Is NASA ready to build the next-generation software system for space exploration?
The Sierra hiking season is over—for me at least. I'm not one of those hearty souls who think little of marching over the passes in all conditions. It's good to know your limitations.Excerpt
The success of the scaling-up process depends upon the fact that the conceptual integrity of each piece has been radically improved — that the number of minds determining the design has been divided by seven. So it is possible to put 200 people on a problem and face the problem of coordinating only 20 minds, those of the surgeons...Let it suffice here to say that the entire system also must have conceptual integrity, and that requires a system architect to design it all, from the top down. (Ch 3. p. 36-7)
...Conceptual integrity in turn dictates that the design must proceed from one mind, or from a very small number of agreeing resonant minds.(Ch 4. p. 44)
ExcerptBuilding a large-scale-software system, like a spacecraft, requires a lot of people. That's a problem. According to Brooks' Law the number of communication paths grows exponentially with the number of programmers. Hence the project manager's grand challenge: ensure that hundreds of engineers from different disciplines are all working with the same principal goals in mind. Good luck. Nothing is more dismaying than another-vague-management-mandate while the clocking is ticking and the schedule is evaporating. Fact is, most engineers don't grok the deep concerns outside of their domain and don't care so long as they have sufficient guidance and schedule to meet their deadlines.
...neither cities nor States nor individuals will ever attain perfection until the small class of philosophers..are providentially compelled, whether they will or not, to take care of the State, and until a like necessity be laid on the State to obey them...
— Plato, around 380 BC, Book VI. (499b)2
 |
| Title page from oldest manuscript of The Republic |
Until philosophers are kings, or the kings and princes of this world have the spirit and power of philosophy, and political greatness and wisdom meet in one, and those commoner natures who pursue either to the exclusion of the other are compelled to stand aside, cities will never have rest from their evils, nor the human race, as I believe, and then only will this our State have a possibility of life and behold the light of day.Plato, The Republic, Book V. (473c)
![Sir Karl Raimund Popper. By Flor4U (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons](http://commons.wikimedia.org/wiki/File%3ASir_Karl_Raimund_Popper.jpg) |
| Karl Popper, Viennese Philosopher (1902-1994) |
Excerpt
What a monument of human smallness is this idea of the philosopher king. What a contrast between it and the simplicity of humaneness of Socrates, who warned the statesmen against the danger of being dazzled by his own power, excellence, and wisdom, and who tried to teach him what matters most — that we are all frail human beings. What a decline from ...Plato's kingdom of the sage whose magical powers raise him high above ordinary men; although not quite high enough to forgo the use of lies, or to neglect the sorry trade of every shaman — the selling of spells, of breeding spells, in exchange for power over his fellow-men.—Karl Popper, Chapter 8, "The Philosopher King."
Excerpt
In the surgical team, there are no differences of interest, and differences of judgment are settled by the surgeon unilaterally. These two differences—lack of division of the problem and the superior-subordinate relationship—make it possible for the surgical team to act uno animo. (p. 35)
 |
| The co-pilot is only supposed to tap into team communications From Mythical Man-Month p. 38 (1975 version) |
 |
| Some chiefs have limited authority |
Attack dog
Some chiefs have clout
(Meyer Lansky did)
The best defense is a good offense, preferably one that preserves the appearance of impartiality. #2 can keep anyone with an opposing view safely on the defensive. For example, just as a Vice Presidential candidate is expected to relentlessly hector the opposition, a worthy #2 will undercut technical initiatives that threaten the Chief.
Henchman
Every job has its dirty deeds. For example, since the Agency does not tolerate failure (see "Failure is not an option"), remedial measures, like blame displacement, are frequently needed. #2 can do that dirty work so that the Chief's hands remain bloodless.
Parade sweeper
Leadership is not merely a matter of opining with one's feet on the desk — especially in a a paperwork hungry bureaucracy. Someone must take on the stultifying job of feeding the beast meaningless paper. Here's where #2 may make his most meaningful contribution.
Spy
Knowledge is power. A smart Chief must know what the troops are thinking. But, a Chief can have no real friends; unfiltered information seldom penetrates the management bubble. There's too much to be gained by flattery and it's too tempting to rail against leadership. #2 can help. She can be a friend, a trusted advocate for the working stiff, and a reliable reporter of the sentiments that lie beneath the surface.
