Safe mode (spacecraft)


Safe mode is an operating mode of a modern spacecraft during which all non-essential systems are shut down and only essential functions such as thermal management, radio reception and attitude control are active.
Safe mode is entered automatically upon the detection of a predefined operating condition or event that may indicate loss of control or damage to the spacecraft. Usually the trigger event is a system failure or detection of operating conditions considered dangerously out of the normal range. Cosmic rays penetrating spacecraft electrical systems can create false signals or commands and thus cause a trigger event. The central processor electronics are especially prone to such events.
Another trigger is the lack of a received command within a given time window. Lack of received commands can be caused by hardware failures or mis-programming of the spacecraft, as in the case of the Viking 1 lander.
The process of entering safe mode, sometimes referred to as safing, involves a number of immediate physical actions taken to prevent damage or complete loss. Power is removed from non-essential subsystems. Regaining attitude control, if lost, is the highest priority because it is necessary to maintain thermal balance and proper illumination of the solar panels. A tumbling or cartwheeling spacecraft can quickly roast, freeze or exhaust its battery power and be lost forever.

In safe mode

While in safe mode the preservation of the spacecraft is the highest priority. Typically all non-essential systems, such as science instruments, are shut down. The spacecraft attempts to maintain orientation with respect to the Sun for illumination of solar panels and for thermal management. The spacecraft then awaits radio commands from its mission control center monitoring for signals on its low-gain omnidirectional antenna. Exactly what happens while in safe mode is dependent on the spacecraft design and its mission.
Recovery from safe mode involves reestablishing communication between the spacecraft and mission control, downloading any diagnostic data and sequencing power back on to the various subsystems to resume the mission. The recovery time can be anywhere from a few hours to days or weeks depending on the difficulty in reestablishing communications, conditions found on the spacecraft, distance to the spacecraft and the nature of the mission.

Overriding normal safe mode behavior

Normal safe mode operation can sometimes be overridden. A spacecraft's ability to enter safe mode may be suppressed during crucial spacecraft operations, during which – if a critical failure were to occur – most, if not all, of the mission objectives would be lost anyway. On occasion, a spacecraft is placed in safe mode deliberately by mission control, as the Spirit rover was on sol 451.

Modern incidents

;2005
;2007
;2009
;2014
;2015
;2016
;2018