CISEC
Introduction to critical embedded systems engineering

ISAE, Toulouse, November 25th, 2013
Despite the large variety of space systems, from micro or nano satellites to large orbital infrastructures, from launchers to deep space probes, from scientific to telecommunication satellites, the presentation will attempt to propose a synthesis of the safety and dependability needs, constraints and solutions. The focus will especially be put on the architecture of the satellites, redundancy schemes and fault tolerance mechanisms, so as to achieve the required dependability for missions of up to some 15 or 20 years in an aggressive environment with very little repair capability after launch. These solutions will be illustrated through typical examples representative of the major combinations of needs and constraints, including launchers (Ariane V), typical "service" satellites (telecommunication) and particular cases such as man-related critical space systems (ATV, Columbus).
  1. CISEC: Introduction to critical embedded systems engineering
     ISAE, Toulouse, November 25th, 2013
     An overview of needs, constraints and solutions for safe and dependable space systems
     Jean-Paul Blanquart, Astrium Satellites, Toulouse, jean-paul.blanquart@astrium.eads.net
  2. Lecture overview
     This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.
     - Space systems, a quick overview
       - Definition
       - Various missions, spacecraft, ...
       - Regulation and standards
     - Dependable architecture solutions for space systems
       - Needs and constraints
       - Redundancy, basic schemes
       - Illustrations
     CISEC - SEC Conferences Series - Space systems - JP. Blanquart - Astrium Satellites, Page 3
  3. Space Systems: Definition (tentative)
     - Space system: a "system" with at least one component in "space"
     - System:
       - Not too simple
       - Artificial (at least partly): made, or adapted, to serve some explicitly stated purpose
     - Space:
       - At least 100 km above the surface of the Earth
       - During some significant time ("several orbits")
  4. Various "segments"
     - Interacting systems
       - Space and ground segments
       - Launch segment: ground + launcher
       - In-orbit servicing
       - Constellations of satellites
  5. Various missions
     - Telecommunications
     - Earth observation
     - Meteorology
     - Navigation and positioning
     - Science
       - Astronomy
       - Earth observation
       - Deep space and planetary exploration
     - Technology
     - In-orbit servicing
  6. Various "locations"
     - Earth orbit
       - Low Earth Orbit (LEO)
       - Medium Earth Orbit (MEO)
       - Geostationary Orbit (GEO)
       - Highly Elliptical Orbit (HEO)
       - GEO Transfer Orbit (GTO)
     - Other
       - Lagrange points
       - Trajectories in space
       - Planetary rover
  7. Various spacecraft (image slide)
  8. This is a spacecraft too (image slide)
  9. And what about this one? (image slide)
  10. And this one? The Westford project (1961-1963) (image slide)
  11. Space standards and regulations
      - 1958: COPUOS, United Nations Committee on the Peaceful Uses of Outer Space. 5 treaties, 5 principles. Founding text: 1967.
      - Treaties:
        - Treaty on Principles Governing the Activities of States in the Exploration and Use of Outer Space, including the Moon and Other Celestial Bodies
        - Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched into Outer Space
        - Convention on International Liability for Damage Caused by Space Objects
        - Convention on Registration of Objects Launched into Outer Space
        - Agreement Governing the Activities of States on the Moon and Other Celestial Bodies
      - Principles:
        - Declaration of Legal Principles Governing the Activities of States in the Exploration and Use of Outer Space
        - Principles Governing the Use by States of Artificial Earth Satellites for International Direct Television Broadcasting
        - Principles Relating to Remote Sensing of the Earth from Outer Space
        - Principles Relevant to the Use of Nuclear Power Sources in Outer Space
        - Declaration on International Cooperation in the Exploration and Use of Outer Space for the Benefit and in the Interest of All States, Taking into Particular Account the Needs of Developing Countries
      - Launch regulations
      - Space operations laws
  12. Space standards
      - ECSS, European Cooperation for Space Standardisation
  13. Constraints
      - Mass, size, power consumption
      - Environment (radiation, temperature, ...)
      - Knowledge, mastering of the environment
      - Maintenance
      - Ground-space communication limitations
      - Phased missions, critical parts
      - Cost
  14. Reminder
      - Dependability (IFIP WG 10.4): trustworthiness of a (computer) system such that reliance can justifiably be placed on the service it delivers; "ability to avoid service failures that are more frequent and more severe than acceptable".
      - Characterised by: Attributes (attributs), Threats (entraves), Means (moyens)
  15. The dependability tree
      - Dependability (sûreté de fonctionnement)
        - Attributes (attributs): Availability (disponibilité), Reliability (fiabilité), Safety (sécurité-innocuité), Security (sécurité-confidentialité), ...
        - Threats (entraves): Faults (fautes), Errors (erreurs), Failures (défaillances)
        - Means (moyens): Fault prevention (prévention des fautes), Fault tolerance (tolérance aux fautes), Fault removal (élimination des fautes), Fault forecasting (prévision des fautes)
  16. Needs (dependability)
      - Reliability
      - Availability
      - Maintainability
      - Safety
      - Security
  17. Means (dependability)
      - Prevention
        - Processes
        - Procurement, component selection, screening, "derating"
        - Validation
      - Tolerance
        - Redundant resources on-board
        - Dependable architecture
        - Fault tolerance: on-board automatic mechanism in charge of "Fault Detection, Isolation and Recovery" (FDIR)
  18. Cold standby redundancy architecture
      (Diagram: Monitoring and Reconfiguration Unit with Context Memory; Element A ON, Element B OFF.)
      - Most often used for space systems
      - Most reliable, as the failure rate of an unpowered element is generally significantly lower than that of a powered one (about one tenth)
  19. Hot standby redundancy
      (Diagram: Monitoring and Reconfiguration Unit with Context Memory; Element A ON, Element B ON.)
      - (A way to select the active outputs may be necessary)
      - Lower long-term reliability
      - May be used if the backup cannot be activated in case of failure, e.g., TC receivers, TC decoders
      - Or for equipment for which no interruption of service is tolerated (e.g., flight control OBC of the Ariane 5 launcher)
  20. Warm standby redundancy
      (Diagram: Monitoring and Reconfiguration Unit with Context Memory; Element A ON, Element B in stand-by.)
      - For equipment with a long start-up time (e.g., computers)
      - Ensures very short reconfiguration times
      - More complex to manage (periodic backup and upload of context, alarm watchdog and reconfiguration)
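A worked comparison of the long-term reliability of the standby schemes on slides 18 to 20, as an added example that is not part of the original slides. It assumes a constant failure rate lam for a powered element, a dormant (unpowered) failure rate lam_d = lam/10 for the cold spare as slide 18 states, and perfect fault detection and switch-over by the Monitoring and Reconfiguration Unit; the values lam = 1e-6/h and a 15-year mission are constructed sample inputs, not figures taken from the slides.

```python
import math


def r_simplex(lam, t):
    """Reliability of one element with constant failure rate lam over time t."""
    return math.exp(-lam * t)


def r_hot_standby(lam, t):
    """Two powered elements; the system survives while at least one works.
    Perfect output selection is assumed (the slide notes a selector may be needed)."""
    return 1.0 - (1.0 - math.exp(-lam * t)) ** 2


def r_cold_standby(lam, t, lam_dormant):
    """Active element A plus spare B that is powered off until A fails.
    B fails with rate lam_dormant while off and with rate lam once switched on.
    Integrating over the failure time s of A:
        R(t) = e^{-lam t} + int_0^t lam e^{-lam s} e^{-lam_dormant s} e^{-lam (t-s)} ds
             = e^{-lam t} * (1 + (lam / lam_dormant) * (1 - e^{-lam_dormant t}))
    lam_dormant = lam reproduces the hot-standby formula; lam_dormant -> 0 gives
    the textbook ideal cold standby e^{-lam t} (1 + lam t)."""
    if lam_dormant == 0.0:
        return math.exp(-lam * t) * (1.0 + lam * t)
    return math.exp(-lam * t) * (
        1.0 + (lam / lam_dormant) * (1.0 - math.exp(-lam_dormant * t))
    )


def compare_schemes(lam=1e-6, mission_hours=15 * 365.25 * 24, dormant_ratio=0.1):
    """Reliability of each scheme at end of mission (constructed sample parameters)."""
    return {
        "simplex": r_simplex(lam, mission_hours),
        "hot standby": r_hot_standby(lam, mission_hours),
        "cold standby (lam_d = lam/10)": r_cold_standby(lam, mission_hours, lam * dormant_ratio),
        "cold standby (ideal, lam_d = 0)": r_cold_standby(lam, mission_hours, 0.0),
    }


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:32s} R(15 years) = {r:.5f}")
```

In this model a warm spare that is powered but idle has a dormant failure rate close to lam and therefore sits near the hot-standby curve; what it buys over cold standby is the short reconfiguration time the slide mentions, paid for with the context-backup machinery and a lower end-of-life reliability.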
  21. Fault-masking using majority voting
      - Basic approaches (triplex architecture)
      (Diagram: three Computation blocks feeding one Vote block; variant with each Computation followed by its own Vote block.)
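A bit-wise triplex majority voter, added here as an example that is not part of the original slides. The three channel outputs it votes on are constructed sample values; the "dissenting channel" report and the isolate-after-N-consecutive-disagreements rule are assumed design choices that show how masking (the vote) and detection for FDIR (the report) can be combined, not something the slide specifies.

```python
from typing import List, Optional, Sequence, Tuple


def majority_vote(a: int, b: int, c: int) -> Tuple[int, List[int]]:
    """Bit-wise 2-out-of-3 vote of three channel outputs.
    Returns (voted_value, dissenters); dissenters lists the channel indices
    (0, 1, 2) whose value differs from the vote on at least one bit.
    With a single faulty channel the vote masks it and exactly one channel
    dissents; two simultaneous faulty channels can out-vote the good one,
    which then shows up as two dissenters or none at all."""
    voted = (a & b) | (a & c) | (b & c)
    dissenters = [idx for idx, ch in enumerate((a, b, c)) if ch != voted]
    return voted, dissenters


def run_cycles(channel_outputs: Sequence[Tuple[int, int, int]],
               isolate_after: int = 3) -> Tuple[List[int], Optional[int]]:
    """Vote every cycle and count consecutive disagreements per channel.
    A channel that dissents isolate_after cycles in a row is reported for
    isolation (the 'I' of FDIR); transient single-cycle upsets are masked
    without triggering a reconfiguration."""
    consecutive = [0, 0, 0]
    voted_values: List[int] = []
    isolated: Optional[int] = None
    for a, b, c in channel_outputs:
        voted, dissenters = majority_vote(a, b, c)
        voted_values.append(voted)
        for ch in range(3):
            consecutive[ch] = consecutive[ch] + 1 if ch in dissenters else 0
            if consecutive[ch] >= isolate_after and isolated is None:
                isolated = ch
    return voted_values, isolated


# Constructed sample: channel 1 develops a stuck-high bit from the third cycle on.
SAMPLE_CYCLES = [
    (10, 10, 10),
    (11, 11, 11),
    (12, 12 | 0x80, 12),
    (13, 13 | 0x80, 13),
    (14, 14 | 0x80, 14),
    (15, 15, 15),
]

if __name__ == "__main__":
    values, faulty = run_cycles(SAMPLE_CYCLES)
    print("voted outputs:", values)          # the fault never reaches the output
    print("channel to isolate:", faulty)     # 1
```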
  22. Assembly of self-checking components
      (Diagram: Inputs feed a Function block producing Outputs; a Check block raises an Error signal.)
      - Fault-secure component (for a given set of faults): for each considered fault, every input configuration leads to either a correct output or a detected error
      - Self-testing component (for a given set of faults): for each considered fault, at least one input configuration leads to a detected error
      - Both: totally self-checking component
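An exhaustive check of the two properties defined on this slide, added as an example that is not part of the original slides. The component is built with duplication-and-comparison (two copies of the function, an error raised when they disagree), which is an assumed design, not the slide's; the fault set (single stuck-at faults on one copy's output bits) and the two sample functions are constructed so that one function yields a totally self-checking component and the other is fault-secure but not self-testing.

```python
from typing import Callable, Dict, List, Optional, Tuple

N_BITS = 4
MASK = (1 << N_BITS) - 1
INPUTS = range(1 << N_BITS)
Fault = Tuple[int, int, int]  # (copy index, output bit, stuck-at value)


def duplicated_component(func: Callable[[int], int], x: int,
                         fault: Optional[Fault] = None) -> Tuple[int, bool]:
    """Two copies compute func(x); the checker flags an error when they differ.
    The delivered output is taken from copy 0. `fault` injects a stuck-at fault
    on one copy's output bit. Returns (output, error_detected)."""
    outs = [func(x) & MASK, func(x) & MASK]
    if fault is not None:
        copy, bit, value = fault
        outs[copy] = (outs[copy] & ~(1 << bit)) | (value << bit)
    return outs[0], outs[0] != outs[1]


def classify(func: Callable[[int], int], faults: List[Fault]) -> Dict[str, bool]:
    """Evaluate the slide's definitions over every input and every fault:
    fault-secure: each input gives a correct output or a detected error;
    self-testing: each fault is detected by at least one input;
    totally self-checking: both hold."""
    fault_secure = True
    self_testing = True
    for fault in faults:
        detected_once = False
        for x in INPUTS:
            correct = func(x) & MASK
            out, err = duplicated_component(func, x, fault)
            if out != correct and not err:
                fault_secure = False        # wrong output slipped through silently
            detected_once = detected_once or err
        self_testing = self_testing and detected_once
    return {
        "fault_secure": fault_secure,
        "self_testing": self_testing,
        "totally_self_checking": fault_secure and self_testing,
    }


# Constructed fault set: single stuck-at-0 / stuck-at-1 on any output bit of either copy.
STUCK_AT_FAULTS: List[Fault] = [
    (copy, bit, value) for copy in (0, 1) for bit in range(N_BITS) for value in (0, 1)
]


def mul3(x: int) -> int:
    """x * 3 mod 16 is a bijection, so every output bit takes both values
    over the input space and every stuck-at fault is exercised."""
    return (3 * x) & MASK


def clear_lsb(x: int) -> int:
    """Output bit 0 is constantly 0: a stuck-at-0 on that bit can never be
    observed, so the component is fault-secure but not self-testing."""
    return x & 0b1110


if __name__ == "__main__":
    print("mul3     :", classify(mul3, STUCK_AT_FAULTS))
    print("clear_lsb:", classify(clear_lsb, STUCK_AT_FAULTS))
```

The practical lesson for a chain built from such components is that fault-secureness alone is not enough: an undetectable latent fault (the clear_lsb case) sits silently until a second fault defeats the checker, which is why the slides pair self-checking with self-tests and explicit detection procedures.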
  23. Dependable space system
      - Architecture
        - Collection of chains with self-tests
        - When needed or possible, some variations
      - Procedures
        - Explicit detection and reconfiguration
        - When needed or possible, some variations
  24. Launcher (Ariane 5) (image slide)
  25. Launchers: other solutions
      - Simplex architecture: Zenit, Proton
      - N-modular redundancy: Delta 4 (RIFCA)
  26. Manned launchers
      - Hermes: quadruplex architecture substituted for the launcher's one
      - CTV: adapted launcher architecture with improved computer failure detection coverage
      (Diagram: quadruplex GNC architecture with GNC1 to GNC4 buses, OBC 1 and OBC 2, BC and RT nodes on 1553 buses, MIOP, SIORP, TM1/TM2 interfaces, power supply and reset lines, and a context/recovery link between the OBCs.)
  27. Typical satellite architecture (functional)
      (Diagram, labels translated from French: Power; Telecommands; Sensors; Actuators; AOCS bus; Central computer; Thermal; Pyro; Platform bus; TM/TC; Telemetry; Storage; Payloads.)
  28. Classical satellite architecture
      (Diagram: nominal OBC N and cold redundant OBC R under an MRE; four nominal equipments Eqt N and four redundant equipments Eqt R.)
      - Reminder: Launcher
  29. Safety concerns (ATV): Nominal + Safety chains
      (Diagram: Avionics System Buses A, B, C and D; ALB; FML; DPU1 to DPU4; AVI; MSU.)
  30. Fifty years in a spacecraft
      (Chart: launch success rate per year from 1955 to 2005, with the 10-year mean; overall mean 90.7%.)
      (Pie charts: launcher failure causes by category: propulsion, command, structure, power, separation, explosion; satellite failure causes by category: command, mechanical, power, deployment, propulsion, environment.)
      - Launch: 6-7%
      - In-orbit installation: 4-5%
      - Early phase: 1.5 10^-6/h
      - Life: 0.5 10^-6/h
      - Satellites: "~10^-6/h", 2x lifetime, 90%>
      - However: ...
  31. Oupsss...
      - Factory, Road... It is a long way to space!
      - No source of failure should be overlooked