1. THEMIS MISSION PDROVERVIEW- 1 UCB, November 12, 2003 THEMIS MISSION SYSTEM OVERVIEW Dr. Ellen Taylor University of California - Berkeley

2. THEMIS MISSION PDROVERVIEW- 2 UCB, November 12, 2003 Requirement Process Requirement Development and Verification Process Mission Requirements Document (Status, Statistics, Control) Mission Level Requirements Lifetime and Radiation Resource Budgets (Allocations, Tracking and Control) Contamination Requirements (Magnetics, ESC, Contamination) Interface Requirements (ICD Document Status) Test and Verification Requirements (Verification Process) Fault Tolerance (Reliability analyses - Fault Tree, PRA, FMECA) Level 1 Science  Error Budgets Risk Management Configuration Management System Change Notices Major system trades Overview

3. THEMIS MISSION PDROVERVIEW- 3 UCB, November 12, 2003 Requirement Development Top-Level requirements developed during Phase A Concept Study Report (CSR) provides basic mission concept Outlines top-level requirements imposed by science and programmatic objectives Mission requirements flown down (to subsystem level), formalized and documented early in Phase B All elements of CSR concept and mission requirements reviewed by development team Mission Requirements Database (MRD) developed and reviewed MRD finalized and put under Configuration Control at System Requirements Review (SRR), July 2003 Subsystem Interfaces and Component Requirements further detailed in Phase B Interface Control Documents between Subsystems and Institutions System and Subsystem Specifications (Board Specifications, SOWs, etc) Mission Plans and Policies (PAIP, Risk Management Plan, FMECA, etc) Control Plans (Magnetics, ESC, Contamination)

4. THEMIS MISSION PDROVERVIEW- 4 UCB, November 12, 2003 Requirement Verification Requirement Verification Plans developed in Phase B and C Development of Verification Matrix ensures a test or analysis is scheduled for all Mission Requirements in MRD Performance Verification and Environmental Test Plan provides launch and space environments and outlines comprehensive component, subsystem and system level test program Requirements Compliance and Verification Matrices completed in Phase D MRD evolves into summary of test program as run Documents Verification and Compliance Status of all Requirements Provides direct trace-ability from requirements to test procedures and reports

5. THEMIS MISSION PDROVERVIEW- 5 UCB, November 12, 2003 MRD Status MRD Rev A released at System Requirements Review (SRR) MRD Rev B released prior to Instrument and Subsystem Peer Reviews Incorporated SRR Recommendations and RFAs Added verification plan (Inspection/Analysis/Test) for each requirement MRD Rev C released at Mission PDR TBD/TBR List: IDRequirementSchedule for Closure M-13THEMIS Probes shall be launched into a transfer orbit w/ following characteristics: apogee 12 +/- 0.38 Re… (all parameters TBR) Detailed Performance Analysis by Boeing (Feb 2004) M-45The THEMIS Probe Carrier Assembly (5 Fueled Probes plus Probe Carrier) shall not exceed 807kg (TBR). Detailed Performance Analysis by Boeing (Feb 2004) M-51The THEMIS Ground Station shall contact probes once an orbit (required) / once a day (desired) (TBR). Could be driven by accuracy/drift of clock. Oscillator trade (Nov 2003) M-62The Launch Vehicle shall despin (if necessary) the Probe Carrier to less than 15 RPM (TBR) prior to probe deployment. Separation Analysis (Nov 2003) PB.EPS-5The Battery capacity shall be sufficient to provide power for the Bus through the worst-case launch scenario of 90 minutes (TBR). Launch scenarios throughout year to be run by KSC (Dec 2003) PC.MEC-1The Probe Carrier shall accommodate 5 probes of max mass, with a minimum static clearance of 4 inches (TBR) between Probes Separation Analysis (Dec 2003) PC.MEC-5The Probes shall be released from the Probe Carrier within TBD sec of receiving the deployment signal from the launch vehicle Pending discussions with KSC and Boeing (Feb 2004) PC.MEC-11The Probe Carrier Assembly (Probe Carrier, with all 5 Probes installed) shall have a roll MOI > 515 kg-m^2 (TBR) Pending discussions with KSC and Boeing (Feb 2004) PC.MEC-13The Probe Bus separation system shall include TBD inhibits to prevent inadvertent release of the Probe from the Probe Carrier. Pending discussions with KSC Safety (Dec 2003)

6. THEMIS MISSION PDROVERVIEW- 6 UCB, November 12, 2003 MRD Control MRD Change Control Change history column with each requirement Detailed change log shows Rev A statement, Rev B statement, etc. Change log has approval column for check off by Systems and affected Subsystem leads Parent and Child IDs used to identify affected subsystems Change Statistics Approximately 800 requirements tracked Approximately 200 minor changes since SRR (wording, clarifications, deletions) Approximately 20 major changes since SRR (error budgets, magnetics, timing)

7. THEMIS MISSION PDROVERVIEW- 7 UCB, November 12, 2003 Interface Control Plans: Sign-off by PDR Instruments-to-IDPU ICDs (covers software, data, electrical) Instruments-to-Probe ICDs (covers mechanical, thermal, contamination) Probe-to-IDPU ICD (electrical and mechanical) Launch Vehicle ICD (Boeing Mission Specification) Ground System ICDs (Space-to-Ground link, Ground Station, Data System) Electrical System Specification: Sign-off by PDR Provides Electrical Standards for board design System Plans for grounding, harness, etc. Contamination Control Plans: Draft by PDR, Sign-off by CDR Separate Plans for Magnetics, Electrostatic Cleanliness (ESC) and Contamination Provides contamination budgets, best design practice guidelines and verification plans Verification Plan and Environmental Spec: Draft by PDR, Sign-off by CDR Performance Verification Plan Qualification Philosophy and Test Levels (Acceptance, Qualification, Protoflight) Vibration/Loads/Shock Environments Thermal Vacuum/Balance Environments EMI/EMC/Magnetics/ESC Test Requirements Mission Simulations and RF Compatibility Testing Key Requirement Documents

