UNIVERSITY COLLEGE LONDON

Author: A Dibbens

NRL: G Doschek, C Korendyke, S Myers, C Brown, K Dere, J Mariska
NAOJ: H Hara, T Watanabe
RAL: J Lang, B Kent, D Pike
BU: C Castelli, S Mahmoud
Mullard Space Science Laboratory: J L Culhane, A Smith, A James, L Harra, A McCalden, C McFee, R Chaudery, P Thomas, R Card, W Oliver, P Coker, R Gowen, K Al Janabi, M Whillock
SLB-EIS Project Office: A Dibbens (Orig)

Author: | Date:
Authorised By | Date:
Distributed: | Date:


| ISSUE | DATE | PAGES CHANGED | COMMENTS |
|---|---|---|---|
| 01 | 9 June 2000 | All New | Document re-issued in new numbering system. A major review of risks has been conducted in preparation for the EIS UK PDR |
| 02 | 04 July 2000 | 3,4,5,6,7 | Minor updates to paras 2 & 3. Par 4.1, EM changed to PM. Minor editorial changes to par 4.2. Par 5.1. addition of OE6. |


| Term | Notation |
|---|---|
| Impossible | 0 |
| Very unlikely | 1 |
| Unlikely | 2 |
| Moderately Unlikely | 4 |
| Moderately Probable | 6 |
| Probable | 8 |
| Very Probable | 9 |
| Certain | 10 |
| Unknown | 99 |


| Category | Element | Risk # | Prob | Owner | Event | Effect | Management | Notes |
|---|---|---|---|---|---|---|---|---|
| 0000 | Solar-B | PE3 | 1 | ISAS | Launch Delay | Extra costs | Revise schedule | Has occurred once. Considered unlikely to occur again. |
| 1000 | EIS | PE4 | 2-4 | MSSL | Incompatibility of sub-system interfaces at pre delivery integration | Failure to integrate hardware or software. Delay and/or additional costs of re-work | Rigorous attention to interface management procedures. Regular system design team meetings. Early integration checks, walkthroughs, configuration management. Allow schedule margin. | |
| | | PE4.1 | 4 | MSSL | Mechanical interfaces | | | |
| | | PE4.2 | 4 | MSSL | Thermal interfaces | | | |
| | | PE4.3 | 2 | MSSL | Optical interfaces | | | |
| | | PE4.4 | 4 | MSSL | Electrical interfaces | | | |
| | | PE4.5 | 4 | MSSL | Cleanliness interfaces | | | |
| | | PE4.6 | 2 | MSSL | PA interfaces | | | |
| 1000 | EIS | PE6 | 2 | MSSL | System failure during environmental testing | Delay in delivery whilst reworks and retests occur | Design margins and derating of components. AIV schedule to include contingency for such events. Items which are both critical and particularly susceptible to have spares available - within budgetary constraints. | Each subsystem item should have been qualified to appropriate levels by analogy, analysis or test prior to system test. Lessons learned during EM and STM environmental tests should allow us to identify the susceptible items. |
| | | PE6.1 | 2 | BU | MTM/TTM | | | |
| | | PE6.2 | 2 | MSSL | PM | | | |
| | | PE6.3 | 2 | MSSL | FM | | | |
| 1000 | EIS | PE7 | 2-4 | MSSL | Incompatibility with spacecraft discovered during integration | Delays to entire mission. Increased costs of support of rework in Japan. Possibility that instrument performance be compromised. | Close co-operation with the spacecraft design teams. Identification and control of comprehensive interface specification. | This would arise from inadequacy of interface management between the EIS and spacecraft teams. There is a vital need for prompt and reliable exchange of accurate interface information with the spacecraft teams. |
| | | PE7.1 | 3 | BU | MTM/TTM | | | |
| | | PE7.2 | 2 | MSSL | PM | | | |
| | | PE7.3 | 2 | MSSL | FM | | | |
| 1000 | EIS | PE8 | 4 | MSSL | Late delivery of instrument | Schedule impact on spacecraft programme | Establish and agree realistic delivery schedule. Establish and agree realistic requirements for each model. Rigorously control internal schedules. | |
| | | PE8.1 | 4 | BU | MTM/TTM | | | |
| | | PE8.2 | 4 | MSSL | PM | | | |
| | | PE8.3 | 4 | MSSL | FM | | | |


| Category | Element | Risk # | Prob | Owner | Event | Effect | Management | Notes |
|---|---|---|---|---|---|---|---|---|
| 1100 | Structure | PS1 | 4 | BU | Composite material shows excessive out-gassing | Contamination of optical components/CCDs | Select and evaluate materials. Plan out-gassing paths. Investigate with Contamination Model. | |
| 1300 | Optics | PS2 | 99 | NRL | Multilayer coating fails to provide adequate reflectivity or other property | Instrument throughput threatened. | Seek to fully understand the coating technology and the sources of variation of performance. Consider possibility of re-coating or provision of uncoated spares. Allow contingency for this. Consider alternative coating technologies. | This is mainly an issue with the so-called EIS-400 wavelength range coating, range 6 in EIS Science Notes (EIS-sci-notes), operating near 400 Å, which is baselined to use the relatively unknown Si/Sc multilayer pair. This risk also pertains to the ageing properties of coatings. |
| 1300 | Optics | PS3 | 2 | NRL | Optic inadequately figured or polished | Poor focusing properties leading to loss of spatial and spectral resolution. Possible need for re-work. | Form an error budget for each optical surface, allowing the system PSF to be estimated. Measure samples to validate the error budget. Unit level test. | |
| 1300 | Optics | PS4 | 99 | NRL | Grating manufacturing faults | Loss of throughput. | Error budget, with quantified error sources, is required. Test of grating performance prior to multilayer coating. | All comments also apply as per PS2 |
| 1300 | Optics | PS5 | 2 | NRL | Proposed mechanism fails to meet spacecraft disturbance torque requirement | Other Solar-B instrumentation performance degraded. | Seek alternative mechanisms (mass penalties are likely), or propose spacecraft-level observation (i.e. mechanism) control protocol. Seek to avoid this risk in the early stages of the programme. | This is an important requirement for the successful operation of Solar-B SOT. |
| 1600 | Shutter | PS6 | 2 | NRL | Motor unavailable | Shutter redesign, possible life test program (costs & schedule affected) | Explore likelihood of this, if necessary study replacement options. | The shutter design currently baselined, which has substantial space flight heritage, uses a specific (brushless) motor. |
| 1400 | Filters | PS7 | 5 | NRL | Accidental breakage of filter | Possible debris in the instrument. Excessive light at CCDs. Excessive heat input. | non-flight protective covers, spares, design for exchange procedures (including cleaning) | |
| 1500 | Slit | PS8 | 2 | NRL | Slit exchange mechanism fails disturbance torque criteria | Other Solar-B instrumentation performance degraded. | Choose a single slit (or slit/slot) that gives best all-round performance, or seek alternative mechanisms. Merge operational sequences with other instruments. | See also the comments on PS2 – PS6 |
| 1710 | CCD | PS9 | 6 | MSSL | Loss of device due to (e.g.) static discharge | Replacement needed | Provide for (in contract) adequate test-grade devices during development programme and spares of flight devices. Design for late replacement of CCD. Consider static discharge protection procedures. | Simulators may be used for many test purposes. |
| 1730 | ROE | PS10 | 2 | MSSL | High power consumption of readout electronics | Exceed instrument power budget | Carefully engineer for low power. Demonstrate at breadboard level | Possible tradeoff between readout rate and power consumption |
| 1922 | Radiator | PS11 | 5 | MSSL | Radiator cannot provide necessary CCD cooling | Radiation damage (see Operational Risks - 1740 CCD) causes unacceptable performance degradation | Seek to minimise CCD radiation damage by alternative clocking regimes and/or shielding. Consider radiator designs that avoid viewing the Earth. | The orbit and spacecraft configuration mean that Earthshine becomes a problem for efficient thermal design with a simple radiator. |
| 3410 | Electronic Ground Support Equipment (EGSE) | PS12 | 1 | MSSL | EGSE software not ready for AIV programme caused by lack of continuity of Norwegian effort | AIV cannot be accomplished | Design for interoperability with sub-system EGSE. Specify early delivery of an EGSE version which is capable of supporting a subset of functions for test use. | |
| 3420 | Mechanical Ground Support Equipment (MGSE) | PS13 | 1 | BU | Gas purge equipment - contaminates instrument | Dismantle, clean and reassemble structure and optics (TBD) | Obtain certificates of purity or equip with in-line gas analysers. Verify purity of equipment. | A purged structure is considered to be considerably easier to produce than a vacuum vessel (especially given the Solar-B mass constraints). |
| 3800 | Calibration | PS14 | 6 | RAL + MSSL | Insufficient time to complete calibration | Poor knowledge of in-flight performance - value of science data reduced | Allow schedule contingency at this stage of the programme. Rehearse calibration procedures prior to arrival of FM instrument. | |
| 1100 | Structure | PS15 | 4 | BU | Non-delivery of suitable structure | Probable termination of project. | BU to commission expert help in design and manufacture of composites. | BU may need to solicit additional funding. |
| 1710 | CCD | PS16 | 4 | MSSL | CCD quality poor | Degraded science performance | Take out option to purchase further devices, as necessary. | Contract for CCD foresees this possibility |
| | Sub-system | PS17 | 2-6 | See below | Late delivery of subsystem for integration | Schedule delay | Establish realistic schedule and then rigorously enforce. | |
| | Structure | PS17.1 | 6 | BU | | | | |
| | Camera | PS17.2 | 4 | MSSL | | | | |
| | ICU | PS17.3 | 4 | MSSL | | | | |
| | QCM | PS17.4 | 2 | RAL | | | | |
| | Optics/Mech’ | PS17.5 | 3 | NRL | | | | |
| | MHC | PS17.6 | 4 | MSSL | | | | |
| | Software | PS17.7 | 4 | MSSL | | | | |
| | GSE | PS17.8 | 3 | Var | | | | |
| | MHC | PS18 | 4 | MSSL | NRL software not transferable to flight standard | Schedule delay through need for extra work | Close Liaison between NRL and MSSL | Issue raised at NASA PDR |


