|Computing - Military Style|
|Originally published November, 1998|
|¿ 1998, 2005 Carlo Kopp|
One of the most shameless myths created and perpetuated by the entertainment industry is the notion that military computers are somehow much more powerful and "hi-tech" than those employed by the industry at large.
Nothing could be further from the truth, and with the exception of a handful of highly specialised digital signal processing systems, most computers employed in military systems are one, two, three or even four generations behind in technology, in comparison with their commercial cousins.
In this month's feature we will explore the specialised and in many respects very different world of military computers.
A Different World?
To attempt to attach a simple label to a military computer, and generalise its attributes, is about as futile as attempting to do the same for commercial computers.
Computers used by the military can however be broadly divided by the type of operating environment they must accommodate, and it is the environmental constraints which indeed turn out to be the most important differences between military and commercial computers.
The first category of computers used in the military are basic fixed base support machines, used for admin and bean counting purposes, in essentially standard office environments. Such machines are no different from their commercial cousins, although often they must meet electromagnetic emission requirements such as the US NACSIM 5100 TEMPEST standard. While the machine might be a very ordinary PC, server or workstation, it cannot be allowed to leak Van Eck radiation from the monitor, or eavesdroppable emissions from is LAN and serial interfaces. So the quartermaster's PC will probably be identical to the machine on your desk, but the spook's machine, or HQ wordprocessor, is likely to be the more expensive TEMPEST model.
The next step up the hierarchy of environmental resilience is the "ruggedised" military computer. A ruggedised machine is a hybrid of commercial grade electronic hardware, packaged in a Milspec or Military Standard (Mil-Std- in the US, STANAG in Europe) casing or chassis. The chassis will be made to comply with one or more military environmental standards. Such machines are deployed in the field, or used in "undemanding" airborne, land-mobile or naval environments.
Finally, we have military embedded computers, designed form the ground up to survive in harsh environments, and fully compliant with the full gamut of military reliability standards. These are the processors which are installed in satellites, fighter planes, missiles, torpedoes, smart bombs and other military equipment. Such machines may implement commercial, or specialised military instruction sets.
Reliability and Milspecs
The military reliability standards were developed by the US DoD during the fifties and sixties, in an attempt to produce standard engineering guidelines for the construction of equipment, electronic and mechanical, which could provide known and predictable reliability performance in harsh temperature, humidity, shock, vibration and radiation environments, and would employ standard interfaces and component packaging.
The genesis of the US DoD MilSpec system lies in the WW II experience, when the US ramped up its even then massive industrial base for the construction of war material. One of the immediate difficulties experienced was standardisation, since specific pieces of equipment were essentially proprietary products and thus components were not frequently interchangeable between different maker's equipment, a major issue if you are stranded in Woop Woop, with two remaining radios within the perimeter, and bloodthirsty enemy soldiers trying to overrun you. The other difficulty experienced was with achieving predictable reliability in what were becoming increasing complex pieces of equipment. Could you afford to sortie a dozen fighters on a mission, and have half of then turn back enroute since various bits and pieces stop working along the way ? A final and no less important issue was providing a common benchmark for the enormous subcontractor base to work to, so if prime contractor X wants to build a tank, bomber or battleship, he can easily specify to a subcontractor the design and test specifications for the nut and bolts, or other components to be purchased.
Many standards now regarded as common in the computer hardware industry, such as the JEDEC chip packaging scheme, are essentially US military standards.
The US MilSpec standards are enormous, by any measure, and rival or exceed in complexity many if not most industrial specification and standardisation schemes. Any standard you can contemplate, a MilSpec probably exists for it, produced at some stage during the last forty years. Whether it is gasoline, hose fittings, paint composition, chip packaging, or machine instruction set, there is a Milspec for it.
The MilSpecs which are most important from a general computer industry perspective are those which cover the areas of component packaging, and reliability vs operating environment.
