Engineering model of Hera's onboard computer in redundant configuration. It runs on a powerful dual-core LEON-3 processor, part of a family of ESA-developed microprocessors for space, and its overall design is developed from the ADPMS (Advanced Data and Power Management System) computer flown on Proba-2, Proba-V and the forthcoming Proba-3 mini-satellites. This computer has demonstrated more than 15 years of in-orbit operations with very high reliability. Credit: QinetiQ Space

At the heart of ESA's Hera mission to the double Didymos asteroids will be an onboard computer intended to be failure-proof.

Designed to operate up to 490 million km away from Earth and to withstand four years of harsh radiation exposure, Hera's computer must run smoothly without locking up or crashing, on pain of mission failure, while pushing the limits of onboard autonomy.

Development of the Hera mission for planetary defense is taking place across Europe, to finalize a ready-to-build design to present to Europe's space ministers at the Space19+ Ministerial Council this November. Hera's onboard computer is being overseen by QinetiQ Space in Belgium, also the makers of the Proba family of technology-testing minisatellites.

Peter Holsters of QinetiQ Space explains: "A popular analogy is that if a satellite's platform is like a bus—with the science-generating payloads like passengers on its seats—then the onboard computer is the driver of the bus. It is the brain of the entire mission, coordinating and operating the various onboard systems and payloads."

Beyond Earth orbit

The challenge is that this particular onboard computer will be operating much further away than a typical mission in Earth orbit. In order to intercept the Didymos pair of near-Earth asteroids the desk-sized spacecraft will be venturing far into deep space, slightly beyond the orbit of Mars.

Hera mission. Credit: ESA/ScienceOffice.org

"Going so far away means operating in a different radiation environment for a start, which requires very careful component selection as well as specific software strategies," adds Peter.

Beyond the protection of Earth's magnetic field, space is riddled with charged particles from the wider cosmos, as well as solar storms from our own Sun. These particles are energetic enough to pass through surface shielding to 'flip' individual memory bits, potentially corrupting computer memory, or do permanent damage called 'latch-ups', equivalent to tiny short circuits.

"Our computers use flash memory—the same as in your own laptop or smartphone—but we perform rigorous radiation testing to ensure the batches we use meet the necessary performance standards," adds Peter.

"The next level of managing the problem is on the software side, with speedy error detection and checking in the memory management, including the ability to identify and work around 'bad blocks' in memory."

This composite image shows a SOHO image of the Sun and an artist's impression of Earth's magnetosphere. Credit: Magnetosphere: NASA, the Sun: ESA/NASA - SOHO

Venturing far from the Sun also means the onboard computer—like the spacecraft as a whole—will have to get by on less power than in its home planet's orbit, as available sunshine shrinks.

Pushing the boundaries of autonomy

As for all deep-space missions, support from ground control will be constrained as well. The sheer distance involved means that real-time control will not be feasible. Hera's computer will be capable of making many of its own decisions. In addition, in the complex double asteroid environment of Didymos, switching into safe mode during critical close-proximity operations must be avoided.

"In Earth orbit a mission's computer going into safe mode is no big deal—the satellite itself is not going anywhere, there's time to reconfigure it," says Peter. "But in deep space, with big asteroids whirling around, any recovery from failure will have to be done autonomously, and as quickly as possible.

Computer testing. Credit: QinetiQ Space

"That implies maximum redundancy and fast switch-over times from the failing element to its backup. We actually have good experience of such hot redundancy from another company project: developing a safety-critical docking mechanism according to the International Berthing and Docking Mechanism Standard, which is used for making the connection between crewed and uncrewed spacecraft on one end and the International Space Station or in future the Lunar Gateway station, on the other.

"Our benchmark for Hera is that reconfiguration from any computer failure should be extremely fast, a matter of 10 to 20 seconds.

"Another design strategy is to deliberately not have all the functionality in the central onboard computer. On Hera the image processing—which can potentially be used for autonomous spacecraft navigation—will be performed by a dedicated unit, being developed by GMV in Romania."

It's a similar approach to having a separate graphics card to make your home computer run video games better—avoiding clogging up the computer with computationally intensive but non-core tasks.

Hera mission timeline. Credit: ESA – Science Office

From the Proba fold

Hera's computer will run on a powerful dual-core LEON-3 processor—part of a family of ESA-developed microprocessors for space. Its overall design is developed from the ADPMS—Advanced Data and Power Management System—computer flown on Proba-2, Proba-V and the forthcoming Proba-3 mini-satellites. This computer has demonstrated more than 15 years of in-orbit operations with very high reliability.

"We've reached the engineering model phase of our upgraded ADPMS design, which will serve the Altius ozone-monitoring mission as well as Hera.

"This testing—supported through ESA's General Support Technology Programme—is taking place under our ProbaNEXT project, which is developing our next-generation Proba platform for a wide variety of uses and users.

"Currently, we are qualifying the redundancy and fast switch-over time element of the design. This testing is allowing us to demonstrate all relevant functioning that Hera needs, so once the decision is made to fly the mission then we will be ready."

Proba-3. Credit: ESA-P. Carril, 2013
