proctection concepts used in spacecraft power systems.pdf

7/28/2019 Proctection Concepts used in Spacecraft Power Systems.pdf

http://slidepdf.com/reader/full/proctection-concepts-used-in-spacecraft-power-systemspdf 1/6

157

Protection Concepts used In Spacecraft Power Systems

'Dermot Levins

esa.nt.c,

...

~Roog

unSoW

R99'~ y Untt

The three most commonly used power system designsare (1) The RegulateQ Power Bus in which the solararray and the battery bus voltages are regulated bothin sunlight and eclipse. (2) The Sunlight Regulated Busin which the solar array bus is regulated in sunlight andthe battery bus is unregulated and (3) The UnregulatedBus in which nei ther the solar array or batteries areregulated. They are brief ly descr ibed in [1 J. Themission requirements and the types of loads are criticalparameters in the decision process of which ooncept is

most suitable for a particular application. Theequipments and protections used within the differentdesign concepts are extensive and this paper onlyaddresses those used in the regulated bus systemshown in fig.1. Many of the protections included withinthis system are applicable throughout most spacecraftpower system designs.

FIgure 1: Sunlight Regulated Bus

9{sJonfwijt rrru :;"&tfuruuufs

power bus d es ig ns . T he ir attractive features,

limitations and suitability for a particular applicai,ion orspacecraft mission are not always apparent. It isnecessary to contain all critical protection to the poweror anergy sources on a spacecraf t within the powersystem and inadvisable to rely on other spacecraf tsystems or grounci stations for protection. The groundstation and th e data handl ing system may providec om ma nd in g, r ec on fi gu ra tio n, i nh ib itio n or

reprogramming of protection features bU1 the primarybus protection should always be seff Contained withinthe power system. Ground station operations cannot'provide a v iable protection of ,he power or energy

resources as it may not be available or sufficientlyk;"lowledgeabla to rectify problems before the availableenergy is depleted to a level where recovery ispossible.

Abstract

1. IntroductIon

Power system d es ig n c on fi gu ra ti on s used inspacecraft are n u m e r o u ~ . They are all oonstrained byreliability and fauft tolerant requirements. These shouldensure that any single failure will not produce adegradation of per formance below the specifiedrequirements during th e mis sio n life time ,

M anufacturers generally have a preferred designtopology which they optimise fo r each spacecraftmission. They reduce the development costs byoptimising the solar array power andlor battery energycapacity and reusing the electr ical designs of otherequipments within their power system. In this way lheyexploit their experience gained from previous use ofthe system. Important features of any power systemare th e protect ion concepts used within the systeman d the equipments.Concepts which are suitable forone mission and its spacecraft equipments may not be

adequate for another mission. It is also possible thatmodification of a single power interface in an equipmentmay invalidatG th e oomplete protection scheme, Thispaper describes some of the protections used inspacecraft programs and explains their l imitat ions.Protection at the power source, power equipment andpower system levels are addressed.

When assigned the task of designing an equ·pment ora power system engineers are usually confronted withvery specific and stringent performance requirementsand a deliv'ery deadl ine which is invar iab ly crit ical .Ef fi ciency, mass, oos ls etc. are often the pr imaryrequirements. Protection aspects usually surface lalerwhen the tes1 phases of the equipment or system havecommenced and the limitations of the design within itsworking environment appear. Some of the protectionswh ich have been used in spacecraf1 power system. designs or which have been forgotten or rejected on

th e assumption that they were unnecessary areaddressed. Protec1ion is one of the more cr iti calfeatures of any reliable design, unfortunately itsomission is often only recognised in hindsight and, inspacecraft applications this can be catastrophic. It ishoped that this paper will stimulate engineers to givemore attention to the protection features o f theirdesign and to be more forthcoming in identifying thelimitations of different design topologies or concepts.