Reliability in the most fundamental of terms is defined as the equipment's probability of survival, i.e. ability to continue working, as a function of time spent in a given operating environment. Reliability is measured in terms of Mean Time Between Failure (MTBF), or simply the statistical average of time between hardware faults accumulated over a very large population of equipment items.
The central mathematical premise behind most reliability theory, and the US MilSpec system, is a little known theorem called Lusser's Product Law, which states that in a serial system, where the failure of any component results in the failure of the equipment item, the probability of survival P[survival] of the equipment is the product of the probabilities of survival of each component.
Robert Lusser was one of Werner von Braun's rocket scientists on the V2 project, which in its early days was plagued by incessant failures, on the launch pad or in flight. Perplexed with their inability to get the missile working properly, Lusser consulted Erich Pieruschka, one of the mathematicians on the project, about why they could not get it to work. Once they applied some basic probability theory to the problem, it all became very obvious, and thus Lusser's Product Law was born. Needless to say, everything else is now history, and the deluge of Scud like V2 rockets which landed on the UK in late 1944 was the proof of the pudding.
If we know the reliability numbers, ie probability of survival, for each and every component in a complex system, we can then calculate the reliability of the system. Or conversely, if we need a system to have a certain reliability, we can calculate in turn the required reliabilities for all of the bits and pieces which make up the system.
Determining the reliability of an electronic component can be an expensive and time consuming chore, and indeed this is one of the underlying reasons why modern military equipment is often worth its weight in gold, or more !
To understand why, it is helpful to digress a little into failure mechanisms in electronic components, an area which like basic reliability theory, is most sadly not taught in most Australian university engineering and computer science courses. Since we invest most of our engineering and comp sci talent into supporting equipment rather than designing it, this is all the more an incongruity in the scheme of things.
Electrical failures in components result typically from dielectric breakdowns in insulators, mechanical open and short circuits, migration effects in semiconductor PN junctions, and migration effects in metal. To this we can also add the insidious effects of corrosion in materials.
Without delving too deeply into the materials science behind these effects, we can state that all of these phenomena are accelerated in effect either by shock, vibration, temperature, temperature changes, humidity, and the presence of corrosive agents such as salt or chemicals left over from production processes.
Temperature alone can be destructive since it accelerates the diffusion of dopants in semiconductors, and this over a period of time will result in semiconductor junction dopant gradients, the reason why transistors work in the first place, flattening out to the point where the junction ceases to be a junction and the component fails. High temperatures also accelerate the migration of metal between connections or chips, causing eventual short circuits.
Temperature changes cause mechanical expansion and contraction which causes all manner of turmoil, from printed circuit board delamination, through hole and via connections shearing off, to pins on packages or connectors developing metal fatigue.
Vibration and shock cause straight mechanical failures, or metal fatigue. A particularly nasty manifestation of vibration is the excitation of flexural modes in printed circuit boards, not unlike those on your stereo system woofer.
Humidity is insidious in its effects, since it reduces the effectiveness of cooling systems, and also precipitates on components during rapid temperature changes, thereby producing an electrolyte for dissimilar metals and production residues on components, thus facilitating corrosion.
Clearly all three of these basic environmental factors, temperature/changing temperature, vibration/shock, and humidity are damaging within themselves, and also mutually supportive in impairing the reliability of any piece of equipment. This needless to say is true of commercial and military equipment. The big difference between the two contexts, is that one simply increases costs and cuts profit margins, whereas the other costs lives and loses battles. Recent examples of the latter are the failed US attempt to extract hostages from Teheran in 1979, when the use of support category rated minesweeping helicopters instead of highly reliable combat search and rescue helicopters caused a mission failure and loss of lives, or the sinking of at least one RN destroyer in the Falklands, due to a intermittently failing missile launcher.
For electronics which we wish to loft into orbit on a satellite, we can also add the wondrous effects of radiation, which increases defect density in semiconductors to the point where they eventually break down.
The simple consequence of these factors is that the harsher the environment, the less reliable any given type of component is. If we wish a component to exhibit a certain level of reliability in a very harsh temperature/vibration/humidity environment, we have no choice other than to alter its design and/or packaging to accomodate these conditions.
The harshest military environments require chips in metal can or ceramic rather than molded epoxy packages, gold plated pins on packages and connectors, no or few socketed chips, surface mounted passive components, chemically sterile manufacturing environments, and extremely tight quality control and testing.
To be really certain, once the device is made and passes its basic electrical tests, it is then stress tested at an elevated temperature to weed out the devices with incipient failures. At the end of this arduous process, we have the MilSpec rated version of whatever chip we started out with, including a hefty bundle of test reports to attest to the fact that the chip indeed meets the MilSpec in question. This is also why a MilSpec rated version of a commercially used chip costs several times more.
What the US MilSpec and NATO STANAG systems provide is a standards framework for manufacturing, testing, verifying and measuring the reliability of electronic components, and tabulated reliability data for standardised devices.
Essentially the MilSpec system divides operating environments by their degree of harshness, and provides cross reference tables which specify the failure rates of chips and passive components, depending on their environmental rating, type and operating temperature.
In this manner, a designer can calculate apriori the failure rate of a board full of chips, or a box full of boards, or a system full of boxes, knowing the MilSpec rating of the components used and the operating environment. The design engineer's bible is called Mil-Hdbk-217E, and is essentially a compilation of such tables, periodically revised to include new devices.
Because 217E is based on Lusser's product law, and a huge statistical base, it provides a very high confidence level that the end product will indeed meet specs. Reading through it can be most revealing, since it shows not only the tremendous reliability improvement of MilSpec rated devices over their commercial cousins, but also the huge statistical variance in commercial devices. An interesting side effect is that a commercially rated chip in MilSpec packaging may well be just as statistically reliable, but since it hasn't been tested as thoroughly, it must be tabulated with a much lower reliability to account for the greater variance.
The MilSpec system has been much maligned in recent years, the common accusation being that it results in "gold plated" equipment which is often several times as reliable statistically, once in service, than it was originally calculated to be. The upside however is that in service support costs are often well below calculated expectations.
Another criticism of the MilSpec system is that the accumulation of a sufficient statistical reliability database for any new component is time consuming and very expensive, since a large batch of components must be tortured to death in a cyclic test environment emulating the MilSpec environment rating. It can take months or years until sufficient data is accumulated to satisfy the statistical confidence criteria, as a result of which the MilSpec version of the commercial chip may not ship to customers until several years after commercial clients get it.
An example would be the stores management computer on the RAAF's Hornet fighters, delivered during the mid eighties. That was the period of the 386/387 combo in commercial desktop computing. The Hornet used a MilSpec rated Intel 8080 and AMD 2900 bitslice processor in this box.
The emergence of ruggedised military computing equipment is a direct reaction to this effect, since a ruggedised chassis is designed to provide a box which isolates the "soft" commercially rated components from the "harsh" military operating environment, yet still provides the user with a system which is competitive in performance and price with commercial equipment.
The drawback of ruggedised machines is size and weight, since armour plating a Pentium, SPARC, Alpha or SGI system requires a solid package of metalwork, vibration dampeners, excess cooling and a MilSpec power supply. Therefore, ruggedised is only a partial solution to the problem, but one which is often more than adequate. Systems on ships, surveillance aircraft, mobile command posts and surveillance systems, can often be implemented as ruggedised equipment, since the volumetric requirements and environment permit it.
The computers which are packaged into tanks, missiles, torpedoes, combat aircraft, guided bombs and satellites alas still have to be built from the ground up to a MilSpec rating, since the weight, volume, cooling and radiation shielding needs of commercial components are not compatible with the tight packaging and cooling environments of the system.
Interfaces, Architectures and Software
While the reliability and environmental aspects of the military environment are by far the most unique and demanding aspect of military computing, they are not the only one.
