However, because the FTPP hides its redundancy fromthe application software, one can validate user softwareon a simplex processor -- a task at least an order ofmagnitude simpler than validating software on aredundant machine.(8) Open Architecture: The FTPP supports anonproprietary, open architecture for both hardwareand software, including processors, I/O modules, fiberopticlinks, and operating systems. Obviously, this isan essential attribute for any Mars computerarchitecture.(9) Commercial-Off-The-Shelf (COTS) Elements(Hardware and Software): Due to the openarchitecture, FTPPs can be constructed out of any PEs,IOCs, backplane buses, or power supplies, and canhost any real-time operating system. We haveconstructed FTPPs out of many different commercialPE boards and hosted several operating systems,including Ada run time systems. The NE is aNondevelopment Item (NDI), as are the fault-tolerantsystem services.(10) Small Physical Size: A key element of meeting thestringent weight, volume, and power requirements ofthe Mars mission will be the packaging technology.The experience we have with Multichip Modules(MCMs) leads us to believe that we can package the NEon a single MCM that measures no more than 4 cm 2 .The physical parameters of PEs and IOCs can also bereduced comparably. This also leads to reduced powerconsumption due to shorter interconnects bothbetween chips on an MCM and between MCMs.TechnicalDemonstration PlanThe architecture and implementation of the Fault-TolerantParallel Processor have been refined over the last few years bybuilding and testing three generations of FTPP hardware andsoftware, called Clusters C1, C2, and C3. Table 1 details someof the characteristics of the FTPP clusters.A 4-NE, 8-PE configuration of the FTPP, using PowerPC 604Ebasedprocessor boards, VxWorks operating system, and a 64-bitVMEbus backplane is now being constructed as the FlightCritical Computer for NASA’s X-38 Crew Return Vehicle for theInternational Space Station. A test flight of the X-38 Vehicle 201from the Space Shuttle is scheduled for March 2001.Although most of the key desirable features for the manned Marsmissions have been demonstrated in the instantiations of theFTPP discussed above, some critical technical parameters areunique to the Mars mission. The most important of theseinclude small weight, volume, and power. The fault-tolerancespecifichardware in the FTPP has already been gathered in onemodule, the NE, so that technological advances in theminiaturization of COTS processors, memories, etc., can be fullyleveraged. A concerted effort is required to implement the NE ona single MCM or possibly even in a single Application SpecificIntegrated Circuit (ASIC).It would also be necessary to customize the Fault-TolerantSystem Services software layer for the various phases of the Marsmission. This includes demonstrating various processor and NEreconfiguration strategies, such as powering up cold spares andinitializing them in redundant or parallel operational groups, asTable 1. Selected characteristics of FTPPs.Advanced Fault-Tolerant Computing for Future Manned Space Missions7
well as reversing the whole process. Rapid recovery from singleeventupsets occurring in quick succession in a high-radiationenvironment should also be part of a technical demonstrationplan.Beyond the demonstration and validation of key architecturalcharacteristics and implementation parameters, it is alsonecessary to start defining the various phases of the mannedMars mission, specifically, their computational performance andreliability requirements. A mission-specific fault-tolerantcomputer can then be configured on which to demonstrate theaforementioned characteristics.An aggressive technical demonstration plan can be executed overa period of about 2 years.Summary and ConclusionsManned