VEX design report - TOC

VEX design report - TOC

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : ii

SUMMARY

This document summarises the main design characteristics of the Venus Express spacecraft.

The detailed description is presented in the Venus Express User Manual Volume 2.

Document controlled by

Astrium

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : iii

DOCUMENT CHANGE LOG

Issue/

Revision

1/0

Date

31/01/03

Modification Nb

2/0 06/02/04

Modified pages Observations

First issue for PDR

Astrium

2/0 All

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : iv

PAGE ISSUE RECORD

Issue of this document comprises the following pages at the issue shown

Page

Issue/

Rev.

Page

Issue/

Rev.

Page

Issue/

Rev.

Page

Issue/

Rev.

Page

Issue/

Rev.

Page

Issue/

Rev.

Astrium

TABLE OF CONTENTS

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : v

1.

SPACECRAFT OVERVIEW ..................................................................................................1.1

1.1

D

ESIGN DRIVERS

..................................................................................................................1.1

1.2

S

PACECRAFT

M

AIN CHARACTERISTICS

...............................................................................1.3

1.3

S

PACECRAFT CONFIGURATION

............................................................................................1.5

1.4

S

PACECRAFT

A

RCHITECTURE

..............................................................................................1.6

1.5

C

OORDINATE SYSTEM

..........................................................................................................1.8

2.

SCIENCE PAYLOAD ..............................................................................................................2.1

2.1

THE

V

ENUS

E

XPRESS

M

ISSION AND PERSPECTIVES

............................................................2.1

2.2

T

HE

V

ENUS

E

XPRESS

S

CIENCE

P

AYLOAD

...........................................................................2.2

2.3

S

CIENCE

P

AYLOAD

D

ESIGN

.................................................................................................2.2

2.3.1

ASPERA.......................................................................................................................2.3

2.3.2

MAGNETOMETER .....................................................................................................2.4

2.3.3

PFS ..............................................................................................................................2.5

2.3.4

SPICAV........................................................................................................................2.6

2.3.5

VeRa ............................................................................................................................2.7

2.3.6

VIRTIS .........................................................................................................................2.8

2.3.7

VMC ..........................................................................................................................2.10

3 MECHANICAL DESIGN ........................................................................................................3.1

3.1

D

ESIGN

D

RIVERS

.................................................................................................................3.1

3.2

S

PACECRAFT

C

ONFIGURATION

............................................................................................3.2

3.3

L

AUNCH

C

ONFIGURATION

...................................................................................................3.6

3.4

D

EPLOYED

C

ONFIGURATION

.............................................................................................3.12

4.

THERMAL CONTROL DESIGN...........................................................................................4.1

4.1

T

HERMAL CONTROL DESIGN APPROACH

..............................................................................4.1

4.2

T

HERMAL

C

ONTROL

C

ONFIGURATION

................................................................................4.4

4.3

T

HERMAL

C

ONTROL

O

VERVIEW

.........................................................................................4.6

4.3.1

Thermal control features.............................................................................................4.6

4.3.2

Radiators .....................................................................................................................4.8

4.3.3

Multilayer insulation.................................................................................................4.10

4.3.4

Heating system ..........................................................................................................4.11

5.

ATTITUDE AND ORBIT CONTROL SYSTEM ..................................................................5.1

Astrium

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : vi

5.1

AOCS

BASIC CONCEPTS

......................................................................................................5.1

5.2

AOCS H

ARDWARE ARCHITECTURE

.....................................................................................5.2

5.3

AOCS M

ODE ARCHITECTURE

.............................................................................................5.5

5.4

AOCS

GENERIC FUNCTIONS

..............................................................................................5.15

5.5

AOCS

MODE TRANSITIONS

................................................................................................5.20

5.6

H

IGH

G

AIN

A

NTENNA

M

ANAGEMENT

...............................................................................5.24

6.

PROPULSION SYSTEM ARCHITECTURE........................................................................6.1

6.1

D

ESIGN

D

ESCRIPTION

..........................................................................................................6.2

6.1.1

Pressurant Subsystem..................................................................................................6.2

6.1.2

Propellant Feed Subsystem .........................................................................................6.5

6.2

L

AYOUT

...............................................................................................................................6.6

7 ELECTRICAL AND POWER ARCHITECTURE ...............................................................7.1

7.1

OVERVIEW

...........................................................................................................................7.1

7.2

ELECTRICAL POWER

.............................................................................................................7.2

7.2.1

Power Generation .......................................................................................................7.4

7.2.2

Power Storage .............................................................................................................7.8

7.2.3

Power Control ...........................................................................................................7.10

7.2.4

Main Bus Power Distribution ...................................................................................7.12

7.3

PYRO DEVICES

...................................................................................................................7.14

7.4

GROUNDING

& EMC..........................................................................................................7.16

7.4.1

Grounding .................................................................................................................7.16

7.4.2

EMC ..........................................................................................................................7.18

8 RF COMMUNICATIONS .......................................................................................................8.1

8.1

OVERVIEW

...........................................................................................................................8.1

8.2

A

NTENNAS ACCOMMODATION

............................................................................................8.2

8.3

TT&C

CONFIGURATIONS ACCORDING TO THE MISSION PHASES

.........................................8.3

8.4

R

EDUNDANCY AND

FDIR

PRINCIPLES

.................................................................................8.4

8.4.1

LGA communications ..................................................................................................8.4

8.4.2

HGA communications .................................................................................................8.4

8.4.3

FDIR principles...........................................................................................................8.5

8.5

UPLINK

(O

N

-B

OARD

R

ECEPTION

)........................................................................................8.6

8.6

D

OWNLINK

...........................................................................................................................8.7

8.7

R

ADIO

S

CIENCE OPERATIONS

..............................................................................................8.8

8.8

RFC

COMPATIBILITY

...........................................................................................................8.9

9.

DATA HANDLING ARCHITECTURE .................................................................................9.1

9.1

O

VERVIEW

...........................................................................................................................9.2

9.2

CDMU.................................................................................................................................9.4

9.3

I

NTERFACE

U

NITS

................................................................................................................9.8

Astrium

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : vii

9.4

S

OLID

S

TATE

M

ASS

M

EMORY

...........................................................................................9.10

10 SOFTWARE ARCHITECTURE ......................................................................................10.1

10.1

S

OFTWARE COMPONENTS AND ASSOCIATED FUNCTIONS

..................................................10.2

10.2

S

OFTWARE INTERFACES

....................................................................................................10.4

10.3

P

ROCESSOR

M

ODULE

F

IRMWARE

......................................................................................10.7

10.4

DMS

AND

AOCS

SOFTWARE

............................................................................................10.9

10.4.1

DMS and AOCMS SW layered breakdown ...............................................................10.9

10.4.2

Common DMS/AOCS SOFTWARE .........................................................................10.11

10.4.3

DMS Application Software......................................................................................10.12

10.4.4

AOCMS Application Software.................................................................................10.13

10.5

SSMM S

OFTWARE

..........................................................................................................10.14

10.6

S

TAR

T

RACKER SOFTWARE

.............................................................................................10.15

10.7

IMP

SOFTWARE

...............................................................................................................10.16

10.8

T

RANSPONDER

S

OFTWARE

..............................................................................................10.17

10.9

I

NSTRUMENTS SOFTWARE

................................................................................................10.18

11 FDIR PRINCIPLES............................................................................................................11.1

11.1

FDIR H

IERARCHY

.............................................................................................................11.1

11.2

G

ROUND

FDIR

SUPPORT

...................................................................................................11.4

11.3

H/W R

ECONFIGURATION OF

C

ENTRAL

C

OMPUTING AND

C

OMMUNICATIONS

..................11.6

11.4

DMS S

YSTEM

S/W-

IMPLEMENTED

FDIR..........................................................................11.9

11.5

S

UBSYSTEM

L

EVEL

..........................................................................................................11.11

11.6

TT

&

C FDIR SUMMARY

......................................................................................................11.13

11.7

P

OWER

FDIR S

UMMARY

.................................................................................................11.16

11.8

AOCS FDIR ....................................................................................................................11.18

11.9

U

NIT

L

EVEL

.....................................................................................................................11.24

11.9.1

Failure Management of Intelligent Units................................................................11.24

11.9.2

Failure management of CDMS non-intelligent modules ........................................11.25

12 RELIABILITY AND REDUNDANCY ARCHITECTURE............................................12.1

12.1

R

EDUNDANCY

R

EQUIREMENTS

.........................................................................................12.1

12.2

R

EDUNDANCY SCHEMES

....................................................................................................12.2

12.3

R

EDUNDANCY DESCRIPTION

..............................................................................................12.4

13.

SPACECRAFT BUDGETS ................................................................................................13.1

13.1

M

ASS AND

P

ROPELLANT

B

UDGETS

...................................................................................13.1

13.2

P

OWER

B

UDGETS

...............................................................................................................13.4

13.3

L

INK

B

UDGETS

..................................................................................................................13.7

13.4

L

INES

B

UDGETS

.................................................................................................................13.8

13.5

P

OINTING BUDGETS

...........................................................................................................13.9

13.6

S

OFTWARE BUDGETS

.......................................................................................................13.11

Astrium

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : viii

13.7

R

ELIABILITY

B

UDGETS

....................................................................................................13.12

Astrium

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.1

1. SPACECRAFT OVERVIEW

1.1 DESIGN DRIVERS

The major objective of the Venus Express spacecraft design is to cope with Venus Express mission requirements with extensive reuse of Mars Express design, in order to take maximum benefit of the recurrence, and minimize development risks. As a consequence, Venus Express spacecraft is very similar to Mars Express:

- Same system concept: body mounted instruments, fixed RF antennas and 2 solar arrays mounted on one-degree-of-freedom mechanisms.

- Same structure, with only local changes,

- Same propulsion subsystem,

- Same avionics units,

- Same operational concept: Earth pointing in steady state, in order to allow communication with Earth 8 hours per day and battery charging, alternate with Venus observation during specific portions of the orbit.

However, there are specific Venus Express mission features that have lead to design changes, mainly regarding thermal control, RF communication and power subsystem:

- Science mission: new payloads must be accommodated (VIRTIS, VMC, VERA and MAG).

Two payloads that were design drivers to Mars Express have been removed (BEAGLE and

MARSIS).

- Venus thermal environment: since Venus is much closer to the Sun than Mars (0,72 AU instead of 1,5 AU), the thermal flux is four times higher in Venus vicinity than in Mars vicinity, i.e. twice higher than on Earth.

- Venus radiation environment: it is closely related to the distance to Sun, thus quite more stringent for Venus Express than for Mars Express.

- Planets configuration: around Mars, Earth vector is always within +/- 40° of the Sun vector, which helps keeping the cold face away from the Sun. Since Venus is an inner planet, there is no longer such convenient property.

- Distances to Earth: Venus maximum distance to Earth is smaller than Mars maximum distance to Earth (1,72 AU instead of 2,7 AU).

- Venus gravity: it is quite bigger than Mars gravity (0,81 Earth gravity instead of 0,11). One of the consequence is that more

V is needed for injection, which leads to propellant mass increase. Finally, operational orbit duration is driven by the tank capability, and happens to be

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.2

much longer than for Mars Express (24h instead of approximately 7h). In addition, spacecraft velocity at pericentre is also much bigger (about 9 km/s instead of 4 km/s).

It was possible to accommodate all new payloads with no major change w.r.t. Mars Express structure.

The biggest challenge was to implement VIRTIS, that has very stringent thermal requirements (infrared detectors must be kept at very low temperature). It was achieved by coupling VIRTIS to a dedicated radiator located on the “cold face” of the spacecraft, as well as for PFS. This cold face needs to be kept permanently away from the Sun.

Beside the accommodation of new payloads, the main driver to the spacecraft design is obviously the thermal design. Considering the planets configuration and the need to keep the cold face away from the Sun, it was deemed necessary to implement a second High Gain Antenna in the opposite direction to the main High Gain Antenna.

Alternate use of HGAs, combined with an optimised attitude guidance law, allows to keep the Sun in a narrow area, located between +X and +Z, during the steady state Earth pointing phase. This solution allows to satisfy with good margins the thermal constraints w.r.t. to both the cold face and the

Propulsion face. In addition, external coatings must be modified w.r.t. Mars Express, in order to minimize the thermal flux entering the spacecraft.

Spacecraft resources sizing (i.e. thermal control and power subsystem) is driven by the characteristics of the observation phase. Indeed, thermal flux is entering the radiators in this phase, thus increasing the temperature inside the spacecraft. This leads to a time limitation for observation phase. In the same way, battery discharge occurs in this phase, since Solar Arrays cannot be perfectly oriented towards the Sun. This also leads to time limitation for this phase, mostly in eclipse seasons.

Spacecraft resources sizing has been done on the basis of a sizing case, as defined per Mission

Requirement Document. It corresponds to 95 minutes of Nadir-pointing observation around pericentre.

Due to the high thermal flux in Venus vicinity, it was necessary to enforce the radiators efficiency w.r.t. Mars Express. One of the consequence is that more heating is necessary during Cruise phase and during Earth pointing phase. As a consequence, minor changes of the power subsystem have been deemed necessary, in order to cope with more stringent requirements. In particular, increase of the

Battery Discharge Regulator capability (from 250W to 300W) was implemented.

Finally, one of the major design change regards the Solar array. It was proven that use of Silicon cells, as for Mars Express, is not suitable for Venus Express, due to the fact that Venus thermal environment leads to a very wide temperature range for solar cells, thus to a wide voltage range that would not be compatible with Power Control Unit. GaAs cells will be used instead, since they are much less sensitive to temperature as well as to radiation environment. Each solar array wing is twice smaller than for Mars Express (2 panels per wing instead of 4), due to the fact that thermal flux is higher, and that GaAs cells are more efficient.

As a conclusion, it was possible to cope with Venus Express mission requirements while keeping the changes w.r.t. Mars Express to the minimum.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.3

1.2 SPACECRAFT MAIN CHARACTERISTICS

Main characteristics of the baseline design are presented hereafter:

- Mechanical design: Mars Express structure concept has been fully reused, with only local changes. The core structure is a honeycomb parallelipedic box sizing about 1.7 m length, 1.7 m width and 1.4 m height, reinforced by 3 shear walls, and connected to a cylindrical Launch

Vehicle Adapter.

The solar array is composed of two wings, providing a symmetrical configuration favourable to aerobraking technique and minimising torques and forces applied on the arrays and the drive mechanisms during the Venus insertion manœuvres performed with the main engine.

Within the overall integrated design of the spacecraft, four main assemblies are planned to simplify the development and integration process: (1) the Propulsion Module with the core structure, (2) the Y lateral walls, supporting the spacecraft avionics and the solar arrays, (3) the Y/+X shear wall and the lower and upper floors, supporting the payload units, and (4) the

X lateral walls supporting the High Gain Antenna (+X) and the instruments radiators (-X).

- Thermal control: passive control is kept, as for Mars Express. However, external coatings shall be modified, in order to minimize the thermal flux entering the spacecraft. In particular, black MLI shall be replaced by multi-layer Kapton MLI (as for Rosetta).In addition, OSR shall be used on the lateral radiators and on the solar arrays. On LVA ring, alodine shall be replaced by clear sulphuric anodisation.

- AOCS: as for Mars Express, Attitude Control is achieved using a set of star sensors, gyros, accelerometers, reaction wheels and 10N thrusters. Modification of communication strategy lead to minor changes in the guidance function. In addition, on-board ephemeris calculation is now offered, in order to improve the spacecraft autonomy.

- Propulsion : A bi-propellant reaction control system is used for orbit and attitude manoeuvres by either a 400 N main engine or banks of 10 N thrusters. It is the same as Mars Express, except the pipe routing had to be modified due to change of pyros valves. In addition, propellant load must be increased, because

V requirement is more stringent than for Mars

Express.

- Electrical design: The Electrical Power generation is performed by Solar Arrays. GaAs cells shall be used instead of Silicon cells, because they are less sensitive to temperature and to radiation. Since they are also more efficient, 2 panels per wing are sufficient to meet the power requirements. 820W BOL is achieved in Earth vicinity, which is the sizing case. At least 1380W EOL is then available in Venus vicinity, which is much more than the requirement (1100W). Once around Venus, the spacecraft is thus very tolerant to mispointing of the Solar Array (up to 45°).

Power storage is performed by 3 Lithium-Ion batteries (24 Ah each), as for Mars Express.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.4

Mostly because of heating budget augmentation, PCU modification is needed, in order to increase BDR capability (from 250W to 300W).

A standard 28 V regulated main bus is offered to the payload instruments.

- RF: planets configuration, combined with the need to keep the “cold face” (-X) away from the

Sun, lead to implement a second HGA antenna (HGA2), that will be used during approximately one fourth of the mission, centred around the inferior conjunction. It is similar to Rosetta “MGA” (i.e. offset antenna, 0,3m diameter). Only the mechanical support had to be modified. Due to its small dimension, HGA2 is X-band only.

Main HGA (HGA1) is very similar to the one of Mars Express, with a smaller diameter (1,3m instead of 1,6m), because maximum distance is smaller.

The RF Communications function will transmit X Band telemetry 8 hours per day at rates between 19 and 228 kbps depending of the Venus to Earth Distance. An average of 2 Gbits of science data can thus be transmitted to Earth every day.

A variable telecommand rate of 7.81 to 2000 bps (overall) is foreseen during up to 8 hour per day.

Top-floor LGA orientation is modified w.r.t. Mars Express, in order to take into account the planets configuration.

- Data Handling: the existing Mars Express design allows to fulfil Venus Express requirements with no modification.

- Software: modifications with Mars Express are mostly limited to RF communication function and AOCS function.

1.3 SPACECRAFT CONFIGURATION

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.5

Figure 1.3-1 : Spacecraft In-Orbit Configuration

1.4 SPACECRAFT ARCHITECTURE

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.6

Figure 1.4-1 : Spacecraft Architecture

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.7

Figure 1.4-2 : Spacecraft Electrical Architecture

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.8

1.5 COORDINATE SYSTEM

The origin of the spacecraft Reference Frame, named Os, is located at the separation plane between the spacecraft and the adapter, at the centre of the interface diameter of 937 mm. q

The Xs axis is contained in the SC/LV separation plane, and oriented toward the High Gain

Antenna 1 side of the spacecraft. q

The Zs axis is coincident with the launcher X1-axis. It represents the SC line of sight toward

Venus during science operation. q

The Ys axis is contained in the SC/LV separation plane, and oriented so as to complete the right handed co-ordinate system. It is therefore parallel to the solar array plane. In launch configuration, the +Ys Venus Express spacecraft axis is located in the (Y1-Soyuz, Z1-Soyuz) quadrant at 45 deg from +Y1-Soyuz axis.

The (Ob, Xb, Yb, Zb) Reference Frame is structure related, and is no more used at S/C or operations level.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.9

Figure 1.4-1: Spacecraft coordinate axes

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

1.10

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.1

2. SCIENCE PAYLOAD

2.1 THE VENUS EXPRESS MISSION AND PERSPECTIVES

The first phase of Venus exploration, started in the sixties with the unprecedented series of early

Venera, Pioneer-Venus and Vega missions. These allowed for a first and basic description of the conditions prevailing in the atmosphere and the near-environmental sphere of the planet, or even at its surface from very time limited measurements obtained from landers or balloons.

The more intrusive and intensive radar imaging, with the late Venera or Magellan orbiters combined with Galileo or Cassini fly-by images, have greatly expanding our knowledge in the geology and geophysics fields. They have revealed, hidden behind a curtain of dense clouds, an exotic planetary world, which is still full of mysteries.

But, many of the questions raised on the processes sustaining these conditions remain unsolved:

Is it possible to explain, by in-situ measurements of the various plasma species – from energetic neutrals, to ions and electrons - the drastic evolution of the terrestrial atmosphere of

Venus into this wild world of carbon dioxide and sulphuric acid micron size droplets?

How to explain the global atmospheric circulation, as seen from the typical ultra-violet and infrared markers (from various poorly known constituents), in which the deep atmospheric layer shows a zonal and retrograde super-rotation – 20 times the planet one - with velocities decreasing from up to 120 m/s at the cloud tops down to almost 0 near the surface?

In fully exploiting the recently discovered near-infrared windows in the high and middle atmospheres, can we close the gap between the low atmosphere vertical composition and the still to be demonstrated surface volcanism?

Thus, a combination of spectrometers, spectro-imagers and imagers covering a wavelength range from

UV to thermal IR, along with a full plasma analyser, should be able to map and analyse the entire

Venus atmosphere from about 200 km – or even higher – altitude to the surface (through the fine atmospheric transparency window).

Most of the instruments are re-using design and / or spare hardware originated from either Mars

Express or Rosetta program. As for Mars Express, the Venus Express instrument complement has been confirmed as being highly suitable for such a planetary mission.

Fitted onto a spacecraft bus designed from the original Mars Express one, but thoroughly adapted to the specific Venus thermal environment, the science payload will gather from orbit – and over a typical 500 Earth day overall mission duration – a consistent data set of measurements, which will be made available to the science community.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.2

2.2 THE VENUS EXPRESS SCIENCE PAYLOAD

The Venus Express science payload is contained in seven instruments with a total mass of slightly less than 90 kg. Most of the instruments are re-using design and / or spare hardware originated from either

Mars Express or Rosetta program.

Acronym Heritage

ASPERA-4

Mars Express

(ASPERA-3)

MAG

PFS

Rosetta Lander

(ROMAP)

Mars Express

(PFS)

SPICAV

Mars Express

(SPICAM)

VeRA

VIRTIS

VMC

Principal Investigator Payload Objective

S.Barabash (IRF / Neutral and Ionised Plasma Analyser

Kiruna, Sweden)

T.Zhang (OAW / Graz,

Austria)

Magnetometer

CNR / Rome, Italy)

JL.Bertaux (SA CNRS

/ Verrières, France)

Infrared Fourier Spectroscopy

Atmospheric spectrometry by Star or

Sun Occultation in the Ultraviolet to

Mid Infrared Range Range

Radio Sounding of the Atmosphere Rosetta (RSE) B.Haeusler (UniBW /

Muenchen, Germany)

Mars Express

(HRSC / SRC) and Rosetta

(OSIRIS)

Meudon, France) and

G.Piccioni (IASF CNR

/ Rome, Italy)

W.Markiewicz (MPAe

/ Lindau, Germany)

Atmosphere and Surface

Spectrographic Mapping from the

Ultraviolet and Visible to Mid

Infrared Ranges

Ultraviolet and Visible Multi-spectral

Camera

The Venus Express Science Payload

The VMC instrument is the only fully new system, although re-using some design heritage. The other instruments are deeply based on their prime Mars Express or Rosetta background.

2.3 SCIENCE PAYLOAD DESIGN

While originated from other programs, both design and accommodation of the Venus Express science payload has experienced some iteration work, from the kick-off and subsequent SRR. Have been mainly concerned ASPERA (MU no more located onto top floor, but on –Y wall), VeRa (no more mounted onto shear wall, but onto –Y wall), SPICAV with the SOIR channel thermal coupling, and

VIRTIS with the definition of its interface structure.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.3

2.3.1 ASPERA

The ASPERA experiment (for Analyzer of Plasma and EneRgetic Atoms) consists of two plasma measurement units, located on two different walls of the Spacecraft structure:

The Main Unit (MU) provides electron and neutral sensors (namely ELS, NPI and NPD), together with scanning (one-axis mechanism) and central experiment electronics; this unit is placed on the –Y wall of the S/C, the scanner rotation axis being parallel to the Y direction;

The Ion Measurement Assembly (IMA) complements the plasma measurements through a non-rotating design (large FOV); the unit is placed on the S/C bottom floor.

ASPERA Main Unit (MU) and Ion Measurement Assembly (IMA), from Mars Express

Compared with Mars Express, no major design change is to be noticed.

Anyway, to cope with the Venus thermal environment:

• to cope with the direct – and significant – planet flux, when the nadir instruments are operated, a new location for the MU has been defined, on the +Y wall, but finally not impacting the

Mars Express defined mechanical environment,

• and some thermal adaptation has been worked out for the sensors (e.g. enlarged radiating surfaces, use of new MLI and coatings).

In addition, and specific to Venus Express, more ASPERA analyses are to be concluded on:

High energy radiations effects on EEE parts (both IMA and MU being not significantly protected by the S/C structure, as are the optical instruments, some limited “spot shielding” is to be introduced),

And general behavior wrt UV radiation (in relation with Sun vicinity), in particular as the experiment MLI is concerned (the S/C MLI solution is to be re-conducted here).

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.4

2.3.2 MAGNETOMETER

The Magnetometer experiment (or MAG), looked as a complement of ASPERA, is made of two measurement sensors, external to the S/C, both controlled by a centralised electronics (MAGE).

The design of the sensors (of fluxgate type) is re-conducted from the Rosetta design (ROMAP).

One sensor (MAGIS) is mounted directly on the S/C top floor, to measure the S/C magnetic “near proximity field”. The second one (MAGOS) is fitted to the extremity of a 1-meter deployable CFRP boom, to assess the “mid proximity field”. This very specific accommodation allows for a vector combination of the MAGIS and MAGOS measurements to retrieve the undistorted field (no magnetic constraint imposed to the S/C).

The boom is attached to the S/C top floor for launch, and released when around Venus.

The Magnetometer Boom and One Sensor Unit, from Rosetta Lander

In addition, the potential implementation of the external sensor at the far end of the S/C HGA2 structure is possible, as a fall back option. Despite its early impact on the procurement scheme of the new HGA2 (through CASA), this programmatic approach allows to insure MAGOS proper fitting, even in case the deployable boom development would not be conclusive.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.5

2.3.3 PFS

The PFS instrument, a Planetary Fourier transform Spectrometer (in a quite extended infrared range, from 0.9 to 50 microns), aims in the “vertical optical sounding” of the Venus atmosphere. Its design relies on an optical module “O”, a pointing unit “S” (to orientate the measurement beam), and two electronic boxes for power control / distribution “P” and instrument control “E”.

The PFS opto-mechanical design is fully re-conducted from the MEX one, with some minor (but reversible) modifications basically located within the optical interferometer.

The Mars Express PFS Interferometer

The optical modifications are aimed for a better scientific exploitation of the NIR transmission window, as recently discovered within the dense Venus atmosphere. These are limited to:

A new laser diode (for cinematic control), operating at 0.9 µm instead of 1.2 µm;

And to a new Short Wave (SW) detector (PbS + PbSe sandwich instead of PbS), for covering an enhanced wavelength range, down to 0.9 µm, now.

The module-S (pointing unit) will be slightly adapted – at the level of its coatings (gold replaced by silvered taping) – to cope with the new Venus thermal conditions.

From another hand, the module E has been slightly re-worked to allow for operational flexibility

(EEPROM replacing PROM), and science data production enlargement (imaging mode). The other module P is kept unchanged.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.6

2.3.4 SPICAV

The SPICAV instrument (for Spectroscopic Investigation of the Characteristics of the Atmosphere of

Venus) is an imaging spectrometer operating in various wavelength ranges: UV (0.12 to 0.32 µm), near IR (0.8 to 1.5 µm / SPICAM SIR design) and mid IR (2 to 4.4 µm / SOIR design).

This payload is primarily designed to perform “horizontal sounding” (direction along the tangent to the planet) measurements of the Venus atmosphere, either from star or Sun occultation. In pointing either specific bright stars (from catalogue) or the Sun, the instrument will acquire significant spectra of these astronomical objects when virtually entering the Venus atmosphere (because of the relative movements of S/C wrt the planet), and will allow for their comparison. This will then give clues to analyse the Venus atmosphere content – e.g. water content, SO2 / volcanic effects, HDO escape / trap phenomena - through differential (thus self-calibrated) measurements.

In complement, the instrument may operate in the “Nadir mode” (SPICAM only), thus pointed towards the Venus planet surface for “vertical sounding”.

The SPICAM Instrument Core, from Mars Express

The SPICAV design features two independent channels:

The SPICAM channel (Mars Express repeat / use of the MEX spare parts), operating in both occultation and Nadir pointing modes; its only adaptation for VEX lies with its mechanical interface with the “new” SOIR channel;

And the SOIR channel, the Sun occultation experiment, using a dedicated IR optics / detector assembly (together with cooling unit), located on top of SPICAM.

This SOIR channel is to be linked to a S/C radiator to allow for its proper cooling down.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.7

2.3.5 VeRa

The VeRa (Venus Radio science Assembly) measurements use an enhanced S/C RF system in

“horizontally sounding” the Venus atmosphere in directing the HGA towards Earth – as for nominal

S/C communications – during specific occultation paths. This will occur when the Venus atmosphere region under study is optimally placed between the S/C and Earth.

Consequently, the VeRa experiment does consist in:

Incorporating a USO (Ultra Stable Oscillator) – together with its connecting harness - within the S/C RF system, through a direct link between USO and the TRSP’s (transponders)

And operating the S/C in specific conditions making the use of the RF link as a support science (radio sounding) measurements of the Venus atmosphere

The VEX USO design is similar (optimally identical) to the one of Rosetta.

RFDU

DIPL 1

S-Band Rx 1

LGA 1

(+Z)

X-Band Rx 1

LGA 2

(-Z)

DIPL 2

S-Band Tx 1

X-Band Tx 1

USO

HGA 1

S-Band Rx 2

DIPLX

X-Band Rx 2

S-Band Tx 2

TWTA 1

DIPLX

X-Band Tx 2

HGA 2

TWTA 2

WIU

The VeRa Experiment – with its USO - is expanding the S/C RF System Capabilities

Around the Venus planet, the operations of VeRa will be “unique”, in the sense the S/C HGA1 will have to be directed to Earth for specific S/C-to-Venus conjunctions, while no S/C data transmission will be allowed for an optimal accuracy of the sounding measurements.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.8

2.3.6 VIRTIS

The instrument (Visible and Infra Red and Thermal Imaging Spectrometer) is a near UV / visible and infrared spectro-imager (from 0.25 to 5 µm wavelength range), working in various operating modes, and covering a large range of observations from pure high-resolution spectrometry to spectro-imaging.

The main scientific goals of VIRTIS – a key instrument within the science payload - are from the atmosphere detailed analysis (all layers, clouds and markers tracking…) to any potential surface measurement (temperature mapping, hot spots…), including surface / atmosphere interaction phenomena (meteorology, volcanism…).

The “core” VIRTIS design is fully re-conducted from the Rosetta one. No change has been recorded yet, but the needed adaptation (minor, indeed, but existing) of the IEEE 1355 protocol on the highspeed link (dedicated to science data retrieval).

The VIRTIS Opto-mechanical Unit (from Rosetta)

The instrument measurement unit consists of two independent channels, grouped within an Opto-

Mechanical (OM) unit:

The “M-Channel”, operating in the 0.3-to-1 µm (CCD) and 1-to-5 µm (photo-conductive

HgCdTe) spectral ranges, linked to a “PEM-M” proximity electronics;

And the “H-Channel”, operating in the 2-to-5 µm (photo-conductive HgCdTe / 436x270 pixels detector matrix) spectral range, with its “PEM-H” proximity electronics.

These two channels are operated through a centralised system located within a Main Electronics (ME) unit, which fully drives the overall instrument.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.9

The critical opto-mechanical part of the instrument is fitted to a specific interface plate (worked as part of the Spacecraft structure) to get its cryo-coolers (M- and H-channels) well connected – through heat pipe system – to their specific radiator.

It is to be noted here that the “de-icing” heaters needed for Rosetta, to be operated during the hibernation phase, may be removed from the VEX design (i.e. not connected), if the operations of the

S/C – as for Mars Express – incorporate the orientation of the cryogenic panels towards sunlight in case of any identified radiator performance problem linked to “icing”.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 2.10

2.3.7 VMC

The VMC science payload (for Venus Multi-spectral Camera) is devoted to the cartographic imaging of the Venus atmosphere, directed towards UV-markings, O2 airglow and near IR emission of surface and lower atmosphere. VMC is basically used in connection with VIRTIS, but with a higher imaging frequency while its spectral resolution is far lower.

