Spacecraft computing systems with high-level specifications and FPGAs by Ong, Elwin, 1979-
Spacecraft Computing Systems with 
High-Level Specifications and FPGAs 
BY 
Elwin C. Ong 
B.S. Aerospace Engineering 
University of California, Los Angeles (2001) 
S.M. Aeronautics and Astronautics 
Massachusetts Institute of Technology (2003) 
Submitted in partial fulfillment of the requirements for the degree of 
Doctoral of Philosophy in Aeronautics and Astronautics 
at the 
Massachusetts Institute of Technology 
May 11, 2006_5 
C&\k*% AGWk< 
8 2006 Massachusetts Institute of Technology 
/r A 
Author 
May 11, 2006 
-- ----- --- 
Nancy G. Leveson, Professor 
Committee Chair, Department of Aeronaecs - - and Astronautics 
Certified by - 
Srini Devadas, Professor 
Depawent of Electrical Engineering and Computer Science 
Certified by I - V 
Richard Katz 
1 1 h NASA Goddard, Offite of Logic Design 
- 
Accepted by t 
Jaime Peraire, Professor 
Chair, Committee on Graduate Students, 
Department of Aeronautics and Astronautics 
OF TECHNOLOGY 

Spacecraft Computing Systems with 
High-Level Specifications and FPGAs 
BY 
Elwin Ong 
Submitted to the Department of Aeronautics and Astronautics 
on May 11, 2006 in partial fulfillment of the requirements for the 
Degree of Doctor of Philosophy 
Abstract 
A typical modem spacecraft requires computer processing in every major subsystem. The 
most popular method to carry out these processing requirements involves the use of a 
primary computer based on microprocessors. To carry out each spacecraft's unique processing 
requirements, custom software is specified, written, compiled, and executed by the 
microprocessors. The current process leads to a dedicated group of software engineers to 
design and create spacecraft software. This process is expensive and error-prone. Errors that 
occur during the translation of subsystem specifications into software specifications have led 
to failures and anomalies. 
This thesis describes a new methodology and toolsets that allow spacecraft subsystem 
engineers to capture and analyze typical spacecraft processing requirements in a unified and 
formal specification methodology. Subsystem engineers capture processing requirements with 
a pair of formal high-level specification languages specifically designed for spacecraft 
requirements. Control-oriented requirements such as fault detection and isolation features 
are captured with SpecTRM-RL, while data-oriented requirements such as control law 
algorithms are captured in a new language and toolset called Octavia. Once subsystems 
engineers have completed the high-level specifications, the specifications are automatically 
converted into a combination of software code and hardware descriptions using a set of 
autocode generators. Using recent advances in Field Programmable Gate Array (FPGA) 
technology, a unique computing system can be synthesized from the autocode generated 
components. 
Thesis Supervisor: Nancy G. Leveson, Ph.D. 
Title: Professor of Aeronautics and Astronautics 

Acknowledgments 
I would like to thank my thesis committee for their guidance and support throughout this 
challenging academic process. I would like to thank my thesis supervisor, Nancy Leveson for 
her generous support and for giving me the opportunity to work with her throughout my 
career at MIT. I have learned a great deal more than I could have imagined because of her 
direction. I would also like to thank Srini Devadas and Richard Katz who provided 
invaluable insights and expertise for this thesis. You have made the work thoroughly 
enjoyable. Thanks to my thesis readers, Raymond Sedwick and Kristina Lundqvist. Thanks 
also to Igor Kleyner and David Petrick at NASA Goddard who provided much needed 
technical assistance. 
I would like to express my gratitude to my parents and my family. I would especially like to 
thank my mother for her continued patience. Mom, I'm sorry, but this might not be the last 
degree I collect. 
I would like to thank all my friends and colleagues and everyone I've met and worked with 
throughout my time here at MIT. I would especially like to thank Karen for her invaluable 
friendship and counsel during the course of writing this thesis. I owe a debt of gratitude to 
the friends I've made on the East-side: JK, Natasha, Mirna, Kathryn, Ping, Gerry, Jamie, 
Frank, JT, Victor, Polly, Miwa, Steve, Thomas, Brad, Seth, Geoff, Damian, and Nik. I want to 
also thank all the Professors and Academic Staff who have helped me throughout my long 
academic career. I want to especially thank the staff of the MIT Aero/Astro department: 
Marie, Barbara, Phyllis, and Brian. 
Finally, I want to thank my Freckles. Thanks for making me laugh and smile, always. 
Contents 
....................................................................................................................... Acronyms List -13 
........................................................................................................................ 1 . Introduction 15 
....................................................................... 1.1 Brief History of Spacecraft Computing -16 
............................................................................................................. 1.2 Current Issues -18 
...................................................................... 1.2.1 Hardware Development Issues 18 
...................................................................... 1.2.2 Software Development Issues -20 
....................................................................... 1.2.3 Issues Related to Complexity -21 
...................................................... 1.2.4 Issues Related to Engineering Interfaces -22 
......................................................................................................... 1.3 Thesis Objectives 24 
.............................................................................................................. 1.4 Thesis Outline 25 
................................................................................... 2 . Spacecraft Hardware and Software -26 
................................................................................................... 2.1 Spacecraft Hardware 29 
..................................................................................................... 2.1.1 Memories -29 
............................................................................................ 2.1.2 Microprocessors 30 
2.1.3 FPGAs ............................................................................................................ 31 
................................................................................ 2.1.4 Space Radiation Effects -34 
..................................................................................................... 2.2 Spacecraft Software 35 
2.2.1 Advantages of High-Level Specifications and Autocode Generation ............. 36 
................................................................... 2.2.2 Control-Oriented Methodologies 37 
...................................................................... 2.2.3 Data-Oriented Methodologies -42 
........................................................................................... 2.3 Co-design Methodologies -47 
............................................................ 2.3.1 Survey of Co-Design Methodologies -48 
..................................... 2.3.2 Comparison of Co-design Methodologies to Thesis -51 
2.4 Chapter Summary ........................................................................................................ 54 
3 . High-Level Specifications .................................................................................................. -55 
3.1 Chapter Outline .......................................................................................................... -57 
3.2 SpecTRM.RL ................................................................................................................ 58 
............................................................. 3.2.1 SpecTRM-RL Syntax and Semantics 59 
3.2.2 Structure of SpecTRM-RL ............................................................................. 60 
3.2.3 SpecTRM Toolset ......................................................................................... -70 
3.2.4 Automatic Analysis Tools ............................................................................. -72 
................................................................................ 3.2.5 SpecTRM-RL Summary -75 
3.3 Octavia ........................................................................................................................ 75 
3.3.1 Octave ........................................................................................................... 76 
3.3.2 Control Theory Toolbox ................................................................................ 78 
3.3.3 Octavia Block Diagram Language and Toolset .............................................. 81 
3.3.4 Verification of Octavia .................................................................................. 83 
......................................................................................... 3.3.5 Octavia Summary 84 
3.4 Chapter Summary ....................................................................................................... -85 
4 . Autocode Generators .......................................................................................................... 86 
4.1 Chapter Outline .......................................................................................................... -86 
4.2 SpecTRM-RL to VHDL Generator ............................................................................... -87 
4.2.1 SpecTRM-RL FSM ......................................................................................... 87 
4.2.2 VHDL Features .............................................................................................. 90 
4.2.3 SpecTRM-RL to VHDL ................................................................................... 93 
4.2.4 SpecTRM-RL to VHDL Generator Summary ................................................ 101 
4.3 Octavia to C Generator .............................................................................................. 101 
4.3.1 C Programming Language ........................................................................ . lo1 
4.3.2 Octavia to C ............................................................................................... -102 
4.3.3 Octavia to C Generator Summary .............................................................. -107 
4.4 SpecTRM-RL to C Generator ..................................................................................... 108 
4.4.1 Octavia to C ............................................................................................... -108 
4.4.2 SpecTRM-RL to C Generator Summary ....................................................... 113 
4.5 Verification of Autocode Generators .......................................................................... 113 
4.5.1 SpecTRM-RL to VHDL Generator Verification Process ................................ 114 
............................................... 4.5.2 Octavia to C Generator Verification Process 115 
...................................... 4.5.3 SpecTRM-RL to C Generator Verification Process 116 
..................................................................................................... 4.6 Chapter Summary -116 
..................................................................................................... 5 . Landsat 7 Backup ACS -118 
........................................................................................................ 5.1 Chapter Outline -120 
................................................................................. 5.2 Landsat 7 Spacecraft Overview 121 
............................................................................ 5.2.1 Backup ACS Components 122 
...................................................................................... 5.2.2 FDIR Specification 122 
.............................................................................. 5.2.3 Control Law Algorithm -125 
.......................................................................................... 5.3 High-Level Specifications 127 
......................................................................... 5.3.1 SpecTRM-RL Specification -128 
................................................................................. 5.3.2 Octavia Specification -140 
................................................................................. 5.3.3 Specification Analyses 142 
............................................................ 5.3.4 High-Level Specifications Summary 143 
................................................................................................ 5.4 Autocode Generators -144 
................................................................................ 5.4.1 SpecTRM-RL to VHDL -144 
................................................................................................ 5.4.2 Octavia to C 144 
........................................................................................ 5.4.3 SpecTRM-RL to C 145 
.................................................................... 5.4.4 Autocode Generator Summary 145 
.......................................................................................... 5.5 FPGA Computing System -145 
........................................................................ 5.5.1 Memec Design FPGA Board 145 
.......................................................................................... 5.5.2 FPGA Synthesis -148 
........................................................... 5.5.3 FPGA Computing System Summary -152 
.......................................................................................... 5.6 Closed-Loop Simulations -153 
........................................................................................ 5.6.1 Simulation Setup 153 
..................................................................................... 5.6.2 Simulation Results -156 
............................................................ 5.6.3 Closed-Loop Simulations Summary 158 
..................................................................... 5.7 Hardware versus Software Evaluation -159 
..................................................................................................... 5.8 Chapter Summary -161 
..................................................................................................................... 6 . Conclusions -163 
........................................................................................................ 6.1 Thesis Summary 164 
............................................................................................................. 6.2 Contributions 165 
............................................................................................................. 6.3 Future Work -167 
....................................................................................................................... Bibliography -169 
............................................................ Appendix A - Landsat 7 SpecTRM-RL Specification 173 
........................................................................ Appendix B - Landsat 7 VHDL Description -175 
....................................................................... Appendix C - Landsat 7 Octavia C Program -177 
............................................................... Appendix D - Landsat 7 SpecTRM-RL C Program 179 
..................................................................... Appendix E - Landsat 7 Simulation Program -181 
List of Figures 
................................................. Figure 1: Current Spacecraft Software Development Process 20 
............. Figure 2: Computer Processing Requirements of Landsat 7 . Adapted from [SAB05] 26 
Figure 3: Typical Spacecraft Computing Architecture ............................................................. 28 
Figure 4: Simple Spacecraft Mode State Transition Diagram .................................................. 38 
Figure 5: Example of super-states in Statecharts ..................................................................... 39 
........................................................... Figure 6: Intent Specifications. adapted from [LEVOO] 41 
.................................................... Figure 7: Block diagram description of spacecraft velocity -44 
Figure 8: Block-diagram of a control law. adapted from [WIK06] .......................................... 45 
Figure 9: New Design Process Interface .................................................................................. 55 
.................................................... Figure 10: High-Level View of Process Described in Thesis -56 
.............................................................................. Figure 1 1 : Example of an AND/OR Table -60 
............................................................................ Figure 12: Structure of SpecTRM-RL Model 61 
............................................................................. Figure 13: Example of an Output Element -62 
................................................................................. Figure 14: Example of an Input Element 64 
................................................................................. Figure 15: Example of a Mode Element -66 
........................................................................ Figure 16: Example of a State Value Element -67 
.................................................................................. Figure 17: Example of a Macro element 69 
Figure 18: Example of SpecTRM-RL Function Element ........................................................... 70 
Figure 19: SpecTRM Toolset Environment .............................................................................. 71 
..................................................................................... Figure 20: Nondeterminism Analysis -73 
......................................................................... Figure 2 1 : SpecTRM Simulator Environment -74 
Figure 22: Octave Command Line Interface ............................................................................ 77 
Figure 23: Example of GNU Plot Output ................................................................................. 78 
Figure 24: Impulse and Step Input Responses in Octave ......................................................... 79 
Figure 25: Bode and Nyquist Frequency Response Outputs .................................................... 80 
Figure 26: Screen shot of Octavia Environment ...................................................................... 82 
........................... Figure 27: SpecTRM-RL Element and Equivalent State Transition Diagram 88 
Figure 28: Interconnected FSMs in a SpecTRM-RL Specification ............................................ 89 
Figure 29: VHDL Data-Types ................................................................................................... 90 
Figure 30: Example of a VHDL Process Statement ................................................................. -92 
Figure 31: Auto-Generated WDL Description for SpecTRM-RL Output Element ................... 94 
Figure 32: Auto-Generated VHDL Description of SpecTRM-RL Input Element ....................... 96 
Figure 33: Auto-Generated VHDL Description of SpecTRM-RL Mode Element ....................... 98 
................... Figure 34: Auto-Generated VHDL Description of a SpecTRM-RL Macro Element 99 
................ Figure 35: Auto-Generated VHDL Description of SpecTRM-RL Function Element 100 
Figure 36: Simple Octavia Block Diagram Specification ....................................................... 103 
Figure 37: Auto-Generated C Program from Octavia Specification ....................................... 105 
Figure 38: Auto-Generated C Code from SpecTRM-RL Output Element ............................... 108 
Figure 39: Auto-Generated C Code for SpecTRM-RL Input Element ..................................... 110 
Figure 40: Auto-Generated C Code for SpecTRM-RL Mode Element .................................... 111 
Figure 41: Auto-Generated C Code for SpecTRM-RL Macro Element ................................... 112 
Figure 42: Auto-Generated C Code for SpecTRM-RL Function Element ............................... 113 
Figure 43: ModelSim Simulation Environment .................................................................... -115 
Figure 44: From Specifications to FPGA Computing System ................................................. 119 
Figure 45: Landsat 7 Spacecraft ............................................................................................ 121 
Figure 46: Backup ACS Control Law Block.Diagram, derived from [MM195] ...................... 126 
Figure 47: Landsat 7 Backup ACS SpecTRM-RL Model ......................................................... 128 
Figure 48: IMU Attitude Rate A Input Element ..................................................................... 129 
Figure 49: IMU Attitude Rate Limit Check Macro ................................................................. 130 
Figure 50: IMU Channel Input Element ................................................................................ 132 
Figure 51 : IMU Health State Value Element ........................................................................ -133 
Figure 52: RWA Health State Value Element ........................................................................ 134 
Figure 53: ACS Mode SpecTRM-RL Element ......................................................................... 136 
Figure 54: RWA Torque Output Element ............................................................................ 137 
Figure 55: Octavia Interface SpecTRM-RL Element .............................................................. 139 
Figure 56: Octavia Interface SpecTRM-RL Element .............................................................. 140 
Figure 57: Landsat 7 Backup ACS Octavia Specification ....................................................... 141 
........ Figure 58: SpecTRM-RL and Octavia Combined Simulation of Landsat 7 Backup ACS 143 
............................................................ Figure 59: Memec Design FPGA Development Board 146 
.................................................... Figure 60: Landsat 7 Backup ACS Computer Architecture 149 
Figure 61 : Landsat 7 Backup ACS FPGA Utilization Data ..................................................... 151 
........................................................... Figure 62: Block Diagram of Simulation Architecture 154 
....................................................................................... Figure 63: Simulation Setup in Lab 155 
Figure 64: Step Input Response from Closed-Loop Simulation ............................................. 157 
Figure 65: Software-dedicated Architecture and Simulation Setup ...................................... 160 
Figure 66: Evaluation of Hardware versus Software Performance ........................................ 160 
Acronyms List 
ACS 
ALU 
API 
ASIC 
BRAM 
CAD 
CAN 
CSP 
CSS 
COTS 
CPLD 
CPU 
EDK 
FDIR 
FPGA 
FSM 
GPS 
HDL 
IC 
IMU 
LUT 
MDS 
MMU 
MTR 
PLB 
Attitude Control System 
Arithme tic-Logic Unit 
Application Programming Interface 
Application-Specific Integrated Circuit 
Block Random Access Memory 
Computer Aided Design 
Control Area Network 
Communication Sequential Processes 
Course Sun Sensor 
Commercial Off-The-Shelf 
Complex Programmable Logic Device 
Central Processor Unit 
Embedded Development Kit 
Fault Detection Isolation and Recovery 
Field Programmable Gate Array 
Finite State Machine 
Global Positioning System 
Hardware Description Language 
Integrated Circuit 
Inertial Measurement Unit 
Look Up Table 
Mission Data System 
Memory Management Unit 
Magnetic Torque Rod 
Processor Local Bus 
PLD 
RISC 
RPM 
RWA 
TTP 
VHDL 
VHSIC 
VLSI 
- Programmable Logic Device 
- Reduced Instruction Set Computer 
- Revolutions per Minute 
- Reaction Wheel Assembly 
- Time-Triggered Protocol 
- VHSIC Hardware Description Language 
- Very High Speed Integrated Circuits 
- Very Large Scale Integration 
Chapter I 
Introduction 
Spacecraft play a major role in our modem society. They allow us to receive television, 
telephone, and Internet service. They allow us to study stars in the distance and help predict 
the weather on our own planet. Soon, they may even transport us to Mars. At the core of 
every modem spacecraft is a computing system made up of one-of-a-kind hardware and 
software. This custom-designed computer is responsible for many functions on the 
spacecraft, from receiving and decoding commands from the ground to collecting data from 
instruments, and analyzing telemetry from various sensors. Because the computer interfaces 
with almost every subsystem on the spacecraft, it requires a lot of effort and care to design. 
Each interface must be designed and tested separately before the entire system can be put 
together and tested as a whole. Moreover, each interface must not interfere with any other 
function of the spacecraft, even in the event of a fault. Similarly, the engineers who are 
responsible for the design of the computer must interact with many different teams, each 
team responsible for a specific function of the spacecraft. Because of these complexities, 
designing a spacecraft computer is at present a challenging and expensive process. 
Before discussing issues related to the current process in detail and how they may be improved, it 
is worthwhile to look back to the development of the first spacecraft computers and how the 
process has evolved to the current state-of-the-art. 
I .  1 Brief History of Spacecraft Computing 
Today, it is difficult to imagine how any complex system such as a spacecraft can function 
without a computer. From cars to telephones, televisions, and even the common wrist watch, 
computers are integrated into every aspect of our technologies. Yet, in the early days of 
spaceflight, including the first manned American missions, computers were largely absent. 
NASA did not trust the reliability of computers in those days [TOM88]. Control of spacecraft 
relied on the quick reactions of astronauts and a team of engineers on the ground wielding 
slide rules and integration tables. But as the requirements of each successive mission became 
more and more complex, it became clear that computers were needed to automate routine 
tasks and assist in real-time calculations and control. NASA, together with its contractors, 
pushed the advancement of embedded computing systems. Improvements in logic design, 
packaging, fault-tolerance, and miniaturization were made as a result of NASA's need for 
reliable computers in space [HALL96]. 
Starting with Gemini and continuing with Apollo and the Space Shuttle, NASA continued to 
integrate ever more sophisticated computers on board the spacecraft. Whereas the original 
Mercury capsule piloted by Alan Shepard did not have a single computer aboard, the Space 
Shuttle today is completely dependent on its array of sophisticated computers. The Space 
Shuttle Computing Complex is responsible for almost every aspect of the Space Shuttle's 
mission. It automatically guides and powers the Shuttle from lift-off into orbit. It is used by 
the crew in orbit for orbital maneuvers and performing science experiments. At the 
conclusion of each mission, it is responsible for flying the Shuttle from orbit back into the 
atmosphere. 
Given its critical role, the Space Shuttle Computing Complex is designed to be extremely 
reliable and fault-tolerant. It includes five general-purpose computers. Four computers run 
the same software and constantly monitor the health of the other computers. A fifth 
computer runs separate software and is used as a backup to the primary system. Each 
revision of the software is rigorously inspected and tested before flight by a dedicated group 
of engineers, separate from the developers. These requirements come at a tremendous cost. 
The original primary software alone has over a million lines of code [SPE84]. It was 
developed by a team of over 100 engineers and verified by another 80 engineers [SPE84]. 
Computing systems on unmanned spacecraft contributed significantly to the current state-of- 
the-art in spacecraft computing as well. Starting from simple command sequencers on the 
Mariners and Viking probes to hugely complex and integrated systems on Galileo and Cassini, 
computers allowed engineers to build ever more capable systems. Many advances in 
embedded computing technology and processes were tried and tested on unmanned systems 
before they were incorporated into manned spacecraft. For example, distributed computing 
was first tried and used successfully on the Voyager spacecraft and later became the 
foundation of the Space Shuttle Computing Complex. Unlike a traditional architecture where 
the computer is connected directly to a single set of sensors and actuators, distributed 
computing ties many different sets of sensors and actuators to a single processor through a 
databus. This architecture allows engineers to use a single multipurpose computer instead of 
several dedicated computers, reducing the total weight and volume required. 
The first unmanned probes were manually controlled from the ground. Controllers would 
upload commands along with a time at which those commands should be executed. The only 
way controllers on the ground could tell if the commands worked was by reading the stream 
of telemetry data beamed back from the spacecraft. As computers became more capable, 
engineers gradually introduced some automation into the software. The first automation 
software was introduced on the Mariner spacecraft that flew to Venus and Mercury in 1973. 
"The sequencer would not only carry a detailed program for the next mission phase but also a 
constantly updated bare minimum program to complete the mission if the spacecraft lost 
contact with the ground. If a command was not received for a certain time, then the 
sequencer would follow whatever commands were in the backup program." [TOM881 
The most prominent automation software used today is the fault protection software, which 
is an advanced version of the backup programs first used on Mariner. Today's fault 
protection software is used to automatically monitor the status of major components on the 
spacecraft. By reading data from the on-board sensors and checking it against expected 
values, the spacecraft computer is programmed to detect faults and take actions to safe-guard 
its mission without need for intervention from ground controllers. A very common action 
taken is to "safe" the spacecraft by turning off unnecessary equipment and aligning it for 
optimal line-of-sight communication with the ground. By configuring itself to a safe state, the 
spacecraft conserves resources and buys time for engineers on the ground to diagnose and fix 
the problem. Automatic fault protection software has proved extremely useful. In one of the 
most recent examples, the Mars Spirit Rover entered safe-mode after a software error in its 
memory system caused the computer to crash [CHA04]. In safe-mode, the spacecraft was 
able to maintain the minimum set of equipment needed to communicate with ground 
controllers. Safe-mode allowed engineers time to determine the error and send the 
spacecraft new software to correct the problem. 
Automation software has also caused some problems, and in some instances, the result has 
been catastrophic. In 1999, the Mars Polar Lander crashed into the Martian surface after its 
on-board software shut off its descent rockets prematurely [EULOl]. The software was 
programmed to automatically determine when the spacecraft touched-down on the surface 
by reading signals from three sensors in its landing legs. However, while still in the 
atmosphere, a spurious signal from one these sensors caused the software to believe the 
spacecraft was already on the ground. The resulting loss of the $165 million mission 
highlights the continuing need for improved software and computer development process, 
despite great advances made since the first computers were flown into space. 
1.2 Current Issues 
This section described the issues with the current spacecraft computing development process. 
These issues are divided into four topics: 1) hardware development issues, 2) software 
development issues, 3) issues related to complexity, and 4)issues related to engineering 
interfaces. These issues are described in the following sections. 
1.2.1 Hardware Development Issues 
Unlike ubiquitous desktop computers today, spacecraft computers are designed and built to a 
very different and exacting set of specifications. They are designed for reliability and safety 
before anything else. The space environment is extremely hazardous. Spacecraft computers 
are designed to work in harsh conditions, including large temperature, vibration, and 
pressure changes. In addition, spacecraft are exposed to high concentrations of radiation and 
heavy ions. To protect against these effects, spacecraft computers are designed with larger 
and heavier microelectronics than those used on Earth. These requirements lead to designs 
that sacrifice performance for reliability. While spacecraft computers are slower and have a 
lot less memory than their desktop counterparts, they are much more rugged and reliable. 
The performance of spacecraft computers is likely to remain far behind desktop computers. 
Most spacecraft today employ a single multipurpose computer. This computer is usually 
procured from one of a handful of companies that specialize in space-grade computers. Since 
the market for these specialized computers is small compared to the rest of the computing 
industry, there is not a lot of incentive for companies to rapidly invent and promote newer 
technologies. Furthermore, most space programs require that every new component go 
through an expensive qualification process before its first flight. Introducing a new 
spacecraft computer is thus much more expensive and time-consuming than a normal 
desktop computer. 
Hardware performance is intricately linked to the complexity of the software it is able to 
execute. Complex software requires more memory and higher processing speeds. Since 
computers were first introduced on spacecraft, engineers have constantly encountered the 
problem of software outgrowing the performance limitations of hardware [TOM88]. A lot of 
effort is spent to evaluate and modify software to conform to available hardware resources. 
The performance of spacecraft computers has consistently lagged behind the desired 
complexity of software. This trend will continue, as hardware performance is limited by 
computers available on the market. One aim of this thesis is to illustrate the feasibility of 
generating unique spacecraft computers with field programmable gate arrays (FPGA) 
technology. FPGAs are generic semiconductor devices that can be programmed for any 
number of applications. Recent advances in FPGA technology allow the synthesis of 
microprocessors and other complex logical functions on a radiation-hardened FPGA device. 
If unique FPGA computing systems can be synthesized to process typical spacecraft processing 
requirements, spacecraft engineers will have more options to carry out processing 
requirements intended for spacecraft computers today. An FPGA computing system can be 
developed to off-load certain processing requirements such as the fault detection isolation 
and recovery procedures for spacecraft subsystem components. 
1.2.2 Soffware Development Issues 
At present, spacecraft software development is a challenging and expensive process. Like any 
safety-critical system, software can have extremely damaging effects if designed improperly. 
A lot of effort and money is spent to design the software for safety, and, to validate the 
software through rigorous testing once it is complete. Developing software for spacecraft is 
particularly difficult because every spacecraft is one-of-a-kind and therefore requires software 
specifically tailored for its mission. Figure 1 illustrates the typical software development 
process taken for a typical spacecraft. 
Subsystem Specification 
- 
- 
Source Fl 
.-. ... .-..-..-.-..-..-.  . -.....-.-. _ .._.._....... ._, .-.. -........-.-..- .._. ......................... .-.-. ....................... -. .-..- ...... ....-..-. .. .-... _.._.._. -. .- . -.- ..-.....-..-..-..-...._.....-..-.  .. .-.... 
j Subsystem Engineers 1 Soltware Engineers / Coders j Hardware Engineers 
....~..~..~..~.............-..........-........_.._.._..~.~..-..-.....-..-.~..~............................~..~..~.............~............. - - -. ....................... .................. -.-..- .......... # 
Figure 1: Current Spacecraft Software Development Process 
The typical software design process starts with requirements for each subsystem. The 
requirements are generated by the respective subsystem engineers. As an example, the 
Guidance Navigation and Control subsystem engineers have a set of requirements specific to 
that function on the spacecraft. These requirements may cover topics such as the attitude 
control sensors and actuators required, control laws necessary to maintain or change the 
spacecraft attitude, and fault protection requirements for the subsystem. Once completed, 
the subsystem requirements are documented as a specification document and handed over to 
software engineers. The software engineers gather all subsystem specifications and produce 
a software specification for the spacecraft. Next, the software is coded, usually manually, 
from the software specifications. This programming task is sometimes performed by another 
group of people. Once all the code is written, it is first loaded onto a development computer 
and tested. After these tests are complete, the software is loaded onto the actual spacecraft 
computer and tested again. 
As shown, the current development process involves many different groups of people. At 
each step, the specification must be translated from one form into another. These 
translations are potential sources of errors. A lot of effort is spent to ensure that the original 
intent of the subsystems engineers are correctly implemented in the actual code embedded in 
the computer. Another aim of this thesis is to reduce the number of steps and people in the 
current process. This thesis outlines a methodology that allows subsystem engineers to 
interface directly with the engineers responsible for the computing hardware. The software 
is captured in the form of a formal specification, which can be automatically converted into 
executable hardware and software, reducing the role of software engineers and coders from 
the development process. The methodology also eliminates the manual translation efforts 
required at present, removing potential manual translation errors. 
Issues Related to Complexity 
Computers allow spacecraft engineers to design systems far more complex than would be 
possible otherwise. A spacecraft requires thousands of different components, but these 
components are traditionally separated neatly into distinct subsystems. As the components in 
any one subsystem only affect one function on the spacecraft, engineers are able to predict its 
behavior and manage off-nominal conditions effectively. Computers allow interfaces 
between subsystems and components that have traditionally been physically and functionally 
separate. As an example, when a fault is detected with a thermal subsystem component, the 
fault protection software may trigger a spacecraft safe mode, which affects the attitude 
control subsystem, as the spacecraft automatically repositions itself for maximum line-of-sight 
communication with Earth. This, in turn, affects instruments that have been trained at a 
specific direction. 
Automation software like fault protection software adds complexity by increasing the number 
of interactions between components. A component in one subsystem is no longer isolated to 
just one function of the spacecraft. A failure of that component can have cascading effects 
throughout all other subsystems and functions. If not designed and analyzed carefully, 
anomalies and failures can result from inconsistent, or even conflicting automations. 
Ironically, the fault protection software can become the source of the anomaly. As an 
example, the Near Earth Asteroid Rendezvous (NEAR) spacecraft suffered an anomaly during 
an engine bum designed to bring the spacecraft into orbit around the asteroid Eros in 
December of 1998. A harmless but unaccounted transient in the engine and maneuvering 
software caused the spacecraft to automatically transition into safe-mode. However, for 
reasons that could not be completely accounted for, the spacecraft fault protection software 
caused the spacecraft to perform a series of unnecessary attitude actions, which nearly 
depleted all of its fuel and ended its mission [LEE04]. The spacecraft eventually recovered 
by entering a different and more elementary safe mode. 
The anomaly on the NEAR spacecraft illustrates the risks of additional complexity introduced 
with automation. This anomaly illustrates how subtle errors can arise from automation and 
the need for better techniques to deal with the resulting complexities. 
Complexity makes it more difficult to predict interactions between the components within a 
system, as well as the interaction between the system and its environment. However, 
complexity can be made intellectually manageable by presenting meaningful information in a 
coherent and structured context intrinsic to human problem solving [LEV98]. This thesis 
describes some techniques to better tackle the complexities that occur in large engineering 
systems like spacecraft. These techniques are derived from the work of Nancy Leveson and 
her students. This thesis extends Leveson's Intent Specifications Methodology [LEVOO], and 
allows engineers to model the system in a way that matches their intrinsic understanding of 
their unique system. Complementary tools designed specifically for spacecraft systems are 
also developed. These tools allow spacecraft engineers to manage complex interactions 
between various components through visualizations and abstractions. The tools allow 
engineers to analyze models of the spacecraft, at different phases during the development 
process, and from different points of view. 
1.2.4 Issues Related to  Engineering Interfaces 
Issues related to the process of designing a spacecraft involve communication and interfaces 
between engineers. There is a wide range of expertise required to develop and operate a 
spacecraft successfully. A team of engineers is required, comprised of people from various 
backgrounds, including attitude control, navigation, thermal, propulsion, communications, 
systems, financial, and managerial disciplines. As with interfaces between components on a 
spacecraft, the number of interactions between engineers from different backgrounds has 
increased as a result of computers and automation. Errors can, and have, resulted from 
ineffective or deficient communication and understanding between engineers from different 
disciplines. 
As an example, the Mars Climate Orbiter (MCO) spacecraft was lost in 1999 when it crashed 
into the Martian atmosphere. The failure was blamed on a simple units conversion error. It 
was found that engineers who designed and wrote the spacecraft navigation software used 
imperial units, while parameters provided by the thruster manufacturers were in metric units 
[EULOl]. The error was the result of two groups of engineers having different conceptions, 
or mental models, of the spacecraft. The difference in their backgrounds led to different 
views of how the spacecraft functioned. The problem was then worsened by deficient 
communication between the two groups. 
Errors such as the one found on MCO are likely to increase as engineers continue to add more 
automation to spacecraft. As the connections between various subsystems increase, the 
interface between engineers from different backgrounds will also increase. Engineers will 
need a better understanding of the entire spacecraft, rather than just their own subsystem. 
As an example, some space-borne telescopes are cooled with cryogenics in order to detect 
faint infrared signals from distant stars. Once the cryogenics are depleted, the mission is 
over. Therefore, it is extremely important that the cryogenic tanks are kept away from the 
direction of the sun. While the cryogenics are designed by thermal subsystem engineers, 
attitude control engineers must also understand the thermal properties of the spacecraft and 
design the attitude control system to avoid pointing the cryogenic tanks at the sun. In 
addition, as each subsystem has its own automated fault protection and recovery methods, 
engineers from both subsystems must understand and be able to predict the effects of 
automation from subsystems other than their own. 
At present, engineers from different subsystems communicate and interface through 
manually written specification documents. Written in English prose, these documents 
describe each subsystem, how they function, and their interface with other subsystems. Even 
for a moderate-sized spacecraft, these documents can get extremely complex in themselves. 
It becomes very difficult to read and fully comprehend every detail of the document. It is 
even more difficult to analyze and detect minute issues, which may arise from the complex 
interactions between components and subsystems. 
This thesis aims to improve communication and interfaces between engineers by unifylng and 
formalizing the specification process. The informal specification documents are replaced 
with a unified set of formal specifications derived from Leveson's SpecTRM-RL language 
[LEVOO] and a new block-diagram modeling tool called Octavia. Together, the unified 
specifications serve as a common and formal language between different groups of engineers. 
SpecTRM-RL and Octavia are both specifically designed to be easy to read and to be 
understood by engineers from different backgrounds. They are designed to facilitate the 
human review process and to allow engineers to better analyze the specification and detect 
errors. Tools are developed that allow engineers to simulate and perform formal 
mathematical analyses on the specification. These tools allow engineers from different 
subsystems to interact dynamically as they combine their individual subsystem specifications 
and perform simulations and analyses of the entire spacecraft. 
1.3 Thesis Objectives 
This thesis has two primary objectives: 1) to develop a formal and unified specification 
methodology to capture typical spacecraft processing requirements, and 2) to illustrate the 
feasibility of using FPGAs to carry out typical spacecraft processing requirements. This thesis 
describes the development of two distinct components: 1) a high-level and formal 
specification methodology and accompanying toolsets, geared specifically to spacecraft 
systems, and 2) autocode generators that generates intermediate hardware description and 
software code from the high-level specifications. These intermediate components are used to 
synthesize an FPGA computing system. 
1.4 Thesis Outline 
This thesis is organized as follows. Chapter 1 presents an introduction to the problem of 
designing spacecraft computing systems and the objectives of the thesis. Chapter 2 presents a 
review of current techniques in formal specifications, autocode generation, and spacecraft 
computing systems. Chapter 3 describes the first component of the thesis: the high-level 
formal specification methodology and the toolsets developed to capture and analyze these 
high-level formal specifications. Chapter 4 describes the second component of the thesis, 
which involves the automatic conversion of the high-level formal specifications into 
intermediate hardware descriptions and software code. These intermediate components are 
used in the synthesis of a prototype FPGA computing system. Chapter 5 describes an 
example designed to illustrate the application of the methodologies and toolsets developed in 
the thesis. The example also illustrates the feasibility of using high-level specifications and 
FPGAs to develop and carry out typical spacecraft processing requirements. Chapter 6 
presents some conclusions and notes on future work. 
Chapter 2 
Spacecraft Hardware and Software 
The number of processing requirements for spacecraft computers have increased dramatically 
since the first spacecraft computers were introduced [TOM88]. Almost every subsystem on a 
modern spacecraft requires computers for its tasks. Figure 2 shows some of the computer 
processing requirements of a recent spacecraft. Landsat 7 was launched in 1999 and is 
currently in orbit providing images of the Earth's land surfaces and surrounding coastal 
regions1. 
Maneuver u
Data-Oriented 
Figure 2: Computer Processing Requirements of Landsat 7 - Adapted from [SABOS] 
1 For more information on Landsat 7, see http://landsat.gsfc.nasa.gov 
The computer processing requirements for Landsat 7 are typical for many modern spacecraft. 
Computers are used to maneuver the spacecraft, control solar arrays, point the antennas, 
determine the attitude, support instruments, etc. As shown in Figure 2, typical spacecraft 
processing requirements can be divided into two categories: control-oriented and data- 
oriented. Control-oriented processing involves logical requirements that describe discrete 
events and the actions required in response. An example of control-oriented processing is the 
fault management or fault protection specification. A fault protection specification describes 
logical requirements that .signal discrete failure events and which actions are taken in 
response. Data-oriented processing is characterized by a set of mathematical operations 
performed on data and inputs at regular intervals. An example of data-oriented processing is 
the attitude determination specification. The spacecraft attitude is determined by performing 
a set of mathematical operations on attitude sensor data. These operations are carried out at 
a steady rate, continuously throughout the spacecraft's mission. 
Control-oriented and data-oriented processing requirements are carried out on a spacecraft 
through a combination of computing hardware and software components. Figure 3 
illustrates a typical computing architecture for a modem spacecraft. 
L I 
Figure 3: Typical Spacecraft Computing Architecture 
The computing system shown in Figure 3 is composed of several major components. The 
primary computer carries out the majority of the processing requirements. The primary 
computer is composed of a microprocessor and some memory devices. Software is stored in 
the memories and executed by the microprocessor. There is typically more than one primary 
computer on a spacecraft. Most spacecraft have a backup computer that is used in case the 
primary computer fails. The primary computers communicate with sensors and actuators on 
different subsystems through a databus. The databus is the cable that transfers information 
between different electronic devices. The databus also specifies an interface protocol. The 
protocol ensures that no two devices transmit information on the cable at any given time. 
Some specialized functions on the spacecraft may require more processing power than can be 
provided by the primary computers. In that case, a custom programmable logic device is 
designed to carry out those processing requirements. Programmable logic devices such as 
Field Programmable Gate Arrays (FPGA) are hardware devices that can be programmed to 
carry out any control-oriented or data-oriented requirements. As an example, instruments 
usually have a custom FPGA to read data from the instruments, process the information, 
format the outputs, and transmit the outputs to the primary computers. 
This chapter is divided into three sections. The first section describes current spacecraft 
computing hardware devices. An overview of memories, microprocessors, and FPGAs, along 
with the methods in which they are procured and implemented on a spacecraft is provided. 
Because space radiation effects are an important aspect of spacecraft hardware, a discussion 
of space radiation effects and common design measures is also provided. The second section 
is related to spacecraft software. The second section describes two advanced software 
development technologies: high-level specifications and autocode generation. The software 
on most spacecraft is informally specified and manually coded. High-level specifications 
allow software specifications to be captured formally while autocode generation can 
automatically generate source code from the high-level specification. High-level 
specifications and autocode generation are usually developed together as part of a 
methodology. Some methodologies are designed for control-oriented applications while 
others are designed for data-oriented applications. A review of methodologies for both 
processing types is provided. High-level specifications and autocode generation can also be 
used to develop hardware. In the third section of this chapter, methodologies that involve 
generating both hardware and software from high-level specifications are described. These 
methodologies form a research field called co-design [STA97]. 
2.1 Spacecraft Hardware 
Spacecraft computers are based on the same underlying technologies as any other computing 
system. Computers can be divided into three sets of electronic devices: memories, 
microprocessors, and programmable logic devices. 
2.1. I Memories 
Memories are used to store information. Memories can be categorized into two types: 
volatile and non-volatile. Volatile memories are generally used to store information 
temporarily. The information is lost once power is removed from the device. Non-volatile 
memories are used to store information more permanently. They do not lose the information 
stored when power is removed. Non-volatile memories generally operate at much slower 
speeds than volatile memories, but they are also much cheaper to produce. Spacecraft 
computers traditionally use non-volatile memories because power can be lost unexpectedly. 
Memories are typically organized into blocks called registers. Access to information stored in 
the device is easily retrieved and modified by accessing individual registers. Each register in 
a memory device is accessed through a unique address. A memory management unit (MMU) 
is typically used to facilitate addressing of registers stored in different sections of the memory 
device or over multiple devices. Memories for spacecraft computers are usually procured as 
commercial-of-the-shelf (COTS) components. Major suppliers of spacecraft memory devices 
include Aeroflex' and Seakr Engineering2. 
Microprocessors 
Microprocessors are generic logic devices that can perform a specific set of instructions on a 
set of data. The data is usually retrieved from a memory device or transferred directly from 
an input device like a keyboard or sensor. Microprocessors operate sequentially, retrieving 
and operating on one set of data at a time. The rates at which these instructions are 
performed are relatively fast, so microprocessors can be used for a variety of time-critical 
applications. Like memories, microprocessors are procured as COTS components. The major 
suppliers of spacecraft microprocessors include BAE Systems3, Motorola4, and Synova5. 
Microprocessors are extremely popular. Most spacecraft processing requirements are carried 
out on a microprocessor. Microprocessors are popular because they are easily tailored for 
different applications. By writing and compiling code, or what is traditionally termed 
software, a generic microprocessor becomes a unique processing device like a calculator, an 
automatic teller machine (ATM), or even a nuclear reactor controller. With software, the 
same microprocessor can be used on different spacecraft with very different requirements. 
In the early days of microprocessors, code was written with individual binary instructions 
[TOM88]. The process was challenging, error-prone, and difficult to review. Today, high- 
1 http://www.aeroflex.com 
2 http://www.seakr.com 
3 http://www.baesystems.com 
4 http://www .motorola.com 
5 http://www .synova. corn 
level programming languages allow programmers to write code using more intuitive 
semantics and data-structures. Each programming language has an accompanying compiler 
that converts the high-level program into binary instructions for the microprocessor. The 
most common programming languages used on spacecraft are C and Ada. 
Another important innovation contributing to the rapid adoption of microprocessors is the 
operating system. An operating system is a collection of programs of commonly performed 
tasks such as accessing memory, retrieving data from input devices, and sending commands 
to output devices. There are a host of operating systems available. Each is developed for a 
specific set of applications. For embedded and safety-critical computing systems, the major 
operating systems in use today include Wind River's VxWorks7, Green Hills Software's 
integrity2, and the open source ~ y n u x ~ o r k s ~  operating system. 
FPGAs 
Field programmable gate arrays (FPGA)s are part of a family of hardware devices called 
programmable logic devices. Programmable logic devices are specialized logic devices that 
may be used for any number of computing functions such as device interfacing, data 
communication, digital signal processing, timing and control operations. Common types of 
programmable logic devices include Application Specific Integrated Circuits (ASIC), Very 
Large Scale Integrated (VLSI), Field Programmable Gate Arrays (FPGA), and Complex 
Programmable Logic Devices (CPLD). ASICs and VLSIs are designed from the transistor level 
up. Each circuit is uniquely designed, usually for an application with relatively high 
performance requirements. Compared to microprocessors and other programmable logic 
devices, ASICSs and VLSIs are expensive. They are usually used for high-volume applications 
where their design and manufacturing cost may be leveraged effectively. 
FPGAs and CPLDs are generalized logic devices. They are made up of a large number of 
programmable logic units. These logic units are usually in the form of basic binary operators 
or look-up-tables. The form of logic units used is what differentiates FPGAs and CPLDs. 
Their naming convention is used interchangeably in this thesis without loss of generality. By 
forming connections between individual logic units, an end-user can design or 'program' an 
FPGA to their unique specification. Because they are of a general design, FPGAs are 
relatively cheap to manufacturer. Also, due to their low-power requirements, FPGAs have 
expanded from commercial applications and found applications in critical systems such as 
automobiles, airplanes, and spacecraft. Major suppliers of programmable logic devices 
include Xilinxl , Atera2 , and Acte13. 
FPGAs are becoming increasing sophisticated. A typical FPGA today contains more than one 
million logic units or 'gates', packaged in a chip that is no bigger than one square inch. Also, 
with increasingly sophisticated tools, some FPGA applications are beginning to rival 
sophisticated programs traditionally intended for microprocessors. In fact, a user can create 
a custom microprocessor with an FPGA. Xilinx and Actel currently supply FPGAs embedded 
with microprocessors. 
Much as high-level programming languages and operating systems have allowed users to 
design more complex and sophisticated software for microprocessors, advanced tools for 
developing programmable logic devices like FPGAs have contributed to their popularity. The 
most significant of these tools are hardware description languages, hardware simulators, and 
hardware synthesizers. Together, these tools allow designers to take advantage of the 
tremendous number of gates available in an FPGA. 
Hardware description languages (HDL) allow designers to describe a hardware circuit in a 
textual format. HDLs are analogous to programming languages with the addition of 
semantics for expressing timing and concurrency. HDLs allow designers to encapsulate 
complex circuits into blocks, and to create a hierarchal set of circuits by describing the 
connections between each block. The two most common HDLs are VHSIC (Very High Speed 
Integrated Circuit) Hardware Description Language (VHDL) and Verilog. 
The power of HDLs is revealed through simulators and synthesizers. Hardware simulators 
can accurately simulate a circuit based on an HDL description. Used together, the simulator 
and HDL offer a tremendous increase in productivity over traditional methods of drawing 
schematics. Accurate simulators also allow designers to save cost because their designs can 
be tested without committing any actual hardware components. The design can be 
transferred to the target device once sufficient tests have been performed on the simulators. 
The most popular simulator used today is Mentor Graphic's ~odels im' .  
Before synthesizers, hardware engineers had to convert their schematics or HDL descriptions 
into a list of connections between each and every logic unit, known as a netlist. This was a 
time-consuming process. The advent of modern synthesis tools has greatly increased 
productivity by automating this process. Synthesis tools can now create hardware based on 
HDL descriptions alone. They can create hardware based on structural descriptions, which 
describes connections between binary components. They can also generate hardware based 
solely on behavioral descriptions. Behavioral descriptions are analogous to software in that 
they describe what the circuit should do as opposed to what the circuit is made of. Given a 
specified behavior, synthesis tools are able to generate a circuit that performs the desired 
behavior. Major suppliers of synthesis tools include Cadence Design System2, Mentor 
Graphics3, and Synopsys4. 
Hardware description languages, simulators, and advanced synthesis tools make it easier to 
design FPGAs, but they also have some drawbacks. Because HDLs, simulators, and synthesis 
tools are based on an abstraction of the actual logic units in an FPGA, they are susceptible to 
errors between the intent of the designer and the translation performed on the abstraction. 
Furthermore, due to their increased sophistication, these tools allow users to create extremely 
complex logic, which can be difficult to validate. Research conducted at NASA's Office of 
Logic Design5 shows that a large number of design errors found on Spacecraft FPGAs can be 
attributed to the improper use of these design tools as well as an inadequate knowledge of 
commonly practiced hardware design techniques [KATZ99]. Katz points out numerous 
examples, including the improper use of special pins, inadequate handling of clock skews, 
and disregard for start-up transients. Although design tools are not directly responsible for 
improper designs, they prevent or hamper detection of errors because the tools hide the 
underlying physical representation of the system. In most cases, the translation algorithms 
behind these design tools are proprietary and are not made known to the end-users. 
Identifying and tracking down errors can be difficult when the complete specification is 
unobtainable. 
Space Radiation Effects 
All electronic devices are susceptible to radiation effects. Radiation produces two types of effects 
on electronics: total ionizing dosage effects and single event upsets. Radiation imparts energy on 
particles that causes electrons to escape from their molecular structure. The result is an excess of 
charged particles, or ions. Total ionizing dosage represent the cumulative effect of ion buildup on 
a device throughout its lifetime. Because ions carry a charge, the buildup of ions over time 
degrades electronic circuits and causes erroneous behavior and failure [SCA03]. Single event 
upsets involve heavy ions, which are particles whose size are on the order of the microelectronic 
circuit components. Because these particles travel at extremely high velocities, if they come into 
contact with a circuit, they can sever connections, destroy the component, or cause erroneous 
behaviors [MAY031 [GIB99]. 
The space environment is filled with radiation from the Sun and sources outside the solar system. 
On Earth, the atmosphere and magnetosphere provide protection against space radiation. 
However, all spacecraft outside the Earth's protective barrier come into direct contact with this 
radiation. In 1998, the Galaxy 4 spacecraft unexpectedly failed, causing a major outage in pager 
senrice throughout the United States. Evidence collected from numerous other spacecraft 
anomalies during the same time period suggests that space radiation was the most likely cause of 
Galaxy 4's failure [BAK98]. At the time of the failure, there was a measurable increase in radiation 
produced by an intense solar flare event1. 
Although radiation effects on spacecraft electronics are unavoidable, there are methods to mitigate 
the effects of total ionizing dosage and single event upsets. Space-grade microelectronics are made 
from heavier and larger components than those used on Earth. These components can withstand a 
higher dose of ions before failure. Most spacecraft electronics must undergo an extensive 
radiation qualification process to measure the total ion dosage the component can withstand 
before failure [LAB02]. Fault tolerance methods are applied to counter single event upsets 
[MAYO3]. Redundancy is implemented at multiple levels of the computing system. At the 
computer level, multiple memory modules and processors are used. At the circuit level and within 
1 For more information on solar flares and other space radiation effects, see 
http://www.spaceweather.com 
each memory module or processor, there are usually multiple circuits, organized into functionally 
redundant units. Finally, redundancy is provided at the bit level by encoding so that bit errors 
occurring during transmission between circuits are detected or automatically corrected [KATZ06]. 
Spacecraft hardware is tightly coupled with the software that it stores and executes. The next 
section describes some advanced methods for developing spacecraft software. 
2.2 Spacecraft S o m a r e  
The majority of spacecraft processing requirements are accomplished with software executed 
on microprocessor-based computers. Software allows engineers to quickly configure and re- 
configure a computer. Tools like operating systems and programming languages have 
significantly improved the efficiency and productivity of programmers since the first 
microprocessors were introduced. However, writing good software, especially for safety- 
critical systems like spacecraft remains difficult. Safety-critical systems demand software that 
is near error-free. Software engineering research has introduced many different processes, 
techniques, and tools to improve software development. It has spawned an industry of 
companies, conferences and publications. Despite five decades of research however, 
development of safe and error-free software remains a challenge [LEV95]. 
To ensure that new innovations in software engineering meet safety standards, governments 
have set up certification processes dedicated to software in aviation, military, and nuclear 
industries. The most popular of these are based on standards such as DO-178B [RTCA99], 
MIL-STD-498 [MIL97], and DOE-STD-1172 [DOE03]. These standards outline processes that 
must be followed to achieve certification. For example, DO-178B describes the 
documentation efforts and levels of testing required for any software that is executed on 
commercial aircraft in the United States. 
Unlike the aviation industry, there is no single official certification process for all spacecraft. 
However, many organizations generally follow one of the government standards. In 
addition, NASA has created its own software assurance standard known as NASA-STD-8739.8 
[NASA05]. The standard applies to all software contracted by NASA, which includes all 
spacecraft software. 
This section provides an overview of two recent and promising innovations in software 
engineering: high-level specifications and autocode generation. The advantages of these 
recent innovations are described. Next, a survey of high-level specification and autocode 
generation methodologies is provided. Some methodologies are designed for control- 
oriented applications. These methodologies are usually based on finite state machine (FSM) 
descriptions. Other methodologies are designed for data-oriented applications and usually 
involve block-diagram methods. The methodologies described in the survey are divided 
among the two application types. 
2.2.1 Advantages of High-Level Specifications and Autocode Generation 
High-level specifications and autocode generation are two recent and promising innovations 
in software engineering. The two technologies are usually developed as part of a 
methodology. There are several advantages of using high-level specifications over traditional 
coding techniques. High-level specifications describe software systems using abstractions to 
better communicate the intent of the software designers. Just as programming languages 
provide a more intuitive abstraction of the underlying binary instructions, high-level 
specifications provide yet a higher layer of abstraction over code. Most high-level 
specifications use diagrams to describe interactions and structure. These visual cues can 
communicate a lot of information and are easier to read than code [DUL02]. High-level 
specifications also facilitate descriptions of more complex systems. High-level specifications 
make use of encapsulations, hierarchies, and other methods to manage complexity and allow 
designers to create larger systems and systems with many more interactions than is possible 
with traditional methods. Lastly, high-level specifications introduce more powerful computer 
aided development (CAD) tools into the design process. CAD tools provide faster integration, 
testing, and deployment of software through automation. Many CAD tools for high-level 
specifications allow different users to share and work together on the same system. Once a 
design is captured, tests and analyses can be performed automatically. Most CAD tools allow 
designers to simulate their systems using the design captured in the high-level specifications. 
These analysis tools allow designers to interact with the specifications and detect errors early 
in the design process. 
High-level specifications are based on a number of formats. Some are based solely on text, 
while others are based on graphical elements, or they can be a combination of both. They 
can be built on formal mathematical semantics or informally with structured prose and 
graphics. Languages based on formal semantics are generally more difficult to write than 
informal methods; however, they are much more powerful. 
A formal high-level specification language allows designers to use powerful and automatic 
tools to analyze and review the captured specification. One of the most popular automated 
tools is the autocode generator. Autocode generators generate source code that is 
functionally equivalent to the high-level specification. Autocode generators derive code that 
is predictable and free of human coding errors. While the generated code is generally less 
efficient, autocode generators improve overall efficiency and productivity by allowing 
designers to eliminate or significantly scale back the coding process. The most popular 
formats for autocode generators are C and Ada. Like most software development tools such 
as programming languages and compilers, autocode generators must gain trust among users 
before they are widely adopted. Autocode generators should be rigorously tested and 
certified to government standards before they are used on safety-critical systems. 
There are a variety of high-level specifications and autocode generators currently available. 
Each is designed for a specific set of applications. Some specifications are designed to 
capture control-oriented systems, while others are better suited for data-oriented processing 
applications. Spacecraft processing requires both. The high-level specification described in 
this thesis involves a combination of two different high-level specifications. SpecTRM-RL is 
used to capture control-oriented specifications while data-oriented specifications are captured 
in Octavia. 
2.2.2 Control-Oriented Methodologies 
High-level specifications designed for control-oriented processing are usually built on finite 
state machines (FSM). FSMs are the most widely adopted method to describe discrete events 
and logical requirements for control-oriented processes. FSMs capture the behavior of a 
system through states, transitions between states, inputs to the state machine and outputs 
from the state machine. A FSM is visualized with a state transition diagram. A simple state 
transition diagram that describes the modes of a spacecraft is shown in Figure 4. 
Sun sensor input = Acquired 
Sensur Reading(s) = Out of Range 
I 
Send Signal to 
Ground 
Figure 4: Simple Spacecraft Mode State Transition Diagram 
FSMs are popular because they are an intuitive way to describe the internal states of a system 
and its transitions. In Figure 4, the states of the spacecraft mode are Launch, Sun 
Acquisition, Normal, and Safe Mode. The transitions between states occur as a result of a set 
of discrete events or inputs. Outputs are triggered upon entering a state. In the example, the 
FSM default state is Launch. Ten minutes after launch, the spacecraft transitions to Sun 
Acquisition in order to deploy its solar arrays and aim them at the sun. When sensors on- 
board have acquired the sun, the spacecraft transitions into its Normal operating mode. The 
spacecraft remains in that mode until a fault is detected, at which time it transitions 
automatically into Safe Mode. The Safe Mode automatically triggers a distress signal that is 
sent to ground stations on Earth. After engineers have determined the cause of the fault, a 
special command is sent to return the spacecraft back into Normal Mode. 
FSMs are formalized with a set of rules that govern their behavior. As such, formal analyses 
can be performed on a FSM. Model checkers can be used to examine a FSM to determine if it 
is able to reach an undesirable state for any given set of inputs. A nondeterrninism analysis 
can be used to check if the FSM is capable of being in two separate states at the same time. 
Simulations allow designers to design their own test cases and observe the results in real- 
time. All of these analyses can be performed automatically with CAD tools. Together, these 
analysis tools provide a powerful method to detect errors that is not possible with traditional 
software engineering methods. There are several high-level specification methodologies 
based on FSM semantics. Several are designed specifically for safety-critical systems like 
spacecraft. Following, a survey of these methodologies is provided. 
Statecharts 
In 1984, David Hare1 introduced a novel method to organize large state machines called 
Statecharts [HAR87]. The primary innovation behind Statecharts is a hierarchical state- 
machine, whereby groups of states are organized into super-states. Instead of one giant 
state-machine, states are organized into layers of parallel state-machines, as shown in Figure 
5. 
Figure 5: Example of super-states in Statecharts 
Statecharts are captured graphically. Groups of states can be organized to form a super-state. 
In Figure 5, A, By and C are super-states. Each super-state is an independent state-machine 
that runs concurrently with all other super-states within the hierarchy. Statecharts effectively 
organize the complexities that occur in large state machines. The state-machine is more 
readable and easier for humans to understand. Formalized rules govern the communication 
and interactions between super-states, and between states within a super-state. 
The Statemate toolset developed by I-Logixl allows users to capture and analyze Statecharts 
in an integrated environment. Users can capture their Statecharts using a graphical interface 
that corresponds to drawing them out by hand. Once captured, the tool can perform 
simulations of the state machines. Statemate also has an autocode generator that can 
generate a C or Ada program directly from the captured Statechart specification. 
Esterel and SCADE 
Several high-level specifications are based on the hierarchical FSM concept developed by 
Harel. Among them are Esterel and SpecTRM-RL. The Esterel language was developed by 
Gerald Berry in France [BER99]. Esterel is based on the same underlying FSM semantics as 
Statecharts including state hierarchies, concurrency, and parallel state machines. Unlike 
Statecharts however, Esterel specifications are captured in textual format. 
The SCADE toolse?, developed by Esterel Technologies is designed for safety-critical systems. 
The SCADE autocode generator is certified to DO-178B standards. The toolset allows users to 
automatically generate code from high-level Esterel specifications. The toolset can generate 
either C or Ada programs. Code for one of the Airbus A340 Fly-by-Wire Computers was 
generated with the SCADE tool [BRIE99]. 
Intent Specifications and SpecTRhl-RL 
SpecTRM-RL was designed by Nancy Leveson and her students specifically for safety-critical 
systems [LEV98]. SpecTRM-RL is the fonnal modeling language within a larger 
specifications methodology known as intent specifications [LEVOO] . The methodology is 
structured in seven levels, as shown in Figure 6.  
Lam, Functioml 
Figure 6: Intent Specifications, adapted from [LEVOO] 
Unlike most specification methodologies, each level of the intent specification does not 
represent refinement of the system. Instead, each level represents views of the same system 
from different perspectives. Levels 0, 1, 2, and 3 of intent specifications include information 
generated during system design. Levels 4, 5, and 6 involve details carried out at 
implementation and during operation of the system. 
The horizontal dimension is divided into four parts. The first column depicts information 
about the system's environment. The second column contains information related to human 
operators such as human factor design. The third column represents information regarding 
the system itself, and the fourth column integrates the verification and validation processes 
involved at each level. The structure of the intent specification is designed to capture the 
intent of the designers. Information at every level and column can be linked to form a 
specification, which answers "Why" in addition to "What" and "How". 
SpecTRM-RL is the formal modeling language used within Intent Specifications. It forms 
Level 3 of the framework. Keeping with the goals of intent specifications, SpecTRM-RL is 
designed for readability and human review. Originally developed to specify the TCAS I1 
airborne collision avoidance system, the language was designed collaboratively with aircraft 
engineers, airline operators, and other external reviewers [LEV99]. SpecTRM-RL uses a 
combination of graphical and textual elements that match traditional formats found in 
engineering drawings and specifications. This thesis uses the SpecTRM-RL specification 
language to capture spacecraft control-oriented processing specifications. A more detailed 
description of the specification language is provided in Chapter 3. 
High-level specification languages based FSMs such as SpecTRM-RL are not well-suited to all 
applications. The type of system that can be modeled by a FSM must be limited to a finite 
number of states. For this reason, FSMs are only suited for control-oriented processing 
specifications. In control-oriented systems, states are generally known beforehand, or they 
form logical subsets. For example, a spacecraft is designed with a finite number of modes. 
These modes are designed by the spacecraft engineers and are thus known before hand. 
States that correspond to variables in the environment can be separated into subsets derived 
from the logic requirements of the system. For example, the spacecraft may require different 
responses to different temperature readings. If the temperature is below a lower threshold, a 
heater is turned on. If the temperature is above an upper threshold, then excess heat is 
drained. If the temperature is in between the two thresholds, then no action is required. 
Once these logical requirements are set, then the state transitions of the temperature reading 
are easily obtained. The temperature is logically separated into the transitions high, medium, 
and low, with transition points at the thresholds. 
2.2.3 Data-Oriented Methodologies 
Data-oriented processing requirements are different from control-oriented requirements. 
Data-oriented processing requires tracking states with a finite but large number of transitions. 
Instead of being able to group a reading into subsets such as high, medium, or low, data 
processing tracks minute changes that occur over time. For example, the velocity of a 
spacecraft can be derived from acceleration measurements, as shown in Equation 1. 
- 
current- ' last + A acurrent 
Equation 1 : Spacecraft Velocity State 
Equation 1 is the data processing specification of the spacecraft velocity. Stated in words, the 
current velocity of the spacecraft is equal to the last velocity state, plus the incremental 
change in velocity since the last measurement. The velocity state must specify the set of 
incremental transitions between zero and the maximum velocity of the spacecraft. It is 
impractical, if not impossible, to create an equivalent FSM. The state machine will contain an 
unreasonably large number of states. 
Data-oriented specifications are a major part of spacecraft software. These specifications are 
characterized by algorithms or by a series of mathematical operations performed on a set of 
input data that results in a set of outputs. The control laws that maintain the spacecraft 
attitude take inputs from attitude sensors and perform a series of complex mathematical 
algorithms to derive output commands for the attitude control actuators. Data sent between 
the spacecraft and ground must first be formatted and encrypted. Raw sensor information 
must be transformed into a form that can be recognized by the spacecraft computers. The 
processing of these data involves a series of operations performed at regular intervals and 
results in a set of outputs. 
One of the simplest method to specify data-oriented requirements is by using block-diagrams. 
For example, the equivalent block diagram for Equation 1 is shown in Figure 7. 
I I 
Figure 7: Block diagram description of spacecraft velocity 
'measured 
- 
In Figure 7, the algorithm for the spacecraft velocity is described using blocks connected by 
arrows. The arrows represent variables of interest while the blocks encapsulate mathematical 
operations. For example, the At block on the left is a multiplication block. The block takes 
the measured acceleration variable and multiplies it with a constant value. The summation 
block in the middle of the Figure takes two inputs and adds them together. The block on the 
lower right represent a delay operation. The output of the block is the value of the input 
variable a constant time unit ago. 
Vcul*ent 
At a a v
Block diagrams can be used to describe many different data-oriented applications. One of the 
most dominant data-oriented applications on spacecraft are control law algorithms. Control 
law algorithms take inputs from sensors throughout the spacecraft and produce intermediate 
variables such as the spacecraft attitude, altitude, and orbital location. These variables are 
used to determine the output commands for actuators and instruments on the spacecraft. For 
example, the attitude control law specifies the amount of rotation needed to put the 
spacecraft in a desired attitude. The amount of rotation is sent to attitude control actuators 
to produce the desired change. Control laws are traditionally specified with block-diagrams. 
Engineering student are taught control theory using block-diagrams such as the one shown in 
Figure 8. 
+ 
vlas4 At delay 
4w 
Figure 8: Block-diagram of a control law, adapted from [WIKOG] 
The notations in Figure 8 are specific to control theory1. However, all data-oriented 
processing requirements can be specified with similar notations. The block-diagram in Figure 
8 is a data processing specification based on formal mathematics. It is also easy to read, and 
conforms to standard engineering training. Block-diagrams are a natural method to describe 
data processing specifications. Several methodologies are designed to capture data-oriented 
specifications using block-diagrams. A survey of these methodologies is provided next. 
Matlab and Simulink 
Mathwork's Matlab and Simulink are industry standards for modeling data-oriented 
applications such as control laws, signal processing, and message encryption/decryption 
algorithms. Matlab is a programming language geared specifically for mathematical 
operations, and Simulink is a block diagram manipulation tool. With Matlab and Simulink, 
users can design algorithms by connecting blocks on the screen, replicating the traditional 
method used by engineers with pen and paper. 
Using Mathwork's toolsets, users can perform simulations and other types of analysis on the 
specification. They can also automatically generate an equivalent C program. Autogenerated 
code from Matlab and Simulink have been used on spacecraft control systems [DEL99], 
[WARD99 1. 
1 For background information on control theory, refer to R. Dorf and R. Bishop, Modern Control 
Systems, Prentice Hall, 2004. 
Octave and Octavia 
Although Matlab is the industry standard, there are several competing software tools 
available including Mathematica, Maple, and Octave. Octave is an open source software 
created by two university professors, James B. Rawlings of the University of Wisconsin- 
Madison and John G. Ekerdt of the University of Texas. The original intent of the creators 
was to provide their students with a tool that is equivalent to Matlab, but free from expensive 
licensing fees [EAT97]. The source code for Octave is available for free through a general 
public license. 
Since its original inception, the open source community has contributed significantly to the 
project, producing a toolset that includes many of the functionalities available in Matlab. The 
current version of Octave has built-in functions for control theory, signal processing, 
nonlinear systems, and many others. Unlike Matlab, however, Octave does not have an 
equivalent block diagram manipulation tool, or an integrated environment to perform 
simulations and generate code. 
Chapter 3 describes the development of a new toolset called Octavia. The development of 
Octavia is a major component of this thesis. Octavia is an integrated environment that 
emulates Mathwork's Simulink toolset. It features a block-diagram manipulation tool along 
with the capabilities to perform simulations and generate C code automatically. The 
development of Octavia allows spacecraft engineers to capture data-oriented applications in 
an environment that is integrated with the other high-level specification toolset used in this 
thesis, SpecTRM-RL. Octavia and SpecTRM-RL allow spacecraft engineers to capture both 
data-oriented and control-oriented processing specifications respectively. Descriptions of the 
toolsets and process developed for this thesis are provided in Chapter 3. 
The high-level specifications and autocode generation methodologies described in this thesis 
are traditionally geared towards producing software. Some methodologies however can 
generate hardware as well as software from high-level specifications. These methodologies 
form a research field called co-design [KUM96]. The next section describes the goals of co- 
design research and provides a survey of current methodologies. 
2.3 Co-design Methodologies 
Control-oriented and data-oriented processing can be accomplished through hardware or 
software. Each has distinct advantages and disadvantages. Software is comparatively easy to 
develop, implement, and change. There are more people familiar with software than 
hardware. Most engineering students are taught at least one programming language while 
hardware design is mostly limited to electrical engineers. There are also far more companies 
dedicated to software and software development. As a result, software is often cheaper to 
develop. With modern programming languages and compilers, software is also easier to 
install and modify. Software can be installed and changed by compiling source code and 
uploading it to memory. Modern software development tools make these procedures 
relatively easy. 
Software has limitations however. Performance requirements such as timing constraints and 
data throughput are difficult to guarantee in software, especially when there are multiple 
software applications running on the same processor. Modern operating systems allow 
multiple programs to share the same processor. Processor resources are divided equally or 
prioritized according to the real-time requirements of each program. But as the number of 
programs increase, the amount of time given to each program is reduced. Much effort is 
needed to ensure software meets time critical requirements. 
The primary motivation to develop hardware as opposed to software is performance 
guarantees. Unlike software, timing constraints and data throughput requirements can be 
guaranteed in hardware. Hardware allows engineers to carry out processing requirements 
independently. Specifications that involve multiple tasks can be separated and implemented 
using independent hardware devices. Hardware performance is limited only by the physical 
characteristics of silicon and electrons. Super-computers, high-speed Internet routers, and 
graphics processors are some examples of high-performance hardware applications. 
Hardware also has some drawbacks however. Some applications are simply not well suited 
for hardware. For example, a simple bubble sort algorithm can be carried out with less than 
ten lines of software code on a standard microprocessor. The same algorithm developed on 
custom hardware requires a complex set of registers, comparators, and finite state machines. 
Hardware is also very difficult to modify once the design has been programmed into silicon. 
Many devices, including most space grade FPGAs, can only be programmed once. The 
capability to change configuration is an important property for spacecraft. Requirements 
may change during the lifetime of the mission and errors found in-flight have to be corrected. 
At present, it is not possible to reconfigure hardware devices in-flight1. 
Since the 1990s, researchers have worked on combining the advantages of hardware and 
software to form a unified methodology. The term co-design is used to describe the process 
to create custom computing platforms with a combination of hardware and software 
[KUM96]. Although the methodologies among researchers differ in their goals, techniques, 
and specialization, they all have one thing in common. All co-design methodologies start 
with a high-level specification. This high-level specification is used to describe the behavioral 
requirements of the application. Once the high-level specification is complete, the 
requirements are partitioned into hardware and software requirements, with the goal of 
leveraging advantages of each method [KUM96]. 
The methodology developed in this thesis shares some common themes with co-design 
research. Both involve a high-level specification to capture the requirements of the 
application. Both use a combination of hardware and software to carry out those 
requirements. Both aim to better manage complexity through visualizations and abstractions. 
Lastly, both make use of CAD tools to improve efficiency and productivity. 
There are currently several competing co-design methodologies. A brief survey of the most 
popular methodologies is provided next, followed by a comparison to the methodology 
developed in this thesis. 
2.3.1 Survey of Co-Design Methodologies 
A high-level system design methodology must have methods to capture both high-level 
architectural and behavioral concepts such as algorithms and data structures, as well as low- 
level hardware design descriptions such as concurrency and state transitions. Current co- 
design solutions can be divided into two groups: those based on a software programming 
language, and those based on a hardware description language. The following sections 
1 The recent introduction of reprogrammable FPGAs should provide the capability for in-flight 
reconfiguration. However, the technology has not been used widely on spacecraft. 
provide a short survey of methodologies in each group'. 
Methodologies Based on Programming Language 
SpecC and SystemC are two popular co-design methodologies based on the C programming 
language. The C language is good for capturing high-level behavioral specifications, but the 
language requires extensions to capture low-level hardware design descriptions. 
SpecC is developed by the SpecC Technology Open Consortium, a consortium backed by 
Japan's top-tier electronics and semiconductor companies [GAJOO]. The methodology is 
based on extending the C programming language to allow the modeling of concurrent 
sequential processes for software, FSMs with datapath for hardware and discrete events for 
protocols. SpecC models are captured textually like a traditional C program. Once captured, 
the model is divided into control-oriented and data-oriented components. The control- 
oriented components are modeled with a traditional FSM, while the data-oriented 
components are modeled with a pipeline sequential process. The FSM and pipeline 
sequential process are viewed using a formalized set of visualizations described in the 
language. The SpecC language also specifies a communication interface that allows data 
transfer between different components in the model. The Development tools and example 
applications may be obtained from the SpecC website2. 
Like SpecC, SystemC is also an open standard based on the C++ programming language. 
The control board of the standards group includes Cadence, Fujitsu, Mentor, Motorola, NEC, 
Sony, and Synopsys. SystemC supports an iterative, use-case driven, and executable system 
modeling methodology by borrowing elements from both UML and VHDL. SystemC share 
many concepts with objection-oriented programming. The aim of the SystemC methodology 
is to facilitate development of new applications from libraries of reusable components 
[MUL03]. SystemC includes a number of class libraries that facilitate the description of 
concurrent processes. These libraries allow SystemC models to describe hardware 
components much like a traditional hardware description language like VHDL. SystemC also 
provides a set of libraries that facilitate communication among various components. These 
libraries can be used to specify how and when information is transferred between different 
1 For a more comprehensive survey, see [KUM96]. 
2 http://www.ics.ucic.edu/ -specc/ 
concurrent or sequential components. A SystemC model is also captured textually much like 
a traditional C+ + program. The SystemC website provides development tools and libraries 
to extend the traditional C+ + libraries1. 
There are a number of academic research groups dedicated to the design of co-design 
methodologies. One of the most comprehensive is the Ptolemy framework developed at 
University of California ~erkeley~.  Ptolemy is designed for the simulation, prototyping, and 
synthesis of digital signal processing systems [HYL03]. Ptolemy includes a collection of open- 
source toolsets designed for experimentation and promote academic research. Ptolemy 
supports both C+ + and JAVA programming languages. The strength of Ptolemy is its unified 
framework for the simulation of heterogeneous computation models including synchronous 
data flow (SDF), FSMs, Synchronous or Reactive specifications, Process Networks, etc. 
[HYL03]. Each of these computation models has a different model of time. Ptolemy 
facilitates the combination of systems described in different computation models through a 
unified scheduling mechanism. Once a design is captured and simulated, Ptolemy also 
provides the ability to automatically generate C code or VHDL. The autocode generators can 
be targeted to a number of architectures including a set of microprocessors, digital signal 
processing processors, FPGAs, and ASICS. 
Methodologies Based o n  HDL 
SystemVerilo$, and ESTEREL HDL4 are two popular methodologies based on hardware 
description languages. These methodologies extend HDLs to capture high-level architectural 
concepts that are popularly described in software. 
SystemVerilog is a recently ratified hardware description and verification language (HDVL) 
standard. It is a major extension of the established Verilog HDL, and was developed by 
Accellera5. SystemVerilog is targeted primarily at hardware applications that require faster 
integration with software. Its intended users are primarily hardware engineers who are 
experienced with Verilog [BERGOS]. SystemVerilog provides a mechanism to call a 
1 http://www.systemc.org 
2 For a more comprehensive survey, see [GUP95]. 
3 http://www.systemverilog.org 
4 http://www.esterel-technologies.com 
5 http://www.accellera.com 
traditional software function described in C or C++. These mechanisms allow the 
description of both hardware and software components. SystemVerilog is designed for 
simulation. A SystemVerilog model featuring the Verilog description and C or C+ + functions 
can be simulated using a SystemVerilog simulation tool. 
