Applications of discrete network simulation in space vehicle checkout  Volume 1 of final report by unknown
General Disclaimer 
One or more of the Following Statements may affect this Document 
 
 This document has been reproduced from the best copy furnished by the 
organizational source. It is being released in the interest of making available as 
much information as possible. 
 
 This document may contain data, which exceeds the sheet parameters. It was 
furnished in this condition by the organizational source and is the best copy 
available. 
 
 This document may contain tone-on-tone or color graphs, charts and/or pictures, 
which have been reproduced in black and white. 
 
 This document is paginated as submitted by the original source. 
 
 Portions of this document are not fully legible due to the historical nature of some 
of the material. However, it is the best reproduction available from the original 
submission. 
 
 
 
 
 
 
 
Produced by the NASA Center for Aerospace Information (CASI) 
https://ntrs.nasa.gov/search.jsp?R=19690019471 2020-03-12T03:11:39+00:00Z
I7	 W	 ^Q	 O	 d
	
\ u ^,^ ^	
r^g3J 31 r''u_
GENERAL DYNAMICS
	
-	
Convair Division	 c	 NO	 C'
Oj
C"i	 CO
	
CIO 	 Cq vCDW
Z^ W \ O
0	 W T
^ ^ I
Ix
a	 4 \ ~	 A?135.1 (REV. 5.65)W	 R
V	 c
U	 ^ SV
J ^
^Z m
_^ z
toi NWOA AAI11DY1
.1
REPORT NO. GDC-DDF67-004
Applications of
DISCRETE NETWORK SIMULATION
IN SPACE VEHICLE CHECKOUT
FINAL REPORT VOLUME I
G=,-NEMAL DYNAMICS
G"onva.,*r Division
REPORT NO. GDC-DDF47-004
I
Applications of
	 J	 '
DISCRETE NETWORK SIMULATION
IN SPACE VEHICLE CHECKOUT
FINAL REPORT VOLUME 1
DECEMBER 1967
Submitted to
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
GEORGE C. MARSHALL SPACE FLIGHT CENTER
HUNTSVILLE, ALABAMA
under
CONTRACT NAS8-21104
Prepared by
CONVAIR DIVISION OF GENERAL DYNAMICS
HUNTSVILLE, ALABAMA
,.	 ..,..,,,.,. ^-.,:ate_ .^•-.
ABSTRACT
A technique for the use of computer programs in validating test procedures is
presented. The Discrete Network Simulation technique in conjunction with additional
computer programs is used to validate Saturn Instrument Unit Test Procedures.
The results of a study for the adaptation of the computer programs associated
with the Discrete Network Simulation and Automatic Malfunction Analysis techni-
que are discussed. Several possible modes of operation are presented. Volume
II documents the programs developed undgr this study.
ii
fTABLE OF CONTENTS
List of Illustrations	 iii
List of Tables	 iv
Summary	 V
1. TEST PROCEDURE VALIDATION BY DISCRETE NETWORK
SIMULATION	 1
1.1 Shortcut Modeling Technique, 	 1
1.2 Demonstration Model 	 2
1.3 Logic Model for Instrument Unit 	 3
1.4 New Computer Program Req^tirements 	 10
1.5 System Simulation	 11
1.6 Comparison of Simulation Results with Test
Procedure Predictions	 11
2. COMPUTER PROGRAMS	 17
i
2.1 DNS Update Program	 17
2.2 Name/Time Card Generator Program 	 17
2.3 Down Translation and Culling Program 	 18
2.4 DNS Preprocessor Editor Program	 19
2.5 DNS/ATOLL Input Conversion and Punch Program 	 19
2.6 Discrete Network Simulation Program	 19
2.7 DNS/ATOLL Comparator Program 	 20
2.8 On-Line Simulation with Univac 1108	 20
3. CONCLUSIONS AND RECOMMENDATIONS	 24
3.1 Conclusions	 24
3.2 Recommendations .	 25
iii
iM1
ILLUSTRATIONS
1. Composite of ESE sheet 53 and IU sheet 18.	 8
2. Simulation normal history printout. 	 12
3. Simulation 'variable print' printout. 	 13
4. Comparator program printout.	 15
5. Partial cycle list from IDA. 5003 simulation. 	 16
s
t
a
r
iv
7I
TABLES -
A. Instrument Unit Electric Schematics.	 4
B. Advanced Electrical System Schematic IU Power
ESE, Saturn 1B
	 5
C. Advanced Electrical System Schematic W ESE
Saturn 1B	 6
D. Distribution of Variables in IU Model
	
