- The Orion spacecraft uses eight processors that run identical instructions simultaneously
- A fail-safe design prevents faulty computers from sending incorrect commands
- Triple redundant memory automatically corrects single-bit errors on access
The NASA Artemis II mission relies on a computer system built to remain operational under extreme conditions and hardware failures.
Unlike the Apollo program, where on-board computers handled limited functions, the Orion spacecraft controls life support, navigation and communications through integrated flight software.
The Orion capsule carries one of the most fault-tolerant computer systems ever built for spaceflight and operates 250,000 miles from Earth, where no repairs are possible.
From Apollo’s limits to Orion’s full system control
Apollo astronauts relied on a 1MHz computer with only 4 kilobytes of memory, but today’s spacecraft need much more, given the distance.
The Orion spacecraft uses two vehicle control computers, each containing two flight control modules.
Each module consists of a pair of processors that continuously check each other’s output, resulting in 8 processors executing the same instructions simultaneously.
If a processor produces an incorrect result, the paired design detects the discrepancy immediately and prevents the output from being used.
“We’re still building to cover hardware failures,” said Nate Uitenbroek, Software Integration and Verification Lead in NASA’s Orion Program.
“Along with physically redundant wiring, we have logically redundant network aircraft. We have redundant aircraft computers.”
Instead of relying on majority voting, the system selects output from available modules based on a defined priority order.
The system is designed to tolerate rapid in-flight failures. Uitenbroek stated, “We can lose three FCMs in 22 seconds and still drive through safely on the last FCM… A faulty computer will fail silently instead of sending the wrong response.”
Failed modules are reset and resynchronized so they can rejoin the system during the mission.
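The self-checking pairs and priority-order selection described above, sketched as an added example (not NASA's flight software and not code from the article). The module names, the `control_law` stand-in and the injected bit-flip fault are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Lane = Callable[[int], int]  # one processor: input value -> command value

def control_law(x: int) -> int:
    """Constructed stand-in for the computation every processor runs."""
    return 2 * x + 1

def stuck_bit(x: int) -> int:
    """Constructed fault: a processor whose result has bit 3 flipped."""
    return control_law(x) ^ 0x08

@dataclass
class FlightControlModule:
    name: str
    lane_a: Lane = control_law
    lane_b: Lane = control_law
    online: bool = True

    def step(self, x: int) -> Optional[int]:
        """Run both lanes; publish only if they agree, otherwise fail silent."""
        if not self.online:
            return None
        a, b = self.lane_a(x), self.lane_b(x)
        if a != b:
            self.online = False  # no output at all until the module is reset
            return None
        # Limitation: two lanes that are wrong in the same way still agree.
        return a

    def reset(self) -> None:
        """Reset and resynchronize so the module can rejoin."""
        self.lane_a = self.lane_b = control_law
        self.online = True

def select_command(fcms: List[FlightControlModule], x: int) -> Optional[Tuple[str, int]]:
    """Priority order, not voting: the first module in the list that publishes wins."""
    chosen = None
    for fcm in fcms:  # step every module so each pair is checked on every frame
        out = fcm.step(x)
        if out is not None and chosen is None:
            chosen = (fcm.name, out)
    return chosen
```

Because a faulty pair publishes nothing rather than a wrong value, one healthy module is enough to produce a command, which a majority vote over four modules could not guarantee after three failures.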
Orion uses a time-triggered Ethernet network that distributes a shared time reference throughout the system – so if a module misses its execution deadline, it is automatically isolated, reset and re-synchronized before returning to service.
The computer system includes triple redundant memory capable of correcting single bit errors during each read operation.
Network interfaces use dual communication paths that are continuously compared to detect inconsistencies while the overall network is replicated across three independent planes.
Orion carries a separate Backup Flight Software system that operates on different hardware and software and runs continuously in the background.
“It is intentionally different to ensure that a common mode software error in the primary flight software is not also misimplemented on the backup,” Uitenbroek said.
The spacecraft also includes procedures for full power loss scenarios that allow systems to restart, stabilize and re-establish communications once power is restored.
The system is overengineered by any commercial standard, but deep space offers no second chances.
Whether all 8 processors will perform as designed under real radiation conditions remains untested and the backup software has never been exposed to an actual emergency.
Still, for a mission where the nearest hardware store is 250,000 miles away, this architecture makes a brutal kind of sense.
Via Communications of the ACM