Advantages of Heritage Atlas Systems for Human Spaceflight

Similar documents
Assessing Compliance with United States Government Orbital Debris Mitigation Guidelines

Role of Simulation Assisted Risk Assessment in Abort Trigger Recommendations

2017 LOCKHEED MARTIN CORPORATION. ALL RIGHTS RESERVED

Probability Risk Assessment Methodology Usage on Space Robotics for Free Flyer Capture

Launch Vehicle Performance Estimation:

Feasibility of Developing a Refrigerant-Based Propulsion System for Small Spacecraft

Notes on Risk Analysis

Active Control of Vapor Pressurization (VaPak) Systems

Engineering Risk Assessment of Space Thruster Challenge Problem

Altair Constellation Returns Humans to the Moon

Gravity Probe-B System Reliability Plan

HIGH WIND PRA DEVELOPMENT AND LESSONS LEARNED FROM IMPLEMENTATION Artur Mironenko and Nicholas Lovelace

Reliability and Crew Safety Assessment for a Solid Rocket Booster/J-2S Launcher

ADDRESSING UNIQUENESS AND UNISON OF RELIABILITY AND SAFETY FOR BETTER INTEGRATION

AC : MEASUREMENT OF HYDROGEN IN HELIUM FLOW

Motion and Flow Controls for Space Systems RELIABILITY WITHOUT COMPROMISE

OIL & GAS. MTS DP Committee. Workshop in Singapore Session 4 Day 2. Unwanted Thrust

E. MENDOZA, C. KEMPEN, Y. ESTERKIN, S. SUN, K. SUSKO and J. GOGLIA

DATA ITEM DESCRIPTION Title: Failure Modes, Effects, and Criticality Analysis Report

Robotic On-Orbit Satellite Servicing: One Size Does Not Fit All

Fail Operational Controls for an Independent Metering Valve

PEAPOD. Pneumatically Energized Auto-throttled Pump Operated for a Developmental Upperstage. Test Readiness Review

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

The Quarter Pounder A Vehicle to Launch Quarter Pound Payloads to Low Earth Orbit

WARM GAS PROPULSION FOR SMALL SATELLITES. J. R. French Propulsion Development Associates, Inc. ~1AlN HOUSING CATALY5THOUSP.\G C AT.

Employ The Risk Management Process During Mission Planning

NanoRacks/Quad-M Rideshare Overview. Michael D. Johnson 10/12/2016

RESULTS SUMMARY. APU risk reduction post STS-9 (re-design) Orbiter flight software using OI-7

TAKEOFF & LANDING IN ICING CONDITIONS

Preliminary Cost Analysis MARYLAND. Cost Sources Vehicle-level Costing Heuristics Applications Learning Curves Program-Level Analysis

Landsat 8's Emergency RMM

2600T Series Pressure Transmitters Plugged Impulse Line Detection Diagnostic. Pressure Measurement Engineered solutions for all applications

Development of Xenon feed system for a 300-W Hall-Thruster

Federal Aviation Administration Safety & Human Factors Analysis of a Wake Vortex Mitigation Display System

USA Space Debris Environment, Operations, and Policy Updates

The Integrated Risk Acceptance Approach for Return To Flight

FLIGHT TEST RISK ASSESSMENT THREE FLAGS METHOD

Review and Assessment of Engineering Factors

Ch.5 Reliability System Modeling.

Helicopter Safety Recommendation Summary for Small Operators

A quantitative software testing method for hardware and software integrated systems in safety critical applications

Next Generation Life Support (NGLS): Variable Oxygen Regulator Element

IAC-06-D4.1.2 CORRELATIONS BETWEEN CEV AND PLANETARY SURFACE SYSTEMS ARCHITECTURE PLANNING Larry Bell

RICK FAUSEL, BUSINESS DEVELOPMENT ENGINEER TURBOMACHINERY CONTROL SYSTEM DESIGN OBJECTIVES

CNS In-Pool Assembly Mechanical Design for OYSTER Project

Impact on People. A minor injury with no permanent health damage

Modelling Today for the Future. Advanced Modelling Control Techniques

Space Launchers. Cryogenic, gas-related equipment and engineering solutions for launchers and launch pads infrastructures