9
SUMMARY
Rapid technological advances have increased the complexity of systems, necessitating
the need to improve existing techniques and create new methods of automatic checkout
of systems. This report contains a technique, developed under contrast NAS8-21142,
for applying Discrete Network Simulation (DNS) to the validation of test procedures.
DNS is an analytical tool which is capable of thoroughly and accurately analysing
complex systems. It consists of a family of computer programs, the Down Translation
and Culling Program (DTC), the Pre-Proces . sor Editor Programs (PREP-ED), and the
Simulation Program. These programs have been used in conjunction with the Automa-
tic Malfunction Analysis (AMA) programs to al.d in the automatic checkout of complex
systems.
The use of DNS has proven to be a valuable tool for d iterming component failures
during automatic checkout of the engine cutoff system for the Saturn S-1C stage. An
analysis of the results obtained from this application indicated that much of the data
generated by the Simulation Program could be of value for validating test oroceftres.
The Simulation Program uses a Boolean logic model of the system to simulate the
operation of the hardware. When the input deck corresponds to the discrete outputs
(DO's) of the test procedure, the action of the discrete inputs (DT's) in the model will
be the same as the predictions in the procedure. This indicates that a technique for
validating test procedures could be developed, using DNS with the test procedure as
an input.
Vi
TEST PROCEDURE VALIDATION BY DISCRETE NETWORK SIMULATION
Verification of automatic test procedures requires a n4anual effort which is both
tedious and time consuming. Each manual operation and discrete computer instruction
(DO) must be traced through the schematics to determine if the effect on the hardware
is the same as the results predicted by the test procedure. In order to do this the
state of the hardware at the time of the input must be taken into account, since different
results can be obtained by the same input depending upon the state of the hardware.
This requires that a detailed state of the hardware be maintained and updated with each
new input while validating the procedure. A, check of the variables associated with a
particular system must be made to ensure that each has been properly tested. Even
when personnel familiar with the system are used the time required to validate a test
procedure in this manner is excessive.
A technique has been developed which can greatly reduor this task, and increase
the accuracy of the verification. The purpose of this techniq !.ie is to automatically
determine how well the test procedure checks the hardware. It checl ,:,s the accuracy
of the predicted discrete response-) (DI) associated with DO inputs, determines those
components which have not been cycled during the test, shows components which have
been over tested, and points out the differences between the state of the hardware before
the test and its state after the test.
The basic documentation necessary for this technique is a so.t of detailed schematics
of the system, including prints of the black boxes, and a card image tape of the ATOLL
test procedure. A logic model of the system is then developed from the schematics.
This model is used with the existing Discrete Network Sim?.elation program to simulate
the hardware. The simulation inputs necessary to drive the model a,•e generated auto-
Mrn`ically from the ATOLL tape by the Input Generator Program. The result, of the
simulation are automatically compared to the test procedure predictions on the ATOLL
tape to determine any differences which may exist. This is done by the use of the
Comparator Program. These differences can easily be checked to determine their
cause, and corrective action taken.
1.1 SHORT CUT MODELING TECHNIQUE
E A, short cut modeling technique was used in creating the DNS model for test procedure
validation. This produced a model which was tailored to test procedure validation and
was still compatible with the DNS programs.
i,
1
The revised technique: (a) allowed a model for a larger system to be constructed,
(b) eliminated the need for one program (Down Translation and Culling, DT&C) in the
simulation process, and (c) reduced the time required to construct the model.
When developing a model for test procedure validation, it is assumed that the
hardware functions properly and that there are no component failures. It is not
necessary to include individual relay contacts, or inactive variables in *he equations.
Inactive variables (those which do not change state during the normal operation of
the system) were not written, since thoy could only affect the system by failing. Some
examplos of inactive variables are ..fuses, pins, and plugs. Individual contacts were
not written since they function as the coils with which they are associated, and it was
only necessary to write the coil equation, By limiting the model to those variables
necessary to describe the system in its normal operating configuration it was possible
to increase the size of the model, in terms of the logic described, without increasing
the required computer storage. This made it possible to validate the test procedure
with a single model, eliminating the task of interfacing two or more separate models.
i
	
	
The DT&C program pe. ,forms two functions in creating data for Automatic Malfunction
Analysis. It gives all the variables a three letter code for compatibility with the Pre-
Processor Program, and creates coded data for use with the AMA programs. Since
the information generated by the DT&C is not necessary for test procedure validation,
it was advantageous to eliminate the DT&C for this applic ; 4fon. In order to do this it
was necessary to write the model in a form which could be iliput directly to the Pre-
Processor Editor.
The DNS Pre-Processor Editor Program requires all variables to have six char-
acters or less. To bypass the DT&C and have the model compatible with the Pre-
Processor, it was necessary to limit all variables to six characters. This was done
without any major loss to the variable identity, since the name was designed previously
to aid in locating the item in the hardware. As this was not necessary for test proce-
dure valid!,,,,' 	 such things as chassis and sub-chassis were eliminated from the var-
iable name, where possible the variable naive contained the schematic page number on
which they appear. By eliminating the DT&C from the process, a considerable amount
of time is saved. Although the actual running tine fe?r t1w DT&C program is relatively
small, the total turn around time can be high. Also, since he three letter coded variables
must be used to drive the simulation, a change in the model which affects these codes
requires a new input deck. There were approximately 10, 000 cards in the input deck for
the test procedure simulation. Eliminating the need to repunch these cards each time
the model was changed saved a great deal of time and effort.
1.2 DEMONSTRATION MODEL
To demonstrate the feasibility of using Discrete Network Simulation for test procedure
validation two small models were prepared.
2
F}
E
C_ e ing method was prepared of the Range Safety
S stem..	 the S-1C--stage as shown on drawing 60B55701, sheets 53 and 54 and ESE
SK65B7400, sheets 189-194 and 495. This model contained 209 active variables
including 74 Discrete Inputs which are monitored during the Range Safety Test Procedure.
The driving functions for this model were taken from Test Procedure 68, This model
was written using variables with more than six characters, which necessitated the use
of the DT&C program. This was done to compare the short modeling method with the
modeling used for AMA. It was decided that the short cut method would do all that was
required for test procedure validation in a much shorter time and made the validation
of the model much easier.
To confirm the short cut modeling method and to develop a printout that could
be easily read and checked against the test procedure predictions, a second small
model was written. This model covered a part of the Emergency Detection System
designated by the Quality Assurance Laboratory and was to be complete enough to
check out IDA 5010 of the Emergency Detection System IU SA-208. It included all or
part of the following sheets, 20-28 from drawing 7910538 and sheets 186-198 from
drawing 40Z 15449-3 . This model was run with the driving tanetions taken from IDA
5010 of the EDS Test Procedure for IU SA-208, combined with the necessary inputs
to bring all the variables in the model to the state that they would be if the test proce-
dure had started from the, beginnings,  These inputs included mostly busses and latching
coils that had to be either set or reset.
1.3 LOGIC MODEL FOR INSTRUMENT UNIT
A logic model of the Instrument Unit 209, electrical networks and its associated
Electrical Support Equipment (ESE) was prepared after the information obtained from
the two small test models had been analyzed.
The model was to be capable of validating three major test procedures - Power
Distribution and Control (PD&C), Emergency Detection System (EDS), and General
Networks. In order to avoid over writing and to optimize the time required to create
the model, the Quality Assurance Laboratory set up some general boundaries which they
felt would incompas the hardware exercised by the procedures. This included the
stage schematics 7910133 shown in Table A, the IU ESE Power No. 40Z08707-5 shown
in Table B, and IU ESE No. 40215449-5 shown in Table C. An analysis of the IU-209
schematics indicated that the IU-208 EDS model could be updated to the 209 configura-
tion. A model of the black boxes created a problem due to the lack of available docu-
mentation. In most cases the black boxes were not written. This resulted in a few
indicators (DI's), which are monitored by the procedure, being left out of the model.
Since these DI's were easily identifi--d, this discrepancy had very little effect on
the results of the validation. In other cases where limited documentation was available,
parts of the black boxes that affected the net-work during the tests were included in the
model. The major black box, in terms of the number of variables and its effect on the
3
TAB LE A
DRAWING 7910133
INSTRUMENT UNIT ELECTRIC SCHEMATICS
Sheet Title
10 28 Volt Power Distribution and Power Transfer
11 56 Volt DC, 28 Volt DC, and 5 Volt DC, Power Distribution
P°o lation and Voltage Measurements
12 Cooling System and Air Bearing Supply
13 Switch Selector Address/Verification Register
14 Switch Selector Address/Verification Register
15 Switch Selector Address/Verification Register
16 Switch Selector Enable/Verification Register
17 Switch Selector Read/Reset
18 Switch Selector Power & Data Adapter Functions
19 EDS Power .
20 EDS Power
21 IU/SC, IU/S-IVB and IU/ESE Interfaces
22 IU/SC;' IU/S-IVB acid IU/ESE Interfaces
23 IU/SC, IU/S-IVB and IU/ESE Interfaces
24 IU/SC, IU/S-IVB and EIS Interfaces
25 IU/SC, IU/S-IVB and IU/EDS Interfaces
26 EDS Two Engine Out and Excessive Rate Auto Abort Inhibito
27 E LS Functions
28 Control Signal Processor Control - EDS Rate Gyro Package
29 IU/SC and IU/ESE Interfaces
31 IU/SC, IU/ESE Interface and SC Control of Saturn
32 Flight Control Computer
33 Control Signal Processor Control Accelerometers
36 ST-124M-3 Platform
40 Data Adapter Power Command Receiver and Decoder "Power
43 IU/S-IVB/.'5-1B Interface Connectors Mated
44 Power Distribution to RF Systems
45 Telemeter Calibration
46 Telemeter Output
47 Wracking Systems and C-Band lnhWite
48 Measuring Racks Calibration
49 28 Volt and 5 Volt Distribution for Measuring Racks and
Measurement Transfer
4
Sheets
29 thru 48
51
57
.65 thru 67
69 thru 72
74 thru 77
79 thru 82
84 thru 88
91
TA33 LE B
DRAWING 40208707--5
ADVANCED ELECTRICAL SYSTEM SCHEMATIC
IU POWER ESE, SATURN 1B
y,
W
5
ei{
+M1
1
t
i
A
TAB LE C
DRAWING 402154/19-5
ADVANCED ELECTRICAL SYSTEM SCHEMATIC
IU ESE SATURN 1B
Sheets
34 199 thru 200
44 thru 47 210 thru 211
50 thru 66 216 thru 244
69 thru 83 247 thru 248
88 thrta 100 250
'	 106 258
108 273 thru-275
110 thru 112 279 thru 289
116 305 thru 307
153 thru 169 315 thru 316
171 thru 172 319 thru 320
175 thru'1.77 333 thru 353
180 356 thru 362
184 thr u 195
rest of the' hardware, was the Switch Selector. It was originally written from the
drawings for the Mod I Switch Selector which were available at the time. The simu-
lation indicated that the Mod I version did not function properly for all of the tests.
It became necessary to obtain documentation on the Mod II Switch Selector, and to
update the model to that configuration.
To keep the variable names within the six character limitation and still maintain
a unique designation, a standard notation was used for each type of variable. Coils
and switches were prefixed by the page number on which they appeared followed by the
letter 'K' or 'S' and its number designation. DI's, DO's, and busses were written
as they appeared on the schematics. Fuses were prefixed by an 'F' and followed by
the nearest connector designation. The cables were designated by the last six characters
as they appeared in the test procedures.
An example of the variables as they appear on the documentation, and their
designation for the model is shown in Figure 1 which combines parts of sheets 53
from ESE drawings and 18 from the IU drawings to show how variables were identified
and how equations for the model were written. The Boolean operators *(AND), +(OR),
and / (NOT) are used in writing the logic equations. Thus, the equation DI71 = /53K15
*6D110 says that DI71 will be energized when.the bus 6D110 is energized and the coil
K15 is not energized. Discrete inputs, discrete outputs, and busses were written using
the same designation as 3s used on the drawings. Variable names for coils were created
by prefixing the drawing designation by the page number on which the coil appears.
