U.S.

ARMY FUZE MANAGEMENT OFFICE

An Overview Of The U.S. Army Fuze Safety Review Board (AFSRB)

55th NDIA Fuze Conference Salt Lake City, UT
Presented By: Chris Janow Chief US Army Fuze Management Office (AFMO) 973-724-5438 [email protected]

Army Fuze Safety Review Board

Chairman of AFSRB was requested to brief conference on how to get a program through the AFSRB successfully. Answer..

Army Fuze Safety Review Board

Design and test the fuze properly!!!!

AGENDA

AFSRB Overview Generic Guidelines ESA Guidelines Command Arm Fuzing Origin of the 500 Volt Requirement MIL-STD-1316F and STANAG 4187 Edition 4 New ARSRB Guidelines

Army Fuze Safety Review Board

Charged with reviewing fuzing systems and hand emplaced munitions to assure acceptable safety exists and residual risks are properly described in system safety risk documents.

In existence since late 1960s Authority: AR 385-10, Army Safety Program AR 700-142, Type Classification, Materiel Release, Fielding & Transfer Chartered by CG, Army Materiel Command (1995) AFMO responsibility to operate in charter and AR 70-1, Army Acquisition Policy

AFSRB PERSONNEL
Larry Borshard Jeff Fornoff George Vinansky David Shigure

SOFTWARE SAFETY ARMY PUBLIC HEALTH CMD

E3 SYSTEM DESIGN

Dan Gutierrez Tony DiGiacomo Bill Pottratz

ARMY
FUZE SAFETY REVIEW BOARD

Brian Travers
John Banks Frank Papano Sean Bonney Brian Mary Chris Janow

ENERGETICS
ARDEC SAFETY
ORDNANCE TESTING

AMCOM SAFETY

ELECTRONIC Stew Genberg DESIGN EOD

Wilfred Cruz Keith Gunn Gene Henderson Dwaine Shaw

TRADOC ARL CHAIRMAN EXECUTIVE

HUMAN FACTORS
AMRDEC/ AMCOM JMC ARDEC AMC TECHNICAL ADVISOR

Bob Hubal
Ken Rose/Bill Edmonds

Homesh Lalbahadur SECRETARY

VOTING MEMBER

What Does The AFSRB Do?

Performs a safety review of fuze designs by an independent panel of experts

Appraises level of safety inherent in the design Ensures acceptable level of safety is present in final design

Presents findings and recommendations to PM Issues Safety Certifications

Initial Safety Certification issued at request of test agency or project team (non mandatory) Interim Safety Certification issued prior to Type Classification to allow beginning of initial production (mandatory) Final Safety Certification issued prior to Materiel Release to allow fielding (mandatory)

AFSRB Certifications

Safety Certifications Only apply for the specific fuze configuration under review and for that specific application Some contractor and DOD personnel guilty of implying to potential customers that a previously certified fuze design will automatically receive certification in a different application. NOT NECESSARILY TRUE!!!! There is no guarantee that a previously approved design will be acceptable for a new or different application.

What Items Are Reviewed?

Any new fuzing system design or fuze procured by the Army Any modification (product improvements or materiel changes) of existing fuzing system designs that affect the fuze safety system or a safety critical item A new application of an existing fuzing system Fuzes adapted for Army use from other U.S. Military Services

Foreign fuzes for U.S. Army applications

Fuzes for Non-Lethal Weapons as deemed necessary by the appropriate Safety Office (based on hazard/risk) All hand-emplaced ordnance as deemed necessary by the Chairman of the AFSRB

What Is The Basis For The AFSRB Review? STANAG 4187, Edition 4, Fuzing Systems - Safety Design Requirements
Mil-Std-1316F, Fuze Design, Safety Criteria For

STANAG 4497, Hand-Emplaced Munitions (HEM), Principles for Safe Design

Mil-Std-1911A, Hand-Emplaced Ordnance Design, Safety Criteria For

STANAG 4157, Edition 2, & AOP-20, Tests for the Safety Qualification of Fuzing Systems
Mil-Std-331C, Fuze and Fuze Components, Environmental and Performance Tests For

Experience

AFSRB Process

Prior to MS B Prior to MS C Prior to MR

Read ahead Briefing Experience Standards Guidelines

Start

Army Sponsor

Quarterly Reviews
No

Prepare/Distribute Meeting Minutes

Proceed with Yes Program

MDA Decision Proceed w/o Cert?

Prepare Certification Letter

Guidance on safety Action items Safety Appraisal

Certification Review?
No Yes

No

End

Yes

AFSRB satisfied w/design?

Prior to MS B Initial Certification Prior to MS C Interim Certification Prior to MR Final Certification

Types of Testing

Tests that simulate anticipated manufacturing, logistic and tactical usage environments

Tests that exceed anticipated storage, transport and operational Fuze level tests
System and component level tests Test types depend upon the fuze/ammunition/weapon
Some system level tests can substitute for some fuze level tests

HAPPY 60th BIRTHDAY TO MIL-STD-331!!! First issued in 1951

Typical Tests & Quantities

AOP-20/MIL-STD-331 Fuze Level Tests Environmental Design

Jolt Jumble 1.5m Drop Salt Fog Temp/Humidity Extreme Temp Storage Thermal Shock Trans Vib & Secured Cargo E3

Out of Line Safety Minimum Arming Explosive Component Safety

Sequential testing is required by STANAG 4157, to demonstrate robustness against expected and typical life-cycle environments

New FESWG Fuze Qualification Guideline specifies tests and quantities

GENERIC GUIDELINES

Generic Guidelines
Limit use of safety critical software
Raw data from guidance sensors (i. e., accelerometers) should be passed along to fuze logic devices for processing. This can be sent thru guidance computer, as long as data is not modified by this computer. If processed in guidance computer, this becomes safety critical (it is expensive and cumbersome to safety certify guidance logic devices) Having raw data processed by fuze logic is not considered cost driver or design complication

If using more than one logic device, should strive to implement in such a manner that only one is safety critical

Preference is always to have separate environmental and guidance sensors BIT Checks: AFSRB prefers that these be limited to continuity checks only does not support exercising of safety features or powering up of logic beyond what is needed to verify continuity

Generic Guidelines Safety Features

Must be independent:

Independent means that the failure or subversion of one safety feature does not affect performance of the other safety feature(s)
Also means they must sense different environments (i.e., velocity and acceleration are not different) Two physically independent setback locks would not be allowed (exception: multi-stage rockets or missiles where separate G-T profiles are gated with an interstagial time window) Must be, where possible, environments instead of events that occur in munition or signals derived from events. Events include reaching apogee, generation of good guidance signals, umbilical disconnect, deployment of control surfaces, firing of side thrusters, etc. If events are used where a second environment is difficult at best to sense, they should be gated with some logic associated with the event (i. e., time window)

Generic Guidelines

Safe Separation For the AFSRB: Safe Separation is defined as the distance from the munition to the launch crew where there is a 1x10-4 probability of the crew taking a hit from a fragment that has a 50% chance of breaking exposed skin Is based on munition fragmentation pattern and has nothing to do with fuze functioning

Is different than Safe Escape for an aircraft, the fuze arming distance, and the minimum engagement distance

ESA DESIGN GUIDELINES

ESA Design Guidelines

With STANAG 4187 Ed 4, three switches (energy breaks) are now mandatory: two static and one dynamic

No single environment or event signal can be used to enable more than one static switch
Multiple signals can be used to enable more than one static switch The circuit which controls operation of the arming switches shall be physically partitioned into at least two elements, none of which are capable (by virtue of circuit architecture and partitioning, not element design) of independently arming the system. The functional partitioning shall be immune to being bypassed by electrical, mechanical, and thermal environmental hazards.

ESA Design Guidelines

A second safety feature (static switch) shall not be configured as the mechanical equivalent of a lock on a lock.
Dynamic Switch

The circuit driving the dynamic switch shall be designed so that any failure modes of that circuit should not lead to a situation where the switch defaults to a gated fixed frequency free running oscillator
System clocks operating at frequencies that may drive the dynamic switch are not allowed to be part of the S&A design

The dynamic arming switch, when configured as an integral part of the high voltage converter, should be so configured that any static failures disable the converter.

COMMAND-ARM FUZING

COMMAND ARM FUZING

New capability driving fuze designs for use in urban combat environments, and to defeat enemy positioned behind obstacles Has become a more common fuze architecture Primarily medium caliber is really implemented as command arming + functioning of a fuze Need precise bursting point due to relatively small warhead footprint, or to defeat target Probably will be firing over the heads of friendly forces

COMMAND ARM FUZING CONT

Requires capability of air bursting anywhere along the projectiles trajectory beyond minimum engagement Minimum engagement distance can be within safe separation distance Target distance/setting info input to fuze via fire control system Preference is to protect friendly troops along trajectory and/or near target to the greatest degree possible Some traditional fuze solutions either not accurate enough or did not provide overhead safety

COMMAND ARM FUZING CONT

Preferred solution is to incorporate an approach where fuze is arm-enabled by sensing launch environments and then command armed/functioned at burst point. For final arming, preferred approach is to release interrupter with stored energy device and use available flight environments to move interrupter into armed position. The AFSRB accepted the use of a piston actuator to move the interrupter into the armed condition, after the interrupter had been unlocked. The piston actuator defeats a shear tab that acts as a safety feature in the form of a blocking device.

COMMAND ARM FUZING CONT

In the absence of a spin lock, the use of a piston actuator overcoming a shear tab violates a tenant and an objective of the safety standards:
Dual safety shear tab is a block, not a lock

Use of stored energy in arming of the interrupter

The acceptance by the Board was based on: Rigorous testing of the shear tab, to include jolt and jumble with the setback lock missing Historical evidence that piston actuators of this type do not fail by pre-firing without the correct signals and power

COMMAND ARM FUZING CONT

The setback lock would prevent shearing of the tab and keep the interrupter safe if the P/A pre-fired with setback lock in place

That under any credible environmental mishap or other accident at least two safety feature failures would be required in order for the interrupter to be released That testing to AOP-20/MIL-STD-331 environments indicated no safety issues

COMMAND ARM FUZING CONT

Challenge to the fuze community:

Is there a better way to do this?

ORIGIN OF THE 500 VOLT REQUIREMENT

ORIGIN OF THE 500 VOLTS REQUIREMENT

MIL-STD-332 (MUCOM) 14 May 1969:

Paragraph 5.1.3.2 When the explosive train does not contain primary explosives, (e.g. EBW), interruption, shielding, and other protection, the initiation system must be designed to provide at least the same degree of fuze safety obtained with an interrupted train employing primary explosives. MIL-STD-1316 (Navy) 16 June 1967:

Paragraph 5.1.3
Electric initiators in-line Electric initiators in-line (i.e., not followed by explosive train interruption) shall not be used in fuzes even though explosives employed are those listed in 5.1.2.

ORIGIN OF THE 500 VOLTS REQUIREMENT

MIL-STD-1316A (17 September 1970)

4.2 Initiators in-line. - Initiators in-line (i.e., not followed by explosive train interruption) shall not be used in fuzes, except as allowed by paragraph 4.2.2 below, even though explosives employed are those listed in 4.1.2. Where electrical type initiators or detonators are employed, a positive means (e.g., shorting or switching) of preventing fuze detonation prior to fuze arming shall be provided. 4.2.1 When the explosive train does not contain primary explosives (e.g. Exploding Bridgewire (EBW) per MIL-I-23659), and has no provision for interruption, shielding, and other protection, then the initiation system shall be designed to provide at least the same degree of fuze safety, including a mechanical interruption in the electrical circuit, as is obtained with an interrupted train employing primary explosives.

ORIGIN OF THE 500 VOLTS REQUIREMENT

MIL-STD-1316A (17 September 1970)

4.2.2 EBW Devices. Exploding bridgewire (EBW) devices may be used may be used without subsequent explosive train interruption if the following conditions are met:
a. The explosive initiated by the exploding wire is an explosive listed in 4.1.2.

b. The arming and triggering signals for initiating the EBW device are switched by two independent features requiring independent sources of energy from an environmental force for operation.
c. One of the mechanisms in (b) above shall derive its energy from an environmental force after launch.

d. The sensitivity of the EBW device to electrical initiation is not greater than Group B per MIL-I23659. The device cannot be initiated by any electrical signal at a peak potential of 500 volts, nor can a 500 volt discharge, especially from the firing circuit capacitor, initiate the device.

ORIGIN OF THE 500 VOLTS REQUIREMENT

MIL-STD-1316B (15 February 1977)

Eliminated Non-Interrupted Explosive Train discussion from the requirement sections Paragraph 7.2 In-Line Explosive Systems (in the NOTES section):
The use of an in-line explosive system which does not meet the requirements of explosive train interruption, may be necessary or very desirable for future systems to simplify an otherwise overly complex system or to solve a unique set of safing, arming and firing requirements. For in-line systems, the basic safety requirements and the methodology for demonstrating that an acceptable level of safety is achieved, HAVE NOT BEEN ESTABLISHED.

If in a future weapon, an in-line explosive is the preferred approach, the development of the system will include the establishment of safety requirements and procedures for demonstrating that the required safety is achieved. The following is a list of some of the major conditions which should be met if an in-line system is developed.

ORIGIN OF THE 500 VOLTS REQUIREMENT

MIL-STD-1316C (3 January 1984)

Paragraph 4.3.4 Non-interrupted explosive train control. When the
explosive train contains only those explosive materials allowed by 4.3.1, no explosive train interruption is required. One of the following methods of controlling function energy shall be employed to preclude arming before safe separation. Additionally, the fuze design shall include positive means to prevent the fuze from being assembled without its energy control feature(s). The combined probability of having minimum function energy in the fuze, having a failure of the energy control feature(s) and firing the initiator with minimum function energy must be compatible with the specified fuze safety system failure rate (see 4.6).
a. For fuzes containing minimum non-electrical function energy prior to safe separation, at least one energy interrupter directly and mechanically locked in the safe position by at least two independent safety features shall prevent the flow of energy to the initiator. b. For fuzes containing minimum electrical function energy prior to safe separation, at least two energy interrupters directly and mechanically locked in the safe position, each by an independent safety feature, shall prevent the flow of energy to the initiator. c. For systems using techniques for accumulating functioning energy from the post-launch environment, the fuze shall not permit any functioning energy to reach the initiator until verification, by the fuze, of a proper launch, and attainment of a safe separation distance. Additionally, any energy of the type required to function the initiator which exists in the fuze prior to safe separation shall be less than the minimum function energy.

ORIGIN OF THE 500 VOLTS REQUIREMENT

MIL-STD-1316C (3 January 1984)

4.3.5 Electrical sensitivity. The initiator for an electrically fired noninterrupted explosive train shall meet the characteristics listed for Class B initiators of MIL-I-23659. The initiator shall not be capable of being functioned by any electrical signal at a potential of less than 500 volts. Electromagnetic emission sensitivity and susceptibility of the fuze shall not create a hazard. The requirements of MIL-STD-461 (and DOD-STD-1463 for the Army) shall apply.

More severe requirement than MIL-STD-1316A Based on experience with EBWs?

ORIGIN OF THE 500 VOLTS REQUIREMENT

MIL-STD-1316D (9 April 1991)

5.3.4.1 Electrical initiator sensitivity. The initiator for an electrically fired non-interrupted explosive train shall:
a. Meet the characteristics listed for Class B initiators of MIL-I-23659. b. Not exhibit unsafe degradation when tested in accordance with MIL-STD1512. c. Not be capable of being detonated by any electrical potential of less than 500 volts. d. Not be capable of being initiated by any electrical potential of less than 500 volts, when applied to any accessible part of the fuzing system after installation into the munition or any munition subsystem.

More severe requirement than MIL-STD-1316C

ORIGIN OF THE 500 VOLTS REQUIREMENT

Believe intent was to prevent use of EBW initiators inline with secondary explosives.
Due to low voltage sensitivity of these types of initiators.

But, why 500?

Believe nothing to do with 400 VDC available shipboard, as has been suggested. Lowest voltage everyone present could agree to. Should the 500 V requirement be left unchanged?

ORIGIN OF THE 500 VOLTS REQUIREMENT

Should the 500 V requirement be changed?

To what? No compelling argument to change it

Precedent to change it again

Need a threshold If changed, no longer a threshold, but a variable

MIL-STD-1316F & STANAG 4187 Ed 4

MIL-STD-1316F

In Tri-Service Approval process Will now be a supplement to STANAG 4187 Edition 4

Will now have a dual-standard system for safety design guidelines

Intend to brief at next years conference Both documents will be available on ASSIST

Similar situation for:

STANAG 4497 Edition 2 and MIL-STD-1911B STANAG 4368 Edition 3 and MIL-STD-1901B

AFSRB Guidelines

New version of Guidance for AFSRB Safety Certifications, dated April 2011 For copies, contact:
Chris Janow at: [email protected] 973-724-5438

Summary

AFSRB staffed for and focused on providing the safest fuzes for our Warfighters AFSRB is a Gatekeeper group that provides safety reviews of products going to the field Ultimately, safety is the responsibility of the MDA, the PM and the Project Team The AFSRB will work with the Project Team to assure safety is achieved The AFSRB will be integral part of joint weapon systems safety reviews

Summary

Command Arm fuzing is becoming a common type of fuze architecture Cant figure out a way to meet requirements without the use of a stored energy device AFSRB has accepted concept of using a piston actuator to overcome a blocking type of safety feature in these designs in order to provide overhead safety

Origin of the 500 volt requirement as a threshold used to prevent use of EBWs
Do not think it should be modified Contact Info: Chris Janow

973-724-5438 [email protected]