apollo experience report command and service module sequential events control subsystem

8/8/2019 Apollo Experience Report Command and Service Module Sequential Events Control Subsystem

1/24


2/24

1. Report No. 2. Government Accession No.NASA TN D-7951 3. Recipient's Catalog No.

15. Supplementary Notes

Gary W. Johnson9. Performing Organization Name and AddressLyndon B. Johnson Space CenterHouston, Texas 77058

12. Sponsoring Agency Name and AddressNational Aeronautics and Space AdministrationWashington, D. C. 20546

16. AbstractThe Apollo command and service module sequential events control subsystem is described, withparti cula r emphasis on the majo r s ys te ms and component problems and solutions.requ irements , design, and development and the test and flight histo ry of the hardware a r e dis-cussed.

The subsystemRecommendations to avoid si mi la r problems on future prog ra ms are outlined.

10. Work Unit No.914-11-00-00-72

11. Contract or Grant No.

13. Type of Report and Period CoveredTechnical Note

14. Sponsoring Agency Code

17. Key Words (Suggested by A ut ho rb ))'Sneak Circuit * Switching'Pyrotechnic Devices 'Electrica l Relays'Sequencing System 'Logic Ci rcu its'Sequential Control 'Apollo Pr og ra m

18. Dis tr ibut ion StatementSTAR Subject Category:12 (Astronautics, General)

'For Sale by the National Technical Informa tion Service, Springfield, Virginia 22151Unclassified $3.25Unclassified 24


3/24


4/24

FIGURES

Figure1 Relationship of co ntr oll ers . . . . . . . . . . . . . . . . . . . . . . . .2 C r ew compartment controller location . . . . . . . . . . . . . . . . .3 Service module jettison controller location . . . . . . . . . . . . . . .4 Lunar module separation sequence controller location . . . . . . . . .5 Reaction control sy ste m cont roller location . . . . . . . . . . . . . . .6 Typical sequential events control subsystem logic andpyrotechnic circui t . . . . . . . . . . . . . . . . . . . . . . . . . .7 Launch vehicle breakup initiates abort . . . . . . . . . . . . . . . . .8 Launch escape motor pulls command module to safety . . . . . . . . .9 Master event sequence controller fu se module. origina l design . . . .10 Master event sequence controller fuse module. after modification . . .11 Service module jettison controller changes . . . . . . . . . . . . . . .12 Multiple- oper atio ns module box location . . . . . . . . . . . . . . . .13 Earth-landing system sequence controller sneak circuit . . . . . . . .

Page22333

4991515151718

iv


5/24

APOLLO EXPERIENCE REPORTC O M M A N D A i I D S E R v i CE MODULE

SEQUENTIAL EVENTS CONTROL SUBSYSTEMB y G a ry W . J o h n s o nL y n d o n B . J o h n s o n S pace C e n t e r

S U M M A R YThe Apollo command and service module sequential events control subsystemprovides the auto matic timing and control of the cr itica l functions required for thelaunch escape sys tem and serv ice propulsion system aborts, spac ecra ft stage separa-tions, and the Eart h recovery system operations. All pyrotechnics (explosive devices)on the spac ecraft are initiated by this subsystem.Major recommendations on the sequencer design include emphasizing the installa-tion of flight components in earl y development hardware, consider ing the ease of com-ponent installation, and implementing the capability f o r checkout of all redundantelements. Because of t he heavy emphasis on safety in design and the use of speciallyscre ened components, no flight fail ures have o ccurred in the sequential events controlsubsyste m on manned o r unmanned Apollo spacecra ft.

INT RODUCT IONThe Apollo command and ser vic e module (CSM) sequential event s control subsys-tem (SECS) is a n integrated subsystem composed of the following sequence con trol lers .1. Mas ter event sequence co ntro ller (MESC), two2. Earth-landing sequence controller (ELSC), two3. Lunar docking events con trol ler (LDEC), two4. Lunar module (LM) sepa rati on sequence contr oll er (LSSC), two5. Service module (SM) jettison controller (SMJC), two6. Reaction control sys tem control ler (RCSC), one7. Pyrotechnic continuity verification box (PCVB), one


6/24

The controller operating relationship, the sou rc es of elect ric al power, and the locationof the con troll ers in the CSM crew compart ment are given in this repo rt. The SM jet-tison controllers are located on the fo rwa rd bulkhead of the SM, the LM sep ara tio nsequence controlle rs are located in the space craf t-LM a dapte r (SLA), and the RCSC islocated i n the command module (CM) aft compartment. The SECS is used t o automati-cally sequence time- cri tic al portion s of manually initiated norm al missi on functions.A typical logic and pyrotechnic cir cui t used in the SECS is shown in this repo rt.

A s an aid to the reader, where nece ssa ry the original units of m ea su re have beenconverted to the equivalent value in the Systkme International d'Unit6s (SI). The SI unit sare written first, and the original uni ts are written parenthetically there after.

C0NT 0LLER RELATThe interrelationship of

O N S H I P, POWER SOURCES, AND L O C A T I O Nhe CSM SECS individual controllers and applicablesources of power are shown in figu re 1. The location of the controllers in the CM crew

compartment is indicated in figu re 2; the SM jettison cont rolle rs on the forw ard bulk-head of the SM in figu re 3; the LM separat ion sequence c ontr oller s in the SLA in fig-u r e 4; and the RCSC in the CM aft comp artme nt in figure 5. A typical SECS logic andpyrotechnic circuit is shown in figure 6.

LEntry andpyro l q i cbatteries

cells

Diw lays and control s +b

TMastereventssequencecontroller

* -I ttact ion I I LM

I1m ItEarth-

lapding. equencecontrollerPyrocontinuity

I I

Figure 1. - Relationship of cont ro ller s.

Earth-landingsequencecontrollersLunar dockingTJQ events controllersK-RiZH sequence controller s

Master events

pressure w is ing l ine-L

Figure 2. - Crew compartment controllerlocation.

2


7/24

Service module jet t ison control lers./ ti

Figure 3 . - Service module jettisoncontroller location.

Helium tanksystem 8

cont ro lsystemcont ro l l e r

Figure 5. - Reaction control systemcontroller location.

Figure 4.- Lunar module separationsequence controller location.D E S I G N PH I LOSOPHY

The following is an outline of thedesign philosophy applied to t he SECS.1. The subsystem shall contain nosingle-point failu re that wi l l cause eitherpremature operation or lo ss of a function.2. The subsystem shall consist of adual- redundant, electr ica lly isolated, sep-arat ely powered, and sepa rate ly initiatedsystem for all functions.

3. No electrical crossovers shall exist between the two redundant syst em s exceptthrough electromechanical contacts (relays).4. Failures in one part of the SECS shall not propagate to the redundant part.5. The logic control must obtain operating power from a source separate fromthe pyrotechnic power source.6. A l l pyrotechnic devices shall rem ain electric ally shorted until firing.

3


8/24

Q

-

Manual backupswitch

-

NCf2-r1 attery- 0A-h r

Pyrotechnic arm-

Motorg-+JII

L attery0175 A-hr 6-Q

Systems testmeter

I I

NC T h N o

I I

l o I

FusistorQ ntry and post-landing batteryone of three+Pyrotechnic retur n

Logic returnNO Normally openNC Norm ally closedTD Time delay

(@ Relay0 ogic switch

@ Redundant source oflogic power

@ Relay contacts con-trolle d by logic ofprevious event@ Automated contro l tonext eventdevice

Figure 6. - Typical sequential events control su bsyst em logic and pyrotechnic circu it.7. The subsystem s hall have provisions fo r prelaunch ground sup port equipment(GSE) hardline monitoring.8. Logic and pyrotechnic ele ctr ica l grounding points shall be isolated electri-cally and physically.9. All power-source negative lines shall be re turne d to vehicle ground pointindividually.vehicle ground point.The syste m shall have no ele ctr ica l grounds to the vehicle except at the

10. Shield circuits shall be grounded inside the controller and at the pyrotechnichousing. Th er e must be 360" shielding between the shield and the pyrotechn ic c ase.11. The sequence controllers shall be bonded electrically to the spacecraftframe.

4


9/24

12. All pyrotechnic circuit wiring shal l consis t of twisted, shielded pai rs ofconductors.13. All pyrotechnic connectors shall be keyed so that nonpyrotechnic connectorscannot be connected to pyrotechnic devices and so that adjacent pyrotechnic connectors

cannot be interchanged.14. Circuit protection, fault isolation, and cu rre nt limiting shal l be provided inall pyrotechnic circuits.15. Te st points shall be provided f o r checking all redundant ele men ts andcircuits.16. No flight connec tors are to be broken (demated) to per form sy ste ms checkout.17. Ground suppor t equipment connectors w i l l be provided fo r checking pyro-technic bridgewire resistanc e after final pyrotechnic installation.18. Redundant firing c ircu its shall be routed through separate connectors;redundant functions shall be located in s eparate controllers; logic circu its shall berouted through connectors sepa rate fr om the pyrotechnic circu its.19. All logic timing circ uits must fail long, not short (must fail to infinity).20. Manual backup switching must be provided on all crew-safety functions.21. The two series relays shall be mounted in such a manner that the vibration-sen si tiv e ax is (actuation plane of contac ts) of one re lay is orthogonal (90") to the sens i-tive axis of the other relay.In a few cases, these criteria were not applied ac ro ss the board because of space-craf t volume and schedule constraints. For example, in the ca se of the PCVB andBlock I1 RCSC, the redundant sys te ms were located in the sa me box.

DEVELOPMENT H I STORYInitially, the sequencing syste m fo r the Apollo res ea rc h and development (R&D)flights was to be developed at the NASA Lyndon B. Johnson Space Cente r (JSC) (form er ly

the Manned Spacecraft Center (MSC)). However, in March 1962, the responsibili ty forthe R&D sequencing sys tem was assi gned to the Apollo CSM contrac tor. The initialMSC design was a dual- redundant rela y design, using flight- qualified components s imi -lar to those used for Projec t Mercury. However, the contractor elected to design asolid- state logic s equencer with motor- switch power output circuits.In Ja nu ar y 1964, the MSC Eng ineering and Development Dir ecto rate yas givenApollo subsy stem design and management responsibility and, in Marc h 1964, the solid-state sequencer design was reviewed by personnel fr om the MSC because numerousfa il ur es occurr ed during prefligh t test ing of boilerplate 13 (BP- 13). The review

5


10/24

revealed that the solid- state design was unnece ssarily complex and that numeroussingle fai lu res could cause out-of-sequence functions to occur. It was pointed out thatchanging to a rela y design could eliminate the single-point failures, result in the use offe we r components, and provide re liab le function. For the BP- 13 flight, a relay wasadded to the existing solid-state design to protect the circuit f rom inadvertent opera-tion. Concern was express ed that the operational mission sequencer, which was of asolid-state design sim ila r to but more complex than that used in the BP-13 vehicle,would not provide sufficient reliabil ity for the Apollo spacecr aft. In Apr il 1964, a sub-contractor made a trade-off study of the sol id- sta te design and of a relay design; theconclusion was that the rela y design would be less complex, mor e flexible, and mor ereliable. In May 1964, the subcontracto r was reques ted to design, fabricat e, and testan electromechanical (relay) type MESC. In June 1964, the redesigned mis sionsequencers (MESC and SMJC) were reviewed by the MSC and were judged to be satis-fac tory. However, the ELSC design was not reviewed, and the contr act or was requestedto i mpose upon the ELSC design all the cri teria that we re applicable to the MESC design(i .e., no single-point fail ures ). In late Jul y and ea rl y August 1964, the CSM contractorrequested that the subcontractor eliminate the motor switches from the operationalsequencers. This request was made because of pr oble ms that occ urre d during testing(excessive tra ns fer tim e, low- an d high- tem pera ture sensitivity, susceptibility to tran -sients, and high contact resistance). On August 20, 1964, the entire sequencing-systemdesign was reviewed. A t that time, it was decided to move the ELSC fr om the forwardcompartment and relocate the controllers in the crew compartm ent, because thesequen cers were not accessib le with the forward heat shield installed. A decision wasmade that te st points would be made available to v erify final hookup of pyrotechnicinitiato rs in the Earth-landing syst em (ELS).

It was a ls o decided that an investigation of the single-point fa ilu re mode of CMswi tches would be conducted, because fa ilu re of a switch could cause premature systemoperation. The investigation disclosed that, accordi ng to the prel imi nary schematic,single relays were being used to fire pyrotechnic initiators, which resulted in a single-point-failure design.

The contractor reported that redesig ning the ELSC to eliminate the single-pointfailures and incorporating test points (GSE ac ce ss connector) for final connection veri -fication of the ini tiat ors would resu lt in large costs and would affect the schedule.An interim a rm/ disa rm circuit was added to the existing design so the R&D mis-sions could procee d on schedule. This circuit was added to keep the pyrotechnic sub-system disarmed during the mission until tim e to fire pyrotechnic devices, thusminimizing the timespan during which potential single-point failures could occur.design concept was incorporated into the R&D mission sequencer that was used at the

White Sands Missile Range on the boilerp late fl ights and on sp acec raf t 9 (SC-009).This

A new junction box was designed that would provide a GSE access connector forcheckout of the ELS pyrotechnics.and subsequent vehicles.

The new junction box was designated the PCVB, andit operated in s er ie s with the ELSC. U s e of the new PCVB became effective on SC-009

In October 1964, failure problems were experienced during the testing on the R&Dmissio n sequencer during vibration exposure. The failure s were caused by broken

6


11/24

harness wires at relays, a broken internal coil lead to a latching relay , and contamina-tion on time-delay rel ay contacts. The broken coil lead and broken wir es at the externalrelay terminations were caused by exc essive st re ss resulting f ro m amplification ofvibra tion of the seque ncer chass is. The contact contamination was an organic film thatresul ted fr om sold er-flux re si n being washed onto the contacts by a cleaning solvent.Encapsulation of the rel ays into the c has sis as sembly solved the problem of area vibra-4L i u f i amplification. A burn-in procedure to cycle the re lay s (br eak down the contact filmby the slid ing act ion of the contacts) was used to scree n the relay s fo r contact contami-nation. Because of these probl ems, the relays to be used in the operational Apollosequencer wer e incorporated into the R&D mission sequencer to gain tes t and flightexperience e ar ly in the program.

During vibration testing (April 1965) of the mission sequencer that contained theoperational relay s, contact resonance occu rred and caused unacceptable contact chatter.The manufactu rer of the re lay resolved this problem by a design change that involved theinstallation of a vibration damp er in the relay.relay fa ults o ccurr ed before the problems could affect operational hardware. The effortrequi red to resol ve the prob lems caused by re lay design emphasizes the need to qualifyhardware as soon as poss ible during the R&D phase of a program. Design problems,associated with the GSE pyrotechnic simul ators that caused failu re of flight sequenc ersbecause of ove rload conditions, were discovered during checkout of the boi lerpla te vehi-cles. The design problem that caused the overload condition w as the us e of normallyclosed relay contacts (closed when the relay coil is unpowered) to apply the simulatedpyrotechnic load. Los s of facili ty power to the GSE prevented the cur ren t- sensing ci r-cuit from interrupting the load (applied by the deenergized relays).redes igned to remove the load (to be fail- safe) when electr ica l power was removed.

The discovery and cor rec tion of the

The GSE wasA l l Block I operational Apollo sequence controllers were qualification tested dur-ing 1965. Two models of each type of control le r were subjected to qualification testing,

One unit was exposed to design proof testing, thus verifying that design para mete rs hadbeen met. The other unit was mission simulation teste d (one operational cycle and onesubsequent mission cycle at nominal miss ion conditions) and then subjected t o off-limit(extreme st res s) testing at levels not exceeding 2.5 ti me s the design proof level.Six ma jo r probl ems were encountered during qualification testing.1. Long timeout of the ti me de lays in the firs t cycle (after long-term storage orexposure to high temperature) was caused by impurities in the timing capacitor.problem was resolved by using a different type of capacito r and screen ed par ts . The2. Pyrot echnic-fir ing relay con tacts became welded closed when inter rupting cur-

rent (because the no rmally closed contact was connected to ground).resolved by using a rel ay in which the normally closed contact was ungrounded to inte r-rupt the current.The problem was

3. Silver partic les inside a stud-mounted diode caused a short to the mountingplate.diodes were X-rayed.To scr ee n out the sil ver particles causing the electri cal shorts, all stud-mounted

7


12/24

4. Misalined relay contacts caused the relay to fail. New weld pr oc es s co ntrolsand inspection were incorporated to prevent rel ay c ontacts from being misalined duringwelding.

5. Hangup of a baroswitch plunger prevented the baroswitch fr om operating.Tighter dimensional limi ts were established fo r the baroswitch plunger and outer caseclearance to prevent this hangup.

6. Moistu re under a conformal coating resulted in a dec reas e in the insulationresistance.rubber coating on the components and wiring in the sequence controller.The conformal- coating/humidity p rob lem was resolved by using a silicone

In Jan uary 1965, a redesign of the Block I1 sequencing syste m was proposed toconsolidate all the sequencing functions into two co ntr oll ers pe r s yst em (one in the CMand one in the SM) instead of the five controll ers p e r sys tem used in Block I. The newdesign would in corporate the added Block I1 miss ion functions (docking) and would elim-inate the single-point f ai lu res and checkout limitat ions in the ELSC. The new designwould involve the sa me components (rel ays , time delays, etc. ) and would save weightand space. For future hardware (part of Block 11), a study was proposed to investigatethe feasibility of so lid -sta te component mechanization of the sequencing sys tem. InJune 1965, the proposal was turned down on the basis that the experience gained on theBlock I hardware would provide g re ate r ass ura nce of reliability than that to be gainedthrough simplification and improvement s of the s ys tem if the system were redesigned.A decision was made to eliminate the single-point fai lur es in the Block I sequencingsys tem and to design the Block I1 functions into new ass embl ies , so that the Block Iequipment would be changed as little as possible i n the transi tion fr om Block I toBlock I1 spacec raf t. In July 1965, it was decided to eliminate the single-point fail ure sin the ELSC by adding series rel ays t o the PCVB.were to be perfo rmed by two new controll ers , the LDEC and the LSSC.The additional Block I1 functions

In May 1965, a review of the elect rica l schemat ics, during the SC-009 designengineering inspection, revealed that a single-point failur e of a connector (P/J7) on theMESC would give an inadvertent automatic e mergency detection syst em (EDS) abort .A jumper was provided to elimin ate the connector single-point failure.In December 1965, a manual switch failed to operate during the thermal-vacuumqualification test.add redundant panel switches on manually initiated crew-safety functions on all mannedApollo spacecraft.

Because of this failure, a change w as approved in Janua ry 1966 to

On May 19, 1965, the need fo r an automatic ab or t sys tem was demonstrateddramatically during the BP-22 flight at the White Sands Missile Range.vehicle disint egrat ed because of e xcessive rol l when a control surface failed hard- overduring launch (figs. 7 and 8). When the abort-initiate wir es broke in the launch vehicleand deenergized the CM abort r elays, the abort was initiated automatically. This prob-lem highlighted the us efu lness of a hot-wire abo rt s yst em (an opening in wir es poweredfrom the spacecraft initiates the abort) to detect launch vehicle s tructu ral failure andsafely abort the flight and r ecover the spacecraft.

