PROJECT ORACLE
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP80-01794R000100230024-0
Release Decision:
RIPPUB
Original Classification:
K
Document Page Count:
21
Document Creation Date:
December 16, 2016
Document Release Date:
October 16, 2004
Sequence Number:
24
Case Number:
Publication Date:
November 11, 1975
Content Type:
MFR
Body:
Approved For Release 2004/10/28 : CIA-RDP80-01794R000100230024-0
11 November 1975
MEMORANDUM FOR THE RECORD
SUBJECT: Project ORACLE
On 29 October 1975 of the
Agency met with the AMPEX representatives, Mrs. Lemos and
Messrs. Wood and Slingland, for the purpose of determining the
direction and status of AMPEX's design of the ORACLE Mass
Storage System. There were four areas discussed in detail
that we felt were not being properly designed. We asked
AMPEX to tell us clearly what they were doing. The remainder
of this paper is devoted to our understanding of the designs,
their implications, commentaries and references that explain
our concern, and a statement of our requirements for each
design area.
I. Storage Control Processors accessing Transport Drivers
Hardware Design
Mr. Wood stated that the current AMPEX design permits
only one Storage Control Processor (SCP) to be enabled
at any given time to access any of the Transport Drivers (TD's).
The SCP's and TD's are cabled together in such a way that when
one SCP is in control of the TD's, the other SCP is blocked
from all access to any of the TD's by a hardware interlock.
In order for the second SCP to gain access to the TD's, the
first SCP must relinquish its control and then it is possible
for the second one to take over. Once the second SCP is in
control the first one is inhibited from all access to the TD's.
Any interrupt issued by a TD is serviced by whichever SCP is
currently in control. The TD does not know which SCP should
handle the interrupt; it is expected in this design that this
type of problem can be adequately solved at the SCP level.
The drawing below illustrates how these hardware elements are
tied together logically.
[Drawing not reproduced; surviving label: TD 6]
Implications
The above design gives control, at any given time, of
all TD's to a single SCP. If dual SCP control of TD's is
desired, the two SCP's could flip-flop by means of software
logic. A flip-flop technique would permit segregating or
sharing those functions in the two SCP's that require an
SCP-TD association. Implementation of such a scheme adds
complexity to the software logic which would have to reside
in both SCP's. The areas particularly affected are hand-
shaking protocols, timing, and recovery. It also requires
that a wise choice be made initially as to which functions are
shared or segregated between the SCP's. The choice is
critical since once designed and implemented, subsequent
changes would not be easy.
AMPEX has chosen not to develop a flip-flop design. They
have ruled out any type of dual SCP operation; the second SCP
is for back-up only. The hardware design does not permit
selective accessing of TD's by both SCP's concurrently and
the software design requires that all accesses of TD's be
made from only one SCP.
There are advantages to the design chosen by AMPEX. A
single SCP controlling all the TD's needs only the simplest
software and somewhat reduces maintenance of the hardware.
There is a major disadvantage to the design. It is
impossible to use the redundant equipment for software
development and testing. Although the backup SCP and TD's
can be put off-line there is no way of using them independent
of the production system. This means that once the system is
in production, fixing of existing bugs can be done only by
taking down the production system. Assuming that the production
system cannot be down very often such work would require long
periods of elapsed time.
Larger efforts such as minor improvements to the existing
system, development of the new functions, e.g. time sharing,
and adjusting interfaces to new levels of operating systems
become impossible unless more hardware is added or all of this
work is contracted out.
It should be obvious to the reader that all of the above
mentioned tasks are necessary. The delivered system will not
survive unless it is enhanced and modified to accommodate new
operating systems.
The AMPEX Design versus Contract Specifications
The AMPEX design of the accessing paths among the SCP's
and TD's does not comply with the specifications stated in the
AMPEX Proposal TBMP 73-1 and in the Mass Storage System Design.
The following paragraphs trace the reasons for our conclusion.