"

2. Power Systems3. POW8r & Energy Sources

A feature of all spacecraft power systems is that theyare limited in the power and energy available from thesolar array and the batteries. They require a high levelof rel iabi li ty and a fail safe protection scheme whichensures a quick isolation of any fault within the power

system or the loads which thGy supply. Many diffGrentprotection configurations are found in spacecraft

3.1 So£ar ~ r r a y Protections:

The primary source of power for most spacecraftmissions are photovoltaic solar generators. They areseldom fully redundant because of mass constraints

and are genGrally divided into sections which areisolated f rom each other in order to avoid failure

Proceedings of the European Space Power Conference helo' In florence, Italy. 2 -6 September 1991 (ESA SP·320 Augusr 1991)



158

propagation. In many spacecraft the solar arrayrequi res mechanisms to deploy the array andmechanisms to rotate the array and maintain sunpointing. They thus require sliprings to provide current1rom the solar array to the power bus and possiblysliprings to supp ly power to array deployment

mechanisms or pyrotechnic devices. Protect ionfeatures which should be incorporated in solar array

designs are:

Series diodes to isolate sections of the array as shortc ircu it fai lures of s lipr ings can propagate from onearray section to the other or to the ful l array if thediodes are not present. This fai lure mode has alreadycaused the loss of a spacecraft because the diodeswere not included in the design {2].

Where shadowing of parts of the array can occurdiodes are also placed across groups of series cells toavoid hot spots which could r e s u ~ from high currentsflowlhg through high impedance shadowed solar cells.

In spacecraft where the main power bus is distributed

to the array mechanisms or electronics it is essential toprovide protec tion of the bus at the bus distributionpoint. Short circuit failures of loads, sliprings or

harnesses are possible fai lure modes at l:,is level asslipring failures, mechanisms and mechanical stress in

cables and connectors are potential problem areas.

Sat is factory insulat ion of solar cel ls from ground is

necessary as breakdown of the insulation layer hasoccured on a number of programs and resulted in lossof array power due to the short circurting to ground ofarray strings [3] & [4].

When the spacecraft is in an orbit where the solar arrayis exposed 10 a high radiation environment an indium

t in oxide conduct ive layer is coated on to the arraysurface to p ro tect it against electrostatic charging.Differential charged surfaces on spacecraft are liketyto discharge by an arc discharge between thesurfaces. These discharges may damage or destroyIhe surface, breakdown i nsulat ion layers and caninterfere with Ihe on-board electronics. All externalsurfaces (non-conductive, semi-conductive andconduct ive) should be bonded to spacecraft s t r u c ~ ! J r eto protect against electrostatic charging. ...

Several spacecraft have suffered from failures in oneor more of the above areas and the degradation inperformance cou ld have been avoided if adequateprotection had been provided.

3.2 tJJattery Protections:

Batteries generally provide Ihe power and energyrequirements of spacecraft during eclipse operationsand support peak spacecraft power demands duringsunlight. Dif ferent battery types, configurations andcapacities are used and their protection requirementsare dependent on the mission requirements, thebattery redundancy phHosophy and the type of batteryselected for the mission They are seldom fullyredundant as their weight may account for up to 15 to20 per cent of the spacecraft dry mass. The batterymanagement system on board the spacecraft shouldautomatical ly protect the batteries and cells against

open circuit failures, undervoftage, overvoltage, overtemperature andror over pressure.

Protect ion against loss of battery due to a cell opencircuit failure can be provided by relays or b y · p a ~ : ;

diodes connected in parallel with each cell.

Battery undervoltage p-rotection is necessary to retainan essential energy margin to allow recovery of thespacecraft power source from any failure which causesan excessive expenditure of its stored energy. Thisprotection functions by switching off all non essentialloads should the battery voltage fall below a predefined

level. The possibility to inhibit this protection by groundcommand in order to allow battery reconditioning isusually a design requirement. Care must be taken toensure that the battery voltage level at which theprotection operates is stable and low enough to ensurethat the required battery capacity· is available fornom inal operations over the . ful l opera ti onal

temperature range.

Cell undervoltage protection is n e ~ e s s a r y to protectagainst a cell reversal fai lure as the battery loadcurrenl flowing through a reversed cell could cause thecell 10 rupture. This protection should disconnect thebattery from the power bus.

The parameters used to indicate the state of charge ofthe battery are cell voltage, temperature and pressure.Two of these parameters are usualty used to determinethe end of charge criteria however all three parametersare interdependent. The battery mounting platformtemperature var ies with mission phases, seasonalchanges and operational modes and if cell failures anddegradation are taken into account it is very drtficult todefinitively set end of charge criteria prior to launch forthese missions. Programmable end of charge levelsare generally preferred. A second level of protec1ion isalso required to prevent overcharging of cells as th;sadversely effects their operational l ife and if theovercharge is excessive can result in rupture of thecells. Battery end of charge and overcharge protectionlevels must be high enough to ensure Ihat the batterycan be fully charged and low enough to preventovercharging. The stability of the protection levels iscritical and where feasible it should be possible toinhibit them in case of failure.

4. EqUipment Protections

Vbus

Error

Signal

Fig. 2 Shunt Regulator

4.1 Sowr J4TTay ~ g u w t o r s :Regulation 01 the solar array generated power isachieved either by shunt regUlation (fig. 2) in whichexcessive power is shunted from the spacecraft powerbus into power dumps [5] or series regulation (fig. 3)where excessive power is blocked from the power bus



Vout-VIn(h ToniTolf)

VO<A • Vln " .... (lon.'olI)

Fig. 5 Boosl ReguialOr

In order to protect these regulators against the abovefailures they both require two serIes redundant diodes

and two control transistors. The control transistorsshould have independent control electronics to providea full redundancy of th e protect ion. Regulatortopologies which have input current limiting protectionincluded in their design [6] & [7] are preferred for spaceapplications as they offer a comprehensive protectionof t he semicond u ct or s wi tc hi ng device againstoverloads or current surges. Secondary convertertopologies used in s pa c e a pp li ca ti on s are toonumerous to mention however their protectionrequirements are similar to those of the regulators.When active paral le l operation of regulators orconverters is required topologies which do not haveovervottage failure modes are preferred because isdifficutt to detect and protect the output overvottagesbefore they reach a critical level in the event of a

failure.

Fig.6 Bud< R&g(jalor U ~

159

topologies utilised in space programs and theprotection, isolation and redundancy concepts usedare numerous. Circuit concepts for a boost regulator(fig. 5) and a buck regulator (fig. 6) are shown.

High power regulators and converters generally do nothave very low conducted and radiated emission noiselevels. They therefore require ~ y n c h r o n i s e d operationsand phasing 10 minimise aggregate ripple current asu ns yn ch ro ni se d o p er at io n at sl ightly differeaJfrequencies can produce input ripple frequencies whichare outside the bandwidth of the system fil ters. Theyare general ly synchronised to the clock signal in thedala handling encoder and as switchimg on or offencoders or fai lures can result in large variations inclock f requency and waveshape regulators andconverters must be designed 10 perform within theirspecifications with any shape of sync. signal. A

number of regulators and corwertars have damagedtheir loads both in o r b ~ and during ground testing as aresult of their inabili ty to operate correct ly with poorquality sync signals. One BOA and the main andredundan1 converters for a c r ~ i c a l payload on an ES A

ErrorSignal

by series regulators. Unacceptable failure modes arefor the dumps or regulators to be permanently on or offas these failures could result ei the r in a bus

o v e r v o ~ a g e or a loss of solar power. Protection againston failure modes is achieved by using redundant senGS

switches whareas protection against permanently offfailure modes is achieved by adding an additional dumpor series section. For the non-dissipative shunt

configuration two diodes are needed to prevent shortcircuiting the power bus when the dump is on and..Qlllldiode fails s ho rt -c ir cu it ed . F or the diss ipativaconfiguration [6] on e diode is required. The seriesregulator requires a diode connected in series with theregulat ing transistor to protect the bus from reversecurrent through the series switch in the event of a slipring or solar array string short circuit.

4.2 Power Contro{ l1nit:

Fig. 3 Series Regulator

This unit (fig. 4) controls the voltage regulation of themain bus by sequencing the operations of the shunt,battery discharge and battery charge regulators [1 J.Because of its cri ticali ty it is always triple redundantwith majority voted logic to ensure that no single pointfailures are possible. Guard bands between tile threeoperational domains are necessary to ensure that nooverlapping of th e dif ferent domains can occur. Aprotect ion which switches off all bat tery dischargeregulalors (BORs) in the eV9nt of the shunt dumpssaturating prevents the possibility of overvol1ing thebus due to a permanently on failure 01 a BoR.

