[SystemSafety] Schiaparelli Incident Investigation - "Very Preliminary" Results

Matthew Squair mattsquair at gmail.com
Thu Nov 24 09:17:51 CET 2016


Landing on Mars is a tough gig and hindsight as always is 20:20 but still, you'd think that the flight software should have recognized that flying below ground level was not realistic, discounted it and gone to a fallback response.

Matthew Squair

MIEAust, CPEng
Mob: +61 488770655
Email: Mattsquair at gmail.com
Web: http://criticaluncertainties.com

> On 24 Nov. 2016, at 5:10 pm, Peter Bernard Ladkin <ladkin at causalis.com> wrote:
> 
> https://www.theguardian.com/science/2016/nov/24/mars-lander-smashed-into-ground-at-540kmh-after-misjudging-its-altitude
> 
> [begin quote Guardian]
> 
> After trawling through vast amounts of data, the ESA said on Wednesday that while much of the
> mission went according to plan, a computer that measured the rotation of the lander hit a maximum
> reading, knocking other calculations off track.
> 
> That led the navigation system to think the lander was much lower than it was, causing its parachute
> and braking thrusters to be deployed prematurely.
> 
> “The erroneous information generated an estimated altitude that was negative – that is, below ground
> level,” the ESA said in a statement.
> 
> “This in turn successively triggered a premature release of the parachute and the backshell [heat
> shield], a brief firing of the braking thrusters and finally activation of the on-ground systems as
> if Schiaparelli had already landed. In reality, the vehicle was still at an altitude of around 3.7km
> (2.3 miles).”
> 
> [end quote Guardian]
> 
> This colloquial explanation didn't say much to me. ESA has more precise info on its WWW site at
> http://www.esa.int/Our_Activities/Space_Science/ExoMars/Schiaparelli_landing_investigation_makes_progress
> 
> [begin quote ESA]
> The parachute deployed normally at an altitude of 12 km and a speed of 1730 km/h. The vehicle’s
> heatshield, having served its purpose, was released at an altitude of 7.8 km.
> 
> As Schiaparelli descended under its parachute, its radar Doppler altimeter functioned correctly and
> the measurements were included in the guidance, navigation and control system. However, saturation –
> maximum measurement – of the Inertial Measurement Unit (IMU) had occurred shortly after the
> parachute deployment. The IMU measures the rotation rates of the vehicle. Its output was generally
> as predicted except for this event, which persisted for about one second – longer than would be
> expected.
> 
> When merged into the navigation system, the erroneous information generated an estimated altitude
> that was negative – that is, below ground level. This in turn successively triggered a premature
> release of the parachute and the backshell, a brief firing of the braking thrusters and finally
> activation of the on-ground systems as if Schiaparelli had already landed. In reality, the vehicle
> was still at an altitude of around 3.7 km.
> 
> This behaviour has been clearly reproduced in computer simulations of the control system’s response
> to the erroneous information.
> 
> [end quote ESA]
> 
> However, this information is a "very preliminary conclusion", according to ESA's Director of Human
> Spaceflight and Robotic Exploration, David Parker. An "external independent inquiry board" is due to
> report in "early 2017".
> 
> My initial reaction to the Guardian quote was that someone thinks it looks like a specification
> error or a data-type bounding problem. That's not necessarily what I get from the ESA quote. There
> is an unanticipated event, namely a maximum value emanating from the IMU for "longer
> than...anticipated". So that could be due to
> * unexpected behaviour of the spacecraft; veridical IMU reading; out of requirements-spec situation; or
> * erroneous output of the IMU; inadequate exception handling of this unanticipated behaviour (also
> an out-of-spec situation, but of a different kind)
> * inadequate data-typing and boundary-case/overflow exception handling
> * ? something else ?
> 
> If ESA has reproduced the behaviour in simulation, then they very likely know which of these is the
> case.
> 
> PBL
> 
> 
> Prof. Peter Bernard Ladkin, Bielefeld, Germany
> MoreInCommon
> Je suis Charlie
> Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
> 
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
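The two points raised in this thread (a maximum IMU reading persisting "longer than expected" being merged into the navigation solution, and the suggestion that a below-ground altitude estimate should have been discounted in favour of a fallback) can be illustrated with a small simulation. The code below is an added example written for this archive page; it is a constructed toy model, not ESA's or the Schiaparelli GNC software, and every constant, the rate limit, the descent profile and the fusion rule (projecting a radar range onto the vertical with an IMU-derived pitch angle) are assumptions chosen only to reproduce the failure shape described above. It contrasts a naive estimator that acts on the first near-ground estimate with a guarded one that treats sustained saturation as invalid data, rejects a negative altitude as physically implausible, and requires several consecutive plausible near-ground samples before declaring touchdown.

```python
import math
from dataclasses import dataclass
from typing import Optional

# All constants below are assumptions for this toy model, not values from the ESA investigation.
DT = 0.1                # control loop period, s
RATE_SAT = 150.0        # rate at which the toy IMU pins at its maximum reading, deg/s
SAT_MAX_SAMPLES = 6     # saturation lasting longer than this (0.6 s) marks the IMU as invalid
TOUCHDOWN_ALT_M = 2.0   # altitude at or below which a sample counts as "near ground"
LANDED_CONFIRM = 3      # consecutive near-ground samples needed before declaring touchdown


@dataclass
class Sample:
    t: float            # s
    rate: float         # IMU pitch rate, deg/s
    radar_range: float  # radar altimeter range, m (assumed healthy throughout, as ESA reported)


@dataclass
class Result:
    state: str                  # "DESCENDING" or "LANDED"
    trigger_t: Optional[float]  # time at which touchdown was declared, if it was
    min_alt: float              # lowest altitude estimate the logic actually acted on
    rejected: int = 0           # samples discarded as physically implausible


def make_descent(sat_start=1.0, sat_end=2.0, start_range=4000.0, descent_rate=80.0, n=31):
    """Constructed telemetry: 5 deg/s nominal pitch rate, with the IMU pinned at RATE_SAT
    between sat_start and sat_end, and a radar range decreasing linearly."""
    samples = []
    for i in range(n):
        t = round(i * DT, 3)
        rate = RATE_SAT if sat_start <= t < sat_end else 5.0
        samples.append(Sample(t, rate, start_range - descent_rate * t))
    return samples


def altitude_from(pitch_deg, radar_range):
    # Assumed fusion rule: project the radar range onto the vertical using IMU-derived pitch.
    # A pitch estimate past 90 degrees makes this negative, i.e. "below ground level".
    return radar_range * math.cos(math.radians(pitch_deg))


def naive_estimate(samples):
    """Integrates whatever the IMU reports and acts on the first near-ground estimate."""
    pitch, min_alt = 0.0, math.inf
    for s in samples:
        pitch += s.rate * DT
        alt = altitude_from(pitch, s.radar_range)
        min_alt = min(min_alt, alt)
        if alt <= TOUCHDOWN_ALT_M:
            return Result("LANDED", s.t, min_alt)
    return Result("DESCENDING", None, min_alt)


def guarded_estimate(samples):
    """Same fusion with three guards: sustained saturation invalidates the IMU-derived
    attitude (fall back to the radar range), a below-ground estimate is rejected as
    implausible, and touchdown needs several consecutive plausible near-ground samples."""
    pitch, min_alt = 0.0, math.inf
    sat_run = near_ground = rejected = 0
    attitude_trusted = True
    last_good = altitude_from(0.0, samples[0].radar_range)
    for s in samples:
        sat_run = sat_run + 1 if abs(s.rate) >= RATE_SAT else 0
        imu_valid = sat_run <= SAT_MAX_SAMPLES
        if not imu_valid:
            attitude_trusted = False   # no re-initialisation in this toy; stay on the fallback
        if attitude_trusted:
            pitch += s.rate * DT
            alt = altitude_from(pitch, s.radar_range)
        else:
            alt = s.radar_range        # fallback: the instrument that is still reading sensibly
        if alt < 0.0:
            rejected += 1              # flying below ground is not a physical state
            alt = last_good
        else:
            last_good = alt
        min_alt = min(min_alt, alt)
        near_ground = near_ground + 1 if (imu_valid and alt <= TOUCHDOWN_ALT_M) else 0
        if near_ground >= LANDED_CONFIRM:
            return Result("LANDED", s.t, min_alt, rejected)
    return Result("DESCENDING", None, min_alt, rejected)


if __name__ == "__main__":
    telemetry = make_descent()
    print("naive:  ", naive_estimate(telemetry))
    print("guarded:", guarded_estimate(telemetry))
```

On the constructed telemetry the naive estimator declares touchdown at t = 1.5 s with a negative altitude, while the guarded one discards that single implausible sample, drops to the radar fallback once saturation has outlasted its budget, and stays in the descending state. The toy never re-initialises attitude after the IMU is distrusted; a real system would need a defined recovery path, which is exactly the kind of exception handling the thread asks about.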