| Rule: |
Leave LMRE modem on between sunrise and sunset.
|
| Related Lander commands: |
MODEM_POWER
|
| Command restrictions after violation: |
|
| Impacted subsystems: |
Rover; Power; Telecom
|
| Rationale: |
The rover nominal operating period is during daylight hours, waking up sometime after sunrise and shutting down sometime before sunset. This rule ensures that the lander is ready to receive rover command requests and telemetry whenever the rover is operating.
|
| Criticality/Impact of violation: |
If the LMRE modem remains off during rover operations, the rover will be forced to buffer telemetry; if the rover buffer overflows, additional telemetry would be lost. Any rover command sequences in the lander's buffer (including rover aborts), would be unavailable for transmission to the rover, resulting in unexpected rover performance.
|
| Recovery procedure: |
Include MODEM_POWER ON commands at appropriate points in next lander sequence upload.
|
| Additional information: |
|
| Enforcement: |
Rover Operations Team, Rover Subsystem Analysis Team |
| Source: |
Andrew Mishkin |
| Rule: |
Ramp release pyros must be fired no sooner than 10 minutes after the rover APXS-retraction sequence (Rover Load ID 50130) is queued to the rover buffer.
|
| Related Lander commands: |
RAMPS_DEPLOY
|
| Command restrictions after violation: |
|
| Impacted subsystems: |
Rover; Pyro
|
| Rationale: |
The APXS Deployment Mechanism must be fully retracted by the rover before the ramps are released, to avoid ramp contact with the APXS head during ramp deployment. Otherwise, damage to the APXS sensor head may result. Ten minutes allows a comfortable margin if there are any rover-lander communications problems resulting in delays in the loading of the APXS-retraction sequence.
|
| Criticality/Impact of violation: |
If the rule is violated, the ramp deploy activity may damage the APXS and possibly other rover assemblies. This may preclude any science return from the APXS during the mission.
|
| Recovery procedure: |
Abort any lander sequence which violates the flight rule. Inspect state of rover APXS sensor head using IMP imagery and rover health check telemetry.
|
| Additional information: |
This flight rule has been implemented via automatic constraint checking that assumes the APXS-retraction sequence has been assigned the Rover Load ID 50130. If this assignment is changed, immediately notify Bridget Landry (x3-7884).
|
| Enforcement: |
Rover Operations Team, Rover Subsystem Analysis Team |
| Source: |
Andrew Mishkin |
| Rule: |
Do not actuate petals after the rover is released and before the rover has left the ramp.
|
| Related Lander commands: |
PETAL_MOVE, PETAL_POSITION
|
| Command restrictions after violation: |
PETAL_MOVE, PETAL_POSITION
|
| Impacted subsystems: |
Rover
|
| Rationale: |
Operating the petals when the rover is on the petal but released may shift the rover position, possibly causing the rover to jump the rails on the ramp during deployment. This could cause the rover to fail its deployment, and/or damage the petal solar panel.
|
| Criticality/Impact of violation: |
If the rule is violated, petal actuation may shift the rover to an unknown location, damage the solar panel, and possible damage the rover.
|
| Recovery procedure: |
Capture IMP images of rover on petal, assess rover state, generate rover sequence for recovery if needed.
|
| Additional information: |
|
| Enforcement: |
Rover Operations Team, Rover Subsystem Analysis Team |
| Source: |
Andrew Mishkin |
| Rule: |
After landing, turn on the rover petal heater. Leave the heater on until the rover has stood up.
|
| Related Lander commands: |
PSA_RVR_NITE_HTR
|
| Command restrictions after violation: |
|
| Impacted subsystems: |
Rover
|
| Rationale: |
Until the rover stands up, the thermal path between the rover and lander will not be broken, and the "cold finger" acts as a heat sink for the rover. Firing of the rover release pyros (via the lander's ROVER_DEPLOY command) will not be sufficient to break this connection. Therefore, the lander must continue to heat the rover until the rover has been commanded to stand up (via the rover's UNSTOW command).
|
| Criticality/Impact of violation: |
If the rule is violated, the internal rover temperatures may fall below flight allowables, possibly damaging the rover.
|
| Recovery procedure: |
Turn on the petal heater.