8. THEMIS MISSION PDROVERVIEW- 8 UCB, November 12, 2003 Document Status

9. THEMIS MISSION PDROVERVIEW- 9 UCB, November 12, 2003 Mission Requirements Lifetime and Radiation (M-1 to M-4) Fault Tolerance (M-5 to M-8) Mission Design (M-9 to M-17 presented later in Mission Design) Resource Budgets (M-19 to M-28) Contamination Requirements (M-30 to M-37) Interface Requirements (M-39) Test Requirements (M-40 to M-42) Launch Vehicle (M-43 to M-47, M-62 to M-64) Ground Station (M-48 to M-58 presented later in Ground System) Safety (M-64 to M-71 presented later in Safety Splinter) Mission Requirements

10. THEMIS MISSION PDROVERVIEW- 10 UCB, November 12, 2003 REQUIREMENTSYSTEM DESIGN M-1. The THEMIS operational system shall be designed for at least a two year lifetime. Compliance. All flight systems are designed and analyzed for two year lifetime. M-3. THEMIS shall be designed for a total dose environment of 33 krad/year (66 krad for 2 year mission, 5mm of Al, RDM 2) Compliance. Radiation analyses performed. Performance Assurance and Implementation Plan (PAIP) THM_pa_001A.doc Version A-2003-Sept 30 Signed-Off. Lifetime and Radiation From PAIP: Parts shall have a TID tolerance of 33 Krads or more based manufactures data sheet, demonstrated technology hardness, or lot testing. The Radiation Environment for THEMIS: Michael Xapsos Radiation Effects and Analysis Group Flight Data Systems and Radiation Effects Branch/Code 561

11. THEMIS MISSION PDROVERVIEW- 11 UCB, November 12, 2003 REQUIREMENTSYSTEM DESIGN M-4. THEMIS shall be Single Event Effect (SEE) tolerant and immune to destructive latch-up. Compliance. Radiation analyses performed. Performance Assurance and Implementation Plan (PAIP) THM_pa_001A.doc Version A-2003-Sept 30 Signed-Off. From PAIP: Parts shall be SEL-immune to a LET >37 MeV-cm2/mg, or else shall be protected against damage by a protection circuit. Parts that affect critical functions shall be SEU immune, or else shall use a Triple Modular Redundancy scheme. Parts shall meet these criteria based on manufacturers data sheet, demonstrated technology hardness, or lot testing. Lifetime and Radiation The Radiation Environment for THEMIS: Michael Xapsos Radiation Effects and Analysis Group Flight Data Systems and Radiation Effects Branch/Code 561

12. THEMIS MISSION PDROVERVIEW- 12 UCB, November 12, 2003 REQUIREMENTDESIGN M-2. The THEMIS project shall develop a plan to meet the NASA orbital debris guidelines of re-entry in NSS 1740.14 Compliance. Preliminary Orbital Debris Assessment (SAI-RPT-0555) has been completed complying with NASA Policy 8710.3A and Safety Standard 1740.14. Re-entry < 25 years. Worse-case (P1) passive re- entry = 11.8 years (debris assessment s/w) Debris Area < 8m2. Estimate for probes = 2.68m2, Estimate for probe carrier and 3 rd stage = 1.04m2. Compliance covered further by Swales (Brenneman) Orbital Debris Analysis

13. THEMIS MISSION PDROVERVIEW- 13 UCB, November 12, 2003 REQUIREMENTDESIGN M-19. THEMIS maneuvers shall be optimized for a delta-V of 650m/s Compliance. CBE worst case delta-V is 566m/s (worst-case, P1). Provides 15% contingency. M-20. All THEMIS Probes shall have 15% propellant margin at launch Compliance. 15% propellant margin at launch is included in mass, dV allocations. Ref M-22. Resource Budgets - Propellant From THEMIS Maneuver Calculator:

14. THEMIS MISSION PDROVERVIEW- 14 UCB, November 12, 2003 REQUIREMENTDESIGN M-21a. No THEMIS Probe shall exceed a dry mass of 93.3 kg. Compliance. CBE is 66.60 kg. Contingency is 10.35%. Provides 27% Program Managers Margin. M-21b. The THEMIS Probe Carrier shall not exceed a mass of 147 kg. Compliance. CBE is 105.34 kg. Contingency is 15.8%. Provides 20.5% Program Managers Margin. Resource Budgets - Mass From THM-SYS-008 System Mass Budget:

15. THEMIS MISSION PDROVERVIEW- 15 UCB, November 12, 2003 Resource Budgets REQUIREMENTDESIGN M-22. Each THEMIS Probe shall be designed to accommodate a dry mass of 93.3 kg and a Delta-V of 650m/s, with a goal of 15% propellant margin at launch. Compliance. Ref PB.RCS-1, -2, -3: Tanks are sized (38.70 kg) to accommodate full mass growth, attitude maneuvers and 650m/s dV. Mass is allocated assuming a 15% propellant margin at launch.

16. THEMIS MISSION PDROVERVIEW- 16 UCB, November 12, 2003 REQUIREMENTDESIGN M-45. The THEMIS Probe Carrier Assembly (5 Fueled Probes plus Probe Carrier) mass-to-orbit shall not exceed 807kg (TBR*). Compliance. CBE is 438.37 kg (dry mass). Contingency is 11.66%. Provides 25.34% Program Managers Margin. *Note: TBR added since SRR. Decrease in launch vehicle performance estimate possible. Resource Budgets - Mass From THM-SYS-008 System Mass Budget:

17. THEMIS MISSION PDROVERVIEW- 17 UCB, November 12, 2003 REQUIREMENTDESIGN M-23. No THEMIS Probe shall exceed an on-orbit power draw of 41.5 W. Compliance. CBE is 24.20W. Contingency is 21.08%. Provides 41.64% Program Managers Margin. M-24. The Probe power system shall be designed to accommodate an EOL on-orbit average power of 41.5W. Compliance. Ref PB.EPS-6: EPS design provides >41.5W on-orbit average power. M-25. Each Probe shall be designed to achieve electrical energy balance over an orbit assuming a 30 minute transmitter power on time and 180 minute eclipse. Compliance. Ref PB.EPS-7: EPS designed for peak power of 65W during 30 min downlink; Ref PB.EPS- 8: EPS designed for 49W during 180 minute eclipse. Resource Budgets - Power From THM-SYS-009 System Power Budget:

18. THEMIS MISSION PDROVERVIEW- 18 UCB, November 12, 2003 REQUIREMENTDESIGN M-26. No THEMIS Probe shall not exceed 750 Mbits/orbit (uncompressed) Instrument science and housekeeping data and 87 Mbits/orbit Probe Bus housekeeping data. Compliance. Ref IN-10: Instrument Payload data budget estimate is 744Mbits/orbit for worst case probe, P2. Ref PB-14 and PB.CDH-32: Storage rate variable from 250 bps to 4 kbps, nominal 1kbps or 11MB (87 Mbits) per day for inner probes. M-27. Each THEMIS Probe shall be capable of storing 1 orbit + 1 days worth of Instrument and Probe Bus housekeeping data. Compliance. Ref IN.DPU-6: Instrument memory sized for 1 orbit + 1 day (256MB SSR); Ref IN.CDH- 14: Probe memory sized for 1 orbit + 1 day (16MB + variable storage rate) Resource Budgets - Data From THM-SYS-010 System Data Budget: Detailed Instrument rates calculated for each Mode (Slow Survey, Fast Survey, Particle Burst and Wave Burst) Summary Page provides data volume for each Probe by estimating how long Probe will be in different Modes

19. THEMIS MISSION PDROVERVIEW- 19 UCB, November 12, 2003 REQUIREMENTDESIGN M-28. Resource budgets (mass, power) shall show margin at each project milestone per the Systems Engineering Management Plan (SEMP). Compliance. THM-SYS-006 System Engineering Management Plan signed off. Mission PDR contingency and margin matches schedule. Resource Margins Contingency is defined as a percentage of resource added to an estimate as a provision for uncertainty. Contingency is based on the level of maturity: 1. Concept: 25% 2. Design: 15% 3. Prior Build: 7.5% 4. Fabrication: 4% 5. Flight Build: 2% Contingency % that doesn’t meet schedule triggers re-allocation and possible release of PM Margin. Program Managers (PM) Margin is defined as the amount of resource remaining when an estimate plus the associated contingencies are subtracted from the available quantity. The project will maintain appropriate margin at each phase, as shown:1. Phase A Concept: > 30% 2. Preliminary Design Review (PDR): > 20% 3. Conceptual Design Review (CDR): > 15% 4. Pre-Environmental Review (PER): > 10% 5. Pre-Ship Review (PSR): 2% to 5% PM Margin % that doesn’t meet the following Margin Schedule will trigger a project level risk mitigation plan, resulting in possible descope of mission objectives. From System Engineering Management Plan (SEMP): Schedule is consistent with historic NASA project trends. NASA Systems Engineering Handbook, SP-6105, 1995, says spacecraft dry mass tends to grow during Phases C and D by as much as 25 to 30 percent. JPL guidelines say that from the Phase B start to launch, growth ranged from 20% to 48%. AIAA Recommended Practice (R-020A 1999) doesn't give mass growth by phase, but by type of calculation, and has 12-30% growth allowance.

20. THEMIS MISSION PDROVERVIEW- 20 UCB, November 12, 2003 Resource Tracking & Control In order to ensure that the design will meet Mission Requirements, Systems Engineering controls the following key resources: Mass (dry mass, delta-V, propellant margin) Power Telemetry (data budget) RF Link Margin Resource Requirements have been flowed down to the Probe, Probe Carrier, and Instrument Payload in the MRD. Each Instrument and Probe Subsystem includes: Current Best Estimate (CBE), updated periodically as the design matures Contingency, based on design maturity, following schedule outlined in SEMP System not-to-exceed allocation (current CBE + contingency) documented in Mission Requirements Database Sum of not-to-exceeds is less than the System Capability providing Program Managers Margin held at UCB All Resources closely tracked throughout program Continually tracked and updated by System Engineers (Probe and Instrument) Periodically (once a month) reported to and reviewed by MSE and PM Periodically (once a month) reported to NASA Mission Manager From System Engineering Management Plan (SEMP):

21. THEMIS MISSION PDROVERVIEW- 21 UCB, November 12, 2003 REQUIREMENTDESIGN M-30: AC magnetic noise radiated by the Probe and other instruments shall not exceed the following levels at 1 meter from the Probe: <30pT/sqrt(Hz) at 1Hz; <1pT/sqrt(Hz) at 10Hz; <0.1pT/sqrt(Hz) at 1kHz; and <0.1pT/sqrt(Hz) in range 1-10kHz Compliance. Magnetic requirements, guidelines and verification plan provided in THM-SYS-002 Magnetics Contamination Control Plan. Magnetics From THEMIS Magnetics Contamination Control Plan: Figure 2-1: FGM and SCM sensitivity at the sensor location (1m and 2m respectively). Ordinate is frequency measured in Hz. Abscissa is amplitude spectral density in nanoTeslas per root Hz. Figure 2-2: AC magnetic noise level requirement (solid curves) and goal (dashed curves) at 1m from the spacecraft. Ordinate is frequency in Hz. Abscissa is amplitude spectral density in nanoTeslas per root Hz.

22. THEMIS MISSION PDROVERVIEW- 22 UCB, November 12, 2003 REQUIREMENTDESIGN M-31a: DC magnetic field generated by the Probe and other instruments shall not exceed 5nT at 2 meters from the Probe (location of FGM). M-31b: DC magnetic field generated by the Probe subsystems and other instruments shall be stable to <0.1nT at 2 meters from the Probe (location of FGM) Compliance. Magnetic requirements, budget, guidelines and verification plan provided in THM- SYS-002 Magnetics Contamination Control Plan. M-32. All THEMIS elements shall comply with the Magnetics Cleanliness standard described in the THEMIS Magnetics Contamination Control Plan. Compliance. THM-SYS-002 Magnetics Contamination Control Plan in review. Verification Matrix to be completed. Magnetics THEMIS Magnetic Cleanliness Program: Magnetics Control Board Established (Vassilis Angelopoulos, UCB; Ellen Taylor, UCB; Paul Turin, UCB; Tom Ajluni, SA; Mike McCullough, SA; David Jeyasunder, SA; Bob Snare, UCLA; Chris Russell, UCLA ) Bi-weekly meetings held to coordinate all relevant activities Main Offenders List and Preliminary Magnetics Budget Established Budgeting was based on a survey of THEMIS components and identifying the main offenders listed below in decreasing order for each group: Special considerations and activities to be taken (testing, modeling, analysis) for each of these major offenders are described in Magnetic Contamination Control Plan Magnetic Verification and Test planning in progress Hard Perm FieldsLatch valves, Thruster valves, Tanks, Motors, SST magnets Soft Perm FieldsMu metal shielding, welding Stray FieldsSolar panels, Current loops (power cables), Battery, RF components AC FieldsSolar panels, Power converters

23. THEMIS MISSION PDROVERVIEW- 23 UCB, November 12, 2003 REQUIREMENTDESIGN M-33. Quasi-DC voltages produced by the Probe and the other instruments shall not affect the quality of the EFI measurement. Compliance. ESC requirements, guidelines and verification plan provided in THM-SYS-003 Electrostatic Cleanliness Plan. M-34. All THEMIS elements shall comply with the THEMIS Electrostatic Cleanliness (ESC) Plan Compliance. THM-SYS-003 Electrostatic Cleanliness Specification signed off. Verification Matrix to be completed. Electrostatic Cleanliness From THEMIS Electrostatic Cleanliness Specification: Requirement: The maximum tolerable variation in potential across the surface of the THEMIS spacecraft, dV max, shall be 1 Volt, with a goal of 0.1 Volts Flow-down: No exposed components (solar cells, thermal coatings, boom appendages and sensors, exposed portions of instruments, spacecraft hardware, cables) shall charge to potentials in excess of the maximum tolerable variation with respect to the mean spacecraft potential, and all exposed surfaces shall be tied together into a single conductive surface. Adherence: Upper bounds on bulk resistivity and resistance to ground to meet requirement calculated: Verification: Adherence to specification is guaranteed by ESC subcommittee, consisting of EFI Lead Scientist and the MSE (at a minimum). End item verification straightforward - measuring resistance between any pair of surfaces.

24. THEMIS MISSION PDROVERVIEW- 24 UCB, November 12, 2003 REQUIREMENTDESIGN M-35. The molecular contamination of the ESA sensor shall be less than 0.01 ug/cm^2. Compliance. Cleanliness levels, bake-out and purge requirements provided in THM-SYS-004 Contamination Control Plan. M-36. The molecular contamination of the SST sensor shall be less than 0.1 ug/cm^2. Compliance. Cleanliness levels, bake-out and purge requirements provided in THM-SYS-004 Contamination Control Plan. M-37. All THEMIS Elements shall comply with the THEMIS Contamination Control Plan Compliance. THM-SYS-004 Contamination Control Plan in review. Verification Matrix to be completed. Contamination From THEMIS Contamination Control Plan (based on successful FAST program): Instrument Requirements: External cleanliness level of 500A per MIL-STD-1246B ESA & SST purged continuously, not to be interrupted for periods longer than 24 hours Non-flight covers remain installed at all possible times Spacecraft Requirements: Typically maintained at a Visibly Clean, Highly Sensitive level per NASA-JSC-SN-C-0005 Cleaned to Level 500A per MIL-STD-1246B for instrument integration, occasions when the non-flight covers are removed from ESA and SST Adherence and Verification: THEMIS Subsystem Bake-out Plan Class 100,000 clean area for integration and test Bagged w/approved material during periods of inactivity or when removed from clean area Routinely verified by visual inspection with a white lamp per NASA-JSC-SN-C-0005, Revision C

25. THEMIS MISSION PDROVERVIEW- 25 UCB, November 12, 2003 REQUIREMENTDESIGN M-39. All THEMIS Elements shall be compatible per their ICDs Compliance. Most flight system ICDs signed off or in final review cycle. Verification Matrices to be completed. Interfaces Electrical ICDs (Instrument to IDPU) THM-SYS-103 EFI Digital Fields Board-to IDPU ICDRev BSigned Off THM-SYS-104 EFI Boom Electronics Board-to-IDPU ICDRev BSigned Off THM-SYS-105 ESA and SST Electronics Card Spec (ICD)Rev AIn Review THM-SYS-106 FGM I/F Requirement Document (ICD)Rev BIn Signature Cycle THM-SYS-107 SCM Interface Control Document (ICD)Rev -In Signature Cycle Mechanical ICDs (Instrument to Probe) THM-SYS-108 Probe-to-EFI Radial Booms ICDRev BIn Signature Cycle THM-SYS-109 Probe-to-EFI Axial Booms ICDRev BIn Signature Cycle THM-SYS-110 Probe-to-SST ICDRev BIn Signature Cycle THM-SYS-111 Probe-to-FGM Mag Boom ICDRev BIn Review THM-SYS-112 Probe-to-SCM Mag Boom ICDRev BIn Review IDPU to Probe Interface THM-SYS-101 IDPU/ESA-to-Probe ICDRev FSigned Off Flight to Ground ICDs THM-SYS-102 Command Format SpecificationRev AIn Review THM-SYS-115 Telemetry Data Format SpecificationRev CIn Review From THM-SYS-000 Document List:

26. THEMIS MISSION PDROVERVIEW- 26 UCB, November 12, 2003 REQUIREMENTDESIGN M-40. All THEMIS components shall verify mission performance requirements are met per the Verification Plan and Environmental Test Specification Compliance. Verification method documented for each requirement in MRD. Reference to THM-SYS- 005 Verification Plan and Environmental Test Specification - preliminary draft released. (Swales Lead). Will be signed off by CDR. Test and Verification From THEMIS Systems Engineering Management Plan: Verification Program Applies to all technical requirements stated in MRD and associated documents Each item in MRD has fields for verification method, procedure, and result All associated documents will include verification matrix, containing same criteria InspectionProcess of measuring, examining, gauging, or otherwise comparing an article with specified requirements. AnalysisAnalysis is defined as the mathematical or physical interpretation of simulation data or test data. DemonstrationDemonstration is defined as those measurements of a system or equipment taken in the field in which actual or representative environments and external stimuli are used, with recording of information individually or cumulatively to correlate events with time and stress. TestTests are defined as measurements made under fully controlled and traceable conditions using simulated environments and external stimuli, as well as those measurements of a system or equipment taken in the field in which actual or representative environments and external stimuli are used. Verification Methodology Verification of requirements is by inspection, analysis, demonstration, test or combination Tasks for each method include: establishing the criteria; preparing plans and procedures; implementing; and documenting the results. Verification Levels Verification will be performed at one or more of following levels: Assembly, Subsystem, Element, Space Segment

27. THEMIS MISSION PDROVERVIEW- 27 UCB, November 12, 2003 REQUIREMENTDESIGN M-41. All THEMIS components shall survive and function prior to, during and after exposure to the launch and space environments described in the Verification Plan and Environmental Test Spec. Compliance. THM-SYS-005 Verification Plan and Environmental Test Specification preliminary draft released. (Swales Lead). Will be signed off by CDR. Verification Matrix to be completed. Test and Verification From THEMIS Systems Engineering Management Plan: Verification Plan and Environmental Test Specification Document shall define the environmental test tolerance limits at each level of assembly Contains the parameters associated with environmental tests and analysis planned, including: Test conditions (i.e. temperature, cleanliness) Environmental levels Durations Functional operations Safety and contamination precautions Instrumentation Procedure/Report Requirements Parameters apply to the following tests described in the specification: Shock test requirements Acoustic excitation levels Qualification and acceptance vibration test levels Electromagnetic test levels Thermal and thermal vacuum test profiles including hot and cold soak durations, transitions, etc. Life testing

28. THEMIS MISSION PDROVERVIEW- 28 UCB, November 12, 2003 Test and Verification REQUIREMENTDESIGN M-42. All THEMIS components shall be tested per the Comprehensive Performance Test (CPT), at the times defined in the I&T Test Flow. Compliance. CPT planned and called out in I&T flow. From Swales I&T Flow - RevB: From THEMIS Systems Engineering Management Plan: Systems Engineering is responsible for preparing the CPT. The purpose of the CPT is to ensure that the Instrument Payload and Probe Bus are completely functionally tested and ready for environmental tests. It is also used as part of the validation process during environmental tests. This plan combines all test plans associated with the Probe, and is based on the tests identified in lower level Instrument Calibration Plans….

29. THEMIS MISSION PDROVERVIEW- 29 UCB, November 12, 2003 REQUIREMENTDESIGN M-43. THEMIS shall be compatible with a Delta II 2925-10 Compliance. KSC Mission Manager assigned, bi- weekly telecons started. M-44. Within the schedule cap (March 2007), the THEMIS launch date shall not be restricted Compliance. Orbit design is independent of launch date. Safe State thermal and power analyses for any time in the year still to be verified. M-46. The fundamental frequency of the Probe Carrier Assembly (Probe Carrier + 5 Fueled Probes) in launch configuration shall be greater than 15 Hz lateral, 35 Hz axial. Compliance. Ref PB.Mec-11: See FEM results, probe 1 st mode is 43.7Hz. Ref PC-7: See FEM results, PCA 1 st lateral mode is 18.29Hz, 1 st axial mode is 48.27Hz. For components reference Environmental Spec design requirements (Stowed >75Hz, Deployed >0.25Hz). M-47. The Probe Carrier Assembly (Probe Carrier + 5 Fueled Probes) shall comply with the LV c.g. location and principal axis misalignment requirements. Compliance. Ref PC.Mec-9: PC balanced to max CG within 1.3 mm (0.05in) of centerline. Ref PC.Mec-10: PC balanced to max principle axis misalignment <0.25 deg. M-62. The Launch Vehicle shall despin (if necessary) the Probe Carrier to less than 15 RPM (TBR) prior to probe deployment. Compliance. Separation analysis run for 15 RPM +/-5 RPM uncertainties due to launch vehicle performance specification. M-63. The Launch Vehicle shall provide a separation signal to the Probe Carrier to indicate when the five probes should start the separation sequence. Compliance. Discussion w/ KSC on-going. Launch Vehicle

30. THEMIS MISSION PDROVERVIEW- 30 UCB, November 12, 2003 Error Budgets Level 1 requirements flow down directly to Instrument performance requirements In addition, an overall error budget is developed to ensure Level 1’s will be met From THEMIS Error Budget: Driving requirement on pointing stability. S-8: Determine the cross-current-sheet current change near the current disruption region at substorm onset … using the planar current sheet approximation with relative (inter-probe) resolution and inter-orbit (~12hrs) stability of 0.2nT. Inter-orbit stability over 12 hours shall be <0.2nT (relates to FGM sensor only) IN.FGM-3a: The relative stability of the FGM shall be less than 0.2nT over 12hrs Inter-probe resolution shall be <0.2deg (relates to knowledge only) ACS knowledge (FGM internal) shall be <0.1deg (Bx and By) GS-SOC-13: ACS knowledge (FGM-to-spin axis) shall be estimated to within 0.1 degree every hour using ground-based processing; and IN.FGM-3b: The relative stability of the FGM shall be less than 0.1nT over 1hr Mechanical/thermal stability shall be <0.1deg IN.BOOM-2: Magnetometer Boom stability shall be better than 0.1 degree (includes boom and bus components, i.e. sensor mount to boom, boom thermal stability, boom mount to bus, thermal stability of deck) Driving requirements on absolute time. Level 1 science objective of onset and evolution of substorm instability to within 30 seconds; the onset time of the auroral breakup, current disruption and reconnection should all be known to within 10 seconds. With a 3 second cadence due to the spin period on the 3 probes in the current disruption region, error on the absolute time must be less than 1 second PB.CDH-44: The C&DH subsystem shall maintain Coordinated Universal Time (UTC) with an accuracy of +/- 0.5 sec. Requirement drives the accuracy of the C&DH oscillator. Oscillator drift then drives how often the probes must be contacted to update the on-board time.

31. THEMIS MISSION PDROVERVIEW- 31 UCB, November 12, 2003 Error Budgets From THEMIS Error Budget: Driving requirements on absolute knowledge: S-6. Track between probes the earthward ion flows (400km/s) from the reconnection site and the tailward moving rarefaction wave in the magnetic field…with sufficient precision of… B to within 1nT… Requires absolute FGM orientation on one probe to 1deg (translated from 1nT in 10nT field, near the current sheet where flows and current disruption measurements are made). Bus stability (Probe Z axis-to-Izz principle axis) and Magnetometer drift (drift is 0.2nT/300nT, or <0.03 deg, at perigee) are considered negligible 1 degDescriptionRequirement 0.1 degACS knowledge (FGM- to-spin axis) GS-SOC-13: ACS knowledge (FGM-to-spin axis) shall be estimated to within 0.1 deg every hour using ground-based processing; assuming IN.FGM-3b: The relative stability of the FGM shall be <0.1nT over 1hr 0.5 degACS inertial knowledge (spin axis-to-Probe Z axis) GS-SOC-14: ACS knowledge (spin-to-Probe Z axis) shall be estimated to within 0.5 deg using ground-based processing; assuming IN.BOOM-1: Magnetometer Boom deployment shall be repeatable to 1 degree, 3 sigma. 0.1 degStability: Contribution from probe magnetics M-31b: DC field stability of the Probe and other instruments shall not exceed 0.1nT at 2 meters from the Probe (location of FGM sensor). 0.1 degStability: Contribution mechanical, thermal IN.BOOM-2: Magnetometer boom stability shall be better than 0.1 deg (includes boom and bus components, i.e. sensor mount to boom, boom thermal stability, boom mount to bus, bus thermal stability) 0.1 degAccuracy: Time tagIN.DPU-32: The IDPU shall time-tag DFB and FGM data to <0.5 ms (0.1 deg equivalent to 0.83ms for 3 sec spin period)

32. THEMIS MISSION PDROVERVIEW- 32 UCB, November 12, 2003 REQUIREMENTDESIGN M-6. THEMIS Probe 3 or 4 shall be capable of replacing any other probe during the minimum mission Compliance. Replacement margin (>50%) has increased considerably since CSR with optimized mission design. Note: P3/P4 replacement of P1 does not have to take it through a second year (since minimum mission is obtained in one year). Forward runs for replacement strategies still to be completed. M-7. Each Probe shall have a viable safe-state after carrier separation Compliance. Preliminary analyses show viable safe- state (thermally safe, power positive) for nominal launch date. Additional analyses to be completed for launch any day of year. M-8. THEMIS Probes shall implement Failure Detection and Correction (FDC) Compliance. Selective autonomy in detecting and correcting faults has been implemented in design (i.e. thruster shut-off). Fault Tolerance From THEMIS Maneuver Calculator – Replacement Strategy:

33. THEMIS MISSION PDROVERVIEW- 33 UCB, November 12, 2003 REQUIREMENTDESIGN M-5. To the maximum extent possible, THEMIS operational system shall be designed to be single fault tolerant and still meet minimum mission success criteria Compliance. Single point failures, reliability and possible failure modes have been assessed through Fault Tree Analyses, PRAs, and preliminary FMECA. In addition, THEMIS is inherently single point tolerant by virtue of M-6, constellation redundancy and use of on-orbit spare. Fault Tolerance Fault Tree Analysis Validates and depicts analyzed relationships between probe components and subsystems and associated “block” failure, regardless of cause Fault Tree Analysis completed in Phase A continues to be valid due to little system architecture change Probability Risk Assessment (PRA) Evaluates the likelihood of entering potential failed states Preliminary PRA performed to trade internal bus architecture and validate reliability related to minimum and nominal mission lifetime requirements Component-Level PRA (worst-case electronics board) performed in Phase B on Instrument Payload Component-Level PRA will be performed in Phase B (prior to CDR) on flight system after all vendors are selected Failure Mode Effects and Criticality Analyses (FMECA) Determines potential failure modes, data points required to detect them, and steps that should be taken to mitigate them Preliminary FMECA performed (THM-SYS-007 THEMIS Failure Modes Effects and Criticality Analysis) One-day FMECA Technical Interchange Meeting (TIM) with all technical leads scheduled

34. THEMIS MISSION PDROVERVIEW- 34 UCB, November 12, 2003 Fault Tree Analysis

35. THEMIS MISSION PDROVERVIEW- 35 UCB, November 12, 2003 Probability Risk Assessment PRA String Model used to obtain mission reliability values Conservative component reliability data from vendors and internal electronics database used to generate individual failure rates Mission reliability:

36. THEMIS MISSION PDROVERVIEW- 36 UCB, November 12, 2003 FMECA Objectives and Process FMECA main objectives Verify redundant paths are isolated or protected such that any single failure that causes the loss of a functional path shall not affect the other functional path or the capability to switch operation to that redundant path Verify system has no single or redundant interface failure mode, which could affect safety of personnel, or cause catastrophic failure of the launch vehicle Verify any single point failure have sufficient reliability so as to not compromise the probability of mission success Identify existing methods of failure detection and any possible need for new methods Identify any failure modes that may be time critical for corrective action FMECA process Performed at subsystem interface level for functional elements (Power, Data, Thermal, Software, Mechanisms) using block diagrams traceable to FMECA worksheets (JPL tool)

37. THEMIS MISSION PDROVERVIEW- 37 UCB, November 12, 2003 FMECA Worksheet COLUMN HEADERDEFINITION FMECA Item CodeUnique number assigned to the functional interface under analysis. InterfaceConcise statement of the functional interface. Potential Failure ModesConcise statement of each failure mode possible. Potential Failure EffectsEffects of the failure mode on component, subsystem, system, or LV. Severity (Sev)On a scale of 1-10, the severity of each failure (10=most severe). Potential CauseConcise statement of the potential cause(s) of the interface failure. Probability (Prob)On a scale of 1-10, the probability of the failure occurring. Current Design ControlsExamination of the current design as applied to the failure mode. Specifically includes: the detection method for each failure mode; action that may be taken in the event of the failure; description of alternate means of operation; and/or redundancy available after a failure. Detect-ability (Det)On a scale of 1-10, the ability to detect if the failure occurred. Risk Priority NumberThe combined weighting of severity, likelihood, and detect-ability. Recommended ActionConcise statement of response plan as required. Responsibility and Target Completion Date Identification of person responsible to implement response plan by a specific milestone. Action TakenConcise statement of action that was taken. New Sev, Prob, Det, FPNRe-evaluation of failure mode.

38. THEMIS MISSION PDROVERVIEW- 38 UCB, November 12, 2003 FMECA Results Category Definitions Category 1 failures include loss of all Probes or potential catastrophic effect on launch vehicle. FPN above 200. Category 2 failures included loss of one Probe, or significant (de-habilitating) problems. FPN of 20-200. These failures include loss of core functions on one Probe (power distribution, data collection, etc.) Category 3 failures included significant degradation of baseline science mission. FPN of 10- 20. These failures included timing, experiment quality and thermal considerations. Identification of Problem Areas Category 1 Failures: None. Only potential single point failure is the separation signal not triggering release or triggering an inadvertent separation of a probe or probes during ascent Current design control: two of three inhibitors to release a probe Recommended action: design must be extensively reviewed and tested Category 2 Failures: Single-string system results in numerous category 2 failures Current design controls: selected redundancy and graceful degradation where possible (Examples: redundant mag boom deploy, stability proven for one wire boom failure, failed attenuator does not effect minimum science, selective board level redundancy, i.e. either DFB ADC can fail, switch in the redundant, cross-strapped, ADC) Recommended actions: identification of critical item list and mitigation techniques Category 3 Failures: Complete loss of an instrument and specific elements of system design that could effect quality of all sensor data result in some category 3 failures Current design controls: science resilience (minimum mission can still be accomplished with partial or total loss of one or more sensors on different probes), timing analyses, contamination control plans, redundant thermal paths

39. THEMIS MISSION PDROVERVIEW- 39 UCB, November 12, 2003 FMECA Results Critical Items List Significant aspect of the potential cause or mechanism of Category 2 failures. Circuit elements are studied from the critical items list and, on a case-by-case basis, the best method for adding redundancy or ensuring reliability is recommended (see Worksheet). THEMIS Critical Items List (in decreasing order): 1. Separation Signal; 2. Receiver; 3. Transponder; 4. BAU Coldfire; 5. IDPU 8085 6. FPGAs; and 7. FETs Failure Prevention and Mitigation Techniques Analysis Techniques Parts Stress Analysis (PSA): examines all of the components in a circuit to ensure parts operate within their prescribed guidelines under all input conditions assuming standard derating criteria (change in Power Supply voltage, change in temperature, change in load, etc.) Worst-Case Analysis (WCA): looks at lifetime and performance issues and is appropriate for circuits whose performance degradation cannot be reasonably compensated for Board-Level Thermal Analysis: detailed look at parts placement on a circuit board; power consumption; conductivity between part leads and part junction; conductivity of circuit board and housing; and reference plate temperature to derive predicted junction temperatures Timing and Frequency Simulations: simulates FPGA performance under given set of test vectors to ensure adequate timing margin, etc. exists in the design Test Techniques Voltage Margin Testing: varies the operational voltage and the operational temperature to values outside those specified Frequency Margin Testing: clock signals are run from an external function generator and rise time, frequency, and symmetry are adjusted over approximately a 10% range

40. THEMIS MISSION PDROVERVIEW- 40 UCB, November 12, 2003 Risk Management Continuous Risk Management Lessons Learned database reviewed SAI-PLAN-0618 Probe Bus and Probe Carrier Continuous Risk Management (CRM) Plan completed Swales using web based tool PRIMX for managing risks UCB Risk Management Plan in progress with help from GSFC Project uses 5x5 matrix (ranking 1-5 probability and impact) to assess risks Risk Reporting UCB will have access to Swales PRIMX tool Probe and Probe Carrier top 10 risks will be reported to UCB monthly Report combined with UCB top 10 risks and reported to GSFC Explorers monthly Project specific risks will be presented during Confirmation Assessment Review (CAR)

41. THEMIS MISSION PDROVERVIEW- 41 UCB, November 12, 2003 From THM-SYS-011 Configuration Management Plan: Configuration Identification Provides schedule of data and document release to facilitate interface and interaction between subsystems and subcontractors Configuration Accounting Controlled document, drawing and schematic revisions, ensure formal review process for changes, maintain history Engineering database control using PDMWorks TM Security: password protected, typical UCB network protection Controlled Access: only authorized user can view, add or delete (Read, Write permissions), only one owner at any one time has ability to change document and check it back in Controlled Revision: automated revision control and history tracking, all previous revisions kept within database Accountability: maintains log of all persons responsible for any change, addition, or deletion to the database Configuration Assurance and Verification Accomplished by end-item inspection and documentation review to determine product compliance with the latest approved baseline Responsibility relies mainly with the MAM The THEMIS Performance Assurance and Implementation Plan (PAIP) provides the plans for inspection and test, requirements for end-item acceptance, and procedures for numbering and serializing accepted parts, subassemblies, and assemblies Configuration Management

42. THEMIS MISSION PDROVERVIEW- 42 UCB, November 12, 2003 From THM-SYS-011 Configuration Management Plan: Configuration Control Formal change approval/disapproval implemented to protect against uncoordinated/ unauthorized change Change process involves an Impact Assessment (IA) followed by a formal approval process. The IA is attached a System Change Notice (SCN) and submitted to the Configuration Control Board (CCB) for approval. Impact Assessments (IAs): Includes rationale for a change to baseline, summary of impact System Change Notices (SCNs): Prompts a systematic evaluation of the proposed changes Problem Failure Reports (PFRs): Initiated after a problem is found, documents impacts, assesses alternatives and provides recommended courses of action Configuration Control Board (CCB) used for Level 1,2,3 changes Subsystem trades (level 4) can be made within the resources of the subsystem. Systems Engineer insight and involvement. Trades that impact subsystem/system interfaces or resource allocations (level 3/level 2) require concurrence by the Configuration Control Board (CCB): Principal Investigator, Project Manager, Mission Systems Engineer (MSE), Probe Systems Engineer, Mission Operations Manager and affected Team Leads. GSFC Mission Manager insight. Trades that impact Level 1 baseline science/programmatic requirements must include approval by Principal Investigator and GSFC Mission Manager. Trades that impact Level 1 minimum science/programmatic requirements must include have approval by NASA HQ. Configuration Management

43. THEMIS MISSION PDROVERVIEW- 43 UCB, November 12, 2003 System Change Notices SCN 001 Propulsion Tank Size Change Initiated to improve propellant margins by 11.5% Required EFI spin plane booms to be ‘canted’ by small angle Increased propellant load from 34.52 to 38.7 kg Approved SCN 002 Separation System Change Initiated to ensure separation system met timing requirement Required heavier pyro activated clamp band Increased Probe Carrier mass allocation from 103 to 122 kg Approved SCN 003 Thruster Size Change Initiated to improve maneuver efficiency Required dynamic instability analysis (Fuel Slosh and Boom Wire “Wiggle”) Increased Thrusters from 1N to 5N Approved SCN 004 SST Envelope Increase Initiated to ensure full SST FOV is accommodated Required reduction in minimum static clearance between probes kept by Swales (3.8 in vs. 4 in) Approved SCN 005 ACS Stability Initiated after recent dynamic simulations Requires further verification of mass properties and analyses If problem does exist, axials can be shorted or radials lengthened with little system impact On-going