SlideShare a Scribd company logo

Mitchell.davis

N
NASAPMC
TechnologyBusiness
1 of 17
Download to read offline
Mitigating the June 2007 International Space Station (ISS) Russian Segment Computer Anomaly in your Design Project Management Challenge 2008 Daytona Beach, Florida February 26 - 27, 2008 Mitchell Davis NASA Technical Fellow for Avionics NASA Engineering & Safety Center
Summary Purpose: This presentation considers the resulting design features on the ISS computers and redundancy implementation in relationship to the June 2007 ISS computer shutdown anomaly. • The resulting design features dictate how each subsystem responds to particular fault, which in turn dictates the entire system response. • The first section covers the anomaly and recovery • The second sections covers the lower level implementation details in connection to the threat • This paper in intended to provide an example of the design decisions covered in earlier NESC “risk-based design” presentations. 2
Anomaly Timeline • In June 2007, during ISS Assembly Mission 13A (STS-117) on day 3 of a 11 day mission at 20:41:44 of GMT day 162, the first Russian Segment (RS) Service Module (SM) Central Computer-2 went off-line. – Central Computer-3 had not been part of the active set since 2005 • An RS Terminal computer went off line minutes later and within 24 hours all 6 RS control computers were non-functional. • Repeated attempts to bring the computers back to an operational state over the next three days produced only temporary and erratic results. 3
ISS/Shuttle Impact • The loss of the RS computers resulted in ISS in June 2007 the inability to remotely control some Russian systems and for the ISS to resume attitude control of the mated vehicle configuration. • Orbiter provided critical independent attitude control of the combined ISS/shuttle allowing opportunity and time to restore ISS system. • The ISS attitude control and redundancy strategy relies on both the US and Russian Segment attitude control systems. – The normal method of ISS attitude control is non-propulsive via the four US Control Moment Gyroscopes (CMGs). – The CMGs have limited torque output, therefore Russian propulsive control (requiring RS computers) is used to maneuver the ISS or if the CMGs were to saturate due to some significant attitude disturbance. 4
Temporary Mitigation • The are multiple RS computers for redundancy and they could be configured by ON/OFF command signals on an “as needed” but intended infrequent basis. • The ON/OFF commands can come from either the crew or ground control and are routed to the computers by the BOK3. • After three days of erratic computer operation, the harnesses between the BOK3 command unit and the computers were disconnected – Thus removing any shorting connection on the BOK3 side of the interface harness. – Shorting jumpers provided a continuous ON command into the computers’ pulse command input. 5
BOK3 & Harness Photographs Connector on BOK3 Corrosion/contamination found on BOK3 command box and associated harness BOK3 Discoloration Mating Harness Box Connector X16 6
Moisture & Condensation • The ISS has a requirement for no condensation in the pressurized environment and historically, the ISS vehicle has been very dry with no reports of condensation by the crew. • Both the US and Russian segments have condensing heat exchangers as part of their air conditioning systems. The condensed water is recycled only by the Russian environmental control system because the US water recycling БOK3 – Panel 407 system is not yet operational. Panels 404-405 • The air conditioner and the BOK3 are adjacent to each other. • Factors that influence the amount of condensation include: – There have been momentary periods where debris blocking the outlet line and membrane water separator resulted in a raised dew point. – During Space Shuttle docking, the ISS crew size increase to a maximum of 10 people can significantly increases the atmospheric moisture. • In spite of requirements, constraints and operational considerations, influences outside beyond control can lead to momentarily undesirable environments. 7
Cause and Correction • Temporary circuit jumpers remained in place until ISS mission 13A.1 (STS-118) • Mission 13A.1 included a new BOK3, connectors and harness • Operational changes were put in place to be better prepared for a similar event – Method was developed to allow attitude control handovers from Shuttle directly to CMG control (without the need for Russian Thrusters) This was demonstrated during a subsequent assembly flight. – Periodic inspections of RS interior compartments were instituted to look for moisture Service Module Panel 407- BOK3 8
BOK3 to Computer ON/OFF Commands • The BOK3 receives three command inputs (Regul, Crew Control Panel & the matching unit) and outputs the appropriate ON & OFF commands to the six individual computers. • Commanding implementation in the BOK3 is by providing a low impedance path between the two computer provide connections, (common called “Low Side” switching. ) • The three connectors (X-14, X-15, & X-16) contain 24 wires in which half are common returns available to complete the circuit. • Spice circuit modeling indicated that a kilo-ohm range resistive path between the command and any return was sufficient current to active the opto-coupler. • The Russian system is unique in that the primary power is isolated from chassis by several 100kohm therefore conductive paths to chassis would not activate the command. 9
“Low-side” Switching & Threats Typical Grounding Configuration • Key factors that determine the degree of threat include the interaction of circuit design, system ground configuration and credible faults. • The two configurations have different probability of occurrences to inadvertent commanding faults and roughly equal no-command faults • The inadvertent command threats to the “high-side” switch configuration include energy sources with sufficient voltage, current and time duration as well as a conductive path to the command circuit. • The inadvertent command threats to the “Low-side” switch configuration include conductive paths between the command circuit and signal return or chassis. • The same approach applies to addressing failure modes of the lower level command circuit as well as higher levels within the architecture. 10
Computer Block Diagram Computer Power Command Notional Block Diagram • Power to the computer circuitry is controlled by a series of stages and the Power Switch closes when both switch-1 and switch-2 are open. • With both ON and OFF commands present, the OFF overrides the ON and the system will “Fail Silent”. • Similarly, the “Over Current Sense” circuit designed to “fail Silent” by removing power to the circuitry and thus minimize the risk/threat of additional damage in the event of a continuously powered short circuit – Note that the “low side” current sensing would not detect shorts to chassis in a typical power reference to chassis configuration. 11
Fail Silent System Architecture • A Fail Silent subsystem is a valid approach and has several advantages: – Decreases the threat of a Byzantine fault (the computer unknowingly providing an incorrect answer) – Mitigates the separate risk/treat of collateral damage to the power system from continuous short – Provides a predictable system response with multiple redundant systems • A Fail Silent system architecture requires a multi-tiered configuration where the “last line of defense” is a “never give up” or “Safe-hold” system to take over when all computers go silent. • A typical NASA robotic satellite utilizes a “Safe-hold” mode where a dissimilar, simple attitude control system is used to keep the spacecraft attitude stable and power positive in the event of an emergency. • The presents of the Orbiter docked to ISS at this critical time and provided the dissimilar attitude control. 12
“Risk Based” Approach • The NESC’s Design Development Test and Evaluation (DDT&E) Considerations for Safe and Reliable Human Rated Spacecraft Systems (Volume-II) focuses on creating a system that mitigates specific threats or risks to a given implementation [Predictability: subsystem’s fault 1 response consistent with system Eliminate the architecture] threat/risk from the design 2 Reduce the Likelihood by [Reduce the threat/risk to decoupling system 3 Mitigate the interactions equal probability/impact of consequences by other system threats/risks] adding diverse redundancy [Diverse redundant systems not simultaneously susceptible to threat/risk] 13
“Redundancy” Vulnerability Common • The 12 computer commands (6-ON & 6- Area OFF) are common inside the BOK3, the three identical BOK3 connectors (X-14, X-15 & X-16 ) and associated harness. • This common area creates a single point failure vulnerability where one single threat/risk can disrupt all six computers simultaneously • A Failure Modes and Effects and Criticality Circuit Analysis (FMECA) is designed to capture these types of system’s single point failure vulnerabilities. • The focus of a FMECA is to minimize the impact on the system of a single failure by physically separating redundant systems beyond the sphere of influence of that single failure. 14
Redundant Systems’ Degree of Separation • The required degree of separation is a function -2 the “sphere of influence” of a probable threat/risk in physical relationship to the system implementation. Threat-1 • In this example, redundancy is effective in mitigating Threat-2 (e.g., Part failure) but not effective at mitigating Threat-1 (e.g., condensation) • There is no single design answer, rather a reliable and safe system is created by a process that mitigates probable threats by considering the sphere of influence of that threat relative to physical relationship to the system implementation. • If the threat/risk sphere of influence impacts more than one system the threat classification changes to “common cause”. 15
Conclusion • Regardless of requirements, constraints and operational considerations momentary undesirable environments or interactions will occur eventually. • How each and every individual subsystem responds to probable threats must be aligned in a system architecture to achieve a predictable and robust system. • A reliable and safe system is created by a process that mitigates probable threats by considering the sphere of influence of each threat relative to the specific design implementation. • A “common cause” threat/risk can be any threat/risk that impacts more than one system in a given implementation. • For redundancy system architectures, the threat/risk mitigation effectiveness is a function of physical separation and/or dissimilar design implementation. – A dissimilar design has the advantage of reduced functionally to focus on safely and reliability. [less functions = less complexity = more predictability] • Fail Silent system architecture requires a multi-tiered configuration where the “last line of defense” is a “never give up” or “Safe-hold” system to provide critical functions when all computers go silent. 16
Events of Interest Limited Increased AC Airflow around Load by increase BOK3 crew Close Are there more? Unfinished US Side has water proximity of AC to BOK3 Discussion… Reclaiming on RS Blockage Identical of AC filter systems BOK3 Exposed No diversity to water Command Multiple common Contamination/ Low Side Zones of all Corrosion creates Switching commands Conductive paths Computer command Circuit designed to Fail Silent Shut down of all computers systems 17

