sign in sign up
<<
Home , CONTOUR, Living With a Star, MESSENGER, New Horizons

An Incremental Strategy for Flight Software Reuse

Gary M. Heiligman, T. Adrian Hill, Robyn L. LeGrys, and Stephen P. Williams The Applied Physics Laboratory 11100 Johns Hopkins Road, Laurel, MD 20723-6099 mailto:[email protected]

Abstract IDPU software is delivered with the instruments; C&DH and G&C software are provided with the spacecraft bus. This paper describes a process of spacecraft flight In 1997, JHU/APL completed the critical design review software development that reuses requirements, designs, (CDR) for the TIMED mission. Mission-level CDRs for and implementations. Beginning in 1997, The Johns three other flight projects followed in quick succession: Hopkins University Applied Physics Laboratory CONTOUR in 2000, MESSENGER in 2002, and STEREO (JHU/APL) developed the flight software for five different in 2003. The CDR for a fourth mission, , space missions: (1) Thermosphere, , will also be held in 2003. Each of these missions requires Mesosphere Energetics and Dynamics (TIMED), (2) C&DH and G&C software; some require instrument Nucleus TOUR (CONTOUR), (3) software as well. Surface, Space ENvironment, , and Ranging As one of its unique capabilities, JHU/APL’s Space (MESSENGER), (4) Solar TErrestrial RElations Department provides experience and expertise in Observatory (STEREO), and (5) New Horizons, a mission developing and testing spacecraft flight software. A group to and beyond. JHU/APL met strict constraints of of less than 30 developers delivers the software for these budget and schedule by reusing products from each and future missions. Software reuse plays an important mission for the following one in a successively more role in the way the group creates these comprehensive fashion. Keys to the success of this reuse programs. are consistent external interface protocols, rigorous At JHU/APL, reuse consists of taking the requirements, requirements management, retention of the original designs, source code, and associated documentation from development documentation, use of a consistent past missions as the starting point for each new mission. development process, and a group organization that The developers of CONTOUR and later missions have fosters reuse. The reused packages include bootstrap, task succeeded in reusing incrementally greater portions of the scheduling, uplink, command handling, autonomy, and software from past missions in a process that we describe 1553 bus support. here. 2. Motivations for reuse

2.1. Reliability 1. Introduction Because failure of a critical computer program could The Johns Hopkins University Applied Physics easily lead to the loss of the entire mission, reliability is Laboratory (JHU/APL) has been developing spacecraft paramount for spacecraft flight software. JHU/APL flight software ever since the first general-purpose therefore takes a conservative approach to the were flown on spacecraft [1]. This software is development of both hardware and software. For example, of three types. JHU/APL uses only space-qualified, radiation-hard (1) Command and data handling (C&DH) programs processors and memory in its spacecraft. The development process telecommands, transmit , and tools (compiler, locator, and operating system) must also provide onboard data storage. be highly reliable. “Flight heritage”—the proven (2) Guidance and control (G&C) programs determine the capability of an article to perform to specifications in the spacecraft’s attitude and and control them. harsh environment of space—is considered an asset in (3) Instrument programs control and take data from the both hardware and software. payload and usually run on a dedicated instrument In software, flight heritage is obvious when source data processing unit (IDPU). code is reused from previous missions. However, flight heritage is also valuable for designs and requirements, mission all affect the software in fundamental ways. The because correctness of these products is just as critical to different mission drivers, though, are often the most mission success as bug-free software. critical barriers to reuse, because they may dictate that a solution that worked for past missions is untenable for the 2.2. Volume new mission. They may affect the level of autonomy, the The C&DH and G&C programs for each mission timing constraints, or the basic assumptions under which require tens of thousands of lines of code. Starting in the software must function. 