Futron Corporation, 400 Virginia Avenue, SW, Suite 340, Washington, DC 20024-2730. Phone 202-488-2931, Fax 202-488-7863, http://www.futron.com. "We make technology work."

NASA PRA Practices and Needs for the New Millennium

International Space Station Probabilistic Risk Assessment, Stage 7A

October 25-26, 2000


Page 2: Purpose of ISS PRA (October 23, 2000; ISS PRA 00-34)

• Provide a decision support tool for the ISS program that evaluates safety and mission assurance risk

• Objectives
  • Provide risk data across ISS functions/systems (useful to operations planners as well as follow-on development managers)
  • Ensure synergy with ongoing safety, reliability, and risk management activities

• Scope
  • Develop the PRA in phases (allows for strategic/tactical changes to approach)
  • Consider only the catastrophic end states of loss of station, crew, module, or mission
  • Incorporate existing safety and reliability data

Page 3: PRA Products

• Risk model capable of assessing risks due to changes in ISS configuration, operations, or environmental factors

• Probability distribution functions (including median values, mean values and uncertainties) for the end states, events, and accident scenarios

• Trade and sensitivity analyses (e.g. effects of system upgrades, risk mitigation strategies, modeling assumption changes, etc.)

• Identification of any discrepancies found in existing safety and reliability analyses (provides independent check)

Page 4: Phased Approach

[Figure: Phased Approach timeline, 2000 through 2005. Flight milestones: Flt 7A, Flt 12A, Final Assembly Flight. Phases I through IV, with the Stage 7A PRA Quick Look, the Intermediate Stage PRA and the Assembly Complete PRA. Two bands track the safety data products produced by the ISS Program and the safety data products used by the PRA process, plotted as number of data products: Hazard Analyses, FMEA/CIL, Reliability Diagrams, Fault Trees, Failure Rate Predictions, Architecture Description Docs, Flight Rules, Procedures.]

Stage 7A PRA: use PRA to perform trade and sensitivity analysis to support program decisions

Page 5: Definitions

• Event Sequence Diagram (ESD) - ESDs show the progression of an initiating event to all the possible end states.

• Initiating Event - Initiating events begin the event sequences:
  • Single component failure or a combination of failures
  • Start of a procedure
  • Energetic external event

• Pivotal Event - Pivotal events are those that must occur in order to prevent the initiating event from propagating further. These may take the form of safety systems, procedural steps, crew or ground intervention, physical conditions, or time constraints.

• End States - Terminating point of an event sequence. An ESD can have multiple end states.

• Sequence - Accident scenario. A path through the ESD from initiator to a bad end state.

• Basic Events - Lowest quantified part of the model.

Page 6: Model Philosophy

• Stage 7A (including previous stages) is assembled correctly

• All equipment is operational at start of 7A

• Structural failures are not credible

• Spares noted in logistics plans are on station

• Repair actions incorporate:
  • restoration of initiating events
  • restoration of onboard spared items

• Human errors are not initiating events
  • They do contribute to pivotal events

• Russian EVA resources not available
  • Procedures do not yet show the use of these assets

• Software is perfect for this iteration of the model

Page 7: Stage 7A Configuration

• Airlock is attached and functional

• Model includes:
  • 3 crew members
  • 8 months of operations
  • 3 Progress dockings
  • 3 Orbiter dockings
  • 2 Soyuz dockings
  • 1 Soyuz port change
  • 1 avoidance maneuver
  • 2 reboost burns
  • 3 EVAs

[Figure: Stage 7A configuration drawing with labelled elements: Joint Airlock, Service Module, Progress, Soyuz, U.S. Laboratory, Node 1, Functional Cargo Block, Z1 Truss (CMGs), PV Arrays, Radiators, Space Station Remote Manipulator System, two Pressurized Mating Adapters, P6 Truss.]

Page 8: End State Definitions

• Station and Crew are Functional (OK)
  • This end state signifies that the station is still working within the flight rule constraints

• Loss of Station and Crew (LOS/C)
  • Catastrophic loss of the station and crew

• Loss of Crew (LOC)
  • Resultant loss of a crew-member
  • Also includes the inability to evacuate the station due to an evacuation end state and the unavailability of either Soyuz or Orbiter to perform such a task

Page 9: End State Definitions (continued)

• Evacuation End States (EVAC)
  • Emergency Evacuation - An emergency situation exists and warrants station evacuation. These situations are characterized by short response times and are captured in Flight Rules.
  • Flight Rule Evacuation - Evacuation once a set of conditions is met. Some Flight Rules state that certain conditions must be satisfied but do not identify further action, while others state that further discussion with the ground is required.
  • Medical Evacuation - Evacuation of the station is dictated by a medical condition of one of the crewmembers. At Stage 7A all three crewmembers must evacuate together since only one Soyuz is available.

Page 10: End State Definitions (continued)

• Other Undesired End States (OUE) - Collection of end states that, while neither catastrophic nor an evacuation, still represent a "bad day". These include:
  • The shutdown of any pressurized module
    • as dictated by flight rule
    • as a result of MMOD
  • The loss of either US or RS distributed systems: Electrical Power, Thermal Control, Environmental Control and Life Support, Attitude Control, Guidance & Nav, Propulsion, Command & Data Handling, Communications
  • Loss of a function such as
    • ability for Orbiter, Progress, or Soyuz to dock
    • ability to reboost
    • insufficient O2 or N2 reserves

Page 11: ISS PRA Approach Flow Diagram

[Figure: flow diagram; labels recovered from the slide. Phase I Results, FMEA/CIL, Hazard Reports, Functional Analysis and Previous Risk Assessments feed a Master Logic Diagram, which yields the List of Initiating Events. Flight Rules, Training Manuals, System Architecture and Engineering Expertise feed the Event Sequence Diagrams. MADS, PRACA, industry databases and other assessments feed the Data Analysis. Components, Systems and Racks feed the Fault Trees. ESDs, Fault Trees and Data Analysis come together in SAPHIRE, which integrates operational models and hardware configuration to provide results; the Results are reviewed by ISS Program Organizations.]

Page 12: Master Logic Diagram

[Figure: Master Logic Diagram. Top event: Loss of Station Function. First-level contributors: Internal System Failures; Energetic Hazards; Interaction With Other Vehicles; Crew Injury or Incapacitation; Element Interface Integrity; Structural Integrity. Internal System Failures decompose into Propulsion, Life Support, Electrical Power, C&DH, Comm., Thermal Control and Attitude Control. Energetic Hazards decompose into External Sources and Internal Sources. Interaction With Other Vehicles decomposes into Soyuz Collision, Progress Collision and Orbiter Collision. A "Bad Day" node is also shown.]

Page 13: ISS PRA Model

[Figure: model structure. Three groups of ESDs feed the end states:
  • Housekeeping ESDs (continuous operations): EPS, TCS, GNC, C&DH, ECLSS, ACS, Medical
  • Procedural ESDs (per demand): Orbiter Docking, Soyuz Docking, Progress Docking, Reboost, EVAs
  • Energetic Hazard ESDs (occurrence frequency): MMOD, Radiation, Fire, Toxic
End states: probabilities gathered across all ESDs. Results: probabilities and dependency interactions.]

PRA Stage 7A Model status:
  • 65 Event Sequence Diagrams
  • ~450 Fault Trees
  • ~1500 Basic Events
  • 28 Unique Bad End States
  • ~400 Sequences
  • >2 million Cut-sets

Page 14: ESD Example - O2 Generation

[Figure: Event Sequence Diagram for loss of O2 generation. Legend: Initiator, Pivotal Event, End State, Failure Path. Initiator: Elektron fails (note 1). Pivotal events, tried in order, each with a Yes/No branch:
  • Progress O2/Air tanks available (390 hours of supplies)? Yes: Elektron repaired before Progress supplies are consumed? Yes: OK. No: next source.
  • O2 HPGC #1 available (1000 hours of supplies)? Yes: Elektron repaired before O2 HPGC #1 supplies are consumed? Yes: OK. No: next source.
  • SFOGs available/functional (note 2) (320 hours of supplies)? Yes: Elektron repaired before SFOG supplies are consumed? Yes: OK. No: next source.
  • EVA HPGC available/functional (note 3) (320 hours of supplies)? Yes: Elektron repaired before EVA HPGC supplies are consumed? Yes: OK. No: FR EVAC.
A "No" on any availability question also proceeds to the next source; exhausting all sources leads to the FR EVAC end state.]

Notes:
1) The Elektron is considered the primary oxygen source for the ISS as per Flight Rule {B17.2.10-2} ELEKTRON NOMINAL CONFIGURATION AND FAILURE RESPONSE [111699-7014A]. This flight rule states that "...upon loss of Elektron, MCC will recommend in real-time..." The sequence of use of redundant systems was then based on the ISS ECLSS Console Handbook, Volume I - Appendix: Console Flipbook (JSC-36331) Resource System Capacities (pg. 44).
2) The SFOGs and the EVA HPGC are not necessary for the 35 days (840 hrs) between 7A and 7A.1.
3) The EVA HPGC is only necessary between 7A.1 and UF-1 if the Progress stores were completely consumed prior to 7A.1 and the Elektron does not work for more than 8 days (192 hrs) of that time period.
4) 68 kg of O2 are reserved as per Flight Rule {B17.5.1-1} OXYGEN AND NITROGEN RESERVE REQUIREMENTS [062296-6596], so this HPGC can only provide 13.3 days (320 hrs) of O2 support.
5) Greatest length of time between Orbiter flights (HPGC recharge and SFOG cassette replenishment) is between 7A.1 and UF-1 - 63 days (1512 hrs).
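The following is an added example, not part of the Futron slides, that walks the O2 Generation ESD above as a chain of pivotal events and enumerates every sequence from the initiator to an end state. The ordering of backup sources and their hours of supply are taken from the diagram; the availability probabilities and the Elektron repair rate are constructed placeholders, not values from the ISS PRA.

```python
import math

# Added example, not from the Futron slides: the O2 Generation ESD walked as
# a chain of pivotal events. Source order and supply hours follow the
# diagram; availability and repair figures are constructed placeholders.

# Backup O2 sources in the order the ESD tries them, with hours of supply
# from the slide.
BACKUPS = [
    ("Progress O2/Air tanks", 390),
    ("O2 HPGC #1", 1000),
    ("SFOGs", 320),
    ("EVA HPGC", 320),
]

# Constructed: probability each backup is available/functional when needed.
AVAILABILITY = {
    "Progress O2/Air tanks": 0.98,
    "O2 HPGC #1": 0.95,
    "SFOGs": 0.90,
    "EVA HPGC": 0.90,
}

# Constructed: constant Elektron repair rate (mean time to repair 200 h).
REPAIR_RATE = 1.0 / 200.0


def p_repaired_within(hours, repair_rate=REPAIR_RATE):
    """Probability the Elektron is back before `hours` of backup supply are
    consumed, under an exponential (constant-rate) repair model."""
    return 1.0 - math.exp(-repair_rate * hours)


def enumerate_sequences(backups=BACKUPS, availability=AVAILABILITY,
                        repair_rate=REPAIR_RATE):
    """Every path from the initiator to an end state, as
    (path, end_state, probability). Probabilities are conditional on the
    initiating event 'Elektron fails' having occurred."""
    sequences = []

    def walk(index, path, prob):
        if index == len(backups):
            # Every source unavailable or exhausted: flight-rule evacuation.
            sequences.append((path, "FR EVAC", prob))
            return
        name, hours = backups[index]
        avail = availability[name]
        repaired = p_repaired_within(hours, repair_rate)
        q_avail = f"{name} available"
        q_repair = f"Elektron repaired before {name} supplies consumed"
        # Source not available: fall through to the next source.
        walk(index + 1, path + [(q_avail, "No")], prob * (1 - avail))
        # Source available and Elektron repaired in time: station is OK.
        sequences.append((path + [(q_avail, "Yes"), (q_repair, "Yes")],
                          "OK", prob * avail * repaired))
        # Source available but consumed before repair: next source.
        walk(index + 1, path + [(q_avail, "Yes"), (q_repair, "No")],
             prob * avail * (1 - repaired))

    walk(0, [("Elektron fails", "initiator")], 1.0)
    return sequences


def end_state_probabilities(sequences):
    """Sum sequence probabilities per end state (what the model reports)."""
    totals = {}
    for _, end_state, prob in sequences:
        totals[end_state] = totals.get(end_state, 0.0) + prob
    return totals


def p_evac_closed_form(backups=BACKUPS, availability=AVAILABILITY,
                       repair_rate=REPAIR_RATE):
    """Evacuation needs every source to fail to bridge the repair, so
    P(FR EVAC) is the product of (1 - availability * P(repaired in time))."""
    prob = 1.0
    for name, hours in backups:
        prob *= 1 - availability[name] * p_repaired_within(hours, repair_rate)
    return prob


if __name__ == "__main__":
    seqs = enumerate_sequences()
    # Sequences ranked by probability: the usual "top sequences" view.
    for path, end_state, prob in sorted(seqs, key=lambda s: -s[2])[:5]:
        print(f"{prob:.3e}  {end_state:8s}  "
              + " -> ".join(f"{q}={a}" for q, a in path))
    print(end_state_probabilities(seqs))
```

With four sources the diagram has 31 distinct sequences (one OK exit per source plus sixteen ways of reaching FR EVAC); the sum of all sequence probabilities is 1, and the evacuation probability from the enumeration matches the closed-form product, which is a cheap consistency check before a model of this shape is trusted.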

Page 15: Fault Trees - CDRA

[Figure: fault tree for "CDRA fails"; event labels recovered from the slide, gate types not recoverable from the text. Inputs to "CDRA fails": CDRA HW fails; INT MDMs fail; LA-3 MDM fails; AR rack AAA fails; No power to AR rack (RPCM LAF6-2B-A fails); ITCS LTL not at proper temperature (Both Lab CCAAs are inactive); CVV fails (CDRA). Development of "CVV fails (CDRA)": CO2 Vent Valve Vacuum Line Pressure Transducer fails; CO2 Vent Valve Rack Isolation Valve fails closed; CO2 Vent Valve Bulkhead Isolation Valve fails closed; No power to CVV (RPCM LAAFT2B-E fails). Development of the CVV power loss: RPCM LAAFT2B-E fails; DDCU LAAFT-2B fails; LB SEPS-N2-23 fails; INT MDMs fail; Coldplate HXRM04 fails.]

Fault trees trace failures into supporting systems such as the DDCUs
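The following is an added example, not part of the Futron slides, showing how a fault tree like the CDRA one is turned into minimal cut sets and a top-event probability. The event names are the slide's; the gate types (OR everywhere, with "ITCS LTL not at proper temperature" read as an AND of the two Lab CCAAs) and every basic-event probability are constructed assumptions for the demonstration.

```python
import itertools
import math

# Added example, not from the Futron slides: a small fault-tree evaluator
# around the CDRA tree on this slide. Event names are the slide's; the gate
# types and every basic-event probability are constructed assumptions.

# A node is a basic-event name (str) or a (gate, [children]) pair.
CDRA_TREE = ("OR", [
    "CDRA HW fails",
    "INT MDMs fail",
    "LA-3 MDM fails",
    "AR rack AAA fails",
    "No power to AR rack (RPCM LAF6-2B-A fails)",
    # ITCS LTL not at proper temperature: both Lab CCAAs inactive (assumed AND).
    ("AND", ["Lab CCAA 1 inactive", "Lab CCAA 2 inactive"]),
    # CVV fails (CDRA).
    ("OR", [
        "CO2 Vent Valve Vacuum Line Pressure Transducer fails",
        "CO2 Vent Valve Rack Isolation Valve fails closed",
        "CO2 Vent Valve Bulkhead Isolation Valve fails closed",
        # No power to CVV: traced into the supporting power and data systems.
        ("OR", [
            "RPCM LAAFT2B-E fails",
            "DDCU LAAFT-2B fails",
            "LB SEPS-N2-23 fails",
            "INT MDMs fail",  # also under the top gate: a shared dependency
            "Coldplate HXRM04 fails",
        ]),
    ]),
])


def cut_sets(node):
    """All cut sets of `node` as frozensets of basic events (not yet minimal)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        # Any child's cut set fails the gate.
        return set().union(*child_sets)
    if gate == "AND":
        # One cut set from every child must hold at once.
        return {frozenset().union(*combo)
                for combo in itertools.product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Drop every cut set that contains another one (Boolean absorption)."""
    sets = cut_sets(node)
    return {s for s in sets if not any(other < s for other in sets)}


def basic_events(node):
    """Distinct basic-event names in the tree."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1]))


def top_event_probability(mcs, probabilities):
    """Rare-event approximation: sum over minimal cut sets of the product of
    their basic-event probabilities."""
    return sum(math.prod(probabilities[event] for event in cut_set)
               for cut_set in mcs)


if __name__ == "__main__":
    mcs = minimal_cut_sets(CDRA_TREE)
    # Constructed: every basic event given the same probability.
    probs = {event: 1e-3 for event in basic_events(CDRA_TREE)}
    for cut_set in sorted(mcs, key=lambda s: (len(s), sorted(s))):
        print(len(cut_set), sorted(cut_set))
    print(f"P(CDRA fails) ~ {top_event_probability(mcs, probs):.6f}")
```

Because "INT MDMs fail" appears both directly under the top gate and inside the CVV power branch, the set union collapses it into a single first-order cut set rather than counting it twice; that is exactly the dependency the slide's caption refers to when it says fault trees trace failures into supporting systems.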

Page 16: Quantification

• For each Basic Event, the probability of failure is calculated within a given time period:

  $\Pr = e^{-\lambda t}$

  where $\lambda$ = failure rate (failures/hour) and $t$ = mission time

• Failure rates and probabilities
  • Derived from a number of sources to give a mean and distribution:
    • MADS - ISS logistics approved
    • NPRD - Nonelectronic Parts Reliability Data
    • EPRD - Electronic/Electrical Parts Reliability Data
    • Russian R&M reports RE-03, R-10-R02
  • Probability distributions reflect the uncertainty in knowing the time of the next failure
    • Typically 5th and 95th percentiles of log-normal failure rates

Page 17: Basic Event Quantification

[Figure: log-scale plot of Failure Rate (fpmh: failures per million hours) from 0.01 to 1000. Data values from NPRD are plotted as individual points; the MADS or RSA data value is 0.465 fpmh; the fitted distribution has 5th percentile = 0.166 fpmh, 95th percentile = 14.7 fpmh and distribution mean = 3.96 fpmh.]

Many data points are combined to derive the mean failure rate and its distribution

Page 18: Quantification (Updating)

[Figure: complementary cumulative distribution plot. Vertical axis: Probability That Failure Rate is Greater Than, 0% to 100%. Horizontal axis: Failure Rate (fpmh: failure per million hours), log scale from 0.01 to 100. Two curves: Prior Data, and Posterior: Updated Data.]

Component failure rates are updated with actual failure experience on-orbit
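The following is an added example, not part of the Futron slides, that carries the quantification chain of the last three slides through in code: fitting a log-normal failure-rate distribution from the 5th and 95th percentiles on the Basic Event Quantification slide (0.166 and 14.7 fpmh) and checking that its mean comes out at the slide's 3.96 fpmh, quantifying one basic event over a mission time with the exponential model from the Quantification slide, and then performing the Bayesian update the Updating slide plots. One caveat the code makes explicit: the term $e^{-\lambda t}$ is the probability of surviving the period, so the probability of at least one failure is its complement $1 - e^{-\lambda t}$. The mission time, the evidence (failures and hours on-orbit) and the grid are constructed placeholders.

```python
import math

# Added example, not from the Futron slides: the basic-event quantification
# chain from the three preceding slides. The 5th/95th percentiles are the
# slide's values; exposure time, on-orbit evidence and the grid are
# constructed placeholders.

Z95 = 1.6448536269514722  # standard-normal 95th percentile
P5_FPMH, P95_FPMH = 0.166, 14.7  # from the Basic Event Quantification slide


def lognormal_from_percentiles(p5, p95):
    """(mu, sigma) of ln(lambda) for a log-normal failure rate whose 5th and
    95th percentiles are p5 and p95."""
    mu = (math.log(p5) + math.log(p95)) / 2.0
    sigma = (math.log(p95) - math.log(p5)) / (2.0 * Z95)
    return mu, sigma


def lognormal_mean(mu, sigma):
    """Mean of the failure rate itself, exp(mu + sigma^2 / 2)."""
    return math.exp(mu + sigma * sigma / 2.0)


def failure_probability(rate_fpmh, hours):
    """Probability of at least one failure within `hours` for a constant
    rate: 1 - e^(-lambda t). The e^(-lambda t) term on the Quantification
    slide is the probability of surviving the period."""
    lam = rate_fpmh * 1e-6  # failures per hour
    return 1.0 - math.exp(-lam * hours)


def log_grid(lo, hi, n):
    """n points spaced evenly in ln(lambda) between lo and hi (fpmh)."""
    step = (math.log(hi) - math.log(lo)) / (n - 1)
    return [math.exp(math.log(lo) + i * step) for i in range(n)]


def prior_weights(grid, mu, sigma):
    """Unnormalised prior mass at each grid point: on a log-spaced grid the
    mass is proportional to the normal density of ln(lambda)."""
    return [math.exp(-0.5 * ((math.log(x) - mu) / sigma) ** 2) for x in grid]


def posterior_weights(grid, prior, failures, exposure_hours):
    """Bayesian update with on-orbit experience: `failures` events in
    `exposure_hours`, Poisson likelihood proportional to
    (lambda T)^k e^(-lambda T)."""
    post = []
    for x, w in zip(grid, prior):
        lam_t = x * 1e-6 * exposure_hours
        post.append(w * lam_t ** failures * math.exp(-lam_t))
    return post


def weighted_mean(grid, weights):
    """Mean of lambda under the (unnormalised) grid weights."""
    total = sum(weights)
    return sum(x * w for x, w in zip(grid, weights)) / total


def exceedance(grid, weights, threshold):
    """P(lambda > threshold): one point of the curve on the Updating slide."""
    total = sum(weights)
    return sum(w for x, w in zip(grid, weights) if x > threshold) / total


def update_example():
    """Fit the slide's prior, quantify one basic event over about 8 months
    (constructed: 8 * 730 h), then update with constructed evidence of
    0 failures in 100,000 on-orbit hours."""
    mu, sigma = lognormal_from_percentiles(P5_FPMH, P95_FPMH)
    mean_rate = lognormal_mean(mu, sigma)
    grid = log_grid(1e-4, 1e4, 4000)
    prior = prior_weights(grid, mu, sigma)
    post = posterior_weights(grid, prior, failures=0, exposure_hours=100_000)
    return {
        "prior_mean_fpmh": mean_rate,
        "p_fail_8_months": failure_probability(mean_rate, 8 * 730),
        "posterior_mean_fpmh": weighted_mean(grid, post),
        "prior_p_gt_10": exceedance(grid, prior, 10.0),
        "posterior_p_gt_10": exceedance(grid, post, 10.0),
    }


if __name__ == "__main__":
    for key, value in update_example().items():
        print(f"{key:22s} {value:.4f}")
```

The fitted mean reproduces the slide's 3.96 fpmh to within rounding, which confirms that the plotted 5th and 95th percentiles and the stated mean belong to one log-normal distribution. Evidence of zero failures over a long exposure pulls the posterior mean below the prior mean and lowers the probability that the rate exceeds any given value, which is the shift between the two curves on the Updating slide; a tally of observed failures would move it the other way.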

Page 19: Significance of Results

• MMOD is > 90% of risk of LOS

• Majority of risks do not lead to catastrophic end states

• Numbers overestimate the risk of non-catastrophic end states since many options may still be available to the crew and ground once end states are reached
  • Not meeting flight rules triggers end states
  • Ops documentation still in development

• Several top sequences are driven by having no power jumper to the airlock
  • Failure of external US power channel 2B prevents an EVA and therefore power is not repairable
  • No Russian EVA (not in flight rules or procedures)

• Lacks fidelity on Russian segment