NMP EO1 RED TEAM REVIEW Section 13 Spacecraft

NMP /EO-1 RED TEAM REVIEW Section 13 Spacecraft Systems Management Approach Day 2: 03/29/00 . . . Mark Perry Swales Aerospace, 13 Inc. -

NMP /EO-1 Contents RED TEAM REVIEW u Requirements Verification – Process – Matrix u EO-1 Approach to Systems Engineering u Risk Management u Critical Resource Management – u u u Day 2: 03/29/00 Mass, power, and telemetry bandwidth Configuration Management – Drawings - Integration & Test Procedures – Software Spacecraft Quality Assurance – Design & Fabrication – I&T Program I&T Staffing 13 - 2

NMP /EO-1 RED TEAM REVIEW Requirements Analysis u u Day 2: 03/29/00 Traceability – Lowest level requirements traced back to the higher level requirements from which they were developed – Level One requirements tracked to source project document (EO-1 Project Plan) – Level Two and Three requirements become Derived to satisfy a Level One requirement or Allocated by an Interface Control Document Verification – Each lowest level requirement, for a given function, is verified by Analysis or Test & Evaluation – The requirement is traced to the Verification requirement (Test Plans) in addition to the verification performed (Test Procedures, Analysis Reports, and Work Order Authorizations) 13 - 3

NMP /EO-1 RED TEAM REVIEW Requirements Verification u u u Day 2: 03/29/00 System-level 1, 2 and 3 and subsystem derived requirements – Verified during integration and system tests – Functional requirements verified using functional test after each environmental test and each move – Performance requirements verified using CPT and other special tests before and after environmental testing Environmental requirements – Verified at box and satellite level – See Environmental Verification Matrix Software – Verified by developer, by EO-1 team in S/W lab, and on spacecraft in acceptance tests, regression tests, and CPT – Separate S/W verification matrix 13 - 4

NMP /EO-1 RED TEAM REVIEW Requirements Matrix LEVEL I REQUIREMENTS (Sample) LEVEL III REQUIREMENTS (Sample) REQMT ID Interpretation: Example 02. 3. 12 Interpretation: 02 - This requirement is a level 2 requirement. 3 – The requirement is item number 3 within the L-II requirements. 12 – This requirement is traceable to the next higher level requirement (L-I in the example) item number 12. Day 2: 03/29/00 13 - 5

NMP /EO-1 RED TEAM REVIEW Program Constraints u u EO-1 development was driven by cost and schedule – Design to cost: existing architecture and hardware, redundancy implemented to balance risk of single-string design – Build to cost: limited documentation, de-scope if necessary, rapid decisions, etc. Cost and schedule are as important as performance – If cost or schedule threatened, performance trades considered – Due to aggressive planning to incorporate the most advanced technologies, de-scopes occurred as the mission progressed – ALI WIS and GIS detectors – 1 Gb/s fiber optic data bus – Day 2: 03/29/00 The early design was realistically evaluated with respect to program constraints: “buy-ins” not considered on EO-1 13 - 6

NMP /EO-1 RED TEAM REVIEW Approach to Systems Engineering u Success depended on – Active interface control and monitoring – Quick decisions: key personnel using engineering judgement – Example: quick incorporation of Hyperion – Limited system documentation, particularly on design process – Lesson-learned: earlier documentation (e. g. , systems schematics, C&T handbook) would have saved time during integration & tests – u Selected redundancy implemented only on mission-critical systems consistent with Project constraints – u Day 2: 03/29/00 When evaluating system trades, took advantage of mission goal: technology development. For example, EO-1 is in standby mode for 90% of the mission. Solar array release mechanism, 1773 data bus, power harnessing, separate ACS safehold processor, main-computer memory source (EEPROMS), propulsion heaters Thorough and careful Integration & Testing – Detailed documentation of all integration procedures & anomalies – Caught errors not discovered during rapid development phase 13 - 7

NMP /EO-1 RED TEAM REVIEW Delegated Responsibilities u Managers and systems engineers identified and empowered lead engineers who have the initiative, capability, and dedication to take full responsibility for their system: performance, cost, schedule, and interfaces – u Day 2: 03/29/00 Responsible for all phases of development: design through on -orbit checkout This distributes the systems-engineering responsibility and ensures several checks on each interface – Minimizes the number of dedicated systems engineers, reducing cost – For example, the EO-1 engineer responsible for the structure also acts as the mechanical systems engineer: confirming interfaces and doing the system layout 13 - 8

