The MSX Performance Assurance Program

THE MSX PERFORMANCE ASSURANCE PROGRAMThe MSX Performance Assurance ProgramM. Edwin GossTINTRODUCTIONhe structure and organization of the Performance Assurance Program developedfor the Midcourse Space Experiment (MSX) spacecraft are discussed. Included is anoverview of the engineering disciplines of the program: reliability, quality assurance,and system safety. The performance assurance role in each of the four MSXdevelopment phases is explained, followed by a review of MSX integration and testhistory as it relates to performance assurance. A discussion of lessons learnedsummarizes the results of the Performance Assurance is generally agreed that the performance assurancerole involves two basic activities: engineering andproduct assurance. Engineering functions include reli-ability, quality assurance, and system safety. Productassurance consists of elements needed to establishconfidence that the product is being designed andmanufactured as intended to meet the reliability addition to these engineering and product assurancefundamentals, the Midcourse Space Experiment(MSX) Performance Assurance Program emphasizeddesign integrity by specifying conformance to the APLSpace Department’s Engineering Notebook, which in-cludes guidelines for part usage and test, software qual-ity assurance, and design reviews. Figure 1 presents theorganization of the MSX Performance AssuranceProgram, and shows that the performance assuranceengineer reports directly to APL’s Space PERFORMANCE ASSURANCEPROGRAM STRUCTUREManagementThe Performance Assurance Program established forMSX was governed by the APL Product Assurance Plan,a detailed document tailored for MSX from a genericmaster plan. Other important documents that helpedshape the MSX Performance Assurance Program in-cluded the MSX Integrated Safety Program Plan, the MSXAccident Risk Assessment Report, interface control draw-ings, individual equipment specifications for subcon-tracted hardware, and detail drawings. The MSX per-formance assurance engineer, who is part of the APLSpace Department’s Satellite Reliability Group (SOR),managed the program and documented its status withmonthly reports. This engineer was also responsiblefor reviewing as-built documentation and other testand inspection records to ensure conformance to theJOHNS HOPKINS APL TECHNICAL DIGEST, VOLUME 17,NUMBER 2 (1996)189

aceDepartment(SDO)ChiefengineerMSXprogrammanagerSpace DepartmentReliability GroupMSX performanceassurance engineerReliabilityand qualitydisciplinesSystemsafetyQualityassuranceReliabilityandcomponentengineeringMaterialcontrolTest andinspectionRadiationeffectsFigure MSX Performance Assurance m. Complete hardware documentation, as well asintegration and test records such as problem/failurereports (P/FRs), were presented to the sponsor at MSXpre-ship and flight readiness ility EngineeringThe MSX spacecraft hardware was designed, fabricat-ed, and tested to achieve a 4-year (5-year-goal), on-orbitoperational life while operating under environmentalguidelines specified for each subsystem. Reliability en-gineers in design reviews verified proper part selectionand stress derating, using the Goddard Space FlightCenter (GSFC) Preferred Parts List as a guideline. Inaddition, critical functions and single-point failures wereexamined and selectively analyzed for redundancy andcross-strapping lists submitted by all APL designers and sub-contractors were reviewed by the SOR ReliabilityEngineering Section for correct grade level, nonstand-ard part approval request (NSPAR) requirements, andpart usage concerns. Nonstandard parts required adestructive physical analysis to be performed and wereupgrade screened (screened to standard part level re-quirements) before gh critical precap (inspection of the integratedcircuit die before package lidding) and other sourceinspections were performed by APL personnel. Otherquality assurance functions included verification ofequipment calibration, setup of an electrostatic dis-charge monitoring and control system, parts and assem-bly problem investigation, failed parts analysis, qualityand configuration

audits, and personnel training forelectrostatic discharge and clean room re quality assurance was performed on anaudit basis, where conformance to the Software QualityAssurance Plan was verified by the performance assur-ance engineer. The plan was written by the MSX soft-ware system engineer, and covered such topics as man-agement of the Software Quality Assurance Program,documentation and record collection, standards andpractices, reviews and audits, configuration manage-ment, problem reporting and corrective action, andsoftware Test and Material ControlElectrical, electronic, or electromechanical partswere selected, to the extent possible, from the APLSpace Department Preferred Parts List, which includesapproved parts from the GSFC Preferred Parts List andMIL-STD-975. APL-fabricated hardware used inconstruction of the MSX spacecraft required 140,000electrical, electronic, or electromechanical parts, con-sisting of approximately 1600 different line items. Over4000 parts constituting 1140 line items underwentQuality Assurance EngineeringThe

