Triple Synchronized Controller for Spacecraft Power Subsystems

Future spacecraft missions will require autonomous electric power management and distribution systems. The key element of such a system is a highly reliable microprocessor based controller that can be adapted through software changes to a wide variety of mission requirements and power system configurations. This paper describes the operation of a triple modular redundant microprocessor based controller and the associated hardware and software. The controller employs a balanced mixture of radiation hardened hardware and structured software redundancy. Each module on the triad is "tightly" synchronized with the other two, and voting is used to mask the effects of a failed module. The self test features of the controller will detect any fault through an interaction of hardware and firmware. For a transient fault, the controller will recover and continue operation. If the fault is permanent, it will report the error, turn off the defective module and reconfigure itself. The controller has been tested for both normal and failure (artificially induced faults) modes of operation to verify the integrity of the design. The objective of this research work was to develop a radiation hardened controller that is capable of meeting the autonomy requirements of an Electrical Power Subsystem for a spacecraft. As part of development work, a trade study of different fault tolerant techniques was done. The trade study concluded that a controller that is triple modular redundant (TMRC), tightly synchronized and that employs structured software redundancy was the best solution.