Recommended

Seas sr study
Seas sr studySeas sr study
Seas sr studyJeffrey Strickland, Ph.D., CMSP
 
Umts signaling
Umts signalingUmts signaling
Umts signalingDragos Biciu
 
Avionics class
Avionics classAvionics class
Avionics classAustinHanika
 
Hostile Takeover Of Satellites
Hostile Takeover Of SatellitesHostile Takeover Of Satellites
Hostile Takeover Of SatellitesMeidad Pariente
 
Smart grid 4 novembre
Smart grid 4 novembreSmart grid 4 novembre
Smart grid 4 novembrecanaleenergia
 
SSR Damping Controller Design and Optimal Placement in Rotor-Side and Grid-Si...
SSR Damping Controller Design and Optimal Placement in Rotor-Side and Grid-Si...SSR Damping Controller Design and Optimal Placement in Rotor-Side and Grid-Si...
SSR Damping Controller Design and Optimal Placement in Rotor-Side and Grid-Si...University of South Carolina
 
Lisa.ditullio
Lisa.ditullioLisa.ditullio
Lisa.ditullioNASAPMC
 
Bitten
BittenBitten
BittenNASAPMC
 

Recommended

Seas sr study
Seas sr studySeas sr study
Seas sr studyJeffrey Strickland, Ph.D., CMSP
 
Umts signaling
Umts signalingUmts signaling
Umts signalingDragos Biciu
 
Avionics class
Avionics classAvionics class
Avionics classAustinHanika
 
Hostile Takeover Of Satellites
Hostile Takeover Of SatellitesHostile Takeover Of Satellites
Hostile Takeover Of SatellitesMeidad Pariente
 
Smart grid 4 novembre
Smart grid 4 novembreSmart grid 4 novembre
Smart grid 4 novembrecanaleenergia
 
SSR Damping Controller Design and Optimal Placement in Rotor-Side and Grid-Si...
SSR Damping Controller Design and Optimal Placement in Rotor-Side and Grid-Si...SSR Damping Controller Design and Optimal Placement in Rotor-Side and Grid-Si...
SSR Damping Controller Design and Optimal Placement in Rotor-Side and Grid-Si...University of South Carolina
 
Lisa.ditullio
Lisa.ditullioLisa.ditullio
Lisa.ditullioNASAPMC
 
Bitten
BittenBitten
BittenNASAPMC
 
CDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxCDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxssuser035685
 
I-3.pdf
I-3.pdfI-3.pdf
I-3.pdfDheerajAdlakha1
 
T1-4_Maslennikov_et_al.pdf
T1-4_Maslennikov_et_al.pdfT1-4_Maslennikov_et_al.pdf
T1-4_Maslennikov_et_al.pdfMareLunare
 
