RU2449352C1 - Method creating four-channel fail-safe system for on-board high-fault tolerance and energy efficient control complex and use thereof in space applications - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: method is realised based on equipment for widening the range of peripheral devices and introducing multibus interaction of a system kernel with blocks of automatic power equipment and peripheral devices.

EFFECT: considerably broader functional capabilities, high fault tolerance, energy efficiency and resource saving.

6 cl, 2 dwg

Description

The invention relates to computer technology and can be used to build highly reliable fault-tolerant integrated onboard control systems in space, aviation, nuclear, chemical, energy and other industries that require high reliability of the computer complex for a long time interval of about 10 years, without physical maintenance, while maintaining stability to the action of ionization and radiation, malfunctions and equipment failures.

A known method and computer system for fault-tolerant processing of information of critical functions of aircraft, based on fourfold hardware redundancy and majorization of signals in the paths of the implementation of critical functions of complexes of airborne equipment in order to increase the reliability and reliability of processing [1]. If there is an ambiguity in the majority comparison in different paths, it is eliminated by a majority comparison of the results of comparing the signals of the individual synchronized results of the test control of each of the blocks of the information path. In the known method, the duty cycle is divided into two stages. At the first stage, according to the results of the analysis of the state of a multi-tier computing system, a "working" circuit is selected that contains only serviceable components of each tier. At the second stage, calculations are performed on this "working" circuit.

The disadvantage of this method is the complexity of the real-time synchronization algorithm of the test control results obtained in various paths, as well as a decrease in the overall system reliability due to a four-fold increase in the total component failure rate due to the continuous parallel operation of all four system paths and increased resource consumption. Even failed components remain powered. This approach leads to increased energy consumption, which may be acceptable for aircraft with short operating periods, but not acceptable for spacecraft.

Known three-channel redundant control system [2], designed to build highly reliable computing control systems. The known system implements receiving information from subscribers, processing information and issuing it to subscribers. These tasks are solved by hardware majorization of signals in a three-channel redundant control system. The problem of majorizing bidirectional signals in highways was also solved. With the introduction of controlled operation (by periods of clock frequency and along the edges of the control signal), the mismatch of the input and output signals is used to diagnose system failures.

The disadvantages of the known control system is the impossibility of reconfiguring the system in the event of failures, which reduces the value of the diagnostic procedures, the ability to generally parry only one failure, and increased power consumption due to the parallel operation of the three channels of the redundant control system. The latter leads to a decrease in reliability due to the total increase in the failure rate of the system. Another common drawback of systems with hardware majorization of diversity signals is the difficulty of reliable synchronization at frequencies above 30 MHz. In addition, the tight connection between the microprocessor used and the associated synchronization system makes it difficult to switch to another component base and scale the system.

Closest to the proposed invention is a three-channel control system [3]. In the prototype, the control system consists of three identical channels, each of which contains a computing unit - a computer or microcontroller, an input-output unit, the main and backup transceivers of the serial interface connected to the computing unit and the input-output unit and intended for the organization of interprocessor exchange between the channels of the system, the main and the backup trunk, connected to the corresponding input-output blocks of the three channels. Each channel computer has two synchronization outputs to adjacent channels and two synchronization inputs from adjacent channels, as well as two information inputs about the health of adjacent channels and two information outputs about the health of this computer for distribution to adjacent channels. Each computer through the matching unit and the input / output controller goes to the external bus to issue control signals to external devices and issue an information signal about its health. If one channel fails, the failed channel is blocked and does not give anything out (for external consumers), and control information from two serviceable channels goes to external consumers, where it is restored by software or hardware majorization. The presence of channel health signals allows you to work on one remaining channel when the other two fail.

The bottleneck of the prototype is the development by each channel of a signal of its own good condition. The mechanisms to achieve a high level of reliability of the signal of their own health, the prototype is not disclosed. At the same time, it is known that this problem represents one of the great difficulties in the theory and practice of technical diagnostics. The low reliability of the self-service signal does not allow to achieve high reliability of real-time control systems, which are also designed for long-term operation (about 10 years) without maintenance.

The disadvantage of the prototype is the lack of mechanisms for working with multi-channel (in particular, 4-channel) and multi-bus systems that provide longer operation without maintenance and require more complex mechanisms for distributing computing, local control, executive and peripheral devices on buses, as well as assessing the current state reconfiguration and recovery of calculations and control than those available in the prototype.

Another disadvantage of the prototype common to most 3-channel majorized structures is the increased power consumption and resource consumption due to the continuous parallel operation of the three channels of the control system. The latter also leads to a decrease in reliability due to the total increase in the failure rate of a system operating in a similar mode.

