Driving Down Risk in the Psyche Fault Protection Design Post Launch Slip

The Psyche Mission is a NASA Discovery-class Mission to explore (16) Psyche, a large metallic asteroid that orbits the sun between 2.5 and 3.3 au. The spacecraft bus is a repurposed earth-orbiting telecommunication satellite bus developed by Maxar, combined with Avionics and software developed by JPL. To ensure this earth-orbiting spacecraft bus can survive the lengthy journey into deep space, a robust fault protection function was designed, implemented, and tested. Originally scheduled for July 2022, the launch date was postponed to October 2023 due to delays during system-level testing of the spacecraft. By the time the launch slip was announced, the fault protection design was fully implemented in software, and the V&V program was nearly complete. Consequently, the team found themselves with an additional year of unplanned development time, which provided the unique opportunity to revisit parts of the fault protection design, implementation, and V&V strategy prior to launch, while incorporating lessons learned from the previous year of testing.This paper provides an overview of the efforts taken to drive down risk in the Psyche fault protection design after the launch slip. These efforts can be split into three categories: additional “deep dive” analyses targeting higher risk areas of the design, improvements to the design and implementation that resulted in software changes, and the development of a rich set of high-fidelity risk reduction test cases meant to validate the fault protection function. This paper discusses the motivating concerns that drove each of these efforts and explains how lessons learned were incorporated into the post-launch slip development work. It summarizes the analyses that were spawned and explains the methods that were used to constrain and complete each analysis. It captures the trades made when deciding which design changes and software bug fixes to implement, and describes the processes used to implement and verify those changes in an agile manner. Finally, the paper captures the brainstorming process for devising a set of risk reduction tests used to improve confidence in the fault protection design, and validate its performance over a wide range of scenarios.

灵神星（Psyche）任务是美国国家航空航天局（National Aeronautics and Space Administration，NASA）发现级任务，旨在探测（16）灵神星——一颗在2.5至3.3天文单位（astronomical unit，au）轨道绕日运行的大型金属小行星。该任务所用航天器平台由马克萨尔（Maxar）公司基于现役地球轨道通信卫星平台改造而来，并搭载了喷气推进实验室（Jet Propulsion Laboratory，JPL）开发的航电系统（Avionics）与软件。为确保这款原本适配近地轨道运行的航天器平台能够顺利完成漫长的深空航行，团队设计、实现并测试了一套高鲁棒性的故障防护（fault protection）功能。 该任务原定于2022年7月发射，但因航天器系统级测试进度延误，发射日期被推迟至2023年10月。 在宣布发射推迟时，故障防护系统的软件实现已全部完成，验证与确认（Verification and Validation，V&V）工作也接近收尾。因此，团队获得了一年的额外开发周期，得以在发射前重新审视故障防护系统的设计、实现与验证与确认策略，并将过去一年测试中总结的经验教训融入其中。 本文概述了发射推迟后，为降低灵神星任务故障防护系统设计风险所开展的各项工作。这些工作可分为三类：一是针对设计中高风险区域开展的专项深度剖析分析；二是优化设计与实现方案，由此产生软件变更；三是开发了一套丰富的高保真风险降低测试用例，用于验证故障防护系统的功能。 本文阐述了推动各项工作开展的核心关切，并阐释了如何将经验教训融入发射推迟后的开发工作。文中总结了由此催生的各项分析工作，并说明了用于约束并完成每项分析的具体方法；记录了团队在确定需实施的设计变更与软件漏洞修复方案时开展的权衡分析，并描述了以敏捷方式实施并验证这些变更的完整流程。最后，本文记录了为设计一套风险降低测试方案所开展的头脑风暴过程，该方案旨在提升故障防护系统设计的可信度，并验证其在多种复杂场景下的运行性能。