MAVEN Particles and Fields Operational Flight Software Code

MAVEN Particles and Fields Operational Flight Software Code Walkthrough
Fault Protection
Peter R. Harvey
Sw. CW (Peer) Review 1 UCB

Fault Protection (FP)
Failure detection and correction (FDC) requirements, approach, and detailed design

R 1. The spacecraft shall provide the instrument zone alert states to the PFDPU, RSDPU, and NGIMS at a rate of once a second for the following:
  - EUV boresight in Ram below parameterized altitude
  - SEP 1 parameterized rectangular FOV 1 in Sun
  - SEP 1 parameterized rectangular FOV 2 in Sun
  - SEP 2 parameterized rectangular FOV 1 in Sun
  - SEP 2 parameterized rectangular FOV 2 in Sun
  - Ambient Density STATIC > parameterized density limit
  - Ambient Density SWIA/SWEA > parameterized density limit
  - Ambient Density EUV > parameterized density limit
  - IUVS parameterized rectangular FOV in Sun
  - Ambient Density IUVS > parameterized density limit
  - Ambient Density NGIMS > parameterized density limit
R 2. The payloads shall respond to a transition into a zone alert region by putting the affected instruments into a known safe state until a transition out of the zone alert region occurs.
R 3. The payload shall respond to a transition into a zone alert region by blocking all internally sequenced and spacecraft initiated commands that would put an instrument into an unsafe instrument state until a transition out of the zone alert region occurs.
R 4. The payloads shall issue a Safe Me request if the affected instrument is unable to properly configure upon transition into a zone alert region. Instruments shall stop generating HeartBeat messages.
R 5. The payloads shall configure all affected instruments into a safe state if a zone alert message has not been received for a parameterized amount of time.
R 6. The payloads shall configure all affected instruments into a safe state upon power up until a zone alert status is established.
R 7. HeartBeat should indicate PFDPU is fully functional, meaning TBD (should be sent every 1 second).

FP Requirements

Associated Requirements
P 1. Users must be able to disable HV or Door operations, regardless of S/C Zone Alerts (e.g. PF GSE cannot release a Zone Alert and allow HV to ramp up when we don't want it to).
P 2. Door Actuations have a timeout following actuation of TBD seconds for the SMA to cool down.

Implementation Details
1. Telemetry Task does not itself need to be monitored. If it fails, the S/C will know and take action.
2. When Tasks succeed, they clear their respective "time-since-task" register.
3. PF will principally rely upon Relative Time Sequences for Open/Close or HVON/HVOFF sequences.
4. PF FSW will have two independent software activities: one for safing actions, one for safety verification.
5. Each safing action's expected duration will be independent of the others and will be commandable.
6. If you remove power from PF, hardware circuits will safe the HV and will close the EUV, SEP 1, SEP 2 doors within 5 minutes. On power up, PF is guaranteed to be safe (meets R 6).
7. If you remove power from STATIC, SWEA or SWIA, their High Voltages are zero. So, before asking the Spacecraft to safe the PF, the PF FSW would prefer to turn off these non-complying instruments.

FP HV Details

HV Registers
These are high voltages, each separately controlled, so they all need to come down to be safe.

SWEA: SWEMCPHV, SWENRHV
Note: SWENRHV does not have a DAC. It just comes on to full scale when you enable it. Analyzer, Def 1, and Def 2 HV are based on NRHV. If NRHV is low, the others have to be.

SWIA: SWIMCPHV, SWIDefRawV, SWISwpRawV
Note: the last two share a single control; they should ramp up and down together. Analyzer, Def 1, and Def 2 HV are based on DefRaw and SwpRaw. If DefRaw and SwpRaw are low, the others have to be.

STATIC: STAAccHV, STAMCPHV, STADefRawV, STASwpRawV
Note: the last two share a single control; they should ramp up and down together. Analyzer, Def 1, and Def 2 HV are based on DefRaw and SwpRaw. If DefRaw and SwpRaw are low, the others have to be.

FP Definitions

Safing Status
1. Quick digest on all requests and measures.
2. "Allowed" register is the combination of the Zones and User Enables registers.
3. "Instrument Status" is independent measures of what's actually happening.
Safing Status can be returned in the "Safe Me" message.

FP CMD & TM Tasks

CMD Task
1. Decodes all S/C messages.
2. ZoneAlerts reset Timer[6].

TM Task
1. Determines "Safe Me" status from safety failures or task stoppages (meets R 5, R 7).
2. Will not send normal telemetry, including NOOP (Heartbeat), when "Safe Me" is being requested (meets R 4).

FP Safing Task, Failures

Has_Failed( bit )
1. If the Instrument Status bit is safe, then returns(NotFailed).
2. If the bit is Allowed, returns(NotFailed).
3. Otherwise, the Instrument is out-of-compliance. The respective Timer is incremented.
4. If the Timer exceeds its Limit, then it returns (Failed=1).

Safing Task
1. Computes the Instrument Status register (6 bits).
2. Computes what is Allowed by a combination of Zone Alerts and User Enables.
3. Calls Door and HV managers to act (meets R 2).
4. Calls Power managers to shut off non-complying instruments (meets R 2).
5. Clears its task timer.

A failure is an unallowed state for a period of time. Status is developed by reading back from electronics, not by FSW variables.
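The Has_Failed() and Safing Task logic above, together with the "Allowed" register definition from the FP Definitions slide, written out as an added C example (not MAVEN flight code). The struct fields, the 6-bit register layout and the reset of a compliance timer once the instrument is back in compliance are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not MAVEN flight code: the Has_Failed()/Safing Task
 * bookkeeping described above, for the 6-bit Status/Allowed registers.
 * Field names, bit layout and the timer reset on compliance are assumed. */
#define NUM_INST 6
enum { NOT_FAILED = 0, FAILED = 1 };

typedef struct {
    uint8_t  zone_alert;   /* 1 = a zone alert covering this instrument is active */
    uint8_t  user_enable;  /* 1 = user permits HV / door operation (P 1) */
    uint8_t  status;       /* readback from electronics: 1 = HV on or door open */
    uint32_t timer;        /* consecutive Safing Task passes out of compliance */
    uint32_t limit;        /* commandable per-instrument limit (Detail 5) */
} fp_inst_t;

/* "Allowed" combines Zone Alerts and User Enables: active only when no zone
 * alert applies AND the user has enabled it, so a user disable always wins. */
bool is_allowed(const fp_inst_t *i)
{
    return i->zone_alert == 0 && i->user_enable == 1;
}

/* Has_Failed(bit): safe -> NotFailed; allowed -> NotFailed; otherwise the
 * instrument is out of compliance, its Timer advances, and it is Failed
 * once the Timer exceeds its Limit. Status comes from hardware readback. */
int has_failed(fp_inst_t *i)
{
    if (i->status == 0) { i->timer = 0; return NOT_FAILED; }
    if (is_allowed(i))  { i->timer = 0; return NOT_FAILED; }
    i->timer++;
    return (i->timer > i->limit) ? FAILED : NOT_FAILED;
}

/* Instrument Status and Allowed registers as the Safing Task computes them
 * (bit k = instrument k). */
uint8_t status_register(const fp_inst_t inst[NUM_INST])
{
    uint8_t r = 0;
    for (int k = 0; k < NUM_INST; k++) r |= (uint8_t)((inst[k].status & 1u) << k);
    return r;
}
uint8_t allowed_register(const fp_inst_t inst[NUM_INST])
{
    uint8_t r = 0;
    for (int k = 0; k < NUM_INST; k++) if (is_allowed(&inst[k])) r |= (uint8_t)(1u << k);
    return r;
}
```

With limit = 3, an instrument that stays active under a zone alert is reported Failed on the fourth one-second pass, and the timer falls back to zero as soon as the alert clears or the readback shows it safe.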

FP EUV Aperture

IsEUVOpen()
1. FSW reads the 2-bit status of the EUV Ap.
2. Compares that to the Open & not-Closed condition.

IsEUVAllowed()
1. If either "Boresight in RAM" or "Density High" ZoneAlerts, then EUV Aper is not allowed.
2. If user Enable is low, EUV Aper is not allowed.

ManEUVAper()
1. If open but not allowed, this routine starts RTS (5).
2. If closed but allowed, this routine starts RTS(11).
3. Does not matter whether LPW/EUV power is On or Off.

FP SEP 1&2 Doors

IsSEP1Open()
1. FSW selects SEP 1 Door status and directly reads its status.

IsSEP1Allowed()
1. If either "SEP 1 FOV 1" or "SEP 1 FOV 2" ZoneAlerts, then SEP 1 Door is not allowed.
2. If user Enable is low, SEP 1 Door is not allowed.

IsSEP1Allowed() flowchart:
  - SEP 1 FOV 1 in Sun (Zone[1]=1)? Yes: Return( 0 ). No: continue.
  - SEP 1 FOV 2 in Sun (Zone[2]=1)? Yes: Return( 0 ). No: continue.
  - User Enabled (Enable[1]=1)? No: Return( 0 ). Yes: continue.
  - No SEP 1 comm (Task[12] > Limit)? Yes: Return( 0 ). No: continue.
  - Low BiasMon => Sun (BiasMon > "-0.2 V")? Yes: Return( 0 ). No: OK, it's allowed, Return( 1 ).

ManSEP1Door()
1. If open but not allowed, this routine starts RTS[6], SEP 1 Door Closure.
2. If closed but allowed, this routine starts RTS(11), SEP 1 Door Open.
3. If SEP is off, doors will close as a result.
4. Identical logic used in SEP 2.

FP STATIC HV

STAT Mgr()
1. Decodes STATIC messages.
2. Resets Timer(9) when HSK message found.
3. Resets its timer when STATIC is off.

IsSTATHVOn()
1. If STATIC Off, HV is off.
2. If any HV > 100 V, then HV is ON.

IsSTATAllowed()
1. If Zone Alert[5]=1 then No.
2. If User Enable[3]=0, then No.

FP STATIC HV

ManSTATHV()
1. If STATIC is off, HV is off so exit.
2. If HV is ON but not allowed, this routine starts RTS[8], STATIC HV Off.
3. If HV is OFF but allowed, this routine starts RTS(14), STATIC HV On.

ManSTATPower()
1. If no HSK coming out, then turn STATIC off.
2. If HV not complying, then turn STATIC off.

FP SWIA HV

SWIA Mgr()
1. Decodes SWIA messages.
2. Resets Timer(10) when HSK message found.
3. Resets its timer when SWIA is off.

IsSWIAHVOn()
1. If SWIA Off, HV is off.
2. If any HV > 100 V, then HV is ON.

IsSWIAAllowed()
1. If Zone Alert[6]=1 then No.
2. If User Enable[4]=0, then No.

FP SWIA HV

ManSWIAHV()
1. If SWIA is off, HV is off so exit.
2. If HV is ON but not allowed, this routine starts RTS[9], SWIA HV Off.
3. If HV is OFF but allowed, this routine starts RTS(15), SWIA HV On.

ManSWIAPower()
1. If no HSK coming out, then turn SWIA off.
2. If HV not complying, then turn SWIA off.

FP SWEA HV

SWEA Mgr()
1. Decodes SWEA messages.
2. Resets Timer(11) when HSK message found.
3. Resets its timer when SWEA is off.

IsSWEAHVOn()
1. If SWEA Off, HV is off.
2. If any HV > 100 V, then HV is ON.

IsSWEAAllowed()
1. If Zone Alert[6]=1 then No.
2. If User Enable[5]=0, then No.

FP SWEA HV

ManSWEAHV()
1. If SWEA is off, HV is off so exit.
2. If HV is ON but not allowed, this routine starts RTS[10], SWEA HV Off.
3. If HV is OFF but allowed, this routine starts RTS(16), SWEA HV On.

ManSWEAPower()
1. If no HSK coming out, then turn SWEA off.
2. If HV not complying, then turn SWEA off.
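The STATIC, SWIA and SWEA slides above share one HV Manager / Power Manager pattern; this added C example (not MAVEN flight code) generalizes it over the three instruments using the RTS, Zone Alert and User Enable numbers from those slides. The struct layout, the HSK timeout limit, and applying the 100 V test to a single highest-register readback are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not MAVEN flight code: the HV Manager / Power Manager pattern
 * shared by the STATIC, SWIA and SWEA slides, with their RTS, Zone Alert and
 * User Enable numbers. Struct layout and the HSK timeout limit are assumed. */
typedef struct {
    int rts_hv_off;   /* RTS that ramps HV down: RTS[8], RTS[9], RTS[10] */
    int rts_hv_on;    /* RTS that ramps HV up: RTS(14), RTS(15), RTS(16) */
    int zone_bit;     /* Zone Alert index that forbids HV */
    int enable_bit;   /* User Enable index that permits HV */
} hv_inst_t;
static const hv_inst_t STATIC_HV = {  8, 14, 5, 3 };
static const hv_inst_t SWIA_HV   = {  9, 15, 6, 4 };
static const hv_inst_t SWEA_HV   = { 10, 16, 6, 5 };

typedef struct {
    bool     powered;        /* instrument power is on */
    uint16_t hv_max_volts;   /* highest readback among the HV registers, in volts */
    uint8_t  zone_alert;     /* Zone Alert bits as received from the S/C */
    uint8_t  user_enable;    /* User Enable bits (P 1) */
    uint32_t hsk_timer;      /* seconds since last HSK: Timer(9), (10), (11) */
    uint32_t hsk_limit;      /* assumed commandable limit for that timer */
    bool     hv_failed;      /* Has_Failed() result from the Safing Task */
} hv_state_t;

/* IsXHVOn(): off when unpowered; ON if any HV register reads above 100 V. */
bool is_hv_on(const hv_state_t *s) { return s->powered && s->hv_max_volts > 100; }

/* IsXAllowed(): Zone Alert[zone_bit]=1 -> No; User Enable[enable_bit]=0 -> No. */
bool is_hv_allowed(const hv_inst_t *inst, const hv_state_t *s)
{
    return !((s->zone_alert >> inst->zone_bit) & 1u) &&
            ((s->user_enable >> inst->enable_bit) & 1u);
}

/* ManXHV(): returns the RTS to start, or 0 when no action is needed. */
int manage_hv(const hv_inst_t *inst, const hv_state_t *s)
{
    if (!s->powered) return 0;                    /* off => HV off, exit */
    bool on = is_hv_on(s), allowed = is_hv_allowed(inst, s);
    if (on && !allowed) return inst->rts_hv_off;  /* start HV Off RTS */
    if (!on && allowed) return inst->rts_hv_on;   /* start HV On RTS */
    return 0;
}

/* ManXPower(): turn the instrument off when HSK has stopped or its HV is
 * out of compliance (Detail 7); an unpowered instrument needs no action. */
bool manage_power(const hv_state_t *s) { return s->powered && (s->hsk_timer > s->hsk_limit || s->hv_failed); }
```

An instrument that is both off and disallowed gets no RTS at all, which is the quiet state the power manager leaves behind after it cuts power to a non-complying instrument.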