VMC Camera and typical VMC / VIRTIS Images (for comparison)

The VMC instrument is a CCD integrated camera, of about 1.6 kg mass, which houses optics, CCD read-out circuitry (derived from the Mars Express SRC), processing electronics and power converter

(derived from the Rosetta OSIRIS design).

The specificity of the VMC design lies with its standard cooled CCD Kodak matrix (down to –40°C at the lowest), optically fed with four miniature optical lenses (about 5 mm in diameter), and further linked to a high performance / highly compact electronics.

A copper band is attached to the CCD base, which is used to extract the heat out of the chip to the

Peltier cooler, and further on to the close S/C wall (+Y wall) on which the instrument is mounted.

Issue : 2

Page : 3.1

Rev. : 0

The mechanical design of the Venus Express spacecraft results from the following design drivers: a) To reuse the Mars Express mechanical bus as far as possible, b) To take into account the specific constraints of the Venus Express mission, c) To implement the lessons learnt from Mars Express, d) To minimize the spacecraft dry mass and optimise the centre of gravity location.

a) The reuse of the Mars Express mechanical bus (structure and propulsion system) helps in minimising the development risks and securing the very tight schedule of the programme. It takes benefit from the qualification status achieved on Mars Express. In particular the core structure design remains basically unchanged, which allows a qualification approach by similarity. The modifications of the secondary structure are strictly limited to the accommodation of the new or modified units.

Moreover, the mechanical environments are identical to Mars Express for most of the units. b) The main constraints induced on the design by the Venus Express mission are as follows:

- Accommodation of the Venus Express payloads, composed of modified payloads

(ASPERA, PFS, SPICAV), and new payloads (VIRTIS, MAG, VMC, and VERA),

- Specific thermal environment, with permanent sun illumination on +Zs (top floor) and +Xs faces. For that reason, accommodation of payloads on the top floor has been avoided as far as possible, and RW radiator design on +Xs panel has been improved,

- Accommodation of the VIRTIS cryogenic radiator on the non-illuminated -Xs face of the spacecraft ; Accommodation of radiators for other payloads on the

±

Ys sidewalls,

- Accommodation of the HGA2 antenna and associated diplexer, HGA1 diameter reduction

- Accommodation of a new solar array populated with GaAs cells and OSR mirrors,

- Slight changes in SAS and LGA orientations. c) The lessons learnt from Mars Express are mainly directed towards improving the integration issues, in particular during the panel closure operation:

- To enlarge the cut-outs for harness routing on shearwall edges,

- To increase the distance between CPS piping and some bus units,

- To improve waveguide design (accessibility, attachment, flexibility),

- To add cut-outs for endoscope.

Another key lesson learnt from Mars Express is the control of the centre of mass location. d) The spacecraft dry mass has been minimized in the aim to cope with the launcher capacity. The interest for the mission of increasing the propellant mass as far as possible is understood. The CoG location is carefully assessed and refined by analysis and measurement along the development.

Summarising, the Venus Express design is a close derivate from the Mars Express one, with minimal changes when necessary for accommodating the Venus Express specific requirements and constraints, and implementing the lessons learnt from Mars Express.

Issue : 2

Page : 3.2

Rev. : 0

In the aim to avoid any risk of confusion, a unique axis reference system Os, Xs, Ys, Zs has been introduced at spacecraft level. It corresponds to the Oa, Xa, Ya, Za system used on Mars Express.

The Venus Express spacecraft is roughly a cubic box (dimensions 1.65 m x 1.7 m x 1.4 m high, same as Mars Express). The overall configuration of the spacecraft box structure is as follows:

As part of the core structure, four non-removable panels, which divide the spacecraft in six compartments:

- The lower floor (-Zs panel),

- The Ys shearwall, which gives the spacecraft shear stiffness in the Xs/Zs plane,

- The +Xs and –Xs shearwalls, which give the spacecraft shear stiffness in the Ys/Zs plane.

As part of the secondary structure,

- The top floor (+Zs panel), which is a non-removable panel,

The propulsion system is accommodated as on Mars Express: The two propellant tanks are gathered in the centre part of the core structure, and the propulsion units are accommodated on the +Xs shearwall and on the lower floor. The main engine is located under the lower floor and orientated in roughly –Zs direction, while the eight thrusters are located at the four lower corners of the spacecraft.

The two solar wings are mounted to the

±

Ys sidewalls and can rotate around Ys axis. The attachment interfaces are identical to Mars Express. Each wing is composed of two panels and a yoke made of two parts.

There are two fixed high gain antennas: The HGA1 antenna is accommodated on the +Xs closure panel (same attachment interface as Mars Express, smaller diameter), and the HGA2 antenna is accommodated on the top floor, and orientated in quasi-opposite direction.

The payloads are accommodated as follows:

- PFS, VIRTIS and SPICAV are accommodated on the –Xs shearwall, with a nadir field of view in +Zs direction,

- MAG sensors and deployable boom are accommodated on the top floor, MAG electronics is accommodated on the –Ys sidewall,

- VMC and VERA are accommodated on the +Ys sidewall,

- ASPERA is accommodated outside the spacecraft, on the –Ys sidewall (MU) and underneath the lower floor (IMA).

Most of the bus electronics are accommodated on the inner side of the

±

Ys sidewalls, in the same location as on Mars Express. The WIU is gathered in the same cavity as on Mars Express, and attached to the sidewall, top floor and Ys shearwall.

The AOCS units are accommodated in the same location as on Mars Express.

Issue : 2 Rev. : 0

-Ys Sidewall

+Xs Closure Panel

Top Floor

Zs

Page : 3.3

-Xs Closure Panel

+Ys Sidewall

Xs Ys

Figure 3.2-1 : Spacecraft Exploded View

The Venus Express mechanical bus overall configuration is identical to Mars Express

Issue : 2 Rev. : 0

Xs

-Xs Shearwall

+Xs Shearwall

Zs

Ys

Page : 3.4

Ys Shearwall

Figure 3.2-2 : Spacecraft Exploded View – Core part

Lower Floor

Issue : 2

Page : 3.5

Rev. : 0

+Ys Sidewall

+Xs Closure Panel

Top Floor

Ys

Zs

Xs

Figure 3.2-3 : Spacecraft Exploded View

+Xs Closure Panel

+Ys Sidewall

Issue : 2

Page : 3.6

Rev. : 0

3.3 LAUNCH CONFIGURATION

In launch configuration, the solar wings are stowed on the

±

Ys sidewalls thanks to four holddown points (same configuration as Mars Express), and the MAG boom is stowed on the top floor thanks to a launch lock device. Spacecraft dimensions in that configuration are depicted in the following pages.

They are compatible with the spacecraft transport container.

The spacecraft is planned to be launched on SOYUZ/FREGAT, same configuration as for Mars

Express. The adapter between Fregat and the spacecraft is supplied by Astrium. The spacecraft dimensions are compatible with the allowable volume under launcher fairing (3435 mm diameter) with a comfortable margin inherited from Mars Express (Delta-2 initially alternative launcher).

When the spacecraft is under fairing, access to skin connectors is possible through an access door in the fairing (same configuration as Mars Express).

The spacecraft centre of mass in launch configuration (including the balance mass) is as follows:

- 10

±

5 mm on Xs,

+10

±

5 mm on Ys

+ 760

±

10 mm on Zs

The unbalance in Xs/Ys plane is less than on Mars Express and is compliant with the launcher ICD requirement of

±

15 mm in both directions.. The CoG height is less than on Mars Express (mainly due to removal of Beagle-2) and is not an issue.

Issue : 2

Page : 3.7

Rev. : 0

Zs

Ys Xs

Figure 3.3-1 : Spacecraft Stowed Configuration

Zs

Xs Ys

Issue : 2

Page : 3.8

Rev. : 0

Xs

Zs

Ys

Zs

Ys Xs

Figure 3.3-2 : Spacecraft Stowed Configuration with MLI

(MLI on Payload not shown)

Issue : 2

Page : 3.9

Rev. : 0

Figure 3.3-3 : Spacecraft Launch Configuration on FREGAT

Spacecraft dimensions comply with available volume under fairing

Skin

Connectors

Figure 3.3-4 : Access to skin connectors under fairing

Issue : 2

Page : 3.10

Rev. : 0

Figure 3.3-5 : Spacecraft Launch Configuration Outer Dimensions

Xs

Zs

Issue : 2

Page : 3.11

Rev. : 0

Figure 3.3-6 : Spacecraft Launch Configuration Outer Dimensions

Zs

Ys

Issue : 2

Page : 3.12

Rev. : 0

After spacecraft separation from FREGAT, the solar wings are released by pyrocutter firing, and deployed thanks to hinge springs. The wings are latched at end of deployment. Once deployed, the wings can rotate around Ys axis, each one is moved by a drive mechanism.

The MAG boom is released and deployed once the spacecraft is in final orbit. Release is ensured by a pyrocutter, deployment is driven by hinge spring. The boom is latched at end of deployment, and is then parallel to Zs axis.

SA Wing Deployed MAG Boom Deployed

Ys

Zs

Xs

Figure 3.4-1 : Spacecraft in-Orbit Configuration

Issue : 2

Page : 3.13

Rev. : 0

Zs

Xs Ys

Figure 3.4-2 : Spacecraft In-Orbit Configuration

Issue : 2

Page : 3.14

Rev. : 0

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.1

4. THERMAL CONTROL DESIGN

The spacecraft thermal control is in charge of maintaining all spacecraft equipment within their allowed temperature ranges during all mission phases. The equipments fall into two categories:

Ø the collectively controlled units, for which the heat rejection and heating capabilities (design and accommodation) are provided by the spacecraft thermal control,

Ø the individually controlled units, self provided with their own thermal control features

(coatings selection, heaters, insulators…) for which the spacecraft thermal design controls the thermal interfaces within the required ranges.

4.1 THERMAL CONTROL DESIGN APPROACH

The thermal control design of Venus Express spacecraft is based on a robust and passive concept with a maximum commonality with Mars Express but some system and design modifications are implemented to cope with the Venus inner orbit and hot environment.

The two main discrepancies with the Mars Express missions are:

Ø

A stringent thermal environment with a high solar constant, almost 4 times higher than around

Mars. The Venus albedo and planet fluxes are imposed by the spacecraft orbit and attitude.

While the planet IR flux is far lower than around Mars, and constant, the albedo flux is significant during the operation phase around the pericentre.

Ø

Using MEX platform as it is, Venus inner orbit does not allow keeping a wall in the shadow during the entire mission when the S/C is pointed to earth.

To cope with these new constraints, the system architecture for the earth telecommunications has been modified to keep the sun direction in an allowable area determined by the thermal requirements of the spacecraft units and subsystems. A trade-off has been conducted to determine the sun aspect

angle limitation on each wall (see Figure 4.1-1). The conclusion of this study lead to the

implementation of a smaller HGA on the VEX top floor in order to restrict the sun illumination possibilities during communication in the (+X,+Z) quadrant only.

The VEX bus configuration is very recurrent from MEX. Except some payloads that have been changed, the structure and units layout is the same than MEX. The –X shear wall is dedicated to the payloads with the –X closure panel accommodating the cryogenic radiators. The platform units are mounted on the Y sidewalls and the propulsion subsystem is fitted on the -Z floor and the +X shear wall.

The heat rejection toward space is performed using radiators mainly on the +/-Y panels for the platform internal units and the -X panel for the payload equipments. These sides of the spacecraft are the most favourable areas, being most of the time protected from the direct sun inputs (always for the

-X side). The rest of the spacecraft is insulated with Multi Layer Insulation blankets to minimise the heat exchange and the temperature fluctuations.

Communication and Stand-by

+Z

Sun direction / (+X,+Z)=

0° to +90°

+Z

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.2

Sun direction / (+Y,+Z) = 0°

+X

+Y

Observation

Venus

+Z

Sun direction/ (+X,+Z)

=0° to 180°

+X

Venus

+Z

Sun direction/ (+Y,+Z)

=0° to 360°

+Y

Figure 4.1-1: Sun aspect angle during Venus orbit operations

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.3

The spacecraft external units (Platform and Payload units) are thermally decoupled from the spacecraft and provided with their individual radiator when needed.

The electrical heater system allows raising the temperature of the units above their minimum allowed limits, with temperature regulation functions provided either by mechanical device or by the onboard software.

The main design modifications with regard to MEX consist in:

Ø

Using as much as possible low solar absorptance and low ageing coatings.

Ø

Optimising the radiators area and improving their efficiency: ITO SSM replaced by OSR.

Ø

Enlarging temperature qualification of some units: PDU, CDMU, WIU.

Ø

Enlarging the +X reaction wheels radiator paddle and replacing SSM by OSR. In addition

OSR deflectors tilted of 2° are fixed around the radiator to reduce the sun reflection and the IR flux received by the paddle and generated by the temperature of the surrounding.

Ø

Implementing heat pipes under the PCU and PDU to reject the high thermal dissipation of the

PCU through a larger radiator.

Ø

Reducing heat exchanges through the MLI. Two ways of improvement have been implemented. The first step consists in changing the external layer coating (black coating on

MEX) to reduce the temperature level of the blankets. Embossed Kapton is baselined for all the spacecraft walls and “white” coating patches will be added on very critical areas where

Kapton is still a too hot solution. The second step is to increase the number of layers of the blanket. Taking advantage of Austrian Aerospace experience on XMM, a 23 layer blanket is designed.

Ø

Replacing the alodine treatment of the LVA ring by a clear sulphuric anodisation to minimise the LVA ring temperature level when sun illuminated

Ø

Changing hot coatings on external units by colder ones: e.g. PFS_S scanner, LGA, SADAM

Ø

Mixing cells and OSR on the front side of the solar arrays panel. The rear side is also completely covered with OSR.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.4

4.2 THERMAL CONTROL CONFIGURATION

Most of the spacecraft units are collectively controlled inside thermal enclosures, created by the spacecraft mechanical architecture, in which the heat balance is controlled by proper sizing of heat rejecting radiators and heating power implementation. This allows maintaining the unit temperatures to acceptable levels. The heat transfer from the units to the radiators is performed by conduction when unit base plate is attached to the radiator honeycomb panels and by radiation. The units and the panels have a black finish to maximise heat transfer inside the thermal enclosures.

Ø

Platform units:

The platform units are directly accommodated on Y walls which are acting as radiators. These walls are covered by OSR with an embossed Kapton MLI trimming to reduce solar and albedo entrances.

The units are conductively cooled: dissipation is transferred from the baseplate or the foot/bracket of the unit to the radiator via the supporting honeycomb panel. The conductive couplings are improved by means of thermal interface fillers and aluminium doublers. For the special case of the PCU, heat pipes are needed to conduct the dissipation to a large radiator. All the internal units and the sidewalls are black painted in order to homogenise the temperature of the cavities.

The wheels thermal interface (conductively cooled at baseplate interface) combined with the geometrical accommodation constraints prevents from mounting the wheels directly on a radiator panel. The +X reaction wheels thermal control principle is the same as MEX. The two wheels are connected by means of a thermal strap to an extra radiator (paddle radiator) oriented to

±

Y directions. In order to reduce the radiative coupling between the paddle and the +X wall MLI, OSR deflectors are implemented on the –X wall in the vicinity of the paddle. The -X reaction wheels thermal dissipation is transferred by means of a thermal strap to the –X wall acting as a radiator.

A thermo-switch heating system is installed to compensate the environment changes and/or the unit thermal dissipation when non-operated.

Ø

Payload units

The payload units can be divided into two categories:

Ø the internal payloads which thermal control is directly dependant from the S/C

Ø the external payloads that have their own thermal control and are conductively and radiatively decoupled from the S/C.

Most of the internal payload units are collectively controlled in the -X enclosure. They are accommodated on the –X shear wall and radiators are implemented on the -X closure panel to control the cavity environment temperature. The thermal control takes advantage of the transient operation profile.

For more demanding units like the SPICAV/SOIR, the VIRTIS cameras, and the PFS spectrometer, featuring their own thermal control, special precautions are taken on the design of their conductive and radiative isolation. VIRTIS and PFS are provided with dedicated cryo-radiators, implemented on the -X side of the Spacecraft, VIRTIS radiator being integrated to the optical module. Whatever the

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.5

Sun / Earth / Mars / Spacecraft geometry, the -X side of the Spacecraft is oriented away from the

Sun over the complete Venus orbit, both during Nadir pointed science phase and Earth pointed communication phase.

This allows keeping the camera and the spectrometer temperature around 170K and 190K respectively during the Planet observation. The connection to the radiators is performed by thermal straps, the radiators being themselves decoupled from the rest of the spacecraft using thermal blankets and insulating stand-offs.

Every payload aperture is protected with baffles in order to avoid sun entrance inside the Spacecraft.

Payload external units like ASPERA and MAG are individually controlled units. They are directly exposed to the external environment and they have to withstand larger temperature ranges than the standard units. A special care is taken to their accommodation on the spacecraft to provide them the softer thermal environment. They are as far as possible insulated from the spacecraft to reduce the interface fluxes. Their coatings are selected and trimmed to fulfil the thermal requirements. The spacecraft interface temperature has a very limited influence on their thermal behaviour.

Ø

CPS

The internal propulsion equipments (tanks, fluid lines, valves, pressure sensors) and pipes are radiatively and conductively isolated from the structure and provided with their own thermal control.

The Mars Express CPS individual thermal control principle is kept as much as possible and broaden to all the CPS pipes.

The main engine and the thrusters have their thermal coupling with the spacecraft tailored to meet their thermal requirement while preserving the spacecraft thermal behaviour. They are provided with individual electrical heaters sized to maintain these external units within the acceptable temperature range accounting for wide change in radiative environment.

The tanks thermal control is sized to respect the various requirements related to the different phases of the mission (cruise, VOI, in-orbit). Controlled heaters are bonded on the tanks structures. For the particular case of the pressurant tank a software control is necessary to cope with the VOI requirements.

Ø

External appendages

Some units are ‘externally’ accommodated on the spacecraft: antennas or AOCS sensors for example. It means that they have some space exposed areas, which allows them to reject dissipation using their own structure, or a dedicated radiator mounted on its side, if necessary. In order to reduce the interface fluxes with the rest of the spacecraft these units are generally thermally isolated from the support structure by stand-offs or insulation washers and MLI blankets.

They are provided with an individual thermal control, designed at unit level: radiators, heaters, MLI.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.6

4.3 THERMAL CONTROL OVERVIEW

4.3.1 Thermal control features

The unit temperature control is achieved through the use and the selection of flight-proven materials used on numerous spacecraft.

The key features of the thermal control are presented on Figure 4.3-1 and summarised as follows:

Ø

Optical solar reflectors radiators electrically grounded to the aluminium sandwich panel face sheet reject internal heat dissipation toward Space

Ø

Dedicated radiators are provided for the VIRTIS_OM (integrated to the OM) and PFS_O payload requiring operation at low temperature

Ø

The platform high dissipative units are mounted on the panels directly behind the radiators to provide a good conductive path from unit to panel. Thermal doublers ensure spreading of heat over the radiator areas.

Ø

Heat pipes are implemented under the PCU and PDU units to spread the high PCU thermal dissipation.

Ø

A high emissivity finish is used inside the spacecraft when required to maximise the radiative heat transfer to the radiators

Ø

Thermal straps are used to connect the Reaction wheels and some payload units needing a dedicated radiator (PFS_O cryo I/F, SPICAV/SOIR, VIRTIS_OM coolers, VIRTIS ME)

Ø

Dedicated radiator (paddle) for +X reaction wheels with OSR deflector to reduce heat load by reflection and IR coupling on the paddle.

Ø

Multi-Layer Insulation (MLI) is used to minimise heat flow from non-radiating areas and to minimise the thermal distortions. The conductive surfaces of all thermal blanket layers are electrically grounded.

Ø

“Cold” coatings on LVA ring external part (Clear Sulphuric Anodisation) and on SADM panel flange (White paint)

Ø

Heaters and thermal blankets on the liquid bi-propellant system prevent propellant freezing, and enable to optimise propellant management

Ø Both software and hardware controlled heaters are implemented. Appropriate redundancy is included for all heaters, thermistors and thermostats to prevent single point failure in the thermal control function

Ø

Low conductive stand-offs for the appendages and external payload units minimise heat transfer to the spacecraft main body

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.7

OSR and cells stripe

RW OSR deflectors

RW paddle

PFSO cryo radiator

Clear sulfuric anodisation

Figure 4.3-1: Venus Express external views

Embossed Kapton MLI

+Y walls radiators

Virtis OM cryo radiator

+Y walls radiators

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.8

4.3.2 Radiators

The S/C main way of heat rejection are the radiators located on the Y panels for the platform and the

-X panel for the payload. The proposed thermal design uses:

Ø

1.72 m² room temperature radiator opened directly on the platform walls that rejects the platform units and some payload units dissipation. The available area of panels demonstrates important margins. Those areas of the panels in excess w.r.t the required radiator size are covered by MLI blankets.

Ø

0.22 m2 of radiator area for PFS_O payloads cryogenic interface.

Ø

0.28 m² for the +X wheel paddle

The table provided Figure 4.3-2 presents the radiator areas in the current stage of design. Trimming

of the radiators is possible up to the final integration campaign of the spacecraft: radiator size will be adapted if required after TB/TV test correlations.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.9

Figure 4.3-2: Venus Express radiators definition

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.10

The satellite external barrier is a Multi Layer Insulation (MLI) blanket which completely isolates the

+Z floor and the +X closure panel (High Gain Antenna support panel) from the cold space environment and the sun illumination. MLI is also used on

±

Y and -X radiator panels and on –Z lower floor in order to adjust the radiative area to the units need. This adjustment may be performed after thermal balance test if needed without major impact.

The composition of the blankets (number of layers, spacers…) is governed by the location on the spacecraft and the temperature level seen by the external layer. The Venus environment induces important issues on the MLI materials selection, especially for the +X and +Z walls that may be continuously sun illuminated.

The first one concerns the outer layer. The aim is to select as far as possible a “cold” coating presenting a low solar absorptance combined to a high emittance and stable to UV and proton radiation (low discoloration). These considerations led to trade-off non-usual coatings like

Astroquartz, Beta-cloth and Nextel for the MLI external layers of these 2 walls. But development and qualification status of these materials prove to be not advanced enough with respect to schedule to select one of them as the baseline. A solution using classical and well-known materials is preferred and a “white” coating is foreseen only as patches on restricted areas. These “White” patches will be added at the very end of the integration phase and the best candidates are Betacloth or Nextel (performances still under study).

Currently an embossed Kapton MLI is baselined on all the spacecraft walls and “white” patches are implemented on the +X wall around the wheels deflectors.

Another issue concerns the internal layer. Due to their restricted temperature resistance, Mylar is avoided and Dacron is partially removed. All the internal layers are VDA Kapton layers and Dacron is replaced by a tissuglass spacer, only for the first 10 layers due to mass constraints.

The insulation efficiency has been improved by several points of design. The Venus Express MLI will be composed of 23 Kapton layers separated with spacers in order to increase the efficiency of the ideal blanket compared to a classical one (13 layer). Moreover all the interfaces that are the principle sources of heat leakage are carefully designed. The overlaps between the MLI will be

“interleaving” overlaps reducing heat loads to the spacecraft. Vespel stand-offs will be used, instead of aluminium stand-offs, because of their lower conductivity. All the grounding points (aluminium) will be located in the overlapping area and covered by a neighbouring blanket overlap as far as possible. If not a dedicated MLI cap will cover them.

A high temperature titanium MLI is designed to cover the LVA ring cavity around the Main Engine.

The Titanium foil prevents the MLI overheating during the engine firing. It will be black painted

(FIBA) in order to reduce the temperature of the external layer when sun illuminated and then the heat loads on the LVA stiffener and CPS pipes.

MLI blankets (Dacron/VDA Mylar) are also used internally around the tanks and the CPS components to limit the heater power installed in order to prevent propellant freezing.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.11

Electrical heaters are used on Venus Express to prevent excessive cooling of units, structures and propellant during the cold phases and eclipses, payload non-operation (partial or total) and safe mode. They are also used when the payload is fully operational in order to comply with the units minimum temperature limits.

The heating system consists of 16 nominal heater lines (extra 16 identical redundant lines) corresponding to a potential 781 W nominal installed power.

Almost all the heater lines are controlled using bimetallic thermostats with fixed temperature set points in order to allow a large number of controlled areas. Two thermostats are used in series to avoid closed circuit failure.

If the change in temperature set points is required a software control is implemented. A set of three temperature sensors is dedicated to each circuit to provide an ON/OFF regulation type using the on board software capability. The helium tank boost heating is managed that way.

When the temperature monitoring is not able to provide the required detection for reconfiguration, the circuits are operated in hot redundancy. This is the case of most of the CPS lines and thrusters heating lines.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 4.12

5. ATTITUDE AND ORBIT CONTROL SYSTEM

Issue : 2 Rev. : 0

Date : 06/02/2004

5.1

5.1 AOCS BASIC CONCEPTS

Attitude manoeuvrability

Due to the selection of fixed High Gain Antennas (HGA1 & HGA2), and to the propulsion configuration including a Main Engine, the Venus Express mission requires a high level of attitude manoeuvrability for the spacecraft. Attitude manoeuvres will be performed : q

Between the observation phase and the Earth communication phase, or to reach specific attitudes necessary for science observations (SPICAV for instance). q

Before and after each trajectory correction manoeuvre, performed either with the Main

Engine or with the 10N thrusters. q

To optimise the Wheel Off-Loading, through the selection of an adapted attitude for this operation.

All the attitude manoeuvres of the operational phase are defined on ground, using a polynomial description of the Quaternion to be followed by the Spacecraft.

Attitude estimation and control concepts

The attitude estimation is based on Star Tracker and gyros, ensuring the availability of the measurements in almost any attitude. Some constraints have however to be fulfilled, the Star Tracker being unable to provide attitude data, when the sun or the planet are close to, or inside its Field of view.

Reaction wheels are used for almost all the attitude manoeuvres, providing a great flexibility to the

Spacecraft and reducing the fuel consumption. The angular momentum of the wheels has however to be managed carefully from ground.

Earth pointing attitude for communication

Nadir pointing and P/L dedicated profiles for Venus observation

Inertial attitude for P/L specific observation or wheel off-loading

MAT 13258

Figure 5.1-1: Manoeuvrability of the Venus Express Spacecraft

Issue : 2 Rev. : 0

Date : 06/02/2004

5.2

5.2 AOCS HARDWARE ARCHITECTURE

AOCS Hardware architecture

All the sensors and actuators used by the AOCS are connected to the AOCS interface electronics unit

(AIU), through a IEEE 1355 bus for the Star Tracker, a MACS bus for the SADM, a RS 422 link for the IMU, or direct wirings for the SAS and the reaction wheels.

The Control and Data Management Unit (CDMU) contains a dedicated processor for the AOCS S/W, including the processing of the sensors and actuators, the estimation and control algorithms, and the

AOCS Failure management function.

AOCS hardware units

The

Star Tracker

(STR) is the main optical sensor of the AOCS, used at the end of the attitude acquisition to acquire the final 3-axes pointing, and during almost all the nominal operations of the mission. A medium Field Of View (16.4° circular) and a sensitivity to Magnitude 5.5 are used to provide a 3-axes attitude measurement with at least 3 stars permanently present in the FOV. The STR includes a star pattern recognition function and can perform autonomously the attitude acquisition.

The Venus Express Star Tracker is produced by Galileo Avionica, and the basic design of the hardware is identical to the Mars Express one. The robustness to straylight is improved for Venus

Express, through the addition of an internal diaphragm inside the optics. The thermal analyses lead also to change the coating of the Star Tracker radiator and baffle, and to add a thermal shield on the spacecraft. 2 Star Trackers are implemented on the –X between their optical axes. s

face of the Spacecraft, with an angle of 30°

Two

Inertial Measurement Units

(IMU) are used by the AOCS, each IMU including a set of 3 gyros and 3 accelerometers aligned along 3 orthogonal axes. The AOCS control can use either the 3 gyros of the same IMU (reference solution at the beginning of life) or any combination of 3 gyros among the

6 provided by both IMUs. For the accelerometers, only a full set of accelerometers of one single IMU is used, due to the lower criticality of the accelerometer function, and to the availability onboard of an alternative method for the

V measurement (pulse counting). The Gyros are useful during the attitude acquisition phase for the rate control, during the observation phase to ensure the required pointing performances and during the trajectory corrections, for the control robustness and failure detection. A non mechanical technology is selected to avoid the mechanical sources of failure in flight. The Accelerometers are essential during the main trajectory corrections such as the insertion manoeuvre to improve the accuracy of the

V. The IMU of Venus Express is identical to the Mars

Express unit. The number of units and the onboard management of the configuration is identical to

Mars Express.

Two redunded

Sun Acquisition Sensors

(SAS) are implemented on the Spacecraft central body and are used for the pointing of the Sun Acquisition Mode (SAM) during the attitude acquisition or reacquisition in case of failure. The SAS are identical to Mars Express units, for what concern their mechanical, electrical or functional interfaces. New solar cells, mounted on a new ceramic backing are used in order to withstand the Venus thermal environment. The higher current delivered by the

SAS in the Venus environment lead to change the electrical interface with the AIU (impedance). The

SAS are provided with customised baffles.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.3

The

Reaction Wheel Assembly

(RWA) includes 4 Reaction Wheels (RW) implemented on a skewed configuration. This configuration, identical to Mars Express, enables to perform most of the nominal operations of the mission with a 3 wheels configuration among 4. During some critical phases during which the transition to the SAM shall be avoided (before Venus Insertion Manoeuvre), a 4 wheels configuration may be used, under ground request. The Reaction wheels provide the AOCS control torques during all the phases of the mission except the trajectory corrections, the attitude acquisition and back up modes.

The

Propulsion configuration

includes a Main Engine (414 N) which is used to perform all the major trajectory changes, and 10 N thrusters used for the attitude control and also to produce the thrust during the small trajectory corrections. The 10 N thrusters configuration is optimised to perform all the attitude control functions with only 4 redunded thrusters, each of them being implemented near a corner of the -Z face of the spacecraft. The Venus Express propulsion configuration is identical to Mars Express.

2 redunded

Solar Array Drive Mechanisms (SADM)

are implemented on the Y+ and Y- walls of the spacecraft to control the orientation of the Solar Arrays. The SADM position is fixed during the the

Venus observation phase requiring no SADM actuation, once the selected observation attitude is reached. The SADM uses a stepper motor, a gear, and a twist capsule technology. The SADM motion is defined in the range +/-180° (minus margins). The Venus Express SADM is identical to the Mars

Express unit and also to the Rosetta unit, except for the speed levels which are specific to Mars

Express and Venus Express. The coating of the Venus Express unit has been modified to withstand the Venus thermal environment.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.4

Sun

Acquisition

Sensor

SAS

Gyros Acceleros

Star

Tracker

Control & Data

Management

Unit

(CDMU)

AOCS

Interface

Unit

(AIU)

Propulsion

N2O4 MMH

Solar Array

Drive

Electronics

Solar Array

Drive

Mechanism

Wheel

(Integrated

Electronics)

Modified unit

Mars Express derived unit

Mars Express recurring unit n/o n/o

10 N

Thrusters

Main Engine

MAT 13259

Duplicated Unit

Internally

Redunded

Unit

Figure 5.2-1: AOCS Hardware architecture

AOCS unit

Star Tracker

(STR)

Nb Technology / Main characteristics

2 CCD detector. 16.4° circular FOV. Magnitude 5 (TBC depending on straylight modification)

Heritage

Rosetta / Mars Express unit (modified for straylight).

Supplier

Galileo

Avionica

Gyro/accelero

(IMU)

2 Ring Laser Gyros (RLG). 3 gyros/3 acceleros per unit Rosetta and Mars Express unit

Honeywell

Sun Acquisition

Sensor (SAS)

SADM

2 Solar cells mounted on a pyramid. Internal redundancy.

New solar cells mounted on a new ceramic backing.

Reaction Wheel 4 Ball bearing Momentum/Reaction wheels.

