CN111857884B - High-reliability satellite-borne software starting system and method
Publication number: CN111857884B (also listed: CN202010734383.0A)
Authority: CN (China)
Legal status: Active
Classifications
- G06F9/44505: Configuring for program initiating, e.g. using registry, configuration files
- G06F11/1675: Temporal synchronisation or re-synchronisation of redundant processing components
Abstract
The invention provides a high-reliability satellite-borne software starting system and method. The system comprises: an initialization module configured to initialize parameters using a root program; a three-mode starting frequency module configured to perform three-mode (triple-modular-redundancy) starting of the satellite-borne software; and a sequential starting module configured to start the satellite-borne software sequentially when the three-mode starting fails.
Description
Technical Field
The invention relates to the technical field of spacecraft control, in particular to a high-reliability satellite-borne software starting system and method.
Background
As human aerospace activity becomes more frequent and exploration reaches farther, it is gradually expanding from the initial near-ground orbits to deep space, with more distant orbits, planetary exploration and the like. The harsh, complex space environment and the complexity of the spacecraft itself place higher demands on the reliability of on-board software start-up. The on-board software must be able to start normally in extremely complex situations and must have a certain self-correction capability. Traditional aerospace software is generally stored in antifuse PROM, and a main mode and a backup mode are used to increase reliability. The software is started either with a simple triple-modular redundancy scheme or without triple-modular redundancy at all. In addition, because FLASH capacity is limited, typically only critical modules are given triple-modular redundancy, and triple-modular redundancy covering all of the code is lacking. Although this increases the reliability of satellite-borne software to a certain extent, it has the following disadvantages:
1) The satellite-borne software does not apply triple-modular redundancy during start-up, so when the code is affected by the space environment and suffers bit errors, the software may fail to start and the spacecraft's task may fail;
2) The traditional triple-modular redundancy start-up can start normally when the code has some bit errors, but in an extreme environment several of the stored code copies may have an error in the same bit, so the erroneous bit is taken as the correct bit in the two-out-of-three vote and start-up fails;
3) The traditional satellite-borne software start-up scheme has no cross-starting function and lacks the ability to cope with complex environments. When the code in a certain area is corrupted and cannot be recovered, the single unit can never start normally and stops working, the satellite function is lost, and the satellite task is affected;
4) PROM capacity is limited and PROM can be written only once; it cannot be altered once writing is complete. This limits the flexibility of the spacecraft to a large extent. As the roles of spacecraft become more and more diverse, on-orbit optimization or the addition of new functions may be required according to actual conditions, yet new functions can only be added by launching a new spacecraft, which is costly;
5) During on-orbit operation, the accumulated effect of single-event upsets may leave the stored program unable to start normally again.
Disclosure of Invention
The invention aims to provide a high-reliability satellite-borne software starting system and method, which are used for solving the problem of low starting reliability of the existing satellite-borne software.
In order to solve the technical problems, the invention provides a highly reliable satellite-borne software starting system, which comprises:
an initialization module configured to initialize parameters using a root program;
the three-mode starting frequency module is configured to perform three-mode starting on the satellite-borne software;
and the sequential starting module is configured to sequentially start the satellite-borne software when the three-mode starting fails.
Optionally, the high-reliability satellite-borne software starting system further includes a fixed storage carrier, a first non-fixed storage carrier, a second non-fixed storage carrier and a third non-fixed storage carrier, wherein:
the fixed storage carrier stores the root program so that the initialization module loads the root program onto a satellite;
the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier all store state marks and satellite-borne software images;
the three-mode starting frequency module and the sequential starting module decide between three-mode starting and sequential starting according to whether the number of three-mode starts is greater than or equal to 2;
and the three-mode starting frequency module and the sequence starting module load the satellite-borne software image onto a satellite.
Optionally, in the highly reliable on-board software start-up system,
the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier all comprise a three-mode starting times storage area, a three-mode code selection mark storage area, a curing area code storage area and a reconstruction area code storage area;
the curing area code storage area and the reconstruction area code storage area both store the code of the same satellite-borne software image;
the three-mode starting frequency module and the sequential starting module decide between three-mode starting and sequential starting according to whether the number of three-mode starts is greater than or equal to 2;
and the three-mode starting frequency module judges, according to the three-mode code selection mark, whether the code in the curing area code storage area or the code in the reconstruction area code storage area is loaded onto the satellite as the satellite-borne software image.
Optionally, in the highly reliable satellite-borne software starting system, each three-mode starting times storage area has three-mode starting times, and the three-mode starting times of each three-mode starting times storage area are subjected to first voting to obtain a first mode voting result; and
the first mode voting result of the first non-solid storage carrier, the first mode voting result of the second non-solid storage carrier and the first mode voting result of the third non-solid storage carrier are subjected to second voting to obtain a final mode voting result;
when the satellite-borne software is started, the three-mode starting frequency module and the sequence starting module determine to perform the three-mode starting or the sequence starting according to the final mode voting result.
Optionally, in the highly reliable on-board software start-up system,
each three-mode code selection mark storage area is provided with three-mode code selection mark bits, and the three-mode code selection marks of each three-mode code selection mark storage area are subjected to first voting to obtain a first state voting result;
the first state voting result of the first non-solid storage carrier, the first state voting result of the second non-solid storage carrier and the first state voting result of the third non-solid storage carrier are subjected to second voting to obtain a final state voting result;
when the satellite-borne software is started, the three-mode starting frequency module and the sequence starting module determine to perform corresponding starting operation according to the final state voting result.
Optionally, in the high-reliability on-board software start-up system, the three-mode start-up includes:
judging whether the number of three-mode starts is greater than or equal to 2; if so, exiting; otherwise judging whether the three-mode code selection mark indicates starting from the reconstruction area code storage area;
if so, copying the code in the reconstruction area code storage area, loading it into the memory temporary storage area in three-mode, and changing the three-mode code selection mark to starting from the curing area code storage area;
otherwise, copying the code in the curing area code storage area, loading it into the memory temporary storage area in three-mode, and changing the three-mode code selection mark to starting from the curing area code storage area;
jumping to the start address and starting the boot program;
judging whether the three-mode start succeeded; if so, setting the number of three-mode starts to 0 and ending; otherwise judging whether the number of three-mode starts is greater than or equal to 2; if so, performing sequential starting, and otherwise restarting the three-mode starting.
Optionally, in the high-reliability on-board software start-up system, loading the on-board software into the memory temporary storage area in three-mode includes:
first judging, for each byte of the code in the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier, whether the byte passes the two-out-of-three check; if the check passes, copying the byte to the memory temporary storage area and proceeding to the triple-modular-redundancy copy of the next byte;
if the byte does not pass, performing a bit-by-bit two-out-of-three operation on the byte, and proceeding to the three-mode copy of the next byte once the operation on this byte is complete;
recording the addresses of bytes that do not satisfy the two-out-of-three operation.
Optionally, in the high-reliability on-board software start-up system, the sequential start-up includes:
reading a sequence starting code sequence number;
copying the image code with the corresponding sequence number to the memory temporary storage area;
setting the next starting code sequence number;
jumping to a starting address, and starting a bootstrap program;
judging whether the starting is normal, if so, recording a normal code sequence number, otherwise, repeating the steps.
Optionally, in the highly reliable on-board software start-up system,
during three-mode starting, the addresses of bytes that do not satisfy the two-out-of-three operation are recorded, and after the software has started successfully, the bytes that did not satisfy the two-out-of-three operation during loading are corrected;
during sequential starting, the sequential starting module records the sequence number of the code that started normally, and after the start the satellite-borne software image with that sequence number is used to refresh the other satellite-borne software images;
once the satellite-borne software is running normally, it starts an on-satellite task process and a code inspection process; task idle time is used to compare the stored data in the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier for consistency, and the inconsistent addresses and the number of inconsistencies are recorded; when the number of inconsistencies is greater than a threshold value, the on-board software corrects the stored data at the inconsistent addresses in a maintenance task.
The invention also provides a high-reliability satellite-borne software starting method, which comprises the following steps:
the initialization module uses a root program to initialize parameters;
the three-mode starting frequency module is used for carrying out three-mode starting on the satellite-borne software;
and when the three-mode starting fails, the sequence starting module sequentially starts the satellite-borne software.
In the high-reliability satellite-borne software starting system and method provided by the invention, the initialization module initializes parameters using the root program, the three-mode starting frequency module performs three-mode starting of the satellite-borne software, and when the three-mode starting fails the sequential starting module starts the satellite-borne software sequentially. The starting mechanism thus combines triple-modular redundancy with sequential starting, which greatly improves the starting reliability of the satellite-borne software and makes the system and method particularly suitable for complex application scenarios such as the aerospace field.
The invention optimizes the traditional triple-modular redundancy mode and the sequential starting mode, and the satellite-borne software starting mechanism can correct software errors, thereby greatly reducing the error probability of the satellite-borne software and improving its ability to cope with the complex space environment.
The invention gives the satellite-borne software a cross-starting function, which effectively handles the case where a single unit cannot start normally and hangs because a code error in one area cannot be recovered. This effectively ensures that the satellite can complete its set task.
The three non-solid storage carriers in the invention can be repeatedly erased and programmed, which increases the flexibility of satellite functions. Satellite functions can be optimized in orbit or new functions can be added according to actual conditions, improving the functional density of the satellite.
According to the method, while the software is operating normally, task idle time is used to monitor the consistency of the data stored in the three non-fixed storage carriers, and when the number of inconsistencies exceeds the threshold, a maintenance task corrects the erroneous Nor Flash data, which improves the long-term stability of satellite operation.
Drawings
FIG. 1 is a flow chart of a method for starting up highly reliable satellite-borne software according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of three non-solid storage carriers in a highly reliable on-board software start-up system according to an embodiment of the invention.
Detailed Description
The high-reliability on-board software start-up system and method provided by the invention are described in further detail below with reference to the accompanying drawings and specific embodiments. Advantages and features of the invention will become more apparent from the following description and from the claims. It should be noted that the drawings are in a very simplified form and are not drawn to precise scale; they serve only to aid in describing the embodiments of the invention conveniently and clearly.
The invention provides a high-reliability satellite-borne software starting system and method, which aim to solve the problem of low starting reliability of the existing satellite-borne software.
In order to achieve the above-mentioned idea, this embodiment provides a highly reliable start system and method for on-board software, including: an initialization module configured to initialize parameters using a root program; the three-mode starting frequency module is configured to perform three-mode starting on the satellite-borne software; and the sequential starting module is configured to sequentially start the satellite-borne software when the three-mode starting fails.
Specifically, the highly reliable satellite-borne software starting system further includes a fixed storage carrier, a first non-fixed storage carrier, a second non-fixed storage carrier and a third non-fixed storage carrier, wherein: the fixed storage carrier stores the root program so that the initialization module loads the root program onto a satellite; the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier all store state marks and satellite-borne software images; the three-mode starting frequency module and the sequential starting module decide between three-mode starting and sequential starting according to whether the number of three-mode starts is greater than or equal to 2; and the three-mode starting frequency module and the sequential starting module load the satellite-borne software image onto a satellite.
As shown in fig. 2, in the highly reliable satellite-borne software starting system, the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier all include a three-mode starting times storage area, a three-mode code selection mark storage area, a curing area code storage area and a reconstruction area code storage area; the curing area code storage area and the reconstruction area code storage area both store the code of the same satellite-borne software image; the three-mode starting frequency module and the sequential starting module decide between three-mode starting and sequential starting according to whether the number of three-mode starts is greater than or equal to 2; and the three-mode starting frequency module judges, according to the three-mode code selection mark, whether the code in the curing area code storage area or the code in the reconstruction area code storage area is loaded onto the satellite as the satellite-borne software image.
Further, in the highly reliable satellite-borne software starting system, each three-mode starting times storage area is provided with three-mode starting times, and the three-mode starting times of each three-mode starting times storage area are subjected to first voting to obtain a first mode voting result; the first mode voting result of the first non-solid storage carrier, the first mode voting result of the second non-solid storage carrier and the first mode voting result of the third non-solid storage carrier are subjected to second voting to obtain a final mode voting result; when the satellite-borne software is started, the three-mode starting frequency module and the sequence starting module determine to perform the three-mode starting or the sequence starting according to the final mode voting result.
Further, in the highly reliable satellite-borne software starting system, each three-mode code selection mark storage area is provided with three-mode code selection mark bits, and the three-mode code selection mark bits of each three-mode code selection mark storage area are subjected to first voting to obtain a first state voting result; the first state voting result of the first non-solid storage carrier, the first state voting result of the second non-solid storage carrier and the first state voting result of the third non-solid storage carrier are subjected to second voting to obtain a final state voting result; when the satellite-borne software is started, the three-mode starting frequency module and the sequence starting module determine to perform corresponding starting operation according to the final state voting result.
As shown in fig. 1, in the high-reliability on-board software start-up system, the three-mode starting includes: judging whether the number of three-mode starts is greater than or equal to 2; if so, exiting; otherwise judging whether the three-mode code selection mark indicates starting from the reconstruction area code storage area; if so, copying the code in the reconstruction area code storage area, loading it into the memory temporary storage area in three-mode, and changing the three-mode code selection mark to starting from the curing area code storage area; otherwise, copying the code in the curing area code storage area, loading it into the memory temporary storage area in three-mode, and changing the three-mode code selection mark to starting from the curing area code storage area; jumping to the start address and starting the boot program; judging whether the start is normal; if so, ending; otherwise, setting the three-mode code selection mark of the corresponding code storage area.
Specifically, in the highly reliable on-board software start-up system, loading the on-board software into the memory temporary storage area in three-mode includes: first judging, for each byte of the code in the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier, whether the byte passes the two-out-of-three check; if the check passes, copying the byte to the memory temporary storage area and proceeding to the triple-modular-redundancy copy of the next byte; if the byte does not pass, performing a bit-by-bit two-out-of-three operation on the byte, and proceeding to the three-mode copy of the next byte once the operation on this byte is complete; the addresses of bytes that do not satisfy the two-out-of-three operation are recorded.
As shown in fig. 1, in the high-reliability on-board software start-up system, the sequential starting includes: reading the sequential starting code sequence number; copying the image code with the corresponding sequence number to the memory temporary storage area; setting the next starting code sequence number; jumping to the start address and starting the boot program; judging whether the start is normal; if so, recording the normal code sequence number; otherwise, repeating the steps.
In addition, in the high-reliability satellite-borne software starting system, during three-mode starting the addresses of bytes that do not satisfy the two-out-of-three operation are recorded, and after the software has started successfully, the bytes that did not satisfy the two-out-of-three operation during loading are corrected; during sequential starting, the sequential starting module records the sequence number of the code that started normally, and after the start the satellite-borne software image with that sequence number is used to refresh the other satellite-borne software images; once the software is running normally, it starts an on-board task process and a code inspection process; task idle time is used to compare the stored data in the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier for consistency, and the inconsistent addresses and the number of inconsistencies are recorded; when the number of inconsistencies is greater than the threshold value, the satellite-borne software corrects the stored data at the inconsistent addresses in the maintenance task.
The embodiment also provides a high-reliability satellite-borne software starting method, which comprises the following steps: the initialization module uses a root program to initialize parameters; the three-mode starting frequency module is used for carrying out three-mode starting on the satellite-borne software; and when the three-mode starting fails, the sequence starting module sequentially starts the satellite-borne software.
The invention improves the starting reliability of the satellite-borne software: the starting mechanism combines the characteristics of triple-modular redundancy starting and sequential starting, and adds a cross-starting function to the software. The triple-modular redundancy starting not only performs the three-mode loading, but also records the addresses of erroneous data found during loading so that the errors can be corrected at the application layer after loading is complete. The sequential starting records the sequence number of the image that started normally, and after the software has started successfully, that image is used to overwrite and refresh the other images, to ensure the reliability of the code on the satellite. The cross-starting function ensures that the software starts from a different image each time. When a code fault in a certain area cannot be recovered during on-orbit running or ground debugging of the satellite-borne software, software without the cross-starting function would always start from the faulty image area, so it could never start normally and would hang. If this happens on an on-orbit satellite, the corresponding hardware may fail, which may cause task failure; even on the ground, the single unit has to be opened up to solve the problem, which is time-consuming and labor-intensive.
The invention provides a high-reliability satellite-borne software starting mechanism, which combines the characteristics of traditional triple-modular redundancy and sequential starting and increases the cross-starting function of software. The invention can greatly improve the starting reliability of the satellite-borne software and correct software errors. Meanwhile, the scheme of the invention adopts the space-navigation-level Nor Flash capable of being repeatedly programmed as a carrier for software storage, can erase, write and reconstruct functions for many times, can greatly improve the flexibility of the satellite, and gives the satellite higher functional density.
The invention comprises a hardware carrier and software, wherein the hardware takes PROM and 3 domestic aerospace grade Nor Flash as the carrier for software storage. The PROM is used for storing boot programs and guiding the start of satellite-borne software; the Nor Flash is used for storing a state flag and a satellite-borne software image (see FIG. 2), wherein each Nor Flash is divided into a three-mode startup time storage area, a three-mode code selection flag storage area, a curing area code storage area and a reconstruction area code storage area. The method comprises the steps that a mark storage area of each Nor Flash stores three parts of two marks (the marks are expressed by one byte) respectively, when the marks are used, the marks in each Nor Flash are firstly subjected to triple-modular redundancy reading, then triple-modular voting is carried out on three mark results read through triple-modular, a final mark is obtained, and when software is started, corresponding starting operation is carried out according to the twice triple-modular voting results. When the mirror image software is loaded, the codes of the solidifying area or the reconstruction area are selected according to the triple-mode starting mark to be loaded, and after the code loading area is determined, the codes of the corresponding area are loaded into the memory temporary storage area in a triple-mode.
The start-up flow of the satellite-borne software is shown in FIG. 1. The scheme combines triple-modular redundant start-up with sequential start-up: the image is started in triple-modular redundant mode by default, and in the extreme case where the triple-modular redundant start fails, the satellite-borne software is started sequentially. During a triple-modular start, the addresses of erroneous bytes are recorded and the erroneous bytes are corrected immediately after the software has started. During a sequential start, the sequence number of the image code that started normally is recorded, and after the code has started the correct image is used to refresh the erroneous images, so as to ensure the correctness of the image software. While the image software is running, the code inspection process periodically checks and corrects the code to ensure the reliability of the code on the satellite.
The specific scheme is as follows:
1) Power-up and start: the software runs the boot program from the PROM;
2) The boot program initializes the hardware and prepares the environment for the subsequent code loading;
3) The boot program loads the satellite-borne software code. When loading, it first judges whether the triple-modular start count is greater than or equal to 2. If not, it selects the code of the curing area or of the reconstruction area according to the triple-modular code selection flag and loads it. During the triple-modular load, each byte of the three code copies is first checked against the two-out-of-three test; if the check passes, the byte is copied to the memory temporary storage area and the triple-modular redundant copy moves on to the next byte; if the check does not pass, a bit-by-bit two-out-of-three operation is performed on the same byte of the three code copies, and the triple-modular copy moves on to the next byte once the operation on this byte is complete. When the triple-modular start count is greater than or equal to 2, the start mode is sequential start: the code copies are started one by one in their storage order until the software starts successfully;
4) After the software has started successfully, it first corrects the bytes found to be erroneous during loading, and then starts the on-board task process and the code inspection process;
5) The software then runs normally. Using task idle time, it compares the data stored in the three NOR Flash devices for consistency and records the inconsistent addresses and their number; when the number of inconsistencies in the data stored in the three NOR Flash devices is larger than the threshold value, the software corrects the erroneous data in the maintenance task.
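Steps 3 and 4 above, as an added example in C (not code from the patent): the byte-wise load with the bit-by-bit fallback, followed by the post-start repair of the logged addresses. Assumptions: plain arrays stand in for the three NOR Flash devices, the names `tmr_load`, `tmr_repair`, `err_log_t` and `MAX_ERR` are illustrative, and every address at which any copy differs from the voted byte is logged so that the repair also covers a single bad copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ERR 16                      /* assumed capacity of the address log */
typedef struct {                        /* assumed layout, not from the patent */
    size_t addr[MAX_ERR];               /* offsets where some copy was wrong */
    size_t count;
} err_log_t;

/* Step 3: triple-modular copy of one image into the RAM staging area. */
void tmr_load(uint8_t *const copy[3], uint8_t *ram, size_t len, err_log_t *log)
{
    log->count = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t a = copy[0][i], b = copy[1][i], c = copy[2][i], v;
        if (a == b || a == c) v = a;    /* byte-level two-out-of-three passes */
        else if (b == c)      v = b;
        else v = (uint8_t)((a & b) | (a & c) | (b & c));  /* bit-by-bit vote */
        ram[i] = v;
        /* Log the address for step 4; overflow is left to the step-5 patrol. */
        if ((a != v || b != v || c != v) && log->count < MAX_ERR)
            log->addr[log->count++] = i;
    }
}

/* Step 4: rewrite each logged byte in every copy that disagrees with the voted
 * value. Arrays stand in for NOR Flash, which needs an erase before rewriting. */
size_t tmr_repair(uint8_t *const copy[3], const uint8_t *ram, const err_log_t *log)
{
    size_t fixed = 0;
    for (size_t n = 0; n < log->count; n++)
        for (int k = 0; k < 3; k++)
            if (copy[k][log->addr[n]] != ram[log->addr[n]]) {
                copy[k][log->addr[n]] = ram[log->addr[n]];
                fixed++;
            }
    return fixed;                       /* number of bytes rewritten */
}

/* Constructed sample: one upset at offset 2, three different single-bit upsets
 * at offset 5. Returns 1 when the staged image and all copies end up correct. */
int tmr_demo(void)
{
    const uint8_t good[8] = {0x7F, 0x45, 0x4C, 0x46, 0x01, 0x3C, 0x00, 0xA5};
    uint8_t f[3][8], ram[8];
    uint8_t *const copy[3] = {f[0], f[1], f[2]};
    err_log_t log;
    for (int k = 0; k < 3; k++) memcpy(f[k], good, 8);
    f[1][2] ^= 0x08; f[0][5] ^= 0x01; f[1][5] ^= 0x10; f[2][5] ^= 0x80;
    tmr_load(copy, ram, 8, &log);
    if (memcmp(ram, good, 8) || log.count != 2 || tmr_repair(copy, ram, &log) != 4) return 0;
    return !memcmp(f[0], good, 8) && !memcmp(f[1], good, 8) && !memcmp(f[2], good, 8);
}

int main(void) { return tmr_demo() ? 0 : 1; }
```

The bit-by-bit vote recovers a byte only while no bit position is upset in two copies at once; beyond that the staged byte is wrong and nothing in the load itself reveals it.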
In summary, the foregoing embodiments describe in detail different configurations of the highly reliable on-board software start-up system and method. The present invention includes, but is not limited to, the configurations listed in the foregoing embodiments, and any content transformed on the basis of those configurations falls within the scope of protection of the present invention. One skilled in the art can recognize that the above embodiments are illustrative.
In the present specification, the embodiments are described in a progressive manner: each embodiment mainly describes its differences from the other embodiments, and identical or similar parts of the embodiments can be understood by referring to one another. Because the system disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively simple; for the relevant points, refer to the description of the method section.
The above description is only illustrative of the preferred embodiments of the present invention and is not intended to limit the scope of the present invention, and any alterations and modifications made by those skilled in the art based on the above disclosure shall fall within the scope of the appended claims.
Claims (5)
1. A highly reliable on-board software start-up system, comprising:
an initialization module configured to initialize parameters using a root program;
the three-mode starting frequency module is configured to perform three-mode starting on the satellite-borne software;
the sequence starting module is configured to sequentially start the satellite-borne software when the three-mode starting fails;
the system comprises a fixed storage carrier, a first non-fixed storage carrier, a second non-fixed storage carrier and a third non-fixed storage carrier, wherein the fixed storage carrier stores the root program so that the initialization module loads the root program on a satellite, the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier store state marks and satellite-borne software images, a three-mode starting time module and a sequence starting module determine to start three modes or start the sequence according to the three-mode starting time, the three-mode starting time module and the sequence starting module load the satellite-borne software images on the satellite, the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier comprise a three-mode starting time storage area, a three-mode code selection mark storage area, a curing area code storage area and a reconstruction area code storage area, the curing area code storage area and the same satellite-borne software images, the three-mode starting time module and the sequence starting module determine whether the three-mode starting time module loads the three-mode starting time codes on the satellite-mode starting time code or the satellite-image loading sequence as a three-mode starting time code storage area;
wherein the three-mode starting comprises:
judging whether the number of times of the triple-mode starting is more than or equal to 2, if yes, exiting, otherwise judging whether a triple-mode code selection mark is started from a reconstruction area code storage area;
if yes, copying codes in the code storage area of the reconstruction area, loading the codes into a temporary memory area in a three-mode, and changing a three-mode code selection mark into a mode of starting from the code storage area of the solidification area;
otherwise, copying the codes of the code storage area of the curing area, loading the codes into the temporary memory area in a triple mode, and changing a triple mode code selection mark into a mode of starting from the code storage area of the curing area;
jumping to a starting address, and starting a bootstrap program;
judging whether the starting is normal, if so, setting the three-mode starting times to 0 and ending, otherwise, judging whether the three-mode starting times is more than or equal to 2, if so, starting sequentially,
otherwise, restarting the three modes;
wherein the sequence starting comprises:
reading a sequence starting code sequence number;
copying the mirror image code of the corresponding sequence number to the memory temporary storage area;
setting the next starting code sequence number;
jumping to a starting address, and starting a bootstrap program;
judging whether the starting is normal, if so, recording a normal code sequence number, otherwise, repeating the steps.
2. The high-reliability on-board software starting system according to claim 1, wherein each three-mode starting times storage area is provided with three-mode starting times, and the three-mode starting times of each three-mode starting times storage area are subjected to first voting to obtain a first mode voting result; and
the first mode voting result of the first non-solid storage carrier, the first mode voting result of the second non-solid storage carrier and the first mode voting result of the third non-solid storage carrier are subjected to second voting to obtain a final mode voting result;
when the satellite-borne software is started, the three-mode starting frequency module and the sequence starting module determine to perform the three-mode starting or the sequence starting according to the final mode voting result.
3. The high-reliability on-board software start-up system of claim 1, wherein each of the three modulo-code selection flag storage areas has three modulo-code selection flag bits, and the three modulo-code selection flags of each of the three modulo-code selection flag storage areas vote for a first time to obtain a first state voting result;
the first state voting result of the first non-solid storage carrier, the first state voting result of the second non-solid storage carrier and the first state voting result of the third non-solid storage carrier are subjected to second voting to obtain a final state voting result;
when the satellite-borne software is started, the three-mode starting frequency module and the sequence starting module determine to perform corresponding starting operation according to the final state voting result.
4. The high-reliability on-board software start-up system of claim 1, wherein loading the codes into the memory temporary storage area in a three-mode comprises:
firstly judging whether each byte of the codes of the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier can pass the two-out-of-three test, copying the byte data to the memory temporary storage area if the test passes, and performing the triple modular redundancy copy of the next byte;
if the byte does not pass, performing a bit-by-bit two-out-of-three operation on the byte, and performing the three-mode copying of the next byte after completing the operation on the byte;
addresses of bytes that do not satisfy the two-out-of-three operation are recorded.
5. The highly reliable on-board software start-up system of claim 1,
in the process of the three-mode starting, recording the addresses of bytes which do not satisfy the two-out-of-three operation, and, after the software is started successfully, correcting the bytes which did not satisfy the two-out-of-three operation in the loading process;
when the sequence is started, the sequence starting module records the normal code sequence number, and updates the satellite-borne software mirror image by using the satellite-borne software mirror image corresponding to the normal code sequence number after the sequence is started;
the satellite-borne software starts to normally run, and starts an on-satellite task process and a code inspection process; comparing the consistency of the stored data in the first non-solid storage carrier, the second non-solid storage carrier and the third non-solid storage carrier by using the task idle time, and recording inconsistent addresses and inconsistent quantity; and when the inconsistent number is greater than a threshold value, correcting the stored data at the inconsistent address by the on-board software in a maintenance task.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010734383.0A CN111857884B (en) | 2020-07-24 | 2020-07-24 | High-reliability satellite-borne software starting system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111857884A (en) | 2020-10-30 |
CN111857884B (en) | 2023-11-14 |
Family
ID=72947473
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010734383.0A Active CN111857884B (en) | 2020-07-24 | 2020-07-24 | High-reliability satellite-borne software starting system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111857884B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113687871B (en) * | 2021-05-28 | 2024-05-03 | 西安空间无线电技术研究所 | Method and device for starting up and preventing deadlock of satellite-borne microprocessor |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB0802709D0 (en) * | 2008-02-14 | 2008-03-19 | Transitive Ltd | Multiprocessor computing system with multi-mode memory consistency protection |
CN107515800A (en) * | 2017-07-17 | 2017-12-26 | 上海卫星工程研究所 | On-board software dependability design system and method based on software redundancy |
CN110737482A (en) * | 2019-10-08 | 2020-01-31 | 浙江大学 | On-line two-out-of-three starting device and method for satellite star service system |
Non-Patent Citations (1)
Title |
---|
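Hardening design of a heterogeneous redundant on-board computer based on COTS devices; Wang Debo; Electronic Measurement Technology; Vol. 43 (No. 10); 1-6 * |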
Also Published As
Publication number | Publication date |
---|---|
CN111857884A (en) | 2020-10-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108446189B (en) | Satellite-borne embedded software fault-tolerant starting system and method | |
CN107391189B (en) | On-orbit programming method of satellite-borne software | |
US8527730B2 (en) | Data updating method, memory system and memory device | |
US5913219A (en) | Database recovery apparatus and method of using dual plane nonvolatile memory | |
DE102008003944B4 (en) | Memory system and programming method for a memory system | |
US8914702B2 (en) | Bit error repair method and information processing apparatus | |
CN111176890B (en) | Satellite-borne software data storage and anomaly recovery method | |
CN107220097B (en) | On-orbit programming and overloading method for large-scale complex structure software | |
US20010049799A1 (en) | Disk array device including a memory with backup power supply and method thereof | |
RU2248627C2 (en) | Method and device for changing content of memory devices of control blocks | |
CN111857884B (en) | High-reliability satellite-borne software starting system and method | |
CN112332902B (en) | On-orbit reconstruction system and method for on-satellite autonomous control | |
CN110674046B (en) | Method for improving reliability of satellite-borne embedded file system | |
CN106980557B (en) | Storage partition-based satellite-borne software heterogeneous backup method | |
US10831601B2 (en) | Reconstruction hard disk array and reconstruction method for to-be-reconstructed hard disks therein including comparing backup data with an access timestamp of first, second and third hard disks | |
CN113961151B (en) | Storage method and device of fault log, electronic equipment and storage medium | |
CN113849456A (en) | Spaceborne FPGA reconstruction method | |
CN111158660B (en) | Multi-mode on-orbit programming method for on-board software EEPROM (electrically erasable programmable read-Only memory) | |
CN112099833B (en) | Remote updating method for firmware of spaceborne computer | |
CN208351451U (en) | A kind of fault-tolerant activation system of spaceborne embedded software | |
CN112506527A (en) | On-track reconstruction breakpoint continuous transmission implementation method based on antifuse Field Programmable Gate Array (FPGA) | |
US10866867B2 (en) | Method of error correction in a flash memory | |
CN114924808B (en) | SRAM type FPGA on-orbit reliable loading method based on double storage programs | |
CN113377005B (en) | Air management and control method, system and storage medium for redundancy airplane management computer software | |
CN115565598B (en) | Data storage and repair method and system for temporary failure of RAID array disk |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||