU 
us
120
;••
7.3.2.2 Functions of the Subsystem Interface (EIU) 
In Chapter 4 and Section 7.2, the requirements of 
the electronic subsystem interface were analyzed and estimated. 
Taking the recommendations of Section 7.2, the electronic 
interface Consists of the following signals: 
a) 16 analog input 
b) 16 analog output 
C) 16 parallel digital input 
d) 16 parallel digital output 
e) 16 serial digital input 
1) 16 seri.l parallel output 
g) 4 digital address lines 
h) 1 LRU status signal 
This interface capability is illustrated in Fig. 7.2, which 
also points out the elements of an interface controller necessary 
to allow these interfaces to be operated by a bus interface 
unit. (Again, the diagram is not intended to define all the 
logic, only the basic functions.) In the simple command/response 
control philosophy that has been recommended the interfaces 
are addressed serially; i.e., not more than one input or output 
channel of any one signal type can be active at a time. This 
allows a simplification of the addressing and control logic 
and a reduction in the number of interface connections. For 
example, one set of 4 digital address lines will suffice to 
select any of the 64 digital channels. The analog output could 
probably be multiplexed on t.nc line by using the address lines 
to indicate its destination. The individual signal interface 
types can be made modularly expandable to the maximum of 16 
allowed by a fixed distribution of 512 ch..nnels, without chang-
ing the basic control structure, by plug-in cards or by custom-
ized LSI chip assembly. This allows the LRU interface unit to 
be matched to the requirements of a specific LRT3 electronic 
design without incurring an inordinate component redundancy, 
or power dissipation from unused circuitry within the EIU. The 
software that communicates with the subsystem must, however, be 
made aware that the EIU interface has been thus restricted. 
An "invalid channel address" signal would probably be justified 
to warn of the erroneous addressing of functions that had not 
been implemented in a particular EIU. 
An important function of the EIU poltion of the interface 
unit is to provide sufficient bufferirg to hold the maximum 
121 
I	 INTERMETRICS INCORPORATED • 380 GREEN STREET . CAMBRIDGE, MASSACHUSETTS (2139 •
 (617) 868-1840
4-
C3(•, 
LU 
cc	 C6 
- - - ,JCONT. LOC.0 
ENABLE	 . FUNCTION].- — 
CONTROLLER .	 - - -	 i ODR 
BUSY  
CHANNEL ADDRESS
_J••1GIC 
-ATA IN
PARITY INPUT REGISTER	 .
-_5 CONT 7G PARITV	 -- 0 
cc 
uJ 
-J 
0 
-J 
(C 
'.1W
IANALOG.

INPUT 
LRU 
STATUS 
FT-PARALLEL 
DIGITAL 
INPUT 
DATA BUFFER
0	
- - L I.IODRESSE 
LOGIC
DATA 
OUT
PARITY OUTPUT REGI FR
	 GENERATOR
MNT
- 
UA Lip-
DIGITAL 
ADDRESS 
PARALLEL 
• DIGITAL 
• OUTPUT 
• — M ANALOG _______
E : OUTPUT 
 
_Jcoi 
. LOGIC•
- . .	 . .	
. __ _____________ DIGITAL 
• .	 0	 ••	
0	 • 	 . 	 •0 • —
HIFT AEGIST
— INPUT 
7
HIFT REGISTER = OUTPUT 
Figure 7.2
	 Electronic interface functions 
•0
O
- 
0 
____-
122
block size of 256 bits suggested in ectior. 7.2 until the 
vertical parity bit has been received at the tt.rminal. During 
the subsequent transmission of the block to the LRU the EIU 
"busy" signal is set.
	 See Section 4.4 for details.) 
7.3.3 Interfacing the LRU to the Bus 
The problem of interfacing a quad-redundant bus with a 
subsystem of arbitrary redundancy was discussed in Chapter 3. 
This area will now be r'-examined in the light of the dntailad 
analyses of the bus system function offered in Chapters 4, 5, 
and 6, and the previous jectioas of this chapter. The problems 
are conveniently illustrated by the case of a triply-redundant 
subsystem. Ignoring the fairly unattractive case of cross-
strapping the 50-100 wires at each LRLJ interface, there are 
two basic approaches. 
7.3.3.1 Cross-strapping between SIt) and EIU (Figure 7.) 
This is the case of the physically separate and remote 
Elti discussed as Configuration 7 in Section 3.3.2. Each SIt) 
must provide a path to several EIU's, to a maximum determined 
by system considerations. (Scme current designs propose an 
EIU fan-out capability of eight.) 
U 
S
Since the EIU in this configuration is a separate physical 
unit, geographically located with the LRU rather than the bus, 
its connection with the SIt) constitutes at least the five 
signals indicated, namely: 
a)	 Input data
 
b)	 Output data 3: 
c)	 Enable
S 
d).	 Parity check Ok	 .	 . 
e)	 Status	 (busy) 
In the example considered here, at least 15 wires per 
SIt), or a to..al of 60 wires for the complete SIU/EIU interface 
are necessary.	 However, since the utilization of the EIU inter.-
faces, and therefore the EIU's themselves, can be sequential, 
only one siu to EIU path is active at any one instant.	 The
	 . I 
60 wires could be arranged into a 15-wire bus, or they could 
all be multiplexed into one 5-wire channel to minimize physical 
-.	 123-
!NTERMETRICS INCORPORATED . 380 GREEN STREET
	 CAMBRIDGE. MASSACHUSETTS 32133 .
 (617) 868-1640
BUS LINE	 NO. 1
1 WIRE 
5 WIRES 
N WIRES
LIJi 
.
.0•	
. 
.:nez-i:rs.z w.
 ve rthis 
..:rv. 
a Z Z	 c's,	 r:r:nc	 ass.:, 
e:n	 es. 
7.3.3.2	 C: -is s-s:rarinc 	 eween S us and 
the EIU were not a se arate
	 and if "ach Efl 
were a
	 ciated with only
 one SIT..,	 the local	 ition
 
would be eiiinated.	 There would be fewer s i ft recisters .ind 
less	 aritv loic since only
 the bus	 nicaion ohannol 
need be verified in a con.bjned Slu/Elu. 
This	 approach was described as Con:Ticu:-atic'n6
	 in section 
3.3.2.	 The major disadvar.taes were identi±ied as 
a)	 The Slu constitutes a sincle point f,ii1ure for the bus, 
• since it connects to all lines. 
b)	 Four bus connections are required for each redundant 
LRU	 (total lin.9	 i2 in the chosen exarple). 
The first of these objections could be answered by providin 
• a separate Sill for each bus line, and coinbinin
	 the outputs	 f 
4 SIU's into a common summing point at the input of an 
(See Figure 7.4).
	 The justification for this approach would 
be: 
a)	 Since the SIU is dedicated to one EIU it requires less 
addrssing capability, and can therefore be a much simpler 
device. 
-	
. b)	 The SIU to EIU connection could consist of less than the 
5 wires previously defined. 
It is unlikely, however, that the SU/EIU interfaces can 
be less than 2 or 3 wires
	 (input, cut.put, and control).
	 When 
summed into a single connection, this still results in a total 
of 5 to 10 wires for the three SIU/DITI interfaces in this 
example.	 The approach requires a total of 12 'T"s rdther 
than 4, and the total number of connecticis t
	 the bus is still 
12.	 In summary, the separation of Sill and EITJ does not seem 
to offer a solution to the cross-connection prcilem.
125 
INTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139 (6171 868-1840 
uJ 
cla 
z —
ro 
(I, 
4-) 
to 
0. 
--1 
4.) 
0::) 
OW 
04-) 
0Q1 
IW 
un 
N 
W 
'-I 
.-' 
U, 
LU
LI, 
LI	 U.) 
EE 
—. CN z 
126
	
