[SystemSafety] Schiaparelli Incident Investigation - "Very Preliminary" Results

Peter Bernard Ladkin ladkin at causalis.com
Thu Nov 24 07:10:43 CET 2016


https://www.theguardian.com/science/2016/nov/24/mars-lander-smashed-into-ground-at-540kmh-after-misjudging-its-altitude

[begin quote Guardian]

After trawling through vast amounts of data, the ESA said on Wednesday that while much of the
mission went according to plan, a computer that measured the rotation of the lander hit a maximum
reading, knocking other calculations off track.

That led the navigation system to think the lander was much lower than it was, causing its parachute
and braking thrusters to be deployed prematurely.

“The erroneous information generated an estimated altitude that was negative – that is, below ground
level,” the ESA said in a statement.

“This in turn successively triggered a premature release of the parachute and the backshell [heat
shield], a brief firing of the braking thrusters and finally activation of the on-ground systems as
if Schiaparelli had already landed. In reality, the vehicle was still at an altitude of around 3.7km
(2.3 miles).”

[end quote Guardian]

This colloquial explanation didn't say much to me. ESA has more precise info on its WWW site at
http://www.esa.int/Our_Activities/Space_Science/ExoMars/Schiaparelli_landing_investigation_makes_progress

[begin quote ESA]
The parachute deployed normally at an altitude of 12 km and a speed of 1730 km/h. The vehicle’s
heatshield, having served its purpose, was released at an altitude of 7.8 km.

As Schiaparelli descended under its parachute, its radar Doppler altimeter functioned correctly and
the measurements were included in the guidance, navigation and control system. However, saturation –
maximum measurement – of the Inertial Measurement Unit (IMU) had occurred shortly after the
parachute deployment. The IMU measures the rotation rates of the vehicle. Its output was generally
as predicted except for this event, which persisted for about one second – longer than would be
expected.

When merged into the navigation system, the erroneous information generated an estimated altitude
that was negative – that is, below ground level. This in turn successively triggered a premature
release of the parachute and the backshell, a brief firing of the braking thrusters and finally
activation of the on-ground systems as if Schiaparelli had already landed. In reality, the vehicle
was still at an altitude of around 3.7 km.

This behaviour has been clearly reproduced in computer simulations of the control system’s response
to the erroneous information.

[end quote ESA]

However, this information is a "very preliminary conclusion", according to ESA's Director of Human
Spaceflight and Robotic Exploration, David Parker. An "external independent inquiry board" is due to
report in "early 2017".

My initial reaction to the Guardian quote was that someone thinks it looks like a specification
error or a data-type bounding problem. That's not necessarily what I get from the ESA quote. There
is an unanticipated event, namely a maximum value emanating from the IMU for "longer
than...anticipated". So that could be due to
* unexpected behaviour of the spacecraft; veridical IMU reading; out of requirements-spec situation; or
* erroneous output of the IMU; inadequate exception handling of this unanticipated behaviour (also
an out-of-spec situation, but of a different kind)
* inadequate data-typing and boundary-case/overflow exception handling
* ? something else ?

If ESA has reproduced the behaviour in simulation, then they very likely know which of these is the
case.

PBL


Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
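[Editor's note: added worked example, not part of Prof. Ladkin's post and not ESA's flight software.] The third bullet above (boundary-case handling of a sensor sitting at its maximum reading) can be illustrated with a toy pipeline. Everything in it is an assumption made for illustration: the gyro full-scale limit, the 100 Hz sample period, the descent-rate bound, the "altitude = radar slant range times cos(pitch)" geometry, and the constructed IMU/radar stream. The ESA text only says that a one-second saturated IMU reading, merged into the navigation system, produced a negative altitude; the projection-through-attitude mechanism used here is one hypothetical way that can happen, not a reconstruction of Schiaparelli's actual filter. The naive path integrates the rail value as though it were a measurement; the guarded path treats saturation as a flag rather than a number and rejects altitude estimates that are physically impossible.

```python
"""Toy GNC pipeline: rate-gyro saturation fed into an attitude integrator
and an altitude estimate.  Constructed example with assumed numbers; it is
not ESA's flight software and does not model Schiaparelli's real filter."""
import math

GYRO_FULL_SCALE = 200.0   # deg/s: assumed gyro saturation ("maximum measurement")
DT = 0.01                 # s: assumed IMU sample period (100 Hz)
MAX_DESCENT_RATE = 150.0  # m/s: assumed bound on |altitude change| under parachute


def imu_sample(true_rate):
    """Model the IMU front end: clamp to full scale and report whether it did."""
    value = max(-GYRO_FULL_SCALE, min(GYRO_FULL_SCALE, true_rate))
    return value, value != true_rate


def constructed_stream(n_before=50, n_sat=100, n_after=50,
                       slant0=3760.0, descent=60.0):
    """Constructed data: quiet, a 1 s burst where the gyro sits at its rail
    (true rate well above full scale), then quiet.  Radar slant range shrinks
    at a constant descent rate.  Returns [(rate, saturated, slant_range), ...]."""
    true_rates = [0.0] * n_before + [3 * GYRO_FULL_SCALE] * n_sat + [0.0] * n_after
    stream = []
    for i, r in enumerate(true_rates):
        value, sat = imu_sample(r)
        stream.append((value, sat, slant0 - descent * DT * i))
    return stream


def naive_altitudes(stream, pitch0=0.0):
    """Integrate every gyro value as if it were a measurement, then project
    the radar slant range through the estimated pitch.  A rail value
    integrated for 1 s swings the pitch past 90 deg, cos() goes negative,
    and the altitude estimate ends up below ground level."""
    pitch, alts = pitch0, []
    for rate, _sat, slant in stream:
        pitch += rate * DT
        alts.append(slant * math.cos(math.radians(pitch)))
    return alts


def guarded_altitudes(stream, pitch0=0.0):
    """Same pipeline with two boundary checks the naive one lacks:
    1. a saturated sample is a flag, not a number: do not integrate it;
    2. the altitude estimate must be non-negative and change no faster
       than the assumed descent bound, else keep the last good value.
    Returns (altitudes, faults)."""
    pitch, alts, faults = pitch0, [], []
    prev = None
    for i, (rate, sat, slant) in enumerate(stream):
        if sat:
            faults.append((i, "gyro saturated: attitude held"))
        else:
            pitch += rate * DT
        alt = slant * math.cos(math.radians(pitch))
        if alt < 0 or (prev is not None and abs(alt - prev) > MAX_DESCENT_RATE * DT):
            faults.append((i, f"implausible altitude {alt:.1f} m rejected"))
            alt = prev if prev is not None else slant
        alts.append(alt)
        prev = alt
    return alts, faults


def landing_sequence_triggered(alts):
    """Caricature of the mode logic the ESA text describes: an estimated
    altitude at or below ground level starts the landing sequence."""
    return any(a <= 0 for a in alts)


if __name__ == "__main__":
    s = constructed_stream()
    naive = naive_altitudes(s)
    guarded, faults = guarded_altitudes(s)
    print(f"naive:   min altitude {min(naive):8.1f} m, "
          f"landing triggered: {landing_sequence_triggered(naive)}")
    print(f"guarded: min altitude {min(guarded):8.1f} m, "
          f"landing triggered: {landing_sequence_triggered(guarded)}, "
          f"{len(faults)} faults logged")
```

Holding the attitude during saturation is only one possible policy, and it is the wrong one if the first bullet applies and the vehicle really was rotating that fast; the point the example makes is narrower: a value at the sensor's rail is not a measurement, the consumer of the data has to be told that, and an estimate that a physical bound can rule out (altitude below ground, a jump larger than the vehicle could fly in one sample) should not be allowed to drive mode transitions.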