Power Gating
Power GatingPower Gating
Power GatingMahesh Dananjaya
 
ppt nrel.pptx
ppt nrel.pptxppt nrel.pptx
ppt nrel.pptxgulie
 
ORBCOMM Satellite System
ORBCOMM Satellite SystemORBCOMM Satellite System
ORBCOMM Satellite SystemAkram Ahmed
 
Diesel Locomotive Works (DLW)
Diesel Locomotive Works (DLW) Diesel Locomotive Works (DLW)
Diesel Locomotive Works (DLW)Neha Gethe
 
Van jaconson netchannels
Van jaconson netchannelsVan jaconson netchannels
Van jaconson netchannelsSusant Sahani
 
Power System Stability Issues
Power System Stability IssuesPower System Stability Issues
Power System Stability IssuesChandan Kumar
 
Selective Coordination "The Rest of the Story"
Selective Coordination "The Rest of the Story"Selective Coordination "The Rest of the Story"
Selective Coordination "The Rest of the Story"michaeljmack
 
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkAPNIC
 
Psoc
PsocPsoc
Psocmkumargzb123
 
VNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkVNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkAPNIC
 
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink DownloadAPNIC
 
RDR 9_29_16 FINAL
RDR 9_29_16 FINALRDR 9_29_16 FINAL
RDR 9_29_16 FINALJanelle Williams
 
Random access scan
Random access scan Random access scan
Random access scan Harish Peta
 
Neutral grounding resistor
Neutral grounding resistorNeutral grounding resistor
Neutral grounding resistorNithin Kumar K S
 
Anne McNelis: Intelligent Power Controller Development for Human Deep Space ...
Anne McNelis: Intelligent Power Controller Development for Human Deep Space ... Anne McNelis: Intelligent Power Controller Development for Human Deep Space ...
Anne McNelis: Intelligent Power Controller Development for Human Deep Space ...EnergyTech2015
 
Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks Paolo Giaccone
 
Conexiones cross bonding
Conexiones cross bondingConexiones cross bonding
Conexiones cross bondingDoy clases en la UNEFA y IUPSM
 
Bejmuk bo
Bejmuk boBejmuk bo
Bejmuk boNASAPMC
 
Baniszewski john
Baniszewski johnBaniszewski john
Baniszewski johnNASAPMC
 

More Related Content

Similar to Mitchell.davis

CDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxCDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxssuser035685
 
T1-4_Maslennikov_et_al.pdf
T1-4_Maslennikov_et_al.pdfT1-4_Maslennikov_et_al.pdf
T1-4_Maslennikov_et_al.pdfMareLunare
 
ppt nrel.pptx
ppt nrel.pptxppt nrel.pptx
ppt nrel.pptxgulie
 
ORBCOMM Satellite System
ORBCOMM Satellite SystemORBCOMM Satellite System
ORBCOMM Satellite SystemAkram Ahmed
 
Diesel Locomotive Works (DLW)
Diesel Locomotive Works (DLW) Diesel Locomotive Works (DLW)
Diesel Locomotive Works (DLW)Neha Gethe
 
Van jaconson netchannels
Van jaconson netchannelsVan jaconson netchannels
Van jaconson netchannelsSusant Sahani
 
Power System Stability Issues
Power System Stability IssuesPower System Stability Issues
Power System Stability IssuesChandan Kumar
 
Selective Coordination "The Rest of the Story"
Selective Coordination "The Rest of the Story"Selective Coordination "The Rest of the Story"
Selective Coordination "The Rest of the Story"michaeljmack
 
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkAPNIC
 
VNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkVNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkAPNIC
 
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink DownloadAPNIC
 
Random access scan
Random access scan Random access scan
Random access scan Harish Peta
 
Neutral grounding resistor
Neutral grounding resistorNeutral grounding resistor
Neutral grounding resistorNithin Kumar K S
 
Anne McNelis: Intelligent Power Controller Development for Human Deep Space ...
Anne McNelis: Intelligent Power Controller Development for Human Deep Space ... Anne McNelis: Intelligent Power Controller Development for Human Deep Space ...
Anne McNelis: Intelligent Power Controller Development for Human Deep Space ...EnergyTech2015
 
Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks Paolo Giaccone
 

Similar to Mitchell.davis (20)

CDH on Board Cubesat.pptx
CDH on Board Cubesat.pptxCDH on Board Cubesat.pptx
CDH on Board Cubesat.pptx
 
I-3.pdf
I-3.pdfI-3.pdf
I-3.pdf
 
T1-4_Maslennikov_et_al.pdf
T1-4_Maslennikov_et_al.pdfT1-4_Maslennikov_et_al.pdf
T1-4_Maslennikov_et_al.pdf
 
Power Gating
Power GatingPower Gating
Power Gating
 
ppt nrel.pptx
ppt nrel.pptxppt nrel.pptx
ppt nrel.pptx
 
ORBCOMM Satellite System
ORBCOMM Satellite SystemORBCOMM Satellite System
ORBCOMM Satellite System
 
Diesel Locomotive Works (DLW)
Diesel Locomotive Works (DLW) Diesel Locomotive Works (DLW)
Diesel Locomotive Works (DLW)
 
Van jaconson netchannels
Van jaconson netchannelsVan jaconson netchannels
Van jaconson netchannels
 
Power System Stability Issues
Power System Stability IssuesPower System Stability Issues
Power System Stability Issues
 
Selective Coordination "The Rest of the Story"
Selective Coordination "The Rest of the Story"Selective Coordination "The Rest of the Story"
Selective Coordination "The Rest of the Story"
 
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and StarlinkRIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
RIPE 87: On Low Earth Orbit Satellites (LEOs) and Starlink
 
Psoc
PsocPsoc
Psoc
 
VNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and StarlinkVNNIC Internet Day 2023: On LEOs and Starlink
VNNIC Internet Day 2023: On LEOs and Starlink
 
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
40th TWNIC OPM: On LEOs (Low Earth Orbits) and Starlink Download
 
RDR 9_29_16 FINAL
RDR 9_29_16 FINALRDR 9_29_16 FINAL
RDR 9_29_16 FINAL
 
Random access scan
Random access scan Random access scan
Random access scan
 
Neutral grounding resistor
Neutral grounding resistorNeutral grounding resistor
Neutral grounding resistor
 
Anne McNelis: Intelligent Power Controller Development for Human Deep Space ...
Anne McNelis: Intelligent Power Controller Development for Human Deep Space ... Anne McNelis: Intelligent Power Controller Development for Human Deep Space ...
Anne McNelis: Intelligent Power Controller Development for Human Deep Space ...
 
Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks Inter-controller Traffic in ONOS Clusters for SDN Networks
Inter-controller Traffic in ONOS Clusters for SDN Networks
 
Conexiones cross bonding
Conexiones cross bondingConexiones cross bonding
Conexiones cross bonding
 

More from NASAPMC

Bejmuk bo
Bejmuk boBejmuk bo
Bejmuk boNASAPMC
 
Baniszewski john
Baniszewski johnBaniszewski john
Baniszewski johnNASAPMC
 
Yew manson
Yew mansonYew manson
Yew mansonNASAPMC
 
Wood frank
Wood frankWood frank
Wood frankNASAPMC
 
Wood frank
Wood frankWood frank
Wood frankNASAPMC
 
Wessen randi (cd)
Wessen randi (cd)Wessen randi (cd)
Wessen randi (cd)NASAPMC
 
Vellinga joe
Vellinga joeVellinga joe
Vellinga joeNASAPMC
 
Trahan stuart
Trahan stuartTrahan stuart
Trahan stuartNASAPMC
 
Stock gahm
Stock gahmStock gahm
Stock gahmNASAPMC
 
Snow lee
Snow leeSnow lee
Snow leeNASAPMC
 
Smalley sandra
Smalley sandraSmalley sandra
Smalley sandraNASAPMC
 
Seftas krage
Seftas krageSeftas krage
Seftas krageNASAPMC
 
Sampietro marco
Sampietro marcoSampietro marco
Sampietro marcoNASAPMC
 
Rudolphi mike
Rudolphi mikeRudolphi mike
Rudolphi mikeNASAPMC
 
Roberts karlene
Roberts karleneRoberts karlene
Roberts karleneNASAPMC
 
Rackley mike
Rackley mikeRackley mike
Rackley mikeNASAPMC
 
Paradis william
Paradis williamParadis william
Paradis williamNASAPMC
 
Osterkamp jeff
Osterkamp jeffOsterkamp jeff
Osterkamp jeffNASAPMC
 
O'keefe william
O'keefe williamO'keefe william
O'keefe williamNASAPMC
 
Muller ralf
Muller ralfMuller ralf
Muller ralfNASAPMC
 

More from NASAPMC (20)

Bejmuk bo
Bejmuk boBejmuk bo
Bejmuk bo
 
Baniszewski john
Baniszewski johnBaniszewski john
Baniszewski john
 
Yew manson
Yew mansonYew manson
Yew manson
 
Wood frank
Wood frankWood frank
Wood frank
 
Wood frank
Wood frankWood frank
Wood frank
 
Wessen randi (cd)
Wessen randi (cd)Wessen randi (cd)
Wessen randi (cd)
 
Vellinga joe
Vellinga joeVellinga joe
Vellinga joe
 
Trahan stuart
Trahan stuartTrahan stuart
Trahan stuart
 
Stock gahm
Stock gahmStock gahm
Stock gahm
 
Snow lee
Snow leeSnow lee
Snow lee
 
Smalley sandra
Smalley sandraSmalley sandra
Smalley sandra
 
Seftas krage
Seftas krageSeftas krage
Seftas krage
 
Sampietro marco
Sampietro marcoSampietro marco
Sampietro marco
 
Rudolphi mike
Rudolphi mikeRudolphi mike
Rudolphi mike
 
Roberts karlene
Roberts karleneRoberts karlene
Roberts karlene
 
Rackley mike
Rackley mikeRackley mike
Rackley mike
 
Paradis william
Paradis williamParadis william
Paradis william
 
Osterkamp jeff
Osterkamp jeffOsterkamp jeff
Osterkamp jeff
 
O'keefe william
O'keefe williamO'keefe william
O'keefe william
 
Muller ralf
Muller ralfMuller ralf
Muller ralf
 

Recently uploaded

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Mitchell.davis

  • 1. Mitigating the June 2007 International Space Station (ISS) Russian Segment Computer Anomaly in your Design Project Management Challenge 2008 Daytona Beach, Florida February 26 - 27, 2008 Mitchell Davis NASA Technical Fellow for Avionics NASA Engineering & Safety Center
  • 2. Summary Purpose: This presentation considers the resulting design features on the ISS computers and redundancy implementation in relationship to the June 2007 ISS computer shutdown anomaly. • The resulting design features dictate how each subsystem responds to particular fault, which in turn dictates the entire system response. • The first section covers the anomaly and recovery • The second sections covers the lower level implementation details in connection to the threat • This paper in intended to provide an example of the design decisions covered in earlier NESC “risk-based design” presentations. 2
  • 3. Anomaly Timeline • In June 2007, during ISS Assembly Mission 13A (STS-117) on day 3 of a 11 day mission at 20:41:44 of GMT day 162, the first Russian Segment (RS) Service Module (SM) Central Computer-2 went off-line. – Central Computer-3 had not been part of the active set since 2005 • An RS Terminal computer went off line minutes later and within 24 hours all 6 RS control computers were non-functional. • Repeated attempts to bring the computers back to an operational state over the next three days produced only temporary and erratic results. 3
  • 4. ISS/Shuttle Impact • The loss of the RS computers resulted in ISS in June 2007 the inability to remotely control some Russian systems and for the ISS to resume attitude control of the mated vehicle configuration. • Orbiter provided critical independent attitude control of the combined ISS/shuttle allowing opportunity and time to restore ISS system. • The ISS attitude control and redundancy strategy relies on both the US and Russian Segment attitude control systems. – The normal method of ISS attitude control is non-propulsive via the four US Control Moment Gyroscopes (CMGs). – The CMGs have limited torque output, therefore Russian propulsive control (requiring RS computers) is used to maneuver the ISS or if the CMGs were to saturate due to some significant attitude disturbance. 4
  • 5. Temporary Mitigation • The are multiple RS computers for redundancy and they could be configured by ON/OFF command signals on an “as needed” but intended infrequent basis. • The ON/OFF commands can come from either the crew or ground control and are routed to the computers by the BOK3. • After three days of erratic computer operation, the harnesses between the BOK3 command unit and the computers were disconnected – Thus removing any shorting connection on the BOK3 side of the interface harness. – Shorting jumpers provided a continuous ON command into the computers’ pulse command input. 5
  • 6. BOK3 & Harness Photographs Connector on BOK3 Corrosion/contamination found on BOK3 command box and associated harness BOK3 Discoloration Mating Harness Box Connector X16 6
  • 7. Moisture & Condensation • The ISS has a requirement for no condensation in the pressurized environment and historically, the ISS vehicle has been very dry with no reports of condensation by the crew. • Both the US and Russian segments have condensing heat exchangers as part of their air conditioning systems. The condensed water is recycled only by the Russian environmental control system because the US water recycling БOK3 – Panel 407 system is not yet operational. Panels 404-405 • The air conditioner and the BOK3 are adjacent to each other. • Factors that influence the amount of condensation include: – There have been momentary periods where debris blocking the outlet line and membrane water separator resulted in a raised dew point. – During Space Shuttle docking, the ISS crew size increase to a maximum of 10 people can significantly increases the atmospheric moisture. • In spite of requirements, constraints and operational considerations, influences outside beyond control can lead to momentarily undesirable environments. 7
  • 8. Cause and Correction • Temporary circuit jumpers remained in place until ISS mission 13A.1 (STS-118) • Mission 13A.1 included a new BOK3, connectors and harness • Operational changes were put in place to be better prepared for a similar event – Method was developed to allow attitude control handovers from Shuttle directly to CMG control (without the need for Russian Thrusters) This was demonstrated during a subsequent assembly flight. – Periodic inspections of RS interior compartments were instituted to look for moisture Service Module Panel 407- BOK3 8
  • 9. BOK3 to Computer ON/OFF Commands • The BOK3 receives three command inputs (Regul, Crew Control Panel & the matching unit) and outputs the appropriate ON & OFF commands to the six individual computers. • Commanding implementation in the BOK3 is by providing a low impedance path between the two computer provide connections, (common called “Low Side” switching. ) • The three connectors (X-14, X-15, & X-16) contain 24 wires in which half are common returns available to complete the circuit. • Spice circuit modeling indicated that a kilo-ohm range resistive path between the command and any return was sufficient current to active the opto-coupler. • The Russian system is unique in that the primary power is isolated from chassis by several 100kohm therefore conductive paths to chassis would not activate the command. 9
