Interstellar Maintenance – part 2
by Pat Galea
Introduction – Software maintenance
Following on from the recent blogs by Philipp Reiss and Robert Freeland II, I thought I would add a little of my own perspective and experience, as a deep space software engineer. Let’s remember: the only item of a spacecraft that is routinely subject to maintenance after launch is the on-board software. This can also be used to work around other system problems. For example, when the Voyager scan platform suffered a failure, the on-board software was reprogrammed to roll the whole spacecraft, to achieve an equivalent scan of the camera pointing direction. Similarly, following the failure of the upper stage of Hipparcos, the on-board software was substantially reconfigured, firstly for fault investigation and recovery attempts, and then subsequently for a revised mission approach. In the end this successfully recovered the mission from a completely different orbit.
Furthermore, many spacecraft have been characterised so completely when in space that progressive refinements of the software have provided ever greater operating capabilities. This approach to software updates has now become so sophisticated that some spacecraft are launched without anything other than their basic safety and cruise phase software loaded. This allows subsequent development and refinement of the mission software post launch. It is therefore highly likely that the bulk of the on-board software for Icarus, and for its scientific payloads, will be written post launch.
We must expect these to be extensively tested in a simulated environment on Earth – running many thousands of mission scenarios. Given the autonomy requirements, this testing will probably approach the training and simulation regime used in current ground segment operational work-ups. This means injecting multiple faults into the operational scenarios and checking that the operational approach recovers the mission.
Without human beings in the loop we must aim to use “fail operational” or fault tolerant systems, with fault protection algorithms, and possibly some Artificial Intelligence elements. However, the largest challenges for maintenance will not be software. I think it is worth looking at three categories of components that may need repair:
Integrated circuits have a history of less than a hundred years, so how can we be confident that we can build any circuits which will last for that long? The truth is that at the launch of Icarus it is unlikely that we will know for sure the true probability of the electronics functioning successfully. We currently have no models of long term electronic failure, in the ways we have characterised materials, stress factors and metal fatigue. It may be that crystallisation, or doping migration, or some other mechanism, limits the life of the electronics we produce – leading to a similar “bathtub” curve to that seen in mechanical systems. At present we know neither the shape of the failure curve after 50 years, nor the time to reach the “tipping point”. However, there are techniques, such as accelerated ageing, which can help us predict. Research in this area will be key to the Icarus design.
This general problem suggests that “conservative” designs should be used. As with military devices, the actual hardware will be at least a generation behind the latest consumer electronics – as that time is needed to characterise devices, and build to a robust specification. It is for this reason that I doubt that either quantum computers or nanotechnology will be making a significant contribution to the Icarus electronics.
In selecting devices and producing designs there are a number of key items to remember. Firstly, operating (powered) electronics are subject to many stresses and strains that items switched off do not experience. The lifetime of electronics is measured mainly in terms of the “operating lifetime”. Secondly, there are technologies which are inherently more suited to the space environment – devices such as core memory, silicon on sapphire chips, and larger dimensioned devices are all less susceptible to radiation effects. Thirdly, storage conditions are also relevant.
I personally have seen the lifetime of equipment dramatically reduced by high temperatures, or possibly temperature fluctuations during storage. This happened when a set of workstations and servers were left unprotected in their boxes in the desert – the building to house them was not finished when they were delivered. The most shocking aspect of this was not that some of the units failed, it was that they ALL failed, within two months of each other, after a year of service.
Icarus must therefore be built with these factors considered. Each piece of equipment must operate for a period that does not exceed its realistic lifetime, so spares, or additional systems, are required. Furthermore, the non-operating equipment should be kept in a controlled environment – certainly for temperature and atmosphere – ideally for radiation and vibration as well, though that may not be possible for this mission.
The biggest challenges in spacecraft design are the things that move. This is such a challenge that large amounts of effort go into eliminating moving parts. Most spacecraft parts move only once – at deployment. Of parts that move “in the space environment” (scan platforms, antenna and solar panel pointing, and rover parts), the current best lifetimes vary from a year (for the rovers) to maybe fifteen years (for reaction wheels and gyroscopes). Lubrication is a difficulty if you are surrounded by vacuum, and exposed to deep space temperatures of only a few degrees. Mechanical stresses are a problem if thermal cycling occurs, for example orbiting into light and shade, or getting thermal radiation from an engine when operating.
For Icarus to work some mechanical devices are unavoidable. Certainly the payloads will be radically limited if reaction wheel assemblies cannot be produced that can lie dormant for c. 60 years, and then work reliably for 10-20 years. Some of the approaches for mechanical devices also apply here. The biggest challenge, however, may be deploying the payload after 60 years. Will explosive bolts or knife cutters or mechanical springs function after so long, or will all elements be “vacuum welded” into a single mass? Remember that devices must be firmly attached during the acceleration and deceleration phase.
In my own experience I know that the entry-descent-landing (EDL) systems of the Huygens probe were some of the most uncertain during analysis. Not even the experts knew how the gunpowder in the parachute mortar would behave after only seven years in space, and there was real concern that the fabric of the parachute might decompose under the radiation environment and thermal cycling. Separation from the Cassini orbiter relied on a mechanical spring and short screw thread to impart just the right velocity and spin. The spring was the most well understood component, as the human race has significant long term experience with clockwork systems. Even this, however, will be challenged by a 60+ year timeframe.
