Mechanical Systems Working Group


Charter Timeline Policies Links Contacts

Over time, the MSWG has developed policies regarding specific points of Design for Minimum Risk criteria. These policies are based on lessons learned from previous experiences or research and investigations conducted by various members of the engineering community. Even if a mechanism does not require a DFMR designation to meet fault tolerance requirements, there is nothing in the requirements that is not just good mechanical design practice. Design organizations are encouraged to adopt these requirements in such situations since the MSWG will likely use criteria akin to these for their review.

A few things to keep in mind: First, we are dealing with hazards that have catastrophic consequences here, and thus the MSWG will prefer to err on the side of caution. Second, just because you have not had a problem with something before does not mean that no one has, nor does it mean that it will not have problems in the future. The MSWG will categorically reject this reasoning, every time. “It’s flown before” is never a valid argument. Please don’t try to use it.


Policy Topics

A Few Words About DFMR
The "Simple Mechanism" Designation
Structural Requirements after Mechanism Failure
Fail-Safe vs. Failure Tolerance
Tolerance Analysis
Quick Release Pins
Fastener Retention
Testing
Threaded Interfaces
Acceptance Testing of EVA Bolts
Velcro
Spring Plungers
Requirements Traceability



A Few Words About DFMR

Design for Minimum Risk (DFMR) is a process that allows safety-critical mechanisms to achieve fault tolerance through rigorous design, analysis, testing, and inspection practices rather than through true physical redundancy. MA2-00-057 lays out the requirements that the system must meet in order to gain this status. In essence, the granting of a DFMR designation is stating that because this rigorous development process was used, the credibility of a failure has been reduced. The MSWG has agreed that given the design and development of the hardware, they think it very unlikely to fail and is willing to stand behind the operation. DFMR represents a level of confidence equivalent to one-fault tolerance. The MSWG will therefore adhere strictly to the requirements.

One common misconception is that ALL safety-critical mechanisms are required to meet DFMR requirements. This is not true. Remember, DFMR is a method to achieve additional fault tolerance—thus mechanisms that already achieve the proper levels of fault tolerence do not need to formally meet these requirements. In fact, physical redundancy is the true goal; DFMR is intended as a path to take if fault tolerance is highly impractical. Often, redundancy will be easier to obtain than documenting DFMR, and hardware owners probably don't want to go through the work of formal documentation if they don't have to! However, the requirements do represent good design practice and so voluntarily meeting them is a good way to ensure mission success. And remember, the MSWG will be taking a look at all mechanisms, even if they are properly fault-tolerant, just to make sure there is nothing inherently unsafe in the design.

Top


The "Simple Mechanism" Designation

MA2-00-057 permits the use of “fully compliant simple mechanical systems” without redundancy in safety-critical applications when they meet certain special requirements AND are approved by the MSWG and the safety review panel. MA2-00-057 defines a simple mechanical system as “a robust mechanism that has relatively few moving parts and can demonstrate low sensitivity of environmental and operational conditions.” Note that a simple mechanism must still meet all DFMR requirements. Also note that this memorandum requires that approval for pursuing a “simple mechanism” designation must be granted by the MSWG prior to the Phase I safety review.

It is the MSWG’s experience that very few mechanisms actually meet “simple mechanism” requirements. In this case “simple” refers to more than just mechanical complexity—there must also be few failure modes that are easily controlled. Even something as seemingly simple as a bolt fails to meet these criteria. For example, even though a bolt consists of only one moving part (as simple as it gets) the failure modes are numerous and have a history manifesting themselves—cross threading, galling, cold welding, lubricant migration, jamming due to debris, degradation of the locking feature, and inconsistent running torque to name a few of the most common. This designation goes one step beyond DFMR—it essentially states that there is almost no possible way this mechanism can fail, given the design. The MSWG does not make a statement like this lightly. "Simple Mechanism" represents a level of confidence equivalent to two-fault tolerance. Some examples of mechanisms that have been granted this designation in the past include insertion of pins into holes and magnetic soft captures. However, design organizations are strongly encouraged to pursue redundancy instead of a “simple mechanism” designation no matter what the mechanism is. If a mechanism is not complex, then it is typically easy to add redundancy and it will have a much smoother path through the MSWG.

Top



Structural Requirements after Mechanism Failure

This one is not just MSWG policy, it is a hard requirement from TA-93-037, which can be found in NSTS/ISS 18798. It basically says that all structural design requirements apply to all loading conditions, including those that occur after credible mechanism failures. Verification of these loading conditions is required if limit load is redistributed by the failures. So, you still need positive margins with full factors of safety. Per Fracture Control Board memorandum ES4-07-031 it is not required to address fracture control after a mechanism failure.

Top



Fail-Safe vs. Failure Tolerance

There is often a lot of confusion concerning fail-safe analysis; often people think that showing a system is fail-safe is the same thing as having failure tolerance, but these are two entirely different things. As before, this is also the result of a hard requirement as opposed to just being MSWG policy.

"Fail-safe" is a fracture-control term and has little to do with mechanical failure tolerance. A fail-safe analysis is just one of several ways to meet fracture control requirements. It involves showing that if one of a number of components fails because of an undetected inherent material flaw then positive structural margins of safety exist in the system under the redistributed loading conditions with a factor of safety of 1.0. However there are other fracture-control approaches available such as low-risk and fracture-critical safe-life analysis. Another thing to keep in mind is that different fracture control approaches can be used for different mission phases. For example, you can use a fail-safe approach for launch and a low-risk approach for return. Choosing a certain method for launch doesn't lock you into that choice for the remainder of the flight.

Failure tolerance involves meeting the performance requirements of the system and the aforementioned structural requirements of TA-93-037 after any credible mechanism failure. For a system to be considered failure-tolerant, full factors of safety must be used in the analysis of the redistributed loading conditions. The factor of safety difference is very important because depending on the factor used, there may be a difference of 40% to 100% in the loads.

Whereas in the past the fracture control requirements have been applied after mechanism failure, by mutual agreement between the fracture control board and the MSWG, the current policy is that the fracture control requirements are only applied to the nominal design configuration: i.e. the fracture control requirements and the failure tolerance requirements may be applied independently. Thus, mechanisms that meet failure tolerance requirements will often automatically qualify for a fail-safe fracture control approach, at least in part, due to the lower factor of safety used in the fail-safe analysis. The system should always be reviewed with the fracture control board to ensure that the proper fracture control plan is in place.

Top



Tolerance Analysis

For safety-critical mechanisms MA2-00-057 lists several requirements for complete dimensional tolerance and thermal effects analysis in Section 1.0. The MSWG interprets the establishing of these tolerances as the production of a detailed tolerance analysis report, and requires all such analysis to be submitted for review. The analysis only needs to consider geometry that will affect the mechanical operations; a complete assembly analysis is not required.

For manufacturing tolerances, use a worst-on-worst (WOW) stack-up for analyses with six or fewer tolerances. Tolerance stack-ups with seven or more tolerances may use a value of 1.6*RSS.

It is very important that a thorough enough tolerance analysis be provided by the design organization that the MSWG can review it. In the past, if a poor analysis was submitted the MSWG would do its own analysis. However, this is extremely time consuming and inefficient, and it has become a crutch for design organizations. As a result, the MSWG will now reject a poorly done tolerance analysis and require a resubmittal before reviewing it.

Click here for an example of what a good dimensional tolerance analysis should look like. Note that you will have a much easier time both performing the analysis and receiving approval if Geometric Dimensioning and Tolerancing (GD&T) per ASME Y14.5 is used on the drawings. This particular example does not include thermal effects, but they are easily included with this method. Note also that this example comes from course notes; we do not intend for drawing data to be recreated in PowerPoint or anything. A simple cut-and-paste portion of the released drawing PDF or a screen capture of the model right in an Excel or Mathcad file, with TSU vectors overlaid on it, is fine. But the gaps analyzed and the vectors used must be indicated. If there are any questions, don’t hesitate to contact the MSWG!