12 Nms /0.075 Nm

2 Stepper motor with gear. Twist capsule

Derived from Rosetta and

Mars Express unit

Telecom. Sat. and Mars

Express Unit

Mars Express and Rosetta unit (except speed levels)

TPD-TNO

Teldix

Kongsberg

Figure 5.2-2: AOCS Harware units

Issue : 2 Rev. : 0

Date : 06/02/2004

5.5

5.3 AOCS MODE ARCHITECTURE

AOCS Mode logic

The AOCS includes several modes for attitude acquisition/ reacquisition purposes, for the nominal scientific mission operations and for the orbit control.

The Attitude acquisition or attitude reacquisition sequence is ensured by 2 modes : q

The Sun Acquisition Mode pointing the X towards the sun. s

axis of the spacecraft and the Solar Arrays q

The Safe/Hold Mode completes the acquisition and provides the final 3-axes pointing (HGA1 or HGA 2 axis towards the Earth).

This attitude acquisition sequence is used nominally after launch and also after a large trajectory correction manoeuvre performed with the Main Engine. The same sequence is used in case of failure during a Software Safe Mode or a Hardware Safe Mode. It is an automatic sequence including all the operations of both Modes, except during the first acquisition, where the flexibility is let to the ground to introduce 1 or 2 stand by points.

The nominal routine operations of the mission are performed in the Normal Mode, which enables all the scientific operations around Venus, but also the cruise pointing, and all the attitude manoeuvres necessary before and after an orbit control manoeuvre for instance.

The trajectory correction manoeuvres are performed through 3 Modes : q

The Orbit Control Mode (OCM), for small trajectory corrections performed with the 10N thrusters. q

The Main Engine Boost Mode (MEBM), for trajectory corrections performed with the 415N engine. q

The Braking Mode (BM) is specifically designed for the Aerobraking phase, if such a phase is necessary to achieve the final orbit, using the force produced by the air-drag when passing through the Venus atmosphere at orbit pericentre.

The Thruster Transition Mode (TTM) is used as a smooth transition between the thruster controlled

Modes (OCM and BM) and the wheel controlled modes (Normal Mode).

Issue : 2 Rev. : 0

Date : 06/02/2004

5.6

From Any Mode except

MEBM & SBM

(Anomaly)

Launch / Init

Stand By

Mode

(SBM)

Sun Acquisition

Mode

(SAM)

Automatic

TC/MTL

DMS Request

Gyro-Stellar

Pointing on

Ephemeris

(GSEP)

Safe/Hold

Mode

(SHM)

Wheel

Damping

Phase

(WDP)

Ground

Slew Phase

(GSP)

Main Engine

Boost Mode

(MEBM)

Fine Pointing

Accuracy

Phase

(FPAP)

Normal Mode (NM)

Thruster

Transition

Mode

(TTM)

Orbit Control

Mode

(OCM)

Attitude acquisition or transient phases

Scientific missions phases

Modes used for trajectory change manoeuvers

Figure 5.3-1: AOCS Modes Diagram

Braking

Mode

(BM)

Wheel

Off-Loading

Phase

(WOLP)

Fine Pointing

Inertial

Phase

(FPIP)

MAT 11497L

Issue : 2 Rev. : 0

Date : 06/02/2004

5.7

Stand-By Mode

Acquisition & Back-up

Modes

Sun Acquis. Mode

Rate reduction

Sun Capture

AIU IMU SAS Star

Tracker

Reaction

Wheels

10N thrusters

Main

Engine

SADM

1 (*)

1 2 (2) 4

Sun Acquisition

Sun Pointing

Biased pointing

Star Acquisition

1 2 2 4

1 2 2 4 2/Hold

1 2 1+(1) 4

1 2 (2) 4

Safe/Hold Mode

Earth Acquisition

Hold Phase

Earth Pointing Init

Earth Pointing

Operational Modes

Normal Mode

Thruster TransitionM.

Orbit Control Mode

Main Engine Boost

Burn Firing (4T)

Burn Firing (8T)

1 3t/4t(**) 2/Hold

1 1 1 3s 4 Hold

1 1 1 3s 4 Hold

1 2 4 1

2 2 8 1

Back up 1 2 8

Braking Mode

1 1 3s 4

(*)= The H/W configuration in SBM is not fixed and depends on the configuration in the previous mode.

(**)= Before the Venus Orbit Insertion phase, the recommended Normal Mode configuration includes 4 wheels and 2 IMUs

(n)=

out of control closed loop for monitoring purpose, or for initialisation

ns

= n wheels in speed control mode

nt

= n wheels in torque control mode

2/Hold

= the SADM is set in Hold Mode once it has reached the target position

Hold

Figure 5.3-2: Use of Hardware units in the AOCS Modes

Issue : 2 Rev. : 0

Date : 06/02/2004

5.8

Attitude acquisition modes

Stand-By Mode (SBM)

The Stand-By Mode is used in Pre-launch and Launch phases for general check supervision, and during the deployment of the Solar Array. It is also a mode used during the transient after failure, when a switch to the Software or Hardware safe mode is necessary. This Mode is followed by the

SAM upon a DMS command, starting the autonomous acquisition sequence up to Earth pointing.

Only DMS functions are activated in SBM. At AOCS level, there is no control during this mode, and all the H/W resources which are not necessary in the following mode (SAM) are switched OFF. The

AIU and the IMUs are therefore kept ON, except during launch phase, where the IMUs are OFF.

Sun Acquisition Mode (SAM)

The Sun Acquisition Mode performs a first attitude acquisition to orient the +X s

and the Solar Array cells towards the sun. It is used for the initial attitude acquisition after launch, for nominal attitude reacquisition after Solar Arrays deployment, for the nominal re-acquisition after the Main Engine Boost

Mode, and also after a failure during Software or Hardware safe mode. It uses gyros (IMUs) and Sun

Acquisition Sensors (SAS) for the attitude measurements, and thrusters for the control.

This mode starts by a reduction of the Spacecraft rates (RRP : Rate Reduction Phase). The sun is then acquired close to the (+X s

,+Z s

) half plane corresponding to the global Field Of View of the 2 SASs

(SCP : Sun Capture Phase). A third phase orients the Spacecraft in such a way that the +X s

axis points to the sun (SAP : Sun Acquisition Phase). If the solar array is not yet deployed, the Mode continues with a Sun Pointing Phase (SPP) and a biased Pointing phase (BPP). If the Solar array is deployed, a preparation to the next mode is performed in the Star acquisition phase (StAP). During this phase, the

Autonomous Attitude Acquisition is commanded to the star tracker (outside the control loop). Once a

3 axis attitude is provided by the star tracker, its consistency with the Sun direction measured in spacecraft frame and computed from on-board ephemeris is tested, enabling the gyro-stellar estimator initialisation and the transition to the next Mode.

At the end of the SAM/StAP, the Spacecraft +X s

axis is oriented towards the sun, with an angular control on 2 axes, and a constant rate on the third axis (Spacecraft to sun direction).

Safe/Hold mode (SHM)

The Safe/Hold Mode completes the attitude acquisition sequence, pointing the HGA-1 or HGA-2 axis towards the Earth. The main function of the SHM is to perform a 3-axes attitude acquisition with the

Star tracker (STR) and the gyros from the 2-axes sun pointing of the SAM. It relies for this operation on the autonomous attitude acquisition capabilities of the STR. The sequence starts in fact at the end of the SAM mode by a switch ON of the STR and a star acquisition phase (StAP phase, inside the

SAM). The SHM itself starts by a control based on the STR measurements and cancels the residual rate on X axis (EAIP : Earth acquisition Init Phase). It performs then an autonomous slew manœuvre computed onboard from the actual attitude estimation and the ephemeris data (EAP : Earth

Acquisition Phase), ended in the Hold Phase (HP). Up to this phase, the attitude control torques are provided by the thrusters. The wheels are then switched ON and spun up (EPIP : Earth Pointing

Initialisation Phase) and then used in the attitude control loop once they have reached their target rate

Issue : 2 Rev. : 0

Date : 06/02/2004

5.9

(EPP : Earth pointing Phase). An autonomous Off-Loading of the wheel (WOLP : wheel Off-Loading

Phase) is activated at this stage when necessary.

The

attitude acquisition sequence,

including the SAM and the SHM, is fully automatic in case of reacquisition after a failure. For the initial attitude acquisition , two stand by points are implemented in the design :

Ø one at the end of the SAM, when the Sun pointing is acquired,

Ø one inside the SHM, when the final pointing is acquired with a thruster control, just before the switch to a wheel control.

After each of these stand by points, the ground is able to resume the automatic sequence. Each of these 2 stand by points are cancelled automatically onboard after a predefined and adjustable duration, such that a complete flexibility is provided to the ground to manage the initial sequence.

Seting the duration to 0 enables to transform the initial sequence in an automatic one.

These Stand-By points are also used by the onboard failure management (FDIR) to avoid a permanent loop between SAM and SHM.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.10

S u n A c q u is itio n

M o d e (S A M )

R ate R e d u c tio n

P h a s e

(R R P )

S ta n d B y

M od e

(S B M )

S u n C a p tu re

P h a s e

(S C P )

S u n A c q u is itio n

P h a s e

(S A P )

D ep loy e d S A S to w ed S A

S u n P o in tin g

P h a s e

(S P P )

S ta r A c q uis itio n

P ha s e

(S tA P )

S w itc h to S B M (n o c o n tro l) fo r S A d e p lo ym e n t

B ia s e d P o in tin g

P h a s e

(B P P )

S afe / H o ld M o d e

(S H M )

E arth A c q u is itio n

In it

(E A IP )

E arth A c q u is itio n

(E A P )

H o ld

(H P )

E arth P o in tin g

In it

(E P IP )

W h e e l

O ff L o a d ing

E arth / S u n

P o in tin g

(E P P )

M AT 1 1515

N orm al M od e (T C / M TL )

Figure 5.3-3: Attitude acquisition /reacquisition sequence

Issue : 2 Rev. : 0

Date : 06/02/2004

5.11

Normal Mode (NM)

The Normal Mode is designed to enable all the nominal operations of the mission, except the trajectory corrections. It uses Star Tracker measurements and gyros for the attitude measurements, and reaction wheels for the control, in order to reduce the fuel consumption and the orbit disturbances, and to have the best pointing performances during Venus observation phases. The Normal mode contains several sub-phases used to cover all the functionalities required during the operational mission.

The

Gyro-Stellar pointing on Ephemeris Phase (GSEP)

is optimised to ensure to the spacecraft a deterministic and quasi-inertial attitude with respect to the Sun and the Earth directions with a pointing accuracy compatible with Earth communication needs (HGA-1 or HGA-2 axis pointed towards the Earth) and a sun pointing of the Solar arrays. This phase is used during the cruise phase, and in the communication phase of the orbit to hold a robust link with the Earth between scientific operations for data transmission. It can be also the phase used during long duration solar conjunctions

(i.e. with no Earth communication).

The

Fine Pointing Accuracy Phase (FPAP),

is the operational mode used for the scientific mission during the Venus observation. It is designed to be able to control the Spacecraft around mission attitude profiles defined by the ground (Nadir pointing, Earth radio occultation), and to ensure the pointing and pointing stability performances necessary for payloads operation. The Solar Array orientation is commanded by the ground and is fixed during the observation phase. This phase is also used for attitude transient damping before any thruster controlled mode.

The

Fine Pointing Inertial Phase (FPIP)

controls the Spacecraft attitude around a ground commanded fixed attitude ensuring the pointing and pointing stability performances necessary for the payloads operation, with fixed Solar Arrays (the Solar Array orientation is automatically computed on-board at the beginning of the phase, then it remains fixed during the observation period). This phase is adapted to a period of the mission where inertial observation is required, such as SPICAV observations. It can also be used before Wheel Off-Loading, if a specific attitude is required for this operation.

The

Ground Slew Phase (GSP),

is used as a transition between sub phases or modes, when an attitude reorientation is necessary : between the pointing on ephemeris (in GSEP) and the observation

(in FPAP or FPIP), before and after transition to the OCM for trajectory corrections, in order to orient properly the thrust, and before the MEBM. The attitude profile is defined by the ground. The orientation of the Solar Array is fixed during this phase, and is adapted to the final attitude and mission during the following phase.

The

Wheel Damping Phase (WDP)

includes a robust control law able to reduce the residual rates and attitude errors when coming from other modes. It is therefore the entry point in the Normal mode, especially usefull when a transition from a thruster controlled mode has to be performed (TTM).

The

Wheel Off-loading Phase (WOLP)

enables to manage during the Normal mode the wheel angular momentum. Thruster pulses are used to reach a target angular momentum during this phase, autonomously onboard or upon ground commands. This operation is forbidden in some situations where it could have dangerous effects like the slew manœuvres. For this reason, the WOLP is authorised only from the GSEP, FPAP and FPIP phases. During the observation phase in FPAP, the transition to the WOLP is authorised in the S/W, but should not be used, the Wheel Off-Loading taking place nominally out of observation period.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.12

Trajectory correction modes

Main Engine Boost Mode (MEBM)

The Main Engine Boost Mode enables to perform the large trajectory corrections using the 414 N

Main Engine. The efficiency is greater in this mode for large manoeuvres, due to the better specific impulse of the Main Engine and the higher force delivered, reducing gravity loss effects. During this mode however, the disturbance torques due to the Main Engine misalignments are very high, and a large attitude depointing transient is observed at the beginning of the manoeuvre. This mode is therefore not suitable for small

Vs of a few m/s.

The MEBM uses 2 IMUs and the 10N thrusters for attitude control. The reaction wheels, the STR and the SADE are OFF in MEBM, to avoid failure management of these non-mandatory equipment that may jeopardise the completion of the manoeuvre. The Solar Array orientation is specific for this mode

(perpendicular to the Thrust) and is reached in normal mode before the MEBM.

On Mars Express, the late discovery of a large discrepancy between the centre of mass and the Z axis of the Spacecraft lead to a significant increase of the disturbing torques during the Main Engine

Boost. It has been decided to introduce in the software the capability to control the spacecraft with 8 thrusters. The principle of this function is to use both nominal and redundant thruster branches at the same time to double the spacecraft control capacity and be able to control higher disturbing torques.

This capability has been also introduced for Venus Express, even if a better control of the spacecraft centre of mass is expected from a specific action plan. The 4-thrusters control remains the baseline.

The preparation of the Venus Orbit Insertion (VOI) manoeuvre in Normal Mode has to be performed with a specific configuration, defined to reduce the risk of a safe mode before the manoeuvre. The recommended configuration includes 4 wheels, 2 IMUs, and the inhibition of several AOCS surveillances.

This mode is split in three phases. It starts by a boost initialisation phase (BIP) during which no thrust is created (the control is ensured by the thrusters in on-modulation). This phase is dedicated to the switch-off of all equipments not mandatory in MEBM. It is followed by Liquid Settling Phase (LSP) during which a low mean acceleration is generated by the 10N thrusters (commanded in OFFmodulation, like during the OCM) to reduce the liquid transient in the tanks. It is followed by the burn itself (Burn Firing Phase : BFP) during which the Main Engine produces the thrust and the attitude control is ensured by the thrusters in on-modulation.

The boost can be done with 8 thrusters. The Mode is called in this case the “back-up” MELSP. Four thrusters are actuated continuously, and the four others are OFF-modulated to provide both thrust and control torques. The “back-up” MELSP can be entered either at the beginning on ground decision, from MEBM BIP in place of the nominal MELSP, or automatically from the MEBFP in case of unrecoverable Main Engine failure detected onboard during the boost.

The MEBM is nominally entered from the Normal Mode, during which an orientation of the spacecraft (slew manoeuvre) is performed (NM/GSP). The MEBM can also be entered from the Safe and Hold Mode (SHM), prior or after the reaction wheels activation, in order to shorten the procedure in case of anomaly just before the critical insertion manoeuvre. In this case, the attitude manoeuvre is done with thrusters in the first phase of the MEBM (BIP phase).

Issue : 2 Rev. : 0

Date : 06/02/2004

5.13

During the MEBM, an attitude profile programmed by the ground is commanded to the spacecraft.

This profile includes the attitude profile to be followed during a longer time in case of Main Engine failure.

The end of the manoeuvre is decided onboard on the basis of the

V estimation, derived from accelerometers measurements in order to ensure the required accuracy. This strategy requires previously an in-flight calibration of the accelerometer biases. In case of Back-up MELSP the thrust is stopped on the basis of a timer.

The manoeuvre is followed by a switch to SAM. The following sequence includes an automatic Earth reacquisition in SHM. This strategy is necessary due to the possible use of back-up MELSP with various final attitudes. It is the most robust one.

Orbit Control Mode (OCM)

The Orbit Control Mode enables to perform the small trajectory corrections using the 10 N thrusters.

The OCM uses 1 Star tracker, 1 or 2 IMPs and thrusters. The reaction wheels are commanded during the OCM either at their current speed or at a ground uplinked speed level. It is therefore possible for the ground to take advantage of this mode using thrusters for reaction wheel off-loading (not the baseline). The mechanisms (SADM) have a constant orientation during the mode.

This mode uses the thrusters located on –Z s

face of the Spacecraft to generate the thrust and also to control the attitude through an OFF-modulation command. It starts by a Liquid Settling Phase (LSP) during which a lower mean acceleration is generated to reduce the liquid transient in the tanks. It is followed by the burn itself (Burn Firing Phase : BFP).

The OCM is preceded by an orientation of the spacecraft (slew manoeuvre) performed during the

Normal Mode (NM/GSP) before entering the orbit control mode.

The end of the manoeuvre is decided onboard on the basis of the

V estimation, derived from accelerometers measurements or thruster ON time counting. The first method is recommended for large delta V manoeuvres and requires previously an accelerometer in-flight calibration.

All manoeuvres are followed by a tranquillisation phase in TTM, allowing to reduce the spacecraft angular rates before using the reaction wheels during the Normal Mode. The slew manoeuvre necessary to come back to the nominal operations is performed in the Normal Mode after a reduction of the attitude transient due to the end of the TTM (Normal Mode-Wheel Damping Phase :

NM/WDP).

Thruster Transition Mode (TTM)

The Thruster Transition Mode ensures a smooth transition from the thruster controlled modes (OCM,

BM) and the Normal Mode, designed with reaction wheels control. The exit from the Thruster

Transition Mode is achieved automatically (the transition criterion combines an attitude depointing criterion, a rate criterion, and conditions on the reaction wheels).

The Thruster Transition Mode uses one Star Tracker, 1 or 2 IMUs, and thrusters for the torque generation. The reaction wheels are commanded during the TTM either at their current speed or at a

Issue : 2 Rev. : 0

Date : 06/02/2004

5.14

ground uplinked speed level. It is therefore possible for the ground to take advantage of this thruster controlled mode for reaction wheel off-loading (not the baseline). The mechanisms (SADM) have a constant orientation during the mode and are in Hold mode.

Aerobraking

The Aerobraking uses the aerodynamic drag force to provide a deceleration effect during an atmospheric pass and modify the satellite orbit. This concept is an alternative solution to propulsive methods for achieving the transition from the high elliptical insertion orbit into the observation orbit.

If an Aerobraking phase is necessary to reach the final mission orbit or to change the orbit, the necessary operations will include, on each orbit, a phase with an Earth pointing near the apocentre, and a phase with a specific pointing adapted to aerodynamic pressure near the pericentre, during the drag pass. For this latter function, the

Braking Mode (BM)

is used to control the Spacecraft around an attitude which is stable with respect to aerodynamic disturbances.

During the Aerobraking phase, the ground is in charge of the overall sequence of operations on each orbit, described through the Mission Time Line (MTL). The Navigation is also a ground responsibility, in order to ensure the efficiency of the Aerobraking, and define appropriate apocentre manoeuvres in OCM when necessary, to ensure that the S/C remains in the domain for which it has been designed (less than 0.3 N/m

2

).

Braking Mode (BM)

The Braking Mode uses gyros only (1 or 2 IMUs) for the attitude estimation, owing to the small duration of the drag pass, and 10N thrusters for the control.

Just before the atmospheric pass which lasts about 400 seconds, the satellite is aligned with the aerodynamic frame in Normal Mode (the manoeuvre is performed in NM/GSP and the satellite maintained in FPAP until the transition to the Braking Mode is commanded).

The control is performed with thrusters, but in a large angular corridor (15 deg) in order to reduce the number of thruster actuations necessary to control the spacecraft attitude (which is stable around this attitude thanks the aerodynamic forces). This mode also allows (around the pericentre) to off-load the wheels if necessary, using the aerodynamic torques (not the baseline). Otherwise, they will be maintained at a constant rate during the atmosphere pass. The STR is maintained in stand-by mode because its implementation has not been optimised with respect to this specific attitude, and the

SADM is controlled in a fixed position (Hold) during the Braking Mode, keeping the Solar array orientation optimised for aerodynamic effects.

The accelerometer measurements can be sent to the ground to help for ground Navigation purpose.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.15

5.4 AOCS GENERIC FUNCTIONS

The AOCS modes use generic functions for the guidance, the attitude estimation and the actuators management. At the Software level, these functions are common objects, used by several modes.

Guidance

The role of the guidance is to provide onboard the reference attitude to be followed at each time of the mission by the attitude control, and the commanded position of the Solar Array position. The analysis of the mission needs shows that 4 types of guidance are necessary along Venus Express mission : q

Pointing of the High Gain Antenna (HGA-1 or HGA-2) towards the Earth, and the Solar

Array cells towards the Sun. This kind of guidance is used during the cruise phase and for communications during the scientific mission phase, these two cases corresponding to the

AOCS Normal Mode, pointing on ephemerides (NM/ GSEP phase). For this function, the guidance uses the Spacecraft to Earth and the Spacecraft to Sun directions as described in the ephemeris, based for Venus Express on Kepler orbit approximation of the planets orbits around the sun. q

This type of guidance is also used in a different way for the Earth acquisition (SHM :

Safe/Hold Mode), in order to perform the autonomous orientation of the spacecraft towards the Earth. The ephemeris data are then used to perform large angle slew manoeuvres with thruster control. q

Attitude profiles : this type of guidance is necessary during the observation phase for the

Nadir pointing or to follow more specific profiles. This function is ensured by an onboard profile description based on Chebychev polynomial, the parameters being uploaded from ground. This capability enables also to ensure the attitude slew manoeuvres. q

Fixed inertial pointing (fixed quaternion) : This type of guidance is used for specific phases of the mission, during Orbit Control Mode, Thruster Transition Mode or during the scientific mission phase (in NM/FPIP and NM/WDP).

Three generic functions have been defined for this purpose at software level : q the

Ground commanded guidance

, q the

Onboard Ephemeris propagation

, q the

Autonomous Attitude Guidance Function

, this latter function generating the guidance information necessary either for the fixed Earth pointing or for the Earth acquisition in SHM.

For Venus Express, as for Rosetta, the Autonomus Attitude Guidance function provides 2 independent guidance laws for pointing the Earth direction, avoiding Sun exposure of sensitive faces of the spacecraft . The difference between the 2 laws is the spacecraft Y-axis orientation : it can be set perpendicular to either the ecliptic plane (

“Ecliptic option”

, similar to MEX Guidance), or the Sun-

Spacecraft-Earth plane (

“SSCE option”

).

For Venus Express, the “SSCE” option is the nominal law to be used by the AOCS, and the “Ecliptic option” is a back-up law which can be used for very specific situations, corresponding to very low values of the angle (S/C-Sun, S/C-Earth).

Issue : 2 Rev. : 0

Date : 06/02/2004

5.16

Gyro-stellar estimation function

The gyro-stellar estimation function is common to many AOCS modes : It is initialised during the Sun

Acquisition Mode (SAM) to prepare the following Earth acquisition operation (SHM: Safe /Hold

Mode). It provides accurate attitude estimation during the Normal Mode of course but also in the

Orbit Control Mode (OCM) and Thruster Transition Mode (TTM) for instance.

The gyro-stellar estimator processes gyro and star tracker (STR) measurements to provide an accurate estimate of the spacecraft attitude. It is based on a Kalman filter with constant covariance that allows mixing measurements at different rates (8 Hz for the gyros and 2 Hz for the STR). The constant covariance reduces the computer load while ensuring good performances.

The estimated attitude is a quaternion representing the spacecraft attitude in the J 2000 inertial frame.

The gyro-stellar estimator also estimates the gyros drifts to limit the attitude errors in case of STR measurement absence due, for instance, to a STR occultation. A specific management of the drift estimates is implemented for Mars Express and Venus Express, taking into account the specific conditions of the scientific mission phase (existence of rates due to varying profiles, and potential occultation). The gyro-stellar estimator implements a coherency test between the gyro and STR measurements in order to detect failures that could not be detected at equipment level.

Reaction wheel Off-Loading function

The wheel Off-Loading function enables to manage the angular momentum of the wheels to a target value, through thruster actuations. This function is completely autonomous during the last phase of the Earth acquisition sequence (SHM / EPP : Earth Pointing Phase). During the nominal operations around Venus, it is preferable to command the wheel Off-Loading from the ground, in Normal Mode /

GSEP, the date being optimised taking into account the mission constraints.

The Off-Loading function manages simultaneously all the wheels. It includes several sequences of thruster pulses until angular momentum of each wheel is close to the target value. This sequence is defined by a feed forward 3-axes wheel torque command combined with a thruster pulse. The sequence ends with a tranquillisation phase controlled by the wheels, in order to damp the dynamic excitation generated by the actuation of thrusters and wheels.

It must be noticed that it is also possible to control the wheels speed in a more classical way, through a wheel speed command in some thruster modes (Orbit Control Mode, Thruster Transition Mode and

Braking Mode).

Sun/Earth ephemeris propagation

Attitude Guidance on ephemeris

Large slew autonomous Guidance

Fixed quaternion

Guidance

Ground commanded

Guidance

Gyro-stellar estimator

Reaction Wheels

Off-Loading

Reaction Wheels management

Thrusters management

Sun

Acquis. M.

(SAM)

ü

ü

(init)

ü

(*) For Wheels Off- Loading only.

Safe/ Hold

Mode

(SHM)

ü

ü

ü

ü

ü

ü

ü

Normal

Mode (NM)

ü

ü

(GSEP)

ü

(FPIP)

ü

(FPAP/ GSP)

ü

ü

ü

ü (*)

Issue : 2 Rev. : 0

Date : 06/02/2004

5.17

Orbit

Control

(OCM)

ü

ü

ü

ü

Main Engine

Boost

(MEBM)

Thruster transition

(TTM)

ü

ü

ü

ü

ü

ü

ü

Braking

Mode (BM)

ü

ü

ü

ü

Figure 5.4-1: Use of generic functions in the AOCS Modes

Specific S.A. positions

Ephemeris parameters

Time

HGA misalignments

Up linked reference attitude quaternion

(Polynomial description)

On Board

Ephemeris

Propagation

SADM

Commands

Computation

S/C to Earth/

S/C to sun directions

Autonomous

Attitude

Guidance

Function

SADM Commands

Large angle slews for

Earth (sun) pointing acquisition (SHM)

Ground Commanded

Quaternion Profiles

Propagation

MAT 13261

Profiles for observation/slews

Figure 5.4-2: Guidance function architecture

Earth pointing

Fixed quaternion

Normal

Mode

Attitude

Guindance

Issue : 2 Rev. : 0

Date : 06/02/2004

5.18

Reaction wheel management function

This function is active in all the modes controlled through wheel torques (Normal Mode and

Safe/Hold Mode at the end of the attitude acquisition sequence), but also when the wheels are kept to a constant speed through a specific control loop but not used in the AOCS control, as in Orbit Control

Mode, Thruster Transition Mode or Braking Mode.

Six states of the wheel configuration are possible with this function depending on the control of the wheels in torques (t) or in speed (s). For instance, the nominal operation in Normal Mode, uses 3 wheels in torques (3t), but could sometime require a fourth wheel if a hot redundancy is usefull (4t).

During trajectory corrections the configuration includes 3 wheels controlled in speed (3s).

Intermediate states are necessary between these basic configurations in order to spin the wheels for instance (3t + 1s).

This function is also in charge of the generation of wheel torque commands in wheel frame, and of the friction torque estimation necessary for compensation and for the failure detection. It interfaces also with the Wheel Off-Loading function.

Thruster modulator and selection function

The selected amplitude modulator and on-time summation algorithms are re-used from Mars Express.

The modulator has only one working phase where the four thrusters can be used : q to produce a force along the satellite Z axis direction (a force ratio

F commanded

commanded to the modulator),

F

max

is q to control the 3-axes satellite attitude (three torques are commanded to the modulator).

The modulator working frequency is 8Hz. At each step, the modulation type used (ON-modulation or

OFF-modulation) is automatically selected so as to maximise the available torque capacity for attitude control. In the case the torque capacity is insufficient with respect to the commanded control torque, priority is given to the control and the commanded force ratio is automatically modified to recover the required torque capacity. Moreover in order to limit the actuation delay, the attitude control torque is always produced at the beginning of the actuation period.

To limit the number of thrusters ON/OFF or to tune the control limit cycle amplitude when using thrusters, the modulator output period can be changed to any period multiple of 125 ms.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.19

∆Τ

Active phase

T pulse

Damping phase thrust

T damp

T wheel

T seq

Sequence N

Sequence N+1

Wheel torque command

r wheel

Thruster torque command

pulse

Figure 5.4-3: Wheel Off-Loading sequence

4

RW speed surveillance

+ failure detection

hc_On_Board off_load_cmd_torq

Wheel_id h c

RW

_

S c

SC

_

T

6

Transformation in wheel frame

c

RW

_

S

2

RW Command generation

RW c

_

T

r

T

WOL

1

Off-loading function interface r

T cmd

Wheel_id

r

h m

3

Friction torque estimation and compensation

T r

r

fric app

r

H wheel

5

Transformation in SC frame

Reaction wheel management function

Required_desat[4]

Forced_desat[4]

Wheel_failure[4] reach_ref_speed[4]

H

max

Wheels +

Tachometers r

h m t wheel

H

max

T

H

SC

SC app

Figure 5.4-4: Reaction Wheels management function

Issue : 2 Rev. : 0

Date : 06/02/2004

5.20

5.5 AOCS MODE TRANSITIONS

The AOCS mode transitions, or the transitions between the modes subphases are usually performed upon ground commands, taking into account the associated operational constraints. Automatic transitions are however performed autonomously by the AOCS in case of complete sequences for attitude acquisition or orbit control manoeuvres.

Automatic or ground commanded transitions

Automatic transitions onboard

Automatic transitions managed by the onboard Software are implemented when a complete sequence of operations has to be performed without ground intervention, involving several AOCS Modes or several AOCS Modes subphases.

This situation exists for the attitude acquisition sequence either during the nominal sequence or in case of reacquisition after a failure : q

The transitions between all the subphases of the Sun Acquisition Mode (SAM) are automatic onboard, q

The transitions between all the subphases of the Safe/Hold mode are automatic onboard , but the transition between Hold Phase (HP) and Earth Pointing Initialisation Phase (EPIP) can be inhibited by the ground (or the SW in case of failure) to avoid wheels use. q

The transition between the SAM and the SHM is automatic onboard, leading to a completely automatic attitude acquisition / reacquisition sequence. It can be however inhibited by the ground or by the SW in case of failure.

For both last cases, the ground inhibition is active only if the Spacecraft Elapsed Time is lower than a given value.

For the orbit control manoeuvres in OCM which have to be followed by a tranquillisation performed in Thruster Transition Mode (TTM), automatic transitions are also implemented : q

The transition between the Orbit Control mode (OCM) and the TTM is automatic onboard, q

The transition between the TTM and the Normal mode (NM) is automatic, q

The transition between the Main Engine Boost Mode (MEBM) and the SAM is automatic onboard.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.21

Ground commanded transitions

Other transitions between AOCS modes or Modes subphases are commanded by the ground.

At AOCS Mode level, this is for instance the case of the transition between the Normal mode (NM) and the OCM to start an orbit correction, the transition between the NM and the Main Engine Boost

Mode (MEBM) or the transition between the NM and the Braking Mode (BM). The transition from the Safe/Hold Mode and the Normal Mode is also under ground control.