The military have developed over the last two decades a unique and somewhat idiosyncratic package of standard interfaces, architectures and software tools, especially to support embedded systems.
The origins of unique interfaces go back to the late sixties and seventies, when the US military fielded the first generation of fully digital weapon systems on ships and aircraft. At this time, the commercial computing world was firmly wedded to the proprietary interfaces which often plague us today as legacy systems. To integrate a large number of embedded digital systems into a single interoperable package, often common across several types of aircraft, missile, ship or tank, common interfaces are pretty much a requirement from the outset. So a number of standard busses were defined. The most important of these is the 1 Mbit/s Mil-Std-1553B bus, analogous in many respects to the commercial Ethernet precursors of that period.
The big difference was that the 1553B bus uses much higher signalling levels to withstand much nastier noise and interference levels, and it uses a centralised protocol model rather than a decentralised collision detection model. In real time embedded systems, response times have to be highly predictable and a collision detection bus isn't the best strategy for achieving this. The 1553B bus is today the dominant connectivity standard for military embedded systems, and is used to interconnect computers, sensors and weapons. Its drawback is poor throughput, which is often worked around by dedicating multiple busses in the equipment. Instead of a common shared bus, the main computer has multiple bus interfaces and a bus to an individual black box.
The success of the 1553B standard is attested to by the fact that it was adopted by ARINC, with modifications, for commercial avionics, and also copied by the Soviets.
Machine architectures are another area of uniqueness in military equipment, and one which has created much debate in recent years.
During the early days of digital military equipment, each black box or system was built around a Milspec implementation of what were essentially proprietary machine architectures. That meant that a commercial mini was built up to MilSpec stands, using MilSpec rated chips in Milspec ceramic or metal can packages, and tortured to MilSpec standards. The hardware therefore did what was asked of it and everybody was happy.
This blissful union of commercial machine architectures and military hardware standards did not persist for very long. Realtime embedded performance needs typically resulted in code which was initially written in Fortran, or a proprietary language, then compiled down to assembler, and the assembly code then hand tuned for maximum execution speed, resulting in huge reams of assembly code specific to the processor and system.
Very soon the military found itself embedded in a software maintenance problem of gargantuan proportions, since every tweak to the code, and every tweak to the hardware, both essential aspects of evolving military systems to match an opponent's technological moves, produced massive cost overheads. The defence contractor who produced the system had a licence to print money, in the simplest of terms.
Falling back on the true and tried methods of standardisation, the US Air Force created the PDP-11 like Mil-Std-1750A 16-bit machine instruction set for embedded computers, and the US Navy standardised on its CDC UYK-14 architecture, for ships and aircraft. Almost all US embedded systems since the late seventies have been built with these machine architectures, with the exception of specialised signal and data processors, built around DSP chips like the TMS320 series, or exotica like the i860 vector engine, or UK Transputers.
Concurrently, the USAF also standardised on the Fortran / C like JOVIAL high level language, so that across the board high level and assembly code was now standardised. In the UK, CORAL became the high level language of choice, while assembly code commonly continued to be produced in proprietary instruction sets.
This standardisation effort was a major improvement in many respects over the earlier hodgepodge of adapted commercial equipment, but many in the US DoD system considered it to be inadequate, since it still left a big split between the Air Force and Navy embedded systems, and the large number of software systems developed and run on commercial support machines. It also did not address issues such as code documentation, the lack thereof being an important piece of leverage to a contractor wishing to retain software maintenance contracts on a previously developed product.
Thus was born ADA, the favourite hate object of many in the Comp Sci community. The idea behind ADA was to produce a high level language standard to encompass all military applications, from the high speed realtime embedded systems, down to the massive equivalents to commercial systems, used for logistics and specialised databases.
Needless to say, the objectives of the ADA program were ambitious and far reaching, since the language was to combine the attributes of low level systems languages such as C and JOVIAL, number crunching languages such as Fortran, beancounting languages such as COBOL, and the then flavour of the month object oriented languages, while adding in a pedantic documentation mechanism to force the undisciplined code commenting averse programmers to do the proper thing and describe what they were actually trying to do, all of this while reducing bugginess in code through language features.
