Advanced software techniques for space shuttle data management system  Interim report by Vere, S. A. et al.
General Disclaimer 
One or more of the Following Statements may affect this Document 
 
 This document has been reproduced from the best copy furnished by the 
organizational source. It is being released in the interest of making available as 
much information as possible. 
 
 This document may contain data, which exceeds the sheet parameters. It was 
furnished in this condition by the organizational source and is the best copy 
available. 
 
 This document may contain tone-on-tone or color graphs, charts and/or pictures, 
which have been reproduced in black and white. 
 
 This document is paginated as submitted by the original source. 
 
 Portions of this document are not fully legible due to the historical nature of some 
of the material. However, it is the best reproduction available from the original 
submission. 
 
 
 
 
 
 
 
Produced by the NASA Center for Aerospace Information (CASI) 
https://ntrs.nasa.gov/search.jsp?R=19710005951 2020-03-11T23:58:03+00:00Z
n0^o
O
a
a
1
:_
^	
fr
^^	 € ^f
_^_	
3
-	 ,
_s	 _^
-^	 _
i
^^
=	 ^ i
—	 ^ ;
_	 ;
_	 ii
i
,._
6^
^-s '
^ 9
^_
^^
--	
^^
^
T
A
rn
C
C:
6 i
(iHRt^
G3
(CODE)
(CAiO ^^
^•,
'l^J,,
.}^S,
J
r
. ^;	 ^
^^^^^:-
v5 3!lge'es / san dieno / wash^r,gtr,n, d.c.
^^^^ ` -^ r^^  ^ 5 2 6 ^ I^
^^yJ
/^, t ^,	 a
^cV ^ ^ rrt -n j^^^^^^^Q7	 ^ -.^ r ^	 r'Vr
^ L ^ [x.
: 1 ^n  ^.
^^ G ';
^^^^^ ILDl.6 ^ti .,
.^
^=
C^' JIB ^°^-
3
Advanced Software Techniques for
Space Shuttle Data Management System
First Interim Report
Contract No. NAS ^-11225
November 20, 1970
Prepared by:
Michael D. Richter
Richard C. Rountree
Raymond J. Rubey
Steven A. Vere
y=
;_.
1
r-	 •-
^:
R
TA13LE OF CUNTEN7'S
1.	 Introduction 1
^ 2,	 Functional Analysis . 	 .'. 2
^ 2. 1	 Inertial Measurement Unit 3
2. 2	 Unitized Pointing Platform . 6
2. 3	 Displays	 . . . . 7
2.4	 Trackers. 9
2. 5	 Landing Aids	 . .	 . . 12
^ 2. 6	 Primary Propulsion Subsystems 14^
2. 7	 Reaction Control Subsystc:tn . 15
3.	 Computer Configuration Analysis . 16
.^
3. 1	 Central Computer Facility Configurations . 17
3.2	 Executive llesign 19
3. 3	 Architectural Aspects Study 24
Q
-ii-
-_ .
•1.	 INTRODUCTION
This interim report describes the activities performed during the first
third of the study of Advanced Software Techniques for the Space Shuttle
Data Management System. The results of two tas}cs are reviewed in this
repert. The first task is to identify and analyze the functions to he ac-
complished by the Space Shuttle unboard computing; fiystem and estimaie
their probable computational impact. The activities to be performed in
accomplishing this task are complete and the results are presented in
Section 2. The second task is to identify the advantages and disadvantages
of alternative com}^uter configurations and architectures for the Space
Shuttle application so that meaningful hardware/software tradeoffs can be
made. The preliminary results of this tasl_: are presented in Section 3.
It is anticipated that the hardware/software tradeoff activities will continue
through the remainder of the study. Other tasks to be performed during
this study but not discussed in this report are to investigate the application
of higher order programming languages to S pace Sln^ttle software develop-
ment and to analyze the support software and hardware required fo g• the
onboard software's development and verification.
-1-
- - _ _	 _
==
_^-
-2-
s
._^
2.	 FUNCTIONAL ANALYSIS
The analysis of the functions to be performed 'uy the Space Shuttle com-
puter system has been necessary to establis;^ the desired characteristics
of that computer system and the computation ]o^d to be imposed on it. The
computational load can be qualitatively estimated in terms of the computer
memory required, the number of instructions th^.t must be executed in a given
interval, and the input/output rate; thst must be maintained. Also important
are factors relating to the computational tasks: t:hcir relative priorities, their
periodicity, the amount of intertask communication, and the number and attri-
butes of routines shared between tasks. As this section will describe, it has
not been possible to establish firm and r1^1^a,1Pd functional requirements at this
stage of the Space Shuttle cicvelapme^^^. Rather, the it,nctional analysis chat
has been performed has indicated t^^e rough order of mag^:itude of co:npt.tational
requirements and operating en• • :ronment for the maximum Space Shuttle avionics
configuration. It is apparer.^ that the computational load ranges from one close
to that of Apollo to one th-it lard:.• ground-based computers of today would have
difficulty in supporting. Th:^ range of loads indicates that further study of the
hardware interfacing ^.vith the computer system and of the functions to be per- 	 -
formed by the compt^t^r system in supporting this hardware is required 'o bring
the computational requirements within reasonable bounds.
The iollo^=p ing avionics subsystems have been examined:
•	 Inertial Measurement Unit
•	 Unitized Pointing Platform
•	 Displays
•	 Trackers
•	 Landing Aids
•	 Primary Propul si.on
•	 Reaction Control
Each of these subsystems is described in the following paragraphs of this sec-
	
_ _ -
tion. The input/output requirements associated with each have been given pri-
mary emphasis in this study because a proper understanding of these require- 	 _=-
ments is essential to the computational functions that must be performed. The
	 =—
principal source of information about the avionics subsystem hardv^^are and 	 =_
functions has }p een the Preliminary Measurement and Stimuli List. Where the 	 -_
documentation is incomplete or inconsistent, assumptions have been made as 	 _
to the most probable hardware configuration. 	 -
A major computational function not yet analyzed in detail is the malfunction (or
error) diagnosis, circumvention, and system reconfiguration necessary to meet
13, 130
1.75
24
43
3. 5
14
16, 384
0. 96
ib
NA
1.92
5. 76
4096
5. 0
18
27
!0
70
2
20/^
2150
4. 0
18
NAB
NA
NA
-3
•
thc^ fail-operational/fail.-operational/f;iil-safe requirement. A preliminary
sur^^cy of this function indicates ghat the software needed to implement this
requireme nt could double the computational load, while the 1'ar greater
ni,mher of possible sequences of program execution introduced by this soft-
ware could increase by an order of magnitude the time and cost required for
verification and validation activities.
2. 1	 yiertial Measurement Unit (IMIJ)
Tl,e inertial measurement unit is tl^c most important avionics subsystem for
the guidance and navigation function. Two main alter^latives exist, each
having different computational requirements. The first is a gimbaled IMU
such as that used in the Apollo Primary Guidance.. Navigation and Control
System; the second is a strapdown 1MU that is a development of the type of
system employed in the Lunar Module Abort Guidance System. A review of
documentation and study activities l,as indicated that for the maximum apace
Shuttle configuration, both NASA and the Phase I3 contractors have given pri-
mary consideration to a strapdown IMU. A gimbaled platform would likely
be the choice, However, if budget and other constraints dictate the choice of
an "off-the-s11^1f" system.
Because a strapdown IMU presents the most difficult computational problems,
four different systems were analyzed as to their computational aspects as
summarized in Table 2-1. The four systems are:
•	 Lunar Module Ai;^rt Guidance System (LM/AGS)
•	 Advanced Supersonic Transport (ASST)
•	 Redundant Sensor System (RSS)
•	 MIT Dodecahedral Strapdown Inertial Reference Unit (MIT-SIRU)
Table 2-1. Computer Characteristics for Four Strapdown IMU Systems
S stem
Characteristic	 LM/AGS	 ASST	 RSS	 MIT-SIRU
Memory capacity (words)
Cycle time (µsec)
Word length (bits)
Repertoire ( instructions)
Computation time (4:. sec) Add
Multiply
Major cycle (sec)
Minor cycle (msec)
*Not Available
7'he .LM/AGS was a complete gilidance system intended to back up the pri-
mary system in the event of failure. It was basicall; reliant on the primary
system for initiali ;anon; hence mc, mory capacity for such tasks as a].ignmcnt
and calibration was min,mlzcd. 'There was no requirement for failure de-
tection, diagnosis, and correction logic. 'I'hc technolol;y era represented is
1964 - 66, although it has been refined to the present time with a peak empha-
sis at tiic Apollo 11 lunar landing in 196$.
Computer characteristics sllowrl for the ASST were foI• an IMU-local compu-
ter. It was intended to be supported by a 6^i00-word main computer. The
ASST was an early attempt at the six-redundant-sensor strapdo^vn approach.
Hence, memory capacity for f^:ilure detection, diagnosis, and correctionlogic
was optimistic. The overall GNF^C subsystem configuration more closely re-
sembles that expected for Spac^ S]tuttle than that of LM/AG5 or RSS, i. e. ,the
ASST treated nnllti-IML'/comF;:cers, navaids, flight profile prediction and
steering, etc. The technolofiical era of the ASST work was 1967.
The RSS was a laboratory e^:periment to demonstrate reliability/performance
capabilities in conjunction with faililre detection, diagnosis, and correction
logic. The large memory capacity sl-Town is based on an exotic alignment
scheme and experiment-related driver Sllbl'OUtl)1eS and I/O. More than 7000
words may be expunged if these functions are deleted. A preliminary RSS
memory capacity estimate was 2400 words. This vas rnacie in 196$, subse-
quent to the ASST venture. However, detailed examination of failure detection.
diagnosis, and correction requirements and alignment and calibration require,-,
ments (thrr,ugh to the spring of 1970) greatly increased the memory estimate.
The MIT-SIRU ernplo} • s six gyros and six accelerometers along axes perpendic-
ular to six of the 12 plane faces of a dodecahedron. The SIRU sensors redun-
dantly measure annular rate and acceleration along the six functional axes. A
digital computer program computes vehicle angular rate alld acceleration froTn
data received from sets of sensors. )3y comparing the redundantly determined
vehicle data, a failed gyro or accelerometer is detected.
Of the systems studied, the MIT-SIRU is most in accord with I^'ASA requirements.
For this reason the A4IT-SIRiJ has been reviewed in more detail than the other,
less capable systems. Ln the MIT-SIRU instrument, loops deli^^er incremental
velocity (DV) and attitc:de (GO) to a dual redundant multiplexer that transmits data
and receives control and sampling messages from the digital computer assembly
on dual data buses; a serial data transmission format is used. A local processor
has been considered part of the overall STRU system. T11e DV and ^B are com-
pensated; checked for failures, malfunctions, or out-of-tolerance behavior; and
I
-4-
t-
1
converted to attitude and velocity information along equivalent triad-axes
(X, Y, L) by the local processor. The velocity a^^d attitude arc then for-
warded in dual fortes to the: central computer facility for guid<:nce and navi-
gation calculations,
Each functional axis contains a tert;ay torque rebalanced gyro and acceler-
ometer, power supply, electronics, r.nd temperature control. Instrument
loops deliver the ^V and 09 data at a 4800-pulse/second (pps) rate. aviatrix
processors and algorithms operatu at a 100-upc}ate/second rate. Velocity
and attitude processing is done sequentially in each 10-msec interval. The
local processor would he a 16 -bit machine. Data rates are estimated from
the following assumptions:
•	 Sitt}71e-precision ^vorcis for three velocity and four attitude
	 i(quaternion) components at a 100-Hz rate imply 11,?.00 bits/
sec (bps) during powered flight. Attitude-only during coast
yields 6900 bps.
•	 Failure stat^t:^ of each functional axis is indicated by single
bits (go, no- f*o) to the central computer facility. Display
lights are triggered every second, and computer signals are
deliverer} at 500-msec. intervals.
The 1^'ASA system outlined in the Preliminary Measurement and Stimuli List
differs pritnariJy in three areas:
•	 DV and A6 pulses are sent directly to the GN&C computer
•	 Different sampling rates are involved
•	 Additional sensor charac.teristica (e. g. , temperature) are
monito reef
According to the NASA concept, nV and D8 are delivered to the GSE at a
	 ^
9600-pps rate for tests. In all other phases they are accumulated in the
guidance, navigation, and control computer memory and then monitored at
1 sps. This implies t}^at curing the test phases the 12 sensor loops load
the data bus at a 115, 20U-bps rate:, assuming 1 bit/pulse. Strapdown inac-
curacies become. prohibitive when attitude algorithms arc not updated at
	
_---
intervals in the range of 10-50 msec.
T}te requirement to monitor IMU status will increase these data rates. Tem-
perature measurement accuracies call for 1l-bit words at 10 samples per
-5-	 =	 _	 --
1,^
second (sps), yielding 1 3 "LO bps to displays and recorder. 131ower and heater
on/off signals to the recorder and ground display arc indicated at 1 sps.
Several comrrcnts are offered I • egarding Space Shuttle philosophy of fail-
operational/fail-operational/fail-safe. The first is that a single MIT-SI1tIJ,
as presented, will not adhere to the failur. a criterion. Only two like sensors
can fail with the current software. Internal moritori.ng of the sel+sors (c, g. ,
gyro ^^hccl speed) will Pcrn:it three failur_s. however, ' r oth of the multi-
plex units fail, the criterion is again not satisifcd. Four mu,tiplex u»its in
conjunction with the two ::cts of six sensors will satisfy the criterion. Catas-
trophic failure considerations would make two MIT-SIRUs mandatory.
2. 2	 Unitized Pointing Platform
The unitized pointing platform consists of a mechanical base with two degrees
of freedom and a set of three sensor; star tracker, sun sensor, and horizon
scanner. Commands from the COITlplltlllg system drive the mechanical axes
of the assembly, moving the reference for the sensors. N.^ Wither source of
navigation or alignment iliformation is indicated in the available data, so that
it is assumed that sta g• /horizon measilrements will be crnployed for all location
data e^:cept when one or more tracker is ful;ction4l. It is assumed that IMU
stability is sufficient to obviate the need for use of the platform during atmos-
pheric flight. Initial alignment of the IMU will require stahillzation of the
spacecraft, acquisition of the sun and the horizon by the sensors, driving the -
platform by the computer to p^+t each of at least two reference stars sequen-
tially in the field of view of the tracker, and processing of the tracking error
signals, platform azimuth and elevation, and spacecraft attitude (from the IMU)
for each sighting. Confirmation of IMU alignment is obtained by drivinb the
platform to at leas: one additional reference star and verifying its location in the
tracker's field.
Occasional star sightings v^^ill be made under colrlputer control to maintain
alignment, and the altitude of a sequence of reference sta* • s above the horizon
provides position data. In either case, the computing system drives the plat-
form to the nominal position and rcacls t'^e sensor cr2• or sig:^als. Operationally,
one or two such points may be taken every !0 min • Ites as other tasks permit, so
that the residual errors are minimized. Each platform angle covers a range of
t30 degrees, and 16-bit quantization s^;ems desirable. The horizon scanner
provides only elevation deviation, which, depending upon tl^e field of view of the
t2• ac]cer, may he gilantizedv^-ith up to t4 bits. Similarly, azimuth and elevation
deviations from the sun sensor may be quantized to :4 bits each; practical argu-
ments suggest that 16 bits will be used for each datum. The scanner will pr^-
vide periodic data, of the order of 10 times per second. The sun sensor and
I
-6-
tstar trac]cer havr. data available continuously, but the fc^rn:er will be sampled
uh to 10 times per second and the latter ncr.d be read only once per star. The
ahovc rates arr mar};inal to obtain 5-arc-second accuracy with a residual
attitude rate of 0, O1 degree pear second.
In the absence of utilization data, it is reason.^.blc to hypot}:esize that the
two platforms will be alte.rnatec}, and that while the si};i:tinb frr.qucncy may
be doubled, the data rates during a sighting will be as given above. If the
field of view of the tracker is assumed to be 5 dcl;rces in each axis, lb-bit
quantization of its data pair appears more Lhan adequate, yielding less than
0. 6-arc- second error. Them a^,pe^rs to be no requirement for commanding
the platform repetitively once alignment has been obtained; that is, given an
inertial rcierence, a single pair of platform command:,• will drive the sensors
to the desired attitude through a platform servo loop. If the reliability or
other cost of such a loop is unacr_cptable, it will be necessary to generate in-
cremental commands with computer-derived d.imping to drive the platform
to the desired position. In that event, platfot • m angles may have to be both
read and commanded at up to 30 times per second to obtain the desired c^tabil-
ity, and it may be preferable to use a platform rate coinmancl rather than an
angle command as the interface. The analogy between these functions and
those of the digital autopilot may be strong enough to allow some common usage
of routines.
ir. addition to the normal monitor and command functions, calibration is indi-
cated for the horizon scanner ar.d will probably be required for the other sensors
as well. Without data on the mechanisms to be employed, one may only estimate
that a few hundred words of program may be needed for each sensor, and that
the star tracker and sun sensor would be calibrated once for each set of measure-
ments (perhal,s once per 10 minutes of use) and the horizon scan7cr will require
collection of :lata over several scans {perhaps 10) in the same period.
2.3	 Di splays
The definition of the display hard^^are is the Ieast complete of any of the avionics
subsystems and, as outlined below, tl^e range of computational requirements
is several orders of magnitude. Several significant hardware tradeoffs for the
displays are a pparent as regards the extent to whic}. analog hardware can be
used to reduce the computing load to reasonable proportions. To illustrate this,
tl^c displays needed for tl^e dynamic displays which would be required for the
blind landing phase have been considered.
One display for bli p l landing is a video image of the runway as it would appear
through t}ic window. From AWAILS or from ILS and the altitude radar, the
-7-
computing system determines the vector in inertia+1 coordi,u,t.es to the. end
of the• runway; t.riviaJly, this may he rotated into tl,e vehicle. frame. The
magnitude cf the• vector (distance to end of runway) establishcF 1.he scale
of the image, while the pitch, roll, and yaw anl;lera control the display per_
spectivc. Several analog mechanization:+ exist to provide a Get"1' image or
a projected slide using these data with frequent update. The maximum load
they would impose on the computinf; system would be four single-precision
words sent 30 times per second.
The cost of the ans,log hard^.vare may be considered excessive in dollars,
poun.}s, failure eflect, or other significant measure. In that event, the
burden may be transfcrrcc' to the compuaer, which would provide int:cnsity
information for each poila of the frame. Evc • a if refreshment of the imat;c
were accomplished in hardware, the lc.^d would not be eased on an animated
display, since the rotating coordinate system of the example requires major
processing. We m^+y assume that only a single intensity ]eve) is required
for the line image to be trcncrat^d, but we must ^cncrate 50, 000 to f 50, 000
bits per frame. To prevent disturbing flicker or erratic motion, the up-
date rate for the display will lie of the order of 3U frames per second, yield-
ing a data ratF for the one display of the order of 3 million bits per secc,nd.
From the point of view of the software, it is probably easiest to locate the
image• points in the followinE; way. For each frame, each line is represented
as a segment in the form Y = AX ^^ I3, where X and Y are Cartesian coordi-
nates on the display and A, 13. and fete termini of the segment are oomputr.d
from the orientation. .i3ach display line establishes a value of X, and each
solution represents a point to be displayed. Assuming six such lines in the
image, six solutions must be sougl-,t, each involving a product, a sum, and
at least two tests. With each solution found, allowa*^ce is made for the finite
widt}^ of the display line by providing a number of conaeciitive dots equal to
the inverse of A for all !\ less than 1. (That algorithm allows the effective
brightness of t}^e line to increase by 40 °,'o as it approaches the perpendicular
to fete scan line, but it is the simplest implementation.) The segment is trun-
cated as required.
For each display frame, t}ie computer must determine six sets of four seg-
ment parameters alld one inversion. For each of t}ie 400 to 500 lines in a
frame, it must filed the solution (one multiply, one ^ ►dd), determine the left
and right termini of the line segment (one add eac}^), test each tc;minus for
inclusion in the display (four or eight compares). and assemble a sequence
of binary words with each bit corresponding to a point on the scan line. The
first scicn set is stored; eac}, of the five successors is rJR'ed with the first
._
_g..
6on a word-by-word basis to establish the composite display. Ty:.
15 such words will be required to depict a scan line, suggesting; .. .
posite requirement for each line in excess of 6 multiplies, 18 add.,,
compares, and 15 logical ORs. The available time is of the order
msec divided by 400 lin?s, or 75 µsec. Assuming that 10 adds require
the same time as one :»altiply, the arithmetic operations alone sug;t;ei;t
a maximum add time of less than 1 µsec for final computation.
Note that the four items required for command to the analog system are
essentially available in the computing system without further processing;
in the all-digital configuration they are supplemented by six projections
in three-dimensional space. The four parameters of each segment must
be determined for each frame, suggesting that a typical CPU with 0. 5 µsec
add time would be hard pressed to handle the animated display if dedicated
to it full time. Recognizing that only a single, simple display of its type
has been considered, one sees easily the impact on system configuration
of display requirements. The requirement to support colored displays
would further increase the computing load. Simple and multiparameter
trend analysis may be added, further to increase the computing load for
related displays.
2.4	 Trackers
—
	
	
Three tracking subsystems have been reviewed: the docking laser, the
rendezvous radar, and the infrared tracker. No interaction between these
subsystems has been described, although it is likely that it will exist and
that it will have significant computational impact. The docking laser has
no equivalent existing projects and therefore its potential computational im-
pact has been given the most consideration.
2.4. 1
	
