"That one\´s gotta work" Mars Odyssey\´s use of a fault tree driven risk assessment process

The Odyssey project was the first mission to Mars after the failures of Mars Climate Orbiter and Mars Polar Lander. In addition to incorporating the results of those failure review boards and responding to external "Red Team" reviews, the Odyssey project itself implemented a risk assessment process. This paper describes that process and its use of fault trees as an enabling tool. These trees were used to break the mission down into the functional elements needed to make it a success. By determining how each function could be prevented from executing, a list of failure modes was created. Each fault was individually assessed as to what mitigations could prevent the fault from occurring, as well as what methods should be used to explicitly verify that mitigation. Fault trees turned out to be an extremely useful tool in both identifying risks as well as structuring the development of mitigations.