1、Lessons Learned Entry: 0312Lesson Info:a71 Lesson Number: 0312a71 Lesson Date: 1994-03-24a71 Submitting Organization: JPLa71 Submitted by: M. P. ZydowiczSubject: ACTS Pyro Separation Band Anomaly (Shuttle Orbiter) Abstract: Minor damage to the Shuttle was caused when the firing of the primary explos
2、ive cord to deploy the payload from the cargo bay also triggered the backup cord. End-to-end system tests had validated the erroneous design rather than the end function. Document electrical-mechanical interfaces, protect hazardous systems against any possible unintended operation, and consider use
3、of a single cord configuration.Description of Driving Event: During the successful deployment of the ACTS/TOS Payload from the STS-51 cargo bay on September 12, 1993, the “SUPER*ZIP“ pyrotechnic separation joint ruptured, producing debris that caused minor damage. Two explosive cords were initiated
4、and operated in the subsystem (when functioning of one cord was desired), causing considerably more energy to be imparted into this subsystem, resulting in the rupture of the containment tube, doubler plates, lead sheathing, silicone rubber extrusion and in the emission of carbon particles (smoke).
5、One affected plate penetrated through the shuttle orbiter aft bulkhead insulation blanket and punctured a 1/8 x 1/2 inch hole in the aft bulkhead. Flight/crew critical equipment exists immediately behind the bulkhead. Other debris caused at least nine small tears in cargo bay insulation blankets, th
6、ree gouges in wire tray covers and possibly a gouge in a thermal protection system tile.The primary cause of the separation system anomaly was a circuit design error, which resulted in firing one end of both the primary and back-up cords, rather than firing both ends of the primary cord. The direct
7、cause of the design error could not be determined. This embedded error remained undetected throughout a series of comprehensive requirements, design and certification reviews and systems tests with wide participation by both the government and contractors. The end-to-end system tests, end-to-end ver
8、ification Ground Support Equipment (GSE), and procedures were established in Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-a manner that validated the erroneous design rather than the end function. This was due in part because of lack of adequate s
9、ystems engineering in the TOS program and because the SUPER*ZIP end-to-end drawings were spread among several individual drawings and never aggregated into a single end-to-end functional electrical/mechanical schematic.Lesson(s) Learned: End-to-end system checks should be performed to verify proper
10、connection, wiring, signal level and function. If necessary, as in the case of pyrotechnic circuits, simulators should be used.Recommendation(s): 1. Develop end-to-end schematics/diagrams for electrical mechanical interfaces including software driven interfaces.2. Require that potentially hazardous
11、systems have demonstrated protection against any possible unintended operation.3. Consider use of a single cord configuration which will prevent this type of event.Evidence of Recurrence Control Effectiveness: N/ADocuments Related to Lesson: N/AMission Directorate(s): N/AAdditional Key Phrase(s): a7
12、1 Configuration Managementa71 Hazardous/Toxic Waste/Materialsa71 Test & VerificationAdditional Info: Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Approval Info: a71 Approval Date: 1994-03-22a71 Approval Name: Carol Dumaina71 Approval Organization: 125-204a71 Approval Phone Number: 818-354-8242Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-