Docking Laser
The docking laser collects data for the determination of target attitude to
assist in automatic docking. It transmits a beam to the passive base, re-
ceives reflections from each of the three targets on the docking ring, and
determines the range and some relative attitude data from analysis of the
detected signal. Dual-tone laser modulation allows operation over a range
of 0. 25 statute mile without ambiguity, and the system is capable of accuracy
to a fraction of 13 feet (equal to the wavelength of the high tone). Incoming
light is collected by a Cassegrain telescope and passed through a filter to an
image dissector. Two degrees of freedom are scanned electronically within
the image dissector upon command from the computing system; tither a posi-
tional command or a discrete may he employed depending upon the sophisti-
cation of the scan control and monitor electronics.
-9-
Two cases for scan control and monitor electronics have been considered:
a sophisticated processor internal to the laser system and a simple inter-
face package requiring the central computer facility to do most of the proc-
essing. Sophisticated scan control and monitor electronics will provide a 	 !!^
set of scan patterns depending upon the quality of the data collected in the 	 {
scan itself. With such a package, the system inputs reduce to a single dis-
crete to initiate scanning in both directions, with the actual pattern under
control of the laser electronics. Scan termination would be commanded by
removal of the discrete. Feedback would be required from the range com-
puter to the electronics to signal the presence of a return. The computing
system for so elaborate an internal scan-control package would do only the
processing required for guidance purposes. The internal evidence favoring
such a configuration as assumed here includes the identification and correc-
tion within the laser system of glare areas and the simplicity of the indicated
interfaces with the computer.
The simple interface package would accomplish format conversion and little
more. For this alternative, the computing system must maintain a map in
memory of the pattern of returns, command each displacement of the image
dissector aperture separately, and maintain detailed control of the scan pat-
tern. The suggested command rates would be up to 10 6 displacements of the
effective aperture per second in each of the two directions; more probable
rates will be 10 4
 during the most active scanning phases (e. g. , acquisition
of target) and less than 10 3 for the others.
The azimuth and elevation of the target returns are provided to the computing
system for interpretation. A separate computer detects range through phase
measurement and transmits two types of data:
•	 Low tone range, apparently whole cycles of the high frequency
between transmission and return, hence scaled as integers
from 0 to 200 It
• High tone range, presumably multiples of some fraction of a
wavelength of the high frequency, probably requiring four or
five bits in encoding.
Each scan angle may be encoded with up to eight bits, although a reasonable
design of the optics might allow five bits to suffice, and other considerations
might prompt an attempt to use 10. A set of laser data (hinh and low tones,
azimuth and elevation angles) may be available as often as 1,000 times per
second with the operating frequencies in use.
6
-10-
-11-
i
There are three targets on the base, so the solution of base position is
overdetermined. One computational approach to the utilization of the
laser data has been reviewed to determine the possible computational
impact. In this approach three major routines are required for determin-
ation of docking data: a dynamic model of the base, a Kalman filter, and
a coordinate converter. The last adapts input data to the requirements of
the model, presumably resolving each input set into inertial position of its
target. The laser may provide 1, 000 sets per second, and the rar„r 10
sets per second. Each set requires development of two sine-cosine pairs,
four multiplies, and two additions.
The measured data are compared with the set from the six-degree-of-
freedom model. Since the Kalman filter to be applied to the derived error 	 E
is the most complex routine in the set, it may be desirable to rotate the
coordinate system into a frame suitable for estimation of errors. Note
that the base may be executing attitude maneuvers (including those associ-
ated with holding attitude) during the period of measurement, and that no
external source is available to identify firing of the base reaction control
system. Thus, the Kalman filter will have to identify a probable firing for
the model.
The Kalman filter derives best estimates of target state and attitude and of
errors in the data. Its use requires the development and inversion of a
large matrix (depending upon the number and size of the error sources),
yet it must be amenable to rapid cycling so that docking may be performed
in real time.” There exist three parameters of position error and three of
velocity for each of the four targets under consideration (including the trans-
ponder), plus two or more for each degree of freedom in data collection.
This suggests that the matrix for inversion will be of the order of 36 by 36
elements. The computational load resulting from the inversion of such a
large matrix every millisecond is beyond the capability of a foreseeable on-
board computer system. Both the docking laser hardware and the method
by which its output is utilized clearly must be more fully analyzed so that
a practical system can be developed.
2.4.2
	 Rendezvous Radar
The rendezvous radar is also referred to in the available documentation as
the microwave tracker and the microwave rendezvous tracker radar. The
9-GHz beam is transmitted and received through a diplexed, phased array,
and the output data are the commanded angles and the derived range and range
rate. As in the docking laser, the question of drive for tracking is not
6resolved in the available material; search patterns may be generated in-
terxially, or they may be obtained through the computing system. It
appears unlikely that skin-track capability is incorporated in the rendez-
vous radar; if this is correct, then rendezvous with a passive base must
be effected without rendezvous radar data, at least until very close range.
Although the indicated data rate is 1 sps (each sample consisting of two
angles, range, and range rate), it seems likely that up to 10 times that rate
might be desired in conjunction with the automatic docking mode. Each
datum should be encoded with 16 bits. If steering of the beam is to be a
computing system task, two words of 16 bits each will be required (azimuth
and elevation to the base). The finer steering required to keep th- beam
locked onto the target is a normal function of the demodulation elt .Lronics,
so that the steering command will not require reiteration while the "data 	 i
good" discrete is supplied by the rendezvous radar.
2.4. 3	 Infrared Rendezvous Tracker
The infrared rendezvous tracker detects the thermal radiation of the base
to determine polar coordinates within its field of view (5-degree full-cone
angle about the longitudinal axis). Scanning is indicated as entirely under
internal control. Data siiould be available at least once per second, each
set consisting of the azimuth and elevation of the base, with each angle
encoded to no more than eight bits (four would suffice for a small telescope
even using a cooled detector). The signal data converter is shown as re-
solving the polar data into azimuth and elevation; no advantage is evident
for this configuration over performing the conversion in the computing sys-
tem. Complementing the usual monitor for system performance is the set
required for control and monitoring of detector temperature. Depending
upon detector design, it may be possible to use the infrared rendezvous
tracker with the sun in the field or reflected by the base. It is possiblethat
sun-avoidance logic for the scan pattern may be required, suggesting two
eight-bit words per second from the computing system to the scan control
when the sun is in the field of view.
2. 5
	 Landing Aid s
Five landing aids have been reviewed: altitude radar, ATC transponder,
VOR TACAN, instrument landing system, and all-weather automatic instru-
ment landing system. The last three systems are complementary in prin-
ciple but will have significant periods of combined operation where their
data will be supplementary.
-12-
-13- BE
6
2. 5. 1	 Altitud . Radar
This radar determines height above. the local terrain from the transit time
of a signal at 9 Gl-.z. Since terrain variation will be a significant factor in
the received data, smoothing will be required by the computinf; system. It
seems likely that 16 bits will suffice for the data, and that a norninal rate
of the order of 100 cosec between samples will provide rapid response and
effective smoothing. One possibility is that landing at the nominal site would
call for removal of known terrain variation from the data, either comple-
menting or replacing smoothing. Since the vehicle must be capable of landing
at unplanned sites, such a feature for the nominal seems to be of little advan-
tage, while it might.=—commit a significant portion of memory.0
2. 5. 2	 ATC Transponder
The air traffic control transponder receives its input at 1030 MHz from the
ground, converts it to 1090 MHz, modulates it with selected guidance data,
and transmits the resultant. Normal functions of monitor and self-check
are required, but the interface for guidance data must also be supplied. No
interface between the ATC transponder and the guidance system is shown in
the Preliminary Measurement and Stimuli List. It is probable that the fol-
lowing data should !,e required no more than once per second:
•	 Reference time (GMT)
•	 Mean altitude above terrain (unweighted average of altitude
radar data)
•	 Inertial state vector (referenced to the rotating earth)
•	 System status code (synthesized from individual status data).
Other data available in the landing phase would appear to be of little value
to those receiving the transponder signal. The computing system interface
is independent of the operating mode of the transponder during landing phases.
The resulting data rate is of the order of nine single-procision words per
second, all drawn from existing data and requiring a minimum of computation.
2. 5. 3	 VOR TACAN
VOR TACAN is a pair of data sources (omnirange and TACAN) providing
inflight data relative to earth-fixed transmitters. Each system employs a
6signal from the ground decoded onboard into an identifying g one for the trans-
mitter, a reference bearing, and a variable bearing as a function of vehicle
position relative to the antenna. It is assumed that manual identification of
the station will be emploved; the A/D and digital requirements for automatic
operation seem more costly than this supplementary information is worth to
the mission. TACAN also includes an active ranging path to its antenna.
Particularly because of the short range over which VOR TACAN data are
good, eight-bit encoding of each bearing signal and of range would appear
sufficient. While- data are available essentially continuously, sampling inter-
vals of 1 second are sufficient unless TACAN data are to be used to derive
wind velocity. In that case, 12-bit range and bearing data will be needed,
and rates of the order of five samples per second may prove useful.
2. 5.4	 Instrument Landing System (ILS)
The ILS brings the vehicle to the middle marker of the runway through detec-
tion of azimuth and elevation from a reference transmitter. A supplementary
anteruia. signals passing of the outer and middle markers. The detected sig-
nals of glide slope (elevation) and localizer (azimuth) may be usefully encoded
to about eight bits and sampled once per second; the two marker signals should
be discret-es to the computing system, and require sampling at the same rate
but for only the brief period near their expected occurrence. Ambiguities exist
in ILS data which may require resolution in the computing system both for
display and for automatic landing. Comparison between alU and ILS data
should be sufficient to determine which of the five possible ILS references
has been detected and to optimize the landing trajectory.
2. 5. 5	 All-Weather Automatic Instrument Landing System (AWAILS)
AWAILS provides angular interfaces equivalent to those of ILS and supple-
ments them with measurement of range to a transponder on the runway.
Again, eight-bit encoding of each of the three data should suffice and one
sample per second would appear adequate. AWAILS would be employed only
in the final stages of landing.
i
2.6
	 Primary Propulsion Subsystems (PPS)
The primary propulsion subsystems employ two separate sets of engines.
The main engines are used for the final stage of boost, while subsequent
major thrust maneuvers employ the orbit maneuvering subsystem (OMS).
Hydrogen fuel is used to cool each active nozzle regeneratively; the oxygen
oxidizer drives both turbopumps for the OMS, while preburners drive pumps
in the main engines. Helium is used for pressurization of each subsystem.
-14-
0A reasonable construct for operation of either engine subsystem calls for
a set of pre-ignition commands over a period of seconds to minutes, an
engine-on signal maintained throughout thrusting, separate gimbal angle
commands of indeterminate rate and quantization for either degree of free-
dom, and a mixture-ratio command. In the absence of data about a specific
PPS configuration, the following estimates are made for the design carrying
least load on the computing system.
About each axis, each engine may be gimbaled approximately 5 degrees, and
quantization to 0. 1 degree would be useful. A reasonable interface would.
allow for up to 10 commands per second per axis, each incrementing or de-
crement:ing the gimbal angle by one s;.ep. biitiation of thrust may use two
discretes (engine sequence start and thrust start), or it may require a sequence
of discretes issued on a time base; the most difficult implementation v: ould
provide discretes triggered by measurements of PPS parameters under com-
puting system control. Measurement of propellant quantities and flow rates
provides the data for computer determination of the desired mixture ratio;
the increment/decrement discrete is required no more than once per second.
Each incremental signal may require a discrete which causes the controller
to drive to the reference (null) position. The normal monitoring and mode-
control functions should be assumed.
Z. 7	 Reaction Control Subsystem (RCS
The reaction control subsystem employs 20 thrust chambers burning hydro-
gen and oxygen to generate relatively small torques and forces for attitude
control and for small velocity increments. Since the propellants are not
hypergolic, a high-voltage discharge is required to ignite each pulse; whether
a continuous-thrust mode is to be provided is not clear from the documenta-
tion. If continuous thrusting is possible, the output of the computing system
may be a discrete for each chamber (assuming hard wiring rather than the
use of the data bus). In that event, the signal is counted down with a tolerance
of the order of 1 to 5 cosec. If only a pulsed mode is available, the number
of such pulses (up to perhaps 800 per second) must be transferred to the
buffer in a local processor for each assembly. Two or three such items are
required for each. assembly, depending upon whether it includes four or six
thrust chambers.
Many configurations may be constructed in which computing system functions
are assigned to local hardware and software. The above configuration does
not allow for some modes of employing rate gyros, nor is it clearly the pre-
ferred type of interface if control surfaces are to be used in atmospheric
flight. The specific mechanism by which a command signal actuates the RCS
is not clear from the available documentation, and is significant in determin-
ing the software requirements.
-15-
6I
3.	 COMPUTER CONFIGURATION ANALYSIS
In addition to a determination of computational requirements from the
functional analysis, performance of a hardware/software tradeoff analy-
sis requires an assessment of the software aspects of alternative hard
«, are configurations. The functional analysis is directed towards the
determination of whether a particular computer configuration can 0 , ve
the problems arising in the Space Shuttle application. The computer con-
figuration analysis is directed towards the selection of the configuration
which minimizes the effort and cost required to produce the software.
The baseline computer configuration consists of a central computer facility
(CCF) communicating with standard acquisition control and test units (ACT)
or digital interface units (DIU) bus as shown in Figure 3-1. The alternatives
in this baseline which are being addressed in the computer configuration
analysis include the configuration of the CCF, the partitioning of computa-
tional tasks between the CCF and the ACT/DIUs, and the architectural
features desirable in the CCF and the ACT/DIUs. The study to date has
concentrated on factors influencing the choice of a particular CCF. Analy-
sis of a particular CCF configuration requires an understanding of the execu-
tive programs which control execution of tasks and an evaluation of the influ-
ence particular architectural features have on that configuration's program-
rnability, software maintainability, and ease of software verification and
validation. CCF configurations are discussed in Section 3. 1, executive de-
signs in Section 3. 2, anti architectural features in Section 3. 3.
Central
Computer
Facilitv
Data Bus.
I _—= ==ACT/DIU
	