The technical result of the proposed method and system for its implementation is a significant expansion of functionality due to the expansion of the range of peripheral devices and the introduction of multi-bus organization of the interaction of the computing core of the system (BCVS) with power automation units and peripheral devices, increasing the survivability of the system, energy efficiency and resource conservation.

In the proposed system, the number of channels is increased to 4 and numerous methods and mechanisms for assessing the health of the system channels are introduced, which made it possible to increase fault tolerance by countering failure situations, reconfiguring when faults occur, optimizing power consumption and saving the resource, depending on operating modes and choosing the current one system configuration, thereby increasing the overall reliability and survivability of the system.

The specified technical result is achieved due to the fact that in the known method of forming a fault-tolerant system of the on-board control complex (BCC) of increased survivability and efficient energy consumption, which consists in 3-fold redundancy of control channels, the fourth control channel is additionally formed, each channel includes a computational and executive systems, establish the main mode of operation such a configuration of the computing core, in which they operate one channel of the computing core in "grief than "active mode, that is, in the controller mode of the active channel, the second channel in the" hot "passive mode, that is, in the monitor mode of the active channel, and in the other two channels set the" cold "reserve mode, accept that for the operating system everything channels are identical, differing only in physical numbers, and any channel can be assigned one of a set of logical names (identifiers) generated by the operating system during operation, while due to the symmetry of the channels using the operating system, Iodically rotate the channels and thereby reduce the dose of accumulated radiation and contribute to its partial resorption in the off mode, and with a long period of operation, in the process of degradation of the on-board control system due to successive failures of two channels, they continue to operate one channel in the “hot” active mode and the second channel - in the "hot" passive mode, identify a possible third failure of one of the two channels that remained operational, and carry out operation of the onboard control complex until complete exhaustion of the function of the resource, i.e. up to a single channel. The channels of the interprocessor exchange of diagnostic information in the computing core and in the executive core are reserved using a serial multiplex information exchange channel by setting the combined mode of operation of the channels of these computing cores - "Terminal Device - Monitor" (except for the Controller channel), and the computing core in each of the four of channels contains two identical banks of reprogrammable read-only memory with hardware ability to reprogram one ban from the Earth against the background of regular work with another bank and the launch of the system and its operation from any bank of reprogrammable read-only memory device with subsequent equalization of the contents of banks. The initial configuration of the multi-channel computing core is selected, including in the presence of hardware failures of individual duplicated parts of the computing core. The BKU operating system is configured to cancel some prohibitions when trying to enter the computing core channel into active mode with negative test results, which improves the system survivability in the event of complex malfunctions caused, for example, by multiple failures, and the on-board software is organized in such a way that allows you to configure the cyclogram of the computing core from the Earth, enter the correction of on-board software using software inserts without affecting I am a permanent storage device of the system, and download the software from the ground test and start-up complex (NPPK) using the multiplexed information exchange channel. They use multifactor control of information exchanges over multiplex and interprocessor channels with the formation of a 16-bit integral sign - the words of exchange completion, which allows to identify the current state of the system in detail, monitor the computing process using end-to-end counters with a failure point and control according to the criterion of passing through all buses information exchange.