missions to Mars are going to be extremely demandingfrom the viewpoint of the onboard information processingsystems. Such systems would need to be operational for longdurations and meet the safety criteria of manned spacecraft.A fault-tolerant computing approach that uses parallel-hybridredundancy, implemented in an open system architecture, hasbeen proposed to meet the stringent mission requirements.Many of the key architectural attributes such as real-time errormasking, dynamic reconfiguration between high-throughput andhigh-reliability configurations, use of COTS hardware andsoftware, and low fault-tolerance overheads have beendemonstrated via three generations of increasingly matureimplementations.AcknowledgmentContributions to this paper by Robert L. Shuler of NASA JohnsonSpace Center are gratefully acknowledged.References[1] Harper, R.E. and J.H. Lala, “Fault-Tolerant Parallel Processor,”AIAA Journal of Guidance, Control, and Dynamics, Vol. 14,No. 3, May-June 1991.[2] Lala, J.H., “Fault Detection, Isolation, and Reconfiguration inFTMP: Methods and Experimental Results,” 5th DigitalAvionics Systems Conference, Seattle, WA, November 1983.[3] Lala J.H., R.E. Harper, and L.S. Alger, “A Design Approach forUltrareliable Real Time,” Special Issue of IEEE ComputerMagazine on Real-Time Systems, Vol. 24, No. 5, May 1991.[4] Lala, J.H. and R.E. Harper, “Architectural Principles forSafety-Critical Real-Time Applications,” The Proceedings ofthe IEEE: Special Issue on Real-Time Systems, January 1994.[5] Harper R.E., “Critical Issues in Ultrareliable ParallelProcessing,” PhD Thesis, Massachusetts Institute ofTechnology, Cambridge, MA, 1987.[6] Hopkins A.L., Jr., J.H. Lala, and T.B. Smith III, “The Evolutionof Fault-Tolerant Computing, 1955-85,” DependableComputing and Fault-Tolerant Systems, Vol. I: The Evolutionof Fault-Tolerant Computing, Springer-Verlag, Wien, Austria,1987, pp. 121-140.[7] Hanaway, J.F. and R.W. Moorehead, “Space Shuttle AvionicsSystem,” NASA SP-504, Superintendent of Documents, U.S.Govt. Printing Office, Washington, DC 20402, 1989.[8] Lala J.H. et al., “Advanced Information Processing System(AIPS)-Based Fault-Tolerant Avionics Architecture for LaunchVehicles,” Proc. Ninth AIAA/IEEE Digital Avionics SystemsConf., IEEE Press, Piscataway, NJ, 1990, pp. 125-132.Advanced Fault-Tolerant Computing for Future Manned Space Missions8
- Page 2 and 3:
Letter from thePresident and CEO,Vi
- Page 4 and 5:
Information TechnologyMilton AdamsE
- Page 6 and 7:
BiographyMilton Adams has been at D
- Page 9 and 10:
Figure 1 represents a functional de
- Page 11 and 12:
Programs. In effect, these controll
- Page 13 and 14:
Although the terminal area traffic
- Page 15 and 16:
Table 2. ATFM performance evaluatio
- Page 17 and 18:
In the experiments, a nominal capac
- Page 19 and 20:
[3] Wambsganss, Michael C. “Colla
- Page 21 and 22:
Guidance, Navigation, and Control A
- Page 23 and 24:
A Control Lyapunov FunctionApproach
- Page 25 and 26: x( 0) ∈ X and w(t) ∈Wfor all t
- Page 27 and 28: (b) Select a quadratic RCLF V i (x)
- Page 29 and 30: at each grid point. In the case w 1
- Page 31 and 32: References[1] Ball, J.A. and A.J. v
- Page 33 and 34: Guidance, Navigation, and Control A
- Page 35 and 36: Relative and Differential GPSData T
- Page 37 and 38: The first term on the right in the
- Page 39 and 40: H R# δρ R,GPS -H A# δρ A,GPSThi
- Page 41 and 42: selection; and (3) shown that the a
- Page 43 and 44: Guidance, Navigation, and Control A
- Page 45 and 46: Segmentation of MR ImagesUsing Curv
- Page 47 and 48: (3)where ν now represents a contin
- Page 49 and 50: Experimental ResultsThe results of
- Page 51 and 52: Table 1. A summary of segmentation
- Page 53 and 54: Guidance, Navigation,and ControlJim
- Page 55 and 56: BiographyGeorge SchmidtGeorge Schmi
