A million lines of code
A million lines of code for the Jules Verne rendezvous
The ATV flight software matches the complexity of the vehicle and its mission:
- To comply with the safety and availability constraints, the electrical and digital (avionics) architecture of the ATV is quadruplex (quadruple redundancy) and contains no fewer than 50 items of equipment, such as nominal and redundant sensors and actuators, which are controlled by a fault-tolerant central computer. This computer is composed of three data processing units, each running the FAS (Flight Application Software) in parallel.
- From its separation from the Ariane 5 launcher until de-orbiting and re-entry, via the phases of rendezvous, docking/undocking and support to the ISS during the attached phase, the ATV mission consists of almost 100 different operating modes.
At the heart of this system, the ATV flight software is primarily in charge of:
- the mission management and the sequencing of the various vehicle modes, via the execution of the 100 or so mission plans loaded on board, and the processing of the commands sent during the mission by the control centre in Toulouse (ATV-CC) or the ISS;
- the execution of the different functionalities that allow the Jules Verne mission to be performed in its entirety; in particular:
  - the flight control algorithms for joining the station from the Ariane 5 injection orbit, or for deorbiting after undocking from the station
  - the algorithms for the thermal control and the management of the on-board electrical power supply
  - the docking/undocking functions
  - the station re-boost and refuelling functions
  - the communication functions with the ground and the ISS
  - the on-board operational monitoring of the equipment and the vehicle, as well as the management of the different configurations (no fewer than 200 possible degraded configurations).
The complexity of this software is due to the quantity and intrinsic complexity of the algorithms required to ensure an autonomous rendezvous, as well as the volume of data processed, and the number of possible configurations. Ultimately, this software represents:
- more than 2,600 functional requirements to be implemented and checked
- almost a million lines of Ada code and configuration data lines (more than five times the amount for the Ariane 5 flight programme)
- more than 8,000 measurements taken and processed on board
- numerous official test campaigns, conducted internally at Astrium, and with the partners RSCE & NASA, resulting in thousands of hours of tests both on simulators and platforms equipped with real equipment. For example, one of these campaigns – the ‘software validation’ campaign – typically implemented more than 700 test scenarios, performed on the flight computer for a total duration of 15 days non-stop, gathering many results which were analysed using specialised automated tools.
Maximum safety with Class A software
The station must be approached in complete safety for the crew, in particular with regard to the risk of collision, which is one of the most feared events. The rendezvous phase is therefore monitored by another software programme, run on a special computer that is independent of the rest of the vehicle, which, if necessary, takes over from the main computer to command an avoidance manoeuvre. This collision avoidance manoeuvre distances the ATV from the ISS and places it on an orbit that cannot cross the ISS’ orbit while, at the same time, positioning the ATV so that it can obtain the maximum amount of energy from its solar panels.
This second software programme, the monitoring and safing unit software, which is directly involved in ensuring the safety of the station, complies with the strictest (Class A) requirements of ESA’s development standards. The software is therefore deliberately very simple (30,000 lines of Ada code), has even been tested at machine code level, and offers maximum robustness in the event of defects or failures. The software was checked during intensive test campaigns covering the normal and degraded operations of the vehicle, up to the limits of the operating range (stress testing).
This is one of the rare Class A software programmes (if not the first) to be developed by the European space industry.
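The two fault-containment patterns described above, the three FAS replicas inside the fault-tolerant central computer and the independent monitoring and safing unit that can override the main computer with a collision avoidance manoeuvre, can be modelled in a few dozen lines. The following Python is an added illustration written for this page; it is not ATV, Astrium or ESA code. The page does not describe how the three replicas' outputs are reconciled, so a majority vote is assumed; the safe-approach corridor, the latching of the avoidance manoeuvre once triggered, and every numeric value are constructed for the example and are not ATV parameters.

```python
"""Added illustration of two fault-containment patterns described for the ATV:
(1) three replicas of the flight application whose outputs are majority-voted,
    so one faulty replica is masked, and
(2) an independent monitoring-and-safing function that watches the approach
    through its own sensor channel and replaces the voted command with a
    collision-avoidance manoeuvre (CAM) when the approach leaves a safe corridor.
Every number below is constructed for the example; none is an ATV parameter.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Command:
    accel_mps2: float  # commanded acceleration along the approach axis (+ = towards station)
    source: str        # element that produced the command


def vote(replica_outputs, tol=1e-6):
    """Majority-vote the outputs of the parallel replicas.

    Returns (agreed_value, indices_of_dissenting_replicas).  With no majority the
    computer as a whole is considered failed, raised here as an error.
    Assumption: the page says three units run the FAS in parallel inside a
    fault-tolerant computer but does not describe the masking mechanism.
    """
    n = len(replica_outputs)
    for candidate in replica_outputs:
        agree = [j for j, v in enumerate(replica_outputs) if abs(v - candidate) <= tol]
        if 2 * len(agree) > n:
            return candidate, [j for j in range(n) if j not in agree]
    raise RuntimeError("no majority among replicas")


@dataclass(frozen=True)
class ApproachState:
    range_m: float      # distance to the station, from the monitor's own sensor
    closing_mps: float  # closing speed, positive when approaching


class SafingMonitor:
    """Model of the independent monitor.

    It never reads FAS internal state, only its own measurement and the command
    about to reach the actuators, so a FAS fault cannot disable it.  Corridor
    (constructed): closing speed may not exceed min(cap, slope * range + floor).
    Once triggered the CAM stays latched, since the manoeuvre must be completed
    rather than re-evaluated each cycle (assumed behaviour, not stated on the page).
    """

    def __init__(self, slope=0.01, floor=0.05, cap=1.0, cam_accel=-0.5):
        self.slope, self.floor, self.cap = slope, floor, cap
        self.cam = Command(cam_accel, "MSU-CAM")
        self.latched = False

    def max_closing(self, range_m):
        return min(self.cap, self.slope * range_m + self.floor)

    def check(self, state, voted_cmd):
        if state.closing_mps > self.max_closing(state.range_m):
            self.latched = True
        return self.cam if self.latched else voted_cmd


def run_approach(cycles, monitor=None):
    """One control cycle per entry: (replica outputs, monitor's own state).

    Returns the list of commands actually sent to the actuators.
    """
    monitor = monitor or SafingMonitor()
    sent = []
    for replica_outputs, state in cycles:
        agreed, dissent = vote(replica_outputs)
        voted = Command(agreed, "FAS" if not dissent else f"FAS(masked {dissent})")
        sent.append(monitor.check(state, voted))
    return sent


# Constructed scenario: replica 2 glitches on cycle 2 and is outvoted; on cycle 4
# the closing speed at 20 m exceeds the corridor and the monitor fires the CAM,
# which then persists even though cycle 5 on its own would be within limits.
SCENARIO = [
    ([0.10, 0.10, 0.10], ApproachState(200.0, 0.40)),
    ([0.10, 0.10, 0.90], ApproachState(150.0, 0.40)),
    ([0.05, 0.05, 0.05], ApproachState(60.0, 0.30)),
    ([0.02, 0.02, 0.02], ApproachState(20.0, 0.50)),
    ([0.00, 0.00, 0.00], ApproachState(19.0, 0.10)),
]

if __name__ == "__main__":
    for i, cmd in enumerate(run_approach(SCENARIO), 1):
        print(f"cycle {i}: {cmd.accel_mps2:+.2f} m/s^2 from {cmd.source}")
```

The point of the split is independence: the voter masks a single faulty replica, but a common-mode defect in the FAS would pass the vote unchanged, so the monitor decides from its own sensor and its own much smaller rule set, and its override is unconditional once the corridor is violated.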