FLIGHT ASSURANCE PROCEDURE Page 1 of 10



Similar documents
Criteria for Flight Project Critical Milestone Reviews

Easy Step 1000 Stepper Driver Module

University of Ljubljana. Faculty of Computer and Information Science

Value Paper Author: Edgar C. Ramirez. Diverse redundancy used in SIS technology to achieve higher safety integrity

Goddard Procedures and Guidelines

Similar benefits are also derived through modal testing of other space structures.

ESA s Data Management System for the Russian Segment of the International Space Station

MOCET A Certification Scaffold for Critical Software

ILLINOIS DEPARTMENT OF CENTRAL MANAGEMENT SERVICES CLASS SPECIFICATION CLASS TITLE POSITION CODE EFFECTIVE

NEBB STANDARDS SECTION-8 AIR SYSTEM TAB PROCEDURES

Space Flight Project Work Breakdown Structure

Space product assurance

Ohio Supercomputer Center

CalMod Design-Build Electrification Services

Application Note. Line Card Redundancy Design With the XRT83SL38 T1/E1 SH/LH LIU ICs

Requirements Management John Hrastar

Current Loop Tuning Procedure. Servo Drive Current Loop Tuning Procedure (intended for Analog input PWM output servo drives) General Procedure AN-015

Summary of GAO Cost Estimate Development Best Practices and GAO Cost Estimate Audit Criteria

PEZ. System Design and Project Plan. System Design and Project Plan. PEZ (Pills EZ) Dispenser. October 12, Ben Anderson.

What methods are used to conduct testing?

How To Develop Software

Foundations for Systems Development

AC REUSABLE SOFTWARE COMPONENTS

SOFTWARE DEVELOPMENT STANDARD FOR SPACECRAFT

SuperIOr Controller. Digital Dynamics, Inc., 2014 All Rights Reserved. Patent Pending. Rev:

XtraView Installation Manual

Cable Discharge Event

University of Paderborn Software Engineering Group II-25. Dr. Holger Giese. University of Paderborn Software Engineering Group. External facilities

ECE 495 Project 3: Shocker Actuator Subsystem and Website Design. Group 1: One Awesome Engineering

HP 8970B Option 020. Service Manual Supplement

CTC Technology Readiness Levels

Software Test Plan (STP) Template

Atlas Emergency Detection System (EDS)

Road Vehicles - Diagnostic Systems

Recovery Management. Release Data: March 18, Prepared by: Thomas Bronack

Space Project Management

Designing VM2 Application Boards

What Is Regeneration?

Quest- 1 Satellite Functional Description

Electrical Circuit Theory

8-Bit Microcontroller with Flash. Application Note. Using a Personal Computer to Program the AT89C51/C52/LV51/LV52/C1051/C2051

Artur Scholz University of Applied Sciences Aachen, Germany

Basic circuit troubleshooting

DATA REQUIREMENTS DESCRIPTION (DRD)

Allen-Bradley HP AC Line Filter Kit

KUMU A O CUBESAT: ELECTRICAL POWER SUBSYSTEM. Jordan S. Torres Department of Electrical Engineering University of Hawai i at Mānoa Honolulu, HI 96822

Position Classification Standard for Management and Program Clerical and Assistance Series, GS-0344

Space project management

Integrating System Safety and Software Assurance

Hardware safety integrity Guideline

10-3. SYSTEM TESTING AND DOCUMENTATION

MIDECO 64-outputs MIDI note decoder USER MANUAL. Roman Sowa 2012

How can you support RIDM/CRM/RM through the use of Risk Analysis

VEHICLE SPEED CONTROL SYSTEM

Global Motion Technology Inc Web THCSA200. Capacitive sensor plasma & Oxy-fuel Torch Height Control

3.4.4 Description of risk management plan Unofficial Translation Only the Thai version of the text is legally binding.

Zenith Controls ISO R-1000C 5/99

Digi-Motor Installation Guide

6500m HOV Project Stage 1: A-4500 HOV

MWA Project. Configuration Management Plan

OPERATION MANUAL VALVE CHECKER G

Final Report Bid Evaluation and Selection Process For Wind-Generated Electricity Hydro-Quebec Distribution Call For Tenders Process.

EDK 350 (868 MHz) EDK 350U (902 MHz) EnOcean Developer Kit

Meritor WABCO Pneumatic Antilock Braking System (ABS) 42.22

INSTALLATION INSTRUCTIONS

Security Systems Intrusion Alarm

Bluetooth + USB 16 Servo Controller [RKI-1005 & RKI-1205]

Operating Precautions: User configuration options:

ADB Airfield Solutions Runway Guard Light System Operation

CITY OF BLAINE REQUEST FOR PROPOSAL IP TELEPHONY SYSTEMS CONSULTANT

CHAPTER 11: Flip Flops

Six-servo Robot Arm. DAGU Hi-Tech Electronic Co., LTD Six-servo Robot Arm

Safety Function: Door Monitoring

System Requirements Specification (SRS) (Subsystem and Version #)

High Voltage (HV) Electricity System Safety Rules and Associated Safety Guidance

763XXX Timing Analysis, Critical Path Method (CPM) Project Schedule

Gates, Circuits, and Boolean Algebra

Failure Analysis Methods What, Why and How. MEEG 466 Special Topics in Design Jim Glancey Spring, 2006

A System-safety process for by-wire automotive systems

Session 4. System Engineering Management. Session Speaker : Dr. Govind R. Kadambi. M S Ramaiah School of Advanced Studies 1

4E2 Electronic and Electrical Engineering Project. Assist. Prof. Nicola Marchetti As agreed with Coordinator

System Development and Life-Cycle Management (SDLCM) Methodology

Exhibit F. VA CAI - Staff Aug Job Titles and Descriptions Effective 2015

STANDARDIZED WORK 2ND SESSION. Art of Lean, Inc. 1

Objectives: Part 1: Build a simple power supply. CS99S Laboratory 1

Failure Modes, Effects and Diagnostic Analysis

Calculating Total Power Requirements for Data Centers

USER GUIDE Programming Adapter Cable for Fujitsu Flash Microcontroller- F²MC-16LX/FR Family Fujitsu Microelectronics America, Inc.

MSAN-001 X-Band Microwave Motion Sensor Module Application Note

ALS Configuration Management Plan. Nuclear Safety Related

SSPI-APPN OTES: PARALLEL C ONNECTIONS

Data quality and metadata

The Need for a Systems Engineering Approach For Measuring and Predicting the Degradation of Aging Systems And How It Can Be Achieved

Description of the AAU satellite Project. CubeSat Concept. Financing. Organization

Quick Start Guide for High Voltage Solar Inverter DC-AC Board EVM. Version 1.3

GPS & GSM BASED REAL-TIME VEHICLE TRACKING SYSTEM.

Transcription:

FLIGHT ASSURANCE PROCEDURE Page 1 of 10 1.0 PURPOSE This procedure establishes guidelines for conducting a Failure Modes and Effects Analysis (FMEA) on GSFC spacecraft and instruments. 2.0 REFERENCE a. NHB 5300.4 Reliability Program Requirements for Aeronautical and Space System Contractors b. CR 5230.9 Payload and Experiment Failure Model and Effects Analysis and Critical Items List Groundrules c. MIL-STD 1629 Procedures for Performing a Failure Modes, Effects, and Criticality Analysis 3.0 DEFINITIONS a. Failure Mode - A particular way in which an item fails, independent of the reason for failure. b. Failure Mode and Effects Analysis (FMEA) - A procedure by which each credible failure mode of each item from a low indenture level to the highest is analyzed to determine the effects on the system and to classify each potential failure mode in accordance with the severity of its effect. c. Indenture Levels - The hierarchy of hardware levels from the part to the component to the subsystem to the system, etc. d. Redundancy - More than one independent means of performing a function. There are different kinds of redundancy, including: (1) Operational - Redundant items, all of which are energized during the operating cycle; includes load-sharing, wherein redundant items are connected in a manner such that upon failure of one item, the other will continue to perform the function. It is not necessary to switch out the failed item or switch in the redundant one.

FLIGHT ASSURANCE PROCEDURE Page 2 of 10 3.0 DEFINITIONS (cont.) 4.0 SCOPE (2) Standby - Items that are inoperative (have no power applied) until they are switched in upon failure of the primary item. (3) Like Redundancy - Identical items performing the same function. (4) Unlike Redundancy - Nonidentical items performing the same function. Typical ground rules for an FMEA are given along with an overview of the technique, principal, step-by-step instructions, sample work sheets, and work sheet data entries. Specific projects must, of course, add to, delete and otherwise tailor the procedures to conform with their needs, objectives, and contractual requirements. That is particularly true of safety issues or workaround operational methods. Although software analysis is outside the scope of an FMEA, the effects of failure modes at both software and hardware-software interfaces are included. 5.0 INSTRUCTIONS 5.1 GENERAL 5.1.1 Objective of the FMEA The objective of an FMEA is to identify the way failures could occur (failure modes) and the consequences of the failures on spacecraft performance (failure effect) and the consequences on mission objectives (severity assignment). It is based on the usual case on which failure effects, which are expressed at the system level, are caused by failure modes at lower hardware levels. The procedure herein, does not quantify the probability for failure occurrence; rather a qualitative assessment of the failure effect is gained by assigning the failure mode to a severity category.

FLIGHT ASSURANCE PROCEDURE Page 3 of 10 The results of the analysis are used to improve system performance by initiating corrective action, usually design changes; they are also useful in focusing product assurance procedures and identifying operational constraints. The FMEA is updated as necessary to include design changes and operational revisions. 5.1.2 Methodology 5.1.3 Timing A bottom-up methodology, the FMEA is initiated by selecting the hardware at the lowest level of interest (e.g., component module, circuit, part). The various failure modes that can occur for each item at that level are tabulated. The corresponding failure effect, in turn, is interpreted as a failure mode at the next higher functional level. Successive iterations result ultimately in identification of the failure effects up to the highest system level. It is a process of inductive synthesis. The effectiveness of the FMEA in the design process is dependent upon its early use in the identification of problems and the communication of the information gained to project personnel who can initiate changes before design becomes fixed. Therefore, the FMEA should be initiated as soon as preliminary design information is avai lable and then applied at greater depth as the design takes shape. 5.1.4 Preliminary Subsystem Analysis During the conceptual phase of system development, when design information is limited to block diagrams, a functional approach is appropriate for identifying design problems. Failures are postulated for the major subsystems (the subsystems can also be broken down into lower-level blocks). The effects are assessed, and conceptual design changes are made as necessary. The identified failures are assigned to a severity category (defined in 5.1.8) with emphasis given to catastrophic and critical failures for which possible workaround procedures can be planned. 5.1.5 Detailed Hardware Analysis Detailed hardware analysis is conducted when hardware items, signal lines, and power lines have been assigned. Using schematics and assembly drawings, failure modes are

FLIGHT ASSURANCE PROCEDURE Page 4 of 10 postulated and their effects assessed. The failure modes are defined at the component interface, based on knowledge of the internal design and the effects are assessed at the component level are upward to higher hardware levels of assembly. The hardware level at which analysis begins is included in the project s Statement of Work, which usually requires analysis to the component level. The analysis is often extended to the part level as needed; that is especially true for safety considerations. At the part level, failure modes are defined for the parts within a component and the effect is assessed at the component interface. 5.1.6 Failure Modes All the ways that a failure may occur at the har dware indenture level are identified. All probable, possible, or credible modes of failure are postulated; they include failure mechanisms that have been observed historically and whose mechanisms have been described in accordance with sound engineering reasoning. The identification of the failure modes is based on a knowledge of the component, functional specifications, interface requirements, schematics, or failure modes of the piece parts associated with the interface. Failure modes at interfaces typically involve electrical connectors. Failures within the unit appear as short to ground, short to a voltage or open, for both signal and power lines. The analysis is for the purpose of detecting potential interface failures o riginating within the unit; the failure modes internal to the connectors are not considered. Although it is not necessary to understand circuitry adjacent to connectors in order to identify a generic set of failure modes, such an understanding will help rule out certain failure modes and thereby reduce the amount of analytical work that has to be done. 5.1.6.1 Failure modes that occur within a unit, be it electrical or mechanical, are manifested at the interface by one of the following failure conditions: a. Premature operation, b. Failure to operate at a prescribed time,

FLIGHT ASSURANCE PROCEDURE Page 5 of 10 c. Failure to cease operation when required. d. Failure during operation. 5.1.7 The Hardware-Software Interface Although software analysis is outside the scope of an FMEA, the hardware-software interfaces are examined from two perspectives: a. Failures of the hardware that result in improper or lack of response to the software. b. Failures in the software that affect hardware operations. The results are brought to the attention of software designers and analysts for their consideration and possible corrective action. Examples of failures in the software that affect hardware operation follow: a. Commands are too early. b. Commands are too late. c. Failure to command. d. Commands erroneously. 5.1.8 Failure Effect Severity Categories To provide a qualitative measure of the failure effect, each failure mode is assigned to a severity category. Safety issues and impact to other systems or property are reflected in the selection of the severity category. The failure effect is assessed first at the hardware level being analyzed, then the next higher level, the subsystem level, and so on to the system or mission level. In selecting the severity category, the worst case consequence, considering all levels, are assumed for the failure mode and effect being analyzed. Severity categories are defined below. Specific projects may require expanded definitions depending, for example, on the amount of degradation that is allowable in the return of scientific data.

FLIGHT ASSURANCE PROCEDURE Page 6 of 10 a. Category 1, Catastrophic - Failure modes that could result in serious injury or loss of life, or damage to the launch vehicle. b. Category 1R, Catastrophic - Failure modes of identical or equivalent redundant hardware items that, if all failed, could result in Category 1 effects. c. Category 2, Critical - Failure modes that could result in loss of one or more mission objectives as defined by the GSFC project office. d. Category 2R, Critical - Failure modes of identical or equivalent redundant hardware items that could result in Category 2 effects if all failed. e. Category 3, Significant - Failure modes that could cause degradation to mission objectives. f. Category 4, Minor - Failure modes that could result in insignificant or no loss to mission objectives. 5.1.9 Ground Rules and Assumptions The ground rules off each FMEA include a set of projectselected procedures; the assumptions on which the analysis is based; the hardware that has been included and excluded from the analysis and the rationale for the exclusions. The ground rules also describe the indenture level of the analysis, the basic hardware status, and the criteria for system and mission success. Every effort should be made to define all ground rules before the FMEA begins; however, the ground rules may be expanded and clarified as the analysis proceeds. A typical set of ground rules (assumptions) follows: a. Only one failure mode exists at a time. b. All inputs (including software commands) to the item being analyzed are present and at nominal values. c. All consumables are present in sufficient quantities. d. Nominal power is available.

FLIGHT ASSURANCE PROCEDURE Page 7 of 10 e. All mission phases are considered in the analysis; mission phases that prove inapplicable may be omitted. f. Connector failure modes are limited to: connector disconnect. g. Special emphasis will be directed towards identification of single failures that could cause loss of two or more redundant paths. 5.2 THE FMEA PROCESS The following paragraphs present a typical procedure for conducting an FMEA. The sample series of tasks can be modified in keeping with the space project s operational requirements and mission concerns. The procedure is summarized in Figure 1 and as follows: 5.2.1 Define the system to be analyzed. A complete system definition includes identification of internal and interface functions, expected performance at all indenture levels, system restraints, and failure definitions. Also state systems and mission phases not analyzed giving rationale for the omissions. 5.2.2 Indicate the depth of t he analysis by identifying the indenture level at which the analysis is begun. 5.2.3 Identify specific design requirements that are to be verified by the FMEA. 5.2.4 Define ground rules and assumptions on which the analysis is based. Identify mission phases to be analyzed and the status of equipment during each mission phase. 5.2.5 Obtain or construct functional and reliability block diagrams indicating interrelationships of functional groups, system operation, independent data channels, and backup or workaround features of the system. 5.2.6 Identify failure modes, effects, failure detection and workaround features and other pertinent information on the worksheet. 5.2.7 Evaluate the severity of each failure effect in ac cordance with the prescribed severity categories.

FLIGHT ASSURANCE PROCEDURE Page 8 of 10 5.2.8 Identify hardware designs (or operations) that are candidates for corrective action and recommend specific corrective measures. 5.2.9 Document the analysis and summarize the results. 5.3 ANALYZING EACH FAILURE MODE The FMEA tasks listed in 5.2 are performed once for each analysis. Tasks 5.2.6 and 5.2.7 are performed once for each failure mode. The sample procedure for analyzing each failure mode is as follows: 5.3.1 Select part or interface circuit for analysis. 5.3.2 Identify item R1, C1, C2, or J05 pin 1, etc. 5.3.3 Postulate a single failure, including mode of failure. 5.3.4 From knowledge of part/circuitry, identify a possible cause of failure. 5.3.5 From knowledge of circuit performance in the presence of the postulated failure, assess the local effect. 5.3.6 Assess the failure effect at the next higher level and upward to the highest system level of interest, i.e., the mission. 5.3.7 Assign a severity category in accordance with definitions in paragraph 3.5. 5.3.8 Provide remarks on how the failure would be detected and what action could be taken to restore operation. If not detectable, so state. 5.3.9 Provide remarks on application of redundancy reconfiguration to workaround a failure, or any other relevant information. 5.4 FILLING OUT THE WORKSHEET Figure 2 presents a sample worksheet form that is used to compile the results of the FMEA. Sample entries are included. Wording should be brief and clear. Acronyms and abbreviations may be used providing they appear on the space project s acronym list. The Header Items are illustrated by

FLIGHT ASSURANCE PROCEDURE Page 9 of 10 Figure 2, but an explanation is given below for each column entry. The following is the minimum information that should be entered. 5.4.1 Worksheet Line Item Information Failure Mode Number - Unique identifier for each failure mode evaluated. Enter in numerical order. Identification of Item/Function - For functional analysis, enter a concern description of the function performed. For a hardware analysis, enter unique identifier, i.e., nomenclature, drawing/schematic refe rence designator, or block diagram identifier. If possible, use identifiers that are consistent with program usage. a. Failure Mode; b. Failure Cause - Identify the specific failure mode after considering the four basic failure conditions below: 1. Unscheduled operation. 2. Failure to operate when required. 3. Failure to cease operations when required. 4. Failure during operation. For each application hardware failure mode, list the major cause(s), e.g., separated connector, capacitor short, capacitor open, resistor short to ground, resistor short to voltage. Failure Effects - List failure effect for each of the hardware levels being considered. List in column by a, b, c, as below: a. Local Level - Enter a brief description of the failure effect at the subdivision level being analyzed. b. Next Higher Level - Enter the failure effect at the hardware level above the level of the analysis. c. System or Mission Level - Enter the effect of the failure mode on the mission. (If the failure has no effect, enter none.) Severity Category - Assign a severity category number (see paragraph 5.1.8 for definition).

FLIGHT ASSURANCE PROCEDURE Page 10 of 10 Remarks - Enter any pertinent information, references or comments. Specifically enter: a. How the failure would be detected in the data. b. Redundant or work around features of the design. 5.5 THE FMEA REPORT Preliminary or interim reports are usually made available for each design review. An analysis of the system at the functional level should be ready for the Preliminary Design Review. Interim reports should contain all failure modes and identified problem areas with the proposed corrective actions. Following are the major topics covered in the final report: a. Detailed description of system with reliability block diagrams. b. The indentured levels analyzed. c. Summary of the results. d. Summary of ground rules and assumptions. e. Identification and discussion of the failure modes that are potential problem areas. f. List of items exempted from the FMEA a nd the rationale for exemption. g. Worksheets arranged from system level to the lowest unit analyzed

DefineSystem andrequirements DefineHardware SubdivisionLevel foranalysis IdentifyDesign Requirements tobeverified CompleteWorkSheets -FailureModes -Failureeffects -SeverityClassification -CorrectiveMeasures ObtainFunctional& ReliabilityBlock Diagrams DefineGroundRules Assumptions&Mission Phases IdentifyProblem Areas Recommend Corrective Action Documentthe Analysis Figure1. FMEAFlowDiagram

Mission System Subsystem/Instrument Component MissionPhase DTF -1 FTS 3.13 Wrist Actuator Orbit Figure2. FAILUREMODEANDEFFECTSANALYSIS Date Preparedby Approvedby 8-10-96 Ron Smith RHB Failure Mode Number Identificationof Itemor Function a.failuremode b.failurecause FailureEffects a.localorsubsystem bnexthigher Level-System c.endeffect-mission Severity Category Remarks a.failuredetectionmethod b.compensatingfeatures/action c.other 3.13.6 Wrist actuator,roll provides motion in roll(x) axis a. Lossof motorcontrol b.partfailure in motordrive circuit a. Lossofwristroll motion and torque b. Cannot continue FTStask and mission c.none at Orbiter mission 2R a. Position sensor& torque sensordisplayed at DAC b. Backup hardware to put arminsafe position. Good arm can put arm insafe position.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information