20131125 cisec-space embedded systems-jean-paul-blanquart
DESCRIPTION
Despite the large variety of space systems, from micro or nano satellites to large orbital infrastructures, from launchers to deep space probes, from scientific to telecommunication satellites, the presentation will attempt to propose a synthesis of the safety and dependability needs, constraints and solutions. The focus will especially be put on the architecture of the satellites, redundancy schemes and fault tolerance mechanisms, so as to achieve the required dependability for missions of up to some 15 or 20 years in an aggressive environment with very little repair capability after launch. These solutions will be illustrated through typical examples representative of the major combinations of needs and constraints, including launchers (Ariane V), typical "service" satellites (telecommunication) and particular cases such as man-related critical space systems (ATV, Columbus).
TRANSCRIPT
CISEC Introduction to critical embedded systems engineering
ISAE, Toulouse, November 25th, 2013
An overview of needs, constraints and solutions
for safe and dependable space systems
Jean-Paul Blanquart
Astrium Satellites, Toulouse
This document is the property of Astrium. It shall not be communicated to third parties without prior written agreement. Its content shall not be disclosed.
Page 3 CISEC - SEC Conferences Series - Space systems - JP. Blanquart - Astrium Satellites
Lecture overview
Space systems, a quick overview
  Definition
  Various missions, spacecrafts, …
Regulation and standards
Dependable architecture solutions for space systems
  Needs and constraints
  Redundancy, basic schemes
  Illustrations
Page 4
Space Systems: Definition (tentative)
Space system: a “system” with at least one component in “space”
System:
  Not too simple
  Artificial (at least partly): made, or adapted, to serve some explicitly stated purpose
Space:
  At least 100 km above the surface of the Earth
  During some significant time (“several orbits”)
Page 5
Various “segments”
Interacting systems: space and ground segments
Launch segment: ground + launcher
In-orbit servicing
Constellations of satellites
Page 6
Various missions
Telecommunications
Earth observation
Meteorology
Navigation and positioning
Science
  Astronomy
  Earth observation
  Deep space and planetary exploration
Technology
In-orbit servicing
Page 7
Various “locations”
Earth orbit
  Low Earth Orbit (LEO)
  Medium Earth Orbit (MEO)
  Geostationary Orbit (GEO)
  Highly Elliptical Orbit (HEO)
  GEO Transfer Orbit (GTO)
Other
  Lagrange points
  Trajectories in space
  Planetary rover
Page 8
Various spacecrafts
Page 9
This is a spacecraft too
Page 10
And what about this one?
Page 11
And this one?
The Westford project (1961-1963)
Page 12
Space standards and regulations
1958: COPUOS, United Nations Committee on Peaceful Uses of Outer Space. 5 treaties, 5 principles. Founding text: 1967
Treaties:
  Treaty on principles governing the activities of States in the exploration of outer space, including the Moon and other celestial bodies
  Agreement on the Rescue of Astronauts, the Return of Astronauts and the Return of Objects Launched into Outer Space
  Convention on International Liability for Damage Caused by Space Objects
  Convention on Registration of Objects Launched into Outer Space
  Agreement Governing the Activities of States on the Moon and Other Celestial Bodies
Principles:
  Declaration of Legal Principles Governing the Activities of States in the Exploration and Use of Outer Space
  Principles Governing the Use by States of Artificial Earth Satellites for International Direct Television Broadcasting
  Principles Relating to Remote Sensing of the Earth from Outer Space
  Principles Relevant to the Use of Nuclear Power Sources in Outer Space
  Declaration on International Cooperation in the Exploration and Use of Outer Space for the Benefit and in the Interest of All States, Taking into Particular Account the Needs of Developing Countries
Launch regulations
Space Operations Laws
Page 13
Space standards
ECSS, European Cooperation for Space Standardisation
Page 14
Constraints
Mass, size, power consumption
Environment (radiations, temperature, …)
Knowledge, mastering of the environment
Maintenance
Ground-space communication limitations
Phased missions, critical parts
Cost
Page 15
Reminder
Dependability (IFIP, WG 10.4)
Dependability: trustworthiness of a (computer) system such that reliance can justifiably be placed on the service it delivers.
"ability to avoid service failures that are more frequent and more severe than acceptable"
Characterised by: attributes (attributs), threats (entraves), means (moyens)
Page 16
The dependability tree
Dependability (sûreté de fonctionnement)
  Attributes (attributs): Availability (disponibilité), Reliability (fiabilité), Safety (sécurité-innocuité), Security (sécurité-confidentialité), ...
  Threats (entraves): Faults (fautes), Errors (erreurs), Failures (défaillances)
  Means (moyens): Fault prevention (prévention des fautes), Fault tolerance (tolérance aux fautes), Fault removal (élimination des fautes), Fault forecasting (prévision des fautes)
Page 17
Needs (dependability)
Reliability
Availability
Maintainability
Safety
Security
Page 18
Means (dependability)
Prevention
  Processes
  Procurement, component selection, screening, “derating”
  Validation
Tolerance
  Redundant resources on-board
  Dependable architecture
  Fault tolerance: on-board automatic mechanism in charge of “Fault Detection, Isolation and Recovery” (FDIR)
Page 19
Cold standby redundancy architecture
Most often used for space systems
Most reliable, as the failure rate of an unpowered element is generally significantly lower than that of a powered one (about one tenth)
[Figure: Monitoring and Reconfiguration Unit with Context Memory, Element A (ON) and Element B (OFF)]
Page 20
Hot standby redundancy
(A way to select the active outputs may be necessary)
Lower long-term reliability
May be used if the backup cannot be activated in case of failure
  E.g., TC receivers, TC decoders
Or for equipment for which no interruption of service is tolerated (e.g., flight control OBC of the Ariane V launcher)
[Figure: Monitoring and Reconfiguration Unit with Context Memory, Element A (ON) and Element B (ON)]
Page 21
Warm standby redundancy
For equipment with a long start-up time (e.g., computers)
Ensures very short reconfiguration times
More complex to manage (periodic backup and upload of context, alarm watchdog & reconfiguration)
[Figure: Monitoring and Reconfiguration Unit with Context Memory, Element A (ON) and Element B (stand-by)]
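To put numbers on the comparison drawn across the cold, hot and warm standby slides, here is an added worked example (not part of the lecture nor of Astrium's material) that computes the reliability of a 1-out-of-2 standby pair under constant failure rates, with the dormant failure rate of the backup as a parameter. The "about one tenth" dormant rate is the figure stated on the cold-standby slide and the 10^-6/h order of magnitude is the one quoted later in the lecture; the 15-year mission, the 8766 h/year conversion and the FDIR coverage parameter are assumptions of this example. Warm standby sits between the hot and cold cases depending on how much of the backup is kept powered.

```python
import math

# Mission duration used below: 15 years, the longer end of the lifetimes quoted
# in the lecture (constructed sample value, 8766 h per year).
MISSION_HOURS = 15 * 8766


def reliability_single(lam: float, t: float) -> float:
    """Exponential reliability of one element with constant failure rate lam (1/h)."""
    return math.exp(-lam * t)


def reliability_standby(lam_on: float, lam_off: float, t: float, coverage: float = 1.0) -> float:
    """Reliability at time t of a 1-out-of-2 standby pair.

    lam_on   : failure rate of the powered (active) element
    lam_off  : failure rate of the backup while it waits: lam_on for hot standby,
               lam_on / 10 for the 'about one tenth' dormant rate of the
               cold-standby slide, 0 for an ideal cold standby
    coverage : probability that the Monitoring and Reconfiguration Unit detects the
               active element's failure and switches successfully (assumption of
               this example; 1.0 models perfect FDIR)

    Derivation: the pair survives if the active element survives, or if it fails
    at time tau, the backup has survived its dormancy until tau and then runs
    from tau to t.  Integrating over tau:
        R(t) = e^{-lam_on t} * [1 + c * lam_on * (1 - e^{-lam_off t}) / lam_off]
    """
    if lam_on <= 0 or t < 0 or not 0.0 <= coverage <= 1.0:
        raise ValueError("need lam_on > 0, t >= 0 and 0 <= coverage <= 1")
    if lam_off == 0:
        dormant_term = t                      # limit of (1 - e^{-x t}) / x as x -> 0
    else:
        dormant_term = (1 - math.exp(-lam_off * t)) / lam_off
    return math.exp(-lam_on * t) * (1 + coverage * lam_on * dormant_term)


def compare_schemes(lam_on: float = 1e-6, t: float = MISSION_HOURS, coverage: float = 1.0) -> dict:
    """Reliability of a single element and of the standby variants over the mission."""
    return {
        "single": reliability_single(lam_on, t),
        "hot": reliability_standby(lam_on, lam_on, t, coverage),
        "cold_1/10": reliability_standby(lam_on, lam_on / 10, t, coverage),
        "cold_ideal": reliability_standby(lam_on, 0.0, t, coverage),
    }


if __name__ == "__main__":
    for name, r in compare_schemes().items():
        print(f"{name:>10}: R(15 y) = {r:.5f}   P(loss) = {1 - r:.2e}")
```

With lam_on = 10^-6/h the single element only reaches about 0.877 at 15 years; a hot pair brings the loss probability down to about 1.5 %, and the one-tenth dormant rate roughly halves it again, which is the quantitative content of "most reliable" on the cold-standby slide. Setting coverage below 1 shows how quickly an undetected failure mode erodes the benefit of the redundant element, which is why the FDIR mechanism is part of the architecture rather than an add-on.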
Page 22
Fault-masking using majority voting
Basic approaches (triplex architecture)
[Figure: three replicated computations feeding a voter; variants with a vote after each computation stage]
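The slide shows the voter either once on the final outputs or after every computation stage. The added example below (written for this page, not taken from the lecture) implements a bit-exact majority voter and runs a two-stage triplex pipeline both ways, with single-event upsets injected into one lane per stage; the two-stage computation and the fault injection are constructed for the demonstration.

```python
from collections import Counter
from typing import Callable, Dict, List, Optional, Sequence, Tuple


def majority_vote(results: Sequence) -> Tuple[Optional[object], set]:
    """Bit-exact majority vote over the results of replicated computations.

    Returns (voted_value, disagreeing_lanes).  voted_value is None when no value
    is held by a strict majority; the architecture must then treat the result as
    a detected but unmasked failure instead of picking a value arbitrarily.
    """
    if len(results) < 3:
        raise ValueError("majority voting needs at least three lanes")
    value, count = Counter(results).most_common(1)[0]
    if 2 * count <= len(results):
        return None, set(range(len(results)))
    return value, {i for i, r in enumerate(results) if r != value}


# Two-stage computation used by the demonstration (constructed).
STAGES: List[Callable[[int], int]] = [lambda s: s + 1, lambda s: s * 2]


def run_triplex(stages: Sequence[Callable[[int], int]], initial: int,
                upsets: Optional[Dict[Tuple[int, int], int]] = None,
                vote_each_stage: bool = True) -> Tuple[Optional[int], List[set]]:
    """Run `stages` on three lanes starting from `initial`.

    upsets          : {(stage_index, lane): corrupted_value}, a single-event upset
                      hitting one lane just after that stage (constructed injection)
    vote_each_stage : True votes after every stage and re-synchronises all lanes to
                      the voted value (the 'vote after each computation' variant);
                      False votes only once on the final outputs
    Returns (final_value, disagreeing-lane set recorded at each vote).
    """
    upsets = upsets or {}
    lanes = [initial] * 3
    history: List[set] = []
    for k, stage in enumerate(stages):
        lanes = [stage(v) for v in lanes]
        for lane in range(3):
            if (k, lane) in upsets:
                lanes[lane] = upsets[(k, lane)]
        if vote_each_stage or k == len(stages) - 1:
            voted, disagree = majority_vote(lanes)
            history.append(disagree)
            if voted is None:
                return None, history          # two lanes wrong: detected, not masked
            lanes = [voted] * 3               # re-synchronise the faulty lane
    return lanes[0], history


if __name__ == "__main__":
    faults = {(0, 0): 99, (1, 1): -5}         # one upset per stage, on different lanes
    print("vote per stage :", run_triplex(STAGES, 1, faults))                           # (4, [{0}, {1}])
    print("vote at end    :", run_triplex(STAGES, 1, faults, vote_each_stage=False))    # (None, [{0, 1, 2}])
```

The run shows why the per-stage vote matters: with a single final vote, one upset in lane 0 at the first stage and another in lane 1 at the second leave only one correct lane, so the final vote cannot mask anything. Voting after every stage restores lane 0 before the second upset arrives, so each fault is masked on its own. The disagreeing-lane sets are the information the FDIR logic would use to count and isolate a lane that keeps disagreeing.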
Page 23
Assembly of self-checking components
Self-checking components
Self-checking component (for a given set of faults): for each considered fault, all input configurations lead to either a correct output or a detected error
Self-checking component (for a given set of faults): for each considered fault, at least one configuration of inputs leads to a detected error
Both: totally self-checking component
[Figure: Inputs -> Function -> Outputs, with a Check block raising an Error signal]
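The two properties on the slide (in the usual terminology, fault-secure for the first and self-testing for the second) are defined relative to a fault set, so they can be checked exhaustively on a small component. The added example below (written for this page, not part of the lecture) models the Function/Check/Error structure of the figure with a 4-bit adder and a parity checker, then classifies each fault of a chosen set over every input. The adder, the parity check and the stuck-at fault model are constructed for the demonstration.

```python
from itertools import product
from typing import Iterable, List, Tuple

WIDTH = 4
MASK = (1 << WIDTH) - 1

Fault = Tuple[Tuple[int, int], ...]      # ((bit, stuck_value), ...) on the Function output


def function_block(x: int, y: int) -> int:
    """The 'Function' box: a 4-bit modular adder (constructed toy function)."""
    return (x + y) & MASK


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def check_block(x: int, y: int, out: int) -> bool:
    """The 'Check' box: predicts the output parity on a second path and compares it
    with the parity of the delivered output.  True means the Error signal is raised.
    Faults inside the checker itself are outside the modelled fault set."""
    return parity(out) != parity(function_block(x, y))


def inject(out: int, fault: Fault) -> int:
    """Apply a stuck-at fault (one or more output bits forced to a value)."""
    for bit, stuck in fault:
        out = (out & ~(1 << bit)) | (stuck << bit)
    return out & MASK


def classify(fault: Fault) -> Tuple[bool, bool]:
    """Check one fault against both slide properties over every input pair.

    Returns (property_1, property_2):
      property_1 (fault-secure): every input gives a correct output or a detected error
      property_2 (self-testing): at least one input makes the error detected
    Both True: totally self-checking for this fault.
    """
    secure, testing = True, False
    for x, y in product(range(1 << WIDTH), repeat=2):
        good = function_block(x, y)
        seen = inject(good, fault)
        if check_block(x, y, seen):
            testing = True
        elif seen != good:
            secure = False                 # wrong output delivered with no Error signal
    return secure, testing


def single_stuck_at_faults() -> List[Fault]:
    return [((bit, v),) for bit in range(WIDTH) for v in (0, 1)]


def totally_self_checking(faults: Iterable[Fault]) -> bool:
    """True when the component is fault-secure and self-testing for every fault in the set."""
    return all(classify(f) == (True, True) for f in faults)


if __name__ == "__main__":
    print("single stuck-at faults:", totally_self_checking(single_stuck_at_faults()))  # True
    double = ((0, 0), (1, 1))
    print("double stuck-at", double, "->", classify(double))                             # (False, True)
```

Against single stuck-at faults the parity checker makes the component totally self-checking: any single wrong bit flips the parity. The double fault shows the "for a given set of faults" caveat in action: two bits wrong at once leave the parity unchanged, so for some inputs a wrong sum leaves the block with no Error signal, and the first property is lost even though the second still holds. This is exactly the kind of check worth running before a component is trusted inside a chain of self-checking blocks.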
Page 24
Dependable space system
Architecture
  Collection of chains with self-tests
  When needed or possible, some variations
Procedures
  Explicit detection and reconfiguration
  When needed or possible, some variations
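The "explicit detection and reconfiguration" procedure and the Monitoring and Reconfiguration Unit of the standby slides (alarm watchdog, periodic backup and upload of context) can be shown end to end in a small discrete simulation. The added example below (written for this page, not part of the lecture nor of any Astrium software) has an active chain that emits a heartbeat and periodically saves its state to a context memory; when the heartbeat stops, the MRU fires the watchdog alarm, retires the failed chain, powers or selects the backup, uploads the saved context and re-arms. The element names, tick counts, start-up time, watchdog timeout and backup period are constructed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Element:
    """One redundant chain (for instance an OBC).  `counter` stands in for the
    on-board state that must survive a switch-over (constructed stand-in)."""
    name: str
    start_up_ticks: int
    powered: bool = False
    ready_at: Optional[int] = None
    failed: bool = False
    counter: int = 0

    def power_on(self, now: int) -> None:
        self.powered = True
        self.ready_at = now + self.start_up_ticks

    def power_off(self) -> None:
        self.powered = False
        self.ready_at = None

    def is_booting(self, now: int) -> bool:
        return self.powered and self.ready_at is not None and now < self.ready_at

    def is_ready(self, now: int) -> bool:
        return self.powered and not self.failed and self.ready_at is not None and now >= self.ready_at


@dataclass
class ReconfigurationUnit:
    """Monitoring and Reconfiguration Unit: alarm watchdog plus context memory.
    It only observes heartbeats; it never reads an element's internal state."""
    elements: List[Element]
    watchdog_timeout: int        # ticks without heartbeat before the alarm fires
    backup_period: int           # ticks between context backups
    active: int = 0
    context_memory: int = 0
    last_heartbeat: int = 0
    retired: Set[int] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def reconfigure(self, now: int) -> None:
        old = self.elements[self.active]
        old.power_off()
        self.retired.add(self.active)
        candidates = [i for i in range(len(self.elements)) if i not in self.retired]
        if not candidates:
            raise RuntimeError(f"t={now}: no element left to switch to")
        self.active = candidates[0]
        new = self.elements[self.active]
        if not new.powered:                   # cold standby: power on now, pay the start-up time
            new.power_on(now)
        new.counter = self.context_memory     # upload the last saved context
        self.last_heartbeat = now             # re-arm the watchdog
        self.log.append(f"t={now}: alarm on {old.name}, switched to {new.name}, "
                        f"context restored = {self.context_memory}")

    def run(self, ticks: int, fail_at: Optional[int] = None, warm: bool = False) -> int:
        """Simulate `ticks` steps; the active element fails silently at `fail_at`.
        warm=True keeps the backup powered and booted from the start.
        Returns the work counter of the element active at the end."""
        self.elements[self.active].power_on(0)
        self.elements[self.active].ready_at = 0          # already booted at mission start
        if warm:
            for i, e in enumerate(self.elements):
                if i != self.active:
                    e.power_on(0)
        for now in range(ticks):
            act = self.elements[self.active]
            if now == fail_at:
                act.failed = True
                self.log.append(f"t={now}: {act.name} fails silently (no more heartbeats)")
            if act.is_ready(now):
                act.counter += 1                         # one tick of useful work
                self.last_heartbeat = now                # heartbeat seen by the MRU
                if now % self.backup_period == 0:
                    self.context_memory = act.counter    # periodic backup of context
            elif act.is_booting(now):
                pass                                     # watchdog held off during start-up
            elif now - self.last_heartbeat > self.watchdog_timeout:
                self.reconfigure(now)
        return self.elements[self.active].counter


def simulate(standby: str = "cold", fail_at: Optional[int] = 37, ticks: int = 100) -> Tuple[int, List[str]]:
    """Two-chain configuration with constructed parameters; returns (final counter, MRU log)."""
    a = Element("OBC-A", start_up_ticks=5)
    b = Element("OBC-B", start_up_ticks=5)
    mru = ReconfigurationUnit([a, b], watchdog_timeout=3, backup_period=10)
    final = mru.run(ticks, fail_at=fail_at, warm=(standby == "warm"))
    return final, mru.log


if __name__ == "__main__":
    for mode in ("cold", "warm"):
        final, log = simulate(mode)
        print(mode, "-> work completed:", final, "of 100;", "; ".join(log))
```

Without a failure the chain completes 100 units of work. With the failure at tick 37, the cold configuration completes 86: six units done since the last backup at tick 30 are lost on context upload, and eight ticks of outage are spent on watchdog expiry plus the backup's start-up. The warm configuration completes 90 because the backup is already booted, which is the "very short reconfiguration time" of the warm-standby slide; the price is the extra context traffic and watchdog management the slide lists as added complexity. Shortening the backup period or the watchdog timeout trades lost work against false alarms, which is the tuning that the FDIR design has to settle.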
Page 25
Launcher (Ariane 5)
Page 26
Launchers: other solutions
Simplex architecture: Zenit, Proton
N-modular redundancy: Delta 4 (RIFCA)
Page 27
Manned launchers
Hermes: quadruplex architecture substituted for the launcher’s one
CTV: adapted launcher architecture with improved computer failure detection coverage
[Figure: quadruplex GNC architecture. Labels: OBC 1, OBC 2 (contexte / reprise, contrôle commande), 1553 bus, GNC1 to GNC4 buses, BC/RT bus controllers and remote terminals, IPC, TM1/TM2, BFin/BFout, reset / alimentation (power)]
Page 28
Typical satellite architecture (functional)
[Figure: functional block diagram. Labels: Telecommands (Télécommandes), Telemetry (Télémesures), Storage (Stockage), Power (Puissance), Sensors / Actuators (Senseurs / Actionneurs), Platform bus (Bus P/F), Central computer (Calculateur central), TM/TC, Payloads (Charges utiles), AOCS bus (Bus SCAO), Pyro / Thermal (Pyro / Thermique)]
Page 29
Classical satellite architecture
[Figure: nominal chain OBC N with equipments Eqt N, redundant chain OBC R with equipments Eqt R (COLD), switched by the MRE]
Reminder: Launcher
Page 30
Safety concerns (ATV): Nominal + Safety chains
[Figure: Labels: DPU1, DPU2, DPU3, DPU4, Avionics System Bus A to Bus D, MSU, FML, ALB, AVI]
Page 31
Fifty years in a spacecraft
Launchers / Satellites
“~10^-6/h”; 2 x lifetime, 90%. However:
  Launch: 6-7%
  In-orbit installation: 4-5%
  Early phase: 1.5 x 10^-6/h
  Life: 0.5 x 10^-6/h
[Chart: launch success rate (%) per year, 1955 to 2005, showing launches, 10-year mean and overall mean (90.7%)]
[Pie chart, values as extracted: 20%, 20%, 22%, 25%, 4%, 9%; categories: Propulsion, Command, Mechanical, Power, Deployment, Environment]
[Pie chart, values as extracted: 39%, 29%, 6%, 3%, 13%, 10%; categories: Propulsion, Command, Structure, Power, Separation, Explosion]
Page 32
Oupsss…
It is a long way to space!
No source of failure should be overlooked
Factory, Road…