NEAR Shoemaker suffered a nearly fatal failure on December 22nd, 1998, at 22:00 UTC, as the spacecraft was executing rendezvous burn 1 (RND1). The failure caused mission control to lose contact with the craft for 27 hours, after which NEAR was found in its lowest safe mode, Sun-safe-rotate. Controllers were able to figure out a way to get NEAR to its target, the asteroid 433 Eros, but with a significant time penalty and a very narrow fuel margin. The only permanent damage suffered by the craft was a contamination of the multispectral imager's optics by propellant residues.

Because of low voltage conditions experienced by the craft during the time it was silent, power to the solid state memory recorder was turned off. As a result, detailed telemetry and command information was erased and was not available to help reconstruct events during the time NEAR was out of contact with the Deep Space Network. The events during this time had to be reconstructed from limited data found in processor memories and from inferences about what was happening to the craft.

Sequence of events

NEAR used a 200 second sequence of settling burns to settle the liquid fuel used by the main engine in its tanks. This process completed successfully, after which the main engine was ignited. The main engine shut down almost immediately, apparently without cause. Thirty-seven seconds later, communications with the craft were lost.

After the large velocity adjust (LVA) engine shutdown, the craft's guidance and control (G&C) computers began executing a maneuver that would bring the craft to Earth-safe mode. In Earth-safe mode, the craft aligns itself so that its solar panels are facing the Sun and the craft is rolling about the Sun line, with its medium gain antenna pointing toward Earth. Instead of using reaction wheels to perform this attitude adjustment, as is normal, the 22 N thrusters were used as they are during a delta-v maneuver. This erroneous use of the thrusters was caused by a command script which did not properly clean up after the LVA engine abort; it should have returned attitude control to the reaction wheels. The use of the thrusters resulted in a body rate of 1 degree per second toward the Sun.

Twenty-four seconds after the start of the LVA burn, a script running in the craft's command processors shut off power to the thrusters and closed the fuel tanks. With thruster power off, the guidance and control (G&C) system automatically started using the reaction wheels for attitude control. The reaction control wheels couldn't stop the slew toward the Sun started by the thrusters, and the spacecraft overshot the Sun.

The reaction control wheels were now saturated with momentum. The command computers began a thirty minute warm up of the thruster catalyst beds to prepare for a momentum dump (also called an angular momentum desaturation maneuver, AMD). This was to be a "red" dump, as opposed to a "white" dump, which is so urgent that the dump begins immediately, without first heating the thruster catalyst beds. The thirty minute warm up actually took thirty-seven minutes, due to a data structure error that caused a wheel speed sensor to be interpreted as zero instead of the wheel's maximum speed.

The first momentum dump completed at T+00:27:52 (T=0 is RND1 start), 15 seconds short of the maximum allowed dump time. G&C signaled for the command processor to shut off thruster power, and then began a course correction to put the craft back into Sun-safe mode, as it had drifted off during the momentum dump. A design flaw caused a long handshaking process to take place between G&C and the command processor, which meant thruster power was not turned off immediately. Since G&C was still configured to use the 22 N thrusters for attitude control after RND1, G&C fired the thrusters, which imparted a lot of momentum to the craft. This momentum was high enough to initiate a "white" dump, one that occurs without first warming the thruster catalyst beds. This dump failed to complete before the 300 second timeout for a momentum dump, which caused a switch over to the backup attitude interface unit (AIU).

The AIU switchover caused the attitude control to switch back to reaction wheels, effectively cleaning up the mess left when RND1 aborted. Up to this point, ground based simulations were able to accurately predict the series of events after the burn abort. After the AIU switchover and the subsequent return of attitude control to the reaction wheels, the spacecraft should have been able to recover unless some other mode of failure was present. However, five more momentum dumps would occur before the spacecraft experienced a quiet period, which was followed by eight more dumps.

The spacecraft continued to switch between AIUs because momentum dumps weren't being completed in the 300 seconds allowed. After the fifth switchover, autonomy rules left control in the hands of AIU2 and stopped limiting the length of the momentum dumps. As a result, some of the dumps were extremely long, one over 1000 seconds. During this time, the craft experienced several low voltage sense (LVS) trips, which resulted in power being shut off to the solid state recorder. The spacecraft's gyros are believed to have entered their whole angle mode (WAM) during this time. The gyroscopes would probably have entered WAM due to high body rates, which would have resulted in very noisy attitude readings and would have made momentum dumps extremely inefficient.

Eight more momentum dumps occurred over the next six hours. Beginning around T+06:10:00, the spacecraft entered a two and a half hour quiet period that ended at T+08:31:00 with one final "white" momentum dump. No further anomalous activity would occur. NEAR was found in Sun-safe-rotate twenty-seven hours after the abort of RND1.

Causes

The NEAR RND1 burn anomaly was caused by bugs in the software used to control the spacecraft.

  • RND1 was aborted because the startup of the engine produced an acceleration transient that exceeded a safety threshold that was set too low.
  • The abort of the burn caused recovery scripts to execute, which were missing a command to return attitude control to reaction wheels.
  • A total of seventeen software errors, meaning errors in compiled code, algorithms, and data structures, were found.
  • Lack of adherence to procedures and lack of top level procedures were found to contribute to the problem. Suggestions of systems engineers were often ignored, and the original software engineer was no longer consulted about or asked to review code changes.
  • Software and hardware simulators used to test command scripts were found to be inadequate and difficult to use.
  • The effect of stored momentum in liquids (propellant slosh) was ignored by G&C software.
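
The missing cleanup command in the abort scripts is the kind of defect a simple configuration model can catch before a script is uploaded. The following is an added example, not code from the NEAR project or the review board's report: it aborts a burn setup script after every step and checks that the abort script returns every configuration field to its safe value. All command names and state fields are hypothetical.

```python
# Added illustration. Command names and state fields are hypothetical,
# not NEAR's real command set.
SAFE_STATE = {
    "main_engine": "off",
    "thruster_power": "off",
    "tank_valves": "closed",
    "attitude_actuator": "reaction_wheels",
}

# Each command sets one configuration field.
COMMANDS = {
    "OPEN_TANK_VALVES": ("tank_valves", "open"),
    "CLOSE_TANK_VALVES": ("tank_valves", "closed"),
    "THRUSTER_POWER_ON": ("thruster_power", "on"),
    "THRUSTER_POWER_OFF": ("thruster_power", "off"),
    "ATT_CTRL_THRUSTERS": ("attitude_actuator", "thrusters"),
    "ATT_CTRL_WHEELS": ("attitude_actuator", "reaction_wheels"),
    "MAIN_ENGINE_ON": ("main_engine", "on"),
    "MAIN_ENGINE_OFF": ("main_engine", "off"),
}

BURN_SETUP = ["OPEN_TANK_VALVES", "THRUSTER_POWER_ON",
              "ATT_CTRL_THRUSTERS", "MAIN_ENGINE_ON"]
# Constructed abort script with the class of omission the page describes:
# it never hands attitude control back to the reaction wheels.
ABORT_MISSING_RESTORE = ["MAIN_ENGINE_OFF", "THRUSTER_POWER_OFF",
                         "CLOSE_TANK_VALVES"]
ABORT_FIXED = ABORT_MISSING_RESTORE + ["ATT_CTRL_WHEELS"]

def run(script, state):
    """Apply a command script to a copy of the configuration state."""
    state = dict(state)
    for cmd in script:
        field, value = COMMANDS[cmd]
        state[field] = value
    return state

def check_abort(setup, abort, safe=SAFE_STATE):
    """Abort after every prefix of `setup`; list (prefix_len, field, value)
    for each field the abort script leaves outside the safe state."""
    violations = []
    for n in range(len(setup) + 1):
        end = run(abort, run(setup[:n], safe))
        violations += [(n, f, end[f]) for f in safe if end[f] != safe[f]]
    return violations

if __name__ == "__main__":
    print(check_abort(BURN_SETUP, ABORT_MISSING_RESTORE))
    print(check_abort(BURN_SETUP, ABORT_FIXED))
```

The flawed script passes a check that only looks at thruster power, because the configured actuator stays latent until thruster power is next turned on, as it was for the first momentum dump.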

No hardware failures were found. A stuck thruster or a propellant leak was theorized to have caused the lengthy recovery, but simulations showed that this was unlikely.

Conclusion

The NEAR operations team were rewarded for their successful efforts to recover the spacecraft. NEAR Shoemaker was able to continue its mission and was in orbit around 433 Eros. It has since finished its scientific mission and was put to rest on the surface of Eros. NEAR Shoemaker was not designed to land, but was able to return some data to Earth after doing so.


Researched from the NEAR web site, http://near.jhuapl.edu/, and from The NEAR Rendezvous Burn Anomaly of December 1998, final report of the NEAR (Near Earth Asteroid Rendezvous) Anomaly Review Board, available online at http://near.jhuapl.edu/anom/
