NASA Office of Logic Design

NASA Office of Logic Design

A scientific study of the problems of digital engineering for space flight systems,
with a view to their practical solution.

2004 MAPLD International Conference

Ronald Reagan Building and International Trade Center
Washington, D.C.

September 8-10, 2004


MODULE LEADER: Susan C. Lee, Applied Physics Laboratory

MISHAP DATE: December 20, 1998


The main engine's normal start-up transient exceeded a lateral acceleration safety threshold that was set too low. Compounding this error was a missing command in the onboard burn- abort contingency command script that was not fully tested on the testbed.


On 20 December 1998 the Near Earth Asteroid Rendezvous (NEAR) spacecraft began the first and largest of a series of rendezvous burns required for capture into orbit around the asteroid Eros. Almost immediately after the main engine ignited, the burn aborted, demoting the spacecraft into safe mode. Less than a minute later the spacecraft began an anomalous series of attitude motions, and communications were lost for the next 27 hours. Onboard autonomy eventually recovered and stabilized the spacecraft in its lowest safe mode (Sun- safe mode). However, in the process NEAR had performed 15 autonomous momentum dumps, fired its thrusters thousands of times, and consumed 29 kg of fuel (equivalent to about 96 m/s in lost delta-v capability). The reduced solar array output during periods of uncontrolled attitude ultimately led to a low-voltage shutdown in which the solid-state recorder was powered off and its data lost. After reacquisition, NEAR was commanded to a contingency plan and took images of Eros as the spacecraft flew past the asteroid on 23 December. The NEAR team quickly designed a make-up maneuver that was successfully executed on 3 January 1999. The make-up burn placed NEAR on a trajectory to rendezvous with Eros on 14 February 2000, 13 months later than originally planned. The remaining fuel is sufficient to carry out the original NEAR mission, but with little or no margin.

A NEAR Anomaly Review Board (NARB) was formed to determine the reason for the rendezvous burn events and to make recommendations for NEAR and for similar programs. The cause of the abort itself was determined within 2 days of the event: the main engine's normal start-up transient exceeded a lateral acceleration safety threshold that was set too low. Compounding this error was a missing command in the onboard burn- abort contingency command script; this script error started the attitude anomaly. Fault protection software onboard NEAR correctly identified the problem and took the designed, preprogranuned actions. While the fault protection actions did prevent complete battery discharge before the spacecraft recovered its proper Sun-facing orientation, they did not prevent, and they possibly even exacerbated, the protracted recovery sequence.

The Board's investigation included a painstaking reconstruction of the post-abort timeline from the small amounts of data that remained following solid-state recorder powerdown. More than 128 simulations were run on a NEAR simulator containing ground hardware replicas of all six flight processors running the actual flight code. Additional simulations were run on a software- only simulator. These simulations show that the fault protection actions should have ended the attitude anomaly quickly. Although the simulation fidelity was substantially improved and extended during the course of this investigation, it is clearly deficient in some respect, since we are unable to duplicate the entire sequence of events that occurred in flight. An independent review of the flight code was also conducted, and suspect hardware and circuit elements were reviewed. The investigation established a good understanding of the events during approximately the first 47 min after the abort, but no explanation for the failure of onboard autonomy to quickly correct the problem. The Board found no evidence that any hardware fault or single-event upset contributed to the failure. Although software errors were found that could prolong and exacerbate the recovery, they by no means fully explain it.

The Board is unable to establish a complete explanation for the rendezvous burn events. Nevertheless, we include in this report observations and recommendations that could prevent a recurrence on NEAR or on other programs. These recommendations focus on improving quality control and configuration management within Mission Operations, making better use of NEAR's simulation capability, and taking certain defensive measures on the spacecraft.

Presentation: near

Return to 2004 MAPLD Seminar: Aerospace Mishaps and Lessons Learned

Home - NASA Office of Logic Design
Last Revised: February 03, 2010
Digital Engineering Institute
Web Grunt: Richard Katz