DE2751416A1 - NUMERICAL SYSTEM FOR DATA HANDLING, IN PARTICULAR FOR SPACE VEHICLES - Google Patents

Description

DrF Zumiicinserv. D ^. E. Astmann L / O 1 4 I 6

Di R.Koonios'. - ': · ■' "'^. Tt. HoUbau fJipl - Ing Γ. K. ._ ■.: ■■ Ί ι Ξ jtnstein JUr

V a 1 c .; i λ Ii \. ■. 't β Munich 2, Bri> uliau £: trale 4' 3

MATRA 0613 77 B

Numerical system for data handling, in particular for space vehicles.

The invention relates to numerical systems for data handling which can be used to ensure that control processes are running. She finds a particular important, though also not exclusive, application in the systems built into a spacecraft, whose one task is to ensure the Leadership exists.

This latter application makes it necessary, especially when the spacecraft has a long duration mission, if any several years to use a system with a high level of reliability, especially when executing certain tasks, since a system failure which would prevent their execution will result in the failure of the job Has. The data handling system must also be fast enough in order to ensure all necessary control and monitoring functions during the periods in which the number of those to be fulfilled Tasks is greatest (e.g. in a three-axis control or in orbit in the case of a satellite). At the same time, however, the weight and energy consumption of the system must be as small as possible.

Control systems which are built into spacecraft and which contain a specialized computing device are already known. However, to limit the effects of organ failure, the essential organs must be duplicated by a second identical organ kept in readiness, which is the case with a

809821/0900

275U16

- ^ - 0613 77 B

Failure takes the place of the first. In addition, each time a new application is contemplated, practically the entire Structure of the system and its program modules according to the Rescheduling user needs, increasing the cost of planning and execution and the risk of failure, since the system is seldom fully proven. After all, the entire system must remain operational, even during periods little activity, so that the energy consumption is always equal to that required during the periods of greatest load on the system is.

Furthermore, there is a digital system for data handling with a common memory and n_ independent general purpose processors known (AFIPS joint computer conference 19 75, vol. 44, pp. 551-559: Ornstein "Pluribus - A reliable multiprocessor"), in which each of these general purpose processors has the entire control capacity of the system and its own local one Contains RAM.

The system contains several collecting lines, which in themselves and because of the "interface" lines take up a lot of space.

The aim of the invention is to provide a system for digital data processing which can be used in a spacecraft can be installed with small interiors and which with high reliability the essentials incumbent on him Performs tasks. This is achieved by having the general purpose processors (11, 12, 13), the working memory (19) of which has sufficient capacity to accommodate the control programs of the system has, as well as the common memory (16) and input and output circuits with a single, in divided Time working collecting line are connected in parallel, whereby this Samuelleitung against disturbances in it switched on Systems is secured and wherein the common memory (16) contains the control data of the system and the user programs.

The invention makes use of the facts that

- at present the processors can be manufactured in the form of LSI circuits that take up little space, while the manifolds made up of electrical conductors, as well as those made up of discrete components

809821/0900

- bit

0G13 77 B

275U16

"Interface" lines are not miniaturized to the same extent can be

- a breakdown seldom results from the interruption of a conductor in a collecting line.

The manifold can be made reliable that between this manifold and the electronics Components with which it is connected a gate or gate designed in this way is interposed, that regardless of the nature of the breakdown of the component or the gate, this gate can be put out of operation, without affecting the operation of the collecting line.

This solution is by far the one that has been used so far The preferred solution, according to which the manifold has been doubled, resulting in an excessive duplication of the electrical conductors or wires.

The parallel treatment obtained apparently increases the speed and reliability. in the In normal operation, the tasks are divided between the processors. In the event of a fault in one of the processors or in the event of a arbitrarily disabling one of them to increase the life and reduce the consumption of the system only the speed of treatment is affected, but all tasks can -

809821/0900

275U16

- 2 - 0613 77 B

still to be met. The same applies to decommissioning all processors except one. With a suitable design of the common store, only part of it fails result in the impossibility of performing certain tasks (e.g. making a particular attempt). The essential part of the shared memory can of course be doubled by a portion held by, which in the case of a Disturbance of the first intervenes automatically.

It should be noted that the parallel connection of η processors on a common bus does not necessarily mean that Work slows down. This is because the time of a working cycle in the shared memory is generally considerably shorter than that Duration of a processor command (generally a quarter of the same). Therefore, if these latter are not too numerous (not more than three in the example given), there is no noticeable slowdown in the work of the processors due to conflicts that occur appear at the point of access to the common manifold.

