Description of Driving Event:
This Lesson Learned is based on Reliability Practice No. PD-ED-1256, from NASA Technical Memorandum 4322A, NASA Reliability Preferred Practices for Design and Test.
Benefit:
The major benefit of these design considerations is greater assurance that loss of power to critical loads, and the resulting consequences, will not occur. Achieving optimum reliability is of paramount importance in systems that protect life and property. The increase in ATS reliability is usually achieved with little or no additional design cost.
Implementation Method:
The implementation of these techniques has resulted in the elimination of critical failure modes in Automatic Transfer Switches used in the KSC Shuttle Landing Facility 60 Hertz Power System supporting critical landing aids. Increased system reliability and reduced maintenance costs are inherent features of these practices.
Technical Rationale:
For critical 60 Hertz power applications which must use Automatic Transfer Switches (ATS) to provide redundant power sources, it is important to examine the following three design considerations, which serve to minimize the probability of ATS failures that could result in loss of power to the load.
The first consideration involves the use of ATSs which are designed such that either molded-case circuit breakers or molded-case switches can be used interchangeably as the switching devices. Only the latter should be used. A premature trip of a circuit breaker could cause total loss of power to the critical load or, depending on the conditions used to cause the ATS to switch, a premature transfer. Whereas a premature transfer is not a critical failure mode, any unnecessary transfer of an ATS supporting a critical load is undesirable because of the possibility of a system malfunction due to transients or glitches caused by the switch-over.
The potential for loss of power to the critical load caused by an open switching device in the ATS brings about the necessity to investigate the second consideration, which pertains to the technique used to cause the ATS to transfer to its alternate power source. Many ATSs employ one or more voltage-sensor circuits to detect the loss of preferred input power. When the voltage sensor detects the absence of preferred input power, the transfer is initiated and the ATS switches the load to the alternate power source. In the event that the ATS switching device fails "open" as described in the previous paragraph, no transfer would occur, because the voltage sensor at the preferred input would not have detected any loss of input power. The result would again be loss of power to the load. Hence, the only sure way to guard against this failure mode is to configure the ATS to sense loss of voltage at the "load" terminals of the ATS instead of at the "preferred" power input terminals. Thus, any internal ATS failure which would otherwise cause loss of power to the load will be neutralized. The intent of providing an ATS in critical power circuits is to eliminate single failures that would cause loss of power to the load. Eliminating the potential for these two types of internal ATS failure modes significantly reduces the chances of the ATS itself becoming a single-failure point.
The third consideration is maintaining the good working order of the ATS, i.e. maintainability and preventive maintenance. Because the ATS is used only for emergency transfer of power, and since maintenance could require taking down the system, regular maintenance may be repeatedly postponed or ignored until a real-time catastrophe reveals that the ATS will not transfer because of a maintenance-related failure. Convenience should not be allowed to substitute for adequate preventive maintenance. Where possible, scheduled down-time should be used to complete an appropriate maintenance plan.
In systems where down-time is not a convenient option, a hardware method of bypassing the ATS to facilitate maintenance should be installed. Designing the system for maintainability allows the required preventive maintenance to be performed without interfering with normal system operation. With the appropriate hardware configuration and preventive maintenance plan in place, optimum reliability can be achieved without any substantial increase in installation or operating cost. Any cost incurred to implement these safeguards is assuredly returned by the avoidance of a single failure of the ATS under worst-case conditions.
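The argument for load-side voltage sensing can be checked with a small fault-injection model. This is an added example, not part of the NASA practice: the `Ats` class and `run_fault` helper are hypothetical, and an open switching device (including a prematurely tripped breaker) is modelled as the single internal fault the text describes.

```python
# Added example (not from the NASA practice): compares an ATS that senses loss of
# voltage at its preferred input terminals with one that senses at its load
# terminals, under an injected "open switching device" internal failure.
from dataclasses import dataclass


@dataclass
class Ats:
    sense_at: str              # "input" (preferred-side sensor) or "load" (load-side sensor)
    preferred_live: bool = True
    alternate_live: bool = True
    switch_open: bool = False  # internal failure: preferred-side switching device open
    source: str = "preferred"  # source the load is currently connected to

    def load_voltage(self) -> bool:
        """Voltage actually present at the load terminals."""
        if self.source == "preferred":
            return self.preferred_live and not self.switch_open
        return self.alternate_live

    def sensed_voltage(self) -> bool:
        """What the transfer logic sees, depending on where the sensor is wired."""
        if self.sense_at == "input":
            return self.preferred_live   # upstream of the switching device: blind to an open device
        return self.load_voltage()       # downstream, at the load terminals

    def step(self) -> bool:
        """One sensor evaluation: transfer if loss of voltage is sensed; return load state."""
        if self.source == "preferred" and not self.sensed_voltage():
            self.source = "alternate"
        return self.load_voltage()


def run_fault(sense_at: str, *, lose_preferred: bool = False,
              open_switch: bool = False) -> dict:
    """Inject a fault into a fresh ATS and report where the load ends up and whether it is powered."""
    ats = Ats(sense_at=sense_at)
    ats.preferred_live = not lose_preferred
    ats.switch_open = open_switch
    powered = ats.step()
    return {"source": ats.source, "load_powered": powered}


if __name__ == "__main__":
    for where in ("input", "load"):
        print(where, "| lost preferred:", run_fault(where, lose_preferred=True))
        print(where, "| open switch:   ", run_fault(where, open_switch=True))
```

Both sensor placements transfer correctly on a true loss of preferred input; only load-side sensing also recovers from the open switching device, which input-side sensing leaves as a single point of failure.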
Lesson(s) Learned:
Failure to follow this practice can ultimately lead to loss of life and, secondarily, loss of property. The very nature of the critical systems which drive the requirement to use an ATS to guard against loss of power demands maximum reliability.
Recommendation(s):
This practice provides proven techniques for enhancing the reliability of Automatic Transfer Switches (ATS) used in critical applications. Systems which require the use of an ATS may be optimized for fail-safe operation using worst-case design techniques and good maintainability and preventive maintenance practices. The probability of internal ATS failures which could result in loss of power to the load can be minimized by giving particular attention to the ATS transfer method, the power-switch types used, and the ongoing health of the equipment.
Evidence of Recurrence Control Effectiveness:
This practice has been used on Kennedy Space Center Shuttle Landing Facility 60 Hertz Power System supporting critical landing aids.
Documents Related to Lesson:
N/A
Mission Directorate(s):
- Exploration Systems
- Science
- Space Operations
- Aeronautics Research
Additional Key Phrase(s):
- Emergency Preparedness
- Facilities
- Flight Operations
- Ground Operations
- Hardware
- Industrial Operations
- Launch Process
- Range Operations
- Safety & Mission Assurance
Additional Info: