Opinions on safety of dropbox ???

Chip Fetrow tacos at fetrow.org
Fri Aug 8 01:15:49 CDT 2014


There were four, not five.

The hardware for all four was the same.  Three operated the same software and “voted.”  The fourth computer was programmed by a totally separate software team, and the teams were not allowed to have any contact with each other.  The idea was that the software could not contain the same errors.

To answer an earlier question, if the two systems did not agree pre-launch or on orbit, nothing would be allowed to happen.   This stop would allow humans to look at the problem(s) and decide what to do, and hopefully fix the problem.

I happened to see this happen once.  I have no idea how often it happened.

One of the early launches was stopped because of a main engine fault.  Somewhere around here I have a 6 CM square slide of the engine start, and stop.  It was only mSs.  For some reason, only one engine (of 3) flashed.  It was the engine vendor who supplied the slides to the press.  This delayed the launch for months.  They figured out the problem, and rescheduled the launch.  I don’t know what computer(s) were involved.

Later, I was picked to rebuild the Mutual Radio Networks’ studio at the launch pad.  This site, the press mound, was used for all manned launches, but when the Shuttle program started, NASA wanted to move the press back, as a problem on the pad could kill the press.  The networks went nuts, as we were already a mile away from 39B, so NASA backed down.  I should have kept track, but just before each launch NASA would give instructions on what to do if there was a “pad emergency.”  I do recall a few.  Only one was “kiss your ass goodbye.”  The last two were, “You have 20 minutes to get in your vehicles and get out,” and the last one was, “Go inside a permanent building and shelter in place.”  Mostly, it depended on the wind direction and speed.

STS-134 was the 20 minute deadline launch, and that would have been interesting.  I got to the press mound more than 12 HOURS before the launch, and I was parked way out in the grass, well beyond the parking lot.  Thankfully, even though getting out of the lot would have been difficult, I spent enough time on the island that I knew a much faster way out, though it would dump me out of the base way north, and nowhere near Titusville, or even near any road to Orlando.


Anyway…

That early launch…

I was sent down to completely rebuild the studio, with only two weeks to do it.  The studio was a throwback from Project Mercury, but hey, balanced audio is balanced audio.  No problem.  I rebuilt it in no time, and had some free time, so I played press photographer.  FUN!

I was told they were not going to send down an operations technician, so I would have to operate the audio equipment for the launch, and of course, stay.  Oh, heck, more paid free time in Florida.  DARN!


Then came the launch.  At T-about nothing, the clock froze and they scrubbed the launch (again).  Then there was the press briefing.  My job was to feed the briefing back to DC (Arlington) and record it on 1/4” tape locally.  The reporter was Jim Slade, a real NASA Fan Boy, who had attended every manned launch from the first to Challenger.  They didn’t send him down for that disaster until after it happened — then they gave him all the petty cash and sent him to the airport.  He wasn’t even allowed to go home to pack clothes — “BUY SOME THERE!”

Anyway, T-minus nothing and a press conference.  Jim was, by far, the most senior reporter, so he got the first questions.  NASA explained that the computers had a software error, and would likely miss the software interrupt to separate the tank.  Jim came back into the studio and said, “No problem.”  I said, “WRONG, HUGE PROBLEM!”  Normally, I would not argue with a very senior reporter, but we got into it.  I repeatedly told him to go back in as I said they would not be able to get the tank off, but NASA had misled him and everyone else.  He said there is a button to release the tank, which was true, but it did not bypass the computer, and I knew that.  He grudgingly went back.  I explained that I wrote software and I knew what I was talking about.  He had to wait for all the “reporters” to get done, including the big guns like the Orlando Middle School Memio Press.  Three computers agreed.  The odd one did not.

He asked about the button, and NASA said there was one.  He asked if it would have worked, and NASA said, um, NO.  Of course, all TV and the big guys were gone, so no one heard it.  Jim came back to the studio, ashen faced, thanked me, and downplayed it in the report.  The crew would have died.  During much of the manned program, the press gave NASA a pass.


I had run into an old girlfriend on the base.  We had lunch, caught up and parted.  She later came by the studio and offered me her press badge as she could not stay for the delayed launch.  I took it.  I called my then girlfriend, now wife, and told her I could get her on the press mound.  She quickly accepted, got a plane ticket and a speeding ticket (her only ticket ever) going to the airport.  I picked her up and she was not at all happy that her name was now that of my ex.  She got over it.  Security was a joke then, but is very tight now, and has been for some time.  For some time you have had to show the gate guard both a Press Pass and a second ID like a driver’s license.  If you are driving, you must have a DL.


The next day the software was repaired, and the launch went off.  It was, and still is, the loudest thing I have ever heard.  I actually felt my liver vibrating inside my body.  This was before they got the sound suppression system tuned up well.  Much of that “white smoke” seen at launch was the sound suppression water being turned into steam.  Of course, the main engines made a lot of steam too.

I kept turning down the fader on the mic Jim was using.  It was a step attenuator, and I only had one more click to go off.  I grabbed the Master Gain, a control which was never used, and turned it down and down.  I could not believe how loud it was and became very happy the mic he had was an Electro-Voice 635A, which really accepts loud sounds and abuse.  You can put one inside a bass drum for example.

As the Shuttle was lifting off, Jim waved me from the control room into the studio, then pushed me out the door, outside.  I was only there for seconds, as I felt responsible for the broadcast, but it was LOUD!  Of course, I did take some pictures.  My now wife was blown away too.  She did try to yell at me, but I could not hear a word.


Coming back to the issue, if those two sets of software did not agree on the ground, everything stopped, which I witnessed.  The same thing would happen on orbit.  If they did not agree, the de-orbit burn would not be allowed.  I believe, but am not sure, that in critical phases, the three would win out if no human became involved.

—chip

On Aug 6, 2014, at 11:27 AM, tacos-request at amrad.org wrote:

> Message: 5
> Date: Tue, 05 Aug 2014 20:58:12 -0700
> From: Tom Azlin W7SUA <tom at w7sua.org>
> To: tacos at amrad.org
> Subject: Re: Opinions on safety of dropbox ???
> 
> Yup
> 
> They also had a backup flight control system with a fifth computer that 
> ran separately developed software just in case there was a common 
> failure on the other four. I do not remember reading about any failures 
> in the main four computers. Perhaps someone else on list knows more?
> 
> 73, tom w7sua
> 
> On 8/5/2014 7:21 PM, Mark Whittington wrote:
>> What happens when there's a tie?  Flip a virtual coin?

