Instrument Control Computer Aliveness
Background:
The purpose of this protection is to reset the Control Computer (CC) if it fails to update its time word. The CC receives time from the C&DH system like other subsystems, and it mirrors the time it receives into two 16-bit telemetry words. If the least significant bit of the low word fails to update for more than 50 seconds, then a cold start is performed on the CC. RTS 49 continues to bring instrument systems back on-line. The most probable cause for this failure would be some type of software bug, which needs to be examined by instrument code developers.
There are two occasions when the clock will be suspended and for which Action Points 33 and 34 MUST BE DISABLED. In one case the CC halts the update of the time word while it is loading memory from EEPROM, for example, during instrument turn-on operations when the Data Handling Computer Writeable Control Store (WCS) is being loaded. (NOTE: This has not been observed of late and is not reflected in the procedures. An explanation is supplied in AR#95. This needs to be re-verified before removing.) The other is prior to DPU boot completion (~15 seconds after DPU power is applied). The TI_inst_safe_off procedure sets action points that use DPU-supplied telemetry to DISABLED until the DPU boots, at which time the action points are re-enabled using TI_inst_safe_on.
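The following ground-side model is an added example, not flight code or part of the original procedures; it shows the stale-bit check described above and why the check has to be disabled while the clock is legitimately suspended. Assumptions: telemetry is sampled once per second, the low word counts seconds, a single monitor stands in for Action Points 33 and 34, and the class, function names and halt durations are constructed for illustration.

```python
# Illustrative ground-side model of the CC aliveness check; not flight code.
STALE_LIMIT_S = 50    # page: LSB unchanged for more than 50 seconds
RTS_COLD_START = 49   # page: RTS 49 performs the cold start

class AlivenessMonitor:
    def __init__(self, limit_s=STALE_LIMIT_S):
        self.limit_s = limit_s
        self.enabled = True
        self.last_lsb = None        # LSB value at the last observed change
        self.last_change_t = None   # time of the last observed change

    def set_enabled(self, enabled):
        # Forget history on any state change so that time spent disabled
        # is never counted toward the stale limit after re-enabling.
        self.enabled = enabled
        self.last_lsb = None
        self.last_change_t = None

    def sample(self, t, low_word):
        """Feed one telemetry sample; return the RTS to request, or None."""
        if not self.enabled:
            return None
        lsb = low_word & 1
        if lsb != self.last_lsb:
            self.last_lsb, self.last_change_t = lsb, t
            return None
        if t - self.last_change_t > self.limit_s:
            self.last_change_t = t  # restart the timer after a request
            return RTS_COLD_START
        return None

def low_word(t, halt_start, halt_end):
    """Constructed telemetry: 16-bit seconds counter, frozen during the halt."""
    if halt_start <= t < halt_end:
        t = halt_start - 1
    elif t >= halt_end:
        t -= halt_end - halt_start
    return t & 0xFFFF

def run(duration, halt_start, halt_end, disable_during_halt):
    """Return the times (s) at which RTS 49 would be requested."""
    mon, requests = AlivenessMonitor(), []
    for t in range(duration):
        if disable_during_halt and t in (halt_start, halt_end):
            mon.set_enabled(t == halt_end)
        if mon.sample(t, low_word(t, halt_start, halt_end)) == RTS_COLD_START:
            requests.append(t)
    return requests
```

With a constructed 60-second suspension starting at t=100, `run(200, 100, 160, False)` requests a cold start at t=150 even though the CC is healthy, while `run(200, 100, 160, True)` requests none.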
Key Telemetry:
1033 - Control Computer Aliveness Sensed (ActionID, RTSID, fails)
Value #1: The Action Point number that failed its limit.
Value #2: The RTS number that was requested.
Value #3: The number of consecutive failures that triggered this Action Point.
Value #4: Unused.
IKCCTWLW - Low word of the DPU clock; can be found on the DPU_STATUS page
This safing sequence involves the following RTS/Action Points:
AP #33 and #34
RTS #49
Recovery Procedure:
RTS 49 will take care of the cold start and powering instrument systems back on; however, it will leave the sequencer in a paused state. At some point the ICSQRESM command will have to be sent to resume instrument sequences. This should be done at the direction of the EOF and may be done via timeline command or from the ground. Additionally, any patches that were made to RAM only will have been erased. The procedure TI_cc_patches should be run to load any necessary patches. The procedure has been written to first look at the CC software version and only load patches which pertain to that s/w version.
References:
http://tracedata.nascom.nasa.gov/~trace/cdhsw/trace/design/sc/pre_rts.htm