Lessons Learned Entry: 0343

Lesson Info:
- Lesson Number: 0343
- Lesson Date: 1994-09-29
- Submitting Organization: JPL
- Submitted by: G.T. Chen / J.O. Blosiu

Subject: Mars Observer Inappropriate Fault Protection Response Following Contingency Mode Entry due to a Postulated Propulsion Subsystem Breach

Abstract:
Following the loss of the Mars Observer spacecraft, simulations showed that a postulated propellant breach would have caused angular accelerations that could have inhibited downlink and caused multi-axis gyro saturation. In this case, fault protection features of flight software would have inhibited all momentum unloading and prevented the stabilization of the spacecraft.

Ensure that fault protection takes proper action regardless of spacecraft state. Fault responses should not be allowed to interrupt critical activities.

Description of Driving Event:
Verification Test Laboratory (VTL) simulations of the Mars Observer spacecraft spin-up were performed to simulate a postulated propellant subsystem breach. The results indicated that even moderately low angular accelerations caused by the postulated propulsion subsystem breach could have triggered a contingency mode entry that would have interfered with the Radio Power Amplifier (RPA) turn-on cycle. Under these circumstances, contingency mode entry would have inhibited downlink until a ground command was sent. In contingency mode, fault protection was not capable of properly configuring the telecommunication subsystem to re-establish downlink autonomously. Contingency mode was a stable state and flight software could have stayed in this mode indefinitely.

This angular acceleration level would have caused multi-axis gyro saturation. If multi-axis gyro saturation was entered, flight software would have inhibited all momentum unloading thus preventing the stabilization of the spacecraft. Assuming sun on the array 33% of the time, battery depletion could be expected within 4.5 +/- 0.5 hours (sooner for even less favorable sun angle). The ground commands to re-activate RPA were not issued until about 4.5 hours after propellant pressurization since spacecraft autonomy was assumed capable to solve the issue. By the time these ground commands were issued, the batteries most likely would have been depleted.

The above postulated sequence of mishaps could have been the cause of Mars Observer loss of signal.

Additional Keyword(s): Sequence Interaction, Attitude Control

Reference(s):
1. Mars Observer Loss of Signal: Special Review Board Final Report: JPL Pub. 93-28
2. Mars Observer Fault Protection Response in High Spacecraft Spin Rates, IOM MOS 94-159, 06/17/94, G. T. Chen to D. E. Bernard.

Lesson(s) Learned:
Inappropriate fault protection actions can be as hazardous as the failure the system was designed to protect against.

Recommendation(s):
1. It is imperative that spacecraft designers consider the consequences of anomalies at all mission phases and ensure that fault protection takes proper action regardless of spacecraft state.
2. Fault responses should not be allowed to interrupt critical activities unless they have the ability to assure completion of these activities. Final, stable fault protection modes (such as contingency mode) should autonomously assure communications.

Evidence of Recurrence Control Effectiveness: N/A

Documents Related to Lesson: N/A

Mission Directorate(s): N/A

Additional Key Phrase(s):
- Hardware
- Safety & Mission Assurance
- Software
- Spacecraft

Additional Info:

Approval Info:
- Approval Date: 1994-09-01
- Approval Name: Marilyn Platt
- Approval Organization: 186-120
- Approval Phone Number: 818-354-0880

Provided by IHS. Not for Resale. No reproduction or networking permitted without license from IHS.