105 SYSTEMS: COMMAND AND DATA HANDLING—THE BRAINS OF THE INTERNATIONAL SPACE STATION CHAPTER 5 Many modules possess C&W panels with colored lights that indicate an alarm is present (Figure 6). Pushing a button on the C&W panel will silence the alarm tones until another failure occurs. Crew members can manually initiate an alarm by pushing an alarm button on the panel if, for example, they detect something such as smoke that the automated systems failed to detect. Each alarm also has an associated detailed text message that is displayed in the C&W Summary. This text message explains, in English, the nature of the failure (Figure 7). Generally, the ground will try to work most events unless a long period without communications (either scheduled or unplanned due to a failure) is anticipated. If an individual alarm becomes a nuisance, it can be “inhibited” to prevent disturbing the crew unnecessarily. In this case, the system completely ignores the alarm and no one, not even the ground, is alerted. An example might be the water level of a condensation tank. If the level is oscillating right above and below a critical level, the alarm might be triggered repeatedly. If it is deemed noncritical and the ground can monitor the level closely, the alarm is then inhibited. The audio alarm also could be suppressed when the crew might need to be alerted to an alarm eventually but not immediately. In this case, the lights would still illuminate and the message would be present on the PCS, but no alarm tone would be issued. Thus, the crew and ground could monitor the situation without being deafened by the loud tones. This is especially useful during crew sleep periods. Software The software executing in each MDM, the User Application Software, is unique to the function of that particular MDM. For example, the software executing in the GNC MDM contains routines that are needed for attitude control and navigation. Different software runs in the External MDM, which is mainly concerned with controlling the solar arrays and the External Thermal Control Systems. Utilities such as communicating on the bus are common between all the MDMs (although with a few minor deviations developed across the different systems). Different segments of Boeing, the prime ISS contractor, produced different software systems. All combined, the ISS C&DH system consists of approximately 1.8 million lines of computer code. Sometimes, software needs to be changed. This can be accomplished in two different ways on the ISS. First is through the use of a Pre- Positioned Load (PPL). A PPL is a file of data parameters or commands that can be uplinked by the flight controllers at any time to change specific values. For example, a critical PPL is the one that controls load sheds. A load shed occurs if the Electrical Power System cannot produce enough electricity. This could happen if the guidance system failed and the ISS was no longer able to point the solar arrays at the sun. If a load shed is triggered, the PPL will execute the commands inside of it to power off the least- critical equipment first and then pause. If the power problem is more severe, the flight control team or the automatic software will resume the execution by the PPL, thus powering off additional equipment. This list of equipment also changes as the station changes (e.g., if modules are added or moved) therefore, the PPL is periodically updated. Alternatively, the temperature at which a heater turns on or off might need to change, just like adjusting the thermostat in a house. Rather than change the software code, the software looks at a particular value defined in the PPL. If this needs to be changed for whatever reason—say, from 18ºC (64ºF) to 15ºC (59ºF)—a new value is set in that particular PPL. The software itself can also be updated. This is discussed further in Chapter 6. Another critical function of the C&DH system is to recover the function lost when a failure occurs. This software is generally referred to as Failure Detection, Isolation, and Recovery. The software will first detect the failure of a component and annunciate a C&W message, depending on the severity. Many key ORUs on the ISS have what is called a heartbeat—basically, software that is constantly counting up. If this number is changing, the ORU is alive. A static heartbeat means the ORU is no longer healthy. Many systems that die will also loose computer communications with the MDM. Isolation refers to the software taking an action to put the system into a safe configuration. For example, if a valve is stuck closed in the cooling system, the pump can be damaged by trying to push fluid against it. This is called dead heading. The isolation software will turn off this pump. Recovery means that a backup system, if available, would be turned on.