"Redundancy in Space Shuttle Avionics"

Hugh Blair-Smith
MIT Instrumentation Laboratory

Abstract

The Space Shuttle is among the earliest systems (if not the earliest) designed to a FO-FO-FS criterion, meaning it had to Fail (fully) Operational after any one failure, then Fail Operational after any second failure (even of the same kind of unit), then Fail Safe after most kinds of third failure. The computer system had to meet this criterion using a Redundant Set (RS) of 4 computers plus a backup of the same type, which was (ostensibly!) a commercial off-the-shelf type. Quadruple redundancy was also employed in the hydraulic actuators for elevons and rudder. The overall system had to continue safe operation within 400 msec of any failure, but the decision to shut down a computer had to be delegated to the crew. Among the interesting problems to be solved were "control slivering" and "sync holes." The first flight test (Approach and Landing only) was the proof of the pudding.

 

2006 MAPLD International Conference - Session G
"Digital Engineering and Computer Design: A Retrospective and Lessons Learned for Today's Engineers"

2006 MAPLD International Conference Home Page