EVALUATION OF RISK AND POSSIBLE MITIGATION SCHEMES FOR PREVIOUSLY UNIDENTIFIED HAZARDS

William Linzey, Micah McCutchan, and Michael Traskos
Lectromechanical Design Company

Richard Gilbrech, Ph.D.
NASA Langley Research Center

Robert Cherney
Orbital Sciences Corporation

George Slenski
Wright Patterson Air Force Base

Walter Thomas III
NASA Goddard Space Flight Center

Preface

In April 2004, the NASA Engineering and Safety Center (NESC) was commissioned by NASA’s Chief Safety and Mission Assurance (S&MA) Officer to review and render a technical opinion on the probability of a catastrophic failure related to this scenario: The Space Shuttle Program (SSP) recognized a zero-fault-tolerant design related to an inadvertent firing of the primary reaction control system (RCS) jets on the Orbiter during mated operations with the International Space Station (ISS). It was determined that an un-commanded firing of an RCS jet could cause serious damage or loss of both the SSP Orbiter and the ISS. Several scenarios were suggested in which an un-commanded firing of the RCS jet is possible [1]. These scenarios include an arc track event in the 28-volt heater circuits that could result in a wire-to-wire short to the adjacent reaction control jet wire. In this worst-case scenario, enough current and power could be applied to activate the reaction control jet valves and fire a thruster. The following report summarizes the work that was sponsored by the NESC as part of their assessment of the Orbiter inadvertent firing of a RCS thruster while attached to the ISS [2].

Introduction

Background

During the life cycle of an aircraft or spacecraft, new information and performance data change (and even invalidate) engineering assumptions that were made during the initial design and development of a platform. This information can affect many aspects of ownership including the validity of any previous safety analyses. In some cases, a new failure mode may be postulated, found to be a significant threat, and appropriate mitigation techniques developed and deployed to reduce the newly discovered threat to an acceptable level.
Where necessary, laboratory evaluation may be needed to acquire data to evaluate new risks, solutions, and advance a technical way forward. The development of mitigation techniques to prevent un-commanded firing of the Space Shuttle’s primary RCS jets is an example of such a process.

Page 1 of 28, 9th Joint FAA/DoD/NASA 2006 Aging Aircraft Conference, March 6-9, 2006

This report presents the results of arc track testing conducted to determine if such a transfer of power to un-energized wires is possible and/or likely during an arcing event, and to evaluate an array of protection schemes that may significantly reduce the possibility of such a transfer. The results of these experiments may be useful for determining the level of protection necessary to guard against spurious voltage and current being applied to safety critical circuits. It was not the purpose of these experiments to determine the probability of the initiation of an arc track event ― only if an initiation did occur could it cause the undesired event: an inadvertent thruster firing.

The primary wire insulation used in the Orbiter is aromatic polyimide, or Kapton®, a construction known to arc track under certain conditions [3]. Previous Boeing testing has shown that arc tracks can initiate in aromatic polyimide insulated 28 volts direct current (VDC) power circuits using more realistic techniques such as chafing with an aluminum blade (simulating the corner of an avionics box or lip of a wire tray), or vibration of an aluminum plate against a wire bundle [4]. Therefore, an arc initiation technique was chosen that provided a reliable and consistent technique of starting the arc and not a realistic simulation of a scenario on the vehicle. Once an arc is initiated, the current, power and propagation characteristics of the arc depend on the power source, wire gauge and insulation type, circuit protection and series resistance rather than type of initiation. The initiation method employed for these tests was applying an oil and graphite mixture to the ends of a powered twisted pair wire.
The flight configuration of the heater circuits, the fuel/oxidizer (or ox) wire, and the RCS jet solenoid were modeled in the test configuration so that the behavior of these components during an arcing event could be studied. To determine if coil activation would occur with various protection wire schemes, 145 tests were conducted using various fuel/ox wire alternatives (shielded and unshielded) and/or different combinations of polytetrafluoroethylene (PTFE), Mystik® tape and convoluted wraps to prevent unwanted coil activation.

Test results were evaluated along with other pertinent data and information to develop a mitigation strategy for an inadvertent RCS firing. The SSP evaluated civilian aircraft wiring failures to search for aging trends in assessing the wire-short hazard. Appendix 2 applies Weibull statistical methods to the same data with a similar purpose.

Experimental Detail

Test Specimen Configuration and Experimental Setup

Twenty-nine different configurations were tested, with five tests per configuration for a total of 145 tests. All test configurations consisted of heater wires and a set of fuel/ox wires. Heater circuits were made of twisted pairs and fuel/ox wires were either two twisted pairs, one twisted quad, or two shielded twisted pairs, as shown in Figure 1. In all tests, the heater circuits and fuel/ox bundles were bundled together and an arc was initiated in the heater wire bundle. The arc was allowed to propagate down the length of the bundle and damage to the fuel/ox bundle was assessed.

Figure 1. Fuel/Ox Wire Options

Within the set of 145 tests, there were subtle differences in the bundle configurations depending on the number of heater circuits, the type of fuel/ox wire, and the materials used to assemble and protect the bundle. These configurations were grouped into four distinct types, displayed in Figure 2. The application of the protection scheme changed both the size and weight for the fuel/ox bundles. Each protection scheme had a unique impact on the size and weight of the wire bundle.
The range of possible configurations is shown in Figure 3.

The type of fuel/ox wire, protection schemes, and circuit protection for each group of five tests are summarized in Table 1. Each protection scheme was applied according to Boeing Orbiter wire harness assembly and installation specifications ML0303-0013D and ML0303-0014N. A description of the twelve different protection schemes evaluated is provided in Appendix 1.

Figure 2. Cross-section of Protection Schemes and Heater Wire Circuits
Panels (each cross-section labels the OX and FUEL coil and return wires, the 28 VDC and ground return heater wires, and the lacing cord):
• Configuration 1: 1 Power Circuit. Fuel/Ox Wires: Twisted Quad. No Protective Overwrap.
• Configuration 1: 3 Power Circuits. Fuel/Ox Wires: Twisted Quad. No Protective Overwrap.
• Configuration 2: 3 Power Circuits. Fuel/Ox Wires: 2 Shielded Twisted Pair. No Protective Overwrap.
• Configuration 3: 3 Power Circuits. Fuel/Ox Wires: 2 Shielded Twisted Pair. 1 or 2 Layers of Protective Overwrap.
• Configuration 4: 3 Power Circuits. Fuel/Ox Wires: 2 Twisted Pair. 1 or 2 Layers of Protective Overwrap.

Figure 3. Composite Photo of Various Protection Configurations
(Photo labels: Shielded Twisted Pair, No Protection; 1 Layer PTFE Wrap; 1 Layer Mystik; 1 Layer Convolute; 2 Layers PTFE Wrap; 2 Layers Mystik; 2 Layers Convolute. A "(3 wraps)" note appears beneath the labels.)

Table 1. Test Configurations Evaluated

| Test # | Harness Config # | # Heater Circuits | Fuel/Ox Wire | Protection Scheme, 1st Layer (Bottom) | Protection Scheme, 2nd Layer (Top) | Circuit Protection (fuse rating) |
|---|---|---|---|---|---|---|
| N264 1-5 | 1 | 1 | Twist Quad | NA | NA | 15A |
| N264 6-10 | 1 | 3 | Twist Quad | NA | NA | 15A |
| N264 11-15 | 2 | 3 | 2 Sh/Tw/Pair | NA | NA | 15A |
| N264 16-20 | 3 | 3 | 2 Sh/Tw/Pair | PTFE Wrap | None | 15A |
| N264 21-25 | 3 | 3 | 2 Sh/Tw/Pair | Mystik | None | 15A |
| N264 26-30 | 3 | 3 | 2 Sh/Tw/Pair | Convolute | None | 15A |
| N264 31-35 | 3 | 3 | 2 Sh/Tw/Pair | PTFE Wrap | PTFE Wrap | 15A |
| N264 36-40 | 3 | 3 | 2 Sh/Tw/Pair | PTFE Wrap | Mystik | 15A |
| N264 41-45 | 3 | 3 | 2 Sh/Tw/Pair | PTFE Wrap | Convolute | 15A |
| N264 46-50 | 3 | 3 | 2 Sh/Tw/Pair | Mystik | PTFE Wrap | 15A |
| N264 51-55 | 3 | 3 | 2 Sh/Tw/Pair | Mystik | Mystik | 15A |
| N264 56-60 | 3 | 3 | 2 Sh/Tw/Pair | Mystik | Convolute | 15A |
| N264 61-65 | 3 | 3 | 2 Sh/Tw/Pair | Convolute | PTFE Wrap | 15A |
| N264 66-70 | 3 | 3 | 2 Sh/Tw/Pair | Convolute | Mystik | 15A |
| N264 71-75 | 3 | 3 | 2 Sh/Tw/Pair | Convolute | Convolute | 15A |
| N264 76-80 | 4 | 3 | 2 Tw/Pair | PTFE Wrap | None | 15A |
| N264 81-85 | 4 | 3 | 2 Tw/Pair | Mystik | None | 15A |
| N264 86-90 | 4 | 3 | 2 Tw/Pair | Convolute | None | 15A |
| N264 91-95 | 4 | 3 | 2 Tw/Pair | PTFE Wrap | PTFE Wrap | 15A |
| N264 96-100 | 4 | 3 | 2 Tw/Pair | PTFE Wrap | Mystik | 15A |
| N264 101-105 | 4 | 3 | 2 Tw/Pair | PTFE Wrap | Convolute | 15A |
| N264 106-110 | 4 | 3 | 2 Tw/Pair | Mystik | PTFE Wrap | 15A |
| N264 111-115 | 4 | 3 | 2 Tw/Pair | Mystik | Mystik | 15A |
| N264 116-120 | 4 | 3 | 2 Tw/Pair | Mystik | Convolute | 15A |
| N264 121-125 | 4 | 3 | 2 Tw/Pair | Convolute | PTFE Wrap | 15A |
| N264 126-130 | 4 | 3 | 2 Tw/Pair | Convolute | Mystik | 15A |
| N264 131-135 | 4 | 3 | 2 Tw/Pair | Convolute | Convolute | 15A |
| N264 136-140 | 1 | 1 | Twist Quad | NA | NA | 10A |
| N264 141-145 | 1 | 3 | Twist Quad | NA | NA | 10A |

Each of the four harness configurations, displayed in Figures 4a through 4d, required a slightly different
experimental setup. Differential voltage probes and current shunts are included at appropriate locations in the circuits to capture useful information during the arcing event (Figures 4a through 4d). Data were collected on a Nicolet Vision Datalogger at 1 kilosample (KS)/sec.

Figure 4a. Harness Configuration 1: 1 Heater Circuit, Fuel/Ox = Unshielded Twisted Quad
(Schematic labels: Power On, 28 VDC, 15 Amp Fuse, 25' of 20 AWG twisted pair, Oil/Graphite Mixture, Heater Wire, Fuel/Ox Wire, Bundle, Fuel/Ox Valves, Coils, Accelerometers, Charge Amps, Voltage Measurement, Current Shunt.)

Harness configuration 1 (Figure 4a) was the simplest configuration, with only one heater circuit. This configuration was used in Tests 1 through 5 with unprotected twisted quad for the fuel/ox wires. This setup corresponds to the configuration that exists in some locations on the Orbiter.

Figure 4b. Harness Configuration 1: 3 Heater Circuits, Fuel/Ox = Unshielded Twisted Quad
(Schematic labels: Fuel/Ox: 1 Twisted Quad, Oil/Graphite Mixture, 15 Amp Fuses (3), 25' of 20 AWG Twisted Pair, Bundle, Fuel/Ox Valves, Coils, Accelerometers, Charge Amps, measurement channels Ch1 through Ch16.)

Harness configuration 1 with three heater circuits (Figure 4b) was used in Tests 5 through 10 for the unprotected twisted quad. This series of tests represents the configuration that presently exists in some locations on the Orbiter. Tests performed in this group determined whether the present Orbiter configuration would allow enough voltage and current to be transferred to the fuel/ox wires to cause coil activation.

Figure 4c. Harness Configurations 2 and 3: 3 Heater Circuits, Fuel/Ox = Shielded Twisted Pair
(Schematic labels: Fuel/Ox: 2 Shielded Twisted Pairs, Oil/Graphite Mixture, 15 Amp Fuses (3), 25' of 20 AWG Twisted Pair, Bundle, Fuel/Ox Protection, Fuel/Ox Valves, Coils, Accelerometers, Charge Amps, measurement channels Ch1 through Ch16.)

Harness configurations 2 and 3, with three heater circuits (Figure 4c), were used in Tests 11 through 75. This series of tests used two twisted shielded pairs for the fuel/ox wires, and included five tests for each of the protection schemes identified in Table 2. Note that the purple box highlights the fuel/ox wires. It should be recognized that each twisted shielded pair had its own metal shield and that one shield does not protect both twisted pairs of fuel/ox wire (see Figures 1 and 2).

Figure 4d. Harness Configuration 4: 3 Heater Circuits, Fuel/Ox = 2 Unshielded Twisted Pairs
(Schematic labels: Configuration 4, Fuel/Ox: 2 Twisted Pairs, Oil/Graphite Mixture, 15 Amp Fuses (3), Bundle, Fuel/Ox Protection, Coils, Charge Amps, measurement channels Ch1 through Ch16.)

Harness configuration 4 (Figure 4d) was used in Tests 76 through 145. This configuration was essentially the same as configurations 2 and 3, with unshielded twisted pairs replacing the shielded twisted pairs for the fuel/ox wires. This test series included five specimens for each of the protection schemes identified in Table 1.

Heater circuits were represented in the test configurations, but the actual heaters were not. On the Orbiter, the heater switching is located in the fuel/ox valve assembly. Therefore, even when the heaters are off, the heater wires are energized up to the switch at the valve. In this series of tests the heaters were simulated in the “off” position (open circuit). If the heaters had been included in the test circuit the heaters would have been in parallel with the arc. There would have been little effect on the arc except that the additional heater current would cause the circuit protection to trip earlier limiting the damage.

The 25 feet of 20 American Wire Gage (AWG) (Figures 4a through 4d) wire was used to simulate an event that may occur away from the power bus ― this represents the configuration on the Orbiter.
The resistance of the 25 feet of wire (~0.25 ohms in both the feeder and return) limits the power in the arc, but also slows the speed that the arc travels and increases the time before the circuit protection (fuse) opens. The latter two of these factors tend to increase the collateral damage caused by the arc. While the additional resistance of the 25 feet of wire tends to stabilize the arc, too much resistance (wire) inhibits the arc.

Research into fuel/ox circuits indicated that the aft thrusters are protected, such that “a steady state load current of 15 amperes (amp) shall cause the fusible link to open” (Rockwell Procurement Specification MC477-0263, paragraph 3.4.5). Therefore, the 15 amp fuse was conservative since at this value, the current would not cause the fuse to open. However, without more detailed information, the more conservative protection was used. The forward reaction jet driver (RJD) uses smaller fuses. Therefore, additional tests using harness configuration 1 specimens were performed using 10 amp fuses as protection for the heater circuits.

Test Procedure

After all preliminary checks were performed, the heater circuits were energized and the oil/graphite mixture was used to initiate the arc. The arc was allowed to propagate the length of the sample. The arc event tripped the circuit protection, self-extinguished the arc, or stopped when it reached the end of the sample. After the power was turned off, the specimen was removed from the testing chamber and all test information was recorded. A visual inspection of the sample gave preliminary indications of the effectiveness of the protection scheme. For each sample, a wet dielectric voltage withstand (DVW) test was used to determine if the insulation of the fuel/ox wires was actually compromised. Figure 5 is a still shot (captured from video) of Test N264-008 in progress.

Figure 5. Test N264-008 In Progress

The opening of the fuel/ox valve was detected in three ways:
1. Audible clicking sound of valve solenoids.
2. Accelerometer measurements.
3. Coil voltage and current measurements indicating that the coil was at or above the operational threshold.

Damage to the specimen and fuel/ox wire was determined in the following ways:
1. Coil voltage and current measurements (including shield current measurements).
2. Fuel/ox wire damage (visual and wet DVW test).
3. Breach of protection layers (visual examination).

Results

Table 2 summarizes test results with identical harness configuration, protection scheme, and circuit protection grouped together.

Table 2. Test Results Summary Grouped by Experimental Conditions

| Test # | Harness Config # | # Heater Circuits | Fuel/Ox Wire | Protection Scheme, 1st Layer (Bottom) | Protection Scheme, 2nd Layer (Top) | Circuit Protection (fuse rating) | Audible Click, Valve Opened | Accelerometer Activity | Max Coil Volt/Current Reading | Damage to Fuel/Ox Wires | Breach of All Protection Layers |
|---|---|---|---|---|---|---|---|---|---|---|---|
| N264 1-5 | 1 | 1 | Twist Quad | NA | NA | 15A | 5/5 | Yes | 24V/2.1A | Yes | NA |
| N264 6-10 | 1 | 3 | Twist Quad | NA | NA | 15A | 4/5 | Yes | 23V/2.0A | Yes | NA |
| N264 136-140 | 1 | 1 | Twist Quad | NA | NA | 10A | 2/5 | Yes | 24.8V/2.1A | Yes | NA |
| N264 141-145 | 1 | 3 | Twist Quad | NA | NA | 10A | 0/5 | No | 3.5V/0.1A | Yes | NA |
| N264 11-15 | 2 | 3 | 2 Sh/Tw/Pair | NA | NA | 15A | 0/5 | No | 2.2V/0.2A | Yes | NA |
| N264 16-20 | 3 | 3 | 2 Sh/Tw/Pair | PTFE Wrap | None | 15A | 0/5 | No | <1V | Slight | 4/5 |
| N264 21-25 | 3 | 3 | 2 Sh/Tw/Pair | Mystik | None | 15A | 0/5 | No | <1V | Slight* | 2/5* |
| N264 26-30 | 3 | 3 | 2 Sh/Tw/Pair | Convolute | None | 15A | 0/5 | No | <1V | No | 2/5 |
| N264 31-35 | 3 | 3 | 2 Sh/Tw/Pair | PTFE Wrap | PTFE Wrap | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 36-40 | 3 | 3 | 2 Sh/Tw/Pair | PTFE Wrap | Mystik | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 41-45 | 3 | 3 | 2 Sh/Tw/Pair | PTFE Wrap | Convolute | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 46-50 | 3 | 3 | 2 Sh/Tw/Pair | Mystik | PTFE Wrap | 15A | 0/5 | No | <1V | No | 1/5 |
| N264 51-55 | 3 | 3 | 2 Sh/Tw/Pair | Mystik | Mystik | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 56-60 | 3 | 3 | 2 Sh/Tw/Pair | Mystik | Convolute | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 61-65 | 3 | 3 | 2 Sh/Tw/Pair | Convolute | PTFE Wrap | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 66-70 | 3 | 3 | 2 Sh/Tw/Pair | Convolute | Mystik | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 71-75 | 3 | 3 | 2 Sh/Tw/Pair | Convolute | Convolute | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 76-80 | 4 | 3 | 2 Tw/Pair | PTFE Wrap | None | 15A | 0/5 | No | <1V | Yes | 4/5 |
| N264 81-85 | 4 | 3 | 2 Tw/Pair | Mystik | None | 15A | 0/5 | No | <1V | Slight | 3/5 |
| N264 86-90 | 4 | 3 | 2 Tw/Pair | Convolute | None | 15A | 0/5 | No | <1V | No | 1/5 |
| N264 91-95 | 4 | 3 | 2 Tw/Pair | PTFE Wrap | PTFE Wrap | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 96-100 | 4 | 3 | 2 Tw/Pair | PTFE Wrap | Mystik | 15A | 0/5 | No | <1V | No | 1/5 |
| N264 101-105 | 4 | 3 | 2 Tw/Pair | PTFE Wrap | Convolute | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 106-110 | 4 | 3 | 2 Tw/Pair | Mystik | PTFE Wrap | 15A | 0/5** | No** | <1V** | No | 0/5 |
| N264 111-115 | 4 | 3 | 2 Tw/Pair | Mystik | Mystik | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 116-120 | 4 | 3 | 2 Tw/Pair | Mystik | Convolute | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 121-125 | 4 | 3 | 2 Tw/Pair | Convolute | PTFE Wrap | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 126-130 | 4 | 3 | 2 Tw/Pair | Convolute | Mystik | 15A | 0/5 | No | <1V | No | 0/5 |
| N264 131-135 | 4 | 3 | 2 Tw/Pair | Convolute | Convolute | 15A | 0/5 | No | <1V | No | 0/5 |

* Specimen N264-021 had only 1 wrap of Mystik Tape instead of 3 called for in ML 0303-0014. The shield for this specimen failed the DVW where the shield for the other 4 specimens in this configuration did not.
** Specimen N264-106: movement of sample during arc caused Fuel/Ox valve clip lead to touch the heater terminal block and the valve opened. However this was not due to arcing damage or power transferred by the arc. Note: The protection layers were not fully breached.

The background color of the rows signifies the possibility of an arc track event causing the fuel/ox valve to open or causing damage to the fuel/ox wire according to the following:
• Red: It is likely that the fuel/ox valve would open due to an arc track event. This would not be an unexpected event should an arc track occur.
• Yellow: It is unlikely that the fuel/ox valve would open due to an arc track event; however, significant damage to the fuel/ox wires could be expected.
• Green: It is very unlikely that the fuel/ox valve would open due to an arc track event. It is also unlikely that significant damage to the fuel/ox wires could be expected.

The results columns provide the following information:

Audible Click, Valve Opened: When the fuel/ox valve opened and closed, a clicking sound could easily be heard. This column records the number of tests in each group of 5 in which the valve opening/closing was heard.

Accelerometer Activity: The accelerometers, placed on the valve solenoids, were used to “listen” for valve movement. The accelerometer records if movement was detected for any test in the group of 5.
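
An added example, not part of the original report: it takes the "Audible Click, Valve Opened" counts from Table 2 and computes exact one-sided 95% binomial (Clopper-Pearson) limits on the per-test valve-opening probability, to show how much a group of five tests can support on its own. Pooling groups by fuel/ox wire type and fuse rating, and the names `ROWS`, `upper_bound`, `lower_bound` and `pooled`, are assumptions of this example.

```python
from math import comb

# "Audible Click, Valve Opened" counts transcribed from Table 2:
# (tests, fuel/ox wire, fuse rating in A, valve openings, tests run).
# The two overwrap series are collapsed: each is 12 groups, all recorded as 0/5
# (N264-106 is counted as recorded, 0/5, per the table's ** footnote).
ROWS = [
    ("N264 1-5",     "Twist Quad",   15, 5, 5),
    ("N264 6-10",    "Twist Quad",   15, 4, 5),
    ("N264 136-140", "Twist Quad",   10, 2, 5),
    ("N264 141-145", "Twist Quad",   10, 0, 5),
    ("N264 11-15",   "2 Sh/Tw/Pair", 15, 0, 5),
    ("N264 16-75",   "2 Sh/Tw/Pair", 15, 0, 60),
    ("N264 76-135",  "2 Tw/Pair",    15, 0, 60),
]

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def _solve(k, n, target):
    """Bisect for the p at which binom_cdf(k, n, p), decreasing in p, hits target."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def upper_bound(k, n, alpha=0.05):
    """Largest per-test probability still consistent with k events in n tests."""
    return 1.0 if k == n else _solve(k, n, alpha)

def lower_bound(k, n, alpha=0.05):
    """Smallest per-test probability still consistent with k events in n tests."""
    return 0.0 if k == 0 else _solve(k - 1, n, 1 - alpha)

def pooled():
    """Sum openings and tests per (fuel/ox wire, fuse rating); pooling is an assumption."""
    totals = {}
    for _, wire, fuse, k, n in ROWS:
        tk, tn = totals.get((wire, fuse), (0, 0))
        totals[(wire, fuse)] = (tk + k, tn + n)
    return totals

if __name__ == "__main__":
    print("single group of five, 0/5: upper limit %.3f" % upper_bound(0, 5))
    print("single group of five, 5/5: lower limit %.3f" % lower_bound(5, 5))
    for (wire, fuse), (k, n) in pooled().items():
        print("%-13s %2dA  %2d/%-3d  one-sided 95%% limits: lower %.3f, upper %.3f"
              % (wire, fuse, k, n, lower_bound(k, n), upper_bound(k, n)))
```

A single 0/5 group bounds the per-test opening probability only below about 0.45, while the pooled 0/65 shielded result bounds it below about 0.045.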