The HENA instrument as a whole can be turned on and off by the CIDP. The HENA DPU can control the power of some internal subsystems. These are the decontamination heater (H_HTR_DEC_PWR), the survival heater (H_HTR_SURV_PWR), the wax actuator (H_SEN_ACT_PWR), the analog electronics (H_SEN_ANLG_PWR), the calibrators (H_SEN_CAL_PWR), the high voltages (H_SEN_HV_PWR and H_SSD_BIAS_PWR), and the SSD preamps (H_SSD_PRE_PWR).
HENA has five individual high voltages: start, stop and coincidence MCP voltages and plus and minus collimator voltages. Before setting any high voltage (HV), the HVs must be turned on with H_SEN_HV_PWR. HV level commands (H_SEN_HV_LEVEL) will be locked out until individual high voltages are enabled via H_SEN_HV_CNTRL. Each HV has an upper limit; appropriate upper limits must be specified via the H_SEN_HV_LIMIT command before any levels are set. If an individual HV is disabled its level will be set to zero immediately. If the HV subsystem is turned off, all high voltages will have their levels set to zero and individual voltages disabled.
The levels of the HENA HVs are set via the H_SEN_HV_LEVEL commands. HV level commands cause the indicated high voltage to ramp to its given goal level. The ramp rate is a parameter. If a new goal is set before the old goal is reached, the new goal is followed. If an HV limit is set below the current goal, the goal is automatically dropped to the limit and the voltage is ramped to this new goal. Exceptions are that the HENA collimator levels are always zero in ion mode and that the MCP levels may be reduced when the sun is in the field of view (see Sun and Earth Avoidance Modes below).
There are two HV safing inputs to the HENA DPU. One input limits the maximum HV level that can be set. The second input notifies the software that all HV operations should be disabled. Any command that affects the HV subsystem will be rejected if this input is active. Neither HV safing input will be active during flight.
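The command lockouts described above can be modelled as a small state machine. This is an added example, not the HENA flight code: the struct, function names and integer level units are hypothetical, and it assumes that an over-limit H_SEN_HV_LEVEL is rejected rather than clamped, that limits are accepted while the HV subsystem is off, and that only the "disable all HV operations" safing input is modelled.

```c
#include <stdbool.h>
#include <stdint.h>
/* The five HENA high voltages named in the text. */
enum { HV_START, HV_STOP, HV_COINC, HV_COL_PLUS, HV_COL_MINUS, HV_COUNT };

typedef struct {
    bool     power;                  /* H_SEN_HV_PWR */
    bool     safing_disable;         /* safing input: all HV operations disabled */
    bool     enabled[HV_COUNT];      /* H_SEN_HV_CNTRL */
    uint16_t limit[HV_COUNT];        /* H_SEN_HV_LIMIT; zero until commanded */
    uint16_t goal[HV_COUNT], level[HV_COUNT];  /* H_SEN_HV_LEVEL goal, present output */
    uint16_t ramp_step;              /* ramp rate parameter, units per tick (assumed) */
} hv_state;

/* Commands return false when rejected. Safing or a bad HV index rejects all. */
static bool hv_ok(const hv_state *s, int hv) { return !s->safing_disable && hv >= 0 && hv < HV_COUNT; }

bool hv_pwr(hv_state *s, bool on) {
    if (s->safing_disable) return false;
    s->power = on;
    for (int i = 0; !on && i < HV_COUNT; i++) {    /* off: zero and disable all */
        s->enabled[i] = false; s->goal[i] = s->level[i] = 0;
    }
    return true;
}

bool hv_cntrl(hv_state *s, int hv, bool enable) {
    if (!hv_ok(s, hv) || !s->power) return false;
    s->enabled[hv] = enable;
    if (!enable) s->goal[hv] = s->level[hv] = 0;   /* disabled: zero immediately */
    return true;
}

bool hv_limit(hv_state *s, int hv, uint16_t limit) {
    if (!hv_ok(s, hv)) return false;
    s->limit[hv] = limit;
    if (s->goal[hv] > limit) s->goal[hv] = limit;  /* goal dropped; ramp follows */
    return true;
}

bool hv_level(hv_state *s, int hv, uint16_t goal) {
    if (!hv_ok(s, hv) || !s->power || !s->enabled[hv]) return false;  /* locked out */
    if (goal > s->limit[hv]) return false;         /* assumed: rejected, not clamped */
    s->goal[hv] = goal;
    return true;
}

void hv_tick(hv_state *s) {                        /* one ramp step for every HV */
    for (int i = 0; i < HV_COUNT; i++) {
        int d = (int)s->goal[i] - (int)s->level[i], r = s->ramp_step;
        s->level[i] = (uint16_t)(s->level[i] + (d > r ? r : d < -r ? -r : d));
    }
}
```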
The DPU monitors hardware that detects the breakdown of the HENA plus and minus collimator high voltages. A breakdown alarm is sent each time a breakdown is detected.
In addition to the MCP and collimator HVs, there is an SSD bias HV. The SSD bias is controlled similarly to the other HVs. A goal and limit can be set via H_SSD_BIAS_LEVEL and H_SSD_BIAS_LIMIT and the actual voltage is ramped towards the goal by a rate parameter.
HENA calibrators can inject data into the MCP and the SSD circuitry. The calibrators are normally powered off; to generate signals they must be enabled with the H_SEN_CAL_PWR command. The calibrators can produce signals for the front and back MCPs (Wft, Wfb, Wb, Wb, and Ib); coincidence is derived from Wft in hardware. An additional signal, time, simulates the time of flight. The SSD calibrator can also produce a signal for the SSD. The signal can be configured to go to any of the pixels via H_SSD_PIX_CAL.
Each of the above signals can be set manually with the H_SEN_CAL_SET command. The DPU can also run a canned sequence of calibration settings via the H_SEN_CAL_SEQ command. A calibration sequence applies new signal values every eight sectors. The sequence has fifteen steps, and repeats every spin.
Calibration sequences are uplinkable data structures (see below). There are three sequences.
The shutter is controlled by a stepping motor. Stepping the motor in the clockwise (CW) direction opens the shutter; stepping the motor in the counter-clockwise (CCW) direction closes the shutter. A single step moves the motor and the shutter by 1.8°. A parameter determines the number of steps needed to fully open or close the shutter, but should correspond to approximately 130°. Other parameters control the motor step rate and power level.
The HENA DPU has a number of memory resources that are visible to the user. The next section documents the layout of the memory and the commands that are used to modify or examine it. There are several data structures that the user can access to modify the operations of the instrument. These are described in subsequent sections.
The HENA DPU has both volatile RAM and non-volatile EEPROM memory. These memories, along with some memory-mapped I/O, appear within the DPU's bank-switched memory map as shown below. There are sixteen 64 kbyte pages in four address spaces. Most of the pages are replicated across the address spaces; the exceptions are the sixteen RAM pages in pages 4-7.
| Page | Space 0 | Space 1 | Space 2 | Space 3 |
|---|---|---|---|---|
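| 0 | RAM / PROM (16 kbytes) | RAM / PROM (16 kbytes) | RAM / PROM (16 kbytes) | RAM / PROM (16 kbytes) |
| 1 | RAM | RAM | RAM | RAM |
| 2 | RAM | RAM | RAM | RAM |
| 3 | RAM | RAM | RAM | RAM |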
| 4 | RAM | RAM | RAM | RAM |
| 5 | RAM | RAM | RAM | RAM |
| 6 | RAM | RAM | RAM | RAM |
| 7 | RAM | RAM | RAM | RAM |
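| 8 | EEPROM | EEPROM | EEPROM | EEPROM |
| 9 | EEPROM | EEPROM | EEPROM | EEPROM |
| 10 | EEPROM | EEPROM | EEPROM | EEPROM |
| 11 | EEPROM | EEPROM | EEPROM | EEPROM |
| 12 | ANA boards | ANA boards | ANA boards | ANA boards |
| 13 | SPC Actels | SPC Actels | SPC Actels | SPC Actels |
| 14 | SSD Actel | SSD Actel | SSD Actel | SSD Actel |
| 15 | SSD Actel | SSD Actel | SSD Actel | SSD Actel |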
Memory can be accessed with the H_MEM_DAT_CHECK, H_MEM_DAT_COPY, H_MEM_DAT_LOAD, H_MEM_DAT_READ, and H_MEM_DAT_WRITE commands. By default, DPU memory cannot be modified by ground command. An H_MEM_DAT_WRITE command must be issued to identify a region of memory that can be modified before an upload or memory copy command can be used. The H_MEM_DAT_WRITE command must specify an address space, a page number, and lower and upper addresses within the page. Writes can be disabled by issuing an H_MEM_DAT_WRITE command with an invalid address space specified.
Memory can be loaded using H_MEM_DAT_LOAD. A load consists of a sequence of H_MEM_DAT_LOAD commands. The entire destination area must be enabled via H_MEM_DAT_WRITE. A load can also come from the CIDP in an almost identical format.
Memory may be copied with the H_MEM_DAT_COPY command. The command specifies address space, page, and address for both the source and destination and the number of bytes to be copied. Up to one page may be copied with a single H_MEM_DAT_COPY command. The entire destination area must be enabled via H_MEM_DAT_WRITE.
A block of memory can be examined either with H_MEM_DAT_CHECK or H_MEM_DAT_READ. The check command computes the checksum of the identified region and returns a memory checksum package with the result. The checksum is computed by taking the exclusive-or of every byte in the identified region. The read command produces memory dump packages for the identified region.
All of the memory access commands specify one or more memory ids; a memory id consists of an address space number and a page number. Similarly, memory dump and checksum packages use the same memory id format.
| 7 | 6 | 5-4 | 3-0 |
|---|---|---|---|
| spare | spare | address space | page |
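The write-enable window, the "entire destination" rule and the exclusive-or checksum can be sketched as follows. This is an added example, not the HENA flight software: the function and type names are hypothetical, the upper address is assumed inclusive, out-of-range page numbers are assumed to close the window as an invalid address space does, and the memory id packing (address space in bits 5-4, page in bits 3-0) is read from the bit table above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SPACES    4u
#define PAGES     16u
#define PAGE_SIZE 0x10000u                      /* one 64 kbyte page */

/* Memory id: bits 7-6 spare, address space in bits 5-4, page in bits 3-0. */
uint8_t mem_id(unsigned space, unsigned page) {
    return (uint8_t)(((space & 3u) << 4) | (page & 0xFu));
}

typedef struct { bool open; uint8_t id; uint16_t lo, hi; } write_window;

/* H_MEM_DAT_WRITE: opens one region; an invalid address space closes it. */
void mem_dat_write(write_window *w, unsigned space, unsigned page,
                   uint16_t lo, uint16_t hi) {
    w->open = space < SPACES && page < PAGES && lo <= hi;
    w->id = mem_id(space, page);
    w->lo = lo;
    w->hi = hi;
}

/* The entire destination [addr, addr+len-1] must lie inside the window. */
bool write_allowed(const write_window *w, uint8_t id, uint16_t addr, uint32_t len) {
    if (!w->open || id != w->id || len == 0 || len > PAGE_SIZE) return false;
    uint32_t last = (uint32_t)addr + len - 1;   /* 32-bit sum: cannot wrap to a low address */
    return addr >= w->lo && last <= w->hi;
}

/* H_MEM_DAT_LOAD into a modelled 64 kbyte page; a rejected load changes nothing. */
bool mem_dat_load(const write_window *w, uint8_t id, uint8_t *page,
                  uint16_t addr, const uint8_t *data, uint32_t len) {
    if (!write_allowed(w, id, addr, len)) return false;
    memcpy(page + addr, data, len);
    return true;
}

/* H_MEM_DAT_CHECK: exclusive-or of every byte in the identified region. */
uint8_t mem_dat_check(const uint8_t *page, uint16_t addr, uint32_t len) {
    uint8_t sum = 0;
    for (uint32_t i = 0; i < len && addr + i < PAGE_SIZE; i++) sum ^= page[addr + i];
    return sum;
}
```

A byte-wise exclusive-or does not change when two bytes are swapped or when the same bit is flipped in two bytes, so a matching checksum confirms a load only against isolated corruption.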
Several data structures that affect HENA operation can be modified or downlinked by command. Default values for the data structures are stored in non-volatile EEPROM with the HENA flight software. On boot, these defaults are copied into RAM for use by the software. The RAM versions can be modified either with H_MEM_STR_LOAD commands or with data structure specific commands. The default data structures can be changed by uplinking the entire program into EEPROM with the H_MEM_DAT_LOAD command. The RAM copy of the data structures can all be downlinked with the H_MEM_STR_READ command.
Configuration data describes the state of the HENA instrument. After boot, the configuration of HENA can be changed via standard HENA commands. Configuration data is downlinked regularly as part of the status data. The actual content of the configuration data is defined in the housekeeping telemetry section.
Other data structures include parameters (for algorithms), calibration sequences, monitor limits, and the SSD bad pixel map. These data structures can be changed via the H_MEM_STR_LOAD command. Since the data structures are not expected to be changed frequently, they are not downlinked unless requested via the H_MEM_STR_READ command.
A large block of parameters is used to control the SSD. On startup, the default SSD parameters are loaded from non-volatile EEPROM memory (see above) into RAM and then into the SSD. The H_SSD_PH_LEVEL, H_SSD_PIX_CAL, H_SSD_PIX_CNTRL, H_SSD_PIX_DIAG, and H_SSD_PIX_THRE commands modify the RAM copy of the SSD parameters, in addition to the appropriate SSD hardware. The RAM copy of the SSD parameters can be downlinked via the H_MEM_STR_READ command.
HENA data is collected in a variety of modes selected by ground command. Most modes are simple; for example, the charge mode determines whether the collimators are charged. More complex modes that affect several aspects of the system are discussed in more depth here.
The shutter can be operated in four different modes. During manual operations the shutter motor and phase are controlled directly via H_SHUT_PWR and H_SHUT_MOVE commands. During automatic operations the shutter may be opened and closed automatically as the sun or earth enters and leaves the HENA field of view (see Sun and Earth Avoidance Modes below). In an open operation the shutter power is enabled, the shutter motor is rotated in the CW direction, and the shutter power is disabled. In a close operation the shutter power is enabled, the shutter motor is rotated in the CCW direction, and the shutter power is disabled. For both open and close operations the number of steps is determined by a parameter.
HENA can be configured to collect or reject data that arrives while the sun is in the field of view. The shutter can be closed, the HV ramped down, or event collection suppressed for the duration of sun exposure. Each of these operations can be individually enabled or disabled via the H_MOD_SUN command. All of these could be disabled when the sun is near the spacecraft spin axis and therefore always outside the HENA field of view. Any or all could be enabled when sunlight could enter the HENA sensor. The time of the occurrence of the sun pulse in previous spins is used to predict when the sun will be in the sensor's field of view in the current spin. If shutter closure is enabled, a parameter determines the length of the closure centered on the center of the HENA field of view. If HV ramp down is enabled, the MCP high voltages are reduced over the quarter of the spin (90°) that the sun is in the field of view. The voltages start ramping down before the sun comes into view; ramping the voltage back up starts immediately after the sun leaves the field of view. The ramp down time is predicted from the current HV levels, the safe levels, and the step rate, and the ramp is started so that it is complete at least one second before the sun enters the field of view. If event rejection is enabled, no events are processed from the time that the voltages would start ramping down (whether or not the HV is actually ramped down); processing resumes when the HV would be restored.
HENA can also be configured to collect or reject data that arrives while the earth is in the field of view. Automatically closing the shutter can be enabled or disabled via the H_MOD_EARTH command. The time of the occurrence of the nadir pulse is used to predict when the earth will be in the sensor's field of view. If shutter closure is enabled, a parameter determines the length of the closure centered on the center of the HENA field of view.
Normally, events are collected from HENA-M and HENA-S and accumulated into images and saved as PHA results. In backup mode, energy images are read directly from HENA-S and accumulated. Backup mode allows for data products which are independent of event logic or measurements from the other HENA sensors. When combined with closure of the HENA shutter (providing a pinhole aperture), neutral images binned in energy may be obtained. Note: the shutter is not closed automatically. In backup mode, transmission of HENA-M TOF images and PHA data and HENA-S m-TOF images and PHA data is automatically disabled. Backup mode is selected by ground command.
A group of six macros are called automatically at various positions in the spin. These macros are intended to be used to protect the sensor from the sun and the earth. The timing of these macros is determined by the sun and nadir pulses and four parameters. An earth start macro is run a parameterized number of sectors before the earth is in the center of the HENA field of view. An earth end macro is run a parameterized number of sectors after the earth is in the center of the field of view. Similarly, there are sun start and sun end macros with their own pair of parameters. There are also a bright start and bright end pair of macros that are executed whenever the first bright object enters the field of view and the last bright object leaves the field of view. When these macros are invoked automatically, commands from the macro, or from any macro they call, are not echoed. However, if the macros are invoked in any other way, their commands are echoed.
Alarms report problems found by the HENA software. Each alarm is described by an ID, two values, and a flag. The ID indicates the problem that has occurred and the accompanying values offer additional information. The flag indicates whether the alarm was caused by a transient or a persistent condition. See Appendix 2 for a list of alarms.
The alarms are divided into two groups: one for reporting internal software problems and another for reporting out-of-limit conditions for monitored data. Software problems are all reported as transient alarms. When the problem occurs, the alarm is generated and the software recovers from the problem as best it can.
A collection of environmental data is monitored by the DPU. There are 32 analogs including voltages, currents, and temperatures read and monitored from the DPU's housekeeping A/D. Some of the accumulators are monitored; the most-significant 8 bits of the 10-bit log-compressed value are watched. Also, the HV breakdowns are monitored. The monitoring is event driven: a monitor cycle is performed on each item as it becomes available. For example, each DPU analog is monitored when it is read from the A/D.
Each monitored item has a lower and upper limit. If an item is out of limits one cycle, but back within limits on the subsequent cycle, a transient alarm is reported. The alarm ID indicates the item being monitored and whether the value was too low or too high. The value accompanying the alarm is the out-of-limits data. If an item is either too high or too low for two consecutive monitoring cycles, a persistent alarm is reported. Again, the ID indicates the item being monitored, etc. The value accompanying the alarm is the second out-of-limits data value. If enabled via the H_MON_CNTRL command, the DPU will also act to eliminate the problem; a high or low response macro designated for the alarm is run.
If the item is out of limits for more than two cycles, indicating that the first response failed to eliminate the problem, more drastic action is taken. Monitors are divided into three classes; the class determines what action is taken. For count rate monitors, the macro is rerun. For temperature monitors, nothing is done. For current or voltage monitors, if enabled via command, the shutdown macro is run.
The following pseudo-code description of the normal and panic reactions to a high monitor summarizes the discussion above. The low responses are similar.
```
react_high:
    issue persistent high alarm
    if enabled (via H_MON_CNTRL command)
        execute high response macro for this alarm

panic_high:
    case of monitor class
        current/voltage:
            if enabled (via H_MON_CNTRL command)
                run shutdown macro
        temperature:
            nop
        count rate:
            if enabled (via H_MON_CNTRL command)
                execute high response macro for alarm
```
The monitored data is summarized in the following table. The monitor class is encoded as S=shutdown, N=nop, and R=redo. The reported alarm IDs are for low and high excursions; similarly there are low and high response macro IDs.
| Source | Class | Alarm ID Low | Alarm ID High | Macro ID Low | Macro ID High |
|---|---|---|---|---|---|
| Bias V | S | 128 | 192 | 19 | 19 |
| +30V Supply Voltage | S | 129 | 193 | 21 | 21 |
| +15V Supply Voltage | S | 130 | 194 | 21 | 21 |
| +5V Digital Supply Voltage | S | 131 | 195 | 4 | 4 |
| +5V Analog Supply Voltage | S | 132 | 196 | 17 | 17 |
| -5V Supply Voltage | S | 133 | 197 | 17 | 17 |
| +5V Digital Supply Current | S | 134 | 198 | 4 | 4 |
| +5V Analog Supply Current | S | 135 | 199 | 17 | 17 |
| -5V Supply Current | S | 136 | 200 | 17 | 17 |
| High Voltage Supply Current | S | 137 | 201 | 5 | 5 |
| Heater Supply Current | N | 138 | 202 | 23 | 22 |
| MCP Thermistor | N | 139 | 203 | 23 | 18 |
| SSD Thermistor | N | 140 | 204 | 23 | 18 |
| HENA Sensor Base Thermistor | N | 141 | 205 | 23 | 18 |
| Shutter Thermistor | N | 142 | 206 | 0 | 16 |
| MEU Thermistor | N | 143 | 207 | 0 | 1 |
| Start MCP Voltage | S | 144 | 208 | 7 | 7 |
| Stop MCP Voltage | S | 145 | 209 | 8 | 8 |
| Coinc MCP Voltage | S | 146 | 210 | 6 | 6 |
| Positive Collimator Voltage | S | 147 | 211 | 9 | 9 |
| Negative Collimator Voltage | S | 148 | 212 | 10 | 10 |
| analog ground/spare | N | 149 | 213 | 0 | 0 |
| digital ground/spare | N | 150 | 214 | 0 | 0 |
| SSD +5V Digital Voltage | S | 151 | 215 | 4 | 4 |
| SSD +5V Analog Voltage | S | 152 | 216 | 24 | 24 |
| SSD +5V Amptek Voltage | S | 153 | 217 | 20 | 2 |
| SSD -5V Analog Voltage | S | 154 | 218 | 24 | 24 |
| MCP +5V Voltage | S | 155 | 219 | 25 | 25 |
| MCP -5V Voltage | S | 156 | 220 | 25 | 25 |
| Shutter Status | N | 157 | 221 | 0 | 0 |
| Instrument Current | S | 158 | 222 | 2 | 2 |
| Shutter Current | N | 159 | 223 | 0 | 16 |
| Start Fast | R | 160 | 224 | 0 | 12 |
| Stop Fast | R | 161 | 225 | 0 | 13 |
| Coincidence | R | 162 | 226 | 0 | 11 |
| Energy | N | 163 | 227 | 0 | 20 |
| Positive Collimator Discharge | R | 164 | 228 | 0 | 14 |
| Negative Collimator Discharge | R | 165 | 229 | 0 | 15 |
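The transient, persistent and panic reactions for one monitored item, covering both low and high excursions, can be written as a per-cycle state machine. This is an added example, not the HENA flight code: the type and function names, the single `respond` flag standing in for the H_MON_CNTRL enables, and the `NO_MACRO` and `MACRO_SHUTDOWN` placeholders are hypothetical, and it assumes that consecutive out-of-limits cycles count together regardless of direction and that the panic action repeats on every cycle past the second.

```c
#include <stdbool.h>
#include <stdint.h>

typedef enum { CLASS_S, CLASS_N, CLASS_R } mon_class;     /* shutdown, nop, redo */
typedef enum { EV_NONE, EV_TRANSIENT, EV_PERSISTENT, EV_PANIC } mon_event;
enum { NO_MACRO = -1, MACRO_SHUTDOWN = -2 };   /* placeholders, not ids from the page */

typedef struct {
    mon_class cls;
    uint8_t lo, hi;                 /* lower and upper limit */
    uint8_t alarm_lo, alarm_hi;     /* alarm IDs, low / high */
    uint8_t macro_lo, macro_hi;     /* response macro IDs, low / high */
    int     run;                    /* consecutive out-of-limits cycles, saturates at 3 */
    bool    was_high;               /* direction of the latest excursion */
    uint8_t last;                   /* latest out-of-limits value */
} monitor;

typedef struct { mon_event event; uint8_t alarm_id, value; int macro; } mon_result;

/* One monitor cycle for one item; `respond` models the H_MON_CNTRL enable. */
mon_result monitor_cycle(monitor *m, uint8_t v, bool respond) {
    mon_result r = { EV_NONE, 0, v, NO_MACRO };
    if (v >= m->lo && v <= m->hi) {                 /* within limits this cycle */
        if (m->run == 1) {                          /* out for exactly one cycle */
            r.event = EV_TRANSIENT;
            r.alarm_id = m->was_high ? m->alarm_hi : m->alarm_lo;
            r.value = m->last;                      /* the out-of-limits data */
        }
        m->run = 0;
        return r;
    }
    m->was_high = v > m->hi;
    m->last = v;
    int macro = m->was_high ? m->macro_hi : m->macro_lo;
    if (m->run < 3) m->run++;                       /* 3 stands for "more than two" */
    if (m->run == 2) {                              /* second consecutive cycle */
        r.event = EV_PERSISTENT;
        r.alarm_id = m->was_high ? m->alarm_hi : m->alarm_lo;
        if (respond) r.macro = macro;               /* normal reaction */
    } else if (m->run == 3) {                       /* first response did not help */
        r.event = EV_PANIC;
        if (respond && m->cls == CLASS_S) r.macro = MACRO_SHUTDOWN;
        if (respond && m->cls == CLASS_R) r.macro = macro;   /* rerun the macro */
    }                                               /* CLASS_N: nothing is done */
    return r;
}
```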
Part of the DPU's memory is protected by error correction and detection coding. If any single bit is corrupted in any sixteen bit word (or in its check data), the bit will be corrected when the word is read. However, two corrupted bits cannot be corrected. Therefore, the DPU software periodically reads, then writes back, every memory word to correct lurking single bit errors.
The HENA DPU has a watchdog timer. If the watchdog timer is not tickled from time to time, the processor is reset. The watchdog timeout is 2.95 seconds. The watchdog does not run until it has been enabled; once enabled, it can never be disabled except by processor reset, watchdog or otherwise. The DPU monitors all periodic processes every second. If they are all running, the watchdog is tickled. Some aperiodic processes do not participate.
If the DPU does not receive any communications from the CIDP within 300 seconds, it runs H_SYS_SHUT in anticipation of losing power from the CIDP.
Report problems to John Hayes.