ACT/DIU
	 ACT/DIU
	 • • • 0 • •
1MU	 Display	 Contr,-)iServos
Figure 3-1. Baseline Computer Configuration
-16-
3. 1	 Central Computer Facflit}_ Configurations
A siunplcx organization is clearly the most desirable in t( rms of program-
inability and verification and validation case. however, its disadvantages --
the relatively restricted computational capability it affords and the redundant
hardware required to meet the rcliabili+y requirements of the Space Shuttle
application -- have made it necessary to study multicomputer and multi-
processor organizations. For this study a relatively restricted definition
of multicomputer and multiprocessor has been established. As shuwn in
Fil ,, ure 3-2, a multicomputer cc nfiguration has two or more central processing
units (CPUs), memories, anc input/output processors. A multiprocessor
similarly has two or more CPUs, memories, and input/outt-,ut processors,
but communication is by means of direct rr:^mory access.
The advantages of a multicomputer organization are several. No hardware
or software scheme is required to lock out a processor from a memory.
During debugging, errors in a task on one processor cannot disrupt tasks
on others. The isolation of memory units may make verification and vali-
dation easier. Memory access time is not degraded by competition between
processors. The disadvantages of the multicomputer organization are that
the I/O processor must be called to transfer data between memory units
for tasks running oil different processors. Duplicate utility routines, exec-
utive routines, etc. , must exist in each memory unit. It is difficult for
processors to share workloads equally: one processor might remain idle
while another had a backlog. The only recourse would be to transfer the
task routines between memory units using the I/O processors, or to duplicate
the routines in eaci, memory.
Among the advantages of the multiprocessor is the fact that common routines,
such as executive and utility routines, need not be duplicated. It is not nec-
essary to transfer data or programs between memory units when various
tasks sh.-;re data. Assignment of processors is flexible: if Task A is run-
ning on Processor 1 and is interrupted by Task I3, which is of higher priority,
Processor 2 can take up Tash A when it finishes its own current task. Thus
the processors can be kept busy and throughput is increased. The disad-
vantages of such an organization include the need for a hardware or software
memory lock scheme to insure orderly use of common data and programs.
Memory access time is degraded when processors try to access the same
module at the same time. During program testing or operational use there
is opportunity for an error in one task to disrupt tasks on other processors.
The high flexibility permits a large number of possible system states,
making impractical verification and validation and by exhaustive testing alone.
6
-17-
II
I00
u
0
c4
I^
I
6
I	 }^
a
E
0
u
N
0
fd
t•+
CA
t7
U
a^
0
to
U)
u
u
0
0
a
•r,
b
a
k
W41
0
a
0
u
N
M
CO	
—
W
i
J
-18-
•The multicomputer thus tends to be less efficient but makes verification
and validation easier than the multiprocessor.	 However, if multi-
processor capabilities are not utilized to promote efficiency, the multi-
processor car result in soft%, are simpler than that of a corresponding
multicomputer. This can be seen by dividing; all the software routines
of the multicomputer shown in Figure 3-2 into the following four cate-
gories:
Job routines (R J)
Executive routines (RE)
True I/O routines (RI)
Intercomputer data transfer routines (R,F)
Assume that there exists the multiprocessor also shown in Figure 3-2
with identical C?Us, memories, and input/output processors as that of the
multicomputer anal d i ffering only in the additional memory-CPU channels.
The addressing of P,:emory 1 is exactl y the sarne in both systems. if the
size of Memory 1 is 1 1 and the size of Memory 2 is 1 2 , in the multi-
processor configuration the addresses in Memory 2 range from A l + 1 to
R 1 + k 2 1 Routines RJ1 , R F1 , and RIi are transferred unchanged from
the multicomputer to multiprocessor Memory 1. The address references
in R J2 , RE2 , and RI2 are modified to fall in the range 1 1 to k 1 + 4' 2 , givingR j1 2 , RF 2 , and R'I 2 , which then go into multiprocessor Memory 2. The
int-crcomputer. routines RT1 and R T2 are replaced by a simpler set of mem-
ory copy instructions R t^ l and RC2.
Thus the software changes required to go from the multicomputer to the
multiprocessor involve simplifications if no attempt is made to take ad-
vantage of multiprocessor capabilities to increase efficiency. Intertask
communication in a multiprocessor can be accomplished in a way similar
to a simplex computer, avoiding input/output complexities that can occur
in a multicomputer configuration.
Thus two factors are important in the selection of a central computer
facility configuration: the extent of the intertask communication and the
design of the executive to control the sequencing of task execution. The
first factor is addressed in the functional analysis phase of the current
study (Section 2). The alternatives in executive design are discussed in
Section 3.2 following.
3.2
	 Executive Design
The primary function of the executive program is control of scheduling,
initialization, execution, and termination of tasks. The executive also
4
-i9-
6t
controls input/output operations, provides a mechanism for reconfigura-
tion of the computer system when hardware failures occur, and furnishes
the utility subroutines common to several tasks. ']'lie functional analys.s
of the avionics subsystems has indicated that the Space Shuttle computa-
tional problem inherently involves operation of the central computer facil-
ity in a multiprogramming mode. For example, the calculations of vehicle
attitude and position, the reduction of information froze the clocking laser,
the monitoring of subsystern temperatures and voltages, and the generation
and refreshment of display ,, are tasks which all must be accomplished with-
in tirning restrictions which arc largely independent of the requests for per-
formance of these tasks. This requires the establishment of a priority
structure by which the executive determines the task., 	should be per-
formed at each interval of time. A comp:ic.ation arises when the time that
a task can wait before its processing can begin is shorter than the length
of time that anoi.her task takes to perform. This Nvould require that the
first task interrupt the second if the timing requirements were to be satis-
fied or that the second task be broken into shorter subtasks. Regardless
of the approach taken, the situation occurs in which two tasks are simulta-
neously in a. state where their execution has begun but is not yet complete.
This concurrent execution of two or more tasks is the essence of multi-
programming.
If there were no hardware limitations and intertask communication were
at a minimum, a simple solution to the problem introduced by multi-
programming would be to dedicate a computer to each task. For the nurr.-
ber of tasks in the Space Shuttle application this is clearly impractical.
Therefore, the executive program must do the scheduling such that tasks
can be executed in parallel. The problem of developing an executive to
accomplish such multiprograinnied scheduling is no more difficult and r.ay
even be easier for a simplex configuration than for the multiprocessor or
multi computer configurations in which the number of processors or com-
puters is significantly less than the number of tasks.
An important consideration in executive design is the separation of execu-
tive functions from the task programming. To the greatest extent possible,
the design, coding, and checkout of a task should be independent of he
executive actions taken to schedule that task. Similarly, the executive
should be independent of the specific taskF so that it is easy to add or de-
lete a task in the set of tasks to be scheduled and executed. if the! execu-
tive is modular, such changes in the tasks to be scheduled or the attributes
of the tasks themselves do not require corresponding changes in the execu-
tive. in terms of organization, a modular executive will provably use a
priority scheduling scheme. While the past priority schernes have generally
-20-
6lF
1<
been applicable only to aperiodic tasks, the Space Shuttle computational
problem is characterized by a high percentage, of tasks that must be exe-
cuted periodically. Fixed-priority sclic(luling is not meaningful for pe-
riodic tasks. Periodic 'Task A may not have a subjectively high priority
rela'_-ive to Task I3, but w hrn its cycle time arrives it roust be executed,
even if the execution of B must be suspended in some manner. This can
be accomplished by making the priority of a periodic task a step function
variable as shown in Figure 3-3. The upward step occurs at the cycle
times, and the width of the step is the execution time of the task.
If the task need not be performed on an exact interval, but only regularly
at approximately a given interval, the priority can be made some increas-
ing function of the time since last execution as suggested in Figure 3-4.
If high-priority aperiodic tasks must be scheduled together with fixed-
length periodic tasks, Hardware efficiency will be low since large empty
time spaces must be left: between the processing of the periodic tasks to
insure that the high-priority aperiodic tasks will never be delayed verl,
long. If a dynamic priority scheme is used and "periodic" task routines
are written to allow for variable-length tasks, these empty time spaces
are obviated. When the aperiodic tasks occur, they can squeeze in be-
tween the periodic tasks, and empty time spaces need not be provided
a priori. The tradeoff is the software complexity introduced by allowing
variable-length periodic tasks and the dynar-iic priority scherne versus
the hardware efficiency resulting f rom an elimination of need for empty
time spaces.
In a multicoinputer or multiprocessor configuration, decisions must be
made as regards the residency of the executive and the permitted flexi-
bility in task allocation among processors. These decisions affect the
efficiency of the executive, the difficulty of its development, and the
problems encountered in verification and validation. The options as to
executive residency are that:
!a) The executive functions are (or can be) performed by each
processor
1b) The executive functions are performed by only one pro; , es-
sor.
The options as to the flexibility of task allocation are that:
2a) All job tasks can be performed by all processors
2b) Job tasks are divided into sets, and each set is allocated
to a different processor.
4
-21-
Very Nigh
Priority
0
A
Very High
Priority
0
Period
Time
Figure 3-3. Priority of Periodic Tasks
Executiu,i Interval
Time Since Last Execution
Figure 3-4. Priority of Quasiperiodic Tasks
-22-
ti
'------`• -^^--^*.R'.t+^'^--.r-•--,er.11.^-^---_-"-^'-f^-^-^v- - 	 _	 -- _
	
---^a^.!^e-l^!!^---Ty-+!'r^-m^,+^-
Three basic choices have been considered for the nultiprocessor execu-
tive. A multiprocessor floating executive consists of Options la/2a. A
multiprocessor distributed executive consists of Options la/2b, that is,
each processor performs the executive functions for its own set of tasks.
A multiprocessor dedicated executive corresponds to Options lb/2a or
Options lb/2b.
In the multiprocessor configuration, Option la implies that any processor
must be able to interrupt any other processor, while Option lb requires only
that the executive processor be able to interrupt the other processors. Be-
cause of the asymmetry implied, 11) is not as desirable in view of the re-'
dundancy requirement, but does result in a simpler executive. Option 2a
implies that the task scheduler will use a single job queue. Option 2b im-
plies that a separate queue will be used for each processor. For the single-
queue case, a processor will never execute a task having lower priority than
one in queue, and no processor will ever be idle unless the queue is empty.
For the multiqueue case, it is possible for a high-priority task to be in queue
for one processor while another processor is executing a task of lower pri-
ority. In this case it is also possible for one processor to be completely
idle while tasks are still in queue for another.
The c'zoices in multicomputer executives are more limited than those avail-
able for multiprocessors. The practical executive options for a multi-
computer are la/2b and 1 b/2b.
Option 2a is impractical for a multicomputer, since it would require that
w	 routines be transferred between the memories of the various computers.
Option 1b would require more intercomputer 1/0, and also might imply
lower hardware efficiency if the total amount of executive tasks were not
enough to keep a processor busy. It is also hard to imagine how one com-
puter could handle I/O for the others, and so a dedicated executive multi-
computer system would be primarily a dedicated scheduler system.
Detailed study of t ine alternatives in executive design and their advantages
and disadvantages requires an examination of the types of architectural
features that can reduce or eliminate common problems. Some of the
architectural aspects are discussed in the following section.
-23-
t
lb
3. 3	 Architectural Aspects StnL
Software criteria such as computational capability, programmability, and
ease of verification and validation for a particular computer system de-
pend on both the gross configuration (i. e. , simplex, multicomputer, or
multiprocessor) and the specific architectural aspects of the system. For
example, a multicomputer configuration with all of the desirable architec-
tural aspects such as floating-point arithmetic, memory lock, and adequate
word length might be more desirable in terms of the above software cri-
teria than a simplex computer lacking these features.
The architectural features of proposed configurations can be divided into
two classes:
1) Internal features are those which affect the prograrnining
of a single task. They will influence both job task and
executive functions.
2) External features are those which affect the programming
of interaction between one task and another, or between
a task and the external world. They will influence only the
executive functions.
Typical internal features are the job instruction set, addressing scheme,
word length, microprogramming facility, and internal register system.
Internal features are largely configuration-independent. Thus, for exam-
ple, the utility of a floating-point instruction set is the same for both the
simplex and multicomputer configurations. Typical external features are
executive or mode instructions, interrupt facility, memory lock features,
and I/O features. External features are configuration-dependent; for exam-
ple, the utility of a memory lock feature would be dependent on whether a
multicomputer or a multiprocessor configuration was being considered.
Two external and one internal architectural aspects have been examined in
detail. The external ones considered are interrupt mechanisms and mem-
ory locks; the internal one is register stacks. Each of these is discussed
in the following paragraphs.
3. 3. 1
	 Interrupt Mechanisms
An interrupt mechanism, a common feature of real-time control com-
puters, serves to signal to the executive that a request for the processing
of a particular task or set of tasks has occurred. If properly designed
and used, interrupts can contribute to efficient utilization of a computer's
-24-
6resources. Interrupts are properly lit. , con , _-r rn c-,nly of 011..+,.,
the executive routines and ought to be invis_:,_ c to the last:
To interrupt a task rcmning on a processor, ,t is sufficient to store*
contents of the instruction register and inte-^;al data registers of t *,:e •.
cessor in memory. A pointer to this info 	 on is retained in a list t•
permit the task to be reloaded and continue{'_ ;-t a later time. I'o ma'• c
interrupts as quiet: as possible, it is desir.; : _e. that the number of intern o
registers not be too great, since the conter_': s of each one must be 
,tor. i
to effect the interrupt. If an elapsed-time r : zister exists, this too i:,;:,t
be stored. The minimun, interrupt mechar_:s--n is a signal (the interrupt
signal) which can cause an immediate bran :.:- to some specified instruc-
tion after storing the contents of the instruc t:on register. A micro-
programmed interrupt procedure could auto-atically store the contents
of the machine's internal registers on rece_ _ : of an interrupt signal. For
the Space Shuttle application it is highly des :.-able that enough computer
memory exist so that for a given mission p___:._ e, all necessary task rou-
tines would reside in main memory. Conse _ g ently, the only time penal t"
involved in an interrupt would be the time r_ _^ _essary to store the internal
registers. To begin a new task a memory _=-:. ap with an auxiliarN ,
 stora ;e
device would not be necessary.
Two classes of interrupts can be distinguis 	 for the Space Shuttle appli-
cation:
1) External interrupts are those initiated by local processors
or sensors.
2) Executive interrupts are those generated internally by the
executive routines. For exan_ple, if a task tries to access
a locked section of memory, it would be interr s :nte d and
placed on a waiting list unti l- the memory section is unlocked.
The external interrupts would be received (nossibly after a poll) by an I/O
processor, or in a multiprocessor configuration by the processor perform-
ing I/O functions. In a multiprocessor, only the processor with the lowest
priority task should be interrupted. It is desirable that the processor to be
interrupted be chosen (either by hardware or software means) without inter-
rupting another processor to perform an executive routine, since doing so
would increase executive routine overhead.
It has been suggested that the need for interrupts can be eliminated by
dividing all tasks into segments, each one so short that it can always be
I
.e
i
-25-
-26-
0
allowed to finish before starting another. Two disadvantages of this
approach are that overall computer response time is degraded and ex-
tra effort must be expended in segmenting the program. Further, if
changes in program requirements, design, or implementation occur
the resegmentation may involve a disproportionate amount of additional
effort-. It can be seen that a system which attempts to get by without
interrupts is less flexible than one which us,-s them as a programming
convenience. Segmentation of tasks and the elimination of interrupts has
the advantage that the point where a task is interrupted is predetermined
and therefore verification and validation can be simplified.
The extent of the savings in verification and validation becomes appar-
ent from a look at the conditions which are necessary to prove correct
program behavior. In the no-interrupt situation it is very prcbable that
it will be impossible to determine the sequence in which an arbitrary
pair of independent task segments (say A and B) would be executed. Thus
it would be necessary to prove that sequence A-B produced the same re-
sult as sequence B-A. In other words, what is required is a demonstra-
tion of the comi71utativity of A and B. For the interrupts-allowed case it is
necessary to prove that at any point in the execution of Task A it is pos-
sible to execute Task B and vice versa. This is logically identical to
proving that A and B can be executed in parallel. Techniques that exist
for determining whether two programs can be executed in parallel are
directly applicable to demonstrating the mutual interruptibility of two
programs. An examination of such techniques and their application to
the demonstration of corn mutativity gives insight in the verification and
validation activities required for each case.
In considering the memory locations used by a routine, four sets can be
distinguished:
1) M 1 (A) is the set of memory locations which are only read
by routine A.
2) M 2 (A) is the set of memory locations which are first read
by A and later written into by A.
3) 1\4 3 (A) is the set of memory locations which are only written
into by A.
4) M 4 (A) is the set of memory locations which are first written
arPt into by A and later read by A.
•In considering interruptibil.it y of r, .:._ _; ,• a simpler sate;
be used. Define
R(A) = M 1 (A) U M ? (n) IJ
W( A ) = M2( A ) U M;(A) I 
The R(A) is the set of location„ p),;..,
 __ ^ read by A. W( A. : _ :::^.e set of
locations which are written inl„ l,y /., :: routine A is invr— . t	 n any I10
activity, the inputs to A must h, irn^. l.: _ = in R(A) and the c	 -ts from A
must be included in W(A). In ^I, r^.;;,- . ^ _. two routines can z.	 xecutc•d in
parallel, the situation is as sl,,,v^r, i:. :--:.ire 3-5A. A and	 -_ e two rou-
tines which tentatively have a ;,, • r • i,,l ,_ ring. P represe--.:: :::c remain-
der of the program. The colldllio,n;; ::__ :ring that A and B
	
