HST Observatory Assessment and Lifetime Projection
This chapter discusses in some detail the current status of the Hubble Space Telescope (HST) and prospects for its future operation under various servicing options. Essential to this discussion is a model for the failure rate of the observatory’s avionics subsystems. This model has been developed by NASA and serves two purposes. First, it establishes a time window for servicing the spacecraft, based on the fact that inevitable failures (both foreseen and unforeseen) combined with a delay in servicing will lead ultimately to the loss of HST’s capability to collect science data. The result would be an interruption in HST science operations, although the telescope would remain in a safe state such that repairs would allow for the resumption of operations. In the event of an extended delay, however, the risk of accumulated failures could become serious enough to make the spacecraft’s survival questionable.
Second, the failure model assists in predicting whether a proposed servicing approach can be successful. “Success” here means that the planned repairs, if accomplished, will enable the spacecraft to operate with a reasonable probability of success over the full post-servicing operating period. NASA has specified this period as being 3 to 5 years, although it is shown in the discussion below that a timely and comprehensive servicing strategy can improve the probability of success and also potentially extend HST’s post-servicing lifetime.
This assessment of HST’s lifetime divides the spacecraft components into three conceptually different categories. The first category contains the science instruments but, since this section is concerned solely with the viability of spacecraft infrastructure, this category is set aside. The second category consists of three unique subsystems that are subject to predictable wear-out, meaning that their performance degrades gradually over time in predictable ways that allow for planned replacement. The three key subsystems in this category are the fine-guidance sensor (FGS) units, the rate sensor unit (RSU; commonly referred to as “gyro” or “gyros”), and the batteries.
The third category contains all the other components, which the committee terms the “avionics system.” The failure model adopted for this last category is crucial, and some of its consequences are counter-intuitive, as explained below. The model assumes that components in this class exhibit random, unpredictable failures at a rate that is constant over time. Consequently, the avionics components do not wear out in the traditional sense; if a component lasts, say, 3 years, it is just as likely to keep working at the end of that time as it is today. Eventually, the avionics system will enter a wear-out stage, but the statistics for the failure of electronics parts combined with those for the performance of Hubble (and other spacecraft) indicate that that time frame is beyond the servicing window currently under consideration.
Above, the committee used the words “foreseen” and “unforeseen” to describe failures. Foreseen failures are the predictable failures that affect the wear-out components. Unforeseen failures are the random failures that affect the avionics system. The model for observatory lifetime computes the failure rate of the two categories separately to derive the projected lifetime of the system as a whole.
Previous shuttle servicing missions to HST have demonstrated that essentially all failures on HST are repairable. However, battery failure has unique consequences, since sufficient power must be available to prevent loss of temperature regulation in the optical system. If a battery is severely degraded or it fails, the temperature will drop below safe limits and the structural elements of the telescope will lose their proper shape. Recovery from this state is not possible.
The HST avionics system is currently fully operable and retains redundancy on all subsystems. (Redundancy is a vital element of spacecraft health; as soon as failures render a key system non-redundant, the projected lifetime becomes much shorter.) The observatory’s good condition since its launch in 1990 is the result of continuous extensive efforts by a dedicated and skilled team of scientists and engineers at the Space Telescope Science Institute (STScI) and the Goddard Space Flight Center (GSFC). The spacecraft is actively monitored on a daily basis and is conservatively operated with the objective of maximizing its performance and lifetime. The avionics system’s performance has also been extensively modeled and trended using flight telemetry data such that it is possible to credibly forecast system performance, failure trends, and replacement requirements.
FINDING: The HST avionics system is currently in a fully operable state and retains redundancy on all subsystems. Its performance is monitored regularly and is well understood by the operations team such that it is possible to credibly forecast system performance, failure trends, and replacement requirements.
Failure (both foreseen and unforeseen) rates are sufficiently high on HST that the spacecraft cannot function for an extended period without servicing. Servicing has been done in the past with crewed shuttle missions that have enabled three types of repairs. Some repairs replaced components that are subject to foreseen wear-out, such as the FGS units, gyros, and batteries. This class of repairs can be planned years in advance.
The second category, unforeseen failures (in the avionics system and science instruments), such as failure of the S-band single access transmitter (SSAT) or the reaction wheel assembly (RWA), are of a random or unpredictable type that cannot be planned for in advance. Repairs in response to failures in this category must be responded to at the time of occurrence and, historically, have been inserted as late as 3 months prior to a planned servicing mission. In the case of SM-3A, the mission itself (although other servicing work was also performed) was based on responding to an unexpected premature failure of gyros that resulted in an interruption of science operations.
The third category is not related to a failure per se and is more appropriately described as a proactive upgrade intended to improve system performance or to respond to a long-term downward performance trend on the spacecraft. The solid-state recorder (SSR) installed on SM-2 and the advanced computer installed on SM-3A are of this type, as are the FGS-2R (projected early failure), New Outer Blanket Layer (NOBL; thermal trend), ASCS (thermal trend), and DMU to SI C&DH cross-strap (DSC; avionics reliability) equipment installations that were planned for SM-4.
The difference between foreseen repairs, unforeseen repairs, and proactive upgrades leads to two important findings. First, the operational longevity of HST has resulted from both planned servicing activities and the ability to accomplish repairs of unpredicted and unpredictable failures. The ability of crewed missions to make such repairs has been crucial to the long-term operability of HST. Second, the reliability, performance, and longevity of the telescope have been substantially enhanced through the implementation of proactive upgrades during past servicing missions.
Since the robotic approach to servicing is new and untried, simplicity will be essential if successful servicing is to be achieved with acceptable mission risk. One key risk consideration is the need to protect the vehicle against undue harm during the servicing mission itself. The second key consideration is that the mission be carried out within a servicing time window in which the vehicle remains healthy and has a reasonable probability of meeting the goal of 3 to 5 years of post-servicing science operations.
The original SM-4 mission involves many components, including batteries, gyros, WFC3, COS, FGS-2R, the Aft Shroud Cooling System (ASCS), NOBL, and the DSC. Of these, the batteries, gyros, WFC3, and COS, and potentially one FGS,1 are included in NASA’s plans for a robotic servicing mission; the remainder are important proactive upgrades of the sort that have been installed on previous missions with the objective of increasing longevity and maintaining high operational efficiency for the observatory. These ancillary upgrades, which are more difficult to implement and also add mission risk, have rightly been eliminated by NASA from the robotic mission plans.
FINDING: Previous human servicing missions to HST have successfully carried out unforeseen repairs as well as executing both planned and proactive equipment and science upgrades. HST’s current excellent operational status is a product of these past efforts.
FINDING: The robotic mission plan presented by NASA accomplishes the minimum mission servicing goals of installing batteries, gyros, and scientific instruments and potentially a fine-guidance sensor, but would not install other important life-extension upgrades that were planned for SM-4. It is also unclear whether the FGS replacement or unforeseen repairs can be effected on a robotic mission without exceptional mission complexity and associated telescope risk.
AVIONICS RELIABILITY MODEL
The HST project has developed a model to predict overall spacecraft subsystem reliability as a function of time. The reliability predictions are recalculated and updated based on the system status at the completion of each servicing mission. A crucial implication is that if full avionics redundancy and
functionality are restored as a result of the servicing, the mission essentially resets the avionics system reliability back to unity as a byproduct of the activity. In other words, the avionics system is considered “like new” after successful servicing under the assumption that all known failures have been repaired, including whatever unforeseen failures have occurred since the system was previously serviced. This ability to “reset the avionics failure clock” has been demonstrated on past space shuttle servicing missions but is not likely for a robotic mission due to the complexity and risk considerations discussed above.
The SPATEL model used by NASA to project the reliability of HST’s avionics system was originally developed by Marshall Space Flight Center and Lockheed Missiles and Space Company. Progressive updates have been performed, with the current model maintained by the Aerospace Corporation.2 The Aerospace model determines the overall avionics system reliability by accounting for the failure rates of the individual avionics components (electronic boxes) according to a network of series and parallel connections representing the vehicle end-to-end operable configuration, including redundancy. The component-level approach is based on a standard MIL-HDBK-217 methodology3 whereby the failure rates of individual electrical parts are aggregated into a model for an electrical subsystem unit. The result is a constant unit-level failure rate derived from a parts count and the failure rates of the individual parts in combination with complexity factors plus stress factors such as electrical stress and temperature. These data are combined to develop a mean time to/before failure (MTTF or MTBF) reliability prediction for the unit.4
This committee has closely reviewed the Aerospace Corporation model and finds that it accurately represents the vehicle avionics configuration with regard to operational modes and redundancy. It also follows generally accepted aerospace practices whereby the electronic box failure rates are modified to 60 percent of standard rates, according to the approach described in RADC-TR-85-229.5 The failure rates of selected avionics system components are further modified beyond the RADC-TR-85-229 baseline using a Bayesian method to account for specific cases where there are a statistically significant number of failure-free operational hours. The overall method employed by the Aerospace model used for HST is an accepted approach for representing aerospace system reliability and is consistent with practices applied to most satellite systems produced by both government and industry. As previously noted, hardware components dominated by wear-out factors such as the batteries, gyros, and FGS units are not included in the avionics system model.6 Failure rates for these components are discussed separately below.