The launch

8


13/24

Figure 7. - Launch vehicle breakupinitiates abort. Figure 3. - Launch esca pe mo tor pullscommand mojule to safety.In Ja nuar y 1366, during plugs-in test ing on SC-009 at the NASA John 3'. KennedySpace Cente r (KSC), a failure occurred on the ELSC main-parachute-deploy relay. TheGSE pyrotechnic sim ulato rs were overloading the rela y coatacts during checkout. Thisoverload ca used the rel ay contacts to weld closed and allowed the main-parachute simu-lators to fire when the ELSC pyrotechnic bus was armed.sequencer system circuits were changed to eliminate th is problem. The GSE was madecompatible with the actual spac ecra ft circuit- loading requireme nts, and the seqa ence rci rc ui ts were modified to re duce the loading on the ELSC re lay contacts. Testing was

perfo rmed to ver ify that the new design could meet o r exceed the mission requirements.

Both the GSE and the

On February 26, 1966, SC-009 (Apollo/Saturn 201) was launched. This was thefirst flight for the Block I SECS (consist ing of the MESC, SMJC, ELSC, RCSC, and thePCVB). Only th e ELSC and PCVB had been flight tested previously (ELSC and PCVBon SC-002 and ELSC al so on BP-22). Because the veh icl e was unmanned, the non-standard Block I equipment flown included a postlanding sequence controlle r, an impactswitch, and a fuel-dump box.During the entry phase of the mission, the circuit bre ake r that powered thesequencer sys tem B re lay s (arming the logic and pyrotechnic bus) opened.rence caused a lo ss of power to the syste m B sequencers and resulted in the los s of

sy st em redundancy.and postlanding functions sati sfac torily, except for the main-parachute disconnect andCM reac tion control sys tem (RCS) sys tem B propellant dump.requi red both syst em s to be operational. Postflight fail ure analy sis revealed that awire (associated with a never-implemented SM thermal control syst em) was powered bythe system B circuit breaker and was not deadfaced at CM-SM separation. Duringent ry heating, the wire shor ted and caused the circuit bre ake r to open, which causedloss of function.tro l sys tem was eliminated, and the latest vehicle drawings did not show the wire.

This occur-The remaining system A performed the re quired Earth-landing

The latter two functions

The wire had not been disconnected or removed when the thermal con-

9


14/24

This problem under score d the need to disable unused, powered ci rcu itry and to havevehicle drawings refl ect the actual vehicle configuration (both functional and nonfunc-tional). Fr om Jan uar y 1966 to July 1966, the seque ncer hardware was qualificationtested i n support of the manned Block I and Block I1 spa cec raf t requ iremen ts. Thehardware unique to the Block I1 mis sio n req uireme nts was qualification teste d fr omAugust 1966 to December 1966.On August 25, 1966, m is si on AS-202 (SC-011) wa s launched, and no pro ble mswere experienced on the sequenc er system during the mission. The sequencer hard-ware was the same as that used on SC-009, except that the PCVB contained the relaysto eliminate the ELSC single-point failure. During the first (August 1966) and second(October 1966) manned thermal-vacuum tests of SC-008, the syst em B MESC did not

provide the CM- SM sepa rat ion functions under a 34 474- N/mZ (5 ps i) environment , butit did function at 101 353 N/m The failure was repeated on the MESC in avacuum chamber at the vendor facility. The circu it perfo rmed in the manner of a baro-switch; that is, it opened a t altitudes gr eat er than 7010 me te rs (23 000 feet) and closedat altitudes le ss than 5791 met er s (19 000 feet). Subsequent fai lur e analysis revealedthat the problem was an inadequate sol der joint at a diode ter minal. The expansion ofthe flexible potting in the diode module (cordwood construction), caused by entr appedair bubbles, separ ated the diode fro m the solde r termin al. This open circu it preventedthe CM-SM separation rela ys from energizing. The fault was corre cted by the us e of ahar d and relatively inflexible encapsulating ma ter ial and better quality control on solderconnections. This failure emph asized the need fo r screeni ng flight hardware by testin gelect rical hardware functionally under spacecraft- environmental conditions.

2 (14. 7 ps i).

In January 1967, dur ing test ing of RCS engines on SC-012, the sys te m B SMJCdid not energize the plus-roll SM RCS jets (5. 5-second ti me d elay timed out in 0 sec-ond). Failu re analy sis revealed a shorted output trans isto r in the ti me delay. Anal -ys is of the tr an si stor indicated fai lure was caused by high-voltage punch-through(negative- voltage trans ient exceeded tra ns is to r rating). Te st s indicated 500- to600- volt negative spikes f rom the RCS engine solenoids (inductive kickback) duringengine firings. A diode was added to the SMJC 5. 5-second time delay to prevent tran-sie nts from damaging the output tra nsi sto r. Arc-s uppre ssion diodes could not be addedto th e engine solenoids because doing so would incr ea se the minimum pulse ti me whenthe engine was fired.

After the SC-012 fire in January 1967, flammability tests were conducted on anMESC in a 110 316-N/mtemperature-vulcanizing (RTV) encapsulant on a wire, har nes s inside the box resultedin self-extinguishment of the fire.

2 (16 ps i) oxygen environment. Ignition of the room-

The Block 11 RCSC underwent qualification testing fr om Jan uar y 1967 toMarch 1967. Numerous pro ble ms were experienced with the rela ys (contact chatt er)and with the time delays (long timeout) during vibration testing. The fai lur e analy sisrevealed that the components received exc essiv e vibration cau sed by amplification inthe chassis. In addition, the testing dete rmined that the relay in the assembly was notdesigned fo r the test-vibration levels used and that the time-delay capacitor sealsbecame deformed under v ibration and caused electr olyte leakage (long timeout).

10


15/24

The RCSC was designed by the electr ical group, even though it was considered asequenc er (fired pyrotechnics). A l l the other seque ncers in the sys tem were designedby the sequenc er group. As a result, the earl y R&D flight experience gained on thesequencers was not applied to the RCSC. The vibration-amplification problem experi-enced in the R&D pro gra m and the ELSC vendor design experience resu lted in all relaysbeing encapsulated in the units designed by the sequencer group. These se quenc ers al soused fiight-proven high- reliabilit y relays and time delays. Because of the fail ure of arelay used in Block I to switch three-pha se alterna ting-curre nt power, the electricalgroup used a new re lay design in the Block I1 hardware. This new re lay was used in theBlock I1 RCSC in place of the flight-proven re lays used by the sequencer group.