The specified technical result is also achieved due to the fact that in the known system of the on-board control complex (BKU) containing the on-board digital computer system (BTsVS), an additional control and control unit consisting of a computer system and executive boards, five control units, a solar unit position sensors, astro-sensor block, flywheel control engine complex, gyroscopic angular velocity vector meter, internal multiplex serial data bus interchange, external to the CCU system, a multiplex serial data bus, an internal parallel bus between the control and control unit and control units, interfaces to the target equipment unit, which includes an on-board data acquisition system and an on-board radio complex, to pyrotechnic devices and to related systems - to the on-board equipment of the command-measuring system and to the telemetry system, to the thermal regime support system, the first and second control systems directional antennas, to power supply systems, orientation of solar panels, a mechanical solar control device and to an electrification control system, with the possibility of exchanging between devices and related systems via internal and external serial data bus and an internal parallel bus exchange between the control and monitoring unit and the units control, at the same time, the inputs and outputs of the astro sensors block, the complex of engine controllers, are functionally connected to the internal information bus flywheel, the first inputs and outputs of the BCBC and the control and monitoring unit, the interfaces to the first inputs and outputs of the first and second control systems for highly directional antennas, the target equipment unit and the telemetry system, the input of the astro sensors block, the inputs and outputs of the gyroscopic meter of the angular velocity vector and block solar position sensors are interconnected and connected to the output of one-time commands of the control and monitoring unit, and the internal information bus of the parallel interface is connected to the second input-output of the unit board and control and is functionally connected with the first inputs and outputs of the control units, the external information bus is functionally connected with the second inputs and outputs of the on-board digital computer system and the first inputs and outputs of the on-board equipment of the command and measurement system, and on-board equipment on the external multiplex serial data exchange bus command-measuring system acts as a controller, and the BCVS as a terminal device (OS). The second input of the control and monitoring unit is functionally connected to the on-board equipment of the command-measuring system, the second output of the control and monitoring unit is connected to the second inputs of the control units, and its third output is functionally connected to the second input of the on-board equipment of the command-measuring system, the output of the first control unit is connected with the input of the thermal management system and with the first input of the propulsion system, pyrotechnic devices are connected to the second output of the second control unit, the third output of the control unit is functionally connected to the propulsion system through its second input, the output of the fourth control unit is connected to the input of the electrification control system, with an antenna-feeder system and the target equipment unit, the output of the fifth control unit is functionally connected to the solar cell orientation system and the mechanical solar control device batteries and with the input of the power supply system, the second inputs of the first and second control systems of highly directional antennas are functionally connected to the antenna feeder with system and with the input of the telemetry system, and the second input of the antenna-feeder system is connected to the output of the on-board equipment of the command-measuring system.

Figure 1 presents the structural diagram of the system of the onboard control complex, where the dotted line shows the devices and service systems that are not part of the BCU; figure 2 - configuration of the computing system of the control unit and control.

The method of forming a 4-channel fault-tolerant system of the onboard control system of increased survivability and efficient energy consumption is as follows.

In the proposed system of the onboard control complex (BKU), a control method is adopted in which a strategy is formed that has the following properties:

1. The main mode of operation of the 4-channel system is the configuration of the computing core "1 + 1", which means that one channel of the computing core operates in the "hot" active mode (controller), the second channel operates in the "hot" passive mode, i.e. . in monitor mode of the active channel. The monitor executes the same program fragment as the controller, but does not return its result to the interface. This result is transmitted to the controller via the interprocessor switching network for mutual comparison. The other two channels are in the cold reserve mode. The main mode of operation, due to the comparison of the two channels, has the reliability of detecting a possible failure of one of the channels of the "hot" mode, which is practically equal to 1, while at the same time it is 30% more economical in energy consumption than in the prototype.

2. For the operating system, all channels ("faces") are identical, differing only in physical numbers. Any channel can be assigned one of the set of logical names (identifiers) generated by the operating system during operation. So, a working controller on the internal multiplex serial data bus receives a hexadecimal value of 9 (1001), the master terminal device (DU) on the external bus also has identifier 9. The identifiers on the internal bus and passive op-amp on the external bus are assigned 6. Good faces of cold identifiers 2 receive the reserve. If one of the faces was faulty, it turns off and it is assigned the status of “first failure” (identifier 1), and of a failed one three times - “faulty” with identifier m 0. In the BUK, the priority face is assigned the status of “Leading Shelter” (7), the next highest face is assigned the status of “Passive Shelter” (4), and the least priority face or a failed face is assigned the same codes as in the BCVS .

3. On the short critical sections of the working sequence diagram (start, launch into orbit, separation of separable parts, and some other tasks), three channels of the system work in the mode of software majorization of the processed information (squibs in the mode of hardware majorization). The fourth channel (if it is in good condition) is in the “cold” reserve, i.e. off, but in the system configuration table it is listed as operational.

4. Due to the symmetry of the channels, the operating system periodically rotates the channels in order to reduce the dose of accumulated radiation and partially absorb it in the off mode.

5. The computing core of each channel contains two identical banks of reprogrammable read-only memory devices (RPSUs) with the hardware ability to reprogram one RPSU bank from Earth against the background of regular operation with another bank and starting the system and its operation from any RPSU bank with checking the correctness of the newly entered task and gradual alignment of the contents of both banks.

6. The channel of interprocessor information exchange in the computing core is reserved using a serial multiplex information exchange channel in accordance with GOST R 52070-2003 by setting the combined operation mode of the computing core channels - “Terminal Device-Monitor” (OU-M) (except for the Controller channel).

7. The choice of the initial configuration of a multi-channel computing core, including in the presence of hardware failures of individual (duplicated) parts of the computing core.

8. The operating system can be configured to cancel some prohibitions when trying to enter the channel of the computing core into active mode with negative test results. This feature allows you to improve the survivability of the system in the event of complex disruptions caused by, for example, multiple failures.

