NASA Built A Computer For Artemis II That Can't Fail, Here's The Engineering Behind It

When Artemis II's four-person crew left Earth’s orbit, they were protected by a computing system designed to move beyond simple redundancy (à la the Apollo missions) to a fail-silent architecture that ensures one glitch never becomes a critical problem. Well, broken potty notwithstanding.

The Orion spacecraft, which has carried a human crew to the moon for the first time in over half a century, operates on a scale of complexity that would baffle Apollo engineers. While the Apollo guidance computer managed specific navigation tasks, Orion’s brain, consisting of four Flight Control Modules (FCMs), is responsible for everything from life support to engine burns. Because deep space is one giant bowl filled with high-energy particles capable of flipping computer memory bits, NASA engineers didn't just build a fast computer; they had to build a paranoid one.

The core of the system holds eight CPUs arranged in self-checking pairs. Each of the four FCMs contains two processors running identical software in lockstep. Before any command is sent to the spacecraft’s actuators or thrusters, the two processors must agree perfectly on the output. If a radiation strike causes a single bit to flip in one processor, creating a discrepancy, the entire module fails silent, meaning it immediately stops transmitting and takes itself offline rather than risking green-lighting a corrupted instruction.

This 'fail-silent' approach is a departure from traditional 'fail-operational' systems that might try to figure out which processor is right. In Orion’s world, it is safer to shut down a module instantly and let one of its three healthy siblings take over the load. To make this work, the system relies on a strictly deterministic architecture. In a standard PC, background tasks might cause slight timing variations, but in Orion, every calculation and network message happens at a precisely choreographed microsecond. This ensures that all eight CPUs stay in sync, making it easy to spot a rebel bit the moment it deviates.

Moreover, the hardware itself is reinforced, utilizing Triple Modular Redundant (TMR) memory, where data is stored in triplicate. Every time a byte is read, the hardware performs a best-of-three vote. If one bit has been corrupted by radiation, the hardware corrects it on the fly before the software even sees the error.
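The two mechanisms described above, self-checking pairs that fail silent and best-of-three memory reads, can be modeled in a few lines of C. This is an added illustration, not NASA or Orion flight code: `fcm_t`, `lane_fault`, `control_law` and `select_command` are hypothetical names, the injected bit flips are constructed, and taking the command from the lowest-numbered module still transmitting is an assumption about how a sibling takes over.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NUM_FCM 4 /* four Flight Control Modules, as in the article */

/* TMR read: each output bit is the majority of the same bit in three copies. */
uint8_t tmr_read(const uint8_t copy[3]) {
    return (uint8_t)((copy[0] & copy[1]) | (copy[0] & copy[2]) | (copy[1] & copy[2]));
}

typedef struct {
    bool silent;            /* latched once the two lanes disagree */
    uint32_t lane_fault[2]; /* constructed fault injection: XOR mask per lane */
} fcm_t;

/* Hypothetical stand-in for the identical software both lanes run. */
static uint32_t control_law(uint32_t sensor) { return sensor * 3u + 7u; }

/* Run both lanes; publish only on bit-for-bit agreement, otherwise go silent. */
bool fcm_step(fcm_t *m, uint32_t sensor, uint32_t *out) {
    if (m->silent) return false;              /* offline modules stay offline */
    uint32_t a = control_law(sensor) ^ m->lane_fault[0];
    uint32_t b = control_law(sensor) ^ m->lane_fault[1];
    if (a != b) { m->silent = true; return false; } /* no guess at which is right */
    *out = a;
    return true;
}

/* Step every module each frame; use the first one that still transmits.
   Returns the index of the source module, or -1 if all are silent. */
int select_command(fcm_t fcm[NUM_FCM], uint32_t sensor, uint32_t *cmd) {
    int src = -1;
    for (int i = 0; i < NUM_FCM; i++) {
        uint32_t out;
        if (fcm_step(&fcm[i], sensor, &out) && src < 0) { src = i; *cmd = out; }
    }
    return src;
}

int main(void) {
    static fcm_t fcm[NUM_FCM];            /* zero-initialized: all healthy */
    uint8_t cell[3] = {0xA5, 0xB5, 0xA5}; /* constructed: bit 4 flipped in copy 1 */
    uint32_t cmd = 0;
    fcm[0].lane_fault[1] = 1u << 5;       /* constructed upset in FCM 0, lane B */
    int src = select_command(fcm, 10, &cmd);
    printf("tmr=0x%02X source=FCM%d cmd=%u\n", (unsigned)tmr_read(cell), src, (unsigned)cmd);
    return 0;
}
```

The pair check only catches disagreement: a fault that corrupts both lanes identically passes the comparison and is published.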

Even with these protection layers, NASA prepared for common-mode failures, i.e., software bugs or events that could theoretically take down all four primary modules. For this, a completely independent Backup Flight Software (BFS) system sits in wait. Developed by a different team using different requirements, the BFS is the ultimate safety net. If the primary system goes dark, the BFS can autonomously stabilize the ship, point the solar panels at the sun, and re-establish contact with Earth.

Now, instead of de-funding them, let's give those NASA brains a raise.
Aaron Leong

Tech enthusiast, YouTuber, engineer, rock climber, family guy. 'Nuff said.