| Rule: | When used, the ABORT SEQUENCE command must be the first command in the sequence. |
| Related rover commands: | |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | To determine whether to abort the currently active sequence, the rover examines only the first command in the next sequence in the lander's buffer. If an ABORT SEQUENCE command is placed anywhere else in a command sequence, it will be ignored by the rover. |
| Criticality/Impact of violation: | |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | DO NOT USE the DRIVE MOTOR command, unless Rover Lite is active. This will occur only if rover EEPROM has been corrupted. |
| Related rover commands: | |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | The DRIVE MOTOR command is non-functional when standard rover flight software is operating. |
| Criticality/Impact of violation: | |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Unless specifically directed otherwise, NEVER use image compression when capturing a rear color image (camera = 2). |
| Related rover commands: | |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | Compression of color images results in loss of color information. |
| Criticality/Impact of violation: | |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Unless specifically directed otherwise, ALWAYS use image compression when capturing front camera images using the CAPTURE IMAGE command (camera = 0,1). When using compression, the number of rows in the image must be evenly divisible by 4; the number of columns must be evenly divisible by 16. |
| Related rover commands: | |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | Compression of images reduces downlink data volume by 4.9:1, as well as reducing total time required to complete CAPTURE IMAGE command execution. If the numbers of rows and columns are not evenly divisible by 4 and 16 respectively, some image corruption will appear in the final image product. |
| Criticality/Impact of violation: | |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Place an END OF SEQUENCE command at the end of all command sequences. Use only one END OF SEQUENCE command per sequence. |
| Related rover commands: | |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | The rover will not accept command sequence uploads that do not contain an END OF SEQUENCE command. Any commands placed after END OF SEQUENCE will be ignored by the rover. |
| Criticality/Impact of violation: | |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Use a TURN TOWARD x1 y1 command as the last move command before a FIND ROCK x1 y1 command in a sequence. |
| Related rover commands: | |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | If the rover is not facing the target rock when the FIND ROCK command is issued, it may locate another rock in the vicinity. (This is particularly likely when the rover is very near to the target rock but facing in the opposite direction.) By turning to face the direction of the desired rock, the probability of encountering the desired target is maximized. |
| Criticality/Impact of violation: | If APXS data collected from a random rock is not acceptable, then achieving the originally intended science return will require at least an additional sol, with a corresponding delay in the mission timeline. |
| Recovery procedure: | Issue a new command sequence which includes the appropriate TURN TOWARD command. |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Do not open the APXS shutter when the ambient Mars temperature is below minus 50 degrees C. |
| Related rover commands: | SEND APXS COMMAND D1 (OPEN_SHUTTER) |
| Command restrictions after violation: | If an attempt is made to open the shutter when it is too cold, the shutter may not open. No commands are restricted, but any commands involving the APXS may not achieve the desired scientific results. |
| Impacted subsystems: | APXS; Rover |
| Rationale: | Shutter motor testing has demonstrated that it does not work at temperatures below minus 60 degrees C. The APXS shutter motor could be damaged. If it cannot be opened, then APXS analyses of rock and soil cannot be obtained. We won't know that it hasn't worked until after an APXS spectrum is obtained and returned. |
| Criticality/Impact of violation: | If the APXS shutter motor is damaged and stuck in the closed position, no more APXS analyses of rocks and soil can be obtained. This would significantly reduce the science return of the mission. |
| Recovery procedure: | Reissue the open shutter command when the ambient Mars temperature is above minus 50 degrees C. This requires scheduling the open shutter command at an appropriate Mars local time, and including the open shutter command in the next rover command sequence upload opportunity. An open shutter can only be confirmed by taking an APXS spectrum of a rock or soil and assessing the results. |
| Additional information: | This flight rule must be implemented by careful scheduling (by the Experiment Team) of the APXS Experiment scenario and the shutter opening operation. On the basis of Martian ambient temperature predicts and the APXS experiment scenario, the Experiment Team must specify a safe time window for the shutter open command. (For example: "The Shutter Open command should be used only after 08:00 Mars LST and before 20:00 Mars LST.") Note that the rover cannot access the internal APXS temperature sensor, and cannot practically perform temperature-dependent command sequences. |
| Enforcement: | Rover Subsystem Analysis Team |
| Source: | Tom Economou |
| Rule: | Do not close the APXS shutter when the ambient Mars temperature is below minus 50 degrees C. |
| Related rover commands: | SEND APXS COMMAND 21 (CLOSE_SHUTTER) |
| Command restrictions after violation: | If an attempt is made to close the shutter when it is too cold, the shutter may not close. No commands are restricted, but any commands involving the APXS may not achieve the desired scientific results. |
| Impacted subsystems: | APXS; Rover |
| Rationale: | Shutter motor testing has demonstrated that it does not work at temperatures below minus 60 degrees C. The APXS shutter motor could be damaged. If the shutter motor is damaged and the shutter cannot be closed, then the APXS sensor head is at risk for getting dirty, and no further calibrations with closed shutter can be obtained. This is not a serious problem unless there is a lot of dust blowing around at the height of the APXS, or unless the initial calibration data taken with the shutter closed is corrupted or lost. |
| Criticality/Impact of violation: | If the APXS shutter motor is damaged and stuck in the open position, then the APXS sensor head is at more risk of getting dirty, which would compromise the scientific results from the APXS, and no further calibrations of the APXS with closed shutter would be possible. |
| Recovery procedure: | Reissue the close shutter command when the ambient Mars temperature is above minus 50 degrees C. This requires scheduling the close shutter command at an appropriate Mars local time, and including the close shutter command in the next rover command sequence upload opportunity. Actual closing of the shutter can only be confirmed by taking an APXS spectrum of a rock or soil and assessing the results. If the shutter is found to be stuck in an open position, then the Experiment Team can decide to proceed as nominally planned, but leaving the shutter always open, or it might decide to try closing the shutter again at another time. |
| Additional information: | This flight rule must be implemented by careful scheduling (by the Experiment Team) of the APXS Experiment scenario and the shutter opening operation. On the basis of Martian ambient temperature predicts and the APXS experiment scenario, the Experiment Team must specify a safe time window for the shutter open command. (For example: "The Shutter Open command should be used only after 08:00 Mars LST and before 20:00 Mars LST.") Note that the rover cannot access the internal APXS temperature sensor, and cannot practically perform temperature-dependent command sequences. |
| Enforcement: | Rover Subsystem Analysis Team |
| Source: | Tom Economou |
| Rule: | APXS data collection shall consist of a number of uninterrupted data collection periods, each of 30 minutes or greater duration. |
| Related rover commands: | Any rover command executed during an APXS data collection period, unless rover communications has been suspended. (Note that, if rover communications has not been suspended, any rover command execution will result in at least one communication cycle between the rover and the lander; this requires power-up of the modem, which requires power cycling of the APXS using the following rover internal sequence: MEAS_STOP, power off of APXS, use modem, power on of APXS, MEAS_START.) |
| Command restrictions after violation: | If the FMR is violated, no commands are restricted. |
| Impacted subsystems: | APXS; Rover
The rover is significantly affected by this flight rule: In order to abide by this rule, the rover must either execute no commands during the data collection period, other than Wait; or suspend communications, with the attendant risks of that action. During APXS data collection, the rover is precluded from making command requests or communicating with the lander in any way. |
| Rationale: | 30 minutes will provide useful results for some elemental abundances. In addition, there is always some warm up time, needed to stabilize the gain and the offset of the electronics. Less than 30 min. counting time might not be desirable to include in the total accumulation time. |
| Criticality/Impact of violation: | It could deteriorate the APXS resolution to distinguish neighboring elements. |
| Recovery procedure: | Provide additional uninterrupted data collection periods to continue to current APXS experiment in the early segment of the next sol's rover command sequence. Do not move the rover or ADM from the APXS target position before continuing the APXS experiment. |
| Additional information: | This flight rule must be implemented by careful scheduling (by the Experiment Team) of the APXS Experiment scenario, together with the suspension of rover-lander communications during APXS data collection. Rover command sequences containing APXS experiments must be designed to include a series of uninterrupted data collection periods for the APXS. Note that even the telemetry message acknowledging the start of APXS data collection would result in a short power-cycling of the APXS. |
| Enforcement: | Rover Operations Team; Experiment Team |
| Source: | Tom Economou |
| Rule: | The APXS electronics shall be operated only when the rover Warm Electronics Box (WEB) is between -40 degrees C and 40 degrees C. |
| Related rover commands: | SEND APXS COMMAND; TURN ON DEVICES (device = APXS)
The SEND APXS COMMAND rover command will turn on the APXS instrument if it is not already on. |
| Command restrictions after violation: | If the FMR is violated, no commands are restricted. |
| Impacted subsystems: | APXS; Rover |
| Rationale: | There is a possibility that the APXS electronics could be damaged if operated outside this temperature range. Subsequent APXS analyses then could not be performed. |
| Criticality/Impact of violation: | If the electronics are damaged as a result of violating this FMR, this would significantly reduce the science return of the mission. |
| Recovery procedure: | If the out-of-operating range condition is expected to continue through
the next rover command upload period, then include the command: TURN
OFF DEVICES d (Byte 0-3: bit 7 = APXS) in the next rover command
sequence.