9. Autonomous testing is carried out and subsequent input into the synchronism of the channel of the computing core from the cold reserve.

10. The algorithm for autonomous testing of random access memory (RAM) is used as a background task with determining the location of failure of RAM cells.

11. The computing process is controlled using end-to-end counters with the determination of the point of failure and by the criterion of passing the exchange on all information buses.

12. Multifactor control of information exchanges via multiplex and interprocessor channels is carried out with the formation of a 16-bit integral feature - the words of the completion of the exchange.

13. The on-board software is organized in such a way that it allows you to configure the cyclogram of the work of the computing core from the Earth, enter the correction of the on-board software using software inserts without affecting the system’s permanent storage device, and download the software from the ground-based test-launch complex (NPPT) with using the multiplex channel.

14. During a long period of operation, in the process of degradation of the system due to successive failures - two channels, the system continues to operate in the "1 + 1" mode, which guarantees reliable detection of a third failure of one of the two channels that remained operational that could occur. To identify a failed channel, control methods have been developed that allow the identification of a failed channel with a reliability close to 1. These methods are given in the next section. Thanks to this, the system is able to function until the functional resource is completely exhausted, i.e. down to a single channel, which increases its survivability.

It might seem that greater reliability and survivability could be achieved by increasing the number of system channels over the selected four. But increasing the redundancy ratio has always been a product of a compromise between the desire to increase the degree of fault tolerance and obtaining acceptable weight and size and energy characteristics. Each additional channel increases both weight and size characteristics and energy consumption. In addition, theoretical calculations show that for highly reliable systems with long lifetimes, an increase in the redundancy ratio of more than 4–5 does not make sense, since the so-called latent (hidden, i.e. difficult to detect) malfunctions begin to have a major impact on the overall reliability of the system. identified by working test procedures. The greatest danger is represented by such hidden failures in the mechanisms of error control, reconfiguration, and system recovery. Since 100% detection of all potential faults is virtually eliminated, latent failures have a small but non-zero probability of existence. Over long periods of existence, they discount the excessive depth of the reserve. For these reasons, the proposed invention selected 4-fold reservation.

The system of the on-board control complex (BKU) contains an on-board digital computer system 1 (BTsVS), a control and control unit 2 (BUK), consisting of a computer system 3 (BC) and executive boards 4 (IP), five control units 5 (1BU), 6 (2BU), 7 (ZBU), 8 (4BU) and 9 (5BU), block of solar position sensors 10 (SDP), block of astro sensors 11 (HELL), a set of 4 control flywheel engines 12 (KUDM), gyroscopic angular velocity vector meter 13 (GIVUS), pyrotechnic devices 14 (PT), internal multiplex serial information bus data exchange 15 (MKIO-1), external multiplex bus for serial information exchange 16 (MKIO-2) external to the BCU, internal parallel exchange bus 17 between the BUK 2 and control units BU 5-9, interfaces to the target equipment block 18 (CA ), which includes the on-board data acquisition system 19 (BSSD) and the on-board radio complex 20 (BRTK), and to the service systems - the on-board equipment of the command-measuring system 21 (BAKIS), the telemetry system 22 (TMS), the thermal management system 23 (SOTR), the first 24 (1СУ ОНА) and the second 25 (2СУ О NA) control systems for highly directional antennas, power supply system 26 (SES), solar cell orientation system 27 (SOSB), mechanical solar battery control device 28 (MUBS), and electrification control system 29 (SEC).

The exchange between devices and related systems is carried out on the buses MKIO-1, MKIO-2 and the internal parallel bus exchange 17 between the BUK 2 and the control units BU 5-9.

Appointment BKU

The above composition of the spacecraft is designed to solve the problems of controlling a spacecraft (SC), the main of which is to provide the required operating conditions for onboard target equipment.

The tasks of the BKU include:

- management of the functioning of related systems, devices and components of the spacecraft;

- control of the motion of the center of mass and the angular motion of the spacecraft. As the executive bodies for controlling the motion of the center of mass and the angular motion, the spacecraft BKU uses correction engines, stabilization engines and flywheel control engines (outside the orbit correction sections);

- building and maintaining a constant solar orientation;

- inertial orientation - triaxial stabilization of the spacecraft relative to a given program position according to the information of the gyroscopic angular velocity vector meter (GIVUS) with astro correction of the GIVUS drifts according to the measurements of astro sensors;

- issuing a corrective pulse;

- "spin" for passive gyroscopic stabilization of the spacecraft. In addition to controlling the dynamics of the spacecraft, BKU in terms of interaction with adjacent systems and managing their work implements:

- the issuance of relay control commands (RKU), including the supply / removal of electrical supply voltage (including with a change in polarity);

- issuing digital control commands;

- issuing arrays of digital information;

- monitoring and diagnostics of individual service systems;

- the formation of the onboard time scale (BSA) with an error of ± 10 ^-6 s / s during the entire period of active spacecraft existence in orbit.

The connections between the BKU subsystems are implemented as follows.

Functionally connected with the internal information bus 15 (MKIO-1):

- inputs and outputs of the astro sensors block 11, the complex of control engines-flywheels 12, the first inputs and outputs of the on-board digital computer system 1 and the control and switching unit 2, the first inputs and outputs of the first 24 and second 25 control systems of highly directional antennas, the target equipment block 18 and telemetry system 22 (TMS);

- the input of the block of astro sensors 11, the inputs and outputs of the gyroscopic meter of the angular velocity vector 13 and the block of solar position sensors 10 are interconnected and connected to the output of one-time commands (RC) of the control and monitoring unit 2.

The internal information bus 17 of the parallel interface is connected to the second input-output of the control and monitoring unit 2 and is functionally connected to the first inputs and outputs of the control units 5, 6, 7, 8, and 9. These control units provide communication and control of adjacent systems, units, and actuators spacecraft organs under the control of the control and monitoring unit 2. The control and control unit 2 provides information exchange with the BCVS 1, with the executive bodies and sensors of the spacecraft by converting machine-format information into analog video e, suitable for control of executive bodies and reverse conversion of analog signals of executive bodies and sensors into machine code.

External information bus 16 (MKIO-2) is functionally connected:

- with the second inputs and outputs of the on-board digital computer system 1 (BTSC) and the first inputs and outputs of the on-board equipment of the command-measuring system 21 (BAKIS). On bus 16 MKIO-2 BAKIS 21 acts as a controller, and the BCVS 1 as a terminal device (OU);

- the second input of the control and monitoring unit 2 is functionally connected to the on-board equipment of the command-measuring system 21, and the second output of the control and monitoring unit 2 is connected to the second inputs of the control units 5, 6, 7, 8, and 9. The third output of the unit 2 is functionally connected to the second input of the onboard equipment command-measuring system 21;

- the output of the first control unit 5 (1BU) is connected to the input of the thermal system 23 and to the first input of the propulsion system 30 (DU);

- pyrotechnic devices 14 are connected to the second output of the second control unit 6 (2BU);

- the output of the third control unit 7 (3BU) is functionally connected to the propulsion system 30 through its second input;

- the output of the fourth control unit 8 (4BU), for transmitting relay control commands (RCUs), is connected to the input of the electrification control system 29, with the antenna-feeder system 31 (AFS) and the target equipment unit 18;

- the output of the fifth control unit 9 (5BU) is functionally connected with the orientation system of the solar panels 27 and the mechanical control device for the solar panels 28 and with the input of the power supply system 26;

- the second inputs of the first 24 and second 25 control systems of highly directional antennas are functionally connected to the antenna-feeder system 31 and to the input of the telemetry system 22;

- the second input of the antenna-feeder system 31 is connected to the output of the on-board equipment of the command-measuring system 21.

The composition and purpose of the target equipment 18 (CA) and service systems is given below.

The target equipment 18 provides the implementation of the basic scientific and applied tasks planned for a particular spacecraft. In particular, on many spacecraft, the target equipment 18 has an on-board radio complex 20 (BRTK) and an on-board data acquisition system 19 (BSSD). For example, in spacecraft of the Electro-L type, BRTK 20 and BSSD 19, multispectral images and data on the heliophysical situation at the spacecraft’s orbit are processed and transmitted, as well as telecommunication functions are performed. The complex of service systems includes on-board equipment of the command and measuring system 21 (BAKIS), telemetry system 22 (TMS), power supply system 26 (SES), propulsion system 30 (DU), solar system orientation system 27 (SOSB), mechanical control device solar batteries 28 (MUBS), thermal management system 23 (SOTR), pyrotechnic devices 14 (PT), electrification control system 29 (SKE), highly directional antenna control systems 24 and 25 (1СУ ОНА, 2СУ ОНА) designed to provide functional payload and the spacecraft as a whole in accordance with the requirements.

Functional relationships of the complex of target equipment 18 and the complex of service systems with buses 15 (MKIO-1) and 16 (MKIO-2) and the control and monitoring unit 2 (BUK) are shown in Fig. 1.