The co rrec tive action taken to resolve RCSC rela y problem s included the encap-sulation of the re lay s and time delays in the circuit, the r eplacement of the ele ctric al-group-designed relay with a sequencer- group-designed relay, and the vibration screenin gof the capaci tors used in the time delays. This problem il lust rate s the need to have acommon design philosophy and to apply the experience gained from the developmenttesting throughout the subsystem.In September 1967, dur ing integrated test ing of SC-020 at the contractor site, asystem A SM minus-roll engine circuit shorted when the engine was turned off. Theproblem was t raced to a stud-mounted diode in the RCSC; the 0.005-centimeter(0.002 inch) thick mica washe r had been damaged during installation. Late r, duringrepeated application of high- voltage transie nts caused by the inadvertent rem oval of theground from the arc- suppress ion network, a breakdown occurred at the mechanicallyweakened point. The corr ecti ve action taken on Block I1 was to install a thicker micawasher (0.013 centimeter (0.005 inch)) to give added mechanical and diele ctri c strengthand to modify the diode- installation procedures.The problem could be partially attributed to the original installation design, in

which a very thi n and fragile mica washe r was used to obtain better heat tra nsf er thanwas necessary.therefore, it would have been wi ser to use a thicker, less fragile washer that couldwithstand so me handling without damage. This fact exemplified the need for a designerto consider not only what provid es the best performance, but als o the ease of assembly,the durability, and the maintainability of the system.

No heat- sinking problem existed in the minus- roll engine circu it;

On November 9, 1967, the Apollo 4 mission (SC-017) was flown. No problemswere experienced in the sequential system.failu res in redundancy; therefore , to ensure that no failures had occurred, postflighttests were run on all sequence controllers.The in-flight telemetry did not indicate allThese tests verified the absence of fail ures .

In January 1968 at the KSC, the 2.0-second time delay in the sy ste m A SMJC onSC-020 failed at initial turnon (no time delay) during integrated testing.analysis revealed that the output transistor was shorted by a high-voltage negative tran-sient. Testing revealed that the transient was generated when the circuit breaker wasopened on a GSE box that powered the SMJC. Opening th is circuit breaker deenergizedthe SM RCS engine simulator, which generated a much greater kickback voltage tran-sie nt than the engine solenoids. This transien t, coupled with the opening of the circuitbrea ker which removed the bus arc-suppr ession network, resulted i n a voltage tran-sient that exceeded the 185-volt capability of the SMJC circuit tran sisto r. The

The fail ure

11


16/24

correcti ve actions taken were adding arc- suppre ssion diodes to the GSE circuitbrea kerbox and converting the RCS engine simu la to r (A14- 275) to a purely resistive load.During this period, two design changes were made to the sequential syste m onCSM- 101 and subsequent vehicles. A crew- safety- cri tic al single-point f ail ur e exist edin the launch-escape-tower-jettison circuit. If a shor t to ground occurred n ear the

tower leg connector in the negative ret urn of the abort-m ode relay, the sho rted sys temwould not switch from the launch escape syst em to the serv ice propulsion syst em (SPS)abort mode. If an SPS abort were initiated in this abnorm al condition, pre ma tu reCM-SM separati on would occur. The corr ecti ve action was to replace the two-positionpanel switch with a three-position switch to provide a redundant method of switch ing therelay to the SPS abo rt mode. The second change was provid ing additional GSE connec-to rs f o r checkout and separati ng the pyrotechnic and logic wiring leading to the PCVBand LDEC.spacecr aft connector was disconnected to check pyrotechnic bridgewire resistan ce.This correction made it possibl e to rev erify the logic circuit s when theIn Febru ary 1968, the Configuration Control Board approved the addition of circ uitbrea kers on CSM-101 and subsequent vehicles to isol ate the pyrotechnic bus fro m themain-parachute- disconnect pyrotechnic circuit. Isolation prevent s prem atu re discon-nection of t he main parachut es caused by a crew- safety- critical single-point failure ofthe panel switch. On April 4, 1968, the Apollo 6 mission (SC-020) was flown. Thesequential systems performed all the required mission functions satisfactorily.In May 1968, at the CSM-101 phase I11 Customer Acceptance Readiness Review,the MSC indicated that the A14-275 RCS engine simulator at the KSC had not been modi-fied to prevent SMJC damage. Because the simu lat or inductance function was needed,the board decided to i nstall switches in the A14-275 to allow the KSC to enable o r disablethe inductive load port ion of the simula tor. A l l the simula tors a t the contractor facilityhad the inductance disabled,However, in June 1968, the SM jett ison co nt ro ll er s on CSM-101 at the KSC had tobe replaced because the arc-suppression network was ins tall ed on the wrong s ide of theci rcu it in the GSE cir cu it br ea ke r box. The GSE box was reworked to the prop erconfiguration.In July 1968, during prepara tion fo r the CSM-101 unmanned chamb er test at theKSC, a 5-ampere fus e in the sy ste m A MESC was found to have been blown. Trouble-shooting revealed that a shorted wire in the transla tion hand controlle r caused the blownfuse. The fuse was replaced. During the MESC retest, wires that had been dematedand then remated were found broken at the pyrotechnic connectors. This experiencepoints out one of the hazards that must be considered when hardware is removed from

the spacecraft and emphasizes the need to reverify the integrity of eve ry wire associ atedwith connectors that have been disconnected.Spacecraft ala rm s occ urre d when the CM RCS hea ter switch was turn ed off duringthe manned cha mbe r tes t on CSM-101 a t the KSC and at the integrated tests at the con-tr ac to r facility (CSM- 104), Investigations revealed that the al a r m s were caused bydeenergizing the CM RCS engine solenoids. According to te st pro cedures being used atthat time, when the CM RCS heate r swi%ch s turned on and off, the CM arc -sup pres sionnetwork is disabled. The problem was resolved by a procedu ral change that would

1 2


17/24

prevent the problem during ground checkout. This change was transf errin g the enginelogic (including the arc-supp ressio n network) to the CM RCS before tu rning off t hehea ter switch. Later, a n arc-su ppres sion network was insta lled on the CM RCS cir -cuitry f o r CSM- 108 and subsequent vehicles.Block I1 sequential system hardware was initially flown on the first manned Apolloflight {Apollo 7) on October 11, 1968.tial systems.chutes occurred at the pr op er altitude; no manual backup switches we re used. Thecommander reported a delay in disconnecting the main parachutes aft er splashdownbecause he had c lw ed the switch guard on the ELSC logic switch befo re impact, beingconcerned that his knee might hit the guard at that time. The syste m is so designedthat closing the switch guard wi l l put the switch in the open position, which rem ovespower from the ELSC and recycl es the 14-second tim e delay. The ELSC logic switchwas tur ned on af te r splashdown, but it did not activate until after the 14-second timedelay to time out. The delay in disconnecting the parach ute s could have been the re aso nthe spacecraft turned over (stable I1position) after landing.