Hand holder
Two heads is better than one; at least when it comes propping up the boss. With #2 at his side, a Chief makes a much more commanding presence. Best of all the Chief can be assured of close support should he be faced with dissent. There's no better hedge against those unsettling moments of insecurity.
Note to Chief: Effective hand-holding requires occasional dissention to preserve the appearance of honest and considered support. Don't be alarmed.
A short digression
Gaius Gracchus, tribune of the people,
presiding over the Plebeian Council
 |
| General Jean Victor Moreau (1763-1813) |
 |
| Louis Alexandre Berthier (1753-1815) |
Excerpt from catalog cover letter
From the rudimentary but effective Apollo Guidance and Navigation System that landed the first humans on the lunar landscape to the 500,000 lines of code used to put the Mars Curiosity Rover on the surface of the Red Planet, software has always been at the core of NASA’s mission successes…The technologies featured in this catalog represent NASA’s best solutions to a wide array of complex problems, and they are on offer here to the public for use.
—David Lockney, the Technology Transfer Program Executive
 |
| caveat emptor |
 |
| NASA Press Release (14-102) |
Excerpt
What['s]...remarkable is how well the software works. This software never crashes. It never needs to be re-booted. This software is bug-free. It is perfect, as perfect as human beings have achieved....
...That's the culture: the on-board shuttle group produces grown-up software, and the way they do it is by being grown-ups. It may not be sexy, it may not be a coding ego-trip -- but it is the future of software.— Charles Fishman, Fast Company, 1996
Once upon a time...
there was perfect software
ExcerptAfter reading the last posting, a friend, from my NASA days, sent me a link to a 1996 Fast Company article by Charles Fishman about the on-board Shuttle team at Johnson Space Center. The article, They Write the Right Stuff describes how the team managed their work. For the remainder of this posting, I'll refer to the article as simply the "...Write...Stuff."
A mythology has arisen about the Shuttle software with claims being made about it being “perfect software” and “bug-free” or having “zero-defects,”all of which are untrue.—Nancy Levison, 2013
As the rest of the world struggles with the basics, the on-board shuttle group edges ever closer to perfect software. — Charles Fishman
 |
| Space Shuttle Main Engine hoisted into the A-2 Test Stand, Stennis Space Center (1979) |
 |
| Space Shuttle Main Engine Controller (2005) The controlled was attached directly to the engine body |
In July 1971, NASA contracted Rocketdyne to build the Space Shuttle Main Engine (SSME). Each shuttle main engines had a pair of dedicated, redundant controllers that were attached directly to the engine. These controllers managed the low-level functions of the main engines like servo control, command data converter, sensor data transmission and fault response. In the initial implementation, these controllers were Honeywell HDC-601s and the software was written in assembler. By early 80's it was clear an update was needed. Rocketdyne updated the SSMe controllers to the Motorola 68000 and rewrote the software in C.
In March 1973, NASA contracted with IBM to build the Primary Avionics Software System (PASS). PASS was comprised of two parts the Flight Computer Operating System (FCOS) and the application software. FCOS handled engine sequencing, steering and redundancy management by providing the controlling function for the software built by Rocketdyne. The application software which included guidance, navigation and systems management. PASS is the software that is discussed in the "...Write...Stuff."
PASS ran five 'general purpose computers.' IBM selected the AP-101/S processor which was based on the same architecture as the IBM 360. Earlier versions of the AP-101/S had been flown on the B-52 and the B-1B. The processor used a variety of word sizes depending on the function. For example, instructions could be either 16 or 32 bits. Floating point could be 32, 40 or 64 bit words. The average speed for math operations was about half a MIP. Program state for all process was preserved in 64-bit status word that was updated with every instruction cycle. As if that wasn't complicated enough, the processor was capable of handling 61 interrupts at 20 priority levels while preserving real-time constraints.
The five AP-101/S computers were divided into two separate systems. A quad-redundant, fault tolerant 'primary' system, and a Backup Flight Control System (BFS). PASS controlled both. All the computers processed the same data. This meant all the primary computers had to stay in synch. Reliability and safety in the primary was based on a voting scheme that checked all the computers to ensure they were producing the same result. If one computer had a different result, it was isolated.
