An Advanced Weapon and Space Systems Company

Lessons Learned: STRV 1c/d Mission

Keith AveryATK Mission Research

5001 Indian School Rd. NEAlbuquerque, NM 87110Keith.Avery@ATK.com

2MAPLD 2004/Avery

Introduction

My Role in the ProgramElectronic TestBed (ETB)Multiple RolesSingle Point of Failure

What can be Learned?

3MAPLD 2004/Avery

Background

Mission

QinetiQ (then the UK Defence Evaluation and Research Agency – DERA) designed and built the Space Technology Research Vehicles (STRV-1c and –1d) during the latter part of the 1990s. These were 100kg micro-satellites that carried between them 25 different experiments and payloads from a wide variety of international sponsoring organizations.

They followed on from the highly successful STRV-1a and –1b programme that culminated in their launch in 1994 into Geostationary Transfer Orbit (GTO) as auxiliary passengers on an Ariane-4 launcher. Designed for only one year of operations, both vehicles continued for 4 years in the harsh environment of GTO before the programme partners decided to shut them down. Among their notable achievements was the first demonstration of a tactical cryo-cooler in space and a comprehensive mapping of the electron and proton fluxes in the Van Allen Radiation Belts.

STRV-1c and –1d were launched as auxiliary passengers on an Ariane-5 in November 2000, again into GTO. After two weeks of successfully commissioning all subsystems and experiments on both spacecraft, and immediately prior to announcing the start of routine operations, telemetry from both spacecraft indicated a serious problem.

4MAPLD 2004/Avery

Background

Orbit Parameters

Equator

p+

e--

7.5 o Inclination

Apogee 36,000 kmOrbital Period

~ 10.5 hours

5MAPLD 2004/Avery

Background – Spacecraft

Spacecraft Design

6MAPLD 2004/Avery

Things Go Right – The Program

•QinetiQ, its suppliers and its sponsors • Brought together 25 different

experiments from academic, government and industry sponsors based around the world

• All were successfully integrated into 2 spacecraft that were launched together.

• Payloads were all fully commissioned on orbit. This was a huge management and technical undertaking, requiring a delicate balance of all the disparate technical and political requirements.

• STRV-1c and –1d were the first spacecraft to fly as auxiliary passengers on an Ariane-5 • New launch vehicle with a new

auxiliary platform • Introduced difficult and changing

launch requirements • Difficult design issues with the

structural qualification process were overcome.

•Robustness of the system was demonstrated • The onboard data handling, attitude control

and thermal control all performed flawlessly, as did the ground segment and S-band station at QinetiQ.

•Great success in terms of the cost • In 2000 economic conditions, the entire

programme cost less than 15M$ and took less than 4 years of design and development time to launch.

•Cause of the failure identified • Not typically the case

Despite the mission loss the programme was a success in many other respects:

7MAPLD 2004/Avery

Things Go Wrong – On Orbit

•Problem same for both vehicles•S/C rendered incapable of receiving commands • Receivers without power•Systematic issue not random failures•Obvious candidates discounted quickly•Spacecraft designed to be fully dual-redundant •Subsequent on-ground investigations using flight spare equipment replicated anomaly after two weeks in vacuum chamber• Tiny relay inside the communications equipment

burned out• Could not cause the inability to communicate

through either receiver by itself• Power system architecture meant both receivers

powered down as result of excessive current drawn by failed component

• Failed component found to be driven with a continuous rather than pulsed signal • Does not cause the device to fail when used in

air• Absence of convective heating in space

causes the device to fail after approximately 2 weeks of operations

• Failure not detected during the months of in-air testing

• Failure not detected during thermal vacuum tests • Total duration of these tests was insufficient to

cause the onset of the failure

•Options for recovery• System reset of the spacecraft triggered by

• Single event upset (SEU) in the main computer• SEU probability was extremely low

• Software crash (and automatic reset) • Software crash was not observed for

the 6 months • Power bus outage

• Drift of the solar aspect angle (and loss of power from the solar arrays)

• Residual torques on spacecraft did not significantly change SAA over the course of 6 months

• Power design had sufficient margin to prevent an outage from occurring

8MAPLD 2004/Avery

Things Go Wrong – The Result

The spacecraft were formally declared lost after 6 months of observations and attempts to re-establish communications. Throughout this time, telemetry continued to indicate that all onboard systems were healthy, with the one catastrophic exception.

9MAPLD 2004/Avery

Learning Experience – Lessons

•Combination of events led to the mission loss• Component knowledge• Architecture design decisions • System engineering • Project management

•Program unable to uncover problem during development despite usual sequence of independent reviews and many layers of testing •Multiple event nature of problem and depth hidden •Lessons learned here not necessarily new or Earth-shattering

•Thoroughly consider the system failure modes!•Failure Modes Analysis conducted!• Did not detect the architectural weakness that was

inherent in the system from this particular failure•Beware the complacency that might exist if systems are a “rebuild” from a previous programme! • Subtle component changes lead to a system

whose characteristics are subtly different•Beware the technical expert who has worked with a device or system for many years and “understands” it’s characteristics! • Important difference between knowledge and

experience blurred• All claims backed up with documented facts from a

sound source•Share your fortunes openly and in good time with your sponsors! • No time or money would have saved this program

once the opportunities to find the problem had passed

• Relationship between customer and supplier crucial in understanding risks involved and in successfully exposing many other development issues during course of program

10MAPLD 2004/Avery

Background – Electronics Testbed (ETB)