Between the subphases of the Normal Mode, the transitions are also managed from ground, the various capabilities offered by this Mode being used according to the mission needs.

The ground commanded transitions can be managed either by TC or by the Mission Time Line

(MTL). This latter possibility enables the ground to build operational sequences including several transitions. This is especially useful for instance when a slew manoeuvre to be performed in Normal

Mode is necessary before a switch to another mode (OCM, MEBM, BM). Some time constraints exist in these sequences, in order to ensure mode convergences, before transitions.

Wheels off-Loading

The wheel Off-Loading Phase (WOLP) is a sub-phase of the Safe and Hold Mode (SHM) and also of the Normal Mode.

During the SHM, this operation is automatically commanded onboard on the basis of wheel kinetic momentum criteria, when the AOCS has reached the Earth Pointing phase of the mode (SHM/ EPP).

During the NM, this operation is nominally commanded by the ground out of observation phases, at a date commanded by the ground. In order to limit the orbit disturbances due to the thruster actuations, it is also possible to perform the wheel Off-Loading with a spacecraft attitude defined by the ground in the Fine Pointing Inertial Phase (FPIP) after a slew manoeuvre. As a security, the wheel off-loading can also be triggered automatically in case of wheel over-rate detection, from the Fine Pointing

Accuracy, Fine Pointing Inertial and Gyro-stellar Ephemeris Pointing sub-phases of the Normal Mode

(NM/FPAP, NM/FPIP and NM/GSEP). During these three phases, the ground has the capability to inhibit the automatic procedure.

Between modes where the Wheel Off-Loading is authorised and Modes where it is inhibited, it is recommended to the ground to anticipate this inhibition to avoid a thruster pulse just at the time of the transition.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.22

Transition validity check

For the Mode and Sub-phases transitions commanded by the ground, some conditions may be required to ensure that the AOCS behaviour is adequate after the transitions. The onboard Software performs therefore a validity check when the transition is requested by the ground.

If the validity conditions are not fulfilled, the transition is rejected, and the AOCS stays in the current

Mode or subphase. The transition will have to be commanded again by the ground after analysis of the situation and the Software event.

On-board /ground sharing for the equipment configuration management

Onboard management of the AOCS equipment

Usually an AOCS Mode requires some H/W resources which are absolutely mandatory for the achievement of the Mode objectives. In this kind of situation, the onboard Software manages autonomously the H/W equipment of the Mode : q through a validity check at the Mode transition that the required resources for the next Mode are available q through an automatic switch ON/switch OFF of the required unit and an automatic change of the desired configuration (number of units or H/W functions, H/W modes…).

This management principle is the one applied in most of the cases for all the AOCS units. It is considered in this case that the considered H/W is “locked” by the AOCS Mode. This principle prevents from unexpected ground telecommands : for instance, if the ground attempts to switch-off a unit that is locked in the ON state by an AOCS mode, the ground TC will be rejected.

Flexibility let to the ground for some AOCS units

For some AOCS units, the ground has the capability to adapt the Hardware configuration to the mission needs, for failure management purposes (FDIR), for specific mission needs, or to have the best preparation and verification of the hardware from ground before specific operations : q

The IMUs configuration can be adapted from the ground during the operational modes, leading to a change in the AOCS FDIR actions. If a “6-axes” IMU configuration is selected for instance, the system will be able to react autonomously to some gyro failures in Normal

Mode without going to the back up mode (SAM). This ground capability is especially interesting for some critical mission phases such as the Venus insertion preparation for instance (during the insertion manoeuvre itself, the “6-axes” IMU configuration is locked and managed onboard). q

The IMUs configuration during the safe mode (SAM/SHM) is systematically “6-axes”.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.23

q

The wheel configuration during the nominal operations of the Normal mode includes 3 wheels. It is however possible to the ground to set a 4-wheels configuration. It allows to avoid the SAM triggering in some cases of wheel failures (prior the MEBM transition).

All these ground flexibilities have an impact on the onboard management of the AOCS Hardware, leading to some H/W actions which are not performed by the Software, but by the ground.

Ground recommended actions

In some cases, even if a transition validity check and a H/W configuration change is already performed by the onboard Software, it is however preferable to ask to the ground to anticipate on the

Mode transition to make the transition easier : this can help to avoid the time loss due for instance to the switching-ON sequence of the IMU (15 seconds without valid measurements) or the Star tracker.

Case of the mechanisms

The configuration of the Solar Array Drive Mechanism (SADM) is managed onboard during the attitude acquisition and back up modes. During the operational phase, the ground has the full capability to manage this unit depending on mission operations. A ground intervention is especially necessary in NM/ FPAP in order to define the final position to be reached by the Solar Array for the further operation (observation, OCM, MEBM, BM…).

The SADM is not “locked” by the onboard S/W.

Mode transition generic sequence

The Mode transition basic sequence includes 3 main steps : q

The validation of the Mode transition request, when it is a ground commanded transition.

During this step, the Software tests all the conditions necessary for the switching in the next

AOCS Mode, q

The execution of the Hardware configuration change for the considered Mode change. This step involves exchanges between the AOCS and the DMS processors and S/W, at 1 Hz, for the request of Hardware units switch-OFF and switch-ON. The exact duration of this sequence (a few seconds) depends of course on the number of configuration changes necessary for the mode transition. q

The starting of the next Software Mode, as requested, as soon as the AOCS S/W is informed by the DMS that the last H/W configuration change has been transmitted to the RTU. The new Mode will start by the initialisation of the new functions and algorithms with all the adapted parameters.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.24

5.6 HIGH GAIN ANTENNA MANAGEMENT

Specific need for Venus Express

On Venus Express, in order to fulfill thermal constraints at spacecraft level, 2 HGAs are used for the communications with the Earth. The switch from one HGA to another has to be performed around quadratures, in order to ensure that HGA1 is selected on superior conjunction side, and HGA2 on inferior conjunction side of the mission.

At AOCS level, both HGA1 and HGA2 direction unit vectors are stored onboard, and the AOCS will use the appropriate vector to compute the final attitude of the SHM, or the attitude of the Normal

Mode / GSEP.

In SHM, the adequate HGA parameters will be used when entering in this mode, the final attitude and the attitude manoeuvres being computed autonomously by the software.

In Normal Mode, the adequate HGA parameters will be used when entering in GSEP after a ground slew ensuring the correct pointing of the spacecraft (no attitude manoeuvre is computed autonomously in Normal Mode).

Management of the HGA switching at DMS and AOCS level

The HGA switching is performed only 4 times during the mission and is not considered as “time critical”. It is therefore performed from ground through a dedicated TC. The onboard software ensures however several tasks autonomously : q

The appropriate storage of parameters in the Safeguard Memory (SGM), q

The consistency between DMS data and AOCS data for the HGA selection is performed autonomously by the DMS, in order to avoid a critical situation where the RF configuration selected by the DMS is different from the HGA pointed towards the Earth by the AOCS, q

The adequate selection of parameters during Safe Mode is also ensured by the DMS.

For this purpose, the DMS uses a “Selected HGA” flag in DMS PM RAM, which is also stored in

SGM, and an internal command sent to AOCS for the HGA switching.

On receipt of the DMS command, the AOCS updates its own “HGA selected” flag and selects the associated directors cosines of the HGA. This direction to be pointed will be effective at AOCS level only at the next entry in SHM or NM / GSEP, as recalled before.

During a Software or Hardware Safe Mode, the DMS also sends this command to the AOCS, ensuring that the safe mode is started with the same data at DMS and AOCS level.

This procedure is defined for the “SSCE option” of the Guidance, which is the baseline, and especially mandatory at quadrature time. The AOCS software ensures autonomously the sign change necessary in this guidance law when changing from one HGA to the other.

Issue : 2 Rev. : 0

Date : 06/02/2004

5.25

.

.

.

.

Inferior Conjunction side

0.0

E

S

0.0

0.2

.

0.4

0.6

0.8

1.0

1.2

1.4

1.6

.

1.8

Venus day

-0.4

.

.

.

.

Figure 5.6-1 : Vex HGA switching strategy

Issue : 2 Rev. : 0

Date : 06/02/2004

5.26

Issue : 2 Rev. : 0

Date : 06/02/2004

6.1

6. PROPULSION SYSTEM ARCHITECTURE

The Venus Express propulsion system is based on the bi-propellant Mars Express propulsion system, with higher propellant mass.

This chapter gives a description of the design of the VENUS EXPRESS propulsion system, including the CPS schematic. More detailed information is provided in the CPS Design Report

(VEX.RP.00002.EU.ASTR) and User’s Manual (VEX.MA.00001.EU.ASTR).

Issue : 2 Rev. : 0

Date : 06/02/2004

6.2

6.1 DESIGN DESCRIPTION

The Venus Express CPS is a helium-pressurised bipropellant system, using monomethyl hydrazine

(MMH) as the fuel and mixed oxides of nitrogen with 3% nitric oxide (MON-3) as the oxidant, also referred to as NTO, its main constituent. The main engine, used for Venus orbit insertion, has a thrust of ~416 N and a specific impulse of ~317 seconds. Four pairs of 10 N thrusters (4 primary, 4 redundant) are provided for trajectory corrections and attitude control / reaction wheel unloading.

These components are the same as used on Eurostar 2000. However, the intended use of the main engine on Venus Express, with a propellant mass ratio close to 90% between main engine and 10 N thrusters, is higher than on Eurostar, where this ratio does not exceed 75%. This is a specificity in the use of the main engine. The limitations of main engine use due to propellant tank functional constraints have been identified in the CPS user’s manual.

The CPS is designed to operate in a constant pressure mode during main engine firings for capture manoeuvre and first part of apocentre reduction manoeuvre, using a regulated helium supply. The latter manoeuvre is pursued with main engine in blow down mode. Following completion of main engine manoeuvres, the regulated helium supply and the main engine are isolated. The last part of the apocentre reduction manoeuvre is achieved with the 10 N thrusters.

The thrusters are used in blowdown mode, i.e. the system pressure reduces as propellant is consumed.

This represents a major simplification to the design of the system, maximising reliability. There is no appreciable loss of performance because the thrusters are capable of operation over a much wider range of inlet pressures than the main engine.

Propellant is delivered to the main engine and thrusters by the propellant feed subsystem, which is supplied with helium by the pressurant subsystem. Each of these contains pipework (with associated fittings) and CPS units.

The helium pressurant subsystem is commonly referred to as the “gas side”. It may be considered as two “sections”, the high pressure gas side and the low pressure gas side.

High Pressure Gas Side

The high pressure gas side comprises: (1) a 35.5 litre helium tank, (2) normally open and normally closed pyrovalves, (3) a high-range pressure transducer, (4) a fill & drain valve, and (5) a test port.

This section has a maximum expected operating pressure (MEOP) of 276 bar, and during all ground operations and through launch it is isolated from the pressure regulator by a pair of normally closed pyrovalves. These are arranged parallel to each other, providing redundancy in the design. Helium usage is monitored by the high-range pressure transducer. The purpose of the normally open pyrovalve is to isolate the pressurant tank from the rest of the CPS after the final main engine firing.

There is no need for a redundant normally open pyrovalve since successful tank isolation is not critical to the mission.

The helium tank is loaded via the fill & drain valve. The test port is used for pressure regulator performance testing on the ground.

Issue : 2 Rev. : 0

Date : 06/02/2004

6.3

Figure 6-1/1: Propulsion System Schematics

The propulsion schematic is fully identical to Mars Express one.

Issue : 2 Rev. : 0

Date : 06/02/2004

6.4

Low Pressure Gas Side

The low pressure gas side comprises: (1) a pressure regulator, (2) non-return valves, (3) a pair of low flow latch valves, (4) a low-range pressure transducer, (5) normally closed pyrovalves, and (6) test ports and fill & vent valves.

This section has a MEOP of 20 bar, controlled by the regulator which senses downstream pressure.

The regulator is the dual, series redundant type. This design features both a primary and a secondary regulator. In the event of failure of the primary regulator (~17 bar regulated pressure), the secondary regulator will control the system pressure (at ~17.5 bar). Another feature of the regulator is the dynamic flow limiter fitted at its inlet. The limiter restricts the rate of rise of downstream pressure in the unlikely event that the firing of a normally closed pyrovalve in the high pressure gas side delivers helium too rapidly for the regulator to respond.

During main engine firings and over the on-orbit life of the spacecraft, there exists a potential for propellant vapours to migrate from the propellant tanks toward the pressure regulator. To prevent possible mixing of fuel and oxidant vapours, a pair of non-return valves is fitted in the helium lines to both the fuel and the oxidant sides of the system. To increase reliability each pair of non-return valves is arranged in series, providing two inhibits to prevent mixing of propellant vapours.

The potential for propellant vapour migration is particularly relevant to the long cruise to Venus, during which the main engine is isolated and the thrusters are fired only intermittently. Therefore, further protection is provided by the addition of a pair of parallel redundant low flow latch valves in the low pressure gas side. These allow the pressurisation lines to be closed off for the greater part of the time. The latch valves are located upstream of the normally closed pyrovalves. This eliminates any risk of debris, possibly generated by the firing of the pyrovalves, entering the latch valves.

The low-range pressure transducer is used to monitor the pressure in this section in flight and during testing on the ground.

The purpose of the normally closed pyrovalves is to keep the propellant feed subsystem isolated from the pressurant subsystem until the time comes to bring the propellant tanks up to regulated pressure

(~17 bar). As in the high pressure side of the pressurant subsystem, the normally closed pyrovalves are positioned in parallel for redundancy.

The fill & vent valves and test ports are used on the ground, e.g. to vent gas during propellant tank filling, to pressurise section volumes, and to obtain system pressures via ground instrumentation.

Issue : 2 Rev. : 0

Date : 06/02/2004

6.5

6.1.2 Propellant Feed Subsystem

The propellant feed subsystem, commonly referred to as the “liquid side”, supplies propellant to the main engine and thrusters. It comprises: (1) a pair of 267 litre propellant tanks, (2) normally open and normally closed pyrovalves, (3) propellant filters, (4) low-range pressure transducers, (5) main engine, (6) reaction control thrusters, and (7) test ports and fill & drain valves.

This section is pressurised with helium by the low pressure gas side, and has a MEOP of 20 bar.

Propellant is demanded from the fuel and oxidant tanks by the main engine and thrusters, at oxidantto-fuel mixture ratios of ~1.67 and ~1.54, respectively.

The presence of the normally closed pyrovalves allows the propellant feed subsystem downstream of the propellant tanks to remain isolated before flight. Thus the tanks may be loaded with simulated propellant for ground testing (not envisaged for Venus Express), and later with propellant at the launch site. Loading of these liquids is performed through the fill & drain valves, during which gas in the tanks is vented out through the fill & vent valves.

Another purpose of the normally closed pyrovalves is to isolate the tanks from the rest of the propellant feed subsystem, so that proof pressure testing of the pipework without pressurising the propellant tanks may be performed. As is the case throughout the CPS, the normally closed pyrovalves are positioned in parallel for redundancy.

Downstream of the pyrovalves are the filters, one for fuel and one for oxidant. These provide an additional level of protection to the main engine and thrusters, which have filters built into them.

The low-range pressure transducers are used to monitor propellant tank pressures in flight, following the opening of the normally closed pyrovalves between the tanks and the pressure transducers.

Downstream of the filters the pipework divides into separate branches, supplying the main engine, and the reaction control thrusters.

In the feedlines to the main engine are the normally open pyrovalves. Their purpose is to isolate the engine after its final firing. Because engine isolation is not critical to the mission, the normally open pyrovalves are not duplicated for redundancy.

The purpose of the normally closed pyrovalves in the feedlines to the main engine is to allow the main engine to remain isolated until required without compromising the use of the thrusters during Venus transfer. Again, the normally closed pyrovalves are positioned in parallel for redundancy. The main engine is fitted with its own filters and flow control valves (FCVs).

The dual valve thrusters are arranged in pairs, primary and redundant. Direct switching between the primary and redundant thruster of any pair will be implemented in the unlikely event of failure of any primary thruster.

Each unit incorporates a filter, and a thruster latch valve (TLV) upstream of a flow control valve

(FCV), providing further redundancy in the system.

As for the gas side, the test ports are used on the ground.

Issue : 2 Rev. : 0

Date : 06/02/2004

6.6

6.2 LAYOUT

This section examines the physical layout of the CPS.

The propellant tanks are positioned centrally along the spacecraft Ys axis, but are offset with respect to the Xs axis. The oxidant tank is closer to the centre line to compensate for its greater mass when loaded with NTO. This arrangement reduces the shift in the position of the centre of gravity over the mission. The tanks are supported on beams under the lower floor, hence the propellant outlet pipes have to pass through the beams to emerge under the spacecraft but within the [launch vehicle] adapter ring. A 90

O

elbow fitting is used to turn the pipes within the available envelope to enable them to bend upwards and pass back through the floor.

The helium pressurant tank is located in the -Xs, +Ys segment of the structure. The port boss is mounted through the Ys shearwall and the blind boss is mounted to a dedicated support panel.

The main engine is positioned close to the centre of the lower floor. It is mounted on a raised bracket so that the feed pipes to the flow control valves at the top of the engine can run across the upper face of the floor. The mounting bracket is positioned between the two propellant tanks, subsequently the engine valve mechanical couplings are inaccessible after installation of the tanks. For this reason testing of the main engine sub-assembly is conducted prior to installation of the oxidant tank to the spacecraft structure. The testing verifies that the engine pipe connections are leak tight.

The four thruster modules (two thrusters per module) are positioned below the lower floor at the corners. Their feedlines pass locally through the floor to emerge within the envelope of the thruster mounting brackets.

The CPS units are mounted on the +Xs face of the +Xs shearwall, and on the +Zs side of the lower floor in the +Xs/+Ys and +Xs/+Ys segments. This arrangement facilitates the use of a jig for manufacture. The layouts of the fuel and oxidant supply assemblies are similar to one another, as are the layouts of the low pressure gas assemblies feeding them. The high pressure gas side completes the shearwall layout. The unit layout has been modified with respect to Mars Express in the aim to accommodate the CONAX pyrovalves and the POLYFLEX non-return valves.

The 15 fill / drain / vent valves are mounted at the lower floor, accessible from underneath the spacecraft. They are grouped in five clusters of three valves, located along the +Xs edge of the structure. Each cluster is directly associated with one of the five assemblies, i.e. liquid sides for fuel and oxidant; low pressure gas sides feeding fuel and oxidant; and high pressure gas side. The positioning of the valves within each cluster follows the same pattern with regard to valve function.

The valves used for the loading of pressurant and propellants at the launch site are positioned at the front of each cluster, allowing easy access for personnel wearing SCAPE suits during loading operations.

The feedlines to the main engine, to and from the propellant tank, and from the pressurant tank, are routed through the +Xs shearwall at appropriate locations. The feedlines to the thrusters are routed along the -Ys and +Ys edges of the lower floor of the structure.

Issue : 2 Rev. : 0

Date : 06/02/2004

6.7

CPS Units

Assembly

Thruster

Module

Main Engine

Xs

Zs

Figure 6-2/1: Propulsion Layout inside Spacecraft Structure

NTO Tank

MMH Tank

Ys

Pressurant

Tank

Figure 6-2/2: Propulsion Layout on +Xs shearwall and lower floor

Issue : 2 Rev. : 0

Date : 06/02/2004

6.8

Propellant Tank

Equipped with

Thermal Hardware

Main Engine

Pressurant Tank

Equipped with

Thermal Hardware

Figure 6-2/3: Venus Express CPS Main Units

Issue : 2 Rev. : 0

06/02/2004

7.1

7 ELECTRICAL AND POWER ARCHITECTURE

7.1 OVERVIEW

The Venus Express electrical architecture is designed to cope with the main design drivers as found on interplanetary missions. q

The first one is the need for a high autonomy, due to the absence of real-time control of the spacecraft, and at mission critical phases (such as Venus orbit insertion and eclipses). q

Secondly, the spacecraft shall be able to cope with a highly variable environment: Sun-to-Venus distance (impact on Solar flux), Earth-to-Venus distance, changing attitude, etc. and with optimised resources to cope with the launch mass restriction.

The following diagram gives an overview of the VEX electrical architecture :

Payload

VERA VIRTIS VMC PFS ASPERA MAG SPICAV

S

S

S

X

X

Heater Power Heater Power Heater Power

LGA1

USO I/F

Communications

1355 link 1355 link

+ 28V Regulated

Protected lines

OBDH

Solid State Mass Memory

1355

RemoteTerminal

Unit

RFDU

LGA2

HGA1

WIU

S

Dual Band

Transponder

X - Rx X -Tx

TC

TM

Control & Data Management

System

CDMU 2

CDMU 1

AOCS Interface

Unit

Pyro Heater Power

Thermal Heater Power

Pyro Devices

Power Supply

Power Distribution Unit

Power Control Unit

Battery

SADE

HGA2

X -Tx

X Band

TWTA

Analogue

Propulsion

Data Handling

1355 link

Analogue

1355

MACS

SADM

Solar Array Drive Assembly

RS422 Analogue

Solar

Array

Reaction

Wheel

Assembly

Star

Tracker

Inertial

Measurement

Unit

Sun

Acquisition

Sensor

Attitude and Orbital Control

Issue : 2 Rev. : 0

06/02/2004

7.2

Two Solar Arrays wings equipped with triple junction Gas cells generate electrical power. The Solar

Arrays are oriented towards the Sun by a Solar Array Drive Mechanism (SADM).

During eclipses, three Li-Ion batteries supply the required power.

Power management and regulation is performed by the Power Control Unit (PCU) providing a controlled

+28Volts main bus voltage.

The use of a Maximum Power Point Tracker (MPPT) avoids to oversize the solar array in order to cope with both near-Earth and Venus orbit conditions. It allows working at the Solar Array maximum power point, while three Battery Charge and Discharge Regulators (BCDR) are in charge of the battery management, controlled by an Error Amplifier Control Loop (MEA).

The resulting +28 V regulated power bus is distributed to all spacecraft users by a Power Distribution

Unit (PDU) featuring Latch Current limiters (LCL).

The PDU is also responsible for Pyro commands generation, whereby the necessary energy is drawn from the batteries.

Solar Array

Drive

Electronics

Power Control Unit (PCU)

MPPT 1

Array Power

Regulator 1

Array Power

Regulator 2

Issue : 2 Rev. : 0

06/02/2004

7.3

The following figure shows the VEX Power Subsystem.

Solar

Array (-Y)

-Y Solar

Array Drive

Mechanism

+Y Solar

Array Drive

Mechanism

Solar

Array (+Y)

MPPT 2

MEA

BCDR1 BCDR2

From / To RTU

TM/TC

Interface

+ 28V Main Bus

BCDR3

From / To RTU

TM/TC

Interface

Power Distribution Unit (PDU)

FCL

FCL

LCL

LCL

LCL

Pyro

Interface

CDMUs

Transponder

Receivers

Spacecraft Bus

Equipment

Payload

Instruments

Thermal Control

Heaters

Solar Array

Propulsion

Payload MAG

Li-Ion

Battery 1

Li-Ion

Battery 2

Li-Ion

Battery 3

Figure7.2 : VEX Power Subsystem diagram

Issue : 2 Rev. : 0

06/02/2004

7.4

Two symmetrical Solar Array wings generate the Venus Express power. The solar array consists of two identical low weight deployable wings of 2 panels each, and is pointed towards the Sun by means of a one

Degree-of-Freedom Solar Array Drive Mechanism. When stowed, each wing is clamped to the spacecraft side panel on four hold-down points and release mechanisms. For deployment four redundant pyrotechnics bolt cutters release each wing individually. After deployment the two panels are held in position and in a defined distance to the satellite body by the Inner Yoke and the Outer Yoke.

The Solar Cell Assemblies (SCAs) are placed on the 2 panels of a wing, and no cells are placed on the outer yoke. When stowed the solar cell assemblies located on the outer panel are facing to space/Sun.

The electrical power is transferred to the spacecraft by a harness routed on the rim of the wings onto the connectors of the SADM. The chosen cell technology is RWE triple junction GaAs cells GAGET1-

ID/160 65x38, with 100 µm cover glass thickness allowing to cope with Venus radiation environment.

In order to decrease the S/A temperature, OSRs have been introduced on each panel lay out on front and rear side

Issue : 2 Rev. : 0

06/02/2004

7.5

The following figure presents the Wing Block diagram with different sections and strings.

WING

PANEL 2 PANEL 1

4 x 3 positive power lines

Section 4 Section 3 Section 2 Section 1

F gu e 7.2 1.1 : VEX Wing Block Diag am

The SA circuitry is as follows:

-

Number of wings: 2

- Number of panel per wing: 2

- Numbers of sections per panel: 2

-

Number of strings in parallel per section: 6

- Number of SCA's in series per string : 22

Two redundant bleed resistors, each 20 kOhms per panel, achieve short circuit protection.

Each string includes one blocking diode.

By design, each cell provides a by pass diode.

4 x 3 negative power lines

Grounding

Issue : 2 Rev. : 0

06/02/2004

7.6

The S/A dimensioning has been achieved in order to guarantee 800 W min in earth vicinity and 1100 W min in Venus vicinity.

The strings are designed in order to cope with a max S/A Voc of 80V and a min Vmpp of 32V. The cells with a Venus flux have been considered with an efficiency of 25%.

This lay out leads to a max S/A current of 18A/ wing.

The following table summarises the SA estimated power values.

Power Near Earth

Power BOL Venus

Power EOL Venus

P mp (W)

820

1490

1400

The following figure shows the VEX Power Generation block diagram.

Issue : 2 Rev. : 0

06/02/2004

7.7

SA – Wing -Y

Panel 1

Section 1

Section 2

Panel 2

Section 3

Section 4

SADM1

Array Power Regulator 1

Array Power

Converter 1

MPPT1

MPPT Control 1

MEA

PCU

MPPT2

Array Power

Converter 2

MPPT Control 1

MEA

MPPT3

Array Power

Converter 3

MPPT Control 1

MEA

MPPT

Majority

Voting

2 / 3

MPPT

Control 1

28v Main Bus

SA – Wing +Y

Panel 1

Section 1

Section 2

Panel 2

Section 3

Section 4

SADM2

Array Power Regulator 2

Array Power

Converter 1

MPPT1

MPPT Control 2

MEA

MPPT2

Array Power

Converter 2

MPPT Control 2

MEA

MPPT3

Array Power

Converter 3

MPPT Control 2

MEA

MEA

MPPT

Majority

Voting

2 / 3

Main Error Amplifier

2 / 3

Voting

E/A 3

E/A 2

E/A 1

MPPT

Control 2

Figure 7.2.1 : VEX Power Generation Diag am

Issue : 2 Rev. : 0

06/02/2004

7.8

Three batteries supply the spacecraft power when the Solar Array is not illuminated by the sun or in case the power demand is higher than what can be generated by the Solar Array.

The energy is stored within 3 identical batteries of 24 Ah , based on low mass Li-Ion technology. Each battery is built with 16 parallel strings of 6 serial 1.5 Ah battery cells.

The cells are based on the Sony Hard Carbon typ 18650, which is a cylindrical cell.

Each battery has the following parameters:

- Maximum Battery Voltage : 25.2V

- Minimum Battery Voltage : 15V

-

Battery Capacity : 24 Ah

- Battery Energy : 518 Wh

The following figure shows the VEX Power Storage block diagram.

Issue : 2 Rev. : 0

06/02/2004

7.9

PCU

Battery 1

BCDR1

Bat Charge Regulator

Series connection of 6 cells to form a string

16 strings in // to form the battery cell array Bat Discharge Regulator

+28v Main Bus

Battery 2

Series connection of 6 cells to form a string

16 strings in // to form the battery cell array

Battery 3

BCDR2

Bat Charge Regulator

Bat Discharge Regulator

Series connection of 6 cells to form a string

16 strings in // to form the battery cell array

BCDR3

Bat Charge Regulator

Bat Discharge Regulator

PDU

Nominal Pyro board

Redundant Pyro board

Nom Pyro I/Fs

Nom Pyro I/Fs

Figure 7.2.2 : VEX Power Storage diagram

Issue : 2 Rev. : 0

06/02/2004

7.10

The Power Control Unit (PCU) converts the solar array and battery power inputs into a regulated main bus voltage at 28V

±

1%. The main bus regulation is performed by a conventional three-domain control system, based on one common and reliable Main Error Amplifier (MEA) signal which controls the two

APRs (one per SA wing) and the three BCDRs (one per battery).

Power management is supported by an adequate measurement of the power parameters within the PCU.

This includes array current and voltage, BDR output current, battery charge and discharge currents, total main bus current and voltage and main error voltage.

Solar Array Power Control:

When the available array power exceeds the total power demand from the PCU, including the battery power charge, the Array Power Regulator (APR) will perform the main bus regulation based on the MEA control line signal. The regulator function is a buck type switched regulator, which will leave the surplus energy on the array by increasing its input impedance.

A MPPT function will automatically take over the regulation control of the Regulator when the MEA signal enters the BCR or BDR control domain. The MPPT monitors the array voltage and current and controls the Regulator to provide that specific input impedance, which will derive the maximum electrical power available on the array.

The MPPT function finds the maximum power point by oscillating the APR input impedance slightly around the impedance providing the maximum power.

Each APR function comprises 3 individual Array Power Regulators, configured as two out of three hot redundant regulators. The active regulators share equally the requested power transfer to the main bus.

Each of the two solar array wings has its own individual APR function to allow individual tracking of the maximum power point.

Battery Power Control:

Each of the three batteries has its own dedicated Battery Charge / Discharge Regulator (BCDR) function in the PCU. As the battery voltage is lower than the regulated main bus voltage, the BDR is a conventional step-up regulator design while the BCR is a step-down regulator.

The batteries are charged at constant regulated current at 3A, until a command selected End of Charge

(EOC) voltage limit is reached. The BCR will then maintain the battery at this EOC voltage level.

Issue : 2 Rev. : 0

06/02/2004

7.11

VEX PCU Power Limitations :

Venus express PCU power limitations are as follows:

- APR output power = 2 APR x 3 APC x 250W = 1500W ( 750 W per Wing )

-

BDR output power = 3 BDR x 300 W = 900W (300W per Battery)

- BCR charge current = 3A / Battery

The following figure shows the PCU functional block diagram

Solar Array - Wing 2

Solar Array - Wing 1

PCU

APR – Wing 2

APR – Wing 1

APC3

(P out = 250W)

APC2

(P out = 250W)

APC1

(P out = 250W)

LCL Filter

2 / 3 Hot Redundancy

DC/DC Converter

+28V Main Bus

Control

I SA

V SA

OFF

MPPT

MPPT

Control

MPPT1 MPPT

2/3 Voting

MEA

OFF PWM

Control

BDR Failure detection

Ref.

Overvoltage

LCL OFF

+

-

Ref.

Overcurrent

+

-

LCL OFF

BCR LCL OFF

Ref.

Zero-Demand

+

-

LCL OFF

Capacitor

Bank

1 mF

32V – 80V

TM / TC

Control

MPPT 2&3

SA

Local

Auxiliary Supply

A & B Bus Control

3 x BCDR

(Pout = 3 x 300W)

MEA

Main Error Amplifier

2 / 3

Voting

E/A 3

E/A 2

E/A 1

BCR - LCL

Battery 3

Battery 2

Battery 1

16V – 25V

BDR - LCL

Control

BDR LCL OFF

V Battery

+ 28V MB

BCR Failure detection

Overvoltage

BCR LCL OFF

+

-

Ref.

V Bat

Battery Regulation

Ref.

+

-

I Bat

Ref.

+

-

MEA

OFF

BDR Filter

BCDR

Auxiliary Supply

BCR Converter Stage (Super Buck)

PWM

Control

BDR Converter Stage (Push-Pull)

PWM

Control

BDR Failure detection

Ref.

Overvoltage

BDR LCL OFF

+

-

Overcurrent

I MB

Ref.

