Command Loss Timer Reset
Command Loss Timer Resets are part of the CCSDS communications system to spacecraft either in Earth orbit or beyond Earth orbit.
The Command Loss Timer Reset, if it is not received in a timely manner by the spacecraft generally forces the spacecraft to engage in safety and self-protection procedures.
- Command Loss Timer Reset systems involve both hardware and software, whereas watchdog timers are essentially hardware only affairs.
- Most spacecraft have more than one Command Loss Timer Reset for subsystem level safety reasons, with the Voyager craft using at least 7 of these timers.
- Technically the Command Loss Timer Reset is a glorified array of Watchdog timers, each with different settings.
Overall spacecraft safety is very important for missions of multi-year duration. This means that the Command Loss Timer Reset subsystem has to be used to avoid multiple computer reboot events. Generally speaking, when a computer reboots it decreases the overall safety of the spacecraft for a very brief time.
The Command Loss Timer Reset can be used for computer system rebooting, but only when multiple timers have not been reset—like the classical "Dead man's switch" of industrial transport use.
Embedded systems need to be inherently self-reliant, as this is fundamentally part of their design. Embedded systems (like those on spacecraft) can't be constantly watched by a human. It is simply not possible to wait for someone to reboot the embedded system if the software or hardware hangs.
- Embedded designs, such as robotic spacecraft—are simply not accessible to human operators by any means but command telemetry for 99.9% of their expected mission life.
- If spacecraft software or hardware ever hangs, the spacecraft would in essence be permanently disabled. The Command Loss Timer Reset subsystem acts to partly resolve hardware-software problems in Solar System or Earth orbital operating conditions.
In actual use
This is an extract from a Voyager Mission report
- Voyager Mission Operations Status Report #2009-12-25
- Command Transmission & Verification Operations
- Voyager 1 command operations consisted of the uplink of a Command Loss Timer Reset and HPOINT LINK with MRO on 12/21 [DOY 355/1350z]. The spacecraft received all commands sent and all commands were verified.
- Voyager 2 command operations consisted of the uplink of seven bracketed Command Loss Timer Resets sent on five-minute centers using 0.5 Hz steps on 12/23 [DOY 357/0212z]. The spacecraft received three of the seven commands sent.
Voyager 30 Year Mission explanation
- The purpose of the CMDLOS routine is to provide a means for the spacecraft to automatically respond to an on-board failure resulting in the inability to receive ground commands. Whenever a specified number of hours have elapsed without the CCS receiving a valid command, the CCS assumes a spacecraft failure and attempts to correct that failure by systematically switching to redundant hardware elements until a valid command is received. CMDLOS will be executed four consecutive times if command reception is not successful. After four unsuccessful executions, CMDLOS will be permanently disabled and BML will be activated.
The Command Loss Timer Reset is not strictly limited to spacecraft, as any scientific instrument that is in a situation where remote command could be lost could use this safety measure.
This feature is common with devices connected over the Internet, but not all Internet connected devices use it.
Every report indicated how many CTLRs were sent and how many were received. So far this is the only NASA mission to indicate this aspect of spacecraft health.