NMP /EO-1 RED TEAM REVIEW Spacecraft Level Risk Management Process u Risk Identification Sources u Examples – Schedule – Cost – Performance – Use of core design personnel from development through operations – Recent anomalies on other Programs – Use of MAP design personnel during I&T process – During developments, risks identified, reported monthlies, and tracked to completion – During I&T, risks identified and tracked through PR system – – Limited Documentation Single String Design – Some elected redundancy under program constraints – Incorporation of fuse plugs for nonessential loads – Schedule/Cost – Descopes – ALI WIS and GIS detectors – 1 Gb/s fiber optic data bus – Augment team with GSFC & MAP personnel Day 2: 03/29/00 13 - 9

NMP /EO-1 RED TEAM REVIEW Sample of Monthly Risk Matrix Day 2: 03/29/00 13 - 10

NMP /EO-1 RED TEAM REVIEW Management of Critical Resources u Preliminary allocations developed for the Systems Design Review – u u Included reserves for mass and power and telemetry Resource use constantly monitored, with weekly reports – Deviations reported by subsystems as soon as discovered – Systems reallocates when necessary EO-1 allocations revised several times – In trades to reduce cost or shorten schedule – Example: allocate additional mass to structure to permit switching from a composite structure to an aluminum structure – In response to technical difficulties – Example: ALI required additional mass to meet stiffness requirement. – Day 2: 03/29/00 After as-built characteristics released reserve u Mass: after switch to Delta L/V, total mass became weak constraint u Telemetry: sufficient bandwidth for nominal and emergency ops u Power: the most-critical resource, particularly after adding Hyperion 13 - 11

NMP /EO-1 RED TEAM REVIEW EO-1 Mass Day 2: 03/29/00 u Subsystem weights were measured prior to installation on the satellite & the solid model is updated based on latest measured weights u Inertia properties are calculated from solid model u Final satellite mass will be within flight allocation – Allocation: 588 Kg – Final mass: 573 Kg, 2. 5% below allocation 13 - 12

NMP /EO-1 RED TEAM REVIEW EO-1 Power Use u Day 2: 03/29/00 Rack up of “as measured” powers for total system power for DCE and Standby orbits 13 - 13

NMP /EO-1 RED TEAM REVIEW EO-1 Telemetry Bandwidth Use Day 2: 03/29/00 13 - 14

NMP /EO-1 RED TEAM REVIEW CM Drawings and I&T Procedures u u u SAI EO 1 -CM-PLAN-001 Configuration Management Plan for the EO-1 Spacecraft (265 I&T Plans/Procedures not including Test Directives) – Covers the CM Process for all Swales generated Drawings and Hardcopy Test Procedures specific to the EO-1 Program – Process audited by outside ISO 9001 certification team and GSFC Code 300 (no discrepancies or changes required) – Subcontractors rely on in-house CM Plan/Procedures – Payload ICDs managed by GSFC CM All documentation reviewed and signed before work begins – Drawings updated following fabrication and assembly – Procedure redlines incorporated before re-running procedures – CM personnel co-located with I&T team to reduce process time Automated Test Procedures – Day 2: 03/29/00 STOL Procedures managed by EO-1 Lead Test Conductor. Changes to procedures require Data Base Change Request (DBCR) form with review by system/subsystem engineer. QA verifies that DBCR has been written prior to PR closure. 13 - 15

NMP /EO-1 RED TEAM REVIEW EO-1 Software CM u Visual Source. Safe – Flight Software stored in separate libraries – Problems & changes to source code documented with EO-1 Problem Test Report (PTR) number – Builds labeled on delivery to FSW Test Lab – After testing, code is copied from string by CD&H CM Manager – If needed, old builds can be retrieved from VSS – u u VSS can generate history report of code changes for each file PTR System – Changes to code done via PTR – Problems, design issues, and program improvements are logged – MAP PTRs tracked for issues applicable to EO-1 Delivery to Spacecraft for Test – Version Description Document (VDD) delivered w/ WOA for each new build & includes: – Description of change – PTRs implemented in the new build – Day 2: 03/29/00 Test Directive (TD) specifically calls out regression testing to be performed on load to fully test change on spacecraft 13 - 16