+

-

BDR LCL OFF

+28V MB

OFF MEA

Control I MB

BCR LCL OFF

TM / TC

Control

A & B Bus Control

Command

&

Telemetry I/F

Figure 7.2.3 : PCU Functional Block Diagram

PDU

RTU

Issue : 2 Rev. : 0

06/02/2004

7.12

7.2.4 Main Bus Power Distribution

The Venus Express power distribution policy is based on a centralised scheme and is ensured by the

Power Distribution Unit (PDU).

One switched protected power line derived from the regulated main power bus is dedicated to each

DC/DC Power Converter within the users. In addition, power lines are also dedicated to users, which draw directly power from the power bus without any need for a DC/DC Converter. This is the case of the 10 N Thrusters FCV (Flow Control Valve), the FCV of the Main Engine coils and of the Latch

Valves. These lines are routed via the AOCS Interface unit.

Each power line is switched and protected by means of a Latch Current Limiter (LCL). An LCL is a solid state latching switch which also acts as a protection device in case of over current. Should the current through the LCL exceeds the trip off current, the device will enter into current limitation. In case current limitation continues for more than a given trip-off time in the order of 16 ms, the LCL will open to isolate the failed unit from the Spacecraft power bus. The LCL are actuated using Delayed Memory Load commands (DML), which are the same as Memory Load Commands but delayed by 100msec within the

PDU control module, and provide isolated ON/OFF status and primary current telemetry.

It is however not possible for all units to isolate from the power bus for some units in case of overcurrent.

This is the case for the CDMU and for the Dual Band Transponder Receivers. These units shall never be switched off and shall be able to recover autonomously in case of return to normal conditions. Primary power is distributed to them through Foldback Current Limiters (FCL). These are devices identical in essence to LCL, except that they do not feature ON/OFF switching capability and that overcurrent will never lead to disconnection when the trip-off time is exceeded. The current limiting function is of the foldback type, meaning that the unit voltage will decrease as the current demand increases above the limitation threshold. Six FCL are baselined in the Venus Express PDU, which are allocated to nominal and redundant Dual Band Transponder Receivers and CDMU (2 DC/DC Converters are implemented in each CDMU).

Seven LCL classes are defined on Venus Express in order to cope with a wide range of nominal currents while ensuring an efficient protection.

A total of 78 LCLs and 6 FCLs are implemented within the PDU.

VEX PDU output power capability is limited to 750W (compared to Mex PDU limitation @ 650W).

Issue : 2 Rev. : 0

06/02/2004

7.13

The following figure shows the PDU block diagram.

PDU

PCU

Main Bus Power

RTU_R

RTU_N

HPC Reset

AUX. DC/DC - R

AUX. DC/DC - N

MLC/SDT

CDMU R

CDMU N

HPC Priority

CONTROL LOGIC - R

CONTROL LOGIC - N

TM /TC

MLC_B_N

SDT_B_N

Coder MLC_A_N

SDT_A_N

Battery 2

Battery 3

Battery 1

PYRO - R

PYRO - N

Fire N Fire R

LCL - R

LCL - N

LCL - 3

LCL - 2

LCL - 1

13 x LCLs

MLC ON/OFF

HPC 1

FCL - R

FCL - N

FCL - 3

FCL - 2

FCL - 1

LCL (78)

S/C users

FCLs (6)

CDMS

CDMU N

PM1 PM2

CDMU N

PM1 PM2

PYRO

TRSP RX _R

TRSP RX _N

S/C users :

- SA

- Propulsion

- MAG Boom

MLC FIRE MLC ARM MLC SELECT

MLC

SOURCE

SELECT

Figure 7.2.4 : VEX PDU block diagram

Issue : 2 Rev. : 0

06/02/2004

7.14

The Venus Express Pyro function is included in the PDU and is fully redundant at both actuation electronics and initiator level. The purpose of this electronics is to provide necessary means to select a particular firing input power source and firing outlet, to fire, monitor and control the pyro outlet current to actual pyro devices. The necessary energy is being taken from the batteries, whereby battery 1 is dedicated to the pyro primary section and battery 2 to the pyro redundant section. The battery 3 is being used as a common spare energy source.

Each nominal and redundant side of the PDU provides 32 Pyro outputs delivering power to the users.

The rule to allocate the 32 Pyro lines to one group or to another is, that two commands cannot be part of the same group if the erroneous sending of one command instead of the other leads to a mission catastrophic action. This allows in particular a safe management of the Propulsion isolation Pyro valves.

The five following groups are defined on Venus Express: q

Group 1 (8 firing circuits) features all Pyro lines dedicated to the Solar Array wings deployment, q

Group 2 (8 firing circuits) features pyro commands for all Pyrotechnic valves used for priming of the Propulsion System, q

Group 3 (9 firing circuits) is dedicated to opening Main Engine inhibition Pyrotechnic valves and

High Pressure Gas Pyrovalves q

Group 4 (3 firing circuits) features the MAG boom deployment command, q

Group 5 (4 firing circuits) is not used.

The activation of selected pyro requires four independent commands :

Battery source select activation

Pyro selection

Pyro arming

Pyro firing

Note that Battery Arm plugs and Pyro Arm plugs are connected just before Flight. Otherwise Safe plugs are used as additional mechanical safety barriers during the ground activities.

The following figure shows the VEX Pyro Electrical chain.

PDU

PYRO - R

PYRO - N ARM1

Issue : 2 Rev. : 0

06/02/2004

7.15

ARM / SAFE PLUG

CB-SKN-PYR

SA Pyro

SELECT x 8

Battery 2

ARM PLUG

CB-SKN-BAT SOURCE

SELECT ARM2

ARM / SAFE PLUG

CB-SKN-PYR

CPS Pyro

SELECT x 8

Battery 3

ARM PLUG

CB-SKN-BAT

ARM3

ARM / SAFE PLUG

CB-SKN-PYR

CPS Pyro

SELECT x 9

Battery 1

ARM PLUG

CB-SKN-BAT

Fire N Fire R

FIRE

ARM4

SELECT x 3

ARM5

SELECT x 4

ARM / SAFE PLUG

CB-SKN-PYR

MAG Pyro

ARM / SAFE PLUG

CB-SKN-PYR

Spare

Issue : 2 Rev. : 0

06/02/2004

7.16

7.4 GROUNDING & EMC

7.4.1 Grounding

The Venus Express selected grounding concept is a Distributed Single Point Grounding (DSPG). The main characteristics of this concept are the following: q all primary power supplies are referenced in a single point, located in the PCU, q primary power supplies are galvanically insulated from secondary ones, q all secondary suppliers are referenced to the unit housing, q the housing of each unit is locally referenced to the structure, q all return currents flow through dedicated lines (wire return policy), q no current shall be intentionally flown through the spacecraft structure.

The spacecraft structure is used as low impedance equipotential ground plane.

The main advantages of DSPG are that it combines the prevention of low frequency interferences provided by Single Point Grounding (SPG) together with the avoidance of high frequency interferences brought by multiple ground systems.

Low frequency emissions are avoided by insulation of the primary power from both the equipment housings and the secondary power supplies (prevention of ground loops).

High frequency interference generated by capacitive coupling with the grounding system is minimized by grounding of the equipment secondary power supplies referenced directly to the structure for each equipment.

Differential balanced interfaces are used as a rule between different units to offer robustness to common mode between units.

Issue : 2 Rev. : 0

06/02/2004

7.17

The following figure shows the VEX Distributed Single Point Grounding diagram

PCU

POWER CONVERTER

MECHANICAL GROUND

PRIMARY 0 V

SECONDARY 0 V

Issue : 2 Rev. : 0

06/02/2004

7.18

7.4.2 EMC

The Venus Express EMC environment is strictly controlled so as to guarantee:

- the S/C auto-compatibility

- the Launcher / Spacecraft compatibility

S/C auto-compatibility:

Radiated and Conducted emissions are limited as much as possible in order to offer margin with respect to the susceptibility limits of the units. This enables to guarantee the good functioning of the units and payloads once mounted on the S/C.

Compared to Mex, no systematic over shielding is applied on the bundles as Venus express S/C does not feature any longer the Vensis payload.

Launcher and Spacecraft compatibility:

Radiated emissions of units powered during launch are limited to offer margin with respect to launcher susceptibility limits.

The Spacecraft susceptibility is limited as much as possible in order to offer margin with respect to the

Launch vehicle emissions.

Issue : 2 Rev. : 0

06/02/2004

8.1

8.1 OVERVIEW

The communications with the Earth can be performed either in S-Band or X-Band in accordance with

ESA Standards.

The RF communication S/S consists of a redundant set of transponders using S-band and X-band for the uplink and the downlink. Depending on the mission phase, the transponder can be routed via RF switches

(RFDU, WIU) to different antennas: q

Two Low Gain Antennas (LGA) allowing an omni-directional reception and hemispherical emission in S-Band. q

One dual band High Gain Antenna (HGA1) allowing high rate TM emission and TC reception in

S-Band and X-Band. q

One single band offset Antenna (HGA2) allowing high rate TM emission and TC reception in X-

Band.

The Dual Band Transponder performs the demodulation of the up-link signal before routing the resulting bit flow to the Data Handling (CDMU).

The stored TM within the SSMM is routed through the CDMU then modulated in either S-Band or X-

Band within the Dual Band Transponder, which also performs S-Band signal amplification with 5 W RF output power.

X-Band signal amplification is performed using a 65 W Travelling Wave Tube Amplifier (TWTA).

LGA1

(front)

P01 P08

RFDU

TRSPD 1

S Bd Feeder

S Bd Feeder

LGA2

(rear)

P01 P05

P07

2

SW-3

1

3

4

1

2

SW-4

3

4

2

1

4

3

SW-1

DIPL1

2

1

4

3

SW-2

DIPL2

P11

X-Band Rx 1

P03 P01

P02

S-Band Tx 1

P10

X-Band Tx 1

P04 Frequency Reference

USO / Internal TCXO

TC to CDMU

TM to CDMU

HGA1

S Bd Feeder

HGA2

X Bd Feeder

X Bd Feeder

WIU

P03

DIPLX

P04

DIPLX

P04

P04

VERA

P08

USO

1

4

2

3 P07

P05

P04

TWTA 1

Attenuator 1

TRSPD 2

3 dB

Hybrid

1

P01

P112 P01 P02 P01

P03 P02

Frequency Reference

USO / Internal TCXO

4

2

3

TWTA 2

Attenuator 2

P04 P01

P02

P112 P01 P02 P01

P03

P11

S-Band Rx 2

X-Band Rx 2

P01

P02

S-Band Tx 2

X-Band Tx 2

Figure 8.1-1 : RF Communications block diagram

TC to CDMU

TM to CDMU

Issue : 2 Rev. : 0

06/02/2004

8.2

Cryo

Face

HGA2

LGA1

Zs

HGA1

Xs

LGA2

Issue : 2 Rev. : 0

06/02/2004

8.3

8.3 TT&C CONFIGURATIONS ACCORDING TO THE MISSION PHASES

In the LEOP phase, communications are done in S-band via the LGAs.

When the LEOP phase is completed (few days after Launch), commun ications are done in X-Band via one HGA. The proper HGA is selected along the mission depending on the planets configuration to avoid sun illumination on the cryo face (-Xs) as illustrated on the following figure.

.

.

.

.

Start

Venus day

HGA2 selected on

Inferior Conjunction side

0.0

E

0.0

0.2

Inferior

Conjunction

.

0.4

0.6

0.8

Start 3

Venus day

-0.4

.

.

.

.

S

1.0

1.2

Superior

Conjunction

1.4

1.6

.

.

Start

Venus day

Figure 8.1.2 : VEX HGA selection along the mission

T he following table sums up the communication strategy along the mission.

Mission Phase

LEOP

Cruise

Payload Commissioning

Routine and Extend

Operations

Earth to SC distance RF Band LGA1 LGA2 HGA1 HGA2

< 0.05 AU (TBC)

< 0.78 AU

S-Band √ √ - -

X-Band √

X-Band √

X-Band √

X-Band

X-Band

-

-

-

-

-

-

0.78 AU<d<1.72 AU X-Band - - √ -

8.4 REDUNDANCY AND FDIR PRINCIPLES

Issue : 2 Rev. : 0

06/02/2004

8.4

During the LEOP phase, the communications are done in S-band via the LGAs. The nominal configuration is the following: LGA1 is routed to TRSP1 and LGA2 is routed to TRSP2. The communication via one LGA is only possible when the Earth direction is within its FOV (

±

95 deg around its boresight) : q

In Sun pointing attitude (rotation around X axis at 0.1 deg/s), the Earth is within the LGA1 FOV during half of the rotation and within the LGA2 FOV in the other half, q

In Earth pointing attitude (HGA2 is Earth pointed), for geometrical reasons (see Figure 8.2-1),

the Earth is within the LGA1 FOV and not in the LGA2 one. So communications are recommended via LGA1.

Uplin k

Th e telecomand is received in cold redundancy most of the time because only one LGA is visible from th e ground station (see above), even if both S-band receivers are ON.

Downlink

Th e telemetry is transmitted in cold redundancy: only one transponder emitter is ON at the same time. It must be routed to the antenna that is in visibility from the ground.

In addition, it is not possible to transmit simultaneously via both LGAs because they have the same polarisation.

After completion of the LEOP phase, communications are done in X-band via the selected HGA.

Communications in X-band are possible only when the Spacecraft is accurately Earth pointed.

Uplink

The X-band telecomand is received in cold redundancy because there is no coupler between the antennas and the X band receivers, even if both X-band receivers are ON.

Remark : a redundant path might be possible in S-band, but the Cebreros ground Station which is baselined for VEX operations has only X-Band capability, that means that a backup in S-band would require the use of another ground station. In addition, uplink via LGAs would require the use of the DSN

Network for long distances. Refer to link budgets for details.

Downlink

The telemetry is transmitted in cold redundancy : one X-TX emitter feeding one TWT amplifier feeding the selected HGA.

Issue : 2 Rev. : 0

06/02/2004

8.5

As explained in the previous sections, the Uplink and the Downlink operate in a cold redundancy scheme.

Due to the criticality of the uplink (unrecoverable TC loss means loss of the mission), an on-board TC link monitoring application is implemented in view of detecting failures that prevent the reception of ground TC. In case no TC has been received during a time period, an automatic reconfiguration is executed to reco ver the TC link.

No on-board monitoring on the TM link is implemented since the loss of the TM does not endanger the spa cecraft integrity. In case of TM loss detected at ground level, the recovery actions are under ground control.

Issue : 2 Rev. : 0

06/02/2004

8.6

The communication from the ground station(s) to the spacecraft is performed in S-Band or X-Band.

Uplink Frequencies

The frequencies for the uplinks are: q

2114.335648 MHZ (DSN 17) for S–Band, q

7165.780092 MHZ (DSN 17) for X–Band.

Ranging signal

F or ESA ground stations, the ranging signal is in accordance with the ESA Ranging standard.

For the NASA DSN ground stations, the ranging signal is in accordance with the DSN handbook.

Modulation

The RF uplink signal, which is modulated as NRZ/PSK/PM on a 16 KHz sinusoidal subcarrier, is routed towards a diplexer, performing frequency discrimination, and then to the Dual Band Transponder input.

The transponder performs carrier acquisition and demodulation, and transmits the extracted signal to the

Data Handling for further processing.

TC bit rates

The following telecommand bit rates are handled by the Venus Express Spacecraft, as provided by the

CDMU design : 7.8125 bps, 15.625 bps, 250 bps, 1000 bps and 2000 bps.

As a baseline, the lowest bit rates will be used in case of emergency while the highest ones will be used operationally.

Issue : 2 Rev. : 0

06/02/2004

8.7

8.6 DOWNLINK

A high data downlink capability is required, considering the large data volume generated by the in struments. Nevertheless, the large spacecraft to Earth distance limits the downlink capacity.

The downlink of the te lemetry data to the ground stations can be performed in either S-band or X-Band.

Down l ink Frequencies

The freq uencies for the downlink are: q

2296.111111 MHZ (DSN 17) for S–Band, q

8419.074073 MHZ (DSN 17) for X–Band.

Modulation

T he telemetry is transmitted to the Dual Band Transponder as PCM/PSK/PM on a square wave subcarrier for transmitted information rates as high as 22.853 Kbps. Two subcarrier frequencies are used :

8.192 kHz fo r low bit rates and 262.144 kKhz for high bit rates.

For information rate equal or greater than 28.566 Kbps, the PCM/SP-L is directly modulated on the carrier.

This signal is phase-modulated in either S Band or X Band by the Dual Band Transponder.

T he ranging signal in the ranging channel of the transponder directly phase modulates the carrier. When simultaneous ranging and telemetry is performed, the two signals are added prior to phase modulation of the downlink c arrier.

TM bit rates

The information bit rate can vary from about 9 bps as a minimum and can be up to about 228 kbps

(CDMU limitation).

As a baseline, the lowest bit rates will be used in case of emergency whilst the highest ones will be used operationally.

Coding

The telemetry is Reed Solomon coded before being the subject of a convolutional encoding.

Issue : 2 Rev. : 0

06/02/2004

8.8

8.7 RADIO SCIENCE OPERATIONS

The Venus Express spacecraft host a radio science experiment, so-called VeRa (Venus Radio science assembly).

This experiment consists in the TT&C subsystem whose stability performances are enhanced by the

introduction of an Ultra Stable Oscillator (USO), as illustrated in Figure 8.1-1.

The science investigations use the Radio Links between the spacecraft and the Earth in emitting simultaneously not modul ated carriers in X-band and S-band from the S-TX and X-TX of the same transponder via the High Gain Antenn a HGA1.

The Radio Links can operate in two modes : q the One-way mode (no uplink is involved) : the stability of the downlink carrier frequencies is provided by the USO, q

The Two-way mode : the downlink carrier frequencies are coherent with the uplink whose freque ncy stability is provided by hydrogen masers.

Issue : 2 Rev. : 0

06/02/2004

8.9

Radio Frequency Compatibility (RFC) is ensured by tight control of potential noise sources emissions and accurate knowledge of receivers susceptibility thresholds. Coupling factors between antennas are determined and controlled at System level. Compatibility is verified by test between all RF sensitive receivers and all RF power transmitters to prove non-couplings into the indi vidual antennas (autocomp

RF test).

Coupl ing

Factor

RF

Transmitter

Transmitter

Output Spectrum

Cable

Filters etc.

Cable

Filters etc.

RF

Receiver

Receiver

Susceptibility Threshold

Issue : 2 Rev. : 0

06/02/2004

8.10

Issue : 2 Rev. : 0

Date : 06/02/2004

9.1

9. DATA HANDLING ARCHITECTURE

The Data Management System (DMS) is in charge of : q telecommand distribution to the whole spacecraft, q telemetry data collection from the whole spacecraft and data storage, q overall supervision of spacecraft and payload functions and health. q

Timing functions including distribution of time and synchronisation information

The DMS is based on a dual processor architecture embedding standard communication links such as a standard OBDH bus and high rate IEEE 1355 serial data links. q

The OBDH bus is the data route for data acquisition of platform units and payloads with a low data rate and for commands distribution via the RTU. q

IEEE 1355 links are used between the CDMU processor and the SSMM, the CDMU processor and the AIU and between the payloads with high data rate (VIRTIS, VMC) and the SSMM.

DMS includes 4 identical Processor Modules (PM) located in 2 CDMUs. Two processor modules are dedicated to the DMS, and two to the AOCMS. q

The PM selected for the DMS function is in charge of the Platform subsystems management

(Communications, Power, Thermal). q

The PM selected as the AOCS computer is in charge of acquisition and control of all sensors

(SAS, STR, IMP), actuators (wheels, main engine, thrusters) and Solar Array Drive

Electronics (SADE) through the AOCMS Interface Unit (AIU).

Each CDMU includes a TC-decoder for the telecommands decoding and the direct high power commands generation and a Transfer Frame Generator (TFG) for the telemetry generation incorporating TM packets from the CDMU itself and from the SSMM.

The Solid State Mass Memory (SSMM) is used for data storage including 12 Gbits of memory at

BOL. It is coupled to the two DMS processors, the TFG, the VIRTIS and VMC instruments. It stores science and global housekeeping telemetry packets.

Issue : 2 Rev. : 0

Date : 06/02/2004

9.2

9.1 OVERVIEW

The Data Handling architecture is organised around the two Control and Data Management Units

(CDMU). They are in charge of controlling ground command reception and execution, on-board housekeeping and science data telemetry storage and formatting them for transmission. The on-board data management, control laws processing and execution of on-board control procedures belongs to their tasks as well. Each CDMU features two MA3-1750 Processor Modules, each of them processing either Data Management or AOCS software. A built-in failure operational

Reconfiguration Module ensures system level FDIR and reconfigures the CDMU as necessary.

Three other units are part of the DMS architecture :

The RTU connected to the redundant OBDH bus. It is the interface between the DMS processor module and the platform units and the payloads. The RTU is internally redunded and contains 6 modules : 2 redundant core units in charge of processing the interrogations sent by the DMS PM on the OBDH bus; 2 I/O boards interfacing with the users; 2 power supplies delivering the secondary voltages to the cores and I/O modules.

The AOCS Interface Unit (AIU) is dedicated to AOCS equipment. It is the interface between the AOCMS processor module and the sensors, the actuators and the solar array drive electronics. The AIU is internally redunded and contains 6 modules : 2 interface modules interfacing with the AOCMS processor modules and the IMPs and controlling the generation of internal HPCs and the AIU internal bus; 2 TMTC boards which generates the commands to the thrusters and main engine, acquires the internal (secondary voltages) and external

(AOCMS units) telemetry and implements the interface with the reaction wheels assembly.

The SSMM is a file organised 12 Gbits BOL mass memory used to store the Housekeeping and the Science Data collected by the CDMU. It also collects directly Science Data from

VIRTIS and VMC. The SSMM contains : three 4 Gbit memory modules; two redundant controller paths controlling the interfaces with the CDMU processor modules, the Transfer

Frame Generators, the payloads with high data rate (VIRTIS, VMC) and the Memory

Modules, each of them being connected to a power supply from which it receives the necessary voltages.

Issue : 2 Rev. : 0

Date : 06/02/2004

9.3

TRSP1 TRSP2

SSMM

1355

CDMU1 CDMU2

OBDH

RTU

1355

AIU

AOCS

P/Ls TT&C TCS EPS

Figure 9.1-1 : Data Handling Block diagram

Issue : 2 Rev. : 0

Date : 06/02/2004

9.4

9.2 CDMU

The core of the Data Handling function is implemented in the two externally redundant Control and

Data Management Units (CDMU). Each CDMU features :

• two Processor Modules, one dedicated to AOCMS software execution, the other one to Data

Handling software execution. The Processor Module design is based on a flexible 16-bit

MA3-1750 microprocessor, with 1Mword of associated RAM and 512 Kwords of EEPROM.

Two reconfiguration modules, each one containing an accurate clock function (stability better than 3 10

-7

/day) and a watch-dog function which, when it triggers, sends a reconfiguration request to the High Power Command Module.

One High Power Command Module (HPCM) containing : o

A decoder which processes the telecommands transmitted by the transponders, can generate 64 High Power Commands (CPDU commands) and transmits the TC segment to the DMS PM. o

A reconfiguration function which executes an autonomous reconfiguration of the

CDMU when it receives at minimum 2 among the 4 reconfiguration requests generated by the 4 reconfiguration modules. o

A Transfer Frame Generator (TFG) which contains 3 virtual channels (VC0 for real time telemetry, VC1 for telemetry memorised in the SSMM and VC7 for the idle frames). It provides the possibility to select the convolutional coding and/or the

Reed-Solomon coding. The PM DMS delivers the subcarrier clock and the bitrate clock which can vary from 8 bps to 250kbps (depending on the Venus-to-Earth distance, on the selected frequency band and on the spacecraft mode).

One Centralised Memory Module containing : o

A PROM cassette including 512 Kwords of PROM accessible by the 4 PMs and containing the default DMS and AOCMS softwares. o

A SGM containing 64 Kwords of RAM and 64 Kwords of EEPROM

Two power supplies, one powering one processor module and one reconfiguration module and the other powering the remaining parts of the CDMU.

Issue : 2 Rev. : 0

Date : 06/02/2004

9.5

AIU,SSMM

EGSE, PMs

2 RMs

(redundant

CDMU)

Alarms

(UVD Battery, TBD)

CDMU

4 RMs

4

PM Alive signals

2 PMs

4 PMs

(redundant

CDMU)

4

PM

Alive signals

Processor

Module

SW source unloading

Context management

Reconfiguration

Communication link

(& clocks)

Module

C om m un ic at io n li nk

CK signals

4 PMs

CK signals

Subset of commands generation request

HPCMs 4 RMs

Reconfiguration request

Processor

Module

Communication link

Reconfiguration

(& clocks)

Module

4

PM Alive signals

4 RMs

4

2 PMs

(redundant

CDMU)

4 PMs

PM

Alive signals

Centralised memory module

512 Kw PROM

SGM : 64 Kw RAM + 64 Kw EEPROM

High Power Command Module

High Power Commands

Generator

CPDU I/F

Decoder

2 PMs

TC segment transfer

Virtual Channel parameters and bitrate loading

Transfer Frames Generator

2 PMs

TM packet transfer

4

Serial

links

AIU,SSMM

EGSE, PMs

2 RMs

(redundant

CDMU)

Alarms

(UVD Battery, TBD)

2 PMs

(redundant

CDMU)

SSMM branch A

SSMM

branch B

64 HPCs :

some internally routed others routed to other equipments

Transponders receivers

EGSE

2 PMs

(redundant

CDMU)

Transponder emitters

(1, 2, 3 and 4)

Figure 9.2-1 : CDMU block diagram

Issue : 2 Rev. : 0

Date : 06/02/2004

9.6

CDMU Memory Policy

Each Processor Module is baselined with the three following memory types : q

Start-Up Programmable Read Only Memory (PROM), q

Electrically Erasable Programmable Read Only Memory (EEPROM), q

Random Access Memory (RAM).

The Start Up PROM contains the Firmware and monitor software, and also the RAM and EEPROM test software. It consists in 32 K of 24 bit words. The Start up PROM is enabled after Processor

Module reset, initialisation and Built-In Test (BIT). When Start Up is completed, the Start Up

PROM is disabled with a dedicated CPU internal XIO.

The RAM contains the software to be run in the Processor Module (DMS or AOCS) and all associated data. It is loaded from the EEPROM (or from the non-volatile PROM in case of

EEPROM failure) by the Firmware, according to the status defined for the Processor Module. The

Basic RAM area consists of eight 128 kword banks and each word is 24 bits wide to provide protection by an EDAC. The proposed memory circuit is the TEMIC M65608 128 K x 8 bit CMOS

SRAM manufactured in the their high performance CMOS technology named SCMOS.

The Start Up PROM and the RAM memory are protected by an EDAC. The EDAC is a flow-through type EDAC with one 24 bit memory port and two 16 bit CPU ports.

The EEPROM is used to store DMS or AOCS software so that they can be readily accessible to the

Processor Module during Start Up. The in-flight programmable capability allow to introduce software modifications and patches in the EEPROM. In this way, the most up-to-date software version will be taken into account during the Start Up sequence. The EEPROM area consists of four

128 kword banks and is connected to the internal parallel bus through buffers. The memory circuit is the HMP MEM8129 128 K x 8 bit 5V EEPROM.

The Non-Volatile Memory contains an uncorrupted copy of the initial DMS and AOCS software, which it is not possible to erase or modify. These software will be loaded during Start Up sequence if it turns out that EEPROM stored software are not correct. The Non-Volatile Memory is physically located in a cassette which is attached to the top of the CDMU. This approach enables easy PROM content updates on ground, since the complete module is exchanged without opening the CDMU.

The PROM’s can be replaced by EEPROM’s for on ground use.

The Safeguard Memory is permanently on and contains the nominal context, i.e. the data necessary for the Processor Modules to restart automatically in the same mode as they were before the reconfiguration, and the Safe Mode context, which is the data necessary for the processor modules to restart in Safe Mode. The Safeguard Memory is comprised of the following :

Issue : 2 Rev. : 0

Date : 06/02/2004

9.7

q

SGM RAM, in which the nominal context is stored, and featuring 64 kwords as implemented using two HX 6228 128kxs SEU immune SRAMs, q

SGM EEPROM, in which the Safe Mode context is stored, and featuring 64 kwords as implemented using two MEM8129 EEPROMs.

CDMU

POINT

REGISTER

PROM

PREDEFINED

RECONFIGURATION

OF: DMS

PROCESSOR

MODULE,

CDMU I/O

AND CLOCK

INTERNAL

HPC

SGM

EEPROM

LAST MTL

RESTART POINT

AND

EPHEMERIDS /

COARSE TIME

FOR TM RECOVERY

AND

FORBIDEN RECONF.

EXTERNAL

HPC

PROM

DEFAULT SW

FOR DMS

AND AOCS

RAM

LAST OBCP

RESTART POINT

AND

AOCS CONTEXT

SAVEGUARD

FOR CURRENT

MODE

CONTINUATION

EPHEMERIDS

PARAMETERS

UPDATE

BY GROUND

ON DMS

CONTROL

ON BOARD

TIME COPY

ABOUT

ONCE PER

DAY ON DMS

CONTROL

GROUND

PM1 "DMS"

EEPROM

MTL

DMS

AOCS

PATCHS

& SW

DMS

SW

INIT

(IN CASE

EEPROM

NOT VALID)

AOCS

SW

INIT

(IN CASE

EEPROM

NOT VALID)

1 Hz

ON

DMS

CONTROL

PM3 "AOCS "

EEPROM

MTL

DMS

AOCS

PATCHS

& SW

GROUND

DMS

SW

IMT

MA

31750

MAT 9826 B

RAM

CURRENT

DMS

SW

BOOT

PROM

RAM

CURRENT

AOCS

SW

MA

31750

BOOT

PROM

Figure 9.2-2: Control and Data Management Unit General Memory Map

The general memory map of the CDMU allows to cope with erroneous software updates from ground in the Processor Modules EEPROMs. In this case, the Start Up sequence loads in the

Processor Modules memories an uncorrupted copy of the initial Data Handling and AOCS software.

Issue : 2 Rev. : 0

Date : 06/02/2004

9.8

9.3 INTERFACE UNITS

Interface Unit concept consists in grouping all interface functions with non-standard equipment into dedicated units.

The Remote Terminal Unit (RTU) is in charge of the interface with Instruments and non-AOCS

Platform equipment through TTC-B-01 standard links. The following types of interface are implemented within the RTU : q

Analog acquisitions (equipment secondary voltages …) q

Serial 16 bits digital acquisitions (payloads, transponders, power subsystem …) q

Bi-level digital acquisitions q

Relay status acquisitions q

Thermistor value acquisitions (thermal subsystem, …) q

High power ON/OFF commands q

Extended high power commands (RF switches) q

Memory load commands (payloads, transponders, power subsystem …) q

Timer synchronisation pulses (STR, SSMM …)

The AOCS Interface Unit (AIU) is dedicated to all AOCS equipment interface It acquires signals from the AOCS sensors and generates actuator commands according to the control law outputs as provided by the Processor module. The following interfaces are implemented within the AIU: q

Reaction Wheels command, tacho signal acquisition and analogue monitoring signals acquisition, q

Star Tracker configuration / programming command and data acquisition, q

Inertial Measurement Unit data acquisition and power switching, q

Sun Sensors current acquisition, q

Thrusters and Main Engine command, and current and temperature acquisition, q

Latch Valves command and status acquisition, q

Pressure Transducers power supply and signal acquisition,

Communication between the PM DMS and the RTU is ensured by means of a standard OBDH Data

Bus and the communication between the PM AOCMS and the AIU is ensured by means of IEEE

1355 links.

OBDH

28 V

RTU

OBDH

Bus

Interface

DC/DC converter

IUB

PIB

Command

and Control

Interface

Issue : 2 Rev. : 0

Date : 06/02/2004

9.9

Analog acquisitions

Serial digital acquisitions

Bi-level acquisitions

Relay status acquisitions

Temperature acquisitions

High Power commands

Memory load commands

Synchronisation pulses

Figure 9.3-1 : RTU Block diagram

IEEE 1355 link

AIU

IEEE

1355

Interface

IUB

TMTC

Module

28 V

DC/DC converter

PIB

Star Trackers

Inertial Measurement Units

Sun sensors

Reaction Wheel Assembly

Solar Array Drive Assembly

Propulsion module

Figure 9.3-2 : AIU Block diagram

Issue : 2 Rev. : 0

Date : 06/02/2004

9.10

9.4 SOLID STATE MASS MEMORY

The SSMM features the following functions :

Three 4 Gbits Memory Modules (MM), providing 12 Gbits user capacity. In case of failure of one complete memory module, the remaining capacity is 8 Gbits.

Two redundant controller paths, each path providing : o

One Memory System Supervisor (MSS) which performs the overall SSMM control and monitoring tasks o

One PM Interface Controller (PIC) which provide two bi-directional IEEE1355 interface to the DMS processor modules from which it receives the packets

(housekeeping and science) and to which it sends the events and the housekeeping data and some requested packets (MTL content, dump …) o

One User Interface Controller (UIC) which provides two bi-directional IEEE1355 interfaces to the payloads with high data rate (VIRTIS, VMC), two interfaces with the Transfer Frame Generators (TFG) of the CDMU and the interfaces with the memory modules o

One File and Packet controller which controls and manages the access to the

Memory Modules and performs the file management functions o

One Input/output Communication Switching Matrix (CSM) o

One DC/DC converter which provides the necessary voltages to the SSMM internal electronics. The controller board is powered in conjunction with the power converter. The Memory Modules are switched on by command under control of the

MSS.

Issue : 2 Rev. : 0

Date : 06/02/2004

9.11

PDU (N)

RTU (N)

CDMS

(CDMU 1)

PM2

PM3

VIRTIS

VMC

Main Power (N)

HPC ON & HPC OFF(N)

Relay Status (N)

Temperature (N)

Sec. Voltages (N)

HFC (N)

TSY (N)

PM-DMS A (N)

PM-DMS B (N)

DC/DC

Converter

DCC A

Nominal

Controller & Converter

IEEE1355

PM Interface

Controller

PIC A

TFG1 (N)

TFG2 (N)

IEEE1355

Use

Interface

Controller

UIC A

Memory System

Parallel Port

Communication

Switching

Matrix

CSM A

Supervisor

MSS A

Fileand

Packet

Controller

FPC A

DC/DC

Converter

DCC B

Redundant

Controller & Converter

Memory System

Supervisor

MSS B

Main Power (R)

HPC ON & HPC OFF (R)

Relay Status (R)

Temperature (R)

Sec. Voltages (R)

HFC (R)

TSY (R)

PM-DMS A (R)

PM-DMS B (R)

IEEE1355

PM Interface

Controller

PIC A

Fileand

Packet

Controller

FPC B

Parallel Port

Communication

Switching

Matrix

CSM B

Use

Interface

Controller

UIC B

PDU (R)

RTU (R)

CDMS

(CDMU 2)

PM2

PM3

VIRTIS

VMC

Control &

Data I/F A

Control &

Data I/F B

Module Control

Memory partition 3

Memory partition 2

Memory partition 1

Memory partition 0

Latch Up Switch

SDRAM 1

User

Data

SDRAM 16

SDRAM 17

SDRAM 18

ECC

Memory Module 0

Control &

Data I/F A

Control &

Data I/F B

Module Control

Memory partition 3

Memory partition 2

Memory partition 1

Memory partition 0

Latch Up Switch

SDRAM 1

User

Data

SDRAM 16

SDRAM 17

SDRAM 18

ECC

Memory Module 1

Control &

Data I/F A

Control &

Data I/F B

Module Control

Memory partition 3

Memory partition 2

Memory partition 1

Memory partition 0

Latch Up Switch

SDRAM 1

User

Data

SDRAM 16

SDRAM 17

SDRAM 18

ECC

Memory Module 2

Figure 9.4-1: Solid State Mass Memory Block Diagram

Issue : 2 Rev. : 0

Date : 06/02/2004

9.12

10 SOFTWARE ARCHITECTURE

06/02/2004

10.1

The purpose of this chapter is to describe the overall Venus Express on-board software which, as shown below, is composed of several software running on processors located on different hardware units.

This chapter mainly focuses on the interfaces between these software, rather than the description of each individual software. Such a description is found in the global description of their hosting hardware as shown below.

Software Overview see VUM Volume 2

Section 1, Chapter 4

Detailed description see VUM

Volume 4, Section 7 DMS application and common software

Firmware

SSMM software

AOCS application

STR

IMP

Transponder

Payloads

Section 1, Chapter 1

Section 1, Chapter 3

Section 5, Chapter 7

Section 5, Chapter 7

Section 5, Chapter 7

None

None

Volume 7, Section 3

Volume 4, Section 2

Volume 4, Section 8

Volume 4, Section 5

Volume 4, Section 5

Volume 4, Section 4

Volume 4, Section 6

06/02/2004

10.2

10.1 SOFTWARE COMPONENTS AND ASSOCIATED FUNCTIONS

The Venus Express on-board software manages the payload and the platform. It is composed of several software running on different processors.

The Venus Express software (SW) is made of the DMS SW and the AOCMS SW, together with the

CDMU SW (Firmware), the SSMM SW, the STR SW, the gyros SW, the Transponder SW and the different Payload SW. These software components are located on different hardware units and contribute to fulfil different parts of Venus Express mission.

The

DMS SW

runs on a dedicated Processor Module (PM) located on one of the two Control &

Data Management Units (CDMU). It is made of the Common software and the DMS application software. The Common software contains the PM HW interface manager, the basic SW services, the generic services and the OBCP manager. The DMS application software performs the mission management and the DMS functions management.

The

AOCMS SW

runs on another CDMU PM. It is composed of the Common software (quite the same Common SW as for the DMS SW) and the AOCMS application software. The AOCMS application software performs the AOCMS modes and algorithms management and the AOCMS sub-systems management.

Both DMS SW and AOCMS SW are loaded in the PM RAM and started-up by the PM Firmware presented hereafter. The DMS SW runs on a dedicated PM and the AOCMS SW runs on another PM belonging to anyone of the two CDMU. The two remaining PM are spares, which only contain

Firmware and are ready to be configured as DMS or AOCMS PM, in case of failure.

Each one of the two CDMU owns two PM and each PM has a software in PROM, called the

PM

Firmware

. The PM Firmware is automatically activated when the CDMU is powered on. It initialises the PM and performs PM health status verifications, software loading, and minimum communication handling with a test console, an EGSE and another PM.

The

SSMM SW

running on its own processor, is designed to operate the SSMM and includes two main tasks, the Start-up & Initialisation task and the Operational task.

The

STR SW

run on its own processor at unit level under the control of the AOCMS SW. It is in charge of the Star Tracker (STR) management, and provides three-axis autonomous attitude determination to the AOCMS SW.

The

gyros SW

runs on a processor at unit level, and provides angles and velocities to the AOCMS

SW. It performs the gyros management under the control of the AOCMS SW.

The

Transponder SW

runs on a processor at unit level. It interfaces with the DMS SW by means of

TM and TC only.

Several autonomous software are running in stand-alone payload instruments under the control of the

DMS SW.

Control & Data

Management

Transponder

TC

TM

IEEE-1355

Standard Link

Solid State

Mass

Memory

CPDU

Commands

OBDH Data Bus

06/02/2004

10.3

Payloa ds

Serial lines

+ 28 V Regulated

Protected Lines

Remote

Terminal

Unit

PDU

Solar Array

Drive

Mechanism

Main Engine

(400 N)

Reaction

Wheels Drive

Electronics

Acceleros

Figure 10.1-1: Venus Express on-board software location

Sun

Acquisition

Sensor

06/02/2004

10.4

10.2 SOFTWARE INTERFACES

Interface with the host processor is through the low level layers of the software (e.g. PM HW interface manager of the Kernel layer for the DMS SW and the AOCMS SW). To communicate with the external world (ground, external hardware equipment, other software) the Venus Express onboard software components use OBDH data bus and IEEE-1355 links.

External interfaces

All the ground telecommands are received by the DMS SW through the Packet TC decoder. The

DMS SW sends housekeeping telemetry and low rate scientific data to the Transfer Frame Generator

(TFG), for transmission to the ground.

Payload instruments have their own autonomous software located in the instruments electronic units.

The command and control of the payloads is performed by a dedicated function of the DMS SW which sends commands to the instruments and receives monitoring information and low rate scientific data from them.

Another dedicated function of the DMS SW sends commands to the Platform equipment and receives their monitoring information.

The AOCMS SW ensures the same function for the AOCMS equipment (e.g. sensors and actuators) to which it sends commands and from which it receives monitoring information.

The DMS SW interfaces with the Safeguard Memory (SGM) for the emission and reception of software contexts and patches, and provides SGM access to AOCMS SW through a dedicated

TM/TC interface.

The SSMM SW receives data from the DMS SW and directly from some payload instruments (high rate science data) and participates to the execution of file transfer requests by sending data files to the Transfer Frame Generator (TFG).

06/02/2004

10.5

TC DEC

TC

SW contexts

SGM

AOCS

EQUIPMENTS

Sub-system

Command & Monitoring

P/F

Sub-system Command

& Monitoring

SW contexts

HK TM & Low Rate

Scientific Data

TFG

P/L

Data Files

Sub-system Command,

Monitoring & Low Rate

Scientific Data

High Rate

Scientific Data

DMS SW

SSMM SW STR SW

AOCS

SW

GYROS SW

Figure 10.2-1: Venus Express on-board software external interfaces

06/02/2004

10.6

Internal interfaces

The main components of Venus Express on-board software have software interfaces between them, through OBDH and IEEE-1355 serial links.

The DMS SW sends File Management, patch and dump requests to the SSMM SW. The SSMM SW sends files information, memory dumps, and SSMM health status to the DMS SW.

The DMS SW sends Time Line, OBCP handling, patch, dump, configuration and reconfiguration orders to the AOCMS SW. The AOCMS SW sends acknowledges, dumps, monitoring and FDIR information to the DMS SW.

The AOCMS SW sends mode, configuration, patch and dump orders to the STR SW. The STR SW sends 3-axis attitude, STR health status and dump information to the AOCMS SW.

The AOCMS SW sends configuration orders to the gyros SW. The gyros SW sends health status, angles and velocities information to the AOCMS SW.

The SSMM resource is shared by the DMS/AOCMS component and the Payload instruments.

Simultaneous data handling (concurrent downlink, store or routing) are directly managed at SSMM unit level.

TC (Time Line, Mode, Config, Reconf,

OBCP, Patch and Dump Orders)

TC (File

Management,

SSMM Patch and Dump

Requests)

Events log,

Files

TM (SSMM

Dump,

Files Info,

Health

Status)

Files

TM (Acknowledge, Dump,

Monitoring Info, FDIR Info)

TC Equipment

(Config, Mode,

Patch and Dump)

TC Equipment

(Config)

TM Equipment

(3-Axis Attitude,

Health Status,

Dump)

TM Equipment

(Angles,

Velocities

Status)

Figure 10.2-2: Venus Express on-board software internal interfaces

06/02/2004

10.7

10.3 PROCESSOR MODULE FIRMWARE

Each Processor Module comprises a software stored in PROM, called PM Firmware, designed to perform PM initialisation, PM health status verifications, software loading, minimum communication handling with a test console (for PM hardware development and maintenance), with an EGSE and with the DMS PM.

The PM Firmware is automatically activated when the CDMU board is powered on. The PM

Firmware provides the following functions: q

Initialisation of the PM and acquisition of the hardware configuration of the PM (DMS,

AOCMS or spare, automatic software patches enabled or not). q

Complete auto-tests of the PM and its interfaces (IEEE-1355, OBDH BC and RT), activated when the CDMU board is powered on, including a destructive test for the complete RAM contents. q

Selective auto-tests of the PM and its interfaces, possibly called during nominal software operation (DMS or AOCMS), to analyse a PM dysfunction during the « Isolation » part of a

PM FDIR. q

Software loader able to fetch software from the CDMU PROM or EEPROM, possibly from the SSMM through IEEE-1355, from the EGSE through IEEE-1355, or from a debugger or test console through RS232. After having checked the loaded software integrity

(checksums), it is able to start the loaded software automatically. q

Minimal TM-TC to execute requests sent by the current DMS PM via IEEE-1355 or OBDH: auto-tests, housekeeping, health status telemetry, RAM and EEPROM patch and dump, and other critical autonomous functions. q

PROM monitor able to support software debug and hardware investigations. The PROM monitor can execute basic instructions sent through the RS232 by the test console, such as

Load Software, Set Break Point, Set Memory or Register, Examine Break Point, Examine

Memory or Register, Start, Stop. This PROM monitor, connected to a simple console or to a

TLD debugger, is useful for PM prototype validation, AIV, thermal tests campaigns and launch campaign (if EGSE link is not available) and PM boards maintenance.

All the anomalies detected by the PM Firmware are logged into a synthetic table in RAM (health status). Detection of anomalies does not prevent from starting the loaded software, except if all the software loading attempts failed. The active software (DMS SW or AOCMS SW) will be in charge of checking the health status and conduct appropriate PM FDIR if necessary.

BOOT-UP

INIT

PM INIT

SW START

06/02/2004

10.8

LOADER

SSMM

EGSE/SVF

TEST CONSOLE

TESTER

PM

MEMORY

IEEE-1355

OBDH

SERVICES

I/O

TM/TC

HW interfaces

DELAYS

Figure 10.3-1: PM Firmware architecture

06/02/2004

10.9

10.4 DMS AND AOCS SOFTWARE

Both the DMS and AOCS software are composed of the so-called Common SW, common to DMS and AOCS, and an applicative part, called the DMS application SW and the AOCMS application

SW.

10.4.1 DMS and AOCMS SW layered breakdown

Both the DMS and AOCMS SW are organised in layers (Figure 10.4-1 and Figure 10.4-2) :

q

The

Kernel software layer

providing hardware interfaces and basic software services. q

The

General Services software layer

providing TC services, TM services, Generic

Services, equipment management and processing, OBCP execution and control services. q

The

Sub-System software layer

providing SSMM management, Platform management

(Thermal Control function, RF Communications function, Pyrotechnics), Payload management, AOCMS management and remote PM management on the DMS PM. This software layer provides Sensors and Actuators management and SADM management on the

AOCMS PM. q

The

System software layer

providing Mission Time Line management and System

Autonomy and FDIR management on the DMS PM, and providing AOCMS Algorithms and

Modes management, and AOCMS Autonomy and FDIR management on the AOCMS PM.

06/02/2004

10.10

DMS

PROCESSOR MODULE

System SW layer

Mission Time-Line

Management

Autonomy & FDIR

Management

Sub-System SW layer

SSMM

Management

Platform

Management

Payload

Management

AOCS

Management

Remote PM

Management

General services

SW layer

TM/TC services

Generic services

Kernel SW layer

Bootstrap &

Initialisation

Serial Line

IEEE-1355

Basic SW services

IEEE-1355

DMS Equipments

Management & Processing

(equipments drivers)

BC OBDH

HW Interfaces

OBCP

Management

Common SW

OBDH Data Bus

MAT 10834

System SW layer

Figure 10.4-1: DMS Software Layered Breakdown

AOCS

PROCESSOR MODULE

AOCS Modes & Algorithms Mgt AOCS Autonomy & FDIR Mgt

Sub-System SW layer

STR Mgt Sensors Mgt

General services

Sw layer

TM/TC services

Generic services

Kernel SW layer

Bootstrap &

Initialisation

Serial Line

IEEE-1355

Basic SW services

IEEE-1355

Actuators Mgt SADM Mgt

AOCS

Equipments Mgt

& Processing

(equipments drivers)

HW Interfaces

OBCPs

Mgt

RT OBDH

Common SW

OBDH Data Bus

MAT 10835

Figure 10.4-2: AOCMS SW Layered Breakdown

06/02/2004

10.11

10.4.2 Common DMS/AOCS SOFTWARE

The DMS SW and the AOCMS SW, running on identical processors, share a set of general services called the Common SW. The Common SW gathers the Kernel SW and the Generic Services. q

The Kernel SW is a set of general services supporting the applicative part of the DMS SW and the AOCMS SW. It constitutes the lowest layer of these two software. The Kernel SW directly interfaces with the hardware of the hosting processor, and provides basic software mechanisms to hide the details of implementation to the high level layers. q

The Generic Services gather the software components in charge of providing general services (mainly the services described in the "Generic TM/TC ICD" and the "DMS TM/TC

ICD", see Volume 7) to higher level applications.

06/02/2004

10.12

10.4.3 DMS Application Software

The DMS application SW mainly performs the Mission Time Line (MTL) management, the system

Autonomy management and the system FDIR management. It also manages directly or through the

AOCMS PM, all the equipment and functions necessary to fulfil the spacecraft mission objectives.

The DMS application SW relies on the services provided by the Common SW (Kernel SW, Generic services, OBCP manager). It includes the following functions. q

The SSMM management

: a DMS SW dedicated function acquires SSMM data, stores them in the datapool and monitors them in order to elaborate the SSMM health status. q

The Platform management

which administrates, commands and allocates all the platform bus resources with the exception of the AOCMS (Thermal Control System, Power Control

System, RF Control System, Pyrotechnics). The platform bus is composed of non-packetised end-users. So, the DMS SW dedicated function, which ensures the platform management has to decode TC packets and to route the orders to the platform bus end-user as discrete commands. Inversely, unpacketised TM data from platform bus functions are acquired by the DMS SW on IEEE-1355 link. Parameters are updated in the datapool, monitored to elaborate platform bus health statuses and telemetry data are packetised for downlink to the ground. q

The Payload management

. All the payload instruments are packetised end-users, i.e. they are intelligent units providing useful information in telemetry packets, and obeying to telecommand packets. The DMS SW dedicated function, which insures the payload management elaborates and sends TC packets to the payloads. It receives TM packets coming from the payloads, updates datapool parameters according to packets content.

Payloads monitoring is performed using Service 12 or by specific OBCP (to be developed by

PIs). q

The AOCMS management

provides the DMS SW with the knowledge of the AOCMS current configuration and state. q

The remote (or Service Mode) PM management

provides the DMS SW with the knowledge of the remote PM state. q

The Mission management

which sequences the nominal and contingency mission phases and interfaces with the ground control for units observability and commandability. q

the FDIR management

. Based on a hierarchical approach, the FDIR is handled at two levels by the DMS SW: at DMS sub-system level with the monitoring of equipment health statuses and the management of local reconfigurations, and at system level with the monitoring of the current functions to be fulfilled and the management of functional modes reconfigurations.

06/02/2004

10.13

10.4.4 AOCMS Application Software

The AOCMS application SW manages the AOCMS modes according to a mission dependent modes transition logic. It also manages the different AOCMS sensors and actuators used in AOCMS modes and mission phases.

The AOCMS specific functions rely on the services provided by the Common SW (Kernel SW,

Generic services) and include: q

The resources management

which handles all the resources needed to achieve the AOCMS objectives, i.e. the star tracker, the Sun acquisition sensor, the Inertial Measurement Units

(including gyros and accelerometers), the Reaction Wheels, the thrusters and the Solar Array

Drive Mechanisms. This function performs the configuration management and commanding of all these units. q

The processing of sensors output and actuators input

which provides the AOCMS modes with specific services allowing the filtering of hardware raw resources measurements or the processing of commands computed by the attitude and control laws. q

The ephemerides propagator

(continuously running) which provides the AOCMS modes with the spacecraft inertial directions to the Earth and Sun. q

The AOCMS modes management

which manages the transitions between the AOCMS modes: Sun Acquisition Mode, Safe/Hold Mode, Normal Mode, Orbit Control Mode,

Thruster Transition Mode, Main Engine Boost Mode, Braking Mode. q

The AOCMS algorithms management

which performs the attitude estimation and control, and the trajectory control in each mode. q

The AOCMS FDIR

which manages the FDIR at AOCMS equipment and AOCMS function levels. As for the DMS SW, this function is based on the monitoring of specific parameters representative of the equipment states and functions completion.

The AOCMS SW acts at a sub-system level in comparison with the DMS SW which manages the system level. However, the AOCMS SW participates to the implementation of : q the Mission management which sequences nominal and contingency mission phases based on specific sets of AOCMS modes, and interfaces with the ground control via the DMS for observability and commandability of the AOCMS equipment. q the Spacecraft management, which administrates, commands and allocates all AOCMS resources, q the system FDIR which rely, in its hierarchical approach, on the AOCMS sub-system FDIR level and the AOCMS equipment FDIR level.

06/02/2004

10.14

10.5 SSMM SOFTWARE

The SSMM consists of 2 processor systems: q

The Memory System Supervisor (MSS), dedicated to the communication with the DMS PM. q

The File and Packet Controller (FPC), dedicated to the file management on the memory modules and to the data exchange with the instruments and the TFG.

The SSMM software runs on the micro-processor based MSS and the micro-controller located in the

FPC. The main part of the SSMM-SW is programmed in C language. Parts of the start-up function are programmed in Assembler.

The SSMM software consists in two parts: q

The Initialisation software covering the Init Mode and running in the MSS. It is executed in

MSS PROM after activation of the SSMM. It performs the following main functions: initialisation of system controller and control interface hardware, tables, data, etc., load nominal software from EEPROM to RAM, (reduced) commands handling, transition to

Operational Mode. q

The Operational software covering the Operational Mode and Test Mode. It runs in the MSS

RAM and FPC RAM. It performs the following main functions: execution and control of telecommands, configuration and test of the memory modules, control of data flow from instruments and to TFG to and from the Memory Modules, failure handling, including management of failure log, failure recovery, creation of event report, housekeeping, TM packing for all required data, Watchdog control. In case of fatal failure, the SW returns to the Init software to allow for failure investigation.

06/02/2004

10.15

10.6 STAR TRACKER SOFTWARE

The STR SW runs on its own 32-bit microprocessor (DSP21020) at unit level. Its architecture is structured in modules according to different operative modes of the sensor (i.e. image acquisition, image processing, attitude acquisition/determination, and I/O data management).

It is composed of a generic part and a specific part.

The STR SW generic part provides basic services to the AOCMS SW for full visibility and investigation (health status, auto-tests, programmable window raw video access, memory read and write).

The STR SW specific part gathers all the tasks related to the application modes and include: q

Acquisition and Measurement mode: provides three-axis attitude restitution to the AOCMS

SW without initial information from the AOCMS SW (it performs an initial mapping, an automatic pattern recognition, selects stars and automatically tracks them), q

Mapping mode: provides magnitude and co-ordinates of all targets present in the field of view for ground investigation (backup mode), q

Calibration mode: gives the AOCMS SW the possibility to change default parameters.

The STR SW is a slave to the AOCMS application SW which can always, through equipment TC, switch off or reset it, change the current mode, modify parameters, dump or patch data and code. In the same way, the AOCMS SW asks for TM data and is free of reading them, interrupting a dialogue, asking for other TM data without corrupting the nominal execution of the mission modes.

TM/TC is managed as a high priority task by the STR SW.

06/02/2004

10.16

10.7 IMP SOFTWARE

The IMP SW

also runs at unit level. It concerns the gyros only, and provides the AOCMS SW with spacecraft angular rate.

As the STR SW, the gyro SW is a slave to the AOCMS application SW which performs the configuration, commanding and surveillance of this equipment.

Serial data is output from the IMU to the AIU via the RS-422 signal interface in blocks of ten words at 200 Hz. Each word consists of 16 bits, where the first bit (bit 0) is the MSB and the last bit (bit

15) is the LSB. The MSB is transmitted first.

<-----------------------------------

One block of data – 160 micro-seconds

---------------------------------->

Word 1 Word 2 Word 3 Word 4 Word 5 Word 6 Word 7 Word 8 Word 9 Word 10

Frame

Timer

MIMU

Status

Angle

X

Angle

Y

Angle

Z

Velocity

X

Velocity

Y

Velocity Z Mux Data Checksum

Data acquired and by the AOCS are the last ten words in a 8 Hz cycle. Data stored in the datapool are the last 8Hz acquisition within a 1 Hz cycle.

25 x 10 words

200 Hz

10 words

200 Hz

10 words

200 Hz

10 words

8 Hz acquired by the AOCS at 8 Hz

8 x 10 words

8 Hz

10 words

8 Hz

10 words

8 Hz

10 words

1 Hz stored in the AOCS datapool at 1Hz

Figure 10.7-1: IMP data acquisition and storage by the AOCS

06/02/2004

10.17

10.8 TRANSPONDER SOFTWARE

The S/X band transponder provides the two-way link between the S/C and the ground terminal via

S/X-band RF signals.

The Transponder software is composed of an RF section and a digital section. Its purpose is to control the functionalities of the digital section and to execute the signal processing operations required to maintain the forward and return links.

The Transponder software interfaces with the S/C by means of serial commands and digital telemetry.

The Transponder software is not patchable, which means that the Transponder is considered as a

“black-box” at software level.

06/02/2004

10.18

10.9 INSTRUMENTS SOFTWARE

Each instrument has its own autonomous SW, located in the instrument electronic units. The command and control of the payloads is performed by the dedicated Payload Management function of the DMS SW. The physical interface of the DMS PM with the instruments is the Remote

Terminal Unit (RTU).

Data exchange between the payloads and the DMS software are performed by means of packetised

TM/TC, both for commands, housekeeping and science telemetry data. q

Commands from the Ground are routed by the DMS software to the payloads through the

RTU and the OBDH bus. q

Housekeeping data from all the instruments are transmitted from the RTU to the DMS SW through the OBDH bus. q

Scientific data from low rate payloads (PFS, ASPERA, MAG, SPICAV) are transmitted from the RTU to the DMS SW through the OBDH bus. q

Scientific data from high rate payloads (VIRTIS and VMC) are directly transferred to the

SSMM through TM packets on the IEEE-1355 link.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.1

11 FDIR PRINCIPLES

11.1 FDIR HIERARCHY

The Venus Express automated FDIR function, as for the other function of S/C, is highly recurrent from Mars Express automated FDIR function with local adaptations due to the design changes between MEX and VEX.

The Venus Express automated FDIR function ensures that the anomalies are handled on-board with the goal in a first step, to recover from failure in the same operational mode and then, in a second step, to preserve the spacecraft integrity in case of unforeseen/unrecoverable anomalies. This second step leads to a spacecraft Safe Mode allowing stable safe attitude and TM/TC communications with ground for further diagnosis and recovery (TC).

Figure 11.1-1 shows the hierarchy of the Venus Express fault management. The faster the fault

response must be, the lower level the FDIR mechanism is implemented. Also, the number of units involved in a reconfiguration may increase with the level of fault management. In case of conflicts in terms of fault treatment between two or more FDIR layers or structures, the next higher level of FDIR, or ultimately the ground, will trigger.

CDMS Reconfiguration Modules

DMS S/W System Layer

Subsystems or application programs

Units

Ground

CDMS Computing

& Communications

Reconfiguration

DMS S/W System FDIR

(MTL, Auto Sequences Supervision,

Safe Mode Mgt, Comm’s Recovery

Subsystem / Applications FDIR

(DMS, TCS, AOCS, TTC)

Ground-driven diagnostic (TM), and fault recovery procedures (TC)

Automatic CDMS H/W table-driven reconfiguration actions

System recovery procedures

Avionics / platform units (DMS, AOCS, Power, Comm's)

CDMU, RTU, SSMM, PDU, PCU, RFDU, WIU, TWTA

AIU, SAS, RCS, SADM, STR, RWA, IMP

Subsystem/AP recovery

(switching group of units)

Unit recovery or reconfiguration

Local Reflex actions

Figure 11.1-1: Venus Express FDIR Hierarchy

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.2

FDIR Level

Reflex actions

Units

Group of Units

Order of Magnitude of Time

Response

[milliseconds, second]

[second, 10 seconds]

[10 seconds, minute]

Comment

H/W-implemented

TCS

TC Recovery

[minute, several minutes]

[several minutes, hours] Some delays as per Ground programming

S/C Safe Mode

CDMS Reconfiguration +

System Re-Initialisation

~30 minutes (S/C)

+ Ground ops afterwards

~30 minutes (S/C)

+ Ground ops afterwards

“Go to SAM” to AOCMS < 20 seconds.

“Go to SAM” to AOCMS < 30 seconds.

Ground [hours]

Figure 11.1-2: Order of Magnitude of FDIR Delays vs. Levels

When mapped onto the hardware and software architecture of Venus Express, the FDIR hierarchy can

be depicted as in Figure 11.1-3

Ground

HPCM A

(1) Reconfigure

Processors

(2) RTU power supplies

(2)

Reconfigure

SSMM & SSMM users

SSMM

(1)

1

Reconfiguration Modules

2 3 4

WD refresh, Power Alarm, DMS HPCs

DMS

System S/W

DMS S/S &

AP S/W

AOCS S/W

DMS PM AOCS PM

CMM

CMM

RTU AIU

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.3

HPCM B

Level 4 : reconfiguration modules

Level 3 : DMS

System software

Level 2 : S/S

& AP software

Level 1 : DMS processors

Level 0 : avionics

& platform units with or w/o embedded S/W

Platform units

AOCS units payloads

Figure 11.1-3: FDIR Hierarchy Mapping onto Venus Express H/W and S/W

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.4

11.2 GROUND FDIR SUPPORT

The Ground constitutes the ultimate level for FDIR management. Venus Express supports the ground fault treatment as follows : q

TM data to allow ground-driven :

• fault isolation down to the least reconfigurable item,

• trend analysis (long-term analysis, correlation between multiple parameters),

• high-level commanding of CDMU data processing resources (processor modules, clocks, CDMU I/O, "last chance bit"),

• checks of data recorded during the execution of autonomous sequences. q

DMS capability :

• to store and execute Master Time Line (MTL), "Short MTL", TC files,

Ground-Identified Failed Unit Table (GIFUT) and Ground-Selected Unit Table

(e.g., GSUT). The GIFUT and GSUT uploaded by the Ground are taken into account by the DMS S/W upon system (re-)initialisation.

• to serve ground requests to modify individual entries of the Processor-Identified

Failed Unit Table (PIFUT), and Processor-Selected Unit Tables (PSUT) in a

"real-time" manner.

• to store and execute ground recovery procedures which may constitute ground answers to on-board failures having led to the S/C Safe Mode (unanticipated or unrecoverable on-board fault conditions which autonomously triggered the S/C

Safe Mode to preserve the S/C integrity). See §

'Safe Mode'

. q

Capability to impose the CDMS PM configuration setting through HPCM CPDUs after reset. If the Ground selects a not physically working configuration (e.g., DMS PM = PM1 or PM4), such configuration will be attempted by the CDMS and rejected as nonoperational, provoking a new reconfiguration. q

Capability to disable the safing mechanisms (those that trigger the Safe Mode) at mission times when on-board fault management should not interfere with the autonomous sequence in progress (e.g., orbital burn). The ground is of course given the possibility to re-enable the safing mechanisms it previously disabled. q

Capability to upload S/W patches, Application Programs (APs), or FDIR OBCPs.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.5

FDIR Data Logging

The on-board software provides logging of data related to the occurrence and the processing of an anomaly. These logs are time-stamped with the spacecraft elapsed time (SCET). Nominally, these logs go to the SSMM. On the other hand, Critical Event Logs (CEL) are stored in SGM RAM and thus remain accessible to the Ground when the SSMM is off or "not used".

Context

Context data required during system initialisation are maintained in SGM RAM or E²PROM so that they are preserved in case of processor module reconfiguration. These data are down-linked upon request from the ground.

Critical Data Storage

During the execution of autonomous sequences (e.g., Separation Sequence, Main Engine Boost), the

DMS software stores critical data (in particular failure reports) to check later the execution of the sequence on ground. These critical data are stored in the Critical Event Log (CEL) of the SGM RAM.

