Safety and autonomy make the ATV unique
Thanks to its unique level of on board autonomy and safety, the Automated Transfer Vehicle (ATV) is the first fully automatic re-supply spacecraft of its kind. The ATV, even in case of malfunction, does not rely on human intervention to take over manual control of the vehicle to ensure mission success and ISS safety.
The ATV relies on additional automatic layers of safety and failure management, which provide a high level of autonomy. This autonomy allows the ATV to fulfil the entire mission on its own, including responding to two independent failures, from navigation in orbit, to rendezvous manoeuvres towards the ISS, and finally docking with the ISS without crew input.
Due to this autonomy requirement, the ATV has a very high level of automation and its automatic systems, in case of failure, can isolate failed equipment and reconfigure the vehicle to use the built-in redundancy. The only action required of the astronauts on board the ISS and controllers on Earth is to monitor the ATV rendezvous. At specific hold points planned during the mission, the flight controllers at the ATV Control Centre in Toulouse will also provide a “GO” command to authorize the spaceship to continue the mission.
"The ATV has no manual capability as a back-up and is fully automatic. That is why we have implemented - in the design - additional layers of safety, redundancy and surveillance by automatic systems", says Richard Chase, the ESA ATV engineer who is in charge of safety for the programme. "And the more you add redundancy and safety layers, the more complex your spacecraft is."
A new philosophy
Like the Russian Progress re-supply ship, the much heavier 20.7-tonne ATV can dock safely to the ISS in the unlikely event of total absence of crew on board. The ATV also has the capability to accomplish its mission alone, even in the case of a failure. The built-in ATV autonomy makes it different from the US Space Shuttle, which does not have automatic rendezvous capability.
The ATV is also different from the three-person Soyuz capsule and the unmanned Progress, which rely on manual takeover by the crew (directly for Soyuz, remotely for Progress) to cope with malfunctions during the nominal automatic approach. In this respect, the ATV could almost be called the Autonomous Transfer Vehicle.
In addition to this autonomy, the ATV must also fulfil the ISS man-rated safety requirements because it docks with the Station. Its pressurised cargo carrier must also satisfy the safety and human-factors requirements applicable to the habitable modules of the ISS.
Two-failure tolerance and one million lines of code!
The ATV architecture must respect a tough requirement: the spaceship, even with any combinations of two possible failures on board, must still be safe for the ISS crew and for the Space Station itself.
The ATV must also be one-failure tolerant for mission success: the critical phase of docking or undocking must always succeed after one failure and, most of the time, can still succeed after two; in either case the vehicle must always remain safe.
To respect these requirements, the ATV propulsion and avionics architecture incorporates both functional and hardware redundancy. For example, the main computer (FTC – Fault Tolerant Computer) that navigates the ATV mission is actually comprised of three identical processing chains. In addition, a completely independent computer (MSU), itself incorporating two chains, monitors the performance of the main computer.
The autonomy of the ATV and the failure tolerance requirements mean that a large amount of software is needed. In total, there are about one million lines of code in the various computers on the vehicle, with about half of that total in the FTC alone. Since the MSU is the final barrier to prevent catastrophic consequences, its software has been subject to ESA's most stringent software development rules and quality assurance measures. In addition to the analyses, code inspections and tests performed by the developer, a separate contractor has been tasked to perform independent software validation and verification.
The ATV is also required to meet quantitative reliability requirements for a successful docking (reliability prediction of 0.99) and for overall mission success from Ariane 5 launcher separation to re-entry six months later (reliability prediction of 0.95). The ATV system reliability prediction shows compliance with these requirements, which are essentially guidelines.
Four automatic layers of safety
Even though the ATV represents the state of the art in automated spacecraft, the Space Station crew will monitor the automatic rendezvous using independent means before welcoming the arrival of its cargo.
As we said, the crew members cannot manually pilot the ATV by remote control but, for the inaugural flight of the ATV, called Jules Verne, they will carefully monitor its performance from inside the Russian Service Module using a video camera and an independent range and range rate system. They have the capability to interrupt the rendezvous manoeuvre at any moment if they consider their safety is at stake. The ISS crew, on its own, can command a Hold, Retreat, Escape or Abort, depending on the observed anomaly.
In case of a serious problem during rendezvous, the crew will act only as a last resort. This crew monitoring capability, which is important for the Jules Verne demonstration flight, is not an extra layer of safety in the architecture of the ATV itself; it is a means for the crew to exercise a minimal remote control over the robot-like vehicle if needed.
In other words, off-nominal scenarios should be handled automatically by one of the four existing layers of safety already implemented, on board and on the ground, for this highly automated spacecraft. The different monitoring methods and their failure responses are implemented at different levels of the design.
Crew monitoring
If a failure occurs at a distance greater than 20 m, the main action for the crew is to report it to mission controllers: the vehicle is far enough away for the ground controllers, who have access to all the data and not just a limited selection, to take the best decision. At distances closer than 20 m, the crew will send the ATV away using the Escape mode if the ATV leaves the approach-monitoring corridor or if the safety system malfunctions. Abort has the same effect as Escape but uses independent software and hardware; it is used as a last resort should the main ATV computers or piloting hardware fail completely.
"The Abort system is so segregated, that is to say independent, that we can compare it to a pilot, responsible for safety, hidden inside the main satellite responsible for the mission", says ESA astronaut Jean-François Clervoy, the senior advisor to the ATV programme. "This independent mode relies on different computers, different software, different batteries, different trajectory monitoring sensors and different thrusters. The only item shared with the main system of the ATV is propellant."
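The two-layer arrangement described in this article (a majority-voting main computer made of identical chains that isolates a dissenting chain and keeps flying on its remaining redundancy, plus a segregated monitor with its own software that can send the vehicle away when the main computer's output is invalid or unsafe) can be made concrete with a small simulation. The Python model below is an added example written for this page, not ESA or Astrium flight software: the chain names, the closing-rate corridor of 0.1 m/s, the injected fault (a failed chain commanding five times the nominal rate) and the mapping of the monitor's verdicts onto Escape and Abort are all assumptions for the example, since the article does not say which unit issues which command.

```python
"""Toy model of layered failure management on an automated rendezvous
vehicle. Added illustration for this article, not ESA/Astrium flight code;
all numbers, names and fault behaviours below are assumptions."""
from dataclasses import dataclass


@dataclass
class Chain:
    """One of the identical processing chains inside the main computer."""
    name: str
    failed: bool = False     # chain computes a wrong command
    isolated: bool = False   # voter has excluded the chain

    def compute(self, nominal):
        # Constructed fault: a failed chain commands five times the
        # nominal closing rate (assumption).
        return nominal * 5.0 if self.failed else nominal


class FaultTolerantComputer:
    """Three identical chains with majority voting. A chain that disagrees
    with the majority is isolated and the vehicle keeps flying on the
    remaining chains (built-in redundancy reconfiguration)."""

    def __init__(self, n_chains=3, tol=1e-6):
        self.chains = [Chain(f"FTC-chain-{i}") for i in range(n_chains)]
        self.tol = tol

    def active(self):
        return [c for c in self.chains if not c.isolated]

    def command(self, nominal):
        outputs = [(c, c.compute(nominal)) for c in self.active()]
        for _, value in outputs:
            agreeing = [c for c, v in outputs if abs(v - value) <= self.tol]
            if len(agreeing) >= 2:
                for c, v in outputs:          # isolate the dissenters
                    if abs(v - value) > self.tol:
                        c.isolated = True
                return value
        return None   # no majority: the main computer has no valid output


class MonitoringSafetyUnit:
    """Independent monitor with its own software. It does not take part in
    the vote; it only checks the main computer's command against an
    approach corridor. The verdict-to-Escape/Abort mapping is an assumption."""

    def __init__(self, max_closing_rate=0.1):   # m/s, assumed corridor limit
        self.max_closing_rate = max_closing_rate

    def verdict(self, ftc_command):
        if ftc_command is None:
            return "ABORT"    # main computer failed: independent abort path
        if abs(ftc_command) > self.max_closing_rate:
            return "ESCAPE"   # command leaves the corridor: send vehicle away
        return "GO"


def simulate(fail_at, nominal=0.05, steps=4):
    """Run guidance cycles; fail_at maps a step number to the list of chain
    indices that fail before that step. Returns, per step, the monitor's
    verdict and the chains still active after voting."""
    ftc = FaultTolerantComputer()
    msu = MonitoringSafetyUnit()
    history = []
    for step in range(steps):
        for idx in fail_at.get(step, []):
            ftc.chains[idx].failed = True
        verdict = msu.verdict(ftc.command(nominal))
        history.append((verdict, [c.name for c in ftc.active()]))
        if verdict != "GO":
            break   # vehicle has been sent away; the rendezvous is over
    return history


if __name__ == "__main__":
    print("no failure:       ", simulate({}))
    print("one failure:      ", simulate({1: [0]}))
    print("two failures:     ", simulate({1: [0], 2: [1]}))
    print("two at once:      ", simulate({1: [0, 1]}))
    print("common-mode error:", simulate({}, nominal=0.5))
```

The five scenarios reproduce the distinction the article draws between mission success and safety. One failed chain is outvoted and isolated, and the approach continues on two chains. A second, later failure leaves the two survivors disagreeing with no majority, so the main computer has no valid output and the independent monitor aborts: docking is lost but the Station stays safe. Two chains failing at once with the same wrong output outvote the healthy one, and so does a common-mode guidance error that all three chains compute identically; in both cases only the segregated corridor check catches the problem, which is the point of a monitor that shares no software with the computer it watches.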
The crew surveillance role is important since it gives the crew a minimum capability to control their own safety. At the same time, on the ground, the ATV-CC flight director can also interrupt the ATV's approach, even if the crew does not see any showstopper.
In case of a serious problem during the rendezvous, the crew will act only as a last resort. This crew monitoring capability is not necessary to meet the safety requirements imposed on the ATV, but it does provide an extra level of assurance for failure cases that might have been missed in the detailed safety analyses performed on the system. In other words, it allows the ISS crew to keep high authority over the unmanned vehicle.
"The stringent safety and autonomy requirements on ATV have led to a design that is unique in the history of space flight. The vehicle is capable of completing its mission autonomously even after one failure and will not threaten ISS safety even after two failures", says Richard Chase. The flight controllers on the ground and the ISS crew also have intervention capabilities in the unlikely case of unforeseen events the vehicle cannot handle by itself.