1997, JHU/APL has had to develop spacecraft flight 3.2. Focus on individual missions means limited software at a rate of approximately one new mission per year. Developing this much software anew for each effort for reuse per se mission would strain JHU/APL’s in-house capability even Flight software development at JHU/APL is funded if time were not a factor. almost entirely by the individual missions. Mission managers are understandably reluctant to devote precious 2.3. Time dollars allocated to their own mission to fund reusability Deep-space missions must be launched on a schedule improvements that primarily benefit future missions. And dictated by the dynamics of the . In order to missions not yet funded for implementation generally are be ready for launch, the software must be developed, unable to provide the resources to ensure that a flight integrated, and tested. Thus reuse often becomes essential software product is developed for reusability. Thus there is even if the developers would like to make changes (for no ready pool of money for reuse per se. The staff efficiency, maintainability, reusability, etc.), because there organization within JHU/APL takes on the responsibility is simply not enough time. of fostering reuse as a part of its primary goal of developing mission-specific software. 3. Barriers to Reuse 4. Framework for reuse 3.1. Differences in mission-level requirements dictate different solutions 4.1. Hardware architecture The most important barrier to reuse is the different The spacecraft before TIMED distributed the data requirements at the mission level that lead to different processing over hardware in several different ways and software architectures. The five missions discussed in this used a variety of processors and implementation paper are the following. languages. Since then, however, three features have (1) TIMED is the first mission in NASA’s Solar contributed to the stabilization of G&C and C&DH Terrestrial Probes program. It studies the ’s software. upper atmosphere with four remote-sensing 4.1.1. The integrated electronics module (IEM). On instruments. It has performed its scientific mission TIMED and all subsequent missions, a PCI backplane successfully since its launch on December 7, 2001. connects the command and data handling (C&DH) (2) CONTOUR was a Discovery-class mission to explore processor, solid-state recorder, and transponder interfaces the diversity of . It performed flawlessly for six in one physical box: the IEM. Consistency of uplink weeks of phasing orbits, but it was destroyed on protocols is in part a result of this decision. Most missions August 15, 2002, during the solid- motor burn have two IEMs for full redundancy. that was to place it in heliocentric orbit. (3) MESSENGER is a Discovery-class mission to fly by 4.1.2. The UTMC SµMMIT chip. TIMED and all and orbit Mercury. It is manifested for launch on subsequent missions have used a consistent protocol and 10, 2004. hardware set to communicate between the processor and (4) STEREO is the third mission in NASA’s Solar many system components: the MIL-STD-1553B Notice 2 Terrestrial Probes program. It consists of two bus and the SµMMIT integrated circuit family from identical spacecraft in different heliocentric orbits. UTMC. Consistency of this interface enables much of the Launch (from a single vehicle) will occur in external communication software to be reused. November 2005. 4.1.3. The power distribution unit interface. On (5) New Horizons is the first mission to Pluto- and CONTOUR and all subsequent missions, electronics in the the of rocky, icy objects beyond. Launch power distribution unit provide the interface to the power is planned for January 2006. system electronics and some hardware We summarize the differences for these five missions (e.g., thrusters, -angle sensors, reaction wheels, and in the Appendix. The number and types of processors, solar-array drives). It translates 1553 bus messages into how they are interconnected, and the lifetime of the command signals to the hardware and translates data signals into 1553 bus messages. Consistency of this the developers reuse part or all of a product from an earlier interface also leads to software reuse. mission. Also, during the review of a partially reused design, the 4.2. Development methodology and language reviewers may find defects in a reused portion of the A shared methodology and language are essential for design. The corrective actions may apply to both the reuse. The flight software developers use a “waterfall” earlier and later missions; thus, corrective actions development methodology, as shown in Figure 1. themselves can be reused. Software Acceptance Requirements Requirements Test Plan Review Test Plan 4.4. Process documentation Definition Review (Each Build) Generation Each mission requires a software development Preliminary Preliminary Design Design management plan (SDMP) tailored to its unique needs. Review Large portions of this document are often reusable. Detailed Detailed Design Perhaps more importantly, consistency of the software Design Review modus operandi means that the developers need not learn

Code a new way of doing business when they begin work on a Code Walkthroughs mission. It is particularly important that the graphical design notation not change, because these products are Unit Test both time-consuming to produce and nontrivial to review.