If the primary system failed, BFS kicked in. That meant the BFS also had to be synchronized with the primary. Synchronizing the primary and backup systems would proved to very difficult and lead to a major defect that delayed the initial shuttle launch. The synchronization problem is a fascinating story captured in John Garman's article, "The Bug heard 'Round the World." 7
Each processor had access to about 100K words (36-bit words) of shared memory. Memory was addressed by using a 16-bit word plus an extension for the last 4-bits from the status word. Since the memory was limited, software loads had to be swapped out at different mission phases. The largest loads were about 100K words for Ascent and Entry. Swapping software loads while maintaining system state must have been a bit tricky.
Shuttle software loads.
(from Tomayko, Developing software for the space shuttle )
PASS was going to be (and still would be) a difficult programming job. After coding the Apollo software in assembler, the engineering team knew PASS would be too complicated to write in assembler. After much debate, they decided they needed a high-level programming language. In 1969, NASA contracted Intermetrics8 to develop a new programming language, High-order Assembly Language/Shuttle or HAL/S9
HAL/S code snippet
from http://history.nasa.gov/computers/Appendix-II.html
The software was expensive; the cost was vastly underestimated. Originally, NASA thought the cost for development of the Shuttle software would be around $20M. In the end, NASA spend $200M for the original development (and that's 1970 dollars). Not surprising, over 50% of the PASS modules changed during the first 12 flights in response to requested enhancements. By 1991, the Agency had spent a total of $324 million. In 1992 NASA estimated it was spending $100M a year for maintenance of the onboard software.10
It's easy to understand why the maintenance costs were astronomical. The system was very complex and difficult to understand. Each release had to be free of any mission-ending errors. Both factors would drive testing budgets. Not only because large testing teams running extensive test protocols were necessary, but because the hardware and software required for development and test was not commercially available. Hardware had to be stockpiled, salvaged or reengineered from scratch at a significant cost. Similarly, all the software development tools had to be custom built and all programmers had to be trained at agency expense. (No university was churning out cadres of HAL/S programmers.)
Despite all that expense, the software was not bug free. According to Levison, during the first ten years, 16 'severity 1' errors were found. Of those, eight of remained in the flight code—operators simply avoided command that might trigger these errors. In addition, there 12 errors of lower severity that occurred during flight.
Not all errors occurred in the early days. In April 2009, a serious software communications error occurred in flight a few minutes after Endeavor reached orbit. So happens that bug was introduced in 1989 when a warning about code misalignment was inserted in the code. In other words, despite the Fishman's panegyric, the shuttle software was never bug free.
"If there are lessons to be learned from "the bug", they must be in how we view ourselves and our task. Building software in a large system against fixed schedules is not conducive to "bugfree" products. We can minimize the errors, and we can minimize the flight criticality of the ones that remain...but we can't treat it like a problem with a methodological solution." — Jack Garman, "The Bug Heard 'Round the World" (1981)Despite all the tumult that the cancellation of the Cx Program created in the Agency, from a software perspective, it's a good thing it was stopped. The management did not have a realistic understanding of the software challenge they were facing. By contemporary standards, the Shuttle's PASS software would not be considered a 'big' package. Estimates at the time sized the Cx software in 100's of millions of lines of code. Using the methods described in the "...Write...Stuff," those software development efforts would not have converged—even with an infinite amount of money. An unimaginable failure was in the making.
Software is a very unusual industry. You can run an assembly line with a whip, although American managers are belatedly realizing that there are better ways...Formal devices and management tricks can aid or impair it, but the impetus must come from within. The collective mind and will of the technical staff is the essence...If management strays too far from the will of the workers, tries to shape it into something that it is not, the only possible outcomes are chaos or outright rebellion. — Tony Flanders, A History of IntermetricsBut then who knows, maybe, one day, someone in senior NASA management will grasp its own lessons learned, so that, once again, NASA can do the right stuff.
a) Tomayko's Computer in Spaceflight: The NASA Experience, Chapter 4
b) Levision's Software and the Challenge of flight Control
c)Lethbridge's Spaceline.org. http://www.spaceline.org/rocketsum/shuttle-program.html
d) Mattox and White's Space Shuttle Main Engine Controller
ExcerptBrooks says that some jobs are too large for a small team. However, if you have a large team, Brooks' Law kicks in adding significant communication overhead, bogging down progress and bloating cost and schedule. What's the manager of a large software project to do?
