AIAA SPACE 2009 Conference & Exposition 14-17 September 2009, Pasadena, California AIAA 2009-6523 Enhancing Human Spaceflight Safety Through Spacecraft Survivability Engineering Meghan S. Buchanan 1 and Michael K. Saemisch 2 Lockheed Martin Space Systems, Denver, CO, 80203 These Lockheed Martin introduced an innovation entitled Spacecraft Survivability (SCS) Engineering to further the advancement of crew safety design techniques for implementation on the Orion CEV contract with NASA awarded in September of 2006. This innovation identified new potential for enhancing crew safety of the Orion vehicle through the adaptation of techniques pioneered for military aircraft survivability. The benefit of this approach became apparent in early applications as vehicle evolution trade studies were undertaken when new advantages of potential designs were identified through the study of design options through SCS and considered in the trade study decisions. Three years after the award, Spacecraft Vulnerability Reduction (SVR) has grown from a concept to an application. Where only System Reliability, Crew Survival and System Safety were applied, SVR brings further closure of gaps to prevent loss of life for potential mishap scenarios by complementing but not duplicating efforts in System Safety, Reliability, and Crew Survival and providing a more comprehensive design and assessment approach. This innovation has been embraced by the aircraft survivability world with recent developments for potential collaboration of efforts. These techniques must be developed and applied to space design, now, in order to support human missions to Mars. The example set by military aircraft programs teaches the road to developing and implementing a structured survivability program is long and could take decades to mature. Collaborative work has begun with the Naval Post Graduate College and NASA in efforts to gain expertise and expand what is traditionally done for spacecraft safety by applying new techniques to support design survivability decisions, drive designs through new survivability requirements, and measure the effectiveness of these techniques through a new system metric. This paper describes the program as envisioned and currently implemented, the achieved and projected benefits to the NASA project Orion, and insight into the future of Survivability and potential benefits beyond Orion to other human and uncrewed space applications where common concerns such as optimizing safety while minimizing weight are priority concerns. Work being performed now includes the Damage Modes and Effects Analysis (DMEA) and Methodology Document written for Spacecraft application, Emergency Return Mode application to affect design and operational scenario development, additional robustness to lowered fault tolerance systems, and program development. The DMEA follows the widely know Failure Modes and Effects Analysis (FMEA). Where the FMEA identifies the possible failures and hazards, the DMEA plays through the failures and analyzes the damage and its cascading events. To this day, safety requirements only look at the susceptibility: how likely is it to happen?, and design only to prevent occurrence to a certain level of reliability. SVR is the practice of assuming the hazard has occurred. What then? By identifying these vulnerabilities during the design phase, LM is able to create a safer spacecraft, while having positive impacts on budget and schedule. This paper will propose the potential future of survivability driven design to strengthen the synergy between aircraft and spacecraft as we prepare for the moon, Mars and beyond. 1 Spacecraft Survivability Engineer, LMSS Human Space Flight, Project Orion, PO Box 179 MS W3001 Denver, CO 80201 2 Manager SR&QA, LMSS Human Space Flight, Project Orion, PO Box 179 MS W3001 Denver, CO 80201 1 Copyright 2009 by the, Inc. All rights reserved.
