Weak Simulations, Inadequate Software & Mismanagement caused Schiaparelli Crash Landing

Photo: ESA

The European Space Agency concluded its inquiry into the crash landing of the experimental Schiaparelli Mars Lander last October, citing a lack of understanding and modeling of parachute dynamics experienced at high speed, insufficient failure identification and recovery options in the craft’s software and mismanagement of subcontractors & hardware acceptance as contributing factors for the botched landing sequence.

ESA emphasized that the Schiaparelli mission was not a complete write-off as a very important part of the mission’s demonstration objectives were achieved until the point of failure. The agency also said findings of the investigation will help the upcoming ExoMars 2020 mission by reinforcing design weaknesses identified by the inquiry and doubling down on flight dynamics modeling. “As a direct result of this inquiry we have discovered the areas that require particular attention that will benefit the 2020 mission,” said Jan Woerner, ESA’s Director General.

Image: ESA/ATG Medialab

The 577-Kilogram Schiaparelli lander, also known as EDM, launched on March 14, 2016 attached to the Trace Gas Orbiter with the two making up the ExoMars 2016 mission under a two-mission project by the European Space Agency and Russia’s Roscosmos State Corporation.

ExoMars 2016 had two core objectives – a) delivering the Trace Gas Orbiter into orbit around Mars for a five-year science mission exploring the Martian atmosphere, and b) demonstrating a Mars Entry, Descent & Landing architecture with the Schiaparelli test bed to retire risk for the ExoMars 2020 mission that aims to deploy a small rover and surface science platform to Mars.

>>ExoMars 2016 Mission Overview

ExoMars 2016 Separation – Image: ESA/ATG Medialab

Shepherded to Mars by the 3,800-Kilogram Trace Gas Orbiter, Schiaparelli separated on October 16 for a three-day approach phase while the orbiter changed its course in preparation for a rocket-powered braking maneuver to be captured in Martian orbit.

At 14:42 UTC on October 19, Schiaparelli entered the Martian atmosphere – beginning a six-minute sequence to first slow down during a blazing entry, deploy a supersonic parachute, fire nine landing engines and finally drop to the surface from only one and a half meters. However, Schiaparelli’s signals stopped 43 seconds before the planned landing time and NASA orbiters flying over the expected landing site the next day showed the lander had crashed at very high speed.

Planned EDM Landing Sequence – Image: ESA

Schiaparelli’s daring landing sequence started at 14:42:22 UTC when the lander reached what is known as the Entry Interface Point, passing 121 Kilometers in altitude and traveling 5.83 Kilometers per second – beginning the process of slowing down through atmospheric friction on the lander’s protective heat shield. Three minutes and one second later, EDM had slowed to 1.5 times the speed of sound and reached an altitude of 12 Kilometers where G-forces triggered the deployment of the parachute and set in motion a chain of events leading to the hard impact of the lander.

The parachute deployment went as planned and the supersonic parachute inflated – causing some oscillations on the Schiaparelli module which was as expected since chute deployment at nearly 500 meters per second represents one of the most dynamic events of the descent. What was not expected by mission designers was the magnitude of the body rates experienced under the chute, particularly around the Z-axis of the lander.

These rates exceeded the operational measurement range of the Inertial Measurement Unit which was the sole source of navigation data at this stage of the descent.

Image: ESA/ATG Medialab

As a result of the high pitch angular rate, the IMU’s software send out a saturation flag to the general Guidance, Navigation & Control Software (GNC) run by the lander. During the design of EDM, saturation of the Inertial Measurement Unit was not considered as a possibility as parachute dynamic models – now shown to be insufficient – did not predict body rates anywhere close to the IMU saturation threshold.

Not equipped to deal with the saturation flag sent by the IMU, the general GNC software used the constant angular rate corresponding to the IMU saturation threshold when, in reality, the lander was oscillating. This created an error in the estimated orientation of the EDM of around 165 degrees – representing a nearly inverted attitude with the front heat shield pointed skyward (not physically possible during parachute descent).

Radar Antenna Assembly – Photo: ESA
Radar Measurement Geometry – Image: ESA/Thales

However, the GNC design did not implement ‘sanity checks’ of the guidance solution it processed and the software continued on with the erroneous attitude estimate. Though Schiaparelli was not lost at this point, the commission found, had it had the proper software tools to identify the error.

The probe dropped its heat shield based on a timing trigger 40 seconds after parachute deployment and the Radar Doppler Altimeter (RDA) powered up 15 seconds later to bounce radio pulses off the Martian surface to determine the lander’s altitude and speed. Radar altitude measurements were calculated using the faulty GNC estimated orientation to project the RDA slant angles on the vertical – introducing an erroneous off-vertical angle into the radar loop and causing mayhem to the radar altitude readings.

In fact, the faulty attitude data fed to the radar yielded a negative altitude and there was no plausibility check of such a reading built into the software loop. As a consequence, consistency checks between the GNC-derived altitude and the radar altitude failed, but the RDA solution was still forced into the control logic because landing was considered impossible without radar data. Working with a negative-altitude reading, the software went into Terminal Descent Mode which ran an algorithm comparing the current altitude with the planned backshell release point.

