NASA ARC: C. Knight (presenter), J. - PowerPoint Presentation

NASA ARC: C. Knight (presenter), J. Frank, M. Iatauro, G. Aaseng, R. Levinson, J. Ossenfort, M. Scott, A. Sweet NASA GRC: J. Csank, J. SoederNASA JSC: D. Carrejo, A. Loveless, T. NgoNASA MSFC: Z. Greenwood A M S 10 1 Autonomous Systems and Operations Core Flight Software Autonomous Systems Operation

Autonomous and Dormant Operations Future exploration destinations (e.g. Mars) will operate tens of light minutes from Earth.Small crews cannot operate complex spacecraft far from Earth without assistance from Mission ControlThe Lunar Outpost Gateway (LOP-G) is intended to prove out concepts for future Mars missions.LOP-G will be dormant (uncrewed) 10-11 months out of the year.LOP-G elements, including Habitat and Power Production Element (PPE), have numerous autonomy requirements

NASA Advanced TechnologyNASA’s Advanced Exploration Systems (AES) program develops and tests technology for LOP-G, including: Modular Power ControllerAvionics and SoftwareHabitat Autonomy TechnologyA test of these technologies required additional development effort:Systems Engineering and IntegrationTesting and Fault Injection

NASA Advanced Technology:Modular Power System

NASA Advanced Technology:AvionicsTTE Switches:Deterministic data deliveryMessage delivery redundancyNon-terministic network:AMPS End-item controlcFS: SCH, SBN, DS + DS_REPLAY, LC, L1VTriplicate Flight Computers:cFS Flight SoftwareDuplicate Flight LoadLinux support/simulation:Some cFS applications (voting, autonomy applications)

NASA Advanced Technology:Habitat Autonomy Technology Fault DetectorLeverages cFS LC – with 64-bit and “platform-endian” adds.Process system data to detect possible faults.Output is pass/fail of ‘tests’.Data cleansing for off-scale, stale data, configurationDiagnostic ExecutiveIsolate faults given tests produced by Fault DetectorUses declarative model of components and fault modesUses COTS technology (TEAMS)Fault Impacts ReasonerDetermines impacts of faults Uses same model as Diagnostic Executive

NASA Advanced Technology:Habitat Autonomy Technology Hybrid Diagnosis EngineDetect and Isolate faults from system dataUses declarative model of components and fault modesAble to reason over mixed discrete-continuous dataVehicle Systems Manager: SchedulingSchedule system activity in presence of operational constraintsReasons about power, energy, system operation modesVehicle Systems Manager: PLEXILSends commands to systemsInvokes scheduler in response to either APC or fault messages

NASA Advanced Technology:Systems Engineering and Integration Capture cFS message contentDisplay messages by sub-systemConvenient Web interfaceMessage content auto-generates cFS msg-ids

NASA Advanced Technology:Testing and Fault Injection cFS: DS_ReplayAble to replay cFS message traffic captured with standard DS toolAble to record and playback fault casesAlso able to transform other packet data with fault signaturesModular Power Systems Fault Generation toolSimulate dozens of MPS faultscFS ‘Silent Command’ to Power SystemCause MPS switch to open/close without registering normally; can simulate failed open, short circuit, power supply faults

cFS for Orion (EFT-1) Diagnostics 10Data Playback ServerOrion Telemetry DataTLM BridgeCFSData StoreSBN Linux PPC 750 VxWorks Core Flight Executive SBN SCH ACAWS FD ACAWS DE TLM_Data_Msg FD_Test_Results_Msg Diag_Results_Msg CFS Message TLM Input Legend Advanced Caution & Warning System (ACAWS) ACAWS Fault Detector (FD) performs data filtering and testing ACAWS Diagnostic Executive (DE) performs diagnostic reasoning Executes with an Orion EM-1 Fault Model Analysis & Test Architecture Orion telemetry played back into cFS environment Data transmitted via Ethernet to PPC Results returned and logged for functional verification Performance data collected on Linux host VxWorks SystemViewer Perf Data

EFT-1 Fault Model 11Model AttributeValueFailure Modes5473Components 2971Tests5372Failure Modes Per Component1.84Tests Per Component1.81 Tests Per Failure Mode 0.98 Orion Fault Model Faults in Electrical Power System and connected electrical loads Built with the TEAMS® modeling toolset TEAMS® uses a dependency model that correlates faults and their propagation paths with tests that detect indications of a fault

ASO cFS Recent Past and Near Future FY17Voting, SBN, real-time OS + cFS integrationFY18CCDD: ASO supported iPAS integrated testing by feeding input to the CCDD process and integrating the configuration into autonomy apps.Protobetter: iPAS developed framework for data management for mix-platform SBN networks. ASO demonstrated with autonomy apps.FY19+EDS: demonstrate/integrate?Further real-time OS + cFS integration.Voting 2.0 (distributed voting)?Autonomous commanding of cFS?Lua (and/or other embedded programming languages) for complex event-driven commanding scenarios? “LC++”!12

BACKUP 13

NASA ARC: G. Aaseng (presenter), J. Frank, M. Iatauro, C. Knight, R. Levinson, J. Ossenfort, M. Scott, A. Sweet NASA GRC: J. Csank, J. SoederNASA JSC: D. Carrejo, A. Loveless, T. NgoNASA MSFC: Z. Greenwood A M S 10 14 Autonomous Systems and Operations Development and Testing of a Vehicle Management System for Autonomous Spacecraft Habitat Operations

Talk Outline IntroductionLunar Outpost GatewayAutonomous and Dormant OperationsAdvanced Technology DevelopmentModular Power ControllerAvionics and SoftwareHabitat Autonomy TechnologySystems Engineering and IntegrationTesting and Fault InjectionCapability DemonstrationOperations ConstraintsScenariosLessons Learned and Next Steps15

Introduction 16EarthInternationalSpace Station(1-2 days)Moon(3-7 days)Mars(6-9 months)Lagrange Points and other stable lunar orbits(8-10 days) Near-Earth Asteroid (3-12 months) Human Exploration Destinations Robotics and Mobility Deep Space Habitation Resource Utilization Human- Robot Systems Advanced Propulsion Advanced Space Comm Advanced Spacesuits Future missions will be longer, more complex, & require new technology (o ne-way travel t imes)

NASA Advanced Technology:Core Flight Software

Future Work TTE: Level 0 voting to complement Level 1 votingAMPS: single-machine APCVSM: manage more complex operations constraintsHyDE: more complex PPA-SAB fault modelsFIR and VSM: port to Flight ComputersCCDD: auto-produce message content headers

Capability Demonstration:Loads, Operational Constraints LoadPower (Kw)PDU-RPCPriorityNotesFC10.252-21Flight computer (PPC750); live loadFC20.252-32Flight computer (PPC750); live loadFC30.252-43Flight computer (PPC750); live loadTTE10.0452-64TTE Switch. Live load. Max power.TTE2 0.0452-75 TTE Switch. Live load. Max power.TTE3 0.045 2-86 TTE Switch. Live load. Max power.SAB 0.11-17Sabatier reactor (air-side life support). Replay data. PWD0.022751-5 8 Potable Water Dispenser. Simulated.PPA0.1 2-19Plasma Pyrolysis Assembly (air-side life support). Replay data. EXP0.22-5 10EXPRESS rack (experiment hardware facility). Simulated.OGA Fan 0.31-611Oxygen Generator Assembly. Simulated. CCCA Fan0.4 1-712Cryo Cooler Compressor Assembly. Simulated. SAM0.41-8 13Spacecraft Atmosphere Monitor. Simulated.

Capability Demonstration:Power System Operational Constraints ParameterConstraintNotesSolar Array Power2.88KwAssumedMBSU Power2.88 KwCross-Strapped; 1 MBSU may power both PDU’s LoadsPDU Power2.88 KwNo load cross strappingBattery DoD30%AssumedBattery Energy1.134 KwHDerived from 30 Ah, 126VBattery Power Rate 1.235 Kw Derived from Max Eclipse duration of 55 mins

Capability DemonstrationOperational Constraints Duty Cycle constraints: system on/off mode schedule PPA: 100 minutes on, 15 minutes offSAB: 100 minutes on, 15 minutes offPWD: 15 minutes on, 1 minute offPPA-SABSAB produces methane processed by PPAPPA and SAB either both on or both offEXPContinuously on in nominal scenarioMay be powered off for max of 30 minutes(Proxy for thermal constraint on a freezer with specimens)

Capability Demonstration:Scenarios ScenarioDescriptionNotesNominalAll Systems Running, no faultsNo eclipseNominal plus eclipseAll Systems Running, no faultsEclipse (55 mins)2 FC Voting test1 FC faultedNo eclipse1 FC test2 FC faultedNo eclipse3 FC voting testInject Mangled DataNo eclipsePower System FaultLose 1 battery during eclipseDemonstrate load shed and power replanningPower System RestoredReconnect battery Demonstrate fault cleared and battery recharging Life Support Fault PPA fault Demonstrate replanning and power off SAB

Capability Demonstration:Scenarios 23Power systems fault during eclipse30% Depth of Discharge constraint violation before leaving eclipse

Capability Demonstration:Scenarios 24Power off EXP for 30 minutes, avoid violating EXP power-down (thermal) constraint30% Depth of Discharge constraint now satisfied

Capability Demonstration:Habitat Simulation FaultNumber of InstancesNotesPower Loss14Flight computer (PPC750); live loadSwitch Fail Open30Flight computer (PPC750); live loadSwitch Fail Close30Flight computer (PPC750); live loadExternal Short Circuit20TTE Switch. Live load. Max power.Circuit Overload14TTE Switch. Live load. Max power.Load Failure10TTE Switch. Live load. Max power.Internal Power Supply 10Sabatier reactor (air-side life support). Replay data. Data Corruption3Potable Water Dispenser. Simulated. Data Loss 10Plasma Pyrolysis Assembly (air-side life support). Replay data. Controller Fault4EXPRESS rack (experiment hardware facility). Simulated. Bus Short3 Oxygen Generator Assembly. Simulated.Power Card Fault4 Cryo Cooler Compressor Assembly. Simulated.