CN101819445B - Embedded satellite-borne fault-tolerant temperature control system and verification method thereof - Google Patents


Publication number
CN101819445B
Authority
CN
China
Prior art keywords
fault
temperature control
temperature
host
computer
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2010101079949A
Other languages
Chinese (zh)
Other versions
CN101819445A (en
Inventor
王青
杨飞
董朝阳
解志君
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beihang University
Original Assignee
Beihang University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beihang University filed Critical Beihang University
Priority to CN2010101079949A priority Critical patent/CN101819445B/en
Publication of CN101819445A publication Critical patent/CN101819445A/en
Application granted granted Critical
Publication of CN101819445B publication Critical patent/CN101819445B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Safety Devices In Control Systems (AREA)

Abstract

The invention discloses an embedded satellite-borne fault-tolerant temperature control system and a verification method thereof. The system comprises a satellite management computer, an on-satellite temperature control system and a ground monitoring and fault injection computer; the on-satellite temperature control system comprises a temperature control calculation host machine, a temperature control calculation standby machine and an environmental simulation computer; and the temperature control calculation host machine and the temperature control calculation standby machine are temperature control computers. The verification method comprises the following steps of: 1, initializing a file allocation; 2, initializing the system; 3, beginning simulation; 4, injecting and executing a fault; 5, processing redundant fault tolerance; 6, monitoring the ground and evaluating the fault; and 7, evaluating a fault model and a redundancy strategy of the temperature control system. The fault injection and the verification process of the whole running stage of the real satellite-borne temperature control system are completely realized; and the method is simple, convenient and reliable, and greatly reduces the test time and expense for the practical system.

Description

An embedded satellite-borne fault-tolerant temperature control system and verification method thereof
Technical field
The present invention relates to an embedded satellite-borne fault-tolerant temperature control system and a verification method thereof, and belongs to the fields of aerospace, intelligent control and embedded computer information processing.
Background
A spaceborne system operates outside the atmosphere. It is directly exposed to strong sunlight and periodically passes into the shadow of the Earth or the Moon, so it is often in an environment of extreme cold and extreme heat. If no measures are taken, the temperature varies greatly, which seriously affects the normal operation of the spaceborne computer. At present, spaceborne temperature control is divided into passive temperature control and active temperature control: passive means are applied directly over the satellite surface, while active means are placed on the equipment inside the satellite and use a servo system to regulate the flow of heat. This patent relates to active temperature control systems.
An active temperature control system mainly comprises the following 3 parts:
Thermistors: i.e. temperature sensors, distributed over every part of the spacecraft and used to obtain the temperature variation. Temperature sensors fall into two kinds according to their role. One kind is used by the spaceborne computer to control a heater or cooler, i.e. the spaceborne computer switches the heater or cooler according to the temperature measured by one or more sensors. The other kind is used only to measure temperature and does not take part directly in heater control; it serves as a backup for the first kind and replaces a sensor of the first kind when that sensor fails.
Heating/cooling devices: their switches are controlled automatically, mainly by the spaceborne computer, so that the equipment operates within the required temperature range. The control parameters are stored on the spaceborne computer in various forms and can be modified from the ground according to the in-orbit situation. These control parameters include the working mode of the heating/cooling devices, the sensor assignment and the temperature range for heater switching.
Temperature controller: mainly implements the temperature control algorithm in software and passes the control signal to the heating/cooling devices.
Because a spaceborne temperature control system stays in orbit for a long time, it is frequently subject to many disturbances such as space particle radiation, and the resulting faults can cause the software and hardware of the computer to fail. Therefore, to achieve high reliability and high safety, measures such as redundancy fault tolerance need to be used in the system, and verifying the correctness of the fault-tolerance mechanism and design has become an important step in the development of a spaceborne temperature control system. In practice the failure rate of embedded computer equipment is extremely low, and the time and course of a failure are hard to predict; in addition, spacecraft equipment is expensive and the cost of an equipment failure is very high. How to simulate equipment failure effectively, so as to verify and evaluate the redundancy fault-tolerance mechanism, has always been a difficult problem in the development of spaceborne temperature control systems. According to the literature, there is as yet no example, at home or abroad, of using a fault injection method to verify the redundancy fault-tolerance mechanism of a spaceborne temperature control system. Developing a low-cost, simple fault injection method for evaluating the reliability of the spaceborne computer system and its redundancy fault-tolerance characteristics is therefore of significant practical value.
Summary of the invention
The object of the invention is to propose an embedded satellite-borne fault-tolerant temperature control system and a verification method thereof in order to address the above problem.
An embedded satellite-borne fault-tolerant temperature control system comprises a satellite management computer, an on-satellite temperature control system, and a ground monitoring and fault injection computer;
The satellite management computer and the on-satellite temperature control system are connected through the 1553B bus; the ground monitoring and fault injection computer, the satellite management computer and the on-satellite temperature control system are connected through Ethernet;
The satellite management computer acts as the 1553B bus controller (BC). It is responsible for sending the simulation start command and the cabin temperature range reference value to the on-satellite temperature control system, and in each simulation cycle t it collects the fault information, working-state information and temperature data of the temperature control system through the 1553B bus and passes the collected data to the ground monitoring and fault injection computer. The ground monitoring and fault injection computer displays the current working state and temperature curve of the on-satellite temperature control system, in order to verify the fault-tolerance reliability of the spaceborne temperature control system;
The temperature control calculation host and the temperature control calculation standby machine adopt a primary/standby dual-machine redundancy strategy. After the simulation begins, each receives through the 1553B bus the cabin temperature range reference value sent by the satellite management computer, and in each simulation cycle t receives the current cabin temperature data sent by the environmental simulation computer. Based on the cabin temperature range reference value, the current cabin temperature is controlled, and the computed temperature control instruction to switch the heater or cooler on or off is returned to the environmental simulation computer;
The environmental simulation computer acts as the data source of the on-satellite temperature control system and is used to simulate the cabin temperature variation during the flight of an actual spaceborne system. A temperature curve is fitted to real temperature data by spline interpolation. The environmental simulation computer has built-in cabin temperature models for the sunlit side and the shaded side, and simulates the temperature variation when the spaceborne system is on the sunlit side or the shaded side with the actuator not working, with the heater on, and with the cooler on; the actuator is a heater or a cooler;
The ground monitoring and fault injection computer performs the data monitoring and fault injection functions. Through it, the user injects fault information into the on-satellite temperature control system and the environmental simulation computer. The on-satellite temperature control system receives and parses the fault information, reproduces the corresponding fault and, according to the effect the fault causes, applies the predefined fault-tolerance strategy to carry out redundancy fault-tolerance handling on the system, ensuring that the system remains in a normal operating state.
A verification method for the embedded satellite-borne fault-tolerant temperature control system comprises the following steps:
Step 1, initialization file configuration;
The ground monitoring and fault injection computer configures the initialization file of the temperature control system. The configuration content comprises the 1553B bus dual-redundancy mode of the temperature control calculation host and the temperature control calculation standby machine, the cabin temperature range setting, and the fault information scheduled to occur. After the configuration file has been generated, it waits for the on-satellite temperature control computers to log in through Ethernet and fetch it;
Step 2, system initialization;
I. If the simulation has not begun: after the temperature control calculation host and the temperature control calculation standby machine start up, each connects as a client and logs in to the ground monitoring and fault injection computer, obtains the configuration file, initializes the system according to the configuration file information, and waits for the simulation to begin;
II. If the simulation has begun, the temperature control calculation host or the temperature control calculation standby machine is restarting after a fault; the computer is then re-initialized according to the current configuration file information and Ethernet information, and simulation resumes from the current time.
Step 3, simulation start;
The satellite management computer sends the simulation start command, and the on-satellite temperature control calculation host, the temperature control calculation standby machine and the environmental simulation computer begin simulation simultaneously. The environmental simulation computer periodically sends temperature data and temperature sensor status information to the temperature control calculation host and the temperature control calculation standby machine. After receiving them, the host and the standby machine, based on the cabin temperature range reference value, produce the command signal that switches the heater or cooler on or off and return it to the environmental simulation computer. The environmental simulation computer runs the temperature simulation algorithm according to the command signal and simulates the current temperature variation;
Step 4, fault injection and execution;
After the simulation begins, the ground monitoring and fault injection computer can configure fault information at any time and send it through Ethernet to the environmental simulation computer for fault injection;
The temperature control computer reads the pre-configured faults, and the faults injected in real time through the ground monitoring and fault injection computer, as a fault model consisting of faulty system, faulty subsystem, fault location, fault type, scheduled fault occurrence time and scheduled fault duration; it converts this into the fault manifestation at the given time and executes it at the scheduled time;
Step 5, redundancy fault-tolerance handling;
The temperature control system handles the fault that has occurred, according to its type, using the redundancy fault-tolerance mechanism. For a single heater or sensor fault, it continues working by using the other heaters; for a single temperature sensor fault, it uses three-way voting and outputs from the remaining two temperature sensors; for an unrecoverable fault of the temperature control calculation host, the system automatically switches to the temperature control calculation standby machine, ensuring that the system runs normally;
Step 6, ground monitoring and fault evaluation;
The ground monitoring and fault injection computer monitors the working state and temperature curve of the temperature control system in real time. When a fault occurs, it monitors whether the fault manifests correctly, whether the handling by the redundancy fault-tolerance mechanism is effective, and whether the system can continue working. If the system does not switch over in the preset manner, a forced switching command is sent, to determine whether switching can be forced by a command signal from the ground;
Step 7, the fault model and redundancy strategy of the temperature control system are evaluated; if they do not meet the requirements, the fault model and redundancy strategy are redesigned and a new round of verification is carried out;
a) If the fault model and redundancy strategy of the current temperature control system achieve the expected function in the simulation and the indices meet the intended design requirements, the current fault model and redundancy strategy are kept as a candidate scheme;
b) If the fault model and redundancy strategy of the current temperature control system do not achieve the expected function in the simulation, or the indices do not meet the intended design requirements, the fault model and redundancy strategy are redesigned and a new round of simulation verification is carried out, until the fault model and redundancy strategy meet the functional requirements.
The advantages of the invention are:
(1) The data bus adopted in the invention is the 1553B bus, which has advantages such as reliable and fast data transmission. It has seen some application in aviation, but in aerospace systems, especially spaceborne spacecraft, it is still at the development stage. The 1553B bus adopted here is not only a successful experimental verification but also conforms to the development trend of future aerospace systems, and has practical development prospects;
(2) The invention fully realizes fault injection and verification over the whole operating stage of a real spaceborne temperature control system; the method is simple and reliable, and greatly reduces the test time and expense of the real system;
(3) The environmental simulation computer of the invention uses Ethernet communication to realize remote fault injection and, through its built-in temperature sensor module, redundancy fault-tolerance processing module and environment temperature simulation algorithm module, realizes an environmental simulation scheme for a physical fault-tolerant temperature control system;
(4) The environmental simulation computer adopts its own environmental simulation algorithm, and the environment temperature models for the three cases cover the actual temperature control process of a spaceborne temperature control system;
(5) The temperature control calculation host and the temperature control calculation standby machine adopt a dual-machine backup redundancy mechanism, configured at the 1553B bus terminal. By logging in to the ground monitoring and fault injection computer, the host and the standby machine receive the initial configuration file and configure the system as the RT-RT hot standby mode or the RT-BM cold standby mode;
(6) The invention is a verification system that fully realizes fault injection and verification for a satellite-borne fault-tolerant temperature control system, with characteristics such as a short time cycle, user-configurable faults and real-time fault injection. The invention provides experimental guidance for research on fault-tolerant temperature control schemes for future spacecraft systems, and is of far-reaching significance for applying this technique in the integrated control of actual spacecraft systems.
Description of drawings
Fig. 1 is a structural diagram of the embedded satellite-borne fault-tolerant temperature control system of the invention;
Fig. 2 is a flow chart of the verification method of the invention;
Fig. 3 is a flow chart of step 2 of the method of the invention;
Fig. 4 is a flow chart of step 3 of the method of the invention;
Fig. 5 is a flow chart of step 4 of the method of the invention;
In the figures:
1 - satellite management computer; 2 - on-satellite temperature control system; 3 - ground monitoring and fault injection computer
201 - temperature control calculation host; 202 - temperature control calculation standby machine; 203 - environmental simulation computer
Detailed description
The invention is described in further detail below with reference to the drawings and an embodiment.
An embedded satellite-borne fault-tolerant temperature control system of the invention, as shown in Fig. 1, comprises a satellite management computer 1, an on-satellite temperature control system 2, and a ground monitoring and fault injection computer 3;
The on-satellite temperature control system 2 comprises a temperature control calculation host 201, a temperature control calculation standby machine 202 and an environmental simulation computer 203; the temperature control calculation host 201 and the temperature control calculation standby machine 202 are the temperature control computers;
The satellite management computer 1 and the on-satellite temperature control system 2 are connected through the 1553B bus; the ground monitoring and fault injection computer 3, the satellite management computer 1 and the on-satellite temperature control system 2 are connected through Ethernet;
The satellite management computer 1 acts as the 1553B bus controller (Bus Controller, BC). It is responsible for sending the simulation start command and the cabin temperature range reference value, and in each simulation cycle t it collects the fault information, working-state information and temperature data of the temperature control system through the 1553B bus and passes the collected data through Ethernet to the ground monitoring and fault injection computer 3. The ground monitoring and fault injection computer 3 displays the current working state and temperature curve of the on-satellite temperature control system 2, in order to verify the fault-tolerance reliability of the spaceborne temperature control system.
The on-satellite temperature control system 2 adopts a primary/standby dual-machine redundancy strategy. After the simulation begins, it first receives through the 1553B bus the cabin temperature range reference value sent by the satellite management computer 1, and in each simulation cycle t receives through Ethernet the current cabin temperature data sent by the environmental simulation computer 203. Then, according to the cabin temperature range reference value, it decides whether the heater or cooler needs to be switched on or off to control the current cabin temperature, and returns the computed temperature control instruction for switching the heater or cooler on or off to the environmental simulation computer 203 through Ethernet;
The environmental simulation computer 203 acts as the data source of the on-satellite temperature control system 2 and is used to simulate the cabin temperature variation during the flight of an actual spaceborne system. A temperature curve is fitted to real temperature data by spline interpolation. The environmental simulation computer 203 has built-in cabin temperature models for the sunlit side and the shaded side, and simulates the temperature variation when the spaceborne system is on the sunlit side or the shaded side with the actuator not working, with the heater on, and with the cooler on; the actuator is a heater or a cooler. After the simulation begins, in each simulation cycle t it transmits the simulated current temperature data through Ethernet to the on-satellite temperature control system 2 and receives the temperature control instruction from the temperature control computer; it then simulates the actuator being switched on or off according to the instruction and, according to the current cabin temperature and the actuator state, simulates the temperature variation as the actuator is switched on and off;
The ground monitoring and fault injection computer 3 performs the data monitoring and fault injection functions. It injects fault information through Ethernet into the on-satellite temperature control system 2 and the environmental simulation computer. After the on-satellite temperature control system 2 and the environmental simulation computer receive and parse the fault information, a fault characterization routine reproduces the corresponding fault; then, according to the effect the fault causes, the predefined fault-tolerance strategy is applied to carry out redundancy fault-tolerance handling on the system, ensuring that the system remains in a normal operating state;
The environmental simulation computer 203 comprises an Ethernet communication module, an environment temperature simulation algorithm module, a fault injection processing module, a redundancy fault-tolerance processing module and a temperature sensor module;
The Ethernet communication module is encapsulated as a class and carries out the Ethernet communication and data transmission among the environmental simulation computer 203, the temperature control computers, and the ground monitoring and fault injection computer 3;
The environment temperature simulation algorithm module obtains the temperature control instruction sent by the temperature control computer, simulates the temperature variation as the actuator is switched on or off according to the current cabin temperature and the actuator state, and stores the changed temperature data;
The temperature sensor module simulates the function of the temperature sensors: it collects the temperature data output by the environment temperature simulation algorithm module, packs it and outputs it to the temperature control computer;
The fault injection processing module receives at any time the fault information injected by the ground monitoring and fault injection computer 3. After the simulation begins, the timer of the fault injection processing module polls the fault information; when the timer determines that the fault occurrence time has arrived, the corresponding fault is simulated on the system according to the fault information;
The redundancy fault-tolerance processing module is responsible for handling the corresponding fault after it occurs, ensuring normal operation of the system and normal data output. When a temperature sensor fails, temperature data are output according to the data redundancy mode of three-way temperature sensor voting.
The environment temperature simulation algorithm module contains temperature models for the sunlit side and the shaded side, and simulates the temperature variation when the spaceborne system is on the sunlit side or the shaded side with the actuator not working, with the heater on, and with the cooler on.
Specifically:
1) When the actuator is not working, i.e. the heater and the cooler are both fully off;
With all actuators off, there are two temperature models: on the sunlit side the cabin temperature increases automatically, and on the shaded side the cabin temperature decreases automatically;
as follows:
Temperature increase: $T = T' + (T_a + \mathrm{Rand})$, where $T'$ is the temperature at the previous moment, $T_a$ is the amplitude by which the temperature increases per second, and $\mathrm{Rand}$ is a random number between 0 and 1; $T_a$ and $\mathrm{Rand}$ are variables set according to actual conditions, and the usual range of values is 0.6 to 0.8.
Temperature decrease: $T = T' - (T_b + \mathrm{Rand})$, where $T_b$ is the amplitude by which the temperature decreases per second; $T_b$ and $\mathrm{Rand}$ are set according to actual conditions, and the usual range of values is 0.8 to 1.2.
2) When the heater of the actuator is working;
When a heater is working, the temperature variation depends on the number of heaters working and on their working time. Temperature data obtained by telemetry with the heater on are used to model the temperature variation and to calculate the influence of one heater on the ambient temperature (as a function of time).
Table 1: Temperature variation trend of the spaceborne system
Time (s)          0     1     2     3     4     5     6     7     8     9     10
Increment (°C)    0     0.1   0.5   0.5   0.6   0.8   0.9   0.9   1.0   1.0   0.9
Temperature (°C)  0     0.1   0.6   1.1   1.7   2.5   3.4   4.3   5.3   6.3   7.2

Time (s)          11    12    13    14    15    16    17    18    19    20    21
Increment (°C)    1.0   1.0   1.0   0.9   0.9   1.0
Temperature (°C)  8.2   9.2   10.2  11.1  12    13
As the temperature differences in Table 1 show, when the heater is working the temperature changes more slowly during the first 5 seconds; after 5 seconds the temperature increment stabilizes and the temperature rises by essentially 0.9 to 1.0 °C per second. The table lists only the first 16 seconds of data; data after 16 seconds can be obtained by assuming an increase of 0.9 to 1.0 degrees per second.
The model is built from the heater on-time and the temperature increment data, using spline interpolation as the modeling method;
Cabin temperature model: $T = T_{\text{initial}} + T_{\text{increase}}(t)$, where $T_{\text{initial}}$ is the initial temperature and $T_{\text{increase}}(t)$ is the temperature increase when the heater has been on for t seconds,
Figure GSA00000019519000071
Figure GSA00000019519000072
denotes the temperature increase when n heaters have been on for t seconds, where $0 < t_i < t$, $i = 1, 2, \ldots, n$, $t_i$ is the on-time of the i-th heater, and n is the number of heaters switched on;
3) When the cooler of the actuator is working;
Modeling of the ambient temperature when a cooler is working is similar to the heater case: the model is built from the cooler on-time and the temperature decrement data, using spline interpolation as the modeling method;
Cabin temperature model: $T = T_{\text{initial}} - T_{\text{decrease}}(t)$, where $T_{\text{initial}}$ is the initial temperature and $T_{\text{decrease}}(t)$ is the temperature decrease when the cooler has been on for t seconds,
Figure GSA00000019519000073
Figure GSA00000019519000074
denotes the temperature decrease when n' coolers have been on for t seconds, where $0 < t'_{i'} < t$, $i' = 1, 2, \ldots, n'$, $t'_{i'}$ is the on-time of the i'-th heater, and n' is the number of coolers switched on.
The temperature data acquisition process of the temperature sensor module is as follows: three temperature sensors are set on the sunlit side and on the shaded side respectively to collect data. As shown in Table 2, the temperature data are processed by three-way voting. M1, M2 and M3 denote the temperature data collected by the three temperature sensors and e is a preset threshold; when the difference between two temperature values is less than this threshold, the two values are considered close, i.e. both valid or both invalid;
Table 2: Implementation of three-way sensor voting
Decision condition                        Invalid value    Preferred value
|M1-M2|<e, |M3-M2|<e, |M1-M3|<e           0                (M1+M2+M3)/3
|M3-M2|<e, |M1-M2|>e, |M1-M3|>e           M1               (M2+M3)/2
|M1-M2|<e, |M1-M3|>e, |M3-M2|>e           M3               (M1+M2)/2
|M1-M3|<e, |M1-M2|>e, |M3-M2|>e           M2               (M1+M3)/2
|M3-M2|<e, |M1-M2|>e, |M1-M3|<e           No valid value
When the fault injection processing module of the environmental simulation computer 203 receives a temperature sensor fault injected by the ground monitoring and fault injection computer 3, it adds a corresponding random number to the output value of the affected temperature sensor, so that the value drifts beyond the set threshold and simulates the fault. The temperature sensor module then applies the three-way voting redundancy mode, filters out the temperature data of the faulty temperature sensor, and outputs the average of the remaining two valid sensor temperatures.
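The voting rule of Table 2 combined with the timed sensor drift fault described above, as an added example in C (not code from the patent). All identifiers, the drift magnitude, the cycle numbers and the sensor noise offsets are constructed for illustration; two readings that are not closer than e are treated as differing, and any combination of conditions outside the first four rows of Table 2 is reported as no valid value.

```c
#include <stdio.h>

/* Outcome of one vote over three sensor readings (Table 2). */
typedef enum { VOTE_ALL_VALID, VOTE_ONE_INVALID, VOTE_NO_VALID } vote_status;

typedef struct {
    vote_status status;
    int invalid_sensor;  /* 1..3 when exactly one reading is rejected, else 0 */
    double value;        /* preferred value; not meaningful for VOTE_NO_VALID */
} vote_result;

/* Hypothetical fault record: a subset of the fault model fields
 * (location, scheduled occurrence time, scheduled duration). */
typedef struct {
    int sensor;          /* faulty sensor, 1..3 */
    int start_cycle;     /* simulation cycle at which the fault begins */
    int duration;        /* number of cycles the fault lasts */
    double drift;        /* constructed fixed offset; the text uses a random number */
} sensor_fault;

/* Constructed demo fault: sensor 2 drifts by 5.0 during cycles 3..6. */
static const sensor_fault DEMO_FAULT = { 2, 3, 4, 5.0 };

static double absd(double x) { return x < 0 ? -x : x; }

/* Three-way vote. A pair "agrees" when its difference is below e. */
vote_result vote3(double m1, double m2, double m3, double e)
{
    int a12 = absd(m1 - m2) < e;
    int a23 = absd(m3 - m2) < e;
    int a13 = absd(m1 - m3) < e;
    vote_result r = { VOTE_NO_VALID, 0, 0.0 };

    if (a12 && a23 && a13) {            /* row 1: all three agree */
        r.status = VOTE_ALL_VALID;
        r.value = (m1 + m2 + m3) / 3.0;
    } else if (a23 && !a12 && !a13) {   /* row 2: M1 is the outlier */
        r.status = VOTE_ONE_INVALID; r.invalid_sensor = 1;
        r.value = (m2 + m3) / 2.0;
    } else if (a12 && !a13 && !a23) {   /* row 3: M3 is the outlier */
        r.status = VOTE_ONE_INVALID; r.invalid_sensor = 3;
        r.value = (m1 + m2) / 2.0;
    } else if (a13 && !a12 && !a23) {   /* row 4: M2 is the outlier */
        r.status = VOTE_ONE_INVALID; r.invalid_sensor = 2;
        r.value = (m1 + m3) / 2.0;
    }
    /* Anything else, including a "chain" where two pairs agree but the
     * third does not, identifies no single outlier: no valid value. */
    return r;
}

/* Polled once per simulation cycle, as the fault injection timer does. */
int fault_active(const sensor_fault *f, int cycle)
{
    return cycle >= f->start_cycle && cycle < f->start_cycle + f->duration;
}

/* One simulation cycle: produce three readings around the simulated cabin
 * temperature, apply the injected drift if the fault is active, then vote. */
vote_result run_cycle(int cycle, double cabin_temp, const sensor_fault *f, double e)
{
    /* Constructed per-sensor measurement offsets. */
    double m[3] = { cabin_temp + 0.05, cabin_temp - 0.03, cabin_temp + 0.01 };

    if (f && f->sensor >= 1 && f->sensor <= 3 && fault_active(f, cycle))
        m[f->sensor - 1] += f->drift;
    return vote3(m[0], m[1], m[2], e);
}

int main(void)
{
    for (int cycle = 0; cycle < 10; cycle++) {
        vote_result r = run_cycle(cycle, 20.0, &DEMO_FAULT, 0.5);
        if (r.status == VOTE_NO_VALID)
            printf("cycle %d: no valid value\n", cycle);
        else
            printf("cycle %d: output %.2f, rejected sensor %d\n",
                   cycle, r.value, r.invalid_sensor);
    }
    return 0;
}
```

A drift smaller than e would pass the vote unnoticed and shift the averaged output, so the threshold bounds the error the voter can mask.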
The on-satellite temperature control calculation host 201 and temperature control calculation standby machine 202 use a dual-machine backup redundancy scheme. In terms of 1553B bus terminal configuration, the host and standby machine can realize dual-machine redundancy in two ways. In the first, the hot-standby mode, the host is configured as a remote terminal (RT) and the standby machine is also configured as an RT. In the second, the cold-standby mode, the host is configured as an RT and the standby machine as a bus monitor (BM). Before simulation, the user sets the backup mode and the corresponding remote terminal address and subaddress information on the ground monitoring and fault injection computer 3, which writes this information to a text file as the initial configuration file. After host 201 and standby machine 202 start, each connects over Ethernet and logs in to the ground monitoring and fault injection computer 3, receives its own initial configuration file, and configures itself as the corresponding bus terminal according to that file; that is, the host and standby machine are configured for either the RT-RT hot-standby switching mode or the RT-BM cold-standby switching mode, and then wait for the simulation to start.
The RT-RT hot-standby switching mode is a redundancy switching mechanism at the RT level. Host 201 and standby machine 202 each have an independent RT address, and both receive data and perform the calculation, but only host 201 outputs data. Switching between host 201 and standby machine 202 is carried out by the on-satellite BC, either by setting up a message list with branches, i.e. a jump instruction that redirects the message sequence when a message fails, or by setting up messages that poll the RTs of the host and standby machine and then selecting the normally working RT to output data; that is, when the RT of host 201 fails, the RT of standby machine 202 is accessed for output data.
In the RT-BM cold-standby switching mode, host 201 works as the host and outputs data, while standby machine 202 performs no calculation but, as a BM, monitors the host's data state over the 1553B bus. When host 201 fails, standby machine 202 detects the fault in host 201's bus data, reconfigures itself as the host RT, takes over the work of host 201, and outputs data.
In both switching modes, host 201 and standby machine 202 also periodically send their local state information to each other over Ethernet. When host 201 fails, standby machine 202 switches over and takes over the host's work. After the faulty machine restarts, it first receives Ethernet data and uses the received state information to determine whether a host currently exists in the system. If a host exists, it sets itself as the backup machine: it either calculates without outputting, as a backup RT, or monitors the running host as a BM, ready to take over the host's work at any time.
The ground monitoring and fault injection computer 3 comprises a fault library and a fault injection controller.
The fault library collects the fault types that may occur while the temperature control system is working. Each fault model in the fault library comprises the fault type, injection mode, injection address, time of occurrence of the fault, and duration of the fault.
The fault injection controller is the management program for the fault injection models and controls the whole fault injection process. The user selects a fault model, and the fault injection controller injects the selected fault into the applications running on host 201, standby machine 202, and environmental simulation computer 203.
The fault injection controller divides the fault injection process into pre-configured fault injection and real-time fault injection.
Pre-configuration means that the ground monitoring and fault injection computer 3 provides a human-machine interface through which the user searches the fault library, selects specific fault models, and generates a fault information list ordered by time; the list is merged into the initial configuration file, which the temperature control computers read over Ethernet.
Real-time fault injection means that, after the simulation has started, the user selects a fault model in real time on the ground monitoring and fault injection computer 3, which generates a data packet in a specific format and sends it to the temperature control computers over Ethernet, thereby injecting the fault in real time.
A fault characterization unit is provided in each of environmental simulation computer 203, host 201, and standby machine 202. The unit parses the injected fault information using a fault parsing model, converts it into the corresponding fault, and simulates the occurrence and manifestation of the fault at its scheduled time. The fault parsing models correspond one-to-one with the fault models in the fault library: whenever a fault model is added, the corresponding fault parsing model must be added as well.
The verification method for the embedded satellite-borne fault-tolerant temperature control system of the present invention, whose flow is shown in Fig. 2, comprises the following steps:
Step 1: initialization file configuration
The ground monitoring and fault injection computer 3 performs the initialization file configuration for the temperature control system. The configuration covers the 1553B bus dual-machine redundancy mode of host 201 and standby machine 202, the cabin temperature range setpoints, and the fault information scheduled to occur. After the configuration file is generated, computer 3 waits for the on-satellite temperature control computers to log in over Ethernet and retrieve it.
Step 2: system initialization
I. If the simulation has not started: after host 201 and standby machine 202 start, each connects as a client and logs in to the ground monitoring and fault injection computer 3, obtains the configuration file, initializes the system according to the configuration file, and waits for the simulation to start;
II. If the simulation has already started: this indicates that host 201 or standby machine 202 is restarting after a fault; the host or standby machine is then reinitialized according to the current configuration file and Ethernet information, and resumes the simulation from the current time;
As shown in Fig. 3, this comprises the following steps:
1. Host 201 and standby machine 202 are powered on and started simultaneously and initialize their local network interfaces;
2. The temperature control computer determines whether it has previously received a configuration file;
(1) If the temperature control computer has not received a configuration file, this is its first start. It logs in to the ground fault injection computer, obtains the configuration file, reads it directly, determines its working state, and initializes accordingly: if the configuration specifies hot standby, both the host and the standby machine are initialized as RTs; if it specifies cold standby, the host is configured as an RT and the standby machine as a BM;
(2) If it has already received a configuration file, it assumes by default that it is restarting after a fault. It communicates with the standby machine directly over Ethernet to obtain the standby machine's current working state; if the standby machine is now acting as host, it records that it must configure itself as the standby machine. It then reads the configuration file, modifies its own state, and initializes;
3. After host 201 and standby machine 202 have each initialized, temperature control begins. Host 201, as the output machine, handles data transfer on the bus and outputs the temperature control instructions; standby machine 202 monitors over the bus whether the host state is normal. At the same time, the host and standby machine exchange state data and synchronize data over Ethernet, so that the standby machine can take over from the current calculation point if the host fails;
4. The temperature control computer periodically checks whether a fault has been injected; when an injected fault occurs at its scheduled time, it is handled according to its fault type;
5. If the fault is an intermittent, recoverable fault, work continues after the fault recovers and no host/standby switchover is performed;
6. If the fault is a heater, cooler, or sensor fault, work continues using another heater, cooler, or sensor, and no host/standby switchover is performed;
7. If the fault is a crash fault, a host/standby switchover is performed and the faulty machine reinitializes after restarting.
Step 3: start of simulation
Satellite management computer 1 sends the simulation start instruction, and host 201, standby machine 202, and environmental simulation computer 203 begin simulating simultaneously. Environmental simulation computer 203 periodically sends temperature data and temperature sensor state information to host 201 and standby machine 202. On receiving them, host 201 and standby machine 202 generate, according to the cabin temperature range reference values, command signals that switch a heater or cooler on or off and return them to environmental simulation computer 203, which runs the temperature simulation algorithm according to the command signals to simulate the change in the current temperature.
The specific steps, shown in Fig. 4, are as follows:
1) Initialize the temperature control system. Satellite management computer 1 sends the simulation start instruction over the 1553B bus, and host 201, standby machine 202, and environmental simulation computer 203 begin simulating simultaneously. The temperature control computer first receives, on the 1553B bus, the upper and lower temperature control reference values sent by satellite management computer 1, which define the range used for temperature control decisions.
2) Environmental simulation computer 203 simulates the cabin temperature at the current time according to the current stage of the simulation run and periodically sends it to the temperature control computer, which acquires it as the cabin temperature data;
3) The temperature control computer compares the acquired temperature data with the preset cabin temperature range reference values, first determining whether a heater or cooler is currently switched on;
(1) If a heater or cooler is on, it periodically checks whether the current cabin temperature T_meas has gone beyond the heater setpoint T_heat_set or the cooler setpoint T_cool_set. If so, it sends an instruction to environmental simulation computer 203 over Ethernet to switch off the heater or cooler that is on; if not, the heater or cooler stays on and the check is repeated in the next period;
(2) If neither a heater nor a cooler is on, it periodically checks, from the current cabin temperature, whether T_meas is below the minimum temperature T_low; if so, it sends an instruction to environmental simulation computer 203 over Ethernet to switch on the heater. Otherwise it checks whether T_meas is above the maximum temperature T_high, and if so sends an instruction to environmental simulation computer 203 over Ethernet to switch on the cooler. If neither needs to be switched on, they remain off and the check is repeated in the next period;
4) After environmental simulation computer 203 receives a temperature control instruction, it runs the corresponding environment temperature simulation algorithm module according to the instruction and obtains the corresponding ambient temperature data for the next period's temperature acquisition.
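The control rule of step 3) can be exercised against the sunlit-side drift model T = T' + (T_a + Rand) in a few lines of C. This is an added example, not code from the patent: the switch-off setpoints (23 and 21 °C), the reading of "beyond the setpoint" as above it for the heater and below it for the cooler, and the linear cooler effect standing in for the spline-fitted model are all assumptions; only the 19 to 25 °C sunlit range comes from the embodiment.

```c
#include <stdio.h>

enum actuator { ALL_OFF, HEATER_ON, COOLER_ON };

/* Reference values; t_heat_set and t_cool_set are assumed switch-off setpoints. */
struct limits { double t_low, t_high, t_heat_set, t_cool_set; };

/* Step 3): one control period. Returns the actuator state to command next. */
enum actuator control_step(enum actuator cur, double t_meas,
                           const struct limits *l)
{
    switch (cur) {
    case HEATER_ON:             /* (1) actuator running: only a switch-off test */
        return t_meas > l->t_heat_set ? ALL_OFF : HEATER_ON;
    case COOLER_ON:
        return t_meas < l->t_cool_set ? ALL_OFF : COOLER_ON;
    default:                    /* (2) idle: low limit first, then high limit */
        if (t_meas < l->t_low)  return HEATER_ON;
        if (t_meas > l->t_high) return COOLER_ON;
        return ALL_OFF;
    }
}

/* Repeatable stand-in for Rand in [0, 1). */
static unsigned lcg_state = 1u;
static double rand01(void)
{
    lcg_state = lcg_state * 1103515245u + 12345u;
    return ((lcg_state >> 16) & 0x7fffu) / 32768.0;
}

struct run_stats { double t_min, t_max; int cooler_starts, heater_starts; };

/* Steps 2) to 4) on the sunlit side for `periods` one-second periods. */
struct run_stats simulate_sunlit(int periods, double t0, double t_a,
                                 double cool_rate, const struct limits *l)
{
    struct run_stats s = { t0, t0, 0, 0 };
    enum actuator act = ALL_OFF, next;
    double t = t0;
    int k;

    lcg_state = 1u;
    for (k = 0; k < periods; k++) {
        /* Environment: assumed linear drop while cooling, otherwise the
         * sunlit drift (the heater spline model is not on the page). */
        if (act == COOLER_ON)
            t -= cool_rate;
        else
            t += t_a + rand01();
        if (t < s.t_min) s.t_min = t;
        if (t > s.t_max) s.t_max = t;

        /* Controller: decide from the temperature just acquired. */
        next = control_step(act, t, l);
        if (next == COOLER_ON && act != COOLER_ON) s.cooler_starts++;
        if (next == HEATER_ON && act != HEATER_ON) s.heater_starts++;
        act = next;
    }
    return s;
}

int main(void)
{
    struct limits sunlit = { 19.0, 25.0, 23.0, 21.0 };
    struct run_stats s = simulate_sunlit(200, 22.0, 0.2, 0.8, &sunlit);

    printf("min %.2f max %.2f cooler starts %d heater starts %d\n",
           s.t_min, s.t_max, s.cooler_starts, s.heater_starts);
    return 0;
}
```

Because the decision is taken once per period, the cabin temperature overshoots each limit by at most one period's change, which is the bound a ground operator should expect on the temperature curve.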
Step 4: fault injection and execution
After the simulation starts, the ground monitoring and fault injection computer 3 can configure fault information at any time and send it over Ethernet to environmental simulation computer 203 for fault injection.
The temperature control computer parses the pre-configured faults and the fault models injected in real time by the ground monitoring and fault injection computer 3 into: faulty system, faulty subsystem, fault location, fault type, scheduled fault occurrence time, and scheduled fault duration. It converts them into the fault behaviour at the given time and executes them at the scheduled time.
The flow, shown in Fig. 5, comprises the following steps:
a. After the simulation starts, the ground monitoring and fault injection computer 3 determines whether faults are to be configured; the fault configuration modes are pre-configured faults and real-time fault injection;
b. In the pre-configured mode, the user configures several faults in chronological order before the simulation; after generating the fault information list, the ground monitoring and fault injection computer 3 merges it into the configuration file, which is read when the temperature control computer initializes;
c. In the real-time injection mode, the user selects a fault from the fault library, configures the fault information, and sends it to the temperature control computer over Ethernet as a data packet;
d. The temperature control computer sorts the received pre-configured faults and real-time injected faults by time;
e. When a fault falls due, the temperature control computer parses the fault information and then executes the fault. After the fault occurs, depending on its type and effect, the temperature control system uses the redundancy switching mechanism to perform a host/standby switchover or to mask the device;
f. After the redundancy switchover, the temperature control system collects its own post-switchover state information and sends it to the ground fault injection computer for monitoring; at the same time it updates its own fault list and waits for the next fault.
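Steps d to f amount to a time-ordered fault list that is polled every period. The sketch below is an added example, not the patent's code: it merges pre-configured and real-time faults, fires them when due, and maps each fault class to the response given in the initialization flow. The numeric ids, the type encoding, the "0 = permanent" duration, and the 120 s arrival time of the real-time packet are constructed; the 100 s, 105 s and 150 s faults are those of the embodiment.

```c
#include <stdio.h>

/* Fault classes named in the description; the numeric values are assumed. */
enum fault_type { F_TRANSIENT, F_HEATER, F_COOLER, F_SENSOR, F_CRASH };
/* Redundancy responses described for each class. */
enum response { R_CONTINUE, R_MASK_DEVICE, R_SWITCHOVER };

/* One parsed fault message: the six fields listed in step 4. */
struct fault {
    int system, subsystem, location;  /* constructed numeric ids */
    enum fault_type type;
    unsigned t_start;                 /* scheduled occurrence, seconds */
    unsigned duration;                /* seconds; 0 = permanent (assumed) */
};

struct event { unsigned time; enum fault_type type; enum response resp; };

#define MAX_FAULTS 16
struct fault_list { struct fault items[MAX_FAULTS]; int count; };

/* Step d: insert into the time-ordered list. Returns 0, or -1 when full. */
int fl_insert(struct fault_list *fl, struct fault f)
{
    int i;

    if (fl->count >= MAX_FAULTS)
        return -1;
    /* Shift later faults right; ">" keeps arrival order for equal times. */
    for (i = fl->count; i > 0 && fl->items[i - 1].t_start > f.t_start; i--)
        fl->items[i] = fl->items[i - 1];
    fl->items[i] = f;
    fl->count++;
    return 0;
}

/* Step e: device faults are masked, a crash forces a host/standby switchover,
 * an intermittent recoverable fault needs neither. */
enum response respond(enum fault_type type)
{
    switch (type) {
    case F_HEATER: case F_COOLER: case F_SENSOR: return R_MASK_DEVICE;
    case F_CRASH:                                return R_SWITCHOVER;
    default:                                     return R_CONTINUE;
    }
}

/* Steps e and f: fire every fault due at `now`, log it, and drop it from the
 * list. A fault injected after its scheduled time fires on the next poll. */
int fl_poll(struct fault_list *fl, unsigned now, struct event *out, int cap)
{
    int fired = 0, i;

    while (fl->count > 0 && fl->items[0].t_start <= now && fired < cap) {
        out[fired].time = now;
        out[fired].type = fl->items[0].type;
        out[fired].resp = respond(fl->items[0].type);
        fired++;
        for (i = 1; i < fl->count; i++)
            fl->items[i - 1] = fl->items[i];
        fl->count--;
    }
    return fired;
}

/* Replays the embodiment up to t_end; returns the number of events logged. */
int run_embodiment(unsigned t_end, struct event *out, int cap)
{
    struct fault heater1    = { 2, 1, 1,   F_HEATER, 100, 0 };
    struct fault sensor1    = { 2, 2, 1,   F_SENSOR, 105, 0 };
    struct fault host_crash = { 2, 0, 201, F_CRASH,  150, 0 };
    struct fault_list fl;
    unsigned t;
    int n = 0;

    fl.count = 0;
    fl_insert(&fl, sensor1);          /* pre-configured, given out of order */
    fl_insert(&fl, heater1);
    for (t = 0; t <= t_end; t++) {
        if (t == 120)                 /* real-time packet arrives */
            fl_insert(&fl, host_crash);
        n += fl_poll(&fl, t, out + n, cap - n);
    }
    return n;
}

int main(void)
{
    struct event ev[8];
    int i, n = run_embodiment(200, ev, 8);

    for (i = 0; i < n; i++)
        printf("t=%us type=%d response=%d\n", ev[i].time, ev[i].type, ev[i].resp);
    return 0;
}
```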
Step 5: redundancy fault-tolerance handling
The temperature control system handles the fault that has occurred with its redundancy fault-tolerance mechanism, according to the fault type. For a single heater or sensor fault, work continues using another heater; for a single temperature sensor fault, triple-redundancy voting is used and the output is taken from the two remaining temperature sensor channels; for an unrecoverable fault of host 201, the system automatically switches to standby machine 202 so that the system keeps running normally.
Step 6: ground monitoring and fault evaluation
The ground monitoring and fault injection computer 3 monitors the working state and temperature curve of the temperature control system in real time. When a fault occurs, it monitors whether the fault manifests correctly, whether the redundancy fault-tolerance mechanism handles it effectively, and whether the system can continue working. If the system does not switch over in the preset way, a forced switchover instruction is sent, to determine whether a switchover can be forced by a command signal from the ground.
Step 7: evaluate the fault model and redundancy strategy of the temperature control system; if they do not meet the requirements, redesign the fault model and redundancy strategy and carry out a new round of verification
a) If, during simulation, the fault model and redundancy strategy of the current temperature control system achieve the expected functions and the indices meet the intended design requirements, the current fault model and redundancy strategy are kept as a candidate solution;
b) If, during simulation, the fault model and redundancy strategy of the current temperature control system do not achieve the expected functions, or the indices do not meet the intended design requirements, the fault model and redundancy strategy are redesigned and a new round of simulation verification is carried out, until the fault model and redundancy strategy meet the functional requirements.
Embodiment:
The verification method provided by the invention is illustrated with an embodiment.
Step 1: initialization file configuration
The ground monitoring and fault injection computer 3 performs the initialization file configuration for the temperature control system. Here the RT-RT hot-standby mode is selected; the cabin temperature setpoints are 19 to 25 degrees Celsius on the sunlit side and 23 to 30 degrees Celsius on the shaded side; heater 1 is set to fail at the 100th second and sensor 1 is set to suffer a data-offset fault at the 105th second. After the configuration file is generated, computer 3 waits for the computers of on-satellite temperature control system 2 to connect and retrieve it.
Step 2: system initialization
After the host and standby machine of on-satellite temperature control system 2 start, each connects as a client and logs in to the ground monitoring and fault injection computer 3, obtains the configuration file, initializes the system according to the configuration file, and waits for the simulation to start. At this point the 1553B bus of the host and standby machine of on-satellite temperature control system 2 is configured and started in the RT-RT mode.
Step 3: start of simulation
Satellite management computer 1, acting as BC, sends the simulation start instruction, and the host and standby machine of on-satellite temperature control system 2 and the environmental simulation computer begin simulating simultaneously; the host is configured as RT_1 and the standby machine as RT_2. Environmental simulation computer 203 periodically sends temperature data and sensor state information. On receiving them, the host and standby machine of on-satellite temperature control system 2 calculate, according to the cabin temperature range reference values, the command signals that switch a heater or cooler on or off and return them to the environmental simulation computer, which runs the temperature simulation algorithm according to the command signals to simulate the change in the current temperature.
Step 4: fault injection and execution
After the simulation starts, the ground monitoring and fault injection computer 3 can inject fault information in real time, sending it to the temperature control system computers over Ethernet; here a permanent fault of the temperature control system host is injected for the 150th second.
The temperature control computer reads the initial configuration file and obtains the pre-configured fault information list: the first heater fails at the 100th second and the first sensor fails at the 105th second. The faults are ordered by time and parsed into specific fault information (faulty system, faulty subsystem, fault location (faulty functional device), fault type, scheduled fault occurrence time, scheduled fault duration), which is then mapped to a specific fault manifestation in software. At 150 seconds, the temperature control system computer receives the fault information injected in real time, parses it, and manifests the corresponding fault, i.e. the temperature control system host crashes and restarts.
Step 5: redundancy fault-tolerance handling
The temperature control system handles the fault that has occurred with its own redundancy fault-tolerance mechanism, according to the fault type. For a single heater or cooler fault, work continues using another heater or cooler; for a single sensor fault, triple-redundancy voting is used and the output is taken from the two remaining sensor channels; for an unrecoverable fault of the temperature control system computer, the system automatically switches to the standby machine so that the system keeps running normally.
At the 100th second, the first heater stops working. The cabin temperature is then calculated as T = T_init + T_inc(t), where
Figure GSA00000019519000131
After the first heater fails,
Figure GSA00000019519000132
the rate of temperature rise decreases.
At the 105th second, the first sensor in the temperature acquisition module develops a fault: a random number is added to the corresponding sensor output value so that it drifts away from the originally set threshold, simulating the fault. The temperature sensor module then automatically calls the triple-redundancy voting algorithm, filters out the erroneous sensor temperature value, and outputs the average of the two remaining valid sensor temperatures.
The original sensor temperature sample is T = T' + (T_a + Rand). Here the data of sensor M_1 is made to drift away from the originally set threshold, and the temperature is then acquired with the two-out-of-three voting formula implemented in software, where M_1, M_2, M_3 are the three acquired signal values and e is the set threshold. In this case |M_3 - M_2| < e, |M_1 - M_2| > e, and |M_1 - M_3| > e, so sensor M_1 has failed; its data is discarded and the average of the M_2 and M_3 sensor data is output. The temperature data remains in the normal state; compared with averaging all three channels, the acquisition accuracy is somewhat reduced, but the faulty data is effectively isolated and excluded.
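The voting step described above, written out as an added C example (not the patent's code). It goes beyond the single M_1 case in this passage and covers the full decision table given in claim 3; treating every agreement pattern that claim 3 does not list, and an exact difference of e, as "no valid value" is an assumption. The sample readings in main() are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

struct vote_result {
    bool   valid;    /* false: no valid value in this period */
    int    failed;   /* 0 = none, 1..3 = rejected channel, -1 = undecidable */
    double value;    /* voted temperature when valid */
};

/* Two readings agree when they differ by strictly less than e. */
static bool agree(double a, double b, double e)
{
    double d = a - b;

    if (d < 0)
        d = -d;
    return d < e;    /* false for NaN, so a NaN channel never agrees */
}

/* Two-out-of-three vote over the three sensor channels M_1, M_2, M_3. */
struct vote_result vote3(double m1, double m2, double m3, double e)
{
    bool a12 = agree(m1, m2, e);
    bool a13 = agree(m1, m3, e);
    bool a23 = agree(m2, m3, e);
    struct vote_result r = { false, -1, 0.0 };

    if (a12 && a13 && a23) {              /* no failed value: mean of three */
        r.valid = true; r.failed = 0;
        r.value = (m1 + m2 + m3) / 3.0;
    } else if (a23 && !a12 && !a13) {     /* M_1 is the outlier */
        r.valid = true; r.failed = 1;
        r.value = (m2 + m3) / 2.0;
    } else if (a12 && !a13 && !a23) {     /* M_3 is the outlier */
        r.valid = true; r.failed = 3;
        r.value = (m1 + m2) / 2.0;
    } else if (a13 && !a12 && !a23) {     /* M_2 is the outlier */
        r.valid = true; r.failed = 2;
        r.value = (m1 + m3) / 2.0;
    }
    /* Any other pattern (one channel agreeing with both others while those
     * two disagree, or no pair agreeing) cannot isolate a single failed
     * channel, so the result stays invalid. */
    return r;
}

int main(void)
{
    /* Constructed readings in degrees Celsius, threshold e = 0.5. */
    struct vote_result ok    = vote3(20.0, 20.2, 19.9, 0.5);
    struct vote_result drift = vote3(27.4, 20.2, 19.9, 0.5);
    struct vote_result chain = vote3(20.0, 20.8, 20.4, 0.5);

    printf("healthy: failed=%d value=%.3f\n", ok.failed, ok.value);
    printf("M1 drift: failed=%d value=%.3f\n", drift.failed, drift.value);
    printf("chained: valid=%d\n", chain.valid);
    return 0;
}
```

A caller should hold the last valid temperature or raise a fault flag when `valid` is false rather than pass `value` on to the control step.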
At the 150th second, according to the injected fault information, the temperature control system computer suffers a crash-and-restart fault. The host restarts, and the temperature control system applies its fault-tolerance strategy to switch over automatically between the redundant machines: work continues on the standby machine, and the faulty machine reinitializes after restarting.
Step 6: ground monitoring and fault evaluation
The ground monitoring and fault injection computer 3 receives the state information of each unit returned by satellite management computer 1, parses it, and presents it as text, curves, and dynamic indicator lights. From these indications the operator judges whether the fault manifests correctly, whether the redundancy fault-tolerance mechanism handles it effectively, and whether the system needs a remotely commanded forced switchover.
Step 7: evaluate the fault model and redundancy strategy of the temperature control system; if they do not meet the requirements, redesign the fault model and redundancy strategy and carry out a new round of verification
The failures of the fault-tolerance mechanism evaluated in the test are: 1. the system does not perform the correct host/standby switchover; 2. the switchover takes too long to meet the expected requirement; 3. a switchover is performed when none should be; 4. after the switchover, the faulty machine does not initialize correctly after restarting.
The failures of the fault model evaluated in the test are: 1. the fault is not injected successfully; 2. the fault does not manifest after injection; 3. the fault does not manifest on schedule; 4. the fault manifests incorrectly.
For the problems that arise in the above simulation, the fault model and redundancy strategy of the temperature control system are redesigned and a new round of simulation verification is carried out, until the improved redundancy fault-tolerance strategy and fault model meet the expected index requirements in verification.

Claims (8)

1. An embedded satellite-borne fault-tolerant temperature control system, characterized in that it comprises a satellite management computer, an on-satellite temperature control system, and a ground monitoring and fault injection computer;
The satellite management computer and the on-satellite temperature control system are connected by a 1553B bus; the ground monitoring and fault injection computer, the satellite management computer, and the on-satellite temperature control system are connected by Ethernet;
The satellite management computer acts as the 1553B bus controller (BC); it sends the simulation start instruction and the cabin temperature range reference values to the on-satellite temperature control system, collects the fault information, working state information, and temperature data of the temperature control system over the 1553B bus in each simulation period t, and passes the collected data to the ground monitoring and fault injection computer, which displays the working state and temperature curve of the current on-satellite temperature control system in order to verify the fault-tolerance reliability of the satellite-borne temperature control system;
The temperature control calculation host and the temperature control calculation standby machine adopt a host/standby dual-machine redundancy strategy; after the simulation starts, each receives over the 1553B bus the cabin temperature range reference values sent by the satellite management computer and, in each simulation period t, receives the current cabin temperature data sent by the environmental simulation computer; each controls the current cabin temperature according to the cabin temperature range reference values and returns to the environmental simulation computer the temperature control instruction, generated by calculation, that switches a heater or cooler on or off;
The environmental simulation computer serves as the data source of the on-satellite temperature control system and simulates the cabin temperature changes during flight of the actual satellite-borne system; temperature curves are fitted to real temperature data by spline interpolation; the environmental simulation computer has built-in cabin temperature models for the sunlit side and the shaded side; the actuators are heaters or coolers, and the models simulate the temperature changes, with the satellite-borne system on the sunlit side and on the shaded side, when the actuators are not working, when a heater is on, and when a cooler is on;
The environmental simulation computer comprises an Ethernet communication module, an environment temperature simulation algorithm module, a fault injection processing module, a redundancy fault-tolerance processing module, and a temperature sensor module;
The Ethernet communication module is packaged as a class and handles Ethernet communication and data transfer among the environmental simulation computer, the temperature control computers, and the ground monitoring and fault injection computer;
The environment temperature simulation algorithm module obtains the temperature control instruction sent by the temperature control computer and, according to the current cabin temperature and actuator state, simulates the temperature change when an actuator is switched on or off, and stores the changed temperature data;
The temperature sensor module simulates the function of a temperature sensor: it acquires the temperature data output by the environment temperature simulation algorithm module, packs it, and outputs it to the temperature control computer;
The fault injection processing module receives at any time the fault information injected by the ground monitoring and fault injection computer; after the simulation starts, the timer of the fault injection processing module polls the fault information, and when the timer determines that a fault's occurrence time has arrived, the corresponding fault is simulated on the system according to the fault information;
The redundancy fault-tolerance processing module handles the corresponding fault after it occurs, ensuring normal operation of the system and normal data output; when a temperature sensor fails, temperature data is output using the data redundancy scheme of triple-redundancy temperature sensor voting;
The ground monitoring and fault injection computer performs the data monitoring and fault injection functions; through it, the user injects fault information into the on-satellite temperature control system and the environmental simulation computer; the on-satellite temperature control system receives and parses the fault information, manifests the corresponding fault, and, according to the effect of the fault, applies the preset fault-tolerance strategy to handle it redundantly, ensuring that the system remains in a normal working state;
The ground monitoring and fault injection computer comprises a fault library and a fault injection controller, and the environmental simulation computer, the temperature control calculation host, and the temperature control calculation standby machine each comprise a fault characterization unit;
The fault library collects the fault types that may occur while the temperature control system is working; each fault model in the fault library comprises the fault type, injection mode, injection address, time of occurrence of the fault, and duration of the fault;
The fault injection controller controls the whole fault injection process; the user selects a fault model, and the fault injection controller injects the selected fault into the applications running on the temperature control calculation host, the temperature control calculation standby machine, and the environmental simulation computer;
The fault injection process of the fault injection controller is divided into pre-configured fault injection and real-time fault injection;
Pre-configuration means that the ground monitoring and fault injection computer provides a human-machine interface through which the user searches the fault library, selects specific fault models, and generates a fault information list ordered by time; the list is merged into the initial configuration file, which the temperature control computers read over Ethernet;
Real-time fault injection means that, after the simulation has started, the user selects a fault model in real time on the ground monitoring and fault injection computer, which generates a data packet in a specific format and sends it to the temperature control computers over Ethernet, thereby injecting the fault in real time;
The fault characterization units in the environmental simulation computer, the temperature control calculation host, and the temperature control calculation standby machine parse the injected fault information using a fault parsing model, convert it into the corresponding fault, and simulate the occurrence and manifestation of the fault at its scheduled time; the fault parsing models correspond one-to-one with the fault models in the fault library, and whenever a fault model is added, the corresponding fault parsing model must be added as well.
2. The embedded satellite-borne fault-tolerant temperature control system according to claim 1, characterized in that sunlit-side and shaded-side temperature models are provided in the environment temperature simulation algorithm module, which simulate the temperature changes, with the satellite-borne system on the sunlit side or the shaded side, when the actuators are not working and when they are working;
Specifically: 1) when the actuators are not working, the heaters and coolers are all off;
If on the sunlit side, the cabin temperature T increases automatically: T = T' + (T_a + Rand), where T' is the temperature at the previous moment, T_a is the temperature increase per second, and Rand is a random number between 0 and 1; T_a and Rand are variables set according to actual conditions;
If on the shaded side, the cabin temperature T decreases automatically: T = T' - (T_b + Rand), where T_b is the decrease per second; T_b and Rand are set according to actual conditions;
2) when the heaters of the actuators are working;
A model is built from heater on-time and temperature increment data; the modelling method is spline interpolation;
The cabin temperature model is T = T_init + T_inc(t), where T_init is the initial temperature and T_inc(t) is the temperature increase after the heaters have been on for t seconds,
Figure FSB00000558529000031
Figure FSB00000558529000032
represents the temperature increase when n heaters have been on for t seconds, where $0 < t_i < t$, $i = 1, 2, \ldots, n$, $t_i$ is the on-time of the i-th heater, and n is the number of heaters switched on;
3) when the coolers of the actuators are working;
A model is built from cooler on-time and temperature decrement data; the modelling method is the spline method;
The temperature model of the cabin temperature is $T = T_{\text{init}} - T_{\text{dec}}(t)$, where $T_{\text{init}}$ is the initial temperature and $T_{\text{dec}}(t)$ is the temperature decrease when a cooler has been on for t seconds,
Figure FSB00000558529000033
Figure FSB00000558529000034
represents the temperature decrease when n' coolers have been on for t seconds, where $0 < t'_{i'} < t$, $i' = 1, 2, \ldots, n'$, $t'_{i'}$ is the on-time of the i'-th heater, and n' is the number of coolers switched on.
3. An embedded satellite-borne fault-tolerant temperature control system according to claim 1, characterized in that the temperature data acquisition process of the temperature sensor module is: three temperature sensor channels are provided on the sunlit side and on the shaded side respectively for data acquisition, and the temperature data are then processed by three-machine voting. $M_1$, $M_2$, $M_3$ denote the temperature data acquired by the three sensor channels and e is a preset threshold; when the difference between two temperature values is less than this threshold, the two values are considered close, that is, both valid or both invalid;
Specifically:
when $|M_1 - M_2| < e$, $|M_3 - M_2| < e$, $|M_1 - M_3| < e$, there is no failed value and the preferred temperature output is $(M_1 + M_2 + M_3)/3$;
when $|M_3 - M_2| < e$, $|M_1 - M_2| > e$, $|M_1 - M_3| > e$, the failed value is $M_1$ and the preferred temperature output is $(M_2 + M_3)/2$;
when $|M_1 - M_2| < e$, $|M_1 - M_3| > e$, $|M_3 - M_2| > e$, the failed value is $M_3$ and the preferred temperature output is $(M_1 + M_2)/2$;
when $|M_1 - M_3| < e$, $|M_1 - M_2| > e$, $|M_3 - M_2| > e$, the failed value is $M_2$ and the preferred temperature output is $(M_1 + M_3)/2$;
when $|M_3 - M_2| < e$, $|M_1 - M_2| > e$, $|M_1 - M_3| < e$, there is no valid value;
When the fault injection processing module of the environmental simulation computer receives a temperature sensor fault injected by the ground monitoring and fault injection computer, it adds a corresponding random number to the output value of the corresponding temperature sensor, so that the output drifts and departs from the originally set threshold, simulating the fault; the temperature sensor module then uses the three-machine voting redundancy to filter out the temperature data of the faulty sensor and outputs the average of the remaining two valid sensor channels.
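The voting rule of claim 3, as an added C example that is not part of the patent text. The names `vote3`, `vote_result` and `is_close` are hypothetical; a difference exactly equal to e is assumed to count as disagreement, and every combination the claim does not list (for example all three readings far apart) is assumed to give no valid value.

```c
#include <stdbool.h>
#include <stdio.h>

typedef enum {
    VOTE_ALL_VALID,  /* no failed value: output (M1 + M2 + M3) / 3 */
    VOTE_M1_FAILED,  /* output (M2 + M3) / 2 */
    VOTE_M2_FAILED,  /* output (M1 + M3) / 2 */
    VOTE_M3_FAILED,  /* output (M1 + M2) / 2 */
    VOTE_NO_VALID    /* no valid value */
} vote_status;

typedef struct {
    vote_status status;
    double value;    /* meaningful only when status != VOTE_NO_VALID */
} vote_result;

/* |a - b| < e without libm. A NaN reading never compares as close,
 * so a channel that returns NaN is treated as disagreeing. */
static bool is_close(double a, double b, double e)
{
    double d = a - b;
    if (d < 0) d = -d;
    return d < e;
}

vote_result vote3(double m1, double m2, double m3, double e)
{
    bool c12 = is_close(m1, m2, e);
    bool c23 = is_close(m2, m3, e);
    bool c13 = is_close(m1, m3, e);
    vote_result r = { VOTE_NO_VALID, 0.0 };

    if (c12 && c23 && c13) {
        r.status = VOTE_ALL_VALID;
        r.value = (m1 + m2 + m3) / 3.0;
    } else if (c23 && !c12 && !c13) {
        r.status = VOTE_M1_FAILED;
        r.value = (m2 + m3) / 2.0;
    } else if (c12 && !c13 && !c23) {
        r.status = VOTE_M3_FAILED;
        r.value = (m1 + m2) / 2.0;
    } else if (c13 && !c12 && !c23) {
        r.status = VOTE_M2_FAILED;
        r.value = (m1 + m3) / 2.0;
    }
    /* Otherwise exactly two pairs agree (closeness is not transitive,
     * the last case listed in the claim) or no pair agrees (assumed):
     * no channel can be singled out, so there is no valid value. */
    return r;
}

int main(void)
{
    /* Constructed sample: three healthy readings, then the same readings
     * with an injected drift added to channel 1. */
    double e = 0.5, drift = 4.7;
    vote_result ok  = vote3(20.0, 20.2, 19.9, e);
    vote_result bad = vote3(20.0 + drift, 20.2, 19.9, e);

    printf("healthy: status=%d value=%.3f\n", ok.status, ok.value);
    printf("drifted: status=%d value=%.3f\n", bad.status, bad.value);
    return 0;
}
```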
4. An embedded satellite-borne fault-tolerant temperature control system according to claim 1, characterized in that the on-board temperature control calculation host and temperature control calculation standby machine implement dual-machine redundancy in two configuration modes: one is the hot backup mode, in which the host is configured as a remote terminal (RT) and the standby machine is also configured as an RT; the other is the cold backup mode, in which the host is configured as an RT and the standby machine is configured as a bus monitor (BM);
The two configuration modes are implemented as follows: before the simulation begins, the user sets, on the ground monitoring and fault injection computer, the backup mode to be used and the corresponding remote terminal address and subaddress information, and this information is written to a text file that serves as the initial configuration file; after the temperature control calculation host and the temperature control calculation standby machine start, each connects over Ethernet, logs in to the ground monitoring and fault injection computer and receives its own initial configuration file; each machine then configures itself as the corresponding bus terminal according to its configuration file, that is, the host and standby machine are configured either for the RT-RT hot backup switching mode or for the RT-BM cold backup switching mode, and wait for the simulation to begin;
In the RT-RT hot backup switching mode, the on-board temperature control calculation host and temperature control calculation standby machine each have their own independent RT address and receive data and compute simultaneously, but only the host outputs data; switching between the host and the standby machine is done by the BC, either by setting up a message list with branches, that is, setting a jump instruction for a message in the error case so that the message jump is carried out, or by setting up messages that poll the host and standby RTs of the temperature control system, after which the BC selects the normally working RT to output data, that is, it accesses the output data of the standby machine's RT when the host's RT fails;
In the RT-BM cold backup switching mode, the temperature control calculation host works as the host and outputs data, while the temperature control calculation standby machine does not compute but, as a BM, monitors the state of the host's data over the 1553B bus; when the host fails, the standby machine detects the fault in the host's bus data, sets itself to the host RT form, takes over the host's work and outputs data;
In both switching modes, the temperature control calculation host and the temperature control calculation standby machine also periodically send their local state information to each other over Ethernet; when the host fails, the standby machine switches over and takes over the host's work; after the failed machine restarts, it first receives Ethernet data and judges from the received state information whether a host currently exists in the system; if a host exists, it sets itself as the backup machine, and either computes without outputting as the backup RT or monitors the running host as the BM, ready to take over the host's work at any time.
5. A verification method for an embedded satellite-borne fault-tolerant temperature control system, characterized in that it comprises the following steps:
Step 1, initialization file configuration;
The ground monitoring and fault injection computer configures the initialization file of the temperature control system; the configuration content comprises the 1553B bus dual-machine redundancy mode of the temperature control calculation host and the temperature control calculation standby machine, the cabin temperature range set values, and the fault information scheduled to occur; after the configuration file has been generated, it waits for the on-board temperature control computers to log in over Ethernet and retrieve it;
Step 2, system initialization;
I. If the simulation has not started: after the temperature control calculation host and the temperature control calculation standby machine start, each connects as a client and logs in to the ground monitoring and fault injection computer, obtains the configuration file, initializes the system from the configuration file information, and waits for the simulation to begin;
II. If the simulation has started: this indicates that the temperature control calculation host or standby machine is restarting after a fault; the host or standby machine is then reinitialized from the current configuration file information and Ethernet information, and begins simulating from the current moment;
Step 3, start of simulation;
The satellite management computer sends the simulation start command; the on-board temperature control calculation host, the temperature control calculation standby machine and the environmental simulation computer begin the simulation simultaneously; the environmental simulation computer periodically sends temperature data and temperature sensor status information to the host and the standby machine; on receipt, the host and the standby machine generate, based on the cabin temperature range reference values, command signals to switch heaters or coolers on or off and return them to the environmental simulation computer; the environmental simulation computer runs the temperature simulation algorithm according to the command signals and simulates the current temperature change;
Step 4, fault injection and execution;
After the simulation begins, the ground monitoring and fault injection computer can configure fault information at any time and send it over Ethernet to the environmental simulation computer for fault injection;
The temperature control computer parses, by means of the fault model, the pre-configured faults and the faults injected in real time by the ground monitoring and fault injection computer into: faulty system, faulty subsystem, fault location, fault type, scheduled fault occurrence time and scheduled fault duration; it converts them into the fault behaviour for the given time and executes them at the scheduled time;
Step 5, redundancy fault-tolerance handling;
The temperature control system handles the fault that has occurred, according to its type, using the redundancy fault-tolerance mechanism: for a single heater or sensor fault, work continues using another heater; for a single temperature sensor fault, three-machine voting is used and the remaining two temperature sensor channels are output; for an unrecoverable fault of the temperature control calculation host, the system automatically switches to the temperature control calculation standby machine to keep the system running normally;
Step 6, ground monitoring and fault assessment;
The ground monitoring and fault injection computer monitors the working state and the temperature curve of the temperature control system in real time; when a fault occurs, it monitors whether the fault manifests correctly, whether the redundancy fault-tolerance mechanism handles it effectively, and whether the system can continue working; if the system does not switch, a forced switching command is sent in the preset manner to determine whether switching can be forced by a command signal sent from the ground;
Step 7, the fault model and the redundancy strategy of the temperature control system are evaluated; if they do not meet the requirements, the fault model and redundancy strategy are redesigned and a new round of verification is carried out;
a) If the fault model and redundancy strategy of the current temperature control system achieve the expected functions in the simulation and the indices meet the expected design requirements, the current fault model and redundancy strategy are retained as a candidate scheme;
b) If the fault model and redundancy strategy of the current temperature control system do not achieve the expected functions in the simulation, or the indices do not meet the expected design requirements, the fault model and redundancy strategy are redesigned and a new round of simulation verification is carried out, until the fault model and redundancy strategy meet the functional requirements.
6. The verification method for an embedded satellite-borne fault-tolerant temperature control system according to claim 5, characterized in that step 2 specifically comprises the following steps:
1. The temperature control calculation host and the temperature control calculation standby machine are powered up and started, and at the same time initialize their local network interfaces;
2. The temperature control computer judges whether it has previously received a configuration file;
(1) If the temperature control computer has not received a configuration file, the computer is starting for the first time; after logging in to the ground fault injection computer and obtaining the configuration file, it reads the configuration file directly to determine its own working state and initialize: if the configuration is hot backup, the host and the standby machine are both initialized as RT; if it is cold backup, the host is configured as RT and the standby machine as BM;
(2) If it has already received a configuration file, it is assumed to be in the restarted state after a fault and communicates directly with the other machine over Ethernet to obtain that machine's current working state; if the other machine is acting as the host, it records that its own state should be configured as standby; it then reads the configuration file, modifies its own state and initializes;
3. After the on-board temperature control calculation host and temperature control calculation standby machine have each initialized, temperature control begins; the host, as the output machine, carries out the bus data transmission and the output of temperature control commands, while the standby machine monitors over the bus whether the host's state is normal; at the same time, the host and standby machine exchange state data and synchronize data over Ethernet, so that the standby machine can take over from the current calculation point when the host fails;
4. The temperature control computer periodically judges whether a fault has been injected; if an injected fault comes due at its scheduled time, it is handled according to the fault type;
5. If the fault is an intermittent recoverable fault, work continues after the fault recovers and no host/standby switching is performed;
6. If the fault is a heater, cooler or sensor fault, work continues using another heater, cooler or sensor and no host/standby switching is performed;
7. If the fault is a crash fault, host/standby switching is performed, and the failed machine is restarted and then reinitialized.
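The role decision described in claims 4 and 6 (first start versus restart after a fault, and takeover by the standby machine), as an added C example that is not code from the patent. All identifiers are hypothetical. Three further assumptions are made: the "configuration file received" flag survives a restart, a restarted unit that finds no running host becomes the host, and takeover is triggered after `MISS_LIMIT` consecutive missed status frames.

```c
#include <stdbool.h>

typedef enum { MODE_HOT_RT_RT, MODE_COLD_RT_BM } backup_mode;
typedef enum { BUS_RT, BUS_BM } bus_role;

#define MISS_LIMIT 3  /* assumed: missed peer status frames before takeover */

typedef struct {
    bool designated_host;  /* unit named as host in the configuration file */
    bool config_received;  /* assumed to be kept across a restart          */
    backup_mode mode;
    bus_role bus;
    bool master;           /* true: this unit outputs control commands     */
    int missed;            /* consecutive peer status frames missed        */
} tc_node;

/* Step 2 of claim 6: decide this unit's role at start-up.
 * peer_is_master is the state reported by the other unit over Ethernet;
 * it is only consulted on a restart. */
void node_boot(tc_node *n, backup_mode mode_from_config, bool peer_is_master)
{
    n->missed = 0;
    n->mode = mode_from_config;
    if (!n->config_received) {
        /* First start: the role comes straight from the configuration. */
        n->config_received = true;
        n->master = n->designated_host;
    } else {
        /* Restart after a fault: defer to a host that is already running.
         * Becoming host when none is running is an assumption. */
        n->master = !peer_is_master;
    }
    /* Hot backup: both units are RT. Cold backup: the standby is BM. */
    n->bus = (!n->master && n->mode == MODE_COLD_RT_BM) ? BUS_BM : BUS_RT;
}

/* Called once per status period on each unit. Returns true when this
 * call made the standby take over as host. */
bool node_tick(tc_node *n, bool peer_status_seen)
{
    if (peer_status_seen) {
        n->missed = 0;
        return false;
    }
    if (n->master)
        return false;            /* the host keeps running on its own */
    if (++n->missed < MISS_LIMIT)
        return false;
    n->master = true;            /* standby takes over the host's work */
    n->bus = BUS_RT;             /* a BM sets itself to the host RT form */
    n->missed = 0;
    return true;
}
```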
7. The verification method for an embedded satellite-borne fault-tolerant temperature control system according to claim 5, characterized in that step 3 specifically comprises the following steps:
1) The temperature control system is initialized; the satellite management computer sends the simulation start command over the 1553B bus; the on-board temperature control calculation host, the temperature control calculation standby machine and the environmental simulation computer begin the simulation simultaneously; the temperature control computer first receives, over the 1553B bus, the upper and lower temperature control limit reference values sent by the satellite management computer, which serve as the decision range for temperature control;
2) The environmental simulation computer simulates the cabin temperature at the current moment according to the current simulation phase and periodically sends it to the temperature control computer, which acquires it as the cabin temperature data;
3) The temperature control computer compares the acquired temperature data with the preset cabin temperature range reference values, first judging whether a heater or cooler is currently already switched on;
(a) If a heater or cooler is switched on, it periodically judges whether the current cabin temperature exceeds the set range; if it does, it sends a command over Ethernet to the environmental simulation computer to switch off the heater or cooler that is on; if it does not, the on state is kept and the next cycle's judgment is awaited;
(b) If no heater or cooler is switched on, it periodically judges from the current cabin temperature whether a heater or cooler needs to be switched on for temperature control; if so, it sends a command over Ethernet to the environmental simulation computer to switch on the heater or cooler; if not, the off state is kept and the next cycle's judgment is awaited;
4) After the environmental simulation computer receives the temperature control command, it runs the corresponding environment temperature simulation algorithm module according to the command and obtains the corresponding ambient temperature data for use in the next cycle's temperature acquisition.
8. The verification method for an embedded satellite-borne fault-tolerant temperature control system according to claim 5, characterized in that step 4 specifically comprises the following steps:
a. After the simulation begins, the ground monitoring and fault injection computer judges whether faults are configured; the fault configuration modes comprise pre-configured faults and real-time fault injection;
b. In the pre-configured mode, the user has configured, before the simulation, a number of faults arranged in time order; after the fault information list has been generated, the ground monitoring and fault injection computer merges it into the configuration file, which is read when the temperature control computer initializes;
c. In the real-time injection mode, the user selects a fault from the fault library and configures the fault information, which is then sent as a data packet over Ethernet to the temperature control computer;
d. The temperature control computer sorts the received pre-configured faults and real-time injected faults in time order;
e. When a fault comes due according to its time, the temperature control computer parses the fault information and then executes the fault; after the fault has occurred, depending on the type and impact of the fault, the temperature control system applies the redundancy switching mechanism to perform host/standby switching or device masking;
f. After the redundancy switching, the temperature control system collects its own state information after the switch and sends it to the ground fault injection computer for monitoring; at the same time it updates its own fault list and waits for the next fault to occur.
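Steps d to f of claim 8, as an added C example that is not code from the patent: a time-ordered fault list that accepts both pre-configured and real-time injected records, releases each record when it comes due, and maps its type to the redundancy action named in claims 6 and 8. The record layout follows the fields listed in step 4 of claim 5; all identifiers, the three-value type encoding and `MAX_FAULTS` are assumptions. The type field is range-checked on insert because real-time records arrive as packets over Ethernet.

```c
#include <stddef.h>

/* Fault classes from claim 6; the numeric encoding is assumed. */
typedef enum { FT_INTERMITTENT, FT_DEVICE, FT_COLLAPSE, FT_COUNT } fault_type;
typedef enum { ACT_CONTINUE, ACT_MASK_DEVICE, ACT_SWITCHOVER } fault_action;

typedef struct {
    int system, subsystem, location;  /* where the fault is applied      */
    int type;                         /* fault_type, validated on insert */
    unsigned start_s;                 /* scheduled occurrence time       */
    unsigned duration_s;              /* scheduled duration              */
} fault_rec;

#define MAX_FAULTS 8                  /* assumed capacity */

typedef struct {
    fault_rec q[MAX_FAULTS];          /* kept sorted by start_s */
    size_t n;
} fault_list;

/* Step d: insert one record in time order. Records with equal start
 * times keep their arrival order. Returns 0, or -1 if the list is full
 * or the type is outside the known range. */
int fault_add(fault_list *l, fault_rec f)
{
    size_t i;

    if (l->n >= MAX_FAULTS)
        return -1;
    if (f.type < 0 || f.type >= FT_COUNT)
        return -1;
    i = l->n;
    while (i > 0 && l->q[i - 1].start_s > f.start_s) {
        l->q[i] = l->q[i - 1];
        i--;
    }
    l->q[i] = f;
    l->n++;
    return 0;
}

/* Steps e and f: if the earliest record is due at now_s, copy it to
 * *out, remove it from the list and return 1; otherwise return 0. */
int fault_pop_due(fault_list *l, unsigned now_s, fault_rec *out)
{
    size_t i;

    if (l->n == 0 || l->q[0].start_s > now_s)
        return 0;
    *out = l->q[0];
    for (i = 1; i < l->n; i++)
        l->q[i - 1] = l->q[i];
    l->n--;
    return 1;
}

/* Redundancy action per fault class: a collapse fault triggers
 * host/standby switching, a heater, cooler or sensor fault is handled
 * by masking the device, an intermittent fault needs no switch. */
fault_action action_for(int type)
{
    switch (type) {
    case FT_COLLAPSE: return ACT_SWITCHOVER;
    case FT_DEVICE:   return ACT_MASK_DEVICE;
    default:          return ACT_CONTINUE;
    }
}
```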
CN2010101079949A 2010-02-05 2010-02-05 Embedded satellite-borne fault-tolerant temperature control system and verification method thereof Expired - Fee Related CN101819445B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101079949A CN101819445B (en) 2010-02-05 2010-02-05 Embedded satellite-borne fault-tolerant temperature control system and verification method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2010101079949A CN101819445B (en) 2010-02-05 2010-02-05 Embedded satellite-borne fault-tolerant temperature control system and verification method thereof

Publications (2)

Publication Number Publication Date
CN101819445A CN101819445A (en) 2010-09-01
CN101819445B true CN101819445B (en) 2012-05-16

Family

ID=42654574

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101079949A Expired - Fee Related CN101819445B (en) 2010-02-05 2010-02-05 Embedded satellite-borne fault-tolerant temperature control system and verification method thereof

Country Status (1)

Country Link
CN (1) CN101819445B (en)

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102135920B (en) * 2011-01-17 2013-06-05 中国航天科技集团公司第九研究院第七七一研究所 Fault injection system for embedded spaceborne computer and injection method thereof
CN102945001B (en) * 2011-08-15 2015-01-14 中国航空工业集团公司西安飞机设计研究所 Servo actuator system simulator and simulation method thereof
CN102333038B (en) * 2011-10-21 2013-11-13 上海交通大学 Non deadlock routing method based on network on chip
CN102571498B (en) * 2012-02-09 2016-03-09 华为技术有限公司 Fault injection control method and device
CN103257350B (en) * 2012-05-07 2014-12-24 中国交通通信信息中心 Double-computer duplex automatic switching method
CN102916852B (en) * 2012-09-26 2015-04-08 中国航天科技集团公司第九研究院第七七一研究所 High-low temperature testing equipment of 1553B bus communication devices
CN103529820B (en) * 2013-09-26 2016-02-10 北京航天自动控制研究所 A kind of direct fault location test macro and method of testing being applicable to embedded device
CN103885421B (en) * 2014-03-26 2017-04-05 上海航天电子通讯设备研究所 A kind of STD bus controller
CN104750137B (en) * 2015-03-17 2016-11-30 航天东方红卫星有限公司 A kind of satellite temperature control data processing method based on look-up table
CN104731071B (en) * 2015-03-17 2017-06-16 成都智慧之芯科技有限公司 Master redundancy heat backup method in centralized control system
CN105162529B (en) * 2015-06-17 2016-10-26 北京空间飞行器总体设计部 A kind of 1553B bus data fault injection device
CN105067933B (en) * 2015-08-31 2018-08-31 中国人民解放军63908部队 General-purpose system and test method for electronics testability demonstration and assessment
CN105446887B (en) * 2016-01-11 2018-01-19 中国科学院光电研究院 A kind of spaceborne embedded type data communication failure Dynamic injection system and method based on Digital Virtual Technique
CN106325348B (en) * 2016-08-29 2017-10-03 中国科学院长春光学精密机械与物理研究所 Multi-mode electrically operated control method
CN108614539A (en) * 2016-12-12 2018-10-02 中国航空工业集团公司西安航空计算技术研究所 AEF airborne equipment failure diagnosis and prediction model verification method
CN109211429B (en) * 2017-07-03 2020-12-22 佛山市顺德区美的电热电器制造有限公司 Temperature sampling method and device and cooking appliance
CN109375960B (en) * 2018-09-29 2021-10-01 郑州云海信息技术有限公司 Copyright information loading method and device
CN109558278B (en) * 2018-11-09 2022-03-15 天津航空机电有限公司 Dual-redundancy CPU control board based on DSP and CPLD
CN109240127A (en) * 2018-11-20 2019-01-18 上海航天控制技术研究所 Simulation and verification platform and emulation verification method
CN109507627B (en) * 2019-01-04 2021-03-12 广东电网有限责任公司 Simulation method of direct-current electronic transformer
CN112286041B (en) * 2020-09-09 2023-02-03 许继集团有限公司 Switching method and switching control system for electrical equipment redundancy monitoring device
CN112286125B (en) * 2020-10-30 2021-09-17 东南大学 Event-triggered fixed-time fault-tolerant control method and system for motor-driven fan
CN112527029B (en) * 2020-12-07 2022-03-18 上海卫星工程研究所 Wireless passive temperature control system applied to satellite thermal control system
CN112748751A (en) * 2020-12-22 2021-05-04 中国航空工业集团公司沈阳飞机设计研究所 Digital airplane environment control system and method
CN113721681B (en) * 2021-09-13 2022-04-26 北京微纳星空科技有限公司 Satellite temperature control device, satellite temperature control method, electronic equipment and storage medium
CN113929281B (en) * 2021-11-23 2023-07-25 蚌埠凯盛工程技术有限公司 Temperature control method and system for platinum channel in float process
CN115421532B (en) * 2022-11-07 2023-01-31 中国科学院苏州生物医学工程技术研究所 Multi-channel temperature control system, method and medium of organ chip culture system
CN116779152B (en) * 2023-08-21 2023-12-05 瑞鞍星医疗科技(苏州)有限公司 Anesthesia robot system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003165500A (en) * 2001-12-03 2003-06-10 Mitsubishi Electric Corp Temperature control device
CN1963784A (en) * 2006-12-13 2007-05-16 北京航空航天大学 Method and apparatus to realize universal emulation by emulation apparatus based on 1553B bus
CN101477382A (en) * 2009-01-21 2009-07-08 北京航空航天大学 Nano-satellite spacing heat sink simulator
CN101628628A (en) * 2009-08-03 2010-01-20 北京航空航天大学 Self-correcting redundancy switching mechanism for spacecraft system and verification method thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
杨娟,李运泽.纳卫星主动温控系统建模与仿真.《计算机仿真》.2008,第25卷(第7期),58-61. *

Also Published As

Publication number Publication date
CN101819445A (en) 2010-09-01

Similar Documents

Publication Publication Date Title
CN101819445B (en) Embedded satellite-borne fault-tolerant temperature control system and verification method thereof
CN103544092B (en) A kind of based on ARINC653 standard air environment health monitoring system
Stanovich et al. Development of a smart-grid cyber-physical systems testbed
CN103473156B (en) Hot backup fault-tolerance method based on real-time operating systems and used for three satellite borne computers
CN101628628A (en) Self-correcting redundancy switching mechanism for spacecraft system and verification method thereof
CN103488494A (en) Multi-firmware synchronous updating and upgrading method for blade server
CN106844877A (en) The analysis method of multimode phased mission systems dependability parameter
Li et al. A new method for reliability allocation of avionics connected via an airborne network
Nardone et al. Model checking techniques applied to satellite operational mode management
CN106339553B (en) A kind of the reconstruct flight control method and system of spacecraft
Wang et al. Design of reconfigurable real-time telemetry monitoring and quantitative management system for remote sensing satellite in orbit
Zhang et al. Risk assessment of offshore micro integrated energy system based on fluid mosaic model
CN105843745B (en) It is a kind of for testing the method and system of redundancy management software
Levinson et al. Development and testing of a vehicle management system for autonomous spacecraft habitat operations
KR101278554B1 (en) An initial state extraction and estimation system for satellite simulator
CN106201981A (en) A kind of near space ship borne computer multi-CPU system self-adapting reconstruction method
CN114019991B (en) Method for realizing double-computer architecture satellite and rocket separation program control task
CN107273575B (en) Satellite task autonomous design method and system for quick response requirements
Bickford et al. Real-time sensor validation for autonomous flight control
CN109870997A (en) A kind of triplex redundance flight control computer system
CN108459582B (en) IMA system-oriented comprehensive health assessment method
Horikawa et al. Detecting Faulty Sequences of FDIR Functions on Spacecrafts Using Model Checking
Xu et al. Integrated System Health Management Research and Application on Satellite
CN117439274B (en) State monitoring method based on energy management control system
Ghosh et al. An Automated Deployment and Testing Framework for Resilient Distributed Smart Grid Applications

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120516

Termination date: 20170205