=?ISO-8859-15?Q?Jan_Vorbr=FCggen?= wrote
in :

The five past occurrences were caused by a design flaw in the
orbiter's Display Driver Units (DDUs), which also provide power to
the orbiter's hand controllers. The flaw (caused by capacitor
discharge) caused the DDUs to briefly report an erroneous
Translational Hand Controller (THC) deflection when the crew flipped
the power switch to the controllers. If the flight software happened
to be polling the hand controllers during that brief period (it polls
once every 320 ms), an uncommanded RCS thruster firing would result.

I would argue that turning on the THC means that you're going to use
the RCS in the near future, so you shouldn't be in a state where you
can't tolerate a transient RCS firing.

For the most part, you're correct. There was a procedural workaround for
this problem, which involved the crew making a keyboard entry to disable
switch Redundancy Management (RM) software prior to turning on controller
power, then repeating the entry to re-enable it afterwards. This
workaround was only written into the checklists in the few cases (such as
just before undocking) when an uncommanded firing would be bad. In other
cases, such as the RCS burn cue card, NASA didn't bother with the
workaround since the crew could simply clean up the trajectory effects of
an uncommanded firing during the actual burn.

What if somebody/something
bumps the THC by accident?

Normally the controllers are powered off on-orbit, and only powered on
when used. In addition, the DDU circuit breakers are usually pulled open.
So an inadvertent bump is only possible when the crew is going to use the
hand controllers anyway. The forward THC is in the far left corner of the
forward control panels and so is unlikely to be bumped. The aft THC is
vulnerable to bumping, though not nearly as much as the aft RHC. When the
CDR/PLT has the aft controller power on, he/she usually floats near the
THC and "guards" the RHC with the right hand.

The two remaining failure modes for an uncommanded RCS firing are a
Darlington pair transistor failure in the Reaction Jet Drivers
(RJDs), or a "smart" wire-to-wire short along the lines leading from
the RJDs to the thrusters. The odds you quote are for those two
causes.

Those can occur at any time, and seem to me to be the really dangerous
scenarios for a Shuttle-ISS stack.

A third failure mode I forgot to mention is a "tin whisker" short in an
RJD. There are steps that can be (and are) taken to mitigate the risk,
such as powering off the RJDs during docked ops. That protects against
the transistor failure and the tin whisker short, but not the wire-to-
wire short.

It's worth pointing out that a wire-to-wire short is a very "smart"
failure since you have to have insulation loss on both an RCS command
wire and a 28Vdc power wire, and the frayed points have to be close
enough to each other for arcing to occur. In contrast, the AC bus loss on
STS-93 was (IIRC) a wire-to-ground short. That won't cause an uncommanded
RCS firing.


--
JRF

Reply-to address spam-proofed - to reply by E-mail,
check "Organization" (I am not assimilated) and
think one step ahead of IBM.