Thursday, June 4, 2020

Software Engineering Within SpaceX

Yasoob Khalid (via Hacker News):

They talk about the tripple redundancy system and how SpaceX uses the Actor-Judge system. In short there are 3 dual core ARM processors running on custom board (according to elteto). For each decision a “flight string” compares the result from each core on a single processor. If the output matches the command is sent to different controllers. There are 3 processors (with dual cores) so that means each controller/sensor will get three different commands. The controllers then act as the judge and compare the three commands. If all three are in agreement, they carry out the operation. If even a single command is in disagreement, the controller carries out the command from the processor which had previously been sending the correct commands.

As Alfred Spector and David Gifford explain, the Space Shuttle did something similar, only the judge wasn’t a microprocessor:

For the aerosurface actuators, each of the four computers sends out an independent command on an independent bus. With no failures, the commands should be identical. The voting is done at the actuator using a hydraulic voting mechanism, called a force-fight voter. In it, there are four hydraulic ports called secondary ports, each commanded by one of the four GPCs. The secondary ports go into the primary ports, which are heavy-duty actuators that connect to what’s called a “summing bar,” which is no more than a massive steel rod. If there are three good computers and one bad one, the three good commands physically out-muscle the fourth. This limits the control authority a little bit--we don’t get the total force we’d like to get, but there’s still enough power to control the vehicle. If you have a large enough pressure differential for a large enough time, the port is hydraulically bypassed, which relieves the pressure in that one port. The remaining three ports then regain their full authority.

Previously:

Update (2020-06-09): See also: Reddit AMA.

1 Comment RSS · Twitter


The 777 is said to have done this but with even more diversity among the processors, to avoid common mode failure, by using an Intel 80486, Motorola 68040, and AMD 29050, among other key fault tolerant features.

Freely available description here: https://citemaster.net/get/3c501aaa-39d5-11e4-9cb6-00163e009cc7/R8.pdf

DOI here: https://ieeexplore.ieee.org/document/495891

Leave a Comment