Lessons Learned Entry: 0345

Lesson Info:
- Lesson Number: 0345
- Lesson Date: 1994-10-10
- Submitting Organization: JPL
- Submitted by: D.E. Bernard / J.O. Blosiu

Subject: Mars Observer Attitude Control Fault Protection

Abstract: From the analyses performed after the Mars Observer mission failure, it became apparent that the MO fault protection suffered from a lack of top-down system engineering design approach. Most fault protection was in the category of low-level redundancy management. It was also determined that the MO fault protection software was never tested on the flight spacecraft before launch. Design fault protection to detect and respond to excessive attitude control errors, use RCS Thrusters to control excessive attitude control errors, and always test fault protection software on the flight spacecraft before launch.

Description of Driving Event: No Attitude and Articulation Control System (AACS) or fault protection failure has been identified as a likely direct cause of the failure of the Mars Observer (MO) mission. Nevertheless, modification to the MO AACS and fault protection design could have: a) stabilized the spacecraft, and reestablished communications in the postulated “pressurant” line burst scenario and b) increased the likelihood of stabilizing the spacecraft after a power-on-reset in the electronic part latch-up scenario.

By analyzing MO software algorithms and documentation, as well as performing verification test laboratory simulations of the spacecraft, it became apparent that the MO fault protection suffered from a lack of top-down system engineering design approach. Most fault protection was in the category of low-level redundancy management. It was also determined that the MO fault protection software was never tested on the flight spacecraft before launch.

Furthermore, it was determined that in case of excessive attitude control errors, the spacecraft would not be stabilized by the Reaction Control System (RCS) thrusters. No RCS thruster control algorithms were present in the software code, thus there was no functional back-up to the Reaction Wheel Assemblies (RWA) for attitude control. If the RCS thrusters were used directly for control, they could have prevented a spin-up for most “pressurant” line burst scenarios.

Additional Keyword(s): Software Testing

Reference(s):
1. Fault Protection Lessons Learned from Mars Observer Loss of Signal Briefing to Division 34 Staff, Douglas E. Bernard 07/20/94.
2. Mars Observer Loss of Signal: Special Review Board Final Report: JPL Pub. 93-28.

Lesson(s) Learned:
1. MO fault protection did not detect and respond to excessive attitude control errors.
2. RCS Thrusters were not used to correct excessive attitude control errors.
3. Fault protection software was never tested on the flight spacecraft before launch.

Recommendation(s):
1. Design fault protection to detect and respond to excessive attitude control errors.
2. Use RCS Thrusters to control excessive attitude control errors.
3. Always test fault protection software on the flight spacecraft before launch.

Evidence of Recurrence Control Effectiveness: N/A

Documents Related to Lesson: N/A

Mission Directorate(s): N/A

Additional Key Phrase(s):
- Safety & Mission Assurance
- Spacecraft
- Test & Verification

Additional Info:

Approval Info:
- Approval Date: 1994-09-01
- Approval Name: Marilyn Platt
- Approval Organization: 186-120
- Approval Phone Number: 818-354-0880