REG NASA-LLIS-1120-1999 Lessons Learned - International Space Station (ISS) Program Extravehicular Activity (EVA) Simplified Aid for EVA Rescue (SAFER).pdf

《REG NASA-LLIS-1120-1999 Lessons Learned - International Space Station (ISS) Program Extravehicular Activity (EVA) Simplified Aid for EVA Rescue (SAFER).pdf》由会员分享，可在线阅读，更多相关《REG NASA-LLIS-1120-1999 Lessons Learned - International Space Station (ISS) Program Extravehicular Activity (EVA) Simplified Aid for EVA Rescue (SAFER).pdf（3页珍藏版）》请在麦多课文档分享上搜索。

1、Lessons Learned Entry: 1120Lesson Info:a71 Lesson Number: 1120a71 Lesson Date: 1999-02-01a71 Submitting Organization: HQa71 Submitted by: David M. LengyelSubject: International Space Station (ISS) Program/Extravehicular Activity (EVA)/Simplified Aid for EVA Rescue (SAFER) Description of Driving Even

2、t: Redundancy of Safety-Critical Flight SystemsLesson(s) Learned: The NASA Standard Initiator (NSI) on a SAFER unit tested on STS-86 on October 1, 1997, did not activate because of a marginal design of the activating power supply. As a result, the unit could not function. The certification testing f

3、or the firing circuit did not identify the power supply inadequacy. Also, an inadequate NSI emulator was used for most of the original SAFER certification (qualification) and acceptance tests (see also Finding #14).Recommendation(s): 25a. The design and implementation of flight systems critical to s

4、afety and mission success should, at least, provide redundancy for system startup.25b. All NASA Centers should review the design requirements for reliable activation of the NSI and assure they are adequate to be communicated to their suppliers, especially those who are responsible for the design of

5、firing circuits. All designs currently using NSIs should be reviewed to assure that the firing circuits are adequate and have been appropriately tested.25c. Qualification tests of safety-critical equipment must use flight-quality hardware. Any exceptions must require high-level program approval.Evid

6、ence of Recurrence Control Effectiveness: Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-25a. NASA concurs with the ASAP finding that the NSI drive circuit of the USA SAFER was marginal in its design to the point where the drive circuit failed to ac

7、tivate the NSI during a demonstration on STS-86. The failure was due to lack of margin within the subsystem to drive the NSI and not due to lack of redundancy (a backup subsystem) to the subsystem. Adding redundancy (a backup subsystem) to drive the NSI would not resolve the lack of margin as both t

8、he primary and backup subsystems would still fail to drive the NSI without sufficient margin. This condition was addressed by addition of a new NSI circuit with increased margin to fire the NSI on demand. In addition the new NSI contains redundant components where possible. The USA SAFER is categori

9、zed as emergency hardware and is designed for use only after the EVA crewmember had inadvertently separated from structure due to a tether failure or a tether disconnection. The combination of the tether and USA SAFER provide a functional redundancy to each other and a fail-operational system, which

10、 can sustain one failure in the tether (functional after one failure) and still retains the capability to continue with the EVA. A subsequent failure of the tether (two failures) and a functional USA SAFER provide a fail-safe system, which still retains the capability to successfully terminate the m

11、ission by using the USA SAFER to bring the inadvertently-separated EVA crewmember back to safety. Once the USA SAFER is needed to perform self-rescue in its role as the fail-safe device, its failure to perform due to any reason would result in loss of the EVA crewmember. Because the USA SAFER is to

12、provide the fail-safe capability, as the functional redundancy to the tether, it was designed as a single-string system. As such, redundancy was not required for all subsystems and components. Adding redundancy to the activation subsystem alone would not increase the probability of saving an inadver

13、tently separated crewmember since other critical subsystems (propulsion and mechanism) are still single-string. NASA will evaluate redesigning the next generation SAFER to be fully redundant in critical functions.25b. NASA agrees with the ASAP recommendation. The new USA SAFER NSI circuit employs th

14、e capacitive discharge approach which has been well proven by the SSP. Peer reviews were held to evaluate the new circuit design, and a series of tests were performed with the complete flight circuit. Also, the Engineering Directorates Pyrotechnic Subsystem Manager performed a comprehensive review o

15、f all known uses of the NSI to ensure an acceptable design existed and that appropriate certification/acceptance tests had been accomplished. Lastly, a Users Guide (JSC-28596) for the NSI was developed to assist developers in selecting the appropriate NSI, designing the appropriate NSI drive circuit

16、, and testing the complete NSI subsystem.25c. NASA concurs with ASAP recommendation to use flight-quality hardware to support qualification testing. The new USA SAFER circuit certification was completed with the successful firing of 15 flight NSIs consecutively.Documents Related to Lesson: N/AProvid

17、ed by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-Mission Directorate(s): a71 Space Operationsa71 Exploration SystemsAdditional Key Phrase(s): a71 Aerospace Safety Advisory Panela71 Energetic Materials - Explosive/Propellant/Pyrotechnica71 Extra-Vehicular Ac

18、tivitya71 Flight Equipmenta71 Safety & Mission Assurancea71 Test & VerificationAdditional Info: Approval Info: a71 Approval Date: 2002-02-12a71 Approval Name: Bill Loewya71 Approval Organization: HQa71 Approval Phone Number: 202-358-0528Provided by IHSNot for ResaleNo reproduction or networking permitted without license from IHS-,-,-