No pi*obkiiis were exyerieiicecl with the aeqien-The Apollo 7 cr ew repo rted that the automatic sequencing of the para-

On December 21, 1968, the Apollo 8 mission (CSM-103) wa s flown without anyanomal ies noted in the per formance of the SECS. However, a change in the cre w launchproce dures fo r the sequencer syste m had been made fo r thi s mission. During launch,the co mmand er opened the sys tem A and B SECS ARM circui t b re ak er s afte r tower jet-tison to di sa rm the CM-SM sep aration toggle switches. The reaso n fo r the proce duralchange w a s to prevent a pr em at ur e CM-SM separa tion in the event of the failure of acrew- safety toggle switch. Fai lur es that could possibly cause pre mat ur e operation hadocc urr ed in sim ila r toggle switches before the flight. A contact button could be loosein the switch, bridging the gap in the open contacts and energ izing the function prem a-turely. The CM-SM separation switc hes are classified as crew- safety- critica l afte rtower jettison; therefore, that was the time chosen to di sa rm the switches. The fail-u r e s that had occurre d were too close to the launch date fo r the switches to be replaced,so the procedural change was made. On subsequent spacecraft, the crew-safetyswitches w ere scree ned by means of X- r a y s fo r evidence of loose contact buttons.

Additionally, in la te 1968, a n SM overcurrent motor switch in the electrical powersystem failed during the altitude chamber test on CSM- 104 at the KSC. Investiga tionsrevealed that the failure was caused by transi ent s generated by the A14-275 RCS enginesim ula tor s. In Jan uary 1969, the CSM- 104 Flight Readiness Review board dire cte d thecontr actor to modify the simulato rs to prevent the transient problem. This time, allsimula tors were modified to present a res ist ive load. This problem is a n example ofhow neglecting to c or re ct a prob lem in te st hardware quickly, prope rly, and at allphases of sp acecra ft testing resu lted in flight hardware being damaged. Not all unitshad been modified as long as a year after the first direction was given to modify theA14- 275.

During the checkout of LM-4 and CSM-106 LSSC ci rcui try in Febr ua ry 1969, a nLM-SLA tension-tie circuit was cro sst ied with the guillotine circuit in the LM. Thiscrosst ie resulted in a much longer wire run for the pyrotechnic-guillotine circuit. Theprob lem would not have been disco vered if a n old te st battery that had a lower-than-nominal output voltage had not been used, The reduced output voltage, coupled with thehigher resistance path (a longer wire), resul ted in the pyrotechnic sim ula tor box not

13


18/24

receiving sufficient current to prese nt a GO indication. Investigations revea led that theproblem was caused by miswiring. The miswiring was caused by lack of a clear defini-tion of the inte rfa ce in the inter face control document (ICD). The ICD could be inte r-pre ted to indicate that both the LM and the CSM were wired correctly. Correctiveaction was taken to interchange wires at the s ystem A and B LSSC connectors. Th isproblem indicated the need to test spacecraft circuits, not only at nominal voltages butalso at design-limit voltages, to verify that the vehicle (as built) will meet the designrequirements. Also, in an ele ctr ica l connector inter face ICD, every pin should beidentified clear ly on each side of the interf ace.

On March 3, 1969, the Apollo 9 mission (CSM-104) was flown; this mis sion wasthe fi rs t on which the luna r-miss ion functions were perfo rmed by the LDEC and theLSSC. A l l the sequential system functions were performed satisfactorily during themission.On May 18, 1969, t he Apollo 10 miss ion (CSM-106) was flown and resul ted in thesucce ssful operat ion of all sequential functions. Some proce dural changes wer e madeon this flight because of concern over having the seq uence r sy ste m arm ed at time s when

it was not to be used. During launch, t he ELS switch was in the automatic mode fo r thefirst 30 seconds of the missio n to have the automatic ELS capability f o r near-pad abort.Then, this switch was placed in the manual position. F o r ent ry after CM-SM separa-tion, the pyrotechn ic bus was to be disarmed, then rea rmed at an altitude of15 240 me te rs (50 000 feet). Then, the ELS switch would be in the automati c positionat a n altitude of 9144 met er s (30 000 feet).In May 1969, when a review of the sequentia l syst em was being conducted by theMSC to locate te rm inal boards of a configuration on which fai lur es had occ urr ed (ref. l )it was discovered that two EDS abort signals we re pa ssed through the s ame space craftelectrical connector and that two booster- engine- cutoff commands went through anot hersingle connector on the MESC. The se connecto rs would be single-point fail ures that

could cause an ab or t of the mission. Clear ly, th is situation was a violation of the EDSdesign subpanel ground rule f o r routing redundant EDS functions through sepa rat e con-nectors. This ground rule was established in November 1966 for the Block I1 CSM EDS.The co rrecti ve action wa s to safety-wire the connectors togethe r on CSM- 107 andCSM- 108 to pre vent inadvertent disconnection. On CSM- 109 and subsequent vehicles,these critical functions were routed through separate connectors.In Ju ly 1969, during accep tance testi ng of a n MESC, the apex-cover-jett ison func-tion failed t o occur. Investigations revealed that one pin of a fuse-module connectorwas not seate d properly. Analysis of the fuse- module connector-assembly tol era nce sindicated that a margin al pin/socket engagement condition could exi st (fig. 9). Cor-rective action was taken to remove two flat washers and to insert a thinner O-ring

(0.124- centimeter (0.049 inch) compared with 0.178- centimeter (0.070 inch) o r0.157-centimeter (0. 062 inch) thick (fig. 10)) to provide add itional engagement distan ce.Thi s change was effective on CSM-108 and subsequent vehicle s.On Ju ly 16, 1969, the first lunar-landing mission, Apollo 11 (CSM-107), waslaunched; no probl ems relate d to the SECS occur red. The only proce dural change madewas that the ELS logic switch was set on manual after tower jettison rather than atT + 30 seconds as had been done on the Apollo 10 launch. Thi s change was a crew-preference revision to the launch procedures.

14


19/24

0.145 c m I(0.057in. l ,L C o m p r e s s e d ~

O-r ing ~

Figure 9. - Master event sequence con-trol le r fus e module, original design.

C o m p r e s q 0 i d c r n 1O-ring 10.025 in.]

Figure 10.- Master event sequence con-troll er fuse module, after modification.

In August 1969, a change was made to power the crew-safet y CM-SM separationswitches fro m the ELS circuit b reak er s (instead of fr om the SECS ARM circu it break-e r s ) on CSM-109 and subsequent vehicles. This change would allow the switches to bedisa rmed, except during the launch and entry phases of the mission.A t that time (August 1969), a post-flight SM trajectory analysis revealed thatthe SM maneuvers after CM-SM separationwere not satisfactory for preventing pos-sible CM-SM recontac t during entry. InNovember 1969, a directive was issued tomodify the SMJC (fig. 11). This modifi-cation consi sted of replacing the5. 5- second plus- rol l engine t im e delayswith 2.0-second time delays and adding25-second tim e delays to tu rn off the

minus-X RCS engines.During the Apollo 1 2 launch(CSM-108) on November 14, 1969, thespacecraft was st ruck by lightning, andthe spacecraft electronic sys tem s wereaffected. Pri maril y, the overload-protection electronics equipment that

sm To X-axisbus thrusterstII

Starl

3+

G S E reset

To roll- axisthrusters

AddChange from 5 . 5 to 2 sec

Figure 11.- Service module jettisoncontroller changes.

15


20/24

involved a silicon-controlled rect ifier was affected. The electromagnetic inter feren ceprotection designed into the SECS proved to be eff ective because no inadvertent fi ring ofpyrotechnics occurred.In December 1969, a decision was m ade to eliminate the crew- safety- criticalsingle-point fai lur es on the SECS backup pushbutton switches by wiring con tacts inseries for each sys tem on the Skylab CSM. In Jan uar y 1970, th e sa me change wasimplemented for the J-m iss ion vehicles (CSM-112 to CSM-115A).During the electrical mating EDS test on Apollo 13 at the KSC, the spacecr aft /launch vehicle/GSE loop went into a n osci llato ry mode and cycled the automatic- abo rtlogic relays of the vehicle approximately 1200 ti me s before the tes t oper ato r removedtest power. Investigations revealed that a change to the pr evious EDS test was madefo r this vehicle and that the tower-jettison switches were placed in the off positionrather than in the automatic position used in the previous EDS test.tioning resulted in the launch vehicle test -abort command being routed to the SPS ab or tlogic, which ene rgi zes the SLA sepa ratio n pyrotechni c relay, removing the spacecra ft-pyrotechnic- relays- indicate- safe signal to the launch vehicle GSE. Accordingly, the

launch vehicle GSE removed EDS te st power (which powered the simu lated abo rt stim-ulus). However, the EDS test power is not latched off; thus, the loop osc ill ate s at afrequency determined by the ch ara cte ris tic s of the r ela ys and tim e delays of the space-craft, launch vehicle, and GSE (approximately 70 msec/cycle). Corr ectiv e action wastaken to eliminate the procedur al change made on the tower jettison switch position andto modify the launch vehicle GSE to latch the test power off when the safe indicationshad been inte rrup ted. The number of cycles on the MESC re lays was far below therated life; therefore, no hardware changes were made. This incident showed that,when a test procedure has been used successfully on previous vehicles, any changesmust be reviewed very carefully by everyone concerned with the affected system.

This switch posi-

On April 11, 1970, the Apollo 1 3 missi on (CSM-109) was launched. The plannedlun ar landing had to be aborted because of an abrupt loss of SM cryogenic oxygen.Because this loss necessitated retention of the LM as long as possible, the sequence ofeven ts before ent ry had to be changed. Instead of the LM being sep ara ted from theCSM, the CM and LM were sep ara ted from the SM, then the CM was s epa rat ed from theLM before entry. The remaining functions were perfor med in the norm al sequence.

The missio ns flown with the scientific instr umen t module (SIM) bay located in theSM (J-missions) requ ired fir ing pyrotechnics to jettisoil the SIM-bay door, to launchthe subsatel lite (from CSM-112 and CSM- 1131, and to j ettison the high-frequencyantenna (from CSM- 114), The rela ys for performi ng thes e functions were incorporatedinto the multip le-opera tions module (MOM) box, which is located in th e upper SIM bay(fig. 12). The MOM box was primarily a power-di stribution box fo r the SIM-bay expe r-imen ts but, because pyrotechn ic firing rela ys als o were involved, the MSC sequ ence rsubsystem manager followed the development of the MOM box. The MOM box under-went qualification testi ng from September to December 1970.

During vibration testing, one of the redundant rel ay s that switches alternating-curre nt power to the experiments failed to operate. Investigations reveale d that thearmature- re turn spring had broken.adjacent to a tool mark. The brea k patt ern indicated that the fra ctu re result ed fro mMicroscopic inspection revealed the brea k to be

16


21/24

Figure 12. - Multiple-operations modulebox location.

material fatigue. A design- evaluationvibration test was conducted on the r ela ysto determine if the fai lure was caused byextended vibration exposure o r by highlevels of vibration (or both). Based on th istesting, it was concluded that the failurewas caused by an isolated quality defect(the tool mark); however, to ens ur e thatmarginal relay s were not in stall ed in theMOM box, a relay- component vibration-screening test before installation wasimplemented.For crew safety, relays were addedto the LDEC to is ola te the SIM-bay pyro-technic bus fr om the spac ecraf t pyrotechnicbus. Then, the SIM-bay bus could be armed

i n flight without arming the spacecraftpyrotechnics.On January 31, 1971, the Apollo 14miss ion (CSM-110) was flown. The onlymajor change in the operation of the sequen-tial system was that the crewmen prefe rredt o launch with the ELS logic switch in man-ual, keeping the ELS baroswitche s disar med .On Ju ly 26, 1971, the Apollo 15 mis-sion (CSM-112) was flown. This miss ion

was the first flight with the SIM bay. All the required sequential functions were pe r-fo rm ed successfully, including the new pyrotechnic functions for SIM- bay-door jettisonand subsatel lite launch. The main-parachute anomaly that occurr ed duri ng CM RCSprop ellan t burn-off did re su lt i n the RCSC CM-RCS dump-inhibit t im er being changedfro m 42 to 61 seconds for CSM-113 and CSM-114. The Skylab CSM RCSC alr ead y con-tained the 61-second t i m er s because of the use of th e Saturn IB launch vehicle.During the initial sequencer- subsystem checkout at the contractor facility inSeptember 1971, som e EDS functions were not received fro m the MESC on the firstSkylab vehicle (CSM- 116). Investigations revealed that the spac ecr aft w i r e changes(for elimina ting EDS connector single-point failures) that were approved in May 1969were not implemented on the Skylab CSM-116 to CSM-119. The corr ective action was

to i ncor pora te the approved wire change. This problem was identified originally on theSC-009 Block I vehicle and was to have been co rrected on all subsequent vehicles.However, each time a majo r change in spacecraft vehicles oc curre d, Block I to Block 11and Block I1 t o Skylab, the autho rized change was not implemented. This situationemphasizes the need to ensure that approved changes are car rie d over from one vehicleto the next, even though these changes ar e approved fo r incorporation on later vehicles.

