Cassini spacecraft´s in-flight Fault Protection redesign for unexpected regulator malfunction

After the launch of the Cassini ?Mission-to-Saturn? Spacecraft, the volume of subsequent mission design modifications was expected to be minimal due to the rigorous testing and verification of the Flight Hardware and Flight Software. For known areas of risk where faults could potentially occur, component redundancy and/or autonomous Fault Protection (FP) routines were implemented to ensure that the integrity of the mission was maintained. The goal of Cassini´s FP strategy is to ensure that no credible Single Point Failure (SPF) prevents attainment of mission objectives or results in a significantly degraded mission, with the exception of the class of faults which are exempted due to low probability of occurrence. In the case of Cassini´s Propulsion Module Subsystem (PMS) design, a waiver was approved prior to launch for failure of the prime regulator to properly close; a potentially mission catastrophic single point failure. However, one month after Cassini´s launch when the fuel & oxidizer tanks were pressurized for the first time, the prime regulator was determined to be leaking at a rate significant enough to require a considerable change in Main Engine (ME) burn strategy for the remainder of the mission. Crucial mission events such as the Saturn Orbit Insertion (SOI) burn task which required a characterization exercise for the PMS system 30 days before the maneuver were now impossible to achieve. This paper details the steps that were necessary to support the unexpected malfunction of the prime regulator, the introduction of new failure modes which required new FP design changes consisting of new/modified under-pressure & over-pressure algorithms; all which must be accomplished during the operation phase of the spacecraft, as a result of a presumed low probability, waived failure which occurred after launch.