Backup Systems are Crucial to a Safe and Successful Orion Mission
NASA’s Orion spacecraft will take humans far: first to the Moon (more than 238 thousand miles away), then to Mars (more than 211 million miles away). To put that distance in perspective, a journey around the Earth covers just over 24,901 miles.
Traveling so far into space makes it hard to return home if your mission encounters problems.
“If you’re an astronaut and you’re out orbiting the Moon in Orion and your only flight computer has a problem and stops working, you’re sitting there in whatever orbit you happen to be in and you’ve got no way home – that’s a bad day,” said Dr. George Schamel, Lockheed Martin’s Orion Avionics, Power and Wiring Responsible Systems Engineer.
Orion’s computers provide significantly faster computing speed than other human spaceflight vehicles: just one of Orion’s redundant computers is only 75% the weight of the sole computer aboard Apollo, has 128,000 times more memory and is 20,000 times faster. Technology so powerful needs to work and work well.
That’s where redundancy comes in.
“Knowing the possible dangers of deep space travel, Lockheed Martin designed redundancy into Orion’s flight computer system, with not one, but four flight computers that can each operate the spacecraft independent of the others,” said Dr. Schamel. “And if all four primary computers fail, there’s a fifth backup computer that would take over.”
Cold, Warm…Getting Warmer: How Redundancies Work
Redundancy in operating systems means having either a second, duplicate system to your main system or a backup system that replicates the functionality of your main system.
Redundancies are built into Orion’s systems at every possible level, from its wiring to solar panels to parachutes. But one key software redundancy is in Orion’s flight computers.
Orion’s four flight computers and their ability to each operate the spacecraft independently serve as an example of a hot redundancy – a redundancy in which two systems operate in parallel, both sending the same commands to the spacecraft, with the first command to arrive getting acted on. This means that should something happen to one of those systems, the other one is right there to take over with seamless operation.
Orion’s fifth backup flight computer is an example of a warm redundancy, where a system is powered on – not actually operating and commanding, but warm and ready to take over with no boot-up time.
The last type of redundancy – cold – is not powered on and takes outside action to start operating when the main system fails.
Redundancy is built into Orion, mainly in the form of hot and warm redundancies, at every possible level, says Dr. Schamel. “For human space flight, redundancies are required pretty much whenever possible. The main concern is the safety of the astronaut, so if something is critical to functionality and safety, those systems become the primary candidates for hot redundancy.”
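A small model of the hot, warm and cold behaviour described above, added here as an illustration and not Lockheed Martin's or NASA's code. The computer names, latencies, cycle counts and the assumption that a silent cycle is detected immediately are all constructed.

```python
# Constructed model: names, latencies and cycle counts are illustrative,
# not Orion flight-software values.
PRIMARY_LATENCY_MS = {"FC1": 2.0, "FC2": 2.4, "FC3": 1.7, "FC4": 2.9}


def arbitrate(arrivals):
    """Hot redundancy: act on the first command to arrive, drop the duplicates."""
    if not arrivals:
        return None
    return min(arrivals, key=lambda a: a[1])[0]  # arrivals are (source, arrival_ms)


def simulate(standby, cycles, fail_at, boot_cycles=3):
    """Return, per control cycle, which computer's command was acted on.

    standby -- "warm" (powered on, not commanding) or "cold" (powered off)
    fail_at -- {primary name: first cycle in which it no longer commands}
    None in the result marks a cycle in which no command reached the spacecraft.
    """
    timeline, standby_ready_at = [], None
    for cycle in range(cycles):
        arrivals = [(name, ms) for name, ms in PRIMARY_LATENCY_MS.items()
                    if cycle < fail_at.get(name, cycles)]
        source = arbitrate(arrivals)
        if source is None:                    # every primary is silent
            if standby_ready_at is None:      # first silent cycle: start takeover
                delay = 0 if standby == "warm" else boot_cycles
                standby_ready_at = cycle + delay
            if cycle >= standby_ready_at:
                source = "BACKUP"
        timeline.append(source)
    return timeline


def missed_cycles(timeline):
    """Count control cycles in which nothing was commanding."""
    return sum(1 for source in timeline if source is None)


if __name__ == "__main__":
    all_fail = {name: 2 for name in PRIMARY_LATENCY_MS}
    print("one primary lost:", simulate("warm", 5, {"FC3": 2}))
    print("warm standby:    ", simulate("warm", 6, all_fail))
    print("cold standby:    ", simulate("cold", 6, all_fail))
```

Losing one hot primary costs no cycles because the next-fastest duplicate command is already arriving. The warm standby also leaves no gap, while the cold standby leaves the vehicle uncommanded for its whole boot time.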
From Risk to Redundancy
To build effective redundancies on Orion, the Lockheed Martin team first set out to understand the risks the spacecraft could be exposed to during the mission.
Gary Epstein, Manager for Specialty Engineering on the Orion program, leads a team responsible for, among many tasks, “looking at things that can go wrong on the mission,” both qualitatively and quantitatively.
“We try to determine what can go wrong, what the consequences are and what the probabilities associated with those events are,” said Epstein. “We use this information to help the engineering and program leadership team make risk-informed decisions about design.”
At Lockheed Martin, risk assessment is used as a system engineering tool.
“Our team works closely with other engineering teams and program leadership to make sure our risk findings don’t stand alone but are used to make important improvements to the spacecraft,” said Epstein.
Crucial Redundancies on Orion
Flight Control Computers: Orion has four identical flight control computers that can operate independently of each other, plus a backup fifth computer.
Auxiliary Engines: Eight auxiliary engines serve as backup to Orion’s main engine and can support all necessary propulsion and maneuvering.
CM Reaction Control: The Crew Module has dual string reaction control systems.
Uprighting System: If one of the 5 uprighting airbags – intended to upright Orion if it lands inverted in the water – experiences a failure, the remaining four can still upright the vehicle.
Wiring: Each of Orion’s redundant systems is independently wired in case of wire damage.
Solar Panels: Orion has four identical solar panels that can each operate independently. The spacecraft can operate with three or even two in case of failure.
Batteries: There are four main batteries – any two of which can get the vehicle home.
Environmental Control and Life Support Systems: Built-in redundancies in thermal control, cabin pressure, oxygen and CO2 controls and water systems.
Parachute deployment: Orion’s parachutes are deployed via cues from the navigation system. If that system fails, a barometric altimeter will deploy the chutes based on altitude measurements. Additionally, Orion has three main parachutes and can land safely with two if one does not deploy.
Navigation: Orion has three inertial measurement units and two star trackers supporting the craft’s navigation for increased accuracy and support should one device fail. As an added redundant layer to navigation, Orion also has an optical navigation camera that can identify Orion’s position in space without any communication to Earth. And when near the GPS satellite constellation, Orion is also capable of navigation on GPS signals.
Displays & Controls: Orion’s ‘glass’ cockpit provides fully redundant crew controls and displays with over 60 GUI formats and interactive electronic procedures - a first in spacecraft history.
Network Systems: Orion runs a three-plane network operating system so if a network connection fails, the network continues to support software functions.
Testing is Key
Risk assessment occurred on Orion throughout the design phase and continues now in the assembly and integration phase. Risk assessments are part of the tests performed on the spacecraft’s various redundancies to ensure all systems are go for launch.
Alexandra Starkman, Senior Systems Engineer for the Displays and Controls System on Orion, says testing for the system she supports involves first testing of individual components, and then additional testing when these components are integrated into the spacecraft.
“We initiate failure of the system or certain parts of the system to test the redundancies in place,” said Starkman. “We test in our Integrated Test Lab, which is our Orion mockup, and as we’re integrating the vehicle at Kennedy Space Center.”
Testing, risk assessment and redundancies all come back to the main priority – astronaut safety.
“Lockheed Martin designed the systems in Orion to be able to effectively get astronauts out to deep space and back home,” said Dr. Schamel. “And the ‘get us home’ part is most important there – get us home and get us home safely.”