17


22/24

F r o md e p l o y m e n t d e p l o y r e l a yIn December 1971, a n Apollo sneak- d r o g u e - P C V B d r o g u e -

A r r o w s s h o ws n e a k - c i r c u i t p a t h s w i t c h

cir cui t bulletin for CSM- 113 identified asne ak circuit in the ELSC and PCVB thatcould possibly resul t in pr em at ur e deploy- ---ment of the parachutes. If the singleground connection to the ELSC should failopen, then a sneak cir cuit would exist(fig. 13) that could r esult in deploying thedrogue and pilot parac hutes under the a pexcov er and cause los s of the crew.rectiv e action taken was to add a redundantground wire to the ELSC on CSM-113 andsubsequent vehicles.

The cor-

This crew- safety hazard, which wasdiscovered by the sneak- cir cui t group,analyses to be run on all critical spacecraftcircu itry. Also pointed out is the unseenhazard that can exist when wirin g modifica-tions are made external to an elect rical boxto add additional components. Th is addi-tion nullifies the orig inal design of th e boxand allows circuit path s to exist that theoriginal desimer had nev er planned. In

underscores the need for sneak- circuit b a r o s w i t c h e s

'onmuapeh"~oy

Figure 13. - Earth-landing systemsequence controller sneak circuit.th is ca se , relays were added to the PCVB.Rather than redesign the ELSC with theadded relays inc orp ora ted (which wouldhave been more desirable), it was decidedto tie the wiring into the ELSC exte rna l tothe controller.

Also in December 1971, cir cui t br ea ke rs were added to the LM docking ringfinal -sepa ration c ircuit fo r CSM- 113 and subsequent vehicles. The addition of thesecircuit breakers was the re su lt of re liabi lity upgrading of the manual LM final-separation switches to crew-safety critic ality fo r the premat ure-fa ilure mode. Theadded circuit breakers downgraded the criticality.of re liability upgrading to ensu re that the correct criticality is placed on the spacecraftcomponents ea rly in the program .changes to the spacecraft.

This action shows the importanceAny later change could res ult in expensive design

On April 16, 1972, the Apollo 16 mis sion (CSM-113) was launched and th e SECSperformed all the required mission functions successfully.that was made in the SECS fo r thi s mi ssion was to leave the pyrotechnic buses a rm edaf te r CM-SM separ ation to prevent undetected motor- switch failu re that would causethe loss of one pyrotechnic s yst em fo r the ELS.The only operational change

On December 7 , 1972, the last Apollo lu na r mis si on (Apollo 17; CSM-114) waslaunched and the SECS pe rformed flawlessly throughout the flight. The only changes in

18


23/24

the SECS fr om the Apollo 1 6 mission were the deletion of the subsatell ite-launch pyro-technic function and the addition of the high-f requency- antenna- j ettison pyrotechnicfunction.RECOMM ENDATIONS FOR FUTURE SPACECRAFT PROG RAMS

A s a re su lt of the development and flight experience gained during the ApolloPr og ra m and experience from re lated studies, the following recommendations aremade fo r future spacecraft programs.

C o m po n en R eco m me nd at o nsEarly in a program , ma jo r emphas is should be placed on obtaining reli able com-ponents. One- hundred-percent testing, both environmental and electri cal , should beaccomplished on the components. The required pe rfo rma nce capability should allow

for a margi n ov er expected design conditions, which will help avoid a costly redesign o rchange in components if unforeseen changes in the component environment occur later.Installing the operational components in the developmental hardware allows for the dis-covery and co rrec tion of component fa ults before the pr obl ems could have a n effect onthe operational hardware.

S e q ue n c e r - D e s i g n R e c o m m e n d a t i o n sThe e as e of installation and the accessibility fo r rework should be considered inthe sequencer design. Connec tors should be keyed to preven t inadvertent interchange,and sufficient room should be provided between connectors for eas y mating and dematingafter installation of the sequen cer in the spacecraft. Fu se s should be easily replace-ab le without disconnecting o r removing the controller. Internal circu itry should be pro-tected fro m electrical transients and re ve rs e polarity. When logic power is routedfr om one sequen cer t o other sequencers, fusing and diode isolation should be provided;the se provisions prevent l os s of the sequencer-logic bus because of e xternal sh or ts andprevent sneak circuit s caused by loss of ground in external hardware. Timing fo r time-delay functions should be capable of being changed without ma jo r modifications to the

' sequen cer. When electromechan ical components (such as relays) are installed, theyshould be potted into modules t o minimize vibration- amplification probl ems caused bythe sequence r assembly. In designing the installation of stud-mounted diodes, ease ofas sem bl y should be con sidered to prevent damage to the fragile mica washer.

T e st a n d C h e c k o u t R e c o m m e n d a t i o n sThe capability f o r te st and checkout of all redundant elements must be designedinto the hardware. It is desirab le to have the capability to verify (after installation) allredundancies in the spa cecr aft without breaking flight connections.In testing , emphasi s should be placed on development testing to uncover problemsea rl y in the pr og ram , rath er than waiting to discover the pro blem s during qualification

19


24/24

testing. End-to-end continuity and isolat ion te st s should be performe d on the subsystem(with the GSE connected) before power- on testing, ensurin g the pro pe r configuration ofthe spacec raft and the GSE and saving time later when power-on troubleshooting of thevehicle is accomplished. The subsystem testing should als o ensure that the redundantsy st em s actual ly do work independently of each other.have sufficient resolution to verify that the subsystem meets the required criteria. Afai lure in the GSE should not damage the sp ace craf t hardware.The GSE used f or checkout must

C O N C L U D IN G R E M A R K S A N D R E C O M M EN D A TI O NSNo fail ures have o ccu rred on the sequential events control subsys tem during flightthroughout the Apollo Pro gram, including all re se ar ch and development flights. Onereason for this performance is the concern for the crew -safety a spe ct of the seq uentialsyst em, which resul ted in much attention being dir ecte d both by NASA and con trac tormanagement to the system and its problems. This sa me attention should be applied tosystems that involve pyrotechnic functions in fut ure spacecr aft.The major recommendations fo r providing a reliable sequential events controlsubsystem on future spacecr aft include the screening and earl y testing of components,the p rotect ion of internal sequencer circuitry fr om electri cal transients, overload andisolation protection on circu its routed external to the sequencer, and provisions forcheckout of all redundant elements.

Lyndon B. Johnson Space Cent erNational Aeronautics and Space AdministrationHouston, Texas, January 17, 19759 4- 1-00-00- 2REFERENCE

1, White, Lyle D. Apollo Experience Report- lectrica l Wiring Subsystem.NASA T N D-7885, 1974.

apollo experience report command and service module sequential events control subsystem

Documents