In this case, a failed capacitor or electrical connection caused complete LOM.
Source?
I do not think, that any concrete reason for the LOS has been published so early.
Ooops, no source, I am simply speculating that a power system failure was caused by a component, not a rapid unplanned disassembly of the Briz-M.
That is certainly a poor system architecture, if the satellite cannot separate itself from a dead upper stage.
Heads will roll.
Could you please tell us how you would have designed the upper stage to avoid this problem?
Andy
A design that allows the payload to separate itself in the event of total system failure of the upper stage is not exactly rocket science.
1. What good will it do, the fifth burn never happened. Not all satellites can recover from such a failure.
2. Name one LV that works that way.
That is certainly a poor system architecture, if the satellite cannot separate itself from a dead upper stage.
Heads will roll.
Could you please tell us how you would have designed the upper stage to avoid this problem?
Andy
A design that allows the payload to separate itself in the event of total system failure of the upper stage is not exactly rocket science.
1. What good will it do, the fifth burn never happened. Not all satellites can recover from such a failure.
2. Name one LV that works that way.
You are suggesting that there are no launch systems that allow the satellite to initiate separation?
Does Briz-M have a fail-safe tank pressure relief system? I assume that in the case of a normal launch, after spacecraft separation the upper stage has a CCAM maneuver similar to Centaur to eliminate the chance of a residual fuel explosion. Is there a failsafe system in case the stage is stranded without power while partially fuelled? Just want to avoid debris-creating events like the one in February 2007:
http://apod.nasa.gov/apod/ap070222.html
Does Briz-M have a fail-safe tank pressure relief system? I assume that in the case of a normal launch, after spacecraft separation the upper stage has a CCAM maneuver similar to Centaur to eliminate the chance of a residual fuel explosion. Is there a failsafe system in case the stage is stranded without power while partially fuelled? Just want to avoid debris-creating events like the one in February 2007:
http://apod.nasa.gov/apod/ap070222.html
Considering that is the explosion of a Briz-M a year after it failed to place Badr-1 into the correct orbit, that may not be the case.
That is certainly a poor system architecture, if the satellite cannot separate itself from a dead upper stage.
Heads will roll.
Could you please tell us how you would have designed the upper stage to avoid this problem?
Andy
A design that allows the payload to separate itself in the event of total system failure of the upper stage is not exactly rocket science.
So, every spacecraft manufacturer would have to include the necessary commands to separate its spacecraft from all types of rockets that could be used for that satellite? Who tests to make sure the separation command doesn't inadvertently come from the satellite during ascent?
And, who actually generates the power for the pyro or spring command to function? The satellite's power bus doesn't extend into the upper stage usually. How about spin-up manuevers? How does the command get to the upper stage computer which has no power? Are you going to hard-wire into the separation system for every different type of upper stage?
So, actually it is rocket science. I'll ask again, could you please tell us how you would have designed the upper stage to avoid this problem? I would really like to know.
One object being tracked so far, in a (roughly) 147 x 11,338 km x 49.58 deg orbit. It may be the Briz M drop tank, which would have jettisoned prior to the fourth burn.
- Ed Kyle
Considering that is the explosion of a Briz-M a year after it failed to place Badr-1 into the correct orbit, that may not be the case.
That was a few years ago, just figured someone had time since to send a memo saying 'maybe we should start installing burst discs on these tanks just in case'.
That is certainly a poor system architecture, if the satellite cannot separate itself from a dead upper stage.
Heads will roll.
Could you please tell us how you would have designed the upper stage to avoid this problem?
Andy
A design that allows the payload to separate itself in the event of total system failure of the upper stage is not exactly rocket science.
So, every spacecraft manufacturer would have to include the necessary commands to separate its spacecraft from all types of rockets that could be used for that satellite? Who tests to make sure the separation command doesn't inadvertently come from the satellite during ascent?
And, who actually generates the power for the pyro or spring command to function? The satellite's power bus doesn't extend into the upper stage usually. How about spin-up manuevers? How does the command get to the upper stage computer which has no power? Are you going to hard-wire into the separation system for every different type of upper stage?
So, actually it is rocket science. I'll ask again, could you please tell us how you would have designed the upper stage to avoid this problem? I would really like to know.
A simple relay to transfer the pyro circuits to Payload when the stage loses power would address most that. I'd guess an added on connector for the high current signals. Not as sexy as 3 million lines of code, but more the Russian way anyhow. It obviously wouldn't use the upper stage computer if the upper stage were dead. There's no problem with simple, last ditch efforts if you don't have anything to lose.
That was a few years ago, just figured someone had time since to send a memo saying 'maybe we should start installing burst discs on these tanks just in case'.
That is why I said "
may".
That is problem with storable propellants, how do you get them out of the tanks of a dead stage. In the prior case when you mentioned Centaur, due to the propellants, good or bad, something would have already happened. Now we wait for something to leak, corrode, or fatigue (from the thermal cycles) and hope nothing mixes.
The burst disks only work if the pressure is changing inside the tanks. With storable propellants, that should not be happening.
Don't forget that the satellite which by all accounts is still attached to the Briz-m, has consumables on board that can cause long term problems. It has not been, and it may not be possible at this point to safe. It has batteries that can potentially over charge and explode, it still has propellants on board, the system is still pressurized.
One object being tracked so far, in a (roughly) 147 x 11,338 km x 49.58 deg orbit. It may be the Briz M drop tank, which would have jettisoned prior to the fourth burn.
The low perigee (91 miles) is good news. If it stays intact, it will quickly reenter.
One object being tracked so far, in a (roughly) 147 x 11,338 km x 49.58 deg orbit. It may be the Briz M drop tank, which would have jettisoned prior to the fourth burn.
The low perigee (91 miles) is good news. If it stays intact, it will quickly reenter.
I'm puzzled by that perigee. The tank should have had a perigee of 265 km at least when it was jettisoned. I doubt it would decay that quickly!
Perhaps this is Briz M/Express AM4, knocked into a goofy orbit by a failure during its fourth burn?
- Ed Kyle
That is certainly a poor system architecture, if the satellite cannot separate itself from a dead upper stage.
Heads will roll.
Could you please tell us how you would have designed the upper stage to avoid this problem?
Andy
A design that allows the payload to separate itself in the event of total system failure of the upper stage is not exactly rocket science.
So, every spacecraft manufacturer would have to include the necessary commands to separate its spacecraft from all types of rockets that could be used for that satellite? Who tests to make sure the separation command doesn't inadvertently come from the satellite during ascent?
And, who actually generates the power for the pyro or spring command to function? The satellite's power bus doesn't extend into the upper stage usually. How about spin-up manuevers? How does the command get to the upper stage computer which has no power? Are you going to hard-wire into the separation system for every different type of upper stage?
So, actually it is rocket science. I'll ask again, could you please tell us how you would have designed the upper stage to avoid this problem? I would really like to know.
A simple relay to transfer the pyro circuits to Payload when the stage loses power would address most that. I'd guess an added on connector for the high current signals. Not as sexy as 3 million lines of code, but more the Russian way anyhow. It obviously wouldn't use the upper stage computer if the upper stage were dead. There's no problem with simple, last ditch efforts if you don't have anything to lose.
Suppose the relay triggers inadvertently and now the upper stage can no longer control the pyros during a normal mission? I'm not saying it isn't do-able, I'm just saying it isn't as easy as made out to be.
You would hate to lose a normal mission for the sake of a "nothing to lose" manuever.
Suppose the relay triggers inadvertently and now the upper stage can no longer control the pyros during a normal mission? I'm not saying it isn't do-able, I'm just saying it isn't as easy as made out to be.
You would hate to lose a normal mission for the sake of a "nothing to lose" manuever.
Suppose the satellite solar panels deploy during launch? Suppose the satellite main engine fires prematurely due to a faulty relay? At some point, system operators have to simply design the a robust command system; obviously, there has to be a trade between the risks of use of a dual separation command system and being stuck to a dead upper stage.
In the case of dead upper stages, maybe 5 Proton missions in the last 15 years have resulted in off nominal performance of an upper stage in orbit. That is probably frequent enough to warrant implementation of a dual separation system.
When an upper stage doesn't operate nominally, there is always the risk that separation won't occur, or won't be timely.
You would hate to lose a normal mission for the sake of a "nothing to lose" manuever.
The dreaded false redundancy: when an effort to make a system more reliable inadvertently adds enough complexity to actually make it less reliable.
Suppose the relay triggers inadvertently and now the upper stage can no longer control the pyros during a normal mission? I'm not saying it isn't do-able, I'm just saying it isn't as easy as made out to be.
You would hate to lose a normal mission for the sake of a "nothing to lose" manuever.
Suppose the satellite solar panels deploy during launch? Suppose the satellite main engine fires prematurely due to a faulty relay? At some point, system operators have to simply design the a robust command system; obviously, there has to be a trade between the risks of use of a dual separation command system and being stuck to a dead upper stage.
In the case of dead upper stages, maybe 5 Proton missions in the last 15 years have resulted in off nominal performance of an upper stage in orbit. That is probably frequent enough to warrant implementation of a dual separation system.
When an upper stage doesn't operate nominally, there is always the risk that separation won't occur, or won't be timely.
What makes you think the Briz-M doesn't already have one?