Self-Aid in Space

By Maj. Barbara Braun, Air Force Safety Center
Note: Long before the Air Force Safety Center stood up at Kirtland Air Force Base, N.M., on Jan. 1, 1996, Airmen were sharing their lessons learned in a variety of safety publications, such as Aerospace Safety, Aerospace Maintenance Safety and Air Force Driver, among others. During a year-long commemoration of the safety center's 20th anniversary, the Public Affairs Office will highlight previously published articles and reprise historic Rex Riley cartoons to emphasize that long-standing safety practices and lessons learned remain relevant to the mishap prevention program of today's Air Force.

Let's talk about self-aid and buddy care for a minute. Imagine you're wounded in combat. What do you do? We've all had the class, and we understand the basic principles. Get out of danger. Stop the bleeding. Conserve strength. You aren't going to perform surgery on yourself. Your goal is to keep yourself alive long enough to get to the doctors and get fixed.

Now let's think about space. Our satellites aren't generally dodging bullets on a daily basis (though that may change as space debris increases). Nevertheless, a satellite's systems can fail internally, causing problems that endanger the satellite's survival. What can a satellite do to help itself?

The answer depends a lot on your vehicle's safe modes. Satellite safe modes can be thought of as self-aid and buddy care on the celestial level. A satellite, detecting that something has gone wrong, takes a series of steps to keep itself alive long enough for the people on the ground to figure out what's really wrong and fix it. A classic example of a safe-mode entry might occur when a satellite encounters a problem with its attitude control subsystem. Perhaps it's a software glitch, or one of the hardware devices (such as a momentum wheel) is failing. Without any safe-mode intervention, the satellite would eventually lose the ability to point its solar arrays at the sun. Battery power would drop. The satellite would start to "bleed out," and eventually, it might not have enough power to communicate with the ground. By the time the experts could respond, it would already be too late.

Now let's assume that the satellite has a well-functioning safe mode. The first step might occur when the satellite recognizes that its attitude is drifting out of some pre-determined limits. The satellite might automatically switch to a simpler attitude control mode, one that uses a simpler set of software rules, or less hardware, and gives up some performance in exchange for a more robust, predictable sun-pointing mode. Next, the satellite might start to turn off some of its less critical components, giving up functionality to preserve battery power. In the ultimate extremity, the satellite will turn off everything that isn't essential to preserve itself -- like applying a tourniquet to stop the bleeding.

All satellites have some form of safe mode, but not all are effective. What makes satellites' safe modes effective? There are many schools of thought on this, but we can summarize most of them by thinking in terms of a few basic principles.

Keep things simple

When a satellite is in trouble, it shouldn't be trying to do anything complicated. The idea is to simplify operations as much as possible. That means a three-axis-stabilized satellite might drop into a simpler, more robust attitude control mode designed to point the solar arrays at the sun. It means that any complicated schedule of tasks onboard the vehicle should be dropped in favor of a very simple set of instructions -- or no instructions at all. In some cases, the vehicle might turn off its computer entirely since the software is sometimes the most complicated and error-prone part of the system.

Conserve your strength

The next goal of a satellite in trouble should be to conserve power. The longer the vehicle can stay powered, the more time the ground team has to restore it to health. Every satellite should have a well-thought-out, orderly process for shedding loads on the power system. Start with the least critical: the payloads, secondary transmitters, heaters (other than those needed for survival) and other noncritical resources. Eventually, difficult decisions may need to be made. Similar to sacrificing a limb to save a life, the vehicle might have to endanger a payload to preserve its essential functions.

Keep listening

The one subsystem that should never be turned off is the vehicle's command receivers. If the vehicle can't hear the ground, the ground can't fix it. Simple enough. The whole idea behind the first two steps is to preserve enough power to keep the command receivers online.

Do nothing and await orders

Once the vehicle enters safe mode, it shouldn't turn things on or attempt to recover until it's told to do so by ground command. This can be a controversial provision. Many of today's satellites have sophisticated anomaly-recovery software and circuitry, and some have the capability to diagnose and fix minor problems autonomously. With such sophistication, however, comes a great deal of risk. No autonomous recovery software can anticipate every contingency and, just like all software, autonomous recovery software can contain bugs. In general, if the vehicle has gotten to the point of shedding loads to conserve power, all autonomous software recovery should be abandoned. The satellite shouldn't turn things back on until the ground has fixed the problem, restored a positive power balance and commanded the vehicle to do so.

Bypass the brain

Here's a surprising fact about robust satellite safe modes: One of the least critical -- and least desirable -- systems to keep running during an anomaly is the onboard computer. In fact, given the complexity of today's software, the onboard computer might actually be the source of the problem. But in order to function without the onboard computer, the satellite must be able to preserve itself at a basic level without its brain. If you lose consciousness, your body will continue to try to maintain itself -- you'll breathe, and your heart will beat, without your conscious direction. Similarly, the satellite must be able to preserve its basic functions without the software running. This means having a set of "hardware" commands that go directly from the command receiver to the hardware in question without needing to be processed by the onboard computer. It means that, if possible, the vehicle should be able to collect and transmit basic state-of-health telemetry without relying on the software. And it means -- and this is important -- that your safe mode processes must be capable of executing without the software running. All the load-shedding, all the basic attitude maintenance and all the other life-preserving activities of a satellite's safe mode should be able to run at the hardware level -- without the satellite's brain.
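The principles above (simplify, shed loads least-critical first, never shed the command receiver, and re-enable nothing until the ground commands it) as a small decision-logic sketch. This is an added example, not code from the article or from any flight program; the load names, wattages and the 5-degree attitude limit are constructed, and on a real vehicle the article argues this sequencing should live in hardware rather than on the main computer.

```python
"""Safe-mode load-shedding sketch (constructed example, not flight software)."""
from dataclasses import dataclass, field


@dataclass
class Load:
    name: str
    watts: float
    priority: int  # lower is shed first; 0 = never shed (the command receiver)
    on: bool = True


@dataclass
class SafeModeController:
    loads: list
    attitude_limit_deg: float = 5.0        # assumed drift limit for safe-mode entry
    mode: str = "NOMINAL"                  # NOMINAL or SAFE
    schedule: list = field(default_factory=list)  # onboard task schedule

    def consumption(self):
        return sum(l.watts for l in self.loads if l.on)

    def step(self, solar_watts, attitude_error_deg):
        """One control cycle. Returns the names of loads shed this cycle."""
        shed = []
        if self.mode == "NOMINAL" and (
            attitude_error_deg > self.attitude_limit_deg
            or solar_watts < self.consumption()
        ):
            self.mode = "SAFE"     # drop to the simple sun-pointing mode
            self.schedule = []     # abandon the complicated task schedule
        if self.mode == "SAFE":
            # Shed least-critical loads first until the power balance is positive.
            # Nothing is ever turned back on here: that waits for ground command.
            for load in sorted(self.loads, key=lambda l: l.priority):
                if solar_watts >= self.consumption():
                    break
                if load.on and load.priority > 0:   # priority 0 = keep listening
                    load.on = False
                    shed.append(load.name)
        return shed

    def ground_recover(self, names):
        """Only a ground command restores loads and leaves safe mode."""
        for l in self.loads:
            if l.name in names:
                l.on = True
        self.mode = "NOMINAL"
```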

We don't learn self-aid and buddy care on the battlefield. We take the class ahead of time so we know what to do when the time comes. Similarly, the time to think about robust safe modes for the satellite comes long before launch: during the design phase. With a little forethought, we can arm our space satellites with the ability to keep themselves alive until we have the time to come to their aid. (Reprinted from Wingman Magazine, Fall 2010)