...one does the cutting and the others give him every support that will enhance his effectiveness and productivity.(p. 35)
 |
| Brooks' Law |
 |
| You won't find a Chief Programmer in the group |
Excerpt
Absolutely vital to Mills's concept is the transformation of programming "from private art to public practice" by making all the computer runs visible to all team members and identifying all programs and data as team property, not private property. (p. 32)
[Newton] said, "If I have seen further than others, it is because I've stood on the shoulders of giants." These days we stand on each other's feet!2— Richard Hamming
 |
| Brooks' breakdown of of software product types (from page 5, Mythical Man-Month ) |
Excerpt
...each segment of a large job be tackled by a team, but that the team be organized like a surgical team rather than a hog-butchering team. That is, instead of each member cutting away on the problem, one does the cutting and the others give him every support that will enhance his effectiveness and productivity.(p. 32)
Excerpt
When Švejk subsequently described life in the lunatic asylum, he did so in exceptionally eulogistic terms: 'I really don't know why those loonies get so angry when they're kept there. You can crawl naked on the floor, howl like a jackal, rage and bite. If anyone did this anywhere on the promenade people would be astonished, but there it's the most common or garden thing to do. There's a freedom there which not even Socialists have ever dreamed of.―Opening sentences of Chapter 4,
- Chief Programmer
- In keeping with the surgical team metaphor, Brooks calls the chief programmer the surgeon. The surgeon is responsible for the design. She or he also codes, tests and writes the documentation. On top of that, the chief is also responsible for code management and process tools.4
- Brooks recommends that the chief have at least 10 years in the saddle and plenty of systems and application knowledge. He doesn't mention that this doyen will need to have the endurance of a sled dog because he or she will be facing the prospect of a 100 hour work week.
- Copilot
- Number 2 on the surgical team is the co-pilot (the surgical team has lifted off.) The co-pilot is the chief programmer's "alter ego." He or she shares the same responsibilities and skills as the chief. However the co-pilot's responsibility is restricted to that of a sidekick, "thinker discussant" who knows all the code and, maybe even, writes some. In some cases the co-pilot serves with plenipotentiary powers when the chief is otherwise occupied. Finally the co-pilot is a hedge against any rogue bus that might flatten the chief.
- Brooks suggests the co-pilot need not be as experienced as the chief. He doesn't mention that the co-pilot will most likely be a cypher since a dissenting voice in NASA is likely to be traded to another team.
- Administrator
- The administrator handles the money" and other duties that make up 95% of the typical management responsibilities found in a large bureaucracy. But, Brooks is emphatic, the "surgeon is boss."
- Brooks skips lightly over the what it means to handle the money. If he means writing proposals, writing budgets, allocating funds, hiring staff, and lobbying with funding sources, he's described a full time role that preempts any technical work. What's more he's allocated the source of all political power to the administrator, including the ability to hire a new surgeon. Perhaps this role should really be called manager.
- Editor
- Brooks recognizes that engineering team must document how the system is built and how it should be used. For unity of conception, many of these documents must be written by the chief, who is one horrendously busy person. Hence, the editor is needed to gather the recorded wisdoms of the chief and turn them into a thing of beauty and devotion.
- Two secretaries
- In Brooks' world of the 1970's, documents were not generated automatically. Someone had to type them. As a practical matter, he suggests that the editor and the administrator get secretaries.
- Those were the days. On my last job at NASA, a secretary (now called an administrator) was shared by 20 engineers. They were our experts on the bureaucracy; they instructed us on how we needed to complete those endless administrative tasks. And while a trip to the secretary usually resulted in another work assignment, their instruction was necessary for survival in the maze of institutional rules.
- Program clerk
- Any programming effort produces a mountain of artifacts. Managing all the programming products is not for the faint-hearted. Consequently Brooks adds a Program clerk to his team. Nowadays, the job is almost entirely handled by software.5
- Toothsmith
- Brooks knows that just because you have tools, it doesn't mean that they will always work or that the team will know how to work with them. As a matter of necessity, Brooks recommends the team include a toolsmith.
