The post below was sent in by Rosetta Spacecraft Operations Engineer Tiago Francisco, in response to our question: how does Rosetta get shut down upon comet landing?
ITU regulations require us to permanently switch off the craft’s radio transmitter at end of mission. Since Rosetta wasn’t designed to have its transmitter permanently off, we had to change the on-board software by patching it.
Basically, we expect the spacecraft to touch the surface, causing an attitude perturbation, and we expect this to trigger a safe mode.
Specifically, with the software change we created, once the spacecraft hits the surface of the comet, it will trigger an ‘FDIR’ response (Failure Detection, Isolation and Recovery – basically, the core on-board software that reacts when any monitored parameter goes out of limits), which will lead to a ‘safe mode’.
Upon completion of the safe-mode sequence, the spacecraft will be ‘passivated’ by using a specific branch nominally used for ground testing only. In other words, the craft will be placed into a passive, non-reactive mode that was initially designed only for ground testing prior to launch.
This means that all of the attitude and orbit control units will be off, as well as the transmitter.
As of yesterday, the software patch has been installed on board, but is not active. The first step to activate this response is being done today. Thereafter, the spacecraft will be passivated only if 15 reboots occur in a row (which is very unlikely). Three hours before the expected impact on 30 September, what we internally call the ‘point of no return’, we will fully activate the passivation instructions. Any safe mode after that point will passivate the spacecraft.
Upon landing, an FDIR trigger (likely caused by excess rates or off-pointing of the spacecraft) will cause a safe mode and hence the passivation.
Discussion: 2 comments
I am wondering if there could be some theatrics where a soft landing occurs (by a lot of luck) where the satellite could keep broadcasting from the surface for a time period.
Irrespective – what a mission, just great.
I’m a bit confused.
The first part of the text, the one about the “ground testing” branch, sounds like you will hardcode the OBSW to keep it in ground mode (AIT mode, pre-launch, or any name to the mode in ground testing).
But then, the part about the “15 reboots” sounds like you are changing the last configuration of the Safe Guard Memory, or the Reconfiguration Unit, (the part that changes the configuration after a reboot to try to avoid an faulty unit) so on a reboot the Transmitter keep switched off.
You will use both? I have misunderstood anything?
Regards