The reliability values in Figure 4.1 show the output of the avionics system model. The prediction is by year, with October 2004 established as the starting date. The 50 percent point (at 4.5 years) based on the model is the nominal reliability value NASA has traditionally used as its baseline to set the servicing interval for HST. Therefore, if the avionics system is working as of October 2004 (T0) the system is projected to have a 50 percent probability of still being operational (and conversely, a 50 percent risk of failing) as of 4.5 years from that date, or May 2009.7
FINDING: The HST avionics system reliability model used by NASA projects a 50 percent reliability interval of 4.5 years. Using October 2004 as a starting date, this interval establishes May 2009 as the latest approximate date for servicing HST with at least a 50 percent chance for success.
As noted above, the avionics system model represents a constant failure-rate prediction, so that the probability of failure “resets to zero” each moment that a failure does not occur. A shuttle mission such as SM-4 is capable of responding to and correcting both foreseen and unforeseen anomalies. If the mission is successfully executed, the probability of failure will be reset to zero at the time of servicing.
It should be recognized that the numbers in Figure 4.1, while quantitatively derived in the avionics system reliability model, are essentially a qualitative representation of the system’s reliability since they reflect many design and implementation assumptions. Despite this qualitative nature, the reliability values are useful for comparative purposes and, as noted in the text, are also the traditional method used by NASA for assessment of HST’s reliability.
The projected probability of successful post-servicing science operations can therefore be read directly from the values in Figure 4.1 as 0.69 after 3 years and 0.45 after 5 years. This means that 3 to 5 years of science operations can reasonably be expected after an SM-4 type mission, with the projected avionics system reliability being above 0.50 for the first 4.5 years.
A robotic mission does not have the same level of flexibility to deal with unforeseen anomalies unless they are unusually simple and occur early enough in the mission development cycle (prior to critical design review) to be accommodated effectively. This means that it is unlikely that the avionics system’s reliability can be reset through robotic servicing, a result with two important mission implications. First, a robotic mission with an implementation schedule of 4 to 6 years (5.4 years is the projected development time derived in Chapter 5 based on an independent assessment by the Aerospace Corporation) would be servicing HST at a time when it is already near or below the 0.50 reliability point.
Second, the extended time until robotic servicing makes it likely that the avionics system will have suffered a component failure that is beyond the capability of a robotic mission to repair. Therefore, while a simple robotic servicing mission performed on a reasonable schedule is likely to be successful, servicing limitations also make it likely that the reliability “clock” cannot be reset. This means that the projected avionics system reliability will continue from its T0 starting point in October 2004, with a reliability value of 0.41 at the projected time of servicing in February 2010 and subsequent values of 0.18 after 3 years and less than 0.10 at 5 years.
FINDING: The flexibility for repairing unforeseen anomalies has been demonstrated on past shuttle servicing missions. With this flexibility, the HST’s avionics system is projected to operate with a reliability value of 0.69 at 3 years and 0.45 at 5 years in support of science operations following a shuttle servicing mission.
FINDING: The baseline robotic mission is judged to have minimal capacity for responding to and repairing unforeseen anomalies. Assuming robotic servicing in February 2009 (based on a 5.4-year “most likely” readiness date), the HST’s avionics system reliability is projected to be 0.41 at the time of servicing, 0.18 after 3 years of post-servicing science operations, and less than 0.10 at 5 years.
COMPONENTS SUBJECT TO WEAR-OUT
An assessment of overall HST observatory reliability is dependent on the avionics system components described in the preceding model, plus consideration of other key subsystems left out of the model because their reliability is dominated by degradation according to predictable criteria. Components of this type are subject to wear-out described by a reliability model based on either measured and understood trends or physics-of-failure assumptions.8 Key components in this category from an observatory perspective are the batteries, gyros, and the fine-guidance sensors, each of which is scheduled for replacement. The reaction wheel assembly, solar panels, and several other items (discussed in “Other Reliability Considerations” below in this chapter) are also in this category but have slow enough wear-out trends that they are not projected to require replacement until after the 2012 time frame, unless an unexpected failure occurs.
HST uses a direct energy transfer power system topology whereby the solar panels are connected (through intermediate equipment) directly to the batteries. The batteries charge during the sunlit portion of the orbit and then discharge to supply power to the observatory when the solar panels are not illuminated. There are six individual batteries in the system, with each consisting of 22 series-connected nickel hydrogen cells.9 The batteries are grouped in two three-battery compartments, but the batteries are operated and charged in pairs.
