#21
Operating systems used in spacecraft?
Michael J Wise wrote:
>> 3) Redundant CPUs, one of which is running a different operating system, so if the other two get frotzed by Yet Another Windows Exploit in deep space, the Penguin can Save The Day. Or the Mac, as the case may be.

Henry Spencer wrote:
> Only if the Windows machine(s) haven't already fired the pyros, left the gas valves open, pointed the camera at the Sun, etc.

Doesn't the Shuttle have three computers all running in parallel, with majority vote ruling? That sounds like a good system. Two machines would have to have the same bug for anything to go wrong. Of course bugs in the *specification* from which the three programs were all independently written are possible.

-- 
Keith F. Lynch - - http://keithlynch.net/
I always welcome replies to my e-mail, postings, and web pages, but unsolicited bulk e-mail (spam) is not acceptable. Please do not send me HTML, "rich text," or attachments, as all such email is discarded unread.
#22
Operating systems used in spacecraft?
In article ,
Jan C. Vorbrüggen wrote:
>> The Space Shuttle uses different control systems which back each other up but the software is very, very closely related to each other (the backup is a stripped down version of the original) and it all runs on the same hardware.
> That is not the case - the BFS is completely independent, in software development, tools and history - from PASS.

Which is not an accident -- considerable efforts were made to ensure independence. This shows in design differences, too; for example, the main software runs under a preemptive multitasking system, whereas BFS uses a "commutator multiplexing" scheme where the scheduling is completely predetermined.

-- 
MOST launched 30 June; first light, 29 July; 5arcsec  |  Henry Spencer
pointing, 10 Sept; first science, early Oct; all well.  |
#24
Operating systems used in spacecraft?
In article ,
Keith F. Lynch wrote:
>>> 3) Redundant CPUs, one of which is running a different operating system, so if the other two get frotzed by Yet Another Windows Exploit in deep space, the Penguin can Save The Day...
>> Only if the Windows machine(s) haven't already fired the pyros, left the gas valves open, pointed the camera at the Sun, etc.
> Doesn't the Shuttle have three computers all running in parallel, with majority vote ruling?

It's actually four, with elaborate arrangements for cross-connecting things as desired. (There are only three of some of the more important subsystems, so if one computer is acting up, you can cross-connect to put the other three in charge of those.) The majority-rules voting is done in hardware. This works only because all four are running the *same* software, bit for bit identical, in lockstep. You couldn't get the necessary low-level timing synchronization on machines running different code.

-- 
MOST launched 30 June; first light, 29 July; 5arcsec  |  Henry Spencer
pointing, 10 Sept; first science, early Oct; all well.  |
#25
Operating systems used in spacecraft?
> Actually they share tools too. Both BFS and PASS use the same
> compiler (HAL/S).

I always thought that was not the case, that BFS used assembler instead and quite different run-time support...?

Jan
#26
Operating systems used in spacecraft?
"Keith F. Lynch" wrote:
>> Doesn't the Shuttle have three computers all running in parallel, with majority vote ruling? That sounds like a good system. Two machines would have to have the same bug for anything to go wrong.

Kevin Willoughby wrote:
> Alas, multiple machines with the same bug is common, since four of the Shuttle's computers are running identical code.

Oh. I guess that redundancy is only meant to protect against hardware failures. The right thing to do would be to have them run completely different code. Of course the code would have to all be written from the same specification, and that specification could contain bugs.

> The fifth Shuttle computer is running very different code written from a very different specification, to minimize the chance of common-mode bugs.

When does the Shuttle rely on that fifth computer, and ignore the other four? Obviously it will never win a majority vote, unless three of the other four all simultaneously go berserk in different ways, which seems unlikely.

> I very briefly taught programming. I took a fiendish delight in developing test cases for students' programs. I was surprised to see multiple programs all fail on the same test case. The details of the failures differed, but the programs tended to fail on the same test cases.

I'm not surprised. Tough cases are tough. Presumably, space Shuttle and space probe code would be written by excellent programmers, and then thoroughly tested. The redundancy isn't to make crappy code marginally usable, but to make good code even better. To add one more "9" at the end of the software reliability. Of course you'll never get all the nines to roll over and give you 100% reliability. But you can get arbitrarily close.

> Formal research by experts in N-version programming has found the same thing: N-version programs are *not* N-times better than 1-version programs.

I'm not sure what N-times better *means*. What's twice as good as 99% reliable? 198% reliable?

-- 
Keith F. Lynch - - http://keithlynch.net/
I always welcome replies to my e-mail, postings, and web pages, but unsolicited bulk e-mail (spam) is not acceptable. Please do not send me HTML, "rich text," or attachments, as all such email is discarded unread.
#27
Operating systems used in spacecraft?
Keith F. Lynch wrote:
>> Doesn't the Shuttle have three computers all running in parallel, with majority vote ruling?

Henry Spencer wrote:
> It's actually four, with elaborate arrangements for cross-connecting things as desired. (There are only three of some of the more important subsystems, so if one computer is acting up, you can cross-connect to put the other three in charge of those.) The majority-rules voting is done in hardware. This works only because all four are running the *same* software, bit for bit identical, in lockstep. You couldn't get the necessary low-level timing synchronization on machines running different code.

Why would you need low-level timing synchronization? So what if one computer wants to take an action a tenth of a second before the others? Just how critical is timing? Will disaster happen if anything happens even a whole second too early or too late? Each action will take place as soon as two of the three computers decide it should happen.

-- 
Keith F. Lynch - - http://keithlynch.net/
I always welcome replies to my e-mail, postings, and web pages, but unsolicited bulk e-mail (spam) is not acceptable. Please do not send me HTML, "rich text," or attachments, as all such email is discarded unread.
#28
Operating systems used in spacecraft?
(Christopher M. Jones) wrote:
> The Space Shuttle uses different control systems which back each other up but the software is very, very closely related to each other (the backup is a stripped down version of the original) and it all runs on the same hardware.

Um, no. The BFS and PASS are utterly unrelated other than that they share the same set of basic specifications and run on common hardware.

D.

-- 
The STS-107 Columbia Loss FAQ can be found at the following URLs:
Text-Only Version: http://www.io.com/~o_m/columbia_loss_faq.html
Enhanced HTML Version: http://www.io.com/~o_m/columbia_loss_faq_x.html
Corrections, comments, and additions should be e-mailed to , as well as posted to sci.space.history and sci.space.shuttle for discussion.
#29
Operating systems used in spacecraft?
"Keith F. Lynch" wrote:
> [...] Formal research by experts in N-version programming has found the same thing: N-version programs are *not* N-times better than 1-version programs.
> I'm not sure what N-times better *means*. What's twice as good as 99% reliable? 198% reliable?

Turn it around -- 99% reliable means 1 failure in 100 tries. Twice as good would be 1 failure in 200 tries (or 1/2 in 100) or 99.5% reliable.

/dps
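A small model of the majority voting, common-mode bugs and "one more nine" arithmetic discussed in #26 and #29, added here as an illustration; it is constructed example code, not flight software and not code from any poster. The specification function, the three "versions" with injected bugs, and the input range are all assumptions.

```python
# Constructed illustration of majority voting vs. common-mode bugs and of the
# reliability arithmetic in the thread. Not flight software; all values invented.
from collections import Counter
from typing import Callable, Sequence

def majority(outputs: Sequence[int]):
    """Strict-majority vote, as a hardware voter would do it: returns the agreed
    value, or None when no value holds more than half the channels (for example
    a 2-2 split among four channels)."""
    value, count = Counter(outputs).most_common(1)[0]
    return value if count * 2 > len(outputs) else None

def spec(x: int) -> int:
    """The specification every version is written against (constructed)."""
    return 2 * x + 1

# Three independently written "versions", each wrong on a different input
# (constructed bugs). Running version_a three times models identical replicas.
def version_a(x: int) -> int: return -1 if x == 7 else spec(x)
def version_b(x: int) -> int: return -1 if x == 11 else spec(x)
def version_c(x: int) -> int: return -1 if x == 13 else spec(x)

def voted_failures(versions: Sequence[Callable[[int], int]], inputs) -> int:
    """Count inputs on which the voted output disagrees with the specification."""
    return sum(1 for x in inputs if majority([v(x) for v in versions]) != spec(x))

def two_of_three_reliability(p: float) -> float:
    """Probability that at least two of three independent channels succeed:
    p^3 + 3 p^2 (1 - p). For p = 0.99 this is 0.999702, the extra 'nine'."""
    return p ** 3 + 3 * p ** 2 * (1 - p)

def twice_as_good(reliability: float) -> float:
    """/dps's reading of 'twice as good': halve the failure rate. 0.99 -> 0.995."""
    return 1 - (1 - reliability) / 2

if __name__ == "__main__":
    inputs = range(20)
    print("single version:", voted_failures([version_a], inputs))                     # 1
    print("3 identical replicas:", voted_failures([version_a] * 3, inputs))           # 1, common-mode bug survives the vote
    print("3 diverse versions:", voted_failures([version_a, version_b, version_c], inputs))  # 0
    print("2-of-3, independent p=0.99:", two_of_three_reliability(0.99))              # 0.999702
    print("twice as good as 0.99:", twice_as_good(0.99))                              # 0.995
```

The identical-replica case shows Kevin Willoughby's point: a voter cannot outvote a bug that all channels share, so the extra nine in `two_of_three_reliability` only holds if channel failures are actually independent.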
#30
Operating systems used in spacecraft?
"Keith F. Lynch" wrote:
> [...] Why would you need low-level timing synchronization? So what if one computer wants to take an action a tenth of a second before the others? Just how critical is timing? Will disaster happen if anything happens even a whole second too early or too late? Each action will take place as soon as two of the three computers decide it should happen.

1) I've seen references to control responses needing to control millisecond behaviours (oscillations in guidance, for instance). Think about going down the freeway and being late by a second in spotting your exit. At 60 mph, you can correct for that. At 120 mph, maybe. At Mach 25 ---

2) How long it takes to decide "it" is a function of how fine "it" is -- if "it" is something like giving a green light to an operator, you have more time to decide than if you're running stepping motors to align something, and so on. If you're comparing the actions of modules on the same bus, say for a 2-of-3 or Quad Mode Redundancy scheme among processors or memory modules, you have nanoseconds to decide (and that's for old processors; Pentium 1's may have started pushing on picoseconds).

/dps