RCS Threat

Out of all the things that could go wrong, at least from knowing what I
know, this would worry me the most as an astronaut, since it has
happened five times already. I don't know where they come up with the
odds of 1 in 10,000 to 1 in 1,000,000 when it has happened five times
through 114 missions. I'd be quite uncomfortable.

wrote in news:1146147688.536719.219130
@j33g2000cwa.googlegroups.com:

Out of all the things that could go wrong, at least from knowing what I
know, this would worry me the most as an astronaut, since it has
happened five times already.

This is what happens when the press takes things out of context - I know
that Florida Today has published the above factoid several times.

The five past occurrences were caused by a design flaw in the orbiter's
Display Driver Units (DDUs), which also provide power to the orbiter's hand
controllers. The flaw (caused by capacitor discharge) caused the DDUs to
briefly report an erroneous Translational Hand Controller (THC) deflection
when the crew flipped the power switch to the controllers. If the flight
software happened to be polling the hand controllers during that brief
period (it polls once every 320 ms), an uncommanded RCS thruster firing
would result.

The old DDUs were used only with the pre-"glass cockpit" (MCDS) orbiters.
As part of the glass cockpit (MEDS) upgrade, the dedicated displays were
removed and the DDUs were replaced with Device Driver Units (DDUs, same
acronym, yes I know it's confusing...) that only power the hand
controllers. The new DDUs do not share the design flaw. STS-113 was the
last flight with the old DDUs.

Therefore, the root cause of the five *actual* uncommanded firings has been
eliminated and cannot recur.

I don't know where they come up with the
odds of 1 in 10,000 to 1 in 1,000,000 when it has happened five times
through 114 missions. I'd be quite uncomfortable.

The two remaining failure modes for an uncommanded RCS firing are a
Darlington pair transistor failure in the Reaction Jet Drivers (RJDs), or a
"smart" wire-to-wire short along the lines leading from the RJDs to the
thrusters. The odds you quote are for those two causes. They have never
occurred in any of the previous 114 missions. The space shuttle program is
considering an RJD modification to mitigate the former, and increased
wiring inspections for the latter.
--
JRF

Reply-to address spam-proofed - to reply by E-mail,
check "Organization" (I am not assimilated) and
think one step ahead of IBM.

The five past occurrences were caused by a design flaw in the orbiter's
Display Driver Units (DDUs), which also provide power to the orbiter's hand
controllers. The flaw (caused by capacitor discharge) caused the DDUs to
briefly report an erroneous Translational Hand Controller (THC) deflection
when the crew flipped the power switch to the controllers. If the flight
software happened to be polling the hand controllers during that brief
period (it polls once every 320 ms), an uncommanded RCS thruster firing
would result.

I would argue that turning on the THC means that you're going to use the
RCS in the near future, so you shouldn't be in a state where you can't
tolerate a transient RCS firing. What if somebody/something bumps the THC
by accident?

The two remaining failure modes for an uncommanded RCS firing are a
Darlington pair transistor failure in the Reaction Jet Drivers (RJDs), or a
"smart" wire-to-wire short along the lines leading from the RJDs to the
thrusters. The odds you quote are for those two causes.

Those can occur at any time, and seem to me to be the really dangerous
scenarios for a Shuttle-ISS stack.

Jan

=?ISO-8859-15?Q?Jan_Vorbr=FCggen?= wrote
in :

The five past occurrences were caused by a design flaw in the
orbiter's Display Driver Units (DDUs), which also provide power to
the orbiter's hand controllers. The flaw (caused by capacitor
discharge) caused the DDUs to briefly report an erroneous
Translational Hand Controller (THC) deflection when the crew flipped
the power switch to the controllers. If the flight software happened
to be polling the hand controllers during that brief period (it polls
once every 320 ms), an uncommanded RCS thruster firing would result.

I would argue that turning on the THC means that you're going to use
the RCS in the near future, so you shouldn't be in a state where you
can't tolerate a transient RCS firing.

For the most part, you're correct. There was a procedural workaround for
this problem, which involved the crew making a keyboard entry to disable
switch Redundancy Management (RM) software prior to turning on controller
power, then repeating the entry to re-enable it afterwards. This
workaround was only written into the checklists in the few cases (such as
just before undocking) when an uncommanded firing would be bad. In other
cases, such as the RCS burn cue card, NASA didn't bother with the
workaround since the crew could simply clean up the trajectory effects of
an uncommanded firing during the actual burn.

What if somebody/something
bumps the THC by accident?

Normally the controllers are powered off on-orbit, and only powered on
when used. In addition, the DDU circuit breakers are usually pulled open.
So an inadvertent bump is only possible when the crew is going to use the
hand controllers anyway. The forward THC is in the far left corner of the
forward control panels and so is unlikely to be bumped. The aft THC is
vulnerable to bumping, though not nearly as much as the aft RHC. When the
CDR/PLT has the aft controller power on, he/she usually floats near the
THC and "guards" the RHC with the right hand.

The two remaining failure modes for an uncommanded RCS firing are a
Darlington pair transistor failure in the Reaction Jet Drivers
(RJDs), or a "smart" wire-to-wire short along the lines leading from
the RJDs to the thrusters. The odds you quote are for those two
causes.

Those can occur at any time, and seem to me to be the really dangerous
scenarios for a Shuttle-ISS stack.

A third failure mode I forgot to mention is a "tin whisker" short in an
RJD. There are steps that can be (and are) taken to mitigate the risk,
such as powering off the RJDs during docked ops. That protects against
the transistor failure and the tin whisker short, but not the wire-to-
wire short.

It's worth pointing out that a wire-to-wire short is a very "smart"
failure since you have to have insulation loss on both an RCS command
wire and a 28Vdc power wire, and the frayed points have to be close
enough to each other for arcing to occur. In contrast, the AC bus loss on
STS-93 was (IIRC) a wire-to-ground short. That won't cause an uncommanded
RCS firing.


--
JRF

Reply-to address spam-proofed - to reply by E-mail,
check "Organization" (I am not assimilated) and
think one step ahead of IBM.

a wrong rcs firing at docking time can destroy both the shuttle and
station in one single errant command

hey we must fly or lose our jobs, they might not die lets give it a
whirl....

mark my words the 2010 end date will be looked on as the major reason
for the next accident