  • 10. “Low-side” Switching & Threats Typical Grounding Configuration • Key factors that determine the degree of threat include the interaction of circuit design, system ground configuration and credible faults. • The two configurations have different probability of occurrences to inadvertent commanding faults and roughly equal no-command faults • The inadvertent command threats to the “high-side” switch configuration include energy sources with sufficient voltage, current and time duration as well as a conductive path to the command circuit. • The inadvertent command threats to the “Low-side” switch configuration include conductive paths between the command circuit and signal return or chassis. • The same approach applies to addressing failure modes of the lower level command circuit as well as higher levels within the architecture. 10
  • 11. Computer Block Diagram Computer Power Command Notional Block Diagram • Power to the computer circuitry is controlled by a series of stages and the Power Switch closes when both switch-1 and switch-2 are open. • With both ON and OFF commands present, the OFF overrides the ON and the system will “Fail Silent”. • Similarly, the “Over Current Sense” circuit designed to “fail Silent” by removing power to the circuitry and thus minimize the risk/threat of additional damage in the event of a continuously powered short circuit – Note that the “low side” current sensing would not detect shorts to chassis in a typical power reference to chassis configuration. 11
  • 12. Fail Silent System Architecture • A Fail Silent subsystem is a valid approach and has several advantages: – Decreases the threat of a Byzantine fault (the computer unknowingly providing an incorrect answer) – Mitigates the separate risk/treat of collateral damage to the power system from continuous short – Provides a predictable system response with multiple redundant systems • A Fail Silent system architecture requires a multi-tiered configuration where the “last line of defense” is a “never give up” or “Safe-hold” system to take over when all computers go silent. • A typical NASA robotic satellite utilizes a “Safe-hold” mode where a dissimilar, simple attitude control system is used to keep the spacecraft attitude stable and power positive in the event of an emergency. • The presents of the Orbiter docked to ISS at this critical time and provided the dissimilar attitude control. 12
  • 13. “Risk Based” Approach • The NESC’s Design Development Test and Evaluation (DDT&E) Considerations for Safe and Reliable Human Rated Spacecraft Systems (Volume-II) focuses on creating a system that mitigates specific threats or risks to a given implementation [Predictability: subsystem’s fault 1 response consistent with system Eliminate the architecture] threat/risk from the design 2 Reduce the Likelihood by [Reduce the threat/risk to decoupling system 3 Mitigate the interactions equal probability/impact of consequences by other system threats/risks] adding diverse redundancy [Diverse redundant systems not simultaneously susceptible to threat/risk] 13
  • 14. “Redundancy” Vulnerability Common • The 12 computer commands (6-ON & 6- Area OFF) are common inside the BOK3, the three identical BOK3 connectors (X-14, X-15 & X-16 ) and associated harness. • This common area creates a single point failure vulnerability where one single threat/risk can disrupt all six computers simultaneously • A Failure Modes and Effects and Criticality Circuit Analysis (FMECA) is designed to capture these types of system’s single point failure vulnerabilities. • The focus of a FMECA is to minimize the impact on the system of a single failure by physically separating redundant systems beyond the sphere of influence of that single failure. 14
  • 15. Redundant Systems’ Degree of Separation • The required degree of separation is a function -2 the “sphere of influence” of a probable threat/risk in physical relationship to the system implementation. Threat-1 • In this example, redundancy is effective in mitigating Threat-2 (e.g., Part failure) but not effective at mitigating Threat-1 (e.g., condensation) • There is no single design answer, rather a reliable and safe system is created by a process that mitigates probable threats by considering the sphere of influence of that threat relative to physical relationship to the system implementation. • If the threat/risk sphere of influence impacts more than one system the threat classification changes to “common cause”. 15
  • 16. Conclusion • Regardless of requirements, constraints and operational considerations momentary undesirable environments or interactions will occur eventually. • How each and every individual subsystem responds to probable threats must be aligned in a system architecture to achieve a predictable and robust system. • A reliable and safe system is created by a process that mitigates probable threats by considering the sphere of influence of each threat relative to the specific design implementation. • A “common cause” threat/risk can be any threat/risk that impacts more than one system in a given implementation. • For redundancy system architectures, the threat/risk mitigation effectiveness is a function of physical separation and/or dissimilar design implementation. – A dissimilar design has the advantage of reduced functionally to focus on safely and reliability. [less functions = less complexity = more predictability] • Fail Silent system architecture requires a multi-tiered configuration where the “last line of defense” is a “never give up” or “Safe-hold” system to provide critical functions when all computers go silent. 16
  • 17. Events of Interest Limited Increased AC Airflow around Load by increase BOK3 crew Close Are there more? Unfinished US Side has water proximity of AC to BOK3 Discussion… Reclaiming on RS Blockage Identical of AC filter systems BOK3 Exposed No diversity to water Command Multiple common Contamination/ Low Side Zones of all Corrosion creates Switching commands Conductive paths Computer command Circuit designed to Fail Silent Shut down of all computers systems 17