Presentation on theme: "Avionics Processing Evolution – Apollo to Constellation"— Presentation transcript:
1Avionics Processing Evolution – Apollo to Constellation Mike AucoinDivision Leader – Guidance, Navigation and Control Flight SystemsDraper LaboratoryMarch 4, 2008
2Apollo – Design for Minimum Risk Apollo Guidance Computer relied on highly dependable single-string system with extensive ground testing followed by full scale un-crewed and then crewed flight testing.Three un-crewed suborbital tests of the Apollo Command Module (CM) and Service Module (SM) launched on Saturn I-B boosters (flights AS-201, AS-203, and AS-204).Two un-crewed Earth orbital tests of the Apollo CM and SM launched on Saturn 5 boosters and flown to high altitude enabling high energy (lunar-like) entries (Apollo 4 and Apollo 6).An un-crewed Earth orbital test of the Lunar Module (LM) launched on a Saturn I-B (Apollo 5).A piloted CM and SM test in Earth orbit launched on a Saturn I-B (Apollo 7)A piloted CM, SM, and LM test in Earth orbit launched on a Saturn 5 (Apollo 9)A piloted CM, SM, and LM test in lunar orbit launched on a Saturn 5 (Apollo 10)Contingency backup employed, e.g., use of command module flight control system during ascent to earth orbit, use of the lunar module as a life boat (a la Apollo 13).Avionics technology not as vulnerable: core memory/extremely large line widths in memory.No unexplained test failures allowed:At the electronic device level, all devices were tested and if a sample in a run proved defective the entire lot was quarantined. Failed devices went through detailed teardown failure analysis to preclude defect migration problems
3Apollo/Constellation – Same or Different? Development of the AGC pushed/drove the state of the art.When the program started the embedded computer technology did not exist to perform the necessary computation.Development of the AGC helped drive the semiconductor market.The development of the GN&C and AGC proceeded in parallel – up-front requirements were not in place.It took three years for the mission requirements to be solidified.The computer went through three major redesigns, largely driven by technology (e.g., development of integrated circuits) and requirements.Commonality was a major driver.There was a great desire to use the same computer in the Command Module and Lander.There was disagreement as to whether the system should be autonomous or manually operated or remotely controlled.There was a strong emphasis on making sure there were long-term stable suppliers available.The AGC development program looked across a 10-year lifespan.During that ten year period semiconductor and computer system development technology were exploding. This put constant pressure back on the AGC development program to upgrade technology.
4Shuttle – Fail Op, Fail Safe “All subsystems shall be designed to fail-op … and to fail safe … after failure of the two most critical components”Redundancy and built in test -> reliability – no explicit quantitative reliability standard.Less rigorous testing than Apollo – eight piloted subsonic Approach to Landing TestsIntegrated computational requirements, e.g., for GN&CMore densely packed processing – increased vulnerability to radiationTwo fault tolerant power distribution system and inertial measurement systemAscent and entry employed four Primary Flight Control Systems (PFCS) computers and one Backup Flight Control System (BFCS). BFCS addressed common mode failures, had separately developed/verified software.Manual switching from PFCS to BFCSDifferent software load and less redundancy for on-orbit operation
5X-38 – COTS, Dual Fault-tolerant Able to sustain two faults while maintaining operationMaintained processing system reliability while using COTS processor boards that were less reliableEmployed redundant power supplies, cross channel data link, and voting to carry out redundant calculation and protect against Byzantine failuresHad to be active during critical flight phase – reentryDesigned to specific reliability requirement and to be two fault tolerantNetworkElementICPVME BusFCPDigital I/ODecommAnalog OutMPCCVME BusSubsystem Communications/Control BusesPower Control SubsystemFCC 1FCC 4FCC 3FCC 2NEFUPower Supply voterF C C 2F C C 3F C C 4F C C 1FTPPPower Control subsystemGPSData AcquisitionDeorbit ModuleAttitude ControlParafoil and ChuteAerosurfaceCommunication sECLSSExperimentsPower Supply voterPower Supply voterPower Supply voterVME BusX-38 Processing ArchitectureX-38 Fault-tolerant Computer
6ISS – On Orbit Operation Russian Service Module TC computer for GN&C (thruster control) is two-fault tolerant.US Module flight processor that handles attitude control employs failover operation, but not fault toleranceAll processing is on orbit, not involving critical flight phase such as ascent or reentryRussian system experienced a common mode failure on STS-117US MDM (Flight Computer)Russian Service Module TC Computer
7Constellation – Trends Size, Weight, and Power … Size, Weight and Power … Weight, Weight, WeightOne fault tolerance is current design criteriaA variety of flight modes being addressed, e.g., ascent, on-orbit, rendezvous, descentAres is progressing towards some sort of voting systemOrion is relying on a self-checking pair with backup
8Lunar – ImplicationsThere will be continued emphasis on size, weight, and power.One fault tolerance is current design criteria.There are several flight phases requiring varying levels of necessary reliability.There are several systems involved (e.g., Orion, Altair, Ares I, Ares V, Earth Departure Stage, etc.).The processing requirements of the system of systems change with mission phase and connectivity.Reconfiguration may be desirable to maximize processing throughput and reliability.Connectivity and interoperability may drive ability to accomplish reconfiguration effectively.We should explore architectures that are insensitive (less sensitive) to common mode failures.We will need to continue to tradeoff the use of COTS with required reliability.We will need to trade off required reliability with the amount and kind of testing employed.