t	 Thin, coil K15 on the drawing becomes 53K15 in the model. The completed model con-
tained 2324 variables in 1930 equations. Table D shows the number of each type of
variable.
1.3.1 VALIDATION OF THE MODEL -Validating the logic model is always a major
task. It became even more difficult for this model, since the test procedure alterd the
configuration of the hardware during certain portions of the test. It therefore became.
necessary to validate the model for the different configurations dictated by the test pro-
cedures. This resulted in a process of simulation, comparison, and analysis. A .sim-
ulation was run using a specific configuration as designated by the procedure. The
results of the simulation were then compared to the predicted results of the test proce-
dure. If the results of the simulation agreed with the predicted results of the test
procedure,that portion of the model was considered valid. This could result in an
erroneous validation if both the test procedure and model contained the same error.
Since the possibility'of this occurring is slight, the model can be considered correct.
When the results of the simulation did not agree with the predicted results of the pro-
cedure, an analysis was made to determine if there was an error in the model, the
procedure, or the simulation inputs. Due to limitations in contract funding, the dif-
ferences between the simulation results and the test procedure predictions for IDA's
5015 and 5032 were not completely investigated..
h
7
0 o O O
--4 r-4	 ?--I
^ Ooxo
^\ r+ Q o0
n u II	 a ,^
a^
A00to^
cd
m	 a
a^
a^
W
rn
W
0
Q)
U
F^
P4 0
40 z
II	 11	 11
00
I H
W
rE,a
F µ^
x
rn
^ M
W ^
O
A
tp 
CA
0
tf.)
rl
^9.
•TAB LE D
DISTRIBUTION OF VARIABLES IN IU MODEL
Variables
DI (Discrete Input) 	 458
Do (Discrete Output)	 283
Nodes	 42
:fusses	 86
Coils	 913
Fuses	 93
Switch Selector Channel	 112
Legs	 104
Pressure Switches	 30
Timers.	 1
Pump	 1
Jumper	 7
Valves	 14
Cables	 40
Power Isolation Board	 6
Voltage Monitor	 6
Switches	 96
Condenser	 .2
Solenoids	 12
Regulators	 14
Miscellaneous	 5
Total	 2305
No.
c'.
1
1.4 NEW COMPUTER PROGRAM REQUIREMENTS
t,
1.4.1 UPDATE PROGRAM - Validating a large model requires a great deal of card
handling. Each change, addition, or deletion from the model requires all of the cards
I to be re-run through the Pre-Processor Program. This can often result in problems
other than those normal to modeling. The cards often become worn and will not feed
into the reader or they may be dropped or shuffled. These types of problems usually
'	 result in a considerable amount of lost time. It was advantageous to minimize the
amount of card handling associated with the development and validation of the model.
To do this, the Update Program was developed, which loads and stores the model on
tape. The tape is used as input to the preprocessor, and all corrections or changes
can be made on the tape. The complete card deck need only be processed once.
1. 4.2 TIME CARD PROGRAM - There must be a time card for each variable in
the model and each variable name must be identical to the name in the equations.
The generation of these cards is time consuming, and any clerical error will result
in an invalid preprocessor output. The delays caused by this can be appreciable
depending on computer turn-around time. To eliminate this problem the Name/Time
Card Generator Program was developed. This program generates the time cards
from the equation deck. This eliminates the job of keypunching time cards, and
ensures that all time cards match the variable names in the equation.
1. 4.3 INPUT. PROGRAM - The simulation of the system for test procedure validation
requires a set of driving functions which correspond to the test procedure command
instructions (DISO) and manual operations. The driving functions for the sample test
model for IDA 5010 of the EDS were keypunched directly from the test procedure which
recaired approximately 700 cards not including the initialization inputs. There are
11 IDA's in the procedures which were to be validated. Since IDA 5010 was one of
the shorter tests, it was assumed that at least 7700 cards would be needed. After
estimating the time required to keypunch and eliminate typographical errors from
this many cards a better method of generating these inputs was investigated. As a
result a program was written which could generate the driving functions from the
ATOLL tape. The DNS/ATOLL Input Conversion and Punch Program punches the
step, sub-step, discrete output (DO), and comment cards from the ATOLL tape.
The comment cards must be checked to determine if they contain a manual input, in
which case the input card must be keypunched from the procedure. Since there is
no standardized method for indicating manual operations and identifying the variables,
it was not possible to generate these automatically. The majority of the manual
inputs are contained in the test preparation steps which average 50 cards per test
procedure.
An option to put the inputs on tape instead of punching cards was included in the
Input Generator Program. This tape is compatible with the Update Program, and
comment cards can be deleted and manual inputs added. This tape could then be used
as input to the Simulation Program. This option was not used in this initial application,
a	 since simulation was done in small segments for checking the model, and card handling
(	 was not a problem.
1.5 SYSTEM SIMULATION
The Simulation Program has several print options which allow the user to select
the type of printout best suited to his need. Two types of printouts were used when
running the simulation of the three test procedures for this application. The normal
history printout (Figure 2) shows all of the changes of variable states for a given
input. This shows the variables that have changed state, what caused them to change
state, and what variables they will cause to change state. The logical sequence of
events from an input (initiator) to an indicator (terminal) can be followed. This type
of printout Is valuable in determining the reason for a differonca 4 etwoon the simula-
tion results, and those predicted by the test procedure.
The ''V'ariable Print' printout (Figure 3) shows the actions of only those variables
which are specified by the user. The names of the variables which the user is interested
in monitoring are punched, one variable name to a card, and become part of the simu-
lation input deck. Only those variables appear on the printout. By specifying only
DI's and DO's a printout is obtained which resembles the test procedure. This makes
a manual comparison of the simulation and the test procedure much easier than with
the normal printout.
In order to obtain some ` additional information, which the Quality Assurance
Laboratory indicated would aid in test procedure validation, modifications were made
to the simulation program to count the number of times each variable changes state.
This has two major functions for test procedure validation. It provides an easy means
of determining if all the variables connected with a particular system have been exer-
cised by the procedure, and shows any variables which may have been overtested. The
di-R	 M^	 t r.	 1	 b	 „t ;v, ,4 r ;^ is
 already at, the st 4.Pprogram
	 also tuE3ui±^ed ^„ prin
t
 ^.TiYA N^ all, input ;sh^ h a -_,	 >a_^
which it is being input to. This identifies steps where a DO was not turned off after
completion of a previous portion of a test.
1.6 COMPARISON OF SIMULATION RESULTS WITH TEST PROCEDURE PREDICTIONS
The predicted results in the test procedure are compared to the simulation printout
to determine where differences occur. An analysis is made to determine if the dis-
crepancies are a result of an error in the schematics, the model, or the test proce-
dure. Initially, the comparison of the simulation and test procedures was done
manually. For the test model, a variable print simulation was run which showed only
DO's and DI's. These were then compared to the test procedure DO inputs and DI
predictions to determine any differences.
Although this was an improvement over the methods of manually validating a
procedure, it was still a tedious and time consuming task. For this reason the DNS/
ATOLL Comparator Program which automatically compares the simulation results
with the test procedure predictions was developed. The Comparator Programs ,compares
the simulation results on tape to the ATOLL tape and prints the differences between
the two. This limits the manual analysis required to determine the reason for the
r:
11
*STEP NO	 013700
Yr _	 INPUT= :,R- ..:- 	 005 5 —1 2	 ...^.
SSK9S 1
ENTER
	
_ :	 SSK9S	 —___ ^3-..:.^-_ .	 :ffi_._^_ 21—
61K91 1
-.61K93 1.,. _
61K95 1
61K97- 1 --------
62K99 1
a 62K  101
	
_ ---1-
62K103 1
62K 105 1
SSK9R 0
^'— '--EN T E R	 S S K 9 R ^-----1{j
ENTER	 61K91 1 9
ENTER	 61K93 1 9
DI688 —0
ENTER	 61K95 1 9
I	 DI687
ENT ER , 	 61K97 1 9
DI686 .
EN TER	 62K99 1 9
DI685
ENTER	 62K101 1 9
D I-6-8 4
ENTER	 62K103 1 9
D1683 fl--
ENTER
	 62K105 1 9
DI682 -	 —"I
ENTER	 DI689 0 9
-"	 --ENTER	 -D-I-6 8 -8
ENTER	 DI687 0+ 7
ENTER—	 —`D1-6 86 ------6
ENTER	 0I685 0 5
ENTE	 —01684 -----4
ENTER
	 DI683• ^ 3
NT E R	 D 1-68 -------0---
INPUT	 D055 0 1
THERE WERE	 20 EVENTS IN CASE	 260
Figure 2. Simulation normal history printout.
12
w*STEP NC	 013700
INPUT
   :_,,=D4:55	 _	 .__._	 Y_ _	 1 2 _r._	 . m
ENTER D1689 0 9
INTE R 0I688 '0 8
ENTER 0I687 P0- ^7
ENTER DI686 0 b
EhTEK 16 85 0 5
ENTER ^DI684
a,	
0 4a
ENTE-R DI683 0 3
ENTER 0I682• 0 2
INPUT 0055 0 1
TNERC WERE	 27 EVCNTS IN CASE 	 290
discrepancies encountered. The Comparison Program also determines variables
which change state more than once in a given step, either in the simulation or the
test procedure. It locates and prints a message for all branches in the procedure,
4 nd lists those variables which were not exercised during a test.
At step 20 substep 0 (Figure 4) a test with a branch to step 20 substep 8 has
been encountered by the comparator. A message is printed to call attention to
this point in the procedure. In step 40 substep 0 DI0511 has become a one in the
simulation but was not predicted by the test procedure. Due to insufficient documen-
tation on a black box DIO233 and DIO226, step 126 substep 0, were not written, and
a message is printed when they are encountered in the procedure. In step 130 sub-
step 0 three DI t s were predicted by the test procedure but were not energized in-the
simulation. Those steps where a discrepancy occurs and the Lype of discrepancy
encountered are printed by the comparator.
Where the comparator indicates that a discrepancy has been encountered, the
cause of the discrepancy can be determined by tracing the logic through both the
normal print simulation and the schematics. If the discrepancy is due to an error
in the logic model, it should be corrected and another simulation run. If the cause
of the discrepancy is an error in the schematics or the test procedure, appropriate
action should be taken to inform the people responsible for the documents of the error.
Ensuring that all the predictions associated with the inputs in a test,procedure
i	 are correct is not a complete validation. It must also be determined if the procedure
effectively checks the hardware of the system being tested. It is necessary to know
if all of the system has been exercised, if any components have been over tested,
and LO the system has been altered in any way by the procedure. By analyzing the
simulation list and the comparator cycle list, this information can be obtained. The
simulation list tells what variables have been cycled during the test, and the number
of times each variable has been cycled. From this any variables which have been
over tested can be readily identified. The difference between the state of the hardware
before and after the test can also be obtained from the simulation list. The simulation
list shows the variables, their state at the time the list is made, and the number of
half cycles (state changes) for each variable. An odd number of half cycles would
indicate that the variable is in a different state than it was at the beginning of the
test. The exceptions to this are those , variables such as latching relays which must
be pre-set before the run begins.
Figure 5 is a copy of a part of the cycle list for the simulation of IDA 5003 of the
General Networks Test Procedure. This shows that coil 65K123 was cycled ten times
while coil 65K124 was not exercised at all. Coil 67PK2 was turned off, on, and off
again giving it a total of 3 half cycles which indicates that it is in the opposite state
from that which it was at the beginning of the test.
s
14
Figure 4, Comparator  program printout.
15.
DISCRETE NETWORK SIMULATION VS ATOLL TEST PROCEDURE COMPARISON
IBM TEST PROCEDURE	 IUA5003
STEP	 0023
NOTE
	 TEST
SUBSTEP
AT STEP
00
0020 SUBSTEP 06 CAN BRANCH TO 002008
STEP	 0043 SUBSTEP 00
_	 DNS DISCRETE IN NOT IN ATOLL
D10511 = -1.
STEP	 0124 SUBSTEP u C-
NOTE _ 1EST AT STEP 0125 SUBSTEP 00 CAN BRANCH TO 012900
STEP 0126	 _ SUBSTEP 00
NOTE- -- ATOLL DISCRETE IS NOT IN DNS MODEL
D10233
DIO226
STEP 0133	 SUBSTEP 00	 -	 ---
ATOLL OI SCRETE IN NOT IN SIMULATION
DIO263	 = 1.
D 10264
0IO273 
	 is
STEP 014)	 SUBSTEP 00
NOTE
	 TEST AT STEP 0141 SUBSTEP 00 CAN BRANCH TO 014500
I5 O O	 O O	 M	 N	 N	 O	 N N N N	 O C
^ f
r-4 H ' 0-1 r-4
I
If	 • • • • • • o s • e o •  • o •	 +
> O C O O r-4 O O ,4 r-+ O rp O O 8 4 CO) .-^ O rT -^ •-
O
cd
M
O
Qin
Qf
H•
0
w
W
a^
.	 U•
ar.l
d>a
^•4
^^Cd
•
F4
f
W
N
ulc
,o r
Ch C
r-4 r
D ^
4-
ti
.o
v 1
x^
•c> .
,o
L
L
L
r
L fl r
^o
.o .
'^ O r
j r-4 r
1u1U
r-4 r
00 C
r-1 r
115 L
^ r
N r
N r
LN u
r-4 r
q G
N ?^
tf1 L
r-1 r
N
.a r
LC) L
-4 P
Lt^►
^ 4
r-- C
x.
%0
i
O r
N C
UM u
r^l r
ra q
N N N
^e	 a. L
.o	 %0
.o
Nt	 •o rNcyINP
U1	 Ln L
r--0	 r^ r
1
^ to
f
LLJ
j	 -i C
u
u
4
l
► i
P
{
'
I
F
w
—^ C
4	 i r
f
1
S
• J
i
'	 co
'
•
r
t
r
u
d
,
V) tH i
J
r ^
V ° Ln
-4 .-+f .-4 .-4
	 .-4 ^z N C
L^ ^C'^:VTC Y	 Y ^
-% ° °n	 Ln t .o
	 •o
0	 %o %0 10	 10	 •o
-4 N % .o 00 C
OC,^O 0 O O OC
1 t1l^^ Ln U U') to	 , U) u
2
COMPUTER PROGRAMS
Test procedure validation by Discrete Network Simulation utilizes six computer programs
developed by the Convair division of General Dynamics. These programs provide a. fast
accurate means of determining errors in the test procedure and the extent to which the
procedure checks the hardware.
2. 3, DNS UPDATE PROGRAM
The logic models associated with applications of DNS, require large quantities of IBM
cards. When the model is being developed and validated it is continuously being changed
and updated. This requires a great deal of card handling, since each time a change
or addition is made, a new Preprocessor must be run using the entire card deck. In
order to minimize the amount of card handling associated with the development of a
logic .model, the DNS Update Program was developed. The program provides the
capability for;
^-	 rM;i ^ .. r,4 image file of the model on rapeI •	 GeneraV..- ,lg a. Val u ,.,.uu.gv 	 v.. .+,.a...s 	 _1,	 t .