Safe Mode Entry Inhibit

Safing algorithms that trigger the spacecraft Safe Mode will be disabled by the ground at times of orbital manoeuvres to allow recovery guaranteeing that the burn occurs on time and that fault management does not interfere with the timely execution of the manoeuvre.

Safe Mode / CMDS Reconfiguration Inhibit Rights

With the exception of the system (re-)initialisation sequence only the ground has the possibility to enable/disable the mechanisms that trigger the CDMS reconfiguration and/or the Safe Mode. This is done by the Ground directly or through the ground-uplinked MTL.

Short MTL

The DMS software has the capability to execute a "Short MTL" previously stored by the ground in the PM RAM. The “Short MTL” is a SSMM-less MTL type of execution, and therefore allows S/C operations transparency wrt SSMM failure modes during mission-critical phases. This capability is used by during the VOI/MEBM.

Standard Monitoring Enable/Inhibit

The DMS S/W incorporates a standard monitoring service (denoted as S131) to monitor individual parameters against pre-defined thresholds (SM), or a logical combination of SMs (Functional

Monitoring, FM) for which recovery actions are identical. The ground has the possibility to enable/disable a SM or a FM (this can be used to avoid generation of events and out-of-limit actions, for instance after a 1 st

or even a 2 nd

failure of a device).

Ground Overriding

It is possible from the Ground to override switch-over that may have been automatically performed on-board, i.e., the Ground can force the S/C to come back to any flight configuration.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.6

11.3 H/W RECONFIGURATION OF CENTRAL COMPUTING AND COMMUNICATIONS

The DMS and AOCMS software execute on safe processors as configured by the CDMU

Reconfiguration Modules (RM) and High Power Command Modules (HPCM).

The reconfiguration handling in the CDMS is divided into two parts :

1. Monitoring and reconfiguration request function (RM),

R ec

A

RM1

HPC

Reconfig.

sequencer

A

RM2

Rec

B

HPC

Reconfig.

sequencer

B

RM3 RM4

PM

Alive

Alarm

PM

Alive

Alarm

PM

Alive

Alarm

PM

Alive

Alarm

Figure 11.3-1 : H/W-implemented Reconfiguration of CDMU Processors

The monitoring and reconfiguration request function is located in the RM. Each RM contains a watchdog, which is periodically re-armed by the DMS PM. The time-out period for each RM differs between 531 ms and 578 ms, in steps of 15.6 ms. When the watchdog timer elapses, a reconfiguration request is sent to the reconfiguration sequencer. The RM generates the request alternatively between sequencer A and B.

In order to start the reconfiguration, the sequencer has to receive requests from at least two RM.

When two requests have been asserted to the sequencer, the Reset line is asserted to all units within the CDMS. This will halt any on-going activities in the CDMS. The sequencer then starts to execute a sequence of High Power Commands. The sequence is stored in a PROM that is read by the sequencer for each reconfiguration.

Once the sequence is completed (duration < 250 ms), the Reset line / Reconfiguration Request signals are automatically de-asserted and the system is re-started. In case the reconfiguration was not

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.7 successful, i.e. the RM watchdog timer elapses again, a new reconfiguration is started from the other sequencer. This means that in case a sequencer is faulty, the system will handle this automatically.

Should one Reconfiguration Request signal be left asserted (failure case), this does not trigger a new reconfiguration.

The DMS S/W re-arms the RM watchdog through the ‘PM Alive’ signal every 250 ms (counting 64

Hz RTC interrupts). Not re-arming the watchdog is a system level response to a variety of faults which require the spacecraft to be reconfigured and the science mission to be temporarily suspended.

The watchdogs in the RM have different elapse times between 531 ms to 578 ms.

Upon loss of the AOCMS S/W "heartbeat", the DMS S/W reacts by non-triggering of the RM watchdog, i.e., processor halt. The "heartbeat" surveillance consists in checking that the 1 Hz

AOCMS S/W housekeeping packet is periodically received.

In case one of the Battery Voltage is detected low during several successive acquisitions of the associated PCU SDT data (available in the DMS Data Pool), the DMS S/W causes the watchdog to trigger. This in turn provokes a CDMS reconfiguration and a System (Re-)Initialisation with large power shedding (i.e., P/L Off, TX Off, AOCMS units off till SAM commanding).

In case of one Battery / BCDR channel failure, a specific FDIR mechanism is triggered to reduce the

SC power consumption in order to be compatible with the remaining battery resources. In case of triggering, the S/W makes a first power load shedding by putting the payloads and the SSMM in keep alive or OFF mode. At the next eclipse entry, a S/W safe mode is commanded to expand the power load shedding : additional units are switched OFF such as the RF emitters (TX’s and TWT’s), the

AOCS units which are not used in SAM and non critical heaters. The SC remains in such low power consumption configuration until the eclipse exit and until the earth acquisition is completed with the

SA sun pointed. Afterwards, the telemetry transmission is re-started and the non critical heating lines

are re-powered. The description is presented in more details in section 11.7.

The following actions are included in the reconfiguration sequence initiated by the CDMS

RM/HPCM :

PM DMS A

PM DMS B

PM AOCMS A

PM AOCMS B

CK A

CK B

LCB A/

PM1 to OBDH

PM2 to OBDH

PM3 to OBDH

PM4 to OBDH

PM1

PM2

PM3

PM4

ON or OFF

ON or OFF

ON or OFF

ON or OFF

ON or OFF

ON or OFF

ON or OFF

A or B

A or B

A or B

A or B

ON or OFF

ON or OFF

ON or OFF

ON or OFF

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.8

A reconfiguration PROM provides automatically all the possible configurations of the above resources. A configuration is selected in accordance with an incremented pointer. Also, the ground has the possibility to force the pointer value to select a specific configuration.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.9

11.4 DMS SYSTEM S/W-IMPLEMENTED FDIR

The DMS System Layer software executes the mission- and system-level functions : q

System (Re-)Initialisation. q

Mission Time Line (MTL). q

Autonomous Sequences:

Separation Sequence (SSAP) including Solar Array (SA) Deployment

RCS Priming

Venus Orbit Insertion (VOI) / Main Engine Boost Mode (MEBM)

Safe RF Configuration (SAFCAP)

TC Link Monitor (TLMAP)

TC Link Recovery (TLRAP) q

Safe Mode.

The FDIR on this level relies on essential DMS and AOCMS functions and mechanisms such as to achieve and secure the mission : q

On-board time which is permanently available to trigger nominal mission operation events and time-stamp any anomaly situation. q

Mission timeline (MTL) which activate the spacecraft modes and functions according to the mission phase. q

Mission ephemerides, updated on-board the S/C to improve its autonomy (especially in case of opposition phase) and stored into SGM E²PROM, provide all data necessary to master

Earth, Sun and Venus position. This improvement is a modification with regards to Mars

Express S/C, which ephemerides were updated by the ground. These data are used to autonomously (re-)establish ground link and control programmed spacecraft attitude according to the mission phase. q

Attitude measurement with respect to an inertial reference frame is based on star pattern recognition using an on-board star catalogue. It is performed by the star tracker, which supports attitude measurement autonomy since no a priori attitude knowledge is necessary, and can be used in all mission phases. q

Redundancy management using healthy on-board resources. Cross-strapped access paths allow to confine the reconfiguration to the concerned unit. Non-volatile memories (RAM &

EEPROM SGM) allow to restart the spacecraft from a safe context.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.10

Figure 11.4-1 shows the DMS System Layer context with respect to CDMS and AOCMS.

Ground

CMD

CDMU o Dependable Clock o Safeguard Context (SGM) o TC Decoder / TFG o High Power Cmde / CPDUs o Reconfiguration PROM

Ground

CMD

Clock

Reference

DMS - PM o System (Re-) initialisation o MISSION TIME-LINE(MTL) o Ground TC Processing o Autonomous Sequences

AOCS

Supervision

AOCS PM o Attitude Management o Ephemeris Data o Modes Transitions

(convergence criteria,

time-out) o Autonomous Star Pattern

Recognition (STR) o VOI/MEBM

DMS

Control

Monitoring and

Control

FDIR

Management

Autonomous

Three Axis

Attitude

Knowledge

Star

Tracker

AOCS Units Units

MAT9921C

Figure 11.4-1 : DMS System Layer Context

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.11

11.5 SUBSYSTEM LEVEL

The DMS S/W executes Application Programs (TCS, RF communications, Separation Sequence) which include their own FDIR mechanisms.

The RF communications TT&C FDIR mechanisms are summarised in Section 11.6.

The Power FDIR is summarised in Section 11.7.

The AOCMS FDIR is summarised in Section 11.8.

Typical related errors of the DMS and AOCMS S/W are RTC error, overflow, overrun/overload.

The DMS S/W implements specific mechanisms to protect itself and the SSMM against overload conditions that would create S/W crashes. Overload conditions would typically occur upon ground programming exceeding the max operational limits such as the number of TC with the same SCET in the MTL (q = 24 TC/sec) or the number of P/L TM polling during the 8-second polling period, etc.

Also, it might happen in case the DMS is busy with a RTU reconfiguration while TC continue to accumulate in the DMS S/W buffers.

Finally, jitters of the VHF sequencer (64 Hz), HF sequencer (8 Hz) and NF sequencer (1 Hz) could result in an 1 Hz cycle overrun whenever cyclic task time allocations are computed irrespective of the worst-case jitters.

The DMS S/W protects itself against burst of TC originating from the ground-uplinked MTL as follows :

❏ if the number of MTL TC with the same SCET is larger than 24, then the DMS S/W executes the first 24 TC in the current 1 Hz cycle and spreads the remaining TC over the next 1 Hz cycles. Should the burst of TC last for several seconds, the DMS S/W continue to behave the same way.

The MTL execution FDIR will trigger if and only if a TC is 20-second overdue.

The DMS S/W queues up ground TC during RTU reconfiguration, suspends the MTL execution pending RTU availability, and allows for a 20-sec lag time for time-tagged TC (which is about 10 times the RTU reconfiguration delay).

The DMS S/W protects itself from VHF/HF/NF jitters by introducing time margins greater than the worst-case jitters (determined through tests with actual H/W and S/W).

At each 1 Hz cycle, the DMS S/W OBCP Manager checks that sufficient CPU time is available before launching the execution of OBCP during this cycle. If no sufficient time is available, the OBCP execution will be re-attempted at the next 1 Hz cycle.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.12

In case two successive overruns happen despite of the preventive provisions implemented in the DMS

S/W, the overload is considered as confirmed by the DMS S/W. It consequently provokes a processor halt that in turn triggers the automated CDMS reconfiguration and system (re-)initialisation.

Fault detection of the DMS S/W is managed at 2 levels: through some internal surveillances, and by the 4 watchdogs implemented within the RM, but the result is the same, since what the DMS S/W does (in case it detects internally a major failure) is simply halts, thus provoking voluntarily a triggering of the watchdogs. Failure recovery and isolation are fully managed by the automatic H/W controlled reconfiguration sequence.

Failure detection of the AOCMS S/W is managed on 2 levels: by the AOCMS S/W itself, and

(because the S/W could possibly not be correctly working because of the failure) by the DMS S/W which monitors the correct behaviour of the AOCMS S/W. Whether an AOCMS S/W major failure is detected within the AOCMS S/W or by the DMS S/W, the final result is the same since what the

AOCMS S/W does in this case is to halt (and this is considered as a major failure by the DMS S/W), and what the DMS S/W does is to halt also. As for a DMS S/W major failure, the final result is therefore a triggering of the watchdog monitoring the DMS S/W. Failure recovery and isolation are fully managed by the automatic H/W controlled reconfiguration sequence which follows watchdog triggering.

Failure protection against irreversible actuators activation due to AOCMS S/W error : to avoid inadvertent and so, irreversible, actuator activation H/W protection mechanisms are implemented :

Over-speed for the Reaction wheel control and Time-out for thrusters control. During nominal thrusters activation (short duration) , use of the gyros provides thrusters failure detection

.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.13

11.6 TT&C FDIR SUMMARY

The TT&C FDIR is the major modification between Venus Express S/C FDIR and Mars Express S/C

FDIR.

The modifications are induced by the design changes of the TT&C subsystem introduced between

MEX and VEX, mainly the addition of a second High gain antenna. This new HGA is a single X-band

HGA, so-called HGA2.

The block diagram of the TT&C subsystem is presented in the following figure.

RFDU

LGA 1

(front)

LGA 2

(rear)

DIPL 1

DIPL 2

S-Band Rx 1

X-Band Rx 1

S-Band Tx 1

X-Band Tx 1

HGA 1

DIPLX

DIPLX

TWTA 1

S-Band Rx 2

X-Band Rx 2

S-Band Tx 2

X-Band Tx 2

HGA 2

WIU

TWTA 2

Figure 11.6-1 : Venus Express TT&C Subsystem block diagram

In violet color is represented the H/W modification with regard to Mars Express (implementation of

HGA2 and WIU Diplexer and its associated Wave Guides).

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.14

Reminder of the Mars Express FDIR design:

The following mechanisms are implemented in the Mars Express design : q

Safe RF Configuration Application Program (SAFCAP)

: Establishment of an autonomous

S-Band configuration, most of the time featuring the HGA, as part of the S/C Safe Mode execution (HW or SW safe mode). q

TC Link Recovery Application Program (TLRAP)

: Detection of the TC link loss and subsequent autonomous recovery of the TC link taking into account the previous RF equipment configuration as an entry for establishing a new configuration. The recovery can lead to versatile RF configurations combining X-Band and S-Band RX/TX, S-Band configurations featuring the HGA, or, ultimately, a dual LGA mode. q

WIU Load Overheating Surveillance (WILOS)

: Surveillance that no TWTA feeds a WIU load to prevent from over-heating. Should this abnormal condition exists, a SW safe mode is triggered to passivate the anomaly through the Master Switch Off, and establish a safe RF configuration by SAFCAP execution.

Modification for Venus Express :

SAFCAP

The RF configurations established by SAFCAP depends first on the Earth-SC distance flag stored in

SGM E

2

PROM) : q if the flag indicates “Near earth” (it corresponds to the LEOP Phase), SAFCAP establishes a dual LGA S-band configuration. This is unchanged for VEX because this configuration is common between MEX and VEX q if the flag indicates “Far from Earth”, in the MEX design, SAFCAP establishes a S-band configuration with the HGA. This is modified for VEX to establish a X-band configuration instead of S-band because HGA2 is a single X-band antenna. SAFCAP uses a flag stored in the SGM which indicates which HGA has to be used for communications : HGA1 or HGA2. q

The start of the telemetry transmission, done in SAM/StAP in the MEX design, has been postponed in SHM after the execution of the attitude manoeuvre from Sun pointing attitude to

Earth pointing attitude.

WILOS

This monitoring is deleted on Venus Express S/C as there is no more loads in the WIU due to the implementation of HGA2.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.15

TLRAP

The TC link monitoring is triggered when no TC has been received in a time period.

The recovery strategy is the following : q

One or two reconfigurations are tried, according to the current TT&C configuration, q

After each attempt, the TC link recovery is checked. q

If the TC link is recovered, TLRAP is exited. q

If the TC link is not recovered after the reconfiguration attempts, the ULGA mode is entered

(Ultimate Low Gain Antenna) where both LGA’s are selected for the communications and the

Safe mode is entered (in this case, SAFCAP is bypassed)

Two types of TT&C configurations are considered by TLRAP : q

Foreseen operational configurations, defined as “interpretable” by TLRAP. For these ones, two reconfiguration attempts are tried before entering the ULGA mode, that offers a 2 failures tolerance. These configurations are therefore recommended for use by the Ground. q

Unforeseen operational configurations, defined as “not interpretable” by TLRAP. For these ones, only one reconfiguration attempt is tried by establishing a unique default configuration.

In the VEX design, the interpretable configurations have been modified to take into account the implementation of the HGA2, the configurations established by SAFCAP which are different wrt

MEX, and the configurations required for Radio-Science operations.

The reconfiguration principle is unchanged wrt MEX : q

At 1 st

attempt, the X-band receiver is changed, q

At 2 nd

attempt, the receiver is changed from X-band to S-band, q

The TM chain configuration is unchanged.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.16

11.7 POWER FDIR SUMMARY

The Venus Express Power FDIR is identical to the Mars Express one, except the FDIR mechanism related to the APR failures.

The SW-implemented Power FDIR includes the 2 following monitorings: q

Battery Discharge Alarm Surveillance (BDAS), q

BCDR FDIR mechanism based on the Battery Anomaly Reactive Surveillance (BARS) and the Battery Discharge Current Surveillance (BDCS).

The

Battery Discharge Alarm Surveillance

(BDAS) is a global surveillance which monitors any failure out of the power subsystem leading to a battery over-discharge condition (erroneous pointing, over-consumption conditions during eclipse, erroneous mission programming by the ground, …).

Upon BDAS triggering, a transition to S/C Safe mode with an overall CDMU and avionics reconfiguration is activated, leading to a significant power load shedding : the Payloads are put in

Keep-live or OFF mode, as well as the AOCS units which are not used in SAM, and the RF emitters

(TX and TWTA) are also switched OFF. The telemetry transmission is re-started in SHM when the

Solar Array is properly sun pointed.

The

BCDR FDIR mechanism,

as illustrated is based on the following surveillances :

The

BCDR Anomaly Recovery Surveillance

(BARS) which is a local surveillance that detects any

BCDR failure occurring outside eclipses. Upon BARS triggering, the S/C power consumption is reduced in a first step by putting the payloads and the SSMM in keep alive or OFF mode. Since the overall battery power capability has been reduced to 600W (instead of 900W before failure), the SC power consumption shall be further reduced during eclipses. This is the aim of the second monitoring, the Battery Discharge Current Surveillance (BDCS) which is therefore enabled by BARS.

The

Battery Discharge Current Surveillance

(BDCS) monitors the TM battery discharge currents of the two safe BDRs to detect the eclipse entry. Upon triggering, a S/W safe mode is commanded to expand the power load shedding initiated by BARS : additional units are switched OFF such as the

RF emitters (TX’s and TWT’s), the AOCS units which are not used in SAM and non critical heaters.

The SC remains in such low power consumption configuration until the eclipse exit and until the earth acquisition is completed with the SA sun pointed. Afterwards, the telemetry transmission is re-started and the non critical heating lines are re-powered.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.17

Figure 11.7-1: BCDR FDIR logical diagram

In case of BCDR failure during the eclipse, a Main Bus Undervoltage (MBU) will occur prior to the

BARS reaction, due to the over-load of the remaining BDR’s (SC consumption higher than 600W).

This MBU will trigger the under-voltage detection (UVD) of the LCLs which will switch OFF the

LCL’s. After such event, the over-load conditions are cleared and the Bus voltage rises again to nominal values. The System will then automatically restart after an overall reconfiguration. The SC will be kept in the same low power consumption mode as commanded by the BDCS triggering until the eclipse exit and the earth acquisition is completed with the SA sun pointed.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.18

11.8 AOCS FDIR

The main role of the FDIR is to ensure autonomously the Spacecraft safety in case of failure. As a secondary objective, the continuation of the mission will be ensured as far as possible, when the failure is not too critical and if the first objective is not endangered. Note that during the Venus insertion manoeuvre, the mission continuation is as critical as the Spacecraft safety.

Hierarchy in the FDIR

A classification of the surveillances is performed in two ways, by their level in the functional chain, and by their criticality in a dedicated Mode.

The level classes of the surveillances are the following: q

A local monitoring

, concerns health checks at unit level, q

A functional monitoring

is built from a comparison between several units, q

A global monitoring

concerns high-level vital spacecraft capabilities.

The reconfiguration actions decided by the onboard Software strongly depend on the level of the surveillance triggered, a local monitoring enabling usually a reconfiguration at unit level, while a global monitoring triggering often leads to the reconfiguration of several H/W subassemblies.

The criticality of the surveillance in a dedicated mode is described by the capability to continue the current operations or not after reconfiguration: q

A Non Emergency Surveillance (NES)

enables to continue in the current mode. If this surveillance triggers, and if redundant units are available, the AOCS will stay in the same mode after the adequate reconfiguration. q

An Emergency Surveillance (ES)

leads to a switch in the safe mode after the reconfiguration.

Two other classes have been defined for the units that are not mandatory to continue operations: the

Blocking Surveillances (BS)

and the

Off-Line Surveillances (OLS)

. The triggering of these surveillances does not lead to a mode change.

Reconfiguration / recovery

For each unit or module, nominal and redundant sets are identified and managed by the S/W. Out of failures, nominal elements are used. The link with physical resources (A/B units) is ensured through a redundancy table managed by the ground. For each surveillance, a set of suspected units is identified, depending of course on the level of the surveillance. After surveillance triggering, the reconfiguration actions consist first to switch off suspected units and change their nominal/redundant status. In a second step, a switch to the safe mode will be commanded if necessary, with redundant units if they are also used in this mode.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.19

Safe Mode

In most of the AOCS Modes (except the Main Engine Boost Mode), when it is not possible to stay in the same mode after a surveillance trigerring (Emergency Surveillance), the safe mode is entered. The mode starts by the Sun Acquisition Mode (SAM), and the sequence continues autonomously in SHM performing an Earth acquisition.

Depending on the fact that there is a reconfiguration of the CDMU (including a PM reboot) or not, a

Hardware safe mode, or a Software safe mode will be entered.

Sun Acquisition

Mode (SAM)

Rate Reduction

Phase

(RRP)

Stand By

Mode

(SBM)

Sun Capture

Phase

(SCP)

Stowed SA

Sun Acquisition

Phase

(SAP)

Deployed SA

Sun Pointing

Phase

(SPP)

Star Acquisition

Phase

(StAP)

Switch to SBM (no control) for SA deployment

Biased Pointing

Phase

(BPP)

Safe / Hold Mode

(SHM)

Nominal transition

FDIR transition

Earth Acquisition

Init

(EAIP)

Earth Acquisition

(EAP)

Wheel

Off Loading

Hold

(HP)

Earth Pointing

Init

(EPIP)

Earth / Sun

Pointing

(EPP)

MAT 13260

Normal Mode

Figure 11.8-1 : AOCS FDIR Transitions

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.20

5 levels in the AOCS FDIR

5 levels of actions are identified in the AOCS FDIR : q

The level 1

corresponds to a reconfiguration without mode change. A Typical case is the triggering of a Non Emergency Surveillance during an operational mode. q

The level 2

corresponds to a switch to SAM after a reconfiguration of suspected units. The level

2 of the AOCS FDIR leads to a SW Safe Mode. q

The level 3

corresponds to the triggering of a surveillance during the SAM. In this case, a global reconfiguration is commanded by the Software, and the SAM is restarted with all redundant units.

The level 3 of the AOCS FDIR leads to a SW safe mode. q

The level 4

is reached if a surveillance triggers after the previous step in SAM.

In this case, it is assumed that the anomaly cannot be managed by the AOCS alone. A HW Safe mode, (with a processor reboot) is then performed by the DMS under AOCS request. After the reboot, the

AOCS restarts in SAM with all the nominal units. q

The level 5

corresponds to the triggering of a surveillance in SAM after the level 4. The AOCS reboot counter is incremented, and a second HW safe mode (processor reboot) is commanded.

The SAM is restarted with all redundant units. All surveillances are inhibited, and the transition between SAM and SHM is inhibited : this is the ultimate back-up Mode.

These 5 steps enable to scan all the possible configurations of the H/W, starting of course, at the level

1 and 2, by the simplest actions, which should cover the most probable failures at AOCS level.

At level 2 or 3, the back-up mode termination is the

Earth Pointing

phase (EPP) of the SHM (wheel controlled phase in which the Spacecraft waits for ground orders). But as some transitions to this mode may be forbidden because of a lack of redundancy (after a second failure, for instance), the final mode may be: q the

Hold

phase of the SHM that allows communications with Earth, the SC being controlled by thrusters instead of wheels (after a second wheel failure, for instance), q the

Star Acquisition

Phase of the SAM, ultimate back-up mode (after a second STR failure, for instance).

In order to ensure the synchronisation between the DMS and the AOCS, the reconfiguration to the

Sun Acquisition Mode (level 2 or 3) is implemented in three steps :

1. The AOCS sends a Safe Mode request to the DMS and switches to the Stand-By Mode.

2. The DMS answers by sending to the AOCS the AOCS Master Switch-Off command

(switch-off of all AOCS equipments except the IMPs).

3. The DMS switches the AOCS to the Sun Acquisition Mode, at the end of the AOCS

Master Switch OFF.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.21

Specific case of the Main Engine Boost Mode

In the MEBM, a specific logic is used, due the criticality of the insertion manoeuvre: q

The number of active surveillances is reduced to the minimum (the equipments that are not mandatory for the MEBM completion are off (STR, SADE and Reaction Wheels) q

Except in the case of the time-out triggering, the active surveillances are classified as “NES”, leading to continue or restart the manoeuvre after the triggering. If a reconfiguration of the

AOCS H/W is necessary (all cases except IMP failures), the Main Engine is stopped, and a specific procedure is run at DMS level, to ensure that the thrust and the AOCS control can be restarted within 10s (a thermal constraint at Engine level requires that the motor is not restarted between 10s and 500s after cut-OFF). If the manoeuvre is declared “critical” by the ground, the Main Engine is restarted. If not, the MEBM ends in Back-Up MELSP. q

When the Main Engine can not be restarted (double velocity triggering) or shall not be restarted (temperature monitoring triggering) or when the manoeuvre is declared “not critical” by the ground, the MEBM is ended in Back-Up MELSP. In this phase, the 8 thrusters are used to produce both thrust and control torque (4 thrusters are continuously open, since the four others are off-modulated). q

In case of time-out triggering, the Main Engine is switched off and the transition to the Sun

Acquisition Mode is realised.

The manoeuvres that are not “mission critical” shall be declared by the ground has “not critical” because, in case of failure, the Main Engine restart may generate high torque at the SADM interface.

Specific cases for Hardware reconfigurations

A specific management of the Nominal/redundant configurations is necessary for the gyros and the wheels , due to the specific H/W redundancy configuration : q

Use of 3 gyros among 6, q

Use of 3 Reaction wheels among 4.

A specific algorithm is used onboard to select from the H/W IMU channels status, and from the ground indications, the set of 3 gyros to be used in case of reconfiguration.

Venus Orbit Insertion (VOI) prepration

Before the Venus Orbit insertion manœuvre, it is necessary to avoid a transition to safe mode, which could endanger the mission introducing inacceptable delays in the sequence. For this period, “4-wheels” and “6axes” gyro configurations are selected and several surveillances are inhibited.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.22

Retrieve Context

SBM

Yes =Level 5

: after 2 reboots due to AOCMS

AOCMS boot flag

• select redundant units

• inhibit all surveillances

• inhibit transition to SHM

2 ?

NO = Nominal SAM

(Separation Sequence), or

Level 4

: 1st reboot due to AOCMS

• select nominal units

HALT

Level 3

: after any Surveillance triggering, switch all units to B and restart SAM

(SBM-SAM sequence managed by the

DMS “Master switch-OFF”) stowed solar arrays : go to

BPP

SAM deployed solar arrays : go to

StAP

Levels 4 & 5

: after any Surveillance triggering, with all units already on

B, request PM reboot if authorized

Go to SBM

(upon DMS request)

Level2

: ES or NES with no redundancy available for at least one suspected unit

(SBM-SAM sequence managed by the DMS “Master switch-OFF”)

Level 1

: NES with

Redundancy available for all suspected units

SHM

Ground TC

Normal Mode

Other operational modes

Figure 11.8-2 : AOCS FDIR levels

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.23

Star Tracker mode management

The initial Star Tracker mode management of Mars Express assumed that the sensor remains in

Tracking Mode, and the FDIR detected a failure when the Tracking of the sensor was lost. There was some exceptions to this rule, during slew manoeuvres, during occultations of the sensor by the planet, or during specific AOCS modes, when the acceleration seen by the Star Tracker is too high, as for instance in OCM.

The occultations by the planet are managed through 2 different ways, depending on the Mode. During

Normal Mode, the occultation are predicted on ground and managed onboard through “occultation tables” providing the beginning and end dates of these events.

During Safe and Hold Mode (SHM), a specific algorithm has been defined, able to manage autonomously the occultation periods, and trying to restart the Star Tracker in acquisition when the

Tracking is lost due to an occultation. This attempt will be performed during a delay compatible with the largest duration of the occultation, and no failure will be declared by the FDIR during this period.

This algorithm is necessary to cope with orbit degradations related to thruster pulses in SAM and

SHM, leading to inaccurate or wrong predictions of occultation tables.

A modification has been proposed for Venus Express, and finally implemented on both Mars Express and Venus Express, in order to extend this autonomous occultation management to all AOCS Modes using the Star Tracker, i.e. the Normal Mode, the Thruster Transition Mode (TTM), and the Orbit

Control Mode (OCM).

It is still possible to manage the occultations during the mission as initially foreseen on MEx , the specific algorithm being also able to treat occultation tables.

This modification will increase significantly the robustness of the system to a tracking loss at Star

Tracker level, which could occur for other reasons than explicitely predicted in the Mars Express initial strategy recalled previously. This will also increase the robustness of the sytem to the solar flares, since Venus Express radiation analyses showed that the probability to have a tracking loss in this environment is almost equal to 1.

In case of tracking loss, the current AOCS mode will not be interrupted, continuing on gyro measurements, and no failure will be declared by the FDIR, up to a certain duration, which can be selected on ground to be compatible with occultations and Solar Flare duration.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.24

11.9 UNIT LEVEL

11.9.1 Failure Management of Intelligent Units

Failure detection of intelligent AOCMS (respectively other bus) units is managed at 2 levels: through some surveillance internal to the units, and via additional surveillances implemented within the

AOCMS (respectively DMS) S/W. Failures detected internally of the units are signalled to the

AOCMS (respectively DMS) S/W via normal TM or via events.

The STR (respectively the SSMM) may also decide to perform internal S/W transition to Stand-By

Mode or Init Mode, which is seen from the AOCMS (respectively the DMS) S/W as a specific failure, such a unit S/W reconfiguration being monitored by the AOCMS (respectively the DMS) S/W. As for the non-intelligent units, the additional surveillance implemented within the AOCMS (respectively the DMS) S/W can be individuated to these units only or larger surveillance which monitor consistency between several units (for example monitoring of converters voltages or consistency checks of their outputs with the outputs of other sensors).

Failure Isolation and Recovery is fully managed by the AOCMS (respectively the DMS) S/W, i.e. the decision to switch off a unit (and / or to switch on its redundancy) in case of major failure is taken by the AOCMS (respectively the DMS) S/W only. This decision can also lead to reconfiguration to Safe

Mode.

Note that as for the non-intelligent units, the DMS S/W acts as slave of the AOCMS S/W relative to the AOCMS intelligent units.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.25

11.9.2 Failure management of CDMS non-intelligent modules

Some CDMU internal modules are accessed only by the DMS S/W. FDIR of these modules is therefore fully managed by the DMS S/W itself.

For modules which may be used by both the AOCMS S/W and the DMS S/W (these are the SGM and the Central PROM located within the CMM, and the Master Clock located within one RM), failure detection activities are implemented both within the AOCMS S/W and within the DMS S/W, but responsibility of failure isolation and recovery belongs only to the DMS S/W. In case of problem, the

AOCMS S/W will simply inform the DMS S/W of this problem, and it is the DMS S/W which shall decide on what to do.

The AOCMS may access both SGM RAM and EEPROM during initialisation. Once the initialisation is completed, the AOCMS accesses the SGM through requests sent to the DMS S/W which is in charge of executing these requests.

All PM memories are either not sensitive to SEU, or SEU protected

,

either directly through EDAC

(program code) or through S/W processing (rewrite, check-sum, scrubbing, double write,...).

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 11.26

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.1

12 RELIABILITY AND REDUNDANCY ARCHITECTURE

The Venus Express S/C architecture is recurring from Mars Express S/C with very few exceptions

(addition of HGA2 X-band only antenna with its associated Diplexer and wave guides). Thus, the redundancy scheme provides the same Mars Express hardware resources to handle on-board failures through an autonomous failure management. The redundancy concept is mainly derived from autonomy requirements, failure tolerance requirements, reuse of Mars Express avionics architecture and reliability figure. This concept allows Venus Express spacecraft to be fully one-failure tolerant.

