An Heritage Approach to Aerospace Risk Based Design: With ... · A Heritage Approach to Aerospace...

28-29 October 2002 Slide 1 of 44

A Heritage Approach to Aerospace Risk Based Design: With ApplicationDay 1 Morning

An Heritage Approach to Aerospace Risk Based Design: With Application

Prepared at:SRA Workshop on Risk Analysis of Aerospace Systems II:

Mission success Starts with Safety28-29 October 2002

Prepared by:Joseph R. Fragola

Vice President and Principal Scientist

Science Applications International Corporation265 Sunrise Highway, Suite 22, Rockville Centre, NY 11570



• Historical Performance Assessment • Space Shuttle Analysis• Potential Safety Goals Review• Current Risk vs. Time (Risk Intensity)• Application of heritage approach to

risk-based design

Heritage Approach to Risk-Based DesignLauncher Architecture Application



Historical Crew Safety

1 in 10

1 in 100

1 in 1,000

1 in 10,000

Mercury &Gemini

Apollo

Apollo (LunarLandings Only)

Apollo, Mercury& Gemini

All pre-Shuttleprograms

(including Skylab& Apollo-Soyuz)

Pre-Challenger

Post-Challenger(SAIC '95)

Current Shuttle(SAIC '99)

Apportionment

Estimate

Demonstrated

Loss

of C

rew

Pro

babi

lity

Estimate



0.1%

1.0%

10.0%

100.0%

Shuttle* Delta II Atlas I & II

Soyuz Proton Zenit Ariane 4 H-II Long March

Launch Vehicle

Loss

of V

ehic

le P

roba

bilit

y (p

er m

issi

on)

*Space Shuttle estimate is for ascent only (this allows a for a fair comparison with other launch vehicles)

Current Launch Vehicle Safety/Reliability



Historical Performance Assessment

Safety and Mission Reliability Performance



Mission Reliability vs. Safety

• Reliability related to Safety, but not identical

• Sometimes the two conflict, as in abort decisions

• Less reliable vehicles can even be safer if intact abort/crew survival options better



Historical PerspectiveLV Safety and Reliability

• Space shuttle one of the most reliable demonstrated launchers: 1 in 100 or 99%

• Estimated current launch reliability over 1 in 400 or 99.7%. Best, by far of any other

• Crew survival capability limits safety. Estimated in same range as Apollo era Saturn, about 1 in 200



Transportation System Safety “Pillars”

1 . Inherent Reliability: Safe and reliable in normal operation.

2 . Intact-Abort: Robust design allows return of vehicle and personnel, safely given mission loss.

3 . Survival: Personnel safety ensured with vehicle loss.



Space Transportation Safety Improvements

• Inherent reliability• Abort success• Personnel survival



QRAS Cumulative Risk Intensity



Current Shuttle Abort Capability

(Alt ~ 150kft)



Abort Focus and Definition

• Inherent reliability and crew survival/escape potential discussed previously

• Focus here on “aborts”• Aborts include mission continuance or safe

return with “graceful” failures in major risk contributing areas

• Propulsion on ascent and landing on descent for example



Abort Risk Reduction Value• Intact aborts valuable contributors to safety

and payload,risk reduction, but not mission reliability unless mission is continued

• Aborts provide mission continuance and vehicle return in ascent and assured return in descent

• Ascent value driven by ICF%,engine out, and benign failure detection capability

• Descent value driven by Go-around



Ascent Risk Reduction Value

• Shuttle abort probability about 1 in 100 • Probability driven by single engine

failure for most of ascent• Mission continuance limited to only

small portion of ascent• Intact abort to landing success limited

by viable landing sites



SSME Benign Shutdown

DynamicProbability of: Safie

First Engine Shutdown 1 in 150 1 in 106 1 in 106Second Engine Shutdown 1 in 225 1 in 159 1 in 230

Two Engine Shutdown 1 in 33,750 1 in 16,854 1in 24,345

MaggioStaticModel Evaluation

•Dynamic calculates probability of second engine shutdown as a function of first engine time. •Determines the extended operation time required and probability of shutdown based on extended operation time and power level.



Ascent Abort Risk Reduction Value

• 90% shuttle abort success, implies reduction in ascent safety from 1 in 400 to 1 in 290

• Abort success improvement factor of 10, at least, by increase in landing site options



Ascent Risk Reduction Value

• Engine out capability allows single liftoff failure mission continuance and abort to landing with benign double failure

• Horizontal takeoff and flight to altitude also significant potential risk reducer

• Risk reduced to 1 in 100,000 by combining both at current engine inherent reliability levels. Factor of 10 increase approaches commercial air risk range of 1 in 1,000,000



Risk Reduction Value of Aborts Descent

• Shuttle landing risk estimated in order of 1 in 2000, Dead stick

• Assuming majority of the landing risk alleviated by Go-Around, risk reduced to 1 in 4 million

• Reduced risk consistent with commercial air landing (assuming higher speed compensated by other factors)



Final CommentsShuttle Safety

• The Space Shuttle is the world’s most reliable launch system in operation

• Inherent reliability growth, while important, is limited by the existing design of the Shuttle

• Process changes, while not analyzed, offer the potential for additional safety growth

• The safety impact of a 50% ascent crew survival system or RFS are approximately the same– Factor of 2 improvement– Potentially large difference in cost and schedule

• If significant ascent improvements are made, further safety improvements must address descent risk items– Examples: Landing, TPS, APU, Flight Controls(limited

work to date)