I. The Need The Spacecraft Vulnerability Redundancy (SVR) concept was originally envisioned to complement the traditional methods of achieving System Safety by addressing the potential of reducing severity of a potential human spaceflight hazard (Ref. 1). This complemented the traditional approach documented in many requirements that only reduced the likelihood of occurrence through such measures as failure tolerance and then reacted to the hazard should they occur through removing the crew from mishaps should they occur (Ref. 2). It appeared these were an untapped potential to improve crew and system safety by applying techniques that might increase the probability of crew survival should a hazard occur even after the likelihood had been reduced. At the time of the inception of this idea, human rating requirements provided stringent requirements such as twofailure tolerance to prevent hazards that could result in loss of life (Ref. 3). That is, three independent failures would have to occur before a catastrophic mishap resulted. Such a blanket approach to requirements provided excellent assurance for system safety in many cases, but over the life of programs, process errors or other unforeseen events could still cause these controls to fail. Even with these stringent requirements, it was identified that there was a potential to optimize the design in meeting these requirements through SVR to achieve great system safety by analyzing and looking for opportunities for optimization and design choices within the design parameters. Additional separation of redundancy or layouts of equipment to establish natural barriers were examples seen as improving the safety of design without adding another layer of safety to further reduce the likelihood of occurrence. The latest NASA human rating requirements change the blanket approach. The desire to minimize weight to use smaller launch vehicles placed pressure on such blanket approaches to safety in favor of more risk-based decisions. This caused NASA to take a more engineered approach to establishing proper levels of safety. Minimum requirements were lowered, with the burden of establishing proper levels of safety left to the design organization (Ref. 2). Where two-failure tolerance was previously required as a minimum, single failure tolerance is now the minimum with the proper minimum level of failure tolerance to be determined through risk-based decision making. Multiple factors are to be considered in the determination of the proper levels of safety, and not just a numerical prediction of likelihood of occurrence with given design and operational controls. This is seen as another opportunity and need to implement SVR: SVR analysis could be used in the risk-based decision making process and provide additional supporting rationale for the decisions. Where lower levels of failure tolerance are considered, an understanding of susceptibility could be another factor for the risk-based decision. SVR becomes more critical with potentially reduced levels of safety. With fewer levels of failure tolerance, SVR could be looked upon as even more critical since a higher degree of reliance and susceptibility to common cause failures becomes even more important. II. The Survivability Triangle The Survivability of the crew is what drives spacecraft design. It makes sense to build a survivable vehicle to ensure the safe return of the astronauts. This extends to unmanned craft as well. With no crew involved, our priorities change to safe return of craft and mission completion. Spacecraft Survivability (SCS) applies to all space travel. Under the umbrella of SCS are three main branches: System Safety (Susceptibility), Spacecraft Vulnerability Reduction, and Crew Survival (recoverability). Aircraft Susceptibility is described as The inability of an aircraft to avoid the hostile environment. This translates into the tasks of Safety and Mission Assurance, which is avoiding the hazard or threat. Aircraft Recoverability is the capability of repair and crew response; Equivalent of Crew Survival and abort capability. What has been missing in spacecraft design is damage tolerance/absorption, Vulnerability Reduction. Aircraft Vulnerability is defined as The inability of an aircraft to withstand (the damage caused by the damage mechanisms in) the hostile environment. Spacecraft Vulnerability is now defined as The inability of a spacecraft to withstand (the hits by the damagecausing mechanisms created by) the naturally occurring and man-made hostile environments. These three attributes contribute to the total Spacecraft Survivability solution. Spacecraft survivability is the capability of a spacecraft to avoid, withstand or recover from hazardous and hostile environments. 2
This work recommends the reorganization of System Safety, Reliability and Maintainability, Quality Assurance, Spacecraft Vulnerability Reduction, and Crew Survival; all under the umbrella of Spacecraft Survivability. III. General Guidelines many of the survivability concepts developed for aircraft apply to spacecraft as well. Given the increasing importance of space based assets, it is mandatory that designers of space systems apply these concepts to reduce the susceptibility and vulnerability of current space systems as well as insure the survivability of future systems. Dr. Ball and Matt Kolleck, On-Orbit Reconstruction (Ref. 4) After the introduction to aircraft survivability, the initial concept of spacecraft survivability evolved for the Orion project. The concept involves the following essential elements: A. Threat Identification Aircraft vulnerability describes threats as damage-causing mechanisms created by the man-made hostile environment, whereas spacecraft survivability considers threats from damage-causing mechanisms that naturally occurring and self-induced man-made hostile environments (hazard occurrence) create. These threats range from system failures to penetration by micrometeoroids and orbital debris (MMOD). Threats consider such sample failures as leak, fire, process, penetration, overpressure, and operations error. Natural threats include expected events like MMOD penetration and expand to radiation, charged particles, weather, flora, and fauna. For the Damage Modes and Effects Analysis (DMEA), these threats are narrowed to a manageable number of three to five threats, taken from non-failure tolerant areas, critical areas under fault tolerance weight reduction, system safety top hazard list, FMEA results and back-up capability analysis. B. Design Assessment/Metric A Spacecraft Vulnerability Reduction (SVR) metric was established to measure quantitative survivability improvements resulting from vulnerability reduction design changes made during configuration changes. Each design change is scored with a derived approach. In the same manner that aircraft survivability began as a qualitative collection of opinion estimated by industry experts, the SVR metric is derived through discussions between the SR&QA and design team. SVR is the study of dealing with a bad day scenario that is, failure even though failure tolerance or design for minimum risk requirements compliance has been achieved. Using SVR application, the Orion design reduces spacecraft vulnerabilities, increasing the probability of crew survivability if a mishap does occur. Collaborative work has begun to quantify the metric through a standardized vulnerability rating. C. Damage Modes and Effects Analysis (DMEA) Derived from military standard 1629A (MIL-STD-1629A) (Ref. 5), the overall purpose of performing DMEA is to reveal damage modes and their effects to guide design, operations, and training for decreasing spacecraft vulnerability, therefore increasing spacecraft survivability, and to document an assessment of the Orion vehicle s overall vulnerability. During the preliminary and detailed design phases, the purpose of the DMEA is to derive design inputs and requirements for survivability and vulnerability and to support trade studies. The DMEA provides data related to damage caused by specified threat mechanisms, identified in the process to be described, and the effects on flight and mission-essential functions. Preliminary involvement aids the development of requirements to drive a more robust design (increasing effectiveness of current design), identify areas to trade (alternate solutions), and provide inputs to emergency modes design and training or other Orion areas as they are identified. For a spacecraft DMEA, threats are based on results from the safety analysis hazard reports and the reliability Failure Modes and Effects analysis (FMEA). The MIL- STD-1629A required Flight and Mission Essential Functions, Missions Phases, Damage Modes, Damage Effect Levels, and Spacecraft Loss (Kill) Levels (Attrition Loss, Return Loss, Mission Abort Loss, Landing Loss and Pad Abort Loss), have been adapted to what is appropriate for spacecraft. Note also that what is formally known as kill levels in aircraft are referred to as loss levels in spacecraft. Kill is indicative of a wartime situation, whereas as loss refers to a non-violent environment yet reserves a placeholder for future definition. To be effective in fulfilling its purpose, it is essential that the DMEA be kept current at all times with the design. The DMEA must also be consulted in the review of design changes. 3
The latest Orion DMEA analysis focused task on application to a new emergency backup system to test the concepts for potential wider application. This DMEA is searching for vulnerability holes not addressed by safety tolerance or emergency backup procedures to help define the minimum capabilities such a system should possess. The Orion program developed this team to identify key vulnerabilities and new LOM (loss of mission) ground rules. Through these efforts, Orion hopes to improve primary systems (added redundancy and reliability), integrate backup and contingency system design, and provide recommendations to address such vulnerabilities. Spacecraft Vulnerability Reduction complements system safety and backup and emergency capability. While LOC (loss of crew) requirements are met, LOM predictions show the design and/or operational scenarios need improvement. The DMEA process and SVR analysis aids this process. The DMEA has identified critical areas not addressed sufficiently by failure tolerance or backup contingency. Areas such as filters, O2 and N2 control, Remote Interface Unit (RIU) failures, software, MMOD, Active Thermal Control System (ATCS) pump failures and power needs further vulnerability analysis. The DMEA assumes the hazards and failures, identified by the backup and emergency contingency team, have occurred. These failures populate the Failure Mode and Causes cells of the DMEA matrix. From that, the Damage Modes (what caused it to fail) are identified. The damage modes are the collaboration of system specific designers, safety and mission assurance and heritage data. The DMEA follows through the cascading effects of damage to address all scenarios and all affected subsystems. The analysis identified potential vulnerabilities to aid in the on-going design team activities. This process is meant to tolerating the damage effects leading up accidents like Challenger and Columbia. Meeting failure tolerance or factor of safety requirements is achievable, but no system is risk free, so anticipating and designing to tolerate the effects of hazards enhances safety further than just attempting