
The Failure of a Small Satellite and the Loss of a Space Science Mission

The Failure of a Small Satellite and the Loss of a Space Science Mission. R. Katz, National Aeronautics and Space Administration, Electrical Systems Center, Goddard Space Flight Center. Overview. Background and Introduction. How did the mission* fail? Why did the mission fail? * SMEX/WIRE


Presentation Transcript


  1. The Failure of a Small Satellite and the Loss of a Space Science Mission. R. Katz, National Aeronautics and Space Administration, Electrical Systems Center, Goddard Space Flight Center

  2. Overview • Background and Introduction • How did the mission* fail? • Why did the mission fail? • * SMEX/WIRE • Small Explorer • Wide Field Infrared Explorer

  3. "rk" • Experience: JPL, NASA GSFC • Design Engineer, Electrical • Galileo, Magellan, Cassini, ISTP, SIRTF, MGS, SMEX, etc. • Research and Technology Development • Logic, FPGAs, Radiation, Design Techniques • Reviews, Failure Investigations • Cassini, HST, EOS-AM, AXAF, HETE-2, SIRTF, etc. • Small Explorer WIRE

  4. Failure Examples (Simplified)
     Mission                Cause
     Mars Climate Orbiter   Units
     Mars Polar Lander      1 Line of Missing Software
     Ariane V/501           Operand Error, Unprotected
     Sea Launch             Ground S/W Logic; Valve Config
     Intelsat VI            "Two wires crossed"
     Terriers               Inverted Sign
     IUS 21                 Tape/Thermal Wrap
     Titan IV               Data Entry Error
     SMEX/WIRE              1 Wire, Disable Buffer

  5. Payload/Launcher Success Rates

  6. 1999 Payload Failures • 1. WIRE (NASA) • 2. TERRIERS (Boston University/AeroAstro) • 3. Abrixas (Germany) • 4. SACI 1 (Brazil) •  All Small Scientific Satellites

  7. Small Explorer (SMEX) Program
     Spacecraft   Mass (kg)   Launch Date
     Galileo      2,562       1989
     SMEX         150-300     1992-1999
     SMEX/WIRE    250         1999
     UoSAT-12     325         1999
     SNAP-1       7           2000

  8. Wide-Field Infrared Explorer: Programmatic. PI: JPL. Spacecraft: NASA Goddard Space Flight Center. Instrument: Utah State University - SDL. Launch: Orbital Science Corp. - Pegasus XL. Cost: $75 million. Duration: 4 Months

  9. Wide-Field Infrared Explorer: Technical. Objective: Deep Infrared, Extragalactic Survey. Detectors: Two 128 x 128 Si:As Arrays. Telescope: 30 cm Cassegrain. Cryostat: Solid Hydrogen; Dual Stage 7 K/12 K. Orbit: 540 kilometer

  10. Logic System Overview (block diagram; labels recovered from the figure: Spacecraft, +28V, SPE, SCS, LM117 REG, +5VDC, 200 kHz CRYSTAL OSC, POR PULSE Logic with R, C and 4093B, A1020, Relay, FET, PYRO BOX, ARM, FIRE, PYRO)

  11. WIRE Spacecraft (figure; labels recovered: Aperture Shade, Star Tracker, Modular Solar Array, Composite Spacecraft)

  12. The WIRE Mission
      March 4th: Launch, Vandenberg Air Force Base/L-1011
      T+9 min: Separation Nominal
      T+29 min: Antarctica Pass - Vent Command Xmitted
      T+79 min: NORAD Tracks 3 Objects, Including Cover
      T+99 min: Alaska Pass - Tumbling*
      T+36 Hrs: Cryogen Supply Exhausted
      March 8th: Mission Declared Lost
      * Eventually Spun up to 60 rpm

  13. Loss of Control - Telemetry

  14. Root Cause of Failure (1) The root cause of a failure is the mechanism that directly caused the mishap. Significant contributing causes are events or conditions that could have been used to identify this condition, since the phenomenon was already understood. Contributing factors are other events or conditions that might have prevented the mishap and that should have been done significantly better.

  15. Root Cause of Failure (2) The root cause of the WIRE mission loss is a digital logic design error in the instrument pyro electronics box. The transient performance of components was not adequately accounted for in its design. The failure was caused by two distinct mechanisms that, either singly or in concert, resulted in inadvertent pyrotechnic device firing during the initial pyro box power-up.

  16. Requirements for Failure • Design Error (2) • Errors Not Caught In: • Analysis • Simulation • Design Reviews • Box Level Tests • Instrument Level Tests • Spacecraft Integration Tests • Spacecraft Systems Tests • Final Reviews

  17. SMEX/WIRE System

  18. Why Did WIRE “Spin Up?” • Zero Thrust Vent - a “T.” • Vent Located To Minimize Pressure (Temperature). • One Side of “T” Pointed At Connector. • No Analysis of Exit Design During a Worst-Case Venting Scenario. • ACS Could Not Overcome Force • Spun Up To 60 RPM

  19. "System" Perspective (block diagram; labels recovered from the figure: Spacecraft, Spacecraft Power Electronics, +28V BUS, Spacecraft Computer System (80386/387), Instrument, "PYRO Subsystem", PYRO BOX, +28V, ARM, FIRE, Pyros, Cover, Vent). A 4th level of protection was an arming plug.

  20. Basic Pyro Characteristics • NASA Standard Initiator, Type 1 (NSI-1) • No-Fire: 1 Amp and 1 Watt for 5 minutes • Bridgewire Impedance: ~ 1 Ω • Fire Time: ~ 1 ms @ 5 amps

  21. "Pyro Box" Perspective (block diagram; labels recovered from the figure: Instrument Pyro Box, Power +28V, Logic Signal Arm, Logic Signal Fire, Cover, Vent) • Pulse forming • Timing • Lockouts • Filtering • FPGA - Complex • FSM • Counters • Pyro Box is powered off during launch • Multiple Pyro Functions

  22. Voltage Regulation

  23. Regulator Circuit (schematic: +28V IN to +5V OUT)

  24. EM Regulator Performance (scope trace: +28V input and +5 VDC output, 5 ms/Div)

  25. Logic Design (1): Reset Circuitry and Crystal Clock Oscillator

  26. Flight Oscillator on System Board

  27. Crystal Oscillator Characteristics It is known that crystal oscillators do not start immediately with the application of power. From Horowitz and Hill's The Art of Electronics, 2nd Edition: "... However, because of its high-resonant Q, a crystal oscillator cannot start up instantaneously, and an oscillator in the megahertz range typically takes 5-20 ms to start up; a 32 kHz oscillator can take up to a second (Q = 10^5). ..." • Start up time for oscillators is sometimes not included in the specification. • SMEX/WIRE Class S screening specification did not include a start up time limit.

  28. Example Oscillator Start Time (scope trace: 200 kHz oscillator output and +5 VDC, 1 ms/Div; Power Supply Rise Time = 1 ms for this example)

  29. Summary of Oscillator Start Times

  30. Summary of Oscillator Start Times

  31. Oscillator Startup on WIRE EM (scope trace: +28V, +5V and 200 kHz Oscillator Output, 5 ms/Div; 23 ms start delay annotated)

  32. Logic Analysis, Assuming Random Power Up Of Flip-Flops • Reset Flip-Flops: 3 Flip-Flops; At Least One Must Be A “0” To Be Safe; 7 Chances In 8 • ARMCNT Block: 14 Flip-Flops; All Must Be A “0” To Be Safe; One Chance In 16,384 • TIMECNT Block: 8 Flip-Flops; All Must Be A “0” To Be Safe; One Chance In 256 • Note: Two Sides, P(Failure) ~ 25%
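As an added worked example (not part of the presentation), the following Python reproduces the slide's per-block probabilities for uniformly random flip-flop power-up states and cross-checks them by enumerating every state. The two-side figure rests on an assumption the slide does not spell out: that a side fails when its reset block lands in the 1-in-8 unsafe state, and that the A and B sides power up independently.

```python
from fractions import Fraction
from itertools import product

# Flip-flop counts for one side of the pyro box, as given on slide 32.
RESET_FFS = 3     # safe if at least one flip-flop powers up as "0"
ARMCNT_FFS = 14   # safe only if every flip-flop powers up as "0"
TIMECNT_FFS = 8   # safe only if every flip-flop powers up as "0"


def p_at_least_one_zero(n):
    """P(not all n bits are 1) for independent uniformly random bits: 1 - 2**-n."""
    return 1 - Fraction(1, 2 ** n)


def p_all_zero(n):
    """P(all n bits are 0) for independent uniformly random bits: 2**-n."""
    return Fraction(1, 2 ** n)


def p_safe_by_enumeration(n, is_safe):
    """Brute-force check: fraction of all 2**n power-up states that is_safe accepts."""
    states = list(product((0, 1), repeat=n))
    return Fraction(sum(1 for s in states if is_safe(s)), len(states))


def p_either_side_fails(p_side):
    """P(at least one of two independent sides fails) = 1 - (1 - p)**2."""
    return 1 - (1 - p_side) ** 2


def wire_slide_32():
    """Return the four figures quoted on the slide as exact fractions."""
    reset_safe = p_at_least_one_zero(RESET_FFS)     # 7/8
    armcnt_safe = p_all_zero(ARMCNT_FFS)             # 1/16384
    timecnt_safe = p_all_zero(TIMECNT_FFS)           # 1/256
    # Assumption (not stated on the slide): a side fails when its reset block
    # powers up in the 1-in-8 unsafe state; sides A and B are independent.
    two_sides = p_either_side_fails(1 - reset_safe)  # 15/64, about 23%
    return reset_safe, armcnt_safe, timecnt_safe, two_sides


if __name__ == "__main__":
    reset_safe, armcnt_safe, timecnt_safe, two_sides = wire_slide_32()
    # Closed forms agree with exhaustive enumeration of the power-up states.
    assert reset_safe == p_safe_by_enumeration(RESET_FFS, lambda s: 0 in s)
    assert timecnt_safe == p_safe_by_enumeration(TIMECNT_FFS, lambda s: not any(s))
    print(f"reset block safe:  {reset_safe} ({float(reset_safe):.3f})")
    print(f"ARMCNT safe:       {armcnt_safe}")
    print(f"TIMECNT safe:      {timecnt_safe}")
    print(f"two sides P(fail): {two_sides} ({float(two_sides):.1%})")
```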

  33. Logic Design (2): FPGA Transient Behavior

  34. FPGA and Drivers (block diagram; labels recovered from the figure: +5VDC, +28 VDC, 200 kHz, POR, A1020 FPGA, Relay, FET, PYRO, ARM, FIRE)

  35. FPGA Implementation: Charge Pump And Isolation FETs (diagram; labels recovered: Module Input, Antifuse, HV Isolation FETs, CHARGE PUMP, Module Output)

  36. A1020 Output Transient Overview • Device Architecture Requires HV Isolation FETs ON • Charge Pump Needs Time To Start, Bias HV FETs • I/O May Power-up Uncontrolled • Inputs May Source Current • Outputs May Be Invalid • Truth Tables Not Followed • Documented In Actel App Notes; EEE Links, WWW Site • Not Documented In Data Sheet

  37. Output Transient - Investigation • Flight Pattern Obtained From SDL • Devices Programmed For Bench Test • A1020B’s (3) • Non-flight A1020 (1) • Flight A1020 (2) • Transients Observed On Critical Outputs • Critical Outputs May Be Latched High

  38. A1020 Sample Transient (scope trace: Cover Arm output and VCC, 5 ms/Div; Device Had Been Powered Off For 2 Days)

  39. A1020 FPGA Output Transient Summary • Longer power supply rise times • Increase the probability of the transient • Increase the size of the transient • Quick power cycles tend to eliminate transients • Long power-off times tend to increase the chance of a transient (memory effect). Now it was known how to test the Engineering Model

  40. Failure Demonstration on EM (scope trace: A Side Power Input current, 5 A/Div; intervals of 13.5 msec and 1.6 msec annotated)

  41. Instrument Level Testing: Fidelity of Spacecraft Power Electronics (SPE) Simulation

  42. Relay Operating Characteristics

  43. +28V Bench Power Supply, Instrument Level Testing (scope trace: 10V / Div, 50 ms / Div; annotations: Relay Starts To Operate, Relay Closes, Logic Begins To Function)

  44. Spacecraft Level Testing: Fidelity of Pyrotechnic Simulation

  45. EED Simulator - Input Stage • Easy To “Trip” • Low-Impedance Switched In After Delay

  46. EED Simulator - Delay (scope trace: CURRENT 1 A/Div, +5VDC 2V/Div, 10 ms/Div; 23 ms delay annotated)

  47. Spacecraft Level Testing: Problem Reporting and Analysis

  48. Reporting Mechanism Not Used • Simulator Box Tripped In System Level Tests • Procedure Was To Reset The Simulator • Dispositioned "OK" By Similarity to Previous Mission With Different Hardware Set • Not Troubleshot in Depth • Design Engineer Not Involved • No Failure Report Written • Eliminated Reviews of Failure Report

  49. Conclusions and Points for Discussion

  50. Reviews • Single System Review • Pyro Box Not Ready For Review • Never Reviewed: “Fell Through The Cracks” • Would Reviews Have Prevented Mission Loss? • SDL Engineers Not Familiar With Startup Transient In A1020 Device • Neither Was The Local Actel FAE • Customer Review Board Members? • Makeup Of Review Teams And Depth of Reviews Are Critical
