scope:

Abstract:

When a new mission software release was uploaded to the spacecraft, the inflight upload failed to include a software patch that had been written to fix a defective countdown timer. Because an independent "watchdog timer" was planned, but never implemented due to constrained project resources, the thrusters continued to fire after the desired shutdown time and the mission was terminated. Recommendations centered on the need for rigorous software configuration management, a watchdog timer to terminate operations, and testbed verification of in-flight software updates.