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements u Overall Mission QA Requirements – u NMP/EO-1 Mission Assurance Requirements (MAR) Spacecraft Bus QA Requirements covered in: – SAI-QA-008, EO-1 Performance Assurance Requirements for Spacecraft Bus – Appendix A of SAI-QA-008 covers EO-1 EEE Parts Implementation Plan & Procedure. Plan conforms to the EEE parts requirements of GSFC 311 -INST 001 for Grade 3 quality level parts. The plan is similar & based on the MIDEX EEE parts requirements. – u I&T Work Order Authorization & Problem Report System process covered in SAI-PLAN-130, the EO-1 I&T plan u SAI-SPEC-158 EO-1 Verification Plan & Environmental Specification – Day 2: 03/29/00 Subcontractor/Vendor QA requirements are dictated in existing company documentation unless specifically addressed in EO-1 Specification/SOW Covers Verification Process and design/test environments 13 - 17

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements Workmanship Standards u Day 2: 03/29/00 The following commercial, or NASA, workmanship standards are used for the EO -1 effort: – NHB 5300. 4 (3 M) Workmanship standard for surface mount technology – NHB 5300. 4 (3 A-2) or ANSI/J-STD-001 thru 006 (Hi Rel) Soldering of electrical connections – NAS 5300. 4(3 G-1) Cable, harness, & wiring interconnections – NHB 5300. 4(3 H) Crimping – NAS 5300. 4(3 J) Conformal coating and staking – IPC-D-275 [NASA alt. - NHB 5300. 4(3 K)] Printed wiring board design – EIA-625 [NASA alt. -. NHB 5300. 4 (3 L)] ESD control u Technicians required to be certified for the specific standard u Printed wiring board coupons evaluated at GSFC or by a GSFC approved laboratory. Approval required prior to population of printed wiring board. 13 - 18

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements Work Order Authorization (WOA) System u The WOA System controls all work performed on the spacecraft u Initiated by Subsystem Lead or Test Conductor, and only authorized after the following actions: u u Day 2: 03/29/00 – Referenced Procedure released through CM – Signature of Systems Mgr. , Subsystem Lead, Mech. & Elec. Leads, I&T Mgr & QA Mgr. Following successful completion of work, WOA will be closed after approval from I&T Manager & QA – If a Problem Report is issued, the WOA remains open until PR is disposition & closed – Original WOA with supporting information will then be entered into S/C logbook WOA System uses an ACCESS 97 database developed specifically for EO-1 – Provides statistics on WOAs and Problem Records, – GSFC representative has full access to database at anytime & is invited to attend all meetings – Database is located on I&T network which will be portable to the Launch Site 13 - 19

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements Work Order Authorization (WOA) System Day 2: 03/29/00 13 - 20

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements Problem Records (PRs) and S/W Problem Test Reports (PTRs) u PRs are anomalous events that are inconsistent with expected results u PRs entered into the ACCESS database system & assigned numbers associated with the WOA under which the work was performed – u PRs must be dispositioned, corrective action taken and closed before WOAs can be closed – Day 2: 03/29/00 PRs are entered into the database system as they occur Closure of PRs requires approval from responsible subsystem lead & QA u PR meeting held typically every two weeks or as required to review status & develop corrective action plan u QA responsible to follow through with Subsystem Leads on closure u PTRs are analogous to PRs in Software environment. – PTR data base maintained by Hammers Co. – FSW-related PRs generated during S/C I&T have an associated PTR – FSW PR closure requires closure of the associated PTR – PTRs also are generated during FSW testing in software lab & MAP program 13 - 21

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements PR Closure Process u Day 2: 03/29/00 Typical PR Meetings held with the following Representatives: – Responsible Subsystem Engineer (PR Assignee) – System Engineering – Swales Quality Lead – GSFC Quality Assurance Manager – Swales Program Manager – GSFC Mission Manager and or Observatory Manager u PR Closure requires agreement of all of the above u The PAR form used during spacecraft I&T replaces the Material Review Board Report form used during hardware development as referenced in the CERT Log 13 - 22

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements WOA Status u Spacecraft I&T WOA Statistics – Total number generated as 3/24/98 through 3/21/00 = 952 – Note all work prior to 3/24/98 is covered in component/subsystem certlogs Day 2: 03/29/00 – Number Closed out = 924 (97% closure rate) – Open Work Orders = 28 (as of 3/21/00) – Work In Process =8 – Open PRs = 16 (two on WOA-829) – Close Out Work =3 – In Close Out Process =0 13 - 23

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements Problem Report Status u Total number generated from 4/1/98 through 3/21/00 = 1572 u Number Closed out = 1554 (98. 9% closure rate) u Number open = 17 (as of 3/21/00) – Work In Process =9 – Test verification required =0 – In Closure Process = 5 (one potential Redbook candidate) – Redbook Items =3 – WOA 468 -20 -4 IRU Helium Exposure (see Special Topic) – WOA 770 -20 -3 One Time Event Chassis Current during EMC Testing (see Electrical Systems) – WOA 837 -20 -1 One Time Event LVPC Current Red Limit (see Power Subsystem) Day 2: 03/29/00 13 - 24

