Cassini spacecraft post-launch malfunction correction success

After the launch of the Cassini “Mission-to-Saturn” Spacecraft, the volume of subsequent mission design modifications was expected to be minimal due to the rigorous testing and verification of the Flight Hardware and Flight Software. For known areas of risk where faults could potentially occur, component redundancy and/or autonomous Fault Protection (FP) routines were implemented to ensure that the integrity of the mission was maintained. The goal of Cassini´s FP strategy is to ensure that no credible Single Point Failure (SPF) prevents attainment of mission objectives or results in a significantly degraded mission, with the exception of the class of faults which are exempted due to low probability of occurrence. In the case of Cassini´s Propulsion Module Subsystem (PMS) design, a waiver was approved prior to launch for failure of the prime regulator to properly close; a potentially mission catastrophic single point failure. However, one month after Cassini´s launch when the fuel and oxidizer tanks were pressurized for the first time, the prime regulator was determined to be leaking at a rate significant enough to require a considerable change in Main Engine (ME) burn strategy for the remainder of the mission. Crucial mission events such as the Saturn Orbit Insertion (SOI) bum task which required a characterization exercise for the PMS system 30 days before the maneuver were now impossible to achieve. This details the steps necessary to support the unexpected malfunction of the prime regulator, the introduction of new failure modes which required new FP design changes consisting of new/modified under-pressure and over-pressure algorithms; all which must be accomplished during the operation phase of the spacecraft, as a result of a presumed low probability waived failure which occurred after launch.