11 june 2003 united defense lp -- proprietary1 auto-reconfiguration on grizzly dr. ns mohan united...

11 June 2003 United Defense LP -- Proprietary 1

Auto-Reconfiguration on GrizzlyAuto-Reconfiguration on Grizzly

Dr. NS MohanUnited Defense, L.P.

Ground Systems Division


Grizzly Grizzly Grizzly Grizzly


System Requirements & KPPsSystem Requirements & KPPsSystem Requirements & KPPsSystem Requirements & KPPs

Key Grizzly Program requirements:► M1 Abrams Chassis► Redundant Drive-By-Wire

• Automatic switch-over of controllers within 200 ms► Survivable Mine Clearing Blade (MCB), ADCS & PDA► Ability to plow in varied soil and terrain conditions at higher

speeds with Auto Depth Control KPPs:

► Gross Combat Weight: less than 70 Tons► Defeat/clear mines buried at depths up to 12 inches► Defeat/breach complex obstacle in 21 minutes

• Mine field; Anti-tank ditch; Concertina wire► Mobility & Survivability comparable to M1 Abrams


Vetronics DescriptionVetronics DescriptionVetronics DescriptionVetronics Description

VETRONICS HW & SW ELEMENTS

ADCS/MCBControl

CrewInterface

SystemControl

PowerDistribution

VisionDrive

ControlPDA

Control

ADCS ControllerMCB ValveDrive

ADCS CSCI

Crew Interface RIOMCentral Control PanelPrimary/SecondaryControllers

Primary &SecondaryController

Primary/SecondaryControllerPowerDistribution UnitRemoteSwitching Units

Video ControlUnitPrimary/SecondaryControllers

Drive TransmissionRIOMDrive Engine RIOMTransmissionElectronic Control(WTEC III)Primary/SecondaryControllersBraking & SteeringActuatorsDECU (GFE)

PDA RIOMPrimary/SecondaryControllerCrew InterfaceRIOM

System ServicesCSCIOperatingEnvironment

Crew Interface CSCICCP ControlFirmwareCrew InterfaceFirmwareApplique’ Software(GFE)

System ServicesPowerDistribution UnitInterfaceFirmware

Vision ControlUnit FirmwareCrew InterfaceCSCI

Drive Control CSCIDrive (Engine) RIOMInterface FirmwareDrive (Transmission)RIOM interfaceFirmwareWTEC III Firmware

PDA CSCICrew InterfaceCSCIPDA RIOMInterface FirmwareCrew RIOMInterface Firmware

HA

RD

WA

RE

SO

FT

WA

RE


Hardware ElementsHardware ElementsHardware ElementsHardware Elements

Controllers► Primary (PC), Secondary (SC) Fully redundant

Auto Depth Control Subsystem (ADCS) Controller

2 Drive Remote IO Modules► Configured to support redundancy of functions

PDA RIOM Crew Interface RIOM Actuators – Braking, Steering


Software ArchitectureSoftware ArchitectureSoftware ArchitectureSoftware Architecture

Software Configuration Items►Auto Depth Control Subsystem (ADCS)►Crew Interface Subsystem (CIS)►Drive Control Subsystem (DCS)►Power Driven Arm (PDA)►Operating Environment►System Services (SS)

Multi-layered approach Reconfiguration support SS, CIS


Software Architecture – contd.Software Architecture – contd.Software Architecture – contd.Software Architecture – contd.

RTGS OE

OS: Board Support Package, Real Time Operating System (VxWorks)

bus

To Display

DCS (Driver/Primary)

PDA (Driver/Primary)

System Services

Display Management (Driver/Primary)

State Controller (Driver/ Primary)

CIS

1553

OE

OS: Board Support Package, Real Time Operating System (VxWorks)

DCS PDA

System Services

Display Management State

CIS

1553

(Commander/ Secondary) (Commander/

Secondary)

(Commander/ Secondary)

(Commander/ Secondary)

RTGS To Display

OE

OS: Board Support Package, Real Time Operating System

(VxWorks)

ADCS

System Services

1553 PC

SC

ADCC Controller


Software Architecture – contd.Software Architecture – contd.Software Architecture – contd.Software Architecture – contd.

Software Configuration Items► System Services (SS)

• Utilities (e.g., storage management)• Insulated the applications from lower level details (OE,

hardware)• APIs provided to the application SCIs, provides portability• Followed the ICD closely, changes in ICD generally did not

affect the applications (no code changes) • Reconfiguration support


Reconfiguration of ControllersReconfiguration of ControllersReconfiguration of ControllersReconfiguration of Controllers

Manual – by the operator ► If something is not behaving correctly► For testing of functionality (maintenance mode)

Automatic ► Switches to secondary controller when primary fails► Time limit: 200 ms for resuming normal

operations► Periodic exchange of health status between the two

controllers (heartbeat) – Keep Alive Signal via 1553 bus


Reconfiguration SupportReconfiguration SupportReconfiguration SupportReconfiguration Support

Backup controller configured as simultaneous remote terminal and bus monitor

All CSCIs run lockstep in both controllers. The copy on the backup controller will have its outputs suppressed, until needed.

The CIS_CSCI is designed to accommodate reconfiguration

► Operator inputs to PC are duplicated by System Services and sent to SC via 1553 (latency for SC)

► Same inputs same outputs


Reconfiguration Support - contd.Reconfiguration Support - contd.Reconfiguration Support - contd.Reconfiguration Support - contd.

PC duplicates inputs & sends them to SC (both DRIOMs, DECU).

Keep Alive signal (via 1553 between controllers)► 40 Hz

Drive Control critical data saved & exchanged periodically – RS-423 link between controllers

► 40 Hz


Reconfiguration Power-upReconfiguration Power-upReconfiguration Power-upReconfiguration Power-up

The PC and the SC are differentiated by the RT address on the 1553 connector:

► PC = 0001► SC = 0010

At power-up, both controllers initiate a time delay = (RT address – 1)*5 ms, tipping the scale in favor of the PC

Upon timeout, check for bus activity► IF no activity, assume role of bus controller and initiate bus

schedule► ELSE, assume role of RT


Reconfiguration ScenariosReconfiguration ScenariosReconfiguration ScenariosReconfiguration Scenarios

Notify

OperatorTake over as

Bus ControllerRemove power from

other controller

PC detects SC failure YES N/A YES

PC detects SC is not ready to take over

YES N/A YES

SC detects PC failure YES YES YES

SC detects PC is not ready to take over

YES NO NO

To avoid PC tying up the bus:

►SC sends a reset command over RS-423 link

►SC takes over as Bus Controller

►SC sends command to PDU to remove power from the PC


Manual Reconfiguration of Manual Reconfiguration of ControllersControllersManual Reconfiguration of Manual Reconfiguration of ControllersControllers

During maintenance mode, operator can select to switch controllers as Bus Controller

► PC transmits a dynamic bus control command to SC► SC accepts control by setting dynamic bus control

bit in status word► Control is relinquished by PC (current Bus

Controller)► Operator notified when this is complete

This is an application of standard mechanism provided by 1553 specification for transfer of control


Reconfiguration of Drive Reconfiguration of Drive Remote I/O ModulesRemote I/O ModulesReconfiguration of Drive Reconfiguration of Drive Remote I/O ModulesRemote I/O Modules

Implemented within DCS software Manual – by the operator

► If something is not behaving correctly► For testing of functionality

Automatic ► Switches to secondary DRIOM

when primary fails

• By function (e.g., Braking) or DRIOM as a whole

► Periodic status via 1553 (BIT)

DRIOM 1 DRIOM 2

DCS Inputs

1553 Bus


SummarySummarySummarySummary

Requirement of Redundancy of Drive-By-Wire satisfied by

► Duplicate controllers automatic switchover within 200 ms

► Duplicate Drive Remote I/O Modules automatic switchover by function or as a whole

Tested thoroughly within System Integration Laboratory and on the vehicle fully satisfied the requirements at max speed of 45 mph

All Key Performance Parameters (KPPs) and EMD exit criteria were met or exceeded

11 june 2003 united defense lp -- proprietary1 auto-reconfiguration on grizzly dr. ns mohan united...

Documents

united defense lp

cis slide

ns mohan united defense

bus slide

hz slide

steering slide

m1 abrams slide

controllers heartbeat