Each processor is generally constituted by a commercially available microprocessor in complementary MOS technology, for example the INTERSIL IM 6100 microprocessor or COSMAC from HCA, if the necessary invoices are sent with a Microprocessor can be implemented with words of eight bits.

To further increase the reliability of the system, it is advisable to organize the usage tasks in independent modules to subdivide, which to ensure their expiry do not count on any other program than a doubled program. The connection between these modules, each of which is housed on a memory page with a low capacity (e.g. 1 kilowort) is ensured by a double activity in the doubled portion of the shared memory.

Each processor contains in a local memory the program of the system, the failure of which the failure of the system would result. The failure of one or two processors therefore only causes a deterioration in performance.

The system is designed in such a way that the capacities of the microprocessors are used as much as possible, in order to directly access the input and Control output channels. In this way one achieves one at the same time

809821/0900

275U16

2- ß - 0613 77 B

• τ

Material savings and an increase in the reliability of the system.

By the way, if only one processor is in operation, all tasks are carried out in series, so that there is no problem of parallel execution of branched programs.

The invention is explained below by way of example with reference to the drawing.

Fig. 1 is a principle diagram of the entire system.

Fig. 2 shows schematically the distribution of the memories Blocks.

The schematic in a greatly simplified form in FIG. 1 The system shown here can be seen as consisting of the following parts:

- three identical non-specialized processors 11,

12 and 13, which independently with a common data bus line 14 »a common address bus line 13 and a control bus (not shown) are connected;

- a common memory 16;

- Intermediate modules input / output for connection to edge units.

These various components are described in turn below.

Since the three processors are identical, it will suffice to describe the processor 11. Its main element is a microprocessor 17, which by means of integrated circuits on a large scale LSI is formed. It is assumed below that it is a INTERSIL IM 6100 A microprocessor in circuits with complementary MOS with fixed length words of twelve bits and single addressing. The execution time of an elementary instruction (addition a digit of twelve bits) is 5μβ below the normal supply voltage of 5 V. This microprocessor has the double advantage of being compatible with the tried and tested program modules that have already been developed for the PDP 8 E mini calculator and are available in a military version, which is capable of working between - 55 ° C and + 125 ° C »i.e. in the temperature range, which may be encountered in the case of a spacecraft, particularly a satellite.

The Mikropro-809821/0900 equipped with a crystal oscillator 18

275U16

- 7rt 0613 77 B

zesBor 17 are not used by the other processors 12 and 13 accessible local memory 19 »a control device 20 for expansion the addresses of the memory (e.g. INTERSIL type IM 6102) and a device 21 for monitoring the status of the processor of the type generally referred to as "watchdog". For this there is an intermediate module with the bus lines, which the processor 11 geetattes, the common memory 16 and the input and Control exit edge units part-time.

The local memory 19 receives a capacity that depends on the intended application. This memory 19 contains in all Cases a random memory and possibly a reprogrammable one Read Only Memory 22. In a typical case, read only memory 22 has a capacity of 1 kiloword of twelve bits. It can in particular be a reprogrammable read-only memory (or PROM) with complementary MOS of the INTERSIL IM 6312 AM type Act. The permanent memory should be the control program of the processor (general control device of tasks, control device of internal Interrupts, handling of immediate access to the memory or DMA, common subroutines, instruction codes, etc.) maintain. The random memory can, for example, consist of three memories 23 of the Type IM 6561, each of which is intended for 256 words of four bits.

The control device 20 for expanding the memory addresses contains a timer in real time and an integrated logic direct access to the memory. This control device enables the addressing capacity of the processor to be increased. Separated This is because the microprocessor has an addressing capacity limited to four kilowords of 12 bits, which is insufficient. For the sake of example, it is assumed that the control device 20 is provided in order to bring this capacity to 32 kilowords. The timer is controlled in real time by the associated microprocessor. It is therefore independent of the rest of the system. The presence of this timer, which in particular is used to accumulate can be used in real time or as a clock a circuit for requesting an interrupt, which of the external interruption circuits are independent and permitted, any of the processors 11, 12 and 13 independently of the to let the other two work.