PI MODERN RELIABILITY TECHNIQUES OBJECTIVES. 5.1 Describe each of the following reliability assessment techniques by:

DeZURIK. KGC Cast Knife Gate Valve. Safety Manual

Ranger Walking Initiation Stephanie Schneider 5/15/2012 Final Report for Cornell Ranger Research

WATER ROCK. Lawndart The rocket goes straight up and comes down nose first at high speed. Disadvantages

Comparison of Methods and Devices for High Pressure Vessel Passivation B. Zitouni (1), L. Denies (1),M. Peukert (1)

DeZURIK. KSV Knife Gate Valve. Safety Manual

Test Flights of the Revised ULDB Design

SP2012_ Study of Electronic Pressure Regulator for Telecommunications Satellite Applications

Risk Management. Definitions. Principles of Risk Management. Types of Risk

Technical Standards and Legislation: Risk Based Inspection. Presenter: Pierre Swart

Simplicity to Control Complexity. Based on Slides by Professor Lui Sha

Phase B: Parameter Level Design

DEPARTMENT OF THE NAVY NAVAL AIR SYSTEMS COMMAND RADM WILLIAM A. MOFFEIT BUILDING BUSE ROAD, BLDG 2272 PATUXENT RIVER, MARYLAND,

Fuel for the Fire. Name Student Activity. Open the TI-Nspire document Fuel for the Fire.tns.

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

Complex operations on the International Space Station training and execution in manned and unmanned situations

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

TRI LOK SAFETY MANUAL TRI LOK TRIPLE OFFSET BUTTERFLY VALVE. The High Performance Company

Accelerate Your Riverbed SteelHead Deployment and Time to Value

This manual provides necessary requirements for meeting the IEC or IEC functional safety standards.

Drilling Efficiency Utilizing Coriolis Flow Technology

POWER Quantifying Correction Curve Uncertainty Through Empirical Methods

Load Responsive Multilayer Insulation Performance Testing

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

Proof of concept of a Bio-Containment System for Mars Sample Return Mission

Development of a Back Pressure Valve for the Spacesuit Water Membrane Evaporator (SWME)

RocketSat V: AirCore. 4/18/09 Symposium Jessica (JB) Brown Mackenzie Miller Emily Logan Steven Ramm. Colorado Space Grant Consortium RocketSat V 1

Vestas Cold Climate Solutions and next stepsclimate Offerings

Roger D. Launius National Air and Space Museum Smithsonian Institution Washington, D.C.

Vibration-Free Joule-Thomson Cryocoolers for Distributed Microcooling

Active Propellant Management

Enbridge Pipelines Inc. PIPELINE INTEGRITY AXIAL CRACK THREAT ASSESSMENT

Hazard analysis. István Majzik Budapest University of Technology and Economics Dept. of Measurement and Information Systems

Industrial Explosion Protection How Safe is your Process?

Risk Management Series Article 8: Risk Control

ZIN Technologies PHi Engineering Support. PHi-RPT CFD Analysis of Large Bubble Mixing. June 26, 2006

Ballistics and Trajectory

Ballistics and Trajectory

1309 Hazard Assessment Fundamentals

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Using STPA in the Design of a new Manned Spacecraft

The Scrum Guide. The Definitive Guide to Scrum: The Rules of the Game. July Developed and sustained by Ken Schwaber and Jeff Sutherland

Surrogate UAV Approach and Landing Testing Improving Flight Test Efficiency and Safety

Dynamic Positioning Control Augmentation for Jack-up Vessels

LFE OEM TCD - Thermal Conductivity Detector

Safety-Critical Systems

Design Review Agenda

(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis

Understanding safety life cycles

Selecting Maintenance Tactics Section 4

IMPROVED XENON LOADING EQUIPMENT WITH LOADING CAPACITY UP TO 1200 KG FOR ALPHABUS

(Dynamic Positioning System (DPS) Risk Analysis Using Probabilistic Risk Assessment (PRA))

Transcription:

Advantages of Heritage Atlas Systems for Human Spaceflight Pollard, L. J. 1 and Tribbett, E. J. 2 United Launch Alliance, Littleton, CO, 80112 The current Atlas V launch vehicle has been developed through evolutionary enhancements to heritage vehicles dating to the 1960s. By building on previous configurations and blending advanced and proven technologies, Atlas V has achieved 100% mission success. NASA s commercial crew development (CCDev) program provides an opportunity to bring this established approach into the arena of crewed spaceflight. In contrast to designing a new launch vehicle, evolving a heritage vehicle requires that we develop a method to meet emerging requirements with flight-proven systems or components. Assessing potential changes involves weighing the understood benefits of a mature design against the perceived advantages of a new design. This process can be complicated by immature requirements, difficulty in quantifying the relative reliability of new and heritage hardware, and complication in identifying and evaluating all potential system-level impacts due to the change. The advantages of heritage systems, however, outweigh these challenges as illustrated with specific examples. CCDev DER EDS ICBM LH 2 LO 2 NASA PRA ULA Nomenclature = commercial crew development = design equivalency review = emergency detection system = intercontinental ballistic missile = liquid hydrogen = liquid oxygen = National Aeronautics and Space Administration = probabilistic risk assessment = United Launch Alliance I. Introduction he Atlas launch vehicle was developed as weapon system in the 1950s. These vehicles served the nation as a T rapid response to a perceived or actual intercontinental ballistic missile (ICBM) attack. The mission plans for these vehicles were simple; trajectories were ballistic, the re-entry vehicles had no propulsion system, and mission durations were short. As the nation moved from liquid-propellant intercontinental ballistic missiles to solid-propellant intercontinental ballistic missiles, opportunities became available for converted ICBMs in launch services and space exploration. Modifications were necessary to the missile hardware to convert them to launch vehicles in order to complete their primary mission objectives. Additional development programs were required to understand the vehicles and potential upgrades that were required. As an example, in the early 1960s, the Apollo program was committed to using liquid hydrogen (LH 2 ) as an upper stage propellant. The Centaur upper stage rocket was tasked with pioneering the use of LH 2 as a rocket propellant 1. The first flight was not successful and led to criticism of the feasibility of LH 2 as a rocket fuel. Despite this criticism and early technical failures, Centaur was developed into a successful launch vehicle. Over fifty years, the Atlas and Centaur vehicles have developed through this type of evolutionary enhancement. The vehicles capacity has grown to accommodate new requirements from satellite operators. As these vehicles have 1 Senior Analytical Engineer, Propulsion Systems PDT, PO Box 277005 Mail Stop B3300 2 Senior Analytical Engineer, Propulsion Systems PDT, PO Box 277005 Mail Stop B3300 1

