CN111857884A - High-reliability satellite-borne software starting system and method - Google Patents
- Publication number: CN111857884A (application CN202010734383.0A)
- Authority: CN (China)
- Prior art keywords: starting, module, satellite, mode, code
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
Abstract
The invention provides a high-reliability satellite-borne software starting system and method. The system comprises: an initialization module configured to initialize parameters using a root program; a three-mode start count module configured to perform a three-mode (triple modular redundancy) start of the satellite-borne software; and a sequential start module configured to start the satellite-borne software sequentially when the three-mode start fails.
Description
Technical Field
The invention relates to the technical field of spacecraft control, in particular to a high-reliability satellite-borne software starting system and method.
Background
As human space activity becomes more frequent and exploration reaches farther, missions have expanded from the initial near-earth orbits to high orbits and to deep space, such as planetary exploration. The harsh, complex space environment and the complexity of the spacecraft itself place higher demands on the reliability of satellite-borne software start-up. The on-board software must be able to start normally under extremely complicated conditions and must have some capability for self-correction of errors. Traditionally, aerospace software is stored in antifuse PROM, with a main copy and a backup copy to increase reliability. The software is started either with a simple triple modular redundancy scheme or with no triple modular redundancy at all during start-up. In addition, because FLASH capacity is limited, triple modular redundancy is generally applied only to key modules and not to all of the code. Although this approach increases the reliability of the satellite-borne software to some extent, it has the following defects:
1) the satellite-borne software does not apply triple modular redundancy during start-up, so when the space environment causes bit errors in the code, the software fails to start and the spacecraft's mission may fail;
2) the traditional triple modular redundancy start can start normally despite bit errors in some bits of the code, but in an extreme environment the same bit may be in error in more than one of the stored copies; the two-out-of-three vote then takes the erroneous bit as the correct one and the start fails;
3) the traditional satellite-borne software start mode has no cross mutual start function and lacks the ability to cope with complex environments. In this mode, when the code in a certain area is in error and cannot be recovered, the single machine can never start normally, so it halts, the satellite function is lost, and the satellite mission is affected;
4) PROM capacity is limited and a PROM can be programmed only once; after programming is completed it cannot be changed. This greatly limits the flexibility of the spacecraft. As spacecraft roles become more diverse, on-orbit optimization or the addition of new functions may be required according to actual conditions, but new functions can be added only by launching a new spacecraft, which is costly;
5) during on-orbit operation, the cumulative effect of single event upsets can leave the stored program unable to start normally again.
Disclosure of Invention
The invention aims to provide a high-reliability satellite-borne software starting system and a high-reliability satellite-borne software starting method, which aim to solve the problem that the existing satellite-borne software is low in starting reliability.
In order to solve the above technical problem, the present invention provides a high-reliability satellite-borne software start system, which includes:
an initialization module configured to initialize parameters using a root program;
a three-mode start count module configured to perform a three-mode start of the satellite-borne software;
and a sequential start module configured to start the satellite-borne software sequentially when the three-mode start fails.
Optionally, the high-reliability satellite-borne software starting system further includes a fixed storage carrier, a first non-fixed storage carrier, a second non-fixed storage carrier, and a third non-fixed storage carrier, where:
the fixed storage carrier stores the root program so that the initialization module loads the root program to the satellite;
the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier all store status flags and satellite-borne software images;
the three-mode start count module and the sequential start module determine whether to perform the three-mode start or the sequential start according to whether the three-mode start count is greater than or equal to 2;
and the three-mode start count module and the sequential start module load the satellite-borne software image to the satellite.
Optionally, in the high-reliability satellite-borne software starting system,
the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier each comprise a three-mode start count storage area, a three-mode code selection flag storage area, a solidified-area code storage area and a reconstruction-area code storage area;
the solidified-area code storage area and the reconstruction-area code storage area both store the same code of the satellite-borne software image;
the three-mode start count module and the sequential start module determine whether to perform the three-mode start or the sequential start according to whether the three-mode start count is greater than or equal to 2;
and the three-mode start count module determines, according to the three-mode code selection flag, whether the code in the solidified-area code storage area or the code in the reconstruction-area code storage area is loaded to the satellite as the satellite-borne software image.
Optionally, in the high-reliability satellite-borne software starting system, each three-mode start count storage area holds three copies of the three-mode start count, and a first vote over the copies in each storage area gives a first mode voting result; and
a second vote over the first mode voting result of the first non-fixed storage carrier, the first mode voting result of the second non-fixed storage carrier and the first mode voting result of the third non-fixed storage carrier gives the final mode voting result;
and when the satellite-borne software is started, the three-mode start count module and the sequential start module determine whether to perform the three-mode start or the sequential start according to the final mode voting result.
Optionally, in the high-reliability satellite-borne software starting system,
each three-mode code selection flag storage area holds three copies of the three-mode code selection flag, and a first vote over the copies in each storage area gives a first state voting result;
a second vote over the first state voting result of the first non-fixed storage carrier, the first state voting result of the second non-fixed storage carrier and the first state voting result of the third non-fixed storage carrier gives the final state voting result;
and when the satellite-borne software is started, the three-mode start count module and the sequential start module perform the corresponding start operation according to the final state voting result.
Optionally, in the high-reliability satellite-borne software starting system, the three-mode start includes:
determining whether the three-mode start count is greater than or equal to 2; if so, exiting; otherwise, determining whether the three-mode code selection flag indicates starting from the reconstruction-area code storage area;
if so, copying the code of the reconstruction-area code storage area, loading it into the temporary memory area in three-mode, and changing the three-mode code selection flag to start from the solidified-area code storage area;
otherwise, copying the code of the solidified-area code storage area, loading it into the temporary memory area in three-mode, and changing the three-mode code selection flag to start from the reconstruction-area code storage area;
jumping to the start address and starting the bootstrap program;
and determining whether the three-mode start is normal; if so, setting the three-mode start count to 0 and ending; otherwise, determining whether the three-mode start count is greater than or equal to 2; if so, performing the sequential start; otherwise, performing the three-mode start again.
Optionally, in the high-reliability satellite-borne software starting system, loading into the temporary memory area in three-mode includes:
first, determining whether each byte of the code of the first non-fixed storage carrier, the code of the second non-fixed storage carrier and the code of the third non-fixed storage carrier passes the two-out-of-three check; if the check is passed, copying the byte to the temporary memory area and proceeding to the three-mode copy of the next byte;
if the byte does not pass the check, performing a bit-by-bit two-out-of-three operation on the byte, and proceeding to the three-mode copy of the next byte after the operation on this byte is complete;
and recording the address of each byte that does not satisfy the two-out-of-three operation.
Optionally, in the high-reliability satellite-borne software starting system, the sequential start includes:
reading the sequential start code serial number;
copying the image code corresponding to the serial number to the temporary memory area;
setting the serial number of the next start code;
jumping to the start address and starting the bootstrap program;
and determining whether the start is normal; if so, recording the serial number of the normal code; otherwise, repeating the above steps.
Optionally, in the high-reliability satellite-borne software starting system,
the addresses of bytes that do not satisfy the two-out-of-three operation are recorded during the three-mode start, and after the software has started successfully the bytes that did not satisfy the two-out-of-three operation during loading are corrected;
during the sequential start, the sequential start module records the normal code serial number, and after the sequential start the other satellite-borne software images are refreshed with the satellite-borne software image corresponding to the normal code serial number;
once the satellite-borne software is running normally, it starts an on-board task process and a code inspection process; the task idle time is used to compare the consistency of the data stored in the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier, and the inconsistent addresses and the number of inconsistencies are recorded; and when the number of inconsistencies is larger than a threshold value, the on-board software corrects the stored data at the inconsistent addresses in the maintenance task.
The invention also provides a high-reliability satellite-borne software starting method, which comprises the following steps:
the initialization module initializes the parameters using a root program;
the three-mode start count module performs a three-mode start of the satellite-borne software;
and when the three-mode start fails, the sequential start module starts the satellite-borne software sequentially.
In the high-reliability satellite-borne software starting system and method, the initialization module initializes the parameters using the root program, the three-mode start count module performs the three-mode start of the satellite-borne software, and the sequential start module starts the satellite-borne software sequentially when the three-mode start fails. The start mechanism thus combines triple modular redundancy with sequential start, which greatly improves the reliability of satellite-borne software start-up and is particularly suitable for complex application scenarios such as the aerospace field.
The invention optimizes the traditional triple modular redundancy mode and the sequential start mode. The start mechanism in this scheme can correct software errors, which greatly reduces the error probability of the satellite-borne software and improves its ability to cope with the complex space environment.
The invention gives the satellite-borne software a cross mutual start function, which effectively handles the scenario in which the code in one area is in error and cannot be recovered, so that the single machine cannot start normally and halts. The satellite can thus be guaranteed to complete its assigned mission smoothly.
The three non-fixed storage carriers can be erased and programmed repeatedly, which improves the flexibility of the satellite's functions. Satellite functions can be optimized on orbit or new functions can be added according to actual conditions, which improves the function density of the satellite.
In the invention, while the software is running normally, the task idle time is used to monitor the consistency of the data stored in the three non-fixed storage carriers, and when the number of inconsistencies exceeds the threshold, the maintenance task corrects the erroneous Nor Flash data, which increases the long-term stability of satellite operation.
Drawings
FIG. 1 is a flow chart of a high-reliability satellite-borne software starting method according to an embodiment of the invention;
FIG. 2 is a schematic structural diagram of the three non-fixed storage carriers in a high-reliability satellite-borne software starting system according to an embodiment of the present invention.
Detailed Description
The high-reliability satellite-borne software starting system and method provided by the invention are described in further detail below with reference to the accompanying drawings and specific embodiments. Advantages and features of the present invention will become apparent from the following description and from the claims. Note that the drawings are in a very simplified form and are not to precise scale; they serve only to illustrate the embodiments of the present invention conveniently and clearly.
The core idea of the invention is to provide a high-reliability satellite-borne software starting system and method to solve the problem of low starting reliability of the existing satellite-borne software.
To implement the above idea, this embodiment provides a high-reliability satellite-borne software starting system and method, including: an initialization module configured to initialize parameters using a root program; a three-mode start count module configured to perform a three-mode start of the satellite-borne software; and a sequential start module configured to start the satellite-borne software sequentially when the three-mode start fails.
Specifically, the high-reliability satellite-borne software starting system further includes a fixed storage carrier, a first non-fixed storage carrier, a second non-fixed storage carrier, and a third non-fixed storage carrier, where: the fixed storage carrier stores the root program so that the initialization module loads the root program to the satellite; the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier all store status flags and satellite-borne software images; the three-mode start count module and the sequential start module determine whether to perform the three-mode start or the sequential start according to whether the three-mode start count is greater than or equal to 2; and the three-mode start count module and the sequential start module load the satellite-borne software image to the satellite.
As shown in FIG. 2, in the high-reliability satellite-borne software starting system, the first non-fixed storage carrier, the second non-fixed storage carrier, and the third non-fixed storage carrier each include a three-mode start count storage area, a three-mode code selection flag storage area, a solidified-area code storage area, and a reconstruction-area code storage area; the solidified-area code storage area and the reconstruction-area code storage area both store the same code of the satellite-borne software image; the three-mode start count module and the sequential start module determine whether to perform the three-mode start or the sequential start according to whether the three-mode start count is greater than or equal to 2; and the three-mode start count module determines, according to the three-mode code selection flag, whether the code in the solidified-area code storage area or the code in the reconstruction-area code storage area is loaded to the satellite as the satellite-borne software image.
Furthermore, in the high-reliability satellite-borne software starting system, each three-mode start count storage area holds three copies of the three-mode start count, and a first vote over the copies in each storage area gives a first mode voting result; a second vote over the first mode voting result of the first non-fixed storage carrier, the first mode voting result of the second non-fixed storage carrier and the first mode voting result of the third non-fixed storage carrier gives the final mode voting result; and when the satellite-borne software is started, the three-mode start count module and the sequential start module determine whether to perform the three-mode start or the sequential start according to the final mode voting result.
Furthermore, in the high-reliability satellite-borne software starting system, each three-mode code selection flag storage area holds three copies of the three-mode code selection flag, and a first vote over the copies in each storage area gives a first state voting result; a second vote over the first state voting result of the first non-fixed storage carrier, the first state voting result of the second non-fixed storage carrier and the first state voting result of the third non-fixed storage carrier gives the final state voting result; and when the satellite-borne software is started, the three-mode start count module and the sequential start module perform the corresponding start operation according to the final state voting result.
As shown in FIG. 1, in the high-reliability satellite-borne software starting system, the three-mode start includes: determining whether the three-mode start count is greater than or equal to 2; if so, exiting; otherwise, determining whether the three-mode code selection flag indicates starting from the reconstruction-area code storage area; if so, copying the code of the reconstruction-area code storage area, loading it into the temporary memory area in three-mode, and changing the three-mode code selection flag to start from the solidified-area code storage area; otherwise, copying the code of the solidified-area code storage area, loading it into the temporary memory area in three-mode, and changing the three-mode code selection flag to start from the reconstruction-area code storage area; jumping to the start address and starting the bootstrap program; and determining whether the start is normal; if so, finishing; otherwise, setting the three-mode code selection flag of the corresponding code storage area.
Specifically, in the high-reliability satellite-borne software starting system, loading into the temporary memory area in three-mode includes: first, determining whether each byte of the code of the first non-fixed storage carrier, the code of the second non-fixed storage carrier and the code of the third non-fixed storage carrier passes the two-out-of-three check; if the check is passed, copying the byte to the temporary memory area and proceeding to the three-mode copy of the next byte; if the byte does not pass the check, performing a bit-by-bit two-out-of-three operation on the byte, and proceeding to the three-mode copy of the next byte after the operation on this byte is complete; and recording the address of each byte that does not satisfy the two-out-of-three operation.
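The three-mode load described above can be sketched as follows. This is an added example, not code from the patent; the function and structure names, the log capacity and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TMR_LOG_MAX 8                 /* assumed capacity of the address log */

struct tmr_log {
    size_t addr[TMR_LOG_MAX];         /* offsets that failed the byte-level check */
    size_t failed;                    /* number of such bytes (may exceed TMR_LOG_MAX) */
};

/* Bit-by-bit two-out-of-three: each result bit is the majority of the three input bits. */
static uint8_t vote_bits(uint8_t a, uint8_t b, uint8_t c)
{
    return (uint8_t)((a & b) | (a & c) | (b & c));
}

/*
 * Copy `len` bytes into `ram` from the three stored copies.
 * A byte passes the two-out-of-three check when at least two copies are equal;
 * otherwise it is rebuilt bit by bit and its offset is recorded for later repair.
 * Returns the number of bytes that needed the bit-by-bit vote.
 */
size_t tmr_load(const uint8_t *c1, const uint8_t *c2, const uint8_t *c3,
                uint8_t *ram, size_t len, struct tmr_log *elog)
{
    elog->failed = 0;
    for (size_t i = 0; i < len; i++) {
        if (c1[i] == c2[i] || c1[i] == c3[i]) {
            ram[i] = c1[i];                       /* c1 agrees with another copy */
        } else if (c2[i] == c3[i]) {
            ram[i] = c2[i];                       /* c1 is the odd one out */
        } else {
            ram[i] = vote_bits(c1[i], c2[i], c3[i]);
            if (elog->failed < TMR_LOG_MAX)
                elog->addr[elog->failed] = i;
            elog->failed++;
        }
    }
    return elog->failed;
}

/* Constructed sample copies (not from the patent); intended content is 12 34 56 78.
 * offset 1: one copy has a flipped bit
 * offset 2: each copy has a different flipped bit, so all three bytes differ
 * offset 3: two copies carry the same flipped bit */
static const uint8_t COPY1[4] = { 0x12, 0x35, 0x46, 0x70 };
static const uint8_t COPY2[4] = { 0x12, 0x34, 0x57, 0x70 };
static const uint8_t COPY3[4] = { 0x12, 0x34, 0xD6, 0x78 };

int main(void)
{
    uint8_t ram[4];
    struct tmr_log elog;
    size_t n = tmr_load(COPY1, COPY2, COPY3, ram, sizeof ram, &elog);

    printf("loaded: %02X %02X %02X %02X\n", ram[0], ram[1], ram[2], ram[3]);
    printf("bytes needing the bit-by-bit vote: %zu", n);
    if (n > 0)
        printf(" (first at offset %zu)", elog.addr[0]);
    printf("\n");
    return 0;
}
```

Offset 3 of the sample reproduces defect 2 from the Background: two copies carry the same flipped bit, so the vote returns the wrong byte and nothing is logged. Voting of this kind corrects random upsets only and does not establish that the image is authentic.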
As shown in FIG. 1, in the high-reliability satellite-borne software starting system, the sequential start includes: reading the sequential start code serial number; copying the image code corresponding to the serial number to the temporary memory area; setting the serial number of the next start code; jumping to the start address and starting the bootstrap program; and determining whether the start is normal; if so, recording the serial number of the normal code; otherwise, repeating the above steps.
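The three-mode start flow and the sequential start flow described above, simulated across resets as an added example (not code from the patent). Assumptions: six stored images (three carriers with two code areas each), the start count being incremented after each failed three-mode attempt, and a test double that says which images boot.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_IMAGES 6   /* assumption: 3 carriers x 2 code areas */

enum area    { SOLIDIFIED = 0, RECONSTRUCTION = 1 };
enum outcome { BOOT_THREE_MODE, BOOT_SEQUENTIAL, BOOT_FAILED };

struct boot_state {            /* values kept in the flag areas between resets */
    uint8_t   three_mode_count;  /* three-mode start count */
    enum area select;            /* three-mode code selection flag */
    uint8_t   next_seq;          /* serial number of the next sequential image */
    int       good_seq;          /* serial number recorded after a normal start, -1 if none */
};

struct platform {              /* constructed test double, not a real driver */
    bool voted_ok[2];            /* does the voted image of each area boot? */
    bool image_ok[NUM_IMAGES];   /* does each single stored image boot? */
};

struct result {
    enum outcome how;
    int source;                  /* area (three-mode) or serial number (sequential) */
    int attempts;                /* number of start attempts, i.e. resets */
};

/* Root program, run once per reset until a start is normal or max_resets is hit. */
struct result root_program(struct boot_state *s, const struct platform *p,
                           int max_resets)
{
    struct result r = { BOOT_FAILED, -1, 0 };

    while (r.attempts < max_resets) {
        r.attempts++;
        if (s->three_mode_count < 2) {
            /* Three-mode start: load from the flagged area, then flip the flag
             * so that the next attempt uses the other area (cross start). */
            enum area from = s->select;
            s->select = (from == RECONSTRUCTION) ? SOLIDIFIED : RECONSTRUCTION;
            if (p->voted_ok[from]) {
                s->three_mode_count = 0;          /* normal start: reset the count */
                r.how = BOOT_THREE_MODE;
                r.source = (int)from;
                return r;
            }
            s->three_mode_count++;                /* assumed: counted per failure */
        } else {
            /* Sequential start: try one stored image and advance the serial
             * number first, so a bad image is not retried after the reset. */
            uint8_t n = s->next_seq;
            s->next_seq = (uint8_t)((n + 1) % NUM_IMAGES);
            if (p->image_ok[n]) {
                s->good_seq = n;                  /* used later to refresh the others */
                r.how = BOOT_SEQUENTIAL;
                r.source = n;
                return r;
            }
        }
    }
    return r;
}

int main(void)
{
    /* Constructed scenario: both voted images fail, stored images 0..3 are bad. */
    struct boot_state s = { 0, SOLIDIFIED, 0, -1 };
    struct platform p = { { false, false },
                          { false, false, false, false, true, true } };
    struct result r = root_program(&s, &p, 20);

    printf("outcome=%d source=%d attempts=%d next_seq=%d\n",
           (int)r.how, r.source, r.attempts, (int)s.next_seq);
    return 0;
}
```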
In addition, in the high-reliability satellite-borne software starting system, the addresses of bytes that do not satisfy the two-out-of-three operation are recorded during the three-mode start, and after the software has started successfully the bytes that did not satisfy the two-out-of-three operation during loading are corrected; during the sequential start, the sequential start module records the normal code serial number, and after the sequential start the other satellite-borne software images are refreshed with the satellite-borne software image corresponding to the normal code serial number; the software starts the on-board task process and the code inspection process; the task idle time is used to compare the consistency of the data stored in the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier, and the inconsistent addresses and the number of inconsistencies are recorded; and when the number of inconsistencies is larger than the threshold value, the on-board software corrects the stored data at the inconsistent addresses in the maintenance task.
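The code inspection and maintenance tasks described above, as an added example that is not code from the patent. The three carriers are modelled as plain RAM arrays (real Nor Flash needs an erase and program sequence to rewrite a byte), and the names, log capacity, threshold value and sample data are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PATROL_LOG_MAX 16              /* assumed capacity of the address log */

struct carriers {                      /* the three non-fixed carriers, modelled in RAM */
    uint8_t *copy[3];
    size_t   len;
};

struct patrol_report {
    size_t addr[PATROL_LOG_MAX];       /* inconsistent addresses */
    size_t count;                      /* number of inconsistencies found */
};

static uint8_t vote_bits(uint8_t a, uint8_t b, uint8_t c)
{
    return (uint8_t)((a & b) | (a & c) | (b & c));
}

/* Inspection pass (run in task idle time): compare the three copies byte by
 * byte, record where they disagree, and return the number of disagreements. */
size_t patrol(const struct carriers *nf, struct patrol_report *rep)
{
    rep->count = 0;
    for (size_t i = 0; i < nf->len; i++) {
        if (nf->copy[0][i] != nf->copy[1][i] || nf->copy[1][i] != nf->copy[2][i]) {
            if (rep->count < PATROL_LOG_MAX)
                rep->addr[rep->count] = i;
            rep->count++;
        }
    }
    return rep->count;
}

/* Maintenance task: acts only when the inconsistency count is larger than the
 * threshold. Rewrites every copy that differs from the voted value at each
 * logged address and returns the number of bytes rewritten. */
size_t maintain(struct carriers *nf, const struct patrol_report *rep,
                size_t threshold)
{
    size_t rewritten = 0;
    size_t logged = rep->count < PATROL_LOG_MAX ? rep->count : PATROL_LOG_MAX;

    if (rep->count <= threshold)
        return 0;
    for (size_t k = 0; k < logged; k++) {
        size_t a = rep->addr[k];
        uint8_t good = vote_bits(nf->copy[0][a], nf->copy[1][a], nf->copy[2][a]);
        for (int c = 0; c < 3; c++) {
            if (nf->copy[c][a] != good) {
                nf->copy[c][a] = good;
                rewritten++;
            }
        }
    }
    return rewritten;
}

int main(void)
{
    /* Constructed sample data with three single-bit upsets in different carriers. */
    uint8_t a[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t b[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t c[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    struct carriers nf = { { a, b, c }, sizeof a };
    struct patrol_report rep;

    a[2] ^= 0x10;
    c[5] ^= 0x01;
    b[6] ^= 0x80;
    printf("inconsistent: %zu\n", patrol(&nf, &rep));
    printf("rewritten:    %zu\n", maintain(&nf, &rep, 2));   /* threshold 2 is assumed */
    printf("after repair: %zu\n", patrol(&nf, &rep));
    return 0;
}
```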
This embodiment also provides a high-reliability satellite-borne software starting method, which comprises the following steps: the initialization module initializes the parameters using a root program; the three-mode start count module performs a three-mode start of the satellite-borne software; and when the three-mode start fails, the sequential start module starts the satellite-borne software sequentially.
The invention improves the reliability of satellite-borne software start-up. The start mechanism combines the characteristics of the triple modular redundancy start and the sequential start, and adds a cross mutual start function for the software. The triple modular redundancy start not only implements three-mode loading but also records the addresses of erroneous data found during loading, so that the errors can be corrected at the application layer after loading is finished. The sequential start records the serial number of the image that started normally; after the software has started successfully, that image is used to overwrite and refresh the other images to ensure the reliability of the on-board code. The cross start function ensures that the software is started from a different image each time. When a code fault in a certain area cannot be recovered during on-orbit operation or ground debugging of the satellite-borne software, software without the cross start function would always start from the faulty image area, so it could never start normally and would halt. If this happens on a satellite in orbit, the corresponding hardware is disabled and the mission may fail; even on the ground, it can be resolved only by opening the cover of the single machine, which costs time and labor.
The invention provides a high-reliability satellite-borne software start mechanism that combines the characteristics of traditional triple modular redundancy and sequential start and adds a cross mutual start function for the software. The method greatly improves the reliability of satellite-borne software start-up and can correct software errors. In addition, reprogrammable aerospace-grade Nor Flash is used as the carrier for software storage, so the software can be erased, programmed and reconfigured, which greatly improves the flexibility of the satellite and gives it higher function density.
The invention comprises a hardware carrier and software, wherein the hardware takes PROM and 3 sheets of domestic aerospace Nor Flash as the carrier for storing the software. The PROM is used for storing boot programs and guiding the start of the satellite-borne software; the Nor Flash is used for storing a state mark and a satellite-borne software mirror image (see fig. 2), wherein each Nor Flash is divided into a three-mode starting time storage area, a three-mode code selection mark storage area, a curing area code storage area and a reconstruction area code storage area. The method comprises the steps that a mark storage area of each Nor Flash respectively stores three parts of two marks (the marks are represented by one byte), when the marks are used, the marks in each Norflash are read in a triple-modular redundancy mode, then triple-modular voting is carried out on the results of the triple marks read in the triple-modular redundancy mode to obtain final marks, and when software is started, corresponding starting operation is carried out according to the results of the triple-modular voting twice. When mirror image software is loaded, firstly, codes of a curing area or a reconstruction area are selected to be loaded according to a three-mode starting mark, and after a code loading area is determined, the codes of a corresponding area are loaded to a memory temporary storage area in a three-mode.
The starting process of the satellite-borne software is shown in FIG. 1. The scheme combines the triple-modular redundancy starting and the sequential starting, the start of the mirror software is carried out in the triple-modular redundancy mode by default, and in an extreme case, when the triple-modular redundancy starting fails, the start of the satellite-borne software is carried out in the sequential starting mode. According to the scheme, the byte address with errors can be recorded in the three-mode starting process, and the bytes with errors can be corrected immediately after software is started; and when the sequence is started, the serial number of the code of the normal starting mirror image is recorded, and the wrong mirror image is refreshed by using the correct mirror image after the code is started so as to ensure the correctness of the mirror image software. In the running process of the mirror image software, the code inspection process periodically checks and corrects the codes so as to ensure the reliability of the codes on the satellite.
The specific scheme is as follows:
1) Power on and start; the software runs the boot program from the PROM;
2) The boot program initializes the hardware and prepares the environment for the subsequent code loading;
3) The boot program loads the satellite-borne software code. It first judges whether the three-mode start count is greater than or equal to 2. If not, it selects the code of the curing area or the reconstruction area according to the three-mode code selection flag and loads it: for each byte of the three code copies, it checks whether the byte passes the two-out-of-three check; if the check passes, the byte is copied to the temporary storage area in memory and the three-mode copy moves on to the next byte; if the check fails, a bit-by-bit two-out-of-three operation is performed on the same byte of the three copies, and the three-mode copy of the next byte follows once that byte has been processed. When the three-mode start count is not less than 2, the start mode is sequential starting, and the code copies are started one by one in their storage order until the software starts successfully;
4) After the software has started successfully, it first corrects the bytes found to be in error during loading, and then starts the on-satellite task process and the code inspection process;
5) The software begins normal operation. Using the idle time of the tasks, it compares the data stored in the three Nor Flash chips for consistency and records the inconsistent addresses and the number of inconsistencies; when the number of inconsistencies in the data stored in the three Nor Flash chips is larger than the threshold, the software corrects the erroneous data in the maintenance task.
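The two-stage flag vote and the byte loading of step 3), written out as an added C example (not code from the patent). The function names, the use of bitwise voting for the flags, and all sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bitwise two-out-of-three majority of three bytes. */
static uint8_t vote3(uint8_t a, uint8_t b, uint8_t c)
{
    return (uint8_t)((a & b) | (a & c) | (b & c));
}

/* Two-stage flag vote: vote the three copies held in each chip, then vote
 * the three per-chip results. Bitwise voting is an assumption. */
uint8_t vote_flag(const uint8_t copy[3][3])
{
    uint8_t chip[3];
    for (int i = 0; i < 3; i++)
        chip[i] = vote3(copy[i][0], copy[i][1], copy[i][2]);
    return vote3(chip[0], chip[1], chip[2]);
}

/* Load len bytes from three image copies into ram. A byte passes the check
 * when at least two copies match; otherwise it is rebuilt bit by bit and
 * its offset is logged (at most cap entries, so the log cannot overflow).
 * Returns how many bytes failed the byte-level check. */
size_t tmr_load(const uint8_t *f0, const uint8_t *f1, const uint8_t *f2,
                uint8_t *ram, size_t len, size_t *bad, size_t cap)
{
    size_t failed = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t a = f0[i], b = f1[i], c = f2[i];
        if (a == b || a == c) {
            ram[i] = a;
        } else if (b == c) {
            ram[i] = b;
        } else {
            ram[i] = vote3(a, b, c);
            if (failed < cap)
                bad[failed] = i;
            failed++;
        }
    }
    return failed;
}

/* Constructed samples: flag copies, and image A5 3C F0 0F with upsets. */
static const uint8_t FLAGS[3][3] = {{1, 1, 0}, {1, 1, 1}, {0, 0, 1}};
static const uint8_t F0[4] = {0xA5, 0x3D, 0xF0, 0x0F}; /* byte 1: bit 0 flipped */
static const uint8_t F1[4] = {0xA5, 0x3E, 0xF1, 0x0F}; /* byte 1: bit 1, byte 2: bit 0 */
static const uint8_t F2[4] = {0xA5, 0xBC, 0xF0, 0x0F}; /* byte 1: bit 7 flipped */
static uint8_t ram_out[4];
static size_t bad_out[4];

size_t run_demo(void)
{
    return tmr_load(F0, F1, F2, ram_out, 4, bad_out, 4);
}

int main(void)
{
    size_t n = run_demo();
    printf("flag=%u failed=%zu first_bad=%zu byte1=0x%02X\n",
           (unsigned)vote_flag(FLAGS), n, bad_out[0], (unsigned)ram_out[1]);
    return 0;
}
```

Byte 1 is recovered even though all three copies differ, because each copy has a different bit flipped; if two copies had the same bit flipped, the bitwise vote would return the wrong bit, which is why the logged offsets are re-examined after start-up.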
In summary, the above embodiments describe in detail different configurations of the high-reliability satellite-borne software starting system and method. The present invention includes but is not limited to the configurations listed in the above embodiments, and any modification made on the basis of the configurations provided by the above embodiments is within the scope of the present invention. Those skilled in the art can draw inferences by analogy from the contents of the above embodiments.
The embodiments in this description are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Because the disclosed system corresponds to the disclosed method, its description is relatively brief, and the relevant points can be found in the description of the method.
The above description is only for the purpose of describing the preferred embodiments of the present invention, and is not intended to limit the scope of the present invention, and any variations and modifications made by those skilled in the art based on the above disclosure are within the scope of the appended claims.
Claims (10)
1. A high-reliability satellite-borne software starting system, characterized by comprising:
an initialization module configured to initialize parameters using a boot program;
a three-mode start count module configured to perform a three-mode start of the satellite-borne software;
and a sequential starting module configured to start the satellite-borne software sequentially when the three-mode start fails.
2. The high-reliability satellite-borne software starting system of claim 1, further comprising a fixed storage carrier, a first non-fixed storage carrier, a second non-fixed storage carrier, and a third non-fixed storage carrier, wherein:
the fixed storage carrier stores the boot program so that the initialization module loads the boot program to a satellite;
the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier all store state flags and satellite-borne software images;
the three-mode start count module and the sequential starting module determine whether to perform a three-mode start or a sequential start according to the three-mode start count;
and the three-mode start count module and the sequential starting module load the satellite-borne software image to a satellite.
3. The high-reliability satellite-borne software starting system of claim 2, wherein:
the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier each comprise a three-mode start count storage area, a three-mode code selection flag storage area, a curing area code storage area and a reconstruction area code storage area;
the curing area code storage area and the reconstruction area code storage area both store the same code of the satellite-borne software image;
the three-mode start count module and the sequential starting module determine whether to perform a three-mode start or a sequential start according to the three-mode start count;
and the three-mode start count module judges, according to the three-mode code selection flag, whether the code in the curing area code storage area or the code in the reconstruction area code storage area is loaded to the satellite as the satellite-borne software image.
4. The high-reliability satellite-borne software starting system of claim 3, wherein each three-mode start count storage area holds three-mode start counts, and a first vote is taken over the three-mode start counts of each three-mode start count storage area to obtain a first mode voting result; and
a second vote is taken over the first mode voting result of the first non-fixed storage carrier, the first mode voting result of the second non-fixed storage carrier and the first mode voting result of the third non-fixed storage carrier to obtain a final mode voting result;
and when the satellite-borne software is started, the three-mode start count module and the sequential starting module determine whether to perform a three-mode start or a sequential start according to the final mode voting result.
5. The high-reliability satellite-borne software starting system of claim 3, wherein each three-mode code selection flag storage area holds three-mode code selection flags, and a first vote is taken over the three-mode code selection flags of each three-mode code selection flag storage area to obtain a first state voting result;
a second vote is taken over the first state voting result of the first non-fixed storage carrier, the first state voting result of the second non-fixed storage carrier and the first state voting result of the third non-fixed storage carrier to obtain a final state voting result;
and when the satellite-borne software is started, the three-mode start count module and the sequential starting module perform the corresponding start operation according to the final state voting result.
6. The high-reliability satellite-borne software starting system of claim 3, wherein the three-mode start comprises:
judging whether the three-mode start count is greater than or equal to 2; if so, exiting; otherwise, judging whether the three-mode code selection flag indicates starting from the reconstruction area code storage area;
if so, copying the code of the reconstruction area code storage area, loading it into the temporary storage area of the memory in three-mode fashion, and changing the three-mode code selection flag to start from the curing area code storage area;
otherwise, copying the code of the curing area code storage area, loading it into the temporary storage area of the memory in three-mode fashion, and changing the three-mode code selection flag to start from the reconstruction area code storage area;
jumping to the start address and starting the bootstrap program;
and judging whether the three-mode start is normal; if so, setting the three-mode start count to 0 and ending; otherwise, judging whether the three-mode start count is greater than or equal to 2; if so, performing a sequential start, and otherwise restarting the three-mode start.
7. The high-reliability satellite-borne software starting system of claim 6, wherein loading the code into the temporary storage area of the memory in three-mode fashion comprises:
first judging whether each byte of the code of the first non-fixed storage carrier, the code of the second non-fixed storage carrier and the code of the third non-fixed storage carrier passes a two-out-of-three check; if the check passes, copying the byte to the temporary storage area of the memory and proceeding to the three-mode copy of the next byte;
if the byte does not pass the check, performing a bit-by-bit two-out-of-three operation on the byte, and proceeding to the three-mode copy of the next byte after the operation on the byte is complete;
and recording the address of each byte that does not satisfy the two-out-of-three operation.
8. The high-reliability satellite-borne software starting system of claim 7, wherein the sequential start comprises:
reading the sequential start code serial number;
copying the image code corresponding to the serial number to the temporary storage area of the memory;
setting the serial number of the next start code;
jumping to the start address and starting the bootstrap program;
and judging whether the start is normal; if so, recording the serial number of the normal code, and otherwise repeating the above steps.
9. The high-reliability satellite-borne software starting system of claim 8, wherein:
the addresses of bytes that do not satisfy the two-out-of-three operation are recorded during the three-mode start, and the bytes that did not satisfy the two-out-of-three operation during loading are corrected after the software has started successfully;
during a sequential start, the sequential starting module records the normal code serial number and, after the start, refreshes the other satellite-borne software images with the satellite-borne software image corresponding to the normal code serial number;
the satellite-borne software begins normal operation and starts an on-satellite task process and a code inspection process; using the idle time of the tasks, it compares the data stored in the first non-fixed storage carrier, the second non-fixed storage carrier and the third non-fixed storage carrier for consistency and records the inconsistent addresses and the number of inconsistencies; and when the number of inconsistencies is larger than a threshold value, the satellite-borne software corrects the stored data at the inconsistent addresses in the maintenance task.
10. A high-reliability satellite-borne software starting method, characterized by comprising the following steps:
the initialization module initializes parameters using a boot program;
the three-mode start count module performs a three-mode start of the satellite-borne software;
and when the three-mode start fails, the sequential starting module starts the satellite-borne software sequentially.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010734383.0A CN111857884B (en) | 2020-07-24 | 2020-07-24 | High-reliability satellite-borne software starting system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111857884A (en) | 2020-10-30 |
CN111857884B (en) | 2023-11-14 |
Family
ID=72947473
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010734383.0A Active CN111857884B (en) | 2020-07-24 | 2020-07-24 | High-reliability satellite-borne software starting system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111857884B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||