CN110196564B - Smooth switching dual-machine redundant power distribution system resistant to single-particle irradiation - Google Patents


Info

Publication number: CN110196564B
Authority: CN (China)
Prior art keywords: power, instruction, module, power distribution, distribution
Legal status: Active
Application number: CN201910470266.5A
Other languages: Chinese (zh)
Other versions: CN110196564A (en)
Inventors: 岳梦云, 刘巧珍, 卢伟, 黄晨, 彭越, 张宏德, 徐晨, 岳玮
Current Assignee: China Academy of Launch Vehicle Technology CALT; Beijing Institute of Astronautical Systems Engineering
Original Assignee: China Academy of Launch Vehicle Technology CALT; Beijing Institute of Astronautical Systems Engineering
Application filed by China Academy of Launch Vehicle Technology CALT and Beijing Institute of Astronautical Systems Engineering
Priority to CN201910470266.5A
Publication of CN110196564A
Application granted
Publication of CN110196564B

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/04 Programme control other than numerical control, i.e. in sequence controllers or logic controllers
    • G05B19/042 Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
    • G05B19/0423 Input/output
    • G05B19/0425 Safety, monitoring
    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
    • H02J9/00 Circuit arrangements for emergency or stand-by power supply, e.g. for emergency lighting
    • H02J9/04 Circuit arrangements for emergency or stand-by power supply, e.g. for emergency lighting in which the distribution system is disconnected from the normal source and connected to a standby source
    • H02J9/06 Circuit arrangements for emergency or stand-by power supply, e.g. for emergency lighting in which the distribution system is disconnected from the normal source and connected to a standby source with automatic change-over, e.g. UPS systems
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24032 Power on reset, powering up
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24182 Redundancy
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02B CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO BUILDINGS, e.g. HOUSING, HOUSE APPLIANCES OR RELATED END-USER APPLICATIONS
    • Y02B70/00 Technologies for an efficient end-user side electric power management and consumption
    • Y02B70/30 Systems integrating technologies related to power network operation and communication or information technologies for improving the carbon footprint of the management of residential or tertiary loads, i.e. smart grids as climate change mitigation technology in the buildings sector, including also the last stages of power distribution and the control, monitoring or operating management systems at local level
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S20/00 Management or operation of end-user stationary applications or the last stages of power distribution; Controlling, monitoring or operating thereof
    • Y04S20/20 End-user application control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Emergency Management (AREA)
  • Power Engineering (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)

Abstract

The invention provides a smooth-switching dual-machine redundant power distribution system resistant to single-particle irradiation. It comprises a host, a standby machine and a load power supply and distribution module. The host and the standby act as the on-duty machine and the off-duty machine, and each sends its health state and current working state to the other in real time, so that the on-duty and off-duty machines always know each other's current working state. The on-duty machine outputs a power distribution control signal to the load power supply and distribution module, either according to a preset time sequence or on receiving an externally input power distribution instruction, to switch the load supply on or off. It then samples the bus voltage at the output of the load power supply and distribution module and judges from the sample whether the power distribution instruction was executed correctly. If the instruction was not executed correctly, the on-duty machine forwards it to the off-duty machine over an internal serial port, the output control function of the off-duty machine is enabled temporarily, and the off-duty machine executes the instruction once as a compensating execution.

Description

Smooth switching dual-machine redundant power distribution system resistant to single-particle irradiation
Technical Field
The invention relates to a smooth-switching dual-machine redundant power distribution system resistant to single-particle irradiation. It belongs to the technical field of power distribution.
Background
For a spaceflight measurement and control system, the reliability of each single unit is a particular concern. A unit on a space vehicle in particular must avoid erroneous output caused by the harsh space environment, so a triple-redundant or dual-redundant design is usually adopted.
(I) Triple-machine redundancy
Triple-redundant processors are typically designed as triple modular redundancy with two-out-of-three voting, in either a tightly coupled or a loosely coupled form. A tightly coupled triple-modular-redundant system is highly reliable, but the system design is complex, the volume of information exchanged is large, and the software designer must write a large amount of fault-tolerance management software after fully understanding the design intent of the system. The system bus is also difficult to handle: with a single bus, real-time performance is poor and a single point of failure exists; with three buses, too many connector pins are occupied, so the board cannot integrate more functions and the volume and weight of the system increase. Loosely coupled triple redundancy is relatively simple to design: each machine exchanges little information, fault-tolerance management is reduced, and the burden on the software designer is lighter. It also removes the system-bus single point entirely. The greatest difficulty of a triple-redundancy scheme is the synchronization mechanism among the CPUs. The processors have strong real-time requirements and complete data acquisition, computation, judgment and instruction output control tasks periodically, so synchronizing the three machines is very important. Its purpose is to eliminate the accumulated error produced by small differences in the processors' clock frequencies and to ensure that the CPU boards acquire and process data simultaneously.
(II) Dual-machine cold standby
The system has two identical machines, only one of which is powered on. Data can be backed up to the standby machine's hardware at regular intervals, but the standby cannot take over automatically when a fault occurs; its hardware and services must be started manually. Some ground-based equipment that carries no mission task may use this backup method.
(III) Dual-machine parallel output
The system has two identical machines, both powered on; both receive control signals and drive outputs, and the output is effective as long as either machine produces it. This design is usually used where switching on must be guaranteed but switching off need not be, or where the two machines are powered separately so that a machine that fails and cannot switch its output off is itself powered down.
(IV) Dual-machine hot standby
The equipment comprises two sets of sub-equipment in hot redundancy. Each machine can independently perform all functions of the controller, and the on-duty machine in the information control combination is the host. The host and the standby are identical in function and design.
In the normal working state both the host and the standby receive signals; the host is the on-duty machine and the standby does not output signals. The host and the standby monitor each other's working state through internal communication. When the standby detects that the host's working state is abnormal, or the host suffers continuous watchdog resets, network failure and the like, the host is judged to have failed and duty is switched from the host to the standby; the host and the standby can be switched back and forth many times. In summary, the conventional redundancy design methods have the following disadvantages:
(1) the triple-redundancy scheme needs three identical CPU boards, costs more, limits miniaturization of the equipment, and requires special care to keep the CPUs synchronized;
(2) dual-machine cold standby requires the equipment to be started manually, so switching takes a long time;
(3) dual-machine hot standby removes the single point of failure caused by complete failure of a machine due to the environment or other factors, but it has no effective means of correcting an occasional erroneous output on a single channel, and it increases the power consumption of the unit.
Disclosure of Invention
The technical problem to be solved by the invention is to overcome the defects of the prior art by providing a smooth-switching dual-machine redundant power distribution system resistant to single-particle irradiation that avoids loss of information when the host and the standby switch. In addition, a compensation mechanism ensures that power distribution instructions are executed correctly, avoiding operation failures caused by single-event upsets or other hardware circuit faults.
The technical solution of the invention is as follows. A smooth-switching dual-machine redundant power distribution system resistant to single-particle irradiation comprises a host, a standby machine and a load power supply and distribution module. The host and the standby act as the on-duty machine and the off-duty machine, and each sends its health state and current working state to the other in real time, so that the on-duty and off-duty machines always know each other's current working state. The on-duty machine outputs a power distribution control signal to the load power supply and distribution module, either according to a preset time sequence or on receiving an externally input power distribution instruction, to switch the load supply on or off. It then samples the bus voltage at the output of the load power supply and distribution module and judges from the sample whether the power distribution instruction was executed correctly. If the instruction was not executed correctly, the on-duty machine forwards it to the off-duty machine over an internal serial port, the output control function of the off-duty machine is enabled temporarily, and the off-duty machine executes the instruction once as a compensating execution.
The off-duty machine monitors the health state of the on-duty machine in real time. When it detects that the on-duty machine is abnormal, it enables its own output control and external instruction receiving functions, starting from the most recent normal working state of the on-duty machine that it stored earlier, executes the subsequent power distribution operation according to the preset flow or the external instruction, and samples the result. When the sampled result shows that the operation was executed correctly, it commands the original on-duty machine to power-on reset; after the power-on reset the original on-duty machine defaults to the off-duty state, with its output control and instruction receiving functions disabled, and the operation of the power.
The on-duty machine monitors the health state of the off-duty machine in real time. When the off-duty machine has more than N consecutive watchdog resets, the on-duty machine sends it a power-on reset signal; if N watchdog resets occur again after that reset, the on-duty machine cuts the power supply to the off-duty machine, which then stops working. N is greater than or equal to 2.
The health state comprises a heartbeat signal, a reset signal and a power supply voltage.
The working state comprises system time, a latest external power distribution instruction and a power distribution state after the latest external power distribution instruction is executed.
The host and the standby are identical; each comprises a central processing controller, a remote control instruction receiving interface module, a dual-machine interaction interface module, a power distribution state acquisition circuit, a power distribution instruction analysis circuit and a power supply conversion control module;
the central processing controller sends its own health state and current working state to the dual-machine interaction interface module in real time, stores the health state and current working state of the standby or host received through that module, and detects whether the standby or host is running normally; if the off-duty machine is abnormal, the on-duty machine commands it to restart, and if N consecutive watchdog resets accumulate again after the restart, the off-duty machine is powered off; if the on-duty machine is abnormal, the output control function of the off-duty machine is enabled and the original on-duty machine is restarted with its output control function disabled after the restart, which completes the dual-machine switch, and if the restarted original on-duty machine again accumulates N consecutive watchdog resets, the new on-duty machine cuts its power;
in on-duty mode, it generates a power distribution instruction according to a preset time sequence or receives a power distribution instruction input through the remote control instruction receiving interface module, and outputs a power distribution gating instruction and the power-on or power-off driving instruction of the corresponding channel to the load power supply and distribution module; it judges from the power distribution result collected by the signal acquisition module whether the instruction was executed correctly, and if not, sends the instruction to the interaction interface module; it holds the enable signal of the off-duty machine's remote control instruction receiving interface module in the invalid state, so that the off-duty machine does not receive externally input power distribution instructions;
in off-duty mode, it receives the power distribution instruction sent by the interaction interface module and, according to that instruction, outputs a power distribution gating instruction and the power-on or power-off driving instruction of the corresponding channel to the load power supply and distribution module; when it detects that the on-duty machine is running abnormally, it enables the output control function and the external instruction receiving interface of the off-duty machine, reads the stored latest normal working state of the on-duty machine, continues from the time sequence following that state to generate power distribution instructions or to receive those input through the remote control instruction receiving interface module, outputs the power distribution gating instruction to the load power supply and distribution module, and judges from the power distribution result collected by the signal acquisition module whether the instruction was executed correctly; if it was, it switches to on-duty working mode and sends a restart instruction to the power supply exchange controller of the original on-duty machine;
the remote control instruction receiving interface module is controlled by the enable signal: when the enable signal is valid it receives an externally input power distribution instruction and passes it to the central processing controller, and when the enable signal is invalid it neither receives externally input power distribution instructions nor passes any to the central processing controller;
the signal acquisition module samples the bus voltage of each load at the output of the load power supply and distribution module and passes it to the central processing controller;
the power distribution instruction analysis circuit decodes the power distribution gating instruction sent by the central processing controller and selects the power-on or power-off driving instruction of the corresponding channel for output; it generates one pair of complementary power-on and power-off instructions for a power-constant distribution channel for which only switch-on needs to be guaranteed, and four pairs of complementary power-on and power-off instructions for a power constant distribution channel with higher requirements on switch-on and switch-off reliability;
the power supply exchange controller converts the externally input power supply and distribution signal into the required secondary supply voltage to power the central processing controller of the other machine, and also receives a control signal from the central processing controller of the other machine to restart or power off this machine;
the reset circuit generates a reset signal after power-up and resets the central processing controller; it receives the watchdog feed operation output by the central processing controller, and if no watchdog feed is received within the preset time it generates a reset signal that resets the central processing controller.
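The three behaviours described above (readback-verified execution with one compensating execution by the off-duty machine, escalation on repeated watchdog resets, and takeover from the last stored working state) are modelled below in C. This is an added illustration, not code from the patent; all names, the 28 V bus level, the 20 V readback threshold, N = 2, counting N consecutive resets as the trigger, and leaving duty unchanged when takeover verification fails are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_RESETS  2       /* the page only requires N >= 2; 2 is chosen here */
#define BUS_ON_MV 20000   /* assumed threshold: bus above this reads as "on" */

typedef enum { CMD_OFF, CMD_ON } cmd_t;
typedef enum { EXEC_OK, EXEC_COMPENSATED, EXEC_FAILED } exec_t;
typedef enum { ACT_NONE, ACT_POWER_ON_RESET, ACT_POWER_OFF } action_t;

/* Simulated load channel. drive_ok[i] == false models a drive path on
 * machine i (0 = host, 1 = standby) disabled by an upset or hardware fault. */
typedef struct { bool drive_ok[2]; int bus_mv; } channel_t;

/* Working state shared between the machines: system time, latest
 * instruction, and the distribution state after executing it. */
typedef struct { unsigned sys_time; cmd_t last_cmd; bool load_on; } work_state_t;

/* Per-peer watchdog bookkeeping kept by the on-duty machine. */
typedef struct { int consecutive; bool reset_used; bool powered_off; } peer_monitor_t;

static void drive(channel_t *ch, int machine, cmd_t c) {
    if (ch->drive_ok[machine]) ch->bus_mv = (c == CMD_ON) ? 28000 : 0;
}

/* Readback check: does the sampled bus voltage match the instruction? */
static bool verified(const channel_t *ch, cmd_t c) {
    return (ch->bus_mv > BUS_ON_MV) == (c == CMD_ON);
}

/* On-duty path: execute, read back, and on a mismatch hand the same
 * instruction to the off-duty machine for exactly one compensating run. */
exec_t distribute(channel_t *ch, int on_duty, cmd_t c) {
    drive(ch, on_duty, c);
    if (verified(ch, c)) return EXEC_OK;
    drive(ch, 1 - on_duty, c);   /* peer output enabled temporarily */
    return verified(ch, c) ? EXEC_COMPENSATED : EXEC_FAILED;
}

/* Called once per health report from the off-duty machine. The first run of
 * N consecutive watchdog resets earns a power-on reset, the next run of N
 * removes power. A healthy report clears the run but not reset_used. */
action_t monitor_peer(peer_monitor_t *m, bool watchdog_reset_seen) {
    if (m->powered_off) return ACT_NONE;
    if (!watchdog_reset_seen) { m->consecutive = 0; return ACT_NONE; }
    if (++m->consecutive < N_RESETS) return ACT_NONE;
    m->consecutive = 0;
    if (!m->reset_used) { m->reset_used = true; return ACT_POWER_ON_RESET; }
    m->powered_off = true;
    return ACT_POWER_OFF;
}

/* Off-duty machine after detecting an abnormal on-duty machine: resume from
 * the peer's last good state, execute the next instruction, and claim duty
 * (and reset the old on-duty machine) only if the readback verifies.
 * Returns the id of the machine that is on duty afterwards. */
int take_over(channel_t *ch, int off_duty, const work_state_t *peer_last_good,
              cmd_t next_cmd, work_state_t *own, bool *reset_old_on_duty) {
    *own = *peer_last_good;
    drive(ch, off_duty, next_cmd);
    *reset_old_on_duty = verified(ch, next_cmd);
    if (!*reset_old_on_duty) return 1 - off_duty;   /* assumed: no switch */
    own->last_cmd = next_cmd;
    own->load_on = (next_cmd == CMD_ON);
    return off_duty;
}

int main(void) {
    /* Constructed scenario: the host's drive path is faulted. */
    channel_t ch = { { false, true }, 0 };
    exec_t r = distribute(&ch, 0, CMD_ON);
    printf("distribute: result=%d bus=%d mV\n", (int)r, ch.bus_mv);

    /* Constructed watchdog history of the off-duty machine. */
    peer_monitor_t mon = { 0, false, false };
    bool reports[] = { true, true, false, true, true };
    for (int i = 0; i < 5; i++)
        printf("report %d -> action %d\n", i, (int)monitor_peer(&mon, reports[i]));

    /* Constructed takeover: standby resumes from the host's last good state. */
    channel_t ch2 = { { false, true }, 0 };
    work_state_t last_good = { 120, CMD_OFF, false }, own;
    bool reset_old = false;
    int duty = take_over(&ch2, 1, &last_good, CMD_ON, &own, &reset_old);
    printf("on duty: %d, reset old on-duty: %d\n", duty, (int)reset_old);
    return 0;
}
```
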
The load power supply and distribution module comprises a driving instruction fusion module, a power constant power distribution management module and a power non-constant power distribution management module;
the driving instruction fusion module is used for connecting the power-on or power-off driving instructions of the same channel of the host machine and the standby machine in parallel to obtain a fusion driving instruction, and then sending the fusion driving instruction to the power constant distribution management module and/or the power non-constant distribution management module corresponding to the channel;
the power constant distribution management module outputs a power supply signal with constant power;
and the power non-constant distribution management module outputs a power supply signal with non-constant power.
The power-invariant distribution management module includes: the two instruction driving modules are respectively marked as a first instruction driving module and a second instruction driving module, and the two power distribution output modules are respectively marked as a first power distribution output module and a second power distribution output module;
the instruction driving module comprises resistors R1, R2, R3 and R4 and transistors V1 and V2, wherein one end of the resistor R1 is an input end of the instruction driving module, the other end of the resistor R1 is connected to the base of the transistor V1, the resistor R2 is connected between the base and the emitter of the transistor V1, the emitter of the transistor V1 is grounded, and the collector of the transistor V1 is the output end of the instruction driving module; one end of the resistor R3 is the input end of the instruction driving module, the other end is connected to the base of the transistor V2, the resistor R4 is connected between the base and the emitter of the transistor V2, the emitter of the transistor V2 is grounded, and the collector of the transistor V2 is the output end of the instruction driving module;
the power distribution output modules comprise a magnetic latching relay K1, resistors R9, R10, R11, R12, R13 and R14, and a MOSFET MOS1; the magnetic latching relay K1 is a double-pole double-throw switch with 6 contacts in total, wherein two contacts are grounded and serve as the fixed end of the switch, another two contacts are left floating and serve as the first moving end of the switch, and the remaining two contacts serve as the second moving end of the switch and are connected in parallel to one end of the resistor R13; the other end of the resistor R13 is divided into two paths, one path connected through the series resistor R14 to the load distribution power supply bus and the other path connected to the gate of the MOSFET;
the input ends of the first instruction driving module and the second instruction driving module are connected with the fused power distribution instruction signal; the output end of the first instruction driving module is connected with a power constant channel power-off signal end; the output end of the second instruction driving module is connected with a power-on signal end of the constant-power channel;
the drains of the MOSFETs of the first distribution output module and the second distribution output module are connected to the power constant channel bus; one end of the first coil of the magnetic latching relay K1 of the first distribution output module and the second distribution output module is connected to the power-off signal of the power constant channel, the other end of the first coil is connected to the positive bus of the secondary power supply of the equipment through resistors R9 and R10 connected in parallel, one end of the second coil of the magnetic latching relay K1 is connected to the power-on signal of the power constant channel, and the other end of the second coil is connected to the positive bus of the secondary power supply of the equipment through resistors R11 and R12 which are;
the distribution output module further comprises a capacitor C1 and a distribution output, wherein the capacitor C1 is connected with the capacitor distribution output in series and bridged between the load distribution power supply bus and the gate of the MOSFET.
The power distribution output module further comprises diodes V5, V6, V7 and V8; the diodes V5 and V6 are connected across the first coil of the magnetic latching relay of the first power distribution output module, and the diodes V7 and V8 are connected across the second coil of the magnetic latching relay of the second distribution output module.
The power-invariant distribution management module includes:
eight command driver modules, noted as: the system comprises a first instruction driving module, a second instruction driving module, a third instruction driving module, a fourth instruction driving module, a fifth instruction driving module, a sixth instruction driving module, a seventh instruction driving module and an eighth instruction driving module;
the system comprises four instruction holding modules, a first instruction holding module, a second instruction holding module, a third instruction holding module and a fourth instruction holding module;
the power distribution system comprises eight power distribution output modules, a first power distribution output module, a second power distribution output module, a third power distribution output module, a fourth power distribution output module, a fifth power distribution output module, a sixth power distribution output module, a seventh power distribution output module and an eighth power distribution output module;
the instruction driving module comprises resistors R21 and R22 and a transistor V21, wherein one end of the resistor R21 is the input end of the instruction driving module, the other end of the resistor R21 is connected to the base of the transistor V21, the resistor R22 is connected between the base and the emitter of the transistor V21, the emitter of the transistor V21 is grounded, and the collector of the transistor V21 is the output end of the instruction driving module;
the instruction holding module comprises a magnetic latching relay K3, diodes V31, V32, V33 and V34, and resistors R41, R42, R43 and R44, wherein the diodes V31 and V32 are connected across the first coil of the magnetic latching relay K3 and the diodes V33 and V34 are connected across the second coil of the magnetic latching relay K3. One end of the first coil of the magnetic latching relay K3 is connected to a first input signal and the other end is connected to the positive bus of the secondary power supply of the equipment through resistors R41 and R42 connected in parallel; one end of the second coil of the magnetic latching relay K3 is connected to a second input signal and the other end is connected to the positive bus of the secondary power supply of the equipment through resistors R43 and R44 connected in parallel; the magnetic latching relay K3 is a double-pole double-throw switch with 6 contacts in total, wherein two contacts are grounded and serve as the fixed end of the switch, another two contacts are left floating and serve as the first moving end of the switch, and the remaining two contacts serve as the second moving end of the switch and are connected in parallel to the instruction holding output end;
the power distribution output modules comprise resistors R49 and R50, capacitors C11 and C12 and a MOSFET MOS11; one end of the resistor R49 is connected to the input end of a power distribution command, the other end of the resistor R50 is divided into two paths, one path is connected with the resistor R49 in series to the source of the MOS11, the other path is connected to the gate of the MOS11, and the capacitors C11 and C12 are connected in series and then connected across the two ends of R49;
the collector outputs of the transistors of the first, second, third, fourth, fifth, sixth, seventh and eighth instruction driving modules are, respectively, a power non-constant channel first power-off signal, a power non-constant channel second power-off signal, a power non-constant channel third power-off signal, a power non-constant channel fourth power-off signal, a power non-constant channel first power-on signal, a power non-constant channel second power-on signal, a power non-constant channel third power-on signal and a power non-constant channel fourth power-on signal;
a first input end and a second input end of the first instruction holding module are respectively connected with a first power-off signal of a power non-constant channel and a first power-on signal of the power non-constant channel;
the first input end and the second input end of the second instruction holding module are respectively connected with a second power-off signal of a power non-constant channel and a second power-on signal of the power non-constant channel;
the first input end and the second input end of the third instruction holding module are respectively connected with a third power-off signal of a power non-constant channel and a third power-on signal of the power non-constant channel;
a first input end and a second input end of the fourth instruction holding module are respectively connected with a fourth power-off signal of the power non-constant channel and a fourth power-on signal of the power non-constant channel;
the instruction holding output end of the first instruction holding module is connected with the power distribution instruction input ends of the first power distribution output module and the second power distribution output module;
the instruction holding output end of the second instruction holding module is connected with the power distribution instruction input ends of the third power distribution output module and the fourth power distribution output module;
the instruction holding output end of the third instruction holding module is connected with the power distribution instruction input ends of the fifth power distribution output module and the sixth power distribution output module;
and the instruction holding output end of the fourth instruction holding module is connected with the power distribution instruction input ends of the seventh power distribution output module and the eighth power distribution output module.
The source electrode of an MOS tube in the first power distribution output module is connected with a load power distribution bus, and the drain electrode of the MOS tube is connected with the source electrode of an MOS tube in the third power distribution module;
the source electrode of an MOS tube in the second power distribution output module is connected with a load power distribution bus, and the drain electrode of the MOS tube is connected with the source electrode of an MOS tube in the fourth power distribution module;
the source electrode of an MOS tube in the fifth power distribution output module is connected with a load power distribution bus, and the drain electrode of the MOS tube is connected with the source electrode of the MOS tube in the seventh power distribution module;
and the source electrode of the MOS tube in the sixth power distribution output module is connected with a load power distribution bus, and the drain electrode of the MOS tube is connected with the source electrode of the MOS tube in the eighth power distribution module.
Compared with the prior art, the invention has the beneficial effects that:
(1) once the standby machine has confirmed the state by readback, the switchover can be completed, so the main/standby switching process does not affect the timing sequence or the instruction reception of the on-orbit aircraft;
(2) through hardware redundancy within each single circuit, the failure of any instruction driving circuit or MOS tube does not affect instruction execution, and instruction execution failures caused by factors such as single event upsets are avoided;
(3) if the on-duty machine fails to execute an instruction normally because of an accidental fault, the off-duty machine can send the instruction again after the execution failure has been confirmed from the readback state, which improves reliability;
(4) the switching strategy is implemented in software in the CPU, so no extra hardware cost is added;
(5) after switchover, if the host is confirmed to have failed, its power supply is disconnected, saving battery power;
(6) the invention can be applied to electrical equipment, in particular to the redundant backup design of electronic equipment on an on-orbit aircraft; it is flexible and reliable, and helps the on-orbit aircraft carry out its space test tasks.
Drawings
FIG. 1 is a flowchart illustrating dual redundancy according to an embodiment of the present invention;
FIG. 2 is a functional block diagram of a system according to an embodiment of the present invention;
FIG. 3 is a circuit for instruction resolution according to an embodiment of the present invention;
FIG. 4 illustrates a power constant supply channel redundancy circuit according to an embodiment of the present invention;
FIG. 5 is a power non-constant supply channel redundancy circuit according to an embodiment of the present invention;
FIG. 6 is a circuit of a remote control command receiving module according to an embodiment of the present invention.
Detailed Description
The invention is described in detail below with reference to the figures and specific embodiments.
The invention provides a smooth switching double-machine redundant power distribution system capable of resisting single-particle irradiation.
As shown in fig. 1, the system has the following features:
(1) the main machine and the standby machine act as the on-duty (active) machine and the off-duty (non-active) machine; each sends its own health state and current working state to the other, so that each knows the other's current working state; the health state comprises a heartbeat signal, a reset signal and a power supply voltage; the working state comprises the system time, the latest external instruction and the state after the latest external instruction was executed.
(2) The on-duty machine outputs a power distribution control signal to the load power supply and distribution module according to a preset timing sequence or on receiving a power distribution instruction input from outside, controls the switching on and off of load power supply and distribution, reads back the bus voltage at the output end of the load power supply and distribution module, and judges from the readback result whether the power distribution instruction was executed correctly; when the instruction was not executed correctly, the on-duty machine transmits the power distribution instruction to the off-duty machine through the internal serial port and temporarily enables the off-duty machine's output control function, and the off-duty machine reissues the power distribution instruction once.
(3) The off-duty machine only receives the health state and working state information of the on-duty machine and does not receive external instructions;
(4) the off-duty machine monitors the health state of the on-duty machine in real time; when it detects N consecutive watchdog resets of the on-duty machine, or a power supply voltage lower than 4.4V, it judges the on-duty machine to be abnormal. It then enables its own output control and external instruction receiving functions, starting from the most recently stored normal working state of the on-duty machine, executes the subsequent power distribution operations according to the preset flow or external instructions, and acquires the operation result; when the acquired result shows correct execution, it controls the original on-duty machine to power on and reset again, and after this power-on reset the original on-duty machine defaults to the off-duty state.
(5) The on-duty machine monitors the health state of the off-duty machine in real time; when the off-duty machine has more than N consecutive watchdog resets, the on-duty machine sends it a power-on reset signal; if N watchdog resets occur again after the reset, the on-duty machine controls the off-duty machine's power supply to power it off, so that it stops working.
As shown in fig. 2, the host and the standby machine are identical; each includes a central processing controller, a remote control command receiving interface module, a dual-machine interaction interface module, a power distribution state acquisition circuit, a power distribution command analysis circuit, and a power conversion control module;
the central processing controller sends its own health state and current working state to the dual-machine interaction interface module in real time, stores the health state and current working state of the standby machine or host received through that module, and detects whether the standby machine or host is running normally; if the off-duty machine is abnormal, the on-duty machine controls it to restart, and if N consecutive watchdog resets accumulate again after the restart, the off-duty machine is powered off; if the on-duty machine is abnormal, the output control function of the off-duty machine is enabled, the original on-duty machine is restarted with its output control function disabled after the restart, and dual-machine switching is complete; if the restarted original on-duty machine again accumulates N consecutive watchdog resets, the new on-duty machine cuts off the original machine's power;
in on-duty mode, it generates a power distribution instruction according to a preset timing sequence, or receives a power distribution instruction input through the remote control instruction receiving interface module, and outputs a power distribution gating instruction and the power-on or power-off driving instruction of the corresponding channel to the load power supply and distribution module; it judges from the power distribution result acquired by the signal acquisition module whether the instruction was executed correctly and, if not, sends the power distribution instruction to the interaction interface module; it holds the enable signal of the off-duty machine's remote control instruction receiving interface module in the invalid state, so that the off-duty machine does not receive externally input power distribution instructions;
in off-duty mode, it receives the power distribution instruction sent through the interaction interface module and outputs a power distribution gating instruction and the power-on or power-off driving instruction of the corresponding channel to the load power supply and distribution module accordingly; when abnormal operation of the on-duty machine is detected, it enables the off-duty machine's output control function and external instruction receiving interface, reads the stored most recent normal working state of the on-duty machine, continues from that state to generate power distribution instructions according to the timing sequence or to receive power distribution instructions input through the remote control instruction receiving interface module, outputs the power distribution gating instruction to the load power supply and distribution module, and judges from the power distribution result acquired by the signal acquisition module whether the instruction was executed correctly; if it was, it switches to the on-duty working mode and sends a restart instruction to the power supply exchange controller of the original on-duty machine;
under the control of the enable signal, the remote control instruction receiving interface module receives externally input power distribution instructions and outputs them to the central processing controller when the enable signal is valid, and neither receives nor outputs them when the enable signal is invalid;
the signal acquisition module is used for acquiring the bus voltage of each load at the output end of the load power supply and distribution module and transmitting the bus voltage to the central processing controller;
the power distribution instruction analysis circuit decodes the power distribution gating instruction sent by the central processing controller and selects the power-on or power-off driving instruction of the corresponding channel for output; it generates one pair of complementary power-up and power-down commands for a power-constant distribution channel, which only needs its connection to be guaranteed, and four pairs of complementary power-up and power-down commands for a power non-constant distribution channel, which has high requirements on both connection and disconnection reliability.
And the power supply exchange controller is used for performing power supply conversion on the externally input power supply and distribution signal to obtain required secondary power supply voltage to supply power to the central processing controller of the opposite side, and meanwhile, receiving a control signal of the central processing controller of the opposite side to restart or power off the computer.
The reset circuit generates a reset signal after being electrified and controls the central processing controller to reset; and receiving the 'dog feeding' operation output by the central processing controller, and generating a reset signal to control the central processing controller to reset if the 'dog feeding' operation output by the central processing controller is not received within the preset time.
Example:
the present invention will be described in detail below using a dual redundant power distribution system for an in-orbit aircraft as an example.
The dual-redundancy power distribution system of the on-orbit aircraft controls the switching on of the power-constant distribution channel and the switching on and off of the power non-constant distribution channel, either according to its own timing sequence or on commands sent from the ground via space-based measurement and control and received through a 422 serial port.
As shown in fig. 2, the dual-redundancy power distribution system includes a central processing control module (including a main CPU processing circuit and a standby CPU processing circuit), a load power supply and distribution module (including a main power distribution instruction analysis circuit, a power constant power supply and distribution circuit, and a power non-constant power distribution circuit), and a remote control instruction receiving module (including a main power distribution circuit and a standby power distribution circuit).
1. Central processing control module design
1.1 CPU circuit
The on-duty and off-duty machines each use an 80C32 single-chip microcomputer, which has a built-in central processing unit, 128 bytes of internal data RAM, 32 bidirectional I/O ports, 2 16-bit timer/counters, 5 two-level interrupt structures, a full-duplex serial communication port and an on-chip clock oscillator circuit.
The CPUs of the on-duty and off-duty machines exchange health state information (heartbeat signal, reset signal, power supply voltage and the like) and working state information (system time, latest external instruction and the like) through an internal RS422 serial port.
1.2 Reset circuit design
The equipment reset circuit consists of an initial power-on reset circuit, a watchdog reset circuit and a restart reset circuit.
i. Initial power-on reset circuit
To ensure that the CPU has a stable initial state after the equipment is powered on, and that software starts running only after the oscillator has stabilised, a power-on reset circuit is required; the design uses a common RC charging circuit and a Schmitt inverter.
ii. Watchdog reset circuit
The watchdog circuit is a timer monitoring circuit built from a 54HC4060 binary counter configured with an RC circuit. It times independently of software, and software must clear it within the time constant by a "dog feeding" operation. If the software "runs away" or crashes, the "dog feeding" operation cannot be executed and a watchdog reset occurs. If the on-duty machine records that the off-duty machine's consecutive watchdog resets have accumulated to 4, it judges that the other side has a fault and controls the off-duty machine to restart; if consecutive watchdog resets accumulate again after the restart, it controls the off-duty machine to power off. If the off-duty machine records that the on-duty machine's consecutive watchdog resets have accumulated to 4, it judges that the other side has a fault and enters the dual-machine switching process, restarting the original on-duty machine after switching is completed. If 4 consecutive watchdog resets accumulate again after the restart, the original on-duty machine is powered off.
iii. Restart reset circuit
The reset circuit is implemented with a MAX706, which generates a 200 ms power-on reset signal while the device powers up so that the 80C32E system is reset effectively. When four consecutive watchdog resets occur, the restart operation is executed. The chip also has a voltage monitoring function: if the on-duty machine detects that the power supply voltage is lower than about 4.4V, it informs the off-duty machine, which takes this as a condition for entering the dual-machine switching process, and after the switching is confirmed complete, the RESET pin of the original on-duty machine's MAX706 outputs the reset level continuously to realize power-off. If the machine monitors that the power supply voltage is lower than about 4.4V, the RESET pin of the MAX706 is directly made to output the reset level continuously, realizing power-off.
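The supervision rules in features (4) and (5) and the thresholds in section 1.2 can be modelled as a small state machine. The following C sketch is an added example, not code from the patent; the type and function names are hypothetical, and it assumes that a health frame without a watchdog reset breaks the "consecutive" count and that the restart issued at switchover counts as the peer's one restart.

```c
#include <stdbool.h>
#include <stdio.h>

#define WDT_LIMIT 4u     /* N consecutive watchdog resets; 4 in the embodiment */
#define VMIN_MV   4400u  /* supply threshold from the page: 4.4 V */

typedef enum { OFF_DUTY, ON_DUTY } role_t;
typedef enum { ACT_NONE, ACT_TAKE_OVER, ACT_RESTART_PEER, ACT_POWER_OFF_PEER } action_t;

/* Hypothetical state one machine keeps about its peer. */
typedef struct {
    role_t   role;
    unsigned peer_wdt_run;     /* consecutive watchdog resets reported by peer */
    bool     peer_restarted;   /* peer has already used its one restart */
    bool     takeover_pending; /* outputs enabled, waiting for readback */
    bool     peer_off;         /* peer has been powered off */
} supervisor_t;

/* Process one health frame received from the peer over the internal link. */
action_t supervise(supervisor_t *s, bool peer_wdt_reset, unsigned peer_supply_mv)
{
    if (s->peer_off || s->takeover_pending)
        return ACT_NONE;

    /* Assumption: a clean frame resets the consecutive-reset count. */
    s->peer_wdt_run = peer_wdt_reset ? s->peer_wdt_run + 1 : 0;
    bool wdt_fault = s->peer_wdt_run >= WDT_LIMIT;

    if (s->role == OFF_DUTY) {
        /* Feature (4): N resets or low supply on the on-duty machine. */
        if (wdt_fault || peer_supply_mv < VMIN_MV) {
            s->peer_wdt_run = 0;
            s->takeover_pending = true;   /* role changes only after readback */
            return ACT_TAKE_OVER;
        }
        return ACT_NONE;
    }

    /* Feature (5): on duty, only the watchdog count is acted on. */
    if (!wdt_fault)
        return ACT_NONE;
    s->peer_wdt_run = 0;
    if (!s->peer_restarted) {
        s->peer_restarted = true;
        return ACT_RESTART_PEER;
    }
    s->peer_off = true;
    return ACT_POWER_OFF_PEER;
}

/* Call once the first command issued under take-over has been read back.
 * The page does not say what happens on a failed readback; here the
 * supervisor simply stays in the pending state. */
action_t confirm_takeover(supervisor_t *s, bool readback_ok)
{
    if (!s->takeover_pending || !readback_ok)
        return ACT_NONE;
    s->takeover_pending = false;
    s->role = ON_DUTY;
    s->peer_restarted = true;   /* the restart below is the peer's one restart */
    return ACT_RESTART_PEER;
}

/* Feed up to n identical frames; return the first action that is not ACT_NONE. */
action_t feed(supervisor_t *s, unsigned n, bool wdt_reset, unsigned mv)
{
    for (unsigned i = 0; i < n; i++) {
        action_t a = supervise(s, wdt_reset, mv);
        if (a != ACT_NONE)
            return a;
    }
    return ACT_NONE;
}

int main(void)
{
    static const char *name[] = { "none", "take over", "restart peer", "power off peer" };
    supervisor_t standby = { OFF_DUTY, 0, false, false, false };

    /* Constructed trace: the on-duty peer resets four times in a row. */
    printf("4 resets       -> %s\n", name[feed(&standby, 4, true, 5000)]);
    printf("readback ok    -> %s\n", name[confirm_takeover(&standby, true)]);
    printf("4 more resets  -> %s\n", name[feed(&standby, 4, true, 5000)]);
    return 0;
}
```
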
2. Load power supply and distribution module design
2.1 Instruction resolution circuit
The host instruction resolution circuit takes as inputs the address lines A_A0 to A_A3, data lines A_D0 to A_D7, chip select signal A_CS_PD and write signal A_WR generated by the host CPU. The address lines are fed to a 3-8 decoder to generate the latch gating signals A_SEL1 to A_SEL5, and the latches then generate the driving instructions of the power distribution module.
The standby machine instruction resolution circuit takes as inputs the address lines B_A0 to B_A3, data lines B_D0 to B_D7, chip select signal B_CS_PD and write signal B_WR. The address lines are fed to a 3-8 decoder to generate the latch gating signals B_SEL1 to B_SEL5, and the latches then generate the driving instructions of the power distribution module. Different gating signals select different latches, producing different driving instructions.
The driving commands of the on-duty and off-duty machines are connected in parallel to give the final driving commands (cmd1 to cmd6 in fig. 3). In the normal state, because the CPU of the off-duty machine is not enabled, its instruction resolution circuit does not work and the driving commands are determined by the on-duty machine. When the host detects that a command it sent was not executed, the off-duty machine temporarily enables its output control function, and its instruction resolution circuit generates the driving command to reissue the command.
2.2 Constant power supply and distribution management module
The power constant supply and distribution management module provides constant low-power supply output for the load and needs to ensure the connection reliability of the load. The main machine and the standby machine share the same power supply and distribution circuit and are controlled by two MOS tubes in parallel. The driving command is amplified and driven by a triode to be used as a control level of a power supply and distribution circuit, the control level is latched by a magnetic latching relay, and the previous state can be kept even if a secondary power supply or a CPU (central processing unit) fails.
As shown in fig. 4, the power-constant distribution management module includes: the two instruction driving modules are respectively recorded as a first instruction driving module and a second instruction driving module, and the two power distribution output modules are respectively recorded as a first power distribution output module and a second power distribution output module.
The instruction driving module comprises resistors R1, R2, R3 and R4, triodes V1 and V2, wherein one end of the resistor R1 is an input end of the instruction driving module, the other end of the resistor R1 is connected with a base electrode of the triode V1, the resistor R2 is bridged between the base electrode and an emitter electrode of the triode V1, the emitter electrode of the triode V1 is grounded, and a collector electrode of the triode V1 is an output end of the instruction driving module; one end of the resistor R3 is the input end of the command driving module, the other end is connected with the base electrode of the triode V2, the resistor R4 is bridged between the base electrode and the emitting electrode of the triode V2, the emitting electrode of the triode V2 is grounded, and the collector electrode of the triode V2 is the output end of the command driving module;
the power distribution output module comprises a magnetic latching relay K1, resistors R9, R10, R11, R12, R13, R14 and an MOS tube MOS1; the switch of the magnetic latching relay K1 is a double-pole double-throw switch with 6 contacts in total, wherein two contacts (4 and 9) are grounded and serve as the immobile end of the switch, two contacts (2 and 8) are left floating and serve as the first mobile end of the switch, and the remaining two contacts (3 and 7) serve as the second mobile end of the switch and are connected in parallel to one end of a resistor R13; when the first coil is powered on, the immobile end is connected to the switch, and when the second coil is powered on, the mobile end is connected to the switch. The other end of the resistor R13 is divided into two paths: one path is connected in series with the resistor R14 to the load distribution power supply bus (28 V), and the other path is connected to the gate of the MOS tube.
The input ends of the first instruction driving module and the second instruction driving module are connected with the fused power distribution instruction signal; the output end of the first instruction driving module is connected with a power constant channel power-off signal end; the output end of the second instruction driving module is connected with a power-on signal end of the power constant channel.
The drains of the MOS tubes of the first and second distribution output modules are connected with the power constant channel bus; one end of the first coil of the magnetic latching relay K1 of the first and second distribution output modules is connected with the power-off signal of the power constant channel, and the other end is connected with the positive bus (+12V) of the secondary power supply of the equipment through resistors R9 and R10 connected in parallel; one end of the second coil of the magnetic latching relay K1 is connected with the power-on signal of the power constant channel, and the other end is connected through resistors R11 and R12 connected in parallel with the positive bus (+.
The distribution output module further comprises a capacitor C1 and a distribution output, wherein the capacitor C1 and the capacitor distribution output are connected in series and are connected between the load distribution power supply bus (28v) and the grid electrode of the MOS tube in a bridging mode.
The power distribution output module further comprises diodes V5, V6, V7 and V8; the diodes V5 and V6 are bridged across the first coil of the magnetic latching relay of the first power distribution output module; the diodes V7 and V8 are bridged across the second coil of the magnetic latching relay of the second distribution output module;
In this module, the output ends of the instruction driving module are cmd1 and cmd2. When the cmd1 driving command is high, the triodes V1 and V2 conduct and the power constant A channel power-off command is pulled to a low level; the two ends of coil 1 in the magnetic latching relays K1 and K2 are then powered, the switches are in the off state, the gate voltage V_G of MOS1 and MOS2 in the power supply and distribution circuit is 28V, the MOS tubes are off, and the power constant A channel bus is not powered. When the cmd2 driving command is high, the triodes V3 and V4 conduct and the power-on command of the power constant A channel is pulled to a low level; the two ends of coil 2 in the magnetic latching relays K1 and K2 are then powered, the switches are both in the on state, the gate voltage V_G of MOS1 and MOS2 is the divided voltage of 28V across R13/R14 and R19/R20, the MOS tubes conduct, and the power constant A channel bus is powered.
The triode and the magnetic latching relay used for driving the instruction isolation amplification in the power supply and distribution circuit, the divider resistor, the filter capacitor, the MOS tube and the like used for supplying power to the bus are all designed in a redundancy way, and the single-point risk is eliminated.
2.3 Power non-constant power supply and distribution management module
The power non-constant supply and distribution management module supplies the load with variable power on demand and is switched many times during the whole flight, so the reliability of both connection and disconnection must be considered. Building on the power constant supply and distribution management module, channel reliability is improved as follows.
For each power-on or power-off instruction, the instruction analysis circuit outputs four instructions; after optocoupler isolation, amplification triodes and magnetic latching relays, these drive the final output stage of four pairs of series-parallel MOS tubes (eight in total), as shown in fig. 5.
As shown in fig. 5, the power non-constant distribution management module includes:
eight command driver modules, noted as: the system comprises a first instruction driving module, a second instruction driving module, a third instruction driving module, a fourth instruction driving module, a fifth instruction driving module, a sixth instruction driving module, a seventh instruction driving module and an eighth instruction driving module;
the system comprises four instruction holding modules, a first instruction holding module, a second instruction holding module, a third instruction holding module and a fourth instruction holding module;
the power distribution system comprises eight power distribution output modules, a first power distribution output module, a second power distribution output module, a third power distribution output module, a fourth power distribution output module, a fifth power distribution output module, a sixth power distribution output module, a seventh power distribution output module and an eighth power distribution output module;
the instruction driving module comprises resistors R21 and R22 and a triode V21, one end of the resistor R21 is the input end of the instruction driving module, the other end of the resistor R21 is connected with the base electrode of the triode V21, the resistor R22 is bridged between the base electrode and the emitter electrode of the triode V21, the emitter electrode of the triode V21 is grounded, and the collector electrode of the triode V21 is the output end of the instruction driving module;
the instruction holding module comprises a magnetic latching relay K3, diodes V31, V32, V33 and V34, and resistors R41, R42, R43 and R44, wherein the diodes V31 and V32 are bridged across the first coil of the magnetic latching relay K3 and the diodes V33 and V34 are bridged across the second coil of the magnetic latching relay K3. One end of the first coil of the magnetic latching relay K3 is connected with a first input signal, and the other end is connected with the positive bus of the secondary power supply of the equipment through resistors R41 and R42 connected in parallel; one end of the second coil of the magnetic latching relay K3 is connected with a second input signal, and the other end is connected with the positive bus (+12V) of the secondary power supply of the equipment through resistors R43 and R44 connected in parallel; the switch of the magnetic latching relay K3 is a double-pole double-throw switch with 6 contacts in total, wherein two contacts are grounded, two contacts are left floating as the stationary end contacts, and two contacts are connected in parallel to the instruction holding output end as the moving end.
The power distribution output modules comprise resistors R49 and R50, capacitors C11 and C12 and an MOS transistor MOS 11; one end of the resistor R49 is connected to the input end of a power distribution command, the other end of the resistor R50 is divided into two paths, one path is connected with the resistor R49 in series to the source of the MOS11, the other path is connected to the grid of the MOS11, and the capacitors C11 and C12 are connected in series and then bridged at two ends of the R49;
the output ends of the triode collectors of the first instruction driving module, the second instruction driving module, the third instruction driving module, the fourth instruction driving module, the fifth instruction driving module, the sixth instruction driving module, the seventh instruction driving module and the eighth instruction driving module are respectively a power non-constant channel first power-off signal, a power non-constant channel second power-off signal, a power non-constant channel third power-off signal, a power non-constant channel fourth power-off signal, a power non-constant channel first power-up signal, a power non-constant channel second power-up signal, a power non-constant channel third power-up signal and a power non-constant channel fourth power-up signal;
a first input end and a second input end of the first instruction holding module are respectively connected with a first power-off signal of a power non-constant channel and a first power-on signal of the power non-constant channel;
the first input end and the second input end of the second instruction holding module are respectively connected with a second power-off signal of a power non-constant channel and a second power-on signal of the power non-constant channel;
the first input end and the second input end of the third instruction holding module are respectively connected with a third power-off signal of a power non-constant channel and a third power-on signal of the power non-constant channel;
a first input end and a second input end of the fourth instruction holding module are respectively connected with a fourth power-off signal of the power non-constant channel and a fourth power-on signal of the power non-constant channel;
the instruction holding output end of the first instruction holding module is connected with the power distribution instruction input ends of the first power distribution output module and the second power distribution output module;
the instruction holding output end of the second instruction holding module is connected with the power distribution instruction input ends of the third power distribution output module and the fourth power distribution output module;
the instruction holding output end of the third instruction holding module is connected with the power distribution instruction input ends of the fifth power distribution output module and the sixth power distribution output module;
and the instruction holding output end of the fourth instruction holding module is connected with the power distribution instruction input ends of the seventh power distribution output module and the eighth power distribution output module.
The source electrode of the MOS tube in the first distribution output module is connected with a load distribution power bus (28 V), and the drain electrode of the MOS tube is connected with the source electrode of the MOS tube in the third distribution module;
the source electrode of the MOS tube in the second distribution output module is connected with a load distribution power supply bus (28 V), and the drain electrode of the MOS tube is connected with the source electrode of the MOS tube in the fourth distribution module;
the source electrode of an MOS tube in the fifth power distribution output module is connected with a load power distribution bus (28 V), and the drain electrode of the MOS tube is connected with the source electrode of the MOS tube in the seventh power distribution module;
and the source electrode of the MOS tube in the sixth power distribution output module is connected with a load power distribution bus (28 V), and the drain electrode of the MOS tube is connected with the source electrode of the MOS tube in the eighth power distribution module.
In the module, the output ends of the command driving module are cmd3, cmd5, cmd7, cmd9, cmd4, cmd6, cmd8 and cmd10. When the cmd3, cmd5, cmd7 and cmd9 drive commands are high, triodes V21, V23, V25 and V27 conduct, the power non-constant B channel power-off_1/2/3/4 signals are at low level, and both ends of coil 1 in magnetic latching relays K3, K4, K5 and K6 are energized; at this moment the gate voltage V_G of MOS11 to MOS18 in the power supply and distribution circuit is 28 V, the MOS tubes are off, and the power non-constant B channel bus is not powered. When the cmd4, cmd6, cmd8 and cmd10 drive commands are high, triodes V22, V24, V26 and V28 conduct, the power non-constant B channel power-up_1/2/3/4 signals are at low level, both ends of coil 2 in magnetic latching relays K3, K4, K5 and K6 are energized, and the switches are all in the switched-on state; at this moment the gate voltage V_G of MOS11 to MOS18 in the power supply and distribution circuit is the divided voltage of 28 V across the resistor, the MOS tubes conduct, and the power non-constant B channel bus is powered.
In the circuit, cmd5/cmd6 drive MOS tubes V11 and V12, cmd7/cmd8 drive MOS tubes V13 and V14, cmd9/cmd10 drive MOS tubes V15 and V16, and cmd11/cmd12 drive MOS tubes V17 and V18. It can be verified that the failure of any one instruction, or of any 3 MOS tubes, does not leave the load unable to be powered up or powered down.
3. Remote control instruction receiving module design
The AM26C32 remote control command receiving interface chips of the host and the standby machine of the on-orbit aircraft are constantly powered. When the host is working, the enable signal B_RX of the standby machine's receiving interface is held at low level and the standby machine does not receive commands; when the standby machine is working, the enable signal A_RX of the host's receiving interface is held at low level and the host does not receive commands, so the two machines do not affect each other, as shown in Fig. 6.
4. Optimizing the dual-machine redundancy design
In addition to the redundant design of the power distribution circuit, the dual-machine redundant power distribution system is optimized in two respects, command reissue and the switching strategy:
4.1 Handover strategy
When the CPU board of the host (the on-duty machine in the initial state) is reset by a watchdog timeout, the host watchdog-reset count recorded by the standby machine (the off-duty machine in the initial state) is incremented by 1. If the standby machine determines that the host has suffered four consecutive watchdog resets, the host-standby switching process is started. To avoid powering down channels that were powered up earlier, the host and the standby machine output simultaneously during the switchover. Based on the most recent normal working state of the host stored earlier, the standby machine enables its function of receiving external instructions, executes the subsequent operations according to the preset flow, and reads back the operation results. When the readback shows that the operations were executed correctly, the standby machine becomes the on-duty machine and at the same time controls the host to power on and reset again; after power-on, the host defaults to the off-duty machine.
In addition, if the voltage monitoring input of the host's MAX706 falls below 4.4 V, the standby machine is notified and the host-standby switching process is entered; after the switching is completed, the power supply of the original on-duty machine is switched off to save power.
The on-duty machine periodically transmits the system time, the latest external command and a backup of the state after executing the latest external command to the off-duty machine, and the backup is stored in the EEPROM. During ordinary flight, the backup is performed every 10 min; during task execution, it is performed every 10 s because operations are intensive. The backup interval can be modified conveniently in software.
4.2 Instruction compensation
To avoid instruction failure caused by a single event upset or a circuit hardware fault, after the CPU board of the on-duty machine outputs a power-on instruction for any channel (assume channel A), the instruction is sent to the off-duty machine through the internal serial port and the readback state of channel A is checked in the next period. If the readback state of channel A is low level, the power-on is considered unsuccessful; the on-duty machine sets the CPU output of the off-duty machine to valid, and the channel A power-on instruction is reissued. Similarly, after the CPU board of the on-duty machine outputs a power-off instruction for any channel (assume channel B), the CPU of the on-duty machine checks the readback state of channel B; if it is high level, the CPU output of the off-duty machine is set to valid and the channel B power-off instruction is sent again.
With the hardware circuit left unchanged, the redundancy strategy can be changed flexibly by changing the CPU software settings that control the CLK signal of the standby machine's output chip in the single-chip microcomputer, for example host-only control, parallel output of the standby machine, or a standby-machine reissue mechanism.
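The switching trigger of section 4.1 and the readback-and-reissue rule of section 4.2, as an added C model that is not code from the patent. The channel count, the fault-injection flags, clearing the reset count on a clean health report, and leaving roles unchanged after a failed readback are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define WDT_SWITCH_THRESHOLD 4     /* page: four consecutive watchdog resets */
#define SUPPLY_MIN_MV        4400  /* page: MAX706 monitor input below 4.4 V */
#define NUM_CHANNELS         4     /* assumption: channel count is illustrative */

enum role { OFF_DUTY, ON_DUTY };
enum cmd  { CMD_POWER_OFF, CMD_POWER_ON };

struct machine {
    enum role role;
    bool output_enabled;              /* gate on this machine's drive outputs */
    bool driver_fault[NUM_CHANNELS];  /* constructed fault: command never reaches the relay */
    unsigned peer_wdt_resets;         /* consecutive watchdog resets seen on the peer */
};

/* Relay-latched channel state: it survives a CPU reset on either machine. */
struct bus { bool powered[NUM_CHANNELS]; };

static void drive(const struct machine *m, struct bus *b, int ch, enum cmd c)
{
    if (m->output_enabled && !m->driver_fault[ch])
        b->powered[ch] = (c == CMD_POWER_ON);
}

static bool readback_ok(const struct bus *b, int ch, enum cmd c)
{
    return b->powered[ch] == (c == CMD_POWER_ON);
}

/* Section 4.2: returns 0 if the on-duty machine succeeded, 1 if the off-duty
 * reissue succeeded, -1 if the channel is still wrong after the reissue. */
int issue_with_compensation(struct machine *duty, struct machine *spare,
                            struct bus *b, int ch, enum cmd c)
{
    drive(duty, b, ch, c);
    if (readback_ok(b, ch, c))
        return 0;
    spare->output_enabled = true;     /* temporarily enable the off-duty output */
    drive(spare, b, ch, c);           /* same command, forwarded over the serial link */
    spare->output_enabled = false;
    return readback_ok(b, ch, c) ? 1 : -1;
}

/* Section 4.1 trigger, evaluated by the off-duty machine once per health report.
 * Assumption: a report without a watchdog reset clears the consecutive count. */
bool should_switch(struct machine *spare, bool peer_wdt_reset, unsigned peer_supply_mv)
{
    spare->peer_wdt_resets = peer_wdt_reset ? spare->peer_wdt_resets + 1 : 0;
    return spare->peer_wdt_resets >= WDT_SWITCH_THRESHOLD
        || peer_supply_mv < SUPPLY_MIN_MV;
}

/* Section 4.1 switchover. last_good is the backed-up channel state after the
 * latest command. Roles change only if every channel reads back correctly;
 * aborting with roles unchanged on a bad readback is an assumption. */
bool switchover(struct machine *old_duty, struct machine *spare,
                struct bus *b, const bool last_good[NUM_CHANNELS])
{
    spare->output_enabled = true;     /* both machines output during the switch */
    for (int ch = 0; ch < NUM_CHANNELS; ch++) {
        enum cmd c = last_good[ch] ? CMD_POWER_ON : CMD_POWER_OFF;
        drive(spare, b, ch, c);
        if (!readback_ok(b, ch, c)) {
            spare->output_enabled = false;
            return false;
        }
    }
    spare->role = ON_DUTY;
    spare->peer_wdt_resets = 0;
    memset(old_duty, 0, sizeof *old_duty);  /* power-on reset: OFF_DUTY, outputs off */
    return true;
}

int main(void)
{
    struct machine host = { .role = ON_DUTY, .output_enabled = true };
    struct machine standby = { .role = OFF_DUTY };
    struct bus b = { { false } };
    bool backup[NUM_CHANNELS] = { false };

    host.driver_fault[2] = true;      /* constructed upset on channel 2 */
    for (int ch = 0; ch < 3; ch++) {
        int r = issue_with_compensation(&host, &standby, &b, ch, CMD_POWER_ON);
        backup[ch] = b.powered[ch];
        printf("ch%d power-on: %s\n", ch,
               r == 0 ? "host" : r == 1 ? "reissued by standby" : "failed");
    }
    for (int i = 1; i <= WDT_SWITCH_THRESHOLD; i++)
        if (should_switch(&standby, true, 5000))
            printf("switch after %d resets: %s\n", i,
                   switchover(&host, &standby, &b, backup) ? "done" : "aborted");
    return 0;
}
```

Because the channel state is latched by the relays, the switchover only re-asserts and verifies the backed-up state, so channels powered before the fault stay powered throughout.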
Parts of the specification which are not described in detail are within the common general knowledge of a person skilled in the art.

Claims (7)

1. The smooth switching dual-machine redundant power distribution system is characterized by comprising a host, a standby machine and a load power supply and distribution module, wherein the host and the standby machine serve as the on-duty machine and the off-duty machine, and the on-duty machine and the off-duty machine transmit their own health state and current working state to each other in real time, so that each knows the current working state of the other; when the on-duty machine outputs a power distribution control signal to the load power supply and distribution module according to a preset time sequence or receives a power distribution instruction input from the outside, the on-off of the load power supply and distribution is controlled, the bus voltage at the output end of the load power supply and distribution module is acquired, and whether the power distribution instruction was executed correctly is judged from the acquisition result; when the instruction was not executed correctly, the on-duty machine transmits the power distribution instruction to the off-duty machine through an internal serial port, the output control function of the off-duty machine is temporarily enabled, and the off-duty machine executes the power distribution instruction once more as a supplement;
the health state comprises a heartbeat signal, a reset signal and a power supply voltage; the working state comprises system time, a latest external power distribution instruction and a power distribution state after the latest external power distribution instruction is executed;
the host machine and the standby machine are completely the same and comprise a central processing controller, a remote control instruction receiving interface module, a dual-machine interaction interface module, a power distribution state acquisition circuit, a power distribution instruction analysis circuit and a power supply conversion control module;
the central processing controller sends its own health state and current working state to the dual-machine interaction interface module in real time, stores the health state and current working state of the standby machine or the host received by the dual-machine interaction interface module, and detects whether the standby machine or the host is running normally; if the off-duty machine is abnormal, the on-duty machine controls the off-duty machine to restart, and if N consecutive watchdog resets accumulate again after the restart, the off-duty machine is powered off; if the on-duty machine is abnormal, the output control function of the off-duty machine is enabled, the original on-duty machine is restarted with its output control function disabled after the restart, and the dual-machine switching is completed; if the original on-duty machine, once restarted, again accumulates N consecutive watchdog resets, the new on-duty machine powers it off;
in the on-duty machine mode, generating a power distribution instruction according to a preset time sequence or receiving a power distribution instruction input by the remote control instruction receiving interface module, and outputting a power distribution gating instruction and a power-on or power-off driving instruction of the corresponding channel to the load power supply and distribution module; judging whether the power distribution instruction was executed correctly according to the power distribution result acquired by the signal acquisition module, and if the power distribution instruction was not executed correctly, sending the power distribution instruction to the interaction interface module; controlling the enable signal of the remote control instruction receiving interface module of the off-duty machine to be in the invalid state, so that the off-duty machine does not receive externally input power distribution instructions;
in the off-duty machine mode, receiving a power distribution instruction sent by the interaction interface module, and outputting a power distribution gating instruction and a power-on or power-off driving instruction of the corresponding channel to the load power supply and distribution module according to the power distribution instruction; when abnormal operation of the on-duty machine is detected, enabling the output control function and the external instruction receiving interface of the off-duty machine, reading the stored most recent normal working state of the on-duty machine, continuing to generate power distribution instructions according to the time sequence after that normal working state or receiving power distribution instructions input by the remote control instruction receiving interface module, outputting a power distribution gating instruction to the load power supply and distribution module, and judging whether the power distribution instruction was executed correctly according to the power distribution result acquired by the signal acquisition module; if the power distribution instruction was executed correctly, switching to the on-duty machine working mode and sending a restart instruction to the power supply exchange controller of the original on-duty machine;
the remote control instruction receiving interface module receives an externally input power distribution instruction and outputs the power distribution instruction to the central processing controller when the enable signal is effective under the control of the enable signal, and does not receive the externally input power distribution instruction and does not output the power distribution instruction to the central processing controller when the enable signal is ineffective;
the signal acquisition module is used for acquiring the bus voltage of each load at the output end of the load power supply and distribution module and transmitting the bus voltage to the central processing controller;
the power distribution instruction analysis circuit decodes the power distribution gating instruction sent by the central processing controller, and selects the power-on or power-off driving instruction of the corresponding access to output; generating a pair of complementary power-up and power-down commands for a power-constant distribution channel that only needs to be guaranteed to be switched on; generating four pairs of complementary power-on and power-off instructions for a power constant distribution channel with higher requirements on the connection and disconnection reliability;
the power supply exchange controller is used for carrying out power supply conversion on the externally input power supply and distribution signal to obtain required secondary power supply voltage to supply power to the central processing controller of the opposite side, and meanwhile, receiving a control signal of the central processing controller of the opposite side and restarting or powering off the computer;
the reset circuit generates a reset signal after power-on and controls the central processing controller to reset; it receives the watchdog-feeding operation output by the central processing controller, and if the watchdog-feeding operation output by the central processing controller is not received within the preset time, it generates a reset signal to control the central processing controller to reset.
2. The smooth switching dual-machine redundant power distribution system resistant to single particle irradiation of claim 1, characterized in that the off-duty machine monitors the health state of the on-duty machine in real time; when the off-duty machine detects that the on-duty machine is abnormal, it enables its own output control and external instruction receiving functions according to the most recent normal working state of the on-duty machine stored earlier, executes the subsequent power distribution operations according to the preset flow or external instructions, and collects the operation results; when the collected results show correct execution, it controls the original on-duty machine to power on and reset again, the original on-duty machine defaults to the off-duty machine state after the power-on reset with its output control and instruction receiving functions disabled, and the switchover is completed.
3. The smooth switching dual-machine redundant power distribution system resisting single particle irradiation according to claim 1, wherein the on-duty machine monitors the health state of the off-duty machine in real time, and when the off-duty machine has more than N consecutive watchdog resets, the on-duty machine sends a power-on reset signal to the off-duty machine; if N watchdog resets occur again after the reset, the on-duty machine controls the power supply of the off-duty machine to be powered off, the on-duty machine stops working, and N is greater than or equal to 2.
4. The smooth switching dual-machine redundant power distribution system resisting single event irradiation according to claim 1, wherein the load power supply and distribution module comprises a driving instruction fusion module, a power constant power distribution management module and a power non-constant power distribution management module;
the driving instruction fusion module is used for connecting the power-on or power-off driving instructions of the same channel of the host machine and the standby machine in parallel to obtain a fusion driving instruction, and then sending the fusion driving instruction to the power constant distribution management module and/or the power non-constant distribution management module corresponding to the channel;
the power constant distribution management module outputs a power supply signal with constant power;
and the power non-constant distribution management module outputs a power supply signal with non-constant power.
5. The system according to claim 4, wherein the power constant distribution management module comprises: the two instruction driving modules are respectively marked as a first instruction driving module and a second instruction driving module, and the two power distribution output modules are respectively marked as a first power distribution output module and a second power distribution output module;
the instruction driving module comprises resistors R1, R2, R3 and R4, triodes V1 and V2, wherein one end of the resistor R1 is an input end of the instruction driving module, the other end of the resistor R1 is connected with a base electrode of the triode V1, the resistor R2 is bridged between the base electrode and an emitter electrode of the triode V1, the emitter electrode of the triode V1 is grounded, and a collector electrode of the triode V1 is an output end of the instruction driving module; one end of the resistor R3 is the input end of the command driving module, the other end is connected with the base electrode of the triode V2, the resistor R4 is bridged between the base electrode and the emitting electrode of the triode V2, the emitting electrode of the triode V2 is grounded, and the collector electrode of the triode V2 is the output end of the command driving module;
the power distribution output modules comprise magnetic latching relays K1, resistors R9, R10, R11, R12, R13, R14 and MOS tubes MOS 1; the magnetic latching relay K1 is a double-end double-throw switch, and has 6 contacts, wherein two contacts are grounded and used as the immobile end of the switch, the other two contacts are suspended and used as the first mobile end of the switch, the two contacts are used as the second mobile end of the switch and are connected in parallel to one end of a resistor R13, the other end of the resistor R13 is divided into two paths, one path is connected in series with the resistor R14 to a load distribution power supply bus, and the other path is connected to the grid of an MOS (metal oxide semiconductor) tube;
the input ends of the first instruction driving module and the second instruction driving module are connected with the fused power distribution instruction signal; the output end of the first instruction driving module is connected with a power constant channel power-off signal end; the output end of the second instruction driving module is connected with a power-on signal end of the constant-power channel;
the drain electrodes of the MOS tubes of the first distribution output module and the second distribution output module are connected with a power constant channel bus; one end of a first coil of a magnetic latching relay K1 of the first distribution output module and the second distribution output module is connected with a power-off signal of a power constant channel, the other end of the first coil is connected to a positive bus of the secondary power supply of the equipment through resistors R9 and R10 which are connected in parallel, one end of a second coil of the magnetic latching relay K1 is connected with a power-on signal of the power constant channel, and the other end of the second coil is connected to the positive bus of the secondary power supply of the equipment through resistors R11 and R12 which are;
the distribution output module further comprises a capacitor C1 and a distribution output, wherein the capacitor C1 is connected with the capacitor distribution output in series and bridged between the load distribution power supply bus and the grid of the MOS tube.
6. The smooth switching dual-machine redundant power distribution system resistant to single event irradiation according to claim 5, wherein the power distribution output module further comprises diodes V5, V6, V7 and V8, wherein the diodes V5 and V6 are connected across the first wire packet of the magnetic latching relay of the first power distribution output module in a bridging manner; and the diodes V7 and V8 are connected across the second wire packet of the magnetic latching relay of the second distribution output module in a bridging mode.
7. The system according to claim 4, wherein the power non-constant distribution management module comprises:
eight command driver modules, noted as: the system comprises a first instruction driving module, a second instruction driving module, a third instruction driving module, a fourth instruction driving module, a fifth instruction driving module, a sixth instruction driving module, a seventh instruction driving module and an eighth instruction driving module;
the system comprises four instruction holding modules, a first instruction holding module, a second instruction holding module, a third instruction holding module and a fourth instruction holding module;
the power distribution system comprises eight power distribution output modules, a first power distribution output module, a second power distribution output module, a third power distribution output module, a fourth power distribution output module, a fifth power distribution output module, a sixth power distribution output module, a seventh power distribution output module and an eighth power distribution output module;
the instruction driving module comprises resistors R21 and R22 and a triode V21, one end of the resistor R21 is the input end of the instruction driving module, the other end of the resistor R21 is connected with the base electrode of the triode V21, the resistor R22 is bridged between the base electrode and the emitter electrode of the triode V21, the emitter electrode of the triode V21 is grounded, and the collector electrode of the triode V21 is the output end of the instruction driving module;
the command holding module comprises a magnetic holding relay K3, diodes V31, V32, V33 and V34, resistors R41, R42, R43 and R44, wherein the diodes V31 and V32 are bridged at two ends of a first line packet of the magnetic holding relay K3; the diodes V33, V34 are connected across the second wire packet of the magnetic latching relay K3. One end of a first coil of the magnetic latching relay K3 is connected with a first input signal, the other end of the first coil is connected to a positive bus of the secondary power supply of the equipment through resistors R41 and R42 which are connected in parallel, one end of a second coil of the magnetic latching relay K3 is connected with a second input signal, and the other end of the second coil is connected to the positive bus of the secondary power supply of the equipment through resistors R43 and R44 which are connected in parallel; the magnetic latching relay K3 is a double-end double-throw switch, and has 6 contacts in total, wherein two contacts are grounded and used as the immobile end of the switch, the other two contacts are suspended and used as the first mobile end of the switch, and the other two contacts are used as the second mobile end of the switch and are connected in parallel to the instruction holding output end;
the power distribution output modules comprise resistors R49 and R50, capacitors C11 and C12 and an MOS transistor MOS 11; one end of the resistor R49 is connected to the input end of a power distribution command, the other end of the resistor R50 is divided into two paths, one path is connected with the resistor R49 in series to the source of the MOS11, the other path is connected to the grid of the MOS11, and the capacitors C11 and C12 are connected in series and then bridged at two ends of the R49;
the output ends of the triode collectors of the first instruction driving module, the second instruction driving module, the third instruction driving module, the fourth instruction driving module, the fifth instruction driving module, the sixth instruction driving module, the seventh instruction driving module and the eighth instruction driving module are respectively a power non-constant channel first power-off signal, a power non-constant channel second power-off signal, a power non-constant channel third power-off signal, a power non-constant channel fourth power-off signal, a power non-constant channel first power-up signal, a power non-constant channel second power-up signal, a power non-constant channel third power-up signal and a power non-constant channel fourth power-up signal;
a first input end and a second input end of the first instruction holding module are respectively connected with a first power-off signal of a power non-constant channel and a first power-on signal of the power non-constant channel;
the first input end and the second input end of the second instruction holding module are respectively connected with a second power-off signal of a power non-constant channel and a second power-on signal of the power non-constant channel;
the first input end and the second input end of the third instruction holding module are respectively connected with a third power-off signal of a power non-constant channel and a third power-on signal of the power non-constant channel;
a first input end and a second input end of the fourth instruction holding module are respectively connected with a fourth power-off signal of the power non-constant channel and a fourth power-on signal of the power non-constant channel;
the instruction holding output end of the first instruction holding module is connected with the power distribution instruction input ends of the first power distribution output module and the second power distribution output module;
the instruction holding output end of the second instruction holding module is connected with the power distribution instruction input ends of the third power distribution output module and the fourth power distribution output module;
the instruction holding output end of the third instruction holding module is connected with the power distribution instruction input ends of the fifth power distribution output module and the sixth power distribution output module;
the instruction holding output end of the fourth instruction holding module is connected with the power distribution instruction input ends of the seventh power distribution output module and the eighth power distribution output module;
the source electrode of an MOS tube in the first power distribution output module is connected with a load power distribution bus, and the drain electrode of the MOS tube is connected with the source electrode of an MOS tube in the third power distribution module;
the source electrode of an MOS tube in the second power distribution output module is connected with a load power distribution bus, and the drain electrode of the MOS tube is connected with the source electrode of an MOS tube in the fourth power distribution module;
the source electrode of an MOS tube in the fifth power distribution output module is connected with a load power distribution bus, and the drain electrode of the MOS tube is connected with the source electrode of the MOS tube in the seventh power distribution module;
and the source electrode of the MOS tube in the sixth power distribution output module is connected with a load power distribution bus, and the drain electrode of the MOS tube is connected with the source electrode of the MOS tube in the eighth power distribution module.
CN201910470266.5A 2019-05-31 2019-05-31 Smooth switching dual-machine redundant power distribution system resistant to single-particle irradiation Active CN110196564B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910470266.5A CN110196564B (en) 2019-05-31 2019-05-31 Smooth switching dual-machine redundant power distribution system resistant to single-particle irradiation


Publications (2)

Publication Number Publication Date
CN110196564A CN110196564A (en) 2019-09-03
CN110196564B true CN110196564B (en) 2020-11-20

Family

ID=67753682


Country Status (1)

Country Link
CN (1) CN110196564B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112130486B (en) * 2020-09-02 2021-11-16 国电南瑞科技股份有限公司 Intelligent outlet module of power relay protection equipment and fault-tolerant control method thereof
CN114069829B (en) * 2021-11-22 2023-09-26 北京计算机技术及应用研究所 Dual-path redundant power supply self-cutting and recovering circuit
CN114123466B (en) * 2021-11-22 2023-09-26 北京计算机技术及应用研究所 Dual-path redundant power supply self-cutting and recovering method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN201860160U (en) * 2010-07-15 2011-06-08 刘业纯 Double-power-supply static switching device
CN201928047U (en) * 2010-12-24 2011-08-10 深圳市华通电气设备有限公司 Subway light current integrated UPS system
CN208028652U (en) * 2018-02-06 2018-10-30 深圳妈湾电力有限公司 A kind of double host parallel redundancy power supply systems

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20090032396A (en) * 2007-09-27 2009-04-01 한국전력공사 Electric supply automation system
CN102570591B (en) * 2012-01-14 2015-04-22 北京鼎汉技术股份有限公司 Switching system and switching method for dual-computer hot standby
CN203151200U (en) * 2012-12-21 2013-08-21 思源清能电气电子有限公司 Double on-line standby high-frequency voltage constant current source
CN106428589B (en) * 2016-11-09 2019-01-25 北京宇航系统工程研究所 A kind of aerospace craft power supply and distribution device based on solid state power control technology
CN207234422U (en) * 2017-09-11 2018-04-13 深圳市沃尔奔达新能源股份有限公司 Redundancy parallel control system and electricity generation system

Also Published As

Publication number Publication date
CN110196564A (en) 2019-09-03

Similar Documents

Publication Publication Date Title
CN110196564B (en) Smooth switching dual-machine redundant power distribution system resistant to single-particle irradiation
CN101807076B (en) Duplication redundancy fault-tolerant high-reliability control system having synergistic warm standby function based on PROFIBUS field bus
CN103488551B (en) Redundant path power subsystem and operation method thereof
CN102053882A (en) Heterogeneous satellite-borne fault-tolerant computer based on COTS (Commercial Off The Shelf) device
CN101917285A (en) Three-machine realization method for moonlet service host machine double-machine cooling structure
CN110995478B (en) Method for implementing redundant backup of board card in OpenVPX equipment
CN101179697B (en) Method and apparatus for implementing data backup of multi-point processor in multi-point control cell
CN210129215U (en) Dual-redundancy electromechanical management computer architecture
CN105242608B (en) Vehicle control unit and control method thereof
CN108847879A (en) Two-shipper fault detection and restoration methods based on bus control unit
CN111984471B (en) Cabinet power BMC redundancy management system and method
CN109194497A (en) Double SRIO Network Backup Systems of software-oriented radio system
CN112445751B (en) Computer host interface board suitable for multi-mode redundant system
CN103793300A (en) Fast active-standby switching device in hot-standby system and active-standby switching method
CN111930573B (en) Task-level dual-machine hot standby system based on management platform and method thereof
CN210608666U (en) Control device of redundant power supply and power supply system
CN205071015U (en) Ethernet power supply unit
CN203733107U (en) Quick active/standby shifting device in active-standby system
CN114194125B (en) Whole vehicle controller, running method of whole vehicle controller and automobile
CN111142945A (en) Dynamic switching method for master channel and slave channel of dual-redundancy computer
CN111831094A (en) Complete machine power-off and abnormal restarting system
CN107517106A (en) A kind of POE method of supplying power to and POE power supply units
CN110162432B (en) Multistage fault-tolerant spaceborne computer system based on ARM
CN115022159A (en) Control equipment main controller redundancy backup system and method
CN113741280A (en) Intelligent management control device of homemade VPX framework

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant