Workshop Location: RAYTHEON FACILITIES, WACO TEXAS

Workshop Date: May 7, 1997

Representatives from USRA, Raytheon E-Systems, United Airlines, SOFIA Project Office and the Science Instrument Certification Working Group (SICWG) were present. The science community was represented by the SICWG and nine individuals representing seven interested science instrument teams. The SICWG (formally called the FAA Science Advisory Group) consists of Bob Pernic (University of Chicago), Andy Harris (University of Maryland), George Gull (Cornell University), George Voellmer (GSFC), and Ray Russell (Aerospace Corp.). The Raytheon and United representatives at the workshop included FAA Designated Engineering Representatives (DER) and Designated Assurance Representatives (DAR), who explained the FAA's requirements with respect to the science instruments (SIs).

It is the intent and position of all parties (mentioned above) to provide the simplest solution to achieve safe, certifiable and effective SIs for SOFIA. Personnel from Raytheon and United, who will be identified to SI builders after the award of SI development contracts, will assist by providing information on FAA issues upon request from the builders. Such inquires will be routed in a manner enabling questions and answers to be disseminated to other instrument builders. This procedure should ease the burden inflicted on the few individuals at Raytheon and United identified for such tasks.

A number of conclusions resulted from this workshop:

1. The first round of SIs will be certified under the same FAA Supplemental Type Certificate (STC) as for the SOFIA observatory. This means a schedule of events will need to be adhered to by SI builders, so their SIs are ready for certification before the observatory is certified (May 2001). (Note: Once the initial instruments are selected they will be added to the STC application for the SOFIA observatory. SI progress will be reported at the SOFIA FAA Type Board meetings during development.)

2. Specific practices, procedures and reviews must be meet by the SI development teams. (These will be discussed in detail in the "strawman" process that follows.)

3. Each SI as a whole will need to be FAA certified for the STC. However, only parts of an SI will have to be certified under the "essential equipment" category, most of an SI and related equipment will be characterized non-essential. Essential equipment is defined as those components which form an integral part of the airframe and directly form an interface between the cabin environment and atmosphere. They will include the mounting flange and the instrument support structure. Essential equipment must maintain their integrity throughout the range of conditions specified in the FAR Part 25, but non-essential equipment need only be shown to be safe (i.e., not result in projectiles or hazards such as toxic gases) in order to be certified. All parts of an SI which are completely and securely contained within an outer enclosure (e.g., a cryostat) will be considered non-essential.

Outline of the FAA Procedure (a strawman):

The following is a procedure which a builder may wish to review in order to better understand the certification process and milestones. This strawman is subject to changes as they become apparent.

An SI builder must:

(i) Do a preliminary design of whole SI and telescope interface.

(ii) Design in more detail all parts of the SI which are considered "essential", including the SI mechanical structure/ support fixture and attachment to telescope interface.

(iii) Do an FAA approved structural analysis ( finite analysis or closed-form solution) of 1 & 2 to determine if the requirements for loads as given in FAR Sec. 25.365 and 25.561 are met (see this web-site).

(iv) Produce basic drawings of 1 & 2 and include changes based on analysis. Drawings should be complete showing as much of the production processes as possible. An example of a process for a tapped hole would be: Drill all holes 3/4 inch deep using number (7) drill - tap 1/4-20 to a clear thread depth of 1/2 inch. Processes can be called out in separate text. These process are very important for it is the specification used to check conformity once the part is manufactured. Naturally processes which conform to accepted practices are best, many of which can be supplied by Raytheon. It is also important to state the source of the process if possible. (i.e., per standard machinist handbook, per mil standard XYZ etc.). A good designer is worth his or her weight in gold at this point. All process specifications used must be FAA approved, just like the drawings. The shops performing the processes must be capable of meeting the requirements called out in the process specifications.

(v) Hold a Certification Preliminary Design Review (CPDR) with a Raytheon Designated Engineering Representative (DER). This will involve a trip to Raytheon in Waco, Texas and is for your SI and mounting structure only (not your SI rack). At this time the DER will confirm that all FAA essential parts of your SI have been correctly identified. It is also at this point that the critical processes will be identified, and necessary documentation, proper materials, fasteners and procedures for things such as welds etc., will be discussed and specified.

(vi) Start a "build-to-design" documentation package which should contain a procedure for inspection of the certifiable part of your SI, which can be used by yourselves and others to determine if parts have been constructed per drawings and processes.

