The invention relates to a multifunctional controller for a satellite.
In satellite technology, key components pertaining to control and safety on board a satellite are generally designed in a redundant manner to prevent a total failure of the satellite should a module or components fail. The internal components in the onboard computer (OBC) and in the power control and distribution unit (PCDU) of a satellite are therefore designed in a particularly redundant manner since a component failure in these units can result in the total malfunction of the satellite.
The OBC controls important functions of the satellite and runs the onboard software (OBSW) to do so. It receives the required commands for this via ground-based radio via an antenna and transceiver and a decoder board that transforms the digital signals of the transceiver back into data packets and forwards them to the OBSW on the CPU of the OBC (cf. FIG. 1). The PCDU controls the components' supply of electrical energy from the solar panel and the battery of the satellite. For example, to operate a payload of the satellite, the OBSW actuates a controller of the PCDU that closes a corresponding switch to supply the payload with electrical energy. As soon as the payload is activated, it can be controlled by the OBC. Data regarding the payload can then be recorded, analyzed, and transmitted by the OBSW to a ground station via telemetry. The redundant construction of key components that are part of such a complex sequence control system, prevents a total failure of the satellite due to various malfunctions, such as malfunctions on data buses, software errors, or insufficient power supply.
In addition, the PCDU and the OBC are the high-availability components on board of each satellite. The current control and emergency shutdown of equipment must function in every fault incident. The automatic power supply to the OBC and the booting of the OBC must also function reliably after a voltage loss in the satellite as soon as the satellite receives enough power again from the solar panels in the sun-phase of the orbit. In the OBC, it must be possible in all cases, including after a software crash or hardware failure of a component, e.g., CPU, data bus controller, or memory board, to switch over to the corresponding redundant component.
To enable these switchovers, all of the internal OBC constructional components are each wired in a cross-wise manner (also known as cross-coupling) so that, e.g., CPU A can serve both data bus controllers A and B and both memory modules Memory A and B (cf. again FIG. 1). The same applies for CPU B. The same cross-coupling principle applies for the elements within the PCDU.
Within the OBC and the PCDU the reconfiguration units and the PCDU controllers are two key elements for emergency operation input commands issued from the ground. The reconfiguration units execute the redundancy switchovers in the OBC. To do so, they must receive the corresponding commands. These can come from the OBSW if it has detected errors (cf. dashed line connections between the CPUs and reconfiguration units in FIG. 1). In the event of a crashed OBSW or a defective CPU, special reconfiguration commands can also be sent from the ground via transceivers and decoder boards to the reconfiguration units. Via a special sub-module of the reconfiguration units known as a command pulse decoding unit (CPDU), emergency commands can also be sent from the ground to the PCDU controllers for the emergency shutdown of redundant loads or to activate other electric circuits. These CPDU commands (also known as high-priority Class 1 or HPC1 commands) run via the dotted connections depicted in FIG. 1.
In this way, the OBC and PCDU have three standardized types of interfaces: data bus connections, power connections from the PCDU to the OBC, and the so-called CPDU emergency command lines from the OBC to the PCDU.
However, the implementation outlay for the required division of functions of the components involved in the reconfiguration is high. In addition, the test outlay increases since each of these high-reliability components must be subjected to time-consuming tests. Therefore, one of the problems addressed by the present invention involves a lower cost arrangement.
The multifunctional controller according to the present invention combines the two highly critical components, namely the reconfiguration unit and the PCDU controller for controlling and distributing power to satellite components, in a single chip, whereby the implementation costs for a satellite control and safety device can be reduced. By combining these two units, the module described as a combined controller in FIG. 3 can jointly implement various safety and control functions in the OBC/PCDU architecture, in particular the monitoring of the power supply, the turning on and off of the power supply of satellite components as well as the switchover between redundant components in the PCDU and/or OBC. Reconfigurations can still be triggered by the OBSW or the ground via the decoder boards.
The multifunctional controller can be implemented as an Application Specific Integrated Circuit (ASIC) or Field-Programmable Gate Array (FPGA). The multifunctional controller generally requires lower design and test costs than a solution consisting of individual components as is used in conventional satellites, since only one ASIC or FPGA module must be developed or only one firmware must be developed for a microcontroller. Accordingly, the component testing expenses also decrease. In addition, complex system tests for the interaction of the two units combined in the multifunctional controller can be simplified.
An embodiment of the invention is directed to a multifunctional controller for a satellite that has the following: a reconfiguration unit or reconfiguration functions for reconfiguring components of the onboard computer and/or turning off electrical loads of the satellite in the event of a fault, and a unit for controlling and distributing power to satellite components or control functions for controlling the distribution of energy to satellite components.
The reconfiguration functions can also allow one to trigger power resets and/or soft reset commands for reconfiguring components of the onboard computer and issue them to the corresponding components. Soft resets are issued to CPUs.
The multifunctional controller can—like a typical reconfiguration unit—have inputs for triggering reconfiguration functions when receiving corresponding commands. For example, via these inputs, trigger signals from the onboard computer can be received by means of which the onboard computer requests certain modules to be reconfigured, for example in the event of a sporadic interruption of a bus controller or the switchover to a redundant module when a module, such as a memory module, is functioning incorrectly.
