**4.1 Flight environment**

*Aerospace Engineering*

*Attitude and articulation control subsystem* (*AACS*): The AACS is comprised of two redundant computers which provide three-axis stabilization attitude control by either reaction wheel assembly (RWA) control or by the reaction control system (RCS) thrusters. Two sun sensor assemblies (SSA) and two stellar reference units (SRU) provide celestial attitude reference. Inertial reference is furnished by vibrating (nonrotating) gyros. An accelerometer on the central z-axis aids in controlling the duration of the engine burns. AACS flight computers receive commands from the CDS by way of a data bus, sending commands over its own data bus to the AACS

*Propulsion module subsystem* (*PMS*): The PMS contains two redundant (gimbaled) 445-N engines with a specific impulse of 3020 N-s/kg (308 lbf-s/lbm), respectively. Approximately, 3000 kg of nitrogentetroxide and monomethylhydrazine are housed in the main bipropellent tanks. A retractable cover protects the main engines (ME) from damage by dust and micrometeoroid impacts. Four sets of mono-propellant hydrazine RCS thrusters (0.2–1.0-N thrust) fire in a direction parallel and perpendicular to the HGA (130 kg hydrazine tank capacity). Helium

*Power and pyrotechnic subsystem* (*PPS*): Power was provided by three radioisotope thermoelectric generators (RTG). At the beginning of Cassini's mission, an allocation of 882 W of power was available, declining to 600 W by the end of the Solstice mission. The PPS distributes regulated 30-V dc power to orbiter instruments and subsystems by way of a power bus and 192 solid-state power switches (SSPS). Firing of pyrotechnic devices is supplied by the PPS once commands are received by the

pressurization feeds the ME and RCS liquid propellants.

**132**

controlled assemblies.

*Huygens probe instrument suite.*

**Figure 7.**

Temperature conditions internal and external to the spacecraft must be monitored constantly. The vacuum of space exposes the spacecraft to intense heat from the sun when the spacecraft is in close proximity, causing its surfaces to superheat. Shadowed surfaces are subject to extremely low temperatures which can cause onboard propellants to freeze. Once frozen, the spacecraft will be rendered inoperative, since it inhibits the spacecraft's ability to maneuver, so that it will eventually become misaligned with the earth (and unable to receive ground commands). Material stresses are also a concern with these temperature extremes, since thermal expansion-contraction can introduce camera distortion, breakage of components, and warpage. Also, computers and spacecraft components will cease to work if temperatures become too extreme. Instruments can fall out of operating limits, since many devices only function properly within a narrow range of temperatures. Heat build-up can also occur from the spacecraft's own systems. For Cassini, several protective measures were applied to control these hazardous conditions: the application of reflective multilayer insulating blankets to reflect the sun's heat, radiators were added, reflective/absorptive paints applied, louvers and shades installed, radioisotope heater units added, in addition to the inclusion of electrical heaters and ATC controlling monitors. Internal temperatures were also regulated by circulating the spacecraft's liquid fuel to cool its interior. When flying within the vicinity of the sun, Cassini shielded itself from overheating by utilizing the HGA as a sunshade.

Micrometeoroid bombardment, cosmic rays, and radiation are also part of the hazardous flight environment, having the potential to damage or interfere with the operation of the spacecraft's subsystems. Radiation-hardening was applied to electronic devices to deal with this risk, and thermal blankets and commanded HGA shielding of spacecraft components (in the direction of flight) was used to protect against micrometeoroid impacts.

Some unknown influences were also in play for the Cassini mission. The unique (and partially unknown) dust environment at Saturn, which can potentially influence component operation or become hazardous to the spacecraft during flight, would be a new and unique flight environment for the mission. Cassini was also the first JPL mission ever to use SSPS for power distribution, and its operation under these external influences could potentially be affected.

#### **4.2 Planning for and maintaining consumables**

All spacecraft must maintain adequate power margins to operate their subsystem components and scientific instruments, and to support communications with earth. Cassini's electrical power was derived from three RTGs, with a Beginningof-Mission (BOM) capability of 875 W. RTGs are lightweight, compact power systems that are extraordinarily reliable. RTGs have no moving parts and provide power through the natural radioactive decay of Plutonium-238. The heat generated from the natural decay is converted into electricity by solid-state thermoelectric converters, enabling spacecraft to operate at significant distances from the sun, where solar power systems could be infeasible or ineffective compared to other power solutions. The durability and dependability of RTGs made them the preferred choice to implement the Cassini mission and its extended operation in the distant environment of Saturn orbit (~10 AU from the sun). The power output from the RTGs decreases predictably over time, so that the number of powered loads allowed to operate simultaneously must also decline accordingly. Planning and predicting the allowable number of operating spacecraft power loads (devices) is necessary throughout the mission as the available power decreases.

