1. Design Verification of MSL Second Chance Pradip Maitra TASC Pradip.Maitra@ivv.nasa.gov 1 of 7 What is MSL Second Chance? Some Design Details Verifying the Design Summary Questions

2. What is Second Chance (SECC)? 2 of 7 MSL has 2 Flight Computers (FC-A and FC-B) normally loaded with the same flight software (FSW) image. Only FC-A is ON during Cruise and Surface Ops. During EDL, the FC-B is also turned ON. FC-B executes a different FSW image during EDL. This FC-B image monitors FC-A state and actions. If FC-A misbehaves, FC-B takes over control and resumes EDL operation within 1-2 seconds. This was the intent of MSL Second Chance (SECC).

3. Design Details 3 of 7 134 Second Chance requirements in addition to original 4446 FSW requirements. Principal guidelines: – Do not harm existing FSW functionality as it is going to get changed to accommodate Second Chance. – SC Image will not share normal FSW image banks. – SC Functionality can be deactivated in the last moment. – SC Image will be uploaded 2 weeks before EDL. – SC Image will be forgotten immediately after landing.

4. Design Details 4 of 7

5. Verifying the Design 5 of 7 Reset Scenario Analysis. Does any SECC requirement violate EDL Timeline? How capable is SECC image in resuming EDL? How SECC image interfaces with FSW environment? – SECC image upload and booting into it. – Unintended Enabling/Disabling/Arming SECC image. – Verifying receipt of “Prime in distress” event. – Where SECC image is being stored and can it affect normal FSW boot sequence? – Verifying successful removal of SECC image after landing.

6. Swim lane example: Verifying the Design 6 of 7

7. Summary The design verification work had uncovered a few problem areas that were judged to be of very low probability of occurrence. JPL conducted a high resolution simulation of FC-A failures during different time points of EDL. Their simulation also found that not all possible failure periods can be covered using a 1.5 to 2 seconds recovery time. 7 of 7