Like any racehorse designed by committee, ADA proved to be a bit of camel. The most difficult problems arose in meeting the needs of fast, tightly coded embedded systems, always running short of CPU cycles and memory. While features like object orientation and task (process) rendezvous provided wonderful means of simplifying embedded code design, the first generation of compilers usually managed to be language standard compliant, but too slow and memory hungry, or fast and tight enough, but not compliant. Chaos ensued, and the often very heated techno-religious debate between proponents and opponents of ADA ran for many years. Even today we can occasionally see manifestations of this. Interestingly, the latest -9(X) flavour of ADA is considered by many to meet the needs of its consumers. However, the basic objective of blanket standardisation was never met.
The evolutionary trends in hardware which solidified during the eighties and early nineties revolved about replacing existing board sets in -1750A and "Yuk 14" systems with much faster, but architecturally identical boards, retaining often the existing code. Much of the in service equipment we see today, designed during the seventies and eighties, and incrementally upgraded in between, still runs JOVIAL, CORAL, Fortran, assembler, C, C++ and whatever language of convenience managed to slip past the ADA "regulators", through waivers approved to meet th pressures of then time schedules.
So today we have a tower of Babel in military computing, revolving about a mix of commercial and military standard machine instruction sets, board layouts, busses, new and old military language standards, and flavour of the month commercial standards.
The Future ?
The existing 16-bit military machine standards which have been pretty much mandatory in embedded systems are now three to four generations behind the current state of the art in commercial machines. In many instances this has proven to be irrelevant, since a flight control system or missile guidance package at most requires doubling, tripling or quadrupling of its compute performance over the life of the host system, to accommodate growth in the code it hosts. Thus the result has been the emergence of specialised manufacturers such as Performance Semiconductor or CPU Technology, who produce MilSpec rated -1750A chips, ROMed microcode and all, with improved clock speeds, year by year. These devices are built first and foremost for extreme reliability, and the internal architecture is generally stable. An interesting deviation from this trend has been the development effort by CPU Technology to produce a superscalar instruction set compliant -1750A processor, with something close to ten times the performance of the currently standard 3-10 MIPS engines. So ships, aircraft and missiles designed in the sixties, and built during the sixties, seventies and eighties, and refitted in the meantime with -1750A based systems, will live on with new build -1750A processors.
The push to force ADA standardisation has faltered and appears to have been abandoned, with the realisation that maintaining cadres of specialised ADA cutters itself imposes a cost burden, over the use of commercially common languages. So current systems are mostly coded either in ADA, or JOVIAL, CORAL, or C and C++. Unix and Unix-like realtime operating systems are becoming increasingly common.
The biggest pressures today in military computing are cost vs performance. The cost of specialised, low production volume military chips, lagging in performance due to stringent testing needs, provides a glaring contrast against the rapid and unhindered evolution of commercial hardware, which has in the last decade transitioned from CISC to RISC, RISC to superscalar RISC, and now superscalar RISC to VLIW. The first cracks in the standardisation armour developed when the i960 and MIPS architectures were accepted as alternatives to -1750A, for embedded systems, about a decade ago. Some demanding applications even then were hosted on high performance, fully MilSpec rated VAX machines, and later Alphas.
The failure of the military to define a board level parallel bus, for backplanes and motherboards, compounded the difficulties in hardware standardisation. So in service equipment today employs a mix of proprietary backplanes, variants of industry standards like VME and Multibus, and range of proprietary board sizes, as well as the sole MilSpec SEM standard for board form factors.
Internal system bandwidth requirements for equipment such as radars, electronic warfare equipment, optical equipment and weapons management systems have outstripped the capacity of the ubiquitous -1553B bus, no differently than has occurred with its commercial cousin, the 10 Base X Ethernet.