I
7 .3 .4	 Recommended Bus/SIU/EIU Configuration 
The SIU could be combined with the EIU if büstermirátion 
and fan-out were considered as a problem outside .of the SIU. 
A line coupling unit could provide this function,. and its use.is
 
.	 illustrated in Figure 7.5.	 A line coupler	 (LC)	 is considered 
a part of each bus linea
	 It is basically a receiver-transmitter, 
i.e., a line repeater, which in a real implementation of a 
data bus in the Shuttle may be required in any case for the 
reasons of attenuation, pulse delays, reflections, etc. discussed 
in Chapter 6.
	 Each LC provides a local fan-out of the bus to S. J	 a number of SIU's.	 From the point of view of the bus a LC is identical to a single SIU connection, both electrically and in 
terms of vulnerability to failure.
	 To an SIU each fan-out has 
the characteristics of a bus connection. 
The resulting combined SIU/EIU unit made possible by this 
concept results in the simplest approach to matching redundant 
subystemsto the bus.
	 It scores because it minimizes the 
following: 
*	 :.	 a)	 The number of physical interconnections. 
b)	 The complexity of the SIU and EIU. 
C)	 The total number of SIUs and EIUs. 
The disadvantages of the combined SIU/EIU configuration that 
were identified in Section 3.3.2 may be re-evaluated for the 
S
line coupler approach as follows: 
a)	 Only one EIU may be interfaced via an SIU.
	 Since the 
•	
.	 combined SIU/EIU is not much more complex than the EIU 
itself, additional EIU capabilities can be provided by 
interfacing another SIU/Elu via the line couplers to the 
bus. 
b)	 The ccbined SIU/EIU is required to interface every LRU 
function.	 The question here is 1
 can an LRU be interfaced 
•	 directly to the SIU.	 If not, an EIU of some minimal 
complexity is required. 	 (The modularly expandable EIU 
design approach of Section 7.32 can assure minimal cOmplex-
ity.) 
'c)	 Only one bus line at a t	 .e .;an be used for communication 
•	 on the data bus.	 Although this objection can be levelled 
against other bus interfacing configurations that use a 
simple addressing technique, it seems an obvious limitatiofl 
for this SIU design. 	 It is discussed in the next sections. 
127.	 •• 
INTERMETRICS INCORPORATED . 380 GREEN STREET . CAMBRIDGE, MASSACHUSETTS 02139 . (617) 868-1840
BUS LINE 
NO. 1 
NO.2 
NO.3 
NO.4
VI RE 
I WIRE 
N WIRES 
.1
Figure 7.5 Cross connection at bus via line couplers 
128
d) Each SIU, being interfaced to all four ius lines, consti-
tutes a single point failure for the whole bus system for 
signal failures such as: 
1) Continuous low level' 
2) Continuous high level 
3) Uncontrolled transmission of ameaningless signal 
•	 4) Intermittent or noisy signal levels. 
These would be faithfully communicated on all the bus lines 
by the purposely passive line coupling units. This subject is 
also discussed in .the next section. 
7.3.5 Recommended Bus/SIU Interface Design 
Although possessing the outstanding advantages of minimal 
interconnection complexity, the chosen Slu/EIU configuration 
appears to suffer from a vulnerability to common noise and failure 
modes: 
a) If all bus lines are simply 'OR'-ed into each SIU, the 
presence of noise or erroneous signals on one bus line may 
prevent the signal-carrying line from being properly read 
by the terminal. 
b) A noisy Slu could transmit garbage indiscriminat.ly 
on all lines, destroying the operation of the bus. 
c) A short circuit or continuous high level common to all 
the terminals of one SIU could prevent the line couplers 
from responding to any input or output signals, effectively 
shutting off the whole station, and perhaps destroying 
bus operation. 
These deficiencies can be remedied by careful specification 
of the line coupling unit and the SIU input channels. 
7.3.5.1 SIU Input Channel Specification 
It is apparent that a simple input OR-ing of the bus 
lines is not an adequate approach. Each bus termination at 
the SIU must be able independently to perform the following 
functions; 
a) Coupling and line termination 
129 
INTERMETRICS INCORPORATED . 380 GREEN STREET . CAMBRIDGE. MASSACHUSETTS 02139 •
 (617) 868.1840
b) Modulation and demoth.lat on 
C) Detection of sync signal 
d) Address verification 
e) Bus line usage indication
	 (and latch) 
For each SIU these functions must be repeated four times, once 
per bus line.	 Further security can be achieved by aeparatinq 
the circuitry, electrically and physically, by individual power 
buses and individual packaging.
	 The other :unctions of the 
SIU/Elu defined in previous sections are not duplicated.
	 Each 
SIU bus interface element feeds into, and is fad by, a common 
poir.:- in the unit, beyond which only s i mp le redunthancy is 
employed.	 Figure 7.6 illustrates these details.
	 Too reasons 
for the input duplication are the following: 
a) Theseparate line terminations prevent common connector and 
input circuit problems from affecting all bus lines. 
b) Providing separate sync and address verification on each 
bus line prevents a noisy line from affecting the signal line.	
Incoming noise must pass the sync test and address 
comparison before it reaches the point where it merges 
with valid signal.
	 The likelihood of this occurring with 
• random noise is remote. 
• c) Placing the bus usage indicator after the address compara-
tor prevents the latch from being-set by noise.
	 It also 
enables a future extension of the data bus capabilities 
to simultaneous use of more than one line by more than 
oneSlU. 
• d) Transmission from the EItJ onto the bus must pass the 
usage latch test before being passed to the line drivers. 
Since only one latch may be set at any time, this prevents 
a "berserk" EIU from "drowning" all lines with garbage. 
e) To further minimize the possibility of noise from being 
transmitted onto any line by the SIU, the inactive bus 
transmitting circuits in each SIU may be powered off 
by the usage latch condition.. 
7.3.5.2	 Line Coupler Sec'i1ication 
The line coupler's primary functions are 
...t ,_._	 a.__	 _____.z__ -D4L .LJ.Bt LeLiL.ndtion;
130 
:-	 INTERMETRICS INCORPORED 380 GREEN STREET • CAMBRIDGE, MASSACHUSETTS 02139 (617) 068-140 
N.'..
HER SIU AT 
TATION 
MAIN BUS LINE NO. 1 
.
r
DEMOD/MOD
II 
SYNC 
(JET/TRANS 
ADDRESS 
VERIFY/ECHO 
LATCH 
RECV/TRANS 
11 FUNCTION DECODE 
2) PARITY CHECK/GENERATOH 
3) CHANNEL SELECT 
4) LRU INTERFACE CONTROL
L 6RU 
Figure 7.6 Recommended Slu/EIU terminal organzatio 
131 
b) Signal sensing, amplification, conditioning, and 
retransmission. 
c) Fan-out and fan-in. 
Its electrical design can aid the security of the system by 
providing some discrimination to noise as follows: 
a) The susceptibility of the bus system to continuous 
high or low level signal levels, produced by short-
circuits to ground or to DC supp.iy lines, can be lessened 
by AC coupling techniques (see Chapter 6). This factor 
favors the use of modulation t€ hniques that have no DC 
requirement. 
b) Signal discrimination is possible in each line coupler 
receiver. Input circuits can be sophisticated to reject 
signals whose characteristics differ from the chosen 
modulation scheme (e.g. discrimination against pulses 
whose durations fall outside the nominal spread of the 
expected data pulse). 
7.3.5.3 Summary 
The combined Slu/Elu organization of Figure 7.6 
is the recommended design for the Shuttle data bus standard 
interface unit. In conjunction with the proosed line coupler 
elements it demonstrates a minimal interconnection complexity, 
yet retains a simple addressing and control policy. The 
suggested organiza i
-ion offers considerable security to insidious 
hardware and signal failures. Its complexity lies between that 
of the single combined SIU/EIU and that of the C1U with four 
physically separate SIUs. The approach scores over the confi-
guration described in 7.3.3.1, because it eliminates the 
necessity for a multiplexed SIU to EIU interface. 
7.3.6 Expansion of SIU/Elu Capabilities 
The capability of the standard terminal can be increased 
by the incorporation of a small control memory and associated 
sequencing logic. Such a terminal would possess considerable 
"intelligence", i.e., be capable of making and acting on local 
decisions, which is not allowed in a command/response control 
structu.c. However, the provision of the "terminal busy" indi-
cation as part of the echoed address (see Section 7.2) opens 
/ /
I.	 132 
NTERMETRCS INCORPORATED 380 GREEN STREET . CAMBRIDGE, MASSACHUSETTS 02139 . (617) 868-184
NF 
-	 .:Y.-	 :- .	
-	 .	 --	 -.	 :... ..	 -	 -.-	 .	
•...-
the possibiltty of this more sophisticated ype of terminal 
operation without violating any control ground rules. For 
example, ever if a terminal is initiated into a lengthy sequence 
of operation;, during which time many bus transactions-are 
possible, the busy signal will prevent unintended transactions 
from interferring with the sequence. The terminal would 
operate in a similar. manner to block transfers (see Section. 7.2). 
Two concessions to the command/response access control must 
be made:	 . 
a) terminal sequences may only be initiated by the computer; 
b) no terminal may initiate bus activity unless commanded 
to by the computer. 
A suggested mechanism for this expansion is to treat part of the 
9-bit channel address field as the address of locations in a 
read-only control memory which stores the special sequences. 
If the sequences are themselves stored as a microprogram, then 
the basic terminal can remain standardized, provided that a 
standard (but diminished) set cf electronic interfaces is 
also a part of the design. Such an ex?anded. terminal would 
be able to provide the further functions outlined in 
Section 7.2.
	 .	 .	 . 
133	 .. 
INTERMETRICS INCORPORATED . 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139 (617) 858-1840
•	 . •-•	 ••	 .>	 . 
PRECEDING PAG2 BLANK NOT FILMED 
Appendix A 
Discussion of the Effects of Cross-strapping 
This section discusses the effects of cross-strapping bus 
elements connected in series. The purpose is to evaluate when 
cross-strapping is desirable or undesirable and to determine 
the associated gains or losses in reliability resulting from 
cross-strapping. 
Consider the two simple configurations illustrated in 
Figure A-i. In either configuration A or B the system requir2s 
that one S and one L unit are operating for the system to operate. 
B is cross-strapped, i.e., each S unit is interconnected to 
each L. Let PS be the probability of failure of the S unit, 
and PL that of the L unit. Then let 
-x t 
ps=i_eS 
-A L t 
= 1 - e  
•	 j
where As and AL are the failure rates for units S and L 
respectively. If the bus to which the S units are connected 
is assumed infinitely reliable, its effect can be ignored in 
the following calculations. 
The probability of failure of configuration A is given by: 
P(A)	 P(S1 or L1 ) P(S 2
 or L2) 
Since one S unit and one L unit are required for operation, this 
results in
P(A) =+ L + 2 
P L - 2 PS L - 2 SL + S2 L2 
The probability of failure of configuration B, again assuming 
that one S and one L are required to operate, is given by: 
P(B) = P(S 1
 and S 2 ) -'- P(L1and L2) - P(S 1
 and S 2 ) P(L1
 and L2) 
•	 135 
INTERMETRICS INCORPORATED . 380 GREEN STREET . CAMBRIDGE. MASSACHUSETTS 02139
.
 (617) 8681840
CONFIGIIRA TION A 	 CONFIGIMA TION 8 BUS	 BUS Si [ S2 	 MS2
 
Figure A.I. Simple and cross connected configurations 
136 INTERMETAICS INCORPORATED 380 GREEN STREET S 5.MBRtDGE, MASSACHUSETTS 02139 .
 (617) 868-1340
or	 P(S)	
=+	 L 2
 -	 S 2	 L 
Hcwever, the additional complexity of i.he S and L units in 
configuration B to provide cross-strapping will result in increased 
failure rates.
	 Therefore let: 
Ps (B )	 = Ps(A)	 + 
PL(B)	
= PL(A)	 + 
The gain or loss incurred by cross-strapping can be gauged by 
defining a figure of merit: 
FOL	 P(A) -	 P(B) 
In order to simplify the number of variables the following 
definitions and assum ptions are made: 
a)	 Let P	 = K PS F
 
i.e., let unit L be K times as likely to 
fail in a given inte':val as unit S. 
b)	 Let.X5 (B)	 XS (A)+ 
AL (B ) =	 L (A) + 6X  
and furthermore let 
• .	 6AS_6AL	
. 
from which it can be shown that 
6SPS_6PL 
C)	 Let	 tSP	 = F PS
	
where F is the fraction. 1
.
 increase in un-
reliability due to interconnection. 
a)	 Finally, since: 
P,(13)	 = P.(l	 + F)
.1 
PL (B) = 	 + F), 
FOM can be expressed as a function of P S , F, and K. 
137	 .
INTERMETRICS INCORPORATED . 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139 •
 (6171 868-1840 
or	 FOM = P(A) [Pg,K] 
P(B) [Ps,F,K] 
FOM is plotted against K for various values of F in 
Figures A-2 through A-4, for failure probabilities P
= 10 104,and 108. 
The principal result is that the maximum gain in total 
reliability of configuration B over configuration A occurs when 
the probabilities of failure of the two units are equal, 
i.e., K = 1, and when the reliability of the added inter- 
connection is good, i.e., F = 0. 
138 
iNTERMETRICS INCORPORATED 380.GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139 . (617 Rfi-1R4n
CD
0 
'-4 
0
U) 
4 
- 0 
LU
- 
I-
0 -
- 
LU - 
.0 
• U_ 
-
uj 
I.-
a) 
—I 
ui 
cm 
U) 
C)
a) 
0• 
Ln 
LL.	 ci 
11	 C.2 
it
LL CD
U 
LL 
0 0 
(.•4	 . .••; 
0 
U-
•	
-: -.-	 •	 139	 • :
Jo
I 
140
F 
Lill cz
LL CD 
n	 cm 
11	 LO 
Cl 
a	 cm
CD
-4 
0
a) :•4-
.1J 0 — 
a) 
- 5 
'-1
•1-) 
41 
ri 0 
4-) 
ii. 
a) 
•tJ' 
--4 
U) •	 - 
1-i 
o_.
ci 
CD 
0 
U-
II
-J 
CD 
CD
I-
w 
0 
w 
LA-
-J 
-j 
w 
LU 
CD 
LU 
CD 
CD
> 
I-
I 
0 
II 
U) 
0 
4-4 
U) 
a, 
4.1 
0 
a, 
ru 
--I 
1
• 1	 .'	
•,. 
•	 -
PRkXE.)LNG PAGE BLANK NOT FILJ,iEL) 
Appendix B 
Analysis of a Typical Avionics Subsystem 
B.l Introduction 
No specific items of Shuttle avionIcs equipment have been 
defined to date. The design of a data bus interface unit is, 
however, dependent on the specific requirements of the various 
interfaces. In order to provide a basis for a general evaluation 
of design criteria, some assumptions of interface characteristics 
were made in the body of this report. The following provides 
a description of the Distance Measuring Equipment (DME) produced 
by the Cubic Corporation as CR-100. Although it is not intended 
to suggest that this particular unit should be specified for 
the Shuttle, it is considered to be representative of the types 
of probleis that will be encountered in all data bus interfaces. 
No attempt has been made to optimize thE interface to the CR-100. 
Instead, the interface of one version of the prototype is taken 
as a given constraint, as if the system were purchased "off 
the shelf". 
The system operates as follows. A phase modulated signal is 
transmitted by an interrogator in the vehicle along with an 
identification code to designate which of a number of transponders 
located at known points is to reply. All transponders within 
range of the interrogator are listening, and if the designated 
transponder is within range, it retransmits the modulation from 
the received signal back to the interrogator on a different 
carrier frequency. The interrogator receives this signal, 
recovers the modulation, and compares it with that transmitted. 
The time delay between the transmitted and the received modula-
tion, multiplied by the speed of light, is twice the distance' 
to the transponder.
143 
INTERMETRICS INCORPORATED .
 380 GREEN STREET CAPBRIDGE, MASSACHUSETTS 02135 (617) 868-1840
• -• 
B.2 Operation 
•
	
	 All moding and timing is controlled external to the CR-lOO. 
The required sequence of control commands is as follows. Assuming 
•	 that the interrogator is already powered up, the DME must first 
•	 receive the ID of the desired transponder, and then be given a 
mode command to begin the interrogation. A mode command consists 
of a 5 bit parallel input which must be held for the duration 
of the mode. 
The mode must be maintained for at least the round trip 
transmission time (1 mile = 11 microsec) plus 50 millisec 
for the circuits in the transponder and interrogator to lock 
onto the signals. After this time has elapsed, the DME can 
be commanded to terminate the measurement. The time at which 
the command is received will be important, since it determines 
the time for which the measurement is valid. 
The output data becomes available about 0.5 millisec 
after the command to terminate the measurement is received by 
the interrogator. The data consists of five 11-bit words, four 
of which i:epresent the range, and the fifth is a data quality 
word whose bits ix1icate whether or not the various parts of 
the DME functioned properly. These five words are read out of 
the DME one at a time by sending a unique mode command for 
each word. The readout requires about 100 microsec per word. 
Another -iersion of the CR-100 has the capability of also 
measuring range rate, or more precisely, the change in range 
over a known time interval. 	 This measurement is made by 
the cycles of doppler shift of the carrier during a 
•
counting 
4 knoun time period.	 It requires a slightly different timing 
sequence.	 In ..nis case, the equipment supplying the mode 
commands must wait at least 100 millisec after the command 
to start transmission, and then issue a command to begin the 
range-rate measurement.	 It must then wait another period, 
typically of th	 order of 900 millisec, before commanding 
the termination of the range-rate measurement.
	 The accurac.es 
of the measurements are of the order of 30 cm for absolute 
range and 1 cm for changes in range.
	 The output data is in 
the form of seven 11-bit words which are read out of the DME 
in the manner described earlier.
	 The timing requirements are 
• illustrated in Figures 3.1 and B.2.
144 
INTERMETRICS INCORPQFTED 380 GREEN STREET CAMBR;DGE, MASSACHUSETTS 02139 .
 (617) 868-1840 
s-I 
fn 
a) 
C) 
a) 
a) 
s-I 
s-i 
0 
(34 
C) 
0 
C) 
U) 
—I 
0 
5-i 
4-I 
r. 
0 
U 
'—I 
C) 
$-I 
0-I 
4 
.1
LL 
cm 
Ln
L&J go 
13, CA
>) 0  U. 0! 
(U, UI 0 a: 0 0 — < 
r:j 
LU :E ME 0 0 z ca o cc C3 co 
U
145
HE 
F 
It, 
I, 
A
UI 
I.-
1)
 LU
 LLUU
t 
U. 
CD 
 
CD I	 u. 
cn 
r) 
A T	
—u, 
0
LSJ 
cr CO 
cc 
Ir 
CD 
cc 
wLU 
I-
z 
0 
"0 
0 
0 U) CC 
0. Z 
CC 
0 
w 
I-
S..
I-
U Z 
>w 
LU 
El 
	
u,	 U 
ac 
- r 
I 0z 
I -< 
,. 
	