2. Inserting new or additional cards into the model, where desired.
3. Deleting individual or groups of cards from the model.
4. Correcting individual cards.
With this capability the complete card deck of the model need only be handled once,
when loading it on tape. Each modification to the, model is done with a small binary
deck and data cards. The program incorporates the change into the model, creates
a new tape of the corrected model, and a printout of the updated model.
2.2 NAME /TIME CART) GENERATOR PROGRAM
The logic model for DNS applications consists of an equation section and a time card
section. Each variable in the equation section must have a time parameter card
associated with it, in the time card section. Each time parameter card contains
the variable name, its pickup and drop out times, and an activity code relating to its
working state for Discrete Network Simulation (DNS). If the variable is to be considered
17
i
as a candidate for Automatic Malfunction Analysis (AMA), the card must also contain
the hardware classification code for the variable. Complete and thorough checks
throughout this entire process are required to avoid errors, since the data entries
and format for these cards must be accurate if results from the subsequent DNS and
AMA programs are to be valid. The time parameter cards are normally written
by the analyst on coding sheets and subsequently keypunched.
The NAME/TIME Card Generator Program eliminates most of the manual
generation of these cards. The program uses the punched equation card deck as an
input and:
1. Compiles a list of variables.
2, Determines the required timing, and classification data for each variable.
3. Punches this information on cards to create the time parameter cards.
4. Prints a list of the card images,
f
This program greatly reduces the time required to manually generate and validate
the time parameter cards and has increased the overall effectiveness of the DNS
technique.
2.3 DOWN TRANSLATION AND CULLING PROGRAM
The DTC Program permits the use of descriptive variable names of up to twenty-four
characters. This permits variable names to be constructed from the actual name -and
location of a component within a system. Therefore, the logic equations can be written
in descriptive engineering terms that are readily identifiable, even to those unfamiliar
with the program.
The DTC Program processes the system model, and assigns to each variable an
arbitrary three-letter code. This three-letter symbol is subsequently used in the
remaining DNS programs. When a printout of the processed data is obtained, the
three-letter code is replaced by the original engineering term or descriptive word
simplifying the analysis of the, processed data.
Only those variables that are active (change state as a result of normal system
actions) are retaifted for the actual simulation. Variables that do not change state as
a result of "system reactions", but do change state if they fail, are classified as
"Inactive" and culled from the logic equations by the DTC Program. The program
also culls unspecified variables (those w,Uch do not have a time parameter card) from
the equations. Specific types of variables can be designated as failure candidates by
the DTC. This information is used in the subsequent AMA programs. The following
outputs are, generated by the DTC Program.i
18
1. A tape containing the coded equations and the time parameter data. This
tape is an input to the subsequent Preprocessor Editor. Information on this
tape is in Binary Coded Decimal (BCD) .format.
2, A binary tape that includes a table of the complete variable names in their
original format. This tape is required as an input to the AMA Program.
3. A printout of the time parameters and equations, exactly as they appear on
the input card deck.
2.4 DNS PREPROCESSOR EDITOR, PROGRAM
The DNS Preprocessor Editor Program (PREP-ED) is a combined form of earlier
Convair division DNS Preprocessor & DNS Editor Programs. This program utilizes
the culled and coded output of the DTC Program or the six character variable punched
card deck and is required to 'order' or 'process' the data for the DNS simulation and
AMA programs. The program provides a series of tables that define the interdependency
relationship of each active variable within a model. Self-checking diagnostic features
are built into the program to ensures that every variable on the left hand side of any
equation also appears on right hand side of an equation unless it is identified as. a terminal.
It checks that activation times have been supplied for each variable and produces a listing
of the logic equations and timing; information for reference. The Prep-ed produces:
.1. A printout of the reference tables (used mostly for model validation).
T
2. A binary tape for use with the AMA programs.
3. A binary tape for use with the simulation program.
2.5 DNS/ATOLL INPUT CONVERSION AND PUNCH PROGRAM
To utilize the Discrete Network Simulation (DNS) Programs for test procedure verifica-
tion, it is necessary to derive driving functions for use with the Simulation Program
from the ATOLL test procedure. This program generates the driving functions from
a card image tape of the ATOLL test procedure. The cards are punched in a format
compatible with the Simulation Program. TEST operators which may re; .
 Jre branches,
and SEMI's which may request manual operations are identified. The analyst must check
these areas to determine if additional inputs are required.
2.6 DISCRETE NETWORK SIMULATION PROGRAM
After the system model has been processed through the DTC and PREP-ED programs,
system operation can be simulated using the DNS program. The model, as written,
represents the system in a static condition. The driving functions (Input :Deck), gener-
ated by the Input Conversion and Punch Program is then required to establish the model
in the initial condition for the simulation and to represent the a Itivities to be simulated.
19
The Input Deck contains the state of each input required to 'drive' the model and the,
time that the input will be processed. The results of the simulation are recorded on
the output tape.
The program first establishes an initial condition for the state of the variables
in the model. On the basis of this state, it examines all equations in the model and
the logic predicts what variables will change state. The simulation represents real
time; therefore, after the prediction has been made, the program looks up the activa-
tion times for the variables changing state, and imposes that time delay on the program
before allowing the predicted changes to occur.
2.7 DNS/ATOLL COMPARATOR PROGRAM
The Comparator Program validates the test procedure by comparing the results of the
test procedure simulation with the ATOLL predictions for the test procedure, and
lists any differences encountered. Areas of differences are manually examined to
determine the reason for the difference.
2.8 ON-LINE SIMULATION WITH UNIVAE 1108
With the installation of the remote terminal multiprocessing Univac 1108 system
nearly completed, an investigation was conducted to determine how the DNS programs
could be efficiently utilized on this system.
The initial application of AMA was based on a pre-test technique wherein the
model of the system under test and its associated test procedure were completely
simulated on the IBM 7094 computer at the Computation Laboratory. T his required
a complete analysis for each indicator in the system at each point in the procedure
where the checkout computer compared the system indicators to a predetermined list
to identify 'no-go's'. Complete analysis of each indicator for failures that could cause
a single or group of indicators to indicate a 'no-go' was performed on the IBM computer.
The generated effect and cause data was edited for redundant information and reformatted
in terms of test block, step, substep, and indicators. This edited information was s^^,ored
on tape for search by the checkout computer and the desired AMA data was displayed on
the CRT when required. The size of the system under analysis and the length of the test
procedures require a considerable number of computer hours for complete analysis.
The majority of the data generated will never be interrogated due to the anticipated low
frequency of component failures, however, data which can isolate and identify• component
failures is very valuable.
It was determined that the RCA 110A computer will be connected to the Univac 1108
system as a remote terminal. In actual operations, the Univac Executive system would
treat the RCA 110A the same as any other remote terminal connected to the system.
By using the checkout computer as a remote terminal, the status of the system as deter-
mined by its procedure can direct the operation of the Discrete Network Simulation Program.
20
In this manner, only the AMA data that is actually required during a given test operation
will be generated. This will eliminate many computer hours that otherwise would be
taken to generate data for which there is no requirement.
Since significant portions of the existing DNS programs are written in the symbolic
language of the IBM 7094; the major task for adapting the DNS programs for use on,
the Univac system is the conversion or rewritting of these programs into a Univac
compatible language. The large bulk storage capability of the Univac allows the
assumption that all reference data required for the DNS programs will be stored on
r	 drum, thus simplifying the total processing to accomplish system simulation.
It appears that very little changes would be required in the Preprocessor Editor
Program other than to combine with one Preprocessor Program those functions that
are presently accomplished by the Down Translation and Culling Program.
2.8.1 SIMULATION PROGRAM - The Similati.on Program uses the tables produced
by the Preprocessor Program, accepts inittial conditions and external forcing functions,
and then provides a time variant history output of activities during the simulation process.
To operate with the MSF C Univae 1108 system three different versions of the simulation
program will be provided. A principal diff , a.-ence 'between the three versions of the
simulation program will be how the initial conditions, and external forcing functions are
provided relative to the required output of the simulation program. For Malfunction
Analysis a list defining the sta.tus of all variables at a fixed point in its operational
or time sequence ;is produced.
2.8.1.1 PRE -TEST *MODE - The simulation is run prior to the actual test operations
during which sz)me malfunction analysis could be required. The driving function for the
simulation program is the test procedure, plus the control functions which will cause
the program to record a state last defining the status of all the variables at each point
in the procedure where a stimulus is produced. This state list will be referenced to the
point in the procedure where it was made so it can be used by the AMA program later.
In this mode of operation, the simulation program will also keep track of the number
of times that each variable has changed state and provide this as additional information
with the state list when regh,d,red.
2.8.1.2 NORMAL MODE - The normal mode is defined as the operation whereby the
simulation is not started until the point in the procedure where the AMA. to be conducted
is known. The initial conditions and internal forcing functions are adequately defined
by the test procedure. The external input will require that the simulation defines the
system at a specified point in the test procedure by block, step, and substep. It is
anticipated that the initial conditions can be summarized so that the simulation can
begin at the beginning of any selected test block. The forcing functions would then be
sequentially read from the input tape into the system until the desired point in the
procedure is reached and a state list defining the status of the system would be produced.
1
21
Since the status of all the DO's in the model can be requested from the RCA 110A
DO profile table, the status of the DO's in the input and forcing functions will be
compared to the actual status of the DO's to assure that the model is in the state
requested.
2.8.1.3 MODIFICATION MODE - In the modification mode the ,simulation program
will obtain the driving functions for the simulation from the DO commands that are
transmitted by the RCA 110A computer. This would allow the simulation of the system
to follow the actual test operations when either the procedure is being modified through
manual operations at the test conductors console or the test procedure has branched
to an alternate mode of operation. The simulator program would request the DO