ETB History• MAPLE Series• STRV2• STRV1d

11MAPLD 2004/Avery

ETB Development Plan

Architecture – ETBCOMMAND ANDDATA HANDLINGSYSTEM (DHS)

SUB-EXPERIMENT #1

SUB-EXPERIMENT #2

SUB-EXPERIMENT #3

SUB-EXPERIMENT #4

SUB-EXPERIMENT #5

SUB-EXPERIMENT #6

SUB-EXPERIMENT #7

SUB-EXPERIMENT #8

COMMUNICATIONSTO/FROM SPACECRAFTCOMPUTER

POWER FROMSPACECRAFT BUS

STRV1d ELECTRONICS TEST BED BLOCK DIAGRAM

COMMUNICATION AND POWER TO SUB-EXPERIMENTS

TEMPERATUREAND DOSEMONITORS

12MAPLD 2004/Avery

ETB Development Plan

Architecture – DHS1M X 8

RAD-HARDRAM32K X 8

ROM

RS-422/RS-232TRANSCEIVERS

TX+/- AND RX+/- 1-12 SPACECRAFTCOMMUNICATION

COMMUNICATIONTO/FROM

EXPERIMENTSPOWER SWITCH CONTROLOUTPUT CIRCUITS

(UP TO 16 CIRCUITS)

POWER SWITCHCIRCUITS(UP TO 16)

INRUSH LIMITINGAND

CURRENT SENSECIRCUITS

MCM

RAM SELECTPOWER SELECT

SENSE INPUTANALOG SELECT

DATA TX/RXWATCH DOG TIMERPOWER ON RESET

RAMSELECT

SOLID STATERECORDER

(1M X 8 EEPROM)

WDT/POR

SSR COMM

+5V TO SSR

SPACECRAFTBUS VOLTAGE

16 CHANNEL ANALOGTO DIGITAL SELECT

80C31RAD-HARD

CONTROLLER

ADDRESSAND DATA

DISCRETE

ANALOG SWITCHESAND A/D CONVERTERS

RAD-TOLERANTGATE ARRAY

GLUELOGIC

16 ANALOGCHANNELS

SW0-16

MDI3080R-T12

DHS POWER

MDI3080R-T12

MDI3080R-T12

MDI3080R-T12

+5V, +12, -12V to Sub-Experiments(-5V also supplied to PHA)

S/C COMMINTERRUPT

10/7/97

TRAM

DOSELPE

QWIPCOTS#1COTS#2

COTS#3CCD

PHALINEARREGULATOR

13MAPLD 2004/Avery

ETB Development Plan

• Slot Concept

Exp #1

Exp #2

Exp #3

Exp #4Exp #5

Exp #6

Exp #7

Exp #8

Exp #9Exp #10

60 secondcycle

6 seconds allottedper sub-experiment

14MAPLD 2004/Avery

ETB Development Plan

Software ConOps– Time Slice

0 sec

sub-experiment activity

poll

6 sec

sec

DHS activity

DHS Researved Time

Sub-experiment advances to next state or position

Analog sample is taken from sub-experiment on A and/or Bchannels

poll

sec

DHS Reserved poll DHS Reserved poll DHS Reserved

1st state, ith timeslice

Sample from 3rd stateof (i-1)th time slice

2nd state, ith timeslice

Sample from 1st stateof (i)th time slice

3rd state, ith timeslice

Sample from 2nd stateof (i)th time slice

(a) 1 sample / time slice

(b) 3 samples / time slice

15MAPLD 2004/Avery

ETB Development Plan

• Software ConOps– Time Slice

i i+1 i+2

Master time slice, indicating window for sub-experiment #3

Power applied to experiment #3

Communications dialogs with #3 Commandedto switch todata mode x

Analog data sampling for #3Sample takenimmediately beforecomm dialog

16MAPLD 2004/Avery

ETB Development Plan

• Types of Experiments• “Smart” Experiments

• Full Communication• Analog Sample

• State Based Experiments• Use ‘Poll’ to advance counter

• Analog Only Experiment• No communication

•COTS1 – Analog Circuits•COTS2 – Digital Circuits•COTS3 – Digital Circuits•PHA – Pulse Height Analyzer•LPE – Low Power Experiment (AIC)•TRAM – Transmit Receive Antenna Module•CCD – Charge Coupled Device

•QWIP – Quantum Well Infrared Photodector•Dose – TID Dose Monitor/Shielding

•None Used

17MAPLD 2004/Avery

Things Go Wrong – ETB Development

•During Development• BIC (Basic Interface Controller)

• Co-Design• ASIC Into MCM

• Radiation Shield• Tantalum Structure• Redesign Implemented

18MAPLD 2004/Avery

Things Go Wrong – ETB Integration

During Integration• First attempt at MFS• Service Connections (Don’t do it this

way)• Connector Dyslexia

19MAPLD 2004/Avery

Things Go Wrong – ETB Test

During Integration• A Broken Experiment• Never Recovered

20MAPLD 2004/Avery

Things Go Right – ETB Modular System

During Integration• Recovery (modularity of system)

21MAPLD 2004/Avery

A Good Mistake

•Miscommunication •Flight Spare Used •Missions Problems•Flight Unit Available for Another Mission

Flight

Flight Spare

22MAPLD 2004/Avery

Conclusions

Failure Modes – Cover All the BasesComplacency – Sometimes Experience Can Be BadCommunication – Key to Good Design and SuccessExperience – Build On ItModularity – Too Much Can Be BadModularity – Turns bad into goodLuck Beats Skill