|
| Additional information: |
|
| Enforcement: |
Rover Operations Team, Rover Subsystem Analysis Team |
| Source: |
Andrew Mishkin |
| Rule: |
Do not operate the rover reed relay (ROVER_WAKEUP command) for more than 30 seconds. Always wait at least 10 minutes between successive uses of the ROVER_WAKEUP command.
|
| Related Lander commands: |
ROVER_WAKEUP
|
| Command restrictions after violation: |
ROVER_WAKEUP
|
| Impacted subsystems: |
Rover
|
| Rationale: |
Extended operation of the reed relay actuator can overheat and burn out the actuator.
|
| Criticality/Impact of violation: |
If the rule is violated, the actuator may be damaged. The lander would no longer be able to wake up the rover either during cruise or after landing. If a rover solar panel failure also occurred, the rover would never be activated, resulting in loss of the rover mission.
|
| Recovery procedure: |
Attempt to use ROVER_WAKEUP command to power up rover when appropriate. If actuator has been damaged, rely on solar power wakeup of rover on sol 1.
|
| Additional information: |
|
| Enforcement: |
Rover Operations Team, Rover Subsystem Analysis Team |
| Source: |
Andrew Mishkin |
| Rule: |
Power on only one of the two LMRE modem strings (A, B) at any one time. To power on modem string A, issue the following two commands in order:
- MODEM_POWER, B, OFF
- MODEM_POWER, A, ON
To power on modem string B, issue the following two commands in order:
- MODEM_POWER, A, OFF
- MODEM_POWER, B, ON
|
| Related Lander commands: |
MODEM_POWER
|
| Command restrictions after violation: |
MODEM_POWER
|
| Impacted subsystems: |
LMRE; Power; Thermal
|
| Rationale: |
The modem is intended to be powered via either string A or string B (where string A also powers the modem heater). Powering the modem by both strings simultaneously will waste power.
|
| Criticality/Impact of violation: |
If the rule is violated, excess power will be wasted heating the modem.
|
| Recovery procedure: |
Turn off one of the LMRE modem strings (A or B).
|
| Additional information: |
|
| Enforcement: |
Rover Operations Team, Rover Subsystem Analysis Team |
| Source: |
Andrew Mishkin |
| Rule: |
During time periods in which the LMRE modem is powered on, power cycle the modem once per hour to clear any possible latchup conditions. The downtime of the modem should be no more than a few seconds to minimize disruption of any ongoing rover-lander communication.
To power cycle modem string A, issue the following three commands in order:
- MODEM_POWER, A, OFF
- MODEM_POWER, B, OFF
- MODEM_POWER, A, ON
To power cycle modem string B, issue the following three commands in order:
- MODEM_POWER, B, OFF
- MODEM_POWER, A, OFF
- MODEM_POWER, B, ON
|
| Related Lander commands: |
MODEM_POWER
|
| Command restrictions after violation: |
MODEM_POWER
|
| Impacted subsystems: |
Rover; LMRE
|
| Rationale: |
Modem latchup is expected to occur at least once during the landed mission. This procedure will minimize rover communications downtime in the event of such a latchup.
|
| Criticality/Impact of violation: |
If the rule is violated, lander-rover communications may be disrupted, resulting in lost rover telemetry, failure of the rover to respond to commands, and subsequent loss of mission return.
|
| Recovery procedure: |
Power cycle the LMRE modem as described in the Rule Description.
|
| Additional information: |
|
| Enforcement: |
Rover Operations Team, Rover Subsystem Analysis Team |
| Source: |
Andrew Mishkin |
| Rule: |
During cruise, do not command ROVER_WAKEUP more than once per hour.
|
| Related Lander commands: |
ROVER_WAKEUP
|
| Command restrictions after violation: |
ROVER_WAKEUP
|
| Impacted subsystems: |
Rover
|
| Rationale: |
Convective heating paths available to the rover on Earth and Mars are not available in vacuum during the cruise phase. Individual rover electronic components may overheat when operated in vacuum for more than a few minutes, physically damaging the rover.
|
| Criticality/Impact of violation: |
If the rule is violated, rover components may overheat, resulting in damage to rover electronics.
|
| Recovery procedure: |
Abort any sequence forcing the rover to be powered on for more than 5 minutes. Command the rover to shut down.
|
| Additional information: |
|
| Enforcement: |
Rover Operations Team, Rover Subsystem Analysis Team |
| Source: |
Andrew Mishkin |