National Academies Press: OpenBook

An Assessment of Space Shuttle Flight Software Development Processes (1993)

Chapter: 3. The Space Shuttle Flight Software Development Process

Suggested Citation:"3. The Space Shuttle Flight Software Development Process." National Research Council. 1993. An Assessment of Space Shuttle Flight Software Development Processes. Washington, DC: The National Academies Press. doi: 10.17226/2222.

3

THE SPACE SHUTTLE FLIGHT SOFTWARE DEVELOPMENT PROCESS

INTRODUCTION

The Space Shuttle avionics system controls, or assists in controlling, most of the Shuttle systems, including automatic determination of the vehicle's status and operational readiness; implementation sequencing and control for the solid rocket boosters and external tank during launch and ascent; performance monitoring; digital data processing; communications and tracking; payload and system management; guidance, navigation, and control; and electrical power distribution for the orbiter, external tank, and solid rocket boosters.

This chapter describes the numerous parts of the complete flight software development and upgrade process. Chapters 4, 5, 6, and 7 discuss the Committee's findings and recommendations that resulted from the investigation of the complete process.

THE SOFTWARE

The software programs are written in High-order Assembly Language (HAL/S), which was developed especially for the Shuttle, and are executed on the General Purpose Computers (hereafter simply referred to as the computers or GPCs).

Two essentially independent software systems have been developed to operate the orbiter avionics system:

  • The Primary Avionics System Software (PASS) consists of application software, which performs the actual functions that are required to fly and operate the vehicle, and operating system software, which controls the computer operations and provides the facilities to ensure that the application software can execute. The operating system software is always resident. On the other hand, since the applications software is too large to fit into a computer at one time, it is divided up into separate functional overlays. The overlays are stored on Mass Memory Units and are loaded into the on-board computers as they are needed for each phase of flight (descent, orbit, and entry).

  • The Backup Flight Software (BFS) provides backup capability for the critical phases of a mission and therefore contains only the software necessary to complete ascent or entry safely, maintain vehicle control on orbit, and perform the systems management function during ascent and entry (when there is no PASS systems management). Because its functions are limited, all the BFS software can fit into a computer at the same time and need never access mass memory (although a copy of the BFS software is loaded into the mass memory unit so that another computer could take over the functions of the backup computer in case of a backup computer failure). The BFS is designed to monitor everything that PASS does during ascent and entry.

The application flight software (and occasionally system software) has to be changed as a result of changes in Shuttle hardware (including an upgrade in the computers used), detected errors, and decisions to add functionality. As stated earlier, these major updates to the software are called Operational Increments (OIs) and occur approximately once a year. As can be seen in Figure 3-1, each operational increment takes up to 28 months to develop, so the development of different operational increments proceeds in parallel.

In addition to the basic software, each mission has specific requirements that relate to the activities to be carried out on that flight. The software development contractors deliver the OI base to the Space Transportation System Operations Contractor (STSOC), who configures it for the mission by adding mission-specific (payload) data, initialization data, telemetry format data, and flight software patches (corrections in response to late change requests and discrepancy reports) to produce a final integrated mass memory load.

THE PROCESS

The process for Shuttle software development and V&V is more complex than is practical to present completely here. In addition, a number of the internal processes used by the development contractors are deemed proprietary. Although the Committee was given access to much of this proprietary information, it is not appropriate for publication in this report. Instead, the Committee has included documents in Appendix D and Appendix E that provide detailed but non-proprietary information. The Committee feels it is helpful in understanding the findings and recommendations, however, to have an overall view of the process.

Figures 3-2a through 3-2c (Figures 5-1 through 5-3 of the roadmap document included in Appendix E) show the development-process steps, and the V&V activities associated with each step, for the PASS and BFS software developed at JSC. Figures 3-3a through 3-3d are similar descriptions of the process steps and V&V activities for the Block 1 Space Shuttle Main Engine Controller (SSMEC) developed by the Marshall Space Flight Center (MSFC). The Block 1 SSMEC roadmap differs from the roadmap used at JSC for the PASS and BFS. In addition, there has recently been a major upgrade to the SSMEC (again developed by Rocketdyne for MSFC), called Block 2, which uses a third roadmap that is similar, but not identical, to the Block 1 roadmap. Also, each of the software development contractors (IBM, Rockwell/Downey, and Rocketdyne) has its own internal software development and V&V processes that are not shown on any of the roadmaps.


Source: Shuttle Program Office

Figure 3-1 The Software Development Process takes as many as 28 months to complete a single Operational Increment (OI)


Source: Shuttle Program Office

Figure 3-2a The Flight Software Definition Phase


Source: Shuttle Program Office

Figure 3-2b The Flight Software Development Phase.


Source: Shuttle Program Office

Figure 3-2c The Flight Software Mission Preparation Phase


Source: Shuttle Program Office

Figure 3-3a Block 1 Space Shuttle Main Engine Controller Requirements Definition Roadmap


Source: Shuttle Program Office

Figure 3-3b Block 1 Space Shuttle Main Engine Controller Software Development Roadmap


Source: Shuttle Program Office

Figure 3-3c Block 1 Space Shuttle Main Engine Controller Verification/Validation/Certification Roadmap.


Source: Shuttle Program Office

Figure 3-3d Block 1 Space Shuttle Main Engine Controller Mission Readiness Roadmap


Many groups are involved in the development and V&V efforts (NASA calls this the flight software community):

  • The Space Shuttle Engineering Integration Office (by assignment to the Space Shuttle Avionics Office) has primary responsibility for the entire process of software verification and validation.

  • The Shuttle Program Office has the final authority for all flight software requirements. Within this office, the Shuttle Avionics Software Control Board (SASCB) prioritizes and evaluates all Change Requests (CRs) and Discrepancy Reports (DRs). Change packages are approved by the Program Requirements Control Board with the SASCB recommendation and then their implementation is managed by the SASCB.

  • The Mission Operations Directorate (MOD) at JSC develops the operational requirements for a Shuttle mission and uses the Shuttle Mission Simulator located at JSC to validate mission plans and procedures and to train the flight and ground crews.

  • The JSC Engineering Directorate (ED) has systems engineering responsibility for the total Shuttle hardware and software systems and evaluates the capability of each system to accomplish planned mission objectives. The JSC Flight Data Systems Division (FDSD) reviews each change in the flight software using the Software Development Facility (SDF) at JSC to perform verification tests prior to an OI release and uses the Software Production Facility (SPF) to generate and verify all patches to OIs after delivery. Engineering Directorate personnel, with support from Rockwell/Downey, use the Shuttle Avionics Integration Laboratory (SAIL) to analyze hardware and software interfaces and operations.

  • The SR&QA Office at JSC has a voting member on the SASCB (software control board) and tracks Operation Notes, User Notes, and waivers associated with flight software discrepancies. The SR&QA Office at MSFC performs a similar function for assuring the quality and safety of the SSMEC.

  • The Flight Software Development Contractors, IBM, Rockwell/Downey, and Rocketdyne, develop the PASS, BFS, and the SSMEC respectively. Within its own company, each contractor uses managerially-independent organizations, Internal IV&V, to review and examine the flight software at each stage of development. A requirements group ensures that the specified requirements are understood and that the flight software module designs incorporate the intent of these requirements. The programming group ensures that the flight software module designs are coded properly according to approved development standards. The test group verifies that the code executes properly and accomplishes the functions stated in the requirements. The build group ensures that only approved flight software modules are used in OI loads released for verification and final delivery. The SSMEC is delivered to the Shuttle Program Office at JSC as a finished package, i.e., as government furnished equipment.

  • The Flight Crew Operational Directorate (FCOD) at JSC assesses each change or discrepancy for flight safety and operational impacts using desktop review or simulators.

  • The Space Transportation System Operations Contractor (STSOC) supports JSC's MOD and Reconfiguration Management Directorate. Using government furnished equipment, flight data, and software patches from development contractors to install late corrections to fix problems documented in DRs, the STSOC reconfigures the OI loads for use on specific missions. The STSOC is currently a division of Rockwell International (and several subcontractors) based in Houston, separate from the Rockwell/Downey personnel who build the BFS. The STSOC performs mission-specific tests (Level 8 testing) to verify the performance of the reconfigured system and prepares the Initialization Loads (I-Loads)¹ that are unique to each mission. Other IBM and Rockwell/Downey personnel independently build PASS/BFS software loads and perform bit-level comparisons with the newly built OI load.

  • The Systems Design Contractors, Rockwell, Lockheed, and Charles Stark Draper Labs, design tests and use the SAIL to verify that both the PASS and BFS flight software loads are compatible with hardware interfaces, perform as designed, and conform to the mission requirements. Results of each test are compared with those generated by independent offline simulations performed by the IV&V and development contractors.
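
The independent rebuild and bit-level comparison described in the STSOC item above, sketched as an added example (not code from the report or from any Shuttle contractor). The load map, module names, and sample bytes are constructed for illustration; the code reports where two builds of the same load differ and which modules those differences fall in.

```python
"""Bit-level comparison of two independently built software loads (added example)."""
import hashlib
from typing import List, NamedTuple, Tuple


class DiffRange(NamedTuple):
    offset: int  # first differing byte
    length: int  # number of consecutive differing bytes
    bits: int    # number of differing bits inside the range


def compare_loads(reference: bytes, rebuilt: bytes) -> List[DiffRange]:
    """Return contiguous byte ranges where the two images differ.

    A length mismatch is reported as a final range covering the extra tail,
    with every bit of that tail counted as differing.
    """
    ranges, start, bits = [], None, 0
    common = min(len(reference), len(rebuilt))
    for i in range(common):
        x = reference[i] ^ rebuilt[i]
        if x:
            if start is None:
                start, bits = i, 0
            bits += bin(x).count("1")
        elif start is not None:
            ranges.append(DiffRange(start, i - start, bits))
            start = None
    if start is not None:
        ranges.append(DiffRange(start, common - start, bits))
    longer = max(len(reference), len(rebuilt))
    if longer != common:
        ranges.append(DiffRange(common, longer - common, 8 * (longer - common)))
    return ranges


def affected_modules(ranges: List[DiffRange],
                     load_map: List[Tuple[str, int, int]]) -> List[str]:
    """Names of load-map entries (name, offset, length) that overlap any diff."""
    return [name for name, off, length in load_map
            if any(r.offset < off + length and off < r.offset + r.length
                   for r in ranges)]


def verify(reference: bytes, rebuilt: bytes,
           load_map: List[Tuple[str, int, int]]) -> dict:
    """Full report: identical flag, digests of both builds, diffs, modules hit."""
    ranges = compare_loads(reference, rebuilt)
    return {
        "identical": not ranges,
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "rebuilt_sha256": hashlib.sha256(rebuilt).hexdigest(),
        "ranges": ranges,
        "modules": affected_modules(ranges, load_map),
    }


# Constructed sample: a 48-byte "load" made of three 16-byte modules
# (hypothetical names, not taken from the report).
LOAD_MAP = [("os_kernel", 0, 16), ("guidance", 16, 16), ("sys_mgmt", 32, 16)]
REFERENCE = bytes(range(48))
REBUILT_OK = bytes(range(48))
_bad = bytearray(REFERENCE)
_bad[20] ^= 0x01  # one flipped bit inside "guidance"
_bad[31] ^= 0xFF  # run of differences that crosses a module boundary
_bad[32] ^= 0x0F
REBUILT_BAD = bytes(_bad)

if __name__ == "__main__":
    for label, image in (("clean rebuild", REBUILT_OK), ("altered rebuild", REBUILT_BAD)):
        print(label, verify(REFERENCE, image, LOAD_MAP))
```

A digest match alone answers whether the builds agree; the range and module output is what tells a reviewer where to look when they do not.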

Independent Verification and Validation (IV&V) is performed by Intermetrics for the PASS and BFS and by Smith Advanced Technologies for the SSMEC. The role of the IV&V contractors in assuring the software was discussed in Chapter 1, and their current functions are shown in Table 1-1 (see also Appendix D). In general, the IV&V contractor concentrates on software used during the most critical phases of flight, particularly the ascent and descent phases. The contractor typically evaluates the CRs and DRs that are submitted to cover changes in the software. However, they also often submit CRs and DRs themselves and use their specialized tools and expertise to perform a detailed evaluation of the software itself (see Appendix D for a discussion of the tools used).

¹ I-Loads are a large number of data sets that contain mission parameters such as ascent and descent profiles, wind data, payload mass information, unique characteristics of the orbiter being used for a given mission, etc. These data sets are updated for each mission and are even updated on the day of launch in certain cases. They are not strictly a part of the flight software, but without this initializing data the software would not run properly. The Committee did not consider the processes by which I-Loads are determined, controlled, tested, or assured.


Effective software is essential to the success and safety of the Space Shuttle, including its crew and its payloads. The on-board software continually monitors and controls critical systems throughout a Space Shuttle flight. At NASA's request, the committee convened to review the agency's flight software development processes and to recommend a number of ways those processes could be improved.

This book, the result of the committee's study, evaluates the safety, oversight, and management functions that are implemented currently in the Space Shuttle program to ensure that the software is of the highest quality possible. Numerous recommendations are made regarding safety and management procedures, and a rationale is offered for continuing the Independent Verification and Validation effort that was instituted after the Challenger Accident.
