Sidereal Time Rollover
 

----------------------------------------------------------------------

Date: Tue, 17 Sep 85 12:41:04 CDT
From: mooremj@EGLIN-VAX
Subject: Another Horror Story -- Sidereal Time Rollover
To: risks@sri-csl.arpa

How many of you real-time programmers have been bitten by time rollover at
midnight?  How about *sidereal* time rollover?  It happened like this:

In the late 70's I worked on the USNS Redstone, which is the primary tracking
and support ship for at-sea test launches of the Trident Submarine Launched
Ballistic Missile.  I wrote a section of program which took telemetry data
from the Trident's Inertial Guidance Unit and reduced it to provide track
data.  Now, Inertial Guidance is like the little girl in the famous rhyme:
when it's good, it's very very good, but when it's bad, it's very very bad.
As such, we had some fairly extensive reasonableness checks on the data.
One in particular took the data's time tag (in sidereal hour angle format),
differenced it with a reference hour angle computed at program initialization,
converted the answer to seconds, and compared this to the program's running
time.  If the two times were dissimilar, the IG data was rejected.  This
check worked beautifully on numerous tests, with both simulated and actual
input data.

Unfortunately, the programmer (blush, cringe, hang head in shame) completely
overlooked the possibility that the sidereal hour angle could reach 2*pi
radians and roll over during the mission.  This eventually happened on a "2+2"
test launch.  In a "2+2" launch, two missiles are launched close together,
then two more are launched close together after a lengthy delay.  The sidereal
hour angle rolled over about five minutes before the first missile was
launched.  The program decided that the IG data had a bad time tag and promptly
rejected it.  Fortunately, other devices were tracking the missiles; mission
rules stated that if no track data was received for a certain period, missiles
in flight must be destroyed.

During the delay between the first and second missile pairs, I carefully --
very, very carefully -- patched the running program to disable the time check.
On the second pair of missiles, the IG data was great, which was a good
thing, because for about 40 seconds, no other device tracked them; if the IG
had also failed, the missiles would have been destroyed.  If the sidereal
rollover had occurred *between* the two pairs of launches...(gulp)

The moral: the check worked great on numerous tests, until a peculiar set of
conditions occurred.  When the bug bit, we were able to save the test; but
with just a small change in conditions, we could have destroyed two Trident
missiles unnecessarily.  I don't know what they cost, but I'm sure it's at
least $10,000,000 each.

                                   Marty Moore (mooremj@eglin-vax.arpa)

----------------------------------------------------------------------
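
The reasonableness check described in the message above, with the rollover case made explicit, as an added example that is not the original Redstone code or anything written by the author. The function names, the 2-second tolerance and the reference angle of 6.0 rad are assumptions chosen for illustration; the unwrapping goes beyond the single rollover in the story and handles any number of whole turns.

```c
#include <stdio.h>

#define TWO_PI         6.283185307179586
#define SIDEREAL_DAY_S 86164.0905 /* mean sidereal day in SI seconds */
#define TOLERANCE_S    2.0        /* assumed acceptance window, not from the post */

/* Hour angle in [0, 2*pi) of a tag stamped run_s seconds after initialization. */
static double hour_angle_at(double ref_rad, double run_s) {
    double a = ref_rad + run_s / SIDEREAL_DAY_S * TWO_PI;
    while (a >= TWO_PI) a -= TWO_PI;
    return a;
}

/* The check as described: difference the angles, convert to seconds. */
static double naive_elapsed_s(double tag_rad, double ref_rad) {
    return (tag_rad - ref_rad) / TWO_PI * SIDEREAL_DAY_S;
}

/* Same conversion, then add or remove whole turns so the result is the
   candidate nearest the running time; covers any number of rollovers. */
static double unwrapped_elapsed_s(double tag_rad, double ref_rad, double run_s) {
    double e = naive_elapsed_s(tag_rad, ref_rad);
    while (run_s - e > SIDEREAL_DAY_S / 2) e += SIDEREAL_DAY_S;
    while (e - run_s > SIDEREAL_DAY_S / 2) e -= SIDEREAL_DAY_S;
    return e;
}

static int within_tolerance(double a, double b) {
    double d = a - b;
    return (d < 0 ? -d : d) <= TOLERANCE_S;
}

int naive_accept(double tag_rad, double ref_rad, double run_s) {
    return within_tolerance(naive_elapsed_s(tag_rad, ref_rad), run_s);
}

int unwrapped_accept(double tag_rad, double ref_rad, double run_s) {
    return within_tolerance(unwrapped_elapsed_s(tag_rad, ref_rad, run_s), run_s);
}

int main(void) {
    const double ref = 6.0; /* constructed: rollover about 3883 s into the run */
    const double t[] = {3000.0, 4200.0};
    for (int i = 0; i < 2; i++) {
        double tag = hour_angle_at(ref, t[i]);
        printf("t=%.0f s  naive=%d  unwrapped=%d\n", t[i],
               naive_accept(tag, ref, t[i]), unwrapped_accept(tag, ref, t[i]));
    }
    /* A tag that really is 60 s off must still be rejected after the fix. */
    printf("bad tag: unwrapped=%d\n", unwrapped_accept(hour_angle_at(ref, 4260.0), ref, 4200.0));
    return 0;
}
```

A time tag that is wrong by a whole number of sidereal days is indistinguishable from a good one under this check; that ambiguity is inherent in an hour-angle time tag.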