12.1 REDUNDANCY REQUIREMENTS

Autonomy

As Venus Express is required to be autonomously one-failure tolerant (decision taking function without ground intervention on failure/event occurrence), all failures which endanger the Spacecraft integrity need to be managed on-board. The FDIR function is in charge of failures management using

redundancy resources

. Most functions are supported by

stand-by

redundancies.

Hot redundancy and majority voting

are used for critical functions (main bus regulation, reconfiguration module, WD...).

To improve availability (waiting for powering on)

hot stand-by

redundancies can be programmed for critical mission phases (Venus orbit insertion manoeuvre).

Failure tolerance

The Venus Express spacecraft is designed to be one-failure tolerant which means that each EEE function is redunded as a minimum. Specific design rules (segregation, thermal dissipation control, parts redundancy, etc.) is implemented to avoid failure propagation.

Reuse of Mars Express Avionics architecture

The redundancy architecture has been kept as is because of the numerous existing similarities between

Mars Express and Venus Express in terms of mission, autonomy and failure tolerance constraints.

Reliability figure

Cross-strappings are implemented so as to improve significantly the spacecraft reliability figure or the operational flexibility, but shall not bring additional risks by increased design complexity.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.2

12.2 REDUNDANCY SCHEMES

Mission critical functions and system alarms are implemented with a

majority voting

structure to automatically filter inadvertent and latent failures.

Vital functions (power) and essential functions supporting reconfiguration process (HPC, TC decoder,

RM, SGM, RX-Transponders) are implemented in a

hot redundancy

structure to provide redundant resources without any configuration commands.

All other EEE functions are supported by

stand-by

redundancies except for critical phases for which the ground can select a

hot stand-by

redundancy mode to avoid outages due to reconfiguration (e.g. 2

STR, 4 RW, 2 IMU).

Hot stand-by

redundancy mode can also be used as an operational flexibility for some multiple failure cases within a dedicated unit (ex : possibility to use the AIU in hot stand-by mode after the failures of thruster 1N and thruster 2R)

These different redundancy schemes can be implemented for each unit internally or externally.

At unit level, three types of redundancy packaging are provided : q

Internal redundancy: optimised for mass and volume aspects; segregation rules between N &

R functions will be applied to simplify failure propagation avoidance assessment; concerns typically multi-function units (e.g. AIU). q

External redundancy: safest architecture for N

R failure propagation avoidance detrimental to mass & volume aspects ; concerns typically single function units (e.g. STR, TWTA,...). q

No redundancy: mechanical elements, mechanisms are generally not redounded ; operational reliability of such units is demonstrated through adequate design margins, quality control and successful environmental test results.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.3

Payload

VERA VIRTIS VMC PFS ASPERA MAG SPICAV

S

S

S

X

X

Heater Power Heater Power Heater Power

LGA1

USO I/F

RFDU

Communications

1355 link 1355 link

+ 28V Regulated

Protected lines

OBDH

Solid State Mass Memory

1355

RemoteTerminal

Unit

LGA2

HGA1

WIU

S

Dual Band

Transponder

X - Rx X -Tx

TC

TM

Control & Data Management

System

CDMU 2

CDMU 1

AOCS Interface

Unit

Pyro Heater Power

Thermal Heater Power

Pyro Devices

Power Supply

Power Distribution Unit

Power Control Unit

Battery

SADE

HGA2

X -Tx

X Band

TWTA

Analogue

Propulsion

Data Handling

1355 link

Analogue

1355

MACS

SADM

Solar Array Drive Assembly

RS422 Analogue

Solar

Array

Reaction

Wheel

Assembly

Star

Tracker

Inertial

Measurement

Unit

Sun

Acquisition

Sensor

Attitude and Orbital Control

Figure 12.2-1: Venus Express Spacecraft Physical Redundancy Implementation at Unit

Level

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.4

12.3 REDUNDANCY DESCRIPTION

Definitions

“1 out of 2” stand-by redundancy, or cold redundancy,

means that a function is ensured by 1 element nominally active among 2. After one failure, the second one is used in place of the failed element.

“1 out of 2” active redundancy, or hot redundancy,

means that a function is ensured by 2 elements nominally active in parallel. After one failure, the second one still ensures the function.

“2 out of 3” stand-by redundancy, or cold redundancy,

means that a function is ensured by 2 elements nominally active among 3. After one failure, the third one is used in place of the failed element.

“2 out of 3” active redundancy or hot redundancy,

means that a function is ensured by 3 elements nominally active in parallel. In case one element is failed, the 2 remaining ones still ensure the function.

Redundancy policy

Consistent with the redundancy schemes, most functions are implemented with a

one out of two stand-by

redundancy. The main exceptions to this rule are the following : q

The antennas (LGA1, LGA2, HGA1 and HGA2) and the front end RF components until the RF switches in the RFDU and the WIU (wave guides, diplexers, RF cables), and also the 3 dB Hybrid are not redunded. The other items are Single Point Failure free. q

The Dual Band Transponder receiving function is used in

1 out of 2 hot stand-by

redundancy

(only one RX is receiving the uplink RF signal, but both RX are ON), it must be noticed also that the S-RX and the X-RX of the same transponder cannot operate simultaneously (only one can be selected as active) q

There are three separate batteries, each one being in series with one BCDR in the PCU, used in a

2 out of 3 active

redundancy. Should one battery or one BCDR fail, the 2 remaining ones allow to ensure a graceful degraded mission (limitation of operations in eclipse). q

The three Array Power Converters of one Array Power Regulator are used in

2 out of 3 active

redundancy. Should one converter fail, the two remaining ones can still provide the power bus with SA wing power, but with a power capability reduced by a third. q

There are 4 PM in the whole CDMS (2 per CDMU). In each CDMU, 1PM is DMS-configured and the other one is AOCMS-configured. The DMS PM and the AOCMS PM are used in

1 out of

2 stand-by

redundancy.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.5 q

The On-Board Time generation function and the spacecraft monitoring and reconfiguration function of the Control and Data Management Units (CDMU) are used in

2 out of 3 hot

redundancy. In particular, a System Alarm will lead to a reconfiguration only if it is detected by at least two Reconfiguration Modules among the four operational ones. This allows to be one-failure tolerant during critical phases. q

The TC decoder of the CDMU is used in

1 out of 2 hot stand-by

redundancy (both are ON, but only one is addressed by the ground Telecommand). q

There 3 memory stacks in the SSMM are used in a

2 out of 3 active

redundancy. q

The 4 Reaction Wheels can be used in two redundancy schemes : a

3 out of 4 stand-by

redundancy scheme or a

3 out of 4 active

redundancy scheme. q

The Remote Terminal Unit I/O boards are used in

1 out of 2 active

redundancy. In the case one

RTU I/O board is failed, some functions are no more accessible because no cross-strapping is implemented between the RTU and these users (e.g. the TRSP-A is coupled to I/O-A and TRSP-B is coupled to I/O-B),

The Venus Express S/C reliability block diagram is composed of the following reliability block diagrams: q

Communication Subsystem reliability block diagram (Figure 12.3-1).

q

Data Management & Attitude, Orbital Control Management subsystem reliability block

diagram (Figure 12.3-2).

q

Combined Propulsion Subsystem reliability block diagram(Figure 12.3-3).

q

Power Supply subsystem reliability block diagram (Figure 12.3-4).

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.6

Figure 12.3-1: Venus Express Communication reliability block diagram

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.7 a b

CDMS

HPC A

½ ACT

CDMS

HPC B

RTU

BUSC Nom

½ STB

RTU

BUSC Red c d e f

RTU

Moth. Board

& connect.

Chain 1 (68 Fits)

RTU

Moth. Board

& connect.

Chain 2 (306 Fits)

AIU

PDM Nom

AIU

PDM Red g h

PDU

LCL

PDU

LCL

IMU

Gyros/Acceleros

Processing & Supply

IMU

Gyros/Acceleros

Processing & Supply

PDU

FCL

PDU

FCL

PDU

FCL

PDU

FCL

CDMS

PS1

½ ACT

CDMS

PS 4

CDMS

PS 2

½ ACT

CDMS

PS 3

AIU

Switching

Elements Nom

½ STB

AIU

Switching

Elements Red

STR

EU Nom

½ STB

STR

EU Red

PDU

LCL

PDU

LCL

PDU

LCL

PDU

LCL

CDMS

SGM A

½ ACT

CDMS

SGM B

RTU

Moth. Board

& connect.

Chain 1N

RTU

Moth. Board

& connect.

Chain 1R

PDU

LCL

½ ACT

PDU

LCL

CDMS

PM1 (AOCMS)

CDMS

PM 4 (AOCS)

CDMS

PM 2 (DMS)

CDMS

PM 3 (AOCS)

CDMS

PROM A

CDMS

PROM B

RTU

TCM Nom

RTU

TCM Red

CDMS

TRSP I/F A

½ ACT

CDMS

TRSP I/F B

RTU

TMMA Nom

½ STB

RTU

TMMA Red

STR

OH Nom

STR

OH Red

RWA 1

¾ ACT

RWA 2

RWA 3

RWA 4

SSMM

Power

Converter

SSMM

MC

SSMM

½ STB

SSMM

Power MC

Converter

AIU

CON Nom

AIU

CON Red

AIU

TMCM Nom

½ STB

AIU

TMCM Red

PDU

LCL

PDU

LCL

PDU

LCL

PDU

LCL

RTU

TMMB Nom

RTU

TMMB Red

CDMS

RM1

CDMS

RM2

CDMS

RM3

2/4 ACT

CDMS

RM4

SSMM

MM0+MM1+MM2 complex

SAS 1

SPS 1

½ STB

SAS 1

SPS 2

IMU

Gyros Nom

½ STB

IMU

Gyros Red

CDMS

TFG A

½ ACT

CDMS

TFG B

RTU

PDM Nom

½ STB

RTU

PDM Red

RTU

SER Nom

RTU

SER Red c d a b

PDU

LCL

PDU

LCL

SAS 2

SPS 1

½ STB

SAS 2

SPS 2

IMU

Acceleros Nom

IMU

Acceleros Red g h e f

Figure 12.3-2: Venus Express DMS & AOCMS reliability block diagram

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.8

HE tank Pressure Transducer

(PT1) (leakage)

Fill & Drain Flow valve

(FDV1) (leakage)

Pyro Valve

(PVNO1)

Pyro Valve

(PVNC1)

½ active

Pyro Valve

(PVNC2)

Filter

(a)

(b)

Pressure Regulator

½ active

Pressure Regulator

Pressure Regulator

½ active

Pressure Regulator

Pressure Transducer

(PT2) (leakage)

Non Return Valve (1)

½ active

Non Return Valve (2)

Non Return Valve (3)

½ active

Non Return Valve (4)

Pyro Valve

(PVNC3)

½ active

Pyro Valve

(PVNC5)

Pyro Valve

(PVNC4)

½ active

Pyro Valve

(PVNC6)

Filter

(F1)

Fill & Vent Valve

(FVV9) (leakage)

½ active

Fill & Vent Valve

(FVV8) (leakage)

Latch Control Valve

(LV1)

½ passive

Latch Control Valve

(LV2)

NTO1 tank Fill & Drain Flow valve

(FDV11)

Pyro Valve

(PVNC7)

½ active

Pyro Valve

(PVNC9)

Pressure Transducer

(PT3) (leakage)

MMH2 tank Fill & Drain Flow valve

(FDV10)

Pyro Valve

(PVNC8)

½ active

Pyro Valve

(PVNC10)

Filter

(F2)

Pressure Transducer

(PT4) (leakage)

Pyro Valve (PVNC11)

(Main Engine)

½ active

Pyro Valve (PVNC13)

(Main Engine)

Pyro Valve (PVNC12)

(Main Engine)

½ active

Pyro Valve (PVNC14)

(Main Engine)

Pyro Valve (PVNO3)

(Main Engine)

Flow Orifice

(Main Engine)

Filter

(Main Engine)

Flow Control Valve

(Main Engine)

Pyro Valve (PVNO2)

(Main Engine)

Flow Orifice

(Main Engine)

Latch Control Valve

(Thrust. 1A / Fuel)

½ active

Latch Control Valve

(Thrust. 1B / Fuel)

Latch Control Valve

(Thrust. 3A / Oxydiser)

½ active

Latch Control Valve

(Thrust. 3A / Oxydiser)

Latch Control Valve

(Thrust. 4A / Fuel)

½ active

Latch Control Valve

(Thrust. 4B / Fuel)

Flow Control Valve

(Thrust. 1A / Fuel)

Flow Control Valve

(Thrust. 1B / Fuel)

Flow Control Valve

(Thrust. 3A / Oxydiser)

Flow Control Valve

(Thrust. 3A / Oxydiser)

Flow Control Valve

(Thrust. 4A / Fuel)

Flow Control Valve

(Thrust. 4B / Fuel)

Filter

(Main Engine)

Flow Control Valve

(Main Engine)

Latch Control Valve

(Thrust. 2A / Oxydiser)

½ active

Latch Control Valve

(Thrust. 2B / Oxydiser)

Latch Control Valve

(Thrust. 3A / Fuel)

½ active

Latch Control Valve

(Thrust. 3B / Fuel)

Flow Control Valve

(Thrust. 2A / Oxydiser)

Flow Control Valve

(Thrust. 2B / Oxydiser)

Flow Control Valve

(Thrust. 3A / Fuel)

Flow Control Valve

(Thrust. 3B / Fuel)

Latch Control Valve

(Thrust. 1A / Oxydiser)

½ active

Latch Control Valve

(Thrust. 1B / Oxydiser)

Flow Control Valve

(Thrust. 1A / Oxydiser)

Flow Control Valve

(Thrust. 1B / Oxydiser)

Latch Control Valve

(Thrust. 2A / Fuel)

½ active

Latch Control Valve

(Thrust. 2B / Fuel)

Latch Control Valve

(Thrust. 4A / Oxydiser)

½ active

Latch Control Valve

(Thrust. 4B / Oxydiser)

Flow Control Valve

(Thrust. 2A / Fuel)

Flow Control Valve

(Thrust. 2B / Fuel)

Flow Control Valve

(Thrust. 4A / Oxydiser)

Flow Control Valve

(Thrust. 4B / Oxydiser)

(a)

(b)

Figure 12.3-3: Venus Express propulsion reliability block diagram

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.9

PCU

BCDR1

PCU

BCDR2

PCU

BCDR3

2/3 active

Battery 1

Battery 2

Battery 3

2/3 active (*)

Solar Array

Deployment+Wing

Solar Array

Deployment+Wing

PCU - APR1

APC1 + MPPT

PCU - APR1

APC2 + MPPT

PCU - APR1

APC3 + MPPT

2/3 active

PCU - APR2

APC1 + MPPT

PCU - APR2

APC2 + MPPT

PCU - APR2

APC3 + MPPT

2/3 active

PCU - MEA

EA1

PCU - MEA

EA2

PCU - MEA

EA3

2/3 active

PCU

Control 1

½ active

PCU

Control 2

PCU

Aux. Supply 1

PCU

Aux. Supply 2

PDU

Aux Supply 1

½ active

PDU

Aux Supply 2

PDU

Control 1

PDU

Control 2

PDU

Pyro

½ active

PDU

Pyro

PDU LCL

PDU LCL

SADE

½ passive

SADE

SADM SADM

(*) : The 3 batteries are used in hot redundancy, however the batteries have been sized such that the power requirements will be met for two batteries surviving from the three. So, the battery reliability model is simplified to a 2/3 active redundancy model.

Figure 12.3-4: Venus Express Power Supply Subsystem Reliability Block Diagram

Issue : 2 Rev. : 0

Date : 06/02/2004

Page : 12.10

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.1

13. SPACECRAFT BUDGETS

13.1 MASS AND PROPELLANT BUDGETS

Table 13.1/1 constitutes a synthesis of mass budget for all sub-assemblies.

It was verified that all components of the spacecraft have been considered in this mass budget, which is therefore exhaustive.

It was possible to reduce contingencies on the basis of the latest assessments of all units. In particular, the structure mass was measured. However, 16 kg of contingency is still considered in the dry mass.

It shall be noticed that the total mass of payloads exceeds the specification (88kg). Additional contingencies have been considered in order to cope with future evolutions.

Balancing mass is needed to keep the centre of gravity within the acceptable range w.r.t. Launch

Vehicle requirement and Main Engine Boost. Maximum balancing mass (19 kg) is considered in this mass budget. The most probable figure is however closer to 12 kg.

It was considered that only half of apocentre lowering manoeuvre can be performed with the Main

Engine, which is a worst case assumption derived from the CPS functional constraints. This results in a small increase of the propellant budget.

Finally, 2% system margin was added as required.

Maximum launch mass exceeds by 3 kg the launcher capability at the very end of the launch window

(1270 kg on November 25 th

). However, structure qualification is still guaranteed with adequate margins.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.2

MASS BUDGET

Bus

Mars Express

Structure 135,9

Thermal 33,6

Harness 69,3

Solar array 45,9

Propulsion 60,1

Power 51,9

Communications 37,9

Avionics 40,9

Best estimate

Venus Express

Current mass Contingency

135,38 135,77 0,3%

57 64,65 13,4%

64,63 67,28 4,1%

41,52 43 3,6%

60,58 61,49 1,5%

51,89 52,33 0,8%

39,06 40,50 3,7%

41,16 41,57 1,0%

Total bus (kg)

Payloads

AOCS 41,9

517,4

ASPERA

MAG

PFS

SPICAV

VERA

Total payloads (kg)

Balancing mass (kg)

Total dry mass (kg)

VIRTIS

VMC

123,3

640,7

41,75 42,23 1,2%

533 548,8

3%

9,80 10,1 2,7%

2,2 2,4 10%

30,80 31,7 3,0%

14,60 16,2 10,7%

1,50 1,6 3,0%

33,40 34,5 3,4%

1,8 2,0 10,0%

4,6% 94,2 98,5

1% 19,4

646,6

19,6

666,9

3,2%

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.3

MASS BUDGET (cont’d)

Delta-V

Mars Express

Cruise 61

Capture 795

Best estimate

Venus Express

Current mass Contingency

70 70

1310 1310

Apocentre lowering Main Engine 641

Apocentre lowering RCT

Station keeping

Total Delta V (m/s)

Propellant budget

10

1507

Cruise 25,4

Capture 242,8

Apocentre lowering Main Engine 154,9

Apocentre lowering RCT

Station keeping 2,4

AOCS budget

Propellant residual

17,6

7,4

Additional fueling

25,4

Total propellant budget (kg) 476

LVA (kg)

Beagle (kg)

Launch mass budget (kg)

System margin (%)

Launch mass budget with margin (kg)

36,1

69,6

1222,4

0,0

1222,4

142 142

146 146

40

1708

29,3 30,3

395,5 408,1

33,7 34,8

36,7 37,9

9,7 10

14,3

6,6

525,8

38,3

1210,7

2,0

1234,9

40

1708

14,4

7,3

542,7

38,3

1247,9

2,0

1272,8

0,0%

Propellant budget with margin

(kg) 476 536,4 553,5

Table 13.1/1: Spacecraft Mass and Propellant budget

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.4

Power budgets are presented for all mission phases:

- Launch & Early Operation Phase,

- Near Earth Commissioning and Interplanetary Cruise Phases,

- Venus Orbit Insertion Phase,

- Payload Commissioning, Routine Operation and Extended Operation Phases.

Units power consumptions are based either on Mars Express FM measurements for platform units and on conservative assumptions for payloads.

Heating power budget is based on CDR thermal analyses.

They demonstrate adequacy of Solar Array sizing with comfortable margins:

- Battery charging after Launch Phase can be performed at maximum charge rate,

- Large allocation can be offered to Payloads in Near Earth Commissioning Phase,

- Solar Array will be very tolerant to pointing error (up to 45° approximately) once in orbit around Venus.

Robustness to BDR or battery failure is demonstrated in all modes and phases. Moreover, peak power consumption remains lower than maximum capability of 2 BDR (extended to 600W for

Venus Express) in most modes, except science observation.

Peak power consumption remains lower than PDU maximum capability (extended to 750W for

Venus Express) in all modes.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.5

System

DMS total (W)

COM's total (W)

AOCS total (W)

CPS total (W)

Thermal total (W)

Instruments total (W)

Power total (W)

Spacecraft total average consumption (W)

Spacecraft total peak consumption (W)

LEOP Phase

Normal modes

Launch

Initial Sun

Acquisition

Standby

Sun

Acquisition

Earth

Acquisition

52,6 52,6 52,6 52,6 52,6

0,0

25,0

110

30,4

0,0

0,0

0,0

0,0

25,0

329

54,0

65,9

16,0

110,0

0,0

25,0

309

54,0

65,9

1,7

104,7

0,0

25,0

353

54,0

91,9

16,0

107,2

0,0

25,0

430

54,0

115,5

16,0

158,9

124 358 315 469 506

Table 13.2/1 : LEOP power budgets

Rest

52,6

30,4

88,3

1,7

211,2

0,0

25,0

417

481

0,0

25,0

432

495

Earth

Comm's

Backup modes

Sun

Acquisition

Earth

Acquisition

52,6 52,6 52,6

54,0

88,3

1,7

202,6

54,0

91,9

16,0

201,2

54,0

115,5

16,0

181,0

0,0

25,0

449

539

0,0

25,0

452

534

System

DMS total (W)

COM's total (W)

AOCS total (W)

CPS total (W)

Thermal total (W)

Instruments total (W)

Power total (W)

Spacecraft total average consumption (W)

Spacecraft total peak consumption (W)

Near-Earth Commissionning & Cruise Phases

Normal modes

Rest

Earth

Comm's

Slew

Manœuvre

Orbit

Control

52,6 52,6 52,6 52,6

30,4

88,3

158,3

88,3

30,4

88,3

30,4

88,3

1,7

211,2

0,0

1,7

179,3

0,0

1,7

211,2

0,0

16,0

211,2

0,0

25,0

417

481

25,0

515

588

25,0

417

558

25,0

432

577

Backup modes

Sun

Acquisition

Earth

Acquisition

52,6 52,6

30,4

72,5

158,4

115,5

16,0

249,3

0,0

16,0

162,7

0,0

25,0

454

549

25,0

540

600

Table 13.2/2 : Near Earth Commissioning and Cruise Phases power budgets

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.6

System

DMS total (W)

COM's total (W)

AOCS total (W)

CPS total (W)

Thermal total (W)

Instruments total (W)

Power total (W)

S/C total average cons. pow. (W)

S/C total peak con. pow (W)

VOI Phase

Normal modes

Rest

Earth

Comm's

Pre-Capture

Slew

Manœuvre

Main Engine

Boost

Sun

Acquisition

Earth

Acquisition

Backup modes

Sun

Acquisition

Earth

Acquisition

Back-Up

Boost

Aerobraking

52,6 52,6 52,6 52,6 52,6 52,6 52,6 52,6 52,6 52,6 52,6

30,4

88,3

158,4

88,3

182,0

123,3

54,0

123,3

54,0

65,9

54,0

91,9

54,0

115,5

30,4

72,5

158,4

115,5

54,0

65,9

54,0

115,5

1,7

161,9

0,0

25,0

367

464

1,7

179,3

0,0

25,0

515

588

1,7

103,6

0,0

25,0

497

592

1,7

136,4

0,0

25,0

400

521

88,6

90,5

0,0

25,0

384

460

16,0

104,6

0,0

25,0

350

368

16,0

93,4

0,0

25,0

363

384

16,0

113,8

0,0

25,0

316

376

16,0

113,8

0,0

25,0

490

550

30,3

113,8

0,0

25,0

348

402

16,0

113,8

0,0

25,0

384

433

System

DMS total (W)

COM's total (W)

AOCS total (W)

CPS total (W)

Thermal total (W)

Instruments total (W)

Power total (W)

S/C total average cons. pow. (W)

S/C total peak con. pow. (W)

30,4

88,3

1,7

140,0

36,4

25,0

381

483

Table 13.2/3 : Venus Orbit Insertion Phase power budgets

Payload Commissioning, Routine & Extended Ops Phases

Normal modes

Rest

Earth

Comm's

Slew

Manœuvre

Orbit

Control

Inertial

Observation

Non Inertial

Observation

52,6 52,6 52,6 52,6 52,6 52,6

Radio

Science

Backup modes

Sun

Acquisition

Earth

Acquisition

Back-Up

Boost

Aerobraking

52,6 52,6 52,6 52,6 52,6

158,4

88,3

1,7

122,0

36,4

25,0

494

30,4

88,3

1,7

138,0

50,0

25,0

393

30,4

88,3

16,0

140,0

36,4

25,0

396

30,4

88,3

1,7

151,6

159,6

25,0

519

30,4

88,3

1,7

151,6

157,1

25,0

516

182,0

88,3

1,7

151,6

154,1

25,0

668

553 519 518 582 579 808 363

Table 13.2/4 : Venus In-orbit Phase power budgets

30,4

72,5

16,0

100,4

0,0

25,0

302

158,4

115,5

16,0

100,4

0,0

25,0

477

538

54,0

65,9

30,3

100,4

0,0

25,0

334

389

54,0

115,5

16,0

100,4

0,0

25,0

370

421

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.7

S-Band

Uplink

LGA

15.6 bps

HGA1

2000 bps

HGA1

2000 bps

Kourou 15m

New Norcia 35m

Cebreros 35m

DSN 34m (BWG)

DSN 70m

0.013 AU

0.15 AU no RG

0.039 AU

1.06 AU no RG

N/A

N/A

0.11 AU

1.72 AU no RG

0.39 AU

0.41 AU no RG

1.35 AU

1.72 AU no RG

N/A

N/A

1.72 AU

0.43 AU

1.2 AU

@

X-Band

250 bps

1.72 AU

1.72 AU

1.72 AU

N/A

HGA2

2000 bps

0.13 AU

0.36 AU

@

250 bps

0.68 AU

0.78 AU no RG

0.78 AU

0.78 AU

N/A

S-Band

LGA

Downlink

HGA1 HGA1

9.2 bps 74.4 bps

Kourou 15m

0.013 AU

0.013 AU no RG

0.39 AU

0.45 AU no RG

19044 bps

0.43 AU

0.64 AU no RG

X-Band

HGA2

19044 bps

0.13 AU

0.18 AU no RG

New Norcia 35m

0.039 AU

0.039 AU no RG

1.35 AU

1.36 AU no RG

Cebreros 35m

DSN 34m (BWG)

N/A

N/A

N/A

N/A

38091 bps

1.72 AU

45710 bps

1.72 AU

38091 bps

1.72 AU

19044 bps

0.68 AU

19044 bps

0.78 AU

19044 bps

0.69 AU

DSN 70m

0.11 AU

0.11 AU no RG

1.72 AU N/A N/A

Note that when not expressly mentioned the link budgets have been checked with ranging mode.

Table 13.3/1: Venus Express Link Budgets

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.8

The table 13.4/1 provides the PDU power lines allocation:

PDU

Platform Heaters Payloads

Payloads

Heaters

Spares

LCL A

LCL B

LCL C

LCL D

LCL E

LCL F

LCL G

FCL

11 2 4 5 0 0

Total 84 32 32 17 3 0

Table 13.4/1:PDU Power Lines Budget

No spare line is available.

The table 13.4/2 provides the pyro lines allocation:

Nominal

Redundant

Total

PDU

Solar

Array

CPS

MAG boom

Spares

32 8 17 1 6

32 8 17 1 6

64 16 34 2 12

Table 13.4/2: Pyro Lines Budget

The detail of lines allocation is provided in document “ Acquisition and command allocation list”.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.9

The pointing performances for Venus Express are computed from Venus Express simulation results.

They are also detailed in the Venus Express AOCS Budgets Technical Note (Ref VEX-T-ASTR-

TCN-1120).

Several error sources which are not properly represented in the simulations are added to the simulation results :

The STR spatial noise,

The STR misalignment.

The worst case occultation effect on the drift of the attitude,

The impact of ASPERA scan mechanism,

The guidance algorithm error.

The occultation effect takes into account the duration of occultations during Venus Express mission.

The guidance algorithm error has been updated with respect to Mars Express figures taking into account the new algorithms proposed for Venus Express, and the error analysis performed for the

Venus mission. Note that the ground guidance error is not considered.

A provision for Star Tracker degradation due to radiations effect has been included in the budgets.

The pointing performances of the antenna during Earth pointing phase are computed in Normal

Mode, and are also valid for the SHM/EPP (wheel control) after convergence, if the gyros configuration has not been changed (the budget assumes calibrated drifts).

The impact of the Aspera scan mechanism is much smaller on Venus Express than on Mars Express, due to the absence of Marsis /Vensis antenna.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.10

Error source

VEX simulation results

STR degradation (radiations)

STR spatial noise

STR-Payload alignment

TOTAL

X axis

0.0114

0.0014

0.0075

Y axis

0.0027

0.0014

0.0017

Z axis

0.0039

0.0014

0.0075

0.0337 0.0337 0.0337

0.0367 0.0342 0.0351

Table 13.5/1: Attitude Estimation Error budget during Nadir observation (deg, 3

σ

).

Error source

Attitude Pointing (VEx simulation results)

STR degradation (radiations)

STR spatial noise

STR-Payload alignment

Aspera scan mechanism

X axis

0.0252

0.0014

0.0075

0.0337

0.0001

Y axis

0.0205

0.0014

0.0017

0.0337

0.0001

Z axis

0.0282

0.0014

0.0075

0.0337

0.0001

TOTAL

Requirement

0.043 0.040 0.045

0.0612 0.0612 0.0612

Table 13.5/2 : Pointing Error budget during Nadir observation (deg, 3

σ

).

Error source

Attitude estimation (VEx simulation results)

Attitude control (Vex simulations results)

STR degradation (radiations)

STR spatial noise

STR HGA alignment

No occultation

0.018

0.031

0.002

0.007

0.077

Occultation in GSEP

0.018

0.031

0.002

0.007

0.077

TOTAL

0.101 0.168

Table 13.5/3 : Pointing Error budget during Earth pointing phases (deg, 3

σ

).

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.11

The best estimates for Venus Express software budgets are the figures measured on Mars Express, until Venus Express measurements are available.

They are reported in table 13.6/1.

Resource

CDMS Shared Resources

SGM EEPROM

SGM RAM

PROM Cassette

DMS SW

Physical Memory

PM RAM

CPU

Venus OBServation

Earth VISIbility - No STR invest.

Earth VISIbility - STR diagnosis

AOCS SW

Physical Memory

PM RAM

CPU

1 Hz cycle worse case

8Hz cycle worse case

Unit

ms ms ms kW

Kw

Kw

Kw kW ms ms

Capacity

512

1000

1000

1000

64

64

512

512

1000

1000

Used

12.5

23.4

310.7

318.8

174.0

%

19.6 %

36.6 %

60.7 %

62.3 %

34.0 %

Table 13.6/1: Venus Express Software Budgets

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.12

The reliability budget of each Venus Express module (payload instruments excluded, but including spacecraft resources & interfaces provided to instruments) is summarized in table 13.7/1 for the two missions “Nominal” and “Extended”.

Module Nominal mission

(699 days)

Extended mission

(1185 days)

COMS 0.986 0.967

DMS / AOCS 0.919 0.812

POWER 0.992 0.981

PROPULSION 0.9955 0.9955

Total 0.896 0.767

Table 13.7/1: Venus Express Reliability Budgets

These reliability budgets have been derived from Mars Express, taking into account following updates:

- Implementation of second High Gain Antenna,

- Venus Express mission phases duration,

- Update of reliability calculation for Propulsion Module.

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

13.13

Issue : 2 Rev. : 0

Date : 06/02/2004

Page :

A

DISTRIBUTION LIST

Overall document

Action Information

Summary

ESTEC

Mac Coy D.

ESOC

EADS ASTRIUM

Documentation

Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement