January 6th 04, 12:20 PM
Diane Wilson
PBS's "Nova" and MER

In article , says...


Henry Spencer wrote:
There's nothing particularly wrong with that, if you think of software
uploads as routine practice rather than as a dire emergency measure.


What happens if you launch them, and then run into some
software-spacecraft compatibility problem that can't be fixed before the
time that the software is needed, due to a compatibility problem that
can't be fixed in-flight; but could have been found via ground testing
of the systems and software on the ground prior to launch? If that had
happened on the two MER flights they would have had no way to get them
ready for landing.


You build a fault-tolerant design that lets the old software keep
running while the new software gets loaded and tested onboard.
You have a separate control, not owned by the software in question,
which can activate either software load, so you have a backout
even if the new software is a steaming heap straight from the
catbox. The two sides can talk to each other and transfer data,
so nothing gets lost in the process. When you're satisfied with
a new load, the alternate side can be synched up to run the same
software with the same data, in lock-step, so that you have a hot
backup in case of a hard failure. And the system bus can be
switched to either processor.

You build software that is self-rebooting, so that
the system restarts itself automatically when there's a failure.
You build a patching system that can apply updates to running
software without taking it down and *without* physically
replacing the old software, so that the patch can be backed
out (again without a restart) if necessary.

None of this is new; fault-tolerance concepts and continuous
operation have been around for a long time. A lot of our
key infrastructure items (think about phone systems, power,
etc.) run this way.

Henry's right; you make it routine, which means it's part of
the design specs and part of the design process. I work for
a major telephone switch manufacturer, and that's the way it
gets done. Patching capability is a check-off point on design,
and an absolute requirement for accepting any fix.

Diane
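As an added illustration of the two-sided load-and-switch design Diane describes (example code written for this page, not from the thread or from any real flight or switch software), here is a toy supervisor that loads the standby side while the active side keeps running, activates the new load only after an onboard check, carries data across, syncs a hot backup, and applies patches with backout. The Bank and Supervisor classes, the SHA-256 integrity check and the READY marker are constructed stand-ins for whatever a real system would use.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Bank:
    """One of two independent software loads (side A or side B)."""
    name: str
    image: bytes = b""
    digest: str = ""                          # expected SHA-256 of image, sent with it
    data: dict = field(default_factory=dict)  # state the running load works on
    undo: list = field(default_factory=list)  # snapshots for backing out hot patches

    def self_test(self) -> bool:
        # Constructed stand-in for onboard testing: image intact and declaring READY.
        return hashlib.sha256(self.image).hexdigest() == self.digest and b"READY" in self.image

class Supervisor:
    """Control owned by neither load; it alone decides which side drives the bus."""
    def __init__(self) -> None:
        self.banks, self.active = {"A": Bank("A"), "B": Bank("B")}, "A"

    def standby(self) -> Bank:
        return self.banks["B" if self.active == "A" else "A"]

    def upload(self, image: bytes, digest: str) -> bool:
        # Load the standby side while the active side keeps running; carry data across.
        sb = self.standby()
        sb.image, sb.digest, sb.data = image, digest, dict(self.banks[self.active].data)
        return sb.self_test()

    def switch_over(self) -> str:
        # Activate the new load only if it tests good; otherwise the old one keeps running.
        if self.standby().self_test():
            self.active = self.standby().name
        return self.active

    def sync(self) -> None:
        # Bring the standby into lock-step with the active side as a hot backup.
        act, sb = self.banks[self.active], self.standby()
        sb.image, sb.digest, sb.data = act.image, act.digest, dict(act.data)

    def apply_patch(self, patch: dict) -> None:
        # Patch the running load without a restart, keeping a snapshot for backout.
        bank = self.banks[self.active]
        bank.undo.append(dict(bank.data))
        bank.data.update(patch)

    def back_out_patch(self) -> None:
        bank = self.banks[self.active]
        bank.data = bank.undo.pop() if bank.undo else bank.data
```

Calling switch_over a second time after a good load has been activated flips back to the old side, which is the backout path for a load that only misbehaves once it is live.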