Reconfigurable Avionics for Hubble Servicing Missions Ed Cheung – Jackson & Tull Will Clement – Clement Engineering Ray Bietry – Orbital Sciences Corp.
New Carrier Avionics
• The Hubble Space Telescope Project regularly flies new components to the observatory on Space Shuttle Carriers.
• The current generation of avionics for HST carriers is aging and needs replacement.
• New avionics will be reconfigurable and flexible with the use of reprogrammable FPGAs from Xilinx (Virtex series).
• The approach will be to use three redundant Xilinx FPGAs (XFPGA) with one non-reprogrammable Actel FPGA (AFPGA).
• AFPGA votes on the outputs of the three XFPGAs to mitigate SEU events.
• XFPGAs will contain core avionics functions.
• Test flight will be in the May 2005 time frame.
Sync Generator
• Sync resets all three XFPGAs so they are synchronized.
  - Allows voting to reject single faults.
Selector/Voter and Latch
• Output is voted result of three inputs.
• "Error" is bit-by-bit status of an input being in the minority.
• Latched status remains set until read by SCB slave.
• Will count all errors if they occur less frequently than telemetry frame rate (0.25 sec interval).
• Downlinked in telemetry stream.
• Control bits can cause selection of one input to bypass voting.
• Useful for testing.
• Set by external connector. Voter cannot be disabled in flight.
• The following are telemetered down (per XFPGA):
  - watch-dog time-out.
  - SCB error.
  - telemetry stream error.
  - configuration error.
Voter/Selector and Error latch • This voting method requires temporal synchronization of the three XFPGAs
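A behavioral model of the voter, selector and error latch described on these two slides, added here as an illustration and not taken from the presentation or the flight VHDL. The 16-bit word width, the read-clears-latch behavior, error latching during bypass, and all names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

MASK = 0xFFFF  # assumed 16-bit word, matching the SCB data path width

def vote(a: int, b: int, c: int) -> int:
    """Bitwise 2-of-3 majority of three XFPGA output words."""
    return ((a & b) | (a & c) | (b & c)) & MASK

@dataclass
class VoterLatch:
    select: Optional[int] = None  # None = vote; 0..2 = bypass voting (test only)
    latched: List[int] = field(default_factory=lambda: [0, 0, 0])

    def clock(self, inputs) -> int:
        voted = vote(*inputs)
        for i, word in enumerate(inputs):
            # A set bit means this input was in the minority on that bit.
            # Assumption: error bits are still latched while in bypass mode.
            self.latched[i] |= (word ^ voted) & MASK
        return voted if self.select is None else inputs[self.select] & MASK

    def read_status(self) -> List[int]:
        """Status read by the SCB slave; reading clears the latch."""
        status, self.latched = self.latched, [0, 0, 0]
        return status

def count_errors(frames):
    """Run frames of (a, b, c) samples, reading status once per telemetry frame."""
    voter, counts, outputs = VoterLatch(), [0, 0, 0], []
    for frame in frames:
        outputs.append([voter.clock(sample) for sample in frame])
        for i, bits in enumerate(voter.read_status()):
            counts[i] += int(bits != 0)
    return outputs, counts

GOOD = 0xA5C3  # constructed sample word
SAMPLE_FRAMES = [  # constructed input, not flight data
    [(GOOD, GOOD, GOOD), (GOOD, GOOD ^ 0x0010, GOOD)],           # one upset, input 1
    [(GOOD ^ 0x0001, GOOD, GOOD), (GOOD ^ 0x8000, GOOD, GOOD)],  # two upsets, input 0
    [(GOOD, GOOD, GOOD)],
]

if __name__ == "__main__":
    outputs, counts = count_errors(SAMPLE_FRAMES)
    print(outputs, counts)
```

The second frame holds two upsets on the same input but adds only one to its count, which is why the slide qualifies the error count with the telemetry frame rate.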
Embedded Processor
• VHDL source code is available for various microcontrollers.
• HST currently owns COTS software tools (‘C’ compilers and assemblers) for 8051 and Microchip PIC CPUs.
• VHDL source code obtained for a microcontroller compliant with the Microchip PIC 16 instruction set (35 instructions, RISC architecture).
• Modifications made to the VHDL to add a UART, block RAM access, and an application-specific bus interface.
Serial Communications Bus
• Performs general purpose IO and data storage for the XFPGAs.
• Allows easy IO expansion while minimizing changes to PWB.
• Master resides in XFPGA, controlling one slave in the AFPGA.
• All lines to slave are voted for error rejection.
• 8-bit address. Refers to location inside SCB slave.
• 16-bit data path.
Telemetry Frame Generator
Note: The processor reads the telemetry generator’s address lines in order to watch for the start of a new frame. This allows it to update the frame counter and start I/O operations (so each frame has fresh data).
PSP Command Interface
• Conforms to ICD-19001 PSP Shuttle Interface.
• Data stream is 16kHz carrier with 180 degree phase change.
• Simple interface circuit consists of “422” receiver and discrete components.
• Allows analog or digital PSK stream.
• High sensitivity and dynamic range. 1 - 15 Vp-p input voltage range.
• 3 to 4.5Vp-p required.
• Can use differential or single-ended source.
• Data presented byte-wide to Microprocessor in FIFO.
• Minimizes processor work load.
Watch Dog
• MDM output is normally low.
• If 1 processor stops stroking watchdog for > 600 seconds, error output will go high.
• Allows for at least one reconfiguration and sync cycle.
• If > 1 processor stops for > 2 seconds, Error Output will go high.
• Stroke input is produced by Microprocessor software. Synchronous to telemetry frame (high during idle period).
• 4 Hz frequency.
Configuration Scrubber
• Configuration Scrubber consists of 2 subsystems:
  - Readback & Compare
  - Configure
Configuration Scrubber
• “Readback & Compare”
• Reads all 3 Virtex FPGAs, simultaneously compares configuration data on a byte-by-byte basis, and notes miscomparisons.
• If no Virtex miscompares, then Configuration Scrubber returns to idle state.
• If a Virtex miscompares, its configuration memory is cleared and reloaded from the PROM. At the next system sync, it will be resynchronized with the other two. No loss of system function.
• If more than one Virtex miscompares with the others, all erroneous units are cleared and reloaded from the PROM (just as is done on power-up). AFPGA holds all state information so XFPGAs can pick up where they left off when the next resynchronization occurs. Command and telemetry are lost until resynchronization.
Configuration Scrubber
• PROM SEU issues and mitigation
• PROM memory is hard to SEUs
• PROM readback is susceptible to SEUs
• Only the XFPGA which miscompares with the others is scrubbed.
• If readback encounters an SEU, the XFPGA will receive a bad load (but it already had a bad load).
• When the next scrub interval arrives, that XFPGA will again miscompare and be scrubbed.
• Probability(2 consecutive PROM readback SEUs) < 7.1e-16
• (435 days/SEU, readback time ~ 1 second → λ = 2.66e-8 SEU/readback)
XFPGA SEU Statistics
• Xilinx SEU statistics (per device):
• Results obtained by GSFC Radiation Group for XQVR1000 device
SEE Mitigation – Configuration RAM
• Expected rate : 1.1 Days/SEU in a XQVR1000 device.
• Mitigation : read back and rewrite configuration if needed.
• Afterwards, synchronization pulse puts system in lock-step.
• Net effect : Probability of <2 during one scrub period is 98.7%.
• Assumes 50% of a ‘1000 device utilized and 14 day mission.
Numbers in chart presume a ‘1000 device
SEE Mitigation – Configuration RAM
For each XFPGA:
• Mean SEU/scrub period
• Poisson Distribution
• Probability of 0 errors
• Probability of 1 or more errors
For system:
• Probability of >1 XFPGA with SEU
• Probability of <2 for duration of mission
*This presumes 50% utilization of an XQVR1000 device
SEE Mitigation – Block RAM
• Expected rate : 24 Days/SEU in a XQVR1000 device.
• This type of memory holds the telemetry frame and the Processor RAM (variables in C code).
• Mitigation : Data contained in this type of memory is updated every tlm frame based on telemetry or data from AFPGA.
• Net effect : vanishingly small.
• 0.25 sec / tlm frame. m = 1.2E-7 (SEU/tlm frame).
• Probability of >1 XFPGAs corrupted = p(system) = 4.3E-14.
• Expected time until >1 XFPGA hit = t ~ 182k years.
SEE Mitigation – CLB Flip Flops
• Expected rate : 29 Days/SEU in a XQVR1000.
• Holds variables (signals) in VHDL code.
• Mitigation : sync pulse.
• Acts as a Power-On-Reset, resets everything except PSP.
• PSP Command Decoder is reset by processor when S/W detects stopped command counter, by comparing to other two.
• Net effect : One corruption in telemetry every 511 years.
• 2.1 minutes / sync pulse. m = 5.2E-5 (SEU/sync interval).
• Probability of >1 XFPGAs corrupted = p(system) = 8.07E-9.
• Expected time until >1 XFPGA hit = t ~ 511 years.
SEE Mitigation – SEFI/POR
• Expected rate : 483 Days/SEU in a XQVR1000 device.
• Will require power cycle to clear.
• Mitigation : Watch-dog will time-out, and module will be shut down.
• Net effect : One shut down every 166 days.
• Mission length = 14 days. m = 2.9E-2 (SEU/mission).
• Probability of 0 FPGAs corrupted =
SEE Mitigation – Half Latches
• Introduced by Xilinx synthesis/layout tools to store constant values.
• Set up during configuration of the FPGA.
• Can be initiated by asserting the ‘PROGRAM’ line.
• Their state cannot be read from the configuration memory or any other means.
• Unknown upset statistics.
• GSFC Radiation report recommends elimination from design as they are not directly observable.
• Eliminated using a procedure developed by Xilinx.
• Continued functional errors can be used to trigger reconfiguration.
EEPROM SEE Statistics
• 18V04 SEU statistics:
• Results obtained by GSFC Radiation Group
* Does not include protons
SEE Mitigation – Readout Circuit
• Interface circuit susceptible to SEUs. Creates errors similar to bit flip in configuration memory.
• Since only one XFPGA is configured at one time, any errors will be erased on the next scrub cycle.
• PROM is read out only if miscompare in configuration found.
• Read out takes < 1 second (1.16E-5 days)
• Mean SEU/readout period
• Poisson Distribution
• Probability of 0 errors
• Probability of 1 or more errors
• Number of reads per error
• Corresponds to 71 years if 1 read per minute
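The Poisson arithmetic behind the Block RAM, CLB flip-flop and PROM readback slides, worked as an added example that is not part of the original presentation. It assumes three independent XFPGAs, a 365.25-day year, and the 435 days/SEU PROM readback rate from the Configuration Scrubber slide; function names are hypothetical.

```python
import math

SEC_PER_DAY = 86_400.0
SEC_PER_YEAR = 365.25 * SEC_PER_DAY  # assumed year length

def mean_upsets(days_per_seu: float, interval_s: float) -> float:
    """m: expected SEUs in one device during one exposure interval."""
    return interval_s / (days_per_seu * SEC_PER_DAY)

def p_hit(m: float) -> float:
    """Poisson probability of 1 or more upsets in the interval: 1 - e^-m."""
    return -math.expm1(-m)

def p_system(p: float) -> float:
    """Probability that more than one of three independent XFPGAs is hit."""
    return 3 * p**2 * (1 - p) + p**3

def years_until_double_hit(days_per_seu: float, interval_s: float) -> float:
    """Expected time until >1 XFPGA is hit inside the same interval."""
    p_sys = p_system(p_hit(mean_upsets(days_per_seu, interval_s)))
    return interval_s / p_sys / SEC_PER_YEAR

def prom_readback(days_per_seu: float = 435.0, readback_s: float = 1.0,
                  reads_per_minute: float = 1.0):
    """Returns (lambda per readback, P(2 consecutive bad reads), years per error)."""
    lam = mean_upsets(days_per_seu, readback_s)
    p = p_hit(lam)
    reads_per_year = reads_per_minute * 60 * 24 * 365.25
    return lam, p * p, (1 / p) / reads_per_year

if __name__ == "__main__":
    # Block RAM: 24 days/SEU, refreshed every 0.25 s telemetry frame
    print(mean_upsets(24, 0.25), years_until_double_hit(24, 0.25))
    # CLB flip-flops: 29 days/SEU, reset every 2.1 minute sync pulse
    print(mean_upsets(29, 2.1 * 60), years_until_double_hit(29, 2.1 * 60))
    # PROM readback: 435 days/SEU, ~1 s per readback
    print(prom_readback())
```

The Block RAM and PROM readback results match the slide values; the CLB flip-flop result, using the quoted 2.1 minute interval, comes out within several percent of the slide's 511 years.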