Esterel HDL is an effort led by Professor Stephen Edwards at Columbia University to extend 
the Esterel language. The Esterel hardware compiler is designed for embedded applications 
like automotive systems. The Esterel compiler can generate hardware in the form of netlists 
of gates that can be used to synthesize hardware [EDW04]. In addition to Edwards's 
research, Esterel Technologies also has an HDL generator, which can automatically convert 
an Esterel specification into either VHDL or Verilog. The Esterel HDL autocode generators 
are certified to DO-178B standards. Information on the Esterel HDL autocode generators can 
be found on the Esterel website. 
2.3.2 Comparison of Co-design Methodologies to Thesis 
The co-design methodologies surveyed posses distinct advantages and disadvantages over the 
methodology described in this thesis. The co-design methodologies surveyed are far more 
mature than the methodology described in this thesis. The work described here is intended 
to illustrate the feasibility of providing a unified and formal methodology for spacecraft 
systems. The methodologies and toolsets developed in this thesis lack many of the advanced 
capabilities provided by the co-design methodologies described. These capabilities include 
semantics to model the interfaces between hardware and software components, partitioning 
algorithms to select the best combination of hardware and software implementation, design 
resource estimation algorithms, simulation test bench generation and other formal 
verification techniques. These capabilities are beyond the scope of this thesis. Chapter 6 
discusses some future work to extend the methodologies and toolsets developed here to 
provide these additional capabilities. 
The semantics of the co-design methodologies surveyed allow the description of complex 
interactions between hardware and software components. SpecC, SystemC, and Ptolemy 
provide communication mechanisms to enable the transfer of data between hardware and 
software components. Information related to timing constraints and data structures can be 
specified directly with expressions designed in the programming language used by these 
methodologies. SystemVerilog and Esterel HDL have similar mechanisms to describe 
communication interfaces between hardware and software components. The methodologies 
and toolsets developed in this thesis do not have specific semantics to describe the interface 
of hardware and software components. The autocode generators developed in this thesis 
convert SpecTRM-RL and Octavia high-level specifications into VHDL and C respectively. 
The interface between these intermediate hardware and software components are left up to 
the spacecraft hardware engineers. Chapter 5 presents an architecture that features a 
possible interface between the hardware and software components in a prototype FPGA 
computing system. 
The methodologies and toolsets developed in this thesis also lack an automated partitioning 
scheme or the ability to explore different partitioning schemes. Hardware software 
partitioning is used to optimize the system design by leveraging the advantages of hardware 
and software. The methodology described in this thesis relies on spacecraft engineers to 
divide processing requirements between control-oriented and data-oriented sections. Once 
this manual partitioning effort is complete, the requirements are converted into hardware or 
software components. This manual partitioning effort does not allow the system design to be 
optimized. Each of the co-design methodologies surveyed provide capabilities to simulate 
different partitioning schemes once the processing requirements are captured. In additon, 
the Ptolemy framework also provides partitioning algorithms that automatically analyzes the 
requirements and selects an optimized hardware software partition based on heuristics 
[GUP95]. These simulations and algorithms provide system designers with an opportunity to 
explore and optimize the partitioning of the system. 
Along with hardware software partitioning schemes, the co-design methodologies surveyed 
also provide the capability to estimate the resources needed to implement a computing 
system. Once the processing requirements are partitioned into hardware and software 
components, an estimate of the hardware and software resources required to implement the 
system design can be calculated. The resource estimation tools provide a way for designers 
to select an appropriate target computing system such as an FPGA or more advanced ASIC or 
VLSI. 
The high-level specification languages used to capture spacecraft processing requirements 
provide several formal analysis tools. These tools, however, are only designed to analyze the 
blackbox behavior of the specification. There are no analysis tools to verify the hardware and 
software components that are generated from the high-level specifications. Timing 
constraints such as data latency and task completion deadlines are not guaranteed in the 
autocode generated hardware and software components. The co-design methodologies 
surveyed provide a more comprehensive verification framework. SystemC has a verification 
library that allows users to verify timing constraints in a simulation environment1. Esterel 
Technologies provides a design verification tool in the SCADE toolset2. The Ptolemy 
framework includes a verification tool called CHARON [HUR02]. The SystemVerilog 
language is specifically designed to support verification. The SystemVerilog language 
supports assertion-based verification techniques and simulation-based verification tools 
[BERG051 . 
There are a number of advantages provided by the methodologies and toolsets developed in 
this thesis. The high-level specification languages used in the methodology are specifically 
designed for spacecraft subsystem engineers. These engineers are usually not trained in 
software or hardware engineering. The co-design methodologies surveyed require training in 
a programming language or hardware description language and some understanding of 
concepts in computation. The semantics of the high-level specification languages are 
designed specifically for engineers who may not have a background in software and 
hardware engineering. The SpecTRM-RL semantics are designed to mimic standard English 
prose, while the semantics of Octavia are based on block-diagrams, which are used by 
engineers from diverse backgrounds. 
The semantics in the co-design methodologies surveyed are based on programming languages 
and hardware description languages. Spacecraft subsystem engineers will have to be trained 
in these languages before they are able to review the specification. The high-level 
specification languages used in this thesis are also specifically designed for human review. 
The semantics of the languages are designed to be readable and easily understood. The 
semantics of SpecTRM-RL and Octavia are designed to be readable and easily understood by 
engineers with little training [LEV98]. SpecTRM-RL and Octavia also feature visualizations 
to help engineers review a specification. These visualizations provide a way to manage and 
view the underlying system that is more intuitive than the textual representations provided 
by the co-design methodologies surveyed. SystemC, Ptolemy, and Esterel HDL provide 
visualizations to describe FSMs and data-flow graphs. Experiments are required to make a 
more formal comparison of the visualizations used in this methodology and the visualizations 
provided by other methodologies. 
2.4 Chapter Summary 
This chapter provided a review of the state-of-the-art in spacecraft hardware and software 
development. A review of common spacecraft hardware devices such as memories, 
microprocessors, and FPGAs was provided. Most hardware components are procured as 
COTS components. A survey of the most popular suppliers of spacecraft hardware was 
conducted. This chapter also described two recent innovations in spacecraft software 
development; high-level specifications and autocode generation methodologies have the 
potential to improve the current spacecraft software design process. This chapter provided a 
survey of software methodologies that can generate software using high-level specifications 
and autocode generators. Finally, high-level specifications and autocode generators can be 
used to develop hardware in addition to software. This chapter provided an overview of the 
co-design research field along with a brief survey of current methodologies. 
The next chapter will describe the first major component of this thesis: the development of 
high-level specifications specifically designed for spacecraft processing requirements. The 
chapter will provide descriptions of the two high-level specification languages used in the 
thesis: SpecTRM-RL and Octavia. Descriptions of the development of accompanying toolsets 
for each high-level specification languages follows. Lastly, the new spacecraft specification 
design process using these high-level specifications and toolsets is described. 
Chapter 3 
High-Level Specifications 
This chapter describes the first of two major components developed in this thesis: high-level 
specifications and toolsets specifically designed for spacecraft computing systems. These 
high-level specifications are an integral part of a new spacecraft computing development 
process. Unlike the traditional spacecraft computing development process first described in 
Chapter 1, this new process greatly reduces the role of software engineers and software 
specifications and allows spacecraft subsystem engineers to interface directly with spacecraft 
computer hardware engineers. Figure 9 compares the interfaces between the traditional 
process and the new process developed in this thesis. 
Subsystem 4 
Engineers Algorithms Protection 
Software S o f h a  re 
*Engineerr U 
Hardware - Engineers 
Software j] 
N wit lnt erf ace 
-4 + Current Interface 
Figure 9: New Design Process Interface 
This chapter is the first of three chapters that will describe the methods and tools developed 
for a new spacecraft computing development process. Figure 10 provides a high-level 
overview of this new process. The process starts with capturing high-level specifications and 
ends with the synthesis of a unique computing system for the spacecraft. 
Prototype 
Simulation 
I Chapter 5 
--
Chapter 3 Chapter 4 
p....-.-.---.-..-.--.--.-.--.----.---.--.--.-.- " .-...--..-- 
I / 1 New Contributions / 
Solution Exists j 
I I 
Figure 10: High-Level View of Process Described in Thesis 
The new process described in this thesis starts with a pair of high-level specifications to be 
described in this chapter. Control-oriented specifications such as fault detection and isolation 
features are captured in SpecTRM-RL, while data-oriented specifications such as control law 
algorithms are captured in a new language and toolset called Octavia. Using the tools to be 
described in this chapter, high-level simulations and other formal analyses can be performed. 
These analyses allow engineers to detect errors and observe the behavior of the specification. 
Once the high-level specifications are complete, the specifications are automatically 
converted into software code and a hardware model described in VHDL. The autocode 
generators are described in the next chapter. The autogenerated code and hardware model 
can be executed and simulated with a prototype FPGA computing platform. After the 
prototype system is validated, spacecraft hardware engineers use the automatically generated 
software code and hardware model to synthesize the actual computing system for the 
spacecraft. Fault tolerant measures are implemented at this stage by hardware engineers to 
protect against radiation effects and hardware failures. 
The spacecraft computing development process outlined in Figure 10 is applied to the backup 
attitude control system of the Landsat7 spacecraft in Chapter 5. High-level specifications are 
redeveloped for major components of the spacecraft's backup attitude control system 
including its fault protection and control law algorithms. From these high-level 
specifications, the autocode generators are used to generate hardware and software 
components and synthesized on a prototype FPGA computing system. Finally, closed-loop 
simulations are performed to validate the prototype computing system and illustrate the 
feasibility of the new design process. 
3.1 Chapter Outline 
This chapter describes the high-level specification languages and toolsets used to capture 
spacecraft processing specifications. Control-oriented specifications are captured with 
SpecTRM-RL, while data-oriented specifications are captured with a new specification 
language called Octavia. This chapter is organized as follows. Section 3.2 provides a 
description of the SpecTRM-RL specification language. SpecTRM-RL was developed by 
Nancy Leveson and her students specifically for large control-oriented systems [LEV99]. The 
Safeware Corporation provides the commercial SpecTRM toolset to capture and analyze 
SpecTRM-RL specifications [SAFE03]. A description of the toolset and its accompanying 
modeling and analysis tools is also provided in Section 3.2. In Section 3.3, the Octavia 
specification language and toolset by the same name is described. Octavia is a new 
specification language developed in this thesis specifically for spacecraft data-oriented 
specifications. Octavia is based on the open-source Octave mathematical programming 
language [EAT97]. Section 3.3 provides a brief background on the Octave language and 
describes the extensions made to Octave to create the new Octavia language and toolset. 
In Chapter 2, the typical computer processing applications of a modem spacecraft were 
presented. These applications can be divided into two major categories: control-oriented and 
data-oriented. Control-oriented applications involve keeping track of discrete states in the 
system and determining the appropriate actions the system should take in response to 
discrete events. Data-oriented applications involve a set of continuous states and are 
characterized by a series of mathematical operations performed on a set of data at regular 
intervals. The methodology developed in this thesis uses two separate high-level 
specification languages to capture typical processing specifications on a spacecraft. 
SpecTRM-RL, to be described in this section, is used to capture spacecraft control-oriented 
specifications, while the next section will describe the Octavia language used to capture 
spacecraft data-oriented specifications. 
SpecTRM-RL is part of a family of specification languages based on an underlying 
hierarchical and parallel finite state machine (FSM). As presented in Chapter 2, FSM 
languages are a natural method to specify control-oriented applications. Unlike other 
languages based on FSMs however, SpecTRM-RL is designed to specify only blackbox model 
behavior. The blackbox model only allows statements and observations to be made in terms 
of outputs of the system and the inputs that trigger those outputs [LEV99]. Computing 
specifications traditionally include design information such as memory allocation schemes, 
assignment of variables and registers, and partitioning of functions into subprograms 
[LEV99]. This additional information is an artifact of the hardware and software design 
process that is not necessary to capture system behavior. During the development of 
SpecTRM-RL, Leveson and her colleagues discovered that this additional information actually 
make it more difficult to review the system design [LEV99). To enhance the human review 
process, SpecTRM-RL was designed with only the most essential features of FSM-based 
languages. By limiting features and constraining the language to blackbox model 
descriptions only, SpecTRM-IU specifications are easy to read and review while remaining 
powerful enough to capture any control-oriented processing specification. 
The following sections provide a description of the SpecTRM-RL language. The syntax and 
semantics of the languages is first described. Following, the structure of a SpecTRM-RL 
specification is described. Lastly, an overview of the SpecTRM toolset is provided. Features 
such as the built-in analysis tools and simulation environment are described. 
3.2.1 SpecTRM-RL Syntax and Semantics 
The primary motivation behind the design of SpecTRM-RL was to create a formal 
specification language that could be easily understood by engineers without computer science 
or discrete mathematics backgrounds [LEV99]. Unlike most formal specification languages, 
the syntax of SpecTRM-RL is designed to be simple and regular [ZIM02]. Logic specifications 
in SpecTRM-RL are not composed of traditional predicate logic or even more abstract 
methods like Communication Sequential Processes (CSP) [HOA79]. Instead, logic 
specifications are captured in prose-like statements such as 'State A is in Condition X' or 
'Value of B x Transitions Ago is Y'. SpecTRM-RL syntax also include commonly used 
mathematical functions like "Absolute Value", "Maximum", "Minimum", and "Square Root"'. 
Functions can be referenced directly in statements. For example, the statement 'Absolute 
Value (X) < MaximumOl)' is a valid SpecTRM-RL statement. The prose-like syntax of the 
SpecTRM-RL language was designed specifically to enhance the readability of the language. 
Minimal training is required to read a SpecTRM-RL specification [ZIM02]. 
The SpecTRM-RL language supports four data-types: Real, Integer, Enumerated, and 
Duration. The Integer and Real types correspond to IEEE standards [IEEE85]. Enumerated 
values are specified by users and can take on any string value. For example, the combination 
{On, Off) is a valid enumerated data-type. Data corresponding to time durations are 
specified with duration types. SpecTRM-RL supports duration units from hours down to 
nanoseconds. 
SpecTRM-RL features an intuitive method to declare combinations of logic expressions. It 
uses an AND/OR table. An example of an AND/OR table is shown in Figure 11. 
1 A complete list of SpecTRM-RL expressions can be found in [SAFE03]. 
= Normal 
I . .  - -- - -- - --  --- . -- . - . -. - -- - . 
Figure 11 : Example of an AND/OR Table 
I 
The AND/OR table in Figure 11 captures the logic specification for one of the transitions in 
the "Spacecraft Mode" described in Chapter 2 (Page 38). The AND/OR table in Figure 11 
captures the logic specification required to enter the "Normal" mode. The rows represent 
AND statements while the columns represent OR statements. T and F represent true and 
false while a star represent a 'don't care' condition. In the example, the "Spacecraft Mode" 
transitions to "Normal" if all rows in the first column are true, or all rows in the second 
column are true. The AND/OR table is designed specifically for readability and to facilitate 
the human review process. It has been shown to be more readable than other techniques 
currently used [ZIM02]. 
AND/OR tables form the basic building blocks of a SpecTRM-RL specification. The next 
section describes how these AND/OR tables are used to construct the six elements of the 
SpecTRM-RL language and how these elements are used to construct a specification. 
3.2.2 Structure of SpecTRM-RL 
SpecTRM-RL specifications are constructed from six elements: Outputs, Inputs, Modes, State 
Values, Macros, and Functions. These six elements are used to specify, or model the behavior 
of a system. A visualization of the basic structure of a SpecTRM-RL model is shown in Figure 
12. 
Environmental 1 
1 Measured Variables 
Measured 
Feed back 
Controlled I--- Devic e 
I 
Controlled 
Command 
L 
Figure 12: Structure of SpecTRM-RL Model 
Everything within the large box in the middle of Figure 12 represents the specification of the 
system being modeled. The smaller boxes on the edges are external components that interact 
with the system. Interactions with human supervisors are given special attention and are 
grouped separately from other components. Output and Input elements are used to model 
the interfaces between the system and external components. Internal system behavior is 
modeled with Mode and State Value elements. Macro elements are used to store commonly 
used logic and Function elements allow the specification of custom mathematical functions. 
The following sections provide a more detailed description of each SpecTRM-RL element. 
Output Element 
Figure 13 is an example of a SpecTRM-RL Output element. The "Commanded Attitude 
Angle" Output element is used to model the interface between the attitude control system 
and the attitude control actuator device on the spacecraft. 
-1Output Command I 
Commanded Attitude Anale 
J 
Destination: Attitude Control Actuator 
Fields: 
Name: Angle 
Type: Real 
Acceptable Values: [-90,0., 90.01 
Units: Degrees 
Granularity: 1 Degree 
Hazardous Values: None 
Exception -Handling : Force t o  0 
Description: The attitude actuator rotates the spacecraft t o  this angle 
Comments: N/A 
References: Spacecraft, Octavia Calculated Anale 
TRIGGERING CONDITION 
Spacecraft in mode Normal 
Spacecraft in mode Sun Acquisition 
MESSAGE CUNTENTS 
Field: Value: 
Angle Octavia Calculated Angle 
- -- 
Figure 13: Example of an Output Element 
Information about the destination of the output, the format of the output message, exception 
handling procedures, and elements referenced to the Output element are required. This 
information is necessary to ensure that the specification is unambiguous, and provides 
context for reviewers. References to other parts of the specification including other 
SpecTRM-RL elements are linked. These links allow reviewers to quickly navigate between 
various sections of the specification. 
The Output element is triggered based on a set of conditions specified in an AND/OR table. 
In the example, an output command is issued whenever the spacecraft is in either "Normal" 
or "Sun Acquisition" mode. When the Output element is triggered, a message is sent to the 
external device with the information specified in the Message Contents table. In the example, 
a message containing the change in angle to be commanded is sent to the "Attitude Control 
Actuator" device. The actual value of the output message is obtained from the control law 
specification captured in Octavia. Section 3.3 will describe how the control law algorithm is 
specified. 
Output elements and Input elements allow SpecTRM-RL specifications to interface with 
Octavia specifications. The Octavia language has equivalent elements to interface with 
SpecTRM-RL. These interfaces allow spacecraft engineers to combine control-oriented and 
data-oriented specifications and form one complete specification of the spacecraft. Chapter 5 
will provide a description of how these specifications are combined. 
Input Element 
Figure 14 is an example of a SpecTRM-RL Input element. Similar to Output elements, 
information about the source of the input, the format of the data, and references to other 
elements is required. The "Attitude Angle" Input element has a number of possible 
transitions. AND/OR tables are used to specify the conditions for each transition. The 
"Obsolete" transition, specified in the third AND/OR table, is required for all Input elements. 
Leveson's research has shown that many accidents are caused by a failure to specify 
conditions for invalid or absent inputs [LEVOO]. The "Obsolete" transition forces designers to 
account for off-nominal or absent inputs. 
Figure 14: Example of an Input Element 
------" 
llnput Value I 
Attitude Angle 
Source: Attitude Sensor 
Type: Real 
Possible Values (Expected Range): [0,0..360.0] 
Units: Degrees 
Cran ularity: 1 Degree 
kception-Handling: None 
References: Ground Updated Attitude Anale 
Appears In: Attitude Svstem 
DEFINITION 
= New Data for Attitude Angle 
l ~ t t i t u d e  Angle was Received I FI 
= Previous Value o f  Attitude Ang Ie 
Input elements can also be in the "New Data" transition. This is the default transition for the 
condition when new data is received from an external component or human s u p e ~ s o r .  The 
"New Data" transition is specified in the first AND/OR table in Figure 14. The table 
evaluates to true whenever new data is received. 
Attitude Angle was Received 
Time Since Attitude Angle was Last Received < = 5 seconds 
A "Previous Value" transition is usually specified for every Input element. As the name 
suggests, the "Previous Value" transition means the Input element retains the same data value 
as the last valid data value received. The "Previous Value" transition accounts for the period 
after new data is received and the time at which the data is no longer deemed valid. In the 
1 
= Obsolete 
System Start 
Attitude Angle was Never Received 
Time Since Attitude Angle was Last Received > 5 seconds 111 
= Ground Updated Attitude Angle 
Ground Updated Attitude Angle was Received 
Ground Updated Attitude Angle i s  Obsolete 
example, this period is five seconds. Five seconds after data is received, if no new data is 
received, the input transitions from "Previous Value" to "Obsolete". 
Lastly, Input elements can take on the value of other Input elements. This transition is 
specified by referencing the name of the other Input element, as shown in the final AND/OR 
table in Figure 14. 
Input and Output elements are used to specify the interfaces between the system and its 
environment. The other four SpecTRM-RL elements are used to model the internal behavior 
of the system itself. 
Mode and State Value Elements 
Mode and State Value elements model internal system behavior. These elements specify the 
intermediate logic that occurs between receiving inputs and sending outputs. Figure 15 is the 
equivalent Mode element for the FSM depicted in Figure 4 in Chapter 2. The four states of 
the original FSM are combined to form a Mode element, labeled as the "Spacecraft Mode". 
Each state of the original FSM is captured as a transition. Instead of circles and arrows, the 
transitions are specified by AND/OR tables. 
There are two types of Mode elements in SpecTRM-RL: A Control Mode and a Supervisory 
Mode. Control Mode elements represent major operational modes of the automation. The 
example in Figure 15 is an example of a Control Mode element. The "Spacecraft Mode" 
specifies distinct operational scenarios of the spacecraft. Because the behavior of the 
spacecraft automation differs for each phase of the mission, specifyrng the "Spacecraft Mode" 
allows spacecraft engineers to divide and manage different phases of the mission separately. 
The design of the "Spacecraft Mode" affects the behavior of the spacecraft throughout its 
mission and is a major aspect of the early design process of a spacecraft [WER03]. A lot of 
effort is spent to allocate the appropriate modes and to specify transitions between different 
modes. 
-1ControI Mode I 
Spacecraft 
Description: The Spacecraft Control Mode I Comment: NA I 
References: Spacecraft, Sun Sensor Input, Ground Command, 
Attitude Svstem 
Appears In: NA 
= Launch 
DEFINITION 
lsystem Start I FI 
= Sun Acquisition ' 
Launch 
Now > =  10 minutes 
= Normal 
Fau I t  Detected 
= Fault Detected 
I ( ~ t t i t u d e  System in state Fault I El 
1 I 
Figure 15: Example of a Mode Element 
Supervisory Mode elements are structurally equivalent to Control Mode elements. However, 
Supervisory Mode elements are used to model a different aspect of the system. Unlike 
Control Mode elements, Supervisory Mode elements are used to model operational modes 
that involve human operators and automation that can affect the operational mode of the 
system. In a complex system like a spacecraft, there are usually multiple actors that can exert 
control on the system [LEV97]. Accidents have occurred because of confusion among 
different controllers. On a typical spacecraft, there are usually multiple ground controllers as 
well as multiple automations on-board that can issue commands at any given time. 
Conflicting commands sent from multiple controllers or a lack of correct commands can cause 
the spacecraft to enter a hazardous or unknown state. Supervisory Mode elements are 
specifically designed to model the logic of who is in charge of the system. Supervisory Mode 
elements allow engineers to specifically identify and capture information that relates to the 
supervisor of the system at different phases of the mission. 
Logical requirements may not all be part of an operational or supervisory mode. It is useful 
to capture intermediate states based on information received from inputs. These states are 
then used to trigger outputs or change a mode within the system. SpecTRM-RL captures 
inferred system states through State Value elements. An example of a State Value element is 
shown in Figure 16. 
----- -" -"a --"------- 
-piizKXq 
Attitude System State 
Obsolescence: 
Exception-Handl i ng: Force to  Unknown transition 
Related Inputs: Attitude Angle lnput 
Description: Status o f  Attitude System inferred from input(s) 
Comments: None 
References: Attitude Angle Input 
Appears In: Spacecraft Mode 
REF1 NITION 
= Unknown 
System Start 
Attitude Angle lnput is Obsolete 
= Normal 
= Fault Detected 
System Start 
(Attitude Angle lnput - Previous Value 
o f  Attitude Angle Input) 3 = 20 
Figure 16: Example of a State Value Element 
The "Attitude System State" is used to infer the status of the attitude system based on data 
received by the "Attitude Angle Input" element. A fault is determined by comparing the 
change in angles between two consecutive measurements and the maximum expected limit. 
The "Attitude System State" has three possible transitions: "Unknown", "Normal", and "Fault 
Detected." An "Unknown" transition is required for all State Value elements. The 
"Unknown" transition describes situations where there is insufficient information to infer the 
status of the system. Many accidents have occurred because automated controllers had no 
requirements to handle the unknown case [LEVOO] . 
The other transitions of a State Value element are specified by users. Transitions can take on 
any meaningful string value. In the example, "Normal" and "Fault Detected" are used to 
unambiguously describe distinct transitions of the attitude control system. Like all other 
SpecTRM-RL elements, AND/OR tables are used to capture the logical specification of each 
transition. 
The logic specified in the example is a relatively simple fault detection logic intended to 
illustrate the structure of a State Values element. Spacecraft fault detection logic is usually 
more sophisticated. A comprehensive example featuring actual spacecraft fault detection 
logic will be provided in Chapter 5. 
Macro and Function EZernenl 
The final two elements in SpecTRM-RL are Macro and Function elements. These elements 
are used to manage complexity and make the specification more readable. A Macro element 
is simply an AND/OR table. It is used to abstract and store commonly used logic. Figure 17 
is an example of a Macro element. 
1 Attitude Angle Fault Check 
Description: Checks Attitude Angle Input t o  determine if 
there i s  a fault in the Attitude System 
' Comments: NA 
, References: Attitude Anule, Spacecraft 
' Appears In: Attitude System 
DEFINITION 
System Start 
Absolute ValueCAttitude Angle - Previous Value o f  Attitude Angle) > = 20.0 
Time Since Spacecraft Last k i t e d  Launch 3 5 minutes 
Attitude Angle i s  Obsolete 
Figure 17: Example of a Macro element 
A Macro element evaluates to true if the AND/OR table evaluates to true and false if the table 
evaluates to false. A Macro element allows the reuse of common logic. The combined logical 
specification stored in each Macro element is evaluated by referencing the name of the Macro 
element in an AND/OR table. Macro elements make the specification more readable and 
simpllfy modifications. 
Function elements in SpecTRM-RL are used to make intermediate calculations. As stated in 
the previous section, SpecTRM-RL already includes several built-in mathematical functions. 
The example in Figure 17 uses a "Minus" function and an L'Absolute Value" function. 
Function elements are used to specify more sophisticated algorithms. The algorithm is easily 
recalled in an AND/OR table by referencing the name of the function along with its specified 
parameters. Like Macro elements, Function elements make the specification more readable 
and simplify modifications. Figure is an example of a Function element. When called the 
Function element returns the data value of the "Attitude Angle" Input element multiplied by 
factor of 4.5. 
Calculate Angle 
Result: 
Type: Real 
Possible Values (Expected Range): [0,.360] 
Units: Degrees 
Granularity: 0.01 Degrees 
Exception-Handling: Force to 0 
Description: Returns Degree at which spacecraft should be rotated, 
Comments: NA 
Appears In: Commanded Attitude Anale 
DEFINITION 
Return Attitude Angle * 4,s; 
1 I 
Figure 18: Example of SpecTRM-RL Function Element 
A SpecTRM-RL specification is constructed from the six elements described. A commercial 
tool called SpecTRM is used to develop SpecTRM-RL specifications. The SpecTRM toolset is 
the topic of the next section. 
3.2.3 SpecTRM Toolset 
SpecTRM-RL specifications are captured with SpecTRM, a commercial toolset developed by 
Safeware'. A screen shot of the SpecTRM toolset is provided in Figure 19. 
Attitude Angle Fault Check 
Description: Checks Act~rrr.Je h y l e  Inpuc co deterrnme IF 1 1 
Figure 19: SpecTRM Toolset Environment 
Figure 19 depicts the major elements of the SpecTRM toolset. Specifications are captured 
using the main Editor window, shown at the center of Figure 19. Multiple files may be 
opened at the same time. Navigation menus and outlines are shown on the left side of Figure 
19. These windows allow users to quickly navigate through the specification document and 
between multiple documents. The error tracking window is located at the bottom of Figure 
19. The toolset automatically detects syntactic and structural errors in the specification. The 
location of each error found along with suggestions for corrections are displayed in this 
window. 
The SpecTRM toolset is built on an open-source platform known as Eclipse [DANOLF]. The 
Eclipse platform uses standard interfaces to facilitate rapid development of applications and 
plug-ins. The Eclipse platform allows users to easily access the Application Programming 
Interface (API) of any application developed under the Eclipse platform. The API is a 
documented interface that allows users to add custom plug-ins to existing applications. 
Several tools developed for this thesis use the SpecTRM API and the Eclipse platform. 
The SpecTRM toolset provides a convenient environment to capture SpecTRM-RL 
specifications. Once captured, the specification can be analyzed using several built-in tools. 
These analyses tools are described next. 
3.2.4 Automatic Analysis Tools 
Automatic analysis tools facilitate detection of errors in SpecTRM-RL specifications. These 
analysis tools are a powerful addition to the spacecraft design process that is not available 
with traditional methods. There are currently four analysis tools included in the SpecTRM 
toolset: the Validator, the Non-Determinism Analysis tool, the Robustness Analysis tool, and 
the Simulator. 
The Validator ensures that the specification adheres to formal rules of the SpecTRM-RL 
language. For example, the language requires that all State Value elements have an 
"Unknown" transition1. The Validator automatically checks the specification and reports any 
inconsistencies found. The Validator also ensures that the specification is syntactically 
correct. For example, comparisons between different data types are not allowed. The 
Validator does not account for any inconsistencies in the logical specification of the system 
itself however. To help detect possible inconsistencies in the actual specification, users can 
invoke three built-in analysis tools. 
The Non-Determinism Analysis tool in SpecTRM can automatically analyze the specification 
for nondeterministic behavior. Nondeterminism occurs when an element is capable of being 
in multiple transitions at the same time. 
1 A complete list of formal rules can be found in [SAFE031 
.-l~ontrol Mode I---- 
Spacecraft 
= Launch 
lsystem Start I U  
= Sun Acquisition 
Launch 
Now > =  10 minutes 
= Normal 
Ground Command is Go to  Normal 
= Fault Detected 
l~ t t i t ude  System in state Fault 1 
= Launch & h k m d  
Fau It Detected 
= Launch, Faua 
I svs tem Start I 
l ~ t t i t u d e  System in state ~ a u l t l  
, 
= Sun Aqisitiwr, Fault Detected 
Figure 20: Nondeterminism Analysis 
Figure 20 illustrates several examples of nondeterministic conditions found in the 
"Spacecraft" Control Mode element. The AND/OR tables on the left describe the specified 
behavior of the "Spacecraft" Control Mode element. On the right side of Figure 20 are 
several conditions that trigger multiple transitions in the element. Spacecraft and other 
safety-critical systems generally demand nondeterministic behavior [LEV95]. Non- 
deterministic behavior prevents controllers from accurately determining the state of the 
system and makes testing more difficult. At worst, non-deterministic behavior can place the 
spacecraft in a hazardous state. Nondeterminism results from an incomplete specification. 
The Non-Determinism Analysis tool allows users to quickly detect non-deterministic behavior 
and modify the specification to account for these conditions. 
The Robustness Analysis tool is the functional opposite of the Nondetenninism Analysis tool. 
The Robustness Analysis tool checks each element of the specification for conditions that do 
not result in any one of the possible transitions being true. For example, if every statement in 
the AND/OR tables of Figure 20 is evaluated as false, then there are no possible transitions in 
the element for that particular scenario. Non-robust behavior may signify an incomplete 
specification but can also be a result of designed behavior. For example, the scenario where 
all statements are false occurs before the system is initialized. The system immediately enters 
the "Launch" transition following system start. The scenario where all statements are false 
corresponds to a state in the system that has no significance and can be safely avoided. 
The last analysis tool built-in to SpecTRM is the Simulator. The Simulator allows users to 
examine the behavior of the specification in real-time using custom-designed test cases. The 
Simulator simulates the behavior of the system in response to user-supplied inputs. By 
changing the input data space, users can create custom test scenarios and analyze the 
behavior of the system in each scenario. The Simulator allows users to observe transitions of 
each element as they occur in real-time in a dedicated environment shown in Figure 21. 
Sun %mot Input 
NotaCquiwd 
Commanded m u d e  Angle A 
Figure 21: SpecTRM Simulator Environment 
The window at the center of Figure 21 is the visualization of the SpecTRM-RL specification. 
The visualization is created from the template first depicted in Figure 12 and populated with 
elements from the specification. During the execution of the simulation, the transition of 
each element is animated. Similarly, information relating to Input and Output elements are 
displayed and highlighted next to their corresponding devices. The transitions and values for 
each element can also be observed in the window on the right side of Figure 21. The 
simulator is controlled using the interface at the top of the visualization window. The 
interface allows users to run, stop, pause, and incrementally step through the simulation. 
Events from the simulation are recorded for post-simulation review in the Simulation Log 
window shown at the bottom of Figure 21. 
3.2.5 SpecTRM-RL Summary 
The SpecTRM-RL language and SpecTRM toolset are uniquely qualified to capture spacecraft 
control-oriented specifications. The SpecTRM-RL language was specifically designed to assist 
engineers in the design of large and complex engineering systems. SpecTRM-RL is built-on 
an underlying FSM. FSMs are the most widely used method to model control-oriented 
systems [JAN03]. Because the SpecTRM-RL language is governed by formal rules, automatic 
analysis tools can be used to analyze a SpecTRM-RL specification. The SpecTRM toolset 
provides several built-in tools to automatically analyze a specification and help engineers 
detect specification errors. 
As described in Chapter 2, spacecraft processing involves both control-oriented and data- 
oriented specifications. While SpecTRM-RL is great for capturing control-oriented 
specifications, its underlying FSM is not well suited for data-oriented specifications. The next 
section will describe the development of a new specification language specifically designed to 
capture spacecraft data-oriented specifications. 
3.3 Octavia 
Spacecraft data-oriented processing specifications are captured in a new specification 
language and toolset called Octavia. Octavia is a block-diagram language. As first stated in 
Chapter 2, block-diagrams are an intuitive and popular way to capture data-oriented 
specifications. Block-diagrams are easy to read, and they can be used to describe complex 
mathematical algorithms. The Octavia toolset is designed as a block-diagram manipulation 
tool. Octavia facilitates rapid development of spacecraft control laws and other spacecraft 
data-oriented specifications by allowing engineers to easily configure and manipulate block 
diagrams on the screen. 
This section describes the development of the Octavia language and toolset. Octavia is based 
on the Octave mathematical programming language. Section 3.3.1 provides a description of 
the Octave language and its command line interface. Section 3.3.2 describes the Octave 
control theory toolbox. Octave includes a comprehensive suite of toolboxes. A toolbox is a 
set of commonly used mathematical functions designed for a specific application. For 
example, there are toolboxes designed for statistics, signal processing, and probability. The 
Octave control theory toolbox is particularly important for spacecraft. Control laws are one 
of the most prominent components of a spacecraft processing specification. Octavia extends 
the Octave control theory toolbox by providing block diagrams that correspond to the most 
commonly used control theory functions. Section 3.3.3 describes the actual Octavia toolset. 
The Octavia environment and user interface allow engineers to develop complex control law 
algorithms and other data-oriented specifications. Once assembled, these algorithms can be 
tested using built-in analysis tools. These tools are also described in Section 3.3.3. Finally, in 
Section 3.3.4, the methods used to verify the Octavia toolset are described. 
3.3.1 Octave 
The Octavia language and toolset is built on the Octave mathematical programming 
language. Octave is a high-level language designed to solve complex numerical 
computations. Octave has extensive tools for solving numerical linear algebra problems, 
finding roots of nonlinear equations, integrating ordinary and partial differential equations, 
and performing many other scientific and mathematical computations [EAT97]. 
Octave is designed as an interpretive language. Each command is executed at run-time. This 
method is in contrast to programming languages like C where source code must be compiled 
before it is executed. Octave uses a command-line interface. Users type commands into a 
shell prompt and the results are displayed on the screen. A screen shot of the Octave 
command line interface is shown in Figure 22. The first command shows how a matrix is 
specified in Octave. The second command shows how a simple mathematical operation is 
entered'. 
Figure 22: Octave Command Line Interface 
To facilitate complex computations that involve a series of commands, Octave provides the 
capability to store commands in a script file. A script file allows users to run a series of 
commands with a single command. A simple example of a script file is shown in the lower 
half of Figure 22. The 'binomial.mt script file is used to compute the binomial function, a 
commonly used function in probability and statistics. As shown, the script file is called 
directly from the command line interface, and the result is displayed on the screen. 
Octave is packaged with a plotting software called GNU Plot. Like Octave, GNU Plot is also 
1 An manual for the Octave language is available at www.gnu.org/software/octave/ 
an open source project [WILL04]. GNU Plot allows users to create plots from computations 
performed in Octave. Figure 23 shows a screen shot of the output from Octave and GNU 
Plot. 
nuplot> s e t  t i t l e  
nuplot> s e t  x l a b e l  
nuplot> s e t  y l a b e l  
nuplot)  s e t  nogrid 
nuplot> s e t  n o l a b e l  
nuplot> s e t  t i t l e  "in 
nuplot> s e t  g r i d  
nuplot> s e t  x l a b e l  ' 
0.02 0.04 0.06 0.08 0.1 0.12 0.14 0.16 
Figure 23: Example of GNU Plot Output 
Plots allow users to quickly visualize the results of computations. Spacecraft engineers rely 
on plots to quickly visualize the behavior of mathematical algorithms like control laws. GNU 
Plot provides a fast and convenient method to create and analyze these visualizations. 
Octave provides many features needed to design and specify spacecraft data-oriented 
applications. The following section describes another Octave feature required for spacecraft 
systems: the control theory toolbox. 
3.3.2 Control Theory Toolbox 
Some of the most complex data-oriented applications on spacecraft are control law 
algorithms. The Octavia language and toolset developed in this thesis provide an array of 
block diagrams to capture and analyze control law algorithms. These block diagrams are 
derived from Octave's control theory toolbox. The control theory toolbox contains a 
collection of functions that allow users to specify control laws and perform analyses. 
The control theory toolbox provides convenient functions to specify a control theory system 
using any one of the standard formats. These formats include Transfer Function, Zero Pole, 
or State-Space1. The control theory toolbox also provides several functions to analyze the 
behavior of the specified control system. Two of the most commonly used time-domain 
analysis methods are the impulse and step input responses. The impulse response tests the 
system's behavior in response to an impulsive input, while the step response tests the system's 
behavior in response to a step input. The control theory toolbox provides convenient 
functions to generate the impulse and step input response of a specified system. The outputs 
from each analysis are plotted automatically using the GNU Plot software. Figure 24 depicts 
the results from an impulse and step input response analysis on a discrete control system 
using Octave's control theory toolbox. 
I Impulse Input Response Step lnput Response 1 
- - 
0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 0 0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45 0.5 / 
time Is1 time [s] 
Figure 24: Impulse and Step Input Responses in Octave 
1 For background information on control theory functions, refer to R. Dorf and R. Bishop, 
Modern Control Systems, Prentice Hall, 2004. 
Octave's control theory toolbox also includes several frequency domain analysis functions. 
Standard frequency response analysis methods such as Bode plots and Nyquist plots can be 
generated automatically using functions included in the control theory toolbox. Plots 
generated from these analyses are shown in Figure 25. 
100 
Digital frequency w=rad/sec. pilT=314.2 
10 1 00 
Digital frequency wradjsec. piK=314.2 
Nyquist plot from u-I to y-I , w [radk) in [1.000000e+01,3.141593e+02] 
-2 -1.5 -1 -0.5 0 0.5 
Rel G@(ylw)> 1 
Figure 25: Bode and Nyquist Frequency Response Outputs 
Octave's control theory toolbox provides a convenient method to specify and analyze control 
theory systems. Together with other notable features such as the GNU Plot software and the 
ability to store multiple commands in script files, Octave provides an array of tools necessary 
to capture spacecraft data-oriented specifications. In the next section, Octave is extended to 
form a new block-diagram specification language and toolset for spacecraft specifications. 
This new language and toolset is called Octavia. 
Octavia Block Diagram Language and Toolset 
While Octave can be used to capture spacecraft data-oriented processing specifications, the 
command line interface is not the most intuitive method to specify complex systems and 
algorithms. A block-diagram interface is more intuitive. Most engineers are taught to 
recognize and describe control laws and other complex algorithms using block diagrams. A 
block-diagram encapsulates information with visualizations and allows engineers create more 
complex algorithms. 
Octavia is designed as a block-diagram language. The accompanying toolset provides an 
interface to capture and manipulate block diagrams. A screen shot of the Octavia 
environment is provided in Figure 26. 
Figure 26: Screen shot of Octavia Environment 
Like SpecTRM, Octavia is built on the Eclipse platform [DAN04]. Interfaces such as the multi- 
window editor, project navigation window, and properties window are the same as the ones found 
in SpecTRM. The main window in Octavia is the block-diagram editor. This is where block- 
diagrams are created. Users insert new blocks using a well-known drag-and-drop method. 
The block library immediately on the left of the editor contains a selection of common blocks, 
connectors, and miscellaneous tools to support the specification of a block diagram. Blocks 
relating to control theory functions such as transfer functions, zero-pole functions, and state-space 
functions are provided in the library. Common mathematical functions such as gains and 
summations are also included in the library. The step input and impulse input blocks provide an 
interface to their respective analysis functions in Octave. Finally, SpecTRM blocks provide an 
interface to SpecTRM-RL and the SpecTRM toolset. The "from SpecTRM and "to SpecTRM" 
blocks allow data transfer between the two specification languages. 
The properties window on the lower left corner of Figure 26 allows users to change 
information encapsulated in each block. For example, the transfer function in the block 
diagram shown in Figure 26 has several options. The numerator and denominator matrices 
of the transfer function, its initial condition state, and its sampling time are all accessed 
through the properties window. A name can also be assigned to the block for easy 
identification during reviews. 
The bottom window of Figure 26 is an interface to the Octave command shell. This window 
instantiates an Octave command line interface (See Figure 22). Users can manually enter 
commands and observe results from the execution much like a traditional Octave command 
line interface. Unlike a normal Octave shell, however, the Octave process embedded within 
the Octavia toolset window is connected to the block-diagram editor. The Octavia toolset 
converts each block in the diagram into equivalent commands for the Octave command shell. 
For example, a control theory block is converted into an equivalent control theory function in 
Octave. 
Once a block-diagram specification is captured, it can be simulated with the simulation tools 
provided in the toolset. A toolbar located at the top of the main editor window provides 
access to simulation options such as the simulation step size, the sampling time of each block, 
and the simulation end time. Once these options are assigned, the simulation is carried out 
automatically by clicking on the simulate button on the toolbar. A plotting block provides an 
interface to the GNU Plot software in Octave and provides the ability to record results from 
simulations and generate plots after the simulation is complete. The simulation tool and 
plotting functions in the Octavia toolset allow spacecraft engineers to observe and visualize 
the behavior of data-oriented specifications. These methods and tools provide an 
opportunities to detect errors and improve the efficiency over the traditional process. 
3.3.4 Verification of Octavia 
Flaws within a toolset can lead to errors and failures. The toolsets used during the 
development of a safety-critical system must be subject to the same level of verification efforts 
as the actual system itself. Octavia, however, is designed to be a research tool and not 
verified to the standards required for a safety-critical system. This section describes the 
methods used to verify the Octavia toolset. 
The Octavia toolset is built on the Octave language and command line interface. Octave is 
continually tested by its community of users and developers. As with most open source 
software, the level of trust and reliability increases as more users and developers exercise the 
software, locating and reporting bugs Octave has been tested and updated by a large 
community of users since 1988 [EAT97]. Most of its features such as mathematical functions, 
matrix functions, and control theory toolbox have been used and vetted by a large group of 
users. 
Because the Octave command line interface can be trusted, the Octavia toolset relies on 
Octave to perform all mathematical and analytical operations. To ensure that block-diagrams 
captured in Octavia are converted into the correct commands in Octave, each block in the 
library was individually verified. Parameters for each block were varied and manually 
checked against its equivalent in the Octave command. 
The Matlab and Simulink toolsets were used to provide additional verification of the Octavia 
block library and simulation tools. Like Octave, Matlab and Simulink are trusted by a large 
group of users. Equivalent blocks were created in Simulink and Octavia and subjected to the 
same inputs and simulation parameters. After each simulation run, the outputs from each 
toolset were compared. This procedure was repeated for each block in the Octavia library. 
Additionally, several simulation runs were performed using an interconnected set of blocks. 
Equivalent outputs from each toolset helped verify the simulation tools developed for 
Octavia. 
The verification methods described are only designed to show input output equivalence to 
the Matlab Simulink toolset. Given the same inputs for each block within the Octavia library 
and an equivalent block in Simulink, the same outputs are obtained. A more comprehensive 
verification process is needed in order to prove functional equivalence. These verification 
efforts are beyond the scope of the thesis. 
3.3.5 Octavia Summary 
The Octavia language and toolset is designed specifically to capture spacecraft data-oriented 
specifications. Spacecraft data-oriented specifications involve mathematically intensive 
algorithms such as control laws. These algorithms can be captured and visualized with a 
block-diagram interface. The Octavia language and toolset provides spacecraft engineers with 
a block-diagram interface that can be used to develop complex algorithms that are still 
readable and easy to review. Using built-in simulation tools, engineers can test and examine 
the behavior of their designed algorithms. The Octavia toolset is based on a trusted and 
reliable mathematical programming language called Octave. The Octavia toolset is verified 
by ensuring that information captured in each block in the Octavia library is converted to an 
equivalent command in Octave. Simulation results from Octavia are compared to results 
from Matlab and Simulink to provide additional verification of the Octavia toolset. 
3.4 Chapter Summary 
This chapter provided descriptions of the high-level specification languages and toolsets used 
to capture spacecraft computing processing specifications. SpecTRM-RL and Octavia provide 
spacecraft engineers with the ability to capture processing specifications of a typical 
spacecraft. SpecTRM-RL is used to capture control-oriented specifications like fault detection 
and isolation procedures. SpecTRM-RL is based on a formal FSM-based language but 
designed to be readable and easy to review. The SpecTRM toolset provides a powerful 
interface to capture and analyze SpecTRM-RL specifications. The SpecTRM toolset has a 
user-friendly interface and provides several built-in tools to analyze the behavior of the 
captured specification. These tools provide a powerful new method to detect errors that are 
not available in the traditional specification process. 
This chapter also described Octavia, a new specification language and toolset developed to 
capture spacecraft data-oriented specifications like control law algorithms. Octavia uses an 
underlying mathematical programming language called Octave. Octavia extends Octave by 
providing a block diagram interface. Octavia provides spacecraft engineers with the ability to 
design complex algorithms that are readable and easy to review. Using the built-in 
simulation tools, engineers can also observe and visualize the behavior of their data-oriented 
specifications. 
The next chapter continues the discussion of the new spacecraft computing development 
process outlined in the beginning of this chapter. The next chapter describes the second 
major component of the thesis: the autocode generators used to generate software code in C 
and a hardware description captured in VHDL. 
Chapter 4 
4. Autocode Generators 
This chapter presents the second major component of the thesis: the autocode generators 
used to convert high-level specifications into hardware and software components that can be 
used to develop a unique spacecraft computing system. Chapter 3 described a pair of high- 
level specification languages and toolsets to capture the computer processing specifications of 
a typical spacecraft. Control-oriented specifications are captured in SpecTRM-RL and data- 
oriented specifications are captured in a new specification language called Octavia. 
Capturing high-level specifications is the first step of a new spacecraft development process 
developed in this thesis (see Figure 10). The aim of this new process is to greatly reduce the 
role of software engineers and provide a more efficient and less error-prone process to design 
a spacecraft computing system. This chapter continues where Chapter 3 left off in the 
process. This chapter describes how each high-level specification is automatically converted 
into equivalent hardware descriptions and software code. The high-level specifications and 
autocode generators allow spacecraft subsystem engineers to interact directly with hardware 
engineers. Because the conversion is automatic, intermediate specifications are not required, 
resulting in a more efficient process. The process is also less error-prone as errors that occur 
between manual translations of specifications are eliminated. 
4.1 Chapter Outline 
Three autocode generators are described in this chapter. The first autocode generator 
converts a SpecTRM-RL specification into a hardware description in VHDL. The SpecTRM-RL 
to VHDL autocode generator is the subject of Section 4.2. The second autocode generator 
converts an Octavia specification into an equivalent C program. The Octavia to C autocode 
generator is described in Section 4.3. The third autocode generator is described in Section 
4.4. The SpecTRM-RL to C autocode generator is used as an evaluation tool. The autocode 
generated VHDL description and C program of a SpecTRM-RL specification are used to 
compare the performance of a combined hardware and software computing architecture 
versus a software-dedicated computing architecture. Finally, Section 4.5 describes the 
verification process used for each autocode generator. The verification processes are 
designed to show input output equivalence with the original high-level specifications. In the 
next chapter, the VHDL descriptions and C programs generated in this chapter are used to 
synthesize a unique computing system on an FGPA. A demonstration example based on the 
backup attitude control system of the Landsat 7 spacecraft will be used to illustrate the 
feasibility of the new spacecraft computing development process. 
4.2 SpecTRM-RL to VHDL Generator 
This section describes the autocode generator that converts a SpecTRM-RL specification into 
an equivalent hardware description in VHDL. The section is divided into three parts. Section 
4.2.1 describes the underlying finite state machine (FSM) of a SpecTRM-RL specification. 
The autocode generator extracts this underlying FSM before converting the information into 
an equivalent form in VHDL. Section 4.2.2 describes the VHDL hardware description 
language and the features useful for the conversion process. Finally, Section 4.2.3 presents 
the SpecTRM-RL to VHDL autocode generator. Examples are provided to illustrate how each 
element within a SpecTRM-RL specification is converted into its equivalent form in VHDL. 
4.2.1 SpecTRM-RL FSM 
SpecTRM-RL is a high-level specification language used to capture control-oriented 
specifications. A SpecTRM-RL specification is constructed from six elements: Inputs, Outputs, 
Modes, State Values, Macros, and Functions. These elements are used to specify or model 
different aspects of a system. Input and Output elements model data transfer into and out of 
the system. Mode elements model the major operational modes or supervisory control of the 
system. State Value elements model inferred system states gathered from inputs. Macro 
elements store frequently used logic and Function elements are used to perform 
mathematical calculations. 
The underlying formal language of SpecTRM-RL is a FSM. Each element in a SpecTRM-RL 
specification can be viewed as an independent FSM. Figure 27 presents an example of a 
State Value element and its equivalent FSM state transition diagram. 
Sensor Status 
- Unknown 
I 
nsor Value is  Obsaletr! 
= Normal 
= Fault 
Figure 27: SpecTRM-RL Element and Equivalent State Transition Diagram 
The "Sensor Status" State Value element can be viewed as a FSM with three states. These 
states correspond to the three transitions of the State Value element: "Unknown", "Normal", 
and "Fault". Transitions between each state is derived from the AND/OR tables of the State 
Value element. The default state is "Unknown." The state machine automatically enters 
"Unknown" when initiated. The "Normal" state is entered when the "Sensor Value" Input 
element is greater than zero and less than one hundred. Otherwise, the "Fault" state is 
entered. The FSM enters the "Unknown" state again if the "Sensor Value" Input element 
becomes obsolete. 
Each element specified in a SpecTRM-RL specification can be converted into an equivalent 
FSM similar to the example in Figure 27. A SpecTRM-RL specification can be viewed as an 
interconnected set of FSMs. A visualization of this concept is shown in Figure 28. Each 
SpecTRM-RL element can be viewed as an independent FSM that can trigger or be triggered 
by transitions in other FSMs. For example, upon transitioning into the "Obsolete" state, the 
"Sensor Value" Input FSM triggers the "Sensor Status" State Value FSM to transition into the 
"Unknown" state. Similarly, transitions within the "Sensor Status" State Value FSM can 
trigger transitions in the FSMs of other elements. 
I-- I 
Figure 28: Interconnected FSMs in a SpecTRM-RL Specification 
The boundaries between the FSM of each SpecTRM-RL element is used to organize a large 
system involving many different states. If these boundaries are removed, the resulting 
interconnected set of states is simply a large FSM representing the entire SpecTRM-RL 
specification. Because each SpecTRM-RL element can be viewed as an independent FSM 
within the larger FSM, each SpecTRM-RL element can be converted independently. 
The SpecTRM-RL to VHDL autocode generator converts each SpecTRM-RL element into an 
equivalent form in VHDL. The next section describes some features of VHDL that are useful 
in the conversion process. 
4.2.2 VHDL Features 
VHDL has many features that are useful in the conversion process. VHDL is a popular 
hardware description language used throughout the semiconductor and computing industry 
[JAN03]. When paired with a hardware simulator and synthesis tool, VHDL provides 
engineers with an efficient and powerful method to design and generate unique computing 
devices. VHDL boasts a large user base and extensive industry support. Many popular 
simulators and synthesis tools are designed to support VHDL. 
Several features of the VHDL language are particularly useful for the autocode generation 
process. These features include common data-type support, behavioral specifications, and 
subprograms. 
VHDL Data-Types 
VHDL supports a wide range of data-types. These data-types include Integer, Enumerated, 
Real, and Time. The conversion from SpecTRM-RL to VHDL is greatly facilitated by common 
data-types between the two languages. Figure 29 provides some examples of data-types used 
by the SpecTRM-RL to VHDL autocode generator. 
- -- . . - -- - - - . - -- -- - . -- - - -- - ] signal syst-start : std-logic : = I1 I ; 
/signal attitude-angle-obsolete : std~logic~vector(0 to 1) := 
(111, Ill); 
signal attitude-angle-data : real : = 0.0 ; 
signal counter : integer := 0; 
lsignal mission-time : time := 0 s; 
type spacecraft-enumerated is (launch, sun-acquisition, 
normal, fault-detected); 
type spacecraft-transitions is array(0 to 1) of 
spacecraft-enumerated; 
signal spacecraft : spacecraft-transitions; 
-- - - - - - - . - -- - - - -  - 
Figure 29: VHDL Data-Types 
VHDL is a hardware description language. Unlike programming languages, VHDL data-types 
are not associated with variables. Instead, data-types are associated with signals representing 
physical wires in a circuit. The std-logic data-type associated with the system-start 
signal declared on line 1 is the simplest VHDL data-type. A std-logic signal represents a wire 
in a circuit. A logical '1' is associated with the wire driven high, while a logical '0' is 
associated with the wire driven low. An array of std-logic signals can be declared with the 
std-logic-vector data-type. The attitude-angle-obsolete signal declared on line 2 is 
an array of std-logic signals representing the obsolete information of the Input element's past 
data values. The next section describes how these signals are used in the VHDL description 
of an Input element. 
VHDL also supports several advanced data-types including Real, Integer, and Time. 
Examples of signals declared in each of these data-types are shown on lines 3, 4, and 5 
respectively. Although the VHDL language supports all three advanced data-types, they may 
not be supported by all VHDL synthesis tools'. The Real, Integer, and Time data-types are 
primarily used for simulation purposes. These advanced data-types must be converted to 
elementary std-logic signals for synthesis. There is currently no common standard to support 
the synthesis process. 
Both SpecTRM-RL and VHDL support the enumerated data-type. Line 6 shows the 
declaration of an enumerated data-type. The transition names of the "Spacecraft" Control 
Mode element are declared as a custom enumerated data-type called 
sgacecraf t-enumerated. An array of spacecraft enumerated values is declared as 
another distinct data-type on line 7. Finally, the signal spacecraft is declared on line 8. 
The signal is treated as an array of data values that can take on only values that correspond 
to the transition names of the "Spacecraft" Control Mode element. 
Behavioral Descriptions 
Another useful feature of the VHDL language is the ability to specify hardware in terms of its 
expected behavior rather than an interconnection of circuits [RAJ98]. VHDL behavioral 
descriptions are useful because SpecTRM-RL specifications are also behavioral. SpecTRM-RL 
1 A working group has been set-up to provide a standard synthesis package that supports IEEE 
floating point data-type. See http://www.eda.org/fphdl 
specifications describe how a spacecraft responds to inputs sensed in the environment. 
SpecTRM-RL specifications do not describe what physical circuits are needed to carry out the 
desired behavior. By converting a SpecTRM-RL specification into an equivalent form in 
VHDL, the behavioral specification of the spacecraft is preserved. A commercial synthesis 
tool is used to convert the behavioral specification to an actual physical circuit capable of 
performing the desired behavior. 
Behavioral specifications in VHDL are captured in process statements. An example of a 
simple process is shown in Figure 30. 
Figure 30: Example of a VHDL Process Statement 
1 
2 
3 
8 4 
5 
The process statement is triggered by signals in the sensitivity list, shown on line 2. The 
process is activated whenever any signal in the sensitivity list changes. The process in the 
example is dependent on two signals: clock and clock-reset. An oscillator provides 
global timing for the circuit. When the circuit is powered up, the clock signal oscillates 
between the values '0' and '1' at a defined period. The clock-reset signal is connected to 
the circuit reset switch. When a circuit reset occurs, the signal is driven to '1'. 
- .- - - - -- -- - -- - - - . -- - - - -- - - . -- - - - - - - - - -- - - - - 
-- Update system start process 
update~systam_start~rocess : process(clock, clock-reset) 
begin 
if (clock-reset = '1') then 
system-start <= '1'; 
elsif (clock8event and clock = '1') then 
The example process statement listed in Figure 30 is used to set the system start condition 
represented by the sys tern-s tart std-logic signal. A system start condition is present 
immediately following the initial power up of the system or immediately following a system 
reset. The process statement captures this desired behavior with an "if-then" statement. 
When a reset condition is present, the clock-reset signal is triggered and the 
system-start <= '0'; 
end if; 
1 9 end process update~system~start~rocess; - . - . -- - - - -- - --- - - . - - - 
system-start signal is set to '1' or true. After the system has powered up, the clock 
signal will begin to oscillate. The process uses the clock signal to determine when the 
system start condition has passed. 
The VHDL description listed in Figure 30 specifies a desired behavior for a hardware circuit. 
Before the circuit can be synthesized, a VHDL synthesis tool must be used to convert the 
behavioral description into an interconnection of hardware components. In the next chapter, 
behavioral VHDL descriptions generated from the autocode generators described in this 
chapter are synthesized with a synthesis tool and programmed on an FPGA. 
VHDL Subprograms 
Another useful feature of the VHDL language is the ability to create subprograms. 
Subprograms are equivalent to functions in a programming language. VHDL subprograms 
are designed to store and carry out commonly performed operations. Subprograms can be 
used to facilitate the conversion of SpecTRM-RL Function elements. The next section 
describes how Function elements and the other SpecTRM-RL elements are converted to their 
equivalent forms in VHDL. 
4.2.3 SpecTRM-RL to VHDL 
The SpecTRM-RL to VHDL autocode generator converts a SpecTRM-RL specification into an 
equivalent VHDL description. SpecTRM-RL specifications are constructed from six elements. 
These six elements can be converted into equivalent fonns in VHDL. The autocode generator 
converts Input, Output, Mode, State Values, and Macro elements into an equivalent process 
in VHDL, while Function elements are converted into an equivalent VHDL subprogram. 
Each element has a number of attributes that must be preserved in the conversion process. 
Attributes are information extracted from the underlying FSM of each element. They include 
the current and past transitions of the element, its data value, or the time at which the 
element transitioned or received data. The SpecTRM-RL to VHDL autocode generator is 
designed to illustrate the feasibility of converting a high-level behavioral specification into an 
intermediate hardware model in VHDL. No effort is spent to optimize the autogenerated 
VHDL design. The following sections provide an account of the conversion process for each 
element. 
Output Elements 
An Output element is automatically converted to an equivalent process in VHDL. Each 
Output element has a number of attributes that must be preserved in the conversion process. 
An Output element has a data value that is specified in the Message Contents table (See 
Figure 13). This value is converted into a VHDL signal with an equivalent data-type. The 
time when the Output element is last triggered and whether the Output element has ever 
been triggered is also preserved. These attributes are converted into a time signal and a 
std-logic signal respectively. Figure 31 is the autocode generated VHDL description of an 
Output element. 
Figure 31: Auto-Generated VHDL Description for SpecTRM-RL Output Element 
1 - -  Process for Output element : Compmanded Attitude Angle 
2 lc~nded~attitude~angle~output~rocess : process (clock) 
The auto-generated VHDL description in Figure 31 is a process statement that specifies the 
behavior of the "Commanded Attitude Angle" Output element first described in Chapter 3 
(See Page 62). The process is triggered by the clock signal shown on line 4. The clock signal 
provides synchronous control of all processes. Transitions can only occur at the instant when 
the clock signal transitions to '1'. Line 5 is a conditional statement that is equivalent to the 
triggering conditions specified in the AND/OR table of the Output element. The triggering 
3 
4 
begin 
if (clockwevent and clock = '1') then 
5 1 if ((((spacecraft(0) =normal)) 
I 
I or ((sgacecraft(0) = sun-acquisition))) ) then 
I commanded-attitudeanglenever-sent <= '0'; 7 I commanded-attitude-angle-time-sent <= mission-time; 
8 1 commanded-attitudeangle-angledata i <= 0cta~ia~calc~1ated~angle(0); 
9 / end if; I 1 I 10 / end if; 
11 !end process conmranded~attitude~angle~outputprocess; I 
-- - - -- _. _ __ _  
condition is automatically converted into an equivalent conditional statement in VHDL. If the 
condition evaluates to true, then the attributes associated with the Output element are 
updated. The signal corresponding to the "Never Sent" attribute is set to 'Of representing a 
false condition. The signal corresponding to the "Time Sent" attribute is set to the current 
mission time provided by the spacecraft mission clock. Finally, the latest data value of the 
Output element is updated with the data value specified in the Message Contents table. 
These operations are carried out on lines 6, 7, and 8 respectively. 
Input Elements 
An Input element is automatically converted to an equivalent process in VHDL. Like Output 
elements, each Input element has a number of attributes that must be preserved in the 
conversion process. Each Input element can be viewed as an equivalent FSM with four 
possible states. These states correspond to the four possible transitions of an Input element: 
"Obsolete", "New Data", "Previous Value", or the name of another Input element. Each Input 
element also stores the data value received from an external device or the referencing Input 
element in the case of the last transition. The current and past values of the Input element 
are converted to an array of VHDL signals. 
There is also some timing information related to each Input element. The time when the 
latest data is received and whether the Input element has ever received any data are 
converted into VHDL signals in their respective data-types. Figure 32 is the autocode 
generated VHDL description of an Input element. 
- - - - - 
-- Process for Input Element : Attitude Angle 
: process (clock) begin 
3 1 if (clockmevent and clock = '1') then 1 
1 if (((attitude-angle-has-new-data = 'Im))) then 
5 ~ -- Update Previous Values I 
6 I for i in 1 to 1 loop 
7 ~ attitude-angle(i) <= temp-attitude-angle(i-1); 
1 8  attitude-angle-obsolete(i) <= 
I temp-attitude-angle-obsolete(i-1); 
9 end loop; 
10 -- Update latest value 
11 attitude-angle(0) <= attitude-angle-data; 
- 
-- - 
-- -- - - - - --- 
12 I attitude-angle-obsolete (0) <= '0 I ; 
13 -- Update timing related signals 
attitude-angle-never-received <= '0'; 
15 1 attitude-angle-time-received <= mission-time; 
1 6  
elsif ((((attitude-anglehas-new-data I= Ill)) and 
~ ((((mission-time - attitude-angle-time-received) <= 
5000)) and 
(attitude-anglenever-received = 'Om)))) then 
17 -- Update latest value 
18 attitude-angle(0) <= attitude-angle(1); 
-- Update obsolete information 
attitude-angle-obsolete(0) <= '0'; ~ 
elsif (((((system-start = 'Im)) and 
((attitude-anglenever-received = '1'))) or 
((attitude-anglenever-received = '1')) or 
((((mission-time - attitude-angle-time-received) > 
5000)) and 
(attitude-angle-never-received = 'OR)))) then 
-- Update obsolete information 
23 attitude-angle-obsolete(0) <= '1'; 
24 1 elsif ((((ground-updated-attitude-angle-has-new-data = 
Ill)) or 
((ground~updated~attitude~angle~obsolete(0) /=  
Ill)))) then 
-- Update latest value 
attitude-angle(0) <= ground-updated-attitude-angle(0); 
-- Update obsolete information 
attitude-angle-obsolete(0) <= lo1; 
Figure 32: Auto-Generated VHDL Description of SpecTRM-RL Input Element 
The auto-generated VHDL description in Figure 32 is a process statement that specifies the 
behavior of the "Attitude Angle" Input element described in Chapter 3 (See Page 64). The 
specification of each transition in the "Attitude Angle" Input element begins on line 4. The 
conditional statement on line 4 is the logical specification for the "New Data" transition. The 
conditional statement has the equivalent logical specification captured in the original 
AND/OR table. Similarly, the conditional statements on line 16, 21, and 24 represent the 
logical specifications for the "Previous Value", "Obsolete", and "Ground Updated Attitude" 
transitions. 
The attributes of the Input element are updated for every transition. In the "New Data" 
transition, the latest data value is updated. This operation is carried out on line 11. Because 
data values can become obsolete, the obsolescence information of each data value is also 
stored. In the "New Data" transition, the signal corresponding to the obsolete information of 
the element is set to '0' representing a "Not Obsolete" condition. This operation is carried out 
on line 12. In the "Previous Value" transition, the current data value is set to the previous 
data value and the obsolete signal remains '0'. These operations are carried out on lines 18 
and 20. When the Input element is in the "Obsolete" transition, the obsolete signal is set to 
'1' representing an "Obsolete" condition. This operation is carried out on line 23. Finally, if 
the Input element is in the "Ground Updated Attitude" transition, the current data value is 
updated with the current data value from the "Ground Updated Attitude" Input element. The 
obsolete signal remains '0'. These operations are carried out on lines 26 and 28 respectively. 
Past values and obsolescence information of the Input element are also updated whenever 
new data is received. The "for loop" from line 6 to line 9 updates the last five data values 
received by the Input element, excluding the current value. The number of past values stored 
is dependent on the oldest value recalled in the SpecTRM-RL specification. If another 
element within the specification requires the data value of the Input element from ten 
transitions ago, then last ten data values received are stored. 
Finally, timing information is updated during the "New Data" transition. The time at which 
the transition occurs is stored and the signal corresponding to the "Never Received" attribute 
is set to '0' representing a false condition. These operations are carried out on lines 14 and 
15 respectively. 
Mode and State Value Elements 
Mode and State Value elements are also converted to equivalent processes in VHDL. The 
conversion process preserves several attributes. These attributes are the present and past 
transitions of each element, the time at which the element transitioned, the time at which the 
element enters and exit each transition, and whether the element has ever entered each 
transition. Figure 33 is the autocode generated VHDL description of a Supervisory Mode 
element. 
I  
1 I - -  Process for Mode Element : Spacecraft Supervisor 
2 spacecraft~supervisor~mode_~rocess : process(c1ock) begin 
3 if (clock'event and clock = '1') then 
I temp~spacecraft~supervisor <= spacecraft~supervisor; l 5  if ( (  (attitude-system(0) I= fault))) then 
spacecraft~supervisor~never~enteredoperational <= '0'; 
if (spacecraft~supervisor(0) = ground-controlled) then 
spacecraft~supervisor~time~enteredtoperationa1 <= 
mission-time; 
spacecraft~supervisor~time~e~ited~gr~undcontrolled <= 
mission-time; 
l 9  I spacecraft~supervisor~time~transitioned < mission-time; 
spacecraft~supervisor~never~e~ited~gr~und~controlled 
<= '0'; ~ 
11 l o  1 spacecraft~supervisor~never~transitioned <= '0'; 
12 for i in 1 to 1 loop 
~ 1 
13 spacecraft~supervisor(i) <= 
spacecraft~supervisor~never~transitioned <= ' 0 ' ;  
25 4 1 for i in 1 to 1 loop 
26 i I spacecraft-supervisor(i) <= 
tamp-spacecraft-supervisor(i-1); I 
27 end loop; 
28 spacecraft~supervisor(0) <= ground-controlled; 
29 end if; 
3 0  1 end if; 
3 1  end if; 
32 end process spacecraft~supervisor~mode_~rocess; 
-- - . - - --- - - - - - - - 
14 
15 
16 
17 
18 
19 
20 
~ 
21 
22 
Figure 33: Auto-Generated W D L  Description of SpecTRM-RL Mode Element 
temp~spacecraft~supervisor(i-1); I 
end loop; I 
spacecraft~supervisor(0) <= operational; 
end if; 
elsif (((attitude-system(0) = fault))) then 
spacecraft~supervisor~ne~er~entered~groundcontrolled <= 
'0'; 
if (spacecraft~supervisor(0) = operational) then 
spacecraft~supervisor~time~entered~ground~controlled 
<= mission-time; , 
spacecraft~supervisor~time8exited~operationa1 i 
<= mission-time; ~ 
spacecraft~supervisor~timemetransitioned I 
<= mission-time; 
23 1 spacecraft~supervisor~ne~er~exited~operational <= '0'; 
The conversion process for Control Mode elements, Supervisory Mode elements, and State 
Value elements are equivalent. The same attributes must be preserved for each element. 
Figure 33 is the VHDL description generated for a simple Supervisory Mode element. The 
element has two transitions: "Normal" and "Ground Controlled." The conditional statement 
for each transition is carried out on lines 5 and 17 respectively. The attributes of the element 
are updated upon entering a transition. The value of the current transition is set on line 15 
and 28. Timing related attributes are updated on lines 7-9, and 20-22. The past transitions 
of a Mode or State Value element are stored in an array. The array is updated after each 
transition. These operations are carried out in the "for loops" on lines 12-14 and 25-27. 
Macro Elements 
The conversion process for a Macro element is similar to the conversion process for the 
previous elements described. A Macro element only has one attribute that must be preserved. 
A Macro element is simply an AND/OR table. The AND/OR table either evaluates to true or 
false. A std-logic signal is used to store the evaluation of the Macro element. Figure 34 is the 
autocode generated VHDL description of a Macro element. 
-- Process for Macro element : Attitude Angle Fault Check 
a t t i t u d e ~ a n g l e ~ f a u l t ~ c h e c k ~ m a c r o ~ s  : grocess (clock) 
begin 
if (clocklevent and clock = 'I1) then 
if ((system-start /=  '1')) and 
((ABS((attitude-angle(0) - attitude-angle(1))) >= I 
20.0)) then 
attitude-angle-fault-check <= 'I1; 
else 
attitude-angle-fault-check <= '0'; 
end if; 
end if; 
end grocess a t t i t u d e ~ a n g l e ~ f a u l t ~ c h e c k ~ x n a c r o ~ s ;  
- - 
Figure 34: Auto-Generated VHDL Description of a SpecTRM-RL Macro Element 
Like all previous elements, a Macro element is specified in VHDL with a process statement. 
The VHDL process statement in Figure 34 is derived from "Attitude Angle Fault Check" Macro 
element first described in Chapter 3 (See Page 69). The conditional statement on line 4 is the 
converted logical specification of the Macro element's AND/OR table. If the conditional 
statement evaluates to a true condition, the signal representing the Macro element's 
evaluation is set to '1'. Otherwise, it is set to '0'. These operations are carried out on lines 5 
and 7 respectively. 
Function Elements 
A Function element in SpecTRM-RL is converted to an equivalent VHDL subprogram. 
Function elements are used to make intermediate mathematical calculations. VHDL 
subprograms are used in a similar fashion. Subprograms are designed to abstract and store 
commonly performed operations. A VHDL subprogram can be used to perform the same job 
as any SpecTRM-RL Function element. Figure 35 is the autocode generated VHDL 
description of a Function element. 
- - - .- -. - --- . - -. - - -- -- - - - - .- - . -. . -.  . . . . . -. - -- . - .. .  . . 
-- Calculate Angle Function 
impure function calculate-angle() return real is 
begin 
return (attitude-angle(0) * 4.5); 
end calculate-angle; 
-. - - . .. . . .- . , .- .- . .-. .... - - - ... -- -- - 
Figure 35: Auto-Generated VHDL Description of SpecTRM-RL Function Element 
Figure 35 is the autocode generated VHDL subprogram equivalent to the "Calculate Angle" 
Function element described in Chapter 3 (See Page 70). The VHDL subprogram is declared 
on line 2. The impure function keywords are used to declare the VHDL subprogram. 
These keywords are followed by the name of the subprogram and the data-type of the 
returned value. The mathematical operation of the original Function element is converted to 
its VHDL equivalent on line 4. The data value of the "Attitude Angle" Input element is 
multiplied by 4.5 and returned. Much like the original Function element, the 
calculate-angle ( ) subprogram can be called from anywhere in the autocode generated 
VHDL description. 
4.2.4 SpecTRlll-RL to VHDL Generator Summary 
This section described the autocode generator that converts a SpecTRM-RL specification into 
an equivalent VHDL description. SpecTRM-RL elements can be viewed as an interconnected 
set of FSMs. The autocode generator extracts the information from these FSMs and converts 
the information into equivalent signals in VHDL. This section also described several 
important features of the VHDL language. VHDL provides convenient data-types, the ability 
to describe hardware using behavioral specifications, and the ability to abstract and store 
intermediate mathematical operations with subprograms. These features greatly facilitate 
the conversion process. Finally, the autocode generator was presented. The autocode 
generator converts each SpecTRM-RL element into an equivalent form in VHDL. Input, 
Output, Mode, State Value, and Macro elements are converted into equivalent behavioral 
process statements. Function elements are converted to equivalent VHDL subprograms. 
VHDL descriptions from converted example SpecTRM-RL elements were provided to 
illustrate the conversion process. The next section describes the second autocode generator 
developed in this thesis: the Octavia to C autocode generator. 
4.3 Octavia to C Generator 
This section describes the autocode generator that converts an Octavia specification into an 
equivalent C program. Section 4.3.1 provides a brief background on the C programming 
language, and Section 4.3.2 describes the process used to convert an Octavia specification 
into a equivalent C program. 
4.3.1 C Programming Language 
The C programming language is one of the most popular language in the history of 
computing [RIT93]. It was first developed in the early 1970s and is still widely used today 
[RIT93]. The C language is used in an array of applications including many safety-critical 
systems. C has a large user-base and strong industry support. There are many trusted 
compilers available including several open-source versions. The open source GNU C compiler 
was used to validate the C programs generated by the autocode generators described in this 
The C language supports a number of common data-types including Real, Integer, and String. 
Additionally, the precision of Real and Integer variables can be specified. The Octavia to C 
autocode generator converts all data from Octavia specifications into 64-bit double precision 
real variables [IEEE85]. The SpecTRM-RL to C autocode generator to be described in the 
next section uses all three data-types. Real and Integer variables are used to store equivalent 
SpecTRM-RL data values, while SpecTRM-RL enumerated data-types are converted to String 
variables in C. 
C programs can be partitioned across multiple source files. Commonly used functions can be 
stored in a separate file called a library. C compilers provide a number of well-established 
libraries. The Octavia to C and SpecTRM-RL to C autocode generators rely on a number of 
these libraries to interface with input/output devices, solve complex mathematical 
calculations, and perform timing related functions. The next section describes the Octavia to 
C autocode generator. 
4.3.2 Octavia to C 
The Octavia to C autocode generator converts each block of an Octavia block-diagram 
specification into equivalent functions and variables in C. The Octavia to C autocode 
generator is designed to illustrate the feasibility of converting a high-level data-oriented 
specification in Octavia into software code that can be compiled and executed on a 
microprocessor. No effort is made to optimize the autocode generated C program. The 
conversion process is illustrated through an example specification shown in Figure 36. 
[ from SpecTRM +> Transfer Function p 
1 . 1  
from SpecTRM 
-1 
I 
Figure 36: Simple Octavia Block Diagram Specification 
Figure 36 is an Octavia specification designed to illustrate the autocode generation process. 
Control theory blocks in all three supported formats are represented in the blocks labeled 
"System A", "System B", and "System C." There are two summation blocks and a gain block. 
These blocks perform common mathematical functions. Finally, SpecTRM blocks are used to 
interface with SpecTRM-RL specifications. Data enters the specification through "Sensor A", 
"Sensor B", and "Sensor C," and the results are sent back to SpecTRM through the "Actuator7' 
block. There are several blocks not represented in Figure 36. The Step Input, Impulse Input, 
and Output Plot blocks are not included in the block-diagram. These blocks are designed for 
simulation purposes, while the autocode generated C program is executed on the actual 
spacecraft computing system. 
The autocode generated C program from the Octavia specification in Figure 36 is listed in 
Figure 37. The following sections describe the conversion process for each block in the 
Octavia specification. 
1 / *  Declare External Variables * /  
2 extern double sensor~a,sensorb,sensor~c; 
3 extern double actuator; 
4 
5 / *  These constants are hardcoded * /  
- - - - -- - 
- . . - . - . . - - . - - . . -. - -- - . . -- -- - - - -- 
6 static const double system_a-a_matrix[2] 121 = I 
I 
7 
8 
19 
10 
11 
12 
13 
1 4  
15 
16 
17 
18 
{{0.5,11, {0,1)1; i 
static const double syst-ab-matrix[2] = {0,1); I 
static const double system-a-c_matrix[2] = {-0.5,l); 
static const double systam_ad~atrix[l] = {O); I 
static const double ~ystem~b~a~natrix[l] = {-0.5); 
static const double system-bbbbmatrix[l] = {I); 
static const double syste~t~b~c~matrix[l] = {l); 
static const double system-b-d-matrix [1] = (0) ; 
static const double system-c-a-matrix[l] = {l); ! 
static const double system-cb-matrix[l] = {I); 
static const double syst-c-c-matrix[l] = {I); 
static const double syst-c-d-matrix[l] = {I); 
l9 1 
20 / *  Initialize variables */  
211static double systam_a_state[2] = {O,O); 
22 
23 
:24 
2 5  26 
27 
28 
29 
static double system-a-out = 0.0; 
static double system-b-statell] = {O); 
static double system-b-out = 0.0; 
static double gain-state[l] = (0); 
static double system-c-state[l] = {O); 
static double system-c-out = 0.0; 
static double sum-1-out = 0.0; 
static double sum_2-out = 0.0; 
30lstatic double gain-out = 0.0; 
31 ' 
32 
33 
34 
35 
36 
137 
I 
'38 
39 
40 
/*  Declare temp variables * /  
float tamg[100]; 
I 
41 syst-a-out = system-a-c-matrixIO] * syst-a-state [O] 1 
42 + system-a-c-matrix [l] * system-a-state [1] 1 
43 + system-a-d-matrix [O] * sensor-a; 
I 44 teqp [O] = system-a-a-matrix[O] [O] * system-a-state [O] 
145 + system-a-a-matrix[O] [I] * 1 
void run-octaviao { 
sum-1-out = system-a-out * 1 + gain-out * 1 + sensor-c * 
1; 
s-2-out = system-b-out * 1 + system-cout * -1; 
I 
146 system-a-state [O] I 
4 7 .  + system-a-b-matrix[O] * sensor-a; 
' 48 / temp [ll = system-a-a-matrix [l] [O] * system-a-state [1] 
49 i + system-a-a-matrix [I] [I] * 
50 i system-a-state [l] 
51 ' + system-a-b_matrix[l] * sensor-a; 
52: for(i=O;i<l;i++) { 
53 1 system-a-state [i] = temp [i] ; 
- -- -- - 
- - - - - - - . -- -- - - . -- - 
system-b-out = system-b-c-matrix [OI * system-b-state [O] 
+ system-b-d-matrix [O] * s-1-out; 
temp[Ol = system-b-a-matrix[Ol [O] * system-b-state [O] 
+ system-b-b-matrix[O] * sum-1-out; 
for(i=O;i<O;i++) { 
system-b-state [i] = temp [i] ; 
3 
gain-out = 5.0 * sensor-b; ~ 
system-c-out = system-c-c-matrix [O] * system-c-state [O] 
+ system-c-d-matrix[O] * sum-1-out; 
temp [O] = system-c-a-matrix[O] [O] * system-c-state [O] 
+ system-c-b-matrix[O] * sum-1-out; 
for(i=O;i<O;i++) { 
system-c-state [i] = tenp [i] ; 
1 
actuator = sum-1-out; 
Figure 37: Auto-Generated C Program from Octavia Specification 
SpecTRM Blocks 
SpecTRM blocks provide an interface between the Octavia specification and a SpecTRM-RL 
specification. Data enters the Octavia specification through "from SpecTRM" blocks and exits 
through "to SpecTRM" blocks. Each "from SpecTRM" block is associated with a SpecTRM-RL 
Output element, and each "to SpecTRM" block is associated with a SpecTRM-RL Input 
element. 
SpecTRM blocks are converted to external variables in C. For example, the three "from 
SpecTRM" blocks in Figure 36 are associated with the "Sensor A ,  "Sensor B", and "Sensor C" 
SpecTRM-RL Output elements. These blocks are converted to three external variables 
declared on line 2. The "to SpecTRM" block is associated with the "Actuator" SpecTRM-RL 
Input element. The block is converted to the external variable declared on line 3. The 
extern keyword in C is used to declare variables external to the main program. The 
methodology developed in this thesis does not specify the method by which to implement the 
physical connections between the VHDL design generated from SpecTRM-RL and the 
software code generated from Octavia. The design of these physical interface on the 
spacecraft computer is left up to the spacecraft hardware engineers. 
Octavia supports only real values in the form of the IEEE floating point data-type standard 
[IEEE85]. Integer and single precision Real input values are automatically converted to 
double precision floating point values. 
Math Function Blocks 
Commonly used mathematical functions are encapsulated in two Octavia blocks. The 
multiplication function is encapsulated in a gain block, while addition and subtraction 
functions are encapsulated in summation blocks. The conversion process for math function 
blocks is relatively simple. A unique C variable is declared for each math function block. 
These variables are declared on lines 27-29. The static keyword is used to declare 
variables that are used within the scope of the program only. 
The variable for each math function block is assigned on lines 36, 37, and 60. Inputs for 
summation blocks are multiplied by the sign of the summation block and summed. The gain 
variable is assigned the value of the input multiplied by the specified gain value. 
Control Theory Blocks 
Octavia control theory blocks are specified in three formats: Transfer Function, Zero-Pole, 
and State-Space. Each format can be used to describe the same control theory system. Of the 
three formats, the State-Space format is the easiest to solve computationally. The output for 
a control theory system in State-Space format is solved by the following equations: 
Y = C X X ( ~ ) + D X U  
Equation 2: System Output Equation 
x ( n + l ) = A x x ( n ) + B x u  
Equation 3: System State Equation 
Equation 2 and Equation 3 are the equations for the output and state information of a control 
theory block in State-Space format. A, B, C, and D are the matrices specified for each block 
in State-Space format. x(n) is the value of the current system state and x(n+l)  is the value 
of the system's state in the next round. u is the value of the input to the block. 
Each control theory block is converted to the State-Space format using the "sysupdate" 
function in Octave [EAT97]. Once the block is in State-Space format, the values of the A, B, 
C, and D matrices can be accessed and converted to C variables. These variables are declared 
on lines 6-17. The output value and state information for each block are also declared as 
variables in the C program. These variables are declared on lines 20-26. Equation 2 and 
Equation 3 are applied to output value and state information variables for each block. These 
operations are shown on lines 39-50 for "System A", lines 52-58 for "System B", and lines 62- 
68 for "System C." 
As shown in Figure 37, all operations are organized into a single function called 
run-octaviao. The declaration of this function is shown on line 34. Each time the 
function is called, the output and state information for each block is updated. The next 
chapter describes how this autogenerated C function is used within a prototype computing 
system for the Landsat 7 Backup Attitude Control System. 
4.3.3 Octavia to C Generator Summary 
This section described the Octavia to C autocode generator. A brief background on the C 
programming language was provided. The C language is well established and is supported 
by many trusted compilers and libraries. Next, the autocode generation process was 
described. The autocode generator converts each block within an Octavia specification into 
equivalent functions and variables in C. An example Octavia specification was used to 
illustrate the conversion process. 
The next section will describe the third autocode generator developed for this thesis: the 
SpecTRM-RL to C autocode generator. 
SpecTRM-RL to C Generator 
This section describes the SpecTRM-RL to C autocode generator. Chapter 2 provided a 
survey of current spacecraft computing hardware and software technologies. Both hardware 
and software can be used to cany out spacecraft processing requirements. However, each 
method has advantages over the other. The primary benefit of hardware is better 
performance. Custom hardware can perform tasks much faster than software executed on a 
generic microprocessor. The SpecTRM-RL to C autocode generator was developed to 
evaluate the performance of a hardware implementation of the SpecTRM-RL specification 
versus software-dedicated implementation. In the next chapter, a software-dedicated version 
of the Landsat 7 Backup Attitude Control System is compiled and executed on an embedded 
microprocessor. The speed and throughput of the software-dedicated computing architecture 
is compared to the results from a combined hardware and software computing architecture. 
4.4.1 Octavia to C 
The following sections describe the conversion process for each SpecTRM-RL element. The 
process is similar to the SpecTRM-RL to VHDL autocode generator. Again, the SpecTRM-RL 
to C autocode generator is designed to illustrate the feasibility of automatically converting a 
high-level SpecTRM-RL specification into software code. No effort is spent to optimize the 
autogenerated C source code. 
Output Elements 
The code listed in Figure 38 is the autocode generated C equivalent of the "Commanded 
Attitude Angle" Output element (Seepage 62). 
- - - - - - - - . - - .  - --- - - - - -- 
1 I* Output Element : Commanded Attitude Angle */ 
2 I if ( ( (Spacecraft [ O ]  == 3) I I (spacecraft [ o ]  == 2 )  ) ) { 
3 ' ComrmandedAttitudeAngle[O] = OctaviaCalculatedAngle[O]; 
14 ComrmandedAttitudeAnglenever-sent = 0 ;  
# 5  get t imeofday( tCommandedAtt i tudeAng1e- t imLL);  
' 6  1 
-- - - --  -. -- 
Figure 38: Auto-Generated C Code from SpecTRM-RL Output Element 
The condition statement on line 2 is the converted logical specification from the element's 
AND/OR table. If the conditional statement is evaluated as true, the attributes of the Output 
element are updated. On line 3, the data value of the element is assigned. Line 4 assigns the 
element's "Never Sent" attribute to '0' representing a false condition. Lastly, the "Time Sent" 
attribute is updated on line 5. The gettimeofday function is used to set the "Time Sent7' 
attribute to the processor's current time. The gettimeofday function is called from the C 
time . h library. 
Input Elements 
The C code listed in Figure 39 is the autocode generated C equivalent of the "Attitude Angle" 
Input element (See Page 64). 
12 , AttitudeAngle-obsolete[O] = 0; 
13 1 
14 else if ( ( ( (system-start == 1) && 
15 1 (never~received(AttitudeAngle~obsolete.2))) 1 I 
16 / (never~received(AttitudeAngle~obsolete.2)) 1 I 
17 ((time-since(&AttitudeAngle-time-received) > 5) && 
18 check~time(time~since(&AttitudeAngle~time_received).5)) )  
19 { 
20 AttitudeAngle-obsolete [0] = 1; 
21 1 
22 else if(((GroundUgdatedAttitudeAng1e-has-new-data) I I 
23 (GroundUpdatedAttitudeAngle~obsolete[O] != 1))) { 
24 AttitudeAngle[O] = GroundUpdatedAttitudeAngle[O]; 
25 AttitudeAngle-obsolete [0] = 0; 
26 1 
1 
, 2  
/ 3 
4 
/ *  Input Element : Attitude Angle * /  
if((AttitudeAng1e-has-new-data)) { 
gettimeofday(&AttitudeAng1e8timemereceived,NULL); 
AttitudeAngle-obsolete[O] = 0; 
15 AttitudeAngle[O] = AttitudeAngledata; 
I 6  I }  
' 7  else if(((!AttitudeAngle-has-new-data) && 
/ 8  ((time~since(&AttitudeAngle~time~received) <= 5)&& 
19 check~time(time~since(&AttitudeAngle~tim~received)~5)))) 
1 0  I {  
11 AttitudeAngle[O] = AttitudeAngle[l]; 
. 
/ *  Shift Array * /  
for (i = 5; i >= 1; i--) { 
AttitudeAngle [i] = AttitudeAngle [i-1] ; 
AttitudeAngle-obsolete[i] = AttitudeAngle-obsolete[i-11; 
1 
-  -- - - - -. -- . - -. - - - -  - - -- - - - - -. 
Figure 39: Auto-Generated C Code for SpecTRM-RL Input Element 
The logical specification for the four transitions of the "Attitude Angle" Input element are 
represented by the conditional statements on lines 2, 7, 14, and 22. The conditional 
statement on line 3 evaluates the "New Data" transition. If the conditional statement is true, 
then the element's "Time Received" attribute, obsolete information, and latest data value are 
updated on lines 3, 4, and 5 respectively. If the "New Data" transition is false, then the 
conditional statement for the "Previous Value" transition is evaluated on line 7. The 
element's obsolete information and latest data value are updated on lines 11 and 12 for the 
"Previous Value" transition. The conditional statements for the "Obsolete" and "Ground 
Commanded Attitude" transitions are similarly evaluated on lines 14 and 22. The obsolete 
information and latest data value for each transition is updated on lines 20, 24, and 25. 
The past values of each Input element are stored in an array. The array is updated every 
cycle, after each element has been evaluated. The "for loop" on lines 50-54 carries out the 
update operation. 
Mode and State Value Elements 
The C code listed in Figure 40 is the autocode generated C equivalent of the "Spacecraft 
Supervisor" S u p e ~ s o r y  Mode element. 
- - - -  - - - - - - - - -  - - - - -- - - 
1 / *  Mode Element : Spacecraft Supervisor */ 
2 if ( (AttitudeSystem[O] != 3) ) { I 
3 -- Supervisor is Nonnal I 
4 SpacecraftSupervisor[O] = 1; I 
I 
5 if (Sgacecraf tsugervisor [l] == I) { 
- - - -- - . -- - - .. -.A 
/ *  Shift Array * /  
for (i = 1; i >= 1; i--) { 
SpacecraftSupervisor[i] = SgacecraftSupervisor[i-11; 
1 
- - -- 
16-7 gettimeof day( supervisory-time-transitioned, NULL) ; I 
7 1 1  
8 else if (SpacecraftSupervisor [1] == 2) { 
gettimeofday(Supervisoryrytime8transitioned,NULL); 
I i O  ~ gettimeofday(Supervisory-time8entereddnorma1,NULL); 
Figure 40: Auto-Generated C Code for SpecTRM-RL Mode Element 
' 11 
The logical specification for the "Normal" transition of the "Spacecraft Supervisor" 
Supervisory Mode element is converted into a conditional statement shown on line 2. If the 
conditional statement is true, the transition value of the element is updated. This operation 
is carried out on line 4. 
gettimeofday(Supervisoryrytimemeexited-ground,NULL); 
The timing attributes of a Mode and State Value element depend on the element's previous 
transition. The conditional statements on lines 5 and 8 are used to determine if the current 
and previous transitions of the element are the same. If the transition has not changed since 
the previous cycle, then only the "Time Transitioned" attribute is updated. This operation is 
carried out on line 6. If the element has transitioned, then the timing attributes related to 
when each transition is entered and exited are updated as well. These operations are carried 
1 
12 
13 
1 4  
15 
16 
I 
1 I 
I 
1 
/ *  Spacecraft Supervisor = Ground Controlled * /  
else if ( (AttitudeSystem[O] == 3) ) { 
-- Supervisor is Ground Controlled 
17 SpacecraftSupervisor[O] = 2; 
I 
~ 
18 if (SpacecraftSupervisor [I] == 1) { 
19 gettimeofday(Supervis~ry-time~transitioned,NULL); 
20 
21 
22 
23 
2 4  
25 
gettimeofday(Supervisory-time8entereddground,NULL); 
get t imeofday(Superv i sory- t ime-ex i teddno~~L);  
1 I 
else if (SpacecraftSupervisor [I] == 2) { I 
gettimeofday(Supervisoryrytime8transitioned,NULL); 
1 
2 6  1 1 I 
- - - - - - - - - - - - -- . 
- .. - 
112 
- - 
out on lines 9,10, and 11. 
Similar to Input elements, the past values of each Mode or State Value element are stored in 
an array. The array is updated after each cycle. The operation is carried out in the "for loop" 
on lines 50-53. 
Macro Elements 
The C code listed in Figure 41 is the autocode generated C equivalent of the "Attitude Angle 
Fault Check" Macro element (See Page 69). 
-. . - - - -- - - - - -. - - .- 
1 / *  Macro Element : Attitude Angle Fault Check */ 
2 if((((system-start != 1) && 
-- 3 I (fabs((AttitudeAngle[O] - AttitudeAngle[l])) >= 20.0)) { 
4 AttitudeAngleFaultCheck[O] = 1; 
5 1 )  
6 'else { 
7 Att itudeAngleFaultCheck [O] = 0 ; 
a , I  
-- - - - - - - . - - -- - - - . - - 
Figure 41: Auto-Generated C Code for SpecTRM-RL Macro Element 
The conditional statement on line 2 is the equivalent logical specification of the element's 
AND/OR table. A variable representing the value of the element is assigned based on the 
result of this conditional statement. If the statement is true, a '1' representing a true 
condition is assigned on line 4. Otherwise, the variable is assigned a '0' representing the false 
condition. 
Function Elements 
The C code listed in Figure 42 is the autogenerated C equivalent of the "Calculate Angle" 
Function element. 
I - -  
-- - - -  - 
1 I / *  Calculate Angle Function * /  
2 float CalculateAngle() { 
3 return ( (AttitudeAngle [ O ]  * 4.5) ) ; 
4 1 3  
--- -- - -- - - - -- - 
Figure 42: Auto-Generated C Code for SpecTRM-RL Function Element 
The code listed in Figure 42 is an equivalent C function of the original SpecTRM-RL Function 
element. Line 2 declares the function and line 3 returns the data value of the "Attitude 
Angle" Input element multiplied by 4.5. 
4.4.2 SpecTRM-RL to C Generator Summary 
This section described the SpecTRM-RL to C autocode generator developed for this thesis. 
The autocode generator converts each SpecTRM-RL element into equivalent C code. 
Examples of the autocode generated C code for each element was provided to illustrate the 
conversion process. 
The SpecTRM-RL to C autocode generator was one of three autocode generators developed in 
this thesis. Each autocode generator was individually verified. The verification process for 
each autocode generator is described in the next section. 
4.5 Verification of Autocode Generators 
The three autocode generators described in this chapter were subjected to independent 
verification processes. Errors in automated tools designed for safety-critical systems can lead 
to potential hazards and failures. Like software and hardware compilers, autocode 
generators must be subjected to rigorous certification processes before they can be trusted. 
Although the autocode generators developed for this thesis are designed for research 
purposes only, a verification process was applied to find errors in the conversion process. 
The verification procedures performed are only designed to show input output equivalence 
with the original high-level specifications however. Given the same inputs to the original 
high-level specifications and the autocode generated VHDL and C programs, the same 
outputs are obtained. A more comprehensive verification and certification process is needed 
if these autocode generators are used for an actual spacecraft in the future. In particular, 
timing related specifications such as data latency and task completion deadlines must be 
verified. These verification methods are provided by the co-design methodologies surveyed 
in Chapter 2. If required, the autocode generated VHDL and C source code can be imported 
into co-design frameworks such as SpecC, SystemC, or Ptolemy. These frameworks provide 
additional verification tools, but the autocode generated VHDL and C programs must be 
modified before the verification tools can be applied. 
4.5.1 SpecTRIM-RL to VHDL Generator Verifiation Process 
The SpecTRM-RL to VHDL autocode generator was verified using a VHDL simulator. The 
VHDL description from the autocode generator was simulated with the ModelSiml toolset. 
ModelSim provides a convenient environment to analyze the behavior of a hardware design 
captured in VHDL. A screen shot from ModelSimts simulation environment is shown in 
Figure 43. 
Figure 43: ModelSim Simulation Environment 
Figure 43 is a screen shot of the ModelSim VHDL simulation environment. The main window 
is occupied by a list of signals and waveforms. The simulation parameters and user-interface 
are accessed just above the main window. The waveform is automatically generated during 
the simulation. The waveforms allow users to observe the value of each signal as the 
simulation is carried out in real-time. 
The autocode generated VHDL description for each SpecTRM-RL element was simulated in 
ModelSim. The results from the VHDL simulation were compared to results from the 
SpecTRM Simulator. Attributes related to each SpecTRM-RL element were compared from 
each simulator. Matching results ensured that the autocode generator produced a VHDL 
description that generates the same outputs as the original SpecTRM-RL specification given 
identical inputs. 
4.5.2 Octavia to C Generator Verification Process 
The Octavia to C autocode generator was verified with a process similar to the verification 
process used on the Octavia toolset. Autocode generated C code for each block in the Octavia 
library was verified individually. The C code was compiled and executed on a desktop 
computer. Inputs were provided to the C program and the results were recorded in a file. 
These results were then compared to results from simulations performed in Octavia with 
identical inputs. Each block in the Octavia library was subjected to the same verification 
process. 
To enhance the verification process, the results from the C program were also compared to 
results from simulations performed in Matlab and Simulink. Matching results from all three 
components ensured that the autocode generated C program generates the same outputs as 
the original Octavia specification given identical inputs. 
4.5.3 SpecTRM-RL to C Generator Verification Process 
The SpecTRM-RL to C autocode generator was verified with a similar process used to verify 
the Octavia to C autocode generator. An autocode generated C program representing all six 
SpecTRM-RL elements was compiled and executed on a desktop computer. Inputs were 
provided to the C program and the transitions of each element were recorded. These results 
were then compared to results from a simulation performed with the SpecTRM Simulator. 
The transitions and attributes for each SpecTRM-RL element were then compared. Matching 
results from both components ensured that the autocode generated C program generates the 
same outputs as the original SpecTRM-RL specification given identical inputs. 
4.6 Chapter Summary 
This chapter described the second major component developed for this thesis: the autocode 
generators used to convert high-level specifications into equivalent hardware and software 
components. Three autocode generators were developed for this thesis. The SpecTRM-RL to 
VHDL autocode generator converts a SpecTRM-RL specification into an equivalent hardware 
description in VHDL. The autocode generator extracts information from the underlying FSM 
of each SpecTRM-RL element and produces an equivalent behavioral statement or 
subprogram in VHDL. Examples from each element were used to illustrate the conversion 
process. 
The second autocode generator described converts an Octavia specification into an equivalent 
C program. Each block in the Octavia block-diagram specification is converted into 
equivalent functions and variables in C. The autogenerated C code from an example Octavia 
specification was used to illustrate the conversion process. 
The third autocode generator described converts a SpecTRM-RL specification into an 
equivalent C program. The SpecTRM-RL to C autocode generator was developed to evaluate 
the performance of a dedicated software computing architecture versus a combined hardware 
and software computing architecture. The autocode generator converts each SpecTRM-RL 
element into equivalent functions and variables in C. Examples from each element were used 
to illustrate the conversion process. 
Each autocode generator was subjected to a verification process. A VHDL description from 
the SpecTRM-RL to VHDL autocode generator was simulated with the ModelSim hardware 
simulation toolset. The signal waveforms of each element were compared to results from a 
simulation performed with the SpecTRM Simulator. The Octavia to C and SpecTRM-RL to C 
autocode generator were verified with similar processes. In both cases, the autocode 
generated C program was compiled and executed on a desktop computer. Inputs were 
provided to the program, and the results were recorded in a file. These results were later 
compared to results from simulations performed on the original specifications. Matching 
results from each component ensured that the autocode generated VHDL design and C 
programs generate the same outputs as the original specifications given identical inputs. 
The next chapter will provide further verification of the autocode generators described in this 
chapter. In the next chapter, an attitude control system computer will be synthesized using 
the autocode generated VHDL description and C programs described in this chapter. A 
closed-loop simulation performed with the synthesized computing system will further help 
verify the autocode generators described in this chapter. The development of high-level 
specifications will also provide further verification of the high-level specification languages 
and toolsets developed in Chapter 3. Finally, the feasibility of the new spacecraft computing 
development process is illustrated with the specification and generation of a prototype 
spacecraft computing system. 
Chapter 5 
5. Landsat 7 Backup ACS 
This chapter describes the synthesis of an FPGA computing system for the Landsat 7 Backup 
Attitude Control System (ACS). The synthesized Landsat 7 Backup ACS computing system 
illustrates the new spacecraft computing development process described in this thesis and 
demonstrates its feasibility and utility. 
The methodologies and toolsets developed for the new spacecraft computing development 
process were described in Chapters 3 and 4. In this chapter, the methodologies and toolsets 
in the new process are applied to a real spacecraft system. This chapter describes the 
development of high-level specifications for the Landsat 7 Backup ACS. A SpecTRM-RL 
specification is used to capture specifications related to the Fault Detection Isolation and 
Reconfiguration (FDIR) procedures, and an Octavia specification is used to capture the 
control law algorithm. 
Each high-level specification is automatically converted into an equivalent VHDL description 
or C program. The SpecTRM-RL specification is converted into an equivalent VHDL 
description, while the Octavia specification is converted into an equivalent C program. The 
autocode generated VHDL description and C program are used to synthesize the Landsat 7 
Backup ACS computing system. The synthesis process uses a commercial FPGA synthesis 
toolset and an FPGA development board. The synthesis process is summarized in Figure 44. 
Figure 44: From Specifications to FPGA Computing System 
Figure 44 illustrates the synthesis process of the FPGA-based computing system for the 
Landsat 7 Backup ACS. The process starts with the development of high-level specifications. 
Information from the original Landsat 7 specification documents is used to develop a 
SpecTRM-RL specification and an Octavia specification. The SpecTRM-RL specification is 
converted into an equivalent VHDL description, while the Octavia specification is converted 
into an equivalent C program. The VHDL description and C program are then transferred to 
a commercial FPGA synthesis toolset. The FPGA synthesis toolset converts the VHDL 
description into an FPGA netlist. A netlist describes the interconnection of logical units 
within the FPGA. The FPGA synthesis toolset also compiles the C program. 
FPGA 
Synthesized 
FSM 
Memtrry 
SpecTRM Toolset FPGA Synthesis 
Toolset 
FDlR 
Finally, the FPGA is synthesized or programed with the specifications of the Landsat 7 
Backup ACS. Within the FPGA is a memory component used to store the compiled C program 
and some shared data. A microprocessor is also synthesized within the FPGA. The 
microprocessor is used to execute the C program. 
I Netlist 
Compiled 
Octavia Toolset C Source ) c Program 
Code 
Control 
Law 
Micropracessor 
Compiled 
C Source , C Program 
Code 
Specs 
The FPGA computing system is used to validate the toolsets developed in this thesis. The 
synthesized Landsat 7 Backup ACS computing system is connected to a desktop computer 
V HDL 
Design 
VHDL w 
Design Synthesis 
, 
running a Landsat 7 spacecraft simulation program. Several closed-loop simulations are 
performed to test each component within the FPGA computing system. The results from 
these simulations provide further verification for the methodologies and toolsets developed in 
this thesis and demonstrate the feasibility of the new spacecraft computing development 
process for future spacecraft. 
5.1 Chapter Outline 
This chapter is divided into six sections. Section 5.2 provides some background information 
on the Landsat 7 spacecraft. A description of the spacecraft and the components of the 
Backup ACS is provided. A summary of the original FDIR specification and control law 
algorithm used by the Backup ACS is also provided. Section 5.3 describes the development of 
high-level specifications for the Landsat 7 Backup ACS. Information from the original 
specification documents is used to generate a SpecTRM-RL specification and an Octavia 
specification. Section 5.3 also describes the interfaces between the two high-level 
specifications and how these interfaces are used to perform a high-level simulation of the 
complete system. Section 5.4 describes the autocode generation process used to create an 
equivalent VHDL description and C program from the high-level specifications. Section 5.5 
describes the synthesis of the Landsat 7 Backup ACS FPGA computing system. A description 
of the FPGA synthesis toolset and FPGA development board is provided. Following, the 
actual synthesis process is described. The autocode generated VHDL description and C 
program are synthesized on the FPGA development board. In Section 5.6, the FPGA 
computing system is connected to a Landsat 7 spacecraft simulation program. Several closed- 
loop simulations are performed. Test inputs are used to validate the FDIR procedures and 
control law algorithm executed on the FPGA computing system. Finally, Section 5.7 
compares the performance of the combined hardware and software computing architecture 
versus a software-dedicated architecture. Instead of the VHDL description, a C program of 
the SpecTRM-RL specification is generated. The C programs from both specifications are 
compiled and programmed into the memory on the same FPGA development board. A set of 
simulations is performed for each architecture. The performance of each computing 
architecture is evaluated based on the results of these simulations. 
5.2 Landsat 7 Spacecraft Overview 
The Landsat 7 spacecraft is an Earth orbiting satellite launched in 1997. The spacecraft carries 
instruments to map the Earth's surface. During normal operations, the spacecraft uses its Primary 
ACS to maintain the attitude in all three axes to within 180 arcseconds.' A picture of the Landsat 7 
spacecraft is provided in Figure 45. 
Figure 45: Landsat 7 Spacecraft 
The Landsat 7 spacecraft features an advanced fault protection system. When a fault is 
detected, the spacecraft automatically transitions into Safe-Hold Mode [MM295]. The Safe- 
Hold Mode automatically turns off instruments and rotates the spacecraft to a direction that 
points the solar array towards the sun. The attitude control requirements during Safe-Hold 
Mode are different than during normal operations. Pointing accuracy is relaxed to within 10 
degrees and the thrusters are turned off to presenre fuel [MM195]. During Safe-Hold Mode, 
the spacecraft uses the Backup ACS to change and maintain its attitude. The next three 
sections provide a description of the Backup ACS specification. 
1 1 arcsecond = 1/3600 degrees 
5.2.1 Backup ACS Components 
The Landsat 7 Backup ACS is made up of a number of sensors and actuators. An Inertial 
Measurement Unit (IMU) measures the attitude rate of the spacecraft. The IMU consists of 
six independent gyros that are configured to provide redundant measurements for each of the 
three axes. 
A Course Sun Sensor (CSS) is used to measure the spacecraft attitude. The CSS derives the 
spacecraft attitude in each axis by locating and measuring the direction of the sensor in 
relation to the sun. The CSS provides a single measurement in each axis, but the data is 
routed to the computer through two independent databuses. 
To change attitude during Safe-Hold Mode, the spacecraft relies on two independent sets of 
attitude control actuators. A set of Reaction Wheel Assemblies (RWA) is used as the primary 
attitude control actuator. A RWA consists of a spinning wheel and some electronics. The 
spinning wheel stores angular momentum. By changing the spin speed, the spacecraft's 
angular momentum changes and the spacecraft rotates. Three RWA aligned orthogonally 
provide attitude control in each of the three axes. 
If a RWA fails, the spacecraft uses a redundant pair of Magnetic Torque Rods (MTR) for 
attitude control. Current is supplied to the MTR to produce a magnetic field. This magnetic 
field interacts with the Earth's magnetic field to produce a net torque that rotates the 
spacecraft. 
Several components within the backup ACS have redundant channels or are designed to be 
backup components themselves. The FDIR specification determines how each component is 
monitored for faults and what actions are taken in response to a detected fault. The FDIR 
specification of the Landsat 7 Backup ACS is described next. 
5.2.2 FDIR Specification 
Each component in the Backup ACS is monitored for faults. The FDIR specification provides 
a list of fault checks that are performed on data received from each component. These fault 
checks determine if a fault has occurred. When a fault is detected, the FDIR specification 
determines an appropriate response. These responses include switching the channel of the 
component or switching to a different component entirely. The FDIR specification can be 
divided into two sections. The first section involves the attitude sensors and the second 
involves the attitude actuators. 
Attitude Sensor FDIR 
There are two attitude sensor components in the Backup ACS. The IMU provides 
measurements of the attitude rate and the CSS provides measurements of the attitude. Both 
measurements are used during nominal operation. If one of the two measurements becomes 
invalid, the spacecraft can still operate with a single measurement, albeit in a degraded 
fashion. Additionally, the IMU has two independent channels. If the primary IMU channel 
fails, measurements from the second channel are used instead. The following sections 
describe the fault checks used to monitor each attitude sensor and what actions are taken 
when a fault is detected. 
IMU FDIR 
The IMU consists of six independent gyros aligned to provide two independent measurements 
of each axis. The two independent channels form a primary and backup configuration for the 
IMU. Each gyro in the IMU provides an independent measurement of the spacecraft attitude 
rate. These measurements are monitored to determine if and when a fault has occurred. 
Each gyro measurement is subject to three fault checks: Limit Check, Static Check, and 
Obsolete Check. 
The Limit Check compares the current and past five measurements against the maximum 
expected attitude rate of +/- 15 degrees per second [MM395]. If any measurement is above 
or below the maximum attitude rate, it is highly likely that a fault has occurred. Another sign 
of a gyro fault is a constant output. The Static Check monitors the current and past five 
measurements from each gyro. If the measurements are all the same, it is highly likely that a 
constant output fault has occurred [MM395]. Finally, if no new data is received after a 
period of 1.5 seconds, the gyro measurement is declared obsolete. The Obsolete Check 
ensures that the current and past five measurements are not obsolete [MM395]. 
The measurements from each channel of the IMU are also subject to a Comparison Check. 
The Comparison Check measures the difference between each channel and compares the 
absolute value of the difference to the maximum expected limit of 2 degrees [MM395]. 
Each fault check is applied to both primary and backup IMU channels during nominal 
operation. If a fault is detected in the primary channel or if the Comparison Check fails, 
measurements from the backup channel are used. If faults are detected in both channels, the 
IMU is declared failed and turned off. 
CSS FDIR 
The CSS provides two attitude measurements in each axis. These measurements are not 
independently however. The measurements are transferred through two different databuses 
and provide a way to detect errors during the transfer [MM395]. The CSS measurements are 
compared to determine if and when a fault has occurred. If the absolute value of the 
difference between the two measurements is greater than 2 degrees, a fault is declared and 
the CSS is turned off. 
Attitude Actuator FDIR 
There are two attitude actuator components in the Backup ACS. The RWAs are used as the 
primary attitude actuators. If a fault is detected in any of the three RWAs, all three RWAs are 
turned off and the primary MTR is used as the attitude actuator. If a fault is detected in the 
primary MTR, the backup MTR is used. The RWA and MTRs provide three levels of 
redundancy for the Backup ACS. The following sections describe the fault checks used to 
determine if and when a fault has occurred in each attitude control actuator. 
RWA FDIR 
Each RWA provides two telemetry measurements that are used to monitor the status of the 
reaction wheel. A temperature sensor provides a temperature reading from the reaction 
wheel motor, and a speed sensor provides a measurement of the current wheel speed. These 
measurements are used in two corresponding fault checks. Both fault checks compare the 
current and past five measurements to the maximum expected limit. The Temperature Limit 
Check declares a fault if any temperature measurement is above the maximum expected 
temperature of 70 degrees Celsius [MM395]. The Speed Limit Check declares a fault is any 
speed measurement is above the maximum expected speed of 6000 revolutions per minute 
(RPM) [MM395]. 
The temperature and speed measurements are also subject to an Obsolete Check. Each 
received measurement is declared obsolete after five seconds. The Temperature and Speed 
Obsolete Checks ensure that the current and past five measurements are not obsolete 
[MM395]. 
MTR FDIR 
The Backup ACS uses two independent MTR channels to provide backup attitude control in 
all three axes. Each MTR provides a telemetry measurement associated with the electrical 
current in each torque rod. The Current Limit Check uses these current measurements to 
monitor the status of each torque rod. The Current Limit Check compares the current and 
past five measurements to the maximum expected limit of 100 amperes [MM395]. A fault is 
declared if any measurement exceeds the limit. 
Similar to other telemetry measurements, the current measurements from each MTR are also 
subject to an Obsolete Check. Each measurement received is declared obsolete after five 
seconds. The Current Obsolete Check ensures that the current and past five measurements 
are not obsolete [MM395]. 
The FDIR specification of the Backup ACS ensures that the spacecraft is capable of changing 
its attitude and point the solar array towards the sun, even when a fault has occurred. The 
next section describes the control law algorithm used to calculate the attitude angle 
commands sent to the attitude control actuators to change the spacecraft attitude. 
5.2.3 Control Law Algorithm 
The Backup ACS control law algorithm calculates the attitude angle commands sent to the attitude 
control actuators. The control law algorithm is specified with a traditional block-diagram shown in 
Figure 46. 
1 
Low Pass Filter = - 
10~4-1 
w  , 2ndOrder Bu~erwortk = t ~ ,  =0.6radfs 
z 2 + ~ * , z f w ~  
T T 
-2--24-1 
. 8 2 Zero Order Hold = 1 Sffnplo &lay= 2 r2 tau r z O . 5  see T '1" I z + - 2 4 - 1  -z+-z+1 8 2 8 2 -- -- -- -- - i 
Figure 46: Backup ACS Control Law Block-Diagram, derived from [MM195] 
Figure 46 is the block-diagram of the attitude control law for the Backup ACS in a single axis. The 
same control law algorithm is applied to all three axes. The control law algorithm features two 
feedback loops. The outer loop accounts for the attitude measured by the CSS, and the inner loop 
accounts for the attitude rate measurements provided by the IMU. The measured attitude and 
attitude rate are subtracted from a reference attitude input. The reference attitude input is the 
commanded attitude provided by the mission computer. The difference between the reference 
attitude input and the measured attitude is the change in attitude needed. This value is filtered by 
a zero order hold transfer function before it is sent to the attitude actuator. 
The body dynamics and integrator blocks in Figure 46 represent the kinematics of the spacecraft. 
These blocks are used to model the behavior of the spacecraft in response to commanded attitude 
inputs. The body dynamics and integrator blocks are used for simulations. These blocks are 
removed in the final specification. 
The output from the integrator block is the attitude measurement. In the final specification, the 
output from the integrator block is replaced by an input from the CSS. Each CSS measurement is 
fed through a low pass filter, sample delay, and gain. The low pass filter removes short-term 
oscillations, leaving only the long-term trend. The sample delay accounts for the time delay that 
occurs between taking the measurement and processing the measurement in the control law 
algorithm. A gain is applied to the output of the sample delay transfer function before closing the 
loop around the reference attitude input. 
The output from the body dynamics block is the attitude rate measurement. The output from the 
body dynamics block is replaced by measurements from the IMU in the final specification. Each 
IMU measurement is fed through two filers, a sample delay, and a gain before closing the loop 
around the reference attitude input. The gyro filter and 2nd order Butterworth filter are used to 
remove noise from the IMU measurements. The gyro filter is a second order low pass filter that 
removes short-term oscillations. The Butterworth filter is designed to have a frequency response 
that is as flat as mathematically possible in a specified frequency band [BUT30]. 
The parameters for each block are provided in the lower half of Figure 46. These parameters are 
derived from the original Landsat 7 specification documents [MM195]. In the next section, the 
control law algorithm and FDIR procedures described in this section are captured in high-level 
specifications. The FDIR procedures are captured in a SpecTRM-RL specification and the control 
law algorithm is captured in an Octavia block-diagram specification. These high-level 
specifications are the first step in the development of a dedicated FPGA computing system for the 
Backup ACS. 
5.3 High-Level Specifications 
This section describes the high-level specifications generated for the Landsat 7 Backup ACS. 
Specifications related to the FDIR procedures are captured in a SpecTRM-RL specification, 
and the control law algorithm is captured in an Octavia specification. Section 5.3.1 and 
5.3.2 describe the Landsat 7 Backup ACS SpecTRM-RL and Octavia specifications 
respectively. An overview of each high-level specification is provided along with excerpts 
from key components in each specification. The complete high-level specification documents 
are provided in the appendices. Each high-level specification is subject to a number of 
automatic analyses using built-in analysis tools described in Chapter 3. Section 5.3.3 
provides a description of the analyses performed on each high-level specification. 
5.3.1 SpecTRM-RL Specification 
The original Landsat 7 specification documents are used to generate a SpecTRM-RL 
specification. The SpecTRM-RL specification captures control-oriented specifications related 
to the Backup ACS. These specifications include all the FDIR procedures for each component 
in the backup ACS. Figure 47 is a visualization of the Landsat 7 Backup ACS captured in 
SpecTRM-RL. 
CSS Attitude A (F] [T] IMU Attitude Rate A 
CSS Attitude I3 I I IMU Attitude Rate B 
Odavia Attitude 
IMU Difference 
Reference Attitude 
IMU Attitude Rate A 
IMU Attitude Rate B 
Command t I  t I  
MTR A Current MTR A Attitude 
MTR Current I 1 MTR B Attitude I 1 Command Command 
f-l r-7 
I""] 
CSS Difference 
Odavia El 
CSS Attitude A 
CSS Attitude B 
Figure 47: Landsat 7 Backup ACS SpecTRM-RL Model 
The SpecTRM-RL specification shown in Figure 47 is constructed from five of six SpecTRM- 
RL elements: Inputs, Outputs, Modes, State Values, and Macros. Function elements are not 
used. The following sections provide excerpts from each element type used to construct the 
Landsat 7 Backup ACS SpecTRM-RL specification. 
Input Elements 
The Landsat 7 Backup ACS interfaces with a number of external devices shown in Figure 47. 
These external devices include the attitude sensors and actuators, the mission computer, and 
an Octavia specification. Input elements are used to model data received by the Landsat 7 
Backup ACS from external devices. An Input element from the SpecTRM-RL specification is 
shown in Figure 48. The complete high-level specification document with all elements is 
provided in Appendix A. 
IMU Attitude Rate A 
Source: IMU 
Type: Real 
Possible Values [Expected Range): [- 15.. 151 
Units: degreeslsec 
Granularity: 0.001 degrees/sec 
Exception-Handling: None 
Description: Input data from IMU Channel A 
Comments: Measures spacecraft attitude rate 
References: None 
Appears In: IMU Attitude Rate A Obsolete Passed, IMU Attitude Rate A L i m ~ t  Passed, 
IMU Attitude Rate A Static Passed, IMU Attitude Rate A Octavia, 
IMU Attitude RAte A Compare Octavia 
DEFINITION 
= New Data for IMU Attitude Rate A 
[IMU Attitude Rate A was Received 1 
= Previous Value o f  IMU Attitude Rate A 
IMU Attitude Rate A was Received 
Time Since IMU Attitude Rate A was Last Received < =  1500 milliseconds 
= Obsotete 
System Start 
IMU Attitude Rate A was Never Received 
Time Since IMU Attitude Rate A was Last Received > 1500 milliseconds 
L - - -- - -  - i 
Figure 48: IMU Attitude Rate A Input Element 
The "IMU Attitude Rate A" Input element shown in Figure 48 models data received by the 
Backup ACS from the IMU. The IMU provides two attitude rate measurements for each axis. 
The measurement from the primary channel is labeled A, while the measurement from the 
backup channel is labeled B. The expected range of both measurements is between -15 and 
15 degrees/second. The time between when a new measurement is received and when the 
measurement is declared obsolete is 1.5 seconds. The AND/OR tables captures the logical 
specification for each transition. 
Macro Elements 
Macro elements are used to model the fault checks specified in the FDIR procedures. The 
example in Figure 49 is a Macro element that performs the Limit Check for the IMU attitude 
rate measurements. 
IMU Attitude Rate A Limit Passed 
Description: Corresponds t o  IMU Limit Check 
Comments: Compares the IMU measurement against the maximum expected limit. 
References: IMU Attitude Rate A 
Appears In: IMU Channel 
DEFINITION 
Figure 49: IMU Attitude Rate Limit Check Macro 
The "IMU Attitude Rate A Limit Passed" Macro element compares the absolute value of the 
current and past five measurements from the "IMU Attitude Rate A" Input element to the 
maximum expected limit of 15 degrees/second. If all the measurements are within the limit, 
then the Macro element evaluates to true and the Limit Check has passed. 
Each fault check specified in the FDIR procedures has a corresponding Macro element. 
Appendix A provides the complete SpecTRM-RL specification including Macro elements 
corresponding to each fault check. 
State Value Elements 
The Landsat 7 Backup ACS SpecTRM-RL specification has six State Value elements. State 
Value elements are used to infer the health status of each component. The health status of 
each component is either unknown, good, or bad depending on measurements received from 
each component. 
The "IMU Health" and "MTR Health" State Value elements are used to infer the health status 
of the IMU and MTR respectively. Unlike the RWA and CSS components, the IMU and MTR 
each have redundant channels. Measurements received from each channel are used to select 
an appropriate channel for the device. The logical specification for selecting the appropriate 
channel is captured in a separate State Value element. The "IMU Channel" State Value 
element shown in Figure 50 selects the appropriate IMU channel based on measurements 
received from the external device. 
[state Value I 
IMU Channel 
Obsolescence: Unknown 
Exception-Handling: None 
Related Inputs: IMU Attitude Rate A, IMU Attitude Rate B 
Description: Inferred IMU Channel 
Comments: A, B, or None 
References: IMU Attitude Rate A Obsolete Passed .., 
Appears In: IMU Health 
DEFINITION 
= Unknown 
IMU Attitude Rate A Static Passed 
System Start 
IMU Attitude Rate A Limit Passed 
IMU Attitude Rate A Static Passed 
IMU Attitude Rate Compare Passed 
I 
IMU Attitude Rate B Limit Passed 
IMU Attitude Rate B Obsolete Passed 
IMU Attitude Rate B Static Passed 
111 
T T T  
T T T  
T T T  
I = None i i 
System Start 
IMU Attitude Rate A Obsolete Passed 
IMU Attitude Rate B Obsolete Passed 
IMU Attitude Rate A Limit Passed 
IMU Attitude Rate A Static Passed 
IMU Attitude Rate Compare Passed 
IMU Attitude Rate B Limit Passed 
IMU Attitude Rate B Static Passed 
Figure 50: IMU Channel Input Element 
The "IMU Channel" State Value element infers the health status of each channel in the IMU 
through measurements received from each channel of the IMU. Measurements from both 
channels are subjected to fault checks performed through corresponding Macro elements. 
These fault checks include the Obsolete Check, Limit Check, and Static Check. The "IMU 
Channel" State Value element selects the A channel if all the fault checks corresponding to 
the A channel passes. Otherwise, the B channel is selected. If both channels fail to pass their 
corresponding fault checks, then the "None" transition is entered. 
The health status of the IMU can be inferred from transitions of the "IMU Channel" State 
Value element. The "IMU Health" State Value element is shown in Figure 51. 
IMU Health 
Obsolescence: Unknown 
Exception-Handling: None 
Related Inputs: IMU Attitude Pate A, IMU Attitude Rate B 
Description: Infers health o f  IMU 
Com ments: Unknown, Good, Ehd 
References: IMU Channel 
Appears In: ACS Mode 
DEFINITION 
System Start 
IMU Channel in state Unknown 
= Unknown 
11 
System Start 
IMU Channel in state None 
Figure 51: IMU Health State Value Element 
The "IMU Health" State Value element uses the "IMU Channel" State Value element to infer 
the health status of the IMU. If either channel A or B is available, then the health status of 
the IMU is good. If both channels A and B are not available, then the health status of the 
IMU is bad. Otherwise, there is insufficient information to infer the health status of the IMU 
and the "IMU Health" State Value element remains in "Unknown." 
The "MTR Channel" and "MTR Health" State Value elements are used to model the health 
status of the MTR component. The specification of these elements is similar to the 
specification of the "IMU Channel" and "IMU Health" State Value elements. 
Unlike the IMU and MTR components, the CSS and RWA components do not have redundant 
channels. The health status of the CSS and RWA are inferred directly from measurements 
received from each external device. Figure 52 shows the "RWA Health" State Value element. 
. . . .. . . . . -- -. - . . . .- . .- . . - - . -. -. - - - -- . - . . . - 
-14tate Value I 
RWA Health 
Obsolescence: Unknown 
Exception-Handling: None 
Related Inputs: RWA Temperature, RWA Speed 
Description: Infer health of RWA 
Comments: Unknown, Good, Bad 
References: RWA Speed Obsolete Passed, RWA Tem perature Obolete Passed 
RWA Speed Limit Passed, RWA Temrrerature Limit Passed 
Appears In: ACS Mode 
DEFINITION 
- Unknown 
RWA Speed Obsolete Passed 
RWA Tem peratu re Obsolete Passed 
= Good 
= Bad 
i 
I 
RWA Temperature Limit Passed 
Figure 52: RWA Health State Value Element 
The "RWA Health" State Value element is used to model the health status of the RWA from 
the "RWA Temperature" and "RWA Speed" Input elements. The FDIR procedures specify 
fault checks for temperature and speed measurements received from each reaction wheel. 
Fault checks for the RWA are performed by the "RWA Temperature Obsolete Passed, "RWA 
Temperature Limit Passed," "RWA Speed Obsolete Passed," and "RWA Speed Limit Passed" 
Macro elements. If any of the Macro elements corresponding to the Obsolete Checks is false, 
the health status of the RWA cannot be determined and the "RWA Health Status" State Value 
element transitions to "Unknown." If the Macro elements corresponding to the Obsolete 
Checks and Limit Checks are true, then the "RWA Health" State Value element transitions to 
"Good." If any of the Macro elements corresponding to the Limit Checks is false, the "RWA 
Health" State Value element transitions to "Bad." 
The "CSS Health" State Value element is similar to the "RWA Health" State Value element. 
The "CSS Health" State Value element infers the health status of the CSS directly from the 
"CSS Attitude A" and "CSS Attitude B" Input elements. The Macro element "CSS Attitude 
Compare Passed" compares the difference between the inputs against a maximum expected 
limit. 
Mode Element 
The Landsat 7 Backup ACS SpecTRM-RL specification has one Mode element. The "ACS 
Mode" Control Mode element models the overall health of the Backup ACS. The "ACS Mode" 
element is shown in Figure 53. 
----.--..".-"---. " "-.p,.-"p 
l ~ o n t r o l  Mode 1 
ACS Mode 
Description: Element used t o  model health o f  ACS 
Comment: Primary, hckup, or Failed 
References: IMU Health, CSS Health, RWA Health, MTR Health 
Appears In: None 
DEFINITION 
= Primary 
IMU Health in state Ead 
CSS Health in state Ehd 
RWA Health in state Bad 
I = Backup I 
= Failed 
IFIm 
RWA Health in state Bad 
Figure 53: ACS Mode SpecTRM-RL Element 
The "ACS Mode" element has three transitions corresponding to the health status of the 
Backup ACS. The transitions are inferred from State Value elements corresponding to the 
health status of each component in the Backup ACS. The three transitions of the "ACS Mode" 
element are "Primary," "Backup," and "Failed." The "Primary" transition requires that none 
of the three primary components have failed. The primary components of the Backup ACS 
are the IMU, CSS, and RWA. The ACS can also function in a degraded or backup mode as 
long as there is at least one good attitude sensor component and one good attitude actuator 
component. The second AND/OR table specifies this condition. Finally, if both attitude 
sensors or both attitude actuators are unavailable, the spacecraft is incapable of sensing or 
changing its attitude. In that case, the "ACS Mode" element transitions to "Failed." 
Output Elements 
Output elements are used to send data to external devices. For the Landsat 7 Backup ACS, 
outputs include the attitude commands sent to attitude control actuators and attitude sensor 
data sent to the Octavia specification. Each attitude control actuator has a corresponding 
attitude command Output element. These Output elements are triggered based on the health 
status of the attitude control actuator components. The RWA is the primary attitude control 
actuator. Attitude commands are sent to the RWA by default. The "RWA Attitude 
Command" Output element is shown in Figure 54. 
RWA Attitude Command 
1 Destination: RWA 
1 Fields: 1 Name: Attitude 
I Type: Real I Acceptable Values: Any I 
I Units: degrees I I Granularity: 0.1 degrees 1 I Hazardous Values: None 
Exception-Handling: None 
i Description: Attitude command for RWA 
Comments: Triggered when RWA Health is good 1 
References: RFlA Health, Octav~a Attitude 
TRIGGERING CONDITION 
IRWA Health in state Good 1 
IOctavia Attitude i s  ~ b s o l e t e l  
MESSAGE CONTENTS 
Figure 54: RWA Torque Output Element 
Field: 
Attitude 
The "RWA Attitude Command" Output element outputs data corresponding to the required 
change in attitude. The required attitude change is derived from the control law algorithm 
specified in an Octavia specification. The Octavia specification is described in the next 
Value: 
Octavia Attitude 
section. 
Similar to the "RWA Attitude Command", the "MTR A Attitude Command" and "MTR B 
Attitude Command" Output elements send attitude commands to each channel of the MTR. 
The "MTR A Attitude Command" Output element is triggered when the "RWA Health" State 
Value element is "Bad." Similarly, the "MTR B Attitude Command" Output element is 
triggered when the A channel of the MTR has failed. These elements are documented in 
Appendix A. 
SpecTRM-RL - Octavia Interface 
The Landsat 7 Backup ACS SpecTRM-RL specification interfaces with the control law 
algorithm specified in an Octavia specification in the same manner as any external device. As 
shown in Figure 47, Input and Output elements are used to model data transfer that occurs 
between each high-level specification. Output elements send measurements received from 
each attitude sensor to the Octavia specification. The commanded attitude received from the 
mission computer is also sent to Octavia. These measurements are used by the control law 
algorithm to calculate the required change in attitude. This data is returned to the SpecTRM- 
RL specification through an Input element. Figures 55 and 56 show elements used to 
interface with the control law algorithm specified in Octavia. 
-1 LIisplay Output ] 
1 Reference Attitude Octavia / 
Destination: Octavia 
Fields: 
Name: Attitude 
Type: Real 
Acceptable Values: [O., 3601 
Units: Degrees 
Granularity: 0.1 Degree 
Hazardous Values: 
Exception-Handling: None 
Description: Used by Octavia Control Law 
Comments: Outputs the commanded attitude 
References: Commanded Attitude 
TRIGGERING CONDITION 
[commanded Attitude is ~ b s o l e t e l  
MESSAGE CONTENTS 
I 
Figure 55: Octavia Interface SpecTRM-RL Element 
Field: 
Attitude 
The "Reference Attitude Octavia" Output element provides the control law algorithm with the 
commanded attitude. The data is received from the mission computer through the 
"Commanded Attitude" Input element found in Appendix A. 
Value: 
Commanded Attitude 
In addition to the "Reference Attitude Octavia" Output element, there are Output elements 
corresponding to measurements received from each attitude sensor. Data from these Output 
elements are used by the control law algorithm to derive the required change in attitude. 
This data is received by the SpecTRM-RL specification through the "Octavia Attitude" Input 
element shown in Figure 56. The next section describes how the control law algorithm is 
captured with the Octavia block-diagram toolset. 
, 
!knput Value I 
I Octavia Attitude 
i Source: Octavia 
Type: Real 
I Fbssible Values (Expected Range): Any 1 Units: degrees I Granularity: 0.01 degrees 
I Exception-Handling: None 
I Description: Octavia calculated attitude command 
1 Comments: Provided by Octavia 
= New Data for Octavia Attitude 
. 
[ m a v i a  Attitude was Received I 
= Previous Value o f  Octavia Attitude 
Octavia Attitude was Received 
Time Since Octavia Attitude was Last Received c = 1500 milliseconds 
= Obsolete 
System Start 
Octavia Attitude was Never Received 
Time Since Octavia Attitude was Last Received > 1500 milliseconds 
References: None 
Appears In: RWA Attitude Command, MTR A Atttiude Command, 
MTR B Attitude Command 
DEFINITION 
I I 
Figure 56: Octavia Interface SpecTRM-RL Element 
5.3.2 Octavia Specifics tion 
An Octavia specification is used to capture the control law algorithm of the Landsat 7 Backup 
ACS. Figure 57 is the equivalent Octavia specification of the original control law algorithm 
shown in Figure 46. 
[IMU Attitude Rate B I 
(from SpecTRM IMU Attitude Rate Difference 
~ I u  Attitude Rate AI 
ICSS Attitude Difference I 
-1 
,> Transfer Function 9 
[ = I  
l~osition Gain I 
Transfer Function 
lRdteGdinl 
from SpecTRM 
[jER+g-@ 
a Transfer Function 
[ from SpecTRM 4 p 4  
Transfer Function Transfer Function 
(-4 
12nd order Butterworth I F l  
from SpecTRM M $ b - l  
Transfer Function 
I from SD~CTRM 
i4 
~ I M U  Attitude Rate B I 
I* Only One Attitude Measurement is used I 
I I 
Figure 57: Landsat 7 Backup ACS Octavia Specification 
The Octavia specification shown in Figure 57 is divided into two parts. The blocks in the 
upper half of Figure 57 are used to calculate the difference between attitude and attitude rate 
measurements provided by different channels in the IMU and CSS. The results from these 
calculations are used in the fault checks specified in SpecTRM-RL. Data from the SpecTRM- 
RL specification arrives through "from SpecTRM" blocks. Each "from SpecTRM-RL" block 
labeled receives data from the corresponding SpecTRM-RL element. The inputs are 
subtracted using a summation block and the results are returned to SpecTRM-RL through 
corresponding "to SpecTRM" blocks. 
The control law algorithm of the Backup ACS is specified in the lower half of Figure 57. The 
transfer functions specified in the original block-diagram in Figure 46 are recreated in 
Octavia using Octavia Transfer Function blocks. Similarly, the original gain and summation 
blocks are replaced by equivalent blocks in Octavia. The inputs for the control law arrive 
through corresponding "from SpecTRM'' blocks. There are "from SpecTRM" blocks 
corresponding to the reference attitude received from the mission computer, measured 
attitudes received from the CSS, and measured attitude rates received from the IMU. 
The output of the control law algorithm is an attitude command. The attitude command 
represents the change in attitude required to place the spacecraft in the commanded attitude. 
The attitude command is sent back to SpecTRM-RL and forwarded to one of the attitude 
actuators. The "Octavia Attitude" Input element shown in Figure 56 receives the output of 
the control law algorithm. 
The completed SpecTRM-RL specification and Octavia specification are subject to a suite of 
analyses. These analyses are described in the following section. 
5.3.3 Specification Analyses 
Several analyses are performed on the SpecTRM-RL specification and Octavia specification. 
Analyses are first performed on each specification individually using built-in analyses tools in each 
toolset. The SpecTRM-RL specification is first analyzed by the Validator analysis tool. The 
Validator tool ensures that the SpecTRM-FU specification is structurally and semantically correct. 
Next, the specification is analyzed for nondeterminism and robustness. These analyses are called 
from the Nondeterminism and Robustness Analysis tools. Finally, the SpecTRM Simulator is used 
to observe and validate the behavior of the specification. Test inputs signaling faults for each 
component in the Backup ACS are provided. The responses of the specification are then checked 
against the specified FDIR procedures. 
The control law algorithm is analyzed using the Octavia built-in simulation tool. The Reference 
Input block is replaced with a Step Input block. The Step Input block represents a commanded 
attitude change of 1 degree. The results from the simulation are plotted and compared to analyses 
in the original documentation [MM195]. 
After each high-level specification is analyzed individually, a combined simulation is carried out 
using the integrated simulation tools developed in the thesis. The combined simulation allows the 
behavior of the complete Backup ACS specification to be observed and analyzed. The transitions 
of each element and data transfer between the SpecTRM-RL and Octavia specifications are 
observed directly from the SpecTRM Simulator environment. A screen shot from the combined 
simulation is shown in Figure 58. 
CSS Altitude A ( CSS ] ( IMU ] IMUAttitude Rate A 
1.208253 0.201 376 
CSS Altitude B 
1.101261 1 0 216877 
OctavlaTorque 
' ,  
IMU Difference 
- 
Reference Attitude 
3.1 
IMUAttitude Rate A 
0.201 376 
IMU Attitude Rate B 
MTR ACumnt I 1 MTRA ~nltude MTR B Current 1 ~ M T R  B Attitude 
26.464993 Command 26 464993 Command 
CSS Difference 
-0.006042 
Odavia 
CSS Attitude A 
1.208253 
CSS Attitude B 
1.301 262 
Figure 58: SpecTRM-RL and Octavia Combined Simulation of Landsat 7 Backup ACS 
5.3.4 High-Level SpeciJcations Summaty  
This section described the high-level specifications generated for the Landsat 7 Backup ACS. 
FDIR procedures are captured with a SpecTRM-RL specification, while the control law 
algorithm is captured in an Octavia specification. Each high-level specification is subject to a 
series of analyses using the built-in analysis tools provided by each toolset. These analyses 
tools provide a powerful and convenient way to detect specification errors. After the analyses 
are complete, the high-level specifications are converted into equivalent VHDL and C 
programs for synthesis on an FPGA. The conversion process is described in the next section. 
5.4 Autocode Generators 
The high-level specifications of the Landsat 7 Backup ACS are converted to equivalent VHDL 
description and C programs intended for synthesis on an FPGA. The SpecTRM-RL 
specification is converted into an equivalent VHDL description, while the Octavia 
specification is converted into an equivalent C program. The VHDL description and C 
program are synthesized on an FPGA to create a computing system for the Landsat 7 Backup 
ACS. The synthesis process is described in the next section. This section is divided into three 
parts. Section 5.4.1 describes the process that converts the SpecTRM-RL specification into an 
equivalent VHDL description. Section 5.4.2 describes the process that converts the Octavia 
specification into an equivalent C program. Finally, Section 5.4.3 describes the process that 
converts the SpecTRM-RL specification into an equivalent C program. This C program is used 
to evaluate the performance of a software-dedicated computing architecture versus a 
combined hardware and software architecture. 
The SpecTRM-RL to VHDL conversion process is performed by invoking the autocode 
generator described in Chapter 4. The SpecTRM-RL to VHDL autocode generator developed 
provides a simple interface to convert any SpecTRM-RL specification into an equivalent VHDL 
description. The autocode generated VHDL description for the Landsat 7 Backup ACS 
SpecTRM-RL specification is provided in Appendix B. 
5.4.2 Octavia to C 
The Octavia to C conversion process is performed by invoking the autocode generator 
described in Chapter 4. The Octavia to C autocode generator developed provides a simple 
interface to convert any Octavia specification into an equivalent C program. The autocode 
generator is used to convert the Landsat 7 Backup ACS control law specification into and 
equivalent C program. The source listing of the autocode generated C program is provided in 
Appendix C. 
An equivalent C program is automatically generated by the SpecTRM-RL to C autocode 
generator. The C program and VHDL description of the Landsat 7 Backup ACS SpecTRM-RL 
specification allow a comparison to be made between the performance of a software- 
dedicated computing architecture versus a combined hardware and software architecture. 
The C source listing for the autocode generated Landsat 7 Backup ACS SpecTRM-RL 
specification is provided in Appendix D. 
5.4.4 Autocode Generator Summary 
Using the autocode generators developed for this thesis, the conversion process from high- 
level specification to equivalent VHDL description and C programs are relatively 
straightfonvard. The autocode generators are invoked directly from the SpecTRM and 
Octavia toolsets. The converted specifications are synthesized on an FPGA to create the 
Landsat 7 Backup ACS computing system. The next section describes the FPGA synthesis 
process. 
5.5 FPGA Computing System 
The autocode generated VHDL description and C programs described in Section 5.4 are 
synthesized on an FPGA development board to create a Landsat 7 Backup ACS computing 
system. The FPGA development board is a Memec Design development board and features a 
Xilinx Virtex I1 Pro FPGA device. Section 5.5.1 provides some background information on the 
FPGA development board. Descriptions of relevant components on the development board 
are provided. Section 5.5.2 describes the FPGA synthesis process. The synthesis process 
involves the use of a commercial synthesis tool. The synthesis tool is described followed by a 
description of the actual synthesis process. 
5.5.1 Memec Design FPGA Board 
The Landsat 7 Backup ACS computing system is synthesized on a Memec Design FPGA 
-- - - - - - - - -- -. - . . 
146 
development board1. The Memec Design development board features a Xilinx Virtex I1 Pro 
FPGA device and some supporting peripherals. The FPGA and supporting peripherals are 
described in the following sections. A photo of the Memec Design development board is 
shown in Figure 59. 
Xilinx Virtex II Pro FPGA 
The main component of the Memec Design development board is the Xilinx Virtex I1 Pro 
FPGA device2 [XILOS]. The Virtex I1 Pro FPGA is available in multiple configurations. The 
version that is embedded in the Memec Design development board has a total of 9,856 
programmable logic cells. Each logic cell is comprised of four generic Look-Up Tables (LUT). 
An embedded PowerPC microprocessor core can be synthesized on the Virtex I1 Pro FPGA. 
1 Model Number: DS-BD-2VP4/7-FG456 Rev 4A, data sheet at http://www.em.avnet.com/ 
2 Model Number: XCV2P-FG456, data sheet at http://www.xilinx.com 
The PowerPC is a 32-bit Reduced Instruction Set Computer (RISC) microprocessor. It has a 
comprehensive instruction set including support for floating point arithmetic. The embedded 
PowerPC on the Virtex I1 Pro can be clocked at a maximum speed of 100 Megahertz (Mhz). 
The PowerPC was jointly developed by Apple, IBM, and Mototorola in 1991 for desktop 
computers. It has since been used on in many embedded applications. A radiation-hardened 
version of the PowerPC microprocessor is used in the RAD6000 Spacecraft Computer made 
by BAE Systems1. The RAD6000 is the primary computer used on board the Mars Spirit and 
Opportunity Rovers CMAl.041. 
The PowerPC microprocessor has a large user base and strong industry support. A number of 
compilers support the PowerPC architecture including the open source GNU GCC compiler. 
The autocode generated C programs described in Section 5.4 are compiled with a GCC 
compiler embedded in the Xilinx synthesis tool. 
BRAM 
The Block Random Access Memory (BRAM) is a Xilinx proprietary memory configuration. 
The BRAM provides fast and convenient data storage for devices on the FPGA development 
board. Multiple BRAM units can be synthesized on a single Virtex I1 Pro FPGA. Each BRAM 
unit has two ports capable of providing simultaneous access to two separate devices. The 
size of each BRAM must be configured to multiples of 16k bytes. 
Serial Port 
The Memec Design development board includes a serial port for communication with 
external devices. The serial port uses the standard RS-232 serial communication protocol 
[NIOG]. The serial port driver is synthesized on the Virtex I1 Pro FPGA and can be configured 
with a wide range of options including the data rate, data bits, stop bits, and parity bit 
settings [XIL205]. The serial port is used to communicate with a desktop computer running a 
simulated model of the Landsat 7 spacecraft. The simulation setup is described in Section 
5.6. 
LED 
The Memec Design development board also includes 4 LED lights. These LED lights can be 
programmed to perform simple tasks such as communicating messages. The LED lights are 
programmed to signal when the PowerPC microprocessor is running a control law algorithm 
task. 
PLB Bus 
Data transfer between peripherals synthesized on the FPGA is carried out with a databus. 
The Processor Local Bus (PLB) Bus is a Xilinx proprietary databus that can be instantiated 
and synthesized on the FPGA device FIL3051. Data transfer between the peripherals 
described in this section is facilitated by he PLB. 
5.5.2 FPGA Synthesis 
This section describes the FPGA synthesis process used to create the Landsat 7 Backup ACS 
computing system. The Xilinx Platform Studio and Embedded Development Kit (EDK) toolset 
is used to capture the FPGA design and manage the synthesis process1. The following 
sections describe the steps in the synthesis process starting with a brief description of the 
Xilinx Platform Studio and EDK toolset. 
Xilinx Platform Studio and EDK Toolset 
The Xilinx Platform Studio and EDK toolset is a commercial toolset used to design and 
synthesize Xilinx FPGA devices. The toolset provides a convenient environment to enter a 
hardware design, optimize the design, perform the synthesis process, and download the 
design to the FPGA device. A hardware component is imported from a VHDL description file 
through a simple wizard. Once entered, the optimization, synthesis, and programming 
processes are performed automatically through a simple push button interface. 
The Xilinx Platform Studio and EDK toolset also includes an environment and applications to 
capture, compile, and program embedded software applications. The toolset includes a GNU 
GCC C compiler. Once entered, the C program can be compiled and loaded onto the FPGA 
automatically. A Xilinx proprietary operating system is automatically generated and 
compiled along with any user-entered C programs. The operating system allows multiple 
programs to be executed on the embedded PowerPC microprocessor. 
Landsat 7 Backup ACS Computer Architecture 
The methodology described in this thesis does not specify an implementation architecture for 
the autocode generated components derived from the original high-level specifications. The 
architecture design and exploration is left to spacecraft hardware engineers. The computing 
architecture presented here is an example used to illustrate the feasibility of the 
methodologies and toolsets developed in this thesis. It is not an optimized architecture. The 
performance of the computing system must only satisfy the performance requirements 
specified in the FDIR and control law specification. A performance evaluation of the 
computing architecture presented here is provided in the next section. A diagram of the 
architecture of the Landsat 7 Backup ACS computing system is shown in Figure 60. 
Figure 60: Landsat 7 Backup ACS Computer Architecture 
The architecture of the Landsat 7 Backup ACS computing system is composed of a number of 
components within the Memec Design development board. The main component is the 
Virtex I1 Pro FPGA device. Several components are synthesized within the FPGA device. The 
VHDL description of the SpecTRM-RL specification is imported and synthesized as a 
peripheral device on the FPGA. The C program of the Octavia specification is imported as a 
software application. The C program is compiled and stored in a section of the BRAM 
memory. A PowerPC core is also synthesized to execute the Octavia C program. The LED 
and serial port are not part of the FPGA device. These peripherals are 
Figure 60 also describes the interfaces between the various components on the Memec Design 
development board. Data enters the development board through the serial port. Custom C 
code is added to the Octavia program to access the serial port. The custom C code provides 
functions to retrieve data from the serial port and deposit the data in the BRAM. On the 
other end, data can also be retrieved from the BRAM sent back to the serial port. The C 
program and serial port interface allow data transfer between the Memec Design 
development board and an external device. Section 5.6 describes how the interface is used to 
perform a closed-loop simulation with a Landsat 7 spacecraft simulation program running on 
a desktop computer. 
At regular intervals1, the custom SpecTRM-RL peripheral accesses the BRAM and retrieves 
any new data. New data retrieved from the BRAM is equivalent to new data values for Input 
elements in the original SpecTRM-RL specification. The new data drives state transitions in 
the SpecTRM-RL peripheral and triggers output data. Output data from the SpecTRM-RL 
peripheral are in turn written to the BRAM. 
The SpecTRM-RL peripheral is also responsible for signaling the execution of the Octavia C 
program. After new data is received and stored in the BRAM, the SpecTRM-RL peripheral 
calls on the PowerPC microprocessor to execute the Octavia C program. The Octavia C 
program accesses data from the BRAM and performs calculations specified in the original 
control law algorithm. After all calculations are performed, the results are written back to 
the BRAM. 
C code is also added to the Octavia program to trigger the LED lights. The LED lights are 
1 The interval at which the SpecTRM-RL peripheral accesses the BRAM can be varied. 
triggered whenever the Octavia C program is executed. The LED lights provide a simple 
mechanism to signal execution flow. These signals are very helpful in the debugging process. 
FPGA Utilization 
After each synthesis process, the Xilinx Platform Studio and EDK toolset provides a set of 
FPGA utilization data. The utilization data for the Landsat 7 Backup ACS computing system 
is listed in Figure 61. 
1 Component / Resource 1 Used 1 Available 1 Percent 1 
1 SpecTRM- RL Peripheral 1 Logic Cells 1 3336 1 9856 1 33% 1 
/ Complete System I Logic Cells 1 4280 1 9856 1 43% 1 
/ Octavia C Program 1 Memory Size 1 60 k bytes / 80 k bytes 1 75% 1 
Figure 61: Landsat 7 Backup ACS FPGA Utilization Data 
The Landsat 7 Backup ACS prototype computing system utilizes roughly half of the available 
FPGA resources. The SpecTRM-RL peripheral is the most complicated peripheral and 
requires one third of the available Look Up Tables (LUT) on the FPGA. The complete 
computing system including all the supporting peripherals and memory requires less than 
half of the available FPGA resources. The utilization data shows that the FPGA can still 
accommodate more features. The FPGA device can still accommodate a more complex 
system involving more advanced FDIR procedures. 
Utilization data related to software applications are also reported. The Octavia C program 
requires a significant amount of memory space. However, the BRAM memory used to store 
the C program is synthesized from the FPGA. The size of the memory can be increased to 
accommodate a larger Octavia C program. Given that more than half of the FPGA has not 
been utilized, the size of the C program can be increased significantly. A larger C program 
will correspond to a more complex control law algorithm. 
The resources of the FPGA computing system can be increased significantly if required. The 
Virtex I1 Pro FPGA device on the Memec Design development board consists of a total of 
9,856 logic cells. The most complex Virtex I1 Pro FPGA device available has a total of 99,216 
logic cells or roughly ten times the capacity of the version used [XILOS]. In addition, the 
larger device also supports two PowerPC microprocessor cores. The extra microprocessor 
and larger FPGA capacity provide significant room for additional processing capabilities. For 
example, the processing requirements for multiple subsystems can be combined and 
implemented on a single FPGA computing device. Alternatively, more automation features 
and more complex control law algorithms can be processed on a single FPGA computing 
device. 
5.5.3 FPGA Computing System Summary 
This section described the synthesis process used to create the Landsat 7 Backup ACS 
computing system. A Memec Design FPGA development board is used as the prototype 
computing platform. The Memec Design development board features a Xilinx Virtex I1 Pro 
FPGA device and several supporting peripherals. The autocode generated VHDL description 
and C program from the SpecTRM-RL and Octavia high-level specifications are synthesized 
and compiled with the Xilinx Platform Studio and EDK toolset. The toolset provides a 
powerful and convenient environment to manage the synthesis process. Once the VHDL 
description and C program are imported into the toolset, the optimization, synthesis, and 
programming process is carried out automatically. 
The architecture of the Landsat 7 Backup ACS computing system was also described. Data 
enters the computing system through the serial port and is stored in the BRAM memory. At 
regular intervals, the data is accessed by the SpecTRM-RL peripheral and Octavia C program. 
Output data generated by the SpecTRM-RL peripheral and C program is sent out through the 
serial port. 
Finally, the utilization data for the FPGA was presented. The utilization data showed that the 
Landsat 7 Backup ACS computing system requires less than half of the FPGA resources. 
Additionally, the capacity of the FPGA can be increased significantly if a higher capacity 
FPGA device is used. 
To validate the synthesized FPGA computing system, the Landsat 7 Backup ACS computing 
system is connected to a desktop computer running a simulation program of the Landsat 7 
spacecraft. The simulation setup and results are described in the next section. 
5.6 Closed-Loop Simulations 
This section describes the closed-loop simulations performed to validate the synthesized 
Landsat 7 Backup ACS FPGA computing system. The closed-loop simulations help validate 
the FPGA architecture and FPGA synthesis process described in Section 5.5. The closed-loop 
simulations also provide another level of verification for the new methodologies and toolsets 
developed for this thesis. Successful simulation results help demonstrate the feasibility of the 
new spacecraft computing development process. 
This section is divided into two parts. Section 5.6.1 describes the simulation setup. The 
Memec Design development board is connected to a desktop computer. A simulation 
program of the Landsat 7 spacecraft is written and compiled on the desktop computer. The 
simulation program simulates the spacecraft dynamics and produces data for each 
component of the Backup ACS. The results of the simulations performed are described in 
Section 5.6.2. Two sets of simulations are performed. The first set tests the response of the 
Landsat 7 Backup ACS computing system to simulated faults in each component. Simulated 
data corresponding to component faults are provided to validate each fault check and 
element transition specified in the SpecTRM-RL specification. The second set of simulations 
validates the control law algorithm executed in the Octavia C program. Reference attitude 
commands are provided and the calculated attitude commands are recorded to determine if 
the control law algorithm is carried out correctly in the FPGA computing system. 
5.6.1 Simulation Setup 
To validate the Landsat 7 Backup ACS computing system, a closed-loop simulation is 
performed with a Landsat 7 spacecraft simulation program running on a desktop computer. 
A high-level overview of the simulation setup is shown in Figure 62. 
Figure 62: Block Diagram of Simulation Architecture 
The Memec Design development board is connected to a desktop computer through the serial 
port. A simulated version of the Landsat 7 spacecraft is executed on the desktop computer 
and provides simulated data inputs for the FPGA development board. These inputs include 
attitude rate measurements from the IMU, the attitude measurements from the CSS, 
temperature and speed measurements from the RWA, and current measurements from the 
MTR. The Landsat 7 Backup ACS computing system uses the simulated data to determine the 
health status of the Backup ACS and generate attitude commands for one of the three 
attitude control actuators. Attitude commands are sent back to the desktop computer to 
update the spacecraft simulation program. The Landsat 7 Backup ACS computing system 
also sends telemetry data to the desktop computer. This data include information from 
Macro elements related to each fault check specified in the FDIR procedures and state 
transition of each State Value and Mode element. The data is not used by the Landsat 7 
spacecraft simulation program but is recorded for review after the simulation. 
The Landsat 7 spacecraft simulation program consists of several components as shown in 
Figure 62. The spacecraft dynamics component is a kinematic model of the Landsat 7 
spacecraft. The model uses attitude commands generated by the Landsat 7 Backup ACS 
computing system to calculate the current spacecraft attitude. The output of the spacecraft 
dynamics component is then used to generate outputs for the IMU, CSS, RWA, and MTR 
models. A random value consistent with electronic white noise is added to the measurement 
outputs for the IMU and CSS models. The speed, temperature, and current values of the 
RWA and MTR models are generated by scaling the value of the attitude commands. The 
speed, temperature, and current outputs of the RWA and MTR models increase linearly with 
the value of the attitude command. 
Faults can be triggered in the IMU, CSS, RWA, and MTR models to simulate a failure in the 
actual spacecraft component. The output from each simulated component can be assigned a 
constant value or removed completely. This feature is used to test the FDIR procedures 
synthesized on the Landsat 7 Backup ACS. 
The Landsat 7 spacecraft simulation program is written in C and compiled with the GNU GCC 
compiler. A command line interface is used to start and stop the simulation. Data sent and 
received by the Landsat 7 spacecraft simulation program is displayed on the screen during 
the simulation. The C source listing for the Landsat 7 spacecraft simulation program is 
provided in Appendix E. 
Figure 63 is a photo of the simulation setup during a simulation. The Memec Design 
development board, serial cable, and spacecraft simulation program are visible in the photo. 
Figure 63: Simulation Setup in Lab 
Two sets of simulations are conducted to validate the synthesized Landsat 7 Backup ACS 
computing system. The results from these simulations are discussed next. 
5.6.2 Simulation Results 
Closed-loop simulations are performed to validate the SpecTRM-RL peripheral and Octavia C 
program in the Landsat 7 Backup ACS computing system. Tests are performed to ensure that 
the FDIR procedures and control law algorithm are carried out correctly on the FPGA 
computing system. These tests are described in the following sections. 
FDIR Test 
The SpecTRM-RL peripheral on the FPGA device is in charge of performing the FDIR 
procedures described in the SpecTRM-RL specification. Simulated faults are provided to test 
each fault check specified in the original specification. For example, the IMU Attitude Limit 
Check is designed to detect an out-of-range attitude rate input from the IMU. To test the IMU 
Attitude Limit Check, the Landsat 7 spacecraft simulation program is programmed to provide 
the SpecTRM-RL peripheral with an attitude rate value that is beyond the expected limit. 
The evaluation of the fault check is then recorded and reviewed after the simulation. Each 
fault check is tested and validated individually using the procedure described. 
The FDIR procedures also specify responses for each component fault detected. For example, 
if a fault is detected in the IMU primary channel, then data from the backup channel is used 
instead. Similarly, if a fault is detected in the RWA, then attitude commands are sent to the 
primary MTR instead. After each simulated fault, the response issued by the Landsat 7 
Backup ACS computing system is recorded. The results are reviewed after each simulation. 
Control Law Test 
The Octavia C program performs calculations specified in the control law algorithm. 
Reference attitude commands are provided by the Landsat 7 simulation program. The 
Octavia C program generates attitude commands based on the reference attitude command 
and measurements provided the IMU and CSS models. The attitude command for each 
calculation cycle is recorded on the desktop computer. A plot of the data collected from a 
simulation is shown in Figure 64. 
Step Input Responses 
I Time Is) I 
Figure 64: Step Input Response from Closed-Loop Simulation 
Figure 64 plots the three sets of data values as a function of time recorded from a closed-loop 
simulation performed to test the outputs of the Octavia C program. The solid blue line is the 
commanded reference attitude. The green line represents the attitude command value 
calculated by the Octavia C program. The pink line represents the measured attitude 
recorded from the CSS model running on the Landsat 7 spacecraft simulation program. 
The commanded attitude is set to a value of 1 degree 10 seconds into the simulation. As 
shown, the value of the attitude command increases to around 1 degree in response to the 
commanded attitude. This spike in the calculated attitude command occurs just after the 
reference attitude is issued. The value of the attitude command decreases to zero as the 
measured attitude reaches a value of 1 degree. 170 seconds into the simulation, the 
commanded attitude is set to -1 degree. As expected, the Octavia C program generates an 
attitude command of -2 degrees. This value corresponds to the change in attitude needed to 
put rotate the spacecraft from 1 degree to -1 degree. Once again, the attitude command 
decreases to zero as the measured attitude approaches the commanded attitude. 
Performance Requirements Evaluation 
The original Landsat 7 Backup ACS requirements specify the minimum evaluation rate for the 
FDIR procedures and control law algorithm. The FDIR procedures must be evaluated once 
every 5 seconds, while the control law algorithm must be executed once every 1.5 seconds. 
Results from the closed-loop simulations verify the satisfaction of these performance 
requirements. The FDIR procedures are evaluated by the SpecTRM-RL peripheral within 1 
milliseconds of receiving new data, while execution of the control law algorithm by the 
Octavia C program is completed within 100 milliseconds of receiving new data. 
The performance of the synthesized computing system is highly dependent on the rate at 
which new inputs are received. Because all inputs are accessed through the serial port, only 
one measurement can be received at any given time. Although results from the simulations 
of the FPGA computing system show that the original performance requirements of the 
Landsat 7 Backup ACS are met, the performance of the FPGA computing system can be 
further improved. If the FPGA device can be connected directly to input sources, multiple 
measurements can be processed concurrently by the SpecTRM-RL peripheral, resulting in a 
higher evaluation rate. 
5.6.3 Closed-Loop Simulations Summary 
This section described the closed-loop simulation performed to validate the FPGA computing 
system. The FPGA computing system is connected to a desktop computer running a Landsat 
7 spacecraft simulation program. The simulation program provides input data for each 
component in the Landsat 7 Backup ACS. Attitude commands and telemetry data generated 
by the FPGA computing system are sent back to the desktop computer and spacecraft 
simulation program. 
Simulations are performed to validate the SpecTRM-RL peripheral and Octavia C program on 
the FPGA computing system. The results from these simulations validate the synthesis 
process used to create the Landsat 7 Backup ACS computing system. These simulations also 
provide further verification for the methodologies and toolsets developed in this thesis. The 
results from these simulations illustrate the feasibility of the new spacecraft computing 
development process. 
The simulations described in this section involve a combined hardware and software 
computing architecture. In the next section, the performance of the combined architecture is 
evaluated against a software-dedicated computing architecture. 
5.7 Hardware versus S o w a r e  Evaluation 
This section describes the evaluation of two computing architectures. The first architecture 
involves a combination of dedicated hardware synthesized on an FPGA and software 
executed on a microprocessor. The Landsat 7 Backup ACS computing system described in 
this chapter is based on this architecture. The SpecTRM-RL peripheral is a dedicated 
hardware circuit synthesized on an FPGA and the Octavia C program is software that is 
executed by the embedded PowerPC microprocessor. To evaluate the performance of 
hardware versus software, a software-dedicated version of the Landsat 7 Backup ACS 
computing system is synthesized. C programs are generated with the SpecTRM-RL to C 
autocode generator and Octavia to C autocode generator. These C programs are then 
compiled and uploaded to the same Memec Design FPGA development board and executed 
by the PowerPC. The same closed-loop simulations described in Section 5.6 are performed 
with the software-dedicated computing system to compare the performance of each 
computing architecture. A block diagram of the software-dedicated computing architecture 
and simulation setup is shown in Figure 65. 
IMU Attitude Rates 
CSS Attitude 
Figure 65 shows the architecture for the software-dedicated computing system. Instead of a 
dedicated hardware circuit, the SpecTRM-RL peripheral is replaced with a C program that is 
executed by the PowerPC microprocessor. Both C programs access the BRAM memory to 
retrieve and store data. All other functions and parameters remain the same. 
Figure 66 shows the results from the evaluation of each computing architecture. 
Evaluation Parameter Hardware- Software 
- - 
FSM Evaluation Rate 9.8 Hz 
Software Architecture 
1 Data Throughput 1 31 0 bitslsec 1 300 bitslsec 1 
Figure 66: Evaluation of Hardware versus Software Performance 
Two parameters are measured and compared. The first involves the evaluation rate of the 
SpecTRM-RL FSM. The evaluation rate parameter measures the speed at which logical 
expressions captured in the original SpecTRM-RL specification can be evaluated. With all 
other factors remaining constant, the evaluation rate of the SpecTRM-RL FSM is slightly 
higher in the synthesized VHDL circuit than an equivalent C program executed on the 
embedded PowerPC microprocessor. 
The other parameter measured involves the data throughput of each computing architecture. 
The data throughput parameter measures the amount of data that each computing system is 
capable of sending out through the serial port during a closed-loop simulation. As expected, 
the data throughput of the combined hardware and software architecture is slightly higher 
than the software-dedicated architecture. With a higher evaluation rate, the VHDL circuit is 
capable of producing more output data, resulting in a higher data throughput. 
The performance evaluation described in this section is a rough comparison of two competing 
architectures. The evaluation is highly dependent on the parameters of the computing 
platform used during the evaluation. In particular, the performance of the software 
architecture is highly dependent on the speed of the microprocessor used. It can be argued 
that the performance of the software-dedicated architecture will exceed the performance of 
the combined hardware and software architecture given a faster microprocessor. However, 
microprocessor performance decreases as the complexity of software increases. The 
microprocessor can only perform one operation at a time, while a synthesized hardware 
circuit can perform as many operations as required simultaneously. As more complex 
features are introduced on spacecraft, the performance of hardware-based computing systems 
may become a necessary feature in future spacecraft computing systems. 
5.8 Chapter Summary 
This chapter described the synthesis process used to create the Landsat 7 Backup ACS 
computing system. The Landsat 7 spacecraft has a Primary and Backup ACS. The Landsat 7 
Backup ACS computing system is used to perform attitude control tasks in the event that the 
spacecraft enters Safe-Hold Mode. Using original specification documents from the Landsat 7 
spacecraft, the specifications of the Backup ACS are captured in a SpecTRM-RL specification 
and an Octavia specification. FDIR procedures are captured in a SpecTRM-RL specification, 
while the control law algorithm is captured in an Octavia specification. Each specification is 
then analyzed using built-in analyses tools provided in each toolset. Following, each 
specification is converted into an equivalent VHDL description or C program using the 
autocode generators developed in this thesis. 
The autocode generated VHDL description and C program are then synthesized on a Memec 
Design FPGA development board featuring a Xilinx Virtex I1 Pro FPGA and a PowerPC 
microprocessor core. To validate the synthesized FPGA computing system, closed-loop 
simulations are performed with a Landsat 7 spacecraft simulation program running on a 
desktop computer. 
Results from the simulations helps to verify the methodologies and toolsets developed in this 
thesis. The successful synthesis of a computing system for the Landsat 7 spacecraft 
demonstrates the feasibility of the new spacecraft computing development process developed 
in this thesis. In the next and final chapter, the contributions of the thesis are summarized 
followed by a brief discussion of future work. 
Chapter 6 
Conclusions 
Spacecraft software is one-of-a-kind. The current development process requires a dedicated 
group of software engineers to specify, design, and develop software for a spacecraft 
computer. Spacecraft subsystem engineers must interact with software engineers in order to 
implement requirements that involve computer processing. If the role of software engineers 
can be reduced from the current development process, there is potential to lower the cost 
related to the development of spacecraft computing systems. More importantly, the number 
of potential errors related to manual translations of specifications can be reduced or 
eliminated through the introduction of automated conversion tools. 
This thesis described a new spacecraft computing development process that has the potential 
to reduce the program cost related to software engineering. The new process relies on a pair 
of high-level specification languages and FPGA technology to provide subsystem engineers 
with the ability to interface directly with spacecraft hardware engineers to create unique 
computing devices. 
This final chapter is divided into three sections. Section 6.1 provides a summary of the 
methodologies and toolsets developed in this thesis. Section 6.2 discusses the contributions 
made in the thesis. Finally, Section 3.3 discusses some future work. 
Thesis Summary 
Chapter 2 provided a review of the state-of-the-art in spacecraft hardware and software 
development. A review of common spacecraft hardware devices such as memories, 
microprocessors, and FPGAs was provided. Chapter 2 also provided a survey of software and co- 
design methodologies that can generate hardware and software using high-level specifications and 
autocode generators. 
Chapter 3 described the development of high-level specifications specifically designed for 
spacecraft processing requirements. Chapter 3 provided a description of the two high-level 
specification languages used in the thesis: SpecTRM-RL and Octavia. The development of 
accompanying toolsets for each high-level specification languages was also described. SpecTRM- 
RL and Octavia provide spacecraft engineers with the ability to capture all processing specifications 
of a typical spacecraft. SpecTRM-RL is used to capture control-oriented specifications like fault 
detection isolation and recovery (FDIR) procedures. SpecTRM-RL is based on a formal finite state 
machine (FSM) language. The language is specifically designed to be readable and to facilitate the 
human review process. The SpecTRM toolset provides a powerful interface to capture and analyze 
SpecTRM-RL specifications. The SpecTRM toolset has a user-friendly interface and provides 
several built-in tools to analyze the behavior of the captured specification. These tools provide a 
powerful new method to detect errors that are not available in the traditional spacecraft 
specification process. 
Chapter 3 also described Octavia, a new specification language and toolset developed to capture 
spacecraft data-oriented specifications like control law algorithms. Octavia uses an underlying 
mathematical programming language called Octave. Octavia extends Octave by providing a block 
diagram interface. Octavia provides spacecraft engineers with the ability to design complex 
algorithms that are readable and easy to review. Using the built-in simulation tools, engineers can 
also observe and visualize the behavior of their data-oriented specifications. 
Chapter 4 described the autocode generators used to convert high-level specifications into 
equivalent hardware and software components. Three autocode generators were developed for 
this thesis. The SpecTRM-RL to VHDL autocode generator converts a SpecTRM-RL specification 
into an equivalent hardware description in VHDL. The autocode generator extracts information 
from the underlying FSM of each SpecTRM-RL element and produces an equivalent behavioral 
statement or subprogram in VHDL. Examples from each element were used to illustrate the 
conversion process. 
The second autocode generator converts an Octavia specification into an equivalent C program. 
Each block in the Octavia block-diagram specification is converted into equivalent functions and 
variable in C. 
The third autocode generator converts a SpecTRM-RL specification into an equivalent C program. 
The SpecTRM-RL to C autocode generator was developed to evaluate the performance of a 
software-dedicated computing architecture versus a combined hardware and software computing 
architecture. The autocode generator converts each SpecTRM-RL element into equivalent 
functions and variables in C. 
Finally, Chapter 5 described the synthesis process used to generate an FPGA-based computing 
system. The Landsat 7 Backup ACS is used to illustrate the feasibility of the new computing 
development process. Using original specification documents from the Landsat 7 spacecraft, the 
specifications related to the Backup ACS are captured in a SpecTRM-RL specification and an 
Octavia specification. FDIR procedures are captured in a SpecTRM-RL specification, while the 
control law algorithm is captured in an Octavia specification. Each specification is then analyzed 
using built-in analyses tools provided in each toolset. Following, each specification is converted 
into an equivalent VHDL description or C program using the autocode generators developed. 
The autocode generated VHDL description and C program are synthesized on an FPGA 
development board that features a Xilinx FPGA and a PowerPC microprocessor. Closed-loop 
simulations with a Landsat 7 spacecraft simulation program are performed to validate the 
synthesized FPGA computing system. 
Contributions 
This thesis provided several contributions to the development of spacecraft computing systems. A 
new high-level specification language and toolset called Octavia was introduced. Octavia is 
combined with the SpecTRM-RL specification language to form a new unified and formal 
methodology to capture and analyze spacecraft processing requirements. Both high-level 
specification languages are specifically designed for typical spacecraft processing requirements. 
Each language has been designed with features that allow engineers to better manage complexity. 
These features include visualizations, information encapsulation, and formal structure and 
semantics that allow powerful and automatic analyses. These features provide an improvement 
over the traditional process, which primarily involve manually composed specification documents. 
Methodologies and toolsets were also introduced in this thesis that provide spacecraft subsystem 
engineers with the ability to interact through a common interface. The high-level specification 
languages introduced are designed to be readable and reviewable. The formal logic for each 
specification language are abstracted with easy to read semantics or visualizations. These features 
allow engineers from different backgrounds to read and understand high-level specifications 
written by other subsystem engineers. Additionally, the toolsets developed in this thesis allow 
engineers to combine their specifications and perform simulations of the entire spacecraft. These 
simulations provide further opportunities for interaction by providing a new tool and interface for 
communication between various domain experts. 
This thesis also introduced three autocode generators. The SpecTRM-RL to VHDL and SpecTRM- 
RL to C autocode generators converts a SpecTRM-RL specification into an equivalent VHDL 
description and C program respectively. The Octavia to C autocode generator converts an Octavia 
specification into an equivalent C program. These autocode generators provide spacecraft 
engineers with the ability to convert high-level specifications into intermediate hardware and 
software components. These intermediate components can then be handed over to spacecraft 
hardware engineers for synthesis on an FPGA. 
This thesis also illustrated the feasibility of using FPGAs to carry out typical spacecraft 
requirements. The methodologies and toolsets introduced in this thesis were applied to the 
Landsat 7 Backup ACS. High-level specifications were generated to capture FDIR procedures and 
the control law algorithm of the Landsat 7 Backup ACS. The autocode generators introduced in 
this thesis were then used to convert the high-level specifications into VHDL and C source code. 
These intermediate components were then used to synthesize a prototype FPGA computing system. 
The methodologies and toolsets introduced in this thesis provide spacecraft subsystem engineers 
with the potential to carry out typical processing requirements with FPGAs. FPGA computing 
systems can be developed to off-load certain tasks intended for the primary computers. The 
Landsat 7 Backup ACS FPGA computing system developed in this thesis illustrate the feasibility of 
off-loading the processing of FDIR procedures and control law algorithm to a dedicated FPGA 
device. 
167 
- -- -. ... - - - -  . - . .. . - -- 
6.3 Future Work 
The methodologies and toolsets developed in this thesis are designed to illustrate the feasibility of 
introducing high-level specifications, autocode generators, and FPGAs into the spacecraft 
computing development process. High-level specifications and autocode generators have the 
potential to greatly increase the efficiency of the current development process while improving the 
ability to detect errors, while FPGAs allow the development of custom computing systems. The 
methodologies and toolsets developed in this thesis are intended to illustrate the feasibility and 
utility of introducing these advanced development methodologies. However, more work is needed 
before they can be applied to a real spacecraft computing system. 
The toolsets developed in this thesis are designed as research tools. In order to use these toolsets 
on a real spacecraft system, the toolsets must be redeveloped following a standard certification 
process such as the DO-178B standard. Although certification does not guarantee that all errors 
can be found and removed from the toolset, it does guarantee a higher level of scrutinization and 
verification. 
A more comprehensive verification effort is required to fully verify the simulation tools and 
autocode generators developed in this thesis. The verification methods used on these tools are 
designed only to show input output equivalence. A more comprehensive verification effort is 
required to show that the simulation tools and autocode generators produce functionally 
equivalent components. For example, timing information such as data latency and task completion 
deadlines should be verified. 
The autocode generated VHDL and C programs developed in this thesis are used to illustrate the 
feasibility of using FPGA computing systems to process spacecraft requirements. The co-design 
methodologies surveyed in Chapter 2 provide some future directions to improve the capabilities of 
the methodology described in this thesis. These capabilities include more advanced semantics to 
specify the interface of hardware and software components, methods to explore different 
hardware software partitioning schemes, hardware and software resource estimation tools, and 
improved verification tools. The introduction of these capabilities will allow the design and 
generation of higher performance FPGA computing systems for spacecraft. These capabilities will 
provide spacecraft engineers with a more comprehensive set of tools to optimize the computing 
system design. A tool to allow the exploration of different hardware software partitioning scheme 
can be added to the current methodologies and toolsets. Similarly, a resource estimation tools can 
also be added to the toolset to allow engineers to better select an appropriate target computing 
architecture. Finally, more advanced formal verification tools can be added to the methodologies. 
Alternatively, the high-level specification languages and toolsets can be linked with existing formal 
verification tools. These verification tools can be used to provide verification of timing constraints 
and other functional verification of the system design not already provided in the current toolsets. 
Bibliography 
[GAJOO] 
D. N. Baker, J. H. Allen, S. G. Kanekal, and G. D. Reeves, "Pager Satellite Failure", 
www.agu.org/sci~soc/articles/eisbaker.html, American Geophysical Union, 1998. 
G. Berry, "The Foundations of Esterel", MIT Press, 1999. 
J. Bergeron, E. Cerny, A. Hunter, A. Nightingale, Verification Methodology Manual 
for SystemVerilog, Springer, 2005. 
D. Briere, and P. Traverse, "Airbus A320/A330/A340 Electrical Flight Controls", 
IEEE, 1993. 
Stephen Butterworth, "On the Theory of Filter Amplifiers", Wireless Engineer, Vol 
7, 1930. 
David Chandler, "Mars rover recovering from memory problems", New Scientist, 
2004. 
J. D'Anjou, S. Fairbrother, D Kehn, J. Kellerrnen, P. McCarthy, Java Developer's 
Guide to Eclipse, Addison-Wesley Professional, 2004. 
W. Dellinger, M. Salada, H. Shapiro, "Application of Matlab/Simulink to Guidance 
and Control Flight-Code Design", AAS 99-062, 1999. 
Department of Energy, "Safety Software Quality Assurance Functional Area 
Qualification Standard", US Department of Emergy, 2003. 
Nicolas Dulac, Thomas Viguier, Nancy Leveson, and Margaret-Anne Storey, "On 
the Use of Visualization in Formal Requirements Specification", Int. Conference on 
Requirements Engineering, 2002. 
John W. Eaton, "Octave User Manual", www.octave.org, Octave, 1997. 
S.A. Edwards, "High-Level Synthesis from the Synchronous Language Esterel", 
MDC Conference, 2004. 
E.E. Euler, S.D. Jolly, and H.H. Curtis, "The Failure of Mars Climate Orbiter and 
Mars Polar Lander", Guidance & Control, American Astronautical Society, 2001. 
D. Gajski, J. Zhu, R. Domer, A. Gerstlauer, S. Zhao, SpecC: Specification Language 
and Methodology, Kluwer Academic Publishers, 2000. 
W. Gibbons, and H. Ames, "Use of FPGAs in Critical Space Flight Applications - A 
Hard Lesson", MAPLD, 1999. 
Rajesh Gupta, Co-Synthesis of Hardware and Software for Digital Embedded 
Systems, Kluwer Academic Publishers, 1995. 
[ a 9 6 1  Eldon C. Hall, Journey to the Moon: The History of the Apollo Guidance Computer, 
AIAA, 1996. 
[LEE041 
[LEVOO] 
D. Harel, "Statecharts: A Visual Formalism for Complex Systems", Sci. Comput. 
Prog. Vol. 8, pp. 231-274, 1987. 
C.A.R. Hoare, "Communicating Sequential Processes", ACM, 1978. 
Yerang Hur and Insup Lee, "Distributed Simulation of Multi-Agent Hybrid 
Systems", IEEE ISORC, 2002. 
C. Hylands, E. Lee, et. al., "Overview of the Ptolemy Project", UC Berkeley 
Technical Memorandum, 2003. 
IEEE, "IEEE-754 Floating Point Standard", IEEE, 1985. 
D. Jansen, Editor, The Electronic Design Automation Handbook, Kluwer Academic 
Publishers, 2003. 
R. Katz et. al., "EDAC and Dynamic Faults", klabs.org, 2006. 
R. Katz, R. Barto, and K. Erickson, "Logic Design Pathology and Space Flight 
Electronics", MAPLD, 1999. 
S. Kumar, J. Aylor, B. Johnson, and Wm. Wulf, The Codesign of Embedded Systems, 
Kluwer Academic Publishers, 1996. 
Kenneth A. LaBel, "Programmable Logic in the Space Radiation Environment", 
MAPLD, 2002. 
S.C. Lee, "NEAR Rendezvous Burn Anomaly of 1998", MAPLD, 2004. 
Nancy Leveson, "Intent Specifications: An Approach to Building Human-Centered 
Specification", IEEE Transactions on Software Engineering, Jan., 2000. 
Nancy Leveson, Safeware, Addison Wesley, 1995. 
N. Leveson, L. Pinnel, S Sandys, S. Koga, J.D. Reese, "Analyzing Software 
Specifications for Mode Confusion Potential", Workshop on Human Error and 
System Development, 1997. 
Nancy G. Leveson, J.D. Reese, and Matt Heimdahl, "SpecTRM: A CAD System for 
Digital Automation", IEEE, 1998. 
N. Leveson, M. Heimdahl, and J. Reese, "Designing Specification Languages for 
Process Control Systems", SIGSOFT Foundations of Software Engineering, 
September, 1999. 
Tariq Malik, "Thinking on Mars", Space.com, 1994. 
D.C. Mayer, and R.C. Lacoe, "Designing Integrated Circuits to Withstand Space 
Radiation", Crosslink, Summer, 2003. 
Department of Defense, "MIL-STD-498", www.pogner.demon.co.uk/mi1_498/, US 
Department of Defense, 1997. 
Martin Marietta, "Land Sat 7 ACS CDR Package", Martin Marietta, 1995. 
Martin Marietta, "Land Sat 7 FDAC CDR Package", Martin Marietta, 1995. 
Martin Marietta, "Land Sat 7 Software CDR Package", Martin Marietta, 1995. 
W. Muller, W. Rosenstiel, and J. Ruf, SystemC Methodologies and Applications, 
Kluwer Academic Publishers, 2003. 
NASA, "Standard for Software Assurance", NASA, 2005. 
National Instruments, "Serial Communication Overview", http://zone.ni.com/, 
2006. 
Sundar Rajan, Essential VHDL, Sundar Rajan and Gennis Lafayette, 1998. 
Dennis M. Ritchie, "The Development of the C Language", ACM, 1993. 
RTCA, "Software Considerations in Airborne Systems and Equipment 
Certification", RTCA, 1999. 
P. Sabelhaus, "LandSat 7 Software Requirements", Lockheed-Martin Missiles and 
Space, 1995. 
Safeware Engineering Corporation, "SpecTRM User Manual", Safeware, 2003. 
J. Scarpulla, and A. Yarbrough, "What Could Go Wrong, The Effects of Ionizing 
Radiation of Space Electronics", Crosslink, Summer, 2003. 
Alfred Spector and David Gifford, "The Space Shuttle Primary Computer System", 
ACM, 1984. 
J. Staunstrup and W. Wold (Eds), Hardware/Software Codesign, Principles and 
Practices, Kluwer Academic Publishers, 1997. 
James Tomayko, Computers in Spaceflight: The NASA Experience, NASA, 1988. 
D.K. Ward, S. Andrews, D.C. McComas, and J.R. O'Donnell, "Use of the MatrixX 
Integrated Toolkit on the MAP Control System", AAS 99-063, 1999. 
J.R. Wertz and W.J. Larson (Ed), Space Mission Analysis and Design, Microcosm 
Press and Kluwer Academic Publishers, 2003. 
Wikpedia, "State space (controls)", en.wikpedia.org/wiki/State~space~(controls), 
Wikpedia, 2006. 
Thomas Williams and Colin Kelley, "GNU Plot User Manual Ver. 4.OU, Available at 
www.gnuplot.info, 2004. 
Xilinx Corporation, 'Virtext I1 Pro Data Sheet", Xilinx Corporation, 2005. 
Xilinx Corporation, "OPB UART Lite (vl.OOb)", Xilinx Corporation, 2005. 
Xilinx Corporation, "Processor Local Bus (PLB) v3.4", Xilinx Corporation, 2005. 
M. Zimmerman, K. Lundqvist, and N. Leveson, "Investigating the Readability of 
State-Based Formal Specification Languages", International Conference on 
Software Engineering, 2002. 

Appendix A - Landsat 7 SpecTRM-RL Specification 

Landsat 7 Backup ACS 
Level 3: Blackbox Behavior 
System Blackbox Behavior 
Landsat 7 Backup ACS 
Outputs 
ÿÿ is play Output 1 
IMU Attitude Rate A Octavia 
Destination: Octavia 
Fields: 
Name: Attitude Rate 
Type: Real 
Acceptable Values: [-15.. 151 
Units: Degrees/Second 
Granularity: 1 Degrees /Second 
Hazardous Values: None 
Exception-Handling: None 
Description: Used by Octavia Control Law 
Comments: Triggered when IMU Channel i s  A 
References: IMU Attitude Rate P, IMU Channel 
TRIGGERING CONDITION 
IMU Attitude Rate A is 
- - - - - -- 
IMU channel in state A 
MESSAGE CONTENTS /- ----- 
F~eld Value I 
l ~ t t i t u d e    ate/ IMU Attitude Rate 
1 ~ i s ~ l a ~  Output 0 
IMU Attitude Rate B Octavia 
Destination: Octavia 
Fields: 
Name: Attitude Rate 
Type: Real 
Acceptable Values: [- 15 .. 151 
Units: DegreesISecond 
Granularity: 1 Degrees /Second 
Hazardous Values: None 
Exception-Handling: None 
Description: Used by Octavia Control Law 
Comments: Triggered when IMU Channel is B 
References: IMU Attitude Rate E, IMU Channel 
TRIGGERING CONDITION 
IMU Attitude Rate B is 
-- . - -- --- - - -- -- - 
IMU Channel in  state B 
MESSAGE CONTENTS 
I Field: /value: I 
l ~ t t i t u d e    at el IMU Attitude Rate B 
1   is play Output 1 
CSS Attitude A Octavia 
Destination: Octavia 
Fields: 
Name: Attitude 
Type: Real 
Acceptable Values: [0..360] 
Units: Degrees 
Granularity: 1 Degrees 
Hazardous Values: 
Exception-Handling: None 
Description: Used by Octavia Control Law 
Comments: Triggerered if input is not obsolete 
References: CSS Attitude A 
TRIGGERING CONDITION 
I C S S  - - - Attitude - - A is - ~ b s o l e t d  
MESSAGE CONTENTS 
-- - . -- I ~ i e l d :  [value: 
l ~ t t i t u d e  css Attitude A I  
l ~ i s p l a y  Output I 
CSS Attitude B Octavia 
Destination: Octavia 
Fields: 
Name: Attitude 
Type: Real 
Acceptable Values: [O. .360] 
Units: Degrees 
Granularity: 1 Degrees 
Hazardous Values: 
Exception-Handling: None 
Description: Used by Octavia Control Law 
Comments: Triggered when input is not obsolete 
References: CSS Attitude B 
TRIGGERING CONDITION 
~ S S  - - Attitude - -- . B - -- is 0bsolet{ 
MESSAGE CONTENTS 
I~tt i tudeI  CSS Attitude BI 
 isp play Output I 
IMU Attitude Rate A Compare Octavia 
Destination: Octavia 
Fields: 
Name: Attitude Rate 
Type: Real 
Acceptable Values: [-360..360] 
Units: Degrees/Second 
Granularity: 1 DegreeslSecond 
Hazardous Values: None 
Exception-Handling: None 
Description: Used to compare IMU measurements from different channels. 
Comments: Triggered when input not obsolete 
References: IMU Attitude Rate A 
TRIGGERING CONDITION 
~ I M U  Attitude . Rate A i s  obsolete A
MESSAGE CONTENTS 
- -- 
Field: 
Attitude Rate 
- - . 
Value: 
IMU Attitude Rate A 
IMU Attitude Rate B Compare Octavia 
- 
Destination: Octavia 
Fields: 
Name: Attitude Rate 
Type: Real 
Acceptable Values: [-360..360] 
Units: Degrees/Second 
Granularity: 1 Degrees/Second 
Hazardous Values: None 
Exception-Handling: None 
Description: Used to compare IMU measurements from different channels. 
Comments: Triggered when input not obsolete 
References: IMU Attitude Rate B 
TRIGGERING CONDITION 
Display Output 1 
 MU Attitude Rate -- - B - -. i s  -.~bso le te  -- . - ----. 
MESSAGE CONTENTS 
1 ~ t t i t u d e   ate IMU Attitude Rate B 
1 ~ i s ~ l a ~  Output 0 
Reference Attitude Octavia 
Destination: Octavia 
Fields: 
Name: Attitude 
Type: Real 
Acceptable Values: [0..360] 
Units: Degrees 
Granularity: 0.1 Degree 
Hazardous Values: 
Exception-Handling: None 
Description: Used by Octavia Control Law 
Comments: Outputs the commanded attitude 
References: Commanded Attitude 
TRIGGERING CON DlTlON 
/commanded . - - - - Attitude - --- is obsolete - - - -  
MESSAGE CONTENTS 
- - - --- -- 
l ~ i e l d :  [value: 1 
l ~ t t i t u d e l  commanded Attitude 
~1  isp play Output 1 
RWA Attitude Command 
Destination: RWA 
Fields: 
Name: Attitude 
Type: Real 
Acceptable Values: Any 
Units: degrees 
Granularity: 0.1 degrees 
Hazardous Values: None 
Exception-Handling: None 
Description: Attitude command for RWA 
Comments: Triggered when RWA Health is good 
References: R!dA Health, Octavia Attitude 
TRIGGERING CONDITION 
MESSAGE CONTENTS 
1 field: I ~ a l u e :  I 
~ i s ~ l a ~  Output 0 
MTR A Attitude Command 
Destination: MTR A 
Fields: 
Name: Attitude 
Type: Real 
Acceptable Values: Any 
Units: degrees 
Granularity: 0.1 degrees 
Hazardous Values: None 
Exception-Handling: None 
Description: Attitude command for MTR A 
Comments: Triggered when RWA health is bad and MTR Channel is A 
References: R W A h ,  MTR Channe , Octavia Attitude 
TRIGGERING CONDITION 011 
Octavia Attitude is Obsolete 
MESSAGE CONTENTS 
G j ~ i s ~ l a ~  Output I 
MTR B Attitude Command 
Destination: MTR B 
Fields: 
Name: Attitude 
Type: Real 
Acceptable Values: Any 
Units: degrees 
Granularity: 0.1 degrees 
Hazardous Values: None 
Exception-Handling: None 
Description: Attitude command for MTR B 
Comments: Triggered when RWA health is bad and MTR channel is B 
References: RWA, MTR Channe, Octavia Attitude 
TRIGGERING CON DlTlON 
c j  1 
Octavia Attitude is Obsolete 
MESSAGE CONTENTS 
/ ~t t i tudel  Octavia ~tt i tudel  
Modes 
C I ~ o n t r o l  Mode 
ACS Mode 
Description: Element used to model health of ACS 
Comment: Primary, Backup, or Failed 
References: IMU Health, CSS Health, RWA Health, MTR Health 
Appears In: None 
DEFINITION 
= Primary 
System Start 
IMU Health in state Bad 
CSS Health in state Bad 
RWA Health in state 
= Backup 
= Failed 
IMU Health in state Bad 
CSS Health in state Bad 
States 
- 1  state Value 1 1  
IMU Channel 
Obsolescence: Unknown 
Exception-Handling: None 
Related Inputs: IMU Attitude Rate A, IMU Attitude Rate B 
Description: Inferred IMU Channel 
Comments: A, B, or None 
References : iMtfAttitudeRaEA4hs~!~_ta&sf( . . . 
Appears In: iMJ&&h 
DEFINITION 
= Unknown 
IMU Attitude Rate A Obsolete Passed 
IMU Attitude Rate B Obsolete Passed 
System Start 
IMU Attitude Rate A Limit Passed 
IMU Attitude Rate A Static Passed 
IMU Attitude Rate Compare Passed 
IMU Attitude Rate B Limit Passed 
IMU Attitude Rate B Obsolete Passed 
IMU Attitude Rate B Static Passed 
= None 
System Start 
IMU Attitude Rate A Obsolete Passed 
1 IMU Attitude Rate B Obsolete Passed / 
IMU Attitude Rate A Limit Passed 
IMU Attitude Rate A Static Passed 
1 IMU Attitude Rate Compare Passed / 
1 IMU Attitude Rate B Limit Passed / 
k~ Attitude Rate B Static Passed 
S state Value 1 1  
IMU Health 
Obsolescence: Unknown 
Exception-Handling: None 
Related In puts : 1M.U .... Ast.i.s..ude ..... R.ate.1, 1M.U ... Attiluck RaS.egggB 
Description: Infers health of IMU 
Comments: Unknown, Good, Bad 
References: I.MU Chann.e.1 
Appears In: ACSMode 
DEFINITION 
= Unknown 
System Start 
IMU Channel in state Unknown 
= Good 
= Bad 
System Start 
IMU Channel in state None 
state Value 
CSS Health 
Obsolescence: Unknown 
Exception-Handling: None 
Related Inputs: CSS Attitude A, CSS Attitude E, Octavia CSS. Attitude Difference 
Description: Infer health of CSS 
Comments: Unknown, Good, Bad 
References: Q a a i a  CSS A U ~ P  Differenct, CSS Attitude Compare Passed 
Appears In: ACSNode 
DEFINITION 
= Unknown 
System Start 
Octavia CSS Attitude Difference was Never 
= Good 
System Start 
CSS Attitude Compare Passed 
= Bad 
System Start 
CSS Attitude Compare Passed 
'state Value I 
RWA Health 
Obsolescence: Unknown 
Exception-Handling: None 
Related Inputs: RWA Temperaturt, RWA Speed 
Description: Infer health of RWA 
Comments: Unknown, Good, Bad 
References: RWA Speed*-=Pass-ec, RWATemnrature Ob~I~a-J~assed 
RWASpeedLimit Passec, RWA Temperature Limit Passed 
Appears In: ACS Mode 
DEFINITION 
= Unknown 
System Start 
RWA Speed Obsolete Passed 
I RWA Temperature Obsolete Passed 
= Good 
1 System Start 1 
/ RWA S~eed Obsolete Passed ~ 
RWA Temperature Obsolete passed 
RWA Speed Limit Passed i 
/ RWA ~emperature Limit Passed ! 
= Bad 
1 System Start ~ 
I RWA Speed Obsolete Passed ~ 
RWA Temperature Obsolete Passed 
RWA Speed Limit Passed 
I RWA Temperature Limit Passed 

/state Value 1 1  
MTR Health 
Obsolescence: Unknown 
Exception-Handling: None 
Related Inputs: MTR A Curren., MTR B Current 
Description: Inferred health of MTR 
Comments: Unknown, Good, Bad 
References: MTR.JJxamel 
Appears In: ACS Mode 
DEFINITION 
= Unknown 
System Start 
MTR Channel in state Unknown ! !%I 
= Good 
System Start 
MTR Channel in state A 
MTR Channel in state B 1
= Bad 
System Start 
MTR Channel in state None 
Macros 
IMU Attitude Rate A Limit Passed 
Description: Corresponds to IMU Limit Check 
Comments: Compares the IMU measurement against the maximum expected limit. 
References: ].MY.-A.tti.t.u.d.e ..... R.ate ...A 
Appears In: JMU Channel 
DEFINITION 
'Absolute Value(lMU Attitude Rate A) < 1 5  
1 Absolute Value(lMU Attitude Rate A 2 Transitions Ago < 1 5  
,Absolute Value(lMU Attitude Rate A 3 Transitions Ago) < 
'Absolute Value(lMU Attitude Rate A 4 Transitions Ago) < 
Absolute Value(lMU Attitude Rate A 5 Transitions Ago) < 
IMU Attitude Rate B Limit Passed 
Description: Corresponds to IMU Limit Check 
Comments: Compares the IMU measurement against the maximum expected limit. 
References: lM.!l.Ahtit.ude.~e-l3 
Appears In: IMU Channel 
DEFINITION 
Absolute Value(lMU Attitude Rate B) < 1 5  
Absolute Value(lMU Attitude Rate B 2 Transitions Ag) < 1 5  
Macro 11 
IMU Attitude Rate A Obsolete Passed 
Description: Corresponds t o  IMU Obsolete Check 
Comments: Checks obsolescence o f  IMU measurements 
References: IMU Attitude Rate A 
Appears In: IMU Channel 
DEFINITION 
IMU Attitude Rate B Obsolete Passed 
Description: Corresponds t o  IMU Obsolete Check 
Comments: Checks obsolescence of  IMU measurements 
References: IMU-Attitude Rate B 
Appears In: I M U I  
DEFINITION 
1 IMU Attitude Rate B is Obsolete 1 
/IMU Attitude Rate B 2 Transitions As0 is obsolete1 
llMU Attitude Rate B 3 Transitions Aao is obsolete1 
IMU Attitude Rate B 4 Transitions Ago is Obsolete 
IMU Attitude Rate B 5 Transitions Aqo is Obsolete 
Macro 1 
IMU Attitude Rate A Static Passed 
Description: Corresponds to IMU Static Check 
Comments: Checks IMU measurements for static failure mode 
References: IMU Attitude Rate A 
Appears In: IMU Channel 
DEFINITION 
IMU Attitude Rate A = IMU Attitude Rate A 2 Transitions Ago 
IMU Attitude Rate A = IMU Attitude Rate A 3 Transitions Ago 
IMU Attitude Rate A = IMU Attitude Rate A 4 Transitions Ago 
IMU Attitude Rate A = IMU Attitude Rate A 5 Transitions Ago 
IMU Attitude Rate B Static Passed 
Description: Corresponds t o  IMU Static Check 
Comments: Checks IMU measurements for static failure mode 
References: JMl Attitude Rate B 
Appears In: 
DEFINITION 
IMU Attitude Rate B = IMU Attitude Rate B 2 Transitions 
IMU Attitude Rate B = IMU Attitude Rate B 3 Transitions 
IMU Attitude Rate B = IMU Attitude Rate B 4 Transitions 
IMU Attitude Rate B = IMU Attitude Rate B 5 Transitions Ago 
IMU Attitude Rate Compare Passed 
Description: Corresponds to  IMU Comparison Check 
Comments: Compares measurements from each channel of  IMU to  expected maximum 
References: Octavia IMU Attitude Rate Difference 
Appears In: IMU Channel 
DEFINITION 
Absolute Value(0ctavia IMU Attitude Rate Difference) < 2 
Absolute Value(0ctavia IMU Attitude Rate Differencl 2 Transitions Ago) < 
Absolute Value(0ctavia IMU Attitude Rate Differencl 3 Transitions Ago) < 
Absolute Value(0ctavia IMU Attitude Rate Differencl4 Transitions Ago) < 
l ~ b s o l u t e  Value(0ctavia IMU Attitude Rate Differencl 5 Transitions Ago) < 2 [Ij 
CSS Attitude Compare Passed 
Description: Corresponds to CSS Comparison Check 
Comments: Compares measurements from each channel of CSS to maximum expected limit. 
References: Qctav.ia CSS Attitude Difference 
Appears In: CSHeakh  
DEFINITION 
[~bsolute Value(0ctavia CSS Attitude Difference) < 2 
I Macro I 
RWA Speed Obsolete Passed 
Description: Corresponds to RWA Speed Obsolete Check 
Comments: Checks obsolescence of RWA measurements 
References : RWA-Sped 
Appears In: B W m  
DEFlN ITION 
RWA Speed Limit Passed 
Description: Corresponds to RWA Speed Limit Check 
Comments: Checks RWA measurements against expected maximum. 
References: RWA Speed 
Appears In: RWA Health 
DEFINITION 
1 RWA Speed < 1169915904 I 
RWA Speed 2 Transitions Ago <1169915904 
RWA Speed 3 Transitions Ago < 1169915904 
RWA Speed 4 Transitions Ago < 1169915904 
RWA Speed 5 Transitions Ago < 1169915904 
RWA Temperature Obsolete Passed 
Description: Corresponds to RWA Temperature Obsolete Check 
Comments: Checks obsotescence of RWA measurements 
References: RWA Temperature 
Appears In: RWA Health 
DEFINITION 
RWA Temperature Limit Passed 
Description: Corresponds to RWA Temperature Limit Check 
Comments: Check RWA measurements against maximum expected iimt 
References: RWA Temperature 
Appears In: RWA Health 
DEFINITION 
/ RWA Tem~erature < 6000 I 
RWA Temperature 2 Transitions Ago < 6000 
I 
RWA Temperature 3 Transitions Ago < 6000 
I 
RWA Temperature 4 Transitions Ago < 6000 
1 
RWA Tem~erature 5 Transitions Aqo < 6000 
MTR A Current Obsolete Passed 
Description: Corresponds to MTR Obsolete Check 
Comments: Checks obsolescence of MTR measurements 
References: MTR ... A..-C..u.r-mt 
Appears In: MlXChx& 
DEFINITION 
I Macro 1 1 .  
MTR B Current Obsolete Passed 
Description: Corresponds to MTR Obsolete Check 
Comments: Checks obsolescence of MTR measurements 
References: MTR B-Current 
Appears In: MTR Channel 
DEFINITION 
IMTR B Current is Obsolete 1 
MTR B Current 2 Transitions Ago i s  Obsolete 
MTR B Current 3 Transitions Ago i s  Obsolete 
MTR B Current 4 Transitions Aqo i s  Obsolete 
IMTR B Current 5 Transitions Aao i s  obsolete1 
MTR A Current Limit Passed 
Description: Corresponds to MTR Limit Check 
Comments: Compares MTR measurements to maximum expected limit 
References: MTR A Current 
Appears In: MTR Channel 
DEFINITION 
MTR A Current < 100 
M T R  A current 2 Transitions Ago < 10; 
M T R  A current 3 Transitions Ago < 100 
MTR A Current 4 Transitions Ago < 106 [ 
I MTR A Current 5 Transitions Ago < 100 jll 
MTR B Current Limit Passed 
Description: Corresponds to MTR Limit Check 
Comments: Compares MTR measurements to maximum expected limit 
References: MTR B Current 
Appears In: Ml3Kbmd 
DEFINITION 
MTR B Current < 100 T 
MTR B Current 2 Transitions Ago < 100 
MTR B Current 3 Transitions Ago < 100 
MTR B Current 4 Transitions Ago < 100 
MTR B Current 5 Transitions Ago < 100 ' 1  
Inputs 
Input Value 
IMU Attitude Rate A 
Source: IMU 
Type: Real 
Possible Values (Expected Range): 
Units: degreeslsec 
Granularity: 0.001 degreeslsec 
Exception-Handling: None 
Description: lnput data from IMU Channel A 
Comments: Measures spacecraft attitude rate 
References: None 
Appears In: IMU Attkude-Rate- A Q bsolete Passec, IMU Attitude R a t e 4  Ci rnh Passec, 
IMU Atti-tude Rate- A Static Passec, I MU Attitude-Rate ABctavi;, 
IMU Attitude RAte A Compare Octavia 
DEFINITION 
= New Data for IMU Attitude Rate A 
- - - -- - - - - - - - - - . - - -- - FU Attitude Rate P was Received 1 
= Previous Value o f  IMU Attitude Rate A 
IMU Attitude Rate P was Received 
Time Since IMU Attitude Rate P was Last Received <= 1500 millisecond! 1 
= Obsolete 
System Start 
IMU Attitude Rate P was Never Received 
Time Since IMU Attitude Rate k was Last Received > 1500 milliseconds 
I Input Value 
IMU Attitude Rate B 
-- 
Source: IMU 
Type: Real 
Possible Values (Expected Range): [-15..15] 
Units: degreeslsec 
Granularity: 0.001 degreestsec 
Exception-Handling: None 
Description: lnput data from IMU Channel B 
Comments: Measures spacecraft attitude rate 
References: None 
Appears In: l-MUAtrit~deR~e.B-Oh~~letePass.ec, 1MUAttitude R;rte.BMthsse(, 
1MUAtitude Rate B Static .Pas_sec, lMl l  -Att~td_e. RateBQcravJ;, 
IMIJ Attitude Rate B Compare Octavia 
DEFINITION 
= New Data for IMU Attitude Rate B 
- - - -. . - . . . . - -- - . .- . - . . - -  - . - - - - . . . . - -- 
j IMU Attitude Rate B was Received I El 
= Previous Value o f  IMU AttitudeRate B 
IMU Attitude Rate B was Received 
Time Since IMU Attitude Rate B was Last Received <= 1500 milliseconds ! El
= Obsolete 
System Start 
IMU Attitude Rate B was Never Received 
Time Since IMU Attitude RateB was Last Received > 1500 milliseconds 
Input Value 11 
Octavia IMU At t i tude Rate Difference 
Source: Octavia 
Type: Real 
Possible Values (Expected Range): 
Units: degrees/sec 
Granularity: 0.001 degreeslsec 
Exception-Handling: None 
Description: Measurement difference between IMU Channels 
Comments: Provided by Octavia 
References: None 
Appears In: IMU Attitude Rate Campare Passed 
DEFINITION 
= New Data for Octavia IMU Attitude Rate Difference 
1 octavia IMU Attitude Rate Differenct was Received 1 0  
= Previous Value of  Octavia IMU Attitude Rate Difference 
Octavia IMU Attitude Rate Differenci was Received 
T ime  Since Octavia IMU Attitude Rate Difference was Last Received <= 1500 millisecond! [ 
= Obsolete 
System Start 
Octavia IMU Attitude Rate Differenci was Never Received 
Time Since Octavia IMU Attitude Rate Differencl was Last Received > 1500 milliseconds 
Input Value 11 
CSS Attitude A 
Source: CSS 
Type: Real 
Possible Values (Expected Range): [0..360] 
Units: degrees 
Granularity: 0.1 degrees 
Exception-Handling: None 
Description: lnput data from CSS Channel A 
Comments: Measures spacecraft attitude 
References: None 
Appears In: C.S.S ... Att.i~.u.d.e ... A...O..c.t.avia 
DEFINITION 
= New Data for CSS Attitude A 
1 css Attitude A was Received I rn 
= Previous Value of CSS Attitudc A 
CSS Attitude A was Received 
Time Since CSS Attitude A was Last Received <= 1500 milliseconds 
= Obsolete 
System Start 
CSS Attitude A was Never Received 
Time Since CSS Attitude A was Last Received > 1500 milliseconds 
!Input Value I 
CSS Attitude B 
Source: CSS 
Type: Real 
Possible Values (Expected Range): 
Units: degrees 
Granularity: 0.1 degrees 
Exception-Handling: None 
Description: Input data from CSS Channel B 
Comments: Measures spacecraft attitude 
References: None 
Appears In: CSS Attitude B Octavia 
DEFINITION 
= New Data for CSS Attitude B 
1 css Attitude B was Received 0 
= Previous Value of CSS Attitudt B 
CSS Attitude B was Received 
Time Since CSS Artitudc B was Last Received <= 1500 millisecond! 1 
= Obsolete 
System Start 
CSS Attitude B was Never Received 
Time Since CSS Attitudc B was Last Received > 1500 milliseconds 
i lnput Value I---- 
Octavia CSS Attitude Difference 
Source: Octavia 
Type: Real 
Possible Values (Expected Range): Any 
Units: degrees 
Granularity: 0.001 degrees 
Exception-Handling: None 
Description: Measurement difference between CSS channels 
Comments: Provided by Octavia 
References: None 
Appears In: G-S-..Attit. .d~C.am.~re ..... P.as.s.d 
DEFINITION 
= New Data for  Octavia CSS Attitude Difference 
1 octavia CSS Attitude Difference was Received I El 
= Previous Value o f  Octavia CSS Attitude Difference 
Octavia CSS Attitude Differencc was Received 
Time Since Octavia CSS Attitude Differenct was Last Received c= 1500 milliseconds 
= Obsolete 
System Start 
Octavia CSS Attitude Difference was Never Received 
Time Since Octavia CSS Attitude Differencc was Last Received > 1500 milliseconds 
Input Value 1 1 .  
Commanded Attitude 
Source: Mission Computer 
Type: Real 
Possible Values (Expected Range): 
Units: degrees 
Granularity: 0.1 degrees 
Exception-Handling: None 
Description: Ground control or automated commanded spacecraft attitude 
Comments: Provided by mission computer 
References: None 
Appears In: Reference Attitude Qctavia 
DEFINITION 
= New Data for Commanded Attitude 
[commanded Attitudc was Received 1 El 
= Previous Value of Commanded Attitude 
Commanded Attitudc was Received 
Time Since Commanded Attitudc was Last Received <= 60 
= Obsolete 
System Start 
Commanded Attitudc was Never Received 
Time Since Commanded Attitudc was Last Received > 60 minutes 
Input Value I 
Octavia Attitude 
Source: Octavia 
Type: Real 
Possible Values (Expected Range): Any 
Units: degrees 
Granularity: 0.01 degrees 
Exception-Handling: None 
Description: Octavia calculated attitude command 
Comments: Provided by Octavia 
References: None 
Appears In: .RW.A..At~t.d.~..C.u.m.m.a.n~c, MT.R..AAtrtiu.deCamant, 
M1.R ...B._Atr.&u.d..e ..... C.~m.m.a..nd 
DEFINITION 
= New Data for  Octavia Attitude 
1 ~ c t a v i a  Attitude was Received 1 El 
= Previous Value of Octavia Attitude 
Octavia Attitude was Received 
Time Since Octavia Attitude was Last Received <= 1500 
= Obsolete 
System Start 
Octavia Attitude was Never Received 
Time Since Octavia Attitude was Last Received > 1500 milliseconds 
1 Input Value / 
RWA Speed 
Source: RWA 
Type: Real 
Possible Values (Expected Range): 
Units: RPM 
Granularity: 0.5 RPM 
Exception-Handling: None 
Description: RWA wheel speed 
Comments: RWA wheel speed 
References: None 
Appears In: RVVA SpeixLQbsaletn Passec, RWA Speed Limit Passed 
DEFINITION 
= New Data for RWA Speed 
~ R W A  Speec was Received 1 El 
= Previous Value of RWA Speed 
RWA Speec was Received 
Time Since RWA Speec was Last Received <= 5 seconds ! 1 
= Obsolete 
1 System Start 
RWA Speec was Never Received 
,Time Since RWA Speec was Last Received > 5 seconds 
/input Value I 
RWA Temperature 
Source: RWA 
Type: Real 
Possible Values (Expected Range): 
Units: Degrees C 
Granularity: 0.1 Degree C 
Exception-Handling: None 
Description: RWA wheel temperature 
Comments: RWA wheel temperature 
References: None 
Appears In: RWAIemg~e~&1bl:e4hs~le&Pilsse, B W A T e m p e r a t u r ~ l i m i t P ~  
DEFINITION 
= New Data for RWA Temperature 
[RWA Temperaturc was Received 1 El 
= Previous Value of RWA Temperature 
RWA Temperaturt was Received 
Time Since RWA Temperatur was Last Received <= 5 second! 1 
= Obsolete 
System Start 
RWA Temperaturr was Never Received 
Time Since RWA Temperaturl was Last Received > 5 seconds 
Input  Value i. 
