ESA GNC Conference Papers Repository
FDIR and Robustness for the Solar Orbiter AOCS
Solar Orbiter is an ESA Cosmic Vision M-class mission that is to perform remote sensing and in-situ measurements of the Sun and its environment, from close proximity (down to 0.28 AU) and from high latitudes out of the ecliptic plane. A key element of robustness is protection against high solar thermal input: the radiators and solar arrays on the spacecraft need to be protected, which limits the angular excursion the spacecraft is allowed to make from Sun pointing. This poses challenges, in particular for the detection of and recovery from open thruster failures, but also for slow drifts away from the commanded attitude. The mission features a high degree of autonomy: the spacecraft not only acquires the Sun autonomously in a thruster-based mode, but also transitions to wheel-based Sun pointing control after an autonomous wheel health check. Under the right conditions, the star tracker is activated for inertial, wheel-based pointing. As a result, the spacecraft is able to reach its normal operating mode (gyro-stellar, wheel-based control under ground-commanded guidance profiles) fully autonomously. An alternative path exists in both the thruster-based and wheel-based control modes to perform a medium gain antenna strobing manoeuvre, ensuring communications with ground. The Airbus-defined FDIR concept is a centralized one, in which the AOCS provides monitoring parameters upon which recovery strategies are initiated. Units are monitored for their performance, onboard algorithms are monitored for deviations from normal behaviour, and operator inputs are checked for correctness and availability. Important monitoring signals are the Solar aspect angle and the inertial angular rates, which serve as last-resort monitors to safeguard the spacecraft from loss of Sun pointing attitude. The paper concentrates on the FDIR design methods and results. In the design, emphasis is placed on the processing of the unit and subsystem FMECA.
This is completed by analysis work to ensure full understanding and coverage of the identified failure modes under different use cases, such as AOCS modes and manoeuvres. This leads to a consolidated set of monitors and recovery actions, and requirements on these monitors and recovery actions are identified. Based on this, the monitors are designed and prioritized. The prioritization ensures that lower-level monitors trigger recovery actions first, as failing equipment can be isolated in that way. When the lower-level monitors do not identify failures, higher-level monitors form a second and third line of defence. This prioritization manifests itself in the tuning of thresholds and recovery timeouts. The FDIR design is finally verified in several stages of closed-loop simulation, ending in HITL campaigns and a final tuning based on final performance predictions for both subsystem and units. It is also noted that this work interacts closely with the AOCS control design work, particularly in terms of mode entry conditions for the various modes and boundary constraints for the design, such as rate bounds. Thruster failure detection is based on excessive angular rates, which leads to hard constraints on the control design. However, these constraints can be relaxed when the pointing performance of the various modes improves. This leads to an iterative design, in which pointing performance, stability, rate limits and mode entry conditions all contribute to the critical Sun pointing performance in the presence of failures.