ACMS FDIR System for the Herschel / Planck satellites
Size: px
Start display at page:

Download "ACMS FDIR System for the Herschel / Planck satellites"

Transcription

1 ACMS FDIR System for the Herschel / Planck satellites J.F.T. Bos (1) D. Zorita (2), A. Bacchetta (3), G. Chlewicki (3), D. Guichon (4), I. Rasmussen (5) (1) Dutch Space B.V, (2) Sener, (3) Alenia Aerospazio, (4) Alcatel, (5) ESA ACMS FDIR for Herschel/Planck, 1

2 Contents Introduction General FDIR approaches Herschel / Planck FDIR design Level 4 Level 3 Levels 0-2 Discussion Conclusion ACMS FDIR for Herschel/Planck, 2

3 Introduction ACMS FDIR for Herschel/Planck, 3

4 -Orbit around second Lagrangian Point in Earth/Moon - Sun System -1.5 million kilometres from Earth. -Transfer trajectories with duration of three months ACMS FDIR for Herschel/Planck, 4

5 STR GYR CRS AAD ACMS discrete I/O ACMS data bus Attitude Control Computer RCS SAS RWA AIR Instruments Payloads CIR/SIR S/C data bus Command& Data Mngt. Unit Instrument PCDU TM/TC units ACMS FDIR for Herschel/Planck, 5

6 General FDIR approaches only vital criteria, like attitude loss, checked by HW independent of HW nominal control loop. Recovery by Ground (SOHO, XMM, Integral) SW checks verifying sensors/actuators health. Recovery autonomously by satellite. No independent hardware (Rosetta, Mars Express) ACMS FDIR for Herschel/Planck, 6

7 General FDIR approaches (2) SOHO (independent HW) 1 fail-safe guaranteed simple straightforward FDIR design relatively small verification effort relatively large effort in Ground procedures execution recovery procedures relatively time-critical ACMS FDIR for Herschel/Planck, 7

8 General FDIR approaches (3) Rosetta (SW only) no extra HW complex FDIR design large verification effort easier for Ground less outage time ACMS FDIR for Herschel/Planck, 8

9 Herschel / Planck FDIR design 2 goals: ensure safety guarantee mission continuation after 1 failure 2 FDIR modes: Autonomous Fail Safe Autonomous Fail Operational ACMS FDIR for Herschel/Planck, 9

10 Hierarchical structure failure severity functions involved in detection (HW/SW) recovery sequence levels 0-4 ACMS FDIR for Herschel/Planck, 10

11 Coarse Rate Sensor Herschel Planck ACMS Level 4 (ARAD) OOL rates thresholding filtered alarm channel A Attitude Anomaly Detector Channel B current current thresholding thresholding OR reconfigure GYR, SAS+Z/A, SAS-Z/A, STR, RWL, RCS/1 Nominal ACC-1 power SAS+Z/B, SAS-Z/B CRS/Red, RCS/2 Survival Mode ACC-2 ACMS FDIR for Herschel/Planck, 11

12 Level 3 ACC-1 / ASW-NOM ACC-2 / ASW-SM WD / computer alarms 2 reset attempts third attempt: reconfigure (Survival Mode) ACC_RM ACMS FDIR for Herschel/Planck, 12

13 Level 3 (2) CDMU System In Reconfiguration Computer In Reconfiguration ACC sun pointing Earth Pointing ACMS FDIR for Herschel/Planck, 13

14 Levels 1-2 override commands FDIR mode command reconfiguration AFO FDIR mode logic unit health determination AFS reconfiguration (power off/on commands) TM reporting report to CDMU override commands data validity checks Data History Recording data replacement strategies Event Buffer storage (SGM) ACMS FDIR for Herschel/Planck, 14

15 Level 0 UNIT equipment-nom detection / reconfiguration report ASW equipment-red ACMS FDIR for Herschel/Planck, 15

16 Discussion 2 goals: ensure safety guarantee mission continuation after 1 failure safety independent HW/SW independent? Similar HW no guard against design errors Similar SW drivers, OS,.., algorithms ACMS FDIR for Herschel/Planck, 16

17 Independent HW easily proven safety: no Monte Carlo needed to prove effect under all dynamical conditions no fault diagnosis needed for safety S/W failures do not need to be analyzed checks no guarantee necessary that all subtle failures are detected small verification effort ACMS FDIR for Herschel/Planck, 17

18 Single failure Survival Mode inadvertently can be avoided by majority voting of 3 sensors Not done justification: spike filtering conservative thresholds AAD simple & highly reliable ACMS FDIR for Herschel/Planck, 18

19 guarantee mission continuation after 1 failure All units subject to health checking Mode : AFS (no reconfiguration allowed) Sun Acq., dv AFO (reconfiguration allowed) science more optimal when only more complex units used in scientific operations subject to health checking ACMS FDIR for Herschel/Planck, 19

20 subject to health checks depend on reliablity SAS simple, highly reliable, flight proven not needed STR complex, sensitive for solar flares needed ACMS FDIR for Herschel/Planck, 20

21 SOHO Rosetta H/P power + mass + extra HW (costs) + design effort + + verification effort + + safety + + availability + + Ground effort + + ACMS FDIR for Herschel/Planck, 21

22 Conclusion Herschel/Planck FDIR design: Combined best aspects of both main FDIR approaches Easily verified safety of the s/c Autonomous mission continuation enhanced More optimal when only more complex units used in scientific operations subject to health checking. ACMS FDIR for Herschel/Planck, 22

Similar documents
2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback