Flight Autonomy Enablers of Health and Safety Maintenance
Previously the FDC capability was described at a high level to illustrate how
FSW autonomy is utilized to mitigate health and safety risks that might otherwise
lead to onboard failures that could, in turn, result in failure to achieve
spacecraft mission objectives. However, FDC can also be viewed as a key component
of the spacecraft infrastructure dedicated to maintaining the spacecraft
in a suitable state so the ground can schedule its science observations with
confidence, with the knowledge that the FSW will be capable of carrying out
its directives effectively, reliably, and safely. As with the case of onboard
resource management, there are reasonable arguments for viewing FSW FDC
capability both as an enabler of achieving mission objectives and as a critical
component of the spacecraft infrastructure.
The most important safety check for all spacecraft is to verify that electrical
power capacity is adequate to keep the spacecraft alive. Detection of
unacceptably low power levels will trigger the autonomous commanding of
major load-shedding and (usually) transition to safemode for the spacecraft
and its SIs. Verifying that no violations of thermal limits have occurred is
almost as important as the power checks. Such violations at best may
lead to irretrievably degraded science data, and at worst, loss of the SI or even
the spacecraft itself due to potentially irreversible hardware failures such as
freezing of thruster propellant lines. At a more local level, celestial pointers, in
particular, are always very concerned with possible damage to their imaging
system and/or SIs due to exposure to bright objects or excessive radiation.
Another potentially lethal problem is loss of attitude control. Maintenance of
attitude control must be checked both to ensure that the spacecraft is able
to acquire and collect data from its science targets, and more importantly to
ensure that none of the previously discussed constraints (power, thermal, and
bright object avoidance) are violated.
Note that not all of these safety checks are performed exclusively onboard.
The ground system will normally attempt to ensure that none of its commands
knowingly violate any of the constraints described above, and the ground
system will also use telemetered engineering data to monitor the spacecraft
state to detect any violations that may have occurred. In practice, the crucial
job of maintaining the spacecraft system is distributed between flight and
ground systems, but when an offending event occurs in real time onboard, it is
primarily the responsibility of the flight system to be the first to recognize the
advent of a problem and to take the initial (although not necessarily definitive)
steps to solve the problem.
3.1.3 Satisfying Operations Staff Needs
Unlike more mundane earth-bound situations where users typically are permitted
direct, physical access to the hardware they are using, for spacecraft
applications the users effectively interface with the spacecraft exclusively