The energy capacity of each battery at the time of launch in 1990 was greater than 90 ampere-hours (Ah), with a resulting HST battery system capacity of approximately 540 Ah. Recent measurements show that the system capacity is now in the range of 300 Ah due to a gradual loss of energy storage capability in each battery over time. Replacement of the six batteries is required on either a shuttle or a robotic servicing mission in order to ensure 3 to 5 years of post-servicing science operations.
Gradual loss of charge capacity in response to charge and discharge cycles is a normal aging effect for batteries and was anticipated for HST. Energy capacity has been continuously monitored since HST’s launch. The batteries have also been periodically reconditioned, which is accomplished by removing a single battery from service and then cycling it through a deep discharge to an essentially discharged state followed by a full recharge. Battery reconditioning, when performed correctly, helps to restore some capacity to aging batteries. By careful monitoring of the amount of energy extracted during the discharge cycle, determination of battery capacity is also possible.
Despite meticulous efforts by NASA, projecting measured trends to future performance has proven especially difficult in the specific case of HST due to the long service life of the batteries, thermal constraints during charging, and limitations on the battery reconditioning method. Given the observatory’s critical dependence on battery condition, an expert working group consisting of NASA and industry experts was consulted to review the most recent reconditioning test results in conjunction with the trend data taken since launch. The consensus conclusion,10 based on both flight trends and relevant ground test results on similar batteries, is that abrupt wear-out factors (loss of pressurization and cell short circuits being the most common and important) will not affect battery lifetime until substantially beyond 2010.11 Therefore, the relatively graceful degradation trend indicated by current data is expected to continue over the next several years, with the batteries experiencing a relatively linear loss of capacity over time.
The working group also projected battery life over time based on the trend data. Figure 4.2 summarizes the results. The red segments represent the working group’s consensus opinion on projected battery life versus time. The pessimistic, most likely, and optimistic dates for each of the three segments follow a linear trend indicated by each of the dotted lines starting (off the graph) at the current battery capacity of approximately 300 Ah. A capacity loss rate of 37.8 Ah per year represents the most likely case based on long-term trends and the latest reconditioning test results. Loss rates of 48 Ah and 30 Ah
per year correspond to the pessimistic and optimistic cases based on available data. The relatively large divergence between these cases is due to the charging constraints and reconditioning limitations discussed above. However, the specified worst-case and best-case rates of decline are considered to reasonably bound the range of battery capacity loss based on the measured flight battery performance.
The three battery segments in Figure 4.2 also correspond to the three key battery capacity levels associated with operational states for the observatory. The 160 Ah on the upper red segment represents the minimum battery capacity required to support science operations. Once the 160 Ah threshold is reached (based on a battery voltage level representing a specific discharge level), science operations are
suspended and the vehicle transitions to a software-controlled Level-1 safe-hold state intended to provide maximum protection for the telescope. The 110 Ah capacity described by the middle red segment corresponds to a more risky hardware-controlled Level-2 safe-hold state where the vehicle remains in a safe condition but has relatively little power margin to protect itself from a catastrophic failure. The lower red segment at 40 Ah is the limiting capacity level at which the safe-hold function has sufficient power to maintain thermal stability on the optical metering structure. When this threshold is crossed, the structural deformation caused by the loss of thermal stability will result in permanently degraded optics.
Summarizing the information in Figure 4.2: April 2008 represents the most likely date for reaching the 160 Ah battery capacity limit resulting in the suspension of science operations and transition into a Level-1 safe-hold state. Similarly, July 2009 is the most likely date for reaching the 110 Ah limit for transition to a less protective and more risky Level-2 safe-hold condition. Failure of HST’s optics is most likely to occur in the May 2011 time frame when the battery capacity reaches the 40 Ah threshold.
FINDING: Battery lifetime trends are consistent with supporting HST science operations through April 2008 and maintaining the telescope’s optical system in a highly protected Level-1 safe-hold state until July 2009. Loss of capability to do science because of optical failure is most likely to occur in the May 2011 time frame but could occur as early as December 2009 based on a worst-case projection.
Rate Sensor Unit (Gyroscope) Assessment
Gyroscopes consisting of a rate sensor unit and an associated electronic control unit (ECU) are key components of the HST control system, sensing drift rates that are used by the pointing control system when pointing and slewing the telescope. The gyros also provide active short-timescale pointing control during exposures (control over longer timescales is provided by the fine-guidance sensors).
While observatory survival is ultimately dependent on battery capacity, Figure 4.2 shows that the progressive failure of gyros (green segments) will be the most likely cause for suspension of science operations. There are three RSUs on the telescope, each containing two gyro sensors numbered G1 through G6. The gyro design uses a floating rotor in a liquid-filled cavity with electrical connections made using very fine copper-silver alloy flex-wires. These wires experience a gradual metallurgical change as a function of run time on the specific gyro rotor. Failure occurs as a result of corrosion and mechanical fracture due to wear-out processes that are physically understood.
