Free Bold They Rise: The Space Shuttle Early Years, 1972-1986 (Outward Odyssey: A People's History of S) by David Hitt, Heather R. Smith Page B
Authors: David Hitt, Heather R. Smith
Tags: History
that same situation on the shuttle because of the way they did the software. The shuttle, when it’s flying, the computers all compare answers with one another, and then they vote among themselves to see if anybody’s gone nuts. If a computer has gone bad, the other computers can override its output so that it isn’t commanding anything. But to make that scheme work, you have to have at least three computers working. Otherwise, you can’t vote. You could have [two systems voting], but if they vote against each other, you don’t know which one’s the bad one.
The decision was made to put five of the computers on the orbiter, with four of them active in the primary system, with the idea that this would create a system that could tolerate three failures. However, Peterson said, this produced much higher failure rates than expected. While the system provided a high amount of redundancy in theory, the reality was that because of the way it was designed, the system actually could tolerate only one failure safely. The four primary computers were not truly redundant for each other; only the spare provided redundancy. If one computer failed, the spare would take its place. After that, however, further failures would endanger the cooperative “voting logic” between the computers that verified the accuracy of their results.
But the complexity of the way the thing was put together kind of defeated the simplistic redundancy scheme that they had. It’d be like driving a car that had two engines or three engines, and any one of them would work. Well, that way you could fail two engines and you’d still drive right along. But if it takes two engines to power the vehicle, then you don’t have that, and if it takes three engines to power the vehicle, you don’t have any redundancy at all. It gets to be a game then as to how you trade all this off. When I looked at all that and we put the study together, we said, “You know, you’re going to have some failures that are going to really bother you because you’re going to lose components.” For example, you’re on orbit and you’ve got four computers and one of them fails. Well, now you’ve got three computers left in the primary set. But do you stay on orbit? Because if you suffer one more failure, your voting algorithm no longer works. Now you’re down then into coming home on a single computer and trusting it. And nobody wanted to do that.
So they said, “Gee, I’ve got four computers. I can only tolerate one failure, and then I’ve got to come home.” We had four of some of the other components, and it was kind of the same sort of thing. If one of them fails, we are no longer failure tolerant. We’ve lost the capability to compare results and vote, and so we don’t want to stay on orbit that way. So now, all of a sudden, the fact that you’ve got four of them causes more aborts because the more things you have, the more likely you are to have one fail. You’d get more failures and more aborts with four computers than if you’d gone with some other plan. That was pretty controversial for a while. We predicted—and there were some people that were really upset about that—we predicted a couple of ground aborts due to computer failures. Essentially we’d get chewed out for saying that, but in the first thirteen flights, we hit it right on the money. We had two ground aborts in thirteen flights.
When the shuttle was built, the air force was also using redundancy systems, Peterson recalled. Then the air force built what it called confederated systems, in which each component was independent. “They cooperated with each other, but they shipped data to each other, but they weren’t really closely tied together,” Peterson explained.
The shuttle was tightly integrated. It runs on a very rigid timing scheme. The computers on the shuttle actually compare results about a little more than three hundred times a second. So it’s all tightly tied together. Well, when
The decision was made to put five of the computers on the orbiter, with four of them active in the primary system, with the idea that this would create a system that could tolerate three failures. However, Peterson said, this produced much higher failure rates than expected. While the system provided a high amount of redundancy in theory, the reality was that because of the way it was designed, the system actually could tolerate only one failure safely. The four primary computers were not truly redundant for each other; only the spare provided redundancy. If one computer failed, the spare would take its place. After that, however, further failures would endanger the cooperative “voting logic” between the computers that verified the accuracy of their results.
But the complexity of the way the thing was put together kind of defeated the simplistic redundancy scheme that they had. It’d be like driving a car that had two engines or three engines, and any one of them would work. Well, that way you could fail two engines and you’d still drive right along. But if it takes two engines to power the vehicle, then you don’t have that, and if it takes three engines to power the vehicle, you don’t have any redundancy at all. It gets to be a game then as to how you trade all this off. When I looked at all that and we put the study together, we said, “You know, you’re going to have some failures that are going to really bother you because you’re going to lose components.” For example, you’re on orbit and you’ve got four computers and one of them fails. Well, now you’ve got three computers left in the primary set. But do you stay on orbit? Because if you suffer one more failure, your voting algorithm no longer works. Now you’re down then into coming home on a single computer and trusting it. And nobody wanted to do that.
So they said, “Gee, I’ve got four computers. I can only tolerate one failure, and then I’ve got to come home.” We had four of some of the other components, and it was kind of the same sort of thing. If one of them fails, we are no longer failure tolerant. We’ve lost the capability to compare results and vote, and so we don’t want to stay on orbit that way. So now, all of a sudden, the fact that you’ve got four of them causes more aborts because the more things you have, the more likely you are to have one fail. You’d get more failures and more aborts with four computers than if you’d gone with some other plan. That was pretty controversial for a while. We predicted—and there were some people that were really upset about that—we predicted a couple of ground aborts due to computer failures. Essentially we’d get chewed out for saying that, but in the first thirteen flights, we hit it right on the money. We had two ground aborts in thirteen flights.
When the shuttle was built, the air force was also using redundancy systems, Peterson recalled. Then the air force built what it called confederated systems, in which each component was independent. “They cooperated with each other, but they shipped data to each other, but they weren’t really closely tied together,” Peterson explained.
The shuttle was tightly integrated. It runs on a very rigid timing scheme. The computers on the shuttle actually compare results about a little more than three hundred times a second. So it’s all tightly tied together. Well, when
Similar Books
Scorpio Invasion
Alan Burt Akers
The Key To the Kingdom
Jeff Dixon
A Year of You
A. D. Roland
Throb
Olivia R. Burton
Dreams of Fire (Maple Hill Chronicles Book 1)
Elizabeth Alix
Northwest Angle
William Kent Krueger
What an Earl Wants
Kasey Michaels
The Red Door Inn
Liz Johnson
Keep Me Safe
Duka Dakarai