Furthermore, the controller can have and implement inputs for monitoring signals from the onboard computer to execute a reconfiguration of the corresponding components of the onboard computer when a monitoring signal is missing. The monitoring signals may originate from watchdog circuits that are, for example, integrated in modules and components of the onboard computer and monitor their function.
To do so, the watchdog circuits transmit monitoring signals when modules or components function error-free. If no cyclic monitoring signal from a certain component is received by the controller, the reconfiguration unit can identify the corresponding components and initiate reconfiguration tailored to these components via a corresponding signal that is issued to the affected components.
In addition, the controller can have inputs for commands from decoder modules for the hardware reconfiguration of the onboard computer and/or the emergency shutdown of electrical loads of the satellite and/or electrical switchovers. These inputs can be designed in such a manner that, for example, they forward these commands directly to the controller, which then, for example, triggers a hardware reconfiguration of the onboard computer and/or actuates the unit for controlling and distributing energy in such a way that it executes an emergency shutdown for corresponding electrical loads to conserve the electrical power supply pertaining to satellites.
Lastly, the typical function of a PCDU controller to monitor components regarding the electrical power supply of the satellite can be implemented in the combined controller to turn off electrical satellite components receiving a shortage of electrical energy as detected by the monitoring system and/or after such a shutdown, to successively supply satellite components with electrical energy when the monitoring system determines there is sufficient power. To this end, the combined controller may have inputs for monitoring the components for supplying electrical power to the satellite and be designed in such a way to turn off electric satellite components when monitoring determines there is an insufficient supply of electrical energy and/or after such a shutdown, to successively supply satellite components with electrical energy when the monitoring system determines there is sufficient power.
For example, electrical voltages may be monitored by electrical energy sources such as a solar panel and/or a battery of the satellite. If monitoring determines that the supply of electrical energy is no longer sufficient for the satellite components, some or all satellite components may be turned off. After a failure of the power supply in the satellite, for example when it is in the shadow of the Earth and the battery energy is no longer sufficient for the power supply, successive satellite components can be placed back into operation upon exceeding a certain voltage threshold when, for example, the satellite re-emerges out of the shadow of the Earth—preferably the controller first, then the onboard computer, satellite position control devices and so on.
Also belonging to the functionality of a conventional PCDU controller according to FIG. 1—which is also integrated in the combined controller—is controlling the electrical power supply and their power electronics in a satellite for distributing electrical energy to one or more supply buses and the control of the associated circuit-breakers of electrical loads of the satellite.
The combined controller can be optionally integrated in the OBC, in the PCDU, or even in a separate housing. The outlay for the wiring between the OBC and PCDU is practically minimal if the integration takes place in the PCDU, which is why this is also depicted in such a manner in FIG. 3. However, this solution is not mandatory.
In a conventional OBC/PCDU architecture according to FIG. 1, the emergency shutdown commands from the ground run on the lines, drawn in a dotted manner, between the CPDU and PCDU on analog connections, since this represents a standardized interface. The combined controller is of course a purely digital module and therefore enables the emergency shutdown command to be received directly as a tele-command packet digitally from the decoder board. This further simplifies the architecture.
Another embodiment of the invention relates to a constructional component pair consisting of the OBC and PCDU for issuing commands to a satellite and the control of its energy supply with                OBC constructional components, which include all the usual OBC constructional components as they are used in conventional architectures, for controlling satellite equipment, storing data, decoding tele-commands, and generating telemetry data as well as for the internal power supply,        PCDU constructional components, which include all the usual PCDU constructional components as they are used in conventional architectures, in particular input lines from solar panels, in-/output lines to the battery, a PCDU power electronics system for distributing electrical energy to one or more supply buses and with PCDU circuit-breakers for turning on/off electrical loads of the satellite at one of the supply buses, and        two redundant multifunctional controllers according to the invention and as described herein with reconfiguration functions for monitoring the correct functioning of components of an onboard computer of the satellite and for switching over between redundant components and/or reconfiguring components of the onboard computer and/or turning off electrical loads of the satellite in the event of a malfunction, and control functions for controlling the current distribution to satellite components.        
Lastly, an embodiment of the invention relates to an OBC/PCDU combination with such a combined controller, in particular for miniature satellites, for controlling the functions of the satellite, for supplying electrical energy to the electrical loads of the satellite, for controlling the supply of electrical energy in a satellite, and for monitoring the satellite onboard computer according to the invention and as described above.
Another embodiment of the invention relates to a satellite, in particular a miniature satellite, with a transceiver for receiving signals via radio, an onboard computer for controlling functions of the satellite, a solar panel for supplying electrical energy to electrical loads of the satellite, a battery for supplying electrical energy to the electrical loads of the satellite, and a device for commanding the satellite and controlling its energy supply according to the invention and as described above.
Additional advantages and application possibilities of the present invention emerge from the following description in connection with the embodiments depicted in the drawings.