- The need for a toolsmith is as great as ever. Ironically, this position is seldom funded and usually lands as an extra duty for one of the better programmers. As a practical matter, this means one of you best team members is making a small contribution to the actual product.
- Tester
- Brooks know that it's not going to be right just because the programmer said so. He recommends that a team include a tester. Nowadays we'd call this an independent tester. The role is now considered de rigueur.
- Language lawyer
- From the earliest days, high-level programming languages have been as vague and suggestive as a sacred text. If a team is to work against a common understanding, official interpreters are necessary. Brooks calls them language lawyers.
- The term is now derisive. Nobody likes being told what to think, but most everyone recognizes commonality is better than anarchy.
- Straight-shooter
- The straight-shooter is tone deaf or indifferent to the impact that actions have of the keepers of the treasury. Blessed with a clear and constant vision of what could and should be, the straight shooter lacks the ability to see that in reality the organization cares little for the end result. While there is little risk that the straight shooter can hit a political target, there is a genuine risk of ricochet which adds a creative aspect to management since a fertile imagination is needed to keep the monthly reports sounding worry-free.
- Techno-purist
- The techno-purist lives in isolation, always purported to be close, but never-ever reaching, a holy grail. She rhapsodizes on the object of her quest in an incomprehensible language. And, despite never seeing the work used in actual practise, the techno-purist has an undaunted, irrepressible, laser-like determination. She is convinced that funding is a birthright and the hereditary responsibility of management. While her babbling7 will never be understood by those who pose a threat in upper management, this fundamental bond of dependency ensures neither the techno-purist or the manager will ever be lonely.
- Pollyanna
- The Pollyanna has suffered many setback, but has confidence that this time things are different. At core he is an irrepressible and persistent optimist who eagerly brightens the day with hope despite all evidence to the contrary. This enviable trust in good things stems from a perennial inability to derive the future from the past. And, "since those without hope are wretched,"8 he makes an important contribution. There is little risk from the Pollyanna because, to paraphrase Prospero, hope is not the stuff that funding is made on.
- Sycophant
- The Sycophant is master of knowing agreement. He knows how to agree in just the right measure. As a patron's fervent protector, he knows with whom he should disagree and when. In ancient Rome, a triumphant general rode in a four-horse chariot past cheering hordes while a slave who whispered, "momento mori".9 Today's bureaucratic proconsul is more likely bring the sycophant along to handle the messy business of quarreling with a naysayers. However, like a fickle house cat, he is warm and affectionate, so long as there's tasty fare. But if a neighbor has better table scraps, danger lurks for any creature that resembles a rat or a bug. Be wary of the Sycophant.
- Politician
- The politician shifts adroitly with the winds of influence and fashion. Look behind your local Grand Poohbah and you will find the politician in his wake. He travels light; unburdened by principle or unneeded loyalties. And he's agile, ready jump Poobahs as the occasion calls. So, be on the lookout, the politician may soon jump into the express lane and pass you on the road to glory.
- Foot Dragger
- The Foot Dragger is the embodiment of mature engineering judgment. Possessed of a domineering judgement, she will climbed to the rank of senior technical lead as a reward for holding back progress. She can often be recognized by the rendering of a considered technical judgment with the words, "I don't understand." So, if you are stymied and your budget and schedule or evaporating, there is likely a Foot Dragger in the lead.
- Perfectionist
- The Perfectionist knows the dreaded consequence of compromise. He stands alone as the standard bearer of quality and the last bastion against the tide of disaster. While the perfectionist is unable to bring a task to conclusion, he is able to maintain technical ascendancy by subduing dissenters with disapproval. But you need not worry about the Perfectionist, the tide of events will surge past him.
- Awfulizer
- In the Awfulizer's assessment, failure lies at every turn. The broken interface, the overlooked requirement, the architectural mismatch, the woeful ignorance of managers all foretell of impending budget or schedule debacles. Success is always a miracle. The Awfulizer poses no direct concern for, like the beeping horns of Manhattan, the warnings are just part of the background. However, pay attention, for a warning may arm a hostile team with budget stealing rhetoric.
 |
| Figure 1: Team Archetype scaled for potential greatness |
