ESA GNC Conference Papers Repository

Safety in GNC systems design for In-Orbit Servicing during Rendezvous and close proximity operations
Davide Casu, Anthea Comellini, Vincent Dubanchet, Hervé Renault, Lorenzo Bitetti, Pierre Dandré
Presented at:
Sopot 2023
Full paper:

Although interest is rising in the execution of rendezvous, proximity, and capture operations for on- orbit services, the definition of accepted technical and safety standards for in-orbit servicing (IOS) to carry out in a safe and responsible manner these operations is still an on-going process. The need for safety standardization has been identified by major agencies. Stakeholders, organizations (e.g., CONFERS), and working groups such as the ESA-led Close Proximity Operations working group are working in this direction, to derive guidelines for safe close proximity operations. In all cases the economic context of these projects is challenging, and design rules and verification methods inherited from crewed rendezvous mission are probably over constraining. On the other hand, either from space debris mitigation point of view or a commercial service point a view, an adequate level of safety shall be implemented and demonstrated. Availability of adequate design and verification tool is thus considered essential to support in an exhaustive and cost effective way theses verifications. The final aim is to perform IOS missions in a safe and sustainable way. The current paper focuses on the impact of best practices and guidelines for safe close proximity operations on the conception, the design, and the validation and verification (V&V) of the GNC system. The GNC system is a high critical system for this kind of missions making use of autonomous guidance and navigation capabilities, coordinated control of robotic arm and Servicer’s platform, overall FDIR strategies and autonomous Collision Avoidance Maneuvers (CAM). The process of ensuring Safety with a low probability of collision is far to be taken for granted for these very complex missions. This paper will firstly address the majors problems and criticalities for In-Orbit Servicing missions, the major design drivers for the GNC system, key common IOS missions requirements and constrains. Secondly, the overall GNC workflow from design and development to validation and verification principles to ensure a safe but cost-effective IOS GNC product will be presented. GNC analyses, methodologies and tools proposed to be used along this workflow will be detailed. For example, early preliminary Safety and FDIR analyses on the design of GNC system are of paramount importance in order to avoid major architecture deviation changes in later phases. Also the entire Mission Analysis and Concept Of Operations of the Rendezvous strategy approach must take into account Safety from concept design (e.g., ensuring passive safety through safe orbits design approaches). The sharing of operational tasks between Ground commands and monitoring & autonomous on-board actions has to be thought thoroughly from early project phases. Different kind of analyses from Linear Covariance analyses to Monte Carlo Analyses applied to increasingly accurate models of environment and spacecraft have been used in different phases of the design and development of the GNC system. These tools are useful to verify that the derived concept of operations and mission analysis strategy for the rendezvous approach are consistent and the trajectory dispersion are within acceptable limits (e.g. there is no occurrence of involuntarily crossing of predefined zones such as the Approach Ellipsoid or the Keep-Out-Sphere). The analysis of specific sets of worst case scenarios for the nominal cases is not sufficient alone, but has to be complemented with a thorough analysis of contingency cases (e.g. recovery after navigation chain loss, thruster failure, collision avoidance from anomalous initial conditions). Contingency analyses shall cover for different situations contemplating FDIR detection & recovery, addressing all phases of the mission from phasing and long range navigation to capture, servicing operations, disposal, but also recovery from emergency collision avoidance maneuvers. Advanced phases of the IOS project make extensive use of several GNC tools from Robust control synthesis, frequency analyses, scattering and worst case analyses to extensive performance, robustness and sensitivity campaign with the Functional Engineering Simulator (FES) developed in auto-coding framework to facilitate also early porting and testing in space hardware and robotic test bench HIL tests. Moreover, the validation of the GNC complex functions for IOS (such as the autonomous navigation relying on optical sensors, computer vision, and image processing algorithms) requires a dedicated workflow from open to closed loop simulations in Model-In-the-Loop (MIL), Software-In-the-Loop (SIL) (using different rendering tools such as PANGU or SpiCam), Processor-In-the-Loop (PIL), and Hardware-In-the-Loop (HIL) (relying on robotic test benches) test campaigns. The final aim of this paper is to allow for a better understanding of the criticalities of IOS mission, and how the GNC design shall comply with safety requirements and address safety guidelines. It will be shown how main critical requirements are verified through the workflow of the GNC system from early conception to validation and verification.