matured, component-level reliability and safety have increased. This reliability increase has resulted from a wealth of acquired flight data. This, in turn, provides the basis for a highly reliable flight system based on flight data rather than paper estimates. The systems are now well characterized - the family of data for nominal and dispersed operating conditions is compared with previous flights. Analyses after each flight are used to scrutinize and refine system operating characteristics to enable ready identification of off nominal conditions. The current configurations of Atlas V have achieved 100% mission success launching critical national security assets, science, and valuable commercial space vehicles. Now, just as their predecessors, these vehicles are positioned to serve the nation in another capacity; crewed space launch. II. Considerations The Atlas V configurations that are currently flying have amassed an impressive flight success rate. Evolutionary upgrades have added redundancy to many of the hardware components to ensure reliability and protect expensive payloads. The requirements for launching valuable high profile United States government payloads go a long way to meeting requirements for crewed missions. Much of the current crewed flight safety requirements were developed through decades and over several crewed space flight programs. Safety requirements for crewed flight are currently being developed for the CCDev program. In 2010, United Launch Alliance (ULA) started an effort to identify potential crew hazards and to develop an Emergency Detection System 2 (EDS) to command a crew abort if a hazard is detected. In 2011, a design equivalency review (DER) is taking place to review the compliance of the existing Atlas vehicle design to NASA s emerging 1130 requirements document for crewed spaceflight certification 3. The benefits of attempting to meet new requirements with major design changes that do not have flight history are offset by several factors. First, any benefits of a new design may adversely impact the mature reliability of the current propulsion system. Second, potential system-level interactions that are well analyzed, understood, and mitigated may not be as well behaved when modified. The propulsion systems on these vehicles have demonstrated flight reliability, and the existing design has the proper level of redundancy to perform crewed missions. The key to a safe mission is determining how to use the flight proven designs and characterized system performance as a means of setting Emergency Detection System (EDS) monitoring points and levels. Additionally, the heritage of the Atlas V helps determine which failures are credible and which failures can be monitored at higher levels even though they might be non-credible. A flight proven, well-characterized launch vehicle, with a welldesigned EDS can be safer and more reliable than redesigning a flight proven vehicle and destroying the family of data from decades of flight. III. Heritage Propulsion System Advantages The Atlas V has been providing safe and successful launch services for nearly a decade. The Atlas V launch vehicle has evolved over decades from preceeding Atlas vehicles used to fly the manned Mercury missions. During the 2010 CCDev effort, the task of identifying the failure scenarios that pose potential hazards to crew safety was completed at the system and subsystems levels. The EDS development objective was to detect and issue an abort on failures that may generate a crew hazard. This paper examines example scenarios that have been divided into three categories; a single point failure, a secondary failure, and a multiple failure scenario. A single point failure is when a non-redundant propulsion component failure results in a hazard that directly endangers the crew. A related failure that may occur as the result of a primary failure is considered a secondary failure. Multiple failure scenarios require several independent failures to occur before the crew hazard is realized, which are not considered credible. Demonstrated reliability and emergency monitoring decisions are considered for each of these crew hazard types. Some examples of having a significant amount of flight data to provide confidence in the as designed system follow each of these may or may not be considered credible failures, but in each case, there is a significant amount of flight history to validate the approach to minimizing risk to the crew. In each case, evaluations have shown that modifications are not required and that the existing design is appropriate. A. Propellant Tank Pressure Sense-line Single Point Failure Crew Hazard A simple example of a single point failure is failure of a propellant tank pressure sense-line, used as part of the control system. While in all cases, the sensors that monitor tank pressure are triple redundant, they share a common sense-line While this failure is not considered credible for several reasons to be explained below, a sense line failure would cause tank pressure to be off nominal, and would be a slow developing situation that would be monitored by the ground crew as well as the EDS. In this case, an abort would be issued using higher level corroborating parameters. 2

