Dedicated fault tolerant control and data acquisition system

Ref-Nr:

Technology abstract

The proposed technology offers solutions to research or industrial organisations that need a unique, non-serial, highly reliable, fault tolerant control and data acquisition system operating in a harsh environment. The proposed system can be used for monitoring the environmental status of nuclear power stations or research reactors. Its advantages are fault tolerance, long lifetime, small size and a real-time, multitasking operating system that is easy to adapt to different sensors.

Technology Description

SGF, under contract to the Max-Planck-Institut für extraterrestrische Physik, designed the Command and Data Management Subsystem (CDMS) of the Rosetta Lander. The laboratory and engineering models were designed and manufactured in Hungary, and the flight model was manufactured by the Max-Planck Institute. CDMS is in charge of controlling the whole Lander operation, including preparations for separation from the orbiter, thermal and power management, as well as separation, descent and touchdown. In addition to playing an essential role in controlling the whole landing scenario, CDMS has the following tasks to perform on the comet's surface: to receive and execute telecommands coming from Earth, to collect science and housekeeping information from the Lander's subsystems and scientific experiments and send it to Earth, and to control the sequencing of science operations.
The structure of CDMS is modular. Its functional sub-units, plugged into a common motherboard, are as follows: two Data Processor Unit (DPU) boards, two Real Time Clock boards, two Central Interface Unit (CIU) boards (designed by Wigner RCP), two Mass Memory boards (designed by the Finnish Meteorological Institute) and a Power Distribution board. The flight unit was manufactured in Germany, but its integration was done by our engineers.
Because of the vital tasks CDMS performs, it must have a fault tolerant architecture. Since in most mission phases there is no possibility of external intervention from Earth, CDMS must recognise possible faults and then recover autonomously by ruling out failed functional sub-units and activating their redundant counterparts. The core that ensures fault tolerance is the pair of DPUs, both running in hot redundant mode. One of them, designated the primary DPU, performs the actual payload control. The other, designated the secondary DPU, continuously observes whether the DPU roles change, so that it can take over the primary role at any time in case of a fault in the primary.
Both hardware and software means are implemented to support fast fault recognition and recovery. DPU context data, a set of crucial state data, are saved at regular intervals. The current secondary DPU (the future primary) then uses these data as the basis for rebuilding the operational environment in case of a role change. The Harris RTX2010 processor was selected for the DPU boards because it was the lowest-power space-qualified, radiation-hardened 16-bit processor available. CDMS is a real-time control and data acquisition system and has to process tasks in parallel, so SGF developed a real-time, pre-emptive multitasking operating system that runs the application tasks executing the required functions in parallel.
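The hot redundant DPU pair and the periodic context checkpoint described in the two paragraphs above can be modelled as a small simulation. The following C program is an added illustration, not CDMS code: the primary DPU advances its state every tick and checkpoints a context record with a checksum at a fixed period, the secondary counts ticks without a heartbeat, and once the timeout expires it takes the primary role and rebuilds its state from the last valid checkpoint. All names (dpu_pair_t, dpu_pair_step, CONTEXT_PERIOD, HEARTBEAT_TIMEOUT), the period and timeout values, and the context fields are assumptions chosen for the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of a hot-redundant DPU pair; every name and constant
 * below is an assumption for illustration, not taken from CDMS. */
#define NUM_DPU 2
#define CONTEXT_PERIOD 4     /* checkpoint context every 4 ticks (assumed) */
#define HEARTBEAT_TIMEOUT 3  /* missed heartbeats before takeover (assumed) */

typedef enum { ROLE_PRIMARY, ROLE_SECONDARY } dpu_role_t;

/* Crucial operational state saved at regular intervals ("context data"). */
typedef struct {
    uint16_t mission_phase;     /* constructed: 0 = cruise, 1 = descent, 2 = surface */
    uint16_t sequence_step;     /* position in the current operation sequence */
    uint16_t telecommand_count; /* telecommands executed so far */
    uint16_t checksum;          /* integrity check over the fields above */
} dpu_context_t;

typedef struct {
    dpu_role_t role;
    int alive;                  /* 1 = functional, 0 = faulted (fault injection) */
    int ticks_since_heartbeat;  /* maintained on the secondary */
    dpu_context_t live;         /* working state of this DPU */
} dpu_t;

typedef struct {
    dpu_t dpu[NUM_DPU];
    dpu_context_t shared_context; /* last checkpoint, readable by both DPUs */
    int tick;
    int role_changes;
} dpu_pair_t;

/* 16-bit additive checksum; a real design would use a CRC. */
static uint16_t context_checksum(const dpu_context_t *c) {
    return (uint16_t)(c->mission_phase + c->sequence_step + c->telecommand_count);
}

int context_valid(const dpu_context_t *c) {
    return context_checksum(c) == c->checksum;
}

void dpu_pair_init(dpu_pair_t *p) {
    memset(p, 0, sizeof *p);
    p->dpu[0].role = ROLE_PRIMARY;   p->dpu[0].alive = 1;
    p->dpu[1].role = ROLE_SECONDARY; p->dpu[1].alive = 1;
    p->shared_context.checksum = context_checksum(&p->shared_context);
}

/* Index (0 or 1) of the DPU currently holding the primary role. */
int dpu_pair_primary(const dpu_pair_t *p) {
    return p->dpu[0].role == ROLE_PRIMARY ? 0 : 1;
}

/* Inject a fault: the DPU stops heartbeating and processing. */
void dpu_fail(dpu_pair_t *p, int idx) { p->dpu[idx].alive = 0; }

/* One scheduler tick. The primary does its work and checkpoints; the secondary
 * watches the heartbeat and takes over after HEARTBEAT_TIMEOUT silent ticks.
 * Returns the index of the primary DPU after this tick. */
int dpu_pair_step(dpu_pair_t *p, int telecommand_arrived) {
    int pri = dpu_pair_primary(p), sec = 1 - pri;
    p->tick++;
    if (p->dpu[pri].alive) {
        dpu_context_t *c = &p->dpu[pri].live;
        c->sequence_step++;
        if (telecommand_arrived) c->telecommand_count++;
        if (p->tick % CONTEXT_PERIOD == 0) {
            c->checksum = context_checksum(c);
            p->shared_context = *c;            /* checkpoint for the secondary */
        }
        p->dpu[sec].ticks_since_heartbeat = 0; /* heartbeat seen */
    } else if (p->dpu[sec].alive) {
        if (++p->dpu[sec].ticks_since_heartbeat >= HEARTBEAT_TIMEOUT) {
            /* Role change: rebuild the operational environment from the checkpoint.
             * Work done after the last checkpoint is lost, which is the price of
             * periodic rather than continuous context saving. */
            p->dpu[sec].role = ROLE_PRIMARY;
            p->dpu[pri].role = ROLE_SECONDARY;
            if (context_valid(&p->shared_context))
                p->dpu[sec].live = p->shared_context;
            p->dpu[sec].ticks_since_heartbeat = 0;
            p->role_changes++;
        }
    }
    return dpu_pair_primary(p);
}

int main(void) {
    dpu_pair_t p;
    dpu_pair_init(&p);
    for (int i = 0; i < 8; i++) dpu_pair_step(&p, 1);  /* 8 healthy ticks */
    dpu_fail(&p, 0);                                    /* primary faults */
    for (int i = 0; i < 4; i++)
        printf("tick %d: primary = DPU%d\n", p.tick + 1, dpu_pair_step(&p, 0));
    printf("role changes: %d, restored sequence_step: %u\n",
           p.role_changes, p.dpu[1].live.sequence_step);
    return 0;
}
```

The point a practitioner should take from the model is the interaction of the two intervals: the takeover delay is bounded by HEARTBEAT_TIMEOUT, while the state lost on takeover is bounded by CONTEXT_PERIOD, and the checksum guards the rebuild against a checkpoint that was only partially written when the primary failed.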
The software system providing the vital and emergency functions of the Lander is located in the highly reliable PROM memory. This software occupies about 40 kilobytes and is compressed before being stored in the PROM. It must be decompressed before it runs, which is done when a malfunction occurs in the main software located in the less robust EEPROM memory. The 62-kilobyte main software system stored in the EEPROM controls all the functions of the Lander, and its contents can be exchanged or repaired via telecommunication. Software patches can be uploaded by telecommand from Earth to modify any part of the software, even the operating system itself. The start-up program module loads the selected software into RAM, modifies it according to any patches, and passes control to the initialising part of the operating system already loaded. In an emergency, hardware-decoded telecommands (HWTCs) can be sent from the ground; these are interpreted by the computer without any software. Such commands can modify initialisation parameters or restart the system in emergency mode.
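The start-up path in the paragraph above (load the selected image into RAM, apply uploaded patches, then hand over control) is where an image that was corrupted in EEPROM or a malformed patch record would do the most damage, so the loader should check both before anything runs. The following C program is an added example, not the CDMS start-up module: it models a loader that copies a constructed image into RAM, applies patch records one by one, rejects a record that would write outside the image, and rolls back a record whose post-patch checksum does not match. The record format (patch_record_t with offset, length, data and expected_sum), the RAM size and the image bytes are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical loader model; the record format, sizes and names are assumptions. */
#define RAM_IMAGE_SIZE 64

/* One patch record as it might arrive by telecommand (constructed format). */
typedef struct {
    uint16_t offset;        /* byte offset into the RAM image */
    uint8_t  length;        /* number of bytes to overwrite */
    const uint8_t *data;    /* replacement bytes */
    uint16_t expected_sum;  /* additive checksum of the whole image after this patch */
} patch_record_t;

typedef struct {
    uint8_t ram[RAM_IMAGE_SIZE];
    size_t  image_len;
    int     patches_applied;
    int     patches_rejected;
} loader_state_t;

/* 16-bit additive checksum over the image; a real system would use a CRC. */
static uint16_t image_sum(const uint8_t *img, size_t len) {
    uint16_t s = 0;
    for (size_t i = 0; i < len; i++) s = (uint16_t)(s + img[i]);
    return s;
}

/* Step 1: copy the selected image (main software or decompressed fallback) into RAM. */
int loader_load(loader_state_t *st, const uint8_t *image, size_t len) {
    if (len == 0 || len > RAM_IMAGE_SIZE) return -1;   /* image does not fit */
    memset(st, 0, sizeof *st);
    memcpy(st->ram, image, len);
    st->image_len = len;
    return 0;
}

/* Step 2: apply one patch record.
 * Returns 0 on success, -1 if the record reaches past the image (nothing written),
 * -2 if the post-patch checksum mismatches (the write is rolled back). */
int loader_apply_patch(loader_state_t *st, const patch_record_t *p) {
    if (p->length == 0 || (size_t)p->offset + p->length > st->image_len) {
        st->patches_rejected++;
        return -1;
    }
    uint8_t saved[256];   /* length is a uint8_t, so 256 bytes always suffice for undo */
    memcpy(saved, st->ram + p->offset, p->length);
    memcpy(st->ram + p->offset, p->data, p->length);
    if (image_sum(st->ram, st->image_len) != p->expected_sum) {
        memcpy(st->ram + p->offset, saved, p->length);   /* roll back */
        st->patches_rejected++;
        return -2;
    }
    st->patches_applied++;
    return 0;
}

/* Checksum of the image currently in RAM, for the final check before handover. */
uint16_t loader_image_sum(const loader_state_t *st) {
    return image_sum(st->ram, st->image_len);
}

int main(void) {
    /* Constructed 8-byte "image" and three constructed patch records. */
    static const uint8_t image[8] = {1, 2, 3, 4, 5, 6, 7, 8};       /* sum 36 */
    static const uint8_t good_bytes[2] = {9, 9};
    static const uint8_t oob_bytes[4] = {0, 0, 0, 0};
    static const uint8_t bad_bytes[1] = {0xFF};
    patch_record_t good = {2, 2, good_bytes, 47};  /* 36 - 3 - 4 + 9 + 9 = 47 */
    patch_record_t oob  = {7, 4, oob_bytes, 0};    /* reaches past byte 7 */
    patch_record_t bad  = {0, 1, bad_bytes, 47};   /* claimed sum is wrong */
    loader_state_t st;

    loader_load(&st, image, sizeof image);
    printf("good: %d\n", loader_apply_patch(&st, &good));
    printf("oob:  %d\n", loader_apply_patch(&st, &oob));
    printf("bad:  %d\n", loader_apply_patch(&st, &bad));
    printf("applied %d, rejected %d, image sum %u\n",
           st.patches_applied, st.patches_rejected, loader_image_sum(&st));
    return 0;
}
```

Rolling back a rejected record matters because the loader hands control to whatever is in RAM afterwards; leaving a half-applied patch in place would turn a rejected upload into a corrupted running image.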

Innovations & Advantages

The fault tolerant control and data acquisition system has a flexible, easy-to-use, high-level programming interface. It works on two types of tables. One set of tables describes the required activity at a given moment or for a given duration (the static activity). The other table describes the dynamic behaviour of the system: it contains the list of conditions under which the current activity is changed to a new static activity.
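The two-table interface described above can be shown with a small activity selector. The C program below is an added example, not the system's own interface: a static table maps time windows to activities, a dynamic table lists condition functions evaluated against a housekeeping snapshot, and the selector consults the dynamic table first (earlier rows win) and falls back to the static plan. The activity names, housekeeping fields (battery_mv, temp_dc, link_up), thresholds and time windows are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a two-table activity scheduler; all names, fields,
 * thresholds and table contents are assumptions made for this example. */
typedef enum { ACT_IDLE = 0, ACT_HEAT, ACT_MEASURE, ACT_TRANSMIT, ACT_SAFE } activity_t;

/* Housekeeping snapshot that the dynamic conditions are evaluated against. */
typedef struct {
    int battery_mv;   /* battery voltage in millivolts */
    int temp_dc;      /* temperature in tenths of a degree Celsius */
    int link_up;      /* 1 = communication link available */
} housekeeping_t;

/* Static table entry: run `activity` from start_time for `duration` ticks. */
typedef struct {
    uint32_t start_time;
    uint32_t duration;
    activity_t activity;
} static_entry_t;

/* Dynamic table entry: if condition(hk) holds, switch to next_activity
 * regardless of the static plan. Rows are checked in order, so earlier rows
 * take priority over later ones. */
typedef struct {
    int (*condition)(const housekeeping_t *);
    activity_t next_activity;
} dynamic_entry_t;

static int battery_low(const housekeeping_t *hk) { return hk->battery_mv < 22000; }
static int too_cold(const housekeeping_t *hk)    { return hk->temp_dc < -400; }

/* Constructed static plan: idle, then measure, then transmit. */
static const static_entry_t static_table[] = {
    {  0, 10, ACT_IDLE     },
    { 10, 30, ACT_MEASURE  },
    { 40, 20, ACT_TRANSMIT },
};

/* Constructed dynamic table: power protection outranks thermal protection. */
static const dynamic_entry_t dynamic_table[] = {
    { battery_low, ACT_SAFE },
    { too_cold,    ACT_HEAT },
};

/* Static activity planned for tick t; ACT_IDLE when no window covers t. */
activity_t static_activity(uint32_t t) {
    for (size_t i = 0; i < sizeof static_table / sizeof static_table[0]; i++) {
        const static_entry_t *e = &static_table[i];
        if (t >= e->start_time && t < e->start_time + e->duration) return e->activity;
    }
    return ACT_IDLE;
}

/* Dynamic conditions first, static plan otherwise. */
activity_t select_activity(uint32_t t, const housekeeping_t *hk) {
    for (size_t i = 0; i < sizeof dynamic_table / sizeof dynamic_table[0]; i++)
        if (dynamic_table[i].condition(hk)) return dynamic_table[i].next_activity;
    return static_activity(t);
}

int main(void) {
    static const char *names[] = {"IDLE", "HEAT", "MEASURE", "TRANSMIT", "SAFE"};
    housekeeping_t nominal = {28000, 200, 1};    /* constructed snapshots */
    housekeeping_t cold    = {28000, -500, 1};
    housekeeping_t cold_lowbat = {20000, -500, 1};
    printf("t=15 nominal      -> %s\n", names[select_activity(15, &nominal)]);
    printf("t=15 cold         -> %s\n", names[select_activity(15, &cold)]);
    printf("t=15 cold+lowbat  -> %s\n", names[select_activity(15, &cold_lowbat)]);
    printf("t=65 nominal      -> %s\n", names[select_activity(65, &nominal)]);
    return 0;
}
```

Keeping the conditions as a data table rather than as branches in the application code is what makes the interface adaptable: a new sensor or threshold is a new row, and the row order is the explicit priority between competing protective reactions.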

Further Information

See: A. Balázs et al.: Command and data management system of the Philae lander; Acta Astronautica 125 (2016) 105–117, Elsevier.

Current and Potential Domains of Application

The proposed system can be used for monitoring the environmental status of nuclear power stations or research reactors.