- Page 57 and 58: clock and ephemeris errors, as well
- Page 59 and 60: maintained in a rigid structure, wh
- Page 61 and 62: Table 5. “Typical” absolute GPS
- Page 63 and 64: performed, then the target location
- Page 65 and 66: tightly-coupled system, however, ca
- Page 67 and 68: Concluding RemarksRecent progress i
- Page 69 and 70: As real-time systems evolve into th
- Page 71 and 72: Advanced Fault-TolerantComputing fo
- Page 73 and 74: The Viking and Voyager were both in
- Page 75: Containment Regions (FCRs). There a
- Page 79 and 80: As real-time systems evolve into th
- Page 81 and 82: Automated Station-Keepingfor Satell
- Page 83 and 84: Figure 2. Minimum elevation angles
- Page 85 and 86: anomaly M and/or the ascending node
- Page 87 and 88: However, since optimization and rec
- Page 89 and 90: is maintained in the Northern Hemis
- Page 91 and 92: autonomy. It must have the ability
- Page 93 and 94: [31] Neelon, Joseph G., Jr., Paul J
- Page 95 and 96: Draper’s primary goal is to Drape
- Page 97 and 98: )Rotordynamic Modelingof an Activel
- Page 99 and 100: Eq. (9) becomes:λ[ R ] { Φ } = [
- Page 101 and 102: chosen to be 24, for a total of 48
- Page 103 and 104: InertialInstruments/MechanicalDesig
- Page 105 and 106: BiographyJeffrey Borenstein is curr
- Page 107 and 108: process step. Process information i
- Page 109 and 110: Figure 4. Control chart for boron d
- Page 111 and 112: References[1] Barbour, N., J. Conne
- Page 113 and 114: Draper Laboratory continues to engi
- Page 115 and 116: Validating the Validating Tool:Defi
- Page 117 and 118: calculates miscellaneous terms, suc
- Page 119 and 120: Table 1. Suggested specification sh
- Page 121 and 122: User Accuracy as aFunction of Simul
- Page 123 and 124: 20-min averaging, this clock lockin
- Page 125 and 126: Table 2. Sample high-level summary
- Page 127 and 128:
AcknowledgmentR.L. Greenspan, J.A.
- Page 129 and 130:
Systems IntegrationRich MartoranaPe
- Page 131 and 132:
BiographyAnthony Kourepenis is an A
- Page 133 and 134:
control is employed to maintain the
- Page 135 and 136:
Table 1. Summary of automotive yaw
- Page 137 and 138:
Resolution (60 Hz) deg/h10000000100
- Page 139 and 140:
References[1] Greiff, P., B. Boxenh
- Page 141 and 142:
Guidance, Navigation, and Control A
- Page 143 and 144:
An Integrated Safety AnalysisMethod
- Page 145 and 146:
Infrastructure ModelsSystemRequirem
- Page 147 and 148:
Figures 6 and 7 illustrate the bloc
- Page 149 and 150:
Notice that each flight track descr
- Page 151 and 152:
Table 7. Safety statistics at 1700-
- Page 153 and 154:
Guidance, Navigation, and Control A
- Page 155 and 156:
An Optimal Guidance Law forPlanetar
- Page 157 and 158:
Note that the states in the three d
- Page 159 and 160:
Crossrange (Kft)10090807060504030Cl
- Page 161 and 162:
The 1997 Charles StarkDraper PrizeT
- Page 163 and 164:
The 1997 Charles StarkDraper Prize1
- Page 165 and 166:
“Draper encourages its personnel
- Page 167 and 168:
Gimballed Vibrating GyroscopeHaving
- Page 169 and 170:
“Draper encourages its personnel
- Page 171 and 172:
Optical Source Isolator withPolariz
- Page 173 and 174:
“Draper encourages its personnel
- Page 175 and 176:
Hunting Suppressor forPolyphase Ele
- Page 177 and 178:
“Draper encourages its personnel
- Page 179 and 180:
Sensor Having an Off-Frequency Driv
- Page 181 and 182:
proof mass from transients and enha
- Page 183 and 184:
1997 Published PapersThe following
- Page 185 and 186:
monitoring of space structures and
- Page 187 and 188:
measured by kinematic degrees of fr
- Page 189 and 190:
i.e., what percent of the earth’s
- Page 191 and 192:
McConley, M. W.; Dahleh, M. A.; Fer
- Page 193 and 194:
unaffordable, or even misguided. Bu
- Page 195 and 196:
The Draper DistinguishedPerformance
- Page 197:
Educational Activitiesat Draper Lab
Change language