1、Lessons Learned Entry: 1620Lesson Info:a71 Lesson Number: 1620a71 Lesson Date: 2005-08-29a71 Submitting Organization: JPLa71 Authored by: Doug ClarkSubject: Deep Impact Reiterates the Need for Peer Review and Contractor Oversight Abstract: The over-current detection scheme for Deep Impact spacecraft
2、 heater circuitry failed to detect an over-current condition during ground test due to an inadequate circuit design and test design. The root cause was inadequate contractor oversight and peer review. The lessons learned from the MCO mission loss on the value of detailed technical review and contrac
3、tor oversight must be re-emphasized, and test configurations should be subjected to FMEA and feature positive controls limiting electrical current. Description of Driving Event: During a test by a contractor on the heater circuitry in a Thermal Interface Board (TIB) for the Deep Impact Impactor, a g
4、round support equipment (GSE) switch stuck in the closed position. This caused an opto-isolated field effect transistor (FET) switch (Figure 1) to fail in the ON condition (Reference (1). The TIB controls the heaters for the spacecraft panels, NiH battery, and thrusters, and it is located in the Rem
5、ote Interface Unit (RIU), an assembly (Figure 2) that routes commands to, and data from, the flight instruments. Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-The GSE switch was a momentary switch mounted on a GSE test box. Its purpose was to short
6、 the output of the FET switch to ground to verify that the heater over-current detection circuitry and the field programmable gate array (FPGA) could detect a short and shut off the heater. A defect in the GSE switch is suspected to have caused repeated cycles of intermittent contact that kept the i
7、nput voltage above the over-current sense voltage level that would have caused the FPGA to trigger a shutdown of the FET switch. In-flight failure or unintentional turn-off of an FET switch (optocoupler) in the TIB controlling the heaters could cause severe under-temperature conditions with catastro
8、phic results. Both the TIB over-current detection circuit and the test configuration were poorly designed by a subcontractor to the JPL system contractor. There was very limited oversight by JPL or by the system contractor, with only one-half of a JPL engineers time assigned to monitoring developmen
9、t and test of the Command & Data Handling Subsystem. In addition, a detailed technical review of the circuit schematic performed by engineers with the appropriate expertise would have identified the design error, and a failure mode and effects analysis (FMEA) of the test configuration (Reference 2)
10、would have shown the absence of current-limiting GSE to protect the flight hardware. The value of detailed technical reviews at the assembly and subsystem levels was well established by the JPL Mars Pathfinder project, and JPL took corrective action several years later to require mandatory peer revi
11、ews (Reference 3) and contractor surveillance (Reference 4) in the wake of the JPL Mars Climate Orbiter mission loss. References1. JPL Problem/Failure Report No. Z79614, February 27, 2003.2. “Flight Hardware Damage Due to Inadequate Test Planning and Insufficient QA Involvement,” LLIS No. 1201, NASA
12、 Lesson Learned Information System (LLIS), January 1, 2002.3. JPL Corrective Action Notice No. Z66277, “MCO-JPL/SRB Finding #4.11 (Technical Reviews),” November 23, 1999.4. JPL Corrective Action Notice No. Z69129, “IG Report/Stephenson Report: Subcontractor Performance,” April 28, 2000. 5. “Current
13、Limitation is Necessary for All Uses of Power Supplies,” LLIS No. 1358, NASA Lesson Learned Information System (LLIS), July 29, 2003. Additional Key Words: opto-coupler, test-induced failure, test damage, design error, overcurrent detection, overcurrent protection Lesson(s) Learned: 1. Although NASA
14、 recognizes the value of contractor surveillance and detailed technical review (including peer review) of in-house and contractor designs, there is a tendency to sacrifice these functions on cost-capped projects. 2. A design that allows any GSE component failure to propagate to flight hardware or ot
15、her critical equipment is unacceptable. In this case, a failed GSE switch caused a flight component to fail. Recommendation(s): 1. Assure that adequate funding and provisions for detailed technical review and NASA surveillance of Provided by IHSNot for ResaleNo reproduction or networking permitted w
16、ithout license from IHS-,-,-contractors are included in project proposals, project implementation plans, and contracts. 2. Perform adequate analysis (FMEA etc.) of test equipment (GSE, Bench Test Equipment, etc.) to ensure that no test-setup failure propagates to critical equipment under test. Evide
17、nce of Recurrence Control Effectiveness: JPL opened Preventive Action Notice (PAN) No. Z87371 on August 30, 2005 to initiate and document appropriate Laboratory-wide action on the above recommendations. Documents Related to Lesson: “Flight Project Practices, Rev. 5,” JPL DocID 58032, February 27, 20
18、03, Paragraph 5.16.10 (Reviews).Mission Directorate(s): a71 Exploration Systemsa71 Sciencea71 Aeronautics Researcha71 Space OperationsAdditional Key Phrase(s): a71 Flight Equipmenta71 Ground Equipmenta71 Ground Operationsa71 Hardwarea71 Payloadsa71 Spacecrafta71 Test & Verificationa71 Test ArticleAdditional Info: Approval Info: a71 Approval Organization: JPLProvided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-
