This is a free translation from the blog post of Pascal Bally and Vincent Weber from Inneance
Fifty years ago, on the night of July 20-21, 1969, two astronauts from the Apollo 11 mission, Neil Armstrong and Buzz Aldrin, were the first men to set foot on lunar soil. NASA was thus fulfilling the objective set in 1961 by President John F. Kennedy to land a safe crew on the Moon before the end of the 1960s. This first one embodied a universal dream and symbolized the human and technological achievements that enable humanity to push back the frontiers of knowledge.
When the Apollo missions started, it was essential for NASA to have an extremely powerful computer that could be integrated into the spacecraft. In 1961, MIT was appointed to design and build an on-board navigation and control computer, which would become the AGC: Apollo Guidance Computer, the first computer to use integrated circuits.
Interestingly, the contract drawn up by NASA did not contain any specification as to how to design such a machine for the simple reason that, at this stage, NASA did not really know what the computer specifications of the Apollo programs should be! In 1963, MIT defined more precisely what the AGC should be: a computer designed to control, test and operate a guidance system; and to determine and apply changes in the speed of a spacecraft to optimize its performance in a lunar mission. However, the necessary software and programming techniques did not exist and had to be designed from scratch.
Apollo Guidance Computer
In fact, MIT developed 2 AGCs: one was located in the command module and was the centre of the ship's guidance, navigation and control system. The second one was located in the lunar module and was used to control the landing and return ascent to the control module as well as the mooring.
The AGC receives its main information from the inertial system as well as from two radars, when they are activated. Using navigation programs for each phase of the mission, it is thus able to control the main engines and the orientation engines in direction and thrust, so that the ship follows the calculated trajectory. Astronauts use a console to enter the various instructions: launching a navigation program, requesting information, resetting the position, entering the flight parameters to be executed, etc.
AGC user interface.
AGC keyboard and display installed in the Apollo control module (source: https://images.nasa.gov/).
The JMA was structured in two parts containing different modules. The first part contained a volatile memory module (current RAM memory) and a non-volatile memory module (current ROM memory). The second part of the AGC contained 24 logic modules, 5 interface modules and 2 power supplies.
The non-volatile memory of the AGC was a magnetic toroid string memory. This type of memory was the dominant form of computer RAM for about twenty years (from 1955 to 1975). In summary, this memory was composed of small ferrite cores (rings) traversed by conductive wires. The direction of the electric current flowing through these wires made it possible to magnetize the cores and to write and read information on them¹. This memory being woven by hand, writing and assembling a program took several months...
Figure 2: Stranded strands constituting a magnetic core memory in the 1960s. , seen from a magnetic toroid memory: we visualize the toroids and the read/write wires that run through them (source: Wikipedia).
the weaving of the software in this string memory (source: documentary Moon machines).
The volatile memory of the AGC had a capacity of 4 kilobytes and the non-volatile memory (on which flight schedules were written in particular) had a capacity of about 36,000 words or 72 kilobytes. In comparison, our current home computers have nearly 10,000 times more RAM memory capacity and nearly 1 billion times more ROM memory capacity.
Remarkable progress
Today we are surrounded by extremely powerful computers. It is difficult for most people, who are not engineers or computer developers, to imagine that it is possible to do anything with resources as limited as those available at the time. But it should not be forgotten that at the time of the AGC's design, this device was the first on-board computer. This was a considerable advance in miniaturization: the AGC measuring only 61x32x17 cm and weighing 32 kilos, at a time when the computer was a machine occupying a space of several cubic meters (comparable to a large room).
A period Apollo 16 Luminary 1E Apollo Guidance Computer MIT manual, Section 4 Operational Modes, dated Dec 1971 with about 500-800 pages of software programming and information. Luminary 1E was the name of the software version used for the Lunar Module on the Apollo
In addition, the AGC was the first computer to use intégrés circuits and was also a major advance in software programming because it was the first time software was used to solve problems in real time.
The design principles developed for the AGC as part of the Apollo missions have thus become fundamental to the software engineering sector, in particular for the design of reliable systems based on asynchronous software, priority planning, testing and the integration of human skills within an execution loop.
Thus, the AGC incorporated a unique operating system. This one operated a task planning called "pre-emptive planning with fixed priority". With this type of scheduling, the computer's scheduler ensured that the processor would always execute the task with the highest priority among all the tasks to be executed. In an emergency, the JMA scheduler allocated more time to tasks with the highest priority. Non-core operations were abandoned in order to free up resources. This type of operation became the basis for critical systems for all subsequent manned flights.
