- 1. TABLE OF CONTENTS
- 2. ENGINEERING EDUCATION
- 2.1 PROBLEM SOLVING PHILOSOPHY
- 2.1.1 Tips When Solving Problems
- 2.2 STUDYING ENGINEERING COURSES
- 2.3 THE TOPICS OF MECHANICAL ENGINEERING
- 2.4 CALCULATIONS IN ENGINEERING
- 2.4.1 Units
- 2.4.2 Significant Figures
- 2.5 FUNDAMENTAL THEORIES
- 2.5.1 Newton’s Laws
- 3. THE PROFESSIONAL PRACTICE OF ENGINEERING
- 3.1 ADMINISTRIVIA
- 3.1.1 OBJECTIVES
- 3.1.2 COURSE INFORMATION
- 3.2 THE PROFESSION OF ENGINEERING
- 3.2.1 DEFINITION OF ENGINEERING
- 3.2.2 THE BASIC ELEMENTS OF PROFESSIONAL ENGINEERING
- 3.2.2.1 - Associations and Titles
- 3.2.2.2 - Technical
- 3.2.2.3 - The Professional Practice Examination (PPE)
- 3.2.2.4 - The License
- 3.2.2.5 - Discipline and Enforcement
- 3.2.2.6 - Experience and Character
- 3.2.3 IN GENERAL
- 3.2.3.1 - The Professional Image
- 3.2.3.2 - The Overlap of Engineers and Architects
- 3.2.4 HISTORY OF PROFESSIONAL ENGINEERING IN ONTARIO
- 3.2.4.1 - The Role of The PEO
- 3.3 REFERENCE
- 3.3.1 ENGINEERING ASSOCIATIONS
- 3.4 ETHICS
- 3.4.1 Typical Misconduct Guidelines
- 3.4.2 Typical Ethics Guidelines
- 3.4.3 Whistle Blowing (aka A Professional Engineer’s Duty to Report)
- 3.4.4 OLD PPE QUESTIONS FOR PEO
- 3.4.4.1 - Ethics Questions
- 3.4.5 HOW TO APPROACH LAW/ETHICS PROBLEMS
- 3.5 LAW IN GENERAL
- 3.6 BUSINESS LAW
- 3.7 CIVIL LAW
- 3.7.1 CONTRACTS
- 3.7.1.1 - Engineering Contracts
- 3.7.1.2 - Tort Liability and Contract Liability - Concurrently
- 3.7.1.3 - Construction Contracts
- 3.7.1.4 - Liens
- 3.7.2 EMPLOYMENT
- 3.8 CRIMINAL LAW
- 3.8.1 A Duty of Honesty
- 3.8.2 The Combines Investigations Act
- 3.9 REFERENCE
- 3.9.1 ENGINEERING ASSOCIATIONS
- 4. INTELLECTUAL PROPERTY
- 4.1 PATENTS
- 4.2 TRADEMARKS
- 4.3 COPYRIGHT
- 4.4 INDUSTRIAL DESIGN
- 4.5 TRADE SECRETS
- 4.6 REFERENCES
- 5. NEGLIGENCE & LIABILITY
- 5.1 REFERENCES
- 5.2 LAW IN GENERAL
- 5.3 BUSINESS LAW
- 5.4 CIVIL LAW
- 5.4.1 CONTRACTS
- 5.4.1.1 - Engineering Contracts
- 5.4.1.2 - Tort Liability and Contract Liability - Concurrently
- 5.4.1.3 - Construction Contracts
- 5.4.1.4 - Liens
- 5.4.2 EMPLOYMENT
- 5.5 CRIMINAL LAW
- 5.5.1 A Duty of Honesty
- 5.5.2 The Combines Investigations Act
- 5.6 REFERENCE
- 5.6.1 ENGINEERING ASSOCIATIONS
- 5.6.2 Intellectual Property
- 5.6.2.1 - Patents
- 5.6.2.2 - Trademarks
- 5.6.2.3 - Copyright
- 5.6.2.4 - Industrial Designs
- 5.6.2.5 - Trade Secrets
- 5.6.3 TORT/NEGLIGENCE
- 5.7 CANADIAN CASES
- 5.7.1 Alkok v. Grymek
- 5.7.2 Amber Size & Chemical Co. Ltd. v. Menzel
- 5.7.3 Application of Erickson/Massey
- 5.7.4 Armbro Materials and Construction Ltd. v. 230056 Investments Limited et al.
- 5.7.5 Attorney-General of Canada v. Libling et al.
- 5.7.6 Bahamaconsult Ltd. v. Kellogg Salada Canada Ltd.
- 5.7.8 Belle River Community Arena Inc. v. W.J.C. Kaufmann Co. et al.
- 5.7.9 Bethlehem Steel Corporation v. St. Lawrence Seaway Authority
- 5.7.10 Brennan Paving Co. Ltd. v. Oshawa
- 5.7.11 British Reinforced Concrete Engineering Co. Limited v. Lind
- 5.7.13 Calax Construction Inc. v. Lepofsky
- 5.7.15 City of Kamloops v. Nielsen et al.
- 5.7.16 Conwest Exploration Co. Ltd. et al. v. Letain
- 5.7.17 Corporation of District of Surrey v. Carrol-Hatch et al.
- 5.7.18 Croft Construction Co. v. Terminal Construction Company
- 5.7.19 Dabous v. Zuliani et al.
- 5.7.20 Davis Contractors Ltd. v. Fareham Urban District Council
- 5.7.21 Demers et al. v. Dufresne Engineering et al.
- 5.7.22 Derry & Peek
- 5.7.23 Dominion Chain Co. Ltd. v. Eastern Construction Co. Ltd. et al.
- 5.7.24 Donoghue v. Stevenson
- 5.7.25 Dutton v. Bognor United Building Co. Ltd.
- 5.7.26 Englewood Plumbing & Gas Fitting Ltd. v. Northgate Development Ltd. et al.
- 5.7.27 Fairbanks Soap Co. Ltd. Sheppard
- 5.7.28 Fern Brand Waxes Ltd. v. Pearl
- 5.7.29 Ford Homes Ltd. v. Draft Masonry (York) Co. Ltd.
- 5.7.30 General Electric Company, Limited v. Fada Radio, Limited
- 5.7.31 George Ho Lem v. Barotto Sports Ltd. and Ponsness-Warren Inc.
- 5.7.32 Grant Smith & Co. v. The King
- 5.7.33 Hadley v. Baxendale
- 5.7.34 Halverson Inc. v. Robert McLellan & Co. et al.
- 5.7.35 Harbutt’s Plasticine Ltd. v. Wayne Tank and Pump Co. Ltd.
- 5.7.36 Hedley Byrne & Co. Ltd. v. Heller & Partners Ltd.
- 5.7.37 Imperial Glass Ltd. vs. Consolidated Supplies Ltd.
- 5.7.38 Jackson et al. v. Drury Construction Co. Ltd.
- 5.7.39 John Burrows Ltd. v. Subsurface Surveys Ltd. et al.
- 5.7.40 Junior Books Ltd. v. Veitchi Co. Ltd.
- 5.7.41 Kamlee Construction Ltd. v. Town of Oakville
- 5.7.42 Kidd v. Mississauga Hydro-Electric Commission et al.
- 5.7.43 Kocotis v. D’Angelo
- 5.7.44 Lambert v. Lastoplex Chemicals Co. Limited et al.
- 5.7.45 MacMillan Bloedel Ltd. v. Foundation Co.
- 5.7.46 Markland Associates Ltd. v. Lohnes
- 5.7.47 Metropolitan Water Board v. Dick, Kerr and Company, Limited
- 5.7.48 Monticchio v. Torcema Construction Ltd. et al.
- 5.7.49 The Moorcock
- 5.7.50 Murray v. Sperry Rand Corporation et al.
- 5.7.51 Mutual Finance Co. Ltd. v. John Wetton & Sons Ltd.
- 5.7.52 Nedco Ltd. v. Clark et al.
- 5.7.53 Newman et al. v. Conair Aviation Ltd. et al.
- 5.7.54 Northwestern Mutual Insurance Co. v. J.T. O’Bryan & Co.
- 5.7.55 J. Nunes Diamonds Ltd. v. Dominion Electric Protection Co.
- 5.7.56 Owen Sound Public Library Board v. Mial Developments Ltd. et al.
- 5.7.57 Permutit Co. v. Borrowman
- 5.7.58 Photo Production Ltd. v. Securicor Transport Ltd.
- 5.7.59 Pigott Construction Co. Ltd. v. W.J. Crowe Ltd.
- 5.7.60 Pirelli General Cable Works Ltd. v. Oscar Faber and Partners
- 5.7.61 Pym v. Campbell
- 5.7.62 The Queen et al. v. Commercial Credit Corp. Ltd.
- 5.7.63 Ramsay and Penno v. The King
- 5.7.64 Regina v. Margison and Associates, Limited
- 5.7.65 Rex v. Bentall
- 5.7.66 Rivtow Marine Ltd. v. Washington Iron Works et al.
- 5.7.67 Robert Simpson Co. Ltd. v. Foundation Co.
- 5.7.68 Ron Engineering et al. v. The Queen in right of Ontario et al.
- 5.7.69 Royal British Bank v. Turquand
- 5.7.70 Salomon v. Salomon & Co. Ltd.
- 5.7.71 Schewebel v. Telekes
- 5.7.72 Sealand of the Pacific Ltd. v. R.C. McHaffie Ltd. et al.
- 5.7.73 Sparham Souter et al. v. Town & Country Developments (Essex) Ltd. et al.
- 5.7.74 Sutcliffe v. Thackrah et al.
- 5.7.76 Re Thomas Hackett
- 5.7.77 Township of McKillop v. Pidgeon and Foley
- 5.7.78 Trident Construction Ltd. v. W.L. Wardrop and Assoc. et al.
- 5.7.80 Viscount Machine and Tool Ltd. v. Clarke
- 5.7.81 Willard’s Chocolates Ltd. v. Bardsley
- 5.7.82 GLOSSARY
- 5.7.83 OLD PPE QUESTIONS FOR PEO
- 5.7.83.1 - Law Questions
- 5.7.84 HOW TO SOLVE LAW/ETHICS PROBLEMS
- 5.7.85 A NOTE TO YOU
- 6. LEARNING AND TEACHING
- 6.1 LEARNING IN GENERAL
- 6.1.1 Learning Theories
- 6.1.2 References/Bibliography
- 6.2 ON-LINE LEARNING
- 6.2.1 Relevant WWW Sites
- 6.2.2 References/Bibliography
- 7. THE ENVIRONMENT
- 7.1 ENVIRONMENTAL PROTECTION AGENCY (EPA)
- 7.2 LEGISLATION
- 7.2.1 Clean Air Act (CAA) 1970
- 7.3 OCCUPATIONAL SAFETY AND HEALTH ADMINISTRATION (OSHA)
- 7.4 PRACTICE PROBLEMS
- 8. SYSTEM DESIGN
- 8.1 SYSTEM FAILURE
- 8.1.1 Introduction
- 8.1.2 The Theory of Module Reliability and Dependability
- 8.1.3 The Theory of System Reliability
- 8.1.4 Design For Reliability (DFR)
- 8.1.4.1 - Passive Redundant
- 8.1.4.2 - Active Redundant
- 8.1.4.3 - Hybrid Active
- 8.1.4.4 - Other Design Points
- 8.1.5 Formal Methods For Failure Modelling
- 8.1.5.1 - Event Trees
- 8.1.5.2 - Fault Trees
- 8.1.5.3 - Causes Trees
- 8.1.6 Error Sources
- 8.1.7 Risk Control During Design
- 8.1.7.1 - Failure Modes and Effects Analysis (FMEA)
- 8.1.7.2 - Critical Items List (CIL)
- 8.1.7.3 - Failure Modes, Effects, and Criticality Analysis (FMECA)
- 8.1.7.4 - Hazard Causal Analysis (HCA)
- 8.1.7.5 - Interface Analysis
- 8.1.8 Management of Reliability
- 8.1.8.1 - Preliminary Hazard Analysis (PHA)
- 8.1.9 Implemented Risk Management Programs
- 8.1.9.1 - NASA Safety Methods
- 8.1.10 References and Bibliography
- 8.2 PRACTICE PROBLEMS
- 8.2.1 Design Applications of Risk Management
- 8.2.1.1 - The Space Shuttle Orbiter Control Computers
- 8.2.1.2 - A Mobile Service Robot for the Space Station
- 8.2.2 Case Studies In Failure
- 8.2.2.1 - Apollo 204
- 8.2.2.2 - Apollo 13
- 8.2.2.3 - The Challenger
- 8.2.3 Assignment Problems
- 8.2.4 Glossary
- 8.2.5 References and Bibliography
- 9. FORMULAS
- 9.1 ELECTRICAL RELATIONSHIPS
- 9.2 MECHANICAL FORMULAS
page 196
8.2.1 Design Applications of Risk Management
8.2.1.1 - The Space Shuttle Orbiter Control Computers
• The space shuttle uses 5 computers for flight control. The first 4 run a primary flight control system. The fifth computer runs a separate flight control program, and is only used in the most dire emergencies. The 4 redundant systems will operate separately, then compare outputs. These should be identical, but in the event of disagreement, they can vote a conflicting system out.
8.2.1.2 - A Mobile Service Robot for the Space Station
•A figure depicting the SPDM for the planned space station belongs here. [Robot arm figure not included in the extracted text.]
•All discussions in this section are based on the space station manipulator as described in SSP30000.
•The basic functions (at PMC) are classified as,
-Category 1 - requires tolerance for two consecutive failures in each system - fail safe/fail operational - basically requires 1 prime + 1 redundant + 1 backup
-Category 2 - requires tolerance for one failure in each system - failure tolerant - typically requires 1 prime + 1 backup
-Category 2S - requires tolerance for one failure in the system - fail operational
•Examples of equipment in the different categories are,
-Category 1 - The orbiter is a time critical system
-Category 2 - MBS
-Category 2S - Safety monitoring and emergency control systems
•Recall the following hazard levels, and also consider the control requirements,

Hazard Criticality | Description | Requirement
1 | Catastrophic - disables/kills personnel. Loss of vehicle or extensive damage to major ground facilities. | No combination of any two failures, either operator error or equipment faults, will result in a hazard.
2 | Critical - severe injuries to personnel, loss/use of emergency system, extensive damage to essential vehicle systems, extensive damage to ground facilities. | No single operator or equipment failure can result in a hazard.
3 | Marginal - minor injury to personnel, minor damage to vehicle or ground facilities. | Systems and equipment that can result in hazards should have two inhibiting controls.
•For the manipulator (SSRMS) hazards include,
-Criticality 1
 -payload released without command
  -possible collision
 -payload cannot be released
  -orbiter stuck to space station via SSRMS
  -orbiter collides with space station because of failed capture (docking with SSRMS)
 -motion of arm without command
  -possible collisions
 -no motion in arm in response to command
  -orbiter stuck to space station via SSRMS
•Dealing with failures,
-Criticality 1
 -all functions must be safed within 250 ms of occurrence of fault
-Criticality 2
 -report as occurs
-side effects are
 -can’t report critical failure
 -can’t safe a system
 -can’t implement alternate operation
•Isolation - we want to estimate the percentage of failures that are prevented from reaching a specific module. Typical values are,
-95% isolated through ORU
-90% isolated by online BIT (built-in test)
-5% maximum false error indication rate
• MSS Failure Tolerance Concept [Brimley]

[Table not recoverable from the extracted text. It appears to relate critical (criticality 1 and 2) failures to functional failure tolerance through redundancy (dual string drive; single string, SSRMS only; backup channel for the SPDM; 1 failure tolerant; 2 failure tolerant with backup) and to hazard control under the headings detect, safe and prevent. Entries legible in the table: BIT/BITE, brake, failsafe design, safing function, inhibit, backup drive, software interlock, system health monitor, power removal, operator interface, EVA drive, operator, detection algorithm.]

where,
-BIT - Built In Test
-BITE - BIT Equipment
-CRIT - failure CRITicality
-FT - Failure Tolerance
• Failure Detection and Isolation Coverage Scheme [Brimley]

The figure is a coverage tree; the branches legible in the extracted text are:
-100% of MSS faults are detected: 95% are detected by the system and 5% by the operator.
-Of the 95% detected by the system, 95% (90.25% of all faults) are automatically isolated by the system; the remaining 4.75% are not.
-All faults not automatically isolated by the system (4.75% + 5% = 9.75%) are isolated by the operator, supported by ground segment analysis.
-100% of MSS faults are isolated to a single ORU.
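To show where the 90.25% and 9.75% figures come from, here is an added Python illustration (not Brimley's or the MSS project's code) that walks the two-stage detect/isolate tree for any pair of coverage figures and checks that every fault ends up isolated:

```python
"""Coverage accounting for the two-stage MSS fault handling tree.

Added illustration, not code from Brimley or the MSS project: the inputs are
the two coverage figures quoted in the notes (95% of faults detected by the
system, 95% of those isolated automatically); the function generalises the
tree to any pair of figures and checks that every fault ends up isolated.
"""
from dataclasses import dataclass
from math import isclose


@dataclass(frozen=True)
class Coverage:
    """Fractions of all MSS faults (each entry in 0..1)."""
    detected_by_system: float
    detected_by_operator: float
    auto_isolated: float       # isolated by the system itself
    operator_isolated: float   # isolated by the operator with ground segment analysis


def coverage_tree(p_system_detect: float, p_auto_isolate: float) -> Coverage:
    """Walk the tree: detection splits all faults, isolation splits the system branch.

    p_system_detect : share of faults the system detects (the operator catches the rest)
    p_auto_isolate  : share of system-detected faults the system isolates by itself
    """
    if not (0.0 <= p_system_detect <= 1.0 and 0.0 <= p_auto_isolate <= 1.0):
        raise ValueError("coverage figures must be fractions in [0, 1]")
    by_system = p_system_detect
    by_operator = 1.0 - p_system_detect
    auto = by_system * p_auto_isolate
    # faults the system detects but cannot isolate join the operator-detected ones
    not_auto = by_system - auto
    return Coverage(by_system, by_operator, auto, not_auto + by_operator)


def all_faults_isolated(c: Coverage) -> bool:
    """The figure's bottom line: 100% of faults isolated to a single ORU."""
    return isclose(c.auto_isolated + c.operator_isolated, 1.0, abs_tol=1e-12)


def mss_figures() -> dict:
    """The notes' numbers, as percentages rounded to two decimals."""
    c = coverage_tree(0.95, 0.95)
    return {k: round(v * 100, 2) for k, v in vars(c).items()}
```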
• MSS Failure Management Functional Interfaces [Brimley]

[Diagram not recoverable from the extracted text. Blocks legible in the figure: MSS Failure Management, MSS Safing (initiate), failed BIT identifier, MSS Caution and Warning, SS Caution and Warning, Operator.]
• Layered defense approach for Detection of Sensor Data Failures [Brimley]

The layers listed in the figure are:
-Operator
-Communication check
-sensor consistency check
-BIT/BITE
-MSS equipment
•Failure tolerance
-fault tolerance
-single failure tolerant
-two failure tolerant for orbiter
-provide drive (EVA) for joint and LEE latch mechanisms
•Reconfigurations
-alternate data path/transmission
-reconfiguration time less than 271 seconds
•The purpose of these measures
-when a failure occurs, the software and hardware engineers must know what their systems are to do. This is the best way to get everyone to agree.
•Handling an operational failure of a computational unit may include,
-invoking off-line BIT checks with error checking algorithms
-operator visual inspections via cameras, etc.
-analysis of the unit’s memory through data dumps, etc.
-ground support failure isolation analysis
-exercising equipment with known algorithms
•Note: in the case of the SSRMS the operator may use EVA units to move the arm away from contact.
•Operators may always elect to replace failed units, if spares are available.
•A diagram of the MSS Failure Management Concept is shown below [Brimley]. It depicts a scheme for dealing with faults once they are detected. Some of the acronyms used are,
-FD - Failure Detection
-FI - Failure Isolation
-C&W - Caution & Warning
-CRIT - Failure Criticality
-EVA - Extra Vehicular Activity
-BIT - Built-In-Test
[Diagram not recoverable from the extracted text. Blocks legible in the figure, grouped by the column headings that survive: Operation - fault - Data Logging; FD: off-line bit, on-line bit, Operator detection; FI: Auto Isolation (CRIT 1,2,3), Manual Isolation (CRIT 1,2), Ground Segment Support, with C&W and the Operator alongside; Safing: safe, Auto, Manual; Recovery: Power on/off, Reconfiguration (Prime or Redundant, Prime/Redun. to Backup, EVA Drive), Recovery (Complete Mission, Bring to a safe state), Isolate, Replace, Test.]
• There is also a scheme for determining when a system has erred. This is based on a bottom-up approach where the checks for errors are made in the specific modules, and error reports are then propagated up to the high level software/hardware. The diagram below depicts the system used in the SSRMS.
IHS
MES
-processor check
-BIT/BITE checks
-subsystems checks
-power limit checks
POA-LEU
-processor check
-motor consistency check
-BIT/BITE checks
AVU
-processor checks
-BIT/BITE checks
HCA
-processor check
-HCA data check
-BIT/BITE checks
LEU
-processor check
-BIT/BITE check
-arm control data bus checks
-end effector motor module checks
-FMS data check
MCCF
-processor check
-BIT/BITE checks
-MSS local bus checks
-MSS inadvertent EE release check
-MSS safing function status
• The fault/health information for each module flows from the lower level modules, up to the Master Control level.
ACU
-processor check
-BIT/BITE checks
-MSS local bus checks
-arm control data bus checks
-SSRMS inadvertent EE release check
-SSRMS safing function status
-joint resolver check
JEU
-processor check
-BIT/BITE check
-arm control data bus checks
-joint motor module checks
-joint sensor checks
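As an added illustration (not the SSRMS software, and not from the notes), here is a small Python model of that bottom-up flow: each unit runs the checks named above and forwards failure reports to its parent, the master level orders them by criticality, and the response follows the CRIT 1/2 rules stated earlier (safing within 250 ms, report as it occurs). The criticality attached to each check is assumed.

```python
"""Bottom-up fault reporting through a hierarchy of manipulator control units.

Added example, not the SSRMS flight software: each unit runs its own checks
and hands every failure report to its parent, so the master level sees each
fault together with the path it travelled. Check names come from the notes;
JEU, ACU and MCCF are used only as labels; criticalities are assumed.
"""
from dataclasses import dataclass, field

SAFING_DEADLINE_MS = 250  # CRIT 1 faults must be safed within 250 ms (from the notes)
ACTIONS = {1: f"safe all functions within {SAFING_DEADLINE_MS} ms; auto isolation; C&W",
           2: "report as it occurs via C&W; auto isolation",
           3: "log; auto isolation"}


@dataclass
class FaultReport:
    check: str
    criticality: int        # 1 = catastrophic, 2 = critical, 3 = marginal
    path: list              # units the report passed through, lowest level first


@dataclass
class Unit:
    name: str
    checks: dict            # check name -> (passed, criticality if it fails)
    children: list = field(default_factory=list)

    def collect(self) -> list:
        """Run local checks, then merge child reports, extending each path upward."""
        reports = [FaultReport(c, crit, [self.name])
                   for c, (ok, crit) in self.checks.items() if not ok]
        for child in self.children:
            for r in child.collect():
                reports.append(FaultReport(r.check, r.criticality, r.path + [self.name]))
        return reports


def build_sample_arm() -> Unit:
    """Constructed sample state: one joint fault and one end-effector fault."""
    jeu = Unit("JEU", {"processor check": (True, 1), "joint motor module checks": (False, 2)})
    acu = Unit("ACU", {"joint resolver check": (True, 2),
                       "SSRMS inadvertent EE release check": (False, 1)}, [jeu])
    return Unit("MCCF", {"MSS local bus checks": (True, 2)}, [acu])


def master_view(root: Unit) -> list:
    """What the master level sees: worst criticality first, with path and action."""
    return [(r.check, r.criticality, "->".join(r.path), ACTIONS[r.criticality])
            for r in sorted(root.collect(), key=lambda r: r.criticality)]
```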
