NASA Orion Space Capsule Has Surprising Brain
New manned spacecraft will use a flight computer adapted from jetliners for deep space missions to the asteroids and Mars.
NASA's Orion Spacecraft: 9 Facts
NASA's Orion Spacecraft: 9 Facts (Click image for larger view and slideshow.)
You wouldn't expect NASA to power the brains of a manned spacecraft bound for the asteroids or Mars with a computer from Best Buy. Yet with the Orion spacecraft being prepared for a first unmanned test flight in December, the space agency has inched to something more like an off-the-shelf design -- by NASA standards, anyway.
Instead of being a completely custom computer, the flight mission computer in charge of the new space capsule is adapted from a computer avionics platform used aboard jetliners -- albeit with substantial accommodations for radiation hardening and redundancy. The onboard network will also be more standard, capable of working with any Ethernet-connected device but also of achieving real-time precision.
Looking much like an overgrown Apollo system, Orion is intended to return NASA to the business of manned space exploration, taking astronauts far beyond the altitude of the International Space Station or any height attained by the late, lamented Space Shuttle. Orion is what survived after the cancellation of the Constellation program in 2010, a more modular approach to developing the components needed for deep space exploration. Most likely, its first mission will be to an asteroid, although ideas for a Mars mission are also being kicked around. First, Orion must prove itself with an unmanned test flight scheduled for December, followed by a planned 2017 flight that is to integrate a new high-powered booster. The first manned flight is still several years away.
The main goal of December's Exploration Flight Test-1 will be to test the new heat shield and bring the space capsule home intact. However, the computer system and associated sensor and control electronics -- collectively known as the avionics package -- will also be getting a workout, since the plan is for the spacecraft to fly itself without human intervention.
"There are a couple of hundred commands we could send to the vehicle, but they are for all contingency or emergency operations," explained Matthew Lemke, Orion Avionics, Power and Wiring Manager at NASA, who works with Lockheed-Martin and its subcontractors on the flight control systems. If all goes as planned, however, mission planners still want to make sure to test their ability to send a remote command, he said. "So we're making up a dummy command, if you will, so we can send a command and the spacecraft will answer back, 'yes, you did.' But we expect it all to work smoothly."
"The spacecraft is capable of doing the mission itself," he added, "although of course once you add a crew, it becomes even more capable."
Figure 1: NASA's Matthew Lemke oversees Orion's avionics
The avionics system has gone through extensive testing on the ground, but the test flight will show how all the components work together when integrated into a complete system and subjected to all the extremes of radiation and vibration that only a real space flight can provide, he said.
Orion will be the first reusable manned spacecraft that parachutes back to Earth for a water landing, a model that hasn't been used by the U.S. space program since Apollo. In part, the Orion program is using a simpler design reminiscent of the spacecraft designs of the 1960s in an attempt to improve on the safety record of the shuttle program, which was marred by both the disintegration upon reentry of the Columbia in 2003, as well as the Challenger explosion of 1986.
Instead of building a new space truck to replace the shuttle on missions to Earth orbit, NASA is hoping that private firms like SpaceX and Orbital Sciences will graduate from carrying supplies to the ISS to delivering crews there. That would provide a welcome degree of independence for astronauts who in recent years have been dependent on hitching rides with the Russians. If private contractors can handle transport to low Earth orbit, that will free NASA to get more aggressive about going where no man (or woman) has gone before.
Like Apollo, the Orion crew capsule will be launched into space atop a stack of booster rockets, which will be discarded along the way. Also like Apollo, the crew module is joined to a service module that includes its primary engines and oxygen tanks for operations in space, but only the conical crew compartment returns to Earth. Unlike with Apollo, Gemini, and Mercury, the Orion space capsule is designed to survive a water landing without letting its major electronic systems be rendered useless by salt water corrosion.
We spoke with Lemke about how NASA's approach to the computing component of spaceflight is changing with this program.
InformationWeek: Is there anything particularly exotic about the Orion flight computer? What stands out most about this design?
Lemke: Our vehicle master computer is from Honeywell and it's based on the 787 avionics they did for Boeing. So one new thing for NASA is we're not designing the computer from the ground up just for space, which is how we did shuttle. That was very, very expensive. Using commercial technology really reduced the cost of our flight computer. Then all we have to do is live with some disadvantages. The big one we have is radiation tolerance. A commercial airliner doesn't care about radiation -- it doesn't see very much. But we go up through the Van Allen Belt, farther into deep space, encountering heavy doses of radiation potentially. So we've done things to upgrade the computer. We've replaced individual piece parts with radiation-hardened components. Then we look at redundancy on the vehicle and say, "what if we allow radiation to happen to certain components" and [the flight computer] goes down. Well, we need another computer just in case. That's still a lot cheaper than trying to design one that is never going to have a problem.
IW: So you will have a second computer running in parallel?
Lemke: We're actually going to have a spare flight computer running the same software. Both computers will think they are flying the vehicle. Neither one knows if it's flying or not, but if one goes out the other just takes over seamlessly and keeps on flying while the other comes back up after being hit by radiation.
Throughout the design, there are a lot of themes like that.
IW: Are they comparing against each other to see if one has an error or the results from calculations are inconsistent?
Lemke: The shuttle computers used to compare -- they had four computers comparing every output against every other output, to make sure they were all saying the exact same thing. But once again, that was very custom, and it was expensive.