Energy relies on electronics, and often mechanics, for effective production and distribution, and here again the timescales and environment of interstellar exploration push the boundaries of technology and understanding. While the engines of Icarus will provide abundant energy during operation, the Icarus operation will require non-engine based primary power, energy storage, and fuel and energy systems for payload probes.
The current assumption is that primary energy during coast flight will be provided by fission reactors. In this respect I was heartened by recent descriptions of British nuclear submarine production. The current generation of attack submarines are built with reactors fuelled for a 25 year lifetime. It is conceivable therefore to extend this to 60+ years. However, our submarine reactors rely on convection – little use in zero gravity – so this exact reactor design will be inappropriate for zero-g. I must admit to concern that the control rods of any reactor will require functioning mechanical systems – unless a “self moderating, self adjusting” design can be found (perhaps where the fuel burns from one end of the reactor to the other, catalysed or moderated by neutrons from the main reaction locus). Perhaps surprisingly, nuclear fission appears an easier thing to expect to last for 100 years than either electronics or mechanical systems.
For energy on the payload probes the best solution would appear to be Radioisotope Thermoelectric Generators (RTGs), which use radioactive decay to generate heat, and thermocouples to convert that to electricity. This results in a stable, long term, but relatively low energy density power source. RTGs have powered the Voyager probes for over thirty years, and the energy output of the nuclear material is well understood and can be calculated. The usual plutonium fuel has a half life of about 90 years, meaning it will sink to half the output in this time.
However, the thermoelectric elements also degrade, and their performance after 50 years is an unknown. One advantage of RTGs is that the heat they produce – which is 10 times their electrical output – can be used to keep spacecraft warm. In fact small pieces of plutonium can be distributed in the interior of spacecraft to provide an evenly distributed heat source, without relying on electrical energy at all. This can dramatically reduce the electrical power requirements for deep space craft needing to keep warm. It is interesting to note that the suggested alternative fuel for RTGs (Americium) has a half life of about 450 years, but a quarter the energy density – this translates to a better energy output only after about 220 years.
Primary energy can also be provided by solar panels. Within the solar system, existing scientific satellites for planetary exploration basically fall into the two categories of “inner solar system craft”, which use solar panels – usually out to Mars – and “outer solar system craft”, which use RTGs. Solar panels can provide substantial power levels for a modest weight. However, solar panels are fragile, subject to many mechanical failure modes, rely on sun pointing, and degrade over time. In Earth orbit this degradation is 25% over a 15 year GEO satellite lifetime. In addition, solar panels tend to be optimised both for the wavelengths of light available, and for the level of radiation expected. It may be that there are simply too many constraints to make a reliance on solar panels for any Icarus elements at all desirable.
In addition to primary power sources, energy storage is highly desirable. Energy storage allows low powered primary sources to be accumulated for short bursts of high power operation – for example long distance or high bandwidth data transmissions, multiple simultaneous instrument operations during close approach or flybys, or specific experiment operating modes (e.g. high temperature heating).
At present modern battery designs have less history than electronics, so their long term properties are unknown; however, it seems that some technologies, such as lithium-ion batteries, can be stored indefinitely if discharged and cooled.
Finally there is the issue of fuel. Volatile chemicals may well decompose over time, and cryogenic fuels may well “boil off”. Less energetic, but more stable, fuels may be preferred. For this reason ion engines, rather than chemical thrusters, may be better for the Icarus payload probes. The low thrust may not be an issue given deep space deployment, and the stable monopropellant reaction mass may be easier to manage.
Strategies for maximizing reliability at target system
The long period of cruise means that at deployment of the payload solar system exploration probes the hardware will be of the order of 60+ years old. In many cases this will be a period of no operation, but a variety of degradations will likely have occurred. In seeking to minimise the impact of these we have seen that non-operation and controlled storage may be key to providing components with sufficient remaining operational life.
There is however one further technique which may be applicable – that of on-board fabrication. Construction close to usage time means that the devices concerned will be relatively “pristine”. Simple elements may be relatively easy to create – fuel can be fabricated from less volatile or reactive precursors, for example by electrolysis of water. Batteries may be constructed fresh by mixing chemicals kept separate during the flight. RTGs may be refreshed/activated or even manufactured by using the output of the on-board fission reactor to irradiate precursor fuels (or even using waste products of the reactor itself). Probes can be constructed from modular components.
I feel, however, that the biggest leap will come with manufacturing technologies such as three-d printers. Such devices can in theory produce any new mechanical parts required, and given the right scaling and feedstock might also produce electrical items. The way they keep themselves working is also novel – they can make their own replacement parts, or even copies of themselves. I think this is a key strategy for long term missions; it should allow generic feedstock to be used in place of specific spare parts. The only problem I foresee is the many science fiction stories that have raised the fear of self-replicating machines…
References:
Multi-Mission Radioisotope Thermoelectric Generator (MMRTG) Program Overview, Ritz, F. and Peterson, C. E., from http://trs-new.jpl.nasa.gov/dspace/bitstream/2014/38246/1/04-0191.pdf
Solar Panel Degradation, from http://www.solarstorms.org/Svulnerability.html
Method for powering a spacecraft with extended-life battery operation, Stanley J. Krause, US patent number: 6027076, Issue date: 22 Feb 2000
Open source 3D printer copies itself, by Ulrika Hedquist, from http://computerworld.co.nz/news.nsf/tech/2F5C3C5D68A380EDCC257423006E71CD