Ronald Reagan Building and International Trade Center
September 8-10, 2004
MODULE LEADER: Rick Obenschain, Director Applied Engineering & Technology Directorate, NASA Goddard Space Flight Center
MISHAP DATE: October 9,1978
FAILURE AND MAIN CONTRIBUTING FACTOR
There was a massive and progressive short in one of the slip ring assemblies used to connect the rotating solar arrays into the power subsystem. The most likely cause of this short was the initiation of an arc between adjacent slip ring brush assemblies.
The Seasat spacecraft failed on October 9, 1978, after satisfactory operation in orbit for 105 days, as a result of a loss of electrical power in the Agena bus that was used as part of the spacecraft. The loss of power was caused by a massive and progressive short in one of the slip ring assemblies that was used to connect the rotating solar arrays into the power subsystem. The most likely cause of this short was the initiation of an arc between adjacent slip ring brush assemblies. The triggering mechanism of this arc could have been either a wire-to-brush assembly contact, a brush-to-brush contact, or a momentary short caused by a contaminant that bridged internal components of opposite electrical polarity.
The slip ring assembly, as used n the Seasat spacecraft, was connected into the power subsystem in such a way that most of the adjacent brush assemblies were of opposite electrical polarity. This wiring arrangement, together with the congested nature of the design itself, made the Seasat slip ring assembly a unique, first-of-a-kind component that was particularly prone to shorting.
The possibility of slip ring failures resulting from placing opposite electrical polarities on adjacent brush assemblies was known at least as early as the summer of 1977 to other projects within the contractor's organization. Furthermore, failures of slip ring assemblies due to shorting between brushes had been experienced by the prime contractor on the slip ring assemblies used by other programs. That the Seasat organization was not fully aware of these potential failure modes was due to a breakdown in communication within the contractor's organization.
In addition to this small, though fatal, breakdown in communications, the failure to give the slip ring assembly the attention it deserved was due, in large part, to an underlying program policy and a pervasive view that Seasat's Agena bus was a standard, well-proven piece of equipment that had been used on other programs. In actuality, however, three major subsystems -- the electrical power subsystem, the attitude control subsystem, and the data subsystem -- were substantially modified for use on Seasat's Agena bus. So firmly rooted was this principle of using a "standard Agena bus" that, even after the engineering staffs of both the government and the contractor were well aware of the final uniqueness of their bus, the words, and the associated way of doing business, persisted to the end.
The point of view that the Seasat bus was flight proven, standard equipment proved to have far-reaching consequences. It became program policy to minimize testing and documentation, to qualify components by similarity wherever possible, and to minimize the penetration into the Agena bus by the government. It led to a concentration by project management of the sensors, sensor integration, and the data management system to the near exclusion of the bus subsystems. Important component failures were not reported to project management, a test was waived without proper approval, and compliance with specifications was weak. The component that failed -- the slip ring assembly -- was never mentioned in the briefing charts for either the Consent to Ship meeting of the Critical Design Review.
The Failure Modes, Effects and Criticallity Analysis that was conducted for the electrical power subsystem did not consider shorts as a failure mode and thus did not reveal the presence of single point failure modes in the system or provide a basis for the development of a full complement of safing command sequences that could be used by the flight controllers in responding to anomalies in the power subsystem. A lack of clarity and rigor in the operating requirements and constraints documents for the power subsystem of the bus, together with this lack of safing command sequences, prevented the flight controllers from having all the tools they needed to do their job. The flight controller for the power subsystem was also new to his job at the time of the failure and thus was not sufficiently knowledgeable of the system he was controlling. While no action of the flight controllers contributed to the failure, they did fail to follow the prescribed procedures in response to the information available to them at the time of the failure.
The advantages of using standard, well proven equipment in terms of both cost and mission success are well recognized. But the experience of Seasat illustrates the risks that are associated with the use of equipment that is classified as "standard" or "flight proven." The uncritical acceptance of such classifications by the Seasat engineering staff submerged important differences in both design and application from previously used equipment. It is therefore important that thorough planning be conducted at the start of a project to fully evaluate the heritage of previously used equipment and to establish project plans and procedures that enable the system to be selectively penetrated.
Return to 2004 MAPLD Seminar: Aerospace Mishaps and Lessons Learned
Home - NASA Office of Logic Design
Last Revised: February 03, 2010
Digital Engineering Institute
Web Grunt: Richard Katz