However, the operating temperature range of the APXS is the same as that of the electronics in the WEB. The design of the WEB and thermal control software is intended to keep the WEB internal temperature between -40C and +40C for the entire mission. If this temperature range is violated, then a serious anomaly has occurred. Recovery from the violation of this flight rule is equivalent to recovery from a rover mission critical thermal contingency. |
| Additional information: | Originated from the APXS FRD, section 6.4.2.2. While awake, the rover monitors its own internal temperature, and ceases command execution if the temperature exceeds a threshold value. However, if the APXS is operating at this time, the rover will not shut it down. If the APXS is operated while the rover is shut down (a nominal operational mode), there is no way for the rover to recognize an out-of-range temperature. |
| Enforcement: | Rover Operations Team; Experiment Team |
| Source: | Tom Economou |
| Rule: | The APXS sensor head shall be operated only when the surrounding Martian ambient temperature is between -100 degrees C and +25 degrees C. |
| Related rover commands: | SEND APXS COMMAND; TURN ON DEVICES (device = APXS).
The SEND APXS COMMAND rover command will turn on the APXS instrument if it is not already on. If the APXS is already in operating when the temperature range is exceeded, no command will be responsible for the flight rule violation. |
| Command restrictions after violation: | If the FMR is violated, no commands are restricted. |
| Impacted subsystems: | APXS; Rover |
| Rationale: | The APXS sensor head electronics could be damaged if operated below minus 100 C, putting subsequent APXS analyses in jeopardy. The X-ray data above +10 C will be dominated by noise. The x-ray detector depends on cooling from Martian environment. |
| Criticality/Impact of violation: | If the APXS sensor head is damaged as a result of violating this FMR, this would significantly reduce the science return of the mission. |
| Recovery procedure: | If the out-of-operating range condition is expected to continue through
the next rover command upload period, then include the command:
TURN OFF DEVICES d (Byte 0-3: bit 7 = APXS) in the next rover command sequence. There may be no useful recovery from this condition if it occurs. |
| Additional information: |
Originated from the APXS FRD, section 6.4.2.2.
This flight rule must be implemented by careful scheduling (by the Experiment Team) of the APXS Experiment scenario. On the basis of Martian ambient temperature predicts and the APXS experiment scenario, the Experiment Team must specify safe operating times for the APXS. (For example: "The APXS instrument shall be powered on only after 05:00 Mars LST and before 24:00 Mars LST.") The low end of the temperature range (-100 degrees C) should occur only at night, when the rover is off; therefore, this temperature cannot be monitored. The high end of the temperature range (+25 degrees C) is higher than anticipated on Mars during the mission. The high end temperature will not damage the sensor head if it does occur. Recovery from high temperature conditions might best be performed by designing the APXS experiment procedure to read out the spectral data sufficiently often to allow later subtraction of noisy data subsets. This is part of the operational plan already. |
| Enforcement: | Rover Operations Team; Experiment Team |
| Source: | Tom Economou |
| Rule: | APXS experiment targets shall be selected to avoid placing APXS sensor head axis more than 90 degrees from the vertical axis. |
| Related rover commands: | POSITION APXS; DEPLOY APXS |
| Command restrictions after violation: | None |
| Impacted subsystems: | APXS; Rover |
| Rationale: | Raising the APXS sensor head above 90 degress might allow soil or pebbles from the surface of the rock to get inside the sensor head. This could interfere with proper operation of the APXS. |
| Criticality/Impact of violation: | This could degrade the APXS energy spectra, or even damage the alpha detector. |
| Recovery procedure: | |
| Additional information: | This flight rule must be implemented by careful selection of APXS targets. Since the APXS sensor head is mounted in a compliant support, there is no capability to know the sensor head orientation with any certainty. The sensor head orientation is determined by its interaction with the target (i.e., rock surface) and cannot be fully predicted. |
| Enforcement: | APXS Instrument Engineer |
| Source: | Tom Economou |
| Rule: | Do not power on the ADM or leave the ADM powered on between 2200 and 0730 Mars local solar time. |
| Related rover commands: | DEPLOY APXS
RUN MOTOR 10 TO p (where p > 0) RUN MOTOR 10 FOR p CENTONS ( where p i s not equal to 0) TURN ON DEVICES d (Byte 0-3: bit 21 = APXS failsafe) LIMIT-CALIBRATE POSITION SENSORS (Byte 0: bit 4 = APXS motor) |
| Command restrictions after violation: | Since the ADM is unlikely to be damaged if the FMR is violated, due to rover overheat protection and stall detection software capabilities, future commands are not restricted. The most likely recovery procedure will be to repreat the original sequence activities at a more appropriate time of the Martian day. |
| Impacted subsystems: | APXS; Rover |
| Rationale: | The ADM actuator motor will not work properly and may stall if
operation is attempted when Mars ambient temperature is below -75
degrees C without running the motor heater for some period of time. The
motor has never been tested below -100
degrees C, and will probably stall even with
the motor heater on. In any case, rover software will nominally
prevent damage to the ADM actuator motor if such an attempt is made.
The amount of heating required if ambient is between -75 and -100 degrees depends on the actual ambient temperatures and the time of day. Generally, it is faster to wait until the ambient reaches -75 than it is to use the heater for a sufficient time to be sure it is warm enough. Therefore, this rule sets up a time window to ensure that the temperature of operation is always above -75 degrees C, as long as the ambient diurnal temperature cycle is not far from what we expect. |
| Criticality/Impact of violation: | Damage to the ADM motor should be prevented by rover load overheat
protection and stall detection software functions; however, failure of
the APXS deployment operation will generally result in the loss of the
remainder of the current sol's rover activities. This will delay rover
activities by at least one sol, significant in a 7 day primary
mission.
If rover software protections fail and the ADM is damaged, this could significantly reduce the science return of the mission; if the ADM fails in the deployed state, it may result in loss of rover mobility and end of rover mission. |
| Recovery procedure: | Analyze the data returned from the rover to assess the deployment state of the ADM. If the commanded operation failed, take the following action in the next available rover sequence load: operate the ADM motor when the ambient Mars temperature is above -75 degrees C (if temperatures are as we expect, operation between 0730 and 2200 Mars local solar time will be good). If the ADM fails to operate at this point, then use of the ADM failsafe must be considered. |
| Additional information: | This originated from the APXS FRD, section 3.5.1.1. and R. Blomquist's
HRCR writeup. Original FRD set the minimum operation temperature to be
minus 40 degrees C, but later, at the HRCR, it was shown to work at
minus 90 degrees C. A minimum operation temperature for the actuator
of -75 degrees C allows for 15 degrees of margin. To override this
flight rule would require careful scheduling (by the Experiment Team)
of the APXS Experiment scenario. On the basis of Martian ambient
temperature predicts from ASI-MET, the Experiment Team might have to
adjust, if necessary, the safe time window for this flight rule. Note
that the rover cannot access the internal APXS temperature sensor, and
cannot practically perform temperature-dependent command sequences.
In the unlikely event that operation of the ADM is required when ambient temperatures are between -75 and -100 degrees C, then the Experiment Team will have to carefully examine the documentation on ADM testing under various conditions to determine the required ADM preheating time and request a special flight rule override. Operation when Mars ambient temperature is above 25 degrees C could soften the cerrobend in the failsafe, causing a partial retraction. The failsafe would then need to be reset completely, and the deployed pot reading may change. However, it is unlikely that ambient temperatures will ever rise above 25 degrees C. |
| Enforcement: | Rover Subsystem Analysis Team |
| Source: | Holly Kubo, Joy Crisp |
| Rule: | Do not activate the ADM failsafe between 1600 and 0700 Mars local solar
time.
|
| Related rover commands: | TURN ON DEVICES d (Byte 0-3: bit 21 = APXS failsafe) |
| Command restrictions after violation: | If the FMR is violated, then any additional movement of the ADM using
these commands are restricted, until the situation is evaluated by the
APXS Instrument Engineer:
DEPLOY APXS RUN MOTOR 10 TO p (where p > 0) RUN MOTOR 10 FOR p CENTONS ( where p i s not equal to 0) LIMIT-CALIBRATE POSITION SENSORS (Byte 0: bit 4 = APXS motor) |
| Impacted subsystems: | APXS; Rover |
| Rationale: | The ADM could be damaged if this FMR is violated, limiting the ability to position the APXS sensor head on rocks and soil. After the failsafe is operated and ADM has been retracted, the cerrobend must reach 60 degrees C to completely melt. This flight rule allows sufficient time at sufficiently warm ambient temperatures to ensure thorough cerrobend melting afterwards (ADM Flight Rule 3), as long as the ambient diurnal temperature cycle is not far from what we expect. |
| Criticality/Impact of violation: | If the cerrobend is not completely melted and cooled then the ADM may not deploy smoothly or may not deploy at all. This could significantly reduce the science return of the mission. |
| Recovery procedure: | If the ADM operation is faulty after violation of the flight rule, then
the cerrobend in the ADM must be resolidified properly. In the next
rover sequence upload, include the following sequence of activities:
TURN ON DEVICE (fail-safe heater) Wait N minutes TURN OFF DEVICE (fail-safe heater) Wait at least M minutes before operating the ADM. |
| Additional information: | On the basis of Martian ambient temperature predicts updated from ASI-MET, the Experiment Team might have to request a formal change to this flight rule to adjust the time window for this flight rule. Note that the rover cannot access the internal APXS temperature sensor, and cannot practically perform temperature-dependent command sequences. |
| Enforcement: | Rover Subsystem Analysis Team, APXS Instrument Engineer |
| Source: | Holly Kubo |
| Rule: | After operating the ADM failsafe, allow the failsafe heater to stay on
without moving the ADM for 3 hours, then turn off the failsafe heater
and wait at least 30 minutes before operating the ADM again.
|
| Related rover commands: | TURN OFF DEVICES d (Byte 0-3: bit 21 = APXS failsafe)
DEPLOY APXS RUN MOTOR 10 to p RUN MOTOR 10 FOR p CENTONS (where p i s not equal to 0) LIMIT-CALIBRATE POSITION SENSORS (Byte 0: bit 4 = APXS motor) |
| Command restrictions after violation: | If the FMR is violated, then any additional movement of the ADM using
these commands are restricted, until the situation is evaluated by the
APXS Instrument Engineer:
DEPLOY APXS RUN MOTOR 10 TO p (where p > 0) RUN MOTOR 10 FOR p CENTONS ( where p i s not equal to 0) LIMIT-CALIBRATE POSITION SENSORS (Byte 0: bit 4 = APXS motor) |
| Impacted subsystems: | APXS; Rover |
| Rationale: | The ADM could be damaged if this FMR is violated, limiting the ability to position the APXS sensor head on rocks and soil. The cerrobend requires this heating (followed by cooling) to completely melt and work properly. |
| Criticality/Impact of violation: | If the heater remains on for an extended period of time at warm temperatures, the failsafe could get too hot. The failsafe heater could start to delaminate at 200 degrees C. If the cerrobend is not completely melted and cooled then the ADM may not deploy smoothly or may not deploy at all. |
| Recovery procedure: | If the ADM operation is faulty after violation of the flight rule, then
the cerrobend in the ADM must be resolidified properly. In the next
rover sequence upload, include the following sequence of activities:
TURN ON DEVICE (fail-safe heater) Wait N minutes TURN OFF DEVICE (fail-safe heater) Wait at least M minutes before operating the ADM. |
| Additional information: | |
| Enforcement: | Rover Subsystem Analysis Team, APXS Instrument Engineer |
| Source: | Holly Kubo, Joy Crisp |
| Rule: | When execution of the DEPLOY APXS command will require batteries (i.e., early morning, late afternoon, or when the solar panel has failed), the following sequence of commands should be used to ensure that the ADM fully deploys:
|
| Related rover commands: | |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | When operating on batteries, rather than on solar power, the ADM may deploy very slowly. If this occurs, the motor overheat protection algorithm may be triggered before the ADM is fully deployed, also setting an error flag. The specified sequence above should ensure that the desired APXS deployment is achieved. |