Build 4.5. Development tools Integration Repeat for and Test Each Build For a mission to reuse the development products of a Acceptance Test preceding mission efficiently, paper copies are inadequate. (Each Build) The reason is that the products inevitably require tailoring Final Release for each new mission. JHU/APL addresses this problem in two ways: by using a consistent tool set across missions Figure 1. The flight software development and by retaining the development products from past methodology missions in their original form. Table 1 is a list of the tools most heavily used for The design methodology, based on the process of software development Shumate and Keller [2], is tailored for the development of mission-critical, embedded, real-time software. Program Table 1. Development tools definition language (PDL) is used in addition to the Product Tool Vendor Shumate-Keller graphical notation to describe functional designs. The designs are implemented in the C Itemized requirements DOORS Telelogic programming language as set forth in the ANSI 1990 Diagrams VISIO Microsoft standard [3]. Commands and telemetry Excel Microsoft 1553 bus schedules Excel Microsoft 4.3. Reviews and code walkthroughs Process documentation Word Microsoft One of the most important contributing factors to Presentation graphics PowerPoint Microsoft effective reuse at JHU/APL is the participation of developers from other missions on each mission’s review In addition, where the hardware permits, JHU/APL also panels. The Space Department’s policies and procedures uses a consistent development environment. For example, dictate that for each mission all requirements, all designs, MESSENGER and STEREO both use VxWorks 5.3.1 and and all new code must be peer-reviewed. The reviews Tornado 1.0.1 from River Systems with the Multi follow a set procedure, and every review panel must 1.8.8 C compiler from Green Hills Software. TIMED, include a participant not involved with the development of CONTOUR, and New Horizons use Nucleus+ from that mission. Accelerated Technologies and the Tasking C compiler. Thus developers of later missions learn about products 4.5.1. Retention of editable electronic copies. The from earlier missions. Often, this knowledge comes at a documentation for each mission is delivered into a formal stage such that the product can be reused in the later configuration control system. However, this system mission with minimal effort. usually accepts documents in Microsoft Word or Adobe When the outside reviewer is from a mission at a later PDF format. For reuse it is critical that the products from stage of development, the reviewer may recommend that each phase of the development project be retained in an editable form so that they can be tailored for the next mission. Thus the DOORS, VISIO, PowerPoint, etc. Products of the development process are listed in Table documents in their native formats are kept intact past the 2. Those that are reused in whole or in part are in boldface. end of the mission so they can be reused. Table 2. Reusable development products 4.5.2. Isolating changes to reused software. One of the biggest challenges to partial reuse is determining Phase Products whether a change from heritage introduces a defect. At Requirements Itemized requirements JHU/APL, the solution is to review the reused products definition Acceptance test plan (and the new ones) for each mission, with two exceptions. Context diagrams First, fully reused source code is not inspected. Second, Preliminary design Task communication graphs the reused portion of partially reused source code is not Software architecture diagrams inspected unless the interface or environment changes. Data flow diagrams Commands and telemetry 4.6. Group organization Bus schedules The Embedded Applications Group of JHU/APL’s Detailed design Task flow diagrams and PDL Space Department is responsible for developing spacecraft Method flow diagrams and PDL flight software. This organization provides the physical Package diagrams space, desktop computers, and office software for the Dependency diagrams developers (the missions provide development host Header files computers, development tools, and the target platforms). It Coding Source code files also sets policies and procedures, provides training, Unit test Unit test harnesses manages the staff, and defines the culture in which the (All phases) Software development developers work. The individual developers are usually management plan assigned to only one mission at a time, so it is through the Coding standards group organization that reuse is fostered. Two factors assist in fostering reuse. In general, the product types that are reusable are “building blocks”; those that are not reusable describe how 4.6.1. A culture of mutual assistance. If a project fails, the building blocks are put together. For