Only documentation referenced by the contract is used as a
basis for argument. We have had many conversations with AMPEX
during preparation of the specification that leave no doubt;
however, it is felt they cannot be used as part of the record.
Reference: AMPEX Proposal, Page 2-1, Paragraphs 3 and 4.
The TBM* Memory System is highly modular in construction.
System capabilities can be varied over a wide range by
configuring the system to include different numbers of each
of five basic building blocks: Transport Modules (storage
capacity), Transport Driver Modules (multiple seek/search),
Data Channel Modules (internal data thruput), Storage Control
Processor (file management) and External Data Channel Processor
(data interface handling). Storage capacity is available over
a range from 10^11 bits to 3 x 101 bits in 10^11 bit increments,
while sustained thruput can be specified up to 4.2M bytes per
second in .7M bytes per second increments.
Switching matrices interconnect the hardware modules.
They are constructed to allow multi-path access to any of the
hardware modules. Systems configured with redundancy for all
of the five basic building blocks therefore offer highly
desirable degradation characteristics since no single unit
failure brings the entire system down.
Commentary:
The above paragraphs introduce the general philosophy
of the system. Namely it is intended to be modular,
expandible, highly interconnected, and that given redundancy
of equipment the system will be operable during the failure
of one of the basic units. The statement concerning single
unit failure is important. AMPEX has used a single line to
electrically interconnect the SCP's and TD's. Failure of this
line will bring down the entire system. No provision for
redundancy has been made by AMPEX. Thus the design is incon-
sistent with the specification.
Reference: AMPEX Proposal, Page 2-41, Paragraph 3.
Availability 24 Hours per Day
Scheduled maintenance of the MSS is performed on a
module basis, and there is no requirement for scheduled down-
time of the complete system. Preventive maintenance is usually
conducted during off-hours. The hardware utilization does
not exceed 12% for any module during the night shift (1800-
0800). The Transport utilization is less than.2% during this
period leaving more than ample for maintenance. Preventive or
corrective maintenance can be conducted in the off-line mode
concurrent with on-line operations. See Section 13.1 for
maintenance procedures.
Commentary:
On-line refers to the array of hardware devices that
are in use for production operations. Off-line refers to
those hardware devices that are logically and sometimes
physically disconnected from the on-line system. The paragraph
above calls for maintenance of off-line devices concurrent with
on-line operations. Some maintenance and hardware tests
require that an SCP access a TD. When an SCP and a TD are
both put off-line, the AMPEX design will not permit the needed
access. Thus the specification that requires off-line maintenance
concurrent with on-line production cannot be satisfied because
of the way AMPEX has cabled the SCP's and TD's.
Reference: Mass Storage System Design, page 19, paragraph 1
TBMTAPE initialization is performed by a stand-alone
SCP and TDP. Initializing a TBMTAPE begins with the
recording and testing of three longitudinal tracks: the
Address, Tally, and Control Tracks. This is followed by
search testing to determine tape packing characteristics.
Finally the wearing qualities of the tape are tested by
repeated reads of a single block.
Commentary:
The key point is in the first sentence which pairs a
stand-alone SCP with a TDP (Transport Driver Processor).
The TDP is an integral part of the TD. The term stand-alone
is defined in the same document as an SCP being off-line to
the Mass Storage System. The tape initialization process
requires that a stand-alone SCP access a TD. This cannot
be done given the described AMPEX design because the on-line
SCP would have control of all of the TD's. The on-line SCP
cannot transfer control of the TD's to the other SCP when it
is in a stand-alone condition. Thus the referenced specifi-
cation cannot be satisfied because the stand-alone SCP is
unable to access a TD.
Agency Requirements concerning SCP access to TD's
1. The Storage Control Processors (SCP's) must be able
to access the Transport Drivers (TD's) in such a manner that
given redundancy of SCP's and TD's, no single failure will
cause the entire Mass Storage System to be inoperable.
2. A stand-alone SCP must be able to access a TD so
that a TBMTAPE can be initialized.
