NASA Office of Logic Design

NASA Office of Logic Design

A scientific study of the problems of digital engineering for space flight systems,
with a view to their practical solution.


ACTS PYRO Separation Band Anomaly (Shuttle Orbiter)

Abstract:

Minor damage to the Shuttle was caused when the firing of the primary explosive cord to deploy the payload from the cargo bay also triggered the backup cord. End-to-end system tests had validated the erroneous design rather than the end function. Document electrical-mechanical interfaces, protect hazardous systems against any possible unintended operation, and consider use of a single cord configuration.

Description of Driving Event:

During the successful deployment of the ACTS/TOS Payload from the STS-51 cargo bay on September 12, 1993, the "SUPER*ZIP" pyrotechnic separation joint ruptured, producing debris that caused minor damage. Two explosive cords were initiated and operated in the subsystem (when functioning of one cord was desired), causing considerably more energy to be imparted into this subsystem, resulting in the rupture of the containment tube, doubler plates, lead sheathing, silicone rubber extrusion and in the emission of carbon particles (smoke). One affected plate penetrated through the shuttle orbiter aft bulkhead insulation blanket and punctured a 1/8 x 1/2 inch hole in the aft bulkhead. Flight/crew critical equipment exists immediately behind the bulkhead. Other debris caused at least nine small tears in cargo bay insulation blankets, three gouges in wire tray covers and possibly a gouge in a thermal protection system tile.

The primary cause of the separation system anomaly was a circuit design error, which resulted in firing one end of both the primary and back-up cords, rather than firing both ends of the primary cord. The direct cause of the design error could not be determined. This embedded error remained undetected throughout a series of comprehensive requirements, design and certification reviews and systems tests with wide participation by both the government and contractors. The end-to-end system tests, end-to-end verification Ground Support Equipment (GSE), and procedures were established in a manner that validated the erroneous design rather than the end function. This was due in part because of lack of adequate systems engineering in the TOS program and because the SUPER*ZIP end-to-end drawings were spread among several individual drawings and never aggregated into a single end-to-end functional electrical/mechanical schematic.

Lesson(s) Learned:

End-to-end system checks should be performed to verify proper connection, wiring, signal level and function. If necessary, as in the case of pyrotechnic circuits, simulators should be used.

Recommendation(s):

  1. Develop end-to-end schematics/diagrams for electrical mechanical interfaces including software driven interfaces.
  2. Require that potentially hazardous systems have demonstrated protection against any possible unintended operation.
  3. Consider use of a single cord configuration which will prevent this type of event.

References:

  1. NASA Public Lessons Learned Information  System, Lesson #0312.

Home - NASA Office of Logic Design
Last Revised: February 03, 2010
Digital Engineering Institute
Web Grunt: Richard Katz
NACA Seal