example, the task JHU/APL views it as a failure of the entire organization. communication graphs describe how all the flight software Thus developers are not motivated to segregate themselves functions work together: because the spacecraft have on their own projects and responsibilities; instead, they are different functional roles these diagrams are generally not encouraged to communicate with developers on other reusable. On the other hand, task flowcharts describe the projects and with subsystems outside of flight software on operation within a given functional area: these are often their own missions. The group management facilitates this reusable because the functional task and its requirements communication by keeping the group apprised of the are reused from mission to mission. progress of each mission and encouraging the sharing of lessons learned. Developers can spend a limited amount of 5.2. Requirements definition time attending meetings or answering questions not An essential feature of JHU/APL’s development directly related to their primary mission without charging process is careful management of requirements. a special budget. This encourages a culture of mutual Developers of each mission review software requirements assistance, which is essential for reuse to succeed. to ensure that they are itemized, complete, consistent, 4.6.2. An emphasis on heritage as an asset. JHU/APL unambiguous, verifiable, and traceable to the parent advocates that developers be able to answer the question system specification. The requirements management tool “What did past missions do?” before creating their own (DOORS) organizes the requirements hierarchically, so new requirements, designs, or code. Because the design developers of successive missions can select individual documentation from the previous missions is readily requirements, modules, sections, or even whole documents available, answering this question is typically easier than for reuse. creating a new document. This type of reuse is enormously valuable because all the succeeding development phases can take as their 5. Incremental reuse at each development starting point the products from a previous mission. phase Measures of requirements reuse are probably a better indicator of software heritage and reliability than metrics 5.1. Reusable development products at later phases. 5.3. Preliminary design The developers perform functional and structural design, and the addition propagates through package decomposition during this phase, i.e., they identify tasks diagrams, flowcharts, header files, and source code. (threads of program execution) and packages (mutually dependent groups of functions and data structures). Many 6. Reused functional areas individual tasks are reused from mission to mission. But Table 3 provides a summary of the functional areas that the task communication graph tends not to be very have been or are being reused by the sequence of missions reusable because the way that the tasks interact with one starting with TIMED. Items in italics achieved a level of another varies widely from mission to mission. Similarly, reuse of 50% or more. many individual packages are reused repeatedly. But the software architecture diagram that describes how packages Table 3. New and reused functional areas depend on one another varies considerably for each Functional area New Reuse mission. development(s) Within packages and tasks, data flow diagrams and the Bootstrap TIMED CONTOUR data dictionaries are heavily reused. Reusing command New Horizons and telemetry descriptions is valuable at this stage because Bootstrap MESSENGER STEREO the detailed designs and implementations follow directly Uplink TIMED CONTOUR from the description of the command. MESSENGER 5.4. Detailed design STEREO New Horizons The developers define the package diagram—the Command TIMED CONTOUR functions and data stores implemented by each package— executive and MESSENGER during detailed design. This product is highly reusable macros STEREO from mission to mission, although functions are frequently New Horizons added or removed during the development process. Task scheduler CONTOUR MESSENGER Application program interfaces (APIs) are also defined Preliminary design, STEREO during this phase. When an API can be reused from a detailed design, and New Horizons previous mission, all the detailed designs and code that use code that API are more reusable. As with the software 1553 bus support CONTOUR MESSENGER architecture diagram, the dependency diagram—the “who Requirements, STEREO calls whom” graph—tends to be less reusable because the preliminary design, New Horizons way that packages fit together varies from mission to and code mission. In detailed design, developers represent the functional Hardware-specific TIMED CONTOUR flow of tasks and methods with either graphical notation utilities New Horizons or pseudocode. These products are reusable either in Detailed design and whole or in part when the functional areas they implement code are similar. Hardware-specific MESSENGER STEREO utilities 5.5. Code Detailed design and code Source code reuse is the most rudimentary form of Autonomy and TIMED CONTOUR reuse. Mission management often measures reuse at this time-tagged rules MESSENGER level because it is a convenient metric for flight heritage. STEREO However, it is an inconsistent indicator of software New Horizons reliability unless the products from preceding phases are reused. In other words, if heritage source code is used in Autonomy reverse MESSENGER STEREO New Horizons new ways, new defects may manifest themselves. polish notation Rather than dictate full reuse in such cases, JHU/APL advocates incremental reuse when the interfaces must be 6.1. Bootstrap different but the underlying algorithms are the same. An example of this incremental reuse occurs when a resource The bootstrap program takes the processor from its is used by only one task in one design but shared by many initial—possibly indeterminate—state after reset to the tasks in a later design. When this pattern occurs the shared point that the spacecraft flight application can start. resource requires a protection mechanism (e.g., a mutual On spacecraft that have fully redundant processors, the exclusion semaphore). This is added during package bootstrap program also provides access to the backup processor while the primary processor runs the flight two functional areas that are reused: one for the bus application. The and extent of this capability is controller and another for the remote terminal. determined during requirements definition and affects the itemized requirements and preliminary design products. 6.6. Hardware-specific utilities Much of the detailed design is dependent on the Detailed designs and code that provide a layer of processor and operating system, so there are two lineages abstraction to the hardware can be reused when the target in the later development phases. The MESSENGER- hardware and O/S are the same from mission to mission. STEREO lineage uses the BAE RAD6000 processor and The bootstrap program and the task scheduler overlap with VxWorks; the TIMED-CONTOUR-New Horizons lineage this functional area of reuse. Among the utilities that are uses the Synova Mongoose V processor and Nucleus+. reused are the following. 6.2. Telecommand packet handling 6.6.1. Non-volatile memory programming. STEREO reuses MESSENGER’s designs and code for writing to For spacecraft uplink, TIMED developed the interface electrically erasable programmable read-only memory to the spacecraft transponder and identified formats and (EEPROM). TIMED, CONTOUR, and New Horizons use protocols from the Consultative Committee on Space Data for long-term storage, and there is Standards (CCSDS). All missions following have held extensive reuse of these designs and code as well. largely to these decisions, so there is a great deal of reuse of these products. 6.6.2. Peak power tracking. The power distribution unit transmits data to the processor, which then calculates 6.3. Command executive, macros, autonomy, and a voltage regulator setting that optimizes the power from time-tagged rules the solar array and the charging of the battery. This The developers of TIMED created requirements, algorithm and much of the software that implements it are designs, and code that defined how the spacecraft executes reused from TIMED for MESSENGER and STEREO. individual commands, command sequences (“macros”), CONTOUR used fixed power settings, and New Horizons and commands that must be executed at a specific time. uses a radioisotope thermoelectric generator (RTG), so This functional area has remained stable throughout the they do not reuse this software. succeeding sequence of spacecraft. A key part of the 7. Example of incremental reuse: autonomy TIMED design that is carried over to following missions is the API: the function calls and signatures needed to fit a One criticism of “institutionalized” reuse is that it often new command into the design framework are the same. stifles the ability to insert new technologies into already existing systems. JHU/APL has successfully applied the 6.4. Task scheduler approach of incremental reuse in the area of flight How tasks are scheduled and synchronized is one of the software that performs autonomy by expanding the essential elements of preliminary design. The design capability of the on-board software from mission-to- developed for TIMED is used on succeeding missions, mission while maintaining significant reuse at both the albeit tailored for the two different target environments. design and coding levels. The source code must be modified for each mission to The JHU/APL missions use an on-board autonomy handle the differences in timing requirements and task engine that is capable of evaluating autonomy rules used lists. for spacecraft health and safety. An autonomy rule contains a premise (e.g., battery temperature > 30°C), 6.5. MIL-STD-1553B bus support persistence limits (how long the condition must persist), Although the MIL-STD-1553 bus architectures and and a response (usually a command or macro that is schedules are very different for each mission, the executed to respond to the condition). The autonomy rules requirements for bus support are fairly similar; these and are not compiled into the flight software; rather, they are some preliminary designs are reusable. TIMED developers designed by the spacecraft Safing Engineer and loaded to created a spreadsheet template to develop the bus the spacecraft. The on-board autonomy engine flight schedules that following missions have reused. software executes and acts on the loaded rules. At the detailed design level, however, each mission is At the heart of the on-board autonomy engine is the unique. This is because each message type requires its Data Collection Buffer (DCB). The DCB is a collection of own processing. Thus much of the detailed design and the data points from all subsystems on the spacecraft that is application levels of code are not reusable. populated by the flight software and is refreshed at a 1 Hz Bus support software beneath this layer is more rate. DCB data include hardware data such as raw reusable. The function calls that exchange data with and voltages, currents, and temperatures, and software data control the SµMMIT chip are reused. There are actually such as counters and flags. These points are all available for use by the Safing Engineer for autonomy rules the existing design and implementation from a previous premises. mission (CONTOUR). 7.1. TIMED capability 8. Plan for the future On TIMED, C&DH developers introduced the The motivations for software reuse will only increase in autonomy engine to the flight software. The software the future. Where reuse enables JHU/APL to develop implementation provided support for performing simple reliable flight software rapidly at low cost, new missions arithmetic and relational operations of data points in the will pursue it. Two trends in particular are expected to DCB. There were a limited number of predefined affect the software development process and software expression formats that could be used as the premise of the reuse. rule (e.g., “A > B AND C > D”). The software API included methods to evaluate the rule premises, increment 8.1. New hardware platforms persistence counters, fire commands and macros, as well Only radiation-hardened microprocessors can be used as support enabling and disabling autonomy rules and for mission-critical applications in . resetting running persistence counters. Development of these processors lags conventional 7.2. CONTOUR enhancements processor development by several years; nonetheless, new generations of computer architecture become available to Both developers and operators recognized a need to flight software developers and old generations become expand the capability of the autonomy engine. The obsolete. For example, the BAE RAD750 processor (a TIMED version treated all DCB data points as 16-bit radiation-hardened Motorola XPC750) will supersede the unsigned integers. While this was adequate for most cases RAD6000. there was a need for greater flexibility. On CONTOUR, Using newer processors affects the software the team enhanced the flight software implementation to development process in several ways. First, any time the support the use of 32-bit unsigned integers and IEEE-754 processor or the tool chain changes at least some of the 32-bit single precision floating point in the premise of code becomes obsolete. JHU/APL’s incremental reuse rules. This provided far greater flexibility to the Safing strategy is well suited to deal with these changes, because Engineer in the development of the rules. Despite this they can be isolated by phase and/or functional area and increased capability, CONTOUR reused more than 90% of products not affected by the change can be reused. This is the design and implementation directly from TIMED. particularly true at the requirements level. Furthermore, the changes were isolated to specific Second, because they are faster than older processors, methods, and the API remained generally unchanged. This newer processors typically perform more functions in their minimized impact to other subsystems within the software flight programs. This is likely to lead to fewer processors while providing greater capability. with more functions in each. For example, the G&C and C&DH functions can be combined into a single complex 7.3. MESSENGER enhancements program on a single processor. The reused designs from On MESSENGER, an even more powerful change was individual programs can be combined in such a case; introduced: a Reverse Polish Notation (RPN) evaluation however, the more complex the software, the more ways engine. Instead of restricting the rule premises to a list of that it can fail. predefined expressions, the RPN engine allowed any Third, more modern software tools are available on arbitrary combination of DCB data points, constants, and newer processors. These include more mature compilers operators to be used as the premise of a rule. In addition, following more modern language standards, full-featured the list of possible operators found in rule premises was debuggers, tools for visualizing processor performance, expanded. An entire new software implementation was and stable operating systems. The use of these tools is required to perform the rule premise calculations using likely to lead to a more reusable base of flight software RPN. This replaced the older style premises with products because fewer modules will be the result of predefined expression formats. Despite this significant customizing to meet the foibles of a less-mature tool. new development, the remaining elements of the autonomy implementation were directly reused from 8.2. Unattended operation CONTOUR, including all of the management required to Increased spacecraft autonomy is perhaps the dominant maintain persistence counters, fire commands and macros, trend in spacecraft flight software innovation today. Deep etc. This implementation will be used on both STEREO space missions must carry out their missions without and New Horizons. Again, a new technology and oversight from the ground because the round-trip light expanded capability was introduced while still leveraging travel time makes real-time remote operation impossible. For near-Earth missions the motivation for autonomous operation is cost: multi-mission programs continually design, and code developed for the sequence of missions strive to decrease the recurring cost of operations in order described here in order to minimize operational costs. to fund the next generation of spacecraft. TIMED has already made significant strides in the 9. References realm of unattended operations: operations of the [1] Malcom, , and Utterback, Harry K., “Flight Software instruments and the spacecraft are decoupled, and most in the Space Department: A Look at the Past and a View Toward ground contacts are now unattended. STEREO expects to the Future”, APL Tech. Dig. 20, JHU/APL, Laurel, MD, Oct – achieve a similar level of autonomy during its operational Dec 1999, pp. 522 – 532. phase. The next JHU/APL challenge will be two Geospace missions: Ionosphere-Thermosphere Storm Probe (ITSP) [2] Shumate, Ken, and Keller, Marilyn, Software Specification and Radiation Belt Storm Probe (RBSP) are part of and Design: A Disciplined Approach for Real-Time Systems, Wiley, New York, 1992. NASA’s “Living With a ” program. They will doubtlessly reuse much of the base of requirements, [3] International Standard ISO/IEC 9899:1990: Programming Languages—C, ISO, Geneva, 1990.

Appendix: Diversity of JHU/APL spacecraft missions

TIMED CONTOUR MESSENGER STEREO New Horizons Mission 2 years, 625 km 5 years, 1 AU 5 years transfer, 1 2-5 years, 1 AU 15+ years, Solar profile Earth orbit heliocentric orbit year Mercury orbit heliocentric orbit System escape Integrated 2 2 2 1 2 electronic modules (IEMs) Computers 1 C&DH 1 C&DH 1 C&DH / G&C 1 C&DH 1 C&DH per IEM 1 GPS Nav 1 G&C 1 Fault protection 1 G&C 1 G&C Processor 12 MHz 12 MHz 25 MHz 25 MHz 12 MHz architecture Mongoose V Mongoose V RAD6000 RAD6000 Mongoose V (MIPS R3000) (MIPS R3000) (IBM RS/6000) (IBM RS/6000) (MIPS R3000) Operating Nucleus+ Nucleus+ VxWorks VxWorks Nucleus+ System Solid-state 2.5 Gbit DRAM 5 Gbit DRAM 8 Gbit SRAM 8 Gbit SRAM 64 Gbit Flash recorder Power system Movable solar Fixed solar array Movable solar Fixed solar array Radioisotope array array thermoelectric Attitude 0.05° (actual) 0.1° (planned) 0.02° (planned) 0.002° (planned) 0.002° (planned) control G&C sensors Sun sensor, star Earth-Sun sensor, Sun sensor, star Sun sensor, star Sun sensor, star trackers, gyros, star trackers, trackers, gyros tracker, gyros trackers, gyros GPS gyros G&C Reaction wheels, Thrusters Reaction wheels, Reaction wheels, Thrusters actuators torque rods, solar thrusters, , thrusters, antenna array drive solar array drive Instrument 1553 bus (all) 1553 (mass spec.) Dedicated (imager) 1553 bus (all) Dedicated (all) data interface Dedicated (others) 1553 bus (others) Downlink 10kbps – 4Mbps 10bps – 255kbps 10bps – 104kbps 11bps – 720kbps 10bps – 104kbps Mission Decoupled Non-repeatable Mercury orbit Attitude jitter, Non-repeatable drivers instrument encounters, open- thermal, non- decoupled encounters, RTG, operations loop maneuvers repeatable instrument lifetime encounters operations