Inadvertent Firing of L1L, L1U, R4U, F3L, and F3U (ORB)
INVESTIGATION/DISCUSSION: Primary reaction control system (RCS) thrusters L1L, L1U, R4U, F3L, and F3U inadvertently fired simultaneous 80-msec pulses at 035:11:41:06 G.m.t. (001:06:19:02 MET) when aft flight controller power was switched on. The firing was consistent with a +Y/+Z translation command response. The crew reported that the aft station translational hand controller (THC) had not been deflected.
A THC translation command is produced when two of the three THC contact outputs for a given translation direction are set high. When a THC translation command output is present while the output is being sampled by the general purpose computer (GPC) at 160-msec intervals, a command is issued to fire the associated thrusters. GPC software invalidates all translation commands if any simultaneous commands for translation in opposing directions are detected when the sample takes place. When flight controller power is switched on, a 40-msec transient occurs while capacitors in the THC contact output circuitry charge causing each of the THC's eighteen contact outputs (three contacts for each of the six translation directions) to be set high during the transient. This condition produces THC translation command outputs in all six directions. If THC command outputs are sampled during the middle of a power-on transient while all THC contact outputs are still set high, software invalidates all translation commands because opposing commands will be present. However, at the end of the power-on transient, the eighteen THC contact outputs do not return to the low state simultaneously due to within- tolerance charging circuit time constant variations; therefore, THC translation command outputs produced by the contact outputs are also not set off simultaneously. If THC command outputs are sampled at the end of the power-on transient while unopposed translation commands are still present, an inadvertent thruster firing command is issued. If the reaction jet drivers (RJDs) are powered, an inadvertent firing of the commanded thrusters occurs. A similar event occurred during STS-66 when the forward flight controller power was switched on resulting in deselection of thrusters that were commanded to fire while RJD power was off. This event was initially attributed to the possiblity that a crewmember in the vicinity of the forward station may have bumped the THC, although the crewmember did not recall bumping the THC. The power-on transient phenomenon was thought to be too improbable to be the most likely cause at the time, but the subsequent occurrence of an inadvertent firing on STS-63 induced by the application of flight controller power indicated the THC power-on transient phenomenon may be the more likely cause of the STS-66 event. Shuttle Avionics Integration Laboratory (SAIL) testing accomplished after the STS-66 mission determined that SAIL hardware had a 375-microsecond window produced by the variation in charging times between the eighteen THC contacts at the end of the power-on transient during which a sample of THC command outputs might produce an inadvertent firing command, but this single data point cannot be extrapolated to predict a probability that the phenomenon will be experienced on other flight THC hardware. Inadvertent primary RCS translation firings are not desirable, but they do not pose a concern for most flight operations. Firing duration is limited, accelerations are small, and propellant usage is not significant. Where concerns exist, such as operations with a payload attached to the remote manipulator system, flight crews are being trained to disable guidance, navigation, and control (GN&C) switch redundancy management (RM) using an ITEM 16 entry on the SPEC 025 page when flight controller power is switched on to inhibit THC command processing. A software change proposal is under review that would allow the THC hotstick logic to be turned on and off as necessary to prevent automatic moding to primary thrusters for a translation firing in response to a THC power-on transient or a bumped stick.
CAUSE(s)/PROBABLE Cause(s): The inadvertent firing of primary RCS thrusters was probably caused by a power-on transient in the aft station THC circuitry that was induced by application of aft station flight controller power. THC translation command outputs were probably sampled by the GPC at the end of the power-on transient when THC contact outputs were returning to their normal state after being set high by the transient.
CORRECTIVE_ACTION: Flight crews are being trained to disable GN&C switch RM using an ITEM 16 entry on the SPEC 025 page when flight controller power is switched on to inhibit THC command processing. A software change proposal is under review that would allow the THC hotstick logic to be turned on and off as necessary to prevent automatic upmode to primary thrusters for a translation firing in response to a THC power-on transient or a bumped stick.
RATIONALE FOR FLIGHT: Inadvertent primary RCS translation firings do not pose a concern for most flight operations. Firing duration is limited, accelerations are small, and propellant usage is not significant. Where concerns exist, such as operations with a payload attached to the remote manipulator system, flight crews are being trained to prevent inadvertent firings as necesary by disabling GN&C switch RM when flight controller power is switched on.
Source: http://www.jsc.nasa.gov/news/columbia/anomaly/STS63.pdf
Home - NASA Office of Logic Design
Last Revised:
October 09, 2005
Web Grunt:
Richard Katz