The computing core of the BKU is the On-Board Digital Computing System 1 (BTSVS), which ensures the performance of computational processes in the framework of the tasks solved by the BKU KA. BTsVS 1 hardware include:

- processors;

- memory and memory controllers;

- input-output ports;

- Interfaces to information exchange channels: MKIO-1 15, MKIO-2 16, and the internal serial interface between the four channels ("faces") of the BCVS 1;

- power supplies.

The BCVS 1 software is intended for solving flight problems, as well as for controlling and diagnosing adjacent systems.

A component of BTsVS 1 are multiplexed information exchange channels, which are understood as a combination of software (drivers), hardware (controllers) and data transmission lines that carry out information exchange of digital codes, regulated by standards and protocols, and which are bidirectional, half-duplex wired digital lines with a plurality of transmitters and receivers connected to the information transmission line, with centralized control of the data flow carried out to controller.

Structurally, the BCVS 1 is a four-channel (“tetrahedral”) redundant computing system composed of four functionally independent channels (“faces”). With full serviceability of the channels, one or two of them, depending on the tasks currently being solved, are in cold reserve. This means that, when fully operational, the BCVS 1 has the configuration (1 + 1.2), which is understood as 1 channel active (controller), another channel in the hot reserve passive (monitor), performing the same program fragments as the controller, and two channels - in a cold reserve; or has a configuration (1 + 1 + 1, 1), which is understood as 1 channel active (controller), two more channels passive in the hot standby (monitors) and one channel in the cold standby.

The algorithm for determining a serviceable channel is based on an assessment of the reliability of its calculations, confirmed by the identity of the output information on another channel (monitor). Due to this, the high reliability of the calculations, almost close to 1, is preserved in the presence of two serviceable channels, i.e. even if the other two channels have already failed. In this case, the main difficulty arises when diagnosing - which channel failed in case of a discrepancy in the calculations? To solve this problem, each channel of the BCVS 1 contains built-in hardware and software control. Their action makes it possible to identify a failed channel and take it out of operation, leaving the last working channel in the system. To this end, a method of multifactor control of information exchanges over a multiplex (MKIO) and interprocessor (MPO) channel with the formation of a 16-bit integral feature - the word complete exchange (SZO) was used. SZO includes checking the parity bits during the transmission of information, checking the number of successfully completed exchanges, messages from the highway drivers about deviations. A method of controlling the computational process using end-to-end counters with determining the point of failure and monitoring by the criterion of passing the exchange on all buses of the information exchange is applied. If all these efforts do not make it possible to unambiguously identify one of the two failed channels, then, on command from the Earth, the system can be turned off and then turned on, during which the channels of the BCVS 1 pass an intensive test test, as at the first turn-on, which allows determining the failed channel.

The control units 5, 6, 7, 8 and 9 (1BU ÷ 5BU) are intended for the organization of interaction between the digital computer system 3 (BC BUK) and the executive bodies and sensors of the onboard control system. It can be either simple sensors (contact, thermistor), simple actuators (squib, heater, valve), or electronic units that require direct control commands. In the simplest case, these are the power management commands of the electronic unit.

The control and monitoring unit 2 (BUK) provides the exchange of information with the BCVS 1, with the executive bodies and sensors of the spacecraft by converting machine-format information into an analog form suitable for controlling executive bodies and the reverse conversion of analog signals from executive bodies and sensors to a machine code.

On the structural diagram of the BKU (figure 1) reflects the types of communication taking into account the reservation of devices and blocks BKU. Reservation implemented:

a) for BTsVS 1 - four faces of synchronously (at the beginning of each clock cycle) working computers with interprocessor exchange in various configurations determined by the software depending on the serviceability of the channels: (1 + 1 + 1, 1), (1 + 1 + 1, 0), (1 + 1, 1, 1), (1 + 1, 1, 0), (1 + 1, 0, 0), (1, 1, 0, 0), (1, 0, 0, 0). Here "1" means a working channel in the "Controller" mode, or in the "cold reserve", "+1" means a working channel in the "Monitor" mode, "0" means a faulty channel;

b) for astro sensor 11 - three monoblocks mounted on a common instrument base with spaced axes of sight. The BCVS 1 controls the selection of the circuit and the number of simultaneously activated astro sensors. The terminal device (hereinafter referred to as the OA) of each astro sensor has its own logical address;

c) for a gyroscopic measuring instrument of angular velocity vector 13 — the instrument incorporates four gyroblocks whose sensitivity axes are oriented along the generatrices of the rotation cone around the instrument axis OXp with a half-angle of 54 ° 44′08 ′ ′. Each gyroblock in combination with a temperature control system, a secondary power source and an electronic part is combined into a measuring channel with its own independent output. The initial configuration is selected from 4 possible basic “triples”, in case of failure of one gyro block, the only “troika” remains without reservation;

d) for a set of control engines-flywheels 12 (KUDM blocks) - four, but the failure of only one block can be countered by software.

e) solar position sensors 10 - duplicated;

f) power automation units (executive boards 4) are 3 times redundant, controlled by the majority principle, having duplicated buses as a source of information.

