Lessons Learned Entry: 0637

Lesson Info:
- Lesson Number: 0637
- Lesson Date: 1998-10-21
- Submitting Organization: HQ
- Submitted by: Michael E. Card

Subject: Wide-Field Infrared Explorer (WIRE) Mishap Investigation Board

Description of Driving Event:

[Figure: graphic of the WIRE spacecraft orbiter with labels. Labels read clockwise from the top: aperture shade, instrument, separation ring, composite spacecraft, modular solar array, star tracker.]

The Wide-Field Infrared Explorer mission objective was to conduct a deep infrared, extragalactic science survey. The Wide-Field Infrared Explorer was launched on March 4, 1999, and was observed to be initially tumbling at a rate higher than expected during its initial pass over the Poker Flat, Alaska, ground station. After significant recovery efforts, WIRE was declared a loss on March 8, 1999.

Lesson(s) Learned:

The WIRE Mishap Review Board has determined that the telescope instrument cover was ejected earlier than planned and at approximately the time the WIRE pyro electronics box was first powered on. The instrument's solid hydrogen cryogen supply started to sublimate faster than planned, causing the spacecraft to spin up to a rate of sixty revolutions per minute over the twelve hours following the opening of the secondary cryogen vent. Without any solid hydrogen remaining, the instrument could not perform its observations.

The root cause of the WIRE mission loss is a digital logic design error in the instrument pyro electronics box. The transient performance of components was not adequately considered in the box design. The failure was caused by two distinct mechanisms that, either singly or in concert, result in inadvertent pyrotechnic device firing during the initial pyro electronics box power-up. The control logic design utilized a synchronous reset to force the logic into a safe state. However, the start-up time of the Vectron crystal clock oscillator was not taken into consideration, leaving the circuit in a non-deterministic state for a time sufficient for pyrotechnic actuation. Likewise, the startup characteristics of the Actel A1020 FPGA were not considered. These devices are not guaranteed to follow their “truth table” until an internal charge pump “starts” the part. These uncontrolled outputs were not blocked from the pyrotechnic devices' driver circuitry. There has been no evidence or indication of any component failure, although component failures were considered in the investigation.

A significant contributing cause of the anomaly was the failure to identify, understand, and correct the electronic design of the pyro electronics box. Design errors in the circuitry, which controlled pyro functions, were not identified. The pyro electronics box design was not peer reviewed, and other system reviews conducted by the instrument design organization did not focus on the electronics box. At the time the Systems Design Review was conducted for WIRE, the design of the pyro electronics box was not completed. It is the assessment of the WIRE Mishap Investigation Board that a peer review held during the design process, by people with knowledge of and expertise regarding pyro circuit design, would have identified the turn-on characteristics that led to failure.

A large number of failure scenarios were evaluated during the investigation to determine the cause of the cover ejection. These included pre-launch, launch, powered flight, separation, software, operations, design and component reliability faults. Based on comprehensive, systematic review of data, it was determined the cover was most likely ejected at the time the WIRE pyro electronics box was turned on due to a transient condition that exists in the pyro electronics during startup. This transient condition is the direct result of the non-deterministic initialization of a Field-Programmable Gate Array (FPGA) that controls both the arming and firing circuits in the pyro electronics.

Although some design attention was given to the startup behavior of the FPGA, the design contained unidentified idiosyncrasies that triggered the cover ejection.
The system design did not contain sufficient start-up lockout protection or independent provisions to prevent the FPGA startup operation from propagating to the firing circuits.

The anomalous characteristics of the pyro electronics unit were not detected during subsystem or system functional testing due to the limited fidelity and detection capabilities of the electrical ground support equipment. Post-flight circuit analyses conducted as part of the failure investigation have predicted the existence of the anomaly, and it has been reproduced confidently using engineering model hardware.

Recommendation(s):

1. Independent, separate pyro inhibits should be considered for mission critical events, particularly if all pyro functions can be simultaneously armed and enabled. Hence, activation of a pyro event would require two separate actions: one separate action to enable the inhibit and another to fire the pyros. This approach would preclude spurious transient pyro firings during turn-on and preclude sympathetic firings induced by sneak path and/or crosstalk/magnetic field interactions that may occur in cabling.
2. Testing only for correct functional behavior should be augmented with a significant effort in testing for anomalous behavior, especially during initial turn-on and power-on reset conditions.
3. Peer reviews should be required by Project Management and held as often as necessary.
4. Peer reviews should consider the heritage capability and limitations of the support equipment to be used for testing the flight design.
5. Project review board members should consistently penetrate the system and subsystem functional design and implementation to expose risk areas, particularly where multiple/complex interfaces exist. Reviews should fully define spacecraft and payload interface requirements, and have a cognizant systems person from each program element review the other person's test program and payload/spacecraft simulators for fidelity.
6. System and subsystem engineers should consistently evaluate functional designs and implementation to expose risk areas, particularly where multiple/complex interfaces exist. Projects with multiple components, i.e. spacecraft bus and a separate instrument, require complete team cooperation, openness, and the ability to penetrate and understand each other's design responsibilities in a timely manner.

Evidence of Recurrence Control Effectiveness: N/A

Documents Related to Lesson: N/A

Mission Directorate(s):
- Science

Additional Key Phrase(s):
- Energetic Materials - Explosive/Propellant/Pyrotechnic
- Flight Operations
- Flight Equipment
- Hardware
- Mishap Reporting
- Policy & Planning
- Research & Development
- Risk Management/Assessment
- Spacecraft
- Test & Verification

Mishap Report References: WIRE Mishap Investigation Board Report

Additional Info:

Approval Info:
- Approval Date: 1999-11-02
- Approval Name: Eric Raynor
- Approval Organization: QS
- Approval Phone Number: 202-358-4738
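
The two start-up mechanisms named under Lesson(s) Learned and the independent inhibit of Recommendation 1, as a worst-case timing model. This is an added example, not part of the NASA entry or the WIRE design; the entry gives no timing figures, so every value, name and the `inhibit_release` parameter below are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PowerUp:
    """Power-up timings in microseconds. All values used below are constructed."""
    osc_start: int                          # first usable clock edge from the oscillator
    pump_start: int                         # FPGA charge pump started; outputs follow the logic
    pyro_fire: int                          # continuous drive needed to actuate the pyro
    inhibit_release: Optional[int] = None   # independent inhibit lifted; None = no inhibit

def fpga_fire_output(cfg: PowerUp, t: int):
    """FPGA fire output at time t: 'X' = undefined, 0 = held in the safe state."""
    if t < cfg.pump_start:
        return "X"   # part not started, truth table not guaranteed
    if t < cfg.osc_start:
        return "X"   # synchronous reset cannot act before a clock edge arrives
    return 0         # reset has been clocked in, no fire command issued

def driver_input(cfg: PowerUp, t: int):
    """Signal at the pyro driver after the optional inhibit (separate hardware)."""
    if cfg.inhibit_release is not None and t < cfg.inhibit_release:
        return 0     # inhibit blocks whatever the FPGA emits
    return fpga_fire_output(cfg, t)

def worst_case_drive(cfg: PowerUp, horizon: int = 200_000, step: int = 100) -> int:
    """Longest continuous time the driver may be asserted, treating X as 1."""
    longest = run = 0
    for t in range(0, horizon, step):
        run = run + step if driver_input(cfg, t) in ("X", 1) else 0
        longest = max(longest, run)
    return longest

def fires_at_power_up(cfg: PowerUp) -> bool:
    return worst_case_drive(cfg) >= cfg.pyro_fire

def earliest_safe_release(cfg: PowerUp) -> int:
    """The inhibit must outlast both start-up mechanisms."""
    return max(cfg.osc_start, cfg.pump_start)

# Constructed cases: no inhibit, inhibit lifted too early, inhibit lifted after start-up.
NO_INHIBIT = PowerUp(osc_start=20_000, pump_start=8_000, pyro_fire=5_000)
EARLY = PowerUp(20_000, 8_000, 5_000, inhibit_release=10_000)
LATE = PowerUp(20_000, 8_000, 5_000, inhibit_release=100_000)

if __name__ == "__main__":
    for name, cfg in [("no inhibit", NO_INHIBIT), ("early", EARLY), ("late", LATE)]:
        print(name, worst_case_drive(cfg), fires_at_power_up(cfg))
```

The `EARLY` case shows that an inhibit only helps if it is held past the end of the undefined window, which is the kind of anomalous turn-on condition Recommendation 2 asks test programs to exercise.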