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements Critical Problem Reports u Day 2: 03/29/00 In response to Pre-Ship Review Teams request the EO-1 Project Team has identified all Problems Reports that were generated from the start of Thermal Vacuum (10/1/99) that fall in the following categories: – Flight Hardware Changes – Flight Software Changes – “Use As Is” Classification/MOC Constraint Manual – Redbook items / unknown – Under investigation (as of 3/21/00) u All Problem Reports that are classified as critical, or that remain open as of 3/21/00, are addressed within the Subsystem presentations or in the Special Topic sections u Residual Risk has been assessed for all critical and open PRs u All open Problem Reports prior to the 10/1/99 were addressed in detail at the Thermal Vacuum readiness reviews (9/24/99, 10/1/99) 13 - 25

Quality Assurance Spacecraft Bus Elements RED TEAM REVIEW Pre TV NMP /EO-1 Open Problem Reports Day 2: 03/29/00 13 - 26

NMP /EO-1 RED TEAM REVIEW Quality Assurance Spacecraft Bus Elements Summary of Critical PRs as of 3/21/00 u 122 Critical Problem Reports, all closed with exception of 4 – 7 Hardware – Re-wire thermostats and heaters on nadir deck (3) (Special Topic) – Rework LFSA power and telemetry interface (Special Topic) – Reset ALI HOP – Repair WARP 5 -volt power service – Battery Trickle Charge Fuse (ground use only) – 78 Software (see S/W presentation) – Expected because of limited testing available in the S/W lab without ETUs – Many related to improved deployment logic (20) and failure monitoring implemented in the TSM system (20) – 33 “Use as is” / constraint manual – May add complication during operations, but not residual risk u Day 2: 03/29/00 – 2 (Post 10/1/99) Redbook items – 2 under investigation (WOA-949, WOA-943) Negligible residual risk due to the critical PRs 13 - 27

NMP /EO-1 RED TEAM REVIEW Spacecraft Problem Report Statistics from 10/1/99 to 3/20/00 Day 2: 03/29/00 13 - 28

NMP /EO-1 RED TEAM REVIEW RFA #2. 06 Delta Confirmation Review (RFA #6) u Define which spacecraft-level test will not be conducted with both flight instruments installed and the rationale and how the instruments will be tested to assure mission success (safe launch and successful on-orbit performance) – Day 2: 03/29/00 This RFA has been since overtaken by events since all the instruments were available for the start of the environmental test program. Therefore, there was no need to justify a separate spacecraft-level test program 13 - 29

NMP /EO-1 RED TEAM REVIEW Critical PRs not covered in other Sections Day 2: 03/29/00 13 - 30

NMP /EO-1 RED TEAM REVIEW Integration & Testing Staff Day 2: 03/29/00 13 - 31

NMP /EO-1 RED TEAM REVIEW Integration & Testing Staff Day 2: 03/29/00 13 - 32

NMP /EO-1 RED TEAM REVIEW Integration & Testing Staff Day 2: 03/29/00 13 - 33

NMP /EO-1 RED TEAM REVIEW Integration & Testing Staff Day 2: 03/29/00 13 - 34

NMP /EO-1 RED TEAM REVIEW Integration & Testing Staff Day 2: 03/29/00 13 - 35

NMP /EO-1 RED TEAM REVIEW Additional Systems Information Section 13 a . . . Mark Perry Swales Aerospace, Inc. Day 2: 03/29/00 13 - 36

NMP /EO-1 RED TEAM REVIEW EO-1 Mission and Subsystem Modes Switch to Internal Power * Turned ON during early Mission Ops ** Includes 30 W of survival heater power Day 2: 03/29/00 Separation from L/V 13 - 37

NMP /EO-1 RED TEAM REVIEW EO-1 Changes Since Environmental Test u LVPC fuses on non-critical services: full environmental testing u S/A release HOP fuses: environmental and functional testing u New s/w: all verified by extensive regression testing – M 5 – ACS: arctan, warm start time, validate GPS data using HK RSN flag – Time code: add GPS leap second – XB: 1773 request 2 words to prevent hangup – TSMs and RTSs: table loads – TO: jam limit on APIDs, filter tables, add GPS leap second Day 2: 03/29/00 – Read/write timing for all RSNs A/D conversion (except WARP RSN) – HK RSN: GPS, time processing, and deployment (auto-detect) – ACE: SHM inhibit, IRU event message, checksum – PSE and COMM: no change other than A/D read – X-band: open telemetry limits on FDC 13 - 38

NMP /EO-1 RED TEAM REVIEW EO-1 Changes Since Environmental Test (continued) Day 2: 03/29/00 u Nadir-deck heaters re-wired; bay-5 heater on new service; fully tested u WARP removed, repaired, tested, and re-integrated for TV test u ACDS removed, opened, x-rayed, workmanship vibe, and reintegrated u LFSA: power re-work, re-integrated with full functional test u AST removed, and filter replaced, workmanship vibe, and reintegrated u Replace trickle-charge fuse with diode: non-flight path u IRU removed (from Helium exposure), 5 of 6 vent holes closed, reintegrated u Hyperion electronics removed for access to panel: re-integrated 13 - 39

NMP /EO-1 Redundancy on EO-1 RED TEAM REVIEW u u u u Day 2: 03/29/00 1773 communications bus MV memory and processes area (2 PROMs and areas of RAM) Special hardware command path for contingency commands Thermal control system: power services, heaters, and tstats S/A release: power, HOPs, switches, activation, mechanisms Backup to GPS: time and position are up-loadable Independent processor for safehold attitude Dual coils on magnetic torquer bars RCS thruster valves and valve seats S/A drive: drive motors, drive electronics, and position indicators Battery temperature monitor S-band backup for science downlink TDRSS telemetry and commanding SSPC Power harnesses, S/A and battery wiring, BERB relays ALI thermal control system Backup device for opening ALI door 13 - 40

NMP /EO-1 RED TEAM REVIEW Built-In Redundancy that Contributes to Graceful Degradation u Multiple S/A strings u 4 GPS antennas 2 S-band antennas, on opposite decks 64 amplifiers in X-band phased array 22 battery cells and large capacity permits functionality after some failure modes Two WARP memory boards, each with multiple blocks Coupled thermal control u u u Day 2: 03/29/00 13 - 41

NMP /EO-1 RED TEAM REVIEW EO-1 S/C Risk Management Process - 1 u Mostly informal: process not well documented, – u Implementation is formal: PRs, PTRs, reviews, etc. Elements of risk management – – Top-level requirements and ICDs – Active management of ICDs, looking for problems Constant communication between subsystems – Weekly, full-team, technical review meetings – Monitor cost and schedule as additional problem indicators Emphasis on design margins and approved parts – Increases reliability in single-fault areas Internal review and peer reviews – Resulted in changes and risk mitigation – Insert redundancy where mitigated risk warranted extra cost and complexity – Review requirements during development; de-scope if necessary – Day 2: 03/29/00 Sacrifice performance rather than increase cost or risk 13 - 42

NMP /EO-1 RED TEAM REVIEW EO-1 S/C Risk Management Process - 2 u Elements of risk management (continued) – Examples of changes due to technical reviews – ACE safehold on independent processor – PSE H/W and S/W: analysis and changes – Extra ACS phasing tests – X-band near-field test – Fuse plugs – Second TV test – Active investigation and implementation of other-mission issues – IMAGE (PSE, DC/DC converters, etc), MAP (Flight S/W, AST, HSSR 7111 oscillations, etc. ), TIMED (S/A cell de-bonding) – Continued communication with the related missions – Comprehensive, rigorous, integration and system test – No sacrifices in documenting integration procedures – Identifies risks – Mitigates risks incurred during rapid development – Strict and thorough attention to PRs during I&T – Take advantage of delays to further retire risk – Additional testing, including contingency and simulation testing Day 2: 03/29/00 13 - 43

NMP /EO-1 RED TEAM REVIEW Top Risks and Mitigation on EO-1 u u u Day 2: 03/29/00 Single string failure possibility: LVPCs, MV processor, COMM RSN, transponder, ACS components, PSE RSN: mitigate by continued improvement of contingency procedures and continued review of parts vulnerability WARP recovery: mitigation is full environmental testing at box level, TV at S/C level Flight software: mitigation is 2 additional CPTs, 2 nd TV, and ops sims IRU sensitivity to helium: removed from S/C, purge until launch, close extra vent holes, improve purge lines AST quality: mitigation is complete (extra testing and parts review) u SSPC fuses trip at too high current; possible problem if 1. 5 to 2 ohm short: mitigated by TSMs and FDC u A/D anomalies: testing on MAP ETU to investigate cause 13 - 44