be execut-
ed in parallel (as ii. Figure 3. 1 ,1 , )
 are:
1) R(B) n W(A) - q), where : is the null set. (B	 not
read any memory loca t
__-s written into by
2) R(A) n W(B) = q, (n does. -,;t read any memo:- '- .- _orations
written into by 1.. )
3) W(A) n W(B) n (n, t (P) 'J'- .=,(P)) = (p (P does r r,* -, r st rc,aci
from any local i-n;; written intoby both A an :
Now consider the problem of inl,•, • i •cc F,ts . Two routines, A an ,`  l,, exec a-
ed in "normal" order can be in dicated -1 s in Figure 3-5C. 1:1 B can :nter-e
rupt A, the execution can be in dicated a, in Figure 3-5D. A., and A, mf : i-
cate the two segments of A whirl, ;,rc scaarated by the ex(
indicates the interrupt point, and P indicates succeeding, rc,::::nc•s. To in-
sure that the interrupt cannot c ..use soit« , are failure, the followinr, rr qt; trr-
ments must be satisfied:
1) W(A2 ) n R(B) - Y (A 2 must not write into any locations which
are read by B. )
2) R(A 2 ) n W(B) y (n 2 must not read any locations which are
written into by l%, )
3) W(A 2 ) n W(B) n (Ni 1 (P) U \4 2 (P)) = 4 (If A 2 and L' write into
any common locations, these locations must not be read by
any succeeding rt , utines. )
-27-
ii
a
P
Figure 3-5B
A
Figure 3-5A
ci— — — —
ti
Figure
Figure 3-5C
	