3. An SCP must have access to the TD's such that
off-line maintenance of an SCP can be concurrent with on-line
operation of the Mass Storage System.
II. Usage of Two Storage Control Processors in the Mass
Storage System
Software Design
Mrs. Lemos stated that AMPEX is designing and developing
the Mass Storage System (MSS) such that only one Storage
Control Processor (SCP) will be active. The second SCP's
role is purely back-up and will be switched into the system
when a failure occurs in the first SCP.
Implications
The above design greatly simplifies the software logic
needed for the Mass Storage System. If a single SCP can
drive the system such that system throughput can be maintained
as specified then we cannot say that two active SCP's is
superior to a single SCP system.
It is difficult to reconstruct why a dual-SCP system was
originally specified. The major problem here is that the
revision of the design was done unilaterally by AMPEX. There
were no prior joint discussions on this matter; we were simply
informed of the AMPEX decision.
The AMPEX Design versus Contract Specifications
The AMPEX design of using a single active SCP for the
MSS rather than two active SCP's does not comply with the
specifications stated in the AMPEX Proposal TBMP 73-1 and
in the Mass Storage System Design. The following paragraphs
trace the reasons.
Reference: AMPEX Proposal, Page 5-1, Paragraphs 1 and 2.
Control of MSS is divided into three parts and is
performed by three sets of computers. Overall system control
is provided by the Storage Control Processor Complex consisting
of one or more SCP's. The TBM* Memory System configured for
the ORACLE application comprises two identical SCP's.
The SCP Complex communicates with subscribing host CPU's,
performs file management and space allocation functions,
defines the necessary functions and transmits the corresponding
commands to the other controllers in the TBM* Memory System.
During normal operations, one of the SCP's acts as the
Master (SCPM) exercising overall TBM* Memory System control
while the second one operates in a Slave mode (SCPS) per-
forming file management and space allocation functions.
Commentary:
The specification calls for two concurrently active
SCP's having different but complementary functions.
Reference: AMPEX Proposal, Page 5-2, Paragraphs 2 and 3.
The SCPM exercises overall system control. It allocates
tasks to the other processors within the MSS, keeps an audit
trail and a file management trail for all tasks entering
the MSS, keeps an activity log for each file and for hardware
resources, monitors overall MSS operation, and automatically
switches to a degraded mode if hardware resources become
unavailable.
The SCPS normally performs space allocation for the DSS, and
maintains the TBMCATALOG consisting of the Master File
Directory of all files stored on TBMTAPE and the On-Line
File Directory for all mounted TBMTAPE's in the DSS. The
SCPS thus performs most of the file management functions
under the supervision of SCPM.
Commentary:
These paragraphs give further detail about the functions
to be allocated to each SCP.
References: AMPEX Proposal, Page 5-2, Paragraph 4.
Page 5-11, Paragraph 5.
Page 5-12, Paragraph 2.
Page 5-14, Paragraph 2.
Page 2-10, Paragraph 5, 6, and 7.
Commentary:
These paragraphs are not reproduced here. All specifi-
cally discuss the concurrent use of a master and slave SCP.
Reference: Mass Storage System Design, Page 113, Paragraph 2.
The MSS software provides the capability to attach three
consoles to each SCP in the system. (See Section 3 for the
hardware configuration). During MSS operation, one SCP is
considered to be the master SCP; the other the slave. The
consoles attached to the master SCP are used to issue commands
to the system. Other consoles are attached to various sub-
components as required for maintenance. Hosts connected to
the master SCP can also issue certain commands.
Commentary:
This paragraph gives detail about activity on the master
Summary
It should be clear that the AMPEX design which eliminates
the master-slave SCP feature is contrary to the specifications
referenced by the contract.
Agency Requirements Concerning Dual SCP's.
Technically, it is not clear that the Mass Storage System
requires more than a single active SCP. We must verify that
the single mode will not create excessive overhead, however,
before permitting AMPEX to continue.
Other considerations concerning AMPEX overall performance
should preclude simply permitting the specification change.
