Lessons Learned Entry: 2044

Lesson Info:
- Lesson Number: 2044
- Lesson Date: 2009-04-7
- Submitting Organization: JPL
- Submitted by: David Oberhettinger
- POC Name: Todd Bayer; David E. Herman
- POC Email: Todd.J.Bayer@jpl.nasa.gov; David.E.Herman@jpl.nasa.gov
- POC Phone: 818-354-5810 (Bayer); 818-393-5872 (Herman)

Subject: MRO Articulation Keep-Out Zone Anomaly

Abstract: An articulating solar array collided with the MRO spacecraft due to inadequate definition and verification/validation of system-level design requirements for implementing the appendage's keep-out zone in flight software. Construct models to ensure requirements discovery is complete, provide a robust appendage motion backstop capability, ensure precision in requirements language, and never ask control laws to exceed your control authority.

Description of Driving Event:

Mars Reconnaissance Orbiter (MRO) was launched in August 2005 with a mission to study the Martian climate, identify water-related landforms and aqueous deposits, characterize potential landing sites for Mars landers, and provide UHF relay for science data produced by these future missions. The spacecraft features three articulated, motorized, appendages: one High Gain Antenna (HGA) that tracks Earth to downlink science data and two Solar Arrays (SA) that track the Sun to supply spacecraft power. Their pointing is controlled by flight software (FSW) that limits each appendage's acceleration/deceleration and rate of motion, in each axis, toward the final inner and outer gimbal angles needed to point the appendage at the target. All FSW pointing commands must pass through a Keep Out Zone (KOZ) algorithm that constrains each appendage's motion within a swept volume that prevents inadvertent contact with the spacecraft structure, another appendage, or the payload field-of-view.

The MRO KOZ, instead of being defined as an inviolate area, was defined as a space where appendage motion would be arrested and reversed. A KOZ boundary that was somewhat flexible - often referred to as a “reaction zone” - was implemented so that appendage motion could be safely constrained without incurring sudden stops and jitter that could degrade high resolution imaging. The KOZ algorithm's control parameters limited the depth of penetration into this area to a fraction of the distance between the boundary and any possible physical contact. Such an implementation, rather than inviolate boundaries with the familiar hard and soft stops on the actuators, was chosen for implementing the movement of the two-axis gimbal called upon to execute MRO's complex coordinated motions. Keeping the penetrations small and benign was accomplished by setting appropriate control parameters. The allowed spaces (Figure 1) were determined through pre-flight analysis and were verified by testing.

[Figure 1 is a color diagram of the three-dimensional geometry of MRO appendage motion. It depicts the spacecraft bus as connected to the HGA and the two SAs. The HGA sweeps an area, separate from the volume that contains the bus, that is depicted as a grey torus. Each SA sweeps a yellow-colored area about the bus that occupies a slice of pie that (in a plane orthogonal to the HGA volume) each represents about a third of a pie.]

Figure 1. Three shaded areas depict the geometry of MRO two-axis gimbal management

In November 2007, one year after MRO began science operations, an anomalously large SA appendage KOZ violation occurred, resulting in actual appendage contact with a thermal blanket (Reference (1)). Mechanical resistance by the blanket caused motor rate errors that onboard fault protection interpreted as failure of both redundant gimbal motors, and fault protection commanded a warm reset of the flight computer and entry into safe mode.

The SA contacted the spacecraft because the appendage motion needed to reach the targeted gimbal angles placed it near a “kinematic singularity.”¹ Travelling at the maximum allowed rate, the appendage's maximum allowed deceleration was insufficient to arrest the appendage's motion after it penetrated the KOZ and before it resulted in contact. The parameters for the combination of maximum rate and maximum acceleration had been set pre-launch to values that were incorrect for KOZ enforcement. The interactions between these critical parameters were not well-documented, and their effect on KOZ penetration escaped detection in the pre-launch verification and validation process.

The non-standard implementation approach for the KOZ was exacerbated by miscommunications caused by imprecise terminology, and by staff turnover. Hence, the elastic nature of the boundary and the potential for a kinematic singularity were not widely understood throughout the MRO flight system team (Reference (2)) or by the FSW developers responsible for the algorithm implementation. The project failed to write and verify a spacecraft system-level design requirement that completely defined all potential combinations of appendage movement directions and rates in order to prevent inadvertent contact. There were also no requirements for back-up measures to prevent collisions.

The KOZ violation and spacecraft contact by the SA caused no detectable damage, but science operations were halted for two months until it was determined that the mission could safely continue. The MRO project has implemented corrective actions that have greatly reduced the residual risk of future MRO appendage collisions.

¹ Two-axis gimbal systems can be used to point anywhere in three-dimensional space, except when the inner gimbal axis (fixed to the spacecraft body) becomes aligned with the desired target vector. In this case the inner axis becomes useless for pointing control. This is known as a “kinematic singularity.” Near the singularity, small pointing changes require that the inner axis moves a very large amount at very high speed (in the limit it must move 180 degrees at infinite speed).

References:
1. “MRO Reboot on 2007-311T15:20:59,” JPL Problem/Failure Report No. Z92078 (ISA Z91824), January 15, 2008.
2. “Mars Reconnaissance Orbiter Articulation Keep-Out Zone Anomaly Final Report,” JPL Document Nos. MRO-565-86 and JPL D-37648, October 27, 2008.
3. Todd J. Bayer, “Systems Engineering Lessons Learned from the Mars Reconnaissance Orbiter Mission,” NASA/Caltech Jet Propulsion Laboratory, December 2, 2008.
4. Robert D. Rasmussen, Gurkirpal Singh, David B. Rathbun, and Glenn A. Macala, “Behavioral Model Pointing on Cassini Using Target Vectors,” Proc. SPIE 2803, 271 (1996), DOI:10.1117/12.25342. http://spiedl.aip.org/getpdf/servlet/GetPDFServlet?filetype=pdf&id=PSISDG002803000001000271000001&idtype=cvips&prog=normal

Lesson(s) Learned:
1. MRO appendage KOZ Level 3 design requirements proved insufficient to prevent collision between an appendage and the spacecraft. Even faithful compliance with the “test-as-you-fly” rule does not cover all circumstances - in this case motion associated with a unique geometric configuration. A requirement for a design implementation that would prevent penetration into a KOZ should have been written and verified. An early, relatively simple, parametric or Systems Modeling Language (SysML) diagramming activity would have quickly cleared up misunderstandings and led to correct and complete requirements (Reference (3)).
2. Robust and fault resistant pointing capabilities are essential to the ultimate development of fully autonomous systems for future missions.

Recommendation(s):
Design and verification of kinematically complex systems such as spacecraft appendage control should observe the following principles:
1. Re-affirm the importance of precision in requirements language.
2. Consider applying special techniques to increase confidence in requirements quality and verification completeness. For example, construct SysML or State Analysis models to ensure requirements discovery is complete and to allow early simulations.
3. Consider implementing a robust appendage motion backstop capability, such as an independent software stop, in the design of configurable articulation KOZs.
4. Never ask control laws to exceed your control authority. For example, the Cassini project profiled all inputs to control laws such that any rate that would violate a keep-out constraint would be changed (i.e., to something achievable by the control laws) or would be aborted (Reference (4)).

Evidence of Recurrence Control Effectiveness:
JPL has referenced this lesson learned as additional rationale and guidance supporting Paragraph 6.4.4 (“Engineering Practices: System Engineering”) in the Jet Propulsion Laboratory standard “Flight Project Practices, Rev. 7,” JPL DocID 58032, September 30, 2008. In addition, JPL has referenced it supporting Paragraph 4.11.5 (“Flight System Design: Flight Software System Design - Verification”), in the JPL standard “Design, Verification/Validation and Operations Principles for Flight Systems (Design Principles),” JPL Document D-17868, Rev. 3, December 11, 2006.

Documents Related to Lesson: N/A

Mission Directorate(s):
- Exploration Systems
- Science
- Space Operations

Additional Key Phrase(s):
- Engineering design and project processes and standards
- Level II/III requirements definition
- Planning of requirements verification processes
- Orbiting Vehicles
- Robotics
- Software Engineering
- Spacecraft and Spacecraft Instruments
- Ground support systems
- Mission operations systems
- Planetary Operations
- Configuration Change Control
- Early requirements and standards definition
- Flight Operations
- Software
- Spacecraft
- Test & Verification

Additional Info:
- Project: Mars Reconnaissance Orbiter

Approval Info:
- Approval Date: 2009-04-28
- Approval Name: mbell
- Approval Organization: HQ
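
The driving event and Recommendations 3 and 4 come down to a parametric relationship between maximum rate, maximum deceleration and the clearance behind the KOZ boundary, with the kinematic singularity driving the rate demand. The Python model below is an added example, not code from the MRO or Cassini projects; the function names, the 50% margin and every numeric value are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Added illustration; all values are constructed, not MRO flight parameters.
# Units: degrees, deg/s, deg/s^2. Rates are positive toward the KOZ.

@dataclass(frozen=True)
class AxisLimits:
    max_rate: float    # largest rate the motion profiler may command
    max_decel: float   # largest deceleration the actuator can deliver
    clearance: float   # angle from the KOZ boundary to physical contact

def stopping_angle(rate, decel):
    """Angle swept while braking from `rate` to rest at constant `decel`."""
    return rate * rate / (2.0 * decel)

def parameters_are_safe(lim, margin=0.5):
    """A stop from max_rate must use at most `margin` of the clearance."""
    return stopping_angle(lim.max_rate, lim.max_decel) <= margin * lim.clearance

def inner_axis_rate_demand(target_rate, offset_deg):
    """Worst-case inner-gimbal rate needed to follow a target moving at
    `target_rate` when it is `offset_deg` away from the inner axis."""
    return target_rate / math.sin(math.radians(offset_deg))

def profiled_rate(requested, dist_to_koz, lim):
    """Clamp a requested rate so the axis can always stop before the KOZ
    boundary: the command never exceeds the available control authority."""
    if dist_to_koz <= 0.0:
        return 0.0  # at or past the boundary: no further inward motion
    achievable = math.sqrt(2.0 * lim.max_decel * dist_to_koz)
    return min(requested, lim.max_rate, achievable)

def backstop_trips(depth_in_koz, rate, lim):
    """Independent software stop: trip when braking from the current rate
    would consume all of the clearance that is left."""
    return stopping_angle(rate, lim.max_decel) >= lim.clearance - depth_in_koz

MISCONFIGURED = AxisLimits(max_rate=3.0, max_decel=0.25, clearance=10.0)
CORRECTED = AxisLimits(max_rate=1.0, max_decel=0.25, clearance=10.0)

if __name__ == "__main__":
    for name, lim in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(name, "stop angle:", stopping_angle(lim.max_rate, lim.max_decel),
              "safe:", parameters_are_safe(lim))
    demand = inner_axis_rate_demand(0.01, 0.1)   # target 0.1 deg from singularity
    print("demand near singularity:", round(demand, 2),
          "-> profiled:", profiled_rate(demand, 2.0, CORRECTED))
```

Running `parameters_are_safe` over every rate/deceleration pair under consideration is the kind of early parametric check the lesson calls for: it exposes a combination that cannot stop inside the clearance before any hardware test.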