Mars lander spacecraft, beginning with Mars Pathfinder (MPF), have been designed to tolerate flight computer resets during the entry, descent, and landing (EDL) phase despite having only a single flight computer. This capability was enabled by a predictable, nondynamic EDL architecture. The Mars Science Laboratory (MSL) spacecraft has a highly dynamic EDL architecture as well as dual flight computers, adding more complexity to EDL flight software fault tolerance.
To take advantage of the dual flight computers in MSL, a new flight software system called Second Chance (SECC) was developed to provide tolerance to flight computer and flight software faults during EDL. The SECC flight software was designed to track the execution of the primary flight software during EDL, and to take control of the spacecraft and complete EDL upon detection of a primary flight computer reset.
This was a challenging problem due to three critical design drivers. First, the presence of SECC on the backup computer was required to be completely transparent to the primary flight software. Second, the primary flight software provided only limited information about its execution to the backup flight software, and no changes could be made to the primary flight software.
Lastly, because of the breadth of the spacecraft state space that had to be considered and the real-time execution constraints, algorithms had to be developed to re-establish control of the vehicle from any realistic combination of states, as quickly as possible. These algorithms model the current state of the primary flight software from a variety of inputs, and map the estimated state into the set of actions that must be taken to gain control of the spacecraft and complete EDL after a primary flight software reset at any moment.
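The state-tracking and action-mapping scheme described above, reduced to a minimal shadow tracker, as an added example in C. It is not code from the paper or from the MSL SECC flight software, and every specific in it is an assumption: the primary is assumed to publish a small status record (its clock, current phase, and a counter that increments on each reboot) every 100 ms, the EDL phase names and nominal durations are made up, and the action set is illustrative. The tracker consumes only what the primary publishes, never talks back to it (transparency), declares a reset either when the counter jumps or when the primary falls silent, and, since the vehicle keeps descending whether or not the primary is alive, extrapolates its phase estimate along the nominal timeline once the primary is lost so that the action set it hands the takeover logic matches where the vehicle should be now rather than where the primary was last heard.

```c
#include <stdbool.h>
#include <stdint.h>

/* Illustrative EDL phases in order; names and the nominal durations below are
 * hypothetical, not MSL values. */
enum phase { PH_PRE_ENTRY, PH_ENTRY, PH_PARACHUTE, PH_POWERED, PH_LANDED, PH_COUNT };

/* Nominal time spent in each phase (ms); used only to extrapolate the estimate
 * after the primary is lost. 0 marks the terminal phase. Made-up values. */
static const uint32_t NOMINAL_MS[PH_COUNT] = { 60000, 240000, 100000, 60000, 0 };

/* Assumed: the primary publishes a status record every 100 ms. */
#define HEARTBEAT_TIMEOUT_MS 500u

/* The limited information assumed to be available from the primary. */
struct status_msg { uint32_t tick_ms; uint8_t phase; uint8_t reset_count; };

struct tracker {
    uint32_t last_msg_ms;      /* backup clock when the last status arrived */
    uint32_t phase_start_ms;   /* backup clock when the estimated phase began */
    uint8_t  est_phase;
    uint8_t  last_reset_count;
    bool     in_control;       /* backup has taken over; primary now ignored */
};

/* Actions the backup must perform on takeover, as a bitmask. Illustrative. */
enum action {
    ACT_ASSUME_CONTROL = 1u << 0,   /* claim the actuator/bus interfaces */
    ACT_RESEED_NAV     = 1u << 1,   /* rebuild navigation state from sensors */
    ACT_ARM_PARACHUTE  = 1u << 2,
    ACT_ARM_POWERED    = 1u << 3,
    ACT_SAFE_HOLD      = 1u << 4,   /* already landed: hold the safe state */
};

void tracker_init(struct tracker *t, uint32_t now_ms, uint8_t reset_count)
{
    t->last_msg_ms = now_ms;
    t->phase_start_ms = now_ms;
    t->est_phase = PH_PRE_ENTRY;
    t->last_reset_count = reset_count;
    t->in_control = false;
}

/* Ingest one primary status record received at backup time now_ms.
 * Returns true if this record reveals a primary reset. */
bool tracker_observe(struct tracker *t, uint32_t now_ms, const struct status_msg *m)
{
    if (t->in_control)                       /* already took over: ignore */
        return false;
    if (m->reset_count != t->last_reset_count) {
        t->in_control = true;                /* reset counter jumped */
        return true;
    }
    if (m->phase != t->est_phase) {          /* primary advanced a phase */
        t->est_phase = m->phase;
        t->phase_start_ms = now_ms;
    }
    t->last_msg_ms = now_ms;
    return false;
}

/* Advance the estimate to now_ms. A silent primary is declared reset after
 * HEARTBEAT_TIMEOUT_MS; from then on the phase estimate follows the nominal
 * timeline. Returns true once the backup is in control. */
bool tracker_tick(struct tracker *t, uint32_t now_ms)
{
    if (!t->in_control && now_ms - t->last_msg_ms > HEARTBEAT_TIMEOUT_MS)
        t->in_control = true;
    if (t->in_control) {
        while (NOMINAL_MS[t->est_phase] != 0 &&
               now_ms - t->phase_start_ms >= NOMINAL_MS[t->est_phase]) {
            t->phase_start_ms += NOMINAL_MS[t->est_phase];
            t->est_phase++;
        }
    }
    return t->in_control;
}

/* Map the estimated state to the set of actions needed to complete EDL. */
unsigned actions_for(const struct tracker *t)
{
    unsigned a = ACT_ASSUME_CONTROL | ACT_RESEED_NAV;
    switch (t->est_phase) {
    case PH_PRE_ENTRY:
    case PH_ENTRY:      a |= ACT_ARM_PARACHUTE | ACT_ARM_POWERED; break;
    case PH_PARACHUTE:  a |= ACT_ARM_POWERED; break;
    case PH_POWERED:    break;
    default:            a = ACT_SAFE_HOLD; break;
    }
    return a;
}
```

Two details matter for the fail-over to be safe. A primary that reboots mid-EDL will come back announcing the first phase; the tracker treats the counter jump as the takeover trigger and ignores everything the primary says afterwards, so a freshly rebooted primary cannot drag the estimate backwards. And the extrapolation is deliberately gated on the primary being lost: while the primary is alive, its reported phase is authoritative, and running the nominal clock against a live primary would let the estimate race ahead of reality.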