Each of our flight computers is actually a self-checking pair. We have two 750 processors [PowerPC 750 FX] on a single board within a computer. Those two are checking each other to make sure they are getting the same answer. If those two self-checking pairs ever find they're not getting the same answer, they just fail silently. They just don't do anything [for the current computing operation].
At the same time, we have a whole second computer doing that same self-checking on its own processing. The whole idea is we don't have to vote count on the two computers because they're internally doing that themselves to make sure they're consistent. Because if they're not, they just fail silently and reset themselves.
IW: I wouldn't think an airliner computer would be equipped to run a spacecraft -- or are the differences more at the level of software?
Lemke: Exactly, it's all about the software. You'd be surprised how similar an aircraft is to a spacecraft. You have engines you have to run. You have cooling and heating systems on the aircraft, and you have all the sensors. But in general to the flight computer, it's just a bunch of I/O - sensor inputs in and flight control signals out.
We're not just taking a commercial flight computer designed for an aircraft and putting it on our spacecraft, but it's based on that design.
IW: And part of the purpose of the December flight is to prove this all works?
Lemke: Kind of. We've done most of our avionics testing on the ground. Through simulation, we can test most of it. What the test flight is going to give us that we can't get anywhere else is all the environments at once -- vibration, shocks space, hot and cold and radiation -- all those at once.
IW: The published specs also say something about "algorithmic autocode generation" -- is that something new and exotic?
Lemke: It's new and exotic for NASA, but not for industry in general. Are you familiar with Matlab? With that software, you can very quickly develop algorithms and test them out, and it lets you see that graphically. What Matlab means for us is we can work with the control team and those guys can design all their flight algorithms, all their test algorithms in Matlab. They can test it and get it working perfectly. Then you push a button in Matlab and it automatically generates C code. Then you take that C code directly into the flight software, and there you have it -- no coding, no chance of misinterpreting something that the designer wanted in the software.
This is about designing the trajectory of the spacecraft, the maneuvering of the spacecraft, like how it's going to dock. It used to be they'd use a tool like Matlab to design all that - and then they'd write a set of requirements.
IW: So this is about how you're designing the software, as opposed to how it operates in space?
Lemke: Exactly. That's a big deal for us because it costs us a lot of money to prove that the software we're going to run in space is perfect, that it's not going to have a problem. The closer we can get to making that development time collapsed from having an engineer designing that and getting it right to having it run on the spacecraft -- that reduction of time saves us a lot of money.
IW: Isn't there also something new about the networking?
Lemke: That's actually one of the most unique things we're doing. It's never flown in space before. It's called Time Triggered Gigabit Ethernet.
It's your standard gigabit Ethernet that you could go buy for your home or your office, except that we've put this extra layer on top of it. By making it time triggered, that lets us guarantee timing of data coming in and going across the network. This design lets us use all the advantages of an Ethernet network, and it also gives us the reliability and the timing of a custom-built military or spacecraft network.
We're the first ones to use it. It came from a company called TTTech In Austria. They've actually turned it into an SAE standard and are trying to get other folks interested. It lets us use things like commercial hardware -- say, a a video camera that talks Ethernet -- onto the network as well as the flight computer that controls the engines. And the two won't interfere with each other.
IW: Aside from flight control, do you use more standard equipment like commodity laptops for other purposes the crew might have like doing their email?
Lemke: We're going to leverage off what shuttle did and what space station is now doing. Yes, we use commercial off the shelf -- just as you'd buy them at Best Buy -- laptops on space station. The thought is, yes, they are susceptible to radiation, so sometimes they reboot. And you have to expect that. And sometimes they break. The radiation hits the wrong part, and it breaks, it's no good anymore -- and you get another one. You can go buy a laptop for $1000 today. If we were to try to develop a radiation hardened one, it would be way too big and bulky -- and cost of tens of millions of dollars to develop it.
So it actually makes sense for us, for non-life-critical tech, where no one's life depends on it, to actually just use the commercial equipment as it is. You zccept that it could fail and fly a couple of extra ones.
One of the biggest issues is making sure that they're safe, like the glass on the display - we need to make sure that they never shatter.
That guides us on which commercial laptop to use. We'll buy a bunch of different brands and fly the ones that are safe, from a crew perspective.
Orion is going to do a lot of the same things.
IW: Whereas with the mission computer, you started with a commercial system and hardened it against radiation?
Lemke: What we do is select different parts. You might use a commercial memory part in computer, but NASA has tested a lot of memory chips. We've replaced the memory chips with ones that we know are radiation tolerant. We use transistors that are typically not affected by radiation. So it's the same basic design, but we've swapped out parts.
IW: So is the expense in the design, even more than the hardware?
Lemke: The hardware is this big recurring cost, but we don't fly it all that often. So that's not quite as important to us as it is to an airliner. The man hours to design it, and test it, and prove that it's going to work in all our situations -- that's where the true expense comes in.
IW: What would you say have been the most diff challenges to overcome?
Lemke: The number one problem has really been math and budget. We're trying to build the largest capsule that's ever been built. It looks a lot like Apollo, but if you put the two next to other, this is so much larger. You make it bigger, then it's heavier. Being able to keep it affordable, that's where the real challenge is.
IW: To be honest, when I heard about the test flight coming up, I thought "didn't they cancel that whole program?"
Lemke: That's why we're so eager to talk to people like you -- to show we're still here, we're still working on exploration.
(Transcript edited for length and clarity.)
Our new survey shows federal agencies focusing more on security, as they should, but they're still behind the times with cloud and overall innovation. Read InformationWeek's Government IT Priorities digital issue.
About the Author
You May Also Like