Solar B - EIS
MULLARD SPACE SCIENCE LABORATORY
UNIVERSITY COLLEGE LONDON
Author: A Smith
RISK ASSESSMENT
Document Number: MSSL/SLB-EIS/AD/005.01
Date: 9 June 2000
Distribution:
NRL: G Doschek, C Korendyke, S Myers, C Brown, K Dere, J Mariska
NAOJ: H Hara, T Watanabe
RAL: J Lang, B Kent, D Pike
BU: C Castelli, S Mahmoud, G Simnett
Mullard Space Science Laboratory: J L Culhane, A Smith, A James, L Harra, A McCalden, C McFee, R Chaudery, P Thomas, W Oliver, P Coker, R Gowen, K Al Janabi, M Whillock
SLB-EIS Project Office: A Dibbens (Orig)

Author: | Date:
Authorised By: | Date:
Distributed: | Date:
| ISSUE | DATE | PAGES CHANGED | COMMENTS |
| 01 | 9 June 2000 | All New | Document re-issued in new numbering system. A major review of risks has been conducted in preparation for the EIS UK PDR |
CONTENTS
1. SCOPE
2. APPLICABLE DOCUMENTS
3. DISCUSSION
4. PROGRAMMATIC RISK
4.1 System Level
4.2 Sub-system Level
5. OPERATIONAL RISK
5.1 System Level
5.2 Sub-system Level
1. SCOPE
Risks are characterised in terms of their nature, likelihood, origin and ownership.
2. APPLICABLE DOCUMENTS
MSSL/SLB-EIS/SP007 EIS Science Requirements
MSSL/SLB-EIS/SP011 EIS System Definition
EIS Work Break-down Structure EIS-sys-eng-wbs
Management Plan EIS-man-manplan
3. DISCUSSION
This document contains a risk analysis for the Solar-B EUV Imaging Spectrometer (EIS) at system and sub-system level. Its purpose is to record the sources of risk and their degree for EIS and its subsystems, and the means to reduce them to acceptable levels. Operational and Programmatic risks are considered.
The applicable versions of the systems documents are:
EIS Science Requirements MSSL/SLB-EIS/SP007.01 June 00
EIS System Definition MSSL/SLB-EIS/SP011.01 June 00
Work Breakdown Structure EIS-sys-eng-wbs 2 12 July 99
The probability of risks is described in a qualitative way using the following scheme:
| Term | Notation |
| Impossible | 0 |
| Very unlikely | 1 |
| Unlikely | 2 |
| Moderately Unlikely | 4 |
| Moderately Probable | 6 |
| Probable | 8 |
| Very Probable | 9 |
| Certain | 10 |
| Unknown | 99 |
Risks are numbered for reference, according to type.
· PE : Programmatic EIS (system or Mission) risk
· PS : Programmatic Subsystem risk
· OE : Operational (i.e. post-launch) EIS (system or Mission) risk
· OS : Operational Subsystem risk
Each of the above risk types is described in a separate section of this document.
The risk Category is the WBS code of the origin of the risk. 1000 = EIS instrument, 0000 = Solar‑B mission.
Ownership indicates the institute that will be responsible for management of the risk.
Sources of programmatic risk to the project as a whole are considered first.