There are several other consumables which must be monitored on the spacecraft as well. The fuel and oxidizer used by the ME system (plus the hydrazine of the RCS) are particularly valuable, in that their availability controls the useful lifetime of the spacecraft. This is an important commodity for the consideration of mission extensions. Sufficient fuel for the end of a spacecraft's mission must also be maintained so that disposal of the vehicle is adhered to under planetary protection plan constraints [4].

#### **4.3 Protecting against human error**

Human interaction with the spacecraft design and operation must also be considered when designing its systems against possibly fault occurrences. Humaninduced error can manifest itself in the form of electro-static discharge events with spacecraft components during the manufacturing process. These are referred to as "latent failures" and can sometimes present themselves well after launch, rendering a device partially or completely useless. Commanded sequences that are uplinked to the spacecraft during mission operations contain instructions for data collection and control of spacecraft's activities, and can contain errors as well. These onboard running sequences (that execute continuously for weeks to months) consist of

**135**

spacecraft's mission to be successful.

*Robotic Autonomous Spacecraft Missions: Cassini Mission-To-Saturn Example*

hundreds of commands to perform activities such as earth, sun, and star tracking, monitoring celestial references for attitude targeting, performing maneuvers to fine-tune the trajectory when required, science calibration and collection; all of which are all subject to human-induced glitches which can potentially cause serious faults. As an example, should the transmitter or receiver onboard the spacecraft be accidentally commanded off, the condition would cause an inability of the ground station to communicate with the spacecraft [5]. Too many components commanded on at the same time could exceed the spacecraft's power allocation, leading to a spacecraft-wide "under-voltage power-outage" condition. An error in target parameters could send the spacecraft in the wrong direction or miss a valuable science

The possibility of human error must also be considered during the spacecraft's conceptual design process where prelaunch assumptions are made based upon past mission experience, in some cases, using their test data which is not an "apples-to-apples"

After many years of flight through the harsh flight environment, it is expected that spacecraft will experience various hardware degradations and failures. These potential problems must also be taken into account when extending spacecraft missions past their intended prime mission end dates, as the functionality of critical devices, is clearly a factor in this decision. Sensors can fail and devices that must undergo periodic cycling are all subject to breakdowns and degradations, which

An inhibitor of fault diagnosis and resolution is the ever-increasing lag time experienced on missions with large earth-to-spacecraft distance, referred to as Round Trip Light Time (RTLT). Ground ⇒ Spacecraft ⇒ ground transactions are almost instantaneous when the vehicle is near the earth since radio waves travel at the speed of light, but once the spacecraft gains substantial distance from our planet, even a signal traveling at this great velocity can take hours. In the case of Cassini at Saturn, a command sent from the ground took nearly 3 h to confirm back on Earth (~10 AU). This lag time becomes a high-risk deterrent to resolving problems when spacecraft like Cassini are sent out great distances. In fact, under certain failure conditions, it is impossible for the ground team to detect a spacecraft's anomalous condition and command recovery actions in time to preclude a catastrophic failure from occurring. An example of this situation would be failure of the helium latch valve to close properly (within the PMS system) after a pressurization task of the fuel/oxidizer tanks. This valve failure could cause the tank pressure to rise substantially in a very short period of time. If this condition occurred on the Cassini spacecraft, the pressure could rise to a catastrophic level before the pressure measurement data can even reach earth's ground stations to indicate the fault condition. In addition to fault detection and resolution concerns, this large lag time becomes a significant factor in the presence of one-time science opportunities such as planet flybys, moon encounters, and special science targets. For these events, the timing is crucial since only one opportunity exists to meet the objective and there may be no second chance. In many cases, these unique events must proceed unimpeded by fault interference in order for the

limit the mission's capability to perform future planned objectives.

**4.5 Dealing with earth-spacecraft relative distance**

*DOI: http://dx.doi.org/10.5772/intechopen.82161*

observation.

comparison as assumed.

**4.4 Aging hardware**

*Robotic Autonomous Spacecraft Missions: Cassini Mission-To-Saturn Example DOI: http://dx.doi.org/10.5772/intechopen.82161*

hundreds of commands to perform activities such as earth, sun, and star tracking, monitoring celestial references for attitude targeting, performing maneuvers to fine-tune the trajectory when required, science calibration and collection; all of which are all subject to human-induced glitches which can potentially cause serious faults. As an example, should the transmitter or receiver onboard the spacecraft be accidentally commanded off, the condition would cause an inability of the ground station to communicate with the spacecraft [5]. Too many components commanded on at the same time could exceed the spacecraft's power allocation, leading to a spacecraft-wide "under-voltage power-outage" condition. An error in target parameters could send the spacecraft in the wrong direction or miss a valuable science observation.

The possibility of human error must also be considered during the spacecraft's conceptual design process where prelaunch assumptions are made based upon past mission experience, in some cases, using their test data which is not an "apples-to-apples" comparison as assumed.
