CN106371951B - method for implementing triple modular redundancy - Google Patents

Publication number
CN106371951B
Authority
CN
China
Prior art keywords
module
function
modular redundancy
triple modular
core
Legal status
Active
Application number
CN201610780826.3A
Other languages
Chinese (zh)
Other versions
CN106371951A (en)
Inventor
张弢
王彬
王晓丹
Current Assignee
Technology and Engineering Center for Space Utilization of CAS
Original Assignee
Technology and Engineering Center for Space Utilization of CAS
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/16 Error detection or correction of the data by redundancy in hardware
    • G06F 11/18 Error detection or correction of the data by redundancy in hardware using passive fault-masking of the redundant circuits
    • G06F 11/181 Eliminating the failing redundant component


Abstract

The invention discloses a method for implementing triple modular redundancy, which comprises the following steps: (1) obtaining the core function of the equipment that needs triple modular redundancy protection; (2) analyzing the interface modules and function modules covered by the core function; (3) ordering the interface modules and function modules by priority; and (4) implementing triple modular redundancy on the interface modules and/or function modules in that priority order.

Description

method for implementing triple modular redundancy
Technical Field
The invention relates to the technical field of spacecraft stability, and in particular to a method for implementing triple modular redundancy that is suitable for electronic information systems.
Background
The spacecraft is the main material and information carrier in space application activities, and whether it can run stably for a long time directly determines whether an on-orbit mission can be completed smoothly. In space, however, a spacecraft is subject to interference from many sources.
(1) High-energy particle and cosmic ray effects: in the space environment, electronic devices operating on orbit, in particular programmable logic devices such as SRAM-type FPGAs, are prone to single event transient (SET) and single event upset (SEU) effects, which cause a single data error in mild cases and a crash of the whole system in severe cases. SET and SEU effects mainly affect electronic devices and act directly on the hardware integrated circuit.
(2) Effects of vibrating devices inside the spacecraft: a spacecraft often carries devices with vibration characteristics, and communication quality may be affected while they operate, for example a single communication failure caused by unstable signal transmission. The interface communication disturbances caused by internal vibrating devices may involve both hardware and software.
In order to enhance the reliability and stability of the spacecraft and ensure that the system or equipment can mask or tolerate these types of faults, two approaches are commonly used at present: hardware reinforcement and software reinforcement.
(1) Hardware reinforcement is mainly realized by adding external devices or by using devices made with a radiation-hardened production process. However, such additional devices or modifications to the device manufacturing process add significant cost, and adding external devices necessarily increases the complexity of the spacecraft design.
(2) Software reinforcement, for example implementing triple modular redundancy on an SRAM-type FPGA, can eliminate the influence of single event faults within a certain range and reduce accidental interference with inter-device communication from factors such as low-frequency vibration. Triple modular redundancy has the advantages of simplicity, flexibility and ease of reconfiguration, and is widely adopted in the industry.
Therefore, how to reasonably determine the implementation range of triple modular redundancy so as to reinforce the stability and reliability of the spacecraft to the greatest extent has become a key technical problem to be urgently solved by those skilled in the art.
Disclosure of Invention
In order to solve the problems that conventional methods for implementing triple modular redundancy cannot reasonably determine the implementation range and cannot sufficiently reinforce the stability and reliability of the spacecraft, the invention provides a method for implementing triple modular redundancy that determines the implementation range from the flight mission and the function of the spacecraft, and then implements triple modular redundancy in a targeted manner, thereby enhancing the reliability and stability of the spacecraft to the greatest extent.
To achieve the above technical object, the invention discloses a method for implementing triple modular redundancy, comprising the following steps:
step 1, acquiring the core function of the equipment needing triple modular redundancy protection;
step 2, analyzing the interface module and the function module covered by the core function;
step 3, ordering the interface module and the function module by priority;
step 4, implementing triple modular redundancy on the interface module and/or the function module according to the priority order.
Starting from the core function of the equipment and the task it has to execute, the invention better solves the problem of the range and order in which triple modular redundancy is implemented, and reinforces the reliability and stability of the spacecraft better than the traditional method.
Further, the method includes the following steps:
step 30, after step 3 is executed, judging whether the triple modular redundancy implemented on the interface module and the function module simultaneously meets the core function requirement and the hardware resource bearing capacity: if yes, entering step 4; if not, executing step 31;
step 31, determining whether the core functions of the interface module and the function module can be merged: if yes, combining the corresponding core functions and then returning to step 1; if not, truncating the interface modules and/or function modules to the high-priority ones that the hardware resource bearing capacity allows, and then executing step 4.
Considering the specific task of the spacecraft and the limited hardware resources remaining inside it, the invention takes into account the core function requirement and the hardware resource bearing capacity that the interface module and the function module must satisfy: if the conditions are met, triple modular redundancy is implemented; if not, the plan is revised.
Further, in step 3, the interface modules and function modules are prioritized by a time dimension and a space dimension.
The invention designs and decomposes all modules along the two dimensions of time and space, can consider factors such as single event upset, single event transient and interface noise at the same time, and is simpler and easier to implement than the traditional method.
Further, in step 3, a priority matrix table with the space dimension as the abscissa and the time dimension as the ordinate is formed, and the priority level decreases gradually from the top left corner to the bottom right corner of the table.
On the priority matrix table the interface modules and function modules are classified in detail, and the processor implements triple modular redundancy selectively and in order according to the level.
Further, in step 1, the working mode and main functions of the equipment are analyzed from the task profile perspective, and from these the core functions of the equipment needing triple modular redundancy protection are obtained.
The invention implements the triple modular redundancy design oriented to the task profile, can preferentially apply redundancy to the FPGA function modules supporting the core function, improves the utilization of hardware resources, and improves the working stability and reliability of the equipment.
Further, in step 1, functions that affect the success or failure of the task and/or functions that present a serious safety hazard are identified as core functions of the equipment.
The invention solves the problem of equipment reliability and reduces or even avoids the influence of other factors on equipment operation: it identifies the key to the reliability problem by recognizing the functions that affect the success or failure of a task and/or the functions with a serious safety hazard, implements triple modular redundancy on them in a targeted manner, and thereby solves the problem of the equipment being interfered with.
Further, in step 2, the interface module and the function module covered by the core function are analyzed, according to the core function of the equipment, on the basis of the basic logic modules of the FPGA.
Because the FPGA often carries the core function of the equipment, the invention can determine the range in which triple modular redundancy is implemented on the basis of the FPGA basic logic modules, and thus solve the problem of equipment reliability.
Further, the equipment may be performing an on-orbit task; the method of the invention thus has a wider application range and can be used for spacecraft performing on-orbit tasks.
The beneficial effects of the invention are: compared with the prior art, the method for implementing triple modular redundancy combines the flight mission of the spacecraft and is oriented to the core function of the mission, implements triple modular redundancy on the core modules of the spacecraft, and sufficiently reinforces the reliability and stability of the spacecraft.
Drawings
FIG. 1 is a flow chart of a method of implementing triple modular redundancy in accordance with the present invention.
Fig. 2 is a priority matrix table with a spatial dimension as an abscissa and a time dimension as an ordinate.
Fig. 3 is a priority matrix table refined on the basis of fig. 2.
Detailed Description
The invention is explained in detail below with reference to the drawings.
As shown in figs. 1, 2 and 3, the invention discloses a method for implementing triple modular redundancy, comprising the following steps.
Step 1: according to the task the equipment has to complete, the related task path is extracted, the working mode and main functions of the equipment are analyzed from the perspective of the task profile, and the core function of the equipment needing triple modular redundancy protection is obtained from that analysis, for example by a mode transition chart or a function item decomposition method.
In this embodiment, the equipment requiring triple modular redundancy protection, which may be a spacecraft or other aerospace device or apparatus, may be performing an on-orbit mission.
Step 2: the corresponding software code is located according to the extracted core function, and the interface modules and function modules covered by the core function are analyzed in a modular manner. In this embodiment the identified code is logic-synthesized to obtain the corresponding basic logic modules of the FPGA, such as the Slices or LUTs of a Xilinx FPGA chip, and then the function modules and their interfaces covered by each key function path are analyzed.
Step 3: as shown in figs. 2 and 3, the interface modules and function modules are ordered by priority and refined layer by layer. In this embodiment they are prioritized through a time dimension and a space dimension, an implementation strategy for triple modular redundancy is derived, and a priority matrix table with the space dimension as the horizontal coordinate and the time dimension as the vertical coordinate is formed; as shown in fig. 2, the priority level decreases gradually from the upper left corner to the lower right corner of the table. Of course, the priority matrix table may also use the time dimension as the abscissa and the space dimension as the ordinate. In the present invention, the "time dimension" describes the execution order of the function modules in time, and the "space dimension" describes the execution order of the function modules in space.
Specifically, step 3 can be implemented as follows.
(1) The interface modules and function modules are ordered by priority according to the IN-OUT data flow direction; for example, the priority of the data entry module and that of the data interface module can be set according to the spacecraft task, giving a module sequence ordered by priority according to the set rule.
(2) As shown in fig. 2, a priority matrix table with the horizontal axis as the space dimension (X-axis) and the vertical axis as the time dimension (Y-axis) is created, and the module sequence is then placed at the positions | X | Y |, as shown in fig. 2, where module 1, module 2, module 3 … are placed.
(3) As shown in fig. 3, the priority matrix table is further decomposed or divided according to the emphasis of the specific task or fault, and the range and order in which triple modular redundancy is implemented change with that emphasis accordingly. For example, triple modular redundancy can be implemented using the following schemes.
Scheme one: if transient faults such as single event transients (SET) are the main thing to protect against, the module is moved to the | Y | X | area, as with module 2 in fig. 3; that is, the same signal is sent to the module three times in sequence, and the logic value on which the module's output signals agree is taken as the correct result, i.e. 2-of-3 voting over the time sequence;
Scheme two: if the main thing to protect against is a non-self-recovering fault such as a single event upset (SEU), the module is moved to the | Y | X | area, as with module 1 in fig. 3; the module logic is copied into three parts including the original module, and the logic value on which the three parts' output signals agree is taken as the correct result, i.e. the module structure is triplicated;
Scheme three: if faults such as single event transients (SET) and single event upsets (SEU) must be protected against at the same time, the module is copied into two parts including the original module, which are moved into the | Y | X | area and the | Y | X | area respectively, as with module 3 in fig. 3.
Scheme four: if there are no special requirements such as time sequence synchronization or triple modular redundancy of chip pins, the data interface module is preferentially moved to the | Y | X | area, since the 2-of-3 time sequence implementation saves resources.
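A behavioural model of the two placements behind schemes one and two, added here as an illustration and not taken from the patent: temporal 2-of-3 voting (one module sampled three times) and spatial TMR (three structural copies with a majority voter), each run under an injected SET or SEU, so that the difference the text draws between transient and non-self-recovering faults can be seen. The parity module, the fault model (a SET glitches one sample, an SEU keeps corrupting every later sample) and the word value are assumptions.

```python
"""Temporal versus spatial TMR under injected SET/SEU faults.
Constructed example; the parity module and the fault model are assumptions."""
from collections import Counter


def majority(samples):
    """2-of-3 voter: the value at least two samples agree on, or None if all differ."""
    value, count = Counter(samples).most_common(1)[0]
    return value if count >= 2 else None


def parity(word):
    """Stand-in for a protected function module: parity of an 8-bit word."""
    return bin(word & 0xFF).count("1") & 1


def temporal_tmr(module, word, fault=None, hit_cycle=0):
    """Scheme one: the same input is applied in three consecutive cycles and the
    three outputs are voted. A SET is a glitch confined to the sample at hit_cycle;
    an SEU is a flipped state element that corrupts that sample and every later one."""
    samples = []
    for cycle in range(3):
        out = module(word)
        if fault == "SET" and cycle == hit_cycle:
            out ^= 1
        elif fault == "SEU" and cycle >= hit_cycle:
            out ^= 1
        samples.append(out)
    return majority(samples)


def spatial_tmr(module, word, faulty_copies=()):
    """Scheme two: three identical copies evaluate in parallel and a voter takes
    the majority. A fault of either kind in one copy is masked; faults in two
    copies at once exceed what TMR can correct."""
    samples = []
    for copy in range(3):
        out = module(word)
        if copy in faulty_copies:
            out ^= 1
        samples.append(out)
    return majority(samples)


def masks_fault(scheme, fault, word=0xA5):
    """True if the scheme still yields the fault-free result under the fault.
    Temporal voting is exercised with the fault landing in the first cycle, the
    worst case for an SEU because it then corrupts the two later samples too."""
    expected = parity(word)
    if scheme == "temporal":
        return temporal_tmr(parity, word, fault, hit_cycle=0) == expected
    if scheme == "spatial":
        return spatial_tmr(parity, word, faulty_copies=(0,)) == expected
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    for scheme in ("temporal", "spatial"):
        for fault in ("SET", "SEU"):
            state = "masked" if masks_fault(scheme, fault) else "NOT masked"
            print(f"{scheme:8s} vs {fault}: {state}")
```

The run shows temporal voting masking the SET but not the SEU, which is why scheme two triplicates the structure for non-self-recovering faults and scheme four reserves the cheaper temporal placement for modules without that need.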
Step 30: after step 3 is executed, it is judged whether the triple modular redundancy implemented on the interface module and the function module simultaneously meets the core function requirement and the hardware resource bearing capacity; if so, step 4 is entered, otherwise step 31 is executed. In this step it is judged whether the triple modular redundancy design covers the core function, and whether the number of FPGA basic logic modules it requires is less than the current resource margin; if both hold, triple modular redundancy is carried out, and if either is not met, step 31 is executed and the plan is revised.
Step 31: it is re-analyzed and judged whether the core functions of the interface module and the function module can be merged. If so, the corresponding core functions are combined and the method returns to step 1, until the modules to receive triple modular redundancy simultaneously meet the core function requirement and the hardware resource bearing capacity. If not, the interface modules and/or function modules are truncated to the high-priority ones according to the hardware resource bearing capacity, with emphasis on realizing the modules of higher priority: triple modular redundancy is implemented on the modules with the greatest influence on the success or failure of the spacecraft task or on the safety hazard, and then step 4 is executed.
"Merging" is understood to mean that two or more interface modules and/or function modules have similar functions or purposes; some of these modules are removed from the set of interface modules and/or function modules, and the removed modules do not receive triple modular redundancy, which reduces the number of modules to be processed and the hardware resources occupied, so that the remaining hardware resources can satisfy the triple modular redundancy operation.
Step 4: triple modular redundancy is implemented on the interface modules and/or function modules according to the priority order. In this embodiment, triple modular redundancy is implemented on the FPGA device in an incremental manner: three units of identical structure store or process data in parallel, a voter performs majority voting on the three data operation results, and the voting result is output as the final result.
The method for implementing triple modular redundancy can sufficiently reinforce the reliability and stability of the spacecraft, and under the technical teaching of the invention it can also be applied to similar electronic information systems, physical mechanical systems, combustion systems and the like in other application scenarios.
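A worked model of steps 3, 30 and 31, added here as an illustration and not part of the patent: modules are ordered on the time x space priority matrix, each TMR placement is costed in FPGA basic logic cells, and the plan is checked against the free resources; when it does not fit, the highest-priority prefix that fits is kept (the step 31 truncation), and a merge is modelled as dropping the modules another module already covers. The module names, cell counts, voter and register costs, and the anti-diagonal reading of "top left to bottom right" are all assumptions.

```python
"""Priority ordering, TMR costing and the resource check of steps 3, 30 and 31.
Constructed example; names, cell counts, cost factors and the exact matrix
ordering are assumptions, not values from the patent."""
from dataclasses import dataclass

VOTER_CELLS = 4   # assumed cells for one majority voter
DELAY_CELLS = 2   # assumed cells for the sample registers of temporal voting


@dataclass(frozen=True)
class Module:
    name: str
    t: int       # row on the matrix: time dimension, 0 = executed first
    x: int       # column: space dimension, 0 = data entry (IN) side
    cells: int   # basic logic cells (LUT/Slice) of one copy after synthesis
    scheme: str  # "spatial" (scheme two), "temporal" (scheme one), "both" (scheme three)


def tmr_cost(m):
    """Cells consumed once the module is protected with its chosen scheme."""
    if m.scheme == "spatial":                 # three copies plus a voter
        return 3 * m.cells + VOTER_CELLS
    if m.scheme == "temporal":                # one copy, sampled three times
        return m.cells + DELAY_CELLS + VOTER_CELLS
    if m.scheme == "both":                    # three copies, each temporally voted
        return 3 * (m.cells + DELAY_CELLS) + VOTER_CELLS
    raise ValueError(f"unknown scheme {m.scheme!r}")


def prioritise(modules):
    """Priority falls from the top-left corner to the bottom-right corner.
    Assumed ordering: by anti-diagonal t + x, earlier rows first within a diagonal."""
    return sorted(modules, key=lambda m: (m.t + m.x, m.t, m.x))


def merge(modules, redundant):
    """Step 31 'merge': drop modules whose function another module already covers."""
    return [m for m in modules if m.name not in redundant]


def plan(modules, free_cells):
    """Step 30: if every prioritised module fits the budget, all are kept.
    Step 31 without a merge: keep the highest-priority prefix that fits.
    Returns (kept modules, cells used, whether the whole plan fitted)."""
    ordered = prioritise(modules)
    kept, used = [], 0
    for m in ordered:
        cost = tmr_cost(m)
        if used + cost > free_cells:
            break
        kept.append(m)
        used += cost
    return kept, used, len(kept) == len(ordered)


# Constructed module inventory of a hypothetical payload controller FPGA.
SAMPLE = [
    Module("rx_if",          t=0, x=0, cells=40,  scheme="spatial"),
    Module("cmd_decode",     t=1, x=0, cells=60,  scheme="temporal"),
    Module("telemetry_pack", t=0, x=1, cells=30,  scheme="spatial"),
    Module("tx_if",          t=1, x=1, cells=40,  scheme="temporal"),
    Module("housekeeping",   t=2, x=2, cells=100, scheme="spatial"),
]

if __name__ == "__main__":
    for budget in (700, 400):
        kept, used, fits = plan(SAMPLE, budget)
        print(f"budget {budget}: {'fits' if fits else 'truncated'}, "
              f"{used} cells, kept {[m.name for m in kept]}")
    kept, used, fits = plan(merge(SAMPLE, {"housekeeping"}), 400)
    print(f"after merge: {'fits' if fits else 'truncated'}, {used} cells")
```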
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents and simplifications made in the spirit of the present invention are intended to be included in the scope of the present invention.

Claims (7)

1. A method for implementing triple modular redundancy, the method comprising the steps of:
step 1, acquiring a core function of equipment needing triple modular redundancy protection;
step 2, analyzing an interface module and a function module covered by the core function;
step 3, the interface module and the function module are subjected to priority sequencing;
step 4, implementing triple modular redundancy to the interface module and/or the function module according to the priority order;
further comprising:
step 30, after step 3 is executed, judging whether the triple modular redundancy implemented on the interface module and the functional module simultaneously meets the core function requirement and the hardware resource bearing capacity: if yes, entering step 4; if not, executing step 31;
step 31, determining whether the core functions of the interface module and the function module can be merged: if yes, combining corresponding core functions, and then returning to the step 1; if not, intercepting the interface module and/or the functional module with high priority according to the bearing capacity of the hardware resource, and then executing the step 4.
2. The method of claim 1, wherein in step 3, the interface modules and function modules are prioritized by a temporal dimension and a spatial dimension.
3. The method of claim 2, wherein in step 3, a priority matrix table with a spatial dimension as abscissa and a time dimension as ordinate is formed, and the priority level is gradually decreased from the upper left corner to the lower right corner of the priority matrix table.
4. The method for implementing triple modular redundancy according to claim 1, wherein in step 1, the working mode and the main function of the equipment are analyzed from the perspective of task profile, and further the core function of the equipment needing triple modular redundancy protection is obtained.
5. The method for implementing triple modular redundancy according to claim 4, wherein in step 1 functions affecting the success or failure of a task and/or functions presenting serious safety hazards are identified as core functions of the equipment.
6. The method for implementing triple modular redundancy according to claim 1, wherein in step 2, the interface module and the function module covered by the core function are analyzed on the basis of the basic logic module of the FPGA according to the core function of the device.
7. The method for implementing triple modular redundancy according to claim 1, wherein the equipment is performing an on-orbit task.
Application CN201610780826.3A, priority date 2016-08-30, filing date 2016-08-30, title "method for implementing triple modular redundancy", granted as CN106371951B (Active).


Publications (2)

Publication Number Publication Date
CN106371951A CN106371951A (en) 2017-02-01
CN106371951B true CN106371951B (en) 2020-01-31

Family

ID=57900412


Country Status (1)

Country Link
CN (1) CN106371951B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112699491B (en) * 2021-01-08 2023-07-11 Beijing Institute of Spacecraft System Engineering Redundant design method for a manned spacecraft that can be maintained on orbit

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1985269A (en) * 2004-03-31 2007-06-20 Koninklijke Philips Electronics N.V. Method and system for transferring budgets in a technique for restrained budget use
CN102521082A (en) * 2011-12-08 2012-06-27 Shanghai Jiao Tong University Recovery and fault tolerance method and system for checkpoints in a satellite-borne real-time operating system
CN104317662A (en) * 2014-09-11 2015-01-28 Shanghai Institute of Satellite Engineering Quantitative evaluation method for on-orbit single event upset protection of SRAM-type FPGAs
WO2015086488A1 (en) * 2013-12-13 2015-06-18 Thales Triple software redundancy fault tolerant framework architecture


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Design and verification of SEU effect protection for a soft-core CPU embedded in an SRAM-type FPGA; Du Xinjun et al.; Journal of Telemetry, Tracking and Command (遥测遥控); 2015-01-31; full text *


Legal Events

Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant