Design

Practice: Derate applied stress levels for electrical, electronic, and electromechanical (EEE) part characteristics and parameters with respect to the maximum stress level ratings of the part. The allowed stress levels are established as the maximum levels in circuit applications.

Benefits: Derating lowers the probability of failures occurring during assembly, test, and flight. Decreasing mechanical, thermal, and electrical stresses lowers the possibility of degradation or catastrophic failure.

Practice: Thoroughly test high-voltage power supply packaging on flight configured engineering models, in a simulated spaceflight environment, to evaluate corona effects.

Benefits: Process controls on design, manufacturing, and testing operations reduce component failure rates and improve reliability. The goal is production of power supplies that will operate in space for the mission duration.

Practice: Use Class S and Grade 1 or equivalent parts in all applications requiring high-reliability or long life to yield the lowest possible failure rates.

Benefits: Low parts failure rates in typical circuit applications result in significant system reliability enhancement. For space systems involving serviceability, the mean-time-between-failure (MTBF) is greatly extended, which significantly reduces maintenance requirements and crew time demands.

Practice: Maintain part junction temperatures during flight below 60°C. (Short-term mission excursions associated with transient mission events are permissible.)

Benefit: Reliability is greatly increased because the failure rate is directly related to the long-term flight temperature.

Practice: Power line filters are designed into power lines (power buses) at the inputs to payloads, instruments, subsystems, and components.

Benefits: Power line filters minimize the flow of conducted noise currents on power buses emanating from hardware that could interfere with the proper operation of other hardware also operating on the same power buses. Additionally, power-line filters minimize the flow of noise currents on power buses into hardware that could interfere with the proper operation of that hardware.

Practice: Design flight subsystems with low residual dipole magnetic fields to maintain the spacecraft’s total static and dynamic magnetic fields within science requirements.

Benefit: Provides for a magnetically clean spacecraft, which increases the quality and accuracy of interplanetary and planetary magnetic field data gathered during the mission.

Practice: Provide protection against electrostatic charges, discharges, and lightning strikes by shielding and bonding space systems, structures, and their components in accordance with Standard Payload Assurance Requirements (SPAR-3) for GSFC Orbital Projects. This reliability practice does not cover Electrostatic Discharge (ESD) control due to an energetic, space plasma environment.

Benefit: The Earth’s space environment (geospace) is uniquely comprised of dynamic and complex regions of interacting plasmas, ionized particles, magnetic fields, and electrical currents. Proper grounding/bonding of the space vehicle’s shell and its electronic equipment can provide protection against lightning strikes in geospace, and also can eliminate or control most of its internal electrical and electrostatic hazards. This results in lower failure rates and significant reliability and safety enhancement of space systems and space vehicles.

Practice: Design primary and secondary structural components to accommodate loads which include steady-state, transient dynamic, and vibroacoustic contributions at liftoff.

Benefit: The probability of structural failure during launch and landing is significantly reduced.

Practice: Design all circuits to perform within defined tolerance limits over a given mission lifetime while experiencing the worst possible variations of electronic piece parts and environments.

Benefit: The probability of mission success is maximized by assuring that all assemblies meet their mission electrical performance requirements at all times.

Practice: All wiring harnesses, cables, and wires on payloads, instruments, subsystems, and components are well shielded, including the use of connector types that provide tight EMI back shells or other means for attaching shields. This practice assumes that all efforts have been made to develop a design which requires minimum shielding.

Benefit: High-performance shielding on wiring harnesses, cables and wires minimizes radiated emissions from hardware that could be picked up by itself or other hardware and interfere with proper operation. Shielding also minimizes the sensitivity of hardware to radiated emissions, from itself or other hardware, that could interfere with proper operation.

Practice: Electrical grounding procedures must adhere to a proven set of requirements and design approaches to produce safe and trouble-free electrical and electronic circuits. Proper grounding is fundamental for reliable electronic circuits.

Benefits: Grounding procedures used in the design and assembly of electrical and electronic systems will protect personnel and circuits from hazardous currents and damaging fault conditions. Benefits are prevention of potential damage to delicate spaceflight systems, subsystems and components, and protection of development, operations, and maintenance personnel.

Practice: Conduct a formal preliminary design review (PDR) at the system and subsystem levels prior to the start of subsystem detail design, to assure that the proposed design and associated implementation approach will satisfy the system and subsystem functional requirements.

Benefits: The PDR will provide for increased assurance that the proposed design approach, and the manufacturing and test implementation plans, will result in an acceptable product, with minimal project risk.

Practice: A Hardware Review/Certification Requirement (HR/CR) Review is conducted prior to the delivery of flight hardware and associated software to evaluate and certify that the hardware is ready for delivery and that it is acceptable for integration with the spacecraft.

Benefit: The HR/CR provides a structured review process for assessing the status of flight hardware and screening for unresolved defects prior to delivery for integration.

Practice: Conduct a formal Critical Design Review (CDR) of hardware, software, and firmware at the subsystem and system levels. Schedule the review prior to the start of subsystem fabrication and assembly to assure that the design solutions satisfy the performance requirements established in the development specifications. Establish this review as a standard reliability engineering practice for flight hardware.

Benefits: The CDR provides increased assurance that the proposed design, and the planned manufacturing and test methods and procedures, will result in an acceptable product, with minimal project risk.

Practice: Conduct technical reviews to validate engineering designs using a common, consistent approach which has been proven to lead to reliable and quality products. A technical review is an evaluation of the engineering status of products and processes by an independent group of knowledgeable people. Although major technical reviews for a project differ in their content and timing, there are practices common to most reviews which may be defined to assure review success. These practices provide a common framework for planning, conducting, documenting, and evaluating the review process.

Benefits: Standards established for common review methods are presently supporting reliability assurance by emphasizing early detection and correction of deficiencies through the increased use of working level, peer reviews (detailed technical reviews) in preparation for major design reviews. The standards also assure that reviews are scaled in accordance with criticality, complexity, and risk, and that the review process is optimized to produce results of value to the mission.

Practice: Prior to shipment of hardware or software, conduct a preship review at the completion of the fabrication or build and testing of the item to be shipped. This review is scheduled as part of the overall technical review program as defined in a project review plan. Preship review is held at the supplier or NASA facility where the item was made and tested.

Benefits: Preship review ensures the completeness and readiness of each item of hardware and, if applicable, any associated software or firmware, prior to release for shipment to another facility. By imposing this requirement, any discrepancies or unresolved problems may be identified and corrected while the item remains under supplier purview. This review is beneficial because it provides an independent assessment of product readiness by knowledgeable people not directly involved in the fabrication and test activity.

Practice: Use active redundancy as a design option when development testing and reliability analysis show that a single component is not reliable enough to accomplish the function. Although active redundancy can be applied to various types of mechanical and electrical components and systems, the application detailed in this practice illustrates an approach using a traveling wave tube amplifier in a spaceflight application.

Benefits: Provides multiple ways of accomplishing a function to improve mission reliability.

Practice: The creation of reliable structural laminate composites for space applications requires precision design and manufacturing using an integrated, concurrent engineering approach. Since the final material characteristics are established at the same time the part or subassembly is fabricated, part design, fabrication development, and material characterization must proceed concurrently. Because composite materials are custom-tailored to meet structural requirements of the assembly, stringent in-process controls are required to arrive at a configuration with optimum physical and material properties.

Benefits: Conscientious adherence to proven procedures in the design, manufacture, and test of aerospace structural composites will result in low rejection rates and high product integrity. In specific applications, successful composite design provides design flexibility, increased strength to weight ratio, dimensional stability under thermal loading, light weight, ease of fabrication and installation, corrosion resistance, impact resistance, high fatigue strength (compared to metal structures with the same dimensions), and product simplicity when compared to conventional fabricated metal structures.

Practice: Use master gauges, tooling, jigs, and fixtures to transfer precise dimensions to ensure accurate mating of interfacing aerospace hardware. Calculate overall worst-case tolerances using the root sum square method of element tolerances when integrating multiple elements of aerospace hardware.

Benefits: Using prudent and carefully planned methods for specifying tolerances and for designing, manufacturing and mating major elements of aerospace hardware, will result in a cost-effective program with minimal rejects and waivers, and will avoid costly schedule delays due to potential mismatching or misfitting of major components and assemblies.

Practice: In those cases where spacecraft science requirements or attitude control systems impose constraints on the magnetic characteristics of components and the use of ferromagnetic material cannot be avoided, perform a complete demagnetization of the ferromagnetic parts, individually, prior to assembly.

Benefit: In an unassembled state, ferromagnetic parts can be exposed to stronger AC demagnetizing fields, as high as 60 mT (600 Gauss), thus assuring a lower level of remanent magnetization than can be achieved after the parts are mounted on assemblies. Attaining a low level of remanent magnetization minimizes the adverse effects of unwanted fields. In those cases where magnetic compensation may be required, the ability to apply high-level fields to an unmounted part enables the utilization of techniques to stabilize the magnetic moment of the part.