Figure 3-5D
Figure 3-5. Commutativity and lnterruhtihilil
-2R-
NO
•These conditions are identical to the conditions that must be satisfied to
allow B Lo be executed in parallel with A2 (Figure 3-5E,). The interrupt
point ce may occur anywhere in A, and the instructions comprising A2
will always be a subset of the instructions comprising A. Bence guaran-
teeing that B can be executed in parallel with A guarantees that B can be
executed in parallel with any A 2 C A, which guarantees that B can inter-
rupt A at any point. The converse statement is also true.
Checking conditions 1 and 2 does not appear to present any practical
problem. For condition 3, a practical procedure would be to check
W(A) n W(B) first. Only in the case where this is non-null would it be
necessary to check intersection with M l (P) U M 2 (P), which in general
would be much larger than W(A) or W(B).
The conditions for commutativity of two routines have the same structure
but with simpler defintions for the R's and W's:
R '(B) n W'(A) =
R ' ( A ) n W' (Y) = tF
W (A) n1Y (13)U R'(P) = cp
where
R' (A)	 N1 1 (A) U N12(A)
W'(A) = M 3 (A) U M4(A)
If the M's are substituted into the equations above and redundant terms
are eliminated, the terms which must be null are:
Inte rruptihil ity
M1(A)M2(B)
M l (A)M3(B)
M1(A)M4(B)
M 2 (A)M 1 (B)
M2(A)M2(B)
M2(A)M3(B)
M2(A)M4(B)
M3(A)M1(B)
M3(A)M2(B)
M3(A)"3(B)(MI(P) U M2(P))
M3(A)M4(B)
Commutativity
M i (A)M3(B)
MI(A)M4(B)
M 2 (A)M 2 (B)(M l (P) U M2(P))
M2(A)M3(B)
M2(A)1,1 a(13)
M3(A)M1(B)
M3(A)M2(B)
M 3 (A)1\43(B)( M 1( P )U M2(P))
M 3 ( A )M 4 ( B )(M i (P) U M2 (p))
M4(A)M1(B)
M4(A)M2(B)
i
-29-
6f
InlcrruhtibiIity
M 4 (A)M I (l3)
M4(A)MZ(B)
M4(A)M3(I3)
M4(A)NI4(I3)
 tit tivity
M.,(A)N13(B)(M 1 (P) U MZ(p))
N1,1 (A)M 4 (13)(M I (P) U M2(P))
4V
The above demonstration indicates that the conditions required to deter-
mine whether two program segments can be mutually interruptible are
not more numerous or more complex than those necessary to establish
that they are commutative.
3. 3.2
	 Mernory Locks
The preceding discussion of interrupts and their effect on program verifi-
cation and validation indicates that a significant problem exists in prevent-
ing one task from referencing another task's data and thereby causing
unwanted task interaction. In multiprogramming environments, memory
locks are commonly used to prevent such undesirable interaction of inde-
pendent programs. For the Space Shuttle application, memory locks would
insure orderly interaction of related tasks. The purpose of a memory lock
is to temporarily isolate certain regions of memory from certain tasks.
Four types of memory locks exist: read, write, execute, and total. A
read lock prevents a task from reading a region of memory	 da ta and is
useful to prevent data from being used while being modified. A write lock
prevents a task from writing in a region of memory and is useful when a
task is accessing data which must not be disturbed by other tasks. An
execute lock prevents a task from executing instructions in a region of
memory. Such a lock is useful to prevent two processors from executing
a routine simultaneously. Since execution of an instruction requires that
memory be read, the read and execute locks may be combined into a sin-
gle read lock. A total lock prevents any kind of interaction between a
task and a region of memory, whether read, write, or execute.
The desirable size of the regions of locking is highly dependent on details
of the interacting tasks. The simplest scheme is to have uniformly sized
blocks to which the locking applies. If such blocks are too large, much
more memory may be locked than is really desired. If too small, locking
overhead may be unacceptably high. For the Space Shuttle application,
with its relatively fixed set of tasks, it might be feasible through micro-
programming to use variably sized locking regions, with the sizes tailored
to specific sections of data or specific routines.
-30-
^t
il
t
44
To make any routine A secure from undesirable interrupts, the following
procedures inay be used:
1) Read lochs are placed on all locations in the set W(A) at
the beginning of A. After the last write statement in A
for a given location, the lock on that location is lifted.
2) Write locks are placed on all locations in the set R(A) at
the beginning of A. After the last read statement in A
for a given location, the lock on that location is lifted.
3) Write locks are placed on all locations in the set W(A) at
the beginning of A and are lifted at the end of A.
To see that these locking procedures are effective, recall the three con-
ditions for interruptibility:
1) R(B) fl W(A) = cp
2) R(A) fl W(13)	 cp
3) R(P) n W(A) n W(B)
Procedure 1 exactly satisfies condition 1, since the read lock on W(A)
halts any routine B only if B tries to read frorn W(A). Procedure 2 ex-
actly satisfies condition 2, since the write lock on R(A) halts any rot.tine
B only if B tries to write into R(A). Procedure 3 oversatisfies con-
dition 3. The write lock on W(A) will halt any routine B if B tries to
write into W(A). This is equivalent to the condition W(A) fl W(B) = cp,
which implies that condition 3 is true. A procedure simpler than
all three of the above is the place a total lock on R(A) and W(A) for the
entire duration of routine A. The disadvantage is that other routines will
sometimes be Mocked unnecessarily.
Implementing memory locks through microprog rain ming would combine
the efficiency of hardware with the flexibility of software. Memory lock-
ing implemented entirely in hardware would be undesirable because of
the redundancy requirements. Implementation entirely through software
would be slow and possibly unreliable. For example, if testing; and setting
of a lock flag takes more than one instruction, it is possible for two tasks
to set a lock at the same time. These tasks would then proceed to use the
memory as if each one had :xclusive access. The result is software fail-
ure. The minimal feature is a —Pest and Set/Branch" instruction, which
in single instruction tests a word and sets it to 1 if it was 0 or branches
to another address if it was already 1.
—31—
%a
— —
	
— — — — 
6For microprogram implementation, a binary matrix can control access-
to memory. One dimensien represents tanks and the utl)er represents
the lockable regions of memory (there may be no need to provide for the
locking of all main memory). A 1 in the matrix indicates a task ni.cy
access the memory region. A 0 indicates the task is lacked ant.
When a task finds itself locked out, there are two alternatives open:
(1) stay on the processor and wait until the lack is removed, or (21 re-
linquish the processor t.o a wailing task and go onto a lockout waiting
list. This lis f would be scanned by the executive whenever a loa-, is
removed to se if any of the tasks can continue. The choice between
the two proceuures depends on how long the lock can be expected to xie•t.
and how long it takes to swap jobs on a processor. It may be desirat,le
to designate both short locks and long locks. For a short lock, 0,c task
would follow the first procedure; for a long lock, it would follow lie !c-c-
ond.
A pointer lock may be useful when a linear data structure is shared by
two or more tasks. A region of memory is designated as controlled by
pointer lock. Memory locations up to the pcinter may be accessed.
Locations past the pointer are locked. Figure 3-6 depicts the scheme.
Open Region
Pointer -^	 Section  of memory governed
	 i
by pointer lock
Locked Region-
Figure 3-6. Pointer Locks
-32-
•The task producing; the data advances the pointer as it is refreshed (pos-
sibly automatically via microprogramming; a special "Store and Advance
Pointer" instruction). Tasks accessing; the data are allowed to proceed
Lip to the pointer but no further. Thcy need not wait until the entire data
section is refreshed before beginning to use the data, which would be the
case if a block lock were used.
Prevention undesirable task interaction by means of memory locks results
in a degradation in efficiency because a task's execution might be inhibited
for a period of time until that lock is removed. This might be tolerable
for a low-priority task atteinpiing to reference data being computed by, a
high-priority task, but it would be intolerable in the converse situation.
Other architectural features such as indirect addressing and single insf.ruc-
tions which accomplish the transfer of an entire block of data also provide
a partial solution to the problems of task interaction. However, the em-
ployment of these features to maintain, multiple copies of data items which
must be shared requires additional memory. Whether the memory locks
that have been discussed or data duplication techniques are employed de-
pends on both the time delays that can be tolerated and the size of the data
arrays being; shared.
3.3. 3	 Register Stacks
Any computer program of the complexity of that to be encountered in the
Space Shuttle application involves a hierarchical structure of subprograms,
routines, subroutines, statements, and expressions. In such nested
structures an operation at one level cannot be completed until those at the
next lower level are completed. An examination of the nested structures
existing in a typical program suggests some architectural features which
facilitate a solution of the problems they present. One such architectural
feature is a push-down stack mechanism for registers.
In programming, nested structures are commonly observed in:
1) Arithmetic and logical expressions
e. g. , (A + B) (C + D) or . NOT. (A. OR . B)
2) Subroutine calls
e, g. , program A calls subroutine B, which calls sub-
routine C. and so on
3) Interrupt levels
e.g. , program A is interrupted by program B, which is
interrupted by program C, and so on.
1
-33-
I
i
The existence of one or more hardware-implemented stacks, together
with related stack-manipulation instructions, can simplify or eliminate
the software chores usually required in the evaluation of arithmetic and
logical expressions. it also minimizes the number of instructions needed
to save and restore partial results. A hypothetical implementation will
illustrate the way in which a stack-oriented computer would work.
Such a system permits a simple one-to-one correspondence between the
reverse Polish notation for expressions and their object code. The string
AB+CD+" becomes the object sequence:
LOAD A
LOAD B
ADD
LOAD C
LOAD D
ADD
MULTIPLY
For a machine with stacked registers, techniques exist which make it
possible to generate object code directly from the infix notation of a higher
level language.	 Thus the compiler for a stack register machine can be
easier to write and will run faster than a compiler for a machine with con-
ventional arrangement of data registers. The object code produced by the
compiler will compare more favorably with assembly code than is usually
possible in a conventional computer organization. Consequently, use of
a higher level language is more attractive for such a machirie.
Subroutine transfers and returns can be performed faster and programmed
more easily if special subroutine branch and return instructions are pro-
vided which use a hardware stack. A return pointer and other necessary
information are placed on a stack before transferring to the subroutine, and
removed to effect tht return. 	 r
If one level of indirect addressing is added in conjunction with the stack,
all task routines and subroutines can be made automatically reentrant. As
a routine or subroutine goes into execution, either by a subroutine call or
througli initiation by the task scheduler, a marker is placed on the stack
and the parameters and data for tl, e routine are entered above it. Address-
ing of data local to the routine is relative. Prior to data fetch, the address
of the marker is added to the relative address to obtain the absolute address.
Essentially, the details of reentrant programming have been built into hard- 	 i
ware.
6
-34-
6Similarly, the saving of the state o2 the computer when an interrupt occurs
is simplified in that only a return address and the value of the pointer need
he saved. When an interrupt occurs to resume execution it is only neces-
Mary to reset the pointer to its previous value and return to the address
saved. Interrupts arc thus handled in a fashion ed,:ivalent to subroutines.
-35-