reference profile from the control computer and then mask the reference profile so
that only those DO's that were actually in the model would be evaluated. * Any differences
between the DO profile and the latest state list of the model would be determined and
these differences would constitute the inputs to thp. simulation program. Once it was
determined that the modification mode of simulatiW was to be used, a more realistic
simulation of the system could be conducted if a list could be constructed in the RCA110A
of the DO commands in the order that they were initiated. The lists would then be used
as the inputs for the simulation program and allow the DO commands to be input in the
same sequence as they were in the actual operation. This method would impose additional
requirements upon the programming and operation of the checkout. computer but it would
take into account those few cases where the order of the output commands to the system
being simulated affects its operation.
2.8 .2 AUTOMATIC MALFUNCTION ANALYSIS PROGRAM - Automatic Malfunction
Analysis (AMA) is an analytical technique to determine the cause of an indicated 'no-go'
on any of the discrete inputs (DI) being monitored. The normal simulation derived .state
list;. is used as the basis for the analysis. This state list represents the time variant
status or values of the variables. Analysis is the reverse of simulation. Simulation
derives the status of the, indicators; AMA uses the indicators to drive the analysis of the
system. The analysis determines what component failures could cause various indica-
tors or combinations of indicators to fail for the exact system configuration under con-
sideration as defined'by the state list. The type of failures to be considered for each
category of components are inputs into the analysis program.
For the Univac 1108 application two modes of operation of the AMA program
will be required. In the current versions of the AMA program, the analysis . a conducted
for all the DI's that are in the model for each state list that is used for AMA. The
indicators - effect and component - cause data derived from the analysis is used by
the AMA editor program to provide translated and edited analysis data. The capability
for complete AMA. from a state list should be retained in this application since valuable
analytical data, can be determined from analysis of all the indicators in the system.
The second mode of operation for the AMA progr?m represents the anticipated
requirement for the pseudo-real time operation, In this mode, the AMA program would
22
only conduct the analysis for those indicators (DI) that are actually in a 'no-go' status
at a given point in the procedure (state list). The discrete inputs that are determined
to be in a 'no-go' status by the RCA 110A computer would be transmitted from the 110A
registers to the 1108 computer. The status of these indicators would be compared to
their status in the normal simulation state list prior to the beginning of the analysis
to ensure that a valid 'no-go' condition exists. Due to the interdependency of the elec-
trical networks, many variables have a high 'common point value' (common point value
equals the number of indicators in the model that a variable can. affect) . This will
require that the first portion of the AMA processing be completed regardless of the
number of indicators that the program will be requested to investigate. After the
I Atial processing the program will complete the analysis for only those indicators
that are requested by the RCA 110A computer, either from the DI 'no-go' or from
the test conductors console.
2.8.3 AMA EDITOR PROGRAM - . The output of the AMA program lists the possible
failure candidates in the internal machine coding. The Editor Program provides the
interface to the translation dictionary to convert this variable identification back into
engineering terminology. The translation dictionary will provide the reference keys
to look up any additional information required for each of the components listed. The
AMA editor output format will be compatible with the requirements of the RCA 110A
display system so ghat this information may be transmitted by the Univac Executive
system to the RCA 110A without any additional format conversion. The exact output
format of this program will be determined after close coordination with both the
Test and Computation Laboratories.
23
CONCLUSIONS AND RE, COMMENDATIONS
3.1 CONCLUSIONS
1. The versatility of the DNS technique-was demonstrated by its effectiveness
and adaptability as a basis for test procedure validation, developed under-this
contract.
2. The DNS programs can be used to verify test procedures. When IDA 501.0
of the Emergency Detection System was simulated and the results com-
pared with the test procedure predictions, it was found that only 15 of 347
steps did not agree. A manual check of these 15 steps, in which only 4
discrete inputs were involved, showed that each disagreement was due to
relay timing that caused these DI's to cycle. Notes in the test procedure
indicated that this cycling might occur.
3. Through the use of the DNS technique, test procedures can be validated
quickly and efficiently. It is capable of greatly reducing the tedious and
time consuming task of manual validation.
4-0 Test procedure validation by the DNS technique provides an accuracy check.
of the hardware. drawings. Since the model is written from the drawings,
any errors in them will be reflected in the equations and will cause a dis-
crepancy between the test procedure and the simulation. These discrepan-
cies will be flaged by the comparator program and a manual check 'by the
analyst will find the drawing error.
5. Test procedures that are well defined can be readily and effectively vali-
dated by the DNS technique. If wiring changes directed by the test procedure
are not reflected in the schematics, the changes will not be included in the
DNS model. Updating the model to incorporate this type of logic change
lengthens the overall time required to validate a procedure and may result
in the development of a model that is unique only to the procedure being
validated.
6. The logic model should be written using the best possible documentation.
The model can be no more accurate than the documents from which it is
written and the simulation used to verity the test procedures no more
accurate than the model.
t=
24