SOR Quality Assurance Section inspectedboth in-house hardware and subcontracted items. Thesection also coordinated the use of contract inspectors,190JOHNS HOPKINS APL TECHNICAL DIGEST, VOLUME 17,NUMBER 2 (1996)

THE MSX PERFORMANCE ASSURANCE PROGRAMdestructive physical analysis performed by one outsidetest house. Upgrade screening was performed by fouroutside test houses as well as by SOR personnel usingin-house facilities, and was coordinated by the SORTest and Inspection Section. Over 700 parts kits wereassembled by the SOR Material Control Section, in-spected by the SOR Test and Inspection Section, andsent to APL fabrication shops. Including subcontractedhardware, the total MSX parts count was estimated toapproach 300,ion EffectsThe SOR Advanced Technology and RadiationEffects Section characterized over 100 different parttypes used on MSX for total dose exposure, displace-ment damage, and single-event upset/latch-up. Thesepart types were not tested previously for radiation ef-fects, and characteristics were not available from thepart manufacturers. For example, field-programmablegate arrays, such as those made by ACTEL, are veryeffective in reducing volume and power consumptionin spacecraft systems, but are vulnerable to space ra-diation effects, particularly single-event upset. Exten-sive testing and analyses were performed to optimizecircuit designs implemented in these arrays, with atriple-redundant register/comparison scheme used tominimize upset safety requirements. Results of the preliminaryhazard analysis were included in the report, as were thesubsystem and system hazard system safety tasks included preparation ofhazardous operation procedures, emergency and con-tingency procedures, and ground safety plans for useduring integration at APL, testing at GSFC, andlaunch operations at Vandenberg Air Force Base(VAFB). Safety training for all personnel having facil-ity access was also provided. Table 1 presents how thesystem safety program was integral to various MSXprogram MANCE ASSURANCE IN THEFOUR PHASES OF THE MSX PROGRAMThe MSX program comprises four phases: missiondefinition; system design; subsystem design, fabrica-tion, and test; and spacecraft integration, test, andlaunch. Performance assurance was an integral part ofeach of these n DefinitionDuring the mission definition stage, the missionrequirements were used to help conceptualize accom-plishment of the mission and tailor the MSX Perfor-mance Assurance Program. The necessary spacecraftlifetime was used to set the mission reliability goal andhelp determine part levels and definition. For MSX,grades 1 and 2 (much like the grade levels describedin the GSFC Preferred Parts List) defined standardparts, and lower grades were classified as n and documentation requirements specifieddrawing levels and hardware types. Table 2 defineshardware types and their required documentation lev-els,1 and Table 3 presents the configuration require-ments used for this mission definition stage, the MSX concep-tual design review was held. System block diagramswere presented at this time, and SOR reliability engi-neers performed parts reliability predictions using MIL-HDBK-217E, although APL experience has shownthese failure rates to be extremely pessimistic. Thereliability of systems was calculated for a 4-year mis-sion, with each subsystem’s operating environmentconsidered. For example, the electronics section wasrequired to operate from 229 to 66°C, and the instru-ment section from 235 to 35°C; SPIRIT III and othersubsystems had unique Safety EngineeringA system safety program was developed to ensurecompliance with the Western Space and Missile Cen-ter Range safety requirements. The MSX IntegratedSafety Program Plan describes organizational relation-ships, responsibilities, and engineering and manage-ment criteria to ensure comprehensive accident riskassessment. Safety requirements applicable to space-craft subcontractors were based on the inherent safetyrisks of the particular hardware and the scope andcomplexity of the s system safety working groups were estab-lished by the APL system safety engineer or the West-ern Space and Missile Center Range safety organiza-tion to review, track, and resolve outstanding safetyissues, most notably those related to the SPIRIT IIIdewar, which contained 944 L of solid hydrogen tomaintain optics and instrument temperatures. Systemsafety analysis methods provided for inclusion of po-tential hazards into a closed-loop analysis and trackingsystem, with assigned qualitative values for hazardprobabilities and severity levels. An Accident RiskAssessment Report was prepared to address system-levelhazards and hazards of spacecraft interfaces. Each riskfrom an identified hazard was listed along with ratio-nale for acceptance, actions taken to preclude acci-dents, and data to support compliance certification toSystem DesignDuring the system design phase, instrument inter-face definitions were established. Typically, the variouselectrical, mechanical, and thermal engineers worked191JOHNS HOPKINS APL TECHNICAL DIGEST, VOLUME 17,NUMBER 2 (1996)

ble safety interfaces with MSX program amelementProgrammanagementProgram requirementCustomer requirementsProgram requirements documentProgram policyProgram planRisk acceptance criteriaSafety/performance/operational trade-offsSignature approval authorityDesign specificationsDesign criteriaDesign drawingsRequests for deviations and waiversEngineering changesSoftware specifications and requirementsFunctional flow diagramsProgram structure documentation and codeSoftware changesInput and review of software safety analysisSafety-critical ground support equipment specificationsDesign criteria and drawingsIntegrationProcessing and test plansHazardous proceduresInput and review of hazard analyses and safety deliverablesOutput from system safetyMSX Integrated Safety Program PlanSafety requirementsHazard reportsUnresolved safety problemsSafety program statusAccident risk assessmentsTest operations risk assessmentsOther safety deliverablesDesign safety criteriaHazard analysesHazard controlsHazard reportsSafety impact determinationsSoftware safety criteriaSafety-critical softwareSoftware safety analysesSpacecrafthardwareSoftwareGroundoperationsTest and operational safety criteriaHazard analysesHazard controlsHazard reportsApproval of hazardous proceduresGround safety plansOn-site monitoringTrainingSpace test and missionoperations safety criteriaHazard analysesHazard controlsHazard reportsReview of operationsdocumentationReal-time safety controlTrainingHazard analysesHazard controlsSafety-critical componentsFlightoperationsSpace test operations and mission operations requirementsOrbital operations handbookTest operations instructionsEmergency test plansInput and review of hazard analysesSafety deliverablesPerformanceassuranceProblem summariesFailure reportsInspection plansAcceptance criteriaMaterial deficienciesNonstandard parts listsaFrom MSX Integrated Safety Program Plan, APL Doc. No. 7334-9049.192JOHNS HOPKINS APL TECHNICAL DIGEST, VOLUME 17,NUMBER 2 (1996)

THE MSX PERFORMANCE ASSURANCE PROGRAMTable re types and corresponding documentation ntation levelaLevel 2aLevel 2Not recommended(insufficientdocumentation toverify configuration)MinimumrecommendedMinimumrecommendedHardware typeType ADeliverable outsideAPL (“production”or fully qualified)Type BDeliverable outsideAPL (prototype)Type CDeliverable for APLinternal use only(breadboard)aLevel 1Not applicable(insufficientdocumentation toverify configuration)Not recommended(insufficientdocumentation toverify configuration)MinimumrecommendedLevel 3Required (whentechnology transferis intended)Required (whenproduction byoutside vendoris anticipated)Not applicableRecommendedRecommended(if design is to beduplicated at alater date)Not recommended(not normallynecessary)Documentation level descriptionsLevel 1•Breadboard/brassboard development•Informal drawings allowed•Configuration control not possibleLevel 2a•Uses redlined control prints•Limited capability to reproduce the design•Will not support a configuration auditLevel 2•Assured capability to reproduce the design•Can provide spare parts to support the design•Can verify correctness of hardware by documentation•Prepared in accordance with DoD-STD-100•Drawings stored in vault after releaseLevel 3•For quantity production•Provides data to permit competitive procurement of items•Allows for outside manufacture of hardwaretogether to refine subsystem needs. Individual designersworked with SOR reliability and materials engineers toselect parts of the proper grade level to meet reliabilityand availability parameters. Preliminary electrical,electronic, or electromechanical parts and materialslists were submitted to the performance assuranceengineer for Performance Assurance Program establishedthe need for upgrade screening of nonstandard parts,based on the requirements of the GSFC Preferred PartsList. This screening was controlled in-house by theSOR Test and Inspection Section for all APL-manu-factured hardware; much of the destructive physicalanalysis and screening were subcontracted because ofthe quantity of parts involved. Parts upgrading for sub-contracted hardware was handled by the individualsubcontractors, and approval and status were docu-mented by NSPAR forms. A total of 793 NSPARs weresubmitted, and all but 16 were approved. NSPAR ap-proval required concurrence by SOR reliability, qualityassurance, and parts engineers. Part histories were stud-ied, screening results were reviewed, radiation concernswere checked, and part quality level and applicationwere verified. Unapproved NSPARs were either with-drawn or used with waiver configuration tem Design, Fabrication, and TestHardware unitFlight modelSafety-critical groundsupport equipmentSelected groundsupport equipmentBreadboardOther groundsupport equipmentDrawing level222a or 211Hardware typeAAB or ACCSubsystem design included more box-level detailinvolving all aspects of electronic, mechanical, struc-tural, and thermal disciplines. Positioning of the var-ious subsystems on the spacecraft structure was com-pleted. Most of the design reviews took place duringthis phase. Figure 2 presents the MSX design reviewprocess. Design reviews were also conducted at subcon-tractor facilities and were attended by cognizant APLengineers. Component hardware inspections werecompleted during this phase, as were the subcontractedhardware equipment acceptance reviews.193JOHNS HOPKINS APL TECHNICAL DIGEST, VOLUME 17,NUMBER 2 (1996)

ssion-leveldesign reviews(customercommunityattendance)CoDRConceptual designPreliminary designParts acquisitionMission operations designDetail designMission operations implementationFabrication and testSpacecraft integrationMission operations testingSpacecraft qualificationLaunch site operationsPDRCDRPERPSRLRRUnit designreviews at APLor vendorEDRFFRDRRIRR/PSRUnit No. 1Engineering designPreliminary package design/layoutDetail package design/layoutFabrication and unit testAcceptance testUnit No.

NEngineering designPreliminary package design/layoutDetail package design/layoutFabrication and unit testAcceptance test•••EDRFFRDRRIRR/PSRFigure MSX design review process. CoDR = conceptual design review, PDR = preliminary design review, CDR = critical designreview, PER = pre-environmental review, PSR = pre-ship review, LRR = launch readiness review, EDR = engineering design review, FFR= fabrication feasibility review, DRR = drawing release review, and IRR = integration readiness APL-manufactured hardware, material reviewboard actions documented problems occurring beforespacecraft integration. After integration, problems orfailures were recorded on P/FRs. Material review boardand P/FR documentation helps ensure proper reinspec-tion of hardware, as well as adding to the as-built con-figuration record, which can be a valuable design re-source for future programs. For subcontracted hardware,the facility’s internal material review board system wasused prior to system acceptance testing. After accep-tance testing had begun, but before delivery to APL,the problem or failure was documented by the subcon-tractor, and the MSX program manager and perfor-mance assurance engineer were raft Integration, Test, and LaunchSpacecraft integration and test have been defined asassembling the mechanical, electrical, and thermalsubsystems into an integrated spacecraft and perform-ing tests on the spacecraft to ensure that it will operateproperly in the specified environment.2 The bulk of theintegration and test work for MSX was established inthe MSX Program Test Plan, which contains perfor-mance requirements, tests to be conducted, facilitiesrequired, and specification of environment. The testplan was reviewed by the MSX performance assuranceengineer for conformance to Space Department testrequirements. Quality assurance aspects of the plan194included delineation of responsibilities, definition ofquality assurance inspection points, compilation ofresults, description of logbook use, documentation ofproblems or failures, application of corrective action,equipment calibration, and setup of a test review raft integration and test can be consideredthe final phase of spacecraft design. At the point ofintegration, box-level reliability and quality have al-ready been determined and built into the hardware viaexisting design and fabrication. The performance assur-ance engineer now monitors and documents all thevariables that may affect spacecraft reliability, as wellas ensures that the high quality of the hardware ismaintained. This was done for MSX by diligently main-taining the P/FR system, and enforcing program qualityassurance, electrostatic discharge, and MSX integration period began in May 1992. Atthat time, roughly half of the subcontracted systems andboxes had not yet been delivered, which necessitateda dual role for the performance assurance , the engineer had to continue to oversee the prod-uct assurance requirements for MSX subcontractedhardware along with associated ongoing SOR reliabilityand quality assurance reviews. The effort included suchthings as performing hardware inspections, participat-ing in failure review board meetings, attending equip-ment acceptance reviews (where test results andJOHNS HOPKINS APL TECHNICAL DIGEST, VOLUME 17,NUMBER 2 (1996)

THE MSX PERFORMANCE ASSURANCE PROGRAMproduct documentation were reviewed to determinethe suitability of the product to ship and integrate),as well as reviewing industry alerts for potential performance assurance engineer’s second taskincluded verifying subsystem readiness to integrate byparticipating in integration readiness reviews, main-taining the P/FR system, tracking corrective action, andpreparing monthly reports for the MSX Program performance assurance engineer also monitoredconformance to the MSX Program Test integration and test took place in four differentlocations: the APL clean room, the GSFC clean room/thermal vacuum chamber, the Astrotech payload pro-cessing facility at VAFB, and aboard the Delta launchvehicle at the launch complex. These different integra-tion and test sites required the performance assuranceengineer to be especially alert to transportation andhandling concerns. Ad hoc and system safety technicalinterchange meetings were also conducted to discusssystem safety, ground support issues, and spacecraftdesign ancillary performance assurance activitiesthat occurred during the integration and test phaseinvolved integration readiness reviews and problem/failure or test review board meetings to discuss andresolve software or hardware problems, failures, oranomalous test results. Ground support systems weremonitored to ensure that there were no spacecraft risksresulting from connections to flight hardware. Contam-ination and facilities engineers established clean areasat each of the four spacecraft locations. The MSX Con-tamination Control Plan was issued, which addressed ma-terials selection, fabrication, integration and test,GSFC operations, and launch site operations. In addi-tion, MSX spacecraft cleaning procedures for integra-tion and test were to critical hardware problems or failures beforedelivery, failure review boards were convened. Eightinstances of hardware failure occurring at subcontractorfacilities were serious enough to require review:ayer circuit board defects. Circuit boards ex-hibited many internal shorts and opens during igation showed that the boards were manufac-tured at a facility not employing adequate stor lead solderability problems. Inadequatelead plating yielded poor solder joints and led tocircuit failure. Incoming part inspection criteria werechanged to screen for potential solderability d solder joints. A poorly designed lap joint andimproper lead bending resulted in equipment cturing procedures and design were tored and poorly planned acceptance failure was due to a reverse-polarity hookup of abattery in test. Although protection diodes helpedsave the circuit’s electronic parts, the heat generateddestroyed a portion of the multilayer circuit board. Anew board was uate facility coordination. Part failure resultedwhen a room’s air conditioning equipment automati-cally shut off for the weekend, allowing higher ambi-ent temperatures in the test lab. The failed part d high-voltage power supply. During a ther-mal vacuum test, technicians unfamiliar with coronaeffects applied power to a subsystem while making thetransition to vacuum, causing damage to a high-voltage power supply. The supply was rebuilt andinternal procedures were d transformer core. Excessive torque on a trans-former mounting device caused the crack. Procedureswere modified and the cracked core was replaced.8.A manufacturer’s design anomaly in a key data en-cryption chip. A circuit work-around was designedand added to the hardware by the investigated were many specific technology,manufacturing, or quality assurance documentationproblems. It was found that the use of a high-temperature solder on feed-through capacitors causedinternal damage; the capacitor manufacturer requireda low-temperature solder to prevent device failure dueto excessive heat. Several instances were noted ofunauthorized work performed on flight hardware afteracceptance testing was completed. In such cases,subcontractor corrective action was reviewed, and thehardware was either reinspected or retested. SORreview of documentation prior to hardware deliveryrevealed several instances of nonstandard parts use withNSPAR approval, but without the required upgradescreening being completed. Residual parts from thesame lot were then screened and put through195POSTLAUNCH ACTIVITIESThe MSX postlaunch performance assurance activ-ities basically involved archiving of quality assurancedocumentation, records, notes, and logbooks, as well assummary report preparation. Reports were based on allavailable MSX documentation of program activity inboth the reliability/quality assurance and system safetyareas. Thoroughness in both documentation and itsreview is important so that lessons learned canbe extracted from the records and applied to y of Major Performance Assurance IssuesSubcontracted HardwareIn order to thoroughly investigate, document, andoversee corrective action initiated by subcontractorsJOHNS HOPKINS APL TECHNICAL DIGEST, VOLUME 17,NUMBER 2 (1996)

structive physical analysis to determine lot ac-ceptance, and a decision to replace the affected part orleave it in place was made jointly by the subcontractorand the performance assurance -Fabricated HardwareSubcontracted23%APL hardware was affected by the need for stringentelectrostatic discharge control procedures. For exam-ple, a special procedure was developed to control themating and demating of connectors going to the space-craft’s data handling system, where certain HS9-1840RH-Q chips were sensitive to as little as 14 staticvolts. Nonconductive spacecraft materials such asthe beta cloth on the multilayer thermal blanketswere determined to be electrostatic discharge in the MSX fabrication process, it was discoveredthat data supplied by the IDT72104 integrated circuitmanufacturer were erroneous. The device, which wasused throughout the spacecraft, was susceptible tosingle particle-induced latch-up, and a command anddata handling “autonomy rule” protection scheme wasdeveloped and implemented via hardware or powercable modifications and software changes. A small boxwas fabricated and inserted in series with the affectedunit’s power cable to perform current sensing. For themission-critical command processor, internal modifica-tions were made. During spacecraft testing at GSFC,misconnected battery cables in the thermal vacuumchamber caused an unexpected “conditioning” ofthe flight battery when the battery was m/Failure ReportsAPL47%UVISI5%Instrument25%Figure m/failure reports by hardware nship24%Operatorerror14%Software error18%Wiring error 4%The MSX P/FRs provided a summary of the MSXintegration and test experience. The test conductor’slog provided backup details and a cross-reference forthe events documented on the P/FRs. The problemsand anomalies recorded using the P/FR system werevaried. Part and design problems seemed to affect sub-contracted hardware more than APL-constructed hard-ware, although the design problems were more relatedto fabrication than actual circuit design. A majority ofthese problems were discovered and corrected in theearly stages of integration. In fact, there were no hard-ware failures during GSFC testing that affected the testschedule or that required the return of any hardware tothe s 3 and 4 show how the approximately 260P/FRs written for the MSX program were 3 presents the relative relationship among thevarious sources of MSX hardware: subcontracted, builtat APL, furnished as an instrument, or the APL-builtUltraviolet and Visible Imagers and SpectrographicImagers (UVISI). Figure 4 presents how the total num-ber of P/FRs was distributed among six listed anomaly196Part failure9%Design error31%Figure m/failure reports by anomaly , and includes all spacecraft hardware and soft-ware. Percentages of the total number of P/FRs areshown. The category of “operator error” represented alearning curve for ground support equipment and space-craft operation, and included P/FRs written for suchthings as ground test software errors, tester problems,and simulator malfunctions. Design errors includedsuch things as incorrect part application, poor boardlayout, and faulty material choice. Many part failureswere actually due to misapplication and therefore wereconsidered design errors. Wiring error P/FRs consistedof subsystem, harness, or connector wiring issues. TheP/FR database is available to designers throughout theAPL Space Department for future HOPKINS APL TECHNICAL DIGEST, VOLUME 17,NUMBER 2 (1996)

THE MSX PERFORMANCE ASSURANCE PROGRAMLessons LearnedResults of the MSX Performance Assurance Programseem to suggest that parts-related problems are becom-ing less significant, except for mechanical parts likerelays and connectors. Data from the Quality ControlHandbook3 indicate that, in general, defective parts areresponsible for approximately 30% of failures in un-screened development systems. However, the MSXrecord is much better. Process, manufacturing, andother human factor issues require more attention, in-cluding personal discipline in following the rules forelectrostatic discharge control, cleanliness, and consis-tent use of connector savers. Also requiring attentionare strict control of design changes after the criticaldesign review, training in proper soldering techniqueand connector mating and assembly, controlled proce-dures for bench checkout of flight hardware, and pro-cedures for areas not normally considered critical, suchas cable hookup at appears that there was an expectedly large propor-tion of design-related problems during the MSX pro-gram. This situation suggests that more fabrication-typedesign reviews should be conducted, especially at sub-contractor facilities, and that the reviews be overseenby a manufacturing l observations can be made as a result ofoperational safety experience during integration, test,and launch preparations. It would have been beneficialto enhance safety oversight during APL integration byusing the same formal safety practices that were laterused by GSFC and VAFB. Use of the same proceduresat APL, for example, would have provided the MSXoperational personnel with a better understanding ofthe safety role and the safety requirements of the otherfacilities. A more structured effort for review of oper-ating procedures with a greater lead time for feedbackof comments from reviewers would enhance the usabil-ity of safety-critical uration of the spacecraft electrical groundsupport equipment was a major consideration inplanning for emergency shutdown of non-explosion-proof equipment, so as to avoid creation of a hazardousor detrimental situation should facility power be re-moved. Also, the vast maze of cables and cryogenictransfer and vent lines necessitated daily safety walk-throughs. It may be prudent in the future to examineground support equipment cable and cryogenic linerouting to maximize its layout for personnel safety. Theimportance of end-to-end checkout of emergency sys-tems in the integration, test, and launch preparationfacilities cannot be overemphasized. In several cases,safety-critical systems failed upon initial checkout,even though the equipment was new, and locations ofsome of the hydrogen sensors in the payload processingfacility at VAFB had to be changed. Remote monitor-ing and recording of hydrogen sensor output had to beprovided, and the emergency vent/roof louvre systemhad to be SPIRIT III cryostat failure in November 1994forced many additional enhancements to the payloadprocessing facility configuration, including an emer-gency button override on the air shower doors, im-proved power distribution to the spacecraft, and pro-visions for monitoring cryostat status in the payloadprocessing facility control room. Finally, ground sup-port equipment, test equipment, and ground test soft-ware often slowed the test schedule by giving erroneousand conflicting results that required NCES1The Johns Hopkins University Applied Physics Laboratory TechnicalServices Department, Hardware Configuration Management Manual, TSD-STD-400.1, Rev. 2, Laurel, MD, pp. 1–2 (Sep 1993).2Peterson, M. R., “Spacecraft Integration and Test,” in Fundamentals of SpaceSystems, Moore, R. C., and Pisacane, V. L., eds., Oxford University Press,New York, p. 721 (1994).3Gryna, F. M., and Juran, J. M., Quality Control Handbook, McGraw-Hill, NewYork, p. 31.17 (1988).ACKNOWLEDGMENTS:The author wishes to thank the various members ofthe SOR Satellite Reliability Group for their support during the MSX effort. Also,the contributions of Joyce McDevitt and Clay Smith in the system safety area werenoteworthy. Finally, the understanding and cooperation of the APL MSX ProgramOffice were key factors in MSX Performance Assurance Program success. TheMSX mission is sponsored by the Ballistic Missile Defense Organization. This workwas supported under contract N00039-94-C-0001.M. EDWIN GOSS is an APL Senior Staff Engineer specializing in aerospacereliability, quality assurance, and launch safety. He received his B.S. and s in industrial technology (concentration in management) from theUniversity of Maryland in 1973 and 1982, respectively. Mr. Goss’s early APLexperience included a variety of work on satellite subsystems and components, aswell as design and installation of high-frequency radio systems to support seatrials. From 1979 to 1986, he was employed by Gould, Inc., where he conceivedand implemented quality assurance programs for towed sonar arrays. Since 1986,Mr. Goss has served as performance assurance engineer for the JANUS MissionII and Delta 181 programs, and as supervisor of the Space Department’s QualityAssurance Section. In 1991, he was appointed supervisor of the PerformanceAssurance Section. His e-mail address is @ HOPKINS APL TECHNICAL DIGEST, VOLUME 17,NUMBER 2 (1996)197