mission, the memory contents are "swapped out" for program applications that are needed for the next phase of the mission.

In support of the development of this safety-critical flight code, there are another 1.4 million lines of code. This additional software is used to build, develop, and test the system as well as to provide simulation capability and perform configuration control. This support software must have the same high quality as the on-board software, given that flawed ground software can mask errors, introduce errors into the flight software, or provide an incorrect configuration of software to be loaded aboard the shuttle.

In short, IBM/Loral maintains approximately 2 million lines of code for NASA's space shuttle flight control system. The continually evolving requirements of NASA's spaceflight program result in an evolving software system: the software for each shuttle mission flown is a composite of code that has been implemented incrementally over 15 years. At any given time, there is a subset of the original code that has never been changed, code that was sequentially added in each update, and new code pertaining to the current release. Approximately 275 people support the space shuttle software development effort.

THE OPERATIONAL LIFE CYCLE

Originally the PASS was developed to provide a basic flight capability of the space shuttle. The first flown version was developed and supported for flights in 1981 through 1982. However, the requirements of the flight missions evolved to include increased operational capability and maintenance flexibility. Among the shuttle program enhancements that changed the flight control system requirements were changes in payload manifest capabilities and main engine control design, crew enhancements, addition of an experimental autopilot for orbiting, system improvements, abort enhancements, provisions for extended landing sites, and hardware platform changes. Following the Challenger accident, which was not related to software, many new safety features were added and the software was changed accordingly.

For each release of flight software (called an operational increment), a nominal 6- to 9-month period elapses between delivery to NASA and actual flight. During this time, NASA performs system verification (to assure that the delivered system performs correctly as required) and validation (to assure that its operation is correct for the intended domain). This phase of the software life cycle is critical to assuring safety before a safety-critical operation occurs. It is the time for a complete integrated system test (flight software with flight hardware in operational domain scenarios). Crew training for mission practices is also performed at this time.

A STATISTICAL APPROACH TO MANAGING THE SOFTWARE PRODUCTION PROCESS

To manage the software production process for space shuttle flight control, descriptive data are systematically collected, maintained, and analyzed. At the beginning of the space shuttle program, global measurements were taken to track schedules and costs. But as software

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.