Wherein lies the future for military computing ? Several interesting trends are evident at this time.
The first trend in high density embedded systems is a away from the seventies "federated system architecture" model in which a central CPU controlled a package of variously intelligent black boxes in various parts of the system. The current trend, typified by the US F-22 fighter and its Central Integrated Processor (CIP), is to go for a large, dual redundant, multiprocessing machine with a very fast, fault tolerant backplane. Instead of doing the compute intensive chores in specialised black boxes, like radar and electronic warfare signal and data processors, all compute intensive work is concentrated in the redundant central computers. Like this, several processor boards can fail, and the compute load is simply shifted to other, working boards, in the main processor.
The mix of -1750A general purpose processors, specialised vector processors, and digital signal processing chips, all on various board shapes and sizes, and using various busses, is replaced by a model where all processing is done by a battery of identical, general purpose superscalar RISC engines, in a standard form factor on a common high speed backplane. The black boxes are "dumbed down" to their analogue components, and high speed digital to analogue, and analogue to digital converters, which interface to the central processors through high speed busses. The software maintenance effort is concentrated in the central processors, which perform all computing on the system. Compute performance upgrades are addressed by adding or replacing identical central processor boards.
The next trend is typified by the Joint Strike Fighter (JSF) development program, in which specialised internal busses are to be replaced with a MilSpec variant of the IEEE Scalable Coherent Interface (SCI). This is essentially a case of taking the fastest commercial bus standard in existence, and producing a variant robust enough to survive a MilSpec environment. In this fashion, MilSpec environmentally rated versions of bus interface chips can be used directly, or MilSpec versions of commercial SCI processor boards are used. The linear segmented bus topology of the -1553B model is replaced with a mix of rings and switches, designed to handle Gigabits/sec of data throughput.
These two trends will dominate the design of new equipment.
Equipment built around existing standards, and semi/non-standards, will remain in many instances in service for decades (the US are planning to keep their B-52s, built in the early sixties, until 2030 !). Such systems will need to be incrementally upgraded through their remaining life, to remain competitive. One approach will be newer -1750A based boards in existing semi-proprietary formats. The other is the rapidly proliferating MilSpec VME standard, essentially commercial/industrial embedded VMEbus hardware manufactured to MilSpec environmental standards. A number of manufacturers now supply MilSpec rated VME chassis, designed to fit in aircraft, armoured vehicles and ships. Depending on the environmental harshness, either fully MilSpec or industrial grade VME processor and I/O boards can be fitted. Processor architectures now available cover the Motorola/IBM PowerPC/RS-6000, Pentium, Alpha, SPARC and MIPS engines, as well as the trusty -1750A. This will allow the use of almost current commercial Silicon, as well as much reducing development time and prototyping costs. Systems can be developed, and code cut, on commercial variants of boards, while the MilSpec variant is being certified "everything-proof".
A 10 Mbit/s optical fibre variant of the -1553B bus, the -1773 bus, has been adopted and will reduce some pressure insofar as box-to-box bandwidth goes. Optical 10-Base-F and 100-Base-F Ethernet has been adopted for some systems, such as command and control aircraft and naval weapon systems.
The clear trend in supporting established military systems will be to replace specialised hardware with MilSpec variants of commercial hardware, or ruggedised commercial hardware, where ever possible.
The differences between military computing and commercial computing are profound, and as much a reflection of different functional and support needs, as much as a deeply differing history. The lessons to be learned from the last two decades of evolution in this area is that standards must be defined in a manner which can be evolved smoothly and continuously, and that excessive reliance upon specialised and closed standards is guaranteed to cost dearly. In a period where "bang-per-buck" is the driving criterion, military computing has travelled a full circle, back to it roots in MilSpec rated variants of commercial computers. History repeating itself ?
|$Revision: 1.1 $|
|Last Updated: Sun Apr 24 11:22:45 GMT 2005|
|Artwork and text ¿ 2005 Carlo Kopp|