

"Design for Reliability and Safety" Approach for the New NASA Launch Vehicle

Safie, Fayssal M., Ph.D.(1), Weldon, Danny M.(2)

(1) NASA/MSFC, Huntsville, AL 35812, [email protected]
(2) NASA/MSFC, Huntsville, AL 35812, Danny.M [email protected]

ABSTRACT

The United States National Aeronautics and Space Administration (NASA) is in the midst of a space exploration program intended for sending crew and cargo to the International Space Station (ISS), to the moon, and beyond. This program is called Constellation. As part of the Constellation program, NASA is developing new launch vehicles aimed at significantly increasing safety and reliability, reducing the cost of accessing space, and providing a growth path for manned space exploration. Achieving these goals requires a rigorous process that addresses reliability, safety, and cost upfront and throughout all the phases of the life cycle of the program.

This paper discusses the "Design for Reliability and Safety" approach for the NASA new launch vehicles, the ARES I and ARES V. Specifically, the paper addresses the use of an integrated probabilistic functional analysis to support the design analysis cycle and a probabilistic risk assessment (PRA) to support the preliminary design and beyond.

[Figure 1 labels: Space Shuttle, ARES I, ARES V, Saturn V]

Figure 1. ARES I and ARES V Launch Vehicles in Comparison

1.0 BACKGROUND

This section provides some background on the new NASA launch vehicles, and an overview of some of NASA's applications of probabilistic methods in recent years.

1.1 NASA New Launch Vehicles

The following paragraphs provide a brief description of the NASA new launch vehicles, ARES I and ARES V. Fig. 1 shows the two vehicles in comparison with each other and with heritage vehicles. The arrows indicate hardware commonality.

The intended purpose of the ARES I, developed by NASA Marshall Space Flight Center (MSFC), is to safely deliver a payload of crew and cargo to a specified ascent target. This capability will support two separate missions: to carry payloads to the International Space Station (ISS); and to deliver a Crew Exploration Vehicle (CEV) with crew to dock with a Lunar Surface Ascent Module (LSAM) and Earth Departure Stage (EDS) in Earth orbit for a lunar mission.

The ARES I, shown in Fig. 2, consists of three major elements: a solid First Stage (FS), an Upper Stage (US), and a liquid Upper Stage Engine (USE). The CEV it delivers to orbit consists of a Launch Abort System (LAS), Crew Module (CM), Service Module (SM), and a Spacecraft Adapter (SA). The CEV development is being led by NASA Johnson Space Center (JSC).

[Figure 2 labels: Instrument Unit, Frustum, Crew Exploration Vehicle, Spacecraft Adapter, Forward Skirt, Upper Stage, First Stage]

Figure 2. ARES I Expanded View

The intended purpose of the ARES V launch vehicle, also developed by MSFC, is currently to deliver the LSAM for lunar missions, to deliver cargo to orbit, and to potentially deliver a single-launch solution to the Moon with combined CEV and lunar lander payloads. As shown in Fig. 3, the ARES V consists of the following: a liquid Core Stage with 5 RS-68 engines augmented by 2 five-segment Redesigned Solid Rocket Motors (RSRMs); an Interstage; an EDS with payload (LSAM shown); and a Shroud.

https://ntrs.nasa.gov/search.jsp?R=20070031700

[Figure 3 labels: Shroud, Lunar Surface Access Module, Earth Departure Stage, Interstage, Core Stage]

Figure 3. ARES V Expanded View

1.2 Overview of NASA Applications of Probabilistic Methods

Since the Space Shuttle Challenger accident in 1986, NASA has been incorporating quantitative risk assessments (QRA) in decisions concerning the Space Shuttle and other NASA projects. At MSFC, for example, QRA has been extensively used in areas such as risk management of flight hardware, trade studies, and reliability prediction of new hardware. In the risk management area, life limits based on QRA are being used in the Space Shuttle main engine (SSME) program [1]. QRA has also been incorporated to support flight issues on the SSME as well as other MSFC elements. With regard to trade studies, QRA has been used as the basis to evaluate the elimination of unnecessary inspections, procedures, and other program costs. For example, an extensive study was conducted in 1994 to determine whether to eliminate the pre-proof test x-ray inspections on the Space Shuttle External Tank (ET) [2]. In the reliability prediction area, similarity analysis and probabilistic structural models have been used by MSFC to predict the reliability of the Alternate Turbopumps (ATD) for the SSME, the X-33 engine, and other engines [3, 4, 5].

At the system level, NASA Headquarters has led several studies to predict the overall Space Shuttle risk. The first of these Space Shuttle QRA studies was conducted in 1988 by Planning Research Corporation (PRC). Per NASA's request, PRC conducted a QRA study to determine the Space Shuttle risk for the Galileo mission [6]. In 1993, Science Applications International Corporation (SAIC) updated the Galileo study using Bayesian techniques [7]. In 1995, SAIC conducted a comprehensive QRA study [8]. In July 1996, the NASA Administrator requested an independent QRA to be conducted by NASA QRA experts. In response to the Administrator's request, NASA conducted a two year study (October 1996 - September 1998) to develop a model that provided an overall Space Shuttle risk and estimates of risk changes due to proposed Shuttle upgrades [9]. Finally, building on previous Shuttle risk assessment studies, JSC has recently completed an extensive study of the Space Shuttle risks. This study has not yet been officially released.

After the Columbia accident, NASA conducted a QRA on ET foam. This study was the most focused and most extensive risk assessment that NASA has conducted in recent years. It used a dynamic, physics based, integrated system analysis approach to understand the integrated system risk due to ET foam loss in flight [10].

Unfortunately, many NASA probabilistic analyses in the past have been done after the fact (on the operational Shuttle system). This paper describes NASA application of probabilistic analysis methods starting at the design phase. Specifically, the paper addresses the use of an integrated probabilistic functional analysis upfront to support the system Design Analysis Cycle (DAC) and a probabilistic risk assessment (PRA) to support the preliminary design and beyond.

2.0 THE "DESIGN FOR RELIABILITY AND SAFETY" APPROACH

The "Design for Reliability and Safety" discussion in this paper is focused on the ARES I launch vehicle. However, the same approach is applicable to the ARES V launch vehicle.

Before getting into the discussion of the subject of this paper, it is important to note that the Constellation Program has in place ambitious quantitative requirements for Loss of Mission (LOM) and Loss of Crew (LOC). The LOM and LOC requirements (or equivalents) have been allocated to the ARES I and its major elements, the First Stage (FS), the Upper Stage (US), and the Upper Stage Engine (USE). Satisfying these requirements constitutes an ambitious goal that forced a paradigm shift at NASA. This paradigm shift has set the stage for establishing a working environment that integrates various disciplines (safety, reliability, design, etc.) and various organizations (engineering design organizations, project office, and safety and mission assurance organization) to support the design process. Within this integrated environment, this paradigm shift has also set the stage for a new era at NASA in applying a sound probabilistic design approach to analyze, understand, and influence the design upfront and throughout the different phases of the design. This paper focuses on the probabilistic design approach, and more specifically, on the use of the various quantitative probabilistic approaches that have been pursued by the ARES I project.

Section 2.1 discusses an integrated functional probabilistic analysis approach that addresses upfront some key areas to support the ARES I Design Analysis Cycle (DAC) pre-Preliminary Design (PD) phase. This functional approach is a probabilistic physics-based approach that combines failure probabilities with system dynamics and engineering failure impact models to identify key system risk drivers and potential system design requirements. Section 2.2 discusses other probabilistic risk assessment approaches planned by the ARES I project to support the PD phase and beyond.

2.1 The Probabilistic Functional Failure Analysis (PFFA) Approach

The PFFA approach is a dynamic top-down scenario-based approach intended to identify, model, and understand high system risk drivers for the purpose of influencing both system design and system requirements. This approach is implemented upfront during the system DAC phase preceding the preliminary design review (PDR). The current focus for the ARES I PFFA is on energetic or dynamic events and significant changes of state for the launch vehicle that can lead to LOM or LOC. Failures not initiated by the launch vehicle, other than those induced by the natural environment, and launch vehicle software failures are not currently considered. The launch vehicle was assumed to be fully tested and qualified with all tests and verification complete.

The first step in a PFFA is to define the mission timeline of system level functions. The applicable ARES I mission timeline includes the pre-launch and ascent phases. The system level functions during these phases include fuel load, crew load, pre-start, launch, staging (FS separation and USE start), LAS jettison, Main Engine Cutoff (MECO), and orbit insertion (payload separation) with CEV separation from the Upper Stage. Fig. 4 shows the ARES I ISS ascent mission profile including elapsed times.

Figure 4. Example ISS Mission Profile

Given the mission timeline of system level functions, the next step in a PFFA is to identify for each system level function the lower-level functions to a selected level of indenture. These lower-level functions are then transformed into a failure structure by restating each as a functional failure or failure event. Next, the functional failures are analyzed for their effects on the applicable physical design. The resulting failure effects, labeled as hazards or undesired conditions, are grouped by commonality of their effect on an element (e.g., Upper Stage) or on the launch vehicle. These groupings are labeled as failure bins, which are listed for further analysis. Table 1 is an example of such a failure bin for the uncontained (energetic failure with hazardous physical effects crossing beyond the source boundary) failure of the Upper Stage Engine.

Table 1. Example of a Bin for Upper Stage Engine Uncontained Failure

Failure Events or Scenarios                                        | Hazard or Undesired Condition
-------------------------------------------------------------------|-------------------------------------------------------------------------------
MFV fails to open                                                  | Ox-rich combustion in MCC. LOC
Insufficient purge at igniter on                                   | Trapped propellants ignite/explode
Excessive gas spin flow                                            | Excess propellant flow to engine. Overpressure in MCC/GG. If not detected, rupture and LOC
GGFV fails to open                                                 | Lox-rich combustion in GG. Fire/explosion. LOC
Excessive gimbaling during engine start                            | Structural damage
Engine hardware failure                                            | Fire/explosion
MCC/Nozzle burnthrough                                             | Hot gas impingement on engine. LOC
Nozzle extension burnthrough                                       | Side thrust. If TVC unable to correct for thrust enough to give time for crew abort, LOC. Otherwise LOM
Seal failure                                                       | Hot gas impingement on engine. LOC
MCC/GG overpressure data not relayed to/from engine                | Continued MCC overpressure results in rupture. LOC
Insufficient propellant (NPSP) from US to engine (either LO2 or LH2) | Engine cavitation leading to uncontained failure. LOC
Insufficient propellant quality/volume (gas) from US to engine     | Engine turbopumps could overspeed
Insufficient propellant (NPSP) from US to engine                   | Engine cavitation

Given the list of failure bins, the next step in a PFFA is to determine the "bounding" failure scenario for each bin. The "bounding" failure scenario is selected based on the frequency of occurrence, the impact on system risk, and the potential for design improvement.

Given the "bounding" failure scenarios, a short list (a handful of scenarios) is established based on project priorities for further in-depth focused analysis. Specifically, the items on the short list are subjected to in-depth physics based dynamic simulation modeling to understand the physics of failure, the probability of launch vehicle failure or break up, and the launch abort system capability to save the crew. Fig. 5, Fig. 6, and Fig. 7 represent an end-to-end example of the logic of the components of the in-depth focused analysis for an item that could potentially be part of the short list for ARES I.

Fig. 5 shows a representation of the path and off-nominal time from the failure event, labeled "initiator", to the physical failure mode of rupture, labeled "fault", to the local failure effects, labeled "threat/hazardous environment", from which the crew must escape. Each failure event or initiator is assumed to cause an immediate loss of mission and a decision to perform an abort.

[Figure 5 labels: USE Uncontained Start Failure; Initiator; Fault; Threat/hazardous environment]

Figure 5. Failure Event to Initial Failure Environment Example

Fig. 6 shows an example of the failure logic for an explosion resulting from the energetic event of a USE uncontained start failure as seen in the previous figure. Hazards to other launch vehicle elements from an explosion include overpressure, fragmentation, and fire. Physics-based simulation models will be developed for each hazard to crew survivability as applicable. For example, the model for overpressure risk to crew will involve a blast model that makes use of the equivalent TNT yield of the liquid propellant, launch vehicle trajectory and flight environment data, physical parameters of the LAS and crew module, other critical ascent and launch vehicle parameters, and LAS activation time.

Figure 6. Failure Environment Development Example

Fig. 7 illustrates the combined failure timeline from initiator to critical overpressure for the example scenario along with a crew escape timeline. The crew escape timeline is superimposed upon the failure timeline to model the effectiveness of abort capability against the particular hazard to crew. The escape timeline involves the response and abort capability of the LAS and CEV. It includes detection of the hazard, activation of the LAS, and subsequent CEV separation to a safe position.

Figure 7. Failure and Crew Escape Timeline

To summarize, the process just described in the example (Fig. 5, Fig. 6, and Fig. 7) starts with a failure initiator, followed by propagation of the failure initiator to a system failure, and then the impact of the system failure on LOC. This is all done taking into consideration the system dynamics at the time of the failure initiation and the physics of the failure as it propagates through the system, all the way to the impact of the failure on the effectiveness of the abort system.

While the PFFA described in section 2.1 serves the purpose of impacting the design during the system DAC, a classical PRA is performed subsequently to support the preliminary design, detailed design and beyond. The PRA would be structured and focused by the results of the PFFA. The following section discusses the classical PRA process that will be used in conjunction with the PFFA to support post-DAC design phases.
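The Fig. 5 to Fig. 7 logic (initiator to fault to threat environment, with the crew escape timeline superimposed on the failure timeline to judge abort effectiveness), as an added example that is not the paper's or the ARES I project's model. Every duration, range and the uniform distributions are constructed placeholders; the model also derives the detection-latency requirement and shows how P(LOC | initiator) moves when detection is faster.

```python
import random
from dataclasses import dataclass


@dataclass
class FailureTimeline:
    """Off-nominal path of Fig. 5: initiator -> fault -> threat environment,
    plus the time for the threat to reach a level the crew cannot survive.
    All durations are seconds after the initiator (constructed values)."""
    initiator_to_fault: float     # e.g. combustion anomaly to chamber rupture
    fault_to_threat: float        # rupture to blast/fragments leaving the engine
    threat_to_critical: float     # threat reaching critical overpressure at the CM

    def critical_time(self):
        return (self.initiator_to_fault + self.fault_to_threat
                + self.threat_to_critical)


@dataclass
class EscapeTimeline:
    """Crew escape timeline of Fig. 7: hazard detection, LAS activation,
    and CEV separation to a safe position (constructed values)."""
    detection: float
    las_activation: float
    separation_to_safe: float

    def safe_time(self):
        return self.detection + self.las_activation + self.separation_to_safe


def outcome(failure, escape):
    """Every initiator is assumed to be a loss of mission with an abort
    decision; the crew is lost only if the hazard turns critical before
    the CEV has reached its safe position."""
    return "LOC" if escape.safe_time() >= failure.critical_time() else "LOM"


def margin(failure, escape):
    """Seconds to spare (positive) or how late the escape is (negative)."""
    return failure.critical_time() - escape.safe_time()


def max_detection_latency(failure, las_activation, separation_to_safe):
    """Derived requirement: the longest detection latency that still gets
    the CEV to its safe position before the hazard turns critical."""
    return failure.critical_time() - (las_activation + separation_to_safe)


def p_loc_given_initiator(n=5000, detection_latency=1.0, seed=7):
    """Monte Carlo over uncertain durations (uniform ranges, constructed):
    fraction of samples in which the escape finishes too late. Re-running
    with a smaller detection_latency shows what a fault-detection
    improvement buys in abort effectiveness."""
    rng = random.Random(seed)
    loc = 0
    for _ in range(n):
        failure = FailureTimeline(rng.uniform(0.2, 0.6), rng.uniform(0.1, 0.3),
                                  rng.uniform(1.5, 3.0))
        escape = EscapeTimeline(detection_latency, rng.uniform(0.2, 0.4),
                                rng.uniform(1.0, 2.5))
        if outcome(failure, escape) == "LOC":
            loc += 1
    return loc / n


if __name__ == "__main__":
    f = FailureTimeline(0.5, 0.2, 2.0)
    e = EscapeTimeline(1.0, 0.3, 1.0)
    print(outcome(f, e), round(margin(f, e), 3))        # LOM 0.4
    print(round(max_detection_latency(f, 0.3, 1.0), 3))  # 1.4
    for latency in (0.2, 0.5, 1.0):
        print(latency, p_loc_given_initiator(detection_latency=latency))
```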

2.2 The PRA Process

PRA is a rigorous method to model what can go wrong with a system, predict how often it might go wrong (the probability that specific undesired events will occur), identify the consequences if something does go wrong, and engage the design and development community to the fullest extent. Within NASA, the PRA uses as input, among others, the safety, reliability, and even quality models and analyses. These would include hazard analyses, fault tree analyses, failure modes and effects analyses, reliability predictions, and process characterization and control analyses. PRA provides information on the uncertainty of the predictions and identifies which failures and, therefore, which systems, subsystems, and components pose the most significant risk to the system. The following is a description of the PRA process as defined by NPR 8705.5, Probabilistic Risk Assessments (PRA) Procedures for NASA Programs and Projects.

Fig. 8 shows a generic PRA process. The master logic diagram (MLD) is a hierarchical, top-down display of initiating events (IE), showing general types of undesired events at the top, proceeding to increasingly detailed event descriptions at lower tiers, and displaying initiating events at the bottom. The modeling of each accident scenario proceeds with inductive logic tools called event sequence diagrams (ESDs). An ESD starts with the initiating event and progresses through the scenario, a series of successes or failures of intermediate events called pivotal events, until an end state is reached. ESDs are mapped into event trees (ETs), which relate more directly to practical quantification of accident scenarios, but the ESD representation has the significant advantage over the ETs of enhancing communication between risk engineers, designers, and crews. Upon completion of the event trees, Fault Trees (FTs) are created to model how failures and other events combine to cause failures of pivotal events (intermediate events) in the accident scenario. The pivotal events are placed at the tops of the FTs and deductive logic is used to identify the combinations of events that may result in the top event, i.e., to develop the branches of the fault trees. The fault trees may consist of: the top event (pivotal event), intermediate events or logic gates, and the basic events. The basic events are linked to the top event through the intermediate logic gates. The fault trees are simplified through Boolean reduction to quantify each pivotal event in the scenario. The accident sequences (event sequences) and FTs are logically linked and quantified, usually using an integrated PRA computer program. The frequency of occurrence of each end state in the ET is calculated as the product of the IE frequency and the (conditional) probabilities of the pivotal events along the scenario path linking the IE to the end state. Scenarios are grouped according to the end state of the scenario defining the consequence. All end states are then grouped, i.e., their frequencies are summed up into the frequency of a representative end state. As part of the quantification, uncertainty analyses are performed to evaluate the degree of knowledge or confidence in the calculated numerical risk results. [11]
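The quantification step just described (fault trees reduced to minimal cut sets to quantify each pivotal event, end-state frequency as IE frequency times the product of the conditional pivotal-event probabilities along the path, frequencies summed per end state, and an uncertainty analysis on top), worked as an added example that is not from the paper or the ARES I PRA. The initiating event, basic events, their probabilities and the lognormal error factor are all constructed placeholders for a two-pivotal-event scenario.

```python
from itertools import product
from functools import reduce
import math
import random

# Basic-event probabilities per flight: constructed placeholders, not data
# from the ARES I PRA.
BASIC = {
    "sensor_a_fails": 1e-2,
    "sensor_b_fails": 1e-2,
    "fdir_logic_fault": 5e-4,
    "las_motor_no_ignite": 2e-3,
    "las_sep_mech_jams": 1e-3,
}

# One fault tree per pivotal event: nested ("OR"/"AND", child, ...) tuples
# whose leaves are basic-event names; the pivotal event is the top event.
FAULT_TREES = {
    # hazard undetected: FDIR logic fault, or both redundant sensors fail
    "detect_fails": ("OR", "fdir_logic_fault",
                     ("AND", "sensor_a_fails", "sensor_b_fails")),
    # LAS cannot carry the CEV clear: either single-point failure suffices
    "las_fails": ("OR", "las_motor_no_ignite", "las_sep_mech_jams"),
}

IE_FREQ = 1e-3                           # initiating-event frequency per flight (constructed)
PIVOTAL = ["detect_fails", "las_fails"]  # pivotal events in scenario order


def min_cut_sets(tree):
    """Boolean reduction of a fault tree into its minimal cut sets."""
    if isinstance(tree, str):
        return [frozenset([tree])]
    gate, *children = tree
    child_sets = [min_cut_sets(c) for c in children]
    if gate == "OR":
        cuts = {c for cs in child_sets for c in cs}
    else:  # AND: union one cut set from every child, for every combination
        cuts = {frozenset().union(*combo) for combo in product(*child_sets)}
    return [c for c in cuts if not any(o < c for o in cuts)]  # minimal only


def top_event_prob(tree, basic=BASIC):
    """Rare-event approximation: sum over minimal cut sets of the product of
    their basic-event probabilities."""
    return sum(reduce(lambda acc, ev: acc * basic[ev], cut, 1.0)
               for cut in min_cut_sets(tree))


def end_state(detect_fails, las_fails):
    """Consequence rule: any initiator is at least LOM; the crew is lost if
    the hazard goes undetected or the LAS fails to carry them clear."""
    return "LOC" if (detect_fails or las_fails) else "LOM"


def quantify(basic=BASIC, ie_freq=IE_FREQ):
    """End-state frequencies: for each event-tree path, IE frequency times
    the product of the conditional pivotal-event probabilities along the
    path, then summed per end state."""
    p = {pe: top_event_prob(FAULT_TREES[pe], basic) for pe in PIVOTAL}
    freq = {"LOM": 0.0, "LOC": 0.0}
    for branches in product([False, True], repeat=len(PIVOTAL)):
        path_p = 1.0
        for pe, failed in zip(PIVOTAL, branches):
            path_p *= p[pe] if failed else 1.0 - p[pe]
        freq[end_state(*branches)] += ie_freq * path_p
    return freq


def loc_uncertainty(n=2000, error_factor=3.0, seed=1):
    """Uncertainty analysis: each basic event gets a lognormal with the given
    95th-percentile error factor; the whole model is re-quantified per
    sample. Returns (5th, 50th, 95th) percentiles of the LOC frequency."""
    rng = random.Random(seed)
    sigma = math.log(error_factor) / 1.645
    samples = []
    for _ in range(n):
        sampled = {k: v * math.exp(rng.gauss(0.0, sigma)) for k, v in BASIC.items()}
        samples.append(quantify(sampled)["LOC"])
    samples.sort()
    return tuple(samples[int(q * (n - 1))] for q in (0.05, 0.5, 0.95))


if __name__ == "__main__":
    f = quantify()
    print(f"LOM {f['LOM']:.4e}  LOC {f['LOC']:.4e}")  # LOM 9.9640e-04  LOC 3.5982e-06
    print(loc_uncertainty())
```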

[Figure 8 label: Fault Tree Diagram]

Figure 8. PRA Process

2.2.2 PFFA and PRA in Support of the Design Process

As discussed in section 2.1, the intent of the PFFA is to analyze and understand a set of integrated system failure scenarios that have the major impact on system risk. The analysis results are then used for potential design changes, abort requirements changes, fault detection improvements, and possibly design changes to reduce or eliminate the probability of the failure initiator. The analysis in a PFFA is dynamic in nature. It takes into consideration the dynamics of the failure sequence as a function of time, and the dynamics of the system environment. On the other hand, the PRA described in the above section is, generally, static in nature. While the PFFA serves the purpose of impacting the design during the system DAC, a classical PRA is performed subsequently to support the preliminary design, detailed design and beyond. The PRA would be structured and focused by the results of the PFFA. Specifically, the PFFA work results in the event sequence diagrams and possibly the initial event trees and branch point quantification that would be part of the PRA. These models would then be supplemented by detailed fault tree models and supporting data analyses, as required, in the areas that have been shown in the PFFA as the potential risk drivers.

3.0 CONCLUSION

The authors of this paper have described a changing environment at NASA set by a paradigm shift in how NASA is planning to use probabilistic assessment methods to support the design process for its new launch vehicles. The PFFA discussed in the paper represents a critical first step in the implementation of a "Design for Reliability and Safety" approach needed for achieving NASA's ambitious goals in designing highly reliable and safe launch vehicles.

4.0 ACKNOWLEDGEMENT

The authors of this paper would like to acknowledge the ARES I abort risk assessment team at MSFC, JSC, and ARC for their contribution to material used to write this paper. Special acknowledgement is made to risk and reliability expert Professor Joe Fragola, Vice President, Valador, Incorporated, for his contribution to the PFFA activity across the various NASA Centers.

5.0 REFERENCES

1. Safie F.M., A Statistical Approach for Risk Management of Space Shuttle Main Engine Components. Probabilistic Safety Assessment and Management, 1991.
2. Safie F.M., A Risk Assessment Methodology for the Space Shuttle External Tank Welds. Reliability and Maintainability Symposium, 1994.
3. Hoffman C.R., Pugh R., Safie F.M., Methods and Techniques for Risk Prediction of Space Shuttle Upgrades. AIAA, 1998.
4. Fox E.P., SSME Alternate Turbopump Development Program: Probabilistic Failure Methodology Interim Report. FR-20904-02, 1990.
5. Safie F.M., Fox E.P., A Probabilistic Design Analysis Approach for Launch Systems. AIAA/SAE/ASME 27th Joint Propulsion Conference, 1991.
6. Planning Research Corporation, Independent Assessment of Shuttle Accident Scenario Probabilities for Galileo Mission and Comparison with NSTS Program Assessment, 1989.
7. Science Applications International Corporation, Probabilistic Risk Assessment of the Space Shuttle Phase I: Space Shuttle Catastrophic Failure Frequency Final Report, 1993.
8. Science Applications International Corporation, Probabilistic Risk Assessment of the Space Shuttle, 1995.
9. Safie F.M., An Overview of Quantitative Risk Assessment for the Space Shuttle Propulsion Elements. The Fourth Probabilistic Safety Assessment and Management (PSAM4), NY City, 1998.
10. Safie F.M., Role of Process Control in Improving Space Vehicle Safety: A Space Shuttle External Tank Example. 1st IAASS Conference "Space Safety, a New Beginning", Nice, France, 2005.
11. NPR 8705.5, Probabilistic Risk Assessments (PRA) Procedures for NASA Programs and Projects.