Inside the computing system 3 of the control unit 2 (BUC) (FIG. 2), all faces are exchanged among themselves according to the “each with each” type.

In Fig.2: 1, 2, 3, 4 - the edges of the BUK 2 of the BUK calculator; A - active state of the channel, Z - passive state of the channel, K, L, M - serial communication channels with executive boards 4 (3 faces), working with external subsystems.

The BUK equipment interacts with the duplicated communication line of the MKIO-1 channel in the BCU. Messages from the BCVS are received by all included faces of the BUK. The response of the BCVS is transmitted only by one (for example, the first) face of the BUK. The remaining faces of the beech work in monitor mode. If by means of the monitoring and diagnostic system a malfunction of the leading face is detected, its transmitter is blocked, and the terminal device functions are transferred to the next in the order of the beech edge. The output information of the BUK computer system is (mainly) a set of one-time commands (RC), which from the point of view of the machine format is an ordered array of bits.

The external channel of the BUK is autonomous, main in accordance with GOST R 52070-2003. The basis of the BUK are typical electronic boards arranged in a section according to functional features. The section is a technological assembly designed to optimize the internal communications and devices of the ACU with external subscribers of the ACU, which leads to a decrease in overall mass characteristics.

The exchange channel according to GOST R 52070-2003 is implemented on the basis of the NHi-1582ETGW chip (main and backup lines) operating in the terminal device or monitor mode.

Inter-processor communication channel - based on the serial port integrated into the chip, used in synchronous mode for delivery, and a separate channel for reception, the exchange speed is 2.5 Mbps.

The intra-block serial communication channel with devices operating on executive bodies and devices for receiving information from external subsystems is made three-channel with reconfiguration capabilities. The synchronization of the work of the BEC computer system and the BCVS is carried out by a command received from the BCVC in the 4 format (synchronization) at the beginning of each cycle.

The exchange of information between the processor and the output devices is "channel to channel". Majorization of output information is performed on the output switching keys. Majorization of input information is done programmatically.

All signals are sent to the line through TTL inverters with an open collector at the output. All lines are suitable for each of the actuators. The outputs of the response data must initially be in the Z-state.

A byte exchange channel is formed from a serial synchronous channel BUK, on which ligation is performed between 4 faces of the BUK computer system and 3 faces of executive boards (K, L, M), Fig.2.

For switching circuits, n-channel transistor switches are used on MOS field-effect transistors. The output switches for communication of the ACU with the executive bodies of the ACU and related systems have three channels. The switches organized recovery of information on a majority basis.

Thus, the hardware composition of the control and monitoring unit (BCC), multi-bus architecture, and configuration management and system recovery in accordance with the strategy that implements through the software 14 of the above system properties allow reaching ultimate survivability with respect to failures of the BCVS, BEC computing system and executive boards BUK, i.e. work down to the last facet in each of these subsystems, by controlling the cyclic replacement of the reserve, provide the best opportunities for the absorption of low-energy ionization of electronic equipment, reduce overall energy consumption and save a resource.

Information sources

1. RF patent 2413975, G06F 11/00, publ. 03/10/2011.

2. RF patent 2387000, G06F 11/16, publ. 04/20/2010.

3. RF patent 2333529, G06F 15/16, publ. 09/10/2008.

Claims (6)