Top



Quick Release Pins

Quick release pins have a terrible track record, hence their specific requirements in Section 2.0. Currently, the MSWG has only approved one series of off-the-shelf quick release pins for use in safety-critical applications: Avibank part number 56789. This series has undergone a thorough site certification by JSC M&P personnel. Other off-the-shelf pins from Avibank or other manufacturers have not been shown to be acceptable for safety-critical applications. Any other pins must undergo a similar certification and approval before the MSWG will consider them. QRP, Inc. has also designed custom pins for space use but these still require certain engineering controls before use. However, the use of even these approved pins will meet with resistance from the MSWG since they are still not infallible. The MSWG will usually at least require some sort of backup retention method, such as a hitch pin, be utilized. Quick release pins have also been inadvertently snagged numerous times during EVAs, sometimes caught on-orbit and sometimes not noticed until return. The use of quick-release pins in any safety-critical application will be very highly scrutinized, especially if they reside in a primary load path. The bottom line is that the use of quick-release pins in critical or catastrophic hazard applications is strongly discouraged. Design organizations should consider alternate design approaches, especially where the pins are anticipated to be installed permanently.

As discussed, quick release pins have mechanical/structural failure modes even after final installation including loss of the retention balls or even loss of the entire pin head. Because of the specific manufacturing process and testing restrictions were put in place on the Avibank 56789 pin to control these failure modes. When thinking of these pins from a tolerance perspective the Avibank 56789 pin can be thought of as a DFMR equivalent, or one fault tolerant. In a potentially catastrophic applications that means an additional level of fault tolerance is still required.

Top



Fastener Retention

The MSWG generally follows the same policy as JSC M&P, as listed in Section 5.6.5.1 of JSC 27301D, Materials Control Plan for JSC Flight Hardware. Some additional commentary:

It is the MSWG policy that all fasteners shall have positive, verifiable locking in addition to preload unless the MSWG specifically approves otherwise. Examples include self-locking threads, lockwire, and cotter pins. Verifiable is a key word here. Self-locking thread features must have running torque measured and recorded for each safety-critical instance. The MSWG will want this stated explicitly in your MSVP.
Liquid locking compounds (Vibra-tite, etc) are NOT verifiable in the traditional sense and require strict process controls for use that must be negotiated with Materials and Processes (M&P). They also have other problems. The MSWG will rarely approve their use. The following JSC M&P presentation on fastener retention explains some of the reasons why liquid locking compounds are not a good idea for safety-critical applications.
Two locking features are required on all safety-critical fasteners. Preload counts as one locking feature. Unless supporting analysis or test data is provided, minimum preload values should be in accordance with MSFC-STD-486B. If a fastener is not preloaded, another different secondary locking feature is required. Fasteners in joints subject to rotation in operation must use at least one non-friction locking device.
Inserts: All insert styles have strengths and weaknesses, and the proper choice is very application-dependent. Here’s a quick overview:
Helical Inserts. Helical inserts give can sometimes produce more consistent running torque performance and are easy to replace if the locking feature wears out or other problems arise. They are also very small and can be used when the edge distance is not sufficient for other styles. However, they have many drawbacks as well. Their performance is very sensitive to installation. The quality of the tooling used and the process controls can produce inconsistent preloading. They offer limited corrosion protection and are difficult to seal properly. Installation, especially in blind holes where inspection of the back side is difficult, must be carried out carefully to ensure proper tang removal and fit. Also, helical inserts behave differently in steel than they do in aluminum, and special installation procedures are required to achieve proper performance in steel. Helical inserts have also been know to back out during fastener removal. For this reason, applications involving removal of an EVA bolt should never use Helical inserts because of the sharp-edge hazard they pose if backed out at all.
Slimserts. Slimserts give more reliable torque-tension performance than helical inserts but can have retention problems if the installation staking is not done carefully. Hence, these inserts require increased inspection and verification efforts. Slimserts are slightly larger than helical inserts, and a little smaller than key-locked inserts.
Key-locked inserts. Key-locked inserts give consistent preload and due to their key staking they will not back out. However, they are larger than other insert types, their running torque can be inconsistent, and they can be more prone to galling than other inserts.
Spiralock Inserts. Spiralock inserts are currently only available in helical form. While these inserts are very good at preload retention, they are not locking features—when they lose preload they do not prevent the fastener from backing out. The use of spiralock inserts will require a separate locking feature.

Top



Testing

Often, despite the fact that it is required per NSTS requirements, environmental qualification and acceptance testing is one of the first things to be cut when the budget starts to run thin. However, since mechanical systems are some of the most complex and unpredictable systems around, they are in most need of adequate testing. For this reason, the MSWG will always closely examine the verification plan to make sure that the proper testing is planned, and will be very insistent upon its presence. Depending on the mechanism function, thermal-vacuum, vibration, design-life, and wear-in testing can all be absolutely critical to proper function. See NASA-STD-5017 or AIAA-S-114 for a good overview of proper wear-in testing. Time and time again failures occur on-orbit that would have been caught if proper ground testing had been performed. If there is one overriding lesson learned from past mechanical failures, it is that the proper testing is of the utmost importance.

Top



Threaded Interfaces

Threaded interfaces that operate during flight, including EVA bolts, are considered mechanisms. As such, they must meet the same requirements as other mechanisms in order to be granted a DFMR designation. However, the way in which the requirements apply is typically different than with other mechanisms and can be confusing. To help with the process, the MSWG has created a flowchart for granting DFMR to a threaded interface to help translate some of the DFMR requirements into specific requirements for threads. Following this flowchart will satisfy most of the binding/jamming/seizing requirements of section 1 and the testing requirements of sections 9 through 11 of MA2-00-057. Refer to the DFMR Requirements Matrix for more information.

Top



Acceptance Testing of EVA Bolts

Sometimes, acceptance testing and wear-in of the removal of any EVA bolt with self-locking threads is not recommended. This is because some self-locking thread features and some lubricants have a very limited life, which can be prematurely degraded by acceptance testing. In these cases, the MSWG recommends an alternate acceptance approach consisting of a combination of rigorous torque margin analysis; increased attention to materials and lubricant selection; increased attention to process control and inspection of thread form, lubricant application, assembly, and running torque measurement; and increased contamination control precautions.

However, in some instances, depending on the materials and lubricants involved and the operational scenario, a preconditioning of the locking insert may be recommended. In this case, conditioning with one cycle has met with good success in the past because the torque in the inserts is typically reduced by about 50% after only one cycle. It’s best to make sure you discussed the situation with the MSWG and Materials and Processes to make sure the proper approach is used.

In cases where the only operational scenario for an EVA bolt is removal, further reduction in testing requirements may be acceptable. Be sure to talk to the MSWG about your application before making any assumptions.

Top



Velcro

Velcro should not be used as a retention method for safety-critical mechanisms if any other method is available, and should never be used as a primary retention method. Among other problems, it is not easily verifiable, it does not provide a clear indication of status, its repeatability is poor, and there is little data on its use in an exposed orbital environment. When used, it should be in a configuration that does not allow peeling and should be looped back on itself or be secured on two perpendicular planes.

Top



Spring Plungers

Bullet-nosed spring plungers are not recommended for retention or locking in safety-critical situations. There have been multiple instances of this type of spring plunger not operating correctly on-orbit (for example, see ISS PRACA 3284.) If spring plungers are used, they should be the spherical style plungers.

Top



Requirements Traceability

Requirement for Two Fault Tolerance:

Shuttle Payloads - NSTS 1700.7B, paragraph 200.1B
ISS Payloads - SSP 51700, paragraph 3.1.1.2 (Note: This is a draft document. Until it's released, it's in 1700.7B ISS Addendum)
ISS Hardware - SSP 50021, paragraph 3.3.6.1.1

Requirements Regarding Secondary Locking Features:

GFE Hardware - JSC 27301D, paragraph 5.6.5.1
DFMR mechanisms, MA2-00-057, paragraph 4.0
ISS Payloads - SSP 52005, paragraph 5.6
ISS Hardware - SSP 30559, paragraph 3.8, SSP 30233, paragraphs 4.5.5.3 and 4.5.5.4

Requirement for an MSVP:

Shuttle Payloads - NSTS 14046, paragraph 5.1.6
ISS Payloads - SSP 13830, paragraphs 7.9.1a, 7.9.1b, 7.9.2, and 7.9.3
ISS Hardware - SSP 30599, paragraphs 5.1.3, 5.2.3, and 5.3.3

Top


Curator: Brandan Robertson
Responsible NASA Official: Deborah Graham
Last Update: 5/22/2017