1、Lessons Learned Entry: 0634Lesson Info:a71 Lesson Number: 0634a71 Lesson Date: 1999-08-12a71 Submitting Organization: JPLa71 Submitted by: M. Landano/ D. Oberhettinger with contributions from E. Herring of NASA/GSFCSubject: Transient Start-up Performance of the WIRE Pyro Electronics (1999) Abstract:
2、 Due to a transient effect, the Wide-Field Infrared Explorer (WIRE) telescope aperture cover was unintentionally ejected when the WIRE pyro electronics box was first powered. The cryogen subsequently vented, resulting in mission loss. Pyro electronics design, such as the use of pyro inhibits, must c
3、onsider transient effects known to occur upon powering of the pyro electronics. Conduct detailed, independent technical peer reviews of the system design, and electronics power turn-on characterization tests that can detect anomalous behavior such as subtle transient events.Description of Driving Ev
4、ent: The Wide-Field Infrared Explorer (WIRE) was declared a loss only a few days after launch. A NASA review board (reference 1) determined that the telescope aperture cover was unintentionally ejected prior to spacecraft attitude stabilization when the WIRE pyro electronics box was first powered. W
5、ithout the thermal protection provided by the cover, the solid hydrogen cryogen essential for operation of the telescope rapidly sublimated and vented.The mission loss is attributed to a pyro electronics box design that did not allow for the known transient performance of components. The control log
6、ic design utilized a synchronous reset to force the logic into a safe state. However, the start-up time of the crystal clock oscillator was not taken into consideration, leaving the circuit in a non-deterministic state for a time sufficient for pyrotechnic actuation. Likewise, the startup characteri
7、stics of the field-programmable gate arrays (FPGAs) were not considered. The FPGAs were not guaranteed to follow their “truth table“ until “started“ by an internal charge pump. The electrical transients initially generated by the FPGAs were not blocked from the driver circuitry of the pyros.Provided
8、 by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Prompted by the failure investigation, circuit analysis and test showed that the turn-on transients are sufficient to produce spurious signals that latch-up the control logic to a state that can issue commands
9、to fire cover release pyros. These anomalous characteristics were not detected during subsystem or system functional testing due to the limited fidelity and detection capabilities of the electrical ground support equipment. There was no system-level end-to-end test in an as-flown configuration.refer
10、 to D descriptionD WIRE Pyro Electronics Startup Characteristics The design error was exacerbated by the failure of a detailed technical review to penetrate the electronic design of the pyro electronics box. Detailed peer review did not extend to the box and its interfaces with the spacecraft. The M
11、ishap Investigation Board concluded that a peer review, held by knowledgeable people, would have identified the turn-on characteristics that led to the failure.Additional Keyword(s): WIRE failure, WIRE instrument electronics (WIE), cover deployment, pyrotechnic device, pyro arming, pyro firing, pyro
12、 circuit, qualification test, test equipment, spurious logic, transient analysis, inadvertent actuation, stray current, sneak circuit, SAFE/ENABLE-RESET, management and planning, system development, subsystem and instrument development, system integration and testReference(s):Provided by IHSNot for
13、ResaleNo reproduction or networking permitted without license from IHS-,-,-1. WIRE Mishap Investigation Board Report, NASA, June 8, 1999.2. Informal Design Reviews Add Value to Formal Design Review Processes, Lesson Learned No. 0582, September 26, 1997.Lesson(s) Learned: 1. Pyro electronics design m
14、ust appropriately consider transient effects known to occur upon powering of the pyro electronics. Pyro inhibits should be considered for mission critical events, particularly if all pyro functions can be simultaneously armed and enabled. Activation should require two separate and independent action
15、s-one to override the inhibit (referred to as “ARM“ or “SAFE/ENABLE-ENABLE“), and another to fire the pyros.2. 3. Detailed, independent technical peer reviews are essential to assess the integrity of the system design, including an evaluation of the system and mission consequences of the detailed de
16、sign and implementation: a. Technical peer reviews for all design elements should be encouraged by project management.b. Peer reviews should consider the capability and limitations of the support equipment to be used for testing the flight design.c. Peer review board members should consistently pene
17、trate the system and subsystem functional design and implementation to expose risk areas, particularly where multiple or complex interfaces exist.4. 5. Ensure adequate fidelity of test and simulation equipment to detect subtle transient events where appropriate. Perform electronics power turn-on cha
18、racterization tests, particularly for applications involving irreversible events, that include testing for anomalous behavior. Testing of power turn-off characteristics may also be important in some applications.Recommendation(s): See lesson(s) learned.Evidence of Recurrence Control Effectiveness: N
19、/ADocuments Related to Lesson: N/AProvided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Mission Directorate(s): a71 ScienceAdditional Key Phrase(s): a71 Flight Equipmenta71 Ground Equipmenta71 Hardwarea71 Mishap Reportinga71 Policy & Planninga71 Spacecraft
20、a71 Test & VerificationMishap Report References: WIRE Mishap Investigation Board ReportAdditional Info: Approval Info: a71 Approval Date: 1999-08-26a71 Approval Name: Carol Dumaina71 Approval Organization: 301-450a71 Approval Phone Number: 818-354-8242Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-
