CHAPTER 5 SYSTEMS: COMMAND AND DATA HANDLING—THE BRAINS OF THE INTERNATIONAL SPACE STATION 100 This provides redundancy throughout the network, protecting against such problems as high-velocity debris hitting the ISS or a fire that may disable a single channel. Data are transmitted at multiple rates at the same time (0.1 Hz, 1 Hz, and 10 Hz), the higher speeds being for the most critical items. A controlling MDM is called a bus controller (BC) as it sends out commands and timing signals to all the devices on the bus and, in turn, reads the status telemetry that is transmitted by the client MDMs. Any device that is listening on the bus is known as a Remote Terminal (RT). The BC will send a command to an RT and the RT will, in turn, report the status of that command back to the BC. Thus, a command to open a valve might have to travel from the ground, over to White Sands Test Facility, up through the Tracking Data Relay Satellite System (see Chapter 13) and over to the ISS on S-band, and be received by the C&C MDM, transmitted to a Tier 2 MDM, and routed by the Tier 3 computer to the destination device before the action takes place. The status of the command on the RT is then routed along the reverse path to the flight controller’s computer display—a process that must occur within seconds of sending the command. The MDMs have several different operating states, but generally there are three main ones. The first is an interim state called Standby. After booting up, the MDM is ready to perform its role but is not actually doing anything. This is similar to a desktop computer having booted up but with no applications having been launched. At this point, the MDM is a remote terminal on the bus, listening for commands. Some MDMs will transition to the Operational state automatically, whereas others require commanding. At this point, the MDM can exchange commands and telemetry between the lower computers or sensors on the busses underneath it, which means it is now the BC and is fully operational. Where there are redundant MDMs, only one can be a BC the other MDM stays in Standby or Backup. As with earthbound computers, MDMs can fail at any time however, due to extensive testing, such failures are rare. If the computer hardware fails or locks up, the computer is no longer a BC. If the software detects something wrong (e.g., a numerical value out of valid range), rather than lock up in an analogous “blue screen of death,” the MDM will usually automatically enter the Diagnostic state. This is similar to the safe mode on most desktops or laptops. In this state, the flight control team can look at health and status indicators to determine the problem. Generally, these errors are transient mistakes fixed by patching computer code or rebooting. The C&C MDMs are configured as an operational Primary, a Backup ready to take over instantly, and a Standby. This is unlike the Russian system where multiple duplicate units run simultaneously, comparing data and voting on the results. If the Primary should fail or be commanded out of its role by the ground control team, the Backup would take over almost instantaneously. Whereas some reconfiguration of the system would be required, most critical functions are ready to take control. Some configuration can be commanded to the Backup while additional status information is routinely “check pointed” between the MDMs to ensure a smooth and expeditious transition. The Standby would take over directly as Primary if the other two MDMs should fail however, additional configuration is required since no check point data or configuration is available in the Standby mode. (Although exchanging check point data is efficient in keeping computers in synchronization, it can potentially propagate some software error and therefore is blocked to the Standby.) However, the nominal case would be for the MDM to transition to the Backup role after a Primary MDM has failed or been commanded out of operations automatically, where the operators would then configure it as a Backup. Time is one of the most critical parameters on the ISS for several reasons. First, time is critical for knowing the location of the ISS in its orbit. Traveling at a speed of nearly 8 kilometers/second (5 miles/second), a few seconds of error can quickly turn into large uncertainties in distance. Location accuracy is crucial when another vehicle is coming to the ISS or for pointing the Ku antenna precisely at a Tracking and Data Relay Satellite. Second, with such a large number of computers, it is important that information is exchanged carefully. The CCS acts as the global timekeeper on the ISS. Basically, it sets the time, and all other computers in the C&DH system synchronize to it. Although computers can maintain time fairly accurately, no two oscillators behave exactly the same. The oscillator essentially acts like a clock pendulum. Two computers