MTR A Current 
Source: MTR A 
Type: Real 
Possible Values (Expected Range): 
Units: Amps 
Granularity: 0.1 Amps 
Exception-Handling: None 
Description: MTR measured current 
Comments: MTR mesaured current 
References: None 
Appears In: MTR A Current Obsolete Passec, MTR-A Current Limit Passed 
DEFINITION 
= New Data for MTR A Current 
I MTR A Current was Received 1 El 
= Previous Value of MTR A Current 
MTR A Currenl was Received 
Time Since MTR A Curren was Last Received <= 5 seconds ! 1 
= Obsolete 
System Start 
MTR A Curren'was Never Received 
l ~ i m e  Since MTR A Curren was Last Received > 5 seconds I 
I L l n p u t  Value 1 
MTR B Current 
Source: MTR B 
Type: Real 
Possible Values (Expected Range): 
Units: Amps 
Granularity: 0.1 Amps 
Exception-Handling: None 
Description: MTR B measured current 
Comments: MTR B measured current 
References: None 
Appears In: MTR ... B--C.urrmt.Q_ku.al.es.e4.as..s.e.!, MTBB. C..u.rre.a..limit_P& 
DEFINITION 
= New Data for MTR B Current 
I MTR B Curren. was Received 
= Previous Value of MTR B Current 
I MTR B Curren. was Received 
- 7 
ITime Since MTR B Curren was Last Received <= 5 seconds 
= Obsolete 
System Start 
MTR B Curren was Never Received 
Time Since MTR B Curren was Last Received > 5 seconds 
Appendix B - Landsat 7 VHDL Description 

-- Name: Landsat7 Backup ACS 
-- Author: Elwin Ong 
-- Date: Wed Mar 29 12:20:03 EST 2006 
-- Description: Auto-generated VHDL File from SpecTRM-RL Model 
-- Declare landsat7 acs package 
package enumerated is 
type imu-channel-enumerated is (unknown, a, b, none); 
type imu-health-enumerated is (unknown, good, bad); 
type css-health-enumerated is (unknown, good, bad) ; 
type rwa-health-enumerated is (unknown, good, bad) ; 
type mtr-channel-enumerated is (unknown, a, b, none) ; 
type mtr-health-enumerated is (unknown, good, bad); 
type acs-mode-enumerated is (primary, backup, failed); 
end enumerated; 
-- Declare libraries and packages 
library IEEE; 
use 1EEE.std-logic-ll64.all; 
use 1EEE.numeri.c-std.al1; 
use 1EEE.std-logic-arith.al1; 
use 1EEE.std-logic-unsigned.al1; 
use work.enumerated.al1; 
-- This is the high-level entity declaration 
entity landsat7-acs is 
generic ( 
imu-attitude-rate-a-addr 
imu-attitude-rateb-addr 
octavia-imu-attitude-rate-difference-addr 
css-attitude-a-addr 
css-att itude-b-addr 
octavia~css~attitude~difference~addr 
commanded-attitude-addr 
octavia-torque-addr 
rwa-speed-addr 
rwa-temperature-addr 
mtr-a-current-addr 
mtr-b-current-addr 
rwa-torque-addr 
mtr-a-torque-addr 
mtr-b-torque-addr 
imu-channel-addr 
imu-health-addr 
css-health-addr 
rwa-health-addr 
mtr-channel-addr 
mtr-health-addr 
acs-mode-addr 
imu-attitude-rate-a-limit-passed-addr 
imu-attitude-rate-b-limit-passed-addr 
imu~attitude~rate~a~obso1ete-passed~addr 
i m u ~ a t t i t u d e ~ r a t e ~ b ~ o b s 0 1 e t e ~ a s s e d ~ a d d r  
imu-attitude-rate-a-static-passed-addr 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
integer 
mission-time-addr 
ppc-trigger-addr 
ppc-trigger-word 
C-PLB-DWIDTH 
C-PLBAWIDTH 
) ;  
port ( 
clock 
clock-reset 
MY-BRAM-EN 
MY-BRAM-WEN 
1 downto 0) ; 
MY-BRAM-Addr 
downto 0); 
MYBRAM-Dout 
downto 0); 
MY-BRAM-Din 
downto 0) 
) ;  
end landsat7-acs; 
: integer 
: integer 
: integer 
: integer 
: integer 
: integer 
: integer 
: integer 
: integer 
: integer 
: integer 
: integer := 150; 
: integer := 151; 
: integer := 1001; 
: integer := 64; 
: integer :=  32 
: in std-logic; 
: in std-logic; 
: out std-logic; 
: out std-logic-vector(C-PLB-DWIDTH/8 - 
: out std-logic-vector (C-PLBAWIDTH-1 
: out std-logic-vector(C-PLB-DWIDTH-1 
-- This is the main architecture declaration 
architecture Behavorial of landsat7-acs is 
-- Declare signals used throughout finite state machine 
signal system-start : std-logic := '1'; 
signal mission-time : integer := 0; 
signal mission-millisec : integer := 0; 
signal mission~millisec~counter : integer := 0; 
signal mission~millisec~counter~reset : std-logic := '0'; 
signal mission-sec : integer := 0; 
signal counter : integer : =  0; 
signal counter-reset : std-logic := '0'; 
-- Declare enumerated types used 
type imu-attitude-rate-a-input-values is array(0 to 5) of integer; 
type imu-attitude-rate-b-input-values is array(0 to 5) of integer; 
type octavia~imu~attitude~rateedifference~inputvalues is array(0 to 5) 
of integer; 
type css~attitude~a~input~va1ues is array(0 to 1) of integer; 
type css~attitude~b~input~va1ues is array(0 to 1) of integer; 
type octavia~css~attitude~difference~inp~t~values is array(0 to 1) of 
integer; 
type commanded~attitude~input~va1ues i array(0 to 1) of integer; 
type octavia~torque~input~va1ues i array(0 to 1) of integer; 
type rwa-speed-input-values is array(0 to 5) of integer; 
type rwa-temperature-input-values is array (0 to 5) of integer; 
type mtr-a-current-input-values is array(0 to 5) of integer; 
type mtr-b-current-input-values is array(0 to 5) of integer; 
type imu-channel-transitions is array(0 to 1) of imu-channel-enumerated; 
type imu-health-transitions is array(0 to 1) of imu-health-enumerated; 
type css-health-transitions is array(0 to 1) of css-health-enumerated; 
type rwa-health-transitions is array(0 to 1) of rwa-health-enumerated; 
type mtr-channel-transitions is array(0 to 1) of mtr-channel-enumerated; 
type mtr-health-transitions is array(0 to 1) of mtr-health-enumerated; 
type acs-mode-transitions is array(0 to 1) of acs-mode-enumerated; 
-- Declare enumerated types used 
signal imu-attitude-rate-a : imu-attitude-rate-a-inp~t~values; 
signal temp-imu-attitude-rate-a : imu-attitude-rate-a-input-values; 
signal imu-attitude-rate-b : imu-attitude-rate-b-input-values; 
signal temp-imu-attitude-rate-b : imu-attitude-rate-b-input-values; 
signal octavia-imu-attitude-rate-difference : 
octavia~imu~attitude~rate~difference~input~values; 
signal temp~octavia~imu~attitude~rateedifference : 
octavia~imu~attitude~rate~difference~input~values; 
signal css-attitude-a : css~attitude~a~input~values; 
signal temp-css-attitude-a : css~attitude~a~input~va1ues; 
signal css-attitude-b : css~attitude~b~input~va1ues; 
signal temp-css-attitude-b : css~attitudeb~input~values; 
signal octavia~css~attitude~difference : 
octavia~css~attitude~difference~input~values; 
signal temp~octavia~css~attitude~difference : 
octavia~css~attitude~differenceninput~va1ues; 
signal commanded-attitude : commanded~attitude~input~va1ues; 
signal temp-commanded-attitude : commanded~attitude~input~va1ues; 
signal octavia-torque : octavia~torque~input~va1ues; 
signal temp-octavia-torque : octavia~torque~input~va1ues; 
signal rwa-speed : rwa-speed-input-values; 
signal temp-rwa-speed : rwa-speed-input-values; 
signal rwa-temperature : rwa-temperature-input-values; 
signal temp-rwa-temperature : rwa-temperature-input-values; 
signal mtr-a-current : mtr-a-current-input-values; 
signal temp-mtr-a-current : mtr-a-current-input-values; 
signal mtr-b-current : mtr-b-current-input-values; 
signal temp-mtr-b-current : mtr-b-current-input-values; 
signal imu-channel : imu-channel-transitions; 
signal temp-imu-channel : imu-channel-transitions; 
signal next-imu-channel : imu-channel-enumerated; 
signal imu-health : imu-health-transitions; 
signal temp-imu-health : imu-health-transitions; 
signal next-imu-health : imu-health-enumerated; 
signal css-health : css-health-transitions; 
signal temp-css-health : css-health-transitions; 
signal next-css-health : css-health-enumerated; 
signal rwa-health : rwa-health-transitions; 
signal temp-rwa-health : rwa-health-transitions; 
signal next-rwa-health : rwa-health-enumerated; 
signal mtr-channel : mtr-channel-transitions; 
signal temp-mtr-channel : mtr-channel-transitions; 
signal next-mtr-channel : mtr-channel-enumerated; 
signal mtr-health : mtrhealth-transitions; 
signal temp-mtr-health : mtr-health-transitions; 
signal next-mtr-health : mtr-health-enumerated; 
signal acs-mode : acs-mode-transitions; 
signal temp-acs-mode : acsmode-transitions; 
signal next-acs-mode : acs-mode-enumerated; 
-- Declare time signals used 
signal imu-attitude-rate-a-time-received : integer; 
signal imu-attitude-rate-b-time-received : integer; 
signal octavia~imu~attitude~rate~difference~timereceived : integer; 
signal css-attitude-a-time-received : integer; 
signal css-attitude-b-time-received : integer; 
signal octavia~css~attitude~difference~time~received : integer; 
signal commanded-attitude-time-received : integer; 
signal octavia-torque-time-received : integer; 
signal rwa-speed-time-received : integer; 
signal rwa-temperature-time-received : integer; 
signal mtr-a-current-time-received : integer; 
signal mtr-b-current-time-received : integer; 
signal rwa-torque-time-sent : integer; 
signal mtr-a-torque-t ime-sent : integer; 
signal mtr-b-torque-time-sent : integer; 
signal imu-channel-time-transitioned : integer; 
signal imu-channel-time-entered-unknown : integer; 
signal imu~channel~time~exited~unknown : i teger; 
signal imu-channel-time-entered-a : integer; 
signal imu-channel-time-exited-a : integer; 
signal imu-channel-time-entered-b : integer; 
signal imu-channel-time-exited-b : integer; 
signal imu-channel-time-entered-none : integer; 
signal imu-channel-time-exited-none : integer; 
signal imu-health-time-transitioned : integer; 
signal imu-health-time-entered-unknown : integer; 
signal imu-health-time-exited-unknown : integer; 
signal imu-health-time-entered-good : integer; 
signal imu-health-t ime-exited-good : integer; 
signal imu-health-time-entered-bad : integer; 
signal imu-health-time-exited-bad : integer; 
signal css-health-time-transitioned : integer; 
signal css-health-time-entered-unknown : integer; 
signal css-health-time-exited-unknown : integer; 
signal css-health-time-entered-good : integer; 
signal css-health-time-exited-good : integer; 
signal css-health-time-entered-bad : integer; 
signal css-health-time-exited-bad : integer; 
signal rwa-health-time-transitioned : integer; 
signal rwa-health-time-entered-unknown : integer; 
signal rwa-health-time-exited-unknown : integer; 
signal rwa-health-time-entered-good : integer; 
signal rwa-health-time-exited-good : integer; 
signal rwa-health-time-entered-bad : integer; 
signal rwa-health-time-exited-bad : integer; 
signal mtr-channel-time-transitioned : integer; 
signal mtr-channel-time-entered-unknown : integer; 
signal mtr-channel-time-exited-unknown : integer; 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
signal 
mtr-channel-time-entered-a : integer; 
mtr-channel-time-exited-a : integer; 
mtr-channel-time-entered-b : integer; 
mtr-channel-time-exited-b : integer; 
mtr-channel-time-entered-none : integer; 
mtr-channel-time-exited-none : integer; 
mtr-health-time-transitioned : integer; 
mtr-health-time-entered-unknown : integer; 
mtr-health-time-exited-unknown : integer; 
mtr-health-time-entered-good : integer; 
mtr-health-time-exited-good : integer; 
mtr-health-time-entered-bad : integer; 
mtr-health-time-exited-bad : integer; 
acs-mode-time-transitioned : integer; 
acs-mode-time-entered-primary : integer; 
acs-mode-time-exited-primary : integer; 
acs-mode-time-entered-backup : integer; 
acs-mode-time-exited-backup : integer; 
acs-mode-time-entered-failed : integer; 
acs-mode-time-exited-failed : integer; 
-- Declare real signals used 
-- Declare int signals used 
signal imu-attitude-rate-a-data : integer := 0; 
signal imu-attitude-rate-a-state-int : integer; 
signal imu-attitude-rate-b-data : integer := 0; 
signal imu-attitude-rate-b-state-int : integer; 
signal octavia-imu-attitude-rate-difference-data : integer := 0; 
signal octavia~imu~attitude~rate~difference~stateint : in eger; 
signal css-attitude-a-data : integer := 0; 
signal css-attitude-a-state-int : integer; 
signal css-attitude-b-data : integer := 0; 
signal css-attitude-b-state-int : integer; 
signal octavia-css-attitude-difference-data : integer := 0; 
signal octavia~css~attitude~difference~state~int : integer; 
signal commanded-attitude-data : integer := 0; 
signal commanded-attitude-state-int : integer; 
signal octavia-torque-data : integer := 0; 
signal octavia-torque-state-int : integer; 
signal rwa-speed-data : integer := 0; 
signal rwa-speed-state-int : integer; 
signal rwa-temperature-data : integer := 0; 
signal rwa-temperature-state-int : integer; 
signal mtr-a-current-data : integer := 0; 
signal mtr-a-current-state-int : integer; 
signal mtr-b-current-data : integer :=  0; 
signal mtr-b-current-state-int : integer; 
signal rwa-torque-torque-data : integer; 
signal mtr-a-torque-torque-data : integer; 
signal mtr-b-torque-torque-data : integer; 
signal imu-channel-int : integer; 
signal imu-health-int : integer; 
signal css-health-int : integer; 
signal rwa-health-int : integer; 
signal mtr-channel-int : integer; 
signal mtr-health-int : integer; 
signal acs-mode-int : integer; 
-- Declare std logic signals used 
signal imu-attitude-rate-a-has-new-data : std-logic := '0'; 
signal imu-attitude-rate-a-obsolete : std-logic-vector(0 to 5) := ('l', 
'I1, 'l', 'l', 'l', '1'); 
signal temp-imu-attitude-rate-a-obsolete : std-logicvector(0 to 5) := 
('I1, 'I1, 'l', 'l', 'I1, '1'); 
signal imu-attitude-rate-a-neverreceived : std-logic := '1'; 
signal imu-attitude-rate-b-has-new-data : std-logic := '0'; 
signal imu-attitude-rate-b-obsolete : std-logic-vector(0 to 5) := ('l', 
'I1, 'lVf 'I1, 'I1, '1'); 
signal temp-imu-attitude-rateb-obsolete : std-logicvector(0 to 5) := 
('l', 'lVf 'I1, 'Iff 'l', '1'); 
signal imu-attitude-rate-b-neverreceived : std-logic := '1'; 
signal octavia~imu~attitude~rateedifference~has~new~data : std-logic := 
'0'; 
signal octavia~imu~attitude~rate~difference~obsolete : 
std-logic-vector(0 to 5) := ('If, 'I1, 'l', 'l', 'l', '1'); 
signal temp~octavia~imu~attitude~rate~difference~obsolete : 
std-logic-vector(0 to 5) := ('I", 'l', 'l', 'l', 'l', '1'); 
signal octavia~imu~attitude~rateedifference~neverreceived : std-logic 
:= '1'; 
signal css-attitude-a-has-new-data : std-logic := '0'; 
signal css-attitude-a-obsolete : std-logic-vector(0 to 1) := ('I1, '1'); 
signal temp~css~attitude~a~obs01ete : std-logic-vector(0 to 1) := ('I1, 
'1'); 
signal css-attitude-a-never-received : std-logic := '1'; 
signal css-attitude-b-has-new-data : std-logic := '0'; 
signal css-attitude-b-obsolete : std-logic-vector (0 to 1) := ('I1, I1') ; 
signal temp-css-attitude-b-obsolete : std-logic-vector(0 to 1) := ('I1, 
'1'); 
signal css-attitude-b-never-received : std-logic := '1'; 
signal octavia~css~attitude~difference~has~new~data : s d-logic := '0'; 
signal octavia~css~attitude~difference~obso1ete : std-logic-vector(0 to 
1) := ('l', '1'); 
signal temp~octavia~css~attitude~difference~obsolete : 
std-logic-vector (0 to 1) := ('I1, '1 ' ) ; 
signal octavia~css~attitude~difference~never~received : std-logic := '1'; 
signal commanded-attitude-has-new-data : std-logic := '0'; 
signal commanded-attitude-obsolete : std-logic-vector(0 to 1) := ('I1, 
'1'); 
signal temp~commanded~attitude~obs01ete : std-logic-vector(0 to 1) := 
('l', '1'); 
signal commanded-attitude-never-received : std-logic := '1'; 
signal octavia-torque-has-new-data : std-logic := '0'; 
signal octavia~torque~obsolete : std-logic-vector(0 to 1) := ('l','ll); 
signal temp~octavia~torque~obs01ete : std~logic~vector(0 to 1) := ('l', 
'1'); 
signal octavia~torque~never~received : std-logic := '1'; 
signal rwa-speed-has-new-data : std-logic := '0'; 
signal rwa-speed-obsolete : std-logic-vector (0 to 5) : = ( '1 ' , ' 1 ' , ' 1 I ,  ' 1 ' , 
'I1); 
signal temp-rwa-speed-obsolete : std-logic-vector(0 to 5) := ('1','11, 
Ill, 'l', 'l', '1'); 
signal rwa-speed-never-received : std-logic := '1'; 
signal rwa-temperature-has-new-data : std-logic := '0'; 
signal rwa-temperature-obsolete : std-logic-vector(0 to 5) := ('1','11, 
'11, '11, 'I1, '1'); 
signal temp-rwa-temperature-obsolete : std-logic-vector(0 to 5) := ('l', 
'11, 'I1, 'l', 'l', '1'); 
signal rwa-temperature-never-received : std-logic := '1'; 
signal mtr-a-current-has-new-data : std-logic := '0'; 
signal mtr-a-current-obsolete : std-logic-vector (0 to 5) := ( ' 1 ' , ' 1 ' , ' 1 ' , 
'I1, 'l', '1'); 
signal temp-mtr-a-current-obsolete : std-logic-vector(0 to 5) := ('l', 
'l', 'I1, 'l', 'I1, '1'); 
signal mtr-a-current-never-received : std-logic := '1'; 
signal mtr-b-current-has-new-data : std-logic :=  '0'; 
signal mtr-b-current-obsolete : std-logic-vector (0 to 5) := ( ' 1 ' , ' 1 ' , ' 1 ' , 
signal temp-mtr-b-current-obsolete : std-logic-vector(0 to 5) := ('I1, 
'I1, '11, '11, 'I1, '1'); 
signal mtr-b-current-never-received : std-logic := '1'; 
signal rwa-torque-never-sent : std-logic := '1'; 
signal rwa-torque-torquehas-new-data : std-logic := '0'; 
signal mtr-a-torque-never-sent : std-logic := '1'; 
signal mtr~a~torque~torque~ha~~new~data : std-logic := '0'; 
signal mtr-b-torque-never-sent : std-logic := '1'; 
signal mtr-b-torque-torque-has-new-data : std-logic := '0'; 
signal imu-channel-never-transitioned : std-logic := '1'; 
signal imu-channel-never-entered-unknown : std-logic := '1'; 
signal imu-channel-never-exited-unknown : std-logic := '1'; 
signal imu-channel-never-entered-a : std-logic := '1'; 
signal imu-channel-never-exited-a : std-logic :=  'I1; 
signal imu-channel-never-entered-b : std-logic := '1'; 
signal imu-channel-never-exited-b : std-logic := 'I1; 
signal imu-channel-never-entered-none : std-logic := '1'; 
signal imu-channel-never-exited-none : std-logic := '1'; 
signal imu-health-never-transitioned : std-logic := '1'; 
signal imu-health-never-entered-unknown : std-logic := '1'; 
signal imu-health-never-exited-unknown : std-logic := '1'; 
signal imu-health-never-entered-good : std-logic := '1'; 
signal imu-health-never-exited-good : std-logic := '1'; 
signal imu-health-never-entered-bad : std-logic := '1'; 
signal imu-health-never-exited-bad : std-logic := '1'; 
signal css-health-never-transitioned : std-logic := '1'; 
signal css-health-never-entered-unknown : std-logic := '1'; 
signal css~health~never~exited~unknown : std-logic := '1'; 
signal css-health-never-entered-good : std-logic := '1'; 
signal css-health-never-exited-good : std-logic := '1'; 
signal css-health-never-entered-bad : std-logic := '1'; 
signal css-health-never-exited-bad : std-logic := '1'; 
signal rwa-health-never-transitioned : std-logic := '1'; 
signal rwa-health-never-entered-unknown : std-logic := '1'; 
signal rwa-health-never-exited-unknown : std-logic := '1'; 
signal rwa-health-never-entered-good : std-logic := '1'; 
signal rwa-health-never-exited-good : std-logic := '1'; 
signal rwa-health-never-entered-bad : std-logic := 'I1; 
signal rwa-health-never-exited-bad : std-logic := '1'; 
signal mtr-channel-never-transitioned : std-logic := '1'; 
signal mtr-channel-never-entered-unknown : std-logic : =  '1'; 
signal mtr-channel-never-exited-unknown : std-logic := '1'; 
signal mtr-channel-never-entered-a : std-logic := '1'; 
signal mtr-channel-never-exited-a : std-logic := '1'; 
signal mtr-channel-never-entered-b : std-logic := '1'; 
signal mtr-channel-never-exited-b : std-logic := '1'; 
signal mtr-channel-never-entered-none : std-logic := '1'; 
signal mtr-channel-never-exited-none : std-logic := '1'; 
signal mtr-health-never-transitioned : std-logic := 'I1; 
signal mtr-health-never-entered-unknown : std-logic := '1'; 
signal mtr-health-never-exited-unknown : std-logic := '1'; 
signal mtr-health-never-entered-good : std-logic := '1'; 
signal mtr-health-never-exited-good : std-logic := '1'; 
signal mtr-health-never-entered-bad : std-logic := '1'; 
signal mtr-health-never-exited-bad : std-logic := '1'; 
signal acs-mode-never-transitioned : std-logic := '1'; 
signal acs-mode-never-entered-primary : std-logic := '1'; 
signal acs-mode-never-exited-primary : std-logic := '1'; 
signal acs-mode-never-entered-backup : std-logic := '1'; 
signal acs-mode-never-exited-backup : std-logic := '1'; 
signal acs-mode-never-entered-failed : std-logic := '1'; 
signal acs-mode-never-exited-failed : std-logic := '1'; 
signal imu-attitude-rate-a-limitsassed : std-logic; 
signal imu-attitude-rate-b-limitsassed : std-logic; 
signal irnu~attitude~rate~a~obs01ete-passed : std-logic; 
signal imu~attitude~rate~b~obso1ete-passed : std-logic; 
signal imu-attitude-rate-a-static-passed : std-logic; 
signal imu-attitude-rate-b-static-passed : std-logic; 
signal imu-attitude-rate-comparejassed : std-logic; 
signal css~attitude~compare-passed : std-logic; 
signal rwa-speed-obsolete-passed : std-logic; 
signal rwa-speed-limit-passed : std-logic; 
signal rwa-temperature-obsolete-passed : std-logic; 
signal rwa-temperature-l imitsassed : std-logic; 
signal mtr-a-current-obsolete-passed : std-logic; 
signal rntr~b~current~obsolete-passed : std-logic; 
signal mtr -a -cu r r en t - l imi t s a s sed  : std-logic; 
signal mtr-b-current-limit-passed : std-logic; 
-- Declare function elements 
-- Begin architecture 
begin 
-- Update system start process 
update~system~start~process : process(clock, clock-reset) begin 
if (clock-reset = '1') then 
system-start <= ' 1 ' ; 
elsif (clock'event and clock = '1') then 
system-start <= ' 0' ; 
end if; 
end process update~system~start-process; 
-- Update counter process 
update~counter~process : process(clock, clock-reset) begin 
if (clock-reset = '1') then 
counter <= 0; 
elsif (clock'event and clock = '1') then 
if (counter-reset = '1') then 
counter <= 0; 
else 
counter <= counter + 1; 
end if; 
end if; 
end process update~counter~process; 
-- Update counter reset process 
update~counter~reset~process : process(c1ock) begin 
if (clock'event and clock = '1') then 
if (counter = 3000) then 
counter-reset <= '1'; 
else 
counter-reset <= '0'; 
end if; 
end if; 
end process update~counter~reset~process; 
-- Update mission millisecond counter process 
update~mission~millisec~counter~process : process(clock, 
clock-reset) begin 
if (clock-reset = '1') then 
mission~millisec~counter <= 0; 
elsif (clock'event and clock = '1') then 
if (rnission~millisec~counter~reset = '1') then 
mission~millisec~counter <= 0; 
else 
mission~millisec~counter <= mission~millisec~counter + 1; 
end if; 
end if; 
end process update~rnission~millisec~counterprocess; 
-- Update mission millisecond counter reset process 
update~mission~millisec~~o~nter~reset~process : process(c1ock) begin 
if (clock'event and clock = '1') then 
if (mission~millisec~counter = 200000) then 
mission~millisec~counter~reset <= '1'; 
else 
mission~millisec~counter~reset <= '0'; 
end if; 
end if; 
end process update~mission~millisec~~ounter~reset~process; 
-- -- Update mission millisecond process 
update~rnission~millisec-process : process(clock, clock-reset) begin 
if (clock-reset = '1') then 
mission-millisec <= 0; 
elsif (clock'event and clock = '1') then 
if (mission~rnillisec~counter~reset = '1') then 
mission-millisec <= missionmillisec + 1; 
end if; 
if (mission-millisec = 999) then 
mission~millisec <= 0; 
end if; 
end if; 
end process update~missionmillisec-process; 
-- Update mission sec process 
update~mission~sec~rocess : process(clock, clock-reset) begin 
if (clock-reset = '1') then 
mission-sec <= 0; 
elsif (clock'event and clock = '1') then 
if (mission-millisec = 999) then 
mission-sec <= mission-sec + 1; 
end if; 
end if; 
end process update~mission~sec-process; 
-- Update mission time process 
update~mission~tirne~rocess : process(clock, clock-reset) begin 
if (clock-reset = '1' ) then 
mission-time <= 0; 
elsif (clock'event and clock = '1') then 
mission-time <= (mission-sec * 1000) + mission-millisec; 
end if; 
end process update~mission~time-process; 
-- Process for Input Element : IMU Attitude Rate A 
imu~attitude~rate~a~input-process : process (clock) begin 
if (clock'event and clock = '1') then 
if (((imu-attitude-rate-ahas-new-data = '1'))) then 
-- Update Previous Values 
for i in 1 to 5 loop 
imu-attitude-rate-a(i) <= temp-imu-attitude-rate-a(i- 
1); 
imu-attitude-rate-a-obsolete(i) <= 
temp-imu-attitude-rate-a-obsolete(i-1); 
end loop; 
-- Update latest value 
imu-attitude-rate-a(0) <= imu-attitude-rate-a-data; 
imu-attitude-rate-a-state-int <= 1; 
imu-attitude-rate-a-obsolete(0) <= '0'; 
-- Update timing related signals 
imu-attitude-rate-a-neverreceived <= '0'; 
imu-attitude-rate-a-time-received <= mission-time; 
elsif ((((imu-attitude-rate-a-has-new-data /= '1')) and 
((((mission-time - imu-attitude-rate-a-time-received) <= 1500)) and 
(imu-attitude-rate-a-neverreceived = '0')))) then 
imu-attitude-rate-a-state-int <= 2; 
-- Update latest value 
imu-attitude-rate-a(0) <= imu-attitude-rate-a(1); 
-- Update obsolete information 
imu-attitude-rate-a-obsolete(0) <= '0'; 
elsif (((((system-start = '1')) and 
((imu-attitude-rate-a-neverreceived = '1'))) or 
((imu-attitude-rate-a-neverreceived = '1')) or ((((mission-time - 
imu-attitude-rate-a-time-received) > 1500)) and 
(imu-attitude-rate-a-neverreceived = '0')))) then 
imu-attitude-rate-a-state-int <= 3; 
-- Update obsolete information 
imu-attitude-rate-a-obsolete (0) <= ' 1 ' ; 
end if; 
end if; 
end process imu~attitude~rate~a~input~process; 
-- Process for Input Element : IMU Attitude Rate B 
imu~attitude~rate~b~input-process : process (clock) begin 
if (clock'event and clock = ' I' ) then 
if (((imu-attitude-rate-b-has-new-data = '1'))) then 
-- Update Previous Values 
for i in 1 to 5 loop 
imu-attitude-rate-b(i) <= temp-imu-attitude-rateb(i- 
1) ; 
imu-attitude-rate-b-obsolete (i) <= 
temp-imu-attitude-rate-bbobsolete(i-1); 
end loop; 
-- Update latest value 
imu-attitude-rate-b(0) <= imu-attitude-rate-b-data; 
imu-attitude-rate-b-state-int <= 1; 
imu-attitude-rateb-obsolete(0) <= '0'; 
-- Update timing related signals 
imu-attitude-rate-b-neverreceived <= '0'; 
imu-attitude-rate-b-time-received <= mission-time; 
elsif ((((imu-attitude-rateb-has-new-data /= '1')) and 
((((mission-time - imu-attitude-rate-b-time-received) <= 1500)) and 
(imu-attitude-rate-b-neverreceived = '0')))) then 
imu-attitude-rate-b-state-int <= 2; 
-- Update latest value 
imu-attitude-rate-b (0) <= imu-attitude-rate-b (1) ; 
-- Update obsolete information 
imu-attitude-rate-b-obsolete(0) <= '0'; 
elsif ( ( ( ( (system-start = ' 1 ' ) ) and 
((imu-attitude-rate-b-neverreceived = '1'))) or 
((imu-attitude-rate-b-neverreceived = 'I1)) or ( ( (  (mission-time - 
imu-attitude-rate-b-time-received) > 1500)) and 
(imu-attitude-rate-b-neverreceived = '0')))) then 
imu-attitude-rate-b-state-int <= 3; 
-- Update obsolete information 
imu-attitude-rate-b-obsolete(0) <= '1'; 
end if; 
end if; 
end process 
-- Process for Input Element : Octavia IMU Attitude Rate Difference 
octavia~imu~attitude~rateedifference~input~rocess : process (clock) 
begin 
if (clock'event and clock = '1') then 
if (((octavia~imu~attitude~rate~difference~has~new~data = 
'1'))) then 
-- Update Previous Values 
for i in 1 to 5 loop 
octavia-imu-attitude-rate-difference(i) <= 
temp~octavia~imu~attitude~rate~difference(i-1); 
octavia~imu~attitude~rate~difference~obsolete(i) <= 
temp~octavia~imu~attitude~rate~difference~obsolete(i-1); 
end loop; 
-- Update latest value 
octavia~imu~attitude~rate~difference~stateint <= 1; 
octavia~imu~attitude~rateedifference~obsolete(0) <= '0'; 
-- Update timing related signals 
octavia~imu~attitude~rate~difference~timereceived <= 
mission-time; 
elsif ((((octavia~imu~attitude~rate~differencehas~new~data 
/= '1 ' ) ) and ( ( ( (mission-time - 
octavia~imu~attitude~rateedifference~timereceived) <= 1500)) and 
(octavia~imu~attitude~rateedifference~neverreceived = ' 0 ' ) ) ) )  then 
octavia~imu~attitude~rate~difference~stateint <= 2; 
-- Update latest value 
octavia-imu-att itude-rate-dif ference (0) <= 
octavia-imu-attitude-rate-difference(1); 
-- Update obsolete information 
octavia~imu~attitude~rate~difference~obsolete(0) <= '0'; 
elsif ( ( ( ( (system-start = ' 1 ' ) ) and 
((octavia~imu~attitude~rateedifference~never~received = '1'))) or 
((octavia~imu~attitude~rate~difference~never~received = '1')) or 
((((mission-time - octavia~imu~attitude~rate~difference~timereceived) > 
1500)) and (octavia~imu~attitude~rateedifference~never~received = '0')))) 
then 
octavia~imu~attitude~rate~difference~stateint <= 3; 
-- Update obsolete information 
octavia~imu~attitude~rateedifference~obsolete(0) <= 'I1; 
end if; 
end if; 
end process octavia~imu~attitude~rate~difference~input~rocess; 
-- Process for Input Element : CSS Attitude A 
css-attitude-a-input-process : process (clock) begin 
if (clock'event and clock = '1') then 
if (((.css-attitude-a-has-new-data = '1'))) then 
-- Update Previous Values 
for i in 1 to 1 loop 
css-attitude-a(i) <= temp-css-attitude-a(i-1); 
css-attitude-a-obsolete (i) <= 
end loop; 
-- Update latest value 
css-attitude-a (0) <= css-attitude-a-data; 
css-attitude-a-state-int <= 1; 
css~attitude~a~obsolete(0) <= '0'; 
-- Update timing related signals 
css-attitude-a-never-received <= '0'; 
css-attitude-a-time-received <= mission-time; 
elsif ((((css-attitude-a-has-new-data /= '1')) and 
((((mission-time - css-attitude-a-time-received) <= 1500)) and 
(css-attitude-a-never-received = '0')))) then 
css-attitude-a-state-int <= 2; 
-- Update latest value 
css-attitude-a (0) <= css-attitude-a (1) ; 
-- Update obsolete information 
css~attitude~a~obsolete(0) <= '0'; 
elsif ( ( ( ( (system-start = ' 1 ' ) ) and 
((css-attitude-a-never-received = '1'))) or ((css-attitude-a-never-received 
= '1')) or ((((mission-time - css-attitude-a-time-received) > 1500)) and 
(css-attitude-a-never-received = '0')))) then 
css-attitude-a-state-int <= 3; 
-- Update obsolete information 
css~attitude~a~obsolete(0) <= '1'; 
end if; 
end if; 
end process css~attitude~a~input~process; 
-- Process for Input Element : CSS Attitude B 
css~attitude~b~input~process : process (clock) begin 
if (clock'event and clock = '1') then 
if ( ( (css-attitudeb-has-new-data = ' 1 ' ) ) ) then 
-- Update Previous Values 
for i in 1 to 1 loop 
css-attitude-b (i) <= temp-css-attitude-b (i-1) ; 
css-attitude-b-obsolete (i) <= 
temp~css~attitude~b~obs01ete(i-1); 
end loop; 
-- Update latest value 
css-attitude-b (0) <= css-attitude-b-data; 
css-attitude-b-state-int <= 1; 
css~attitude~b~obsolete(0) <= '0'; 
-- Update timing related signals 
css-attitude-b-never-received <= '0'; 
css-attitude-b-time-received <= mission-time; 
elsif ((((css-attitudeb-has-new-data /= '1')) and 
((((mission-time - css-attitude-b-time-received) <= 1500)) and 
(css-attitude-b-never-received = 'Or)))) then 
css-attitude-b-state-int <= 2; 
-- Update latest value 
css-attitude-b (0) <= css-attitude-b (1) ; 
-- Update obsolete information 
css~attitude~b~obsolete(0) <= '0'; 
elsif (((((system-start = '1')) and 
((css-attitude-b-never-received = '1'))) or ((css-attitude-b-never-received 
= '1')) or ( (  ((mission-time - css-attitude-b-time-received) > 1500)) and 
(css-attitude-b-never-received = '0')))) then 
css-attitude-b-state-int <= 3; 
-- Update obsolete information 
css-attitude-b-obsolete(0) <= 'I1; 
end if; 
end if; 
end process css~attitudeb~input_process; 
-- Process for Input Element : Octavia CSS Attitude Difference 
octavia~css~attitude~difference~inp~t~process : process (clock) begin 
if (clock'event and clock = 'I1) then 
then 
-- Update Previous Values 
for i in 1 to 1 loop 
temp~octavia~css~attitude~difference~obsolete(i-1); 
end loop; 
-- Update latest value 
octavia-css-attitude-dif ference (0) <= 
octavia~css~attitude~difference~data; 
octavia~css~attitude~difference~state~int <= 1;
o c t a v i a ~ c s s ~ a t t i t u d e ~ d i f f e r e n c e _ o b s o l e t e ( O )  <= '0'; 
-- Update timing related signals 
octavia~css~attitude~difference~never~received <= '0'; 
octavia~css~attitude~difference~time~received <= 
mission-time; 
elsif ((((octavia~css~attitude~differencefhas~newWdata /= 
'1')) and ((((mission-time - octavia~css~attitude~difference~timeereceived) 
<= 1500)) and (octavia~css~attitude~difference~never~received = ' 0 ' ) ) ) )  then 
octavia~css~attitude~difference~~tate~int <= 2; 
-- Update latest value 
octavia~css~attitude~difference(0) <= 
octavia~css~attitude~difference(1); 
-- Update obsolete information 
octavia~css~attitude~difference~obsolete(0) <= '0'; 
elsif (((((system-start = '1')) and 
((octavia~css~attitude~difference~never~received = '1'))) or 
((octavia~css~attitude~difference~never~received = '1')) or ((((mission-time 
- octavia~css~attitude~differencetimereceived) > 1500)) and 
(octavia~css~attitude~difference~never~received = '0')))) then 
octavia~css~attitude~difference~state~int <= 3; 
-- Update obsolete information 
octavia~css~attitude~difference~obsolete(0) <= '1'; 
end if; 
end if; 
end process octavia~css~attitude~differenceeinput-process; 
-- Process for Input Element : Commanded Attitude 
commanded-attitude-inputjrocess : process (clock) begin 
if (clock'event and clock = '1') then 
if (((commanded-attitudehas-new-data = '1'))) then 
-- Update Previous Values 
for i in 1 to 1 loop 
end loop; 
-- Update latest value 
commanded-attitude(0) <= commanded-attitude-data; 
commanded-attitude-state-int <= 1; 
commanded~attitude~obsolete(0) <= '0'; 
-- Update timing related signals 
commanded~attitude~never~received <= '0'; 
commanded~attitude~time~received <= mission-time; 
elsif ((((commanded-attitude-has-new-data /= '1')) and 
((((mission-time - commanded~attitude~time~received) <= 3600000)) and 
(commanded~attitude~never~received = ' 0 ' ) ) ) )  then 
commanded-attitude-state-int <= 2; 
-- Update latest value 
commanded-attitude (0) <= commanded-attitude (1) ; 
-- Update obsolete information 
commanded~attitude~obsolete (0) <= '0' ; 
elsif (((((system-start = '1')) and 
((commanded~attitude~never~received = '1'))) or 
((commanded~attitude~never~received = '1')) or ((((mission-time - 
commanded-attitude-time-received) > 3600000)) and 
(commanded~attitude~never~received = '0')))) then 
commanded-attitude-state-int <= 3; 
-- Update obsolete information 
commanded~attitude~obsolete (0) <= ' 1 ' ; 
end if; 
end if; 
end process commanded~attitude~input~process; 
-- Process for Input Element : Octavia Torque 
octavia~torque~input~process : process (clock) begin 
if (clock'event and clock = '1') then 
if (((octavia~torque~has~ne~~data = '1'))) then 
-- Update Previous Values 
for i in 1 to 1 loop 
octavia-torque (i) <= temp-octavia-torque (i-1) ; 
octavia~torque~obsolete (i) <= 
temp~octavia~torque~obso1ete(i-1); 
end loop; 
-- Update latest value 
octavia-torque(0) <= octavia-torque-data; 
octavia-torque-state-int <= 1; 
octavia~torque~obsolete (0) <= ' 0 ' ; 
-- Update timing related signals 
octavia~torque~never~received <= '0'; 
octavia-torque-time-received <= mission-time; 
elsif ((((octavia-torque-has-new-data /= '1')) and 
((((mission-time - octavia-torque-time-received) <= 1500)) and 
(octavia~torque~never~received = '0')))) then 
octavia-torque-state-int <= 2; 
-- Update latest value 
octavia-torque (0) <= octavia-torque (1) ; 
-- Update obsolete information 
octavia~torque~obsolete (0) <= ' 0 ' ; 
elsif (((((system-start = '1')) and 
((octavia~torque~never~received = '1'))) or ((octavia~torque~neverereceived 
= '1')) or ( (  ((mission-time - octavia~torque~time~received) > 1500)) and 
(octavia-torque-never-received = '0')) ) )  then 
octavia-torque-state-int <= 3; 
-- Update obsolete information 
octavia~torque~obsolete (0) <= 'I ' ; 
end if; 
end if; 
end process o c t a v i a ~ t o r q u e ~ i n p u t j r o c e s s ;  
-- Process for Input Element : RWA Speed 
rwa-speed-inputjrocess : process (clock) begin 
if (clock'event and clock = '1') then 
if (((rwa-speed-has-new-data = '1'))) then 
-- Update Previous Values 
for i in 1 to 5 loop 
rwa-speed (i) <= temp-rwa-speed (i-1 ) ; 
rwa-speed-obsolete(i) <= temp-rwa-speed-obsolete(i- 
end loop; 
-- Update latest value 
rwa-speed (0) <= rwa-speed-data; 
rwa-speed-state-int <= 1; 
rwa-speed-obsolete (0) <= ' 0 ' ; 
-- Update timing related signals 
rwa-speed-never-received <= '0'; 
rwa-speed-time-received <= mission-time; 
elsif ((((rwa-speed-has-new-data /= '1')) and 
((((mission-time - rwa-speed-time-received) <= 5000)) and 
(rwa-speed-never-received = '0')))) then 
rwa-speed-state-int <= 2; 
-- Update latest value 
rwa-speed (0 ) <= rwa-speed ( 1 ) ; 
-- Update obsolete information 
rwa-speed-obsolete (0) <= ' 0 ' ; 
elsif ( ( ( ( (system-start = ' 1 ' ) ) and 
((rwa-speed-never-received = '1'))) or ((rwa-speed-never-received = '1')) or 
((((mission-time - rwa-speed-time-received) > 5000)) and 
(rwa-speed-never-received = '0')))) then 
rwa-speed-state-int <= 3; 
-- Update obsolete information 
rwa-speed-obsolete (0) <= ' 1 ' ; 
end if; 
end if; 
end process rwa-speed-inputjrocess; 
-- Process for Input Element : RWA Temperature 
rwa-temperature-input-process : process (clock) begin 
if (clock'event and clock = '1') then 
if (((rwa-temperaturehas-new-data = '1'))) then 
-- Update Previous Values 
for i in 1 to 5 loop 
rwa-temperature (i) <= temp-rwa-temperature (i-1) ; 
rwa-temperature-obsolete(i) <= 
temp-rwa-temperature-obsolete(i-1); 
end loop; 
-- Update latest value 
rwa-temperature(0) <= rwa-temperature-data; 
rwa-temperature-state-int <= 1; 
rwa-temperature-obsolete (0) <= ' 0 ' ; 
-- Update timing related signals 
rwa-temperature-never-received <= '0'; 
rwa-temperature-time-received <= mission-time; 
elsif ((((rwa-temperaturehas-new-data /= '1')) and 
((((mission-time - rwa-temperature-time-received) <= 5000)) and 
(rwa-temperature-never-received = '0')))) then 
rwa-temperature-state-int <= 2; 
-- Update latest value 
rwa-temperature (0) <= rwa-temperature (1) ; 
-- Update obsolete information 
rwa-temperature-obsolete (0) <= ' 0 ' ; 
elsif ( ( ( ( (system-start = ' 1 ' ) ) and 
((rwa-temperature-never-received = '1'))) or 
((rwa-temperature-never-received = '1')) or ((((mission-time - 
rwa-temperature-time-received) > 5000)) and (rwa-temperature-never-received 
= '0')))) then 
rwa-temperature-state-int <= 3; 
-- Update obsolete information 
rwa-temperature-obsolete (0) <= ' 1 ' ; 
end if; 
end if; 
end process rwa~temperature~input~process; 
-- Process for Input Element : MTR A Current 
mtr~a~current~input~process : process (clock) begin 
if (clock'event and clock = '1') then 
if (((mtr-a-current-has-new-data = '1'))) then 
-- Update Previous Values 
for i in 1 to 5 loop 
mtr-a-current (i) <= tempmtr-a-current (i-1) ; 
mtr-a-current-obsolete (i) <= 
temp-mtr-a-current-obsolete(i-1); 
end loop; 
-- Update latest value 
mtr-a-current(0) <= mtr-a-current-data; 
mtr-a-current-state-int <= 1; 
mtr-a-current-obsolete (0) <= ' 0 ' ; 
-- Update timing related signals 
mtr-a-current-never-received <= '0'; 
mtr-a-current-time-received <= mission-time; 
elsif ((((mtr-a-current-has-new-data /=  '1')) and 
( (  ((mission-time - mtr-a-current-time-received) <= 5000)) and 
(mtr-a-current-never-received = '0')))) then 
mtr-a-current-state-int <= 2; 
-- Update latest value 
mtr-a-current (0) <= mtr-a-current (1) ; 
-- Update obsolete information 
mtr-a-current-obsolete (0) <= ' 0 ' ; 
elsif ( ( ( ( (system-start = ' 1') ) and 
((mtr-a-current-never-received = '1'))) or ((mtr-a-current-never-received = 
'1')) or ((((mission-time - mtr-a-current-time-received) > 5000)) and 
(mtr-a-current-never-received = ' 0 ' ) ) ) )  then 
mtr-a-current-state-int <= 3; 
-- Update obsolete information 
mtr-a-current-obsolete ( 0 )  <= ' 1 ' ; 
end if; 
end if; 
end process rntr~a~current~input-process; 
-- Process for Input Element : MTR B Current 
m t r ~ b ~ c u r r e n t ~ i n p u t ~ r o c e s s  : process (clock) begin 
if (clock'event and clock = '1') then 
if (((mtr-b-current-has-new-data = '1'))) then 
-- Update Previous Values 
for i in 1 to 5 loop 
mtr-b-current (i) <= temp-mtr-b-current (i-1) ; 
mt rbcurrent-obsolete (i) <= 
temp-mtr-b-current-obsolete(i-1); 
end loop; 
-- Update latest value 
mtrb-current (0) <= mtr-b-current-data; 
mtrb-current-state-int <= 1; 
mtrb-current-obsolete (0) <= ' 0 ' ; 
-- Update timing related signals 
mtr-b-current-never-received <= '0'; 
mtr-b-current-time-received <= mission-time; 
elsif ((((mtr-b-current-has-new-data /= '1')) and 
((((mission-time - mtr-b-current-time-received) <= 5000)) and 
(mtrb-current-never-received = 'Or)))) then 
mtr-b-current-state-int <= 2; 
-- Update latest value 
mtrb-current (0) <= mtr-b-current (1) ; 
-- Update obsolete information 
mtrb-current-obsolete (0) <= '0 ' ; 
elsif ( ( ( ( (system-start = ' 1') ) and 
((mtr-b-current-never-received = '1'))) or ((mtr-b-current-never-received = 
'1')) or ((((mission-time - mtr-b-current-time-received) > 5000)) and 
(mtr-b-current-never-received = '0')))) then 
mtrb-current-state-int <= 3; 
-- Update obsolete information 
mtrb-current-obsolete (0) <= '1 ' ; 
end if; 
end if; 
end process rntr~b~current~input-process; 
-- Process for Output element : RWA Torque 
rwa~torque~output-process : process (clock) begin 
if (clock'event and clock = '1') then 
if ( ( ( (rwa-health (0) = good) ) and 
( (octavia~torque~obsolete (0) /= '1 ' ) ) ) ) then 
rwa-torque-never-sent <= '0'; 
rwa-torque-time-sent <= mission-time; 
rwa-torque-torque-data <= octavia-torque (0) ; 
rwa-torque-torque-has-new-data <= '1'; 
else 
rwa-torque-torque-has-new-data <= '0'; 
end if; 
end if; 
end process rwa~torque~output_process; 
-- Process for Output element : MTR A Torque 
mtr~a~torque~output-process : process (clock) begin 
if (clock'event and clock = 'I1) then 
if ((((rwa-health(0) = bad)) and ((mtr-channel(0) = a)) and 
((octavia~torque~obsolete(0) /= '1'))) ) then 
mtr-a-torque-never-sent <= '0'; 
mtr-a-torque-time-sent <= mission-time; 
mtr-a-torque-torque-data <= octavia-torque(0); 
mtr-a-torque-torque-has-new-data <= '1'; 
else 
m t r ~ a ~ t o r q u e ~ t o r q u e ~ h a ~ ~ n e w ~ d a t a  <= '0'; 
end if; 
end if; 
end process mtr~a~torque~output~process; 
-- Process for Output element : MTR B Torque 
mtr~b~torque~output~process : process (clock) begin 
if (clock'event and clock = '1') then 
if ( ( ( (rwa-health (0) = bad) ) and ( (mtr-channel(0) = b) ) and 
( (octavia~torque~obsolete (0) /=  ' 1' ) ) ) ) then 
mt r-b-t orque-never-sent <= ' 0 ' ; 
mtrb-torque-time-sent <= mission-time; 
mtr-b-torque-torque-data <= octavia-torque(0); 
mtr-b-torque-torque-has-new-data <= '1'; 
else 
m t r b ~ t o r q u e ~ t o r q u e ~ h a s ~ n e ~ ~ d a t a  <= '0';
end if; 
end if; 
end process mtr~b~torque~output~process; 
-- Process for State Value Element : IMU Channel 
imu~channel~state~value~process : process(c1ock) begin 
if (clock'event and clock = '1') then 
temp-imu-channel <= imu-channel; 
if ( ( ( (system-start = '1' ) ) or 
((imu~attitude~rate~a~obs01ete~passed = '0') and 
(imu~attitude~rate~b~ob~01ete~passed = '0')))) then 
imu-channel-int <= 1; 
if (imu-channel(0) = a and 
imu-channel-never-transitioned = '0') then 
imu-channel-time-entered-unknown <= mission-time; 
imu-channel-time-exited-a <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-a <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel(i) <= temp-imu-channel(i-1); 
end loop; 
imu-channel(0) <= unknown; 
elsif (imu-channel(0) = b and 
imu-channel-never-transitioned = '0') then 
imu-channel-time-entered-unknown <= mission-time; 
imu-channel-time-exited-b <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-b <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel(i) <= temp-imu-channel(i-1); 
end loop; 
imu-channel(0) <= unknown; 
elsif (imu-channel(0) = none and 
imu-channel-never-transitioned = '0') then 
imu-channel-time-entered-unknown <= mission-time; 
imu-channel-time-exited-none <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-none <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel(i) <= temp-imu-channel(i-1); 
end loop; 
imu-channel(0) <= unknown; 
elsif (imu-channel-never-transitioned = '1') then 
imu-channel-time-entered-unknown <= 0; 
end if; 
elsif ( ( ( (system-start /= ' 1' ) ) and 
(irnu~attitude~rate~a~obs01ete-passed = '1') and 
(imu-attitude-rate-a-limitsassed = '1') and 
(imu-att itude-rate-a-static-passed = ' 1 ' ) and 
(imu~attitude~rate~compare~assed = '1'))) then 
imu-channel-never-entered-a <= '0'; 
imu-channel-int <= 2; 
if (imu-channel(0) = unknown) then 
imu-channel-time-entered-a <= mission-time; 
imu~channel~time~exited~unknown <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-unknown <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel ( i ) <= temp-imu-channel (i-1 ) ; 
end loop; 
imu-channel(0) <= a; 
elsif (imu-channel(0) = b) then 
imu-channel-time-entered-a <= mission-time; 
imu-channel-time-exited-b <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-b <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel (i) <= temp-imu-channel (i-1) ; 
end loop; 
imu-channel(0) <= a; 
elsif (imu-channel(0) = none) then 
imu-channel-time-entered-a <= mission-time; 
imu-channel-time-exited-none <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-none <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel (i) <= temp-imu-channel (i-1) ; 
end loop; 
imu-channel(0) <= a; 
end if; 
elsif (((((system-start /= '1')) and 
(imu-attitude-rate-a-limit-passed = '0') and 
(imu-attitude-rate-b-limit-passed = '1') and 
(imu-attitude-rate-b-obsolete-passed = '1') and 
(imu-attitude-rate-b-static-passed = '1')) or ( (  (system-start /= '1')) and 
(imu-attitude-rate-a-staticsassed = '0') and 
(imu-attitude-rate-b-limit-passed = '1') and 
(imu-attitude-rate-b-obsolete-passed = '1') and 
(imu-attitude-rate-b-static-passed = '1')) or (((system-start /= '1')) and 
(irnu~attitude~rate~compare~assed = '0') and 
(imu-attitude-rate-b-limitsassed = '1') and 
(imu-attitude-rate-b-obs~lete~passed = '1') and 
imu-channel-never-entered-b <= '0'; 
imu-channel-int <= 3; 
if (imu-channel(0) = unknown) then 
imu-channel-time-entered-b <= mission-time; 
imu~channel~time~exited~unknown <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-unknown <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel (i) <= temp-imu-channel (i-1 ) ; 
end loop; 
imu-channel(0) <= b; 
elsif (imu-channel(0) = a) then 
imu-channel-time-entered-b <= mission-time; 
imu-channel-time-exited-a <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-a <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel (i) <= temp-imu-channel (i-1) ; 
end loop; 
imu-channel(0) <= b; 
elsif (imu-channel(0) = none) then 
imu-channel-time-enteredb <= mission-time; 
imu-channel-time-exited-none <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-none <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel(i) <= temp-imu-channel(i-1); 
end loop; 
imu-channel(0) <= b; 
end if; 
elsif (((((system-start /=  '1')) and 
(imu-attitude-rate-a-obsolete-passed = '1') and 
(imu-attitude-rate-b-obsolete-passed = '1') and 
(imu-attitude-rate-a-limit-passed = '0') and 
(imu-attitude-rate-b-limit-passed = '0')) or (((system-start /= '1')) and 
(imu~attitude~rate~a~obs01ete~passed = '1') and 
(imu-attitude-rate-b-obsolete-passed = '1') and 
(imu-attitude-rate-a-limitsassed = '0') and 
(imu-attitude-rate-b-static-passed = '0')) or (((system-start /= '1')) and 
(imu~attitude~rate~a~obso1ete~passed = '1') and 
(imu-attitude-rate-b-obsolete-passed = '1') and 
(imu~attitude~rate~a~stati~~passed = '0') and 
(imu-attitude-rate-b-limit-passed = '0')) or (((system-start /= '1')) and 
(imu-attitude-rate-a-obsolete-passed = '1') and 
(imu-attitude-rate-b-obsolete-passed = '1') and 
(imu-attitude-rate-a-static-passed = '0') and 
(imu-attitude-rate-b-static-passed = '0')) or ( (  (system-start /= '1')) and 
(imu-attitude-rate-a-obsolete-passed = '1') and 
(imu-attitude-rate-b-ob~olete~passed = '1') and 
(imu-attitude-rate-compare-passed = '0') and 
(imu-attitude-rate-b-limitsassed = '0')) or (((system-start /= '1')) and 
fimu-attitude-rate-a-ob~olete~passed = '1') and 
(imu~attitude~rate~b~obso1ete~passed = '1') and 
fimu-attitude-rate-compare-passed = '0') and 
(imu-attitude-rate-b-static-passed = '0')))) then 
imu-channel-never-entered-none <= '0'; 
imu-channel-int <= 4; 
if (imu-channel(0) = unknown) then 
imu-channel-time-entered-none <= mission-time; 
imu~channel~time~exited~unknown <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-unknown <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel (i) <= temp-imu-channel (i-1) ; 
end loop; 
imu-channel ( 0) <= none; 
elsif (imu-channel(0) = a) then 
imu-channel-time-entered-none <= mission-time; 
imu-channel-time-exited-a <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-a <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel (i) <= temp-imu-channel ( i-1 ) ; 
end loop; 
imu-channel(0) <= none; 
elsif (imu-channel(0) = b) then 
imu-channel-time-entered-none <= missiontime; 
imu-channel-time-exited-b <= mission-time; 
imu-channel-time-transitioned <= mission-time; 
imu-channel-never-exited-b <= '0'; 
imu-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-channel (i) <= temp-imu-channel (i-1 ) ; 
end loop; 
imu-channel(0) <= none; 
end if; 
end if; 
end if; 
end process imu~channel~state~value~rocess; 
-- Process for State Value Element : IMU Health 
i m u ~ h e a l t h ~ s t a t e ~ v a l u e ~ r o c e s s  : process(clock) begin 
if (clock'event and clock = '1') then 
temp-imu-health <= imu-health; 
if ( ( ( (system-start = '1' ) ) or ( (imu-channel(0) = 
unknown) ) ) ) then 
imu-health-never-entered-unknown <= '0'; 
imu-health-int <= 1; 
if (imu-health(0) = good and 
imu-health-never-transitioned = '0') then 
imu-health-time-entered-unknown <= mission-time; 
imu-health-time-exited-good <= mission-time; 
imu-health-time-transitioned <= mission-time; 
imu-health-never-exited-good <= '0'; 
imu-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-health (i) <= temp-imu-health (i-1) ; 
end loop; 
imu-health (0) <= unknown; 
elsif (imu-health (0) = bad and 
imu-health-never-transitioned = '0') then 
imu-health-time-entered-unknown <= mission-time; 
imu-health-time-exited-bad <= mission-time; 
imu-health-time-transitioned <= mission-time; 
imu-health-never-exited-bad <= '0'; 
imu-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-health (i) <= temp-imuhealth (i-1) ; 
end loop; 
imu-health (0) <= unknown; 
elsif (imu-health-never-transitioned = '1 ' ) then 
imu-health-time-entered-unknown <= 0; 
end if; 
elsif ( ( ( ( (system-start /= '1 ' ) ) and ( (imu-channel(0) = a) ) 
and ( (imu-channel(0) /= b) ) ) or ( ( (system-start /= ' 1 ' ) ) and 
( (imu-channel(0) /= a) ) and ( (imu-channel(0) = b) ) ) ) ) then 
imu-health-never-entered-good <= '0'; 
imu-health-int <= 2; 
if (imu-health(0) = unknown) then 
imu-health-time-entered-good <= mission-time; 
imu-health-time-exited-unknown <= mission-time; 
imu-health-time-transitioned <= mission-time; 
imu-health-never-exited-unknown <= '0'; 
imu-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-health (i) <= temp-imu-health (i-1) ; 
end loop; 
imu-health (0) <= good; 
elsif (imu-health(0) = bad) then 
imu-health-time-entered-good <= mission-time; 
imu-health-time-exited-bad <= mission-time; 
imu-health-time-transitioned <= mission-time; 
imu-health-never-exited-bad <= '0'; 
imu-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-health (i) <= temp-imuhealth (i-1) ; 
end loop; 
imu-health (0) <= good; 
end if; 
elsif ( ( ( (system-start /= ' 1 ' ) ) and ( (imu-channel(0) = 
none) ) ) ) then 
imu-health-never-entered-bad <= '0'; 
imu-health-int <= 3; 
if (imu-health (0) = unknown) then 
imu-health-time-entered-bad <= mission-time; 
imu-health-time-exited-unknown <= mission-time; 
imu-health-time-transitioned <= mission-time; 
imu-health-never-exited-unknown <= '0'; 
imu-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-health(i) <= temp-imu-health(i-1); 
end loop; 
imu-health (0) <= bad; 
elsif (imu-health(0) = good) then 
imu-health-time-entered-bad <= mission-time; 
imu-health-time-exited-good <= mission-time; 
imu-health-time-transitioned <= mission-time; 
imu-health-never-exited-good <= '0'; 
imu-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
imu-health (i) <= temp-imu-health (i-1) ; 
end loop; 
imu-health (0) <= bad; 
end if; 
end if; 
end if; 
1151: end process imu~health~state~value~process; 
1152: 
1153: -- Process for State Value Element : CSS Health 
1154: css~health~state~value~process : process(c1ock) begin 
1155: if (clock'event and clock = ' 1') then 
1156: 
1157: temp-css-health <= css-health; 
1158: if ((((system-start = '1')) or 
((octavia~css~attitude~difference~never~received = '1')))) then 
1159: css-health-never-entered-unknown <= '0'; 
1160: css-health-int <= 1; 
1161: if (css-health(0) = good and 
css-health-never-transitioned = ' 0 ' )  then 
1162: css-health-time-entered_unknown <= mission-time; 
1163: css~health~time~exited~good <= mission-time; 
1164: css-health-time-transitioned <= mission-time; 
1165: css-health-never-exited-good <= '0'; 
1166: css-health-never-transitioned <= '0'; 
1167: for i in 1 to 1 loop 
1168: css-health (i) <= temp-css-health (i-1) ; 
1169: end loop; 
1170: css-health (0) <= unknown; 
1171: elsif (css-health (0) = bad and 
css-health-never-transitioned = '0') then 
css-health-time-entered-unknown <= mission-time; 
css-health-time-exited-bad <= mission-time; 
css-health-time-transitioned <= mission-time; 
css-health-never-exited-bad <= '0'; 
css-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
css-health (i) <= temp-css-health (i-1) ; 
end loop; 
css-health (0) <= unknown; 
1181: elsif (css-health-never-transitioned = '1') then 
1182: css-health-time-entered_unknown <= 0; 
1183: end if; 
1184: elsif ((((system-start /= '1')) and 
(css~attitude~compare~passed = '1'))) then 
1185: css-health-never-entered-good <= '0'; 
1186: css-health-int <= 2; 
1187: if (css-health(0) = unknown) then 
css-health-time-entered-good <= mission-time; 
css-health-time-exited-unknown <= mission-time; 
css-health-time-transitioned <= mission-time; 
css~health~never~exited~unknown <= '0'; 
css-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
css-health (i) <= temp-css-health (i-1) ; 
end loop; 
css-health (0) <= good; 
elsif (css-health (0) = bad) then 
css-health-time-entered-good <= mission-time; 
css-health-time-exitedbad <= mission-time; 
css-health-time-transitioned <= mission-time; 
css-health-never-exited-bad <= '0'; 
css-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
css-health (i) <= temp-css-health (i-1) ; 
end loop; 
css-health(0) <= good; 
end if; 
elsif ( ( ( (system-start /= ' 1 ' ) ) and 
(css~attitude~compare~passed = '0'))) then 
css-health-never-entered-bad <= '0'; 
css-health-int <= 3; 
if (css-health (0) = unknown) then 
css-health-time-entered-bad <= mission-time; 
css~health~time~exited~unknown <= mission-time; 
css-health-time-transitioned <= mission-time; 
css~health~never~exited~unknown <= '0'; 
css-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
css-health (i) <= temp-css-health (i-1) ; 
end loop; 
css-health (0) <= bad; 
elsif (css-health (0) = good) then 
css-health-time-entered-bad <= mission-time; 
css-health-time-exited-good <= mission-time; 
css-health-time-transitioned <= mission-time; 
css-health-never-exited-good <= '0'; 
css-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
csshealth(i) <= temp-css-health(i-1); 
end loop; 
css-health (0) <= bad; 
end if; 
end if; 
end if; 
end process css~health~state~value~process; 
-- Process for State Value Element : RWA Health 
rwa~health~state~value~process : process(c1ock) begin 
if (clock'event and clock = '1') then 
temp-rwa-health <= rwahealth; 
if ((((system-start = '1')) or (rwa-speed-obsolete-passed = 
'0') or (rwa-temperature-obsolete-passed = '0'))) then 
rwa-health-never-entered-unknown <= '0'; 
rwa-health-int <= 1; 
if (rwa-health(0) = good and 
rwa-health-never-transitioned = '0') then 
rwa-health-time-entered-unknown <= mission-time; 
rwa-health-time-exited-good <= mission-time; 
rwa-health-time-transitioned <= mission-time; 
rwa-health-never-exited-good <= '0'; 
rwa-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
rwa-health (i) <= temp-rwa-health (i-1) ; 
end loop; 
rwa-health (0) <= unknown; 
elsif (rwa-health (0) = bad and 
rwa-health-never-transitioned = '0') then 
rwa-health-time-entered-unknown <= mission-time; 
rwahealth-time-exited-bad <= mission-time; 
rwa-health-time-transitioned <= mission-time; 
rwa-health-never-exited-bad <= '0'; 
rwa-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
rwa-health (i) <= temp-rwa-health (i-1) ; 
end loop; 
rwa-health (0) <= unknown; 
elsif (rwa-health-never-transitioned = '1') then 
rwa-health-time-entered-unknown <= 0; 
end if; 
elsif ((((system-start /= '1')) and 
(rwa-speed-obsolete-passed = '1') and (rwa~temperature~obsolete~passed = 
'1') and (rwa-speed-limit-passed = '1') and (rwa-temperature-limit-passed = 
'1'))) then 
rwa-health-never-entered-good <= '0'; 
rwa-health-int <= 2; 
if (rwa-health (0) = unknown) then 
rwa-health-time-entered-good <= mission-time; 
rwa-health-time-exited-unknown <= mission-time; 
rwa-health-time-transitioned <= mission-time; 
rwa-health-never-exited-unknown <= '0'; 
rwa-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
rwa-health (i) <= temp-rwa-health (i-1) ; 
end loop; 
rwa-health (0) <= good; 
elsif (rwa-health(0) = bad) then 
rwa-health-time-entered-good <= mission-time; 
rwa-health-time-exitedbad <= mission-time; 
rwa-health-time-transitioned <= mission-time; 
rwa-health-never-exited-bad <= '0'; 
rwahealth-never-transitioned <= '0'; 
for i in 1 to 1 loop 
rwa-health (i) <= temp-rwa-health (i-1) ; 
end loop; 
rwa-health (0) <= good; 
end if; 
elsif ( ( ( ( (system-start /= ' 1 ' ) ) and 
(rwa-speed-obsolete-passed = '1') and (rwa~temperature~obsoleteepassed =
'1') and (rwa-speed-limit-passed = '0')) or (((system-start /= '1')) and 
(rwa-speed-obsolete-passed = '1') and (rwa~temperature~obsolete~passed = 
'1') and (rwa-temperature-limit-passed = '0')))) then 
rwa-health-never-entered-bad <= '0'; 
rwa-health-int <= 3; 
if (rwa-health (0) = unknown) then 
rwa-health-time-entered-bad <= mission-time; 
rwa-health-time-exited-unknown <= mission-time; 
rwa-health-time-transitioned <= mission-time; 
rwa-health-never-exited-unknown <= '0'; 
rwa-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
rwa-health (i) <= temp-rwa-health (i-1) ; 
end loop; 
rwa-health (0) <= bad; 
elsif (rwa-health (0) = good) then 
rwa-health-time-entered-bad <= mission-time; 
rwa-health-time-exited-good <= mission-time; 
rwa-health-time-transitioned <= mission-time; 
rwa-health-never-exited-good <= '0'; 
rwa-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
rwa-health (i) <= temp-rwa-health (i-1) ; 
end loop; 
rwa-health(0) <= bad; 
end if; 
end if; 
end if; 
end process rwa~health~state~value~process; 
-- Process for State Value Element : MTR Channel 
mtr~channel~state~valueprocess : process(c1ock) begin 
if (clock'event and clock = '1') then 
temp-mtr-channel <= mtr-channel; 
if ((((system-start = '1')) or 
((mtr-a-current-obsolete-passed = '0') and (mtr-b-current-~bsolete~passed = 
'0')))) then 
mtr-channel-never-entered-unknown <= '0'; 
mtr-channel-int <= 1; 
if (mtr-channel(0) = a and 
mtr-channel-never-transitioned = '0') then 
mtr-channel-time-entered-unknown <= mission-time; 
mtr-channel-time-exited-a <= mission-time; 
mtr-channel-time-transitioned <= mission-time; 
mtr-channel-never-exited-a <= '0'; 
mtr-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-channel (i) <= tempmtr-channel (i-1) ; 
end loop; 
mtr-channel(0) <= unknown; 
elsif (mtr-channel(0) = b and 
mtr-channel-never-transitioned = '0') then 
mtr-channel-time-entered-unknown <= mission-time; 
mtr-channel-time-exited-b <= mission-time; 
mtr-channel-time-transitioned <= mission-time; 
m t r - c h a n n e l - n e v e r - e x i t e d b  <= '0'; 
mtr-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-channel (i) <= temp-mtr-channel (i-1) ; 
end loop; 
mtr-channel (0) <= unknown; 
elsif (mtr-channel(0) = none and 
mtr-channel-never-transitioned = '0') then 
mtr-channel-time-entered-unknown <= mission-time; 
1349: mtr-channel-time-exited-none <= mission-time; 
1350: mtr-channel-time-transitioned <= mission-time; 
1351: mtr-channel-never-exited-none <= '0'; 
1352: mtr-channel-never-transitioned <= '0'; 
1353: for i in 1 to 1 loop 
1354: mtr-channel (i) <= temp-mtr-channel (i-1) ; 
1355: end loop; 
1356: mtr-channel(0) <= unknown; 
1357: elsif (mtr-channel-never-transitioned = ' 1 ' ) then 
1358: mtr-channel-time-entered-unknown <= 0; 
1359: end if; 
1360: elsif ( ( ( (system-start /=  ' 1' ) ) and 
(mtr-a-current-limit-passed = '1') and (mtr~a~current~obsolete~passed = 
'1'))) then 
1361: mtr-channel-never-entered-a <= '0'; 
1362: mtr-channel-int <= 2; 
1363: if (mtr-channel(0) = unknown) then 
1364: mtr-channel-time-entered-a <= mission-time; 
1365: mtr-channel-time-exited-unknown <= mission-time; 
1366: mtr-channel-time-transitioned <= mission-time; 
1367: mtr-channel-never-exited-unknown <= '0'; 
1368: mtr-channel-never-transitioned <= '0'; 
1369: for i in 1 to 1 loop 
1370: mtr-channel (i) <= tempmtr-channel (i-1) ; 
1371: end loop; 
1372: mtr-channel(0) <= a; 
1373: elsif (mtr-channel(0) = b) then 
1374: mtr-channel-time-entered-a <= mission-time; 
1375: mtr-channel-time-exited-b <= mission-time; 
1376: mtr-channel-time-transitioned <= mission-time; 
1377: mtr-channel-never-exited-b <= ' 0 ; 
1378: mtr-channel-never-transitioned <= '0'; 
1379: for i in 1 to 1 loop 
1380: mtr-channel (i) <= tempmtr-channel (i-1) ; 
1381: end loop; 
1382: mtr-channel(0) <= a; 
1383: elsif (mtr-channel(0) = none) then 
1384: mtr-channel-time-entered-a <= mission-time; 
1385: mtr-channel-time-exited-none <= mission-time; 
1386: mtr-channel-time-transitioned <= mission-time; 
1387: mtr-channel-never-exited-none <= '0'; 
1388: mtr-channel-never-transitioned <= '0'; 
1389: for i in 1 to 1 loop 
1390: mtr-channel(i) <= tempmtr-channel(i-1); 
1391: end loop; 
1392: mtr-channel(0) <= a; 
1393: end if; 
1394: elsif ( ( ( (system-start /= ' 1 ' ) ) and 
(mtr-a-current-limit-passed = '0') and (mtr~b~current~obsolete~passed = '1') 
and (mtr-b-current-limit-passed = '1'))) then 
1395: mtr-channel-never-entered-b <= '0'; 
1396: mtr-channel-int <= 3; 
1397: if (mtr-channel(0) = unknown) then 
1398: mtr-channel-time-enteredb <= mission-time; 
1399: mtr-channel-time-exited-unknown <= mission-time; 
1400: mtr-channel-time-transitioned <= mission-time; 
1401: mtr-channel-never-exited-unknown <= '0'; 
mtr-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-channel (i) <= temp-mtr-channel (i-1) ; 
end loop; 
mtr-channel(0) <= b; 
elsif (mtr-channel(0) = a) then 
mtr-channel-time-entered-b <= mission-time; 
mtr-channel-time-exited-a <= mission-time; 
mtr-channel-time-transitioned <= mission-time; 
mtr-channel-never-exited-a <= '0'; 
mtr-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-channel (i) <= temp-mtr-channel (i-1) ; 
end loop; 
mtr-channel(0) <= b; 
elsif (mtr-channel(0) = none) then 
mtr-channel-time-entered-b <= mission-time; 
mtr-channel-time-exited-none <= mission-time; 
mtr-channel-time-transitioned <= mission-time; 
mtr-channel-never-exited-none <= '0'; 
mtr-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-channel (i) <= temp-mtr-channel (i-1) ; 
end loop; 
mtr-channel(0) <= b; 
end if; 
elsif ( ( ( (system-start /= ' 1 ' ) ) and 
(mtr-a-current-obsolete-passed = '1') and (mtr-b-current-~bsolete~passed = 
' 1 ' ) and (mtr-a-current-limit-passed = ' 0 ' ) and (mtrb-current-limit-passed 
= '0'))) then 
mtr-channel-never-entered-none <= '0'; 
mt r-channel-int <= 4 ; 
if (mtr-channel(0) = unknown) then 
mtr-channel-time-entered-none <= mission-time; 
mtr-channel-time-exited-unknown <= mission-time; 
mtr-channel-time-transitioned <= mission-time; 
mtr-channel-never-exited-unknown <= '0'; 
mtr-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-channel (i) <= temp-mtr-channel (i-1) ; 
end loop; 
mtr-channel (0) <= none; 
elsif (mtr-channel(0) = a) then 
mtr-channel-time-entered-none <= mission-time; 
mtr-channel-time-exited-a <= mission-time; 
mtr-channel-time-transitioned <= mission-time; 
mtr-channel-never-exited-a <= '0'; 
mtr-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-channel(i) <= temp-mtr-channel(i-1); 
end loop; 
mtr-channel(0) <= none; 
elsif (mtr-channel(0) = b) then 
mtr-channel-time-entered-none <= mission-time; 
mtr-channel-time-exited-b <= mission-time; 
mtr-channel-time-transitioned <= mission-time; 
mtr-channel-never-exited-b <= ' 0 ' ; 
mtr-channel-never-transitioned <= '0'; 
for i in 1 to 1 loop 
1458: mtr-channel (i) <= temp-mtr-channel (i-1) ; 
1459: end loop; 
1460: mtr-channel(0) <= none; 
1461: end if; 
1462: end if; 
1463: end if; 
1464: end process mtr~channel~state~value~process; 
1465: 
1466: -- Process for State Value Element : MTR Health 
1467: mtr~health~state~value~process : process(c1ock) begin 
1468: if (clock'event and clock = '1') then 
1469: 
1470: temp-mtr-health <= mtrhealth; 
1471: if ( ( ( (system-start = ' 1 ' ) ) or ( (mtr-channel(0) = 
unknown)))) then 
1472: mtrhealth-never-entered-unknown <= '0'; 
1473: mtr-health-int <= 1; 
1474: if (mtr-health (0) = good and 
mtr-health-never-transitioned = '0') then 
mtr-health-time-entered-unknown <= mission-time; 
mtr-health-time-exited-good <= mission-time; 
mtr-health-time-transitioned <= mission-time; 
mtr-health-never-exited-good <= '0'; 
mtr-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-health (i) <= temp-mtr-health (i-1) ; 
end loop; 
mtr-health (0) <= unknown; 
elsif (mtr-health (0) = bad and 
mtr-health-never-transitioned = '0') then 
mtr-health-time-entered-unknown <= mission-time; 
mtr-health-time-exited-bad <= mission-time; 
mtr-health-time-transitioned <= mission-time; 
mtr-health-never-exited-bad <= '0'; 
mtr-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtrhealth (i) <= temp-mtr-health (i-1) ; 
end loop; 
mtr-health (0) <= unknown; 
elsif (mtr-health-never-transitioned = '1') then 
mtr-health-time-entered-unknown <= 0; 
end if; 
elsif ( ( ( ( (system-start /= ' 1 ' ) ) and ( (mtr-channel(0) = a) ) 
and ((mtr-channel(0) /= b))) or (((system-start /= '1')) and 
( (mtr-channel(0) /= a) ) and ( (mtr-channel(0) = b) ) ) ) ) then 
mtr-health-never-entered-good <= '0'; 
mtr-health-int <= 2; 
if (mtr-health(0) = unknown) then 
mtr-health-time-entered-good <= mission-time; 
mtr-health-time-exited-unknown <= mission-time; 
mtr-health-time-transitioned <= mission-time; 
mtr-health-never-exited-unknown <= '0'; 
mtr-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-health (i) <= temp-mtr-health (i-1) ; 
end loop; 
mtr-health (0) <= good; 
elsif (mtr-health (0) = bad) then 
mtr-health-time-entered-good <= mission-time; 
mtr-health-time-exited-bad <= mission-time; 
mtrhealth-time-transitioned <= mission-time; 
mtr-health-never-exited-bad <= '0'; 
mtr-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtrhealth (i) <= temp-mtr-health (i-1) ; 
end loop; 
mtr-health (0) <= good; 
end if; 
elsif ( ( ( (system-start /= '1' ) ) and ( (mtr-channel(0) = 
none) ) ) ) then 
mtr-health-never-entered-bad <= '0'; 
mtr-health-int <= 3; 
if (mtr-health (0) = unknown) then 
mtr-health-time-entered-bad <= mission-time; 
mtr-health-time-exited-unknown <= mission-time; 
mtr-health-time-transitioned <= mission-time; 
mtr-health-never-exited-unknown <= '0'; 
mtr-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-health (i) <= temp-mtr-health (i-1) ; 
end loop; 
mtr-health(0) <= bad; 
elsif (mtr-health (0) = good) then 
mtr-health-time-entered-bad <= mission-time; 
mtr-health-time-exited-good <= mission-time; 
mtr-health-time-transitioned <= mission-time; 
mtr-health-never-exited-good <= '0'; 
mtr-health-never-transitioned <= '0'; 
for i in 1 to 1 loop 
mtr-health (i) <= temp-mtr-health (i-1) ; 
end loop; 
mtr-health (0) <= bad; 
end if; 
end if; 
end if; 
end process mtr-health-state-value-process; 
-- Process for Mode Element : ACS Mode 
acs~mode~mode~process : process(c1ock) begin 
if (clock'event and clock = '1') then 
temp-acs-mode <= acs-mode; 
if ((((system-start = '1')) or (((system-start /=  '1')) and 
( (imu-health (0) /= bad) ) and ( (css-health (0) /=  bad) ) and ( (rwa-health (0) /= 
bad)) and ((mtr-health(0) /= bad))))) then 
acs-mode-never-entered-primary <= '0'; 
acs-mode-int <= 1; 
if facs-mode(0) = backup) then 
acs-mode-time-entered-primary <= mission-time; 
acs-mode-time-exited-backup <= mission-time; 
acs-mode-time-transitioned <= mission-time; 
acs-mode-never-exited-backup <= '0'; 
acs-mode-never-transitioned <= '0'; 
for i in 1 to 1 loop 
acs-mode (i) <= temp-acsmode (i-1) ; 
end loop; 
acs-mode (0) <= primary; 
elsif (acs-mode (0) = failed) then 
1568: acs-mode-time-entered-primary <= mission-time; 
1569: acs-mode-time-exited-failed <= mission-time; 
1570: acs-mode-time-transitioned <= mission-time; 
1571: acs-mode-never-exited-failed <= '0'; 
1572: acs-mode-never-transitioned <= '0'; 
1573: for i in 1 to 1 loop 
1574: acs-mode (i) <= temp-acsmode (i-1) ; 
1575: end loop; 
1576: acs-mode (0) <= primary; 
1577: end if; 
1578: elsif ( ( ( ( (system-start /= '1 ' ) ) and ( (imu-health (0) = bad) ) 
and ( (css-health (0) /= bad) ) and ( (rwa-health (0) /= bad) ) and 
( (mtrhealth (0) /= bad) ) ) or ( ( (system-start /=  ' 1' ) ) and ( (imu-health (0) = 
bad)) and ((css-health(0) /= bad)) and ((rwa-health(0) = bad)) and 
( (mtr-health(0) /=  bad)) ) or ( ( (system-start /= '1')) and ( (imu-health(0) = 
bad) ) and ( (css-health (0) /= bad) ) and ( (rwa-health (0) /= bad) ) and 
( (mtr-health (0) = bad) ) ) or ( ( (system-start /=  ' 1' ) ) and ( (imu-health (0) /= 
bad) ) and ( (css-health (0) = bad) ) and ( (rwa-health (0) /= bad) ) and 
( (mtr-health (0) /=  bad) ) ) or ( ( (system-start /= ' 1' ) ) and ( (imu-health (0) /= 
bad) ) and ( (css-health (0) = bad) ) and ( (rwa-health (0) = bad) ) and 
( (mtrhealth (0) /= bad) ) ) or ( ( (system-start /= '1') ) and ( (imu-health(0) /= 
bad) ) and ( (css-health (0) = bad) ) and ( (rwa-health (0) /= bad) ) and 
( (mtrhealth (0) = bad) ) ) or ( ( (system-start /= ' 1 ' ) ) and ( (imu-health (0) /= 
bad) ) and ( (css-health (0) /= bad) ) and ( (rwa-health (0) = bad) ) and 
( (mtrhealth (0) /= bad) ) ) or ( ( (system-start /= ' 1 ' ) ) and ( (imu-health (0) /= 
bad) ) and ( (css-health (0) /= bad) ) and ( (rwa-health (0) /= bad) ) and 
( (mtr-health(0) = bad) ) ) ) ) then 
1579: acs-mode-never-entered-backup <= '0'; 
1580: acs-mode-int <= 2; 
1581: if (acs-mode(0) = primary) then 
acs-mode-time-entered-backup <= mission-time; 
acs-mode-time-exited-primary <= mission-time; 
acs-mode-time-transitioned <= mission-time; 
acs-mode-never-exited-primary <= '0'; 
acs-mode-never-transitioned <= '0'; 
for i in 1 to 1 loop 
acs-mode (i) <= temp-acs-mode (i-1) ; 
end loop; 
acs-mode (0) <= backup; 
elsif (acs-mode(0) = failed) then 
acs-mode-time-entered-backup <= mission-time; 
acs-mode-time-exited-failed <= mission-time; 
acs-mode-time-transitioned <= mission-time; 
acs-mode-never-exited-failed <= '0'; 
acs-mode-never-transitioned <= '0'; 
for i in 1 to 1 loop 
acs-mode (i) <= temp-acsmode (i-1) ; 
end loop; 
acs-mode (0) <= backup; 
end if; 
elsif ( ( ( ( (system-start /=  ' 1 ' ) ) and ( (imu-health (0) = bad) ) 
and ( (css-health (0) = bad) ) and ( (rwa-health (0) /=  bad) ) and ( (mtr-health (0) 
/= bad) ) ) or ( ( (system-start / =  '1')) and ( (imu-health(0) = bad) ) and 
( (css-health (0) = bad) ) and ( (rwa-health (0) = bad) ) and ( (mtr-health (0) /= 
bad) ) ) or ( ( (system-start /= '1 ' )  ) and ( (imu-health (0) = bad) ) and 
( (css-health (0) = bad) ) and ( (rwa-health (0) /=  bad) ) and ( (mtr-health (0) = 
bad) ) ) or ( ( (system-start /=  'I ' ) ) and ( (imu-health (0) / =  bad) ) and 
( (css-health (0) / =  bad) ) and ( (rwa-health (0) = bad) ) and ( (mtr-health (0) = 
1603: acs-mode-never-entered-failed <= '0'; 
1604: acs-mode-int <= 3; 
1605: if (acs-mode(0) = primary) then 
1606: acs-mode-time-entered-failed <= mission-time; 
1607: acs-mode-time-exited-primary <= mission-time; 
1608: acs-mode-time-transitioned <= mission-time; 
1609: acs-mode-never-exited-primary <= '0'; 
1610: acs-mode-never-transitioned <= '0'; 
1611: for i in 1 to 1 loop 
1612: acs-mode (i) <= temp-acsmode (i-1) ; 
1613: end loop; 
1614: acs-mode (0) <= failed; 
1615: elsif (acs-mode (0) = backup) then 
1616: acs-mode-time-entered-failed <= mission-time; 
1617: acs~mode~time~exited~backup <= mission-time; 
1618: acs-mode-time-transitioned <= mission-time; 
1619: acs-mode-never-exited-backup <= '0'; 
1620: acs-mode-never-transitioned <= '0'; 
1621: for i in 1 to 1 loop 
1622: acs-mode(i) <= temp-acsmode(i-1); 
1623: end loop; 
1624: acs-mode (0) <= failed; 
1625: end if; 
1626: end if; 
1627 : end if; 
1628: end process acs~modemode~process; 
1629: 
1630: -- Process for Macro element : IMU Attitude Rate A Limit Passed 
1631: imu~attitude~rate~a~1imit-passed~ma~r0~process : process (clock) 
begin 
1632 : if (clock'event and clock = '1') then 
1633: if ( ( ( ( (imu-attitude-rate-a (0) > 0) and 
(imu-attitude-rate-a-obsolete (0) = ' 0 ' ) ) and ( (imu-attitude-rate-a (0) < 
1097859072) and (imu-attitude-rate-a-obsolete(0) = '0')) and 
((imu-attitude-rate-a(2) < 1097859072) and (imu-attitude-rate-a-obsolete(2) 
= ' 0' ) ) and ( (imu-attitude-rate-a (3) < 1097859072) and 
(imu-attitude-rate-a-obsolete (3) = ' 0 ' ) ) and ( (imu-attitude-rate-a (4) < 
1097859072) and (imu-attitude-rate-a-obsolete(4) = '0')) and 
((imu-attitude-rate-a(5) < 1097859072) and (imu-attitude-rate-a-obsolete(5) 
= '0') ) ) or ( ( (imu-attitude-rate-a(0) < 0) and 
(imu-attitude-rate-a-obsolete(0) = '0')) and ((imu-attitude-rate-a(0) < - 
1049624576) and (imu-attitude-rate-a-obsolete (0) = '0') ) and 
( (imu-attitude-rate-a (2) < -1049624576) and (imu-attitude-rate-a-obsolete (2) 
= ' 0' ) ) and ( (imu-attitude-rate-a (3) < -1049624576) and 
(imu-attitude-rate-a-obsolete(3) = '0')) and ((imu-attitude-rate-a(4) < - 
1049624576) and (imu-attitude-rate-a-obsolete(4) = '0')) and 
( (imu-attitude-rate-a (5) < -1049624576) and (imu-attitude-rate-a-obsolete (5) 
= ' 0' ) ) ) or ( (imu-attitude-rate-a (0) = 0) and 
(imu-attitude-rate-a-obsolete (0) = ' 0' ) ) ) ) then 
1634: imu-attitude-rate-a-limit-passed <= '1'; 
1635: else 
1636: imu-attitude-rate-a-limit-passed <= '0'; 
1637: end if; 
1638: end if; 
1639: end process imu~attitude~rate~a~limit~passeddma~roOprocess; 
1640: 
1641: -- Process for Macro element : IMU Attitude Rate B Limit Passed 
1642: i m u ~ a t t i t u d e ~ r a t e ~ b ~ 1 i m i t ~ p a s s e d _ m a c r o ~ p r o c e s s  : process (clock) 
begin 
1643: if (clock'event and clock = '1') then 
1644: if (((((imu-attitude-rate-b(0) > 0) and 
(imu-attitude-rate-b-obsolete (0) = '0') ) and ( (imu-attitude-rateb (0) < 
1097859072) and (imu-attitude-rate-b-obsolete(0) = '0')) and 
( (imu-attitude-rate-b (2) < 1097859072) and (imu-attitude-rate-b-obsolete (2) 
= '0') ) and ( (imu-attitude-rate-b (3) < 1097859072) and 
(imu-attitude-rate-b-obsolete(3) = '0')) and ((imu-attitude-rate-b(4) < 
1097859072) and (imu-attitude-rate-b-obsolete (4) = '0' ) ) and 
( (imu-attitude-rate-b (5) < 1097859072) and (imu-attitude-rate-b-obsolete (5) 
= '0')) ) or ( (  (imu-attitude-rateb(0) < 0) and 
(imu-attitude-rate-b-obsolete (0) = '0') ) and ( (imu-attitude-rate-b (0) < - 
1049624576) and (imu-attitude-rate-b-obsolete (0) = '0' ) ) and 
( (imu-attitude-rate-b (2) < -1049624576) and (imu-attitude-rate-b-obsolete (2) 
= '0') ) and ( (imu-attitude-rateb (3) < -1049624576) and 
(imu-attitude-rate-b-obsolete (3) = ' 0' ) ) and ( (imu-attitude-rate-b (4) < - 
1049624576) and (imu-attitude-rate-b-obsolete(4) = '0')) and 
( (imu-attitude-rate-b (5) < -1049624576) and (imu-attitude-rate-b-obsolete (5) 
= '0') ) ) or ( (imu-attitude-rate-b(0) = 0) and 
(imu-attitude-rate-b-obsolete (0) = '0' ) ) ) ) then 
1645: imu-attitude-rate-b-limit-passed <= '1'; 
1646: else 
1647: imu-attitude-rate-b-limit-passed <= '0'; 
1648: end if; 
1649: end if; 
1650: end process i m u ~ a t t i t u d e ~ r a t e ~ b ~ l i m i t ~ p a s s e d ~ ~ a c r o ~ p ~ ~ c ~ ~ ~ ;  
1651: 
1652: -- Process for Macro element : IMU Attitude Rate A Obsolete Passed 
1653: imu~attitude~rate~a~ob~olete~passed~macroprocess : process (clock) 
begin 
1654: if (clock'event and clock = '1') then 
1655: if ((((imu-attitude-rate-a-obsolete(0) /= '1')) and 
( (imu-attitude-rate-a-obsolete (2) /=  ' 1' ) ) and 
( (imu-attitude-rate-a-obsolete (3) /=  '1 ' ) ) and 
( (imu-attitude-rate-a-obsolete (4) /=  ' 1 ' ) ) and 
((imu-attitude-rate-a-obsolete(5) /= '1')))) then 
i m u ~ a t t i t u d e ~ r a t e ~ a _ o b s o l e t e ~ p a s s e d  <= '1'; 
else 
i m u ~ a t t i t u d e ~ r a t e ~ a _ o b s o l e t e ~ p a s s e d  <= '0'; 
end if; 
end if; 
1661: end process imu~attitude~rate~a~~b~~lete~passed~macro~process; 
1662: 
1663 : -- Process for Macro element : IMU Attitude Rate B Obsolete Passed 
1664: i m u ~ a t t i t u d e ~ r a t e ~ b ~ o b ~ 0 1 e t e _ p a s s e d ~ m a c r o p r o c e s s  : process (clock) 
begin 
1665: if (clock'event and clock = '1') then 
1666: if ( ( ( (imu-attitude-rate-b-obsolete (0) /= '1 ' )  ) and 
( (imu-attitude-rate-b-obsolete (2) /= ' 1 ' ) ) and 
((imu-attitude-rate-b-obsolete(3) /=  '1')) and 
( (imu-attitude-rate-b-obsolete (4) /= ' 1 ' ) ) and 
((imu-attitude-rate-b-obsolete(5) /=  '1') ) ) )  then 
1667: imu~attitude~rate~b~obso1ete~passed <= '1'; 
1668: else 
i m u ~ a t t i t u d e ~ r a t e ~ b _ o b s o l e t e ~ p a s s e d  <= '0'; 
end if; 
end if; 
end process i m u ~ a t t i t u d e ~ r a t e ~ b ~ 0 b ~ 0 1 e t e ~ p a ~ s e d ~ m a c r o j r o c e s s ;  
-- Process for Macro element : IMU Attitude Rate A Static Passed 
i m u ~ a t t i t u d e ~ r a t e ~ a ~ ~ t a t i ~ ~ p a s s e d ~ m a ~ r ~ - p r o c e s s  : process (clock) 
begin 
if (clock'event and clock = '1') then 
if ((((imu-attitude-rate-a(0) /= imu-attitude-rate-a(2)) and 
(imu-attitude-rate-a-obsolete(0) = '0') and (imu-attitude-rate-a-obsolete(2) 
= '0') ) and ( (imu-attitude-rate-a (0) /= imu-attitude-rate-a (3) ) and 
(imu-attitude-rate-a-obsolete (0) = '0 ' ) and (imu-attitude-rate-a-obsolete (3) 
= '0' ) ) and ( (imu-attitude-rate-a (0) /= imu-attitude-rate-a (4) ) and 
(imu-attitude-rate-a-obsolete (0) = '0' ) and (imu-attitude-rate-a-obsolete (4) 
= '0')) and ((imu-attitude-rate-a(0) /= imu-attitude-rate-a(5)) and 
(imu-attitude-rate-a-obsolete (0) = ' 0' ) and (imu-attitude-rate-a-obsolete (5) 
= '0')))) then 
imu-attitude-rate-a-staticsassed <= '1'; 
else 
imu-attitude-rate-a-static-passed <= '0'; 
end if; 
end if; 
end process i m u ~ a t t i t u d e ~ r a t e ~ a ~ ~ t a t i ~ - p a s s e d ~ m a ~ r ~ ~ r o c e s s ;  
-- Process for Macro element : IMU Attitude Rate B Static Passed 
imu~attitude~rateb~static_passed~macrojrocess : process (clock) 
begin 
if (clock'event and clock = '1') then 
if ( ( ( (imu-attitude-rate-b (0) /= imu-attitude-rate-b (2) ) and 
(imu-attitude-rate-b-obsolete(0) = '0') and (imu-attitude-rate-b-obsolete(2) 
= '0' ) ) and ( (imu-attitude-rate-b (0) /= imu-attitude-rate-b (3) ) and 
(imu-attitude-rate-b-obsolete(0) = '0') and (imu-attitude-rate-b-obsolete(3) 
= '0') ) and ( (imu-attitude-rate-b (0) /= imu-attitude-rate-b (4) ) and 
(imu-attitude-rate-b-obsolete (0) = '0') and (imu-attitude-rate-b-obsolete (4) 
= '0') ) and ( (imu-attitude-rate-b (0) /= imu-attitude-rate-b (5) ) and 
(imu-attitude-rate-b-obsolete (0) = '0' ) and (imu-attitude-rate-b-obsolete (5) 
= '0') ) ) )  then 
imu-attitude-rateb-staticsassed <= '1'; 
else 
imu-attitude-rateb-staticsassed <= '0'; 
end if; 
end if; 
end process i m u ~ a t t i t u d e ~ r a t e ~ b ~ ~ t a t i c ~ a ~ ~ e d ~ m a ~ r ~ ~ p r o c e s s ;  
-- Process for Macro element : IMU Attitude Rate Compare Passed 
imu~attitude~rate~compare-pa~~ed~macro_process : process (clock) 
begin 
if (clock'event and clock = ' 1') then 
if ( ( ( ( (octavia-imu-attitude-rate-difference 0 > 0) and 
(octavia~imu~attitude~rateedifference~obsolete(O) = '0')) and 
((octavia~imu~attitude~rate~difference(0) < 1073741824) and 
foctavia~imu~attitude~rate~difference~obsolete(0) = '0')) and 
((octavia-imu-attitude-rate-difference(2 < 1073741824) and 
(octavia~imu~attitude~rate~difference~obsolete(2) = '0')) and 
((octavia-imu-attitude-rate-difference(3) < 1073741824) and 
(octavia~imu~attitude~rate~difference~obsolete(3) = '0')) and 
((octavia-imu-attitude-rate-difference(4 < 1073741824) and 
(octavia~imu~attitude~rateedifference~obsolete(4) = '0')) and 
((octavia-imu-attitude-rate-difference(5) < 1073741824) and 
(octavia~imu~attitude~rateedifference~obsolete(5) = '0'))) or 
(((octavia~imu~attitude~rateedifference(0) < 0) and 
( o c t a v i a ~ i m u ~ a t t i t u d e _ r a t e d i f f e r e n c e ~ o b s o l e t e ( 0 )  = '0')) and 
((octavia-imu-attitude-rate-difference(0 < -1073741824) and 
(octavia~imu~attitude~rate~difference~obsolete(0) = ' ')) and 
((octavia-imu-attitude-rate-difference(2 < -1073741824) and 
imu~attitude~rate~compare~passed <= '1'; 
else 
imu~attitude~rate~compare~passed <= '0'; 
end if; 
end if; 
1705: end process imu~attitude~rate~compare~passed~macro~process; 
1706: 
1707: -- Process for Macro element : CSS Attitude Compare Passed 
1708: css~attitude~compare~passed~macro~process : process (clock) begin 
1709: if (clock'event and clock = '1') then 
1710: if ( ( ( ( ( o c t a v i a ~ c s s ~ a t t i t u d e ~ d i f f e r e n c e  (0) > 0) and 
(octavia~css~attitude~difference~obsolete(0) = '0')) and 
((octavia~css~attitude~difference(0) < 1073741824) and 
(octavia~css~attitude~difference~obsolete(0) = '0') ) )  or 
( ( (octavia-css-attitude-dif ference (0) < 0) and 
(octavia~css~attitude~difference~obsolete(0) = '0')) and 
((octavia~css~attitude~difference(0) < -1073741824) and 
(octavia~css~attitude~difference~obsolete(0) = '0'))) or 
( (octavia~css~attitude~difference (0) = 0) and 
(octavia~css~attitude~difference~obsolete(0) = '0')))) then 
css~attitude~compare~passed <= '1'; 
else 
css~attitude~compare~passed <= '0'; 
end if; 
end if; 
1716: end process css~attitude~compare~passed~macro~proces~; 
1717: 
1718: -- Process for Macro element : RWA Speed Obsolete Passed 
1719: rwa~speed~obsolete~passed~macro~process : process (clock) begin 
1720: if (clock'event and clock = '1') then 
1721: if ( ( ( (rwa-speed-obsolete (0) /= ' 1' ) ) and 
( (rwa-speed-obsolete (2) /=  ' 1 ' ) ) and ( (rwa-speed-obsolete (3) /=  ' 1 ' ) ) and 
( (rwa-speed-obsolete (4) /= ' 1 ' ) ) and ( (rwa-speed-obsolete (5) /= ' 1 ' ) ) ) ) then 
rwa-speed-obsolete-passed <= '1'; 
else 
rwa-speed-obsolete-passed <= '0'; 
end if; 
end if; 
1727: end process rwa~speed~obsolete~passed~macro~process; 
1728: 
1729: -- Process for Macro element : RWA Speed Limit Passed 
1730: rwa~speed~limit~passed~macro~process : process (clock) begin 
1731: if (clock'event and clock = '1') then 
1732: if ( ( ( (rwa-speed(0) < 1169915904) and (rwa-speed-obsolete (0) 
= '0 ' ) ) and ( (rwa-speed (2) < 1169915904) and (rwa-speed-obsolete (2) = ' 0 ' ) ) 
and ( (rwa-speed (3) < 1169915904) and (rwa-speed-obsolete (3) = ' 0' ) ) and 
( (rwa-speed(4) < 1169915904) and (rwa-speed-obsolete (4) = '0' ) ) and 
( (rwa-speed (5) < 1169915904) and (rwa-speed-obsolete (5) = ' 0' ) ) ) ) then 
rwa-speed-limit-passed <= ' 1 ' ; 
else 
rwa-speed-limit-passed <= '0'; 
end if; 
end if; 
end process rwa~speed~limit~passed~macro~process; 
-- Process for Macro element : RWA Temperature Obsolete Passed 
rwa~ternperature~obsolete~passed~macro~process : process (clock) begin 
if (clock'event and clock = '1') then 
if ( ( ( (rwa-temperature-obsolete (0) /= '1 ' ) ) and 
( (rwa-temperature-obsolete (2) /= ' 1 ' ) ) and ( (rwa-temperature-obsolete (3) /=  
' 1 ' ) ) and ( (rwafemperature-obsolete (4) /= ' 1 ' ) ) and 
((rwa-temperature-obsolete(5) /= '1')))) then 
rwa~ternperature~obsolete-passed <= '1'; 
else 
rwa~temperature~obsolete-passed <= '0'; 
end if; 
end if; 
end process rwa~temperature~obsolete-pa~~ed~ma~r~-process; 
-- Process for Macro element : RWA Temperature Limit Passed 
r w a ~ t e m p e r a t u r e ~ l i m i t - p a ~ ~ e d ~ m a c r o ~ p r ~ ~ e s s  : proce s (clock) begin 
if (clock'event and clock = '1') then 
if ( ( ( (rwa-temperature (0) < 1114636288) and 
(rwa-temperature-obsolete (0) = ' 0 ' ) ) and ( (rwa-temperature (2) < 1114636288) 
and (rwa-temperature-obsolete (2) = ' 0' ) ) and ( (rwa-temperature (3) < 
1114636288) and (rwa-temperature-obsolete (3) = ' 0 ' ) ) and 
( (rwa-temperature (4) < 1114636288) and (rwa-temperature-obsolete (4) = '0') ) 
and ( (rwa-temperature (5) < 1114636288) and (rwa-temperature-obsolete (5) = 
'0')))) then 
rwa-temperature-limitsassed <= '1'; 
else 
rwa-temperature-limit-passed <= '0'; 
end if; 
end if; 
end process rwa~temperature~limit-passed~macro~rocess; 
-- Process for Macro element : MTR A Current Obsolete Passed 
m t r ~ a ~ c u r r e n t ~ o b s o l e t e ~ p a s ~ e d ~ m a c r o ~ r ~ ~ e s s  : p ocess (clock) begin 
if (clock'event and clock = '1') then 
if ( ( ( (mtr-a-current-obsolete (0) /= '1 I )  ) and 
( (mtr-a-current-obsolete (2) /= '1 ' ) ) and ( (mtr-a-current-obsolete (3) /= 
' 1 ' ) ) and ( (mtr-a-current-obsolete (4) /= '1 ' ) ) and 
((mtr-a-current-obsolete(5) /= '1')))) then 
m t r ~ a ~ c u r r e n t ~ o b s o l e t e ~ a s s e d  <= '1'; 
else 
m t r ~ a ~ c u r r e n t ~ o b s o l e t e ~ a s s e d  <= ' 0 ' ; 
end if; 
end if; 
end process mtr~a~current~obsolete-pas~ed~macro_process; 
-- Process for Macro element : MTR B Current Obsolete Passed 
rntr~b~current~obsolete~passed~macro_process : process (clock) begin 
if (clock'event and clock = '1') then 
if ( ( ( (mtr-b-current-obsolete (0) /= ' 1 ' ) ) and 
( (mtr-b-current-obsolete (2) /= ' 1 ' ) ) and ( (mtr-b-current-obsolete (3) /= 
'1 ' ) ) and ( (mtr-b-current-obsolete (4) /= ' 1 ' ) ) and 
( (mtr-b-current-obsolete (5) /= ' 1 ' ) ) ) ) then 
mtr~b~current~obsolete~passed <= '1'; 
else 
mtr~b~current~obsolete~passed <= '0'; 
end if; 
end if; 
end process mtr~b~current~obsolete~passed~macro~process; 
-- Process for Macro element : MTR A Current Limit Passed 
mtr~a~current~limit~pas~ed~macro~process : process (clock) begin 
if (clock'event and clock = '1') then 
if ( ( ( (mtr-a-current (0) < 1120403456) and 
(mtr-a-current-obsolete (0) = ' 0 ' ) ) and ( (mtr-a-current (2) < 1120403456) and 
(mtr-a-current-obsolete (2) = '0') ) and ( (mtr-a-current (3) < 1120403456) and 
(mtr-a-current-obsolete (3) = ' 0 ' ) ) and ( (mtr-a-current (4) < 1120403456) and 
(mtr-a-current-obsolete (4) = ' 0 ' ) ) and ( (mtr-a-current (5) < 1120403456) and 
(mtr-a-current-obsolete(5) = '0')))) then 
mtr-a-current-limit-passed <= '1'; 
else 
mtr-a-current-limit-passed <= '0'; 
end if; 
end if; 
end process mtr~a~current~limit~passed~macro~process; 
-- Process for Macro element : MTR B Current Limit Passed 
mtr~b~current~limit~pa~sed~ma~ro~process : process (clock) begin 
if (clock'event and clock = '1') then 
if ( ( ( (mtr-b-current 0 )  < 1120403456) and 
(mtr-b-current-obsolete (0) = '0 ' ) ) and ( (mtr-b-current (2) < 1120403456) and 
(mtr-b-current-obsolete (2) = ' 0 ' ) ) and ( (mtr-b-current (3) < 1120403456) and 
(mtr-b-current-obsolete (3) = ' 0 ' ) ) and ( (mtrb-current (4) < 1120403456) and 
(mtr-b-current-obsolete(4) = '0')) and ((mtr-b-current(5) < 1120403456) and 
(mtr-b-current-obsolete (5) = ' 0 ' ) ) ) ) then 
mtrb-current-limit-passed <= '1'; 
else 
mtr-b-current-limit-passed <= ' 0 ' ; 
end if; 
end if; 
end process mtr~b~current~limit~passed~macro~process; 
-- BRAM Interface Process 
bram-interface-process : process (clock, counter) begin 
if (clock'event and clock = ' 1 ' ) then 
-- Read Input Data from BRAM 
if (counter = 10) then 
-- Set Address for IMU Attitude Rate A 
MY-BRAMAddr <= 
conv~std~logic~vector(imu~attitude~rate~aaddr,29) & "000"; 
MY-BRAM-EN <= '1'; 
MY-BRAM-WEN <= X1'OO" ;
elsif (counter = 12) then 
if (MY-BRAM-Din(0) = '1') then 
temp-imu-attitude-rate-a <= imu-attitude-rate-a; 
temp-imu-attitude-rate-a-obsolete <= 
imu-attitude-rate-a-obsolete; 
end if; 
elsif (counter = 14) then 
if (MY-BRAM-Din(0) = '1') then 
temp-imu-attitude-rate-a(0) <= 
conv-integer(MY-BRAM-Din(63 downto 32)); 
1828: end if; 
1829: elsif (counter = 16) then 
1830: -- Store Data if there is New Data 
1831: if (MY-BRAM-Din (0) = '1') then 
1832: imu-attitude-rate-a-data <= conv-integer(MY-BRAM-Din(63 
downto 32) ) ;  
1833: imu-attitude-rate-a-has-new-data <= '1'; 
1834: else 
1835: imu-attitude-rate-a-has-new-data <= '0'; 
1836: end if; 
1837: elsif (counter = 20) then 
1838: if (MY-BRAM-Din(0) = '1') then 
1839: imu-attitude-rate-a-has-new-data <= '0'; 
1840: end if; 
1841: elsif (counter = 22) then 
1842: MY-BRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(imu~attit~de~rate~a~data~32); 
1843: MY-BRAM-Dout (31 downto 0) <= X"0000~0000"; 
1844: elsif (counter = 24) then 
1845: -- If New Data Received, Reset New Data Register 
1846: if (MY-BRAM-Din(0) = '1') then 
1847: -- Enable Write 
1848: MY-BRAM-EN <= '1'; 
1849: MY-BRAM-WEN <= X"FF1' ;
1850: end if; 
1851: elsif (counter = 26) then 
1852: -- Disable BRAM En pin 
1853: MYBRAM-EN <= '0'; 
1854: MY-BRAM-WEN <= X"O0"; 
1855: 
1856: elsif (counter = 30) then 
1857: -- Set Address for IMU Attitude Rate B 
1858: MY-BRAM-Addr <= 
conv~std~logic~vector(imu~attit~de~rate~baddr~29) & "000"; 
1859: MY-BRAMEN <= '1'; 
1860: MY-BRAM-WEN <= X"O0"; 
1861: elsif (counter = 32) then 
1862: if (MY-BRAM-Din(0) = '1') then 
1863: temp-imu-attitude-rate-b <= imu-attitude-rate-b; 
1864: temp-imu-attitude-rate-b-obsolete <= 
imu-attitude-rate-b-obsolete; 
1865: end if; 
1866: elsif (counter = 34) then 
1867: if (MY-BRAM-Din(0) = '1') then 
1868: temp-imu-attitude-rateb(0) <= 
conv-integer(MY-BRAM-Din(63 downto 32)); 
1869: end if; 
1870: elsif (counter = 36) then 
1871: -- Store Data if there is New Data 
1872: if (MY-BRAM-Din (0) = '1') then 
1873: imu-attitude-rate-b-data <= conv-integer(MY-BRAM-Din(63 
downto 32)); 
1874: imu-attitude-rate-b-has-new-data <= '1'; 
1875: else 
1876: imu-attitude-rate-b-has-new-data <= '0'; 
1877: end if; 
1878: elsif (counter = 40) then 
if (MY-BRAM-Din (0) = '1') then 
imu-attitude-rate-b-has-new-data <= '0'; 
end if; 
elsif (counter = 42) then 
MYBRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(imu~attitude~rate~b~data,32); 
MYBRAM-Dout (31 downto 0) <= X"0000~0000"; 
elsif (counter = 44) then 
-- If New Data Received, Reset New Data Register 
if (MYBRAM-Din (0) = '1') then 
-- Enable Write 
MY-BRAM-EN <= '1'; 
MY-BRAM-WEN <= XmFF"; 
end if; 
elsif (counter = 46) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X"O0"; 
elsif (counter = 50) then 
-- Set Address for Octavia IMU Attitude Rate Difference 
MYBRAM-Addr <= 
conv~std~logic~vector ( c t av i a - imu-a t t i t ude ra t ed i f f e r enceadd r ,  29) & v'OOO"; 
MY-BRAM-EN <= '1'; 
MYBRAM-WEN <= XwOO"; 
elsif (counter = 52) then 
if (MY-BRAM-Din (0) = '1') then 
temp~octavia~imu~attitude~rate~difference <= 
octavia-imu-attitude-rate-difference; 
temp~octavia~imu~attitude~rate~differenceobsolete c= 
octavia~imu~attitude~rate~difference~obsolete; 
end if; 
elsif (counter = 54) then 
if (MY-BRAM-Din(0) = '1') then 
temp~octavia~imu~attitude~rate~difference(0) <= 
conv-integer(MYBRAM-Din(63 downto 32)); 
end if; 
elsif (counter = 56) then 
-- Store Data if there is New Data 
if (MYBRAM-Din(0) = '1') then 
octavia-imu-attitude-rate-difference-data <= 
conv-integer (MYBRAM-Din (63 downto 32) ) ; 
octavia~imu~attitude~rateedifference~hasnewdata <= '1'; 
else 
octavia~imu~attitude~rate~difference~has~new~data <= '0'; 
end if; 
elsif (counter = 60) then 
if (MY-BRAM-Din(0) = '1') then 
octavia~imu~attitude~rate~difference~has~new~data <= '0';
end if; 
elsif (counter = 62) then 
MYBRAM-Dout (63 downto 32 ) <= 
conv~std~logic~vector(octavia~imu~attitude~rate~difference~data,32); 
MY-BRAM-Dout (31 downto 0) <= X"0000~0000"; 
elsif (counter = 64) then 
-- If New Data Received, Reset New Data Register 
if (MY-BRAM-Din(0) = '1') then 
1929: -- Enable Write 
1930: MY-BRAM-EN <= '1'; 
1931: MY-BRAM-WEN <= X"FF1'; 
1932: end if; 
1933: elsif (counter = 66) then 
1934 : -- Disable BRAM En pin 
1935: MYBRAM-EN <= '0'; 
1936: MY-BRAM-WEN <= XnOO"; 
1937: 
1938: elsif (counter = 70) then 
1939: -- Set Address for CSS Attitude A 
1940: MY-BRAM-Addr <= conv~std~logic~vector(css~attitude~a~addr, 
29) & "000"; 
1941: MYBRAM-EN <= '1'; 
1942: MY-BRAM-WEN <= XWOO"; 
1943: elsif (counter = 72) then 
1944: if (MY-BRAM-Din(0) = '1') then 
1945: temp-css-attitude-a <= css-attitude-a; 
1946: temp~css~attitude~a~obso1ete <= css-attitude-a-obsolete; 
1947: end if; 
1948: elsif (counter = 74) then 
1949: if (MY-BRAM-Din (0) = '1') then 
1950: temp-css-attitude-a(0) <= conv-integer(MY-BRAM-Din(63 
downto 32)); 
1951: end if; 
1952: elsif (counter = 76) then 
1953: -- Store Data if there is New Data 
1954 : if (MY-BRAM-Din(0) = '1') then 
1955: css-attitude-a-data <= conv-integer(MY-BRAM-Din(63 
downto 32)); 
1956: css-attitude-a-has-new-data <= '1'; 
1957: else 
1958: css-attitude-a-has-new-data <= '0'; 
1959: end if; 
1960: elsif (counter = 80) then 
1961: if (MY-BRAM-Din(0) = '1') then 
1962: css-attitude-a-has-new-data <= '0'; 
1963: end if; 
1964: elsif (counter = 82) then 
1965: MYBRAM-Dout(63 downto 32) <= 
conv~std~logicvector(css~attitude~aadata,32); 
1966: MYBRAM-Dout(31 downto 0) <= X"0000~0000"; 
1967: elsif (counter = 84) then 
1968: -- If New Data Received, Reset New Data Register 
1969: if (MY-BRAM-Din(0) = '1') then 
1970: -- Enable Write 
1971: MY-BRAM-EN <= '1'; 
1972: MY-BRAM-WEN <= X "FF " ; 
1973: end if; 
1974: elsif (counter = 86) then 
1975: -- Disable BRAM En pin 
1976: MY-BRAM-EN <= '0'; 
1977: MY-BRAM-WEN <= X" 00" ; 
1978: 
1979: elsif (counter = 90) then 
1980: -- Set Address for CSS Attitude B 
1981: MY-BRAM-Addr <= conv~std~logic~vector(css~attitudeb~addr, 
29) & "000"; 
MY-BRAM-EN <= '1'; 
MY-BRAM-WEN <= X"O0"; 
elsif(counter = 92) then 
if (MY-BRAM-Din(0) = '1') then 
temp-css-attitude-b <= css-attitude-b; 
temp~css~attitude~b~obsolete <= css-attitude-b-obsolete; 
end if; 
elsif (counter = 94) then 
if (MY-BRAM-Din (0) = '1') then 
temp-css-attitude-b(0) <= conv-integer(MY-BRAM-Din(63 
downto 32) ) ;  
end if; 
elsif (counter = 96) then 
-- Store Data if there is New Data 
if (MY-BRAM-Din(0) = '1') then 
css-attitude-b-data <= conv-integer(MY-BRmDin(63 
downto 32)); 
css-attitude-b-has-new-data <= '1'; 
else 
css-attitude-b-has-new-data <= '0'; 
end if; 
elsif (counter = 100) then 
if (MY-BRAM-Din(0) = '1') then 
css-attitude-b-has-new-data <= '0'; 
end if; 
elsif (counter = 102) then 
MY-BRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(css~attitude~b~dataf32); 
MY-BRAM-Dout(31 downto 0) <= X"0000~0000"; 
elsif (counter = 104) then 
-- If New Data Received, Reset New Data Register 
if (MY-BRAM-Din(0) = '1') then 
-- Enable Write 
MY-BRAM-EN <= '1'; 
MY-BRAM-WEN <= X"FFW; 
end if; 
elsif (counter = 106) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X" 0 0 " ; 
elsif (counter = 110) then 
-- Set Address for Octavia CSS Attitude Difference 
MY-BRAM-Addr <= 
conv~std~logic~vector(octavia~cssSattitudedi£ferenceaddrf29) & "000"; 
MY-BRAM-EN <= 'I' ; 
MY-BRAM-WEN <= X"OOn; 
elsif (counter = 112) then 
if (MY-BRAM-Din(0) = '1') then 
temp~octavia~css~attitude~difference <= 
octavia~css~attitude~difference; 
temp~octavia~css~attitude~difference~obsolete <= 
octavia~css~attitude~difference~obso1ete; 
end if; 
elsif (counter = 114) then 
if (MY-BRAM-Din(0) = '1') then 
temp~octavia~css~attitude~difference(0) <= 
conv-integer(MY-BRAM-Din(63 downto 32)); 
2033: end if; 
2034: elsif (counter = 116) then 
2035 : -- Store Data if there is New Data 
2036: if (MY-BRAM-Din (0) = '1') then 
2037: octavia~css~attitude~differen~e~data <= 
conv-integer(MY-BRAM-Din(63 downto 32)); 
2038: octavia~css~attitude~differen~e~has~new~data <= '1';
2039: else 
2040: octavia~css~attitude~differen~e~has~new~data <= '0';
2041: end if; 
2042: elsif (counter = 120) then 
2043: if (MY-BRAM-Din(0) = ' I 1 )  then 
2044 : octavia~css~attitude~difference~has~ne~~data <= '0';
2045: end if; 
2046: elsif (counter = 122) then 
2047: MYBRAM-Dout (63 downto 32) <= 
conv~std~logic~vector(octavia~~ss~attitude~difference~data,32); 
2048: MY-BRAM-Dout (31 downto 0) <= X"0000~0000"; 
2049: elsif (counter = 124) then 
2050 : -- If New Data Received, Reset New Data Register 
2051: if (MY-BRAM-Din (0) = '1') then 
2052: -- Enable Write 
2053 : MY-BRAM-EN <= '1'; 
2054: MY-BRAM-WEN <= X"FFV; 
2055: end if; 
2056: elsif (counter = 126) then 
2057 : -- Disable BRAM En pin 
2058: MY-BRAM-EN <= '0'; 
2059: MY-BRAM-WEN <= X"O0"; 
2060: 
2061: elsif (counter = 130) then 
2062: -- Set Address for Commanded Attitude 
2063: MYBRAM-Addr <= 
conv~std~logic~vector(commanded~attitudeaddr,29) & "000"; 
2064: MY-BRAM-EN <= '1'; 
2065: MY-BRAM-WEN <= X" 00 " ; 
2066: elsif(counter = 132) then 
2067: if (MY-BRAM-Din(0) = '1') then 
2068 : temp-commanded-attitude <= commanded-attitude; 
2069: temp~commanded~attitude~obso1ete <= 
commanded-attitude-obsolete; 
2070: end if; 
2071: elsif (counter = 134) then 
2072: if (MY-BRAM-Din(0) = '1') then 
2073: temp-commanded-att itude (0) <= 
conv-integer(MY-BRAM-Din(63 downto 32)); 
2074: end if; 
2075: elsif (counter = 136) then 
2076: -- Store Data if there is New Data 
2077: if (MY-BRAM-Din (0) = '1') then 
2078: commanded-attitude-data <= conv-integer(MY-BRAM-Din(63 
downto 32)); 
2079: commanded~attitude~has~ne~~data <= '1'; 
2080: else 
2081: commanded~attitude~has~ne~~data <= '0'; 
2082: end if; 
2083: elsif (counter = 140) then 
if (MY-BRAM-Din(0) = '1') then 
commanded-attitude-has-new-data <= '0'; 
end if; 
elsif (counter = 142) then 
MY-BRAM-Dout(63 downto 32) <= 
c o n v ~ s t d ~ l o g i c ~ v e c t o r ( c o m m a n d e d _ a t t i t u d e ~ d a t a f 3 2 ) ;  
MY-BRAM-Dout(31 downto 0) <= X"0000~0000"; 
elsif (counter = 144) then 
-- If New Data Received, Reset New Data Register 
if (MY-BRAM-Din(0) = '1') then 
-- Enable Write 
MY-BRAM-EN <= '1'; 
MY-BRAM-WEN <= XnFF";  
end if; 
elsif (counter = 146) then 
-- Disable BRAM En pin 
MY-BRAM-EN <= '0'; 
MY-BRAM-WEN <= X"O0"; 
elsif (counter = 150) then 
-- Set Address for Octavia Torque 
MY-BRAM-Addr <= conv~std~logic~vector(octavia~torque~addrf 
29) & "000"; 
MY-BRAM-EN <= '1'; 
MY-BRAM-WEN <= X"O0"; 
elsif(counter = 152) then 
if (MY-BRAM-Din(0) = '1') then 
temp-octavia-torque <= octavia-torque; 
t e m p ~ o c t a v i a ~ t o r q u e _ o b s o l e t e  <= octavia~torque~obsolete; 
end if; 
elsif (counter = 154) then 
if (MY-BRAM-Din(0) = '1') then 
temp-octavia-torque (0) <= conv-integer (MY-BRAM-Din (63 
downto 32)); 
end if; 
elsif (counter = 156) then 
-- Store Data if there is New Data 
if (MY-BRAM-Din(0) = '1') then 
octavia-torque-data <= conv_integer(MY_BRAM_Din(63 
downto 32)); 
octavia-torque-has-new-data <= '1'; 
else 
octavia-torque-has-new-data <= '0'; 
end if; 
elsif (counter = 160) then 
if (MY-BRAM-Din (0) = '1') then 
octavia-torque-has-new-data <= '0'; 
end if; 
elsif (counter = 162) then 
MY-BRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(octavia~torq~e~data~32); 
MY-BRAM-Dout(31 downto 0) <= X"0000~0000~; 
elsif (counter = 164) then 
-- If New Data Received, Reset New Data Register 
if (MY-BRAM-Din(0) = '1') then 
-- Enable Write 
MY-BRAM-EN <= '1'; 
2136: MY-BRAM-WEN <= XwFF"; 
2137: end if; 
2138: elsif (counter = 166) then 
2139: -- Disable BRAM En pin 
2140: MY-BRAM-EN <= '0'; 
2141: MY-BRAM-WEN <= X"O0"; 
2142: 
2143: elsif (counter = 170) then 
2144: -- Set Address for RWA Speed 
2145: MY-BRAM-Addr <= conv~std~logic~vector(rwa~speed~addr,29) & 
"000"; 
2146: MY-BRAM-EN <= '1'; 
2147: MY-BRAM-WEN <= X" 00 " ; 
2148: elsif (counter = 172) then 
2149: if (MY-BRAM-Din (0) = ' I ' ) then 
2150: temp-rwa-speed <= rwa-speed; 
2151: temp-rwa-speed-obsolete <= rwa-speed-obsolete; 
2152: end if; 
2153: elsif (counter = 174) then 
2154: if (MY-BRAM-Din (0) = '1') then 
2155: temp-rwa-speed(0) <= conv-integer(MY-BRAM-Din(63 downto 
32)); 
2156: end if; 
2157: elsif (counter = 176) then 
2158: -- Store Data if there is New Data 
2159: if (MY-BRAM-Din(0) = '1') then 
2160: rwa-speed-data <= conv-integer(MY-BRAM-Din(63 downto 
32) ) ;  
2161: rwa-speed-has-new-data <= '1'; 
2162: else 
2163: rwa-speed-has-new-data <= ' 0 ' ; 
2164: end if; 
2165: elsif (counter = 180) then 
2166: if (MY-BRAM-Din(0) = '1') then 
2167: rwa-speed-has-new-data <= '0'; 
2168: end if; 
2169: elsif (counter = 182) then 
2170: MY-BRAM-Dout (63 downto 32) <= 
conv~std~logic~vector(rwa~speed~data,32); 
2171: MY-BRAM-Dout(31 downto 0) <= X"0000~0000"; 
2172: elsif (counter = 184) then 
2173: -- If New Data Received, Reset New Data Register 
2174: if (MY-BRAM-Din (0) = '1') then 
2175: -- Enable Write 
2176: MY-BRAM-EN <= '1'; 
2177: MY-BRAM-WEN <= XWFF"; 
2178: end if; 
2179: elsif (counter = 186) then 
2180: -- Disable BRAM En pin 
2181: MY-BRAM-EN <= '0'; 
2182: MY-BRAM-WEN <= X"O0"; 
2183: 
2184: elsif (counter = 190) then 
2185: -- Set Address for RWA Temperature 
2186: MY-BRAM-Addr <= conv~std~logic~vector(rwa~temperatureeaddr, 
29) & "000"; 
2187: MY-BRAM-EN <= '1'; 
MYBRAM-WEN <= XWOO"; 
elsif (counter = 192) then 
if (MY-BRAM-Din(0) = '1') then 
temp-rwa-temperature <= rwa-temperature; 
temp-rwa-temperature-obsolete <= 
rwa-temperature-obsolete; 
end if; 
elsif (counter = 194) then 
if (MY-BRAM-Din (0) = ' 1 ' ) then 
temp-rwa-temperature (0) <= conv-integer (MY-BRAM-Din (63 
downto 32) ) ;  
end if; 
elsif (counter = 196) then 
-- Store Data if there is New Data 
if (MY-BRAM-Din (0) = ' 1 ' ) then 
rwa-temperature-data <= conv-integer(MY-BRAM-Din(63 
downto 32)); 
rwa-temperature-has-new-data <= 'IV; 
else 
rwa-temperature-has-new-data <= '0'; 
end if; 
elsif (counter = 200) then 
if (MY-BRAM-Din(0) = '1') then 
rwa-temperature-has-new-data <= '0'; 
end if; 
elsif (counter = 202) then 
MY-BRAM-Dout (63 downto 32) <= 
conv~std~logic~vector(rwa~temperature~dataf32); 
MY-BRAM-Dout (31 downto 0) <= X"0000~0000"; 
elsif (counter = 204) then 
-- If New Data Received, Reset New Data Register 
if (MY-BRAM-Din(0) = '1') then 
-- Enable Write 
MY-BRAM-EN <= '1'; 
MY-BRAM-WEN <= XnFF"; 
end if; 
elsif (counter = 206) then 
-- Disable BRAM En pin 
MY-BRAM-EN <= '0'; 
MY-BRAM-WEN <= X"OOW; 
elsif (counter = 210) then 
-- Set Address for MTR A Current 
MY-BRAM-Addr <= conv~std~logic~vector(mtr~a~~urrent~addr~29) 
& "000"; 
MY-BRAM-EN <= 'I1; 
MY-BRAM-WEN <= X"O0"; 
elsif(counter = 212) then 
if (MY-BRAM-Din(0) = '1') then 
temp-mtr-a-current <= mtr-a-current; 
temp-mtr-a-current-obsolete <= mtr-a-current-obsolete; 
end if; 
elsif (counter = 214) then 
if (MY-BRAM-Din(0) = '1') then 
temp-mtr-a-current(0) <= conv-integer(MY-BRAM-Din(63 
downto 32)); 
end if; 
elsif (counter = 216) then 
-- Store Data if there is New Data 
if (MY-BRAM-Din(0) = '1') then 
mtr-a-current-data <= conv-integer(MY-BRAM-Din(63 downto 
32) 1 ;  
mtr-a-current-has-new-data <= '1'; 
else 
mtr-a-current-has-new-data <= '0'; 
end if; 
elsif (counter = 220) then 
if (MY-BRAM-Din(0) = '1') then 
mtr-a-current-has-new-data <= '0'; 
end if; 
elsif (counter = 222) then 
MYBRAM-Dout (63 downto 32) <= 
c o n v ~ s t d ~ l o g i c ~ v e c t o r ( m t r ~ a a c u r r e n t _ d a t a 1 3 2 ) ;  
MYBRAM-Dout (31 downto 0) <= XW0000-0000"; 
elsif (counter = 224) then 
-- If New Data Received, Reset New Data Register 
if (MY-BRAM_Din(O) = '1') then 
-- Enable Write 
MYBRAM-EN <= '1'; 
MY-BRAM-WEN <= X "FF" ; 
end if; 
elsif (counter = 226) then 
-- Disable BRAM En pin 
MYBRAM-EN <= ' 0' ; 
MY-BRAM-WEN <= X1'OO"; 
elsif (counter = 230) then 
-- Set Address for MTR B Current 
MYBRAM-Addr <= c o n v ~ s t d ~ l o g i c ~ v e c t o r ( m t r ~ b ~ ~ u r r e n t ~ a d d r ~ 2 9 )  
& "000"; 
MYBRAM-EN <= '1'; 
MYBRAM-WEN <= X" 00" ; 
elsif(counter = 232) then 
if (MYBRAM-Din (0) = '1') then 
temp-mtr-b-current <= mtrb-current; 
temp~mtr~b~current~obsolete <= mtr-b-current-obsolete; 
end if; 
elsif (counter = 234) then 
if (MYBRAM-Din(0) = '1') then 
temp-mtr-b-current (0) <= conv-integer (MY-BRAM-Din (63 
downto 32)); 
end if; 
elsif (counter = 236) then 
-- Store Data if there is New Data 
if (MY-BRAM-Din(0) = '1') then 
mtrb-current-data <= conv-integer(MY-BRAM-Din(63 downto 
32)); 
mtrb-current-has-new-data <= '1'; 
else 
mtr-b-current-has-new-data <= ' 0 ' ;  
end if; 
elsif (counter = 240) then 
if (MY-BRAM-Din(0) = '1') then 
mtrb-current-has-new-data <= '0'; 
2291: end if; 
2292: elsif (counter = 242) then 
2293: MYBRAM-Dout (63 downto 32) <= 
conv~std~logic~vector(rntr~bbcurrent~dataf32); 
2294: MYBRAM-Dout (31 downto 0) <= X"0000~0000"; 
2295: elsif (counter = 244) then 
2296: -- If New Data Received, Reset New Data Register 
2297 : if (MY-BRAM-Din(0) = '1') then 
2298: -- Enable Write 
2299: MY-BRAM-EN <= ' 1 '; 
2300: MY-BRAM-WEN <= X1'FF" ; 
2301: end if; 
2302 : elsif (counter = 246) then 
2303: -- Disable BRAM En pin 
2304: MYBRAM-EN <= '0'; 
2305: MYBRAM-WEN <= X1'OO"; 
2306: 
2307: 
2308: --Write Outputs to BRAM 
2309: 
2310: -- Write Data for Output : RWA Torque 
2311: elsif (counter = 1000) then 
2312: -- Set Address for Output Data 
2313: MYBRAM-Addr <= conv~std~logicvector(rwa~torque~addr,29) & 
"000"; 
2314: MYBRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(rwa~torque~torque~data,32); 
2315: MYBRAM-Dout (31 downto 0 )  <= conv~std~logic~vector (0,31) & 
rwa-torque-torque-has-new-data; 
2316: elsif (counter = 1002) then 
2317: -- Enable Write 
2318: MYBRAM-EN <= '1'; 
2319: MY-BRAM-WEN <= X"FFn; 
2320: elsif (counter = 1004) then 
2321 : -- Disable BRAM En pin 
2322: MYBRAM-EN <= '0'; 
2323: MYBRAM-WEN <= X"OO1'; 
2324 : 
2325: -- Write Data for Output : MTR A Torque 
2326: elsif (counter = 1010) then 
2327: -- Set Address for Output Data 
2328: MYBRAM-Addr <= conv~std~logic~vector(rntr~aatorque~addrI29) 
& "000"; 
2329: MYBRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(mtr~aatorque~torque~data,32); 
2330: MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector ( 0 3 )  & 
mtr-a-torque-torque-has-new-data; 
2331: elsif (counter = 1012) then 
2332: -- Enable Write 
2333: MYBRAM-EN <= '1'; 
2334: MYBRAM-WEN <= X"FF1' ; 
2335: elsif (counter = 1014) then 
2336: -- Disable BRAM En pin 
2337: MYBRAM-EN <= '0'; 
2338: MYBRAM-WEN <= X" 0 0 " ; 
2339: 
2340: -- Write Data for Output : MTR B Torque 
elsif (counter = 1020) then 
-- Set Address for Output Data 
MYBRAM-Addr <= conv~std~logic~vector(mtr~b~t0rque~addr~29) 
& "000"; 
MY-BRAM-Dout (63 downto 32) <= 
c o n v ~ s t d ~ l o g i c ~ v e c t o r ( m t r ~ b ~ t o r q u e ~ t o r q ~ e ~ d a t a ~ 3 2 ) ;  
MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,31) & 
mtrb-torque-torque-has-new-data; 
elsif (counter = 1022) then 
-- Enable Write 
MYBRAM-EN <= ' 1' ; 
MYBRAM-WEN <= X"FF" ; 
elsif (counter = 1024) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= XWOO"; 
-- Write Data for State Value or Mode : IMU Channel 
elsif (counter = 1030) then 
-- Set Address for Data 
MYBRAM-Addr <= conv~std~logic~vector(imu~channe1~addr,29) & 
"000"; 
MY-BRAM-Dout (63 downto 32) <= 
conv~std~logic~vector(imu~channe1~int,32); 
MY-BRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,32) ; 
elsif (counter = 1032) then 
-- Enable Write 
MYBRAM-EN <= ' 1 ' ; 
MYBRAM-WEN <= X"FF '' ; 
elsif (counter = 1034) then 
-- Disable BRAM En pin 
MYBRAM-EN <= ' 0'; 
MYBRAM-WEN <= X" 0 0 " ; 
-- Write Data for State Value or Mode : IMU Health 
elsif (counter = 1040) then 
-- Set Address for Data 
MY-BRAM-Addr <= conv~std~logic~vector(imu~hea1th~addr,29) & 
"000"; 
MYBRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(imu~hea1thhint,32); 
MY-BRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,32) ; 
elsif (counter = 1042) then 
-- Enable Write 
MYBRAM-EN <= '1'; 
MYBRAM-WEN <= X"FFW; 
elsif (counter = 1044) then 
-- Disable BRAM En pin 
MY-BRAM-EN <= '0'; 
MY-BRAM-WEN <= XWOO"; 
-- Write Data for State Value or Mode : CSS Health 
elsif (counter = 1050) then 
-- Set Address for Data 
MY-BRAM-Addr <= conv~std~logic~vector (css-health-addrm & 
''000''; 
MYBRAM-Dout (63 downto 32) <= 
conv~std~logic~vector(css~hea1thhint,32); 
MYBRAMDout (31 downto 0 )  <= conv~std~logic~vector (0,32) ; 
elsif (counter = 1052) then 
-- Enable Write 
MYBRAM-EN <= ' I ' ; 
MYBRAM-WEN <= X1'FF" ; 
elsif (counter = 1054) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X" 00 " ; 
-- Write Data for State Value or Mode : RWA Health 
elsif (counter = 1060) then 
-- Set Address for Data 
MY-BRKAddr <= conv~std~logic~vector(rwa~health~addr,29) & 
l'Oooll; 
MYBRAM-Dout (63 downto 32) <= 
conv~std~logic~vector(rwa~hea1thhint,32); 
MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,32) ; 
elsif (counter = 1062) then 
-- Enable Write 
MYBRAM-EN <= ' 1'; 
MYBRAM-WEN <= XWFF"; 
elsif (counter = 1064) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X" 0 0 " ; 
-- Write Data for State Value or Mode : MTR Channel 
elsif (counter = 1070) then 
-- Set Address for Data 
MYBRAM-Addr <= conv~std~logicvector(mtr~channel~addr,29) & 
"000"; 
MYBRAM-Dout (63 downto 32) <= 
conv~std~logic~vector(mtr~channe~~int,32); 
2420 : MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,32) ; 
elsif (counter = 1072) then 
-- Enable Write 
MYBRAM-EN <= ' 1 ' ; 
MYBRAM-WEN <= X1'FF" ; 
elsif (counter = 1074) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X " 0 0 " ; 
-- Write Data for State Value or Mode : MTR Health 
elsif (counter = 1080) then 
-- Set Address for Data 
MYBRAM-Addr <= conv~std~logic~vector(mtr~hea1thhaddr,29) & 
''000''; 
MYBRAM-Dout (63 downto 32) <= 
conv~std~logic~vector(mtr~hea1th~int,32); 
MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,32) ; 
elsif (counter = 1082) then 
-- Enable Write 
MY-BRAM-EN <= '1' ; 
MYBRAM-WEN <= X1'FF" ; 
elsif (counter = 1084) then 
-- Disable BRAM En pin 
MYBRAM-EN <= ' 0'; 
MYBRAM-WEN <= X"O0"; 
-- Write Data for State Value or Mode : ACS Mode 
elsif (counter = 1090) then 
-- Set Address for Data 
MYBRAM-Addr <= conv~std~logic~vector(acs~mode~addr,29) & 
"000"; 
MYBRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(acs~mode~int,32); 
MYBRAM-Dout(31 downto 0) <= conv~std~logic~vector(0,32); 
elsif (counter = 1092) then 
-- Enable Write 
MY-BRAM-EN <= '1'; 
MYBRAM-WEN <= X"FF " ; 
elsif (counter = 1094) then 
-- Disable BRAM En pin 
MYBRAM-EN <= ' 0' ; 
MYBRAM-WEN <= X" 0 0'' ; 
-- Write Data for Macro : IMU Attitude Rate A Limit Passed 
elsif (counter = 1100) then 
-- Set Address for Data 
MYBRAM-Addr <= 
c o n v ~ s t d ~ l o g i c ~ v e c t o r ( i m u ~ a t t i t ~ d e ~ r a t e ~ a ~ l i m i t ~ a s s e d ~ a d d r ~ 2 9 )  & "000"; 
MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector (0 4) & 
imu-attitude-rate-a-limit-passed; 
MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,32) ; 
elsif (counter = 1102) then 
-- Enable Write 
MYBRAM-EN <= ' 1' ; 
MYBRAM-WEN <= XWFF"; 
elsif (counter = 1104) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X" 00"; 
-- Write Data for Macro : IMU Attitude Rate B Limit Passed 
elsif (counter = 1110) then 
-- Set Address for Data 
MYBRAM-Addr <= 
conv~std~logic~vector(imu~attitude~rate~b~limit~assed~addr,29) & "000"; 
MYBRAM-Dout(63 downto 32) <= conv~std~logic~vector(0,31) & 
imu-attitude-rateb-limit-passed; 
MYBRAM-Dout(31 downto 0) <= conv~std~logic~vector(0,32); 
elsif (counter = 1112) then 
-- Enable Write 
MY-BRAM-EN <= '1'; 
MY-BRAM-WEN <= X1'FF" ; 
elsif (counter = 1114) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X''O0"; 
-- Write Data for Macro : IMU Attitude Rate A Obsolete Passed 
elsif (counter = 1120) then 
2492: -- Set Address for Data 
2493: MY-BRAM-Addr <= 
conv~std~logic~vector (i nu~attitude~rate~a~obso1ete-passeddaddr, 2 & "000"; 
2494: MY-BRAM-Dout (63 downto 32 ) <= conv~std~logic~vector (0,3l) & 
imu-attitude-rate-a-obsoletejassed; 
2495: MYBRAM-Dout(31 downto 0) <= conv~std~logic~vector(0,32); 
2496: elsif (counter = 1122) then 
2497: -- Enable Write 
2498: MYBRAM-EN <= '1'; 
2499: MYBRAM-WEN <= XWFF"; 
2500: elsif (counter = 1124) then 
2501: -- Disable BRAM En pin 
2502 : MYBRAM-EN <= '0'; 
2503: MYBRAM-WEN <= X" 0 0" ; 
2504: 
2505: -- Write Data for Macro : IMU Attitude Rate B Obsolete Passed 
2506: elsif (counter = 1130) then 
2507: -- Set Address for Data 
2508: MY-BRAM-Addr <= 
conv~std~logic~vector (imu-attit~de~rate~b~obsolete~passed~addr, 2 & "000"; 
2509: MY-BRAM-Dout (63 downto 32) <= conv~std~logic~vector (0,31) & 
imu-attitude-rate-b-obsolete~assed; 
2510: MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,32) ; 
2511: elsif (counter = 1132) then 
2512: -- Enable Write 
2513: MYBRAM-EN <= 'I1; 
2514: MY-BRAM-WEN <= X"FF1l ; 
2515: elsif (counter = 1134) then 
2516: -- Disable BRAM En pin 
2517: MYBRAM-EN <= '0'; 
2518: MYBRAM-WEN <= XI1 0 0 l1 ; 
2519: 
2520: -- Write Data for Macro : IMU Attitude Rate A Static Passed 
2521: elsif (counter = 1140) then 
2522 : -- Set Address for Data 
2523: MYBRAM-Addr <= 
conv~std~logic~vector (imu-attitude-rate-a-static-passed-add 2 & "000"; 
2524 : MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector ( O m )  & 
imu-attitude-rate-a-staticjassed; 
2525: MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0 2 2 )  ; 
2526: elsif (counter = 1142) then 
2527: -- Enable Write 
2528: MYBRAM-EN <= ' I' ; 
2529: MYBRAM-WEN <= X l1 FF l1 ; 
2530: elsif (counter = 1144) then 
2531 : -- Disable BRAM En pin 
2532 : MYBRAM-EN <= ' 0' ; 
2533: MY-BRAM-WEN <= X" 0 0 l1 ; 
2534: 
2535: -- Write Data for Macro : IMU Attitude Rate B Static Passed 
2536: elsif (counter = 1150) then 
2537: -- Set Address for Data 
2538: MY-BRAM-Addr <= 
conv~std~logic~vector(imu_attitude~rate~bbstaticCpasseddaddr,29) & "000"; 
2539: MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector ( 0 3 )  & 
imu-attitude-rate-b-static-passed; 
2540: MYBRAMDout (31 downto 0) <= conv~std~logic~vector (O,32) ; 
elsif (counter = 1152) then 
-- Enable Write 
MYBRAM-EN <= '1'; 
MYBRAM-WEN <= XWFF"; 
elsif (counter = 1154) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X" 00" ; 
-- Write Data for Macro : IMU Attitude Rate Compare Passed 
elsif (counter = 1160) then 
-- Set Address for Data 
MY-BRAM-Addr <= 
conv~std~logic~vector(imu~attitude~rate~compare~pas~ed~addr~29) & "000"; 
MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector (0,31) & 
imu-attitude-rate-compare-passed; 
MYBRAM-Dout(31 downto 0) <= conv~std~logic~vector(0,32); 
elsif (counter = 1162) then 
-- Enable Write 
MYBRAM-EN <= '1'; 
MYBRAM-WEN C= XWFF"; 
elsif (counter = 1164) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X" 00"; 
-- Write Data for Macro : CSS Attitude Compare Passed 
elsif (counter = 1170) then 
-- Set Address for Data 
MYBRAM-Addr <= 
c o n v ~ s t d ~ l o g i c ~ v e c t o r ( c s s ~ a t t i t ~ d e ~ ~ o m p a r e ~ a s s e d ~ a d d r ~ 2 9 )  & "000"; 
MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector ( 0 4 )  & 
css~attitude~compare-passed; 
MY-BRAM-Dout(31 downto 0) <= conv~std~logic~vector(0,32); 
elsif (counter = 1172) then 
-- Enable Write 
MYBRAM-EN <= '1'; 
MYBRAM-WEN <= X"FFn; 
elsif (counter = 1174) then 
-- Disable BRAM En pin 
MYBRAM-EN <= ' 0' ; 
MYBRAM-WEN <= XWOO"; 
-- Write Data for Macro : RWA Speed Obsolete Passed 
elsif (counter = 1180) then 
-- Set Address for Data 
MYBRAM-Addr <= 
c o n v ~ s t d ~ l o g i c ~ v e c t o r ( r w a ~ ~ p e e d ~ o b s o l e t e p a s s e d a d d r ~ 2 9 )  & "000";
MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector (O 31) & 
rwa-speed-obsolete~assed; 
MY-BRAM-Dout(31 downto 0) <= conv~std~logic~vector(0,32); 
elsif (counter = 1182) then 
-- Enable Write 
MY-BRAM-EN <= '1'; 
MY-BRAM-WEN <= X"FFW ; 
elsif (counter = 1184) then 
-- Disable BRAM En pin 
2592: MYBRAM-EN <= '0'; 
2593: MY-BRAM-WEN <= X1'OO" ; 
2594: 
2595: -- Write Data for Macro : RWA Speed Limit Passed 
2596: elsif (counter = 1190) then 
2597: -- Set Address for Data 
2598: MY-BRAM-Addr <= 
conv~std~logic~vector(rwa~speed~1imit~passed~addr,29) & "000"; 
2599: MYBRAM-Dout(63 downto 32) <= conv~std~logic~vector(0f31) & 
rwa-speed-limitsassed; 
. 2600: MYBRAM-Dout(31 downto 0) <= conv~std~logic~vector(0,32); 
2601: elsif (counter = 1192) then 
2602: -- Enable Write 
2603: MY-BRAM-EN <= '1'; 
2604: MYBRAM-WEN <= X1' FF " ; 
2605: elsif (counter = 1194) then 
2606: -- Disable BRAM En pin 
2607: MYBRAM-EN <= ' 0 ' ; 
2608: MY-BRAM-WEN <= X1'OO"; 
2609: 
2610: -- Write Data for Macro : RWA Temperature Obsolete Passed 
2611: elsif (counter = 1200) then 
2612: -- Set Address for Data 
2613: MYBRAM-Addr <= 
conv~std~logic~vector ( r w a ~ t e m p e r a t u r e ~ o b s o l e t e ~ a s s e d ~ a d d r ,  2 & "000"; 
2614: MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector ( 0 3 )  & 
rwa~temperature~obsolete~passed; 
2615: MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,32) ; 
2616: elsif (counter = 1202) then 
2617: -- Enable Write 
2618: MYBR-EN <= ' 1' ; 
2619: MYBRAM-WEN <= X"FF1'; 
2620: elsif (counter = 1204) then 
2621: -- Disable BRAM En pin 
2622: MYBRAMEN <= ' 0'; 
2623: MY-BRAM-WEN <= X"OO1'; 
2624 : 
2625: -- Write Data for Macro : RWA Temperature Limit Passed 
2626: elsif (counter = 1210) then 
2627: -- Set Address for Data 
2628: MYBRAM-Addr <= 
conv~std~logic~vector(rwa~temperature~limit~assed~addr,29) & "000"; 
2629: MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector (0,31) & 
rwa-temperature-limit-passed; 
2630: MYBRAM-Dout (3 1 downto 0) <= conv~std~logic~vector (0,32) ; 
2631: elsif (counter = 1212) then 
2632: -- Enable Write 
2633: MY-BRAMEN <= '1'; 
2634: MYBRAM-WEN <= X"FFW ; 
2 635 : elsif (counter = 1214) then 
2636: -- Disable BRAM En pin 
2637: MY-BRAMEN <= '0'; 
2638: MY-BRAM-WEN <= X1'OO1'; 
2639: 
2640: -- Write Data for Macro : MTR A Current Obsolete Passed 
2641: elsif (counter = 1220) then 
2642: -- Set Address for Data 
2643: MYBRAM-Addr <= 
c o n v ~ s t d ~ l o g i c ~ v e c t o r ( m t r ~ a ~ ~ u r r e n t _ o b s o l e t e ~ a s s e d ~ a d d r , 2 9 )  & "000"; 
2644: MYBRAM-Dout(63 downto 32) <= conv~std~logic~vector(0,31) & 
mtr~a~current~obsolete~passed; 
MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0 3 2 )  ; 
elsif (counter = 1222) then 
-- Enable Write 
MYBRAM-EN <= '1'; 
MYBRAM-WEN <= X" FF " ; 
elsif (counter = 1224) then 
-- Disable BRAM En pin 
MYBRAM-EN <= '0'; 
MYBRAM-WEN <= X" 0 0 " ; 
-- Write Data for Macro : MTR B Current Obsolete Passed 
elsif (counter = 1230) then 
-- Set Address for Data 
MYBRAM-Addr <= 
conv~std~logic~vector (mtr~b~current~obsolete-pa~~ed~addr, 29) & "000"; 
MYBRAM-Dout(63 downto 32) <= conv~std~logic~vector(0,3l) & 
mtrb~current~obsolete~passed; 
2660: MYBRAM-Dout (31 downto 0) <= conv~std~logic~vector (0,32) ; 
2661: elsif (counter = 1232) then 
2662: -- Enable Write 
2663: MYBRAM-EN <= '1'; 
2664 : MYBRAM-WEN <= X1'FF" ; 
2665: elsif (counter = 1234) then 
2666: -- Disable BRAM En pin 
2667: MYBRAM-EN <= '0'; 
2668: MYBRAM-WEN <= X1'OO"; 
2669: 
2670: -- Write Data for Macro : MTR A Current Limit Passed 
2671: elsif (counter = 1240) then 
2672 : -- Set Address for Data 
2673: MYBRAM-Addr <= 
conv~std~logic~vector(mtr~aacurrent~limit~assed~addr,29) & "000"; 
2674 : MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector (0,3l) & 
mtr-a-current-limit-passed; 
2675: MYBRAM-Dout(31 downto 0) <= conv~std~logic~vector(0,32); 
2676: elsif (counter = 1242) then 
2677: -- Enable Write 
2678: MYBRAM-EN <= '1'; 
2679: MYBRAM-WEN <= X"FF1' ; 
2680: elsif (counter = 1244) then 
2681 : -- Disable BRAM En pin 
2682 : MYBRAM-EN <= '0'; 
2683: MYBRAM-WEN <= X" 0 0 " ; 
2684: 
2685: -- Write Data for Macro : MTR B Current Limit Passed 
2686: elsif (counter = 1250) then 
2687: -- Set Address for Data 
2688 : MY-BRAM-Addr <= 
conv~std~logic~vector(mtr~bb~urrente1imit-pa~~ed~addr29) & "000"; 
2689: MYBRAM-Dout (63 downto 32) <= conv~std~logic~vector (0,31) & 
mtr-b-current-limit-passed; 
2690: MYBRAM-Dout(31 downto 0) <= conv~std~logic~vector(0,32); 
2691: elsif (counter = 1252) then 
2692: -- Enable Write 
2693: MY-BRAM-EN <= '1'; 
2694: MY-BRAM-WEN <= XwFF" ; 
2695: elsif (counter = 1254) then 
2696: -- Disable BRAM En pin 
2697 : MYBRAMEN <= '0'; 
2698: MYBRAM-WEN <= X"OOW; 
2699: 
2700: -- Write Mission Time 
2701: elsif (counter = 1500) then 
2702: MYBRAM-Addr <= conv~std~logic~vector (mission-t ime-addr, 29) 
& "000"; 
2703: MY-BRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(mission~timef32); 
2704: MYBRAM-Dout (31 downto 0) <= 
conv~std~logic~vector(mission~millisecf32); 
2705: elsif (counter = 1502) then 
2706: -- Enable Write 
2707 : MYBRAM-EN <= '1'; 
2708: MYBRAM-WEN <= XWFF"; 
2709: elsif (counter = 1504) then 
2710: -- Disable BRAM En pi'n 
2711: MYBRAM-EN <= '0'; 
2712 : MYBRAM-WEN <= X"O0"; 
2713: 
2714: -- Call PowerPC Octavia Function 
2715: elsif (counter = 2000) then 
2716: MYBRAM-Addr <= conv~std~logic~vector(ppc~trigger~addr,29) & 
"000"; 
2717: MY-BRAM-Dout(63 downto 32) <= 
conv~std~logic~vector(ppc~trigger~~ord~32); 
2718: MY-BRAM-Dout (31 downto 0) <= 
conv~std~logic~vector(ppc~trigger~word,32); 
2719: elsif (counter = 2002) then 
2720: -- Enable Write 
2721: MYBRAM-EN <= ' 1 '; 
2722 : MYBRAM-WEN <= X" FF " ; 
2723: elsif (counter = 2004) then 
2724 : -- Disable BRAM En pin 
2725: MYBRAMEN <= '0'; 
2726: MYBRAM-WEN <= X" 00 " ; 
2727: 
2728: -- Disable Call to PowerPC Octavia Function 
2729: elsif (counter = 2100) then 
2730: MYBRAM-Addr <= conv~std~logic~vector (ppc-t rigger-addr, 29) & 
"000"; 
2731: MYBRAM-Dout (63 downto 32) <= convdstd~logic~vector (0,32) ; 
2732 : MY-BRAM-Dout(31 downto 0 )  <= conv~std~logic~vector(0,32); 
2733: elsif (counter = 2102) then 
2734: -- Enable Write 
2735: MYBRAM-EN <= '1'; 
2736: MYBRAM-WEN <= XWFF"; 
2737 : elsif (counter = 2104) then 
2738: -- Disable BRAM En pin 
2739: MYBRAM-EN <= '0'; 
2740: MY-BRAM-WEN <= X1'OO"; 
2741: 
2742: -- Else Condition 
2743: else 
2744: NULL; 
2745: 
2746: end if; 
2747: 
2748: end if; 
2749: 
2750: end process bram-interface-process; 
2751: 
2752 : 
2753: 
2754: end Behavorial; 
2755: 

Appendix C - Landsat 7 Octavia C Program 

1: / *  
2 : Name: S i m u l a t i o n  S t e p p i n g  Program 
3 : L i c e n s e :  GPL 
4 : A u t h o r :  E l w i n  Ong 
5 : D a t e  C r e a t e d :  11-Apr-2006 
6 : D e s c r i p t i o n :  T h i s  progrant i s  a n  e q u i v a l e n t  C program o f  O c t a v i a  d i a g r a m .  
7: */ 
8 : 
9 : 
10: #incLud.e  Cstdi-o.h> 
11: 
12: / *  D e c l a r e  v a r i a b l e s  from SpecTRM C F i l e  */ 
13: extern double CommandedAttitudeAngle[]; 
14: extern double CommandedAttitudeAngle[]; 
15: extern double CommandedAttitudeAngle[]; 
16: extern double SpeedSetPoint[]; 
17: extern Boo1 SpeedSetPoint-has-new-data; 
18: 
19: 
20: / *  T h e s e  c o n s t a n t s  a r e  h a r d c o d e d  */ 
21: s t a t i c  const double TF-dc64a2-a-matrix [1] [I] = (-0.5); 
22: s t a t i c  const double TF-dc64a2-b-matrix[l] = (1); 
23: s t a t i c  const double TF-dc64a2-c-matrix[l] = (1); 
24: s t a t i c  const double TF-dc64a2-d-matrix[l] = ( 0 ) ;  
25: s t a t i c  const double Gain-lO6def2-amatrix[O] [O] = (0); 
26: s t a t i c  const double Gain-lOGdef2-bmatrix[O] = ( 0 ) ;  
27 : s t a t i c  const double Gain-lO6def 2-cmatrix [I] = { 0) ; 
28: s t a t i c  const double Gain_lO6def2_d_matrix[l] = ( 5 ) ;  
29: s t a t i c  const double SS-ldl6ecf-a-matrix [1[1] = { I  ) ; 
30: s t a t i c  const double SS-ldl6ecf-b-matrix[I] = { I ) ;  
31: s t a t i c  const double SS-ldl6ecf-cmatrix[1] = {I); 
32 : s t a t i c  const double SS-ldl6ecf-d-matrix [l] = {I) ; 
33: s t a t i c  const double ZP-f690e4-a-matrix[23[2] = {{0.5,1),{0,1)); 
34 : s t a t i c  const double ZP-f690e4-b-matrix [2] = {O, 1) ; 
35: s t a t i c  const double ZP_f690e4_c_matrix[2] = {-0.5,l); 
36: s t a t i c  const double ZP-f69Oe4-d-matrix[l] = (0); 
37: 
38: 
39: / *  I ~ l i t i a l i z e  v a r i a b l e s  */ 
40: s t a t i c  double TF-dc64a2_state[l] = (0); 
41: s t a t i c  double TF-dc64a2-out = 0.0; 
42: s t a t i c  double Gain-lOGdef2-state [ I ]  = {O) ; 
43: s t a t i c  double Gain-lOGdef2-out = 0 . 0 ;  
44 : s t a t i c  double SS-ldl6ecf-state [1] = ( 0 )  ; 
45: s t a t i c  double SS-ldl6ecf-out = 0.3; 
46: s t a t i c  double ZP-f690e4_state [ 2 ]  = {O, 0); 
47: s t a t i c  double ZP-f690e4_out = 0.0; 
48: s t a t i c  double Summation-lbc59aa-out = 0 . 0 ;  
49: s t a t i c  double Summation-20ca8b-out = 3.0; 
50: 
51: 
52 : 
53: void run-octaviao { 
54: 
55: / *  D e c l a r e  t e n p  v a r i a b l e s  */ 
56: unsigned i n t  step-counter, i; 
57: f loa t  temp[lOC] ; 
58: 
5 9 : Summation-lbc59aa-out = TF-dc64a2-out * i + SS-ldl6ecf-out * - 7 -  r
60: Summation~20ca8b~out = ZP-f690e4_out * 1 + Gain-lO6def2-out * 1 + 
CommandedAttitudeAngle [O] * 1; 
61: 
62 : TF-dc64a2-out = TF-dc64a2-c-matrix[O] * TF-dc64a2_state[O] t 
TF-dc64a2-d-matrix[O] * Summation~20ca8b~out; 
63: temp [0] = TF-dc64a2-a-matrix [O1[0] * TF-dc64a2-state [O] t 
TF-dc64a2-b-matrix[O] * Summation~20ca8b~out; 
64: f o r  (i=0; i<0; i++) { 
65: TF-dc64a2-state [i] = temp [i] ; 
66: 1 
67: 
68: Gain-lO6def2-out = 5 * CommandedAttitudeAngle[~; 
69: 
70: SS-ldl6ecf-out = SS-ldl6ecf-c_rnatrix[0] * SS-ldl6ecf-state[O] + 
SS-ldl6ecf-dWmatrix[0] * Summation~20ca8b~out; 
71: temp [0] = SS-ldl6ecf-a-matrix [(:!I [a] * SS-ldl6ecf-state [GI + 
SS-ldl6ecf-b-matrix[0] * Summation~20ca8b~out; 
72: f o r  (i=Q; i<Q; it+) { 
73: SS-ldl6ecf-state [i] = temp [i] ; 
74: 1 
75: 
76: ZP-f690e4_out = ZP-f 690e4-c-matrix [0] * ZP-f690e4_state [0] + 
ZP-f 690e4-c-matrix [I] * ZP-f 690e4-state [I] t ZP-f 690e4-d-matrix [C] * 
ComrnandedAttitudeAngle[Ol; 
77: temp [0] = ZP-f 690e4-a-matrix [a] [O] * ZP-f 690e4-state [GI + 
ZP-f 690e4-a-matrix [01[1] * ZP-f 690e4-state [O] t ZP-f690e4-b-matrix [O] * 
CommandedAttitudeAngle[Ol; 
78: temp[l] = ZP-f690e4-a-matrix [I.] [GI * ZP-f690e4-state [I.] + 
ZP-f 690e4-a-matrix [I] [I.] * ZP-f 690e4-state [1] t ZP-f 690e4-b-matrix [ l ]  * 
CommandedAttitudeAngle [Ol ; 
79: f o r  (i=0; i<l; it+) { 
80: ZP-f690e4-state [i] = temp [i] ; 
81: 1 
82: 
83: SpeedSetPoint[O] = Summation-lbc59aa-out; 
84: SpeedSetPoint-has-new-data = 1; 
85: 
86: 
87: } 
88: 
Appendix D - Landsat 7 SpecTRM-RL C Program 

/ *  
Name: L a n d s a t  7 Backup  ACS 
A u t h o r :  E l w i n  Gng 
D a t e :  Sun  A p r  23 1 0 : 1 4 : 5 4  PDT 2006 
D e s c r i p t i o n :  A u t o - g e n e r a t e d  C F i l e  f rom SpecTRM-RL Model 
*/ 
/ *  D e c l a r e  s y s t e m  v a r i a b l e s  */ 
struct timeval start, end, now, elapsed, round-start; 
static -Boo1 system-start = 1; 
static B o o 1  dummy = 0; 
static -Boo1 evaluated = 0; 
static unsigned int i; 
/ *  D e c l a r e  f u n c t i o n s  */ 
extern double return-now ( )  ; 
extern double time-since(struct timeval *lasthappended); 
extern double time-difference(struct timeval "earlier, struct timeval 
*later) ; 
extern B o o 1  in-range-int(int min,int max,int value); 
extern B o o 1  in-range-real(doub1e mintdouble max,double value); 
extern B o o 1  has-new-data(char string[]); 
extern B o o 1  never-received(Boo1 input[], int size); 
extern int process-transition(int *previous-transition, int 
*current-transition, struct timeval *time-transitioned, struct timeval 
*time-entered, struct timeval *time-exited, -Boo1 *never-exited-old); 
extern B o o 1  checkt ime (double x, double y) ; 
extern void send-output(char name[], double value); 
extern void record (char modelName [I , char type [I , char name [I , double value, 
Boo1 evaluated); 
- 
extern void run-octaviao; 
extern double read-input (char name [I ) ; 
double IMUAttitudeRateA[G]; 
double IMUAttitudeRateB[G]; 
double OctaviaIMUAttitudeRateDifference[6]; 
double CSSAttitudeA[2]; 
double CSSAttitudeB[2]; 
double OctaviaCSSAttitudeDifference[2]; 
double ComrnandedAttitude [2 ] ; 
double OctaviaTorque[2]; 
double RWASpeed[6]; 
double RWATemperature[O]; 
double MTRACurrent [GI ; 
double MTRBCurrent[G]; 
double CSSAttitudeAOctavia [I] ; 
double CSSAttitudeBOctavia[Il; 
double IMUAttitudeRateACompareOctavia[1]; 
double IMUAttitudeRateBCompareOctavia[ll; 
double Refe renceAt t i t udeOc tav ia [ l ] ;  
double IMUAttitudeRateAOctavia[l]; 
54: double IMUAttitudeRateBOctavia[il; 
55: double RWATorque[l]; 
5 6 : double MTRATorque [ 11 ; 
57 : double MTRBTorque [1] ; 
58: 
59: 
60: i n t  IMUChannel[2]; 
61 : i n t  IMUHealth [?I ; 
62: i n t  CSSHealth [?I ; 
63 : i n t  RWAHealth [ ? ]  ; 
64: i n t  MTRChannel[2]; 
65 : i n t  MTRHealth [2] ; 
66: i n t  ACSMode[d]; 
67 : 
68: s t a t i c  s t ruct  timeval IMUAttitudeRateA-time-received; 
69: s t a t i c  struct  timeval IMUAttitudeRateB-time-received; 
70: s t a t i c  struct  timeval OctaviaIMUAttitudeRateDifference~time~received; 
71: s t a t i c  struct  timeval CSSAttitudeA-time-received; 
72: s t a t i c  struct  timeval CSSAttitudeB-time-received; 
73: s t a t i c  struct  timeval OctaviaCSSAttitudeDifference~time~received; 
74: s t a t i c  struct  timeval CommandedAttitude-time-received; 
75: s t a t i c  s t ruct  timeval OctaviaTorque~time~received; 
76: s t a t i c  s t ruct  timeval RWASpeed-time-received; 
77: s t a t i c  struct  timeval RWATemperature-time-received; 
78: s t a t i c  struct  timeval MTRACurrent-time-received; 
79: s t a t i c  struct  timeval MTRBCurrent-time-received; 
80: s t a t i c  struct  timeval CSSAttitudeAOctavia-time-sent; 
81: s t a t i c  struct  timeval CSSAttitudeBOctavia-time-sent; 
82: s t a t i c  struct  timeval IMUAttitudeRateACompareOctavia~timeesent; 
83: s t a t i c  struct  timeval IMUAttitudeRateBCompare0ctavia~time~sent; 
84: s t a t i c  s t ruct  timeval ReferenceAttitudeOctavia-time-sent; 
85: s t a t i c  struct  timeval IMUChannel-time-transitioned; 
86: s t a t i c  struct  timeval IMUChannel-time-entered-1; 
87: s t a t i c  struct  timeval IMUChannel-time-exited-1; 
88: s t a t i c  s t ruct  timeval IMUChannel-time-entered-2; 
89: s t a t i c  struct  timeval IMUChannel-time-exited-2; 
90: s t a t i c  s t ruct  timeval IMUChannel-time-entered-3; 
9 1 :  s t a t i c  struct  timeval IMUChannel-time-exited-3; 
92: s t a t i c  struct  timeval IMUChannel-time-entered-4; 
93: s t a t i c  struct  timeval IMUChannel-time-exited-4; 
94: s t a t i c  struct  timeval IMUHealth-time-transitioned; 
95: s t a t i c  struct  timeval IMUHealth-time-entered-1; 
96: s t a t i c  struct  timeval IMUHealth-time-exited-1; 
97: s t a t i c  struct  timeval IMUHealth-time-entered-2; 
98: s t a t i c  struct  timeval IMUHealth-time-exited-2; 
99: s t a t i c  struct  timeval IMUHealth-time-entered-3; 
100: s t a t i c  struct  timeval IMUHealth-time-exited-3; 
101: s t a t i c  struct  timeval CSSHealth-time-transitioned; 
102: s t a t i c  struct  timeval CSSHealth-time-entered-1; 
103: s t a t i c  struct  timeval CSSHealth-time-exlted-1; 
1 0 4 :  s t a t i c  struct  timeval CSSHealth-time-entered-2; 
105: s t a t i c  struct  timeval CSSHealth-time-exited-2; 
106: s t a t i c  struct  timeval CSSHealth-time-entered-3; 
107: s t a t i c  struct  timeval CSSHealth-time-exited-3; 
108: s t a t i c  struct  timeval RWAHealth-time-transitioned; 
109: s t a t i c  struct  timeval RWAHealth-time-entered-1; 
110: s t a t i c  struct  timeval RWAHealth-time-exited-1; 
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
s t a t i c  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
struct  
timeval RWAHealth-time-entered-2; 
timeval RWAHealth-time-exited-2; 
timeval RWAHealth-time-entered-3; 
timeval RWAHealth-time-exited-3; 
timeval MTRChannel-time-transitioned; 
timeval MTRChannel-time-entered-1; 
timeval MTRChannel-time-exited-1; 
timeval MTRChannel-time-entered-2; 
timeval MTRChannel-time-exited-2; 
timeval MTRChannel-time-entered-3; 
timeval MTRChannel-time-exited-3; 
timeval MTRChannel-time-entered-4; 
timeval MTRChannel-time-exited-4; 
timeval MTRHealth-time-transitioned; 
timeval MTRHealth-time-entered-1; 
timeval MTRHealth-time-exited-1; 
timeval MTRHealth-time-entered-2; 
timeval MTRHealth-time-exited-2; 
timeval MTRHealth-time-entered-3; 
timeval MTRHealth-time-exited-3; 
timeval ACSMode-time-transitioned; 
timeval ACSMode-time-entered-1; 
timeval ACSMode-time-exited-1; 
timeval ACSMode-time-entered-2; 
timeval ACSMode-time-exited-2; 
timeval ACSMode-time-entered-3; 
timeval ACSMode-time-exited-3; 
timeval IMUAttitudeRateAOctavia-time-sent; 
timeval IMUAttitudeRateBOctavia-time-sent; 
timeval RWATorque-time-sent; 
timeval MTRATorque-time-sent; 
timeval MTRBTorque-time-sent; 
- Boo1 IMUAttitudeRateA-has-new-data = 0; 
s t a t i c  -Boo1 IMUAttitudeRateA-obsolete[6]; 
- Boo1 IMUAttitudeRateB-has-new-data = 0; 
s t a t i c  -Boo1 IMUAttitudeRateB_obsolete[6]; 
- Boo1 OctaviaIMUAttitudeRateDifference~has~newdata = 0; 
s t a t i c  -Boo1 OctaviaIMUAttitudeRateDifference~obsolete[6]; 
Bool CSSAttitudeA-has-new-data = 0; 
s t a t i c  -Boo1 CSSAttitudeA-obsolete[2]; 
- Boo1 CSSAttitudeB-has-new-data = 0; 
s t a t i c  -Boo1 CSSAttitudeB_obsolete[2l; 
Bool OctaviaCSSAttitudeDifference-has-new-data = 0; 
s t a t i c  -Boo1 OctaviaCSSAttitudeDifferenceeobso1ete[2]; 
- Boo1 CommandedAttitude-has-new-data = 0; 
s t a t i c  -Boo1 CommandedAttitude-obsolete[2l; 
- Boo1 OctaviaTorque-has-new-data = 3; 
s t a t i c  -Boo1 OctaviaTorque~obsolete[~; 
- Boo1 RWASpeed-has-new-data = 0; 
s t a t i c  -Boo1 RWASpeed-obsolete[E]; 
- Boo1 RWATemperature-has-new-data = 0; 
s t a t i c  -Boo1 RWATemperature_obsolete[6]; 
- Boo1 MTRACurrent-has-new-data = 0; 
s t a t i c  -Boo1 MTRACurrent-obsolete[q; 
- Boo1 MTRBCurrent-has-new-data = 3; 
s t a t i c  -Boo1 MTRBCurrent-obsolete[fl; 
168: s ta t ic  -Boo1 CSSAttitudeAOctavia-never-sent = 1; 
169: s ta t ic  -Boo1 CSSAttitudeBOctavia-never-sent = 1; 
170: s ta t i c  -Boo1 IMUAttitudeRateACompareOctavia~never~sent = 1; 
171: s ta t i c  -Boo1 IMUAttitudeRateBCompare0ctavia~never~sent = 1; 
172: s ta t i c  -Boo1 ReferenceAttitudeOctavia-never-sent = 1; 
173: -Boo1 IMUAttitudeRateALimitPassed[l]; 
174: -Boo1 IMUAttitudeRateBLimitPassed[l]; 
175: -Boo1 IMUAttitudeRateAObsoletePassed[ll; 
176: -Boo1 IMUAttitudeRateBObsoletePassed[l~; 
177: -Boo1 IMUAttitudeRateAStaticPassed[ll; 
178: -Boo1 IMUAttitudeRateBStaticPassed[l]; 
179: B o o 1  IMUAttitudeRateComparePassed[l]; 
180: -Boo1 CSSAttitudeComparePassed[ll; 
181: -Boo1 RWASpeedObsoletePassed[U; 
182: -Boo1 RWASpeedLimitPassed[l]; 
183: -Boo1 RWATemperatureObsoletePassed[1]; 
184: -Boo1 RWATemperatureLimitPassed[l]; 
185: B o o 1  MTRACurrentObsoletePassed[l]; 
186: B o o 1  MTRBCurrentObsoletePassed[~; 
187: -Boo1 MTRACurrentLimitPassed[l]; 
188: -Boo1 MTRBCurrentLimitPassed[ll; 
189: s ta t i c  -Boo1 IMUChannel-never-transitioned = 1; 
190: s ta t ic  -Boo1 IMUChannel-never-entered-1 = 1; 
191: s ta t ic  -Boo1 IMUChannel-never-exited-1 = 1; 
192: s ta t ic  -Boo1 IMUChannel-never-entered-2 = 1; 
193: s ta t i c  -Boo1 IMUChannel-never-exited-2 = 1; 
194: s ta t i c  -Boo1 IMUChannel-never-entered-3 = 1; 
195: s ta t i c  -Boo1 IMUChannel-never-exited-3 = 1; 
196: s ta t i c  -Boo1 IMUChannel-never-entered-4 = 1; 
197: s ta t i c  -Boo1 IMUChannel-never-exited-4 = I; 
198: s ta t ic  -Boo1 IMUHealth-never-transitioned = 2; 
199: s ta t ic  -Boo1 IMUHealth-never-entered-1 = I; 
200: s ta t i c  -Boo1 IMUHealth-never-exited-1 = 1; 
201: s ta t ic  -Boo1 IMUHealth-never-entered-2 = 1; 
202: s ta t i c  -Boo1 IMUHealth-never-exited-2 = 1; 
203: s ta t i c  -Boo1 IMUHealth-never-entered-3 = 1; 
204: s ta t i c  -Boo1 IMUHealth-never-exited-3 = 1; 
205: s ta t i c  -Boo1 CSSHealth-never-transitioned = 1; 
206: s ta t ic  -Boo1 CSSHealth-never-entered-1 = 1; 
207: s ta t ic  -Boo1 CSSHealth-never-exited-1 = 1; 
208: s ta t i c  -Boo1 CSSHealth-never-entered-2 = I; 
209: s ta t i c  -Boo1 CSSHealth-never-exited-2 = !.; 
210: s ta t ic  -Boo1 CSSHealth-never-entered-3 = 1; 
211: s ta t i c  -Boo1 CSSHealth-never-exited-3 = 1; 
212: s ta t i c  -Boo1 RWAHealth-never-transitioned = 1; 
213: s ta t ic  -Boo1 RWAHealth-never-entered-1 = 1; 
214: s ta t ic  -Boo1 RWAHealth-never-exited-1 = 1; 
215: s ta t ic  -Boo1 RWAHealth-never-entered-2 = 1; 
216: s ta t ic  -Boo1 RWAHealth-never-exited-2 = 1; 
217: s ta t i c  -Boo1 RWAHealth-never-entered-3 = 1; 
218: s ta t i c  -Boo1 RWAHealth-never-exited-3 = 1; 
219: s ta t ic  -Boo1 MTRChannel-never-transitioned = 1.; 
220: s ta t ic  -Boo1 MTRChannel-never-entered-1 = :; 
221: s ta t ic  -Boo1 MTRChannel-never-exited-1 = 1; 
222: s ta t ic  -Boo1 MTRChannel-never-entered-2 = 1; 
223: s ta t i c  -Boo1 MTRChannel-never-exited-2 = 1; 
224: s ta t ic  -Boo1 MTRChannel-never-entered-3 = 1; 
225: stat ic  -Boo1 MTRChannel-never-exited-3 = I; 
226: stat ic  -Boo1 MTRChannel-never-entered-4 = 1; 
227: stat ic  -Boo1 MTRChannel-never-exited-4 = 1; 
228: s ta t ic  -Boo1 MTRHealth-never-transitioned = 1; 
229: stat ic  -Boo1 MTRHealth-never-entered-1 = 1; 
230: stat ic  -Boo1 MTRHealth-never-exited-1 = 1; 
231: stat ic  -Boo1 MTRHealth-never-entered-2 = 1; 
232: stat ic  -Boo1 MTRHealth-never-exited-2 = 1; 
233: stat ic  -Boo1 MTRHealth-never-entered-3 = 1; 
234: stat ic  -Boo1 MTRHealth-never-exited-3 = 1; 
235: s ta t ic  -Boo1 ACSMode-never-transitioned = 1; 
236: s ta t ic  -Boo1 ACSMode-never-entered-1 = I; 
237: stat ic  -Boo1 ACSMode-never-exited-1 = I; 
238: s ta t ic  -Boo1 ACSMode-never-entered-2 = 1; 
239: s ta t ic  -Boo1 ACSMode-never-exited-2 = 1; 
240: stat ic  -Boo1 ACSMode-never-entered-3 = 1; 
241: stat ic  -Boo1 ACSMode-never-exited-3 = 1; 
242: stat ic  -Boo1 IMUAt t i tudeRa teAOctav ia_never - sen t  = 1; 
243: s ta t ic  -Boo1 IMUAttitudeRateBOctavia-never-sent = 1; 
244: stat ic  -Boo1 RWATorque-never-sent = 1; 
245: stat ic  -Boo1 MTRATorque-never-sent = 1; 
246: stat ic  -Boo1 MTRBTorque-never-sent = 1; 
247: 
248: / *  
249: IMVChanne l  : Unknown - i 
250: 1MUChanne l :A  = 2 
251: I M V C h a n n e l r B  = 3 
252: IlbiUChannei : N o n e  = 4 
253 : .TNliHeal th : Unknown = 1 
254 : IMUuF!ealth:Good = 2 
255: IMrJ l lea l th :Bad  = 3 
256: C S S H e a 1 t h : U n k n o w n  = 1 
257: C S S H e a 1 t h : G c o d  = 2 
258: C S S H e a l t h r B a d  = 3 
259: RPdAHea1th:Ur;known = 1 
260: RWAHea1th:Good = 2 
261: RPv'AHeaithrBad = 3 
262 : MI'NChannel : Unknown = 1 
263 : MTRChannel  :A = 2 
264: MTRChannel  : B = 3 
265: MTRChannel  : N o n e  = 4 
266: MTRHeai th: Unknown = 1 
267: MTRHea2th:Good = 2 
268 : M T R H e a l t h r B a d  = 3 
269: A C S M o d e : P r i m a r y  = 1 
270: AC:SMobe:Backup = 2 
271: A Z S M o d e : F a i i e d  = 3 
272: */ '  
273: 
274 : 
275: /-+ D e c i a r e  v a r i a b l e s  f r o m  SpecTRM C F i l e  */ 
276: double Sum-1-out = 0.0; 
277: double Sum-2-out = 0.0; 
278: double Sum-3-out = 0 . 0 ;  
279: double Sum-4-out = 0.0; 
280: double Sum-5-out = 0.0; 
281: double TF-6-out = 0.0; 
282 : double TF-8-out = 0.0; 
283: double TF-12-out = C.0; 
284 : double TF-15-out = 0.0; 
2 85 : double TF-18-out = C . 0 ; 
286: double TF-22-out = 0. C; 
287: double Gain-11-out = C.O; 
288: double Gain-21-out = C.O; 
289: double Gain-25-out = C.O; 
290: 
291: 
292: ,+ Thc2se  coi7stants arc h a r d c o d e d  */ 
293: s t a t i c  const double TF-6-amatrix[l] = {0.39900}; 
294: s t a t i c  const double TF-6-bmatrix[l] = {I}; 
295: s t a t i c  const double TF-6-cmatrix [1] = {G. 00099950); 
296: s t a t i c  const double TF-6-d-matrix [1] = {O}; 
297: s t a t i c  const double TF-8_amatrix[2] [2] = { {G, 11, {-0.92312,l. 920004}}; 
298 : s t a t i c  const double TF-8-b-matrix [a] = { O, l} ; 
299: s t a t i c  const double TF-8-cmatrix [2] = {G. 15368, -0.15359); 
300: s t a t i c  const double TF_8_dmatrix[l] = (1); 
301: s t a t i c  const double TF-12-a-matrix [2] [%I = { {Of I}, {-0. 9kj313, 1. 95:!-14} } ;  
302: s t a t i c  const double TF_12_bmatrix[2] = {O,l}; 
303: s t a t i c  const double TF-12-cmatrix [2] = {0.0001,337,0. C001968); 
304: s t a t i c  const double TF-12-d-matrix [1] = {O} ; 
305: s t a t i c  const double TF-15_amatrix[2] [2] = {{Of I}, {-0.99155,1.99152}}; 
306: s t a t i c  const double TF-15-bmatrix [2] = {C, 1) ; 
307: s t a t i c  const double TF-15-cmatrix[2] = {l.?S98~-05,1.7949e-05); 
308 : s t a t i c  const double TF-15-d-matrix [1] = { O} ; 
309: s t a t i c  const double TF_18_amatrix[Z] [2] = {{C, 11, { - a .  92312,1.92G04}}; 
310: s t a t i c  const double TF-18_bmatrix[2] = {Of I } ;  
311: s t a t i c  const double TF-18-cmatrix[%] = { G .  15368, -0.153693; 
3 12 : s t a t i c  const double TF-18-d-mat rix [ 1 ] = { I } ; 
313: s t a t i c  const double TF_22_amatrix[2] [2] = {{C, l}, {-0.92312,1:320O4}}; 
314: s t a t i c  const double TF-22-bmatrix [2] = {C, 1); 
315: s t a t i c  const double TF_22_cmatrix[2] = {0.0015168,0.OCl557Sj; 
316: s t a t i c  const double TF-22-d-matrix [1] = {O} ; 
317: 
318: 
319: j* I n i t i a l i z e  v a r i a b l e s  */ 
320: s t a t i c  double TF-6-state[:] = {O}; 
321: s t a t i c  double TF-8_state[2] = {0,0); 
322: s t a t i c  double TF-12_state[2] = {0,0}; 
323: s t a t i c  double TF-15-state [2] = {Of 0); 
324: s t a t i c  double TF-18-state [2] = (0, C}; 
325: s t a t i c  double TF-22-state [2] = {C, C }  ; 
326: 
327: 
328: 
................................................. 
329: // insert O c t a v i a  Z o i i t r o l  L o o p  Function Here 
330: ....................................................... 
331: 
332: void run-octavia0 { 
333: 
334: / * L : c r l a r e  i ncrenen t ing  variables */ 
335: unsigned i n t  step-counter; 
336: unsigned i n t  i ; 
337: unsigned i n t  j; 
338: double templ; 
339: double temp2; 
340: 
341: Sum-1-out = IMUAttitudeRateAOctavia[O] - IMUAttitudeRateBOctavia[Cll; 
342: if (Sum-1-out < 9 )  Sum-1-out = Sum-1-out * -1; 
343: 
344: OctaviaIMUAttitudeRateDifference[Cl] = Sum-1-out; 
345: 
346: Sum-2-out = CSSAttitudeAOctavia[O] - CSSAttitudeBOctavia[W; 
347: if (Sum-2-out < 9 )  Sum-2-out = Sum-2-out * -1; 
348: 
349: OctaviaCSSAttitudeDifference[0] = Sum-2-out; 
350: 
351: Sum-3-out = ReferenceAttitudeOctavia[O] - Gain-11-out; 
352: 
353: Sum-4-out = Sum-3-out - Gain-21-out; 
354 : 
355: Sum-5-out = IMUAttitudeRateAOctavia[O] + IMUAttitudeRateBOctavia[O]; 
356: 
357 : TF-22-out = TF-22-cmatrix[0] * TF-22_state[O] + TF-22-c-matrix[l] * 
TF_22_state[l] + TF-22-d-matrix[G] * Sum-4-out; 
358: temp1 = TF-22-a-matrix[O] [0] * TF-22_state[O] + TF-22-a-matrix[O] [I] * 
TF-22_state[1] + TF-22bmatrix[0] * Sum-4-out; 
359: temp2 = TF-22-a-matrix[l] [0] * TF-22_state[O] + TF-22_a_matrix[l] [I] * 
TF-22_state[l] + TF-22bmatrix[l] * Sum-4-out; 
360: TF-22-state [0] = templ; 
361 : TF-22-state [l] = temp2; 
362 : 
363: OctaviaTorque[O] = TF-22-out; 
364: 
365: TF-6-out = TF-6-c-matrix [0] * TF-6-state [0] + TF-6-d-matrix [0] * 
CSSAttitudeAOctavia [ m  ; 
366: TF-6-state [0] = TF-6-amatrix [O] * TF-6-state [0] + TF-6-b-matrix [0] * 
CSSAttitudeAOctavia [w; 
367 : 
368: TF-8-out = TF-8-c-mat rix [ 0 ] * TF-8-st ate [ 0 ] + TF-8-c-mat rix [ 1 ] * 
TF-8-state [1] + TF-8-d-matrix [0] * TF-6-out; 
369: temp1 = TF_8_a_matrix[O] [0] * TF_8_state[O] + TF_8_a_matrix[O] [l] * 
TF-8-state [l ] + TF-8bmat rix [ 01 * TF-6-out ; 
370: temp2 = TF-8-a-matrix [l] [0] * TF-8-state [0] + TF-8-a-matrix [l] [I] * 
TF-8-state [l ] + TF-8bmatrix [ l] * TF-6-out; 
371: TF_8_state[O] = templ; 
372 : TF_8_state[l] = temp2; 
373 : 
374: Gain-11-out = 0.0325 * TF-8-out; 
375: 
376: TF-12-out = TF-12-c-matrix[O] * TF_12_state[O] + TF-12-c-matrix[l] * 
TF-12_state[l] + TF-12-d-matrix[D] * Sum-5-out; 
377: temp1 = TF-12-a-matrix [O] [O] * TF-12-state [0] + TF-12-a-matrix [O] [I] * 
TF-12-state[l] + TF-12bmatrix[C] * Sum-5-out; 
378: temp2 = TF-12-a-matrix [I] [0] * TF-12-state [0] + TF-12-a-matrix [l] [I] * 
TF-12_state[l] + TF-12-bmatrix[l] * Sum-5-out; 
379: TF-12-state [GI = templ; 
380: TF-12-state[l] = temp2; 
381: 
382: TF-15-out = TF-15-c-matrix[O] * TF-15_state[O] + TF-15-c-matrix[;] * 
TF-15-state [I] + TF-15-d-matrix [GI * TF-12-out; 
383: temp1 = TF-15-a-matrix[O] [C] * TF_15_state[O] + TF-15-a-matrix[O] [I] * 
TF-15_state[l] + TF_15bmatrix[0] * TF-12-out; 
temp2 = TF-15-a-matrix[l] [O] * TF-15-state [0] + TF-15-amatrix [I] [I] * 
TF-15_state[l] + TF-15_b_matrix[l] * TF-12-out; 
TF_15_state[C] = templ; 
TF-15_state[l] = temp2; 
TF-18-out = TF-18-c-matrix [O] * TF-18-state [O] + TF-18-c-matrix [I] * 
TF-18-st ate [ l ] + TF-18-d-mat rix [ C ] * TF-15-out ; 
templ = TF-18-a-matrix[G] [C] * TF-18_state[O] + TF-18-a-matrix[$] [I] * 
TF-18-53 t ate [ l ] + TF-18-b-mat rix [ C ] * TF-15-out ; 
temp2 = TF-18-a-matrix [I] [C] * TF-18-state [0] + TF-18-a-matrix [l] [I] * 
TF-18_state[l] + TF_18_b_matrix[l] * TF-15-out; 
TF-18-state [GI = templ; 
TF-18-state [I] = temp2; 
int main() { 
/ *  I n i t i a l i z e  S y s t e m  V a r i a b l e s  * /  
gettimeof day (&start, NULL) ; 
FILE *fp; 
if ( (fp = fopen ( " l a n t i s a t 7 a c s .  csv", "w") ) == NULL) { 
fprintf (stdout, " C ~ % n ' t  ocen f ilc. \ \ ,nV)  ;
1 
fclose (fp) ; 
/ *  Tn i  t i a . l i z e  E2ement  Var . iab1e .s  */ 
IMUAttitudeRateA-obsolete [O] = I; 
IMUAttitudeRateA-obsolete [I] = 1; 
IMUAttitudeRateA-obsolete[2] = 1; 
IMUAttitudeRateA-obsolete [3] = 1; 
IMUAttitudeRateA-obsolete [4] = 1; 
IMUAttitudeRateA-obsolete[V = 1; 
1MUAttitudeRateA~time~received.tv~sec = 0; 
I M U A t t i t u d e R a t e A ~ t i m e ~ r e c e i v e d . t v _ u s e c  = 0; 
IMUAttitudeRateB-obsolete[O] = 1; 
IMUAttitudeRateB-obsolete [ l  ] = I; 
IMUAttitudeRateB-obsolete [2] = I; 
IMUAttitudeRateB-obsolete[3] = 1; 
IMUAttitudeRateB-obsolete[4] = 1; 
IMUAttitudeRateB-obsolete[5] = 1; 
IMUAttitudeRateB-time-received.tv-sec = 0; 
I M U A t t i t u d e R a t e B ~ t i m e ~ r e c e i v e d . t v _ u s e c  = 0; 
O c t a v i a I M U A t t i t u d e R a t e D i f f e r e n c e _ o b s o l e t e [ ]  = 1; 
Octav i a IMUAt t i t udeRa t eDi f f e r ence_obso l e t e [ l ]  = 1; 
OctaviaIMUAttitudeRateDifference~obsolete[] = 1; 
OctaviaIMUAttitudeRateDifference~obsolete[] = I; 
OctaviaIMUAttitudeRateDifference~obs01ete 4 = 1; 
OctaviaIMUAttitudeRateDifference~obsolete[] = I; 
OctaviaIMUAttitudeRateDifference~timeereceived.tvsec = 0; 
0ctavia1MUAttitudeRateDifference~time~receivedtvusec = 0; 
CSSAttitudeA-obsolete [O] = 1; 
CSSAttitudeA-obsolete [l] = 1; 
CSSAttitudeA-time-received-tv-sec = 0; 
C S S A t t i t u d e A ~ t i m e ~ r e c e i v e d . t v _ u s e c  = 0; 
CSSAttitudeB-obsolete [0] = 1; 
CSSAttitudeB-obsolete [1] = 1; 
CSSAttitudeB-time-received.tv-sec = 0; 
CSSAttitudeB~time~received.tv~usec = 0; 
OctaviaCSSAttitudeDifference~obs01ete[0] = 1; 
OctaviaCSSAttitudeDifferenceeobsolete [1] = 1; 
OctaviaCSSAttitudeDifferenceetime~received.tvsec = 0; 
OctaviaCSSAttitudeDifference~timeereceived.tvusec = 0; 
ComrnandedAttitude-obsolete [0] = I; 
CommandedAttitude-obsolete [1] = 1; 
CommandedAttitude~time~received.tv~sec = 0; 
CommandedAt t i tude~t ime~rece ived . tv_usec  = 3; 
OctaviaTorque~obsolete [0] = 1; 
OctaviaTorque~obsolete[l] = 1; 
0ctaviaTorque~time~received.tv~sec = 0; 
0ctaviaTorque~time~received.tv~usec = 0; 
RWASpeed-obsolete [O] = 1; 
RWASpeed-obsolete [ I - ]  = 1; 
RWASpeed-obsolete [2] = I; 
RWASpeed-obsolete [3] = I; 
RWASpeed-obsolete [4] = 1; 
RWASpeed-obsolete [5] = 1; 
RWASpeed-time-received.tv-sec = 0; 
RWASpeed-time-received-tv-usec = 0; 
RWATemperature-obsolete [O] = 1; 
RWATemperature-obsolete [I] = 1; 
RWATemperature-obsolete[2] = 1; 
RWATemperature-obsolete [3] = 1; 
RWATemperature-obsolete [4] = 1; 
RWATemperature-obsolete [S] = 1; 
RWATemperature~time~received.tv~sec = 0; 
RWATemperature~time~received.tv~usec = 0; 
MTRACurrent-obsolete[O] = 1; 
MTRACurrent-obsolete [I] = 1; 
MTRACurrent_obsolete[2] = 1; 
MTRACurrent_obsolete[3] = 1; 
MTRACurrent-obsolete [4] = 1; 
MTRACurrent-obsolete [5] = 1; 
MTRACurrent-time-received.tv-sec = 0; 
MTRACurrent~time~received.tv~usec = 0; 
MTRBCurrent-obsolete[O] = 1; 
MTRBCurrent-obsolete [I] = 1; 
MTRBCurrent-obsolete [2] = 1; 
MTRBCurrent_obsolete[3] = 1; 
MTRBCurrent-obsolete [4] = 1; 
MTRBCurrent-obsolete[5] = 1; 
MTRBCurrent-time-received.tv-sec = 0; 
M T R B C u r r e n t ~ t i m e ~ r e c e i v e d . t v _ u s e c  = 0; 
CSSAttitudeAOctavia~timeesent.tv~sec = 0; 
CSSAttitudeAOctaviatime~sent.tv~usec = 0; 
CSSAttitudeBOctavia~timeesent.tv~sec = 0; 
CSSAttitudeBOctavia~time~sent.tv~usec = 0; 
IMUAttitudeRateACornpare0ctavia~time~~ent~tv~sec = 0; 
IMUAttitudeRateACornpareOctavia~timeesentttvVusec = 0; 
IMUAttitudeRateBCompare0ctavia~time~senttvsec = 0; 
IMUAttitudeRateBCompare0ctavia~time~~ent.tv~usec = 0; 


608: ACSMode-time-entered-2.t~-sec = 0; 
609: ACSMode-time-entered-2.t~-usec = 0; 
610: ACSMode-time-exited-2.t~-sec = 3; 
611: ACSMode-time-e~ited-2~tv-usec = 0; 
612: ACSMode-time-entered-3.t~-sec = 0; 
613: ACSMode-time-entered-3.t~-usec = 0; 
614: ACSMode-time-exited-3.t~-sec = 0; 
615: ACSMode~time~exited~3.tv~~sec = 0; 
616: IMUAttitudeRateAOctavia~timeesent.tv~sec = 0; 
617: 1 M U A t t i t u d e R a t e A 0 c t a v i a ~ t i m e ~ s e n t t v u s e c  = 0; 
618: IMUAttitudeRateBOctavia~time~sent.tv~sec = 0; 
61 9: IMUAttitudeRateBOctavia~timeesent.tvusec = 0; 
620: RWATorque-time-sent.tv-sec = 0; 
621: RWATorque-t ime-sent . tv-usec = 0; 
622 : MTRATorque-time-sent-tv-sec = 0; 
623: MTRATorque-time-sent-tv-usec = 0; 
624: MTRBTorque-time-sent-tv-sec = 0; 
625: MTRBTorque~time~sent.tv~usec = 0; 
62 6: 
627: / *  Main Eva.Luation Section */ 
628: while(l) { 
62 9 : 
630: gettimeofday (&round-start NULL) ; 
631: 
632 : / *  Input Element : I M U  Attitude Rate A */ 
633: if(!IMUAttitudeRateA-has-new-data) { 
634 : IMUAttitudeRateA-has-new-data = 
has-new-data ( " -MUAt t i ,~ ,  u(jeKcit-eL4. <:S\I '~ ) ; 
635 : IMUAttitudeRateA [C!] = (double) read-input (Ii TML:Ai:. t .i l:.ucieiiat;eA. ,-.sx;" -.  \ ) ;  
636: 1 
637 : if((1MUAttitudeRateA-has-new-data)) { 
638 : gettimeofday(&IMUAttitudeRateA-timeereceivedfNULL); 
639: IMUAttitudeRateA-obsolete [C] = 0; 
640: 1 
641: else 
if ( ( ( ! IMUAttitudeRateA-has-new-data) & &  ( (t ime-since ( LIMUAttitudeRateA-time-received) 
<= 1.5)&&check~time(time~~in~e(&IMUAttitudeRateAtimereceived)~1.5)))) { 
642: IMUAttitudeRateA [O] = IMUAttitudeRateA[L] ; 
643: IMUAttitudeRateA-obsolete [O] = 0; 
644: 1 
645: else if((((system-start == 
I)&&(never~received(IMUAttitudeRateA~obsoletef 
6))) I I (never~received(IMUAttitudeRateA~obs01ete~ 
6) ) 1 1 ( (time-since (&IMUAttitudeRateA-time-received > 
1.5) &&check-time (time-since (&IMUAtt itudeRateAtmereceved) 1 5) ) ) ) { 
646: IMUAttitudeRateA-obsolete [GI = I; 
647: 1 
648: re~ord("li~r;ds~i7~~~s.<~i;1,." I .  " i . : ;p?ui_fTf .iMlJ A t t i b E r . j p  -. - 1 ' 1 '  ,-i I 
(double) IMUAttitudeRateA [(.)I ! IMUAtt itudeRateA-obsolete [0l) ; 
649: 
650: 
651: /" I n p u t  E.ieme~?r : TMI.! .rit t i t~.:de Rate I! */ 
652 : if(!IMUAttitudeRateB-has-new-data) { 
653 : IMUAttitudeRateB-has-new-data = 
ha~-~ew-data ( TMi.,lAt, i ;:;,-:;- 7.; . z, L <  . c;;;;;" ) - 
654: IMUAttitudeRateB [ 3  ] = (double) read-input (" I M U A i _ t  ir1..i,dc3,a?:-cE. ,::,-;vn ) ;
655: 1 
65 6: if((1MUAttitudeRateBha.s-new-data)) { 
657: gettimeofday(&IMUAttit~deRateB-time~re~eived,NULL); 
658: IMUAttitudeRateB-obsolete[O] = 0; 
659: 1 
660: else 
if(((!IMUAttitudeRateB~ha~~new~data)&&((time~since(&IMUAttitudeRateB~time~received) 
<= 1.5)&&check~time(time~since(&IMUAttitudeRateB~time~received),~.5)))) { 
661: IMUAtt itudeRateB [O] = IMUAttitudeRateB [I ] ; 
662: IMUAttitudeRateB-obsolete [O 1 = 0; 
663: 1 
664: else if ( ( ( (system-start == 
1) & &  (never-received (IMUAttitudeRateB-obsolete, 
6))) 1 1  (never~received(IMUAttitudeRateB~obs01ete, 
6) ) 1 1 ( (time-since (&IMUAtt itudeRateB-time-received > 
1.5)&&check~time(time~~in~e(&IMUAttitudeRateBtimereceived),l.5)))) { 
665: IMUAttitudeRateB-obsolete [ @ I  = 1; 
666: 1 
667: record ("landsa.t--7acs. c sv"  "Input", "T'pu - 1  A c t '  L Atude Rat- B" 
(double)IMUAttitudeRateB[@], !IMUAttitudeRateB-obsolete[O]); 
668: 
669: 
670: / *  I n p u t  Element : O c t a v i a  I M U  A t t i t u d e  R a t e  D i f f e r e n c e  */ 
671: if(!OctaviaIMUAttitudeRateDifference~has~new~data) { 
672: OctaviaIMUAtt i tudeRateDifferen~e~has_newdata  =
has-new-data ("0ctavii~IElUP1t-ii tudeRateDif ference .csvl') ;
673: OctaviaIMUAttitudeRateDif f erence [ O ]  = 
(double) read-input ("Oct avi.aIMUAtti. tudeRatel ' ifference. csuf") ; 
674: 1 
675: i f ( ( O c t a v i a I M U A t t i t u d e R a t e D i f f e r e n c e _ h a s d a t a ) )  { 
676: gettimeofday(&0ctaviaIMUAttitudeRateDifference~time~received, 
NULL) ; 
677: OctaviaIMUAttitudeRateDifferencenobso1ete[0] = 0; 
678: 1 
679: else 
if(((!OctaviaIMUAttitudeRateDifference~has~new~data)&&((time~since(&OctaviaIMUAttitu~ 
<= 
1.5)&&check~time(time~sin~e(&OctaviaIMUAttitudeRateDifference~time~received), 
1.5)))) { 
680: OctaviaIMUAtt itudeRateDifference [O] = 
OctaviaIMUAttitudeRateDifference[l]; 
681: OctaviaIMUAttitudeRateDifferencenobso1ete[0] = 0; 
682: 1 
683: else if ( ( ( (system-start == 
1)&&(never~received(OctaviaIMUAttitudeRateDifference~obsolete, 
6))) I 1 (never~received(OctaviaIMUAttitudeRateDifference~obsolete, 
6)) I 1 ((time~since(&OctaviaIMUAttitudeRateDifferencetimereceived) > 
1.5)&&check~time(time~~in~e(&OctaviaIMUAttitudeRateDif£erence~time~received), 
1.5)))) { 
684 : OctaviaIMUAttitudeRateDifferenceeobsolete[0] = 1; 
685: 1 
686: record ( " i .and~at";Faes. :;svl', ".i:nput 'I, "gctav;ia IMU Attitude Rate  
Difference",  (double) OctaviaIMUAtt itudeRateDif ference [0 1, 
!OctaviaIMUAttitudeRateDifference~obsolete[O]); 
687: 
688: 
689: / *  I n p u t  E l e m e n t  : CSS A t t i t u d e  A */ 
690: if(!CSSAttitudeA-has-new-data) { 
691: CSSAttitudeA-has-new-data = has-new-data ("C:SSP~.i . t .? ;  ~ . I I ~ c ~ + E ~ ~ . < : , c : . ~ ~ ~ ' ' )  ; 
692: CSSAttitudeA[O] = (double) read-input ( " ~ ~ : ~ : ~ ~ ~ ~ . t t i i r : ~ ~ ~ r . : l l . c s ~ ~ " ) ;  
693: 1 
694: if((CSSAttitudeA-has-new-data)) { 
695: gettimeofday(&CSSAttitudeA-time-receivedfNULL); 
696: CSSAttitudeA-obsolete [C] = 0; 
697: 1 
698: else 
if(((!CSSAttitudeA~has~new~data)&&((time~since(&CSSAttitudeA~time~received) 
<= i.5)&&check~time(time~sin~e(&CSSAttit~deA~time~received)~l.5)))) { 
699: CSSAttitudeA[O] = CSSAttitudeA[l]; 
700: CSSAttitudeA-obsolete [C] = 0; 
701: 1 
702: else if((((system-start == l)&&(never-received(CSSAttitudeA-obsoletef 
1) ) ) I I (never-received (CSSAttitudeA-obsoletef 
I) ) I I ( (time-since (&CSSAttitudeA-time-received > 
1.5)&&check~time(time~sin~e(&CSSAttitudeAtimereceived)~.)))) { 
703: CSSAttitudeA-obsolete [O] = 1; 
704: 1 
705: record ( "  ; a;-,d:;<>i.'?:j~;:s. l ; ~ ~ " f  " ~ ' J ~ P I J ~  ", "I,:SS ;A>t t:j..t.!.;3e ,Ai'', 
(double)CSSAttitudeA[O] !CSSAttitudeA-obsolete [GI ) ; 
706: 
707: 
708: ,I* I n p u t  Element : CSS Attitude B * /  
709: if(!CSSAttitudeB-has-new-data) { 
710: CSSAtt itudeB-has-new-data = has-new-data ( "CSSAt t  ituc323. ~';:33~7") ;
711: CSSAtt itudeB [O] = (double) read-input ( "CCCSSEEtt L i i -uc ieU.  csS,i"') ; 
712: 1 
713: if ( (CSSAttitudeB-has-new-data) ) { 
714: gettimeofday(&CSSAttitudeB-timeereceivedfNULL); 
715: CSSAttitudeB-obsolete [O] = 3; 
716: 1 
717: else 
if(((!CSSAttitudeB~has~new~data)&&((time~since(&CSSAttitudeB~time~received) 
<= 1.5) &&check-time (time-since ( LCSSAttitudeB-time-received) 1.5) ) ) ) { 
718: CSSAttitudeB[G] = CSSAttitudeB[l] ; 
719: CSSAttitudeB-obsolete [C] = 0; 
720: 1 
721: else if((((system-start == l)&&(never-received(CSSAttitudeB-obsoletef 
I) ) ) 1 1 (never-received (CSSAttitudeB-obsoletef 
I.) ) ( ( ( (time-since (&CSSAttitudeB-time-received > 
1~.5)&&check~time(time~sin~e(&CSSAttitudeBtimereceived)~.S)))) { 
722: CSSAttitudeB-obsolete [O] = 1; 
723: 1 
724: record ("l~ncjsat~a:~s. <::; ; i f ' ,  llIrlput"r ;'(:SS At t i t uc$ -c  B", 
(double) CSSAttitudeB [O] , ! CSSAttitudeB_obsolete [GI ) ; 
725: 
72 6 : 
727: / *  Input Elemsnc : O c t a v i a  CSS Attitude Difference "/ 
728: if(!OctaviaCSSAttitudeDifference~ha~~newdata) { 
729: OctaviaCSSAttitudeDifferen~e~has~new~data = 
has-new-data ( " , ) I : :  :;.,; ,:!::S.'J.fi...i: :-, ;, t ~ ; : j c ~ [ , j  i f.i.-t: t;ence + <;s\/") ; 
730: OctaviaCSSAttitudeDifference [ill = 
(double) read-input ("C:: 3;;  i AI:::;F;?~~~ j .c, l jci-zj f f  cr-,:2!-!.:-:c . c::?;;;" ) ; 
731: } 
732: if((0ctaviaCSSAttitudeDifferen~e~has~newdata)) { 
733: gettimeofday(&OctaviaCSSAttitudeDifference~time~recei~ed~NULL); 
734: OctaviaCSSAttitudeDifference~obso1ete[0] = 0; 
735: 1 
736: else 
if(((!OctaviaCSSAttitudeDifference~hasSnew~data)&&((time~since(&OctaviaCSSAttitudeDi 
<= 1.5)&&check~time(time~~in~e(&OctaviaCSSAttitudeDifference~time~received)~ 
1.5) 1 )  t 
737: OctaviaCSSAttitudeDifference [0] = 
OctaviaCSSAttitudeDifference [q; 
738: OctaviaCSSAttitudeDifference~obs01ete[0] = 0; 
739: 1 
740: else if((((system-start == 
l)&&(never~received(OctaviaCSSAttitudeDifference~obs~lete~ 
1))) 1 1 (never~received(OctaviaCSSAttitudeDifference~obsolete, 
1)) l 1 ((time~since(&0ctaviaCSSAttitudeDifferencetimereceived) > 
1.5)&&check~time(time~sin~e(&OctaviaCSSAttitudeDifference~time~received)~ 
1.5) 1 )  t 
741: OctaviaCSSAttitudeDifference~obs01ete[0] = 1; 
742: 1 
743: record ("landsat7acs. csv", ll:I:'nput", "Octavi-a CSS At.t.i. .tude L>if ference", 
(double)OctaviaCSSAttitudeDifference[~, 
!OctaviaCSSAttitudeDifference~obso1ete[0]); 
744: 
745: 
746: / *  I n p u t  E l e m e n t  : Commanded  A t t i t u d e  */ 
747: if ( ! CommandedAttitude-has-new-data) { 
748: CommandedAttitude-has-new-data = 
has-new-data ("ComnandedAttitude. CSIT") ;
749: CommandedAttitude [ 0] = 
(double) read-input (llCommande&tt:j..tude. csv") ; 
750: 1 
751: if((C0mmandedAttitude-has-new-data)) { 
752 : gettimeofday(&CommandedAttitude~time~received,NULL); 
753: CommandedAttitude-obsolete [O] = 0; 
754 : } 
755: else 
if(((!CommandedAttitudehas~new~data)&&((time~since(&CommandedAttitude~time~received 
<= 3600.0)&&check~time(time~~in~e(&CommandedAttitude~time~received), 
3600.0)))) t 
756: CommandedAttitude[O] = CommandedAttitude[l]; 
757 : CommandedAttitude-obsolete[0] = 0; 
758 : 1 
759: else if((((system-start == 
I) & &  (never-received ( C o m m a n d e ~ b s o l e t e  , 
1) ) I I (never-received (CommandedAtt itude-obsolete , 
1)) I I ((time~since(&CommandedAttitudeetimeereceived) > 
36C0.0)&&checktime(time~since(&CommandedAttitude~time~received),3600.0)))) { 
760: CommandedAttitude-obsolete[O] = 1; 
761: 1 
762: record ("land~at7acs. c-vfr, "Inpi;.:: ", "Commarlded Attitude" 
(double) CommandedAttitude [O] ,!CommandedAttitude-obsolete [C] ) ; 
763: 
764: 
765: / *  I n p u t  E l e m e n t  : O c t a v i a  Torque */ 
766: if(!OctaviaTorque-has-new-data) { 
767: OctaviaTorque-has-new-data = has-new-data ( "Octavi. aTo.rgue. i3sL7") ; 
768: OctaviaTorque [C] = (double) read-input ( " O c t a v i a T o s q u s .  csv") ; 
769: 1 
770: if((0ctaviaTorque-has-new-data)) { 
771: gettimeofday(&0ctaviaTorque~time~received,NULL); 
772: OctaviaTorque~obsolete [O] = 0; 
773: 1 
774: else 
if(((!0ctaviaTorque~has~new~data)&&((time~since(&OctaviaTorque~time~received) 
<= 1.5)&&check~time(time~sin~e(&0ctaviaTorquetimereceived),1.5)))) { 
775: OctaviaTorque [O] = OctaviaTorque [l ] ; 
776: OctaviaTorque~obsolete [ a ]  = 0; 
777: } 
778: else if ( ( ( (system-start == 
1) & &  (never-received (OctaviaTorque~obsolete, 1) ) ) I I (never-received (OctaviaTorque~obs01~ 
1) ) I I ( (time-since (&OctaviaTorque~timeereceived) > 
1.5)&&check~time(time~sin~e(&OctaviaTorquetimereceived),.)))) { 
779: OctaviaTorque-obsolete [O] = 1; 
780: } 
781: record( 'Tla; i~~sai_-7ar~s .c:r;,~", i ; i t . ; u i n ,  "(J(;t;i;;ia 'Tc.rq1_ieTi, 
(double)OctaviaTorque[Ol, ! O c t a v i a T o r q u e - o b s o l e t e [ w ;  
782: 
783: 
784: / *  I n p u t  E i e n e n t  : RWA S p e e d  *,' 
785: if ( ! RWASpeed-has-new-data) { 
786: RWASpeed-has-new-data = has-new-data ( "3WASpec:id. c:svtl) ; 
787: RWASpeed [ 0 ] = (double) read-input ( 1'3!4PIi.<p2$:ci. ::STT" ) ; 
788: 1 
789: if ( (RWASpeed-has-new-data) ) { 
790: gettimeofday(&RWASpeed-time-received,NULL); 
791: RWASpeed-obsolete [0] = 3; 
792: 1 
793: else 
if ( ( ( ! RWASpeed-has-new-data) & &  ( (time-since (&RWASpeedtmereceved) <= 
5) &&check-time (time-since (&RWASpeed-time-received) , 5 )  ) ) ) { 
794: RWASpeed [O ] = RWASpeed [ 1 ] ; 
795: RWASpeed-obsolete[O] = 0; 
796: 1 
797: else if((((system-start == l)&&(never-received(RWASpeed-obsolete, 
6) ) ) I I (never-received (RWASpeed-obsolete, 
6) ) 1 1 ( (t ime-since (&RWASpeed-time-received) > 
5) &&check-time (time-since (&RWASpeed-time-received) , 5 )  ) ) ) { 
798: RWASpeed-obsolete [O] = 1.; 
799: 1 
800: record ( "  :i a n d s a t  ' I a c s .  CSV' ! ,  " i. npu t  " , iliiW.i'l S n ~ e d "  , (double) RWASpeed [GI , 
!RWASpeed-obsolete [O] ) ; 
801: 
802: 
803: ,Ik I n p u t  E l e m e n t  : RWA T e m p e r ' a t u r ' e  */ 
804: if ( ! RWATemperature-has-new-data) { 
805: RWATemperature-has-new-data = has-new-data ("~WA'L'e!nper~it u r ? .  cs t i " )  ; 
806: RWATemperature [O] = (double) read-input ( "A'~;~%'i '~.13per:it-  ire. CYV" ) ; 
807: 1 
808: if((RWATemperature-has-new-data)) { 
809: gettimeofday(&RWATemperature~time~received,NULL); 
810: RWATemperature-obsolete[C!] = 0; 
811: } 
812: else 
if(((!RWATemperature~hasSnew_data)&&((time~since(&RWATemperature~time~received) 
<= 5)&&check~time(time~sin~e(&RWATemperature~time~received),5)))) { 
RWATemperature [0] = RWATemperature [1] ; 
RWATemperature-obsolete [O] = 0; 
I 
else if((( (system-start == 
1) & &  (never-received (RWATemperature-obsolete, 
6))) 1 1  (never-received(RWATemperature-obsolete, 
6) ) 1 1 ( (time-since (&RWATemperature-time-received) > 
5)&&check~time(time~~in~e(&RWATemperaturetime~received),5)))) { 
RWATemperature-obsolete [O] = 1; 
I 
record ("1ar1dsat'7acs. c s ~ ' ~ ,  "Input1', "RWA Tenperature", 
(double)RWATemperature[O], !RWATemperature-obsolete[O]); 
/ *  I n p u t  E l e m e n t  : M T R  A C u r r e n t  */ 
if(!MTRACurrent-has-new-data) { 
MTRACurrent-has-new-data = has-new-data (llM'I'KACurrer~t. csvl') ; 
MTRACurrent [0] = (double) read-input (llMTRACurrentt csvtl) ; 
I 
if((MTRACurrent-has-new-data)) { 
gettimeofday(&MTRACurrent-time-received,NULL); 
MTRACurrent-obsolete[O] = 0; 
1 
else 
if(((!MTRACurrent~has~ne~~data)&&((time~since(&MTRACurrenttimereceived) <= 
5)&&check~time(time~~in~e(&MTRACurrent~time~received),5)))) { 
MTRACurrent [0] = MTRACurrent [1] ; 
MTRACurrent-obsolete [0] = 0; 
I 
else if ( ( ( (system-start == 1) & &  (never-received (MTRACurrent-obsolete, 
6) ) ) 1 1 (never-received (MTRACurrent-obsolete, 
6) ) I  1 ( (time-since (&MTRACurrent-time-received) > 
5) &&check-time (time-since ( & M T R A C u r r e n t - t i m e r e c e i v e d  , 5) ) ) ) { 
MTRACurrent-obsolete[0] = i; 
I 
record ("landsat7acs. csv", "Ir~put", "MTR A Current ", 
(doub1e)MTRACurrent [0] , !MTRACurrent-obsolete [0] ) ; 
/ *  I n p u t  E l e m e n t  : MTR B C u r r e n t  */ 
if(!MTRBCurrent-has-new-data) { 
MTRBCurrent-has-new-data = has-new-data("MTRECurrent.csvl'); 
MTRBCurrent [0] = (double) read-input ( IrMTRBCurrent .csv") ; 
1 
if((MTRBCurrent-has-new-data)) { 
gettimeofday(&MTRBCurrent-time-received,NULL); 
MTRBCurrent-obsolete[O] = 0; 
I 
else 
if(((!MTRBCurrent~has~ne~~data)&&((time~since(&MTRBCurrenttimereceived) <= 
5) &&check-time (time-since (&MTRBCurrent-time-received) , 5) ) ) ) { 
MTRBCurrent [O] = MTRBCurrent [1] ; 
MTRBCurrent-obsolete [ 0 ]  = 0; 
1 
else if ( ( ( (system-start == 1) & &  (never-received (MTRBCurrent-obsolete, 
6) ) ) 1 1 (never-received (MTRBCurrent-obsolete, 
6) ) 1 1 ( (time-since (&MTRBCurrent-time-received) > 
5)&&check~time(time~~in~e(&MTRBCurrent~time~received),5) 1 )  { 
855: MTRBCurrent-obsolete [0] = 1; 
856: 1 
857: record ("iari:js;;a;7a:r>; . !::i;Tb~", " II:~u~", "MTR 3 Crir r - - : r - : -  '. . . - - . - I  " 
(double) MTRBCurrent [ill , !MTRBCurrent-obsolete [I:] ) ; 
858: 
859: 
860: /"- Outp~.r t  E!e!nent  : CSS - 4 t t i t u c i e  A O c t a v i a  *I' 
861: if ( (CSSAttitudeA-obsolete [O] ! =  1 ) ) { 
862: CSSAttitudeAOctavia [C] = (double) CSSAttitudeA [GI ; 
863: . > re c 0 r d ( " ; (3 ;.i r j  cj ,cj i-, : <j  ;- 5 . ,; 5 x.; " , " C: 11 t. 0.~; i; 11 $1 !-' '< $ + +. ' , \., e., ,- . ~.. L. 1 .I:. LJ cis .A :-; c 1.. 2 ~", ; ,?l : 
, > t - t i  ?~:~:-;i:;.'\ (double) CSSAttitudeA[O] , 1) ; 
864: CSSAttitudeAOctavia-never-sent = 0; 
865: gettimeofday(&CSSAttitudeA0ctavia~timeesentINULL); 
866: } 
867: 
868: 
869: j* G u t p u ~  E l e m e n t  : CSS A t t i t u d e  B O c t a v i a  */ 
870: if ( (CSSAttitudeB-obsolete [ G I  ! = 1) ) { 
871: CSSAttitudeBOctavia [O] = (double) CSSAttitudeB [w; 
872: record ( "  i;,:1:-,ds~l!. '!;,~c:; . \ s r", iv':3ui:.&utv, '!C:;S Ai-ti.t.t.jde 1:; (:lct,y:,; i ;j : 
A t - i . . t ~ j d e , " ,  (double) CSSAttitudeB [O] , 1) ; 
873: CSSAttitudeBOctavia-never-sent = 0; 
874: gettimeofday(&CSSAttitudeB0ctavia~timeesent,NULL); 
875: 1 
876: 
877: 
878: / *  O u t p u t  E i e m e n C  IiYU A t t i t u d e  R a t e  A Compare O c t a v i a  */ 
879: if ( (IMUAttitudeRateA-obsolete [GI !=  i) ) { 
880: IMUAttitudeRateACompareOctavia [(I] = (double) IMUAttitudeRateA [C] ; 
881: record ( "  1 a r l d s , a . t " ' , ' a ~ ~  . ~ 5 : ; " ~  w ~ ~ ~ t , o - ~ i - -  , ~-. 'II " I M U  At:.t.i:Lude Rate A (2o;opaue 
O ~ t . a . ; ~ . i . c ~  : At:{: ... l.t.ude iiai:~?", (double) IMUAttitudeRateA[O], 1) ; 
882: IMUAttitudeRateACompare0ctavia~never~sent = 0; 
883: gettimeofday(&IMUAttitudeRateACompareOctavia~time~sent,NULL); 
884: 1 
885: 
886: 
887: / *  O n t p u t  E l e m e n t  : I M i J  A t t i t u d e  8 a t e  B Compare O c t a v i a  */ 
888: if ( (IMUAttitudeRateB-obsolete [0] !=  1) ) { 
889: IMUAtt itudeRateBCompare0ctavia [I:] = (double) IMUAttitudeRateB [ O l  ; 
890: record (" 1 ~r-idsai:.~7~3cr; .,:s;7", ":3u.t:.pl~:iiV, "LMU k t t i . t ~ .~de  fiai..? I3 Cr:~~p~:ire 
0c.tai:a : A i - t i t u c l e  iist?", (double)IMUAttitudeRateB[O],1); 
891: IMUAttitudeRateBCompare0ctavia~never~sent = C; 
892: gettimeofday(&IMUAttitudeRateBCompareOctavia~time~sent,NULL); 
893: 1 
894: 
895: 
896: / "u tput  Elerneni  : R e f e r e n c e  A t t i t u d e  Octav l ia  * /  
897: if ( (CommandedAttitude-obsolete [O] ! = 1) ) { 
898: ReferenceAttitudeOctavia[0] = (double)CommandedAttitude[Gl; 
899: rec0rd("I~;~r;ds~l;7<:~.r; .,-;s~,," "3ut;L;.,11, " & c C - ~ u : - : , - - ~  - , \_. - ._. ,. q~if -. t - . iLUQp A . (2 (-: i- c i  "v, i 3. : 
~ t , ? . .  . ; \.. u r j L t ~  ,. ,- , (double) CommandedAtt itude [GI , 1 ) ; 
900: ReferenceAttitudeOctavia-never-sent = 0; 
901: gettimeofday(&ReferenceAttitudeOctavia~time~sent,NULL); 
902: 1 
903: 
904 : 
905 : / *  Macro  Eienieric : ?MU A t t i t ~ ~ d e  R a t e  ;2 L i i n i t  P a s s e d  * /  
90 6: if ( (  (IMUAttitudeRateA[O] < 
1097859072)&&!IMUAttitudeRateA~ob~01ete[O]&&(IMUAttitudeRateA[O] < - 
1049624576)&&!IMUAttitudeRateA~ob~01ete[O]&&(IMUAttitudeRateA[2] < 
1097859072) & &  (IMUAttitudeRateA[u < -1049624576) & &  (IMUAttitudeRateA[3] < 
1097859072) & &  (IMUAttitudeRateA[3] < -1049624576) & &  (IMUAttitudeRateA[4] < 
1097859072) & &  (IMUAttitudeRateA[4] < -1049624576) & &  (IMUAttitudeRateAL51 < 
10978590?2)&& (IMUAttitudeRateA[5] < -10496245?6) ) ) { 
907 : IMUAttitudeRateALimitPassed[@] = 1; 
908: 1 
909: else { 
910: IMUAttitudeRateALimitPassed[O] = 0; 
911: 1 
912 : record (171;lndsat7ai:g. csvl$, "IMU A t t i t u d e  R a t e  A Lirg.it Passed1', 
(double) IMUAttitudeRateALimitPassed [0] , 1) ; 
913: 
914 : 
915: / *  Macro Element : IMU Attitude Rate B Limit Passed */ 
91 6: if ( ( (IMUAttitudeRateB[O] < 
1.097859072) & &  ! IMUAttitudeRateB-obsolete [ I  & IMUAtttdeRateB 0 < - 
1049624576)&&!IMUAttitudeRateB-obs01ete[O]&&(IMUAttitudeRateB[2] < 
1097859072) & &  (IMUAttitudeRateB [2] < -1049624576) & &  (IMUAttitudeRateB [3] < 
1097859072) & &  (IMUAttitudeRateB [3] < -1049624576) & &  (IMUAttitudeRateB [4] < 
1097859072) & &  (IMUAttitudeRateB [4] < -1049624570) & &  (IMUAttitudeRateB [5] < 
1097859072) & &  (IMUAttitudeRateB [5] < -1049624576) ) ) { 
917: IMUAttitudeRateBLimitPassed[O] = 1; 
918: 1 
919: else { 
920: IMUAttitudeRateBLimitPassed[O] = 0; 
921 : 1 
922: record ("lanclsat.7acs. csv1I, 'lKacrol', "IMU A t t . i t u d e  Rate :B :Li.m:i.t. Passed1', 
(double) IMUAttitudeRateBLimitPassed [0] , 1 ) ; 
923 : 
924: 
925: / *  Macro Element : IMU Attitude Rate A Obsolete Passed */ 
926: if ( ( (IMUAttitudeRateA-obsolete [0] ! = 
1) & &  (IMUAttitudeRateA-obsolete [2] != 1) & &  (IMUAttitudeRateA-obsolete [3] != 
1) & &  (IMUAttitudeRateA-obsolete [4] != 1) & &  (IMUAttit~deRateA~obsolete [5] != 
1))) t 
927: IMUAttitudeRateAObsoletePassed[@] = 1; 
928: 1 
929: else f 
930: IMUAttitudeRateAObsoletePassed[0] = 0; 
931 : 1 
932: record (l'landsat'lacs. csv", "MazroV, "IMU A t t i . t u i S e  R a t e  A Obsolete 
Passed", (double) IMUAttitudeRateAObsoletePassed [GI, 1) ; 
933: 
934 : 
935: / *  Macro Element : IMU Attitude Rate B Obsolete Passed */ 
936: if(((1MUAttitudeRateB-obsolete[O] != 
1) & &  (IMUAttitudeRateB-obsolete [2] != 1) & &  (IMUAttit~deRateB~obsolete [3] != 
l)&&(IMUAttitudeRateB-obsolete[4] != L)&&(1MUAttitudeRateBeobso1ete[5] != 
1 . ) ) )  { 
937 : IMUAttitudeRateBObsoletePassed[0] = 1.; 
938: 1 
939: else I 
940: IMUAttitudeRateBObsoletePassed[0] = 0; 
941: 1 
942: record ( "  : c!n:-jsa+.',!'a(~s. - r ; ; i l r  "!v!<~<:,-," , I' 7 , i r  . . : . ' t I] r^j r (z! y (: (> t:, :; ;j : f3 f ,: ' > % .  .
T; . ,:L ?, <-! ...-,. ,-, -.! II , (double) IMUAttitudeRateBObsoletePassed[0], 1) ; 
943: 
944: 
945: / *  Macro E l e m e n t  : I_...Cl A t t i t l i d e  R a t e  -4 S t a t i c  P a s s e d  "i 
94 6 : if(((IMUAttitudeRateA[O] != 
IMUAttitudeRateA[2] ) & &  ! IMUAttitudeRateA-obsolete [ I  & (IMUAtttudeRateA[] ! =  
IMUAttitudeRateA[3])&&!IMUAttitudeRateA~obsolete[]&&(IMUAttitudeRateA[?] != 
IMUAttitudeRateA [4] ) & &  ! IMUAttitudeRateA-obsolete [ I  & (MUAtttudeRateA [ I  ! = 
IMUAttitudeRateA[S])&&!IMUAttitudeRateA-obsolete[O])) { 
947: IMUAttitudeRateAStaticPassed[Cl] = 1; 
948: 1 
949: else { 
950: IMUAttitudeRateAStaticPassed [ti] = 0; 
951: 1 
952: r e c 0 r d ( " l ; i f i : ; j ; 3 ~ ~ t 7 ; ~ ! ~ ~ j ~ ~ ; ~ , ~ ~ I ~  f I f , i t i ~ c ;  I " :p<[- j  - - ky:_.,i,!_;i2s sat+ -- . 4 Sl-.-it ri A -  ;,-.- f:;ir;s+d" 
(double) IMUAttitudeRateAStaticPassed [3l, I) ; 
953: 
954 : 
955 : / *  Macro  E l e m e n t  : I M U  A t t l t u d e  Rate B S t a t i c  Passed */ 
956: if ( ( (IMUAttitudeRateB [C] ! =  
IMUAttitudeRateB [2] ) & &  ! IMUAttitudeRateB-obsolete 0 & ( IMUAttitudeRateB 0 ! = 
IMUAttitudeRateB [3] ) & &  ! IMUAttitudeRateB-obsolete 0 & ( IMUAttitudeRateB 0 ! = 
IMUAttitudeRateB[4])&&!IMUAttitudeRateB~obsolete[0]&&(IMUAttitudeRateB[0] != 
IMUAttitudeRateB[5])&&!IMUAttitudeRateB-obsolete[0])) { 
957: IMUAttitudeRateBStaticPassed [0] = 1; 
958: 1 
959: else { 
960: IMUAttitudeRateBStaticPassed [O] = 0; 
961: } 
962: record(" ii:lncjsat'.]acs. P S Y % T ~ ~ ,  * ~ ~ ~ < a ~ . ~ c ~ f f r  l I : r ~ b < l ~  ?.i...t n i. i f l i  A!.,l 4 ~ 1  i?:iLe F', :5t_at:,!.c Passed", 
(double) IMUAttitudeRateBStaticPassed[Ol ,1) ; 
963 : 
964: 
965: / *  Macro Element : I M U  A t t i t u d e  R a t e  Compare  Passed * /  
966: if ( ( (OctaviaIMUAttitudeRateDif ference [0] < 
1073741824)&&!0ctaviaIMUAttitudeRateDifference~obsolete[C]&&(OctaviaIMUAttitudeRateD 
< - 
1073741824)&&!0ctaviaIMUAttitudeRateDifference~obsolete[0]&&(OctaviaIMUAttitudeRateD 
< 107.374!524) & &  (OctaviaIMUAttitudeRateDifference 2 < - 
? G"13'741824) & &  (OctaviaIMUAttitudeRateDifference [ < 
10'13'71 .524) & &  (OctaviaIMUAttitudeRateDifference [ I  < - 
1073741824) & &  (OctaviaIMUAttitudeRateDifference 4 < 
1073741824) & &  (OctaviaIMUAttitudeRateDifference 4 < - 
1G73741824) & &  (OctaviaIMUAttitudeRateDifference 5 < 
1073741824) & &  (OctaviaIMUAttitudeRateDifference 5 < -1073741824) ) ) { 
967: IMUAttitudeRateComparePassed [0] = 1; 
968: 1 
969: else { 
970: IMUAttitudeRateComparePassed[0] = 0; 
971: 1 
972: record(" ; ,z j . ; r?dr ,~;~t . ' isc~~~;~;~~; f ' I  " ~ ~ j - j ~ y - , - . . f '  ,, , ' i I P : i ? :  , :,,, :+:,,; ' ' : t ii,;,;c: );,;i:-e C::-);i;nar-e pi2:;sed" 
(double) IMUAttitudeRateComparePassedEOl, 7 ) ;  
973: 
974: 
975: / +  M ~ ~ - T c  Elenjeri t  : CSS A t t i t u d e  Compare  ' ~ s s ~ c ]  * / '  
97 6 : if ( ( (OctaviaCSSAttitudeDifference [G 1 < 
I ~ : 7  , ., -3-  4'1.524) & &  !OctaviaCSSAttitudeDifference-obsolete [{I] & &  (OctaviaCSSAttitudeDifferencl 
< - l C - , ; 3 ? / l 1 8 2 4 )  & &  ! 0ctaviaCSSAttitudeDifference~obsolete [$I ) ) { 
977: CSSAttitudeComparePassed[0] = 1; 
978: 1 
97 9: else { 
980: CSSAttitudeComparePassed[0] = 0; 
981: } 
982: rec~rd("-~alidsat7ac5 .(_:st,-", "l\<iier<;", "("S.5 , & ~ t i i ; ~ : d e  C o r i ~ ~ ; ~ ~ ~  3ij~;~p,~j~1, 
(double)CSSAttitudeComparePassed[0l,l); 
983: 
984: 
985: / *  Mzcro Element : Rh7A Speed Obsolete P~ssed *,I 
98 6: if ( ( (RWASpeed-obsolete [O] ! = 1) & &  (RWASpeed-obsolete [2] ! = 
1) & &  (RWASpeed-obsolete [3] != 1) & &  (RWASpeed-obsolete [4] ! = 
1) & &  (RWASpeed-obsolete [5] ! =  1) ) ) { 
987: RWASpeedObsoletePassed [O] = 1; 
988: 1 
989: else { 
990: RWASpeedObsoletePassed[O] = 0; 
991: 1 
992: r ec~rd (" ,~ -~ ,~ - i :~+s~+L ' / ac : ; .  - ~ s T I " ,  ' ~ ~ ~ a ~ ~ - ~ "  "J<LQA Speed abso'lei--.a , -. . ' i )a .?r . -  . . .2 c (3 , 
(double) RWASpeedObsoletePassed [0] , I) ; 
993: 
994: 
995: / *  Macro Element : RKA Speed Limit Passed * /  
996: if ( ( (RWASpeed [0] < 1169915934) & &  ! RWASpeed-obsolete [O] & &  (RWASpeed [2] 
< 1163915304) & &  (RWASpeed[3] < 1169915904) & &  (RWASpeed[4] < 
1169915904) & &  (RWASpeed[5] < 1169915904) ) ) { 
997 : RWASpeedLimitPassed [0] = 1; 
998: 1 
999: else { 
1000: RWASpeedLimitPassed [GI = 0; 
1001: I 
% - ,  . 1002: record ("landsat'.7ac.r,. ~ s v " ,  lvMacr(;v, "RWA S 1 s . c ~ ~  .i...zmlt Passedq', 
(double) RWASpeedLimitPassed [C] ,I) ; 
1003: 
1004: 
1005: / *  Macro Element : Rh7A Temperature Obsolete Passed */ 
1006: if ( ( (RWATemperature-obsolete [Q] ! =  1) & &  (RWATemperature-obsolete [2] 
!= 1) & &  (RWATemperature-obsolete [3] ! = 1) & &  (RWATemperat~re~obsolete [4] ! = 
1) & &  (RWATemperature-obsolete [5] ! = 1) ) ) { 
1007: RWATemperatureObsoletePassed[0] = 1; 
1008: 1 
1009: else { 
1010: RWATemperatureObsoletePassed [O] = 0; 
1011: 1 
1012: record ("landsat7a:-:s. (.:c;v", "I<a:;:ro" 1 1 ~ ~ ~ ~ 1  ?'.:?irlperat_ll~e sk,solet-e Passed", 
(double) RWATemperatureObsoletePassed [ill, 1) ; 
1013: 
1014: 
1015: / *  Macro Element : RWA l'enperature Limit Passed */ 
1016: if ( ( (RWATemperature [O] < 
11.1 4 636258) & &  !RWATemperature-obsolete [O] & (RWATemperature [ I  < 
1 - 14636288) & &  (RWATemperature [3] < 1 L! 1 6 3 < % S G )  & &  (RWATemperature u ]  < 
' '  4,-.-.'""- 
, c3ul.!s8) & &  (RWATemperature [5] < 1 1 ;  4636255) ) ) { 
1017: RWATemperatureLimitPassed[0] = 1; 
1018: 1 
1019: else I 
1020: RWATemperatureLimitPassed [,2] = 0; 
} 
record(" laficj-ay.'!:3<:s*:-.c-i" ,,., b , "'\,",:,.-,r-a" . .... \ ,  jty+;yG. ' ~ C : T I F ) ( ' Y ~ ~ ~ T ~  T . i m i t  F,~~~,< : . : j y ' ,  
(double) RWATemperatureLimitPassed [O] 1) ; 
/" Mi?cro EIene11t : M Y 2  A Cur-rent Obsolete Passed */' 
if ( ( (MTRACurrent-obsolete [C:] !=  l) & &  (MTRACurrent-obsolete [2] != 
1 ) & &  (MTRACurrent-obsolete [3] ! = 1.) & &  (MTRACurrent-obsolete [4] != 
1 ) & &  (MTRACurrent-obsolete [5] ! = 1 ) ) ) { 
MTRACurrentObsoletePassed[O] = I ;  
1 
else { 
MTRACurrentObsoletePassed[O] = 0; 
1 
record ( " i;i:.1:::t-at--7a:::s + ,::s;;" "Kfi:;ro" "MTF; A c.\;r'rer?t Ck,:- ;>lete2 P2:;3~3,3" 
(double) MTRACurrentObsoletePassed [0l,l) ;
/'* Macro Element : MTR B Current Obsolete Passed */ 
if ( ( (MTRBCurrent-obsolete [C] !=  : ) & &  (MTRBCurrent-obsolete [ % I  !=  
1) & &  (MTRBCurrent-obsolete [3] ! = I) & &  (MTRBCurrent-obsolete [4] != 
1) & &  (MTRBCurrent-obsolete [El ! = I) ) ) { 
MTRBCurrentObsoletePassed[0] = 1; 
1 
else I 
MTRBCurrentObsoletePassed [0] = C; 
1 
record ( " ; d f l d ~ d ~ 7 ~ i : t : .  , . . - G ~ L / ' ' ,  ,"!C,~,JL~", "M'L'R 3 LLK re:*'- C:I-,sol~.'- t r'ciss~~(-I", 
(double)MTRBCurrentObsoletePassed[C~]rl); 
/ *  Macro EJernent : MTR A Current Limit Passed */ 
if ( ( (MTRACurrent [O] < 
11204O3456)&&!MTRACurrent-obso1ete[O]&&(MTRACurrent[] < 
1120403456) & &  (MTRACurrent [3] < 1120403456) & &  (MTRACurrent [4] < 
1120403456) & &  (MTRACurrent [5] < 1120403456) ) ) { 
MTRACurrentLimitPassed [O] = 1; 
else { 
MTRACurrentLimitPassed [0] = 0; 
,I* Macro Eiement : M T R  B Current Limit Passed *,I 
if ( ( (MTRBCurrent [0] < 
li20103456) &&!MTRBCurrent-obsolete [O] & &  (MTRBCurrent [ I  < 
1120103,455) & &  (MTRBCurrent [3] < 1120403455) & &  (MTRBCurrent [/I] < 
112filj93.456) & &  (MTRBCurrent [5] < 1120403456) ) ) { 
MTRBCurrent LimitPassed [ 01 = ? ; 
else { 
MTRBCurrent LimitPassed [!I = U; 
1 
rec~rd('~~,~~~:~<~,~,~~~-~~:~:~-:,+~:;~.:~-'~, !v;,<,~c<.,r< 'j 'fliI'i'5 3 ,:;.;XI;<:;-;? LiIy ,iy- ~ ~ 3 ~ < ? ~ ~ ' ! ,  
(double) MTRBCurrentLimitPassed[13], i) ; 
1063: 
1064: 
1065: / *  State Element : IMU Channel */ 
1066: evaluated = 1; 
1067: if ( ( (system-start == 
I)( 1 (!IMUAttitudeRateAObsoletePassed[9]&&!IMUAttitudeRateBObsoletePassed[O]))) 
{ 
1068: IMUChannel[O] = 1; 
1069: IMUChannel-never-entered-1 = 0; 
1070: IMUChannel-never-transitioned = 0; 
1071 : if (IMUChannel[l] == 1) { 
1072 : process-transition (&IMUChannel [1] , &IMUChannel [0] , 
&IMUChannel~time~transitioned,&IMUChannel~time~entered~l, 
&IMUChannel-time-exited-1,&IMUChannel-never-exited-l); 
1073: I 
1074 : else if(IMUChannel[l] == 2 )  { 
1075: process-transition (&IMUChannel [1] , &IMUChannel [0] , 
&IMUChannel~time~transitioned,&IMUChannel~time~entered~l, 
&IMUChannel-time-exited-2,&IMUChannel-never-exited-2); 
1076: 1 
1077: else if (IMUChannel [1] == 3) { 
1078: process-transition ( &  IMUChannel [1] , &IMUChannel [O] , 
&IMUChannel-timetransitioned,&IMUChannel-time-entered-l, 
&IMUChannel-time-exited-3,&IMUChannel-never-exited-3); 
1079: 1 
1080: else if ( IMUChannel [ 1 ] == 4 ) { 
1081 : process-transition (&IMUChannel [1] , &IMUChannel [0] , 
&IMUChannel~time~transitioned,&IMUChannel~time~entered~l, 
&IMUChannel-time-exited-4,&IMUChannel-never-exited-4); 
1082: 1 
1083: else if(IMUChannel[l] == 228) { 
1084 : process-transition (&IMUChannel [1] , CIMUChannel [0] , 
&IMUChannel~time~transitioned,&IMUChannel~time~entered~l,&elapsed,&dumy); 
1085: I 
1086: 1 
1087: else if ( ( (system-start ! = 
1)&&IMUAttitudeRateAObsoletePassed[O]&&IMUAttitudeRateALimitPassed[O]&&IMUAttitudeRa~ 
{ 
1088: IMUChannel[O] = 2; 
1089: IMUChannel-never-entered-2 = 0; 
1090: IMUChannel-never-transitioned = 0; 
1091: if ( IMUChannel [ l] == 1 ) { 
1092: process-transition (&IMUChannel [1] , &IMUChannel [O] , 
&IMUChannel-time-transitioned,&IMUChannel-time-entered-2, 
&IMUChannel-time-exited-1,&IMUChannel-never-exited-l); 
1093: 1 
1094: else if ( IMUChannel [ l] == 2) { 
1095: process-transition (&IMUChannel [1] &IMUChannel [GI, 
&IMUChannel-time-transitioned,&IMUChannel-time-entered-2, 
&IMUChannel-time-exited-2,&IMUChannel-never-exited-2); 
1096: 1 
1097: else if ( IMUChannel [ 1 ) == 3 ) { 
1098: process-transition (&IMUChannel [I.], &IMUChannel [GI, 
&IMUChannel-time-transitioned,&IMUChannel-time-entered-2, 
&IMUChannel-time-exited-3,&IMUChannel-never-exited-3); 
1099: 1 
1100: else if ( IMUChannel [1] == 4) { 
process-transition (&IMUChannel [I ] I SIMUChannel [C] 
&IMUChannel~time~transitionedf&IMUChannel~time~entered~2r 
LIMUChannel-time-exited-4! LIMUChannel-never-exited-4); 
} 
else if(IMUChannel[l] == 2 2 8 )  { 
process-transition (&IMUChannel [1] LIMUChannel [C ] 
&IMUChannel~time~transitionedI&IMUChannel~time~entered~2f&elapsedf&dumy); 
1 
1 
else if ( ( ( (system-start ! = 
l)&&!IMUAttitudeRateALimitPassed[O]&&IMUAttitudeRateBLimitPassed[~~]&&IMUAttitudeRate~ 
I = 
l)&&!IMUAttitudeRateAStaticPassed[C]&&IMUAttitudeRateBLimitPassed[G]&&IMUAttitudeRat~ 
I = 
l)&&!IMUAttitudeRateComparePassed[~.3]&&IMUAttitudeRateBLimitPassed[G]&&IMUAttitudeRat~ 
{ 
IMUChannel[G] = 3; 
IMUChannel-never-entered-3 = 0; 
IMUChannel-never-transitioned = 0; 
if ( IMUChannel [ I. ] == I ) { 
process-transition (&IMUChannel [1] I &IMUChannel [GI 
&IMUChannel~time~tran~itioned~&IMUChannel~time~entered~3~ 
&IMUChannel~time~exited~1f&IMUChannel~never~exited~l); 
1 
else if ( IMUChannel [l] == 2 ) { 
process-transition (&IMUChannel [1] &IMUChannel [GI 
& IMUChannel-t ime-t ransit ioned, & IMUChannel-t ime-entered-3 
&IMUChannel-time-e~ited-2~&IMUChannel-never-exited-2); 
1 
else i f  ( IMUChannel [ 1. ] == 3 )  { 
process-transition (&IMUChannel [1] LIMUChannel [O ] 
&IMUChannel-time-tran~itioned,&IMUChannel-time-entered-3~ 
&IMUChannel-time-exited-3I &IMUChannel-never-exited-3); 
1 
else if ( IMUChannel [1] == 4) { 
process-transition (&IMUChannel [1] &IMUChannel [O] 
&IMUChannel-time-tran~itioned,&IMUChannel-time-entered-3~ 
&IMUChannel-time-e~ited-4~&IMUChannel-never-exited-4); 
1 
else if ( IMUChannel [I] == 228) { 
process-transition (&IMUChannel [ l . ]  &IMUChannel [(J ] 
&IMUChannel~time~transitionedf&IMUChannel~time~entered~3f&elapsedf&dumy); 
1 
} 
else if((((system-start ! =  
l)&&IMUAttitudeRateAObsoletePassed[O]&&IMUAttitudeRateBObsoletePassed[0]&&!IMUAttitu~ 
I = 
l)&&IMUAttitudeRateAObsoletePassed[Ol&&IMUAttitudeRateBObsoletePassed[O]&&!IMUAttitu~ 
I = 
l)&&IMUAttitudeRateAObsoletePassed[Ol&&IMUAttitudeRateBObsoletePassed[~]&&!IMUAttitu~ 
I = 
l)&&IMUAttitudeRateAObsoletePassed[Ol&&IMUAttitudeRateBObsoletePassed[O]&&!IMUAttitu~ 
I = 
l)&&IMUAttitudeRateAObsoletePassed[Ol&&IMUAttitudeRateBObsoletePassed[G]&&!IMUAttitu~ 
I = 
l)&&IMUAttitudeRateAObsoletePassed[Ol&&IMUAttitudeRateBObsoletePassed[~3]&&!IMUAttitu~ 
{ 
1128: IMUChannel [ 0] = 4 ; 
1129: IMUChannel-never-entered-4 = 0; 
1130: IMUChannel-never-transitioned = 0; 
1131: if (IMUChannel [1] == 1) { 
1132: process-t ransit ion (&IMUChannel [l] , &IMUChannel [O] , 
&IMUChannel-time-transitioned,&IMUChannel-time-entered-4, 
&IMUChannel-time-exited-1,&IMUChannel-never-exited-l); 
1133: 1 
1134: else if ( IMUChannel [l. ] == 2) { 
1135: process-t ransit ion (&IMUChannel [l.] , &IMUChannel [ G I ,  
&IMUChannel-time-transitioned,&IMUChannel-time-entered-4, 
&IMUChannel-time-exited-2,&IMUChannel-never-exited-2); 
1136: 1 
1137: else if(IMUChannel[l] == 3) { 
1138: process-transition (&IMUChannel [1] , &IMUChannel [GI , 
&IMUChannel-time-transitioned,&IMUChannel-time-entered-4, 
&IMUChannel-time-exited-3,&IMUChannel-never-exited-3); 
1139: 1 
1140: else if (IMUChannel [1] == 4) { 
1141: process-transition (&IMUChannel [ I - ] ,  tIMUChanne1 [O 1, 
&IMUChannel-time-transitioned,&IMUChanneltime-entered-4, 
&IMUChannel~time~exited~4,&IMUChannel~never~exited~4); 
1142: 1 
1143: else if (IMUChannel [1] == 228) { 
1144: process-transition (&IMUChannel [1] , ~IMUChannel [0] , 
&IMUChannel~time~transitioned,&IMUChannel~time~entered~4,&elapsed,&dumy); 
1145: 1 
1146: 1 
1147: else if (IMUChannel [1] == 228) { 
1148: IMUChannel[O] = 228; 
1149: evaluated = 0; 
1150: } 
1151: else { 
1152: IMUChannel [0] = IMUChannel [1] ; 
1153: evaluated = 0; 
1154 : 1 
1155: record ("landsa.t.7azs. csvl', llS.tate" , IMU Chanr le l" ,  (double) IMUChannel [0] , 
evaluated) ; 
1156: 
1157: 
1158: / *  State Element : I M U  Health */ 
1159: evaluated = 1.; 
1160: if ( ( (system-start == 1) I I (IMUChannel[O] == 1) ) ) { 
1161: IMUHealth[O] = I; 
1162: IMUHealth-never-entered-1 = 0; 
1163: IMUHealth-never-transit ioned = 0; 
1164: if(IMUHealth[l] == 1) { 
1165: process~transition(&IMUHealth[l],&IMUHealth[O], 
&IMUHealth-time-transitioned,&IMUHealth-time-entered-l, 
&IMUHealth-time-exited-1,&IMUHealthHnever-exiteddl); 
1166: 1 
1167: else if (IMUHealth [l] == 2) { 
1168: process-transition (&IMUHealth[l.] ,&IMUHealth[O], 
&IMUHealth~time~transitioned,&IMUHealth~time~entered~l, 
&IMUHealth-time-exited-2,&IMUHealthHnever-exitedd2); 
1169: 1 
1170: else if(IMUHealth[l] == 3) { 
1171: process-transition (LIMUHealth [I], &IMUHealth [GI 
&IMUHealth-time-transitionedf&IMUHea1thhtimeeentereddlf 
&IMUHealth-time-exited-3,&IMUHea1thhnever-exited-3); 
1172: 1 
1173: else if(IMUHealth[l] == 228) { 
1174: process-transition (&IMUHealth [1] LIMUHealth [O] , 
&IMUHealth~time~transitionedf&IMUHea1thhtime~entered~lf&elapsedf&dummy); 
1175: 1 
1176: 1 
1177: else if((((system-start !=  I)&&(IMUChannel[O] == 2 )  & &  (IMUChannel [O] 
! =  3) ) 1 1 ( (system-start !=  I) & &  (IMUChannel [O] ! =  2) & &  (IMUChannel [O] == 3) ) ) ) { 
1178: IMUHealth[O] = 2; 
1179: IMUHealth-never-entered-2 = 0; 
1180: IMUHealth-never-transitioned = 0; 
1181: if (IMUHealth[l] == 1) { 
1182: process-transition ( &  IMUHealth [1] LIMUHealth [0] 
&IMUHealth-time-tran~itioned~&IMUHealth-time-entered-2~ 
&IMUHealth-time-exited-1,&IMUHealth~never-exited-l); 
1183: 1 
1184: else if (IMUHealth[l] == 2) { 
1185: process-transition (&IMUHealth [I], &IMUHealth[O], 
&IMUHealth-time-tran~itioned~&IMUHealth~time~entered~2~ 
&IMUHealth-time-exited-2,&IMUHea1thhnever-exited-2); 
1186: } 
1187: else if(IMUHealth[l] == 3) { 
1188: process-transition (&IMUHealth [1] &IMUHealth[O] 
&IMUHealth-time-transitionedf&IMUHealth-time-entered-2, 
&IMUHealth-time-e~ited-3~&IMUHealth~never-exited-3); 
1189: 1 
1190: else if(IMUHealth[l] == 228) { 
1191: process-transition (&IMUHealth [ 1 1, &IMUHealth [O] , 
&IMUHealth~time~transitionedf&IMUHea1th~time~enteredd2f&elapsed,&dummy); 
1192: 1 
1193: I 
1194: else if ( ( (system-start !=  1) & &  (IMUChannel [a] == 4) ) ) { 
1195: IMUHealth[O] = 3; 
1196: IMUHealth-never-entered-3 = 0; 
1197: IMUHealth-never-transitioned = 0; 
1198: if (IMUHealth[l] == 1) { 
1199: process-transition (&IMUHealth [I.] LIMUHealth [O] , 
&IMUHealth-time-tran~itioned,&IMUHealth-time-entered-3~ 
&IMUHealth-time-exited-1,&IMUHea1th~never-exited-l); 
1200: } 
1201: else if (IMUHealth[l] == 2) { 
1202: process-transition (&IMUHealth [l] LIMUHealth [0] 
&IMUHealth-time-transitioned,&IMUHealth-time-entered-3, 
&IMUHealth-time-e~ited-2~&IMUHealth~never-exited-2); 
1203: 1 
1204: else if(IMUHealth[l] == 3) { 
1205: process-transition (&IMUHealth [I] LIMUHealth [ g ]  
&IMUHealth-time-transitioned,&IMUHealth-time-entered-3, 
&IMUHealth-time-e~ited-3~&IMUHealth~never-exited-3); 
1206: 1 
1207: else if(IMUHealth[l] == 2223 { 
1208: process-transition (&IMUHealth [I 1, LIMUHealth [O] 
&IMUHealth~time~transitionedf&IMUHea1thhtimeeentered~3,&elapsedf&dummy); 
1209: 1 
1210: 1 
1211: else if (IMUHealth[l] == 228) { 
1212 : IMUHealth[O] = 228; 
1213: evaluated = 0; 
1214 : 1 
1215: else { 
1216: IMUHealth [O] = IMUHealth [1] ; 
1217: evaluated = 0; 
1218: 1 
1219: record ("I.andsat'7acs. csv", "State", "IKU Heal-th", (double) IMUHealth [0] , 
evaluated) ; 
1220: 
1221 : 
1222 : / *  State Element : CSS Health */ 
1223: evaluated = 1; 
1224 : if ( ( (system-start == 
1) I I (never-received (OctaviaCSSAtt i t u d e D i f f e r e n c e o b s o l e t e ,  1 ) ) 1 { 
1225: CSSHealth[O] = 1; 
1226: CSSHealth-never-entered-1 = 0; 
1227 : CSSHealth-never-transitioned = 0; 
1228: if (CSSHealth[l] == 1) { 
1229: process-transition (&CSSHealth [1] , &CSSHealth [O] 
&CSSHealth~time~transitionedl&CSSHealth~time~entered~ll 
&CSSHealth-time-exited-1,&CSSHealthSnever-exiteddl); 
1230: 1 
1231: else if (CSSHealth[l] == 2) { 
1232: process-transition (GCSSHealth [1] , &CSSHealth [0] , 
&CSSHealth-time-transitionedI&CSSHealth-time-entered-ll 
&CSSHealth-t ime-e~ited-2~&CSSHealth_neverexi ted-2);  
1233: } 
1234 : else if (CSSHealth [I] == 3) { 
1235: process-transition (&CSSHealth [1] , &CSSHealth [0] , 
&CSSHealth-time-transitionedI&CSSHealth-time-entered-l, 
&CSSHealth-time-exited-3,&CSSHealth_neverexited-3); 
1236: 1 
1237: else if (CSSHealth [1] == 228) { 
1238: process-transition (&CSSHealth [1] , ~CSSHealth [0] , 
&CSSHea1th~timetransitioned,&CSSHea1th~time~entered~1,&e1ap~ed,&dummy); 
1239: 1 
1240: } 
1241: else if(((system-start != l)&&CSSAttitudeComparePassed[O])) { 
1242: CSSHealth[O] = 2; 
1243: CSSHealth-never-entered-2 = 0; 
1244: CSSHealth-never-transitioned = 0; 
1245: if(CSSHealth[l] == 1) { 
1246: process-transition (&CSSHealth [1] , ~CSSHealth [0] , 
&CSSHealth-time-tran~itioned~&CSSHealth-time-entered-2~ 
&CSSHealth-time-exited-lI&CSSHealth_never-exited-l); 
1247: 1 
1248: else if (CSSHealth[l] == 2) { 
1249: process-transition (&CSSHealth[l] , &CSSHealth [0] , 
&CSSHealth-time-tran~itioned,&CSSHealth-time-entered-2~ 
&CSSHealth-time-exited-2,&CSSHealth-never-exited-2); 
1250: 1 
1251: else if (CSSHealth[l] == 3) { 
1252 : process-transition (&CSSHealth [1] I ~CSSHealth [O] , 
&CSSHealth-time-tran~itioned,&CSSHealth-time-entered-2~ 
&CSSHealth-time-e~ited-3~&CSSHealth~never-exited~3); 
1253: 1 
1254: else if (CSSHealth[l] == 228) { 
1255: process-transition (&CSSHealth [l] , LCSSHealth [O ] 
&CSSHealth~time~transitionedr&CSSHea1th~time~entered~2r&elapsedl&dummy); 
1256: 1 
1257: 1 
1258: else if(((system-start != l)&&!CSSAttitudeComparePassed[0l)) { 
1259: CSSHealth[3] = 3; 
1260: CSSHealth-never-entered-3 = 0; 
1261: CSSHealth-never-transitioned = 0; 
1262: if (CSSHealth[l] == 1) { 
1263: process-transition (&CSSHealth [1] &CSSHealth [ G  ] 
&CSSHealth-time-transiti0ned,&CSSHealth-time-entered-3~ 
&CSSHealth-time-exited-lr&CSSHea1thhnever-exiteddl); 
1264: I 
1265: else if (CSSHealth[l] == 2) { 
1266: process-transition (&CSSHealth [i] , LCSSHealth [ G  ] 
&CSSHealth-time-transitionedr&CSSHea1thhtimeeenteredd3, 
&CSSHealth-time-e~ited-2~&CSSHealth~never-e~ited~2); 
1267: 1 
1268: else if (CSSHealth[l] == 3) { 
1269: process-transition (&CSSHealth [1] , LCSSHealth [O] , 
&CSSHealth-time-transitionedf&CSSHealth-time-entered-3, 
&CSSHealth-time-exited-3,&CSSHea1thhnever-exited-3); 
1270: 1 
1271: else if (CSSHealth[l] == 228) { 
1272: process-transition (&CSSHealth [1] I LCSSHealth [ G  ] , 
&CSSHealth~time~transitionedf&CSSHealth~time~entered~3r&elapsedf&dummy); 
1273: 1 
1274: 1 
1275: else if(CSSHealth[l] == 228) { 
1276: CSSHealth[O] = 228; 
1277: evaluated = 0; 
1278: 1 
1279: else { 
1280: CSSHealth [O] = CSSHealth [1] ; 
1281: evaluated = 0; 
1282: 1 
1283: record ("lafi.js;_;;t;'-id.~:j. c-vl! "State" " ~ S S  lie- d 1. ; t1:", 1 (double) CSSHealth [g] , 
evaluated) ; 
1284: 
1285: 
1286: ,/* State Element : RWA Health */ 
1287: evaluated = 1; 
1288: if ( ( (system-start == 
1) 1 I !RWASpeedObsoletePassed[O] I I !RWATemperatureObsoletePassed[0l)) ( 
1289: RWAHealth[O] = 1; 
1290: RWAHealth-never-entered-1 = 0; 
1291: RWAHealth-never-transitioned = 0; 
1292: if(RWAHealth[l] == 1) { 
1293: process-transition (&RWAHealth [I] LRWAHealth [C] , 
&RWAHealth-time-transitionedr&RWAHea1thhtimeeentereddlf 
&RWAHealth-time-exited-lr&RWAHea1thhnever-exited-l); 
1294: 1 
1295: else if (RWAHealth[l] == 2) { 
1296: process-transition (&RWAHealth [I], &RWAHealth [ill, 
&RWAHealth-time-transitionedf&RWAHea1thhtimeeentereddlr 
&RWAHealth-time-exited-2, &RWAHealth-never-exited-2); 
else if (RWAHealth[l] == 3) { 
process-transition (&RWAHealth [l] LRWAHealth [O] , 
&RWAHealth-time-transitionedf&RWAHealth-time-entered-lf 
&RWAHealth-time-exited-3f LRWAHealth-never-exited-3); 
else if (RWAHealth [1] == 228) { 
process-transition (&RWAHealth [I] LRWAHealth [GI 
&RWAHealth~time~transitioned,&RWAHealth~time~entered~l,&elapsed,&dummy); 
1 
1 
else if ( ( (system-start != 
l)&&RWASpeedObsoletePassed[O]&&RWATemperatureObsoletePassed[~~]&&RWASpeedLimitPassed[ 
RWAHealth[O] = 2; 
RWAHealth-never-entered-2 = 0; 
RWAHealth-never-transitioned = 0; 
if (RWAHealth[l] == 1) { 
process-transition (&RWAHealth [I] , LRWAHealth [O] 
&RWAHealth-time-transitionedf&RWAHealth-time-entered-2, 
&RWAHealth-time-exited-1,&RWAHealthanever-exiteddl); 
I 
else if (RWAHealth[l] == 2) { 
process-transition (&RWAHealth [l] , &RWAHealth [C)] 
&RWAHealth-time-tran~itioned,&RWAHealth-time-entered-2~ 
&RWAHealth-time-exited-2,&RWAHealthAnever-exitedd2); 
1 
else if (RWAHealth [1] == 3) { 
process-transition (&RWAHealth [ 1.1 , &RWAHealth [O] 
&RWAHealth-time-tran~itioned~&RWAHealth-time-entered-2~ 
&RWAHealth-time-exited-3,&RWAHealthanever-exitedd3); 
1 
else if (RWAHealth[l] == 228) { 
process-transition (&RWAHealth [1] , &RWAHealth [C] 
&RWAHealth~time~transitioned,&RWAHealth~time~entered~2f&elapsed,&dummy); 
1 
I 
else if ( ( ( (system-start != 
l)&&RWASpeedObsoletePassed[O]&&RWATemperatureObsoletePassed[O]&&!RWASpeedLimitPassed 
I = 
I)&&RWASpeedObsoletePassed[O]&&RWATemperatureObsoletePassed[G]&&!RWATemperatureLimit~ 
t 
RWAHealth[O] = 3; 
RWAHealth-never-entered-3 = 0; 
RWAHealth-never-transitioned = 0; 
if (RWAHealth[l] == 1) { 
process-transition (&RWAHealth [I] &RWAHealth [GI, 
&RWAHealth-time-tran~itioned~&RWAHealth-time-entered-3~ 
&RWAHealth-time-exited-lf&RWAHea1thhnever-exited-l); 
1 
else if(RWAHealth[l] == 2) { 
process-transition (&RWAHealth [ 1 ] LRWAHealth [GI, 
&RWAHealth-time-tran~itioned~&RWAHealth-time-entered-3~ 
& R W A H e a l t h - t i m e - e ~ i t e d - 2 ~ & R W A H e a l t h _ n e v e r - e x i t e d - 2 ) ;  
1 
else if(RWAHealth[l] == 3) { 
process-transition (LRWAHealth [I], &RWAHealth [{I], 
&RWAHealth-time-tran~itioned~&RWAHealth-time-entered-3~ 
&RWAHealth-time-e~ited-3~ LRWAHealth-never-exited-3); 
} 
else if (RWAHealth[l] == 228) { 
process-transition (&RWAHealth [i] , LRWAHealth [O] , 
&RWAHea1th~time~transitioned,&RWAHea1th~time~entered~3,&e1apsed,&dummy); 
1 
1 
else if (RWAHealth [1] == 228) { 
RWAHealth[O] = 228; 
evaluated = 0; 
1 
else { 
RWAHealth[O] = RWAHealth[l]; 
evaluated = 0; 
1 
record ("l?,r!.::Isat7ac:s. irsv", "State:", "RWA HeaItI.:", (double) RWAHealth [3] , 
evaluated) ; 
/'* S t a t e  E.Lernent : MTR Channe.1 */ 
evaluated = I-; 
if ( ( (system-start == 
1) 1 1 ( !MTRACurrentObsoletePassed [O] & &  !MTRBCurrentObsoletePassed[] ) ) ) { 
MTRChannel [O] = I; 
MTRChannel-never-entered-1 = 0; 
MTRChannel-never-transitioned = 0; 
if (MTRChannel [1] == 1) { 
process-transition (&MTRChannel [1 ] , LMTRChannel [0] , 
&MTRChannel~time~transitioned,&MTRChannel~time~entered~l, 
&MTRChannel-time-exited-l,&MTRChannel-never-exited-l); 
1 
else if (MTRChannel [I] == 2 ) { 
process-transition (&MTRChannel [l] , LMTRChannel [O] , 
&MTRChannel~time~transitioned,&MTRChannel~time~entered~l, 
&MTRChannel-time-exited-2,&MTRChannel-never-exited-2); 
1 
else if (MTRChannel [1] == 3) { 
process-transition (&MTRChannel [l] I &MTRChannel [0] , 
&MTRChannel-time-transitionedI&MTRChannel-time-entered-lf 
&MTRChannel-time-e~ited-3~&MTRChannel-never-exited-3); 
1 
else if (MTRChannel [ l] == 4) { 
process-t ransit ion (&MTRChannel [ 1 ] , &MTRChannel [0] , 
&MTRChannel-time-transitionedf&MTRChannel-time-entered-lf 
&MTRChannel-time-exited-4,&MTRChannel_never-exited-4)> 
1 
else if (MTRChannel [1] == 228 ) { 
process-transition ( LMTRChannel [l ] , LMTRChannel [O] , 
&MTRChannel~time~transitionedI&MTRChannel~time~entered~lf&elapsed,&dummy); 
1 
} 
else if (((system-start !=  
1 ) &&MTRACurrentLimitPassed [0] &&MTRACurrentObsoletePassed [ I  ) ) { 
MTRChannel [O] = 2; 
MTRChannel-never-entered-2 = 0; 
MTRChannel-never-transitioned = 0; 
if (MTRChannel [ l ] == 1 ) { 
process-transition (&MTRChannel [1] , LMTRChannel [O ] , 
&MTRChannel-time-transitioned,&MTRChannel-time-entered-2, 
&MTRChannel-time-exited-l,&MTRChannel~never-exited-l); 
1378: 1 
1379: else if (MTRChannel [1] == 2 )  { 
1380: process~transition(&MTRChannel[l]f&MTRChannel[~l]f 
&MTRChannel-time-transiti0ned~&MTRChannel-time-entered-2~ 
&MTRChannel-time-exited-Zf LMTRChannel-never-exited-2); 
1381: 1 
1382: else if (MTRChannel [ 1 ]  == 3) { 
1383: process-transition (&MTRChannel [ 11 &MTRChannel [(?I 
&MTRChannel-time-tran~itioned~&MTRChanneltime-entered-2~ 
&MTRChannel-time-e~ited-3~&MTRChannel-never-exited-3); 
1384: 1 
1385: else if (MTRChannel [ l] == 4 ) { 
1386: process-transition (&MTRChannel [1] &MTRChannel [O] 
&MTRChannel-time-tran~itioned~&MTRChannel-time-entered-2~ 
&MTRChannel-time-e~ited-4~&MTRChannel-never-exited-4); 
1387: 1 
1388: else if (MTRChannel [1] == 228) { 
1389: process-transition (&MTRChannel [1] LMTRChannel [O] , 
&MTRChannel~time~transitionedf&MTRChanneltime~entered~2f&elapsed,&dummy); 
1390: 1 
1391: 1 
1392: else if ( ( (system-start ! =  
l)&&!MTRACurrentLimitPassed[Ol&&MTRBCurrentObsoletePassed[O]&&MTRBCurrentLimitPassed 
I 
1393: MTRChannel[O] = 3 ;  
1394: MTRChannel-never-entered-3 = 0; 
1395: MTRChannel-never-transitioned = 0; 
1396: if (MTRChannel [ 1 ] == I ) { 
1397: process-transition (&MTRChannel [I ] LMTRChannel [GI , 
&MTRChannel-time-tran~itioned~&MTRChannel-time-entered-3~ 
&MTRChannel-time-exited-lf&MTRChannel-never-exited-l); 
1398: 1 
1399: else if (MTRChannel [l ] == 2 ) { 
1400: process-transit ion (&MTRChannel [1] LMTRChannel [O] , 
&MTRChannel-time-tran~itioned~&MTRChannel-time-entered-3~ 
&MTRChannel-time-e~ited-2~&MTRChannel-never-exited-2); 
1401: 1 
1402: else if (MTRChannel [l] == 3) { 
1403: process-transit ion (&MTRChannel [1] &MTRChannel [O] 
&MTRChannel-time-transiti0ned~&MTRChannel-time-entered-3~ 
&MTRChannel-time-e~ited-3~&MTRChannel-never-exited-3); 
1404: 1 
1405: else if (MTRChannel [l ] == 4) { 
1406: process-transit ion (&MTRChannel [l] LMTRChannel [O] 
&MTRChannel-time-transitionedf&MTRChannel-time-entered-3, 
&MTRChannel-time-e~ited-4~&MTRChannel-never-exited-4); 
1407: 1 
1408: else if (MTRChannel [i] == 228) { 
1409: process-transition (&MTRChannel [1] LMTRChannel [C] 
&MTRChannel~time~transitionedf&MTRChannel~time~entered~3,&elapsedf&dummy); 
1410: 1 
1411: } 
1412: else if ( ( (system-start ! =  
l)&&MTRACurrentObsoletePassed[~~]&&MTRBCurrentObsoletePassed[O]&&!MTRACurrentLimitPas 
MTRChannel [ 9 ] = 4; 
MTRChannel-never-entered-4 = C:; 
1415: MTRChannel-never-transitioned = 0; 
1416: if (MTRChannel [ l] == 1 ) { 
1417: process-transition (&MTRChannel [1] , &MTRChannel [GI, 
&MTRChannel-time-transitioned,&MTRChannel-time-entered-4, 
&MTRChannel-time-exited-l,&MTRChannel-never-exited-l); 
1418: 1 
1419: else if (MTRChannel [1] == 2) { 
1420: process-transition (&MTRChannel [I.], &MTRChannel [0] , 
&MTRChannel-time-transitioned,&MTRChannel-time-entered-4, 
&MTRChannel-time,exited-2,&MTRChannel-never-exited-2); 
1421: 1 
1422 : else if (MTRChannel [1] == 3) { 
1423: process-t ransit ion (&MTRChannel [l ] , &MTRChannel [GI, 
&MTRChannel-time-transitioned,&MTRChannel-time-entered-4, 
&MTRChannel-time-exited-3,&MTRChannel-never-exited-3); 
1424: 1 
1425 : else if (MTRChannel [1] == 4 ) { 
1426: process-transition (&MTRChannel [1] , ~MTRChannel [GI, 
&MTRChannel-time-transitioned,&MTRChannel-time-entered-4, 
&MTRChannel-time-exited-4,&MTRChannel-never-exited-4); 
1427 : 1 
1428: else if (MTRChannel [1] == 228) { 
1429: process-transition (&MTRChannel [l] I &MTRChannel [0] 
&MTRChannel-time-transitioned,&MTRChannel-time-entered-4,&elapsed,&dumy); 
1430: I 
1431: 1 
1432: else if (MTRChannel [I ] == 228) { 
1433: MTRChannel [O] = 228; 
1434: evaluated = 0; 
1435: 1 
1436: else { 
1437: MTRChannel [0] = MTRChannel [1] ; 
1438: evaluated = 0; 
1439: 1 
1440: record ("landsclt7acs. csvl', "State", "MTR C:hannell', (doub1e)MTRChannel [Ol , 
evaluated) ; 
1441: 
1442 : 
1443: / *  S t a t e  E lemen t  : MTR H e a l t h  */ 
1444: evaluated = I; 
1445: if (((system-start == 1) ( I (MTRChannel[O] == I ) ) )  { 
1446: MTRHealth[O] = 1; 
1447: MTRHealth-never-entered-1 = 0; 
1448: MTRHealth-never-transitioned = 0; 
1449: if (MTRHealth[l] == 1) { 
1450: process-transit ion (&MTRHealth [ l] , ~MTRHealth [0] , 
&MTRHealth-time-transitioned,&MTRHealth-time-entered-l, 
&MTRHealth-time-exited-1,&MTRHea1thhnever-exiteddl); 
1451: 1 
1452: else if (MTRHealth [l] == 2) { 
1453: process-transition (&MTRHealth [ I.], &MTRHealth [0] , 
&MTRHealth-time-transitioned,&MTRHealth-time-entered-l, 
&MTRHealth-time-exited-2,&MTRHealthanever-exitedd2); 
1454: 1 
1455: else if (MTRHealth [I] == 3) { 
1456: process-transition (&MTRHealth [I], &MTRHealth [GI, 
&MTRHealth-time-transitioned,&MTRHealth-time-entered-l, 
&MTRHealth-time-exited-3,&MTRHea1thhnever-exitedd3); 
1457: 1 
1458: else if (MTRHealth[l] == 228) { 
1459: process-transition (&MTRHealth [I], &MTRHealth [O] , 
&MTRHealth~time~transitioned,&MTRHealth~time~entered~l,&elapsed,&dummy); 
1460: 1 
1461: 1 
1462: else if ( ( ( (system-start ! = 1) & &  (MTRChannel [O] == 2) & &  (MTRChannel [O] 
! =  3)) 1 1  ((system-start !=  ?)&&(MTRChannel[O] != 2)&&(MTRChannel[O] == 3)))) { 
1463: MTRHealth[O] = 2; 
1464: MTRHealth-never-entered-2 = 0; 
1465: MTRHealth-never-transitioned = 0; 
1466: if(MTRHealth[l] == 1) { 
1467: process-transition (&MTRHealth [1] , &MTRHealth [O] , 
&MTRHealth-time-transitioned,&MTRHealthdtime-entered-2, 
&MTRHealth-time-exited-1,&MTRHealthanever-exiteddl); 
1468: 1 
1469: else if (MTRHealth [1] == 2) { 
1470: process-transition (&MTRHealth [1] I LMTRHealth [g] , 
&MTRHealth-time-transitioned,&MTRHealth-time-entered-2, 
&MTRHealth-time-exited-2,&MTRHealthanever-exitedd2); 
1471: 1 
1472: else if (MTRHealth [1] == 3) { 
1473: process-transition (&MTRHealth [1] , &MTRHealth [O] , 
&MTRHealth-time-transitionedf&MTRHealth-time-entered-2, 
&MTRHealth-time-exited-3,&MTRHealthRnever-exitedd3); 
1474: 1 
1475: else if (MTRHealth[l] == 228) { 
1476: process-transition (&MTRHealth [1] &MTRHealth [O 1 ,  
&MTRHealth~time~transitioned,&MTRHealthdtime~entered~~f&elapsed,&dummy); 
1477: 1 
1478: 1 
1479: else if ( ( (system-start != I) & &  (MTRChannel [O] == 4) ) ) { 
1480: MTRHealth[O] = 3; 
1481: MTRHealth-never-entered-3 = 0; 
1482: MTRHealth-never-transitioned = 0; 
1483: if (MTRHealthEl] == 1) { 
1484: process-transition (&MTRHealth [1] I &MTRHealth [O] , 
&MTRHealth-time-transitioned,&MTRHealth-time-entered-3, 
&MTRHealth-time-exited-lI&MTRHealthanever-exiteddl); 
1485: 1 
1486: else if (MTRHealth[L] == 2) { 
1487: process-transition (&MTRHealth [I.] ,LMTRHealth [GI, 
&MTRHealth-time-transitioned,&MTRHealthdtime-entered-3, 
&MTRHealth-timeexited-2,&MTRHealth-never-e~ited_2); 
1488: 1 
1489: else if (MTRHealth [1] == 3) { 
1490: process-transition (&MTRHealth [1] , &MTRHealth [0] , 
&MTRHealth-time_transitioned,&MTRHealth-time-entered-3, 
&MTRHealth-time-exited-3,&MTRHealthanever-exitedd3); 
1491: 
1492: else if (MTRHealth [ 1 ] == 228) { 
1493: process-transition (&MTRHealth [I. 1 ,  &MTRHealth [GI, 
&MTRHealth~time~transitioned,&MTRHealth~time~entered~3,&elapsed,&dummy); 
1494: 1 
1495: 1 
1496: else if (MTRHealth[l] == 22%) { 
1497: MTRHealth [ ; > I  = 228; 
1498: evaluated = 0; 
1499: 1 
1500: else { 
1501: MTRHealth[O] = MTRHealth[l] ; 
1502 : evaluated = 0; 
1503: I 
1504: record ("la:ldsat7acs. csvn ,  "Stat.eV, "MTK Healthi', (doub1e)MTRHealth [O] , 
evaluated) ; 
1505: 
1506: 
1507: / *  Mode Element : ACS Mode */ 
1508: evaluated = 1; 
1509: if ( ( (system-start == 1) 1 1 ( (system-start !=  1) & &  (IMUHealth[O] != 
3) & &  (CSSHealth[C] !=  3) & &  (RWAHealth[O] !=  3) ) ) ) { 
1510: ACSMode[O] = 1; 
1511: if (ACSMode [I] == i) { 
1512: process-transition (&ACSMode [1] , &ACSMode [C] , 
&ACSMode~time~transitioned,&ACSMode~timeeentered~1,&ACSModeetimeeexited~l, 
&ACSMode-never-exited-1); 
1513: 1 
1514: else if (ACSMode [ 1 ] == 2 ) { 
1515: process-transition (&ACSMode [I] , &ACSMode [C] , 
&ACSMode~time~transitionedI&ACSM~de~time~enteredd1I&ACSM~de~time~e~itedd2, 
&ACSMode-never-exited-2); 
1516: 1 
1517: else if ( ACSMode [ 1 ] == 3) { 
1518: process-transition (&ACSMode [I], &AC,SMode [GI, 
&ACSMode~time~transitioned,&ACSMode~time~enteredd1,&ACSModeetimeeexited~3, 
&ACSMode-never-exited-3); 
1519: 1 
1520: else if (ACSMode [ l] == 228) { 
1521 : process-transition (&ACSMode [1] , CACSMode [0] , 
&ACSMode~time~transitioned,&ACSMode~timeeenteredd1,&e1apsed,&dummy); 
1522: 1 
1523: 1 
1524: else if ( ( ( (system-start != 1) & &  (IMUHealth[O] == 3) & &  (CSSHealth[G] != 
3) & &  (RWAHealth[O] == 3) & &  (MTRHealth[O] != 3) ) 1 1 ( (system-start != 
1) & &  (IMUHealth [0] == 3) & &  (CSSHealth[O] != 3) & &  (RWAHealth [0] !=  
3) & &  (MTRHealth [ O ]  == 3) ) 1 1 ( (system-start != 1) & &  (IMUHealth [0] != 
3) & &  (CSSHealth[O] == 3) & &  (RWAHealth[O] == 3 )  & &  (MTRHealth[O] != 
3) ) 1 1 ( (system-start != .I) & &  (IMUHealth [0] != 3) & &  (CSSHealth [0] == 
3) & &  (RWAHealth[O] != 3) & &  (MTRHealth[O] == 3) ) ) ) { 
1525: ACSMode [O] = 2; 
1526: if (ACSMode [I] == 1) { 
1527 : process-transition (&ACSMode [1] , &ACSMode [GI , 
&ACSMode~time~transitioned,&ACSMode~time~entered~2,&ACSMode~time~exited~l, 
&ACSMode-never-exited-1); 
1528: 1 
1529: else if (ACSMode [1] == 2) { 
1530: process-transition (&ACSMode [I], &ACSMode [el, 
&ACSMode~time~transitioned,&ACSModeetime~entered~2,&ACSMode~time~exited~2, 
&ACSMode-never-exited-2); 
1531 : 1 
1532 : else if (ACSMode [1] == 3) { 
1533: process-transition (&ACSMode [I], &ACSMode [O] , 
&ACSMode~time~transitioned,&ACSMode~time~enteredd2,&ACSMode~time~exited~3, 
CACSMode-never-exited-3); 
1534: 1 
1535: else if (ACSMode [ 1 ] == 228) { 
1536: process-transition (&ACSMode [I] , &ACSMode [GI , 
&ACSMode~time~transitionedf&ACSMode~time~entered~2,&elapsedf&dummy); 
1537: 1 
1538: 1 
1539: else if ( ( ( (system-start ! =  1) & &  (IMUHealth [O] == 3) & &  (CSSHealth [O] == 
3 )  ) 1 l ( (system-start ! =  1) & &  (RWAHealth[O] == 3) & &  (MTRHealth[O] == 3) ) ) ) { 
1540: ACSMode [0] = 3; 
1541: if (ACSMode[3] == 1) { 
1542: process-transition (&ACSMode [I], &ACSMode [O] , 
&ACSMode~time~transitioned,&ACSMode~time~entered~3,&ACSMode~time~exited~lf 
&ACSMode-never-exited-1); 
1543: } 
1544: else if (ACSMode [ l] == 2 ) { 
1545: process-transition (&ACSMode [I ] &ACSMode [O] , 
&ACSMode~time~transitioned,&ACSMode_time~entered~3,&ACSMode~time~exited~2, 
&ACSMode-never-exited-2); 
1546: 1 
1547: else if (ACSMode [ 1.1 == 3) { 
1548: process-transition (&ACSMode [I 1 ,  &ACSMode [0] , 
&ACSMode~time~transitioned,&ACSMode~time~entered~3,&ACSMode~time~exited~3, 
&ACSMode-never-exited-3); 
1549: 1 
1550: else if(ACSMode[l] == 228) { 
1551: process-transition (&ACSMode [I] , &ACSMode [GI , 
&ACSMode-time-transitioned,&ACSModeetime-entered-3, &elapsed, &dummy); 
1552: 1 
1553: 1 
1554: else if(ACSMode[l] == 228) { 
1555: ACSMode[3] = 228; 
1556: evaluated = 0; 
1557: 1 
1558: else { 
1559: ACSMode [ O 1 = ACSMode [ 1 ] ; 
1560: evaluated = 3; 
1561: 1 
1562: record ("larldsa?; 7 a c s .  ~sir", ilMcjdeuf "ACS Modev, (double) ACSMode [O] , 
evaluated) ; 
1563: 
1564: 
1565: / *  O u t p u t  E l e m e n t  : IMU A t t i t u d e  R a t e  A Gctavia */ 
1566: if ( ( (IMUAttitudeRateA-obsolete [O] ! =  1) & &  (IMUChannel [O] == 2) ) ) { 
1567: IMUAttitudeRateAOctavia [O] = (double) IMUAttitudeRateA[O] ; 
1568: r e c 0 r d ( ~ ~ l a r l : ~ s a t 7 a : : s . ~ ~ ~ , r ~ ,  '~~;t-~l;t", "I:*TT-T . t t i tEj<: j~  *I -  rat^: CcCavia : 
Attii.:i:?e 3at-e", (double) IMUAttitudeRateA[O], 1) ; 
1569: IMUAttitudeRateAOctavia-never-sent = 0; 
1570: gettimeofday(&IMUAttitudeRateA0ctavia~time~sent,NULL); 
1571: 1 
1572: 
1573: 
1574: /" Output Element : TMU Attitude Rate R Octavia "/' 
1575: if ( ( (IMUAttitudeRateB-obsolete [g] !=  1 . )  & &  (IMUChannel [ a ]  == 3) ) ) { 
1576: IMUAttitudeRateBOctavia [0] = (double) IMUAttitudeRateB [W ; 
1577 : ! ~ ~ ~ ~ ~ i ~ , = ~ ~ . ~ ~ ~ ; : ~  . r ~ x . ~ ~ ~ ,  ~l~>.~~-~>y.-.~~, *l~:~~l .j T*,::. j~ \;<-j:-? p~:.~,,;: :>, ~ k ~ ~ . ~ + T u ~ i - ~  :
;',\: * - : :  : x  :. .. -- 
. ,. .,... ~ : c i : : c ; " ,  (double) IMUAttitudeRateB [G ] , 1) ; 
1578: IMUAttitudeRateBOctavia-never-sent = 0; 
/ *  O u t p u t  E l e m e n t  : RFJA T o r q u e  */ 
if ( ( (RWAHealth [O] == 2) & &  (OctaviaTorque~obsolete [O] ! = 1) ) ) { 
RWATorque [0] = (double) OctaviaTorque [0] ; 
record (If ,landsat'yacs. csv.", "9u t .pu t  11,  "RWA ''orque : ':['orqueff, 
(double) OctaviaTorque [O] ,1) ; 
RWATorque-never-sent = 0; 
gettimeofday(&RWATorque-time-sent,NULL); 
1 
/ *  O u t p u t  E l e m e n t  : MTR A T o r q u e  */ 
if (((RWAHealth[O] == 3)&&(MTRChannel[O] == 
2) & &  (OctaviaTorque~obsolete [O] ! = 1) ) ) { 
MTRATorque [GI = (double) OctaviaTorque [0] ; 
record("I.ar-.ldsa~t"7acs.t:sv", Output", "KTR A 'Torque : Torque", 
(double) OctaviaTorque [0l,1) ;
MTRATorque-never-sent = 0; 
gettimeofday(&MTRATorque-time-sent,NULL); 
1 
/ *  O u t p u t  E l e m e n t  : MTR B T o r q u e  */ 
if (((RWAHealth[O] == 3)&&(MTRChannel[O] == 
3)&&(OctaviaTorque~obsolete[O] != 1))) { 
MTRBTorque [0] = (double) OctaviaTorque [0] ; 
record ("l.an.dsat7acs. csv",  "Output", "MTR R 'I'orq~e : Torque", 
(double) OctaviaTorque [O] ,1) ; 
MTRBTorque-never-sent = 0; 
gettimeofday(&MTRBTorque-time-sent,NULL); 
1 
/ *  I n p u t  I n t e r f a c e  S e c t i o n  */ 
IMUAttitudeRateA-has-new-data = 0; 
/ *  S h i f t  Array */ 
for (i = 5; i >= I-; i--) { 
IMUAttitudeRateA[i] = IMUAttitudeRateA[i-11; 
IMUAttitudeRateA-obsolete[i] = IMUAttitudeRateA-obsolete[i-11; 
1 
IMUAttitudeRateB-has-new-data = 0 ;  
/ *  S h i f t  A r r a y  */ 
for (i = 5; i >= 1; i--) { 
IMUAttitudeRateB[i] = IMUAttitudeRateB[i-11; 
IMUAttitudeRateB-obsolete[i] = IMUAttitudeRateB-obsolete[i-11; 
1 
OctaviaIMUAttitudeRateDifferen~e~has~newdata = 0; 
/ *  S h i f t  A r r a y  */ 
for (i = 5; i >= 1; i--) { 
OctaviaIMUAttitudeRateDifference[i] = 
OctaviaIMUAttitudeRateDifference[i-11; 
OctaviaIMUAttitudeRateDifferenceeobsolete[i] = 
OctaviaIMUAttitudeRateDifferen~e~obsolete[i-I]; 
1 
1629: CSSAttitudeA-has-new-data = 0; 
1630: ,/* S h i f t  2 1 - r a y  *,' 
1631: for (i = 1; i >= 1- i--) I 
1632 : CSSAttitudeA[i] = CSSAttitudeA[i-11; 
1633: CSSAttitudeA-obsolete[i] = CSSAttitudeA-obsolete[i-ll; 
1634: 1 
1635: CSSAttitudeB-has-new-data = 0; 
1636: / *  Sili f't A r r a y  * /  
1637: for (i = 1 ;  i >= ' .  ;, i--) { 
1638: CSSAttitudeB [i] = CSSAttitudeB[i-l] ; 
1639: CSSAttitudeB-obsolete[i] = CSSAttitudeB-obsolete[i-11; 
1640: 1 
1641: OctaviaCSSAttitudeDifferen~e~has~new~data = 0;
1642: / *  S h i f t  -4r;-ay * /  
1643: 0 (i = 1; 1 >= ; - -  { 
1644: OctaviaCSSAttitudeDifference[i] = OctaviaCSSAttitudeDifference[i- 
11 ; 
1645: OctaviaCSSAttitudeDifferenceeobsolete[i] = 
OctaviaCSSAttitudeDifferen~e~obsolete[i-3.1; 
164 6: 1 
1647: CommandedAttitude-has-new-data = 0; 
1648: / *  S h i f t  Array */  
164 9: for ( = 1; i >= ; - -  { 
1650: CommandedAttitude[i] = CommandedAttitude[i-11; 
1651: CommandedAttitude-obsolete[i] = CommandedAttitude-obsolete[i-11; 
1652 : 1 
1653: OctaviaTorque-has-new-data = 0; 
1654: / *  S h i f t  A r r a y  * /  
1655: for (i = I.; i = 1; i -  { 
1656: OctaviaTorque[i] = OctaviaTorque[i-I]; 
1657: OctaviaTorque~obsolete[i] = OctaviaTorque~obsolete[i-ll; 
1658: 1 
1659: RWASpeed-has-new-data = C; 
1660: / *  S h i f t  A r r a y  * /  
1661: for (i = 5; i >= 1; i--) { 
1662: RWASpeed [i] = RWASpeed [i-11 ; 
1663: RWASpeed-obsolete[i] = RWASpeed-obsolete[i-11; 
1664: 1 
1665: RWATemperature-has-new-data = 0; 
1666: / *  S h i f t  Array */ 
1667: for (i = 5; i >= I - i--) { 
1668: RWATemperature [i] = RWATemperature [i-I] ; 
1669: RWATemperature-obsolete[i] = RWATemperature-obsolete[i-11; 
1670: 1 
1671: MTRACurrent-has-new-data = 0; 
1672: / *  S h i f t  A r r a y  *,/ 
1673: for (i = 5; i >= 1; i--) I 
1674: MTRACurrent [i] = MTRACurrent [i-l] ; 
1675: MTRACurrent-obsolete[i] = MTRACurrent-obsoleteEi-11; 
167 6: } 
1677: MTRBCurrent-has-new-data = 0; 
1678: / *  S h i f t  A r r a y  *,/ 
1679: for (i = 5;  1 >= :; i--) { 
1680: MTRBCurrent [i] = MTRBCurrent [i-l] ; 
1681: MTRBCurrent-obsolete[i] = MTRBCurrent-obsolete[i-11; 
1682: } 
1683: 
/ *  S t a t e  V a J i l e  a n d  .Mode V a l u e  I n t e r f a c e  S e c t i o r :  */ 
/ *  S h i f t  A r r a y  */ 
for (i = 1; i >= I; i--) { 
IMUChannel [i] = IMUChannel [i-l] ; 
I 
/ *  S h i f t  A r r a y  */ 
for (i = 1; i >= I; i--) { 
IMUHealth [i] = IMUHealth [i-:I] ;
} 
/ *  S h i f t  A r r a y  */ 
for (i = 1; i >= 1; i - )  { 
CSSHealth[i] = CSSHealth [i-l] ; 
I 
/ *  S h i f t  A r r a y  */ 
for (i = 1; i >= 1; i - )  { 
RWAHealth[i] = RWAHealth [i-1] ; 
1 
/ *  S h i f t  A r r a y  */ 
for (i = 1; i >= 1; i--) { 
MTRChannel[i] = MTRChannel[i-11; 
I 
/ *  S h i f t  A r r a y  */ 
for (i = 1; i >= 1; i--) { 
MTRHealth [i] = MTRHealth [i-l] ; 
I 
/ *  S h i f t  A r r a y  */ 
for (i = 1; i >= I; i--) { 
ACSMode[i] = ACSMode[i-11; 
1 
/ *  Run O c t a v i a  */ 
run-octavia ( )  ; 
/*  T i m i n g  I n t e r f a c e  S e c t i o n  */ 
//while ( t i m e s i n c e  ( & r o u n d - s t a r t )  < 0 . 5 )  { 
/ / I  
/ *  S e t  S y s t e m  S t a r t  t o  F a l s e  */ 
system-start = 0; 
I 
return ( 0 ) ; 
I 
Appendix E - Landsat 7 Simulation Program 

1 : :t j y: (; .: 1.1 <-j (: <. ;,; 11 <j :T) i.,f :; . 17 ;, 
2: f t i , ,~c-: i ,ad< std;..;:.ki:> 
3 : # i r_ (2 l1-..; < :; t ,' LA ' L 3.) ,. . ' ,:' 
t., A .L <..I. 4 : k i n , - !  l:,--'e < s t r i n y .  pi> 
5 : #izicludtr.: <cc:1iic) 
6 : #il . iclude <f loaL . h:, 
7: #incll_lde "lcin<3_s;ii7 - <ics_ziddr Ji'' 
8 : 
9 : 4 '.j ;-; (: !. u rj e " ;,J 3 c . h 
. . 1 0 : 4 i. 7- (-- ; u ri . n u k-.bL,~de.hil p.l,.-. 
11: ~.i::c.~.~ici~:: y's~~y~~~:~:~)r:.j~Lfl 
12: 
. . 13 : #define ;nission,-z~rrc,---adtir 305 
14 : #def int! ppc-:---trias~:r ., , addr 302 
15: #clpzfir-le ppc;--tr.iqq~r,.._w:)r(i 10!:1 
16: 
17: 
18: charTemp[1281; //temporarybuffer 
19: int Port; 
20: int Baud; 
21: float temp-float; 
22: unsigned int output-addr; 
23: unsigned int bl, b2, b3, b4; 
24 : float y-bd; 
25: float y-intg; 
26: float x-bd = 0.0; 
27: float x-intg = 0.0; 
28: float octavia-torque = 0.0; 
29: float ppc-vals [35G] ; 
30: 
31: typedef union { 
32: float f ;  
33 : unsigned u; 
34: } bit-float-t; 
35: 
36- // 
3 7 :  // Converts ~ ~ ~ s i g n e d  integer to binary string 
38: ...................................................... 
39: void int2bin(unsigned int-val, unsigned length, char *binary) { 
40: 
41: int b; 
42: int remain; 
43: unsigned int i; 
44: 
45: for (i=O; i<length; i++) { 
46: binary[i] = '0'; 
47: 1 
48: binary[32] = 0; 
49: 
50: for (b = length-1; b >= 0; b--) { 
51: remain = int-val % 2; 
52 : int-val = int-val / 3; 
53: if (remain == 1) binary [b] = 'It; 
54: 1 
55: binary[32] = 0; 
56: 
57: } 
58: 
59: 
60. // 
------------------------------------- 
61: // Converts Custom Integer to Float 
62. //=--------------------------------------------------- ..................................... 
63 : f l o a t  int2f loat (unsigned int-val) { 
64 : 
65: i n t  exp-int = 0; 
66: f l o a t  exponent = l . 0 ;  
67 : f l o a t  man-f rac = I; 
68 : i n t  sign = 0; 
69: f l o a t  mantissa = 0.0; 
70: f l o a t  leading-one = 1.0; 
71: char fbinary[32]; 
72 : i n t  temp-arg = 1; 
73 : i n t  b; 
74: unsigned i n t  i; 
75: 
76: //printf ("int input is %d\r \nV ,  int-val); 
77: int2bin (int-val, 3 2 ,  f-binary) ; 
78: 
79: //printf ("int2bin binary is % s  \r\nW, f-binary) ; 
80: 
81: i f  (fbinary[O] == '0') sign = 1; 
82 : else sign = -1; 
83 : 
84 : 
85: f o r  (i=l; i<9; i++) { 
86: exp-int = (exp-int << 1 ) ; 
87 : i f  (f-binary[i] == '1') exp-int = exp-int I 0x00000001; 
88: I 
89: exp-int = exp-int - 127; 
90: //printf ("exponent int is %d\r\nU,exp-int); 
91: 
92 : i f  (exp-int < 0 )  { 
93 : i f  (exp-int == -127) leading-one = 0.0; 
94 : f or  (b=exp-int; b < G; b++) { 
95: exponent = exponent / 2; 
96: I 
97 : I 
98 : else i f  (exp-int > 0) { 
99: f or  (b=O; b < exp-int; b++) { 
100: exponent = exponent * 2.0; 
101: I 
102: I 
103: else exponent = 1.0; 
104: //printf("exponent is %f and mantissa is %f\r\nW,exponent,mantissa); 
105: 
106: 
107: i f  (leading-one == 1 . 0 )  { 
108: f or  (i=9; i<32; i++) { 
109: man-frac = man-frac / 2; 
110: i f  (fbinary[i] == '1') mantissa = mantissa + man-frac; 
111: 1 
112: mantissa = 1.0 + mantissa; 
113: 1 
114: e l s e  { 
if (f_binary[9] == '1') mantissa = mantissa + 1.0; 
exponent = 5.877472E-39; 
for (i=iO; i<3%; i++) { 
man-frac = man-frac / 2; 
if (f-binary [i] == '1') mantissa = mantissa + man-frac; 
/ / p r . i n t f ( "expo: :en t  i s  %e and ma.nt i s s a  i s  %fiir\r? I f f  e ~ ~ ~ o n e n t ~ m a n t i s s a )  ; 
/ / p r i n t f  ("exponent  i s  % f  and mant issa  is %f \r\r?", exponen t ,nan t i s sa )  ; 
return (sign * exponent * mantissa); 
/ ,I Converts  Float  t o  Custom I n t e g e r  
....................................................... 
int float2int(float ff) { 
bit-f loat-t arg; 
arg.f = ff; 
return arg . u; 
1 
...................................................... 
// Converts  Float  t o  Custon I n t e g e r  Bytes  f o r  [?ART 
//.=========.=============================.=.==.======.===== 
void float2bytes(float f, unsigned *bl-int, unsigned *b2-int, unsigned 
*b3_int, unsigned *b4_int) { 
bit-f loat-t arg; 
arg-f = f; 
*bl-int = (arg-u >> 21) & Oxff; 
*b2_int = (arg-u >> 16) & Oxff; 
*b3_int = (arg.u >> 8) & Oxff; 
*b4_int = arg.u & Cxf  f; 
...................................................... 
// Converts In t eger  t o  Custom I n t e g e r  Bytes  for UART 
...................................................... 
void int2bytes(unsigned int int-val, unsigned *bl-int, unsigned *b2-int, 
unsigned *b3_int, unsigned *b4_int) { 
*bl-int = (int-val >> 24) & O x f f ;  
*b2_int = (int-val >> 16) & O x f f ;  
*b3_int = (int-val >> 8) & Oxff; 
*b4-int = int-val & Oxff; 
// - - - 
-------------- ---- ------------------------- 
// Traps Error Code 
...................................................... 
i n t  Errorcheck ( i n t  Por t ,  i n t  Code) 
{ i f  (Code<O) 
{SayError (Code, NULL) ; 
SioDone ( P o r t )  ; 
e x i t  (1) ; 
1 
r e t u r n  Code; 
1 
//---------------------------------------------------- ............................................. 
// R u n  P l a n t  Model  
...................................................... 
v o i d  run-plant ( 1  I 
// 
1 
// --- ------------- ---- ----- .---- ---- 
------- ----- ------- 
// Transmit Data on UART to FPGA 
...................................................... 
void  transmit-data (unsigned i n t  addr, f l o a t  d a t a )  { 
s l e e p  ( 5 0 )  ; 
SioPutc (Por t ,  ' - I ) ;  
i n t 2 b y t e s  (addr,  & b l ,  &b2, &b3, &b4) ; 
SioPutc (Por t ,  b l )  ; 
SioPutc (Por t ,  b2) ; 
SioPutc (Por t ,  b3) ; 
SioPutc (Por t ,  b4) ; 
f loa t2by tes  ( d a t a ,  & b l ,  &b2, &b3, &b4) ; 
SioPutc (Por t ,  b l )  ; 
SioPutc ( P o r t ,  b2) ; 
SioPutc ( P o r t ,  b3) ; 
SioPutc (Por t ,  b4) ; 
1 
// 
---------------- 
// Is V a l i d  N u m b e r  
//---------------------------------------------------- -- - -- ---- ---- -- - -- - -- ---- ---- -- A 
i n t  is-num(int char-val) { 
i f  (char-val == 48)  r e t u r n  1; 
else i f  (char-val == 4 9 )  r e t u r n  1; 
else i f  (char-val == 513) r e t u r n  :I.; 
else i f  (char-val == 51) r e t u r n  1; 
else i f  (char-val == 5 2 )  r e t u r n  1; 
else i f  (char-val == 5 3 )  r e t u r n  1; 
else i f  (char-val == 54) r e t u r n  1; 
else i f  (char-val == 55) r e t u r n  1; 
else i f  (char-val == 56) r e t u r n  1; 
227: else i f  (char-val == 5 7 )  return 1 ;  
228: else return C; 
229: } 
230: 
231: 
232: ....................................................... 
233: // ~Yai.11 
234: ...................................................... 
235: void main(int argc, char *argv[]) { 
236: char c; 
237 : i n t  i; 
238: unsigned i n t  j ; 
239: unsigned i n t  mycounter = 0 ;  
240: unsigned i n t  errcount = 0; 
241: unsigned i n t  custom-int; 
242: f l o a t  status = 0.0; 
243: f l o a t  imu-a = 0.0; 
244: f l o a t  imu-b = C.O; 
245: f l o a t  css-a = 0.0; 
246: f l o a t  css-b = 0.0; 
247: f l o a t  ref = 1.0; 
248: f l o a t  rwa-temp = 25.6; 
249: f l o a t  rwa-speed = 2001.0; 
250: f l o a t  mtr-a-current = 34.2; 
251: f l o a t  mtr-b-current = 23.4; 
252 : f l o a t  torque-in; 
253: f l o a t  foo; 
254: f l o a t  mission-time; 
255: unsigned temp-addr; 
256: f l o a t  temp-data; 
257: char hold-bin [l2] ; 
258: FILE *fp; 
259: FILE *imu; 
260: FILE *css; 
261: FILE *rwa; 
262: FILE "octavia; 
263: FILE *mtr; 
264: FILE *states; 
265: FILE *macros; 
266: FILE "outputs; 
267: char outputFilename[] = " o u t . c s v f l ;  
268: i n t  opened = 0; 
269: 
270: //fp - fopen (outputFllename, " w " )  ; 
271: 
272: 
273: - .  . , printf ("This 5s 3 console-:- mocic: r>royram ?,. 1s .::lpslqac::j ZC:: r\jrl frsrfi a 
,. . ,Gjniv:~;~c~ - . ~ : . ~ ~ ~ d o w .  \,,rl") ; 
274: // process a r g s  
275: i f  (argc!=3) { 
276: print-(~~ijsacie: C::JNSGT,F; <:pal-i,,;: 1- .::bd;.;d:.',:-.w t .  ) ;  
277: printf(" ~':q-: c:::>NEc!~',~'; I i9,;!:j0\,*.-.lt); 
278: return; 
279: 1 
280: Port = atoi (argv[l]) - 1; 
281: Baud = atoi(argv[2]); 
282: / I '  pass the kej- code 
i f  (SioKeyCode (WSC-KEY-CODE) < O )  { 
print f (*F:RROR: Rad Key Code ! " ) ; 
exit (1) ; 
} 
// se l  de fau l t s  for  a l l  ports .  Note 'Port '  argument i s  -1 
ErrorCheck ( -1, SioReset (-Ill, 1) ; // DTR & RTS set  at  port i n i t i a l i z a t i o n  
ErrorCheck ( -1,  SioParms (-1, WSCNoParity, WSC-OneStopBit, WSC-WordLength8) ) ; 
// rese t  ( i n i t i a l i z e )  the port 
ErrorCheck ( Port, SioReset (Port, 1.024,1024) ) ; 
ErrorCheck ( Port, SioBaud (Port, Baud) ) ; 
printf ( " \ \ $ n E n t e r  terminal loop ( Type ^ Z  to exit )\\nV); 
// enter  terminal loop 
while (TRUE) { 
// was key pressed ? 
i f  (kbhit ( )  ) { 
// f e tch  character 
c = getch ( ) ;  
i f  (c==Oxla) { 
// restore COM port s ta tus  & e x i t  
SioDone (Port) ; 
exit (1) ; 
1 
else i f  (c=='ct) { 
printf ("Give me a floating point nunber. \r\nW) ; 
scanf ("%-f", &temp-float) ; 
printf ("Equivi31..ei?;.t Custom Int i.s %u or sL*-i\r'\?:" o  I .. , 
float2int(temp_float) , f l o a t 2 i n t ( t e m p _ f l o a t ) ) ;  
1 
else i f  (c=='yl ) { 
i n t  temp-int; 
printf("Give m e  an integer number.\r\nw); 
scanf ("%fm, &temp-int) ; 
printf ("Ec;ulivalerE Float is %f or %e\r \nw , int2f loat (temp-int) , 
int2float (temp-int) ) ; 
else i f  (c=='o') { 
octavia = fopen ("octavia. txt ", "w") ; 
printf("Fi1e opened!\r\nW); 
opened = 1; 
1 
else i f  (c=='ll) { 
fclose (octavia) ; 
printf ("F'ile Closed\r\~~') ; 
opened = 0; 
1 
else i f  (c=='tl) { 
// Transmit Data t o  FPGA 
print f ("Transi~i.- one pi..ece of d a t a . \ r \ \ , n V  ) ; 
imu-a = 1.1 + rand()/(((double)RAND-MAX + 1) / 0.01); 
imu-b = 1 .5  + rand()/(((double)RAND-MAX + 1) / 0.01); 
css-a = y-intg + rand()/(((double)RAND-MAX + 1) / 0.1); 
css-b = css-a; 
transmit-data(imu-attitude-rate-a-addr,imu-a); 
1 
else if (c=='sl ) { 
fp = fopen (outputFilename, "i*;" ) ;
rwa = fopen ( " r w a . r s v " ,  "w"); 
printf (".Sjr~~~jc!ti,on Star . t : ,ed! ' \ ,n\ ,yPt-es .s  5 1.;;. qcl;,~./:,i.'.,n~~); 
while (c!='ql) { 
// Look f o r  Data l o g g i n g  c h a r a c t e r  
/ / w h i l e  (i!=126) { 
//i = S i o G e t  c  ( P o r t )  ; 
/ / p r . i n t f  ( " T o p  g o t  % c \ r ! n r r ,  i); 
// Send C h a r a c t e r  t o  comnence  d a t a  l o g g i n g  
SioPutc (Port, ' ! ' ) ; 
/ / p r i n t f  ( " !  s e n t  \ r \ n V ) ;  
i = SioGetc (Port) ; 
/ ' / I  
while (i!=126) { 
i = SioGetc (Port) ; 
/ / p r - i n t f  ( " T r y i n g  f o r  1 2 6  : % c \ r \ n  ", i ) ;  
1 
,// Loop u n t i l  i=124 ,  wh ich  means  e n d  o f  d a t a  l o g g i n g  a r r a y  
while (i !=  124) { 
// Look f o r  - c h a r a c t e r ,  d e n o t e s  d a t a  l o g g i n g  
if (i == 126) { 
/ *  f i r s t  g e t  t i m e  */ 
custom-int = 0; 
for (j=O; j<4; j++) { 
i = SioGetc (Port) ; 
errcount = 0; 
while (i==WSC-NO-DATA) { 
i = SioGetc (Port) ; 
/ / p r i n t f ( " T i m e  g o t  i % u \ r \ n V , i ) ;  
errcount++; 
if (errcount > 103) break; 
1 
if (errcount > 103) break; 
/ / p r i n t f ( " T i r n e  g o t  i % u \ r \ n V , i ) ;  
custom-int = custom-int << 5;  
custom-int = custom-int I i; 
I 
mission-time = int2float(custom-int); 
if (errcount > 100) break; 
;'* then g e t  a d d r e s s  */' 
for (j=O; j<4; j++) { 
i = SioGetc (Port) ; 
while (i==WSC-NO-DATA) { 
i = SioGetc (Port) ; 
395: / / p r i : ? t f ( " A d d r  g o t  1: % u \ r \ n w ,  i ) ;  
396: 1 
397 : / / ' p r i n t f  ( " l i ddr  g o t  i %u \ r \ r :" ,  i j ; 
398: temp-addr = temp-addr << 8; 
399: temp-addr = temp-addr I i; 
400: 1 
401: 
402: j* t h e n  g e t  d a t a  */ 
403: custom-int = 0; 
404: fo r  (j=O; j < 4 ;  j++) { 
405: i = SioGetc (Port) ; 
406: while ( i==WSC-NO-DATA) { 
407: i = SioGetc(Port); 
408: I ' / - - . . i r ? t f  : L ( " D a t a  g o t  1 %u\r\ri", i ) ;  
409: } 
410: , / / ;?r i r ! t f  ( " D a t a  g o t  i % u \ r \ n V , i ) ;  
411: custom-int = custom-int << 8; 
412: custom-int = custom-int I i; 
413: 1 
414: temp-data = int2float(custom-int); 
415: 
416: i f  (temp-addr == octavia-torque-addr) { 
417: octavia-torque = temp-data; 
418: / i p r i r ~ t f  ( " T o r y u e  o u t p u t  i s  %f o r  % d \ r  \ n W ,  
t en$ ) -da ta ,  cu s to r r i - i n t ) ;  
419: 1 
420: 
421: / / P I - i n t i  ("Bi, %i, % d ,  %u \ n  " , m i s s i o n - t i m e ,  t emp-da ta ,  
c u s t o m - i n t ,  t emp-addr )  ; 
422 : 
423: while (i!=126 & &  i!=124) { 
424: i = SioGetc (Port) ; 
425: /',/if ( i==126i  / i = = 1 2 4 )  p r i n t f  ( " g o t  i t !  \ r \ n V ) ;  
426: / / ~ r i n t f ( ~ ' B o t t o m  g o t  % c \ r \ n r r , i ) ;  
427: 1 
428: 
429: // 
430: fprintf (fp, w?:,_r,c 1 , "(i o,., a o~ \i.:v , mission-time, temp-data, 
custom-int,temp-addr); 
431: 
432: 1 // End Data  L o q  One I t e m  
433: 
434: ) // End While  i!= 124, Data  L o g g g i n g  C o m p l e t e  for o n e  
Round 
435: 
436: i f  (errcount <= 100) { 
437: printf ("D,2:7ita l o , q r j i n c ;  r.c,:..;rlc:i c4:)rrtpleted'\,r',sr~17) ; 
438: i = SioGetc (Port) ; 
439: while (i==WSC-NO-DATA) { 
440: i = SioGetc (Port) ; 
441: //if ( i = = 8 9 )  pz - l . r - rc f ("got  8 9 ! \ r J n W ) ;  
442: / ' / _ r ~ r . i n t f ( " l , o o k i n g  f o r  89 : G c \ r \ n V , i ) ;  
443: 1 
444: 
445: // Perf o r n  I3od.y D ~ r 2 a : n i  cs E q u a t i o n s  
446: y-bd = Q.(:()99532 * x-bd; 
447: x-bd = 0. 39005 * x-bd + octavia-torque; 
y-intg = 0.OlCOCO * x-intg; 
x-intg = x-intg + y b d ;  
mycounter,errcount,octavia~torquefy~intg); 
454 : fprintf(rwa, "8f, sf, .I, &F'~,~-",mission~time,octavia~torque, 
y-bd, y-intg) ; 
455 : 
456: imu-a = y-bd; 
457: imu-b = imu-a; 
458: css-a = y-intg; 
459: css-b = css-a; 
460: 
461: 
transmit-data (2, imu-a) ; 
transmit-data (6, imub) ; 
transmit-data (14, css-a) ; 
transmit-data (18, css-b) ; 
printf ("Tr-an5mi. t  compl.et.e! \ , r ' ' . nV)  ; 
if(kbhit()) { 
c = getch(); 
SioPutc (Port, c) ; 
1 
1 // End while c!= q, End Simulation Loop 
printf ( " 3 l m u  -?t ion Stopped! ' \ , r \ n U )  ; 
//fprlntf (fp, "Simulation Stopped! \r\nV); 
fclose (fp) ; 
fclose (rwa) ; 
i = C; 
1 ;'/ End if c == s, Simulation 
else { 
SioPutc (Port, c) ; 
1 
j // end was ke.y pressed ? 
i = SioGetc (Port) ; 
if (i==WSC-NO-DATA) Sleep(50); 
else if ( i > = 0 )  { 
f t . '  i 
printf ( " :  ", i) ; 
if (opened == : ) fprintf (octavia, "(L:d",i) ; 
r+ (- c 
// d~splay In hex 
wsprintf ( (char *)Temp, ":x ", i) ; 
503: printf ( (char *)Temp) ; 
504: li ,:? (-j i f 
505: 
506: } // end e l s e  if j>=g 
507: 
508: } //' e n d - w h i i e  (TRUE) 
509: 
510: ) /,,' e n d  n a i n  
511: 
512 : 