-S	 0 
_•z
U)UJ 
LU 
-
U) 
ui 
C' 
z 
cc 
1
[[C 
L 
[[ 
[	
[C 
•	 •(	
-	
C 
•	 E 8
ci	 C 
C^ 
• •	
_;•	 U)
It	 ca	 n	 40 
u . 44	 6 44	 z 30	 00— kc 
at 
cc
En	 CA 
h
•	 146 
-	 •--,	 •
•	 B.3 Control Requirements 
A number of functions must be provided externally in order 
for the DME to operai. properly. For the inputs, both the 
mode commands and the transponder address must be applied to 
the DME in parallel, and held for the duration of the mode 
and the transmission cycle respectively. The mode command is 
a five bit word and the transponder address is eight bits. 
The timing accuracies required for the application of the 
mode commands must be considered. Tor the range measurement, 
the effective time of the measurement is a rectangularly 
distributed random variable, having a distribution of 0.5. 
milliseconds, immediately following the start of the mode 
command to terminate the measurement. If the system application 
• •
	 requires it, a simple change to the interrogator can reduce 
the width of this distribution to a few microseconds. In 
any case, for a veh.icletravellinyat orbital velocity of 
22,000 ft. per second, an error in timing of 1 millisecond 
can introduce an error of up to 22 feet (depending on the 
angle between the velocity vector and the direction of the 
transponder). 
For the delta range system, the timing between the start 
and end of the delta range measurement is critical. An error 
Of 0.9 millisec in a normal 900 millisec measurement will 
introduce an 0.1% error into any velocity determination that 
is derived from the delta range data. 
In order to obtain the output data from the DME, a different 
mode command must be used for each of the five or seven data 
words. The data words become available as parallel 1-1-bit 
words 100 microsec after the appropriate mode command is 
applied. 
The source of mode control commands will also be required 
to generate a blanking input to the interrogator. This is a 
1 microsec pulse occurring each time the mode input changes 
prevent the interrogator from trying to interpret the mode 
input while it is changing. Most of the information reliability 
determination and failure analysis is in the data quality word 
which accompanies the data. This word contains bits which 
indicate that a return signai was received from the transponder, 
that the various phase locked loops achieved lock and remained 
in lock during the measurement, and so on. In addition to this 
word, it might be desirable to arrange for about four discrete 
outputs from the DME to indicate that various parts of the 
equipment are active, and a few analog voltages to allow 
measurement of such quantities as transmitter input and output 
power and received signal strength. These measurements, if 
taken during the right portion of the measurement cycle, could 
provide useful. data for checkout, failure monitoring and 
telemetry.
147 
INTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE. MASSACHUSETTS 02139 (17) 368-1840
• Description Type
• 
Level
Number. of 
Pins	 •'' Comments 
Inputs mode 
control
5 hit 
parallel
DTL. 
compatible
 
5 + ground severe tim 
constraint 
for some 
mode 
blanking 1 bit DTL 
compatible
1 + ground' 1 usec pul 
transmission 
address
8 bit 
, parallel
DTL 
compatible
8 + ground 
•	 :
must be he 
during tra. 
mitting 
modes 
power on discrete close 28V 1 + ground 
relay coil 
- to ground 
Outputs range data (4) 
data	 ' 11 bit 
parallel '
, data word 
compatible 11 + ground
appears on 
output linf 
100	 isec 
 after cor-
delta 
range data
(2) 
11 bit 
parallel
'	
'
responding 
mode commai 
is receive 
data 
quality
(1) 
11 bit
 
parallel 
discrete estimated not 4 + grrund 
test	 ' 
points  
4 points available 'for failur 
analysis, 
check out 
and telemel analog	 ' 
test'
estimated 
4 signals
not 
available
, 4 + ground 
points .'i 
•	 4
Tablc B • ]. List,of DME Interface Signals 
J.
INTERMETRICS INCORPORATED .
 380 GREEN STREET .
 CAMBRIDGE MASSACHUSTtTS 02139 . (617) 868-1641 
Appendix C 
Shuttle Software Structure and Organization 
C.l Intrcc.iuctjon 
The successful implementation of a time-shared data bus 
Z the Shuttle will depend to a large extent not only on the 
capabilities of the bus system, but its ability to be coordinated 
with, and effectively used by the computer. An evaluation of 
the organization and design of the software was not an integral 
part of this study. However, this appendix has been included 
to overview and comment on the software concepts under considera-
tion for application in the Shuttle. It presents a aeneral 
description of the synchronous and asynchronous software control 
structures, a discussion of I/O operations with each, and 
identifies their resoctiv 	 irR -- - - --
	
