Next: 2.3.8 Flight Software Up: 2.3.7 DPA Hardware Previous: 2.3.7.2 DPA Electronics Design

2.3.7.3 DPA Hardware Recovery Modes

The DPA processors must be "rugged". The design goal was to expect and support occasional crashes, and hence reboots, due to single-event upsets or other radiation-induced crashes. The hardware supports graceful and efficient crash/reboot mechanisms.

The DPA is operable following any one single-point failure. It must be modular enough to degrade gracefully if a section of the hardware should fail. Operation following double-point failures is not guaranteed.

Due to the eccentric orbit and the long life of the AXAF mission, the total projected radiation dose on the electronics is significant. In most cases immunity to a total dose of at least 50 kRads was required. Memory devices, especially program memory, have an extremely low single-event upset rate.

The BEP reset circuitry consists of three reset sources: a power-on reset, a watchdog reset, and a discrete commanded reset. The power-on reset charges an RC network with a time constant of about 50 ms. The watchdog reset consists of a 32-bit readable and writable counter internal to the Mongoose processor. Upon reset, the counter is set to a certain value and allowed to decrement. Its end-of-count signal will directly drive the BEP reset. The discrete reset allows a 1-bit pulse command (out of a 16-bit serial digital command) to reset the BEP. This line will be directly driven by the RCTU. The watchdog reset and discrete reset have pulse widths consistent with the maximum required by any device on the board. Local status bits will be provided to the processor indicating if a reset was initiated by the watchdog timer or the command interface (for the discrete reset).
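The reset behaviour described above can be modelled in a few lines of C. This is an added illustration, not ACIS flight software: the status-bit layout, the position of the reset bit in the 16-bit command, the reload value, and the assumption that a power-on reset leaves both status bits clear are all hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed values: the page gives no bit positions or reload count. */
#define RST_STAT_WATCHDOG 0x1u    /* last reset came from watchdog end-of-count */
#define RST_STAT_COMMAND  0x2u    /* last reset came from the discrete command  */
#define CMD_RESET_BIT     0x8000u /* reset bit within the 16-bit serial command */
#define WDT_RELOAD        1000u   /* value loaded into the counter on reset     */

typedef struct {
    uint32_t wdt;    /* 32-bit readable/writable down-counter         */
    uint32_t status; /* local reset-cause status bits seen by software */
    unsigned resets; /* resets taken so far (model bookkeeping only)   */
} bep_t;

/* Every reset source reloads the counter and records its cause. */
static void bep_reset(bep_t *b, uint32_t cause) {
    b->wdt = WDT_RELOAD; b->status = cause; b->resets++;
}

void bep_power_on(bep_t *b) { b->resets = 0; bep_reset(b, 0); }

/* Healthy software services the watchdog by rewriting the counter. */
void bep_service_watchdog(bep_t *b) { b->wdt = WDT_RELOAD; }

/* One decrement; end-of-count drives the reset directly. */
bool bep_tick(bep_t *b) {
    if (--b->wdt == 0) { bep_reset(b, RST_STAT_WATCHDOG); return true; }
    return false;
}

/* Discrete reset: only the single reset bit of the command word matters. */
bool bep_command(bep_t *b, uint16_t cmd) {
    if (cmd & CMD_RESET_BIT) { bep_reset(b, RST_STAT_COMMAND); return true; }
    return false;
}

/* Run `ticks` decrements. Software services the watchdog every `period`
   ticks; period == 0 models hung software. Returns watchdog resets seen. */
unsigned bep_run(bep_t *b, unsigned ticks, unsigned period) {
    unsigned fired = 0;
    for (unsigned t = 1; t <= ticks; t++) {
        if (period && t % period == 0) bep_service_watchdog(b);
        if (bep_tick(b)) fired++;
    }
    return fired;
}

int main(void) { bep_t b; bep_power_on(&b); return bep_run(&b, 5000, 500) ? 1 : 0; }
```

After a reboot, software in this model reads `status` to tell a watchdog recovery from a commanded reset, which is the purpose of the local status bits.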

The FEP reset sources are: a power-on reset, a watchdog reset, and a BEP-controlled reset. The power-on and watchdog resets are identical to the BEP versions. The BEP-controlled reset is a dedicated wire driven by the BEP. It is controlled by a BEP read/write control register. Both BEPs will be powered at any one time.

A standby mode will be provided by the DPA, as commanded by the Spacecraft. The average and maximum current allocation for the DPA during standby mode is given in Table 2.3. One likely implementation of standby mode would be to turn off power to all the FEPs. Another might be to stop the DPA processor/logic clocks.

A signal will be sent to the DPA indicating when a Spacecraft radiation monitor has been set. Similarly, a signal will be sent to the DPA when the radiation monitor has cleared. One effect of the radiation monitor will be to cause the DPA to issue a DEA power shutdown command for the CCD components which might deteriorate if exposed during periods of high radiation activity. The spacecraft will also carry a bright object monitor which will similarly affect the DPA. (Note that the action taken when the radiation monitor signal arrives is programmable. ACIS has the capability of ignoring Spacecraft monitor signals if that is desired, by loading an appropriate software patch.)



John Nousek
11/21/1997