809821/0900

-ί-

275U16

0613 77 B

The processor 11 also contains an intermediate module with the common storage tank and with the manifolds. This intermediate module contains a set of gates 25 which allow data to be transmitted with the data bus 14 in both directions allow. A second set of ports 26, which is only intended for making the transfer from the processor, is between the inner bus 27 of the processor, which supplies the microprocessor 17 and the memories 22 and 23, and the address bus 15. The data transmitted in this way form the least significant bits of an address in the shared memory, while the more significant bits are transmitted from the expansion control device 20 via a set of additional ports 28 will. It is assumed below as an example that addresses thus represented by words of fifteen bits are obtained.

The shared memory 16, like any local memory, has random memory or RAM (which is generally memory with complementary MOS with low consumption in the case of use in the room are) and reprogrammable read-only memories or PROM (generally two-pole memories, which are provided with a circuit for interrupting the supply if it is important is to reduce consumption).

In order to reduce the consequences of a failure, the common memory is expediently divided into a number of separate ones Blocks, with each task completely contained in a single block and without the intervention of any of the monitors Processors cannot get to another block. Furthermore, the data of the system, the disappearance of which is complete Failure of the device would result in a duplicated block so that the required reliability is obtained.

In the embodiment shown in FIG. 1, the common memory 16 contains:

a memory 36 for the data of the system (in particular an activity table of tasks and variables of the system). This memory 36 and its address decoder 37 are duplicated by a memory and a decoder which are the same designed but not shown, which are normally on standby but in the event of a fault by means of an external

809821/090 0

275U16

- 0613 77 B

their control can be used. The memory 36 contains e.g. a page in RAM 38 of 1 kiloword of twelve bits (e.g. IM 6508 from INTERSIL) and three pages in ROM or PROM 39 of 1 kiloword each (e.g. IM 5624). The page in RAM 38 is designed to be accessible only through a split marker so that the erasure their content is avoided by incorrect addressing. The time of access to this page by one of the processors will be checked by the corresponding watchdog circuit, which one Rejection process triggers if the allocated duration is exceeded will;

a memory containing the user programs, which is not duplicated and is formed by blocks 29, each of which is provided with an address decoder 30. In Fig. 1 a single one of these blocks is shown. In addition to the decoder 24, it contains a page of 1 kiloword and three in RAM Pages of 1 kiloword in ROM or PROM. The division into separate pages enables better protection of the memory.

The shared memory also contains the command codes already contained in the local memory.

Fig. 2 shows schematically the structure thus obtained. In this figure, "Block Zero" is everyone's local memory Processor (which is only accessible for the corresponding microprocessor), with "Block 1" which the data of the system containing memory (i.e. the memory 36) and with "Blocks 2 to 7" the memory 29 for receiving the usage programs.

Access to blocks 2 to 7 is divided between the three processors 11, 12 and 13. As stated above, the training is so chosen that the failure of a block affects a minimal number of tasks. The programs are structured for this purpose. Each task is completely contained in a block, and no task can go directly to another block. Execution a task does not depend on any other task that is not duplicated in a memory, so that one has parallel chains of treatment receives. In addition, each block contains a "monitor call" module to change the program of one of the processors in such a way that its monitor program is activated. After all, they are Program modules designed so that a task which depends on another task, if possible, in the same blook

809821/0900

275U16

-JBf- 0613 77 B

ΛΑ

is entered. '

The following is an example of what the typical functions are which are in a shared memory if the device is used, stored on a geostationary satellite to be stabilized along the three axes are.

Block 1, which forms the memory of the system, contains the data necessary for the operation of the entire device (State of the satellite and the edge units, state of the tasks and the processors, etc.). Blocks 2 to 7 can in particular contain the program modules for the typical control functions able to include:

a) the subroutines of the general program blocks, numerical Filters of the first and second order, the consequence of the actuation of the organs to change the position by holding open-close (which in particular contains the ratios of the cycles and comparators with double threshold),

b) the usual routines for checking the situation, such as:

- the control during the transfer to the desired place,

- the treatment of the data supplied by a probe carried by the satellite (filtering and generation of commands to activate nozzles by open-close control),

- Control in normal operation (generation of the number of sinusoids of periods of 24 hours of good stability, treatment the data supplied by the sensor and generation of the commands for starting up by open-close control of the motors of the inertia wheels and / or nozzles, task of monitoring all the equipment for checking the position),

- Control while holding in the right place, which contains tasks which are similar to those to be fulfilled in normal operation, but with different algorithms, overlay the orbit control commands among the attitude control commands using the same activation subroutine.

