Fault Protection Techniques in JPL Spacecraft

Presentation transcript:

Fault Protection Techniques in JPL Spacecraft
Paula S. Morgan, Jet Propulsion Laboratory, California Institute of Technology
Jason Bratcher, EE 585, Monday, December 1, 2008

Introduction
- For a spacecraft to function properly it is desirable to monitor systems and subsystems continuously
  - This is costly and impractical
  - Time constraints due to distance for communication will not allow this
- Instead we use autonomous fault protection so the spacecraft can correct anomalies itself without ground station interaction
Bratcher, Jason. EE 585

Health & Safety Concerns for Deep Space Missions
- Exposure to the sun’s intense heat
  - Optical solar reflectors
  - Mirror tiles
  - Multi-layer insulation thermal blankets
- Internal temperature regulation
  - Circulation of the spacecraft’s gas or liquid (fuel)
    - cools the internal hardware of the spacecraft
    - heats the gas/liquid so it doesn’t freeze
- Human interaction
  - Electro-static discharge
  - Immediate failures vs. latent failures
- Command generated failures
  - Turn off receiver (can’t communicate)
  - Turning on too many components (under-voltage power-outage)
- Increasing lag time between transmission and reception
  - Distance between the Earth and Saturn’s orbit causes approximately one hour transmission time

Fault Protection Implementation Approach
Fault protection is applied by implementing:
- Functional redundancy
- Redundant hardware
- Autonomous fault protection monitors and responses
  - Swap redundant units
  - Maintain spacecraft health
  - Safeguard operation through continuous monitoring of spacecraft systems
  - Anomalous conditions preprogrammed safe code
Autonomous fault protection is implemented on the spacecraft only if:
- Ground response is not feasible or practical
- Fault resolution action is required in a pre-defined period of time

Standard Fault Protection Implementation
Most spacecraft rely on a “general-purpose, safe mode”
- Configure lower power state (turns off nonessential payloads)
- Command a thermally safe attitude
- Provide a safe state for hardware
- Establish an uplink and downlink with a low-gain antenna
- Terminate sequence currently executing on spacecraft
“Command Loss Response” is communication error fault protection that protects against:
- Ground antenna failures
- Environmental interferences
- Spacecraft hardware failures
- Erroneous spacecraft attitude (pointing error)
- Radio frequency interferences
- Error in an uplinked sequence (radio device accidentally turned off)

Standard Fault Protection Implementation Cont.
Under-Voltage Response (system loss of power)
- Oversubscribing available power
- Short in the power system
- Communications bus overload
Under-Voltage fault protection should
- Acknowledge the drop in power
- Shed the non-essential payloads from the communications bus
- Isolate the defective device
- Re-establish essential hardware

Fault Protection in JPL Spacecraft

Fault Protection in JPL Spacecraft
- The Cassini spacecraft requires up to an hour of response time, which is not ideal for fault resolution from a ground station

Fault Protection Application
- Fault protection responsibility is allocated to ground teams and the spacecraft itself based on the severity of the fault
- The autonomous fault protection is divided into two applications
  - Subsystem Internal Fault Protection (SIFP)
  - System Fault Protection (SFP)
- Fault protection is allocated to the SIFP if the subsystem can recover without affecting any other subsystem

Fault Protection Ground Rules and Requirements
In general, fault protection is designed with the following priorities:
- Protect critical spacecraft functionality
- Protect spacecraft performance and consumables
- Minimize disruptions to normal sequence operations
- Simplify ground recovery response, including provisions of downlink telemetry
It is also desirable to ensure:
- The safe state of a spacecraft allows commanding for a pre-defined amount of time after an anomaly
- Error logging is kept periodically and sent back to ground stations

Fault Interaction
- Non-interfering faults
- Interfering faults
- Non-critical sequence
- Critical sequence

Fault Protection Architecture in JPL Spacecraft
- The main computer (CDS: Command and data processing computer) is the host for the spacecraft’s SFP monitors and responses
- Below are the services and architecture for the SFP in the CDS

Fault Protection Architecture in JPL Spacecraft Cont.
- SFP and SIFP are a group of monitors and responses that are initiated and executed by their own “Fault Protection Manager”
- Fault Protection Managers can be disabled during a mission for various reasons
  - The response is only appropriate when the associated device is powered on and operating
  - The response is required only for specific mission events
  - The response is not appropriate for a particular event
  - The response is not compatible with the currently operating sequence

Cassini’s Under-Voltage FP / Safe Mode FP Responses
- Diode isolate RTGs
- Loadshed
- Regain voltage regulation
- Power on required devices
- Set UV flags
- CDS watches flags
- Un-isolate healthy RTGs
- Reset UV flags
- Enter safe mode

Cassini’s Command Loss Fault Response
Command Loss FP hardware for Cassini consists of
- Dual computer CDS units
- Redundant radio frequency devices (RFS)
  - Deep space transponders
  - Traveling wave tube amplifiers
  - Telemetry control units
- Three antennas (high and low gain)
The FP response is to enter an endless loop to attempt to restore uplink by performing hardware swaps and commanding an alternate attitude

Cassini’s Command Loss Fault Response Cont.
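
An added sketch of the command-loss response described on the slides above, not code from the presentation or from JPL: a timer that any valid command resets, and on expiry an endless cycle through redundant uplink configurations and attitudes. All names, the timer values and the transponder and attitude counts are assumptions; only the three antennas come from the slide.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Counts are illustrative: three antennas per the slide, the rest assumed. */
enum { N_XPDR = 2, N_ANT = 3, N_ATT = 2 };

typedef struct { int xpdr, ant, att; } uplink_cfg;  /* selected hardware + attitude */

typedef struct {
    bool       enabled;    /* Fault Protection Manager may disable the monitor */
    uint32_t   limit_s;    /* silence tolerated before the response starts */
    uint32_t   dwell_s;    /* listening time on each configuration (<= limit_s) */
    uint32_t   elapsed_s;  /* time since the last valid command */
    uint32_t   swaps;      /* configurations commanded by the response */
    uplink_cfg cfg;
} cmd_loss_fp;

/* Any valid uplinked command ends the response and restarts the timer. */
void cl_command_received(cmd_loss_fp *fp) { fp->elapsed_s = 0; fp->swaps = 0; }

/* Advance to the next combination; it wraps, so the search never gives up. */
static void next_cfg(uplink_cfg *c) {
    if (++c->xpdr < N_XPDR) return;
    c->xpdr = 0;
    if (++c->ant < N_ANT) return;
    c->ant = 0;
    c->att = (c->att + 1) % N_ATT;
}

/* Advance the timer by dt_s seconds; returns true when a swap was commanded. */
bool cl_tick(cmd_loss_fp *fp, uint32_t dt_s) {
    if (!fp->enabled) return false;             /* disabled: timer held (assumption) */
    fp->elapsed_s += dt_s;
    if (fp->elapsed_s < fp->limit_s) return false;
    next_cfg(&fp->cfg);
    fp->swaps++;
    fp->elapsed_s = fp->limit_s - fp->dwell_s;  /* listen dwell_s before next swap */
    return true;
}

int main(void) {
    cmd_loss_fp fp = { true, 3600, 600, 0, 0, {0, 0, 0} };  /* constructed values */
    for (int i = 0; i < 14; i++)
        if (cl_tick(&fp, 600))
            printf("swap %u: xpdr=%d ant=%d att=%d\n", (unsigned)fp.swaps,
                   fp.cfg.xpdr, fp.cfg.ant, fp.cfg.att);
    return 0;
}
```

The dwell time matters because of the round-trip delay noted earlier in the deck: each configuration has to stay selected long enough for the ground to notice the silence and get a command back to the spacecraft.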

References
[1] P. S. Morgan, “Fault Protection Techniques in JPL Spacecraft,” Ph.D. thesis, Jet Propulsion Laboratory/California Institute of Technology, Pasadena, California.
[2] C. E. Ong, “Fault Protection in a Component-based Spacecraft Architecture,” Massachusetts Institute of Technology. Accessed November, 2008. Available: http://sunnyday.mit.edu/papers/smcit.doc