Abstract
The avionics architecture of in-orbit infrastructure elements is driven by safety: the safety of the crew inside the Columbus Orbital Facility (COF) laboratory module, and the safety of the Space Station as a whole when the automated transfer vehicle (ATV) performs a rendezvous manoeuvre. The design responses to safety requirements, and the methods and tools used for development, stem from a common concept. The paper first describes the COF Data Management System architecture, which is organised in two layers with a strict hierarchical relationship. The vital layer is in charge of COF initial activation, safety supervision and emergency mode management. The nominal layer is a distributed system organised around a local area Ethernet network; under normal conditions it is in charge of its own fault management, supported by management agents distributed throughout the system. Fault detection criteria are derived from an FMECA (failure mode, effect and criticality analysis) and also from a SEEA (software error effect analysis). Recovery actions are allocated to various decision levels in the hierarchy depending on their time criticality. In ATV the same principles apply, but the implementation is adapted to the peculiarities of an automated vehicle. Because of the time constraints bearing upon any reconfiguration, the nominal layer implements fault masking (majority voting) instead of fault detection and recovery. The vital layer is allocated the highly critical task of monitoring the spacecraft attitude and velocity and, if necessary, performing a collision avoidance manoeuvre. An end-to-end comprehensive methodology is put in place to demonstrate the compliance of the systems with technical, product assurance and safety requirements.