Command and Data Management Subsystem (CDMS) of the Rosetta Lander (Philae)
The European Space Agency’s Rosetta spacecraft was launched in March 2004 from Kourou, French Guiana. It will rendezvous with a comet called Churyumov-Gerasimenko beyond the orbit of Mars, and its Lander will descend onto the surface of the comet at 3 AU in 2014. The lifetime of the Lander on the surface of the comet should be at least four days, during which it will be powered by non-rechargeable primary batteries; solar panels will provide power for several months afterwards by charging secondary batteries.
Commissioned by MPE, our team designed the Command and Data Management Subsystem (CDMS) of the Rosetta Lander. The engineering model was manufactured in Hungary and the flight model by the Max-Planck Institute. CDMS is in charge of controlling the whole Lander operation, including preparations for separation from the orbiter, thermal and power management, as well as separation, descent and touchdown. In addition to playing an essential role in controlling the whole landing scenario, CDMS has the following tasks to perform on the comet’s surface: to receive and execute telecommands coming from Earth, to collect science and housekeeping information from the Lander’s subsystems and scientific experiments and send it to Earth, and to control the sequencing of science operations.
The structure of CDMS is modular. Its functional sub-units, plugged into a common motherboard, are as follows: two Data Processor Unit (DPU) boards, two Real Time Clock (RTC) boards, two Central Interface Unit (CIU) boards*1, two Mass Memory boards*2 and a Power Distribution board. The flight unit was manufactured in Germany, but our engineers carried out its integration.
Because of the vital tasks CDMS performs, it has to have a fault-tolerant architecture. The design baseline is that CDMS should remain functioning in all conceivable working combinations of its functional sub-units without any degradation in its functionality. Since in most of the mission phases there is no possibility of external intervention from Earth, CDMS should recognise any faults and then recover autonomously by ruling out failed functional sub-units and activating their redundant counterparts. The basic core that ensures fault tolerance is the pair of DPUs, both running in hot redundant mode. One of them, marked as the primary DPU, is in charge of performing the actual payload control. The other one, marked as the secondary DPU, keeps observing whether any change happens in the actual DPU roles, so that it can take over the primary role at any time in case of a fault in the primary one.
Both hardware means (watchdog, Hamming-coded instruction and data protection throughout the memory) and software means are implemented to support fast fault recognition and subsequent recovery. The DPU context data is a set of crucial data (variables, parameters, references to buffers and parameter tables) considered sufficient to reconstruct and restore an interrupted Lander control process with the "highest fidelity" possible. The current primary DPU saves it into the secondary one at regular intervals. The current secondary (future primary) DPU then takes this as the basis for rebuilding the operational environment if a role change occurs.
The Harris RTX2010 processor was selected for the DPU boards because it is the lowest-power, space-qualified, radiation-hardened 16-bit processor with the features needed for functions as complex as those CDMS has to perform. It is a stack-based, Forth-language-oriented processor with an exotic and challenging instruction set. CDMS is a real-time control and data acquisition system, and it has to process tasks in parallel. Therefore, a real-time, pre-emptive multitasking operating system has been developed to run the application tasks that execute the required functions in parallel.
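The role change described in the two paragraphs above can be sketched as a small simulation. This is an added example, not CDMS flight code (which runs on the RTX2010); the tick-based timing, the `SAVE_EVERY` and `TIMEOUT` values, the heartbeat flag and the contents of `context_t` are assumptions made for illustration.

```c
#include <stdio.h>
/* Hypothetical context record; the page only says it holds variables,
   parameters and references to buffers and parameter tables. */
typedef struct { unsigned step; } context_t;
typedef struct {
    int alive, primary;   /* unit health and current role */
    int heartbeat;        /* set by the peer while it is primary */
    unsigned silent;      /* consecutive ticks without a heartbeat */
    context_t live;       /* working state while primary */
    context_t saved;      /* last context received from the primary */
} dpu_t;
typedef struct { unsigned takeover_tick, resumed_step, lost_steps, final_step; } result_t;
enum { SAVE_EVERY = 5, TIMEOUT = 3 };   /* assumed values, in ticks */

/* Run `ticks` control cycles. DPU 0 starts as primary and stops
   working at tick `fail_at` (0 = never fails). */
result_t simulate(unsigned ticks, unsigned fail_at)
{
    dpu_t d[2] = { { .alive = 1, .primary = 1 }, { .alive = 1 } };
    result_t r = { 0, 0, 0, 0 };
    for (unsigned t = 1; t <= ticks; t++) {
        if (t == fail_at) d[0].alive = 0;
        for (int i = 0; i < 2; i++) {
            dpu_t *me = &d[i], *peer = &d[1 - i];
            if (!me->alive) continue;
            if (me->primary) {
                me->live.step++;                    /* payload control work */
                peer->heartbeat = 1;
                if (me->live.step % SAVE_EVERY == 0)
                    peer->saved = me->live;         /* periodic context save */
            } else if (me->heartbeat) {
                me->heartbeat = 0; me->silent = 0;  /* primary is healthy */
            } else if (++me->silent >= TIMEOUT) {   /* primary went quiet */
                r.lost_steps = peer->live.step - me->saved.step; /* sim-only */
                me->live = me->saved;               /* rebuild from context */
                me->primary = 1; peer->primary = 0; /* rule out failed unit */
                r.takeover_tick = t; r.resumed_step = me->live.step;
            }
        }
    }
    r.final_step = d[d[1].primary].live.step;       /* state of acting primary */
    return r;
}

int main(void)
{
    result_t r = simulate(25, 14);
    printf("takeover at tick %u, resumed from step %u, %u steps lost\n",
           r.takeover_tick, r.resumed_step, r.lost_steps);
    return 0;
}
```

With a failure at tick 14, the secondary takes over at tick 16 and resumes from step 10, so the three control steps performed after the last context save are not recovered. Shortening the save interval narrows that gap at the cost of more traffic between the two DPUs.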
*1 Developed by the KFKI Research Institute for Particle and Nuclear Physics
*2 Developed by the Finnish Meteorological Institute
Space and Ground Facilities Ltd.