Mass Storage device developed for application in the space station by Algra, T.
Nationaal Lucht- en Ruimtevaartlaboratorium
National Aerospace Laboratory NLR
NLR TP 97360
Mass storage device developed for application
in the space station
T. Algra
DOCUMENT CONTROL SHEET

ORIGINATOR'S REF.   NLR TP 97360 U
SECURITY CLASS.     Unclassified
ORIGINATOR          National Aerospace Laboratory NLR, Amsterdam,
                    The Netherlands
TITLE               Mass storage device developed for application in
                    the space station
PRESENTED AT        the 48th International Astronautical Congress,
                    October 6-10, 1997, Turin.
AUTHORS             T. Algra
DATE                970722
pp                  11
ref                 2
DESCRIPTORS         Computer storage devices, Data storage, Data
                    acquisition, Environmental tests, Latch-up,
                    Magnetic disks, Memory (computers), Protocol
                    (computers), Radiation protection, Real time
                    operation

ABSTRACT
Data storage devices each providing 260 MB non-volatile random access
memory will be used in the Data Management Systems of the Russian and the
European Modules of the Space Station. The National Aerospace Laboratory
NLR, and Signaal Special Products have jointly developed these Mass
Storage Devices (MSD) based on commercial winchester disks. For increased
reliability, these MSDs contain two separate disk cartridges with
identical data contents. An intelligent latch-up protection system has
been incorporated to safeguard the drives against destruction due to
radiation effects. This protection mechanism has been validated by tests
in a proton beam facility.
MASS STORAGE DEVICE DEVELOPED FOR APPLICATION IN THE SPACE STATION
T. Algra
National Aerospace Laboratory NLR
P.O.Box 153, 8300 AD, Emmeloord, The Netherlands
E-mail: algra@nlr.nl
Copyright © 1997 by the National Aerospace Laboratory NLR, The
Netherlands. Published by the American Institute of Aeronautics and
Astronautics, Inc. with permission. Released to IAF/IAA/AIAA to publish
in all forms.

1  INTRODUCTION

The Russian Service Module of the International Space Station will be
equipped with a Data Management System (DMS-R) to be built by a European
industrial consortium under ESA responsibility. The DMS-R includes two
so-called Control Post Computers. These computers, developed under
responsibility of Matra Marconi Space France, are driven by a SPARC
processor configuration, based on VME architecture (10 slots), and
equipped with MIL-STD-1553B and Ethernet interfaces. The Control Post
Computers each contain a Mass Storage Device (MSD). Based on non-volatile
memory technology, these units will provide storage capacity for DMS
system software and payload data.

As much as possible, the elements of the DMS-R will be re-used for the
realisation of the DMS of the European module of the Space Station, the
Columbus Orbital Facility (COF). For example, the MSD will be a part of
the MMU (Mass Memory Unit) computer.

Signaal Special Products (SSP) together with the National Aerospace
Laboratory (NLR), both of the Netherlands, developed and used a design
and implementation approach for the MSD, which is relatively
cost-effective by employing Commercial-Off-The-Shelf winchester disk
drives. The selected drives are PCMCIA type 3 drives with a storage
capacity of 260 MB. The small dimensions (86 x 54 x 10.5 mm) allow the
disk drives to be accommodated in removable cartridges. These cartridges
are hermetically sealed for two reasons: i) the drives require at least
0.6 Bar environmental pressure during operation, ii) the drives contain
components and materials that are not manufactured according to military
or space quality standards.

In order to meet the applicable vibration and shock requirements, the
drives are protected by a suspension system inside the cartridges. The
selected drive meets the other basic environmental requirements except
the radiation susceptibility (see Section 3). Temperature screening of
the drives has been included in the MSD manufacturing cycle for the
qualification with respect to temperature extremes.

The cartridges are removable and exchangeable. The standardized PCMCIA
interface offers a number of advantages:
- growth potential: the disks can be easily replaced by future
  higher-density types without the necessity to redesign the MSD;
- existing hardware and software components can be used in ground
  support and test equipment;
- the fully documented and supported PCMCIA interface reduces efforts
  required for controller development;
- the design of the MSD may be used in the future for other
  Commercial-Off-The-Shelf PCMCIA applications such as Ethernet cards,
  video interfacing and compression, and A/D conversion, without the
  need for hardware modifications.

Fig. 1 gives an impression of the complete unit. Fig. 2 depicts a block
diagram of the system. The MSD contains two cartridges with a disk drive,
with identical data contents. This allows mirror mode operation to
improve system reliability. A controller board has been developed with
the following basic functionality: VME to PCMCIA interfacing, mirror mode
operation, and latch-up protection. The MSD occupies three slots in the
VME crate of the Control Post Computer. The disks can be formatted
(DOS 5) and preloaded with software and/or data, using a Ground Support
Tool, basically a PC equipped with a PCMCIA interface extended with a
"flight" connector compatible to the cartridge. The MSD has been designed
for 10 years operational lifetime.

2  MSD CONTROLLER

The controller interfaces the VME bus to the two drives (Fig. 3). It
supports the VME protocol at one side and the PCMCIA ATA protocol at the
other side to transfer data between a host processor and the drives.
In addition, the controller provides the following functions:
- data duplication and verification in the mirror mode;
- generation of status information;
- monitoring of the power supply currents of the drives and protection
  of the drives against circuit burnout due to radiation effects (refer
  to Section 3).

The controller supports two operational modes: mirror mode and single
mode. In the mirror mode the data written to drive 1 are automatically
and simultaneously written to drive 2 as well. When reading data, the
controller accesses and reads both drives and compares the two data
streams on the fly. In case of a difference, the controller signals the
host by an interrupt. Differences may occur due to radiation effects or a
drive defect. The probability of bit errors caused by radiation in orbit
is extremely low. Nevertheless, these errors can be corrected for by the
host. The mirror mode is the default operational mode, providing
increased system reliability. A special feature in this mode is the
verify command, providing the option to compare the data contents of the
two drives by the controller, without data transfer over the VME bus.

In the single mode, data is transferred between the host and one drive
(selected by command).

The controller electronics at the VME bus side is defined as a VME Slave
Module supporting byte and word transfers (including block transfer). All
the control and I/O registers of the drives are mapped to VME memory and
are directly accessible for the host processor. A command register and a
status register are included on the controller board to direct and to
monitor the drive command and transfer processes. By the command register
the following command options are available to the host: reset, initiate
verify function, mask interrupt, enable latch-up detection, and select
mode (single or mirror). The status register gives information on the
power-on status of the drives, pending interrupt requests,
microcontroller health, and verify status. The host is interrupted upon
any change of the controller's status register.

The PCMCIA interfaces to the two drives are completely separated, to
prevent any fault propagation from one drive to the other. For both
drives an electronic short circuit protection function has been included.

The controller electronics are assembled on a printed circuit board (PCB)
which is mounted inside the unit. This PCB is provided with a conduction
cooling plate with a heat management layer. The PCB assembly is mounted
between the unit's top and bottom
frames which are in close thermal contact to the cooling plate. The unit
is positioned in the VME rack and clamped by expanders to assure
mechanical rigidity and thermal contact between the unit and the rack.

3  LATCH-UP PROTECTION FUNCTION

The disk drives contain microcircuits which are sensitive to radiation
effects, in particular so-called Single Event Upsets. The basic mechanism
of Single Event Upset is the deposition of charge by the passage of a
heavy ion through the sensitive region of a device. If the ion has enough
stopping power the charge may be sufficient to change the state of an
electrical node or cell within a device. The best known example of this
is the change in state of a memory cell which can be subsequently
rewritten. This is known as a soft error which may be defined as an
erroneous but correctable logic state. A more dangerous form of upset is
heavy ion induced latch-up [1]. In a CMOS device a deposited charge may
cause a low-impedance path. This state is permanent as long as the device
remains powered, and results in a potentially destructive high current
through the device. A latch-up state can be removed by powering off the
device for a while immediately after the occurrence of the event. This
prevents damage to the microcircuit.

To detect instantaneous rises due to latch-up events, the supply currents
of the two drives are continuously monitored. The architecture of the
latch-up protection function is included in Fig. 3. Power is supplied to
the drives through an electronic switch and a current sense resistor. The
currents are measured, digitized, and read by a microprocessor. This
processor compares the currents with an adaptive threshold. Using a
specially designed algorithm, noise and other variations are excluded and
a reliable latch-up detection is realized. As soon as such a latch-up is
detected, the microprocessor drives the electronic switch in the off
state long enough to remove the latch-up condition. The microprocessor
simultaneously activates a bleeder circuit which rapidly removes internal
charges. In addition, the event is reported to the host by an interrupt
and status information. Note that the other drive is not influenced by
this recovery process.

The bleeder circuit can also be activated directly via the VME bus, e.g.
by the host processor. This feature is useful to test the latch-up
protection function since the bleeder current can be regarded as a
simulated latch-up current.

The supply current profile depends on the state of the disk and the
command history. Therefore, the microprocessor algorithm continuously
adapts the detection thresholds to the current situation. Variations due
to temperature, measuring offset, and dispersion are also covered. Fig. 4
depicts a simplified state transition diagram of the microcontroller
software (shown for one drive only).

4  DEVELOPMENT AND VERIFICATION

The development and verification programme included the realization of
two Development Models (functionally equivalent to the end product), two
Engineering Models (electrically equivalent), and a Qualification Model.
The Qualification Model is equivalent to the flight models, including
components, materials, and manufacturing processes applied. However, due
to the tight project planning, the integration of the engineering model
of the control post computer was still in progress during the production
of the MSD Qualification Model. This approach was intended, and resulted
in a number of modifications carried out on the MSD Qualification Model
before the start of the qualification test programme. This model was
intentionally referred to as "Engineering Qualification Model". It was
also subjected to an extensive pre-qualification programme, mainly to
verify procedures and design solutions with respect to the cartridge
suspension system, the cartridge hermeticity, and temperature control
issues.

A computerized Unit Tester (Fig. 5) has been developed for the functional
and performance
tests. The Unit Tester comprises two VME racks (host rack and rigid rack)
and a PC. The host rack accommodates a power supply, a VME
master/controller board, a custom test hardware board, and a VME
extension board. The rigid VME rack, used as a fixture during the
operational environmental tests, contains another, ruggedized VME
extension board and the MSD under test. The two racks act like one VME
rack by the use of extension boards.

The Unit Tester software runs under a real-time operating kernel. The
lowest level of the Unit Tester software comprises the MSD driver. The
next level consists of modular test functions (read or write a block of
data, put a drive in sleep mode, etc). At the highest level, automated
test sequences are available, that execute predetermined sets of MSD test
actions. These test sequences, written in a dedicated test language, are
processed by an interpreter.

The latch-up protection function has been validated by proton irradiation
at the Paul Scherrer Institute, Switzerland. For this validation a test
set-up has been realized being a modified version of the MSD/Unit Tester
configuration with provisions for extended PCMCIA cabling, data
acquisition, and test software [2].

5  CONCLUSIONS

A Mass Storage Device with Commercial-Off-The-Shelf winchester drives has
been developed. It is a non-volatile memory unit providing 260 MB random
access memory in a VME environment, and has been designed for an
operational lifetime of 10 years for application in the International
Space Station. Compliance to all the applicable requirements has been
achieved by a special cartridge accommodation method and an intelligent
latch-up protection system. The adoption of the PCMCIA standard offers
growth potential towards higher-density drives and opportunities for
technology insertion.

6  REFERENCES

[1] Adams, L., "Cosmic ray effects in microelectronics", Microelectronics
    Journal, Vol. 16, No. 2, 1985
[2] Dorp, A.L.C. van, "Mass Storage Device Radiation Test Final Report",
    MSD-NLR-TN-031, issue 1, NLR, 1996

Table 1  Mass Storage Device specifications

ENVIRONMENT
Vibration           Random (20-2000 Hz), operating       4.8 grms
                    Random (20-2000 Hz), non-operating   21 grms
Shock               5 ms                                 40 g
Temperature         Operating                            0 - +40 °C
                    Non-operating                        -50 - +50 °C
Pressure                                                 5 - 970 mm Hg
Radiation                                                SEU SEL protected

PERFORMANCE
Interfaces          VME                                  IEC 821 / IEEE 1101.2
                    Disks                                PCMCIA ATA
Data capacity                                            2 x 260 MB
Power               DC input voltages                    +5 V ± 2.5%; +12 V; -12 V
                    +5 V current                         2.1 A peak
System performance  Read transfer rate                   780 kByte/s
                    Write transfer rate                  955 kByte/s
                    Max. access time                     18 ms
Physical            Size                                 3 VME slots
                    Weight                               2650 g
Reliability         BER                                  < 10^-14
                    MTBF (30 °C)                         9E5 hrs

Fig. 1  Mass Storage Device
Fig. 2  MSD block diagram
[Figure labels: VME bus; controller; VME/PCMCIA interface; LU protection;
PCMCIA (twice); WDD (twice). WDD = Winchester Disk Drive]
Fig. 3  Architecture of MSD controller
[Figure labels: VME control, VME addr, VME data; interface logic; control
& status registers; buffers and buffering; comparator; drive 1 and
drive 2 data, control and address; microcontroller latch-up protection;
ROM; ADC; mux; amp; buf; power drive 1; power drive 2; +5 V]
Fig. 4  Simplified state transition diagram of latch-up protection software
[Figure labels: Initialization; moderate threshold; accurate threshold;
switch off disk power; switch on disk power; transition labels I/O,
no I/O, LU detect, 2 s]
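
The latch-up protection loop of Section 3 and Fig. 4 for one drive, as an added C example that is not the MSD firmware. The paper does not publish its algorithm, so the sample period, both threshold margins, the 1/8 baseline tracking, the reading of the "2 s" label as the power-off time, and all names are assumptions.

```c
#include <stdbool.h>

/* Assumed values; the paper gives only the "2 s" label in Fig. 4. */
enum { SAMPLE_MS = 10,        /* current sample period (assumed) */
       OFF_TIME_MS = 2000,    /* power-off hold, read from the "2 s" label */
       MARGIN_IDLE_MA = 40,   /* "accurate" threshold margin, no I/O (assumed) */
       MARGIN_IO_MA = 150 };  /* "moderate" threshold margin, I/O (assumed) */

typedef enum { LU_INIT, LU_MONITOR, LU_POWER_OFF } lu_state;
typedef struct {
    lu_state state;
    int baseline_ma, off_ms;    /* adaptive current estimate; time powered off */
    bool power_on, bleeder_on;  /* electronic switch; bleeder circuit */
    unsigned events;            /* latch-ups reported to the host */
} lu_ctx;

void lu_init(lu_ctx *c) { *c = (lu_ctx){ .state = LU_INIT, .power_on = true }; }

/* One step per current sample; returns true when a latch-up is flagged. */
bool lu_step(lu_ctx *c, int ma, bool io_active) {
    int margin = io_active ? MARGIN_IO_MA : MARGIN_IDLE_MA;
    switch (c->state) {
    case LU_INIT:                      /* seed baseline after (re)powering */
        c->baseline_ma = ma;
        c->state = LU_MONITOR;
        break;
    case LU_MONITOR:
        if (ma > c->baseline_ma + margin) {
            c->power_on = false;       /* open the electronic switch */
            c->bleeder_on = true;      /* drain internal charges */
            c->off_ms = 0;
            c->events++;               /* interrupt + status to the host */
            c->state = LU_POWER_OFF;
            return true;
        }
        c->baseline_ma += (ma - c->baseline_ma) / 8;  /* track slow drift */
        break;
    case LU_POWER_OFF:
        if ((c->off_ms += SAMPLE_MS) >= OFF_TIME_MS) {
            c->power_on = true;
            c->bleeder_on = false;
            c->state = LU_INIT;        /* re-learn baseline on restart */
        }
        break;
    }
    return false;
}
```

With these assumed margins a 320 mA sample is tolerated while I/O is active but trips the detector once the drive is idle, which is the reason for keeping two thresholds.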
Fig. 5  MSD Unit Tester
[Figure labels: PC; RS232; VME bridge; Host 68040; LED brd; MSD; WDD1;
WDD2; Oscilloscope; Dig. Mult. meter; MK-III; PM 3350; P1; P2; +5V; +12V;
-12V; Unit Tester (host rack); Unit Tester (rigid rack)]
