Exploring the software that flies SpaceX rockets and starships (opens in new tab)

It's standard way to program in industrial automation, flight control and safety critical system.

It's how digital PLC process control loop works. Programmable logic controller (PLC) https://en.wikipedia.org/wiki/Programmable_logic_controller

> Wow, sounds an awful lot like a typical event loop from a game engine.

I coulda sworn I recall John Carmack making a similar comparison when he was working on Armadillo Aerospace, but implying that rockets were actually a bit simpler.

Apparently I misrecalled...

https://twitter.com/id_aa_carmack/status/557223985977765890?...

Embedded high-integrity systems have traditioanlly used this kind of cycle.

It's simple to reason about and analyse. You can make assertions about worst case execution time and memory useage and you know for a fact what the order of execution is. The concurrancy on large systems like this often comes in the form of a lot of small computers talking to each other over some network/bus rather than having many systems all running on the same hardware.

Building concurrant systems with predictable real-time characteristics is hard. When you have a bunch of things that really need to happen every Nth of a second in order to fly straight, a simple approach like this is definitely preferrable. In situations like this predictability tends to be more important than raw performance (assuming you can reliably hit minimums).

That doesn't mean people don't use multi-threading in domains like this, but it's one of those things you want to keep as simple as you can and avoid where possible.

Seems like a really clean and testable system, too. Can make a harness with a set of inputs, run the cycle and test outputs consistently. Performance is also easily checked, each cycle needs to run without 100ms for the 10hz systems, I guess, including garbage collection.

Nice it see things kept this simple.

The article's indeed light on details, but what it describes sounds very similar to autonomous driving / driver assistance software I have experience with. That's not really surprising, as the overall system for an autonomous car and a spaceship is very similar - keep processing inputs from sensors, calculate some values and manage state machines, use those results to adjust outputs, some of which may operate actuators, and repeat.

The similarity with game event loops is IMO superficial. A game typically processes events as fast as it can, and the time between any two iterations of the loop is completely unpredictable. One frame could render in 20ms and the next in 25ms, which is completely fine. For a car or spaceship though, there are hard real-time requirements. Like the article describes, some Dragon tasks run every 100ms, others run every 20ms. A lot of effort has definitely gone into making sure the tasks can complete quickly enough, with some margin, and there are definitely systems that monitor these deadlines and treat even one timing miss as a major failure.

SpaceX has been hiring game developers for years now, they even showed up at GDC once to pick up game devs.

The part that's way harder though is that at least in a game engine, you know the absolute world state and when you make a change to your world state, it happens exactly as you wanted.

In dynamic systems, such as a rocket, robot, etc., reality is fuzzy. Your loop is mostly about "what is my best guess at my present state" and "what is my desired next state". You make changes to try and get from A to B but you may not exactly achieve B. You may have not even been in state A. The error propagates back into your next guess of state, and this repeats forever.

Sensors like GPS give you an absolute position but they're imprecise. Inertial navigation is extremely accurate in telling you the change from a sample to the next, but as your position is the second integral of your acceleration, any error compounds quickly (admittedly the quality of the INS available to people willing to spend 10s of millions of dollars on a vehicle FAR exceeds what you'd be able to put in a car). Some rockets have even used ground based radar measurements uplinked to them to further improve position estimates. They probably still do this, I just don't have any hard data on current launchers.

I can't really think of any other way of doing it. Interrupts? That would be bonkers though.

The flight software is actually a real-time (aka deterministic) embedded system software. And the control loop is the typical control loop found in embedded systems: 1 - read data from sensors through ADC (Analog-To-Digital Converters), I2C, SPI, CAN (Controller Area Network) and so on; 2 - compute the output to actuators, such as motors, hydraulic cylinders, valves, motors, lights and so on, using some control law and the current state; 3 - repeat the cycle. The algorithm that drives the output may be based on algorithms from control theory, namely state space model, PID control or Kalman filter. The computers that they may be using might be single-board computers based on ARM-core, MIPS-core, PowerPC or even X86 variant for embedded systems and/or lots of microcontrollers. Before the advent of computers, the control theory algorithms were implemented using "analog computers", which are specially designed analog circuits for computing differential equations.

Control theory algorithms can be developed using tools such as Matlab, Matlab-Simulink, Modelica or Scilab-Scicos (Open-Source) from Inria. Besides C or C++, another language used in embedded systems like that is Ada, which is much safer and reliable than both C and C++.

This is also how I'd normally implement control systems in general. Sample the input, calculate, then set output.

This is an extremely common pattern for robotics processing... so I wonder if they just consider the rockets a robot where you're just using a finite state machine based on inputs.

Industrial applications often use PLCs, Programmable Logic Controllers that also do this.

That's basically how an arduino works and, IIRC, the Apollo Guidance Computer.

> Wow, sounds an awful lot like a typical event loop from a game engine.

Or Arduino's loop() method, where all the code just runs in a loop "forever."

You could probably use some of the game "Kerbal Space Program" source code. Would be a good start to control the rockets.

In all the embedded code I’ve seen there is invariably a “while(true)” somewhere. Is this not the same?

If you analyze the physics, you find that the way the inertia works out is that smaller things need shorter control cycles. The relevant timescales for large objects ends up being longer.

The question is not the distance travelled but how quickly you need to react. If you're gimballing a rocket engine, this is not going to be a device that can do much movement within 20ms.

I can answer some of that, 2024 is the current limit. But 2028 is being considered and I think its politically likely.

It could probably be extend even further but it would require incensing maintenance and expensive re-qualification.

NASA already has a plan however. They have a contract with Axiom Space to extend the ISS with new modules. After they have about 4 new modules they should eventually decouple after ISS and be a free floating station.

NASA already has a program in planning for a commercial space station. The same way they did Commercial Crew and the moon lander. They have already asked companies to come up with plans for a station. SierraNevada really wants that contract and SpaceX will probably bid something, probably others. These would be free floating privately run stations

So NASA basically hopes that sometime between 2024 and 2028 there will be two new stations and then its politically easier to drop ISS.

Crew Dragon can still do free flying missions (as they will do later this year) but SpaceX hopes to replace it with Starship.

I think the ISS will be dragged along until there's a plan for a new station which may include replacing the more ancient components instead of an entirely new station. I have a hard time seeing NASA and the US government giving up on having a continuously operated space station in LEO. What that likely means given the overall gridlock and every administration messing with the plans at NASA is that the ISS limps along until the modules themselves need to be replaced.

If your mention of "non sensitive software" means you're looking for a position that isn't covered by ITAR, that's not possible. Even the people working in the SpaceX cafeteria are covered by ITAR.

should be able to, but you do have to be a us citizen / resident I believe

If I understood it correctly, they’re not talking about a chip literally running at 50Mhz. They’re talking about polling a sensor in a loop running on a 50Mhz timer. The processor doing that is certainly running at a much higher clock frequency

That's the number of times per second the main update code runs and it has nothing to do with the number of clock cycles or instructions per second the CPU can run (other than the fact that the chip needs to be fast enough to have the update code finish before the next time it needs to start).

Chips have internal timers which can be configured programmatically so they emit hardware interrupt in specified time intervals. When the interrupt is emitted, CPU jumps to the method which executes the certain program. After that it goes idle, waiting for the next cycle.