| Category | Element | Risk # | Prob | Owner | Event | Effect | Management | Notes |
| 0000 | Solar-B | PE3 | 1 | ISAS | Launch Delay | Extra costs | Revise schedule | Has occurred once. Considered unlikely to occur again. |
| 1000 | EIS | PE4 | 2-4 | MSSL | Incompatibility of sub-system interfaces at pre-delivery integration | Failure to integrate hardware or software. Delay and/or additional costs of re-work | Rigorous attention to interface management procedures. Regular system design team meetings. Early integration checks, walkthroughs, configuration management. Allow schedule margin. | |
| | | PE4.1 | 4 | MSSL | Mechanical interfaces | | | |
| | | PE4.2 | 4 | MSSL | Thermal interfaces | | | |
| | | PE4.3 | 2 | MSSL | Optical interfaces | | | |
| | | PE4.4 | 4 | MSSL | Electrical interfaces | | | |
| | | PE4.5 | 4 | MSSL | Cleanliness interfaces | | | |
| | | PE4.6 | 2 | MSSL | PA interfaces | | | |
| 1000 | EIS | PE6 | 2 | MSSL | System failure during environmental testing | Delay in delivery whilst reworks and retests occur | Design margins and derating of components. AIV schedule to include contingency for such events. Items which are both critical and particularly susceptible to have spares available - within budgetary constraints. | Each subsystem item should have been qualified to appropriate levels by analogy, analysis or test prior to system test. Lessons learned during EM and STM environmental tests should allow us to identify the susceptible items. |
| | | PE6.1 | 2 | BU | MTM/TTM | | | |
| | | PE6.2 | 2 | MSSL | EM | | | |
| | | PE6.3 | 2 | MSSL | FM | | | |
| 1000 | EIS | PE7 | 2-4 | MSSL | Incompatibility with spacecraft discovered during integration | Delays to entire mission. Increased costs of support of rework in Japan. Possibility that instrument performance be compromised. | Close co-operation with the spacecraft design teams. Identification and control of comprehensive interface specification. | This would arise from inadequacy of interface management between the EIS and spacecraft teams. There is a vital need for prompt and reliable exchange of accurate interface information with the spacecraft teams. |
| | | PE7.1 | 3 | BU | MTM/TTM | | | |
| | | PE7.2 | 2 | MSSL | EM | | | |
| | | PE7.3 | 2 | MSSL | FM | | | |
| 1000 | EIS | PE8 | 4-6 | MSSL | Late delivery of instrument | Schedule impact on spacecraft programme | Establish and agree realistic delivery schedule. Establish and agree realistic requirements for each model. Rigorously control internal schedules. | |
| | | PE8.1 | 6 | BU | MTM/TTM | | | |
| | | PE8.2 | 4 | MSSL | EM | | | |
| | | PE8.3 | 4 | MSSL | FM | | | |
4.2 Sub-system level (PS)
Programmatic risks are now considered for major WBS items in the Hardware (WBS Code 1000) and AIV (3000) branches.
| Category | Element | Risk # | Prob | Owner | Event | Effect | Management | Notes |
| 1100 | Structure | PS1 | 4 | BU | Composite material shows excessive out-gassing | Contamination of optical components | Select and evaluate materials. Plan out-gassing paths | |
| 1300 | Optics | PS2 | 99 | NRL | Multilayer coating fails to provide adequate reflectivity or other property | Instrument throughput threatened. | Seek to fully understand the coating technology and the sources of variation of performance. Consider possibility of re-coating or provision of uncoated spares. Allow contingency for this. Consider alternative coating technologies. | This is mainly an issue with the so-called EIS-400 wavelength range coating, range 6 in EIS Science Notes (EIS-sci-notes), operating near 400 Å, which is baselined to use the relatively unknown Si/Sc multilayer pair. This risk also pertains to the ageing properties of coatings. |
| 1300 | Optics | PS3 | 2 | NRL | Optic inadequately figured or polished | Poor focusing properties leading to loss of spatial and spectral resolution. Possible need for re-work. | Form an error budget for each optical surface, allowing the system PSF to be estimated. Measure samples to validate the error budget. Unit level test. | |
| 1300 | Optics | PS4 | 99 | NRL | Grating manufacturing faults | Loss of throughput. | Error budget, with quantified error sources, is required. Test of grating performance prior to multilayer coating. | All comments also apply as per PS2 |
| 1300 | Optics | PS5 | 2 | NRL | Proposed mechanism fails to meet spacecraft disturbance torque requirement | Other Solar-B instrumentation jeopardised. | Seek alternative mechanisms (mass penalties are likely), or propose spacecraft-level observation (i.e. mechanism) control protocol. Seek to avoid this risk in the early stages of the programme. Another alternative would be to omit the mechanism in question. | This is an important requirement for the successful operation of Solar-B SOT. The nature of the mechanisms is dependent on the telescope type selection. |
| 1600 | Shutter | PS6 | 2 | NRL | Motor unavailable | Shutter redesign, possible life test program (costs & schedule affected) | Explore likelihood of this, if necessary study replacement options. | The shutter design currently baselined, which has substantial spaceflight heritage, uses a specific (brushless) motor. |
| 1400 | Filters | PS7 | 6 | NRL | Accidental breakage of filter | Possible debris in the instrument - as well as the big hole | Non-flight protective covers, spares, design for exchange procedures (including cleaning) | With thin foils (1500 Å Al is being considered) this is a moderately probable event. |
| 1500 | Slit | PS8 | 2 | NRL | Slit exchange mechanism fails disturbance torque criteria | Mechanism cannot be used. | Choose a single slit (or slit/slot) that gives best all-round performance, or seek alternative mechanisms. | See also the comments on PS2 – PS6 |
| 1710 | CCD | PS9 | 6 | MSSL | Loss of device due to (e.g.) static discharge | Replacement needed | Provide for (in contract) adequate test-grade devices during development programme and spares of flight devices. Design for late replacement of CCD. Consider static discharge protection procedures. | Simulators may be used for many test purposes. |
| 1730 | ROE | PS10 | 2 | MSSL | High power consumption of readout electronics | Exceed instrument power budget | Carefully engineer for low power. Demonstrate at breadboard level | Possible tradeoff between readout rate and power consumption |
| 1922 | Radiator | PS11 | 6 | MSSL | Radiator cannot provide necessary CCD cooling | Radiation damage (see Operational Risks - 1740 CCD) causes unacceptable performance degradation | Seek to minimise CCD radiation damage by alternative clocking regimes and/or shielding. Consider radiator designs that avoid viewing the Earth. | The orbit and spacecraft configuration mean that Earthshine becomes a problem for efficient thermal design with a simple radiator. |
| 3410 | Electronic Ground Support Equipment (EGSE) | PS12 | 1 | MSSL | EGSE software not ready for AIV programme caused by lack of continuity of Norwegian effort | AIV cannot be accomplished | Design for interoperability with sub-system EGSE. Specify early delivery of an EGSE version which is capable of supporting a subset of functions for test use. | |
| 3420 | Mechanical Ground Support Equipment (MGSE) | PS13 | 1 | BU | Gas purge equipment - contaminates instrument | Dismantle, clean and reassemble structure and optics | Obtain certificates of purity or equip with in-line gas analysers | A purged structure is considered to be considerably easier to produce than a vacuum vessel (especially given the Solar-B mass constraints). |
| 3800 | Calibration | PS14 | 6 | RAL + MSSL | Insufficient time to complete calibration | Poor knowledge of in-flight performance - value of science data reduced | Allow schedule contingency at this stage of the programme. Rehearse calibration procedures prior to arrival of FM instrument. | |
| 1100 | Structure | PS15 | 8 | BU | Non-delivery of suitable structure | Catastrophic | BU to commission expert help in design and manufacture of composites. | BU may need to solicit additional funding. |
| 1710 | CCD | PS16 | 4 | MSSL | CCD quality poor | Degraded science performance | Take out option to purchase further devices | Contract for CCD foresees this possibility |
| | Sub-system | PS17 | 2-6 | See below | Late delivery of subsystem for integration | Schedule delay | Establish realistic schedule and then rigorously enforce. | |
| | Structure | PS17.1 | 6 | BU | | | | |
| | Camera | PS17.2 | 4 | MSSL | | | | |
| | ICU | PS17.3 | 4 | MSSL | | | | |
| | QCM | PS17.4 | 2 | RAL | | | | |
| | Optics/Mech’ | PS17.5 | 3 | NRL | | | | |
| | MHC | PS17.6 | 4 | MSSL | | | | |
| | Software | PS17.7 | 4 | MSSL | | | | |
| | GSE | PS17.8 | 3 | Var | | | | |
| | MHC | PS18 | 4 | MSSL | NRL software not transferable to flight standard | Schedule delay through need for extra work | Close liaison between NRL and MSSL | Issue raised at NASA PDR |
| Category | Element | Risk # | Prob | Owner | Event | Effect | Management | Notes |
| 1000 | EIS | OE2 | 6 | RAL | Contamination - optics or detector | Progressive loss of sensitivity and ultimate loss of instrument, uncertainty in intensity calibration | Contamination control plan, Front door closure, Purging, QCM, CCD Heater, venting paths | |
| 1000 | EIS | OE3 | 99 | MSSL | Electronic Component failure | Possible loss of instrument or reduced scientific return | Appropriate component quality, fault tolerant design, redundant interfaces | Failure mode analysis to unit, board or component level will be carried out as the designs mature. |
| 1000 | EIS | OE4 | 2 | MSSL | “bad command” | Ranges from severe (damage to hardware?) to nearly benign (although an observation could be missed). | Identify hazardous states of the instrument. Do not allow these to be reached without operator confirmation. Allow detection of such conditions (e.g. by recording all tele-commands). | A bit error in a command sequence should be detected by checksum mechanisms incorporated into the data link protocols. This risk concerns the possibility that the operator sends a valid command that nevertheless is not the intended or appropriate one. |
| 1000 | EIS | OE5 | 8 | MSSL | On-board software error | Control program halt, output data error, & effects in "bad command" | Allow detection and reboot, periodically compare memory checksum with nominal value | Probable cause: SEU |
Risks associated with individual WBS elements are considered.
| Category | Element | Risk # | Prob | Owner | Event | Effect | Management | Notes |
| 1200 | Door | OS1 | 2 | BU | Clamshell Door(s) mechanism failure | Fail closed - Loss of instrument. Fail open - possible contamination during thruster firings. | Life-test programme. Redundant heaters in actuators | |
| 1300 | Optics | OS2 | 99 | NRL | Ageing of multilayer coatings | Instrument throughput reduced. | Perform life tests on coatings whose ageing properties are unknown. | |
| 1300 | Optics | OS3 | 2 | NRL | Scanning mechanism failure | Loss of scanning and alignment compensation | Life test programme. No possibility to move outside of functional position. Monitoring and management of movements during mission. | |
| 1300 | Optics | OS4 | 2 | NRL | Grating focus mechanism failure | (fail in focussed position) Flat-fielding of detector no longer possible. (fail in de-focussed position) Loss of science | Life test programme. Redundant actuators. | |
| 1600 | Shutter | OS5 | 1 | NRL | Shutter failure | (fail closed) Loss of instrument. (fail open) Image smearing | Select proven technology. Life test | |
| 1400 | Filters | OS6 | 1 | NRL | Meteoroid strike on front filter | Possible debris in the instrument. White light ingress to detector - worsens SNR. Heat input to instrument - thermal stresses and consequent misalignment | Recess filter in exterior baffle. Use segmented filter design to limit area of breakage. | |
| 1500 | Slit | OS7 | 99 | NRL | Slit exchange mechanism fails | Fail in a nominal slit position - loss of rapid imaging facility. Fails in viewfinder position - loss of spectroscopy. In intermediate position - some spectroscopy retained | Select proven technology. Life test. | (assuming mechanism with one or more spectroscopy slit and a wide viewfinder slit) |
| 1710 | CCD | OS8 | 8 | MSSL | Radiation Damage to CCD | 1. Dark current distribution 2. CTE change 3. Clock bias drift 4. No longer operates (output FET latch-up) | Appropriate shielding to ensure life commensurate with mission. Monitor dark current distribution periodically. Provide means to adjust operating temperature and clocking rate. Provide ability to adjust the clock bias levels. | |
| | ICU/MHU | OS9 | 4 | MSSL | Radiation Damage to electrical component | Data degradation. Latch-up – loss of function | Component selection to be rad hard to required level. Local shielding as required. | |