Robotic Autonomous Spacecraft Missions: Cassini Mission-To-Saturn Example

Robotic interplanetary spacecraft sent to the outer planets of our solar system face many challenges: maintaining internal health and functionality of spacecraft subsystems; handling material stresses from solar heating close to Earth, the cold of deep space once the destination is reached, solar radiation, and bombardment of cosmic rays; maintaining adequate power to support engineering devices and science instruments; handling time-critical onboard faults in the presence of the long round-trip light time; and preserving one-time “crucial event” activities such as moon/planet flybys, deployment of the probe, and selected science targets. As an example, this chapter details the strategy implemented on the Cassini Mission-to-Saturn spacecraft: how its onboard subsystems are protected and maintained, the advantage of automated onboard fault protection monitor/response routines, protocols implemented to preclude human error in uplinked sequences, and updating onboard flight software as new discoveries are uncovered about the adverse flight environment, so that mission objectives are met in the presence of an ever-increasing delay between ground-issued commands and the Cassini spacecraft as it approaches the Saturnian system, while safeguarding planetary protection constraints as the spacecraft was deposited into the planet in a final fiery plunge.


Introduction
Unlike conventional aircraft, which can be serviced when breakdowns occur, spacecraft launched outside of Earth's gravity well, whether they be Earth-orbiting satellites or inner solar system/interplanetary spacecraft, are robotic vehicles that must be equipped to deal with their own unique, often hostile flight environments in order to accomplish their science objectives. Once launched, these spacecraft cannot return to earth for servicing or maintenance, but must maintain self-sufficient systems that have been designed to preclude problems, whether introduced by human error, flight environment, erroneous commanding by the operations team, or the large lag interval between ground-station commanding and receipt by the spacecraft. Spacecraft must make the journey through the vastness of space as self-sufficient systems, safeguarding themselves against the many influences that will introduce challenges in maintaining internal spacecraft health and functionality.

Background: science goals and Cassini's design
The science objectives of the prime Cassini mission were to determine:
In order to achieve these science goals, several instruments were implemented onto the Cassini orbiter and Huygens probe vehicles. The combined Cassini-Huygens spacecraft consisted of 18 scientific instruments. Twelve instruments were placed on the Cassini orbiter (see Figure 6), and six were contained within the Huygens probe (see Figure 7).
Orbiter remote sensing instruments:
• Imaging Science Subsystem (ISS)
• Visible and Infrared Mapping Spectrometer (VIMS)
• Composite Infrared Spectrometer (CIRS)
• Ultra-Violet Imaging Spectrograph (UVIS)
• Radar
• Radio Science (RS)
Orbiter fields, particles, and waves instruments:
The instruments on the Cassini orbiter were body-mounted (no scanning platforms), which required the spacecraft to be oriented toward specific science targets for some instruments. Optical instruments provided imagery and spectrometry, while the Radar supplied imaging, altimetry, and radiometry. Radio links contributed information about intervening material and gravity fields. Other instruments on the orbiter were used to measure electromagnetic fields and the properties of plasma, energetic particles, and dust particles.
The Huygens probe was spin-stabilized, returning data via an S-band link to the Cassini orbiter. The probe's six instruments included several sensors to determine the atmospheric properties and composition of Titan. The probe's radiometric and optical sensors produced data on thermal balance and captured images of Titan's atmosphere and its surface. Wind profiles were captured by Doppler measurements between the probe and orbiter. Surface sensors on the probe were implemented to measure the surface impact acceleration, in addition to thermal and electrical properties.
The combined Cassini-Huygens instrument suite enabled scientists to determine the composition, physical, morphological, geological nature, and chemical processes of Saturn and Titan's atmospheres, to investigate their surfaces, and the magnetosphere of the Saturnian system.

Cassini orbiter subsystem functional descriptions
Cassini was a "stacked configuration" containing a lower equipment module, a propulsion module, an upper equipment module, and a High-gain Antenna (HGA). The Huygens Probe, Remote Sensing Pallet, and Fields & Particles Pallet of scientific instruments are attached to the stack within the upper equipment module, which contains the orbiter's 12-bay electronics bus, along with an 11-m magnetometer boom. Several engineering subsystems/devices control the spacecraft's operation as defined below:
Command and data subsystem (CDS): The CDS consists of two redundant computers that receive ground commands and memory loads through the RFS subsystem, processing and distributing the data to designated instruments and subsystems. CDS also receives data from Cassini's various subsystems and instruments, processing and formatting the data into telemetry packets by applying Reed-Solomon encoding, and then delivering the data to earth-based DSN ground stations through the telemetry data stream via the RFS subsystem. CDS also contains two Solid State Recorders (SSRs) with a 2.01-gigabit mass storage capability for Flight Software (FSW) loads and captured science data.
Attitude and articulation control subsystem (AACS): The AACS is comprised of two redundant computers which provide three-axis stabilization attitude control by either reaction wheel assembly (RWA) control or by the reaction control system (RCS) thrusters. Two sun sensor assemblies (SSA) and two stellar reference units (SRU) provide celestial attitude reference. Inertial reference is furnished by vibrating (nonrotating) gyros. An accelerometer on the central z-axis aids in controlling the duration of the engine burns. AACS flight computers receive commands from the CDS by way of a data bus, sending commands over its own data bus to the AACS controlled assemblies.
Propulsion module subsystem (PMS): The PMS contains two redundant (gimbaled) 445-N engines with a specific impulse of 3020 N-s/kg (308 lbf-s/lbm). Approximately 3000 kg of nitrogen tetroxide and monomethylhydrazine are housed in the main bipropellant tanks. A retractable cover protects the main engines (ME) from damage by dust and micrometeoroid impacts. Four sets of mono-propellant hydrazine RCS thrusters (0.2-1.0-N thrust) fire in a direction parallel and perpendicular to the HGA (130 kg hydrazine tank capacity). Helium pressurization feeds the ME and RCS liquid propellants.
Power and pyrotechnic subsystem (PPS): Power was provided by three radioisotope thermoelectric generators (RTG). At the beginning of Cassini's mission, an allocation of 882 W of power was available, declining to 600 W by the end of the Solstice mission. The PPS distributes regulated 30-V dc power to orbiter instruments and subsystems by way of a power bus and 192 solid-state power switches (SSPS). Firing of pyrotechnic devices is supplied by the PPS once commands are received by the CDS subsystem. A shunt radiator disposes of all unused heat energy from the RTGs by radiating the excess into space.
Radio frequency subsystem (RFS): An X-band link (7.2-8.4 GHz) provides communication between the ground and Cassini orbiter. Contained in this subsystem are redundant deep space transponders (DST; each includes a receiver and an exciter), and redundant traveling-wave tube power amplifiers which provide a 20 W radio frequency output [3]. The RFS also includes two command detector units (TCU), an ultra-stable oscillator (USO) for the radio science investigation, as well as an auxiliary oscillator. Telemetry modulation units and interface control units are also included. DSN station support is supplied through the use of 70- and 34-m ground antennas for uplink commanding, and to capture downlinked telemetry.
Cassini's antenna suite consists of a 4-m parabolic HGA and two low-gain antennas (LGA) fixed to the structure of the vehicle. Communication is accomplished through an X-band feed. To receive telemetry from the Huygens probe after Cassini/probe separation, an S-band feed was used. A Ka-feed and 5 Ku-feeds supplied additional beams for radar experiments.
Thermal subsystem: The thermal subsystem provides control of vehicle temperatures by the application of reflective multilayer insulating blankets, radiators, reflective and absorptive paints, louvers, shades, radioisotope heater units, and electrical heaters. For selected devices, autonomous thermal control (ATC) is applied.
In general, redundancy was applied to devices whose failure could cause loss of the mission, or loss of data from more than one scientific instrument. Onboard fault protection (FP) was designed into the system to safeguard against many possible fault conditions. Most electronic parts were radiation hardened and designed to be resistant to single-event upsets (SEU).

Cassini's mission challenges
Before spacecraft like Cassini can be launched, designers must consider external and internal influences on all devices and instruments. These components must be monitored, regulated, and controlled on a continuous basis during the entire lifetime of the mission.

Flight environment
Temperature conditions internal and external to the spacecraft must be monitored constantly. The vacuum of space exposes the spacecraft to intense heat from the sun when the spacecraft is in close proximity, causing its surfaces to superheat. Shadowed surfaces are subject to extremely low temperatures which can cause onboard propellants to freeze. Once the propellants freeze, the spacecraft is rendered inoperative, since it can no longer maneuver and will eventually become misaligned with the earth (and unable to receive ground commands). Material stresses are also a concern with these temperature extremes, since thermal expansion-contraction can introduce camera distortion, breakage of components, and warpage. Also, computers and spacecraft components will cease to work if temperatures become too extreme. Instruments can fall out of operating limits, since many devices only function properly within a narrow range of temperatures. Heat build-up can also occur from the spacecraft's own systems. For Cassini, several protective measures were applied to control these hazardous conditions: reflective multilayer insulating blankets to reflect the sun's heat, radiators, reflective/absorptive paints, louvers and shades, radioisotope heater units, electrical heaters, and ATC controlling monitors. Internal temperatures were also regulated by circulating the spacecraft's liquid fuel to cool its interior. When flying within the vicinity of the sun, Cassini shielded itself from overheating by utilizing the HGA as a sunshade.
Micrometeoroid bombardment, cosmic rays, and radiation are also part of the hazardous flight environment, having the potential to damage or interfere with the operation of the spacecraft's subsystems. Radiation-hardening was applied to electronic devices to deal with this risk, and thermal blankets and commanded HGA shielding of spacecraft components (in the direction of flight) were used to protect against micrometeoroid impacts.
Some unknown influences were also in play for the Cassini mission. The unique (and partially unknown) dust environment at Saturn, which can potentially influence component operation or become hazardous to the spacecraft during flight, would be a new and unique flight environment for the mission. Cassini was also the first JPL mission ever to use SSPS for power distribution, and its operation under these external influences could potentially be affected.

Planning for and maintaining consumables
All spacecraft must maintain adequate power margins to operate their subsystem components and scientific instruments, and to support communications with earth. Cassini's electrical power was derived from three RTGs, with a Beginning-of-Mission (BOM) capability of 875 W. RTGs are lightweight, compact power systems that are extraordinarily reliable. RTGs have no moving parts and provide power through the natural radioactive decay of Plutonium-238. The heat generated from the natural decay is converted into electricity by solid-state thermoelectric converters, enabling spacecraft to operate at significant distances from the sun, where solar power systems could be infeasible or ineffective compared to other power solutions. The durability and dependability of RTGs made them the preferred choice to implement the Cassini mission and its extended operation in the distant environment of Saturn orbit (~10 AU from the sun). The power output from the RTGs decreases predictably over time, so that the number of powered loads allowed to operate simultaneously must also decline accordingly. Planning and predicting the allowable number of operating spacecraft power loads (devices) is necessary throughout the mission as the available power decreases.
There are several other consumables which must be monitored on the spacecraft as well. The fuel and oxidizer used by the ME system (plus the hydrazine of the RCS) are particularly valuable, in that their availability controls the useful lifetime of the spacecraft. This is an important commodity for the consideration of mission extensions. Sufficient fuel for the end of a spacecraft's mission must also be maintained so that disposal of the vehicle is adhered to under planetary protection plan constraints [4].

Protecting against human error
Human interaction with the spacecraft design and operation must also be considered when designing its systems against possible fault occurrences. Human-induced error can manifest itself in the form of electro-static discharge events with spacecraft components during the manufacturing process. These are referred to as "latent failures" and can sometimes present themselves well after launch, rendering a device partially or completely useless. Commanded sequences that are uplinked to the spacecraft during mission operations contain instructions for data collection and control of the spacecraft's activities, and can contain errors as well. These onboard running sequences (that execute continuously for weeks to months) consist of hundreds of commands to perform activities such as earth, sun, and star tracking, monitoring celestial references for attitude targeting, performing maneuvers to fine-tune the trajectory when required, and science calibration and collection, all of which are subject to human-induced glitches which can potentially cause serious faults. As an example, should the transmitter or receiver onboard the spacecraft be accidentally commanded off, the condition would cause an inability of the ground station to communicate with the spacecraft [5]. Too many components commanded on at the same time could exceed the spacecraft's power allocation, leading to a spacecraft-wide "under-voltage power-outage" condition. An error in target parameters could send the spacecraft in the wrong direction or miss a valuable science observation.
DOI: http://dx.doi.org/10.5772/intechopen.82161
The possibility of human error must also be considered during the spacecraft's conceptual design process where prelaunch assumptions are made based upon past mission experience, in some cases, using their test data which is not an "apples-to-apples" comparison as assumed.

Aging hardware
After many years of flight through the harsh flight environment, it is expected that spacecraft will experience various hardware degradations and failures. These potential problems must also be taken into account when extending spacecraft missions past their intended prime mission end dates, as the functionality of critical devices is clearly a factor in this decision. Sensors can fail, and devices that must undergo periodic cycling are all subject to breakdowns and degradations, which limit the mission's capability to perform future planned objectives.

Dealing with earth-spacecraft relative distance
An inhibitor of fault diagnosis and resolution is the ever-increasing lag time experienced on missions with large earth-to-spacecraft distance, referred to as Round Trip Light Time (RTLT). Ground ⇒ Spacecraft ⇒ ground transactions are almost instantaneous when the vehicle is near the earth since radio waves travel at the speed of light, but once the spacecraft gains substantial distance from our planet, even a signal traveling at this great velocity can take hours. In the case of Cassini at Saturn, a command sent from the ground took nearly 3 h to confirm back on Earth (~10 AU). This lag time becomes a high-risk deterrent to resolving problems when spacecraft like Cassini are sent out great distances. In fact, under certain failure conditions, it is impossible for the ground team to detect a spacecraft's anomalous condition and command recovery actions in time to preclude a catastrophic failure from occurring. An example of this situation would be failure of the helium latch valve to close properly (within the PMS system) after a pressurization task of the fuel/oxidizer tanks. This valve failure could cause the tank pressure to rise substantially in a very short period of time. If this condition occurred on the Cassini spacecraft, the pressure could rise to a catastrophic level before the pressure measurement data can even reach earth's ground stations to indicate the fault condition. In addition to fault detection and resolution concerns, this large lag time becomes a significant factor in the presence of one-time science opportunities such as planet flybys, moon encounters, and special science targets. For these events, the timing is crucial since only one opportunity exists to meet the objective and there may be no second chance. In many cases, these unique events must proceed unimpeded by fault interference in order for the spacecraft's mission to be successful.

Meeting challenging problems through FP & FSW uploads
To aid in many of the above challenges, onboard autonomous Fault Protection routines are implemented into the computers' FSW to monitor the spacecraft's many systems and devices to autonomously detect fault occurrences and respond to anomalous conditions. FP consists of "canned" automated responses that can swap to redundant devices (if available), command actions (like closing valves, commanding alternate targets, etc.) and/or place the spacecraft into a "safe state" using preprogrammed instructional routines. A general-purpose, "Safe Mode" fault response routine is typically executed if the fault condition interferes with the onboard running sequence (along with other corrective actions performed by FP if required), which terminates the onboard running sequence, configures the spacecraft to a lower power state by powering off all nonessential spacecraft loads, commands a thermally safe attitude and safe state for the hardware, establishes a low uplink and downlink rate for earth communications, and commands the LGA antenna (to accommodate the low rates). This safe, predictable spacecraft state allows the SOFS sufficient time to evaluate the fault causes and determine a solution [6]. On Cassini, FP was implemented early in the design phase. In general, FP responsibility is allocated to both the SOFS team and the spacecraft (which must deliver sufficient information on its health and fault condition to support fault recovery).
Unexpected conditions and problems can potentially exist for spacecraft missions that are exploring unknown parts of our solar system. New devices never flown in space before can experience unexpected faults due to the adverse flight environment. For these reasons (and those stated above), designers provide the SOFS team with the ability to upload FSW patches (replacing the memory locations within the onboard FSW with new data), and to replace entire CDS, AACS, or instrument FSW loads so that unknown problems can be addressed and increased visibility added to the downlinked telemetry stream.

Cassini mission experience
Cassini-Huygens is a "Class A" Flagship mission, which requires that it be configured as a low risk, high robustness design with all practical measures taken to assure mission success. Numerous analyses and test programs were required before launch approval could be obtained for Cassini by NASA, in order to assure the mission's technical worthiness. These programs were also needed to fulfill mission requirements, which consisted of spacecraft loads analyses to demonstrate that all structural margins met expected safety standards, including a modal test program that yielded experimental data to verify the spacecraft and instruments via a finite element model arranged in the launch configuration. Dynamic tests of the spacecraft and instruments were also performed, as well as acoustic/vibration tests [7][8][9][10]. Thermal analyses provided environmental verification, proving the functionality of all components. Also, verified were the heater power and the radiator area for engineering, as well as transducer performance [11,12].
For Cassini, JPL's "conceptual life cycle strategy" was implemented. This consisted of splitting the development effort into several phases [13]:
Once in Phase E, Cassini's operations phase was also divided into phases. Each phase was executed by way of several uplinked command sequences which were stored and executed onboard the spacecraft (sequences were designated as "C" for cruise or "S" for science):
• Launch and Deployment (C1-C4 sequences)
• Inner Cruise (C5-C16 sequences)
• Outer Cruise (C17-C32 sequences)
• Science Cruise Phase (C33-C41 sequences)
• Saturn Approach Science Phase (C42-C44 sequences)
• Saturn Tour (S01-S06 sequences)
• Huygens Probe Mission (S07 sequence)
• Tour (all three tours; S08-S101 sequences)
The Launch Phase spanned from launch (L) to L + 30 days, during which time launch activities and essential engineering checkouts and calibrations were required to prepare for the first main engine maneuver at L + 25 days. The Inner Cruise Phase encompassed the trajectory interior to Earth's orbit, included two Venus flybys and an Earth flyby. In this phase, the two close flybys of Venus and Earth were required to gain the needed velocity boost through gravity-assist maneuvers, to allow Cassini's trajectory to continue on to Saturn (via the next flyby at Jupiter). The science activities during this period were limited to instrument checkout exercises, with limited science performed during the Venus and Earth flybys. Since Cassini was in close proximity to the sun, the HGA was used to shield the spacecraft to prevent overheating.
During the Outer Cruise Phase, the HGA was used for data transmission (instead of the LGA) since the relative distance between Cassini and the sun was now increasing rapidly and overheating was no longer an issue. Instrument checkout activities continued during this phase, as well as checkout of the Huygens probe. Also included was the final gravity-assist flyby of Jupiter, where extensive science activities began. The Science Cruise Phase began 2 years prior to arrival at Saturn, in order to prepare for Cassini's arrival. Science activities increased during this time, and final instrument calibrations were completed.
The Saturn Approach Phase included a one-time opportunity flyby of the Phoebe moon and the SOI deceleration burn. After launch, the SOI burn was the most crucial activity of the entire mission since it not only allowed Cassini to be captured into Saturn's orbit, but also was an opportunity to view the planet at the closest range of the entire Prime Mission. The Probe Mission Phase was completed on the third encounter (flyby) with the moon Titan. The Tour Phase began at SOI and continued for 13 years (including the two extended missions, Equinox and Solstice). The moon Titan was massive enough to offer gravity-assist capability, and was used as "the tour engine" enabling orbit rotation, orbital period, and inclination changes needed to study Saturn's geometry, as well as to set up the many icy satellite encounters.

Prime mission experience
During Cassini's mission and its three tour phases, there were several instances where faults and problems occurred that required resolution by way of the onboard FP, FSW updates, and/or SOFS interaction. Detailed in the following sections are some of these experiences (mostly unexpected) during the Cassini mission, which challenged prelaunch assumptions and the ingenuity of the SOFS team.

Launch and deployment
At Cape Canaveral, Florida, final preparations were nearly complete for Cassini's launch from Space Launch Complex 40 (SLC-40). But on September 3, 1997, NASA announced that high air conditioning flow-rate servicing of the Cassini spacecraft and the Huygens Probe tore a 2-inch rip within the insulation protecting the probe. It was feared that particles may have contaminated Huygens' delicate instruments, so that the spacecraft had to be hoisted off the launch tower, and the Huygens Probe removed and cleaned thoroughly. Re-installation of the probe on Cassini was performed on September 13 and the Cassini/Huygens vehicle was returned to SLC-40, followed by the integration of the spacecraft with the launch vehicle.
Cassini had a 30-day nominal launch window (from October 10, 1997 to November 4, 1997), which provided an arrival date at Saturn of January 7, 2004. After this launch window expired, the desired arrival date would no longer be achievable. A Titan IV launch vehicle with Solid Rocket Motor Upgrades (SRMUs) and a Centaur upper stage was used as the launch vehicle; Cassini was the second mission to use the SRMU configuration. Cassini was scheduled to launch on October 13, 1997, and after two launch attempts, the spacecraft successfully lifted off on October 15, 1997 at 08:55 UTC. Cassini was placed into an elliptical orbit by the Centaur upper stage burn (170 × 445 km parking orbit with an inclination of approximately 30°). In case the Centaur stage failed to initiate a successful second burn, this "parking orbit" was designed to provide an orbital lifetime of about 20 days. Failure of subsequent burns would have caused the SOFS team to initiate operations to keep the spacecraft in a Sufficiently High Orbit (SHO) so that Cassini could be placed into a 2000-year lifetime orbit. But after 17 min in the parking orbit, the Centaur successfully fired again, launching Cassini toward Venus en route to Saturn. Cassini's AACS computers then executed the "find stars" mode block to acquire star knowledge via the onboard sequence, starting its journey toward the Saturnian system.
SSR bit flips: Almost as soon as Cassini left the launch pad, the spacecraft's telemetry stream indicated a higher than expected single bit error (SBE) and double bit error (DBE) rate in the SSRs than was predicted by the SSR Specification document. This spec predicted occurrences of SBE = 6/week and DBE = 2/year per SSR; the actual in-flight rates were SBE = 20/h and DBE = 2/day. The SSRs are a high capacity, solid state bulk storage medium with no moving parts, containing 2.01 gigabits of memory per SSR for storage of computer/instrument FSW and collected science data. These erroneous "bit flips" change the affected stored/collected data from "1" to "0" (or vice versa), corrupting the data. Error detection and correction (EDAC) logic was installed by the manufacturer to "scrub" (detect and fix) the SBEs every several minutes, but the DBEs cannot be corrected without an arduous manual process performed by the SOFS team. An anomaly team was formed to determine the cause for these high bit error rates. The team discovered that due to the physical adjacency of some data and checksum bits (a violation of design requirements), one cosmic ray could cause two bit errors to occur [14]. This was due to a human error in the mapping of SSR memory.
Fix: As a result, a new "SSR DBE Auto Repair" FP algorithm was designed by the SOFS team and uplinked to detect and initiate automatic repairs of DBEs within the FSW on both SSRs.
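The SSR failure mode described above can be reproduced in a few lines. This is an added example, not Cassini flight software: the page does not name the SSR's EDAC code, so a 13-bit SECDED Hamming code over one data byte is assumed, and the memory row, payload bytes, and the interleaved layout standing in for a requirement-compliant mapping are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CW_BITS 13                  /* bit 0: overall parity, bits 1..12: Hamming code */
#define NWORDS  4                   /* codewords in one constructed memory row */
#define NCELLS  (CW_BITS * NWORDS)  /* physical cells in that row */

enum scrub_result { EDAC_CLEAN, EDAC_SBE_FIXED, EDAC_DBE };
struct upset_outcome { int sbe_fixed; int dbe; int data_intact; };
typedef int (*layout_fn)(int word, int bit);   /* (word, bit) -> physical cell */

/* Encode one data byte; positions 1, 2, 4, 8 hold the check bits. */
static uint16_t secded_encode(uint8_t data)
{
    uint16_t cw = 0;
    int pos, d = 0, syn = 0, par = 0;
    for (pos = 1; pos < CW_BITS; pos++) {
        if ((pos & (pos - 1)) == 0) continue;
        if ((data >> d++) & 1) { cw |= (uint16_t)(1u << pos); syn ^= pos; }
    }
    for (pos = 1; pos < CW_BITS; pos <<= 1)     /* make XOR of set positions zero */
        if (syn & pos) cw |= (uint16_t)(1u << pos);
    for (pos = 1; pos < CW_BITS; pos++) par ^= (cw >> pos) & 1;
    return (uint16_t)(cw | par);                /* bit 0 makes total parity even */
}

/* Scrub one codeword in place: fix a single flipped bit, flag a double flip. */
static enum scrub_result secded_scrub(uint16_t *cw)
{
    int pos, syn = 0, par = 0;
    for (pos = 0; pos < CW_BITS; pos++)
        if ((*cw >> pos) & 1) { syn ^= pos; par ^= 1; }
    if (syn == 0 && par == 0) return EDAC_CLEAN;
    if (par == 1 && syn < CW_BITS) {            /* odd parity: one flip, at bit syn */
        *cw ^= (uint16_t)(1u << syn);
        return EDAC_SBE_FIXED;
    }
    return EDAC_DBE;                            /* detected but not correctable */
}

static uint8_t secded_data(uint16_t cw)         /* pull the data byte back out */
{
    uint8_t data = 0;
    int pos, d = 0;
    for (pos = 1; pos < CW_BITS; pos++) {
        if ((pos & (pos - 1)) == 0) continue;
        data |= (uint8_t)(((cw >> pos) & 1) << d++);
    }
    return data;
}

/* Flawed layout: all 13 bits of a word (data and check) sit side by side. */
static int cell_contiguous(int word, int bit)  { return word * CW_BITS + bit; }
/* Assumed compliant layout: neighbouring cells always belong to different words. */
static int cell_interleaved(int word, int bit) { return bit * NWORDS + word; }

/* Store constructed data, flip two adjacent cells (one particle), then scrub. */
static struct upset_outcome strike_and_scrub(layout_fn map, int first_cell)
{
    static const uint8_t payload[NWORDS] = { 0xCA, 0x55, 0x1A, 0xF0 };
    uint8_t cells[NCELLS];
    struct upset_outcome out = { 0, 0, 1 };
    int w, bit;
    for (w = 0; w < NWORDS; w++) {
        uint16_t cw = secded_encode(payload[w]);
        for (bit = 0; bit < CW_BITS; bit++)
            cells[map(w, bit)] = (uint8_t)((cw >> bit) & 1);
    }
    cells[first_cell] ^= 1;
    cells[first_cell + 1] ^= 1;
    for (w = 0; w < NWORDS; w++) {
        uint16_t cw = 0;
        enum scrub_result r;
        for (bit = 0; bit < CW_BITS; bit++)
            cw |= (uint16_t)(cells[map(w, bit)] << bit);
        r = secded_scrub(&cw);
        if (r == EDAC_SBE_FIXED) out.sbe_fixed++;
        if (r == EDAC_DBE) out.dbe++;
        if (secded_data(cw) != payload[w]) out.data_intact = 0;
    }
    return out;
}

/* Count the adjacent-pair strike positions that leave an uncorrectable word. */
static int count_dbe_strikes(layout_fn map)
{
    int c, n = 0;
    for (c = 0; c + 1 < NCELLS; c++)
        if (strike_and_scrub(map, c).dbe) n++;
    return n;
}

int main(void)
{
    printf("DBE-producing strikes: contiguous=%d interleaved=%d of %d\n",
           count_dbe_strikes(cell_contiguous),
           count_dbe_strikes(cell_interleaved), NCELLS - 1);
    return 0;
}
```

With the contiguous mapping, nearly every two-cell upset lands inside one codeword and exceeds what the scrubber can repair; with the interleaved mapping the same upset becomes two independent single bit errors that the scrub corrects.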
PMS regulator malfunction: The spacecraft prepared for the first Trajectory Control Maneuver (TCM) on November 9, 1997 (L + 25 days). Before this first maneuver could begin, the fuel and oxidizer tanks were heated (in order to avoid an irreversible overpressure in the propellant lines), including venting, priming, and pressurizing of the bipropellant lines for the ME. This venting activity removes the gas between the latch valves and the engines, which creates a vacuum in the propellant lines. The ME cover was opened prior to venting, and the lines were primed (priming fills the ME lines with propellant). The helium pressurant line was opened (to fill the ullage bubble within the fuel and oxidizer tanks) by opening a pyro valve, PV-1.
However, when PV-1 was opened, the prime regulator (which keeps the tank pressures at a safe level) was discovered to have malfunctioned due to a trapped particle within the hard-seat regulator, and was leaking at a significant rate. The pressure in the tanks rose high enough to reach FP thresholds, which would have activated the Overpressure Response FP, executing the Safe Mode Response and halting the onboard sequence (and the ME burn maneuver). Analysis determined that the leak rate was 1700 cc/min; the worst leak rate expected through testing was only 1.70 cc/min (a factor of 1000 times lower than this leak rate). The impact of this unexpected regulator malfunction would now require a substantial redesign in the ME burn strategy for the entire mission. This leak further increased a year later during the 90-min Deep Space Maneuver (DSM) burn, by a factor of 6.6. The upcoming SOI burn (in the next 6 years) was a crucial mission event which relied upon the characterization of the PMS system 30 days before Saturn-capture. This task would now be impossible to achieve, so that an entire redesign of the 90-min SOI burn would now be required [15].
Fix: To halt the pressure rise, the SOFS team uplinked a command to close the High Pressure Latch Valve (HPLV) to stop the helium pressurant from filling the tanks' ullage bubble with helium. During the cruise period, the mission was redesigned so that all ME burns were supported by a special uplinked sequence which controlled the duration of inflow pressurization of the fuel and oxidizer tanks, by allowing the HPLV to remain open for just a short period of time (~10 min). A new set of FP routines addressing the associated new failure modes that resulted from the redesign effort was also uplinked to the spacecraft's FSW, and the SOI burn pressurization strategy was also redesigned successfully.

Inner cruise
Safe mode activation #1: FP swapped the prime SRU to the backup device during a decontamination activity which did not proceed normally. It was determined that a misalignment between SRU prime and SRU backup had occurred when the backup unit was turned on, triggering the FP since the affected AACS design parameter was too sensitive. The fix was to improve the parameter and patch the spacecraft's FSW. This problem could not be uncovered by testing since it could not be modeled in the Cassini test facility.
Safe mode activation #2: During an instrument checkout, Cassini was commanded to perform a slow roll about the Z-axis to keep the X-axis as close as possible to Sun-point while the spacecraft proceeded through Opposition. An overly sensitive AACS control target parameter tripped the Safe Mode response. The SOFS team determined that only flight experience can reveal this problem and the parameter was updated.
Spurious SSPS trip events: Starting at L + 4 months on February 14, 1998, Cassini started to experience trip-off events on its 192 SSPS switches, with an average of two trips per year. Cassini was the first spacecraft ever to use SSPS switches, so that the effect of the flight environment on these devices was not completely predictable. These trips are caused by galactic rays within the flight environment, where one or more photon hits on the voltage comparator of the switch can result in a false indication that the current load is anomalously high. This causes the switch to transition from either an "on" or "off" state to a "tripped" condition, which can result in either a benign or serious effect on the spacecraft, depending on which switch trips, and whether it is operating at the time of the event.
During the mission, 38 trip events occurred, some of which had significant effects. In May 2005, the USO experienced a trip event, causing loss of communication with the SOFS team until two-way communication could be established once again. In September 2007, the Traveling Wave Tube Amplifier (TWTA) underwent a trip event, causing FP to activate; Safe Mode was executed three times, in addition to a Power-On-Reset (POR) of the RFS system and a Hardware (HW) swap of the TCU and TWTA. The spacecraft's DST was hit in September 2013, causing the Command Demodulation Unit (CDU) to reduce the uplink transmission rate from 500 bits-per-second (bps) to 7.8 bps.
Fix: Nothing can be done to prevent SSPS trip occurrences. Therefore, a new "SSPS Trip" FP algorithm was designed and uplinked into the spacecraft's FSW to address these SEU-induced trip events. This new FP monitors each SSPS switch and responds to trip conditions with a predetermined response which is unique for each of the 192 SSPS switches.
Degradation in the ME cover: Shortly before the DSM maneuver, when the ME cover was opened, the cover did not deploy as far as it had in ground tests (14° less than expected), although the opening angle was sufficient to allow for ME burns. The cause was attributed to an increased stiffness in the cover material due to its exposure within the radiation environment of the inner solar system, and to a lesser extent, the long period of disuse. Unfortunately, the ME cover activity within the flight environment could not be adequately tested on the ground prelaunch. Since the DSM maneuver, the ME cover opening angle held steady through many cycles, with no further signs of degradation observed. The cover behavior was monitored by the SOFS team until the End of the Mission (EOM).

Outer cruise
Safe mode activation #3: In 2001, the backup CDS computer experienced a reset due to an oversight in the onboard sequence (human error): a missing telemetry mode definition. As part of the CDS design, all telemetry modes (the rate at which data is downlinked) are executed in both the prime and online CDS computers. As a result of an SOFS exercise to update the SSR with MAG replacement heater patches, one of the backup CDS computer's telemetry modes was overwritten (and thus was not available), so that it existed only in the prime CDS computer. After this particular telemetry mode was activated from the C26 background sequence, the backup CDS reset since the telemetry mode did not exist.
Fix: The SOFS team uses "flight rules" and constraint checklists to ensure errors do not creep into sequences; this particular check was not included in the real-time patch checklist, and was henceforth added to this list.
RWA increased friction anomaly: On December 16, 2000, RWA wheel #2 caused the spacecraft to autonomously switch from RWA control to RCS control due to an increase in friction (triggering FP with no Safe Mode execution), interrupting planned science activities. Analyses determined that this high friction region was localized to the low RPM operating region.
Fix: Constraints were imposed by the SOFS team to avoid the low RPM region for all three RWAs. This was accomplished by altering the wheel speed biasing strategy. A project directive was made to use the RCS system as the primary control for the rest of the cruise phase.
ISS instrument haze anomaly: Five months after the Jupiter flyby event in 2001, it was discovered that a distinct haze was observed around Saturn in images captured by the NAC camera, which had not been seen in previous images. It was determined that this anomaly was caused by contamination of very small particles residing on either the camera's filter assembly or CCD window. It appeared to have been caused by the very long period since the previous decontamination cycle (13 months), and the deeper cold of the environment compared to previous cycles (−90 vs. 0°C).
Fix: A series of decontamination cycles was completed to remove the haze (with periods of 7-57 days in length). A flight rule was added to correct the procedure of heating the ISS camera.

Science cruise phase
Safe mode activation #4: The C37 cruise sequence was operating nominally when one of the target vectors was queued to be loaded by the series of commands in operation. Although this target vector was provided in the AACS table being accessed, the time-tag associated with the command contained an error, so that it was labeled prior to the start time of the C37 sequence. Since the vector could not be loaded properly, the Safe Mode response was requested.
Fix: The proper vector was reloaded and the sequence restarted onboard the spacecraft; ground procedures were updated to preclude this human error from happening again.
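The two human-error cases above (the telemetry mode that existed only on the prime CDS after a patch, and the command time-tagged before the start of its own sequence) are the kind of defect a ground-side constraint check can reject before uplink. The following sketch is an added illustration, not Cassini ground software; the opcodes, mode names, computer labels and times are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Command:
    time_tag: int   # seconds on the sequence clock (constructed units)
    opcode: str     # hypothetical opcode names, not Cassini's command dictionary
    arg: str

@dataclass(frozen=True)
class Sequence:
    name: str
    start: int
    end: int
    commands: tuple

def check_sequence(seq, tlm_modes_by_cds):
    """Return (rule, command_index, detail) for every flight-rule violation.

    tlm_modes_by_cds maps each CDS computer to the set of telemetry modes
    currently defined in its memory, i.e. the state after any real-time patch.
    """
    violations = []
    for i, cmd in enumerate(seq.commands):
        # Rule 1: every time tag must fall inside the sequence's own window.
        if not seq.start <= cmd.time_tag <= seq.end:
            violations.append(("TIME_TAG_OUTSIDE_SEQUENCE", i,
                               f"{cmd.opcode} tagged {cmd.time_tag}, window "
                               f"{seq.start}..{seq.end}"))
        # Rule 2: a telemetry mode must be defined on every CDS computer,
        # because mode changes execute on both.
        if cmd.opcode == "SET_TLM_MODE":
            missing = sorted(cds for cds, modes in tlm_modes_by_cds.items()
                             if cmd.arg not in modes)
            if missing:
                violations.append(("TLM_MODE_UNDEFINED", i,
                                   f"{cmd.arg} missing on {', '.join(missing)}"))
    return violations

def apply_patch(tlm_modes_by_cds, cds, overwritten_modes):
    """Model a memory patch that overwrites mode definitions on one computer."""
    patched = {name: set(modes) for name, modes in tlm_modes_by_cds.items()}
    patched[cds] -= set(overwritten_modes)
    return patched

# Constructed sample data (mode names, opcodes and times are illustrative).
MODES = {"CDS_PRIME": {"MODE_A", "MODE_B"}, "CDS_BACKUP": {"MODE_A", "MODE_B"}}
BACKGROUND = Sequence("background", 1000, 9000, (
    Command(1200, "SET_TLM_MODE", "MODE_A"),
    Command(4000, "SET_TLM_MODE", "MODE_B"),
))
CRUISE = Sequence("cruise", 10000, 20000, (
    Command(10500, "LOAD_TARGET_VECTOR", "VEC_1"),
    Command(9950, "LOAD_TARGET_VECTOR", "VEC_2"),   # tagged before sequence start
))

if __name__ == "__main__":
    after_patch = apply_patch(MODES, "CDS_BACKUP", {"MODE_B"})
    for seq, modes in ((BACKGROUND, after_patch), (CRUISE, MODES)):
        for rule, idx, detail in check_sequence(seq, modes):
            print(f"{seq.name}[{idx}] {rule}: {detail}")
```

Running the check against the post-patch memory state, rather than the pre-patch one, is what makes the telemetry-mode rule catch a definition removed by a real-time patch.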
Activation of the redundant RWA #4 wheel: All three RWAs had started to exhibit the same high friction levels at low RPM (drag torque spikes), but unlike RWA #1 and RWA #2, RWA #3 also began to exhibit "cage instability," which is characterized by vibration of the metal cage that holds the ball bearings in place. Analysis showed that the wheel was trending towards possible failure in weeks to possibly months.
Fix: RWA #3 was commanded off to save its remaining life and the redundant (spare) RWA #4 was turned on to replace it.

Saturn approach phase
Loss of MAG data during SOI: During the SOI event, no magnetometer data was acquired due to a sequencing error that caused an unexpected instrument reset (instrument FP was triggered). Since SOI was the only opportunity in the prime mission to fly very close to Saturn (until later in the extended mission phases), the loss of science data was considered to be very significant (Figure 8).

Huygens probe mission
Probe Doppler bandwidth error: Tests were conducted before reaching Saturn in February 2000 for the Probe ⇒ Cassini ⇒ DSN station data link delivery transmission. These analyses were needed to prepare for the Probe deploy and relay tasks, consisting of several flight exercises and performing "what-if" tests, as well as to validate the Probe's FSW. Since the Probe's two computers contained minimal onboard data storage capability, the data had to be transmitted to the Cassini orbiter directly during Titan entry, and then relayed to Earth. In this way, the spacecraft would provide the bulk of the data storage needed to support the Probe Relay task, throughout the descent and landing stages of the Probe mission. In the test, the Probe's signal was delivered to the Cassini spacecraft in flight, and then delivered to the DSN station on the ground. Results from this Probe ⇒ Cassini ⇒ DSN station relay test showed insufficient margin to maintain the carrier and subcarrier lock for the duration of the upcoming Probe mission. Analysis showed that the digital circuitry that decodes the data from the subcarrier did not have sufficient bandwidth to properly process the data from the subcarrier once it was Doppler shifted by the expected 5.6 km/s (nominal) velocity difference between Cassini and the Probe. The effect of this anomaly (caused by human error) would yield an unacceptable loss of data during the upcoming Probe Descent ⇒ Titan Landing phase since the digital circuit design did not adequately account for the Probe data's full Doppler shift.
Fix: In January 2001, a joint effort between ESA and NASA established the Huygens Recovery Task Force (HRTF) team to evaluate the problem and develop a solution. This effort led to a three-part fix that allowed full recovery of the Titan data:
Part 1: The mission profile was redesigned to a Probe trajectory conducive to a low Doppler shift in the Probe-Cassini spacecraft radio link. The early part of the Saturn Tour was redesigned to a higher orbiter flyby altitude of Titan (at 60,000 km). This required that the (original) first two orbital revolutions around Saturn be increased to three revolutions (the tour configuration was unchanged after this point; this extra orbit was at a moderate ΔV cost).
Part 2: Preheating of the Probe's transmitters was necessary before its descent into Titan's atmosphere so that the transmit frequency could be optimized.
Part 3: The new mission design would now have a much lower Doppler shift than that of the original Probe mission. This would require that the Probe be commanded to its "Base Frequency" (referred to as "BITE Mode," a "zero Doppler" test mode that held the lockup frequency at a level equivalent to −1 m/s relative velocity). This BITE Mode of operation must be maintained constantly, even in the presence of fault occurrences and Safe Mode activations. To accomplish this goal, an empty slot within the ATC FSW (eight ATC monitors were in use; four empty placeholders were designed into FSW for future use) was programed to send the "Probe BITE Mode" command continuously, since these ATC algorithms are capable of issuing commands every 12 s, even during and after FP activations.

Tour operations
Safe mode activation #5: In S33, very soon after a flyby of the Iapetus moon was completed, an SSPS trip occurred on the prime TWTA. The spacecraft interpreted the SSPS trip as a hardware failure, executed the Safe Mode three times and swapped to the redundant backup TWTA unit. The FP also commanded a TCU swap and an RFS POR.
Fix: The prime TWTA was powered back on (and swapped back), and FSW was updated to implement new FP for selected devices in order to avoid activating SSPS Trip FP. This FSW fix was planned in advance of this incident, based upon observed SSPS trips, but was not uplinked in time to preclude this TWTA SSPS trip. Exactly 1 year later, another SSPS trip occurred on the prime TWTA unit. FP was not activated due to the new updates.
Loss of MIMI motor drive: In January 2005, a motor controlling one of MIMI's three detectors suffered a mechanical failure. Although all three detectors were still fully functional, one was forced to rely on spacecraft pointing for proper orientation. The loss to MIMI science was approximately 10%.
Loss of SSR DRAM memory: In December 2006, a portion of memory failed within one of the SSR's DRAM memory units, in a location where science/engineering data is stored. This failure was significant because the memory was corrupted, leading to ground software decomposition problems as well as erroneous science and engineering data. No capability to remove or bypass bad areas of SSR hardware memory had been implemented into FSW.
Fix: New capability to bypass corrupted memory locations was uploaded to FSW.

Extended mission experience (equinox mission)
RCS thrust branch swap: In March 2009, Cassini swapped over to the backup branch of RCS thrusters to replace those that had been in use since launch, since the prime thrusters were exhibiting increased chamber pressure roughness and decreased thrust (i.e., these thrusters were displaying end-of-life characteristics).
Loss of an ATC temperature sensor: Temperature readings are reported to each ATC from two sensors. For ATC #7, these sensors are mounted on opposite sides of the ME, and are used to monitor chamber temperatures. In 2009, during a maneuver, one of these sensors began to report erroneous data. It was speculated that the failure was most likely caused by a soft short.
Fix: The SOFS team uplinked a command to declare the sensor "dead" (not usable), since the ATC was able to function with only the single remaining sensor. Also, a new operations strategy was developed to eliminate the use of ATC #7 (implemented in S56).

Second extended mission experience (solstice mission)
Safe mode activation #6: On November 2, 2010, during the S64 background sequence, a file was uplinked to reset the backup AFC computer during normal operations. The command was hit by a cosmic ray and corrupted (bit flip), causing the prime CDS computer to reset from receipt of this erroneous command (caused by a failure of the uplinked command to process properly). As a result, Safe Mode was called.
Fix: The chance of a cosmic ray hit on an uplinked command is so unlikely (millions to one) that no fix was implemented.
CAPS instrument failure: In April 2011, Cassini's power bus suffered unexpected swings. The imbalance remained in place until June of that year, when another shift occurred. Engineers suspected the high-rail short to be within the CAPS instrument and 3 days later the instrument was turned off. The bus returned to near preanomaly values, and the CAPS instrument was left off while an investigation was conducted into the cause of the short condition, and whether CAPS could be turned back on. The conclusion was that it was safe to turn the CAPS instrument back on. Two days later the short condition reappeared, causing the bus voltage to shift again. The CAPS instrument was left on and the shifted values remained until June 2012, when a series of voltage swings occurred over a 24-h period. The condition culminated when CAPS was autonomously shut off by the SSPS switch, due to an overcurrent draw from the instrument. A second investigation was undertaken after this CAPS anomaly, leading to a decision to leave the CAPS instrument off for the remainder of the mission.
Loss of the USO: At the beginning of the DSN track on December 23, 2011, no downlink signal was received from Cassini. The suspected cause was bad predicts used at the DSN station. New predicts were built and two different DSN antennas were used to acquire the spacecraft's signal to no avail, ruling out the bad predicts as the cause of the anomaly. Attention then turned to the USO as the source of the problem. Cassini's signal was acquired after RTLT (when the USO is no longer used by the spacecraft, but switches over to the DST's VCO).
Fix: A test was devised to determine if the DST's downlink path or the USO was the cause of the loss-of-signal problem. It was determined that the USO had failed. The Auxiliary Oscillator was used for the remainder of the mission, which yielded a "rattier" signal. Spacecraft operations were not affected by the loss of the USO; however, the quality of radio science observations was reduced.

The grand finale
The Cassini mission ended with 20 orbits of the F-Ring, followed by a 22 orbit ballistic trajectory through the D-Ring, and a highly successful final plunge into Saturn. Unique science data was captured during this final flight phase, and no significant anomalies occurred, ending the highly successful, nearly 20-year mission [16].

EOM statistics
Power usage: Figure 9 shows the entire power history telemetered by the spacecraft during its 20-year mission, including the very last data point sent just before EOM. The overall RTG power decay shows an exponential behavior starting from 882.1 W on Day 1, to 600.3 W on the last day of the mission (indicating a total power decay of 32%). The data plot indicates nominal RTG performance, with some peculiarities: during the first 3 years of the mission, the power output decayed by 70 W at an accelerated rate due to the dopant precipitation in the SiGe thermocouple, which reduces the available current carriers.
Cassini's SSRs used as a radiation detector: As discussed above, Cassini's SSRs were susceptible to high SBE and DBE occurrences due to environmental effects. These elevated bit error counts often occurred in the presence of high dust and radiation. In this way, the SSRs were inadvertently turned into uncalibrated and unofficial radiation detectors. Figure 10 shows the effects of radiation on the SSRs during several ring flybys, relative to the SBE error count. The spacecraft's flybys between the D-Ring and Saturn's atmosphere are shown as the "proximal orbit" region. These results were consistent with MIMI's radiation model.

Saturn science
Many incredible discoveries were made by the Cassini-Huygens mission during its 20 years of flight; a few of those fascinating encounters are mentioned here. Figure 11 depicts six of the more than 60 of Saturn's known moons, which range in size from a few hundred meters to larger than planet Mercury. The top row of this figure, from the left (not to scale), shows the tiny odd looking moon Pan, Mimas (which looks like the "Death Star" space station from the movie Star Wars), and Hyperion, which resembles a sponge. On the bottom row are Iapetus, Titan (the largest of Saturn's moons), and Enceladus, which contains "tiger stripe" fissures with erupting plumes, implying an underground reservoir of water that is suspected to be around 10 km deep (i.e., an underground ocean). Figure 12 depicts an artist's impression of the hydrothermal activity taking place on this south polar region of Enceladus. Hot water traveling upward from the ocean comes into contact with cooler water, which is eventually expelled through the vents that connect the ocean to the surface of the moon. Figure 13 depicts how different organic compounds make their way to Titan's seas and lakes. Ligeia Mare is one of three of Titan's seas, consisting of pure methane and a seabed covered by sludge-like organic-rich material. Titan's atmosphere of nitrogen and methane reacts to produce organic molecules, the heaviest of which fall to the surface through air and rainfall, some of which make their way to the sludge on the sea floor. Figure 14 depicts the giant hexagonal hurricane at Saturn's north pole (approximately 30,000 km across). An intense six-sided jet stream with winds at 320 km/h spirals around a massive storm which rotates anticlockwise at the heart of this region (false color image).

Conclusions and lessons learned
For robotic spacecraft to complete their goals successfully without significant risk or degradation to mission objectives, preventative measures for instruments and subsystems must be implemented by way of a robust FP strategy and onboard FSW flexibility. Prelaunch analyses and tests conducted to preclude problems do not always safeguard against human error, the flight environment, or design oversights, nor can they capture all fault cases. Mission planners must acknowledge that unknown problems can still surface after launch. During the Cassini-Huygens mission, this was proven true by the need for several new FP routines, FSW updates, and FSW patches required to resolve unexpected problems not anticipated by prelaunch designers. For interplanetary spacecraft like Cassini, these fixes were made more manageable given that significant time was available during the cruise phase to augment the FP and patch FSW in order to address these unforeseen problems, due to the flexibility that designers built into the FSW architecture.
© 2018 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.