>>Detailed Engineering Overview of Schiaparelli

Artist’s Illustration of Surface Platform Separation – Image: ESA/ATG Medialab

Backshell separation occurred some 3.7 Kilometers in altitude because the GNC software was processing a negative altitude reading well below the backshell release threshold. The planned landing sequence called for backshell separation between 1.2 and 0.6 Kilometers in altitude followed by a 29-second long rocket-powered braking maneuver to deliver EDM to an altitude of 2 meters where the engines were expected to stop to enable Schiaparelli to drop to the surface at a speed of 10km/h.

Two seconds after the surface platform separated, the nine 440-Newton thrusters fired up but were shut down after only three seconds based on a pre-set energy threshold that was to use a combination of altitude and vertical speed to judge whether conditions for the landing were met. Since the estimation of the altitude was negative, the negative potential energy calculated by GNC immediately satisfied the criterion of being lower than the positive kinetic energy threshold for the shutdown.

Schiaparelli’s Crash Site in Color – Image: NASA/JPL-Caltech/University of Arizona

Schiaparelli fell freely for 34 seconds, impacting close to the center of its planned landing ellipse at a speed of around 150 meters per second.

The first focus of the investigation was on the dynamics of parachute opening which, due to their complex nature and several uncertainties, are inherently difficult to model.

Multi-body analysis performed for Schiaparelli did not provide a realistic behavior of parachute deployment, the inquiry found. This was supported by previous experience by NASA’s Jet Propulsion Laboratory that placed particular focus on understanding wrist mode dynamics under the chute for its most recent Mars landing (Curiosity, 2012) and the upcoming Mars 2020 rover.

The investigation found that conservative uncertainty management in all simulation and analysis activities was not given for Schiaparelli and no ‘worst-case’ scenarios were considered as part of statistical simulation runs. As no dynamics beyond the IMU’s operating range were expected, there was no firm specification for the GNC’s response to an IMU saturation.

Because saturation of the IMU was not a feared event, the behavior of the IMU at saturation levels was not measured during acceptance testing. When the saturation occurred, the IMU software set a Rate Flag Bit at a persistence rate that was found to be too high for this mission as the GNC software was built based on the believe the persistence of IMU saturation time would be 15 milliseconds.

This basic error in properly tracking equipment specifications was found to be the fundamental cause of the Schiaparelli failure as the landing would likely have succeeded if the persistence time had been set to a lower value (for which no specification existed).

Schiaparelli atop Trace Gas Orbiter – Photo: ESA

Another concern raised by the inquiry was a lack of onboard Failure Detection, Isolation and Recovery (FDIR).

Schiaparelli had been built as a non-fault-tolerant system by design, however, as noted in the investigation report, some redundant measurements were available to the onboard software which could have been used for cross checks to identify erroneous readings. Additionally, plausibility checks of guidance values would have easily revealed the erroneous attitude as physically impossible values occurred at two distinct points (inverted attitude, negative altitude).

The report also notes that the adopted design approach only considered failures or anomalies with the landing radar and the IMU-derived solution was always considered to be free of errors. The presence of a number of measurements (accelerations, angular rates, altimeter measurements, time, etc.) could have been used to fabricate parallel-running logic for degraded modes had the possibility of IMU saturation been considered.

The failure investigation board saw a contributing factor to the failure in a mismanagement of subcontractors and the acceptance of hardware/software as evident in the unknown IMU saturation specifications and sub-contracted GNC software that was not equipped to deal with the saturation flag from the IMU.

ExoMars Rover & Orbiter – Image: ESA/ATG Medialab

Core recommendations made by the investigation board focus on engineering and management areas. Improvements in multi-body modeling and verification of all sub-models considered in statistical mission simulations are necessary to adequately reflect a realistic parachute opening scenario and worst-case scenarios shall be considered to increase system margins and robustness.

Onboard software shall implement cross-checks between different navigation sources as well as plausibility checks of measured values at all stages of flight. Suitable GNC modes should be foreseen to implement landing in degraded conditions when one measurement parameter proves out to be erroneous.

Looking at management and procedures, the commission concluded that detailed procurement specifications have to be followed for all components and a rigorous verification of all requirements for all hardware and software components has to be made.

With respect to the ExoMars 2020 mission, the investigation concluded that modeling of critical mission events such as parachute deployment should be double checked to ensure sub-models are properly verified with particular focus on stress-cases and whether the design is sufficiently robust for worst-case scenarios. The report also recommends ESA to look for partnerships between agencies and universities using their own competencies to secure the validation of models (such as JPL’s wrist mode assessment tools).

Recommendations are also made to establish an integrated systems engineering team between ExoMars contractors Thales Alenia and Lavochkin, plus setting a robust schedule and giving overweight to schedule when trading technical risks against schedule.