1、Lessons Learned Entry: 1733Lesson Info:a71 Lesson Number: 1733a71 Lesson Date: 2004-02-10a71 Submitting Organization: JPLa71 Submitted by: David Oberhettingera71 POC Name: Donald Sweetnama71 POC Email: Donald.N.Sweetnamjpl.nasa.gova71 POC Phone: 818-354-7771Subject: Genesis Sample Return Mishap (200
2、4) Abstract: The Genesis sample return mishap was attributed to a design error in which the gravity switches that activate the parachute deployment sequence were phased (oriented) incorrectly so that their mechanisms could not detect the atmospheric entry. Mission critical functions should have func
3、tional backups as well as redundant hardware. Ensure that heritage designs that have been modified are fully tested, that design engineers fully understand the system function of their hardware, and that peer reviews of critical functions achieve full fidelity.Description of Driving Event: The missi
4、on of the Genesis spacecraft was to collect solar wind samples and return those samples to Earth for analysis. In September 2004, the spacecraft approached Earth and fired pyros that jettisoned the Sample Return Capsule (SRC). After entering Earths atmosphere, the SRC was expected to open a drogue p
5、arachute, followed by release of the main parachute and the mid-air capture of the SRC by a helicopter. Instead, the pyro event to release the drogue chute did not occur, and the SRC struck the Earth at high speed. This resulted in a loss of some of the science return, but the integrity of the sampl
6、e collectors was maintained sufficiently to achieve mission success. Failure analysis determined that four gravity switches (g-switches)- two switches mounted on each of the two relay modules (Figure 1), each within an SRC Avionics Unit (AU)- were phased incorrectly. That is, they were assembled acc
7、ording to the drawings, but the design placed the switches on both relay boards in the wrong orientation relative to the deceleration force during Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-atmospheric entry (Reference (1). This orientation prev
8、ented the switch mechanism (Figure 2) from closing during the deceleration of the SRC. G-switch closure was required to trigger the critical events needed for the SRCs safe return. The switch design error resulted from modifications to the heritage Stardust Avionics Unit that changed both the orient
9、ation of the circuit boards and the orientation of the switches as they were mounted on each circuit board. These apparently minor design changes constituted a departure from design heritage that necessitated testing. Indeed, the centrifuge test that was performed for Stardust would have detected th
10、e Genesis design error, but the test was not performed because of (1) an erroneous view of the Genesis AU design as Stardust heritage and (2) a 4-month schedule slip in the delivery of the AU for test and verification. The multiple Genesis g-switches within the duplicate Avionics Units provided hard
11、ware redundancy, but not functional redundancy. Hardware redundancy was provided in that both switches needed to close in only one of the AUs. However, an independent pressure switch to sense altitude, or a countdown timer that started when the SRC was released from the spacecraft, would have added
12、a backup function for triggering drogue chute deployment during the entry, descent, and landing (EDL) phase. Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Figure 1 is a black and white photo of a portion of an approximated one foot square circuit b
13、oard. The board is populated with a number of modular and discrete components. Arrows have been added to the image to point to the location and orientation of two identical, cylindrical, G-switches attached to the board. The two piece parts are coplanar to the board, and are 2-inches apart and in-li
14、ne with each other along their long axisFigure 1. G-switch function requires an appropriate orientation (polarity) on the SRC Relay Module. The g-switches are mounted (per print) with the flared end containing the fixed contact (see Figure 2) positioned toward the top of the photo. Provided by IHSNo
15、t for ResaleNo reproduction or networking permitted without license from IHS-,-,-Figure 2 is two black and white images. One is a g-switch? a cylindrical piece part encapsulated in a shiny metal can with a metal lead extending from each end. The piece part is laid next to a pencil, indicating that t
16、he G-switch is about one-half inch long and perhaps 3/16 inch in diameter. The cylinder flares slightly at one end. The second image is an X-ray of an identical G-switch in which the internal workings of the G-switch are visible in shadow. The mechanism includes a dark mass positioned against a spri
17、ng such that a deceleration in the proper direction along the long axis of the part would cause the mass to press against the restraining spring. The outside diameter of both the mass and the spring appear to match the inside diameter of the enclosing cylinder such that the mass could freely slide w
18、ithin the cylinder, subject to the constraining springFigure 2. G-switch views. The X-ray shows a moving contact and spring for sensing deceleration in one direction only. References: a71 (1) Genesis Failure Investigation Report (JPL Failure Review Board, Avionics Sub-team), JPL Publication 2005-2,
19、July 2004. Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-a71 (2) Genesis Mishap Investigation Board Report, National Aeronautics and Space Administration, November 30, 2005.Lesson(s) Learned: 1. Hardware redundancy only adds to design robustness in
20、 the absence of common cause failure modes. 2. An over-reliance on design heritage in identifying essential tests may lead to violations of the “test-as-you-fly, fly-as-you-test“ rule. 3. Technical penetration into the design for a mission critical Genesis EDL sequence was inadequate, as was the tes
21、t program. 4. The peer review of the Genesis modifications to the Stardust Avionics Unit (AU) design was not adequately supported by independent avionics and EDL experts. Recommendation(s): 1. Do not rely solely on hardware redundancy to ensure performance of a mission-critical function, but conside
22、r additional design features that will provide a functional backup. 2. Along with redundancy verification analysis, the test and verification program must fully encompass the potential effects of modifications to heritage designs. The testing methods must be adequate and valid for verifying the prop
23、er function and performance of all system elements necessary to accomplish all mission events in addition to verifying the satisfaction of formal development requirements. 3. Assure that cognizant engineers and subsystem managers fully characterize the design functionality of their unit within the s
24、ystem, as well as assuring that the requirements placed on the unit itself are met. 4. Ensure the fidelity of the peer review process, with functional experts giving special attention to each mission-critical function. Evidence of Recurrence Control Effectiveness: JPL opened Preventive Action Notice
25、 (PAN) No. 1443 on 2/13/06 to initiate and document appropriate Laboratory-wide action on the above recommendations.Documents Related to Lesson: N/AMission Directorate(s): a71 Space Operationsa71 ScienceProvided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,
26、-a71 Exploration SystemsAdditional Key Phrase(s): a71 Program Management.a71 Program Management.Contractor relationshipsa71 Systems Engineering and Analysis.a71 Systems Engineering and Analysis.Engineering design and project processes and standardsa71 Systems Engineering and Analysis.Planning of req
27、uirements verification processesa71 Engineering Design (Phase C/D).a71 Engineering Design (Phase C/D).Spacecraft and Spacecraft Instrumentsa71 Mission Operations and Ground Support Systems.a71 Mission Operations and Ground Support Systems.Mission control Planninga71 Safety and Mission Assurance.a71
28、Safety and Mission Assurance.Product Assurancea71 Safety and Mission Assurance.Review systems and boardsa71 Additional Categories.a71 Additional Categories.Accident Investigationa71 Additional Categories.Aerospace Safety Advisory Panela71 Additional Categories.Flight Equipmenta71 Additional Categori
29、es.Flight Operationsa71 Additional Categories.Ground Operationsa71 Additional Categories.Hardwarea71 Additional Categories.Mishap Reportinga71 Additional Categories.Payloadsa71 Additional Categories.SpacecraftAdditional Info: a71 Project: Genesisa71 Year of Occurrence: 2004Approval Info: a71 Approval Date: 2006-06-30a71 Approval Name: tmasona71 Approval Organization: HQProvided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-