Gradual attrition of gyros was anticipated in the HST system design and has been mitigated through a planned replacement strategy. The most recent replacement occurred on SM-3A in 1999, when all three RSUs were replaced. At the time of this report, G3 and G5 have failed, while G1, G2, and G4 are operational. G6 is turned off and held in reserve. Three gyro sensors (located in any of the three RSUs) are required for three-axis control of the telescope. However, simulations by GSFC and the STScI indicate that a two-gyro configuration can, in conjunction with other telescope sensors, be used with only a small degradation in imaging performance. Therefore, the HST project is currently developing software and control algorithms aimed at extending the telescope’s scientific service life via operation on two gyros.
A realistic prediction of each gyro system’s reliability has been developed by NASA based on both on-orbit failure statistics and a determination of root cause. The prediction for a combined RSU and ECU is the product of flex-wire reliability following a Weibull failure distribution and an exponential probability law characterizing the electronics failure rate (in combination with other failure modes). The projected dates, at 50 percent probability, for transition first to two-gyro operation and then complete
suspension of science operations are July 2006 and September 2007, respectively.12 If a transition to two-gyro operation is made in the mid-2005 time frame, overall gyro lifetime can be extended by up to a year, with a corresponding extension of science operations until mid-2008.
Replacement of the six gyros on SM-4 entails exchange of the three RSUs, which are co-located in one of the telescope bays (–V3). The associated ECUs are currently working and do not require replacement. For NASA’s planned robotic mission, the RSUs are to be installed on the WFC3 instrument. There is a complication, however, in that it is not possible to interface each RSU with its respective ECU located within the telescope. To overcome this problem, NASA’s plans call for replacement of the ECUs together with new interface electronics that allow the gyro system to send signals to the telescope avionics system through an unused test port on the 486 advanced computer (the current plan is to rebuild the ECUs together with the communication interface electronics as a common unit). The cable associated with this data link would be routed external to the telescope and connected to the 486 computer in Avionics Bay 1.
FINDING: If HST operations continue as they are, progressive gyroscope failures are likely to terminate observatory science operations around September 2007. Timely transition to a two-gyro mode after software validation in the first half of 2005 could extend science operations into the mid-2008 time frame.
FINDING: Replacement of HST gyros by the space shuttle is a straightforward operation that has been accomplished successfully on past servicing missions. Replacement by a robotic mission is more complex, entailing the attachment of multiple RSU and ECU elements plus interface electronics onto the WFC3 instrument. The interface to the spacecraft system would be made via an external cable routed to a test interface on the telescope computer.
Fine-Guidance Sensor Assessment
The FGS units (in combination with their electronics subsystems) are used for precision pointing of the observatory. Due to limits on sky coverage, two operating FGS units are usually required to support the HST observing program. From the perspective of reliability, this means that three working FGS units are required to ensure that two operational units plus a redundant spare are available to support science operations (this is referred to as “two for three” redundancy).
The three FGS units on HST are designated FGS-1R, FGS-2R, and FGS-3; the number designates the mounting position on the telescope, and the “R” indicates that the unit has been previously replaced on-orbit. FGS-1R is currently in excellent working condition, whereas FGS-2R and FGS-3 are each exhibiting wear-out effects in their servo systems that will ultimately make them inoperable. Based on recent test and performance data, FGS-2R is projected to fail sometime between October 2007 and October 2009, and FGS-3 will fail sometime between January 2010 and January 2012.13
H. Leidecker and W. Thomas, “Notes on the Reliability of the HST Gyros,” NASA GSFC, September 10, 2001, available online at http://nepp.nasa.gov/index_nasa.cfm/993/; H. Leidecker, “The Probability of Having at Least Three Operating Gyros,” NASA GSFC, June 25, 2002; H. Leidecker and J.K. Kalinowski, NASA GSFC, personal communication, August 30, 2004.
“Hubble Space Telescope Flight Systems and Servicing (FS&S) Program FGS Spare Servo Study Report Prepared for LMTO in Support of the FGS 2R On-Orbit HSTAR Anomalies,” Goodrich Document No. TE A16-0523, prepared for Lockheed Missiles & Space Company (LMSC), Greenbelt, Md., April 20, 2004; Mike Wenz, Lockheed-Martin Technical Operations, personal communication, September 1, 2004.
FGS units were replaced on SM-2 and SM-3A, and FGS-2R was also planned for replacement on SM-4. The degradation in FGS-2R results in target acquisition failures due to a gradual loss of gain in the servo system. The loss of gain is believed to be due to radiation damage to light-emitting diode (LED) devices used in the optical encoder. Recent testing indicates that the system gain has declined to a level that is 5 percent above the servo stability limit, with projections indicating that FGS-2R will become unusable within 3 to 5 years. Since the LED radiation effects are time-dependent but are not affected by actual operating time, the lifetime of FGS-2R cannot be extended beyond the projected dates.
FGS-3 has been operating since HST was launched in 1990 and is suffering from bearing wear induced by large coarse-track excursions during early mission operations. An extrapolation of key performance data indicates that failure will occur in the 2010 to 2012 time frame if the unit is continuously operated. Unlike the FGS-2R case discussed above, the FGS-3 wear-out is a function of actual operating time in a target acquisition mode. Therefore, limiting the operation of FGS-3 (through the use of FGS-1R in conjunction with FGS-2R) can potentially extend the life of FGS-3 beyond the currently projected 2010 to 2012 point of failure.
Loss of FGS redundancy due to the failure of FGS-2R is a significant mission risk. Mitigation of this risk was planned for SM-4 through the planned replacement of FGS-2R. The robotic mission originally presented to this committee could not mitigate this risk since the robotic arm was capable of reaching the FGS-3 position but could not reach the FGS-2R position (in technical terms, the WFC3 is located in the –V3 radial bay of the telescope in the 180 degree position, whereas the FGS-2R unit is located in the +V3 radial bay in the 0/360 degree position; FGS-3 is located in the +V2 radial bay in the 270 degree position and could be reached by an arm that is configured to replace WFC3). Since FGS-2R is expected to fail prior to the date projected for a robotic mission, its replacement as part of the robotic mission is considered necessary if FGS redundancy is to be retained during post-mission science operations. However, the mission risk and risk to HST for this activity must be carefully evaluated due to the technical complexity of reaching the FGS-2R location on the telescope.
FINDING: FGS-2R is projected to fail in the October 2007 to October 2009 time frame. Its replacement is important if FGS redundancy is to be retained to support post-servicing HST science operations. Replacement of FGS-2R is straightforward on a space shuttle mission but is considered to be high risk for a robotic mission. Therefore, it is possible to retain FGS redundancy by shuttle servicing and potentially is possible via robotic servicing.
FINDING: FGS-3 is projected to fail in the January 2010 to January 2012 time frame, although its life can potentially be extended through the near-term use of FGS-2R. Failure in this time frame will not strongly affect post-servicing science operations if FGS-2R is replaced.
OTHER RELIABILITY CONSIDERATIONS
Solar Panel Assessment
The HST uses a pair of articulated solar panels on each side of the telescope to generate power when the panels are illuminated by the Sun. Power from the solar panels is used both to operate the vehicle systems and to recharge the batteries. New solar panels were installed on the SM-3B mission in 2002 and have performed normally since that time.
Performance of the solar arrays is continuously monitored by the operations team in order to track
the average loss of power over time. The drop in power output due to a combination of accumulated damage from meteoroid and debris impacts, cracking from thermal-cycling, and damage to the solar cells from radiation, is within the expected range of performance degradation.
For the SM-4 servicing case, the trend indicates that power generated by the solar panels will be adequate to support post-servicing operations into the 2014 time frame. The assessment for a robotic mission is a little more complicated because the remote location of the batteries (in the DM) requires extra equipment and cabling, resulting in an added power loss of approximately 200 watts. Despite this complication, careful power management (by turning off selected instruments and duty cycling of non-critical equipment) should also allow for science operations with either mission option until at least 2014.
FINDING: Solar panel performance is running according to expected trends such that sufficient power will be available to support HST science operations until at least 2014 in the case of either shuttle or robotic servicing.
Reaction Wheel Assembly Assessment
The RWA units are used on HST to provide three-axis (pitch, roll, and yaw) control of the telescope as part of a closed-loop pointing control system. During science operations, the principal modes are fine guidance whereby the spacecraft is maintained pointed at a celestial target, and slewing whereby the spacecraft is rapidly moved to acquire targets in different areas of the sky. Four RWAs are used to support normal HST operations, although the telescope can be re-programmed to operate on three units with little or no loss of science performance. However, the telescope cannot perform science with only two RWAs. Therefore, if the telescope has a failure that leaves it with only three working RWAs, it will not have redundancy.
RWA replacements were performed on SM-2 in response to a failure and on SM-3B in response to an operational anomaly (unit RWA-1 was replaced in both cases; although it was not known at the time, the SM-3B replacement was, in retrospect, more precautionary than necessary). In both of these cases, the RWA anomaly occurred late enough to have the RWA added as an emergency replacement. A record of two late replacements in the span of four missions leads to the conclusion that the ability to carry an RWA can substantially protect against an RWA failure and the associated risk of losing RWA (three for four) redundancy. While RWA replacement has been demonstrated during shuttle servicing, a robotic replacement capability is not currently planned. The location of the RWA units (in Bay 6 and Bay 9) may also preclude their replacement with the planned robotic mission.
FINDING: Retention of RWA redundancy is important to maximize the likelihood of 3 to 5 years of post-servicing HST science operations. Replacement of RWA units has been performed successfully on two previous shuttle missions in response to an unexpected anomaly and is also possible, if required, on SM-4. Replacement of an RWA is not part of the planned robotic mission and may not be possible on such a mission due to the RWA mounting locations on the telescope.
The SM-4 mission included thermal upgrades to the telescope that are not baselined for the planned robotic mission. The most important of these upgrades are the installation of the Aft Shroud Cooling System (ASCS) and NOBL. These are new equipment items developed to mitigate a gradual rise in
equipment temperatures on the vehicle. While these upgrades are of a proactive nature, eroding temperature margins on several subsystems mean that installation of the ASCS and NOBL are important if science operations are expected to continue, without thermal impacts, beyond approximately 2010.
Radiation Effects Assessment
An analysis of the effects of radiation damage to HST electronic components was performed by Lockheed Martin for the HST project and is documented in a 1998 memorandum.14 The review, although limited in scope, provides reasonable confidence that the avionics subsystems can be expected to operate to 2010 and beyond without any major negative effects. Unpowered redundant units are also considered to be essentially unharmed by radiation in the HST orbit because the rates of self-annealing (for 1970 and 1980 device technologies used on HST) for unpowered electronic parts mostly offset the accumulation of ionizing radiation effects.
There are currently no telemetry trends (except for the previously discussed FGS-3R LED problem) to indicate that HST’s operating avionics units are significantly degraded. Therefore, the overall radiation risk is judged to be low for the avionics system plus FGS units until 2010, and medium thereafter. The risk to the science instrument electronics is judged to be low due to their recent replacement. Assuming that 3 to 5 years of post-servicing science operations following a robotic mission will extend into and beyond 2014, avionics failures could eventually occur due to radiation effects.
FINDING: Analysis in combination with long-term avionics monitoring predicts that radiation damage should not interfere with HST science operations through the 2010 time frame. Adverse radiation effects after 2010 are more likely, with an increasing risk of avionics component failures if science operations are extended until 2014.
HST SYSTEM LIFETIME AND MISSION TIMING CONSIDERATIONS
HST servicing missions have occurred at intervals of 3 to 5 years. This timing is consistent with the reliability model discussed above in “Failure Modeling” and has allowed for proactive repairs and a timely response to unforeseen failures. The result of this servicing strategy is the HST discussed in this report. It is a vehicle that remains fully operational, with optical performance meeting the original design requirements and science utility that has been systematically improved through both instrument and system upgrades.
SM-4, intended by NASA to be the final servicing mission to HST, was designed to change out key instruments as well as to perform replacements and upgrades to several subsystems. NASA was thoughtful in its choices of the components for SM-4 and the timing of the mission, whereby servicing was planned to be performed in the 2005 time frame. An SM-4 mission in 2005 satisfied all of the key objectives discussed in this report, by maintaining the continuity of science operations while achieving installation of new instruments and also replacing batteries, gyros, and other key system components.
Figure 4.3 provides an integrated picture describing the factors controlling HST lifetime discussed above in combination with a projection of the estimated schedule for the SM-4 shuttle mission and the
planned NASA robotic mission. A description of each element is provided below in the context of mission timing and potential mission results. Starting from the top of Figure 4.3:
Battery lifetime evaluation. The top three red bars correspond to the battery lifetime projections for 160 Ah termination of science operations, the 110 Ah limit for science survival, and the 40 Ah threshold for the failure of telescope optics as discussed above in “Battery Assessment.” Key results:
Battery capacity is not likely to be the limiting factor for the termination of science operations.
The projected time frame for a shuttle SM-4 mission should allow for uninterrupted science operations and can be completed prior to the worst-case 40 Ah science telescope survival date of December 2009.
The planned NASA robotic mission is likely to occur after the expected date for suspension of science operations but is also likely to occur while the vehicle is in a safe, recoverable state.
In the worst combined schedule and battery lifetime case, the planned robotic servicing mission will not arrive at the telescope before the 40 Ah threshold is reached for telescope optical failure.
FGS lifetime evaluation. The blue bars correspond to the FGS lifetime projection discussed above in “Fine-Guidance Sensor Assessment.” Key results:
FGS-2R is projected to fail subsequent to the shuttle SM-4 mission but was planned to be replaced. Therefore, the SM-4 mission should result in three working FGS units capable of supporting post-servicing science operations.
FGS-2R is likely to fail prior to the planned robotic mission or early in the operational phase following the servicing mission. It can potentially be replaced in the planned robotic mission.
FGS-3 is likely to be near the end of its service life and will fail before the goal is met for 3 years of science operations following robotic servicing.
Replacement of FGS-3 as part of a robotic servicing mission can potentially ensure having two FGS units available for supporting science operations but does not ensure redundancy. For either servicing option, only replacement of FGS-2R can ensure FGS redundancy.
Gyroscope (RSU) lifetime evaluation. The green bars correspond to the HST gyroscope lifetime projection discussed in the section “Rate Sensor Unit (Gyroscope) Assessment.” Key results:
The projected end of two-gyro operations in September 2007 comes after the recommended window for shuttle servicing.
Based on the projected time for mounting the robotic mission, there will likely be an interruption of science operations of approximately 29 months.
Mission timing evaluation. The next line shows the projected time windows for the shuttle SM-4 option (yellow) and the NASA planned robotic option (orange). The shuttle option projects the expected 7th and 12th mission dates to define the servicing time window. The robotic mission time line projects February 2010 (5.4-year development cycle) as the most likely date for mission readiness, with October 2008 and February 2011 projected as the best- and worst-case bounds on the estimate.
Mission comparison. The lower orange and yellow bars represent the expected post-servicing operations time lines based on the projected shuttle and robotic mission dates. Associated with these bars are the orange- and yellow-star mission risk values at the bottom of Figure 4.3 and the horizontal dashed 50 percent risk line. The orange-star values represent the assessed risk for the planned NASA robotic mission, and the yellow-star values represent the assessed risk for the shuttle servicing case, with the vertical dashed lines representing the corresponding dates for the robotic and shuttle mission 50 percent values. As discussed in the section “Avionics Reliability Model,” the ability to perform unexpected repairs allows the shuttle mission risk value to be reset. Hence the yellow-star values are reset as
a result of performing the SM-4 mission, whereas the orange-star values associated with the robotic mission are not reset. Key results:
Early servicing afforded by the SM-4 shuttle mission essentially ensures 5 years of operations before other reliability factors might affect the need to suspend science operations. The specific avionics system risk factors are shown in purple on Figure 4.3 below the yellow “post-shuttle science operations” bar, with the 50 percent risk point occurring after approximately 4.5 years of operations.
The projected delay in the robotic mission not only results in a likely 29-month interruption of science operations (as depicted by the blue arrow on the figure) but, due to lower system reliability, is also likely to result in a shorter period of post-servicing operations. As shown in purple below the orange bar labeled “post-robotic science operations,” the projected telescope risk value is estimated to be above 50 percent (0.59) at the time of servicing and to be approximately 0.82 after 3 years.
The projected shuttle mission scenario results in servicing of HST prior to suspension of science operations due to gyro failure and should achieve at least 4.5 years of post-servicing operations before the avionics system risk value reaches 50 percent. Therefore, the total expected operational time in the science mode is projected to be at least 6.3 years for a shuttle servicing mission executed in July 2006 and 7.3 years for a shuttle mission executed in July 2007.
The projected robotic servicing mission starts with 3 years of operations prior to gyro failure followed by a 29-month suspension of science operations, at which time the projected telescope avionics system risk value will be above 50 percent.
Performing a direct comparison between the two servicing options, 6.3 years of SM-4-associated science operations (1.8 years prior to servicing followed by 4.5 years of post-servicing operations) is essentially equivalent to 3 years of robotics-associated science operations (all accumulated prior to servicing) at a similar level of risk.
FINDING: The projected termination in mid to late 2007 of HST science operations due to gyroscope failure and the projected readiness in early 2010 to execute the planned NASA robotic mission result in a projected 29-month interruption of science operations. No interruption of science operations is projected for a realistically scheduled SM-4 shuttle mission.
FINDING: The planned NASA robotic mission is less capable than the previously planned SM-4 shuttle astronaut mission with respect to its response to unexpected failures and its ability to perform proactive upgrades. Combined with the projected schedule for the two options, the mission risk associated with achieving at least 3 years of successful post-servicing HST science operations is significantly higher for the robotic option, with the respective risk numbers at 3 years being approximately 30 percent for the SM-4 mission and 80 percent for the robotic mission.