advantages
--
  	 CO 
C.2 Overview of Shuttle Software 
The total onboard system has been estimated at approximately 
50,000 32-bit words of operating memory, requiring an estimated 
speed of 200,000 equivalent cdd operations per second. For 
purposes of this discussion the onboard software may be broadly 
• classified into two areas: the executive and a set of functional 
program modules. The executive and supervisory software comprise 
the following functions: 
a) program control (scheduling and dispatching, sequencing 
control), 
b) interrupt supervisor, 
c) system subroutines and services, 
d) hardware configuration management, 
L
149
INTERMETRICS INCORPORA TED 380 GREEN STREET .
 CAMBRIDGE, MASSACHUSETTS 02139 .
 (617) 858-1840
e)	 common executive data tables, 
f)	 error d2tectlon and recovery routines, 
g)	 memory resource management, 
h)	 system monitoring. 
The functional software is under control of the executive 
and supports the phases of the nominal mission:
	 preflight, 
• boost, insertion, orbital operations, coast- and powered-flight, 
rendezvous, docking, undocking, entry, and landing.
	 The 
functional areas comprise the following: 
a)	 stabilization and flight control, 
b)	 guidance, 
c)	 powered and unpowered navigation, 
rM
d)	 targeting, 
• e)	 displays and controls, 
if)	 onboard checkout and fault isolation, 
cj)	 subsystem management. 
.
Ideally, the onboard software and its executive should be 
7 esignea in a way which is not only tailored to meet the 
operational requirements of the Shuttle, but is structured to 
enhance its reliability and ability to adjust to changing needs. 
The computational environment of the Shuttle will include 
three types of jobs:. 
•a)	 Cyclic tasks.	 Those tasks which are performed on a 
regular periodir basis, such as guidance, navigation, 
telemetry, etc. 
b)	 Demand tasks	 ¶.. ese tasks are typically functions which 
must be performed at a certain time or at the occurrence 
of a certain event; examples include stabilization and 
control, turning off jets, etc. 
c)	 Response/request tasks.
	 These are tasks which are performed 
•
•	 in response to a pre-selected mode such as the rendezvous 
,IF'	 *IIfO#%DATr'. -
	 #'AI I	 I#'f	 Ii	 i-...	 -.	 - -
•	 mission mode. Generally these tasks are major sequences 
of functions initiated throughout the mission by the crew. 
An important factor impacting the choice of software organiza-
tion and control is the level to which the crew will be capable 
of requesting jobs or major mission modes. If a crew member is 
allowed interactive communications with the computer, then the 
job stream will become less deterministic and more random in 
nature and will require more of an asynchronous structure. 
C.3 Synchronous Control Structure 
II The Shuttle Phase B baseline approaches to data have been 
based on a synchronous control structure. In a synchr3nous 
control structure a predetermined sequence of processing tasks 
is referenced to some basic time cycle. The main advantage 
S •	 is that scheduling and allocation of the CJ are solved ahead 
•	 of, rather than in real time. 
• Mission programs are organized into several major cycles 
associated with a functional sequence.
	 Each major cycle is 
composed of a series of operations of minor cycle programs such 
that the major cycle is completed every N minor ccles.
	 I/O 
interleaving and memory usage are pre-planned and precedence 
relationships are built into the sequence. 
C.3.1	 Description of Synchronous Operation 
• •: The following describes a synchronous operation. 	 It is 
based on a tinier-interrupt, fixed schedule, time slice mode of. 
operation.	 A 20 millisecond interval is used as basic referene 
frame for the system, providing a minor cycle sampling rate 
of 50 cycles per second,
	 tinder this concepL jobs are organized 
into short routines, and when the executive detects a timer-
interrupt (i.e., every 20 milliseconds)
	 it examines the "task 
schedule tables" to determine which set of routines is to be 
operated during the next program interval.
	 Each 20 millisecond 
interval contains all 50/second tasks, and portions of other 
lower frequency tasks.
	 The minor cycle is operated every 
20 milliseconds and a percentage of that time is distributed 
among the tasks that are assigned to each minor cycle.
	 A back 
- ground job is run 4 n the slack time before the next minor 
cycle.	 Under a command response concept, scheduling I/O in 
• a synchronous structure is similar to the scheduling of tasks. 
The I/O requirements for each mission phase or major cycle 
are predetermined and sysnchronized with the structure of tasks 
operated in the major cycle.
	 The I/O request list is assumed 
151 
INTERMETRICS INCORPORATED '380 GREEN STREET' CAMBRIDGE, MASSACHUSETTS 02139 .
 16171RAR-ian
to be fixed.	 Since the I/O requirements will have different 
frequencies, they are incorporated in each
.
 minor cycle in 
correspondence to load balancing of' the processing tasks. 
For an example, assume all I/O requirements for a particular 
mission phase are organized into 3 categories of frequencies: 
50 times/sec, 5/sec, and 1/sec.
	 Assume that X, Y, and Z are the 
number of commands in each category.
	 Assume further that a 
minor cycle occurs every 20 ins and that a BCU is commanded 
with	 list 
.
a	 of I/O requests each minor cycle.
	 The average 
number of I/O operations required to be scheduled each minor 
cycle are:
	 all of the 50/sec requests, 1/10 of the 5/sec 
requests, and l,'SO of the 1/sec signals.
	 In a synchronous 
structure tables, of predetermined I/O requests are organized 
'
according to sampling frequencies.
	 The appropriate number of 
I/O entries to command each minor cycle are selected from these 
tables.	 The synchronized concept attempts to avoid non-deter-
ministic behavior of I/O, I/O queues, and I/O backlog. 
Several types of I/O activity cannot be determined in advance; 
for example, the command of jets on and Off.
	 The I/O scheduler 
-'	 ma'i accomplish this by providing a. place for te command in 
the appropriate list and then causing the BCU t- skip the 
command or incorporate it, depending on the reLlts of the 
stabilization and control tasks. 
C.3.2
	 Advantages and Disadvantages of a Synchronous Control 
Structure 
This type of executive provides some significant advantages: 
a)	 It has deterministic behavior and simplicity., 
b)	 The requirement for re-enterable programs is either 
eliminated or minimized, since the environment is not a 
multiprogrammed one (provided of course, first, that major 
cycle tasks are not interrupted via the timer interrupt; 
and second, that they are totally independent of the minor 
cycle) 
c)	 Conflicts in processor allocation, memory allocation, and 
data tables are avoided by scheduling and allocating in 
advance. 
d)	 It eliminates the need for the dispatcher to search a 
priority quue, which minimizes the executive overhead.
152 
INTERMETRICS INCORPORATED . 380 GREEN STREET CAMBRIDGE. MAS9AC.I-111STT fl1Q •	 oo 
- 
e)	 Fxnally since scheduling and allocation are preplanned, 
theoretically there are no computations or I/O overloads 
or any degraded response. 
Powever, there are some disadvantages 
a)	 This type of fixed-sequence executive organiation does 
