*5.1.1 Launch and deployment*

At Cape Canaveral, Florida, final preparations were nearly complete for Cassini's launch from Space Launch Complex 40 (SLC-40). But on September 3, 1997, NASA announced that high air conditioning flow-rate servicing of the Cassini spacecraft and the Huygens Probe tore a 2-inch rip within the insulation protecting the probe. It was feared that particles may have contaminated Huygens' delicate instruments, so that the spacecraft had to be hoisted off the launch tower, and the Huygens Probe removed and cleaned thoroughly. Re-installation of the probe on Cassini was performed on September 13 and the Cassini/Huygens vehicle was returned to SLC-40, followed by the integration of the spacecraft with the launch vehicle.

Cassini had a 30-day nominal launch window (from October 10, 1997 to November 4, 1997), which provided an arrival date at Saturn of January 7, 2004. After this launch window expired, the desired arrival date would no longer be achievable. A Titan IV launch vehicle with Solid Rocket Motor Upgrades (SRMUs) and a Centaur upper stage was used as the launch vehicle; Cassini was the second mission to use the SRMU configuration. Cassini was scheduled to launch on October 13, 1997, and after two launch attempts, the spacecraft successfully achieved lifted-off on October 15, 1997 at 08:55 UTC. Cassini was placed into an elliptical orbit by the Centaur upper stage burn (170 × 445 km parking orbit with an inclination of approximately 30°). In case the Centaur stage failed to successfully initiate a successful second burn, this "parking orbit" was designed to provide an orbital lifetime of about 20 days. Failure of subsequent burns would have caused the SOFS team to initiate operations to keep the spacecraft in a Sufficiently High Orbit (SHO) so that Cassini could be placed into a 2000-year lifetime orbit. But after 17 min in the parking orbit, the Centaur successfully fired again, launching Cassini toward Venus en route to Saturn. Cassini's AACS computers then executed the "find stars" mode block to acquire star knowledge via the onboard sequence, starting its journey toward the Saturnian system.

*SSR bit flips:* Almost as soon as Cassini left the launch pad, the spacecraft's telemetry stream indicated a higher than expected single bit error (SBE) and double bit error (DBE) rate in the SSRs than was predicted by the SSR Specification document. This spec predicted occurrences of SBE = 6/week and DBE = 2/year per SSR; the actual in flight was SBE = 20/h and DBE = 2/day. The SSRs are a high capacity, solid state bulk storage medium with no moving parts, containing 2.01 gigabits of memory per SSR for storage of computer/instrument FSW and collected science data. These erroneous "bit flips" change the affected stored/collected data from "1" to "0" (or vice versa), corrupting the data. Error detection and correction (EDAC) logic was installed by the manufacturer to "scrub" (detect and fix) the SBEs every several minutes, but the DBEs cannot be corrected without an arduous manual process performed by the SOFS team. An anomaly team was formed to determine

**139**

*5.1.2 Inner cruise*

*Robotic Autonomous Spacecraft Missions: Cassini Mission-To-Saturn Example*

the cause for these high bit rates. The team discovered that due to the physical adjacency of some data and checksum bits (a violation of design requirements), one cosmic ray could cause two bit errors to occur [14]. This was due to a human error in

*Fix:* As a result, a new "SSR DBE Auto Repair" FP algorithm was designed by the SOFS team and uplinked to detect and initiate automatic repairs of DBEs within the

*PMS regulator malfunction*: The spacecraft prepared for the first Trajectory Control

However when PV-1 was opened, the prime regulator (which keeps the tank pressures at a safe level) was discovered to have malfunctioned due to a trapped particle within the hard-seat regulator, and was leaking at a significant rate. The pressure in the tanks rose high enough to reach FP thresholds, which would have activated the Overpressure Response FP, executing the Safe Mode Response and halting the onboard sequence (and the ME burn maneuver). Analysis determined that the leak rate was 1700 cc/min; the worst leak rate expected through testing was only 1.70 cc/min (a factor of 1000 times lower than this leak rate). The impact of this unexpected regulator malfunction would now require a substantial redesign in the ME burn strategy for the entire mission. This leak further increased a year later during the 90-min Deep Space Maneuver (DSM) burn, by a factor of 6.6. The upcoming SOI burn (in the next 6 years) was a crucial mission event which relied upon the characterization of the PMS system 30 days before Saturn-capture. This task would now be impossible to achieve, so that an entire redesign of the 90-min SOI burn would now be required [15].

