Redundancy

How external failures are handled in connection with the Warm Redundancy . In particular:

How do individual devices attached over the Bus Switch react to a redundancy switch over?
- How are protocols/endpoints disturbed during a redundancy switch over
- What are the effects of partial/not completed commands.
Which state needs to be synchronized accross the MCU's to avoid data loss in case of a redundancy switch over?
How often can we expect a redundancy switch over to occur?
- What is the maximum redundancy switch over frequency we can tolerate?
- What is a reasonable upper bound for the exepected redundancy switch over frequency in Space?
- What do operations look like under both the extreme maximum tolerable and the expected?
How severe a redundancy switch over would be for systems on the MCU (See Modes and Functional Decomposition in [1])
- How sensitive are certain opreations to redundancy switch over.

Redundancy Switch Over (RSO)

See [4] for the specification of the Switchover.

The MCU

Test Report from Open Source Satellite [3].

External Systems and Devices

The interaction of a redundancy switch over with other systems should be specified using the Flatsat and the FSTL.

Protocols

TODO Sebastian Pfeiler

State Synchronization

Which state needs to be synchronized for the supervisor to taker over after a redundancy switch over See [2] for a technique on fault recovery.

TODO Sebastian Pfeiler

References

[1] O. Tl and G. Ielpo, ‘SAGE-SYS-SW’, Mar. 2024.

[2] Ying Zhang and Krishnendu Chakrabarty, ‘Fault recovery based on checkpointing for hard real-time embedded systems’, in Proceedings. 16th IEEE Symposium on Computer Arithmetic, Boston, MA, USA: IEEE Comput. Soc, 2003, pp. 320–327. doi: 10.1109/DFTVS.2003.1250127.

[3] P. Madle, ‘STM32H753 Radiation Test Report’. Open Source Satellite, May 18, 2021.

[4] ‘SAGE-DR-OBC’, Mar. 2024.

Redundancy Switch Over (RSO)​

The MCU​

External Systems and Devices​

Protocols​

State Synchronization​