to prevent the occurrence of hazards. It is not possible to design a system or component with no chance of failure. Identifying the damage modes and effects allows insight into the worse case scenario and allows engineers to design in preparation for these events before they occur. The DMEA also aids the backup system design effort by assessing capabilities and limitations, rating the severity of damage, determine potential consequences and prioritize the importance of application. Those results, in turn, aid the cost/benefit analysis performed. All programs must find the most appropriate relationship between cost, schedule and weight. The DMEA will break down the vulnerability techniques needed to build a more survivable spacecraft. Cost to implement, time to apply and any weight impacts can be developed from the data. Current DMEA work is focusing on a top 20 Hazards list extracted from the vehicle hazard analysis. Uncovering these gaps gives the opportunity to develop requirements for the Orion and future spacecraft. D. Requirements Development From the initial assessments, an important task is the derivation and implementation of new design requirements that will drive increase crew survivability through application of SCS techniques, while living within the project constraints. Developing requirements and placing them into program specifications is the surest and most effective way to drive requirements into a program while minimizing impacts. Survivability features, if they can be defined up front in a programs life, would avoid impacts arising from design analysis and resulting design changes later. The designers (as well as management) are much more receptive to survivability and other requirements if they are given discrete and verifiable requirements. This presents a challenge in the SCS area since the concept revolves around using in-place design features and analyzing placements for optimum survivability, etc., which are not developed until after the design process starts. Historical aircraft survivability requirements, such as probabilities of kill, do not adapt well to the spacecraft model, since we are working to tolerate threats that cannot be well predicted or modeled (with some exceptions such as micrometeoroids and space debris in low earth orbit). Requirements worded such as design to minimize susceptibility of threats and maximize survivability are good general requirements, but are not verifiable as proper requirements should be. In the human spaceflight safety requirements world, there are general requirements that are intended to drive the most preferable approach to designing in safety and prevent hazards, known as the Hazard Reduction Protocol. One approach is to first enhance these general safety requirements to include survivability requirements (Ref. 6). The NASA Constellation hazard reduction order of precedence sequence is in line with historical system safety practices as follows: 1) Eliminate the Hazard 2) Design to Minimize Hazards 3) Incorporate Safety Devices 4) Provide Caution and Warning Devices 4
5) Develop and Implement Special Procedures (Ref. 7) The traditional approaches and current requirements specified to implement this hazard reduction protocol, if the hazard cannot be eliminated, focus on preventing the occurrence of the hazard. Design requirements and features such as failure tolerance and design for minimum risk all work towards providing measures that attempt to keep hazards from occurring. For project Orion, additional requirements are imposed to provide for crew survival should a hazard occur. Specifically, requirements now mandate the provision for crew safety through abort with a launch abort system (Ref. 2). As previously stated, the implementation of the SVR can enhance this traditional protocol by not just designing to minimize the occurrence of the hazard, and reacting should they occur, but also looks at the implemented hazard controls to address their vulnerabilities and enhance them through application of SVR. To that end, a proposed enhancement to the order of precedence implemented on Orion was derived (Ref. 7) as follows: 1) Eliminate the Hazard [no change] 2) Design to Minimize Hazards and address the vulnerabilities of the hazard controls 3) Incorporate Safety Devices and address the vulnerabilities of the devices 4) Provide Caution and Warning Devices and address the vulnerabilities 5) Develop and Implement Special Procedures [no change] This enhanced protocol forms the basis for establishing new requirements to drive design for the incorporation of features and trade study selection to enhance what is derived through the traditional hazard control approaches and requirements. A challenge remains to now develop more detailed SVR requirements, which represents a future study effort. An example is slowing down an oxygen leak from 20 minutes to 1 hour to allow the crew to don suits. Pushing back the damage, or better, withstanding the damage improves LOM and LOC numbers. Through Vulnerability Reduction Techniques, these numbers can be achieved and requirements created. Survivability as a design requirement (Ref. 8): Survivability is essential to effectiveness. It must be incorporated early into the design of spacecraft in order to maximize effectiveness and minimize design impact. Therefore, survivability must be a major consideration beginning with program inception and continuing throughout the acquisition process. Early in the process: identify all survivability enhancement features, their performance parameters, and their contribution to effectiveness and cost. Set the performance thresholds for the right amount of survivability. How much survivability is enough? Too low vs. too high All of the attributes listed earlier are important, but they all cannot be achieved at the highest level if the spacecraft is to be affordable. Something has to give. E. Vulnerability Reduction Techniques Under sub-contract, the Naval Post Graduate School is detailing the concepts of spacecraft susceptibility, vulnerability and recovery (note comparisons to system safety and crew survival above). The Survivability concepts for air and spacecraft are as follow: Susceptibility Reduction 1. Threat Prevention and Suppression - Component reliability - Hazard elimination/suppression 2. Threat Warning - Alarms, sensors, indication - Debris tracking, communications (MMOD, ISS) 3. Procedures and Training - Mission rules, emergency procedures, flight plans - Maintenance Man-made Hostile Environment (future application) 5
