Lessons Learned Entry: 1493

Lesson Info:
- Lesson Number: 1493
- Lesson Date: 2004-04-27
- Submitting Organization: LARC
- Submitted by: Richard J. Gilbrech

Subject: Ambiguous Fault Tolerance Requirements

Abstract: In November of 2003, the NASA Engineering and Safety Center (NESC) performed an Independent Technical Assessment of the Code Y CALIPSO satellite Proteus propulsion bus (ref. NESC Final Report NESC-RP-001, NASA Technical Memorandum number applied for). This is a joint mission with NASA GSFC, LaRC and the Centre National d'Études Spatiales (CNES) scheduled to launch from Vandenberg Air Force Base in April 2005 on a Delta II rocket. There were many interpretations of which specific document dictated the fault tolerance requirements for the spacecraft. Further, given a specific document, there were divergent conclusions over what the fault tolerance verbiage in each document imposed on the spacecraft design, checkout and operations.

Description of Driving Event: The CALIPSO program involved NASA GSFC, LaRC, KSC Launch Services, CNES, and the Vandenberg Air Force Base Range Office. CNES contributed the Proteus hydrazine-fueled propulsion bus as part of their in-kind contribution. This bus was designed and built by Alcatel Space Industries under subcontract to CNES. Several personnel hazards associated with the Proteus bus formed the basis of the NESC assessment (leakage of hydrazine from threaded A/N fittings, inadvertent thruster firings and leakage of hydrazine through the thrusters). It was accepted by all that the Air Force Eastern and Western Range (EWR) requirements applied (ref. CALIPSO-Tailored Eastern and Western Range 127-1 Safety Regulations, Doc. TP2.LB.0.AQ.1836 ASC dated October 21-22, 2002), but there was confusion over whether NASA Procedural Requirement NPR-8715.3, "NASA Safety Manual", applied as well. Both documents contain sections related to fault tolerance requirements, and there was debate over whether the fault tolerance requirements of either document were satisfied because of ambiguous wording. Even further, an unrelated but similar range safety document (ref. GSFC Wallops Flight Facility Range Safety Manual, RSM-2002) contained wording that seemed to conflict with the GSFC engineering and safety offices' position that threaded fittings are zero fault tolerant.

Lesson(s) Learned: Fault tolerance requirements should be clearly defined in appropriate Agency-level design standards and variance accepted only when accompanied by appropriate risk trades and supporting technical rationale.

Recommendation(s): NASA must establish unambiguous requirements for fault tolerance in an agency level document (e.g., NPR 8715.3) and identify any exceptions.

Evidence of Recurrence Control Effectiveness: N/A

Documents Related to Lesson: NPR 8715.3

Mission Directorate(s):
- Exploration Systems
- Science
- Space Operations
- Aeronautics Research

Additional Key Phrase(s):
- Flight Equipment
- Ground Operations
- NASA Standards
- Program and Project Management
- Range Operations
- Risk Management/Assessment
- Safety & Mission Assurance
- Spacecraft

Additional Info:

Approval Info:
- Approval Date: 2004-05-26
- Approval Name: Leslie Johnson
- Approval Organization: LARC
- Approval Phone Number: 757-864-9409