Practice: When selecting batteries for space flight applications, the following requirements should be considered: ampere-hour capacity, rechargeability, depth of discharge (DOD), lifetime, temperature environments, ruggedness, and weight. Many batteries have been qualified and used for space flight, enhancing the ease of selecting the right battery.

Benefits: Selection of the optimum battery for space flight applications results in a safe, effective, efficient, and economical power storage capability. The optimum battery also enhances launch operations, minimizes impacts to resources, supports contingency operations, and meets demand loads.

Practice: Control magnetic field disturbance of spacecraft systems by avoiding the use of components and subassemblies with significant magnetic dipole moments.

Benefit: Limits magnetic field interference at flight sensor positions and minimizes magnetic dipole moments that can increase magnetic torquing effects that place additional loads on attitude control systems.

Practice: Initially, the design requirements for each subsystem are established so that all nonfunctional emissions will be at least 9 dB below the emission specification limit.

Benefits: By initially selecting a 9-dB margin, the probability of complying with the electromagnetic compatibility (EMC) specification during system test is high.

Practice: Ensure that thermal design practices for electronic assemblies will meet the requirements of the combined ground and flight environmental conditions defined by the spacecraft mission. Special emphasis should be placed on limiting the junction temperature of all active components. Proper thermal design practices take into consideration the need for ease of operation and repairability to enhance overall system reliability. The environmental conditions that the spacecraft encounters, both on the ground and in flight, are designed to include adequate margin. The use of proper thermal design practices ensures that the assemblies will survive the expected environmental conditions.

Benefit: Constraining the electronic component junction temperature through proper design practices will ensure that the assemblies can withstand the mission’s environmental conditions.

Practice: This practice presents considerations that should be evaluated and applied concerning stress corrosion and subsequent crack propagation in mechanical devices, structural devices, and related components used in aerospace applications. Material selection, heat treat methods, fabrication methodology, testing regimes, and loading path assessments are presented as methods to reduce the potential for stress corrosion cracking (SCC) in a material’s operational environment.

Benefits: Selection of materials, heat-treating methods, fabrication methodologies, testing regimes, and loading paths that are not susceptible to stress corrosion cracking will promote fewer failures due to SCC and will eliminate downtime due to the change-out of components.

Practice: To produce high-quality, reliable software, use independent verification and validation (IV&V) in an independent, systematic evaluation process throughout the software life cycle. Using the IV&V process; locate, identify, and correct software problems and errors early in the development cycle.

Benefit: The use of IV&V processes ensures that computer software is developed in accordance with original specifications, that the software performs the functions satisfactorily in the operational mission environment for which it was designed, and that it does not perform unintended functions. Identification and correction of errors early in the development cycle are less costly than identification and correction of errors in later phases, and the quality and reliability of software are significantly improved.

Practice: Careful attention is given to the specific application of electric motors for aerospace applications when selecting motor type. The following factors are considered in electric motor design: application, environment, thermal, efficiency, weight, volume, life, complexity, torque, speed, torque ripple, power source, envelope, duty cycle, and controllability. Brushless direct current motors have been proven to be best all-around type of motors for aerospace applications because of their long life, high torque, high efficiency, and low heat dissipation.

Benefit: Selection of the optimum electric motor for spaceflight operations results in a safe, reliable, effective, efficient, and economical electric motor power source for spaceflight. Brushless direct current motors provide the lightest-weight alternative for most applications.

Practice: Use design management improvements such as matrix methods, quality techniques, and life cycle cost analyses in a systematic approach to systems analysis.

Benefit: The use of advanced design management methods in each program phase of major launch vehicle developments will maximize reliability and minimize cost overruns. Significant improvements in user satisfaction, error-free performance, and operational effectiveness can be achieved through the use of these methods.

Practice: Implement lightning survivability in the design of launch vehicles to avoid lightning-induced failures.

Benefits: Experience learned from the Atlas/Centaur and Space Shuttle flights serve to emphasize the importance of the implementation of the proper protection/design enhancements to avoid and survive natural or triggered lightning for all launches.

Practice: Apply a contamination control program to those spacecraft projects involving scientific instruments that have stringent cleanliness level requirements.

Benefits: This practice enables spacecraft to meet these stringent cleanliness level requirements of state-of-the-art scientific instruments. It also serves to maintain the inherent efficiency and reliability of the instrument by minimizing degradation of critical surfaces and sensors due to undesired condensation of molecular and accumulation of particulate contamination layers.

Practice: Use highest-reliability EEE parts available, consistent with functional requirements, program cost, and schedule constraints, for spaceflight systems.

Benefit: One of the most important considerations in designing reliable flight hardware is selection and use of the highest-quality possible components. Proper selection, application, and testing of EEE components will generally contribute to mission success and provide long-term program cost savings. An effective EEE parts program has helped many projects in achieving optimum safety, reliability, maintainability, on-time delivery, and performance of program hardware. The resulting reduction in parts and part-related failures saves program resources through decreased failure investigation and maintenance costs.

Practice: Design and fabricate spaceflight electrical harnesses to meet the minimum requirements of the GSFC Design and Manufacturing Standard for Electrical Harnesses.

Benefit: Designing and testing flight harnesses in accordance with the requirements of the GSFC Design and Manufacturing Standard for Electrical Harnesses enhances the probability of mission success (reliability) by ensuring that harnesses meet high standards of quality as well as the electrical and environmental requirements of spaceflight missions. The occurrence of early failures is minimized.

Practice: Select and apply thermal coatings for control of spacecraft and scientific instrument temperatures within required ranges and for control of spacecraft charging and RF emissions.

Benefit: This practice enhances the probability of mission success by controlling temperatures of flight hardware as well as spacecraft charging and RF emissions over the life of the mission.

Practice: Initiate the preparation of critical items lists (CILs) early in programs to identify and potentially eliminate critical items before the design is frozen and as an input to hardware and software design, testing, and inspection planning activities. Utilize CILs during the operational portion of the life cycle to manage failures and ensure mission success.

Benefits: Early identification, tracking, and control of critical items through the preparation, implementation, and maintenance of CILs will provide valuable inputs to a design, development, and production program. From the CIL activity, critical design features, tests, inspection points, and procedures can be identified and implemented that will minimize the probability of failure of a mission or loss of life.

Practice: Use preplanned contamination budgeting for each manufacturing/assembly, testing, shipping, launch, and flight operation and meticulously test optical systems using witness samples throughout the process to track actual contamination against total and incremental allocations.

Benefit: Budgeting of a specific amount of the established allowable contamination to the major elements and operations during fabrication, assembly, testing, transportation launch support, and launch, and on-orbit operations of space optical systems will preclude jeopardizing the scientific objectives of the mission. Budgeting of contamination to major elements will ensure that the cleanliness of the optics and instruments will remain within designated optical requirements for operations in space. Reliability of the scientific objectives is increased by limiting the contamination allowed to the optical systems during each operation, which ensures that contamination during orbital operations is within specification.

Practice: Fault protection is the use of cooperative design of flight and ground elements (including hardware, software, procedures, etc.) to detect and respond to perceived spacecraft faults. Its purpose is to eliminate single point failures or their effects and to ensure spacecraft system integrity under anomalous conditions.

Benefits: Fault-protection design maximizes the probability of spacecraft mission success by avoiding possible single failure points through the use of autonomous, short-term compensation for failed hardware.

Practice: Minimize the adverse effects of electrostatic discharge (ESD) on spacecraft by implementing the following three design practices:

1. Make all external surfaces of the spacecraft electrically conductive and grounded to the main structure.

2. Provide all internal metallic elements and other conductive elements with an “ESD conductive” path to the main structure.

3. Enclose all sensitive circuitry in an electrically conductive enclosure–a “Faraday cage.”

Benefit: The first two practices should dissipate most electric charges before a difference in potential can become high enough to cause an ESD. If a discharge occurs, the third practice lowers the coupling to sensitive circuits, reducing the probability or severity of the interference.

Practice: Magnetic dipole allocation is an empirical method for initiating control of spacecraft magnetic contamination. The practice is necessary for missions which incorporate instruments to measure low-level magnetic fields.

Benefit: Control of the net magnetic dipole of the spacecraft will assure the integrity of magnetic field measurements made during the mission. Measurement of the individual contributions from various assemblies, subassemblies, and components allows the identification of the major dipole sources. The major contributors can then be evaluated for corrective action, and they can be monitored individually to ensure that they are at the lowest level of magnetization at the time of installation on the spacecraft.

Practice: Incorporate hardware and software features in the design of spacecraft equipment which tolerate the effects of minor failures and minimize switching from the primary to the secondary string. This increases the potential availability and reliability of the primary string.

