Power conditioning equipment for a thermoelectric outer planet spacecraft, volume 1, book 1 by Andrews, R. E.
DIN 72SD4223
15 JUNE 1972
FINAL TECHNICAL REPORT
,, (NASA-CR-1 2 7 9 1 4 ) POWER CONDITIONING
- EQUIPMENT FOR A R.E. Andrews (GeneralJ Electric Co.) 15 Jun. 1972 282 p CSCL 10A
U
LA-111
VOLUME I (BOOK 1)
GENERAL ELECTRIC COMPANY
SPACE DIVISION
PHILADELPHIA, PENNSYLVANIA
N72-3 0 0 3 8
GENERAL ELECTRIC
Reproduced by
NATIONAL TECHNICAL
INFORMATION SERVICE
U S Department of Commerce
Springfield VA 22151
SPACE
DIVISION
G3/03 40089 
POWER CONDITIONING EQUIPMENT
FOR A THERMOELECTRIC OUTER PLANET
SPACECRAFT
JPL CONTRACT 952536
I
https://ntrs.nasa.gov/search.jsp?R=19720022388 2020-03-11T19:34:38+00:00Z
DIN 72SD4223
15 JUNE 1972
FINAL TECHNICAL REPORT
POWER CONDITIONING EQUIPMENT
FOR A
THERMOELECTRIC OUTER PLANET SPACECRAFT
VOLUME 1 (BOOK 1)
JPL CONTRACT NO. 952536
ITTHIS WORK WAS PERFORMED FOR THE JET
PROPULSION LABORATORY, CALIFORNIA
INSTITUTE OF TECHNOLOGY, AS SPONSORED
BY THE NATIONAL AERONAUTICS AND SPACE
ADMINISTRATION UNDER CONTRACT NAS 7-100.11
ED ITOR
R.E. ANDREWS,
POWER SUBSYSTEM ENGINEER
APPROVED BY
J. HAYDEN, ROGRAM MANAGER
PO Ea12/ RT IONAGE7 I PM ENT
I . CRAFT, *MANAGER
ADVANCED PLANETARY PROGRAMS
Headquarters: Valley Forge, Pennsylvania 0 Daytona Beach. Fla. - Cape Kennedy, Fla. 0 Houston, TexasSpace Division OBeltsville, Md. 0 Evendale, Ohio D Huntsville, Ala. 0 Bay St. Louis, Miss. 0 Newport Beacht Calif.
GENERAL ELECTRIC
THIS REPORT CONTAINS INFORMATION PREPARED
BY THE GENERAL ELECTRIC COMPANY UNDER JPL
SUBCONTRACT. ITS CONTENT IS NOT NECESSARILY
ENDORSED BY THE JET PROPULSION LABORATORY,
CALIFORNIA INSTITUTE OF TECHNOLOGY, OR THE
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION.
ii
ABSTRACT
This final report covers the significant activities associated with the design and development
of Power Conditioning Equipment (PCE) for the Thermoelectric Outer Planet Spacecraft (TOPS)
program. The work was performed under JPL Contract No. 952536 during the period from
April 1969 through December 1971. During this period four quarterly technical reports were
issued along with biweekly progress reports and numerous topical reports. This final report
has assembled the more significant results of this overall effort.
One major aspect of the program included the design, assembly and test of various breadboard
power conditioning elements. Among others these included a quad-redundant shunt regulator,
a high voltage (_ 3500 vdc) Traveling Wave Tube dc-to-dc converter, two-phase gyro inverters
and numerous solid-state switching circuits. Toward the end of the development effort many
of these elements were arranged in a typical subsystem configuration and tests were conducted
which demonstrated basic element compatibility.
In parallel with the development of the basic power conditioning elements, system studies were
continued during the entire effort. As new mission related data became available from JPL,
the design effort for the PCE was examined and a suitable system configuration was gradually
evolved. The salient features of the selected power subsystem configuration are as follows:
e The PCE regulates the power from the radioisotope thermoelectric generator
(RTG) power source at 30 vdc by means of a quad-redundant shunt regulator.
d 30 vdc power is used by certain loads, but is more generally inverted and
distributed as square-wave ac power.
d A protected bus is used to assure that power is always available to the Control
Computer Subsystem (CCS) to permit corrective action to be initiated in re-
sponse to fault conditions.
d Various levels of redundancy are employed to provide high subsystem reliability.
iii
ACKNOWLEDGEMENT
The Editor wishes to acknowledge the contribution of the following General Electric engineers
whose combined efforts provided the trade studies, designs, and analyses of a candidate power
subsystem for an Outer Planet Spacecraft.
Andryczyk, R.W.
Barry, F.R.
Brown, L.
(Japodici, S.
Ebersole, T. J.
Klisch, J. S.
Kirpich, A.
Kutner, N.
Peck, S. R.
Pellman, R. R.
This task was performed under the leadership and direction of Contract Technical Manager,
Mr.. H. M. Wick, and PCE Cognizant Engineer, Mr. D. Hopper, of the Jet Propulsion
Laboratory.
iv
GLOSSARY
A/C Attitude Control Subsystem
AEC Atomic Energy Commission
ASI Amperes per Square Inch
BOM Beginning of Mission
CCS Control Computer Subsystem
CDS Command Decoder Subsystem
CG Command Generator
CMMA Ceramic Metalized Multigate Array
CT Current Throttle
CTSS Current Throttle Steering Switch
DPDT Double Pole - Double Throw
DVM Digital Volt Meter
EMC Electromagnetic Compatibility
EOM End of Mission
FD&C Fault Detection and Correction
FMECA Failure Mode, Effect, and Criticality Analysis
I/O Input - Output
KHz Kilo Hertz
LVCO Low Voltage Cutoff
MB Main Bus
Mev Million Electron Volts
MHW Multi-Hundred Watt
MVFD Majority Vote Failure Detector
MPS Measurement Processor Subsystem
OSE Operations Support Equipment
PB Protected Bus
PCE Power Conditioning Equipment
PS Power Supply
Rft Failure Tolerant Reliability
Rpow 100% Main Bus Power Reliability
RDA Remote Decoder Array
v
RFS Radio Frequency Subsystem
RTG Radioisotope Thermoelectric Generator
S/C Spacecraft
SEQ Sequence
SRP Shunt Resistor Panel
SW Switch
TARP Test and Repair Processor
T/C Thermal Control Subsystem
TCM Trajectory Correction Maneuver
TOPS Thermoelectric Outer Planet Spacecraft
T/R Transformer - Rectifier
TSS Timing Synchronizer Subsystem
TTL Transistor - Transistor Logic
TWT Traveling Wave Tube
vi
TABLE OF CONTENTS
PageSection
BOOK I
INTRODUCTION. 1-1
REQUIREMENTS AND GUIDELINES . 2-1
POWER SUBSYSTEM DESIGN
3.1 Electrical Configuration . . . . . . . . . .
3.2 Physical Configuration . . . . . . . . . .
3.3 Performance . . . . . . . . . . . . . .
3.4 Electrical Interfaces . . . . . . . . . . .
3.4.1 Radioisotope Thermoelectric Generation (RTG) .
3.4.2 Measurement Processor . . . . . . .
3.4.3 Operational Support Equipment . . . . .
3.4.4 Command Decoder Subsystem (CDS) . . .
3.4. 5 Timing Synchronizer Subsystem (TSS) . . .
3.4.6 Control Computer Subsystem (CCS) . . . .
3. 5 PCE Characteristics . . . . . . . . . . .
3. 6 System Reliability Overview . . . . . . . . .
3.6.1 System Reliability Considerations . . . .
3. 6.2 Power Subsystem Numerical Summary . . .
3.6.3 Trade Studies . . . . .
3. 6.4 Reliability Improvement .
3-1
. . . . 3-1
3-7
3-8
, ::.. .. 3-11
,... . 3-11
, ... . 3-15
, . ... .. 3-16
. . . . 3-21
, ... ... . 3-22
, ... : . 3-22
, ... . 3-25
. . . . 3-25
. . . . 3-25
. .. . .3-33
, ... . 3-33
. ... 3-37
DESIGN AND TRADE STUDIES
4.1 Energy Storage Studies . . .
4.1. 1 Long-Term Flight Batteries
4.1.2 Launch Batteries . . . .
4.2 Regulation Studies . . . . . .
4.2.1 Basic Regulation Alternatives.
4.2.2 Shunt Regulation Alternatives .
4.2.3 Conclusions . . . . .
4.3 Distribution Studies . . . .
4.3.1 Bussing Arrangement . .
4.3.2 AC - DC Power Distribution
4.3.3 Ground Isolation . . . .
4.3.4 Power Switching . . . .
4.4 Fault Detection and Correction. .
4.4.1 Load Failures ..
4.4.2 Power Subsystem Failures
1
2
3
4 . . . . 4-1
.. . . . . . . . . . 4-1
.. . . . . . . . . . 4-2
... .. . . . . . 4-8
......... . ....4-13
.... ...... . . . .. .4-13
. . . . . . . . . . ....4-17
......... . ....4-25
......... . ....4-26
......... . ....4-26
......... . ....4-31
. . ... ... . . . .. 4-31
......... . ....4-34
......... . ....4-55
......... . . .. 4-55
......... . ....4-94
vii
I . . .
· . . .
. . . .
TABLE OF CONTENTS (Cont)
Page
4. 5 Reliability/Redundancy Studies . . . . . . .
4.5.1 Reliability Apportionment . . . . . . .
4.5.2 Current Throttle Redundancy . . . . . .
4.5.3 Main Inverter Configuration . . . . . . .
4.5.4 RTG Reliability with and without Isolation Diodes
4.5.5 Power Subsystem Reliability . . .
4.6 Transformer Optimization Study . . . .
4.6.1 Analysis . . . . . . . . . .
4.6.2 Conclusions . . . . . . .
4. 7 System Response Studies . . . .
4.7.1 Filter Configuration . . . . . .
4.7.2 Filter Analysis . . . . .
4.7.3 Filter Component Characteristics
4.8 Radiation Analyses . . . . . . . . .
4.8.1 Introduction . . . . . . . .
4.8.2 Radiation Sources . . . . . .
4.8.3 Effects on Semiconductor Electronics .
4.8.4 Test Evaluation . . . . . . .
4.8.5 Conclusions . . . . . . .
4.9 Harness Optimization . . . . . . . .
4.9.1 Conclusions . . . . . . . .
4-145
4-145
4-150
4-151
. . . 4-162
. 0 . 4-194
. . . 4-194
. 0 . 4-197
. . . 4-197
. . . 4-198
O. . 4-199
. . . 4-203
. . . 4-215
. . . 4-215
. . . 4-215
·. . 4-217
. . . 4-220
. . . 4-228
. . . 4-230
. . . 4-232
BOOK 2
BREADBOARD CIRCUIT DESIGN . . . . .
5.1 Current Throttle . . . . . . . . . . . .
5. 1. 1 Functional Requirements . . . . . . .
5.1.2 Design Description . . . . . . . .
5.1.3 Test Results . . . . . . . . . . .
5.1.4 Failure Mode, Effect, and Criticality Analysis .
5.2 Current Throttle Steering Switch . . . . . . .
5.2.1 Functional Requirements . . . . . . .
5.2.2 Design Description . . . . . . . . .
5.2.3 Test Results .... . . . . . . . .
5.2.4 Failure Mode, Effect, and Criticality Analysis
5.3 Shunt Regulator . . . . . . . . . . . . .
5. 3. 1 Functional Requirements . . . . . . .
5.3.2 Design Description . . . . . .
5.3.3 Test Results . . . . . .
Section
5 5-1
5-1
5-1
5-3
5-4
5-11
5-18
5-18
5-19
5-19
5-27
5-38
5-38
5-38
5-43
viii
· · o ·
· · ··
· * * ·
· · o ·
* ** 
* . * 
* * * 
· 
* ** 
* ** 
· 
* ** 
* * 
* .
.·
· .
* * 
* * 
* * 
· · o ·
· · · ·
* * * 
* * .
* * * 
* * * 
* .
* * .
* . .
* * * 
TABLE OF CONTENTS (Cont)
Section
5.4 Main Inverter . . . . . . . . . . . . .
5.4. 1 Functional Requirements . . . . . . .
5.4.2 Design Description . . . . . . . .
5.4.3 Test Results . . . . . . . . . . .
5.4.4 Failure Mode, Effect and Criticality Analysis
5.5 Protected Bus Inverter . . . . . . . . . .
5. 5. 1 Functional Requirements . . . . . . .
5.5.2 Design Description . . . . . . . . .
5.5.3 Test Results . . . . . . . . . . .
5.5.4 Failure Mode, Effects, and Criticality Analysis
5.6 Inverter Switch .. . . . . . . . . . .
5.6.1 Functional Requirements . . . . . . .
5.6.2 Design Description . . . . . . . . .
5.6.3 Test Results . . . . . . . . . . .
5.6.4 Failure Mode, Effect, and Criticality Analysis .
5. 7 Inverter Switch Command Generator . . . . . .
5.7.1 Functional Requirements . .
5.7.2 Design Description . . . . . . . . .
5.7.3 Test Results . . . . . . . . . . .
5.7.4 Failure Mode, Effect, and Criticality Analysis .
5. 8 Inverter Failure Detector . . . . . . . . .
5. 8.1 Functional Requirements . . . . . . .
5.8.2 Design Description . . . . . . . . .
5.8.3 Test Results . . . . . . . . . . .
5. 8.4 Failure Mode, Effect, and Criticality Analysis .
5. 9 Power Distribution Circuitry . . . . . . . .
5.9.1 Relay Switch . . . . . . . . . . .
5.9.2 Magnetic Switch . . . . . . . . . .
5.9.3 AC Solid State Switch . . . . . . . .
5.9.4 AC Current Limiter . . . . . . . . .
5.10 Low Voltage Cut-Off (LVCO) . . . . . . . .
5. 10. 1 Functional Requirements . . . . . . .
5.10.2 Design Description . . . . . . . . .
5.10.3 Test Results . . . . . . . . . . .
5.10.4 Failure Mode, Effect and Criticality Analysis
TECHNOLOGY DEVELOPMENT . . . . . . . . .
6.1 TWT Converter Assembly . . . . . . . . .
6.1.1 Functional Characteristics . . . . . .
6.1.2 Design Definition . . . . . . . . . .
5-83
5-83
5-83
* .... ...5-85
5-89
5-92
5-9e
.. . 5-92
5-97
.... 5-98
5-114
5-114
5-114
5-116
5-116
5-123
5-123
* ... . ...5-123
5-123
5-123
5-138
5-138
5-138
5-142
. ... 5-157
5-187
5-187
... 5-206
*... 5-212
5-220
5-229
5-229
5-229
5-234
5-241
. ... 6-1
.. . . . 6-1
.. . . . 6-1
.. . . . 6-2
ix
6
Page
TABLE OF CONTENTS (Cont)
Page
6.2 Two-Phase Inverter Assemblies . . .
6.2. 1 Functional Characteristics . .
6.2.2 Design Definition . . . . .
6.2.3 Drive Circuit Alternatives . . .
6. 3 DC Power Conditioner Assemblies . . .
6.3.1 Science Data Subsystem Converter .
6.3.2 Tracking Receiver Converter . .
6.3.3 DC Magnetometer Converter . .
6.3.4 Packaging Considerations . . .
CONCLUSIONS . . .
RECOMMENDATIONS . . . . . . . . .
NEW TECHNOLOGY . . . . . .
10 REFERENCES AND BIBLIOGRAPHY
APPENDIX A - Reliability Analysis . . . . . .
. . . 9-1
. . . . . . ... . 10-1
A-1
APPENDIX B- Transformer Analysis . . . . . . . B-1
Section
7
8
6-20
6-20
6-20
6-29
6-34
6-34
6-40
6-45
6-45
9
7-1
8-1
x
. . . .
* . .*
. .
* . .
* . ..
. . .
* . . .
. . .
. . .
. . .
. . .
. . .
. . .
. . ..
* . . .
* *
· 
SECTION 1
INTRODUCTION AND SUMMARY
The effort of this contract was directed at designing and developing the Power Conditioning
Equipment in support of the Jet Propulsion Laboratory Thermoelectric Outer Planet Space-
craft (TOPS), Advanced System Technology Project. The function of this equipment is to
receive power from a Radioisotope Thermoelectric Generator (RTG) power source, condition,
distribute, and control this power for the spacecraft loads. The TOPS mission, aimed at a
representative tour of the outer planets, would operate for an estimated 12 year period.
Unique design characteristics required for the power conditioning equipment results from the
long mission time and the need for autonomous on-board operations due to large communica-
tions distances and the associated time delays of ground initiated actions.
This particular power conditioning equipment contract was specifically initiated as a means
for evaluating the status of various subsystem technologies for extended outer planet missions.
The objectives were to consider subsystem alternatives, conduct trade studies, and identify
and proceed with necessary technology developments. Specific trade studies were concerned
with power regulation, the need for batteries, the selection of bus configurations which yield
a high probability of mission success, and fault tolerance of the power subsystem. Technology
developments pertain principally to techniques for increasing the life of power equipment and
devices. These include examinations of such items as circuit redundancy and the possible
replacement of life limited mechanical relays by solid state switching circuits.
The power conditioning equipment was designed, built, and tested against detailed design
requirements resulting from the studies and spacecraft integration activities.
Significant characteristics for the power subsystem which have resulted from the studies
are summarized as follows:
1-1
1. Square-wave ac power will be the principal form of distributed power. A project
decision was made in favor of ac because of satisfactory results obtained on previous
JPL programs.
2. Electrochemical energy storage will not be used. Power margins from the RTGs are
sufficient to avoid the use of batteries. Maintenance of the necessary margin will
require careful load management of both user power demand levels and the
sequencing of loads.
3. Fault detection and isolation involves several general strategies:
a. The Control Computer Subsystem (CCS) will provide the logic responses to load
fault conditions including signals to isolate and remove the fault.
b. Power for the CCS and related subsystems will be derived from a separate
power source (protected bus concept).
c. The power subsystem will contain an autonomous means of load fault removal
as a backup to the CCS fault detection methods. The backup method will, of
necessity, have a reduced capability for fault discrimination and isolation.
d. The power system will provide highly reliable fault detection and correction
capability for PCE faults.
1-2
SECTION 2
REQUIREMENTS AND GUIDELINES
The outer planets mission concept, briefly described below, provides the basic guidelines for
developing the PCE designs.
The representative missions use minimum launch energy and are gravity assisted during en-
counters with Jupiter, Saturn, Uranus, and Neptune. The mission is planned for the unique
planetary alignment period that exists in the 1976-1980 time period.
The grand tour mission in 1978-1979 allows encounter with all four of the outer planets in a
single mission. An alternative dual mission places one spacecraft on a trajectory to Jupiter,
Saturn and Pluto, and a second to Jupiter, Uranus and Neptune. The representative arrival
times for a grand tour trajectory are listed in Table 2-1.
Table 2-1. Representative Four Planet Trajectory
2-1
Parameter Earth-Jupiter Jupiter-Saturn Saturn-Uranus Uranus-Neptune
Launch Date Sept 1977 -
Departure Date Dec 1977 Aug 1979 Sept 1981 Dec 1985
Departure Date Radius 920,000 44,800,000 42,800,000 51, 700,000
Arrival Date May 1979 June 1981 Sept 1985 Feb 1989
Arrival Radius 44, 800,000 42, 800, 000 51,700,000 86, 800,000
Periapsis Date July 1979 July 1981 Oct 1985 -
Periapsis Distance (km) 635, 000 144,000 98,600
Swingby Turn Angle (degs) 98.0 84.0 24. 0
Flight Time (days) 668. 0 759. 0 1554. 0 1210. 0
Total Flight Time (days) 668.0 1427.0 2981. 0 4191.0
Planet encounter spacecraft operations begin approximately thirty days before closest ap-
proach. The near encounter phase is defined as the twenty-four hour period of closest ap-
proach, with a nominal one hour of occultation at each planet. Table 2-2 lists the duration
of the planetary approach periods for a representative mission.
Table 2-2. Representative Encounter Events
Spacecraft load power requirements for each component as a function of mission phase is
shown in Table 2-3. This was supplied and periodically updated by JPL throughout the con-
tract period.
A total load power summary is presented on Figure 2-1.
2-2
Event Time - Davs
Event Jupiter Saturn Uranus Neptune
Initiate approach guidance measure D-30 D-37 D-37
Perform trajectory-correction operation D-24 - D-30 D-100
Initiate far encounter TV operations (Record & D-21 D-36 - D-30
playback daily to E-1)
Perform trajectory correction operations - D-12 D-12
Terminate approach-guidance measurements D-5 D-5 D-5 D-5
Initiate near-encounter (N. E.) science D-1 D-1 D-1 D-1
Terminate TV D D-1 D D
Enter Earth-occultation (S/C on inertial control) D+13. 7 D+O. 2 D+2.4 D+2. 6
Enter solar occultation D+16. 2 D+O. 3 D+2. 7 D+2. 7
Exit Earth occultation D+16. 6 D+1. 5 D+3.4 D+4. 0
Exit solar occultation D+19. 2 D+1. 8 D+3. 8 D+4. 1
Terminate N. E. science D+1 D+1 D+1 D+1
Playback N. E. stored data D+1 D+1 D+1 D+1
Perform trajectory correction D+20 D+20 D+20
rN
U
)_ 
IO
 
N
O
O
 
O
 
In0 
N
 
OC 
O
1
0
1
0
N
 
10 
C
D
N
 
O
.
-
N
C
1
0
n
N
 
N
 
0 O
C
.
~
.
0
.
.
,
 
I .
.
N
 
_V
.
.
C
J
C
Jfl 
CC 
CCJO
C 
O
C
.. 
C 
I 
C 
C
N
C
C
~
O
1
C
.. 
IC
 
C 
C
 
C
 
C
 
C
 
C
,
 
19CC C
C
.
-
C
j
-
,
.
C
.
L
9
 
f
l
 
~lC'.C CC 
,
 
C
.
-
0
0
:
'
~
C
*
-
' ~I!- 
C
C
 
Lfl.-99 
!~
!"' 
1 
.
.
C
 
.C
!C
I9
 
! 
C
 
C
C
I
 
C
C
C
C
C
C
 :: 
I
N
C
 
w
 
-
I
;
 
,M
0
 
C
C4 
N
 
w
 
CO 
)I
In
 
M
C. 
1
0
.-O
 
-
I 
O
O
O
C
lU
n
N
N
N
0
C
O
')O
 
O
1
l
0
1
N
 
1n0
@
 
,
 
.
,
 
,
 
9 
"! 
"! 
.
I 
"l, 
I
C' 
IN
 
lN
 
I 
C
D
 
I 
O
N
 
CDO-O 
:
.
 
.
I
O
C
 
nN
N
 
n
 
n
 
C
 
C
4
 c
m
 
: 
: 
N
N
 
I
*
 
CJ) 1 
,
 
C
 
-
C
 
-
C
 
It 
_
 
_
_
 
_
_
,
 
,
IU 
C
O
e
N
C
.
 
N
O
ln
<
N
 
N
 
0
0
N
0
 
I 
Ij 
-
I 
C
 
¢ 
N
 
19 
_
 
N
 
C
 
N
 
I
C
 
C
 
_
 
tO
 
C% 
0
e
 
C')
N
 
"
o
 
W
~M
 
C
N
.
.
N
U
C
O
 
0
C
N
C
O
C
O
 
,I-N
N
N
0
C
O
')>C
 
O
1
 
O
L
n
U
C
N
 
1
1
'1
C
 
C
N
e
I
N
C
O
.
-
N
O
U
n
 
N
 
N
 
0 
SO
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
 
.
.
.
 
.
,
 
,
 .
.
,
.
 
,
-
,
-
,
,
 , 
N
, 
0 
,I)"tN
 
N
 
,,O
, 
O
:l,,, 
, 
;.~ 
.
~
 
.N
 
,
.r
 
_
 
N
O
.Ln 
.cm
 O
D
N
. 0 
,0 
, 
.
.
.
.
 
N
 
,
.
-
 
0
e,, 
,
 
.
N
 
N
... 
0 
,N
 
.
,
 
C
N
.
,
.
N
N
e
n
I
 
I
C
 IIN
O
O
l 
O
_
 
I
C
-
 
1
-O
N
N
 
C
C
'
C
O
C
n
O
 
I 
N
N
N
I
 
I 
I 
I 
I 
I 
C
I
 U
 
n
C
-
N
1
_
 
N
t
 
tlen 
N
O
N
0
C
O
I-en
C
lO
_
_
 
I 
I 
U
)
N
 
C
 
.
-
_
IC
I 
I 
I 
I 
I 
IIN
C
 
_
 
N
n
 
%
 
C
_
 
r
.N
2
... 
0 
N
 
e
o
.oU
...N
N
N
0e, 
o
...N
 
U
U
. 
.
r
-
.C
N
 
eC
 
-
N
O
cM
n 
N
 
N
 
O
0
...
e 
o
n
-C
C
N
N
N
 
n
I
?
 
,
O
C
 
t
.
O
.
N
.
 
IN
N
N
N
w
 
C
 
C
0
 
J-fN
^
eN
 
.
N
_
C
 
C
C
 
IO
 
m
N
 
…
 
C 
C
C
 
C
C
 
C
N
C
 
-
C 
C
e
 
4
.~
 
*N
o~~c
-0
 
-
o
o
0
n
0
,
U
 
N
N
N
0
0
C
 
o
C
U
N
 
InflI¢
I 
.
I-. 
' 
N
 
_
_
 
O
N
 
.
e
O
m
.
C
C
N
N
N
N
C
C
.
 
1
0
-
 
0 
NOOOC 
C
1
 
N
 
N
O
C
.
 
0
0
1
 
0
N
C
0
,
 
C
N
e
 
C
N
C
C
N
t
C
C
C
 
-
3
.
 
N
C
N
e
N
C
o
,
-
.
N
U
C
 
C
 
) 
C
C
~
 
1
0
- 
C 
C 
-
C
U
C
C
I
0
l
c
.
N
.
.
.
.
N
O
U
.
N
 
N
 
.
.
O
O
..
C
 
.
.
 
.
.
C
 
C
 
C
 
1
0
-
.
C
N
C
-
1
0
C
N
C
t
e
n
N
 
C
 
N
 
C
 
C
-
w
C
N
C
C
 
l
N
C
 
_
 
C
 
C
C
'
 
e
n
,
-
U
W
 
N
e
O
N
C
N
O
1
 
N
 
N
 
O
0
_
o
0
i 
N
N
C
 
C
 
C
 
C
 
`
-
e
N
C' 
C
-
U
,
-
 
0 
N
O
O
O
C
O
N
 
N
0
0
0
 
O
0
1
0
1
N
 
e
N
O
U
N
,
 
C
N
e
N
O
e
N
.
q
! 
L
: 
C
 
-
c
 
.
.
.
.
.
 
.
C
 
.
.
.
-
C
C
 
.
C
.
 
.
.
.
.
.
,
.
C
 
enCCCNC-oNCCC,..'d. 
"
O
C
U
C
 
C
-
.
C
 
C
 :C
:
 
C
C
 
:
-
C
-
C
 
N
.
-
1
.
N
C
C
 
U
 
0 
N
o
o
C
O
)
,
N
 
N
0
0
0
 
o
0
U
N
 
n
N
 
U
,
 
C
N
 
_
c
-
N
O
1
L
e
N
I 
C
 
I
W
 
0
-
 
I
 
N
.
l
 
C
 
C
 
C
 
N
C
 
O'-4
N
 
O
0
C
e
n
.
N
· 
I 
IC 
.0
0
0
n
 
en
N
 
0(0,-C
C
 
C~ 
,
 C
 
C 
C
e
n
 
en
ca) a)02a)Cd
,
 
t 
O
_
0
 
_
 
O
O
O
C
1
0
C
N
N
 
0) 
O
0
1
0
1
N
 
e
N
 
U
,
 
C
N
n
C
.
-
N
N
O
C
U
e
N
 
N
 
0
0
C
0
U
.
J
 I
C
.
t
C
-
-
N
-
 
-
,
 
.
.
.
.
 
O
N
C
C
C
 
-
0
 
C
 
C
 
-
.
 
C
 
C
 
C
 
C
 
C
C
 
C
U
 
.
.
.
.
 
0
C
-
N
C
 
N
C
N
 
C
C
0
0
.
.
.
L· 
e
n
 
e
n
o
C- 
U
,-- 
-
C
C
O
)U
C
N
C
N
0C
'O
) 
C
U
N
 
0 
10 
C
N
en
C
.N
0
1
0
eN
 
N
 
O
0
0
0
 
W
 
C
,
.
.
.N
en
N
C
-C
C
O
N
C
C
C
.-0
,..O
 
N
N
C
C
.O
IO
C
-. 
C 
C
 
C
C
 
C
C
 
,
 
C
N
1
0
-
N
C
C
C
 
N
 
C
N
 
C
 
-
C
e
n
0
 
n
.
U
_
-
0
 
_
 
o
o
o
 
n
 1
0
 
e 
N
0
 
O
Y
I 
C
@
N
-
 
N
 
`
0
0
P
0
1
 
0
1
0
C
.
-
C
N
e
N
 
C
_
 
.
-
C
N
C
C
C
 
C 
C
.
N
 
C
C
C
C
C
C
N
O
 
C 
C 
C 
C 
C
l
 
N
l
C
 
.
-
C
N
C
0
C 
C
 
C 
10,- 
CI 
,
 
C
,
 
C 
.
.
C. 
N
. 
.
.
.
 
C
eC
 
I!
4, 
O
S4,C- 
.4 
C
' 
S 
d 
o
 
,
-
 
g
L,, 
~
 
~
 
4 
L 
C
C
 
v
 
-4 
O
4
 91 
U
f 
O
U
 
U
 
U 
_
 
C
-C
- 
°
,
 
0 
.
c
L
°
4
°
0
0
.
.
-
 
0 
U 
°
 
-
U 
0
; 
+
 
=
 
_
 
; 
U
 
N
 
O
 
Lo 3 g 3 
@
 u
 
-
<
~
~
~
~
~2 
4o 
v
. 
v. 
o
o
°
 
o
 L. 
; 
<
, 
>
 
_
 
FF~ 
o
 
E 
-O l 
S
; sn 
v e
 
*
 u
_
 u
<
 
m
osen eexa 
O
 a 
x 
L
, 
s 
z 
r
>
 
-
e 
L 
oi~~~~~~~~~cc 
<
 
C
o
 
-
o
 
o
 
L 
a
=
 
_
 
o
_
 
e 
u
 
e
eO
 
o
 
a
 
v~
w
 
t 
u
 
e
c
_
 la 
e 
.
g 
O
O
 -C 
' 
u
 
EE 
°
 
4fi 
L 
eC
 
4
, 4 
,44444 
e
,0
C
-...C
 
O
 
L
4
,4
, 
C- 
E
; 
S 
x 
O
 
X
 
E 
L 
0 1 
-
=
 
E 5 
_
 
0 
4
,C
-C
C
-O
0
4
4
0
~
 
C O
 
4 
a
 
U
4
 
4 
44 ,0 
C 
_
 
_
 
-
O
 
O
 
_
 
-
-
-
 
0 
4
,
 
0C-44U, 
4
,
4
4
L
c
 
W
C
 
.
-
C
4
 
C0
e
-8 
_
 
_fiw 
G
 
°
e
 
ln
 
4, 
4, 
C
O
 
4 
C
-
L
.
 
L 
a
 
a 
L 
a
, 
V
 
=
 
L 
_
 
-
E
- 
-
e
 
4, 
N
 
_
 
.
C
I 
0 
4 
eC
 
e
, 
e
°
e
 
B
L
 
O
La 
.0
 
F-
S
. C-Ca 442 
'3
LL 
,
,v
 
loo~~~~~~~r 
o
u
 
~
~j 
c 
u
 
4,C.C 
w
 
w
C
-
-
C
 
L
.
 
' 
0 
C
 
0
4
,
0
0
4
,
u
,
0
 
4 
u
.C
C
E
 
-aC-4-'C 
,
 
.
,
 
c 
4,44.* 
0
.
~
,
.
.
.
.
.4
,4
,4
4
 
W
4 
O
C
O
 
Im
 
c
c
 
S
O
-
-
 
-
.
C
4
 
C
C
-
.
J
0
0
0
C
4
,
,
4
,
V
C
.
a
 
.
f
l
C
 
c
o
I 
U
 
C 4
.
c
o
 
o
 
U 
le c 
u
o
 
M
I
X
 
W
M
 
U
 
c 
v
 
.O
C
4
,C
~
 
.
-
-
.
4 
V
O
 
-C
C
 
.4
.(4,,--U
 
~
~U
 
0
0
 
V 
4
,0
 
O
C
C
, 
O
,,-)..C
 
w
 
~
 
)c 
o
 
o
 
o
c
 
C 
=
 
o
 
a
o
6
o
 
4
! 
0
0
.~
.-JC
O
JC
g~C.CCU
CZBZICCCC 
2
2
C
" 
O
 
' 
Cc' 
U
 
C
C
 
~
 
.r
W
 
c 
41 
-0
 
G) aw; 
co E
~
~
"
 
n
~
~
~
,,lB~~ 
,
 
-Z- 
RL
.a 
o
..44 
g
o
 
a 
oC 
uC4..C>...> 
C
C
%
- 
C 
U
4
0
V
4
w
p
aCI- C C.C
-C
L
C
0
,c2
0
-a
 
O
C
- 
C 
o
4
,4
,O
0
2-3
9 
-u
o
 
0
V-O
4 -
>0
-
o
 
.
0'aS0C,-s00Cew
_
e 
e CC
o
 a)
Cv .
_
0C
-
4
,
U
0 
0 
C. 
V
Qc-
-
x
,
C
-
 
M
 4,.
ua
,
o
 
C
C
- 
V0
0
0
I
c
e
 
C
.
Cd
'
-
Q)00.
C
d
Cd *D 
O
0) 
;
4, 
N
4VIC
::.0
 
C
~
 U
,
 440,0
e00 
400 -
300 I
200
100
249
r'
384
338
389 388
421
444
428
360
333
N U
Zs I. Z r.~ r.~ 0 ~o.
E 3(C go b3 E.
Figure 2-1. Load Requirements Summary
The mission is characterized by twelve operational modes with ten of the modes repeated at
each planetary encounter.
Guidelines of a more specific nature concerning the power subsystem are listed below.
1. Power source - 4 RTGs, each rated at 150 watts at beginning of mission and
110 watts at end of mission (12 years).
2. Life - 12 years.
3. No batteries to be used unless higher reliability and/or mission advantages can
be demonstrated.
4. Reliability shall be a strong factor in the PCE design, and shall be achieved
through judicious part selection, use of redundancy, etc. No single component
failure shall cause catastrophic failure of the PCE. No failure in the RTG power
source shall impair operation of the PCE. Additionally, redundant power supplies
shall be used for all mission critical subsystems.
2-4
460 4
5. On/off switching shall be provided for all major spacecraft loads to facilitate
effective power utilization.
6. All power on/off switches and all primary/standby unit switches shall be com-
mandable by both a primary source in the Central Computer Subsystem (CCS)
and a backup source by ground command through the Command Decoder Sub-
system (CDS).
7. Telemetry points shall be incorporated in the power subsystem to provide the
CCS with information on the performance of the PCE, so that in the event of
failures, the CCS can take corrective action (switch to a standby unit, remove
a faulted load from the bus, etc. ).
8. Some capability shall exist in the power subsystem to distinguish between PCE
failures and load faults. The PCE shall be capable of removing faulted loads or
switching to standby PCE units in the event that the CCS is unable to perform
these functions.
9. Short circuit protection in the form of switches that may be commanded by CCS
or ground command shall be provided for bus protection at the front end of PCE
power supplies.
10. Circuitry shall be provided to minimize power switching transients and to limit
current in the event of a load or power supply fault.
11. "Non-toggle" switching shall be used so that knowledge of switch status is not
required.
12. Main inverters and dc-to-dc converters shall be capable of free-running should
the synchronization signal be lost.
13. Weight and volume of the PCE shall be minimized.
14. Power efficiency of the PCE, including inverters, converters, switches, etc.,
shall be maximized.
15. Power consumption by the power switching control circuitry shall be minimized.
16. Immunity to spurious switch operation shall be provided.
17. The environmental qualification temperature range shall be -20 C to +800C.
18. The regulation of the shunt regulator shall be traded off against the required
regulation of the various spacecraft loads and the use of post-regulation in the
user subsystem.
19. The maximum PCE power dissipation shall be 100 watts.
2-5/6
SECTION 3
POWER SUBSYSTEM DESIGN
The PCE receives power from the RTG power source and regulates, conditions and controls
the delivery of the power to the user loads. At an early point in the program, it was deter-
mined that power at 30 vdc from RTGs provides a reasonably efficient Power Subsystem
design (the voltage drops of diodes and transistors represent a sufficiently small percentage
of 30 volts) and also provides a realistic goal as far as RTG design is concerned. Thus, the
selection of the 30 volt value provided the basic parameter for the design of regulation and
conversion equipment. DC power, being characteristic of RTG generation, is required
whether ac or dc is used as the distributed form of spacecraft power.
The question of ac versus dc distribution is mainly a matter of where and how in the system
conversion is made from the basic 30 vdc level to other use levels. Conversion can be accom-
plished in load dedicated dc-to-dc converters, or by transformer rectifier units (T/R) from an
ac bus. In either case, ac transformation is required. Based on the experience gained on
other programs, a decision has been reached by JPL to use the ac distribution approach with
transformer-rectifiers installed at the loads. The system described in this report is based
on this selection. (For more information on the detailed ac vs dc trade study see Quarterly
Technical Report, 1J86-TOPS-480. )
Baseline selections for the subsystem are summarized in Table 3-1. Overall electrical, phy-
sical, and interface characteristics of the present concept are described below. The justifica-
tion for particular system selections is provided under paragraph 4. 0, Design and Trade Studies.
3.1 ELECTRICAL CONFIGURATION
A simplified block diagram of the system is shown on Figure 3. 1-1. Four RTGs are used.
estimated to provide a beginning of mission output of 600 watts (150 watts each) and a conserva-
tive end of life power (after about 12 years) of 440 watts (110 watts each). The RTG outputs are
combined through isolation diodes to provide a regulated 30 vdc bus. Regulation is accomplished
by a shunt regulator on the main bus. The shunt regulator dissipates excess power by a se-
quence operation of transistor-resistor sections. This type of shunt regulator was selected
because of low dissipation of the transistor elements and minimum interface complexity.
Preceding page blank] 3-1
Table 3-1. Baseline Selections
The 30 vdc power is supplied to a main inverter with standby redundancy for generating 4. 8 KHz
50 vrms ac power. This is the power used for general distribution to the spacecraft loads. The
30 vdc power is also supplied directly to the attitude control two-phase inverters, TWT conver-
ters, and heater loads.
An additional ac bus distributes power derived from RTG 1. This protected bus serves as a
redundant source of power to the CCS and associated power control functions. Should power on
the main ac bus fail due to load faults or PCE failures, the ac protected bus would provide the
power required for diagnosis and corrective action by the CCS. The Current Throttle shown in
the output line of RTG 1 has the function of maintaining required voltage levels on the ac pro-
tected bus. If a fault occurs on the main bus with a consequent drop in voltage, the Current
Throttle would respond by increasing its series impedance such that its input voltage would be
held constant. In this way the protected bus voltage would be maintained within a close toler-
ance.
3-2
Function Selection Reason
Power Source RTG s Sun distance
Regulation Shunt regulator Maintain load on RTGs to limit
temperature excursion of the hot
junction and also regulate the
30 vdc bus
Distribution (a) 30 vdc to inverters, TWT con- a) Voltage established by RTG
verter & heater loads
(b) 50 rms, 4800 Hz, square wave b) Frequency is within mini-
for distribution to load T/Rs mum weight range
Protection (a) Redundant busses to CCS and a) Assure fault removal capa-
power control circuitry bility
(b) Low voltage cutoff circuit b) Backup to CCS corrective
procedures
(c) PCE dedicated failure detectors c) Criticality of specific units
for mission success
~
~
~03~~
-
U
L
) 
_
 
~
~
~
~
~
~
~C
 
CL 
o
 
u
~
~
~
~
~
~
~
~
~
~
~
~
~
~
u
l~
~
~
~
~
~
~
~
~
~
~
~
" 
.f 
L
O
i3
cg
ic5
c
v
 
o
-
o
(Joe 
e 
.o
 
'
boC.0COI
c,'.4
3-3
Control of load power switches is accomplished through circuits which receive actuation
signals from the CCS, the CommandDecoder Subsystem (CDS) or theLow Voltage Cutoff (LVCO).
The CCS and CDS relay their signals in digital form through spacecraft command busses to the
Remote Decoder Arrays in the Power Subsystem.
Two independent methods are used to clear fault conditions:
1. CCS Fault Correction - the state of the Power Subsystem is determined by the CCS
by interpreting diagnostic information from the Measurement Processor Subsystem
(currents, voltages, switch states, etc. ). Through interpretive subroutines, CCS
identifies and locates faults, overload conditions or other abnormalities and deter-
mines where and how corrective measures should be applied. Such corrective
actions will generally involve switch actuations for load removal or the transfer
from main to standby units. It is estimated that approximately 50 milliseconds
would elapse from the onset of a fault condition until total corrective action took
X', place, and restored the Main Power Bus to specification.
2. LVCO Fault Correction - This method serves as a backup to the CCS method by initiat-
ing preprogrammed corrective actions. The existence of a voltage less than 46 vac at
the output of the Main Bus Inverter for 100 milliseconds or greater is used as the
criterion for initiating the corrective actions. These actions would be:
a. Interrupt power to all non-essential loads.
b. Transfer power from main to standby elements within critical load categories.
The above actions will be carried out sequentially, in the order shown.
A more comprehensive subsystem diagram is shown in Figure 3. 1-2. Significant features over
those described earlier are as follows:
1. Inverter failure detectors are provided for both main and protected bus inverters.
2. RTG shorting switches are installed as a convenient means for turning off the space-
craft during ground preparation and checkout operations.
3. Current throttle standby redundancy is shown.
4. Interfaces to other subsystems are included.
3-4
,
,
*
:
::
,
00::
0 
,
,
.
0,*
0104
,
,
Io,,,,00,,
iiI I
,
,
,
,I,,,::5:,,::,,: 
,
,\ 
\\\\\ 
^
,
 
\\\\ 
_
-
-
b 
Ir 
,
'z
'\\\ 
,*
O
 
,
 
,
 
Vm
0 
-
0 
-:
0 C
ii 
C 
-
C 
i!. 
LL 
_
 
_
 
_
 
-
-
_
 
_
a)cd
a) pO
.
-
)
m>1M
c)
-
,
 
o
p
lo
c)s- 'a r
CDI"mr
LLU
H :EQaZaJC8
o
 
0 
0 
,
! 
I 
0Io.
I! 
LU75U. n--m
LLI,1-'014 :.ji
z 
E 
0
Of 
C) 
C0 
0 
0 
0
0 
0 
0 
C
a 0
0 
0
1
.0
a~
 > 
8 
z
II
I L"L.
L 
II
5. Power control and power distribution are shown on the right-hand side of the diagram.
6. Use of the protected bus within the PCE is detailed.
3.2 PHYSICAL CONFIGURATION
Physically, the Power Subsystem consists of four RTGs; a single bay assembly containing
the Power Conditioning Equipment; and a Shutn Panel, which contains the power resistors
for the shunt regulator.
Figure 3.2-1 shows the physical breakdown of assemblies comprising the Power Subsystem
Weight and heat burden estimates for the PCE, shunt resistor panel, and the RTGs are shown
in Table 3. 2-1. Transformer-rectifiers for the detailed conditioning of load power, wheel
inverters, gyro inverters, and TWT converters are considered to be part of the load sub-
systems, and as such are not included in Table 3. 2-1.
I
SHUNT RESISTOR PANEL
Figure 3.2-1.
TRANSFORMER-RECTIFIERS
WHEEL INVERTERS
TWT CONVERTERS
GYRO INVERTERS
Component Designations
3-7
POWER CONDITIONING EQUIPMENT BAY
Shunt Regulator Electronics
Main Inverter Assembly
Protected Bus Inverter Assembly
Current Throttle Assembly
Current Throttle
Steering Switch
Power Distribution Assembly
Power Control Switches
Current Limiters
Low Voltage Cutoff
Power Source and Logic
RTG Isolation Diodes and
Shorting Switches
Telemetry and Command
Interface Electronics
4 RTGs
I -
Table 3. 2-1. Physical Characteristics
Weight Power Dissipation
Assembly Kilograms (Pounds) Watts
Shunt Regulator Electronics 3.17 (7. 0) 0. 1 to 50
Main Inverter Assembly (3) 7.48 (16. 5) 13 to 27
Protected Bus Inverter Assembly (2) 2. 72 (6. 0) 4 to 8
Current Throttle Assembly 0.45 (1. 0) 3 to 10 (normal)
Power Distribution Assembly
Switches (80) 10. 70 (23. 5) 0
Current Limiter (6) 0. 23 (0. 5) 7
Low Voltage Cutoff 0. 91 (2.0) 0. 5
Chassis Wiring 2.30 (5. 0) 4
Power Source and Logic 3.63 (8. 0)
RTG Isolation Diodes --- 16
Telemetry Sensors, Remote Decoders, and Tree --- 10
Switch Segment
PCE Bay Total 31.59 (69. 5) 57 to 132
Shunt Regulator Resistor Panel 2. 72 (6. 0) 0 to 600
Radioisotope Thermoelectric Generator (4) 117.9 (260)
Power Subsystem Total 152.21 (335. 5) ---
3.3 PERFORMANCE
Power margin status is summarized on Figure 3.3-1. The load profile shown contains
allowances for conditioning and diode losses and therefore represents the power demand
at the RTG terminals. The RTG characteristic curve is based on data supplied by GE's
Isotope Power Operation in connection with the Multi-Hundred Watt (MHW) RTG program.
The resulting RTG margins for different planetary encounters are expressed in absolute
power and percent.
Analysis of steady state ripple in Section 4. 7 indicates that filter designs which provide
minimum system weight result in currents which may be 4 percent higher than that in-
dicated by steady state loads. Thus the RTG power should be at least 4 percent higher
than the indicated demand. As shown on Figure 3.3-1 the presently defined loads and RTG
performance estimates indicate less than 4 percent margin for the last encounter. Since the
RTG performance is of a preliminary nature this margin deficiency cannot be fully evaluated
3-8
o
 
o0 
o
 
o
N
 
to
 
Su)
NU
0
-n
 i- a
m
 
-
-
-
t 
-
-
-4
0
 
004) w
cn~~~~~~~~~~~~~~~~~~~~~~0
_
 
~
~
~
~
~
~
~O
c
r
,~
~
~
~
~
~
~
~
~
~
~
C
 
CUO
U): N~~~~~~~~~C
C~~~~~~~~~~' 
~
~
~
~
~
~
~
 
~4
0
~
~
~
~
~
~
iL
/2
 
n
 
Li
LI) 
I 
C
D
U
, 
7
.C
~) 
C,)C
0
.a
. 
X
_
_
_
 
.
.
.
.
.
I.__ 
_
c
t 
J
_
 
r-.l
M
 
I
C
j
SiiV
M
 
' 83M
Od 
_
I- 
~
 
~
 
~
 
~
 
~
 
~
~
 
I
LD 
I-
oh 
o
 
0r 
0~ 
0
C') 
C'J 
SIIVI4 '~
~
~
~13M~~d
3-9 I
at this time other than to bring attention to a potential problem. Solutions may lie in in-
creasing the RTG capability or possibly in accepting degraded mission performance by re-
moving certain less essential loads.
In general the notion of degraded mission modes must be considered for the case where one
or more RTGs fail to produce power. The RTGs are arranged to permit such failures without
endangering the remaining RTGs through the use of isolation diodes. The mission worth un-
der such degraded power conditions has not been evaluated as part of this study since such an
evaluation can be more suitably performed as an aspect of overall system performance. As
an aid in considering degraded power operations, Table 3.3-1 indicates power margin at
various encounter phases considering the loss of up to two of the four RTGs.
Table 3. 3-1. RTG Power Margin, Watts
Number of Power Margin, at Encounter Phase, Watts
Operable RTGs Jupiter Saturn Uranus Neptune
4 out of 4 125 90 38 10
3 out of 4 -20 -48 -86 -108
2 out of 4 -168 -185 -211 -225
A cursory review of the loads shown in Table 2-3 provides a measure of the practicality of
degraded power operation. With the failure of one RTG at the Jupiter encounter, for example,
the 20 watt deficiency indicated on Table 3.3-1 could possibly be compensated for by reducing
heater power or removing several of the less significant science loads for the "Far Encounter"
phase. Time sharing of certain loads may provide alternative solutions. For later encounters
or larger RTG losses, severe changes in operation would appear necessary.
The electrical characteristics of the various ac and dc power buses which are distributed to
the spacecraft loads are summarized in Table 3.3-2. The dc Protected Bus is shown for
reference only since it is used exclusively within the PCE.
3-10
Table 3. 3-2. Bus Electrical Characteristics
DC Main Bus
* 50 vac, rms +3%, -4%
square-wave, single-phase
* Rise Time: 2 microseconds typical
* Frequency: 4800 Hz (Clocked)
4750 Hz -5% (Free Run)
* Rated Load: 315 watts
AC Protected Bus
* 50 vac, rms +5%, -6%
square-wave, single-phase
a Rise Time: 2 microseconds typical
* Frequency: 4800 Hz (Clocked)
4750 Hz +0, -5% (Free Run)
i Rated Load: 100 watts
c 30 vdc 4-1%
* Ripple - 300 millivolts Peak-to-Peak
* Transient Response to 100 watt step load:
500 millivolts excursion
100 microseconds duration
* Dynamic Impedance:
Less than 100 milliohms
(100 Hz to 50 KHz)
DC Protected Bus
* 33.4 vdc -3%
* Ripple - 300 millivolts Peak-to-Peak
* Rated Load: 110 watts end of life
e Dynamic Impedance:
Less than 500 milliohms
(100 Hz to 50 KHz)
3.4 ELECTRICAL INTERFACES
The electrical interfaces to the Power Subsystem that were defined and developed during the
study period are identified in the following sections.
3.4.1 RADIOISOTOPE THERMOELECTRIC GENERATOR (RTG)
3.4. 1. 1 Steady State Characteristics
Although the RTG is classified as a unit of the Power Subsystem, development of its electrical
characteristics under the Atomic Energy Commission MHW-RTG Program paralleled that of
the PCE design. Therefore, it was necessary to establish a typical RTG whose performance
characteristics were and could be representatively used for PCE trade studies.
3-11
AC Main Bus
Figure 3.4-1 presents the steady state (thermally stabilized) power output, RTG voltage, and
hot junction temperature as a function of RTG current. The change of these characteristics
with time is presented.
The RTG is a diode drop above the 30 vdc regulated bus, and accounting for wiring IR drop
between the RTG and the regulated bus, the terminal voltage of the RTG will be approximately
31 vdc. This identifies the operating point on each of the curves.
3. 4. 1. 2 Instantaneous Characteristics
The relationship between the voltage generated by an RTG and the temperature gradient between
the two dissimilar conductors of the thermoelectric device is known as the Seebeck coefficient,
and is defined as:
- AV
aRTG AT (3-4-1-1)
Where a is the Seebeck coefficient at a particular temperature differential. As the AV of the
RTG is held constant by the action of the shunt regulator, a specific AT will be established
within the RTG.
The current through the RTG is found from:
aRTG AT
I = +R (3-4-1-2)
RRTG RL
Where RRT G is the RTG internal resistance which is constant over small time intervals, and
RL is the combined parallel resistance of the shunt regulator and the spacecraft loads. RL is
maintained constant by the action of the variable shunt regulator impedance compensating for
changes in load impedance (switching loads on or off). With this arrangement, the current
through the RTG is a constant.
3-12
rn
 
u)
cO
 
Q 
a)r:h
U
 w 
U
O
0 Ai0 Co cd '
4 
~
 
Q
Icr 
Z 
1 
9
.
w
cq 
*g
0P
 
Q
.11 
C
P14 
o
 
0 
0 
0 
0 
0 
0 Ifl 
N
 
-
3DYV"IOA DI11(gSLIVA) 
aL
O
d 
JDI
o0
>4
0
40 
N
(gslO
A
) 3VaD 
,IOA DIM
oC) 4.3Cd
4.>Ca
S 
PQ'4C)It
.r3-13
o
 
0 
0
o
 
o
 
0
N
 
0
(30) 
d
W
tL
 N
tO
Iin
r 
LOH
I N
There are operating modes where RL cannot be maintained constant.
When the spacecraft load impedance is decreased to the value of RL, the shunt regulator
impedance becomes infinite. Further reduction of the spacecraft load impedance (a short
circuit failure or turning on additional loads) cannot be compensated by the shunt regulator,
and the effect is a decrease in RL.
From equation (3-4-1-2), a decrease in RL results in an increase in I.
The magnitude of the current will change with time, with an initial value larger than its
steady state value. This is due to the Peltier cooling effect which decreases the AT between
the two thermoelectric surfaces and also changes the Seebeck Coefficient.
The thermal time constant of the RTG is on the order of hours. The decay of the current
magnitude from its instantaneous to steady state value would follow this thermal decay (Ref.
equation 3-4-1-2). As the electrical system response time constant is on the order of milli-
seconds, the instantaneous current value is a significant design parameter for the Power Sub-
system.
If failures within the shunt regulator prevent it from operating to its minimum impedance
range, RL of equation 3-4-1-2 will increase thus decreasing the RTG instantaneous current.
This lowers the RTG internal IR drop, thus increasing its terminal voltage.
The instantaneous voltage current characteristics for an RTG operating at a nominal terminal
voltage of 31 vdc has been reproduced in Figure 3.4-2.
3.4. 1.3 RTG Power Transient at Launch
Launch pad cooling reduces the temperature differential of the thermoelectric surfaces thus re-
ducing the available power from the RTG,
Venting the gas during powered flight allows the hot and cold junction temperatures to increase
to the steady state space operating values.
3-14
The useable RTG power after launch is shown on Figure 3.4-3. For the first 30 minutes after
lift-off, RTG useable power is less than launch pad power. This peculiarity is due to the cold
junction temperature increasing at a faster rate and reaching equilibrium before the hot junction.
150
140
19an
, 13U
c 120
S 110
100
90
80
80 100
TIME FROM LAUNCH (MINUTES)
120 140 160 180
Figure 3.4-3. RTG Power After Launch
3.4. 1.4 Power to Weight Performance
For the purpose of conducting optimization trade studies, a ratio of RTG power supplied per
RTG weight of 1. 7 watts/pound was used. When the actual RTG end of mission power output
and weight are known, those studies should be reviewed to determine the impact of any devia-
tion from the predicted ratio.
3.4.2 MEASUREMENT PROCESSOR
The Measurement Processor is the telemetry interface for diagnostic as well as operational
data for the entire spacecraft. All power subsystem analog and digital data are conditioned
within the PCE to the following format.
3-15
60
Voltage: 0 - 3 vdc
Impedance:
Source Impedance: Less than 10K and greater than 100 ohms
MPS Input Impedance: 1 megohm or greater
The Measurement Processor is generally the source of spacecraft information for the Control
Computer Subsystem. All data to the Measurement Processor is compared with reprogram-
mable limits in order to identify out-of-tolerance conditions. An interrupt signal is generated
to the Control Computer Subsystem when a limit is exceeded.
A list of Power Subsystem measurements to the Measurement Processor is containd in Table
3.4-1.
3.4.3 OPERATIONAL SUPPORT EQUIPMENT
The integrity of the Power Subsystem must be determined before applying power to the space-
craft. Such major sections of the Power Conditioning Equipment (PCE) as the shunt regulator,
the current throttle, and the inverters must always be checked when the spacecraft has been
transported or reconfigured for a different level of testing. The consequence of not taking this
precaution and turning on flight hardware into a faulty power subsystem is destruction of the
loads. Therefore, at the launch pad, the spacecraft umbilical must provide the connections to
control and verify proper operation of the PCE prior to initializing any other subsystem.
Table 3.4-2 contains the power subsystem umbilical requirements. The purpose of each of
these is discussed below.
RTG Voltage
Used in conjunction with RTG current to establish proper operating point for the RTG. Also
used to determine voltage across shunt regulator.
3-16
Table 3.4-1. Power Subsystem Measurement
edatg of or Reaction to Out of Qmtity of np
Meuremet I Reson I Limit Condition Iesoremd BRan Qtutiatilon IRetR · I b~
.~~~~~~~~~ 
_ 
.1. RTG Pressure
2. RTG Voltage
3. RTG Current
4. RTC Temperature
5. Shunt Regulator
Current
6. DC Main Bus
Voltage
7. Main Inverter
Input Current
8. Main Inverter
Output Voltage
9. Main Inverter
Output Current
10. DC load Current
II. Protected Bus
Inverter Input
Current
12. Protected Bus
Inverter Input
Voltage
13. Protected Bus
Inverter Output
Current
14. Protected Bus
Inverter Output
Voltage
15. PCE lnternal
Temperature
16. LVCO Interrupt
17. LVCO Inhldbt
18. LVCO Bypass
19. LVCO Reset
tMeaure Inert GM Internal to
RTG. Requrd while Into Earth
tmoapbers.
Detertmine Operatlg Point of
RTG - Determine falure of
RTG.
Used in conjunction with men-
surement 2 to determine RTG
output.
Used in eonjunction with mea-
surement 6 to determine
available power in the shbunt.
CCS uses this data for power
management.
Used to determine voltage level
and regulatton to all DC loads.
Used by CCS for power manage-
met.
Used for enginerlng telemetry
Used to determine voltage level
to all AC loads
Used to detestine cu-rret sup-
plied to AC loads.
Used by CCS to determline
excessive current drath.
tsed in eonjunction with mea-
surement 6 to detsrmine power
being supplied to DC load..
Used for eglneerlng telemetry
Used for enghneertng telemetry
Used by CCS to determine
excessive current drain.
Used to determine voltage level
to protected bus loads.
To determine effect of power
dissipation on amblent tem-
pernture.
Determine proper/prem ture
operatllon of LVCO
Determine proper/premature
operation of LVCO
Determine proper/premature
operantlon of LVCO
Determine proper/premature
operation of LVCO
On Pad - Recharge from OSE Reservoir
In Flight- None.
Hlgb Voltage of all fur RTGs indlcutes
failure In the Shunt Regulator. Can be
verified by H. V on main bus voltage
mooitors. (Add load to main bus to
lower voltage) High voltage in RTG #1
could tndicate op r circtt flure of
the currant throttle. Lo Voltage -
Vertficaton of ystem overltod if all
four indicators are low.
During system overload. RTG current
goes hgh as the RTG voltage is lowered.
Decreae In current while RTG voltage
remasns constance Indicates degreda-
tion of RTG.
High shunt current with low main bue
voltage indlcates a shorted shunt regu-
lator. Low hutnt curret wIth bgh
main bus voltage indicates an open
shunt regulator.
High voltage Indicates open CKT failure
of shunt regulators.
Low voltsage indcates short of
shunt Regulator or syst em overload.
If 19 > I calculated by CCS a current
overload exists on this bus.
If 110 > I eleulated by CCS a current
overload exist on this bus.
If 113 > I calculated by CCS a current
overload exists on this bus.
l/RTG
1/RTG
I/RTG
14/RTG
l
4
1
1
1
1
1
1
1
1
1
4
L
1
t
1
0to 20 pet
0 to 60 vde
0-10 Amp
1800-2300 F
0-5 Amp
25-35 vdc
0-o0 vdc
0-35 Amp
DC
40-60 vac
0-21 Amp
AC
0-10 Amps
DC
0-$ Amps
DC
27-37 vdc
0-3 Amps
AC
40-60 vac
20 to 120 °F
t70 : 50F)
X
X
X
X
7 Bits
10 Bits
10 Bit.
10 Bits
10 Bit.
10 Bits
7 Bit.
7 Bits
10 Bits
10 Bit.
10 Bits
7 Bit.
7 Bits
10 Bits
10 Bits
7 Blte
I Blt
I Bit
I Bit
1 Bit
I/Mtn
12/Yft.
12/M1n
12/Hr
20/8ec
20/See
(50ms)
20/See
(50ms)
(SOmo)20/8ec
(S0ms)
20/sec
(50ms)
20/sec
(50.ms)
20/Sec
20/Sec
20/8em
20/See
(50ms)
20/Sec
(50ms)
12/lHr
20/See
20/Sec
State
Vector
Rate
State
Vector
Rkte
3-17
_ 
I I I . ii i
Table 3.4-1. Power Subsystem Measurement (Cont)
Menin of or Reaction to Out of 1 n~lty of I is
MleaIurement Reasdn i Lnit Codditton M-eumremte I Rang QozatiUoat Bte R& -.dancy
20. Main Inverter
Failure Detector
01 Otput
21. hai.n Inverter
Failure Detector
02 Cutput
22. Main Inverter
Failure Detector
03 Output
23. Protected Bus
Inverter Failure
Detector 01
Output
24. Protected Bus
Inverter Failure
Detector #2
Out0put
25. Protected Bus
Inverter Failure
Detector 3
Outplut
26. Current Throttle
Steerlng Switch
27. lain Inverter *1
Input Power
Switch
28. Maln Inverter #
Output Power
Switch
29. Main Inverter #2
Input Power
Switch
30. Main lnverter 2
Outplt Power
Switch
31. Main Inverter 03
Input Power
Switch
32. Man Inverter #3
Output Power
Switch
33. Protected Bue
Inverter #1 Input
Power Switch
34. Protected Bus
Inverter #1 Output
Power Switch
35. Protected Bus
Inverter 02 Input
Power Switch
36. Protected Bus
Inverter #2 Outpul
Power Switch
Determine failure of detector
Dieter.ine failure of detector
Deternine failure of detector
Determine failure of detector
Determine failure of detector
Determine failure of detector
State Vcctor
State Vector
State Vector
State Vector
State Vector
State Vector
State Vector
State Vector
State Vector
State Vector
State Vector
Indicates reduodant measuremente Os reqoired
I Bit
I Bit
I Bit
I Bit
I Bit
1 Bit
I Bit
I Bit
I Bit
I Btt
I Bit
I Bit
I Bit
I Bit
I Bit
I Bit
I Bit
State
Vector
Rate
state
Vector
Rate
State
Vector
Rate
State
Vector
Rate
State
Vector
Bate
State
Vector
Bate
State
Vector
Rate
State
Vector
Rate
State
Vector
Rate
Stat.
Vector
RBate
State
Vector
Rate
State
Vector
Rate
Stat.
Vector
Rate
state
Vector
RBate
State
Vector
Bate
state
Vector
Bate
Stat.
Vector
Bate
3-18
1
1
RTG Current
Used in conjunction with RTG voltage to establish proper operation of the RTG.
Used to monitor short circuit current when RTG is shunted by PCE switch.
RTG Temperature
The RTG will be severely degraded if the hot junction temperature increases above its design
value; therefore, this point must be monitored continuously.
DC Main Bus Voltage and Current
Used to verify proper operation of shunt regulator.
Used in conjunction with ac main bus voltage and current to determine proper operation of main
inverter.
Used in conjunction with RTG voltage and current to determine operation of the Current Throttle.
AC Main Bus Voltage and Current
Used in conjunction with dc main bus voltage and current to determine proper operation of the
main inverter.
Used to determine proper output levels to the spacecraft loads.
DC Protected Bus Voltage and Current
Used with dc main bus voltage and RTG No. 1 voltage to verify operation of the Current Throttle.
Used with ac protected bus voltage and current to verify operation of the protected bus inverter.
AC Protected Bus Voltage and Current
Used with the dc protected bus voltage and current to verify operation of the protected bus
inverter.
Used to determine proper output on the protected bus.
3-19
RTG Shunting Switch Command
To remove all power from the spacecraft while on the launch pad, the RTGs must be short
circuited. A normally open switch which is commanded closed only through the umbilical will
perform the shunting. A separate switch is provided for each RTG.
External Power
Should the situation arise that all RTGs must be shunted, selective internal sensors must still
be operative. Some candidates for this type of sensor would be the RTG temperature sensors
and RTG current and voltage monitors that are hard wired through the umbilical. The external
power lines would be junctioned with internal power to these sensors.
External Ground Loads
One of the important functions internal to the PCE is the current throttle. This circuit is to
maintain regulated voltage on the protected bus should a short occur on the main bus. To check
this function, a simulated overload must be placed on the dc main bus while monitoring the
protected bus voltage. To reduce the size of the overload required to suppress the main bus
voltage, RTGs 2 through 4 will be removed from the bus by activation of the shunting switches.
RTG No. 1 can supply regulated voltage to the main bus until the load exceeds 5 amperes.
Beyond this, the current throttle will limit current into the main bus in order to maintain the
protected bus voltage. Therefore, the external test load through the umbilical must be
slightly greater than 150 watts.
Common Return
This line will provide a reference return for the shunting switch commands and all PCE
monitors.
3-20
Table 3.4-2. Power Subsystem Umbilical Requirements
Function Quantity
RTG Voltage 4
RTG Current 4
RTG Temperature 4
DC Main Bus Voltage and Current 2
AC Main Bus Voltage and Current 2
DC Protected Bus Voltage and Current 2
AC Protected Bus Voltage and Current 2
RTG Shunting Switch Command 4
External Power 2
External Ground Loads 4
Common Return 1
3.4.4 COMMAND DECODER SUBSYSTEM (CDS)
As an alternate ground command path to the Control Computer Subsystem, the Command De-
coder Subsystem will decode ground commands and transmit these orders via a command bus
to a remote decoder array within the Power Subsystem.
The command bus format is a four bit parallel, five byte serial command word. The output
of the remote decoder array which interfaces to the power distribution switches will have the
characteristics shown on Table 3.4-3.
The Command Decoder will be capable of changing the state of each of the forty power distribu-
tion switches. As independant commands are required for each "on" and "off" operation switch
toggling by a single command is not acceptable), eighty commands are required.
Table 3.4-3. Remote Decoder Array Output Characteristics
3-21
Logical "1" Voltage 3. 0 to 5. 0 vdc
Logical "1" Output Current 1 Milliampere Min.
Logical "0" Voltage 0. 3 vdc Max.
Logical "0" Sink Current 5 Milliamperes
Duration of command ("1") 15 Milliseconds
Minimum period between consecutive On or Off commands - 10 Sec.
3.4. 5 TIMING SYNCHRONIZER SUBSYSTEM (TSS)
The Timing Synchronizer Subsystem is a highly reliable spacecraft central timing generator.
Since it provides the reference for CCS operations, all subsystems that communicate with CCS
must be synchronized to this reference.
3.4. 5. 1 Remote Decoder Timing Signals
Two signals are required at the Power Subsystem Remote Decoder Array (RDA) to receive
commands from the CCS or CDS command buses. One is the Byte Time Pulse which has a
repetition rate of 500 Kpps, and this is effectively an RDA input register shift pulse. The
second, called the Work Cycle Pulse, has a repetition rate of 500/9 Kpps. This signals the
RDA to read out its input register.
3.4. 5. 2 Inverter Timing Signal
The Timing Synchronizer will provide a clock pulse to the Main and Protected Bus inverters
with the following characteristics:
Input Voltage Logical "1" 3. 5 to 5. 0 vdc
Input Voltage Logical "0" 0 - 0. 5 vdc
Input Current Logical "1" 0. 2 Milliamperes
Input Current Logical "0" 0. 0 Milliamperes
Clock Frequency 9. 6 KHz
Positive Going Pulse Width 3. 0 Microseconds
A local oscillator in each inverter will be synchronized by this clock reference. If this
reference is lost, the inverter will free run at a slightly lower frequency.
3.4.6 CONTROL COMPUTER SUBSYSTEM (CCS)
In addition to furnishing commands for control of all power distribution switches, the Control
Computer Subsystem (CCS) provides two levels of support to the Power Subsystem. Level 1
support is required during normal spacecraft operation, while Level 2 support is reserved for
anomalous conditions.
3-22
3. 4. 6. 1 Level 1 Support
As a normal function, the CCS will provide power management services for the Power Sub-
system. CCS will determine if sufficient power is available in the Shunt Regulator before
switching on new loads. If the load power is not available, combinations of less important
loads must be removed to satisfy the new load.
CCS in conjunction with MPS will determine available power from voltage and current monitors
on the Shunt Regulator. Prior to activating a load, CCS will access its memory for the load
power requirements. The required load power shall be subtracted from the Shunt Regulator
power with the restriction that Shunt Regulator power shall not be reduced below 20 watts after
application of the new load (s). This will keep the regulator in its linear operation and thus
maintain voltage regulation on the Main and Protected Buses.
3.4.6.2 Level 2 Support
The following signals will be transmitted from the Power Subsystem directly to CCS to provide
failure identification and to alert CCS of impending corrective action by the PCE.
1. Low Voltage Cutoff (LVCO) Interrupt
2. Main Inverter Failure Detector Interrupt
3. Protected Bus Inverter Failure Detector Interrupt
3.4. 6.3 CCS Commands
The CCS command interface to the PCE is the same format as described for the Command De-
coder (Section 3.4.4). A separate command bus, used exclusively by CCS, connects to an
identical remote decoder array in the PCE.
As the primary command/control element, CCS will supply eighty commands to operate the
power distribution switches in the PCE. In addition, the following commands will be provided:
1. Protected Bus Inverter No. 1 On - No. 2 Off
2. Protected Bus Inverter No. 1 Off - No. 2 On
3-23
3. Protected Bus Inverter No. 1 Off - No. 2 Off
4. Main Bus Inverter No. 1 On - No. 2 Off - No. 3 Off
5. Main Bus Inverter No. 1 Off - No. 2 On - No. 3 Off
6. Main Bus Inverter No. 1 Off - No. 2 Off - No. 3 On
7. Low Voltage Cutoff - Inhibit
8. Low Voltage Cutoff - Bypass
9. Low Voltage Cutoff - Reset
10. Low Voltage Cutoff - Non Critical Load Off
11. Current Throttle - Select No. 1
12. Current Throttle - Select No. 2
All commands will have the characteristics shown on Table 3.4-3.
3-24
3.5 PCE CHARACTERISTICS
Table 3. 5-1 describes the performance characteristics for those equipments designated in
the Functional Block Diagram of Figure 3. 1-1.
3.6 SYSTEM RELIABILITY OVERVIEW
3.6. 1 SYSTEM RELIABILITY CONSIDERATIONS
The Power Subsystem has two significant success modes. The first is delivery of the required
regulated power, the second is providing fault tolerant power to enable recovery from an over-
load external to the Power Subsystem. Incorporation of hardware to accomplish the second
function degrades the probability of success of the primary function. The System/Power Sub-
system design has been arranged to minimize the deleterious effects of the additional hardware.
This is done mainly by providing power to critical loads by the protected bus and the main bus,
thus the loss of the protected bus can be tolerated.
To assess the System/Power Subsystem reliability, two steps are required. The first compo-
nent of success probability would be the power delivery probability of success without external
overload. The second element would be failure tolerant probability times the probability of an
external overload:
RPSS = ROW PNF + RF T (1- PNF)
where:
RpSS = Power Subsystem reliability
RPow = Probability of 100 percent power to the loads via the main bus
RNF = Probability no external load fault occurs
RFT = Probability of 100 percent power and the protected bus function
3-25
*
 
cd
I 
-
m
 
ss
a)
k 
E
c) 
Q
.
c
 d
C
Z
om
+
1)
s 
a
v
m
 
0E
+
 
00 
>
 
>
 o
-
clc
o
J
o
S
 >
cr)
bb$
>
 
a
.0
0
a)0
11LO
0
o LO
 
1~c~ PrilmC 
Ed
P4
BQ9
*
.
.
.
U)Qou~6ao c¢ C)Cdcd
UCw(JI-
LOI(1)4
0
Cd 
4
- 
i 
4
3
 
0 
9 
h 
C m
 
>
Cd
CD 
,
-
0 
bo
C
d
d
;4
 
L4p 
,
Cd 
' 
~
 
Q
)C
CZ 
n
-4
 
C
d
·
 
Cd 
( 
4
1
.4
" 
Po 
II
O
 
O
 
.
k 
W
 w
'C 
o
 
4.
a
 
o3
>
 
-BE f
0 
.
9 
.
,$ k
o(j
I0 
.
o) .eO 6 
)
S 0 
e4
-P
 
a
, 
g
0 
'
*
 
.
00w2~.. w, 4E-1E-
6eoo
m10
0
.
0a) 
W
i 
bd 
-a0 .
4 
4
m-.¢ C. 
C
Q c
4., 
m
 q 
Q 
°
 
a
mUcc
.
.
3-26
Cd 
e
>
 
>$ 
c d 
c< 
>
 
:c
o
>
 
w
e
In
7
4
t
o'; 
(
M
~
~
0. 0 
.
,
 r.
04~ 
~
 
O
*H
 
Q~~~~C
a)
s 
C
.,I 
.5o
O
*
: 
C 
w
a 
^
 
o
; 4 
c
02~O~
XE4ZWP4U
+1
.
Y
 
o
 
,
.
.
o
o
d
,
5 
o
 
e
·*
 
-0
 
0 -
-4.0
o
~
~
bb
.
,20 
g
EcU
Pg-
w
dz
Cd
-4aC
d
a)Ss
4.34
a)-4 
*
 
0 
0
O
'
EH
a)4
m
 
>
0 0 
C.
H
 
0 2 
0
A:1 
4 
r 
zMU~
0
u-40P;OU004P 0
0
bD
 
a
ed
 <
 
d
0 
0
; 
z 
a 
g
*
b
D
0
0 
0 
02 
-4 
d
°
 3, 2 
°g 
00 
.
.5 
·f 
15
0
*
 
0
a)a)k'5
02 ao
.
.4o 
0
N
 
g
; 
m
M
, 
F-
;8 
p
a)
.b 
.
,
.
-
o°
 
=
 
0
,
,
 
I 
O
cD o
-
 
*
 
0 
0
a) "o'C. Oa).0H um0 vU~OU~la)O cd(JLOICJ
w02.,.4 w02a)0
a)
do 
m
h
CUO
Q 02n4
a)
d--4.0a)
.
0
dj 
cU
*H
 
u
x
 
cd
00d 
C
c 
.0
102,?~
0
 
c
.4
4 
S- , 
C
mw B
 X qa)
2 
o
 
U
°O
a)a
:n
 
0
o
0
C9 d 
cd
r 
) 
m
a)C.)02
00) 
d
0 
cd
C)o
E
a)0
a
*
 
0 
0
3-27
P~oo 
+LO
.
.0 
0
d 
0t
-4 0 
0
e Q$4r
+
u
+l I0
o
 d
bDo
o
+
 
0
7-,
0oC
d
0InU)..iCa
o
 
bD
0a)0'00 ,-
'O 
~
-
a) 
to
0( 
+N
 
d
-
F
4
 D
.. ,
-i
do 
0
:i. 
54
0 
0 
0 
0 
0 
0
Ia)oo Cd
C 
a)
C
d
a)0 0L0
o
-N 
O
m
0 h 0
U'OD
0
o
Cd0o0 
.
yO0) 0
4 
o
Is
o
Cd )
~
-4 
.0
0 
la
o
 
0
F4 
o
0 
-9 
Cd :
5-4 
C)0
a1) 
0
a)
0 
'0
t
-
00
m
 
m
k
0 
0 
0 
0
o
 
-
d
0
)
k 
a
 ;El
3 H9:1w -I~
uUpR
c
0
0 
0 
0 
0 
0 
a)S.I '0oo
a)
cola
"0Cdo
a) 0
0
0 
0
IM
U
,
0:-I0 Cdcd00) rO
=;l
'0
cd 
4
3
 0
0 
0D )
o
 
0.-
 
,
O
 
·r
m
 
0f
0 
0 
0 
0 
0
0
o
lrO
'04- 
cd
Cd
aQ S o
0 
O
kQj4-2O
0a)5-*d9 n;
cs
r-I +
C.) 
o
1 
o
 
j
M
 g
a)
L0o 
baStE
o
b
i.C
d
.200Cd0
C
L
O
o
 
u
,
Cd
o
"0 Iaoum0o:0
- tur, --IG)
,
.
.
.
p-I-4to
Cd0rW+3~0a,w 04
pq'44i:4
3-28
S 
.)
s- 
i
aD 
d4 
0
-
004 
biD
0
0
4
 
) 
-
°
w
 Q 
4S
~
~
~
~
*
e o
 
gQ 
>
 
>
°
0 
0 
0
·
 
4 a
.
0 
a 
"0
$4 
bh b 
*
4 
4 
-
CI 
o
 
t0)0
0 
0 
z 
u
 
o
 
Q
04
.) CI,.Q-I0
Z I
0* 
0 
*
 
0
U, CA
Cd Cd 
C
q 
z
$4
bD
w
Z
0 .2
 >
 
oU 
k 
C0 
>
 Q 5 
=
a) 
>0))0 
a)oa)
k 
CI) 
CI
s
~
~
b
o
~
Cd 
-4
o
 
>
Cd 
0
o
*
 
-
2 
m
 
>
0 
;
0Q)a)ss.V
a)0o> 
.
00b0
0
oo. 
C.)o lCS 
U
o
 
0o
oo
 
Qt
0 
0
bO 
C-)?
Cd
0
)
W
0. 
-4
+4 
s-I
04 
0C
sj
.
la0moC,,oCdVICO C4a)H-
t~Cd0
U)
U)0--Is-I000
PA
fi8 z 0I
.
I0 a>b1
o
o
P
c
 
0
3-29
Accordingly, two numbers were generated in Power Subsystem reliability analyses, Rp o W
and RFT. The probability of no external load failures ,cannot be determined by the Power
Subsystem Engineer, but of all the possible failures in all the loads, one would expect a
rather small percentage to cause a severe overload on the power bus, therefore the term
RPoW X PNF will dominate in the above equation.
Another part of power control must also be analyzed from an overall system viewpoint. Each
power distribution switch is in series (reliability) with the load it controls. The switch con-
tribution to system reliability depends on the load criticality, the number of times the load
must be switched, and, for fault clerance, the specific failure mode of the load. For block
redundant critical loads, the switch function must provide power to a good load. Table 3, 6-1
presents success states for a critical, block redundant load that is always powered.
Table 3. 6-1. Success States
where:
G = Good
FS = Failed Short (closed)
FO = Failed Open
X = Don't care
3-30
Switch 1 Load 1 Switch 2 Load 2
G G G G
G or FS G G or FO G
G or FO G G or FS G
X FO G or FS G
G or FO FS G or FS G
G or FS G X FO
G or FS G G or FS FS
Notice that many success states include multiple as well as single switch failures. Since the
load is also involved in these success states, it is not possible to compute the switch system
reliability effect without considering the load. Another way of analyzing switch/load reliability
is shown using the block diagram of Figure 3. 6-1.
4 _ [ 3_LOAD R = 1 - (l-R SWRLOAD N
W rSLOAD NL,
Figure 3.6-1. Switch/Load Reliability Relationship
Figures 3.6-2 and 3.6-3 present the results of such a simplified analysis. Notice that the
switch/load reliability is highly dependent on load reliability, hence the system unreliability
contribution by the switches is a function of the load. The curves illustrate that, if the switch
is significantly more reliable than the load (a likely possiblity for solid state or magnetic
switches), the function reliability becomes insensitive to switch reliability.
If a load were not required for some definition of mission success, such as a science experi-
ment, the switch need only provide disconnect if the load failed short. Other loads may be
non-critical or not required, but inability to turn off that load may jeopardize another experi-
ment or particular mission event.
Therefore the power distribution switches are not included in the power subsystem analysis.
These switches should be considered as part of the load for system reliability calculations.
3-31
0.999
0. 998
0.995 
0.990 -
i
U
0.99
0.95 
0.90
0.
Figure 3.6-2.
0. 999 
0. 998
F.
c,
3
m
C
W
-
9
o. 9s
0.990
0.98
0.95
0.90
0. 9 0.98 0.9 '0. 995 0. 998 0.999
SWITCH RELIABILITY
Switch/Load Reliability vs. Switch Reliability
(1 of 2 Loads Required to Operate)
0.9 0.95 0.98 0.99 0.995
SWITCH RELIABILITY
Figure 3. 6-3.
0. 998 0. 999
Switch/Load Reliability vs. Switch Reliability
(1 of 3 Loads Required to Operate)
3-32
9
3.6.2 POWER SUBSYSTEM NUMERICAL SUMMARY
Section 4. 5. 5 presents a detailed explanation of the numerical computation of reliabilities.
Table 3. 6-2 below gives the present subsystem results for the original piece part (High)
failure rates and for the more realistic (Low) rates recently developed. There is a greater
probability of power delivery over failure tolerant reliability for the high failure rates. For
the low failure rates, the probability of failure is so small that the reliability difference is
less significant. Piece part failure rates for both 'high' and 'low' conditions are contained
in Appendix A.
Table 3.6-2. TOPS Power Subsystem Reliability
Figures 3.6-4 and 3.6-5 present the basic block diagrams for the functions involved in com-
puting the reliability. Basically, everything must work in the failure tolerant subsystem.
For just power delivery, the protected bus (PB) components are not required so the PB in-
verter function is deleted and shorts are allowed in the current throttle (CT). The probability
of (1) an RTG and power diode short, and (2) a PB inverter short which cannot be cleared
were presumed to be small compared to the other functions unreliability and were therefore
ignored in numerical computation.
3.6.3 TRADE STUDIES
Two studies determined the effects of different functional configurations on the Power Subsys-
tem reliability.
3-33
Failure Tolerant 100% Main Bus Power
Reliability (RFT) Reliability (Rpow)
High Rates & 0. 7874 0. 8247
(RRTG = 0. 99)
Low Rates & 0. 9704 0. 9721
(RRTG = 0. 995)
3-34
zpFeI-
D
S
9N::> Pj
a)arc)
o s-
so-5-) 0Q
-4C)
Pq CD
o
n .00Ccr ,f
-I"4aU)5-.,4 "4o,. P4Cd
V)U;
C
DC()
.
,
44
The command generator* of the inverter failure detector was rearranged into a quad con-
figuration to compare with the baseline configuration (See Figure 3.6-6). This impact on
subsystem reliability is shown in Table 3.6-3.
Table 3.6-3. Effect of Various Command Generator Configurations
on Subsystem Reliability
The last column presents {1 - [(1-RQCG)/ (1-RBCG) ] in percent, as the figure of unreli-
ability reduction. Although the magnitude of improvement is not as dramatic when the low
failure rates are used, rearranging the command generators into a quad doesn't require
additional hardware, but does improve subsystem reliability, and is therefore recommended.
The second study concerned the effect on subsystem reliability when two or three Main Inverters
were used. Table 3.6-4 presents these results which were calculated using the Quad Command
Generator configuration previously discussed.
Table 3.6-4. Effect of Various Main Inverter Configurations
on Subsystem Reliability
3-35
*For detailed discussion of command generator see Section 5. 7 and 4. 5. 5. 2.
Subsystem Fault Tolerant Reliability
Baseline Command Quad Command Unreliability
Generator (RBCG) Generator (RQCG) Reduction (%)
High Failure
Rates 0. 7874 0. 8216 16.0
Low Failure
Rates 0.9704 0. 9714 3. 5
Subsystem Fault Tolerant Reliability
2 Main Inverters 3 Main Inverters Unreliability
(R2 ) (R3 ) Increase (%)
High Failure
Rates 0.8098 0.8216 6.5
Low Failure
Rates 0.9706 0.9714 3.0
L~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"
 o,0
: 1
W
 , 
40
Fi4i ~
I z0U E-9z
z2Oz0uwCm
03
6 
M
 E-w>,
iE
>
wo
¢o LkLZL- 
.
P4.99w3
0u
H
FD
0aPo Im P0r-I~
m41Oz
0 
-
m
C
 
E- 
-!
o 00 C
d
2;
a0
z3 
2
o
C)
Z
0I 
'
3-36
TI
D Pk
zTi0
]z I Tiz SiTi2J,
3¢ 
F
o- 
-
NC4
4r--jS n
.:
 
w
° 
o
>
, 
The last column is [(1 - R2 ) / (1 - R3 ) - 1] in percent, to give a value for unreliability
increase. As would be expected, the greatest gain is realized for the high failure rates,
but the gain is less than 10 percent. A main inverter represents 7 to 9 percent of the PCE
weight, so a weight-reliability trade would be even for the high failure rates. For the low
rates, a weight versus reliability measure goes against the use of 3 inverters. Generally,
the third inverter will produce only a small reduction in the subsystem unreliability. Unless
that reduction makes a significant gain toward an unreliability goal, two inverters are
recommended.
3.6.4 RELIABILITY IMPROVEMENT
Table 3.6-5 presents the detailed function reliabilities for a two main inverter, quad command
generator subsystem.
Table 3.6-5. Detailed Function Reliabilities
Single
RTG 4 RTGs
Current
Throttle
Function
Shunt
Regulator
Function
Main Bus
Inverter
Function
Protected
Bus Inverter
Function
Subsystem
Fault
Tolerant
Reliability
High
Failure 0. 990 0. 9606 0. 98097 0. 90212 0. 97603 0. 97603 0. 8098
Rates 0.995 0.98015 0. 8263
Low
Failure 0. 995 0. 98015 0 998368 0. 99382 0. 999037 0. 999037 0. 9706
Rates 0.998 0.99202 0. 9824
'I[
The most effective way to increase subsystem reliability is to raise the lowest value. Since,
on a relative complexity basis, the two inverter reliability is significantly better than the other
major elements (shunt, RTGs), the two inverter recommendation is reinforced.
Comparing the Power Conditioning Equipment functions, it can be observed that all are of
equivalent reliability with the exception of the Shunt Regulator. If the shunt was improved to
3-37
be nearly equal to the other elements, the values would be well balanced, which is desir-
able as this is most efficient from a numerical reliability viewpoint.
3-38
SECTION 4
DESIGN AND TRADE STUDIES
The features of the subsystem described in Section 3 were selected through continuous evalua-
tion of alternatives during the course of the study. This section summarizes the principal
trade study and evaluation efforts and, where appropriate, describes design options which
appear practical and might be employed where warranted by particular conditions.
The trade studies are grouped according to their relationship with the following power system
functional areas:
1. Energy Storage
2. Regulation
3. Distribution
4. Fault Detection & Correction
5. Reliability/Redundancy
6. Transformer Optimization
7. System Response
8. Radiation Analysis
9. Harness Optimization
4.1 ENERGY STORAGE STUDIES
Studies of the RTG power source were conducted under the AEC MHW-RTG development
program and are considered in this TOPS-PCE program only insofar as proposed RTG
concepts influence the Power Subsystem configuration. The principal factors considered
thus far are: (a) the need for long term flight batteries, and (b) the use of launch batteries
to augment limited on-pad RTG capability.
4-1
4. 1.1 LONG-TERM FLIGHT BATTERIES
The use of batteries was investigated to determine advantages, operational flexibility, and
ability to clear faults. Batteries provide a high degree of operational flexibility. Principally
they permit the application of loads greatly in excess of those capable of being satisfied by
the prime power source. Additionally, through power averaging, they potentially permit a
reduction in the size of the prime power source. In the case of RTGs this can represent
large cost savings because of the high cost of radioisotope fuels. Evaluation of these and
other factors is provided below.
4. 1. 1. 1 Evaluation Factors
(1) Power Averaging
The load profile chart, Figure 2-1, indicates a maximum power requirement of 460 watts
during the Far Encounter phase of any particular planetary pass. This phase may last as
long as twenty hours. For each watt supplied by nickel cadmium batteries (the only reason-
able contender for the life requirements involved) the weight penalty is 2 pounds, considering
an energy density of 10 watt-hours/per pound and operation for 20 hours. For the contem-
plated RTGs, the weight penalty is about 0. 5 pounds per watt. Thus the weight penalty of
battery averaging is at least four times as great as increasing the RTG size to provide
direct power. With depths of discharge less than 100 percent (decreasing the effective
energy density) and taking the losses of discharge conditioning into account, the weight
penalty difference is even more pronounced. The use of batteries for power averaging
does not appear to be justified for the outer planet missions.
(2) High Current Pulse Loads
Particular pyro loads will incur power demands considerably larger than those listed on the
power profile, Figure 2-1. Suitable methods for supplying such loads are using (1) capacitor
- bank systems of the type used on previous Mariner - Class spacecraft, or (2) thermal
batteries which have been used for many high current short pulse duration applications.
These systems are reliable and would be suitable for the 12-year outer planet missions.
4-2
In comparison, secondary battery energy storage is not warranted because of the uncertainty
associated with extended 12-year operation.
Smaller pulse loads, for which batteries could be considered, are presented by the solenoid
thrusting for attitude control. -Each solenoid valve requires 2 watts during thruster operation.
Two such valves are used for each thruster of which there are twelve (four for each of three
directions). The highest solenoid load of 24 watts would occur if all thrusters operated
simultaneously, a condition that might result in response to a meteoroid impact. Although
this level of solenoid power demand will rarely if ever occur, it must be reflected in the
power requirements for contingency purposes. More frequent demands will be associated
with single axis solenoid operation (8 watts) or momentum wheel operation (about 11 watts).
Batteries for supplying these demands could be quite small, probably on the order of 2 to 3
pounds. With an associated reduction in RTG requirements of about 20 watts, an RTG weight
saving of 10 pounds is possible for a net saving of 7 to 8 pounds. Against this potential
advantage are the added complexity and uncertainty of operation. Further, the RTGs are
oversized for degradation allowances. Thus, if the solenoid load pulses were not taken into
account, there would be sufficient margin except for the final phases of the mission. All
these factors weigh against the use of a battery for pulse load purposes.
(3) Turn-On Transients
Many continuous loads whose steady-state demands would be satisfied by the RTG have
high starting current characteristics. The TWT mentioned earlier provides a case in point.
Batteries would seem to minimize the turn-on transient disturbances. However, a variety
of suppression techniques can also be employed to minimize transients and these should be
thoroughly investigated before a battery is used for transient suppression purposes.
Load sequencing provides another means for minimizing the effects of turn-on transients.
If the loads which cause the more severe effects are turned on first in a particular turn-on
sequence, there is a better chance that the transient will be within the current capability of
the RTGs. Loads with lesser transient effects would then be turned on after the initial
transient condition subsided. If the reverse procedure were used it is more likely that the
power capability might be exceeded as illustrated simply in Figure 4.1-1.
4 -3
SEQUENCE NO. 1: LOAD A-IST SEQUENCE NO. 2: LOAD B-IST
LOAD B-2ND LOAD A-2ND
POWER LIMIT EXCEEDED
POWER B
LIMIT
( t
B
TIME
* 50% TRANSIENT ASSUMED FOR BOTH LOADS A&B.
Figure 4.1-1. Load Turn-On Sequences
,Whether particular mission phases will permit such load sequencing is not known. If such
options exist, it seems clear that applying power to the larger loads first would tend to
result in fewer transient disturbances and further obviate any need for battery energy
storage.
(4) Fault Clearing Capability
The RTGs may also have sufficient fault clearing capability. An estimate of this capa-
bility is provided below to determine if a battery is necessary for this purpose.
In this estimate it is assumed that all loads are fused and that any fault may be cleared with
a current at three times the normally rated load value by blowing the fuse. The following
figure shows the relationship of the RTG voltage-current characteristic to the load character-
istics. This relationship as shown assumes a nominal load of 460 watts with the RTG just
capable of supplying this power. This represents a situation which might exist at the Far
Encounter phase of the last planetary encounter.
4-4
60
NORMAL NORMAL SYSTEM
50 _ TWT - LOAD
40
VOLTS 30
RTG
20 CHARACTERISTIC
3 TIMES NORMAL
10 _ / TWT CURRENT
3 6 9 12 15 18 21 24 27 30
CURRENT, AMPERES
Point A represents the normal operating point with the system drawing 15. 3 amps at 30
volts from the RTG. The TWT is the largest load and is rated at about 60 watts. Point B
indicates the current drawn by all loads except the TWT. The load line through the origin
and point B represents the impedance of these loads assuming they are purely resistive in
nature. Assuming a complete short in the TWT, the system voltage would be depressed
increasing the RTG current output. At 20 volts or lower the current through the TWT fuse
would be larger than three times the normal rating and the fault would be cleared.
In the above example the largest load of the system was used. The clearing capability for
smaller loads would be that much better. The conclusion is that sufficient fault clearing
capability exists with the RTGs and the use of batteries for that purpose is unnecessary.
(5) Reliability
The prediction of battery reliability for 12 years of operation is based on published cell
failure rates* occurring over periods of one to six years. The twelve year predictions are
necessarily extrapolations.
*TRW paper titled "Optimization of Battery Subsystems for Earth Satellite Lifetimes of
Greater Than 5 Years" contained in the Proceedings of the Fourth Intersociety Energy
Conversion Engineering Conference - September 1969, Washington, D. C.
4-5
The cell failure data is summarized on Figure 4.1-2. The dotted line extensions beyond
six years are the extrapolations mentioned.
1400
1200
/ /
~iooo / //
0O.
Figure 4.1-2. Battery Cell Failures Due to Separate Causes
600
I__
0 2 4 6 8 10 12
YEARS OF OPERATION
.1-2.  t  
The "high voltage divergence" failure mode shown in Figure 4.1-2 was not considered in
reliability predictions since it was assumed that the low rate battery charging required for
TOPS would not lead to this problem. The other three failure modes shown on Figure 4.1-2
were summed to produce the cumulative failure rate curve shown on Figure 4. 1-3.
Figure 4.1-4 is the calculated results using only the failure rates from Figure 4.1-3.
The effect of using many series cells in decreasing the reliability is evident on the figures.
By using redundancy, the reliability is increased as indicated by the cases using 2, 4 or
8 batteries. In these cases it should be realized that only one battery is needed, this redun-
dancy being necessary to assure the operation of one battery with the reliability indicated.
4-6
2800
2400
2000
40
200
10, : _
00
0.60
B I I \ I BATTERIES
0.40 
0.30
0 4 8 12 16 20
NUMBER OF CELLS PER BATTERY
Figure 4.1-4. Reliability for a Twelve Year Mission
4-7
In general, the penalties associated with achieving reasonable reliability appear rather
severe. Fewer batteries can be used if the number of series cells is limited; this, of
course, would require the use of boost electronics. If this complexity is to be avoided then
more batteries would be required.
The fact should be emphasized that any present commitment on the use of a long-life
battery for TOPS would be made without the benefit of a demonstrated 12-year life capability.
This is probably the most important single fact against the use of a long life battery. Aside
from this, the possible leakage of electrolyte may endanger other spacecraft equipment and
possibly interfere with certain science measurements. Reliability is also compromised as
a result of the additional integration complexity involving such functions as charge regulation,
battery temperature control, etc.
4.1.1.2 Conclusions
The use of long-term flight batteries for TOPS appears neither necessary nor desirable.
The principal benefit of batteries would be to reduce turn-on voltage transients. It is
considered that other less-complex techniques can be used to relieve such transients. These
would include a variety of suppression circuit techniques and the judicious application of
filters to the more sensitive loads.
4.1.2 LAUNCH BATTERIES
Launch batteries may be required if the RTGs are not capable of generating power because
of environmental restrictions during the launch phase. The proposed RTGs are designed
for vacuum operation and may be damaged if certain interior elements are exposed to air.
Since the RTGs cannot be vacuum sealed reliably, it may be necessary to cool the fuel
capsule before launch or pressurize the RTG interior with an inert gas which would be
released after space flight is achieved. With fuel capsule cooling no power is generated,
requiring the use of a launch battery (full RTG power would be developed several hours
after launch), while with inert gas protection, partial power is generated during the launch
phase.
4-8
The study reported here was to determine the complexity involved in using a launch battery,
and thereby indicate, from a power system standpoint, which of the proposed RTG schemes,
fuel capsule cooling or inert gas pressurization, was preferred. No attempt was made to
justify the preference from an RTG point of view considering comparative RTG weight
penalties, manufacturing complexity, or cost.
A subsystem configuration was developed which used batteries specifically for the case where
pre-launch cooling of the RTGs is used, i. e., no RTG power is generated prior to launch.
In accordance with the load profile, a launch and ascent load of 250 watts is used. A rough
calculation indicated that full RTG power would be developed after 2 hours. This was the
value assumed in determining battery size.
4.1. 2. 1 Evaluation of this system is provided below.
4.1.2.1.1 Weight
The launch phase requires 500 watt-hours of energy (250 watts for 2 hours). With allowances
for prelaunch and contingencies, a 750 watt-hour capability seems reasonable. Using silver-
zinc batteries rated at 50 watt-hours per pound, the battery weight is 15 pounds. It is esti-
mated that 5 to 10 pounds of other equipment would be required (series regulators, protective
circuits, etc) for a total of 20 to 25 pounds. This would be the difference in a battery versus
no-battery system discounting any difference in RTG or additional equipment weight. In
sizing the battery, no allowance was made for partial RTG power generation during the 2-hour
buildup period. If the possibility of a battery failure is hypothesized during this 2-hour
period the gradual buildup of RTG power to the loads could be injurious. In the implementation
described in the following paragraph the RTGs are actually shorted out to prevent the gradual
buildup possibility. Thus the disallowance for partial RTG power is justified.
4.1.2.1.2 Battery Electrical Integration
Figure 4.1-5 shows a particular arrangement for integrating launch batteries into the power
source end of the subsystem. Various other schemes were considered - the one shown
4-9
O
--
o
~
I~
C
_J~~~~~u 
1 
o
 
-
~
~
 
-To 
=0
~
~
~
~
"
'1
0
~
~
 
C 
C)
W
S
-X
k
W
I-
0
~
~
 
~
 
-r
-
A
 
-
-d 
o
r
=
 
-
E 
e 
A
S
H
- 
-
-
.
.
 
I 
[-q
-
,
 0 U~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4-10
appeared to be least complex and survives a variety of failure mode conditions. Comparing
this diagram with one not using a battery (Figure 3.1-1) the following differences are noted:
1. Two series regulators are required for feeding battery power to the protected and
main busses.
2. To prevent battery discharge, the shunt regulator must be segmented into four
units and placed upstream of the RTG Isolation Diodes.
3. Isolation diodes are introduced on the protected bus to prevent the battery from
discharging through the shunt regulator of RTG #1.
4. A switch circuit is introduced to permit battery charging through OSE.
5. RTG output diodes are used to permit on-pad testing of the subsystem. Since the
RTGs are cold, the diodes prevent them from loading down RTG test simulators.
Once space flight is achieved and the RTGs produce full power, these blocking
diodes are bypassed through a switching circuit.
6. Separation switches are used to short the RTGs. This is a backup feature used
in the event of a failure of the launch battery. As long as the spacecraft is attached
to the kickstage the switches are closed, shorting the RTGs and thus preventing
partial power from being applied to the loads. If a battery failure is detected it
would be necessary to delay separation until proper RTG temperatures are estab-
lished. Since separation occurs after interplanetary injection the delay may be
acceptable. No power would be available but the mission could proceed normally
after separation. An additional switch circuit is shown which can override the
RTG shorting, once it is established that RTG temperatures are at a level permitting
sufficient power generation.
In general it is seen that the batteries introduce a variety of electrical complexities. Not
all of these have been covered in detail. For example, each new switching element will
require command and CCS circuitry, not to mention the additional test procedures.
4.1. 2.1. 3 Battery Physical Integration
The principal problem regarding physical integration concerns potential electrolyte leakage
from the battery. An active silver-zinc system would in time exhibit electrolyte leakage.
Ways of getting around this problem might be as follows:
4 -11
1. Jettison the battery
2. Mount the battery on the kick stage.
3. Develop an hermetic case and/or improved seal.
The first two options introduce significant interface complexity. The third method would
require additional weight and would be difficult to prove for the life times involved.
4.1.2.2 Conclusions
The above evaluations indicate a preference for on-pad RTG capability.
4-12
4.2 REGULATION STUDIES
Shunt regulation was selected early in the study as the appropriate method for regulating the
RTG voltage. The principal reasons for this selection are: (1) maximum possible efficiency -
in-line loss elements are avoided; (2) shunt regulation presents constant load conditions for
the RTGs which both limit RTG internal temperatures and avoid abrupt temperature-time
conditions.
Elaboration on these results is provided in the following sections. Section 4.2. 1 compares
several basic regulation concepts showing that shunt regulation appears most attractive.
Section 4.2.2 then compares the merits of various shunt regulation alternatives.
4.2.1 BASIC REGULATION ALTERNATIVES
The isotope fuel within the RTG produces steady heat which is only modified by its decay
characteristics. In terms of energy, this heat appears as the sum of the electrical output
power and the heat rejected from the RTG case. If power is not removed electrically, the
rejected heat and temperatures are correspondingly increased. Higher operating tempera-
tures may cause faster rates of degradation of the thermoelectric element. To avoid or
minimize this possibility, regulation may be employed to adjust the apparent electrical load
to levels consistent with limiting the rejected heat.
Other factors of regulation concern the means for taking decay and degradation into account
and possible methods for extracting the maximum power from the RTG. Three general
regualtion approaches for meeting the above objectives are compared below.
4.2.1.1 Maximum Power Point Tracking Approach
In this approach, means would be incorporated for operating at the voltage-current condition
corresponding to maximum power capability. The power output of an RTG is greater when
it is recently fueled than when it is several years old. This increased power is available at a
combination of voltage and current which changes as the RTG ages. A possible means of
utilizing this extra power would be to use a voltage regulator which tracks the maximum point
of the RTG. An analysis was made to determine whether, in fact, any additional power could
4-13
be obtained from the new RTG by allowing the RTG voltage to vary. A plot of the RTG power
output versus voltage is shown in Figure 4.2-1 for an RTG when newly fueled and when 12
years old. The curves indicate that, if a fixed RTG voltage is selected which is optimized
for end-of-life, the loss in initial power capability will be less than 1 percent.
Thus, maximum power point tracking is not a favorable regulation approach, particularly
when taking into account the additional complexity required, and the mandatory 6 to 8 per-
cent in-line losses incurred to restore voltage regulation to the bus.
4.2. 1.2 Peltier Cooling Approach
It has been suggested that the life of an RTG might be extended, or the rate of degradation
of the thermoelectric elements reduced, by operating the RTG with a lower hot junction
temperature. For a fixed RTG design, the hot junction temperature can be lowered under
part-load conditions by withdrawing the power at lower voltages. The resultant higher cur-
rents will increase the Peltier cooling by the thermoelectric elements and lower the hot
junction temperature. This method of operation requires an in-line boost regulator to pro-
duce a regulated bus.
I,
e 60 ttTWE-VE YEARS-
10 -
0 10 20 30 40 4i) 60 70 80
OUTPUT VOLTAGE, VDC
Figure 4.2-1. RTG Power-Voltage Characteristic
4-14
The steady-state voltage-current (V-I) characteristics of the RTG are shown in Figure
4.2-2, with transient V-I lines for several hot-junction temperatures. As the operating
point moves to lower voltages, the hot-junction temperature falls. The relationship between
power and hot junction-temperature is shown more clearly in Figure 4.2-3.
Operation of the RTG in this manner is not without disadvantages. As the electrical load
changes, the temperature of the RTG will change, and the resultant thermal cycling may
accelerate the degradation of the RTG.
Furthermore, the reduced hot-junction temperature at low load will cause a significant reduc-
tion in the transient power capability when full load is required. When the RTG has cooled to
its new lower hot-junction temperature, increases in power demand will cause the operating
point to rise along the transient V-I line corresponding to that temperature, which is lower
than the steady-state V-I curve. This reduction in transient power capability is shown in
Figure 4.2-4. For example, assume that a 100-watt RTG is operated at 50 watts. When
full load is called for, only 82 watts will be immediately available, until the RTG heats up
to its normal operating temperature again.
This effect alone is sufficient reason to discontinue further consideration of this method of
operation. The power loss of 6 to 10 percent and the complexity of the in-line boost regu-
lator are additional negative factors to consider.
4.2.1.3 Shunt Regulation Approach
In this method, the RTG is operated at constant voltage conditions. The voltage level is
selected to correspond to maximum power output at end-of-life. Excess power is dissipated
in shunt resistive elements. A number of variations to this approach are possible as discussed
in Section 4.2.2. In general they are characterized by constant operating conditions for the
RTG resulting in a significant advantage for shunt regulation. Another important advantage is
the elimination of in-line conditioning elements and the corresponding loss in efficiency.
4-15
10 20 30 40 50 60
OUTPUT VOLTAGE, VDC
Figure 4.2-2. Hot-Junction Temperature Effects on
Volt-Ampere Characteristics
Figure 4.2-3.
OUTPUT POWER, WATTS
RTG Output Power Effects on Terminal
Hot-Junction Temperature
Voltage and
6
v-0 4
z
go2oc
a-
2) 
0
0
30--
20
.J_I
' I 0
0
0
"7
*u
orM.
M:
w
To
z
F-
0
I-
C-
0
4-16
Too0
80 -' '
60
LU
40
0 20 40 60 80 i 100
PERCENT POWER OPERATING POINI
Figure 4.2-4. Reduced Transient Power Capability
4.2.1.4 Regulation Concept Selection
Shunt regulation is selected over the other approaches because of the following:
1. Constant operating condition for the RTG.
2. High efficiency - no in-line losses.
3. Simplicity - straightforward circuit designs.
4.2.2 SHUNT REGULATION ALTERNATIVES
A variety of shunt regulation methods are possible. As described below several types were
considered and a particular approach adopted as being most suitable.
4-17
4.2.2.1 Full, Linear Dissipative
Figure 4.2-5. Linear Shunt Regulator
Operation. All excess RTG power is dissipated within the shunt regulator (Figure 4.2-5).
To limit environmental temperature variations the transistor elements would be located in
the PCE bay. The less critical resistor elements may be located externally. Maximum
dissipation occurs when the transistors are saturated with almost full bus voltage applied
to the resistive elements. The maximum transistor dissipation is about 1/4 this value when
the transistor and resistor drops are equal.
Evaluation. For a shunt designed to dissipate the full RTG output (600 watts at beginning
of life) the transistors must be designed to dissipate 150 watts. It is estimated that the PCE
bay could handle about 100 watts of total dissipation with an allocation of 40 to 50 watts for
the shunt transistor elements. Thus the full dissipative shunt approach exceeds this constraint.
4.2.2.2 Partial Shunt
Lower
Figure 4.2-6. Partial Shunt RSec
Figure 4.2-6. Partial Shunt Regulator
4-18
Operation. The RTGs are electrically divided into upper and lower sections (Figure 4. 2-6).
Shunt regulation is applied to one of the sections which results in a total dissipation 1/4
that of a full shunt. The need for resistive shunt elements is eliminated; however the
transistor dissipation is identical to that for a full shunt.
Evaluation. No decrease in transistor dissipation is provided by this approach. Therefore
no relief is provided for the PCE dissipation problem. Resistive elements are eliminated
but at the expense of requiring a more complicated RTG design whose upper and lower sec-
tions must be physically integrated to average out the different temperature operating points
of both sections.
4.2.2.3 Switching Shunt Regulation
Figure 4.2-7. Switching Shunt Regulator
Operation. The effect of a switching shunt regulator on RTG operation was studied. The
switching shunt (Figure 4.2-7) shorts the output of the RTG on a duty-cycled basis. Power
is drawn from the RTG at a voltage higher than the regulated bus voltage, and the filter
averages out the voltage. The operating points of the RTG alternate between Point A and
Point S (Figure 4.2-8). By switching to the short circuit current point (S), a high current
is maintained on the RTG even at no useful load, and this limits the excursion of the hot-
junction temperature.
4-19
Evaluation, An approximate analysis, the elements of which are shown in Figure 4.2-8
indicates that, regardless of the load, the time-averaged current output of the RTG is
constant, just as for the linear shunt. Thus, the Peltier component of cooling should
remain constant.
50
CD
-_J
0)
0
50
30
0
6
3
1
0
A
40
Li
ED
-J
01
S1
CURRENT
0
40
30
0
6
3
2
0
A
C 30
2 S U S
CURRENT CURRENT
30
0
6
3
0
Figure 4. 2-8. Operation of Switching Shunt Regulator
4-20
RTG
CHARAC-
TERISTIC
RTG
VOLTAGE
RTG
CURRENT
In the above analysis it was assumed for the sake of simplicity that the hot-junction tem-
perature remained constant. However, at part load the hot-junction temperature will in-
crease to some extent. Some linear approximations were made to determine this tempera-
ture variation. The two equilibrium hot-junction temperatures were found which correspond-
ed to the current of each of the two operating points (Point A and Point S), and these were
averaged, weighted by the duty cycle. The results are presented in Figure 4. 2-9, indicating
o
a rise of about 60 C in the hot-junction temperature at no load. The temperature increase is
expected to be slightly less when predicted by a more precise analysis taking nonlinear ef-
fects into account.
The major advantage of the switching shunt is that the heat load in the shunt regulator is
relatively constant, independent of the varying spacecraft load. Whether or not this is an
advantage to TOPS has not been demonstrated, as the dissipation in the linear shunt may be
used constructively to stabilize the spacecraft thermal balance.
3.0
2.0
a
A:
C 1.0
n
950 960 970 980 990 1000 101
AVERAGE HOT JUNCTION TEMPERATURE, "C
Figure 4.2-9. RTG Temperature with Switching
0
4-21
: i
i-
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~I
u
There are disadvantages to the switching shunt. The in-line filter introduces about 2 to
3 percent loss, and there are switching and drive losses in the switching circuit. A
major problem is introduced in the area of EMI since double the RTG rated current must
be switched by the switching shunt. In TOPS, this switched current is carried from the
RTGs by long lines, which effectively act as large radiating antennas.
In addition, the switching shunt violates the allowable ripple current specified for the RTG,
although the effect of the ripple and the need for an RTG ripple current specification has not
been definitively established.
Because of the EMI problem, and because the losses at full load are higher for the switching
shunt than for the linear dissipative shunt, it is recommended that the switching shunt regu-
lator not be considered further.
4.2.2.4 Full, Linear Dissipative, Auxiliary Loads
RTG
-- -I
Shunt 
I CCS
RTG - - - -I Control
hunt I Aux.
loads
Figure 4. 2-10. Auxiliary Load Shunt Regulator
Operation. This approach (Figure 4. 2-10) uses a full dissipative shunt with its range re-
duced through the use of auxiliary loads. To limit the transistor dissipation to around
40 watts (the limit of the PCE-bay dissipation) the shunt resistive elements are sized to
dissipate 160 watts. Sufficient auxiliary loads are then required to absorb the 440 watt
remainder of the 600 watt RTG output. The auxiliary loads are in discrete increments
permitting load adjustments such that the active shunt regulator is always at midrange
4-22
(around 80 watts of dissipation). The switching in or out of any load (none of which is greater
than 80 watts) then occurs within the dynamic range of the shunt regulator, Subsequently -
the auxiliary loads must be adjusted to again bring the active shunt to midrange in preparation
for the next application of loads. In this way, all switching (including the switching of the
auxiliary loads themselves) occurs within the dynamic range of the active shunt, resulting in fast
system response. To maintain the midrange adjustment it is necessary to sense the active
shunt current and through appropriate logic circuitry add or remove the necessary auxiliary
loads until the proper shunt current value is reached.
Evaluation. This approach satisfies the PCE bay dissipation constraint but at the expense of
added complexity - current sensing in an active control loop, logic circuitry, auxiliary
loads, and switching elements. This complexity is more pronounced when redundant elements
are added to improve shunt regulator reliability.
4. 2. 2. 5 Full, Sequence Dissipative Shunt Regulator
SEQUENCE SHUNT REGULATOR
Figure 4. 2-11. Dissipative Shunt Regulator
Operation. This method (Figure 4. 2-11) provides the response of the full, linear dissipative
shunt without the disadvantage of high thermal dissipation in the shunt transistors.
4-23
Four transistor/resistor legs, operated sequentially, provide the capability to shunt the full
RTG output of 600 watts, while limiting the maximum power dissipation in the PCE bay to
approximately 56 watts. As the transistor in the first sequence is varied from full-off to
full-on, it passes through a region of maximum dissipation as shown in Figure 4.2-12.
When the first sequence approaches saturation, the second sequence begins its operation from
full-off to full-on. This operation continues until the sum of the spacecraft (S/C) load current
and shunt regulator current equals the RTG current at 30 vdc.
With a four-step sequence, it is possible to limit PCE bay (transistor) dissipation to a maxi-
mum value of 56 watts and provide a total shunt capability of 600 watts.
Evaluation. The sequence shunt is attractive from a thermal standpoint as the PCE dissi-
pation allocated to the shunt is just slightly exceeded.
z
0
E-4
W _
cr;
o
;4 H
E-m
0
a; f
xD 
¢n
To
60
50
40
30
20
10
0 100 200 300 400 500
TOTAL SHUNT DISSIPATION (WATTS)
600
Figure 4. 2-12. Electronics Power Dissipation vs Total Shunt Regulator Power
Sequence Dissipative Shunt Regulator
4-24
This segmented shunting arrangement also provides a higher reliability than those previously
described. This is due to the aging characteristics of the RTGs in that they develop less
power near the end of mission (EOM). This would permit open circuit failures of the third
or fourth sequence (loss of shunting capability) to occur and the shunt regulator could still
absorb all the RTG power near EOM.
4.2.3 CONCLUSIONS
Based on the above evaluations, the sequence shunt offers the most suitable characteristics
and is selected for the baseline design.
A detailed description of operation is included in Section 5.3.
4 -25
4.3 DISTRIBUTION STUDIES
AC distribution was selected to supply power to the spacecraft loads. The results of
an ac-dc trade study did not strongly indicate a preference and as previous JPL ex-
perience has been with ac, this was selected.
There are loads that can operate directly from the regulated 30v dc bus and thus save
the ac distribution losses. In order to implement this, a means was developed to inter-
face signals from an ac-powered load to the dc load while maintaining ground isolation.
Three different circuit concepts were investigated for power distribution switches.
The relay type switch was judged best for TOPS over a magnetic and a solid state ac
switch. Different power bussing arrangements were studied to determine the best
configuration for TOPS. A Protected Bus concept was selected as a baseline design.
The following sections describe these studies in further detail.
4.3.1 BUSSING ARRANGEMENT
The purpose of this study was to identify several practical bussing alternatives and to
select a baseline bussing arrangement.
Certain basic criteria were used in considering bussing alternatives.
1. Power is to be provided from 3 to 4 separate RTGs.
2. The output from any single RTG or group of RTGs will be regulated at
30 vdc. This constraint results from the basic selection of shunt
regulation described earlier and the voltage defined for the RTGs under
study.
3. Consideration is to be given to establishing power priority to loads in
accordance with their mission criticality.
4. Means are to be incorporated for limiting the effect of source or load
faults.
4-26
The principal bussing concepts considered and their evaluation are described below:
4. 3. 1. 1 Multiple Bus Concept
Description. The loads are divided into separate groups and supplied by separate
RTGs (see Figure 4. 3-1).
_RTGe Cot L2i
Figure 4. 3-1. Multiple Bus Concept
Evaluation. This method provides the best isolation against load or source faults, but
is severely limited in its flexibility. Critical loads contained in any of the load groups
are dependent on power from a single source. Failure of any single source could
thereby constitute a total loss of the mission. Another severe flexibility restriction
concerns the power demand limitation imposed by any single source; no load is per-
mitted to exceed the single source capability.
4. 3. 1. 2 Priority Bus Concept
Description. This concept is representative of a class of arrangements in which cer-
tain priority load groups can receive power from multiple sources while less critical
4-27
groups are restricted to power from fewer sources. In the particular concept shown in
Figure 4. 3-2, L3 receives power from RTGs No. 1, No. 2 and No. 3; L2 receives
power from RTGs No. 1 and No. 2; and L1 receives power only from RTG No. 1.
Figure 4. 3-2. Priority Bus Concept
Evaluation. It would appear that this method passively accomplishes power priority to
critical loads. However, this capability is conditional on the critical loads also being
those demanding the greatest power. From the arrangement shown, L3 would be the
critical load group since power is available from all three sources. If components of
L3 demand peak power in excess of the output of one RTG, the arrangement is fine. If,
however, peak demands are associated with non-critical loads, more generally the
case, the advantages of this system are somewhat compromised. If non-mixing of
critical and non-critical loads is to be rigidly adhered to the system is probably no
more flexible than the Multiple Bus Concept described in Section 4. 3. 1. 1.
4. 3. 1. 3 Single Bus Concept
Description. All RTG power sources supply power to a common bus; all loads draw
power from this common bus (see Figure 4. 3-3).
4-28
431
RTG #1
RTG #2 I 
RTG #3
Figure 4.3-3. ESingle Bus Concept
Evaluation. This method provides the greatest source/load flexibility. Source fault
protection is easily provided with the use of the isolation diodes shown. Active means
for isolating load faults or limiting their effects is required.
4. 3. 1. 4 Protected Bus Concept
Description. The Protected Bus Concept provides the load flexibility of the Single Bus
concept, and at the same time provides power precedence to critical loads as does the
Priority Bus concept. A device inserted between RTG No. 1 and the junction point of
all RTGs isolates it from the Main Bus in the event of an overload. This device, called
the Current Throttle, is a linear series regulator used in a unique way in that it regu-
lates its input voltage. The input side of the Current Throttle is designated the Pro-
tected Bus (see Figure 4. 3-4). After the current demands of the Protected Bus loads
are satisfied, the Current Throttle allows the remainining RTG No. 1 current de-
veloped at the PB voltage to pass into the Main Bus.
4-29
Figure 4. 3-4. Protected Bus Concept
Evaluation. This power bussing arrangement provides redundant power sources to those
loads required for fault detection and correction. It allows operational flexibility in
that any combination of loads can be applied to the Main Bus as long as the source capa-
bility is not exceeded.
4. 3.1. 5 Selection
A system level trade study of failure detection and correction selected a centralized
scheme which uses the capabilities of CCS and MPS over a dedicated failure equipment
concept. Therefore, power must be provided to these loads during fault conditions.
Of the power busing concepts, the Protected Bus best meets this requirement. The
Fault Detection and Correction (FD&C) loads operate from the Protected Bus which is
insensitive to Main Bus faults. Should a problem develop on the PB, the FD&C loads
transfer to the Main Bus, correct the PB problem, and then return to the PB. The
interfacing of both MB and PB at the loads is described in Section 4. 4. 1. 1. 2.
4-30
4.3. 2 AC - DC POWER DISTRIBUTION
A study was performed to determine the electrical power distribution method for the
Thermoelectric Outer Planet Spacecraft. The study objectives were to provide rela-
tive comparisons of system performance with respect to power, weight, and relia-
bility. Other parameters that were reviewed are thermal control, voltage regulation,
size, producibility, electromagnetic interference, and static switching.
The ac distribution system studied consists of a main inverter in the power subsystem
with a transformer, rectifier, and filter at each load. Two dc distribution systems were
studied. The first contained a dc-to-dc converter at each load, and the second con-
tained a single dc-to-dc converter in the power subsystem that provides all output
voltages required by the spacecraft loads.
The results of this study contained in GE Quarterly Report No. 1J86-TOPS-480 indi-
cate small differences between the three systems. As a result, ac distribution was
designated by JPL as the baseline approach.
4.3.3 GROUND ISOLATION
The main form of power delivered from the Power Subsystem to the spacecraft loads
is in the form of 50 vac rms square-wave power. This power is transformed, recti-
fied, and filtered at the load to provide the required voltages.
The voltage from the source (RTG) is controlled to form a regulated 30 vdc i 1% bus.
There is certain equipment in the TOPS system that can operate directly from the 30
vdc power bus without requiring additional power conversion. The advantages of sup-
plying power in this form to these loads, rather than ac power via the Main Inverter
are as follows:
1. Elimination of conversion inefficiency through inverter and transformer-
rectifier. ( t 87 percent efficient).
4-31
2. Reduction of system weight by elimination of transformer-rectifiers
at the load.
3. Improved transient suppression. (Conducted noise produced by these
loads would be better attenuated because the dc bus dynamic impedance
is lower than that of the ac bus. )
4. Better voltage regulation at the load. The dc bus has ± 1% regulation.
+3%The ac bus has 4% regulation.
To take advantage of these reasons, a grounding scheme must be established and im-
plemented within the user subsystem.
Since these dc loads are powered from the dc Power Bus, they will be referenced to
Power Ground in the PCE. However, most of these dc loads are controlled by cir-
cuitry whose reference is chassis ground via a ground tree. Figure 4. 3-5 presents a
representative scheme for interfacing these two loads while maintaining ground iso-
lation. The control signal from the ac load is transmitted to the dc load via an optical
coupler which consists of a light emitting diode and a photo detector.
Candidate loads for the dc Power Bus are:
Subsystem Load
RFS S-Band Power Amplifier
RFS X-Band Power Amplifier
A/C Propulsion Thrusters
A/C Gyro 20 Inverter
A/C Reaction Wheel 20 Inverter
A/C Motor Gimbal Actuator
A/C Science Scan Actuator
A/C Feed Actuator
4-32
4-33
00 CQws
'00C)
m:5r_C)s-a) Tocl 0C)Coa: 0Q)Db0
C2'0 Cd40 m5-4 W)
0C)5-4 bli"0k4kbi)-4l
P~4
I.>
 
0
F4uco
11
MGA Pointing Actuator
T/C Temperature Control Heaters
Science IMR Cooler
Maximum loading of the above equipment occurs during TCM burn and requires approx-
imately 150 watts. By supplying dc to these, distribution losses of 22 watts could be
saved.
4.3.4 POWER SWITCHING
4. 3. 4. 1 Requirements
The Power Subsystem supplies regulated power to the user subsystem by way of the
Power Distribution Assembly. This assembly receives commands from both CCS and
CDS via a Remote Decoder Array to open or close power distribution switches. The
power distribution assembly also receives commands from the LVCO within the Power
Conditioning Equipment.
The power switch function is most important because the design of a fault tolerant
power subsystem depends on the ability to remove system faults by opening the
power switches. To ensure power to operate the switches, both the Main Bus and the
Protected Bus will be supplied to the Power Distribution Assembly. Also, redundancy
in the switch breaking operation will be employed to ensure removal of load faults.
There are over 50 load switches needed for the TOPS spacecraft to control operating
modes and provide fault clearing. Fault correction philosophy relies on CCS to detect
fault location and issue corrective commands to open the power switch of the faulted
load. Because this action does take a finite time, all spacecraft subsystems must be
tolerant of temporary power interruption, undervoltage, and/or loss of one particular
load until corrective procedures are performed. Therefore, there is no current limit-
ing or overcurrent trip in the baseline TOPS power switches for load control.
4-34
A/C
Consistent with this philosophy and the preceding requirements, a single failure which
causes resettable turn-on or turn-off of a particular load is acceptable in the power
distribution switch. In the strict sense of no single failure criteria for mission suc-
cess, the loss of control of a single load due to a switch failure is not a critical fail-
ure unless that load is essential to mission success or the load erroneously powered
prevents turning on one or more loads which are essential to the mission. Since the
TOPS power margin is small near the end of the mission, and the long life require-
ment demands maximizing reliability, most switching requirements preclude non-
resettable failure modes.
All power lines distributed from the Power Subsystem will be routed through a switch
in the Power Distribution Assembly with the exception of three major subsystems.
These critical subsystems (CCS, MPS, and Timing Synchronizer) are continuously on
throughout the mission. To avoid lowering the reliability of these functions caused by
inserting a series on/off switch, these units will be hard-wired to the Power Subsys-
tem busses. A current limiter will be placed in series with each subsystem to protect
the power subsystem against severe load faults.
In order to compile requirements for Power Distribution Switches, the requirements
of each spacecraft load were determined. A matrix of loads to be switched, and the
options available for each load have been assembled in Table 4. 3-1. The following is
an explanation of each column in the matrix:
Redundancy - Should the load switch provide redundancy in the make or
break operation or both operations?
Single Failure Shall Allow - If one piece part of the switch fails, is it accept-
able that any of the following would result?
Non-Resetable Turn On - The load is turned ON and cannot be turned
OFF.
Non-Resetable Turn Off - The load is turned OFF and cannot be turned
ON.
4-35/4-36
'tok
?
?
P
k
't
'N
'N
'N
'to
't
k
?
k
P
k
k
k
k
k
't
'A'
'to
'to
/N
't
k
lI
6
I
9
Z
9
g
I
I
I
I
I
I
g
9
I
g
9,
I
I
g,
9
I
I
I
I
9
9
9
Z
I
I
1
slUntmmo3 / b
IX/; 
.,'to '~z.
toe
80 -' 1
'01
-9 '01
6 'LS
1 '911
9 'EC
9 'S9
0 '8
0'S
0 'Z
L 'Z
O 'II
8'1
6 '0
9 'I
6 '91
SL
I'I
I 'I
I 'Z
I '91
91
6 ',
'0
L 'Z
8'1
I '0
O, 0
0'Z
ZZ-11
0'I
I,'9
6 '99
1 '9
9 '1
8 Z
0 '11
6 '9
8 9
/I
/I
'?
'?
?t
i,
I
9
T
I
1
g
I
I
I
I
I
I
I
I
I
I
T
I
I
I
I
I
I
TI
1
I
I
Z
I
1
I
I
Z
I
Z
g
Z
T
T
g
T
I
g
I
9
I
I
I
I.
I
2
2
2
2
Z
Z
/I
I
I .
II
II
II
II
1
3
9.
9
9
9
Z
9
&INO aso 1
TL
2
a
a
a
a
a
aao
Js
aa
aa
aa
a7o
't
'A
,/
/
/
~'/
h/
/'/
h/
h~
,h
',
',
/'I
N/'
N
t/
h
?
/,
/,
/h,
/',
?,
?
'N
N
't'
'to
h
x
;h
zh
xh
xh
't
't
't
'N
'I
k
k
?
h
'I
k
't
't
'A
s/
/
/
/
Is
/
0
0
L
:0
$1
10
/
/
/
/
/
'i
LS
I0
i'
i'
%
I /
I /
)N
)v
0
1LS
[±10
[±10
[±10
[50
1±10
AdO
AdO
lao
adO
afxo
ad1o
.1
1±1
1±10
1,1o
aao
adO
a0o aao
aao
ado
"aao
a0o
aao
aIO
aac
aac
aac
IOC
SaC
.ado
adC
aac
aa(
&ifL5
10'C
ad(
I a
aI±(
a1.
adi
IX]1 ,geI
N
/I
N,
N
NN
N
N
/I
p
/
/I
/I
/I
/I
/
/
p
p
rN
/I
N
N1 
NI
/N
'N
/I
//
/
/
/
/
/
/
p
/I
/I
N
I
/I
tI
/I
'f
'1
/I
I
/I
I't
h't
I't
I't
N
N
n
/I
p
/V
/V
/I
/I
/I
'to
k
?
I/'
I/
'N
I'
I/
I'
P
NI
'N
p
',
'to
'2
'1
/
N/
t'I
'I!
'I'
'I'
'I
'I
NI
N
to
I'
I't
I't
'N
'N
'to
'V
'V
NI
pI
/II
PI/
I
I
/v
/,h,
v
N
N
Np
h
N
',
/,
/I
/I
'I
/I
/I
I
I
/I
h
/I
, 
/.
'.
'?
/,
k
't
'k
to
/,
h
f
/,
N
NI
P
P
P
/N
/V
t
'to
'to
3
3
v
3D0
3V
3V
30
3V
3V
3V
3V
3V
3V
DV
3V
3V
3V
3V
Da
3rDa
D(V
DV
DV
DV
DV
Da
3Vj(I
DV
DV
3V
DV
DV
Da
Da
3V3cr
3(0
DV
DV
DV
DV
DV
3V
3V
3V
30(
3V
3V
3V
3V
3V
08
088
V08 '
1
VII
VTI
h-1I
VI9
SV9
08
Z61
t8v
S9
99
96
ZZ
_P
o80
9G
68
Z89
V09'I
9Z
,8
I'S99
S99
811
99
08I
ZTI
Z0Z
0L6
b'Z
V9I-
V91 '
9JI
09
19
b99
S91
991
6£1
pt
?
I
Ip /
/,
/'
N
N
N
N
N
t"I
p
to
to
P
/,
/V
/V
(V
'N
P
'N
/I
Pt
Pt
'/
k
k
/N
I/I
I/o
'Io
?
?
k
'to
k
h
P·
I/
I
Ip
k
'to
',to
'to
'N
'N
'N/
'to
'N"
/'/
/'/
/I
/I
/,
/
/
/
/
/,/I
/I
/I
/
/
/
/
/,
'ti
/N
/t
/I
/
/
I
I
I
to
v
v
to
to
to
/N
/I/
/
I
/
/
/
/
/
/
//
/
h
h
h
h
t
,h
I
i
h
y
, /.
to/
I
I
I
I
I
I
I
tI
I
'N
'N
'to
'to
'tI
'to
'to
'to
'to
N
/
/
, -Qb, ·e
g ~ ~ ~ g. "t,~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~t
IeIo _11 0 I,1'B,1 .N! / .
N/ ~// / /o//,/ .o 
MS 2UTIunqS 0111
aoioaq,L juaOnD
a .xlaaUI 0 Z olO
.IqIaXAUI 'U'd
Ja9,XAUI UPaIN
aliuV aMOXr'N A-L
altuV apTlA A-L
a81003 HNI
aoaOauoTpcl a9IdllnlI H-I
aalRTuOOqd A-fl
-laa uoissTulm otPI
adooseaI, ajoqfled patl3qD
aqOJd Vuuscli
(aa pTloaaosV-pTl0oaJOa w
pao pTo1oaoauolmOTl
9uaounxsuI uo!leTPpH paddviL
'aa uoa:IPvH paddsinl
aroaoaa AcWM MUsId
aaaqmoeauScA UunITaH 1o0oaA
aoupln9 qotoaddv
-loa0uo3 duaL,l
ollTp3-l0aUO3 duma,
1Tufl O10UO3 o.1d
'alV 2UllUITod V '90'I
'-I1t 2uBuTOd 'V '90 '[
'1oV poaa
.oala paa,
'4oV u7os aouaots
oiala uoas aouaTS
'1oV qtuTlO .0oloN
;,oala joljdolnV
amnqS uns
iosuaS sndouv3
alv8/saosuaS unm 'bov
slosuoa unS Oasln.3
slaaqtM uoalaov
sUaaqOt uoT3o1a[
iofuoa~oO O°t
.T4H 2Y Jaola9AUI o0.D
sJagsnuqL dO11d
soIuooal9a DV
a8eiols e9ea
jazluolqouxS SlUTmlL
'8 'd '
*S *30 3
lTUln VITL uopl npoli
lUfl lzo0oa(aa p3D
drV lMd puVEf-X
(eqnoL) duiV lmd putU-s
(SS) drv lad puea-s
a9lox1ax pusg-X
.alloga puTe-S
1ufl IO4UO3 Sall
(VN'l) d-eaod SaIl
A311 puurwo03
;apooaa puwrwumoo
pto0I
oaolnoS /o ss'- I qlTM
pumewoo/ uollounI
/ snN q-lS \
lueoaua!nbeao
qIlzMS peoI
:IAOIIV l1its o
| anlip ellhis -punps l
o00
ce
I
L-.
{I
lmd
a
H
B
AMd
[Mdc
:IA
DV
D3/
3D/
DV
3DV
DV
DV
DV
3y
SDD
Sd3
SDD
3V
3V
3¥
3V
SaH
S33 da
sa3
S(I I
sa(I
Sau
sag
said
SIE
sau
SUD
8.11
8.111
SS
I-
0
0
LQ-J
0
aJ
0
L.J
0
i =i
.co 
U _
-1
1 I
-T -T
11
T --
--I -I IT -T ---T ------ -r ---i ---r
L cI I- LI L L II I 1, I-- J- L
I
I
L L- I I
I I I II it I , 1 I
I
I
0
I
Vl
V9
I6
I
-I-
I
I
II
I
I
N
N
N
IV
0
V1
LIS
2
£
E
I O
I
OI'
-1-
I
V
II
II
N
1.
N
N
N
Ov
I
g
N
Ov /,
/,,
N,
1
N
N
N
N
N
N
N
N
1%
tv
p
1
I
N
N
N
N
N
N
(v
/I
p
I
N
N
N
N
1%
P
I
I
I
/I
/I
/I
/I
p,
/I
p
/I
/I
/I
v
v
11
N,
N
N
p P
1
p
1p I/ i
i
i
I
I/
XIlLVIY SINaNkIAI{HISfI : H3DLAS NOMEILfIKII I HaMOc '*-£' WalVL
Resetable Turn On - The load is turned ON but can be commanded OFF.
Resetable Turn Off - The load is turned OFF but can be commanded ON.
Loss Of Turn On - The load cannot be commanded ON after the failure.
Loss Of Turn Off - The load cannot be commanded OFF after the
failure.
Load/Switch Requirement
Make Current - This is 120% of the load steady state current.
Break Current - The maximum fault current to the load.
Current Trip/Limit Point - Shall the load be current tripped or limited?
If so, at what value ?
DC or AC - The type of power being supplied to the load.
Switch Must Function With the Loss of:
Main Bus Power - If the main bus is lost, the switch must operate
from the protected bus.
Protected Bus Power - If the protected bus is lost, the switch must operate
from the main bus.
Both Busses Simultaneously - If power is lost from both busses, the switch
must provide energy for one operation (either open
or close operation).
Command Source
CCS On & Off
Cmd Decoder On &
LVCO
OWN CONTROL
Level of Redundancy
On Protected Bus
Load Power
- What controls the load switch?
- CCS provides an on and off command.
Off - Cmd Decoder provides an on and off command.
- The LVCO (failure detector in the PCE) provides an
on or off command.
- The switch has its own control circuit for changing
state.
- The quantity of identical loads each of which will be
provided with a power distribution switch.
- Does the load receive power from the Protected Bus
as well as the Main Bus?
- The power required at the load power supply (T/R).
4-39
Energy storage at the higher voltage is more economical than both the previous methods,
and cost an equivalent of about 1 watt (combining power and weight).
The level and type of redundancy at the load is unknown at this time. Consequently,
both energy storage techniques could considerably increase in size and weight, as the
circuitry might be repeated the same number of times the load is redundant.
SUMMARY
Three circuit configurations were synthesized and investigated that would ensure unin-
terrupted power to critical Protected Bus loads in the event of a short of the Current
Throttle followed by a Main Bus load fault.
The configurations considered were:
1. An increase in the voltage drop across an unfailed Current Throttle to permit
detection and transfer (Raising the dc Protected Bus voltage).
2. Shunt voltage capacitive energy storage at the operating voltage for critical
loads.
3. High voltage capacitive energy storage with series voltage regulation to
critical loads.
The salient characteristics of these configurations are tabulated in Table 4.4-8.
4.4.2.1.6 Recommendations
Configuration 1, which increases the Protected Bus voltage was selected for the follow-
ing reasons:
1. The equivalent power penalty is less than configuration 2. Configuration 3
appears to have the smallest penalty, but if the loads are redundant, the pen-
alty is doubled, and if double redundant, the penalty is three times that shown
in Table 4.4-8.
4-40
Switch Type
An analysis of Table 4. 3-1 showed that the power switch requirements could be sum-
marized into four basic switch types for spacecraft loads and four switch types for the
inverters of the PCE. These are shown in Table 4. 3-2.
TABLE 4.3-2. POWER SWITCH REQUIREMENTS SUMMARY
Switch
Redundancy
0)
X
X
X
X
X
X
X
X
X
X
X
X
X
X
"orIt:$
g;; 3UEd a h
U Uo~~~~~~ ~a 
X
X
X
X
X
X
X
X
b0
d)
U
Power Bus Failure
Tolerance
0) 
$4 0
¢o
k110
,~l4 mO
& .,- 0
sH E m
0)
U2
M
0)
q
Q
3
0
pi
k
4O 0
3" UkW 
S
Cd 
O.( W C
Switch Use
To
970 ma
To
1. 5A
To
2. 7A
To
500 ma
To 10 A
make
34A
break
To 2.5A
make
11A
break
To 5. 5A
make
20. 5A
break
To 1. 5A
make
6. 6A
break
Spacecraft Load
Spacecraft Load
Spacecraft Load
Spacecraft Load
Main Inverter Input
Protected Bus
Inverter Input
Main Inverter Output
Protected Bus
Inverter
X
X
X
X
4-41
6ZC
.0
1
2
3
4
5
6
7
8
X
X
X
X
Two special purpose switches to be used for power subsystem functions are described
as follows:
1. Switch 9 - Current Throttle Steering
This device detects a failure of a Current Throttle and switches in a standby
Current Throttle. The Steering Switch senses its own input voltage. If this
voltage goes out of band low or high, the switch changes state and diverts
the RTG power from the first Current Throttle to the second.
Capability to command the switch to either position by CCS will be provided.
No single failure shall cause repetitive erroneous switching.
Overvoltage Trip Point
When the input bus voltage exceeds 34.0 ± 0. 3 vdc for 1 to 5 milliseconds,
the Steering Switch will change the RTG power path from Current Throttle
No. 1 to No. 2.
Undervoltage Trip Point
When the input voltage reduces below 32. 8 ± 0. 3 vdc for 1 to 5 milli-
seconds, the Steering Switch.will change the RTG power path from Cur-
rent Throttle No. 1 to No. 2.
Switch Current
This switch shall be capable of making 5 amperes dc and breaking 11
amperes dc.
2. Switch 10 - RTG Shunting
After the RTGs are installed in the spacecraft, a positive means must be
provided to remove power from the system in the event of a test anomaly.
To introduce a series switch between the RTG and the PCE would reduce
the probability of mission success due to the potential switch failures open.
If the switch was designed to be removed before flight, this removal would
have to be performed before fairing installation, thus the Power Subsystem
could not be turned off after this point. Also, a switch that would open cir-
cuit the RTG could cause damage from RTG internal heating. A shunting
switch permits the RTG input voltage at the PCE to be reduced to approxi-
mately zero by shorting the RTG power input to the RTG power return.
4-42
Switch Control
The shunting switch will be commanded thru the umbilical by the ground
support equipment only. The switch will remain closed only during the
presence of a "close command" from ground support. If the switch does not
receive a command, it will revert to the open state.
Switch Current
The switch must make and break 11 amperes dc.
Switch Power
The power required to close the switch will be supplied by the O. S.E. com-
mand. The switch shall not consume power in the open state.
Failure Criteria
No single failure shall cause the switch to close.
In addition to the above requirements, switches No. 5 through 9 must provide a
digital status indication for the spacecraft State Vector.
Some major equipments are powered on during the entire mission and have
internal self switched redundancy. Therefore, a power switch is not required
for this equipment. However, degraded mission operations can be accomplished
should these units fail. A current limiter is required to protect the power sub-
system from short circuit failures of these units.
Current Limiter
Three spacecraft loads will not be provided with power distribution switches.
Instead, the Power Distribution Assembly will provide current limiting to
this equipment to protect the system from a potential overload. The limit
will be set at twice the maximum steady state current requirement.
Load Limit Point
CCS 1.80 A +20% -0%
MPS 880 mA++20% -0%
TSS 80 mA +50% -0%
Efficiency Greater than 90%
Reliability 0. 973 for 105 hours
4-43
4.3.4.2 Hardware Studies
The following is a description of the circuitry which was designed, breadboarded,
and tested to determine its ability to meet the preceding requirements. Test results
are detailed in Section 5.
4.3.4.2.1 Load Switches
Three approaches were taken to develop an acceptable load switch for TOPS. The
first approach employed relays, the second used magnetics, and the third was com-
pletely solid state.
4.3.4.2.1.1 Relay Switch. The design shown (see Figure 4.3-6) uses two relays
with the contacts 'quaded" in the load path. This permits turn-on and turn-off
of the load by either relay so long as the other relay has a closed path.
The other set of contacts in the relay is used to determine the position of each relay.
This eliminates additional parts for sensing and gating the commands to the proper
relay driver. The switch command signal is capacitively coupled to isolate short
circuit failures.
A self-latching, time delay circuit applies the on and off commands from CCS to the
second switch (S2). The circuit prevents activating the S2 driver, during the duration
of the CCS command, to allow S1 sufficient time to transfer, then applies the com-
mand, for duration of an RC timer, to S2. Thus, one command input from CCS always
produces the correct response.
A short in any transistor can produce a turn-on or-turn-off, depending on which
transistor failed and the state of both relays. Such a single failure can affect only
one relay, and the other will correctly execute CCS commands. This is also true of
failures open, which only prevents operation of one relay when commanded.
4-44
S1
FROM
POWER
SOURCE IA
I
S2
[Y--~ TO LOAD
I
IA
I
SWITCH
COMMANDS
Figure 4.3-6. Power Distribution Switch
Because of the large number of low power loads on TOPS, extensive use of subminia-
ture relays, such as TO-5 types, would provide highly efficient distribution and
control at a size and weight competitive with other switch designs. The control cir-
cuit can also drive a 1/2 crystal can relay, hence, it is applicable to most (>90 per-
cent) switch applications. This approach was chosen to maximize benefits from thick
film or other miniaturization packaging techniques for the driver.
4.3.4.2.1.2 Magnetic Switch. The magnetic switch (see Figure 4.3-7) consists of
two saturable reactors with a common control winding and appropriate electronics to
switch the control current. The command/control electronics are '"transformer"
isolated from the AC. The reactors block voltage, keeping the load off, unless the
current is applied to the control winding, then the reactors are saturated and pass
the load current. The control winding current is applied by a quad switch and current
limiting resistor from the 30 volt DC bus. A quad command receiver provides the
4-45
I
I
O0
X
 4 6 3R I0
*
~
~
~
~
Cd
9b Cd ._eToo.HToaCOsos
G
 Etr
.
~
~x
 
I 
g ! 
o
 
+
4-46
+
base drive to the control transistor switch. Each command receiver is controlled
by a latch-up which keeps the command receiver on when an ON command has been
issued. The OFF command resets the latch-up allowing the command receiver to
turn off.
The arrangement of quads and independent command receiving provides control
electronics which is unaffected by any single piece part failure. An open of the
limiting resistor or any winding of the mag amp will, of course, produce a perma-
nently off switch. Because the parts which can cause failure of the whole switch
are few, and rather reliable compared to a relay, this switch is considerably more
reliable than the relay switch.
This switch is considerably less efficient than a relay. At best, it was 92 percent
efficient. The switch also passes about 15 milliamps to the load when the switch is
off, or about 0.75 watt per "off" load, which detracts from the overall power sub-
system efficiency.
These factors (efficiency, off-current) can be improved, by adding size and weight.
More iron, more turns of larger wire, and a higher control to gate ratio (also more
wire) will improve the magnetic switch loss characteristics.
4.3.4.2.1.3 Transistor Switch. The transistor AC switch (see Figure 4.3-8) is
almost identical to the magnetic switch just described. The difference is that the
saturable reactors have been replaced by a bridge rectifier. Each diode in the
bridge shown on Figure 4.3-8 is quad redundant. In this switch design, no single
piece part failure can cause degradation of performance. As a result, this transistor
switch has the highest reliability of the three types studied.
4-47
One of the characteristics that makes this switch undesirable is that the AC load cur-
rent is passed through the diode rectifier and the transistor switches. The power
lost in this switch is therefore very high. Efficiencies of about 83 percent were
measured in the breadboard developmental tests. This is largely due to the 3 to 4
volt drop in bridge diodes and pass transistors. This poor efficiency can present a
thermal problem in the PCE bay and could necessitate higher structure weight to
provide adequate heat paths if many switches of this type were used. This switch will
also degrade the regulation of the power bus supplied to the loads which causes
additional losses in the load regulators.
The major problem with the transistor switch, aside from its efficiency, is that it
floats on one side of the AC line. The noise generating potential is therefore great.
This connection to the AC means the command inputs and 10 volt supply must be
isolated from DC power return and chassis. Two or more switches cannot share
the same 10 volt source or be in any way common due to coupling between on and off
switches (for a detailed discussion of this problem, see section 5.9.4). This would
require separate 10 volt windings on a transformer or separate transformers, for
each switch, which will reduce the apparent reliability and weight advantages of this
switch.
4.3.4.2.2 AC Magnetic Current Limiter. The AC current limiter (see Figure 4.3-9)
is similar to the AC magnetic switch. The control current in the limiter is derived
from the output, as shown in the schematic, by a full wave rectifier. The saturable
reactors remain saturated unless the current through them (load current) produces
more ampere turns than the control current through the common control winding.
When the control ampere turns are exceeded, the cores become unsaturated, limiting
the current and causing a quasi square wave to be seen by the load. Since the control
current is derived from the output, the power delivered to the load actually decreases
(fold-back characteristic) as load resistance decreases. Because of the nature of the
current limiter however, the peak amplitude of the current increases, so the current
4-48
a 
CdbbO-I
c.F-'Cfl
W
 U
¢ 
l
1 
1I
u
 
Z 
: 
Z
W
 
r
u
4-49
AC TO -
LOAD
AC -
~~~~~TIN CR3
CR1
RE TURN CR4
RCR TR l tCR7
CR6 CR8CR8
Figure 4.3-9. AC Current Limiter Schematic
is not really "limited" to the peak value selected. Peak currents over 5 amperes
were typical for a unit set at a 1.8 ampere limit. The power source (inverter) must
conduct these transients. (For a more detailed discussion of these effects, see Sec-
tion 5.9.5). The limiter introduces voltage drop and biasing losses. The efficiency
of the breadboard unit was 94 percent and produced a voltage drop between source
and load of as much as 1.5 volts rms.
The limiter is reliable, consisting of few and simple parts, but many parts failures
will cause a turn off of the load power. The most unreliable parts are the trans-
formers, hence, it becomes costly to incorporate redundancy. The weight penalty
is high, the 45 watt unit magnetics weigh about 0. 20 pound.
4.3.4.2.3 Inverter Switching
Figure 4.3-10 presents the block diagram of an inverter switching approach. Figure
4.3-11 is a block diagram of a single quad switch. Double break is required of the
switch since many failure modes of an inverter reflect a short circuit. Due to the
long mission time, an inverter failure is rather likely, and since the inverters are
4-50
bDCo
o4E> '-ICOC.
4-51
-
,
0I-H0u
~E"I
cr 
>I 
p
X
 0
,4 
E.
w
u
cpQ 
EI
a3 
U
m
POWER
IN
SWITCH
COMMANDS
POWER
~- OUT
Figure 4.3-11. Quad Relay Switch Block Diagram
so critical, double make is required of the switch to keep the switching from being
considerably less reliable than the inverter. Separate switches are shown for the
input and output of the inverter on Figure 4.3-10. A single switch could control
both the dc input and ac output if a relay which contained four poles rated at the
inverter current levels was approved for TOPS.
The inverter switching command approach is shown on Figure 4.3-12. Only one
inverter is ON at a time. The command to turn ON one inverter turns OFF the
other two inverters.
Energy storage is required to handle inverter switching if the protected bus is lost.
The CCS commands are 15 millisecond pulses, and the switchover control circuit
of the hardware failure detectors also time limits its commands, so the energy
storage can provide power for two switchings.
4-52
oa^
IIA
I
I
Figure 4.3-12. Inverter Switch Commanding Scheme
The entire scheme contains no single piece part failure which will alter the state of
the inverters, or prevent subsequent changes by command or automatic switchover
because of an inverter failure.
4.3. 4.2.4 Hardware Summary
Table 4.3-3 presents a summary of Power Distribution Switch characteristics.
The relay switch has the seemingly very unreliable relay which causes it to have the
lowest calculated reliability. It also has single failure modes which can cause turn-on
or turn-off of the load, but as these failures are resetable, they are acceptable.
The magnetic switch appears more reliable, but it has single failure modes which
cause loss of the load. For general use, it cannot be called superior.
4-53
TABLE 4.3-3. POWER DISTRIBUTION SWITCH SUMMARY
NOTES: i Does not include 10 volt power supply
Includes 10 volt supply
The transistor switch has the highest reliability, but the worst efficiency and greatest
noise generation capability. As such, it is unacceptable as a universal switch.
The relay quad switch has the lowest calculated reliability because four relays are
required in this design. However, this switch has no single failure effects.
There are possible dc magnetic effects from all switches. The relays have permanent
magnets, the magnetic switch has iron cores, and the transistor switch rectifies the
ac for the pass transistors, thereby making a dc loop.
Since the contacts of a magnetic latching relay present a very low series resistance
path, the relay switch provides maximum efficiency with steady state losses being
almost zero.
In general, the limited power margin of the TOPS spacecraft demands the efficiency
of the relay switch.
4-54
C .i E a U 
Relay Design No. 2 5.2
Crystal Can 1.00 0 0 1.00 0.954
TO-4 3.9
Relay Quad
Crystal Can 1.00 0 0 1.00 10 0.946
Magnetic 1.025 0.7 0.6, 1.2 .92 4.0 0.985
Transistor 1.085 1.1 3.3, 3.8 83 3.1 AL -0.993/A
AC Current
Limiter I - 1.0, 1.4 .94 3.4 0.986
4.4 FAULT DETECTION AND CORRECTION
When designing a power subsystem for a ten year mission, it must be assumed that any
circuit or function that can fail, will. Those failures that effect the quality and/or
quantity of power delivered to the spacecraft loads must be autonomously resolved by
the spacecraft itself. Dependence on Earth for assistance is ruled out as irreparable
damage could occur during the time it takes to communicate between Earth and the
spacecraft. So, the Power Subsystem by itself, or in conjunction with other subsystems,
must provide for these emergencies.
4.4.1 LOAD FAILURES
Load failures can be categorized into open circuit and short circuit failures. The
latter will effect the quantity of power available to other spacecraft loads and can ef-
fect the quality by pulling the power bus voltage below regulation. The spacecraft
must be protected against this load failure mode.
Another failure which involves the spacecraft loads and affects the Power Subsystem
performance is improper power management.
To meet the reliability requirements for a ten year mission, most equipment is pro-
vided with standby units. The power required if all equipment was switched on simul-
taneously would far exceed the power source capability. Consequently, the result of
improper power management would overload the power source and cause an undervoltage
condition on the power bus. A method for resolving this failure must also be provided
on the spacecraft.
4. 4. 1. 1 Protected Bus Development
There are many hardware options available to protect the power subsystem from load
faults. The obvious ones are fuses and current limiters. Also, since each load is
connected to the power bus via a switch in the PCE, a device may be used which mea-
sures load current and trips the load switch off when a limit is exceeded.
4-55
Each of these options adds equipment in series with the power source and the load.
This equipment like the rest of the spacecraft gear can not insure one hundred per-
cent success. Therefore, it reduces the probability of success of each load.
Additional disadvantages such as the inability to test (trip point of the actual fuse em-
ployed); low efficiency (approximately 90 percent for current limiter); high peak cur-
rents when limiting (current limiter); and premature nuisance trips (current trip
circuits) contributed to the investigation of other methods for load fault protection.
Also, incorporation of fault protection such as mentioned above, does not alleviate
an undervoltage problem caused by improper power management. This condition is
not caused by load fault, but by too many loads on at any one time.
A centralized fault detection and correction scheme was developed which uses the
capabilities of two major spacecraft subsystems.
The Measurement Processor Subsystem (MPS) can determine an out of limit condition
by comparing collected data from the spacecraft with stored/reprogrammable param-
eters. It then informs the Control Computer Subsystem (CCS) of the problem and CCS
determines, through stored programs, the corrective action.
The requirement on the Power Subsystem is, then, to provide operating power tothe
CCS and MPS for all types of electrical failures including those which overload the
main power bus.
The concept of a "Protected Bus, " insensitive to Main Bus faults, was developed to
meet this requirement.
The loads on the Protected Bus are basically those required to restore a faulted Main
Bus. These loads and their functions related to Fault Detection and Correction (FD&C)
are described in order to appreciate the method in which Spacecraft and Power Sub-
system faults are handled.
4-56
The Measurement Processor Subsystem (MPS) receives data from all spacecraft telem-
etry sensors and compares this data to stored limits. An out-of-limit condition results
in the MPS sending an alert to the Control Computer Subsystem (CCS). If the problem
is diagnosed as a load failure, CCS sends a series of commands to the Power Subsystem
Remote Decoder Array. The output of the RDA is a pulse to a Power Distribution
Switch to turn off the failed load; if there is a standby unit, another pulse to another
switch to turn on the standby. In order to synchronize all data and command trans-
mission within the spacecraft, timing pulses are required from the Timing Syncronizer.
To summarize the Fault Detection and Correction loads on the Protected Bus, there
are the MPS, CCS, Timing Syncronizer, and (internal to the Power Subsystem) the
Remote Decoder and Power Distribution Switches.
The Protected Bus is generated by the addition of a Current Throttle between one
Radioisotope Thermoelectric Generator (RTG) and the summing point of all the RTGs.
The Current Throttle prevents excessive current from being drawn from the RTG as
this would lower the RTG terminal voltage below the regulation point. The Current
Throttle is simply a series regulator that regulates its input instead of its output
voltage. During normal operation, the pass transistor in the Current Throttle is in
or near saturation. If an overload were to occur, the pass transistor collector-
emitter voltage is increased in order to maintain the current throttle input voltage.
Therefore, the line between the RTG and the Current Throttle is designated the
Protected Bus. The Protected Bus powers those loads associated with Fault Detec-
tion and Correction (FD&C). The Main Bus is distributed to the remaining loads and
also is OR'd with the Protected Bus at each FD&C load. This enables FD&C loads to
operate from the Main Bus to clear faults on the Protected Bus. A method for linking
the two buses at the loads is covered in Section 4. 4. 1. 1. 2.
In addition to the Power Distribution Switches and the Remote Decoder directly associ-
ated with fault detection and correction, other circuits in the PCE receive power from
the Protected Bus. The Current Throttle and Current Throttle Steering Switch which
4-57
produce the Protected Bus are powered by it such that control is maintained in the
event of a Main Bus fault. The primary source of power for the Main Bus Inverter
oscillator and switching circuits is the dc Main Bus. If this bus voltage is reduced
due to an external load fault, these inverter circuits could fail. Thus a load failure
would propagate the failure of the Main Inverter. The Protected Bus is OR'd to these
circuits to prevent the undervoltage condition.
The Protected Bus Inverter which supplies the external FD&C loads obtains power for
the oscillator and switching circuits from the dc Protected Bus. The Protected Bus
Inverter is protected from externally produced failures by OR'ing the dc Main Bus with
the dc Protected Bus in the same fashion as the Main Bus Inverter.
Inverter Failure Detectors and Inverter Switches are required to operate during under-
voltage conditions. To accomplish this, all failure detection circuits operate from
both the Main and Protected Buses.
4. 4. 1. 1. 1 Protected Bus Voltage Range Evolution
As the Power Subsystem design progressed through the study period, the voltage range
of the dc Protected Bus went through three iterations.
The first was developed using the results of Current Throttle breadboard tests and
minimum/maximum conditions of the regulated Main Bus.
The second resulted in a reduction of the Protected Bus voltage range, hence an im-
provement in regulation.
The third and final iteration shifted the voltage range upward in order to detect a Cur-
rent Throttle short circuit. (See Section 4. 4. 2. 1. )
4-58
4.4. 1. 1. 1. 1 First Protected Bus Voltage Range. In the early stages of Protected Bus
development, the Current Throttle function was configured as shown in Figure 4.4-1.
The Main Bus voltage is controlled by the Shunt Regulator to 30 -0. 3 vdc.
To determine the Protected Bus voltage range, the minimum and maximum voltage
drops across the Current Throttle and the Isolation Diode had to be determined. From
vendor data on power diodes, it was found that a 9 ampere diode had a low of 0. 5 V
and a high of 1.0 V drop for a current excursion of 0 to 5 amperes. Preliminary test
results on the Current Throttle indicated that a low of 0.6 V and a high of 1. 3 V drop
could be expected. In Figure 4.4-2 adding all the lows, the minimum Protected Bus
voltage was 30. 8 vdc and summing the highs was 32. 6 vdc.
Referring to Figure 4. 4-3, the normal operating range is between 30. 8 and 32. 6 vdc.
If the Protected Bus voltage drops below 30. 8, it is assumed there is a fault on the
PROTECTED BUS
BY PASS
l -SWITCH
RTG I CURRENTCI6Rllln *~~~~ ~ TO MAIN BUSJ1 I - ' - 1 THROTTLE
Figure 4.4-1. First Current Throttle Configuration
4-59
c_ -3
PROTECTED BUS
~RTG -1 I CURRENT MAIN
THROTTLE0.5 BUSV
30. 8 L 0 - . 6 V 7t 29. 7 L
Figure 4.4-2. Voltage Drops between Main and Protected Bus
Main Bus. The Current Throttle set point with its voltage band of 600 millivolts
is then below 30. 8 vdc. When the Protected Bus voltage rises above 32.6 vdc, it
indicates an open circuit failure of the Current Throttle.
The Bypass Switch with its voltage band of 600 millivolts, is set above the 32.6 volt
point. Because of uncertainty in the maximum voltage drop of the Current Throttle,
a dead band of 100 millivolts was inserted between the normal operation range and the
Bypass Switch band.
The total excursion of the Protected Bus is between 30.2 and 33.3 vdc which can be
specified as 31. 75 nominal ±1. 55 vdc, or 31. 75 vdc ±4. 9 percent. The Protected Bus
Inverter adds +2, -3 percent to the regulation, so that the Protected Bus regulation to
the loads was +6.9, -7.9 percent.
4. 4. 1. 1. 1. 2 Second Protected Bus Voltage Range. The second configuration of the
Protected Bus/Current Throttle function was changed as shown in Figure 4.4-4.
The differences from the first configuration are the deletion of the Bypass Switch and
the addition of a standby Current Throttle and a Steering Switch. The Steering Switch
is a relay device so it doesn't contribute to voltage drop variation between the P. B.
and M.B.
4-60
33.4
33.2
33.0
32.8
32.6
32.4
32.2'
32.00
0 31.8
31.6
H
o-4 31.40
31.2
U 31.0
H
0 30.8
30.6
30.4
30.2
30.0
e
, 
OVERVOLTAGE CONDITION
(TRIP BYPASS SWITCH)
NORMAL OPERATING RANGE
UNDERVOLTAGE CONDITION
(CURRENT THROTTLE OPERATION BANI)
Figure 4.4-3. First Protected Bus Voltage Band
4-61
I 
I
L
Do C. PROTECTED BUS
MAIN
BUS
STEEI
I SWII
I CONT
L_ _J
POINT
SENSE POINT
Figure 4.4-4. Second Current Throttle Configuration
From actual test data (Ref. Section 5. 1), the Current Throttle voltage drop as a func-
tion of pass current is plotted in Figure 4.4-5. Also plotted is the diode drop. The
sum of the two voltage drops shows that the maximum voltage differential between the
MB and PB will be 2.2 vdc at 250C (As temp increases, this voltage decreases; 2.2
vdc is worst case). Reconstructing the voltage drop diagram in Figure 4.4-6 shows
that the highest normal PB voltage is 32.5 vdc.
If the Current Throttle set point was selected at 32. 5 V, a constant voltage could be
maintained at the input of the Current Throttle/diode combination regardless of the
magnitude of the current through them. The maximum voltage drop across the Cur-
rent Throttle/diode would be:
32.5 - 29.7 = 2.8 vdc
Figure 4.4-7 is a plot of power dissipation in the Current Throttle/diode combination
as a function of current through them to the Main Bus. From this figure, it can be
seen that as much as 3 watts additional power might be lost if the throttle point is at
32.5 V and the Main Bus is low at 29. 7 vdc. If the throttle point is set 600 millivolts
lower (set point voltage band of the Current Throttle) and the Main Bus is low at 29. 7 V,
the additional power loss would be between 0 and 1 watt.
4-62
2.4
2. -
i2.0
1.8 
4 i-CURRENT THROTTLE
1.2
1.0
0. 8
0.2
0[
0.0
o 0.0 I I _ I
> 0 1 2 3 4 5
CURRENT THROUGH THE CURRENT
THROTTLE/DIODE COMBINATION (AMP)
Figure 4.4-5. Current Throttle and Diode Voltage Drop as a Function
of Pass Current
* P.B.
3 2.5 H C_ 0 V 30.3 H
RTG CURRENT ~(1.0 MAIN
#1 I ' I THROTTLE 1 "  BUS
Figure 4.4-6. Voltage Drops between Main and Protected Bus
Figure 4.4-8 presents the present dc Protected Bus voltage band. The Current Throttle
set point is between 32.5 and 31.9 vdc. If the voltage goes out of this band either high
or low, it indicates a failure of the Current Throttle and the Steering Swtich selects the
standby unit. The high and low set point voltage range of the Steering Switch adds
another 600 millivolts on each side of the Current Throttle. As a result, the dc Pro-
tected Bus varies between 31.3 and 33. 1 vdc or nominally 32.2 +0. 9 vdc or 32.2 vdc
±2.8 percent. Adding the Inverter contribution of +2, -3 percent results in an ac Pro-
tected Bus regulation of +4. 8, -5. 8 percent. This represents an improvement of
±2. 1 percent at a sacrifice of 3 watts (max. worst case) additional power lost in the
Current Throttle/diode. Along with this increase in power dissipation in the Power
Subsystem, there is a decrease in power usage in the Protected Bus loads. These
4-63
loads require about 60 watts. If they are considered resistive (digital circuitry is
approximately resistive) the relationship between the voltage supplied and the power
consumed is given by: V2 = RP
To find the effect of a change in voltage on the change in power, the above equation is
differentiated: 2 V = RAP
An equipment designer must design his circuitry to operate at the minimum input volt-
age. The difference between the minimum and nominal voltage represents wasted
power in his equipment. This difference has been decreased as follows:
Previous difference between nominal and minimum voltage = 7. 9 percent
Present difference = 5.8 percent
12
10
8
6
4
z
a
4
z
0
Figure 4.4-7.
CURRENT THROTTLE
SET AT 32.5 VDC
(MAIN BUS AT 29.7 V]
CURRENT THROTTLE
SET AT 31.9 VDC
(MAIN BUS AT 29.7 VDC)
DELTA POWER
LOST (MIN)
DELTA pOWER LOST
(WORST CASE)
POWER LOST DUE TO NORMAL
V-I PRODUCT (FROM FIGURE 4.4-5)
2 -
I I I
0 1 2 3 4 5
CURRENT THROUGH THE CURRENT THROTTLE/DIODE COMBINATION (AMP)
Current Throttle/Diode Power Dissipation as a Function
of Pass Current
4-64
14 r-
I l l
33.:
33.0
STEERING SWITCH
32,8
OVERVOLTAGE TRIP
32.6
32.4
CURRENT THROTTLE
32,2
- OPERATION BAND
32.0
31.8
STEERING SIJITCH
31.6
UNDERVOLTAGE TRIP
31.4
31.2
31.0
Figure 4.4-8. Second Protected Bus Voltage Band
0
0
13
0
E4
0
U,
4-65
Subtracting the two, the AV is found to be 2.1 percent. Inserting this into the above
equation, AP = 4.2 percent. The voltage reduction of 2. 1 percent produces a reduc-
tion in consumed power of 4. 2 percent. 4. 2 percent of 60 watts is 2. 5 watts saved.
This savings just about cancels the additional worst-case power loss in the Current
Throttle/diode and will be a positive gain if the CT/diode dissipation is less than worst
case.
4.4.1. 1.1.3 Third (Present) Protected Bus Voltage Range. The Current Throttle (CT)
which develops the Protected Bus can fail open or short circuit. An open circuit fail-
ure can be immediately detected by the Steering Switch as the Protected Bus voltage
increases due to unloading RTG No. 1. Thus, a standby Current Throttle can be se-
lected to maintain the voltage of the Protected Bus.
A short circuit failure could not be detected until a fault on the Main Bus pulled the
Protected Bus voltage down. Then the Steering Switch sensing circuit would select the
standby Current Throttle.
A failure modes and effects analysis of an undetected short circuited Current Throttle
(Ref. Section 4.4.2. 1) on the spacecraft loads indicated that this was an unacceptable
mode.
Without increasing the design complexity of the Current Throttle, there is a way of
detecting this failure. It requires that the Protected Bus voltage range be shifted up
higher so the voltage drop across the CT is large enough that loss of this drop due to
a short can be detected by the Steering Switch.
In order to do this, the dc Protected Bus voltage must be raised above the maximum
de Main Bus plus the maximum diode drop plus the maximum saturation voltage of the
CT pass transistor, V
ce(Sat)
4-66
Max. de Main Bus = 30.3 vdc
Max. Diode Drop = 1.0 vdc (@ 5 amp)
Max. Vce(Sat) = 1.2 vdc (@ 5 amp)
So the low point of the dc Protected Bus becomes 32. 5 vdc.
The comparison of the second and third voltage band is shown in Figure 4.4-9.
The second regulation is 32. 2 +0. 9 vdc (+2. 8 percent). The third regulation is 33.4
+0. 9 vdc (±2. 7 percent).
This scheme requires the pass transistor in the Current Throttle to operate further in
its linear region in order to keep the dc Protected Bus voltage up.
Increasing the voltage drop across the Current Throttle results in a nominal power
dissipation increase of 2 watts at E.O.M.
4. 4. 1. 1. 2 Protected Bus Utilization
The major subsystems associated with fault detection and correction must be able to
operate from either the Main or the Protected Buses. This enables the use of one bus
to clear faults on the other.
Figure 4.4-10 presents the method devised for the Control Computer Subsystem (CCS).
The CCS is modularized into many processors which are under the control of the Test
And Repair Processors (TARP). The TARP monitors the operation of these units and
controls their replacement when it becomes necessary. The TARP is also protected
from failures by operating three simultaneously in a hybrid, triple modular redundant
configuration with replacement spares. The TARPs operate continuously while the
other processors are sequenced on and off, as required by the computations being
performed.
4-67
33.2
STEERING SWITCH
OVERVOLTAGE TRIP
CURRENT THROTTLE
OPERATION BAND
i
STEERING SWITCH
UNDERVOLTAGE TRIP
34.2
34.0 ZO
2; _
33.8 
33.6 O) 
33.4 Z >
33.2
33.0
32.8 EAi
32.6
32.4
Figure 4.4-9. Comparison of Protected Bus Voltage Ranges for the Second
and Third Configurations
4-68
T
I
33.G
32.8
32.6
32.4
32.2
32.0
31.8
31. 6
0
O
0 i U
C ,
'
wW
31.4
31.2
.-
1
II
LI
0
0
A
34.4
0(4~~~~~>
U
l~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
C
C,.
u
~
~
~
~
~
~
~
~
~
~
bq
o
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
o
.
0
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
0
i" 
8
~
H
 
B
 
a~
~
 
P
0
f: 
9~~~~~~~~~~~~ 
CZ 
In
w
:
E
~
3
4-69
A detailed design of the CCS has not been performed, so it was assumed that each pro-
cessor on/off switch is located up-stream of its transformer/rectifier (T/R). This
will allow the switch to remove a failed processor or its failed T/R from the power bus.
The TARP receives power from both the Main and Protected Buses through separate
transformer rectifiers as shown on Figure 4.4-10. Current limiting is employed at
each T/R to prevent TARP short circuit failures from overloading both power buses
simultaneously.
To provide the other processors with the same power interface as the TARP would re-
quire two T/R's and two power switches per processor. The selected approach makes
use of the decision making capability of the TARP in order to minimize the power con-
version equipment at each processor.
All processors are connected to a common distribution bus in the CCS. This bus is
interfaced to the two power buses through a switch which can be toggled from Pro-
tected to Main Bus.
Switch control is provided by the TARPs which monitor the Protected Bus and Main
Bus voltages. If an undervoltage is detected on the Protected Bus, the TARPs trans-
fer the switch to the Main Bus. When the Protected Bus is restored, the switch is
returned to its initial position.
Because there are fewer loads on the Protected Bus, transients and undervoltage con-
ditions are less probable than on the Main Bus. Therefore, the CCS will operate pri-
marily from the "quiet" Protected Bus, and use the Main Bus as a back-up.
This same power bus selected scheme can be extended to include the Measurement
Processor and Timing Synchronizer Subsystems. A switch in each subsystem con-
trolled by the TARPs in the CCS would provide this service.
4-70
4.4.1.2 CCS Support for Correcting Load Failures
Voltage and current monitors within the Power Subsystem provide information of op-
erating conditions to the CCS via the Measurement Processor Subsystem (MPS).
Current monitors on the Main Bus will permit CCS to diagnose excess current drains
to the spacecraft loads. A change in one of these sensors without an accompanying
on/off command indicates a problem. CCS will remove each load from the affected
bus in a planned sequence. At the same time, CCS will search its memory for the
"rated power" of the loads remaining and compare this to the "actual power" as deter-
mined by the Power Subsystem monitors. When the two are equal, the unit removed
prior to this is the faulty one. A decision program for this overcurrent condition is
shown in Figure 4.4-11.
If the current drain to a faulty load is of sufficient magnitude to cause a decrease in
the Main Bus voltage, a different more drastic procedure must be followed. First,
the voltage must be restored to specification so that good equipment is not damaged
by the undervoltage. Then the faulty load must be isolated.
One concept for accomplishing this is for CCS to turn off all the loads and turn on the
standby units for those functions which are critical for spacecraft survival. Now the
problem remains to determine which load has failed so that the good units that were
turned off may be put back into service. A procedure similar to the overcurrent pro-
gram might be implemented. In a predetermined sequence, each load would be turned
back on and CCS would compare the "actual power" consumed to the "rated power" of
each device.
Another means of finding the faulted load would use a binary turn-on sequence. Half
the loads that were on at the time of the undervoltage would be turned back on (Step 1
of Figure 4.4-12). If the "actual power" equals the "rated power", these loads are
good and the faulty device is somewhere in the other half. Next, half of those
4-71
C) b)
C; 2
.
.P
,r-I
w
C) .4 l djaQbD.-
za
Z
Q
'I
-S
 
c4
4-72
FAILED UNIT
64 LOADS ON AT TIME OF FAILURE.
Figure 4.4-12. Fault Isolation Diagram Binary Turn On Scheme
remaining are turned on (Step 2). Again the actual and rated power comparison is
made. Assuming the fault is not here, half of the remaining are turned on (Step 3).
This procedure is repeated until the problem is isolated to one failed unit. If sixty
four loads were on initially, the faulty one could be identified in a maximum of six
steps. Selection of a specific scheme for handling an undervoltage problem by CCS
has not been made at this time.
4.4.1. 3 Low Voltage Cut Off (LVCO)
4.4.1. 3.1 Introduction
The Power Subsystem is primarily dependent on the CCS and MPS for load fault detec-
tion and correction. However, a back-up function will be implemented within the PCE,
to protect against catastrophic failures which would result in loss of the spacecraft
power.
4-73
These failures, which can be postulated, all have a common element, which is the loss
of CCS fault correction capability. Since CCS is reprogrammable from the ground, it
is possible that inadvertent software program changes can be executed which negate
fault correction capability. Another possibility for not having CCS fault removal oper-
ations is that all power failure modes are not properly identified and therefore, the
CCS software is inadequate. Also, failure of MPS to alert and inform CCS of a fault
condition will have the same result as those conditions previously mentioned.
Loss of CCS fault detection and correction does not constitute a catastrophic failure,
but faults occuring after this could. Such problems as a power overload caused by a
failed spacecraft load, or by loss of CCS power management capability would be cata-
strophic. Also the following failures within the. power subsystem would be catastrophic:
1. The remote decoder turns on a group of loads causing a bus undervoltage.
2. A power distribution switch turns on a load causing a bus undervoltage.
3. An RTG failure reduces available power and results in a bus undervoltage.
The LVCO will provide a hardware back-up to CCS and protect against these failure
modes.
4.4.1.3.2 Operation
A Low Voltage Cut Off circuit will sense the output of the Main Bus Inverter. If an
undervoltage condition appears, the LVCO will immediately send an interrupt signal
to CCS. The interrupt signal informs CCS that the Power Subsystem intends to change
the state of the spacecraft loads within a fixed time unless stopped by either correction
of the system load fault (returning the bus voltage to specification), or inhibit command
from the CCS. When CCS receives the interrupt signal, it will interrogate independent
voltage monitors on the Main Bus. This enables CCS to distinguish between real bus
problems and a failure of the LVCO circuit. If the voltage monitors do not indicate a
4-74
bus undervoltage, CCS stops the LVCO action with an inhibit command. Assuming there
is a fault condition, the LVCO waits a predetermined time to allow CCS to clear the
fault. After this time expires, and the fault still exists, the LVCO will remove all non-
critical loads.
(Because of the quantity of noncritical loads, it is most probable that a bus undervoltage
is caused by a fault in one of these loads. The problem might have been caused by a
power distribution switch or remote decoder failure which turned on loads. These
problems would also be resolved by this action. )
If the Main Bus voltage does not return to specification within a preselected time, the
LVCO will transfer all critical loads (those loads required for establishing a command
up-link to receive ground commands) to their standby units. At this point, all loads
that were on at the time of the undervoltage failure have been turned off. A timing
diagram of these events is shown in Figure 4.4-13.
T O - T 1
T - T
T 2 - T 3
0 i
1 mS+ 0.5 mS
100 mS + 10. 0 mS
25 mS+ 2.5 mS
3
LOW
VOLTAGE
CONDITION
LVCO
INTERRUPT
TO CCS
TURN OFF
NONCRITICAL
LOADS
SWITCH
CRITCAL
LOADS TO
STANDBY
Figure 4.4-13. LVCO Timing Diagram
4-75
I~~~~~~~.- - . m . . ~--
The decision making process of the LVCO and the CCS is shown on Figure 4.4-14. The
critical loads have been defined as those required by the spacecraft to respond to ground
commands and consist of:
1. Attitude control subsystem cruise mode loads made up of:
a. Sun Sensors
b. Canopus Sensor
c. Attitude Control Electronics
d. Gyros and Electronics (only powered if A/C requires them)
e. Reaction Wheels
f. Attitude Propulsion Subsystem
2. Radio frequency subsystem units required to establish the uplink which con-
sists of:
a. Pre-amplifier
b. Command receiver
c. Control unit
3. Command Decoder
4. Command Detector section of the Modulation/Demodulation Subsystem.
5. Thermal Control Heaters
4.4.1.3.3 Failure Modes and Effects
The intent of the LVCO is that it be a simple hardware back-up to the CCS fault correc-
tion capability. As such, the design has single failure modes that perturb the space-
craft. These failures, their probability of occurrence, and impact on the spacecraft
are discussed in detail in Section 5.10.3.1. They are summarized as follows:
1. The CCS interrupt signal is issued without a bus voltage problem.
2. All non-critical loads turn off.
3. All critical loads are switched from main to standby units.
4. One critical load is switched from main to standby.
4-76
00L-I
'tcI--
L-
Cdbf)0
0C2-r-4.1,a)Pk
-
-U
0 Zq-J
0UL.
W
 ME)
wW
 
Z
u1'I
LLI
0
-J0LL
'
These failures, through the use of capacitive coupling, are non-repetitive. Their ef-
fects on the spacecraft can be over-ridden by CCS commands.
4.4.1.4 Impact of a Reduced Capability CCS on the TOPS Power Subsystem
The TOPS baseline spacecraft contains a Self Test And Repair (STAR) Control Computer
Subsystem (CCS). Since this concept is an advancement in the state-of-the-art for
spacecraft computers, the effects on the Power Subsystem of not having this machine
developed were investigated.
The TOPS CCS performs many service operations for the Power Subsystem. If a de-
graded spacecraft configuration minus a TOPS CCS is to be defined, a review of these
operations and methods of how they might otherwise be performed is required.
Before proceeding, it is proper to define the assumptions made concerning the Reduced
Capability CCS. First, no fault detection and correction capability exists for either
Power Subsystem or spacecraft load faults. Second, power management can be per-
formed, but there is a possibility of overloading the power bus due to single failures
(either hardware or software programming failures). Third, unless failure detectors
are incorporated, a fault condition could exist for an extended period before being de-
tected (up to a week). Fourth, as the computer cannot correct faults, its relative im-
portance to mission success is decreased to where the Command Decoder and the Com-
puter are of about equal importance (this effects power distribution philosophy).
A discussion of those operations presently performed for the power subsystem by CCS,
and how they might be handled in the Reduced Capability CCS spacecraft, follows.
4.4.1.4.1 Load Failure
Load faults are divided into two categories, those that draw excess current but not
enough to pull the Main Bus out of regulation; and those that draw excess current and
4-79
cause an undervoltage condition. Two computer programs have been identified to clear
these problems: overcurrent routine and undervoltage routine.
How can these problems be handled by Power Subsystem hardware ?
Overcurrent
The options for protecting against overcurrent failures are:
1. Fuse
2. Current Limiter
3. Current Trip
Any one of these devices could be added to the load power distribution lines in the
Power Conditioning Equipment.
A fuse is the simplest, smallest, and least power consumer of the above three. How-
ever, it has the distinct disadvantage of being a 'one-shot' device. The fuse that is to
be flown can't be tested. The best that can be done is to "lot sample" a batch in order
to establish some confidence in the fuse used. Also, the blow characteristics of fuses
are known to change over extended periods of usage due to metal migration phenomenon.
An ac current limiter has the disadvantages of being large and heavy due to the mag-
netics. It limits the RMS current but generally has large current spikes at each half
cycle of the ac wave. Also the efficiency of a current limiter when not limiting is ap-
proximately 90 percent. When the spacecraft encounter loads of 450 watts are on, the
loss in the current limiters would be 50 watts.
Each power line from the PCE is supplied with a power distribution switch. An over-
current trip generator was developed during this study which measures the current
4-80
through the power distribution switch to the S/C load. When the current exceeds a pre-
set limit, the overcurrent trip generator initiates an OFF command to its respective
load switch.
The advantages of this Overcurrent Trip are:
1. The device is not a 'one shot' device as is the fuse. It can be tested to deter-
mine proper operation and trip current level. It is reset by removal of the
overcurrent condition.
2. The device is equipped with a command override capability in the event it
would fail and turn off a load inadvertently.
3. Standby power required is approximately 5 milliwatts.
4. The magnetics is much smaller than the current limiter magnetics because
it is only sampling the load current where as the current limiter is passing
the load current.
5. The reliability compares favorably with that of a fuse.
The overcurrent trip generator appears to be the best choice at this time to protect
against overcurrent load faults.
4.4.1.4.2 Undervoltage
Undervoltage caused by failed spacecraft loads should not occur because of the over-
current trip mentioned above. However, there are other anomalies that might result
in an undervoltage condition.
4.4.1.4.2. 1 Improper Power Management. The reduced capability CCS will be able
to provide power management services to the Power Subsystem. However, inadvertent
changes to the power management software program could result in turning on loads
without the proper power margin available thus resulting in an undervoltage condition.
4-81
4.4.1.4.2.2 Power Distribution Switch Failure. Single failure modes exist in the
power distribution switches which could cause uncommanded turn-on of a spacecraft
load. If the spacecraft was in a peak power mode and a large load (like a TWT) were
to accidentally come on, an undervoltage would exist.
4.4.1.4.2o 3 RTG Failures. The output power of an RTG can be reduced or com-
pletely lost due to internal failures. Consequently, there might have been enough
power to satisfy the spacecraft loads when they were initially turned on, but now,
after an RTG failure, an undervoltage exists.
How is the power bus voltage restored ? CCS does not have fault detection and correc-
tion capability, so another method must be used. There are two major reasons why
this problem can't be corrected from the ground. First, the ground station can not
communicate as the command receiver and decoder probably will not work with a low
power bus voltage. Second, the time between the failure occurring and being detected
on the ground might be as long as a week. Some equipment would be permanently
damaged within a few seconds after an undervoltage. Therefore, an undervoltage de-
tector must be included in the Power Subsystem.
The undervoltage detector would sense an undervoltage condition and would remove all
except critical loads from the power bus. The critical loads are listed in Table 4.4-1.
With a Main Bus Inverter efficiency of 92 percent, 140 watts of power is required from
the RTGs to satisfy the 128. 6 watt critical load demand. Reducing the spacecraft load
to 140 watts will definitely return the bus voltage to specification if the problem was
caused by one of the previously mentioned anomalies. Ground commands would then
be required to reinitialize the spacecraft equipment that was turned off.
4.4.1.4.3 Undervoltage Detector
The Undervoltage Detector must be a device which is extremely reliable and does not
have failure modes which cannot be corrected by ground command.
4-82
TABLE 4.4-1. CRITICAL SPACECRAFT LOADS
*Representative numbers
Figure 4.4-15 shows a candidate configuration for which the reliability has been com-
puted. The voltage sensing is majority-voted to operate a quad redundant switch which
opens the power line to the non-critical loads.
Table 4. 4-2 compares the reliability of 2 of 3 with the 3 of 5 majority vote.
TABLE 4.4-2. UNDERVOLTAGE DETECTOR RELIABILITY
Because of relay failure rates used in the calculations, the overall reliability is low.
However, as the voltage detector is majority voted and the switch is quad redundant,
there is no single piece part failure which prohibits operation.
4-83
Command Decoder
Command Receiver
RFS Preamplifier (LNA)
RFS Control Unit
Command Detector
AC Electronics
Reaction Wheels
Cruise Sun Sensor
Canopus Sensor
Critical Temperature Control
CCS
MPS
Timing Sync
5.8 w*
6.9 w*
2.3 w*
2.8 w*
6.4 w*
10. 1 w*
12.2 w*
2.7 w*
6.5 w*
15.0 w*
45.0 w*
10.9 w*
2.0 w*
128.6 w*
LOAD
SWIT HES
./^-4
r- -- - - --- I
POWER BUS
lI
I
I VOLTAGE k
I SENSE
r nI VOLTAGE
I SENSE F
L __ __ I
- __-1
Figure 4.4-15. Undervoltage Detector
4-84
I
MAJORITY
VOTING
CIRCUIT
-=
I
>_(gA
I
I
I
I 
L _. ]1~ ~ J
As can be seen in Table 4.4-2, the change in overall reliability is not significantly im-
proved by using a 3 of 5 voting scheme so the 2 of 3 majority vote approach is recom-
mended.
4. 4. 1. 4.4 Protected Bus Discussion
The Protected Bus was developed for the TOPS CCS spacecraft to supply power to those
loads involved with fault detection and correction. They are:
CCS
MPS
TIMING SYNC
REMOTE DECODER ARRAYS
PCE POWER DISTRIBUTION SWTICHES
The protected bus also provides drive to the Main Inverter to protect it from damage
due to a short circuit on the output.
In the Reduced Capability CCS design, all fault detection and correction is performed
in the Power Subsystem by the inverter failure detector, undervoltage detector, and
for load faults by the power distribution/overcurrent trip combination.
Since the power required from a protected bus for these functions will be less than the
60 watts required by the baseline system, perhaps energy storage might be a better
choice than developing a protected bus.
Transient analysis shows that the dc bus, which powers all switches and failure de-
tectors, follows the ac bus voltage down with a delay of less than 2 milliseconds when
the ac bus is overloaded. This means that the dc voltage won't be maintained long
enough for the overcurrent trip to open the power distribution switch and remove the
overload. Therefore, energy storage for power distribution switches would be neces-
sary.
4-85
The undervoltage detector and the inverter failure detector would also require energy
storage.
A determination of how this might be implemented and how much capacitance is re-
quired follows.
4. 4. 1. 4.5 Energy Storage for Power Distribution Switches
The largest energy consumer in a switch is the relay itself. If a relay is to be operated
by capacitor discharge, how much capacitance is required? Assume for relay charac-
teristics:
R coil = 600 a
V coil = 22 volts
Operate time = 7 m seconds
Initial voltage on capacitor = 29 V
2229 = 76% discharge a .27 T29
.27 T = 7 m sec
T = 26 m sec
RC = T
26 x 10
- 3
C - 600 43.4 Cf600
CalculatedTolerance Temp CoefficientTolerance + Temp Coefficient
- 43.4/1f = 62 Mf
.7
So a 62 /f capacitor would be adequate. Figure 4.4-16 shows a scheme for the "design
2" relay switch (Reference Section 5. 9. 2) with capacitive operation. The network CR1,
R1, C1 supplies power to half of the power distribution switch (relay K1) and the other
4-86
r-- -
I TO ALL POWER I
I DISTRIBUTION I
I SWITCHES I
L. - - - a1
MAIN
DC BUS
r-- --- - -I TO ALL
I OVERCURRENT I
I TRIPS I
L- - _. ._ J
Figure 4.4-16. Energy Storage Interface to Power Distribution Switches and
Overcurrent Trip
network CR2, R2, C2 operates relay K2. Thus, with any single short circuit failure
of a relay driver (Q1 or Q2) one capacitor network would be charged up to operate one
half of the switch (with a design 2 switch this is all that is required to change the state
of a load).
Both networks are or'ed into the overcurrent trip circuit. No single failure in this
network will result in a low impedance path so the capacitors would not rapidly dis-
charge into a failed overcurrent trip.
Notice that the same two capacitor networks feed all power distribution switches and
trip circuits. How can this be accomplished if there is just enough energy in the
capacitors for one switch ? Looking at Figure 4.4-16 it can be seen that as long as
the main dc bus is in regulation, it will power the switch. It is assumed that the bus
4-87
voltage goes low due to a single load fault. Now the capacitors are needed, but be-
cause there is only one load failure, only one power switch/overcurrent trip is re-
quired to clear the fault, restore the main bus voltage, and recharge the capacitors
for the next failure.
To sum up, it takes two diode-resistor-capacitor networks and four isolation diodes to
provide energy storage to all the power distribution switches and overcurrent trips.
4.4.1.4.6 Energy Storage for Undervoltage Detector
From circuit experience on the LVCO, it was determined that a 15 Atf capacitor charged
to 48 vdc is required for each voltage sensing circuit and will provide the power for the
majority vote circuit. A quad relay switch would require four 62 /lf capacitors (one for
each relay). If we have a 2 of 3 vote detector the capacitor requirements are:
Voltage Sensing 3 - 15 pf
Quad Switch 4 - 62 1 lf
4. 4. 1. 4. 7 Energy Storage for Inverter Failure Detector
The ratio measurement failure detector (Reference 4.4.2.2) requires a 20 /f capacitor
per detector. The capacitor interface to the inverter switches is shown in Figure
4. 4-17. Each capacitor must be sized to operate two relays simultaneously.
As the relay coil resistance is half that of the power distribution switch (10 amp relay,
300 C1 coil), the capacitance required for one relay would be twice the size calculated
for the power distribution switch. For two relays, four times the capacitance or:
C1 = C2 = C3 = C4 = 4 x 62 lf = 248 lf is required.
There is a problem with the way the dc input current is being derived in the present
failure detector which might have to be changed. The ac excitation voltage is taken
4-88
4-89
atoO8vlV) op0C .,CY,c)
0i2To 000alTo , 4--'50 140
4t: 
-!X
;
E-4
f,%r-4cli:4
from the output of the Protected Bus inverter. If there is no protected bus inverter,
an exciter will be required for each current sensor. This will require energy storage
but as it has not been designed, the capacitance size remains undetermined.
From design experience, a 20 lf capacitor is needed for each detector circuit.
4.4.1.4.8 Main Inverter
The main inverter design requirements must be revised to be compatible with the fault
correction mechanisms in the power subsystem. With an overcurrent trip on each
load switch, no single failure can cause a short circuit on the output of the inverter.
Therefore, the requirement to survive a short circuit is no longer required. How-
ever, a single failure can cause an overload which depresses the input voltage. This
can be the result of a power management failure which turns on more loads than the
RTGs can support. To determine how low the voltage will fall, a worst case condi-
tion of EOM RTG, maximum load mode (Encounter 450 w) is selected, and assume
the load erroneously turned on is the S-Band TWT (54 w).
Case I-A
1.44 R 1.44S1
R4 RTG
2.OR 16.7
53 V ENCOUNTER TW 53 V 1.79
LOADS LOADS DC Il l
1. 79 x 53V~c =1*79x-3 = 29.4 VDC 3.23
In this case, the input voltage to the inverter would drop to 29.4 vdc and the inverter
must survive and operate in spec when the dc bus is restored.
4-90
Another single failure which the inverter must survive is the loss of an RTG. If an
RTG should fail at EOM while a maximum load mode (encounter) is on, the dc bus
voltage will drop. The inverter must operate in spec after the Undervoltage Detector
has removed enough loads to return the dc bus voltage to spec.
Case II-A
1.92 
R3 RTG
53V V -ASIDC ENCOUNTERI . LOADS
2 x 53
V = 3 92 = 27 vdc
DC 3. 92
The inverter input voltage would drop to 27 vdc.
If these loads were considered constant current rather than resistive devices, a worst
case voltage condition is found.
Case I-B
4-91
450 w
1 30 v
54 w
I2 30 v
IT = I 1 + 2
= 15 AMP
= 1. 8 AMP
= 16.8 AMP
V1 = 53 V - IT R 4 R T G
V = 28.8 vdclii- SBd
Case II-B
1.92 R
53 V
I T = 15A
V1 = 53 - ITR 3RTG
V1 = 24.2 vdc1
From the above calculations, we see that the inverter must survive an undervoltage of
24 vdc. If this requirement is met, there is no need to provide a protected bus to the
switching circuitry.
4.4. .1.4.9 Protected Bus Summary
Discrete application of capacitors for fault detection and correction circuitry within
the Power Subsystem obviates the need for a protected bus.
4-92
V,
To develop a protected bus requires two Current Throttles and a Steering Switch which
consists of 89 piece parts.
A summary of the energy storage technique piece parts required is as follows:
0
Cd145
.z¼!".0~_
_ _ _ _ __ I _r_
Overcurrent Trip 2 2 2
Undervoltage Detector 7 7 7
Inverter Failure Detector 22 22 22
31 31 31
/
A total of 93 piece parts. Although the piece part count is higher, the reliability is
higher because:
1. The failure rates are lower for capacitors than the op-amps required in a
Current Throttle and Steering switch.
2. As the capacitors are dispersed into their respective failure detectors,
capacitor failures in one detector will not effect the operation of other dis-
associated failure detectors.
If all failure detectors were powered from a common protected bus, failures of that
protected bus would affect operation of all detectors.
4.4.1.4.10 Conclusions
A TOPS spacecraft without a TOPS full capability CCS would require fault detection
and correction hardware in the Power Subsystem.
Overcurrent due to load failures will be protected against by use of an overcurrent
trip in conjunction with each Power Distribution Switch in the PCE.
4-93
J
Undervoltage conditions can exist due to incorrect power management or random piece
part failures. To protect against a long duration low voltage, a 2 of 3 majority vote
undervoltage detector will sense the problem and remove loads to restore the main bus
voltage.
A candidate Power Subsystem block diagram for this Reduced Capability CCS space-
craft is shown in Figure 4.4-18.
4.4. 2 POWER SUBSYSTEM FAILURES
Open and short circuit failures within the Power Subsystem can effect the quality and/
or quantity of power delivered to the S/C loads.
Each function of the PCE will be examined to determine that failures can be tolerated
and corrected.
4.4.2.1 Current Throttle Failure Detection
The Current Throttle which develops the Protected Bus is a non-redundant circuit.
Redundancy is provided by using a standby unit which is selected by the Current
Throttle Steering Switch.
From the component failure modes and effects analysis (Reference Section 5.1.3), it
was found that the majority of single piece part failures resulted in either an open
circuit or short circuit of the Current Throttle.
If the Current Throttle fails open, the extra RTG power that was passed into the Main
Bus in order to maintain regulation, nolonger has a path. As a result, the RTG load-
ing decreases which causes operation at a higher voltage point on the V-I curve (see
Figure 4.4-19). The Protected Bus loads are subjected to an overvoltage beyond the
specified design range.
4-94
V) 
c
I AL
I1I) H
Ig 
H
X
I 
0Z
I
4-95
C)
IPa
U) i5 C)C4)mU,U)C) Cp40o P,oCE a)'U 04Comuu0-)~U-ou'U04 'UC-) VP)C)r-lvC) 00PC)
i 
I
60
50
PROTECTED BUS LOADS ONLY
0
'; 40
e PROTECTED BUS & MAIN BUS LOADS
[-~>
30 - REGULATION VOLTAGE
20
0
RTG CHARACTERIBTIC"
10 -/ / / LOAD LINE
0 4 8 12
RTG CURRENT, AMPERES
Figure 4.4-19. Load Impedance Effect on Protected Bus Voltage
If the Current Throttle fails short, nothing happens or can be detected until a fault oc-
curs on the Main Bus. During normal operation, the Current Throttle is effectively a
short circuit since its series pass transistor is near saturation. When a fault occurs
that would lower the Main Bus voltage, this pass transistor comes out of saturation to
maintain its input voltage in regulation. If the Current Throttle fails short, the Pro-
tected Bus voltage follows the Main Bus voltage down. Effectively, the Protected Bus
is no longer "protected" from Main Bus faults.
To obviate these single failures and improve overall reliability, the Current Throttle
Assembly is configured as shown in Figure 4.4-20. There are two Current Throttles,
one main and one standby, and a Steering Switch. The Steering Switch selects a Cur-
rent Throttle path to the Main Bus. The switch can be commanded to either Current
Throttle by CCS. It also has its own control loop which transfers the switch from the
main to the standby Current Throttle. The Steering Switch senses its own input volt-
age. If this voltage goes above the Current Throttle regulation band, (CT open circuit
4-96
-L SWITCH o l rL- ...- J SENSE t I MAIN BUS
POINT
/_ J SENSEEN
POINT TT
POINT
Figure 4.4-20. Current Throttle Assembly
failure), or below the band (CT short circuit failure), the Steering Switch automatically
selects the standby Current Throttle.
Many problems could result from a large PB voltage excursion if it persisted for an
extended period. It takes some time for the Steering Switch to detect and correct a
Current Throttle failure.
To avoid erroneous switch-over due to system transients, a 5 millisecond maximum
delay is provided before excitation of the switching relay. For the relay character-
istics, the specifications of a GE 2 ampere latching relay of the 3 SAM series is used.
Switching time is given as 5 milliseconds maximum which includes 1 millisecond for
contact bounce time. Therefore, it could take as long as 10 milliseconds from the
time a failure is detected until it is corrected.
4-97
The magnitudes of over and undervoltage which could exist during this time were deter-
mined and their effect on those components powered by the Protected Bus was analyzed.
4.4.2. 1. 1 Protected Bus Overvoltage
The magnitude of overvoltage caused by an open circuited Current Throttle can be
determined by examination of the loads remaining on the RTG that powers the Pro-
tected Bus. The block diagram is shown in Figure 4.4-,21.
PROTECTED P
BUS
~~BUS LOADS
INVERTER
FAILED OPEN
CURRENTRTG PROTECTED CURRENT
NO. 1 BUS MAIN BUS
THROTTLE
Figure 4. 4-21. Simplified Block Diagram - Failed Open Current Throttle
The failed Current Throttle is shown as there is a small current path to the Main Bus
through 37 ohms of resistance.
Each block in this diagram must be replaced by an equivalent circuit such that voltage
magnitudes may be calculated.
The Protected Bus Inverter characteristics are defined by test results in Section 5. 5.2.
A simplified model of the inverter is shown in Figure 4.4-22,
From the curve of Power Out vs. Output Voltage in the above referenced test results,
we can calculate the inverter series resistance to be approximately 0. 4 ohms. The
inverter efficiency of about 90 percent is due to the combined losses of the series and
shunt resistance. If the load requires 50 watts, the inverter dissipates 5.5 watts. As
4-98
3.22:5 SERIES RESISTANCE
3.22 AC OUTPDC UT
SHUNT
RESISTANCE
Figure 4.4-22. Simplified Protected Bus Inverter
about one ampere flows in the output, the series resistance dissipates 0.4 watts.
Therefore, the shunt resistance can be found as it dissipates 5. 1 watts at 32.2 volts.
R shunt = (32.2) = 204 ohms5. 1
4.85 n
A simplified model of the RTG is shown as: 54 V
T
The circuit values were determined from the RTG instaneous V-I curves (at beginning
of mission).
The Protected Bus loads are considered resistive and of a magnitude of 50 ohms. Fig-
ure 4.4-23 presents the complete circuit.
V = 11.91 x 3.5 41.6 volts
The dc input voltage to the inverter is 41. 6 volts. The developed ac output is:
5
x 41.6 = 64.5 volts3.22
4-99
r-1- -
4.V85
54V T
r- - - -1
.~
RTG I IFAILED C. T. I
_ _ _ J I _ I
I I IP.B. I
I INVERTER I
L i L _ _j
21C2
--- ~1
.85fi
54VITT 
_ 1
r-- . -I
37 IC{
ov T
I I I
F-- Z
54
4. 85 E 4.85
AMP Pt I
I
I
L__-
I I
.J L 
11.91
AMP
1: 4l
O 3.5f2'
Figure 4.4-23. Protected Bus Equivalent Schematic
4-100
L
I
I
I
19gn
19XF
I
I
I
I
I
I
I
I
Across the load we would have
50
x 64.5 = 64 volts.50.4
Therefore, the dc Protected Bus can rise to 41 volts with a corresponding increase of
the ac voltage across the loads to 64 volts when the Current Throttle fails open circuit.
4.4.2. 1.2 Protected Bus Undervoltage
The magnitude of P. B. undervoltage caused by a short circuited Current Throttle can
be determined from Figure 4.4-24.
RTG
NO. 1
PROTECTED
BUS
POWER
DIODE
-Il
MAIN
BUS
SHORT
CIRCUIT
Figure 4.4-24. Block Diagram - Current Path through a Failed Current Throttle
A short circuit or overload is required on the Main Bus in order to pull down the Pro-
tected Bus. A short circuit resistance of 1 milliohm was assumed.
4-101
FAILED
SHORT
CURRENT
THROTTLE
The equivalent circuit for the above diagram is as shown on Figure 4.4-25.
I
I I
4.85° I
I 54V I
I RTG
L NO. 1 
I SHORT
CURRENT
I THROTTLE I
I I
DIODEV 
I 0.5V l
~_ 1
I
_1__I
__j
Figure 4.4-25. Schematic Diagram - Current Path through a Failed Current Throttle
The short circuit current (I) is found by:
54 - I (4.85 + 0.06 + 0.001) - 0.5 = 0
53.5I 4.911 10.9 amps
Then the Protected Bus voltage (VpB) is:
VpB = 54 - (4.85) (10. 9) = 1.14 volts
Assuming a hard short circuit of the Current Throttle, the dc Protected Bus could go
as low as 1.14 vdc. The Protected Bus could be anywhere between the low of 1. 14V
and nominal spec value of 32.2 vdc depending on the magnitude of the Main Bus over-
load.
4-102
4.4.2.1.3 Effects on User Loads
The three loads external to the Power Subsystem that operate from the Protected Bus
are:
1. Control Computer Subsystem
2. Measurement Processor Subsystem
3. Timing Synchronizer
Internal to the Power Subsystem, the Protected Bus is used to back-up the Main Bus
for those circuits required for fault detection and correction or, as in the case of the
inverters, to prevent damage to the circuitry during Main Bus fault conditions. The
Power Subsystem loads which use Protected Bus power are:
1. Main and Protected Bus Inverters
2. Inverter Failure Detectors and Switch Command Generators
3. Inverter Power Switches
4. Power Distribution Switches
5. Current Throttle
6. Current Throttle Steering Switch
7. Low Voltage Cut Off
8. Remote Decoder Array
The effects of the voltage transient due to CT failure on the PCE loads are detailed in
their respective sections of 5.0.
In general, the overvoltage exceeds some piece part ratings while the undervoltage has
no detrimental effect because of energy storage in each circuit. The inverters, however,
will stop operating at about 14 vdc input.
4-103
The Remote Decoder Array (RDA) which received coded commands from the CCS was
not developed to the circuit level during this study. However, as it is a digital circuit,
the Custom Metallized Multi-gate Array (CMMA) developed for CCS will be used as the
basic building block. By analyzing under/overvoltage effects on the CMMA, the effects
on 95 percent of the RDA will be recognized.
Input voltage rating of the CMMA is 4. 5 to 5. 5 vdc with an overvoltage limit of 7 vdc
maximum.
The Protected Bus Inverter output spec is 50 vdc +5 -6 percent for an input of 32.2 vdc
+ 3 percent vdc. The turns ratio of the output transformer is:
50
= 1. 55 and to convert to an equal number of turns on both
primary and secondary, a ratio of 20:31 can be used.
A simplified schematic of a 5 volt supply for the CMMA is shown in Figure 4.4-26.
Figure 4.4-26. Schematic Diagram - 5 Volt Power Supply
4-104
P. B. INVERTER
20:31
5V SUPPLY
T1
] 1 1· 4.5-5.5 VDC
47:5.2
The minimum in specification voltage from the inverter is 47 vac. To provide 4.5 vdc
at the output of the 5V supply, 5.2 vac is required on the secondary of T1 (assumed
0. 7V diode drop). This dictates a turns ratio of 47:5.2 for T1 transformer.
When the maximum in specification voltage of 52.5 vac appears on the T1 primary,
the secondary is:
5.2V
s
= x 52.5 = 5.8 vacS 47
Subtracting the diode drop of 0. 7V, the output voltage of the supply becomes 5.1 vdc
which is less than the maximum allowed by the CMMA.
Next, the output voltage of the 5V supply is determined for the overvoltage condition of
41 vdc on the dc Protected Bus.
The PB Inverter output is:
31
nverter utput x 41 = 63.5 vacInverter Output 20
The T1 secondary is:
V Secondary 5.2 x 63.5 = 7 vacT1 Secondary 47
Subtracting the 0. 7V diode drop, the output of the supply is 6.3 vdc which also is below
the CMMA overvoltage limit.
To summarize the preceding discussion, a 5V supply can be designed so that the over-
voltage caused by a failed Current Throttle will not exceed the limitations of the CMMA.
4-105
Next, the range of undervoltage on a 5V supply due to a shorted CT will be found. The
input voltage to the Protected Bus Inverter during this failure condition is a function of
the magnitude of the overload on the Main Bus. The inverter will continue to operate
down to about 10 vdc input. Below this, the inverter stops switching and the inverter
output goes to zero. At 10 vdc in, the inverter output is:
31
V V~=- x 10 = 15.5 vacInverter Output 20
The secondary voltage of the 5V supply would be:
5.2
VT1 Secondary 4- x 15.5 = 1.7 vacT1 Secondary 47
After rectification, 1.0 vdc is provided on the output of the 5V supply.
The undervoltage, and overvoltage regions for a 5V power supply caused by CT failure
are shown on Figure 4.4-27. The undervoltage can fall anywhere between 1. 0 and 4. 5
vdc for the 10 millisecond fault duration.
Detailed effects of the undervoltage can't be defined at this time; however, it can be
postulated that scrambling and loss of data will occur. Flip-flops that had previously
been set in one state could come back up in the opposite state causing Power Distribu-
tion Switches to change state.
The fact that loads could randomly change state when the Current Throttle Steering
Switch selects the standby Current Throttle after an undervoltage on the Protected Bus
is quite significant. If more loads were turned on, it would intensify the overload
condition on the Main Bus. Also, at the same time these loads are changing state, CCS
is trying to locate and isolate the failed unit which initially caused the undervoltage.
The effects of these voltage excursions on the MPS and Timing Synchronizer would
be relatively the same as those of the RDA. They all have in common the CMMA
building block.
4-106
WHEN INVERTER
INPUT IS 41 VDC
7
6
5
>0 
P, 0
P, 
14 W
U
F-43 ¢4
o
LID
4
3
2
WHEN INVERTER INPUT
IS 10 VDC
1- WILL BE ZERO WHEN
~'- INVERTER STOPS
O K SWITCHING
Figure 4.4-27. 5V Power Supply Voltage Excursions Caused by Current
Throttle Failures,
The CCS also consisting of CMMA's can protect itself during this time while insuring that
spurious commands won't be initialized.
Loss of MPS during this period would result in loss of some data, but the subsystem
can be reinitialized by CCS when power is restored.
The Timing Synchronizer which is used as a central timing reference for the spacecraft
should be protected from the undervoltage condition as the effect of an intermittent
clock is unknown.
4.4.2.1.4 Resolution of Failure Effects
Before investigating design solutions for this undervoltage problem, the probability of
occurrence will be determined to see if it is of a magnitude that must be considered.
4-107
From Section 5.1.3, the failure rate for parts which produce a short (Xs) is 0.267 x
10- 6 failures per hour and total part failure rate (>t) is 0.814 x 10- 6 failures per hour.
Then the percentage of failures short (Q s) is:
Qs s Qt where Qt= total failures
X
tx
Qs = Xs (R) = X (1-et), t = 105 hours
xt xt
.267 (-e-. 0841Qs .8 41 (l
Qs = .318 (1- .9194)
Qs = '0256 = 2.56 percent
The probability of 2.56 percent that a Current Throttle will fail short circuit is signi-
ficant because of the impact on the spacecraft.
4. 4.2. 1.4. 1 Increase Protected Bus Voltage
Without increasing the design complexity of the Current Throttle, there is a way of
detecting this failure. It requires that the Protected Bus voltage range be shifted up
higher so the voltage drop across the CT is large enough that loss of this drop due to
a short can be detected by the Steering Switch.
In order to do this, the dc Protected Bus voltage must be raised above the maximum dc
Main Bus plus the maximum diode drop plus the maximum saturation voltage of the CT
pass transistor.
4-108
Max. dc Main Bus = 30.3 vdc
Max. Diode Drop = 1.0 vdc (< 5 amp)
Max. V = 1.2 vdc (<5 amp)
ce(Sat)
So the low point of the Protected Bus dc becomes 32.5 vdc.
The comparison of the present and proposed voltage band is shown in Figure 4.4-9.
The present regulation is 32.2 ± 0.9 vdc (± 2.8%)
The proposed regulation is 33.4 ± 0. 9 vdc (± 2.7%)
This scheme requires the pass transistor in the Current Throttle to operate further in
its linear region in order to keep the dc Protected Bus voltage up.
Three of the Power Subsystem RTGs will be operating at a terminal voltage of 31 vdc
(1 volt diode drop above the 30 V main bus). The RTG used for the Protected Bus
source is presently operating at 32.2 vdc nominal, and it is proposed that it be in-
creased to 33.4 vdc nominal.
It can be seen from Figure 4.4-28, that the RTG power curve is very flat at the top,
and there is little variation in output power between any of these voltages. The in-
crease in voltage with its corresponding decrease in current does cause the hot junction
temperature to increase about 5-7°C. This change in temperature has no significant
effect on the RTG performance.
The Current Throttle/Isolation Diode power dissipation at the two voltages will be de-
termined. The RTG currents are determined from Figure 4.4-28, at the two voltage
levels for BOM (Beginning of Mission) and EOM (End of Mission). Then current into
the Protected Bus is calculated, assuming a constant load of 60 watts, for each voltage
level. The difference between the RTG current and the Protected Bus current is the
4-109
1200
0
33.4 V
1100E--q \r 32.2 V
.1000
1500 HIR
5 YR
900 - 10 YR
31 V
32.2 V
33.4 V f/ - 160
1020 ' § 1 2 - V=< 1 120
40 2 4 80
33.Figure 44-28. RTG Characteristics
H 0
20 40
0 ' I_ r I ~ YI _0
0 2 4 6 8 10
RTG CURRENT (AMP)
Figure 4.4-28. RTG Characteristics
4-110
current through the Current Throttle/Isolation Diode into the Main Bus. Table 4.4-3
below, contains these values.
Determine the power loss in the Current Throttle/Isolation Diode combination:
p = (VPB - VMB) ICT
where
VPB = 32.2 or 33.4 vdc
VMB = 30 vdc
ICT = Values in Table 4. 4-3
From Table 4.4-4, it can be seen that it will cost 2 to 3 watts of additional power to
raise the Protected Bus voltage range.
TABLE 4. 4-3. PROTECTED BUS VOLTAGE EFFECTS ON RTG AND
CURRENT THROTTLE CURRENTS
BOM (1500 Hrs) EOM (10 Yrs.)
32.2 vdc 33.4 vdc 32.2 vdc 33.4 vdc
IRTG 4.65 A 4.50 A 3.75 A 3.60 A
IPB 1.86 A 1.80 A 1.86 A 1.80 A
ICT 2.79 A 2.70 A 1.89 A 1.80 A
TABLE 4.4-4. NOMINAL POWER LOSS IN CURRENT THROTTLE/
ISOLATION DIODE
Present RB Proposed PB
Voltage Range Voltage Range
BOM Power Loss 6. 14 watts 9.19 watts
EOM Power Loss 4. 16 watts 6. 12 watts
4-111
The loads on the Protected Bus Inverter will not detect a higher dc bus voltage because
by changing the turns ratio of the output transformer, the 50 vac can still be provided.
Loads on the dc Protected Bus are for the majority of the mission in a standby mode
not drawing power (Power Distribution Switches, Inverter Power Switches, Inverter
Failure Detectors/Switch Command Generators, Current Throttle Steering Switch,
and LVCO). Therefore, the increase in voltage will not cause an increase in power
while in the dormant state. The exceptions are the Main and Protected Bus Inverters.
The switching and output drive circuits of both inverters are powered from the dc
Protected Bus. The increase in PB voltage can be compensated for by changing the
turns ratio of the drive transformer so there is no increase in power into the drive
circuitry.
The power into the switching circuit will increase by:
P2 = (V2)2 = 33.42 1.08
P1 (Vl)1 \32.2/
So there would be a power increase of 8 percent. The switching circuit power consump-
tion of approximately 300 milliwatts would increase by 24 milliwatts.
A summary of all effects is shown on Table 4.4-5. Basically, for the cost of 2 to 3
watts, a Current Throttle short circuit failure can be detected and corrected before
it has a serious impact on the spacecraft.
4.4.2.1.4.2 Energy Storage for the Critical Loads. An alternate solution to the
Current Throttle short circuit failure would be to provide energy storage at those
loads that must be maintained during the Current Throttle switch over to the standby
unit. Basically, these loads are the Timing Synchronizer and the PCE Remote
Decoder.
4-112
TABLE 4.4-5. EFFECTS OF INCREASING PROTECTED BUS VOLTAGE
Analysis of the energy storage requirements of the Timing Synchronizer used the
power requirements of 2 watts and the voltage requirements of the CMMA which are:
V Min. operating
V Max. operating
V Overvoltage Max.
4.5 vdc
5.5 vdc
7. 0 vdc
If the load T/R is designed such that the highest input bus voltage provides a 5.5 vdc
to the load, the lowest input bus voltage will provide more than the load minimum
requirement. This will allow a capacitor to be sized to discharge from the lowest
input bus transformed voltage to the minimum load requirement of 4.5 vdc during the
interval that the Protected Bus undervoltage exists.
Referring to Figure 4.4-29, an input transformer can be designed such with minimum
ac input voltage, the energy storage capacitor voltage will not drop below 4.8 vdc and
maximum ac input voltage will not exceed the 5.5 vdc limit at the load. The capacitor
must be sized to discharge from 4.8 down to 4.5 vdc while providing energy to the load.
4-113
Component Effect of Increasing DC Protected Bus Voltage
Current Throttle Power Dissipation increases by 2 to 3 watts
AC PB Loads None (Same ac voltage and slightly tighter regulation).
Main Inverter Change turns ratio of drive transformer - Milliwatt
increase in switching circuitry power.
PB Inverter Change turns ratio of drive and output transformers.
Milliwatt increase in switching circuitry power.
Other DC PB Loads 8 percent increase in power dissipation when oper-
ating (only operating when changing loads or during
inverter failure).
RTG #1 (on Slight increase in hot junction temperature.
Protected Bus)
PROTECTED
BUS VAC I 153
Figure 4.4-29. 5-VDC Power Supply from the Protected Bus Inputs
A study of this configuration shown in Figure 4.4-29 provided the requirements of
Table 4.4-6. The weight shown is that required for the energy storage for both the
Timing Synchronizer and the PCE Remote Decoder. Very large capacitors are re-
quired because the allowable discharge voltage is small (from 4.8 down to 4.5 VDC).
The capacitance for each component is in the vicinity of 12, 000 uf. A fuse resistor
in series with the capacitor bank prevents capacitor failures short from affecting
load operation. Hence, the probability that circuit failures will not affect load
operation is 100 percent.
4.4.2.1.4.3 Energy Storage at a Higher Voltage. Another and perhaps more
acceptable configuration of energy storage than that just discussed would store energy
at a higher voltage and discharge through a voltage regulator into the load. An
approach is shown below in Figure 4.4-30.
TABLE 4.4-6. CIRCUIT SUMMARY
4-114
Weight 1. 78 pounds
Power 0
Reliability Probability of circuit operating 95.8 percent,
Probability that circuit failure won't affect load
operation 100 percent.
CR2
P. B .V c CR1
Figure 4.4-30. Higher Voltage Energy Storage Schematic
R1 - R2 - Controls the charge rate of C1 and also limits the currents in
the event of a short of C1, Q1, Q2, CR2, or CR3 and open of CR1.
C1 - Provides energy storage.
R3 - Controls the current through CR1 and base drive of Q1.
CR1 - Provides voltage reference for Q1.
Q1 - Q2 - The regulating transistors.
In order to evaluate this concept requirements must be identified and then circuit values
must be determined to determine weight and power needs.
Requirements:
1. A short of the circuit must not load the Protected Bus in excess of 1 watt.
2. The energy storage circuit will sustain the load for 10 milliseconds when the
load voltage is less than 4.8 vdc. Assuming an 87 percent T/R efficiency,
the Timing Synchronizer requires 1. 74 watts @ 5V.
4-115
R1
A detailed design analysis was performed on the circuit of Figure 4.4-30. The
results of this study are shown in Table 4.4-7 which is the total requirement for
two such circuits (timing synchronizer and PCE Remote Decoder).
The circuit weight is mainly due to the 100V, 200 uf, capacitor required. Standby
power loss of 200 milliwatts is dissipated in the zener reference of Q1. The prob-
ability of circuit operation was found from summarizing the individual part failure
rates while the probability of circuit failure effecting the load operation only considered
the failures of CR1 open, Q1 short, and/or Q2 short. These failures present an over-
voltage to the load.
4.4.2.1.5 Conclusion
Increasing the voltage drop across the Current Throttle will enable immediate detection
of a short circuit. The increased power dissipation in the Current Throttle does not
effect its numerical reliability as the piece part failure rates are a constant value and
not a function of part stress. Some design changes are required in the Main and Pro-
tected Bus inverters if the PB dc voltage is increased.
Energy storage at 4.8 vdc requires large capacitors at the load. The weight of these
capacitors can be compared to power losses by the relationship of 1.70 watts per
pound. So 1. 78 pounds of circuit is equivalent to 3. 03 watts of power which is approxi-
mately what it cost to raise the voltage drop across the Current Throttle.
TABLE 4.4-7. CIRCUIT SUMMARY
4-116
Weight - 0.53 pounds
Power - 200 milliwatts
Reliability - probability of circuit operating 96.1%.
probability that circuit failure won't effect load
operation 99. 4%.
Energy storage at the higher voltage is more economical than both the previous
methods, and cost an equivalent of about 1 watt (combining power and weight).
The level and type of redundancy at the load is unknown at this time. Consequently,
both energy storage techniques could considerably increase in size and weight, as the
circuitry might be repeated the same number of times the load is redundant.
SUMMARY
Three circuit configurations were synthesized and investigated that would ensure
uninterrupted power to critical Protected Bus loads in the event of a short of the
Current Throttle followed by a Main Bus load fault.
The configurations considered were:
1. An increase in the voltage drop across an unfailed Current Throttle
to permit detection and transfer (Raising the dc Protected Bus voltage).
2. Shunt voltage capacitive energy storage at the operating voltage for
critical loads.
3. High voltage capacitive energy storage with series voltage regulation to
critical loads.
The salient characteristics of these configurations are tabulated in Table 4. 4-8.
4. 4. 2.1. 6 Recommendations
Configuration 1, which increases the Protected Bus voltage was selected for the
following reasons:
1. The equivalent power penalty is less than configuration 2. Configuration 3
appears to have the smallest penalty, but if the loads are redundant, the
penalty is doubled, and if double redundant, the penalty is three times that
shown in Table 4. 4-8.
4-117
0 
a
 
i 
o
 
o
 
.o
a
 
~
 
~
 
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
a 
.4
4· 
4.i
.> bl 
00 
m
 
n
 h o
 
4 0
k 
·;a
" 
o
 
o
 
o
o
b4)
Fr 
O
 
O
 
a
 
O
 
_
c
 
C 
0 
P
'-
~
 
0
0 p 
C) 
ts 
c
PI 
~
~
~
~
~
~
 
>
 
~
 
~
 
~
 
~
~
~
~
~
~
a
t
M
 o
 
a,~~~~~~~~~~~~~~~C
I
E0co
Cil08, P4w ¢P4;
0
o
O
Z
o
O
 "
¢UoJI 1-4 <o 
u
"a 0
,
 
zp. ¢ 
w
u
 
A)
¢-
44E
-
0 
0
¢ 4-118
Cd
C
D
~~ 
~
'
~
 
~
 
0 
0
'
 w
 
'
)
1
9 
Cd
o
 
-t: 
f 
: 
,k 
cO
~~~~~~~:a-0 
C
0 
4 ) 
0 
p 
a) 
,
 
Q 
i
c c 
0 
>
 c 0,>r. 
E-4 
-0
 
.
.
 
3 
h 
b
D
 
O
 
m
 
3
V
 
s 
t 
c- B 
C
0 
m
 
I 
w
 
4
i 
a
 
44 
_
q
m
 
u
 
u
 
o
 
'W", 
0 
p~o 
·j 
E
2, Configuration 1 does not require additional hardware at the load or the PCE.
Consequently, it does not decrease the system reliability (Fail Safe = 1. 000)
nor increase the probability of fail to operate (0. 000). It is simplier to im-
plement as no new interfaces are required.
3. It maintains operating voltage to the switching and drive circuitry of the Main
Bus Inverter during a Main Bus overload. Thus it prevents damage to that
inverter during the overload period.
4. It maintains the Protected Bus Inverter thus all Protected Bus loads during
the Main Bus fault condition. Presently, the Protected Bus will follow the
Main Bus undervoltage until the Current Throttle Steering Switch selects the
Standby Current Throttle. This delays by 10 milliseconds the start up of
the fault detection and correction loads and thus extends the duration of the
Main Bus undervoltage.
4.4.2.2 Inverter Failure Detection
To meet the reliability requirements for the inverter function, standby redundancy
was employed.
A concept to identify a failed inverter and select a standby unit must be identified.
4.4.2.2.1 Failure Detector Algorithm
In order to develop a failure decision procedure, an inverter failure must be defined.
For the TOPS inverters, a failure is defined as follows:
1. The output voltage is low while the input voltage is in specification.
2. The input current increases without a corresponding change in the output
current.
Since the ac bus is not to be used as a timing reference, a change in inverter frequency
is not considered a failure until it affects the output voltage.
One technique for failure detection is a ratio comparison algorithm. This compares
input to output voltages and currents and is expressed as follows:
4-119
Statement 1
If:
Vo
Vi< K1Vi
the inverter has failed.
Where
Vo is the ac output voltage
Vi is the dc input voltage
K1 is a constant which is proportional to the transformation ratio and the inverter
IR drop.
Statement 2
Or if:
Io
< K2Ii 
the inverter has failed.
Where
Io is the ac output current
Ii is the dc input current
K2 is the transformation ratio of the inverter.
Proof of the linear relationships of the voltages and currents is shown in Figures 4.4-31
and 4.4-32 which are actual test results of breadboard hardware. Figure 4.4-31 shows
the relationship between input and output currents, while Figure 4.4-32 contains the
voltage relationship.
A failure detection technique must be able to distinguish between inverter failures and
external failures. Those external failures which effect inverter input or output char-
acteristics are examined in Table 4.4-9 to see if statements 1 or 2 are violated.
4-120
20 r
Io
THEORETICAL 3/5 RATIOtI
TIO
15
MEASURED RAN
O
>/
10
5
INVERTER INPUT CURRENT (AMPS)
Figure 4.4-31. Inverter Input Versus Output Current
50
40L~ ~THEORETICAL- V 5/3 RATIO
0
30 
20
oo-
0 I
Of/l 
30
4-121
0 10 20
INVERTER INPUT VOLTAGE (VOLTS)
Figure 4.4-32. Inverter Input Versus Output Voltage
TABLE 4.4-9. EXTERNAL FAILURE EFFECTS ON INVERTER
INPUT/OUTPUT CHARACTERISTIC S
The ratio algorithm can distinguish between inverter and other failures. A decision
program is shown in Figure 4.4-33 for the Main Inverter and in Figure 4.4-34 for the
Protected Bus Inverter.
A technique which detects inverter failures by comparing input and output parameters
with maximum or minimum limits has been suggested. This is expressed as follows:
Statement 3
If (Vo < K1) * (Vi 2 K2) * (Io 5 K3) the inverter has failed.
Where
Vo, Vi and Io are the same as previously described
K1 is the minimum output voltage limit
4-122
Effect on Inverter Inverter FailureExternal Failure Input/Output Detector Response
Load fault draws high Io increases but Ii also in- None - Statement 2
current creases proportionally. is not violated.
Load fault pulls down An output voltage (Vo) decrease None - Statements 1
inverter output is caused by overloading the and 2 are not
voltage RTG source hence the input violated.
voltage (Vi) also has decreased.
The inverter currents increase
in proportion due to the load
fault.
Load fails open No voltage changes. Io de- None - Statement 2
circuit creases and Ii does also in is not violated.
the proper proportion.
Input voltage de- Both (Vo - Vi) and (Io - Ii) None - Statements 1
creases (RTG or decrease in the proper pro- and 2 are not
DC Bus fault) portion. violated.
Figure 4.4-33. Main Inverter Ratio Program
NO
YES
YES
Figure 4.4-34. Protected Bus Inverter Ratio Program
4-123
SWITCH OFF
PB INVERTER
SWITCH ON
STBY
K2 is the minimum input voltage limit
K3 is the maximum output current during normal operation
* is the operator 'and'
Statement 4
If (Ii > K4) * (Io 5 K3) the inverter has failed.
Where Ii, Io and K3 are the same as previously described. K4 is the maximum input
current during normal operation.
Referring to Statement No. 3, if the output voltage is low, while the input voltage is
in spec., and the output current is not high, the inverter has failed.
The reason for the look at the output current in order to make the decision, is be-
cause it was felt that a spacecraft load fault could drop the inverter output voltage
out of specification. However, after examination of the inverter test report it was
found that an overload will not lower the output voltage significantly unless it also
drops the input voltage.
Therefore, the requirement to check the output current level in Statement No. 3 is
no longer necessary. If the inverter output voltage decreases while the input voltage
remains in spec. the inverter has failed. So Statement No. 3 can be rewritten.
Statement 3-A
If (Vo < K1) * (Vi 2 K2) the inverter has failed.
Statement No. 4 places upper limits on the input and output currents to detect inverter
failures. This has two disadvantages.
First, only inverter failures that draw enough input current to exceed this limit will
be detected.
4-124
The maximum input current limit K4, is found as follows:
Max. inverter load
inverter eff.
Max. input power
Max. input current
The minimum inverter
= 315 W
= 93%
315
0.93
339
30
load is 210W
210W
.93 x 30V
= 339 watts
= 11.3 amp
= 7.5 amps input
The input current varies between 7.5 amps and 11.3 amps. This means that an
internal inverter failure could draw 11.3 - 7.5 = 3.8 amps of current and go undetected
(114 watts).
IThe second disadvantage is that the size of the inverter load is limited to what
was initially planned. At BOM, a power margin of 150 watts exists above the peak load
requirement. If the Flight Command Director wanted to use this margin to perform,
for example, a transmitter health check, he would violate the part in Statement No. 4
which asks "Is the output current less than or equal to the preplanned load value ?"
Figure 4.4-35 shows the decision program for this level algorithm.
The hardware designs for both inverter failure techniques are described in Section 5.8.
The level detector was designed to satisfy Statements No. 3 and No. 4 and as such, it
is more complex. If statement No. 3-A were used, the two hardware designs would
be of equal complexity.
If a software approach using MPS and CCS for inverter failure detection was considered
acceptable from an operational complexity viewpoint, the level technique could be used.
4-125
Figure 4.4-35. Main Inverter Level Program
The current limits of Statement No. 4 could be reprogrammed in the MPS as the
spacecraft loads are changed by CCS. This would eliminate the disadvantages of the
level detector method.
Recommendation
For a dedicated hardware failure detector, the Ratio method is recommended because
of the limitations of fixed current limits in the Level method.
If failure detection is to be accomplished using the MPS/CCS, the Level method can be
used.
4.4.2.2.2 Inverter Failure Detector Approaches
Two methods have been identified for detecting and correcting Main and Protected Bus
Inverter Failures.
4-126
One method uses the MPS/CCS capabilities for failure correction. This is identified
as the software approach.
The second method uses special purpose hardware within the Power Subsystem to
identify 'and correct inverter failures. This is the hardware approach.
The operation and implementation of both approaches is defined. A comparison of
reliability, weight,power, response time, interface complexity, failure modes and
effects, and operational complexity is included to enable selection of the failure de-
tection scheme for both the Main and Protected Bus inverters.
4.4.2.2.2.1 Software Approach. Figure 4.4-36 shows in block diagram form the
equipment involved in the Software approach. An inverter failure is determined by
measuring the input voltage and current and output voltage and current. A comparison
of input to output is performed. This result is transmitted to the MPS (Measurement
Processor Subsystem) where it is compared with a reprogrammable limit. If this
limit is exceeded, the MPS informs the CCS (Control Computer Subsystem) of an
inverter problem. CCS interrogates the Spacecraft State Vector (equipment status
indicator) to determine which inverter is on line. Commands are generated by CCS
to switch off the failed inverter and switch on a standby inverter. These are decoded
in the PC E Remote Decoder and the respective inverter switches then change state.
4,4.2.2.2.2 Hardware Approach. Figure 4.4-37 shows the equipment relationship
for a hardware inverter failure detector which is entirely contained within the PC E.
The same parameters are used for identifying failures. They are compared with pre-
selected values in the Failure Detector. When a failure occurs, the Failure Detector
alerts the Switching Command Generator. The Switching Command Generator deter-
mines which inverter is on and sends simultaneous commands to turn off the failed
inverter and turn on a standby.
4-127
-
-
 
0
Q 
Q93 000Cd
01
a,
~
~
~E-4~~~~~~
C
I2~~~~~~~~C
0 
2
P 
P 
w
 
~
~
~
~
~
~
~
~
~
~
~
~
~
a
~
~
~
 
00
: S 
s 
>
 
Z 
>
 
T 
Q~~~~~~~> 
Cd0
-
~
~
o
~
~
~
~
-
~
~
~
Cd
4 ; 
0
1
~
~
 
H
Z
 
HZp
-
-
 
ri- 
-
ci 
*Ii .
.
_
,
4-128
.o 0
w
 
IsIC
-
0 
,loCU
m
 
C 
CU'-
r 
ca~~~~~~~~~~~~~M
4-129
Note that the interfaces between the sensors and the MPS are still required so that
this data can be transmitted to earth.
Also, the CCS-Remote Decoder-Inverter Switch interface is required to provide ground
initiated inverter selection in the event of an erroneous Failure Detector or Switching
Command Generator.
Failure Detectors have been developed for TOPS and are defined in Section 5.8. A
Switching Command Generator is defined by Section 5. 7. For the purpose of this
study, these designs will be used as the Hardware approach.
The Signal Converter circuit shown in the Software approach was not developed, and
for the study purpose, the front end of the Failure Detector (to the Op Amp Output)
will be used as a circuit representing the relative complexity of the Signal Comparator.
4.4.2.2.2.3 Reliability/Redundancy. A reliability model representing both the
Software and Hardware approaches is shown in Figure 4.4-38.
It has been found from previous studies that a significant enhancement in reliability is
obtained by majority voting.
Referring to the Hardware model, it can be seen that the measurements and the failure
detector are triply redundant. Their outputs are majority voted such that any two that
are in agreement will control the Switching Command Generator. The Switching
Command Generator is configured functionally in a quad redundant arrangement such
that any three of the four units will provide the necessary commands to the inverter
switches (switches not shown on the diagram - included within the inverter block).
Reliability calculations show that the probability of success with the Hardware approach
is 0. 9936. This exceeds the goal of 0.992 for the Main Bus Inverter function. (Refer-
ence Section 4. 5.1)
4-130
2C)t C)C)cdF-a)I CdI ,F-
4-131
-a
 
'
*5 
a A-4 H;i cnH wC. HF-4
.
I.,HC.) 0C.uw04m13
A4inH>1.4E.) 0L.) HC- HI14InWw,E.
As might be expected from observation of the reliability model, the probability of
success for the software approach is much lower due to the quantity of external equip-
ment involved in the fault detection and correction routine. The overall reliability was
found to be 0. 9798.
4.4.2.2.2.4 Weight. A point to be made about the external equipment (MPS-CCS)
associated with the inverter failure routine is that the complexity of these units would
not be reduced if the hardware approach were used. The MPS would still receive
and process the inverter data to make it available for transmission to the ground.
The circuitry of the CCS is multi-purpose in that it would be working on another task
until called upon to handle an inverter failure. Therefore, if the hardware failure
detector is used, there would not be an associated weight reduction of the MPS, CCS,
and Remote Decoder.
In order to compare the weight impact of the two approaches, it is necessary only
to compare the differences between the two within the Power Subsystem. It is assumed
that these circuits will be packaged for flight using the thick film technique.
To approximate the weights of the two approaches, an inverter failure detector recently
developed by JPL for potential use on Mariner spacecraft was used as a reference.
This unit is 1" x 1/2" x 1/8" and weighs 3. 75 gm. From Table 4.4-10 it is found that
three thick film packages of the Mariner type are required for the Software approach
and nine packages for the Hardware approach. The Hardware approach requires a
delta of six packages or 22.5 gm (<1 oz).
4. 4. 2. 2.2. 5 Power. The standby power for each approach is that required by the op
amps. The rest of the circuitry in the Hardware approach is inactive until a failure is
detected. As the quantity of op amps is equal in both the Software Comparator and
the Hardware Failure Detector, the standby power is equal.
4-132
TABLE 4.4-10. NUMBER OF MARINER TYPE THICK FILM CIRCUITS
REQUIRED FOR EACH FAILURE DETECTION APPROACH
Relative
Complexity
Number of
circuits
required
Number of
thick film
circuits
4.4.2.2.2.6 Response Time. Figure 4.4-39 shows the events involved in both
inverter failure schemes in the form of a timing diagram. As can be seen, more
functions are required in the Software approach, and as a result, it takes approxi-
mately 16 milliseconds longer. (Reference Table 4.4-11)
Hardware - 31 milliseconds
Software - 47 milliseconds
Intervals To - T3 are identical for both concepts. To - T1 is the time required for
the current sensors to respond to a change. During T1 - T2 , the op amp compares
the two measurements. A delay at T2 - T3 is added to prevent activation on a large
transient.
For the Hardware approach, T3 - T4 is the time for a transistor to turn on to generate
the switch commands. During T4 - T5 the relay switches receive the command and
change state. T5 - T6 is required to recharge the distributed spacecraft capacitance
(assumed 1000 1f) and allow for transient ripple attenuation.
4-133
Software Hardware
Failure Switching 3rd SectionComparator Detector Command of LVCO
Generator
.50 .75 3.0 4.45
6 6 3 1
4.5 + 9 - 4.45
3 9.05
FAILURE -FAILURE m- oI I
SENSOR
RESPONSE
COMPARE DATA
- DELAY
SAMPLE DATA
- MPS ALGORITHM
CCS PERFORM
CALCULATIONS
CHECK STATE
VECTOR
INITIATE CMD'S
TRANSMIT, RECEIVE
& DECODE CMD'S
ACTIVATE
TIME OF
INVERTER
SWITCHES
0
n
oc3 }34-
t'3W
.4 
SENSOR
RESPONSE
COMPARE DATA
- DELAY
- INITIATE CMD'S
TO INVERTER SWITCHES
AND INTERRUPT SIGNAL
TO CCS
ACTIVATE
TIME OF
INVERTER
SWITCHES
1 SWITCHING
TRANSIENTS
M13 .
SWITCHING
TRANSIENTS
I.-W
Figure 4.4-39. Comparison of Response Time for Hardware and Software
Inverter Failure Detection
4-134
W
0
0
X
To
t3d
~q
X
c: r33
-4 I
(3
CD
Co0O
ju
t
I
i
i
1
I
Ii
j I%-KL
.
I
TABLE 4.4-11. REPRESENTATIVE TIME INTERVALS FOR THE
EVENTS IDENTIFIED IN FIGURE 4.4-41
HARDWARE
<5 ms
< 200 ps
<1 ms
< 10 itS
< 20 ms
< 5 ms
<31.21 ms
SOFTWARE
To - T 1
T1 - T2
T2-T3
T-T
T3 - T4
T4 - T5
T-T
T - T10
T10 - T11
Total
The Software approach requires sampling of the op amp output through the MPS
Tree Switch during the period T3 - T 4 . During T4 - T5, the MPS compares the input
signal with a reprogrammable max-min limit. If the limit is exceeded, a CCS inter-
rupt is generated at T5 . Between T5 and T6 , CCS verifies that an inverter failure
does exist.
During T6 - T7 , the CCS checks the spacecraft State Vector to determine which inverter
is on, and which standby unit is available. Commands to these two units are generated
during T7 - T8. T8 - Tg is required to transmit, receive, and decode the commands.
Tg - T10 and T10 - T11 are the same as T4 through T6 of the Hardware concept.
The fact that one approach is 16 milliseconds faster than the other is not significant
because they both take less than half the time specified as the duration of an under-
voltage condition in which all spacecraft hardware must survive (150 milliseconds).
4-135
- T1
-T 2
-T3
-T 4
- T5
-T 6
To
T1
T2
T3
T4
T5
< 5 ms
< 200 ps
< 1 ms
< 5 ms
< 64 ps
<10 ms
< 1 ms
< 100 is
< 20 ms
< 5 ms
47.364
Both approaches are acceptable from a time standpoint.
4.4. 2.2.2. 7 Interface Complexity. Referring to Figure 4.4-36, the Software
approach requires interfacing the output of the Signal Comparatorto the Measurement
Processor Subsystem. The interfaces between the MPS, CCS, and the Remote
Decoder would exist irregardless of the inverter failure requirement. The Remote
Decoder interfaces to the inverter switches in the same manner as all other power
distribution switches in the PCE.
The hardware interfaces are shown on Figure 4.4-37. The MPS interface still exists,
as all measurements must be processed in order to be radio linked to the ground.
Therefore, the inverter current and voltage measurements must connect to both the
Failure Detector and the MPS.
Interface complexity at the inverter switches remains the same for both concepts. In
the Software approach, the Remote Decoder and the LVCO interface to the inverter
switches. The Hardware approach interfaces to the switches are the Switching Com-
mand Generator and the Remote Decoder. It is felt that the capability to select the
inverter via ground command is required, thus the Remote Decoder interface is needed.
The hardware approach must also provide a signal to CCS when it senses a failure.
An inverter failure which effects the output voltage will cause the LVCO to begin
operation, the first of which is to send an LVCO Interrupt signal to CCS. CCS must
stop whatever it is doing, and begin its "Low Voltage" routine (see Figure 4.4-14).
By providing an Inverter Failure Detector Interrupt, CCS is informed that the prob-
lem has been identified by the failure detector and it can ignore the LVCO Interrupt
signal immediately following.
The hardware approach then introduces a slight increase in interface complexity.
4-136
4.4.2.2.2.8 Failure Modes and Effects
Hardware Concept - All single piece part failures of the Failure Detection circuit are
negated by the fact that the circuit is repeated three times and majority voted.
Single failures in the switch command generator can be accommodated as each
transistor controls only one corner of the quad inverter switches. If a failure causes
an output, only one of the four switchesin the quad changes state, the other three
remain as is and thus control the state of the inverter.
One problem with the Hardware concept is that failure conditions are preset before
launch by the proper selection of sampling resistors in the failure detector. If after
launch, a condition which was not considered should violate the preset conditions, an
inverter which might be good could be switched off by the hardware.
Software Concept - As with the hardware, the sensing and comparison in the Power
Subsystem will be triple redundant.
The MPS Tree Switch has series-parallel (quad) redundancy through the first six
levels. Levels 7, 8, and 9 (9 is defined as where subsystem data is received into the
tree switch) are not redundant, hence a single piece part failure will result in the loss
of one comparison measurement. The other two measurements that have the same
data will be routed through other branches of the tree so as not to be effected by the
failure. The MPS processing failures that might occur are backed up with standby
redundancy and some self-test and repair capability by the MPS itself.
The CCS through the use of Test and Repair Processor (TARP) maintains its operation
by switching in standby units as required.
The PCE Remote Decoder also employs standby redundancy.
4-137
It does not appear that single failure modes exist in any of the above mentioned sub-
systems. At this period of the project, detailed designs of these units and the imple-
mentation of switching in standby units has not been attempted, therefore, single
hardware failures cannot be identified.
Single failures initiated from the ground can be postulated that could incapacitate the
inverter failure detection and correction routine.
One of the main features of the baseline CCS and MPS is the reprogramming capability
in flight. The limits to which the MPS compares incoming data can be changed and the
software programs that CCS uses can be modified. If either or both of these were to
happen to the inverter program due to an error in an uplink command,the inverter
failure program could be lost. Unless a periodic readout of these programs and
limits is performed, this change would go undetected until an inverter failure occurred
and went uncorrected.
4.4.2.2.2.9 Operational Complexity. Figure 4.4-38 also shows relative complexity
by comparing the number of operations and calculations performed by each concept
in the fault correction process. Table 4.4-12 lists the operations performed by each
concept.
The Software approach requires nearly twice the number of operations to perform the
same task. This increases the potential for errors to occur.
4.4.2.2.2.10 Summary. Referring to Figure 4.4-40, the Hardware approach exceeds
the reliability and response time requirements at the expense of adding weight and
slightly increasing interface complexity. However, it is least complex from a data
proc essing/operational viewpoint.
The Software approach exceeds the response time requirements and has slightly less
complex interfaces as the additional ones to the inverter sensors would be eliminated.
4-138
TABLE 4.4-12. COMPARISON OF EVENTS REQUIRED TO DETECT AND
REPLACE A FAULTY INVERTER
Software Approach
1. The Signal Comparator receives data from the sensors, compares input to
output, and supplies the MPS Tree Switch with signals proportional to this
comparison.
2. The MPS Tree Switch samples the above signals.
3. The MPS Engineering Data Conditioner converts the analog output of the
Tree Switch to a digital format.
4. The MPS Data Processor compares this data with preset limits and if
out of spec,
5. The MPS Mode I/O sends an interrupt to CCS.
6. The CCS Interrupt Processor receives the MPS signal and alerts the
Control Processor.
7. The Control Processor selects the proper program for inverter failures
from the Read-Write Memory.
8. The Logic and Arithmetic Processor determines from the Spacecraft State
Vector which inverter is on and which standby inverter is available.
9. The Input-Output Processor generates the proper commands to the Power
S/S.
10. The Power S/S Remote Decoder receives the commands and formats them
for the inverter input and output switches.
11. The switches receive the signal above and switch out the failed inverter
and switch in the standby unit.
Hardware Approach
1. The Failure Detector receives sensor data and compares input to output
then to a preselected limit.
2. The outputs of the Failure Detector are majority voted so at least two units
must agree there is a failure before the Switching Command Generator is
informed.
3. The Switching Command Generator receives the output of the voted Failure
Detectors.
4. It determines which inverter is on, and which is the next standby inverter
to be activated.
5. It initiates commands to those inverter input and output switches.
6. The switches receive the signal above and perform their function.
4-139
jL
ia
 o 
H
a 
a 
a 
-
o
~
~
~
~
-
~
~
~
~
~
~
~
~
o
 
©
'
 
c
 
0 
c
 
O
 ~
of 
ii, 
X
e
PL, 
PLI )-4 
P4 
q
U
 
p
3 
n
 
a 
i g 
°
 
g
=
 
=
 
W
k
o
 
°
0 0
ril~
~
~
~
~
~
~
~
~
~
~
r
I 
I
.m4
L
..~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
L
a, 
X
 
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
o
 
-t
4 
a
 
(2) 
cl 
1) 
) 
P4 
44 
P
4
~
~
I.-
cd
(J 4IC)bb o,-.,4
A
 
0
a) 
-
k 
CdO~
a
a
Uo 
UZ 
4-140
The data processing/operational path through the MPS-CCS-Remote Decoder is much
more complex than the Hardware approach.
The reliability of the Software approach was lower than the goal for the Main Inverter
function.
An argument against using the Hardware concept is that if all subsystems took this
approach for their fault detection and correction, the capabilities of the MPS and CCS
would not be fully utilized, and though individual failure routines would be more
reliable, the overall spacecraft reliability would be reduced as a result of all this
dedicated failure equipment.
The Main Bus inverter function is extremely critical. Without it, all subsystems
except those on the Protected Bus (CCS, MPS, Timing Synchronizer) are lost. Ground
initiated fault correction is not possible as communication with the spacecraft is gone.
For this reason, the probability of having the inverter function should be maximized.
The Hardware approach does this due to the fewer number of operations performed
between sensing and correcting.
4.4.2.2.3 Concept Selection
Until that time when the number of fault correction operations in the Software approach can
be significantly reduced, it is recommended that the weight penalty of 22 grams be
paid by the Power Subsystem for the incorporation of the Hardware approach for both
the Main and Protected Bus Inverters.
4.4.2.3 Failure Tolerance Within the Power Subsystem
Most functions of the Power Subsystem have a failure tolerance such that a single failure
within the function does not affect performance. Each of these functions will be ex-
amined to explain inherent fault tolerance capabilities.
4-141
4.4.2.3.1 Radioistope Thermoelectric Generator (RTG)
An RTG consists of two parallel paths of series connected thermocouples cross-
strapped between each couple, A thermocouple failure results in a slight reduction
of output power. Complete loss of power could be caused by either an open circuit
failure of two electrically adjacent thermocouples or by shorting enough series
couples to cause the RTG terminal voltage to drop below the Main Bus regulation
voltage. The second case causes not only the loss of that RTG power, but the RTG
would appear as a load and draw power from the remaining RTGs. To prevent this,
isolation diodes have been included between each RTG and their common tie point.
The isolation diode could fail open, and the power from the RTG would be lost.
Therefore, a parallel redundant diode is used. If one diode fails, the remaining will
provide a power path to the Power Conditioning Equipment.
4.4.2.3.2 Shunt Regulator
The Shunt Regulator maintains a constant voltage on the Main Bus by absorbing the
difference between the RTG power output and the power required by the spacecraft
loads. Due to far reaching effects of a regulator failure, and to meet its reliability
requirement, a high level of automatic redundancy has been incorporated into the
Shunt Regulator Assembly.
The shunt regulator assembly is actually four separate regulators connected in a quad
arrangement (See Figure 4.4-41). All four are operating simultaneously, but because
of inherent differences in the piece parts of the control circuits, only one is regulating
while the other three are full-on or full-off. If the one that is regulating would fail
open circuit, the regulator that is parallel to the failed unit will take control. If the
failure was a short circuit, the regulator that is in series would come out of its full-on
state to maintain the DC Main Bus voltage. With this arrangement, fault detection and
corrective action external to the Shunt Regulator is not required.
4-142
MAIN D.C. BUS
FROM
ITG'S 4 4
I I
SENSE As
POINT L
II
L _
~-F TO INVERTER
|J I SENSE POINT
I
I
I
_ J
MAIN BUS RETURN
Figure 4.4-41. Quad Arrangement - Shunt Regulator Assembly
To increase the Shunt Regulator fault tolerance such that it is not damaged by any
external failure, it is designed to absorb all the RTG power should an anomaly re-
move all spacecraft loads.
4.4.2.3.3 Inverter
A requirement in designing a fault tolerant Power Subsystem is that it must sustain a
system overload.
The one function of the Power Subsystem that could be adversely affected by an over-
load is the Main Inverter. An inverter design which would be adequate for normal
loading might not withstand the overload situation. To avoid this, the Main Inverter is
designed to survive without damage a short circuit on its output. This was accom-
plished by sizing the switching transistors to handle the short circuit current and pro-
viding current feed-back base drive from the output transformer.
4-143
I
SHUNT
REGULAT OR
SHUNT
REGULATOR
SHUNT
REGULATOR
SHUNT
REGULATOR
4.4.2.3.4 Power Distribution Switch
A common switch design has been selected for switching power to both ac and dc loads.
This assembly consists of two switches whose contacts are arranged in a toggle fashion
as shown in Figure 4.4-42.
Detailed switch operation is covered in Section 5. 9. 2, but briefly, it works as follows:
A command is issued to the power distribution switch to turn ON or OFF a load. Switch
S1 senses position of switch S2, compares that with its own position, then takes the
necessary action to make S1 comply to the command. The command is also sent to S2.
If, after a predetermined period, S1 didn't comply to the command, S2 senses S1 posi-
tion, compares that with its own position, then takes the necessary action to make S2
comply to the command.
With this arrangement, a failure of either switch to respond to the command is
acceptable.
S1 S2
FROM
POWER
SOURCE
SWITCH
COMMAND
7°r-- TO LOAD
A A i
I
--I I-
A- ___\ /,-_ .
I '\ / l
Figure 4.4-42. Power Distribution Switch
4-144
---
4.5 RELIABILITY/REDUNDANCY STUDIES
The ability to operate for the 10-year mission duration with a high probability of
success is perhaps the most stringent requirement of the TOPS spacecraft.
To enable the Power Subsystem to meet its reliability goal of 0. 95, various forms of
redundancy were employed in the major elements of the subsystem. This section
will describe the reliability apportionment methods used to assign a reliability num-
ber to each function within the subsystem, the type and level of redundancy required
for each functional element, and assessment of the overall Power Subsystem relia-
bility.
A Power Subsystem reliability over-view is provided in Section 3.6.
4.5.1 RELIABILITY APPORTIONMENT
The Power Subsystem reliability goal of 0.95 was apportioned to the major assemblies*
such that requirements for detailed circuitry as well as levels of redundancy could be
developed. The methodology used for apportionment is worthy of discussion.
4.5.1.1 Apportionment Method
The method used for apportioning the Power Subsystem reliability is based on two
major considerations:
1. The relative importance of each assembly in performing the PCE function.
2. The relative complexity of each assembly.
For the first of these, it is desirable that the assemblies having a more important
role in accomplishing the PC E function be allocated higher reliability goals.
*At the time this task was performed, a Gyro Inverter was required within the PC E.
This requirement has since been deleted. Therefore, the reliability objectives
determined for each assembly are inaccurate, but do indicate the high degree of
reliability required.
4-145
Similarly, for the second consideration the assemblies capable of providing higher
reliability because of inherent design characteristics and operational conditions,
should be assigned higher reliability goals.
The factors selected to represent the apportionment as discussed above, and the
values assigned for each assembly are shown in Table 4.5-1. Definition of these
factors and the numerical derivation for each are now described.
The interaction factor is a measure of the degree to which each assembly affects the
performance of other assemblies and is obtained from the Power Subsystem functional
characteristics shown in Figure 4. 5-1.
The interaction factor for each assembly is the total number of assemblies directly
dependent on it for operation, including itself, and is computed as the number of
arrows leaving the assembly, plus one.
The number of functions performed by each assembly are as shown on Figure 4.5-1.
The complexity factor is a gross estimate of the relative complexity of each assembly
on a scale of 1.0 for the most complex.
The duty cycle factor is the estimated fraction of time that the assembly is expected
to operate during the mission, using a scale of 1.0 for full time operation.
For performing the computations, the importance factors were normalized to show
the highest value as 1.0 and the remaining values were scaled proportionally. The
reliability factors were already scaled in this manner. The overall effect of this
scaling is to give equal weight to each of the factors. This is shown in Table 4.5-2.
4-146
Table 4. 5. 1 PCE Importance and Reliability Factors
Importance Factors Reliability Factor
Interaction Number of Relative Duty
Factor Functions Complexity Cycle
Power source 6 4 0.50 1.00
& Logic
Shunt Regulator 2 1 0.50 1.00
Protected Bus 1 1 0.20 1.00
Inverter
Main Bus 2 2 0.20 1.00
Inverter
Gyro Inverter 2 1 0.40 0.20
PowerDoistr1 2 1.00 0.01Distribution
Table 4.5-2. PCE Importance and Reliability Apportionment
4-147
F2 W F4 X R
Assembly F No. of F1+F2 Relative Duty F3+F4 Relative Apportioned
Interaction ComplexityInteraction Funct s Weight Complexity Cycle Weight Reliability
Pwr Source
& Logic 1.000 1.000 2.000 18.054 0.50 1.00 1.50 0.214 0. 9933
Shunt
Regulator 0. 333 0.250 0.583 5.262 0.50 1.00 1. 50 0.214 0. 9899
Protected Bus
Inverter 0. 167 0.250 0.417 3.764 0.20 1.00 1.20 0. 171 0. 9890
Main Bus
Inverter 0. 333 0. 500 0. 833 7.519 0.20 1.00 1.20 0. 171 0. 9924
Gyro
Inverter 0. 333 0.250 0. 583 5.262 0.40 .20 .60 0.086 0.9931
Power
Distribution 0. 167 0. 500 0.667 6.021 1.00 .01 1.01 0. 144 0. 9923
-
~
 
c
 
o~~U
0: 
0 
4-1
00 
pq P
O0
A)Q)
P~~~~~~~· 
·
 
~
 
~
 
~
 
~
 
~
 
~
 
~
~
 
P
0 
~
~
~02 M
o0 
U
~
o
 
~
~
~
~
~
~
~
~19
e
0 
P4 
I
E-4 
u
~
~
~
~
~
H
 
' 
z 
0 
4Q
P4 
-
.4 
0o H
 
p
4
~
~
~
~
~
~
P
z 
a
u
o
 
g 
p 4
p4
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~U
H z
H
 
H
0
0~z
H
 0
8 
w
 U
z 
9 o
M
 
0a
U) 
H
 
5
Z 
pq 
H
r 
H
 
.4 
H
w
 
0 
t 0 
l
3 o
~: 
Cu 
<
:
m- 
rn 
m
 14&
Q 
w
 Q , 
Q ZD
L)El 
04~
W
0 
1 X 
O
 
4 
:
p 
Z 
-
N
 
1 
a
oI. 
z 
H
o
 
az
z
0 
~
~
~
o
~
.4 
0 
0 
0 
0
P0P4U
 
4P
m
 
0 
0 
0 
w
 
w
 
O
 
6 
p~~
0 
I 0 
4
:)o 
:)H
E
-
0
0
2
4-148
Determination of the importance weighting factor, the reliability weighting factor, and
then the assembly apportioned reliability was accomplished using the following equa-
tions:
R. 
=
(1- Rs) +X
2 2+where:x)
where:
R.
1
Apportioned reliability for ith element
Rs = PCE Reliability Goal = 0. 95
W.
1
X.
1
Importance Weighting Factor for ith element
Reliability Weighting Factor for ith element
Importance Weighting Factor is Determined by:
Wi = (F 1+ F)
i
( i)
i 1 1 2 F1 + F2
Reliability Weighting Factor is Determined by:
(F 3 + F4 )i
E (F 3 + F4 )
The results of the reliability apportionment are given below:
Assembly Reliability Objective
Power Source and Logic 0. 993
Shunt Regulator 0. 990
Protected Bus Inverter 0. 989
Main Bus Inverter 0. 992
Gyro Inverter 0. 993
Power Distribution 0. 992
4-149
4.5.2 CURRENT THROTTLE REDUNDANCY
The Current Throttle maintains regulation of the Protected Bus (PB) when the Main
Bus is subjected to an undervoltage condition. It also maintains PB regulation during
normal operations by providing a power path into the Main Bus for the difference
between RTG power generated and PB power consumed. If this path were lost, the
RTG load would decrease causing an increase in the PB voltage. The Current
Throttle (CT) configuration must prevent a single component failure from losing this
path.
Three configurations were investigated for the Current Throttle function.
4. 5. 2. 1 Configuration No. 1
The first arrangement for the CT function is shown in Figure 4. 5-2A. It consists of a
Current Throttle and a by-pass switch. The by-pass switch senses the input voltage to
the CT. If this voltage goes out of tolerance high, it is assumed that the CT has failed
open circuit. The switch closes its contact around the CT to provide a path into the
Main Bus.
This configuration provides for an open circuit CT failure. A short circuit failure has
no effect on the PB voltage unless a subsequent failure overloads the Main Bus. The
PB is then no longer protected or isolated from faults on the Main Bus and will follow
the Main Bus voltage. This is unacceptable because the fault detection and correction
equipment could be disabled. Therefore, this configuration was modified to provide
for a CT short circuit.
4.5.2.2 Configuration No. 2
Figure 4. 5-2B shows the addition of a series switch to produce the second CT function
configuration which provides for a CT short circuit. This switch senses the CT input
voltage and disconnects the path to the Main Bus if the voltage drops. A dummy load is
switched in to replace the loading of the Main Bus in order to maintain PB RTG voltage
4-150
within acceptable limits. However, because of the decrease in the RTG output power
over the mission duration and to variations and uncertainties in the PB loads, the
voltage tolerance on the PB increases appreciably. The PB voltage regulation drops
to about ± 12 percent depending on the size of the dummy load.
This configuration was studied to determine its reliability. It was found that it required
97 piece parts to make an operable design and in this series parallel arrangement it
had a reliability of 0. 874.
4. 2. 5. 3 Configuration No. 3
The design presented in Figure 4. 5-2C contains a main and standby CT and a steering
switch. The switch circuitry senses both out of band high or low input voltage to the
CT and switches in the standby unit if the voltage exceeds these limits.
Conclusion
Configuration No. 3 is the approach selected for the TOPS Power Subsystem.
This configuration requires about the same number of electronic components as Con-
figuration No. 2, but has a higher probability of success (0. 976) as it uses only one
relay compared to the two relays required in the Configuration No. 2 design.
Also, this configuration has the advantage that it doesn't degrade the regulation of the
Protected Bus if the prime Current Throttle fails as is the case for Configuration No. 2.
4.5.3 MAIN INVERTER CONFIGURATION
To determine the arrangement and number of inverters required to satisfy the TOPS
loads on the Main Bus, four inverter configurations were analyzed. The parameters
of voltage regulation, reliability, and configuration weight were used to select a
recommended approach. Assuming equal efficiency for the different size inverters,
4-151
PROTECTED BUS
MAIN BUS
A - Configuration No. 1
PROTECTED
BUS
HIGH VOLTAGE
r SENSE
~~~~~~I 0 vMAIN
CURRENT
THROTTLE
I
I Is DUMMY
LI ,LOW VOLTAGE 1 °
SENSE I --
B - Configuration No. 2
MAIN
BUS
C - Configuration No. 3
Figure 4. 5-2. Current Throttle Function Configurations
4-152
RTG
#1
inverter power losses are a function of the total system load and are not related to the
quantity of inverters in the system. Therefore, the power parameter was not con-
sidered a variable.
The inverter configurations are as shown in Figure 4. 5. 3. Configuration A segments
the inverters into subsystem units while configuration D has a single inverter to
supply all spacecraft loads. Configurations B and C are com binations of these
approaches.
4. 5. 3. 1 Subsystem Power Levels
All loads as defined in Table 2-4 of Section 2 were grouped into subsystem ac loads,
special ac loads (such as gyro and wheel loads), and dc loads (see Table 4. 5-3). This
provided the data for the subsystem inverters of configuration A. The combination of
subsystems into configurations B, C, and D and determining power levels was done by
summing all the particular loads for each mission phase and selecting the maximum and
minimum conditions. Table 4. 5-4 presents this data. The percent change in loading
on each of these inverters as shownon Table 4. 5-5 enabled calculation of the voltage
regulation at the load. Table 4. 5-6 shows the percent regulation for a 5V and a 20V
output for each of the subsystem inverters.
A comparison of voltage regulation shows that some of the spacecraft loads will ex-
perience a larger variation in regulation in Configurations A through C, concluding that
Configuration D. is best from a system regulation standpoint.
4. 5. 3. 2 Reliability Calculations*
To determine the reliability of the four configurations, a failure rate for an existing
inverter design was used in conjunction with the reliability numbers for a solid state
*This analysis was performed early in the program. Consequently, the numerical
results shown here do not agree with that of Section 4. 5. 5 which were determined after
the hardware designs were completed. However, for the purpose of comparing
different configurations of equal reliability, the technique is still valid.
4-153
w
 
P
Iz
z
I
1
E-1 
I 
H
 
H
 
I
04 
9 
0 
&
 
X
 
O
w
 
z
UF~l( 
p
i~
 
C
-t4 
P
I-
I<
 
I
w
IzE
- E
U
 
F-~4 
ZWU X
_
8 H
IH
 
w
IE--( L
.!4~-
to
iI
E<-4E
9 
z 
P.,
Iq
 
~4
L
iii
4-154
IQC)a.SI1.4L:a).4
TABLE 4. 5-3 SUBSYSTEM LOADS
Inverter No. 1 Central Data Subsystem
RFS TLM
CCS
MPS
Data Storage
Timing Sync
Flight Command
AC
1w
50 w
12 - 24. 3 w
44.9 w
2w
6.4w
116. 3 - 128.6 w
Inverter No. 2 Radio Subsystem
CMD Rcvr (continuous)
Trking Rcvr
RFS Preamp (continuous)
RFS Cont Unit (continuous)
S-Band Xmitr
X-Band Xmtr
Inverter No. 3 Attitude Control Subsystem
A/C Electronics (continuous)
Gyro Electronics
Accelerometer
Cruise Sun Sensors (continuous)
Acq Sun Sensors (continuous)
Canopos Sensor (continuous)
Sun Shutter (continuous)
Autopilot Elec
Science Scan Elec
AGSS Platform Elec
MGA Pointing Elec
AC
7.7- 15.4
12.2
2.5
3, 1
2,8
6. 8
35. 1 max
16. 1 min
11. 2
9. 8
2.0
3. 0
0,5
5. 5
7.2
2.6
2.5
2,5
1. 3
27.4
42.2
12.4
Inverter No. 4 Experiments
Vector Helium Magnetometer
Plasma Wave Detector
Trapped Radiation Det.
Trapped Radiation Instrument
Micro Meteoriod Det
Meteoriod-Asteriod Det
Plasma Probe
Charged Particle Telescope
Radio Emission Det
Ultraviolet Photometer
Infrared Radiometer,
IMR Cooler
Inverter No. 5 Approach Planet Equipment
Approach Guidance Sensor
TV - A (wide angle)
TV - B (narrow angle)
Inverter No. 6 Gyro Inverter
AC
(off at cruise & data dump)
(on only at TCM)
(on only at TCM & Launch)
(on at Planet approach)
(on during approach)
(on at cruise, TCM,
Roll Cal)
w min
w max
w launch
AC
(encounter period)
4. 1
2.0
1.2
5.0
1. 0
2.0
12.6
4.5
3.0
2.0
8. 9
2.2
39 - 48. 5
AC
17. 7
36.0
28.4
53. 7 min
64.4 max
Special AC
12, 3 wmin
24. 0 w max
Inverter No. 7 Reaction Wheel Invt
12.9 w min
25.8 w max
DC Loads
S-Band Pwr Amp
X-Band Pwr Amp
Attitude Propulsion Thrust
Gyro Heaters
Motor Gimbal Actuators
Science Scan Actuators
AGSS Platform Actuators
MGA Pointing Actuators
Engine Solenoids
Temperature Control
Power Tlm
Pwr Switching & Logic
Pyro Control Unit
51. 1 w
62.2 w
14.4 w
7.2w
20. 1- 55.8 w
2.4w
2.4w
1.2 w
21.4w
11. 3 - 25.5 w
1.0 w
4.8 w
55 w
Il
0
ri
0
f-
0
C
-1
--
-n
m
I
C(
Special AC
Table 4. 5-4 Range of Loads for Configuration
'rB?", I"C", AND "ID"
For Configuration B
Combined Radio, Attitude Control & Science
Max 123. 3 Watts
Min 92. 3 Watts
For Configuration C
All A. C. Loads Excluding Central Data
Max 185 Watts
Min 92 Watts
For Configuration D
All A. C. Loads Combined
Max 313 Watts
Min 208 Watts
Table 4. 5-5 Percent Load Change for Configuration "A" and "D"
Inverter No. 1
Inverter No. 2
Inverter No. 3
Inverter No. 4
Inverter No. 5
Inverter No. 1
Inverter No. 2
Inverter No. 3
Inverter No. 4
Inverter No. 5
Central Data S/S
Radio
Attitude Control
Experiments
Approach Planet
% LOAD CHANGE =
% LOAD CHANGE =
% LOAD CHANGE =
% LOAD CHANGE =
% LOAD CHANGE =
116 - 128 w A
16 - 35 w 
27 - 4 2 w, 
39 - 48.5 w A
54 - 65 w 
10%
54%
35%
18is
18%
One Main Inverter 208 - 315 w A 105W
Load Change = 33%
12W
19W
15W
9W
11W
4-157
Table 4. 5-6 Voltage Regulation at the Load for
Various Inverter Configurations
Invt No. 5
% Series % Los | Invt No. 1 Invt.No. 2 Invt No. 3 Invt No. 4 Approach One Main
- Loss Chane Central Data Radio Att Cont. Science Planet nverte
% Load Change 
DC Buse 2.0 2.0 2.00 2.00 2.00 2.00 2.00 2.00
Input Fltr 1.0 0.50 0. 10 0.54 0. 35 0.18 0.18 0.33
Pwr Transistor 1.5 0. 75 0.15 0.81 0.52 0.27 0.27 0.50
Main Transformer 1.5 0. 75 0.15 0.81 0.52 0.27 0.50 0.50
Remote Transformer 1.5 0.75 0.15 0.81 0.52 0.27 0.27 0.15
Output Fltr 1.0 0. 50 0. 10 0. 54 0. 35 0. 18 0. 18 0. 10
5 Volt Output Rect - 2.00 0.40 2. 16 1.40 0.72 0.72 0.40
20 Volt Output Rect - 0.50 0.10 0.54 0. 35 0. 18 0. 18 0. 10
5 V % Reg. 3.05 7.67 5.66 3.89 3. 89 3.98
20 V % Reg. 2. 75 6.05 4.61 3.34 3. 342 3.68
switch at the inverter input and a relay switch on the output. This
culation of the series combination to result in a reliability number
assembly as shown on Table 4. 5-7.
permitted the cal-
for the inverter
Using this result, the reliability of each configuration with various spare units was
found using the reliability equations of Table 4. 5-8. The calculations show that con-
figuration A requires 8 inverters, B requires 5, and C requires 4 to equal the re-
liability of 2 inverters of configuration D. (see Figure 4. 5-3)
4. 5. 3. 3 Weight Determination
A previously built 400 watt 4. 8 KHz inverter*, weighs approximately 7 pounds.
Using the following equation which has been derived empirically, weights of lower
inverters were calculated.
Wx Y= w PYa
*Loughlin, J, McLyman, W., and Hopper, D., "A 400 WattDC to AC Inverter for
TOPS Power Subsystem, " JPL Space Programs, Summary 37-61, Vol III, Feb
28, 1970.
4-158
TABLE 4. 5-7. Reliability of an Inverter Assembly
400 Watt Inverter
X= 1.235 x 10 6
4t = 10 years = 8. 76 x 10 Hours
-= t -(1.235)(8. 76)(10-2)R=e =e
R = e-0. 108
R = 0. 8975
Solid State Quad Switch
R = .9992
Relay Quad Switch
R = .9662
Ss RLY
SW SW
RTot= (Rs) (RI ) (RR)
= (9992) (. 8975) (. 9662)
RT = 8665ot
TABLE 4. 5-8. Reliability Equations
4-159
Reliability Situation
n - 1 of n Units Must Work for Success
R R. + n! R.n-iQ1
s i (n- 1) I 1
n - 2 of n Units Must Work for Success
R .n + n Rn- 11 n n-2Q2
s I I ! (n- l) I1 21 (n-2) I x
n - 3 of n Units Must Work
R =Rn + nI R.n- n1 n-2 2 n n-33
s i 1 I (n-) I 1 2 (n-2) I i 3 1 (n-3)! i 
where:
W
PyPy
= 7 lb
= 400 watts
In order to compare weights, the configurations of nearly equal reliability were used.
A summary of configuration weights is shown in Table 4. 5-9.
4. 5. 3.4 Configuration Selection
Figure 4.5-4 summarizes the characteristics of the four inverter configurations.
Configuration '"DI was selected as it provides the best weight-reliability ratio, the
best system voltage regulation, and is the simplest to implement from a spare switching
viewpoint.
4.5.4 RTG RELIABILITY WITH AND WITHOUT ISOLATION DIODES
An analysis was performed to evaluate the relative reliability of the TOPS RTG con-
figuration with and without isolation diodes. These results were reported in detail in
GE Quarterly Report No. 1J86-TOPS-513 and summarized as follows.
Table 4. 5-9. Inverter Configuration Weight Summary!
4-160
Configuration Prime Inverter Spare Inverter Total
A 3. 3 3.3 17.1
1.4 2.1
1.5 1.7
1.7
2. 1
B 3.3 3. 3 15.3
3.3 3.3
2. 1
C 3.3 3.3 15.0
4.2 4.2
D 6.0 6.0 12.0
W
e, 
I9 I
z >
: 34
o
 
0 C
D
I 
ZW 
0 
I
0--4 
N
v 
~
 
e
 ',
 
~
 In
9 
7 4 
A
 
E-
b 
L 
M
 
0U
 
p 
I
Kv~I
E-4 < 4 
L ii. 1 i
#36
Icl,
I 
c
o
 
m
 
1
%
ffi;
mIn
pqoU't -4
:U 
3H
 
=
 
Cw
H
 3
Or 
cACO-4K
E-.'ci,
H= 
C0 
~
 
¢
3 
z
cq
O
-
U
-
I
 
03
C
< HWL
IOl4 
t
pq 
I 
-
!4 
P 
4 
m
 
F 7 F 1a 
1 o
FI 4 
M
 ,5
I 
E 
-
.
' 
-
I~~~ 
v 
*
 I 
~
 
0 
w
 
4L
POj01JT.
-4 co I:-
V
 
m
w
 
-
.
4 
3 
N
EH
3
w
~
w
co 
m
 V- 
I
L 
2 
Ir 
Z
>4HI-414pqP; m-
¢B3
.cm
~
-4
-4 
9-4
0~0~
p
4P
4
UC) 
ci
mr 
m
 
m
¢ 
¢
w
W
 
m
r
V
 
r 
U
i
e4
r-4m
,
>
.4H -4
Ez
c1-4
0e,
.,: 
C
0
 
t
It 
LfM 
Lo
-4 
"
t 
00
Fq 
.
.
0.4
04 
U
) 
m
H
 
C
l 
G
N
 U
4
w
 
c
oM
 
m
,
9 
_4 
C
i 
Ci
p.'p. 
p4-161
C
d
-I0o .40Qa- l)'-4az md1C).-4rz4 0sQ,P4
The isolation diodes are inserted on the output of each RTG to prevent the loss of the
bus in the event of an RTG short.
In general it is concluded that the configuration without diodes is preferable if the
power distribution and load arrangement is such that all RTGs are required to achieve
a reasonable mission value. However, if a significant mission value can be realized
even though one or more (but not all) RTGs cannot supply power, then the configura-
tions with diodes provide a greater probability of success.
4.5.5 POWER SUBSYSTEM RELIABILITY
An overview of the Power Subsystem reliability was presented in Section 3.6. This
section contains the detailed analysis from which the overview was derived. To deter-
mine the overall Power Subsystem probability of success, each function was individually
analyzed. The final configuration of each circuit as defined in Section 5 was used in
calculating reliability of the shunt regulator function, the inverter function, and the
current throttle function.
Tabulation of piece part failure rates used, component failure rates calculated and
computer programs used in the following analyses are included in Appendix A.
4. 5. 5. 1 Shunt Regulator Reliability Analysis
The block diagram of the quad redundant sequenced shunt regulator used for this
reliability analysis is shown in Figure 4. 5-5. The assembly is divided into electronics
and power dissipation resistors. The resistors are subdivided into four banks and the
electronics into four separate shunt regulators arranged in a quad configuration. From
a failure mode viewpoint, most of these divisions are completely independent.
A shunt regulator consists of the drive electronics and four shunting elements or
sequences. The drive and sequence electronics can have opposing failure modes.
For example, the drive could fail "open" which means it cannot provide base drive
4-162
0ao!4
7,-4 U:.4
4-163
to the sequences. Also, one of the transistors in a sequence could fail "short"
causing a potential continuous shunting. This combination of the two failure modes
can cause excessive shunting when not desired (due to the shorted transistor) and not
enough shunting when needed (due to the "open" drive). This duality of failure modes
2 4 3 3precludes use of the normal quad reliability equation, 1 - (2P - P 4 + 4P - 4P +
~4~~~o o s s
P ), because this equation is based on mutually exclusive opens and shorts. There-
s
fore, each shunt regulator was analyzed allowing the following states for the drive
and sequence electronics.
G - All parts good
O - One or more sequences failed open, but none failed short.
S One, two or three sequences failed short, with or without other
sequences failed open
SS - All sequences of one shunt regulator shorted or failed full-on.
For each shunt regulator, the equations for the above conditions are:
G = Rd R1 R2 R3 R4
° = Od ' (-S1) . (1-S 2 ) - (1-S3 ) . (1-S4 )
+Rd ' [(1-S 1) . (1-S2) · (1-S3) · (1-S4)-R 1R R 3 R]
S = Sd (1 - 1 022 032 04)
+ (Rd + Od) . (1 - (1-S1 ) · (1-S2). (1-S 3 ). (1-S4)
- SS
SS = S d . (10) (1-02 ) (1-03) . (1-04)
+ (Rd + Od) S1 S2 S 3 ' S 4
where:
Rd - Reliability of driver electronics
Probability of open (no drive) in drive electronics
4-164
Sd - Probability of short (constant drive) in drive electronicsd
R1 - Reliability of sequence 1 circuits
O1 - Probability of no shunting in sequence 1
S1 - Probability of constant shunting in sequence 1
Likewise for R, S, and 02-4' the 2nd, 3rd, and 4th sequences.
O = % open. (1-R) S = 1-R-O
The shunt arrangement, consisting of a quad of shunt regulators, was analyzed for
all combinations of the states defined above which provide proper shunting. Table
4. 5-10 lists the possible combinations of good states. Figure 4. 5-6 shows the
Electronics Model Schematic Diagram
Table 4. 5-10. Combinations of Shunt Regulator "Good" States
Shunt Regulator
Reduced Expression A B C D
G4 G G G GG
B G G G
G B G G4G (1-G) G B GG G B G
G G G B
2 2 G O G O4G2 x 0 G O 0 G
O G G O
O G O G
G G S SS
2 G G SS S4G x SxS SS G GS SS G G
SS S G G
2 2 G G SS SS
2G x SS SS SS G G
4-165
R = e- t
Table 4. 5-10. Combinations of Shunt Regulator "Good" States (Cont.)
Shunt Regulator
Reduced Expression A B C D
8G x (S+SS) x O
8G x 0 x S x SS
4G x O x SS2
2
8Gx x SS
G
G
G
G
O
S
O
S
G
G
O
0
S
SS
S
SS
O
G
SS
SS
G
G
O
O
0
SS
O
SS
O
S
O
S
G
G
G
G
O
O
G
G
SS
S
SS
S
G
O
SS
SS
O
O
G
G
SS
O
SS
O
G
G
S
O
G
G
S
O
S
SS
S
SS
G
G
O
O
SS
SS
G
O
SS
O
SS
G
G
O
0
S
0
G
G
S
0
G
G
SS
S
SS
S
0
O
G
G
SS
SS
O
O
SS
O
SS
O
O
O
G
G
4-166
Figure 4. 5-6. Electronics Model Schematic Diagram
In the computer program used for the numerical computations, the expressions from
Table 4. 5-10. were further combined to:
electronics = G 4+4G 3(1-G)+G [4 02+2· SS2 +4. S SS+8 0 SS]
+G- 0. [4- (SS2+2. S. SS) +8 0' SS]
The resistor bank reliability for each of 4 banks was defined as:
Nf
RN I p(N-1) QiB. i ! (N-i)!
ji=
Where
N = No. parallel strings per bank (where each string consists of two
resistors in series)
Nf = No. strings allowed to fail
2
P = R 2+2.R.PS
S
Q = Allowed failure probability 1-P-P 2
R = e X (x for resistor)
P = 0.1. (1-R)
S
4-167
With all the drive and sequence components good, the shunt has more power capacity
than required, even at mission start. Therefore, it was possible to allow one failure
open in one resistor bank at the mission start.
Likewise, an open in another bank by 1. 1 years, an open in the third bank at 2. 3 years
and an open in the last bank by 3.4 years. As the mission continues, the RTG capacity
degrades to a level which permits a second open in 1 bank at about 7 years, a second
open in two banks by 8 years, 3 banks by 9 years and a second open in ail banks by 10
years.
The shunt reliability was then:
Relect. x RB x RB2 x RB3 x RB4 x RCA P
Where R CAP is the reliability of the quad redundant shunt regulator capacitor bank.
One additional term was included when time exceeds 10 years. It was determined that
the second, third, or fourth sequence of the quad configuration could be completely
lost if the other three were completely good, due to reduced RTG capacity. This is the
probability of losing sequence 2, 3, or 4 to open while having all resistors in the other
banks good and proper shunting electronics in the other sequences. Proper shunting
was assured by requiring all four drive sections to be good. This permits use of the
quad equation for the shunting sequences. Thus the additional terms:
4 11 9
+ R4 i R R 11 [R 9R RCAP D Q res res Q2 res
SEQ 2 SEQ
OK OK
SEQ 1 resistor bank good
SEQ 1 electronics quad
All drives good
9 2 4 9
+Rs *RQ 2 P 03 -P )· R R RQ + (2 P
res 03 res
9 2 4
RQ3 (2 P0 4 -P04
3 SEQ 4 shunting
Open
02 02 ) Rrs .RQ3 R 9 RQ4 ]02 02 res 3 res
Numerically, the above expression was found to be insignificant.
4-168
Figure 4.5-7 presents the quad shunt regulator reliability as a function of mission
time for the two sets of failure rates shown in Appendix A. The irregularities in the
curves are caused by the step increase in the resistor bank reliability when additional
parallel strings are permitted to fail. A listing of the computer program and the
printouts are included in Appendix A. The 105 hour reliability for the quad redundant
sequenced shunt regulator is:
High Failure Rates Low Failure Rates
Shunt Reliability 0. 90212 0. 99383
4.5. 5. 2 Inverter F unction R eliability
The inverter function consists of main and standby inverters, failure detectors, switch
command generators, and relay switches.
Most of these devices are defined as being in one of three possible states: good,
failed open, or failed short. Each of these states are mutually exclusive, that is, it
is not possible to have a partial good - partial failed open state, etc. However, the
dual coil magnetic latch relay has four possible states: good, failed open, failed
short, or failed but will change state. This last state has a large impact on the
probability of switch success.
To determine the probability that a relay is in a specific state and will transfer when
desired, a Markov Chain analysis was performed. A transition matrix was derived
to determine the probability of the switch changing state during any time interval At.
From this, a state matrix is calculated which predicts the probability of being in each
of the four previously defined states at any time t.
Next, the probability of a successful switch-over from one inverter to another is
determined by examining the relationship between the inverter switches and the
command generators of the failure detector.
4-169
LOW FAILURE RATES
HIGH FAILURE RATES
I I I I I i I I I ,I I I
8
Figure 4.5-7.
MISSION TIME - YEARS
Quad Redundant Sequenced Shunt Regulator Reliability
0.999
0. 998
0.995
0.99
0.98
0.95
0.9
0. 8
0 2 4 6
4-170
10 12
i-
m 
The reliabilities of the inverter, dormant inverter, and failure detector were then
combined to allow determination of the probability of operating on Inverters No. 1, 2,
and 3, or all inverters failed.
4. 5. 5. 2. 1 Inverter Switch Relay Analysis
The analysis of a relay switch, which follows, produces a transition matrix that changes
with time.
A dual coil magnetic latching DPDT relay consists of several relatively independent
parts - coils, contacts, armature and supports - which produce different effects when
failed. An open coil will prevent setting the relay to a given state (A), but does not
prevent changing the relay state from A to B so long as the other coil, armature and
contacts function correctly. Likewise a jammed armature does not represent a failure
if no change of state is required.
Accordingly, a relay and its drive electronics were analyzed separately. Several
assumptions were made about the nature of relay failures. It was assumed that 90
percent of relay failures were associated with contacts and armature and 10 percent
with coils. Of the contact and armature failures, 50 percent were assumed to be the
equivalent of an immobile armature, 10 percent welded contacts, and 40 percent failed
open contacts. The probabilities for use in reliability calculations are then calculated
as shown below:
RELAY ANALYSIS
D - Driver Electronics: Good Open (Off) Short (On)
D - Driver Electronics: Good Open (Off) Short (On)
C - Coil: Good Open
K - Contracts & Armature: Open Short Stuck Good
4-171
RRelay
QC1
QK
QsK
QcK
Q Stuck
RD
QD
OD
SD
-= e<- Rt; QR = 1-RR
= QC2 0 5 QR
= .9 QR
= 19
K
=. 09Q
R
= .4Q = 3 6 QR
= .5Q = 45Q
= eDt= 
(shorted)
(Open)
= 1-R
= % open. QD
= (1-% open)' QD
The relay switch can then be in essentially 4 states - good, failed open, failed short,
failed but will change state. Calculations for these states using the above expressions
are:
for an open relay switch
PFO = (QC2 + OD2 - OC2 OD2) RK + ' 9 QK
(Will not close + (RC1 SD1) RK (1-. 5 SD2RC1)
when commandecd
FS = RC2 SD2 (1 .5 RC SD1 ) RK
(E rroneous
closure)
2
PG = RR RD
PWT = 1-PG-PFS-PFo
(Will close when
commanded)
4-172
for a closed relay switch
PFS
(won't open)
FO
(Erroneous
open)
PG
PWT
If these switches
the desired state
(QC1 + OD1 - OD1 QC1 ) RK + '6QK
+ (RC2 SD2) RK (1-. 5 RC1 SD1)
(R C1SD1) (1-. 5 RC2 SD2) RK +.4 QK
= RR (RD)
= 1-PG-PFoP FsG FO FS
were arranged in a quad configuration, the expression for being in
and will transfer when commanded is:
Pt = 1- (2PFo 2 P FO 4+ 4 FS 4P + P F S )
If it is assumed that this "reliability" can be computed using an equivalent A in Pt =
-At
e , then A = In(Pt) + t. A computer aided analysis was done to calculate an
equivalent A. The results shown in Figure 4. 5-8 demonstrate the error of using the
equivalent end of life A since A changes considerably with time. The figure also
shows, for the assumptions used in this analysis, a closed switch is more likely to
open when required than an open switch to close. This is due mainly to the higher
probability of contact failure open (due to contamination, weakening springs, etc.)
than failure short. Due to these large differences, a Markov approach was used for
relay reliability. A brief explanation of the Markov Chain analysis is included
in Appendix A.
The relay state vector was assumed to be [S1 S2 S3 S4], where:
S = Probability of being 100 percent good
S2 = Probability switch is in desired state and will change state if
commanded
4-173
EQUIVALENT X FOR AN OPEN SWITCH
=-e, Pt
t
EQUIVALENT X FOR A CLOSED SWITCH
2 4 6 8 10 12
TIME - YEARS
Figure 4.5-8 . Quad Relay Switch Equivalent A (High Failure Rates)
1.0
.5
o
Pa
1;
.1
.05
.02
0
4-174
S3 = Switch is permanently open3
S4 = Switch is permanently closed
These states correspond to the states previously defined for the relay switch. Since
Sit + ,At = [SIt x [T] t, the components of [T] can be calculated from the components
of [S] t and [SIt + At' Let:
[S]t = [G1 WT1 0 1 S1 ]
[St+At = [G2 WT2 02 2]
FPG WT PO PS
o (1-Po-PS) P 0 PS
[T] At [TIt 0 0 1 0
0 0 0 1
Then:
PG = G2/G1
PS = (S2 - S1) / (G1 +WT 1 )
P = (02 - 0 1 ) / (G1 + WT 1)
WT 1 PG - PS
Thus the incremental time transition characteristics can be calculated, and must be
done separately for an open switch and a closed switch, providing a [T o] and [Tc].
The state vector thus derived is used to calculate probabilities of failure and of
successful transfer. For instance, assume a quad configuration of closed switches
in state [G WT 0 S]. The iterative state calculation would be [S] X [Tc]. The
probability of an erroneous open is:
p = 202 - 04
O
4-175
The probability of successful transfer is:
1 - (4S - 4S3 + S4 )
If the switch is commanded, the "state" of each switch changes to [G O (O + WT) S]
since the WT state implies being in previously desired state but will transfer. The
iterative state calculation is now [S] X [T ]. The only failure of concern now is an
erroneous short, so R = 1 - (4S - 4S3 + S4 ).
In the TOPS power subsystem the relays can be configured to use either of 3 main
inverters. Accordingly, the "state" of any relay has a dimension of 3 (A-C). For
example a relay switch state is completely defined by: [SA] + [SB] + [Sc] or:
[GA WTA OA SA ]
+ [GB WTB OB SB]
+ [ C WTC 0 C SC ]
where A, B, and C correspond to the main inverters. In the subsystem analysis the
numerical value of [SA] + [SB] + [Sc] = 1. The system starts in A, and the B and C
values are computed:
[B]t + +[SA]t PAB [B ] t PBC
[]t+t = [Sc]tt + [SAlt PAC+ [B]t BC
[SA]t
'
+A t = [SA]t (1-PAB- PAC)
where
PAB = Probability system changes to B during time interval AtA = robability system changes from A to during 
PBC = Probability system changes from A to C during at
P BC= Probability system changes from B to C during AtBC
4-176
Due to the nature of the failure detection and switching
BA CB CA
For failure and reliability calculations, a unity value "probability" vector was
computed:
[PSA] = K [SA] = [K . GA K WTA K OA K SA]
where
K=
A + WTA + OA + SA
likewise for [PSB] and [PSc].
4. 5. 5. 2. 2 Redundant Inverters Analysis
Figure 4.5-9 shows the block diagram of the command generator/inverter switch
interface. In this circuit arrangement, failures can occur which cause the subsystem
to change to another inverter. Either a turnoff of the first inverter or a turn on of the
input of the second will probably trip the failure detector and cause switchover to the
second inverter.
Each command generator can be good - Gcg, open (will give no output) -Ocg, or short
(has previously given wrong output) -Scg. The probability of a relay open in K1 switch
is (approximately)
o =0 * (G Ocg ) +0 (1S-S)*Sko =sw (Gcg+ g (ISsW) Scg
where O and S correspond to the relay states in the probability vector described
sw sw
above.
Since the relays are in two quad switches, the probability of a switch open is:
PO= 2 4= (2ko2 4) 2
P1 ko ko ko ko
4-177
A. BASELINE CONFIGURATION
FROM MAJORITY VOTE
FAILURE DETECTOR
INV 1 (OFF CMD)
2 IN K2 OUT
INV 2 (ON CMD)
COMMAND
GENERATORS
INVERTER
SWITCHES
B. QUAD CONFIGURATION
FROM MAJORITY VOTE
FAILURE DETECTOR
[1 1i
I
INV 1
COMMAND
GENERATORS
I
INV 2
INVERTER
SWITCHES
Figure 4.5-9. Command Generator/Inverter Switches
4-178
C1 [- E-1
-C- D - [1
Likewise, the probability of the input to inverter 2 being turned on is:
PT 4P 2 = 4P 42 s2 s2 s2
where:
Ps2 = SSW (Gcg +0 )+ (1-0S ) Ss2 sw cg cg sw cg
The probability of this overall circuit causing an apparent inverter failure is:
PF = PO 1 + PT -P0 1 PT1 2 1 2
For a successful switchover, both quads of inverter 1 must open and both quads of in-
verter 2 must close. Since the command generators and relays are complexly inter-
connected, it is difficult to obtain a rigorous expression for this probability. A con-
servative expression is obtained by requiring 3 of the 4 "positions" to work, that is,
assume each command generator and its associated switches comprise a set of 4
elements, 3 of which must operate for success. The probability expression is then:
P
sw over
4 3
= P + 4 P (1-Pw)
w w w
where:
P = [G + WT +0]2
w I _
(2 K1 switches)
e [G+WT +S] [G + Scg]
2 Kwitches) (Command generator outpcgut)
(2 K1 switches) (Command generator output)
-X t
G = ecg
cg
0_ = % open * (1- G
cg cg)
Scg = (1- % open) · (1- Gcg)
4-179
Another possible command generator/switches interface is given in Figure 4. 5-9.
This quad configuration has much cleaner interfaces, is more easily analyzed, and
is more reliable. The failure and switchover expressions for this configuration
are:
2 4
PO 2 (2 0 -041 = swl - sw2)
PT 4 S2 -4 S3 +S
4
2 sw2 sw2 sw2
F = 4S 2 -4S3 +S 4
cg cg cg cg
PF = Fcg+ P + PT - P01 PT 2 (approximate)
The probability of a successful switchover if commanded is:
~P ~ ~~~ 2 2
sw over cg (1-PS)2 · (1-PC 2 )
R 1 - (20 _ 4 + 4S2 -4S3 + S4cg cg cg cg cg cg
PS = 4 2 4S 3 +S 4 (K1 relay won't open)1 swl swl swl
PO2 = 20 2 0 4 (K2 relay won't close)2 sw2 sw2
For both command generator/switches configurations, the probability that a failure
has not occurred at time t is (1-PF). Since the transition matrix uses At expressions,
the probability that no failure occurs during At was computed by:
RFAt = (1 - PFt)/(1 - PFtAt )
4-180
The following were also used in the overall inverter function reliability:
R.
mnv
-X. tInv
= e ON Inverter
X.inv
_ t10
= e Dormant Inverter
-kfdtR = e Failure Detector
fd = % Open (1 - Rfd)
Sfd = 1-Rfd fd
PMV = 1 - PWO - PNO Majority Voted Failure Detector reliability
2 3PWO = 3 Sfd - Sfd M V F D Wrong output
PNO = 3 0 -O M V F D No outputfd fd
The second command generator was calculated using a matrix approach like the relays
[SAcg] (= [GDcg ODcg SDcg]) for its dormant phase and [SBcg] after it was turned on.
GD
cg
OD
cg
cg t
- 10
= e
= %open . (1 - GDcg)
SD = 1 - GD - OD
cg cg cg
[SB g ] = [SBc I[T I+[SA ] PAB
cg cg[cg cg
4-181
Rdinv
where:
PAB = Probability subsystem goes from inverter 1 to inverter 2
-X At ~-X At -e c t
e cg At % Open . (1 - e ) % Short (1 - e )
[T_= 0f 1 0[Tcg
0' 0 1
The SB vector was used to calculate a unity value probability vector which was used in
reliability calculations.
When a switchover to inverter 2 occurs, the second command generator is turned on.
This CG along with the switches of inverters 2 and 3 could produce a failure condition
where inverter 2 is turned off or inverter 3 turned on. A short (erroneous turn on) in
the inverter 3 input switch is computed for the quad switch and the command generator
assumed to be good or open in all four parts. Again, since certain failures are toler-
ated in inverter 2 switches in computing the switchover probability, and other failures
in the inverter 3 switch in computing the no short probability, it would be very difficult
to obtain a precise expression for the complexly interconnected circuits. Thus requir-
ing the dormant command generators to be good or open (no wrong output) was assumed
as the best reasonable estimate. However, for the quad command generator arrange-
ment, the exact expressions can be obtained for all parts. Since they are not so com-
plexly interconnected, the normal quad reliability expressions are correct for the
switches and command generator.
Once on inverter 2, the expressions for failure probabilities and switchover to inverter
3 are the same as 1 to 2 only using the values for the second command generator and
inverters 2 and 3 switches. Once the inverter switches are used to turn off the inverter,
the only way they cause a failure is to close again, so all other failure modes can be
ignored.
4-182
4. 5.5.2.3 Inverter Function Calculations
Definition of the inverter transition matrix, its components, and the computer pro-
gram used for calculating inverter reliability is included in Appendix A.
Figure 4.5-10 presents the inverter function reliability in increments of 1000 hours.
The computer program calculated the reliability every 100 hours between each print
out. Beside the inverter function reliability at each of these intervals, printed out is
the probability of operating on Inverter No. 1, Inverter No. 2, Inverter No. 3, and the
probability of having no inverter operating.
Figure 4.5-10 was derived using the "high" failure rates and the baseline Command
Generator. Figure 4.5-11 defines the inverter function reliability using the "Low"
failure rates and the recommended quad Command Generators. Calculations were
made with the high and low rates for 3 inverters with baseline command generator
configuration and quad configuration command generator and for 2 inverters with
both command generator configurations. Table 4. 5-11 presents the results of
these runs for a mission time of 105 hours.
Table 4.5-11. Inverter Function Reliability Results
This inverter function reliability is then used in
system functions to calculate overall subsystem
conjunction with the other power sub-
reliability in Section 4.5.5. 6.
4-183
Inverter Command High Failure Low Failure
Configuration Generator Rates Rates
1 of 3 Present 0.96682 0.9992833
Quad 0.99035 0.9998509
1 of 2 Present 0. 95810 0. 998546
Quad 0.97603 0.999037
READY
$FORT TOPS-REL,PRINTOUT
12/21/71
TOPS MAIN BUS INvt.TER FUNCTION RELIABILITY
DO YOU WANT RELAY STATUS,DIAGNOSTIC PRINT OUTS(TWO ANSWERS)?: NO, NO
# INVERTERS(2 OR 3)= 3
QUAD COMMAND GENERATOR?(YES OR NO): Nn
LAMBDAS IN FAILURES PER MILLION HOURS
LAMBDAS-RELAY,INVERTER: 2.0, 1.546
LAMBDAS,P OPEN-RELAY DRIVER,FAILURE DETECTOR,COMMAND GENERATOR
= 0.076, .566, 0.q99, .561, 0.061, .705
MISSION HOURS, # INTERVALS: 100000, 1300
1.141-YEARS,INV FUNCT. RELIABILITY:0.999952137
STATE MATRIX-1,2,3,FAILED
0.984539457 0.015234974 0.000177711 0.000047856
2.282-YEARS,INV FUNCT. RELIABILITY:0.999625909
STATE MATRIX-1,2,3,FAILED
0.968644880 0.030268369 0.000712566 0.000374153
3.422-YEARS,INV FUNCT. RELIABILITY=0.998775467
STATE MATRIX-1,2,3,FAILED
0.952521317 0.044682372 0.001571786 0.001224525
4.563-YEARS,INV FUNCT. RELIABILITY=0.997200266 MAIN BUS INVERTER
STATE MATRIX-I,2,3,FAILED
0.936215833 0.053821396 0.002703038 0.002799733 RELIABILITY FOR
SEVERAL MISSION
5.704-YEARS.INV FUNCT. RELIABILITY:0.994746558 TIMES
Figure 4.5-10. Inverter Reliability Program Printout - Using High Failure Rates
4-184
STATE MATRIX-1,2,3,FAILED
0.919772223 0.070929025 0.004046306 0.005253441
6.845-YEARS,INV FUNCT. RELIABILITY:0.991305962
STATE MATRIX-1,2,3,FAILED
0.903231144 0.082533845 0.005540977 0.008694033
7.995-YEARS,INV FUNCT. RELIABILITY=0.986810990
STATE MATRIX-I,2,3,FAILED
0.886630192 0.093050870 0.007129925 0.013189003
9.126-YEARS,INV FUNCT. RELIABILITY:0.931229626
STATE MATRIX-1,2,3,FAILED
0.870004095 0.102463770 0.008761758 0.018770371
10.267-YEARS,INV FUNCT. RELIABILITY:0.974559732
STATE MATRIX-1,2,3,FAILED
0.853384300 0.110782984 0.010391945 0.025440264
11.408-YEARS,INV FUNCT. RELIABILITY=0.966823608
STATE MATRIX-I,2,3,FAILED
0.836801626 0.118038747 0.011983230 0.033176390
READy
$FORT TOPS-REL,PRINTOUT
12/22/71
TOPS MAIN BUS INVERTER FUNCTION RELIABILITY
DO YOU WANT RELAY STATUS,DIAGNOSTIC PRINT OUTS(TWO ANSWERS)?= NO, NO
# INVERTERS(2 OR 3)- 3
QUAD COMMAND GENERATOR?(YES OR NO):YES
LAMBDAS IN FAILURES PER MILLION HOURS
LAMBDAS-RELAY,INVERTER: 0.5, 0.3696
LAMBDAS,P OPEN-RELAY DRIVER,FAILURE DETECTOR,COMMAND GENERATOR
= 0.0128, .578, 0.3072, .533, 0.0135, .741
MISSION HOURS. # INTERVALS= 100000, 1000
1.141-YEARS,INV FIJNCT. RELIABILITY:=0.999999944
STATE MATRIX-1,2,3,FAILED
0.996328130 0.003658130 0.000013539 0.000000150
2.282-YEARS,INV .FUNCT. RELIABILITv:0.999999930
STATE MATRIX-1,2,3,FAILED
0.992593999 0.007350105 0.000054736 0,.000001166 MAIN BUS INVERTER
3.422-YEARS,INV FUNCT. RELIABILITY-0.999996074 RELIABILITY FOR
STATE 1MATRIX-1,2,3,FAILED ,"SEVERAL MISSION
0.993935469 0.011036775 0.000123834 0.000003920 TIMES
Figure 4.5-11. Inverter Reliability Program Printout - Using Low Failure Rates
4-185
4.563-YEARS,INV FUNCT. RELIABILITY=0.999990694
STATE MATRIX-1,2,3,FAILED
0.985053472 0.014716194 0.000221026 0.000009301
5.704-YEARS,INV FUNCT. RELIABILITY=0.999981776
STATE MATRIX-1 2,3,FAILED
0.981243909 0.018396409 0.000346456 0.000013224
6.845-YEARS,INV FUNCT. RELIABILITY:0.999969380
STATE MATRIX-1,2,3,FAILED
0.977422647 0.02204550S 0.000500221 0.000031618
7.985-YEARS,INV FUNCT. RELIABILITY=0.999949567
STATE MATRIX-1,2,3,FAILED
0.973575562 0.025691630 0.000632370 0.000050432
9.126-YEARS,INV FUNCT. RELIABILITY=0.999924369
STATE MATRIX-1,2,3,FAILED
0.969703510 0.029322951 0.000992904 0.000075629
10.267-YEARS,INV FUNCT. RELIABILITY"0.999891910
STATE MATRIX-1,2,3,FAILED
0.965q22324 0,032937700 0.001131780 0.00010813S
11.409-YEARS,INV FUNCT. RELIABILITY=0.999q50999
STATE tIATRIX-1,2,3,FAILED-
0.961917940 0.036534152 0.001399190 0.000149097
4.5.5.3 Current Throttle/Steering Switch Reliability Analysis
As the steering switch uses a relay to transfer from the main current throttle to the
standby, the Markov Chain analysis was used for the same reasons as those of the
inverter switches previously described.
The state vectors, transition matrix elements, and the equations that define the matrix
elements are included as part of Appendix A.
Calculation of the Current Throttle function reliability was performed in the subsystem
reliability program of Section 4.5.5.6. Figure 4. 5-12 and 4. 5-13 show the probability
of a Current Throttle path as well as a good Current Throttle. Also a state matrix
presents the probabilities of CT No. 1 good, CT No. 1 short, CT No. 2 good, CT No. 2
short, and the probability of no path through the Current Throttle function at the end
of the mission (105 hours). These results are presented in Table 4. 5-12 below:
.Table 4. 5-12. Current Throttle/Steering Switch Reliability
CT Power Path| Good Cr
High Failure Rates 0.98446 0. 98097
Low Failure Rates 0.99867 0. 99837
4.5.5.4 RTG Reliability Analysis
The development of the RTG power source continued through the Power Subsystem
Study period. Reliability data of the thermocouple design provided a range of RTG
probability of successful operation at end of mission (105 hour).
Two sets of numbers were used in computing subsystem reliability. The first set
which provided a band of 0. 99 to 0. 995 was used in conjunction with the High Failure
Rates for determining subsystem reliability. The second set with a band of 0. 995 to
0. 998 was used in conjunction with the Low Failure Rates. The extremes of each
band represent a change in failure rate of approximately 50 percent.
4-186
TOPS POWER SUBSYSTEM RELIABILITY
LONG FORM PRINTOUT?(YES OH NO)- NO
LAMBDAS-RTGPRELAY= 0.1005- 2.0
LAMBDASP OPEN-C.T.-ST.SW.*RELAY DRiR.PO~W DIODES
- 0.834, .4908 0-4809 .534 80.053. *491. 0.-9a .5
RELIABILITIES
SHUNT- .96974, -96494- .98495. .97403 .965863. .94951 .-93734
.92573, .91829, .90212
MAIN INV FUNC- .9999521. .9996258, .*9987755. *99720a3. .9947466
.9913060, .9866110. .9812296. .9745597. -9668236
PB INV FUNCG .999821. .999095. -99751a. .995178. .991723
.987178, .981520, .974762. *966937, .958097
1-14 YEARS
MAIN BUS 1001 POWER REL= 0.965622
FAILURE TOLERANT HEL = 80965411
2.28 YEARS
MAIN BUS 100Z POWER REL- 8.956147
FAILURE TOLERANT REL - 0-955131
3.42 YEARS
MAIN BUS 100% POWER HEL= 0.970365
FAILURE TOLERANT HEL - 0-967697
SUBSYSTEM RELIABILITY
4.-56 YEARS FOR SEVERAL MISSION
MAIN aUS 100Z POWER HEL= 0.953093 TIMES
PGRTG CT PATH CT GOOD POW DIODES
0-9605973 0.9844550 0.9809747 0.9999197
CURRENT
_- TEHROTTLE
RELIABILITY
PROGRAM- STOP AT 1390
Figure 4. 5-12. TOPS Power Subsystem Reliability Printout - Using High
Failure Rates
4-187
FAILURE TrOLERANT REL = 0.947913
5.70 YEARS
MAIN BUS 100% POWER REL- a.932496
FAILURE TOLERANT REL = 0.923901
6.-84 YEARS
MAIN BUS 1002 POWER REL- 0.913193
FAILURE TOLERANT REL - 0.900270
7.99 YEARS
MAIN BUS 1002 POWER REL- 0.891978
FAILURE TOLERANT REL = 0.873905
9.13 YEARS
MAIN BUS 1001 POWER HEL- 0.878426
FAILURE TOLERANT REL 0.846485
10.27 YEARS
MAIN BUS 1002 POWER REL- 0.685197d
FAILURE TOLERANT REL - 0.821410
11.41 YEARS
MAIN BUS 100i POWER REL- 0.824734
FAILURE TOLERANT REL = 0.787382
C.T. STATE MATRIX
0-8420090 0.0003998 0-1386145 0-0034317 .-0155450
C.T. TRANSITION MATRIX
0.9998328 0.0000009 0.0001476 0.0000006 0-0000181
0. 0.9999348 0- 0. .-6008652
0. 0-. 0-9998684 0-0000425 0-0000891
0. 0. 0. 0.9999518 3.0a 00482
0. 0. 0. a. 1.0000000
TOPS POWER SUBSYSTEM WELIABILITY
LONG FORM PRINTOUT?(YES OR NO)= NO
LAMBDAS-RTG,RELAYn 0.0501, 0.5
LAMBDAS.P OPEN-C-.T.ST.SW..RELAY DRVR,POW DIODES
* 0.2261* .477, 0-1545 .*521. 0-0089, .438, 0-008, -5
RELIABILITIES
SHUNT- .99024..98991,.99896 .99817..99715.-99648 .99574.-99512
.99497..99383
MAIN INV FUNC- .9999993. .9999942. .9999803, .9999534, .9999091
.9998431. .9997514, .9996301, .9994752, .9992833
PB INV FUNC- .9999919, .9999641- *9999121, .9998318 *-9997190
.9995701. .9993815, .9991499. .9988724, .9985459
SUBSYSTEM RELIABILITY
FOR SEVERAL MISSION
^ TIMES
PGRTG CT PATH CT GOOD POV DIODES
0-9801594 0.9986683 0-9983675 0.9999994
CURRBNT
. THROTTLE
RELIABILITY
PROGRAM STOP AT 1390
Figure 4.5-13. TOPS Power Subsystem Reliability Printout - Using Low
Failure Rates
4-188
1.14 YEARS
MAIN BUS 1001 POWER RELa 0.988243
FAILURE TOLERANT REL a 0-988232
2.28 YEARS
MAIN BUS 100X POWER REL= 0-985890
FAILURE TOLERANT REL = 0.985842
3.42 YEARS
MAIN BUS 100S POWER RELs 0.992829
FAILURE TOLERANT REL = 0.992714
4.56 YEARS
MAIN 8US 100% POWER REL- 0.989936
FAILURE TOLERANT REL a 0-.99721
5.70 YEARS
MAIN BUS 1001 POWER REL= 0-986781
FAILURE TOLERANT REL - 0-986428
6.84 YEARS
MAIN BUS 100S POWER REL- 0.983933
FAILURE TOLERANT REL = 0.983401
7.99 YEARS
MAIN BUS 1001 POWER HEL- 0.980973
FAILURE TOLERANT REL * 0.980220
9.13 YEARS
MAIN BUS 100% POWER REL- 0-978087
FAILURE TOLERANT REL - 0-977066
10.27 YEARS
MAIN BUS 1001 POWER REL= 0.975613
FAILURE TOLERANT REL = 0-974274
11.41 YEARS
MAIN BUS 100S POWER HEL- 0-972117
FAILURE TOLERANT REL - 0.970411
C.T. STATE MATRIX
0.9530018 0-0000456 0.0453218 0.0002991 0.0013317
C.T. TRANSITION MATRIX
0-9999521 0-0000001 0-0000461 0.0000001 0-0000016
0. 0.9999821 0. 0. 0-0000179
0. 0. 0.9999640 0.0000118 0.0000242
0. 0. 0. 0.9999866 0.0000134
0. 0. 0. 6. 1-0000000
4.5.5.5 RTG Power Diode Reliability Analysis
Each RTG is connected to the common Main Bus via isolation diodes. The diodes pre-
vent an RTG failure from loading the remaining RTGs. As the diodes are parallel re-
dundant, their reliability is determined as follows:
RD = Reliability of one diode
QD = Probability of failure open
RpD = Probability of power path through all power diodes
RD = e
QO = % open (1-RD)
RPD = (1-Q02 )4
Numerical calculation was performed in the subsystem reliability program of Section
4.5.5.6.
4.5.5.6 Power Subsystem Reliability Analysis
The analyses and results of the Power Subsystem functions contained in previous sec-
tions of 4. 5.5 are combined here to determine overall Power Subsystem reliability.
Two results were calculated. The first presents the probability of delivering 100
percent power from the Main Bus to the spacecraft loads. The second which is
identified as Failure Tolerance determines the probability of having both a good Main
Bus and a good Protected Bus.
The probability of suppling 100 percent power from the Main Bus to the spacecraft
loads is computed by:
P100POW = RM1NV- PGRTG . RPD. RSHUNT. PCTPOW
4-189
where:
P100POW = Probability of 100% power from the Main Bus
RMINV = Reliability of main inverter function
PGRTG = Reliability of four RTGs
RPD = Probability of a power path through power diodes
RSHUNT = Reliability of shunt regulator function.
PCTPOW = Probability of a power path through current throttle function.
Also calculated was the probability of having 100 percent power to the Main Bus with a
good Protected Bus. This measures the power subsystem's failure tolerance reliability
and is calculated as follows:
PFTOL = PGRTG. RPD. PCTG- RSHUNT · RMINV. RPINV
where:
PFTOL = Probability of 100 percent Main Bus power and a good Protected Bus
PC TG = Probability of a good current throttle function
RPINV = Reliability of the Protected Bus inverter function
The computer program developed for these subsystem calculations is included in Ap-
pendix A. Figures 4. 5-12 and 4. 5-13 are representative printouts for the baseline
Power Subsystem configuration.
A graphical presentation of the Failure Tolerant Reliability is shown on Figure 4.5-14.
This is the probability that both Main and Protected Buses are operating within speci-
fication. As can be seen, at about 4.5 years into the mission reliability drops below
that allocated for the Power Subsystem (R = 0. 95) if the high failure rates are used.
4-190
.996
992 
· 98
.99
LOW FAILURE RATES
.96
.9
.8
.7
I I I I I I
0 2 4 6 8 10 12
MISSION TIME - YEARS
Figure 4. 5-14. TOPS Power Subsystem Failure Tolerant Reliability
Using the low failure rates, the lowest reliability occurs at end of mission and is 0. 97.
The discontinuity at 3.4 years is attributed to allowing loss of shunting capacity in the
shunt regulator function (Reference Section 4. 5. 5.1).
Many computations were performed to determine power subsystem reliability sensi-
tivity to changes of function reliability within the subsystem. Three functions were
varied individually; the RTG, the Command Generator of the Inverter Failure Detector,
and the number of Main Bus Inverters.
Table 4.5-13 shows how the reliabilities of 100 percent Main Bus power and Power
Subsystem Failure Tolerant are changed due to changes in RTG reliability.
4-191
Table 4.5-13. Effects on Subsystem Reliability - Variation of RTG Reliability
Both "High" and "Low" piece part failure rates were used. As can be seen, an improve-
ment of RTG reliability in the third significant figure impacts the second significant
figure of the subsystem reliability. This is due to the fact that there are four RTGs
in series in the reliability equation.
Table 4. 5-14 presents the effects of changing the configuration of the Inverter Failure
Detector Command Generator from the baseline arrangement to a quad. A significant
improvement is noted when comparing Table 4. 5-14 with the comparable data of
Table 4. 5-13.
Table 4. 5-15 shows that the reduction of the number of Main Bus inverters from 3
to 2 results in the same or a slight improvement in subsystem reliability if the quad
Command Generator is incorporated. (Compare Tables 4. 5-13 and 4.5-15.)
The results of these calculations show that the Power Subsystem can exceed its
reliability apportionment of 0. 95 if the "Low" failure rates are used in the analysis.
4-192
Main Protected Bus 100% Main FailureInverter Inverter RTG Bus Power Tolerance
Function Function
High Failure 0. 9668 0.9581 0.99 0. 8247 0. 7874
Rates 0.995 0.8415 0.8034
Low Failure 0. 999283 0. 998546 0, 995 0.9721 0, 9704
Rates 0.998 0.9839 0.9822
Table 4.5-14. Effects on Subsystem Reliability - Using a Quad Command Generator
Table 4.5-16. Effects on Subsystem Reliability - Quad Command
Generator with 2 Main Bus Inverters
4-193
4.6 TRANSFORMER OPTIMIZATION STUDY
A study was conducted to determine the optimum frequency-flux-material combination
for transformers in the TOPS power subsystem. The optimum combination results in
the least weight of both the transformer and power source required to compensate for
transformer losses. Using a power source weight penalty of 1. 7 watts per pound, the
least weight combination is provided by Supermalloy transformers operating at 8 KHz.
4.6.1 ANALYSIS
A computer program was written to study five transformer types: Orthonol, 48 Alloy,
and Supermalloy toroids, and Silectron and Supermalloy cut C Cores. 48 Alloy was
subsequently deleted because it did not differ significantly from Orthonol. Figure
4.6-1 presents the physical construction of the transformers. Core dimension D was
varied and the window area completely filled with wire using the same amperes per
square inch (ASI) for all windings. As the iron area increased, the turns decreased
and the window area increased, resulting in a rapid decrease in the ASI. For different
fluxes and frequency, the program calculated losses and weight for transformers rated
at 18 watts. Frequencies of 5 and 10 KHz were studied in more detail since core loss
data at these frequencies was available. The effect of switching losses in the driving
transistors was also included. Specific formulas used are listed in Table 4.6-1.
To get results most applicable to the expected requirements, a limit of 200 millivolts
per turn (maximum) was used. Since five volt outputs are often required, this granu-
larity would permit adjustment to the proper output voltage level.
The computer program calculated transformer characteristics by incrementally in-
creasing the iron area (at a given flux and frequency) and determining the turns that
would fill the resulting window area. An acceptable design is achieved when the
ampere turns divided by the window area results in an acceptable ASI. The wire, core,
and switching losses are then calculated along with weight. Additional designs are then
calculated (by increasing the iron) to span the region of minimum loss. Appendix B
provides a copy of the computer program and a sample of one printout.
4-194
TOROa/IDR \n \\ vCOPPER
ht/2
TOROID SECTION A-A
A4-1 9D r 32D
h_ _COR
COPPER
CUT CORE SECTION A-A
Figure 4.6-1. Transformer Physical Characteristics
4-195
Table 4.6-1. Formulae
GENERAL
Usable Window = window x % Usable (WF) x Copper Stacking Factor (SF)
N windings
Area Current = E Ki Ni Ai K = 2 for Center Tap
i
-
':
=
-
1 N = Number of turns
A = Current
i = Winding Index
ASI = Current Area/Usable Window
NW sigma x Mean length x (A. Ni)2
Copper Power Dissipation = E 
i=1 N. A./ASI1 1
Winding Build =Area Current length for the winding (L)ASI x WF x SF
Toroid:
Winding Length (L) = 2 fI x Radius from center for that winding
Core Volume = 10 n1 D3
Winding Volume = [(ht + M x R) (R - R )inner i 0 (.
-M/3 (R -Ri3 )] -10 D3
Where R = radius to outside of winding
Ri = radius to inside of winding
M = slope
C-Core:
Core Volume = 24 D3
Winding Volume = h x W x 4. 5D - 6. 75D3
4-196
4.6.2 CONCLUSIONS
A locus of minimum weight per dissipation was found for each material for both the 6
and 10 KHz frequencies. This locus resulted from the maximum limit of 200 mv/turn
placed on the transformer design.
The point of each locus where the slope was equal to 1. 7 watts per pound was computed.
This value was selected as it is the RTG power to weight ratio and provides a minimum
weight power subsystem.
If a transformer ratio less than 1.7 was selected, adding a pound in the transformer
would reduce the power loss and theoretically, weight could be removed from the RTG
to equal the power saved. However, less than a pound is removed from the RTG be-
cause less than 1.7 watts was saved at the transformer. This does not provide a
minimum weight system as there is a net increase in weight. If the transformer ratio
was larger than the RTG, removing one pound of transformer increases the power loss
at a magnitude greater than 1. 7 watts/pound (RTG ratio). Therefore, more than one
pound of RTG must be added to provide the power lost in the transformer.
A comparison of the 1. 7 watts per pound points showed the supermalloy to be superior
for both the toroid and the C-core transformers with toroid being the most favorable
configuration from a watts per pound viewpoint.
It is recommended that supermalloy material be used at 8 to 10 KHz for an optimum
transformer design for this power subsystem. The study is covered in detail in GE
Quarterly Report 1J86-TOPS-555, dated 1 August, 1970.
4.7 SYSTEM RESPONSE STUDIES
Section 4.1 pointed out the desirability of avoiding the use of long-life batteries for the
TOPS mission. The principal reason cited was the uncertainty associated with long-
life performance. By eliminating battery energy storage, it becomes necessary to
4-197
provide some additional RTG capability to cope with transient conditions that would
ordinarily be handled by batteries. Besides the added RTG capability, filters must
also be incorporated so that desired bus voltage conditions are maintained for the
anticipated operational sequences.
This section discusses these factors and provides a rational basis for determining
necessary RTG margins and filter designs.
4.7.1 FILTER CONFIGURATION
Filters, consisting of combinations of in-line inductors and shunt capacitors, are
inserted between the source and loads for the following purposes:
1. They limit the time rate of change of demand current to values consistent
with the capability of the voltage regulation equipment. As long as excessive
rates of current change are avoided, the regulator can maintain voltages
within specified limits.
2. They serve as buffers by preventing current fluctuations peculiar to the load
from being reflected back to the regulated bus.
3. For certain types of fluctuating loads (e. g., switching type converters and
regulators), the energy stored in the filter is necessary for proper operation
of the load.
The need for and design of the filter elements are, of course, dependent on the charac-
teristics of the particular loads. Some loads, of which heaters are typical, may be
mostly resistive, and will generally require little if any filtering. Other loads are
quite different and can produce undesirable disturbance because of insufficient filtering.
Filters are usually applied to individual loads or limited load groupings rather than as
a single element for the entire system. Historically, filters are incorporated to cor-
rect undesirable transient conditions detected during system development tests. Besides
being heavy, the use of a single large filter would not likely satisfy all of the dis-
turbance characteristics uncovered during such testing. Additional filtering would be
4-198
required anyway - hence the use of filters for individual loads seems more appro-
priate. Furthermore, individual load filtering is more effective for buffering, the
principal purpose for filtering.
Figure 4. 7-1 shows several filter-load arrangements which might be applied to the
TOPS electrical arrangement. In one case, load switches are located between the
filter elements and the loads. In the other case, the switches are located ahead of the
filters and loads. Since it is desirable to locate the filter near its associated load,
the first arrangement would require that the load control switches also be located at
the loads. Locating switches centrally in the Power Distribution Assembly will not
only result in greater design uniformity and simpler means of switch control by the
CCS, but will also be more effective for fault isolation. Protection against both
harness and filter failures is more effective by locating the switches centrally.
4.7.2 FILTER ANALYSIS
Some of the principal factors affecting filter design are as follows:
a. Voltage regulation requirements.
b. Response characteristics of the regulation equipment.
c. Available power margin for absorbing transient disturbances.
A discussion of these and related factors is presented below with the use of an im-
pedance-frequency plot of the type shown on Figure 4.7-2. This plot is useful in de-
fining regions in which satisfactory operation is obtained. Since specific values of im-
pedance and frequency uniquely define inductance and capacitance, the plot can be used
to select particular combinations of these elements for filter designs.
4.7.2.1 Shunt Regulator Response
The use of a filter might first be considered in conjunction with the response of the
main shunt regulator used to regulate the voltage to 30 VDC ± I percent. The introduction
4-199
of a heavy load could result in an excessive voltage deviation unless the demand current
characteristics were constrained to match the response capability of the shunt regulator.
An inductor may be used to limit the rate of change of current so that the shunt regu-
lator capability is not exceeded. Tests on the shunt regulator demonstrated that the
rate of change of current that could be furnished within the allowable regulated voltage
deviation was 60, 000 amperes per second. The value of inductance required to limit
the current rate to this value can be determined from the expression,
E
L di/dt
where
E = the step voltage applied to the load, 30 volts
L = value of inductance in henries
di/dt = maximum rate of charge of current, 60, 000 amperes per second.
With these limiting values, the minimum value of inductance required is
30L = 0. 5 millihenries60,000
With this value of inductance inserted between the regulated bus and loads, the bus
voltage will remain within regulation when power is suddenly demanded. For purely
resistive loads, the response of this inductive-resistive load will take the form of an
initial current increase of 60, 000 amperes per second which exponentially approaches,
but does not exceed, a steady-state value. The limiting condition of using a 0.5 milli-
henry inductance or larger is shown on the impedance-frequency plot which excludes
the region to the right of the 0.5 millihenry line.
Another characteristic of the shunt regulator which affects filter design concerns its
high impedance at certain frequencies. This is shown on Figure 4.7-3 which indicates
the desirability of operating below 5000 Hertz to avoid regions of resonant operation
and instability. Therefore, the region to the right of 5000 Hertz is excluded on the
impedance-frequency plot of Figure 4. 7-2.
4-200
I LTEER_
.__ 
_ I _.
LFITER 
_-If 
(A) REMOTE SWITCHING ARRANGEMENT
LOAD
FLT ER II - -- - ~~~~~~~I
FILTE RI
(B) CENTRAL SWITCHING ARRANGEMENT
Figure 4.7-1. Filter Configurations
100
0
P4
10
1 .l
0.01
Figure 4.7-2. Impedance Chart
0.1 1 10
FREQUENCY, KILOHERTZ
Figure 4.7-3. Shunt Regulator Dynamic Impedance at Nine Amperes, 210 AF
4-201
I
Va
A,
N
9
FREQUENCY (HZ)
100
I"-3
4. 72.2 Weight Trade Considerations
With the several limits described above established by the shunt regulator, it seems
desirable that inductors should be selected having the lowest value of inductance since
this will result in least weight. (The weight analysis of filter elements is covered
later in paragraph 4.7.3.2). This would be true excepting for the weight associated
with RTG margin resulting from particular filter selections. To explain this relation-
ship, it is necessary first to discuss capacitive filter requirements due to load pecu-
liarities. In the development of certain TOPS converters, it was necessary to install
input capacitors to provide energy pulses due to the pulsed nature of the load demand.
Typically, a capacitance of 50 microfarads was sufficient for this purpose. If this
capacitance is used in conjunction with the 0.5 millihenry inductor defined earlier,
the resonant frequency of the combination is about 1000 Hertz with an impedance of
3 ohms as indicated on the impedance-frequency plot of Figure 4. 7-2.
Other inductance values could be selected, which are greater than 0. 5 millihenries, by
transversing along the 50 microfarad line, assuming this capacitance is firmly estab-
lished by the load characteristics. By doing this, the filter weight increases because
of the increased inductance, but the RTG margin decreases as shown by the overlaid
horizontal lines on the plot. These margin lines are simply established by the imped-
ance for the particular inductor-capacitor combination, and the rated RTG current and
voltage. At an impedance of 20 ohms, for example, the margin is 10 percent. This
results from the fact that 1.5 amps at 30 volts is required to satisfy a 20 ohm load.
This represents 10 percent margin over the rated RTG current of 15 amperes. The
margin would come into play during the switch on to a fully loaded condition. If the
filter impedance for this final load was 20 ohms, then 1. 5 amperes would be required
to satisfy the transient characteristic at turn on.
By traversing the constant capacitance line, a weight trade between filter weight and
the weight associated with RTG margin can be developed. The filter weight must
4-202
represent the aggregate of the filters for all of the loads. The following procedure
would be used in conducting this trade:
1. Select a value of RTG margin.
2. Determine the RTG added weight associated with this margin. Based on a 450-
watt nominal RTG output, each percent margin represents 4.5 watts. At an
RTG rating of 1. 7 watts per pound, this represents a penalty of 2.64 pounds
for each percent of margin.
3. For each load, determine the value of capacitance required for operation.
Determine the capacitance weight as described in Paragraph 4.7.3.2.
4. Using this value of capacitance, determine the value of inductance corres-
ponding to the point where the capacitance line crosses the RTG margin line
on the impedance-frequency plot.
5. With this value of inductance, determine the inductor weight as described in
Paragraph 4. 7. 3.1.
6. Determine the total weight penalty by adding the filter weights for each load
and the RTG margin weight.
7. Develop the weight trade by selecting a different value of margin and repeat-
ing steps 1 to 6.
The above process was carried out for a hypothetical set of loads representative of
those to be used on the TOPS mission. The results are shown on Figure 40 7-4 which
indicates that an RTG margin of about four percent would result in an optimum system.
This margin should not be confused with other margins required for such factors as
growth, degradation, uncertainties, etc. The four percent margin would be strictly
associated with the maintaining voltage during transient load sequences.
4.7.3 FILTER COMPONENT CHARACTERISTICS
The discussion below describes the behavior of filter elements and certain factors to
be considered in their application to filter designs.
4-203
1 2 3 4 5 6 7
PERCENT PEAK CURRENT
Figure 4.7-4. Optimized System Weight
8 9 10
15
14
13
12
11
10
9
8
X
3
H
0
7
6
5
4
3
2
1
0
0
4-204
4. 7.3. 1 Inductor Elements
It has been observed that inductors used in transient suppression filters do not always
behave as would be predicted by their ac characteristics. Saturation by dc magnetiza-
tion appears to be principally responsible for the inconsistent behavior. To illustrate
this effect Figure 4. 7-5 shows an oscilloscope trace of the current through a filter in-
ductor at turn-on, with a time base of 200 microseconds per centimeter. It can be
seen that the inductor holds the current to a linear ramp during only the first few
hundred microseconds. With loss of inductance (due to saturation) the current rate
increases drastically. For this particular case, the magnetic core of the inductor
was made from a pulverized 2 percent molybdenum, 81 percent nickel, 17 percent iron
alloy that is annealed, insulated, and pressed into a rigid toroid. The core had a
nominal permeability of 125. The toroid was wound with approximately 14 feet of AWG
20 magnet wire to 108 turns to give a nominal inductance of 1. 83 millihenries. The
nominal copper resistance of the winding was 0. 0103 ohms per foot at 250 C which re-
sulted in a total resistance of 0. 1442 ohms.
VERTICAL SCALE = 4 amperes perI, - ---centimeter
HORIZONTAL SCALE = 150 microseconds
per centimeter
Figure 4.7-5. Turn on Current Transient of a Filter Inductor
4-205
A further evaluation of this inductor was carried out to determine its inductive react-
ance. This was done by introducing a resistive load in series, controlled by an ac
current modulated transistor. The alternating voltage across the inductor under test
was divided by the peak-to-peak current swing at the same frequency to provide the
dynamic impedance of the inductor. Knowing the impedance, the inductance was calcu-
lated from the relationship ZL = 27TfL. The dc current level was varied during the test
to determine the effects of dc magnetization as shown on Figure 4.7-6.
The maximum unsaturated inductance is nominally 1.83 millihenries. At full satura-
tion where the permeability is effectively equal to 1, the inductance may be as low as
14.64 microhenries, based on a permeability of 125 at 1.83 millihenries. (1. 83 x
10-3/125 = 14.64 x 10- 6 henries)
The insulation on the turns of electromagnetic devices serve as dielectric materials in
developing capacitance effects as voltage is induced in each turn. The maximum voltage
2.0
1.8 
1.6
1.4
Z
1.2
1.0
U 0.8
E 0.6
3 0.4
0.2
0. 
0 1 2 3 4 5
DC MAGNETIZING CURRENT, AMPERES
Figure 4.7-6. Apparent Inductance
4-206
exists between the end turns; if these end turns can be separated sufficiently, the intra-
winding capacitance can be reduced.
Considering a toroid core, low capacitance is obtained by leaving a sector of the core
free of turns. The turns start at one side of the sector, proceed around the main body of
the core, and end at the opposite side of the free sector. The turn to turn voltage is
low and the capacitance effects are low. The highest voltage difference occurs at the
ends, but capacitance is minimized by the sector separation.
The comparative results of a random layer wound inductor and a sector wound inductor
are shown on Figure 4.7-7. The total effect of the distributed intrawinding capacity
can be considered as a single capacitor shunted across the coil terminals. This parallel
circuit will exhibit a maximum impedance at some high frequency defined as the self-
resonant frequency.
A novel approach to reducing the effects of dc magnetization was developed as described
below. A second winding is placed on the magnetic core, and terminated across a
resistor as shown in the schematic of Figure 4. 7-8. The value of this resistance is
selected to minimize the peak current at turn-on. The induced voltage from the primary
winding causes a current flow in the current limited secondary that effectively links the
core in a direction to attempt to cancel the ampere-turns that caused it. This results
in lower net ampere-turns of dc magnetization, and a higher apparent inductance.
Some typical data on resistor selection for this approach are plotted on Figure 4.7-9.
Inductor weights vary more nearly as the product of inductance and the square of the
rated current, and per unit weights vary almost ten to one as a function of core material,
losses, and the style of packaging. A typical range of weight values is shown between
the two nominal limits of Figure 4.7-10. A meaningful tradeoff exists then between the
amount of filtering provided to limit ripple current, and the extra weight of RTG
4-207
100lK
10K \
1K-
100 I I I
10 100 1K 10K
FREQUENCY, KILO HERTZ
Figure 4.7-7. High Frequency Inductor Characteristics
4-208
,C >30 OHM
LOAD
R1
Figure 4.7-8. Inductor Transformer Test Circuit
100
z 
4 10 0_ MH, 100 f
100
1 10 100
INDUCTOR SECONDARY RESISTANCE (OHMS)
Figure 4.7-9. Turn-on Transient Current
4-209
> AT.
OOw
o
0o 
o
-
(ONf1Od H
Sd ZSS3H
dW
V
-X
H
N
aH
ITIIIW
) A
L
ISIaG
4
-2
1
0
-
-
4
.,
capacity to provide the peak over average current that is permitted on the bus. If the
output capacitance of the shunt regulator is neglected, each component should limit its
peak current with a filter whose weight is optimized to minimize the combined weight of
the filter and the RTG. The results of this trade-off is shown on Figure 4.7-4, where
the two nominal limits on inductor weight were used, data is presented for sixty typical
loads rated at 0.5 amperes each, and the results show that permissible ripple current
should be in the range of two to four percent.
4.7.3.2 Capacitor Elements
Foil tantalum capacitors are usually selected for low pass filter applications on dc
systems. For the nominal 60 vdc rating required on the 30 vdc bus, the capacitance-
equivalent series resistance product is a constant at approximately 180 microfarad-
ohms. A value of nominal equivalent series resistance of the filter capacitor can thus
be established in terms of capacitance in farads as
R c =- (180 x 10
- 6 ) ohmsc C
Some typical foil tantalum characteristics in the values of interest are listed in Table
4,7-1.
The characteristic weight of tantalum foil capacitors of type CL-55 and CL-65 of
MIL-C-3965, covering the capacitance range from 10 microfarads to 1000 microfarads,
is fairly uniform. Typical weights per microfarad are shown on Figure 4. 7-11.
4.7.4 DC IMPEDANCE
DC impedance cannot be conveniently plotted on the impedance-frequency plot. The im-
portant factors concerning its determination are discussed as follows:
4-211
Table 4.7-1. Capacitor Characteristics
The impedance at dc is the sum of the effects of the shunt regulator static regulation,
distribution harness voltage drops and series resistance of filter inductors.
Each is estimated as follows:
1. The shunt regulator has a static regulation capability of 30 volts ± .1 volts as
established by test. The specified regulation at the regulator terminals was
30 volts ± 0.3 volts.
2. As described later in Section 4.9, optimum harness sizing results in a voltage
drop of 6.6 millivolts per foot of harness length. Harness lengths may be on
the order of 15 feet and therefore the total voltage drop will be 100 millivolts.
At a maximum load of 15 amperes this is equivalent to an impedance of 6.6
milliohms.
3. Inductor elements will typically incur a dc voltage drop of 150 millivolts. The
inductor developed for the TWT convert had a resistance of 0.144 ohms
and could typically handle about one ampere of steady dc current.
The total voltage drop resulting from these dc impedance factors is then 0.35 volts
(0.1 due to static regulation, 0. 1 due to harness drops, and 0. 15 due to inductor drops).
4-212
Resistance, Weight,
Voltage Microfarads Case Size Ohms Grams
50 12 C 15.6 2.5
50 30 D1 5.18 7.3
50 70 D2 2.46 11.2
50 100 D3 1.78 14.5
60 8 C 23.3 2.5
60 25 D1 7.77 7.3
60 50 D2 3.69 11.2
60 70 D3 2.59 14.5
60 4 C 60.0 2.5
100 2 C 119.0 2.5
100 1 C 168.0 2.5
1000r
500
300
200 -
100 -
z
50
30-
20-
10-
5
3
2
1
1 2 3 5 10 20 30 50 100 200 500 1000
CAPACITANCE (MICROFARADS)
Figure 4.7-11. Characteristic Weight of Tantalum Capacitors
4-213
As mentioned previously the regulator was specified at 30 volts 4 0.3 volts. This
allows a drift of + 0.2 volts over its present performance. With this allowance the
total dc variation at the loads would then be increased from ± 0.35 volts to + 0. 55 volts
or slightly less than + 2 percent about a nominally specified 30 volt bus. For the range
of current from 0 to 15 amperes the effective dc source impedance as seen by the loads is
then a maximum of 0. 55/15= 40 milliohms.
4-214
4.8 RADIATION ANALYSES
4.8.1 INTRODUCTION
In this section, the radiation environment of an outer planet is described and the effect
of this environment on the design of the PCE is discussed. In general these effects are
not severe in terms of any impact on the PCE design.
Consideration must be given to selecting parts, materials, and components that will
adequately withstand the expected radiation environment. Hardware elements that have
been qualified for the space radiation environment will be used in many cases. The
use of passivated semiconductor devices will be preferred generally for application in
the radiation environment. In addition, circuits should be designed to be insensitive
to the effects of radiation degradation. In general, proper component derating for
gain and leakage will provide the desired insensitivity and will enhance the circuit
performance. The detrimental effects of radiation on electronics can be reduced
further by packaging the components so that the shielding of sensitive components is
provided by the less sensitive devices. Shielding provides protection in the case of
electron and proton radiation, but is ineffective in preventing neutron and gamma
damage.
4.8.2 RADIATION SOURCES
Neutron and gamma irradiation from a radioisotope thermoelectric generator utilizing
Plutonium 238 as a fuel are potential problems for the power conditioning equipment
semiconductor devices. The gamma and neutron environments of concern have been
specified as an absorbed dose equivalent to 300 rads in silicon, and 3 x 1011 neutrons
incident upon a square centimeter of surface area (NVT).
The geomagnetically trapped radiation environment that the spacecraft will encounter
during the earth parking orbit, early transition, and planetary encounters will consist
of electrons and protons. For the most part, the electrons will constitute the primary
4-215
penetrating component of the trapped particles since the magnetic field at low altitudes
is not capable of trapping protons of energy greater than about five million electron
volts (Mev). However, large quantities of low energy protons, less than about 5 Mev,
can be expected. These low energy protons are readily absorbed in the external
spacecraft surface and are of concern only to exterior surface mounted equipment,
such as the shunt resistor panel. This high flux, although not very penetrating,
delivers a significant surface dose.
Additional dose rates will accrue from outer plant Van Allen belt particle fluxes as
functions of energy, trajectory, and flyby times. Jupiter's Van Allen belts are
formidable, having calculated peak fluxes equal to or greater than 1011 electrons
per centimeter squared second and approximately 109 particles per centimeter squared
second, yielding equivalent dose rates in silicon of greater than 105 rads per hour at
altitudes of 1.5 Jovian radii. Saturn's belts are at least two orders of magnitude less
intense, and their existence is highly problematical. The intensity and existence
probabilities of belts around Uranus and Neptune are even less.
Sporadic, intense solar flare activity occurs which may result in the spacecraft
receiving a significant radiation dose due to solar flare protons. In addition to the
energetic particles of periodic solar flares, the sun releases a continual flux of
very low energy particles into the solar system. This flux is referred to as the
"solar wind", consists primarily of low energy protons and electrons, and has a mean
velocity near earth of 500 kilometers per second. In the vicinity of the earth, the
protons have energies of several thousand electron volts, and a density of approximately
five protons per cubic centimeter. Similarly, the electron density is approximately
one thousand electrons per cubic centimeter with energies of the order of several
electron volts. The near earth proton flux is approximately 2 x 108 particles per
centimeter squared second, and although not very penetrating, will constitute a
significant ionization dose on the spacecraft surface. It is of interest to note that
for shield thicknesses greater than about one gram per square centimeter, the solar
4-216
flare proton environment is the major contributor to the internal dose. The internal
dose due to the Bremsstrahlung created by the impinging electrons will be less than
100 rads. This Bremsstrahlung dose, while being very penetrating, will not
contribute significantly to the ionization expected from the other components of the
radiation environment.
Primary galactic cosmic rays consist primarily of various atoms stripped of their
electrons, with high energy electrons amounting to a few percent of the primary flux.
The majority, however, are hydrogen atoms. The average energy of these particles
is four billion electron volts, with the energy varying from less than 102 Mev to 1013
Mev. The average free space isotropic flux is two particles per centimeter squared
second. This intensity is modulated somewhat by the eleven year solar cycle, being
about a factor of two more at solar minimum than at solar maximum. This is
apparently due to the injection of large magnetic clouds into the entire solar system
by the sun during maximum sunspot years, which in turn deflect away some of the
galactic particles. This component of the radiation environment, although very
penetrating, will not constitute a significant radiation dose to the spacecraft systems.
As a worst case, the flux will be approximately four particles per centimeter squared
second throughout almost the entire mission, yielding a typical total of approximately
109 per centimeter squared.
Based on these calculations, almost all the entire mission dose will be due to the
Jupiter flyby. To obtain the requisite velocity increment to continue the Grand Tour
Mission, the spacecraft must approach to within approximately ten Jovian radii,
yielding doses of equal to or greater than an absorbed dose equivalent to 1000 rads
in silicon for 0. 1 grams per centimeter squared shielding.
4.8.3 EFFECTS ON SEMICONDUCTOR ELECTRONICS
The main effects of ionizing radiation on semiconductor electronics, particularly
transistors, are the bulk damage effects and the so-called radiation-induced surface
4-217
effects. The bulk damage effect is the disruption of the crystal lattice of the semiconductor
material. In transistors, this causes a decrease in carrier lifetime in the base
region of the device. This effect takes place whether the device is electrically
active or not. The surface effects phenomenon, on the other hand, is more predominant
when the devices are simultaneously under electrical stress and exposed to ionizing
radiation. This effect is due mainly to the interaction of the ionized gas (in the
hermetically sealed transistor) and ionized surface impurities with the semiconductor
surface.
Both of these effects (bulk and surface) can affect the transistor gains quite drastically.
In addition, the surface effects can also alter junction leakage currents considerably.
The extent to which device parameters are altered for a given radiation dose can
depend to a large degree on device construction and initial electrical characteristics.
The change in the leakage current for gas filled mesa and planar devices is caused
essentially by the total accumulated ionization dose. The effect is apparently
strongly dependent upon surface contamination, thickness of the passivation layer and
other process variables, resulting in a rather random behavior. Two of the transistor
parameters most sensitive to surface effects in both passivated and non-passivated
devices are the collector-base leakage current (ICBo) and the current gain.
In general, passivated devices are much less sensitive to ICBO variations than
non-passivated devices. It is difficult to make generalizations about ICBO increases on
passivated devices. Some devices have thresholds equivalent to an absorbed dose of
104 to 105 rads in air. On the otherhand, the Space Systems Organization of the
General Electric Company has tested hundreds of passivated 2N708, 2N914, 2N930,
and 2N2453 devices which showed no significant ICBO increases up to doses of
approximately 106 rads in air. Also, large variations from one device manufacturer
to another have been seen. Thus, it appears that the quality of the passivation on the
collector-base junction is a controlling factor.
4-218
Considering the previous environment estimates, it is seen that the internal ionization
doses to the electronic components for the twelve year mission depend on parameters
totally beyond the control of the circuit designer. Generator fuel and shielding, parking
orbit inclination and duration, Jupiter fly-by distance, and solar activity all contribute
to the expected environment.
The expected irradiation range for the mission is a minimum absorbed dose equivalent
to 300 rads in silicon as specified in "Design Requirements and Constraints for
Thermoelectric Outer Planet Spacecraft (TOPS) Power Subsystem" dated 24 April
1969; or a maximum of perhaps two decades greater than this for a close Jupiter
fly-by. A 300 to 3000 rad gamma dose is far below the ionizing radiation damage
threshold of passivated minority carrier devices. A neutron exposure of 3 x 1011 nvt,
however, is about the damage threshold for certain types of transistors.
The most sensitive transistor in the circuits under consideration is the high voltage
series regulator pass transistor in the Traveling Wave Tube Converter, which operates
at very high collector to emitter voltage and at very low current. Any increase in
leakage current above the minimum current required by the load would result in loss
of regulation and an increase in output voltage. Additionally, there is no source of
negative voltage to back bias the emitter to base junction. This would permit the
collector to base leakage current to be removed before it is amplified by transistor gain.
The same type transistor is used in other applications at lower voltage and higher
current, but the low current application is most sensitive to increased leakage
current if surface effect damage is severe at the radiation doses of interest.
Furthermore, this phenomenon is influenced by the test conditions of temperature,
time, and bias. The investigation of the transistor design indicates that very little
degradation in leakage current and current gain should be expected below 105 rads
exposure dose.
4-219
4.8.4 TEST EVALUATION
An experiment was performed on a sample of four Westinghouse silicon power transistors,
type 1763-1820, to determine the effect of a high dose of radiation. The test schematic
of Figure 4.8-1 was used. The test method involved simultaneous exposure of the four
devices. One hundred volts of collector to emitter bias was continuously applied,
except for one dose increment. This was to determine if healing might occur with radiation
and no bias. The device cases were grounded, and leads were shielded to facilitate
handling, reduce spurious radiation induced signals, and allow monitoring of case
temperature on one device. A Keithley 602 electrometer was used to measure
collector current, and base current was monitored by a Keithley 155 microvoltmeter
across a precision one kilohm resistor. Power supplies were used to bias the collector
to emitter junction and the base to emitter junction, and a one hundred kilohm series
base resistor was used during the test.
4-220
Figure 4.8-1. Electrical Test Schematic
Radiation was supplied from a Cobalt 60 source at the Franklin Institute, Philadelphia,
Pennsylvania; with a total dose obtained of 5 x 105 rads ± 10 percent.
The specific measurements made were:
1. Pre- and post-test curve tracer measurements of gain over a range of
collector currents from 0.5 to 35 milliamperes for collector to emitter
voltages up to one hundred volts.
2. Pre- and post-test measurements of open emitter, collector to base
leakage current with a one hundred volt bias.
3. Pre-, during, and post-test measurements of collector to emitter leakage
current with open base, and required base current at 0.5 milliamperes
of collector current to establish current gain.
4. Radiation exposure dose during the test phase.
5. The degree of post-test recovery of leakage current and gain for one
device at an elevated annealing temperature of 2000 C.
The electrical characteristics specified by Westinghouse Electric Corporation
Semiconductor Division, Youngwood, Pennsylvania, are as tabulated in Table 4.8-1.
The 1763-1820 is an NPN double epitaxial silicon power transistor designed expressly
for high reliability operation in military, space, and industrial applications.
A reproduction of curve tracer measurements on Sample No. are shown in Figures
4.8-2 and 4. 8-3 as typical of the four devices tested. Operation is shown from
zero to one hundred volts collector to emitter bias, and from zero to forty milliamperes
collector current. The post irradiation measurements are also post annealing, and
portray the gain recovery to seventy percent of initial value.
The change in open base collector to emitter leakage current as a result of radiation
can be determined from Figures 4.8-4 through 4.8-7. Data taken both under radiation
and at ambient conditions is presented. The results on Sample No. 1 show a reduction
in leakage current with irradiation under both conditions. This indicates the lack of
4-221
Table 4. 8-1. 1763-1820 Electrical Characteristics
Collector to Emitter Voltage
Collector to Base Voltage
Emitter to Base Voltage
Peak Collector Current
Peak Base Current
Open Base Collector Current at 135 Volts Bias
Minimum Current Gain at 20 Amperes
Minimum Gain-Bandwidth Product at 10 Megahertz
Minimum Operating Junction Temperature
Maximum Operating Junction Temperature
Vertical:
180 Volts
180 Volts
7 Volts
40 Amperes
10 Amperes
0.5 Milliamperes
20
30 Megahertz
OOC
2000 C
5 Milliamperes Per Division
Horizontal: 20 Volts Per Division
Base Current Steps: 0.2 Milliamperes
Figure 4. 8-2. Typical Pretest Data, Sample No. 2
4-222
Vertical: 5 Milliamperes Per Division
Horizontal: 20 Volts Per Division
Base Current Steps: 0.3 Milliamperes
Figure 4.8-3. Typical Posttest Data, Sample No. 2
any mechanism to increase true collector to base leakage current, shows the effect
of gain degradation reducing total collector to emitter leakage current, and shows
higher leakage under radiation exposure which is attributed to energetic particle
activity. Data on Sample No. 2 shown on Figure 4.8-5 is similar to that of
Sample No. 1, with the added post annealing test point for reference. Figures
4.8-6 and 4.8-7 show fairly constant leakage current with radiation dose at ambient,
although Sample No. 3 demonstrated at least one decade higher leakage in the
radiation environment. The apparent good performance of leakage current variation
is more probably due to low gain, and consequently low amplification of energetic
particles.
4-223
.4 
4
E 
O
 
E
aS 
a4 
-
C, 
C
·
-
 
-P 
.
-
 
C
D
0 
?m
.. 
.
-
,
.i 
i3
V
I O
o
e
0
~
~
-
 ~
~
o
 
~I
O
0
I-- 
C)
I 
I I 
I 
I
S3I3dWV 
'LN3H:l3 3V)1V31 13111 W3 01 
01i311303
4-224
N
~
~
~
 
~
 
8lm
EEW
eW
w
w
W
ll1Tm
H
R 
0 lm
m
 
i 
I 
I 
L 
L 
li 
|E|| 
lL
u
~
g
lr 
i 
l 
N| 
|m11 
-1 
3
0 U
 | 
W
 1W
g W
 WW
 W
 l 
I 
I 
ill 
H
 
II 
IIII I II I II I l~
ila
W
~
II!I!~
m
iliililiililiil IItI 
111 1 11 
<
 
.
0 
m
g0W
g 
IIlil~IllliiiilIIIIIII 
I|IIIlllltiilllllo liilll 
III 
=Y
X
 
ii 
| 
W
 
W
 
g 
S 
0 
g 
llL
~
lllillllllllllN
~
llll 
I 
1
1
1
1
1
 
1 
,
 
t
0 
X
 
E 
i 
E 
! 
S 
S 
L
-H
E
~
~
~
~
~
~
~
~
~
~
~
~
III!!L
l 1111llil 11illtHIIIIo 
fl 
E 
W
 
W
 
g 
| 
| 
-
W
 
W
~~~~~~~~~~~~F
4-224
a
 
E 
E 
O
 
0
·r 
Q
IQ
) ~
 
a) 
4-'
O
 
r-L 
~
 
S 
4- CE
1
#
 S(I -
*
.
-
C
D
C
c;
zC
dI
4: 
,
11141 
L1111I!llif 
I 
LO
44|mW 
i 
o
 
o
o
o
~
~
~
 
1 
1 
1 
1 
I 
!0i' 
0 IL
 
0 
I 
$3i 
3
d
l 
'IN
I 
I 
I3
±
H
 
0/ 
0/q 
ii_
- 
W
i
i0 
W
 
W
 m
 | 
w
O
 
O
 
O
~
~
~
~
~
~
~
~
~
~
~
~
~
u
_
 
| 
_
~
~
~
~
~
~
~
~
~
~
~
~
4
S
3
8
3
d
W
V
~
~
~
- 
' 
N
do1 
9
V
1
d
3
1
W
 
1
'O
3
1
0
4-225
L0
c
-
 
c
-
E O 
E
a. 
aa_ 
c
-
ic
 a
r
 
G) 
-E
~1 
(1) 
.r
 
~
 
.
e
-
Q 
.
'
 
.
.
.
.
 
.
0
C
OCd
4t 
.0
.I 
_
 
_
tw
u
IL 
S
-40 
F 
0: 
-
O
I 
d 11113 
CY)3 
B
3
 
N
 
0 
w00
C
0
 
0 
SR3d 
iW
V
 
'1
N
u
u
 3W
 V31 OJ3lIM11 
01 NOIJJ11OJ
W
 0 0 
W
 E 0~~~~~~~~
E
F
 
: 
tF
X
 
F
l 
D
IH
 
1
1
1
 
1 
11
I
n
4-226
O0-
+
+
-
fo
C
CL.J 
0,-
I- 
Fire 
C 
CW
IT-E V
~~~~luil 
4
-J 
.
-
OLxJ
f, 
it 
M
4- 
RT'', 
T
F
- 
)
o
I--
S3~3~dNV 
'1N3ddnl~ 3~Y)Y31 
d
3
9
]
 01 
OJ 
UOIm 
910D1
zz 
Cd~~~~~~~~~~~~~~~~~~~~e
I't 
44 
ti: 
1
a)
fit 
9b
C
)·
In 
N
-T 
TT 
F---- 
If 
E 
P 
W
. 
M
 
4
iij
F
E
~
~
~
~
~
~
~
~
~
E
T
~
~
~
~
~
~
~
~
~
~
T
co
ili~il i 
CD 
SR~~dW
V
 '10m
n) 
3OV)IV31 
H~~~iiM
 
O
i H
O
D
3
1
1
0
3
f
4-227
L)IO
Table 4.8-2 shows the increase in post-irradiation current gain as a result of an
exposure to a temperature of 200
°
Centigrade. Measurements were made at room
temperature immediately after the exposure, and the exposure time was in increments
of 1 hour, 1 hour, and 14 hours. Healing by annealing indicates that the degradation
in current gain during irradiation was due to surface effects phenomena. The gain
was reduced to 20 percent of its pre-test value as a result of the radiation dose
administered, but recovered to approximately seventy percent of its initial value
as a result of annealing.
The results of collector to base leakage current measurements indicate that this
characteristic is exceptionally stable, demonstrating a high quality surface
passivation and an extremely low level of surface impurities. The collector to
emitter leakage current shows a decrease from initial to post radiation, but this is
an apparent decrease only, and is actually the result of gain degradation operating on
the relatively stable collector to base leakage current. There is no absolute
correlation between gain at collector to base leakage current and measured gain
at 0.5 milliamperes, but the trends are in the same direction.
4.8.5 CONCLUSIONS
Based on the expected total accumulated radiation dose and the performance of
the transistor selected as the worst device from a radiation environment and
application standpoint, it is assumed that selection of devices and design of circuits
can overcome the degradation expected from radiation from all causes.
The high voltage regulator was identified as being especially susceptible to damage that
would cause poor performance. This selection was made on the premise that the
results of increased leakage current could not be compensated for easily by device
selection or design change. Gain degradation is more easily corrected, for example.
4-228
0o-aEI
rnCV.D Q1
ooO
l
oj
CDcI0;
,4
0 
Lo 
0 
0 
CD
tN 
_l 
O
 
Cq 
1 
O
 
C
i 
i 
0 
i 
I 
I
C~1 
C
'~1 
0
5-I
O'-4
0,.O
o
cio
,J
0 
Lf 
0 
tO
 
CV 
cq
w
 
Cd 
0 
*
 
o
 
1 
C
' 
cq
·0 
*, 
0- 
4d 
0 0 
L 
0 
-
S 
o
 
j 
E 
o
o
.o
,-
-Io
 
o0
a
 _
 aav
In 
EC
O
 
c 
O
.
o
_
-
 
0 
0 
-m
 
0
C) 
C) 
5 
C) 
b0C, ;ad0o0cia,)-4.0,
4-229
The results of the radiation testing, however, demonstrated that the open emitter
leakage current did not increase signficantly, and that gain degradation actually
caused a decrease in the open base leakage current. This indicates that, in the
application, performance as to leakage current will be enhanced by the radiation
environment.
4.9 HARNESS OPTIMIZATION
The analysis as described below provides guidelines for designing the electrical
power distribution harness.
The optimum current density in power distribution cables can be determined as a
trade-off of harness weight and the weight of added RTG capability to compensate
for harness losses. This trade-off is analyzed as follows:
The combined weight (Wc) equals the sum of the generator weight (WG) and the
harness weight (WH).
WC = WG + WH
By varying the harness size in terms of its cross-,sectional area, A, both WG and
WH are effected. Differentiating, with respect to A, the minimum weight system
is obtained by setting C = .
dA
or
dWH = - dWG
dA dA
Introducing the generator output, PG, as a variable, results in,
dW - dWG dPG(1)
-dPG . d7X_
4-230
Each term in equation (1) is examined below:
a) dWH . Ignoring the insulation weight, the relationship of
dA
harness weight to area is,
WH = PlA where P = conductor density
and 1 = conductor length
Then,
dWH P1 (2)
dA
b) d . This term defines the weight to power performance of the
dPG
generator. A rating of 1. 7 watts per pound provides a conservative
estimate of predicted performance for the RTG's being developed
for TOPS missions.
Then, G = 1(3)
dPG 1.7
c) dG . This term represents the change in generated power as
dA
a function of area resulting from the variation in harness losses
with changes in wire area. dP is defined as follows. The
generated power (PG) equals the harness losses (PH) plus the
load power (PL):
G H L
Now
PH = I 2 R
= I2 1 where R = harness resistance
A
and a = resistivity
ThenPG =P I PLG A L
dP -I2 a 1
and dPG 2 (4)dA A
4-231
Substituting (2), (3), and (4) in (1) gives
1 2 a1
P1 = ( 17) ( A2
I -P xRearranging gives - = x 1.7A a
The resistivity of copper is approximately 0.68 x 10- 6 ohm-inches 2/inches and the
specific weight of copper is 0.32 pounds per cubic inch. Then,
= Operating current density = 0.68 = 894 amps/inch2
No. 28 AWG wire having a cross-sectional area of 125 x 10- 6 square inches is
the wire type intended for general use on TOPS. At 894 amps per square inch, this
results in a current of 112 milliamperes.
4.9.1 CONCLUSIONS
For accomodating higher currents either heaver or multiple No. 28 AWG wires could
be used. Maintaining the current density at 894 amperes per square inch, Table 4.9-1
shows the resulting harness resistance and weight considering multiple wire
harnesses for both No. 28 and 24 AWG wire. This data is based on information
extracted from MIL-W-81044/3.
The result of the distribution design analysis is a safe, reliable, minimum weight,
minimum power loss distribution system within the principal design constraint of
minimum weight or minimum voltage drop.
4-232
Table 4.9-1. Minimum Weight Cable
4-233/4-234
Number of Wires Per Thousand Feet Allowable
AWG 28 AWG 24 Pounds Ohns Amperes
1 0.95 62.9 0.012
2 1.90 31.45 0.224
1 2.10 23.2 0.283
3 2.85 20.97 0.336
4 3.80 15.72 0.448
2 4.20 11.6 0.566
6 5.70 10.5 0.672
3 6.30 7.73 0.849
8 7.60 7.86 0.896
4 8.40 5.8 1.132
11 10.45 5.72 1.232
5 10.50 4.64 1.415
13 12.35 4.84 1.456
6 12.60 3.87 1.698
7 14.70 3.31 1.981
8 16.80 2.9 2.264
9 18.90 2.58 2.547
10 21.00 2.32 2.83
11 23.10 2.11 3.113
12 25.20 1.93 3.396