Finally, the input-output circuits circuits operating in parallel and circuits operating in series. Below are only the circuits that work in parallel

809821/0900

275U16

- y- _An 0613 77 B

gen briefly described.

The device shown schematically in FIG. 1 contains one or more input and output channels with words of twelve bits. Since these channels are identical, there is only one Channel shown.

If the microprocessors are IM 6100, the address part of the input / output instruction consists of six bits to choose from an organ and three bits to control the organ. Two channels can be provided and viewed as one and the same organ will. The three control bits are then used as a sub-address, input or output command and command for setting an indicator decoded.

The two channels are made in parallel by means of one and the same Decoder controlled, which of the address bus 15 one sent out from any of the processors 11, 12 and 13 Receives instruction. The appropriate channel 33 is then energized and transmits the received data through line 34 from data bus 14 to input-output connector 35 and from the connector to the line. In both cases, the indicator 32 is set.

FIG. 1 also shows, in a greatly simplified manner, the circuits for handling interruptions. There are two interrupt levels provided, namely an inner one (reserved for the real-time timer of any processor ^ and an outer one, common to all processors (user interruption).

The Behend.lungaachaltung shown contains an interrupt register 40 with 12 bits. Upon receipt of an interrupt request on a line 41, this register 40 queries everyone Processors by means of a control logic 42 and an interrupt line 43. All free processors (i.e. those not on a Locked task) compete. The first one available deals with the interrupt command. The module for handling the Interrupts in memory 36 determine the task required and, depending on the urgency assigned to it, takes the following Measures:

- it shows an identifier bit in its priority table of the tasks

- or causes immediate and complete execution

809821/0900

H 0613 77 B

the task when it is critical.

As can be seen, three critical tasks can be handled at the same time, and there is only a single level of memory to provide, which simplifies the program modules and makes them more reliable.

There are, for example, twelve outer break lines 41 intended. A circuit 44 for bringing up to date brings the occupancy information from the data bus 14 to the Register 40.

It should also be noted that the structure of the system allows working in "direct memory access" (DMA) without additional circuitry by using one of the processors determined for the DMA function during a fraction of the operating time. The DMA function is programmed under the activity tasks. As soon as a processor is reserved for a DMA sequence, the interruption of the program is prohibited and the indicators ■ of the corresponding input-output channel are set.

Finally, the system has an electrical supply (not shown). This supply is doubled and allows an auxiliary supply by an external command to replace the normal supply in the event of its failure bring. A connection between the supply and the "watchdog circuits" of each processor enables the latter the re-initialization of the device after the auxiliary supply has taken the place of the failed supply.

A circuit for analog-numerical conversion can of course be added to the input-output circuits described above be added, which is also connected in parallel to the manifolds 14 and 15.

Since the operation of the system is clear from the description above, only some general information about made their peculiarities.

First of all, it should be noted that those in the activi-. The urgency table can have four states identified by indicators according to tasks:

1. "ACTIVE" if the task is currently being carried out,

2. "BBRBlT" or "IH READINESS" when executed as soon as a processor can take it over,

809821/0900

275U16

0613 77 B

3. "INACTIVE" if it is not in either of the above two states,

4. Finally "DEAD" when not in the states (1) and (2) can occur, e.g. if the corresponding task cannot be carried out in order to take a fault into account.

A given task can change from state (3) to state (2) by another task or an interruption to be brought. It is brought from state (2) to state (1) by the processor handling it.

Ea oei assumed that first the three processors 11, 12 and 13 are free. Upon an interrupt request, the monitor effects each processor in order the urgency, the reading of the tasks in the "READY" state in the activity table (in the shared memory 16). Of the three processors, the first to take the reading takes over (which, if the three processors are in operation, randomly is determined because the timers of the control circuits 20 are asynchronous) the most urgent task in the "READY" state, i.e. whose execution was requested. The processor then reserves access to block 1 and if it is interrupted when aroused, he cancels it. It checks whether the task is still in the "READY" state because another processor it may have taken over since the first reading. In this case the processor releases access to block 1 and returns to the State of visiting a "ready" task. If, on the other hand, the task is still in the "READY" state, changed the processor changes the status of the task from "READY" to "ACTIVE" and enables access to block 1. He saves his index in the local memory of the monitor, so that the indication of the processor which carried out the task in the event of a malfunction is kept. The task is then carried out. When it finishes, the processor brings the task into the table the status "INACTIVE".