Benefits: Fault tolerant design provides a means to achieve a balanced project risk where the cost of failure protection is commensurate with the program resources and the mission criticality of the equipment. By providing compensation for potential hardware failures, a fault-tolerant design approach may achieve reliability objectives without recourse to nonoptimized redundancy or overdesign.

Practice: Develop a spacecraft lessons learned file (LLF), a quick, but formal record of significant occurrences during design, implementation, and operation of spacecraft and support equipment. Provide fast and convenient traceability for knowledge capture of significant events to guide future spacecraft managers and engineers in recognizing and avoiding critical design problems. Maintain the system as a living problem-avoidance database for all flight project activities.

Benefits: The spacecraft LLF is a quick-reference document that preserves the NASA knowledge base, providing engineers and scientists with brief summaries of meaningful events that offer valuable lessons. Within the LLF, lessons of interest can be accessed through a keyword search, with more detailed information accessible from the referenced problem/failure report or alert documentation. The LLF serves as a repository of valuable information, including lessons that were learned at great expense, which would otherwise be lost following personnel turnover. The JPL LLF activity is performed in coordination with the NASA headquarters LLF program.

Practice: Use a standard SDS in spacecraft where possible that utilizes a standard data bus and spaceflight-qualified versions of widely used hardware and operating software systems.

Benefit: This practice enhances reliability of the SDS and the probability of mission success by simplifying the design and operation of the SDS system and providing capability to work around spacecraft and instrument problems.

Practice: Apply an electrostatic discharge (ESD) control program to all spaceflight projects to ensure that ESD-susceptible hardware is protected from damage due to ESD.

Benefit: This ESD control practice significantly enhances mission reliability by protecting susceptible flight and critical flight-support electronic parts and related hardware from damage or degradation caused by ESD and induction polarization charge (IPC) during the prelaunch phases of the mission.

Practice: A formal procedure is followed in the reporting and documentation of problems/failures occurring during test, prelaunch operations, and launch operations for both hardware and software. A separate system, the “spacecraft orbital anomaly report (SOAR),” is used for the reporting, evaluation, and correction of problems occurring on-orbit (see Practice No. PD-ED-1232).

Benefit: This practice significantly enhances the probability of mission success by ensuring that problems/failures occurring during ground test are properly identified, documented, assessed, tracked, and corrected in a controlled and approved manner. Another benefit of the PFR procedure is to provide data on problem/failure trends. Trend data may then be analyzed so that errors are not repeated on future hardware and software.

Practice: Instrumentation systems and related sensors (transducers), particularly those designed for use in reusable and refurbishable launch systems and subsystems, are analyzed, designed, fabricated and tested with meticulous care in order to ensure system and subsystem reliability.

Benefits: The benefits of implementing these reliability practices for instrumentation system and related sensors are (1) consistent performance and measurement results, (2) minimum need for continuous or periodic calibration, (3) avoidance of and resistance to contamination, and (4) reduced necessity for repair or replacement in repeated usage.

Practice: A closed-loop problem (or failure) reporting and corrective action system (PRACAS or FRACAS) is implemented to obtain feedback about the operation of ground support equipment used for the manned spaceflight program.

Benefits: The information provided by PRACAS allows areas in possible need of improvement to be highlighted to engineering for development of a corrective action, if deemed necessary. With this system in place in the early phases of a program, means are provided for early elimination of the causes of failures. This contributes to reliability growth and customer satisfaction. The system also allows trending data to be collected for systems that are in place. Trend analysis may show areas in need of design or operational changes.

Practice: During system design, choose electronic components/devices that will provide maximum failure tolerance from space radiation effects. The information below provides guidance in selection of radiation hardened (rad-hard) solid state devices and microcircuits for use in space vehicles which operate in low-Earth orbits.

Benefit: This practice provides enhanced reliability and availability as well as improved chances for mission success. Failure rates due to space radiation effects will be significantly lower, and thus system downtime will be much lower, saving program cost and resources.

Practice: Impose an acoustic noise requirement on spacecraft hardware design to ensure the structural integrity of the vehicle and its components in the vibroacoustic launch environment. Acoustic noise results from the propagation of sound pressure waves through air or other media. During the launch of a rocket, such noise is generated by the release of high-velocity engine exhaust gases, by the resonant motion of internal engine components, and by the aerodynamic flow field associated with high-speed vehicle movement through the atmosphere. This environment places severe stress on flight hardware and has been shown to severely impact subsystem reliability.

Practice: Design spacecraft hardware assemblies with the required radiation design margin (RDM) to ensure that they can withstand ionization effects and displacement damage resulting from the flight radiation environment. The term “margin” does not imply a known factor of safety, but rather accommodates the uncertainty in the radiation susceptibility predictions. The reliability requirement to survive for a period of time in the anticipated mission radiation environment is a spacecraft design driver.

Benefits: The RDM requirement is imposed on assemblies or subsystems to ensure reliable operation and to minimize the risk, especially in mission-critical applications. The general use of an RDM connotes action to overcome the inevitable uncertainties in environmental calculations and part radiation hardness determinations.

Practice: Reliable design of spacecraft radios requires the analysis and test of hardware responses to spurious emissions which may degrade communications performance. Prior to hardware integration on the spacecraft, receivers and transmitters are tested to verify their compatibility with respect to emissions of conducted radio frequency (RF) signals and susceptibility to these signals. This reliability practice is applied to receivers and transmitters located in the same subsystem and to those installed in different subsystems on the same spacecraft. This early test to identify and resolve radio compatibility problems reduces the risk of uplink/downlink degradation which might threaten mission objectives.

Benefits: This practice validates the compatibility of spacecraft receivers and transmitters. If electromagnetic compatibility problems are identified early in radio design, solutions can be developed, implemented, and verified prior to the integration of the hardware on the spacecraft.

Practice: Conduct a formal design inheritance review at the system, subsystem, or assembly level prior to, or in conjunction with, the corresponding subsystem preliminary design review (PDR). The purpose of the inheritance review is to identify those actions which will be required to establish the compatibility of the proposed inherited design, and any inherited hardware or software, with the subsystem functional and design, requirements.

Benefit: Use of inherited flight hardware or software may reduce cost and allow a spacecraft designer to avoid the risk of launching unproven equipment. However, the designer often lacks full information on the many design decisions made during development, including some which may cause incompatibility with current spacecraft requirements. Subsystem inheritance review (SIR) probes inheritance issues to help ensure that the proposed inherited item will result in an acceptable and reliable product with minimal mission risk.

Practice: Contamination of space optical systems is controlled through the use of proper design techniques, selection of proper materials, hardware/component precleaning, and maintenance of cleanliness during assembly, testing, checkout, transportation, storage, launch, and on-orbit operations. These practices will improve reliability through avoidance of the primary sources of space optical systems particulate and molecular contamination.

Benefit: Controlling contamination of space optical systems limits the amount of particulate and molecular contamination which could cause performance degradation. Contamination causes diminished optical throughput, creates off-axis radiation scattering due to particle clouds, and increases mirror scattering. Controlling molecular contaminates minimizes performance degradation caused by the deposition of molecular contaminants on mirrors, optical sensors and critical surfaces; improves cost-effectiveness of mission results; and improves reliability.

Practice: This practice is for use by designers of battery-operated equipment flown on space vehicles. It provides such people with information on the design of battery-operated equipment to result in a design which is safe. Safe, in this practice, means safe for ground personnel and crew to handle and use; safe for use in the enclosed environment of a manned space vehicle and safe to be mounted in adjacent unpressurized spaces.

Benefit: There have been many requests by the space shuttle payload customers for a practice which describes all the hazards associated with the use of batteries in and on manned spaceflight vehicles. This practice is prepared for designers of battery-operated equipment so that designs can accommodate these hazard controls. This practice describes the process that a design engineer should consider in order to verify control of hazards to personnel and the equipment. Hazards to ground personnel who must handle battery-operated equipment are considered, as well as hazards to space crew and vehicles.

Practice: Develop performance-based reliability requirements by considering elements of system performance in terms of specific missions and events and by determining the requisite system reliability needed to achieve those missions and events.

Specify the requisite reliability in the system specifications in quantitative terms, along with recommended approaches to verify the requirements are met. Require the system provider to demonstrate adherence to the reliability requirements via analysis and test.

Benefits: Quantitative reliability requirements provide specific design goals and criteria for assuring that the system will meet the intended durability and life. Early in the design process, the system developer will be required to consider how the design will provide the requisite reliability characteristics and must provide analyses to verify that the delivered hardware will meet the requirements. Assessment of the early design’s ability to meet quantitative reliability requirements will support design trades, component selection, and maintainability design, and help ensure that appropriate material strengths are used as well as the appropriate levels and types of redundancy.

