
Re: AO-40 info from AMSAT-UK

> >Please note that this is a *software* watchdog. There is no hardware
> >watchdog. If the IHU has crashed, than a RESET command can be issued from
> >ground. This would be the last resort. It is a very fail-safe system, which
> >has been used before on AO-10 and AO-13. However, it was decided to check
> >and analyze all other possibilities before issuing such a drastic command.
> >There is no need to hurry and we don't want to miss any option...
> I may not be an engineer but know that NASA usually has two different 
> backup systems to the primary. Am I to assume that we did not even have one 
> backup to the software watchdog system, in case of computer failure? If so 
> I think we should fix that in any future sats.

In similar systems I've seen, there is a RESET command which is
recognized by the hardware in the command receiver(s) to perform some
sort of low-level reset or bootstrap function.  Typically, this
would be implemented in "hard logic" rather than recognized by software.

My guess is that the receipt of such a command would drop the IHU
into a low-level bootstrap loader, which may require a reload of
the whole of the software.  It's anyone's guess if this would be
better or worse than the current situation.

I've got no personal experience operating a satellite, but I do have
a lot of experience running large networks, which are complex
distributed systems.  It really is important to analyze the situation
that you're in, and figure out what "problem" needs to be addressed
first.  You don't want to start performing random operations, hoping
for the best.  For example, in the case of a large network, perhaps
you don't want to start rebooting routers - you could make a problem
(reaching one set of destinations) into a disaster (by partitioning the
network, and losing the ability to manage part of it at all).  

As someone else mentioned, the batteries continue to be charged
independently of the state of the IHU, so perhaps power isn't likely to
be a critical factor.   I don't know what resource is likely to be a
problem if the satellite is left without active control for a while.

It's interesting to note that AO-10 has been running along for years
without the benefit of active control.

It's really easy to panic and just make a situation with incomplete
knowledge worse.  It would appear that the folks managing the
spacecraft have the luxury of some time to consider and analyze before
needing to take more intrusive steps which might introduce even more

There's always time to panic later if needed; don't waste it now :-)


Via the amsat-bb mailing list at AMSAT.ORG courtesy of AMSAT-NA.
To unsubscribe, send "unsubscribe amsat-bb" to Majordomo@amsat.org