REG NASA-LLIS-0939-2001 Lessons Learned MPL Uplink Loss Timer Software Test Errors (1998).pdf

1、Lessons Learned Entry: 0939Lesson Info:a71 Lesson Number: 0939a71 Lesson Date: 2001-02-15a71 Submitting Organization: JPLa71 Submitted by: David A. NicholsSubject: MPL Uplink Loss Timer Software/Test Errors (1998) Abstract: Prelaunch tests and verification of software and hardware used to switch to

2、a redundant string should include assumed failures in either string during all mission phases. MPL did not verify the ability of the Lander to switch to the redundant uplink string after landing assuming a failure in the primary string had occurred during earlier entry, descent and landing phases. R

3、ecognize that transitions to another mission phase are high-risk sequences and that database changes that impact logic decisions should be retested.Description of Driving Event: The Mars Polar Lander (MPL) flight software design contained mission-critical logic errors that were not detected during t

4、esting of the spacecraft due to omissions in the pre-launch test program and pre-launch uplink verification process. The failure reviews (References 1 and 2) attributed MPL mission loss to a leg rebound transient that is summarized in Reference 4.The uplink loss timer is software designed to trigger

5、 a switch from a failed uplink hardware string to the backup string if the spacecraft has not received a command from mission operations for a selected time period. Because of the significant physical reconfiguration of the spacecraft telecommunications equipment from the cruise to post-landing conf

6、iguration, this uplink loss software was planned to self-reconfigure after the landing. Post mission testing demonstrated that an undetected logic error prevented the reconfiguration. With this software misconfigured, the detection of a failed uplink string and the required swapping to the backup st

7、ring could not occur.Inadequate Test of Mission Phase Transition: During software integration testing, there were several tests that crossed the boundary from Entry, Descent and Landing (EDL) to the landed mission phase. After the successful simulated landing, each test issued commands to configure

8、the “uplink loss Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-fault“ test case (i.e., loss of primary uplink string). This test condition masked the software flaw by inadvertently completing a successful transition to the landed configuration, whi

9、ch would not have occurred had a true hardware fault happened. The test did not verify the ability of the lander to switch to the redundant string if a failure occurred during the earlier EDL sequence.Failure to Test Full Range of Operational Parameters: Unit and integration testing of the uplink lo

10、ss timer logic did not cover the full operational range of parameters. This resulted in failure to identify a legal parameter value that could cause catastrophic behavior.References:1. Mars Program Independent Assessment Team Summary Report (Young Report), 14 March 2000.2. Report on the Mars Polar L

11、ander and Deep Space 2 Missions, JPL Special Review Board (Casani Report), JPL Internal Document D-18709, 22 March 2000, Section 7.7.3. JPL Corrective Action Notice No. Z69163, Mars Program Investigation Results: “Software Design“, 4 May 2000.4. JPL Lesson Learned “Probable Scenario for Mars Polar L

12、ander Mission Loss“Additional Key Words: Fault Tolerance, Redundancy Verification, Software Test, System Integration and Test, Test PlanningLesson(s) Learned: 1. Recognize that the transition to another mission phase (e.g. from EDL to the landed phase) is a high risk sequence. Devote extra effort to

13、 planning and performing tests of these transitions.2. Unit and integration testing should, at a minimum, test against the full operational range of parameters. When changes are made to database parameters that affect logic decisions, the logic should be re-tested.Recommendation(s): See Lesson(s) Le

14、arnedEvidence of Recurrence Control Effectiveness: A JPL Corrective Action Notice was assigned and practices will be modified as appropriate.Documents Related to Lesson: N/AProvided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Mission Directorate(s): a71 E

15、xploration Systemsa71 Sciencea71 Aeronautics ResearchAdditional Key Phrase(s): a71 Flight Equipmenta71 Policy & Planninga71 Risk Management/Assessmenta71 Safety & Mission Assurancea71 Softwarea71 Spacecrafta71 Test & VerificationAdditional Info: Approval Info: a71 Approval Date: 2001-05-17a71 Approval Name: Carol Dumaina71 Approval Organization: JPLa71 Approval Phone Number: 818-354-8242Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-