TMCnet News

New Software Will Safeguard ATV Station Rendezvous
[June 20, 2006]

(Space Daily Via Thomson Dialog NewsEdge) If Europe's new Automated Transfer Vehicle encounters difficulties during rendezvous with the International Space Station, some highly sophisticated software will be on-hand to take over operations and avoid a potentially dangerous situation.



The ATV is a multi-functional spaceship that relies heavily on flight software to combine the fully automatic capabilities of an unmanned vehicle with the safety requirements of a crewed spacecraft.

During its automated rendezvous with the space station, the software responsible for the ultimate safety of the crew is critical and cannot be allowed the failure probability that is acceptable for non-critical software.


For that purpose, the most stringent requirements, gathered under the label Category A, are imposed on the design and development of such software to make it reach an exceptional level of robustness in order to avoid any catastrophic situation or loss of human life.

Even in the case of a malfunction, the ATV does not rely on human intervention taking over manual control of the vehicle to ensure mission success and ISS safety.

The spaceship, even after two possible failures on board, must still be safe for the ISS crew and for the station itself. The main risk resides in the critical phase of rendezvous and docking.

Because of its 20.7-ton mass, the ATV must, by all possible means, avoid a collision with the Station during the docking and de-docking operations. If control is lost at this critical phase of the mission, it could result in severe damage to the ISS.

For this purpose, the ATV relies on several automatic layers of software and hardware redundancies, which provide a high level of autonomy to the spaceship. This autonomy allows the ATV to fulfil the entire mission on its own - including recovering from two independent failures without crew input.

In the classification used by ESA's Directorate of Human Spaceflight, Microgravity and Exploration, there are four categories of software, from A to D, and all of the requirements are specific to manned flights.

The D category is applied to all the ground software that has no direct impact on the mission objectives. At the other end of the scale, the A category software is the most critical, because it is the last resort available to save the crew and the space habitat in case of major failure of the main system.

Other ISS-related human spaceflight projects already use this software classification scheme; however, Category A software has never been applied before.

"NASA has monitored the MSU progress by being involved in many reviews and has always been impressed by the professionalism exhibited by ESA during the development of this critical component," said Jerry Clubb, NASA's manager of the International Partner Avionics Integration for the ISS at Johnson Space Center in Houston, Texas.

On board the ATV, the main or Fault Tolerant Computer, and its Flight Application Software, play the role of the pilot who navigates the ATV mission. The FTC actually comprises three identical computers that monitor one another during the flight; each hosts identical software that manages the main vehicle functions - in nominal mode - according to predefined on board mission plans.

If the FTC fails during the approach phase, or the ATV maneuvers endanger the ISS, a dedicated backup computer, the Monitoring and Safing Unit, or MSU, enters into play.

This is the only computer unit on board that executes the Category A software. Already during nominal approach to the ISS, the MSU, a completely independent computer, constantly monitors the position of the ATV and the performance of the main computer by comparing it to a pre-programmed set of data.

Upon detection of a critical failure or an unsafe situation, the MSU isolates the ATV's nominal system and commands a Collision Avoidance Maneuver. This brings the ATV onto a safe trajectory within the monitoring corridor toward the ISS.

When the CAM is completed, the MSU points the vehicle toward the Sun, thus ensuring sufficient power from the solar panels during its survival mode. The MSU works with its own hardware chains and avionics lanes built independently, in order to keep the ATV functioning in case of main hardware failure.

The MSU also can be activated to execute a CAM from within the ATV Control Center in Toulouse, France, or by the ISS crew in orbit.

"The MSU and its associated systems - hardware and software - are so segregated from the main ATV systems that we can compare it to a satellite inside a satellite - like a pilot responsible for safety, hidden inside the automated spaceship responsible for the mission," said ESA astronaut Jean-François Clervoy, the senior adviser to the ATV program.

"This independent mode relies on separate computers, separate software, separate batteries, separate trajectory monitoring sensors and separate thrusters," he added. The only item shared with the ATV's main system is propellant.

The MSU itself features two identical computers, the master and the slave. The slave monitors the health status of the master, ready to take over should the latter fail; in effect, the slave works as a backup. Once the lead computer activates a CAM, the other computer - the slave - inhibits itself.
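As an added illustration (not code from ESA, EADS or the ATV project), the Python sketch below models the monitor-and-safe pattern the preceding paragraphs describe: an independent lane compares the vehicle state against a pre-programmed approach corridor and the main computer's health, commands a CAM on any violation, inhibits the other lane once the CAM starts, and hands the lead to the slave if the master fails. The corridor geometry, the telemetry fields, the thresholds and the range at which the CAM counts as complete are constructed assumptions.

```python
# Added illustration, not ESA's or EADS's code: a simplified model of the MSU's
# monitor-and-safe pattern. Corridor geometry, telemetry fields, thresholds and
# the CAM completion criterion are constructed assumptions.
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    MONITOR = "monitor"    # nominal: the FTC flies, the MSU only watches
    CAM = "cam"            # the MSU has isolated the FTC and commands the escape
    SURVIVAL = "survival"  # CAM complete, vehicle pointed at the Sun

@dataclass(frozen=True)
class State:
    range_m: float        # distance to the ISS along the approach axis
    lateral_m: float      # offset from the approach axis
    closing_mps: float    # speed toward the ISS (negative = receding)
    ftc_healthy: bool     # outcome of the MSU's check of the main computer

SAFE_RANGE_M = 2000.0     # assumed range at which the CAM counts as complete

def in_corridor(s: State) -> bool:
    """Constructed corridor: a cone and a speed cap that both tighten near the ISS."""
    half_width = 5.0 + 0.1 * s.range_m     # 5 m at contact, 25 m at 200 m range
    speed_cap = 0.1 + 0.01 * s.range_m     # 0.1 m/s at contact, 2.1 m/s at 200 m
    return abs(s.lateral_m) <= half_width and 0.0 <= s.closing_mps <= speed_cap

class Lane:
    """One MSU computer; the master and the slave are two instances."""
    def __init__(self, name: str):
        self.name, self.mode, self.inhibited = name, Mode.MONITOR, False

    def step(self, s: State, peer: "Lane") -> Mode:
        if self.inhibited:
            return self.mode
        if self.mode is Mode.MONITOR and not (s.ftc_healthy and in_corridor(s)):
            self.mode = Mode.CAM          # isolate the nominal system, start the escape
            peer.inhibited = True         # the other lane inhibits itself
        elif self.mode is Mode.CAM and s.range_m >= SAFE_RANGE_M:
            self.mode = Mode.SURVIVAL     # escape done: Sun pointing on own batteries
        return self.mode

class Msu:
    """Master/slave pair: the slave takes the lead only if the master fails."""
    def __init__(self):
        self.master, self.slave = Lane("master"), Lane("slave")

    def step(self, s: State, master_alive: bool = True):
        lead, peer = (self.master, self.slave) if master_alive else (self.slave, self.master)
        return lead.name, lead.step(s, peer)
```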

Because the MSU is the last barrier to prevent catastrophic consequences, its software has been subject to ESA's most stringent software development rules and quality assurance measures.

In addition to the analyses, code inspections and tests performed by the developer, EADS SPACE Transportation in Les Mureaux, France, ESA has appointed a separate contractor, the Danish firm ROVSING A/S, to perform independent software validation and verification.

The MSU software has been developed with the objective of extreme robustness. To achieve this, reduced complexity, 100 percent determinism and maximum testability were built directly into its design.

"In accordance with the Category A software requirements, the MSU software has been 100-percent tested on target, which means on a computer architecture similar to the flight model," said Eric Zekri, ESA ATV programme software engineer in charge of MSU development.

The tests also reproduced all the conditions the software may have to cope with, including stress and long-duration tests.

The failure tolerance requirements of the ATV, which add to the complexity of the spaceship, mean a large amount of software: there are about one million lines of code in the various computers on the vehicle, with about half that total in the FTC alone.

The MSU software, meanwhile, has been kept extremely compact and implements navigation, monitoring, and the CAM, with just 15,000 lines of code.

"This software is small on purpose; the smaller it is, the better you can test it, and such a size is needed for our ambitious verification approach," said Klaus Ludwig, ESA software manager on the ATV program.

To achieve the highest and most reliable software quality, special design and implementation rules were developed and applied to the software's code and algorithms.

Unlike in any other space programme, the entire MSU software has been subjected, line by line, to a meticulous numerical analysis to guarantee its computational stability and avoid any error.

In terms of validation and verification, a very rigorous test scheme has been put in place for the MSU software.

The independent software validation and verification team has been involved as an independent player from the very beginning of the software development, and has actively participated in all major software reviews. In addition, the ISVV team has performed independent unit and integration level testing at a dedicated ISVV test facility.

Finally, engineers performed stress tests in parallel with the developer's qualification tests. Unlike the qualification tests, whose objective is to prove the correctness and completeness of the software, the only goal of a stress test is to break the software.

"These stress tests have been conducted on carefully selected parts of the software, which have been identified during code inspections as potentially critical. And all stress test results have confirmed the robustness of the MSU software," Ludwig said.

The MSU software has been designed and developed in close collaboration between the ESA and EADS-ST technical teams, gathered in the MSU team, which comprises a dozen flight control and software specialists.

From the early development stages, ROVSING A/S has been involved in the development and test campaign of the MSU software, providing feedback on the results of their own independent assessment to the MSU team.

This collaboration started in 2001, and the qualification of the 'Category A' software was achieved in March 2006. "This development is a première in Europe, and is, above all, the result of the successful day-to-day collaboration," Eric Zekri emphasised.

For the ESA ATV team and EADS SPACE Transportation, being co-located at the same site in Les Mureaux, 50 kilometres (31 miles) west of Paris, has helped software development.

"The working relationship we had with our ESA partner is much more than contractual. A real process of emulation and mutual confidence has been built up between us over five years," said David Berthelier, the MSU project manager at EADS SPACE Transportation in Les Mureaux.

"Within our EADS integrated team, everyone was proud and motivated to develop a complete software system from top to bottom with this exceptional level of criticality. This Category A software is a first in Europe," he added.

Important lessons can be learned from this unique experience, in terms of design and testing, but also in terms of the interaction between the teams and the involvement of the ISVV team.

"If the Jules Verne mission is nominal and successful, as we expect it to be, this state-of-the-art MSU software will never be used for active control of the ATV. The MSU will just be limited to its monitoring role," Ludwig said.