| Criticality/Impact of violation: | If the flight rule is violated, the APXS may not be fully deployed, and an error flag will be set. The result will likely be loss of the rest of the activities for the given sol, including total loss of return from the ongoing APXS experiment. |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Always CLEAR errors or SET ERROR MASK to mask errors before setting {HOLD_COMM} = 0 to restore communications. |
| Related rover commands: | CLEAR, SET ERROR MASK, SEND APXS COMMAND |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | If an unmasked error state exists when the SET PARAMETER {HOLD_COMM} = 0 command is issued to restore communications, the command will be skipped. This will leave the rover in an uncommunicative state, in which it will neither downlink telemetry or check for new command loads. |
| Criticality/Impact of violation: | Violation of this flight rule may result in loss of contact with the rover for significant time during surface operations; mission delays of an entire sol are likely. |
| Recovery procedure: | Disabling communications via {HOLD_COMM} does not prevent the rover from making command requests to the lander whenever no command sequence is active. Therefore, recovery can be accomplished by including the following sequence fragment early in the next rover sequence sent to the lander:
CLEAR ffff SET PARAMETER {HOLD_COMM} = 0 Alternatively, the rover will recover on its own when it drops into contingency mode after receiving no communication for the time period specified in {CMD_TLIM}. When contingency mode is triggered, {HOLD_COMM} will automatically be reset to 0. |
| Additional information: | |
| Enforcement: | Rover Operations Team |
| Source: | Andrew Mishkin |
| Rule: | NEVER use {APXS_TIME_RL} unless Rover Lite is active. |
| Related rover commands: | SET PARAMETER {APXS_NIGHT} |
| Command restrictions after violation: | Do not use {APXS_TIME_RL} again; instead use {APXS_NIGHT}. |
| Impacted subsystems: | Rover; APXS |
| Rationale: | {APXS_TIME_RL} is a pseudo-parameter in the RCW which is actually identical to the {APXS_NIGHT} parameter. During Rover Lite only, the {APXS_NIGHT} parameter is interpreted by the rover as {APXS_TIME_RL} and is used to determine APXS integration time. |
| Criticality/Impact of violation: | Violation of this flight rule will result in an invalid value for the {APXS_NIGHT} parameter (range 0-2), and may cause the APXS to be powered on overnight unintentionally. |
| Recovery procedure: | In the next command sequence, set {APXS_NIGHT} to an appropriate value, e.g.,
SET PARAMETER {APXS_NIGHT} = 0 |
| Additional information: | |
| Enforcement: | Rover Operations Team |
| Source: | Andrew Mishkin |
| Rule: | If Rover Lite is active, do not use {APXS_NIGHT}. |
| Related rover commands: | SET PARAMETER {APXS_TIME_RL} |
| Command restrictions after violation: | Do not use {APXS_NIGHT} again; instead use {APXS_TIME_RL}. |
| Impacted subsystems: | Rover; APXS |
| Rationale: | {APXS_NIGHT} is actually identical to the {APXS_NIGHT} pseudo-parameter in the RCW. During Rover Lite only, the {APXS_NIGHT} parameter is interpreted by the rover as {APXS_TIME_RL} and is used to determine APXS integration time. |
| Criticality/Impact of violation: | Violation of this flight rule will result in an inappropriate value for the {APXS_TIME_RL} parameter (representing seconds of integration time), and would cause the APXS to collect data for such a short time (2 seconds maximum) that the measurement would be useless. |
| Recovery procedure: | In the next command sequence, repeat the planned APXS data collection with an appropriately set {APXS_TIME_RL} integration time. |
| Additional information: | |
| Enforcement: | Rover Operations Team |
| Source: | Andrew Mishkin |
| Rule: | Always set {DUST_CVR} value immediately before executing the MAE command. Use the parameter value guidelines given in 'Additional Information' below. | ||||||||||||||||||||||||||||||
| Related rover commands: | MAE | ||||||||||||||||||||||||||||||
| Command restrictions after violation: | The MAE command is restricted after violation until an assessment by the MAE experiment team has been made. | ||||||||||||||||||||||||||||||
| Impacted subsystems: | Rover; MAE | ||||||||||||||||||||||||||||||
| Rationale: | {DUST_CVR} determines the time that the MAE dust cover will be actuated. The actuation time is a function of ambient temperature. Actuating the dust cover for too long may destroy the actuator. Setting the parameter value immediately before a MAE experiment ensures that the proper parameter setting for the dust cover has been explicitly chosen. | ||||||||||||||||||||||||||||||
| Criticality/Impact of violation: | If the dust cover actuator is operated for too long a time, the MAE dust cover may be damaged, possibly resulting in no further mission return from this experiment.