1. The method of forming a 4-channel fault-tolerant system of the onboard control system for increased survivability and efficient energy consumption, which consists in 3-fold redundancy of control channels, characterized in that they form the 4th control channel, each channel includes a computing and executive systems, set the main mode of operation such a configuration of the computational core, in which one channel of the computational core is operated in the "hot" active mode, that is, in the active controller mode channel, the second channel - in the "hot" passive mode, that is, in the active channel monitor mode, and in the other two channels set the "cold" reserve mode, accept that for the operating system all channels are identical, differing only in physical numbers, and to any channel one of the set of logical names (identifiers) generated by the operating system during operation can be assigned, while due to the symmetry of the channels using the operating system, the channels are periodically rotated and thereby reduce t doses of accumulated radiation and contribute to its partial resorption in the off mode, and with a long period of operation, in the process of degradation of the on-board control system system due to successive failures of two channels, one channel continues to operate in the “hot” active mode and the second channel "Hot" passive mode, identify a possible third failure of one of the two channels that remained operational, and carry out the functioning of the system of the onboard control system for about the complete exhaustion of a functional resource, that is, up to a single channel. 2. The method according to claim 1, characterized in that the channels of interprocessor exchange of diagnostic information in the computing core and in the executive core are reserved using a serial multiplex information exchange channel by setting the combined mode of operation of the channels of these computing cores - "Terminal Device - Monitor" (for exception of the Controller channel), and the computational core in each of the four channels contains two identical banks of reprogrammable read-only memory with hardware programming from the ground of a bank on a background of staff working with another bank, and run the system and its operation of any bank reprogrammiruemogo permanent memory, followed by alignment of the contents of banks. 3. The method according to claim 1, characterized in that the initial configuration of the multi-channel computing core is selected, including in the presence of hardware failures of individual duplicated parts of the computing core. 4. The method according to claim 1, characterized in that the operating system of the on-board control complex is configured to cancel some prohibitions when trying to enter the channel of the computing core into active mode with negative test results, and the on-board software is organized in such a way that allows you to configure the operation sequence computing core from the Earth, enter on-board software correction using software inserts without affecting the system’s read-only memory, and load rogrammnoe provision of ground verification-starting complex using multiplex traffic channel. 5. The method according to claim 1, characterized in that multifactor control of information exchanges over multiplex and interprocessor channels is used with the formation of a 16-bit integral feature - the word completion of the exchange, which allows to identify the current state of the system in detail, monitor the computing process using end-to-end counters with determination of the point of failure and control by the criterion of passing the exchange on all buses of information exchange. 6. 4-channel fault-tolerant system of the onboard control system for increased survivability and efficient energy consumption, comprising an onboard digital computer system, characterized in that the control system comprises a control and monitoring unit consisting of a computer system and executive boards, five control units, a solar position sensor unit , astro sensors block, flywheel control engine complex, gyroscopic angular velocity vector meter, internal serial multiplexer bus information exchange external to the on-board control system system; multiplex serial data exchange bus, internal parallel exchange bus between the control and monitoring unit and control units, interfaces to the target equipment unit, which includes an on-board data acquisition system and on-board radio complex, pyrotechnic devices and related systems - to the on-board equipment of the command-measuring system, to the telemetry system, to the heat supply system about the regime, the first and second control systems for highly directional antennas, to power supply systems, orientation of solar panels, a mechanical solar control device and to an electrification control system, with the possibility of exchanging between devices and related systems via internal and external serial data bus and internal parallel bus exchange between the control and monitoring unit and control units, while the inputs / outputs b are functionally connected to the internal information bus eye of astro sensors, a set of control engines-flywheels, the first inputs and outputs of the on-board digital computer system and control and monitoring unit, interfaces to the first inputs and outputs of the first and second control systems of highly directional antennas, the target equipment unit and the telemetry system, the input of the astro sensors unit, the inputs are the outputs of the gyroscopic meter of the angular velocity vector and the solar position sensor unit are interconnected and connected to the output of one-time commands of the control and monitoring unit, and the internal the formation bus of the parallel interface is connected to the second input-output of the control and monitoring unit and is functionally connected to the first inputs and outputs of the control units, the external information bus is functionally connected to the second inputs and outputs of the on-board digital computer system and the first inputs and outputs of the on-board equipment of the command-measuring system moreover, on the external multiplex serial data exchange bus, the on-board equipment of the command-measuring system acts as a controller, and the on-board digital computer system as a terminal device, the second input of the control and monitoring unit is functionally connected to the on-board equipment of the command-measuring system, the second output of the control and monitoring unit is connected to the second inputs of the control units, and its third output is functionally connected to the second input of the on-board equipment measuring system, the output of the first control unit is connected to the input of the thermal system and to the first input of the propulsion system, to the second output of the second pyrotechnic devices are connected, the output of the third control unit is functionally connected to the propulsion system through its second input, the output of the fourth control unit is connected to the input of the electrification control system, with the antenna-feeder system and the target equipment unit, the output of the fifth control unit is functionally connected to the orientation system solar panels, with a mechanical solar control device and with an input of a power supply system, the second inputs of the first and second control systems are acutely The direction of antennas operatively connected to the antenna-feeder system and to the input of the telemetry system, and the second input of the antenna-feeder system is connected to the output of the onboard apparatus command-measuring system.

Images