[SystemSafety] Schiaparelli Incident Investigation - "Very Preliminary" Results

Peter Bishop pgb at adelard.com
Thu Nov 24 10:07:15 CET 2016


You might also think that if they can simulate this event now
- they should have been able to simulate the landing during system testing.

Peter Bishop

On 24/11/2016 08:17, Matthew Squair wrote:
> Landing on Mars is a tough gig and hindsight as always is 20:20 but
> still, you'd think that the flight software should have recognized that
> flying below ground level was not realistic, discounted it and gone to a
> fall back response.
> 
> Matthew Squair
> 
> MIEAust, CPEng
> Mob: +61 488770655
> Email: Mattsquair at gmail.com <mailto:Mattsquair at gmail.com>
> Web: http://criticaluncertainties.com
> 
> On 24 Nov. 2016, at 5:10 pm, Peter Bernard Ladkin <ladkin at causalis.com
> <mailto:ladkin at causalis.com>> wrote:
> 
>> https://www.theguardian.com/science/2016/nov/24/mars-lander-smashed-into-ground-at-540kmh-after-misjudging-its-altitude
>>
>> [begin quote Guardian]
>>
>> After trawling through vast amounts of data, the ESA said on Wednesday
>> that while much of the
>> mission went according to plan, a computer that measured the rotation
>> of the lander hit a maximum
>> reading, knocking other calculations off track.
>>
>> That led the navigation system to think the lander was much lower than
>> it was, causing its parachute
>> and braking thrusters to be deployed prematurely.
>>
>> “The erroneous information generated an estimated altitude that was
>> negative – that is, below ground
>> level,” the ESA said in a statement.
>>
>> “This in turn successively triggered a premature release of the
>> parachute and the backshell [heat
>> shield], a brief firing of the braking thrusters and finally
>> activation of the on-ground systems as
>> if Schiaparelli had already landed. In reality, the vehicle was still
>> at an altitude of around 3.7km
>> (2.3 miles).”
>>
>> [end quote Guardian]
>>
>> This colloquial explanation didn't say much to me. ESA has more
>> precise info on its WWW site at
>> http://www.esa.int/Our_Activities/Space_Science/ExoMars/Schiaparelli_landing_investigation_makes_progress
>>
>> [begin quote ESA]
>> The parachute deployed normally at an altitude of 12 km and a speed of
>> 1730 km/h. The vehicle’s
>> heatshield, having served its purpose, was released at an altitude of
>> 7.8 km.
>>
>> As Schiaparelli descended under its parachute, its radar Doppler
>> altimeter functioned correctly and
>> the measurements were included in the guidance, navigation and control
>> system. However, saturation –
>> maximum measurement – of the Inertial Measurement Unit (IMU) had
>> occurred shortly after the
>> parachute deployment. The IMU measures the rotation rates of the
>> vehicle. Its output was generally
>> as predicted except for this event, which persisted for about one
>> second – longer than would be
>> expected.
>>
>> When merged into the navigation system, the erroneous information
>> generated an estimated altitude
>> that was negative – that is, below ground level. This in turn
>> successively triggered a premature
>> release of the parachute and the backshell, a brief firing of the
>> braking thrusters and finally
>> activation of the on-ground systems as if Schiaparelli had already
>> landed. In reality, the vehicle
>> was still at an altitude of around 3.7 km.
>>
>> This behaviour has been clearly reproduced in computer simulations of
>> the control system’s response
>> to the erroneous information.
>>
>> [end quote ESA]
>>
>> However, this information is a "very preliminary conclusion",
>> according to ESA's Director of Human
>> Spaceflight and Robotic Exploration, David Parker. An "external
>> independent inquiry board" is due to
>> report in "early 2017".
>>
>> My initial reaction to the Guardian quote was that someone thinks it
>> looks like a specification
>> error or a data-type bounding problem. That's not necessarily what I
>> get from the ESA quote. There
>> is an unanticipated event, namely a maximum value emanating from the
>> IMU for "longer
>> than...anticipated". So that could be due to
>> * unexpected behaviour of the spacecraft; veridical IMU reading; out
>> of requirements-spec situation; or
>> * erroneous output of the IMU; inadequate exception handling of this
>> unanticipated behaviour (also
>> an out-of-spec situation, but of a different kind)
>> * inadequate data-typing and boundary-case/overflow exception handling
>> * ? something else ?
>>
>> If ESA has reproduced the behaviour in simulation, then they very
>> likely know which of these is the
>> case.
>>
>> PBL
>>
>>
>> Prof. Peter Bernard Ladkin, Bielefeld, Germany
>> MoreInCommon
>> Je suis Charlie
>> Tel+msg +49 (0)521 880 7319  www.rvs-bi.de <http://www.rvs-bi.de>
>>
>>
>>
>>
>>
>> _______________________________________________
>> The System Safety Mailing List
>> systemsafety at TechFak.Uni-Bielefeld.DE
>> <mailto:systemsafety at TechFak.Uni-Bielefeld.DE>

-- 

Peter Bishop
Chief Scientist
Adelard LLP
24 Waterside, 44-48 Wharf Rd, London N1 7UX
http://www.adelard.com
Recep:  +44-(0)20-7832 5850
Direct: +44-(0)20-7832 5857

Registered office: Stourside Place, Station Road, Ashford, Kent TN12 1PP
Registered in England & Wales no. OC 304551. VAT no. 454 489808

This e-mail, and any attachments, is confidential and for the use of
the addressee only. If you are not the intended recipient, please
telephone 020 7832 5850. We do not accept legal responsibility for
this e-mail or any viruses.
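As an added toy model (not the ESA analysis and not any flight code), the mechanism the ESA quote describes, with the two responses raised in the thread: hold the attitude when the gyro reading is known to be clipped, and discount an altitude below ground level. The sample rate, saturation value, constant slant range and the assumption that real motion should not pin the gyro for more than a few samples are all constructed.

```python
import math

# Constructed toy parameters; they are not Schiaparelli's real values.
DT = 0.1                 # s, IMU sample period
RATE_LIMIT = 120.0       # deg/s, assumed saturation value of the rate gyro
MAX_SAT_SAMPLES = 3      # assumed: real motion should not pin the gyro for > 0.3 s
SLANT_RANGE_M = 4000.0   # constructed radar slant range, held constant for simplicity

def imu_stream(n_samples=60, sat_start=20, sat_samples=10):
    """Constructed pitch-rate samples: 5 deg/s nominal, then RATE_LIMIT held for 1 s."""
    return [RATE_LIMIT if sat_start <= i < sat_start + sat_samples else 5.0
            for i in range(n_samples)]

def estimate_altitudes(hold_on_saturation=False, reject_negative=False):
    """Return the altitude the toy navigation filter believes at each sample.

    Altitude is the radar slant range projected onto the vertical using the
    integrated gyro attitude, so an attitude error past 90 degrees flips the sign.
    """
    pitch_deg, sat_run, last_good, out = 0.0, 0, SLANT_RANGE_M, []
    for rate in imu_stream():
        sat_run = sat_run + 1 if rate >= RATE_LIMIT else 0
        if hold_on_saturation and sat_run > MAX_SAT_SAMPLES:
            pass        # clipped reading: hold attitude instead of integrating it
        else:
            pitch_deg += rate * DT
        alt = SLANT_RANGE_M * math.cos(math.radians(pitch_deg))
        if reject_negative and alt <= 0.0:
            alt = last_good   # below ground is not physical: keep last valid value
        else:
            last_good = alt
        out.append(alt)
    return out

def on_ground_triggered(estimates):
    """Landing logic of the toy model: fires the first time altitude reads <= 0."""
    return any(a <= 0.0 for a in estimates)
```

With neither mitigation the one-second clipped rate drives the integrated pitch past 90 degrees and the projected altitude goes negative, which is what fires the on-ground logic; either mitigation alone keeps the estimate positive in this model.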

