This report was sent in by Charlotte Beskow late this afternoon, detailing activities around the power issue that affected ATV earlier this week.

Staying on the safe side

Another interesting day in the office. The main objective of the day was to run a simulation of the undocking sequence with one power chain failed, i.e. representative of the situation we have today.

ATV Control Centre. Credits: CNES

The simulation at ATV-CC in Toulouse started at 08:00 CET; after the usual difficulties with getting started (initialising the correct configuration, representative of the current vehicle status), activating consoles and environments in the backup control room (completely separate from the nominal one), the simulation proceeded smoothly. Both the Flight Control Team at and the Engineering Support Team (from the ATV Programme) came prepared. The situation had been analysed in depth, and everyone knew the sequence of events and the expected ‘alarms’.

ATV is a complex vessel

ATV is a complex vehicle. It is designed to be ‘one-fail tolerant’ (i.e. the first failure is transparent to routine operations) and ‘two-fail’ safe (i.e. the vehicle is still completely safe with respect to the ISS and to people on the ground) after two failures.

This means that there are two of everything, three of some things and four power chains. These subsystems and units are then interconnected so that a switch from one to the other becomes seamless; the functionality is recovered by what we call the ‘redundant unit’. Most of this is managed by software, which is designed to quickly tell us the configuration of any given subsystem at any given moment (nominal, failed, degraded, which unit is degraded etc.).

Thousands of parameters are collected and stored by the systems. A subset of these is downlinked and they allow ESA and CNES operators at ATV-CC to keep tabs on what is happening. Naturally it is impossible to look at thousands of parameters, so the system is designed to do that itself, and then trigger alarms (of different severity) to alert the operators when something is amiss.

Alarms are usually set on the safe side

Alarms are usually set on the safe side, i.e. better to alert the operator and let him or her assess the data, thus part of our work is to clearly distinguish between real, unexpected, alarms and ‘expected’ alarms due to a particular flight phase or configuration.

The atmosphere today was both attentive and relaxed (this is the best possible state). Things always happen, so keeping a cool head and a calm voice is essential. The more urgent the action and reaction, the more important not to be hasty, to take that extra split second to think. The devil is in the details, so one of the many objectives of today was to run the ‘off-nominal’ procedures, check that the various commands had the desired effect, see that the alarms that occurred were foreseen, checking for unforeseen alarms or behaviour, and – of course – ensuring that ATV could leave the ISS as planned.

On the Engineering Support Team (EST) side, we had instantaneous telephone support from the office in Les Mureaux [home to ATV industry efforts], which helped us assess what we saw on the screens.

It was a good simulation. Off-line analysis will be done over the weekend and early next week to ensure that all is ready for the undocking, planned on 14 February.

– Charlotte