not provide a structure which allows for external inter-
action by the operator, or which copes with a random job 
stream.	 Jobs must be predetermined and assigned to slots 
•
in a sequence and must operate within the basic reference 
framework.	 it is not clear at this point whether all 
• Shuttle requirements can be so predetermined. 
b)	 Lengthy calculations must either be broken up into short 
segments, interconnected in such a way as to meet the 
requirements of the seQuence, or be shifted somehow into 
the background.
	 There are several activities, as targeting, 
which involve calculation times on the order of minutes. 
It is not clear whe ther it is feasible or cost effective 
to break them into short segments and interconnect them to 
•	 form a complete computation.
	 If, however, they are operated in the background and are interrupted by the minor cycle 
every 20 milliseconds, then they must be multiprogrammed. 
This implies re-entrant routines and, if they are not totally 
independent from minor cycle computations, a priority 
Structure. 
•	 c)	 The structure does not seem to possess an inherent flexibility 
to incorporate changes in the design of the sequences.
	 The 
requirements to rebalance the load in the fixed sequence 
after a modification may result in a major redesign. 
d)	 The sequence must accommodate the worst car'-' computational 
requirement.	 For example, if the crew is provided the 
option to display a parameter durin g
 a particular mission •	
phase, then the calculation of that parameter will have 
to be incorporated into the sequence whether or not the 
crew ever requests it 
CA	 Asynchronous Software Structure 
In an asynchronous control structure scheduling and allocation 
of the processor are accomplished in real timE! according to the 
needs of the operating environment.
	 Under this concept Processing 
tasks are assigned a priority which establishes their relative 
importance to each other.
	 A task with a given priority runs 
until a wait is encountered, or the existence of a higher 
priority task is established.
153 
• •.	 ••.	 •• 
INTF.RMETRICS INCORPORATED
	 380 GREEN STREET
	 CAMBRIDGE, M/'SSACHUS!TTS 02139
.
 (617) 868-1840
C.4.1	 Executive States and State Transition 
The distinction between synchronous and asynchrcnous 
control structure can be illustrated by the "states" in which 
a task will exist while operating under each structure.
	 In 
a synchronous structure, tasks are in one of two states:
	 actively 
running or not running.
	 At any instant of time only one task 
-
- -.	 is in the running state and all others are not running.
	 The 
transition to the running state occurs when a task's scheduled 
time slot arrives. 
• In an asynchronous structure, a task, while present in the 
system, will exist in one of 4 states:
	 actively running, waiting, 
ready to run, or "in limbo".
	 The executive insures the proper 
transition of states depending upon either internal or external 
stimuli.	 Refer to Figure C.l.
	 The running state definition 
is obvious.	 Note that the "running" state can only be entered 
• from the "ready" to run state.
	 This unifies the dispatcher 
functions.	 The waiting state is either a voluntary or involuntary 
state, depending upon its cause.
	 A voluntary wait would be 
• •.	 a wait for completion of I/O, or perhaps some external time 
stimulus.	 An involuntary wait would be awaiting resources 
(i.e., memory)
	 to become available.	 The state of limbo occurs 
when the task voluntarily releses the processor without expecting 
any external stimulus to ready it.
	 The ready state can be entered 
from all other states and indicates that a job has all the 
facilities available to it to run.
	 The function of the dis-
patcher is to pick the mast appropriate task from the ready 
queue and start it running.
	 State changes from wait to ready 
would occur when the awaited stimulus has occurred.
	 The change from limbo to ready state occurs when a schedule request is 
issued by some task.
	 The switch from running to ready occurs t when a task is preempted by a higher priority task or interrupt. 
in summary an asynchronous structure is one in which one or 
more tasks may be in the ready state awaiting allocation of 
the processor.	 In a simplex computer system this is termed 
multiprogramnu.ng, i.e., the concurrent operation of more than 
• one task. 
kC.4.2 Overview of Asynchronous Operation 
r •: 
•	 •
An overview of the operation of a general asynchronous 
executive is illu:itrated in Figure C.2.
	 The scheduler and 
• dispatcher, once in control, should be able to pick a task and 
run with it.
	 The scheduler assigns or reassigns task priorities, 
verifies that all the task resources are available, and maintains
•	 154 
INTERMETRICS INCORPORATED . 380 GREEN STREET CAMBRIDGE, MASSACHUSETTS 02139
.
 (617) 868-1840 
.•	 ••	 -	 W 
the overall view of real time events. All task starting is done 
through the dispatôher. 
The scheduling function in abroad sense consists of making 
appropriate entries in task blocks and priority queues so that 
the dispatcher need only select jobs from the top of the ready 
list. If there is a number of tasks to be scheduled, the scheduler 
treats some as more important than others and executes them first. 
If the. dispatch function occurs at some time other than at the 
end of a program, then a mul tiprogrammed environment is a direct 
result. 
•	
The interrupt handier "posts" the event complete, makes the 
task ready if possible, and then passes control to the scheduler 
to act on the information it has provided. 
The resource allocator is invoked as ax-. executive function 
by the scheduler to test readiness to run, and if not ready, 
will inform the scheduler of the requirements for readiness. 
It may also be invoked to test availability of contention items. 
I/o in an asynchronous structure is generally scheduled 
on a demand basis. An active task requiring I/O schedules its 
•	 request via an I/O queue. The task is placed into the wait 
state until completion of the I/O request. The I/O control 
routines operate on the I/O queue and interface the I/O peri- 
pheral (i.e., the bus system) to perform the request. I/O is 
performed asynchronously with other processing tasks in the 
system. After acknowledging receipt, initiation or completion 
•	 of the I/O request, the scheduler is informed via a simulated 
or actual interrupt. The task awaiting the I/O request is then 
placed into the ready state and awaits processor assignment. 
C.4.3 Advantages and Disadvantages of an Asynchronous Structure 
Some, of the advantages of an asynchronous structure are: 
a) it is able to adapt to a random job stream; i.e., it does 
.j	 not require load rebalancing and it can tolerate periodic 
overload and backlog, because it is, in fact, designed to 
•	 cope with this problem; 
b) it has a greater flexibility for incorporating changes than the fixed sequence approach; 
C) coupled with an interrupt mechanism it is more adaptive 
to a real time environment;
155 
INTERMETRICS INCORPOP.A1ED . 380 GREEN STREET . CAMBRIDGE MASSACHUSETTS 02139 .
 (617) 868.1840 
--	 -•
d). its structure does not require long
	 such
as targeting,. ec. to be arbitrarily organized into fixed 
blocks to fit into some fixed cycle or sequence; 
The disadvantages are:
 
a) the multiprogrammed environment resulting from this type 
of scheduling is more complex and difficult to test and 
verify; 
b) in a real-time system in which a task must be scheduled at 
specified tunes, the priority assignment must be chosen 
and '3signec accordingly. 
The type of program control ultimately selected will probably 
be some variation of one of these approaches. 
C.5 Computer Interrpts and Their Effect on Organization
 
One of the basic motivations for structuring Shuttle soft-
ware in a synchronous control organization is the expected diffi-
culty in handling interrupts. Because of the randomness of 
operation introduced by interrupts it might be desirable to 
eliminate external interrupts entirely. However, it is not 
Possible to eliminate all types of interrupts, Particularly 
internal interrupts, which require responses to error 
conditions. The real problem in verification is not aggravated by the actual* 
hardware interrupt,, but from its effect on the multiprograe 
environment., 
The interruption of a running program in response to an 
external signal was introduced into the computer technology to 
serve two purposes: 
a) to provide rapid response-time to asynchronous events, 
b) to eliminate the overhead of polling for the occurrence 
of an awaited event.
	 . 
In single-process
	 sYeins,particu1ar1y dedicated systerts,where most or all of the conoutatjon is devoted to a single 
application, the introductjor of interrupt-mode computation 
raises a hazard. At arbitrary times an interruption can intro-
duce what appears to be a parallel task which is, at least 
conceivably, capable of disrupting the progress of the interrupted 
task by "invisibly" altering its variables. 
*.y the "actual" interrupt it' is meant the hardware transfer to a 
specific location to perfoxn some minimum function and 
then resume. 
a
	
•	 ,	 .	 .	 .	 '	
156	 .	 ' 
	
- -
	 INTERMETRICS INCORPORATED 380 GREEN STREET CAMBRIDGE MASSACHUSETTS 02139 (617) 868 18
H 
P
It is reasonable to presume that it is easier to verify a 
program which will operate from beginning to end (or to some con-
venient point) without a swap of the Droces3or to some other 
job. In a sense, the objective is to minimize the scale of 
multiprogranirning in the system. 
C.6 Summary of I/O Operations Versus Software Structures 
A bus I/o transaction once initiated by the computer is 
independent of the computer software organization. The command/ 
response addressed bus may be directed by a computer with either 
an asynchronous or synchronous software structure. The main 
difference will be in the scheduling and dispatching of I/O 
requests, and in the coordination of I/O with processing. 
In the synchronous structure, I/O requests must be preplanned 
and interleaved with the task processing. I/O requests are 
dispatched in a list every minor cycle and carried out con-
currently with task processing. A synchronous software structure 
requires a command response bus access method. A polling or 
contention access method would be difficult to run with a 
synchronous structure. 
In an asynchronous structure, I/O is scheduled on a demand 
basis by the processing tasks, and is dispatched to the bus 
system by the I/O control. After completing the I/O transaction 
the bus system signals the event (via an interrupt) and the 
processing task is informed accordingly. The bus system may 
be commanded with a list from the I/O queue, or with a single 
request. An asynchronously structured software can command 
a bus with any form of addressing. it may prove advantageous 
even with the cmmand/response addressing method. 
In either structure, the bus system is designed to accept 
a command, or list of commands, and executes them as described 
in Chapter 4. However, the system I/O throughput and response 
for a given bus design will not be independent of the structure 
of the software system. Of concern to the bus are the events that 
occur from initiation of a command from the central computer 
until its completion by the subsystem. The interaccions between 
the computer and the bus control unit is of specific importance; 
i.e., what happens to the CPU once an I/O command is initiated, 
and what happens when the transaction is complete? The answers 
to these questions will have a great influence in determining 
the I/O control software performance. 
INTERMETRICS iNCORPORATED . 380 GREEN STREET . CAMBRDGE, MASSACHUSETTS 02139 . (7) 868-1840 
- ----- -	 -.
• .a4 
• - 
I.. 
U) $4;, 00 
44 0 
4JØ
tp L WO •d • ..-I 
.,-' 
En (U 
\
4141 
WC) 
u• 0)0 
I 04 P4 a)_4 
00) Uz4 I U) $40)4-1 0)0) 
IL)	 0) :i4 
i
Io 
Ill) 
'b  
0)0 
tp 
0 r4
,-44) 
'ci	 G) 
rU) 
410 
0
I0)• [4
:: •-i 
7b •d U) 
41 
U) a) 
J Or-4 
04 0) 
o 
4I4 
OEC) 
s.•_;r-f0
U)H 
'U	 •	 •• • • 158 
U) 
4J ,-
U) 
0). . 
b1  WAu 
41 t 
fl Iij 
rit cx 
H 
' 1L1J-
0 C4 
Z4Q 
I __ tpI 0) 
X^^: 14
.
E. 
$4 
;I 
144 :0) 
0	 44 
4j
.	 I	 W 
'H4
I jW •rlC1 I 
- 4i • ,-1	 I	 I I	 0)0 
 -- 0...i
. 43 
•. (0V),i	 (1)0) 
o 4.iJ1	 f•d 4)
 10 •d, 	E-4 E-4 00 fl '0 %
9 .0 1 0
m 
0)r-4 14r-4 0)0) to 
C 
coo 
. Ø	 'H 4 
--
.
--I 0 r4 
. 43.t IIH r-4 
P 
159 . 
1N1'ERMETRICS INCORPORATED
	 380 GREEN STREET
	 CAMBRIDGE, MASSACHUSETTS 02139
	 (617) 868-1840
- 2 .. -'_	 3::	 .	
:	
r	
': 
,.	 -	 ' 	
)	 '.	 _	 _'_t	 ,,	 .'	 ..- 
w	 , '•1, 	 :	 -	 I	 I	 ''	 ' :	 f	 * 
4	 .*	 .-	 "	 '.	 ;.	 ,	 •1L	
4	
;,a	 '	
'(	 -.	 - 
,;	
r	
.	
;:	
: .	
- ;:	 , iL 
•?	 .	 ,.-	 - ,	 -'	 "F	 r'	 .	 ':1A I	
'_3	 I	
-	 4.r	 .	 .	
,J	
,) -4 
2f/:&ê 
*.. I, '	 a;	 '
 ,
	
-	
.	
LI.I.	
. 
I , -	
. 2vq I" 
_,r4 
 ' .	 . ,	
:	
h \	 '\	 ,
 ­­ , I
-
 .WI., ­
 I 1? ^ i, — - 5'	 . :
	 :i ;f:	 J[::J) - ,	 - I.",.- - __,r'.1 I.., ., . - - I , . --- 
;_	 .	
.\	 -	 .	 .	 .	 r-	 -	 ..	 .	 . V	 •	 •	 V 
•':•Vh	
Vt VV I V	
V 
\	 -	 •	 -r	 V	 '_)- :1	 ,_ 
z?	 - •	 -	 V-V	
_V	 •• ---. - •	 V	 V	 •V	 • 	 • •	 V	 V_V	 ;	 ,V V	 VVV_
	
_V: 
f 
r	 '	
_z ?V	 '	 '	 b	 •VV	 V	 ?Vj 
.	
V IV	 ,,	 jY-	 •	 .1 
Vj I	 ' 	 -	 -	 -'	 V	 -	 -. WH 
_Ve	 _	 _V	 •_	 V	 A 
%	 -	 Vt	 V•	 b	 t	 . 
i	 ::C	 ,	 .	 ,, , 
V %	 ?	 #	
tV 
#	 z	 V	
.	
V	 •	 .	 Vi	
' i	 .	 Vs,	
,i!-.-	 I	 &	 4;. 
_	 -	
-:.;	 i, ::;	 :	 -	 - * 
r	 ..	 V 
I
,	 V	 _	
jr,, 
4V;!	
_- '-:	 :	
V	
_;$;:
 
.­_ 
-	
V	 VV	
V	
. •VVVV,:
	 -- ' 
V _	 • 
i\	 ' 
V.; V	 I \ '	 j	 ,	 ; - V 2
 il ^, -.^  "t — 
. 	
:	
iDi
IIJ :t
: 	
t:.xtA; — -  i^ 
V:r .	 Itu8 '-d'
	 - 
•V '	 •	
F	 ' 
	
-	 -'	
•'	
::	
.-	
_	 -
	 ,. _ ,zl ^,^ A--, 
	
7	 F	 4
	 , 11
-	
•5-\	
V	 -	 7 ,
	
,^_ 
V	 -	 -	 V	 --	 •V	 -	 V 
-	
2	 7	
V
-
 . I -	 ,	
. 
	 .- ,
	
, - ^ .1.) -	
-	 - 
*^^-_ 'g 
--	 :	 --	
-	 VV	
VVSVVS VVVSVV V	
VV V 5 7V
	
-,v ^, 
-	
-	
-	 V_
	 ^ T. . 1j'	 ;	 :	 : , 
* 
u ^ .	 ", - '_	 '^ _	 - ,,: - , 7 - ­1 ,,-,--, -1.1;-2^,.' f, ^ '. ;^, "; L 	 ,^. " , .	 , ^ I	 I	 ,^,	 --	 , , ;.,&,^ - 	 ^ 
	
'	 •'I
 , ,	 /	 1^1. ^ - e *	 1, .:	 .1	 .	 .	 11 I 1^ "N.", ­ . ^ 
I	 1^ ^_. ^1'1 
1. 
` 
,	
_^, I	 ^	
1. - I
	
I	 .	
...	 ^	 - - ­ ^ 
: " ^	 I	 ^	
^	
I	 I I _^,	 I e5n^ I	 .1	 , ,j
"
^ 
.	
.	 ,	
^	
`^^t­ ',`*^K;^;	
,	 1, 4^
	 ,	 `,^--	 -	 , , ,- , 
il -	 - ­ - "A-,,! 
-	
-	 -	
-'-
11
7	
7 
-	 - 
V	 -	
S:AV - -	 - S - V	 5	 :•-5V4S	
. 
1	
*
._5 
VS	 - 
-	 'VVVV5VV;V..VVS.	 '* V	
V5 V	
-	 V	
V	 V	 VVV:V	 -	 VS 
- 
V	 V575VS	
VS	 V	 V	
V 
.7	
5,	 •S 
4	 -	
V	 55	 54 
	
V	
--2 
-	
7	
.-	 -	
- 
V	 -	 -	 ­4 
V -
	 VVV5	 V	 -	 - -	 V	
--	
,s	 4 -
 It
- V7 	
5	
.4,,
O
