[Sis-csi] Green book thoughts
Lloyd Wood
L.Wood at surrey.ac.uk
Sun Apr 23 16:39:01 EDT 2006
At Thursday 2006-04-20 10:26 +0200, Chris.Taylor at esa.int wrote:
>This is one of the more interesting discussions that has been generated by
>group and there is another aspect related to retransmission that has not been
>touched upon. From what I have seen over the years ( I work in the area of
>flight system design), ground controllers are extremely careful and hesitant
>when it comes to releasing commands to the spacecraft. Automated sequences
>are anathema and there is still a clear preference to release each command by
>hand. I guess this practise is easily understood when it is considered that a
>single incorrect command could result in the unrecoverable loss of remote
>hardware. Some may argue that this is even more reason for relying on
>automated software but as this is also hand crafted and subject to bugs, I
>believe the "man in the loop" aspect will remain important part of spacecraft
>control.
I think that a distinction needs to be made here between the
spacecraft platform and the spacecraft payloads that the platform
supports, controls and carries. You may be careful about issuing
commands altering platform state, but can more cavalier about
payloads, which can be reset and rebooted at will -- or even
autonomously in onboard software, with the use of watchdogs to check
a computer is running properly and reboot it if it isn't. The
platform must not prevent access to the payloads; the payloads' state
does not affect platform state. This is more obvious if the platform
and payloads are separate computers.
(If your level of integration is such that the platform and payloads
are one and the same, then that degree of integration requires a very
high level of intense engineering resources to create in the first
place. So, clearly, money's no object, and you can also afford the
extra staff to worry about how everything affects everything else
because there's no clear separation.)
[..]
>I guess one message from this is that we should be looking at the link
>characteristics before deciding what is necessary higher up in the stack. If
>our links are near on perfect occasional data loss due to link errors could
>be acceptable and errorrs (e.g. due to SEUs in the flight system) can be
>covered by application level checksum.
I'm still a fan of the end-to-end principle; that is you have an
application-level checksum no matter how good the link, to cover for
and discover corruption in the path, wherever it is. The checksum may
not be necessary, but as a debugging tool it's essential.
L.
<http://www.ee.surrey.ac.uk/Personal/L.Wood><L.Wood at surrey.ac.uk>
More information about the Sis-CSI
mailing list