An Approach to Fault Management Design for the Proposed Mars Sample Return EDL and Ascent Phase Architectures

The Mars Sample Return (MSR) campaign aims to bring Martian regolith samples back to Earth. JPL is currently developing the Sample Retrieval Lander (SRL) to receive the samples collected by the Perseverance rover and launch them into Mars orbit using a Mars Ascent Vehicle (MAV) for future Earth return. The telecommunications delay from Earth to Mars requires autonomy on-board the spacecraft for different phases of the mission like Entry, Descent \& Landing (EDL) and MAV Launch given limited possible operator intervention. Fault protection (FP) encapsulates these autonomous system behaviors, which aim to protect the spacecraft by limiting or detecting and responding to anomalies. In order to provide sufficient coverage to the possible faults a system may encounter, multiple FP analyses are needed to identify and analyze the fault set of a system to guide future design iterations. This thesis focuses on three tools: Fault Containment Region (FCR), Failure Mode Effects \& Criticality Assessment (FMECA), and Fault Tree Analysis (FTA). FCRs are used to identify the boundaries at which faults can occur and propagate in a system, making them useful tools for defining functional boundaries in a system and identifying areas that are single-string, or have no redundancy. FMECAs and FTAs use a bottoms-up and top-down approach, respectively, to identify possible faults and the associated consequences and impacts of each anomaly; together, these tools provide a comprehensive fault set to be used in FP architecture design. Using these tools demonstrates how FP design factors into engineering trades – monitoring or additional redundancy adds additional cost and complexity – and thus the results of these analyses need to be used iteratively with the system design to determine the best approach. As such, it’s shown that a majority of EDL and MAV Launch elements are single-string, and while there are opportunities of adding redundancy in EDL sensors, there are few options for MAV Launch given its engineering constraints. While both phases have little redundancy, the option space for EDL is better known given JPL’s multiple successful past landings. Future work should conceptualize possible areas of added redundancy to the MAV to lower overall mission risk.