43 13attery Charge ~ g u C a t o r s ('BCR.J),

'Battery 1Jiscfiarge 'R.fgu[ators (13CJ<j)

& Converters:

As for shunt regulators BeRs and BORs must maintainth e bus voltage within'specificatiQn. They should be

protected against f,ailures w ~ i c h could produce a busovervollage , a bus short circuit or a battery to busshort circuit. There are a wide range of regulator



160

spacecraft are current ly mispertorming due to a poorquali ty sync. signal. Fortunately the redundant BORwas not effected by the bad sync. as a dephasingrequirement to minimise ripple current had resulted in

the redundant BDR receiving its sync. from the mainBOR; thus when the main BOR is switched off theredundat1t unit is unsynchronised. The converters areintermitte

ntlymisperforming

atdifterent

seasonalperiods due, we believe, to slightly different unittemperatures and performance characteristics; oneconverter is again fortunately always operable. Thesync. s ignal was disto rted because of a groundingerror which resul ted in the return signal of the sync.passing through an inductive balun filter in the powerreturn.

4.4 Pyrotedinic 7'iring V.nit:

The launch vehic!a and launch site facilrty generallyrequire the pyrotechnic firing unrt (fig. 7) to have atleast three levels of protection for safety reasons.

One level is a side/arm c'onnector, this is a

mechanical operated switch which breaks the firing lineto the pyrotechnic i ni tiator and short circuits theinitiator. Prior to launch it is replaced by an armconnector, or switched to an arm configuration. Twoother switches namely the Arm switch and the Fireswitch are sequentially commanded to fi re eachspecific init iator when t he spacecraft is in orbit.Because of the ir hazardous potential care must be

taken to protect initiators and pyrotechnic units fromany interference eHeets which could provoke

unauthorised f ir ing. Special monitoring, harnessscreening, electrostatic bleed res is tors and noiseimmune command interface circuits are mandatorysafety requirements.. Full. redundancy is usuallyincluded in the pyrotechnic system and it is

recommended to separate main and redundant uoitswithout cross strapping to avoid failure propagation ..

Simuftaneous firing of main and redundant initiatorsmay also be a requirement and care needs to 00 takenin implementing it in the design phaS8 as it is difficun toachieve in practise.

~ " ' . " - - : ~ ' ' ' ' ' ; ' ' ' ' ' ' ' ' ' ' ' - - ' ' ' ' ' ' ' - - C l n D - Pyr-O--'

'M:.o-

....

FIg.7 Pyro Firir1'ij Circul

Spacecraft initiators have a one ohm resistance andrequire a constant current of between 3.5 and 5.5 ampsfor a time duration of approximately 10 milliseconds toensure successful firing. When relays are used asfiring switches their on time must exceed the firing timeof the initiator to compensate for switching delay timesand for relay contact bounce effects. Although thepower requirements of initiators appear simple they aredifficult to achieve in practise. A 5 ampere current at 50volts bus level is 250 watts of peak bus power.of whichonly 25 watts are necessary to fire the initiator. Some

form of power conditioning is thus required if theiniti ators are to be fired from the main bus. Onspacecraft which do not have batteries a noo-dissipative pyrotechnic regulat inq circuit [8] can be

used to reduce the peak power demanded lrom thebus. When batteries are available the pyrotechnic firing

current is usually taken directly from the batteries or

from 8 battery tap connooion of 5 or 6 cells. Reducingthe supply vol tage to the pyrotechnic uni t eases theregulat ion problem. Initiator res istance values canchange to any value from a short c ircui t to an opencircuit when they fire. Some current l imit ing device istherefore necessary between the power supply andthe ini tiator in order to protect the power source. Aseries regulator with a constant current limit of 5 ampsis an attract ive design option provided the regulatorcan safely dissipate the maximum energy supplied bythe source into a short circuit for the on duration timeof the fire swi tch. On many spacecraft programs

fusistors (low wattage resistors used as slow blow

fuses) are used to limit the current and provide a slowfusing capabi li ty to protect the source supply. Itdifficult to establish the fusing characteristics of thesedevices in vacuum and the problems of ground testingtheir performance introduce reliability uncertaintieswhich are dif ficult to resolve it is not recommended touse these devices to limit the current. Two seriesswitches are required in the fi re circuit to avoidpremature initiator firing, when arming takes place, in

the event of one switch failing short c ircui t. Most ofthese protections in pyrotechnic circuits are imposedto inhibit unauthorised firing of the initiator. They do notaddress the protect ion of the power source or thenecessity to obtain a reliable fire funct ion. These arethe responsibil ity of the circuit designer who shouldensure that the protections implemented in the designdo not compromise the reliability requirement to providea successfu l operation. Failure to igni te the apogeeboost motor on Hipparcos was attributed to a failure inthe pyrotechnic initiators.

4.5 Power Vistri.6ution llnit:

This unit connec1s the power sources to the loads andprovides isolation and protection of the power bus fromoverload failures or excessive power demands. Manyspacecraft have a simple distribution concept and userelays to switch loads together with fuses to protectand isolate the power bus from fai lures; current

sensors which switch the relays when an overcurrent isdetected are sometimes used instead of fuses. In theevent of a failure, or incorrect operation, whichoverloads the bus a centralised bus undervoltageprotection circuit w_hich autonomously disconnects allnon essential loads is also provided. This distributiondesign philosophy, although simple in concept, hasmany critical aspects which sElverely l imi ts itsperiormance and the integrity of the protection which it

offers. Fuses are singular in thei r protect ion and as

they do not oHer a repowering of the load they areunsuitable for use in spacecraft. Their rating is critical,they must have sufficient margin to allow for derating,inrush current and transients while remaining low

enough to ensure that the available current capabilityof the source can clear thom within a specified t ime. Ifthe load fai lure is only partial isolation may not bepossible. Load .isolation during ground testing can

occur and replacement of fuses is t ime consuming.Relays also have limitations resul ting f rom arcingbetween contacts when breaking a current flow or fromcontact bouncing effects when making a connection.Their i nabi li ty to handle inrush current and their

mechanical limitations are additional disadvantages.Current sensors which monitor the current and switch

off relays when they detect an overcurrent are limitedin the protection they provide as the current may havereached a 1evel greater than the relay capability beforethe ralay starts to open and welding of the contactsmay resutt. For the above reasons the protect ionoffered by this concept is very difficult to define and is



•More recent spacecraft power distribution systemsuse current limiting switches to distribute the powerand protect the power bus [9]. These devices offer thefollowing advantages. They autonomously protect andisolate the spacecraft power bus from any load failuresand thus ensure continuous uninterrupted power toother spacecraft users. They can control inrushcurrent and reduce component stresses due to currentovershoots. They do not degrade du e to arcing orc on t ac t b ou n ce . Their performance and behavioureven when overloaded by a hard short circuit is easilycharacterised and thus any overload effects on the

power bus can be predicted. On deep space missionsand manned missions where the integrity of the powerbus i s e ss en ti al th e protect ion offered by currentl imit ing switches is often essential to the rel iabil ity ofth e mission as a load failure will not result in adiscont inui ty of the supply to other klads. This is notthe case with the centralised undervoltage protectionwhere all non·essent ial loads must be switched offwhen a failure occurs. 8us undervoltage protection canalso be an integral part of the l imiter design ands el ec ti ve d is co nn ec ti on of loads at differentundervoltage levels can be implemented.

4.6 'Equipment 'Design Protection:

Additional protections which are required withinequipment designs are:

D ou bl e i so la ti on from ground or return of allconnections or components which are directly

connected to the main bus lines or source suppfies e,g.fifter capacitors. current sense resistors, transistorcollector to baseplate isolation,auxiliary supplies etc.

Adequate separation between positive and negativepins in connectors.

Adequate protection of components against reversev ol ta ge s d ue to collapsing or short circuited inputsupply l ines e.g. reverse diodes across transistors toprevent reverse breakdown, diodes across relay coilst o p re v en t overvoltage stresses etc.

Adequate phase-gain margins in amplifiers and controlloops over the full operating temperature range(margins greater than 1Odbs and 60 degrees),

Equipments should be designed to switch on or offcorrectly without overstressing components whenoperated from any voltage between zero volts and themaximum supply voltage and wrth any rate of rise or fallof supply voltage.

5. System level

Protection at system level is provided within the powersources, th e power distribution unit (by bus and batteryundervoltage load shedding) and by redundancy ofequipments. When centralised bu s and bat te ryundervoltage protection circuits are used the designsshould be major ity voted for rel iabi li ty or an inhibitfunction of th e protection provided. Redundancyconcepts vary considerably, full redundancy is onlyp ro vi de d w he n either of the redundant units can beremoved from the spacecraf1 without limiting nominaloperations. Main and redundant units are often housedin on e bo x without redundant connectors, this

ccrnoromises the redundancy and can cause delays in

U.!I... • ....- --r--" - ~ . - -

is a critical feature. When cold redundancy operated byground rommand is required then the implementation is

relatively easy. If hot redundancy , with both unitsoperating simuttan90usly, or hot standby redundancy;with one unit operating and the other autonomouslycoming on line; is required. the implementation is moredifficult. The measurement which determines the failureand decides to switch a unit has to be specific to oneequipment and should distinguish between transientconditions to avoid spurious switchovers or oscillatoryoperations. It is advisable to provide ground commandoverride of these protections as their failure modes areoften very complex.

6. Conclusions

The paper addressed fai lure mode protections andlimitations in spacecraft power system designs whichthe author has encountered. It is hoped that it will aidother engineers in improving protection aspects of theirdesign and encouragG them to' relate their ownexperience in these aspects. There is natural ly areluctance to relate design problems and failures thusmany are repealed in different programs. It isfrequently the case that the addition of a singlecomponent or a slight design modification can result inthe dif ference between success or failure. The

diHicultyis in

identifying the failure before it occursin

practise and having the opportunity to protect againstit.

It is strongly recommended that the protection systemis self contained within the power system and that allpower lines distr ibuted to other users are adequatelyprotected. A completE! fai lure modes and criticali tyanalyses (which includes oscillatory failures) should becarried out on all equipments and in each spacecraftprogram. Acceptance of interfaces and protections as

uncritical or flight proven on previous missions shouldbe reject&d as modifications or implementation inlo adifferent environment often invalidates previousevidence of flight worthiness. Ground commands whichcan override or disable critical protect ion andreconfiguration circuitry should be included in designswhere possible as a safeguard against failures withinthe protection.

References:

Il} Spaacraft Power System ConceptD O'Sullivan ESA Journal' 989

{2} Seasat (.qgena :Bus)Failure Investigation Report

{3} Investigations arufCondusions on tfie

'ECS Sorar ~ r r a y In-Or6it ~ n o m a [ i e s .K. Bogus C. Classens and H. LechleIEEE Photovoltaic Conference, Las Vegas Oct '985

14} 1\§view of Synergistic. Interactions.

(jui.t£efine.f for IJ{g.w testing :Approadu.s on

:Future Sofar 5'IrraljsJ. Berry et al. -

European Space Power Conference Madrid Spain Oct

1989



162

[5} 'T1it SequentialSwitdiing Shunt

'.lWJulator S 3 ~D. O'Sullivan and A. Weinberg

ESTeC Power Conditioning Seminar NoordwijkNetherlands Sept 1977s

[6}.Currtnt-Mock Control, :Five 'Different

Types usd with three 6asu. c£asses of

Power ConvertersRichard Redl

Power Electronics Specialist ConferenceToulouse, France June 1985

[7J.LC3 J'lpp[ication to Vo{tage

1<f.gu[atorsA.. Weinberg and D. O'Sullivan

ESTeC Power Conditioning Seminar NoordwijkNetherlands Sep! 1977

[8J 'Design ana 1JeveCopment of aPyrotedinic :::4rming and :Firing 'UnitM. Heisel and D. Levins.Power Electronics Specialist ConferenceToulouse France June 1985.

[9} 120 Vo{t 105-1mpere So{U[ State Power

Controae.rD. Levins, F. Fachinetti and B. Danthony

26th. Inter Society Energy Engineering Conference

Boston Massachusetts Aug 1991

proctection concepts used in spacecraft power systems.pdf

Documents