While the first processor was executing a task, an external interrupt command may have been issued. Of the The first processor, which is ready to receive the interruption, reads the instruction register and, if necessary, decodes it to

809821/0900

275U16

₀₆₁₅ 77 B

Mood of the urgency of the interruption the most urgent.

The programs can also include an activation bit of a task set, not to request the execution of a task, but to have direct access to the memory for an entry or exit edge unit. This process is carried out by the processor that is free, and not through a wired logic. This solution allows the reliability to be improved since it eliminates the presence of avoids parallel circuits with the edge units.

In each block it is possible to bring a task into the "TOT" state by means of an external control, in particular if the task cannot be carried out for any reason (malfunction, programming error, etc.). If the task is in the ¹¹ TOT "state, the processors skip the task reading the memory 36. As can be seen, the failure of any part of the memories does not cause the system to be put out of service, but at most a simple deterioration in its performance For example, if one of the blocks 0 is disturbed, it is sufficient to put the corresponding processor out of operation by means of an external control It is sufficient, however, to reinitialize the whole system. If one of the blocks 2 to 7 is finally disturbed, one simply loses the user programs contained in the block, which then changes to the "TOT" state in the activity table of block 1 .

The "watchdog circuit" of each processor enables in particular:

- to interrupt the execution of a task if you Access to block 1 takes too long. The circuit then stops the processor and it is switched back on by an external command Operation set;

- in the event of a fault in the supply, to determine this, to effect the replacement of the faulty supply by the supply in readiness (this process can, however, be carried out by using an external remote control), and then to initiate the system again, triggering the execution of the corresponding routine.

809821/0900

275U16

λ V5 - 0613 77 Β

desolate. The remote control change can be done in a very simple way transmit an electromagnetic Reluio with two positions Hai tt? K rice done;

- in the event of an error in the program sequence, interrupt execution and initiate the processor again. Fnlln ο I repeat the error and a permanent stönui, ¹ ? mitfilit, can never shut down the processor in a logical way or trigger an alarm on which the processor cuts through; Remote control uusßeochiedon wii'd.

809821/0900

Blank page

Claims (9)

PATENT CLAIM 0613 77 B 275-18 Digital or numeric data handling system, in particular for space vehicles with a shared memory and n_ independent general purpose processors, each of these Processors has the entire controllability of the system and has its own main memory, characterized in that the general-purpose processors (11, 12, 13), the working memory (19) of which is sufficient to hold the control programs of the system Has capacity, as well as the common memory (16) and input and output circuits with a single, in shared Time working collecting line are connected in parallel, this collecting line compared to disturbances in the connected to it Systems is secured and wherein the common memory (16) contains the control data of the system and the user programs. 2. System according to claim 1, characterized in that the common memory (16) has a block (36, 37) which is doubled by an additional, standby block which contains the data, the disappearance of which leads to the complete failure of the system and one or more blocks containing the user programs. 3. System according to claim 2, characterized in that certain user programs to increase the reliability in different blocks are doubled. 4. System according to claim 2 or 3 »characterized in that each task to be carried out is defined by a program which is contained in one and the same block and not to another block without the intervention of the monitor program of one of the Processors can arrive. 5. System according to one of claims 1 to 4 »thereby characterized in that each processor has an integrated circuit microprocessor (17), one for the other processors not accessible local memory (19) and a control circuit (20) to expand the addresses of a memory, the capacity of which is compatible with that of the shared memory. 6. System according to claim 5 »characterized in that the local memory (19) of each processor has a fixed memory (22) for storing the processor programs, i. E. in particular the monitors, the treatment of the internal interruptions and, if necessary, a treatment for the immediate 809821/0900 ORIGINAL INSPECTED 275U16 - \ jö - 0613 77 B Access to the memory, and a random memory (23) contains. 7. System according to claim 5 or 6, characterized by Means which apply interrupt requests coming from outside to all processors in parallel. 8. System according to one of claims 5 hie 7, characterized in that that each control circuit for expanding the addresses of a memory contains a timer in real time, which is controlled by the associated microprocessor and is independent of the rest of the system. 9. System according to one of claims 1 to 8, characterized by three identical processors, which are independent of one another can be put in or out of operation by an external control, with the time of the cycle in the common memory is at least three times shorter than the duration of a processor instruction. 809821/0900