Despite a self-titled dissenting opinion from the Aerospace Corporation, the issue of Tin Whiskers won’t get in the way of proceeding to launch with Shuttle Discovery on STS-121.
Despite the wide-ranging – and at times strongly worded – document, NASA issued its own “rebuttal” rationale to fly “as-is” from seasoned data, in the belief there is little chance that the small slices of metal will fall off on to the circuit boards – which could cause shorts in the orbiter’s electrical components, with the potential loss of vehicle and crew.
L2, for expanded documents and information covering the space programs at work.
Both the NASA and Aerospace Corporation documents can be viewed on L2, plus a video on simulated MVA.
**Selected slides for all readers can be viewed here**
NASA managers came to an official decision that Discovery will be able to fly safely ‘as-is’ at last week’s PRCB (Program Requirements Control Board) meeting at the Johnson Space Center.
A presentation, written by Don McCorvey, NASA Flight Controls Subsystem Manager and Trent Kit, from NASA Safety, came to the conclusion that a ‘lack of documented failure history’ along with ‘robust hardware design’ mitigated most of the concerns – concerns that has resurfaced following evaluations and testing by the Aerospace Corporation.
Those concerns were outlined at the start of a fascinating 26 page document, that didn’t mince its words.
‘The flight rationale currently proposed that would allow flight ‘as is’ of critical Flight Control System (FCS) avionics boxes suspected of whisker infestation cannot be validated with the available data and, therefore, is not acceptable for flight,’ opened the Executive Summary.
‘Catastrophic impacts for tin whisker generated failures puts not only the Orbiter at risk, but also potentially the International Space Station and the crew for both vehicles.’
It was recognised that the systems involving the Ascent Thrust Vector Control (ATVC) and Aerosurface Survo Amplifier (ASA) have a mitigated risk, due to redundancy through the need of three failures being required to affect the same actuator signal, before loss of function occurs. These systems are only used during launch and landing. However, concerns were focused on the RJDs (Reaction Jet Drivers).
RJDs covert the GPC (General Purpose Computer) fire commands into the required voltage to open the bi-propellant valves. This allows the hypergolic propellants which are under pressure (via helium) to feed into the combustion chamber of the specific thruster. Once the propellants enter the combustion chamber they ignite on contact.
‘The RJDs do not require multiple failures (for certain shorts in a single connector) for catastrophic consequences,’ noted the Aerospace Corporation document, warning of a single fault, single failure (1/1) issue.
This gained a cryptic – and slightly defensive – note in the NASA rebuttal presentation: ‘At no time has engineering claimed that the RJDs are anything less than 1/1 for the Fail ON case and are not robust in that respect.
‘All discussion of conformal coating and vulnerability of components has been specifically focused on RJDs – while helpful to ASA and ATVC, it is not necessary for flight rationale.
‘Because RJDs cannot be justified by internal architecture, we instead rely upon their design and construction, and the number of whiskers likely to be found in the box.’
‘Unlike ASA and ATVC, RJDs are left on throughout the flight, which results in approximately 30,000 hours of flight experience across the five vehicles. No such discussions have taken place in the history of the program, strongly suggesting that no such events have occurred.’
The Aerospace Corporation continued with by-product risks relating to the Tin Whisker issue, namely plasma/metal vapor arcing (MVA), noting: ‘The failure descriptions preclude the possibility of metal vapor arcing, which can take out more than a data channel on a single actuator. Metal arcing possible=more opportunities and potentially more significant failures.’
They argued that MVA can overstress and destroy both adjacent hardware and circuit components – taking out power, blowing fuses and even causing fires.
Again, NASA countered: ‘Concerns have been raised repeatedly about the prospect of metal vapor arcing inside an LRU (Line Replaceable Unit) with tin whiskers.
‘Aerospace Corporation sponsored a test at 1 atm with a 28ìm extruded tin wire across a battery-powered circuit, resulting in a self-sustaining metal vapor arc that was automatically cut off after 1.5 seconds.
Screenshot from the video of the test, which can be viewed on the L2 section.
‘Dr. Leidecker at Goddard tested our whiskers – between 1ìm and 6ìm to determine whether or not they would ‘vaporize’ at our expected currents. Whiskers universally vaporized without a sustained arc in air at 1 atm at approximately 30mA. Total time sustaining current before vaporization was approximately 1 microsecond.
‘In the event that a valve could actually open, the valve requires at least 12ms to open – far longer than the whisker is expected to survive. For the whiskers involved in this situation, MVA appears not to be an issue.’
Adding in conclusion to the refuting of the Aerospace Corporation’s findings, NASA emphasised their point in the MVA threat to the RJDs, noting: ‘Aerospace Corporation’s dissenting opinion is primarily over the potential for metal vapor arcing on RJDs. Testing already performed at Goddard suggests that for whiskers found in shuttle flight controls equipment, MVA is not a threat and cannot result in a jet firing.
That statement was designed to place a line over the Aerospace Corporation’s own summing up, which claimed that NASA’s data is incomplete.
‘Failures, as defined by failure history, include only those whisker shorts that can be identified by failure signature,’ their document claimed, whilst pointing to two related UAs (Unexplained Anomalies) in the Shuttle’s flight history.
‘Unpowered boxes will not show where whiskers may have contacted critical contacts. In powered boxes, short duration, failed off and vaporized whiskers (that do not result in metal vapor arcs) are all whisker shorts that would not be captured by examination of past data.
‘An independent review of CARs associated with past FCS LRU failures found a number that were not classified as Unexplained Anomaly, but that did not have a specific flaw. (The document expanded into detail on this issues in its back-up section).
‘At least eleven did not have clear data that precluded tin whisker involvement. Several were assumed to be external short because it could not be duplicated, a hallmark of tin whisker failures – these were often power related resulting in loss of power supply or fuse that lost several/all channels originating from that box. Some cited a physical problem that later was shown to be independent of the failure
‘Additionally, the failure analysis argument depends on being able to estimate the condition of the whiskers in the past, something that cannot be positively determined. Flight data from STS-114 has been examined, but it is subject to the same limits on visibility. It should not be assumed that the condition of these FCS LRUs has been the same throughout the past 20 years.
‘Bottom line: Failure history is incomplete, could hide false positives and may not be representative of the current state of FCS boxes. Therefore, conclusions based on failure history are subject to considerable uncertainty.’
Despite these findings, NASA are confident in their own ‘seasoned’ data and evaluation of the Aerospace Corporation ‘dissenting view’ – which ultimately led to their management decision to press ahead with STS-121, without this issue becoming a showstopper for the mission.