Study of spaceborne multiprocessing, phase 1 by Koczela, L. J.
NASA CONTRACTOR REPORT
STUDY OF SPACEBORNE MULTIPROCESSING
PHASE I
by Louis J. Koczela
Prepared by
NORTH AMERICAN ROCKWELL CORPORATION
Anaheim, Calif.
for Electronics Research Center
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION, WASHINGTON, D. C., FEBRUARY 1970
https://ntrs.nasa.gov/search.jsp?R=19700011301 2020-03-12T01:21:04+00:00Z
NASA CR-1446
STUDY OF SPACEBORNE MULTIPROCESSING 
PHASE I 
By Louis J. Koczela 
Distribution of this report is provided in the interest of
information exchange. Responsibility for the contents
resides in the author or organization that prepared it.
Issued by Originator as Report No. C6-1476.10/33
Prepared under Contract No. NAS 12-108 by
NORTH AMERICAN ROCKWELL CORPORATION
Anaheim, Calif.
for Electronics Research Center
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
For sale by the Clearinghouse for Federal Scientific and Technical Information
Springfield, Virginia 22151 - Price $3.00

The study described in this report was performed by
Data Systems Division of Autonetics, a Division of North
American Rockwell Corporation, Anaheim, California. The
work was done under NASA Contract NAS 12-108 with Mr. F. Hills,
Electronics Research Center, Computer Research Laboratories,
Cambridge, Massachusetts, as the NASA project engineer.
The study began in March 1966. The contract participants
included:
L. J. Koczela - Principal Investigator
A. O. Wiliman
Q. J. Burnett
F. H. Fowler
J. S. Hirsch
R. A. Hokom

CONTENTS
Foreword
Summary
I. Introduction
II. Computer Requirements
2.1 Introduction
2.2 Mission Profile
2.3 Mission Objectives
2.4 Mission Functions
2.5 Spacecraft System Description
2.6 Computational and Data Processing Functions
2.7 Mission-Function Time Line Profile
2.8 Detailed Computational Functions
2.9 Computer Requirements
III. Component Technology
3.1 Introduction
3.2 Circuit Technology
3.3 Memory Technology
IV. Multiprocessor Candidate Organization
4.1 Introduction
4.2 Multi-Computer and Modular Multiprocessor
4.3 Distributed Processor
V. Simulation and Evaluation of Candidate Organizations
5.1 Simulation and Reliability Analysis
5.2 Critical Evaluation and Recommended Approach
VI. Detailed Design of the Modular Multiprocessor Organization
6.1 Modules
6.2 Failure and Error Detection and Control
VII. Summary and Recommendations
Appendix A. Detailed Computer Requirements
Appendix B. Mass Storage Considerations
Appendix C. Fault and Error Control
References

ILLUSTRATIONS
Figure
1-1. Block Diagram of Study Approach
2-1. Command and Control Function Interface Diagram
2-2. Scientific Experiment and Exploration Function Data Handling Interface Diagram
2-3. Subsystems - Computer Interfaces
2-4. Computational and Data Processing Function
2-5. Probability Density Function
2-6. Cumulative Distribution Function
2-7. K CO Alpha Spectrum
2-8. Flow Chart for Status Monitoring Routine
2-9. Computer Storage Requirements
2-10. Computer Speed Requirements
3-1. Cross-Section of P-Channel Junction Type MOS/SOS Transistor
4-1. 18-Bit Instruction Word
4-2. 16-Bit Instruction Word
4-3. Instruction Word Formats
4-4. Duplexed Computer
4-5. Two Computer Approach
4-6. 12K Memory Board Supply and On-Off Switch
4-7. Output Switching of Critical Conditioners
4-8. Logic Levels for Control of Critical Conditions
4-9. Scientific Experiment Program Logical Representation
4-10. Sequence of Periodic Program Execution
4-11. Queue Chain
4-12. Priority Actions
4-13. Memory Allocation
4-14. Reconfiguration Process
4-15. Reconfiguration Process
4-16. Software Costs
4-17. Multiprocessor
4-18. Approximate Line Count
4-19. General Multiprocessor Configuration
4-20. Sequential Steps in Computation
4-21. Applied Parallelism in the Computation
4-22. Applied and Natural Parallelism in the Computation
4-23. Applied Parallelism - Degree of Complexity vs Gain
4-24. Natural Parallelism Curve
4-25. Distributed Processor
4-26. Distributed Processor Cell
4-27. Active Redundant Test Cells Within a Cell Group
4-28. Distributed Processor Cell Group Configuration During Group Testing
4-29. General Distributed Processor Configuration
4-30. Logic Array
4-31. The Cell-Group Machine
4-32. Input Data Item/Macro Formats
4-33. Cell-Group Status Board Entry
4-34. Task Status Table Entry
4-35. Dead Restart Program
4-36. Output Data Item/Message Formats
4-37. Transition Reconfiguration (Phase Start)
4-38. Transition Reconfiguration (Unanticipated)
5-1. Block Diagram of Monte Carlo Simulation
5-2. Multicomputer On-Off Failure Rate Effects on Ps
5-3. Error In Monte Carlo Simulations
5-4. Multicomputer Probability of Success
5-5. Multicomputer Failure Detection Probability Effects on Ps
5-6. Multicomputer Unavailability
5-7. Multicomputer Ps vs Number of Computers With Pd = 0.99 and 1.0
5-8. Multiprocessor Probability of Success
5-9. Multiprocessor Probability of Failure Detection Effects on Ps
5-10. Multiprocessor Unavailability
5-11 thru 5-13. Monte Carlo Simulation of Spaceborne Multiprocessing Study - Multicomputer Organization
6-1. Multiprocessor Organization
6-2. Processor Block Diagram
6-3. Instruction Word Format
6-4. Real Time Clock
6-5. Processor Registers
6-6. Processor Registers and Connections
6-7. Memory Cycle Timing
6-8. Basic Memory Cell Utilizing Complementary MOS Transistors Without Selection or Readout Provisions
6-9. Logical Operation of a Coincident Select Memory Cell
6-10. Organization of a Coincident Select Memory Cell Array
6-11. Connection of 18 Arrays to Form a 4,096 Word, 18 Bit, Subassembly for a Memory Module
6-12. Organization of a 12,000 Word, 18 Bit, Memory Module
6-13. Memory Module Volatility Circumvention
6-14. 12x18 3D Memory (Today's Technology)
6-15. NDRO Multiword Memory (Today's Technology)
6-16. NDRO Read and Write Signals
6-17. Future NDRO Read and Write Signals
6-18. Future NDRO Memory
6-19. Input/Output Module
6-20. Coincident Current Memory - 4K Stack Fault Detection
6-21. Executive Flow Diagrams
A-1. Computer Requirements per Phase
C-1. Detection of Standard Faults by Complementation
C-2. Self-checking Adder Without High-speed Carry
C-3. Two Bits of Adder Used in Parity Checking Addition
C-4. Parity Checker Used in Parity Checking Addition
C-5. 3-Bit Parity Checker

TABLES
Table
2-1. Scientific Experimentation Subsystem Functions
2-2. Mission-Function Time Line Profile
2-3. Interplanetary Experiment Computer Requirements
2-4. Mars Orbital Experiment Computer Requirements
2-5. Computer Requirements by Mission Phase
4-1. Speed and Storage Requirements for Phase 12, Mars Orbital
4-2. Speed and Storage Requirements for Phase 12, Mars Orbital, With a 12 Bit and 18 Bit Word Length
4-3. Non-Critical Phase Reconfiguration Summary
4-4. Reductions in Computation Time Due to Parallelism
6-1. Software Test Characteristics
6-2. Executive Data Base Table
A-1. Computer Requirements
STUDY OF SPACEBORNE MULTIPROCESSING
Louis J. Koczela
Autonetics, A Division of North American Aviation, Inc.
Anaheim, Calif.
SUMMARY
This final report presents the results of a research study of multiprocessing
computer organizations and their application to future space missions. A manned
Mars lander mission in the 1980 time period was investigated and computer
requirements defined. Three multiprocessing computer organizations were developed: the
multicomputer, the modular multiprocessor, and the distributed processor. An
evaluation of the three organizations resulted in the modular multiprocessor as the
optimum candidate for the selected mission; this organization was then subject to a
detailed design investigation.
I. INTRODUCTION
The purpose of this study was to investigate multiprocessing computer
organizations and their application to future space missions. A block diagram of the
study approach is given in Figure 1-1. As a base for the study, manned space missions
in the 1980 time period were selected to define the computational requirements. The
particular mission selected for a detailed investigation to define the requirements was
the manned Mars landing mission. This mission covers a broad spectrum of
requirements (long duration, widely varying computational loads, and high reliability demands);
therefore, using it as a base will result in applicability to many other missions in the
same time period such as extended earth orbital space stations.

The selected mission was investigated in detail to define the requirements. This
effort is covered in Section II of this report. Based on an analysis of the mission and
computational and data processing functions, the computer requirements were defined
for each phase or mode of the mission.

In addition to defining the requirements, it was necessary to define the technology
to be considered as state-of-the-art for the time period of interest before proceeding
with an investigation of multiprocessor configurations. Although the time period of
the missions considered is 1980, it is necessary to use technology that will be
available for designers in approximately 1975, so that reliability has been established. The
investigation and definition of the technology base is given in Section III.
Multiprocessing organizations are considered to offer considerable advantages
in application to future manned space missions. These organizations can result in:
(a) efficiently meeting the widely varying computational loads of different phases of
a mission, (b) efficiently mechanizing the diverse requirements of various subsystems
of a mission such as a command module and a lander module, (c) an overall net
reduction in power due to the ability to turn modules on and off, (d) increase in
reliability, given that failure rates of dormant equipment are lower than operating
equipment, and (e) enhancement of probability of mission success and availability due
to reconfiguration around failures at a low module level.

Using the requirements and technology defined as a base, three organizational
approaches to multiprocessing were investigated. These were (a) multicomputer,
(b) modular multiprocessor, and (c) the distributed processor. The general organizational
features, such as word length and instruction format, were evaluated and traded
off. Each of the three organizations was subject to a preliminary logic design, a
failure analysis, and a software analysis. This topic is treated in Section IV.

Using the results of the preliminary design, a simulation (reliability) and critical
evaluation of the three candidates was performed (Section V). From the results of
the evaluation the modular multiprocessor was selected for further investigation.

In order to evaluate the candidate multiprocessing organizations, the computer
system characteristics were weighted by NASA ERC in terms of relative importance
as follows: (a) Computer Probability of Mission Success - 100, (b) Power - 10,
(c) Growth Potential - 4, (d) Development Risk - 1, (e) Weight - 1, (f) Size - 1,
(g) Cost - 1.

Extensive investigation was performed on the selected organization in terms of
design, failure analysis and software considerations; these topics are covered in Section VI.
Figure 1-1. Block Diagram of Study Approach
II. COMPUTER REQUIREMENTS
2.1 INTRODUCTION 
In the study of Multiprocessing Systems, a problem immediately arises as to the
meaning of several terms. Since the extended use of more complex structural
computers is rather recent, the terms associated with them have not become firm.
A great deal of confusion arises in reading reports and in verbal communication if the
meaning of terms is not clear; therefore, further definitions shall be given. The
following is an attempt to define some common terms in accordance with the most
common usage. All use of the terms in this report will be consistent with the
definitions.
Availability (operational) 
The probability that a system or equipment when used under stated conditions
and in an actual supply environment shall operate satisfactorily at any given
time. It may be expressed as:
$$A_0 = \frac{\text{MTBM}}{\text{MTBM} + \text{MDT}}$$
where
MTBM = mean time between maintenance and ready time during
the same interval
MDT = mean downtime
Availability (inherent)
Similar to $A_0$ except relates to ideal supply environment and does not consider
scheduled or preventive maintenance.
$$A_i = \frac{\text{MTBF}}{\text{MTBF} + \text{MTTR}}$$
Backup 
Refers to a function or hardware not involved in a primary mode, function, or
task which will be used in case of failure of the primary.
Cellular Arrays
An arrangement of computational cells (generally rectangular), all of which perform
basic logic or arithmetic operations and can derive inputs from and send outputs
to each of their neighbors. (The information is generally transmitted through
the array in parallel with operations being performed on a bit per cell per
operation basis.) One form of distributed logic.
Distributed Logic 
The decentralization of the logic elements on an array basis. Each element
(cell) of the array can communicate with a number of other cells. Each of the
cells has some memory associated with it. The complexity of each cell can
vary from the execution of a few logic operations to a small computer. The
control for execution of a program is distributed among the cells.
Iterative Array
Synonymous with "Cellular Array."
Iterative Circuit Computer
Synonymous with "Distributed Logic."
Maintainability (Ref: MIL-STD-778, 8 April 1964)
Maintainability is a characteristic of design and installation which is expressed
as the probability that an item will conform to specified conditions within a
given period of time when maintenance action is performed in accordance with
prescribed procedures and resources.
Microprogramming
Computer control mechanization wherein the instructions are handled as macros.
Each macro is interpreted in terms of micro-operations by either programmed
or modifiable logic (core or diode memory). The micro-operations are the basic
instruction set of the computer and are defined in terms of basic logic, shift,
and transfer operations. (Same as "stored logic.")
Multicomputer
Two or more computers with intercommunication which operate on one or more
programs. The computer implied consists of an arithmetic unit, memory, and
input/output unit.
Multiprocessing
Simultaneous execution of two or more programs or sequences of instructions
by a multipath structure.
Multiprocessor
A computer capable of multiprocessing (multiple arithmetic units, memories,
and input/output units with versatile communication is one hardware approach).
Cellular arrays are another.
Multiprogramming
Interleaved execution of two or more programs by a computer complex.
Parallel Processing 
Simultaneous execution of two or more sequences of instructions (generally
branches of same program) by a computer having multiple arithmetic or logic
units.
Probability of Mission Success
Probability that mission objectives are attained.
Reconfiguration
Changing pieces of hardware performing a function. This may be manual or
automatic and may be performed as a result of system failure or change in
mission mode.
Redundancy
Additional time, computation, or hardware used above the basic requirements of
a function so that a required probability of success of that function can be
attained.
Functional Redundancy - Use additional or backup functions.
Active Redundancy - Techniques which sense faults, isolate them and
switch out or replace failed equipment.
Passive Redundancy - Faults are not detected, they are masked by
extra equipment. Defective equipment remains in place.
Reliability (RETMA definition)
Reliability is the probability of a device performing its purpose adequately for
the period of time intended under the operating conditions encountered. Measure
commonly used is Mean-Time-Between-Failure (MTBF).
Repair
The process of returning an item to a specified condition including preparation,
fault location, item procurement, fault correction, adjustment and calibration,
and final test.
Active Repair Time - The time during which one or more technicians
are working on the item to effect a repair.
Mean Time to Repair (MTTR) - The statistical mean of the distribution
of times-to-repair. The summation of the active repair times during
a given period of time divided by the total number of malfunctions during
the same time interval.
Repairability - The capability of an item to be repaired.
Self-organizing 
Processes employing neural network type redundancy. System reorganizes
around faulty modules or cells. (Infers random type techniques.)
Self-Repairing
A self-repairing system is one which has the capability to continue to work
correctly, even if some of its elements malfunction.
In high redundancy techniques errors may be masked by voting techniques.
In lesser redundant techniques errors must be detected, isolated, and
then the system is reconfigured around the fault by changing its mode of
operation.
Time Sharing
Time multiplexing of several users on a computer. This will, in general,
require processing of different programs for each user. No restrictions on
type of computer are implied by time sharing definition.

The manned Mars landing and exploration mission was selected as representative
for application of spaceborne multiprocessing techniques. The establishment of the
mission requirements is a necessary first step in the process of developing an
appropriate multiprocessor concept. A number of studies relating to manned Mars missions
have been conducted throughout industry under numerous NASA contracts. The
documented results of these studies were reviewed with the objective of establishing the
particular mission requirements which would influence the on-board computational
and data processing facility. By taking full advantage of related studies, a realistic
appraisal of mission requirements was obtained with a minimum of delay in the
conduct of the multiprocessor study. The following discussion, as it relates to the
manned Mars mission description, is based primarily upon information provided in
references 1 through 11.
2.2 MISSION PROFILE 
The selected manned Mars mission covers a 420-day period and consists of
three primary phases, i.e., Trans-Mars, Mars Stay and Trans-Earth. The following
is a brief description of each phase.
2.2.1 Trans-Mars
The trans-Mars phase lasts approximately 120 days and begins after the
spacecraft is placed in an Earth orbit and checkout of all subsystems is completed. The
first operation is an Earth to Mars injection maneuver. The trajectory is then
determined utilizing Earth tracking facilities in addition to the on-board system to
accurately determine the trajectory errors and the required corrections. The next
operation is the selection of the desired spin plane and subsequent spin-up. This
establishes the artificial gravity environment required for a major part of the mission
duration. Navigational fixes are made as the mission proceeds with velocity
corrections performed when necessary. The spacecraft is de-spun about five days
prior to Mars arrival. It is then lined up for proper altitude and attitude into the
entry corridor to perform the aerodynamic braking maneuver. A circular Mars
orbit is obtained by applying a velocity increment utilizing the mid-course propulsion
system.
2.2.2 Mars Stay 
During the Mars stay period, which lasts about 40 days, three major operations
occur. These are: separation of the Mars Excursion Module (MEM) probably during
the first day in orbit; rendezvous and docking of the MEM with the mission module,
about the last day in orbit; and transfer of scientific samples and equipment from the
MEM to the mission module. The MEM is then abandoned in Mars orbit where it may,
using automated sensors, continue to measure and transmit data to Earth.
Communications with the MEM and Earth as well as scientific observation of Mars is
continuously maintained by the mission module during the Mars stay period.
2.2.3 Trans-Earth 
This phase lasts about 260 days. The first operation, following navigational
determinations of exit trajectory and launch time, is the Mars to Earth injection
maneuver. Navigational fixes are performed for the next several days and corrections
carried out utilizing the mid-course stage. As the trajectory is finalized, the
spacecraft is spun up. Navigational fixes are periodically made to provide corrections
during spin coast. Approximately five days prior to Earth arrival the spacecraft is
de-spun. The final entry trajectory is determined and corrections made. About two
days to as little as three hours before arrival, the crew enters the Earth Re-entry
Module (ERM) and separates from the mission module.
2.3 MISSION OBJECTIVES 
The primary objective of the manned Mars mission is exploration of the surface
of the planet Mars to develop knowledge concerning its composition, structure and
life forms. Exploration of the surface will be carried out by personnel and scientific
equipment which will be landed on the planet. The mission module supports the
landing party in this effort by providing communications and data processing for the
MEM and also by performing cooperative experimentation and observation.
Additionally, while in Mars orbit, it can take advantage of its wide coverage of the planet to
acquire data beyond the exploration radius of the landing party.

Although Mars exploration is the primary objective, only ten percent of the
overall mission time is spent in the Mars area. Consequently, there is considerable
experimentation and observation activity carried out during the trans-Mars and
trans-Earth phases.
2.4 MISSION FUNCTIONS
There are three major functions that must take place throughout the entire
mission in order to assure successful accomplishment. These mission functions,
so called because they are of a broad enough nature not to be included within the
subsystem functions but rather establish the requirements for subsystem functions,
are:
1. Life Support (Crew Survival)
2. Command and Control
3. Scientific Experimentation and Exploration
The life support functions assure the physical and psychological health of the
crew. These functions would include physiological and psychological testing, health
preservation activities, radiation protection, rescue operations, and checkout
operations prior to major maneuvers. It is not likely that the computational and data
processing complex will be essential to the critical crew survival aspects of the life
support function. However, the computer will be used to perform tasks necessary for
the testing and checkout operations, which are essential to overall mission success.

The command and control function is concerned with monitoring operations,
control of subsystems, control of interfaces, abort decision and control, command
locations (internal and external repair crews, and MEM crew). The major components
of command and control include spacecraft guidance and control, telecommunications,
crew displays and controls, power distribution and overall mission module interfaces.
A simplified interface diagram of the command and control function is shown in
Figure 2-1. Through computation, data collection, storage and display, the command
and control function provides appropriate orientation and sequencing command signals
to major subsystems and informs the crew of subsystem operation, consumption rate
and storage level of storables, navigational position, spacecraft attitude, and antenna
and instrument orientation. It also records important information on subsystem
malfunctions, command messages and mission history.

The scientific experimentation and exploration function is closely related to the
mission profile. For example, on arrival or departure from the planets (Mars and
Earth), the main experiments are those connected with planetary observations.
During the trans-Mars and trans-Earth phases, the experimental effort is concentrated
on the interplanetary bodies and solar physics. The interplanetary environment is
continuously monitored.

The crew members are an integral part of the scientific subsystem and therefore
will participate in the preparation and operation of certain experiments. They will
program times for data acquisition, assist in observations, and reduce some data
prior to transmission. Some operations will be automated but with provisions for
manual data check and override.

A simplified interface diagram illustrating the data handling associated with the
scientific experiment and exploration function is shown in Figure 2-2.
2.5 SPACECRAFT SYSTEM DESCRIPTION 
2.5.1 Spacecraft Configuration 
The major elements of the spacecraft, exclusive of propulsion units, are the
Mars Mission Module (MMM), the Mars Excursion Module (MEM), and the Earth
Re-entry Module (ERM). All three modules will contain subsystems which require
computational and data processing support. For conducting the multiprocessor study,
emphasis has been placed upon the MMM. However, the necessity for compatibility
between subsystems throughout the overall spacecraft makes the multiprocessor
concept for satisfying computational and data processing requirements applicable to
all three major modules.
2.5.2 Major Subsystems 
There are six major subsystems which require varying degrees of computational
and data processing activity and consequently exert the primary influence on
requirements for the on-board computer system. These subsystems are:
(1) Guidance and Navigation, (2) Attitude Control, (3) Telecommunications,
(4) Scientific Sensor Experiments, (5) Reconnaissance, and (6) Life Support. A
simplified interface block diagram which identifies the major components of each
subsystem is shown in Figure 2-3. The following paragraphs are brief discussions
of the functional requirements of each subsystem.

Figure 2-1. Command and Control Function Interface Diagram

Figure 2-2. Scientific Experiment and Exploration Function Data Handling Interface Diagram
2.5.2.1 Guidance and Navigation 
The guidance  unit of any system concept  must  supervise  the  flight  according  to 
a flight plan. In doing so, the guidance  unit is required  to  generate and issue 
commands  to  the  attitude  control  subsystem,  propulsion  subsystem, and communica- 
tion  subsystem.  The  navigation  unit is required  to  determine all kinematic  variables 
compatible with the  functions  performed by the guidance unit. In general,  these 
kinematic variables are position, velocity, acceleration, attitude, angular velocity, 
angular  acceleration, and time.  The  variables are  determined with respect to a 
specified  reference  frame. 
The guidance  and  navigation subsystem,  for  utilization throughout  the manned 
Mars mission,  must  be  able  to  determine  the  kinematic  state of the  spacecraft  at all 
times  during  the  mission and  through  comparison with the  required  kinematic  state 
at  that moment, as derived  from  targeting  data;  be  able  to  generate  suitable 
commands for the velocity-to-be-gained required for the correction of any
navigational errors. As shown in Figure 2-3, the main elements in the subsystem are
a stable  platform  inertial  measuring unit (IMU), a scanning  telescope, a sextant, 
and a ranging sensor  (radar). 
2.5.2.2 Attitude Control 
The  attitude  control  subsystem  operates in  conjunction with the  guidance  and 
navigation subsystem  to  provide: (1) angular  orientation and stabilization of the 
spacecraft about three  axes, (2) translation  control  during  rendezvous and docking 
maneuver, and (3) thrust  vector  control  during  coast  corrections. 
The major elements of the attitude control subsystem are shown in Figure 2-3.
The body fixed accelerometers and gyros  also  provide a back-up inertial  measuring 
unit (strapdown) for  the guidance and navigation subsystem.  The  three-axis rate gyro 
package contains  the  sensing  elements and associated  circuitry  required  to  provide 
angular rate stabilization  control and display  information.  The  horizon sensor  senses 
the  location of local  vertical with respect  to  the body reference while the sun sensor 
senses  the  line of sight (LOS) of the  sun with respect  to  the body reference.  The 
astrotracker  senses  the LOS with respect  to  selected stars. 
The  propulsion  engines and reaction jets are also included as a part of the 
attitude control subsystem. The attitude and translation commands are combined,
decoded and converted  to jet selection signals which activate  the  reaction jet control 
valves. Similarly, for propulsion engine control, attitude commands are converted 
to engine  deflection  commands. 
2.5.2.3 Tele-communications 
Each of the three modules (MMM, MEM, ERM) making up the manned Mars
spacecraft will have its own communication functions to perform, with the added
provision that each system be compatible with one another whenever operations so
require. The tele-communications subsystem has the following basic types of
functional requirements:
1. Voice - Two-way voice communication capability between the individual
crew members, between the three modules and between the spacecraft
and Earth should exist at all times.
2. Telemetry - The telemetry system is required to transmit measurements
related to the engineering status of the on-board systems, crew status
concerning psychological and physiological data and scientific
experimentation data.
3. Television - Television transmission is part of the spacecraft's
communication system and serves the dual purpose of monitoring
scientific data and furnishing public information.
4. Data Processing - The large number of engineering and status
measurements which must be processed, analyzed and transmitted, require
on-board data displays, data storage and data control.
5. Tracking - This function provides near Earth and Mars tracking capability
and aids in the recovery of the crew at the end of the mission.
6. Rendezvous - Upon completion of the Mars surface exploration, the MMM
and MEM must accomplish a rendezvous and docking maneuver which
requires knowledge of range, range rate and bearing measurements to
the target vehicle.
Figure 2-3. Subsystems - Computer Interfaces
2.5.2.4 Scientific Experimentation
As shown in Figure 2-3 and Table 2-1, the measurement techniques for
scientific experimentation include microwave, infra-red, visible-optical, ultra- 
violet, radiation, magnetic field, meteoroid and mass spectrometry. Table 2-1 
shows the  relationship between the  scientific  experimentation  subsystem function, 
the  mission  profile and  the measurement  techniques. 
2.5.2.5 Reconnaissance
As shown in Figure 2-3, the reconnaissance or image sensor subsystem consists
of photographic and optical  sensors. Employment of such sensors  in  the manned Mars 
spacecraft is designed to make  full use of man's  capabilities.  The  crew  members are 
most effectively used in the collection, processing, handling, selection, and trans- 
mission of imagery  data. 
The  major  subsystem  elements include television,  viewfinder  camera,  telescope 
camera, panoramic camera and stereo high resolution frame cameras. The television
system is intended to serve as a backup to the photographic cameras and to provide
a real-time view of the Mars surface. The viewfinder provides a visual
reference  to  the area which is mapped by the  cameras. It also is used as a pointing 
and tracking  aid  for  the high resolution  telescopic  camera.  The  panoramic  camera 
provides a maximum of ground coverage with equal  angular  resolution at every  scan 
Table 2-1. Scientific Experimentation Subsystem Functions
Trans-Mars
Arrive and Depart
Mars Mars Orbit
Mars atmosphere and
surface absorption and
emission spectra
Mars atmosphere and
surface absorption and
emission spectra.
Airglow. Satellite
Twilight phenomena.
absorption and
emission
Mars atmospheric and
surface absorption and
emission spectra.
Airglow. Aurorae.
Twilight phenomena
Mars atmosphere
Aurorae. Spectra of
absorption spectra.
radiation belts.
Flux, directionality,
species, energy spectrum of trapped
radiation
Measurement Technique
Microwave Spectroscopy Solar microwave
emission trum; thermal emission
Mars absorption spec-
spectrum; albedo
Solar microwave
emission
Absorption spectrum of
Earth; thermal emission
spectrum. Microwave albedo
thermal emission
Earth absorption and
spectra. Infra-red
albedo
Infra-Red Spectroscopy Mars absorption and
thermal emission
spectra. Infra-red
albedo
Solar Infra-red
emission
Solar corona Infra-
Photosphere emission
red emission.
Visible-Optical Spectroscopy Earth absorption and
emission spectra,
albedo
Solar line spectra.
Spectra of selected
astronomical objects
Mars absorption and
emission spectra.
Albedo
Solar line spectra.
Spectra from corona.
Solar line spectra.
Spectra of selected
astronomical objects
Solar photosphere and
corona spectra
Ultra-Violet Spectroscopy Earth absorption and
thermal emission
spectra. Albedo
Mars absorption and
Albedo
emission spectra.
Radiation Spectroscopy
energy spectrum of
Flux, directionality,
trapped radiation and
impinging radiation
species, energy spec-
Flux, directionality,
trum of radiation in
interplanetary space
Flux, directionality,
species, energy
spectrum in Mars
neighborhood
Flux, directionality,
trum of radiation in
species, energy spec-
interplanetary space
Aeromagnetosphere Aeromagnetosphere Magnetic Field Local magnetic field Magnetic field in
space
Magnetic field in space
Meteoroids
of meteoroids
Flux, directionality
of meteoroids
Flux, directionality
of meteoroids
Flux, directionality Flux, directionality Flux, directionality
of meteoroids of meteoroids
Interplanetary gas
meteoroid composition
composition, Micro-
Interplanetary gas
composition, Micro-
meteoroid composition
Mass Spectrometry Mars upper atmosphere
angle so that complete planetary coverage can be obtained in a minimum time. Two
frame  cameras  provide high-resolution stereo  pictures of the  planet's  surface by 
viewing the  same  surface area from  two  different  aspects. 
2.5.2.6 Life Support 
The life support subsystem is one of the most critical subsystems in the MMM.
The necessity for maintaining a habitable environment for the whole 420 day mission
leads to exacting fail-safe operation, reliability and maintenance requirements.
Interface with the computer complex, if any, would be through the instrumentation,
controls and displays required for the environmental control system. The implementation
of a digital computer in life support appears to be limited to the monitoring of
direct indicating instrumentation as illustrated in Figure 2-3. However, it is possible
that use of the computer for life support control functions, rather than individual
controller electronic "black boxes," will become feasible.
2.6 COMPUTATIONAL AND DATA PROCESSING FUNCTIONS 
2.6.1 General 
Three  primary  mission functions were  described  previously.  These functions 
require  computer  operations  that fall into  two  general  categories.  The first is 
command and control  computation, which obviously relates to  the command  and control 
function. The second group is mission  data  processing, which is primarily  concerned 
with the  processing of the  scientific  experiments and exploration  data but also includes 
some  limited  processing of data from  the life support  system. 
The type of computer  operation  required  for command  and control is decidedly 
different from that employed for  mission  data  processing. Consequently, any multi- 
processing  computer  system should  logically  evolve  from this  natural  separation of 
computational tasks. 
In order  to  investigate  varying  degrees of multiprocessing and also  establish 
their  respective computational  requirements,  it is necessary  to  partition  further  the 
two  major computational  and  data  processing  categories.  The  subdivision of functions 
through  four  levels is illustrated in Figure 2-4. The guide line  for  partitioning 
functions is not limited  simply  to  separation  according  to  computational  characteristics 
but is also influenced by failure  protection  objectives. Such factors as the  ability  to 
implement  alternate  modes of operation as well as the  opportunity  for  maintenance 
and repair,  also have to be  considered. 
2.6.2 Computer Operations 
In paragraph 2.8, relating to computer requirements, the individual functions
and their respective requirements are discussed in some detail. It is the intention
here to describe in a general manner the computational and data processing tasks
that are required of the computer.
Processing for guidance, navigation and control is primarily computational in
nature. Input data from the various inertial and optical sensors are used to compute
location, orientation and directional acceleration of the spacecraft. When combined
with previously processed data from the same sources, the past and predicted flight
path and velocity of the vehicle are computed. This path is compared with the
pre-established desired trajectory to determine deviations and drift rates. Should an
alteration of the predicted path be required, the optimum method of achieving the
desired path, velocity components, and/or implementation of the spin up and de-spin
maneuver, is computed.
Figure 2-4. Computational and Data Processing Functions
The  computation task  most  characteristic of guidance,  navigation  and  attitude 
control  processing is state (position  and  velocity)  estimation  based upon statistical 
filtering.  The  process  consists of using a statistical filter to optimally estimate  the 
components of the  vehicle  state  vector  from a sequence of measurements  made by the 
imperfect  instruments on board  the  spacecraft. 
In general, the estimation method works as follows:
In anticipation of the ith group of observations and the ith estimation cycle, the
computer integrates the equations of motion from the previous best estimate of the
state at the time of the ith estimate. The estimator K is determined by use of the
expected state and covariance matrix of estimation error corresponding to the time of
the ith estimation cycle. The expected values of the observables (space angles) are
computed. The observations are made from the spacecraft actual position and as
such contain the sensor error. The computed space angles are subtracted from the
observed angles. The residuals are operated upon by the estimator which produces an
optimal estimate of the deviation between the actual and expected spacecraft state.
This estimated deviation is added to the expected state to form a new, corrected set
of initial conditions for the next integration cycle. Finally, the covariance matrix of
estimation error is corrected to reflect the latest estimation.
Optimal  filtering  techniques  may  also  be  applied  to  attitude  determination. 
Because of long term  gyro  drift  characteristics,  devices  such as sun sensors,  horizon 
sensors, and star trackers are needed to provide long term attitude reference.
However, these  instruments are not sufficiently accurate  to  provide  the  precision 
attitude information needed. The recursive optimal  filtering technique is one of 
several methods  available  for  utilizing  the  observables  to update knowledge of vehicle 
attitude. Others include least squares and partial correction. The latter two methods 
require less computational complexity but at the expense of attainable accuracy.
An additional  computation of special note is employed in the  event  that  strapdown 
inertial  sensors  are  used  for  either  primary  or backup  navigation. The  strapdown 
system uses body fixed gyro  displacement signals in a high speed  direction  cosine 
computation which effectively simulates  the gimbal  system in a stable  platform  inertial 
mechanization. 
Processing for tele-communications is concerned primarily with reduction of
the volumes of data received from numerous sources to the minimum quantity
consistent with maintaining the integrity of the information. This is accomplished through
a variety of data sampling and compaction techniques. Data processing aids in the
communications task of determining transmission times and durations, power
requirements, antenna boresight calculations, and the information content of specific
transmissions. This determination is based upon considerations of possible interference
from intervening bodies, predicted power and equipment utilization requirements.
These factors are of particular concern during the return to Earth phase of the mission
or in the event of degradation in communication facilities.
Computer  operation in support of the  scientific  experimentation  and  exploration 
function  consists  primarily of data handling  and data  processing. Its objective is to 
optimize  the flow of information  from  the  data  gathering  sensors to  the  crew and to 
the  communication  subsystem. A large  portion of the  data  to be processed is in the 
form of imagery. It is likely that a significant saving in transmission time can be
realized, without loss of information or increase in communications bandwidth, by
application of data  compression  techniques. 
In addition to  data  compression  techniques,  transmission  time  can  be  reduced 
by the  avoidance of unnecessary  overlap  or duplication in the photographic  imagery. 
The  computer  can  be  used  to  control  the  image  collection  automatically  thus  relieving 
the  crew of the  task of keeping track of picture  overlap  or duplication. With the aid 
of navigational data,  the  computer  schedules  the  operation of the  cameras and insures 
collection of precisely  the  right amount of duplicate  imagery. 
The  processing  associated with the  scientific  experiment  sensors  includes 
sensor operation control, data compression and data analysis. The control functions 
pertain to computer  selection and sampling of inputs  according  to  some  programmable 
criteria as in the following examples: (1) certain  sensors or groups of sensors are 
activated  according  to  the  mission  phase, (2) the  indications  from an active  sensor may 
call  for  the use of an  otherwise  inactive  sensor, (3) the  selection of the  different input 
samples  from  the  same  sensor can vary  during  the  course of the  mission  or  according 
to  the  status of the  sensor, and (4) the  sampling  rate of each  active  sensor can  be 
varied  according  to  such  criteria as the amount of change in the  data  magnitude,  the 
relative change when compared to  other  sensor  readings,  the maximum  allowable 
data  storage  rate  or  data  transmission  rate, a priority  basis  or when the  readings 
pass through  maximum  and  minimum  conditions. 
As in the case of the image sensor data processing, data compression techniques
are used by the computer to reduce the vast amounts of data being collected. In
addition to reducing the data through compression methods, the computer can conduct
an analysis of the contents of the data. This is normally done when the results of the
analysis are required for on-board operation and evaluation by the crew. An example
of this type of processing by the computer is the comparison of a multicomponent
spectrum, as detected by an  active  sensor,  to a pre-stored series of reference  spectra. 
Various  curve  fitting and correlation  procedures can  be  used  in order  to  establish  the 
best  match and identify the  elements in the  sample.  Correlation and  matching  between 
sensors can also be used as an aid to automatic  instrument  calibration. 
Performance  monitoring, and  in some  cases  the  actual  testing of subsystems, is 
a significant  data  processing function. The  objective is the  immediate  detection of 
sub-standard  performance on the  part of any major  element in each  subsystem.  The 
monitoring  task  requires  simply  the  sampling and recording of performance  data  for 
purposes of display or  telemetry. Some data  compaction  may  be  used in order  to 
reduce the data transmission load. Comparison of test point measurements against
pre-stored  tolerance  limits is perhaps  the  most  prominent test under  computer 
control. However, a number of rate tests and cross-checks,  may  also be conducted, 
all of which help  in  establishing  the  operating status of each  subsystem. 
A more  sophisticated  utilization of the  computer  takes  place in the context of 
an on-board checkout system. Here, the computer, operating in conjunction with 
special  purpose equipment, would control checkout operations  such as: (1) selection 
and  control of function generators, (2) selection of stimulus  and  measurement  points, 
(3) selection and control of measurement devices, (4) timing and sequencing of the
stimuli and measurement signals, (5) comparison of observed with expected results,
(6) setting or sensing of the state of the system under test, and (7) communication
with  the  crew. 
2.7 MISSION-FUNCTION TIME LINE PROFILE 
The Mars mission flight profile  defined  previously  indicated a mission  time  to 
Mars of 420 days. This  imposes a duty cycle,  for  some on-board equipment, of over 
10,000 hours  for a flight  initiating  from  Earth  orbit.  To  this  must  be  added ground 
checkout time and operating  time while in Earth  orbit. 
In order  to  provide a base  for defining computer  requirements as a function of 
time and assess the  computer  reliability  requirements, but without constraining  the 
computer  configuration, a mission-computer function time  line  profile was generated. 
The  results are presented in Table 2-2. It can be seen  from  the  profile  that many of 
the functions are expected to  operate  in  excess of 10,000 mission  hours. In the  case 
of guidance and navigation it appears  that  advantage  can be taken of shut down periods. 
During trans-Mars and trans-Earth  coasting  phases, which make up about 80 percent 
of the  total  mission  time,  the guidance and navigation  functions are active only for 
short  periods of time  (for computing trajectory  corrections) and computations are 
made at widely spaced  intervals of time. Most of the  remaining functions are active 
throughout the  entire  mission  time, although for  some it is not necessary  that  the 
computing be done  continuously. 
2.8 DETAILED COMPUTATIONAL FUNCTIONS 
In the  previous  sections a description of the  system  and a general  discussion 
of the  computational  functions  was  given. This  section will discuss in more depth 
the  computational  algorithms  associated with the  computer functions. The functions 
will be described in four parts as previously identified, namely: (1) Vehicle Guidance 
and Control (2) Telecommunications, (3) Experiment Data Processing, and (4) System 
Checkout. These  descriptions of the computational functions will provide the base 
for defining  the computer  requirements and also provide  insight  into  the  types of 
computations required. 
2.8.1 Vehicle Guidance and Control 
Table 2-2. Mission-Function Time Line Profile (computer functions by mission
phase: Trans-Mars, 120 days; Mars area, 40 days; Trans-Earth, 260 days; with total
running time in hours. Rows: Guidance & Navigation, Vehicle Attitude Control,
Image Sensor Data Processing, Scientific Sensor Data Processing, Subsystem
Self-Test Operations, System Performance Monitor.)
The Vehicle Guidance and Control (hereafter referred to as Navigation and
Guidance or simply N&G) consists of 15 basic modes:
1. Atmospheric Ascent
2. Earth Orbital Coast
3. Trans Mars Injection
4. Trans Mars Coast
5. Trajectory Correction
6. Spin Up
7. Trans Mars Spin Cruise
8. De Spin
9. Mars Approach Correction
10. Aerobraking
11. Mars Orbit Injection
12. Mars Orbital Coast
13. Trans Earth Injection
14. Earth Approach Correction
15. Earth Re-entry
This is not  intended to imply  that there are 15  phases  to  the  mission  since  some 
of the basic  modes will  be entered into several  times (e. g. spin up  and de  spin  for 
trajectory  corrections on both trans  Mars and trans  Earth  portions of the  mission). 
A description of the N&G functions for  each  mode  will  be given below. These  modes 
will then  be  translated  into  computer  requirements  per  mission  phase.  It  should  be 
noted that  references 5, 12, and 13  were  used  throughout  paragraph  2.8.1. 
2.8.1.1  Atmospheric  Ascent 
The atmospheric ascent or "boost" will be primarily controlled by the booster
guidance system. However, it is possible that the spacecraft computer will have
access to the information from the booster guidance instrumentation; in this case it is
likely the spacecraft computer will compute position and velocity during boost.
2.8.1.1.1 Computations 
The IMU Mechanization function requires  the following functions to  be 
implemented: 
1. Process  Accelerometer Outputs 
2. Navigation  Computation: 
a. Compute  Navigation Reference 
b. Extrapolate  Gravity Velocity 
Detailed  mechanization  equations  will not be  given  here  for  these functions. 
These  detailed  equations  were  given in reference 16,  the first quarterly  report of 
the study. The same holds true for the remainder of the N&G functional description;
appropriate comments will be made regarding the equations where necessary or
they will be included where they hold particular significance to computer mechanization
or complexity.
2.8.1.2 Earth Orbital Coast 
During this mode of navigation the  basic equation  describing  the  motion of the 
vehicle is given by 
$$\frac{d^2\bar{r}}{dt^2} + \frac{\mu}{r^3}\,\bar{r} = \bar{a}$$
where $\bar{r}$ is the vector position of the vehicle, $\mu$ is the gravitational constant of the
planet, and $\bar{a}$ is the vector acceleration which prevents the motion of the vehicle from
being precisely a conic with the planet at the focus. Basically  the motion of the  vehicle 
is computed using a method such as Encke's.  Periodically, due to  accumulated  errors, 
orbit  determination is performed  to  update  the state of the vehicle.  The  method of 
determining an orbit  described  here is that of using  star-landmark  tracking.  The 
star  trackers are used to  provide a precise  attitude  reference while a landmark  tracker 
is used to provide  data  for  updating  the state vector of the vehicle.  Therefore,  the 
functions are broken down into four sections: (1) Attitude Reference, (2) Landmark
Tracker Operation, (3) Orbit Determination, and (4) Navigation Computation. 
2.8.1.2.1 Computations - Attitude Reference 
1. Star Selection Routine - This routine outputs the Line of Sight to two stars in
inertial coordinates. The stars are selected which will be in the telescope's
field of view and checks are made to see that a chosen star is not in a
prescribed cone about the sun, moon, and earth.
2. Star Tracker Pointing
3. Tracker Acquisition and Tracking - The tracker will require a scan program
to be superimposed on the commanded angles. The scan dither program may
appear as:
[Diagram: scan dither pattern about the commanded angles]
Time of star presence must be accepted by the computer to interpolate
the star angles.
4. Kalman Filter Star Data -
$$B_n = P_n M_n^T \left(M_n P_n M_n^T + C_n\right)^{-1}$$
$$\hat{X}_n = B_n\,\Delta Y_n$$
$$\dot{\Phi} = F\,\Phi$$
Where
$P_n$ : 11 x 11 covariance matrix of the estimation errors $X_n$ evaluated at time $t_n$
$I$ : 11 x 11 Identity Matrix
$B_n$ : 11 x 2 Filter Matrix
$M_n$ : 2 x 11 Output Matrix
$K$ : 11 x 11 Constant Matrix (gyro drifts, biases, etc.)
$\hat{X}_n$ : 11 x 1 Optimum Estimate of Errors
$\Delta Y_n$ : 2 x 1 Pointing Residuals
$\Phi$ : 11 x 11 Transition Matrix for Propagation of the Covariance Matrix
$F$ : 11 x 11 System Matrix
$C_n$ : 2 x 2 Covariance of White Observation Noise
5. Compute Body to Inertial Transformation from Gimbal Angles
6. Compute Locally Level to Inertial Matrix
7. Compute Locally Level to Body Matrix
8. Generate Attitude Control Signal
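The estimation cycle described in paragraph 2.6.2 and the filter equations of item 4 above, worked through as an added example (not code from the report). The 3-element state, all numeric values and the function names are constructed; the covariance correction (I - B M) P is the standard form and is an assumption, since that equation is not legible on the page.

```python
# Added example: one measurement update of the star-data filter, in the
# report's symbols, on a constructed 3-state case (the report uses 11 states).

def transpose(a):
    return [list(col) for col in zip(*a)]

def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]

def matadd(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def matsub(a, b):
    return [[x - y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def inverse_2x2(m):
    """Invert the 2 x 2 matrix (M P M^T + C); two pointing residuals per fix."""
    (a, b), (c, d) = m
    det = a * d - b * c
    if abs(det) < 1e-12:
        raise ValueError("M P M^T + C is singular; check the noise covariance C")
    return [[d / det, -b / det], [-c / det, a / det]]

def filter_matrix(P, M, C):
    """B_n = P_n M_n^T (M_n P_n M_n^T + C_n)^-1."""
    Mt = transpose(M)
    S = matadd(matmul(matmul(M, P), Mt), C)
    return matmul(matmul(P, Mt), inverse_2x2(S))

def estimation_cycle(x_expected, P, M, C, observed, computed):
    """One cycle: residuals -> filter matrix -> estimate -> corrected state."""
    # Computed space angles are subtracted from the observed angles.
    dY = [[o - c] for o, c in zip(observed, computed)]
    B = filter_matrix(P, M, C)
    # X_hat_n = B_n * dY_n: optimal estimate of the deviation from the expected state.
    x_hat = [row[0] for row in matmul(B, dY)]
    # The estimated deviation is added to the expected state.
    x_new = [xe + dx for xe, dx in zip(x_expected, x_hat)]
    # Covariance correction, standard form (assumption, not legible on the page).
    P_new = matmul(matsub(identity(len(P)), matmul(B, M)), P)
    return x_new, x_hat, P_new

# Constructed sample: state = [pitch error, yaw error, pitch gyro drift].
SAMPLE_X = [1.0, 2.0, 0.05]
SAMPLE_P = [[4.0, 0.0, 1.0],      # pitch error is correlated with gyro drift
            [0.0, 9.0, 0.0],
            [1.0, 0.0, 1.0]]
SAMPLE_M = [[1.0, 0.0, 0.0],      # the two star angles observe the two
            [0.0, 1.0, 0.0]]      # attitude errors, not the drift
SAMPLE_C = [[1.0, 0.0],
            [0.0, 1.0]]
SAMPLE_OBSERVED = [10.5, 19.0]
SAMPLE_COMPUTED = [10.0, 20.0]

def run_sample():
    return estimation_cycle(SAMPLE_X, SAMPLE_P, SAMPLE_M, SAMPLE_C,
                            SAMPLE_OBSERVED, SAMPLE_COMPUTED)

if __name__ == "__main__":
    x_new, x_hat, P_new = run_sample()
    print("estimated deviation:", x_hat)
    print("corrected state:    ", x_new)
    for row in P_new:
        print("corrected covariance row:", row)
```

The drift state is never observed directly, yet it receives a correction through its covariance with the pitch error, which is why the off-diagonal terms of the covariance matrix have to be carried from cycle to cycle.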
2.8.1.2.2 Landmark Tracker Operation 
1. Landmark  Tracker Pointing: 
a. Compute Initial Estimate of Landmark Position 
b. Correct Tracker Gimbal Angles 
c. Compute Angular Rates and Incremental Conditions 
d. Rapid Updating of the Gimbal Angles 
2. Landmark Tracker Data Processing 
a. Pattern  Correlation  and  Tracking - This function requires  the  computer  to 
store  the  present and previous  digital  scan of a landmark and shift  the two 
scans  relative  to  each  other so as to obtain a best  match;  the  shift between 
scans is then  used to compute  the  observational  residual. 
b. Computation of the Observational Residuals 
c. Computation of Expected Variance 
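The pattern correlation step of item 2a, as an added example (not code from the report): the present and previous digital scans are shifted against each other and the shift with the lowest mean squared difference is kept. The scan values, the mean-squared-difference score, the minimum-overlap guard and the conversion of the shift to an angular residual are all assumptions made for this illustration.

```python
# Added example: best-match shift between two stored landmark scans.

def best_shift(previous, present, max_shift, min_overlap):
    """Return (shift, score) for the best match of `present` against `previous`.

    A positive shift means the pattern sits at higher sample indices in the
    present scan. Shifts whose overlap is shorter than `min_overlap` samples
    are rejected, because a short overlap of featureless background can score
    better than the true match.
    """
    best = None
    for shift in range(-max_shift, max_shift + 1):
        pairs = [(present[i], previous[i - shift])
                 for i in range(len(present))
                 if 0 <= i - shift < len(previous)]
        if len(pairs) < min_overlap:
            continue
        score = sum((a - b) ** 2 for a, b in pairs) / len(pairs)
        if best is None or score < best[1]:
            best = (shift, score)
    if best is None:
        raise ValueError("no shift leaves at least min_overlap samples in common")
    return best

def observational_residual(measured_shift, predicted_shift, angle_per_sample):
    """Angular residual from the shift (assumed form: shift error times sample spacing)."""
    return (measured_shift - predicted_shift) * angle_per_sample

# Constructed scans: the same landmark feature, moved two samples and
# disturbed by a little sensor noise in the present scan.
PREVIOUS_SCAN = [0, 0, 1, 5, 9, 5, 1, 0, 0, 0, 0, 0]
PRESENT_SCAN = [0, 1, 0, 0, 1, 5, 8, 5, 1, 0, 0, 1]

if __name__ == "__main__":
    shift, score = best_shift(PREVIOUS_SCAN, PRESENT_SCAN, max_shift=11, min_overlap=8)
    print("guarded search:   shift", shift, "score", score)
    # Without the overlap guard a single background sample matches perfectly.
    print("unguarded search: shift", best_shift(PREVIOUS_SCAN, PRESENT_SCAN, 11, 1)[0])
    print("residual (rad):", observational_residual(shift, 1, 0.0005))
```

Only the two most recent scans are held, which matches the storage requirement the item places on the computer.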
2.8.1.2.3 Orbit Determination Computation
1. Prefilter Observational Residuals - Observational residuals may be obtained
at a rate different from that used to perform the orbit determination
computation. Therefore, a prefiltering such as a least squares method may be
employed between iterations.
2. Computation of the Output Matrix
3. Computation of the System Description Matrix
4. Initial Estimates of Covariance Matrices
5. Optimum Filter Computations - Similar definitions as given in the attitude
reference section apply except the matrices involved are reduced to 9 x 9 and 2 x 9.
6. Propagation of Covariance Using the Transition Matrix
$$\dot{\Phi} = F\,\Phi$$
where a fourth order Runge-Kutta integration is used.
7. State  Vector  Correction 
A5 = b - A- m 
where : 
- 
At : correction  to be applied to  the  state  vector 
b : optimum filter computed in 5 above 
2.8.1.2.4 Navigation Computations
1. Rectify Osculating Orbit
2. Update Osculating Orbit - The difference in the eccentric anomaly, \Delta E, is
computed in an iterative manner.
3. Compute Perturbations and Evaluate Derivatives
4. Update for Runge-Kutta Integration
5. Update State Vector Estimate
6. Correct the State Vector
2.8.1.3 Trans Mars Injection 
During  this  mode powered  flight is again  encountered and the  navigation  functions 
of 2.8.1.1, Atmospheric Ascent, are applicable. In addition, the computer is required 
to compute  the  required  velocity  to  achieve  the  desired  trajectory and the  velocity-to- 
be-gained to implement steering  during  the  maneuver. 
2.8.1.3.1 Process Accelerometer Outputs 
2.8.1.3.2 Navigation Computation
2.8.1.3.3 Required Velocity Computation 
The  required  velocity  for  trans  mars injection  may  be  defined as that  velocity, 
at  the  present  position,  that will place  the  vehicle on a conic  passing  through a specified 
time. 
2.8.1.3.4 Velocity-to-be-Gained Steering
The steering mechanization is a combination of two methods: (a) alignment of the
thrust vector, ZT, with the velocity-to-be-gained, V_G, vector and (b) alignment of the
thrust vector to cause the time rate of change of the V_G vector, \dot{V}_G, to be parallel
to V_G and oppositely directed. A scalar mixing parameter, V, of these two methods is
chosen to maximize fuel economy during the maneuver.
2.8.1.4 Trans Mars Coast 
This mode of navigation consists of making sightings on planetary bodies to
determine position and velocity and monitoring the velocity-to-be-gained for a
trajectory correction.
2.8.1.4.1 Attitude Reference 
2.8.1.4.2 Navigation Computation 
Time did not permit defining a suitable  mechanization  for  this function. 
2.8.1.4.3 Velocity-to-be-Gained (Monitor) 
2.8.1.5 Trajectory Correction 
The  basic  functions  required  during  this navigation  mode are the powered  flight 
functions of 2.8.1.1, the  required  velocity to be  gained as described in section 2.8.1.4, 
and the  steering function. 
2.8.1.5.1 Process Accelerometer Outputs 
2.8.1.5.2 Navigation Computation 
2.8.1.5.3 Velocity-to-be-Gained 
(Same as 2.8.1.4.3 Velocity-to-be-Gained (Monitor) except when dv exceeds some
value and thrusting is initiated.)
2.8.1.5.4 Velocity-to-be-Gained Steering 
2.8.1.6 Spin Up 
During this mode the functions required are a determination of the  angular 
velocity to be  gained  and steering  commands  to  achieve  the  desired  angular  velocity. 
Time  has not permitted  defining a representative  computer  mechanization  for  these 
functions. 
2.8.1.7 Trans Mars Spin Cruise 
The functions required during this mode are similar to those required during the
coast mode described in 2.8.1.4 (Attitude Reference, Navigation Computation,
Velocity-to-be-Gained Monitor); in addition, the angular velocity to be gained will
need to be monitored.
2.8.1.8 Despin 
This mode is identical  to 2.8.1.6 (Spin Up) with the exception that  the  desired 
angular velocity is 0. 
2.8.1.9 Mars Approach Correction 
The functions for this mode are the same as those required in 2.8.1.5 (Trajectory
Correction) except that a different mechanization is used for the velocity to be
gained computation (variable time of arrival guidance instead of fixed time of arrival
guidance).
2.8.1.9.1 Process Accelerometer Outputs 
2.8.1.9.2 Navigation Computation
2.8.1.9.3 Velocity to be Gained 
- 
iD = unit [ (1 - cos e)2 T + s i n  e (A - cos e + T x i  ) I  
rP r n  P 
2.8.1.9.4 Velocity to be Gained Steering 
2.8.1.10 Aerobraking 
Many of the functions required  during  this mode are expected to be similar  to 
those of 2.8.1.15 (Earth Reentry). However, some simplification exists since it is 
not  required to  steer the  vehicle  to a desired landing site. The  detailed  equations  for 
the  required  functions were obtained  from  reference 13. A brief  description of the 
required functions follows: 
Out of Atmosphere  Flight  Predictor. 
Predicts flight  conditions at top of atmosphere and range  to  top of 
atmosphere. 
In-Atmosphere Flight Predictor. 
Flight  prediction by integration of equations of motion with constraint and 
damping  loops. 
Coefficient  Setup  and Extrapolator. 
Linear  extrapolation of predicted  information with energy and time. 
Non-Dimensional Constraint and Damping Computation. 
In-Atmosphere  Command  Generation. 
2.8.1.11 Mars Orbit Injection 
Navigation and guidance  functions during  this  mode are  similar  to  those  required 
in 2.8.1.3 (Trans Mars Injection) with the exception of the  required  velocity 
mechanization. 
2.8.1.11.1 Process Accelerometer Inputs 
2.8.1.11.2 Navigation Computation 
(Same except  gravitational  calculations are on Mars) 
2.8.1.11.3 Required Velocity Computation 
2.8.1.11.4 Steering 
2.8.1.12 Mars Orbital Coast 
This mode will require  the  same functions as in 2.8.1.2 (Earth  Orbital  Coast). 
The method of orbit  determination  using star-unknown landmarks  may  be  used  to 
advantage here.
2.8.1.13 Trans Earth Injection 
The functions of this mode are quite similar to those of 2.8.1.3 (Trans Mars
Injection) with the exception of the required velocity mechanization.
2.8.1.13.1 Process Accelerometer Inputs 
2.8.1.13.2 Navigation Computation 
2.8.1.13.3 Required Velocity Computation
2.8.1.13.4 Steering 
2.8.1.14 Earth Approach Correction
The functions in this mode are similar to those of 2.8.1.9 (Mars Approach
Correction) with the exception of the required velocity computation (additional
computations required due to an entry angle and landing site requirements).
2.8.1.14.1 Process Accelerometer Outputs 
2.8.1.14.2 Navigation Computation 
2.8.1.14.3 Velocity to be Gained
2.8.1.14.4 Velocity to be Gained Steering
2.8.1.15 Earth Re-Entry 
The mechanization of this mode is quite complex and Reference 13 provides a
good description and discussion of these equations. Briefly these functions are given
below:
1. Out of Atmosphere Flight Predictor; Prediction of flight conditions at top of
atmosphere and range to top of atmosphere
2. In Atmosphere Flight Predictor; Flight prediction by integration of equations
of motion with constraint and damping loops
3. Coefficient Setup and Extrapolator; Linear extrapolation of predicted
information with energy and time
4. Spherical Range Computation; Transformation of destination and target
location to energy management coordinates
5. Nondimensional Ground Area Attainable and Target Overflight Ground Area
Attainable prediction
6. Nondimensional Constraint and Damping Computations
7. In Atmosphere Command Generation
2.8.2 Telecommunications Requirements
This function is concerned with the  data  transmission function primarily.  The 
information  obtainable on this function was  somewhat  lacking  and some  interpolation 
had to  be applied to  define the  requirements. 
2.8.2.1 Transmission Instrumentation Pointing Commands
The functions involved here are computing desired Line of Sights, various
coordinate transformations, computing pointing angles, and commands p, a. The
equations are quite similar to those involved in paragraph 2.8.1.2, the attitude
reference mechanization of the orbital coast phase.
2.8.2.2 Command Processing
Communication of commands  from  the  ground will require  the  computer  to 
accept and store  after  proper  verification a number of commands. These commands 
may be in realtime  or  stored  time.  Stored  time  commands  require a command storage 
program which is cycled  through  periodically  to  detect  commands  to  be  executed. 
Once a command is to be  executed,  the  computer outputs  an execute  signal with the 
appropriate  address  for  destination  purposes. 
2.8.2.3 Data Formatting
The allocation of this function is difficult to define at this time. There will
undoubtedly be requirements for formatting and coding data prior to transmission.
However, some coding of data will be taking place in functions described in other
sections of this report (such as the data compression in paragraph 2.8.3). At certain
times it may be required to process bulk data prior to transmission. Some of the
algorithms described in the data compression section will be applicable here.
2.8.3 Scientific Experiment Computational Requirements
The description of computational requirements for the scientific experiments
shall be given in three parts: (a) the scientific experiment instrumentation, (b) the
computational algorithms to be applied to the scientific experiments, and (c) the
resultant computer requirements.
2.8.3.1 Scientific Experiment Instrumentation
An investigation of References 1 and 14 provided what may  be  considered as  
representative  instrumentation  for  achievement of the  scientific  experiments.  The 
following is a list of the  basic  classes of experiments  to be performed: 
1. Investigation of Interplanetary Bodies: Comets and asteroids in close 
approach with the  vehicle  will be studied. 
2. Analysis of the Interplanetary Medium: Various environmental properties
need to be monitored such as: neutral gas, charged particles, neutrons,
electromagnetic radiation, meteoroid, magnetic fields, etc.
3. Observations of Solar Phenomena: Various observations will be made to 
determine  properties of the photosphere,  chromosphere,  corona and 
magnetic  moment and fields. 
4. Analysis of the Aeromagnetosphere: Measurements will be made to determine
a magnetic field map and magnetically trapped energetic charged
particle belts.
5. Analysis of the Topography and Surface Composition of Mars: Measurements
will be made to determine the amount of energy absorbed and
reflected by the planet in different regions of the electro-magnetic spectrum,
the composition of various areas of the planet, the existence and distribution
of plant life and the topography of the planet.
6. Determination of the Periods and Gravitational Properties of Mars: The
gravitational field and rotation of the planet will be determined and various
properties of the satellites of the planet will be determined.
7. Analysis of the Martian Atmospheric Structure and Composition: Measurements
must be made to determine the molecular and isotopic density
distributions, the atmospheric density, the pressure, the temperature, etc.
The first four types of experiments may be considered as the cruise or
interplanetary experiments while the last three are Mars orbital or Mars vicinity
experiments. To achieve these desired scientific objectives the following instrumentation
requiring or having the possibility of on-board data processing may be identified.
2.8.3.1.1  Interplanetary 
1. 3-Axis Magnetometer 
The output of the magnetometer will be three channels representing flux
intensity. Sampling requirements are expected to be at a rate of 12 channels/
minute with a resultant information rate of 120 bits/minute. On-board
data processing may be utilized here to compress the data prior to
transmission by an encoding or curve fitting approach. (These will be covered
in Section 2.8.3.2.)
2. 6-Axis Hi Energy Spectrometer, 3-Axis Moderate Energy Spectrometer, 
Proton  Plasma  Spectrometer,  Electron  Plasma  Spectrometer, X-Ray and 
UV Photometer, Ion Chamber 
The output of these instruments will constitute approximately 191 channels
with a total sampling rate of 224 channels/minute with a resultant
information rate of 1120 bits/minute. On-board data processing can be utilized with
this instrumentation to compress the data prior to transmission by utilizing
encoding, curve fitting, and statistical methods.
3. Micrometeoroid  Spectrometer 
Three channels of information will be received from this instrument; the
sampling rate is expected to be quite low (3 channels/hour total) resulting
in an information rate of 30 bits/hour. On-board data processing may be
utilized to compute the mass from the momentum-velocity ratio and the
data may be readily compressed using statistical methods.
4. Infrared Telescope and Spectrometer, Microwave Radiometer, Visible 
Wavelength Optics  and  Telescope 
This instrumentation is primarily required during the Mars orbital phase.
However, it will probably be used during the interplanetary cruise to
measure such properties as solar microwave emission, solar infrared
emission, spectra of selected astronomical objects, etc. The rates of
taking measurements are expected to be considerably lower than when the
instrumentation is used in the Mars orbit. It has been assumed that the
average information rate is approximately 800 bits/sec for purposes of
assigning requirements. Generally, the data processor may be utilized
here to compress the data prior to transmission.
5. General Human Performance Measurement 
This  instrument is expected to be used  periodically,  for  example,  four 
hours/every  four  days.  The  data rates are expected to be 75 bits/minute 
input to  the  data  processor and 100 bits/minute output to  the  instrument 
while the  experiment is being conducted. The data  processors will be 
utilized to  activate  various  lights and  output numerics on the  display panel 
and to reduce  the  data obtained from  the panel responses. 
2.8.3.1.2 Mars Orbital 
The discussion above for interplanetary instrumentation will also apply for the
Mars orbital phase with the exception of the instrumentation identified in (4). The
information rate is expected to be considerably higher in this phase for these
instruments. It may be reasonable to assume that the full data transmission capability of
the spacecraft will be utilized in this phase to make as many multiband spectral
observations as possible. Predicted capabilities for the transmission rate for
1980 time period missions appear to be approximately (conservatively) 20,000 bits/
second. The data processor may be utilized to compress the data obtained from the
observations; a conservative estimate of data compression that will be obtained of
2 to 1 will be assumed. If it is assumed that the transmission consists of 80% assigned
to the observations, this results in 16,000 bits/second. Application of data
compression results in a capability of handling 32,000 bits/second from this instrumentation.
Of course, a higher rate may be established if buffering of some form is used.
However, this figure may be considered as a real time limit. The number of bits
per observation per frame will depend on the region of the spectrum (visible, IR, etc.)
that the observation is made in and properties of the optics (resolution, field of view,
etc.). It will be assumed here that one frame will consist of approximately 10^6 bits
(400 x 400 lines, 6 bit coding to a cell); this results in a maximum processing rate
of one frame every 30 seconds (this may be considered a maximum average rate if
buffering is available).
Data processing will be performed on the observation data to achieve
compression prior to transmission; the method of curve fitting by computing coefficients of
orthogonal polynomial series may be considered as representative of a compaction
algorithm.
In addition to processing data from the on-board instrumentation, there are
expected to be a number of remote sources of information (probes, excursion module)
which will require data processing of experimentation information received via data
links. These remote sources are:
1. Orbital Probe
This probe will be equipped with instrumentation identical to that listed
under items 1, 2 and 3 of the interplanetary instrumentation. The
information rate for this environmental instrumentation is expected
to be of the same magnitude.
2. Landing Probe
One or more of these probes may be expected to be launched prior to
launching the excursion module. Typical instrumentation for such a probe
may include:
Gas densitometer 
Barograph 
Thermistor and Shield 
Radar  Altimeter 
Gas Chromatograph  (or  mass  spectrometer) 
Hi-Energy Particle Detector
Flux-Gate Magnetometer 
X-Ray and UV Photometer (5 bands) 
Sound Velocity Detector 
Ionospheric  Charge  Density  Probe 
The data from these instruments will be transmitted to the mission module.
This data may be expected to consist of 31 channels at a sampling rate of
151 channels/sec total. The resultant total information rate is 1356 bits/sec.
Data processing will be performed on the data for compression prior
to transmission to earth.
3. Mars  Excursion Module 
A listing of some of the  possible  instrumentation on board  the  excursion 
module is given below; this list is by  no means  complete  since  numerous 
experiments  currently undefined may be desired on the  surface of Mars. 
Barograph 
Soil Penetrability  Probe 
Thermistors (air and  ground) 
Flux-gate Magnetometer 
Soil Density Meter 
Anemometer 
Soil Chemical Composition 
Hi-Energy Particle  Spectrometer 
Gamma Ray Scintillator 
Neutron Detector 
Soil Electrical Conductivity 
Sound Velocity  and Seismic Microphone 
Seismic  Detector 
Radiometer, Sweep Frequency 
Insolation Spectrometer 
TV Subsystem 
Data  from these  instruments will be transmitted  to  the  mission module 
where  data  processing will compact the  data  prior  to  transmission  to  earth. 
In addition to achieving  data  compaction by encoding  and curve  fitting 
methods,  the  data  may  be  actually  processed  to  achieve  the end results of 
the  experiment. An example of such an end result is computing the  chemical 
constituents of a soil  sample  based on the  data  from  the  soil  composition 
analyzer  subsystem. 
2.8.3.2 Computational Algorithms 
This section contains a discussion of some of the potential algorithms that may
be implemented for processing the data to achieve data compression and a description
of other computation functions required. Data compression or data reduction may be
grouped into three classes for this application: (1) compression by an encoding or
curve fitting method whereby the data may be reconstructed after compression;
(2) compression by computing some statistical properties of the data (such as mean
and variance) and transmitting only the statistical properties, a method that is useful
when the original data need not be reconstructed; (3) compression by computing the
desired or end objective of the experiment on-board instead of on the ground. These
three general classes will be discussed in more detail below:
2.8.3.2.1 Encoding and Curve  Fitting Data Compression 
1. Debiasing - If the signal is expected to have a small dynamic range with
a large magnitude, it may be advantageous to subtract a bias value (for
example, the RMS value) from each sample and transmit the deviation
from this bias value. An example of the applicability is in the monitoring
of a power supply voltage; the value is expected to have small variations
about some RMS value, say 28 volts. It will require a fewer number of
bits to represent the signal if 28 is subtracted from each sample.
Computation: Y_n - K_Y = T_n
(Where Y_n is the actual value of the n-th sample. K_Y is the bias constant
for the signal Y. T_n is the transmitted value for the sample.)
2. Difference Coding - Instead of transmitting the value of the sample, the
difference between successive samples may be transmitted. This
transmission of first order differences is quite similar in applicability as
debiasing; if the dynamic range between samples is small or the signal
is relatively "smooth," a smaller number of bits will be required for
representation. An important property of the above two methods is that
they introduce no error due to compression.
Computation: Y_n - Y_{n-1} = T_n
3. Zero Order Polynomial Predictor - The Zero Order Polynomial Predictor
(ZOPP) method, commonly known as the floating aperture method, may be
classified as curve fitting as may be all the predictor and interpolator
methods. Basically the ZOPP transmits only the differences between
samples if the differences exceed some preset value (this preset value is
equal to half the aperture width, A). If no value of the difference is
transmitted at time t, the value of the sampled signal is assumed to be
the same as at t-1.
Computation: if |Y_n - Y_{n-1}| > A/2 (Transmit Y_n
4. Zero Order Polynomial Interpolator - The Zero Order Polynomial Interpolator
(ZOPI) is very similar to the ZOPP with the difference being that
instead of predicting succeeding values from past values, successive
data points are examined and a horizontal line fitted to as many consecutive
points as possible without creating errors greater than that permitted.
Rather than attempting to describe the computations mathematically, a
flow chart is given below showing the computations required for a given
sample of the signal:
Y_i is the current sample
K_u is the Upper Bound
K_l is the Lower Bound
A is the aperture width
Y_t is the transmitted difference (difference between horizontal
line approximations)
5. First Order Polynomial Predictor - With this form of prediction, two data
values are used to predict succeeding values. If the prediction is within
the error tolerance, no new data is transmitted; new information is
transmitted only when examination of successive data points reveals one which
does not lie within the predicted region. For the first order polynomial
process, straight lines are involved and the process has the form:
(Case A)
Where: \hat{Y}_t is the predicted value of y at time t
Y_t is the actual value of y at time t
is the information at time t
N is a number of time intervals = (t + n) - (t + k)
k designates the time interval at which the last transmission
of information occurred
A is the magnitude of the permissible maximum error
The difference between Case A and Case B is as follows: With Case A,
when it is necessary to send more information to define a new line, the last
predicted point becomes a point of the new line. With Case B, two new
differences are transmitted, one giving the difference of the first point
of the new line from the last predicted point on the old line, and the second
difference giving the difference between the second point on the new line
and the first point on the new line.
6. First Order Polynomial Interpolator - The First Order Polynomial Interpolator
(FOPI) is an extension of the ZOPI technique. First order polynomials
(straight lines) are fitted to as many succeeding data points as
possible without exceeding a specified error. When the specified error
is exceeded, information sufficient to define a line which fits the previous
data points is transmitted; the examined data point becomes the first of a
new set of points. Successive data points are added to it until the specified
error is exceeded. To specify the approximating line, the following
information is sent:
A 
Yt+n-l - yt+n 
and N where  these terms have  the  same  meaning as used in the  discussion 
of the  FOPP.  The  first  piece of information  sent  defines  the  starting point 
of  the  line,  the  second  its  slope and the  number of intervals, N, the length 
of the line. 
7. Orthogonal Polynomial Series - Orthogonal function series may be employed
for data compression by fitting one series to each successive time interval
of sensor data, and then telemetering the resultant series coefficients
rather than the sensor data itself. As an example, a four term trigonometric
Fourier Series could be fitted to each successive interval of 20 sampled
data values from a sensor, say a video scan, resulting in a possible
compression ratio of 5 to 1. Orthogonal polynomial compactors are well
suited to applications where the sensor is being sufficiently utilized so
that its output data has an information density too high to be reasonably
compacted by neighborhood commonality compression approaches.
This approach does not require a priori assumption or restriction on the
structure of the data other than that it be continuous. Polynomials are
chosen for orthogonal expansion basis functions f_i(x) because of their
properties of providing minimal mean square weighted error power series
approximation, smoothing, and interpolation series for sampled data
environments.
An 11 term compactor series of polynomials f_i(x), over an interval T of
sensor data y(t), 0 <= t <= T, is given by:
where
a. 1 1  = k . j r  w(2 &) fi( 2 A) Y (t) dt 
Here w (2 A) is a compaction error weighting function and the k_i are
normalizing constants. In order to evaluate the coefficient integrals, a_i, on board,
a numerical integration is made, replacing the equation by:
N 
j=O 
a. 1 Y Z  d.. Y( j 5 )  
1J 
where the d_ij are the set of constant multipliers stored on board the
spacecraft. This set of constants, d_ij, are computed on the ground by methods
which will not be gone into here. After receipt of the transmitted coefficient,
a_i, the compacted approximation Y_a(t) to the original data can be recreated
by the series given above.
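Added example (not part of the original report): a Python implementation of the two zero-order methods of items 3 and 4 above, with the matching ground-side decoders, run on constructed samples. Assumptions: the ZOPP comparison is made against the last transmitted (held) value, the ZOPI bound update stands in for the flow chart that does not survive on this page, and all function names are hypothetical.

```python
# Added example: zero-order predictor (ZOPP) and interpolator (ZOPI)
# compaction with decoders. Names and sample data are constructed.

def zopp_encode(samples, aperture):
    """Floating-aperture predictor.

    Returns (first_value, updates), where updates is a list of
    (sample_index, difference) pairs. A difference is sent only when the
    sample leaves the band held_value +/- aperture/2. Assumption: the
    comparison uses the last transmitted (held) value, which is what the
    receiver assumes when nothing arrives.
    """
    if not samples:
        raise ValueError("no samples")
    half = aperture / 2
    held = samples[0]
    updates = []
    for n, y in enumerate(samples[1:], start=1):
        diff = y - held
        if abs(diff) > half:
            updates.append((n, diff))
            held = y
    return samples[0], updates


def zopp_decode(first_value, updates, length):
    """Rebuild the series: hold the last value until a difference arrives."""
    pending = dict(updates)
    held = first_value
    rebuilt = []
    for n in range(length):
        held += pending.get(n, 0)
        rebuilt.append(held)
    return rebuilt


def zopi_encode(samples, aperture):
    """Horizontal-line interpolator.

    K_u and K_l bound the levels a single horizontal line may take and
    still lie within aperture/2 of every sample in the current run. When
    a new sample would push K_l above K_u, the run is closed and the
    difference between this line and the previous one is emitted together
    with the run length. Assumptions: the first difference is taken from
    zero and the line is placed midway between the two bounds.
    """
    if not samples:
        raise ValueError("no samples")
    half = aperture / 2
    runs = []
    previous_level = 0
    k_u, k_l, count = samples[0] + half, samples[0] - half, 1
    for y in samples[1:]:
        new_u, new_l = min(k_u, y + half), max(k_l, y - half)
        if new_l > new_u:                      # sample cannot join this line
            level = (k_u + k_l) / 2
            runs.append((level - previous_level, count))
            previous_level = level
            k_u, k_l, count = y + half, y - half, 1
        else:
            k_u, k_l, count = new_u, new_l, count + 1
    level = (k_u + k_l) / 2
    runs.append((level - previous_level, count))
    return runs


def zopi_decode(runs):
    """Rebuild the series from (level_difference, run_length) pairs."""
    level = 0
    rebuilt = []
    for diff, count in runs:
        level += diff
        rebuilt.extend([level] * count)
    return rebuilt


def max_error(original, rebuilt):
    """Largest absolute reconstruction error."""
    return max(abs(a - b) for a, b in zip(original, rebuilt))


# Constructed telemetry: quiet, ramp up, quiet, step back down.
SAMPLES = [280, 281, 280, 279, 281, 282, 284, 287, 291,
           291, 290, 292, 291, 280, 279, 280, 281, 280]
APERTURE = 4

if __name__ == "__main__":
    first, updates = zopp_encode(SAMPLES, APERTURE)
    rebuilt = zopp_decode(first, updates, len(SAMPLES))
    print("ZOPP:", first, updates, "max error", max_error(SAMPLES, rebuilt))
    runs = zopi_encode(SAMPLES, APERTURE)
    print("ZOPI:", runs, "max error", max_error(SAMPLES, zopi_decode(runs)))
```

Both decoders stay within half the aperture of every sample; on this input the interpolator sends the same number of items as the predictor but with a smaller worst-case error.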
2.8.3.2.2 Compression by Statistical Reduction 
Often only the statistical nature of certain measurement data is of interest as in
the determination of ion density or distribution of meteorite impacts. The data
compression in this case results in the determination of certain statistical parameters
such as the mean or variance, or certain points on a probability distribution curve.
1. Quantiles  Representation 
Further  discussion beyond that given here on this  topic may  be found in 
Reference 15. A basic  assumption involved  in this method is that  the  time 
history of the  measurement  data is of no importance  and  that a probability 
density  curve is what is primarily  desired as a result of the  experiment. 
Representation by quantiles is an effective  means of compressing  data  under 
these assumptions. Basically, this method may be described as follows: 
a probability  density  function (x) is approximated by computing quantiles 
which represent a cumulative  distribution function of the  variable (x). A 
probability density function is shown in Figure 2-5. The variable, x, may 
typically be the  number of particle counts per second and the  curve  for 
many experiments may  have the  normal  distribution shown in Figure 2-5. 
If the  particle  counts are accumulated  for a given period of time,  say 
1000 seconds,  then  the  cumulative  distribution function F(x), shown in 
Figure 2-6, may be approximated by the  quantiles Q(n) where  these  quantiles 
represent  the  number of times (or frequency) particle counts up to  some 
value, X, were received in the given time period, 1000 seconds. The 
value  and  number of the  quantiles  to  be  used is set and  then  the  particle 
counts are accumulated for the time period. At the end of the time period
the number of the particle counts of a given value received (starting from 0
and working towards the maximum N) are counted until the first quantile is
reached, the value of X resulting in this quantile is stored, and the process
is continued until the desired number of quantiles are computed. It has
been shown that four quantiles may be sufficient for a statistical
representation.
[Figure 2-5. Probability Density Function]
[Figure 2-6. Cumulative Distribution Function, with values X1, X2, ..., XN marked]
Computation:
During Fixed Sampling Period:
Accept input data X
Update frequency of data X
At End of Sampling Period:
Add frequency of X sequentially starting from x = 0.
If the cumulative frequency exceeds Q1 store the value of X
and use the next quantile Q2.
Continue until all quantiles are computed.
Output the values of Q and associated values of X.
2. Representation by Moments 
In addition to  the  statistical method described above, another  statistical 
approach is to compute  the  moments  directly. In general  the  pth  moment 
is given by: 
The  second  moment (P = 2) is called  the  variance and the  first moment  the 
mean. The mean is given by: 
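Added example (not part of the original report): the quantile computation of item 1 and the mean and variance of item 2, both taken from one frequency table in Python. Assumptions: the threshold levels (20, 40, 60 and 80 percent of 1000 readings), the function names and the constructed readings are illustrative, and the variance is computed about the mean.

```python
# Added example: quantile and moment reduction of particle-count data.
# Names, thresholds and readings are constructed for illustration.

def accumulate(readings, max_count):
    """During the sampling period: update the frequency of each value X.

    Readings above max_count are clamped into the top bin so that a burst
    cannot index past the table; negative readings are rejected.
    """
    freq = [0] * (max_count + 1)
    for x in readings:
        if x < 0:
            raise ValueError("particle count cannot be negative")
        freq[min(x, max_count)] += 1
    return freq


def quantiles(freq, thresholds):
    """At the end of the period: add frequencies from x = 0 upward and
    record the value of X at which the cumulative frequency exceeds each
    threshold Q1, Q2, ... (ascending, expressed as counts).

    A threshold that is never exceeded is simply not reported.
    """
    if list(thresholds) != sorted(thresholds):
        raise ValueError("thresholds must be ascending")
    remaining = list(thresholds)
    found = []
    cumulative = 0
    for x, f in enumerate(freq):
        cumulative += f
        # One value of X can satisfy several thresholds at once.
        while remaining and cumulative > remaining[0]:
            found.append((remaining.pop(0), x))
    return found


def moments(freq):
    """Mean and variance (second moment about the mean) from the table."""
    total = sum(freq)
    if total == 0:
        raise ValueError("no readings accumulated")
    mean = sum(x * f for x, f in enumerate(freq)) / total
    variance = sum((x - mean) ** 2 * f for x, f in enumerate(freq)) / total
    return mean, variance


# Constructed readings: 1000 one-second particle counts. The order of the
# readings is irrelevant to the result, which is the premise of the method.
PATTERN = [5, 6, 4, 5, 6, 7, 5, 6, 3, 5, 6, 4, 7, 5, 6, 8, 5, 6, 4, 7]
READINGS = PATTERN * 50
THRESHOLDS = [200, 400, 600, 800]   # assumed quantile levels, as counts

if __name__ == "__main__":
    table = accumulate(READINGS, max_count=15)
    print("frequency table:", table)
    print("quantiles (Q, X):", quantiles(table, THRESHOLDS))
    print("mean, variance:", moments(table))
```

The 1000 readings reduce to four (Q, X) pairs, or to two numbers when only the moments are sent.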
2.8.3.2.3 Compression by Complete Data Reduction 
This method of data compression differs from the above two (2.8.3.2.1
and 2.8.3.2.2) in that it is not specified by a unique mathematical algorithm and its
approach is to compute the desired end objective of an experiment on-board, based
on the raw data from the sensors. Obviously the computational algorithms depend
on the particular experiments and two applications of this approach will be given
here:
1. Experiment: Composition Analysis 
An experiment to analyze a soil  sample may consist of bombarding  the 
sample with alpha particles and measuring  the  returned  scattered  energy. 
This  scattered  energy  spectrum may  be  analyzed  to  yield  the  elemental 
composition of the  sample. A typical  result  from  such an experiment is 
shown in Figure 2-7. This sample consisting of potassium, carbon, and 
oxygen may  be  completely  analyzed on board  rather  than  transmitting  the 
scattered  energy  data  to  the ground. The  procedure  used  may  be of a 
least squares fit to  reference  curves  stored on board,  computing the 
slopes o r  breakpoints on the  curves and determining  the  elements, o r  many 
other  possible  curve  fitting  methods. Some  additional  discussion beyond 
that  here may  be found in  reference 10 on this  experiment. 
[Figure 2-7. K2CO3 Alpha Spectrum; horizontal axis: CHANNEL NO.; labelled feature: CARBON]
2. Experiment: Human Performance
The objective of this experiment is to measure samples of crew member
performance on a set of tasks to detect any changes in his environment.
The results of this experimentation will be compared with biomedical data
to see what correlation exists and provide an evaluation of the effects of
environment on human capability. A typical performance test unit may
consist of a panel with colored warning lights and response buttons and
arithmetic indicators. The experiment data may consist of responses to
warning lights and results from arithmetic manipulations. Some of this
data may be reduced by the computer on board by computing the desired
end results. A set of computations for reduction of such data may be
described by:
a. Reduce data from warning light tests:
(1) Compute mean response time for each of 10 lights
(5 red, 5 green)
$$t_m^j = \frac{1}{n}\sum_{i=1}^{n} t_i^j$$
where $t_i^j$ is the ith measured response time of the jth
light, j = 1 to 10, n = 60
(2) Compute grand mean for red lights
(3) Compute grand mean for green lights
$$t_{GMG} = \frac{1}{5}\sum_{j=6}^{10} t_m^j$$
(4) Search through red response times and determine minimum.
(5) Search through red response times and determine maximum.
(6) Search through green response times and determine minimum.
(7) Search through green response times and determine maximum.
(8) Compute mean response time for red/5 minute period
$$t_R^m = \frac{1}{50}\sum_{k=1}^{50} t_R^k$$
where 10 measurements are assumed for each of the 5 red lights
during a 5 minute period. If the test lasts 30 minutes, six of
these response times need to be calculated.
(9) Compute mean response time for green/5 minute period
b. Reduce data from arithmetic tests:
(1) Compute percent correct/total period.
(2) Compute percent correct/each 5 minute period.
(3) Compute mean time to solve for total period.
$$t_m = \frac{1}{30}\sum_{i=1}^{30} t_i$$
(4) Compute mean time to solve for each 5 minute period.
$$t_{m_5} = \frac{1}{10}\sum_{i=1}^{10} t_i$$
(5) Compute minimum and maximum response time of total period.
(6) Compute minimum and maximum response time of each 5 minute
period.
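The warning light reduction in list a above, written out as an added Python example (it is not code from the report). The record layout, the millisecond units and the response times themselves are constructed for illustration; the light numbering (1 to 5 red, 6 to 10 green), n = 60 and the 5 minute period follow the text.

```python
from statistics import mean

RED, GREEN = range(1, 6), range(6, 11)   # lights j = 1..5 are red, 6..10 green
PERIOD_S = 300                           # one 5 minute period


def constructed_records():
    """Constructed 30 minute test: every light is answered once per 30 s (n = 60)."""
    records = []
    for j in range(1, 11):
        for i in range(60):
            t = 30 * i + 3 * (j - 1)                       # time of the response, s
            rt_ms = 400 + 10 * j + 20 * (i // 10) + i % 10  # slow drift per period
            records.append((t, j, rt_ms))
    return records


def reduce_warning_light_data(records):
    """Reduce raw (time_s, light_j, response_ms) records to the end results."""
    by_light = {j: [] for j in range(1, 11)}
    by_period = {"red": {}, "green": {}}
    for t, j, rt in records:
        by_light[j].append(rt)
        colour = "red" if j in RED else "green"
        by_period[colour].setdefault(int(t // PERIOD_S), []).append(rt)

    light_mean = {j: mean(v) for j, v in by_light.items()}          # step (1)
    summary = {"light_mean": light_mean}
    for colour, lights in (("red", RED), ("green", GREEN)):
        times = [rt for j in lights for rt in by_light[j]]
        periods = by_period[colour]
        summary[colour] = {
            "grand_mean": mean([light_mean[j] for j in lights]),    # steps (2), (3)
            "min": min(times),                                      # steps (4), (6)
            "max": max(times),                                      # steps (5), (7)
            "period_mean": [mean(periods[k]) for k in sorted(periods)],  # (8), (9)
        }
    return summary


def word_count(summary):
    """Number of values left to transmit after reduction."""
    return len(summary["light_mean"]) + sum(
        3 + len(summary[c]["period_mean"]) for c in ("red", "green"))


if __name__ == "__main__":
    raw = constructed_records()
    result = reduce_warning_light_data(raw)
    print(len(raw), "raw samples reduced to", word_count(result), "values")
    print("red grand mean (ms):", result["red"]["grand_mean"])
    print("red 5 minute means (ms):", result["red"]["period_mean"])
```

With ten responses per light per period, each red period mean is taken over 50 measurements and a 30 minute test yields six of them, as the text states.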
2.8.3.2.4 Sensor Sequencing and Scheduling 
The scientific instrumentation consists of a variety of sensors as described
previously (2.8.3.1). During any one phase such as the interplanetary cruise, it may
be desirable to implement various portions of experiments based on other events or
conditions, some of which may be predetermined and others adaptive. Thus, as
conditions such as distances from planetary bodies change, scientific phenomena such
as solar activity change. The instrumentation may be utilized in a manner to collect
the optimum amount of information.
2.8.3.2.5 Sensor Pointing and Control 
The computer requirements will be broken down to two distinct phases for
processing of information from the scientific instrumentation, interplanetary and
Mars Orbital, since these are the two major differences in terms of experiment
utilization.
These requirements are given in Tables 2-3 and 2-4. Storage, speed, and word
length are given for each of the computational functions presented in section 2.8.3.2.
The numerical values were obtained from a trial programming procedure using the
data presented in section 2.8.3.2 and assumptions where necessary.
2.8.4 System Checkout 
This function consists of various performance monitoring and self-test
operations. In general, it is desired to achieve (a) malfunction detection, and
(b) malfunction isolation. These items are achieved by two basic programs in the
computer: (a) the status evaluation program, and (b) the status utilization program.
The status evaluation program is entered into first and three basic types of
tests are performed on parameters monitored: (1) range evaluation (tolerance test),
(2) rate evaluation, and (3) failure prediction; each parameter may be subject to one
or more of these tests. Upon detection of a parameter out of tolerance in any test, the
crew is advised of the result on the display panel. Then the out of tolerance condition
results in an exit to a status utilization program. This program may read in additional
parameters and perform further tests on these parameters in an attempt to isolate
the malfunction. Upon completion of the utilization program, the evaluation program is
re-entered to complete the remainder of the monitoring program.
Some of the status monitoring data may also be transmitted to the ground. In
this case, data compression (as described in the scientific instrumentation section)
may be applied to reduce the transmission requirements.
A flow chart is shown in Figure 2-8 describing the status evaluation functions.
The status evaluation routine in this drawing may be considered as the isolation
routines.
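The status evaluation and status utilization programs described above, sketched as an added Python example (not code from the report). The parameter names, limits and telemetry are constructed, and "failure prediction" is assumed here to mean extrapolating a least-squares trend over a look-ahead horizon, which the report does not specify.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Param:
    name: str
    low: float                          # range (tolerance) limits
    high: float
    max_rate: Optional[float] = None    # allowed |change| per second; None = no rate test
    horizon_s: Optional[float] = None   # prediction look-ahead; None = no prediction test
    related: Tuple[str, ...] = ()       # extra parameters read by the utilization program


def range_ok(p, s):
    """Range evaluation (tolerance test) on the latest sample."""
    return p.low <= s[-1][1] <= p.high


def rate_ok(p, s):
    """Rate evaluation on the two latest samples."""
    if p.max_rate is None or len(s) < 2:
        return True
    (t0, v0), (t1, v1) = s[-2], s[-1]
    return abs(v1 - v0) / (t1 - t0) <= p.max_rate


def trend(s):
    """Least-squares slope of value against time."""
    n = len(s)
    mt = sum(t for t, _ in s) / n
    mv = sum(v for _, v in s) / n
    return sum((t - mt) * (v - mv) for t, v in s) / sum((t - mt) ** 2 for t, _ in s)


def prediction_ok(p, s):
    """Failure prediction (assumed method): will the trend leave the range soon?"""
    if p.horizon_s is None or len(s) < 3:
        return True
    projected = s[-1][1] + trend(s) * p.horizon_s
    return p.low <= projected <= p.high


TESTS = (("range", range_ok), ("rate", rate_ok), ("prediction", prediction_ok))


def status_utilization(p, table, telemetry):
    """Read the additional parameters and test them to isolate the malfunction."""
    return [r for r in p.related if not range_ok(table[r], telemetry[r])]


def status_evaluation(monitored, table, telemetry):
    """Run the tests on each monitored parameter; return the display panel entries."""
    display_panel = []
    for name in monitored:
        p = table[name]
        for label, test in TESTS:
            if not test(p, telemetry[name]):
                suspects = status_utilization(p, table, telemetry)  # exit to isolation
                display_panel.append((name, label, suspects))
                break               # return and continue with the next parameter
    return display_panel


# Constructed limits and telemetry; samples are (time in seconds, value).
TABLE = {p.name: p for p in (
    Param("bus_voltage", 26.0, 30.0, max_rate=0.5,
          related=("battery_temp", "regulator_current")),
    Param("cabin_pressure", 4.8, 5.2, max_rate=0.01, horizon_s=600.0,
          related=("o2_tank_pressure",)),
    Param("gyro_temp", 50.0, 70.0, max_rate=0.2, horizon_s=300.0),
    Param("fuel_cell_temp", 70.0, 90.0, max_rate=0.5, horizon_s=60.0),
    Param("battery_temp", 0.0, 40.0),
    Param("regulator_current", 0.0, 12.0),
    Param("o2_tank_pressure", 800.0, 900.0),
)}
TELEMETRY = {
    "bus_voltage": [(0, 28.1), (1, 28.0), (2, 25.4)],            # out of range
    "cabin_pressure": [(0, 5.10), (60, 5.07), (120, 5.04), (180, 5.01)],  # slow leak
    "gyro_temp": [(0, 60.0), (1, 60.1), (2, 61.0)],              # in range, fast rise
    "fuel_cell_temp": [(0, 80.0), (1, 80.1), (2, 80.1)],         # nominal
    "battery_temp": [(2, 22.0)],
    "regulator_current": [(2, 14.5)],
    "o2_tank_pressure": [(180, 850.0)],
}
MONITORED = ["bus_voltage", "cabin_pressure", "gyro_temp", "fuel_cell_temp"]

if __name__ == "__main__":
    for name, failed_test, suspects in status_evaluation(MONITORED, TABLE, TELEMETRY):
        print(f"{name}: failed {failed_test} test, suspects: {suspects or 'none found'}")
```

The cabin pressure case passes both the range and rate tests and is caught only by the prediction test, which is the reason for running all three kinds of test on one parameter.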
Table 2-3. Interplanetary Experiment Computer Requirements

                                           Storage (Words)       Speed (Operations/Sec)   Word Length
Function                                  Instr.  Const.  Var.      Short      Long          (Bits)
1. Data Compression
   a. Debiasing                              17       2      4        0.5        -             10
   b. Difference Coding                      19       0    100        7          -             10
   c. Zero Order Polynomial Predictor        20      21     75        7.5        -             10
   d. Zero Order Polynomial Interpolator    110      19    100       41          -             10
   e. First Order Polynomial Predictor       73      19    100       27          0.5           10
   f. First Order Polynomial Interpolator   175      19    100       64          0.5           10
   g. Orthogonal Polynomial Coefficients    324      24    300     6361        522             12
   h. Quantiles Computation                  76     300    380       33          -             10
   i. Moment Computation                     57       5    150       30          1             10
   j. Data Reduction                        250       5    700       20          1             14
2. Sensor Sequencing and Scheduling         750     125    150      200          2             16
3. Sensor Pointing and Control              600      50     26     1000        400             16
Table 2-4. Mars Orbital Experiment Computer Requirements

                                           Storage (Words)       Speed (Operations/Sec)   Word Length
Function                                  Instr.  Const.  Var.      Short      Long          (Bits)
1. Data Compression
   a. Debiasing                              17       5     10       340         -             10
   b. Difference Coding                      19       0    220      2900         -             10
   c. Zero Order Polynomial Predictor        20      45    160      3000         -             10
   d. Zero Order Polynomial Interpolator    110      41    210     16500         -             10
   e. First Order Polynomial Predictor       73      41    210     10800       200             10
   f. First Order Polynomial Interpolator   175      41    210     25600       200             10
   g. Orthogonal Polynomial Coefficients    324      40    520   110,000    35,300             12
   h. Quantiles Computation                  76     630    800     12700         -             10
   i. Moment Computation                     57      11    315     12000       400             10
   j. Data Reduction                        750       5    900      1000        20             14
2. Sensor Sequencing and Scheduling        1000     175    200       500         5             16
3. Sensor Pointing and Control             1500     100     75     10000      4000             16

Note: Some of the storage requirements for these two phases are duplicated, and
therefore they may not be summed up, e.g., total storage required for
"Difference Coding" for the entire mission is 19 instructions.
Figure 2-8. Flow Chart for Status Monitoring Routine (blocks: obtain ith parameter from memory; perform range, rate, and failure prediction tests; isolation routine)
2.9 COMPUTER REQUIREMENTS 
In the previous sections the computer functions have been presented and in this
section the computer requirements shall be given. Before presenting the requirements,
it may be worthwhile to discuss in general the methods used in obtaining the
requirements. Basically the computer requirements are determined by investigating the
equations and functional flow diagrams necessary for implementation of the system.
Analysis of these identifies: (1) subfunctions for commonality, thereby resulting in
possible subroutines, and (2) interdependence, i.e., the determination if partial
results are required in later computations. A trial programming procedure is then
used to obtain the requirements. Trial programming is coding without concern for
address location or optimum coding. The requirements are then derived in terms
of storage and speed.
The computer requirements for the multiprocessor study were first derived
assuming a basic GP computer with a basic instruction repertoire was available;
the requirements were then derived assuming certain features available such as
indexing, multiple accumulators, etc. Appendix 1 contains a tabulation of the
requirements obtained assuming a basic GP computer. The requirements are tabulated as
storage (instructions, constants, and variables) in words, speed (short: Add, Subtract,
etc. and long: Multiply, Divide, etc. operations) in operations per second, and word
length in bits where available. A detailed tabulation of the requirements for all the
functions in every phase of the mission is given in this appendix. It should be
remembered when reading this appendix that no special features such as indexing,
multiple accumulators, indirecting, etc. were assumed and no consideration was given
to banking and computer word length, i.e., double precision and half length requirements
were not considered in determining the speed and storage requirements.
Tradeoffs were made on machine features by evaluating the effects on the
requirements. These tradeoffs will be discussed in detail in Section IV,
Paragraph 4.2.1. The requirements presented here in Table 2-5 are based on the
following assumptions: an 18 bit word size computer with considerations of multiple
precision operations and banking requirements, two accumulators are available, one
index register is available, and a basic instruction repertoire is available. It should
be noted that no provision is made for executive, self test, utility subroutines or
input/output requirements in the numbers given in Table 2-5. A rough estimate of the
total requirements can be determined, if desired, by approximately a 20-25% increase
in the figures given in Table 2-5. (This also holds true for Appendix 1.)
Storage requirements given below are the total number of words for instructions,
constants, and variables; speed requirements are the total number of operations per
second (equivalent short operations where it is assumed a long operation = 3 x short
operation).
It should be noted for the purpose of presenting the requirements that the mission
has been broken down into twenty phases. The requirements for the four basic functions
described in paragraph 2.8 are given for each of these twenty mission phases.
Table 2-5. Computer Requirements by Mission Phase

Mission Phase                        Storage (words)   Speed (short ops/sec)
1. ATM. ASCENT
   a. Navigation and Guidance               664                1852
   b. Telecommunication                     600                1600
   c. Scientific Experiments                  -                   -
   d. Status Monitor                        960                1360
   Total                                   2224                4812
2. EARTH ORBITAL
   a. Navigation and Guidance              6143              101202
   b. Telecommunication                     600                1600
   c. Scientific Experiments                  -                   -
   d. Status Monitor                       3560                8000
   Total                                  10303              110802
3. TRANS MARS INJ.
   a. Navigation and Guidance              1994               51904
   b. Telecommunication                     600                1600
   c. Scientific Experiments                  -                   -
   d. Status Monitor                       1820                4050
   Total                                   4414               57554
4. TRANS MARS COAST
   a. Navigation and Guidance              5026               65360
   b. Telecommunication                    2800                6500
   c. Scientific Experiments               4753               10572
   d. Status Monitor                       3560                8000
   Total                                  16139               90432
5. TRAJ. CORR.
   a. Navigation and Guidance              2479              133904
   b. Telecommunication                    2000                6500
   c. Scientific Experiments               4753               10572
   d. Status Monitor                       1820                4050
   Total                                  11052              155026
6. SPIN UP
   a. Navigation and Guidance              1060               63000
   b. Telecommunication                    2800                6500
   c. Scientific Experiments               4753               10572
   d. Status Monitor                       1820                4050
   Total                                  10433               84122
Table 2-5. (Cont)

Mission Phase                        Storage (words)   Speed (short ops/sec)
7. SPIN CRUISE
   a. Navigation and Guidance              5616               69160
   b. Telecommunication                    2800                6500
   c. Scientific Experiments               4753               10572
   d. Status Monitor                       3560                8000
   Total                                  16729               94232
8. DESPIN
   (Same as 6. SPIN UP)                   10433               84122
9. MARS APPR. CORR.
   a. Navigation and Guidance              2799              133904
   b. Telecommunication                    2800                6500
   c. Scientific Experiments               4753               10572
   d. Status Monitor                       1820                4050
   Total                                  12172              155026
10. AEROBRAKING
   a. Navigation and Guidance              3400               42000
   b. Telecommunication                    2800                6500
   c. Scientific Experiments               4753               10572
   d. Status Monitor                       1820                4050
   Total                                  12773               63122
11. MARS ORBIT INJ.
   a. Navigation and Guidance              1329               39904
   b. Telecommunication                    2800                6500
   c. Scientific Experiments               4753               10572
   d. Status Monitor                       1820                4050
   Total                                  10702               61026
12. MARS ORBITAL
   a. Navigation and Guidance              6143              101202
   b. Telecommunication                    5730               15000
   c. Scientific Experiments               6840              255000
   d. Status Monitor                       3560                8200
   Total                                  22273              379402
13. TRANS EARTH INJ.
   a. Navigation and Guidance              1749               55704
   b. Telecommunication                    2800                6500
   c. Scientific Experiments               4753               10572
   d. Status Monitor                       1820                4050
   Total                                  11122               76826
Table 2-5. (Cont)

Mission Phase                        Storage (words)   Speed (short ops/sec)
14. TRANS EARTH COAST
   (Same as 4. TRANS MARS COAST)          16139               90432
15. TRAJ. CORR.
   (Same as 5. TRAJ. CORR.)               11052              155026
16. SPIN UP
   (Same as 6. SPIN UP)                   10433               84122
17. SPIN CRUISE
   (Same as 7. SPIN CRUISE)               16729               94232
18. DESPIN
   (Same as 8. DESPIN)                    10433               84122
19. EARTH APPR. CORR.
   a. Navigation and Guidance              3544              193904
   b. Telecommunication                     600                1600
   c. Scientific Experiments                  -                   -
   d. Status Monitor                       1820                4050
   Total                                   5964              199554
20. EARTH RE-ENTRY
   a. Navigation and Guidance              6200               63360
   b. Telecommunication                     600                1600
   c. Scientific Experiments                  -                   -
   d. Status Monitor                       1820                4050
   Total                                   8620               69010
Two graphs are given (Figure 2-9, Figure 2-10) showing the speed and storage
requirements per phase. Each of these graphs consists of computations performed
continuously (shown as solid lines) and computations that may be performed
periodically (shown as dotted lines). It should be noted that speed requirements which are
periodic are not additive - that is, they will not require simultaneous computation of
their periodic programs. These periodic computations are 1/2 hour every 3 days
(Navigation and Guidance functions), 1/2 hour every 5 hours (scientific experiments),
and on demand (checkout functions). It should be noted that only a portion of the
above three functions can be broken down into such periodic portions. In addition,
these periodic functions may be scheduled so as not to occur during short duration
phases such as 5, 6, 8, 9, 10, 11, 13, 15, 16, and 18. This is why the speed and
storage requirements on the graphs are lower in these phases than those given in
Table 2-5. It should be noted that the total storage required for the other phases
shown in Figure 2-9 corresponds exactly to that given in the table. (Note that the
storage shown in dotted lines is required periodically only.)
However, this is not the case for the total speed required per phase as shown
in Figure 2-10. In phases 4, 7, 14, and 17 when the periodic requirements exist,
the speed requirements are actually greater than those given in the table. This is
due to the fact that the requirements for the functions were listed in the table as
continuous requirements. If functions are performed periodically, in particular the
scientific experiments data handling, there must be more data processed in a shorter
period of time. This increase in processing speed may be varied by changing the
on/off ratio of the function. The 1/2 hr/5 hrs for the experiment data processing
gives a 1/10 ratio, which gives approximately an increase in speed by a factor of
10 over the speed requirement of this function if it were processed continuously.
Figure 2-9. Computer Storage Requirements (storage versus mission phase; dashed lines indicate functions that may be performed periodically)
Figure 2-10. Computer Speed Requirements (speed versus mission phase; dashed line indicates functions that may be required periodically)
These periodic requirements were pointed out since they may affect the design
of a multiprocessing system. This may be seen from Figures 2-9 and 2-10 since it
may now be possible to turn a portion of storage in a computer on and off periodically
which may have the effect of reducing power consumption and also increasing
reliability.
It is important to note here that the total storage requirement varies from phase
to phase. The storage has not been cumulatively added from phase to phase since it
has been assumed that a bulk storage facility will be available for storing the programs
required in each phase. If the computer were required to store the programs for the
entire mission the total storage required per phase would increase considerably. The
effects of this type of storage approach can be seen by examining the chart shown in
Appendix A.
The above discussions have established the computer system speed and storage
requirements. However, there are several other considerations that affect the
computer requirements:
There are several phases in which the computations being carried out may be
considered as "critical." The critical computations have two distinct considerations:
failure detection and reconfiguration. Phases 10 and 20, Mars Aerobraking and Earth
re-entry, contain critical computations; the navigation and guidance computations of
these phases are critical in both failure detection and reconfiguration. The critical
nature of these computations can be appreciated if one considers that as part of the
navigation and guidance function, attitude commands are being computed and the vehicle
may be near a temperature or acceleration limit; loss of attitude commands may
possibly cause destruction of the vehicle. After investigating the navigation and
guidance function for these entry phases, a total time of 5 seconds was defined as the
maximum acceptable to detect a failure and also reconfigure the computation;
reconfiguration is defined here as having the computational program with all the necessary
values of the variables mechanized and being performed correctly in a computational
facility after a detected failure.
It should be noted here that during phase 10, Mars aerobraking, the round trip
communication time delay may be on the order of 30 minutes. This time delay makes
it unfeasible to rely on earth based assistance during such a critical phase.
Another important point to note is that two reliability requirement constraints
may be identified: Probability of Success and Availability. Probability of success is
the appropriate parameter to consider as a reliability requirement during the critical
phases of the mission while availability should be considered for the non-critical
phases such as cruise and coast. Probability of success is not a very meaningful
term in the non-critical phases; a computer failure has different effects on the
mission depending on whether it occurred in critical or non-critical phases. Generally
what one is interested in during the non-critical phases is what portion of that phase
the computer system is operating correctly, or availability of the computer system.
Phases 3, 5, 9, 11, 13, 15 and 19, which are basically trajectory corrections,
may also be considered critical. However, the computations are critical only in terms
of failure detection and once again the 5 second figure should be the maximum time
allowed to detect a failure. Unlike the critical computations during the entry phases,
loss of the computations during the above phases can simply result in shutting down
the thrust motor with no catastrophic results; therefore, reconfiguration is not critical.
The critical factor is to detect a failure and terminate the thrusting maneuver; after
the failure is repaired a new trajectory calculation can be made and a new correction
computed and applied. (This does not preclude the possibility of being able to
reconfigure in 5 seconds also, since this requirement imposed by phases 10 and 20 may
result in having this capability in these other critical phases also, particularly since
phase 20 is the last phase of the mission.)
This Section has presented computer system requirements for the manned Mars
mission. Based on these requirements various multiprocessing concepts shall be
considered to evaluate their potential in meeting these requirements.
III. COMPONENT TECHNOLOGY
3.1 INTRODUCTION 
In establishing the multiprocessor configurations and performing the tradeoffs
to determine the most promising approach it is necessary to establish the
technologies to be used in memories and circuits. The time period of interest for the Manned
Mars Mission is 1980; however the technology time frame should be 1973-1975.
This means that a usable technology must be in production by this time in order to
allow for prototype construction and testing, and final design and construction of the
computation system. The prototype system will of course need extensive reliability
tests (greater than a year). Computer technology has had such a drastic change over
the last six to eight years that it is hard to predict the most applicable technology at
the end of the next six to eight years. Since it is desirable to choose a specific
technology so that the study can proceed on a relatively concrete basis, a reasonable
approach seems to be to examine technologies currently under development, use
their functional characteristics for design, and extrapolate their physical
characteristics to 1975 in order to perform tradeoffs. This is the approach being used.
3.2 CIRCUIT  TECHNOLOGY 
3.2.1 Introduction 
In the  semiconductor  industry  the  trend is toward more complex array type 
structures  in which hundreds of circuit functions are interconnected on a single chip. 
This approach provides lower power and higher reliability. The power is reduced 
primarily because interconnection capacitance is reduced. Reliability is primarily 
increased  because  there is an order of magnitude  reduction in components and 
connections. The array type structures  are  currently being produced in limited 
quantities;  however,  it is expected  that by 1975 the  array type  approach will be a 
common  proven  technology. 
Presently  there  are two device  approaches  available which are compatible with 
array fabrication techniques: MOS, and bipolar IC's. 
The circuit technology under  primary  consideration  for  this study is MOS 
(Metal-Oxide-Semiconductor). In particular, by the 1973-1975 time frame isolated 
MOS devices on an insulating  substrate  (heteroepitaxial technology)  should  have 
proven high reliability, low power and cost, and good radiation resistance. An 
example of this technology is the Silicon-on-Sapphire (SOS) circuitry  presently being 
developed at Autonetics. As a result  the  sections of this report  discussing  circuit 
implementations will refer to  the use of MOS-SOS chips. The densities and packaging 
used will be those  assumed to be reliably  feasible in 1975. 
3.2.2 Advantages of MOS-SOS For Space
The SOS technology consists of a sapphire substrate with interconnected thin
film silicon devices on one surface. The devices are fabricated in
electrically-isolated islands of the silicon film. Array intraconnections are made by vacuum
deposited aluminum or other metal films. The result is a fully integrated thin film
circuit array on an insulating substrate employing single crystal silicon material and
silicon integrated circuit batch fabrication processes. This technique thus possesses
the electrical isolation and design flexibility of thin film-hybrid circuits which is the
essential attribute necessary to succeed in making large, high density functional
devices. It also provides all the advantages associated with MOS technology.
Figure 3-1 shows a cross-sectional view of a MOS-SOS field effect transistor.
For space applications MOS should prove to be the technology of the future for
a number of reasons. Its power drain is significantly lower than that associated with
bipolar circuits. The higher yields and much smaller size of MOS enable MOS chip
complexities to be increased over that of bipolar. It is anticipated that the increase
in density offers the potential of a greater reliability since fewer packages and
intraconnections are necessary in a given system. (Data tends to point to the fact
that the number of packages in a system and not the complexity of the packages has
the dominant effect on system reliability.) Simpler processing and this same high
density also gives MOS circuitry the potential for a large cost savings. The only
present disadvantages associated with MOS circuitry compared to bipolar circuitry
are its slower speed and lower radiation resistance. The speed difference should be
somewhat overcome by the development of practical MOS-SOS complementary
circuits. These circuits presently yield 10 ns gate switching speeds in Autonetics'
labs. However, in space applications the requirements for computation speed as
defined in the previous chapter are not severe and in any case can be more reliably
met by multiprocessor organizations such as those under study on this contract.
Very high radiation resistance is at least not a requirement for manned space
missions; however, it may be for other missions. Studies are presently being
carried out to investigate such developments as new insulation layers in MOS
devices. Replacement of SiO2 by other insulators such as MgO offers the
possibility, by 1975, of an increase in the radiation resistance of MOS devices by an order
of magnitude or more. MgO MOS devices have been made in Autonetics' labs.
Figure 3-1. Cross-Section of P-Channel Junction Type MOS/SOS Transistor (labels: gate strip, metal drain, silicon island, sapphire; dimensions marked 0.1 micron and 10 microns)
As mentioned earlier, the fabrication method associated with MOS-SOS devices
gives it a number of attributes beyond those of bulk MOS devices. A few of these are
listed:
1. The electrical isolation of all elements and interconnections on an
insulator enables fabrication of devices with better electrical
characteristics, with multilayer interconnections, and with the possibility for
improved reliability. A reliability improvement is possible since less
silicon surface area is available for failures, such as shorts through the
SiO2 layer.
2. Negligible parasitic lead capacitance and no substrate capacitance
means that transient power can be reduced by a factor of two or more.
3. The transparency along with good thermal conducting properties of
the sapphire substrate provide excellent opportunity for packaging
innovations.
4. High tolerance to radiation (compared to bulk MOS) is expected due to
the inherent device isolation and small device junction size.
There are a number of other points of interest in a discussion of the advantages
of MOS-SOS for space applications; however, the above discussion should adequately
substantiate the choice of a heteroepitaxial technology (MOS-SOS). In short, this
technology should be well established by 1975 and should also offer reliability, power,
and cost advantages over other technologies.
3.2.3 MOS/SOS Characteristics for 1973-1975
As mentioned earlier, an accurate estimation of the physical properties of
MOS/SOS in the 1973-1975 time frame is difficult to make. Such an estimation would
most likely be conservative since actual processing breakthroughs cannot be
anticipated. In any case to make estimations, Autonetics' past experience in its MOS
and MOS/SOS pilot line construction of complex chips (800 FET's per 100 x 150 mil
chip) and from Research and Development Lab work on MOS/SOS technology was used.
The present MOS devices (FET's) are about .3 by .8 mils (larger devices are also
used) and can be spaced approximately 1.2 mils center to center (present MOS/SOS
devices cannot quite do this well); however actual complex circuits need so many
lines and crossovers that the average densities are not nearly this high (800 FET's
per 100 x 150 mils). Future multi-level crossover development and interconnection
schemes along with smaller devices should enable circuits to be built with an average
center to center spacing of 2 mils; however, this will require a considerable amount
of MOS/SOS process improvement. In order to be slightly conservative an average of
2 mils center to center spacing will be used for 1975 MOS circuits. This gives
approximately 5,500 FET's per 150 mils square. The actual chip size to produce
good yields on complex circuits is not clear; however, 150 mils seems reasonable
and will be chosen as a conservative estimate. The actual number of FET's probably
lies in a range around 5,600, such as 4,000 to 6,500. Clearly, a few processing
breakthroughs enabling yields to be increased would make larger chips available.
For example, a 200 mil square chip (or larger) may well be usable in the 1975 time
frame. Such a chip could contain 10,000 FET's. The 5,500 density number will be
used to estimate the number of MOS/SOS chips necessary for implementation of any
given candidate. In these estimates it is not critical as to whether the chip is 150 mils
square or 200 mils square. The only fact of importance is that a small chip with
5,500 devices can be produced with reasonable yields.
Complementary MOS/SOS circuits presently show 5 to 10 ns unloaded gate
switching speeds in the lab; as a result these devices in production in the 1975 time
frame should be capable of operating at a five megacycle or better clock rate. The
processors under consideration for this mission only require about a two megacycle
clock; consequently, the MOS/SOS chips will easily be able to handle the speed
requirements.
MOS chips are presently packaged in forty lead packs. This situation should be 
improved with future packaging methods. As an aid, for example, lines could be 
fanned out on the  sapphire  substrate so that larger packages could be used. Again, it 
is difficult to predict  the  development of the packaging  technology, but it should 
certainly be reasonable to expect 100 to 150 pin packs for MOS/SOS chips  in  the 1975 
time frame. 
3.3 MEMORY TECHNOLOGY
Three  main  types of memory have  been considered  for  the  multiprocessing 
candidate systems. These are DRO core memory, NDRO magnetic memory, and 
NDRO semiconductor (MOS/SOS) memory. 
All three  approaches have  been considered  for  the  multiple  computer and modular 
multiprocessor  organizations. The NDRO magnetic  memory  has been chosen over  the 
DRO core  structure  for the 1975 time  frame. The reasons behind this choice along 
with a discussion of these two approaches are given in Section VI. In short, the NDRO 
magnetic structure  offers  increased  reliability due to less sensitivity to transients, 
high quality  control  from a batch  processed  structure, and the  ability  to  use many LSI 
circuits in its structure. (DRO structures in the 1975 time frame appear to require
too much current to be amenable to the use of LSI circuitry.) This structure also
dissipates less power than a DRO structure. A choice was not made between the NDRO
magnetic and semiconductor structures. Both of the structures should be able to meet
the reliability requirements in the 1975 time frame; however, the magnetic structure
requires fewer processing developments in order to meet these requirements. (Its
risk is lower.) However, either structure offers low risk. The semiconductor memory,
on the  other hand, should  dissipate less power than the magnetic structure. Both of 
these  structures  are  discussed  in  some depth  in  Section VI. 
The distributed logic structure presented in Section IV, 4.3 uses MOS/SOS chips
for memory and processing. This technology has been discussed in Section III, 3.2.
A bulk memory is also included in all three organizations. This memory will
contain about 10^8 bits and will be used to store all programs for all phases and for
buffering of telecommunications, TV, and other high rate input output. This memory
is discussed in Appendix 2.
IV. MULTIPROCESSOR CANDIDATE ORGANIZATIONS 
4.1 INTRODUCTION 
Three candidate multiprocessor  computer  organizations  were  designed to 
implement  the  requirements set forth in section  2  using the technology base  established 
in section 3. These candidates are: (1) Multi-Computer, (2) Modular Multiprocessor, 
and (3) Distributed  Processor.  The  first two candidates have sufficient general 
commonalities  to  warrant  their  being  presented in paragraph  4.2 with the  commonalities 
and  peculiarities of each  discussed  therein. The Distributed  Processor will be  discussed 
in  paragraph  4.3. 
4.2 MULTI-COMPUTER AND MODULAR MULTIPROCESSOR 
4.2.1 General Organizational Considerations and Features
4.2.1.1 General Features 
Many of the considerations were the same in the preliminary design of the
Multiple Computer and the Modular Multiprocessor (hereafter referred to simply as
Multiprocessor); therefore, a discussion of features common to both organizations
and how the requirements affect the organization is given prior to a discussion of any
of the candidate organizations. The features discussed in this section are for the most
part arithmetic and control or processor section oriented. There are also a number of
similar features in the memory and Input/output sections of these two candidates; however,
it was felt that the considerations leading to these sections were sufficiently
unique to warrant separate discussions for all the candidates.
An 18 bit instruction word shown in Figure 4-1 has been chosen. This format was
chosen after tradeoffs on various other formats described below; these tradeoffs are
reported in paragraph 4.2.1.2 and were performed by analyzing a number of representative
programs. As an alternative, the format of the chosen 16 bit instruction word is
shown in Figure 4-2; the 16 bit approach could be taken if further study were expended
to determine (a) if a 32 bit double precision data word is sufficient to meet data accuracy
requirements and (b) if not having indirect addressing and having a total of 5
instead of 9 Index/Bank registers did not reduce the programing efficiency greatly.
The first 6 bits of these instructions are used for the op code. Operation code extensions
for instructions that do not require full addresses, e.g., I/O instructions, accumulator
to accumulator operations, and register transfers, give the facility for many
more than 64 instructions.
The instructions will use a banking scheme so that it will only be necessary to
have an address decrement in the instruction word. Programing studies carried out
on various programs at Autonetics and also on this study have shown that a 7 bit
address decrement imposes little inefficiency penalty in terms of speed decreases
or storage increases, and that the index/banking scheme using full length registers
greatly reduces the banking problems.
The 18 bit instruction contains one bit, I, for indirect addressing. Both instructions
contain B and T bits for the Index/Banking tags. One bit is used for the B tag
and specifies one of two index/bank registers; the 18 bit instruction contains 3 bits for
the T tag to specify either one or none of 7 registers, while the 16 bit instruction uses
2 bits for the T tag to specify either one or none of 3 registers. This index/banking
scheme offers a certain amount of double indexing or banking. The index/banking
schemes will be further discussed below. It should be mentioned that the indirect bit
was considered to be of marginal value; the other 17 bits were firmly chosen based on
an evaluation of the features. An indirect bit was considered next in terms of utility
to complete the 18 bit word.

Figure 4-1. 18-bit Instruction Word (fields, in order: OP CODE, 6 bits; I, 1 bit; B, 1 bit; T, 3 bits; ADDRESS, 7 bits)
Figure 4-2. 16-bit Instruction Word (fields, in order: OP CODE, 6 bits; B, 1 bit; T, 2 bits; ADDRESS, 7 bits)
Various possibilities considered for the 18 and 16 bit instruction word formats
are shown in Figure 4-3. Of course many other variations are possible; however,
these were considered the most promising possibilities. It should be noted that for all
instructions for which it is applicable the 6 bits for the op code are broken down into
5 bits for the op code and 1 bit for an accumulator tag. As part of the programing
analysis the use of the second accumulator was evaluated to determine if the use of
the accumulators was symmetrical enough to include an accumulator tag. This simplifies
the logic somewhat.
Two basic banking-indexing schemes were considered; the first scheme was
selected using 1 and 3 bits. One scheme uses one bit to specify one of two full-length
registers and then two or three other bits to specify either one or none of three or
seven other registers. The second scheme uses four bits to specify any combination
of five registers taken zero, one, or two at a time. The important point to notice
about both of these structures is that there is no real distinction between bank registers
and index registers since they are both full length (18 bits). Any of the registers
can be added to the address decrement to generate a full length address, or certain
combinations of two registers can be added together (depending on which of the two
schemes is chosen) and added to the address decrement to generate a full length
address. These schemes have a number of advantages in terms of flexibility of use.
For example one of the index/bank registers can be used to address a certain bank
and can also be counted down and compared to a value. The schemes also offer the
ability to double index. This means that a program can be set up (including index
decrementing and comparing) without regard to the location of the program. Double
indexing also makes the programer's task much easier where a number of index
registers are needed, for example matrix manipulations. It is important to notice
that full length bank registers mean that there are no fixed bank boundaries. The only
constraint is that a bank contains a maximum of 128 words. This means that it is not
necessary for the programmer (or the assembler) to pack a number of programs or
blocks of data into fixed size and location banks. (This would be necessary if bank
registers containing only the upper 9 bits of an address were used.) Full length
bank/index registers also mean that banks of information are relocatable to any
location in memory.
Two upper accumulators will be used. This decision was based on programing
studies carried out at Autonetics on previous programs and also on this study. Some
of these tradeoffs on two accumulators are given in paragraph 4.2.1.2. The two accumulators
will be referenced by an accumulator bit in the operation code in a
number of instructions that access the memory. For accumulator to accumulator
instructions a separate register instruction format utilizing operation code extension
is used. This format enables the processor to carry out logical and arithmetic operations
using the accumulators and the index/bank registers. As a result, the index/bank
registers now used for hot storage plus addressing are increased from the 16
bits required for addressing to 18 bits. This provides for efficient use of the 9 index/bank
registers since they must be connected to the adder for generating an address in
any case. However it should be noted that the above use of the index/bank registers
will not make them equivalent to accumulators (or like true general registers) since
they cannot be used to carry out operations directly with operands from memory.
This latter feature was evaluated to be of little use if two upper accumulators are
available. Further discussion of the value of the above features is given in paragraph
4.2.1.2.

Figure 4-3. Instruction Word Formats
It is possible to include indirect addressing as either a bit in the instruction word
or as one of the index registers' tag values. The former implementation enables
indirect addressing and indexing whereas the latter does not. The former approach was
selected as discussed in 4.2.1.2.
The indirect word format (the word picked up by the initial address) uses bits one
and two to specify the indirect operation and bits 3 to 18 to specify an address. Bits
one and two are interpreted in the following manner:
    1:2 = 00 - end - direct address
          01 - index with T1 register
          10 - indirect address
          11 - index with T1 and indirect
It should be noted that the above format not only allows multiple level indirecting
and indexing but also allows simply indexing after indirecting. This latter feature is
very useful when a reconfiguration has caused a block of information to be moved to a
new location.
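
The addressing rules described above (the Figure 4-1 fields, full length index/bank registers, and the indirect word codes) can be followed in a small model. This is an added illustration, not code from the report. It assumes that bit 1 is the most significant bit, that T tag 0 means "no register", that "T1" is the first of the seven T registers, and that codes 01 and 11 add T1 to the address held in the indirect word; the chain-depth limit and all register, memory and op code values are constructed for the example.

```python
"""Model of effective-address generation for the 18-bit instruction word.

Added illustration only. Assumptions: bit 1 is the MSB, T tag 0 selects no
register, "T1" is the first T register, addresses wrap at 16 bits.
"""

WORD_MASK = 0x3FFFF  # 18-bit memory word
ADDR_MASK = 0xFFFF   # 16 address bits (bits 3-18 of an indirect word)
MAX_INDIRECT = 8     # hypothetical guard against circular chains, not in the report


def encode(op, i, b, t, m):
    """Pack the fields in Figure 4-1 order: OP(6) I(1) B(1) T(3) ADDRESS(7)."""
    for name, value, width in (("op", op, 6), ("i", i, 1), ("b", b, 1),
                               ("t", t, 3), ("m", m, 7)):
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bits")
    return (op << 12) | (i << 11) | (b << 10) | (t << 7) | m


def decode(word):
    """Split an 18-bit instruction word into its five fields."""
    if not 0 <= word <= WORD_MASK:
        raise ValueError("not an 18-bit word")
    return {
        "op": (word >> 12) & 0x3F,
        "i": (word >> 11) & 0x1,
        "b": (word >> 10) & 0x1,
        "t": (word >> 7) & 0x7,
        "m": word & 0x7F,          # 7-bit address decrement: a bank is 128 words
    }


def effective_address(word, b_regs, t_regs, memory):
    """M = m + B register (+ T register if tagged), then follow indirect words."""
    f = decode(word)
    ea = f["m"] + b_regs[f["b"]]
    if f["t"]:                      # tag 0 = none of the seven T registers
        ea += t_regs[f["t"]]        # double indexing: B and T both added
    ea &= ADDR_MASK

    indirect = bool(f["i"])
    levels = 0
    while indirect:
        levels += 1
        if levels > MAX_INDIRECT:
            raise RuntimeError("indirect chain exceeds depth limit")
        iw = memory[ea] & WORD_MASK
        code, ea = iw >> 16, iw & ADDR_MASK   # bits 1:2 and bits 3-18
        if code & 0b01:             # 01 or 11: index with T1
            ea = (ea + t_regs[1]) & ADDR_MASK
        indirect = bool(code & 0b10)  # 10 or 11: another indirect level
    return ea


def demo():
    """Constructed register and memory contents; returns three addresses."""
    b_regs = [0x0400, 0x2000]
    t_regs = {1: 5, 2: 0x10, 3: 0, 4: 0, 5: 0, 6: 0, 7: 0}
    memory = {
        0x0410: (0b10 << 16) | 0x0500,  # indirect again via 0x0500
        0x0500: (0b01 << 16) | 0x1000,  # index with T1, then end
    }
    direct = encode(0o12, 0, 1, 2, 0x33)     # op code value is arbitrary
    before = effective_address(direct, b_regs, t_regs, memory)
    b_regs[1] = 0x3000                        # bank moved: same instruction word
    after = effective_address(direct, b_regs, t_regs, memory)
    chained = effective_address(encode(0o12, 1, 0, 0, 0x10),
                                b_regs, t_regs, memory)
    return before, after, chained


if __name__ == "__main__":
    print([hex(a) for a in demo()])
```

Reloading one full length register moves the whole 128-word bank without touching any instruction word, and the last case is the "indexing after indirecting" path the text singles out for reconfiguration.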
For a time consideration was also given to using one bit to specify fixed bank 0
(upper address bits equal to 0) and one bank register instead of two bank registers
specified by this bit. The thought was that this would save hardware and also provide
for easy subroutine linkage and bank/index constant storage; however, the multiprocessor
organization imposes certain restrictions on accessing memories which will
be discussed later and this made using a fixed bank impractical.
It is possible to include a masked mode of operation in the processor. The
masked mode would be entered by an instruction that would set the masked flip-flop
to one. All appropriate instructions executed while the flip-flop is "one" would use
the second upper accumulator to mask the operands that come in from memory. For
example a masked mode add could be executed as follows:
    U1 + U2 (M) -> U1,    M = m + B1
where
    U1, U2 = accumulators
    B1 = Index/bank register B1
    m = address decrement
    (M) = contents of location M
The masked mode is useful if there are a reasonable number of operations with
data that is packed with more than one character per word. This situation exists for
some scientific experiments where 8 or 9 bit data seems to be sufficient. In these
situations the masked mode could be used to obtain half word operations. The
present requirements study has not uncovered sufficient situations in which a masked
mode would be useful to warrant its inclusion in the final processor specification.
However future requirements studies should investigate in some depth the usefulness
of such a mode especially in relation to one-half word data operations. If further
information on the masked mode is desired, Reference 18 lists the instructions that
could be executed in this mode.
Some floating point or double precision operations are certainly necessary for
the computation system. The needs for these operations have been investigated to
some extent, but a much more thorough investigation is necessary to explicitly determine
the following:
1. Is floating point or double precision the best increased precision mode?
2. Should hardware (a double precision or floating point mode) or software be
used?
3. If hardware is used, should a few double precision or floating point instructions
be included in the single precision mode (or conversely)?
The preliminary precision investigations carried out in this study indicated that
a floating point hardware mode using two word data would be well used in many navigation
and scientific experiment operations due to both the need for a considerable
amount of scaling and precision beyond 18 bits. As a result floating point instructions
are listed and their operation briefly discussed in section 6.1.1. However it should
again be mentioned that the above conclusions need further substantiation since it is
not clear whether 30 bits of precision are sufficient. If not, a double precision mode
with 36 bits of precision would be used. The two word floating point number will use
a 30 bit mantissa and a 6 bit exponent although further study of this point is also
necessary since a 29 bit mantissa and a 7 bit exponent may be a better solution. In
any case the chosen floating point number provides for thirty bits of precision on data
of magnitudes between 2^-32 and 2^32. An additional reason for inclusion of floating
point hardware was that by making a few simple additions to the adder (exponent
operations must be inhibited from affecting the mantissas and conversely), no additional
registers need to be added to the processor. A sizeable amount of control is necessary
to carry out the operations, but, as mentioned earlier, a large amount of gating can
be efficiently and reliably handled with MOS arrays.
A repeat mode has been included in the system. It is particularly useful for
carrying out memory check sum tests and for moving blocks of data in main memory.
This latter function is necessary during reconfigurations, at mission phase changes,
and on a lesser scale during operational periods. In this mode the operand cycle of
an instruction is executed on a succession of operands. The mode is entered by giving
a repeat command (REP) that sets a flip-flop and loads a specified index register, T7,
with the number of operands to be processed. The next instruction is then executed in
the repeat mode. Execution of operand cycles continues with T7 counted down each
cycle until it reaches zero. At this point the instruction is terminated and the next
instruction accessed. Clearly this repeat mode will save a significant amount of time
any time a list of data must be processed by one instruction. A good example of this
time savings is in the execution of a check sum test on a program. (This test may be
carried out periodically prior to the execution of some programs.) Without a repeat
mode the check sum basically involves a two instruction loop of add and decrement and
test an index register. This is a 6 µs loop that is executed n times for an n instruction
program. The same loop with a repeat mode requires only one instruction cycle
of 2 µs followed by n operand cycles of 2 µs. This means a check sum loop execution
time of 2 µs plus 2n µs compared to 6n µs. The instructions that can be executed in
the repeat mode are given in Section VI, 6.1.1 along with a more detailed discussion of
its implementation.
4.2.1.2 Evaluation of Features 
This  section  discusses  the  results of the  evaluation  and  the basis  for  the 
selection of the features  presented in the  preceding  section and certain  other  features 
required  in  the  preliminary  design of the  candidate  organizations. 
4.2.1.2.1 Multi-Accumulators and Indexing 
The requirements presented in Appendix 1 for phase 12 of the mission (Mars
orbital) were reevaluated with the ground rule that two accumulators and one index
register were available. The effects on the requirements from these features are
expected to carry over into other phases also. It should also be noted that these
requirements did not take into account computer word length. The only effects
examined were those of multi-accumulators and indexing. Table 4-1 presents the
results from this evaluation.
Table 4-1. Speed and Storage Requirements for Phase 12, Mars Orbital

                                      Requirements
                                Storage                Speed
Function                       a        b            a         b
Navigation and Guidance      5625     4348         48949     46732
Telecommunication            6700     4700         13000     13000
Science Experiments          8940     8561        325715    252496
Status Monitor               5560     3560          8000      8000
Totals                      26825    21169        395664    320228

a: no indexing, one accumulator
b: one index register, two accumulators
(Requirements do not consider word length)
For Navigation and Guidance, indexing accounted for most of the decrease in
storage requirements (approximately 23% decrease) while the speed requirements had
a net reduction (increase due to indexing and a decrease due to two accumulators) of
approximately 6%. The Scientific Experiments function had a slight decrease in
storage (approximately 4%) and a significant decrease in speed (approximately 23%). The
effect of these features is presented in more detail in Reference 17. The results
of this evaluation indicate that two accumulators and indexing are desired.
4.2.1.2.2 Word Length and Banking Size 
The requirements for Mars orbital phase used above (from Appendix 1) were
evaluated with the consideration of computer word length. Two word lengths were
considered: 12 bits and 18 bits. The requirements were initially determined without
taking into account word length. It was assumed that two accumulators and one index
register were available in each case. The results of this evaluation are given in
Table 4-2.
Table 4-2. Speed and Storage Requirements for Phase 12, Mars Orbital,
With a 12 Bit and 18 Bit Word Length

                              Storage (words)             Speed (ops/sec)
Function                   12 bit   18 bit     *       12 bit    18 bit      *
Navigation and Guidance      9373     6143    4348    140,196   101,202    46,732
Telecommunication            7730     5730    4700     26,000    15,000    13,000
Scientific Experiments      11194     6840    8561    272,421   245,000   252,496
Status Monitor               4260     3560    3560      8,400     8,200     8,000
Total                       32557    22273   21169    447,017   369,402   320,228

*Indicates no consideration of word length.
Storage and speed requirements increased in the Navigation and Guidance function
primarily due to the need for triple precision with a 12 bit word and double precision
with an 18 bit word. The requirements for the Scientific Experiments function decreased
somewhat with an 18 bit word primarily due to the ability to make use of half word
storage and operations; these gains due to half word capabilities are eliminated with
the 12 bit word.
Based on the above evaluations, the 18 bit word was selected since it provides
programming ease and reasonable processing speeds while using little extra memory.
This will be explained below. It should be noted that the reasons for the exact format
of the instruction word have not been defined yet; the remainder of this evaluation
section will complete the evaluation of the format. In addition, it should be mentioned
that the 18 bit discussion here applies equally well to a 16 bit word discussion. The
reasons for the exact word length selection, 16 or 18 bits, are given below in 4.2.1.2.3 of
this section where an evaluation of numerous machine features is presented.
This discussion presents the reasons behind a choice of a word length in the
vicinity of 18 bits rather than one in the vicinity of 12 bits. An 18 bit instruction word
leaves room for the inclusion of 64 operation codes. This means that no double length
instructions will be necessary since the 64 operation codes with extension provide
sufficient instructions to take advantage of multiple accumulators and index/bank
registers.
The advantage of this word length can best be understood by looking into the
difficulties encountered with the 12 bit word. A 12 bit instruction word would require
a double length instruction capability if indexing, multiple accumulators, indirect
addressing, etc., are to be included. From the discussion in 4.2.1.2.1 above
it is seen that elimination of these features would result in approximately a 20%
increase in storage. On the other hand inclusion of these features necessitates double
length instructions which result in approximately a 30% increase in storage. This
eliminates some of the advantages of the 12 bit word in attempting to reduce storage.
The Navigation and Guidance data is greater than 24 bits and as a result would have to
be operated upon in triple precision with a 12 bit word. This also increases storage.
The results presented above in Table 4-2 showed that a 12 bit word provided
less than l h t h decrease in the number of bits of storage and in fact gave a 1/3
increase in the number of words. This increase in the number of words can result in
more circuits required for the 12 bit memory. The complexity of a 12 bit processor
with double length instruction capability versus the complexity of an 18 bit processor
with only single length instruction capability is about the same. In addition, the 12 bit
processor would need to be faster. As a result, there is very little if any hardware
gain from using a 12 bit word. An 18 bit word was therefore selected, thereby also
providing a more flexible machine to the programmer (no triple precision operations
or double length instructions to worry about). It should also be noted that a larger
instruction word was not considered since not only is it not warranted by the data
requirements but also a 7 bit bank causes no significant inefficiency penalties.
The choice of the 18 bit word leaves the possibility of using a 7 or 8 bit bank. A
7 bit bank was selected; some of the considerations involved in this selection are given
below.
There is some increase in storage and execution time when going from a 256 word
bank to a 128 word bank size. Past studies at Autonetics on some navigation and
guidance routines indicated that a 128 word bank resulted in only a slight increase in
inefficiency over a 256 word bank. In addition, in the program used in the evaluation
here, there appeared to be little inefficiency in this bank size. One of the primary
reasons there appeared to be few or no problems was the full length I/B
registers, since they did not result in rigid bank boundaries every 128 words.
In particular, when indexing with these full length registers there is practically no
effect due to the bank size. Most of the problems in going from a 256 word bank to
a 128 word bank then arise from non-optimized location of data. However, an optimum
banked assembler or forcing the programmer to handle the data banking optimization
could reduce this problem considerably. It is therefore recommended that a 7 bit bank
be used.
4.2.1.2.3 Accumulator Tag, Register-Register Operations, Indirect 
Addressing,  and Index/Bank Register  Schemes 
The above features were evaluated by investigating their usefulness in a number
of programs which were considered as representative of the computational functions.
These programs included: (1) Navigation and Guidance: Star Tracker Pointing, Body
to Inertial and Locally Level to Inertial transformation Matrix, and Kalman Filter
Computations, (2) Scientific Experiments: zero order polynomial predictor,
orthogonal polynomial series, and quantiles computation, and (3) Status Monitoring.
Details on these programs may be found in Section II, 2.8.
These programs were mechanized assuming all the above features were
available. Then the programs were reevaluated with certain restrictions so as to
obtain answers to: (1) if there is no accumulator bit in the instruction word, what
additional instructions are required?; (2) what instructions are used in register-accumulator
and accumulator-accumulator operations?; (3) what is the effect of not
having indirect addressing?; (4) what is the effect of the index/bank register
schemes, i.e., any 5 I/B registers taken 0, 1, or 2 at a time, 1 B bit and 2 T bits
giving any one of 2 registers taken with any one or none of 3 other registers, and
1 B bit and 3 T bits giving any one of two registers taken with any one or none of 7
other registers; and (5) what is the effect of not having double index/banking (single
level only).
The answers to the above questions were used to aid in selecting between a 16
and 18 bit instruction word and also for the particular instruction word format (see
paragraph 4.2.1.1 for the formats considered). A summary of the results will be
given below; detailed discussions are given in Reference 18.
1. Accumulator Bit 
The following instructions  used  the  accumulator  bit in the  routines 
programmed. 
Load 
Store 
Add 
Subtract 
Multiply 
Divide 
Compare 
Jump on Conditions 
Sum of Products - Multiply 
Jump on Minus or Zero
Logical "And"
A considerable  number of instructions  made  use of the  second  accumulator. 
It is therefore  recommended  that  some  means of providing for identifying 
accumulator 1 or  2 be  provided for  those  instructions  that could use  either 
accumulator. 
2. Instructions between Registers and Instructions between Registers and Accumulators
Instructions used (Register-Accumulator) or (Register)
Store
Load
Subtract
Add
Multiply
Shift
Absolute Value
Complement
Instructions used (Accumulator-Accumulator)
Add
Subtract
Multiply
Divide
Sum of Products - Multiply
Square
Load
Store
A considerable number of instructions made use of communication between the
accumulators. Also many instructions were used between the registers
and the accumulators although not as many as between the accumulators.
It is recommended that full arithmetic and transfer instructions be provided
between the accumulators themselves and also between the accumulators
and registers. There was no apparent need for instructions between
the registers themselves, therefore this feature is not recommended.
3. Indirect Addressing 
Although limited use was made of indirect addressing in the programs
evaluated, where it did occur (primarily for subroutine linkage) savings
of between 6 and 8 percent in storage were achieved for some programs. The
savings in timing were negligible, however.
Indirect addressing is of considerable importance when it is desired to do
list processing. This is due to the fact that the link addresses normally
encountered in lists can be considered to be indirect addresses to the
following words in the list. The need for list processing is not apparent in
the present requirements. Therefore, the merits of indirect addressing due
to list processing will depend on future requirements, if any, for list
features.
It is recommended that indirect addressing be included since there are some
present indications of its merits, and the combination of its inherent flexibility
of programming and its potential for future requirements makes it a promising
feature.
4. Index/Bank Register Schemes 
The preferred approach is to use 2 + 7 registers. The primary reason for
this choice is the availability of nine registers versus only five with the
others. In code sequences where multiple banks and indexes require more
than five current registers, the housekeeping involved in storing and
recovering register values went as high as 9% in storage and/or timing.
The approach using 5 registers with any combination 2 at a time shows some
advantage in coding where five or fewer registers were used. The savings,
however, are in the 3% range for storage and less than 1% in timing.
It should also be noted that the approach using 2 + 7 registers also provides
additional facilities for temporary storage when not all 9 registers are used
for indexing/banking. It is also worthwhile to mention that the coding which
uses a large number of registers involves multi-level iterations and a large
data base. Therefore in these programs the loss in efficiency due to fewer
registers shows up more pronounced.
5. Double Index/Banking Capability 
Without this capability some of the scientific experiments programs were
somewhat lengthened; some of these programs had execution time
increased by 50 percent. This capability is very useful in programs involving
matrix operations. It is recommended that this capability be included.
4.2.1.3 Requirements and Organizational Considerations
There are a number of requirements that influence the computer design. These
have been rated as reliability - 100, power - 10, flexibility - 4, and all others 1. Essentially this
says that the computer organization should try to take advantage of various schemes
to increase reliability and lower the power in light of the various computational
requirements. For reliability there are two basic considerations; one is an availability
requirement of 0.997 for the whole mission. This can essentially be interpreted
as a level of satisfaction for the mission. In other words, if the computer
system is operating 99.7% of the time the desired degree of success will be obtained.
Another important consideration is a probability of success of 0.997 for critical
mission phases. The computer system must be able to function during these critical
phases in order for the mission to be completed. During these critical phases
5 seconds are allowed to reconfigure to a second operating system if the primary
system fails. These numerical reliability values were obtained from an examination
of the references cited in Section 2.1.
The above availability and probability of success requirements have a profound
influence on the system. In particular in order to meet the probability of success
during the critical mission phases some type of on-line back-up must be available.
During non-critical phases average times of 1/2 hour can be allowed to get back
on-line; as a result a repair replacement ability is sufficient.
One of the ways the  importance of reliability and power  affects the computer 
system is in terms of the  amount of hardware  that  can be kept off during any phase. 
Data  from  Autonetics  experience  tends to point toward  the  fact  that  computers  that 
are not on-line have reliabilities on the order of 3 to 10 times or more greater than
the on-line modules; however this number has not been validated by a thorough
analysis. In fact it is not even clear if the off-line modules should be turned off
or if bias power should be maintained. The above dictates that equipment be kept
off-line as much as possible.  Therefore  the  computer  systems  are  designed so that 
during long phases a good portion of the computing hardware can be turned off. This 
should not only increase  reliability but also  save a significant amount of power. 
It should also be mentioned  that there will be separate computer  systems in the 
Mars Mission Module and in the Mars Lander. These two computer systems should 
be  the same type since  that will provide a simple  sparing philosophy and will lower 
development and production costs.  Sparing can be  simplified  since  the  Lander com- 
puter  system  must only be on-board the  Lander and functioning correctly  from  Earth 
to Mars and while in the Mars area. On return, a Lander computer system can be
pulled off and placed  aboard  the  Mars  Mission Module to function as spares for  the 
return to Earth. 
An interesting point to notice about the  computational  requirements is the 
variation of speed and storage throughout the  various mission phases. In particular, 
during the long Trans-Mars and Trans-Earth phases the storage and speed requirements
are relatively low and at about the same level. As a result it is desired to
design  the  computer system so that much of the computation  speed and storage could 
be turned off during  these  phases.  Figures 2-8 and 2-9 also show the amount of 
storage  that is absolutely necessary to have operating continuously  throughout the 
Trans-Mars and Trans-Earth  phases. The rest of the  memory  system could be 
turned on and off periodically as shown in order to save power and increase  reliabil- 
ity. During phase 12 (Mars Orbital)  the  maximum amount of computation resources 
will be in the  system; as a result this phase  dictates  the maximum need for 
computational resources. 
4.2.2 Multi Computer Organization
4.2.2.1 Organizational Considerations
The past  paragraphs have presented  the  requirements  for  the Mars Mission 
computation system and also some explicit features of the processors within this
computation system.  The following paragraphs  present  the  multiple  computer 
organization and features  that  were developed from  the above requirements. 
It  should first be noted that a single  computer  organization can immediately be 
thrown out since 5 seconds back-up in case of failure  during  critical  mission  phases 
could not be provided. In order to provide  this type of back-up a second  on-line 
computer  carrying out the  critical computations must be available. A single compu- 
ter  would also need a very high MTBF, and would be power and reliability consuming 
during low computational  load  phases.  Another  disadvantage is that  this  type of an 
organization is unable to flexibly meet unplanned variations in computational requirements
by addition or subtraction of the number of modules in the system.
4.2.2.1.1 Duplex Computer Approach
A duplexed computer  approach as shown in  Figure 4-4 was next considered.  This 
approach is discussed in some detail in Reference 17. Briefly it uses two computers
each  capable of carrying out all  the  computations for the  most  heavily loaded phase 
of the  mission. The  computations are  carried out in both computers and the results 
sent  to the output switch. During normal  operation  the  primary  computer's  outputs 
are used and the secondary computer does output comparisons; however if the secondary
computer discovers a discrepancy it can carry out a software self-check and if
it passes a lengthy self-check process it will take over outputting information.
The supposed  advantage of this type of an approach is in  the ease and complete- 
ness of failure detection; however the  development of operational  hardware and soft- 
ware  self-tests  for a multiple  computer,  to be described next, has been evaluated to 
be not much harder than  the  development of non-operational self-tests  for one of the 
duplex computers.  There  are  also  quite  a  number of disadvantages to this approach. 
These are listed below: 
1. Each computer must be able to handle all the computations. This 
means two large power  consuming  computers. 
2. During long relatively low computation phases, Trans-Mars and 
Trans-Earth  for  example,  there will  be no chance to lower power 
and increase  reliability by turning  a good portion of the  system off. 
3. After a failure of the primary computer there is no checking of the
computation system; as a result a failure may occur and never get
detected.
[Figure 4-4. Duplexed Computer. Diagram labels: Sensors, Secondary Computer, Output Switch.]
For  the above reasons a duplexed computer  approach  was  rejected. 
4.2.2.1.2 Multi Computer Approach
1. General  Considerations 
The chosen  multiple  computer  system will be a two computer  approach 
where  the  computers  operate  separately  each  carrying  out  its own self 
check. At least two computers  are needed in this  system  since  there is 
a need  to  continue operation while  one of the  computers is in a state of 
repair or replacement. This computer approach, shown in Figure 4-5,
was chosen  because it is well suited to the  system  requirements as 
demonstrated by the discussion below. Clearly if the requirements
were to be increased  for  other applicable missions additional computers 
could be added to the  system. 
A proper use of the above computer  system  during  the  critical and 
non-critical Non-Mars phases and the Mars-Orbital phases is discussed
in  a  later  paragraph. Very simply during Non-Mars non-critical phases 
only one computer will be in operation  carrying out all the  functions of 
the system. During the critical phases two computers will be on-line -
the first one doing all of the system functions and the second doing a
redundant calculation of the critical information (navigation and guidance
information). This method of operation enables a reconfiguration in less
than 5 seconds. During Mars orbital operation two computers will be
carrying out the computations. Reconfiguration in these phases is
handled by a combination of repair replacement and switch-over to the
non-failed computer.
[Figure 4-5. Two Computer Approach. Diagram labels for each computer: Sensors, Cond., I/O, P (250K short ops/sec), M (24K) in two 12K modules.]
The size,  speed, and number of modules in a Multiple Computer approach 
is dictated by many factors. The most  important of these  for  the Mars 
mission is of course reliability. For any given computational requirement 
the  best  reliability will be obtained by using the  least  number of computer 
modules  (not less than two) as long as the  speed  requirements do not force 
the use of a less reliable  memory and circuit technologies. This is 
clear by considering  the  fact  that a lesser number of modules  simply 
means less components for any given set of requirements.  Another 
important  influence on the  size,  speed, and number of modules in the 
system is the fact that off-line reliability is assumed to be much  higher 
than on-line reliability. For  the Mars Mission this can be interpreted 
to  mean that it is desirable  to  turn off as many modules as possible  during 
the Trans-Mars and Trans-Earth phases. As a result, the size of the 
modules  should  be  adjusted so that  during  these  phases  the  maximum 
amount of computation resources are turned off. A third  influence on the 
size of modules is the  computational  requirement  for  the  highest  computation 
rate phase, namely the Mars Orbital Phase. During this phase it is desirable
to  have all the  modules  in  the  system on and in  use so that there will  not  be  a lot 
of extra  hardware  in  the  system.  Another  factor not considered  here  that 
may have some  influence on the size of modules is the requirements  for the 
Mars  Lander Module. These  requirements have not been evaluated and as  a 
result cannot  be  considered. 
The above  trade-off considerations  dictated  a  processor  size of approximately 
250,000 short  operations  per  second, and a  memory  per  computer of 24,000 
words. The memory is modular by 12,000 words as  shown in Figure 4-5. The 
memory  size  was  decided upon by examining Figure 2-8 in Section II. This 
figure shows that during the Trans-Mars and Trans-Earth  phases, 4, 7, 14, 
17, essentially 24,000 words are required if executive and I/O programs are
included. This figure also showed that approximately 12,000 words of storage
was needed to come in only intermittently. This was interpreted to mean that
the best memory size for the Trans-Mars and Trans-Earth phases is 24,000
words with 12,000 word  modules  capable of individually  having their power 
turned off. 
Phase 12, Mars Orbital, was next analyzed for storage requirements. Two
computers each with 24,000 words were determined to easily provide sufficient
storage since the actual requirements for this phase are approximately
30,000 words including I/O and executive programs. It was also determined
that during the major portion of phase 12, one computer could have one of its
12K memory boards turned off thus allowing an increase in reliability and a
decrease in power.  This  memory is also  a  convenient  size  for  implementation 
with a thin-film NDRO memory in the 1973-1975 technology time  frame. Using 
projected  densities it enables  getting  a  maximum  amount of words  per module 
and thus  make  best  use of the drivers,  receivers, and sense  amplifiers. 
The processor  speed  requirements  for  the  Trans-Mars and Trans-Earth 
phases are relatively low in comparison  to  other  shorter  phases. Since 
circuit counts for  processor  implementations  are not actually  increased 
for  reasonable  increases in processor  operating  speed,  it was decided 
to make  one processor capable of handling the  fastest  non-Mars  orbital 
phases.  (This is true as long as the  increase in operation  speed  does not 
require the use of a new circuit technology.) The processor, including
execution of executive programs, was therefore  made  capable of handling 
250,000 short operations per second. (See Figure 2-9 in Section II.)
This  also  means  that two processors will not only easily  be  able to handle 
the  Phase 12  computation  load but also will have extra computation  power 
available  during all phases so that they  can catch up on the  computations 
even if some reasonably long interruption occurs for a repair or replacement
operation. In order to see that by 1980 a 250,000 operation per
second processor is feasible to implement in MOS or MOS-SOS circuitry
(or bipolar arrays), a calculation of the clock rate was carried out using
250,000 operations per second, 2 memory cycles per short operation
and 4 clock pulses (bit times) per memory cycle. This calculation shows
the need for a 2.0 microsecond memory read or write cycle for a NDRO
memory and a 2.0 megacycle clock for the processor. This certainly
is reasonable for the 1975 technology time frame as expressed in
Section III, 3-1.
The  computer  configurations  for  the  multiple  computer  during  the  various 
mission  phases are tabulated below. As mentioned above both the 
computers and the 12K memory  modules within the  computers  are capable 
of separate turn-on and turn-off. 
Phases 1, 2:                     Computer 1, 1 memory module
Phases 3, 5, 6, 8, 9, 10, 11,    Computer 1, 1 memory module
13, 15, 16, 18, 19, 20:          Computer 2, 1 memory module - active redundancy
Phases 4, 7, 14, 17:             Computer 1, 1 memory module on continuously,
                                 2nd memory module on intermittently as shown
                                 on storage requirement graph - Figure 2-8.
Phase 12:                        Computer 1, 1 memory module
                                 Computer 2, 2 memory modules
The distribution of the  computations is relatively  straight  forward  except 
for  Phase 12. During this phase the functions are distributed as follows: 
Computer 1 
Computer  2 
Telecommunications 
Status  Monitoring 
Scientific  Experiments  (part) 
Update Minimal Nav. & Guid. 
Navigation and Guidance 
Scientific Experiments (part) 
In case of a failure during Phase 12 several  actions may occur. If 
Computer 1 fails, Computer 2 proceeds and Computer 1 is repaired. A 
failure of Computer 2 will cause Computer 1 to enter into a minimal 
navigation routine which was continually updated by Computer 2.
Computer 1 will also proceed with its other computations as  normal. 
If a spare  computer  or module is not available  for  repair, then the 
operative  computer is reconfigured with a new program, this reconfigura- 
tion will contain: 
Navigation and Guidance 
Status/Monitoring 
Telecommunications  (reduced) 
Scientific  Experiments  (reduced) 
If Computer 2 failed under these conditions, Computer 1 will enter the
minimal  navigation  and  guidance  routine  until  the  reconfigured  program is 
loaded with the  normal  navigation and guidance  routine  into  Computer 1. 
Reconfiguration is further discussed in Paragraph 4.2.2.3.
Another  consideration in the  design is the power supply. A distributed 
supply has been chosen for this system.  Distributed  supplies  appear to 
be  the  most  reliable and easily  implemented  supplies  for future time 
frames.  This is partly  due  to  the  fact  that a central supply needs  large 
capacitors on each  board of the  computer  system  in  order  to supply 
constant power when transient switching is taking place. Distributing  the 
supply by using a power  supply per  board  eliminates  these  large  unreliable 
capacitors. This distribution also enables each board to receive only the 
primary power level of the  system.  This combined with the above fact may 
mean  that  the  distributed  supply  actually will have less components  than a 
central supply system. The distribution of the power supply is made even 
more  reasonable with the  onset of the MOS and MOS/SOS circuitry,  since 
these  circuits allow microminiaturization  due to their need for high voltages 
and low currents. Two other advantages of distributing  the power supply 
are the ease of expanding the system and its power requirements and the
ability  to conveniently turn off all power to various  sections of the  system, 
for example a memory module. This  power turn off can occur by the 
astronauts at phase changes or automatically after failures.
In order to  implement this last  feature a transistor switch will be  used on 
the input to each power supply where  appropriate. Such a switch for a 
supply is shown in Figure 4-6. In the  actual  implementation this switch 
may be a trans-switch  (controlled by pulses) in order to provide  isolation 
of system or battery ground and memory ground.
[Figure 4-6. 12K Memory Board Supply and On-Off Switch. Diagram labels: Power On/Off Switch, Logical Control, Power Supply, Voltage Levels, Memory.]
2. Processor, Memory and I/O Structure
From  the above discussion and from the processor  features given earlier 
a rough count can  be  obtained of the  hardware  necessary to implement  the 
processor  for  one of the  computers in this two computer  candidate.  This 
count as presented below was  actually  made with the aid of the  processor 
design given in  Section VI. Therefore a full  understanding of the  purpose 
of all the  listed  hardware can only be  obtained by reading  Chapter 6. 
a. Two upper accumulators (36 bits)
b. One lower accumulator (18 bits)
c. One 15-bit program counter
d. Two 18-bit bank registers
e. Seven 18-bit index registers
f. One 6-bit instruction register and decoding for 64 op codes
g. One 18-bit memory register
h. One 4-bit tag register
i. One 5-bit shift register
j. One 18-bit parallel adder (a ripple carry adder is sufficient)
k. Bit time and mode clocks - 8 bits
l. Real Time clock (25 bits)
m. Fill clock (enables the processor to take up slack time in
periodic programs with background programs) - 8 bits
n. Control Flip-flops - 14 bits
This  gives a total of approximately 320 flip-flops for implementation 
of the  processor. Using FET densities  estimated  for MOS/SOS in the 
1975 time  frame (approximately  5,500 FETS per 150 mils  square), 
a rough  approximation says this processor could be implemented on 
approximately two chips. Of course depending on the  density and yield 
tradeoffs in this time  frame,  the  chips may be slightly larger than 
150 mils  square. 
The  memory  hardware  estimate below is for a 24K 18  bit  word NDRO magnetic 
memory.  (For  example  today  this  memory would be  fabricated  from  plated  wire.) 
The  complete  memory is actually  made up of 12K modules. A discussion  leading  to 
the decision to use an NDRO memory is given in Section 6.1.2 along with block diagrams
of memory systems. Section 6.1.2 also points out that this memory could
be either a thin film magnetic approach or a semi-conductor approach. The circuit
counts are for a magnetic memory assuming LSI circuits (Bipolar) can be used in
the 1975 time  frame. 
1. Two 12K modules of 1,000 word by 216 bit lines. Hardware per module:
a. Word circuits - 16 LSI ckts. 
b. Bit drivers - 18 LSI ckts. 
c. Sense amplifiers - 18 LSI ckts. 
d. Decoders - 3 LSI ckts. 
2. One Current Source per 24K 
3. One LSI timing generator per 24K
4. One MOS/SOS or  LSI chip for  the  data register (18 bits),  the  address 
register (15 bits), and read and write flip-flops. 
The I/O section of the computer system is shown in Figure 4-5. Each computer
has a central programmed controlled I/O section plus a number of connections
to conditioners and high rate devices such as a bulk storage unit. The connections
to the high rate devices are parallel and those to the conditioners are serial. The
conditioners in turn are connected to a number of sensors and devices that handle
both the inputting and outputting of data. There are a number of reasons for the
present I/O structure. The trade-off was essentially carried out between the
structure shown in Figure 4-5 (a central I/O unit of exactly the same form in each
computer including standard format signals to a number of conditioners connected
to these I/O units) and a completely centralized structure which would have the
conditioning functions included in the I/O unit associated with each processor. The
reasons for using the conditioner structure instead of the latter structure are given:
1. Typically a completely centralized I/O unit is used to get a more efficient
use of hardware; however, in this system where reconfiguration is possible
by disconnecting conditioners and connecting them to the second
computer, a centralized I/O unit would have to have enough hardware to
handle all the sensors. As a result a central I/O unit would not provide
any hardware savings over the I/O unit using single copies of conditioners
on-line.
2. The conditioner structure is also easily able to adapt to a change in sensors,
addition of sensors, or improvements in the sensor design. All
that is necessary is to add a conditioner or replace one that is already
there; whereas in the completely centralized I/O structure there is a
need to replace the complete I/O unit (the I/O unit will be just one MOS/SOS
chip).
3. The conditioner I/O structure also provides ease of adapting the computer
system to the Mars-Lander Module. This module will have significantly
different sensors from those on the Mars Mission Module. As a result the conditioner
structure will provide the ability to use exactly the same basic computer with
only the need to change the appropriate conditioners in this module.
As mentioned earlier a number of sensors must be handled in a strictly periodic
fashion; as a result a program scheduler has been included in the design of
this computer system. The scheduler is explained in paragraph 4.2.2.4. Basically
the scheduler uses the processor real time clock to be sure that all periodic programs
are handled at the proper rate and time. The background programs or non-periodic
programs are interleaved with those that are periodic. The calling of I/O
variables can be handled in two ways: first, the programs can have a header associated
with them that lists the I/O variables that must be called prior to program
execution. When the program is brought into execution its I/O variables are then
called by an I/O program. If processor waits for I/O variables can be limited, this
is a very efficient method. The second way to handle I/O variables is to add two
extra clocks or timers to the processor and use these in conjunction with the scheduler
and Real Time Clock to call I/O variables early. This procedure has been
programmed and is shown to yield a software overhead of 0.5% processor time per
100 programs per second. This extra software and hardware cost should not prove
worthwhile in this system in light of the relatively small number of periodic programs
that must be handled, and the low repetition rates of the periodic programs
(20 times per second is the highest rate). The processor will also be given the
ability to call I/O variables from a header and then leave the I/O unit to preempt
memory cycles and thus take care of loading the data into memory. During this
period the processor can execute a check sum on the fixed locations of the program
and begin operating on the program until the need to use the data comes up. It
should also be mentioned that the I/O units will receive interrupts and send these to
the processor as necessary.
No need is seen at the  present  time  for both of the  computers  to  process  a 
single job  in parallel and thus have  a  need to exchange extensive  amounts of data 
or  program information. However, during certain phases of the computations a 
few words  will  be necessary  to be exchanged between computers,  such  as,  tele- 
communication  interleaving  control  words and a few pieces of navigation and guid- 
ance  data. A s  a result a serial  channel  from  the 1/0 unit of the  secondary  computer 
to  that of the  primary  computer  will  be included  in the  system. A rough 1/0 unit 
hardware count is  given below. This only includes  the  section  in  the  computer itself 
(not the  conditioners).  This count a€so  assumes  that  the bulk storage unit has  its 
own control  unit with buffering on its outputs.  The design of the 1/0 unit is similar 
to  that  for  the  multiprocessor;  therefore, a description of the  hardware is given in 
Section VI, 6.1.3 
1. One buffer register (18 bits) 
2. One assembly shift register (18 bits) 
3. One memory register (18 bits) 
4. Two memory address counters (15 bits each) 
5. One 7-bit count register for  controlling off-line transfers 
6. One 4-bit count register for controlling on-line transfers
7. Seventeen control flip-flops. 
This  gives a total of 112 flip-flops. Using the same MOS/SOS densities as for 
the processor the I/O could be implemented on one MOS/SOS chip. In fact if high
yields permit larger chips, the processor and I/O could be implemented together on
two 200 mils  square chips. 
The  explicit  design of the  conditioners  can  not be given here  since  the  sensors, 
their  characteristics, and their  interface  signals are not yet specified. However, 
a cursory treatment of I/O rates and sensors was given in Reference 17.
The  redundant  calculation of certain computations  during critical phases  has 
been discussed;  however  the output  switching of the critical  conditioners  has  not been 
made  clear.  Figure 4-7 shows  the  output  switching for a primary  computer  and a 
secondary  computer  during a critical mission  phase.  These two computers  can  be 
assumed to be the primary and secondary computers in the Two Computer implementation,
or the two separate sections of the Multiprocessor during a critical phase
(see paragraph  4.2.3).  Figure 4-8 shows how the  logic  levels  for  control of the out- 
put  switch are generated within each  computer.  The  switch is initialized with the 
primary  computer in control. If a failure  occurs in the  primary  computer,  the sec- 
ondary  computer  will  take  over and  continue operating. If there is a failure in the 
secondary  computer while the  primary  computer is still  failed, all signals  to  the 
outputs  will  be  turned off. The BITE circuitry is discussed  in  paragraph  4.2.2.2. 
[Figure 4-7. Output Switching of Critical Conditioners. Diagram label: Critical System Outputs.]
[Figure 4-8. Logic Levels for Control of Critical Conditions. Diagram labels: Primary and Secondary program controlled pulse circuits, BITE, timing, flip-flop, initialization switch, "true if bad" levels to output switches.]
4.2.2.2 Failure Considerations and Reconfiguration
The  ability  to  reconfigure  the  spaceborne  multiprocessor in the event of equip- 
ment failures is required in order  to  meet  the  probability of mission  success and 
availability  goals. This  section  discusses  the  design of this capability  for  the Mul- 
tiple  Computer  System. 
The discussion is presented in  the following five parts: 
1. Basic  Guidelines 
2. Error  Detection and Isolation Tests 
3. External Status Reporting 
4. Reconfiguration 
5. Backup Equipment Assurance 
The first part  enumerates  the  important ground rules  that  are  basic  to the  approach 
taken.  The  next two parts  discuss  the  problem of performance  assurance and its 
reporting which would signal  the start of reconfiguration.  The  discussion of recon- 
figuration relates  the  actions  required  for  reconfiguration as a function of the  mission 
phase.  The  final part  discusses  testing of backup  equipment to  assure its readiness 
when reconfiguration is required. 
It should be mentioned here  that  the  approach  discussed  in  Section IV for  fail- 
ure  detection and isolation tests is based  primarily on a software  approach. This 
holds true  for  all  three of the  candidates. If solid  failures  are  assumed  the  software 
approaches will be adequate. However, if intermittent type errors are considered
to  be of any significance (by this is meant errors  that  result in  faulty  conditions  exist- 
ing only for  short  periods of time, on the  order of microseconds),  then  hardware 
failure  detection  may  be necessary. To  complete this  topic  hardware  failure  detec- 
tion  methods  will also be  considered  for  the  selected  candidate.  It should also be 
noted that  the  considerations on reconfiguration were thought to be more difficult 
or  worst  case in some  respects with software  failure  detection  methods  (hardware 
methods may offer  greater  ease of fault  isolation) and therefore a broader  spectrum 
of reconfiguration  problems  has  been  assessed. 
4.2.2.2.1 Basic Guidelines 
1. Equipment is less  prone  to  failure when it  is turned off, rather than when 
it is on. Therefore,  where  equipment is not needed by the computational 
requirements of a particular  mission  phase,  it is desirable  to  turn it off. 
2. Similarly,  power is conserved by turning  equipment off when not  needed. 
3. At worst, the time from the occurrence of an error to the time the system
is reconfigured and properly functioning  should  not  exceed 5 seconds. 
Generally this  minimal  time  applies  to  the  critical  mission  phases and 
can  be  much longer  for  non-critical  phases. 
4. Crew participation  can be considered  for the following  functions: 
a. Reconfiguration during non-critical phases 
b. Turn-on and requests  for checkout of idle standby  equipment 
c. Replacement of a  failed equipment with a spare,  verification of the 
repair, and insertion of the  equipment  back  into  the  system. 
Within the  framework of these  basic  guidelines  the  goal,  for  each  candidate config- 
uration, is to achieve 100 percent  error detection  capability and subsequent  recon- 
figuration which maximizes  the  probability of mission  success and the  availability 
of the equipment. (Failure  detection  based on solid type failures  will  be  primarily 
considered here.)
4.2.2.2.2 Error Detection and Isolation Tests
The following paragraphs  describe  the tests required  to  insure  timely  indica- 
tions of the  multiple  computer system  status  during  the  mission. 
1. Memory Check Sum 
The memory check sum routine simply adds the contents of fixed storage
locations  (instructions  and  constants) without regard  to overflow  and  com- 
pares the result with the  prestored  correct  response.  The function of the 
test is to check for  potential  malfunctions in the computer  memory and 
processor. 
The check sum routine could be written to add all of fixed storage at one
time. This method was not chosen because of programming inefficiencies
which would result from having to keep track of which blocks in memory
contain fixed information and which contain variable information. Instead
a check  sum  routine would be  built  into  each  major  programming segment 
and would be  performed at the  outset of the  segment and possibly  also at 
the conclusion, time  permitting.  Parameters  such as the starting  address, 
number of locations  to  be added,  and  expected  check sum  response are 
included as part of the  program  segment package. Initialization,  execution 
of the  check  sum, and  checking of the  response would be  handled by a utility 
routine. With indexing and the appropriate index test, decrement, and 
transfer  instruction  the check sum execution  can  be  handled by a two instruc- 
tion loop. 
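The per-segment check sum described above, as an added C example that is not code from the report: the `segment` structure, the function names and the 8-word memory image are assumptions made for illustration. It also shows a property of any purely additive sum that matters when relying on this test: a single changed bit is caught, but two compensating changes or two swapped words leave the sum unchanged.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WORD_MASK 0x3FFFFu   /* 18-bit memory word, as in the memory estimate */

/* Hypothetical layout for the parameters the text says travel with each
 * program segment: starting address, number of locations, expected response. */
struct segment {
    size_t   start;
    size_t   count;
    uint32_t expected;
};

/* Add the fixed locations "without regard to overflow": carries out of
 * bit 17 are simply dropped, so the sum is taken modulo 2^18. */
uint32_t check_sum(const uint32_t *mem, size_t start, size_t count)
{
    uint32_t acc = 0;
    for (size_t i = 0; i < count; i++)
        acc = (acc + (mem[start + i] & WORD_MASK)) & WORD_MASK;
    return acc;
}

/* Utility routine run at the outset of a segment: 1 = pass, 0 = mismatch. */
int segment_ok(const uint32_t *mem, const struct segment *s)
{
    return check_sum(mem, s->start, s->count) == s->expected;
}

/* Constructed 8-word fixed-storage image (sample data, not from the report). */
static const uint32_t IMAGE[8] = {
    0x12345, 0x3FFFF, 0x00001, 0x2AAAA, 0x15555, 0x00F0F, 0x30303, 0x0BEEF
};

enum fault { FAULT_NONE, FAULT_BIT_FLIP, FAULT_COMPENSATING, FAULT_SWAP };

/* Copy the image, inject one fault, and report whether the check notices. */
int fault_detected(enum fault f)
{
    uint32_t mem[8];
    struct segment seg = { 0, 8, 0 };
    uint32_t tmp;

    memcpy(mem, IMAGE, sizeof mem);
    seg.expected = check_sum(mem, seg.start, seg.count);  /* "prestored" value */

    switch (f) {
    case FAULT_BIT_FLIP:            /* one bit changes in one word */
        mem[3] ^= 0x00400u;
        break;
    case FAULT_COMPENSATING:        /* two words change by +5 and -5 */
        mem[2] = (mem[2] + 5) & WORD_MASK;
        mem[6] = (mem[6] - 5) & WORD_MASK;
        break;
    case FAULT_SWAP:                /* two words trade places */
        tmp = mem[0]; mem[0] = mem[7]; mem[7] = tmp;
        break;
    case FAULT_NONE:
        break;
    }
    return !segment_ok(mem, &seg);
}

int main(void)
{
    printf("check sum of image : %05X\n", (unsigned)check_sum(IMAGE, 0, 8));
    printf("bit flip detected  : %d\n", fault_detected(FAULT_BIT_FLIP));
    printf("compensating pair  : %d\n", fault_detected(FAULT_COMPENSATING));
    printf("swapped words      : %d\n", fault_detected(FAULT_SWAP));
    return 0;
}
```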
2. Arithmetic Section Functional Test 
This test checks  the  performance of the  arithmetic  section  logic  circuits 
of the  processor. No special test instructions are envisioned; therefore, 
no  additional  hardware would be  designed  into  the  system  to  perform  this 
test.  Patterns  for exhaustively  testing  the  arithmetic logic are prestored 
in memory and under  program  control  act as stimuli  to  the logic. The 
responses of the logic are compared with prestored correct responses to
determine  the  status. 
Based on previous  experience in writing  this  type of test, it is estimated 
that for this application the test would require 425 instructions and 75 constants
and temporary storage locations. For a 4 µsec add time the test
would run for about 2 msec. The degree of completeness, or the ability
of this  test  to  detect  arithmetic  section  errors is expected  to  be high, say 
about 99 percent. Of course,  proving  this would require a thorough anal- 
ysis which involves  determining  likely component failure  modes and the 
ability of the  test  to  detect  the  effects  produced by the  component failure 
modes. 
The test  is  performed  at a periodic  rate.  Its  frequency would be adjusted 
to  insure  that  the  worst  case  reconfiguration  time of 5 seconds  during 
critical  phases would be  met. 
3. Program Control Test 
This test checks  the  ability of the  computer  to  execute  instructions in a 
legitimate operational sequence. Computer malfunctions which produce 
effects that are described by saying  the  computer is hung-up within an 
instruction, within a loop of random size, or wandering aimlessly through
instruction sequences, would be detected. Malfunctions producing such 
effects  can  originate in the  control  logic of the  processor,  the  memory, 
the  clocking system,  or  the power  supply. 
Implementation of this test requires  insertion of built-in test equipment 
(BITE) to mechanize a timing device. As an example, a digital timer
would operate as follows: Under program control, a periodic square wave
is set up and acts as input to the timer which consists of counters and
associated logic. Tolerances are set on the duration of the "high" and
"low" portions of each cycle of the square wave and on the period. The
inability of the  computer  to  provide  this  prescribed  square wave, which 
would occur in the  presence of a control  error, would be  detected by 
wired-in  logic  associated with the counter  and  result in the  setting of an 
error flip-flop indicating a computer failure. The period of the square
wave and the  associated  tolerances would be  determined  to  satisfy  the 
worst case reconfiguration  time  requirement of 5 seconds. 
From  the  programming point of view, periodically,  an  instruction  has  to 
be executed to  effect  the high portion of the wave,  and  a prescribed  time 
later  another  instruction is executed to  effect  the low portion. 
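Added example (not part of the original report): a C model of the digital timer described above, with tolerances on the "high" portion, the "low" portion and the period, and a latched error flip-flop. The 100 ms period, the tolerance values, the 1 ms counter clock and all identifiers are assumptions chosen for illustration; the simulated program either runs normally, hangs, or wanders into a loop that writes the output too often.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All times are in milliseconds; the limits used below are assumed values. */
typedef struct {
    uint32_t high_min, high_max;      /* tolerance on the "high" portion */
    uint32_t low_min, low_max;        /* tolerance on the "low" portion */
    uint32_t period_min, period_max;  /* tolerance on the rise-to-rise period */
} wd_limits;

typedef struct {
    wd_limits lim;
    bool level;           /* level last commanded by the program */
    bool have_rise;       /* a rising edge has been seen */
    uint32_t last_edge;   /* time of the last transition */
    uint32_t last_rise;   /* time of the last rising edge */
    bool error_ff;        /* error flip-flop, latched once set */
} wd_timer;

typedef enum { FAULT_NONE, FAULT_HANG, FAULT_RUNAWAY } fault_kind;

static bool in_range(uint32_t v, uint32_t lo, uint32_t hi)
{
    return v >= lo && v <= hi;
}

void wd_init(wd_timer *wd, wd_limits lim, uint32_t now)
{
    wd->lim = lim;
    wd->level = false;
    wd->have_rise = false;
    wd->last_edge = wd->last_rise = now;
    wd->error_ff = false;
}

/* The program's output instruction drives the timer input. */
void wd_write(wd_timer *wd, uint32_t now, bool level)
{
    if (level == wd->level) return;           /* no transition */
    uint32_t width = now - wd->last_edge;
    if (wd->level) {                          /* falling edge ends "high" */
        if (!in_range(width, wd->lim.high_min, wd->lim.high_max))
            wd->error_ff = true;
    } else {                                  /* rising edge ends "low" */
        /* the first "low" after start-up has no lower bound */
        uint32_t lo = wd->have_rise ? wd->lim.low_min : 0;
        if (!in_range(width, lo, wd->lim.low_max))
            wd->error_ff = true;
        if (wd->have_rise && !in_range(now - wd->last_rise,
                                       wd->lim.period_min, wd->lim.period_max))
            wd->error_ff = true;
        wd->last_rise = now;
        wd->have_rise = true;
    }
    wd->level = level;
    wd->last_edge = now;
}

/* Counter clock: a line that stops moving overruns its tolerance. */
void wd_tick(wd_timer *wd, uint32_t now)
{
    uint32_t max = wd->level ? wd->lim.high_max : wd->lim.low_max;
    if (now - wd->last_edge > max) wd->error_ff = true;
}

/* Simulate the program; return the time the flip-flop sets, or -1. */
int32_t run_program(fault_kind kind, uint32_t fault_at, uint32_t end)
{
    const wd_limits lim = { 9, 11, 85, 95, 95, 105 };
    wd_timer wd;
    bool line = false;
    wd_init(&wd, lim, 0);
    for (uint32_t t = 1; t <= end; t++) {
        bool faulted = kind != FAULT_NONE && t >= fault_at;
        if (!faulted) {                       /* healthy: high from 90 to 100 of each 100 */
            if (t % 100 == 90) line = true;
            else if (t % 100 == 0) line = false;
        } else if (kind == FAULT_RUNAWAY && (t - fault_at) % 2 == 0) {
            line = !line;                     /* stray loop writes the output too often */
        }                                     /* FAULT_HANG: no further writes */
        wd_write(&wd, t, line);
        wd_tick(&wd, t);
        if (wd.error_ff) return (int32_t)t;
    }
    return -1;
}

int main(void)
{
    printf("healthy: %d\n", (int)run_program(FAULT_NONE, 0, 1000));
    printf("hang:    %d\n", (int)run_program(FAULT_HANG, 450, 1000));
    printf("runaway: %d\n", (int)run_program(FAULT_RUNAWAY, 450, 1000));
    return 0;
}
```

A hang is caught only when the counter overruns the tolerance of the portion in progress, so the detection latency is bounded by the longer of the two maximum widths; that bound is what has to fit inside the reconfiguration time.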
4. Input Signal Tests 
Tests performed on input signals can detect failures due to errors in sen-
sors, in data transmission, in input signal conditioning circuitry, or in
transferring the signal through the input section of the computer to either
the arithmetic section or the memory. Where tests are performed dur-
ing normal operation of the system (on-line) the stimuli are not "canned"
as they are in the case of arithmetic section tests since the sensors are
not  interrupted  to  provide  prescribed input signals. In place of prescribed 
sensor  values  for  testing  purposes,  the  validity of these  signals can be 
tested within  the arithmetic  section of the  processor by a combination of 
the following techniques: reasonableness tests, dual redundant inputs, 
and BITE. Reasonableness tests use criteria such as the expected range
and/or rate of the input parameter for error detection. Redundant inputs
allow the disagreement between the inputs to provide error detection.
BITE in the form of input conditioner built-in stimuli under program con-
trol provides a backup of reasonableness tests and redundancy both for
enhancing the error detection capability and for error isolation. The
redundancy  technique is the  least  desirable due  to  reliability and  power 
considerations and would be used  selectively, only if a study of the  pro- 
posed reasonableness  tests, BITE, and the  criticality of the input signal 
indicate it is necessary. 
Given that errors will be detected by the above mentioned techniques, the
isolation problem is to determine if the input device, I/O conditioner, or
computer is the error source. It is assumed that the input device cannot
monitor its own status completely and will require computer participa-
tion for its status determination. It is further assumed that if digital
transmission  errors  represent a significant  problem, it would be handled 
by simple  parity checking. A description of the  detection and isolation 
process follows. 
Included  in  the program  segment  requesting an input is the test required 
to verify it. If the input is acceptable normal operation continues. If the 
input is found to be in error, the error status is recorded in an assigned
bit position of a status word in memory. (Assume one status word is
reserved for each I/O conditioner thereby allowing reference in this
description to "I/O conditioner status words".) Normal operation con-
tinues, even in this error case, except that the previous value of the input
is used in the computations in place of the present value. At a prescribed
point in the program, the executive looks at the contents of the I/O condi-
tioner words. If this is the first cycle in which an error has been detected,
the executive permits performance of at least one more input cycle. Note
that the number of input cycles resulting in error reports should be greater
than one (1) since there is little likelihood that an error will occur at the
start of a cycle. But, once having occurred, if it is a solid failure, it
will be present throughout all subsequent input cycles and its effect will be
truly represented by the I/O conditioner status words.
Next, consider the manner in which the I/O conditioner status words can be
used  to  isolate  the  failure once the  failure  history is complete.  Basically 
the process is closely coupled to  the function of the  failed  circuitry. If the 
failure  occurs in circuitry  peculiar  to a particular input, only that input 
signal will be affected and only one input will be flagged in one of the I/O
conditioner status words. Such errors are either in the sensor, the trans-
mission path between sensor and conditioner, or in the conditioner prior to
the point where inputs are multiplexed. If failures are indicated in more
than one input signal, the failed point must be in time-shared circuitry.
This could be in the conditioner between the point where inputs are multi-
plexed and its output to the computer, the transmission path to the compu-
ter, or in the computer input circuitry. (An additional source could be a
gross sensor error where the sensor provides more than one input signal
and all have been affected. Such specific cases can be checked for by the
executive program if the sensor cannot be depended upon to provide such
information.) In the multiple computer configuration more than one con-
ditioner is tied to the computer input unit; therefore, errors in the com-
puter's input circuitry will affect most input signals.
Thus, it can  be seen  that  the  number of input signals and their  relation  to 
one another can provide a certain  degree of isolation of the error.  This 
degree of unambiguous isolation is related  to  the  failure  rates of the com- 
ponents  within the  isolable  boxes  that can  be associated with each  effect. 
If all inputs were bad, one would suspect  the  computer input unit; if the 
bad  inputs were  associated with one conditioner, one would suspect  the 
conditioner first even though there is circuitry within the  computer input 
associated only with that one conditioner,  etc. 
From  the  programming point of view, each  input has  associated with it 
certain  parameters and tests employing those  parameters.  Tests on 
operational  inputs are  performed  at  the  rate the  operational  program 
requires the inputs. Tests on non-operational inputs such as those sup- 
plied by BITE test signals are performed at a periodic rate. Detection 
of failures results in status notification by means of I/O conditioner status
words in memory. The executive program interrogates these status words
each cycle. A full cycle fault isolation routine is entered after the true
failure history has been recorded in the status words. Isolation to a sen-
sor, an I/O conditioner, or the computer input unit is achieved.
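Added example (not part of the original report): a C sketch of the input detection and isolation process described above, covering the reasonableness test, the I/O conditioner status words, substitution of the previous value, the extra input cycle before isolation, and the isolation decision. The layout of three conditioners with four inputs each, the limits, the sensor numbering, the rule that errors must appear in two consecutive cycles, and all identifiers are assumptions; the sample input values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_COND 3   /* I/O conditioners tied to the computer input unit */
#define N_IN   4   /* inputs multiplexed by each conditioner */
typedef enum { SRC_NONE, SRC_PENDING, SRC_SENSOR, SRC_CONDITIONER, SRC_COMPUTER_INPUT } fault_src;

typedef struct {
    int32_t min, max, max_rate;  /* reasonableness limits: range, change per cycle */
    int32_t prev;                /* last accepted value, reused while in error */
    int sensor;                  /* id of the sensor that supplies this input */
} input_desc;
typedef struct {
    input_desc in[N_COND][N_IN];
    uint16_t status[N_COND];     /* one status word per I/O conditioner */
    int error_cycles;            /* consecutive input cycles with errors */
    int suspect;                 /* sensor id or conditioner index, else -1 */
} io_system;

void io_init(io_system *s)
{
    *s = (io_system){ .suspect = -1 };   /* status words and counter zeroed */
    for (int c = 0; c < N_COND; c++)
        for (int i = 0; i < N_IN; i++)   /* range 0..1000, rate 50, start 100 */
            s->in[c][i] = (input_desc){ 0, 1000, 50, 100, c * N_IN + i };
    s->in[0][1].sensor = 0;              /* sensor 0 supplies two input signals */
}

/* Test carried by the program segment that requests the input. */
int32_t accept_input(io_system *s, int c, int i, int32_t raw)
{
    input_desc *d = &s->in[c][i];
    int64_t delta = raw > d->prev ? (int64_t)raw - d->prev : (int64_t)d->prev - raw;
    if (raw < d->min || raw > d->max || delta > d->max_rate) {
        s->status[c] |= (uint16_t)(1u << i);   /* record the error, keep running */
        return d->prev;                        /* previous value stands in */
    }
    d->prev = raw;
    return raw;
}

/* Executive check at the prescribed point of every cycle. */
fault_src executive_check(io_system *s)
{
    int conds = 0, sensor = -1, last_c = -1;
    bool one_sensor = true;
    for (int c = 0; c < N_COND; c++)
        for (int i = 0; i < N_IN; i++) {
            if (!(s->status[c] & (1u << i))) continue;
            if (c != last_c) { conds++; last_c = c; }
            if (sensor < 0) sensor = s->in[c][i].sensor;
            else if (sensor != s->in[c][i].sensor) one_sensor = false;
        }
    fault_src r;
    s->suspect = -1;
    if (conds == 0) { s->error_cycles = 0; r = SRC_NONE; }
    else if (++s->error_cycles < 2) r = SRC_PENDING;    /* history incomplete */
    else if (one_sensor) { r = SRC_SENSOR; s->suspect = sensor; }  /* input-specific path */
    else if (conds == 1) { r = SRC_CONDITIONER; s->suspect = last_c; }
    else r = SRC_COMPUTER_INPUT;                        /* shared by all conditioners */
    for (int c = 0; c < N_COND; c++) s->status[c] = 0;
    return r;
}

/* Constructed inputs: nominal value drifts slowly, a fault reads 5000. */
static int32_t raw_value(int sc, int cycle, int c, int i)
{
    bool bad = (sc == 1 && cycle >= 3 && c == 1 && i == 2)   /* one sensor */
            || (sc == 2 && cycle >= 3 && c == 1)             /* conditioner 1 */
            || (sc == 3 && cycle >= 3)                       /* computer input unit */
            || (sc == 4 && cycle >= 3 && c == 0 && i < 2)    /* two-signal sensor */
            || (sc == 5 && cycle == 3 && c == 2 && i == 0);  /* one-cycle transient */
    return bad ? 5000 : 100 + cycle;
}

fault_src run_scenario(int sc, int *suspect)
{
    io_system s;
    io_init(&s);
    *suspect = -1;
    for (int cycle = 0; cycle < 8; cycle++) {
        for (int c = 0; c < N_COND; c++)
            for (int i = 0; i < N_IN; i++)
                accept_input(&s, c, i, raw_value(sc, cycle, c, i));
        fault_src r = executive_check(&s);
        if (r >= SRC_SENSOR) { *suspect = s.suspect; return r; }
    }
    return SRC_NONE;
}

int main(void)
{
    for (int sc = 0; sc <= 5; sc++) {
        int who, src = (int)run_scenario(sc, &who);
        printf("scenario %d: source %d, suspect %d\n", sc, src, who);
    }
    return 0;
}
```

The sensor check runs before the conditioner check so that a gross error in a sensor supplying several signals is not blamed on the conditioner; SRC_SENSOR here stands for everything ahead of the multiplexing point.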
5. Output Signal Tests
In order to automatically detect errors in output signals, the loop on these
signals must be closed. For this reason, all conditioner outputs are fed
back to conditioner inputs and thereby made available for checking within
the arithmetic section of the processor. As opposed to input signal verifi-
cation by means of reasonableness tests, output signals are known at the
time they are commanded. Therefore reasonableness tests are not required.
All comparisons can be done digitally. Thus, for example, the output
voltage  derived  from a digital output word  can  be  brought  back  into  the 
conditioner,  converted A to D, and  the  resulting  digital  input  value  com- 
pared with the  original  digital output  value. 
The  programming  requirements  for  output  signals  are  similar  to  those  for 
inputs. Associated with each output signal is a test which involves execut-
ing an input command for the I/O conditioner input channel reserved for the
feedback of the output, and a comparison of input and output digital values.
Test failure results in notification by means of I/O conditioner status words
and a possible suspension of this output (note that for input errors past
values were used while accumulating the failure history. The same, of
course, cannot be done for output errors). The executive interrogates the
status words each cycle. When the failure history is completed a full cycle
fault isolation routine is entered and the error is isolated to either the com-
puter output unit or to the I/O conditioner.
4.2.2.2.3 External Status Reporting 
The  status of the  multiple  computer system  is continually  reported  to  the  space 
crew by means of control  panel  indicators. In  the case of a  failure they also  provide 
the  information  to  expedite  off-line repair. 
The isolable units are computers, I/O conditioners and input devices. As men-
tioned previously, the need for the computer to isolate input device errors is prob-
ably required in addition to its normal status monitoring of status signals generated
by external  devices. 
The  following tests have  been  described  to  monitor  performance: 
1. Memory Check Sum 
2. Arithmetic Section Functional Test 
3. Program Control Test 
4. Input Signal Tests 
5. Output Signal Tests 
Failures detected by the first  three  tests  imply  isolation to the  computer and, there- 
fore, can be  used  to  control  a  "computer fail light." The  simplest  implementation 
would be to have the program control test failure activate the light and to have fail-
ures in the memory check sum or arithmetic section test cause a failure in the pro-
gram control test (as, for example, by executing a halt command in the event of a
failure). 
Input tests involve error isolation to either a computer, an I/O conditioner, or
an input device. Output signal tests involve isolation to either a computer or an I/O
conditioner. In these cases one method of failure notification is to have an "input or
output fail light" and a status word display to indicate the computer input, computer
output, I/O conditioner, or input device as the most likely error source. The exec-
utive program would control these indicators, and in cases where I/O conditioners
or input devices  have  failed, but operation of the  system  can  continue (this point  will 
be discussed in more  detail  in  the  section on reconfiguration  that follows), the exec- 
utive is responsible  for  terminating  calculations involving the  failed  units. 
4.2.2.2.4 Reconfiguration 
This  section  discusses  the  task of reconfiguring  the  multiple  computer  system 
in  the  event of a failure. It is assumed  that  the  failure  has  been  detected,  correctly 
isolated, and reported  to  the  flight crew. Of course a spare  must exist. If not, 
depending on the  failed  item,  the  mission  may fail. 
From  the point of view of determining a reconfiguration  plan or  strategy,  the 
mission  can  be divided into  three  types of phases:  non-critical, critical, and Mars 
orbital.  The  plans for  each of these  phase types differ  because of the  speed of recon- 
figuration  required or  desired and because of the  allowable  status of the  system  dur- 
ing  reconfiguration. 
1. Non-Critical Phases 
During  non-critical  phases  the  primary  system,  comprised of the  primary 
computer and associated I/O conditioners and I/O devices, is performing
the required mission functions. The secondary system is turned off except
for periodic intervals at which it performs self-checking functions. The
composition of the secondary system is determined as follows: First, in
anticipation of becoming active during critical or Mars orbital phases it
contains the secondary computer and associated I/O conditioners and I/O
devices required for the particular phase. Second, in anticipation of a
failure in the primary system it can contain additional I/O conditioners and
I/O devices to form a source of verified spare units.
In the  event of a failure in the  primary  computer,  the  astronaut would shut 
down the primary  system. The  secondary  computer would assume  its  role. 
Physically,  either  the  primary  computer would be  removed and replaced by 
the secondary computer, or the connector(s) to the primary computer would
be disengaged and connected to the secondary computer. The power to the
"new" primary system is then restored, the system is checked, and then the
mission functions are resumed.
In the event of a failure of an I/O conditioner in the primary system, either
the entire primary system is shut down while repair is effected, or,
provisions may exist to remove the I/O conditioner and allow the rest of the
primary system to remain in operation. Physically, the failed I/O condi-
tioner is replaced by a "like" I/O conditioner from the secondary system,
the new conditioner is checked, and then its mission function is resumed.
Failures in I/O devices may be repaired by a method similar to that
described for I/O conditioners.
The time required to effect repairs in the manner described above is a
function of the  accessibility and  mounting of the  units, and of the  ability of 
an astronaut  to  perform  physical  repair  actions in the  environment of the 
Mars Mission Module. Extensive data on astronaut  repair capability is a 
mission function of some  current  space  programs and would be  available 
for  use  in developing  plans for the Mars landing mission.  Present  data 
indicates that space maintenance is feasible in a zero G environment with or
without a spacesuit. For evaluation  purposes, as described  in  Section 5, it has 
been assumed  that  the  space  crew  can  perform  repairs within 30 minutes. 
Restoration of the  secondary  system after its equipment has been  used to 
reconfigure  the primary  system will  be  discussed in the  section  dealing with 
backup  equipment assurance. 
2. Critical  Phases 
During  the critical  phases  the  primary  system is performing both critical 
and non-critical  mission  functions and its outputs are controlling  the  vehicle. 
The  secondary  system is also  turned on, performing  the  critical navigation 
and guidance functions in an active standby redundant mode. In addition, it 
is performing checking functions on spare I/O conditioners and devices.
The time duration of the phase is comparatively short, never being longer
than about 40 minutes.
Failures in the computer or certain of the I/O conditioners or devices of the
primary  system  that  affect  the  critical  functions  will  require  rapid  reconfig- 
uration. In this  event,  control of the  vehicle is automatically  passed  to  the 
secondary  system by issuance of a  logic  level  derived for the BITE circuitry 
associated with the program  control  error  detection of the  primary  computer. 
This  circuitry is functionally described in paragraph 4.2.2.1. Basically 
the  essential  event  that  occurs is activation of the  secondary  system outputs 
and deactivation of the primary  system outputs. This concludes the recon- 
figuration for a critical  failure in the  primary  system.  The  time  to  effect 
this reconfiguration is expected to  be much less than  the  allowable  maximum 
time of 5 seconds. The primary system is then shut down, either automati-
cally, or manually by the astronaut.
Failures in non-critical I/O conditioners or devices of the primary system
result in no immediate reconfiguration of hardware. Instead, the error,
having been detected, is reported to the flight crew for repair action to be
performed at the conclusion of the critical phase, and the non-critical
calculations that are affected are suspended. The rationale for this plan
assumes  that  the  primary  system, without the  capability of performing 
certain  non-critical  calculations,  can still perform  more  mission functions 
than would be performed by the  secondary  system after an  automatic 
switchover. 
3. Mars Orbital  Phase 
The Mars Orbital Phase requires the maximum storage and speed capability
to perform the mission functions. To accommodate this, the load is shared
by the two computers and associated I/O conditioners and devices. The two
systems  shall continue to be referred  to as the primary and  secondary  for con- 
sistency,  even though in this phase  neither  system is devoted to a standby 
or backup role. 
In  normal  operation  the  primary  system is performing  navigation and 
guidance and a part of the  scientific  experiment  functions.  The  secondary 
system is performing status monitoring, telecommunications, the remainder 
of the  scientific  experiments, and minimal navigation and guidance for  
backup purposes. By minimal is meant  that  portion of navigation and 
guidance which would be  performed by the  secondary  system  in  the  event of 
a loss of the  full  navigation and guidance  function of the  primary  system, 
in order  to  facilitate  subsequent  restoration of full  navigation and guidance 
during  reconfiguration. 
The  manner in which reconfiguration is handled in  this  phase is contingent 
on the  availability of a spare  for  the failed unit. 
First, assume a spare is present. Consider the secondary system. A 
failure  here  is handled  in a similar way as  described  for a  non-critical 
phase  failure of the  primary  system.  The only difference is  the source of 
the spare. It can either be obtained from spares stored, or, from an on-
line configuration if spares are tacked onto the primary and/or secondary
systems and periodically verified by test programs. Next, consider a
primary system failure. As part of the normal operating program the
primary  computer  is  transmitting  the  latest updated navigation and guidance 
data  to  the  secondary  computer  via  the  intercomputer communication  link  in 
anticipation of a primary  system failure and the  subsequent  performance of 
the navigation and guidance function by the secondary system. As a practical
matter, the secondary computer would store at least two sets of such data;
one being the latest set and the others being the sets prior to it. Then when
a failure of the navigation and guidance function of the primary system was
signalled,  the  secondary  system can start its minimal navigation and 
guidance  function using  the  set of data  most  likely  to be correct. Switch- 
over  to  the  secondary  system may be  made automatic in order to assure  the 
presence of a good set of navigation and guidance data in the  memory of the 
secondary  computer. If the primary  system  failure  does not  affect  the 
navigation and guidance  function,  switchover  need not be automatic and the 
reconfiguration of the primary system is handled similar to that for non-
critical phases. Of course, if as part of the repair activity it were
necessary  to  remove  the navigation and guidance  function,  the secondary 
system would have to be told to  assume  that  role. 
Next, assume  that  a  spare is not available. If a computer failed, the tasks 
of the  operating  computer would be  reassigned  to  perform  full  navigation 
and guidance, reduced communications, full status monitoring, and 
reduced scientific experiments. Physically, aside from shutting off the 
failed system, reconfiguration would also  entail  connecting  the  appropriate 
I/O conditioners and associated I/O devices to the operating computer if
they were not already linked there in a standby manner. If I/O conditioners
fail, many reconfiguration possibilities exist depending on the commonality
of I/O conditioners and the preference of performing certain tasks in lieu of
others. 
4.2.2.2.5 Backup Equipment Assurance
The basic functions  assigned  to  backup  equipment are to  enable  rapid  reconfigu- 
ration  during  critical  mission  phases  in  order  to  enhance  the  probability of mission 
success, and to provide a source of verified spares generally during non-critical
phases in order  to  increase  system availability. 
In  order  to  assure  the  readiness of backup units they  must  be  tested. It is 
undesirable  to continually test them  because of power  considerations, and also  because 
of reliability  considerations if it is assumed  that  the  failure rate of equipment varies 
directly with its usage. Therefore they would be tested periodically.
The configuration of the backup, or what has been called the secondary system,
is predicated both on the  anticipation of a failure  in  the  primary  system and on the 
expected role of the  secondary  system. 
During  the  major  part of non-critical  phases  the  secondary  system  contains the 
secondary computer, and those available I/O conditioners and devices which can be
inserted as spares  into the primary  system in the  event of a failure of the  primary 
system.  The  secondary  system could consist of a complete  duplication of the  primary 
system if the  duplicate  set of equipments  existed.  Where  there is commonality of 
equipments as may be true in the case of I/O conditioners, one of each type is all that
is required. Where duplicate I/O devices either do not exist or it is not feasible to
connect them to the secondary system, the associated I/O conditioners and secondary
computer I/O unit can still be tested when a "loop back" capability is provided to route
I/O conditioner outputs back to I/O conditioner inputs via a special test cable. Thus
the  nature of the backup  configuration  can  be seen  to  present a certain  degree of 
flexibility. No attempt  to pin it down will be made  during  this  study  (for any of the 
candidates). 
Checkout programs for the secondary system when it is in this "sparing" role
would be organized  similar  to  the  operational  checkout  programs.  The  program 
control BITE would operate continuously. The  arithmetic  section  functional  test would 
be the  same, but can  be expanded if required.  The  memory  check  sum would be 
included with each test program  segment and  could be expanded to check  sections of 
memory and processor  controls not  specifically  needed by the test programs.  The 
input/output test would depend on the I/O configuration. The entire testing could be
initiated on-demand by the  operator and be  continually  recycled.  The  operator  can 
be assisted by having the  primary  system  mark  time between  checkouts  and  indicate 
to him when to  initiate  the checkout of the  secondary  system.  The  secondary  system 
can  mark  time  to  indicate when the  required  number of test cycles  have  been com- 
pleted  and when shutdown of the  secondary  system is to  be  performed. 
In a prescribed  period  prior  to  entry  to a critical  phase  the  secondary  system 
must contain at least  those  equipments  necessary  to  enable  the  secondary  system  to 
take  over  the  primary  system  role in the  event of a primary  system  critical  failure. 
This  will allow the  required  rapid  reconfiguration  during  critical  phases. 
In  these  time  periods  the checkout programs  for  critical equipment  may  be 
identical to  those  performed by the  primary  system  for  critical equipment.  Checks 
of spare I/O conditioners and devices may be included as part of background
calculations. 
During  the Mars Orbital  phase, with the  secondary  system  active,  operational 
type testing would be employed. Spares  can be tested both  in the  primary and secondary 
system if the required computing power is available.
Restoration of a full backup  capability,  during any portion of the  mission, 
whether it be due to a failure  in  the  primary  system  for which the  secondary  system 
supplies the spare, or whether it be due to a failure in the secondary system itself,
is accomplished manually by the flight crew. Performance of the repair actions is
similar  to  that  previously  described  for a primary  system  failure in a non-critical 
phase. 
4.2.2.3 Software Considerations 
The  computational  requirements of this  mission  were  used  to  determine certain 
basic  software  design criteria. No matter which type of computer  system is finally 
selected  these criteria will still be valid. 
1. Computational Characteristics 
There are a number of obvious features of the required computations  that 
influence  the  software  approach. 
The greatest  difference between this  mission's  needs and that of most 
present-day  projects is the wide variety of computational classes. Precise 
calculations  for navigation  and  guidance, large  data  processing functions 
and others ranging  in  between  these  extremes,  all with varying  timing 
constraints,  must  be  concurrently  executed. 
There are certain  processes  that  must  be  performed throughout  the entire 
mission and others  that  will  be done once. Additionally, the duration of 
the  mission and  the nature of program longevity  imply that  unanticipated 
computations  will  be  added  to  the  work  load of the  computer  system. 
Another characteristic of these  requirements is the  wide range of computa- 
tional loads between phases. In actuality,  even within a given phase  the 
load can  vary  quite  radically. 
2. Software Criteria 
In view of these  characteristics a number of conclusions  concerning  the 
nature of the  software  can  be made. 
3. Dynamic Resources Allocation 
The processor, memory, and I/O resources of the computer cannot be
pre-allocated  to  all of the functions to  be  performed  during  the  mission. 
A means  for providing  some  degree of dynamic  usage of these  resources 
must  be employed. 
If the system were to be "hard-wired," the size of the computer would be
prohibitive. By accepting  the  dynamic  approach  the  sizing  problem is 
reduced to consideration of the  maximum  needs at any  one time  during  the 
mission, in this case, during  the Mars orbital  phase. 
4. Flexibility 
In order  to  permit handling of unanticipated programs, and also  to effectively 
process constantly  changing program  mixes, it is necessary  to have an 
executive  scheduling  algorithm  that  can  be  externally  controlled  through 
program  requests. 
4.2.2.3.1 General 
The  functional design of the  support  programs, which are the  Program  Sequencer, 
the Reconfiguration Program, the Request Processor, the I/O Supervisor, and the
Self-Test  Program, was influenced by the following factors: 
1. Computational requirements - The computational loading during different 
phases varies to  such a degree  that  the  computers'  functional  configuration 
must have flexibility. The periodic, or cyclic, nature of many computations
must be maintained.  The  system  must  be  capable of processing  unanticipated 
programs. 
2. Availability criteria - A positive means for detection of errors within the
computer system is essential. Fault isolation of I/O errors must be
performed. Upon failure, a means  for smooth  transition  to a backup 
configuration  must  be  available. 
3. Programming flexibility - The software development must not be hindered 
by an  excessive  number of restrictions,  since in-flight programming might 
be  required. A positive  means  for  program  control  must  be  incorporated. 
Preliminary  estimates of the  cost of these  support  programs  (detailed in 
4.2.2.3.8) are less than 3000 words and 10,000 ops/sec. Overhead in the computa-
tion programs for interfacing with the support software will be less than 1 percent.
4.2.2.3.2 Concepts of Program Design 
1. Program Design  Conventions 
In order to permit  efficient  operation of the  total  software  system,  the 
following conventions are imposed on the design of computational programs:
a. All programs will be relocatable  and  will be permanently  stored  in 
mass  storage. 
b. External variables, which are all data used by more than one 
computational program and all  data  required  for  restart  after 
reconfiguration, will be assigned fixed locations. For  data used 
by more than one program,  this  provides  for  ease of relocating  these 
programs  particularly during  reconfiguration between mission 
phases (if fixed  locations  were not assigned, moving one program 
could require going through other  programs and recording new 
data location assignments). For data  required  for  restart  after 
reconfiguration, this facilitates  inputting and  outputting of such 
data when it is required in  a number of different  programs. 
c. A computational program's  internal  variables  will be segregated  from 
its code and constants.  Utility  programs  cannot  have  internal  variables; 
the programs which call it must  supply  data  areas and references. 
d. Periodic  programs  will  have  a  fixed  execution  time, and periods  must be 
integer  multiples of all higher  frequency  periods. 
2. Scientific Experiments Execution
A special  scheme  for scheduling  the  execution of the  scientific ex- 
periments  support  programs will be  implemented.  Attempting  to 
schedule  them as periodic  programs is too rigid in view of the following 
considerations: 
a. A fixed frequency during a phase would be unrealistic. The rate at 
which data is input  from  a  particular  sensor would be  alterable so that 
the  associated  data  processing function can  signal  for an increase  or 
a  reduction  in  the  sampling. 
b. At uncertain unpredictable times the data from a sensor may be of nil
value; for  instance, on the  dark  side of a Mars orbit  some TV reception 
might  be  worthless.  This is also  the  case when a sensor malfunction 
is  discovered. 
c. In the Mars Orbit Phase the reconfiguration from the full computer 
system involves going to  a  reduced  configuration.  The  associated 
reduction in the computational load is achieved by reducing the
scientific  experiment  loading;  the  preferred method would be to 
continue most  experiments with reduced  data  sampling  rates. 
In examining  these  programs,  it  can be seen  that they really  consist of several 
distinct  parts  (represented in Figure 4-9). The data  is input from  a  sensor  at  some 
frequency and then stored in the  mass  memory. When a  sufficient  backlog has  been 
accumulated  the  data  reduction  processing is performed.  The end result  is an output 
for  either  telemetry  or console  display.  In order  to achieve  the  objective of optimum 
efficiency  along with flexibility  these  parts  are  considered  as  separate  programs. 
[Figure 4-9. Scientific Experiment Program Logical Representation. Box labels: "Input data from sensor and place in mass storage buffer"; "When sufficient data is in the buffer, it is processed for transmission to ground". Mass storage holds the data buffer, console buffer, and telemetry buffer.]
The  program  for input of sensor  data and buffering on the mass  storage  is 
executed  at  the  highest  potential  frequency  for  the  data  sampling.  The  actual  sample 
rate is controlled by setting  a READ/NO  READ flag  under  control of a frequency 
count. A NO READ setting would cause suppression of the buffering operation, not
the sensor input operation; thus, reasonableness testing of the sensor data would be
performed at a constant rate.
The data reduction program is not performed periodically, but as a request
program when a  sufficient  backlog  has  been  buffered. A special  Data  Buffer  Monitor 
program is executed  periodically  to  determine  the  status of the  various  buffers. When 
the  loading  level for  a  buffer is high enough, the  appropriate  flag  in  the  Request  Board 
(described in 4.2.2.3.5) is set.  The  measurement  used  for  the  ith  buffer is the 
following formula: 
$$t_i = \frac{b_i - d_i}{r_i},$$
where
$b_i$ = the size of the $i$th buffer,
$d_i$ = the load in the $i$th buffer,
$r_i$ = the loading rate for the $i$th buffer;
thus
$t_i$ = the time until the $i$th buffer will overflow.
When this measure is less than a set limit, the associated data reduction program
is requested. In order to prevent overflow, a priority is assigned to the program when
the time-to-overflow is less than a second preset limit.
Thus, when experimental  data is sparse  the  computational  support is infrequent, 
but when large  data  rates  are  encountered the same scheduling  mechanism  permits 
full  processing  capability. 
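The time-to-overflow test of the Data Buffer Monitor, as an added example in C (not code from the report). The flag encoding, field names, limits and sample buffers are assumptions made for the illustration; the comparison is done without division so that a buffer whose loading rate is zero is handled, and a table entry pointing outside the Request Board is ignored rather than written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Request Board byte-flag values. The encoding is an assumption: the report
 * says only that each request has a byte flag with room for a priority. */
enum { REQ_NONE = 0, REQ_NORMAL = 1, REQ_PRIORITY = 2 };

struct exp_buffer {
    uint32_t size;       /* b_i: buffer size in words */
    uint32_t load;       /* d_i: words currently buffered */
    uint32_t rate;       /* r_i: loading rate in words per second */
    size_t   board_slot; /* Request Board flag of the data reduction program */
};

/* Compare t_i = (b_i - d_i) / r_i with the two limits (in seconds). The test
 * is written as (b_i - d_i) < limit * r_i, so r_i == 0 needs no division. */
static uint8_t request_level(const struct exp_buffer *b,
                             uint32_t request_limit_s, uint32_t priority_limit_s)
{
    if (b->load >= b->size)
        return REQ_PRIORITY;            /* no room left: t_i is zero */
    if (b->rate == 0)
        return REQ_NONE;                /* nothing is being buffered: no overflow */
    uint64_t room = (uint64_t)b->size - b->load;
    if (room < (uint64_t)b->rate * priority_limit_s)
        return REQ_PRIORITY;
    if (room < (uint64_t)b->rate * request_limit_s)
        return REQ_NORMAL;
    return REQ_NONE;
}

/* One periodic pass of the monitor. Flags are only raised here (clearing is
 * left to whoever services the request); returns the number of flags changed. */
static unsigned buffer_monitor_pass(const struct exp_buffer *bufs, size_t n,
                                    uint8_t *board, size_t board_len,
                                    uint32_t request_limit_s, uint32_t priority_limit_s)
{
    unsigned changed = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t level = request_level(&bufs[i], request_limit_s, priority_limit_s);
        size_t slot = bufs[i].board_slot;
        if (slot >= board_len)
            continue;                   /* corrupt table entry: never write out of bounds */
        if (level > board[slot]) {
            board[slot] = level;
            changed++;
        }
    }
    return changed;
}

/* Constructed sample data: four buffers, request limit 30 s, priority limit 5 s. */
static uint8_t demo_board[4];

static unsigned demo_pass(void)
{
    static const struct exp_buffer bufs[] = {
        { 4096, 1024, 64, 0 },   /* 48 s to overflow: no request */
        { 4096, 3072, 64, 1 },   /* 16 s: request */
        { 4096, 3968, 64, 2 },   /*  2 s: request with priority */
        { 4096, 4000,  0, 3 },   /* NO READ, rate 0: no request */
    };
    for (size_t i = 0; i < 4; i++)
        demo_board[i] = REQ_NONE;
    return buffer_monitor_pass(bufs, 4, demo_board, 4, 30, 5);
}

int main(void)
{
    unsigned changed = demo_pass();
    printf("flags changed: %u, board: %d %d %d %d\n", changed,
           demo_board[0], demo_board[1], demo_board[2], demo_board[3]);
    return 0;
}
```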
4.2.2.3.3 Program Sequencer 
The  programs  that  are  executed  during any one phase  are  classified  as follows: 
1. Periodic - Execution is cyclic, with each iteration occurring at a prescribed
frequency.
2. Background - Execution is cyclic with no  timing  restraints. 
3. Anticipated Request - Execution is on command; during execution certain 
subprograms may be periodic. 
4. Unanticipated Request - Execution is on demand. 
The basic problem is to insure that all periodic programs execute properly. The
solution, which is dependent on the rules for programming periodic programs, is to
sequence within a fixed time-interval cycle; the length of the interval being equal to the
highest frequency of the periodic programs. The periodic programs are ordered from
most frequent to least frequent, $(p_0, p_1, \ldots, p_n)$.
At each cycle a counter associated with each program is decremented; when this
counter, initially set to the program's frequency, is zero the program should be
executed. The programs are then executed in order of frequency. To permit time-interval
cycling with low overhead, an interrupt system is employed.
As an example, Figure 4-10 shows a partial time history of the sequence of
execution of the following.
Program   Frequency   Execution Time
a         1 sec.      0.25 sec.
b         2 sec.      0.25 sec.
c         4 sec.      0.5 sec.
d         4 sec.      0.25 sec.
e         8 sec.      1.0 sec.
f         8 sec.      0.25 sec.
Notice that  program e could  not finish  execution  before  the end of the  second 
interval. It was interrupted so that  programs a and b could be properly sequenced 
and then was resumed. The shaded areas in Figure 4-10 are time gaps where no
periodic computations are scheduled. This time is used for the background and request
programs.
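The counter-driven sequencing above, simulated for programs a through f as an added example in C (not code from the report). Time is quantized to 0.25-second ticks, the trace is assumed to start at an interrupt where every counter expires together (which reproduces the interruption of program e described above), and the overrun check is an addition.

```c
#include <stdio.h>
#include <string.h>

#define TICKS_PER_INTERVAL 4   /* 0.25 s ticks, 1 s time interval */
#define NPROG 6

struct periodic {
    char name;
    int  period;      /* in time intervals */
    int  exec_ticks;  /* execution time in ticks */
    int  counter;     /* intervals left until the next release */
    int  remaining;   /* ticks left in the current iteration */
};

/* Table ordered from most frequent to least frequent. Counters start at 1 so
 * that the first interrupt releases every program (assumption, see lead-in). */
static void load_table(struct periodic p[NPROG])
{
    static const struct periodic init[NPROG] = {
        { 'a', 1, 1, 1, 0 }, { 'b', 2, 1, 1, 0 }, { 'c', 4, 2, 1, 0 },
        { 'd', 4, 1, 1, 0 }, { 'e', 8, 4, 1, 0 }, { 'f', 8, 1, 1, 0 },
    };
    memcpy(p, init, sizeof init);
}

/* Runs the sequencer for `intervals` time intervals. trace receives one
 * character per tick: the program name, or '.' for a gap left to background
 * and request programs. Returns the number of gap ticks, or -1 if a program
 * is released again before its previous iteration finished (overrun). */
static int run_sequencer(struct periodic p[NPROG], int intervals, char *trace)
{
    int gaps = 0, t = 0;
    for (int iv = 0; iv < intervals; iv++) {
        /* Time-interval interrupt: decrement every counter, release at zero. */
        for (int i = 0; i < NPROG; i++) {
            if (--p[i].counter == 0) {
                if (p[i].remaining > 0) {
                    trace[t] = '\0';
                    return -1;
                }
                p[i].counter = p[i].period;
                p[i].remaining = p[i].exec_ticks;
            }
        }
        /* Until the next interrupt, run the most frequent unfinished program.
         * A newly released program therefore interrupts a less frequent one,
         * which resumes once the more frequent programs are done. */
        for (int k = 0; k < TICKS_PER_INTERVAL; k++, t++) {
            int i = 0;
            while (i < NPROG && p[i].remaining == 0)
                i++;
            if (i < NPROG) {
                p[i].remaining--;
                trace[t] = p[i].name;
            } else {
                trace[t] = '.';
                gaps++;
            }
        }
    }
    trace[t] = '\0';
    return gaps;
}

static char demo_buf[64];

/* Runs 8 intervals with program a's execution time set to a_exec_ticks. */
static int demo_run(int a_exec_ticks)
{
    struct periodic p[NPROG];
    load_table(p);
    p[0].exec_ticks = a_exec_ticks;
    return run_sequencer(p, 8, demo_buf);
}

int main(void)
{
    int gaps = demo_run(1);
    printf("%s (gap ticks: %d)\n", demo_buf, gaps);
    return 0;
}
```

In the trace, program e starts in the second interval, is displaced by a and b at the next interrupt, and finishes at 3.0 seconds.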
If no requests  are being processed  the background programs  are executed in a 
cyclic sequence. The request programs are executed on a first-in, first-out basis
with the  ability  to  assign  priorities.  Figure 4-11 shows  the  organization of the  Request 
Queue; Figure 4-12 lists the  priorities and the  queue alterations  that are made  to 
accommodate  each. 
The structure of entries in the Periodic Schedule, Request, and Background
tables is given in Table 6-2 of Section VI. The process that occurs at each
time-interval interrupt is illustrated in the executive flow diagram of Section VI, 6.3.
In order to maintain the frequency of periodic programs, "dummy" periodic
programs corresponding in execution timing to the periodic computations of anticipated
request programs are continuously executed. Also, within periodic programs there
will be conditional program paths that may or may not be executed on any one cycle.
Both of these situations create "dead time."
[Figure 4-10. Sequence of Periodic Program Execution]
[Figure 4-11. Queue Chain. Labels: current request being processed; next request; ANYTIME + SUBCHAIN.]
[Figure 4-12. Priority Actions]
Dead time can be executed as a delay, but this would lead to poor computer
utilization. Therefore, a FILL function has been designed. This function is employed 
by setting  the  clock of a secondary  interrupt  system  to  the length of the  dead  time and 
transferring  control  to  that  portion of the  executive which fills  normal  time  gaps.  The 
time-interval, or  primary,  interrupt  system  will  override and reset this  system 
whenever it is  invoked. 
Input operations  can  lead  to  some  dead  time  also. This is of such  short 
duration, however, that use of the  FILL function is prohibited. Thus in most  cases a 
simple  delay  must  occur.  For many periodic  programs  the  first  action is the input of 
parameters;  to avoid time  loss  here, a special  procedure is employed. This  consists 
of executing a program-specified "early I/O" code prior to performing executive
housekeeping and program  initialization  functions. 
Unanticipated request  programs  are sequenced as though they were  anticipated, 
except  that  some  computer  reconfiguration is always involved. This  subject is covered 
in the  next  discussion. 
4.2.2.3.4 Reconfiguration Program 
Reconfiguration  will  be  required  to  handle  mission  phasing,  failure  recovery, 
and  unanticipated requests  in  all  phases. Following are the  different  means employed 
to reconfigure: 
1. Phased  Restart - This  means is employed when a completely new program 
load is required;  for  instance, when a single  computer  must  overlay a 
current  phase with the  next  phase.  This is accomplished by executing  the 
loader as the  highest  priority  request  program and  maintaining all periodic 
computations in the current phase until the new phase's periodic programs
are loaded, along with any associated special purpose restart programs.
At this time the new periodic programs begin executing; once their restart
programs are functioning properly, the remainder of the programs for the
phase (background and anticipated request) are loaded, overlaying the
restart programs and any residual from the old phase. Thus a smooth
transition from phase to phase is achieved.
2. Cold Start - This means is used when a computer is turned on. It operates 
essentially the same as a Phased  Restart  except  that  there are no "old" 
periodic  programs  to  be  executed. 
3. Request Overlay - Whenever an unanticipated request is to be handled, the 
program  must  be loaded. This is accomplished by loading  into  unused core 
and overlaying  lower  priority  anticipated  request  programs. If there is not 
enough room for  this, a command from  the  console is required  to  either 
turn on the secondary computer, upgrade the priority, or cancel the request.
In order to permit these operations, the memory of the computer is organized
in a particular manner as represented in Figure 4-13. Thus the load profile for each
phase must group its programs according to classification. Figures 4-14 and 4-15 are
general flow diagrams of these reconfiguration processes.  Further  details on the 
reconfiguration programs may be found in  the  executive flow diagram in Section VI, 6.3. 
The loader is a program that uses load profile information residing in mass
storage. The following tables are used:
1. Program Load Profile - Contains the name of the program, its location in
mass storage, its size, check sum information, periodic frequency (if any),
early I/O entry (if any), program entry, and pointers to the load profiles of
any utility programs it uses.
2. Phase Load Profile - Contains the phase name, and pointers to the load 
profiles of the programs  for the  phase.  This  list of pointers is grouped so 
as  to  delineate  periodic,  background, and anticipated  request  classifications. 
Since the code in the programs uses register-dependent addressing, no address
construction is required.  Therefore, the loader merely fills in the appropriate 
Program  Sequencer  tables,  determines  a  program  origin, and inputs  the  program 
code from  mass  storage  to  main  memory. 
[Figure 4-13. Memory Allocation. Labels: permanent locations, restart data, inter-program data, executive program, executive tables, periodic pack, continuous pack, non-continuous pack, (empty), fixed.]
[Figure 4-14. Reconfiguration Process (flow diagram for phasing self-start and cold self-start). Legible box text: self-load routine becomes 'NOW' request; phase dependent load-profile data is loaded; old periodic pack is copied in current non-continuous pack region and a temporary {Pj} table is created; temporary {Pj} is switched in; restart programs for periodic programs are loaded as {Bj}; executive self-initialization is executed; new table area for the executive and new periodic pack are loaded into permanent area and new {Pj} table is constructed; new {Pj} is switched in and loader goes to FILL function until restarts have finished; new continuous and non-continuous packs are loaded and the new {Rj} and {Bj} tables are generated.]
[Figure 4-15. Reconfiguration Process (request additional load). Legible box text: load profile for requested program is brought in; reorganize non-continuous pack if necessary; overlay load; remove overlaid programs; place in {Rj}.]
4.2.2.3.5 Request Processor 
Requests for additional computations contained in anticipated or unanticipated
request programs are made by setting a flag in a special Request Board table consisting
of a string of byte flags corresponding to all possible requests; there is room
in the flag to specify priority. The two primary sources for requests are the
following: 
1. Program generated requests - Whenever a computational program, 
on the  basis of a test,  determines  that  some  special  processing  must 
be  done, it merely sets the  appropriate  flag  in  the  Request Board. 
2. Console requests - A request can be generated via console message 
input. One of the  request  programs always in memory is the Console 
Message Processor, described below. A periodic program, the Console 
Interrogator,  is continually  checking to see if a message  has been 
presented on the  console. If so, the  flag in  the  Request  Board for the 
Console Message  Processor is set with the  highest  priority. 
The Console Message Processor verifies messages, checks their validity, and
takes the appropriate action. On the mass storage there is a list of request program
names  cross-referenced  to  the Request  Board.  This  list  is  used  to  determine which 
flags are to  be set. 
Before  the  Request Queue is processed by the  Program Sequencer,  another 
program, the Request Monitor, is executed. This program scans the Request Board 
and, if a flag  has  been set, alters  the Request Queue and, when needed, initiates 
Request Overlay. The name of the request program is obtained from the
cross-referenced list mentioned above.
4.2.2.3.6 Input/Output Supervisor
In order  to  provide a  complete  means of input and output with dynamic 
conditioner/sensor  configurations, a standard  system is provided. 
The key feature is a Conditioner/Parameter Logic Table which represents the
configuration of the I/O conditioners and the sensors, or parameter lines, via
cross-referencing. When a sensor is connected or removed from a conditioner, or when
a conditioner is added or deleted, this information must be transmitted to the I/O
Supervisor (as a console message) so that this logic table can be updated.
In order  to  reduce  overhead in exercising I/O, the following utility  routines 
are provided: 
1. GET - The computational program specifies the parameter desired, the 
number of inputs, the location for its storage, and reasonableness  test 
information. This routine then uses the Conditioner/Parameter 
Logic Table  to  determine  the  source of the input, issues  the  appropriate 
I/O commands, performs reasonableness tests, and transmits the
data to storage.
2. PUT - The computational program specifies the parameter being output,
the number of outputs, and the location of the output data. This routine
finds the proper output line, issues the appropriate I/O commands to
transmit the data, and verifies the output.
4.2.2.3.7 Self-Test Program 
A number of means are used to detect errors in the computer system. Regardless
of what an actual malfunction is, the real purpose of the self-test process is to
detect them and classify them as one of the following:
1. Computer failure - Any memory, processing unit, I/O unit, or critical
I/O source malfunction is considered as a total computer error and a
backup system must be implemented.
2. I/O failure - A malfunction in a single conditioner or a single I/O source
that is performing  non-critical  functions  causes  that  particular component 
to be  blocked off. The  remainder of the  system  continues  performing in 
this reduced  status. 
There are a number of techniques  used to  detect  errors. One is the  Pulse 
Stream  Test. A periodic  program (executed at the  highest  frequency)  alternately 
sets and resets a pulse flip-flop; this  device is hardware  monitored and, if the 
frequency is not  maintained (within some  tolerance), a computer  failure  signal is 
transmitted. Thus, logic sequencing malfunctions, closed loops, and program halts 
will be detected. Other self-test processes signal the discovery of errors by
executing a halt command which causes a pulse failure.
Another technique is the use of check-sums. Since the programs are organized
so that code and constants are blocked and check-sum data is available in the Program
Sequencer tables, this check is made on a periodic basis on selected programs.
There is an Arithmetic Unit Test performed periodically to detect malfunctions
in that processor's logic.
Input errors are detected on the basis of reasonableness tests, e.g., magnitude,
value range, and parity. Output errors are detected by hardware feedback and a full
comparison test. Conditioner errors are also detected by issuing test values through
special hardware feedback loops from a periodic program; this test determines if
the entire conditioner is good or bad.
At the beginning of each time-interval cycle a test is made of the Conditioner
Status Words, which is where error notification is made by the tests just described.
If any I/O errors have occurred, a flag is set and at the start of the next cycle a
comprehensive test of all the status words is made; this is done to detect multiple
errors.
If a single source error was detected, that sensor is blocked off. If multiple
source errors in only one conditioner or a single periodic conditioner error was
found, that conditioner is blocked off. If errors are detected in more than one
conditioner, a halt is executed (indicating computer failure).
This  covers  the self test  that is performed by software  methods.  Hardware 
methods  may  be  used  in  addition  to  this.  The  hardware  methods  will  simply  require 
the  monitoring on a periodic  basis of failure notification  signals set by the  hardware 
failure  detection  equipment. 
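The two-cycle check of the Conditioner Status Words and the blocking rules above, as an added example in C (not code from the report). The status-word bit layout, the names and the sample words are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed Conditioner Status Word layout (the report does not give one):
 * bit 15 = the conditioner's feedback-loop test failed,
 * bits 0-14 = one error flag per source (sensor) on that conditioner. */
#define CSW_COND_FAIL 0x8000u
#define CSW_SRC_MASK  0x7FFFu

enum io_action { IO_OK, IO_DEFERRED, IO_BLOCK_SENSOR, IO_BLOCK_CONDITIONER, IO_HALT };

struct io_verdict {
    enum io_action action;
    int conditioner;   /* -1 when not applicable */
    int sensor;        /* -1 when not applicable */
};

struct io_monitor { int error_flag; };

static int count_bits(unsigned v)
{
    int n = 0;
    for (; v; v &= v - 1)
        n++;
    return n;
}

/* Comprehensive test of all status words. */
static struct io_verdict classify_status(const uint16_t *csw, int n)
{
    struct io_verdict v = { IO_OK, -1, -1 };
    for (int c = 0; c < n; c++) {
        if (csw[c] == 0)
            continue;
        if (v.action != IO_OK) {            /* errors in more than one conditioner */
            v.action = IO_HALT;
            v.conditioner = -1;
            v.sensor = -1;
            return v;
        }
        unsigned src = csw[c] & CSW_SRC_MASK;
        v.conditioner = c;
        if ((csw[c] & CSW_COND_FAIL) || count_bits(src) > 1) {
            v.action = IO_BLOCK_CONDITIONER; /* conditioner error or several sources */
        } else {
            v.action = IO_BLOCK_SENSOR;      /* exactly one source bit is set */
            v.sensor = 0;
            while (!(src & 1u)) {
                src >>= 1;
                v.sensor++;
            }
        }
    }
    return v;
}

/* Called at the beginning of each time-interval cycle. The first cycle that
 * sees any error only sets the flag; the verdict comes one cycle later, so
 * errors reported in between are counted as well. */
static struct io_verdict cycle_start(struct io_monitor *m, const uint16_t *csw, int n)
{
    struct io_verdict v = { IO_OK, -1, -1 };
    if (m->error_flag) {
        m->error_flag = 0;
        return classify_status(csw, n);
    }
    for (int c = 0; c < n; c++) {
        if (csw[c]) {
            m->error_flag = 1;
            v.action = IO_DEFERRED;
            break;
        }
    }
    return v;
}

/* Constructed scenario: conditioner 3 reports first_word before the first
 * cycle; conditioner 7 reports late_word before the second cycle. */
static enum io_action demo_first_action;

static struct io_verdict demo(uint16_t first_word, uint16_t late_word)
{
    uint16_t csw[8] = { 0 };
    struct io_monitor m = { 0 };
    csw[3] = first_word;
    demo_first_action = cycle_start(&m, csw, 8).action;
    csw[7] = late_word;
    return cycle_start(&m, csw, 8);
}

int main(void)
{
    struct io_verdict v = demo(0x0010, 0);
    printf("action %d, conditioner %d, sensor %d\n", v.action, v.conditioner, v.sensor);
    return 0;
}
```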
4.2.2.3.8  Cost of Support Software 
The  estimates in this  section  have  been  derived  from a set of formulas involving 
the following parameters (the  assumed  value is included). The  maximum  phase is 
expected to be  the Mars  Orbital  Phase (phase  12). 
1. $n_f$ = number of periodic programs in phase; $n_{f,\max} = 20$
2. $n_r$ = number of anticipated request programs in phase; $n_{r,\max} = 30$
3. $n_b$ = number of background programs in phase; $n_{b,\max} = 10$
4. $n_u$ = number of utility programs in phase; $n_{u,\max} = 10$
5. $n_c$ = number of I/O conditioners; $n_{c,\max} = 20$
6. $n_s$ = number of I/O sensors; $n_{s,\max} = 100$
Another  assumption is that  all  periodic  support  functions  will  be  executed  at 
0.05 seconds. In the  Mars  Orbital  Phase  these  estimates are for  each  computer. 
The  table in Figure 4-16 gives  the  cost of each  part of the  support  system. 
Support Function          Storage (Formula, Max.)          Speed (ops/sec.)
Program Sequencer
  Periodic
  Request
  Background
  Linkage Support
Reconfiguration Program
  Phased Restart
  Cold Start
  Request Overlay
Request Processor
I/O Supervisor
  Cond./Parm. Logic
  Status Check
  PUT, GET
Self-Test Program
  Check Sum
  Arith. Unit Test
  Pulse Stream
  I/O Tests
$12n_f + 50$
$6n_r + 50$
$4n_b + 20$
$2n_u + 20$
$n_c + 4n_s + 40$
$2n_c + 40$
$n_c + 100$
2000
*
600
*
6340
(1500)
(6000) (At 0.1 frequency)
(40)
(800)
Totals 2836 8940
Figure 4-16. Software Costs
4.2.3 Modular Multiprocessor
4.2.3.1 Organization
4.2.3.1.1 General Considerations
The computational and reliability  requirements are the  same as those given for 
the  multiple  computer.  This of course  means that  the  general  processor  features 
discussed earlier apply to  the  multiprocessor. It should also be noted here  that  the 
multiprocessor was the  candidate  chosen for  further  design; as a result a thorough 
discussion of its features and operation is given in chapter 6. 
The multiprocessor has three 12K memory modules, two processor modules,
and two I/O modules with full intercommunication between the memories and processors
and between the memories and the input/output modules; these are the modules
required to meet the maximum computation requirements. Again, since there is a
need to continue operations while any one of the modules is in a state of repair (during
critical phases), there must be at least two of each type of module. The Multiprocessor
structure is shown in Figure 4-17. The ability to expand the system to
four memory modules, three processor modules and three I/O modules is also
included as shown by dotted lines in this figure. Further expansion would require
addition of a separate multiprocessor system with an I/O link to the original system.
This  approach is taken due to the  fact  that  expansion of the  original  system beyond 
3-4-3 would require so many interconnections  that  the  system may become 
impractical. 
This  organization  offers  the  ability  for any processor  to  use any memory module 
for  either  instruction  or operand storage and  likewise any input/output  module  (through 
communication  to any memory module) for input/output operations to the desired  sensors. 
Each  module  can interleave  communications with any of the  other  modules  in any 
sequence. It is possible, for example, for processor P1 to be executing an instruction
sequence from memory M and receiving its operands from memory M only. Essentially
the modules can operate independently of and simultaneously with each other.
Communication may be restricted between modules by the use of lockout features
that are incorporated in the design. These lockout features allow a processor to set a
lockout in a selected memory to prevent any other processor from using that memory;
the lockout feature in the input/output modules is operated similarly. This feature
allows the modular multiprocessor to operate essentially as a multicomputer during
phases when critical computations are being performed in a redundant manner.
The operation of each of the modules is discussed in detail in Section VI. Briefly,
each processor module functions independently of the other processor modules in a
conventional manner. The processors request memory cycles according to their own
internal timing; the granting of a memory cycle may take only several nanoseconds if
the memory is free or up to several microseconds if other modules are granted access
first. The memory modules communicate with all of the processor and I/O modules.
These modules request memory cycles and are granted cycles by the scanning circuitry
in each memory module. The scanner is a simple round robin type of scanner for
choosing which processor or I/O module will receive the next memory cycle. It
operates as an asynchronous counter and is therefore capable of scanning all request
lines in much less than 1 bit time. The I/O modules operate on instructions received
via a memory module. They receive requests for I/O operations from the memories
and contain scanning circuitry similar to that in the memories to choose which
memory request is honored. The I/O module also generates requests for memory
cycles when it has information to transmit to a memory. The sensors will normally
be connected to the I/O through conditioners on serial links. However, the bulk
storage device will be connected to each of the I/O modules by a parallel data link.
The I/O module contains the capability for I/O operations with the bulk storage unit
and any of the sensors simultaneously.
[Figure 4-17. Multiprocessor. Labels: I/O; serial sensors.]
The proper use of this computer system during the various mission phases is
discussed later in this section. Very simply, during Non-Mars non-critical phases, 
one processor, one  memory, and one 1/0 module are in  operation and the  second 
memory comes into operation periodically. During the critical phases, the second 
processor and the  third  memory module  plus the  second I/O module are brought  into 
operation.  These  latter  modules  lock  out  all  requests  from  the  primary  processor 
(they are also locked  out of the  primary  system).  This  means  that  the  system  oper- 
ates in a manner very similar to two separate  computers and, as a result, is able  to 
guarantee reconfiguration within the  five  second  time  constraint.  During  Mars- 
Orbital  operation, all modules  in  the system  are in operation and all communication 
lines between the modules are allowed. Thus, full advantage can be taken of the
multiprocessor  structure. 
The trade-offs involved in deciding  the  size,  speed and numbers of each  type of 
module in the  system  are  essentially  the same as  those given for  the two computer 
approach.  The  interesting point to  notice is that  the  multiprocessor  organization only 
has  three 12K memory  modules  whereas  the  multiple  computer  has  four 12K memory 
modules - two in each  computer. The multiprocessor  organization was able  to  save 
this 12K module due to its full inter-communication capability. During Non-Mars 
Orbital  computations 20K is needed in a number of cases.  This  can  be  provided by 
two of the  memory  modules  operating with one  processor.  The  third  memory  module 
comes  on and operates with the  second  processor  during  critical Non-Mars Orbital 
phases. In this way, all the Non-Mars Orbital  memory  requirements are easily 
satisfied. During the Mars Orbit, 30K of memory is adequate; as a result, three 12K
modules will do the job in all phases. This was not possible in the multiple computer
scheme since each processor did not have access to all the memory modules in the
system, and, therefore, each processor had to be given two 12K modules.
The processor's speed requirements are also approximately the same as for the
multiple computer case; as a result, MOS-SOS technology can again be used for the
implementation of a 250,000 short  operation per  second processor. 
The  power  supply for  this candidate  will  be  distributed  to  each  board just  as  for 
the  multiple  computer. 
The computer configurations for the multiprocessor during the various mission
phases are tabulated below.
Phases 1, 2: Processor one, I/O one, memory module one
Phases 3, 5, 6, 8, 9, 10, 11, 13, 15, 16, 18, 19, 20: Processor one, I/O one, memory module one; processor two, I/O two, memory module two - active redundancy
Phases 4, 7, 14, 17: Processor one, I/O one, memory one on continuously, memory three on intermittently.
Phase 12: Processor one and two, I/O one and two, memory modules one, two and three.
4.2.3.1.2 Processor, Memory, and I/O Structure 
Since  the  processor has all the  features given earlier and also  carries out 
250,000 operations per second, it is basically the same as that given for the multiple
computer. However, the need to communicate with three  separate  memories and two 
separate I/O units  requires  some  extra flip-flops and gates and a fairly  large  number 
of extra  lines.  The  extra  flip-flops are the following: the  program  counter, and the 
nine index-bank registers are all increased to 16 bits. The control flip-flops are now 
increased to eighteen. This gives a total of approximately 330 flip-flops for  this 
processor. This processor would also  take  one to two chips  for its implementation  in 
MOS/SOS circuitry. In order to get a rough feeling  for  the  number of lines  necessary 
for implementation of the multiprocessor an approximate line count from the memories
to the processors and I/O units is presented in Figure 4-18. The specific interface
lines in the count are discussed in chapter 6; however it is presented here in
order to give a first cut  comparison between the  multiprocessor and multiple  computer 
intercommunications. It should  be  noted from  the  figure  that  the  multiprocessor 
requires almost  three  times as many interconnections as the  multiple  computer. 
The use of a two-way driver/receiver on the  data  lines  provides a good line 
saving;  however as the  number of modules  in  the  Multiprocessor increases the  number 
of lines necessary to provide full intercommunication becomes very large. Therefore,
as mentioned earlier, intercommunication  should be  restricted if for any given mission 
the  number of necessary  processors gets beyond three and memories beyond four. 
The memory  hardware is again  almost  the same as that  for  the  memory  in  the 
Multiple  Computer  candidate. However there are a few extra registers and interface 
circuitry  chips along with a large  number of extra  lines. The primary  difference is 
that  there are three 12K modules,  each  one  operating as a separate memory;  whereas 
in  the Multiple  Computer there were two 12K modules per  computer and both of these 
together  acted  like a 24K memory.  This  simply  means  that in the  multiprocessor 
each 12K module must  have not only the word and bit circuitry  listed  for  the  multiple 
computer 12K module  but also the  timing and registers listed  for  each 24K memory. 
This is not a significant increase in the  hardware  associated with a 12K module. The 
multiprocessor memory modules must also have lockout hardware and a six bit
scanner (2 extra bits provided for expandability) to choose which processor or I/O unit
receives the next memory cycle. This extra hardware amounts to approximately nine
extra MOS/SOS chips. (With the development of bigger packages this could be reduced
to four or five arrays.) The lockout hardware consists of a flip flop for each processor
and I/O module and some gating to set these flip flops. The processors have
an instruction that sends a signal to the appropriate memory in order to set up the
lockout so that only this processor and a specified I/O unit can use the memory. This
hardware is used to protect the memory modules from an errant processor during
critical phases and also to provide undisturbed computing for periodic computations.
In other words, during critical computations one processor operates with one of the
memories and I/O units while the other processor operates with the other two memories
and I/O unit. Each processor locks the other out of its memory (or memories)
and I/O unit. This lockout enables each section of the multiprocessor to determine
accurately whether it has failed or not. After a failure, reconfiguration can then be
carried out easily within the 5 second maximum time. This lockout feature is also
useful for periodic computations. When a processor is executing a periodic computation
with a memory it does not want to be interrupted repeatedly by another processor
since this would lengthen the periodic computation and possibly have an adverse effect
on accuracies. Locking out the other  processor  during  the  short period while a 
periodic computation is in execution  eliminates this possibility. 
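A software model of one memory module's lockout flip-flops and round-robin scanner, as an added example in C (not code or a hardware design from the report). The assignment of request lines, the function names, and the rule that a locked-out processor cannot change the lockout are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NLINES 6                             /* request lines seen by the scanner */
#define ALL_LINES ((1u << NLINES) - 1u)
enum { P1 = 0, P2 = 1, IO1 = 2, IO2 = 3 };   /* assumed line assignment; 4 and 5 spare */

struct mem_module {
    unsigned lockout;   /* one flip-flop per line: bit set = line is locked out */
    int      last;      /* line that received the most recent memory cycle */
};

/* Lockout instruction from processor `proc`: afterwards only `proc` and the
 * specified I/O unit can use this memory. Assumption: a processor that is
 * itself locked out is refused, so an errant processor cannot take over. */
static int set_lockout(struct mem_module *m, int proc, int io_unit)
{
    if (m->lockout & (1u << proc))
        return -1;
    m->lockout = ALL_LINES & ~((1u << proc) | (1u << io_unit));
    return 0;
}

/* Release of the lockout, accepted only from a line that is not locked out. */
static int clear_lockout(struct mem_module *m, int proc)
{
    if (m->lockout & (1u << proc))
        return -1;
    m->lockout = 0;
    return 0;
}

/* Round-robin scanner: starting after the line served last, grant the next
 * memory cycle to the first requesting line that is not locked out.
 * Returns the granted line, or -1 if no eligible line is requesting. */
static int grant_cycle(struct mem_module *m, unsigned requests)
{
    unsigned eligible = requests & ~m->lockout & ALL_LINES;
    for (int step = 1; step <= NLINES; step++) {
        int line = (m->last + step) % NLINES;
        if (eligible & (1u << line)) {
            m->last = line;
            return line;
        }
    }
    return -1;
}

/* Constructed scenario. P1 locks the memory for itself and IO1 while P1, P2
 * and IO1 all request cycles; P2 then tries to set its own lockout and to get
 * a cycle; finally P1 releases the lockout. Digits in the result are granted
 * lines, 'x' marks a refused operation. */
static const char *demo_grants(void)
{
    static char out[16];
    struct mem_module m = { 0, NLINES - 1 };
    unsigned req = (1u << P1) | (1u << P2) | (1u << IO1);
    int k = 0;

    set_lockout(&m, P1, IO1);
    for (int i = 0; i < 4; i++)
        out[k++] = (char)('0' + grant_cycle(&m, req));
    out[k++] = (set_lockout(&m, P2, IO2) == -1) ? 'x' : '!';
    out[k++] = (grant_cycle(&m, 1u << P2) == -1) ? 'x' : '!';
    clear_lockout(&m, P1);
    for (int i = 0; i < 3; i++)
        out[k++] = (char)('0' + grant_cycle(&m, req));
    out[k] = '\0';
    return out;
}

int main(void)
{
    printf("%s\n", demo_grants());
    return 0;
}
```

While the lockout is set, cycles alternate between P1 and IO1 and P2 is never served; after release the scanner rotates through all three requesters.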
[Figure 4-18. Approximate Line Count. Multiprocessor: each memory has approximately 48 P lines and 50 I/O lines, a total of 98 per 12K module and 294 lines per system. Multiple computer: each computer has 49 lines, a total of 98 lines per system.]
The I/O structure for the multiprocessor is basically the same as that described
for the multiple computer. The only difference is that the I/O modules are available
to all processors through the memories. This can increase the wait for I/O variables;
however the programs can be arranged to minimize queuing at the I/O units or memories.
In particular during periodic computations a processor, memory and I/O unit
work together and lock the other processor out. The lockout hardware in the I/O is
exactly the same as that in the memory and in fact is also used in the same manner
during critical phases. The program scheduler using the Real Time Clock and call
of I/O variables from the header of each program will be used here as explained for
the multiple computer. The I/O registers are the same as those listed earlier except
for the addition of three lockout flip-flops, a 3 bit memory request scanner, interface
circuitry for up to four memories, a few control flip-flops, and the increase of
the memory address counter to 16 bits. This gives a total of 150 flip-flops. One
MOS/SOS chip will easily handle this. A diagram of the I/O unit hardware and a
discussion of its operation is given in Section VI.
4.2.3.2 Failure Considerations and Reconfiguration
The introductory remarks and basic guidelines given in Paragraphs 4.2.2.2 and
4.2.2.2.1 for the multiple computer candidate apply equally well to this candidate,
so they need not be repeated. Therefore the discussion will begin with error detection
and isolation tests. Recall from the discussions on the multiple computer that
software approaches to failure detection are considered here. Since the multiprocessor
was the selected candidate, a hardware approach will also be considered in Section VI.
It should also be noted that due to considering the software approach first, many more
problems associated with reconfiguration are uncovered.
4.2.3.2.1 Error Detection and Isolation Tests
The following paragraphs describe the tests required to insure timely indications
of the multiprocessor status during the mission.
1. Processor-Memory Tests
The memory check sum, arithmetic section functional test, and program control
test, as described for the multiple computer system, would also be the primary tests
for detection of errors in memory or processor modules of the multiprocessor
configuration. The nature of these tests need not be described here again.
In the multiprocessor configuration the requirement has been established to
isolate errors to the processor or memory. The above tests provide this capability
only to a limited extent. For example, a processor arithmetic error can be isolated
to the processor by executing the arithmetic functional test twice, once from each of
two memories. Normally the test would be executed the second time only upon failure
of the first test. Similarly, a memory failure is isolable by a check sum where the
memory is an operand source, not an instruction source, for two processors. Where
a memory is an instruction source at the time of its failure the program control test
will detect the error, as it will if the processor contains a control error.
The approach chosen to isolate errors between memories and processors (and
between processors and I/O units too) generally takes advantage of the fact that
isolation need not be instantaneous and that the space crew is available to perform
procedures as required for isolation subsequent to error detection. The penalty of this
approach is that more equipment than otherwise necessary may be placed in a "down"
condition at the time an error is detected and, of course, also that more crew
participation is required. However, an analysis of the mission success and availability
requirements shows that those requirements can be more than adequately met with
this approach. The alternative is to add redundant hardware such as memory parity
checking and arithmetic coding schemes.
In the section on reconfiguration the procedures for isolation of processor and
memory failures will be discussed in some detail.
2. Input, Output Signal Tests
The basic nature of these tests for the multiprocessor is similar to that
described for the multiple computer system. That is, reasonableness tests and BITE
circuitry can be used to check input signals, and output signals are checked by looping
them back into the computer. The results of the checks are recorded in I/O
conditioner status words and these in turn are checked by the full cycle fault isolation
routine to isolate the failure.
The new problem that arises in the multiprocessor is the ability to isolate
errors between processors and I/O units. Generally, certain processor failures,
and I/O unit failures, will result in the same conditioner status words. The isolation
ambiguity is resolved by taking advantage of the built-in flexible communication paths
between each of the processors and each of the I/O units. Thus, one processor can
attempt to talk to two I/O units, or two processors can attempt to talk to the same I/O
unit. The implementation of this test is dependent on the multiprocessor configuration
at the time of the failure. As such it will be further discussed in the section dealing
with reconfiguration.
4.2.3.2.2 External Status Reporting
The status of the on-line units of the system is continually reported by means of
two sets of control panel indicators. Each set is controlled by a processor. In case
of a failure the indicators either flag the failed module, or flag a trouble area which
forms the basis for the initiation of further tests to isolate the failure. The isolable
modules are memories, processors, I/O units, conditioners, and input devices.
Each set of indicators consists of the following:
   computer fail light
   processor - memory lamp
   processor - I/O unit lamp
   conditioner lamp
   input device lamp
   numeric readout
The computer fail light is controlled by the BITE circuitry for the program
control test of the associated processor. Recall that the BITE circuitry is installed
here because the computer cannot be relied on to actively report its own status.
Errors reported by this lamp implicate either the associated processor or a memory.
All other indicators represent the situation where the processor has been able to
actively make a decision. These other indicators are meaningful only if the computer
fail light is off. The indicators are tied to discrete outputs from the processor and
are set by the program when certain errors are detected. As implied by their names,
the fault may be in the processor-memory area, processor-I/O unit area, or more
definitely, a conditioner or an input device. The numeric readout is associated with
either of the 4 lamps that are lit, further specifying the failed unit or most likely
failed unit, in a prescribed coded form.
Normally, failures detected by the program control test, arithmetic functional
test, and memory check sum will be reported by either the computer fail light, or the
processor-memory lamp and numeric readout. Failures involving input or output
signals are reported by either the processor-I/O unit lamp, the conditioner lamp, or
the input device lamp. The specific conditioner or input device is reported on the
numeric readout.
Further details on how this failure notification system is used are given in the
succeeding sections on reconfiguration and backup equipment assurance.
4.2.3.2.3 Reconfiguration
This section discusses the task of reconfiguring the multiprocessor after a
failure has been detected and reported to the space crew. It will be shown that, as
compared to the multiple computer system, the multiprocessor affords an inherently
higher probability of mission success and higher system availability. The former is
achieved by being able to withstand selected multiple failures during critical phases.
The latter is achieved mainly by eliminating the need to include module replacement
time as a part of reconfiguration time during non-critical phases for certain failures.
As in the case of the multiple computer system the reconfiguration plan is
based on the type of phase in which the failure occurred; either non-critical, critical,
or Mars orbital.
Figure 4-19 represents the general multiprocessor configuration. The
nomenclature given therein will be used throughout the discussion.
1. Non-Critical Phases
During non-critical phases the primary system consists of M1, P1, I/O1,
C11, ..., C1N and M3 as required for the performance of non-continuous functions.
The secondary system consists of M2, P2, I/O2, C21, ..., C2M. The primary
system is performing the required mission functions; the secondary system is normally
turned off except for periodic intervals when it is turned on and checked. Generally,
the configuration of the secondary system is based on the anticipation of a failure in
the primary system, and its subsequent role as a checkout device and as a source of
verified modules that will become a part of the primary system during reconfiguration.
Figure 4-19. General Multiprocessor Configuration
The reconfiguration process starts with a failure notification by the primary
system. As stated in the previous section, failure notification consists of a computer
fail light controlled by BITE circuitry, processor-memory, processor-I/O,
conditioner, and input device fail lamps controlled by discrete outputs from the processor,
and a readout specifying the most likely unit containing the error.
There are two reconfiguration procedures; one if the error is in either a
memory, processor, or I/O unit, and the other if the error is in a conditioner or
input device.
The procedure for memory, processor, or I/O unit failures uses the secondary
system as a checkout device to test the primary system and isolate the failure. Where
the primary system has isolated the error the procedure provides corroboration.
More often however, the primary system will be unable to isolate its
memory-processor-I/O unit failures. The procedure is as follows: First, the power to the
primary processor P1 is turned off. The secondary system is turned on and checks
itself with the same tests it has been periodically performing when there was no
error in the system. (The tests are described in the section on backup assurance.)
Next it starts checking the primary system. During these tests all instructions to be
executed by P2 are read out of M2. M1 is checked by loading it with selected bit
patterns and verifying the loading. Similarly for M3. In the worst case, all locations of
M1 and M3 are accessed. An M1 or M3 failure is isolated by these tests and reported
via the control panel readout reserved for P2's reports. This report would confirm
the primary system's failure report wherein either the computer fail light came on or
the P-M light came on with the readout specifying either M1 or M3 as the likely error
source. If both M1 and M3 are found to be correct, checkout automatically continues
with P2-M2 checking I/O1. The nature of the error which would cause I/O1 to be
suspect probably requires the performance of only a select few input/output operations.
Typically the BITE inputs from the conditioners would be accessed and several outputs
would be tried. This test removes the ambiguity of errors reported by the primary
system processor-I/O lamp, i.e., if the test fails, I/O1 is the failure source; if the
test passes, P1 is the failure source.
In the case of failures in either conditioners or input devices, the primary
system isolates the failure (by means of the conditioner status words and full cycle fault
isolation routine) and reports the failed unit by means of the conditioner or input
device fail lights and the readout. In this case the secondary system is not used for
fault isolation although it will probably be turned on to check the replacement prior to
its insertion in the primary system. As a precautionary measure, the astronaut may
request certain prescribed readouts from the primary system to insure that the
conditioner involved in sending the failure readout is correct and has not, through its own
failure, implicated another conditioner.
Having isolated the failure by the above procedures, the next step is to
reconfigure the system around the failed unit. Because of the flexible communications
several possibilities exist for processor-memory-I/O unit failures. Since the
secondary system is active and functioning in cases of those failures, the present plan
calls for using the P2-M2 combination in the reconfigured primary system. I/O2 is
used only if I/O1 has failed, and then it must be connected to the conditioners
associated with I/O1. Conditioner or input device failures also require physical
replacement to effect reconfiguration. Thus, for processor or memory failures,
reconfiguration is effected without physically replacing the failed module, while for other
failures physical replacement is required. Replacement of processor or memory
modules is performed off-line, after reconfiguration has been accomplished. This
represents an improvement in system availability over the multiple computer system.
Table 4-3 summarizes the reconfiguration procedure.
Table 4-3. Non-Critical Phase Reconfiguration Summary
Primary System Prior to Failure: M1, M3, P1, I/O1, C11, ..., C1N
Failed   Failure       Failure       Reconfigured Primary System
Unit     Detected By   Isolated By
M1       Primary       Secondary     M2, P2, M3, I/O1, C11, ..., C1N
M3       Primary       Secondary     M2, P2, M1, I/O1, C11, ..., C1N
P1       Primary       Secondary     M2, P2, M3, I/O1, C11, ..., C1N
I/O1     Primary       Secondary     M2, P2, M3, I/O2, C11, ..., C1N
C1j      Primary       Primary       M2, P2, M3, I/O1, C11, ..., C2k, ..., C1N
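
The non-critical phase procedure and Table 4-3 can be exercised as a small simulation. This is an added example, not code from the report: the fault models (a stuck-at-0 memory bit, a corrupted I/O loop-back), the bit patterns, and all class and function names are assumptions made for illustration.

```python
"""Added example: non-critical phase fault isolation and reconfiguration."""

PATTERNS = (0x0000, 0xFFFF, 0xAAAA, 0x5555)  # constructed bit patterns


class Memory:
    """Word-addressed memory; `stuck` = (addr, bit) is a constructed stuck-at-0 fault."""

    def __init__(self, name, size=32, stuck=None):
        self.name, self.size, self.stuck = name, size, stuck
        self.words = [0] * size

    def write(self, addr, value):
        if self.stuck is not None and addr == self.stuck[0]:
            value &= ~(1 << self.stuck[1])  # the faulty cell cannot hold a 1
        self.words[addr] = value & 0xFFFF

    def read(self, addr):
        return self.words[addr]


class IOUnit:
    """I/O unit with a loop-back path; an unhealthy unit corrupts the echo."""

    def __init__(self, name, healthy=True):
        self.name, self.healthy = name, healthy

    def loopback(self, value):
        return value if self.healthy else value ^ 0x0001


def check_memory(mem):
    """Load every location with each pattern and verify the loading."""
    for pattern in PATTERNS:
        for addr in range(mem.size):
            mem.write(addr, pattern)
        if any(mem.read(addr) != pattern for addr in range(mem.size)):
            return False
    return True


def check_io(io):
    """A select few output operations, looped back and compared."""
    return all(io.loopback(v) == v for v in (0x0001, 0x00F0, 0x8000))


def isolate(lamp, readout, m1, m3, io1):
    """Return (failed_unit, isolated_by) for a primary-system failure report."""
    if lamp in ("conditioner", "input device"):
        return readout, "Primary"  # primary's fault isolation routine names the unit
    # P1 is powered off; P2 executes from M2 and checks M1, M3, then I/O1.
    for mem in (m1, m3):
        if not check_memory(mem):
            return mem.name, "Secondary"
    if not check_io(io1):
        return io1.name, "Secondary"
    return "P1", "Secondary"  # everything P2 can test passed


def reconfigure(failed):
    """Return (memory/processor/I-O modules, physical_action_needed) per Table 4-3."""
    second_memory = "M1" if failed == "M3" else "M3"
    io = "I/O2" if failed == "I/O1" else "I/O1"
    # Processor or memory failures reconfigure without physical replacement.
    physical_action = failed not in ("M1", "M3", "P1")
    return ("M2", "P2", second_memory, io), physical_action


def run_case(failed, lamp, readout=None):
    """Inject one constructed failure, then isolate and reconfigure."""
    m1 = Memory("M1", stuck=(7, 3) if failed == "M1" else None)
    m3 = Memory("M3", stuck=(7, 3) if failed == "M3" else None)
    io1 = IOUnit("I/O1", healthy=failed != "I/O1")
    unit, by = isolate(lamp, readout, m1, m3, io1)
    return unit, by, reconfigure(unit)


if __name__ == "__main__":
    for failed, lamp in (("M1", "processor-memory"), ("M3", "computer fail"),
                         ("P1", "computer fail"), ("I/O1", "processor-I/O")):
        print(failed, "->", run_case(failed, lamp))
    print("C1j ->", run_case("C1j", "conditioner", readout="C1j"))
```
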
2. Critical Phases
The reconfiguration process for the multiprocessor system is similar in its
basic concept to that previously defined for the multiple computer system. However,
because of the flexibility of inter-module communications and the ability to isolate
failures to the lower level with confidence, the multiprocessor can withstand certain
multiple failures during critical phases. This will result in a higher probability of
mission success for this candidate.
Referring to Figure 4-19, the primary system, consisting of M1, M3, P1, I/O1,
C11, ..., C1N, and associated input/output devices is performing the mission
functions, both critical and non-critical. The secondary system, consisting of M2, P2,
I/O2, C21, ..., C2M and associated input/output devices, is in an active standby
redundant mode. Failures in the primary system are detected by the primary system,
and where the failure involves units performing critical functions, an automatic
switchover to the secondary system for control of the vehicle is initiated. This
constitutes reconfiguration and is accomplished in much less than the allowable 5 seconds.
Noncritical failures in the primary system result in a suspension of associated
computations, not in an automatic switchover to the secondary system. Failures in the
secondary system result only in a failure notification. No reconfiguration is necessary
to sustain the critical functions.
Now then, after the first critical failure the operating system can be informed
of the failed system's status as reported on the failed system's failure notification
lights. The operating system can then perform isolation checks on the failed system,
if required, as part of its background calculations and report the total system status.
(The memory storage requirements for the isolation programs should be readily
available considering the "relatively low" storage requirements for the critical
navigation and guidance function.) If the failed unit were a processor, the operating system
can bypass subsequent failures in I/O units, conditioners, and input devices by
reassigning tasks. If the failure was in a memory it is conceivable that the primary and
active redundant configuration can be reinstituted in anticipation of the next failure.
For an I/O unit failure, subsequent failures in a memory or processor may be
tolerable. Similar possibilities exist for a critical conditioner failure.
One additional consideration is worthy of mention in the critical phase
configuration of the multiprocessor; that is the possibility of a single failure bringing down the
entire system. The possibility of such an effect is considered negligible because of
the memory lockout feature incorporated in the design. Basically, prior to the
inception of the critical phase, P1 is locked out of M2, and P2 is locked out of M1 and
M3. The lockout feature is described in more detail in Paragraph 4.2.3.1.
As has been stated, reconfiguration during this phase is automatic, being
accomplished well within the allowable 5 seconds. Failed units are repaired by
replacement during non-critical phases in the manner previously described.
3. Mars Orbital Phase
During the Mars orbital phase the entire multiprocessor system is on, taking
fullest advantage of the configuration in the performance of the required computational
tasks.
During this phase there are no critical computations. However, to shorten
reconfiguration time in the event of a loss of the navigation and guidance function, a
minimum navigation function is performed in a standby redundant mode.
A basic conflict exists in the design of the reconfiguration system for this
phase. On the one hand it is undesirable to restrict the inherent flexibility of the
communications between processor and memory modules, while on the other hand if
such restrictions do not exist there is the possibility that failures in these units will
result in simultaneous processor failure notifications, implying that a known starting
point for subsequent failure isolation does not exist. Several examples of this effect
will now be presented.
First, suppose a memory fails, say M1. If at the time of the failure M1 is
acting as a source of instructions for one processor, say P1, then P1 is likely to
fail its program control test. While P1's BITE timer is marking time to recognize
the error, P1 could conceivably write into a good memory, either M3 or M2, and
contaminate it. Or, P1 could lock P2 out of M3 or M2. Then P2 may subsequently
indicate a failure while attempting to operate with M3 or M2. In the computer's time
frame these two failures might be far apart, i.e., many computations may occur
between the first and second failure indication. However, in the time frame of the
astronaut, the failures may appear to occur simultaneously. The result is that the
reconfiguration procedure does not have a known good starting point and requires a
certain amount of trial and error.
As another example, if at the time of M1's failure it is acting as an instruction
source, not only for P1, but also for P2, both processors will fail their program
control tests and simultaneous failure notifications will result.
Similar to these previous examples, if P1 were to fail with a control type error
it would be detected by its program control test. While the program control timer is
marking time prior to signalling the error, it is difficult to predict P1's actions. It
is possible that it can contaminate the system.
Thus, as opposed to the non-critical and critical phases, the reconfiguration
procedure for the Mars orbital phase can involve trial and error, since a known good
starting point for reconfiguration may not exist.
Next, what reconfiguration may entail will be examined if the known good
starting point is not available. Remember, this situation arises only for certain
cases of memory or processor failure.
First, the entire system is shut down; all computations are suspended. Next,
using one processor-memory pair, say P1-M1, a checkout program is loaded into M1
from bulk storage. This program would be similar to that used for checkout in
non-critical phases. Then, P1-M1 proceeds to check itself. If P1 or M1 contains a
failure, the computer fail lamp will be lit. In this case, the error is in P1 or M1 and
the procedure is restarted, this time however, loading the checkout program into the
P2-M2 pair. The P2-M2 system will pass its self-check (assuming single errors).
If P1 or M1 does not contain a failure, it can be used as a checkout device for M3,
M2, and P2, similar to operation in non-critical phases. That is, the rest of the
system, except P2, is turned on, and checked starting with M3 then M2. If both M3
and M2 are correct, the error is assumed to be in P2.
Once the error is isolated to the processor or memory, the operational program
is reloaded, and computations resume at a reduced level, depending on whether the
failure was in a processor or memory. The navigation and guidance function must
start over, from an initialization routine, since the previous values have been lost.
It is estimated that it will take at most 1/2 hour to compute accurate data.
Concurrently, the failed module is replaced with a spare, if the spare is available, and the
full mission functions are eventually resumed. If the spare is not available, the
mission functions are reassigned, some being suspended or reduced.
Reconfiguration time for this type of failure is mainly a function of the time to
resume the navigation and guidance function and the time to remove and replace the
failed unit. These actions are not sequential, but rather overlap one another.
Astronaut participation does not appear to be excessive. He is required to control
power to the units, to call for the loading of processor-memory pairs, to interpret
the failure notification lamps, and finally to remove and replace the failed module. It
is assumed that reconfiguration time here is of the order of magnitude of 30 minutes.
Next, the types of communication restrictions that might be applied to reduce
the necessity of the above procedure will be discussed. Essentially the restrictions
tend to assure having a known good memory-processor pair at the start. Further,
referring to Figure 4-19, they would be applied such that if P1 reports a failure, M2
and P2 are known to be good, and if P2 reports a failure, M1 and P1 are known to be
good. The good memory-processor pair is then used to isolate the failed module.
The first feature is intended to make it difficult for a processor to write into a
memory, thereby tending to reduce the possibility of system contamination by a failed
processor or failed memory that affects a processor. This is done by requiring the
processor to execute a specific sequence of commands to enable its writing into any
one of the memories. These special commands, which in the simplest case would
consist of one Enable Write command containing a particular memory number, would
be associated with hardware in the write control circuitry of the processor. Thus
when a STORE command into a memory is executed, a write control would be issued
only if writing into that memory were enabled. In line with the basic approach to the
problem, this feature does not impose much of a constraint on the P1-M1 pair or on
the P2-M2 pair since the enable write sequence need only be executed once at the
start. For P1-M2, P1-M3, P2-M1, P2-M3, each time the writing was enabled, and
after writing occurred, it would be followed by a Disable Write command, such that
future writing again requires execution of the write enable sequence. Note that this
technique is extremely flexible since it is under stored program control.
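
The effect of the write-enable gate on a failed processor can be seen in a small simulation. This is an added example, not code from the report: it models the simplest case (one Enable Write command per memory number), and the memory size, the garbage value, the seeded random command stream and all names are assumptions.

```python
"""Added example: Enable Write / Disable Write gating of STORE commands."""
import random

MEMORIES = ("M1", "M2", "M3")
SIZE = 64          # words per memory (constructed)
GARBAGE = 0xDEAD   # value a failed processor writes (constructed)


def fresh_memories():
    """Three zero-filled memories."""
    return {name: [0] * SIZE for name in MEMORIES}


class Processor:
    """Processor whose write control circuitry holds per-memory enable state."""

    def __init__(self, name, home, gated=True):
        self.name, self.home, self.gated = name, home, gated
        # The home pair (P1-M1 or P2-M2) executes its enable sequence once at start.
        self.enabled = {home}

    def enable_write(self, mem):
        self.enabled.add(mem)

    def disable_write(self, mem):
        if mem != self.home:
            self.enabled.discard(mem)

    def store(self, memories, mem, addr, value):
        """STORE: a write control is issued only if writing into mem is enabled."""
        if self.gated and mem not in self.enabled:
            return False
        memories[mem][addr] = value
        return True

    def guarded_store(self, memories, mem, addr, value):
        """Cross-memory discipline: Enable Write, STORE, then Disable Write."""
        self.enable_write(mem)
        try:
            return self.store(memories, mem, addr, value)
        finally:
            self.disable_write(mem)


def berserk_run(proc, memories, steps=300, seed=1, enable_odds=0.0):
    """Drive proc with an arbitrary command stream, as a failed processor might.

    Each step is a STORE of GARBAGE to a random memory, or, with probability
    enable_odds, an accidental Enable Write. Returns contaminated words per memory.
    """
    rng = random.Random(seed)
    for _ in range(steps):
        mem = rng.choice(MEMORIES)
        if rng.random() < enable_odds:
            proc.enable_write(mem)
        else:
            proc.store(memories, mem, rng.randrange(SIZE), GARBAGE)
    return {m: sum(word == GARBAGE for word in memories[m]) for m in MEMORIES}


if __name__ == "__main__":
    print("gated  :", berserk_run(Processor("P1", "M1"), fresh_memories()))
    print("ungated:", berserk_run(Processor("P1", "M1", gated=False), fresh_memories()))
    print("gated, 2% accidental enables:",
          berserk_run(Processor("P1", "M1"), fresh_memories(), enable_odds=0.02))
```

With the gate in place the failed P1 damages only its own M1; an accidental Enable Write reopens the path, which is why cross-memory enables are kept short and rare.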
The next feature is a programming constraint, and involves no additional
hardware. It requires that both processors should not be simultaneously executing
instructions from the same memory. This feature guards against the possibility of a failure
in one memory causing program control failures in both processors. From the
programming point of view this can be accomplished in several ways. By one method,
all instructions executed by a particular processor would be relocated to a particular
memory prior to execution. By a second method, prior to using a particular memory
as an instruction source the processor would first seek permission of the other
processor. This can be done by having each processor store a particular pattern in a
known memory location when it is using the memory as an instruction source, and
erasing that pattern when it is finished with the memory. Alternately the processor
using the memory can lock out the other processor. A combination of these methods
is the likely solution, with emphasis on those requiring the least computing power to
perform the function.
A third and final feature represents another programming constraint. Given
that P1-M1 or P2-M2 will be the eventual base upon which reconfiguration and error
isolation procedures are built, one would tend to restrict the number of write requests
from P1 to M2 and from P2 to M1. Basically the reason for this is that failures occur
randomly and therefore would occur as P1 is writing into M2 or as P2 is writing into
M1. Further, when a processor appears to be berserk, either due to its own error or
a memory error, there is less of a chance of accidentally executing a write enable
sequence and/or subsequent instructions causing writing.
The extent to which these three features are used should be determined by
further study. It appears that the first and third features are most likely, and the
second feature less likely or toned down.
Up to here only memory-processor failures have been considered. Failures in
the input-output area in the Mars orbital phase will now be discussed.
Failures involving an ambiguity of either a processor or I/O unit can be resolved
by the full cycle fault isolation routine if the processor is normally communicating
with I/O devices through both I/O units. Then, as is the case for conditioner failures,
the group of apparent failed input and/or output signals can be associated with either
a particular I/O unit, or, if all appear to be bad, with the processor. Actually,
where both processors have equal facility in communicating through both I/O devices,
I/O unit failures will result in similar failure reports by both processors and no
further isolation activity is needed. Similarly a failure report from only one
processor would implicate the processor.
If each processor is not normally communicating with one of the I/O units, it
can attempt to perform selected input and output operations through that channel to
resolve the ambiguity. The result can be substantiated by requesting the other
processor to perform a similar operation, although this may not be necessary.
In the event of this type of a failure, be it the processor or I/O unit, tasks
would be reassigned. The navigation and guidance function is preserved, either at
full strength or in a minimal manner depending on the failed unit. The full
computational capability is restored only after the failed unit has been replaced.
Finally, conditioner or input device failures are isolated by the full cycle fault
isolation routine. Communications involving the failed unit are suspended until a
replacement is inserted into the system.
4.2.3.2.4 Backup Equipment Assurance
In order to assure the ability of backup equipment to take over its role in the
system as required, it will be periodically tested.
Referring to Figure 4-19, the backup system during non-critical phases consists
of M2, P2, I/O2, C21, ..., C2M. Normally its configuration consists of at least that
equipment to perform the navigation and guidance function during critical phases in
the event of primary system failure, or to assume a full computational load during
the Mars orbital phase.
The tests on the backup equipment are initially disjoint from the primary
equipment. That is, prior to the start of testing the primary processor P1 locks the
backup out of M1, M3, and I/O1. The backup tests itself by performing navigation
and guidance computations, memory check sums, and arithmetic functional tests.
These tests would be similar to that performed by the backup computer in the multiple
computer system. At the conclusion of this self-check, the backup reports successful
completion via its readout. The astronaut then tells the primary system to initiate
interface checks. P2 is allowed to test its ability to communicate with M1, M3, and
I/O1, and P1 tests its ability to communicate with M2 and I/O2. These tests are
expected to be short and simple since only the interface circuitry is being checked.
Typically, for example, the processor to memory test might assure the ability to
transfer ones and zeros on the data lines for both read and write requests, and the
ability to address several selected memory locations. The results of the interface
tests are reported via the respective processor readouts. If no error is detected,
the secondary system is returned to the idle state. If an error is detected it would be
assumed that the backup unit involved is incorrect so as not to suspend primary
system functions. The suspected backup unit is replaced and the test is repeated. If it
fails again, the primary system's unit is replaced. This concludes the procedure for
backup equipment assurance during non-critical phases.
During critical phases, the backup system is on-line performing at least the
navigation and guidance function in active standby redundancy. The lockout feature
is used to separate processor, memory, and I/O units associated with primary and
secondary systems. This serves to assure that single failures will not bring the
entire system down (as can occur during the Mars orbital phase). The backup system
tests itself while performing its operational function. Where errors are detected,
the primary system can be used to isolate the failed unit on request from the astronaut.
As in the discussion presented for primary system reconfiguration, this testing would
allow the ability to continue operation in the event of additional failures during the
critical phase.
During the Mars orbital phase, the term backup equipment does not really apply,
although there is a minimum navigation and guidance backup function. Thus in this
phase checks are done as part of the operational program.
4.2.3.3 Software Considerations
4.2.3.3.1 General
The functional design of the support programs for this configuration is
essentially the same as that for the multi-computer described in Paragraph 4.2.2.3.
Therefore, this section will not describe the full design but will cover the differences
between the two.
The primary factor that creates differences in the software design is the
functional configuration during the Mars Orbital Phase when all modules are
interconnected. This differs from the previous design where the two computers were both
functioning but were independent from each other.
The costs for the support programs (detailed in Paragraph 4.2.3.3.8) are less
than 3000 words and 10000 cps/sec. Overhead in the computational programs will
be between 2 - 6% in time and storage.
Section VI contains a detailed design of the overall executive and reference
should be made there for further information on the concepts introduced in this
chapter.
4.2.3.3.2 Concepts of Program Design
The same conventions apply for this design, and scientific experiments are
executed as before (see 4.2.2.3.2).
4.2.3.3.3 Program Sequencer
The same scheme of processing periodic programs on a time-interval interrupt
schedule and filling in with priority-ordered request and background computations is
used (see Section 4.2.2.3.3). However, during the Mars Orbital Phase a few
modifications are necessary:
1. The periodic programs are grouped into two packages, p1 and p2, with
separate schedules. Two processor-module groups, P1 - M1 and P2 - M2,
are assigned to process these packages. When P1 is operating on p1 in M1,
a logic block is set to prevent P2 from executing in M1 in order to insure
proper timing through p1; the same is true for P2 - M2.
2. The request queue is in M3 and is accessed by both processors when they
are free to do so. Therefore, some additional logic is required to avoid
interference.
When a processor begins scanning the request queue, it sets a bypass to
prevent the other from scanning at the same time. This should involve a
delay of only a few machine instructions, and the bypass is reset when it is safe
to do so.
A flag is set in the request queue entry for the NOW request program when
a processor begins executing it. Thus, when the other processor examines
this entry it will know not to duplicate and will pick up the next entry for
execution.
3. The background programs are also divided into two groups, one for each
processor-module group, so that when no requests are being filled dual
non-interfering processing can be done.
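The bypass and the per-entry flag from item 2, as an added example that is not part of the report. Python threads stand in for P1 and P2, the request names are constructed, and the barrier exists only to force the interleaving in which both processors scan before either sets the flag.

```python
import threading
from collections import Counter

# Constructed request-program names; the report does not name them.
REQUESTS = ["nav_update", "telemetry_dump", "exp_readout", "self_test"]


def run_processors(guarded, processors=("P1", "P2")):
    """Drain the shared request queue with two processors and return how
    many times each request program was started."""
    queue = [{"name": n, "in_progress": False} for n in REQUESTS]
    bypass = threading.Lock()                   # blocks the other processor's scan
    meet = threading.Barrier(len(processors))   # forces the bad interleaving
    started, started_lock = [], threading.Lock()

    def scan():
        # First entry nobody has flagged yet, or None once the queue is drained.
        return next((e for e in queue if not e["in_progress"]), None)

    def processor(name):
        while True:
            if guarded:
                with bypass:                    # held for scan + flag set only
                    entry = scan()
                    if entry is not None:
                        entry["in_progress"] = True
            else:
                entry = scan()
                meet.wait()                     # both have scanned, neither has flagged
                if entry is not None:
                    entry["in_progress"] = True
            if entry is None:
                return
            with started_lock:                  # "execution" is just recorded here
                started.append((name, entry["name"]))

    threads = [threading.Thread(target=processor, args=(p,)) for p in processors]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(req for _, req in started)


if __name__ == "__main__":
    print("with bypass:   ", dict(run_processors(guarded=True)))
    print("without bypass:", dict(run_processors(guarded=False)))
```

Without the bypass the scan and the flag write are separate steps, so both processors start every request; with it each request starts exactly once, whichever processor claims it.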
4.2.3.3.4 Reconfiguration Program
During the critical and non-critical phases, reconfiguration to handle mission
phasing, failure recovery, and unanticipated requests is accomplished the same as
before with one additional task involved. The backup computations are loaded for
P2 - M2, and P1 - M1 - M3 - I/O1 is mutually blocked off from P2 - M2 - I/O2;
this involves the setting of logic flags.
In phasing to Mars Orbital from phase 11, the P2 - M2 - I/O2 logic blocking
must be removed while the periodic computations are picked up. The means for doing
this is presented in the executive flow diagram in section 6.3.
A special backup load profile is available for the Mars Orbital Phase which has
only one periodic package and fewer computational programs (reduced scientific
experiments and communications). This is used if one processor and/or two
memories fail, since in these cases only one processor-module group can be
utilized.
If M3 during this phase contains only request programs, the failure of one
memory module will allow reconfiguration to the original load profile. The only loss
will be in the additional time involved in handling the former M3 programs as
unanticipated programs.
4.2.3.3.5 Request Processor
(See 4.2.2.3.5)
4.2.3.3.6 I/O Supervisor
(See 4.2.2.3.6)
4.2.3.3.7 Self-Test Program
Although there is a considerable increase in this area, primarily in fault
isolation, the impact is on the makeup of the backup configurations and not the primary
system.
A new area is the failure notification process. The tests performed are the
same as before (see 4.2.2.3.7).
4.2.3.3.8 Cost of Support Software
There is some increase in cost over the multi-computer configuration's design
(see 4.2.2.3.8), the primary one being the overhead caused in the computational
programs due to using an ENABLE/DISABLE accessing scheme.
The support costs that increase are:
1. Request scheduling    20 words     170 ops/sec.
2. Linkage support       6 words      40 ops/sec.
3. Reconfiguration       120 words    *
These additions (146 words and 210 ops/sec.) make a grand total of 2981 words and
9150 ops/sec.
It should be mentioned here that, since the multiprocessor candidate was
selected for further investigation, a detailed design of the overall executive may be
found in Section VI.
4.3 DISTRIBUTED PROCESSOR
This section covers the preliminary design of the distributed processor
candidate. A description of an analysis of parallelism within computations shall be given
prior to the organizational description, fault detection, and software considerations.
4.3.1 Parallelism
Two types of parallelism were considered: Natural Parallelism and Applied
Parallelism. These two types were defined as follows.
1. Natural Parallelism - The property of having the capability for carrying
out a number of groups of operations on distinct data bases or on the same
data base simultaneously and independently.
2. Applied Parallelism - A number of groups of exactly the same operations
on distinct data bases or on the same data base simultaneously.
Basically the nature of most of the distributed logic organization machines
conceived of to date may be broken down to one of these two classes or a
combination of the two. The Solomon type of distributed processor is primarily an "Applied
Parallel" machine while the Holland type may be considered a "Natural Parallel"
machine. References 20-25 cover a fairly broad spectrum in the type of distributed
machines designed thus far. The Holland type distributed processors (local control)
can handle natural parallelism very easily; however, although applied parallelism is
also handled just like natural parallelism, the price of local control seems high when
applied to a large number of "Applied Parallel" problems. The Solomon type
distributed processor (global control) is designed to easily handle "Applied Parallel"
problems, but it is not well suited to the handling of "Natural Parallel" problems.
In fact, to enable Solomon type computers to handle even two "Natural Parallel"
computations, the ability to interleave control signals would need to be instituted.
This distinction in parallelism led to investigating the computations to
determine the effectiveness of the two types of parallelism in a distributed machine with
application to the manned Mars mission. The computation task for the manned
Mars mission as defined by the requirements in paragraph 2.8 was investigated
and the two types of parallelism were considered for the individual tasks. A
description of how this was accomplished is given below. This section is concerned
with determining the effectiveness of parallelism. How it is actually implemented
will be presented in paragraph 4.3.2.
The simple example given in Figures 4-20 to 4-22 is the computation of
a/x + b/x + cy = z. Figure 4-20 illustrates the sequential steps of computation
on a single computer (S), while the numbers above each circle indicate the time
required to compute the term in the circle. It may be noticed that the a/x and b/x
terms fit the definition of applied parallelism; therefore, they are computed as in
Figure 4-21 using applied parallelism. The term A/S in the drawing is the ratio
of time required on the Applied machine to that required on the Single machine for
the total computation. As shown in this example, it takes 2/3 as long on the applied
machine for the computation to be performed; also, the degree of applied parallelism
required in this computation is defined as 2 and occurs only during the portion of
the computation where a/x and b/x are computed.
It may also be seen that the term cy need not necessarily be computed after
a/x and b/x in Figure 4-21; that is, the capability for computing cy in parallel with
a/x and b/x would lead one to the computation flow of Figure 4-22. This capability
exists if natural parallelism is available. However, to say that this is now a
combination of applied and natural parallelism is rather meaningless according to
the definitions, since Figure 4-22 could be implemented by natural parallelism alone.
That is, three groups of operations could exist simultaneously, two of which are the
same mathematically. However, this type of an approach can lead to serious
inefficiencies when one considers the mechanization of such natural parallelism on a
distributed machine, since a global or central control function may be utilized to
control processors performing the same operation simultaneously, while the natural
parallelism characterized by distinct operations simultaneously requires local
control to be given to distributed processors. (Further discussion on this implementation
will be given in section 4.3.2.)
Figure 4-20. Sequential Steps in Computation (surviving time labels: 0.333, 0.167)
Figure 4-21. Applied Parallelism in the Computation (A/S = 2/3)
Figure 4-22. Applied and Natural Parallelism in the Computation
It is for these reasons that the term "Total Parallelism" is introduced. This
term indicates the combination of applied parallelism with natural parallelism as
previously described in arriving at Figure 4-22. Basically, this term simply implies
using applied parallelism where possible in the computation task and then natural
parallelism where possible after that. The total parallelism then results in the ratio
T/S = 1/2 for Figure 4-22, and in addition to the applied parallelism used here the
degree of natural parallelism used is 2.
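The three ratios for z = a/x + b/x + cy, worked as an added example that is not part of the report. The operation times are constructed so that the single-computer total is 1 and the report's A/S = 2/3 and T/S = 1/2 come out; the greedy batch rule used to model global control is likewise an assumption.

```python
from fractions import Fraction as F

# Constructed operation times (assumption): divide 1/3, multiply 1/6, add 1/12.
DIV, MUL, ADD = F(1, 3), F(1, 6), F(1, 12)

# z = a/x + b/x + c*y as a dependency graph: name -> (kind, time, inputs)
GRAPH = {
    "a/x":  ("div", DIV, []),
    "b/x":  ("div", DIV, []),
    "c*y":  ("mul", MUL, []),
    "sum1": ("add", ADD, ["a/x", "b/x"]),
    "z":    ("add", ADD, ["sum1", "c*y"]),
}


def single_time(graph):
    """S: one computer executes every operation in turn."""
    return sum(time for _, time, _ in graph.values())


def applied_time(graph, degree=None):
    """A: global control. Each step broadcasts one kind of operation and up to
    `degree` ready operations of that kind run together (None = no limit)."""
    done, elapsed = set(), F(0)
    while len(done) < len(graph):
        ready = [n for n, (_, _, deps) in graph.items()
                 if n not in done and all(d in done for d in deps)]
        by_kind = {}
        for name in ready:
            by_kind.setdefault(graph[name][0], []).append(name)
        # Greedy choice: broadcast the kind that has the most ready operations.
        kind = max(by_kind, key=lambda k: (len(by_kind[k]), k))
        batch = by_kind[kind][:degree]
        elapsed += max(graph[n][1] for n in batch)
        done.update(batch)
    return elapsed


def total_time(graph):
    """T: local control with enough cells, so only the longest dependency
    chain (the critical path) remains."""
    finish = {}

    def finish_time(name):
        if name not in finish:
            _, time, deps = graph[name]
            finish[name] = time + max((finish_time(d) for d in deps), default=F(0))
        return finish[name]

    return max(finish_time(n) for n in graph)


def ratios(graph, degree=None):
    s = single_time(graph)
    return applied_time(graph, degree) / s, total_time(graph) / s


if __name__ == "__main__":
    a_over_s, t_over_s = ratios(GRAPH)
    print("S =", single_time(GRAPH), " A/S =", a_over_s, " T/S =", t_over_s)
    for d in (1, 2, 3):
        print("applied degree", d, "->", applied_time(GRAPH, d))
```

Limiting the applied degree to 1 gives back the single-computer time, and a degree above 2 buys nothing for this computation, which is the step behaviour the report's degree-versus-gain discussion describes.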
The computational tasks for phase 12, Mars Orbital, were analyzed to determine
the ratios A/S and T/S; Table 4-4 lists the results from the analysis. It should be
noted that the functions listed in Table 4-4 correspond exactly to those identified in
paragraph 2.8, e.g. the scientific experiment functions correspond directly to those
listed in Table 2-3. The quantity %S indicates the time required on the single
computer, A/S is the reduction due to Applied Parallelism, and the %A/S, which is the
time required on an Applied parallel computer, is given for all the sub functions such
as "Orbit Determination." Also, the overall A/S for each sub function is given
beside each "Total". Likewise the results with Total parallelism are given in the
last two columns. The totals for all the functions are given at the end of the table and
are repeated here:
A/S = 0.135
T/S = 0.025
This shows that Applied parallelism gives approximately a 7 to 1 reduction in
computation time, and also providing natural parallelism in addition results in a 40
to 1 reduction in computation time.
It is interesting to note here the differences in the ratios between the functions.
For example, 1.1.3 gives an A/S of 0.001 and 1.3.4 of 0.00134; both these functions
involve the manipulation of large matrices, thereby making use of applied parallelism.
Many other functions have numbers much higher, such as 0.5, since they do not lend
themselves to parallelism.
Therefore, considering these different ratios along with their relative
requirement (percent of time) as was done in Table 4-4 gives a good indication of the
effectiveness of parallelism when considering an overall problem for this space mission.
It should also be pointed out here that this subject of parallelism within
computations has been studied to some extent in Reference 23. The investigations listed
in that report were of parallelism within individual types of functions such as an N x N
Matrix Inversion, etc.
Table 4-4. Reductions in Computation Time Due to Parallelism 
Function 
1. Nav. & Guid. 
1.1 Att.  Ref. 
1.1.1 
1.1.2 
1.1.3 
1.1.4 
1.1.5 
1.1.6 
1.1.7 
Total 
1.2 Ldmk. Tkr. 
1.2.1 
1.2.2 
1.2.3 
1.2.4
1.2.5
1.2.6
1.2.7 
1.2.8 
Total 
1.3 Orbit  Determ. 
1.3.1 
1.3.2 
1.3.3 
1.3.4 
1.3.5 
Total 
1.4 Orbit Integration 
1.4.1 
1.4.2 
1.4.3 
1.4.4 
1.4.5 
1.4.6 
1.4.7 
Total 
1.0 Nav. & Guid. Total 
%S  A/S  %A/S  T/S  %T/S
1.31 
1.56 
0.28 
1.48 
1.51 
2.8 
2.6 
11.54 
2.9 
0.003 
1.1 
0.03
0.003 
0.005 
6.1 
10.141 
"_ 
0.016 
0,024 
0.0067 
4.65 
0.016 
4.713 
0.002 
0.05 
0.028 
0.002 
0.009 
0.002 
0.26 
0.353 
0.531 
0.5 
0.001 
0.323 
0.046 
0.31 
0.384 
0.336 
0.325 
0.5 
0.04 
0.25 
0.5 
0.5 
0.41 
0.345 
"_ 
0.3 
0.3 
0.45 
0.00134 
0.5 
0.0063 
0.66 
0.80 
0.41 
0.056 
0.585 
0.35 
0.5 
0.535 
3.895 
3.497 
0.0298 
- 
0.189 
0.531 
0.5 
0.001 
0.156 
0.046 
0.31 4 
0.384  
0.167 
1.937 
0.216 
0.5 
0.035 
0.2
0.5 
0.5 
0.41 - 
0.246
"_ 
2.500 
0.25
0.25 -
0.42 
0.00134- 
0.5  
0.0044 
0.0208 
0.630 
0.690 
0.223
0.056 
0.284 
0.350 
0.400 
0.119 
0.338 
26.75  0.285 7.61  0.093 2.500
-> (indicates functions combined to give total parallelism)
Table 4-4. Reductions in Computation Time Due to Parallelism (Cont)
Function                             %S        A/S        %A/S      T/S        %T/S
2.0 Tele-Comm. Total                 4.1       0.25       1.02      0.15       0.617
3.0 Sci. Exp.
3.1 Data Comp.
    3.1.1                            0.0235    0.167                0.167
    3.1.2                            0.329     0.017                0.017
    3.1.3                            0.395     0.0106               0.0106
    3.1.4                            0.855     0.0175               0.0175
    3.1.5                            1.0       0.0175               0.0175
    3.1.6                            2.4       0.0175               0.0175
    3.1.7                            51.5      0.05                 0.033
    3.1.8                            2.4       0.00323              0.00323
    3.1.9                            1.88      0.01                 0.0094
    3.1.10                           0.27      0.06                 0.03
    Total                            61.06     0.0437     2.668     0.0275     1.695
3.2 Sequencing & Scheduling Total    0.141     0.50       0.0705    0.25       0.0353
3.3 Pointing & Control Total         6.0       0.30       1.8       0.25       1.5
3.0 Sci. Exp. Total                  67.201    0.067      4.538     0.0252     1.695
4.0 Sys. Checkout Total              2.3       0.15       0.345     0.12       0.275
GRAND TOTAL                          100       0.135      13.513    0.025      2.500
-> (indicates functions combined to give total parallelism)
Thus far nothing has been mentioned with regard to the degree of each kind
of parallelism required to achieve these reductions. In fact, these reduction ratios
assumed all the parallelism that could be made use of in the problem was available.
The computations were gone over to assess the problem of a finite degree of
parallelism and the results are shown in Figures 4-23 and 4-24. It is seen that the
maximum gain due to applied parallelism (1/0.135) is approached rather quickly and
in fact, for this particular set of computational tasks no further gain was possible
after a degree of 1331. This curve shows that a reasonable degree of applied
parallelism that may be utilized is somewhere between 12 and 25. Beyond 25, the gains
do not increase very much. It should be noted that this curve is a succession of
steps since there is a certain gain for a degree of 1 and no more gain until a degree
of 2 is utilized, etc. Another note is that this curve assumes no natural parallelism
is available; all gains are simply applied.
Figure 4-23. Applied Parallelism - Degree of Complexity Vs Gain
Figure 4-24. Natural Parallelism Curve (axis: Computation Reduction Ratio, 0 to 50)
The natural parallelism curve is shown in Figure 4-24. This curve was derived
assuming all the applied parallelism that could be utilized was available. This was
done to single out the effects of adding natural parallelism on top of applied
parallelism. The natural parallelism problem resembles that of a PERT routine. A
maximum of 45 naturally parallel groups were conceived of in analyzing the computational
tasks. However, all of these could not be effectively utilized. As an example,
consider task 1.3 Orbit determination; this has a degree of 3 in terms of natural
parallelism: 1.3.1, 1.3.3, and a group consisting of 1.3.2, 1.3.4, and 1.3.5 may
be computed in parallel due to natural parallelism, giving a degree of parallelism of
3. The worst case group is task 1.2.8; the time required for the three prior groups
forming task 1.3 "Orbit Determination" is less than the computation time required
for the group consisting of 1.2.8. Therefore, there is no gain in splitting the
computations in 1.3 into a degree of 3. Another example may be given within a small
function; consider 1.3.1. There is also a gain within this function due to natural
parallelism, and once again the gain is not sufficient to be used when considering the
group 1.2.8.
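The Table 4-4 bookkeeping for task 1.3, as an added example that is not part of the report. Row values are read in column order from the flattened table, and attributing the 6.1 and 0.41 entries to task 1.2.8 is an assumption drawn from the paragraph above.

```python
# Task 1.3 "Orbit Determ." rows as (%S, A/S, T/S). Values are taken in column
# order from the flattened Table 4-4; the row assignment is an assumption.
ORBIT_DETERM = {
    "1.3.1": (0.016, 0.3, 0.25),
    "1.3.2": (0.024, 0.3, 0.25),
    "1.3.3": (0.0067, 0.45, 0.42),
    "1.3.4": (4.65, 0.00134, 0.00134),
    "1.3.5": (0.016, 0.5, 0.5),
}

# Natural grouping stated in the text: three groups computed side by side.
NATURAL_GROUPS = [["1.3.1"], ["1.3.3"], ["1.3.2", "1.3.4", "1.3.5"]]

# %S and T/S entries whose product reproduces the table's 2.500. Assigning
# them to task 1.2.8 is an assumption based on the "worst case group" remark.
WORST_CASE_PCT = 6.1 * 0.41


def pct_single(rows):
    """%S total: share of single-computer time used by the whole task."""
    return sum(s for s, _, _ in rows.values())


def pct_applied(rows):
    """%A/S total: each function's %S scaled by its own A/S ratio."""
    return sum(s * a for s, a, _ in rows.values())


def pct_total(rows, groups):
    """%T/S total: groups run in parallel, members of a group run in
    sequence, so the slowest group sets the time."""
    return max(sum(rows[k][0] * rows[k][2] for k in group) for group in groups)


def mission_time(parallel_pcts):
    """Time for work items that all run side by side: the largest one."""
    return max(parallel_pcts)


def gain_from_splitting(rows, groups, bounding_pct):
    """Mission time saved by splitting the task into its natural groups when
    a longer group (bounding_pct) runs alongside it."""
    unsplit = sum(s * t for s, _, t in rows.values())
    split = pct_total(rows, groups)
    return mission_time([bounding_pct, unsplit]) - mission_time([bounding_pct, split])


if __name__ == "__main__":
    s = pct_single(ORBIT_DETERM)
    a = pct_applied(ORBIT_DETERM)
    t = pct_total(ORBIT_DETERM, NATURAL_GROUPS)
    print(f"%S={s:.4f}  %A/S={a:.4f}  A/S={a / s:.4f}  %T/S={t:.4f}  T/S={t / s:.4f}")
    print("gain from splitting 1.3:",
          gain_from_splitting(ORBIT_DETERM, NATURAL_GROUPS, WORST_CASE_PCT))
```

The computed totals land within rounding of the table's 4.713, 0.0298 and 0.0208, and the zero gain reproduces the conclusion that splitting 1.3 does not shorten the overall computation.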
Following a procedure such as this, one may arrive at the maximum degree of
natural parallelism that may be utilized; of course, more may be used as described
above, however, no gain results. This maximum degree was 6 for the total
computational task. The points between 1 and 6 are difficult to determine since there are
many possibilities of combining the given computations within a natural group to
achieve the maximum reduction ratio with that number of groups. This curve
approaches a straight line as the assignment of tasks is optimized.
From the results of this analysis, a natural degree of parallelism of 6 results
as the optimum case. However, there are many problems which it appears will exist
when combining tasks as described above into natural groups. Indeed, the
communications between natural groups may reach very high rates due to chopping a given
small function, such as for example 1.1.1, in half and splitting it between two natural
groups. Therefore, the optimum value of 6 may not be practically achievable. To
determine what may be achieved would take an extensive additional effort and is not
warranted at this time. It is estimated that a feasible number for the degree of
natural parallelism for the total computational task may be on the order of 12 to 20;
this does not include overhead functions such as executive program, self test, etc.
4.3.2 Distributed Processor Organization
4.3.2.1 General Considerations
This section describes a new distributed logic structure that is capable of
carrying out computations while taking advantage of both natural and applied
parallelism. In other words, the machine is capable of operating under local or global
control. This should enable the structure to obtain high hardware utilizations while
reducing instruction and data storage. The interesting property of this structure is
that it was not designed to solve a particular type of computational problem as
distributed logic structures have been in the past; but instead, it was designed as a
general purpose computer to take advantage of the new MOS or MOS/SOS technologies
and to provide very high reliability due to the use of many levels of graceful
degradation.
The mission requirements given earlier in the report generally apply to this
structure. In particular the same computational speeds must be met and the
existence of critical computations means that there must be an on-line backup. Equipment
should also still be kept off-line as much as possible to increase reliability.
However, the amount of separate main memory required and the downtime due to repairs
have no real applicability here. The latter point is not applicable since spares will
be kept as fixed modules within a single computation structure. The different
interpretations of the requirements will become clearer as the structure is explained.
The following description of the distributed processor gives a fairly complete
conceptual description of the machine. Further developments of the explicit features
of the machine will depend on a good amount of programming effort and software
development. This will certainly result in new hardware trade-offs. As a result of
the uniqueness of this design and of the lack of programming experience with
distributed logic structures in general, a number of features such as the length of the
instruction word or the number of operations will not be given as they were for the
multiple computer and multiprocessor. However, the description is conceptually
complete, including a hardware and reliability estimation, so that it may be compared
to the other two candidate organizations.
4.3.2.2 Global and Local Control Structures
Two basic types of distributed processing were investigated. One type used
global control, and was typified by the Solomon machine. The other type used local
control as, for example, the Holland machine. The Solomon machine uses many cells
or processing elements executing the same operation in parallel or not executing the
operations. A common control unit and common addressing of the cell memories is
used. This machine is described in depth in the literature. This type of a structure
takes good advantage of applied parallelism; however, it is not able to take advantage
of the natural parallelism in the computations. In fact it was designed explicitly to
be able to handle problems with a good amount of applied parallelism, such as
solutions of partial differential equations or very large matrices. As a result, when
this type of a structure is applied to general purpose problems it has low hardware
utilization due to the fact that a good portion of the time a cell is not executing an
instruction that is sent on the communication lines. This type of structure also
does not take advantage of the graceful degradation ability inherent in a distributed
structure since failures within the relatively complex control unit and memory could
bring the whole system down.
The Holland machine uses many cells executing different operations in parallel.
Any cell can operate as a controller, an accumulator or a storage unit. Paths to
operands are then built from the controller cell to storage cells and then back to a
cell designated as an accumulator in order to carry out the operations. This path
building necessity extremely complicates the programming of the Holland type
machine and also makes the reconfiguration problem after a failure very difficult.
There have been a number of attempts to solve the path building problem in order
to take advantage of the local control features of this type of a machine; however, an
adequate solution has not been found. This means that this type of a structure also
has low hardware utilization due to problems of paths crossing and of optimal
programming. The structure also has the additional programming problem of a
relatively small instruction set. The Holland machine, and a number of variations
to try to solve the path building problem, are described adequately in the literature.
Another disadvantage of the Holland type machine for general purpose computation is
the fact that even though it is able to execute either naturally parallel or applied
parallel computations, it is obviously inefficient if a large number of applied parallel
computations must be carried out. These computations must be operated upon as if
they were naturally parallel and as a result extra instruction and constant storage is
necessary along with more programming effort to lay out the solutions.
4.3.2.3 Autonetics Distributed Processor 
4.3.2.3.1 General Organization 
The chosen distributed logic structure uses a number of groups of cells, each
carrying out a task in order to handle the computational requirements. This
structure is shown in Figure 4-25. Each group of cells will actually carry out a complete
task (such as a navigation and guidance problem), a number of tasks, or even a part
of a task depending upon how many computations are necessary to do a given problem.
The primary consideration used in dividing programs amongst the groups is to limit
the inter-communication amongst groups as much as possible. In this way the
inter-group bus can be used primarily for communication to I/O variables and to one of
the groups operating as the Executive. Within a group one of the cells operates as
a controller and provides commands for the others. The individual cells can either
accept these commands or execute commands from their own memory. In this way,
both local and global control can be carried out simultaneously within a group. At
the same time all the groups can be operating in parallel. This type of operation
enables both the natural and applied parallelism inherent in the general purpose
spaceborne problem to be efficiently carried out. It should also be noted that there
is no main memory in the system. All instructions, contents and variables are
stored within cells. Since it is also necessary for this system to reconfigure within
five seconds during critical phases, a second inter-group bus is included in the
structure. This is not shown in Figure 4-25.
Paragraph 4.3.3 discusses proper use of this computer system during the
critical, non-critical, and Mars orbital phases. Very simply, during non-Mars,
non-critical phases, approximately 12 groups with three more groups coming on
and off periodically will be used to carry out the computations. There will also be
four groups handling executive functions along with a number of spares connected
to the inter-group bus but not operating. During critical phases, the system will be
divided up into two sections. The first section will contain 12 operating and four
executive function groups and will carry out all the computation of the system. The
second section will use the redundant inter-group bus along with two computational
groups and four executive function groups. Again, there will be a number of spares
off-line (but connected to the inter-group busses) that will be available to either
section. A lock-out feature of the same type as described for the Multiprocessor
will be used in each group switch connecting the inter-cell bus to the inter-group
bus. This will enable the system to operate in a manner similar to two separate
computers and as a result be able to guarantee reconfiguration within the five second
time constraint. During Mars orbital operation the system will use 20 groups doing
the computations, four executive function groups, and a number of spares off-line but
connected to the inter-group bus. From the above, we can see that reconfiguration
after any group failure is simply a matter of detecting which has failed and switching
over to a spare group. No replacement will be necessary since all spares are on-line.
This type of sparing philosophy obviously enhances the availability of the system. It
is possible here since adding extra groups only means an extra connection to the
inter-group bus and as a result will not increase the connections or size of the
distributed processing system. On the other hand, this type of a sparing philosophy
was not used in the Multiple Computer or Multiprocessor since a large increase in
connections would have been necessary, thus making the approach impractical.
Figure 4-25. Distributed Processor (labels: sensors; serial communication lines to all four neighbors, wrap around)
In order to take best advantage of the MOS technology and to get a flexible
general purpose structure, a cell was chosen to be one MOS/SOS chip. In the
1973-1975 time frame this chip has been estimated to contain about 5,500 FET's on a
0.15 inch square chip. This organization would actually need a slightly larger chip
(0.2 inch square) so that about 10,000 FET's would be available. This is certainly
reasonable if yields can be increased or if discretionary wiring can be used to
connect redundant registers. With a large chip one-half of the chip could contain 32
18 bit registers for memory and control and the other half could be used for logic.
This organization is then able to provide a good amount of processing power in a
single cell. It also limits the intercommunications amongst cells since each cell
only communicates to its four neighbors in a serial manner and in a byte parallel
manner to the inter-cell bus. A picture of a cell is shown in Figure 4-26. This
figure will be explained in depth later in this section. The limited
intercommunication and the small size of the cells means that a complete distributive logic
computer system of 625 cells could be included on a 8" x 8" two layer board. This
structure, providing on the order of 16,000 to 20,000 words of control, instruction,
and data storage, should be sufficient for the Mars Lander Mission.
The number of cells in a group was chosen to best suit the applied and natural
parallelism inherent in the Mars Lander Mission computations. The development of
the curves to determine the number of cells in a group is given in section 4.3.1. An
analysis of these results along with an estimation of the executive and I/O functions
suggested that a structure containing approximately 25 groups of 25 cells per group
would be a good solution. The function of these groups as executive or I/O processors
is given in paragraph 4.3.4. The operation within a cell will be carried out in both
byte parallel and serial manners at speeds up to two megacycle clock rates. The
intercommunications on both the intercell and intergroup bus can be carried out at
least at one megacycle per byte rate. However, for the Mars Lander Mission, it
appears that these cells could operate at a much slower rate than two megacycles and
that the intercell and intergroup buses could also operate at less than one megacycle
per byte communication rate. The exact speed to be used should be determined in
future study of this candidate. As mentioned earlier, the tasks will be divided up
among the groups so that intercommunication from group to group will be limited as
much as possible. This will enable the intergroup bus to be used for executive
monitoring and I/O communication. This division of tasks among groups will also
enable the power to be turned off to certain groups during a number of phases. This,
of course, increases reliability and lowers power dissipation. It should be noted that
the storage in this structure is volatile; however, this should not be much of a
disadvantage since the primary power supply will be backed up and will be of high reliability.
Even if a power failure should occur, bringing the system back up only involves
reloading information from the bulk storage unit. A volatility discussion was
given for the semiconductor memory in Section VI. This discussion also demonstrated
that volatility did not present any severe problems.
Figure 4-26. Distributed Processor Cell (labels: macro from inter-group bus; control cell; microprogram storage; storage registers; designator bit; neighbor communication logic; to neighbors NT, NL, NR, NB)
4.3.2.3.2 Explicit Features
Each cell operates as the controller of the group, an operating cell, or a storage
cell. The controller cell provides the global control for a group by placing macro
instructions on the inter-cell bus. These macro instructions have yet to be defined.
However, they will be instructions such as matrix inversion, sum check, sine, etc.
The operation cells receive these macros from the controller or from their own storage
registers, decode them, and then use them to read out a sequence of operations
from the micro-program storage contained in a cell. See Figure 4-26. The sequence
of instructions from the micro-program storage causes storage registers and control
registers to be added, exchanged, or transferred to neighbors. Again referring to Figure
4-26, this means that the control registers allow a macro from the inter-cell bus to
load the operation register or they allow a macro from a cell storage register to load
the operation register. This operation is then carried out and the next operation
obtained in the same manner. For some computations, a cell may need more storage
than is available within itself. It can then use one of its neighbors as a storage cell.
The neighbor communication logic is then used to obtain information necessary to the
computation being carried out in a given cell. All the storage within a cell is
addressable and can be used in arithmetic or logical operation. The controller cell, denoted
by the designator bit, controls the use of the inter-cell bus by the operating cells and
also controls the group switch shown in Figure 4-25. The group switch contains a
small amount of decoding logic and a flip-flop register. If the inter-group bus
contains a command, this command is let through onto the inter-cell bus immediately
after the present transmission on the bus. If the command is for this group, it will be
recognized and accepted by the controller cell. This group will then remain connected
to the inter-group bus until the transmission is completed. If the command is not for
this group, the group will be immediately disconnected from the bus. The command
from the executive group contains a task name that can be recognized by the
controlling cell. Each group switch (there is a switch for each of the two inter-group buses
that connect to an intercell bus) contains a lock-out register. This register can be
set by the executive group and operates in exactly the same manner as the lock-out
register in the memory and I/O units of the multiprocessor. In other words, during
critical phases the register is set so that any given group will only accept commands
and communicate over one of the two inter-group buses. This, of course, enables
isolation of failures so that reconfiguration can be carried out within the five second
time constraint. The above description should demonstrate that the ability of this
system, or of a group in particular, to operate with both global and local control
means that good hardware utilization can be obtained while using a minimum amount of
storage (it takes advantage of both applied and natural parallelism).
The executive uses a number of groups to control the two inter-group buses, to
handle I/O, to handle communication with the bulk storage unit, to hold global data so
that any group may use it, to handle data communication from group to group, to send
out macros to load the system, and to allocate I/O time on the inter-group bus. The
operation of the executive is described in more detail in the following two sections.
Information over the inter-group bus is byte parallel. The number of bits in a byte
should be determined in future study of this candidate. However, a rough
approximation says that 9 bit bytes at one megacycle per byte rate would certainly be adequate.
However, for any particular system, making the bus less parallel means that less
drive must be provided by the cell. This, of course, results in lower power and higher
reliability due to fewer connections and drivers. It should also be mentioned that the
groups can use the inter-group bus only when sampled and allocated time by the
executive. Information on this bus is tagged with control bits, names of tasks, data addresses
and data itself. An example of possible word formats is given in Paragraph 4.3.4.
It should be noted that the groups are of fixed size. At first this may seem to
provide a restriction on the ability to allocate tasks among the various groups.
However, further investigation shows that fixed size groups actually alleviate many of
the programmer's problems in optimizing tasks to groups. In particular, after a
number of reconfigurations due to failures, tasks that were optimized for one group size
might not be able to fit into either smaller or larger groups in an optimum manner.
For example, a number of small tasks placed in a large group would provide many
communication problems. It is also clear that the executive would have many
problems in trying to shuffle cells from group to group and in matching tasks to varying
size groups after a number of failures. As a result the need for reconfiguration
flexibility and the need to provide the programmer with reasonably small groups of cells
in which to optimize the program points toward a system structure as has been shown.
These points are discussed to some extent again in Paragraph 4.3.4.
4.3.3 Failure Considerations and Reconfiguration
The introductory remarks and basic guidelines given in Sections 4.2.2.2
for the multiple computer candidate apply equally well to this candidate, so they need
not be repeated. Therefore the discussion will begin with error detection and isolation
tests.
4.3.3.1 Error Detection and Isolation Tests
The tentative conclusion for detecting errors in the distributed processor system
is to use a group testing scheme. By this method all cells of a group are checked at the
same time, rather than checking the individual cells within a group at different times.
Further, at checkout time, the entire group is devoted to the checkout and does not
participate in the operational problem. Because the distributed processor is a
relatively new computer approach, a brief discussion of some other checkout approaches
which were considered will be presented, followed by a description of group testing.
One set of testing schemes emphasized the use of tests that did not depend on the
existence of self-test programs. Instead testing would be carried out using operational
data.
By the first of these methods, error detection hardware would be built into each
cell. No special testing mode would be required. Checks would be performed
continually along with the operational problem. Parity bits would be generated and checked
as the primary means of detecting data transfer errors within the cell and between
cells. Outputs would be fed back and checked. Inputs would involve redundant
receivers. Control circuitry would probably be redundant and checked for disagreement.
Arithmetic logic could either be redundant or use check bits. The immediate
disadvantage of this scheme lies in the large amount of redundant hardware required
(probably more than double).
A second approach uses active redundant cells in a multiplexed manner.
Referring to Figure 4-27, a cell group containing 20 operational cells and 5 test cells is
depicted. The operational data flow paths between cells are not shown, only those
for testing are shown. Cell T1 is responsible for testing cells C1, C4, C5, and C17;
T2 for testing cells C2, C6, C7, and C11; etc. Periodically, during normal operation,
four test time slots are reserved so that each test cell may check its adjacent cells.
All test cells act in parallel, testing one operational cell at each test time slot. The
test action at any test time slot consists of checking the results of the previous test,
and if OK, setting up the test of the next cell by loading its contents into the test cell.
Upon resumption of the operational program, the test cell performs the same
operational calculations as the cell under test. As an example, assume that T1 is now
checking C5 and is to test C1 next. Operationally T1 is performing the same problem
as C5. At testing time the results generated by T1 are compared with those generated
by C5. If disagreement exists the error is reported to the executive processor to
suspend group operation. If no disagreement occurs, T1 is loaded with the contents
of C1 and will redundantly perform C1's calculations during the next operational cycle.
Some of the pitfalls of this approach are as follows: First, there is a loss of
flexibility of operational communication paths between cells since one of the four paths is
used only for testing. Second, the ability to provide the test cell the same inputs as
the cell under test during the active redundant test phase may pose a severe
programming constraint. Third, the three operational communication paths are not checked.
Fourth, errors in circuitry peculiar to the execution of a particular macro are
detected only if that macro is being executed while the cell is tested. Therefore there
could be an excessive delay (greater than 5 seconds) between the occurrence of an
error and its detection. Fifth, some redundant hardware is probably required for
disagreement detection. Finally, the symmetry and efficiency of test cell utilization
is geometry dependent. For example, in Figure 4-27 each test cell uses all four of its
inter-cell communication paths and 5 test cells test 20 operational cells. In a 4 x 4
test cell matrix the symmetric approach is to have 4 test cells checking 12 operational
cells, with each test cell checking 3 operational cells.
A third approach reduces the redundant hardware by employing time-redundancy.
By this method a sequence of program steps is performed by the group, the tasks of
the cells within the group are interchanged, the program steps are repeated, and the
results of the two executions are compared. The obvious disadvantage of this
approach is the reduction in operating speed by a factor greater than two.
A second set of testing schemes differ from the above three approaches in that
testing is performed by executing self-test programs. These approaches are more
in-line with the testing philosophy of the multiple computer and multiprocessor
candidates.
The first approach involves a "floating test-cell" concept. Here, one cell in
each group contains a test program. In operation, all other cells perform the
operational problem while this cell tests itself. After a prescribed number of program
steps, the testing task of the successfully tested cell is exchanged with the operating
task of another cell within the group, that other cell then testing itself during the next
program sequence. Thus the testing is multiplexed, with all cells eventually executing
the self-test, except possibly the group controlling cell. The biggest drawback of
this method is the storage limitations of the individual cell. That is, it is highly
unlikely that a comprehensive self-test program can be held in the storage registers
of an individual cell. Note that a cell is in fact a processor and requires the same
attention to its individual controls and registers as does the processors of say the
multiple computer or multiprocessor candidates. Unlike those candidates, however,
the cell doesn't have the memory capacity for test program storage. One might
consider adding hardware to reduce the software test storage requirements, in effect
providing a compromise between the error detection hardware testing approach previously
mentioned and this all software approach. Similarly, additional cells within the group
could be assigned solely to hold the checkout problem and conduct tests on each of the
operating cells in turn. Each of these latter approaches may be possible, but have
been disregarded in favor of the approach which conceptually appears to be able to do
the job in the simplest manner and at a reasonably low cost in redundant hardware
and time. This is the group testing approach which will now be described.
Figure 4-27. Active Redundant Test Cells Within a Cell Group
Figure 4-28 depicts the distributed processor configuration for group testing.
There are an estimated 22 groups required for the maximum operational
computations. These are G1, G2, . . . , G20, Exec, and I/O. In addition there are two
groups redundantly added for testing purposes; the Test Store and Temp Store groups.
The Test Store holds the self-test program that is used to check each of the other
groups and itself. The Temp Store group provides a temporary storage for the
contents of a group when the group is being tested and performs the function of the group
under test. As such, it is redundantly connected to the inputs and outputs of the
system.
Groups are tested sequentially, not simultaneously, under control of the
Executive Group. As an example of the operation, consider the testing of G1. First
the contents of G1 are transferred to the Temp Store group which is then assigned
the function of G1. Next, G1 is loaded with the test program from the Test Store
group and G1 tests commence. If no error is detected the contents of the Test Store
group are restored into G1 and G1 resumes its operational functions. Testing then
proceeds to the next group in a similar manner. If an error is detected during G1
tests, the executive is notified and error isolation procedures are begun. Note that
the I/O group is tested by the same procedure without disconnecting system inputs
and outputs since the Temp Store group contains redundant I/O connections. Also
the Executive group is similarly tested given that it can assign its executive function
to the Temp Store group during its self-test.
Conceptually this form of group testing can be done continually during
operation provided there is a test time slot available for transfer of data amongst the
Temp Store, Test Store, and tested group. During this transfer the groups not
being tested are idle. Assuming there are about 800 18-bit words to be transferred
from a group, that three such transfers are required, and that the inter-group bus
can accommodate whole word parallel data at a 1 mc rate, the 2400 words can be
transferred in about 2.40 ms. Extrapolating linearly, about 5 ms are required if
transfers are by 9 bit bytes, and 40 ms if transfers are serial. The size of the
available test time slot would be determined during a detailed design effort. It
would be based on the number of groups present in the most heavily loaded critical
phase and the need to test each group at least once each 5 seconds in order to
satisfy the critical reconfiguration time requirement.
Next, consider how the cells within a group would be tested. One or several
cells of the group would be assigned the local executive function to conduct the test
and report test results to the system executive. The remaining cells of the group
would execute a test problem in the following manner. Each cell would perform the
same macro at the same time, transmit the result of the macro to each of its four
neighbors, check the data received from each of its four neighbors against its
own computer result, and report to the local executive over the inter-cell bus.
Assuming that only one failure will occur at any one time, a cell's failure will
generally result in each of its four neighbors identifying it as a failed cell and
probably it will identify all of its neighbors as having failed. The local executive
will decode the failure reports and format a status message to the system executive
over the inter-group communication system. Inherently this procedure provides
the ability to isolate the error to the cell level and subsequently bypass the failed
cell during operation. Then a group can continue operation even in the presence of
one (or possibly more than one) bad cells providing the remaining computing power
of the group is sufficient for its assigned task. The extent to which this cell isolation
is achievable would be determined during a design effort. A more conservative
approach would be to bypass the entire group when any cell within the group failed.
Figure 4-28. Distributed Processor Cell Group Configuration During Group Testing
Getting back to the actual test, all operational macros would be executed and in
addition probably several macros specifically designed to aid the testing function.
Examples of such special macros may be CHECK SUM and DISAGREEMENT DETECT,
to quickly sum the contents of the cell's storage registers, and to test results received
from a neighboring cell and report to the local executive.
It is likely that the testing will involve a second phase with a new local executive
assignment in order to perform a complete check of the cell(s) used for the local
executive in the first phase.
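
The cell-level test described above (same macro in every cell, results exchanged with
neighbors, failure reports decoded by the local executive) is illustrated by the following
added Python example, which is not from the report. The rectangular non-wrapping cell
array, the check-sum stand-in macro, the XOR fault model, the decode rule and all
function names are assumptions made for illustration.

```python
"""Cell-level isolation by neighbor comparison (constructed example)."""
from collections import defaultdict

WORD_MASK = 0x3FFFF  # 18-bit words, the word size the text uses for a group


def neighbors(cell, rows, cols):
    """Top, left, right and bottom neighbors that exist on the grid.

    Assumption: a rectangular, non-wrapping array, so edge cells have
    fewer than four neighbors.
    """
    r, c = cell
    found = []
    for dr, dc in ((-1, 0), (0, -1), (0, 1), (1, 0)):
        nr, nc = r + dr, c + dc
        if 0 <= nr < rows and 0 <= nc < cols:
            found.append((nr, nc))
    return found


def check_sum_macro(registers):
    """Stand-in for a test macro: 18-bit sum of the storage registers."""
    return sum(registers) & WORD_MASK


def run_cell_test(rows, cols, registers, faults=None):
    """Run one test step; return {reporting cell: [neighbors it disagrees with]}.

    faults maps a failed cell to the XOR error pattern it adds to its
    result (a constructed fault model).
    """
    faults = faults or {}
    results = {}
    for r in range(rows):
        for c in range(cols):
            results[(r, c)] = check_sum_macro(registers) ^ faults.get((r, c), 0)
    reports = {}
    for cell, own in results.items():
        # Each cell checks what it received against its own result.
        bad = [n for n in neighbors(cell, rows, cols) if results[n] != own]
        if bad:
            reports[cell] = bad
    return reports


def decode_reports(rows, cols, reports):
    """Local executive: a cell is failed when every one of its neighbors reports it."""
    accusers = defaultdict(set)
    for reporter, accused in reports.items():
        for cell in accused:
            accusers[cell].add(reporter)
    return sorted(cell for cell, who in accusers.items()
                  if who == set(neighbors(cell, rows, cols)))


def status_message(group, rows, cols, reports):
    """Format the status message sent to the system executive."""
    failed = decode_reports(rows, cols, reports)
    if not reports:
        action = "none"
    elif failed:
        action = "bypass_cells"
    else:
        # Disagreements exist but no cell is named by all of its neighbors:
        # fall back to the conservative choice of bypassing the whole group.
        action = "bypass_group"
    return {"group": group, "failed_cells": failed, "action": action}


REGISTERS = [0o123456, 0o000777, 0o654321, 0o000001]  # constructed contents

if __name__ == "__main__":
    for faults in ({}, {(1, 2): 0x1}, {(1, 1): 0x4, (1, 2): 0x4}):
        reports = run_cell_test(4, 4, REGISTERS, faults)
        print(faults, "->", status_message("G1", 4, 4, reports))
```

The third case in the loop, two adjacent cells failing identically, falls outside the
single-failure assumption: no cell is reported by all of its neighbors, so the example
falls back to bypassing the whole group.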
In addition to group testing, tests would be performed on input and output signals,
in a manner similar to that described for the multiple computer and multiprocessor
candidates, to detect and isolate errors in conditioners and input devices.
4.3.3.2 External Status Reports
The executive cell group controls the issuance of external status reports. Two
types of reports are issued: one attesting to the ability of the executive to issue a
report, and the other to indicate failures elsewhere in the system. The executive
processor group is the obvious choice for this function since it receives the results of
each of the group's tests and maintains a cell group status board table (described under
software considerations in Paragraph 4.3.4).
The ability of the executive to issue a failure report is handled by a pulse stream
detection method, similar to that described for the multiple computer and
multiprocessor candidates. The BITE is mechanized in the I/O group, with the controlling
commands for pulse generation originating at the executive and transmitted to the I/O group
periodically. In general, failures in the executive processor or inter-group
communication bus will cause an executive processor failure lamp to be lit.
The second status report type is the more normal one wherein the executive group
reports the failure of another group or a conditioner or input/output device by means of
a numeric readout.
As indicated in the following section on reconfiguration, two of the above sets of
indicators are required: one controlled by the executive group of the primary system,
and the second controlled by the executive group of the backup or secondary system
associated with each of the phases.
4.3.3.3 Reconfiguration
This section discusses the task of reconfiguring the distributed processor after
a failure has been detected and reported to the space crew. Inherently this system
affords the highest potential probability of mission success and availability of all the
candidates because an individual group can continue to operate in the presence of a
failed cell(s), and because the system can continue to operate optimally in the presence
of a failed group(s), given of course that spare cells are available in the group and
spare groups are available in the system. Further, a large number of group failures
can be tolerated prior to mission failure because critical computations can be sustained
with relatively few operable groups. In essence, there exists a status zone between
full available computing power and mission failure for which additional failures may
result only in the elimination of lowest priority computing tasks and not in mission
failure. This zone can be termed one of degraded performance.
As in the case of the previous candidates the reconfiguration plan is based on the
type of phase in which the failure occurs: either non-critical, critical, or Mars orbital.
Figure 4-32 presents the distributed processor configuration. The solid lines
represent the portion of the system required solely to satisfy computational
requirements. There are 22 cell groups (Exec, I/O, G1-G20), the primary intergroup bus,
and conditioners C11, . . . , C1N. The dashed lines represent redundant hardware
required to enable error detection, and rapid reconfiguration during critical phases.
Included are the Test Store group, the Temp Store group, spare groups S1, . . . , SN
(the determination of the number of spare groups is discussed in Section 5), a secondary
intergroup bus, and a redundant set of conditioners C21, . . . , C2M. In addition
there are redundant connections from G3 and G4 to the conditioners. The functions of
the redundant hardware will be described in the succeeding paragraphs, using the
nomenclature given in Figure 4-29.
4.3.3.3.1 Non-Critical Phases
During non-critical phases the primary operational system consists of the
following cell groups: Exec, Test Store, Temp Store, I/O, and that subset of G5 through G20
required to satisfy the computational requirements of the particular non-critical phase.
In addition, the system includes the primary intergroup bus, conditioners C11, . . . ,
C1N, and associated input/output devices. The remainder of the items depicted in
Figure 4-29 are off-line, and selected elements would be brought on-line during the
phase only in the event of failure in the primary system, or in preparation for entry
into a phase with different computing resources requirements (such as a critical phase
or Mars orbital phase), or for backup assurance testing (as described in Paragraph
4.3.3.4).
Only failures in the primary system are considered. Failure considerations for
the backup (off-line) system will be discussed in the section on backup equipment
assurance.
Failures can be categorized as being either "hard core" or not hard core, and
the techniques to isolate the failure source will differ. A hard core failure is one
which prevents proper operation of the automatic error detection and isolation procedure.
First, the hard core failure will be discussed and how it can be handled. The
hard core includes the Executive cell group, the Temp Store group, the primary
intergroup bus, and the portion of the I/O group and a conditioner essential to the control
of the executive processor control lamp on the control panel. These elements are
somewhat similar to memory or processor failures of the other candidates which
caused the computer fail light to come on. In this candidate the I/O and conditioner
failures have been tentatively added to the hard core rather than giving the executive
group a more direct line to the control panel. The reason is that the system executive
may be flexibly assigned; any cell group can be the executive, and all would have to be
provided the capability, thereby increasing hardware.
With the available flexibility of communication paths, there are many possible
methods to isolate hard core failures. One such method, similar to the multiprocessor
method, is to bring a portion of the backup system on-line and have it perform isolation
tests on the hard core.
Figure 4-29. General Distributed Processor Configuration
The portion of the backup system conducting the test is G1, G2, G3, G4 and a
redundant conditioner communicating with the control panel, say C21. G1 through G4
perform functions equivalent to the Exec, Test Store, Temp Store, and I/O cell groups
respectively of the primary system. The functions of G1 and G2 may be flexibly
assigned to idle groups of the backup system. The functions of G3 and G4 are assigned
at the time they are connected to the conditioners and the assignment is flexible only in
the sense that any two available cell groups of the backup system can be connected to
the conditioners.
During testing the secondary intergroup bus is used. First the cell groups of the
primary hard core are checked by the group testing method. If necessary, conditioner
tests are performed next. If the failure has still not been detected and reported, it is
likely to be in the hardware of any of the primary system cell groups connected to the
primary intergroup bus. To automatically isolate the cell group causing the failure
would involve additional tests wherein the suspected groups are turned on one at a time
and the communications checked.
Next assume the failure is not in the hard core. Failures in the cell groups are
detected by group testing as described in Paragraph 4.3.3.1. The failed group status
is entered by the executive processor in its cell group status table and another
available group is assigned the task of the failed group. Note that the backup system is not
involved in this procedure (as opposed to primary system processor or memory
failures in the multiprocessor candidate). Failures in conditioners or input devices would
be handled similarly to the method described for the multiprocessor candidate.
The reconfigured system's structure depends on the failed element. For hard
core failures the system consists of a new hard core and set of operating cell groups
which can be assigned flexibly. For non-hard core failures of cell groups, the
reconfigured system is identical to the original one except for the failed cell group whose
function would be reassigned. Similarly, for failures in conditioners or I/O devices.
The present concept calls for spare cell groups to be designed into the system,
thereby obviating the need for physical replacement after failure. Any of the available
spare groups S1, . . . , SN may be brought on-line to make up for the computing power
lost by the failure.
4.3.3.3.2 Critical Phases
The reconfiguration process for the distributed processor during this phase is
similar to that described for the other candidates. Inherently, however, this candidate
has the greatest potential for sustaining multiple failures during this phase with
relatively the least redundant hardware.
During this phase the distributed processor acts functionally like two independent
computers as long as no failures occur. Referring to Figure 4-29, the primary system
consists of cell groups Exec, Test Store, Temp Store, I/O, a subset of G5 - G20
required for the operational calculations, and Conditioners C11, . . . , C1N and
associated input/output devices. The secondary system consists of the cell groups G1 - G4
which provide the Exec, Test Store, Temp Store and I/O functions for the secondary
system, a subset of G5 - G20 (not used by the primary system), and conditioners
C21, . . . , C2M and associated input/output devices. The primary intergroup bus is
reserved for the primary system and the secondary intergroup bus is reserved for
secondary system communication.
First, consider reconfiguration for the first failure in the system. If it occurs
in the primary system, it is detected by the primary system in either a passive
manner by the BITE circuitry associated with hard core failure, by the group testing error
detection technique in which case the executive can identify the failed group, or by
input-output signal testing as with the previous candidates. In any case, where the
failure affects a critical computation, control of the vehicle is automatically passed to
the secondary processor. This constitutes reconfiguration for this case and is
accomplished in much less than the allowable five seconds.
Non-critical failures in the primary system result in a suspension of the
associated computations, not in an automatic switch-over. Failures in the secondary system
result only in failure notification.
Next, consider the actions which might be taken after the first critical failure to
restore a backup capability for the critical functions and thereby be in a position to
withstand a second critical failure. Regardless of whether the primary or secondary
system contained the first failure, if it was a cell group not contained in the hard core,
the executive can isolate the failed group, place it in a failed status, and bring a spare
cell group on-line to assume the function. The system is restored providing parameter
values affected by the first failure can be restored. There are several ways this can
be done: either by using the last known good set of parameters of the failed system
which have been continually stored during operation, or by obtaining the latest values
from the system which did not fail. Thus, for a non-hard core cell group failure, any
second failure during the critical phase can be tolerated.
If the first failure was hard core, the remaining good system can be requested
to perform checks on the hard core of the failed system in a manner similar to that
described for the non-critical failures. Where the failure is identified as either Exec
or Test Store (or G1 or G2 for the secondary system) the full backup system can be
quickly restored by reassigning tasks. Any second failure in the phase can then be
tolerated. If the failure is identified as Temp Store or I/O (or G3 or G4 for the
secondary system) a full backup cannot be quickly restored because of the need for
physically changing connections to the conditioners. A compromise is achievable by
assigning an unused cell group to the Temp Store function and then, for the remainder
of the critical phase, checking all elements of the reassigned system except the I/O
group. Alternately, no compromise need exist if additional groups were provided
backup communication paths to conditioners. If neither of these two alternatives were
acceptable, the full backup is not restorable, but all the remaining groups of the failed
system would be available in a more restricted role for future failures in the good
system. Finally, if the hard core failure were identified as on an intergroup bus, it
is questionable if the full backup could be restored during the phase because of the
actions required to identify the failed group. Again though, all groups of the failed
system are available to the good system, on the operating intergroup bus. Similarly,
where conditioners or I/O devices fail, a full backup is not restorable, but the
remainder of the system is available for use in the event of subsequent failures.
As was the case in the multiprocessor candidate, single point failures that bring
the entire system down are of concern. To guard against this, an intergroup bus lockout
feature, under executive control, has been incorporated. In effect the primary system
is locked out from the secondary intergroup bus by the secondary system executive,
and vice versa. This feature was described in detail in Paragraph 4.3.2.
4.3.3.3.3 Mars Orbital Phase
Referring  to  Figure 4-29, all  elements depicted  play an active  role  in  the  system 
during this phase with the exception of the spare cell groups and possibly the
conditioners C21, ..., C2M, and the secondary intergroup bus.
As opposed to the  previous  candidates, a minimal  backup  navigation and guidance 
function is not performed and  hence for  certain  failures  reconfiguration  time would be 
greater than otherwise  attainable. Since critical functions are not  performed in this 
phase,  there is no 5-second reconfiguration  time  constraint and the  probability of 
mission  success is not affected. The potential increase in reconfiguration  time  may 
decrease  system  availability, but this effect is reduced  since only failures in selected 
portions of the system can cause it. The  availability  effect is described  in  Section 5. 
The main  reason  for  not  implementing  the backup  navigation  and  guidance  function 
is the  additional cost in hardware,  over and above that  depicted in Figure 4-29. About 
six  extra  cell  groups would be required.  The  rationale behind this  will now be 
explained. 
To  implement a backup it is necessary  to  minimize  circuitry whose failure would 
cause both the  primary and backup functions to fail. This  results in a configuration 
similar  to  that in critical  phases. Thus a second Executive, Test  Store,  Temp  Store, 
and I/O cell groups are required. Whereas for critical phases G1 - G4 were assigned
to  these  functions,  during the Mars orbital  phase  they are not  available  since  the 
system  has been  sized  to  reduce  hardware by using G1 - G4 for  primary computations. 
Thus  four extra  groups would be required  to  perform  these  functions.  In addition, it 
would be necessary  to  perform  the minimum  navigation and guidance calculations in 
cell  groups not performing  the  primary function,  and to  communicate  results  from  the 
prime  to the backup for updating purposes.  This would probably result in the addition 
of two more  cell groups. 
Failures during this phase can be categorized as either hard core, not hard core
but affecting the navigation and guidance function, or not hard core and not affecting
the navigation and guidance function. In the latter two cases, failures are
self-isolatable by the system, and where the navigation and guidance function is not affected,
reconfiguration is fast, simply requiring the assignment of a spare group to the failed
group's function. Where the navigation and guidance function is affected, the spare
group is again assigned the failed group's function, but in addition an initialization
routine is required since previous values have been lost. It is estimated that it may
take approximately 1/2 hour to reimplement the N and G function. Finally, for hard
core failures a procedure similar to that described for non-critical phases can be
used with one exception. The exception is that the isolation tests would probably be
conducted by a hard core made up by reassigning elements of the primary system not
in the original hard core.
4.3.3.4 Backup Equipment Assurance 
As in the case of the other candidates, the backup or off-line equipment is
periodically tested in order to insure its ability to take over an on-line role as
required.
Referring to Figure 4-29, during non-critical phases the off-line equipment
consists of cell groups G1 through G4, the subset of G5 through G20 not required for
the computational requirements of the phase, and spare cell groups. In addition, it
contains conditioners C21, ..., C2M and associated I/O devices. Normally, this
equipment is required either to furnish spares for the primary system, to be operably
configured as an active standby redundant system during critical phases, or to provide
the additional computing power required during the Mars orbital phase. Tests on the
backup would be performed on a request basis. Testing may be conducted and
controlled by the primary system, interleaved into its computational cycle in available
dead time, or may be largely divorced from the primary system by assigning cell
groups G1 through G4 the test controlling role. The latter case will be assumed since
reconfiguration for hard core failures in non-critical phases involves the existence of
a secondary executive system, as does the preparation for entry into, and the action
within, critical phases. Once G1 through G4 are assigned, the test program is loaded
from bulk storage. Data is entered to denote which cell groups, conditioners, and
input devices are to be tested. Testing then starts, with all communications initially
proceeding over the secondary intergroup bus.
The bus lockout feature is used to isolate the primary system from the backup
system and thereby reduce the possibility of errors in the backup system affecting
primary system operation. Group testing, as described in Paragraph 4.3.3.1, would
be used to check all cell groups. Conditioners and input devices can be checked with
operational type problems if the input devices are available. Where input devices are
not available, a combination of built-in test stimuli and the routing of conditioner outputs
to inputs would be used. Test results are reported by means of the secondary control
panel readout. Where failures exist, the failure can be classified as hard-core, in
which case further isolation testing is required, or as not hard core, in which case the
failed group is identified and removed (electrically) from the system. If no failure is
detected, the second phase of testing is entered. This involves interface tests, i.e.,
the ability of the primary system to communicate with elements of the backup system
and vice versa. Test results are reported by means of the respective executive
readouts. If no failure is detected the backup system has been completely verified and is
returned to the off-line status. If a failure exists, further testing may be required for
isolation, possibly with new executive assignments.
During critical phases a portion of the backup system is on-line in active standby
redundancy and is tested operationally similarly to the primary system. No testing of
the off-line portion is expected to be done during these relatively short periods.
During  the Mars orbital  phase  the  maximum  computing  power is  on-line. 
The  several  spare  elements  that  comprise  the backup would be checked periodically 
by the  primary  system. 
4.3.4 Software Considerations 
4.3.4.1 Reconfiguration Flexibility
The basic difficulty in programming a distributed-logic machine lies in trying
to achieve optimal code (i.e., maximum machine utilization and no usage conflicts)
while retaining reconfiguration flexibility. With enough work, a single program can
be mechanized in an appropriate array of processor cells, Figure 4-30(a), so that in
all possible parallel execution sequences no path-building conflicts arise, and with
minimal delays, unused cells, and overhead. If one cell should fail, however, the
optimum solution for the new array, Figure 4-30(b), might be unrelated to the
original in any direct or predictable manner. At least (k - 1)! solutions would be
required to anticipate handling k failures with optimality. For the mission under study,
reconfiguration is also necessary to meet several mission phase requirements. Each
phase is sufficiently unique (with the possible exception of some coast phases) that a
separate solution for each is required. Add to this the fact that unanticipated
computations must be processed, and the need for reconfiguration flexibility is
overwhelming.
The main  software advantage of the  candidate  distributed-logic  machine, 
Figure 4-31, is the  fact  that it is modularized into  approximately 24 mutually  exclu- 
sive  standardized  groups of processor  cells.  This  approach  permits  programming of 
the mission function into locally optimum, group-size task-modules. It must be noted 
that  overall  optimality,  for any one  configuration, is not as good as it could be  for 
a non-modularized machine, but the  optimality  level will be consistent  after  multiple 
reconfigurations due to mission phasing,  unanticipated  requirements, or  failures.  
Better  overall  optimization  might  also be achieved if the  groups  were of various 
sizes and tailored to the specific task needs. Once again, however, the necessary 
reconfiguration  flexibility would be  missing. 
Figure 4-30. Logic Array (legend: failed cell cannot be used on paths or to contain instructions/data)
Figure 4-31. The Cell-Group Machine (label: Inter-Group Bus)
The flexibility of this organization provides several side-effect benefits,
including the following:
1. Reduced Executive - The monitoring procedure need be concerned only 
with groups' status and assignments;  the  reduction in table  size alone 
is significant. Of course, the reconfiguration process is itself greatly 
simplified. 
2. Graceful Degradation - So long as spare groups are available, no loss
in computational capacity will occur. Otherwise, low priority tasks
can be deleted or backup task modules, which require fewer groups,
can be loaded.
3. Time-sharing - Those task-modules performing only non-continuous 
functions  during a phase  can time-share groups. 
4. Easier Programming - It is much simpler to optimize programs for
a 25 cell array than a 300 cell array and modifications to one
task-module will generally necessitate redesign of just one cell-group's
coding, not the entire program.
5. Standard Load Format - The task-modules can be organized easier on 
the  mass  storage  since they are standard-sized. This also means that 
a single  algorithm will handle all task-module  loading into the  groups. 
4.3.4.2 Support Software Design
The Executive processors, including the I/O Supervisor, will occupy two
cell-groups. The most striking difference in the software design between this candidate
and the two previous ones (described in 4.2.2.3 and 4.2.3.3) is that program, or
task, sequencing is not required whereas a new function, inter-group communication,
is necessary. Another significant change is that some executive functions are
localized within the task-modules.
4.3.4.2.1 Inter-Group Communication System (ICS)
Each  task-module is constructed to be  essentially independent; in  fact,  the 
size of the  cell-groups is partly  determined by the  capacity requirements of the 
various independent mission functions. However, some inter-group data transfers 
will occur on  the  Inter-Group Bus due to  the following: 
1. Global data, i.e., those parameters of interest to more than one
independent function, must be passed from the task-module which computes
it to those that use it. This is not done directly, but through the Global
Data Area described below.
2. Some mission functions are too large to be programmed  in only one 
task-module. When multiple task-modules are used, the interface 
data  necessary  to connect the  parts of the function must be passed. 
3. The I/O System will use this bus to pass some data to and from
task-modules.
4. Executive macro instructions are issued on the Inter-Group Bus. 
5. Messages to various Executive processors must be passed from the 
task-modules. 
In order to avoid conflicts, the ICS monitor controls the usage of the
Inter-Group Bus. Each task-module in the computer is allotted weighted usage on a
time-shared basis. When a task-module is activated, the number of accesses
per cycle that it requires is allocated; the total number of accesses available
must be large enough to handle the highest possible number of cumulative
requirements. At a fixed rate, the ICS monitor selects, in turn, particular task-modules
for use on the line as follows:
1. Task-module output - A macro is issued to enable the task-module to
write a data item (a parameter value or a message) on the line. The
data item, which could be null, is then read by the ICS monitor and
passed to the ICS decoder, which determines its destination.
2. Task-module input - A data item or macro is written with a key
identifying the destination task-module. Only the designated task-module
has the proper mask to permit reading of the input.
3. NO-FAIL indication - The task-module must write a special data item
which signifies a NO-FAIL condition in that cell-group.
A certain portion of this time-share  cycle is reserved  for  exclusive use by the 
Executive processors; this will vary depending  on how many task-module accesses 
are currently required. This "executive-time" is used to issue macros intended
for all or some of the task-modules.
Each task-module is continuously attempting to use the ICS Bus. A key mask,
which is unique for each task-module and is not hardware oriented, is used to control
actual access.
In order to avoid extensive bookkeeping in trying to distribute global data to the
proper task-modules, a Global Data Area (GDA) is maintained in the ICS. Every
global parameter that will be used anywhere in the entire program is allocated fixed
location register storage. When a global data item is output from a task-module it
will contain a header identifying it as such and its fixed location in the GDA. This
header is interpreted by the ICS decoder and that data value is stored in the GDA.
When a task-module requires a global parameter, a message to the GDA monitor is
output giving the location of the item and the header to be placed on it before it is
input to the task-module.
Figures 4-32 and 4-33 contain  examples of possible  word  formats.  These 
formats  are only included to facilitate  understanding of the  software  communication 
routines and will not be explicitly specified at this time. Further study on an
organization like this should include investigation of possible formats. The fixed codes
used in Figure 4-32(a) are: 
1. c - Control  bit = { I 01 data  item 00 message 1 
2. KEY - Key specifying  which  task-module or  Executive processor the 
data  value or  message is to be transmitted. 
3. ID - The  fixed  location of data values in the receiver or a message 
number. 
4. TEXT - A data value or a message.
C | KEY | ID | TEXT
Figure 4-32. Output Data Item/Message Formats 
Figure 4-32(b) is an example of a data item containing a value for a global
parameter X; a key to the Global Data Area, the parameter's location, and the value
of X are present. Figure 4-32(c) represents a parameter X that is to be input to a
task-module. Figure 4-32(d) shows a message being sent to an Executive processor
(P); when a processor may receive multiple messages, a message number, n(m), must
be included.
The data item format is shown in Figure 4-33(a), (b), and the macro format in
4-33(c), (d); field codes and an example are given for each. The field codes are the
same as for Figure 4-32 except as follows:
1 
C | S | KEY | TEXT
Figure 4-33. Input Data Item/Macro Formats 
The ICS monitor does not request or schedule data transmission except as
directed by other Executive processors. However, since more than one input to a
task-module may be specified during a time-share cycle, each task-module will
have a first-in-first-out data item queue maintained in the ICS.
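The exchange described in this paragraph, sketched in Python as an added example that is not code from the report: one time-share cycle in which each task-module spends its allotted accesses, the decoder routes words to the Global Data Area or to a per-module first-in-first-out queue, and a missing NO-FAIL item marks a module as silent. The names `Word` and `ICSMonitor`, the key value "GDA", the ID "NO-FAIL", the string-valued control field and the request convention (ID = GDA location, TEXT = header for the reply) are assumptions; the report leaves the word formats unspecified.

```python
from collections import deque
from dataclasses import dataclass

GDA = "GDA"          # assumed key naming the Global Data Area
NO_FAIL = "NO-FAIL"  # assumed ID of the special NO-FAIL data item


@dataclass(frozen=True)
class Word:
    """Output word with the fields of Figure 4-32(a): C, KEY, ID, TEXT."""
    c: str               # control field: "data" or "message" (bit coding not modelled)
    key: str             # destination task-module or Executive processor
    ident: object        # fixed location in the receiver, or a message number
    text: object = None  # data value or message body


class ICSMonitor:
    def __init__(self, accesses):
        self.accesses = dict(accesses)   # task key -> accesses per time-share cycle
        self.gda = {}                    # fixed location -> latest global value
        self.queues = {tk: deque() for tk in accesses}   # FIFO per task-module
        self.executive = []              # words addressed to Executive processors

    def decode(self, sender, word):
        """ICS decoder: determine the destination of one word read from the line."""
        if word.key == GDA and word.c == "data":
            self.gda[word.ident] = word.text
        elif word.key == GDA:
            # Request to the GDA monitor: return the stored value to the sender,
            # carrying the header (location in the requester) given in TEXT.
            value = self.gda.get(word.ident)
            self.queues[sender].append(Word("data", sender, word.text, value))
        elif word.key in self.queues:
            self.queues[word.key].append(word)
        else:
            self.executive.append((sender, word))

    def cycle(self, outputs):
        """Run one time-share cycle over outputs = {task key: deque of Words}.

        Each module may write at most its allotted number of words; the rest
        stay queued for the next cycle. Returns the modules that wrote no
        NO-FAIL item, which the Executive would treat as suspected failures.
        """
        silent = []
        for tk, quota in self.accesses.items():
            pending = outputs.get(tk, deque())
            alive = False
            for _ in range(min(quota, len(pending))):
                word = pending.popleft()
                if word.ident == NO_FAIL:
                    alive = True
                else:
                    self.decode(tk, word)
            if not alive:
                silent.append(tk)
        return silent

    def read(self, mask):
        """Task-module input: a module reads only the queue its key mask selects."""
        queue = self.queues.get(mask)
        return queue.popleft() if queue else None
```

Because the NO-FAIL item costs one access, a module's per-cycle allotment has to include it; a module that spends its whole allotment on data would be reported as silent.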
4.3.4.2.2 Reconfiguration Program 
Two main tables are used to monitor and control the configuration of the
computer; these are the Cell-Group Status Board and the Task Status Table. Formats of
these tables are illustrated in Figures 4-34 and 4-35, respectively.
CG | A | S
where:
CG: Cell-group internal name
S: Status (failed, spare, dormant-task, active task)
A: Assignment (Task Status Table entry)
Figure 4-34. Cell-Group Status Board Entry
TK | ICSA | PR | Q | LP | CG | S
where:
TK: Task key
S: Status (Active, dormant, requested, delete-flag unloaded)
CG: Cell-group assignment
LP: Mass-storage location
Q: (Tasks in cell-groups) Query mask for NO-FAIL indication verify.
   (Tasks not in cell-groups) Queue pointer for wait string.
PR: Priority (non-interruptable, immediate, ASAP, 0)
ICSA: Number of ICS accesses required per time-share cycle
Figure 4-35. Task Status Table Entry
As with other  candidates,  there  are  three  conditions  that  can  necessitate  recon- 
figuration: failure, phasing, and unanticipated requests. There are two primary 
means of performing  reconfiguration:  dead restart  and  transition. 
A dead restart must be performed whenever a power failure or ICS failure
occurs  since,  in both cases,  the  computer is down and  the  volatile  registers  are 
wiped  out. When the  failure  has  been  corrected, a special load program  can  be 
keyed in  automatically or  manually  via  the  console.  This  program  performs a 
computer  verification test and loads in the  Executive  task-module which  then controls 
the  loading of the  other  task-modules. A logical  diagram of this load program is 
shown in Figure 4-36. 
All other conditions cause transition mode reconfiguration, which is performed
in  the  Reconfiguration  Program.  Figure 4-37 shows  the  logic of a phasing  reconfigura- 
tion. Figure 4-38 (a) and (b) shows  the  additional  logic for  failure and unanticipated 
request  reconfiguration.  The  basic  process  consists of identifying  task-modules  to  be 
deleted,  scanning  a Load Profile,  making  task-module  assignments, and initiating 
loading. When a task-module  terminates  execution, it must send an "end-of-task" 
message  to  the  Reconfiguration  Program.  This will enable  processing of the  wait 
queue of request  programs. 
If multiple failures reduce the number of cell-groups such that "non-interruptable"
task-modules cannot be loaded, a backup load must be initiated. This would consist of
critical task-modules and a priority ordered list of backup-mode, non-critical
task-modules.
The Load Profiles mentioned  above are  located on the  mass-storage and consist 
of pointers to initial loads for task-modules. There are Load Profiles for each phase
(primary and backup) and for  each  individual  task  module. 
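The two tables and the failure path of the transition reconfiguration, sketched in Python as an added example that is not the report's program. The class and method names are hypothetical, only the TK, S, CG and PR fields are modelled, the ranking of the PR values is an assumed ordering, and the rule of interrupting the lowest-priority active task when no spare exists is an assumption drawn from the surviving labels of Figure 4-38.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed ordering of the PR field values (higher number wins).
RANK = {"non-interruptable": 3, "immediate": 2, "ASAP": 1, "0": 0}


@dataclass
class TaskEntry:
    """Task Status Table entry, reduced to TK, PR, S and CG."""
    tk: str
    pr: str
    status: str = "requested"
    cg: Optional[str] = None


class ReconfigurationProgram:
    def __init__(self, cell_groups):
        # Cell-Group Status Board: CG -> [S, A]
        self.board = {cg: ["spare", None] for cg in cell_groups}
        self.tasks = {}
        self.wait_queue = []            # task keys, highest priority first
        self.backup_load_needed = False

    def request(self, tk, pr):
        """Request Processor entry: create or reuse the table entry, then assign."""
        task = self.tasks.setdefault(tk, TaskEntry(tk, pr))
        if task.status == "active":
            return task.cg              # already loaded: just initiate execution
        return self._assign(task)

    def cell_group_failed(self, cg):
        """Mark the group failed and try to move its task-module elsewhere."""
        _, tk = self.board[cg]
        self.board[cg] = ["failed", None]
        if tk is None:
            return None
        task = self.tasks[tk]
        task.cg, task.status = None, "requested"
        return self._assign(task)

    def end_of_task(self, tk):
        """End-of-task message: free the group, then process the wait queue."""
        task = self.tasks[tk]
        self.board[task.cg] = ["spare", None]
        task.cg, task.status = None, "dormant"
        waiting, self.wait_queue = self.wait_queue, []
        for key in waiting:
            self._assign(self.tasks[key])

    def _assign(self, task):
        cg = next((g for g, (s, _) in self.board.items() if s == "spare"), None)
        if cg is None:
            # No spare: interrupt the lowest-priority active task ranked below this one.
            victims = [t for t in self.tasks.values()
                       if t.status == "active" and RANK[t.pr] < RANK[task.pr]]
            if victims:
                victim = min(victims, key=lambda t: RANK[t.pr])
                cg, victim.cg, victim.status = victim.cg, None, "requested"
                self._enqueue(victim)
        if cg is None:
            self._enqueue(task)
            if task.pr == "non-interruptable":
                self.backup_load_needed = True   # the backup load must be initiated
            return None
        self.board[cg] = ["active-task", task.tk]
        task.cg, task.status = cg, "active"
        return cg

    def _enqueue(self, task):
        self.wait_queue.append(task.tk)
        self.wait_queue.sort(key=lambda k: -RANK[self.tasks[k].pr])
```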
Figure 4-36. Dead Restart Program (flowchart boxes: verify the operation of cell groups and the Inter-Group Bus; load the Executive task-modules set with an empty Task Status Table; get and pass phase no. to Executive; signal Executive start)
4.3.4.2.3 Request Processor 
A task-module may upon testing a condition or receiving an input from the 
console, or  completing an assignment,  request  that  another  task-module  be  executed. 
This request is issued  in  the  form of a message  to  the  Request  Processor which 
contains  the key of the  requested  task-module. 
When a request is received,  an  entry  for  the  task-module is made in the Task 
Status  Table. If an entry  already  exists, it is checked  to  see if it is already  loaded; 
if so, an initiate  execution  command is issued. In all  other  cases  the  unanticipated 
request  entry of the  Reconfiguration  Program is executed. 
The  request  message  can  also  contain a priority  to  be  assigned  to  the task- 
module. 
The cell-group which contains the I/O Supervisor is connected to the conditioners.
When a task-module wants to input a parameter, it sends a message via ICS to
the I/O Supervisor. This message indicates which sensor is to be sampled and a
header which is to be added so that the value may be sent as a data item, via ICS
again. Reasonableness tests are performed in the task-module, not in the I/O
Supervisor.
Figure 4-37. Transition Reconfiguration (Phase Start) (flowchart boxes: locate new phase Load Profile on mass storage; tag task-modules in Task Status Table that are to be deleted; replace a tagged Task Status Table entry with one constructed from a Load Profile entry, keeping the same cell-group assignment; this process continues for all tagged entries; load cell-group with loader routine; issue start load signal; for unloaded task-modules, create Task Status Table entries with "UNLOADED" status and set their status to "SPARE" in Cell-Group Status Board)
Figure 4-38. Transition Reconfiguration (Unanticipated) (flowchart labels: unanticipated request or unloaded request start; cell-group failure start; change status of entry to "ACTIVE"; find Task Status Table entry for failed task-module; remove cell-group assignment; "REQUESTED"; 1st choice cell-group status for usable entry; tag to interrupt associated entry in Task Status Table; priority; wait queue; assign to task)
Outputs are handled similarly, except that two transmissions, a select message
and then the data item, must be sent by the task-module on the ICS. Verification of
output feedbacks is performed in the I/O Supervisor.
4.3.4.2.5 Self-Test Program 
(See Paragraph 4.3.3.) 
4.3.4.3 Task-Module Software Design 
Each  task-module is required  to  perform  certain  "local-executive"  functions. 
In  general,  the  actual  construction of these  routines  will  vary within each in order 
to  achieve  local  optimality. 
The  controlling  cell of the  cell-group  will, of course,  contain  all  the  scheduling 
logic  for  the  programs in the  task-module. 
The  logic  to transmit the NO-FAIL indication  and  the end-of-task message  must 
be  contained in each  task module. 
4.3.4.4. Estimate of Software Overhead 
The overhead costs are considerably higher for this candidate and are expected
to be on the order of 20 percent. This is based on the fact that two cell-groups are
used for Executive and I/O operation and at least one cell in each cell-group assigned
to task-modules is required for local executive control. In addition, two cell groups
will be required for the self test operations.

V. SIMULATION AND EVALUATION OF CANDIDATE ORGANIZATIONS 
5.1 SIMULATION AND RELIABILITY ANALYSIS 
5.1.1 Monte Carlo Method 
5.1.1.1  Introduction 
The  reliability  and  availability of the  various  candidate  configurations  were 
investigated by means of a Monte Carlo  reliability  analysis  program.  This is a  com- 
puter  program which generates  simulated  statistics  for  each  configuration. Some 
consideration  was given to  closed  form  analytical  expressions  for  the  reliability 
analysis. However, the  mission  complexity  proved  this  to  be too difficult  to  derive 
in  the  time  available. 
Monte Carlo techniques of analysis refer to the simulation of random variables
in a process by the generation of random numbers or sequences. For reliability
analysis, the random event which is simulated is component or subsystem failure. It
has been found that electronic equipment exhibits random failure rates which have an
exponential distribution. That is, the probability of failure as a function of time,
$P_f(t)$, is exponentially distributed:
$P_f(t) = 1 - e^{-\lambda t}$, where $\lambda$ is the expected failure rate.
This equation is interpreted as meaning: Given that the equipment is currently failure
free, the probability that a failure will have occurred by some later time $t$ is given by
$P_f(t) = 1 - e^{-\lambda t}$.
It can be shown that the expected time to failure is $\lambda^{-1}$. The probability density
function for $P_f(t)$ is $\lambda e^{-\lambda t}$. The expected value of time, $E(t)$, is then found by
0 
II 
E(t) is then  defined as  the mean time to failure, MTTF. 
5.1.1.2 Operation of Monte Carlo  Program 
The Monte Carlo program solves the probability of failure equation in reverse.
It generates a random number which is evenly distributed between zero and one. It
sets this equal to the probability of failure and solves for time to failure.
$P_f(t) = 1 - e^{-\lambda t}$
or $t = -\ln\left[1 - P_f(t)\right] \cdot \mathrm{MTTF}$
This equation is solved for each piece of equipment in the system. The $\lambda$ or MTTF
which is used in solving for $t$ is a function of whether or not the equipment is turned
on or off. It has been found that electronic equipment is susceptible to failure even
while it is sitting idle. This idle failure rate is distributed exponentially also and the
failure rate is approximately proportional to the active failure rate. For this analysis
it is assumed that the idle failure rate is directly proportional to the active failure
rate, so that $P_f$ for an idle piece of equipment is:
$P_f(t) = 1 - e^{-\lambda t / \alpha}$
where $\alpha$ is the constant of proportionality.
A block diagram of the Monte Carlo program is given in Figure 5-1. The Monte
Carlo program first generates the time to failure for each piece of equipment based
on its original status, i.e., active or idle. The program then checks if any of the
times to failure of active equipment are less than or equal to the length of the first
phase of the mission. If there is a failure, another random number is generated and
compared with a probability of detection of the failure. If the random number is lower
than the probability of detection, the failure is recorded as a detected failure. That
equipment is then replaced (in the simulation) and the program continues. If the
random number is higher than the probability of detection, the failure is recorded as an
undetected failure. Idle equipment failures are recorded when the piece of equipment
is turned on, either when it has replaced an active failed piece of equipment or when it
is turned on at the beginning of a new phase. Once the failure is recorded the
equipment is treated the same as active equipment which has failed, i.e., it is replaced
and downtime is accumulated. Downtime is accumulated in two ways: by the
replacement time for failed equipment and by not having any spares in a multi-equipment mode
(such as Mars Orbital phase where 2 computers are required in the Multi-Computer
Approach). If all the equipment has failed, the mission is terminated and recorded as
a failure. Downtime was also recorded for undetected failures and noted separately
from the downtime identified above. An undetected failure results in a mission failure
when a critical phase is entered.
If none  of the times  to  failure  are within the first phase,  the  program  generates 
new times  to  failure  for  the equipment which change status (on/off) for  the next phase 
and the program continues as before.
If, when all the phases are completed, not all the equipment has failed
(computer available for critical phases), the mission is recorded as a success. This
process is repeated a large number of times for each configuration and statistics are
accumulated which indicate probability of success and availability.
5.1.1.3 Accuracy, Confidence, and Number of Runs
The  number of runs, N, necessary  to  achieve  a  given  accuracy and  confidence 
in  the  results  can  be found from  the following equation: 
Figure 5-1. Block Diagram of Monte Carlo Simulation (flowchart labels: generate Tf1, prime; generate Tf2, secondary; generate new Tf1; generate detection probability; record undetected failure, if critical phase record failure; change M; success. Legend: M, mission phase; failure rates; mission phase time)
where $p$ is the probability to be determined, $K^2(a)$ is a confidence function which will
be discussed below, and $\epsilon$ is the allowable error.
This  equation is derived below. 
The  runs  generated  by  the Monte Carlo  program  are  essentially independent 
Bernoulli trials. Since Bernoulli trials obey the binomial probability law, it is
desired to find the statistics which describe binomially distributed probabilities (see
Reference 19). In order to simplify this task without sacrificing accuracy, the normal
approximation to the binomial distribution is applied. This states that:
where $N$ is the number of trials,
$f_n$ is the relative frequency of success of an event with probability $p$ of success on each trial, and
$h$ is the allowable error of $\dfrac{|N(f_n - p)|}{\sqrt{Npq}}$.
This  can  be  rewritten  as 
where $\sigma$ is the standard deviation of the results of Bernoulli trials.
This equation states that the probability that the ratio of the difference between the
simulated probability and the actual probability, $(f_n - p)$, and the standard deviation,
$(\sigma)$, of the Bernoulli trials is less than or equal to some constant $h$, is equal to
twice the positive normal distribution of $h$ minus one. If $h = \epsilon/\sigma$, where $\epsilon$ is the
allowable error between the simulated and actual probabilities, the previous equation
becomes:
where a is the confidence  level which is desired then 
a 
which will be  satisfied if 
$K(a)$ can be found from a table of the normal curve of error. If the value of 1/2 a is
found in the area column, the corresponding value in the t column is $K(a)$. Note that
for the worst case
N 2 when p = 1/2  
4 2 
for  p  greater  or  less than 1/2 the  number of trials  (runs)  decreases.  This  means  that 
i f  nothing i-s known of the  probability  that is  being  simulated  the  worse  case  must  be 
used  but if  the  probability  can first  be  estimated the  number of runs  can  be  reduced. 
This equation  can also be  used  inversely,  that is if a number of runs  have  been 
made,  an error  limit  can  be  established  for  a given confidence  level. 
10, 000 runs  were  used  in  the Monte Carlo  Simulation and the  error was  calculated  for 
different  values of p  (from 0.8 to 1.0) with different  confidence  values  (from 0 . 7 5  to 
0.95); these  calculations a r e  shown in Figure 5-2. 
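The run-count relation described above, worked as an added Python example (not code from the report): it computes K(a), the number of runs needed for a given error and confidence level, the inverse error limit for 10,000 runs, and checks the bound on constructed Bernoulli trials. The function names are chosen here, K(a) is taken from Python's `statistics.NormalDist` instead of a printed table, and the standard deviation of $f_n$ is assumed to be the usual sqrt(p(1 - p)/N) for Bernoulli trials.

```python
import math
import random
from statistics import NormalDist


def k_of(a):
    """K(a): the h for which 2*Phi(h) - 1 = a (two-sided normal quantile)."""
    if not 0.0 < a < 1.0:
        raise ValueError("confidence level must lie strictly between 0 and 1")
    return NormalDist().inv_cdf((1.0 + a) / 2.0)


def runs_required(eps, a, p=0.5):
    """Smallest N with K(a) * sqrt(p(1-p)/N) <= eps; p = 1/2 is the worst case."""
    k = k_of(a)
    return math.ceil(k * k * p * (1.0 - p) / (eps * eps))


def error_limit(n_runs, a, p):
    """Inverse use: error limit reached by n_runs at confidence level a."""
    return k_of(a) * math.sqrt(p * (1.0 - p) / n_runs)


def error_grid(n_runs, p_values, confidence_values):
    """Error limits over a grid of p and confidence level."""
    return {(p, a): error_limit(n_runs, a, p)
            for p in p_values for a in confidence_values}


def coverage(p, n_runs, a, experiments, seed):
    """Fraction of constructed experiments whose estimate f_n lies within
    the error limit of the true p; it should be close to a."""
    rng = random.Random(seed)
    eps = error_limit(n_runs, a, p)
    hits = 0
    for _ in range(experiments):
        successes = sum(rng.random() < p for _ in range(n_runs))
        if abs(successes / n_runs - p) <= eps:
            hits += 1
    return hits / experiments


if __name__ == "__main__":
    print("worst-case runs, error 0.01, confidence 0.95:",
          runs_required(0.01, 0.95))
    grid = error_grid(10_000, [0.80, 0.90, 0.95, 0.99], [0.75, 0.85, 0.95])
    for (p, a), eps in sorted(grid.items()):
        print(f"p={p:.2f}  confidence={a:.2f}  error limit={eps:.5f}")
    print("empirical coverage:", coverage(0.9, 2000, 0.90, 400, seed=1))
```

With 10,000 runs the error limit shrinks as p moves from 0.8 toward 1.0, which is why an estimate of p made beforehand allows fewer runs than the p = 1/2 worst case.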
5.1.2 Simulation Results 
5.1.2.1 Introduction 
This section presents the results from the Monte Carlo reliability simulation of
each of the candidate organizations. Two items are to be determined from the
simulation: Mission Probability of Success and Computer System Availability. The
required goal for both of these items was set at 0.997; this was the value generally
used in the references cited in Paragraph 2.1. It should be noted that probability
of success refers only to the computer system and not to the combined vehicle systems
probability of success. Probability of success was identified as being able to perform
the computations during critical phases (phase 10, Mars Aerobraking, and phase 20,
Earth Re-Entry). This is the appropriate parameter to consider during these phases,
and not availability. Time to replace a failed module was assumed to be fixed at
1/2 hour for the purpose of this simulation (in some cases a spare module is switched
in electronically and time to repair is 0 for this case).
Figure 5-2. Error In Monte Carlo Simulations
The twenty mission phases were grouped into 15 phases for the simulation; the
tabulation below shows this grouping:

Mission Phases                                          Monte Carlo Phase
1, 2         Atmospheric Ascent, Earth Orbit Injection          1
3            Trans Mars Injection                               2
4            Trans Mars Coast                                   3
5            Trajectory Correction                              4
6, 7, 8      Spin Up, Spin Cruise, De Spin                      5
9            Mars Approach Correction                           6
10           Mars Aerobraking                                   7
11           Mars Orbit Injection                               8
12           Mars Orbital Coast                                 9
13           Trans Earth Injection                             10
14           Trans Earth Coast                                 11
15           Trajectory Correction                             12
16, 17, 18   Spin Up, Spin Cruise, De Spin                     13
19           Earth Approach Correction                         14
20           Earth Re-Entry                                    15
The module structure will be repeated here for each candidate organization; a
detailed description of each was given in Section IV. Multi-Computer: one entire
module. Multiprocessor: three types of modules (Input/Output, Processor, Memory).
Distributed Processor: an array of identical modules.
The computer module usage as a function of mission phase is given below:

Multi-Computer
  Phases 1,2: One Computer Module (one memory section on)
  Phases 3,5,6,8,9,10,11,13,15,16,18,19,20: Two Computer Modules (one memory section on
    in each) (one computer in active redundancy)
  Phases 4,7,14,17: One Computer Module (one memory section on, 2nd section on
    intermittently)
  Phase 12: Two Computer Modules (one with one memory section on, 2nd with two memory
    sections on)

Multiprocessor
  Phases 1,2: One I/O Module, 1 Processor module, 1 memory module on
  Phases 3,5,6,8,9,10,11,13,15,16,18,19,20: Two I/O Modules, 2 Processor modules,
    2 memory modules on (1 each in active redundancy)
  Phases 4,7,14,17: One I/O Module, 1 Processor module, 1 memory module on; 1 memory
    module on intermittently
  Phase 12: Two I/O Modules, 2 Processor modules, 3 memory modules on

Distributed Processor
  Phases 1,2: 16 groups on
  Phases 3,5,6,8,9,10,11,13,15,16,18,19,20: 12 groups on (6 in active redundancy)
  Phases 4,7,14,17: 16 groups on, 3 groups on intermittently
  Phase 12: 24 groups on
5.1.2.2 Tabulation of Results 
Below is a tabulation of the cases that were simulated and a summary of the
results.

Case No.   MTBF on (hrs)   MTBF off (hrs)   PDet    Spares   PS

Multicomputer
(Spares = number of computer modules exceeding 2)

   1            8000            80000       0.99      0      0.6026
   2            8000            80000       0.99      1      0.8140
   3            8000            80000       0.99      2      0.9220
   4           16000           160000       0.99      0      0.8366
   5           16000           160000       0.99      1      0.9544
   6           16000           160000       0.99      2      0.9874
   7           25000           250000       0.99      0      0.9216
   8           25000           250000       0.99      1      0.9822
   9           25000           250000       0.99      2      0.9953
(Cases 1 through 9 assumed no on/off capability in memory section)
  11           16000           160000       0.99      0      0.8906
  12           16000           160000       0.99      1      0.9749
  13           16000           160000       0.99      2      0.9923
  14            8000            80000       0.998     1      0.8810
  15            8000            80000       1.0       1      0.8811
  16           25000           250000       0.998     1      0.9921
  17           25000           250000       1.0       1      0.9920
  21            8000            80000       0.99      0      0.7096
  22            8000            80000       0.99      1      0.8721
  23            8000            80000       0.99      2      0.9524
  24           25000           250000       0.99      0      0.9482
  25           25000           250000       0.99      1      0.9900
  27            8000            80000       0.75      1      0.7520
  29           25000           250000       0.99      2      0.9953
  30           25000           250000       0.90      1      0.9646
  31           25000           250000       0.75      1      0.9278
  32            8000            40000       0.99      2      0.9345
  33           16000            80000       0.99      2      0.9895
  34            8000           400000       0.99      2      0.9657
  35           16000           800000       0.99      2      0.9926
  36           25000           250000       1.0       2      0.9995
  37           25000        1,000,000       0.99      2      0.9970
  38           25000            25000       0.99      2      0.9845
  39           16000            16000       0.99      2      0.9456
  40            8000            80000       1.0       0      0.7119
  41            8000            80000       1.0       2      0.9619
  42           25000           250000       1.0       0      0.9529

Multiprocessor
(Spares = Number of the following sets of modules: 1 I/O Module, 1 Processor
Module, and 2 memory modules exceeding the following baseline configuration:
2 I/O modules, 2 Processor Modules and 4 memory modules.)

  43             *                *         0.99      0      0.8227
  44             *                *         0.99      1      0.9593
  45             *                *         0.99      2      0.9851
  46             **               **        0.99             0.9717
  47             **               **        0.99             0.9941
  48             **               **        0.99             0.9971
  49             **               **        0.75             0.9233
  50             **               **        1.0              0.9746
  51             **               **        1.0              0.9987
  52             *                *         1.0              0.8219
  53             *                *         1.0              0.9676
  54             *                *         1.0              0.9949

*MTBF's on: I/O 66,700 hrs
            Processor 28,600 hrs
            Memory 20,000 hrs
*MTBF off = 10 X MTBF on
**MTBF's on: I/O 208,300
             Processor 89,500
             Memory 62,500
**MTBF off = 10 X MTBF on

Distributed Processor

  55         *200,000        2,000,000      0.99      1      0.9998
  56         *200,000        2,000,000      0.85      3      0.9978

*GROUP MTBF
Spares = Number of groups exceeding 24
5.1.2.3 Discussion of Results 
5.1.2.3.1 Multi-Computer 
The results from the simulation are given in Figures 5-3 through 5-7 for the
Multi-Computer candidate. Figure 5-3 shows the mission probability of success (Ps)
as a function of the number of computers used; three MTBF's are shown: 8,000,
16,000 and 25,000 hours. In addition, the dashed curve below each solid curve shows
the effect of not having the capability of turning off part of the memory. The solid
line for each MTBF assumed that the memory was divided into two sections with the
capability of turning one section on and off independently of the rest of the computer;
it is seen that this capability had a significant effect on the Ps. The conditions on
these curves were a Probability of Detection of Failures (Pd) of 0.99 and an on/off
ratio of failure rates ($\lambda_{on}/\lambda_{off}$) of 10.
Figure 5-3. Multicomputer Probability of Success
Figure 5-4. Multicomputer On-Off Failure Rate Effects on Ps
Figure 5-5. Multicomputer Failure Detection Probability Effects on Ps
Figure 5-6. Multicomputer Unavailability
Figure 5-7. Multicomputer Ps vs Number of Computers with Pd = 0.99 and 1.0
The effects of on to off ratio in failure rates are shown in Figure 5-4. This
curve shows that the improvements in Ps with an increasing $\lambda_{on}/\lambda_{off}$
ratio are quite significant, particularly with lower on-time MTBF's. It is seen that most
improvement generally has been realized in Ps by the time a ratio of 10 has been reached.
Probability of failure detection has a limiting effect on Ps as more and more
spares are added. Figure 5-5 shows the effects of Pd on a system of 3 computers
with a $\lambda_{on}/\lambda_{off}$ ratio of 10. It is seen that the linear region of this
curve has been traversed for the Pd's considered (0.75 - 1.0). Two MTBF's were plotted:
25,000 hrs and 8,000 hrs. This curve points out a significant fact: that gains in Ps as a
function of Pd are linear; that is, an increase in Pd from 0.95 to, say, 1.0 produces a
linear gain in Ps, which is the same gain as in increasing Pd from 0.80 to 0.85.
It was mentioned previously that Availability was the other parameter of
consideration. Downtime was accumulated due to two factors: time to replace with a
spare and the time that the full computing capability was not available (for example,
1 computer only working during phase 12, Mars Orbital, when 2 are required).
Availability is defined by: (Mission Time - Down Time) / Mission Time. Down time
was very low and, to visualize the large numbers for availability, unavailability was
computed in its place so that a semi-log plot might be constructed. Unavailability is
simply Down Time / Mission Time; the results are shown in Figure 5-6 for a Pd of
1.0 and $\lambda_{on}/\lambda_{off}$ = 10.
Figure 5-7 contains a comparison of Ps vs the number of computers for a
Pd = 0.99 and Pd = 1.0; the limiting effect of Pd is seen as more spares are added.
5.1.2.3.2 Multi-Processor
The results of the Multi-Processor Simulations are shown in Figures 5-8, 5-9,
and 5-10. It should be noted that considerably fewer points were obtained for this
candidate; this is due to two factors: 1) the amount of computer time to simulate this
system increases considerably due to its added complexity in the smaller module
breakout, and 2) many of the results obtained for the Multi-Computer follow through,
such as the $\lambda_{on}/\lambda_{off}$ ratio effects, and it was thought not worthwhile
repeating them.
Figure 5-8 shows the Ps vs number of computer systems curve; a computer
system is defined here as an I/O module, a Processor module and 2 Memory modules.
This basically has the capability of the Multi-Computer plus some additional features
as explained in Section IV. Two MTBF values were considered and the MTBF (on) for
each of the modules is indicated on the curve. The group MTBF_A corresponds fairly
closely to the 8,000 hr Multi-Computer while the group MTBF_B corresponds to the
25,000 hr Multi-Computer (it should be remembered that the Multiprocessor system
exceeds the Multi-Computer capability and this is not a true comparison between the
two). Again a Pd of 0.99 was used in this curve; to determine what Ps would be
achieved with a Pd of 1.0 (for MTBF_B) a point was obtained at Pd = 0.75 and a straight
line projected (Figure 5-9). Ps then turned out to be 1.0, which is exactly what was
expected after studying the results of case 45 (Pd = 0.99) on the computer print out.
This case showed that there were no failures during the critical phases and Ps was
1.0 prior to entering the first critical phase and did not change until the next critical
phase was entered. What this meant is simply that the only failures occurring having
an effect on Ps were undetected failures (an undetected failure did not amount to a
mission failure until a critical phase was entered with that undetected failure).
Figure 5-8. Multiprocessor Probability of Success
Figure 5-9. Multiprocessor Probability of Failure Detection Effects on Ps
Figure 5-10. Multiprocessor Unavailability
In addition, points were later generated with a Pd = 1.0 for both MTBF's and also
plotted on Figure 5-8. It can be seen that Pd is quite a limiting factor as a higher Ps
is approached.
Unavailability is shown in Figure 5-10 for the two MTBF's; the curves are
similar to the Multi-Computer except that they are considerably better in terms of a
much lower Unavailability.
5.1.2.3.3 Distributed Processor
No curves are plotted for the Distributed Processor organization for two reasons:
1) as above, the runs take considerably longer due to the modularity involved, and 2) the
Ps was expected to be very high due to the sparing capability of modules left over from
non-critical phases requiring large amounts of modules.
Two runs were made, each with a 200,000 hr MTBF (on) for each group, a Pd
of 0.99, and $\lambda_{on}/\lambda_{off}$ of 10. The first run assumed only 1 extra group
was provided as a spare; Ps was 0.99980 and deviated from 1.0 only due to undetected
failures; downtime was 261.03 hours. It should be noted that the only MTBF considered was
200,000 hrs; this is considered a lower bound on the group MTBF and since Ps was
met easily with this value, higher MTBF's were not simulated.
Another run was made with a Pd of 0.85 and three spare groups. This run
gives two effects: the effect of Pd on Ps and the effect of spares on downtime. Ps
was 0.9978 and downtime was 219 hours. Two important facts should be pointed out
here: 1) the limiting factor of Pd in an organization like this, and 2) a new, more
refined definition for downtime is necessary, since downtime was accumulated when
all 24 groups were not operating during the Mars Orbital Phase. Certainly the entire
computer system is not down and a more reasonable answer is 23/24 of the system is
available, or some lower fraction depending on the functions being performed by the
groups (since the loss of one group may preclude the use of another group, etc.).
As examples of the computer print outs associated with each case, three print
outs are shown in Figures 5-11 through 5-13. It should be noted that downtime is given
in two columns: the first, "Replacement," is due to replacing a failed module with a
spare or not having the full computing capability available as explained previously; the
second, "Undetected Failure," is due to having an undetected failure and still using the
computer system as though it were functioning correctly (once a critical phase is
reached with an undetected failure, a mission failure is scored). Replacement
downtime is the value used in computing availability. The column "Total Equipment
Failures" indicates this function for the total 10,000 runs for each case. The numbers in
the downtime columns are the average for each run.
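The Multi-Computer failure rules discussed in this section (on and off failure rates, probability of detection Pd, spares, and a mission failure scored when a critical phase is reached with an undetected failure), as an added Python example that is not the report's simulator and does not reproduce its tabulated Ps values. All names are chosen here; the six phases and their hours are constructed, failures are evaluated once per phase, and a detected failure is assumed to remove the unit at once so that the next unit in the pool takes its place.

```python
import math
import random

# (phase, hours, computers switched on, critical?). The two critical phases and
# the one-or-two computer usage follow the report; the hours are constructed.
PHASES = [
    ("ascent and Earth orbit injection", 10, 1, False),
    ("trans-Mars coast", 4000, 1, False),
    ("Mars aerobraking", 2, 2, True),
    ("Mars orbital coast", 700, 2, False),
    ("trans-Earth coast", 4500, 1, False),
    ("Earth re-entry", 2, 2, True),
]


def unit_fails(rng, hours, mtbf):
    """Exponential failure law: True if a unit fails within `hours`."""
    return rng.random() < 1.0 - math.exp(-hours / mtbf)


def on_line_ok(pool, n_on):
    """A critical phase needs at least one unit and no undetected failure on line."""
    return bool(pool) and "latent" not in pool[:n_on]


def fly_mission(rng, n_computers, mtbf_on, off_ratio, p_detect):
    """Simulate one mission; return True if both critical phases are survived.

    Assumptions of this example: failures are evaluated once per phase, a
    detected failure removes the unit at once (the next unit in the pool
    takes its place), and an undetected failure stays on line.
    """
    pool = ["good"] * n_computers          # the first n_on entries are switched on
    for _name, hours, n_on, critical in PHASES:
        if critical and not on_line_ok(pool, n_on):
            return False                   # entered a critical phase already compromised
        survivors = []
        for position, state in enumerate(pool):
            # Units that are switched off fail off_ratio times more slowly.
            mtbf = mtbf_on if position < n_on else mtbf_on * off_ratio
            if state == "good" and unit_fails(rng, hours, mtbf):
                if rng.random() < p_detect:
                    continue               # detected: unit is dropped, a spare moves up
                state = "latent"           # undetected: still believed good
            survivors.append(state)
        pool = survivors
        if critical and not on_line_ok(pool, n_on):
            return False                   # compromised during the critical phase
    return True


def probability_of_success(n_computers, mtbf_on, off_ratio, p_detect,
                           runs=10_000, seed=0):
    """Fraction of simulated missions that succeed (the report's Ps)."""
    rng = random.Random(seed)
    wins = sum(fly_mission(rng, n_computers, mtbf_on, off_ratio, p_detect)
               for _ in range(runs))
    return wins / runs


if __name__ == "__main__":
    for p_detect in (0.99, 1.0):
        row = [probability_of_success(n, 8000, 10, p_detect) for n in (2, 3, 4, 5)]
        print(f"Pd={p_detect}: " + "  ".join(f"{ps:.4f}" for ps in row))
```

Run as a script, it prints Ps against the number of computers for Pd = 0.99 and Pd = 1.0, where the Pd = 0.99 row levels off as spares are added while the Pd = 1.0 row keeps approaching 1.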
5.2 CRITICAL EVALUATION AND RECOMMENDED APPROACH 
5.2.1 Evaluation of Organizational  Features 
A summary of some of the  organizational  features is given below. 
5.2.1.1  Multi-Computer 
The principal advantages of this organization are the minimal number of
components and communication lines necessary per computer, a good match of hardware
to requirements, and relatively simple failure detection to a module. The good match
of hardware to requirements results in an efficient use of the hardware, and simple
failure detection to a replaceable module which in this organization is an entire
computer. The executive program for this approach is relatively straightforward since
each computer operates essentially as a separate unit on all programming tasks.
Figure 5-11. Monte Carlo Simulation of Spaceborne Multiprocessing Study - Multicomputer Organization
(Computer printout, system statistics: number of hours in continuous operation, probability
of success, average downtime per mission for replacement and undetected failure, total
equipment failures.)
Figure 5-12. Monte Carlo Simulation of Spaceborne Multiprocessing Study - Multicomputer Organization
(Computer printout, Case 17 system statistics, Pd = 1.0, 3 computers.)
Figure 5-13. Monte Carlo Simulation of Spaceborne Multiprocessing Study - Multicomputer Organization
Some disadvantages with this organization are adaptability to a change in
requirements, the relatively large module size in meeting reliability requirements,
and difficulty in attempting to detect failures to a lower level than a computer. The
problems in meeting additional computer requirements are a severe disadvantage with
this organization. If there is a need for increased computational capability, another
complete computer must be added; as a result, a relatively small change in the
requirements can cause a large change in the hardware in the computer system.
Another problem area apparent in the Manned Mars Mission due to this limited
flexibility is in the computer system for the Lander Vehicle. The computer requirements
are expected to differ substantially between the Lander and the Orbiting vehicles and
as a result considerable inefficiency is expected with an approach such as this.
The module is an entire computer in this approach and to meet reliability
requirements by adding spares means that relatively large spare modules must be
added. To detect failures to a lower level is difficult with this organization if it is
attempted to make the modules smaller.
5.2.1.2 Multiprocessor 
The main advantages with this organizational approach are flexibility in terms
of expansion to a change in requirements, possibility of withstanding multiple failures,
localization of failures to modules due to full intercommunication providing the ability
to make good use of spare equipment, less down time due to replacement, and a good
match to the requirements.
One of the most important advantages of the Multi Processor is its ability to
expand (or contract) in relatively small increments to meet changes in computational
requirements. For example, in the Manned Mars Mission considered, if in the Mars
orbital phase 350,000 operations per second were required in each of the two
processors, this organization would be able to meet this requirement by adding an extra
Processor module to the system. A Multiple Computer organization would have to
add a complete computer to meet these requirements. This change means more
power and less reliability for the Multiple Computer system, whereas the power and
reliability would only change slightly for the Multi Processor system. Changes of
this type may be required between missions as well as between different classes of
missions such as Mars Landing vs Mars Fly-by. In addition, the requirements for
the Lander vehicle of the manned Mars mission may impose these types of changes in
the requirements. It is obvious from the above that the Multi Processor also has the
capability of providing a relatively close match to the requirements. The relatively
small module size also offers the possibility of turning modules on and off between
mission phases as computational requirements change, with the resultant reliability
gains over a multi-computer or single conventional computers as shown in the
simulations.
Another important feature of the Multiprocessor is that, due to the relatively
smaller size of the modules and increased intercommunication capability, it is
considerably simpler to isolate failures to the module level. This also provides the
ability to withstand certain multiple failures. For example, in a system containing
three memories, two processors, and two I/O modules, it is possible to have any two
memories fail, any one processor and any one I/O unit fail and still construct a
working system. This working system could carry out the critical computations of a
critical mission phase. It can also be seen that after a module fails it may be
replaced while the other module takes over a part of its task. This offers the potential
of having less system downtime and hence increasing computer system availability.
In terms of disadvantages the Multiprocessor has some problems, none of which
are severe. The most significant item is that the number of lines for communication
between the modules increases considerably as the number of modules in the system
increases. This presents some packaging problems and may reduce reliability due
to the extra connections. Another problem is that expansions in terms of modules
are limited and must be anticipated in the design phase. Finally, the software is more
complex than that for the Multi-Computer; however, this increase in complexity is
quite small.
5.2.1.3 Distributed Processor 
The Distributed Processor organization offers the following advantages: a wide
adaptability to changes in computational requirements due to the capability for
expansion in terms of quite small hardware increments, the possibility of "graceful
degradation," a good use of the MOS/SOS technology, and the possibility for high
reliability and low power due to no main memory in the organization.
A very important feature of this organization is its adaptability to changes in
requirements. Additional groups may be added to the organization as required without
any redesign of the system. Likewise groups may be deleted from the system as they
fail; of course all of the computational requirements may not be met as these failed
groups are deleted. However, the reduction in capability may only result in the
elimination of a small portion of the computational task, thereby resulting in "graceful
degradation" due to failures. This organization also makes good use of the technology
in that an entire cell is mechanized on one MOS/SOS chip and it is this use of the
technology which eliminates the need for a main memory, thereby offering significant
gains in power and reliability. It should also be noted that reliability requirements can be
met relatively easily since the module increments are quite small. In addition, these
spare modules will generally be located in the same physical package as the primary
modules and therefore offer the possibility of a completely sealed package in which
failed modules are replaced by electronic switching. This will also have a significant
improvement for system availability since repair time is eliminated. Finally, the
capability of turning modules on and off has a significant gain in reliability, particularly
in light of the very close match to the varying requirements that can be realized.
These advantages are not realized without some problems, some of which are:
relatively more complex software, and expansion capability must be accounted for in
the design. The software is considerably more complex for this organization as
explained in Section IV. Some of the factors contributing to this complexity are the
increased executive functions due to group interactions and control, and the selection
of optimum MACRO's and MICRO's.
5.2.2 Critical Evaluation 
The computer configuration required for each organization was chosen from the
results of Paragraph 5.1.3 to achieve a 0.997 probability of mission success and a
0.997 availability. It should be noted that Ps was weighted as 100 in terms of relative
importance as compared to the other factors weighted below; this resulted in using
Ps as a design criterion due to its heavy weighting. This resulted in the following
configurations:

Multi-Computer
  4 Computers (25,000 hr MTBF) (2 spare computers over those actually required)
Multiprocessor
  3 I/O Modules (208,000 hr MTBF)
  3 Processor Modules (89,500 hr MTBF)
  6 Memory Modules (62,500 hr MTBF)
  (1 spare I/O and processor and 2 spare memory modules over those actually required)
Distributed Processor
  27 Groups (3 spare groups over those actually required)

Some of the organizations actually have a probability of success greater than
that required and this could also be added in to the evaluation; however, all that was
considered here was that the reliability requirements were satisfied.
The actual criteria of importance for the Manned Mars mission which were used
to measure the utility or effectiveness of the various computer organizations are given
below along with their relative importance or ranking.

1. Power               10
2. Volume               1
3. Weight               1
4. Cost                 1
5. Development Risk     1
6. Growth Potential     4

The first four objectives of the system are self-explanatory; in general, it is
desired to minimize them. Development Risk is defined as the probability of meeting
the development schedule with a fixed design and within a stated budget. This is a
factor to consider when choosing among subsystems with advanced state-of-the-art
concepts or hardware, or with complex hardware.
Growth potential is also an important objective, since it is not always possible
in advance to predict new or improved sensors. In addition, this potential tends to
offset development risk, since it allows the possibility of alternate development
schemes. This was defined as the expected modification costs for adding additional
hardware to the system.
Using mathematical evaluation techniques, the three candidates were evaluated.
The techniques and the actual mathematical evaluation are contained in detail in
Reference 17; only a summary will be given here.
The characteristics of the candidates used in the evaluation included: Power,
Volume, Weight, Cost, Development Risk, Growth Potential, and Flexibility. These
characteristics were related through a matrix to the system objectives. When
numerical values are inserted in the matrix, an expression for the incremental value
or worth of a candidate is obtained. The results were:

Distributed Processor: $\Delta V$ = +0.0366
Multi-Processor:       $\Delta V$ = -0.0027
Multi-Computer:        $\Delta V$ = -0.0326

$\Delta V$ is the incremental increase in value of the actual candidate compared to the
average candidate.
It is thus seen that the distributed processor candidate has the greatest positive
$\Delta V$. The actual numerical values used in the matrix were in anticipation of
technology for 1980 time period missions. For current technology the multi-processor would
result in the greatest $\Delta V$, since the risk and cost associated with the distributed
processor would be very high. After reviewing the values used in the evaluation, it
was decided to be more conservative and question the distributed processor technology
availability for these missions. Therefore, the multi-processor candidate was
selected for further study. It was also felt that this technology would undoubtedly be
available for these missions, in addition to being potentially available for earlier
applications.
VI. DETAILED DESIGN OF THE MODULAR MULTIPROCESSOR
ORGANIZATION
The multiprocessor organization was presented and functionally described in
Section IV. A block diagram of the organization is shown in Figure 6-1. The
multiprocessor consists of two processor modules, three memory modules, and three
input/output modules. These modules satisfy the mission computational requirements.
Expandability of one more of each type of module is provided as indicated by the dotted
lines in the figure. The organization features full intercommunication between modules
as described in Section IV (any I/O module may communicate with any memory module
and any processor module may communicate with any memory module). This section
of the report will provide a more explicit specification of the contents and operation
of each module in the system along with a presentation of the system software and fault
and error control methods.
6.1 MODULES
6.1.1 Processor
There are two processors in the system for the Mars Lander Mission although
the capability to expand to three processors is included. The processors operate on
two's complement fixed or floating point operands. They use a 500 nanosecond clock
with four clock times (bit times) per memory cycle, which gives a capability of
250,000 short operations per second. A condensed block diagram of the processor
module is given in Figure 6-2.
The processor features, such as instruction format, index/banking schemes,
etc., were introduced in Section IV and selected on the basis of programming
evaluations discussed in that section. A summary of these features will be given here
prior to introducing the processor details.
The processor instruction word format is shown in Figure 6-3. The first 6 bits
of the instruction are used for the operation code. Operation code extension for
instructions that do not require full addresses gives the facility for many more than
64 instructions. The instruction uses a banking scheme so that it is only necessary
to have an address decrement in the instruction word. The banking scheme will use
full length registers, thereby reducing banking problems.
One bit, I, is used for indirect addressing. The format used for the indirectly
addressed word provides the facility for multiple level indirect addressing and indexing.
Index/banking is accomplished by the B bit and the T bits (3) of the instruction
word. The B bit is used to specify one of two full length registers and the T bits none
or one of seven other full length registers to be used for index/banking. It is important
to note that there is no real distinction between bank registers and index registers since
they are both full length (18 bits). Any of the registers can be added to the address
decrement to generate a full length address, or certain combinations of two registers
can be added together and added to the address decrement to generate a full length
address. A number of advantages with this index/banking scheme were given in
Section IV.
Two upper accumulators are used. Full arithmetic capability is provided
between the accumulators and between the accumulators and the index/bank registers.
Figure 6-1. Multiprocessor Organization
(Blocks: processors rated at 250 K short ops/sec, memory modules M1 through M4 of 12 K
each, bit-parallel connections, sensors.)
Figure 6-2. Processor Block Diagram
(Blocks: storage, program counter, instruction register, adder, index/bank registers,
shift count register, decoding and control, control and status registers, timing.)
Figure 6-3. Instruction Word Format
6.1.1.1 Real Time Clock and Interrupt Features
6.1.1.1.1 Clock
A real time clock as shown in Figure 6-4 will be used in each processor. The
lower 25 bits of this clock are hardware registers, while the upper 18 bits, or more if
desired, are in the memory. The hardware portion is divided into two sections, an
18 bit clock register (RTC) and a 7 bit clock extension register (EXT). The RTC
register can be set and read by processor instructions. Once it is set it will count
down to zero and send out an interrupt. The EXT register cannot be read or set, but
it can be initialized to zero in order to set up precise timing at the beginning of a
computation phase. Unlike the RTC register, this clock and the memory clock count
up.
It should be remembered from discussions in 4.2 of the executive program
scheduler that the real time clock is used to interrupt a processor whenever it is
time to initiate the highest rate periodic program; therefore the chosen approach for
the clock is to set the RTC for the time closest below the highest rate program's
period. When the clock counts down to zero it will interrupt the executive in order to
notify the scheduler that the specified period is up. The executive will then carry out
its tasks and then waste any remaining time until it is precisely time to start the
program (within 2 µs). Just before giving control to the program it will again set the
RTC to the proper period. Note that this method of operation gives the ability to
time a period down to 2 µs (one instruction) even though the least significant bit of the
RTC register has a value greater than 2 µs. This fine a precision on the periodic
program rates is not necessary if it is possible to specify that the chosen rate for a
sensor should be a multiple of 64 µs, for example; however it does give the increased
flexibility of operating with any sensor that may have been set up to operate at almost
any specific rate (a multiple of 2 µs). Therefore, a non-settable clock, although
requiring no executive action for resetting, would not have the full flexibility of the
above clock. The only penalty actually paid for this clock scheme is that one must
in each phase of computation keep track of the time base of the memory real time
clock. This is because it is incremented each period by the executive just prior to
giving control to the highest rate periodic program. This is a small penalty.
Figure 6-4. Real Time Clock (labels: 18 bit mem. RTC, ~51 days maximum value;
18 bit RTC, 16.77 sec maximum value; 7 bit EXT; 0.5 µs)
The time weighting of the RTC register depends on the variation from phase to
phase in the rates of the highest rate programs. This variation has not been
accurately established at this time; however a reasonable estimate for the RTC register is
that shown in Figure 6-4. This weighting was chosen to allow for fairly low frequency
periodic programs, up to 16.77 seconds, while not being forced to waste too much
time in order to handle higher frequency programs. A maximum of 64 µs may have to
be wasted, but the majority of this time is actually well spent in storing the registers
of the interrupted program.
It should also be noted that the RTC interrupt should have a high priority so
that accurate length periods can be maintained. If a long wait occurs after the zero
interrupt, greater than 64 µs, a pulse or two could be missed, causing the period of a
program to drift. This is not tolerable if it continues for any length of time.
Therefore making the RTC of high enough priority that it will be honored within 64 µs
eliminates any problems.
A list of instructions for the RTC register is given below:
1. (set real time clock)   (M) → RTC   4 µs
   *The executive can of course set or reset the memory real time
   clock by normal instructions accessing the memory since it
   keeps track of the memory clock location. (M) is the contents of
   memory location M.
2. E C (read real time clock)   RTC → U
   *This enables reading of the RTC whenever desired. The memory
   RTC can be read by the executive with normal instructions; however
   the RTC Ext is not readable. U is the upper or lower accumulator.
The programmer will also have the ability through the LPR (load processor
registers) instruction to reset the RTC and the RTC extension registers (0 → RTC,
Ext). This will be done at the start of a mission phase when it is desired to
synchronize the real time clock with the I/O and with mission time.
The clock will run continuously while the processor is operating; therefore
starting the clock is not necessary though initializing it (resetting) is necessary. The
interrupt mask register will be able to inhibit the RTC from receiving pulses from the
RTC Ext so that the clock can be ignored or halted whenever desired.
A fill clock will be used with the present executive scheduler since this scheduler
will operate in a more predictable manner if each periodic program is of a fixed length.
Branches within a program may leave some free time at the end of some executions of
the program. Rather than wasting this time by waiting until a fixed time is over, the
executive can check to see how much time is left. If it is over some Δt, a fill clock
can be set with the time left (tl), and background programs can be executed for this
period. The specification of the Δt depends on the amount of time (overhead) necessary
to get into and out of a background program. 128 µs would seem to be a reasonable
Δt, but this number can be varied. The maximum tl necessary depends on the amounts
of time left over by various program branches. It is clearly very difficult to explicitly
specify, but a few milliseconds seems reasonable. If more time is necessary it will
simply be necessary to reset the fill clock for another period. Therefore with a
128 µs Δt, 32 ms should easily provide a sufficiently long tl. This specifies an 8 bit
fill clock that gets its least significant pulse from the RTC extension in the same
manner as the RTC. Note also that 8 bits means that it can be simply loaded from
the decrement of an instruction. The fill clock is set and then counts down to zero
and interrupts the processor. It must also be preserved if an interrupt occurs. There
seems to be no reason to read or halt the fill clock with the present executive structure.
3. SFC, B (set fill clock)   m → FC if B = 0
                             U10-17 → FC if B = 1
   *This provides for a fixed load of the FC from the decrement or
   a load from one of the accumulators following a subtraction and
   comparison. m is the address decrement in the instruction
   word.
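The clock arithmetic described above, worked through as an added C example that is not part of the original report: it splits a program period into an RTC count plus the residual the executive must waste, and splits a free gap into fill clock loads. Reading "closest below" as strictly below the period, the 128 µs fill clock weighting (inferred from the 8 bit and 32 ms figures), and all function and type names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Weightings from the text and Figure 6-4, in microseconds. */
#define RTC_LSB_US  64u                 /* one RTC count = 7 bit EXT x 0.5 us */
#define RTC_MAX     ((1u << 18) - 1u)   /* 18 bit RTC register */
#define FC_LSB_US   128u                /* fill clock weighting (assumed) */
#define FC_MAX      ((1u << 8) - 1u)    /* 8 bit fill clock */
#define DELTA_T_US  128u                /* smallest gap worth filling */
#define STEP_US     2u                  /* one instruction time */

struct period_plan {
    int      valid;      /* 0 when the period cannot be timed this way */
    uint32_t rtc_count;  /* value the executive loads into the RTC */
    uint32_t wait_us;    /* residual wasted after the zero interrupt */
};

/* Split a period into an RTC count plus a software wait of 2..64 us.
   Assumption: "closest below" means strictly below the period, so the
   executive always has a residual in which to store registers. */
struct period_plan plan_period(uint32_t period_us)
{
    struct period_plan p = {0, 0, 0};
    uint32_t count;

    if (period_us % STEP_US != 0)
        return p;                       /* rates are multiples of 2 us */
    if (period_us <= RTC_LSB_US)
        return p;                       /* shorter than one RTC count */
    count = (period_us - 1u) / RTC_LSB_US;
    if (count > RTC_MAX)
        return p;                       /* beyond about 16.77 seconds */
    p.valid = 1;
    p.rtc_count = count;
    p.wait_us = period_us - count * RTC_LSB_US;
    return p;
}

struct fill_plan {
    uint32_t loads;       /* number of times the fill clock is set */
    uint32_t last_count;  /* count used for the final load */
    uint32_t filled_us;   /* background time covered by all loads */
    uint32_t unused_us;   /* remainder left to plain waiting */
};

/* Cover a free gap with fill clock loads; a gap longer than the 8 bit
   capacity is reloaded on each fill clock interrupt. */
struct fill_plan plan_fill(uint32_t gap_us)
{
    struct fill_plan f = {0, 0, 0, gap_us};
    uint32_t counts;

    if (gap_us <= DELTA_T_US)
        return f;                       /* not worth entering background */
    counts = gap_us / FC_LSB_US;
    f.loads = (counts + FC_MAX - 1u) / FC_MAX;
    f.last_count = counts - (f.loads - 1u) * FC_MAX;
    f.filled_us = counts * FC_LSB_US;
    f.unused_us = gap_us - f.filled_us;
    return f;
}

int main(void)
{
    /* Constructed inputs: a 1000 us period and a 70 ms gap. */
    struct period_plan p = plan_period(1000u);
    struct fill_plan f = plan_fill(70000u);

    printf("RTC count %u, wait %u us\n",
           (unsigned)p.rtc_count, (unsigned)p.wait_us);
    printf("%u fill clock loads, last count %u, %u us unused\n",
           (unsigned)f.loads, (unsigned)f.last_count, (unsigned)f.unused_us);
    return 0;
}
```

A period that is an exact multiple of 64 µs yields the full 64 µs residual, which matches the maximum waste the text quotes.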
6.1.1.1.2 Interrupts
There are only three actual processor interrupts presently planned for the
system, a memory interrupt, a real time clock interrupt, and a fill clock interrupt.
The rest of the situations that might generally generate interrupts are handled by a
request processor program that periodically scans an I/O status word in the I/O
units. This approach was chosen since the I/O rates are not high enough to warrant
a more hardware oriented system. The system also includes a two-bit interrupt
mask register so that the real time clock or fill clock interrupts can be masked by
the executive. The I/O unit can also be interrupted, but this situation will be
discussed in 6.1.3 with the I/O unit presentation.
The highest priority interrupt is the RTC zero transition interrupt. On the
occurrence of this signal a flip flop is set, and the executive will be entered after the
present instruction is completed. This signal notifies the executive that it is time to
set up execution of the highest rate periodic program and to update the memory real
time clock.
The second highest priority interrupt is the "no response" interrupt. This
interrupt sets a flip flop in the processor and notifies the executive that the processor
has not received a response from the addressed memory. This will be caused by a
one shot noting a failure of the memory to respond to a request within 14 µs or by a
lockout being on to this processor. Fourteen µs was chosen for the no response failure
time to allow for two other processors to receive two memory cycles apiece (IO instruction)
and three I/O units to receive memory cycles. This is a worst-case situation with the
maximum number of modules in the system. The executive will take over after the interrupt
and check to see what caused the no response condition. If a failure has occurred the failure
status word will be updated if necessary and the appropriate reconfiguration operations
initiated. If a processor is simply correctly locked out of a memory, a new program
will be scheduled.
The third interrupt, of lowest priority, is the fill clock zero transition interrupt.
It notifies the executive that a time gap due to a branch in a program has been filled
with background. The executive will then either call the next periodic program or
will reload the fill clock if the initial time gap was greater than the 32 ms capacity of
the clock. A flip-flop is also set on the occurrence of this interrupt and the executive
will again be entered after the present instruction is completed.
When any of the above interrupts occur, a status word for the interrupted
program must be stored in the memory. The status word will be automatically stored
in four sequential memory locations, regardless of the type of interrupt, specified by
a hard-wired address in each processor and the processor's primary memory register
(a two bit register in each processor specifying which memory module serves as the
primary module for this processor). The contents of the five location status word is
shown below. The use of the specified registers and flip flops will become clear
after reading Paragraph 6.1.1.3.
Location  Contents
1)        P (Program counter)
2)        B1 (Bank register one)
3)        L (Lower accumulator)
4)        T1 (Tagged register one)
5)        Control word: Fill clock | Interrupt | Arithmetic (10 - 13) | Processor (14 - 16)
Explanation of bits in 5)
8-9    01    Fill clock interrupt
       10    No response interrupt
       (Storing the real time clock interrupt is not
       necessary since it has the highest priority)
10-13  0001  G (Greater than)
       0010  L (Less than)
       0100  E (Equal)
       1000  O (Overflow)
14-16  001   FM (Floating Point Mode)
       010   RM (Repeat Mode)
       100   LS (Load Status)
The status words shown here must be picked up by the hardware so that an executive
program will be able to gain control of the processor without losing the status of the
interrupted program. The explicit sequence of operations that occur following an
interrupt are given below. It should be noted that an interrupt may occur at any time;
however, no interrupt action occurs until the present instruction is complete (for
repeat instructions only the present instruction cycle will be completed; no repeat
cycles will be executed).
1. After the present instruction is complete the above status word is stored
   in five consecutive memory locations by the hardware. The initial storage
   location for the status word is specified by the fixed wired address and
   primary memory register. This address is loaded into the program counter
   after it has been transferred to the memory buffer register. The program
   counter is then used to address the memory for five sequential write cycles.
   The five cycles load the above status words.
2. The contents of the sixth location following the wired address is picked up
   and placed in the program counter. This location is used as a jump into
   the appropriate executive routine. Note that a different executive routine
   can be entered for each type interrupt even though all interrupts use the
   same storage locations for the status words. The program counter is
   simply used directly to jump for the real time clock interrupt, it is
   incremented once for the no response interrupt, and it is incremented
   twice for the fill clock interrupt.
3. Each executive interrupt routine that is now entered must first move the
   status words to an appropriate storage area. This is done so that future
   interrupts will not destroy the stored information before the interrupted
   program can be restarted. The executive will then pick up the rest of the
   processor's registers and place them in the same storage area. These
   registers, U1, U2, B2, and T2-T7, are all directly addressable. When all
   the processor's registers have been stored the appropriate interrupt flip
   flop is reset and the executive will begin the tasks associated with the
   interrupt. It should also be noted here that in order to store the complete
   set of registers the executive does not have to alter any of the processor
   registers not automatically loaded into the status word. T1 and B1 are
   simply loaded with bank addresses so that all the other processor registers
   including those in the memory (status word) can be moved directly to any
   area of memory desired.
The sequence of actions that take place if a higher priority interrupt occurs
while a lower priority interrupt is being processed must now be specified. In this
situation the higher priority interrupt takes control of the processor after completion
of the present instruction. If the initial five status words have not all been stored,
the new interrupt completes this process and then jumps to its executive routine. If
these words have been stored, the hardware will use the hardwired address plus five
to pick up the jump for the priority interrupt. The executive then takes over and
begins storing the status word in the normal manner. Note that in the latter case the
existing status word (set up by the earlier interrupt) and processor registers can be
stored since each interrupt executive routine does not change any of these locations
until after it has turned off its interrupt flip-flop. (While the flip-flop is "on" the
executive is only involved in storing the complete status word in an appropriate
storage area.) The above sequence of events means that when the originally
interrupted program is returned to the processor, it will be immediately interrupted by
the lower priority interrupt. This is of course simply the original interrupt trying
again to get processed.
The interrupt process discussed above may take greater than 90 µs to store all
fourteen processor status words in a specified storage area. This would be a worst
case time if both processors were using the same memory (each processor would get
one half the memory cycles) and if each I/O unit was to request a cycle. This
situation is unlikely if the programs are carefully allocated; however it could occur
especially if a third processor were added to the system. This situation would cause
no problems unless a periodic program was waiting for execution. The only time
that this situation exists is when the real time clock interrupt occurs. A little
careful thought as follows will show this to be the case. If a no response interrupt
occurs during a periodic program execution, the system has definitely failed since
a periodic program cannot be locked out of its own primary memory. Therefore the
processor-memory combination will be turned off and the astronauts notified. If
a fill clock interrupt occurs and a periodic program is to be executed next, the
other processors are locked out of this processor's memory since periodic programs
must already be processed. (Remember that the lockout is on any time periodic
programs are being executed or a critical computation phase is taking place.) As a
result the interrupt and executive routines will be handled directly by the memory in
less than 50 µs. In order to limit the storage time when a real time clock interrupt
occurs, the memory lockout is simply set at the time this interrupt occurs. The
storage sequence will then take a fixed length of time to be executed (approximately
46 µs).
The only part of the interrupt process not yet specified is the method of loading
the processor to restart an interrupted program. The addressable registers U1, U2,
B2, and T2-T7 are loaded by instruction. The same basic hardware that was used
to store the five interrupt status words is then used to read B1, L, T1, the control
word, and P from five sequential memory locations. A load status command (LDS)
that loads the program counter with the initial address of the five status words is
used to initiate the above sequence of operations.
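The interrupt entry, pre-emption and LDS restart sequence described above, as an added C model that is not part of the original report. The `level` field that keeps an interrupt from re-entering itself, the control word bit positions (bit 0 taken as most significant), the two-bit code used for the no response interrupt, and all names and addresses are assumptions of this model; the two-bit mask register is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define WORD_MASK 0x3FFFFu      /* 18 bit machine word */
#define IRQ_SHIFT 8u            /* control word bits 8-9, bit 0 = MSB (assumed) */

/* Listed in priority order, highest first, as the text ranks them. */
enum irq { IRQ_RTC, IRQ_NO_RESPONSE, IRQ_FILL, IRQ_NONE };

struct cpu {
    uint32_t P, B1, L, T1, ctl; /* registers the hardware saves by itself */
    int      pending[IRQ_NONE]; /* one flip-flop per interrupt */
    int      level;             /* interrupt in service (model assumption) */
    int      stored;            /* status words already sit at base */
    uint32_t base;              /* hard-wired status word address */
    uint32_t mem[64];
};

/* Constructed machine: status area at 8, executive entries from 040. */
struct cpu make_cpu(void)
{
    struct cpu c = {0};
    c.level = IRQ_NONE;
    c.base = 8;
    c.mem[c.base + 5] = 040;    /* sixth location holds the jump address */
    return c;
}

/* Code recorded in bits 8-9; the RTC interrupt is not recorded. */
static uint32_t irq_code(int q)
{
    return q == IRQ_FILL ? 1u : q == IRQ_NO_RESPONSE ? 2u : 0u;
}

/* Run between instructions. Returns the interrupt taken, or IRQ_NONE. */
int take_interrupt(struct cpu *c)
{
    int q;

    for (q = 0; q < c->level && !c->pending[q]; q++)
        ;
    if (q >= c->level)
        return IRQ_NONE;        /* nothing outranks the current level */
    if (!c->stored) {           /* five sequential write cycles */
        c->mem[c->base + 0] = c->P;
        c->mem[c->base + 1] = c->B1;
        c->mem[c->base + 2] = c->L;
        c->mem[c->base + 3] = c->T1;
        c->mem[c->base + 4] = (c->ctl & ~(3u << IRQ_SHIFT)) |
                              (irq_code(q) << IRQ_SHIFT);
        c->stored = 1;
    }
    c->level = q;
    /* Entry address: +0 for RTC, +1 for no response, +2 for fill clock. */
    c->P = (c->mem[c->base + 5] + (uint32_t)q) & WORD_MASK;
    return q;
}

/* Executive step 3: move the status words to a save area, then reset the
   flip-flop so later interrupts can reuse the hard-wired locations. */
void exec_save_and_reset(struct cpu *c, int q, uint32_t area)
{
    for (uint32_t i = 0; i < 5; i++)
        c->mem[area + i] = c->mem[c->base + i];
    c->pending[q] = 0;
    c->stored = 0;
}

/* LDS: reload B1, L, T1, control word and P from five sequential words. */
void lds(struct cpu *c, uint32_t area)
{
    c->B1  = c->mem[area + 1];
    c->L   = c->mem[area + 2];
    c->T1  = c->mem[area + 3];
    c->ctl = c->mem[area + 4];
    c->P   = c->mem[area + 0];
    c->level = IRQ_NONE;
}

int main(void)
{
    struct cpu c = make_cpu();
    int again;

    c.P = 0200;                           /* constructed interrupted program */
    c.pending[IRQ_FILL] = 1;
    take_interrupt(&c);                   /* fill clock entry */
    c.pending[IRQ_RTC] = 1;               /* RTC arrives during the save */
    take_interrupt(&c);                   /* status already stored: jump only */
    exec_save_and_reset(&c, IRQ_RTC, 20);
    lds(&c, 20);                          /* back to the interrupted program */
    again = take_interrupt(&c);           /* fill clock interrupt tries again */
    printf("retaken interrupt %d, entry %o\n", again, (unsigned)c.P);
    return 0;
}
```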
Program completion interrupts have not been included in the above since jumps
to certain executive routines will be placed at the end of the programs. Internal
failure interrupts from self-check routines or hardware have also not been included
(except for the no response interrupt) since the failure detection studies of Section IV,
4.2 specified that the processor and a memory or I/O unit be turned off after the
detection of any internal error. These failures will also set failure status flip-flops
in the I/O units.
An arithmetic interrupt may be necessary for ground checkout, but it does not
seem to be useful for the operational phases of the mission. Therefore its inclusion
should be investigated along with any ground checkout studies.
A need for external interrupts (this includes any external sources, e.g. console,
vehicle subsystems, etc.) is also not foreseen at this time. The requests and signals
that could be considered interrupts will instead set flip-flops in the I/O units. This
status word in the I/O unit can be set by requests from scientific experiments or from
the astronauts, and by external failure signals from the various system modules. The
status word will be periodically monitored by the executive, and the requests passed
to the request processor program and executed as necessary. As an example of the
above procedure consider what happens when the failure bit of a status word is set
indicating a failure of processor No. 1 and/or memory No. 3. These modules will
first be turned off. The correctly operating processor will detect this failure when
its present round of periodic programs have been completed. It will then make the
highest priority background program the diagnostic program to localize a failure to
a processor or a memory.
6.1.1.2 Instruction Set
This section gives the instruction set selected for the multiprocessor. The set
was chosen from a larger list initially generated and given in Reference 18, the third
quarterly report.
The operation times listed for each instruction assume a 2 µs memory cycle.
This cycle time and its relation to the processor are discussed in Paragraph 6.1.2
on the memory. This discussion points out that the execution times for a number of
instructions could actually be decreased since the desired memory (1 µs access time
and 2 µs cycle time) will probably actually have a 1.5 µs cycle time; however, since
the explicit control unit and control sequences have not been designed yet, only
approximate instruction execution times using a 2 µs memory cycle are given in the
following list.
The following abbreviations are used:
Repeat Mode: RM
Floating Point Mode: FM
Address Decrement: m
Address after banking and/or indexing: M
Contents of addressed memory position: (M)
Replaces: →
Upper Accumulators, Lower Accumulator: U1, U2, L
Accumulators: A
Index/Bank registers, accumulators: R
Memory Buffer Register: MB
Index/Bank Registers specified by T bits: Tn
Index/Bank Registers specified by B bit: BO, B1
Program Counter: P
n position left shift of A: LAn
n position right shift of A: RAn
n position left cycle of A: LA:
n position right cycle of A: RA:
In order to show the primary tasks carried out in each bit time of an instruction,
the instruction and operand cycle of the "add" instruction are given below.
Add (4 µs)
Instruction Cycle
   Bit time 1       P to memory (set up inst. address)
   Bit time 2       memory to MB (processor receives instruction)
   Bit times 3, 4   m + B → MB, MB + Tn → MB (set up operand address); P + 1 → P
Operation Cycle
   Bit time 1       MB to memory (set up operand address)
   Bit time 2       memory to MB (processor receives operand)
   Bit times 3, 4   U + MB → U (addition performed)
It should also be noted that two columns, RM and FM, are included in the
instruction list in order to show which instructions can be executed in the repeat
mode or floating point mode. The instructions not checked in the columns can be
used in the special modes, but they will be executed as shown for the normal mode
of operation. The floating point mode of course uses all double length words.
Operation times for the repeat mode depend on the number of operands to be
processed. For example, for a list of n operands, a repeat mode instruction would
take 2 µs plus n times the execution time for the instruction's operand cycle. The
operation times for floating point instructions are very dependent on the amount of
hardware added to speed the instructions up. Since the requirements for floating
point operations are not explicitly specified, no operation times will be given for the
floating point operations; however, as an example an implementation of a simple
floating point add and multiply operation using the existing multiple registers was
investigated. This add operation takes 25 µs and the multiply 40 µs. These operation
times could easily be decreased by adding additional hardware if future requirements
studies dictate this. The functional operation of both the floating point and repeat
modes is discussed in greater depth in Paragraph 6.1.1.3.
6.1.1.2.1 Arithmetic and Logical Instructions
                                                              RM  FM
1. ADD
   ADU(1)   (M) + U → U   4 µs (2 memory cycles)              X   X
   *Since the memory contents are loaded into the memory buffer register the actual
   add is between the MB and the accumulator. The add operation itself takes 500 ns.
2. ADD - register to register (Op code extension)(2)
   ADR   R1 + R2 → R1   2 µs
   *This instruction and all other register instructions use the register format
   shown below.
Register Instruction Format:
   1:6       7:14                 15:18
   OP Code   Op code extensions   Registers
1:6 - These bits are always the same. They use one of the available
      64 op codes to specify the register class of instructions. The
      explicit instruction is specified by 15:18.
7:14 - Bits 7:10 specify R1 and bits 11:14 specify R2. In instructions
      using only one register, only bits 7:10 are of interest. As
      mentioned earlier R could be any of the Index-bank registers or
      accumulators.
15:18 - These bits specify the register instruction to be executed.
The capability of using the index-bank registers and accumulators in register
operations costs very little in terms of hardware; as a result this full capability
has been included. Note that full register to register operations have been
included even though present evaluations show little need for more flexibility
than register to accumulator operations. However only a minimum of usage is
necessary to warrant the small amount of extra hardware.
(1) Recall that the accumulator bit can make ADU either ADU1 or ADU2.
(2) All instructions labeled "register to register" or "register" will be implemented
by op code extension.
3. and 4. Subtract - same as 1 and 2.                         RM  FM
5. Complement - register
   COR   - R1 → R1
   *Floating Pt. would complement R1 and R2 (if this mode is desired here)
6. Multiply
   E U   (M) x U → U, L   10 µs                               X   X
   *A two bit at a time multiply will be used.
7. Sum of Products Multiply
   10 µs
   *Note that this is a full length sum of products multiply. This is not
   possible with only one accumulator.
8. Multiply - register
   MPR   R1 x R2 → R1, L   8 µs
   *The only restriction is that R1 or R2 do not include L. Placing the
   additional restriction that R1 is U1 or U2 could save some control
   hardware complexity.
9. Square - register
   8 µs
10. Divide
   DIU   U, L ÷ (M) → U quotient, L remainder   14 µs
   *This time is for a straight one bit at a time divide.
X X
X X
11. Divide - register
   DIR   R1, R2 ÷ (MB) → R1 quotient, L remainder   12 µs
   *Adding the restriction that R1 and R2 are only U1, U2, and L would
   simplify the control hardware.
12. And
   ANU   (M) - U → U
13. And - register to register
   ANR   R1 R2 → R1   2 µs
14. and 15. Or - Same forms as And
16. and 17. Exclusive Or - Same forms as And
18. Absolute value - register
Register Transfers
19. Exchange - register to register
   EXR   R1 ↔ R2
20. Transfer - register to register
   TRR   R1 → R2
RM FM
X X
Shifts
The shift instructions use a special format as shown below. It should also be
noted that on all non-cyclic right shifts the sign is spread; whereas non-cyclic
left shifts insert zeros.
   1:6       17:18               12:16         9:11             7:8
   Op Code   Op Code Extension   Shift count   Index Tag - Tn   Register Specification
1:6 - These bits are always the same. They use one of the available
      64 op codes to specify the shift class of instruction. The explicit
      shift instruction is then specified by 17:18.
7:8 - These bits specify the register to be shifted. Note that the index
      registers could also be shifted, but this feature is felt to be of
      little value.
         01  U1
         10  U2
         11  L
9:11 - This gives the index register to be used to index the shift count. The
      index for the shift count is in bits 14:18 of the specified index register.
12:16 - These bits specify the amount to shift the indicated register up to
      a 32 position shift.
17:18 - These bits specify the shift instruction to be executed.
21. Short Right Shift
   SRS   RAn → A
   ( 2 # S + # S
   n-1 (i))
   (same time for all shifts)
   *Note that floating point mode can be used to convert the short shifts to long
   shifts with L as the right hand register.
22. Short Right Cycle
   SRC   RA: → A
23. Short Left Shift
   SLS   LAn → A
RM FM
X
X
X
(1) This number and all shift execution times may be shortened considerably by putting
in hardware for group shifting. The need for this feature should be investigated in
the future.
24. Short Left Cycle
   SLC   LA: → A
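The shift format and the four short shifts above, as an added C example that is not part of the original report: it decodes the fields by the report's bit numbers and applies the stated rule that non-cyclic right shifts spread the sign while non-cyclic left shifts insert zeros. Taking bit 1 as the most significant bit, the 17:18 encoding order (SRS, SRC, SLS, SLC), adding the index to the count modulo 32, the op code value 070, and all names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define WORD_BITS 18
#define WORD_MASK 0x3FFFFu

enum shift_op { SRS, SRC, SLS, SLC };      /* 17:18 encoding order assumed */

struct shift_instr { uint32_t op, reg, tag, count; enum shift_op ext; };
struct regs { uint32_t U1, U2, L, T[8]; }; /* T[0] unused: tag 000 = no index */

/* Extract bits first..last of an 18 bit word using the report's 1-based
   numbering, with bit 1 taken as the most significant bit (assumption). */
static uint32_t field(uint32_t w, int first, int last)
{
    return (w >> (WORD_BITS - last)) & ((1u << (last - first + 1)) - 1u);
}

/* Build a shift instruction word; the inverse of decode_shift. */
uint32_t encode_shift(uint32_t op, uint32_t reg, uint32_t tag,
                      uint32_t count, enum shift_op ext)
{
    return ((op & 077u) << 12) | ((reg & 3u) << 10) | ((tag & 7u) << 7) |
           ((count & 037u) << 2) | ((uint32_t)ext & 3u);
}

struct shift_instr decode_shift(uint32_t w)
{
    struct shift_instr s;
    s.op    = field(w, 1, 6);      /* selects the shift class */
    s.reg   = field(w, 7, 8);      /* 01 U1, 10 U2, 11 L */
    s.tag   = field(w, 9, 11);     /* index register Tn */
    s.count = field(w, 12, 16);    /* shift count */
    s.ext   = (enum shift_op)field(w, 17, 18);
    return s;
}

/* Apply one of the four short shifts to an 18 bit value. */
uint32_t shift18(uint32_t a, enum shift_op op, unsigned n)
{
    uint32_t sign;

    a &= WORD_MASK;
    switch (op) {
    case SRS:                      /* right shift, sign is spread */
        sign = a >> (WORD_BITS - 1);
        if (n >= WORD_BITS)
            return sign ? WORD_MASK : 0u;
        return (a >> n) |
               (sign ? (WORD_MASK << (WORD_BITS - n)) & WORD_MASK : 0u);
    case SLS:                      /* left shift, zeros inserted */
        return n >= WORD_BITS ? 0u : (a << n) & WORD_MASK;
    case SRC:                      /* right cycle */
        n %= WORD_BITS;
        return n ? ((a >> n) | (a << (WORD_BITS - n))) & WORD_MASK : a;
    case SLC:                      /* left cycle */
        n %= WORD_BITS;
        return n ? ((a << n) | (a >> (WORD_BITS - n))) & WORD_MASK : a;
    }
    return a;
}

/* Execute a shift word. Returns 0, or -1 when bits 7:8 hold 00, which the
   report does not assign to a register. */
int exec_shift(struct regs *r, uint32_t w)
{
    struct shift_instr s = decode_shift(w);
    uint32_t *target = s.reg == 1 ? &r->U1 : s.reg == 2 ? &r->U2 :
                       s.reg == 3 ? &r->L : NULL;
    unsigned n = s.count;

    if (target == NULL)
        return -1;
    if (s.tag != 0)                /* index held in bits 14:18 of Tn */
        n = (n + field(r->T[s.tag], 14, 18)) & 037u;  /* 5 bit wrap assumed */
    *target = shift18(*target, s.ext, n);
    return 0;
}

int main(void)
{
    /* Constructed case: U1 = 400001 octal, SRS count 1 indexed by T2 = 2. */
    struct regs r = {0};
    r.U1 = 0400001u;
    r.T[2] = 2u;
    exec_shift(&r, encode_shift(070u, 1u, 2u, 1u, SRS));
    printf("U1 = %06o\n", (unsigned)r.U1);
    return 0;
}
```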
Load and Store
25. Load U
26. Load Address - register
   LDA   M → U
   *This instruction is of value when used for generating indirect addresses.
27. Load B Registers
   LDB, B, Tn   (M) → B   M = Tn + m   4 µs
   *B is either register B1 or B2
28. Load Tagged Registers
   LDT, B, Tn   (M) → Tn   M = B + m
   *Tn is any one of the tagged index-bank registers.
29. Load Immediate
   LDI, B, T   m → B if Tn = 000
               m → Tn if Tn ≠ 000   2 µs
   *This instruction is useful for loading the index-bank registers when they are
   being used for indexing only.
30. Store U
31. Store Zero
RM FM
X
X X
X X
*This instruction is useful in the executive scheduler routine for setting up the
chaining between programs.   X
32. Store Decrement
   STD   4 µs
   *This instruction is useful for changing decrements in instruction words.   X
33. Store B Register
   STB, B, Tn   B → (M)   M = Tn + m   4 µs
34. Store T Register
   STT, B, Tn   Tn → (M)   M = B + m
*This instruction could be made as fast as 4 µs if it is considered useful
enough to add another memory processor interface line; otherwise it will take
6 µs. The 4 µs execution time takes advantage of the 1 µs access of the NDRO
memory. In any case if used frequently this instruction will save time and
storage.   X X
36. Transfer Memory to Memory
   TMM, B, Tn   (M1) → (M2)   6 µs   X
   *B + m gives the address of M1 and Tn gives the address of M2. The
   instruction saves a memory cycle and some storage; however its real value will
   come with use in the repeat mode to transfer blocks of storage.
Control  Operations . 
37. Unconditional Jump 
- J M P M-P 
38. Jump on Minus or Zero U 
JMMU U 5 0 M-P *This  instruction could  be 
included  in the JMC instruc- 
tion 48; however, it is used 
frequently enough to be 
included directly. This of 
course  decreases execu- 
tion time  for  this 
operation. 
_I I”  
2 PS -
39. Jump and Set Index
JSX, Tn         P → Tn
                M + B → P
*This instruction is for subroutine linkage. It must be preceded by a load bank, if
not indirected, in order to set up B with the proper subroutine address. If indirected
relative to B, the proper location of the subroutine can be kept in the working storage
region for this program. This latter approach is the most convenient. Note that the
command also stores the return address in an index-bank register. A JMP instruction
indexed by the same index-bank register will return back to the original program exit
plus the displacement (m). This instruction is convenient if it is desired to have the
calling sequence (subroutine parameter values) in the program bank after the JSX. (For
example the periodic programs may obtain the I/O variables and place them here.) In
this case the loaded index register can also be used by the subroutine to get at the
calling sequence.
40. Jump and Store Return
JAS             P → (M)
                (M+1) → P
*With this instruction the working storage has a place for the return address above
the location that contains the subroutine address. While in the subroutine, the same
bank-index register that is used for working storage reference can be used to get at
the calling sequence in the working storage. The setting up of the subroutine address
in P does not have to be indirected but it is shown this way since it is easiest.
Another approach would use a bank register set up so that Tn would address the
subroutine. The jump would then load this index in the program counter and use B + m
to store the program counter. This method would take only 4 µs, but it would require
setting up Tn first.
41. Decrement and Skip on Tn comparison
JXTC, B, Tn     Tn − 1 → Tn
*The register to be compared is first decremented by one. This instruction is good for
counting down a register that is being used as an index and bank register.
42. Decrement and Skip on B comparison
DSBC, B, Tn     B − 1 → B
                if B ≤ (M)
                then P + 2 → P
                M = Tn + m
4 µs
43. Decrement and Skip on Immediate Index Comparison
DSIXC, B, Tn    if Tn ≠ 000:  Tn − 1 → Tn;  if Tn ≤ m
                if Tn = 000:  B − 1 → B;  if B ≤ m
                P + 2 → P
44. Compare
CMP             U > (M); 1 → G; 0 → E, L
                U = (M); 1 → E; 0 → G, L
                U < (M); 1 → L; 0 → G, E
*This instruction requires the inclusion of G, E, and L flip flops in the processor.
45. Compare Immediate
CMPI            R > m, 1 → G, 0 → E, L
                R = m, 1 → E, 0 → G, L
*The B and Tn bits are decoded so that they will indicate one of U1, U2, L, B, or Tn.
- RM 
X 
46. Compare B Registers
CMB             B > (M); 1 → G, 0 → E, L
                B = (M); 1 → E, 0 → G, L
                B < (M); 1 → L, 0 → G, E
                M = Tn + m
47. Compare Tn Registers
CMT             Tn > (M), 1 → G, 0 → E, L
                Tn = (M), 1 → E, 0 → G, L
                Tn < (M), 1 → L, 0 → G, E
                M = B + m
4 µs
48. Jump on Conditions
JMC, B, Tn      If any condition true then B + m → P
*Tn holds a masking bit for each condition. The conditions can be L, G, E, O
(overflow), or I/BL (I/O busy or locked out). These conditions are held in flip flops
in the processor. The masking Tn bits are "anded" with the respective conditions in
order to determine a jump.
49. Compare and Skip
CAS             U > (M); P + 1 → P
                U = (M); P + 2 → P
                U < (M); P + 3 → P
*This instruction could have been made non-indexable with Tn, and then used the Tn
registers for a branch on the conditions.
50. Compare Absolute Greater and Skip
CAGS            |U| > |(M)|
                then P + 2 → P
*This is a useful instruction for scientific experiment data compression.
51. Compare Tolerance and Skip
CTS             If U + L ≥ (M) ≥ U − L
                then P + 2 → P
*This instruction is useful in status monitoring and data compression.
4 µs
52. Compare-Register
CMR             R1 > R2, 1 → G, 0 → E, L
                R1 = R2, 1 → E, 0 → G, L
                R1 < R2, 1 → L, 0 → G, E
53. Increment Tn Registers
INT, B, Tn      Tn + (M) → Tn
                M = B + m
4 µs
*This instruction is useful for moving up and down lists, and for handling the
addresses in matrix manipulations.
54. Decrement Index-Bank Registers and Skip
DXS, B, Tn      if Tn ≠ 000:  Tn − m → Tn;  Tn ≤ 0, P + 2 → P
                if Tn = 000:  B − m → B;  B ≤ 0, P + 2 → P
55. Decrement and Jump on Tn Greater Than Zero
DJTZ, B, Tn     Tn − 1 → Tn
                Tn > 0, M → P
                M = B + m
56. Decrement and Jump on B Greater Than Zero
                M = Tn + m
57. Execute
EXC             (M) → MB
*This instruction sets up the address of the next instruction in the memory buffer
register. The program counter is not incremented for this instruction. It will then be
incremented and used to continue the normal instruction flow after the instruction
addressed by the execute (unless this instruction is a jump). The execute is then just
a one instruction jump. It should be noted that this is the only instruction that does
not leave the memory buffer empty after its completion; as a result it is
non-interruptible.
58. Repeat
REP             (M) → T7
                M = B + m
*This instruction initiates the repeat mode for the instruction following it. A repeat
flip flop is set and an index-bank register, T7, is loaded with the number of operands
to be processed. This register is counted down to zero and the repeat mode terminated.
T6 is also used to hold the program counter during the execution of the following
command in the repeat mode. A functional description of the repeat mode is given in
the next section.
59. Repeat Immediate
REPI            m → T7
*Same as 58 except for immediate loading of T7.
60. Set Real Time Clock
SRC             (M) → RTC (1)
61. Read Real Time Clock
RRC (register)  RTC → U (1)
2 µs
62. Set Fill Clock
SFC, B          m → FC, B = 0 (1)
                U10-17 → FC, B = 1
(1) See section 6.1.1.1(a) for comments on these instructions.
63. Load Status Address
LDSA            (M) → P
                1 → LS
*This instruction loads the program counter with the initial address of five status
words that will then be automatically loaded into the processor. LS is the load status
flip flop in the processor that is used to start the loading operation. Since the
status word addresses will be picked up from an executive table, there is no need to
indirect this instruction. The instruction operation was explained in paragraph
6.1.1.1(b).
64. Call I/O
CIO             (M) → I/O
                (M+1) → I/O
6 µs
*This instruction is used to send two control words to an I/O unit in order to start
an I/O operation. Bit 17 of the address is set to one in order to specify that the
memory contents should be sent to the I/O unit. The I/O unit number is specified in
the first two bits of the control word. A full explanation of this instruction is given
in paragraph 6.1.3 on I/O.
65. Load Processor Registers - register
LPR             MB7 = 0 then reset all flip flops
                MB7 = 1 then set all flip flops
                MB8, 9 → PMR
                MB10, 11 → IMR
                MB12 → FM
                MB13 → F
                MB14 = 1 then 0 → RTC, RTC EXT
*If the corresponding bits in MB8 to MB13 are one the appropriate flip flops are set
or reset depending on MB7. If the bits are 0, nothing occurs. An explanation of the
flip flops is given in paragraph 6.1.1.3.
66. Load Lock Out - register
LLO             MB7 = 1 then set lockout
                MB7 = 0 then reset lockout
*MB8, 9 give the I/O unit and MB10, 11 give the memory unit to be locked out or
enabled. Upon receipt of the instruction the processor immediately sends a "1" signal
back to the memory on its lockout line. The memory then uses bits 8, 9 in its output
data register to store the I/O unit from which it will receive requests. It also uses
bit 7 to decide on setting or resetting its lockout registers. This operation takes
effect before the next memory cycle. The I/O unit is also sent a signal by the memory
notifying it that only this memory is to be used.
It should be remembered that some of the instructions presented above are register to
register instructions; therefore these are implemented by op code extension. A large
number of these instructions have been included to give added flexibility. Some of the
instructions given above do not require an accumulator specification; therefore, these
can make use of the accumulator bit for further op codes. In addition some instructions
do not require both the accumulator specification and the indirect bit for indirect
purposes; therefore these bits may be used to increase the op codes. (The immediate
instructions are good examples of this.)
A 5 bit op code and an accumulator bit are used for all instructions where it is
possible to use the two accumulators; for the other instructions the op code will be
considered to be 6 bits. (This distinction is only of real importance to the
hardware.) The op code is considered to be 7 bits for instructions that do not use
multiple accumulators or indirect addressing.
Following is a tabulation of the instructions into five columns: (a) those requiring
an accumulator tag, (b) those not requiring an accumulator tag, (c) register to
register instructions (op code extension beyond 6 bits), (d) shift instructions (op
code extension beyond 6 bits), and (e) instructions without indirecting or multiple
accumulators.

6.1.1.2.2 No Indirect Bit, No Accumulator Bit 
LDI, B, Tn 
DSMC, B, Tn 
CMPI 
DXS, B, Tn 
REPI
LDSA 
Six op code bits will be used for the tagged and non-tagged instructions above. This
means that when counting the number of instructions used, the accumulator tagged
instructions should be multiplied by 2. One instruction should be added to designate
register op code extension instructions and one to designate shift instructions. One
half of the no indirect bit instructions should be added since they can use the
indirect bit to distinguish between two instructions. The above is represented by the
following calculations:
Number of Instructions = 2 × (acc. tag instr.) + (no acc. tag instr.) + 2
                         + 1/2 (no ind. bit instr.)
                       = 2 × 19 + 21 + 2 + 3
                       = 64
This is, of course, the number of op codes available from six bits.
6.1.1.3 Functional Description
The past sections have discussed the basic processor features and its operation in the
overall multiprocessor system. This section will give an explicit explanation of the
processor's internal operation. This will include a presentation of registers, timing,
and control.
6.1.1.3.1 Registers
Figure 6-5 shows all the registers in the processor and the majority of the control
flip-flops. (A few additional flip flops may be added instead of gating to aid in the
explicit implementation of the instructions.) There is also, of course, a large amount
of gating that is not shown. However the effects of this gating on the operation of the
processor will be explained. Figure 6-6 gives a better understanding of the processor
operation by presenting some of the connections in the processor. The control
flip-flops in these figures will be discussed in 6.1.1.3.4.
[Figure 6-5. Processor Registers. Blocks shown: input/output gating; adder, logical and
transfer unit (ALTU); operational registers; instruction decoding and control
generation (IDCG); request; hard wired interrupt address; control; timing.]
[Figure 6-6. Processor Registers and Connections]
L - Lower Accumulator: The lower accumulator is used primarily in multiply, divide,
and floating point operations to hold the lower half of a data word; however it can
also be used for hot storage and data manipulation in shift and register operations.
This accumulator, U1, and U2 have a two bit extension onto their eighteen bits in
order to hold the overflow carries which may be generated in the two bit at a time
multiply operation. This extension is not shown on the bank-index registers; but
either the accumulator extension will be time shared for register multiplies or the
extra bits will be added.
U1, U2 - Upper Accumulators: The upper accumulators are the primary arithmetic and
logical registers in single precision operations. They are also used to hold the upper
half of data in floating point operations and to hold and manipulate data in shift and
register operations.
P - Program Counter: This register is used to sequence the flow of control in the
processor. It is not only used to access instructions but also to provide memory
addresses for interrupt status word storage and for the operand cycles of instructions
operating in the repeat mode. It must therefore be connected both to the ALTU and to
the memory interface lines.
MB - Memory Buffer: The memory buffer receives data and instructions from the memory,
sends data and operand addresses to the memory, and holds the divisor in divide
operations and the multiplicand in multiply operations. It also holds one of the
operands in all other arithmetic and logical operations with the memory, and holds the
next instruction address for an "execute" command. In addition to the above tasks,
since the MB receives all instructions it keeps many of these bits for the instruction
decoding and operation. For example, it holds the B bit for address generation, the
register to be shifted in a shift operation, the registers to be operated on in
register operations, and the op code extension for register and shift operations.
B1, B2 - B Index - Bank Registers: These registers hold both index and bank values for
address generation and looping control. They also provide hot storage and take part in
register operations and comparisons with memory contents. One of these two registers
is added to the address decrement for all operand address generation.
T1 to T7 - Tn Index - Bank Registers: These registers have the same functions as the B
registers. The only difference is that operand addresses can be generated without
adding any Tn register to B + m. (Tag 000 specifies no indexing with the Tn
registers.)
ALTU - Adder, Logical, and Transfer Unit: This unit contains all the circuitry for
carrying out arithmetic and logical operations including comparisons. It also provides
for transfers amongst all the registers mentioned above and detection of overflows.
IR - Instruction Register: The instruction register holds the six bit op code
throughout the instruction execution.
TR - Tag Register: The tag register holds the indirect and Tn bits of the
instructions. It is necessary so that m + B can be generated, stored in MB, and then
added to Tn prior to an operand cycle.
SCR - Shift Count Register: This register holds the shift count for shift commands,
for normalizing floating point numbers, and for equalizing operand exponents in
floating point addition and subtraction. It is counted down to zero by one count for
each shift. The register can be loaded from the ALTU in addition to the MB since shift
counts may be indexed prior to being loaded into SCR for execution.
6.1.1.3.2 Timing 
The basic functions of the RTC Ext, RTC, and FC have been described earlier; however,
their operation as depicted in Figure 6-6 will be briefly discussed along with the
operation of the bit time counter (BTC) and mode counter (MC). All the counters in the
system operate from a 500 ns clock. At this time it is not clear if a good small
substitute for a two megacycle crystal will be developed by the 1975 technology time
frame; however, even with a crystal oscillator only a small portion of a MOS/SOS chip
will be necessary for the oscillator circuitry and one shot. The crystal would then
either be mounted on the SOS chip or in a separate small pack. The clock will provide
the basic time unit pulse to the RTC Ext and BTC. These counters in turn count up and
drive the RTC and FC, and the MC respectively. It should be noted from Figure 6-6 that
the operation of both the RTC and FC can be inhibited by control signals from the
interrupt mask register in the control unit. The bit time counter provides the control
unit with four lines, each signifying a separate bit time in the instruction or memory
cycle. The mode counter provides timing for the execution of the longer instructions.
A three bit mode counter is sufficient for the longest single precision instruction
(divide), but as many as five bits may be necessary in order to provide timing for
floating point divide and multiply. This will depend on how much hardware is added to
speed up the floating point operations. The end of this section discusses floating
point in greater depth. A four bit mode counter is shown in Figure 6-5. The bit time
and mode counters are reset to zero by the control unit at the start of an instruction
or operation cycle. This occurs when the processor is accepted by a memory. After this
the counters count up and their values are used by the control unit until the
instruction execution is complete.
6.1.1.3.3 Memory Interface 
The lines on the memory-processor interface are given below.
Component: Processor        Interface: Memory
Output (to memory)
request          *One separate line to each memory - It requests memory cycles.
address/data     *18 bit two-way bus common to all memory modules - It sends addresses
                 to the memory and sends and receives data.
read/write       *Bit 18 of the address/data bus - This line is available for
                 read/write designation since the memory address sent over the lines
                 is only 14 bits (each module contains 12K words).
lockout          *One separate line to each memory - This line is sent by a LLO
                 command to notify the memory to look at bits 7 to 9 in its data
                 register for lockout information.
lockout direct   *One separate line to each memory - This line is sent on the
                 occurrence of a real time clock interrupt to notify the memory to
                 lock out all other processors.
power off        *One common line to all memories - This line used to turn off all
                 lockouts by this processor after it has failed or has been turned off
                 by the astronauts.
                 *Bit 17 of the address on the address/data bus - This line notifies a
                 requested memory that the data word for the present processor memory
                 cycle should be sent to an I/O unit.
Input (from memory)
busy             *One separate line to each processor from each memory - It is used to
                 notify a processor of acceptance of a request.
lockout          *One separate line to each processor from each memory - It notifies a
                 processor if this processor is locked out of any memories.
data             *The same common 18 bit bus listed under output.
I/O busy or locked out  *One separate line to each processor - It notifies the
                 processor that the called I/O unit is busy or locked.
The timing of a memory cycle is given below and shown in Figure 6-7.
1. The processor sends a request to a memory (0 to 1 transition occurs on the request
line) and at the same time it places the memory address and read/write request on the
address/data lines.
2. The memory module contains a simple round robin type of scanner for sequentially
selecting and granting processor and I/O requests for memory cycles. After the memory
scanner picks up the address from the bus and sends the processor a not busy signal
(0 to 1 transition occurs on the busy line), the memory uses the next 500 ns to
address the specified memory position and to load its data register if a read is
required.
3. The processor uses the 0 to 1 transition of the busy signal to start its bit time
counter and prepare to read or write. For a read cycle the processor memory buffer is
loaded during bit time two by the 1 to 0 transition of the memory busy signal. The
only requirement is that this load must be complete 1 µs after the memory accepts the
processor request. For a write cycle, the processor loads its memory buffer register
and bus to the memory with the data. It then turns off its request signal upon the
0 to 1 transition of the memory busy line (this will occur approximately IIIO ns after
the memory busy signal). The 1 to 0 transition of the request signal causes the memory
to load its data register with the information on the common bus. The write may
therefore be accomplished in approximately 650 ns.
[Figure 6-7. Memory Cycle Timing. Signals shown: request line to memory; memory
address on address/data bus; read/write request; memory busy line (0 to 1 transition
signifies memory has granted processor a cycle and accepted the memory address: 50 ns
if the processor immediately gets the memory cycle, up to 14 µs if the processor must
wait for all other modules to get a cycle); memory addresses specified position;
memory data register is loaded if this is a read cycle; load memory buffer with data
on memory bus for a read cycle; load memory buffer with data to output to memory bus
for a write cycle.]
6.1.1.3.4 Control 
The control section of the processor receives a number of lines from the memory and
from various parts of the processor which it then uses to set control flip-flops or to
generate sequences of control signals that get sent throughout the processor and back
to the memory. This operation is depicted in Figure 6-6 and will be functionally
described here.
The flip-flops greater than (G), less than (L), and equal (E) represent conditions
generated from a comparison carried out in the ALTU. After the comparison, these
flip-flops are set or reset by the ALTU as appropriate. The control unit then uses
these flip-flops to control future processor actions during a JMC (jump on conditions)
instruction. The overflow (O) flip flop is set or reset by the ALTU after arithmetic
overflows. It can then be used to cause a jump during execution of a JMC. It is also
used in floating point operations to signify the need for the hardware to normalize.
The I/O busy or locked out (I/O BL) flip flop is set or reset by a signal from the
memory (the I/O sends the signal to the memory first) during a CIO (Call I/O)
instruction. It notifies the processor that the I/O unit requested is busy or locked
out from the requesting memory; as a result a CIO command should generally be followed
by a JMC instruction to check the I/O BL flip-flop. If an I/O unit is not available,
the processor control can then jump to the executive so that a new program can be
scheduled.
After an interrupt occurs, the control unit generates a store status sequence to store
five words in memory. As soon as the present instruction is completed, the appropriate
flip flop, RTCI (real time clock interrupt), FCI (fill clock interrupt), or NRI (no
response interrupt) is set. These flip flops are set respectively by the RTC zero
interrupt, the FC zero interrupt, or the request timer "one shot" and gating. (This
latter hardware checks to see if the processor is requesting a memory cycle from a
memory it is locked out of, or if the processor has not been granted a request for
greater than 14 µs.) The control unit then executes the interrupt sequence given in
paragraph 6.1.1.1. As also mentioned in this section the IMR (interrupt mask register)
can be used to inhibit the RTC and FC so that these interrupts will not occur. This
section also mentions that the load status flip-flop (LS) is set by the LDSA command
in order to reinitialize an interrupted program.
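
The round robin scanner, the lockout set by LLO or the lockout direct line, and the request timer behind the NRI can be exercised together in a small model. The following Python sketch is an added example, not part of the report; the class, function and port names are hypothetical, and the rules that the first lockout wins and that only the locking processor can reset it are assumptions.

```python
CYCLE_US = 2        # memory read/write cycle time given in the report
NRI_LIMIT_US = 14   # a request waiting longer than this raises NRI


class MemoryModule:
    """One memory module: round-robin request scanner plus lockout state."""

    def __init__(self, ports):
        self.ports = list(ports)    # scan order of processor and I/O request lines
        self.scan = 0               # index the scanner examines first
        self.locked_to = None       # processor holding the lockout, if any
        self.io_unit = None         # I/O unit still served during a lockout
        self.responding = True      # False models a failed module

    def lockout(self, processor, set_bit, io_unit=None):
        """LLO with bit 7 = set_bit, or the lockout-direct line."""
        if set_bit:
            if self.locked_to is None:          # assumption: first lockout wins
                self.locked_to, self.io_unit = processor, io_unit
        elif self.locked_to == processor:       # assumption: only the owner resets
            self.locked_to = self.io_unit = None

    def power_off(self, processor):
        """Power-off line: release lockouts held by a failed processor."""
        self.lockout(processor, 0)

    def permits(self, port):
        return self.locked_to is None or port in (self.locked_to, self.io_unit)

    def grant(self, requesting):
        """One scanner pass: grant a cycle to at most one permitted requester."""
        if not self.responding:
            return None
        count = len(self.ports)
        for step in range(count):
            port = self.ports[(self.scan + step) % count]
            if port in requesting and self.permits(port):
                self.scan = (self.scan + step + 1) % count
                return port
        return None


def simulate(mem, requesters, events=None, horizon_us=40):
    """Each processor in `requesters` wants one cycle, all requested at t = 0.

    Returns (grants, nri): the grant time per port, and (time, reason) for each
    processor whose request timer or lockout gating raised NRI instead.
    """
    events = events or {}
    waiting = set(requesters)
    grants, nri = {}, {}
    for t in range(0, horizon_us + 1, CYCLE_US):
        if t in events:
            events[t](mem)                      # e.g. an LLO issued at time t
        for port in sorted(waiting):
            if not mem.permits(port):
                nri[port] = (t, "locked out")
            elif t > NRI_LIMIT_US:
                nri[port] = (t, "no grant")
        waiting -= set(nri)
        winner = mem.grant(waiting)
        if winner is not None:
            grants[winner] = t
            waiting.discard(winner)
        if not waiting:
            break
    return grants, nri


def demo():
    eight = [f"P{i}" for i in range(1, 9)]      # constructed port names
    fair, _ = simulate(MemoryModule(eight), eight)
    locked = simulate(MemoryModule(["P1", "P2", "P3"]), ["P1", "P2", "P3"],
                      events={0: lambda m: m.lockout("P2", 1)})
    dead = MemoryModule(["P1"])
    dead.responding = False
    return fair, locked, simulate(dead, ["P1"])
```

With eight constructed requesters the last one is granted after exactly 14 µs and no interrupt is raised; a ninth requester, a locked-out processor, or a module that never answers each end in NRI.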
The Bite timing circuitry and output switch flip-flop (OS) are used to check failures
of the processor and to switch control of critical outputs to another processor. These
functions were discussed in paragraph 4.2.2.2.
The failure flip flop (F) is set by the checking hardware or by a software self check
routine using the LPR command. This flip flop sends the processor status to the I/O
units and also causes the processor to turn off. The I/O units have a failure status
word for the status of all modules. This is discussed again in paragraph 6.1.3.
The section of the control unit labeled instruction decoding and control generation
(IDCG) has the task of sending out sequences of control signals. These sequences are
generated by decoding and combining all input control flip-flop lines, memory signals,
timing information, and MB, IR, TR, and SCR register contents. The purpose of most of
the control lines into and out of the IDCG section can be understood from the earlier
register and memory interface explanations. For example, the memory buffer register
sends bit positions seven to eighteen to the control section in order to provide the B
bit, R1 and R2 for register operations, R1 for shift operations and op code extension
for both register and shift operations. The control section then uses these lines
along with others, such as the op code from IR, to generate control sequences to
implement a given instruction. Some of the lines providing control signals to the
processor registers are shown in Figure 6-6 coming out of the right side of the IDCG.
For example, these lines go to the ALTU to initiate transfer or arithmetic operations,
etc., to the P, B, and T registers to increment or decrement by one, or to the
accumulators to cause shifts.
The repeat mode operation was explained in paragraph 4.2.1.2; however, the repeat mode
instruction cycle timing will be shown here in order to offer a deeper understanding
of the operation of the mode. It is initiated by the REP command setting the RM flip
flop and loading T7 with the number of operands to be processed. The program counter
of the instruction to be processed in the repeat mode is saved in T6, and this counter
is then used to address the memory for all repeat mode operand cycles. The cycles of
course continue until T7 has been counted down to zero. The above operation is
demonstrated by the following timing diagram of the REP instruction and the "add"
instruction in the repeat mode.
Instruction Cycle - REP (4 µs)
    Bit time 1:     P to Memory (address inst)
    Bit time 2:     Memory to MB (receive inst)
    Bit time 3:     m + B → MB
    Bit time 4:     P + 1 → P
    Bit times 3-4:  1 → RM
Operation Cycle - REP (4 µs)
    Bit time 1:     MB to Memory (address operand)
    Bit time 2:     Memory to MB (receive operand)
    Bit times 3-4:  MB → T7
Instruction Cycle - ADD (2+2n µs)
    Bit time 1:     P to Memory (address inst)
    Bit time 2:     Memory to MB (receive inst)
    Bit time 3:     m + B → MB;  P → T6
    Bit time 4:     MB + Tn → MB;  MB → P
Operation Cycle - ADD (2+2n µs)
    Bit time 1:     P to Memory (address operand)
    Bit time 2:     Memory to MB (receive operand)
    Bit time 3:     U + MB → U;  T7 − 1 → T7;  P + 1 → P
    Bit time 4:     T7 ≠ 0 then continue;  T7 = 0 then 0 → RM, T6 → P
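
The register transfers in the timing diagram can be followed in a short register-level model. This Python sketch is an added example, not code from the report; the class and function names and the sample memory are constructed, the two guards (count of at least one, operand block inside memory) belong to the model only, and treating the adder as unsigned with carry-out setting O is an assumption. The diagram does not show how P advances past the repeated instruction, so the model stops at T6 → P.

```python
WORD_MASK = (1 << 18) - 1    # 18-bit words, as in the report

# Constructed sample memory: operand count at 10, four operands at 20..23.
SAMPLE = [0] * 32
SAMPLE[10] = 4
SAMPLE[20:24] = [5, 7, 11, 13]


class Processor:
    """Only the registers the repeat mode touches: U, P, T6, T7, RM, O."""

    def __init__(self, memory):
        self.mem = list(memory)
        self.U = self.P = self.T6 = self.T7 = 0
        self.RM = 0             # repeat mode flip flop
        self.O = 0              # overflow flip flop
        self.elapsed_us = 0

    def rep(self, count_address):
        """REP: (M) -> T7, 1 -> RM, P + 1 -> P; 4 us."""
        count = self.mem[count_address]
        if count < 1:
            # Model guard: in the diagram T7 is decremented before it is
            # tested, so a count of zero would not stop after zero operands.
            raise ValueError("repeat count must be at least 1")
        self.T7 = count
        self.RM = 1
        self.P += 1
        self.elapsed_us += 4

    def add_repeated(self, first_operand):
        """ADD while RM = 1; first_operand is the effective address m + B + Tn."""
        if not self.RM:
            raise RuntimeError("REP must precede the repeated instruction")
        # Model guard: P walks T7 consecutive words, so check the whole block.
        if first_operand < 0 or first_operand + self.T7 > len(self.mem):
            raise IndexError("operand block runs past the end of memory")
        # Instruction cycle (2 us): P -> T6, effective address -> P.
        self.T6 = self.P
        self.P = first_operand
        self.elapsed_us += 2
        while self.RM:
            # Operation cycle (2 us per operand).
            total = self.U + self.mem[self.P]
            if total > WORD_MASK:       # assumption: unsigned carry-out sets O
                self.O = 1
            self.U = total & WORD_MASK
            self.T7 -= 1
            self.P += 1
            self.elapsed_us += 2
            if self.T7 == 0:
                self.RM = 0
                self.P = self.T6
        return self.U


def sum_block(memory, count_address, first_operand, rep_address=0):
    """Run REP followed by a repeated ADD and return the processor state."""
    cpu = Processor(memory)
    cpu.P = rep_address
    cpu.rep(count_address)
    cpu.add_repeated(first_operand)
    return cpu
```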
Floating point operations are only briefly discussed in this report since the
conclusion to definitely include a floating point mode cannot be made without a much
deeper investigation of the applicable requirements; however, they have been briefly
investigated in order to offer an understanding of their possible operation and
implementation in this multiprocessor system. This mode can be implemented with the
same set of processor registers as defined earlier. The only necessary additions are a
good amount of control hardware and the ability to mask operations on the mantissa (30
bits) from affecting the exponent, and conversely. This can be fairly simply
accomplished by hardware additions in the ALTU and at the registers. For example,
during part of an operation only the mantissas could be allowed to go to the ALTU
(zeros can be automatically substituted for the exponent bits). At the conclusion of
such an operation of course the exponent bits (zeros) would not be loaded back into a
register. In fact the addition of a masked mode of operation would make some of the
additional hardware useful for both the masked and floating point modes. The sequence
of primary hardware operations for a floating point add is given below.
1. Subtract exponents 
2. Store the difference in SCR (shift counter) 
3. Normalize the smallest operand with the count. 
4. Save the exponent 
5. 30 bit precision add of the mantissas 
6. Normalize the result if overflow occurs 
7. Store answer with exponent 
This operation would take approximately 25 µs with the present processor hardware;
however, if the requirements show it to be worthwhile, this operation could be
substantially speeded up. For example the memory buffer could be made double length in
order to hold both parts of the mantissa for the add, the adder could be made double
length, and group shifting could be added to speed the normalization. These same
innovations would also substantially increase the speed of floating point subtract and
multiply while making the hardware implementation of floating point divide practical.
It would probably also prove worthwhile to make a number of single precision
operations available in double precision. This could be accomplished by eliminating in
floating point mode some of the single precision operations. These free op codes could
then be used while in floating point mode for useful single precision operations, such
as single precision load, etc.
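
The seven hardware operations listed for a floating point add, with SCR counted down one shift at a time, can be traced as follows. This Python sketch is an added example, not the report's design; the report gives only the 30 bit mantissa, so the operand layout (an integer exponent with a normalized mantissa fraction), the restriction to positive operands and all function names are assumptions.

```python
import math

MANT_BITS = 30                       # mantissa width given in the report
MANT_MAX = (1 << MANT_BITS) - 1


def encode(x):
    """Positive float -> (exponent, 30-bit normalized mantissa)."""
    if x <= 0:
        raise ValueError("this sketch handles positive operands only")
    frac, exp = math.frexp(x)        # x = frac * 2**exp with 0.5 <= frac < 1
    return exp, int(frac * (1 << MANT_BITS))


def decode(operand):
    """(exponent, mantissa) -> float."""
    exp, mant = operand
    return math.ldexp(mant, exp - MANT_BITS)


def fp_add(a, b):
    """Return ((exponent, mantissa), number of single-bit shifts performed)."""
    (exp_a, mant_a), (exp_b, mant_b) = a, b
    diff = exp_a - exp_b             # 1. subtract exponents
    scr = abs(diff)                  # 2. store the difference in SCR
    if diff >= 0:
        exp, large, small = exp_a, mant_a, mant_b
    else:
        exp, large, small = exp_b, mant_b, mant_a
    shifts = 0
    while scr:                       # 3. shift the smaller operand right, one
        small >>= 1                  #    count of SCR per shift; bits shifted
        scr -= 1                     #    out of the mantissa are lost
        shifts += 1
    # 4. the exponent of the larger operand is the one saved in `exp`
    total = large + small            # 5. 30 bit add of the mantissas
    if total > MANT_MAX:             # 6. normalize the result on overflow
        total >>= 1
        exp += 1
        shifts += 1
    return (exp, total), shifts      # 7. store answer with exponent
```

Adding 2^-31 to 1.0 costs 31 single shifts and leaves the result at 1.0, which shows both the precision limit of the 30 bit mantissa and why group shifting shortens the operation.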
In a final  design of the  processor  additional  provisions  will  have to be  made  for 
ground  check out. This  may  even  require  the  addition of a debug  mode  with halt 
instructions etc. Explicit  specification of these  features would be  tied  to development 
of the ground check  out equipment. 
6.1.1.4 Rough Chip Distribution
Section III, 3.1 discussed the circuit densities, connections, and yields for MOS/SOS
technology in the 1973-1975 time frame. The conclusions of this section were that
device densities with reasonable yields including crossovers should be on the order of
5,500 FET's per roughly 150 mils square. This was felt to be relatively conservative
since processing breakthroughs could easily enable chips of approximately the same
densities and four times the area to be produced with good yields. The processor
described in this section requires approximately 330 flip-flops for its
implementation. An approximation for the gates and the drivers (for interface lines)
in the system would give a rough total (including the flip flops) FET or device count
of 11,000. If the processing breakthroughs develop, this processor could easily be
placed on a 250 mil square chip. One feature of the processor that might help to
enhance its implementation on a single chip is the similarity amongst the accumulators
and the bank-index registers. It may be possible to build one or at most two register
types and place spares on the single chip. Discretionary wiring techniques could then
be used to connect the correctly operating registers and thus improve the chip yields.
If the above breakthroughs do not materialize the processor could be placed on two
smaller chips. The distribution amongst chips would be as follows:
Chip One
L, U1, U2, P, MB, B1, B2, T1-T7, ALTU, RTC Ext, RTC, FC, BTC, MC, 500 ns clock.
This would amount to approximately one-half of the devices - 5,500 FET's
Connections to chip - approx. 140
Chip Two
IR, TR, SCR, all control flip-flops, all control gates.
This would also take approximately one-half the devices - 5,500 FET's
Connections to chip - approximately 130
The above distribution of hardware requires 150 lead packages for the chips. This is
much more sophisticated than today's 40 lead packs; but as pointed out in 3.1, these
packages should be available. The above organization offers an additional advantage of
being able to use a microprogrammed control unit so that simply changing "chip two"
changes the instruction set and operation of the processor. Chip one could then be
standardized for a number of diverse missions that may require different instruction
sets. Another approach to the distribution of processor hardware would be to simplify
"chip two" by placing some of the control generation hardware in "chip one". This
would of course increase the FET density in "chip one", but it would also provide a
sizable reduction in inter-chip connections. The final decision on hardware
distribution must wait for the final design stages when the technology base is
precisely known.
6.1.2 Memory 
Both magnetic and semiconductor memories have been studied for the multiprocessor main
memory. The magnetic studies first looked at today's DRO core memories and NDRO plated
wire memories as examples of the state of the art. A batch fabricated NDRO multiword
memory was then chosen as the preferred magnetic memory approach for the 1973-1975
time frame. The semiconductor memory studies investigated an NDRO MOS/SOS coincident
select memory organization. Both this system and the magnetic system are shown to meet
all the system requirements while offering relatively little risk in being able to
meet the reliability goals of the Manned Mars Mission in 1980. The MOS/SOS memory is
shown to dissipate less power than the magnetic memory, but it will probably also
offer slightly greater development risks. As can be seen from the above, neither
system has the decided advantage; as a result a choice between the two cannot now be
made. Both systems should be developed and investigated in much greater detail in
order to be able to choose the most desirable approach.
6.1.2.1 LSI Semiconductor Memory 
6.1.2.1.1 Introduction
This section describes a solid state memory candidate for the main multiprocessor
memory. It should be remembered that there are one to four memory modules
(3 for the mission considered) with the following characteristics:

No. of words              12,000 (Variable Storage)
Bits per word             18
Read/write cycle time     2 µs
MTBF                      62,500 hours
Failure rate goal         1.6% per 1000 hrs.

The above MTBF and failure rate goals were obtained from the Monte Carlo
simulations described in Section V.
The design of the solid state memory is based on projected production technologies
in the 1973-1975 time period. As for the processor modules, MOS/SOS
technology has been chosen as representative.
When the reliability and performance requirements of the multiprocessor
memory are translated to hardware requirements for the semiconductor main
memory, three very important features become apparent.
1. Large Scale Integration via Batch Fabrication is essential for attaining
reliability and performance objectives.
2. One or more standby power sources are needed for volatility circumvention
for a read/write semiconductor memory.
3. The use of memory circuits which have extremely low standby power
dissipation is very desirable in order to achieve: (a) LSI with low operating
temperatures and, consequently, enhanced reliability; and (b) volatility
circumvention by means of one or more small standby power sources.
These three reasons make the use of complementary MOS field effect transistors
mandatory for achieving a read/write memory cell with extremely low standby power.
A comparison of the approximate standby power for a bipolar transistor memory cell
and a MOS field effect transistor memory cell illustrates the problem.

Item                              Complementary MOS    Complementary Bipolar
                                  Memory Cell          Memory Cell
Standby current* per cell         2 nA                 0.2 mA
Number of cells per array         4,096                4,096
Standby current* per array        8 µA                 800 mA
Number of arrays per module       54                   54
Standby current* per module       0.432 mA             43.2 A
Standby current* for 3 modules    1.29 mA              129 A

*nominal value at 25°C

Both of the memory cells in the above example are inherently volatile. However,
due to the extremely low standby current of the complementary MOS memory
cell, and the availability of high reliability rechargeable secondary batteries, i.e.,
hermetically sealed Nickel Cadmium batteries designed for space applications, it is
practical to use one or more standby power supplies for volatility circumvention.
In the case of the complementary bipolar memory cell, the standby power supply
current is so large that volatility circumvention is very difficult to achieve. Very
large and heavy standby batteries would be required for volatility circumvention for a
few hours. This latter problem may be solved by a number of separate well isolated
power lines from the redundant primary spacecraft power supplies; however, a
relatively large amount of power would be drawn from these batteries by the bipolar cells.
One other principal factor must be considered in choosing between MOS field
effect transistors and bipolar transistors as a memory circuit element. This is
demonstrated reliability. A choice for 1967 is easy - bipolar transistor. However,
a choice for 1973-1975 must be made. This allows 6 to 8 years for the MOS production
technology to become mature and for reliability data to become available. The
basic problem with MOS field effect transistors has been silicon surface instabilities.
Many improvements were made from 1964 to 1967. Stable P-channel MOS transistors
are being made in 1967 by several manufacturers. Obtaining stable N-channel
enhancement mode MOS transistors has been more difficult. However, at the 1966
International Electron Device Meeting, Signetics and Westinghouse reported successful
fabrication of monolithic complementary MOS transistors. In a paper entitled
"Monolithic MOS Complementary Pairs" by K. K. Yagura, G. M. Catlin and J. D.
Hutchensen of Signetics Corporation, it was said that "In recent years, stable,
discrete N-MOST's and P-MOST's have been produced and marketed, but it has
generally been found that the fabrication of the two devices on the same substrate led
to incompatible processing steps. The major problems in process compatibility have
now been solved and stable complementary MOS pairs are being produced which show
excellent potential for use in high speed, low power integrated circuits." Signetics
reported that a life test of 800 hours at 125°C resulted in less than 50 mV drift in either
P-MOST or N-MOST (threshold voltage).
Westinghouse presented a paper entitled "Integrated Complementary MOS
Circuits" by J. C. Tsai, H. W. Van Beek, C. C. Roe and F. Schliesing where they
reported "Life test data shows that both type MOS transistors were stable after
temperature bias tests at 150°C for a few thousand hours."
Autonetics has successfully fabricated both N-channel and P-channel MOS
transistors utilizing Silicon-on-Sapphire. This technology appears to offer the
possibility for at least as good if not greater reliability than bulk MOS technology.
Various circuit functions fabricated at Autonetics out of bulk MOS technology have
logged a substantial number of hours. These hours have been on bulk MOS wafers in
demonstration equipment and on life test. Only a very few failures have occurred; as
a result this limited information has shown a failure rate between 2% and 4% per 1000
hours. These rates should go down substantially as more data is accumulated since
the portion of equipment made from newer devices has shown no failures to date.
These rates should also be substantially reduced as life test results are fed back to
the processing labs in an attempt to improve reliability.
The work done by the above three companies shows the interest in complementary
MOS circuits. This interest will provide the incentive for developing a mature
production process for LSI complementary MOS circuits in the next few years. The
fact that stable P-channel and N-channel MOS transistors are being made in the
laboratory today shows that the reliability problems which have beset MOS field effect
transistors in the past are being solved. Six to eight years should be more than
sufficient for maturing the batch fabrication techniques to make LSI complementary
MOS arrays.
6.1.2.1.2 Organizational Considerations 
The organization of the memory has been chosen to enhance the reliability of
the system. This is done by minimizing the number of external connections in the
memory system and the number of leads on each array of cells by using coincident
selection rather than a linear selection technique. For an example, the number of
leads on an array utilizing coincident selection will be compared to those on an array
utilizing linear selection. For convenience, assume the array contains a matrix of
60 by 72 memory cells with the appropriate decoding and output circuits included in
the array (1). Assume that the array is to be used in a 4,320 word 18 bit memory.
(This example is of course for a memory slightly more than a third of the size needed
for the multiprocessor main memory.)

Item                          Coincident      Linear
                              Select Array    Select Array
Input leads for addressing    13              6
Input lead for control        2               2
Power supply                  2               2
Input lead for data           1               18
Output leads for data         1               18
Total per array               19              46

For this example, 18 arrays are required in either case to make a 4,320 word
18 bit memory. Note that the coincident select array is organized as 4,320 words of
one bit whereas the linear select array is organized as 240 words of 18 bits. This
is a decided advantage for the coincident select system because no additional logic
gating is needed at the array outputs. There are only 18 output leads from the 18
coincident select arrays and each lead provides one bit of the 4,320 words. In the
case of the linear select system, there are 18 arrays each having 18 output leads,
making a total of 324 output leads. Since a selected word could come from any one
of the 18 arrays, an 18 input "or" logic gate is needed for each of the 18 bits in the
word. Because these "or" logic gates have so many leads, it may not be practical
to integrate them in one or two packages. Using 9 packages each with two 18 input
gates and 40 external leads would be reasonable for a rough comparison here although
improved future packaging methods may make many more than 40 leads per wafer
practical. The resulting comparison of the two systems in the example is shown in
the following table:

Item                                 Coincident       Linear
                                     Select System    Select System
Number of LSI memory arrays          18               18
Number of LSI logic arrays           none             9
Number of leads per memory array     19               46
Number of leads per logic array      -                40
Total number of leads                342              1,188
Total number of arrays               18               27

(1) 60 by 72 is convenient for a linear select organization since it allows an even
number of 18 bit words to be fit into an array.

Many small differences between the two systems have not been included, but
they should not change the results shown above very much.
For the reasons outlined above, a coincident selection technique is recommended
for the 12K-18 bit multiprocessor semiconductor memory modules.
6.1.2.1.3 Explicit Memory Organization
Starting with the basic memory cell, a description will be given of a cell, an
array, a module subassembly, and finally a memory module. Figure 6-8 shows the
schematic of a conventional complementary MOS bistable circuit without any
provisions for reading or writing. Referring to the schematic of Figure 6-8, note that
Q1 and Q2 are never both on simultaneously except for a very short transient time
during a change in logic states. Since one of these two MOS transistors is always off
in a standby mode, the only current drawn from the supply voltage is the leakage
current of the "off" transistor. In one logic state, Q1 and Q4 are on, Q2 and Q3 are
off. In the other logic state, Q1 and Q4 are off, Q2 and Q3 are on. There are two
leakage current paths in this basic memory cell, one through Q1 and Q4 and the other
through Q3 and Q4. Addition of read and write circuitry will add at least one more
leakage current path, making a minimum of three per memory cell.
The magnitude of the leakage current in each of the three paths depends upon the
specific processes and type of isolation being used, i.e., silicon-on-sapphire, and the
junction temperature. Specifically, the leakage current depends primarily on the
area of the p-n junction, the lifetime of the minority carriers in the vicinity of the p-n
junctions, and the junction temperature. For MOS transistors fabricated on
silicon-on-sapphire with a 1973-1975 mature process, the estimated nominal leakage current
per memory cell is 0.1 nA at 25°C. A value of 2 nA per cell, at 25°C, is assumed for
all calculations. This is 20 times the estimated value and still leaves total memory
leakage current very small. Because leakage current is approximately
doubled for every 10°C rise in junction temperature, it is recommended that the
ambient temperature of the multiprocessor be maintained at 35°C or less. This is
practical since the power dissipation of a memory module is estimated as only 0.47
watts during continuous operation and 5 milliwatts during standby at 25°C. Keeping
the ambient temperature low should also enhance the reliability of the system.
A block diagram of a possible memory cell design is shown in Figure 6-9 along
with a truth table.

Figure 6-8. Basic Memory Cell Utilizing Complementary MOS Transistors Without
Selection or Readout Provisions (schematic not reproduced)

Figure 6-9 block diagram (not reproduced): coincident select NDRO RS memory cell
with terminals +V, Gnd, Bij (bit output), Sj' (one-set input), Sj'' (zero-set input),
Rj (read command) and Wi (write command).

Rj   Wi   Sj'  Sj''   Function of ij cell
0    0    0    0      Not selected
0    0    0    1      Not selected
0    0    1    0      Not selected
0    0    1    1      Not selected
0    1    0    0      No change
0    1    0    1      Write "0"
0    1    1    0      Write "1"
0    1    1    1      Not allowed
1    0    0    0      Not selected
1    0    0    1      Not selected
1    0    1    0      Not selected
1    0    1    1      Not selected
1    1    0    0      Read
1    1    0    1      Not allowed
1    1    1    0      Not allowed
1    1    1    1      Not allowed

Figure 6-9. Logical Operation of a Coincident Select Memory Cell

The organization of a memory cell array is shown in Figure 6-10. The array has
18 external leads as shown. The physical size of the array would be approximately
1.2 inches by 1.2 inches by 0.05 inches. The matrix of 64 by 64 memory cells would
probably be made by starting with a matrix of 100 by 100 cells, testing the cells to
determine the good/bad cell location pattern and then using discretionary wiring
techniques to connect a 64 x 64 matrix of good cells. Discretionary wiring techniques
will probably be necessary since reasonable yields on a circuit this complex may
be difficult to obtain. All cells, decoding gates, logic gates and output gates would
be made simultaneously with batch fabrication techniques. The array is organized
as 4,096 words of one bit. A 100 x 100 cell wafer was chosen since this is consistent
with the estimates of MOS/SOS device densities for the processors (5,500 FET's per
150 mils square).
Figure 6-11 shows how 18 arrays are connected to make a subassembly containing
4,096 words of 18 bits. Three of these subassemblies are needed to make a module
of 12,000 words, 18 bits. There are 324 interconnections in each subassembly and
52 leads either to or from each subassembly.
The organization of a memory module is shown in Figure 6-12. (Note that if
expandability to three processors and three I/O units is desired, two more Input-
Output units must simply be added.) Four sets of eighteen time-shared data lines
are used from the module to the No. 1 processor, the No. 1 I/O, the No. 2 processor,
and the No. 2 I/O. Only one processor or I/O unit can have access to the
memory module at any one time. There will be 4 control lines from the memory
module to each processor and I/O unit for data transfer control. In order for a unit
to write an 18 bit word into the memory module, the following sequence of events
must occur. The processor or I/O, assume No. 1 processor, must request a
memory cycle from one of the modules. When the module is available, No. 1 processor
takes control and the other units are prevented from having access to the module.
(There is a simple round-robin scanner in each memory module that takes turns
choosing one of the processor or I/O units.) As noted earlier in chapter 6, this
means that periodically a processor or I/O may have to wait as long as 14 µs before
getting access to a memory module. The frequency of waits can, of course, be
minimized by good program placement. After gaining control of the module, a
14 bit address word and a write command are transferred from the No. 1 processor
to the address register in the memory module. This operation is enabled by one
of the two lines from the data transfer control to the input/output module. These
lines enable transmitting or receiving to and from each processor or I/O unit. The
appropriate 4,096 word subassembly is enabled to receive an address by means of
two lines going from the Input Data Control and Address Register to each of the three
subassemblies shown in Figure 6-12 (00-disable subassembly; 01-enable read;
10-enable write). Twelve of the 30 lines going to the three subassemblies transmit
the address of the selected word within the subassembly. The above address setup
operations occur in less than 500 ns. The #1 processor can now transfer the 18 bit
word to be stored in the selected location. As presently shown, the No. 1 processor
transmits the word through the input-output gates, through the input data
control gates, and to the selected location in the subassembly. Eighteen of the
30 lines going to the three subassemblies transmit the data. The No. 1 processor
is required to transmit the data during the full write time which also takes one bit
time of 500 ns. The write cycle time is then less than 1 µs (approximately 650 ns). This
means the second half of the 2 µs memory cycle is spent in standby. The processor
is then able to use the two bit times left in the memory cycle to prepare for the next cycle.

Figure 6-10. Organization of a Coincident Select Memory Cell Array
(Block diagram not reproduced. Labelled elements: data input, read, write and address
enable, 1 line each; logic for generating Sj', Sj'', Rj; row select decoder and address
enable, 64 lines; 64 x 64 cell array; column address, 6 lines; bit output gating and
output driver; data out, 1 line. Diagram note: *These are necessary (instead of one
line) due to capacitance loading.)

Figure 6-11. Connection of 18 Arrays to Form a 4,096 Word, 18 Bit,
Subassembly for a Memory Module
(Block diagram not reproduced. Labelled elements: parallel word input, bit 1 through
bit 18; row select, n = 6 lines*; column select, n = 6 lines*; read; write; array #1
through array #18; parallel word output.)

Figure 6-12. Organization of a 12,000 Word, 18 Bit, Memory Module
(Block diagram not reproduced. Labelled elements: time shared data/address lines,
18 lines, and control lines, 4 lines, to each of #1 processor, #1 I/O, #2 processor and
#2 I/O; input-output; data transfer control; input data control and address register;
three 4,096 word subassemblies, each with 30 lines in, 2 enable lines and 18 lines out;
word output gating, 18 lines.)

To read a word in the memory module, the #1 processor must again gain
control of the module. As for writing, a 14 bit address word and a read command are
transferred to the address register. Since the selected word could be in any of the
three subassemblies, a 3-input "or" gate is required for each of 18 bits in a word.
These gates are shown in Figure 6-12 as Word Output Gating. The selected word is
transferred to the Input-Output block, as shown in Figure 6-12, and is set up on the
data lines to processor No. 1. At the end of bit time two the processor strobes the
word into its memory buffer register. Therefore the read operation occurs in
one µs.
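
The write and read sequences above, together with the Figure 6-9 truth table, can be followed in this added behavioural model (an illustration written for this text, not part of the original report). The row/column and subassembly address splits, the scanner order and all names are assumptions; treating Wi as the row select decoder output follows the labels of Figure 6-10.

```python
# Added illustration: behavioural model of the coincident select memory module.
WORD_BITS, ROWS, COLS = 18, 64, 64
UNITS = ["processor 1", "I/O 1", "processor 2", "I/O 2"]   # assumed scanner order
DISABLE, ENABLE_READ, ENABLE_WRITE = 0b00, 0b01, 0b10      # enable codes from the text


def cell_function(rj, wi, s_one, s_zero):
    """Figure 6-9 truth table for cell ij (inputs Rj, Wi, Sj', Sj'')."""
    if not wi:
        return "not selected"
    if rj:
        return "read" if (s_one, s_zero) == (0, 0) else "not allowed"
    return {(0, 0): "no change", (0, 1): "write 0",
            (1, 0): "write 1", (1, 1): "not allowed"}[(s_one, s_zero)]


class Array:
    """64 x 64 cells organised as 4,096 words of one bit."""

    def __init__(self):
        self.cells = [[0] * COLS for _ in range(ROWS)]

    def cycle(self, addr12, read, write, data_in=0):
        # Assumption: high 6 address bits pick the row, low 6 the column.
        row, col = addr12 >> 6, addr12 & 0x3F
        out = 0
        for i in range(ROWS):
            wi = int(i == row)                      # row select decoder output
            for j in range(COLS):
                hit = j == col                      # column select decoder output
                fn = cell_function(int(hit and read), wi,
                                   int(hit and write and data_in == 1),
                                   int(hit and write and data_in == 0))
                if fn == "not allowed":
                    raise ValueError("read and write asserted together")
                if fn == "read":
                    out = self.cells[i][j]          # non-destructive readout
                elif fn.startswith("write"):
                    self.cells[i][j] = int(fn[-1])
        return out


class Subassembly:
    """18 arrays sharing the select lines: 4,096 words of 18 bits."""

    def __init__(self):
        self.arrays = [Array() for _ in range(WORD_BITS)]

    def cycle(self, enable, addr12, word=0):
        if enable == DISABLE:
            return 0                                # adds nothing at the OR gates
        bits = [a.cycle(addr12, enable == ENABLE_READ, enable == ENABLE_WRITE,
                        (word >> k) & 1) for k, a in enumerate(self.arrays)]
        return sum(b << k for k, b in enumerate(bits))


class MemoryModule:
    """Three subassemblies behind a round-robin scanner."""

    def __init__(self):
        self.subs = [Subassembly() for _ in range(3)]
        self.last = len(UNITS) - 1                  # scanner starts before unit 0
        self.owner = None

    def grant(self, requesting):
        """Give the module to the next requesting unit after the last one served."""
        for step in range(1, len(UNITS) + 1):
            unit = (self.last + step) % len(UNITS)
            if UNITS[unit] in requesting:
                self.last, self.owner = unit, UNITS[unit]
                return self.owner
        self.owner = None
        return None

    def access(self, unit, addr14, command, word=0):
        if unit != self.owner:
            raise PermissionError(f"{unit} does not hold the module")
        # Assumption: top 2 of the 14 address bits pick the subassembly.
        sub, addr12 = addr14 >> 12, addr14 & 0xFFF
        if sub >= len(self.subs):
            raise ValueError("address beyond the three subassemblies")
        outs = [s.cycle(command if k == sub else DISABLE, addr12, word)
                for k, s in enumerate(self.subs)]
        return outs[0] | outs[1] | outs[2]          # word output gating, 3-input OR
```

Every cell in the addressed array evaluates the truth table on each cycle, so the unselected rows and columns visibly fall into the "not selected" and "no change" rows rather than being skipped.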
The estimated number of arrays in a memory module is given in the following
table.

Function                       Number of Arrays    Number of
                               Per Module          External Connections
Input-Output to #1 processor   2 (1) (1)           60
Input-Output to #2 processor   2 (1)               60
Input-Output to #1 I/O         2 (1)               60
Input-Output to #2 I/O         2 (1)               60
Data Transfer Control          1                   30
Input Data Control and         2                   60
Address Register
Subassembly #1                 18                  52 + 324 (2)
Subassembly #2                 18                  52 + 324
Subassembly #3                 18                  52 + 324
Word Output Gating             2                   76
Total                          67                  562 + 962

(1) The number in parenthesis may be more representative of future packaging
methods. In fact the I/O units and data transfer control may well be combined
into one array. This would put no strain on element densities within
the array. If a packaging technique with 100 to 150 connections could be
developed the total number of arrays would drop to 56.
(2) Number of connections internal to a subassembly.

From the above it can be seen that each memory module has an estimate of about
1500 connections external to the array.
6.1.2.1.4 Volatility Circumvention
The suggested power distribution, voltage regulation, and volatility circumvention
for each memory module is shown in Figure 6-13. If a short occurs inside a
module, short circuit protection is needed to prevent this short from causing a
power failure for the other modules. In the case of an input short circuit, the diode
D and transistor Q prevent a reverse power flow through the voltage regulator and a
consequent power failure to one or more modules.
For a standby power source, it is recommended that a hermetically sealed
nickel-cadmium rechargeable battery be used. Assuming a nominal standby current
of 0.5 mA per module, the standby current for the three modules is 1.5 mA at 25°C
and 3 mA at 35°C. A battery having an ampere-hour capacity of 0.45 A.H. could
supply standby operation for 300 hours at 25°C or 150 hours at 35°C. A hermetically
sealed high reliability nickel-cadmium battery electrically similar to a Sonotone
S-101 or an Eveready BH450 would provide the following characteristics:

Initial cell voltage             1.45 volts
Nominal cell voltage             1.25 volts
Endpoint cell voltage            1.10 volts
Nominal ampere-hour capacity     0.45 A.H.
Volume per cell                  0.42 cu. in.
Weight per cell                  0.80 ounces

A battery of eight cells in series would have the following characteristics.

Initial voltage, 8 cells         11.6 volts
Nominal voltage, 8 cells         10.0 volts
Endpoint voltage, 8 cells        8.8 volts
Nominal ampere-hour capacity     0.45 A.H.
Dimensions                       1.2" x 2.4" x 2.4"
Volume                           7 cu. in.
Weight                           8 ounces

Concerning the life expectancy, the "Eveready" Battery Applications and
Engineering Data manual states that "Cycle life of the nickel-cadmium sealed cell
depends upon the way it is used. The factors affecting life expectancy are:
Amount of overcharge
Depth of discharge
Temperature of charge
Temperature of overcharge
Temperature of use
A cell which is discharged through only a fraction of its full capacity on each
cycle will give many more cycles than a cell which is fully discharged each time.
Under conditions of very light or casual service, the expected life is several years."
Concerning trickle charging, the Eveready manual states, "A trickle charge is a
continuous constant current charge given to a battery to maintain it in a fully
charged condition, with no external load connected to it. This may be used for
batteries in storage, or in standby service where their use is in an emergency such
as failure of the normal power supply." This says that the trickle charged standby
batteries in this system should offer high reliability since they are used under optimum
conditions.

Figure 6-13. Memory Module Volatility Circumvention
(Circuit diagram not reproduced. Labelled elements: primary power and standby power,
each also feeding the other modules; alternate standby power, if needed; voltage
regulator with series transistor Q1; output short circuit protection; +V for the memory
module. Diagram note: D1 and Q serve as redundant input short circuit protection.
Q1 is a series regulating transistor in the voltage regulator.)

Gulton Industries, Inc., Metuchen, New Jersey, has published reliability data
on some of their hermetically sealed high reliability batteries designed for space
applications. For their VO-12HS cell, they report 2,017,360 cell-hours of operation
with no failures. This data is from the Orbiting Geophysical Observatory Program
and is accumulated from life tests, cell evaluation tests, battery development and
acceptance tests, spacecraft testing, and battery storage. The data shows a
demonstrated failure rate of less than 0.12% per thousand hours at a 90% confidence level.
This is for a large 12 ampere-hour cell. Based on this data, it is assumed that
8 cells having a 0.45 ampere-hour capacity each will have, in 1973-1975, a failure
rate less than 0.2% per thousand hours at a 90% confidence level.
It should again be noted here that these extra batteries may not even be
necessary if a reliable redundant power supply is employed for the spacecraft. The
same circuitry as shown in Figure 6-13 would be used with totally isolated primary
and standby power lines from the central spacecraft supply.
6.1.2.1.5 Power Calculations
In order to get a feeling for the memory power dissipation a rough estimate
was made of power dissipation during operation. The operating power dissipation
of a memory cell array is estimated as follows:
1. Assume a "1" is to be written in a cell.
2. The greatest supply current will be drawn by the array when the Wi line
and the Sj line are being charged. This is because of their relatively high
capacitance which must be charged.
3. Assume the Wi line has a capacitance of 10 pf, the Sj line has 10 pf, the
supply voltage is 6.0 volts and the voltage rise time is 100 nanoseconds.
4. From these estimates,

   $I_S = C\,\dfrac{V}{t}$ per line
   $\phantom{I_S} = 10\ \text{pf} \times \dfrac{6\ \text{volts}}{100\ \text{nanoseconds}}$
   $\phantom{I_S} = 0.6$ ma per line
   $2 I_S = 1.2$ ma

5. To allow for other switching transient currents, such as decoding and output
gating, assume the 1.2 ma flows continuously for the 1 µs write period
rather than for 100 nanoseconds. This gives a conservative estimate of
7.2 mw per memory cell array. This value will not vary significantly with
ambient temperature.
6. The calculations of power dissipation are made using 10 mw for either a
logic array or a memory cell array.
7. Because each of the memory modules has a supply voltage regulator,
assume the input voltage to the module is 10.0 volts, with a 4 volt drop
across the series regulator. This will increase the power dissipation by
2/3. A relatively high voltage drop is needed across the regulator because,
during standby operations, the battery voltage will drop to the endpoint
voltage of 8.8 volts. The regulator can maintain 6.0 volts output with
8.8 volts to the input of the regulator.
A summary of the operating and standby power dissipation is given in the
table below.

Item      Standby Power        Standby Power        Operating Power
          Dissipation, 25°C    Dissipation, 35°C    Dissipation
Array     80 µW                160 µW               17 mW
Module    5.4 mW               10.7 mW              0.53 W (1)

(1) Referring to Figure 6-12, note that only one of the three subassemblies is
operating at any one time. The other two are on standby. Therefore 31
arrays are dissipating power.

6.1.2.1.6 Reliability Calculations
The failure rate goal for a memory module is 1.6% per thousand hours. For a
3 module memory, the goal is 4.8% per thousand hours, as stated previously. An
estimate of the failure rate goal for an array of 64 by 64 memory cells is determined
below. Note that the LSI arrays for performing the logic functions in a memory
module are included as equivalent to a memory cell array in determining the failure
rate goal of an LSI array.

Item                          Failure Rate   No. Per    Failure Rate   Failure Rate
                              Per Item       Module     Per Module     For 3 Modules
Connections                   0.00001%       1500       0.015%         0.045%
8 cell battery, 0.45 A.H.     0.2%           2/3 (1)    0.13% (1)      0.40% (1)
Power supply circuits         -              1          0.02%          0.06%
LSI logic and memory arrays   0.0213%        67         1.43%          4.29%

(1) This assumes 2 standby power sources for 3 memory modules. Only one
may be required, or the central spacecraft supplies may be used.

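
The standby, power and failure rate figures of Sections 6.1.2.1.4 through 6.1.2.1.6 can be rederived with the short added example below (written for this text, not part of the original report). The constants are the report's own; the function names are illustrative, and applying the 10°C doubling rule at temperatures other than 25°C and 35°C goes beyond the two cases the report works out.

```python
# Added worked example: constants are the report's, function names are illustrative.

def leakage_scale(temp_c, ref_c=25.0):
    """Leakage current roughly doubles for every 10 deg C rise in temperature."""
    return 2.0 ** ((temp_c - ref_c) / 10.0)


def standby_hours(temp_c, capacity_ah=0.45, ma_per_module_25c=0.5, modules=3):
    """Hours the 0.45 A.H. nickel-cadmium battery can hold up the memory."""
    current_a = ma_per_module_25c * 1e-3 * modules * leakage_scale(temp_c)
    return capacity_ah / current_a


def line_charge_current(c_farads=10e-12, volts=6.0, rise_s=100e-9):
    """I_S = C * V / t for one select line, in amperes."""
    return c_farads * volts / rise_s


def array_operating_power_mw(lines=2, volts=6.0, input_volts=10.0, budget_mw=10.0):
    """Return (raw estimate, budgeted figure including the series regulator drop)."""
    raw_mw = lines * line_charge_current(volts=volts) * volts * 1e3
    if raw_mw > budget_mw:
        raise ValueError("raw estimate exceeds the 10 mW budget used in the report")
    # The regulator drops input_volts - volts, so input power is scaled by 10/6.
    return raw_mw, budget_mw * input_volts / volts


def array_failure_rate_goal(module_goal=1.6, connections=1500, per_connection=0.00001,
                            battery=0.2, batteries_per_module=2 / 3,
                            power_supply=0.02, arrays=67):
    """Per-array goal (% per 1000 hours) left after the other apportionments."""
    remainder = (module_goal - connections * per_connection
                 - battery * batteries_per_module - power_supply)
    return remainder / arrays
```

The per-array result is about 0.0214% per 1000 hours, which the report's table carries as 0.0213%.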
Based on the above failure rate apportionments, the array must have a failure rate
no greater than 0.0213% per thousand hours. This is a reasonable goal for 1973-1975.
This goal is believed to be reasonable because stable complementary
MOS devices are being made in the laboratory today and there are 6 to 8 years to
mature this technology. As an example of what can be accomplished in 6 years,
examine the demonstrated increase in the reliability of discrete bipolar transistors
from 1960 to 1966. In 1960, the manufacturer's demonstrated failure rate for a small
signal NPN silicon transistor was 1% per 1000 hours. This was a transistor used in
the Minuteman computer. In 1966, a small signal NPN silicon transistor in the
Minuteman computer has demonstrated a failure rate of 0.0062% per thousand hours.
This shows better than two orders of magnitude increase in reliability. If the
present rough experimental estimates are close to correct, approximately a two
orders of magnitude increase on the 2% to 4% per 1000 hours given earlier for a bulk
MOS array would meet the needs of the memory arrays for this system. (1) Another
reason for expecting the goal to be attained is that the industry is considerably
higher on the learning curve for the silicon planar technology in 1967 as compared
to 1960. This means that significant improvements can be made in less time. The
array also has two features which enhance the reliability. One is the low number
of external leads on the LSI array package, 18 in the case of the high usage memory
cell array. The other is the very low power dissipation of an array.
(1) It should also be remembered that the 2% to 4% per 1000 hours was obtained
from minimal data with almost no failures.
6.1.2.2 Magnetic Memory
6.1.2.2.1 Introduction
This section discusses the selection of the magnetic memory for use in the
1975 technology time frame. The memory system requirements (the same requirements
as given in Paragraph 6.1.2.1), i.e., random access, read write at 2 µsec
cycle time, reduce the types of memories to be considered to a coincident current
DRO core structure and a multiword organized batch fabricated NDRO structure
(e.g., plated wire today). Under today's technology, the selection of the most
reliable approach is simply a matter of selecting the approach which uses the least
number of operational circuits. However, with the advent of LSI techniques and the
capability of fabricating multifunction circuitry, the problem must now also be viewed
in light of what approach is most amenable to LSI techniques. This point is made
since the coincident current approach contains the least number of operational circuits
for today's structures but, because of the drive levels (both present and projected),
appears to be less amenable to LSI. Therefore today's choice for the most reliable
memory would be a DRO core structure; however, the choice made here for 1975 is a
batch fabricated NDRO structure. This choice has been made for the following
four reasons. The reasons are listed in order of importance for this application:
1. The NDRO structure will take maximum advantage of LSI techniques in the
1973-1975 time frame, whereas the DRO core structure does not appear to
have the same potential. The NDRO approach therefore offers higher
reliability both due to the increase in circuit reliability (fewer circuits) and
the decrease in the number of connections in the system.
2. The NDRO structure has less sensitivity to transients due to the fact that
it does not require a restore cycle.
3. The NDRO structure will be batch fabricated. This offers the opportunity
to institute effective on-line quality control and reliability improvement
programs. These programs will feed back on the production process in
order to modify it to produce more reliable devices.
4. The NDRO structure offers lower power operation than the DRO structure
both due to higher speed operation and the ensuing lower duty cycle and to
the lack of the need to regenerate after a read cycle.
To illustrate the above statements, discussions and basic block diagrams for
both approaches shall be presented. Finally, the multiword NDRO structure shall
be detailed (i.e., LSI circuits will be projected and reliability figures assigned)
so that a quantitative understanding of the approach and its ability to meet the
multiprocessor system requirements may be gained.
The two approaches shall first be described in light of today's technology in order to
understand the effects of 1975 technology.
6.1.2.2.2 Present Day Memories 
This section shall describe the coincident core memory and the NDRO
multiword memory on the basis of today's technology.
Coincident Core Memory 
A Coincident Current (CC) structure is shown in Figure 6-14. The CC approach 
under  today's technology has certain  organizational  constraints which reflect  in  the 
system organization. These constraints are as follows: 
1. Sense Lines are restricted  to 4K elements due to  line  delay and 
attenuation, and noise considerations. 
2. Bit  lines are restricted  to 4K elements due to  time delay and noise effects. 
Figure 6-14. 12x18 3D Memory (Today's Technology) [block diagram not reproduced]
Active Circuits
Word Switches - The drive matrix consists of switches arranged in matrix
fashion so that unique word selection is made by selecting two X switches
(one on each side of the array) and two Y switches. The number of word
switches required = 128 total. (See Figure 6-14.) The switches are packaged
four per IC with nine connections.
Word Diodes - Discrete diodes are required to isolate the drive electronics.
The total required = 512 per module. These are packaged as sixteen per IC
with ten connections.
Word Gates - Gates are required to use the address information to select
the appropriate X and Y switches. For the organization shown, 1 gate per
switch is required. Total = 128. They are packaged as two per IC with twelve
connections.
Inhibit Drivers - The number of inhibit drivers required is equal to the number
of bits times three (the number of 4K arrays) or 18 x 3 = 54. These drivers
are packaged separately due to power limitations. Each package has six
connections.
Inhibit Gates - The drivers must be selected, depending upon data input, and
clocked; as a result each driver requires an input gate. These are packaged
with the driver.
Current Sources - Positive and negative X & Y currents are required for a
system total of 4. Each source requires approximately 10 IC's with ten pins
per IC.
Timing Generator - This generator is required to generate the sequence of
timing pulses for the read and write cycles. It requires approximately
10 IC's with five pins per IC.
Sense Amplifiers - The number of S/A required is equal to the number of bits
times 3 or 18 x 3 = 54. These are packaged separately with ten connections.
S/A Gates - The three sets of sense amplifiers must be gated into the common
data register. Total requirements = 18 3-input "or" gates packaged four to an
IC with 14 connections.
Data and address registers along with some interface circuitry must also be
included; however, this is not dependent on the memory technology. Therefore,
it will not be discussed here.
Figure 6-15. NDRO Multiword Memory (Today's Technology) [block diagram not reproduced]
NDRO Read and Write Signals [timing diagram not reproduced; panels: READ, WRITE, WRITE 1, WRITE 0]
A summary of the coincident current electronics is given below:
Type Circuit              CKTs    IC    Connections
Word Switches              128    32        288
Word Gates                 128    64        768
Word Diodes                512    32        320
Inhibit Driver & Gates      54    54        324
S/A's                       54    54        540
S/A Gates                   18     5         70
Current Sources              4    40        400
Timing Generator             1    10         50
TOTAL                            291       2760
This  table  will  be  compared in the following section  to  a  similar  table  for 
a  plated wire NDRO memory. 
NDRO Multiword Memory
A good example of an NDRO multiword structure in today's technology is a
plated wire memory as shown in Figure 6-15. A multiword structure (more than
one 18 bit word on a word line) is used since it saves a considerable amount of
electronics. Such structures have the important property that single words on a
multiword line can be written into without disturbing the other words on the line.
The optimum multiword organization for the 12K by 18 memory module is
1K word lines of 216 bits or 12 words. The two permutations around 1K by
216 (i.e., a) 2K by 108, and b) 512 by 432) are ruled out for the following reasons:
1. The sense/bit line is limited (by bit drive and sense line delay considerations)
to 1K elements; hence a duplication of bit drivers and S/A's would
be necessary for a 2K by 108 structure.
2. The word line length is limited to about 240 elements by line inductance
and delay considerations; thus a duplication of hardware would also be
necessary in a 512 by 432 structure.
3. It is also the case that the total amount of circuitry is minimized by using
1K by 216.
This structure is shown in Figure 6-15. The theoretical operation of thin film
NDRO magnetic memories is well discussed in the literature and as a result will not
be presented here; however, Figure 6-16 gives a diagram of the read and write
signals. It should be noted that in today's multiword film structure bipolar bit write
signals are required to overcome skew and dispersion effects. As a result the write
cycle time is increased over the read. Future film structures should be of higher
quality and thus be able to take advantage of unipolar write signals. One additional
useful feature of the multiword devices under consideration, such as plated wire,
is that they only require unipolar word line drive. This not only saves circuits but
also connections.
Active Circuits
Word Switches - The drive matrix is organized so that unique word selection is
obtained by selecting two switches (one on each side of the array). This requires
32 unipolar switches on each side. Total switches = 64. The switches are
packaged four per IC with nine connections.
Word Access Diodes - One diode per line for isolation of the unipolar drive
electronics. Total diodes = 1024 per module. These are packaged as eight per
IC with nine connections.
Word Gates - As for the CC memory, one gate per switch is required for
selection. Total Gates = 64. They are packaged two per IC with twelve
connections.
Word Current Source - The lines are accessed by the 64 matrix switches and
the current drive is steered to the selected lines. This requires just one
central current source. This source requires approximately 10 IC's with
ten connections per IC.
Bit Drivers - There must be one bipolar bit driver for each of the 18 bits in a
word. This gives a total of 18 per module. They are packaged as one bipolar
driver per IC with 10 connections.
Bit Switches - Since the memory is organized with each word access line
containing twelve eighteen bit words, there must be a selection of one of
twelve words for the bit drivers to write into. This selection is carried out
by bit switches. Ideally only one bipolar bit switch would be required per word;
however, with the present plated wire memories, the 100 ma IB requires four
bipolar return switches per word to sink the bit current. Total bipolar bit
switches = 48. These are packaged three per IC with 12 connections.
Bit Driver Gates - The bit drivers must be selected depending upon data input
and clocking for the write operation. They are not used in the read operation.
Each bit driver requires one selection gate for a total of 18 gates. These are
packaged as two per IC with 10 connections.
Sense Amplifiers - The sense amplifiers are relatively simple so that one will
be connected to each bit line. A one of twelve decoder will then choose the
correct eighteen sense amplifiers. Total S/A = 216. They are packaged
separately with 10 connections.
Timing Generator - This generator produces the timing pulse for the read
and write cycles. It requires 10 IC's.
Type CKT            CKTs       IC    Connections
Word Sw's             64       16        144
Word Gates            64       32        384
Bit DR's              18 (36)  18        180
Bit Gates             18        9         90
Bit Sel Sw's          48       16        192
Current Source         1       10        100
Timing Generator       1       10         50
S/A's                216      216      2,160
Word Diodes         1024      128      1,152
TOTAL                         455      4,462
The circuit and connection totals given here for an NDRO memory should be
compared to those given earlier for a DRO memory. From this comparison it can be
seen that a DRO core structure should be more reliable today than an NDRO plated
wire structure since the latter structure contains more electronics and connections.
The power dissipation of the two memories is very similar and ranges from 35 to
40 watts; however, over half the power dissipation in the NDRO structure is from
stand-by power on the sense amplifiers. This dissipation will be reduced by an
order of magnitude in future systems using power strobing of the sense amplifiers.
(The amplifiers are turned off for a portion of each cycle.) Of equal importance
is the fact that thin film NDRO structures are expected to offer large decreases in
word current, bit current, and line impedance in the future. This should enable
these structures to take optimum advantage of LSI techniques in the 1973-1975
time frame. For the above reasons a thin film, multiword NDRO structure is
chosen over a DRO structure for magnetic main memory in the 1975 time frame.
6.1.2.2.3 Future Memory Organization
This section describes the organization of a 12K word 18 bit NDRO memory for
the main multiprocessor memory. A particular memory device is not specified, but
the chosen device will be a thin film batch fabricated structure with multiword
capability (e.g., plated wire, bi-core are applicable from today's technology). In
order to describe the projected NDRO memory, certain assumptions about the
performance characteristics and modifications to present circuit approaches are
required. These assumptions and modifications are listed below.
Assumptions:
1. The memory will be organized as 1K word lines by 216 bit lines. The
reasons for this are the same as those given for the current NDRO structure.
The line length limitations may be relaxed somewhat in the 1975 time frame,
but this organization still requires the minimum number of circuits.
2. One crossover per bit will be used. Orthogonal structures require common
mode noise cancellation. This can be achieved in 2 ways: a) 2 crossovers
per bit operation or b) addition of a common mode cancellation line
(dummy non-magnetic element). The word line inductance is a function of the
number of crossovers down a word line, so that for 2 crossovers per bit
the electrical length of the word line is doubled. If the second technique
is employed (i.e., dummy line) then the electrical length of the line is only
increased by the ratio of active to dummy lines. For example, 1 dummy
for 4 active lines gives a 20% increase in length, 1 dummy for 8 active lines
gives an 11% increase in length.
The latter approach will be used in this system with one dummy line per n
active lines (n determined by noise).
3. Improvement in present thin film memories or additions of new structures
should enable the following properties to be readily achieved by 1975.
a. Unipolar write current - The signals for the read and write cycles
are shown in Figure 6-17. Note the difference between this figure
and Figure 6-16 where a bipolar write signal was used to overcome
skew and dispersion effects. The read or write operation will take
less than 500 nsec.
b. I_word = 200 ma
c. I_bit = 25 ma
d. Z_0 = 30 ohms
These properties will enable LSI circuits to be used for the memory electronics.
4. Bipolar bit currents will still be required in order to be able to write "1's"
and "0's".
5. The timing and control will be packaged into one LSI chip.
Modifications for LSI
1. One word driver with base to emitter selection will be used for each of the
1024 lines. This approach will be used instead of matricizing drivers and
switches because the latter approach would require a large number of
isolation diodes. An MI pack can be fabricated with a number of drivers
almost as easily as with a number of diodes. As a result matricizing
the switches would actually require more LSI arrays.
2. One sense amplifier per line will be used. This is again for the reason that
this approach requires fewer LSI arrays than an approach using sense
amplifiers and gates.
3. One bit driver per line will be used for the same reason as given in 1 above.
Figure 6-17. Future NDRO Read and Write Signals [timing diagram not reproduced; panels: READ, WRITE (unipolar), WRITE 1, WRITE 0]
The above points enable a memory structure as shown in Figure 6-18 to be
specified. This structure takes advantage of LSI techniques to package a number of
drivers, switches, and sense amplifiers in arrays. The packaging of these circuits
in arrays was estimated for the 1975 time frame and is specified along with
connections and reliability per array in the following material. Figure 6-18 also
shows input/output and control sections going to the processors and I/O units. These
modules were briefly discussed in Paragraph 6.1.2.1. They will be added to the
reliability calculations for this memory as 9 arrays with 270 connections and a
reliability of .02% per array. The functions of this interface logic will be discussed
again in the following section.
Based on the above discussions, a reliability estimation for this memory is
given below:
Word Switches     16 Modules     1024 CKTS
  Matrix of 64 SW's arranged 8 x 8 with 64 outputs
  17 Logic Inputs (8x, 8y, 1z)
  2 Power
  1 Current Source
  This can be accomplished because only one switch is actuated at any one time.
  Total Connections = 84
  Anticipated Reliability = 0.02%/1000 hrs
Figure 6-18. Future NDRO Memory [block diagram not reproduced; 12K x 18 memory array, 1024 word lines by 216 bit lines]
Bit Driver     18 Modules     216 CKTS
  Module contains 12 Bipolar Bit Drivers; 1 DR. per module is activated
  per write time
  Connections:
  12 Logic Lines to Select 1 of 12
  2 Data Lines (1's & 0's)
  2 Timing
  3 Power
  12 Output Lines
  Total Connections = 31
  Anticipated Reliability = 0.01%/1000 hrs
S/A     18 Modules     216 CKTS
  12 S/A's per module
  All S/A's receive signals for logic select. S/A output to be processed
  12 Logic Lines to Select 1 of 12
  2 Strobes
  4 Power
  15 Input
  1 Output
  Total Connections = 34
  Anticipated Reliability = 0.01%/1000 hrs
Timing Generator     1 Module
  4 Input
  12 Output
  4 Power
  Total Connections = 20
  Anticipated Reliability = 0.005%/1000 hrs
Address Register     1 Module
  Inputs 15 Logic
  Output 28
  Power 4
  Total = 47
20 CKTS 
14 CKT 
Data Registers     1 Module
  Inputs 36
  Outputs 18
  Timing 2
  Power 4
  # Connection 60
  Reliability = 0.015%/1000 hrs
Decoder A (2 - 1 of 8's)     1 Module
  Input 24
  Output 16
  Power 4
  Total Connections = 44
  Reliability 0.01%/1000 hrs
Decoder B (1 of 16)
  Input 8
  Output 16
  Power 4
  Total = 28
  Reliability = 0.01%/1000
Decoder C (1 of 12)     1 Module
  Input 8
  Output 12
  Power 4
  Total = 24
  Reliability 0.01%/1000 hrs
Table
Array            CKTS           L.S.I.   # Connections/Mod   Per Mod Reliability
Word Circuits    1024           16       84 (1344)           0.02%/1000 hrs
Bit DR           216            18       31 (558)            0.01%
S/A              216            18       34 (612)            0.01%
Decoders A       2, 1 of 8's    1        44                  0.01%
         B       1 of 16        1        28                  0.01%
         C       1 of 12        1        24                  0.01%
Address Reg      14             1        47                  0.01%
Data Reg         18             1        60                  0.015%
Timing Gen       1              1        20                  0.005%
Current Source   1              1        10                  1.0%
Logic Arrays     5              9        270 (total)         .02%/1000 hrs
Total                           68       3,000

Array             Modules x Per Mod Reliability   Reliability           x3
Word CKTS         16 x 0.02                       0.32                  0.96
Bit               18 x 0.01                       0.18                  0.54
S/A               18 x 0.01                       0.18                  0.54
Decoders          3 x 0.01                        0.03                  0.09
Register          1 x 0.01                        0.01                  0.03
Register          1 x 0.01                        0.01                  0.03
Timing            1 x 0.005                       0.005                 0.015
*Current Source   1 x 1                           1.0                   N/A
Logic Arrays      9 x 0.02                        0.18                  0.54
Connections       3,000 x 0.00001%                0.030%/1000 hrs       0.90%/1000 hrs
Total                                             1.945%/1000 hrs       3.835%/1000 hrs
* Current Source need not be repeated with increased modularity
The above calculations show that the NDRO magnetic structure should be able
to easily meet the reliability requirement of 4.8% per 1000 hours for the
multiprocessor main memory.
A rough power calculation was carried out using the current levels given earlier
under "assumptions" in order to get a feeling for the memory power dissipation.
Assuming the sense amplifiers will use power strobing, this memory will dissipate
about 11 watts per 12K module.
The timing of this memory with a processor is the same as described in
paragraph 6.1.2.1. The NDRO magnetic memory will easily be able to set up
addressing in 500 ns and then read or write within another 500 ns. This will provide
information to the processor by the end of bit time two.
It should again be noted here, as in the introduction to the memory section, that
both the NDRO magnetic and semiconductor memories are able with little risk to
meet all of the multiprocessor main memory requirements. The semiconductor
memory uses substantially less power but it offers a slightly greater risk in being
able to meet the reliability requirements in the 1975 time frame. As a result
neither memory structure can be chosen at this time. Further development and
investigation are necessary in order to make a valid choice.
6.1.2.3 Memory Interface Hardware
The multiprocessor memory must have a good amount of interface hardware in
order to handle the communications to the processors and I/O units. The primary
parts of this hardware are:
1. A six bit round-robin scanner is used to choose the processor or I/O unit
to receive the next memory cycle. For the given mission only four bits
of the scanner will be used since only two I/O units and two processors
are present. The scanner is simply an asynchronous counter that
sequences through all the memory request lines until one is found up.
Since the count is done in an asynchronous fashion, it will take less than
200 ns to sequence through all six states.
2. A six bit lockout register is used to hold the I/O or processor modules
that are locked out of the memory. The operation of the lockout has been
explained in detail in Section IV.
3. A quantity of timing and control circuitry is included to generate the
memory timing and the interface signals to the processors and memories.
The operation of this hardware is explained in paragraph 6.1.2.1 and
shown in Figures 6-12 and 6-18. It amounts to about 9 chips of MOS/SOS
hardware. This could be reduced to four to five chips if a 150 pin pack is
developed. An interface description of the control signals to the processor
is given in paragraph 6.1.1. A similar description for the control signals
to the I/O units is given in the following section describing the I/O units.
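The scanner and lockout register of items 1 and 2 can be modeled in a few lines of C. This is an added example, not code or logic taken from the report: the port numbering (lines 0-1 as processors, 2-3 as I/O units), the rule that the scanner resumes at the line after the last grant, and the masking of locked-out request lines before the scan are all assumptions of the sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define N_PORTS 6   /* scanner and lockout register are six bits wide */

typedef struct {
    uint8_t fitted;    /* bit i set: a processor or I/O unit is wired to line i */
    uint8_t lockout;   /* bit i set: unit i is locked out of this memory        */
    uint8_t position;  /* request line the scanner examines first               */
} mem_interface;

/* Hypothetical helpers: set or clear one unit's bit in the lockout register. */
void lock_out(mem_interface *m, int port) { m->lockout |= (uint8_t)(1u << port); }
void release(mem_interface *m, int port)  { m->lockout &= (uint8_t)~(1u << port); }

/* One scan: step through the request lines starting at the current position
 * and stop at the first line that is up, fitted and not locked out.
 * Returns the granted line, or -1 if no eligible request is pending. */
int scan_grant(mem_interface *m, uint8_t requests)
{
    uint8_t eligible = requests & m->fitted & (uint8_t)~m->lockout;
    for (int step = 0; step < N_PORTS; step++) {
        int port = (m->position + step) % N_PORTS;
        if (eligible & (1u << port)) {
            /* Assumption: the next scan starts after the unit just served,
             * so a unit that always requests cannot monopolize the memory. */
            m->position = (uint8_t)((port + 1) % N_PORTS);
            return port;
        }
    }
    return -1;
}

/* Hold the request lines constant for a number of memory cycles and count
 * the grants per line. Returns the number of cycles in which nothing was
 * granted. */
int run_cycles(mem_interface *m, uint8_t requests, int cycles, int grants[N_PORTS])
{
    int idle = 0;
    for (int i = 0; i < N_PORTS; i++) grants[i] = 0;
    for (int c = 0; c < cycles; c++) {
        int port = scan_grant(m, requests);
        if (port < 0) idle++;
        else grants[port]++;
    }
    return idle;
}

int main(void)
{
    /* Mission configuration from the text: four of the six lines in use. */
    mem_interface m = { 0x0F, 0x00, 0 };
    int grants[N_PORTS];

    /* Constructed load: lines 0, 1 and 3 request on every cycle. */
    run_cycles(&m, 0x0B, 9, grants);
    printf("no lockout:    %d %d %d %d\n", grants[0], grants[1], grants[2], grants[3]);

    /* Lock unit 1 out: its request line stays up but is never served. */
    lock_out(&m, 1);
    run_cycles(&m, 0x0B, 8, grants);
    printf("unit 1 locked: %d %d %d %d\n", grants[0], grants[1], grants[2], grants[3]);
    return 0;
}
```

Under the constructed load the three requesting units share cycles equally, and once unit 1 is locked out its cycles are split between the remaining requesters rather than left idle.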
Both the semiconductor and magnetic memories have been described as
capable of completing their read and write transmissions in one microsecond. This
is the preferred method of operation since slower operation would not simplify the
memory circuitry. As a result the memories will be able to be recycled in 1.5 µs
instead of the required 2 µs. This increased speed can clearly be used to decrease
any queueing at the memories. However, it could also be used by the processors on
instructions that only require three bit times for execution. For example, if an
instruction cycle does not require indexing with the Tn registers, the processor
control unit can terminate, at the end of bit time 3, all instructions that do not
have any functions besides indexing to perform in bit time 4. When the final control
sequences for the instructions are laid out, this 1.5 µs memory cycle can be taken
advantage of in a number of instructions. As a result the approximate instruction
execution times given earlier in the instruction list will be decreased in some cases.
6.1.3 Input/Output Unit 
6.1.3.1 Introduction 
The input/output section of the multiprocessor is a hierarchical structure with
the sensors at the bottom, the conditioners next, and the I/O units on top. This
structure is shown in Figure 4-17 and was discussed in Section IV. The sensors are
devices that carry out the actual monitoring and control tasks in the spacecraft. The
conditioners are specialized to provide the proper control signals to the sensors
attached to them. They receive commands, such as read and write, from the I/O
units and then use these either to obtain data from the sensors or to send the sensors
data or command sequences to be executed. The communication links between the
sensors and conditioners and conditioners and I/O units are serial since the sensors
pass relatively small blocks of words at low repetition rates. The I/O units themselves
are not closely associated with individual sensors or devices. They simply
receive calls for I/O actions from the processors (through the memories) and then
send a read or write command (along with a data word if appropriate) and sensor
name to the appropriate conditioner or to the bulk storage unit. (Communication to
the bulk storage is over parallel lines since this unit will have high access rates
within a block of storage.) The conditioners then control the sensor operations
including sending data back to the I/O unit if necessary.
Many of the techniques that will be used in the Mars Lander Mission for handling
guidance and control, status monitoring, and scientific data have been established;
however, there will certainly be many new developments. As a result the sensors to
be used in such a mission are presently not well defined, especially in the area of
scientific experiments. This of course means that the conditioners also cannot be
well defined since their primary task is to generate control sequences, carry out
analog to digital conversion, etc. for the sensors. However, certain general properties
of the programs necessary to operate upon and handle the data from the sensors
can be defined. These properties, typical of a wide range of spacecraft programs,
will be used to obtain a first approximation to the design of the I/O units.
There are three basic I/O program types: those associated with periodic
sensors, the bulk storage unit, and request and background programs. The programs
associated with the periodic sensors are characterized by relatively low periodicity
rates, a maximum of about 20 repetitions per second, and short to medium sensor
waits for single and multiple word data samples. Clearly there are some exceptions
where the sensor waits may be hundreds of microseconds, but in these cases the
processor should call the I/O data long before the data is needed. Typically, the
periodic data will be called from the header of a program in order to waste the
minimum amount of processor time waiting for data.
The programs using the bulk storage unit will generally initialize a transfer of
a data block to or from the bulk storage unit and will then relinquish control of the
processor. The access rate within a block of storage in the bulk storage unit may be
as low as 10 µs or less; as a result, the I/O unit must be able to adequately interleave
these transmissions with the lower rate I/O programs. The bulk storage unit will be
used relatively infrequently for its main task of reloading the memories at phase
changes or reconfigurations, but it must also act as a data buffer for TV pictures at
Mars (approximately 30,000 bits/second), for certain scientific experiments, and
for telecommunications (approximately 20,000 bits/second). For these latter tasks
during certain phases of the mission, the bulk storage unit may be required to transmit
blocks of data to the multiprocessor for computation every few hours; however,
since this is transmission from a buffer, it can simply be handled as a background
program and therefore not interrupt the periodic programs. The third type of I/O
program is that associated with request and background programs. These programs
along with the Executive generate all requests for data from the bulk storage as
discussed above. They also require serial sensor data. (This data may experience
long sensor delays.) The background and request programs are scheduled as time
is available and consequently are interruptible by the periodic programs.
6.1.3.2 I/O Unit Connections and Structure
The I/O unit is shown connected directly to the memory in Figure 4-17;
however, consideration was also given to connecting the I/O unit to the processor
instead of to the memory. The primary problem with the latter type of connection is
that the I/O unit must preempt a processor for all its memory cycles. Note that
this is the case in a single computer system, but in a multiprocessor the memory
modules can service more memory cycles than the processors can provide. For the
periodic type programs I/O-processor connections present no problems; for if the
I/O unit was connected directly to the memories, it would most likely be using the
same memory as the processor and would consequently steal a memory cycle from
the processor anyway. Programs that transfer blocks of data to and from the bulk
storage could be set up so that they do not use the same memory that the processor
typically uses for program storage. In this case, with connections directly to all
memories, the I/O unit would not have to preempt memory cycles from the processors
and as a result would take good advantage of the system resources (i.e., the
extra memory module). However, if the I/O unit was connected to the processors,
it would have to preempt processor memory cycles even though the processor and
I/O unit were using different memory modules. There are other less important
reasons for using I/O-memory connections, but the above discussion should be
sufficient to demonstrate that having the I/O units connected to the memory provides
the most flexible multiprocessor system.
Figure 6-19 shows the registers and main connections in the I/O unit. This
unit is designed so that transfers from both the bulk storage and the sensors can be
conveniently interleaved. To enable this, there is a set of registers to handle bulk
storage requests (BR, PMAC, PC-Ch, PWC) and a set to handle sensor requests
(ASR, SMAC, SC-Ch, C-D, SWC). The basic function of each of these registers
will be outlined below.
6.1.3.2.1 Registers 
MR - Memory register: The memory register receives data and instructions
from the memories and sends data to the memories. The data going to the
memories can be from either the sensors (ASR) or from the bulk storage (BR).
ASR - Assembly shift register: This register receives serial data from the
conditioners and sends it to the MR for transmission to the memory. It is
also used to send serial data and control words to the conditioners.
SMAC - Serial memory address counter: This counter is set up by the I/O
control word from the memory. It holds the memory location for reading or
writing serial I/O data. This value is decremented by the control circuitry
after each serial word is transmitted either to the memory or to the conditioners.
[Block diagram of the I/O unit not reproduced; labeled elements include MR, ASR, SMAC, BR, PMAC, PC-Ch, command decoding and control generation, and connections to the conditioners, memory, bulk storage and control panel.]
SC-Ch - Serial command and chain bit: The command and the function of the
chain bit will be discussed later in this section. The SC bits are held for
controlling memory cycles (read or write) and for sending commands to the
conditioners. The Ch bit influences the generation of control signals in the I/O unit.
C-D - Conditioner and device registers: This register holds the name of the
conditioner and sensor participating in a serial I/O operation. The register is
loaded from the MR. It sends the device name to the specified conditioner as
part of the conditioner command word.
SWC - Serial word count register: This register specifies the number of serial
I/O words to be transferred. It is loaded from the MR and is decremented along
with the SMAC by the control circuitry after each serial word is transmitted.
The serial operation is terminated when this register is equal to zero.
SB - Serial busy flip flop: This flip flop is used to notify the memories on
request that the I/O unit is busy executing a serial I/O program. It is reset by
the SWC register when this register is decremented to zero.
SNR - Scanner register: This register is used to sequentially grant the
memories access to the I/O unit. It sequences through the request lines and halts as
soon as a line is found up. The scanner will sequence through the request lines
as long as either SB or PB are zero, or the lockout register is not set.
Lockout register: The register is set by a control line from each of the
four (three for this mission) memories. A memory will set the lockout register
at the start of a critical computation phase or at the start of a periodic program
execution. For a memory module to set the lockout, it must set the lockout flip
flops associated with the other three memories. This will enable only this
memory to use the locked I/O unit for serial or parallel I/O transmission.
The setting of the lockout register also causes the I/O unit to be interrupted and
store its status in the interrupting memory.
BR - Buffer register: This register receives parallel data from the bulk storage
and sends it to the MR for transmission to memory. It is also used to send
parallel data and control words to the bulk storage unit.
PMAC - Parallel memory address counter: This counter, set up by the I/O
control word, holds the memory location for reading or writing parallel I/O
data. This value is decremented by the control circuitry after each parallel
word is transmitted.
PC-Ch - Parallel command and chain bit: These bits function just as the SC-Ch
bits only for parallel transfers.
PWC - Parallel word count register: This register functions just like the SWC
except for parallel I/O operations.
PB - Parallel busy flip flop: This flip flop has the same function as SB except
for parallel operations.
There are also a number of control and status flip flops shown in Figure 6-15
that will be explained later in this section.
6.1.3.3 Timing
The timing in the I/O unit is fairly simple and can be carried out by a few one
shot multivibrators. These devices must time the memory interface request signal
(500 ns), the shifting of the ASR (500 ns or 1 μs), and the acceptance interval for the
memory request (14 μs as given in section 6.1.1). Some additional timing may be
necessary for timing the requests to the conditioners, but this cannot be specified at
this time. The remainder of the actions carried out by the I/O unit are asynchronously
timed (the conclusion of one event starts another). If in the 1975 time frame a small
simple hardware clock is developed, it could be substituted for the multivibrators.
However, the multivibrators will probably prove to provide the least complex timing
for the I/O unit.
6.1.3.4 Memory Interface 
The lines on the I/O memory interface are given below. It should be noted that
except for a few additions and deletions, this is the same as the processor-memory
interface.
Component: I/O
Interface: Memory
Output (to memory)
request          One separate line to each memory. It is used to
                 request memory cycles.
address/data     18-bit two-way bus common to all memory modules.
                 It sends addresses and data to the memory and
                 receives data and control words from the memory.
read/write       Bit 18 of an address on the address/data bus.
                 This line is used to notify the memory
                 of a read or write request.
lockout          One separate line to each memory. It notifies a
                 memory that it is locked out of this I/O unit.
serial busy      One common line to all memories. This line
                 notifies all the memories that this I/O unit is
                 carrying out a serial I/O program.
parallel busy    One common line to all memories. This line
                 notifies all the memories that this I/O unit is
                 carrying out a parallel I/O program. It should
                 be noted that both a serial and parallel busy are
                 required since it is possible for one to be busy and
                 the other not busy or free to service a request.
accept           One separate line to each memory. This line notifies
                 the memory that its request for I/O access is granted.
Input
busy             One separate line to each I/O unit from each
                 memory. It notifies an I/O unit of acceptance of a
                 request.
request          One separate line to each I/O unit from each
                 memory. It is used to request the I/O unit to
                 receive a control word from the memory.
lockout set      One separate line to each I/O unit from each
                 memory. This line requests the I/O unit to lockout
                 all other memories.
lockout          One separate line to each I/O from each memory.
                 This line notifies an I/O unit if it is locked out of
                 any memories.
address/control  Same as the address/data bus given in output.
The timing and functions of the above lines that are associated with an I/O unit
requesting a memory cycle are the same as for a processor requesting a memory
cycle. The description is given below. The operation of the I/O unit control section
to provide parallel or serial addresses, etc., is described later in this section.
1. The I/O unit sends a request to a memory ("0" to "1" transition occurs on
the request line). At the same time it places the memory address and
read/write request on the address/data lines.
2. After the memory scanner chooses the requesting I/O unit for a memory
cycle, the memory picks up the address and read/write information from
the bus. It then sends the I/O unit a not busy signal ("0" to "1" transition
occurs on the busy line). This signal is also used to start the 500 ns I/O
request one shot. The memory uses the next 500 ns to address the specified
memory position and to load its data register if a read is required.
3. For a write operation the I/O unit uses the "0" to "1" transition of the busy
signal to load its MR and memory bus with the data word for memory.
After 500 ns the I/O unit request signal will turn off. The "1" to "0"
transition of this signal causes the requested memory to read the contents of the
I/O memory bus into its data register.
4. For a read operation the I/O unit MR is loaded within 1 μs of the acceptance
of its request. The load is accomplished by the memory placing the data
on its bus to the requesting I/O unit and then turning off its busy line. The
I/O MR is loaded from the bus by the "1" to "0" transition on the busy line.
The "lockout set" line causes the I/O unit to be interrupted on its "0" to "1"
transition. The lockout set notifies an I/O unit that it is about to become involved in a
periodic I/O program execution. The "lockout" line from a memory, on the other hand,
notifies an I/O unit that it is locked out of this memory module. The programs will
schedule I/O so that an I/O unit will never be sending data to a memory module from
which it can be locked out during periodic program executions. This means that I/O
unit one, for example, will use memory modules one and three to store I/O variables
but not memory module two since this latter memory will lock out all I/O units except
I/O unit two during periodic computations. This programing restriction is necessary
so that an I/O program will not be interrupted due to its memory not being available.
This situation would require that the serial or parallel I/O program involved store its
status in its primary memory; however, the program that initialized this I/O program
would not be able to be notified conveniently that its I/O has been interrupted. As a
result there is not a convenient method of reinitializing the I/O program when the
locking memory is again free. An additional problem is that this type of an interrupt
would require nesting since more than one memory could lock out the same I/O unit
before the original I/O program is brought back into execution. Future investigation
of the above problem should be carried out in order to try to relieve the programing
restriction.
In order to explain the rest of the memory interface lines, a discussion of the
CIO (call I/O) instruction is necessary. The CIO instruction is used by the processor
to initiate I/O operations by sending two control words to the I/O unit from the memory.
The I/O control words will be described shortly, but in any case two words are
necessary to initiate an I/O operation. The processor sends the memory a request for a
memory cycle and also a signal on a separate line (the "I/O" line) to the memory.
(This was explained in section 6.1.1 under "Memory Interface.") The memory then
responds to the processor in the normal manner except for two changes. The
processor is granted two memory cycles in a row (the scanner is inhibited while the "I/O"
line is up); and the data is sent to an I/O unit instead of back to the requesting
processor. In order to determine which I/O unit to send the data to, the memory looks at
the first two bits of the first control word and interprets these as an I/O unit name.
The third bit of the control word is also checked to see if a serial or parallel I/O
operation is being requested. After the above is accomplished the memory will send
a request to the proper I/O unit if none of the following three conditions exists:
1. The memory is locked out of the I/O unit. (The lockout line from the I/O
would be one in this case.)
2. The memory has a request for a parallel I/O operation and the parallel
busy line is up from the specified I/O unit.
3. The memory has a request for a serial I/O operation and the serial busy
line is up from the specified I/O unit.
If any of the above three conditions exists, the memory sends the I/O BL (I/O busy or
locked out) signal back to the processor. This terminates the CIO instruction and
both the memory and processor are freed. If none of the conditions exists, the
memory's request to the I/O unit will be granted within 2 μs. The "0" to "1" transition
of the accept signal from the I/O unit will load the memory bus and the I/O MR with the
information from the memory's data register. The accept signal will then remain up
for the next memory request. In order to generate the next request the processor
increments the address of the previous I/O control word by one and sends this new
address to the memory. The memory loads the second control word into its data
register and sends a request to the I/O unit with its accept line up. The I/O unit will
then turn off its accept signal. The "1" to "0" transition of this signal will again load
the memory bus and the I/O memory register with the information from the memory's
data register. It should also be noted that between the receipt of the first and second
control words the I/O unit must distribute the contents of the first control word to the
proper I/O registers. The execution of the complete CIO instruction (including
processor instruction access) takes six microseconds.
6.1.3.5 I/O Control Word Format
The previous subsection presented a discussion of the CIO instruction. The
control words called by this instruction will now be presented and discussed.
The I/O control word format is shown below:
        bits:  1:2        3:10          11:12     13      14:18
Word 1         I/O Unit   Device Name   Command   Chain   Word Count
        bits:  19:20        21:36
Word 2         Word Count   Memory Address
Bits
1:2 I/O Unit: These bits are decoded by the memory during a CIO
instruction in order to determine the I/O unit to receive the control words.
3:10 Device Name: If bit three is 1, the device is the bulk storage. Bits 4
to 10 will then be loaded into the BR to be sent to the bulk storage as
the upper seven address bits for this unit. If bit three is 0, the device
is one of the sensors connected to the conditioners. Bits 4 to 6 will
then represent the conditioner and bits 7 to 10 will represent a device
(sensor) on the chosen conditioner. In the latter case, bits 4 to 10 will
be immediately loaded into the C-D register to prepare for receipt of
the next control word. The device name organization mentioned above
provides for a total of 128 devices. This should be sufficient since
many of the sensors will send more than one word on request. Actually
only 126 device names will be usable since one device name will be used
to call a request program status word, and a second will be used to call
a failure status word. These status words will be discussed later in
this section. The correct trade-off between bits for the conditioner
name and bits for the sensor name cannot be made at this time, but that
shown will probably be close to correct.
11:12 Command: Bit twelve is used to denote read (I/O unit reads from the
memory) or write (I/O unit writes into the memory). Bit eleven is used
along with the chain bit (bit 13) to specify immediate reading or discrete
reading or writing. Immediate reading means that the second control
word from memory actually contains a data word rather than a memory
address. Discrete words are sent to conditioners in order to provide
special control sequences or to provide control signals such as "turn off"
to devices. Discrete words are also sent from the conditioners to the
memory in order to provide the computation system with status
information on the sensors and conditioners. A listing of the above instructions
is given below:
B11, B12 = 00 - Write: A word or words are obtained from the
specified device and written into the memory location given by the SMAC or
PMAC.
B11, B12 = 01 - Read: A word or words are read from the memory
location given by SMAC or PMAC and sent to the specified device.
B11, B12, B13 = 100 - Not used.
B11, B12, B13 = 110 - Read immediate: The second memory control
word is used directly as a single word of data for the specified device.
This command will have no real use with the bulk storage unit, but it
should be useful for a number of serial devices.
B11, B12, B13 = 101 - Discrete write: This command is used to pick
up a discrete word from the specified conditioner and device or from
bulk storage. The exact contents of the discrete words cannot be
specified until the devices themselves have been specified. The chain bit is
used for command extension in this case because no more than one
discrete word will typically be picked up at a time. In the cases where
it would be desirable to chain, an additional CIO must be executed.
B11, B12, B13 = 111 - Discrete read: This command is used to pick up
the second control word as a discrete word and send it directly to the
specified device. The chain bit comments given above apply here.
13 Chain: The commands discussed above use this bit for command
extension when bit eleven is 1. When bit eleven is 0, this bit is used for
command chaining. In this case the I/O command is executed on the
specified number of words (see word count below); and then instead of
terminating this I/O program when the word count register (SWC or
PWC) goes to zero, the word count register is incremented twice and a
request is sent to the memory. Two control words are picked up from
the two memory locations following the previous I/O program data area.
(These words were set up by the processor prior to its execution of the
initial CIO instruction.) These control words are then used to continue
execution of an I/O program with serial or parallel devices. If serial
(parallel) devices were used in the first I/O program, they must also be
used in the chained program; otherwise a new control word could be
brought in for a busy parallel (serial) device. This chain can be
continued as long as desired. The chaining of I/O programs may prove to be
particularly useful for transferring large blocks of words between
memory and the bulk storage unit. Note that using the chaining feature
saves the trouble of requiring the processor to monitor the transfer of
data and to execute a number of CIO instructions.
14:20 Word Count: These bits are loaded into the SWC or PWC registers.
These registers are then used to count the number of words transmitted
in the I/O program and to terminate the program when the count goes to
zero. The SWC register only uses bits 17 to 20 since a single serial
device will probably never transfer more than sixteen words; however,
if the situation arises, the SWC register could easily be increased.
The PWC register, on the other hand, is seven bits since the bulk
storage unit may want to transfer as many as 128 words quite often.
In fact the word count section of the control words could be increased
to allow for more words to be transferred from the bulk storage with
one set of control words; however, all the other bits in the control
words have been put to good use. If in the future less than 64 serial
devices are needed on a single I/O unit another bit could be made
available for the word count. However, this problem is actually
alleviated by the use of the chain bit. This bit makes transfers of
blocks of words longer than 128 words relatively simple. In fact one
of the main reasons for adding the chain bit to the control word instead
of making the word count eight bits was to enable long word block
transfers without the need for processor intervention.
21:36 Memory Address: These bits provide the initial memory address for
reading or writing. They are loaded into either the SWC or PWC.
A third I/O control word will be required for I/O programs working with the
bulk storage unit. This word will provide eighteen more address bits for the bulk
storage location. This word will be picked up by the I/O unit from the first memory
location given in the PMAC. A total of twenty-five address bits are then available for
bulk storage addressing. (Seven bits were obtained from the device name locations in
control word one.) If more bits are necessary for addressing this unit, a fourth
control word would have to be obtained. A twenty-five-bit address would be sufficient
for a bulk storage of approximately 6 x 10^8 bits stored as 18-bit words. A number of
10^8 bit bulk storage units are discussed in Appendix II.
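As an added example (not code from the report), the Python sketch below decodes the two control words according to the bit layout above, forms the 25-bit bulk storage address, and applies the memory's three CIO conditions (locked out, parallel busy, serial busy) described in section 6.1.3.4. It assumes bit 1 is the most significant bit of control word 1; every function and class name and all sample words are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

WORD_BITS = 18                       # word and address/data bus width given in the report
WORD_MASK = (1 << WORD_BITS) - 1


def field(pair: int, first: int, last: int) -> int:
    """Bits first..last (1-based, inclusive) of the 36-bit pair of control words.

    Assumption: bit 1 is the most significant bit of control word 1.
    """
    return (pair >> (2 * WORD_BITS - last)) & ((1 << (last - first + 1)) - 1)


@dataclass
class ControlWords:
    io_unit: int                     # bits 1:2
    bulk: bool                       # bit 3 = 1: bulk storage (parallel transfer)
    conditioner: Optional[int]       # bits 4:6, sensors only
    device: Optional[int]            # bits 7:10, sensors only
    bulk_addr_upper: Optional[int]   # bits 4:10, bulk storage only
    command: str
    chain: bool
    word_count: Optional[int]
    memory_address: Optional[int]    # bits 21:36
    immediate_data: Optional[int]    # word 2 when it carries data instead


def decode_command(b11: int, b12: int, b13: int):
    """Return (command, chain). When B11 = 1, bit 13 extends the command."""
    if b11 == 0:
        return ("read" if b12 else "write"), bool(b13)
    extended = {(1, 0): "read immediate", (0, 1): "discrete write",
                (1, 1): "discrete read"}
    if (b12, b13) not in extended:
        raise ValueError("B11, B12, B13 = 100 is not used")
    return extended[(b12, b13)], False


def decode(word1: int, word2: int) -> ControlWords:
    for word in (word1, word2):
        if not 0 <= word <= WORD_MASK:
            raise ValueError("control words are 18 bits wide")
    pair = (word1 << WORD_BITS) | word2
    bulk = bool(field(pair, 3, 3))
    command, chain = decode_command(
        field(pair, 11, 11), field(pair, 12, 12), field(pair, 13, 13))
    # Read immediate / discrete read: word 2 is the data word itself.
    data_word = command in ("read immediate", "discrete read")
    # PWC takes all seven count bits (14:20); SWC uses only bits 17:20.
    count = field(pair, 14, 20) if bulk else field(pair, 17, 20)
    return ControlWords(
        io_unit=field(pair, 1, 2),
        bulk=bulk,
        conditioner=None if bulk else field(pair, 4, 6),
        device=None if bulk else field(pair, 7, 10),
        bulk_addr_upper=field(pair, 4, 10) if bulk else None,
        command=command,
        chain=chain,
        word_count=None if data_word else count,
        memory_address=None if data_word else field(pair, 21, 36),
        immediate_data=word2 if data_word else None,
    )


def bulk_address(upper7: int, word3: int) -> int:
    """25-bit bulk storage address: bits 4:10 of word 1 above the third control word."""
    if not (0 <= upper7 < 128 and 0 <= word3 <= WORD_MASK):
        raise ValueError("expected 7 upper bits and an 18-bit third word")
    return (upper7 << WORD_BITS) | word3


@dataclass
class UnitLines:                     # lines one I/O unit presents to a memory
    lockout: bool = False
    serial_busy: bool = False
    parallel_busy: bool = False


def cio_gate(word1: int, units: dict) -> str:
    """Memory-side CIO check: 'request' if the unit may be called, else 'I/O BL'."""
    pair = word1 << WORD_BITS
    lines = units[field(pair, 1, 2)]
    parallel = bool(field(pair, 3, 3))
    busy = lines.parallel_busy if parallel else lines.serial_busy
    return "I/O BL" if lines.lockout or busy else "request"


# Constructed sample words (not from the report), written field by field.
SERIAL_READ = (0b10_0_101_1001_01_0_00000, 0b11_0001001000110100)
BULK_WRITE_CHAINED = (0b01_1_1010101_00_1_11111, 0b11_0000000100000000)
READ_IMMEDIATE = (0b10_0_001_0010_11_0_00000, 0o123456)

if __name__ == "__main__":
    for words in (SERIAL_READ, BULK_WRITE_CHAINED, READ_IMMEDIATE):
        print(decode(*words))
    print(cio_gate(SERIAL_READ[0], {2: UnitLines(serial_busy=True)}))
```

A serial request is refused only by the serial busy line or the lockout line; a unit whose parallel busy line is up still accepts it, which is why the report requires two separate busy lines.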
6.1.3.6 I/O Device Interface and Word Format
The interfaces to the devices and the control words for the devices cannot be
explicitly specified until the devices themselves have been designed. As a result this
section will only give a discussion of some of the lines and bits that may be necessary
on the interfaces and in the control words.
Since the access of I/O variables is program controlled, the I/O unit should send
requests to the devices. The requests will cause the conditioner to immediately begin
receiving information over a two-way serial line. There should be no need for the
I/O unit to check and see if the device is busy since it would probably be a programming
error to use a device twice in succession without allowing it sufficient time to complete
its first operation. As a result, if an I/O program is interrupted while a device is
busy, the present operation should be halted immediately and the present data or
control word will have to be obtained again when the interrupted program is restarted.
This means that the devices should receive a halt line from the I/O units. In order to
enable loading of I/O variables from the ASR and BR into the devices, each I/O unit
could send the bulk storage and each conditioner separate "load" lines. A "0" to "1"
transition on one of these lines would then cause the appropriate device, bulk storage,
or conditioner, to receive a word or a bit. Similar lines could be run from each
conditioner and from the bulk storage to the I/O unit. These lines would enable loading
of data from the devices into the I/O unit.
In addition to the above lines, each conditioner and device may have a number of
separate lines to the I/O unit for failure notification. These lines would set the C/S
flip-flop and conditioner device register. The existence of these lines depends on
whether or not the conditioners and sensors have some self-checking hardware. If
they are not able to check themselves, they will be checked under program control.
In this latter case there would be no need for failure notification lines.
At the present time it appears that the best way for the computation system to
handle certain devices and functions is to have them set a request flip flop in the I/O
unit when they require servicing. (This of course requires lines from the devices to
each I/O unit.) These flip flops would be periodically monitored by an executive
program in order to see if servicing was required. A good example of such a device may
be an astronaut input/output console. A request flip-flop, C, is shown in Figure 6-19
for this device. This console will probably be included to enable the astronauts to do
some programing and to request a variety of outputs from the computation system.
Another example is the use of a failure flip-flop as shown in Figure 6-19. This
flip-flop would be set any time one of the failure status word flip flops is set. After noting
that the F flip flop was one the executive would reset the flip flop and then read the
failure status word in order to determine the proper corrective action.
An example of some of the contents of a control word for a conditioner is given
below:
bits:  0              1:4           5            6
       Control/Data   Device Name   Read/Write   Discrete
Bits
0 Control/Data: This specifies that the following word is a control word
or a data word.
1:4 Device Name: This gives the device name on the conditioner that is
receiving the control word.
5 Read/Write: This requests a read (from memory) or write (to memory)
operation from the specified device.
6 Discrete: This notifies the conditioner that the read/write command is
for a discrete word.
The control word for the bulk storage is also not specified at this time, but the
following example is probably accurate:
        bits:  1            2          3:9          10:16
Word 1         Read/Write   Discrete   Word Count   Bulk Address
        bits:  19:36
Word 2         Bulk Address
Bits
1 Read/Write: This requests a read (from main memory) or write (to
memory) operation.
2 Discrete: This tells if the next control word is a discrete for a read.
For a write operation with the discrete bit on, control word two is
ignored and the bulk memory sends a status word back to the I/O unit.
3:9 Word Count: This is the word count from the I/O unit's PWC register.
10:16, 19:36 Bulk Address: This is the address of the first bulk word to be
transferred or loaded.
Note that bits 17 and 18 of control word one are presently unused. It should also
be noted that the bulk storage will be connected to more than one I/O device. As a
result, whenever it is busy the I/O unit using it will send all other I/O units a busy
signal that will be used to set their PB flip flops. This will inhibit two I/O units from
accessing the bulk storage at the same time.
6.1.3.7 Functional Description 
A functional description of much of the I/O unit has been given throughout this
section; however, additional clarification in certain areas is needed. In particular,
a discussion of the control flip-flop sequencing of operations, and the handling of
interrupts will be given in this section. In order to best understand this subsection
Figure 6-19 should be referenced.
As mentioned earlier, a CIO instruction initializes the I/O unit for a parallel or
serial I/O program. The request for access to the I/O unit is honored by the scanner
(SNR) which is then locked on the memory for two requests (first and second control
words). After the first control word is transferred to the MR, portions of the word
are loaded into the appropriate serial or parallel registers and the SB and S (serial)
flip-flops or the PB and P (parallel) flip flops are set. The S or P flip-flops are used
to tell the control section of the I/O unit which device type receives the next memory
word. After the second control word is received and transferred by the control
circuitry to the appropriate registers, the I/O unit is no longer under control of the
memory. The I/O control section next loads the control word for the device into the
ASR or BR and then transmits this word to the device. For a read operation, a
memory cycle is requested by setting the SR or PR at the same time the above
operation is taking place. (The sequencing of operations with the memory has been discussed
earlier.) The memory cycle, when granted, reads a data word from the location
specified by the SMAC or PMAC. The memory address is placed directly on the memory bus
as shown in Figure 6-19. The data word is loaded into first the MR and then into either
the ASR or BR. At this point the S or P flip-flop is turned off and the data word must
be sent to the appropriate device. The timing for the transmission of the serial word
is generated from the control section timing hardware. The number of bits shifted is
counted by the serial shift counter (SSC). After the data word has been transmitted to
the device the SMAC or PMAC and SWC or PWC are decremented. If the word
counters have not reached zero, the above operation repeats itself, starting with the setting
of the SR or PR flip flop in order to send a request to the memory. (There is of course
no need to send another control word.) If the counters have reached zero the I/O
program is terminated and the appropriate flip flop, PB or SB, is set to zero.
The operation of the I/O unit for a write operation is very similar to that for a
read. However, after the control word has been sent to the device the S or P flip flop
is turned off and a memory cycle is not requested. First the specified device obtains
a data word and sends this back to the I/O unit. The data word is loaded by a "0" to
"1" pulse on the "load" line from the devices to the I/O unit. For transmission over
the serial line, the I/O unit control section counts the load pulses in the SSC. When
the count reaches 18, the word transmission is complete and a memory cycle is
requested by setting SR or PR. When the I/O unit obtains a memory cycle the address
from the PMAC or SMAC is placed on the memory bus and at the same time the data
word to be sent to the memory is transferred from the ASR or BR to the MR. While
the data word is being transmitted to the memory, the SMAC or PMAC and SWC or
PWC are decremented. The write operation is then terminated or repeated, just like
the read operation, depending on whether the counters have reached zero or not.
If the chain bit is set to one by the initial control word, the termination procedure
given above for read and write operations is altered. When the word counter reaches
zero, the set chain bit flip flop causes the control word flip flop (CW) to be set to one
(see Figure 6-19), the word counter (parallel or serial) to be incremented twice, the
SR or PR flip flop to be set, and also inhibits the resetting of SB or PB. The next two
memory cycles will use the SMAC or PMAC for a memory address, and the words
received will be treated as control words. After receipt of the first control word the
SWC and SMAC or PWC and PMAC are decremented. After receipt of the second
control word, the registers are again decremented. The word counter will then
generate a zero signal that will cause the CW flip-flop to be reset. The SB or PB
flip-flops will remain set and the I/O unit then proceeds in the same manner as if a
CIO instruction has just been carried out.
One additional point should be mentioned about the operation of the control
flip-flops SR, PR, S, and P. During the simultaneous operation of a parallel and a serial
I/O program by a single I/O unit, one program may request a memory cycle while the
other program is in the midst of a memory cycle. For example, SR could be one with
a serial device waiting for a memory cycle. If the bulk storage must now also be
supplied a memory cycle, the P flip flop will be set, but PR will not be set. As soon
as SR returns to zero after its memory cycle, P will go to zero and PR will be set.
As a result, no data is lost, and the granting of memory cycles will be sequenced.
One situation has been presented earlier that causes the I/O unit to be interrupted.
This occurs when the lockout set line from a memory to an I/O unit goes to one. This
notifies an I/O unit that it is about to become involved in a periodic program execution.
The I/O unit is interrupted immediately unless a memory cycle is in progress, in which
case the cycle is completed first. The interrupt is then carried out in the following
fashion. The lockout register is set so that only the interrupting memory will have
access to the I/O unit. A serial status word must now be stored if the SB flip flop is
one. If this flip flop is zero, the I/O unit is ready to receive a memory request since
no serial I/O program is in progress. The serial status word is stored by setting the
interrupt flip-flop (I) and thus causing the I/O control circuitry to carry out the
following actions:
1. A memory cycle is requested and the primary memory register (PMR) and
the hard wired address are used for the memory address. The PMR is used
for the two most significant address bits. (The PMR can be set by the
executive with the CIO instruction and the device name bits referring to a request
status word.)
2. The SMAC is then transferred to bit positions 3 to 18 of the first interrupt
memory location and the last two bits of the SWC register are transferred to
bits 1 and 2 of the same word. The PMR and hardwired address are next
transferred to the SMAC.
3. The second I/O status word as shown below is transferred to the MR and the
SMAC is decremented.
bits:  1:2   3   4:10          11:12   13   14:16     17:18
                 Cond-Device                (blank)   bits 1 and 2 of SWC
4. Another memory cycle is requested and the SMAC is used for the memory
address. This is just the hardwired address minus one.
5. This memory cycle loads the status word from the MR into the second interrupt
memory location. The I and SB flip-flops are reset at the same time.
The I/O unit is now ready to carry out periodic I/O programs.
Note that a parallel status word was not saved since the periodic programs do not
use the bulk storage unit. When the periodic programs are completed, the executive
must restore the interrupted I/O program by simply giving a CIO instruction with the
stored status words as the control words. (These status words were purposefully
stored with the registers in the same positions as in the original control words.)
Before giving the CIO, the I/O unit name must be entered in status word one, bits 1
and 2.
The failure status word in Figure 6-19 is set by a line to each I/O unit from each
module in the system as mentioned earlier. These flip-flops also drive lights on the
astronaut's control panel. The failure status word is read by the executive program
whenever the request program status word "F" flip-flop is found up. The executive
program will then compare the new failure status word with the last value of this status
word stored in the memory in order to determine what failure has occurred. The
appropriate reconfiguration and software checking actions will then be taken.
The I/O unit as shown in Figure 6-19 contains 150 flip-flops. An approximation
for the gates and drivers in the system would give a rough total (including flip-flops)
FET or device count of 5,000. This should easily be implemented on a single 150 mil
square chip in the 1975 time frame. (This assumes the 5,500 FET's per 150 mils
square presented earlier for the processor.)

6.2 FAILURE AND ERROR DETECTION AND CONTROL 
A preliminary treatment of failure and error detection and control was given in
Section IV for the multiprocessor organization. The coverage in that section of this
topic was primarily based on software methods of failure and error detection. Since the
multiprocessor was selected for further investigation, hardware methods of failure and
error detection were also investigated. This section will therefore cover both hardware
and software approaches to failure and error detection. The appropriate use of the two
methods, or the 'mix' of the two of them, to achieve failure and error detection cannot
be specified at this time. One of the most important parameters that will influence this
mix is the probability of failures or errors being intermittent or transient. If the
probability of intermittents is negligible, then software methods may suffice with very
little if any hardware methods added, and vice-versa. It should also be mentioned here
that the maximum time to detect a failure or error is a very important parameter when
determining the proper mix. This time was defined as 5 seconds for the application, and
this is long enough so as not to penalize software methods heavily (the smaller this
time, the higher the percentage of time devoted to software self test). The two
approaches are presented here, and further study is necessary to determine the exact mix
of the two that should be employed. A general treatment of the topic of failure and
error detection and control is given in Appendix 3; preliminary thoughts and various
approaches to this topic are given in that section.
6.2.1 Software Methods 
Software self tests are of two general types, problem oriented and machine oriented.
Both programs, if properly designed (that is, with knowledge of the hardware failure
modes used to determine checking values), will be equally complete. Problem oriented
programs utilize the operational program by either testing the normal output for
reasonableness or running a set of pre-chosen constants. Machine oriented self tests
are designed such that the test problem is based on the hardware characteristics,
independent of the particular sequence in which they are exercised in the operational
mode. Table 6-1 contains the dominant advantages and disadvantages of each approach.
Both processes have the common disadvantages that the percentage of lost computation
time is directly proportional to the required speed of error detection, and that the
error reporting is most often the absence of a go signal rather than a positive signal
output. They have the common advantage of flexibility as compared to hardware
approaches.
Table 6-1. Software Test Characteristics

Problem Oriented

  Advantages
  1. Minimum extra storage requirements.
  2. Errors affecting only that particular program being executed are detected.
     Useful when computer is performing a very limited set of functions.
  3. Running time is short when the operational program has a high cycle rate.

  Disadvantages
  1. Changes each time operational program changes. Added analysis and
     recertification of completeness required.
  2. Special safeguards must be implemented to inhibit outputs when test problem
     is being executed. In general, this lengthens operational program.
  3. Different error response for each computer in the system.

Machine Oriented

  Advantages
  1. Same program used for all processors.
  2. Program independent of problem changes.
  3. Added property of distinguishing between operational program mistakes and
     computer failures.
  4. Is generally constructed for in-house use and is available with small
     modifications for operational use.

  Disadvantages
  1. Requires additional storage capacity.
  2. Execution time longer when operational program has a high cycle rate.

Following is a listing of machine oriented software tests. These programs can be made
complete enough to provide a very high probability of detecting failures or errors,
approaching 100%, given that these are solid failures or errors. These tests may or may
not detect intermittents or transients; of course, as the tests are run at a higher rate
and take proportionately larger amounts of computation time away from the operational
program, more intermittents or transients will be detected.
6.2.1.1 Memory Check Sum
The memory check sum routine simply adds the contents of fixed storage locations
(instructions and constants) without regard to overflow and compares the result with
the prestored correct response. The function of the test is to check for potential
malfunctions in the computer memory and processor.
The check sum routine could be written to add all of fixed storage at one time. This
method was not chosen because of programming inefficiencies which would result from
having to keep track of which blocks in memory contain fixed information and which
contain variable information. Instead a check sum routine would be built into each
major programming segment and would be performed at the outset of the segment.
Parameters such as the starting address, number of locations to be added, and expected
check sum response are included as part of the program segment package. Initialization,
execution of the check sum, and checking of the response would be handled by a utility
routine. With indexing and the appropriate index test, decrement, and transfer
instruction, the check sum execution can be handled by a two instruction loop.
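Added example (not code from the report): a C sketch of the per-segment check sum described above, with the segment package and utility routine modeled as a hypothetical struct and functions over a constructed 16-word image of 18-bit words. Beyond the text, the last scenario shows a known limit of any additive sum: two opposite flips in the same bit position within one segment cancel and pass the check.

```c
/* Added example: per-segment memory check sum on 18-bit words.
   Names, layout and data are constructed; they are not from the report. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WORD_MASK 0x3FFFFu            /* 18-bit word, as in the 4K x 18 stacks */
#define MEM_WORDS 16

/* Parameters carried in the "program segment package". */
struct segment_pkg {
    size_t   start;                   /* starting address */
    size_t   count;                   /* number of locations to be added */
    uint32_t expected;                /* prestored correct check sum */
};

/* Constructed memory image: words 0-5 and 10-15 are fixed storage
   (instructions and constants); words 6-9 are variable storage. */
static const uint32_t IMAGE[MEM_WORDS] = {
    0x2A5A5, 0x10001, 0x3FFFF, 0x00777, 0x15555, 0x0F0F0,
    0x00000, 0x00000, 0x00000, 0x00000,
    0x3C3C3, 0x00001, 0x20000, 0x3FFFE, 0x12345, 0x0BEEF
};

/* Add the words without regard to overflow: carries out of bit 18 are lost. */
uint32_t check_sum(const uint32_t *mem, size_t start, size_t count)
{
    uint32_t sum = 0;
    for (size_t i = count; i > 0; i--)          /* index counts down to zero */
        sum = (sum + mem[start + i - 1]) & WORD_MASK;
    return sum;
}

/* Stand-in for the build step that prestores the correct response. */
struct segment_pkg build_pkg(size_t start, size_t count)
{
    struct segment_pkg p = { start, count, check_sum(IMAGE, start, count) };
    return p;
}

/* Utility routine run at the outset of a segment: 1 = go, 0 = failure. */
int segment_ok(const uint32_t *mem, const struct segment_pkg *p)
{
    return check_sum(mem, p->start, p->count) == p->expected;
}

/* Each scenario corrupts a private copy of IMAGE and reports what the two
   segment checks conclude: bit 0 = segment A go, bit 1 = segment B go. */
enum scenario { CLEAN, ONE_BIT_FLIP, VARIABLE_WRITE, OPPOSITE_FLIPS };

int run_scenario(enum scenario s)
{
    uint32_t mem[MEM_WORDS];
    struct segment_pkg a = build_pkg(0, 6), b = build_pkg(10, 6);
    memcpy(mem, IMAGE, sizeof mem);
    switch (s) {
    case ONE_BIT_FLIP:   mem[3] ^= 1u << 9;  break;   /* solid fault in segment A */
    case VARIABLE_WRITE: mem[7]  = 0x12345;  break;   /* ordinary data store */
    case OPPOSITE_FLIPS: mem[1] ^= 1u << 2;           /* bit 2 goes 0 -> 1 in word 1 */
                         mem[4] ^= 1u << 2;  break;   /* bit 2 goes 1 -> 0 in word 4 */
    case CLEAN:          break;
    }
    return segment_ok(mem, &a) | (segment_ok(mem, &b) << 1);
}

int main(void)
{
    static const char *name[] = { "clean", "one bit flip in A",
        "store to variable area", "opposite flips, same bit, in A" };
    for (int s = CLEAN; s <= OPPOSITE_FLIPS; s++) {
        int r = run_scenario((enum scenario)s);
        printf("%-32s A=%s B=%s\n", name[s],
               (r & 1) ? "go" : "FAIL", (r & 2) ? "go" : "FAIL");
    }
    return 0;
}
```

Because each segment carries its own parameters, the store to the variable area between the two segments never disturbs either check.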
6.2.1.2 Arithmetic Section Functional Test
This test checks the performance of the arithmetic section logic circuits of the
processor. No special test instructions are envisioned; therefore, no additional
hardware would be designed into the system to perform this test. Patterns for
exhaustively testing the arithmetic logic are prestored in memory and, under program
control, act as stimuli to the logic. The responses of the logic are compared with
prestored correct responses to determine the status.
Based on previous experience in writing this type of test, it is estimated that for
this application the test would require 425 instructions and 75 constants and temporary
storage locations. For a 4 µsec add time the test would run for about 2 msec. The degree
of completeness, or the ability of this test to detect arithmetic section errors, is
expected to be high (about 99 percent). Of course, proving this would require a thorough
analysis which involves determining likely component failure modes and the ability of
the test to detect the effects produced by the component failure modes. Such an effort
would be in order if further design were performed on the multiprocessor organization.
The test is performed at a periodic rate. Its frequency would be adjusted to
insure that the worst case reconfiguration time of 5 seconds during critical phases
would be met.
6.2.1.3 Program Control Test 
This test checks the ability of the computer to execute instructions in a legitimate
operational sequence. Computer malfunctions which produce effects that are described by
saying the computer is hung-up within an instruction, within a loop of random size, or
wandering aimlessly through instruction sequences, would be detected. Malfunctions
producing such effects can originate in the control logic of the processor, the memory,
the clocking system, or the power supply.
Efficient implementation of this test requires insertion of built-in test equipment
(BITE) to mechanize a timing device. As an example, a digital timer would operate as
follows: Under program control, a periodic square wave is set up and acts as input to
the timer, which consists of counters and associated logic. Tolerances are set on the
duration of the "high" and "low" portions of each cycle of the square wave and on the
period. The inability of the computer to provide this prescribed square wave, which
would occur in the presence of a control error, would be detected by wired-in logic
associated with the counter and result in the setting of an error flip-flop indicating
a computer failure. The period of the square wave and the associated tolerances would
be determined to satisfy the worst case reconfiguration time requirement of 5 seconds.
From the programming point of view, periodically, an instruction has to be
executed to effect the high portion of the wave, and a prescribed time later another
instruction is executed to effect the low portion.
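Added example (not code from the report): a C model of the digital timer check described above, with hypothetical names and assumed tolerances of 45 to 55 ticks on each half of the wave and 95 to 105 ticks on the period. It replays constructed instruction traces for a healthy program, a hung-up one, a tight loop, a skipped "set low" instruction, and a wave whose halves are each within tolerance but whose period is not.

```c
/* Added example: model of the BITE digital timer for the program control test.
   Tick values and tolerances are assumptions, not figures from the report. */
#include <stdint.h>
#include <stdio.h>

struct tol { uint32_t min, max; };

struct pc_timer {
    struct tol high, low, period;  /* tolerances, in timer ticks */
    int        level;              /* current state of the square wave */
    uint32_t   last_edge;          /* tick of the most recent transition */
    uint32_t   last_rise;          /* tick of the most recent low-to-high edge */
    int        have_rise;
    int        error_ff;           /* error flip-flop: stays set once set */
};

static int outside(struct tol t, uint32_t d) { return d < t.min || d > t.max; }

void pc_init(struct pc_timer *t, uint32_t now)
{
    t->high   = (struct tol){ 45, 55 };
    t->low    = (struct tol){ 45, 55 };
    t->period = (struct tol){ 95, 105 };
    t->level = 0; t->last_edge = now; t->last_rise = 0;
    t->have_rise = 0; t->error_ff = 0;
}

/* The program executed its "set high" (1) or "set low" (0) instruction. */
void pc_write(struct pc_timer *t, int level, uint32_t now)
{
    if (level == t->level)
        return;                              /* no edge: the counter keeps running */
    if (outside(t->level ? t->high : t->low, now - t->last_edge))
        t->error_ff = 1;                     /* portion too short or too long */
    if (level) {
        if (t->have_rise && outside(t->period, now - t->last_rise))
            t->error_ff = 1;                 /* period out of tolerance */
        t->last_rise = now;
        t->have_rise = 1;
    }
    t->level = level;
    t->last_edge = now;
}

/* Wired-in check made on every tick: catches a wave that has stopped. */
void pc_tick(struct pc_timer *t, uint32_t now)
{
    struct tol cur = t->level ? t->high : t->low;
    if (now - t->last_edge > cur.max)
        t->error_ff = 1;
}

struct ev { uint32_t at; int level; };       /* one executed timer instruction */

/* Replay a constructed instruction trace; return the error flip-flop. */
int run_trace(const struct ev *ev, int n, uint32_t end)
{
    struct pc_timer t;
    int k = 0;
    pc_init(&t, 0);
    for (uint32_t now = 1; now <= end; now++) {
        while (k < n && ev[k].at == now) {
            pc_write(&t, ev[k].level, now);
            k++;
        }
        pc_tick(&t, now);
    }
    return t.error_ff;
}

/* Constructed traces. */
static const struct ev HEALTHY[]    = {{50,1},{100,0},{150,1},{200,0},{250,1},{300,0}};
static const struct ev HUNG_UP[]    = {{50,1},{100,0},{150,1}};          /* then silence */
static const struct ev TIGHT_LOOP[] = {{50,1},{60,0},{70,1},{80,0}};     /* runs too often */
static const struct ev SKIPPED[]    = {{50,1},{150,1},{200,0}};          /* "set low" never ran */
static const struct ev SLOW[]       = {{50,1},{105,0},{160,1},{215,0}};  /* halves legal, period not */

int main(void)
{
    printf("healthy      -> error_ff=%d\n", run_trace(HEALTHY, 6, 320));
    printf("hung up      -> error_ff=%d\n", run_trace(HUNG_UP, 3, 320));
    printf("tight loop   -> error_ff=%d\n", run_trace(TIGHT_LOOP, 4, 320));
    printf("skipped low  -> error_ff=%d\n", run_trace(SKIPPED, 3, 320));
    printf("slow period  -> error_ff=%d\n", run_trace(SLOW, 4, 320));
    return 0;
}
```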
In the multiprocessor configuration the requirement has been established to isolate
errors to the processor or memory. The above tests provide this capability only to a
limited extent. For example, a processor arithmetic error can be isolated to the
processor by executing the arithmetic functional test twice, once from each of two
memories. Normally the test would be executed the second time only upon failure of the
first test. Similarly, a memory failure is isolable by a check sum where the memory is
an operand source, not an instruction source, for two processors. Where a memory is an
instruction source at the time of its failure, the program control test will detect the
error, as it will if the processor contains a control error.
The approach chosen to isolate errors between memories and processors (and
between processors and I/O units too) generally takes advantage of the fact that
isolation need not be instantaneous and that the space crew is available to perform
procedures as required for isolation subsequent to error detection. The penalty of
this approach is that more equipment than otherwise necessary may be placed in a
"down" condition at the time an error is detected and, of course, also that more crew
participation is required. However, an analysis of the mission success and availability
requirements shows that those requirements can be adequately met with this approach.
6.2.1.4 Input Signal Tests 
Tests performed on input signals can detect failures due to errors in sensors,
in data transmission, in input signal conditioning circuitry, or in transferring the
signal through the input section of the computer to either the processor section or
the memory. Where tests are performed during normal operation of the system
(on-line) the stimuli are not "canned" as they are in the case of arithmetic section
tests, since the sensors are not interrupted to provide prescribed input signals. In
place of prescribed sensor values for testing purposes, the validity of these signals
can be tested within the arithmetic section of the processor by a combination of the
following techniques: reasonableness tests, dual redundant inputs, and BITE.
Reasonableness tests use criteria such as the expected range and/or rate of the input
parameter for error detection. Redundant inputs allow the disagreement between the
inputs to provide error detection. BITE in the form of input conditioner built-in
stimuli under program control provides a backup to reasonableness tests and
redundancy both for enhancing the error detection capability and for error isolation.
The redundancy technique is the least desirable due to reliability and power
considerations and would be used selectively, only if a study of the proposed
reasonableness tests, BITE, and the criticality of the input signal indicate it is
necessary.
Given that errors will be detected by the above mentioned techniques, the
isolation problem is to determine if the input device, I/O conditioner, or computer
is the error source. It is assumed that the input device cannot monitor its own
status completely and will require computer participation for its status
determination. It is further assumed that if digital transmission errors represent a
significant problem, it would be handled by simple parity checking. A description of
the detection and isolation process follows.
Included in the program segment requesting an input is the test required to
verify it. If the input is acceptable, normal operation continues. If the input is found
to be in error, the error status is recorded in an assigned bit position of a status
word in memory. (Assume one status word is reserved for each I/O conditioner,
thereby allowing reference in this description to "I/O conditioner status words".)
Normal operation continues, even in this error case, except that the previous value
of the input is used in the computations in place of the present value. At a prescribed
point in the program, the executive looks at the contents of the I/O conditioner words.
If this is the first input cycle in which an error has been detected, the executive
permits performance of at least one more input cycle. Note that the number of input
cycles resulting in error reports should be greater than one since there is little
likelihood that an error will occur at the start of a cycle. But, once having occurred,
if it is a solid failure, it will be present throughout all subsequent input cycles and
its effect will be truly represented by the I/O conditioner status words.
Next, consider the manner in which the I/O conditioner status words can be
used to isolate the failure once the failure history is complete. Basically the process
is closely coupled to the function of the failed circuitry. If the failure occurs in
circuitry peculiar to a particular input, only that input signal will be affected and
only one input will be flagged in one of the I/O conditioner status words. Such errors
are either in the sensor, the transmission path between sensor and conditioner, or in
the conditioner prior to the point where inputs are multiplexed. If failures are
indicated in more than one input signal, the failed point must be in time-shared
circuitry. This could be in the conditioner between the point where inputs are
multiplexed and its output to the computer, the transmission path to the computer, or
in the computer input circuitry. (An additional source could be a gross sensor error
where the sensor provides more than one input signal and all have been affected. Such
specific cases can be checked for by the executive program if the sensor cannot be
depended upon to provide such information.) In the multiprocessor more than one
conditioner is tied to the computer input unit; therefore, errors in the computer's
input circuitry will affect most input signals.
Thus, it can be seen that the number of input signals affected and their relation
to one another can provide a certain degree of isolation of the error. The degree of
unambiguous isolation is related to the failure rates of the components within the
isolable boxes that can be associated with each effect. If all inputs were bad, one
would suspect the computer input unit; if the bad inputs were associated with one
conditioner, one would suspect the conditioner first even though there is circuitry
within the computer input unit associated only with that one conditioner, etc.
From the programming point of view, each input has associated with it certain
parameters and tests employing those parameters. Tests on operational inputs are
performed at the rate the operational program requires the inputs. Tests on
non-operational inputs such as those supplied by BITE test signals are performed at a
periodic rate. Detection of failures results in status notification by means of I/O
conditioner status words in memory. The executive program interrogates these
status words each cycle. A full cycle fault isolation routine is entered after the
true failure history has been recorded in the status words. Isolation to a sensor,
an I/O conditioner, or the computer input unit is achieved.
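Added example (not code from the report): a C sketch of the detection and isolation process of this section, assuming three conditioners with four inputs each, assumed range and rate limits, status words that are rebuilt every cycle, and a constructed fault model. It compares what the first error cycle alone would suggest with the verdict reached after the second cycle, which is why the executive waits.

```c
/* Added example: I/O conditioner status words and fault isolation (constructed data). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define N_COND 3      /* I/O conditioners on the computer input unit (assumed) */
#define N_IN   4      /* multiplexed inputs per conditioner (assumed) */

enum verdict { V_NONE, V_PENDING, V_INPUT_PATH, V_CONDITIONER, V_INPUT_UNIT };

/* Constructed fault: the failed element corrupts reads numbered [onset, clear). */
struct fault  { enum { F_SENSOR, F_COND, F_UNIT } kind; int c, i, onset, clear; };
struct result { enum verdict first_cycle, final; };

struct io_state {
    int      last_good[N_COND][N_IN];
    uint32_t status[N_COND];   /* one status word per conditioner, bit i = input i */
    int      error_cycles;     /* consecutive cycles that reported an error */
};

/* Reasonableness test (range, rate): a bad input sets its bit; the previous value is used. */
int accept_input(struct io_state *s, int c, int i, int raw)
{
    const int lo = 0, hi = 200, max_step = 20;       /* assumed limits */
    int prev = s->last_good[c][i];
    if (raw < lo || raw > hi || abs(raw - prev) > max_step) {
        s->status[c] |= 1u << i;
        return prev;
    }
    s->last_good[c][i] = raw;
    return raw;
}

/* Map one cycle's status words to the box to suspect first. */
enum verdict classify(const uint32_t *status)
{
    int bits = 0, conds = 0;
    for (int c = 0; c < N_COND; c++) {
        int n = 0;
        for (uint32_t w = status[c]; w; w &= w - 1) n++;   /* flagged inputs */
        bits += n;
        conds += (n > 0);
    }
    if (bits == 0) return V_NONE;
    if (conds > 1) return V_INPUT_UNIT;   /* errors span several conditioners */
    if (bits > 1)  return V_CONDITIONER;  /* time-shared part of one conditioner */
    return V_INPUT_PATH;                  /* sensor, its line, or pre-multiplex circuitry */
}

/* Executive, once per cycle: isolate only on the second consecutive error cycle. */
enum verdict executive(struct io_state *s)
{
    enum verdict v = classify(s->status);
    if (v == V_NONE) s->error_cycles = 0;
    else if (++s->error_cycles < 2) v = V_PENDING;
    for (int c = 0; c < N_COND; c++) s->status[c] = 0;   /* assumed: rebuilt each cycle */
    return v;
}

/* Nominal reading 100; a read passing through the failed element returns 900. */
static int raw_sample(const struct fault *f, int read_no, int c, int i)
{
    int hit = f->kind == F_UNIT || (c == f->c && (f->kind == F_COND || i == f->i));
    return (hit && read_no >= f->onset && read_no < f->clear) ? 900 : 100;
}

/* Run the given number of input cycles against one fault. */
struct result run(const struct fault *f, int cycles)
{
    struct io_state s = { .error_cycles = 0 };
    struct result r = { V_NONE, V_NONE };
    int read_no = 0;
    for (int k = 0; k < N_COND * N_IN; k++)
        s.last_good[k / N_IN][k % N_IN] = 100;
    for (int cyc = 0; cyc < cycles; cyc++) {
        for (int c = 0; c < N_COND; c++)
            for (int i = 0; i < N_IN; i++, read_no++)
                accept_input(&s, c, i, raw_sample(f, read_no, c, i));
        if (r.first_cycle == V_NONE)
            r.first_cycle = classify(s.status);   /* what that cycle alone would say */
        r.final = executive(&s);
    }
    return r;
}

/* Constructed faults: solid sensor, solid conditioner, solid input unit, transient. */
static const struct fault FAULTS[4] = {
    { F_SENSOR, 0, 2, 14, 1000 }, { F_COND,   1, 0, 19, 1000 },
    { F_UNIT,   0, 0, 21, 1000 }, { F_SENSOR, 0, 2, 14, 15 }
};

int main(void)
{
    static const char *vn[] = { "none", "pending", "input path", "conditioner", "input unit" };
    for (int k = 0; k < 4; k++) {
        struct result r = run(&FAULTS[k], 3);
        printf("fault %d: first error cycle alone: %s, executive: %s\n",
               k, vn[r.first_cycle], vn[r.final]);
    }
    return 0;
}
```

Each solid fault begins partway through an input cycle, so the first cycle's words understate it: the conditioner fault first looks like a single bad input and the input unit fault first looks like one bad conditioner.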
6.2.1.5 Output Signal Tests
In order to automatically detect errors in output signals, the loop on these signals
must be closed. For this reason, all conditioner outputs are fed back to conditioner
inputs and thereby made available for checking within the arithmetic section of the
processor. As opposed to input signal verification by means of reasonableness tests,
output signals are known at the time they are commanded. Therefore reasonableness tests
are not required. All comparisons can be done digitally. Thus, for example, the output
voltage derived from a digital output word can be brought back into the conditioner,
converted A to D, and the resulting digital input value compared with the original
digital output value.
The programming requirements for output signals are similar to those for inputs.
Associated with each output signal is a test which involves executing an input command
for the I/O conditioner input channel reserved for the feedback of the output, and
a comparison of input and output digital values. Test failure results in notification by
means of I/O conditioner status words and a possible suspension of this output
(note that for input errors past values were used while accumulating the failure
history. The same, of course, cannot be done for output errors). The executive
interrogates the status words each cycle. When the failure history is completed a
full cycle fault isolation routine is entered and the error is isolated to either the
computer output unit or to the I/O conditioner.
A problem that arises in the multiprocessor is the ability to isolate errors
between processors and I/O units. Generally, certain processor failures, and I/O
unit failures, will result in the same conditioner status words. The isolation
ambiguity is resolved by taking advantage of the built-in flexible communication
paths between each of the processors and each of the I/O units. Thus, one processor
can attempt to talk to two I/O units, or two processors can attempt to talk to the
same I/O unit. The implementation of this test is dependent on the multiprocessor
configuration at the time of the failure. It was further discussed in section 4.2.3.2
dealing with reconfiguration.
6.2.2 Hardware Methods 
Hardware methods of failure or error detection shall be considered in this
section; each of the modules shall be treated separately in the discussion that follows:
6.2.2.1 Memory
Fault detection methods were considered for three different memory approaches:
coincident select semiconductor and DRO ferrite memories, and the NDRO ferrite
memory. Each of these was considered unique enough to warrant separate treatment.
6.2.2.1.1 Coincident Select LSI Semiconductor Memory
The coincident select semiconductor memory organization described in 6.1.2.1
was investigated to determine the hardware fault detection methods that may be
employed. The memory organization is shown in Figure 6-12. The selected hardware
detection methods will be described below.
The selection of the hardware fault detection method was based on a functional
evaluation of the memory. Reference should be made to Figure 6-12 in the discussion
below. Primarily this consisted of determining whether the word has been written
or read correctly. The address is checked as it enters the memory module from the
processor for correct parity. The address is further checked at the output of the
address register. Since the output is connected to each of the 4K x 18 memory stacks
this then guarantees that the correct address is inputted to each stack.
It should now be noted that any failure in the addressing function from this
point on will propagate as a failure in one bit position of the selected word and will
be detected by a check on the word as it is read out of the memory. This holds true for
single failures, as is being considered; of course, the probability of certain
combinations of multiple failures will reduce the probability of detection. The fact
that only one bit will be affected by any failures may be seen by referring to
Figure 6-10, the organization of the memory cell array. As shown in the drawing, each
cell array contains its own row and column address decoding and selection circuitry.
Each cell array represents one bit of a word and also each cell array receives the same
address. Thus any failure in one of the arrays will affect only the corresponding bit.
It was stated that the address is checked and verified correct before it enters
each 4K stack. This is accomplished in the block labeled Input Data Control and
Address Register. A 14 bit address enters this block; it is parity checked in the
address register. Twelve of these bits then are sent to the 4K stacks. The
remaining two bits are used to control the selection of one out of the three stacks.
This selection is combined with control signals from the Data Transfer Control
block to control each of the two control lines to each 4K stack. The signals on each
of these two control lines are monitored by a series of logic gates and checked
against the original two bits in the address register to determine that the proper
control signal was activated. This is a feedback type check on the logic decoding
and gating circuitry.
A parity check is performed at the interface to the processors (after the
I/O blocks) to detect errors in the data read out of the memory. This parity check
will detect all single failures and certain multiple failures from the 4K stacks
through the Word Output Gating and the I/O blocks. The Data Transfer Control
Block will contain some checking circuitry to detect the issuance of the proper
gating control signals. However, the request scanning functions of this block can be
checked by the processor. The processor will simply check the time to have a request
for a memory cycle honored. If the time exceeds a preset amount then the memory
is declared faulty. The results of all the fault detecting circuitry are outputted to
the line labeled "fault".
It should be noted here that a small number of logic elements can be included
in the fault detection circuitry to validate the fault detection capability. This
consists of logic for decoding three addresses to provide inputs to the detection
circuitry to simulate a bad state. The fault line may then be sampled by the processor
to determine whether it is activated. The parity checker circuits can be checked by
injecting a word into the module with incorrect parity and monitoring the "fault" line.
To summarize, the following hardware is recommended for hardware fault
detection methods on this type of memory organization: parity checking at the
interface to the processors and at the address register in the Input Data Control and
Address Register block, stack selection address decoding check by feedback in this
same block, and comparison of control signal states out of the Data Transfer and
Control block with those entering it from the processors. It is felt that this will
provide a high degree of confidence in checking the memory (close to 100%).
6.2.2.1.2 Coincident Core DRO Magnetic Memory 
The organization of this memory module is the same as that shown in
Figure 6-12 for the semiconductor memory. The major differences are in the blocks
labeled 4K stacks. The DRO Magnetic memory consists of a different approach to
address decoding and switch selection; sense and inhibit circuitry and a data register
are also needed. These are shown in Figure 6-20, a detailed description of the 4K
stack block.
To detect failures in this memory module, the same discussion as given above
for functionally checking the semiconductor memory module applies. However, the
4K stack block for this organization requires some additional fault detection circuitry.
The reason for the additional detection hardware required is basically that the bits
are not separated as in the semiconductor memory. The address decoding and switch
selection circuitry is used to select one row and one column for all bits in the stack.
Failures may occur which can cause more than one row or more than one column
being energized. As an example, if one column is energized and two rows were
energized, the coincident current at two cores in each bit plane will be 3/4 Is, where
Is is the normal full coincident current used to switch the cores. The cores then
may, may not, or might possibly switch with this current depending on the core stack
design. It is therefore possible to have a random effect with regard to the word
read out of the core stack with this type of failure.
Failures such as this dictated special hardware for detection. The approach
taken was to monitor the driver and sink switch selection right at the input to the
core stack. As shown in Figure 6-20, several logic gates are used to monitor the
selection and compare this with the address sent to the 4K stack block. This checking
determines that the proper selection has been made, and that not more than one
driver or switch has been turned on. Therefore, since the address into this block
has been checked for correctness, the monitoring circuitry verifies that the correct
address has been selected. This is a feedback type check on decoding circuitry.
It should also be noted that six addresses are decoded to be used as a test on the
detecting circuitry. Whenever these addresses are selected, a fault output signal
from the memory module must be present. The detecting circuitry shown in
Figure 6-20 represents only a quadrant of a 4K stack; this circuitry is therefore
quadrupled for the entire block.
There may also be faults in this block which are not detected by this monitoring
circuitry. However, these faults will be detected by the parity check on the word
readout. Examples of these faults are those in the sense or inhibit amps or in diodes
associated with the driver and sink switches.
Referring once again to Figure 6-12, this overall memory module block diagram
requires some additional hardware for fault detection in the blocks labeled 4K stacks,
as discussed above; in addition to that hardware and that discussed for the
semiconductor memory, some additional circuitry has to be placed in the Word Output
Gating block. Three additional lines are inputted to this block (the read lines from
the Input Data Control and Address Register block); these lines simply control the
outputting of the proper 4K stack. This requires an extra gate for every bit line
into the Word Output Gating block. What this hardware does is prevent two stacks
from outputting a word simultaneously. This situation could occur if one stack had
its read control and timing circuitry frozen true. As noted previously, this
simultaneous output of more than one word can produce random effects that are
difficult to detect. The circuitry described above essentially prevents the occurrence
of these faults.

[Figure 6-20. Coincident Current Memory - 4K Stack Fault Detection. Note: * indicates fault detection circuitry.]

6.2.2.1.3 Linear Select NDRO Ferrite Memory
The organization of this memory module is given in Figure 6-18. Functionally
it is somewhat similar to that described in Figure 6-12 for the other two memories.
The main difference is that a 12K stack is used in place of the three 4K stacks. This
eliminates the need for the Word Output Gating block. In addition the Input Data
Control and Address Register block is considerably simpler since it is not required
to select one out of three stacks.
With regard to the fault detection problem, the stack selection address checking
circuitry in the Input Data Control and Address Register block is no longer required.
The organization of the 12K stack is shown in Figure 6-18. This block is functionally
checked by the same approach described for the Coincident Core DRO Memory 4K
stack described above. However, the exact structure of the selection circuitry
monitoring gates differs slightly from that shown in Figure 6-20.
To check  the  word line  drivers and sink  switches  the output of each  line is 
checked  at  the input to  the  stack by the  feedback  approach  described in para- 
graph  6.2.2.1.2 to  determine  that  the  proper 1 out of 32 drivers and 1 out of 32 sinks 
was selected. In addition, the selection switches for controlling the write selection 
gates and the  bit output gates  are  monitored in the  same  manner and compared with 
the 4 bits of the  address  reserved  for  this function  to determine  that  the  proper one 
out of 1 2  was  selected.  Parity  checking is performed  functionally and in the  same 
places  as with the other two memories. 
6.2.2.2 Processor
The processor module was investigated to determine the hardware methods
that would be used for hardware fault detection. Reference should be made to
paragraph 6.1, Figure 6-6, for details on the processor.
6.2.2.2.1 Data Transfers
Data transfers will be checked by testing the parity of the contents of a register
after it receives new data. For this purpose, every register whose contents are
thus checked will be connected to a parity bus. The parity bus will be connected to
a parity checker, which will generate an alarm when incorrect parity occurs.
The segments of an instruction are stored in several registers. The parity of
the information transferred to these registers will be checked by concatenating
their contents. This parity checking will provide a check on all the registers in the
processor section and the communication to and from them (U1, U2, L, MB, B1,
B2, T1-T7, OER, IR, TR, SR in Figure 6-6).
6.2.2.2.2 Adder
The operations performed by an adder will be checked and a parity bit will be
concatenated with the output operand before the result is transferred to a register.
Since some operations will be checked by parity, the output of the adder will be gated
into the parity checker.
Since the structure of the adder is not firm, the plans for checking the operations
are tentative. However, the following techniques are contemplated.
AND - The results of a logical multiplication can be obtained from the carries if
the carry inputs to the adder bits are set equal to zero. The carries will be
checked and their parity can be generated and concatenated with the result.
Checking parity of the result will detect errors between the generation of carries
and their transmission to the adder output. The parity bit will be generated in a
parity generator capable of calculating the Mod 2 sum of the parities of the adder
inputs and the carries. However, the parities of the adder inputs will in this
situation be treated as though they were equal to zero.
OR - The results of a logical addition can be checked by parity. If A and B are
two words, then
$$P(AB) \equiv \sum_i A_i B_i, \qquad P(A\bar{B}) \equiv \sum_i A_i \bar{B}_i, \qquad P(\bar{A}B) \equiv \sum_i \bar{A}_i B_i \pmod 2$$
It can also be seen that
$$P(A \cup B) \equiv P(A\bar{B}) \oplus P(\bar{A}B) \oplus P(AB)$$
$$P(A) \equiv P(A\bar{B}) \oplus P(AB)$$
$$P(B) \equiv P(\bar{A}B) \oplus P(AB) \pmod 2$$
$$P(A) \oplus P(B) \oplus P(AB) \equiv P(A\bar{B}) \oplus P(\bar{A}B) \oplus 3P(AB) \equiv P(A\bar{B}) \oplus P(\bar{A}B) \oplus P(AB)$$
Hence
$$P(A \cup B) \equiv P(A) \oplus P(B) \oplus P(AB) \pmod 2$$
Now P(AB) is the parity of the carries when the carry inputs to the adder bits
are zero. Thus, a parity bit can be obtained from the sum of the parities of the
carries and the adder inputs.
EXCLUSIVE OR - In exclusive or, the parity of the result is equal to the sum of
the parities of the inputs. Hence, the parity bit will be generated by regarding
the carries as equal to zero.
ADDITION, SUBTRACTION - In addition or subtraction, the parity of the result
is:
$$P(A \pm B) = P(A) + P(B) + P(C)$$
where C is the set of carries. The carries are checked independently of the
over-all parity check and then fed into the parity generator along with the parities
of the inputs.
The structure of an adder making use of parity checks for addition and subtraction
is shown in Figure C-3 of Appendix C.
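The parity-prediction rules above for AND, OR, EXCLUSIVE OR, addition and subtraction can be exercised in a small model; this is an added example, not code or logic from the report. It assumes a ripple-carry adder, subtraction performed as A plus the complement of B plus 1, and hypothetical fault-injection parameters (`output_fault`, `carry_fault`); the operand values are constructed.

```python
WIDTH = 18                      # word length of the 18-bit machine discussed in the report
MASK = (1 << WIDTH) - 1

def parity(x):
    """Mod-2 sum of the bits of x (1 means an odd number of ones)."""
    return bin(x & MASK).count("1") & 1

def carry_vector(x, y, carry_in=0, flip_at=None):
    """Carries INTO each bit position of a ripple adder (bit i = carry into bit i).

    flip_at models a fault that inverts the carry entering that position; the
    wrong value then propagates up the chain as it would in hardware.
    """
    c, vec = carry_in & 1, 0
    for i in range(WIDTH):
        if i == flip_at:
            c ^= 1
        vec |= c << i
        xi, yi = (x >> i) & 1, (y >> i) & 1
        c = (xi & yi) | (xi & c) | (yi & c)
    return vec                  # the carry out of the top bit is not part of the word

def adder(op, a, b, carry_fault=None):
    """Return (result, x, y, carries); x and y are the words presented to the adder."""
    x, y = a & MASK, b & MASK
    if op == "AND":             # carry inputs forced to zero: carry i is x_i AND y_i
        return x & y, x, y, x & y
    if op == "OR":
        return x | y, x, y, x & y
    if op == "XOR":             # carries regarded as zero
        return x ^ y, x, y, 0
    carry_in = 0
    if op == "SUB":             # assumption: subtract is A + (complement of B) + 1
        y, carry_in = ~y & MASK, 1
    c = carry_vector(x, y, carry_in, carry_fault)
    return x ^ y ^ c, x, y, c

def predicted_parity(op, x, y, carries):
    """Parity bit generated from input and carry parities, never from the result."""
    p_inputs = 0 if op == "AND" else parity(x) ^ parity(y)   # AND: inputs treated as zero
    p_carries = 0 if op == "XOR" else parity(carries)
    return p_inputs ^ p_carries

def alarm(op, a, b, output_fault=0, carry_fault=None):
    """True if the checker at the destination register sees wrong parity.

    output_fault is a mask of result bits flipped between adder and register.
    """
    result, x, y, carries = adder(op, a, b, carry_fault)
    delivered = result ^ (output_fault & MASK)
    return parity(delivered) != predicted_parity(op, x, y, carries)

OPS = ("AND", "OR", "XOR", "ADD", "SUB")
# Constructed operands (octal), chosen to exercise long carry chains and borrows.
SAMPLES = [(0o123456, 0o654321), (0, MASK), (MASK, 1), (0o252525, 0o525252)]

def survey():
    """Count alarms and misses over every operation and constructed operand pair."""
    cases = [(op, a, b) for op in OPS for a, b in SAMPLES]
    return {
        "fault_free_alarms": sum(alarm(*c) for c in cases),
        "single_bit_output_faults_missed": sum(
            not alarm(*c, output_fault=1 << k) for c in cases for k in range(WIDTH)),
        "double_bit_output_faults_caught": sum(
            alarm(*c, output_fault=0b11) for c in cases),
        "carry_faults_caught_by_parity": sum(
            alarm("ADD", a, b, carry_fault=k) for a, b in SAMPLES for k in range(WIDTH)),
    }

if __name__ == "__main__":
    for name, count in survey().items():
        print(f"{name}: {count}")
```

Every count is zero: no false alarms, every single-bit output fault is caught, and neither two-bit output faults nor carry faults disturb the parity relation, the latter because a wrong carry changes the result and the predicted parity together, which is why the carries need their own independent check. With an even word length the parity of the complemented subtrahend equals P(B), so the model agrees with the formula as written.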
6.2.2.2.3 Decoders
Decoders will be checked by feedback to determine whether or not the correct
signal, and only that signal, is generated. The approach is identical to that shown in
Figure 6-20 for checking the address decoding for the ferrite memory organizations.
If a control memory is used for the instruction decoding and control signal
generation function, the detection hardware would be organized the same as given in
Figure 6-20. It should be noted that conventional logic decoders can be checked in a
similar manner; however, some additional detection circuitry would be needed within
the logic net.
6.2.2.2.4 Gating Signals
Gating signals will be checked by parity. All the gating signals together with a
set of pseudo-gating signals are transmitted to a parity checker. Parity should be
odd at all times except for transient intervals during which parity is not examined.
One pseudo-gating signal is a parity signal. This is generated for each clock
period of each instruction. Its truth value is determined so that odd parity is
generated.
Another type of pseudo-gating signal is used in connection with a conditional
gating signal. For a given combination of instruction and bit time, a gating signal
will be generated if and only if certain conditions are true. For these combinations
of instruction and bit time there should be another gating signal or pseudo-gating
signal which is generated if and only if these conditions are false. Then, regardless
of the truth value of the set of conditions, exactly one of these gating signals or
pseudo-gating signals will be generated for that instruction and bit time. Hence the
parity of the entire set of gating signals and pseudo-gating signals will not depend on
the truth value of these conditions.
A third type of pseudo-gating signal is used to guarantee that the fan-out of any
gate includes an odd number of gating signals which would be in error as a result of
an error in the output of the gate.
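The first two kinds of pseudo-gating signal can be modelled for a single control step; this is an added example, not taken from the report, and it leaves the third (fan-out) kind out. The signal names, the condition names, the `not_` prefix and the name `PAR` are hypothetical; only the register names come from Figure 6-6 as listed in the text.

```python
from itertools import product

PARITY_SIGNAL = "PAR"           # hypothetical name for the parity pseudo-gating signal

def build_step(unconditional, conditional):
    """Design-time construction of one (instruction, clock period) control step.

    unconditional: gating signals always raised in this step.
    conditional:   {gating signal: condition name}; raised only if the condition is true.
    A complement pseudo-gating signal is added for every conditional signal, and the
    parity pseudo-gating signal is enabled when the count would otherwise be even.
    """
    complements = {"not_" + sig: cond for sig, cond in conditional.items()}
    # Exactly one signal of every conditional pair fires, so the number of active
    # signals is fixed at design time and does not depend on the conditions.
    fixed_count = len(unconditional) + len(conditional)
    return {
        "always": set(unconditional),
        "if_true": dict(conditional),
        "if_false": complements,
        "parity_signal": fixed_count % 2 == 0,
    }

def active_signals(step, conditions, use_complements=True):
    """Signals raised in this step for one assignment of truth values to the conditions."""
    active = set(step["always"])
    active |= {s for s, c in step["if_true"].items() if conditions[c]}
    if use_complements:
        active |= {s for s, c in step["if_false"].items() if not conditions[c]}
    if step["parity_signal"]:
        active.add(PARITY_SIGNAL)
    return active

def parity_alarm(active):
    """The checker expects odd parity over gating plus pseudo-gating signals."""
    return len(active) % 2 == 0

def condition_cases(step):
    """Every combination of truth values for the conditions used in the step."""
    names = sorted(set(step["if_true"].values()))
    return [dict(zip(names, values))
            for values in product((False, True), repeat=len(names))]

def survey_step(step):
    """Count alarms and misses over all condition values and single-signal faults."""
    cases = condition_cases(step)
    good = [active_signals(step, c) for c in cases]
    return {
        "fault_free_alarms": sum(parity_alarm(a) for a in good),
        "dropped_signals_missed": sum(not parity_alarm(a - {s}) for a in good for s in a),
        "spurious_signals_missed": sum(not parity_alarm(a | {"spurious"}) for a in good),
        "alarms_without_complements": sum(
            parity_alarm(active_signals(step, c, use_complements=False)) for c in cases),
    }

# Constructed control step: two unconditional and two conditional gating signals.
DEMO_STEP = build_step(
    ["MB_to_B1", "B1_to_adder"],
    {"adder_to_U1": "no_overflow", "set_TR": "sign_negative"},
)

if __name__ == "__main__":
    for name, count in survey_step(DEMO_STEP).items():
        print(f"{name}: {count}")
```

With the complement signals in place the checker is silent for all four condition combinations and flags every single dropped or spurious signal; without them, two of the four fault-free combinations would raise a false alarm.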
6.2.2.2.5 Control Flip-Flops
The states of the control flip-flops (RM, PMR, IMR, etc., in Figure 6-6) can be
checked by parity, special redundancy and duplication.
The parity of a set of flip-flops is known if one of the following is known:
1. The initial parity and the number of triggerings.
2. The parity of the set of values inserted into the flip-flops.
Thus, if either of these is known, a parity check can be used to test the
correctness of the configuration of states.
For some sets of flip-flops parity may not be sufficient. There may be
redundancies which would fix the parity even though a single fault is present. For
example, a set of flip-flops may be designed so that any one of them should be set.
If the wrong one were set, parity would remain odd. In this situation it might be
possible to combine the flip-flops into subsets. Then if the flip-flop which is set is
in the wrong subset, an error is detected. This is an example of the special use of
redundancy.
A preliminary examination of the control flip-flops indicates that they may simply
be checked by parity.
6.2.2.2.6 Counters
Counters can be checked by duplication or by the use of unit distance counters.
Unit distance counters appear the most attractive in terms of adding little additional
hardware; however, problems are encountered since most data loaded into the counters
will be in regular binary code. This means that code conversion must be provided
either via software or hardware. Time has not permitted investigating this topic
further; therefore, a specific recommendation for checking the counters cannot be
made.
6.2.2.2.7 Clock Pulse Stream
A fault in the clock-pulse stream is detected by the charging or discharging of a
capacitance. A flip-flop is triggered by every clock pulse. Its output will charge or
discharge a capacitance in accordance with the state of the flip-flop. Hence if the
flip-flop changes state every pulse period, the resulting voltage will assume a correct
stable value. However, if the flip-flop remains in the same state, the voltage will go
to a value which is either higher or lower than that correct stable value, depending upon
the state of the flip-flop. When the voltage goes above or below a threshold, an alarm
is generated.
6.2.2.2.8 BITE Timing Circuitry
This hardware is used in conjunction with software checks. As explained in that
section, the instruction sequencing test is used to control the setting and resetting of a
flip-flop which is used to charge a capacitance, and deviation from a nominal value will
be detected by tolerance circuitry which controls the generation of an alarm.
6.2.2.2.9 Request Timer
A simple one-shot timer can be used to insure that a request signal is honored
within some period of time. This time would have to be set to the worst case
permissible. It should be noted that this is a check on the memory modules and the
interface therein.
The above discussion presented hardware detection methods for the processor.
It can be seen that the processor requires relatively more hardware than the memory
for fault detection. It is doubtful that it would be necessary to add in all the above
hardware checks when hardware and software fault detection methods are combined.
A preliminary feeling for this indicates that: (a) parity checking on data transfers,
(c) feedback checking on decoders, (e) parity check on the state of control flip-flops,
(h) BITE Timing Circuitry, and (i) Request Timer as described above would probably
be used. The first three are relatively inexpensive and check out a large portion of
the processor, and the last two may almost be required since it is difficult to replace
them entirely with software. The remainder of the hardware detection methods would
probably be subject to extensive trade-offs with software methods.
6.2.2.3 Input/Output
Hardware approaches to fault detection for the I/O module are given below.
Reference should be made to Figure 6-19 for details on this module.
6.2.2.3.1 Transfers
Transfers of data words, control words and addresses between the memory and
the I/O will be checked by a parallel parity checker. The registers involved in these
transfers will be connected to a parity bus; also connected to this bus is a parity
checker.
Data transfers between the Assembly Shift Register and the Conditioners are
checked by parity. To check or generate parity at the Conditioner in question, a
flip-flop can be triggered once for each one transmitted in the serial channel. If
necessary, an extra bit position can be filled with a zero to make even the total
number of bit positions. Then it would be possible to check odd parity over an even
number of bit positions. The parity check would then guarantee that at least one one
has been transmitted. Otherwise, the parity would be even for an all zero word. It
would also guarantee that at least one zero has been transmitted. Otherwise there
would be a one from each of an even number of bit positions to give even parity.
Data transfers between the Buffer Register and the Bulk Storage would also be
protected by parity checks. The thoroughness of the protection will depend upon the
final design of the Bulk Storage. These parity checks will also provide fault detection
capability for the two aforementioned registers and the MR register.
6.2.2.3.2 Counters
The same comments as given for the processor apply here. No final
recommendation has been reached for the counters.
6.2.2.3.3 Decoders
Decoders for selecting specific conditioners or devices are checked by feedback
of the acknowledge signal. Each feedback signal is compared with each bit of the
register; if any bit of the register is inconsistent with the feedback signal, an alarm is
generated.
6.2.3.3.4 Acknowledgements
Control signals transmitted between the I/O and another module to initiate
cooperative actions are protected by acknowledgements. Associated with each control
signal of this type, there is a time delay. If the acknowledgement does not arrive
before the time delay expires, an alarm is initiated. If an extraneous acknowledgement
is received, an alarm should be generated. The control flip-flops whose states
determine the appropriateness of the acknowledgement are used to detect the
extraneous acknowledgement. This is accomplished as explained under "Decoders."
The time delay associated with an acknowledgement is designed to expire when
1. The delay in the acknowledgement is longer than the maximum delay in a
good device.
2. The delay in the acknowledgement is longer than the requesting device can
tolerate.
Situation (1) always calls for an alarm leading to a roll-back or reconfiguration.
Situation (2) may call for such an alarm. On the other hand, it could result from
congestion or latency.
6.2.3.3.5 Control Flip-Flops
Same comments as given in the processor section apply here.
6.3 EXECUTIVE PROGRAM
In the following paragraphs, flow diagrams of the major executive functions are
presented (Figure 6-21). Several areas are not included: the effect of I/O and error
detection management on the I/O Supervisor, message processors, and the self-test
routines.
Following is a list of the entries referenced in the diagrams; those that are not
designed are marked with an asterisk (*). (Reference should be made to Paragraph 4.2
for general discussions on these routines.)
1. PIE (Program Interrupt Entry) - Entered from the RTC zero-transition
interrupt. Performs basic scheduling of periodic, request and background
programs.
2. PPT (Periodic Programs Termination) - Point at which periodic programs
return to PIE when completed.
3. RPT (Request Programs Termination) - Point at which request programs
return to PIE when completed.
4. BPT (Background Programs Termination) - Point at which background
programs return to PIE when completed.
5. FSE (Fill Start Entry) - Entered from the fill function. Status is saved and
is entered to schedule background computation.
6. FEE (Fill Exit Entry) - Entered from the fill clock zero transition interrupt.
The background status is saved and the program issuing the fill request is
resumed.
7. PLE (Phased Loading Entry) - Entered as a NOW request program.
Accomplishes loading and initialization of a new program configuration
without closing down the current periodic computations until the new
periodic programs are ready to take over.
8. CSE (Cold Start Entry) - When a dormant processor-memory-I/O
configuration is activated, control is eventually passed to this entry with RTC
already at zero. Preparations are made for entry into PLE for loading of a
program configuration.
9. RLE (Request Loading Entry) - Used to load request programs on a priority
basis.
10. RSE (Request Select Entry) - Entry for selecting request programs for
execution with specified priorities.
11. RME (Request Monitor Entry) - Places selected request programs in the
request scheduling queue according to priority.
12. CMP (Console Message Processor) - Reads, verifies and initiates action in
response to directives from the console.
*13. PST (Periodic Self-Test) - Performs whatever is necessary at the RTC
frequency.
*14. CSC (Comprehensive Self-Check) - Complete validation of the system
(hardware and software). Used only from CSE and fault isolation programs.
15. FFE (Forced Fault Entry) - Creates a failure condition for the processor-
memory combination by issuing a pulse stream flip-flop signal out of
synchronization.
*16. (READ) - Used to transmit information from mass storage to main memory.
A data base is assumed in these designs. Table 6-2 lists these parameters with
cross-references to the entries which use them:
Table 6-2. Executive Data Base Table
Parameter  Description
checksum value, check start
point & check segment length
SP(i) interrupt register save area
R(i) Entry for ith request program in the Request Scheduling Table (R-table); consists of
queue pointer & checksum data:
checksum value, check start
point & check segment length
Entries
PIE, PLE, CSE
PIE, PLE, RLE
Table 6-2. (Cont)
Parameter Entries Description
PIE, PLE  Entry for ith background program in the
Background Table (B-table)
&\\=tion entry 
e 
\YGtion  entry 
pointer  to next background 
checksum  data: 
Checksum value, check start  
point & check  segment  length 
PIE, FSE, FEE  Hard-wired area for interrupt system
storage of registers
Primary and secondary areas for request
programs status retention
Status retention area for background
programs
Status retention area for fill function
users
Empty Storage capacity
PIE
PIE, FEE
FSE, FEE  Sx
RLE
PIE, CSE  Primary interrupt system clock
Fill function interrupt clock
Index of periodic program currently in
execution
Index of periodic program last interrupted
Number of periodic programs
PIE
PIE
PIE
PIE
PIE  Indices of currently executing and last
interrupted request programs
Index of NOW request program
PIE, RME, RLE
PIE, RME, RLE  Index of NEXT request program
ra, rx  PIE, RME, RLE  Indices of first request programs on the ASAP and non-priority queues
Table 6-2. (Cont)
Parameter Entries Description
r*  PIE  Index of request program being executed by "this" processor
r?  PIE  Index of request program being executed by "opposing" processor
rc  PIE  Index of request program selected for execution
b*  PIE  Index of background program currently in execution
bP  PIE  Index of next background program to be executed
Next phase number  PLE
Entry for jth request program in the  RME
rV  Index of request program being loaded  RLE
rr  Number of entries in the Request Board  RME
Figure 6-21. Executive Flow Diagrams (Sheet 1 of 8) [flow diagram not reproduced; legible annotation: status at RTC interrupt is saved in proper save area]
Figure 6-21. Executive Flow Diagrams (Sheet 2 of 8) [flow diagram not reproduced; legible annotation: request programs scheduling]
Figure 6-21. Executive Flow Diagrams (Sheet 3 of 8) [flow diagram not reproduced; legible annotation: request queue is reorganized when the top request is satisfied]
Figure 6-21. Executive Flow Diagrams (Sheet 4 of 8) [flow diagram not reproduced; legible annotation: scheduling background programs]
Figure 6-21. Executive Flow Diagrams (Sheet 5 of 8) [flow diagram not reproduced; legible annotation: the functional configuration is reconfigured without disruption of any periodic calculations]
Figure 6-21. Executive Flow Diagrams (Sheet 6 of 8) [flow diagram not reproduced; legible annotation: modules must be blocked out or unblocked from others depending on the mission phase]
Figure 6-21. Executive Flow Diagrams (Sheet 7 of 8) [flow diagram not reproduced; legible annotation: a configuration is constructed for a dormant set of modules]
Figure 6-21. Executive Flow Diagrams (Sheet 8 of 8) [flow diagram not reproduced; legible label: RLE (RECONFIG.)]
VII. SUMMARY AND RECOMMENDATIONS
A summary of the work accomplished during this study, along with areas
requiring further investigation, is given below. Computer requirements were defined
for what is considered a representative future manned space mission, the Mars
Lander Mission. Some significant points about the requirements are the widely
varying computer requirements in terms of speed and storage from phase to phase
and the critical nature of the computations during certain phases such as atmospheric
entry. The requirements have a large influence on the computer design, and there are
many areas which could not be covered completely, primarily due to a lack of data.
Some of the more important areas are: (a) the interface between the computer and
the sensors, where information is lacking as to the nature of the signals expected;
(b) precision requirements for various computations need to be firmly defined, and the
question as to whether floating point is needed for some navigation and guidance
functions should be decided; (c) the structure of a reliable bulk storage unit for the
time period of interest should be investigated; and (d) the investigation and design of
ultra reliability switch networks. Any future requirements studies should take into
account the above points.
Three types of multiprocessing organizations were presented. These
organizations span technology that may be considered as state of the art to that
expected over the next 10 years. The modular multiprocessor organization was
selected for a detailed investigation. All the functional features of the memory,
processor, and Input/Output modules have been designed. The next step in the design
of the computer would be a detailed logic design and layout. The modular
multiprocessor was shown to meet the requirements of this mission quite efficiently.
Its organization permits the turning on and off of any module, thereby providing a
good match to the diverse computational requirements from phase to phase. It also
provides the capability for a significant enhancement in probability of success and
availability, as was shown in the simulation results. This is due to the reconfiguration
around failures at the module level and the increase in reliability due to turning
modules off, given that dormant failure rates are lower than operating failure rates.
The simulation pointed out two points that need further investigation: (a) the
relative difference between dormant and operating failure rates needs to be
determined, as this factor has a profound effect on the computer design, and (b) Monte
Carlo methods become increasingly expensive in terms of computer time as the
organizational complexity is increased, and analytical methods should be developed for
complex missions such as this one.
With regard to the functional design of the three organizations, the distributed
processor is the one which needs more work in all areas (logic design, failure
analysis, software) to further assess its advantages and disadvantages. The area of
the modular multiprocessor which should receive further study is the input/output
software mechanization and in particular the software utilization of I/O failure
detection information.
Software and hardware failure detection methods have been investigated; it is
felt that the relative importance of intermittent type failures is an area in need of
immediate attention to determine the relative use of these two methods for failure
detection.

APPENDIX A. DETAILED COMPUTER REQUIREMENTS
This appendix contains a tabulation of computer requirements on a per phase
basis (Table A-1). The requirements for each phase are given for each of the four
basic functions: (a) Navigation and Guidance, (b) Tele-Communications, (c) Experiment
Data Processing, and (d) System Checkout. These four functions are further
broken down into sub functions for each phase. Section II, 2.8 contained a discussion
of each of these sub functions. It should be noted that the requirements are given as
sub totals for each of the four functions for each phase and also as totals for each
phase.
In addition a "Cumulative Total" is tabulated for each phase. This cumulative
total is the total storage that would be required in the computer if the programs for
each phase were cumulatively stored in the computer (this is the case if a bulk storage
unit is not used). The storage requirements are not directly added on to each other
from phase to phase since many of the functions are identical in more than one phase;
as an example, the tele-communications functions of the trans-Mars coast and trajectory
correction are identical. The storage requirement tabulated as cumulative would
exist in a computer that is not reloaded with new programs from phase to phase.
It should be noted that these requirements were derived before an 18 bit
computer with indexing and other features previously discussed was decided upon.
Therefore, these requirements do not take into account word length required in
arriving at storage and speed; that is, no half length or double length considerations
are made and no special features such as indexing, indirecting, or multiple
accumulators are assumed available. The same general discussion as given in Section II, 2.9
holds true for deriving the computer requirements and for overhead requirements
(executive, I/O, etc.).
Figure A-1 contains the requirements in a graphic form. The storage is
plotted as a solid line and a dotted line; the dotted line is the cumulative storage plot.
Table A-1. Computer  Requirements 
1. 
1.1 
1 . 1 . 1  
1.1.2 
Requirements 
Phase 1 Atmos- 
pheric  Ascent 
Navigation and 
Guidance 
Process  Acceler- 
ometer Outputs 
Navigation 
Computation 
Subtotal 
I Storage 
Instr Const Var 
(Words) 
- " 
320 26 3 
290  16  9 
610  42  12 
Speed 
Short Long 
:Operations/second: 
24 0 37 
488  29 
728  66 
Word 
,ength 
Bits 
Requirements 
1.2 
1.4 
2. 
2.1 
2.1.1 
2.1.2 
2.1.3 
2.1.4 
2.2 
2.4 
3 .  
3 . 1  
3 .1 .1  
3.1.2 
3.1.3 
3.1.4 
Telecommunications 
Status  Monitoring 
Total 
Earth  Orbital 
Coast 
Navigation and 
Guidance 
Attitude  Reference 
Landmark  Tracker 
Operation 
Orbft  Determina- 
tion Computation 
Navigation 
Computation 
Subtotal 
Telecommunications 
Status Monitoring 
Total 
Cummulative  Total 
Trans Mars Injectior 
Navigation and 
Guidance 
Process  Acceler- 
ometer Outputs 
Navigation 
Computation 
Required  Velocity 
Computation 
Velocity to  be 
Gained Steering 
Subtotal 
Storage 
Instr Const  Val 
(Word@ 
800 50 50 
1000 300 60 
241 0 392 122 
1756 422 183 
517 313 8 
1478 88 230 
57 3 18 39 
4324  841  460 
Same as 1.2 
1 . 4  plus 1000  2  
3000 
9124  2191 770 
9734  2233  782 
m e  as 1.1.1 
ame as 1.1.2 
1000 
200 
1810 
40  60 
10  20 
92  92 
Speed 
(Operations/second 
Short Long 
1000 
1000 
2728 
11520 
9483 
7576 
493 
29072 
1000 
5000 
35072 
480 
97 6 
10000 
3000 
14456 
2 00 
120 
3 86 
3320 
3000 
433 
47 
6800 
200 
1000 
8000 
74 
58 
3000 
7 00 
3832 
Word 
Lengtt 
Bits 
30 
30 
30 
30  
Table A-1. (Cont) 
I 
L 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
4 
5 
5 
5 
5 
- 
Requirements 
I. 2 
I. 4 
!. 
i. 1 
:. 1.1 
:. 1.2 
:. 1.3 
:. 2 
'. 3 
:. 3.1 
.3.2 
.3.3 
.4 
.1 
.l. 1 
. 1.2 
Telecommunication 
Status Monitoring 
Total 
Cummulative  Total 
Trans Mars Coast 
Navigation and 
Guidance 
Attitude Reference 
Navigation 
Computation 
Velocity to  be 
Gained (Monitor) 
Subtotal 
Telecommunication1 
Scientific 
Experiments 
Data Compression 
Sequencing 
Pointing and 
Control 
Subtotal 
Status Monitoring 
Total 
Cummulative  Total 
Trajectory 
Correction 
Navigation and 
Guidance 
Process  Acceler- 
ometer Outputs 
Navigation 
Computation 
Storage 
- . . 
Instr Const Var 
~~ . 
(Words) 
Same as 1.2 
1.4 plus 
1000 
4610 
11934 
Same as 2.1.1 
1000 
1500 
4256 
1.2 plus 
2000 
1121 
750 
500 
2371 
Same as 2.4 
300 60 
742 262 
2583 922 
30 50 
25 60 
477  293 
100 1000 
414 2009 
125 150 
50 25 
589 2184 
13427  25163727 
18805  33274216
Same as 1.1.1 
Same as 1.1.2 
Speed 
Short Long 
[Operations/seconc 
1000 
3000 
18456 
11520 
3000 
2500 
17020 
5000 
6591 
200 
1000 
7791 
5000 
34811 
48 0 
976 
200 
350 
43  82 
3320 
1000 
900 
522 0 
500 
525 
2 
400 
927 
1000 
7647 
74 
58 
Word 
Lengtl! 
Bits 
12 
16 
16 
Table A-1. (Cont) 
Requirements 
5.1.3 
5.1.4 
5.2 
5.3 
5.4 
6. 
6.1 
6.1.1 
6.1.2 
6.2 
6.3 
6.4 
’. 1 
’. 1.1 
’. 1.2 
I. 1.3 
Velocity to  be 
Gained 
Velocity  to  be 
Gained Steering 
Subtotal 
Telecommunications 
Scientific 
Experiments 
Status Monitoring 
Total 
Cummulative  Total 
spin UP 
Navigation and 
Guidance 
Angular  Velocity 
to  be Gained 
Steering 
Subtotal 
Telecommunications 
Scientific 
Experiments 
Status  Monitoring 
Total 
Cummulative  Total 
Spin Cruise 
Navigation and 
Guidance 
Attitude Reference 
Navigation 
Computation 
Velocity to  be 
Gained (Monitor) 
Storage 
~ 
Instr Const Var 
iame as 4.1.3 
jame as 3.1.4 
2310 77 
Same as 4.2 
Same as 4.3 
Same as 3.4 
9481 1416 
18805 3327 
500 40 
400 30 
900 70 
Same as 4.2 
Same as 4.3 
Same as 3.4 
807  1  1359 
92 
3446 
4216 
50 
40 
90 
3444 
19705  33974 6
ame as 2.1.1 
m e  as 4.1.2 
%me as 4.1.3 
Speed 
Short Long 
30000 
3 000 
34456 
5000 
7791 
3 000 
50247 
5000 
10000 
15000 
5000 
7791 
3000 
30791 
11520 
3000 
2500 
10000 
7 00 
10832 
500 
927 
3  50 
12609 
1500 
4000 
5500 
500 
927 
350 
7277 
3320 
1000 
900 
- 
1 
” 
” 
A 
- 
Wore 
;en@ 
Bit1 
-
Table A-1. (Cont) 
. 
Requirements 
7.1.4 
7.2 
7.3 
7.4 
3. 
3. 
3.1 
3.1.1 
j. 1.2 
). 1.3 
). 1.4 
3.2 
9.3 
3.4 
Angular Velocity 
to be  Gained 
(Monitor) 
Subtotal 
Telecommunication 
Scientific 
Experiments 
Status  Monitoring 
Total 
Cummulative Total 
De Spin 
(Same as 6. Spin 
Mars Approach 
Correction 
Navigation and 
Guidance 
Process  Acceler- 
ometer Outputs 
Navigation 
Computation 
Velocity to  be 
Gained 
Steering 
UP) 
Subtotal 
Telecommunication; 
Scientific 
Experiments 
Status Monitoring 
Total 
Cummulative  Total 
-T 
T 
Same as 6.1.1 
47 56 517 
Same as 4.2 
Same as 4.3 
Same as 2.4 
13927 2556 
19705 3397 
8071 1359 
19705 3397 
Same a s  1.1.1 
Same as 1.1.2 
4.1.3 plus 
3 00 
Same as 3.1.4 
261.0 
Same as 4.2 
Same as 4.3 
15 
92 
Same as 3.4 
9781 143  1 
20005 3412 
343 
3  837 
43 06 
3444 
43 06 
5 
97 
3451 
4311 
Speed 
Short Long 
1000 
18020 
5000 
7791 
5000 
35811 
30791 
480 
97 6 
30000 
3000 
34456 
5000 
7791 
3000 
50247 
300 
5520 
500 
927 
1000 
7 947 
7277 
74 
58 
10000 
7 00 
10832 
500 
927 
350 
12609 
Word 
Lengtf 
Bits 
Requirements 
10. 
10.1 
10.2 
10.3 
10.4 
11. 
11.1 
11.1.1 
11.1.2 
11.1.3 
11.1.4 
11.2 
11.3 
11.4 
12. 
12.1 
12.2 
Aerobraking 
Navigation and 
Guidance 
Entry  Constraint 
and Steering 
Telecommunicationt 
Scientific 
Experiments 
Status Monitoring 
Total 
Cummulative  Total 
Mars Orbit 
Injection 
Navigation and 
Guidance 
Process  Acceler- 
ometer Outputs 
Navigation 
Computation 
Required  Velocity 
Steering 
Subtotal 
Telecommunications 
Scientific 
Experiments 
Status  Monitoring 
Total 
Cummulative Total 
Mars Orbital 
Coast 
Navigation and 
Guidance 
Telecommunications 
Table A-1. (Cont) 
Storage 
~~ 
Instr Const Var 
3 000 200 200 
Same as 4.2 
Same as 4.3 
Same as 3 .4  
10171  1539 3554 
23005  61245 1
Same as 1.1.1 
Same as 1.1.2 
400 
same as 3.1.4 
1210 
Same as  4.2 
Same as 4.3 
Same as 3.4 
20 15 
72 47 
83  11411  3401 
23405  6324526 
Same as 2.1 
4.2 plus 200  1000 
1500 
Speed 
~ 
Short 
12000 
5000 
7791 
3 000 
27791 
480 
976 
7000 
3000 
11456 
5000 
7791 
3000 
27247 
22800 
10000 
Long 
"" ~ . 
3000 
500 
927 
350 
4777 
74 
58 
2000 
700 
2832 
500 
927 
350 
46  09 
4516 
1000 
~~ 
Word 
kngtl 
Bits 
30 
Table .A-l. (Cont) 
. - 
Requirements 
12.3 
12.3.1 
12.3.2 
12.3.3 
12.4 
13. 
13.1 
13.1.1 
13.1.2 
13.1.3 
13.1.4 
13.2 
13.3 
13.4 
14. 
15. 
Scientific 
Experiments 
Data Compression 
Sequencing 
Pointing 
Subtotal 
Status  Monitoring 
Total 
Cummulative Total 
Trans  Earth 
Injection 
Navigation and 
Guidance 
Process  Acceler- 
ometer  Outputs 
Navigation 
Computation 
Required Velocity 
Steering 
Subtotal 
Telecommunication 
Scientific 
Experiments 
Status  Monitoring 
Total 
Cummulative  Total 
Trans  Earth Coast 
Same as 4. 
Trajectory 
Correction 
(Same as 5.) 
Storage 
Instr Const Va: 
4.3 plus 445 154( 
500 
200  50 51 
1000 50 51 
407  1 1134 3831 
Same as 2.4 
16695 3625 660( 
26605 4377 717: 
Same as  1.1.1 
Same as  1.1.2 
7 00 30 2! 
300 15 l! 
1610 87 5: 
Same as  4.2 
Same as 4.3 
Same as  3.4 
8781  1426 340t 
27605 4422 7212 
Speed 
Short Long 
194840 
500 
10000 
205340 
5000 
243140 
480 
976 
10000 
4000 
15456 
5000 
7791 
3000 
31247 
36120 
5 
4000 
40125 
1000 
46641 
74 
58 
3000 
1000 
4132 
500 
927 
350 
59  09 
Word 
.engtt 
Bits 
12 
16 
16 
Table A-1. (Cont) 
. Requirements 
16. spin UP 
(Same as 6.) 
17. Spin Cruise 
(Same as 7. ) 
18. De Spin 
(Same as 8. ) 
Correction 
19. Earth Approach 
19.1 Process  Acceler- 
ometer Outputs 
19.1.2 Navigation 
19.1.3 Velocity to be 
19.1.4 Steering 
Computation 
Gained 
19.2 
19.4 
20. 
20.1 
20. 2 
20.4 
Subtotal 
Telecommunicatior 
Status  Monitoring 
Total 
Cummulative Total 
Earth  Re-entry 
Re-entry Energy 
Management and 
Guidance 
Subtotal 
Telecommunication 
Status  Monitoring 
Total 
Cummulative Total 
Storage 
Instr Const Var 
Same as 1.1.1 
Same as 1.1.2 
9.1.3 plus 
600 
Same as 3.1.4 
3210 
Same as 1.2 
Same as 3.4 
6010 
25 20 
117  17 
767  287 
28205  44477 32
10.1 plus 250  250 
2300 
53 00 450 450 
Same as 1.2 
Same as 3.4 
8100  110  620 
30505  46977482
Speed 
Short Long 
480 
976 
45000 
3 000 
49456 
1000 
3000 
53456 
183 00 
1000 
3000 
22300 
74 
58 
15000 
7 00 
15832 
200 
3 50 
16382 
446 0 
200 
350 
5010 
- 
Wore 
Lengt 
Bits 
Figure A-1. Computer Requirements per Phase

APPENDIX B. MASS STORAGE CONSIDERATIONS

B1 INTRODUCTION

There exists the need for providing a mass storage medium in the computer system. This is dictated by the fact that it is desired to store the mission programs in some device assuring the integrity of approximately 10^6 bits. In addition, it is desired to provide a data buffer between sensors and the computer. This buffer is used to store data in bulk quantity prior to processing, because burst processing of accumulated sensor data such as video scans is desirable and/or because bursts or high rates from sensors must be buffered. The total storage required is expected to be on the order of 10^8 bits for data and mission programs with the majority of this for sensor data. The discussion in this section will present technology trends that may be applicable to the mass storage medium required for the manned Mars mission.

Much of the difficulty of selecting an optimum approach to a 10^8 bit memory system arises because no non-mechanical systems that large have been constructed. The general undesirability of massive moving elements in a spaceborne system, the maintenance requirements, and the dependence on a mechanical determination of data rate are factors which have eliminated electro-mechanical systems such as tape and drum storage from consideration.

Several groups within the industry have been funded under government contracts for the development of 10^8 bit memory systems. While none of the systems has yet been completed, the development of portions of such systems has been carried to the point where full-system problems are illuminated and reasonable predictions of system characteristics can be made.

The three outstanding approaches to mass storage include assemblies of magnetic plated wire arrays, stacks of planes of toroidal cores etched from thin permalloy sheets, and an assembly of long flat strips of glass coated with permalloy and with copper.

All of these approaches to mass memory utilize a random-access word organized configuration. The application herein considered could use a different type of organization in which random access is provided to blocks of information with serial access to the bits constituting the block (BORAM). Non-mechanical versions of this type of memory are currently under development; however, their progress and application to mass memory is several years behind the previously mentioned systems.

Some details of these various approaches are described in the following paragraphs.

B1.1 Plated Wire Memory

The fundamental operation of a plated wire memory cell was described in sections 3 and 6. A recent study contract, funded by the Rome Air Development Center, resulted in a proposed 10^8 bit memory design (characteristics of the system have been simulated) with the following characteristics (Reference 26):

The system will be organized as ten 10^7 bit modules. Each ten-million-bit memory plane constituting a module contains 2048 word-line solenoids encircling 4608 plated wires (plus a small number of common mode cancelling wires). The modules will be organized with 64 words of 72 bits on each word line, and each time all the bits in such a word group line are interrogated, only the bits belonging to the selected word are routed by a set of gates to the sense amplifiers. This mode of operation is possible because of the non-destructive characteristics of the interrogation, thus making restoration of information in interrogated bits unnecessary. This property is very important because it allows a memory configuration to be chosen which leads to a minimal number of bit and word drivers and sense amplifiers. (The organization could easily be changed to 256 words of 18 bits or other combinations whose product totals 4608 bits.)

The design word rate for reading and writing will be 100 kilocycles per second which corresponds to a serial bit rate of 7.2 megacycles per second.

The output signals appearing on the bit lines are of the order of 5 millivolts in amplitude and 70 nanoseconds wide.

The word lines will be spaced at 0.045 inch centers and the bit lines spaced at 0.015 inch centers, resulting in a storage density of approximately 1500 bits per square inch.

Ultimately all of the circuits in the system are expected to be of the microelectronic type. Near future designs use a combination of integrated circuits and cordwood packages using discrete components.

Interconnection will be made through multilayered boards with soldering and wire-wrap technique.

The size of the 10^8 bit memory will be 4 x 5 x 1.5 feet, or 30 cubic feet in volume. The total weight will be approximately 750 pounds. It is predicted that future efforts will reduce the volume to 20 cubic feet.

The power consumption decreases with lower speed operation, and with an increasing ratio of read to write cycles. At the 7.2 megacycles per second bit rate the power consumption is estimated to be 72.5 watts, but decreases to 30 watts at a 0.72 megacycle per second bit rate. The latter rate is entirely acceptable for this application. Increasing the number of read cycles per write cycle would effect up to a 14% reduction in the power consumed.

A reliability computation considers the failures arising only from the joints in the memory stack and from the bit and word access matrices. Assuming a transistor failure rate of 10^-9 per hour and a failure rate of joints of 10^-10 per hour, the estimated mean time between failures is 7600 hours for a 10^8 bit memory. According to Autonetics experience with transistor reliability, a 10^-9 per hour failure rate is optimistic. A more realistic figure of 10^-8 reduces the MTBF to 3300 hours. If one assumes a flat pack reliability of 10^-9, the MTBF rises to 22,000 hours. Manufacturing cost per bit for the 10^8 bit system is projected to be 0.108 cents per bit in 1970.

B1.2 Etched Permalloy Toroid Memory

Rome Air Development Center has sponsored the development of a mass memory technique which utilizes toroids etched from sheets of permalloy as the storage elements, which are batch fabricated, along with the associated conductors, into 256 x 256 bit memory planes. (Reference 27)

A coincident-current memory organization is used. The writing system is conventional, requiring the coincidence of pulsed fields on the X and Y lines, with the writing of a zero or one determined by the presence or absence of the inhibit line current in each plane. The reading operation uses a two-frequency selection scheme which is nondestructive. In the reading operation only a toroid at the intersection of the selected row and column drive line is energized by fields of both frequencies W1 and W2. The core acts as a non-linear mixing element to produce a sum frequency component on the sense line. The signal is amplified, narrow-band filtered, and phase detected against a reference, which yields a signal whose output polarity depends on the state of the core. The read drive frequencies of 570 kilohertz for W1 and 930 kilohertz for W2 result in a sum frequency of 1.5 megahertz. The result is a read time of 10 μsec with a nominal signal amplitude of 50 μv rms.

The batch fabricated memory planes consist of flat toroids etched from sheet permalloy with the associated wiring formed by etching and plating copper. The topology is such that wires never cross on the same plane, thus allowing the wiring pattern to be formed by two layers of etched copper insulated from each other and the permalloy toroids, but connected by means of plated regions through the interior of the toroids. Using highly developed photoetching procedures the toroids are fabricated on 25 mil centers which results in 1600 bit per sq. inch density within the plane.

The 10^8 bit system requires 1616 planes of 256 x 256 bits per plane. They will be assembled into 16 blocks with 101 planes per block. The word length is 100 bits.

The design package has a volume of 5 cubic feet corresponding to a weight of 468 pounds. Power figures range from 98 watts for a read-only mode to a maximum of 179 watts for write-only, at a maximum write-in word rate of one word every 23 microseconds.

Trade-offs among the parameters can reduce memory size and power consumption. If the word length is extended to 200 bits, for example, and the write-in rate decreased to one word every 80 microseconds, the maximum power would decrease to 110 watts, the size to 4 cubic feet and the weight to 374 pounds.

The present status of this development is that of attempting to fabricate the 256 x 256 bit planes. Hence, no system reliability data is available. Therefore an attempt to estimate a MTBF figure by considering only the plane edge interconnections and the number of semiconductors will be made. The interconnections will be 1,600,000 for the 10^8 bit memory (versus 180,000 for the plated wire memory) and the number of integrated circuit packages plus discrete semiconductors total 4481. Assuming 10^-9 per hour failure rate for interconnections, the interconnections are the dominant factor, so that changing the failure rate for semiconductors from 10^-8 to 10^-9 only changes the calculated MTBF from 4900 to 6000 hours.

The small signal amplitudes and the nature of the read-out system require a consideration of the effect on reliability of coherent noise in the sense lines and random noise in the sense amplifier. This is calculated to correspond to an erroneous reading of one bit every 10,000 hours, which may be detected and corrected by repetition of the interrogation.

A cost figure of 0.083 cents for electronics plus 0.056 cents for memory planes is estimated for a total cost of 0.139 cents per bit.

B1.3 Flat Film Strip Memory

Lincoln Laboratories is engaged in the development of a mass memory using flat magnetic films at very high storage density.

The storage elements are formed of rectangular glass strips coated first with permalloy and then copper. These strips are etched into 2 mil lines on 4 mil centers terminating in a pattern of lands which provide fan-out to a pressure connector. Twenty-four of these substrates, each 2 ft by 1 inch, are placed side by side forming a square plane, and another similar plane is placed above it with its strips lying perpendicular to the first set, with an insulating layer between. A square array results with 6K bits on a side for a total of 36 x 10^6 bits.

Current work on the project is centered about the assembly of a one million bit model using 10 inch substrates. Recent experiments center about a bit density of 250 words per inch and 50 digits per inch, i.e., 12,500 bits per square inch. (Reference 28) Cost projections are in the order of 0.3 cents per bit.

While this approach achieves extremely high density for the memory stack, it also has several unfavorable characteristics. High coercive force films are used to reduce the effects of demagnetizing fields at the high bit density, which require currents in the 100 to 500 ma. range. Read-out is destructive and, therefore, all bits of a word must be rewritten each time after reading, which results in excessive power consumption in this application when the ratio of read to write cycles exceeds one. The destructive readout characteristic precludes the sharing of bit line circuits so that the linear select organization requires many more circuits than the plated wire or etched toroid approaches. Since reliability of the system is so strongly dependent on the electronics, this approach to the mass memory requirement does not appear favorable.

B1.4 BORAM

A type of mass memory that seems to be well adapted to this requirement is that being developed under the BORAM concept. BORAM, an acronym from Block Oriented Random Access Memory, has been promulgated by the U. S. Army Electronics Command at Fort Monmouth, New Jersey.

The basic idea of BORAM is that the mechanization be an all-electronic or static type memory with rapid random access to the blocks of data (1 microsecond access time) with the subsequent sequential transfer of a block on a character-by-character basis. A 1.5 to 3 million character per second transfer rate is envisioned. Other requirements in the total concept include removable storage media and asynchronous transfer capability.

From the viewpoint of the mass storage requirement of the study, the memory would appear as a group of serial storage devices with random access to each device and serial access to the bits within the selected device. The important advantage is the large factor of minimization of electronics and interconnections and the consequent gain in reliability.

A specific implementation of the mass memory under this concept cannot be delineated at the present time because applicable devices are in the early stages of development. Among these developments the most interesting ones include a ferroacoustic delay line, a thin film storage strip which responds to the field from a propagating domain wall in an adjacent strip, and a new technique which utilizes the controlled propagation and interaction of domain tips through a pattern of magnetic film channels (Reference 29).

It is reasonable to assume operating goals for these devices, with respect to speed and density, of 10,000 bits per square inch and 1 megacycle serial data transfer rate. Then 20 of these devices each storing 5 x 10^6 bits could provide the required 10^8 bit storage. Since random access to any of the twenty blocks could be attained very rapidly, the maximum access time would be approximately five seconds. Since the total circuitry would be reduced to the selection circuits for the twenty blocks, driver circuits (probably a maximum of four per block) and a read amplifier per block, system failure due to the electronics could be made very small.

The aspect of this approach that is unfavorable is the uncertainty of the developmental time scale which will allow mechanization of the system.

B1.5 Reliable Backup Mass Storage

The backup mass storage is used to store the guidance and control functions that would be necessary to complete the mission if the primary mass storage was to fail. This memory should, of course, be very reliable and in fact, it is probably reasonable to carry a spare due to its relatively small size, approximately 2 x 10^5 bits. Although extensive investigation of the mass memory was not planned for this study, it appears that the backup storage could be read only. This, of course, would provide obvious reliability advantages due to the lesser numbers of circuits.

A number of possibilities exist for this memory. One is a fixed memory, such as the "Silicon on Sapphire Diode Array". A second is a memory of the same technology as the primary mass storage only without write circuits. The best solution will depend on the relative reliabilities and power and on the ability of the second approach to use spares from the primary mass storage.

B1.6 Conclusion

The above discussion demonstrates that there are a number of memories on the order of 10^8 bits either under development or being considered for development; however, the near term systems are large and also dissipate a good quantity of power. If any of these approaches are to be made applicable to this study, both the power dissipation and size will need to be substantially reduced. Future developments along the lines of "BORAM" may offer the best system for space.

APPENDIX C. FAULT AND ERROR CONTROL

Faults can lead to the generation of errors and can cause down time. It is therefore necessary to consider the risks associated with the possible occurrence of faults as well as methods of remedying or at least reducing their harmful effects. The harmful effects of errors can be reduced by error correction or by special treatment of erroneous results. Down time as a result of faults can be reduced by reconfiguring the system to evade the effects of known faults and by diagnosing faults so that repair is facilitated.

Techniques for overcoming these harmful effects may require an enlargement of the system. Two questions regarding this enlargement of the system arise. First, the enlarged system contains more elements which can become faulty and therefore is more likely to contain a fault. Hence, it is natural to ask whether or not there will indeed be a net enhancement in reliability. This question will be treated in section C2.1.

The second question involves the additional costs, the additional weight and the other penalties associated with the enlargement of the system. Will improvements in the system be worth the price? To answer this question rationally, it is necessary to optimize the relationship between the penalties, the probability of mission success and the expected productivity of the mission.

Three processes used in overcoming these harmful effects will be considered: error or fault detection, error treatment, and system reconfiguration. The techniques used will usually involve more than one of these processes. Also, it is sometimes difficult to determine where one leaves off and the other begins. However, it is useful to consider the characteristics of these processes separately. Error or fault detection involves the determination that an error or fault is or is not present and also the initiation of an alarm or corrective procedure when appropriate. Error or fault detection may be performed for every step of an operation, it may be performed after the completion of a set of operations, or it may be performed periodically. When error detection is performed for every step of an operation, redundant computing elements are usually introduced into the system. When it is performed upon the completion of a set of operations, redundant computations are performed. When fault detection is performed periodically, a self-test program is used. This self-test program will not detect faults causing intermittent errors unless they occur during the self-test program.

Treatment of errors may involve error correction by redundant logic, error correction by roll-back, or special handling of erroneous results. Error correction does not necessarily involve error detection. Therefore, it may be necessary to include in check-out procedures some provision for the detection of faults whose errors are corrected. This could be done by injecting errors into the system to determine whether or not they are corrected or by disabling redundant features during check-out.

Roll-back procedures are simplest when they involve transient errors. In this case, a recalculation performed in exactly the same manner as the original computation will produce the correct result when the transient error does not recur. For reproducible errors, the roll-back procedure would be more complicated. The recalculation then must use different logic paths to evade the fault causing the error or to correct the error. This will be treated in further detail in section C2.2.

System reconfiguration involves the removal of a fault from the active system or the introduction into the system of a means of correcting the errors due to the fault. The simplest techniques involve the removal of the faulty element from the active system. However, it is possible to resequence the operations of the system so that the faulty element is not used in a manner that will cause an uncorrected error.

Faults of the following types will be referred to as "standard faults" hereafter in this report:

1. An open input to a gate.
2. The inability of a gate to drive to zero the node to which its output is connected.
3. The inability of a node to go to one.

C1 TECHNIQUES FOR FAULT OR ERROR DETECTION

This section will treat methods of detecting errors in data processing operations and methods of detecting faults through the errors they cause.

Most of the error detection techniques treated in this section involve the use of redundant hardware for checking each step of a computation as it is performed. However, some consideration will be given to error detection techniques in which some of the computations in a program are used to check the results of other computations.

Most of the fault detection techniques used involve the use of self-test or diagnostic programs. These programs are used at various times to verify that there are no faults in the system or to help locate faults which may be present in the system. Usually self-test or diagnostic programs in a general purpose computer do not involve special circuits other than circuits for responding to the detection of a fault, although provisions for disabling self-correcting features or alternately injecting errors may be required for checking out redundant circuits. Other fault detection techniques utilize special hardware to detect specific faults, for example, a circuit which will generate an alarm if clock pulses do not occur regularly.

The error patterns which are to be detected by specific fault or error detection techniques are established by one of two approaches. In the first, hardware oriented approach, an effort is made to consider the faults or combinations of faults which may occur and, from these, to determine a set of possible error patterns. This method has the advantage of making it possible in principle to assign a failure rate to each error pattern. Hence, if any combination of faults is considered to be so improbable that the associated error pattern can be neglected, then a failure rate can be assigned to that neglected pattern. From this, a summation can be made to obtain the combined failure rate of all known neglected error patterns. However, to obtain the failure rates for unknown faults, experimental techniques are required.

In the second, functional oriented approach, the set of error patterns to be detected is established without considering the logical details of the systems or the faults which may occur. This method makes it possible to design the error detection procedure prior to the completion of the logical design. If intelligently used, it could detect most of the reasonably probable error patterns and some others besides. However, for fault detection, this approach is inefficient. To be certain that all possible faults have had opportunities to generate errors, it is necessary either to examine the logic structure or to check many functional situations to be confident that all logic paths have been used.

Fault detection and error detection techniques have different principal objectives. Fault detection equipment is designed primarily to prevent a fault from causing future errors and to initiate its removal from the active system. It may also invalidate erroneous results before they are used. Error detection equipment is designed primarily to initiate the correction of an error or special handling of erroneous results. However, an alarm from a fault detection system may also perform some or all of the principal functions of an alarm from an error detection system and vice versa.

With these general concepts in mind, specific fault detection and error detection techniques will be considered.

C1.1 Continuous Error Detection or Fault Detection

C1.1.1 Data Transfers

Self-checking codes can be used to verify the accuracy of a data transfer. The theory of self-checking codes has been intensively developed. Therefore further comments of a general nature on this topic are not in order.

C1.1.2 Memory

Self-checking codes can be used to verify the accuracy of transfers between memory and the other modules.

Self-checking codes can also be used to verify the address. Extra bits can be hard-wired into each memory location. These bits could be concatenated with the address to form a self-checking code. For these extra bits, sense amplifiers would be required, but inhibit drivers would not be required.

Decoding circuits can be checked by feedback and comparison with the original code or address to verify that the proper signal alone is generated.

The memory cells of a DRO memory could be checked out before information is stored into the memory location. This could be accomplished by adding an extra read operation at the beginning of a write cycle. This would add a half cycle to every write cycle, but would not affect the read cycle. The sequence of operations for writing with the memory cells checked before writing is as follows:

1. Insert ones in all bits of the memory data register.
2. Write.
3. Insert zeros in all bits of the memory data register.
4. Read (thus inserting ones in the memory data register bits corresponding to ones in memory cells of the addressed location).
5. Test the memory data register. If any bit contains a zero go to an error routine.
6. If all bits of the memory data register contain ones, transfer the word to be stored to the memory data register.
7. Write.

This fault-checking routine will protect the stored data from faults in the memory cells themselves. However, it will not provide complete protection from faults in the write circuitry. Reading back the stored word would provide this protection, especially in NDRO memories.

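The write sequence above, modeled as an added example that is not part of the original report: a constructed 16-bit DRO memory in which a cell can be marked unable to hold a one and the write drivers can be disturbed on a single write half-cycle. The class, the fault settings (`stuck_zero`, `glitch_write`, `glitch_mask`), the OR-style write and the sample values are assumptions of the model; the seven steps and the read-back follow the text.

```python
"""Pre-write cell check for a DRO memory (steps 1-7), plus read-back.

Constructed model: word length, fault settings and sample values are assumptions.
"""
from dataclasses import dataclass, field

WORD_BITS = 16                       # assumed word length
ALL_ONES = (1 << WORD_BITS) - 1


class MemoryFault(Exception):
    """A check found bits that differ from what was expected."""

    def __init__(self, stage, bad_bits):
        super().__init__(f"{stage}: bad bits {bad_bits:#06x}")
        self.stage = stage
        self.bad_bits = bad_bits


@dataclass
class DROMemory:
    size: int
    stuck_zero: dict = field(default_factory=dict)  # addr -> cells that cannot hold a one
    glitch_write: int = 0    # 1-based write half-cycle to disturb (0 = never)
    glitch_mask: int = 0     # bits the write drivers fail to set on that half-cycle
    mdr: int = 0             # memory data register
    writes: int = 0          # write half-cycles issued so far

    def __post_init__(self):
        self.cells = [0] * self.size

    def write(self, addr):
        """Write half-cycle: set the cells where the MDR holds a one."""
        self.writes += 1
        data = self.mdr
        if self.writes == self.glitch_write:
            data &= ~self.glitch_mask               # transient write-circuit fault
        self.cells[addr] |= data & ~self.stuck_zero.get(addr, 0)

    def read(self, addr):
        """Destructive read: ones in the cells set MDR bits, cells end at zero."""
        self.mdr |= self.cells[addr]
        self.cells[addr] = 0


def checked_write(mem, addr, word):
    """Steps 1-7 of the text: prove every cell can hold a one, then store."""
    mem.mdr = ALL_ONES                # 1. ones in all MDR bits
    mem.write(addr)                   # 2. write
    mem.mdr = 0                       # 3. zeros in all MDR bits
    mem.read(addr)                    # 4. read
    if mem.mdr != ALL_ONES:           # 5. any zero -> error routine
        raise MemoryFault("cell check", ALL_ONES & ~mem.mdr)
    mem.mdr = word & ALL_ONES         # 6. word to be stored -> MDR
    mem.write(addr)                   # 7. write


def read_back(mem, addr, expected):
    """Read the stored word back and compare. In a DRO memory the read empties
    the location, so a restoring write has to follow it."""
    mem.mdr = 0
    mem.read(addr)
    got = mem.mdr
    mem.write(addr)                   # restore what was read
    if got != expected:
        raise MemoryFault("read-back", got ^ expected)
    return got


def run_scenarios(word=0xBEEF):
    """Three constructed cases: healthy, bad cell, transient write fault."""
    results = {}

    healthy = DROMemory(size=8)
    checked_write(healthy, 3, word)
    results["healthy"] = read_back(healthy, 3, word)

    bad_cell = DROMemory(size=8, stuck_zero={5: 0x0010})
    try:
        checked_write(bad_cell, 5, word)
        results["bad_cell"] = None
    except MemoryFault as fault:
        results["bad_cell"] = (fault.stage, fault.bad_bits)

    # The second write half-cycle is step 7, after the cell check has passed.
    glitch = DROMemory(size=8, glitch_write=2, glitch_mask=0x8000)
    checked_write(glitch, 1, word)                  # completes without alarm
    results["stored_after_glitch"] = glitch.cells[1]
    try:
        read_back(glitch, 1, word)
        results["glitch"] = None
    except MemoryFault as fault:
        results["glitch"] = (fault.stage, fault.bad_bits)
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The third case is the one the closing paragraph describes: the cell check passes, the word is stored with a bit missing, and only the read-back reports it.
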
Residue checks are performed by adding in mod n arithmetic the addend and the
augend used in an addition. The result should be congruent (mod n) to the sum. If
the sum is in error by an amount which is divisible by n, the residue check will not
detect the error.
In many adders, most faults will cause errors which are a power of two. Thus, if
$n = 2^k - 1$, most errors will be detected.
If the adder operates in mod $2^p$ arithmetic, overflow is equivalent to a subtraction
of $2^p$ from the answer. Therefore some provision must be made for overflow in
designing a residue check unless the modulus of the arithmetic is divisible by the
modulus of the residue check. If the adder operated in $2^r - 1$ arithmetic, the modulus
of the adder will be divisible by the modulus of the residue check if r is a multiple of k.
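
The residue check and its overflow provision, as an added Python example (not from the report). The function names and the single-bit-flip error model are assumptions of the example.

```python
def add_mod(a, b, modulus, flip_bit=None):
    """Model adder. Returns (sum mod modulus, overflow flag).

    flip_bit inverts one bit of the result, i.e. an error of +/- 2**flip_bit.
    """
    total = a + b
    result = total % modulus
    if flip_bit is not None:
        result ^= 1 << flip_bit
    return result, total >= modulus


def residue_check(a, b, observed, n, adder_modulus=0, overflowed=False):
    """True when `observed` is congruent (mod n) to a + b.

    An overflow removes adder_modulus from the true sum, so the expected
    residue is lowered by adder_modulus mod n. When n divides adder_modulus
    the correction vanishes and the overflow flag is not needed.
    """
    expected = (a % n + b % n) % n
    if overflowed:
        expected = (expected - adder_modulus) % n
    return observed % n == expected


def missed_single_bit_errors(p, n):
    """Count single-bit result errors of a mod 2**p adder that a mod-n check misses."""
    modulus = 1 << p
    missed = 0
    for a in range(modulus):
        for b in range(modulus):
            for bit in range(p):
                observed, ovf = add_mod(a, b, modulus, flip_bit=bit)
                missed += residue_check(a, b, observed, n, modulus, ovf)
    return missed
```

With a 6-bit adder, a mod 7 check (k = 3) misses no single-bit error, a mod 4 check misses every error in bits 2 and above, and a mod 63 adder (r = 6, a multiple of k) needs no overflow correction at all.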
C1.1.3.2 Duplication Check
Addition can be checked by duplication of the adder. The results obtained from
the two adders are compared to see if they are the same. A check of this nature will
catch any faults which may occur in one adder provided that the other adder makes no
errors. This technique is especially advantageous if reconfiguration is provided for.
If the self-checking doctrine is abandoned, one of the adders could carry on if the
other failed.
C1.1.3.3 Complementation Checks
In mod $2^n$ arithmetic there are three inputs: the addend, the augend and the
input carry to the units bit. Now, if
$$S = A + B + C_0$$
$$(2^n - 1) - S = ((2^n - 1) - A) + ((2^n - 1) - B) + (1 - C_0) + 2^n$$
or
In other words, if the ones complement of the input operands to a mod $2^n$ addition is
formed, then the ones complement of the sum is formed. Similarly, in mod $2^n - 1$
addition
$$S = A + B$$
$$S' = A' + B' \pmod{2^n - 1}$$
One can therefore check an addition by calculating the sum, and then calculating the
sum of the complements and finally seeing if the results are ones complements.
It should be noted (see Figure C-1) that it is possible to construct an adder so
that the signals at all the nodes of the adder are complemented if all the inputs of the
adder are complemented. If an adder is thus constructed, a "standard" fault will
cause an error in one but not both of either the sum or the sum of the complements.
Thus a complementation check will detect all standard errors in an adder of this
structure.
C1.1.3.4 Self-checking Adder
Figure C-2 shows one bit of an adder with internal self-checks. An error
caused by a single standard fault will be detected.
If an input to any decoding gate is open, for some values of the operands there
will be two sum-carry combinations indicated. If these two combinations have the
same carry, both $s$ and $\bar{s}$ will be indicated. This will cause the gate connected to $s$
and $\bar{s}$ to go low and indicate an error. When the inputs are complemented, this fault
will have no effect so that the correct answer will be obtained and no error will be
indicated. It can then be stated that the fault has been evaded by complementation.
If the two combinations of sum and carry simultaneously indicated have the same
sum but different carries, all the sum-carry combinations of the next stage will be
inhibited. Hence all four sum-carry nodes will be high and the "no output" error for
the next node will be indicated.
If standard faults of type b and c appear, the errors associated therewith will
cause two sum-carry nodes to be zeros or all sum-carry nodes to be ones.
If the Acc. Bit does not go into the correct state, a fault will be indicated
because the state of the flip-flop does not match the $s$ or $\bar{s}$ signal. If neither $s$ nor $\bar{s}$
is high a similar alarm will appear.
Faults inhibiting the detection of an alarm will not cause an error unless some
other fault is present. However, these faults may stifle alarms. To avoid degradation
of the system leading ultimately to undetected errors, it would be desirable to be
able to verify that there are no faults inhibiting alarms. The gate for causing one of
the nodes to equal zero incorrectly can be used in checkout to demonstrate that having
two gates equal to zero can be detected.
Similarly, it is possible to verify that there is no fault preventing the detection
of a condition in which all sum-carry nodes equal one. This is accomplished by a fifth
input on one of the adder gates to make that gate have an incorrect one output. This
is required for the units bit only.
FIG. C-1A ADDER WHOSE FAULTS CANNOT BE DETECTED BY COMPLEMENTATION. THE SIGNALS
x∩y, x⊕y AND c∩(x⊕y) ARE NOT ALWAYS COMPLEMENTED WHEN x, y, AND c ARE COMPLEMENTED.
FIG. C-1B ADDER IN WHICH STANDARD FAULTS CAN BE DETECTED BY COMPLEMENTATION.
THE SIGNALS AT ALL NODES ARE COMPLEMENTED WHEN THE INPUTS ARE COMPLEMENTED.
Figure C-1. Detection of Standard Faults by Complementation
Figure C-2. Self-checking Adder Without High-speed Carry
An additional test device to force the Accumulator bit into the wrong state
verifies that the "wrong state" alarm is not inhibited.
Faults freezing the error node into the zero state cannot be evaded by complementation.
Note that the signal on this node is not complemented when all the inputs
to the adder are complemented.
C1.1.3.5 Parity Check
Figures C-3 and C-4 show a technique for performing a parity check on an
addition. It should be noted that the ith bit of the sum is given by the formula
$$S_i = A_i \oplus B_i \oplus C_i$$
$$P(A) = A_0 \oplus A_1 \oplus \dots \oplus A_n$$
$$P(B) = B_0 \oplus B_1 \oplus \dots \oplus B_n$$
$$P(C) = C_0 \oplus C_1 \oplus \dots \oplus C_n$$
Also, the parity of the sum is
$$\begin{aligned}
P(S) &= S_0 \oplus S_1 \oplus \dots \oplus S_n \\
&= (A_0 \oplus B_0 \oplus C_0) \oplus (A_1 \oplus B_1 \oplus C_1) \oplus \dots \oplus (A_n \oplus B_n \oplus C_n) \\
&= (A_0 \oplus A_1 \oplus \dots \oplus A_n) \oplus (B_0 \oplus B_1 \oplus \dots \oplus B_n) \oplus (C_0 \oplus C_1 \oplus \dots \oplus C_n) \\
P(S) &= P(A) \oplus P(B) \oplus P(C)
\end{aligned}$$
Now, when parity bits are used for checking data transfers, P(A) and P(B) are carried
along with A and B. Therefore P(S) can be calculated from P(A), P(B) and the carries
into the adder bits as shown in Figure C-4. Also shown in Figure C-4 is the parity
checker used to verify that the addition is correct. The parity check is not sufficient
to guarantee that the addition is correct. The carries may have been incorrect. Since
the parity check uses the carries to compute the required parity of the sum, an error
in a carry would cause not only an error in the sum but also an equivalent error in the
sum parity bit. Thus a further check on the carries is required. In Figure C-3 the carries are
checked by generating both carry and not carry for each bit. Then the results are
compared by exclusive or networks.
Note that in Figure C-5 either the parity checker or the parity generator has an
even number of bits. Thus one of these must have at least one node which is not
complemented when the inputs are complemented. In the example shown in the figure,
there are an even number of data bits. Therefore the parity bit for the sum is the
same as the parity bit for the complement of the sum.
Figure C-3. Two Bits of Adder Used in Parity Checking Addition
Figure C-4. Parity Checker Used in Parity Checking Addition (the parity generator output equals
the complement of the parity of the inputs; odd parity is required for addend, augend and sum)
Figure C-5. 3-Bit Parity Checker
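
The parity prediction P(S) = P(A) ⊕ P(B) ⊕ P(C) and its blind spot for carry errors, as an added Python example (not from the report). The ripple adder, the single-inversion fault model and the separately generated not-carry rail are assumptions of the example, and the operands are constructed.

```python
def parity(bits):
    p = 0
    for bit in bits:
        p ^= bit
    return p


def to_bits(value, width):
    return [(value >> i) & 1 for i in range(width)]


def ripple_add(a_bits, b_bits, c0=0, bad_carry=None, bad_sum=None):
    """Ripple-carry add with one optional inverted signal (constructed fault).

    bad_carry=i inverts the carry INTO bit i; bad_sum=i inverts sum bit i.
    Returns (sum bits, carry rail, not-carry rail). The not-carry rail is
    generated separately, so a fault on the carry rail leaves it untouched.
    """
    sums, carries, carries_n = [], [], []
    c = c0
    for i, (a, b) in enumerate(zip(a_bits, b_bits)):
        carries_n.append(c ^ 1)
        if bad_carry == i:
            c ^= 1
        carries.append(c)
        s = a ^ b ^ c
        if bad_sum == i:
            s ^= 1
        sums.append(s)
        c = (a & b) | (a & c) | (b & c)
    return sums, carries, carries_n


def sum_value(a, b, width, **fault):
    sums, _, _ = ripple_add(to_bits(a, width), to_bits(b, width), **fault)
    return sum(bit << i for i, bit in enumerate(sums))


def parity_check_passes(a, b, width, **fault):
    a_bits, b_bits = to_bits(a, width), to_bits(b, width)
    sums, carries, _ = ripple_add(a_bits, b_bits, **fault)
    predicted = parity(a_bits) ^ parity(b_bits) ^ parity(carries)
    return parity(sums) == predicted


def carry_rails_agree(a, b, width, **fault):
    _, carries, carries_n = ripple_add(to_bits(a, width), to_bits(b, width), **fault)
    return all(c ^ cn for c, cn in zip(carries, carries_n))
```

For 5 + 3 on four bits, an inverted sum bit fails the parity check, while an inverted carry into bit 1 yields 6 instead of 8 and still passes it; only the comparison of the two carry rails exposes that fault.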
C1.2 Periodic Fault Detection
Fault detection is performed by self-test programs executed at regular intervals.
The purpose of these programs is to detect the presence of faults so that they can be
removed from the active system. Fault detection will not determine whether or not a
discovered fault had caused an error. However, it can verify that the computations
made up to the last time the computer was found to be fault-free are free from reproducible
errors. On the other hand, it is doubtful that fault detection techniques will check
for marginal conditions so thoroughly that protection from transient errors could be
guaranteed.
The self-test program carried to its ultimate conclusion will check each logic
path thru the equipment so that if any fault could affect the signals thru any logic path,
an error will be detected.
Practical limitations may interfere with the achievement of this objective. For
example, the errors due to some faults do not always have reproducible effects. For
example, a spurious signal might attempt to set a flip-flop while a correct signal
attempts to reset the flip-flop. If there are no loading conditions or permanent circuit
parameters permanently biasing the response of the flip-flop to the racing condition,
the effect of the spurious signal on the state of the flip-flop is not reproducible.
The self-test program may attempt to detect faults causing non-reproducible
effects. This might be done by exercising these marginal logic paths under a variety
of conditions or at least exercising them repeatedly in the hope that conditions which
could cause an error would arise accidentally.
A limitation, which also applies to error detection and error correction,
involves the difficulty of listing all possible combinations of faults and determining
their effects. First, there is the theoretical difficulty of conceiving all the possible
failure modes. Second, there is the effort involved in determining the effects of each
of an overwhelming number of possible fault patterns. Thus, it is necessary to limit
the number of fault patterns investigated. A good approach is to limit the investigation
to single faults plus possibly a few multiple fault patterns caused by the same nucleus
of failure.
By arranging the self-test program so that the logic paths involved in each test
involve many previously checked logic paths and only a few new logic paths, the effect
of multiple failures upon the execution of the test program is reduced.
Performing the self-test program frequently reduces the probability that two or
more statistically independent faults will develop between two check-out operations.
It should be noted that even though uninvestigated failure patterns may occur,
there is a good chance that they may be detected even though reliable diagnostic
information for locating this exotic fault pattern is not available.
C1.3 Programmed Error Checks
It is possible for the programmer to verify the accuracy of many of his results
by adding extra instructions to his program.
An example of how results can be checked can be drawn from the matrix
multiplication
$$\sum_{j=1}^{h} A_{ij} b_j = C_i \qquad (i = 1, 2, \dots, m)$$
The programmer can add instructions for computing
$$\sum_{i=1}^{m} A_{ij} = A_j \qquad (j = 1, 2, \dots, h)$$
$$\sum_{j=1}^{h} A_j b_j = C$$
and determining whether or not
$$\sum_{i=1}^{m} C_i = C$$
Other checks can be designed for other types of computations.
These error checks provide good protection from faults. However, there is
always the possibility that some fault might cause an error in the results and an
equivalent error in the check. To design the check calculation to avoid this risk would
require an extensive logical analysis of the error patterns due to possible faults.
Through extensive software development, a procedure for automating this analysis
might be developed.
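
The programmed check for the matrix product, as an added Python example (not from the report), including two cases in which an error reaches the result and an equivalent error reaches the check. The matrix, vector and injected faults are constructed, and integer arithmetic is assumed so that the comparison is exact.

```python
# Constructed sample data: m = 2 rows, h = 3 columns.
A_SAMPLE = [[2, -1, 3],
            [0, 4, 1]]
B_SAMPLE = [5, 2, -3]


def mat_vec(A, b):
    """C_i = sum over j of A_ij * b_j."""
    return [sum(a_ij * b_j for a_ij, b_j in zip(row, b)) for row in A]


def column_sums(A):
    """A_j = sum over i of A_ij."""
    return [sum(col) for col in zip(*A)]


def checked_mat_vec(A, b, multiply=mat_vec):
    """Return (C, ok). `multiply` is the routine being checked."""
    C = multiply(A, b)
    check = sum(a_j * b_j for a_j, b_j in zip(column_sums(A), b))  # C = sum_j A_j b_j
    return C, sum(C) == check


def power_of_two_fault(A, b):
    """Adds 4 to one element of the result (a fault in the main computation only)."""
    C = mat_vec(A, b)
    C[0] += 4
    return C


def compensating_fault(A, b):
    """Two errors that cancel in the sum of the C_i."""
    C = mat_vec(A, b)
    C[0] += 4
    C[1] -= 4
    return C


# A corrupted operand feeds both the result and the check, so they stay consistent.
B_CORRUPTED = [5, 2, -1]
```

The single error is flagged, but the cancelling pair and the corrupted operand both pass the check with a wrong result, which is the residual risk the passage describes.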
C2. TECHNIQUES FOR TREATMENT OF ERRORS
Errors may be treated in two ways - they may be corrected or the erroneous
results may be subject to special handling (probably rejection). When erroneous
results are given special handling, the manner in which they should be handled is
normally more closely related to the application than to the computer hardware.
Therefore, the remainder of this section will be devoted exclusively to error
correction.
C2.1 Error Correction by Redundant Logic
C2.1.1 Self-correcting Codes
The most thoroughly explored area of error correction thru redundancy is the
self-correcting code. The theory of self-correcting codes is related to the theory of
self-checking codes. Since the general theory is widely known, it will not be discussed
further.
When self-correcting codes are used, it is possible to correct the error without
setting an alarm indicating the existence of the error.
C2.1.2 Self-correcting Logic Circuits
Logic networks can be so constructed that a single standard fault in a segment
of logic will not cause an error. Furthermore, many other types of faults causing an
erroneous signal at only one node within that segment of logic will not cause an error
at the output of the network. Many techniques have been developed for this type of
redundancy. Among them is Quadded Logic.
The reliability advantage of self-correcting logic will now be discussed. Assume
that the probability of a fault in a segment of logic is p and that all faults are
statistically independent of one another. Also assume that a non-redundant system will
contain one logic segment and will fail if there is a single fault and that a redundant system
will contain n logic segments and will fail if there are faults in two or more segments.
The probability that the non-redundant system will not fail is
$$(1 - p)$$
The redundant system will not fail if none of the logic segments contains a fault.
The probability that none of the logic segments contains a fault is
$$(1 - p)^n$$
Also, it will not fail if only one logic segment contains a fault. The probability that
exactly one logic segment contains a fault is
Hence, the probability that the redundant system will not fail is
so that the probability that it will fail is
$$1 - (1 - p)^n - np(1 - p)^{n-1} = \frac{n(n-1)}{2!}p^2 - \frac{2n(n-1)(n-2)}{3!}p^3 + \frac{3n(n-1)(n-2)(n-3)}{4!}p^4 - \dots$$
Hence the probability of failure for the redundant system is not greater than
Therefore the probability of failure is less for the redundant system than for the
non-redundant system if
If faults are not eliminated from a redundant system during check-out, its
advantage in enhanced freedom from uncorrected errors is diminished. Suppose that
there are N logic segments in the non-redundant system and N corresponding sets of
n segments in an equivalent redundant system. Then there will be an uncorrected
error in the non-redundant system if there is a fault in any segment and there will be
an uncorrected error in the redundant system if there are two faults in any segment.
The probability that there are no faults in any of the N segments of the
non-redundant system is
If each of M sets of segments in the redundant system has a single fault, the
probability that none of these M sets of n segments has more than one fault is
The probability that none of the remaining N-M sets of n segments has two faults
is
Therefore, the probability that there will be no uncorrected error in N sets of n
segments in which M sets of segments contain a single fault is
The probability of no uncorrected error will be greater for the redundant system
if
$$1 < \frac{(1 - p)^{(n-1)N}\,[1 + (n - 1)p]^{N-M}}{(1 - p)^{N}} =$$
Let 
Then this condition becomes 
(n-2)N 
This is equivalent to  the  condition 
Now the first factor is the probability that there will not be two faults in a set of n
segments. This is less than one. The second factor is greater than one. Hence B
must be positive and it must be large enough to compensate for the first factor. Note
that B > 0 if
N > (n - 1)M.
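
For the comparison at the start of this section (one logic segment against one set of n segments), the quantities involved follow directly from the stated assumptions. The derivation below is added here in the report's symbols p and n and is not reproduced from the report.

$$P(\text{exactly one faulty segment}) = np(1-p)^{n-1}$$
$$P(\text{redundant system does not fail}) = (1-p)^n + np(1-p)^{n-1}$$

The redundant system fails only if some pair of its n segments is faulty in both members. There are $n(n-1)/2$ pairs and each is doubly faulty with probability $p^2$, so

$$1 - (1-p)^n - np(1-p)^{n-1} \le \frac{n(n-1)}{2}\,p^2 .$$

The non-redundant system fails with probability p, so a sufficient condition for the redundant system to be the more reliable of the two is

$$\frac{n(n-1)}{2}\,p^2 < p, \qquad\text{that is,}\qquad p < \frac{2}{n(n-1)} .$$

For n = 4, for instance, this holds for any p below 1/6.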
C2.2 Error Correction by Rollback
If an error is detected it is often possible to correct the error by repeating
the calculation.
Usually rollback procedures repeat the calculation using exactly the same logic
paths as were used when the error occurred. Such procedures can correct transient
errors. The number of times the same calculation can be rolled back before an alarm
is set is usually specified. If this number is exceeded, it could be decided that the
error was not transient.
It is also possible to roll back some computations so that the logic paths used in
the second computation are different from those used in the first. If an adder is
structured so that complementing the inputs will complement the signals at all nodes,
a simple roll back procedure suggests itself. If an error arises in the performance of
an addition, complement all the inputs to the adder. Then the output of the adder
would be complemented to obtain the desired sum. As was previously explained, if an
adder has a structure satisfying this condition, no standard fault will cause both the
original addition and the addition with complemented inputs to be incorrect.
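
The complementation check of the Complementation Checks section and the complement-and-retry rollback just described, as one added Python example (not from the report). Both adder structures are constructions of the example rather than the circuits of Figure C-1: "half" uses two half adders per bit, and "majority" builds every node from a majority gate so that complementing x, y and c complements every node. Faults are single stuck-at faults on the named nodes.

```python
from itertools import product

WIDTH = 4
MASK = (1 << WIDTH) - 1
NODES = {"half": ("g", "h", "t"), "majority": ("cout", "m", "s")}


def maj(a, b, c):
    return (a & b) | (a & c) | (b & c)


def add(a, b, c0, structure, fault=None):
    """Ripple-carry add mod 2**WIDTH. fault = (bit, node name, stuck value) or None."""
    def node(i, name, value):
        return fault[2] if fault and fault[:2] == (i, name) else value

    total, c = 0, c0
    for i in range(WIDTH):
        x, y = (a >> i) & 1, (b >> i) & 1
        if structure == "half":
            g = node(i, "g", x & y)        # not complemented when x and y are
            h = node(i, "h", x ^ y)        # unchanged when x and y are complemented
            t = node(i, "t", c & h)
            s, c = h ^ c, g | t
        else:
            cout = node(i, "cout", maj(x, y, c))
            m = node(i, "m", maj(x, y, c ^ 1))
            s = node(i, "s", maj(cout ^ 1, c, m))   # equals x ^ y ^ c
            c = cout
        total |= s << i
    return total


def survey(structure):
    """Inject every single stuck-at fault for every operand combination.

    Returns (undetected, unrecoverable):
      undetected    - wrong sums that still pass the complementation check
      unrecoverable - wrong sums for which the complemented retry is wrong too
    """
    undetected = unrecoverable = 0
    for fault in product(range(WIDTH), NODES[structure], (0, 1)):
        for a, b, c0 in product(range(MASK + 1), range(MASK + 1), (0, 1)):
            true_sum = (a + b + c0) & MASK
            direct = add(a, b, c0, structure, fault)
            # Complement all inputs, add, then complement the output.
            retry = ~add(~a & MASK, ~b & MASK, c0 ^ 1, structure, fault) & MASK
            if direct != true_sum:
                undetected += direct == retry
                unrecoverable += retry != true_sum
    return undetected, unrecoverable
```

`survey("majority")` returns `(0, 0)`: every wrong sum is flagged and the complemented retry always recovers it. `survey("half")` returns non-zero counts; for example, with node h of the top bit stuck at zero, 8 + 0 gives 0 on both the direct and the complemented pass.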
Other rollback procedures for addition are possible. For example, the addend
and the augend can be shifted so that the faulty adder bits are confronted with a
combination of inputs which do not exercise the faults. However, for an appropriately
structured adder this technique is less powerful than complementation.
Rollback procedures often can be designed to take advantage of the many
redundant paths in most computers to correct an erroneous computation. However, the
design of most of these procedures depends upon the detailed structure of the system.
C3. SYSTEM RECONFIGURATION OR REPAIR
Three courses of action are possible after a system is discovered to be faulty:
1. Discontinue operations
2. Continue operations, accepting the possible consequences of the faults
3. Reconfigure or repair the system
The first solution is unthinkable. It is the situation which would have to be
faced if all other available courses of action are impossible or excessively perilous.
In most situations, this solution would not be accepted unless the computer were a
failure.
The second solution is better. If the computer has built-in error correction
features this solution could be entirely satisfactory. If the system is designed so that
operations can tolerate some errors, continuation of operations might still be acceptable
as a form of graceful degradation. Finally, it might be possible to reprogram the
system or redesign the sequences of operations in some of the instructions so that the
harmful effects of errors due to known faults will be remedied. This approach, however,
is a form of reconfiguration.
The third solution is reconfiguration or repair. In this solution, either the
hardware or the software is modified to eliminate or reduce the harmful effects of
known faults.
C3.1 Repairs
Repairs performed with perfection will not degrade operations. However, their
performance requires spare parts, tools, skills and/or time. When these are available,
repairs provide the best maintenance.
To make repairs with a minimum amount of test equipment, it is necessary to
have accurate knowledge of the location of a fault which is to be removed from the
system. This knowledge will be provided whenever possible by diagnostic programs
and built-in fault detection circuits.
The simplest repair procedure involves the removal and replacement of a faulty
module. This method is the simplest to perform. However, this means that spare
parts provisioning must be provided at the modular level.
Another repair technique would involve simple adjustments to remove from the
active system faulty elements within a module. Such adjustments also would involve a
knowledge of the location of the fault. Furthermore, in this case, the fault would have
to be located more closely than to the module.
As an example of a repair technique by adjustment, consider a memory with a
spare bit position. If one of the active bit positions was found to be defective, the
fault could be remedied by disconnecting the faulty bit position and connecting the
spare bit position into its place.
The facility with which this could be performed would depend upon packaging
techniques. One technique which would facilitate this type of repair would be a circular
connector. All bit positions of the memory would be connected to the memory side of
the connector. However, on the computer side of the connector, one pin would not be
connected. If one bit of the memory were found to be faulty, the connector could be
rotated so that that faulty bit position would be connected to the disconnected pin on the
computer side.
C3.2 Reconfiguration
C3.2.1 Reconfiguration at the Module Level
The simplest form of reconfiguration involves switching out a defective module
and possibly switching in a sound one. For this technique, it is necessary to divide
the system into modules and to have more than one module of each type. Some modules
may be spares. In this type of reconfiguration, no operational degradation occurs
until the spares are consumed.
C3.2.2 Reconfiguration at the Sub-Module Level
The reconfiguration need not be done at the module level. Spare logic circuits
can exist within a module. Then, a register can be used to control the selection of
circuits used. If error detection or error correction circuitry are used, it may be
desirable to provide test modes for switching out some of the redundant circuitry
while the cooperating logic elements are being checked out. In systems with this
feature a test mode might also be used to remove defective redundant circuitry from
the active circuit.
If a memory or a transfer bus had a faulty bit position and a spare bit position,
the faulty bit position could be switched out and the sound bit position could be switched in.
If a mod 2n-1 adder had a faulty bit position, the adder could be converted to a
mod 2n-1 adder by breaking the connections between the defective bit and its neighbors.
In this case, it would also be necessary to reconfigure the sign tests so that the proper
bit would be tested as the sign. An equivalent effect could be obtained by inserting a
spare bit in the adder and disabling it. Then, if a bit were found to be defective, the
spare bit would be enabled and the defective bit disabled.
In a micro-programmed computer, a defect in the memory storing the
micro-program could be evaded by changing the operation code of the instruction whose
micro-program was located in the defective memory locations.
C3.2.3 Reconfiguration by Instruction Sequence Modification
The defects of an adder will usually cause an erroneous power of two to be added
to or subtracted from the results whenever the operands cause certain logic paths to be
used. Thus, if an adder is known to contain a fault (or several faults) the error
patterns which might occur can be listed. Hence a roll back routine can be designed for
correcting the error pattern associated with the given fault.
As the error pattern will not occur in every addition, this roll back technique
cannot be used with every addition. It would therefore be necessary to use some
error detection scheme to determine whether or not the operands currently being
combined cause an error. Thus the roll-back routine should be used only after an
error has been detected.