Analysis

Practice: Considering the natural environment, perform spacecraft charging analyses to determine that the energy that can be stored by each nonconductive surface is less than 3 mJ. Determine the feasibility of occurrence of electrostatic discharges (ESD). ESD should not be allowed to occur on surfaces near receivers/antenna operating at less than 8 GHz or on surfaces near sensitive circuits. For this practice to be effective, a test program to demonstrate the spacecraft’s immunity to a 3 mJ ESD is required.

Benefit: Surfaces that are conceivable ESD sources can be identified early in the program. Design changes such as application of a conductive coating and use of alternate materials can be implemented to eliminate or reduce the ESD risk. Preventive measures such as the installation of RC filters on sensitive circuits also can be implemented to control the adverse ESD effects.

Practice: Establish a mandatory closed-loop system for detailed, independent, and timely technical reviews of all analyses performed in support of the reliability/design process.

Benefit: This process of peer review serves to validate both the accuracy and the thoroughness of analyses. If performed in a timely fashion, it can correct design errors with minimal program impact.

Practice: Every part in an electrical design is subjected to a worst-case part stress analysis performed at the anticipated part temperature experienced during the assembly qualification test (typically 75°C). Every part must meet the project stress derating requirements or be accepted by a formal project waiver.

Benefit: Part failure rates are proportional to their applied electrical and thermal stresses. By predicting the stress through analysis, and applying conservative stresses, the probability of mission success can be greatly enhanced.

Practice: Problem/failure (P/F) reports are reviewed independently and approved by reliability engineering specialists to ensure objectivity and integrity in the closure process. This practice assures that the analysis realistically bounds the extent of the P/F, and the corrective action and its verification are successfully accomplished.

The key elements are:

1. Analysis must address the problem.

2. Corrective action must address the analysis and the problem.

3. Analysis must address the effect on other items.

4. Corrective action must have been implemented.

5. Item must have passed the gate that caused the P/F–the hardware/software must be successfully retested.

Benefit: Any independent review process increases the level of compliance of the subject process. It also broadens the scope and depth of experience available for each individual issue without the need for a large supporting staff at each supplier organization. Also, an in-place independent review structure improves the rate of data flow for a given level of effort.

Practice: Problem/failure (P/F) reports are assigned a two-factor set of ratings: a failure effect rating and a failure cause/corrective action rating. The composite rating is used to assess the hardware/software residual launch and mission risk. The high-risk P/F reports are labeled “red flag.”

Benefit: Risk rating enables management to focus on the issues with the highest probability of impacting mission success. Project management is provided with visibility to a concise subset (<5%) of a large information base focusing on the key problematic areas in a timely fashion.

Practice: Perform a piece part thermal analysis that includes all piece parts in support of the part stress analysis. Also include fatigue sensitive elements of the assembly such as interconnects (solder joints, bondlines, wirebonds, etc.).

Benefit: Allows the thermally overstressed parts to be identified and assessed for risk (instead of just the electrically overstressed parts). Allows the design life requirements of the thermal fatigue sensitive elements (solder joints, bondlines, wirebonds, etc.) to be quantified.

Practice: Analyze all systems to identify potential failure modes by using a systematic study starting at the piece part or circuit functional block level and working up through assemblies and subsystems. Require formal project acceptance of any residual system risk identified by this process.

Benefit: The FMECA process identifies mission critical failure modes and thereby precipitates formal acknowledgment of the risk to the project and provides an impetus for design alteration.

Practice: Network circuit analysis programs are valuable tools in the analysis of switching circuit transients which are capable of generating conducted and radiated electromagnetic interference (EMI). The analysis is performed to insure that disruptions or degradations due to EMI do not occur. EMI is capable of disrupting the normal operating environment of an electronic circuit or degrading the performance of such a circuit.

Benefits: Circuit analysis for the purpose of evaluating the conducted and radiated EMI from a switching circuit has resulted in the proper design of switching circuit electronics. The devices connected to electronic switching circuits will not be adversely affected by transient currents and associated radiated fields generated by such currents.

Practice: Modeling is utilized for the analysis of conducted and radiated electromagnetic interference (EMI) caused by an electrostatic discharge (ESD) event. The modeling requires the combined use of a SPICE, or other circuit analysis code and a wire antenna code based on the method of moments, and is primarily applicable to wires, cables, and connectors.

Benefit: The use of a combined SPICE circuit analysis code and a method of moments code for the study of possible conducted and radiated EMI resulting from an ESD event, allow the assessment of EMI noise coupling onto electronic circuit interfaces.

Practice: Unexpected interference in receivers can be avoided in a complex system of transmitters and receivers by performing an intermodulation analysis to identify and solve potential problems. Various emitters may be encountered during system test, launch, boost, separation and flight. There are a large number of these harmonics and intermodulation products from which potential sources of spurious radiated interferences are identified by a computer aided analysis and corrective measures evaluated.

Benefit: Spurious radiated interference can be identified and evaluated during the design phase of the project. Solutions can be proposed and implemented in the design phase with far less impact on cost and schedule than when changes are required later.

Practice: Use a multidisciplinary approach to investigations using fault-tree analysis for complex systems to derive maximum benefit from fault-tree methodology. Adhere to proven principles in the scheduling, generation, and recording of fault-tree analysis results.

Benefits: The use of the team approach to fault-tree analysis permits a rapid, intensive, and thorough investigation of space hardware and software anomalies. This approach is specifically applicable when the solution of engineering problems is urgent and when they must be resolved expeditiously to prevent further delays in program schedules. The systematic, focused, highly participative methodology permits quick and accurate identification, recording, and solution of problems. The resulting benefits of the use of this methodology are reduction of analysis time, and precision in identifying and correcting deficiencies. The ultimate result is improved overall system reliability and safety.

Practice: Use reliability predictions derived from block diagram analyses during the design phase of the hardware development life cycle to analyze design reliability; perform sensitivity analyses; investigate design tradeoffs; verify compliance with system-level requirements; and make design and operations decisions based on reliability analysis outputs, ground rules, and assumptions.

Benefit: Reliability block diagram (RBD) analyses enable design and product assurance engineers to (1) quantify the reliability of a system or function, (2) assess the level of failure tolerance achieved, (3) identify intersystem disconnects as well as areas of incomplete design definition, and (4) perform tradeoff studies to optimize reliability and cost within a program. Commercially available software tools can be used to automate the RBD assessment process, especially for reliability sensitivity analyses, thus allowing analyses to be performed more effectively and timely. These assessment methods can also pinpoint areas of concern within a system that might not be obvious otherwise and can aid the design activity in improving overall system performance.

Practice: Sneak circuit analysis is used in safety-critical systems to identify latent paths which cause the occurrence of unwanted functions or inhibit desired functions, assuming that all components are functioning properly. It is based upon the analysis of engineering and manufacturing documentation. Because of the high cost of a sneak circuit analysis, it should be conducted only in areas where there is a high potential for a hazard.

Benefit: Identification of sneak circuits in the design phase of a project prior to manufacture can improve reliability; eliminate costly redesign and schedule delays; and eliminate problems in test, launch, on-orbit, and protracted space operations. Sneak circuit analysis can also be beneficial in identifying drawing errors and design concerns.

Practice: Dielectric compositions used in such spacecraft materials as circuit boards, cable insulation and thermal blankets will build up an imbedded charge when exposed to a natural space environment featuring energetic electrons. If the electric field resulting from the imbedded charge exceeds the breakdown threshold for the dielectric, an arc will occur, damaging the dielectric and producing an electromagnetic pulse that can couple into subsystem electronics. Enhance hardware reliability in an energetic electron environment by conducting a materials inventory, resistivity analysis, and shielding assessment. Ascertain material susceptibility to deep dielectric charging and explosive discharge when the material:

1. Is exposed to an energetic electron flux exceeding 2×10⁵ electrons/(cm²-s), and

2. Achieves an imbedded charge density greater than a threshold of 10¹¹ electrons/cm².

Test

Practice: Implement a 100% nondestructive screening test on EEE parts prior to assembly, which would prevent early-life failures (generally referred to as infant mortality).

Benefits: A lower rework cost during manufacturing and lower incident of component failures during flight.

Practice: As a minimum, run eight thermal cycles over the approximate temperature range for hardware that cycles in flight over ranges greater than 20°C. The last three thermal cycles should be failure-free.

Benefit: Demonstrates readiness of the hardware to operate in the intended cyclic environment. Precipitates defects from design or manufacturing processes that could result in flight failures.

Practice: Use thermographic mapping methods to locate hot spots on operating PC boards.

Benefit: Quick find of electronic components operating at or above recommended temperatures. Also, this technique can validate the derating factors and thermal design via low cost testing versus analysis.

Practice: Perform thermal dwell test on protoflight hardware over the temperature range of +75°C/–20°C (applied at the thermal control/mounting surface or shear plate) for 24 hours at the cold end and 144 to 288 hours at the hot end.

Benefit: This test, coupled with rigorous design practices, provides high confidence that the hardware design is not marginal during its intended long life high reliability mission.

Practice: Supply power to electronic assemblies during vibration, acoustics, and pyroshock and monitor the electrical functions continuously while the excitation is applied.

Benefit: Aids in the detection of intermittent or incipient failures in electronic circuitry not otherwise found. This reliability practice benefits even those electronics not powered during launch.

Practice: Subject assemblies and the full-up flight system to swept sinusoidal vibration.

Benefit: Certain failures are not normally exposed by random vibration. Sinusoidal vibration permits greater displacement excitation of the test item in the lower frequencies.

Practice: Subject selected (large surface area, low mass) assemblies, in addition to the full-up flight system, to acoustic noise. It is imperative on missions with fixed launch windows that acoustic problems on assemblies not be deferred to system level tests.

Benefit: Acoustic noise tests subject potentially susceptible hardware to a significant launch environment, revealing design and workmanship inadequacies which might cause problems in flight.

Practice: Subject potentially sensitive flight assemblies that contain electronic equipment or mechanical devices, as well as entire flight systems, to pyrotechnic shock (pyroshock) as part of a development, acceptance, protoflight, or qualification test program. Perform visual inspection and functional verification testing before and after each pyroshock exposure. Where feasible, perform assembly-level and system-level pyroshock tests with the test article powered and operational to better detect intermittent failures.

Benefit: Early assembly-level pyroshock testing can often reduce the impacts of design and manufacturing/assembly deficiencies upon program cost and schedule prior to system-level test. Such testing can provide a test margin over flight pyroshock conditions which cannot be achieved in system testing. Conversely, system-level shock testing can be used to verify system performance under pyroshock exposure, thus providing increased confidence in mission success and verifying the adequacy of the assembly-level tests.

Practice: Perform all thermal environmental tests on electronic spaceflight hardware in a flight-like thermal vacuum environment (i.e., do not substitute an atmospheric pressure thermal test for the thermal/vacuum test). Moreover, if a compromise is thought to be necessary for nontechnical reasons, then an analysis is required to quantify the reduction in test demonstrated reliability.

Benefit: Assembly-level thermal vacuum testing is the most perceptive test for uncovering design deficiencies and workmanship flaws in spaceflight hardware. The margin beyond flight conditions is demonstrated, as is reliability. However, substituting an atmospheric pressure thermal test for the thermal/vacuum test can effectively reduce electronic piece part temperatures by 20°C or more, even for low-power density designs. The net result of this is that the effective test temperatures may be reduced to the point where there is zero or negative margin over the flight thermal environment.

Practice: Each flight project provides requirements for defining and implementing a contamination control program applicable to the hardware for the program. The program consists first in defining the specific cleanliness requirements and setting forth the approaches to meeting them in a contamination control plan. One significant part of the contamination control plan is a comprehensive materials and process program beginning at the design stage of the hardware. This program helps ensure the safety and success of the mission by the appropriate selection, processing, inspection, and testing of the materials employed to meet the operational requirements for the application. The following potential problem areas are considered when selecting materials: radiation effects, thermal cycling, stress corrosion cracking, galvanic corrosion, hydrogen embrittlement, lubrication, contamination of cooled surfaces, composite materials, atomic oxygen, useful life, vacuum outgassing, toxic offgassing, flammability, and fracture toughness. The practice described here for the collection and compilation of vacuum outgassing data is used in conjunction with a number of other processes in the selection of materials. Vacuum outgassing tests are conducted on materials intended for spaceflight use,

Practice: Perform a thermal analysis of each electronic assembly to the piece-part level. Provide a heat conduction path for all parts whose junction temperature rise exceeds 35°C above the cold plate.

Benefits: Controlling the operating temperature of parts in a vacuum flight environment will lower the failure rate, improve reliability, and extend the life of the parts.

Practice: Perform dynamic tests prior to performing thermal-vacuum tests on flight hardware.

Benefit: Experience has shown that until the thermal-vacuum tests are performed, many failures induced during dynamics tests are not detected because of the short duration of the dynamics tests. In addition, the thermal-vacuum test on flight hardware at both the assembly level and the system level provides a good screen for intermittent as well as incipient hardware failures.

Practice: Define an appropriate random vibration test, and subject all assemblies and selected subsystems to the test for design qualification and workmanship flight acceptance.

Benefit: This practice assists in identifying existing and potential failures in flight hardware so that they can be rectified before launch.

Practice: Test satellites for the ability to survive the effects of electrostatic discharges (ESDs) caused by a space-charging environment. Such environments include Earth equatorial orbits above 8000 km and virtually all orbits above 40 degrees latitude, Jupiter encounters closer than 15 Rj (Jupiter radii), and possibly other planets.

Benefit: Proper implementation of this practice will assure that satellites will operate in the space charging environment without failure or awkward ground controller operations.

Practice: Test power system components for corona to ensure that their insulation system will meet the design requirements imposed on the equipment and to verify that the gas discharges are not deteriorating the insulation system. The acceptable corona levels are verified in power system components.

Benefits: Knowledge of the presence or absence of corona discharge will help in controlling the reliability of high voltage components/systems. Corona testing can reveal potential and unaccounted-for corona discharges that may shorten the service-life of electrical insulating systems, seriously interfere with high-voltage system operation and communication links, and result in failure and loss of mission objectives.

Practice: Verify that a flight vehicle or system is hardened to the launch, boost, and flight electromagnetic radiation environment by radiating simultaneously, during system checkout, on all major emission frequencies that are known to exist during vehicle operations. Monitor all critical systems for erroneous performance while the spacecraft or system is stepped through all operating modes.

Benefit: Spurious interferences and responses can be identified during system checkout. After the spurious responses are evaluated, solutions can be proposed, and remedial action taken, if necessary, prior to the actual flight.

Practice: Direct current (DC) electrical isolation verification tests are made as part of the EMC test of hardware prior to final spacecraft assembly. Flight acceptance isolation retest is required after any hardware rework of subsystems with electrical interfaces that utilize system wiring.

Benefit: Inadvertent grounds of isolated circuits and ground loops are detected directly by this test. In some cases, such grounds may pass other tests with no apparent degradation. Failure may not occur until the vehicle is subjected to high-level electromagnetic radiation. Since this test requires minimal test equipment and can be performed in a short time, its benefits are achieved at low cost.

Practice: The source for selection of acceptable flight-quality EEE parts for use on Goddard projects is GSFC Preferred Parts List (PPL-20). PPL-20 complements NASA Standard Electrical, Electronic, and Electromechanical (EEE) Parts List (NSPL) (MIL-STD-975) by listing additional part types and part categories not included in MIL-STD-975. Recognizing that it is neither possible nor desirable to include all parts in the GSFC PPL and in the NSPL, the GSFC parts requirements make provision that limited numbers of parts not included in the PPL or the NSPL may be used if it is demonstrated that the parts are acceptable. The acceptability of (5, section 5) nonstandard parts is enhanced by use of the part procurement specifications provided in Appendix E of PPL-20. The acceptability of these nonstandard parts must be demonstrated prior to commitment to design or use. Requests for approval to use nonstandard parts with supporting documentation are forwarded to the appropriate GSFC Project Office for review and approval. The practice described herein is used for demonstrating and documenting the acceptability of nonstandard parts for spaceflight use.

Practice: Perform acoustic and random vibration testing supplemented with additional sine vibration testing as appropriate to qualify payload hardware to the vibroacoustic environments of the mission, particularly the launch environment and to demonstrate acceptable workmanship.

Benefit: Adherence to the practice alleviates vibroacoustic-induced failures of structural stress and fatigue, unacceptable workmanship, and performance degradation of sensitive subsystems including instruments and components. Implementation of this practice assures that minimal degradation of “design reliability” has occurred during prior fabrication, integration and test activities.

Practice: The sine-burst test is used to apply a quasi-static load to a test item in order to strength qualify the item and its design for flight.

Benefits: The sine-burst test is a simple method to apply a quasi-static load using a vibration shaker and shock testing software. Depending on the complexity of the test item, it often can be used in lieu of and is more economical than, acceleration (centrifuge) or static tests. For components and subsystems, the fixture used for vibration testing often can also be used for sine-burst strength testing. For this reason, strength qualification and random vibration qualification can often be performed during the same test session which saves time and money.

Practice: Eddy Current Testing (ECT) can be used on electrically conductive material for detecting and characterizing defects such as surface and near surface cracks, gouges, and voids. It can also be used to verify a material’s heat treat condition. In addition, wall thickness of thin wall tubing, and thickness of conductive and nonconductive coating on materials can be determined using ECT.

Benefits: Eddy current testing is a fast, reliable, and cost-effective nondestructive testing (NDT) method for inspecting round, flat, and irregularly shaped conductive materials. Specific processes have been developed to determine the usability and integrity of threaded fasteners. In addition, ECT has the capability of being automated. With proper equipment and skilled test technicians, readout is instantaneous.

Practice: Three general methods of ultrasonic testing can be used singly or in combination with each other to identify cracks, debonds, voids, or inclusions in aerospace materials. Each has its own unique application and all require certain precautions or techniques to identify potentially flawed hardware. This practice describes selected principles that are essential in reliable ultrasonic testing.

Benefit: Careful attention to detail in ultrasonic testing can result in the identification of very small cracks, debonds, voids, or inclusions in aerospace hardware that could be detrimental to mission performance. New ultrasonic technologies are enhancing the accuracy, speed, and cost-effectiveness of this method of nondestructive testing.

Practice: Radiographic testing can be used as a nondestructive method for detecting internal defects in thick and complex shapes in metallic and nonmetallic materials, structures, and assemblies.

Benefit: Unlike most other nondestructive testing methods, radiographic testing provides a permanent visual record of the defects for possible future use. It can also be used to determine crack growth for use in fracture mechanics to determine critical flaw size in a particular component.

Practice: Ensure that potentially significant problems involving parts, materials, and safety discovered during receiving inspection, manufacturing, postmanufacturing inspection, or testing do not affect the safety or the performance of NASA hardware by reporting all anomalies via ALERT systems. ALERTS and SAFE ALERTS pertaining to these problems are quickly disseminated for impact assessment and, if required, corrective action taken or a rationale developed for “flying as is.”

Benefit: The benefit of the ALERTS system is the reduction or elimination of duplicate expenditures of time and money by exchanging information of general concern regarding parts, materials, and safety problems within MSFC, between MSFC and other NASA centers, between NASA and other government organizations, and between government and industry to assist in preventing similar occurrences. The use of the ALERTS system avoids future failures, rules out fraudulent hardware, helps enhance reliability, and ensures mission success.

Practice: Use proven GSFC practices during the integration and testing of flight hardware to prevent electrical and mechanical overstressing of flight hardware parts and components, thereby, assuring that the “designed in” reliability is not compromised.

Benefits: These practices prevent the long term degradation and early failure of electrical parts and components due to electrical and mechanical overstressing. Damage due to overstressing may not result in immediate failure and may not be detected by component or assembly level testing but can result in early failures.

Practice: Use short-circuit testing method or response characteristics on nickel/hydrogen (Ni/H₂) battery to characterize the battery impedance. These data are necessary for designing power-processing equipment and electric power fault-protection systems.

Benefits: Ni/H₂ battery technology is gaining wide acceptance as an energy storage system for use in space applications because of its reliability, weight, and long-cycle expectancy at deep depths-of-discharge (DOD). When a charged Ni/H₂ battery is short-circuited, its short circuit current data can be used to calculate the internal resistance of the cells for the purpose of determining the overall characteristics of the energy storage system. Also, by examining the cell impedance only, a Ni/H₂ battery simulation utilizing low-cost lead-acid cells can be developed.

Practice: Voltage and temperature margin testing (VTMT) is the practice of exceeding the expected flight limits of voltage, temperature, and frequency to simulate the worst case functional performance, including effects of radiation and operating life-parameter variations on component parts. For programs subject to severe cost or schedule constraints, VTMT has proven an acceptable alternative to conventional techniques such as worst-case analysis (WCA). WCA is the preferred approach to design reliability, but VTMT is a viable alternative for flight projects where tradeoffs of risk versus development time and cost are appropriate.

Benefits: On spacecraft hardware where risk vs. cost trades permit higher risk (Class C), VTMT is an economical alternative to classical worst case analysis. The major benefits in using VTMT instead of WCA are:

1. Assurance of a systematic method for investigation of potential risks where the parameters are not adequately modeled by worst case analysis. An example is RF circuits which have distributed circuit parameters.

2. Labor savings for units too complex to simulate and which generally require Monte Carlo or root-sum squares analyses.

Practice: Tests are performed to verify that radio frequency (RF) equipment, such as receivers, transmitters, diplexers, isolators, RF cables, and connectors, can operate without damage or degradation.

Reliability assurance is necessary in both a vacuum environment and at critical pressure with adequate demonstrated margins above the expected operating RF signal levels.

Benefits: Knowledge of the dielectric breakdown characteristics of RF devices at low pressures or in a near vacuum environment can be used to protect sensitive flight equipment. RF breakdown is a concern because of the low, near-vacuum pressures at which spacecraft are tested and operated. RF breakdown testing is conducted to establish hardware resilience to the application of out-of-spec input signal levels, signal reflections due to mismatches at hardware interfaces, inadvertent evacuation of vacuum chambers during RF input, application of RF signals during the ascent phase of the spacecraft launch vehicle, and so on.

Practice: Applies a formal flight assurance inspection system for mechanical fasteners used in flight hardware and critical applications on ground support equipment (GSE), including all flight hardware/GSE interfaces.

Benefit: This practice significantly enhances flight reliability by ensuring that mechanical fasteners do not fail during the mission due to inadequate integrity requirements or quality control inspection procedures.

Practice: Conduct highly instrumented real-time long term tests and accelerated testing of spaceflight batteries using automated systems that simulate prelaunch, launch, mission, and postmission environments to verify suitability for the mission, to confirm the acceptability of design configurations, to resolve mission anomalies, and to improve reliability.

Benefit: Since the operational readiness and future performance of spaceflight batteries at any point in a mission are strongly dependent on past power cycles and environments, thoroughly instrumented and analyzed ground testing of spaceflight batteries identical to flight configurations will ensure predictable performance and high reliability of flight batteries.

Practice: Analyses are performed early in the design of radio frequency (RF) hardware to determine hardware imposed limitations which affect radio performance. These limitations include distortion, bandwidth constraints, transfer function non-linearity, non-zero rise and fall transition time, and signal-to-noise ratio (SNR) degradation. The effects of these hardware performance impediments are measured and recorded.

Performance evaluation is a reliability concern because RF hardware performance is sensitive to thermal and other environmental conditions, and reliability testing is constrained by RF temperature limitations.

Benefits: Identification of hardware-imposed limitations on RF subsystem performance permits designers to evaluate a selected radio technology or architecture against system requirements. In the test phase of the reliability assurance program, it also helps engineers to understand performance characteristics they encounter during testing. RF modeling and verification provides for designed-in reliability in accordance with NASA’s project streamlining policy.

NASA Software Safety Guidebook

Terrestrial Environment (Climatic) Criteria Handbook for Use in Aerospace Vehicle Development

Electrical Grounding Architecture for Unmanned Spacecraft

Avoiding Problems Caused by Spacecraft On-Orbit Internal Charging Effects

Low Earth Orbit Spacecraft Charging Design Handbook

Fracture Control Implementation Handbook for Payloads, Experiments, and Similar Hardware

NASA Handbook Requirements for Conformal Coating and Staking of Printed Wiring Boards for Electronic Assemblies

Application of Data Matrix Identification Symbols to Aerospace Parts Using Direct Part Marking Methods/Techniques (Supersedes NASA-HDBK-6003b)

Handbook for Recommended Material Removal Processes for Advanced Ceramic Test Specimens and Components

Force Limited Vibration Testing

Dynamic Environmental Criteria

Handbook for Limiting Orbital Debris

Procedural Handbook for NASA Program and Project Management of Problems, Nonconformances, and Anomalies

Welding of Aerospace Ground Support Equipment and Related Nonconventional Facilities

Standard for the Design and Fabrication of Ground Support Equipment

NASA Configuration Management (Cm) Standard

Software Formal Inspections Standard

Software Formal Inspections Standard

Digital Television Standards for NASA

Man-Systems Integration Standards, vol. I

Man-Systems Integration Standards, vol. II

Man-Systems Integration Standards, vol. III

NASA Spaceflight Human System Standard, vol. 1: Crew Health (Superseding NASA-STD-3000, vol. 1, Chapter 7; and JSC 26882, Spaceflight Health Requirements Document)

Electrical Bonding for NASA Launch Vehicles, Spacecraft, Payloads, and Flight Equipment

Low Earth Orbit Spacecraft Charging Design Standard (Supersedes NASA-STD-(I)-4005)

Structural Design and Test Factors of Safety for Spaceflight Hardware

Load Analyses of Spacecraft and Payloads

Fracture Control Requirements for Payloads Using the Space Shuttle

Ground Support Equipment (Superseding NASA-STD-5005a)

General Fusion Welding Requirements for Aerospace Materials Used in Flight Hardware

General Fracture Control Requirements for Manned Spaceflight Systems

Protective Coating of Carbon Steel, Stainless Steel, and Aluminum on Launch Structures, Facilities, and Ground Support Equipment

Nondestructive Evaluation Requirements for Fracture Critical Metallic Components

Strength and Life Assessment Requirements for Liquid Fueled Space Propulsion System Engines

Design and Development Requirements for Mechanisms

Fracture Control Requirements for Spaceflight Hardware (Superseding NASA-STD-(I)-5019 (interim) and NASA-STD-5007)

Flammability, Odor, Off-gassing and Compatibility Requirements and Test Procedures for Materials in Environments That Support Combustion

Applying Data Matrix Identification Symbols on Aerospace Parts (Superseding NASA-STD-6002c)

NASA Fastener Procurement, Receiving Inspection, and Storage Practices for Spaceflight Hardware

Standard Materials and Processes Requirements for Spacecraft

Payload Vibroacoustic Test Criteria

Payload Test Requirements

Pyroshock Test Criteria

Standard for Models and Simulations

NASA Safety and Mission Assurance Roles and Responsibilities for Expendable Launch Vehicle Services; Revalidated/Reaffirmed 08/21/2003

Standard for Underwater Facility and Non–Open Water Operations

Safety Standard for Fire Protection

NASA Software Safety Standard (Rev B W/Ch1 of 7/8/2004)

Process for Limiting Orbital Debris (Baseline W/Ch 1 of 9/6/07)

NASA Requirements for Ground-Based Pressure Vessels and Pressurized Systems (Pv/S)

Facility System Safety Guidebook

Standard for Lifting Devices and Equipment; Revalidated/Reaffirmed 10/01/2007

Planning, Developing and Managing an Effective Reliability and Maintainability (R&M) Program

Workmanship Standard for Polymeric Application on Electronic Assemblies

Workmanship Standard for Surface Mount Technology (Baseline with Chapter 1 of 6/6/08); Revalidated/Reaffirmed 06/05/2008

Soldered Electrical Connections (Baseline with Chapter 3 of 6/6/08)

Crimping, Interconnecting Cables, Harnesses, and Wiring (Baseline with Chapter 4 of 7/25/08)

Fiber Optic Terminations, Cable Assemblies, and Installation (Baseline with Chapter 1 of 7/25/08)

Software Assurance Standard (Baseline with Chapter 1 of 5/5/05)

Safety Standard for Explosives, Propellants, and Pyrotechnics

NASA Safety Standard Guidelines and Assessment Procedures for Limiting Orbital Debris

The principal investigator is responsible for the overall success of the mission. He/she serves as the ultimate authority within the project for decisions that could affect the ability to deliver the science results. The PI sets the science goals for the mission and is responsible for developing the plan to meet those goals.

The project scientist is responsible for implementing the science plan that was developed by the PI. He/she derives the measurement requirements from the science objectives. He/she also leads the science team and reports to the PI.

The lead for E/PO is responsible for planning, developing, and coordinating programs to educate students and the public about the mission. The E/PO lead works closely with public relations regarding press releases and public events surrounding major mission milestones or accomplishments.

The project manager is responsible for formulating the project plan and implementing the project according to this plan. The PM reports to the PI. The PM establishes and coordinates the project office for the purpose of directing the project tasks and managing the project cost, schedule, and risk. The PM communicates the project progress/performance to the customer and conducts technical and programmatic reviews of the project.

The DPM assists the PM with the project management responsibilities. In the event the PM is unable to fulfill his/her duties, the DPM may serve as the acting PM in his/her absence.

The payload manager is a member of the project office and is responsible for the development of the payload. He/she works closely with the payload system engineer to deliver the required instrument performance on schedule and budget.

The project office support includes a number of individuals in various areas of expertise. The project office supports the PM with skills necessary to perform scheduling, cost accounting, subcontracting, export control, and administrative tasks.

The MAE (sometimes referred to as the performance assurance engineer) is responsible for the development and implementation of the mission assurance plan. The MAE oversees configuration management and enforces the quality standards for the project. MAE approval is required for the release of all project documentation and the closure of all issue reports.

The safety engineer reports to the MAE and is responsible for the implementation of system safety and personnel safety plans on the project. These plans include safety training, identification and mitigation of safety hazards, compliance with the range safety requirements, and developing the missile systems pre-launch safety plan (MSPSP).

The MSE serves as the lead technical authority on the project and reports to the project manager. He/she is responsible for developing the systems engineering management plan (SEMP) and managing the systems engineering team. The MSE handles the flow-down of the mission requirements to the mission elements. The overall requirements verification plan is also the responsibility of the MSE. The MSE conducts trade studies to evaluate various mission concepts and architecture options. He/she also monitors risks and identifies mitigations and reports recommendations to the PM. The MSE is responsible for managing all system budgets and margins on the mission. These typically include mass, power, RF link, alignment, guidance and control (G&C), data recorder space, downlink volume, etc. In some cases, tracking of these budgets may be delegated to a lead engineer. For example, the mass budget is often updated by the mechanical systems engineer.

The DMSE assists the MSE in completion of mission system engineering tasks. In the absence of the MSE, the DMSE may serve as acting MSE.

The MSSE is part of the mission systems engineering team. He/she is responsible for establishing the process and standards for all software development on the project, including both flight and ground applications.

The FPE, also part of the mission systems engineering team, is responsible for the development, implementation, and verification of the fault protections requirements. The FPE also coordinates the development of the onboard fault detection and autonomous responses.

The PSE is responsible for the requirements and verification of the instruments. He/she is responsible for coordinating with the MSE regarding the instrument interfaces and reports to the payload manager.

Instrument lead engineers are responsible for the technical development, cost, and schedule of their respective instruments. They report to the PSE.

The SSE is responsible for the technical aspects of the spacecraft segment. He/she documents the requirements flow-down from the segment to the subsystems and is responsible for the verification of these requirements.

Subsystem lead engineers are responsible for technical development, cost, and schedule of the spacecraft subsystem development. The lead engineer assignments are dependent on the spacecraft architecture. For example, some spacecraft may not have a propulsion system and therefore would not require a propulsion lead engineer. Common designations for subsystem lead engineers include structural, mechanical, thermal, power, command and data handling (C&DH), RF, G&C, propulsion, and flight software. Each lead engineer has specific responsibility with regard to her/his respective subsystem.

The LVC is the project point-of-contact for all launch vehicle–related activities. This person participates in all meetings of the ground operations working group and the payload safety working group. The LVC is also involved in the trajectory review cycle and the coupled loads analysis. He/she is responsible for developing the launch vehicle interface requirements document, which documents the mission-unique requirements for the project.

The I&T lead engineer is responsible for the integration and testing of the spacecraft and instruments. She/he leads the I&T team and coordinates the schedule of activities involving the spacecraft through launch.

The MOM is responsible for managing the mission operations team and coordinating the in-flight activities on the spacecraft. He/she provides status updates for the project during the operations phase of the mission.

The ground system engineer is responsible for the development of the hardware and software that makes up the ground system. She/he maintains the command and telemetry database and manages the development of many of the ground system software tools used by mission operations to perform the mission.

The mission design lead is responsible for the development of the mission trajectory (or orbit) and associated parameters, such as launch date, C₃ requirements, arrival date, and delta-V budget. He/she works with the LVC and LV provider in the trajectory review cycles.

Pre-phase A represents the period when advanced concept are studied. For NASA announcements of opportunity (e.g., for Discovery-class and New Frontiers-class missions), the development of the initial proposal is equivalent to the pre-Phase A period. During this phase, preliminary concepts are explored and trade studies conducted. This phase concludes with the production of a report or proposal describing the science objectives, measurement requirements, and the preliminary mission implementation plans.

The activities conducted during Phase A include developing the technical and programmatic requirements and formulating the details of the implementation plan. For NASA announcements of opportunity, the development of concept study report is considered equivalent to Phase A.

Phase B is the period when the preliminary design is completed and long-lead procurements are begun. Hardware breadboards of new designs are typically built and tested during Phase B. This phase concludes with the Preliminary Design Review (PDR) and the authorization to proceed from the formulation phases (Phases A/B) into the implementation phases (Phases C/D/E/F).

Also referred to as “final design and fabrication,” Phase C marks the beginning of the hardware development and includes the fabrication and test of components and subsystems. Critical design concludes with the critical design review (CDR), after which component fabrication begins. For many projects, Phases C and D are merged as single phase in the project life cycle (Phase C/D), because the transition from Phase C to Phase D is not necessarily marked by a single event in time. For example, the schedule may show some Phase D activities, such as the “system assembly,” starting before all of the Phase C “component fabrication” activities are complete. So even though the activities conducted in each of the two phases are distinct, the transition in time between Phases C and D may not be distinct.

Also referred to as assembly, test, and launch operations (ATLO), Phase D represents the period when the spacecraft is assembled, tested, launched, and commissioned. Typically Phase D includes the 30 to 60 days of commissioning after launch.

Phase E represents the primary mission operations phase. Often the mission operations phase is further divided into mission phases based on the trajectory and mission-critical events. For example, an interplanetary mission often refers to the long journey to the object of interest as the “cruise” phase. Upon arrival there would be increase activity during the “encounter” phase or the “orbit insertion” phase, depending on whether the event was a flyby or an orbital mission. These phase boundaries often represent changes in staffing requirements or changes in the complexity of operations. At the completion of the primary mission, the mission may be closed out or continue for an extended mission.

Phase F marks the end of the project by implementing the system decommissioning/disposal plan. If additional data analysis is required, it may take place during this phase.

A red team review is an independent review of a proposal draft for the sole purpose of improving the final proposal. It should be held when a complete draft of the proposal can be assembled. The review panel should consist of experienced reviewers from various disciplines, and the panel should evaluate the draft proposal using the same evaluation criteria that the customer will use to evaluate and score the final proposal. Receiving independent feedback that identifies potential weaknesses early helps the project team to strengthen their proposal and increase the probability of an award.

This review represents the customer evaluation of the mission proposal. This review is performed at the conclusion of the pre-Phase A effort. In NASA’s announcement of opportunity process, the primary focus is on evaluation of the science, the science implementation strategy, and risk. The results of the evaluation factor into the “down-select” process. If selected, the project is awarded a contract for the next phase of the project (Phase A).

At the conclusion of the Phase A, the concept study report is evaluated according to the published evaluation criteria. The evaluation committee also conducts a site visit, during which members of the project team make oral presentations to the evaluators. The primary focus of this evaluation is to assess the risk associated with mission implementation. Results and recommendations from the evaluation team are used by the selecting official in the selection process.

The purpose of the SRR is to demonstrate that the decomposition of the requirements from the mission objectives is sufficient to proceed with the development of the design concept and performance specifications. This review typically occurs during Phase A. Topics covered in the SRR include the following: Mission objectives and success criteria Mission requirements Performance requirements Programmatic requirements Functional requirements of mission segments (payload, spacecraft, launch vehicle, mission operations, ground system, mission design and navigation) Results of tradeoff studies Mission drivers Contract deliverables Open trades and issues Lessons learned In some cases, the SRR and the conceptual design review are combined into a single review.

The purpose of the CoDR is to assure that the proposed implementation will meet the mission requirements. The focus is on the proposed design concept and major interfaces. The CoDR should be held early enough that changes can be made without major impacts to the project. Topics covered in the CoDR include the following: Mission overview, including objectives and mission success criteria Changes since the proposal Action item closure status System performance requirements System constraints System drivers Proposed design approach for mission segments (payload, spacecraft, launch vehicle, mission operations, ground system, mission design and navigation) Major system trades Technical and programmatic interfaces Project risks and mitigations System redundancy System margins System heritage Integration and test plan Ground support equipment Mission assurance and system safety plans Lessons learned The results from the CoDR form the basis for the preliminary design (Phase B). In some cases the concept study oral site-visit review is substituted for the CoDR.

The PDR is the first detailed review of the system design. The focus of the review is on demonstrating that the design meets all system requirements with an acceptable level of risk and within the cost and schedule constraints. The results from the PDR form the basis for proceeding with the detailed (i.e., critical) design (Phase C). The topics covered in the PDR include the following: Mission overview/project overview, including mission objectives, mission success criteria, launch dates, mission phases, key mission milestones) Project status, schedule, management metrics Project risks and mitigations Action item closure status Changes since the last review System performance requirements and specifications System interface specifications (with preliminary interface control documents [ICDs]) System budgets and margins (mass, power, communication link, data storage, processor throughput, processor memory usage, attitude control, alignments, etc.) Spacecraft subsystem descriptions Structural design and analysis Electrical systems design and analysis Software requirements and conceptual design Fault management design Design heritage Verification plans Integration and test flow Ground system and ground system equipment (GSE) design (mechanical and electrical GSE) Launch vehicle interfaces Mission operations plans Electromagnetic interference (EMI) control plans Contamination control plans EEE parts processes, quality control, quality processes, and inspections

The NAR is often conducted as part of the PDR. This part of the review provides the customer with an independent assessment of the readiness of the project to proceed to the next phase of development (Phase C).

The CDR is the most comprehensive project-level review of the detailed system design. The focus is on demonstrating that the detailed design will meet the final performance and interface specifications. At the time the CDR takes place, all actions from previous reviews should be closed, or there is a good rationale for why they remain open. Most drawings should be ready for release. The material covered should revisit all items listed for the PDR plus the following additional items: Final implementation plans Detailed hardware block diagrams showing signal and power interfaces and flow Detailed software diagrams showing logic, task communication, and timing Completed design analyses (loads, stress, torque, thermal, radiation) Design and expected lifetime Engineering model/breadboard hardware/software test results Released ICDs (spacecraft, payload, launch vehicle) Test verification matrix System functional, performance, environmental test plans Ground operations (including during launch campaign) Transportation plans, shipping container design Results of the planned analyses such as FMECA, FTA, PRA, reliability/redundancy analyses Hazard analyses and safety control measures Single-point failures list Spares philosophy The results from CDR form the basis for fabrication, assembly, integration, test and launch of the flight system (rest of Phase C, Phase D).

The purpose of the MOR is to demonstrate that the mission operations plans are sufficient to conduct the required flight operations to achieve the mission objectives. This review is the first of two major prelaunch reviews focused primarily on the ground system and mission operations (the second is the operations readiness review, described below). The MOR is held before the major integration and test activities, such as environmental test. The MOR should include the following topics: Mission overview, including mission objectives, mission success criteria, launch dates, mission phases, key mission milestones Spacecraft overview, including subsystem descriptions Schedule status, including status of documentation and procedures Mission operations risks and mitigations Mission operations and ground system action item closure status Mission operations objectives, including launch and early operations Mission operations plans and status (payload and spacecraft) Mission operations staffing, training, and facilities Onboard data management and data flow diagrams Health and safety monitoring, contingency operations Data trending Configuration management Operations functional process flow (planning, control, and assessment) Ground system requirements, design, and status Ground software Operational interfaces Flight constraints Prelaunch tests plans and status (tests, simulations, exercises) Payload operations and data analysis Documentation status Launch critical facilities Lessons learned Issues/concerns

The SIR assesses the readiness to begin integration and test of the system. This review is held before the start of integration and test. The material covered in this review include integration and test plans, verification and validation plans, status of flight system components and associated procedures, ground equipment status, and staffing plans.

The purpose of the PER is to show the flight system and ground support equipment are ready for environmental test and that the plans and procedures are complete and comprehensive. This review is held before environmental test and includes the following: Project overview and status Action item closure status Changes since the last review Closure status of problems, anomaly reports, deviations, and waivers Test objectives, descriptions, plans, procedures, and flow Test facilities, equipment, instrumentation Pass/fail criteria Test verification matrix Contamination control safety Thermal vacuum profile with test Component-level test history/results Baseline comprehensive performance test results Failure-free operating hours Documentation status Calibration plans Open issues and concerns

The PSR serves to confirm that the spacecraft has successfully completed all environmental testing and is ready to be shipped to the launch site. The PSR takes place after environmental test and before shipment. The PSR should include the following: Project overview and status Action item closure status Closure status of problems, anomaly reports, deviations, and waivers Risk assessment of any open items Compliance with test verification matrix Comparison of measured margins to estimates Trending data Failure-free operating hours Transportation plans, shipping container, ground support equipment Launch site operations Status of safety approvals for launch site operations

The LVRR certifies that the project is ready to proceed with integration of the launch vehicle with the spacecraft. Typically, the LVRR is held before the mission readiness review and is chaired by the launch services program manager.

The MRR certifies that the project is ready to move the spacecraft to the launch pad.

The FRR is held to close out any issues or actions from the LVRR and to certify that the launch vehicle is ready to start the launch countdown. This review is held about 3 days before the opening of the launch window and is chaired by the NASA launch manager.

The LRR is held to close out any issues or actions from the FRR and certify that the project is ready to start the launch countdown. At this review the certification of flight readiness is signed. The LRR is held no later than 1 day before launch and is chaired by the space operations assistant associate administrator or may be delegated to the launch services program manager.

The purpose of the OOR is to demonstrate the flight system, ground system, and operations team are ready for launch. In some cases this review may be called the mission operations readiness review (MORR) or the flight operations review (FOR). This review is held near the completion of the pre-flight testing and include the following information: Final launch, operations, and commissioning plans Mission operations procedures (nominal and contingency operations) Flight and ground system hardware and software characteristics Personnel and staffing User documentation

LLEs are held to capture and document knowledge from experiences of the project team. This activity helps preserve knowledge and improve processes. These exercises are held periodically or after major events.

PLARs are held to assess project performance after significant events or accomplishments. For example, a commissioning review, where results of the spacecraft and instrument commissioning activities are presented, is an example of a PLAR.

Prior to critical events, such as a trajectory correction maneuver (TCM) or other major operation, a CERR, is held to confirm that the requirements are well understood and the event can be accomplished with an acceptable level of risk.