The computer therefore played an essential role in Apollo missions, allowing engine control and management of many subsystems, earning it the nickname of "the fourth man in the crew". Without the computer, astronauts would not have been able to place the lunar module on the Moon, as it alone could both integrate the many tasks inherent in the different phases of flight and optimize fuel consumption sufficiently to make do with the limited room for manoeuvre available.
Alarms 1202
During the delicate phase of the descent to the selenite ground, the AGC of the lunar module had to work together with the so-called "landing radar" and the astronauts in order to carry out a successful landing. Another radar, the "rendezvous" radar, was to be used in the event of cancellation of the landing and immediate return to the control module, which remained in lunar orbit.
During the descent phase, the crew was hampered by a "1202" alarm. At the time, the Houston control centre determined that the alarm was a saturation of the computer's capabilities, which could have led to the cancellation of the mission's continuation or even to a disaster. However, by the very design of the JMA, this unforeseen event has remained inconsequential. Therefore, after 30 long seconds, the Houston control center notified the two astronauts that this alarm could be ignored and that the mission could continue .
The subsequent investigation will reveal that the computer's memory overload was due to the continuous transmission of signals from the appointment radar to the computer. In fact, this alarm was the result of two errors: on the one hand, the lunar landing procedure provided to astronauts incorrectly indicated that the rendezvous radar should be left on, and on the other hand, there was a design defect in the interface between the computer and the rendezvous radar. Simulations carried out on land did not detect these errors, because during training, the appointment computer was not connected for lunar landings simulés.
Nevertheless, and thanks to its design, the AGC did not lock or lock despite this alarm. The latter stopped all tasks except those with the highest priority, before restarting itself. This operating mode was not an error, but rather a "restart protection". The AGC had been designed so that all the data it was working on was stored, which meant that it could be turned off and on again or restarted at any time and be able to resume work where it had left off. These unique features saved the mission and allowed Armstrong to control the orientation of the landing gear while the AGC controlled the descent for a successful landing!
And so it was that a computer about as powerful as the microcontroller of a modern toaster brought men to the Moon safely, and six more times after that....
Apollo and the birth of Software Engineering
The AGC software together with the Apollo Guidance Computer (AGC) was a revolutionary leap in technology that helped navigate the Apollo astronauts to the moon and back fifty years ago. The MIT instrumentation lab was awarded the first Apollo contract by NASA to design the computer and its software. The MIT engineering team would be basically starting from scratch.
And we’re not talking just about the nuts and bolts...the hardware. Software would need to be “programmed” and the software would be ground breaking. The design work at MIT IL would be one of the earliest foundations for computer programmers–even the term “software engineering” would be coined at the lab during this project. Just like the spacecraft and the computer hardware, the software had to be developed from scratch and evolved as NASA got closer and closer to the manned flights.
On-board flight software for the manned missions was developed for both the Command and Lunar Module computers. In addition to the operating system, the AGC had both an assembly language and a sophisticated software interpreter developed at the MIT lab that could handle more complex ‘pseudo’ instructions than the AGC. These instructions could simplify navigation programs and handle complex navigation equations in the background so as not to overwhelm the AGC power and memory capabilities.
The famous 1201 and 1202 priority alarm displays that interrupted and replaced the astronauts' normal displays with the Priority Displays during the Apollo 11 lunar descent signaled executive overflow was caused because the rendezvous radar was left on during the landing sequence and was stealing precious “cycles” from the AGC. This is in fact exactly what the computer and the software were meant to do– The MIT IL team (led by Margaret Hamilton) had intentionally designed the software with a priority scheduling capability that could identify the most important commands and that allows those to run without interruption pushing less important commands to the side.
The story about the Apollo 11 landing and the Priority Displays was one of error detection and recovery in real time. It was about the astronauts, mission control, the software and the hardware; and how they all worked together during an emergency as an integrated system of systems. It was about creating new, man-machine and software engineering concepts to do things never done before.
Unlike a system where the software (or hardware) might "know" of a serious problem without the pilot's knowing it, the Priority Displays were able to determine right away if a particular alarm had occurred that fell within the category of an "emergency alarm" and they let the astronauts know about it too.
No known software errors ever occurred during any of the Apollo missions. The AGC software influenced the design of systems and software for future spacecraft including Skylab, the Space Shuttle and digital fly-by-wire aircraft systems.