4. Signature Control - Radar, magnetic, thermal, visual, interference 5. Noise Jamming and Deceiving 6. Expendables Vulnerability Reduction 1. Component Shielding - Component and spacecraft shielding (radiation/projectiles/cascading effects) 2. Component Redundancy with effective separation - Component/functional redundancy 3. Component Location 4. Damage Suppression - Active - Passive (self sealing) - Fail-safe - Margin - Containment 5. Component elimination, replacement or enhancement Recoverability/Crew Survival 1. Abort 2. Repair - Emergency repair capability - Ground support for troubleshooting 3. Procedures and Training - Safe haven - Standby rescue vehicle Taken from Dr. Ball (Ref. 9), combat aircraft vulnerability reduction techniques include Component Redundancy (with separation), Component Location, Passive Damage Suppression, Active Damage Suppression, Component Shielding, and Component Elimination or Replacement. Lockheed Martin and the NPGS have been working to take from current aircraft vulnerability reduction techniques as well as develop new appropriate solutions. IV. Merging Aircraft and Spacecraft Safety Orion Spacecraft Survivability is the bridge between aircraft and spacecraft safety processes and procedures internationally. After four years of defining processes, Lockheed Martin has begun collaboration with the NPGS, NASA, and others to utilize the expertise of Aircraft Survivability and create a working group to move this program further. The Postgraduate Naval Academy, in Monterey, CA, currently offers the only accredited schooling on combat aircraft survivability. The Orion Spacecraft Survivability team has created working group with the dean of engineering and applied sciences, and his department, plus the guidance of Dr. Robert Ball, author of The Fundamentals of Aircraft Combat Survivability Analysis and Design, Second Edition (Ref. 9). Efforts for the next year include standardizing spacecraft vulnerability reduction techniques, applying this new relationship between safety and survivability back into air, sea land craft, and continuing to grow a working group of expertise. LMSS and the NPGS are in the process of writing a spacecraft survivability manual and creating a short course to teach these techniques of design and engineering. Lockheed Martin will be looking to additional universities for quantitative analysis and air and space associations to further fund the future of flight. V. Conclusion Developing a spacecraft survivability program is not solely to prepare for returning to the moon or for manned missions to Mars; rather, it is the time to bridge the gap between air and space survivability efforts to develop a joint program merging the strengths of experience with future space travel visions. Large and small companies alike have dabbled in and designed space planes, and critical parameters such as weigh constraints demand new methods to assure safety within these constraints. This proven area of engineering has a potential to revolutionize traditional space safety practices and potentially benefit the aircraft survivability with the injection of new challenges. 6
Lockheed Martin has worked to prove the benefits of these methodologies over the course of the Orion program, and expanded collaboration will further this program. With NASA and the Postgraduate Naval Academy participating, spacecraft survivability will continue to grow and develop. This working group looks to involve members of the space safety community and continue research that benefits the international world of space travel. References 1 M. K. Saemisch, M. S. Buchanan, Spacecraft Survivability Engineering: A Lockheed Martin Innovation Enhancing Traditional Hazard Control Approaches, 2 nd International Association for the Advancement of Space Safety conference, 14 May 2007. 2 NPR 8707.2B, Human-Rating Requirements for Space Systems, NASA Offices of Safety & Mission Assurance, 6 May 2008. 3 NPR 8707.2 (no revision), Human-Rating Requirements for Space Systems, NASA Offices of Safety & Mission Assurance, 19 June 2003. 4 Ball, R.E. and Kolleck, M.L., Survivability: It s Not Just for Aircraft Anymore, JTCG/AS, Aircraft Survivability, Winter 2000, pp. 10 11. 5 MIL-STD-1629A, Procedures for Performing a Failure Mode, Effects and Criticality Analysis, Department of Defense, Washington DC, 24 November 1980. 6 M. K. Saemisch, M. S. Buchanan, Spacecraft Survivability Engineering: Enhancing the Hazard Reduction Protocol for the NASA Orion Project, International System Safety Society, Sept. 2007 7 NASA Constellation Program, CXP 70038 Constellation Program Hazard Analysis Methodology, 18 December 2006. 8 Adams, Christopher, Aircraft Combat Survivability Short Course, Introduction to Survivability Presentation, Naval Postgraduate School, May 2009 9 Ball, Robert E., The Fundamentals of Aircraft Combat Survivability Analysis and Design, Second Edition, AIAA Education Series, 2003. 7