*Adapted from the article 'The Huygens Probe System Design' by Jones & Giovagnoli, in Huygens: Science, Payload and Mission, ESA SP-1177.
Many engineering challenges had to be overcome in designing the first probe planned to study a moon beyond the Earth's system. An extensive development programme was undertaken (Fig. 1), involving several unusual tests, driven by the mission's unique aspects. ESA's Huygens Probe will be delivered to Titan, Saturn's largest satellite, by the Cassini Orbiter in 2004. After a dormant interplanetary journey of 6.7 years - although Huygens will be activated every 6 months for health checks - its aeroshell will decelerate it in less than 3 min from the entry speed of 6 km/s to 400 m/s (Mach 1.5) by about 160 km altitude. From that point, a pre-programmed sequence will trigger parachute deployment and heat-shield ejection (Fig. 2). The main scientific mission can then begin, lasting for the whole of the Probe's 2-2.5 h descent.
Figure 1. Scenes from the Huygens development programme
Figure 2. Huygens parachute deployment sequence
The industrial Phase-B activities for the Huygens Probe began in January 1991 under the leadership of Aerospatiale, the prime contractor. The geographical distribution of the work on Huygens is shown in Figure 3, and the organisation of the industrial consortium that undertook that work in Figure 4. Figure 5 summarises the overall development schedule, indicating the main milestones and the major Reviews carried out at agency level. The Huygens Probe System consists of two principal elements:
Figure 3. Geographical distribution of the Huygens Probe industrial responsibility
Figure 4. The organisation of the Huygens industrial consortium
Figure 5. The Huygens project overall development schedule SRR: System Requirement Review; PDR: Preliminary Design Review; SDR: System Design Review; MHDR: Mechanical Hardware Design Review; EHDR: Electrical Hardware Design Review; CDR: Critical Design Review; FAR: Flight Acceptance Review; LRR: Launch Readiness Review
Table 1 provides the mass breakdown.
Table 1. Huygens mass budget ------------------------------------------------- Probe PSE Subsystems FRSS 78.75 BCSS 16.13 SEPS 11.40 10.29 DCSS 12.13 ISTS 41.41 THSS 20.60 1.50 EPSS 44.73 PHSS 12.61 CDMS 23.10 PDRS 6.04 16.30 Experiments TUSO/RUSO 1.90 1.90 SSP 4.87 GCMS 17.20 HASI 5.77 DISR 8.07 DISR Cover 3.63 ACP 6.18 Fasteners, etc. 0.95 Balance mass 2.85 --------------------------------------------- Total 318.32 29.99
PSE: Probe Support Equipment (on Orbiter); FRSS: Front Shield Subsystem. BCSS: Back Cover Subsystem. SEPS: Separation Subsystem. DCSS: Descent Control Subsystem. ISTS: Inner Structure Subsystem. THSS: Thermal Subsystem. EPSS: Electrical Power Subsystem. PHSS: Probe Harness Subsystem. CDMS: Command and Data Management Subsystem. PDRS: Probe Data Relay Subsystem. TUSO/RUSO: Transmitter/Receiver Ultra Stable Oscillator; SSP: Surface Science Package; GCMS: Gas Chromatograph Mass Spectrometer. HASI: Huygens Atmospheric Structure Instrument. DISR: Descent Imager/Spectral Radiometer. ACP: Aerosol Collector and Pyrolyser.
The Probe (Fig. 6) consists of the Entry Assembly (ENA) cocooning the Descent Module (DM). The ENA provides Orbiter attachment, umbilical separation and ejection, cruise and entry thermal protection, and entry deceleration control. It is jettisoned after entry, releasing the Descent Module. The latter comprises an aluminium shell and inner structure containing all of the experiments and Probe support subsystems, including the parachute descent and spin control devices.
Figure 6. Huygens consists of the Descent Module (DM) within the Entry Assembly (ENA)
The PSE consists of:
The overall Probe System configuration and its relation to the Orbiter is shown functionally in Figure 7 and pictorially in Figure 8. Figure 9 illustrates the breakdown into the various subsystems, each of which is described below.
Figure 7. Huygens Probe system architecture PSA: Probe System Avionics; S/S: subsystem; TUSO: Transmitter Ultra Stable Oscillator; RUSO: Receiver Ultra Stable Oscillator; HGA: High Gain Antenna; RFE: Receiver Front End; TF: Transfer Frame
Figure 8. Huygens Probe accommodation on the Cassini Orbiter
Figure 9. Huygens Probe subsystem breakdown
Front Shield Subsystem (FRSS)
The 79 kg, 2.7 m diameter, 60° half-angle coni-spherical Front Shield will decelerate the Probe in Titan's upper atmosphere from about 6 km/s at entry, to a velocity equivalent to about Mach 1.5 by around 160 km altitude. Tiles of AQ60 ablative material, a felt of silica fibres reinforced by phenolic resin, provide protection against the entry's 1 MW/m2 thermal flux. The shield is then jettisoned and the Descent Control Subsystem (DCSS) is deployed to control the DM's descent to the surface.
The FRSS supporting structure is a CFRP honeycomb shell, to which the AQ60 tiles are attached with CAF/730 adhesive. Prosial, a suspension of hollow silica spheres in silicon elastomer, is sprayed directly on to the aluminium structure of the FRSS rear surfaces, where fluxes are ten times lower.
Back Cover Subsystem (BCSS)
The Back Cover protects the DM during entry, ensures depressurisation during launch and carries multi-layer insulation (MLI) for the cruise and coast phases. Since it does not have to meet stringent aerothermodynamic requirements, it is a stiffened aluminium shell of minimal mass (11.4 kg) protected by Prosial (5 kg). It includes: an access door for late access during integration and for forced-air ground cooling of the Probe; a break- out patch through which the first (drogue) parachute is fired; a labyrinth sealing joint with the Front Shield, providing a non-structural thermal and particulate barrier.
Descent Control Subsystem (DCSS)
The DCSS controls the descent rate to satisfy the scientific payload's requirements, and the attitude to meet the requirements of the Probe-Orbiter radio-frequency (RF) data link and of the descent camera's image-taking.
The DCSS is activated nominally at Mach 1.5 and about 160 km altitude. The sequence (Fig. 2) begins by firing the Parachute Deployment Device (PDD) to eject the pilot chute pack through the Back Cover's break-out patch, the attachment pins of which shear under the impact. The 2.59 m- diameter Disk Gap Band (DGB) pilot chute inflates 27 m behind the DM and pulls the Back Cover away from the rest of the assembly. As it goes, the Back Cover pulls the 8.30 m-diameter DGB main parachute from its container. This canopy inflates during the supersonic phase to decelerate and stabilise the Probe through the transonic region. The Front Shield is released at about Mach 0.6. In fact, the main parachute is sized by the requirement to provide sufficient deceleration to guarantee a positive separation of the Front Shield from the Descent Module.
The main parachute is too large for a nominal descent time shorter than 2.5 h, a constraint imposed by battery limitations, so it is jettisoned and a 3.03 m-diameter DGB stabilising parachute is deployed. All parachutes are made of Kevlar lines and nylon fabric. The main and stabiliser chutes are housed in a single canister on the DM's top platform. A swivel using redundant low-friction bearings in the connecting riser of both the main and stabiliser chutes ensures that the lines do not tangle as the Probe spins.
Separation Subsystem (SEPS)
SEPS provides: mechanical and electrical attachment to, and separation from, the Orbiter; the transition between the entry configuration ('cocoon') and the descent configuration (DM under parachute). The three SEPS mechanisms are connected on one side to Huygens' Inner Structure (ISTS) and on the other to the Orbiter's supporting struts. As well as being the Probe-Orbiter structural load path, each SEPS fitting incorporates a pyro-nut for Probe- Orbiter separation, a rod cutter for Front Shield release, and a rod cutter for Back Cover release.
Within SEPS, the Spin Eject Device (SED) performs the mechanical separation from the Orbiter:
In addition, the Umbilical Separation Mechanism of three 19-pin connectors, which provide Orbiter-Probe electrical links, is disconnected by the SED.
Inner Structure Subsystem (ISTS)
The ISTS provides mounting support for the Probe's payload and subsystems. It is fully sealed except for a vent hole of about 6 cm2 on the top, and comprises:
Thermal Subsystem (THSS)
While the PSE is thermally controlled by the Orbiter, the Probe's THSS must maintain all experiments and subsystem units within their allowed temperature ranges during all mission phases. In space, the THSS partially insulates the Probe from the Orbiter and ensures that there are only small variations in the Probe's internal temperatures, despite the incident solar flux varying from 3800 W/m2 (near Venus) to 17 W/m2 (approaching Titan after 22 days of the coast phase following Orbiter separation).
As shown in Figure 10, Probe thermal control is achieved by:
Figure 10. The Probe's thermal control system RHU: Radioisotope Heater Unit; MLI: Multi-Layer Insulation.
The MLI is burned and torn away during entry, leaving temperature control to the AQ60 high-temperature tiles on the Front Shield's front face, and to Prosial on the Front Shield's aft surface and on the Back Cover.
During the descent phase, thermal control is provided by foam insulation and gas-tight seals. Lightweight open-cell Basotect foam covers the internal walls of the DM's shells and Top Platform. This prevents convection cooling by Titan's cold atmosphere (70 K at 45 km altitude) and therefore thermally decouples the units mounted on the Experiment Platform from the cold aluminium shells. Gas-tight seals around all elements protruding through the DM's shell minimise gas influx. In fact, the DM is gas tight except for a single 6 cm2 hole in the Top Platform that equalises pressure during launch and the descent to Titan's surface.
The EPSS consists of:
Five batteries, which provide power from the time of Orbiter separation until at least 30 min after arrival on Titan's surface. Each battery comprises two modules of 13 LiSO2 (7.6 Ah) cells in series.
A Power Conditioning & Distribution Unit (PCDU), which provides the power conditioning and distribution to the Probe's equipment and experiments via a regulated main bus, with protection to ensure uninterrupted operations even in the event of single failures inside or outside the PCDU.
During the cruise phase, the Probe is powered by the Orbiter and the PCDU isolates the batteries. The five interface circuits connected to the Orbiter's Solid-State Power Switches (SSPSs) provide Probe-Orbiter insulation and voltage adaptation between the SSPS output and the input of the PCDU's Battery Discharge Regulator (BDR) circuits. The BDRs condition the power from either the Orbiter or the batteries and generate the 28 V bus, controlled by a centralised Main Error Amplifier (MEA). The distribution is performed by active current limiters, with the current limitation adapted for each user and with an on/off switching capability. The Mission Timer, however, is supplied by three switchable battery voltage lines through series fuses or, when the PCDU is powered by the Orbiter, by dedicated output voltage lines of the Orbiter interface circuits.
The PCDU also provides a protected +5 V supply used by the Pyro unit to generate the bi-level status telemetry of the selection relays and for the activation circuit that switches on the Pyro unit's energy intercept relay.
A Pyro Unit (PYRO) provides two redundant sets of 13 pyro lines, directly connected to the centre taps of two batteries (through protection devices), for activating pyro devices. Safety requirements are met by three independent levels of control relays in series in the Pyro Unit, as well as active switches and current limiters controlling the firing current. The three series relay levels are: energy intercept relay (activated by PCDU at the end of the coast phase); arming relays (activated by the arming timer hardware); selection relays (activated by Command and Data Management Unit, CDMU. software). In addition, safe/arm plugs are provided on the unit itself for ground operations.
The EPSS is completely off over the whole cruise phase, except for periodic checkout operations. There is no power at the Orbiter interface and direct monitoring by the Orbiter allows verification that all the relays are open and that the PCDU temperature (representative of all units within the inert Probe) is within limits.
Cruise phase checkout
The EPSS is powered by the Orbiter for cruise checkout operations. The 28 V bus is regulated by the EPSS BDRs associated with each Orbiter SSPS; a total of 210 W is available from the Orbiter. All of the relays remain open during the check-out.
Following the loading (from the Orbiter) of the correct coast-time duration into the Mission Timer Unit, battery depassivation is performed to minimise any energy loss due to ageing of the chemically active surfaces within the battery during cruise. Before Probe separation, the EPSS timer relays are closed to supply the Mission Timer from the batteries and the Orbiter power is switched off.
Only the Mission Timer is supplied by batteries through specific timer relays during the coast phase. The EPSS is off and all other relays are open.
End of coast phase - Probe wake-up
At the end of the coast phase, the Mission Timer wakes the Probe by activating the EPSS. Input relays are closed and the current limiters powering the CDMU are automatically switched on as soon as the 28 V bus reaches its nominal value (other current limiters are initially off at power up). The pyro energy intercept relay is also automatically switched on by a command from the PCDU.
Entry and descent phases
All PCDU relays are closed and the total power (nominal 300 W, maximum 400 W) is available on the 28 V distribution outputs to subsystems and equipment. The Pyro Unit performs the selection and the firing of the pyros, activated by CDMU commands.
The PDRS (Fig. 12) is Huygens' telecommunications subsystem, combining the functions of RF link, data handling and communications with the Orbiter. It transmits science and housekeeping data from the Probe to the Orbiter- mounted PSE, which are then relayed to the Orbiter CDS via a Bus Interface Unit. In addition, the PDRS is responsible for telecommand distribution from the Orbiter to the Probe by umbilical during the ground and cruise checkouts. The PDRS comprises:
Figure 12. The Probe Data Relay Subsystem (PDRS) ACP: Aerosol Collector and Pyrolyser; CDMU: Command and Data Management Unit; DISR: Descent Imager/Spectral Radiometer; DWE: Doppler Wind Experiment; GCMS: Gas Chromatograph Mass Spectrometer; HASI: Huygens Atmospheric Structure Instrument; LNA: Low-Noise Amplifier; ORT: Orbiter Receiving Terminal; PTA: Probe Transmitting Antenna; PTT: Probe Transmitting Terminal; RA: Radar Altimeter; SSP: Surface Science Package.
The Orbiter's High Gain Antenna (HGA) acts as the PDRS receive antenna.
In addition, as part of the Doppler Wind Experiment (DWE), two ultra- stable oscillators are available as reference signal sources to allow the accurate measurement of the Doppler shift in the Probe-Orbiter RF link: the Transmitter Ultra Stable Oscillator (TUSO) on the Probe and the Receiver Ultra Stable Oscillator (RUSO) on the Orbiter.
The PDRS electrical architecture is fully channelised for redundancy, except that TUSO and RUSO are connected to only one chain. During Probe descent, starting from the time of atmospheric entry as predicted from Orbiter trajectory and Probe separation characteristics, the Orbiter HGA is controlled to track a fixed point on Titan's surface - the nominal touchdown point. Orbiter movement along its trajectory significantly reduces the 'space loss' due to link distance during the Probe's 2-2.5 h descent. However, if Huygens does not land at the nominal point, e.g. due to non-nominal entry parameters or zonal winds, the gain in received signal strength arising from the reduced distance is offset by the HGA's reduced gain due to the off-axis angle of the Probe with respect to the HGA's boresight axis.
The link budget worst cases occur at the beginning and end of mission. The link design attempts to equalise the signal-level margins at the Beginning and End of Mission (BOM and EOM, respectively). At BOM, the signal level is determined by the range, while the losses owing to off-axis pointing are mainly due to HGA pointing and Probe delivery errors (the additional dispersion arising from variations in the entry phase is relatively minor). At EOM, however, the signal level is critically dependent on the descent duration: the off-axis pointing losses due to the Probe's lateral drift in the assumed Titan wind worsens with the longer descent duration.
The CDMS has two primary functions: autonomous control of Probe operations after separation, and management of data transfer from the equipment, subsystems and experiments to the Probe transmitter for relay to the Orbiter. The data are stored redundantly on the Orbiter's two Solid-State Re-corders (SSRs) for subsequent downlinking to Earth when the Orbiter has been reoriented to its normal attitude with its HGA Earth-pointing. (During cruise checkouts, this attitude allows direct data downlinking if NASA Deep Space Network (DSN) coverage is available.)
The driving requirement of the CDMS design is intrinsic single-point- failure tolerance. As a result of the unusual Huygens mission (limited duration and no access by telecommand after separation), a very safe redundancy scheme has been selected. As shown in Figure 11, the CDMS therefore comprises:
Figure 11. The Probe's Command and Data Management Subsystem (CMDS) CASU: Central Acceleration Sensor Unit; CDMU: Command and Data Management Unit; HASI: Huygens Atmospheric Structure Instrument; I/F: intermediate frequency; PSA: Probe Support Avionics; RASU: Radial Acceleration Sensor Unit; TC: Telecommand; TM: Telemetry.
The two CDMUs each execute their own POSW simultaneously and are configured with hot redundancy (Chain A and Chain B). Each hardware chain can run the mission independently. They are identical in almost all respects, with the following minor differences facilitating simultaneous operations and capitalising on the redundancy:
Each CDMU chain incorporates a health check (called the Processor Valid status), which is reported to the experiments in the Descent Data Broadcasts (DDBs). Either chain will declare itself invalid when two bit errors in the same memory word, an ADA exception, or an under-voltage on the 5 V line occur within the CDMU.
The Huygens software consists of that running in the Probe CDMS, referred to as Probe Onboard Software (POSW), and that within the PSA on the Orbiter, referred to as the Support Avionics Software (SASW). The POSW output telemetry is relayed via the SASW and then Cassini's CDS to the ground. The redundant data handling hardware (CDMU's and PSA's) run identical copies of POSW and SASW.
The software is based on a top-down hierarchical and modular approach using the Hierarchical Object-Oriented Design (HOOD) method and, except for some specific low-level modules, is coded in ADA. The software consists, as much as possible, of a collation for synchronous processes timed by a hardware reference clock (8 Hz repetition rate). In order to avoid unpredictable behaviour, interrupt-driven activities are minimised. Such a design also provides for better software observability and reliability.
The processes are designed to use data tables as much as possible. Mission profile reconfiguration and experiment polling can therefore be changed only by reprogramming these tables. This is possible via an EEPROM. In order to avoid a RAM modification while the software is running (which can lead to unpredictable behaviour and unnecessary complexity), direct RAM patching is forbidden.
The POSW communicates with the SASW in different ways depending on the particular mission phase. Before Probe separation, the two software subsystems communicate via an umbilical that provides both command and telemetry interfaces. Huygens cannot be commanded after separation, and telemetry is transmitted to the Orbiter via the PDRS RF link. The overall operational philosophy is that the software runs the nominal mission from power-up without checking its hardware environment or the Probe's connection or disconnection.
The specific software actions or inhibitions required for ground or flight checkout must therefore be invoked by special procedures, activated by the delivery of specific telecommands to the software.
To achieve this autonomy, POSW's in-flight modification is autonomously applied at power-up by using a non-volatile EEPROM. At power-up, the POSW validates the CDMU EEPROM structure and then applies any software patches stored in the EEPROM before running the (resultant) software. If the EEPROM proves to be invalid at start-up, no patches are applied and the software continues based on the software in the CDMU ROM. A number of other checks are also carried out at start-up (e.g. a DMA check and a main ROM checksum), but the software will continue execution attempts even if the start-up checks fail.