Despite the large variety of space systems, from micro or nano satellites to large orbital infrastructures, from launchers to deep space probes, from scientific to telecommunication satellites, the presentation will attempt to propose a synthesis of the safety and dependability needs, constraints and solutions. The focus will especially be put on the architecture of the satellites, redundancy schemes and fault tolerance mechanisms, so as to achieve the required dependability for missions of up to some 15 or 20 years in an aggressive environment with very limited repair capability after launch. These solutions will be illustrated through typical examples representative of the major combinations of needs and constraints, including launchers (Ariane V), typical "service" satellites (telecommunication) and particular cases such as man-related critical space systems (ATV, Columbus).
1. CISEC
Introduction to critical embedded systems engineering
ISAE, Toulouse, November 25th, 2013
An overview of needs, constraints and solutions
for safe and dependable space systems
Jean-Paul Blanquart
Astrium Satellites, Toulouse
jean-paul.blanquart@astrium.eads.net
2. Lecture overview
Space systems, a quick overview
This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.
Definition
Various missions, spacecraft, …
Regulation and standards
Dependable architecture solutions for space systems.
Needs and constraints
Redundancy, basic schemes
Illustrations
CISEC - SEC Conferences Series - Space systems - JP. Blanquart - Astrium Satellites
Page 3
3. Space Systems: Definition (tentative)
Space system
A “system” with at least one component in “space”
System:
Not too simple
Artificial (at least partly): made, or adapted, to serve some explicitly stated purpose
Space:
At least 100 km above the surface of the Earth
During some significant time (“Several orbits”)
4. Various “segments”
Interacting systems
Space and ground segments
Launch segment
Ground + launcher
In-orbit servicing
Constellations of satellites
5. Various missions
Telecommunications
Earth observation
Meteorology
Navigation and positioning
Science
Astronomy
Earth observation
Deep space and planetary exploration
Technology
In-orbit servicing
6. Various “locations”
Earth orbit
Low Earth Orbit (LEO)
Medium Earth Orbit (MEO)
Geostationary Orbit (GEO)
Highly Elliptical Orbit (HEO)
GEO Transfer Orbit (GTO)
Other
Lagrange points
Trajectories in space
Planetary rover
7. Various spacecraft
8. This is a spacecraft too
9. And what about this one?
10. And this one?
The Westford project (1961-1963)
11. Space standards and regulations
1958: COPUOS, United Nations Committee on Peaceful Uses of Outer Space. 5 treaties, 5 principles. Founding text: 1967
Treaty on principles governing the activities of States in the exploration of outer space, including the Moon and other celestial bodies
Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched into Outer Space
Convention on International Liability for Damage Caused by Space Objects
Convention on Registration of Objects Launched into Outer Space
Agreement Governing the Activities of States on the Moon and Other Celestial Bodies
Declaration of Legal Principles Governing the Activities of States in the Exploration and Use of Outer Space
Principles Governing the Use by States of Artificial Earth Satellites for International Direct Television Broadcasting
Principles Relating to Remote Sensing of the Earth from Outer Space
Principles Relevant to the Use of Nuclear Power Sources in Outer Space
Declaration on International Cooperation in the Exploration and Use of Outer Space for the Benefit and in the Interest of All States, Taking into Particular Account the Needs of Developing Countries
Launch regulations
Space Operations Laws
12. Space standards
ECSS, European Cooperation for Space Standardisation
13. Constraints
Mass, size, power consumption
Environment (radiations, temperature, …)
Knowledge and mastery of the environment
Maintenance
Ground-space communication limitations
Phased missions, critical parts
Cost
14. Reminder
Dependability (IFIP, WG 10.4)
Dependability: trustworthiness of a (computer) system such that reliance can justifiably be placed on the service it delivers.
"ability to avoid service failures that are frequent and more severe than acceptable"
Characterised by:
Attributes (attributs)
Threats (entraves)
Means (moyens)
15. The dependability tree
Dependability (sûreté de fonctionnement)
Attributes (attributs): Availability (disponibilité), Reliability (fiabilité), Safety (sécurité-innocuité), Security (sécurité-confidentialité), ...
Threats (entraves): Faults (fautes), Errors (erreurs), Failures (défaillances)
Means (moyens): Fault prevention (prévention des fautes), Fault tolerance (tolérance aux fautes), Fault removal (élimination des fautes), Fault forecasting (prévision des fautes)
16. Needs (dependability)
Reliability
Availability
Maintainability
Safety
Security
17. Means (dependability)
Prevention
Processes
Procurement, component selection, screening, “derating”
Validation
Tolerance
Redundant resources on-board
Dependable architecture
Fault tolerance: on-board automatic mechanism in charge of “Fault Detection, Isolation and Recovery” (FDIR)
18. Cold standby redundancy architecture
Diagram: Monitoring and Reconfiguration Unit with a Context Memory, controlling Element A (ON) and Element B (OFF)
Most often used for space systems
Most reliable, as the failure rate of an unpowered element is generally significantly lower than that of a powered one (about one tenth)
19. Hot standby redundancy
Diagram: Monitoring and Reconfiguration Unit with a Context Memory, controlling Element A (ON) and Element B (ON), with only one set of outputs switched on
(A way to select the active outputs may be necessary)
Lower long-term reliability
May be used if the backup cannot be activated in case of failure
E.g., TC receivers, TC decoders
Or for equipment for which no interruption of service is tolerated (e.g., the flight control OBC of the Ariane V launcher)
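The reliability argument of the cold and hot standby slides above, worked through as an added example that is not part of the lecture: closed-form mission reliability of a simplex element, a hot standby pair, a cold standby pair and the triplex voting scheme introduced later, assuming a constant failure rate of 10^-6/h, a 15-year mission, perfect detection and switching, and (as stated above) an unpowered element failing at one tenth of the powered rate.

```python
import math

HOURS_PER_YEAR = 8766  # assumption: 365.25-day year


def r_simplex(lam, t):
    """One element, constant failure rate lam (per hour), mission length t (hours)."""
    return math.exp(-lam * t)


def r_hot_standby(lam, t):
    """Two powered elements with a perfect output selection: the function
    is lost only when both have failed."""
    r = r_simplex(lam, t)
    return 1.0 - (1.0 - r) ** 2


def r_cold_standby(lam, t, dormant_ratio=0.1):
    """Element A powered, element B off and failing at lam * dormant_ratio
    while unpowered, then at lam once switched on (perfect detection and
    switching assumed). Integrating over the failure time of A gives
    R(t) = e^(-lam t) * (1 + lam * (1 - e^(-lam_d t)) / lam_d)."""
    lam_d = lam * dormant_ratio
    if lam_d == 0.0:  # ideal cold spare that cannot fail while off
        return math.exp(-lam * t) * (1.0 + lam * t)
    return math.exp(-lam * t) * (1.0 + lam * (1.0 - math.exp(-lam_d * t)) / lam_d)


def r_tmr(lam, t):
    """Triplex with a perfect majority voter: at least 2 of 3 must survive."""
    r = r_simplex(lam, t)
    return 3 * r ** 2 - 2 * r ** 3


def compare(lam=1e-6, years=15):
    """Mission reliability of each scheme for a mission of `years` years."""
    t = years * HOURS_PER_YEAR
    return {
        "simplex": r_simplex(lam, t),
        "hot_standby": r_hot_standby(lam, t),
        "cold_standby": r_cold_standby(lam, t),
        "tmr": r_tmr(lam, t),
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:13s} R(15 years) = {r:.4f}")
```

Over 15 years the cold pair comes out above the hot pair, and the triplex, which masks a first fault but needs two of three units alive, drops below a single element once lam * t exceeds ln 2, which is the "lower long-term reliability" point made above.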
20. Warm standby redundancy
Diagram: Monitoring and Reconfiguration Unit with a Context Memory, controlling Element A (ON) and Element B (stand by)
For equipment with a long start-up time (e.g., computers)
Ensures very short reconfiguration times
More complex to manage (periodic backup and upload of context, alarm watchdog and reconfiguration)
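The warm standby management just described (periodic context backup, alarm watchdog, reconfiguration), which is also the FDIR mechanism named on the means slide, as an added example that is not the lecture's own code: a discrete-time model in which element A checkpoints to the context memory every 3 cycles, the MRU reconfigures after 2 cycles without the watchdog being served, and B resumes from the saved context. The element names, the periods and the running-sum application are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Element:
    name: str
    step: int = 0          # cycles processed
    accum: int = 0         # application state (constructed: a running sum)
    alive: bool = True     # constructed fault-injection flag

    def run_cycle(self, sample):
        """Process one input sample; a failed element produces nothing."""
        if not self.alive:
            return None
        self.step, self.accum = self.step + 1, self.accum + sample
        return self.accum

class MRU:
    """Monitoring and Reconfiguration Unit: context memory + alarm watchdog.
    The spare is powered but idle (warm standby) until it is switched in."""
    def __init__(self, active, spare, checkpoint_period=3, watchdog_limit=2):
        self.active, self.spare = active, spare
        self.context = {"step": 0, "accum": 0}       # context memory
        self.period, self.limit, self.missed, self.log = checkpoint_period, watchdog_limit, 0, []

    def cycle(self, sample):
        out = self.active.run_cycle(sample)
        if out is None:                      # watchdog not served this cycle
            self.missed += 1
            if self.missed >= self.limit:    # detection -> isolation -> recovery
                self.reconfigure()
            return None
        self.missed = 0
        if self.active.step % self.period == 0:  # periodic context backup
            self.context = {"step": self.active.step, "accum": self.active.accum}
        return out

    def reconfigure(self):
        """Isolate the failed unit and upload the saved context to the spare."""
        self.active, self.spare = self.spare, self.active
        self.active.step, self.active.accum = self.context["step"], self.context["accum"]
        self.missed = 0
        self.log.append(f"{self.active.name} resumed from checkpoint step {self.context['step']}")

def scenario():
    """Constructed run: A fails after 7 cycles, B resumes from the last checkpoint."""
    a, b = Element("A"), Element("B")
    mru, outputs = MRU(a, b), []
    for sample in range(1, 11):
        if sample == 8:
            a.alive = False
        outputs.append(mru.cycle(sample))
    return mru, outputs
```

The trace also shows the price of the scheme: the cycles processed between the last checkpoint and the switch-over are lost, so the checkpoint period trades bus and memory load against lost work at reconfiguration.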
21. Fault-masking using majority voting
Basic approaches (triplex architecture)
Diagram: three parallel Computation blocks feeding a single Vote block; variant with a Vote block at the output of each Computation block
22. Assembly of self-checking components
Diagram: self-checking component: Inputs feed a Function block producing Outputs, with a Check block raising an Error signal
Fault-secure component (for a given set of faults): for each considered fault, all input configurations lead to either a correct output or a detected error
Self-testing component (for a given set of faults): for each considered fault, at least one configuration of inputs leads to a detected error
Both: totally self-checking component
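The two properties above, checked exhaustively on a constructed component as an added example that is not from the lecture: a 4-bit incrementer whose output is protected by an even parity bit, with a parity checker as the Check block. The fault model is stuck-at faults on the output lines; the checker itself is assumed fault-free.

```python
WIDTH = 4                      # data lines 0..3; line 4 carries the parity bit

def parity(word):
    return bin(word).count("1") & 1

def function(x):
    """Correct 4-bit incrementer; output encoded as (data, even parity bit)."""
    data = (x + 1) % (1 << WIDTH)
    return data, parity(data)

def apply_fault(data, par, fault):
    """Inject a fault: a set of (line, stuck_value) pairs on the output lines."""
    word = data | (par << WIDTH)
    for line, value in fault:
        word = word | (1 << line) if value else word & ~(1 << line)
    return word & ((1 << WIDTH) - 1), word >> WIDTH

def check(data, par):
    """Checker block (assumed fault-free): error iff the word has odd parity."""
    return parity(data) != par

def classify(fault_set):
    """Test fault-secure and self-testing over all inputs, for every fault in fault_set."""
    fault_secure = self_testing = True
    for fault in fault_set:
        detected_once = False
        for x in range(1 << WIDTH):
            good, _ = function(x)
            data, par = apply_fault(*function(x), fault)
            if check(data, par):
                detected_once = True          # detected error
            elif data != good:
                fault_secure = False          # wrong output passed as correct
        self_testing = self_testing and detected_once
    return {"fault_secure": fault_secure, "self_testing": self_testing,
            "totally_self_checking": fault_secure and self_testing}

# Constructed fault sets: every single stuck-at on one output line, and one
# double fault where two data lines are stuck at 0 together.
SINGLE_STUCK_AT = [{(line, v)} for line in range(WIDTH + 1) for v in (0, 1)]
DOUBLE_STUCK_AT = [{(0, 0), (1, 0)}]

if __name__ == "__main__":
    print("single stuck-at:", classify(SINGLE_STUCK_AT))
    print("double stuck-at:", classify(DOUBLE_STUCK_AT))
```

For single stuck-at faults the parity-coded incrementer is totally self-checking, while for the double fault it stays self-testing but is no longer fault-secure: two flipped bits preserve parity, so the properties only hold "for a given set of faults", as the slide says.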
23. Dependable space system
Architecture
Collection of chains with self-tests
When needed or possible, some variations
Procedures
Explicit detection and reconfiguration
When needed or possible, some variations
24. Launcher (Ariane 5)
25. Launchers: other solutions
Simplex architecture
N-modular redundancy
Zenit, Proton
Delta 4: RIFCA
26. Manned launchers
Hermes: quadruplex architecture substituted for the launcher's one
CTV: adapted launcher architecture with improved computer failure detection coverage
Diagram (CTV avionics): four GNC computers (GNC1 to GNC4), each as bus controller (BC) with inter-processor communication (IPC) on its own 1553 bus (GNC1 Bus to GNC4 Bus) serving remote terminals (RT); OBC 1 and OBC 2 with context/recovery (Contexte / Reprise); reset and power supply (Alimentation) lines; other units shown: MIOP, USR, NAP, SIORP, BAP, BFin, BFout1, BFout2, TM1, TM2, IPN
27. Typical satellite architecture (functional)
Diagram (functional): central computer (Calculateur central); AOCS bus (Bus SCAO) with sensors (Senseurs) and actuators (Actionneurs); platform bus (Bus P/F) with power (Puissance), thermal (Thermique) and pyro units; TM/TC (telecommands, telemetry); storage (Stockage); payloads (Charges utiles)
28. Classical satellite architecture
Diagram: nominal on-board computer (OBC N) with its nominal equipment (Eqt N), redundant on-board computer (OBC R, kept COLD) with its redundant equipment (Eqt R), and an MRE between the two computers
Reminder:
Launcher
29. Safety concerns (ATV): Nominal + Safety chains
Diagram (ATV avionics): Avionics System Buses A, B, C and D connecting DPU1 to DPU4 and the ALB, FML, AVI and MSU units
30. Fifty years in a spacecraft
Chart: launcher success rate 1955-2005 (launches per year, 10 year mean, overall mean 90.7%)
Pie chart of launcher failure causes: propulsion, command, structure, power, separation, explosion
Satellites: losses at launch 6-7%, during in-orbit installation 4-5%; failure rate 1.5 × 10^-6/h in the early phase, 0.5 × 10^-6/h in life (“~10^-6/h”, 2 x lifetime, 90%)
Pie chart of satellite failure causes: command, mechanical, power, deployment, propulsion, environment
31. Oupsss…
Factory, Road…
It is a long way to space!
No source of failure should be overlooked