Flight Failures vs. Altitude



Personnel Survival Considerations

• Shuttle Risk insights• Re-visit of SRB Risk• Review of WSTF test results• Re-visit of 51-L event• Risk-based design perspective for

personnel survial



SRB Considerations

• SRBs continue to be the most risk intense element of shuttle system

• SRBs most likely initiator of ascent accident while attached

• However, SRB failure mode risk dominated by non-explosive modes– Historically only 1 in-flight explosion in the

last 20 years– Dominant failure scenarios lead to H2/O2

involvement and/or aerodynamic breakup



WSTF H2O2 Explosion Testing• WSTF Conducting Tests for NASA

Code Q as part of INSRP Activity

• Tests on Scale of Delta ELVindicate limiting effects even atground level

• Interaction zone appears limited tointertank surface area

• NASA lead and contractor expertsfeel 95% limit is 1,000lb (TNT) and50% limit (most probable) is 500lb



Key Events Leading to 51-L Accident

Event MET (sec)

• First Evidence of plume 58.788

• LH2 Press. Deviates 66.764

• H2 Cloud RH of ET 73.188

• Bright spot bet. Orbiter & ET 73.173

• Localized small expl’n at intertank 73.213• Massive dump of H2 73.282• H2 leak from aft dome 73.290• Last Telemetry 73.631• Crew Module emerges from cloud 74.165• Nose and cargo bay severed 74.578

InsertChallenger Movie

*51L Explosion Working Group, KSC-00232,06/16/89



Required Escape Warning TimesConstant 10G, 3 second escape acceleration, equivalent

Structural overpressure load for 14.7 psi internal pressure

Note: Does not account for initial vehicle flight velocity



Observations from 51-L Applied to Crew Escape Activation

• Even with initiation of LH2 pressure deviations, only 6.5 secs would have been available to activate escape system

• Wait to loss of pressure maintenance would have allowed only 1 sec for activation

• Activation of escape system likely only if initiated without hesitation at first deviation

Unlikely that an escape system would have activated in a 51-L type event



Observations from 51-L Applied to Crew Module Survival

• Only small local explosion in intertank - no pressure wave

• Breakup aerodynamic, failed in pure tension

• Crew cabin survived 51-L with minimal damage to integrity of system

• Crew loads (7-8 gs) were well within survival limits

Crew and cabin would likely survive initial insult if a 51-L type event were to reoccur



Crew Survival Option Impact on Safety

Sf

0.05

0.07

0.40

TBD

0.30

0.80

0.80

Mean

349

353

438

TBD

470

1234

1512

Ascent Descent Total Pcs

Sf

0

0

0.05

TBD

0.25

0.65

0.75

Pcs

671

671

706

TBD

895

1917

Pcs

729

745

1155

TBD

990

3465

Median*

380

386

478

TBD

513

1350

16532684 3465

Survival OptionComments

Bailout

Walkaround Extract

Seat Extract

CM Stabilization and Bailout

CM Separation (Intact Recovery)

CM Separation (Extract/Eject)

Escape Pod

Current System

Current System with Stabilization

*Calculated using an error factor of 2



CFD Surface Mesh for Explosive Survivability Analysis

173,794 Boundary Points2,679,754 Points

15,197,690 Elements

173,794 Boundary Points2,679,754 Points

15,197,690 Elements



Detonation Initiation and Early Time Propagation

• 500lb TNT Equivalent Charge

• Initiation as a spherical blast with radius of 32.15cm

• Typical Time-Step : DT = 3.1 m sec– About 13,000 Time-

Steps



Steady State Conditions at 51-L Accident Point

7.98 psi

0.04 psi

Pressure Distribution

Alt. = 52,000 ftMa = 1.97

2.8

0.0

Velocity Distribution



Space Shuttle Explosion Analysis500 lb. of TNT - Time = 0.4ms

126.2 psi

0.0 psi1.3e+5 cm/s

0.0 cm/s





Space Shuttle Explosion Analysis 500 lb. of TNT - Time = 2.4ms

22.5 psi

0.1 psi 1.3e+5 cm/s

0.0 cm/s






22.5 psi

0.0 psi1.3e+5 cm/s

0.0 cm/s






22.5 psi

0.0 psi 1.3e+5 cm/s

0.0 cm/s






7 psi

0.0 psi 2.7e+5 cm/s

0.0 cm/s





Explosive Overpressure and Impulse on Orbiter

140

Approximate Location of 576 Bulkhead

134

135

136

137

138

139

Probable Range ofAcceptable Pressures



Crew Survival System Concept

Initial Event Crew Cabin Separation Stabilization

DecelerationLanding

QuickTime™ and aCinepak Codec by Radius decompressor

are needed to see this picture.



Historical Approaches to Personnel Survival

• Two approaches applied:– Escape from danger

• Military aircraft-ejection• Passenger ships-lifeboats

– Survive and recover• Military helicopters• Race cars



Crew Safety Lessons Learned fromShuttle Design

• Launcher survival heritage in “escape from danger” technology

• Technology suitable for Apollo era launchers and others stacked in-line

• Escape systems may be non-viable for tandem vehicles as shuttle or others requiring in-stream ejection

• “Survival and recover” approach may be viable option especially for LOX/H2 fueled systems



Example Risk Allocation - 1:10,000

ImmediateCatastrophic

FailureGoal: 1 in 1,200

UnrecoverableAbort

SituationGoal: 1 in 6,000

Loss of VehicleGoal: 1 in 1,000

Crew SurvivalGoal: 1 in 13

Crew RecoveryGoal: 1 in 46

Crew ReturnGoal: 1 in 10

Crew SafetyGoal: 1 in 10,000

An Heritage Approach to Aerospace Risk Based Design: With ... · A Heritage Approach to Aerospace...

Documents

Transcript of An Heritage Approach to Aerospace Risk Based Design: With ... · A Heritage Approach to Aerospace...