| Category | Element | Risk # | Prob | Owner | Event | Effect | Management | Notes |
|---|---|---|---|---|---|---|---|---|
| 1000 | EIS | OE2 | 4 | RAL | Contamination - optics or detector | Progressive loss of sensitivity and ultimate loss of instrument, uncertainty in intensity calibration | Contamination control plan, Front door closure, Purging, QCM, CCD Heater, venting paths | |
| 1000 | EIS | OE3 | 99 | MSSL | Electronic Component failure | Possible loss of instrument or reduced scientific return | Appropriate component quality, fault tolerant design, redundant interfaces | Failure mode analysis to unit, board or component level will be carried out as the designs mature. |
| 1000 | EIS | OE4 | 2 | MSSL | “bad command” | Ranges from severe (damage to hardware?) to nearly benign (although an observation could be missed). | Identify hazardous states of the instrument. Do not allow these to be reached without operator confirmation. Allow detection of such conditions (e.g. by recording all tele-commands). | A bit error in a command sequence should be detected by checksum mechanisms incorporated into the data link protocols. This risk concerns the possibility that the operator sends a valid command that nevertheless is not the intended or appropriate one. |
| 1000 | EIS | OE5 | 4 | MSSL | On-board software error | Control program halt, output data error, & effects in "bad command" | Allow detection and reboot, periodically compare memory checksum with nominal value | probable cause: SEU |
| 1000 | EIS | OE6 | 99 | ISAS | Disturbance from mechanism of another instrument | Degraded science data | Need to manage observing sequence. Control disturbing source budget | |


| Category | Element | Risk # | Prob | Owner | Event | Effect | Management | Notes |
|---|---|---|---|---|---|---|---|---|
| 1200 | Door | OS1 | 2 | BU | Clamshell Door(s) mechanism failure | Fail closed - Loss of instrument. Fail open - possible contamination during thruster firings. | Life-test programme. Redundant heaters in actuators. | |
| 1300 | Optics | OS2 | 99 | NRL | Ageing of multilayer coatings | Instrument throughput reduced. | Perform life tests on coatings whose ageing properties are unknown. | |
| 1300 | Optics | OS3 | 2 | NRL | Scanning mechanism failure | Loss of scanning and alignment compensation | Life test programme. No possibility to move outside of functional position. Monitoring and management of movements during mission. | |
| 1300 | Optics | OS4 | 2 | NRL | Grating focus mechanism failure | (fail in focused position) Flat-fielding of detector no longer possible. (fail in de-focused position) loss of science | Life test programme. Redundant actuators. | |
| 1600 | Shutter | OS5 | 1 | NRL | Shutter failure | (fail closed) Loss of instrument; (fail open) image smearing | Select proven technology. Life test | |
| 1400 | Filters | OS6 | 1 | NRL | meteoroid strike on front filter | possible debris in the instrument. White light ingress to detector - worsens SNR. Heat input to instrument - thermal stresses and consequent misalignment | Recess filter in exterior baffle. Use segmented filter design to limit area of breakage. | |
| 1500 | Slit | OS7 | 99 | NRL | Slit exchange mechanism fails | Fail in a nominal slit position - loss of rapid imaging facility; Fails in viewfinder position - loss of spectroscopy; in intermediate position - some spectroscopy retained | Select proven technology. Life test. | (assuming mechanism with one or more spectroscopy slit and a wide viewfinder slit) |
| 1710 | CCD | OS8 | 4 | MSSL | Radiation Damage to CCD | 1. Dark current distribution 2. CTE change 3. clock bias drift 4. no longer operates (output FET latch-up) | Appropriate shielding to ensure life commensurate with mission. Monitor dark current distribution periodically. Provide means to adjust operating temperature and clocking rate. Provide ability to adjust the clock bias levels. | |
| 1A00 | ICU/MHU | OS9 | 4 | MSSL | Radiation Damage to electrical component | Data degradation. Latch-up – loss of function | Component selection to be rad hard to required level. Local shielding as required. | |