
Big problems for MRO...

Pat Flannery...
Posted: Thu Oct 29, 2009 12:18 am
Guest
http://www.azstarnet.com/sn/science/315108.php
Pity if it breaks down after all the great photos.

Pat
 
Rusty Shackelford...
Posted: Thu Oct 29, 2009 12:18 am
Guest
Pat Flannery wrote:
[quote]http://www.azstarnet.com/sn/science/315108.php
Pity if it breaks down after all the great photos.

Pat
[/quote]
It would be a shame to lose that asset. Anyone know when the next
orbiter is scheduled to enter Martian orbit? Is MSL going to leave an
orbiter at Mars? Given the direct approach aerobraking scheme that
has been used for recent landers/rovers I suspect not.
 
Sylvia Else...
Posted: Thu Oct 29, 2009 10:45 pm
Guest
Pat Flannery wrote:
[quote]http://www.azstarnet.com/sn/science/315108.php
Pity if it breaks down after all the great photos.

Pat
[/quote]
So the reset takes it to the state where it's "on the ground waiting to
be turned on".

Great design.

Why does it even have such a state?

Sylvia
 
David Spain...
Posted: Fri Oct 30, 2009 6:55 am
Guest
Sylvia Else wrote:
[quote]Pat Flannery wrote:
http://www.azstarnet.com/sn/science/315108.php
Pity if it breaks down after all the great photos.

Pat

So the reset takes it to the state where it's "on the ground waiting to
be turned on".

Great design.

Why does it even have such a state?

Sylvia
[/quote]
A quote from the article:
/quote
The unclear voltage signals have caused the orbiter in one instance to switch to a backup computer and in the three other instances
to reset the computer. Engineers worry that if these actions happen in a short enough time frame, the memory of the main computer as
well as the memory of the backup computer could be reset.

"There's a case where the spacecraft may not remember that it is in mapping mode," Erickson said. "It might think it's on the ground
waiting to be turned on."
/endquote

Well I don't have all the facts on the MRO programming, but given what the article says, it would be a 'reasonable' speculation that
if the resets occur during a short window where the orbiter is switching between computers it would force both computers to execute
programming not from their writable 'main' memory but from fixed normally non-writable boot-strap memory. Memory that cannot be
changed or not easily changed from the ground without considerable risk of loss of vehicle. Such memory is normally used to program
initial start-up, such as when the vehicle is powered on for the very first time as it would be 'on the ground'. Such memory is
usually very limited in size. It would likely not be large enough to hold all the mission programming necessary for the probe to
operate in 'mapping mode'. If you know a bit about PCs, think of it as the probe's equivalent to the BIOS memory in your PC.

The fact that they are contemplating a fix even for this scenario would indicate they are perhaps considering a modification to the
boot-strap software to prevent catastrophic simultaneous erasure of both main and backup computer memories. There is some degree of
risk in applying the fix. If the voltage 'glitch' event should happen while re-programming this critical memory, it would be
possible to lose the computer operated by that memory completely and forever, as the programming in this critical memory must be
correct for the computer to recover from a reset.

I have designed and built three control systems that operate more or less under these principles. Luckily for me, the hardware they
are controlling is not some 150 million miles away give or take a few million at any given time... :-)

Dave
 
Sylvia Else...
Posted: Fri Oct 30, 2009 5:18 pm
Guest
David Spain wrote:
[quote]Sylvia Else wrote:
Pat Flannery wrote:
http://www.azstarnet.com/sn/science/315108.php
Pity if it breaks down after all the great photos.

Pat

So the reset takes it to the state where it's "on the ground waiting
to be turned on".

Great design.

Why does it even have such a state?

Sylvia

A quote from the article:
/quote
The unclear voltage signals have caused the orbiter in one instance to
switch to a backup computer and in the three other instances to reset
the computer. Engineers worry that if these actions happen in a short
enough time frame, the memory of the main computer as well as the memory
of the backup computer could be reset.

"There's a case where the spacecraft may not remember that it is in
mapping mode," Erickson said. "It might think it's on the ground waiting
to be turned on."
/endquote

Well I don't have all the facts on the MRO programming, but given what
the article says, it would be a 'reasonable' speculation that if the
resets occur during a short window where the orbiter is switching
between computers it would force both computers to execute
programming not from their writable 'main' memory but from fixed
normally non-writable boot-strap memory. Memory that cannot be changed
or not easily changed from the ground without considerable risk of loss
of vehicle. Such memory is normally used to program initial start-up,
such as when the vehicle is powered on for the very first time as it
would be 'on the ground'. Such memory is usually very limited in size.
It would likely not be large enough to hold all the mission programming
necessary for the probe to operate in 'mapping mode'. If you know a bit
about PCs, think of it as the probe's equivalent to the BIOS memory in
your PC.
[/quote]
It rather sounded to me as if the reset state for each computer was for
it to consider that it was on the ground, and that it relies on the
other computer to tell it that it's not. Thus if both are reset within a
short time, they're stuffed.

Which just begs the question of why that's the reset state. My system at
home doesn't default to waiting to be turned on, or to having an
operating system installed. It defaults to running its already installed
operating system. It doesn't seem unreasonable for the reset state in a
space vehicle to involve pointing the antenna at Earth and waiting for
instructions, and there's no need for all of that to be in boot ROM.

Sylvia.
 
David Spain...
Posted: Fri Oct 30, 2009 6:16 pm
Guest
Sylvia Else wrote:
[quote]It rather sounded to me as if the reset state for each computer was for
it to consider that it was on the ground, and that it relies on the
other computer to tell it that it's not. Thus if both are reset within a
short time, they're stuffed.
[/quote]
I don't infer that from the article. Another reasonable speculation is there
is a mechanism for keeping memory between the two in sync and a hardware+software
mechanism that allows fail-over from one to the other in cases of these voltage
'glitches'. If the glitches are such that a reset can fire off to both computers
within a certain critical time window, both computers erase their respective
memories and that effectively ends the mission.

[quote]Which just begs the question of why that's the reset state. My system at
home doesn't default to waiting to be turned on, or to having an
operating system installed. It defaults to running its already installed
operating system. It doesn't seem unreasonable for the reset state in a
space vehicle to involve pointing the antenna at Earth and waiting for
instructions, and there's no need for all of that to be in boot ROM.
[/quote]
Well in fact it does, that is why it is called a boot-strap ROM. You cannot
send instructions to a probe that does not know how to listen. So you have two
choices. Either cram all of the instructions necessary to perform the listening
task in ROM or leave enough instructions in the writable memory (RAM) from a previous
download to allow the probe to listen for new instructions. If there are more
instructions to do this than will fit into
the ROM, you have to leave those instructions in RAM and expect the computer not
to erase them on fail-over. Assuming the code that would do that erasure is in ROM
and if that ROM happens to be re-writable you can reprogram what is in ROM to *not*
do that and hope that the power glitch does not corrupt RAM so badly that the probe
*forgets* how to listen to Earth.

The bottom line in all this is a risk assessment. If the risk of accidental erasure
is more significant than the risk of RAM corruption due to the voltage glitch (which,
remember, may not actually be real but due to a sensor artifact) you'd probably want
to go ahead with the reprogramming.

Dave
 
Sylvia Else...
Posted: Fri Oct 30, 2009 11:29 pm
Guest
David Spain wrote:
[quote]Sylvia Else wrote:

It rather sounded to me as if the reset state for each computer was
for it to consider that it was on the ground, and that it relies on
the other computer to tell it that it's not. Thus if both are reset
within a short time, they're stuffed.

I don't infer that from the article. Another reasonable speculation is
there is a mechanism for keeping memory between the two in sync and a
hardware+software mechanism that allows fail-over from one to the other
in cases of these voltage 'glitches'. If the glitches are such that a
reset can fire off to both computers within a certain critical time
window, both computers erase their respective memories and that
effectively ends the mission.

Which just begs the question of why that's the reset state. My system
at home doesn't default to waiting to be turned on, or to having an
operating system installed. It defaults to running its already
installed operating system. It doesn't seem unreasonable for the reset
state in a space vehicle to involve pointing the antenna at Earth and
waiting for instructions, and there's no need for all of that to be in
boot ROM.

Well in fact it does, that is why it is called a boot-strap ROM. You cannot
send instructions to a probe that does not know how to listen. So you
have two choices. Either cram all of the instructions necessary to
perform the listening task in ROM or leave enough instructions in the
writable memory (RAM) from a previous download to allow the probe to
listen for new instructions. If there are more instructions to do this
than will fit into the ROM, you have to leave those instructions in RAM
and expect the computer not to erase them on fail-over. Assuming the
code that would do that erasure is in ROM and if that ROM happens to be
re-writable you can reprogram what is in ROM to *not* do that and hope
that the power glitch does not corrupt RAM so badly that the probe
*forgets* how to listen to Earth.

The bottom line in all this is a risk assessment. If the risk of
accidental erasure is more significant than the risk of RAM corruption
due to the voltage glitch (which, remember, may not actually be real but
due to a sensor artifact) you'd probably want to go ahead with the
reprogramming.

Dave
[/quote]
It seems to me that the operating system could be held in flash memory,
which, being nonvolatile, wouldn't be affected by voltage glitches.
Assuming each computer has a separate copy, which can be updated by the
other computer, I wouldn't have thought there'd be any difficulty unless
one computer fails hard, since the flash memory for one could be updated
and checked before the flash memory for the other was. In particular a
voltage glitch resetting a computer while it was updating the flash
memory of the other would simply mean the process had to be restarted.

Flash memory sizes easily reach gigabytes, which is ample for the task.

Sylvia.
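The fail-over and "critical time window" David describes above, together with the per-computer nonvolatile copy Sylvia suggests, as an added toy simulation of the thread's speculation (constructed here, not MRO flight software or anything from the article). The two-second boot time, the computer names and the CRC-checked nonvolatile slot are assumptions.

```python
import zlib

BOOT_TIME_S = 2.0  # hypothetical: time a computer spends in its ROM boot path


class Computer:
    def __init__(self, name):
        self.name = name
        self.ram_mode = "MAPPING"   # volatile mission state, lost on every reset
        self.nv_slot = None         # optional (payload, crc32) in nonvolatile store
        self.last_reset = None

    def store_nv(self, mode):
        self.nv_slot = (mode, zlib.crc32(mode.encode()))

    def nv_valid(self):
        # A glitch might corrupt flash as well, so the slot is only trusted with its CRC.
        return (self.nv_slot is not None
                and zlib.crc32(self.nv_slot[0].encode()) == self.nv_slot[1])

    def reset(self, t):
        self.last_reset = t
        self.ram_mode = "GROUND"    # ROM default: "on the ground waiting to be turned on"

    def boot_done(self, t, peer, use_nv):
        """End of ROM boot: ask the peer for mission state, else fall back to NV."""
        peer_up = peer.last_reset is None or t >= peer.last_reset + BOOT_TIME_S
        if peer_up and peer.ram_mode == "MAPPING":
            self.ram_mode = "MAPPING"           # peer still remembers: fail-over works
        elif use_nv and self.nv_valid():
            self.ram_mode = self.nv_slot[0]     # both were down: own NV copy saves it
        return self.ram_mode


def simulate(reset_times, use_nv=False, corrupt_nv=()):
    """reset_times: {"A": t_a, "B": t_b} in seconds. Returns (mode_A, mode_B)."""
    a, b = Computer("A"), Computer("B")
    for c in (a, b):
        c.store_nv("MAPPING")
        if c.name in corrupt_nv:            # constructed corruption: payload flipped, CRC stale
            c.nv_slot = ("GROUND", c.nv_slot[1])
    peers = {"A": (a, b), "B": (b, a)}
    events = sorted([(t, 0, n) for n, t in reset_times.items()]
                    + [(t + BOOT_TIME_S, 1, n) for n, t in reset_times.items()])
    for t, kind, n in events:
        me, peer = peers[n]
        if kind == 0:
            me.reset(t)
        else:
            me.boot_done(t, peer, use_nv)
    return a.ram_mode, b.ram_mode
```

With both resets inside the boot window and only the peer to ask, both computers come up "on the ground"; a CRC-checked nonvolatile copy recovers the mode, and a corrupted copy is rejected rather than trusted.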
 
David Spain...
Posted: Sat Oct 31, 2009 9:05 am
Guest
Sylvia Else wrote:
[quote]It seems to me that the operating system could be held in flash memory,
which, being nonvolatile, wouldn't be affected by voltage glitches.
[/quote]
That depends. Flash memory is electrically erasable; it would depend on
the nature of the 'glitch'.

[quote]Assuming each computer has a separate copy, which can be updated by the
other computer, I wouldn't have thought there'd be any difficulty unless
one computer fails hard, since the flash memory for one could be updated
and checked before the flash memory for the other was. In particular a
voltage glitch resetting a computer while it was updating the flash
memory of the other would simply mean the process had to be restarted.

[/quote]
That is all certainly possible. I am assuming it is also all speculative
since you haven't stated that you *know* that to be the case for the MRO.

[quote]Flash memory sizes easily reach gigabytes, which is ample for the task.
[/quote]
I would agree with that, however, electronics rated for space have to meet
much tougher environmental standards than consumer electronics which tend to
lead in the performance & capability curve. Also, these probes have very
long development lead times. You cannot use the technology benchmark as it
exists today, you have to go back in time to when the MRO program was begun
and look at the technology that existed then. In fact, more likely you need
to look back at technology that existed 10 years prior to that time for the
electronics that have been rated for a space environment that were likely
employed in the MRO.

Dave
 