ROSINA Contingency Recovery Procedure

K. Altwegg, B. Fiethe
University of Bern, Physikalisches Institut, Sidlerstrasse 5, CH-3012 Bern, Switzerland

{| TABLE
! Document Reference: !! RO-ROS-MAN-1023
|-
| Issue: Issue 1 || Rev.: -
|-
| Date: 21.03.2006 || Pages:
|}

{{{Table of Content}}}

Document Change Record
List of reference documents
1 General
2 Failure detection and recovery strategy
2.1 List of possible failures (incomplete), see FMECA
2.2 DPU errors
2.2.1 Errors monitored by the DPU
2.2.2 Emergency Boot
2.2.3 Errors which cannot be monitored by the DPU
2.3 Sensor errors

{{{Document Change Record}}}

{| TABLE
! Issue !! Rev. !! Pages changed, added, removed !! Date !! Reasons for Changes !! Approval
|-
| 1 || - || All || 15.03.2002 || Initial Issue ||
|-
| 1.0 || || 6 || 09.07.2002 || Emergency boot ||
|-
| 1.1 || || Delete annex A, replace with reference to Annex D4 || 21.03.2006 || Consistency between documents ||
|}

{{{List of reference documents}}}

{| TABLE
! RD1 !! ROS-Man-1009 !! ROSINA User Manual
|-
| RD2 || ROS-TUB-SP-05/2.3 || ROSETTA/ROSINA, DPU - S/C Event Packets
|}

{{{1 General}}}

ROSINA is a highly autonomous instrument. All housekeeping values from the three sensors are constantly monitored by the DPU. Whenever such a value is outside the specified limits, the DPU takes corrective action according to appendix D4 of the user manual and issues a sensor error report, which is sent to ground as an event. On-ground monitoring can therefore be restricted to these sensor error events and to the DPU error events.

{{{2 Failure detection and recovery strategy}}}

{{2.1 List of possible failures (incomplete), see FMECA:}}

{| TABLE
! Unit !! Failure !! Method of Analysis !! Handled by !! Recovery
|-
| DPU || Power converter || TBD || TC || Redundant
|-
| || Processor || TBD || TC || Redundant
|-
| || Interfaces to sensor || TBD || || None
|-
| RTOF || High voltage breakdown in ion source || TBD || TC || Switch off faulty unit, measurement possible with the other unit
|-
| || Filament burnout || TBD || TC || Redundant
|-
| || High voltage breakdown in Reflectron || TBD || || None
|-
| || Pulser breakdown || TBD || TC || Switch off faulty unit, measurement possible with the other channel
|-
| || Detector failure, degradation || TBD || TC || Switch off faulty unit, measurement possible with the other channel
|-
| || Cover opening failure || Cover Status || TC || Fail Safe Mechanism
|-
| DFMS || High voltage breakdown in ion source or transfer optics || TBD || || None
|-
| || Filament burnout || TBD || TC || Redundant
|-
| || High voltage breakdown in zoom optics || TBD || TC || Switch off, measurement possible without zoom optics
|-
| || Two dimensional detector failure, degradation || TBD || TC || Switch off faulty unit, measurement possible with the channeltron
|-
| || Initial cover opening failure || Cover Status || TC || Fire redundant actuator
|-
| || Cover opening failure || Cover Status || TC || Fail Safe Mechanism
|-
| || High voltage breakdown in ESA || TBD || || None
|-
| COPS || Burnout of filament || Filament current HK || TC || Switch to redundant filament
|-
| || TBD || TBD || || TBD
|}

{{2.2 DPU errors}}

{2.2.1 Errors monitored by the DPU}

The status of the different DPU subsystems (memory, interfaces, power switches) is monitored constantly by the DPU itself. If an error occurs, the appropriate action (memory error correction, power cycle) is taken and one of the following events is sent to ground:

YRNG3007 EID44100 DPU latch-up report
YRNG3008 EID44101 DPU memory error report
YRNG3009 EID44102 DPU general error report
YRNG300A EID44103 DPU sensor I/F error report

For a description of these error reports refer to document RD2. They contain the status of the DPU, the identification of the error and useful parameters. In this case the experimenter should be notified as soon as possible.

{2.2.2 Emergency Boot}

For the emergency situation in which the complete program content of the ROSINA DPU EEPROM is lost, a special boot mode is implemented in the boot software that remains in PROM. In the time frame between switch-on and 10 s after switch-on the DPU is in this special boot mode, in which only memory load command packets for software download are accepted. No TM packets except TC acknowledge and execution packets are generated during this mode. A time update command is ignored; any other command packet produces a not-acknowledge TM packet. If NO command packet is received within 10 s after the last packet, the boot mode is cancelled and the DPU tries to boot from EEPROM. Once the complete S/W has been loaded successfully, the DPU starts program execution with the new S/W immediately.

It is important that the first memory load command is sent before the 10 s after power-on have timed out! Therefore the nominal switch-on OBCP cannot be used for the emergency handling. There has to be an emergency OBCP which starts the S/W load from the S/C SSMM within the 10 s.

{2.2.3 Errors which cannot be monitored by the DPU}

If telemetry is not sent by ROSINA for more than 5 minutes, the following procedure should be executed:

TC: ZRNP100E, disable science
If TM is still not generated after 1 min: TC: ZRNP101A, TM reset
If TM is still not generated after 1 min: power cycle ROSINA (TBC)

{{2.3 Sensor errors}}

All housekeeping values of the sensors are constantly monitored by the DPU. If a housekeeping value is outside a given range, the DPU takes an appropriate action (repetition of command, switching off of the faulty unit, etc.). For a complete list of all monitored housekeeping values and the action taken by the DPU see appendix D4 of the user manual. At the same time an event is generated (YRNG300B, EID44104, sensor error) and sent to ground. For a description of these error reports refer to document RD2. They contain the status of the sensor, the identification of the housekeeping value affected and its actual value. In this case the experimenter should be notified as soon as possible.
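The PROM boot window of section 2.2.2 is easy to get wrong on the ground side, so the following added example (not ROSINA flight or ground software) models it: a 10 s window that is renewed by every received command packet, accepts only memory load packets, silently drops time updates, NACKs anything else and falls back to the EEPROM image on timeout. The packet representation, the assumption that a NACKed or ignored packet still renews the window, and the log format are constructed for this illustration; the timing rules are those stated in the procedure.

```python
"""Model of the ROSINA DPU PROM boot mode described in section 2.2.2.

Added illustration, not flight or ground software.  Packet kinds and the
log format are constructed; the 10 s window, the accepted packet types and
the EEPROM fallback follow the procedure text.
"""
from dataclasses import dataclass

BOOT_WINDOW_S = 10.0  # window after power-on, renewed by every command packet


@dataclass(frozen=True)
class Packet:
    t: float            # seconds after power-on
    kind: str           # "MEM_LOAD", "TIME_UPDATE" or another TC name
    last: bool = False  # MEM_LOAD only: final segment of the S/W image


def run_boot_mode(packets):
    """Return (final_state, tm_log) for command packets in boot mode.

    final_state is "RUN_NEW_SW" if the whole image arrived inside the
    window, otherwise "BOOT_EEPROM".  tm_log lists the TM generated: in
    boot mode only TC acknowledge and not-acknowledge packets exist.
    """
    deadline = BOOT_WINDOW_S
    log = []
    for p in sorted(packets, key=lambda p: p.t):
        if p.t > deadline:
            # Nothing received inside the window: boot mode is cancelled
            # and the DPU tries the EEPROM image; the late packet is lost.
            log.append((deadline, "BOOT_EEPROM"))
            return "BOOT_EEPROM", log
        if p.kind == "MEM_LOAD":
            log.append((p.t, "ACK"))
            if p.last:
                # Complete S/W loaded: execution starts immediately.
                log.append((p.t, "RUN_NEW_SW"))
                return "RUN_NEW_SW", log
        elif p.kind == "TIME_UPDATE":
            pass  # ignored, no TM generated
        else:
            log.append((p.t, "NACK"))  # any other TC is not acknowledged
        # Assumption: every received command packet restarts the 10 s timer.
        deadline = p.t + BOOT_WINDOW_S
    log.append((deadline, "BOOT_EEPROM"))
    return "BOOT_EEPROM", log
```

Running the model with a first memory load at 12 s reproduces the reason the nominal switch-on OBCP is unsuitable: the window has already closed at 10 s and the DPU has gone to EEPROM.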