(vii) Hold a Certification Critical Design Review (by Feb. 1999). At this time all build-to-design drawings, processes and any specifications for tests the DER and /or FAA require for engineering approval will be reviewed. Once FAA Design Engineering Approval has been granted, actual building may begin.

(viii) Start to build:

a: Order material and hardware for those SI parts identified in the CPDR which need to be built from materials and parts to be purchased from suppliers which can provide a paper trail certifying that each part meets FAA standards and quality assurances. Best providers will be those that regularly supply the aircraft industry and are located through out the country especially near airports. A list of suppliers specializing in small quantities will be compiled and distributed to interested builders. It is essential that these raw materials be stored in a manner preventing mixing with uncertified materials. One should expect that these storage facilities and your records will be inspected by a DAR from Raytheon.

b: Identify certified machine, welding and other process shops which can build to the FAA approved SI drawings.

c: Inspection of critical parts by a DAR. These parts would have been identified at the CPDR and will be inspected at the discretion of the DAR.

d: Assemble SI (including the SI mechanical support structure).

e: Hydrostatic testing of cryostats at Raytheon or the SOFIA Science and Mission Operation Center (SSMOC: N211 at Ames). The cryostat will have to be shipped for this procedure.

(ix) A DAR grants FAA Conformity Approval of the SI (including the SI mechanical support structure) with respect to the certified design (before May 2001).

The proposer should assume that Raytheon will provide for the cost of their testing and advising (formal and informal), including travel to builders institutions. But the proposer should estimate the costs for travel to Raytheon E-Systems in Waco Texas for CPDR (and related trips) and CCDR, and the costs related to the shipment of cryostats for hydrostatic tests. Assume the DAR will travel to the builder's institute for inspections and for the Conformity Approval Review.

Other Topics Discussed at the Workshop:

CRYOGENICS:

All cryogenic dewars will be equipped with burst valves on each reservoir and the vacuum case; it is impractical to assume the optical window will reliably burst first. These valves will provide a controlled release of gas at sufficiently low pressures assuring the level of safety required. Valves will be selected and provided by USRA or Raytheon to the SI builder, assuring conformity among the community. It will be standard procedure to connect vent hoses to the burst valve on the case and on the fill tubes of each reservoir when the instrument is mounted in the aircraft in flight. The hoses will vent boil-off overboard in a controlled manner (via pumps if desired for the reservoirs). Safety procedures will be developed to avoid "ice plugs" during the various phases of flight for each individual instrument. This set-up will allow for straight forward certification of cryogenic systems. However, it must first be shown that the required telescope pointing performance can be achieved with three attached hoses.

ELECTRICAL:

Designating the SI electronics as nonessential equipment greatly simplifies its areas of interest to the FAA: primarily how the SI can interfere with flight instrumentation and personnel safety. For the electronics in essentially all SIs this boils down to electrical system sizing, fire worthiness, and the conducted and radiated power from the instrument to the aircraft.

(Note: The FAA is concerned with the SI electronics ability to function in the aircraft only if the SI documentation to the FAA includes SI operational specs. The builder can refer to document AC 25-10 which describes a process found acceptable to the FAA for certifying non-essential electrical equipment.)

A power analysis must show that the SI will not overload the 60 Hz power supply provided by the MCCS. (This may actually be a systems requirement, rather than an FAA requirement, since SI instruments are not connected directly to aircraft power but to a 400 Hz to 60 Hz converter which must itself protect aircraft power.) Documentation and possible tests for verification of average and peak power loads, wire sizing, wire materials, and fusing, will almost certainly satisfy the requirements. All tests needed for FAA certification will need to be FAA approved, witnessed and conformity inspections performed. The FAA may choose do one or all of the above themselves or delegate to the appropriate DER or DAR. DERs may approve test plans and results and witness testing, if the FAA so delegates, and the DAR may approve conformity if so delegated.

MATERIALS:

Wiring and circuit materials should be self-extinguishing either by material choice (preferred; e.g. Teflon wiring, standard circuit board material) or by enclosure in metal boxes that are sufficiently airtight to extinguish any fire that might break out from component failure. The FAA has certified aircraft that have UL-approved commercially packaged and assembled equipment without difficulty. Since the SI electronics are nonessential equipment, the FAA has no requirement that the parts function properly at the components level (i.e., commercial or industrial grade parts are fine) as long as they meet the safety requirements.

EMI/EMC:

Electromagnetic Interference and Compatibility (EMI/EMC) is an area which has caused much concern for the proposers. Again, from the FAA side, since the equipment is nonessential, the concern is only that conducted and radiated signals from the SI not interfere with flight or personnel safety. For conducted interference, standard good practice filtering on power supplies (e.g. line filters) will almost certainly provide adequate decoupling from the aircraft's systems, and the MCCS power converter's buffering provides yet another layer of isolation.

Radiation from computers, high-speed data links, motors, and microwave components in heterodyne systems do not seem to be an overwhelming problem if the instrument builder is reasonably careful about shielding, filtering, and decoupling. The concern on commercial flights is that passenger devices are untested and used in an uncontrolled way; our preflight testing insures that this is not the case. Well-grounded metal instrument cases, commercial filtering feedthroughs, and semi-rigid cable for microwave coherent signals are likely to prevent most problems. The real test is whether any SI subsystems interfere with aircraft systems in flight. Ground tests in the aircraft after installation, characterization in the Science Interface Laboratory (SIL) before installation, and some laboratory tests may indicate potential problems, if any, but the FAA approved ground or flight test is the only one used for certification. A very rigorous program could include laboratory tests in anechoic shield chambers to industrial guidelines (RTCA/DO-160C Section 21), which will help in instrument design and debugging, but there was no feeling that this should be part of development for typical SI electronics. Limited industrial experience indicates that commercial equipment which meets FCC requirements for radiation and interference causes no problems on aircraft as long as they are not close to sensitive points; the intention is to keep SI stations far from sensitive areas [although there is an antenna on the aircraft belly directly below the telescope opening and possibly nearby on the top].

The facility cabling between the telescope and SI station will be properly shielded. These cables and connectors will be discussed with the community and specified as soon as possible. Building equipment that does not break the shielding integrity of this system (e.g. using matching connectors into shielded boxes) will relieve the instrument builder of testing for radiation from long interconnection cable runs. Use of this cable bundle is likely to be a requirement for telescope balancing reasons in any event.

As a guide, typical frequency bands for 747SP receivers (Rx) and transmitters (Tx) are:

As a parenthetical SI susceptibility note: the HF transmitter can be in the hundreds of watts range; VHF communication and navigation transmitters in the tens of watts; and radar and altimeters in kW range but directional and shielded.

LASERS:

Radiation from lasers and other coherent sources, in addition to not interfering with flight safety, must meet existing safety standards for eye protection and power density limits to protect personnel. Free-space beams with sufficient power to melt or burn must be completely enclosed in nonflammable structures that attenuate the power to safe levels over the generator's range of operating frequencies.

BATTERIES:

Batteries must not produce dangerous amounts of explosive gas and must be mounted in a way that potential high temperatures under charging or short-circuit conditions do not cause fire or burn hazards.

INTERLOCKS:

The FAA requires pressure or other interlocks to prevent arcing in the event of cabin decompression for devices with high voltage (CRTs, also PZTs, lasers, and their supplies). This requirement will be taken into the MCCS and need not be satisfied by individual SIs. (The corollary to this is that instrument builders should expect that SI line power will be cut without warning in the event of sudden loss of power, decompression or other emergency situations.)

GAS HAZARDS:

Small amounts of toxic or otherwise hazardous compressed gases for calibration and lasers may be maintained in completely sealed systems capable of containing any possible internal pressure. The amount of gas contained in breakable parts of the apparatus (e.g. glass laser tubes or gas cells) must not be hazardous when released into the cabin if the container breaks. Larger amounts of nonflammable gas may be necessary for backfilling helium cryostats in the event of vacuum pump failure and for flowing-gas laser use.

INSPECTION:

A set of installation and operating procedures must be developed by the builder to aid in the installation inspection. These will be used by United Airlines inspectors before each flight. It is important that these do not contain any information relating to instrument performance or specification to be met. If such procedure or specification is given the inspector will be obliged to inspect for compliance. Installation and removal procedures of the instrument from the aircraft, routine maintenance and emergency handling procedures should be documented and readily available.

This report has been written and respectfully submitted by the following members of the SICWG. Questions or omissions should be brought to the attention of the chairman.

Andrew Harris

George Gull

George Voellmer

Robert Pernic - chairman <pernic@yerkes.uchicago.edu>

Note: As guides and illustrations, FAA documents relating to EMI/EMC, FAA approved processes for fasteners, and the advisory circular offering guidance for installation of miscellaneous, non-required electrical equipment will be sent to those who have submitted their Letter of Intent to build a SOFIA SI. The documents to be sent are:

FAA advisory circular AC-25-10

CTAS process specification - Hi-Lock Fastener

Sections of RTCA document No.DO-160C