**4.4 Aging hardware**

*Aerospace Engineering*

against micrometeoroid impacts.

these external influences could potentially be affected.

**4.2 Planning for and maintaining consumables**

**4.3 Protecting against human error**

ATC controlling monitors. Internal temperatures were also regulated by circulating the spacecraft's liquid fuel to cool its interior. When flying within the vicinity of the sun, Cassini shielded itself from overheating by utilizing the HGA as a sunshade. Micrometeoroid bombardment, cosmic rays, and radiation are also part of the hazardous flight environment, having the potential to damage or interfere with the operation of the spacecraft's subsystems. Radiation-hardening was applied to electronic devices to deal with this risk, and thermal blankets and commanded HGA shielding of spacecraft components (in the direction of flight) was used to protect

Some unknown influences were also in play for the Cassini mission. The unique (and partially unknown) dust environment at Saturn, which can potentially influence component operation or become hazardous to the spacecraft during flight, would be a new and unique flight environment for the mission. Cassini was also the first JPL mission ever to use SSPS for power distribution, and its operation under

All spacecraft must maintain adequate power margins to operate their subsystem components and scientific instruments, and to support communications with earth. Cassini's electrical power was derived from three RTGs, with a Beginningof-Mission (BOM) capability of 875 W. RTGs are lightweight, compact power systems that are extraordinarily reliable. RTGs have no moving parts and provide power through the natural radioactive decay of Plutonium-238. The heat generated from the natural decay is converted into electricity by solid-state thermoelectric converters, enabling spacecraft to operate at significant distances from the sun, where solar power systems could be infeasible or ineffective compared to other power solutions. The durability and dependability of RTGs made them the preferred choice to implement the Cassini mission and its extended operation in the distant environment of Saturn orbit (~10 AU from the sun). The power output from the RTGs decreases predictably over time, so that the number of powered loads allowed to operate simultaneously must also decline accordingly. Planning and predicting the allowable number of operating spacecraft power loads (devices)

is necessary throughout the mission as the available power decreases.

There are several other consumables which must be monitored on the spacecraft as well. The fuel and oxidizer used by the ME system (plus the hydrazine of the RCS) are particularly valuable, in that their availability controls the useful lifetime of the spacecraft. This is an important commodity for the consideration of mission extensions. Sufficient fuel for the end of a spacecraft's mission must also be maintained so that disposal of the vehicle is adhered to under planetary protection plan constraints [4].

Human interaction with the spacecraft design and operation must also be considered when designing its systems against possibly fault occurrences. Humaninduced error can manifest itself in the form of electro-static discharge events with spacecraft components during the manufacturing process. These are referred to as "latent failures" and can sometimes present themselves well after launch, rendering a device partially or completely useless. Commanded sequences that are uplinked to the spacecraft during mission operations contain instructions for data collection and control of spacecraft's activities, and can contain errors as well. These onboard running sequences (that execute continuously for weeks to months) consist of

**134**

After many years of flight through the harsh flight environment, it is expected that spacecraft will experience various hardware degradations and failures. These potential problems must also be taken into account when extending spacecraft missions past their intended prime mission end dates, as the functionality of critical devices, is clearly a factor in this decision. Sensors can fail and devices that must undergo periodic cycling are all subject to breakdowns and degradations, which limit the mission's capability to perform future planned objectives.

### **4.5 Dealing with earth-spacecraft relative distance**

An inhibitor of fault diagnosis and resolution is the ever-increasing lag time experienced on missions with large earth-to-spacecraft distance, referred to as Round Trip Light Time (RTLT). Ground ⇒ Spacecraft ⇒ ground transactions are almost instantaneous when the vehicle is near the earth since radio waves travel at the speed of light, but once the spacecraft gains substantial distance from our planet, even a signal traveling at this great velocity can take hours. In the case of Cassini at Saturn, a command sent from the ground took nearly 3 h to confirm back on Earth (~10 AU). This lag time becomes a high-risk deterrent to resolving problems when spacecraft like Cassini are sent out great distances. In fact, under certain failure conditions, it is impossible for the ground team to detect a spacecraft's anomalous condition and command recovery actions in time to preclude a catastrophic failure from occurring. An example of this situation would be failure of the helium latch valve to close properly (within the PMS system) after a pressurization task of the fuel/oxidizer tanks. This valve failure could cause the tank pressure to rise substantially in a very short period of time. If this condition occurred on the Cassini spacecraft, the pressure could rise to a catastrophic level before the pressure measurement data can even reach earth's ground stations to indicate the fault condition. In addition to fault detection and resolution concerns, this large lag time becomes a significant factor in the presence of one-time science opportunities such as planet flybys, moon encounters, and special science targets. For these events, the timing is crucial since only one opportunity exists to meet the objective and there may be no second chance. In many cases, these unique events must proceed unimpeded by fault interference in order for the spacecraft's mission to be successful.
