The post below was sent in by Rosetta Spacecraft Operations Engineer Tiago Francisco, in response to our question: how does Rosetta get shut down upon comet landing?
ITU regulations require us to permanently switch off the craft's radio transmitter at end of mission. Since Rosetta wasn't designed to have its transmitter permanently off, we had to change the on-board software by patching it.
With the software change we created, once the spacecraft hits the surface of the comet, it will trigger an ‘FDIR’ response (Failure Detection, Isolation and Recovery – basically, the core on-board software that reacts when any monitored parameter goes out of limits), which will lead to a ‘safe mode’.
Upon completion of the safe-mode sequence, the spacecraft will be ‘passivated’ by using a specific branch nominally used for ground testing only. In other words, the craft will be placed into a passive, non-reactive mode that was initially designed only for ground testing prior to launch.
This means that all of the attitude and orbit control units will be off, as well as the transmitter.
As of yesterday, the software patch has been installed on board, but is not active. The first step to activate this response is ...