*Fix:* To halt the pressure rise, the SOFS team uplinked a command to close the High Pressure Latch Valve (HPLV) to stop the helium pressurant from filling the tanks' ullage bubble with helium. During the cruise period, the mission was redesigned so that all ME burns were supported by a special uplinked sequence which controlled the inflow pressurization of the fuel and oxidizer tank duration, by allowing the HPLV to remain open for just a short period of time (~10 min). A new set of FP routines addressing the associated new failure modes that resulted from the redesign effort were also uplinked to the spacecraft's FSW, and the SOI burn

*Safe mode activation #1:* FP swapped the prime SRU to the backup device during a decontamination activity which did not proceed normally. It was determined that a misalignment between SRU prime and SRU backup had occurred when the backup unit was turned on, triggering the FP since the affected AACS design parameter was too sensitive. The fix was to improve the parameter and patch the spacecraft's FSW. This problem could not be uncovered by testing since it could not

*Safe mode activation #2:* During an instrument checkout, Cassini was commanded to perform a slow roll about the Z-axis to keep the X-axis as close as

possible to Sun-point while the spacecraft proceeded through Opposition. An overly sensitive AACS control target parameter tripped the Safe Mode response. The

pressurization strategy was also redesigned successfully.

be modeled in the Cassini test facility.

Maneuver (TCM) on November 9, 1997 (L + 25 days). Before this first maneuver could begin, the fuel and oxidizer tanks were heated (in order to avoid an irreversible overpressure in the propellant lines), including venting, priming, and pressurizing of the bipropellant lines for the ME. This venting activity removes the gas between the latch valves and the engines, which creates a vacuum in the propellant lines. The ME cover was opened prior to venting, and the lines were primed (priming fills the ME lines with propellant). The helium pressurant line was opened (to fill the ullage

bubble within the fuel and oxidizer tanks) by opening a pyro valve, PV-1.

*DOI: http://dx.doi.org/10.5772/intechopen.82161*

the mapping of SSR memory.

FSW on both SSRs.

*Robotic Autonomous Spacecraft Missions: Cassini Mission-To-Saturn Example DOI: http://dx.doi.org/10.5772/intechopen.82161*

the cause for these high bit rates. The team discovered that due to the physical adjacency of some data and checksum bits (a violation of design requirements), one cosmic ray could cause two bit errors to occur [14]. This was due to a human error in the mapping of SSR memory.

*Fix:* As a result, a new "SSR DBE Auto Repair" FP algorithm was designed by the SOFS team and uplinked to detect and initiate automatic repairs of DBEs within the FSW on both SSRs.

*PMS regulator malfunction*: The spacecraft prepared for the first Trajectory Control Maneuver (TCM) on November 9, 1997 (L + 25 days). Before this first maneuver could begin, the fuel and oxidizer tanks were heated (in order to avoid an irreversible overpressure in the propellant lines), including venting, priming, and pressurizing of the bipropellant lines for the ME. This venting activity removes the gas between the latch valves and the engines, which creates a vacuum in the propellant lines. The ME cover was opened prior to venting, and the lines were primed (priming fills the ME lines with propellant). The helium pressurant line was opened (to fill the ullage bubble within the fuel and oxidizer tanks) by opening a pyro valve, PV-1.

However when PV-1 was opened, the prime regulator (which keeps the tank pressures at a safe level) was discovered to have malfunctioned due to a trapped particle within the hard-seat regulator, and was leaking at a significant rate. The pressure in the tanks rose high enough to reach FP thresholds, which would have activated the Overpressure Response FP, executing the Safe Mode Response and halting the onboard sequence (and the ME burn maneuver). Analysis determined that the leak rate was 1700 cc/min; the worst leak rate expected through testing was only 1.70 cc/min (a factor of 1000 times lower than this leak rate). The impact of this unexpected regulator malfunction would now require a substantial redesign in the ME burn strategy for the entire mission. This leak further increased a year later during the 90-min Deep Space Maneuver (DSM) burn, by a factor of 6.6. The upcoming SOI burn (in the next 6 years) was a crucial mission event which relied upon the characterization of the PMS system 30 days before Saturn-capture. This task would now be impossible to achieve, so that an entire redesign of the 90-min SOI burn would now be required [15].

*Fix:* To halt the pressure rise, the SOFS team uplinked a command to close the High Pressure Latch Valve (HPLV) to stop the helium pressurant from filling the tanks' ullage bubble with helium. During the cruise period, the mission was redesigned so that all ME burns were supported by a special uplinked sequence which controlled the inflow pressurization of the fuel and oxidizer tank duration, by allowing the HPLV to remain open for just a short period of time (~10 min). A new set of FP routines addressing the associated new failure modes that resulted from the redesign effort were also uplinked to the spacecraft's FSW, and the SOI burn pressurization strategy was also redesigned successfully.

#### *5.1.2 Inner cruise*

*Aerospace Engineering*

satellite encounters.

**5.1 Prime mission experience**

*5.1.1 Launch and deployment*

journey toward the Saturnian system.

was used as "the tour engine" enabling orbit rotation, orbital period, and inclination changes needed to study Saturn's geometry, as well as to set up the many icy

During Cassini's mission and its three tour phases, there were several instances where faults and problems occurred that required resolution by way of the onboard FP, FSW updates, and/or SOFS interaction. Detailed in the following sections are some of these experiences (mostly unexpected) during the Cassini mission, which

At Cape Canaveral, Florida, final preparations were nearly complete for Cassini's launch from Space Launch Complex 40 (SLC-40). But on September 3, 1997, NASA announced that high air conditioning flow-rate servicing of the Cassini spacecraft and the Huygens Probe tore a 2-inch rip within the insulation protecting the probe. It was feared that particles may have contaminated Huygens' delicate instruments, so that the spacecraft had to be hoisted off the launch tower, and the Huygens Probe removed and cleaned thoroughly. Re-installation of the probe on Cassini was performed on September 13 and the Cassini/Huygens vehicle was returned to SLC-40,

challenged prelaunch assumptions and the ingenuity of the SOFS team.

followed by the integration of the spacecraft with the launch vehicle.

Cassini had a 30-day nominal launch window (from October 10, 1997 to November 4, 1997), which provided an arrival date at Saturn of January 7, 2004. After this launch window expired, the desired arrival date would no longer be achievable. A Titan IV launch vehicle with Solid Rocket Motor Upgrades (SRMUs) and a Centaur upper stage was used as the launch vehicle; Cassini was the second mission to use the SRMU configuration. Cassini was scheduled to launch on October 13, 1997, and after two launch attempts, the spacecraft successfully achieved lifted-off on October 15, 1997 at 08:55 UTC. Cassini was placed into an elliptical orbit by the Centaur upper stage burn (170 × 445 km parking orbit with an inclination of approximately 30°). In case the Centaur stage failed to successfully initiate a successful second burn, this "parking orbit" was designed to provide an orbital lifetime of about 20 days. Failure of subsequent burns would have caused the SOFS team to initiate operations to keep the spacecraft in a Sufficiently High Orbit (SHO) so that Cassini could be placed into a 2000-year lifetime orbit. But after 17 min in the parking orbit, the Centaur successfully fired again, launching Cassini toward Venus en route to Saturn. Cassini's AACS computers then executed the "find stars" mode block to acquire star knowledge via the onboard sequence, starting its

*SSR bit flips:* Almost as soon as Cassini left the launch pad, the spacecraft's telemetry stream indicated a higher than expected single bit error (SBE) and double bit error (DBE) rate in the SSRs than was predicted by the SSR Specification document. This spec predicted occurrences of SBE = 6/week and DBE = 2/year per SSR; the actual in flight was SBE = 20/h and DBE = 2/day. The SSRs are a high capacity, solid state bulk storage medium with no moving parts, containing 2.01 gigabits of memory per SSR for storage of computer/instrument FSW and collected science data. These erroneous "bit flips" change the affected stored/collected data from "1" to "0" (or vice versa), corrupting the data. Error detection and correction (EDAC) logic was installed by the manufacturer to "scrub" (detect and fix) the SBEs every several minutes, but the DBEs cannot be corrected without an arduous manual process performed by the SOFS team. An anomaly team was formed to determine

**138**

*Safe mode activation #1:* FP swapped the prime SRU to the backup device during a decontamination activity which did not proceed normally. It was determined that a misalignment between SRU prime and SRU backup had occurred when the backup unit was turned on, triggering the FP since the affected AACS design parameter was too sensitive. The fix was to improve the parameter and patch the spacecraft's FSW. This problem could not be uncovered by testing since it could not be modeled in the Cassini test facility.

*Safe mode activation #2:* During an instrument checkout, Cassini was commanded to perform a slow roll about the Z-axis to keep the X-axis as close as possible to Sun-point while the spacecraft proceeded through Opposition. An overly sensitive AACS control target parameter tripped the Safe Mode response. The

SOFS team determined that only flight experience can reveal this problem and the parameter was updated.

*Spurious SSPS trip events:* Starting at L + 4 months on February 14, 1998, Cassini started to experience trip-off events on its 192 SSPS switches, with an average of two trips per year. Cassini was the first spacecraft ever to use SSPS switches, so that the effect of the flight environment on these devices was not completely predictable. These trips are caused by galactic rays within the flight environment, where one or more photon hits on the voltage comparator of the switch, and can result in a false indication that the current load is anomalously high. This causes the switch to transition from either an "on" or "off" state to a "tripped" condition, which can result in either a benign or serious effect on the spacecraft, depending on which switch trips, and if it is operating at the time of the event.

During the mission, 38 trip events occurred, some of which had significant effects. In May 2005, the USO experienced a trip event, causing loss of communication with the SOFS team until two-way communication could be established once again. In September 2007, the Traveling Wave Tube Amplifier (TWTA) underwent a trip event, causing FP to activate; Safe Mode was executed three times, in addition to a Power-On-Reset (POR) of the RFS system and a Hardware (HW) swap of the TCU and TWTA. The spacecraft's DST was hit in September 2013, causing the Command Demodulation Unit (CDU) to reduce the uplink transmission rate from 500 bits-per-second (bps) to 7.8 bps.

*Fix:* Nothing can be done to prevent SSPS trip occurrences. Therefore, a new "SSPS Trip" FP algorithm was designed and uplinked into the spacecraft's FSW to address these SEU induced trip events. This new FP monitors each SSPS switch and responds to trips conditions with a predetermined response which is unique for each of the 192 SSPS switches.

*Degradation in the ME cover:* Shortly before the DSM maneuver, when the ME cover was opened, the cover did not deploy as far as it had in ground tests (14° less than expected), although the opening angle was sufficient to allow for ME burns. The cause was attributed to an increased stiffness in the cover material due to its exposure within the radiation environment of the inner solar system, and to a lesser extent, the long period of disuse. Unfortunately, the ME cover activity within flight environment could not be adequately tested on the ground prelaunch. Since the DSM maneuver, the ME cover opening angle held steady through many cycles, with no further signs of degradation observed. The cover behavior was monitored by the SOFS team until the End of the Mission (EOM).

#### *5.1.3 Outer cruise*

*Safe mode activation #3:* In 2001, the backup CDS computer experienced a reset due to an oversite in the onboard sequence (human error); a missing telemetry mode definition. As part of the CDS design, all telemetry modes (the rate at which data is downlinked) are executed in both the prime and online CDS computers. As a result of an SOFS exercise to update the SSR with MAG replacement heater patches, one of the backup CDS computer's telemetry modes were overwritten (and thus, was not available), so that it existed only in the prime CDS computer. After activating this particular telemetry mode from the C26 background sequence, the backup CDS reset since the telemetry mode did not exist.

*Fix:* The SOFS team uses "flight rules" and constraint checklists to ensure errors do not creep into sequences; this particular check was not included in the real-time patch checklist, and was henceforth added to this list.

*RWA increased friction anomaly:* On December 16, 2000, RWA wheel #2 caused the spacecraft to autonomously switch from RWA control to RCS control due to

**141**

*Robotic Autonomous Spacecraft Missions: Cassini Mission-To-Saturn Example*

an increase in friction (triggering FP with no Safe Mode execution), interrupting planned science activities. Analyses determined that this high friction region was

*Fix:* Constraints were imposed by the SOFS team to avoid the low RPM region for all three RWAs. This was accomplished by altering the wheel speed biasing strategy. A project directive was made to use the RCS system as the primary control

*ISS instrument haze anomaly:* Five months after the Jupiter flyby event in 2001, it was discovered that a distinct haze was observed around Saturn in images captured by the NAC camera, which had not been seen in previous images. It was determined that this anomaly was caused by contamination of very small particles residing on either the camera's filter assembly or CCD window. It appeared to have been caused by the very long period since the previous decontamination cycle (13 months), and the deeper cold of the environment compared to previous cycles (−90 vs. 0°C). *Fix:* A series of decontamination cycles were completed to remove the haze (from periods of 7–57 days in length). A flight rule was added to correct the proce-

*Safe mode activation #4:* The C37 cruise sequence was operating nominally when one of the target vectors was queued to be loaded by the series of commands in operation. Although this target vector was provided in the AACS table being accessed, the associated time-tag associated with the command contained an error, so that it was labeled prior to the start time of the C37 sequence. Since the vector

*Fix:* The proper vector was reloaded and the sequence restarted onboard the spacecraft; ground procedures were updated to preclude this human error from

*Fix:* RWA #3 was commanded off to save its remaining life and the redundant

*Loss of MAG data during SOI:* During the SOI event, no magnetometer data was acquired due to a sequencing error that caused an unexpected instrument reset (instrument FP was triggered). Since SOI was the only opportunity in the prime mission to fly very close to Saturn (until later in the extended mission phases), the

*Probe Doppler bandwidth error:* Tests were conducted before reaching Saturn in February 2000 for the Probe ⇒ Cassini ⇒ DSN station data link delivery transmission. These analyses were needed to prepare for the Probe deploy and relay tasks, consisting of several flight exercises and performing "what-if" tests, as well as to validate the Probe's FSW. Since the Probe's two computers contained minimal

*Activation of the redundant RWA #4 wheel:* All three RWAs had started to exhibited the same high friction levels at low RPM (drag torque spikes), but unlike RWA #1 and RWA #2, RWA #3 also began to exhibit "cage instability," which is characterized by vibration of the metal cage that holds the ball bearings in place. Analysis showed that the wheel was trending towards possible failure in weeks to

could not be loaded properly, the Safe Mode response was requested.

loss of science data was considered to be very significant (**Figure 8**).

*DOI: http://dx.doi.org/10.5772/intechopen.82161*

localized to the low RPM operating region.

for the rest of the cruise phase.

dure of heating the ISS camera.

*5.1.4 Science cruise phase*

happening again.

possibly months.

*5.1.5 Saturn approach phase*

*5.1.6 Huygens probe mission*

(spare) RWA #4 was turned on to replace it.

#### *Robotic Autonomous Spacecraft Missions: Cassini Mission-To-Saturn Example DOI: http://dx.doi.org/10.5772/intechopen.82161*

an increase in friction (triggering FP with no Safe Mode execution), interrupting planned science activities. Analyses determined that this high friction region was localized to the low RPM operating region.

*Fix:* Constraints were imposed by the SOFS team to avoid the low RPM region for all three RWAs. This was accomplished by altering the wheel speed biasing strategy. A project directive was made to use the RCS system as the primary control for the rest of the cruise phase.

*ISS instrument haze anomaly:* Five months after the Jupiter flyby event in 2001, it was discovered that a distinct haze was observed around Saturn in images captured by the NAC camera, which had not been seen in previous images. It was determined that this anomaly was caused by contamination of very small particles residing on either the camera's filter assembly or CCD window. It appeared to have been caused by the very long period since the previous decontamination cycle (13 months), and the deeper cold of the environment compared to previous cycles (−90 vs. 0°C).

*Fix:* A series of decontamination cycles were completed to remove the haze (from periods of 7–57 days in length). A flight rule was added to correct the procedure of heating the ISS camera.