If the actuator is operated for too short a time, the dust cover may not fully open, resulting in invalid data for the experiment. | ||||||||||||||||||||||||||||||
| Recovery procedure: | Perform the MAE experiment again with an appropriate value for {DUST_CVR}. Assess the telemetry for the MAE to determine if the dust cover is still functioning. | ||||||||||||||||||||||||||||||
| Additional information: | {DUST_CVR} values should be determined from the following table, based on expected Watchplate temperatures at the time of command execution:
| ||||||||||||||||||||||||||||||
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team | ||||||||||||||||||||||||||||||
| Source: | Andrew Mishkin, Phil Jenkins |
| Rule: | Always set {HEALTH_RATE} so that automatic health checks do not interrupt an APXS data collection period. This can be achieved by one of the following steps:
|
| Related rover commands: | WAIT, SEND APXS COMMAND |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover; APXS |
| Rationale: | APXS data collections must be uninterrupted by APXS instrument power cycling for at least 30 minutes (see APXS FLIGHT RULE 3). Automatic health checks during WAIT commands potentially would violate this requirement. |
| Criticality/Impact of violation: | If the flight rule is violated, the quality of the APXS data collected would be reduced due to increased noise and less total integration time. |
| Recovery procedure: | If possible, extend the APXS data collection period to compensate for the additional noise in the spectra. |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | DO NOT CHANGE the value of {ADC_PER_CENTON}. This parameter value has been determined by calibration. Changing this parameter value requires an explicit waiver of this flight rule. |
| Related rover commands: | |
| Command restrictions after violation: | TBD |
| Impacted subsystems: | Rover |
| Rationale: | TBD |
| Criticality/Impact of violation: | TBD |
| Recovery procedure: | TBD |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | DO NOT CHANGE the value of {BAM_PER_CENTON}. This parameter value has been determined by calibration. Changing this parameter value requires an explicit waiver of this flight rule. |
| Related rover commands: | |
| Command restrictions after violation: | TBD |
| Impacted subsystems: | Rover |
| Rationale: | TBD |
| Criticality/Impact of violation: | TBD |
| Recovery procedure: | TBD |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | DO NOT CHANGE the value of {BAM_PER_COUNT}. This parameter value has been determined by calibration. Changing this parameter value requires an explicit waiver of this flight rule. |
| Related rover commands: | |
| Command restrictions after violation: | TBD |
| Impacted subsystems: | Rover |
| Rationale: | TBD |
| Criticality/Impact of violation: | TBD |
| Recovery procedure: | TBD |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | DO NOT CHANGE the value of {COUNTS_PER_CENTON}. This parameter value has been determined by calibration. Changing this parameter value requires an explicit waiver of this flight rule. |
| Related rover commands: | |
| Command restrictions after violation: | TBD |
| Impacted subsystems: | Rover |
| Rationale: | TBD |
| Criticality/Impact of violation: | TBD |
| Recovery procedure: | TBD |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | During mission operations (i.e., after the test phase) NEVER issue a relative SHUTDOWN UNTIL command. Relative shutdowns cause the rover to shutdown for a specified number of hours, rather than until a specified mission time. |
| Related rover commands: | SHUTDOWN UNTIL |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | Since the exact time of execution of the SHUTDOWN UNTIL command would likely be uncertain, use of a relative shutdown may result in an unknown rover wakeup time. |
| Criticality/Impact of violation: | The criticality of a violation would usually be low, since a solar wakeup will nominally occur during the morning of the next sol, limiting the duration of any relative shutdown.
However, if a solar panel failure has occurred prior to issuing the relative shutdown, the rover could remain shutdown for up to 30 hours, resulting in significant loss of mission time. This would be particularly serious during such a battery-only mission, since the expected survival time of the rover on batteries would already be limited. |
| Recovery procedure: | |
| Additional information: | A relative shutdown is triggered by commanding a SHUTDOWN UNTIL a time in the range of 0 to 108000, which corresponds to a CCSDS time between midnight January 1, 1958 and 06:00 January 2, 1958. |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | During surface operations, execute a SYNCHRONIZE CLOCK command shortly before the first End-of-Day shutdown of the rover. |
| Related rover commands: | SHUTDOWN UNTIL, SYNCHRONIZE CLOCK |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | Synchronizing the rover clock before shutdown minimizes the impact of clock drift. If night wakeups are planned (e.g., for APXS reads or rover health checks), this will improve the odds of rover-lander communication during those wakeups; the LMRE modem and rover will be more likely to both be powered at the same time. It will also reduce the uncertainty in the alarm clock-based morning wakeup time. |
| Criticality/Impact of violation: | The criticality of a violation would usually be low, since the rover will buffer any data generated overnight if the lander is not available, and the rover will usually wake up due to solar triggering.
However, if the lander and rover fail to communicate for some time, the rover's telemetry buffer will eventually overflow, resulting in loss of data. If the solar panel fails, rover wakeup will be determined solely by the alarm clock, making an accurate clock more critical for operations. |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | NEVER use the TURN ON DEVICES bit=15 (MAE dust cover) command. |
| Related rover commands: | |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover; MAE |
| Rationale: | Using the TURN ON DEVICES command to power the dust cover would apply power to the dust cover actuator until another command turned it off. This would almost certainly burn out the dust cover actuator. |
| Criticality/Impact of violation: | If the flight rule is violated, the dust cover would probably be destroyed; no more data would likely be available from the MAE dust cover experiment. |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Before the first driving command of a given sol, ALWAYS turn on the rate sensor and allow it to warm up for at least two minutes. This can be implemented using the following two commands:
|
| Related rover commands: | FIND ROCK, GO TO WAYPOINT, MOVE, POSITION APXS, TURN LEFT, TURN RIGHT, TURN TOWARD, TURN TO HEADING |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | The performance of the rate sensor improves if it has been powered for two minutes before use, resulting in improved overall rover dead reckoning performance. |
| Criticality/Impact of violation: | |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | After all driving for a given sol has been completed, execute TURN OFF DEVICES (turn rate sensor = bit 17) to turn off the rate sensor. |
| Related rover commands: | FIND ROCK, GO TO WAYPOINT, MOVE, POSITION APXS, TURN LEFT, TURN RIGHT, TURN TOWARD, TURN TO HEADING |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | This will shut down the gyro which will be unused for the rest of the sol. If this TURN OFF DEVICES command is not executed, the gyro will be powered off by the rover when the next SHUTDOWN command is executed. |
| Criticality/Impact of violation: | |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | DO NOT USE the CALL FUNCTION command. Use of this command requires an explicit waiver of this flight rule. |
| Related rover commands: | |
| Command restrictions after violation: | TBD |
| Impacted subsystems: | Rover |
| Rationale: | TBD |
| Criticality/Impact of violation: | TBD |
| Recovery procedure: | TBD |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Use a MOVE 0 0 0 command as the final move command for any given sol's traverse (i.e.,before the scehduled End-of_Day imaging time). |
| Related rover commands: | |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | Updating the rover's position using the EOD image is much easier for the RCW operator to perform when the wheels are straight. Straight wheels can be readily aligned with the 3D rover icon in the RCW display. |
| Criticality/Impact of violation: | If the rover wheels are not straight when the EOD images are captured, then updating the rover's position and orientation will require more operator time, and may not be as accurate. This could result in failure to reach the desired target in the following sol's traverse. |
| Recovery procedure: | Perform only a short traverse, or choose an activity for the next sol which does not require precise positioning of the rover. |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Mask all contact sensors except the lower ADM contact sensor before executing an UNSTOW command. Unmask contact sensors after the UNSTOW. |
| Related rover commands: | SET PARAMETER (CONTACT MASK) |
| Command restrictions after violation: | No traverse commands may be executed until the Unstow is successfully completed. |
| Impacted subsystems: | Rover |
| Rationale: | Failure to successfully complete an Unstow attempt may place the rover in an unrecoverable condition, resulting in loss of rover mission. Any contact hazards encountered during the unstow are unlikely to be more hazardous than a failed unstow itself. Masking the contact sensors reduces that chance that a failed sensor will abort the standup operation. The lower ADM contact sensor must remained unmasked to ensure that the rover will not attempt to stand up if the ADM is still restrained on the petal. |
| Criticality/Impact of violation: | The rover may fail to unstow properly during the first attempt, resulting in a configuration from which ustow attempts may fail. The worst case consequence would be loss of rover mission, with an additional impact on lander power availability. |
| Recovery procedure: | Adjust unstow parameters appropriately, mask contact sensors, and attempt another Unstow. |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | Follow the WAE command by a Health Check level 2 (or higher) |
| Related rover commands: | HEALTH CHECK |
| Command restrictions after violation: | |
| Impacted subsystems: | Rover |
| Rationale: | The WAE command may cause motion of the right bogie as the right middle wheel is buried in soil. This motion must be assessed. The WAE command reports bogie angle information at the start of execution, but not at completion. A health check (level 2 or higher) will provide this information. |
| Criticality/Impact of violation: | Telemetry assessing bogie angle motion would be lost. |
| Recovery procedure: | |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |
| Rule: | During operations intended to abrade the right middle wheel (i.e., RUN MOTOR 3), the motor must be run in reverse to avoid lifting the front wheel into the air. |
| Related rover commands: | RUN MOTOR TO (motor 3); RUN MOTOR FOR (motor 3) |
| Command restrictions after violation: | No traverse commands should be executed until after execution of a RUN MOTOR command returns the front wheel to a stable configuration. |
| Impacted subsystems: | Rover |
| Rationale: | The rover may be susceptible to terrain hazards in the wheel-up configuration |
| Criticality/Impact of violation: | The rover may be susceptible to terrain hazards in the wheel-up configuration |
| Recovery procedure: | Execute a RUN MOTOR (motor 3) command to stabilize the bogey configuration. |
| Additional information: | |
| Enforcement: | Rover Operations Team, Rover Subsystem Analysis Team |
| Source: | Andrew Mishkin |