AutoReconfiguration on Grizzly Dr NS Mohan United Defense

Auto-Reconfiguration on Grizzly Dr. NS Mohan United Defense, L. P. Ground Systems Division 11 June 2003 United Defense LP -- Proprietary 1

Grizzly 11 June 2003 United Defense LP -- Proprietary 2

System Requirements & KPPs § Key Grizzly Program requirements: M 1 Abrams Chassis ► Redundant Drive-By-Wire ► • Automatic switch-over of controllers within 200 ms Survivable Mine Clearing Blade (MCB), ADCS & PDA ► Ability to plow in varied soil and terrain conditions at higher speeds with Auto Depth Control ► § KPPs: Gross Combat Weight: less than 70 Tons ► Defeat/clear mines buried at depths up to 12 inches ► Defeat/breach complex obstacle in 21 minutes ► • Mine field; Anti-tank ditch; Concertina wire ► 11 June 2003 Mobility & Survivability comparable to M 1 Abrams United Defense LP -- Proprietary 3

Vetronics Description 11 June 2003 United Defense LP -- Proprietary 4

Hardware Elements § Controllers ►Primary (PC), Secondary (SC) Fully redundant § Auto Depth Control Subsystem (ADCS) Controller § 2 Drive Remote IO Modules ►Configured to support redundancy of functions § PDA RIOM § Crew Interface RIOM § Actuators – Braking, Steering 11 June 2003 United Defense LP -- Proprietary 5

Software Architecture § Software Configuration Items ► Auto Depth Control Subsystem (ADCS) ► Crew Interface Subsystem (CIS) ► Drive Control Subsystem (DCS) ► Power Driven Arm (PDA) ► Operating Environment ► System Services (SS) § Multi-layered approach § Reconfiguration support SS, CIS 11 June 2003 United Defense LP -- Proprietary 6

Software Architecture – contd. 11 June 2003 United Defense LP -- Proprietary 7

Software Architecture – contd. § Software Configuration Items ► System Services (SS) • Utilities (e. g. , storage management) • Insulated the applications from lower level details (OE, hardware) • APIs provided to the application SCIs, provides portability • Followed the ICD closely, changes in ICD generally did not affect the applications (no code changes) • Reconfiguration support 11 June 2003 United Defense LP -- Proprietary 8

Reconfiguration of Controllers § Manual – by the operator ► If something is not behaving correctly ► For testing of functionality (maintenance mode) § Automatic ► Switches to secondary controller when primary fails ► Time limit: 200 ms for resuming normal operations ► Periodic exchange of health status between the two controllers (heartbeat) – 11 June 2003 United Defense LP -- Proprietary 9

Reconfiguration Support § Backup controller configured as simultaneous remote terminal and bus monitor § All CSCIs run lockstep in both controllers. The copy on the backup controller will have its outputs suppressed, until needed. § The CIS_CSCI is designed to accommodate reconfiguration ► Operator inputs to PC are duplicated by 11 June 2003 System Services and sent to SC via 1553 United Defense LP -- Proprietary 10

Reconfiguration Support - contd. § PC duplicates inputs & sends them to SC (both DRIOMs, DECU). § Keep Alive signal (via 1553 between controllers) ► 40 Hz § Drive Control critical data saved & exchanged periodically – RS-423 link between controllers ► 40 Hz 11 June 2003 United Defense LP -- Proprietary 11

Reconfiguration Power-up § The PC and the SC are differentiated by the RT address on the 1553 connector: PC = 0001 ► SC = 0010 ► § At power-up, both controllers initiate a time delay = (RT address – 1)*5 ms, tipping the scale in favor of the PC § Upon timeout, check for bus activity IF no activity, assume role of bus controller and initiate bus schedule ► ELSE, assume role of RT ► 11 June 2003 United Defense LP -- Proprietary 12

Reconfiguration Scenarios Notify Operator Take over as Remove power from Bus other controller Controller PC detects SC failure YES N/A YES PC detects SC is not ready to take over YES N/A YES SC detects PC failure YES YES § To avoid PC tying up the bus: SC detects PC is YES NO ►SC sends a reset command over RS-423 link not ready to take over►SC takes over as Bus Controller NO ►SC sends command to PDU to remove power from the PC 11 June 2003 United Defense LP -- Proprietary 13

Manual Reconfiguration of Controllers § During maintenance mode, operator can select to switch controllers as Bus Controller ► PC transmits a dynamic bus control command to SC ► SC accepts control by setting dynamic bus control bit in status word ► Control is relinquished by PC (current Bus Controller) ► Operator notified when this is complete § This is an application of standard mechanism provided by 1553 specification for transfer of control 11 June 2003 United Defense LP -- Proprietary 14

Reconfiguration of Drive Remote I/O Modules § Implemented within DCS software § Manual – by the operator ► If something is not behaving 1553 Bus correctly DRIOM 1 ► For testing of functionality § Automatic DRIOM 2 DCS Inputs ► Switches to secondary DRIOM when primary fails • By function (e. g. , Braking) or DRIOM as a whole United Defense LP -- Proprietary ► Periodic status via 1553 (BIT) 11 June 2003 15

Summary § Requirement of Redundancy of Drive-By -Wire satisfied by ► Duplicate controllers automatic switchover within 200 ms ► Duplicate Drive Remote I/O Modules automatic switchover by function or as a whole § Tested thoroughly within System Integration Laboratory and on the vehicle fully satisfied the requirements at max speed of 45 mph § All Key Performance Parameters (KPPs) and EMD exit criteria were met or 11 June 2003 United Defense LP -- Proprietary 16