ESA GNC Conference Papers Repository

Avoiding rigor mortis - Euclid attitude and orbit control subsystem failure detection isolation and recovery
J.A. Meijer, J.F. Bos, G. Saavedra Criado, G. Chlewicki, A. Agenjo
Presented at:
Salzburg 2017
The EUCLID Mission was selected in 2011 as the second medium-class ('M-class') mission of ESA's Cosmic Vision Scientific Programme. Its aim is to map the geometry of the dark universe by accurately measuring the acceleration of the universe. To achieve this, the spacecraft will provide highly accurate measurements of the shape and redshift of galaxies at varying distances from Earth and investigate the relationship between distance and redshift.

Given long ground response times, limited ground contact and the possibility of rapid failure propagation, the continuation of mission operations (even after a single failure) is ensured by limitations on the operational domain and tight restrictions on the transients outside these domains. These requirements are covered by the Attitude and Orbit Control Subsystem (AOCS) Application Software (AASW), in particular by its Failure Detection, Isolation and Recovery (FDIR). The AASW is an independently developed set of tasks running on the central Command and Data Management Unit (CDMU). All interactions with the AOCS units, the ground and the system software go through the CDMU Application Software (CASW).

The high-level goals of the EUCLID AOCS FDIR are to prevent degradation of the telescope payload by Sun illumination, to ensure that the solar panels generate sufficient power for the spacecraft, and to enhance mission continuation in the presence of single failures. These goals are far from exceptional for high-end science missions. What makes this FDIR implementation different is that it mixes the two main approaches to FDIR design: completely independent hardware versus software fully integrated within the nominal AOCS application software. The stringent philosophy of complete independence of the hardware and software used for mission-critical error detection and safe mode control has been partially abandoned.

Software error, attitude and rate anomaly detection are implemented in a dedicated software task (called the System Safeguarding Logic) running on the main CDMU processor. We will discuss the advantages and acceptability of this approach from both an AOCS and a system point of view. In addition, the AOCS FDIR is distributed over the system software (CASW), the AOCS software and the dedicated System Safeguarding Logic function. Because fast response times are needed after AOCS failures (i.e. to avoid AOCS rigor mortis), spike filtering of data and the final decision on whether a unit is healthy are performed by the AASW; the system software only initiates high-level recovery actions.

We will also address the crucial interaction between the AOCS application software FDIR and the central application software (system-level) FDIR, covering autonomous reconfiguration and the advanced interface between the AOCS and the actuators and sensors outside the AOCS responsibility (also known as customer furnished items): the reaction control subsystem, the fine guidance sensor and the micro-propulsion subsystem, of which the latter two have dedicated system FDIR logic. It is only through the symbiotic relationship between the AOCS and System FDIR that the EUCLID spacecraft will be able to continue its operations autonomously and avoid premature mission termination.