Autonomy & FDIR
Autonomy & FDIR Logics in ISRO Spacecraft
Subramanya Udupa
Deputy Director, CDA, ISAC/ISRO
Email: [email protected]
FSW-2015
Johns Hopkins Applied Physics Lab, Maryland, USA
October 2015
Agenda
• On-Board computer
• Spacecraft Autonomy
• FDIR logics
• Safe mode & MRS (Master Recovery Sequencer)
• Software architecture
• Software Features & Statistics
October 2015, Autonomy & FDIR, slide 2
On-Board Computer
OBC functional blocks: Telecommand, Telemetry, Sensor Processing, AOCS, Thermal Management, Power Management, Solar Panel Control, Payload Operation & Safety, Operational Autonomy, Fault Tolerant Autonomy
OBC responsibilities:
• Attitude and Orbit Control
• Command processing
• Telemetry and housekeeping
• Sensor Processing Electronics
• Thermal Management
• Power Management
• Safety Logics
• Autonomy
• Mil Std 1553B Bus Control
• Customized Interfaces
On-Board Computer
Software Requirements
Control Requirements:
1. Attitude pointing & rate specification: sensor requirements, actuator requirements
2. Control law: computational, logical, precision, accuracy, timing
3. Data validation / error handling
Operational Requirements:
1. Orbit determination: SPS data acquisition, orbit model
2. Telecommand
3. Telemetry
4. Spacecraft thermal control
5. Spacecraft power management
6. Payload sequencer
7. Spacecraft operation autonomy
Safety / Redundancy Requirements:
1. Avoid single point failures
2. Fuel conservation: LPD
3. Power Safe Mode & Sun pointing
4. Processor hang-up: FDI
5. Algorithm failure handling: remote programmability
6. Sensor/actuator failure/malfunction: FDIR / ESR / auto reconfiguration / MRS
Spacecraft Autonomy
Autonomy: Definition/Objectives
o To carry out day-to-day activities without ground intervention
o To monitor the health of AOCS systems continuously and take corrective actions to avoid attitude loss
o To ensure power generation and communication towards Earth, and to survive without ground intervention in case of any AOCS system anomalies
Spacecraft Autonomy
• Autonomy features:
  • Time-tagged mode, event-based commanding
  • Configurable command blocks
  • Auto temperature control
  • FDIR logics for sensors, actuators, payload
  • Master Recovery Sequencer
  • AOCS Safe Mode, Power Safe Mode
• Driving factors:
  • Fail-safe operations
  • Ease of operations
  • Non-availability of contact
• Sequencers:
  • Launch Phase Sequencer
  • Auto Acquisition Sequencer
  • LEB / Orbit / Station Keeping Sequencer
  • Payload Operation Sequencer
  • Master Recovery Sequencer
• Fault tolerant features:
  • Hardware: NMI, WDT, redundancy, EDAC, hardware filters
  • Software: memory scrubbing, filters, wild sample remover, data validation, consistency checks, remote programming, EEPROM
  • Actions: shutdown, abort, retry, reconfiguration
Spacecraft Autonomy
Levels of Autonomy
• Level A Autonomy
  o Fault Detection and Isolation (FDI) logic: WDT based
  o Long Pulse Detection (LPD) logic: thruster driver stuck-high failure detection and isolation
  o EDAC and memory scrubbing
  o Mil 1553B bus change-over logic
  o Remote programming
  o AOCE reset handling
  o E2PROM management
• Level B Autonomy
  o Fault Detection, Isolation and Reconfiguration (FDIR)
• Level C Autonomy
  o Power Safety Logic
  o AOCS Safe Mode
Spacecraft Autonomy
Levels of Autonomy (continued)
• Level D Autonomy
  o Operational Autonomy
  o Sequencers:
    o Launch phase sequencer
    o LEB sequencer
    o Thruster augmentation logic
    o LEB termination logic
    o Payload operation sequencer
  o Other logics:
    o SS occultation handling
    o Over-speed protection logic
    o Reference check logic
• Master Recovery Sequencer (MRS): to handle more than one failure and recovery, and Safe Mode recovery
Spacecraft Autonomy
Software layers (bottom to top):
• OBC Hardware Layer
• Real Time Executive
• Data Acquisition Layer, Interface Layer, Data Delivery Layer
• Data Processing & Filter
• Data Selection & Distribution
• Mission & Control Laws (Operational Autonomy)
• Output Data Processing & Distribution
Fault Tolerant Autonomy, alongside the layers:
• Level-A: EDAC, FDI, LPD
• Level-B: Gyro, SS, AccMtr FDIR; TFDL; RW (OSPL, ARC, spurious On/Off handling); memory scrubbing; memory consistency; SPDM; 1553-B FDIR; reset, FDI and LPD handling with EEPROM; remote programming
• Level-C: Power Safety Logic
• Level-D: Safe Mode
• Master Recovery Sequencer (MRS)
Spacecraft Autonomy
FDIR architecture (interfaces shown: 1553 packet transfer, events flag interface, TC interface, telemetry interface, direct interface)
Telecommand Processor (TCP-1 and TCP-2):
1. Isolation and reconfiguration commands executed on reception of events flags (64) from AOCE
2. Health check using telemetry, and isolation and reconfiguration using EBCs (40)
3. Auto thermal control (PATC)
AOCE Processor (AOCE-1 and AOCE-2):
1. Health and performance analysis
2. Fault detection
3. Isolation and reconfiguration through events raising
4. Internal reconfiguration
5. Battery voltage and current check
6. Safe Mode detection and normalization (through events flag)
Subsystems monitored and reconfigured (events commands executed for isolation and reconfiguration over the TC interface):
• Sensors: 3 dynamically tuned gyros, 2 star sensors, 4 accelerometers
• Actuators: 4 reaction wheels, 8 22N attitude control thrusters, 2 SPDM motor coils
• Power electronics: Li-Ion battery (voltage level check; 16 TM words such as battery voltage and current over the telemetry interface)
• Thermal system: heater temperatures (PATC)
• Communication system: 2 transmitters, 2 receivers, 2 TWTA, 3 antennas (low gain, medium gain, high gain)
FDIR Logics
Why FDIR?
• Hardware faults: temporary or permanent
• Computation faults: numerical errors, divide by zero, exceptions
• Design errors: algorithm failures
• Interface errors: communication failures
• Environment errors: temperature out of limits, etc.
FDIR Logics in the spacecraft system
• Gyro FDIR
• Accelerometer FDIR
• SS FDIR
• Mil-STD-1553 BC/RT FDIR
• Wheel FDIR
• Thruster FDIR
• Solar Panel Drive Mechanism safety logic
Gyro FDIR (GFDIR) detects:
• Sync loss
• Sync toggling
• Low wheel speed
• Data freeze
• RT fail
Accelerometer FDIR (AFDIR) detects:
• Accelerometer data freeze
• Accelerometer wild data
• Gyro data freeze
• RT failure
SS FDIR (SSFDIR) detects:
• RefT freeze
• RefT reset
• Attitude FD
• Data error
• CCD temperature / voltage monitor
• Checksum
• SS occultation
• Bus fail
Actions:
• SS change-over if the other sensor is usable, else retry
• If both SS fail, indicate the "both SS fail" flag to MRS
• Consistency logic disable: the consistency logic is disabled if both head attitudes are matching
• No failure, but the update counter is not incrementing (also checked under the both-heads-on condition)
1553 based logics
• Auto bus change-over logic for a single bus failure
• RT fail declaration for an RT when both of its buses have failed
• BC FDIR logic to detect BC failure:
  – by detecting protocol scheduler completion failure, OR
  – if both TC1 and TC2 detect failures on both buses
• Action:
  – If either or both of the above failures are detected by a System, a 'Safe mode select' command is issued internally to force a system change-over
  – The changed-over System configures itself as BC and resumes its activities, continuing the current mode, while the non-selected System (where the failure was detected) acts as Remote Terminal (RT) and remains in Safe mode
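The bus change-over and BC FDIR rules above, as an added example in C that is not part of this presentation or of ISRO's flight software (the architecture slide says the flight code is Ada). The bus, role and System names, the per-RT latching of bus failures and the 'Safe mode select' counter are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Redundant MIL-STD-1553B buses and the two redundant Systems (TC1/TC2),
 * one acting as Bus Controller, the other as a Remote Terminal in Safe mode.
 * All names are assumptions for the illustration. */
typedef enum { BUS_A = 0, BUS_B = 1 } bus_t;
typedef enum { ROLE_BC, ROLE_RT_SAFE } role_t;

/* Per-RT bookkeeping for the auto bus change-over rule. */
typedef struct {
    bool  bus_failed[2];   /* failure latched per bus (assumed: latched until ground clears it) */
    bus_t active_bus;
    bool  rt_failed;       /* declared only once both buses have failed */
} rt_link_t;

/* Outcome of one transaction with an RT on its active bus:
 * single bus failure -> change over to the other bus;
 * both buses failed  -> declare the RT failed. */
static void rt_link_update(rt_link_t *rt, bool transaction_ok)
{
    if (transaction_ok) return;
    rt->bus_failed[rt->active_bus] = true;
    bus_t other = (rt->active_bus == BUS_A) ? BUS_B : BUS_A;
    if (rt->bus_failed[other]) rt->rt_failed = true;   /* no healthy bus left */
    else                       rt->active_bus = other; /* auto bus change-over */
}

/* Which of the two Systems is currently BC; the other is RT. */
typedef struct {
    role_t role[2];
    int    bc_index;
    int    safe_mode_selects;  /* internally issued 'Safe mode select' commands */
} bc_config_t;

/* BC FDIR: a BC failure is declared when the protocol scheduler does not
 * complete, or when both Systems report failures on both buses. On detection
 * 'Safe mode select' forces a change-over: the other System becomes BC and
 * continues the current mode, the failed one stays RT in Safe mode.
 * Returns true when a change-over happened. */
static bool bc_fdir(bc_config_t *cfg, bool scheduler_completed,
                    bool tc1_both_bus_fail, bool tc2_both_bus_fail)
{
    bool bc_failure = !scheduler_completed || (tc1_both_bus_fail && tc2_both_bus_fail);
    if (!bc_failure) return false;
    int failed = cfg->bc_index;
    cfg->safe_mode_selects++;
    cfg->role[failed] = ROLE_RT_SAFE;
    cfg->bc_index = 1 - failed;
    cfg->role[cfg->bc_index] = ROLE_BC;
    return true;
}

/* Constructed scenario 1: an RT sees a bad transaction on bus A, then on bus B.
 * Returns whether the RT was declared failed; *final_bus is the bus after the
 * first failure (expected BUS_B). */
static bool rt_demo(bus_t *final_bus)
{
    rt_link_t rt = { {false, false}, BUS_A, false };
    rt_link_update(&rt, true);    /* healthy traffic on A */
    rt_link_update(&rt, false);   /* A fails: change over to B */
    *final_bus = rt.active_bus;
    rt_link_update(&rt, false);   /* B fails as well: RT fail */
    return rt.rt_failed;
}

/* Constructed scenario 2: System 0 is BC and its scheduler stops completing.
 * Returns the index of the System that is BC afterwards (expected 1). */
static int bc_demo(bool *changed_over)
{
    bc_config_t cfg = { {ROLE_BC, ROLE_RT_SAFE}, 0, 0 };
    bool c1 = bc_fdir(&cfg, true, false, false);    /* nominal cycle: nothing */
    bool c2 = bc_fdir(&cfg, false, false, false);   /* scheduler completion failure */
    *changed_over = !c1 && c2;
    return cfg.bc_index;
}

int main(void)
{
    bus_t b; bool ch;
    printf("RT failed after both buses: %d (active bus after first fail: %d)\n", rt_demo(&b), b);
    printf("BC index after scheduler failure: %d, changed over: %d\n", bc_demo(&ch), ch);
    return 0;
}
```

The two rules are deliberately kept separate: the RT-side logic only ever moves traffic between buses, while the BC-side logic is the only path that swaps the Systems' roles, which matches the slide's point that the BC failure path ends in a Safe-mode change-over rather than a bus change-over.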
Wheel FDIR
Fault detection:
• Wheel fault check by comparing with accumulated torque (30 s)
• Indicate TM "Wheel Faulty" if the wheel torque is not achieved
Isolation & reconfiguration, depending on the wheel configuration:
• 4 RW: switch OFF the failed wheel; select 3RW mode
• 3 RW & redundant wheel enabled: switch ON the redundant wheel if it is OFF; switch OFF the failed wheel
• 3 RW & redundant wheel disabled: switch OFF all wheels; indicate the wheel failure flag to MRS
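The detection window and the three reconfiguration branches above, as an added C example that is not the presentation's or ISRO's code. It assumes a 64 ms major cycle (from the architecture slide), and the wheel inertia, commanded torque, minimum impulse and the 50% "torque achieved" fraction are constructed values; the slide gives only the 30 s window.

```c
#include <stdbool.h>
#include <stdio.h>

#define N_WHEELS          4
#define CYCLE_S           0.064   /* 64 ms major cycle (architecture slide) */
#define WINDOW_S          30.0    /* torque comparison window from the slide */
#define WHEEL_INERTIA     0.02    /* kg m^2, constructed value */
#define CMD_TORQUE        0.01    /* N m, constructed constant command */
#define MIN_IMPULSE       0.05    /* N m s; below this the check is inconclusive (constructed) */
#define ACHIEVED_FRACTION 0.5     /* faulty below 50% of commanded impulse (constructed) */

typedef enum { CFG_4RW, CFG_3RW_REDUNDANT_EN, CFG_3RW_REDUNDANT_DIS } wheel_cfg_t;
typedef enum { ACT_NONE, ACT_SELECT_3RW, ACT_SWITCH_REDUNDANT, ACT_ALL_OFF_FLAG_MRS } wheel_action_t;

typedef struct {
    bool   on;
    bool   faulty;        /* TM "Wheel Faulty" */
    int    samples;       /* cycles accumulated in the current window */
    double start_speed;   /* wheel speed at window start, rad/s */
    double cmd_impulse;   /* integral of commanded torque over the window, N m s */
} wheel_t;

static double absd(double x) { return x < 0 ? -x : x; }

/* Fault detection: accumulate commanded torque over the 30 s window and compare
 * with the impulse the wheel actually delivered (inertia * change in speed).
 * Returns true on the cycle the wheel is declared faulty. */
static bool wheel_fd_update(wheel_t *w, double cmd_torque, double speed)
{
    if (w->samples == 0) w->start_speed = speed;
    w->cmd_impulse += cmd_torque * CYCLE_S;
    w->samples++;
    if (w->samples * CYCLE_S < WINDOW_S) return false;

    double delivered = WHEEL_INERTIA * (speed - w->start_speed);
    bool not_achieved = absd(w->cmd_impulse) > MIN_IMPULSE &&
                        absd(delivered) < ACHIEVED_FRACTION * absd(w->cmd_impulse);
    w->samples = 0;               /* start the next window */
    w->cmd_impulse = 0.0;
    if (not_achieved && !w->faulty) { w->faulty = true; return true; }
    return false;
}

/* Isolation & reconfiguration: the three branches of the slide. */
static wheel_action_t wheel_reconfigure(wheel_cfg_t cfg, wheel_t wheels[], int failed, bool *mrs_flag)
{
    switch (cfg) {
    case CFG_4RW:
        wheels[failed].on = false;               /* switch OFF failed wheel */
        return ACT_SELECT_3RW;                   /* 3RW mode select */
    case CFG_3RW_REDUNDANT_EN:
        for (int i = 0; i < N_WHEELS; i++)       /* switch ON redundant wheel if it is OFF */
            if (!wheels[i].on && !wheels[i].faulty) { wheels[i].on = true; break; }
        wheels[failed].on = false;               /* switch OFF failed wheel */
        return ACT_SWITCH_REDUNDANT;
    default:                                     /* CFG_3RW_REDUNDANT_DIS */
        for (int i = 0; i < N_WHEELS; i++) wheels[i].on = false;
        *mrs_flag = true;                        /* wheel failure flag to MRS */
        return ACT_ALL_OFF_FLAG_MRS;
    }
}

/* Constructed scenario: constant torque command on every powered wheel and
 * wheel 2 never spins up. In the 3RW configurations wheel 3 is the unpowered
 * redundant wheel. Returns the action taken; *wheels_on counts powered wheels. */
static wheel_action_t wheel_fdir_demo(wheel_cfg_t cfg, int *failed_out, bool *mrs_flag, int *wheels_on)
{
    wheel_t wheels[N_WHEELS] = {{0}};
    double  speed[N_WHEELS]  = {0};
    const int stuck = 2;
    *mrs_flag = false; *failed_out = -1;
    for (int i = 0; i < N_WHEELS; i++) wheels[i].on = (cfg == CFG_4RW) || (i != 3);

    wheel_action_t action = ACT_NONE;
    for (int cycle = 0; cycle < 1000 && action == ACT_NONE; cycle++) {
        for (int i = 0; i < N_WHEELS; i++) {
            if (!wheels[i].on) continue;
            if (i != stuck) speed[i] += CMD_TORQUE / WHEEL_INERTIA * CYCLE_S;  /* plant model */
            if (wheel_fd_update(&wheels[i], CMD_TORQUE, speed[i])) {
                *failed_out = i;
                action = wheel_reconfigure(cfg, wheels, i, mrs_flag);
                break;
            }
        }
    }
    *wheels_on = 0;
    for (int i = 0; i < N_WHEELS; i++) *wheels_on += wheels[i].on;
    return action;
}

int main(void)
{
    int failed, on; bool mrs;
    wheel_action_t a = wheel_fdir_demo(CFG_3RW_REDUNDANT_DIS, &failed, &mrs, &on);
    printf("action %d, failed wheel %d, MRS flag %d, wheels on %d\n", a, failed, mrs, on);
    return 0;
}
```

The MIN_IMPULSE guard matters: with no torque commanded during a window the ratio test would be meaningless, so a healthy idle wheel must not be declared faulty.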
Thruster FDIR
Thruster failure detection algorithm (based on delta rate residuals):
• Model-based generic algorithm that can detect closed mode and open mode failures in IAC mode and LEB mode
• The fault detection logic is residual-based: the measured/actual rate difference is compared with a set of all the pre-determined possible failure cases
• Reconfiguration is based on the selected thruster selection logic, thruster block, identified failed thruster, and number of thrusters failed at the time of reconfiguration
On-board input parameters: gyro rate; thruster firing pattern
Ground up-linkable input parameters: individual thruster torque data; S/C moment of inertia; threshold value
Thruster reconfiguration: identifies the failed thruster; identifies the fail type (close or open mode)
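The residual comparison against pre-determined failure cases, as an added C example that is not the presentation's or ISRO's algorithm. It uses the inputs the slide names (gyro rate and firing pattern on board; per-thruster torque, moment of inertia and threshold up-linked) with constructed values, models only four thrusters and single failures, and reads "closed mode" as a commanded thruster that did not fire and "open mode" as an uncommanded thruster that did; those readings and the diagonal inertia are assumptions.

```c
#include <stdio.h>

#define N_THR 4            /* four of the slide's 8 thrusters, for brevity */
#define DT    0.064        /* rate sampling interval: one 64 ms major cycle */

typedef struct { double x, y, z; } vec3_t;
typedef enum { FAIL_NONE, FAIL_CLOSED, FAIL_OPEN, FAIL_UNRESOLVED } fail_type_t;

/* Ground up-linkable parameters (constructed values): torque of each thruster
 * about the body axes (N m), diagonal moment of inertia (kg m^2), threshold. */
static const vec3_t THR_TORQUE[N_THR] = {
    {  2.0,  0.0,  0.5 }, { -2.0,  0.0,  0.5 },
    {  0.0,  2.0, -0.5 }, {  0.0, -2.0, -0.8 } };
static const vec3_t MOI = { 500.0, 600.0, 700.0 };
static double g_threshold = 1.0e-4;   /* rad/s, residual norm */

/* Delta rate the model predicts for a firing pattern (bit i = thruster i on). */
static vec3_t predicted_delta_rate(unsigned pattern)
{
    vec3_t t = { 0.0, 0.0, 0.0 };
    for (int i = 0; i < N_THR; i++) {
        if (!(pattern & (1u << i))) continue;
        t.x += THR_TORQUE[i].x; t.y += THR_TORQUE[i].y; t.z += THR_TORQUE[i].z;
    }
    vec3_t d = { t.x / MOI.x * DT, t.y / MOI.y * DT, t.z / MOI.z * DT };
    return d;
}

/* Squared norm of (measured - predicted) for a hypothesised effective pattern. */
static double residual2(vec3_t measured, unsigned pattern)
{
    vec3_t p = predicted_delta_rate(pattern);
    double dx = measured.x - p.x, dy = measured.y - p.y, dz = measured.z - p.z;
    return dx * dx + dy * dy + dz * dz;
}

/* Residual-based detection and identification. The commanded pattern is
 * tested first; if its residual exceeds the threshold, every single-thruster
 * failure case is tested: a commanded thruster that did not fire (closed
 * mode) or an uncommanded one that fired (open mode). The case with the
 * smallest residual under the threshold identifies thruster and fail type. */
static fail_type_t thruster_fdir(vec3_t measured_delta_rate, unsigned cmd_pattern, int *failed)
{
    double thr2 = g_threshold * g_threshold;
    *failed = -1;
    if (residual2(measured_delta_rate, cmd_pattern) < thr2) return FAIL_NONE;

    double best = thr2;
    fail_type_t best_type = FAIL_UNRESOLVED;   /* fault seen, no single case explains it */
    for (int i = 0; i < N_THR; i++) {
        unsigned bit = 1u << i;
        unsigned hyp = (cmd_pattern & bit) ? (cmd_pattern & ~bit) : (cmd_pattern | bit);
        double r = residual2(measured_delta_rate, hyp);
        if (r < best) {
            best = r; *failed = i;
            best_type = (cmd_pattern & bit) ? FAIL_CLOSED : FAIL_OPEN;
        }
    }
    return best_type;
}

/* Constructed gyro measurement: rate change from the pattern that actually
 * fired, plus a small fixed gyro noise. */
static vec3_t simulate_gyro(unsigned actual_pattern)
{
    vec3_t d = predicted_delta_rate(actual_pattern);
    d.x += 1.0e-5; d.y -= 1.0e-5; d.z += 5.0e-6;
    return d;
}

/* Thrusters 0 and 2 commanded, thruster 2 stuck closed (only 0 fired). */
static fail_type_t demo_closed(int *failed) { return thruster_fdir(simulate_gyro(0x1u), 0x5u, failed); }
/* Thruster 0 commanded alone, thruster 3 also firing (stuck open). */
static fail_type_t demo_open(int *failed)   { return thruster_fdir(simulate_gyro(0x9u), 0x1u, failed); }
/* Nominal firing: residual stays within the threshold. */
static fail_type_t demo_nominal(int *failed){ return thruster_fdir(simulate_gyro(0x5u), 0x5u, failed); }

int main(void)
{
    int f;
    printf("closed case: type %d thruster %d\n", demo_closed(&f), f);
    printf("open case:   type %d thruster %d\n", demo_open(&f), f);
    printf("nominal:     type %d\n", demo_nominal(&f));
    return 0;
}
```

The threshold plays two roles: it decides whether there is a fault at all, and it bounds which failure case may be accepted as the explanation, so a residual that no single-thruster case brings under the threshold is reported as unresolved rather than being forced onto the least-bad case.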
SPDM Safety Logic
• Safe to rotate logic (during operation)
  Detection:
  – Micro switch actuation detected
  – Potentiometer measurement out of range
  – SPDM counter value out of range
  Action: go to safe parking (last commanded offset value)
• SPDM FDL logic: fault detection and isolation logic using potentiometer data, SPSS data and the SPDM counter
Safe Mode & MRS
• The Master Recovery Sequencer (MRS) is a higher level recovery sequencer to circumvent sensor, actuator and system failures
• Existing AOCS logics (e.g. wheel over-speed, wheel auto reconfiguration)
• LEB sequencer and imaging sequencer on attitude convergence failure
• Sensor FDI for two-gyro failure or all-star-sensor failure
• Safe Mode detection modules (CASS based safe mode, rate safe mode, communication safe detection modules)
Safe Mode & MRS
Safe Mode Detection
• Rate based: rates > 2.8 deg/sec in thruster mode, or rates > 1.5 deg/sec in wheel mode, for 192 ms
• CASS based: CASS pitch east / yaw negative or centre SPS absent, OR CASS roll / yaw east / yaw negative SPS absent, for 1 minute during the non-eclipse period
• Low battery voltage: battery voltage < commanded threshold for a duration of 1 minute
• Command link based: link WDT reset not received within the watchdog timer limit (power-on: 21 hrs)
• Hard emergency: in case of a hard emergency, after the emergency relay closes, safe mode is initiated by the TCP
Safe Mode & MRS
Safe Mode and MRS interaction: Rate Safe Mode, CASS Safe Mode, Link Safe Mode, Power Safe Mode and Safe Mode by command all lead into Safe Mode, which in turn invokes the Master Recovery Sequencer.
Safe Mode & MRS
• Master Recovery Sequencer (flow diagram)
Safe Mode & MRS
MRS retry: four retry options programmed in E2PROM tables to reconfigure the onboard system or to force MRS onto a particular recovery path
Software Architecture
• Round-robin type scheduling
• Language: Ada with safe subset
• Design:
  • 64 ms major cycle (AOCS, sensors)
  • 8 ms minor cycle (PWPFM etc.)
  • 512 ms super cycle (orbit model, autonomy)
• NMI for WDT action
• Provision for remote programming
• Reviews:
  • System requirements
  • Software requirements
  • Software design
  • CWT
  • Test readiness review
  • Test results review board
Software Features
Remote programming & memory scrubbing
• Remote programming: provision to modify software to take care of unforeseen changes
  • AOCS mode changes
  • Modification of gains
  • Inclusion of new commands
  • Modification of auto temperature control mapping
  • Full software main program change
• Majority voting of critical parameters (diagram: one input feeds System 1 to System 5, whose outputs are voted to produce the output)
• Memory scrubbing (read and write memory so that bits are corrected and written back)
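Majority voting of critical parameters and the read-correct-write-back scrub loop above, as an added C example that is not the presentation's or ISRO's code. It assumes the five voted sources hold copies of one 32-bit parameter, that scrubbing is realised by writing the voted value back (the slide's hardware EDAC path is not modelled), and the parameter table and the injected bit flips are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define N_COPIES 5      /* the slide's voter takes the outputs of System 1..5 */
#define N_PARAMS 3      /* constructed table of critical parameters */

/* Bit-wise majority over N_COPIES copies of a 32-bit critical parameter:
 * each result bit is the value held by at least 3 of the 5 copies. */
static uint32_t majority_vote(const uint32_t copies[N_COPIES])
{
    uint32_t voted = 0;
    for (int bit = 0; bit < 32; bit++) {
        int ones = 0;
        for (int c = 0; c < N_COPIES; c++) ones += (copies[c] >> bit) & 1u;
        if (ones * 2 > N_COPIES) voted |= 1u << bit;
    }
    return voted;
}

/* One scrub pass over a parameter: read all copies, vote, and write the voted
 * value back to every copy that differs. Returns the number of copies
 * rewritten. Writing back is what keeps single-bit upsets from accumulating
 * until more than two copies disagree, after which voting cannot recover. */
static int scrub_parameter(uint32_t copies[N_COPIES])
{
    uint32_t voted = majority_vote(copies);
    int rewritten = 0;
    for (int c = 0; c < N_COPIES; c++) {
        if (copies[c] != voted) { copies[c] = voted; rewritten++; }
    }
    return rewritten;
}

static uint32_t g_table[N_PARAMS][N_COPIES];
static const uint32_t TRUTH[N_PARAMS] = { 0x3C00A5F0u, 0x00000001u, 0xFFFF0000u };

static void init_table(void)
{
    for (int p = 0; p < N_PARAMS; p++)
        for (int c = 0; c < N_COPIES; c++) g_table[p][c] = TRUTH[p];
}

/* Periodic scrub of the whole table (for example from the 512 ms super cycle).
 * Returns the total number of copies corrected. */
static int scrub_table(void)
{
    int total = 0;
    for (int p = 0; p < N_PARAMS; p++) total += scrub_parameter(g_table[p]);
    return total;
}

/* Constructed upset: two different copies of parameter 1 each lose one bit.
 * Returns corrections made; *value_out receives the voted value afterwards. */
static int demo_two_upsets(uint32_t *value_out)
{
    init_table();
    g_table[1][0] ^= 1u << 7;
    g_table[1][3] ^= 1u << 19;
    int n = scrub_table();
    *value_out = majority_vote(g_table[1]);
    return n;
}

/* Limit of the scheme: the same bit flipped in three of five copies out-votes
 * the good copies, and the scrub then rewrites the two good copies to the
 * wrong value. Returns corrections made; *value_out is what copy 4 now holds. */
static int demo_outvoted(uint32_t *value_out)
{
    init_table();
    for (int c = 0; c < 3; c++) g_table[2][c] ^= 1u << 31;
    int n = scrub_table();
    *value_out = g_table[2][4];
    return n;
}

int main(void)
{
    uint32_t v;
    printf("two upsets: %d copies rewritten, value 0x%08X\n", demo_two_upsets(&v), v);
    printf("out-voted:  %d copies rewritten, value 0x%08X\n", demo_outvoted(&v), v);
    return 0;
}
```

The second scenario is why the scrub period matters: voting only masks faults that arrive fewer than three at a time, so the scrub has to run often enough that independent upsets are cleaned before a third one lands on the same bit.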
Software Features
Event Based Commanding
• Event based commanding provides the function:
  • To define an event, which is "any parameter" satisfying a logical condition (>, <, =, bit-wise conditions) for a consecutive "n" number of times
  • To issue an action, which is the execution of commands
• Extensively used to handle critical autonomy functions that were called for during mission operations:
  • Bring in fail-safe logics
  • Switch to the redundant coil in case of an anomaly during LEB burn
  • Bring in Safe Mode with additional checks felt necessary after
• Event definition: variable address or TM channel information; type, condition, limits; action (event to execute a command / a group of commands)
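The event definition above (parameter, condition type, limit, consecutive count n, action), as an added C example that is not the presentation's or ISRO's code. The event record layout, the command-id encoding of the action, the one-shot behaviour and the sample TM sequences are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Condition types from the slide: >, <, = and bit-wise tests. */
typedef enum { EV_GT, EV_LT, EV_EQ, EV_BITS_SET } event_cond_t;

/* One event definition: the monitored parameter (variable address or TM
 * channel), its condition and limit, the required consecutive count n, and
 * the action, represented here as a command id (assumed encoding). */
typedef struct {
    const char     *name;
    const int32_t  *param;       /* address of the monitored variable */
    event_cond_t    cond;
    int32_t         limit;       /* limit value, or bit mask for EV_BITS_SET */
    uint16_t        n_required;  /* condition must hold n consecutive times */
    uint16_t        count;       /* consecutive samples it has held so far */
    uint16_t        command_id;  /* action: command (or command block) to issue */
    bool            fired;       /* one-shot until the condition clears */
} event_t;

static bool condition_holds(const event_t *e)
{
    int32_t v = *e->param;
    switch (e->cond) {
    case EV_GT:       return v > e->limit;
    case EV_LT:       return v < e->limit;
    case EV_EQ:       return v == e->limit;
    case EV_BITS_SET: return (v & e->limit) == e->limit;
    }
    return false;
}

/* Evaluate one event for one cycle. Returns the command id to issue this
 * cycle, or 0 when nothing is due. A single sample that fails the condition
 * resets the consecutive count, so transient excursions do not trigger. */
static uint16_t event_evaluate(event_t *e)
{
    if (!condition_holds(e)) {
        e->count = 0;
        e->fired = false;
        return 0;
    }
    if (e->count < e->n_required) e->count++;
    if (e->count == e->n_required && !e->fired) {
        e->fired = true;
        return e->command_id;
    }
    return 0;
}

/* Monitored variables for the constructed demo. */
static int32_t g_batt_mv;        /* battery voltage, millivolts */
static int32_t g_status_word;    /* bit field, e.g. a sensor health word */

/* Drive one event through a sample sequence; returns the 1-based cycle on
 * which the action was issued, or 0 if it never fired. */
static int run_event(event_t *e, int32_t *var, const int32_t *samples, int n, uint16_t *cmd_out)
{
    for (int i = 0; i < n; i++) {
        *var = samples[i];
        uint16_t cmd = event_evaluate(e);
        if (cmd != 0) { if (cmd_out) *cmd_out = cmd; return i + 1; }
    }
    return 0;
}

/* Low battery voltage, n = 3: two low samples, a recovery, then three lows. */
static int demo_battery_event(uint16_t *cmd_out)
{
    static const int32_t samples[] = { 27000, 25900, 25800, 27000, 25900, 25800, 25700, 25600 };
    event_t ev = { "BATT_LOW", &g_batt_mv, EV_LT, 26000, 3, 0, 0x0A01, false };
    return run_event(&ev, &g_batt_mv, samples, 8, cmd_out);
}

/* Bit-wise condition, n = 2: bits 0 and 2 must both be set twice in a row. */
static int demo_bitwise_event(uint16_t *cmd_out)
{
    static const int32_t samples[] = { 0x1, 0x5, 0x4, 0x5, 0x7 };
    event_t ev = { "SENSOR_FLAGS", &g_status_word, EV_BITS_SET, 0x5, 2, 0, 0x0B02, false };
    return run_event(&ev, &g_status_word, samples, 5, cmd_out);
}

int main(void)
{
    uint16_t cmd = 0;
    printf("battery event fired on cycle %d, command 0x%04X\n", demo_battery_event(&cmd), cmd);
    printf("bit-wise event fired on cycle %d, command 0x%04X\n", demo_bitwise_event(&cmd), cmd);
    return 0;
}
```

The reset-on-miss rule is the part worth getting right: the slide's "consecutive n number of times" means n in a row, not n out of m, which is what makes the same mechanism usable both for the battery threshold and for the 192 ms rate criterion on the Safe Mode slide.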
Software Process
SDLC Process Standard
IEEE-12207 process tree (life cycle processes):
• Primary: acquisition, supply, development, operation, maintenance
• Supporting: documentation, configuration management, QA, V&V (2), joint review, audit
• Organizational: management, infrastructure, improvement, training
Tailoring: ISRO Process Control Document (ISPD)
Software Statistics
SW functionalities:
• Data acquisition & processing: 20%
• TC & TM: 10%
• AOCS function: 30%
• Flight dynamics: 15%
• Operational autonomy: 10%
• Fault tolerant autonomy: 15%
Software Statistics
• 35-40% reusability across different types of systems
  • Horizontal: across the projects
  • Vertical: across systems (pattern & architecture reusability)
• Design guidelines & coding standards ensure better maintainability and better reusability
• Object-based design: better reusability
• Overhead in global variables / vulnerability, to ensure execution time management
• SW standard adoption
Acknowledgement
• I thank Dr. M. Annadurai, Director, ISAC and Dr. A.S. Kiran Kumar, Chairman ISRO for providing the opportunity to attend this Workshop.
• I thank team colleagues and team members of the Control & Digital Area for helping in the preparation of presentation material.
• I thank Mr. Harmalkar Subodh and the organizers of FSW-2015 for inviting and giving the great opportunity to participate in this workshop.
• I thank all the distinguished delegates and domain experts who made me feel great by presenting in this Workshop.
THANK YOU ALL