Advanced Avionics Systems for Dependable Computing in Future Space Exploration

1
Advanced Avionics Systems for Dependable
Computing in Future Space Exploration
Leon Alkalai, Savio Chau, Ann Tai Center for
Integrated Space Microsystems Jet Propulsion
Laboratory California Institute of
Technology GOMAC 2002 March 12th,
2002 leon_at_cism.jpl.nasa.gov URL
http//cism.jpl.nasa.gov Tel. 818 354-5988 Fax.
818 393 5013
2
Potential CustomersMars 09 Smart Lander/Rover
Mission

• Conduct Significant
• Science
• Sub-surface drilling
• In-situ soil/rock analysis
• Atmospheric measurements

SURFACE MOBILITY

• Demonstrate Next-Generation
• Lander/Rover Capabilities
• Global access
• latitude range
• surface elevation
• rugged terrain
• Accurate/safe landing
• Go-to mobility
• Extended mission operations

GUIDED ENTRY

• Approach
• Strong, multi-
• disciplinary team
• NASA centers
• Industry
• Universities
• Early pre-project
• with extensive
• technology program

HAZARD DETECTION/AVOIDANCE
No strawman payload yet defined, examples of
possible experiments listed
ROBUST TOUCHDOWN SYSTEM
3
Potential CustomersSolar System Exploration
(circa 2008)
Europa Orbiter/Lander
Cassini/Huygens
Titan Explorer
Comet Nucleus Sample Return
Galileo-Europa

• Exploring Organic Rich Environments
• Extreme Radiation Environments
• Extreme Temperature Environments
• Long Duration missions
• Long latency of communications
• highly autonomous operations
• miniaturization of systems
• design for high survivability, fault-tolerance,
  and high availability

Pluto/Kuiper Express
4
Potential CustomersAstrophysics (2009)
Laser Interferometry Space Antenna (LISA)
Space Interferometry Mission (SIM)

• Space based Interferometry
• High precision metrology
• Pico-meter laser interferometry
• Highly miniaturized electronics
• High performance computing
• Micro-Newton Thrusters
• Disturbance reduction control
• High Performance inertial sensors

5
Dependable Computing in Previous Deep Space
Missions

• Typical Dual-String Designs for Spacecraft

Point-to-Point Architecture
Bus-Based Architecture
Mass Memory
Mass Memory
Mass Memory
Mass Memory
Flight Computer
Flight Computer
Flight Computer
Flight Computer
I/O Interface
I/O Interface
Bus Interface
Bus Interface
Telecom
Telecom
Telecom
Telecom
Attitude and GNC
Attitude and GNC
Attitude and GNC
Attitude and GNC
Power
Power
Power
Power
Science Instruments
Science Instruments
Science Instruments
Science Instruments
6
Dependable Computing in New Generation of Deep
Space Mission

• Characteristics of New Generation of Deep Space
  Missions
• Many missions focus on autonomous landers,
  rovers, sample return, etc.
• Missions requirements are much more demanding
• Precision autonomous navigation, including
  Aero-Braking and Aero-Capture
• Precision landing
• Entry, Descent and Landing Hazard avoidance
• Much higher processing requirements
• Distributed processing
• Much higher interface bandwidth requirements
• Autonomous operation
• High speed fault detection and recovery
• The systems are physically smaller with higher
  functional density
• Shrinking mission operation budget means smaller
  mission operations team
• Must rely on on-board autonomous fault tolerance

7
High-Performance Fault-TolerantBus Architecture
Research at JPL

• Requirements for Distributed Processing, High
  Interface Bandwidth, and High Speed Fault
  Recovery Necessitate the Development of a High
  Speed Fault Tolerant Bus Architecture
• Commercial-Off-The-Shelf (COTS) Bus Standards Are
  Highly Desirable Because of Cost, Availability,
  and Performance Benefits.
• Two COTS Bus Standards Were Selected for the
  initial X2000 design
• the IEEE 1394 and I2C
• However, These COTS Buses Are Not Designed for
  the Highly Reliable Applications Such As Deep
  Space Missions. Therefore, the Focus of the
  Research is How to Achieve Highly Reliable
  Avionics Bus Architecture Using COTS Bus
  Standards

8
Baseline X2000 COTS Bus Architecture
1 to N Computers N lt 64
global memory
SIO (SIO)
SIO (SIO)
I/O Interface
Micro Controller (NVM)
PCI
PCI
1394 Bus - 100Mbps
Power Control (Bus)
(Symbolic, topology not shown)
I2C Bus - 100kbps
Power Control (Bus)
1394 Bus - 100Mbps
I2C Bus - 100kbps
IMU
Micro Controller (Power)
Micro Controller (ACS)
Single Master, Subsystem I2C Bus
IMU
PCI
Telecom
Frame Grabber
SFG
Power Control
Battery Control
Switch Module (loads)
Temp. Sensor
Switch Module (loads)
PCS
BCS
Sun Sensor Interface
Sun Sensor
RS422
ISI
IMU
RS422
Star Camera
SSA
Power Regulation Control, Valve Pyro Drive,
Analog Telemetry Sensors
Attitude Determination
9
Multi-Layer Fault Tolerance Methodology for
COTS-Based Bus Architecture

• Mutually Assisted Fault Isolation Recovery
• Different topology

• Redundant bus sets
• Diverse bus topology

• Protocol Enhancements
• Fail-Silence Protocol

• Heartbeat Polling
• Isochronous Ack
• Link Layer Fail-Silence
• Watchdog timers

System Level Redundancy (Layer 4)
Mutually Assisted Recovery (Layer 3 Design
Diversity)
Design Diversity (Layer 3)
Enhanced Fault Tolerance (Layer 2)
Enhanced Fault Tolerance (Layer 2)
Enhanced Fault Tolerance (Layer 2)
Enhanced Fault Tolerance (Layer 2)
1394 Bus Native Fault Tolerance (Layer 1)
I2C Bus Native Fault Tolerance (Layer 1)
1394 Bus Native Fault Tolerance (Layer 1)
I2C Bus Native Fault Tolerance (Layer 1)

• Header Data CRC
• Ack Packets w. Error Code
• Ack Packet Parity
• Response Packet Error Code
• Timeout Conditions
• Port Enable/Disable

• Ack bit

Presentation for Paper A Design-Diversity Based
Fault-Tolerant COTS Avionics Bus Network.
CL01-1161
10
A Framework for the Design of Highly Survivable
Avionics Systems using COTS
Design
Analysis
Fault propagation path
System Level Redundancy (Layer 4)
Leakage Q4
System Level Redundancy (Level 4)
Design Diversity (Layer 3)
Design Diversity (Layer 3)
Leakage Q3
Enhanced Fault Tolerance (Layer 2)
Enhanced Fault Tolerance (Layer 2)
Enhanced Fault Tolerance (Layer 2)
Enhanced Fault Tolerance (Layer 2)
Design Diversity (Level 3)
Leakage Q2
Enhanced Fault Tolerance (Level 2)
COTS 1 Native Fault Tolerance (Layer 1)
COTS 2 Native Fault Tolerance (Layer 1)
COTS 1 Native Fault Tolerance (Layer 1)
COTS 2 Native Fault Tolerance (Layer 1)
Leakage Q1
COTS Native Fault Tolerance (Level 1)
Fault Propagation Model of Multi-Layer Design
L. Alkalai, A. T. Tai, Long-Life Deep-Space
Applications, Computer, IEEE, Vol. 31, No. 4,
IEEE Computer Society, April 1998, pp. 37-38. S.
Chau, L. Alkalai, and A. T. Tai, "The Analysis of
Multi-Level Fault-Tolerance Methodology for
Applying COTS in Mission-Critical Systems," in
Proceedings of the IEEE Workshop on
Application-Specific Software Engineering and
Technology (ASSET'2000), Dallas, TX, March
2000.   
11
X2000 Fault Containment Regions
1 to N Computers N lt 64
global memory
SIO (SIO)
SIO (SIO)
I/O Interface
Micro Controller (NVM)
PCI
PCI
Power Control (Bus)
(Symbolic, topology not shown)
1394 Bus - 100Mbps
I2C Bus - 100kbps
Power Control (Bus)
1394 Bus - 100Mbps
I2C Bus - 100kbps
IMU
Micro Controller (Power)
Micro Controller (ACS)
Single Master, Subsystem I2C Bus
IMU
PCI
Telecom
Frame Grabber
SFG
Power Control
Battery Control
Switch Module (loads)
Temp. Sensor
Switch Module (loads)
PCS
BCS
Sun Sensor Interface
Sun Sensor
RS422
ISI
IMU
RS422
Star Camera
SSA
Power Regulation Control, Valve Pyro Drive,
Analog Telemetry Sensors
Attitude Determination
12
A Highly Reliable Distributed NetworkArchitecture
for Future Missions

• Support distributed computing
• Rich set of redundant interconnections
• Multi-layer fault tolerance design to ensure
  fault containment

L. Alkalai, S. Chau, A.Tai, J.B. Burt, "The
Design of a Fault-Tolerant COTS-Based Bus
Architecture," Proceedings of 1999 Pacific Rim
International Symposium On Dependable Computing
(Prdc'99), Hong Kong, China December 16-17, 1999.
Also, IEEE Trans. Reliability, Vol. 48, December
1999, pp. 351-359.   A. Tai, S. Chau, L. Alkalai,
"COTS-Based Fault Tolerance in Deep Space
Qualitative and Quantitative Analyses of A Bus
Network Architecture" will appear in proceedings
of HASE 99 Fourth IEEE International Symposium
on High Assurance System Engineering, Washington
DC Metropolitan Area, November 17-19, 1999.
13
Realization of Multi-Level Fault Protection
Methodology
Cable IEEE 1394 has a tree topology
Enhanced Fault Tolerance (An Example)
1
2
3
4
Design Diversity
5
6
7
8
System Level Redundancy with Diverse Topology
Presentation for Paper A Design-Diversity Based
Fault-Tolerant COTS Avionics Bus Network.
CL01-1161
14
X2000 Fault Protection Strategy
1394 Bus 1 Backup Connections
1394 Bus 2 Backup Connections
1
2
3
4
Bus 1
Root
Bus 1
Bus 1
Bus 1
Branch
Branch
Branch
Leaf
Bus 2
Bus 2
Leaf
Bus 2
Leaf
Bus 2
Leaf
1394 Bus 1
I2C Bus 1
I2C Bus 2
1394 Bus 2
Bus 1
Bus 1
Bus 1
Bus 1
Leaf
Leaf
Leaf
Leaf
Bus 2
Branch
Bus 2
Branch
Bus 2
Branch
Bus 2
Root
5
6
7
8
1394 Bus 2 Backup Connections
1394 Bus 1 Backup Connections
Presentation for Paper A Design-Diversity Based
Fault-Tolerant COTS Avionics Bus Network.
CL01-1161
15
X2000 Fault Protection Strategy

• Possible Recovery Initiator
• IEEE 1394 Root
• IEEE 1394 IRM
• IEEE 1394 Bus Manager
• I2C Prime Master

1394 Bus 1 Backup Connections
1394 Bus 2 Backup Connections
1
2
3
4
Bus 1
Root
Bus 1
Bus 1
Bus 1
Branch
Branch
Branch
Leaf
Bus 2
Bus 2
Leaf
Bus 2
Leaf
Bus 2
Leaf
1394 Bus 1
I2C Bus 1
Interrogate
I2C Bus 2
1394 Bus 2
Bus 1
Bus 1
Bus 1
Bus 1
Leaf
Leaf
Leaf
Leaf
Bus 2
Branch
Bus 2
Branch
Bus 2
Branch
Bus 2
Root
5
6
7
8
1394 Bus 2 Backup Connections
1394 Bus 1 Backup Connections
Presentation for Paper A Design-Diversity Based
Fault-Tolerant COTS Avionics Bus Network.
CL01-1161
16
X2000 Fault Protection Strategy
1394 Bus 1 Backup Connections
3 Failed
1394 Bus 2 Backup Connections
1
2
3
4
Bus 1
Root
Bus 1
Bus 1
Bus 1
Branch
Branch
Branch
Leaf
Bus 2
Bus 2
Leaf
Bus 2
Leaf
Bus 2
Leaf
1394 Bus 1
I2C Bus 1
Reconfigure
I2C Bus 2
1394 Bus 2
Bus 1
Bus 1
Bus 1
Bus 1
Leaf
Leaf
Leaf
Leaf
Bus 2
Branch
Bus 2
Branch
Bus 2
Branch
Bus 2
Root
5
6
7
8
1394 Bus 2 Backup Connections
1394 Bus 1 Backup Connections
Presentation for Paper A Design-Diversity Based
Fault-Tolerant COTS Avionics Bus Network.
CL01-1161
17
X2000 Fault Protection Strategy
1394 Bus 1 Backup Connections
1394 Bus 2 Backup Connections
1
2
3
4
Bus 1
Root
Bus 1
Bus 1
Bus 1
Branch
Branch
Branch
Leaf
Bus 2
Bus 2
Leaf
Bus 2
Leaf
Bus 2
Leaf
1394 Bus 1
I2C Bus 1
I2C Bus 2
1394 Bus 2
Bus 1
Bus 1
Bus 1
Leaf
Leaf
Leaf
Bus 1
Branch
Bus 2
Branch
Bus 2
Branch
Bus 2
Branch
Bus 2
Root
5
6
7
8
1394 Bus 2 Backup Connections
1394 Bus 1 Backup Connections
Next fault recovery needs repair before bus
switching if this node fails
18
I2C Bus Fault Protection Fail Silence
Flight Computer
Flight Computer
Microcontroller
I2C Bus
Sensor
Sensor
Actuator
Presentation for Paper A Design-Diversity Based
Fault-Tolerant COTS Avionics Bus Network.
CL01-1161
19
I2C Bus Fault Protection Fail Silence
Flight Computer
Flight Computer
Microcontroller
Timeout
Timeout
Timeout
Babbling
I2C Bus
Sensor
Sensor
Actuator
Presentation for Paper A Design-Diversity Based
Fault-Tolerant COTS Avionics Bus Network.
CL01-1161
20
I2C Bus Fault Protection Fail Silence
Flight Computer
Flight Computer
Microcontroller
Unmute
Babbling
Unmute
Unmute
I2C Bus
Unmute
Sensor
Sensor
Actuator
Presentation for Paper A Design-Diversity Based
Fault-Tolerant COTS Avionics Bus Network.
CL01-1161
21
Architecture Testbed Configuration
PCI Bus analyzer
Built-In Power Supply
Built-In Power Supply
Built-In Power Supply
cPCI bus (6U chassis)
cPCI bus (6U chassis)
cPCI bus (6U chassis)
PMC
PMC
PMC
PPC 750 (Synergy)
1394a I/F (Saderta)
1394a I/F (Saderta)
Empty Slot
Empty Slot
Empty Slot
PPC 750 (Synergy)
PPC 750 (Synergy)
1394a I/F (Saderta)
1394a I/F (Saderta)
Empty Slot
Empty Slot
Empty Slot
Empty Slot
Empty Slot
PPC 750 (Synergy)
PPC 750 (Synergy)
1394a I/F (Saderta)
1394a I/F (Saderta)
Empty Slot
Empty Slot
Empty Slot
PPC 750 (Synergy)
Empty Slot
Hard Drive
Hard Drive
Hard Drive
Terminal Server
SUN Ultra 10 Workstation
SUN Ultra 10 Workstation
Pentium III w/1394a analyzer (Saderta)
Pentium III w/1394a analyzer (Saderta)
Hard Drive
Hard Drive
SUN E3500 Workstation (35 GB HD)
PPC 750 (Synergy)
PPC 750 (Synergy)
1394a I/F (Saderta)
Empty Slot
Empty Slot
Empty Slot
PPC 750 (Synergy)
PPC 750 (Synergy)
1394a I/F (Saderta)
1394a I/F (Saderta)
Empty Slot
Empty Slot
Empty Slot
Empty Slot
Empty Slot
1394a I/F (Saderta)
cPCI bus (6U chassis)
cPCI bus (6U chassis)
Built-In Power Supply
Built-In Power Supply
Legends
Ethernet
RS232
COTS
IEEE 1394
I2C
SCSI
COTS Support Equipment
JPL In-House Product
Future Expansion
22
Example of Fault Injection in IEEE 1394 Bus
Fault Injected in the Gap Count Register in the
IEEE 1394 Bus
Before Fault Injection
After Fault Injection
23
Distributed Flight Computer Testbed
24
Guarded Software Upgrade

• Motivation
• Flight software for long life deep space missions
  have to be upgraded periodically to correct
  design bugs or due to change of mission phases
• Unprotected software upgrades have previously
  caused severe and costly damage to space missions
  and critical applications
• Objectives
• Update flight software without System Reboot
• Fall back to previous version of the software if
  failures occur during the upgrade
• Approach
• Use the old version of the software to guard
  the new version during the transition
• Turn over the control to the new software only
  when the right level of confidence is reached

A. Tai, K. S. Tso, L. Alkalai, S. N. Chau, and W.
H. Sanders, "On low-cost error containment and
recovery methods for guarded software upgrading,"
in Proceedings of the 20th International
Conference on Distributed Computing Systems
(ICDCS 2000), Taipei, Taiwan, April 2000, pp.
548-555.   A. T. Tai, K. S. Tso, L. Alkalai, S.
Chau, and W. H. Sanders, "On the effectiveness of
a message-driven confidence-driven protocol for
guarded software upgrading,'' in Proceedings of
the 4th IEEE International Computer Performance
and Dependability Symposium (IPDS 2000),
Schaumburg, IL, March 2000.  
25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
(No Transcript)
30
(No Transcript)
31
(No Transcript)
32
(No Transcript)
33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
(No Transcript)
37
(No Transcript)
38
(No Transcript)
39
(No Transcript)
40
(No Transcript)
41
(No Transcript)
42
(No Transcript)
43
Direction of Dependable Computing Researches for
Future Flight Missions

• Characteristics of Future Deep Space Missions
• Future Space Exploration Missions are ambitious
• Precision navigation control for spacecraft
  aerobraking and aerocapture
• Precision entry-descent-landing with hazard
  avoidance
• Highly autonomous operations
• Long-duration missions in extreme environments
• Miniaturized systems for sample returns, ascent
  vehicles, mobile units, etc.
• Distributed surface science - network science -
  constellations of spacecraft
• Formation flying (e.g., interferometry missions)
• These missions require a new look at high
  performance dependable computing
• Distributed processing among multiple spacecraft,
  and within a spacecraft
• High performance computing and power efficient
  computing that supports long-life, high
  availability of systems
• Autonomous, on-board fault-detection, isolation
  and repair
• Fault adaptation
• A framework for using COTS for the design of
  future, highly reliable systems

44
References

• COTS-Based Fault Tolerance in Deep Space
  Qualitative and Quantitative Analyses of a Bus
  Network Architecture, in Proceedings of the 4th
  IEEE International Symposium on High Assurance
  Systems Engineering, Washington D.C., Nov 1999
• Design of a fault-tolerant COTS-based bus
  architecture, IEEE Trans. Reliability, vol. 48,
  pp. 351-359, Dec. 1999
• The design of a fault-tolerant COTS-based bus
  architecture, Pacific Rim International
  Symposium on Dependable Computing, Hong Kong,
  China, Dec. 1999
• "The Implementation of a COTS Based Fault
  Tolerant Avionics Bus Architecture", in the
  Proceedings of the Aerospace 2000 Conference, Big
  Sky, Montana, Mar. 2000
• "COTS-based fault tolerance in deep space A case
  study on IEEE 1394 application," International
  Journal of Reliability, Quality and Safety
  Engineering, vol. 9, June 2002.
• A design-diversity based fault-tolerant COTS
  avionics bus network, in Proceedings of the
  Pacific Rim International Symposium of Dependable
  Computing (PRDC 2001), Seoul, Korea, Dec. 2001.
• Note Some of these references can be found in
  http//www.ia-tech.com/obm/

45
References

• "On the effectiveness of a message-driven
  confidence-driven protocol for guarded software
  upgrading," Performance Evaluation, vol. 44, pp.
  211-236, Apr. 2001.
• "Low-cost error containment and recovery for
  onboard guarded software upgrading and beyond,"
  IEEE Trans. Computers, vol. 51, Feb. 2002.
• Low-cost flexible software fault tolerance for
  distributed computing, in Proceedings of the
  12th International Symposium on Software
  Reliability Engineering (ISSRE 2001), Hong Kong,
  China, pp.148-157, Nov. 2001.
• "Synergistic coordination between software and
  hardware fault tolerance techniques," in
  Proceedings of the International Conference on
  Dependable Systems and Networks (DSN 2001),
  Goteborg, Sweden, July 2001.
• "Onboard guarded software upgrading Motivation
  and framework," in Proceedings of the IEEE
  Aerospace Conference, Big Sky, MT, Mar. 2001.
• "On low-cost error containment and recovery
  methods for guarded software upgrading," in
  Proceedings of the 20th International Conference
  on Distributed Computing Systems (ICDCS 2000),
  Taipei, Taiwan, Apr. 2000.
• "On the effectiveness of a message-driven
  confidence-driven protocol for guarded software
  upgrading, in Proceedings of the 4th IEEE
  International Computer Performance and
  Dependability Symposium (IPDS 2000), Schaumburg,
  IL, Mar. 2000