CHAPTER 5 SYSTEMS: COMMAND AND DATA HANDLING—THE BRAINS OF THE INTERNATIONAL SPACE STATION 106 A special case occurs when an MDM fails. Among the MDMs, the C&C performs the recovery of the Tier 2 MDMs since they are redundant. Upon detecting a loss of communication with a Tier 2 MDM, the C&C will power on the Backup (normally kept off to minimize wear and tear) and command it operational. This process is called Redundancy Management (RM). A serious scenario, such as a major power channel failure, can cause multiple components, including MDMs, to be powered off. The CCS will perform RM on each Tier 2 MDM that failed, beginning with the most critical MDM. As the Tier 2 MDMs are recovered, they will detect any problems in their systems and will execute automated software to reconfigure their system, including bringing online redundant equipment. For example, the same power channel failure that powered off an active INT MDM could have left half the pumps for the internal cooling system unpowered in the Laboratory Module. The newly recovered INT MDM will detect one pump as off (“failed”) and reconfigure the water loops so that the remaining pump is cooling the entire system. Flight controllers will then do any further cleanup of the less- critical systems. Critical equipment, including MDMs, are usually put on different channels to minimize such impacts from the failure of a single power or cooling channel. Thus, if C&C-1 MDM is the Primary MDM, the INT-2 MDM on a different power channel may be configured as the Primary for that pair so that an issue with the power system is unlikely to power off both at the same time. Another key function of the software relates to what are called modes. The ISS is a large, complicated system. When the vehicle is reconfigured for key activities—e.g, preparing for the docking of a visiting vehicle—a lot of systems have to be changed to support the new mode or configuration. Mode transitions are automated to help relieve the work of the ground team. When the ISS is supporting regular increment operations, it is in Standard mode. The ISS transitions to Proximity Operations mode for visiting vehicle dockings. When the command is given, the C&C MDM will fire off a large number of commands to all the systems to configure the systems appropriately. Other modes include Microgravity, Reboost (for raising the station altitude), and External Operations (intended to be used for extravehicular activities). A Survival mode attempts to maintain the minimum systems required to keep the crew alive. Assembling the Command and Data Handling System Assembling the C&DH system was relatively straightforward, unlike several other systems described elsewhere in this book. Adding a computer to the network on the ISS is not all that different from adding a computer on a home or work network—with one notable exception. Prior to ISS-5A, the only USOS MDMs were the Node MDMs and the P6 PhotoVoltaic Control Unit (PVCU) MDMs. The crew would interface with the Node Control Software using the early PCS. At 5A, a number of MDMs were added and the PCS became the permanent method for crew interaction with the C&DH system. Transitioning from Node software to CCS control at 5A was the biggest expected challenge for the ODIN team during the ISS assembly process. The Node Control System (NCS) assumed interim C&C upon power- up in 1998 of the first element of the USOS—Node 1. The NCS controlled some fans and connected to the Early Communication System, which was used for talking to the crew and getting status telemetry on the ground. Later, at 4A, the Node MDMs worked with the PVCU computers on the P6 module to provide power. The Laboratory Module, launched in 2001, contained the CCS, which was destined to be the Tier 1 C&C as well as the INT, EXT, and GNC MDMs. The challenge is that the station cannot be without a Tier 1 computer for extended periods of time, and there can be only one Tier 1 controller at a time. Therefore, a careful handover from NCS to CCS had to be developed. Fortunately, a function designed to recover the C&C MDMs in the event of a failure provided a clever mechanism to achieve this. The NCS is technically a Tier 2 system under the CCS. Early on, it was realized that, in the unlikely event of all three C&C MDMs failing, there needed to be a way to power cycle them in the hope of recovering them (much as a desktop or laptop can be recovered if a software lockup occurs). If that effort was not successful, there needed to be a way to assume control of the ISS. If all three C&C MDMs were to fail, the NCS would detect the absence of a BC and begin power cycling the C&C MDMs. The NCS would then give up the bus control to allow the CCS to boot up and take charge. If, after a certain amount of time, the NCS still detected no BC, it would go back to controlling the main busses until the