Any potential failure of the common pressure sense-line for each tank is an example of a single point failure that could lead to loss of active pressure control. The Atlas and Centaur vehicles use similar designs in sensing pressures in each of the cryogenic propellant tanks. Each tank uses a single pressure sense-line for three redundant pressure transducers that monitor the tank pressure. Three pressure transducers that provide redundancy for the transducers themselves receive pressure data from the single sense-line, which is then interpreted by the vehicle software. Since a single sense-line is used for all three pressure transducers, it may be considered a single point failure for the tank pressurization system. To varying extents, all launch vehicles including both the Atlas and Centaur require tank pressure to maintain structural stability during flight (particularly for reacting loads during boost phase). The pressure sense-line designs on the Atlas and Centaur vehicles are robust and designed to the appropriate design margins and factors of safety. The component has never failed or ever been implicated in an anomaly, over a long Atlas flight history, including previous versions of the vehicle. Additionally, the sense-lines are considered structural in nature. That is, they are designed and tested, with margin, to the expected environments. They are akin to engine feed-lines and other structural components, which do not require redundancy. It is desirable to maintain a highly-reliable, flight-proven design rather than redesign the system and introduce new uncertainties with the new design. In relation to potential single point failures in the pressurization systems, addition of the EDS to the Atlas V vehicle provides another means to ensure proper function of pressure control. Atlas and Centaur propellant tank pressures will be monitored by the EDS. Evaluation of any discrepancy in the pressurization control of the tanks will be flagged by the EDS and the mission control crew, and an abort issued if required. By monitoring in this manner, both primary and secondary pressure control issues are mitigated. B. Maintaining Structural Limits Increased Risk of Secondary Failure Crew Hazard An example of a secondary failure mode that was postulated is maintaining structural limits when nominal propellant tank pressure profiles are compromised. The failure scenario examined assumes a failure of the pressurization system, in addition to a secondary failure of a tank leak. During the ascent phase of flight, venting or pressurizing during certain critical times is necessary to react vehicle loads. Depending on the time of flight, structural limits need to be protected with active pressurization and venting. Normal flight design precludes venting the Centaur liquid hydrogen tank, using either of two vent valves, during ascent until any potential structural limit interference is mitigated. Concern for structural limit violation is mitigated under nominal conditions. However, if a single, independent failure impacts pressurization control, the result may have a secondary effect where structural limits may be compromised. It should be noted that this type of multiple failure scenario has not occurred on Atlas Centaur since the vehicle was flight proven over the decades of flight history. Requirements for design of structural limits for crewed vehicles are designed using tried and true methods over hundreds of missions. In this scenario, the primary failure has caused a significant decrease in propellant tank pressure. Mitigation for this hazard is inherent in the pressure control design of the tanks. The pressurization and venting levels are designed to protect the structural limits under nominal and dispersed flight environment conditions. Tank pressures are controlled to reside within a predetermined pressure envelope. The pressure envelope provides margin to the structural limits of the vehicle. Additionally the valve module design of series / parallel redundant valve modules allows two levels of pressurization control that would help to control and mitigate the first failure occurrence. A crew hazard resulting from a tank leak as a secondary failure, as an example, has significant implications. Abrupt decrease in tank pressure, when venting is not expected to occur, is an obvious indication that a significant leak path and potential hazard exists. Minor leaks across the vent valves (or other minor external leaks) or other thermodynamic effects that may reduce the magnitude of tank pressure rise may be within the pressure rise dispersion. In this case, the risk to structural limits may be undetectable and not deemed critical to abort monitoring software. However, if tank pressures violate the dispersed pressure envelope, action may be required. The addition of the EDS to monitor the pressurization control of the propellant tanks on Atlas and Centaur add the critical layer of protection for this type of failure. Under an unlikely condition where the tank pressure loss is not corrected by the pressurization system, EDS will monitor and interpret this data and provide feedback. The EDS will take corrective action if the pressure envelope is violated but prior to structural failure. C. Pressurization Valves Multiple (Independent) Failure Crew Hazard While the previous examples identify single point failures in the pressurization system, great care has been taken to ensure hardware redundancy in the pressurization system components considered most likely to experience a failure the pressurization valves themselves. Centaur tanks have series / parallel redundant valve modules (quadpacks). Atlas tanks have three and four series-redundant pressurization branches in the fuel and LO2 tanks 3

respectively. The valves are powered and commanded independently by the avionics system. Mission specific analyses are done to ensure that, in no case, can a single valve failure lead to an over or under pressure condition in the tank. Additionally, unlike the structural limit example given above, a single valve failure does not increase the likelihood of experiencing any secondary failure. To adversely impact tank pressures, two (and in most cases more) truly independent valve failures are required. In this case, requirements for hardware redundancy are satisfied at issue is the requirement to provide hazard monitoring and abort capability should this hazard be monitored for at all? Although spacecraft down-select and subsequent integration remain in the future, one envisions abort systems designed with sufficient thrust to escape explosions or still burning boosters. Employing any such system includes its own, non-negligible, risk to crew safety. Philosophically, EDS should only monitor for a crew hazard if the likelihood of the hazard occurring is greater than the likelihood of it causing a false abort that could lead to injury to the crew. While this is easily understood in concept, implementation proves challenging. As part of its 2011 effort, United Launch Alliance has taken on performance of a Probabilistic Risk Assessment (PRA). An understanding of failure mechanisms and the ability to lay out the logic tree leading to a crew hazard (population of events with various AND-gates and OR-gates) is within the ability of any launch vehicle provider. The great deal of launch history possessed by ULA, however, puts it in a unique position when it comes to populating probabilities for various failures and failure propagation events. Given the high reliability of most components, probabilities are difficult to calculate and PRA results can vary widely. Probabilities of pressurization valve failures provide an excellent example. A new vehicle or one with little flight experience would have to rely on purely analytical predictions. ULA, however, has a wealth of data available. The current Centaur pressurization valves were first implemented on Centaur II in the 1980s. Each vehicle since then has flown twelve valves a quad-pack for the LO2 tank, a helium pressurization quad-pack for the LH2 tank, and an autogenous pressurization quad-pack for the LH2 tank. While the Atlas booster pressurization valves are new on Atlas V, they are the product of the lessons learned over a much longer time. Each Atlas V flies 14 pressurization valves three fuel pressurization branches and four LO2 pressurization branches with two valves each. Each of these valves comes with acceptance test data and those utilized in flight provide additional flight data. This wealth of data is indicative of what is available for the great majority of Atlas V components. Any PRA process will involve some estimation of probabilities. Minimizing this however will allow ULA to come up with reliable probabilities on which to base risk decisions. IV. Conclusion NASA and all of its commercial partners place crew safety above all else and will make conservative decisions in the direction of protecting human life. When developing an EDS, however, one is faced with decisions for which the decision to elect conservative parameters has to be weighed against the potential for a false abort., i.e. setting parameters to trigger too slow may result in not issuing an abort while monitoring for an important crew hazard. Setting the parameters to trigger too quickly may result in an unnecessary abort while monitoring for a non-credible hazard. It should be kept in mind that using the abort system is not risk free. While all commercial companies are motivated to make decisions to maximize crew safety, United Launch Alliance, given its extensive flight experience, is uniquely suited to truly achieve this. The United Launch Alliance Atlas V has been successfully placing satellites in orbit since 2002 using vehicles and technologies that have been evolved and optimized for mission success over many decades. ULA is currently prepared to bring the resulting high-level of safety and reliable performance to the arena of crewed spaceflight. The first two examples show the types of decisions that must be made relative to potential failure points in the current vehicles. To continue its impressive track record of mission success, ULA must actively seek out opportunities to demonstrate safe vehicle design while being careful not to compromise flight-proven heritage designs. While the potential for crewed missions sharpens the safety and mission success focus even more, this is not especially different than the evolutionary approach ULA has long employed to improve its vehicles for United States government payloads. What is new is the fact that mission success is no longer the sole discriminator. The potential for a flight that fails to meet all of the mission requirements and returns the crew safely to Earth is a new mission which drives United Launch Alliance s development of an EDS. Despite the fact that this is a new task for ULA, it is equally helped by the experience gained over so many flights. Mitigating flight risks with an EDS requires an intimate understanding of those risks that can only come with experience. While there will be challenging reviews and 4

difficult decisions to be made before humans once again fly on an Atlas, United Launch Alliance is ready and uniquely positioned to ensure the highest level of safety as we move into the era of commercial crew transportation. References 1 Dawson, V. P., and Bowles, M. D., Taming Liquid Hydrogen: The Centaur Upper Stage Rocket 1958-2002, NASA SP- 2004-4230, 2004. 2 Holguin, M., Herbella, G., and Mingee, R., Commercial Crew Launch Emergency Detection System the Key Technology for Human Rating EELV, AIAA Space 2010 Conference & Exposition, AIAA, Washington, DC, 2010. 3 ISS Crew Transportation and Services Requirements Document, Commercial Crew Program, John F. Kennedy Space Center, CCT-REQ-1130, Draft 3.0, April 29, 2011. 5

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback