Apollo Onboard Flight Software
The on-board flight software team developed the software on the Apollo Guidance Computer (AGC) that took humans to the moon and back.
The biggest challenge: the software was man-rated...astronauts lives were at stake. Not only did it have to be ultra-reliable, it would need to have the flexibility to detect anything unexpected (e.g., a hardware or astronaut error) and recover from it in real time during a real mission.
The software was developed by the software people, a new breed of engineer. The task at hand for the software people (the "software engineers"): develop the software for the Command Module (CM), the Lunar Module (LM) and the systems software (used by and residing in both the CM and the LM). The systems software included the design and development of the error detection and recovery programs such as restarts and the Display-Interface-Routines' Priority Displays. The software engineers created the overall design of the software structure (the “glue”) that held everything together as an integrated system of systems.
Updates were continuously being submitted into the software from hundreds of people over time and over many releases for each and every mission (when software for one mission was often being worked on concurrently with software for other missions); making sure everything would play together and that the software would successfully interface to and work together with all the other systems including the hardware, peopleware and missionware for each mission.
Because the onboard flight software for the manned missions was asynchronous, it had the flexibility to handle the unpredictable: higher priority jobs interrupted lower priority jobs, based on events as they happened. It was up to our team to determine the relative importance of each process and to assign to it a unique priority to ensure that all events would take place in the correct order and at the right time relative to everything else going on.
The man-in-the-loop Priority Displays interface routines gave the software the ability to communicate asynchronously in real time with the astronauts─the software and the astronauts running in parallel within a system-of-systems environment. With this as a backdrop, the Priority Displays warned the astronauts in the case of an emergency by interrupting the astronauts' normal mission displays and replacing them with priority alarm displays─providing the astronauts with emergency related options from which to select. This had never been done before. Such was the case on Apollo 11 just before landing on the moon when the computer, as a result of the rendezvous radar switch having been left on, became overloaded. The priority alarm displays were a reminder to the astronauts to put the radar switch back to where it belonged.
Since it was not possible (certainly not practical) on Apollo to test the software "before the fact" by ”flying” an actual mission, it was necessary to test the software by developing a mix of hardware and digital simulations of every (and all aspects of an) Apollo mission which included man-in-the-loop simulations (with real or simulated human interaction); and variations of real or simulated hardware and their integration in order to make sure that a complete mission from start to finish would behave exactly as expected.
Engineers responsible for the software's development gave each mission flight program an identifying name. The practice was informal to begin with, but has since been adopted as official nomenclature associated with Project Apollo seen in the list below:
CORONA - unmanned command module in the suborbital Apollo flight test
SOLARIUM - unmanned earth orbital command module flight program.
SUNBURST - unmanned earth orbital lunar module flight program.
SUNDISK - manned earth orbital command module flight program.
SUNDANCE - manned earth orbital lunar module flight program.
COLOSSUS - the flight program for the command module for manned flight to the moon.
LUMINARY - the flight program for the lunar module for manned flight to the moon.
For the software developers, this was ‘the opportunity of a lifetime” according to Margaret Hamilton. “We were handicapped by the computer's time and space constraints, giving "software experts" the license to be “creative", resulting in tricky programming. Requirements were "thrown over the wall" by "non-software experts" who assumed that all the software programs would somehow "magically" interface together. Fortunately, this was not the case. For, if it had been, we would never have learned what we did about errors and how to prevent them.
Although there were more than enough opportunities to make errors, there were now the opportunities to come up with new ways to prevent them. We evolved “software engineering” rules and techniques with each relevant discovery. Although many errors were found during the software’s pre-flight phases, no software errors were known to have occurred during flight on any of the Apollo missions.