We should not forget that the single or dual decision provides
us with good leverage that can be used to advantage elsewhere.
III. Access of Data Private to the Mass Storage System
Software Design
The Mass Storage System (MSS) keeps extensive information
about the identification, location, and status of the data
files under its control. This information along with other
internal MSS records is stored on two disks that are private
to the MSS. Only the MSS can directly access and use the
information.
The Storage Control Processors (SCP's) and the External
Data Channel Processors (EDCP's) are the MSS hardware modules
that access these private disks. Presently, AMPEX has
designed the software such that the SCP's require a dedicated
disk control unit to access the private disks. Dedicated,
here, means that only the SCP's can use the control unit.
When the EDCP's require access, it must be gained via another
control unit.
The figure below shows the AMPEX design.
[Figure labels: SCP1 and SCP2 with a DISK CONTROL UNIT; EDCP1 and EDCP2 with a DISK CONTROL UNIT; PRIVATE DISK1 and PRIVATE DISK2]
Implications
The use of a dedicated controller by the SCP's requires
that a second one be made available in the event the first
one fails. If this were not done the failure would result
in the MSS being inoperable. Thus the impact of the AMPEX
design is limited to the additional funds required for a
spare controller and the space needed for its placement.
The AMPEX Design versus Contract Specifications
The AMPEX design which requires a dedicated disk control
unit to service the SCP's is contrary to what has been
specified in the AMPEX Proposal TBMP 73-1 and in the Mass
Storage System Design. The MSS Design calls for two disk
control units with dual access features to be used to serve
any of the SCP's and EDCP's. The AMPEX Proposal specifies
a single control unit with a Four Channel Switch to serve
the SCP's and EDCP's. Specific references and drawings are
shown below.
Reference: AMPEX Proposal, Page 2-24, Table entitled,
"10^12 Bit TBM* Memory System Hardware Configuration"
CCS
2 SCP's (Storage Control Processors)
2 EDCP's (External Data Control Processors)
1 3330 Control Unit with 2 Spindles and a Four
Channel Switch
6 Host CPU message interface links on each SCP
8 Data interface links on each EDCP, providing
for 16 shared device controllers such as 3830's,
3803's, channel to channel adapter, etc. in any
combination.
Commentary:
This table lists the hardware needed for a 10^12 bit system.
The item - "1 3330 Control Unit with 2 Spindles and a Four
Channel Switch" - states very clearly that only a single
disk control unit is needed.
Reference: AMPEX Proposal, Page 2-36, Paragraph 2
The 3330 disk system internal to CCS can be accessed
from either of the SCP's and EDCP's. One spindle will nor-
mally be dedicated to the MSS Catalog and not accessible
by the EDCP's. The second spindle serves as backup, and
can also be used for internal data staging, diagnostics
and maintenance functions, etc.
Commentary:
The first sentence refers to the private disks for use
by the MSS. It provides further elaboration of the table
described in the previous Reference.
References: AMPEX Proposal, Page 2-25, Table entitled,
"10" Bit Initial TBM* Memory System Hardware
Configuration"
AMPEX Proposal, Page 3-1, Table entitled,
"Hardware Required for the Initial MSS"
AMPEX Proposal, Page 4-1, Table entitled,
"Hardware Required for the Complete MSS"
Commentary:
The above references are not reproduced here, but all
of them list a single disk control unit to be used to service
the SCP's and EDCP's.
Reference: Mass Storage System Design, Page 9, Figure 3.
Figure 3. ORACLE BSS Configuration, Oct - Dec, 1975
Commentary:
The above figure shows two disk control units to provide
all EDCP's and SCP's with access to the private disks. There
is no control unit allocated specifically for the SCP's.
Summary:
All of the above references prove that the AMPEX design
does not comply with the specifications.
Agency Requirement
Access to the private disks of the MSS must be provided
by disk control units that are shared among the SCP's and
EDCP's as specified in the Mass Storage System Design (Speci-
fication) dated March 19, 1975.